wolski

I am trying to establish an IPSec tunnel from a router at a remote location to Windows Server 2003. The server has two network cards (internal and external) and is using Remote Routing and Access Service (RRAS). The external NIC is attached directly to the Internet via DSL with a static IP. The internal NIC is attached to a LAN with clients (mostly XP) that access the Internet via RRAS which has NAT enabled on the external card. There are also vpn clients that connect via PPTP.

I followed the directions in the MS Technet article 816514 which depicts exactly what I am trying to accomplish:
http://support.microsoft.com/kb/816514

I was able to get the tunnel configured and the router was showing that the tunnel was up. I could also ping from the router's internal network (NetB) to the internal IP address of the server but I couldn't ping any internal clients on the server's internal network (NetA) the ping would time out. Nor could I ping from the server's internal network (NetA) to the router's internal network (NetB)--I would get a response from the ISP's default gateway saying there was no route available to the address. So after pulling my hair out for 2 days, I discovered that the issue was NATing was enabled on the internal server network (NetA). As soon as I disabled NAT from RRAS, I was able to ping from a client on NetA to any client on NetB and map drives, and Remote Desktop, etc. Although I still couldn't ping directly from the server to NetB. It was still trying to go out to the ISP default gateway but that is not a big deal as long as the clients could connect.

So my question is how can I turn NAT back on and still be able to use the IPSec Tunnel? Right now it's either NAT or IPSec tunnel. Is there a way to exclude just the tunnel traffic from NAT?