Archive for August 2008

20 Aug 08

How to solve remote support with VPN problems

How to resolve remote support VPN problems.

I ran into this issue several weeks ago, when I had to support some clients remotely. During this remote support activity I recognized that my local LAN connection was disabled, so I couldn't use my local internet connection to search on the net. After some testing it looked like it might be the access-lists, but for some clients it wasn't.

I solved this problem by:

  1. Installing VMware Server 1.06 on my laptop.
  2. Creating a virtual machine (Windows XP Pro Service Pack 3 UK).
  3. Installing the Cisco VPN Client (latest version) in this machine.
  4. Installing SecureCRT version 6.x.
  5. Testing a VPN profile that had the problem of losing the local network connection.
  6. The test was okay. On my own laptop I could use all functionality (email, internet, LAN searching), and in the virtual machine I could give remote support to my client.

I hope this helps if you need to support your clients or friends.

17 Aug 08

Basic Ports for Windows 2003 Small Business Server

Here is the basic range of ports you can open for a Windows 2003 SBS.

Batch SMTP (for mail) (TCP)
25 – SMTP

Remote Workstation and Outlook Web Access ( TCP )
443 – HTTPS (for RWW and OWA)

Sharepoint (TCP )
444 – SharePoint

Microsoft VPN (TCP )
1723 – PPTP VPN

Remote Desktop Connection ( TCP )
3389 – RDP for remote administration

Remote Web Workplace ( TCP / UDP )
4125 – Remote Web Workplace

All ports are TCP and must be enabled in the access-list and in port forwarding. Some examples for a Cisco router are below:

Static ip forwarding
ip nat inside source static tcp < internal Lan address > 3389 interface Dialer10 3389
ip nat inside source static tcp < internal Lan address > 443 interface Dialer10 443
ip nat inside source static tcp < internal Lan address > 4125 interface Dialer10 4125
ip nat inside source static tcp < internal Lan address > 25 interface Dialer10 25

Access-list
permit tcp any any eq 1723
permit tcp any any eq 443
permit tcp any any eq 3389
permit tcp any any eq 4125
permit udp any any eq 4125
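
A forward without a matching permit (or the reverse) is easy to miss when both lists are typed by hand. The following is an added example, not part of the original post: it cross-checks the static forwards against the access-list entries and flags an admin port that is open to any source. The address 192.168.1.10, the `audit` function and the choice of 3389 as the only admin port are assumptions made for the illustration.

```python
import re

# Constructed sample: the forwards and permits shown above, with 192.168.1.10
# standing in for the "< internal Lan address >" placeholder.
CONFIG = """\
ip nat inside source static tcp 192.168.1.10 3389 interface Dialer10 3389
ip nat inside source static tcp 192.168.1.10 443 interface Dialer10 443
ip nat inside source static tcp 192.168.1.10 4125 interface Dialer10 4125
ip nat inside source static tcp 192.168.1.10 25 interface Dialer10 25
permit tcp any any eq 1723
permit tcp any any eq 443
permit tcp any any eq 3389
permit tcp any any eq 4125
permit udp any any eq 4125
"""

NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) \S+ \d+ interface \S+ (\d+)$")
ACL_RE = re.compile(r"^permit (tcp|udp) (any|host \S+|\S+ \S+) any eq (\d+)$")
ADMIN_PORTS = {3389}  # assumption: RDP is the only admin-only service listed


def audit(config):
    """Cross-check static forwards against ACL permits; return findings."""
    forwards, permits = set(), {}
    for line in map(str.strip, config.splitlines()):
        if m := NAT_RE.match(line):
            forwards.add((m.group(1), int(m.group(2))))
        elif m := ACL_RE.match(line):
            key = (m.group(1), int(m.group(3)))
            permits.setdefault(key, set()).add(m.group(2))
    permitted = set(permits)
    findings = []
    for proto, port in sorted(forwards - permitted):
        findings.append(f"{proto}/{port}: forwarded but not permitted")
    for proto, port in sorted(permitted - forwards):
        findings.append(f"{proto}/{port}: permitted but not forwarded")
    for proto, port in sorted(permitted):
        if port in ADMIN_PORTS and "any" in permits[(proto, port)]:
            findings.append(f"{proto}/{port}: admin port open to any source")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```

Replacing `any` with `host <address>` in the 3389 permit for a known support address clears the last finding.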

17 Aug 08

Radius Configuration On Router and Server

How to configure RADIUS quickly and simply on the router and on a server.

First I explain the installation and configuration on the server.

Installation Internet Authentication Service

  1. First you install radius on the server.
  2. Click on Add/Remove Windows Components
  3. Click on Network Services ( Details )
  4. Check the box in front of “Internet Authentication Service” and click OK
  5. Click on Next
  6. Click on Finish

Active Directory Changes

  1. Make a security group
  2. Call it Radius ( Group scope “GLOBAL” & Group type “SECURITY”)
  3. Click on Next
  4. A mailbox is not necessary; click on Next
  5. Click on Finish
  6. Right-click the group Radius and choose Properties
  7. Add the members who gain access with VPN ( include the Administrator as well )

Internet Authentication Service

  1. Go to Radius Clients
  2. Add New RADIUS Client
  3. Give a Friendly Name and their IP Address
  4. For Client-Vendor you can choose standard or Cisco
  5. Shared Secret key:( for example: H0m3RS1mps0n )
  6. Go to Remote Access Policies
  7. Remove all policies which are available
  8. Create a New Remote Access Policy
  9. Click on Next
  10. “Use the Wizard to set up a typical policy for a common scenario”
  11. Policy Name: VPN
  12. Click on Next
  13. Choose VPN and click on Next
  14. Choose for Group and click on Add
  15. Check the Group ( Radius ) you want to grant access and click on OK
  16. Click on Next
  17. Check all boxes EAP / MS-CHAPv2 and MS-CHAP and click on Next
  18. Check all boxes basic / strong / strongest
  19. Click on Finish
  20. Click on the policy Properties
  21. Click on Edit Profile
  22. Under Authentication, check CHAP and PAP, SPAP
  23. Click on Apply and OK
  24. If you get a warning about a Help file, click No
  25. Click on OK

On the router you have to do something too.

Go to enable mode
configure terminal

aaa new-model
!
!
Use local login to the router to avoid login problems when you have to change something. Keep RADIUS separate from the local default group.

aaa authentication login default local

Command for the Radius group
aaa authentication login CVPN group radius
aaa authentication ppp default local
aaa authorization network default local
!
aaa session-id common

The two lines that name CVPN are associated with the RADIUS group in AAA:
crypto isakmp profile CIP_CVPN_CLIENT
match identity group <Companyname>-VPN
client authentication list CVPN
isakmp authorization list CVPN
client configuration address respond

radius-server host < server ip > auth-port 1645 acct-port 1646 key < example key H0m3RS1mps0n >

Test the VPN connection to see whether you can log on to the network.
Test Telnet by connecting to the router with the local user name you entered in the router.

If you have any problems, say so and I hope I'm able to help you out with the problem.
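
Before testing the VPN it helps to confirm that every AAA list named in the ISAKMP profile is actually defined and to see which of them goes to RADIUS. The following is an added example, not part of the original post: it resolves `client authentication list` against `aaa authentication login` and `isakmp authorization list` against `aaa authorization network`. The name `EXAMPLE-VPN` and the function `check_method_lists` are assumptions made for the illustration.

```python
import re

# Constructed sample: the AAA and ISAKMP profile lines shown above, with
# "EXAMPLE-VPN" standing in for the <Companyname>-VPN placeholder.
CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login CVPN group radius
aaa authentication ppp default local
aaa authorization network default local
aaa session-id common
crypto isakmp profile CIP_CVPN_CLIENT
 match identity group EXAMPLE-VPN
 client authentication list CVPN
 isakmp authorization list CVPN
 client configuration address respond
"""

DEFINE_RE = re.compile(r"^aaa (authentication login|authorization network) (\S+) (.+)$")
# Which kind of AAA method list each ISAKMP profile command refers to.
REFERENCES = {
    "client authentication list": "authentication login",
    "isakmp authorization list": "authorization network",
}


def check_method_lists(config):
    """Resolve each list named in the profile against the aaa definitions."""
    defined, used = {}, []
    for line in map(str.strip, config.splitlines()):
        if m := DEFINE_RE.match(line):
            defined[(m.group(1), m.group(2))] = m.group(3).split()
            continue
        for command, kind in REFERENCES.items():
            if line.startswith(command + " "):
                used.append((kind, line[len(command):].strip()))
    report = []
    for kind, name in used:
        methods = defined.get((kind, name))
        if methods is None:
            report.append(f"{kind} list {name}: referenced but not defined")
        elif "radius" in methods:
            report.append(f"{kind} list {name}: uses RADIUS ({' '.join(methods)})")
        else:
            report.append(f"{kind} list {name}: local only ({' '.join(methods)})")
    return report


if __name__ == "__main__":
    print("\n".join(check_method_lists(CONFIG)))
```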

09 Aug 08

Back From Holiday

I’m back from holiday, even if I didn’t say so. I’ve been back at work for a week now, and have found nothing interesting yet to share with you all.

A short impression of my holiday. ( I got 3 weeks off )
The first week was being lazy and doing nothing. The second week I went with friends to Denmark ( Hasmark Strand Feriepark, a very nice campsite, very recommended ). We have been to Odense / Billund and Copenhagen for some city trips.

The third week we went to Germany, to a less nice campsite. Very strange for sure. After being there for 4 days, we went to Wacken Open Air. Our first time, and next year we are going again. And then Graspop Metal Meeting is on the program.

Cheers.



