Channel: Network Infrastructure Servers forum

RRAS/DA Server 2 NIC NAT and Internet Question


I have a 2012 R2 Dual Role DA and VPN server that is working great for internal connectivity, but we have some users that travel overseas that want to be able to use the VPN to access the web as if they were in our country.

The server is configured with two NICs. One is on our internal LAN with address:

IP: 192.168.20.95

Subnet 255.255.254.0

DNS using internal DNS servers

The other NIC is in our DMZ with address:

10.50.10.100

Subnet 255.255.255.0

Default Gateway: 10.50.10.1

DNS using external DNS servers

We have a Router/Firewall/NAT device doing a 1 - 1 NAT of an external IP we'll call 1.1.1.1 to the DMZ interface of the RRAS/DA server and allowing through PPTP/GRE for VPN and HTTPS for DA.

DHCP is being provided by our internal DHCP server which is on the 192.168.20.0 subnet.  

Clients connect to the VPN fine and can browse our internal resources as expected, but are unable to use our internet. I enabled routing and NAT on the RRAS server with the DMZ interface set as the NAT internet interface and configured the internal LAN interface as the internal interface in the NAT settings menu.

When I show mappings on the NAT interface, I see the VPN client getting mapped to the DMZ interface of the RRAS server as expected, for example 192.168.20.207 is mapped to 10.50.10.100 and both incoming and outbound packets are being translated, but the client isn't receiving the packets.

Could it be a firewall policy on the VPN server? Or is it the double NAT of the DMZ interface on the RRAS server being translated to the external IP of 1.1.1.1?

I'd like to leave my RRAS server with the dual NIC set up and allow my clients to access the web through the DMZ.

