
   comp.dcom.vpn      VPN protocols, clients, awesomeness      2,348 messages   


   Message 1,827 of 2,348   
   Mike Drechsler - SPAM PROTECTED EMA to KraftyDood   
   Re: VPN Client hiding Static IP?   
   14 Nov 05 19:44:58   
   
   From: mike-newsgroup@-DELETETHISPART-.upcraft.com   
      
   KraftyDood wrote:   
   > Hi,   
   >   
   > I have a problem that I just can't solve.  I've contacted my ISP,   
   > NETGEAR, etc., and even brought in someone who claimed to be a   
   > networking expert.  No one has been able to help me solve or understand   
   > this problem.   
   >   
   > I have a static ip address from my internet service provider (SHAW),   
   > and on my server I am developing a web application. I can access my web   
   > server via the static ip from an outside computer - up until I start a   
   > VPN client (Nortel) running on my server.  After that I just get   
   > timeouts when trying to access the server from an outside computer.  I   
   > need to run the VPN on my server because it needs to access a database   
   > on a government network.  With the VPN running on my server, I can   
   > still access the server via the static ip address from another computer   
   > on my LAN though (when I am using a router).   
      
   This is working properly.  The Nortel VPN client is configured to cut   
   off access to external computers when the VPN link is active to prevent   
   your computer from becoming a conduit for a hacker to gain entry to the   
   remote network via your computer.  (In a case made public this actually   
   happened to a Microsoft programmer working from home.)   
   The Administrator of the Nortel VPN router would need to change settings   
   to allow "split tunnelling".   
      
   > I've tried this going directly to the cable modem, or through a router   
   > - same thing happens.   
   >   
   > Other strange things:  If I just connect my computer to the cable   
   > modem, the default ip address I am assigned is not the static ip   
   > address I was assigned by shaw - I need to go into my TCP/IP settings   
   > and manually set the static ip address I want.  Is this normal?   
   >   
   > Also, even before I run a VPN client on my server, I cannot PING my   
   > static ip address (though shaw says it is working) from my LAN (when I   
   > am using a router) or from an outside computer - I just get timeout.   
      
   Shaw static IPs work like this.  You manually assign the static IP they   
   give you into your equipment.  If you turn on DHCP (automatic)   
   addressing then you will get one of their dynamic IPs.  I don't see why   
   you are concerned about it.   
      
      
   > When I run the Nortel VPN Client, it shows an Assigned Ip Address.  I   
   > can access my server through this Ip Address from anywhere, but this   
   > doesn't really do me any good - I need to be able to access my server   
   > using my static ip address.   
   >   
   > Am I just missing something about how VPN works, or is there a setting   
   > somewhere I am missing, or maybe the cable modem (Motorola Surfboard   
   > SB5100) has limitations I am not aware of.   
   >   
   > I really would appreciate any help.   
   >   
      
   Yes, you are missing something about how VPN works.  It is not a problem   
   with your cable modem, with Shaw, or your software.  The Nortel VPN   
   client forces your default route to change to become the remote VPN   
   router when you are connected so that ALL traffic to the Internet is   
   sent through the VPN link.  In a command prompt type "route print".  Try   
   this before and after connecting to the VPN and see the difference.   
      
   If you want to connect these two sites you might consider running a   
   branch office style VPN tunnel between a VPN router at your site to the   
   remote VPN router.  This will give you more control over routing.  The   
   VPN client is not really designed for anything other than remote client   
   access.  It's not a way to build interconnected networks on an ad-hoc   
   basis like you seem to be attempting to do.  The "government network"   
   would also want to set up appropriate network firewall rules on the   
   remote side so that only connections to the database ports you require   
   will get through and nothing else to prevent the surface area that can   
   be attacked if your machine was compromised.   
      
      
      
   --   
   WARNING!  Email address has been altered for spam resistance.   
   Please remove the -deletethispart-. section before replying directly.   
   Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
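
Added example, not part of the original post: a small Python parser for the "route print" before/after comparison suggested above, reporting which interface the routing table selects for a given destination. The two tables and every address in them are constructed placeholders (203.0.113.10 standing in for the static IP, 10.20.0.57 for the VPN-assigned address); real Nortel client output may differ.

```python
import ipaddress

# Constructed "route print" samples (IPv4 table layout); every address is a
# placeholder: 203.0.113.10 = static IP, 10.20.0.57 = VPN-assigned address,
# 198.51.100.25 = VPN router's public address. None come from the post.
BEFORE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10      20
      203.0.113.0    255.255.255.0     203.0.113.10    203.0.113.10      20
"""
AFTER = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10      50
          0.0.0.0          0.0.0.0       10.20.0.57      10.20.0.57       1
      203.0.113.0    255.255.255.0     203.0.113.10    203.0.113.10      20
    198.51.100.25  255.255.255.255      203.0.113.1    203.0.113.10       1
"""


def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from route print text."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # header, separator or blank line
        dest, mask, gateway, iface, metric = parts
        try:
            routes.append((ipaddress.ip_network(f"{dest}/{mask}"),
                           gateway, iface, int(metric)))
        except ValueError:
            continue  # row that is not an IPv4 destination/netmask pair
    return routes


def egress_interface(text, dst):
    """Longest-prefix match, lowest metric on ties; returns the interface or None."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in parse_routes(text) if addr in r[0]]
    best = max(hits, key=lambda r: (r[0].prefixlen, -r[3]), default=None)
    return best[2] if best else None


if __name__ == "__main__":
    for dst in ("192.0.2.77", "203.0.113.40", "198.51.100.25"):
        print(dst, egress_interface(BEFORE, dst), "->", egress_interface(AFTER, dst))
```

With these constructed tables, traffic toward an outside host moves from the static-IP interface to the VPN interface once the lower-metric default route appears, while a same-subnet host and the VPN router's own address keep using the physical interface.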
