-
Demand Dial Routing
Code:
I am having problems with routing from a client which is connected to a server which uses "Demand Dialing" to gain access to
a specific subnet.
Here is the routing table of the server BEFORE the Demand Dial connection is created:
===========================================================================
Active Routes:
Network Destination  Netmask          Gateway         Interface       Metric  Additional Information
0.0.0.0              0.0.0.0          217.34.225.78   217.34.225.75   30      Out onto the internet
10.0.0.0             255.0.0.0        10.1.0.30       10.1.255.30     1
10.1.0.0             255.255.0.0      10.1.255.30     10.1.255.30     20
10.1.250.10          255.255.255.255  127.0.0.1       127.0.0.1       50      VPN [IN] STUFF (old connection)
10.1.255.30          255.255.255.255  127.0.0.1       127.0.0.1       20      Company Network
10.255.255.255       255.255.255.255  10.1.255.30     10.1.255.30     20
127.0.0.0            255.0.0.0        127.0.0.1       127.0.0.1       1
172.18.0.0           255.255.0.0      172.18.0.200    172.18.0.200    20
172.18.0.200         255.255.255.255  127.0.0.1       127.0.0.1       20      RIS Network
172.18.255.255       255.255.255.255  172.18.0.200    172.18.0.200    20
217.34.225.72        255.255.255.248  217.34.225.75   217.34.225.75   30
217.34.225.75        255.255.255.255  127.0.0.1       127.0.0.1       30
217.34.225.255       255.255.255.255  217.34.225.75   217.34.225.75   30
224.0.0.0            240.0.0.0        10.1.255.30     10.1.255.30     20
224.0.0.0            240.0.0.0        172.18.0.200    172.18.0.200    20
224.0.0.0            240.0.0.0        217.34.225.75   217.34.225.75   30
255.255.255.255      255.255.255.255  10.1.255.30     10.1.255.30     1
255.255.255.255      255.255.255.255  172.18.0.200    172.18.0.200    1
255.255.255.255      255.255.255.255  217.34.225.75   217.34.225.75   1
Default Gateway: 217.34.225.78
===========================================================================
So I have 3 interfaces as you can see, 217 - Internet NIC, 10 - Internal Company network and 172 - Internal RIS network.
Routing and remote access/NAT is set up and everything works fine, 172 can ping 10 network, 10 can access internet, 172 can
access internet. Now the problem is when I set up "Demand Dialing".
Setup:
Demand Dial 192.168.0.0/16 access via VPN 82.152.32.72 PERSISTENT
Now here is the new routing table
===========================================================================
Active Routes:
Network Destination  Netmask          Gateway         Interface       Metric
0.0.0.0              0.0.0.0          217.34.225.78   217.34.225.75   30
10.0.0.0             255.0.0.0        10.1.0.30       10.1.255.30     1
10.1.0.0             255.255.0.0      10.1.255.30     10.1.255.30     20
10.1.250.10          255.255.255.255  127.0.0.1       127.0.0.1       50
10.1.255.30          255.255.255.255  127.0.0.1       127.0.0.1       20
10.255.255.255       255.255.255.255  10.1.255.30     10.1.255.30     20
82.152.32.72         255.255.255.255  217.34.225.78   217.34.225.75   30
127.0.0.0            255.0.0.0        127.0.0.1       127.0.0.1       1
172.18.0.0           255.255.0.0      172.18.0.200    172.18.0.200    20
172.18.0.200         255.255.255.255  127.0.0.1       127.0.0.1       20
172.18.255.255       255.255.255.255  172.18.0.200    172.18.0.200    20
192.168.0.0          255.255.0.0      0.0.0.0         192.168.1.17    1
192.168.0.0          255.255.0.0      192.168.1.19    192.168.1.17    1
192.168.1.17         255.255.255.255  127.0.0.1       127.0.0.1       50
192.168.1.19         255.255.255.255  192.168.1.17    192.168.1.17    1
192.168.1.255        255.255.255.255  192.168.1.17    192.168.1.17    50
217.34.225.72        255.255.255.248  217.34.225.75   217.34.225.75   30
217.34.225.75        255.255.255.255  127.0.0.1       127.0.0.1       30
217.34.225.255       255.255.255.255  217.34.225.75   217.34.225.75   30
224.0.0.0            240.0.0.0        10.1.255.30     10.1.255.30     20
224.0.0.0            240.0.0.0        172.18.0.200    172.18.0.200    20
224.0.0.0            240.0.0.0        192.168.1.17    192.168.1.17    50
224.0.0.0            240.0.0.0        217.34.225.75   217.34.225.75   30
255.255.255.255      255.255.255.255  10.1.255.30     10.1.255.30     1
255.255.255.255      255.255.255.255  172.18.0.200    172.18.0.200    1
255.255.255.255      255.255.255.255  217.34.225.75   217.34.225.75   1
Default Gateway: 217.34.225.78
===========================================================================
Now the Demand Dial server can ping 192.168.1.1 which is the internal IP of 82.152.32.72
Reply from 192.168.1.1: bytes=32 time=66ms TTL=128
Reply from 192.168.1.1: bytes=32 time=71ms TTL=128
Reply from 192.168.1.1: bytes=32 time=72ms TTL=128
Reply from 192.168.1.1: bytes=32 time=90ms TTL=128
but the clients, for example those on the 10 network, cannot.
Tracing route to 192.168.1.1 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms DC1-2003 [10.1.255.30]
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * ETC
Why not? The client can ping everything else. All the following options are turned on on the server:
Routing and Remote access: LAN and demand dial routing
Routing and Remote access: IP: Enable IP Routing
Routing and Remote access: IP: Allow IP based remote access and demand dial connection
Routing and Remote access: IP Routing: General: Demand Dial connection: Enable IP router manager
No filtering is set up anywhere.
What gets me is the fact all other routing works apart from the demand dial-up one. All the clients have the server set as
their default gateway and their DNS (although DNS does not apply here)
thanks if anyone can help
-
Honest answer is I've no clue how to fix this, as I've no experience with RAS, but I can offer conjecture as to the possible cause of the problem...
The remote end of the VPN is aware of the 192.168.x.x networks but is either unaware of how to route to the other networks, so chances are it is receiving the ping request but unable to know where to send the reply.
(Asymmetric routing.)
Alternatively it might be a firewall at the other end which is only expecting to see 192.168.x.x traffic and so anti-spoofing is kicking in and dropping the inbound request.
It might be possible to employ (hide mode) NAT on the server to get round this problem, as all clients will then appear to come from one IP in the 192.168.x.x range (most likely the server itself), but I can't help with that.
Might be way off-base, but it's where I would start.
GL!
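
The asymmetric-routing and anti-spoofing conjecture in the reply above can be checked with a longest-prefix-match lookup on both ends of the tunnel. This is an added example, not part of the original posts: the server routes are copied from the thread, while the remote table, its labels (wan, lan, vpn, isp-gw, on-link) and the client address 10.1.0.5 are constructed assumptions.

```python
import ipaddress

# Subset of the server's post-dial routing table, copied from the thread.
SERVER = """
0.0.0.0       0.0.0.0          217.34.225.78  217.34.225.75  30
10.0.0.0      255.0.0.0        10.1.0.30      10.1.255.30    1
10.1.0.0      255.255.0.0      10.1.255.30    10.1.255.30    20
82.152.32.72  255.255.255.255  217.34.225.78  217.34.225.75  30
172.18.0.0    255.255.0.0      172.18.0.200   172.18.0.200   20
192.168.0.0   255.255.0.0      192.168.1.19   192.168.1.17   1
"""

# CONSTRUCTED table for the remote VPN endpoint (not shown in the thread):
# a default route to the internet, its own LAN, and a host route to the tunnel peer.
REMOTE = """
0.0.0.0       0.0.0.0          isp-gw   wan  30
192.168.0.0   255.255.0.0      on-link  lan  20
192.168.1.17  255.255.255.255  on-link  vpn  1
"""

def parse_routes(text):
    """Parse 'destination netmask gateway interface metric' lines."""
    routes = []
    for line in text.strip().splitlines():
        dest, mask, gw, iface, metric = line.split()[:5]
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gw, iface, int(metric)))
    return routes

def lookup(routes, ip):
    """Longest-prefix match; the lowest metric breaks ties. None if no route."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3]), default=None)

def trace(src_ip, dst_ip="192.168.1.1"):
    """Follow the request (server table) and the reply (remote table)."""
    fwd = lookup(parse_routes(SERVER), dst_ip)
    back = lookup(parse_routes(REMOTE), src_ip)
    return {
        "request_leaves_server_via": fwd[2],
        "reply_leaves_remote_via": back[2],
        # Strict reverse-path (anti-spoofing) check: the route back to the
        # source must use the interface the request arrived on (the tunnel).
        "passes_reverse_path_check": back[2] == "vpn",
    }

if __name__ == "__main__":
    for label, src in [("server itself / hide NAT", "192.168.1.17"),
                       ("10.x client, no NAT", "10.1.0.5")]:
        print(label, trace(src))
```

Under these assumptions the server forwards both requests into the tunnel, but only the one sourced from 192.168.1.17 gets a reply routed back through it; the un-NATed 10.x source falls through to the remote's default route.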
-
thanks very much for your input, I've just got back from lunch and have a few things to do, then I'll put on my techy head and look into it, looks like you may have a point with Asymmetric routing, seeing as it would NOT be using NAT (NAT only used for internet request), meaning the remote 192 machine won't know how to route back to the 10 box as its (the 192 box) default gateway is that of the internet.
cheers again
I'll let you know how I get on
edit: well I've just managed to kill my computer at home so I can't connect from work, I'll have a look when I get home
-
I've sorted it, it was a biggie, if anyone wants to know how, mail me rick1_11@hotmail.com