Always On Routing / Accessing Resources in external DMZ?

Franz Schenk 336 Reputation points
2023-03-31T14:11:57.7266667+00:00

Have an Always-ON VPN Infrastructure:

  • External DMZ with AO VPN Server (external interface): 192.168.110.0/24
  • Internal DMZ with AOVPN Clients: 192.168.120.0/24
  • Internal Company network: 192.168.100.0/24

Have deactivated class-based routing according to https://directaccess.richardhicks.com/2018/07/23/always-on-vpn-routing-configuration/, and added a static route for 192.168.100.0/24 that points to the default GW of the internal DMZ.

AOVPN clients can access resources in the internal company network. But they are unable to access resources that are in the external DMZ 192.168.110.0/24. Have tried to add a route to one specific system in the DMZ: route add -p 192.168.110.166 mask 255.255.255.255 192.168.120.1, and have also added this route to the AO VPN Profile.

No success. Do not get a ping answer from an AOVPN Client pinging 192.168.110.166.

Thank you in advance for any advice / how is it possible to access resources in the DMZ from AOVPN clients.

Franz


2 answers

  1. Limitless Technology 43,966 Reputation points
    2023-04-03T12:46:21.6033333+00:00

    Hello there,

    There are a couple of basic things worth checking.

    First one would be to determine if you are using a Full Tunnel or Split Tunnel VPN Client connection. Full Tunnel naturally means that all traffic is forwarded to the VPN connection while it's active. Split Tunnel defines the networks to which traffic is tunneled through the VPN connection.

    This can be checked either through the configuration or, when the VPN connection is up, by navigating in the client software to the section which shows Route Details - Secured Routes. If the output is something along the lines of "0.0.0.0 0.0.0.0" then it's Full Tunnel. If there are separate networks listed, then it's Split Tunnel.

    In Split Tunnel VPN you would have to add the DMZ network into the Split Tunnel ACL.

    In addition to the above you might be missing NAT configuration for the DMZ network to VPN Pool traffic.

    How is your NAT rule configured?

    Most NAT rules for the VPN (the top-most one) only handle "inside" <-> "outside" traffic. You need one above it that handles the NAT for "dmz" <-> "outside".

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer--

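The answer above talks about adding the DMZ network to the split-tunnel route list. In Always On VPN that list is the ProfileXML of the connection, where class-based default routes are disabled and each prefix is listed as a Route element. The following added example (not code from the thread or from Microsoft) builds the routing-relevant part of such a profile with the three prefixes from the question, and checks which configured prefix would carry a given destination through the tunnel; the VPN server hostname and the IKEv2 protocol choice are placeholders, and authentication elements are omitted.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed example values: the three prefixes named in the question.
# The server name is a placeholder, not a host from the thread.
VPN_SERVER = "vpn.example.invalid"
ROUTES = [
    ("192.168.100.0", 24),  # internal company network
    ("192.168.120.0", 24),  # internal DMZ where the AOVPN clients reside
    ("192.168.110.0", 24),  # external DMZ that hosts the AOVPN server
]


def build_split_tunnel_profile(server, routes):
    """Return ProfileXML text for a split-tunnel profile.

    Only the routing-relevant elements are emitted: RoutingPolicyType,
    DisableClassBasedDefaultRoute, and one Route element per prefix.
    """
    profile = ET.Element("VPNProfile")
    native = ET.SubElement(profile, "NativeProfile")
    ET.SubElement(native, "Servers").text = server
    ET.SubElement(native, "NativeProtocolType").text = "IKEv2"
    ET.SubElement(native, "RoutingPolicyType").text = "SplitTunnel"
    # Without this, Windows would add a classful route for the address class
    # of the assigned client IP instead of the explicit prefixes below.
    ET.SubElement(native, "DisableClassBasedDefaultRoute").text = "true"
    for address, prefix_size in routes:
        route = ET.SubElement(profile, "Route")
        ET.SubElement(route, "Address").text = address
        ET.SubElement(route, "PrefixSize").text = str(prefix_size)
    return ET.tostring(profile, encoding="unicode")


def tunneled_prefix_for(destination, routes):
    """Return the most specific configured prefix covering destination,
    or None if the destination would leave the client untunneled."""
    dst = ipaddress.ip_address(destination)
    covering = [
        ipaddress.ip_network(f"{address}/{size}")
        for address, size in routes
        if dst in ipaddress.ip_network(f"{address}/{size}")
    ]
    if not covering:
        return None
    return str(max(covering, key=lambda net: net.prefixlen))


if __name__ == "__main__":
    print(build_split_tunnel_profile(VPN_SERVER, ROUTES))
    # With only the first two prefixes the DMZ host is not tunneled at all.
    print(tunneled_prefix_for("192.168.110.166", ROUTES[:2]))
    print(tunneled_prefix_for("192.168.110.166", ROUTES))
```

A quick way to see the effect of a missing Route element is to call tunneled_prefix_for with the DMZ prefix left out: the DMZ host then falls outside every configured prefix, which on a split-tunnel client means the packet never enters the tunnel. The profile text can be compared against the profile currently deployed on a client, which is what decides whether the DMZ traffic reaches the server's PPP adapter in the first place.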

  2. Franz Schenk 336 Reputation points
    2023-04-05T15:46:25.13+00:00

    Hello, thank you for the feedback. I don't think that NAT is involved, because the communication happens inside the VPN tunnel. According to our tests, it's really a problem of the AOVPN Server. This server has the following IP configuration: [image: ipconfig-ao]

    ... and the following routes: [image: route1]

    [image: route2]

    • When tracing on an AOVPN Client a system in the network 192.168.100.0/24, the data is sent to the "PPP Adapter RAS" of the AOVPN server. Then the AOVPN server correctly sends the data to the default gateway of the "internal DMZ" where the AOVPN clients reside.
    • When tracing on an AOVPN Client the system 192.168.110.166 in the external DMZ network, which also hosts the AOVPN server, the data is sent to the "PPP Adapter RAS" of the AOVPN server. But for some reason, the AOVPN server does not forward the data to the default gateway of the "internal DMZ"!

    [image: tracert]

    Cannot understand this behaviour of the AOVPN server, because the manually added route for 192.168.110.166/32 has a higher metric than the default route 192.168.110.0/24. Any advice? Thank you in advance for any help. Franz

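The question in the question post (the route add for 192.168.110.166/32 via 192.168.120.1) and the reply above (the comparison of that route's metric with the 192.168.110.0/24 route) both come down to how Windows chooses among routes. The following added example (not from the thread) parses a constructed route print table resembling what the AOVPN server could show and applies the selection order Windows uses: the longest matching prefix wins first, and metric only breaks ties between routes of equal prefix length. The interface addresses 192.168.110.10 and 192.168.120.10 and all metrics are assumptions; the /32 route is deliberately given a worse metric than the on-link /24 to show that it is still selected.

```python
import ipaddress
import re

# Constructed sample in the layout of the IPv4 "Active Routes" table printed
# by `route print` on Windows. Interface addresses and metrics are assumed;
# the /32 route is the one the question says was added with `route add -p`.
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.110.1  192.168.110.10     25
    192.168.100.0    255.255.255.0    192.168.120.1  192.168.120.10     26
    192.168.110.0    255.255.255.0          On-link  192.168.110.10    281
  192.168.110.166  255.255.255.255    192.168.120.1  192.168.120.10    300
    192.168.120.0    255.255.255.0          On-link  192.168.120.10    281
===========================================================================
"""

# One table row: destination, netmask, gateway (address or On-link),
# interface address, integer metric.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_route_print(text):
    """Return a list of (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        match = ROW.match(line)
        if not match:
            continue  # headers, separators, blank lines
        dest, mask, gateway, iface, metric = match.groups()
        try:
            network = ipaddress.IPv4Network((dest, mask))
        except ValueError:
            continue  # not an address/netmask pair
        routes.append((network, gateway, iface, int(metric)))
    return routes


def select_route(routes, destination):
    """Pick the route Windows would use: longest prefix, then lowest metric."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    # Sort key: larger prefix length first, then smaller metric.
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def next_hop(routes, destination):
    """Return (matched prefix, gateway, interface) for destination, or None."""
    chosen = select_route(routes, destination)
    if chosen is None:
        return None
    network, gateway, iface, _metric = chosen
    return (str(network), gateway, iface)


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    for host in ("192.168.110.166", "192.168.110.20", "192.168.100.5", "8.8.8.8"):
        print(host, "->", next_hop(table, host))
```

Running the block shows that 192.168.110.166 is sent to 192.168.120.1 through the internal interface even though its metric (300) is worse than the on-link /24 (281), while any other DMZ host stays on-link: prefix length decides, metric does not. On the live server the same decision can be read with Find-NetRoute -RemoteIPAddress 192.168.110.166. If the selected route is correct and the packet still does not leave, the remaining things to check are outside route selection: forwarding must be enabled on the interfaces involved (Get-NetIPInterface shows the Forwarding column), RRAS static packet filters must permit the traffic, and the DMZ host needs a return route to the client pool or the reply, and therefore the ping answer, never comes back.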