
Very Small Office + 2 Remote Users via VPN

gtjacobs
Level 1

Hi...

I'm hoping for some advice on the following scenario, particularly, will the 1605-R perform the intended function.

I have a Windows 2000 Server with DHCP, WINS, and the Routing and Remote Access services configured. This server has one network card, configured with IP address 192.168.100.10

There are 2 Win2K-Pro desktop computers and 2 Win2K-Pro notebook computers in my office. The 2 notebook users would like to connect via PPTP (or L2TP I suppose) using the Win2K-Server's RRAS when out of the office, such as from home or from a hotel.

I intend to configure a 1605-R with a public IP address on one ethernet port (which would be connected to a cable modem, a static IP address as provided by my ISP) and a private IP address on the 2nd ethernet port (perhaps 192.168.100.1).

Can the 1605-R be further configured to allow incoming PPTP connections from the 2 notebook users (using the built-in Win2K dial-up VPN option), such that the PPTP VPN connection is completed by the Win2K Server's Routing and Remote Access Service? I believe that PPTP requires TCP 1723 + Protocol 47 (GRE), while L2TP requires UDP 500 + UDP 1701. I've heard that there can be issues forwarding GRE packets from multiple external sources to a single internal VPN server, especially when the intermediate router is configured for NAT or PAT. All other inbound protocols or ports would be blocked, because we're not running our own web or mail services at this time. My desktop & notebook users would need to be able to browse the internet and download email when in the office, and access a database running on the Win2K Server when out of the office connected by the VPN.

I would be hiring a consultant to complete this configuration but want to be sure that the 1605-R will do the job as intended. I don't necessarily want to purchase a 1700 or 2600-series product, or find myself in a situation where the consultant recommends a higher-performance device, as cost is an issue.

Thanks in advance,

G.T.

1 Reply

j-block
Level 4

You won’t be able to terminate your remote users to the PAT address on your network. You’ll have to get another IP address and make a permanent static translation to your RAS server for that purpose. You could alternately terminate your VPN tunnels right at the 1605 using 56bit IPSec (you’ll likely have to upgrade your IOS) and then your remote users can authenticate against the NT server once inside.
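
The static-translation approach from the reply, written out as IOS configuration. This is an added example, not part of the original thread: the 203.0.113.x addresses are documentation placeholders for the ISP-assigned addresses, and the interface names and ACL numbers are assumptions.

```cisco
! Added example. 203.0.113.0/29 is a documentation range standing in for the
! ISP-assigned block; interface names and ACL numbers are assumptions.
!
interface Ethernet0
 description Outside, to cable modem
 ip address 203.0.113.2 255.255.255.248
 ip access-group 101 in
 ip nat outside
!
interface Ethernet1
 description Inside, office LAN
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
!
! Office clients share the router's outside address (PAT).
access-list 1 permit 192.168.100.0 0.0.0.255
ip nat inside source list 1 interface Ethernet0 overload
!
! Second public address mapped one-to-one to the RRAS server, so GRE
! (IP protocol 47), which has no TCP/UDP port for PAT to key on,
! is translated along with TCP 1723.
ip nat inside source static 192.168.100.10 203.0.113.3
!
! Inbound filter. It is evaluated before NAT, so it matches public addresses.
! PPTP control channel and GRE tunnel, to the RRAS server only:
access-list 101 permit tcp any host 203.0.113.3 eq 1723
access-list 101 permit gre any host 203.0.113.3
! Replies to sessions opened from inside (web, mail, DNS lookups):
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any
! Everything else is dropped; log it for review.
access-list 101 deny ip any any log
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

The `established` keyword only checks for the ACK or RST bit in the TCP header; it is not stateful inspection, so the two reply rules are a coarse filter rather than a firewall.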
