SP2 Firewall Breaks VPN

Dan

Dec 31, 2007
Archived from groups: microsoft.public.windowsxp.work_remotely

2 Computers, both running XP Pro SP2. This problem has only existed since the
install of SP2.

Computer A connects to Computer B over the Internet via Windows RAS PPTP.
Both computers are protected from the internet via a NAT router on each end.

Computer A successfully connects to the VPN server on Computer B. I am able
to ping the NAT router on that remote network (192.168.0.1). I cannot ping
Computer B. I am ultimately trying to use Computer B as a host for my Palm
software and other network applications.

On the remote network, the following are the addresses in use:

192.168.0.x
.1 NAT Router
.100 Computer B
.200 VPN Server on Computer B
.201 Computer A's address on the remote network

If I turn off the Firewall and reconnect to the VPN, I am able to
successfully ping and perform all other actions.

I have installed the patch mentioned in KB article 884020 on both machines
and the problem persists.
 

"Dan" <Dan@discussions.microsoft.com> wrote in message
news:1B0A11E8-0241-42BF-901B-3D945F5E8DA3@microsoft.com
>
> 2 Computers, both running XP Pro SP2. This problem has only existed
> since the install of SP2.
>
> Computer A connects to Computer B over the Internet via Windows RAS
> PPTP. Both computers are protected from the internet via a NAT router
> on each end.
>
> Computer A successfully connects to the VPN server on Computer B. I
> am able to ping the NAT router on that remote network (192.168.0.1).
> I cannot ping Computer B. I am ultimately trying to use Computer B as
> a host for my Palm software and other network applications.
>
> On the remote network, the following are the addresses in use:
>
> 192.168.0.x
> .1 NAT Router
> .100 Computer B
> .200 VPN Server on Computer B
> .201 Computer A's address on the remote network
>
> If I turn off the Firewall and reconnect to the VPN, I am able to
> successfully ping and perform all other actions.

Please use the Advanced tab in Windows Firewall to turn on logging of
dropped packets so that we can see what it is objecting to.

One possibility is that you try to ping 192.168.0.100 but the reply comes
from 192.168.0.200, so the firewall drops it.

In any case, it would not be unreasonable to turn off the firewall
permanently on the VPN connection, and leave it running for the other
connections.

--
Robin Walker
rdhw@cam.ac.uk
 

Before I answer your question, I want to point out that the problem firewall
is on the computer acting as the VPN Server, not the client.

The following are dropped packets on the server's firewall in response to
pings.
2004-10-29 12:45:53 DROP ICMP 192.168.0.100 192.168.0.205 - - 60 - - - - 0 0 - SEND
2004-10-29 12:45:58 DROP ICMP 192.168.0.100 192.168.0.205 - - 60 - - - - 0 0 - SEND
2004-10-29 12:46:03 DROP ICMP 192.168.0.100 192.168.0.205 - - 60 - - - - 0 0 - SEND
2004-10-29 12:46:09 DROP ICMP 192.168.0.100 192.168.0.205 - - 60 - - - - 0 0 - SEND

** .205 is the current address of the client computer on the VPN

"Robin Walker" wrote:

> Please use the Advanced tab in Windows Firewall to turn on logging of
> dropped packets so that we can see what it is objecting to.
>
> One possibility is that you try to ping 192.168.0.100 but the reply comes
> from 192.168.0.200, so the firewall drops it.
>
> In any case, it would not be unreasonable to turn off the firewall
> permanently on the VPN connection, and leave it running for the other
> connections.
>
> --
> Robin Walker
> rdhw@cam.ac.uk
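Not part of the thread: an added Python example (mine, not Dan's and not Microsoft's) that parses lines in the XP SP2 pfirewall.log layout Dan pasted and picks out exactly what his entries show. The field order, the two header lines and the trailing OPEN line in the sample are assumptions; the five DROP lines are Dan's, re-joined onto one line each after the newsreader wrapped them. Reading the fields positionally makes the diagnosis explicit: ICMP type 0, code 0 on the SEND path is the server's own echo reply to the client at .205 being discarded, and the later TCP line is an RDP (3389) segment dropped on the same outbound path.

```python
"""Parse Windows XP SP2 firewall log (pfirewall.log) lines and pick out the
drops that matter in this thread: the VPN server's own outbound replies to
the VPN client being discarded by the host firewall."""
from typing import Dict, List

# Field order of the XP SP2 pfirewall.log "#Fields:" header (W3C extended
# log format). Assumed from the log format; the thread only shows data lines.
FIELDS = (
    "date time action protocol src_ip dst_ip src_port dst_port size "
    "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path"
).split()

# Constructed sample input: Dan's five DROP lines, re-joined onto one line
# each, preceded by a header and followed by one OPEN line. The header lines
# and the OPEN line are assumptions added for contrast, not from the thread.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-10-29 12:45:53 DROP ICMP 192.168.0.100 192.168.0.205 - - 60 - - - - 0 0 - SEND
2004-10-29 12:45:58 DROP ICMP 192.168.0.100 192.168.0.205 - - 60 - - - - 0 0 - SEND
2004-10-29 12:46:03 DROP ICMP 192.168.0.100 192.168.0.205 - - 60 - - - - 0 0 - SEND
2004-10-29 12:46:09 DROP ICMP 192.168.0.100 192.168.0.205 - - 60 - - - - 0 0 - SEND
2004-10-31 09:15:12 DROP TCP 192.168.0.100 192.168.0.205 3389 1658 40 A 2835594038 3895429792 9520 - - - SEND
2004-10-31 09:15:12 OPEN TCP 192.168.0.205 192.168.0.100 1658 3389 - - - - - - - - -
"""

ICMP_ECHO_REPLY = ("0", "0")    # type 0, code 0
ICMP_ECHO_REQUEST = ("8", "0")  # type 8, code 0


def parse_log(text: str) -> List[Dict[str, str]]:
    """One dict per data line; header lines and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if len(tokens) != len(FIELDS):
            continue  # a line still wrapped by a mail client lands here
        entries.append(dict(zip(FIELDS, tokens)))
    return entries


def describe(e: Dict[str, str]) -> str:
    """Human-readable one-liner, decoding the ICMP type/code and TCP ports."""
    if e["protocol"] == "ICMP":
        names = {ICMP_ECHO_REPLY: "ICMP echo reply",
                 ICMP_ECHO_REQUEST: "ICMP echo request"}
        kind = names.get((e["icmptype"], e["icmpcode"]),
                         "ICMP type %s code %s" % (e["icmptype"], e["icmpcode"]))
    elif e["protocol"] == "TCP":
        kind = "TCP %s->%s flags=%s" % (e["src_port"], e["dst_port"], e["tcpflags"])
    else:
        kind = e["protocol"]
    return "%s %s %s %s->%s" % (e["action"], e["path"], kind, e["src_ip"], e["dst_ip"])


def dropped_replies_to(entries, server_ip: str, client_ip: str):
    """DROP entries on the SEND path from the server to the VPN client.

    Inbound traffic from the client is not what is being blocked here; the
    discarded packets are the server's own echo reply and RDP segment on
    the way back out to the client."""
    return [e for e in entries
            if e["action"] == "DROP" and e["path"] == "SEND"
            and e["src_ip"] == server_ip and e["dst_ip"] == client_ip]


def summarize(entries, server_ip: str, client_ip: str) -> Dict[str, object]:
    """Counts of the outbound drops, split by protocol and echo replies."""
    hits = dropped_replies_to(entries, server_ip, client_ip)
    by_protocol: Dict[str, int] = {}
    for e in hits:
        by_protocol[e["protocol"]] = by_protocol.get(e["protocol"], 0) + 1
    echo_replies = sum(1 for e in hits if e["protocol"] == "ICMP"
                       and (e["icmptype"], e["icmpcode"]) == ICMP_ECHO_REPLY)
    return {
        "total_entries": len(entries),
        "dropped_send_to_client": len(hits),
        "by_protocol": by_protocol,
        "echo_replies_dropped": echo_replies,
    }


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for entry in dropped_replies_to(log, "192.168.0.100", "192.168.0.205"):
        print(describe(entry))
    print(summarize(log, "192.168.0.100", "192.168.0.205"))
```

Point it at the file the Advanced tab's Security Logging settings write to, with the server's LAN address and the address the RAS server handed the client, and the filter isolates the outbound drops from everything else the log records. A log line that the parser skips because its token count is wrong is almost always one that was wrapped in transit, as in the posts above.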
 

Have you allowed the ICMP request messages in the firewall for that
particular interface which you are trying to ping? You can configure this in
the 'Exceptions' tab of the firewall by opening up TCP port 445.

--
Thanks,
Janani.

---------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.

"Dan" <Dan@discussions.microsoft.com> wrote in message
news:5001F9C8-EEA9-4C16-9A91-34F3D81AAB98@microsoft.com...
> Before I answer your question, I want to point out that the problem firewall
> is on the computer acting as the VPN Server, not the client.
>
> The following are dropped packets on the server's firewall in response to
> pings.
> 2004-10-29 12:45:53 DROP ICMP 192.168.0.100 192.168.0.205 - - 60 - - - - 0 0 - SEND
> 2004-10-29 12:45:58 DROP ICMP 192.168.0.100 192.168.0.205 - - 60 - - - - 0 0 - SEND
> 2004-10-29 12:46:03 DROP ICMP 192.168.0.100 192.168.0.205 - - 60 - - - - 0 0 - SEND
> 2004-10-29 12:46:09 DROP ICMP 192.168.0.100 192.168.0.205 - - 60 - - - - 0 0 - SEND
>
> ** .205 is the current address of the client computer on the VPN
 

The firewall that is doing the blocking is on the VPN Server! The Port 445
entry is controlled from the Advanced Tab/ICMP/Settings. But the problem I
am having is affected by ALL ports that I have tested.

I also use Remote Desktop. It is defined in the firewall and is open to
"Any" incoming address. It works fine from the Client computer with the
firewall running on the server as long as the address attempted is the
outside address of the NAT router (which forwards to the server's internal
address). If I attempt a RDP connection to the inside address directly (VPN
connected), it is denied as well...

2004-10-31 09:15:12 DROP TCP 192.168.0.100 192.168.0.205 3389 1658 40 A 2835594038 3895429792 9520 - - - SEND


"Janani V[MSFT]" wrote:

> Have you allowed the ICMP request messages in the firewall for that
> particular interface which you are trying to ping? You can configure this in
> the 'Exceptions' tab of the firewall by opening up TCP port 445.
>
> --
> Thanks,
> Janani.
>
> ---------------------------------
> This posting is provided "AS IS" with no warranties, and confers no rights.
>