Route VPN Clients Through NAT

Most of us use the MMC to administer Windows 2000 RRAS. But what happens when you need to route an incoming VPN client back out to the Internet and you’re using NAT with private, non-routable addresses? Users of the company’s VPN used to complain about losing Internet access while connected to the VPN. The usual way to avoid this is to have the user open the advanced TCP/IP properties of the VPN connection and uncheck the box that says Use default gateway on remote network.

Unfortunately, not all users can follow instructions, or are willing to. Adding the internal interface to NAT puts an end to that issue (though it does raise security concerns, which have to be taken into consideration), and that’s where the NETSHELL command can help.

If you take a look at the interfaces listed under the IP Routing section of the RRAS console on a Windows 2000 server, you’ll generally see the NICs, the loopback interface, and an entry called the internal interface. That internal interface is the virtual interface that VPN clients connect to, and you’ll notice that you can’t add it to the NAT protocol via the GUI. Time for the command line.

Open a command prompt and type NETSH to start the NETSHELL program. Then, at the netsh prompt, type

routing ip nat add interface internal private

Done. You’ll now see the internal interface listed under the NAT protocol, and VPN clients can route to the Internet as well as to your LAN. You can configure all RRAS functions using the netsh command, but personally I only use it for this purpose.

In Windows Server 2003, Microsoft added the ability to add the internal interface to the NAT protocol via the GUI.
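As an added example (not part of the original article), here is a batch file that applies the same change using netsh's non-interactive syntax and then prints the NAT configuration so you can confirm the interface was added. It assumes RRAS and the NAT routing protocol are already installed on the server, that the virtual interface is named "internal" as above, and that the script is run as an administrator on the RRAS server itself.

```batch
@echo off
rem Added example: put the RRAS "internal" (VPN client) interface under NAT
rem and verify the result. Assumes the NAT routing protocol is already
rem installed in RRAS on this server.

rem "private" marks the interface as facing the private side (LAN and VPN
rem clients), not the public side, so client traffic leaving for the
rem Internet is translated on the public interface instead.
netsh routing ip nat add interface internal private

rem netsh normally sets a non-zero exit code when a command fails.
if errorlevel 1 (
    echo Failed to add the internal interface to NAT.
    exit /b 1
)

rem Confirm the interface now appears under the NAT protocol, the same
rem thing the RRAS console shows after the change.
netsh routing ip nat show interface internal

rem To back the change out later (for example if the security
rem considerations above lead you to revert it):
rem   netsh routing ip nat delete interface internal
```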
