We have an ethernet LAN consisting of several clients and a Windows
2003 server. The network is controlled by a Buffalo WBR-G54 router,
which acts as a DHCP server. The Windows 2003 server machine acts as a
domain controller, DNS server, and file server. Finally we have a
ZyXEL router from our ISP which is connected to the Buffalo router to
provide Internet access. The ZyXEL router has a static IP address.

There is a schematic here:

We want to set up a Windows VPN. The Windows Server 2003 machine only
has one NIC and is at the same network level as the clients (i.e. the
clients are not 'behind' the server). Is it possible to have a VPN
using this layout?

The task list I have drawn up is:

* Set up VPN services on the Windows Server 2003 machine.
* Set up a NAT entry on the Buffalo router to forward the VPN traffic
to the Windows Server.
* Set up a NAT entry on the ZyXEL router to forward the VPN traffic to
the Buffalo router.

I have tried all of this, but without any luck. To simplify my test
case I've tried just setting up NAT entries to pass on WWW requests
(TCP port 80) from the outside to the server machine, but this is
failing too.

Does anyone have experience with this specific hardware or network
layout, or have any ideas about how to diagnose the problem? (I'm not
getting any log errors on either router when I try to access
something that should be handled by the NAT.)