Reference Manual
HOW TO use VPN connections to a RAS Server.
HOW TO use NAT32 to bypass Web Proxies.
Running the Windows RAS Server on a NAT32 machine is actually very useful because you can then either dial in to your private network via a modem, or you can set up a VPN connection to your private network from the Internet.
While Windows does support the above features by default, there are major limitations in what can be done with such connections. For example, if you dial in to a Windows RAS Server, you would normally need to assign private IP addresses to the connection. If you then need to give the dialed-in computer Internet access, you cannot use Windows ICS, because it does not work with RAS Server connections.
NAT32 overcomes these limitations by treating the RAS Server interface just like any other private network interface, which means that a computer that dials in will have full access to your private LANs as well as NAT access to the Internet.
To configure NAT32 to use the RAS Server, simply create an "Incoming Connection" using the Windows "Create new connection" wizard. Then select the first NDISWANIP adapter in the NAT32 Interface Selection dialog box and set its "Connection Type" to "Private".
The NAT32 RAS Server support has an interesting side-effect: it can be used to bypass mandatory Web Proxies in most enterprise networks. If such networks allow either incoming or outgoing VPN connections, the proxy can be bypassed by setting up a VPN connection to an external NAT32 machine running a RAS Server. All Internet traffic from the client machine will then travel via the VPN connection to NAT32, which then uses its own Internet interface to provide unrestricted Web access.
Be sure to configure the outgoing VPN connection to use the default gateway on the remote network. This is done by clicking the appropriate checkbox in the TCP/IP Properties (Advanced) of the connection. Also check the Web Browser settings and ensure that no proxy is configured for that connection.
Be sure to configure the RAS Server on the NAT32 machine to assign an IP address from a private range, and to allow access for the required user accounts.
If your NAT32 machine has a variable public IP address, you might like to use DynDNS or a special link on your public home page to determine the current address.
Common Problems
If your enterprise PC cannot successfully establish the VPN connection to the NAT32 RAS Server, the most likely reasons for this are:
1. The enterprise firewall is blocking outgoing TCP Port 1723 connections to the Internet.
2. The enterprise firewall is blocking outgoing GRE packets to the Internet.
3. Your ISP is blocking unsolicited GRE packets to your NAT32 machine. Note that this is actually a very common problem.
If your enterprise is running a VPN Server that allows connections to be established from the Internet, all of the above problems can be solved by using the following technique:
First set up a VPN connection from your NAT32 machine to the enterprise VPN Server (128.1.1.1). Be sure that this connection has the "Use default gateway on remote network" option turned off. Then set up the VPN connection from the enterprise PC to the NAT32 RAS Server, using the client IP address of the first VPN connection (128.1.1.x in the above example) as the target address.
The required TCP and GRE packets for VPN 2 will then travel over VPN 1 and will be totally invisible to any traffic filters. Note that NAT32 need not be configured to use connection VPN 1, although you can configure it to do so if desired, in which case NAT32 will route all traffic from your private machines to addresses on your enterprise network via VPN 1.
The above solution can also be used in cases where a TCP connection from the enterprise PC to the NAT32 machine is initially established correctly, but the subsequent authentication fails. This is usually because GRE packets are not getting through from the VPN Client to the RAS Server.
To determine the IP address of the client end of VPN 1, you might like to use a special link on your public home page.
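The indicators listed under Common Problems (TCP port 1723 for the PPTP control channel and GRE, IP protocol 47, for the tunnel) are also exactly what a network administrator looks for in egress logs to spot PPTP tunnels leaving the enterprise network. The following script is an added example, not part of NAT32 or this manual; it assumes a hypothetical key=value firewall log format (constructed sample lines are embedded) and treats only the RFC 1918 ranges as internal. It flags PPTP control connections and GRE flows to non-internal addresses, and reports the (source, destination) pairs where both were allowed, which is the pattern a working PPTP tunnel produces. In the nested arrangement described above, where VPN 2 is carried inside VPN 1, only the outer connection to the enterprise VPN server is visible in such logs, so a rule like this sees VPN 1 but not VPN 2.

```python
"""Flag PPTP control (TCP/1723) and GRE (IP proto 47) flows in egress firewall logs.

Added example; the log format and the sample lines are constructed, not real.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample egress log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
ts=2024-01-01T09:00:01Z action=allow proto=tcp src=10.20.30.40 sport=51512 dst=203.0.113.10 dport=1723
ts=2024-01-01T09:00:02Z action=allow proto=gre src=10.20.30.40 dst=203.0.113.10
ts=2024-01-01T09:00:03Z action=allow proto=tcp src=10.20.30.41 sport=51600 dst=10.20.30.1 dport=1723
ts=2024-01-01T09:00:04Z action=allow proto=tcp src=10.20.30.42 sport=51700 dst=198.51.100.7 dport=443
ts=2024-01-01T09:00:05Z action=deny proto=gre src=10.20.30.43 dst=203.0.113.11
"""

PPTP_CONTROL_PORT = 1723
LINE_RE = re.compile(r"(\w+)=(\S+)")

# Private ranges from RFC 1918; anything else is treated as outside the enterprise.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    kind: str     # "pptp-control" or "gre"
    action: str   # firewall verdict as logged ("allow" / "deny")


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict (empty dict for blank lines)."""
    return dict(LINE_RE.findall(line))


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_tunnel_indicators(log_text: str) -> List[Finding]:
    """Return every PPTP control or GRE flow whose destination is not an internal address."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or "dst" not in f or is_internal(f["dst"]):
            continue  # internal-to-internal traffic is not egress
        proto = f.get("proto", "").lower()
        if proto == "tcp" and int(f.get("dport", "0")) == PPTP_CONTROL_PORT:
            findings.append(Finding(f["ts"], f["src"], f["dst"], "pptp-control", f["action"]))
        elif proto == "gre":
            findings.append(Finding(f["ts"], f["src"], f["dst"], "gre", f["action"]))
    return findings


def hosts_with_complete_tunnel(findings: List[Finding]) -> List[Tuple[str, str]]:
    """(src, dst) pairs where both the control channel and GRE were allowed through."""
    seen: Dict[Tuple[str, str], set] = {}
    for x in findings:
        if x.action != "allow":
            continue
        seen.setdefault((x.src, x.dst), set()).add(x.kind)
    return sorted(pair for pair, kinds in seen.items() if kinds == {"pptp-control", "gre"})


if __name__ == "__main__":
    hits = find_tunnel_indicators(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.kind:13s} {h.src} -> {h.dst} ({h.action})")
    print("complete PPTP tunnels:", hosts_with_complete_tunnel(hits))
```

A denied GRE flow next to an allowed TCP/1723 connection is the log-side signature of problem 2 above (control channel up, tunnel blocked); the same combination seen at the NAT32 end corresponds to problem 3.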
SEE ALSO
Dynamic DNS, Variable IP addresses, VPN Connections, VPN Clients, VPN Servers