This document explains how to connect to a NAT network behind an Astaro 3.2 firewall from a LAN using Windows 2000
Server Routing & Remote Access demand dial function.
You will need Windows 2000 Server.
It assumes you have a working Astaro 3.2 box and a network topology similar to the diagram below:
[Private LAN 1][Astaro]{Internet}[Astaro][Private LAN 2]
For purposes of illustration in this document:
Private LAN 1 = 192.168.2.0
Private LAN 2 = 203.13.35.0
=====================================
=== ASTARO PPTP ROADWARRIOR SETUP ===
=====================================
Open Astaro WebAdmin (Version 3.2)
Select Network->PPTP Roadwarrior Access
Click the enable button
I use strong (128 bit) encryption as I am running Windows 2000 Server with SP2; you may want to try weak (40 bit)
while testing.
The PPTP-Pool network should be already created and specified, typically 10.215.12.0
Enter optional DNS, WINS & Client domain information.
Now you need to define a user ID. Go to WebAdmin->Definitions->Users
Enter a username and password.
Tick the Remote access (PPTP) checkbox, {PPTP-Pool} is default IP assigned.
Check which allowed features you want the user to be able to access.
Click Save
Server setup should now be complete.
===============================================
=== CLIENT LAN SETUP ON WINDOWS 2000 SERVER ===
===============================================
Click Start-Programs-Administrative Tools-Routing and Remote Access
Right click on the server name and click "Configure and Enable Routing and Remote Access"
The Routing and Remote Access Server Setup Wizard should appear.
Click Next
Select "Network Router" from the "Common Configurations" screen.
Click Next
"Routed Protocols" screen should appear, if the protocol TCP/IP is listed, click Next.
"Demand-Dial Connections" screen appears, select "Yes" and click Next.
"IP Address Assignment" screen appears, select "Automatically" and click Next.
Click Finish
The server should now start.
============================
Open the server tree and right click on "Routing Interfaces"
Left click on "New Demand-dial Interface..."
The "Demand Dial Interface Wizard" should appear.
Click Next
The "Interface Name" dialog appears. Give the new interface a name, e.g. HomeLAN
Click Next
Select "Connect using virtual private networking (VPN)" from the "Connection Type" screen.
Click Next
Select "Point to Point Tunneling Protocol (PPTP)" from the "VPN Type" screen.
Click Next
Enter the hostname or IP of the Astaro PPTP server on the "Destination Address" screen. This is the IP on your
*Red* (external) interface.
Click Next
Tick "Route IP packets on this interface." on the "Protocols and Security" screen.
Click Next
On the "Dial Out Credentials" screen, enter the details for the Astaro user account you have set up on the Astaro
box. Leave Domain blank.
Click Next
Click Finish
You should now have a Routing interface for "HomeLAN" listed. Test it now by right clicking on it and selecting
"Connect"
It should connect in about 20-30 seconds. If it does not connect, check the settings on the Astaro PPTP server and
the properties of the HomeLAN interface you just created. Double check the password, and ensure you have set a
PPTP connection, not an L2TP connection.
You now have a connection, but no packets can get to it; you need to create a static route.
In Routing and Remote Access
Left click "IP Routing"
Right Click "Static Routes"
Click on "New Static Route"
Select "HomeLAN" for the interface.
Enter the IP & Network mask for the LAN network behind the Astaro server you are connecting to.
(For instance, you might have 192.168.2.0 255.255.255.0 as your private network)
Click OK
Start a DOS command prompt and type: PING 192.168.2.X where X is a valid IP of a machine on the HomeLAN network.
You might need to repeat the ping command a few times while the interface connects, eventually you should get a
ping response from the box you are pinging. (Usually within 30 seconds).
===============================================================
=== ACCESSING THE DEMAND DIAL LINK FROM ANOTHER LAN MACHINE ===
===============================================================
If you want to access this link from another box on the LAN where you set up the Routing and Remote Access demand
dial link, you will need to add a route on that box.
For instance, the server where you set up the demand dial link is 203.13.35.10
You need to access this from workstation 203.13.35.56
On 203.13.35.56 type this at a command prompt:
ROUTE ADD 192.168.2.0 MASK 255.255.255.0 203.13.35.10
          ^- HomeLAN       ^- Netmask    ^- Box hosting demand dialler.
(This will route packets to 192.168.2.* to the demand dialler host which should then dial out and connect.)
You should now be able to access your private LAN via the demand dial from the workstation.
Hope this helps people. Any questions, please reply here.
Simon Shaw.
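
The following is an added example, not part of the original post: a Python check that parses `route print` output from the workstation and confirms that traffic for 192.168.2.0/24 is handed to the demand-dial host rather than to the default gateway, where it would leave the LAN outside the tunnel. The sample table is constructed, and the default gateway 203.13.35.1 and the probe host 192.168.2.20 are assumed values.

```python
import ipaddress

# Constructed sample of `route print` on workstation 203.13.35.56 after the
# ROUTE ADD above. The default gateway 203.13.35.1 is an assumed value.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.13.35.1    203.13.35.56       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.2.0    255.255.255.0     203.13.35.10    203.13.35.56       1
      203.13.35.0    255.255.255.0     203.13.35.56    203.13.35.56       1
"""


def parse_routes(text):
    """Return (network, gateway, metric) tuples from IPv4 route table rows."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # headers and blank lines do not have five columns
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}")
            gateway = ipaddress.ip_address(fields[2])
            metric = int(fields[4])
        except ValueError:
            continue  # five columns but not a route row
        routes.append((net, gateway, metric))
    return routes


def next_hop(routes, destination):
    """Longest-prefix match, lowest metric as tie-break; None if no route."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in routes if dest in r[0]]
    if not matches:
        return None
    _, gateway, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return str(gateway)


def check_homelan_route(text, dialler="203.13.35.10", probe="192.168.2.20"):
    """True when traffic for the remote LAN goes to the demand-dial host."""
    return next_hop(parse_routes(text), probe) == dialler


if __name__ == "__main__":
    print("HomeLAN route OK:", check_homelan_route(SAMPLE_ROUTE_PRINT))
```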