VPN connection ok, can not ping intranet subnet

50 pts.
Microsoft Windows Server 2003
Hello! I am having problem with configuring routing settings in RRS in Windows Server 2003 which is used as VPN server. VPN servers private NIC is in subnet and can reach subnet (ping request are answered ok). But when I connect to VPN server from client that has public IP, I can not reach subnet (ping requests are answered "Request timed out"). I thing the configuration of routing is not configured right. Does anybody know how it should be configured? Thanks for any kind of answare! Marko

Answer Wiki

Thanks. We'll let you know when a new response is added.


First thing is if you are going through a router you need to port forward the IP address of the VPN server.

Make sure that the Windows Firewall is off on the VPN server.

It sounds like your problem is somewhere there is an active firewall either in the router/moden or in windows itself.

The first clue is the timeout message when you try to ping the IP Address.

If everything is set right you may be pinging the wrong IP Address. The IP Address you are looking for is the one for the router and not the server itself.

One other thing you might check is that the VPN service is active and running on the VPN server.

There could be a couple of things wrong here:

1. ICMP is not permitted through. This is what Brian refers to about the Windows firewall. Another way of testing this is to: Start, Run, CMD, enter, tracert 10.x.x.x. Look at the path, is it what you expect? Do you see points along the path that do not respond? If so, then it is possible that ICMP is not permitted through those devices.

2. Can you reach any resources on the private network by either name, ip address or service? Can you telnet to port 80 on a web server for example? If that does not work, your VPN client may have the incorrect default gateway set. Check the IP properties on the interface to see if the client is getting an address and gateway that is routable on your network.

Check out thisĀ virtual lab from Microsoft that shows how to use Network Address Translation (NAT) and Routing and Remote Access Server (RRAS) basic firewall, install the IPSec computer certificates, configure the remote access server (RAS) for quarantine, and connect to a RAS server from a client.


I had an exam, so I kind of put this problem in a background…

So, on this VPN server ( I already tested the connectivity to machine with ping and tracert command:
Tracert results:

Tracing route to over a maximum of 30 hops

1 * * * Request timed out.
2 <1 ms 1 ms <1 ms

Trace complete.

So, the connection is ok. I guess the routing on router is configured ok and ICMP is disabled.

I think the problem is in the settings that client gets from VPN server. Default gateway is the same as the IP address that the client gets and the subnet mask is which is strange to me.
I am using static address pool and not DHCP – is this a problem? Should the DHCP be enabled and not static address pool or is ist possible that evertyting could and should work by using static address pool?

Tnx for any kind of answare!

I have seen this type addressing before when the device has some internal routing entries that tell the host where to go for various networks. It does not have the default gateway set but if you go to a command prompt and type “route print” what does it show for the route? That is where all traffic will get sent by default. It’s just that this parameter is not getting sent to the client in DHCP as the default gateway.

It shows: “public dg” “public_ip” 20

Discuss This Question: 3  Replies

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • Dusti Petit
    You are definitely the real deal!
    0 pointsBadges:
  • Danim2020
    hi my vpn adress is my pin statistics for packets: sent=4 receiveed=0 lost=4 <100% loss> tracing route to [ ] over a maximum of 30 hops: 1 * * * request timed out. 2* 3893 ms * 3 * * * request timed out. 4 * 3754 ms * 5 * * * request timed out. .. . 30 * * * request timed out. now what can i do :D ?
    15 pointsBadges:
  • Genderhayes
    As a statically routed VPN connection or as a dynamically routed VPN connection using BGP If you select static routing, you'll be prompted to manually enter the IP prefix for your network when you create the VPN connection. If you select dynamic routing, the IP prefix is advertised automatically to your VPC through BGP. VPC can't reach the Internet directly; any Internet-bound traffic must first traverse the virtual private gateway to your network, where the traffic is then subject to your firewall and corporate security policies
    10,720 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: