Q: IP Routing ( Answered 4 out of 5 stars,   1 Comment )
Question  
Subject: IP Routing
Category: Computers > Internet
Asked by: tiewire-ga
List Price: $25.00
Posted: 02 Aug 2002 16:25 PDT
Expires: 01 Sep 2002 16:25 PDT
Question ID: 50048
I work in a company with two offices.  We run a Windows 2k server
network using NAT on each server.  We have 2 sonicwall soho 2
firewalls with a vpn connection.  There are two servers in one office
and one server in the other.  The office with two servers has one
server with 2 NICs - one with an internal address and one with and
external, and one server with only an internal address.

I am currently unable to consistently connect with the server that has
only an internal address from the other office.  I am wondering if
configuring static routes between the offices would help.  If so,
could someone supply me with an example of a routing table properly
configured to accomplish this.

Thanks for your help.

Request for Question Clarification by maniac-ga on 02 Aug 2002 18:56 PDT
Hmm. What you are asking for should be feasible based on what I read
about the capabilities of the SOHO2, but could you provide a
little more information to be sure the answer is correct?

From your description, I can't quite figure out the network connections
and tasks each item is performing. Is it something like the following or
something else?

Office 1 ...   PC's   & W 2000 Server     Office 2 PC's & Server
                |  (local LAN)                      |
            W 2000 Server                           |
                |                                   |
             SOHO 2  ------- vpn ---------------  SOHO 2
                |                                   |
                +---- Other internet connections ---+

I can't quite figure out why you indicate the Windows 2k servers
provide the NAT service. I would have the SOHO 2 machines do that
since I expect them to have the connection to your ISP.

What internal addresses do you use in each office? If the address
ranges are not selected properly, that might cause the problem
you mention. I would also use the address ranges & masks in the
answer I provide.

When the connection fails, can you use ping, traceroute, or a similar
network utility to determine if IP packets go between the two machines?

Thanks.
  --Mark

Clarification of Question by tiewire-ga on 04 Aug 2002 08:11 PDT
maniac-ga

Thanks for the help.  I agree that NAT would normally run off of the
firewalls, but these machines are 10 user boxes and they kept using up
all of their licenses and cutting off internet access to the offices
despite the fact that the number of users was within the limit.  To
remedy the problem, I gave the firewall and the server in each office
a public IP and had the server run NAT so that the firewall could only
see one connection in each office.

Using your diagram, the config looks like this:

Office 1 ... Office PC's                   Office 2 PC's & W 2000 Server
                | (local LAN 192.168.120.x)         | (Local LAN 192.168.121.x)
            W 2000 Server(NAT)                   W 2000 Server(NAT)
                |                                   | 
             SOHO 2  ------- vpn ---------------  SOHO 2 
                |                                   | 
                +---- Other internet connections ---+ 

This setup has worked fine for about a year now.  However, the
additional server in Office 2 which has an internal IP, is not
accessible from Office 1.  Ping does not work and a tracert stops at
the gateway in office 1.  So, since DNS isn't able to get me where I
want to go, I was hoping that some static routes would do the trick.

Hope this helps,

tiewire
Answer  
Subject: Re: IP Routing
Answered By: maniac-ga on 04 Aug 2002 10:44 PDT
Rated:4 out of 5 stars
 
Hello Tiewire,

I think I have enough information now to make several suggestions. If
these don't work - please ask for a clarification so I can get you a
good answer. I don't see how static routing alone is going to solve
the problem - the purpose of NAT is to hide the machines behind
the translation machine. We need to make the second server visible to
the other machines.

1. Purchase a second network interface and hub (total cost about $100)
to put both Windows 2000 servers in parallel in office 2. This assumes
the VPN already makes the two existing servers visible to each other
and the other machines on the private LAN's. This would be the highest
performance option (since it reduces the load on the current office #2
machine).

2. Since you only have one PC (Windows 2000 server) visible to the
SOHO 2 in each office, run the VPN connection between the two NT
machines (via the SOHO 2 and internet) instead of between the two SOHO
2 machines. This is perhaps the lowest performance option since it
adds load to both server machines.

3. Assign the second Windows 2000 server an address that is not in the
range of 192.168.121.x. You should then be able to set up the first
Windows 2000 server to route the traffic for that machine to SOHO 2
(without translation) and make it visible in a way similar to the
first suggestion. This would probably have to be another "public IP"
address. The route on the office #1 server may be something like...
  route add 192.168.122.0 mask 255.255.255.0 199.199.42.1 metric 3
where 192.168.122.1 (if a private address DOES work) is the address of
the second server in office #2, 199.199.42.1 is the "public" address
of the public server in office #2 and is three hops away (to SOHO 2,
between SOHO 2, to public server). The route on the public office #2
server would be something like...
  route add 199.199.41.0 mask 255.255.255.0 199.199.41.1 metric 3
where 199.199.41.1 is the "public" address of the public server in
office #1. You would have to make sure the connection goes through the
VPN (and not the public internet). Traceroute or counters on the SOHO
2 should be able to check that. This may be closest to what you were
thinking of when asking the question.

A good online source of material you may not be aware of is:
  http://www.labmice.net/networking/default.htm
which has direct links to a number of resources and tutorials inside
and outside of Microsoft. The routing information (separate from
remote access) is under networking fundamentals.

A final comment - from the original question, you indicated the
inability to get a consistent connection. That would imply you *have*
a connection at some times, but are unable to determine why. If you
ask for a clarification - please let me know if you have any data on
the times when "it works" so I can help provide a complete solution.

  --Maniac
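To make the effect of suggestion 3 concrete, here is an added example (not part of the answer above) that performs the longest-prefix-match lookup a host's routing table does, using the 192.168.120.x, 192.168.122.0/24 and 199.199.42.1 values from the answer; the default gateway address 199.199.41.254 is an assumption, and the whole table is constructed for illustration.

```python
"""Longest-prefix-match route lookup, illustrating why the static route
from the answer makes 192.168.122.x reachable from office #1 while a
host still hidden behind the office #2 NAT (192.168.121.x) is not.
Added example: the table below is constructed from addresses mentioned
on this page; the default gateway 199.199.41.254 is an assumed value."""
from ipaddress import ip_address, ip_network

# Office #1 public server's table before the static route. Each entry is
# (destination network, gateway, metric); gateway 0.0.0.0 means the
# network is directly attached.
ROUTES_BEFORE = [
    ("192.168.120.0/24", "0.0.0.0", 1),       # office #1 LAN (directly attached)
    ("0.0.0.0/0", "199.199.41.254", 1),       # default route (assumed SOHO 2 address)
]

# Same table after "route add 192.168.122.0 mask 255.255.255.0
# 199.199.42.1 metric 3" from the answer.
ROUTES_AFTER = ROUTES_BEFORE + [
    ("192.168.122.0/24", "199.199.42.1", 3),
]


def lookup(routes, dest):
    """Return (network, gateway) chosen for dest.

    The most specific (longest prefix) matching entry wins; among equal
    prefixes the lowest metric wins. Returns None if nothing matches,
    which cannot happen here because a default route is present."""
    addr = ip_address(dest)
    best = None
    for net, gw, metric in routes:
        network = ip_network(net)
        if addr in network:
            # Higher prefix length beats lower; for a tie, lower metric
            # (so higher -metric) beats higher.
            key = (network.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, (net, gw))
    return best[1] if best else None


if __name__ == "__main__":
    for table_name, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        for dest in ("192.168.122.1", "192.168.121.10", "192.168.120.5"):
            print(table_name, dest, "->", lookup(table, dest))
```

Without the route, 192.168.122.1 falls through to the default gateway and gets translated like any other internet traffic; with it, the next hop is the office #2 public server, which is exactly the visibility the answer describes.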
tiewire-ga rated this answer:4 out of 5 stars
Good stuff.  I hadn't considered running the VPN connection from
server to server.  However, I believe the performance hit will be too
great.  Your help has shed some light on the problem though and I
believe that I can come up a variation on your suggestion that will
work for my situation.

Thanks for your help!

Comments  
Subject: Re: IP Routing
From: jordan3757-ga on 11 Aug 2002 00:02 PDT
 
The performance hit is very minimal.. Also, you can specify static
routes to be added automatically when a user logs in to the VPN,
facilitating automatic routing between the two internal networks. I
use this sort of configuration in my own WAN.

One caveat about using the "route add" command is that you have to do
it every time you reboot the computer (and with Windows, this can be
quite frequently). You can also add static routes that are permanent
even after you reboot in the Routing & Remote Access manager under
static routes.

Hope this helps a little more..

-jordan3757, CCNA
