Right, but that won't solve the problem in this case because the "destination network" is the same as the "local" network he is already on. ARP's will use broadcast on the local segment to get to the "destination" because it is on the local subnet. You've gotta remember that the "issue" is present because his internal destination LAN is the same subnet structure (by happenstance) as the local hotel's.

Let's say my internal LAN is 192.168.1.x. Your internal LAN is also 192.168.1.x. You assign a range of 10.1.1.x to VPN RRAS clients. I connect up to your external IP RRAS, and am given a 10.1.1.17 IP for my PPP adapter. If your host.shinder.com is 192.168.1.222, and I try to ping it, my stack will route that request to my local Ethernet segment because my local subnet is _already on_ 192.168.1.0 255.255.255.0.

If I wanted to actually hit your host via the VPN, I would have to do a: "Route add 192.168.1.222 mask 255.255.255.255 10.1.1.17" to force the route via the VPN gateway. I could use a -p if I wanted, but probably wouldn't since I would get a different address the next time... And you would have to do that for every host unless you had a high range or something on the other side and you could subnet it out further with a different mask...

t

On 6/28/06 6:47 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:

> Hi Tim,
>
> If I assign an off-subnet address to the internal interface of ISA firewall, and then create a static address pool for the VPN clients that are also assigned to the same static address pool (such as the autonet addresses), and then the VPN clients get the PPP interface set to that autonet network ID and forward connections to the autonet network ID through the PPP interface to the autonet IP address I assigned to the internal interface of the ISA firewall.
>
> Make sensei?
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
>
>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>> Sent: Tuesday, June 27, 2006 10:42 PM
>> To: isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Re: Error establishing a VPN to the ISA server
>>
>> I don't understand... If the local Ethernet by chance uses the same logical subnet as the corporate office, how is changing the VPN's assigned IP going to make host destinations on the local subnet route down the VPN rather than local?
>>
>> t
>>
>> On 6/27/06 8:34 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>
>>> How about RPC/HTTP? That gives him full Outlook functionality without requiring VPN.
>>>
>>> Or use Jim's suggestion -- I've used the same trick and it works a treat.
>>>
>>> HTH,
>>> Tom
>>>
>>> Thomas W Shinder, M.D.
>>> Site: www.isaserver.org <http://www.isaserver.org/>
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
>>> MVP -- ISA Firewalls
>>>
>>>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Glenn P. JOHNSTON
>>>> Sent: Tuesday, June 27, 2006 10:29 PM
>>>> To: isalist@xxxxxxxxxxxxx
>>>> Subject: RE: [isalist] Re: Error establishing a VPN to the ISA server
>>>>
>>>> I'm told he refuses to use OWA as he can't sync his mail with the OST on his notebook. There is just no helping some people, no matter how hard you try to be helpful and solve their problem, they just refuse all help on principle!
>>>>
>>>> Also they passed on to me, that in his yelling and screaming he's demanding to know "Why someone did not realise this would happen, and get it fixed beforehand, so I can get my e-mail"
>>>>
>>>> I really feel sorry for the IT guy at the site, he's in his early 20's, finished a development oriented IT degree last year, is quite bright really, but is still just learning the finer points of the winserver environment, supporting XP etc, and is working toward his MCSE, having passed the first 2 exams in the last couple of months. He reports to this Director, and from what I can see, gets one hell of a serve from him as soon as anything a little bit odd occurs.
>>>>
>>>> I can't see a way around this, without the Director having to do something out of the ordinary, which apparently, is just not an option, and have just told them that.
>>>>
>>>> I've suggested the only possible way, I can see, is to go out and purchase a wireless broadband card from someone local, get it on the net, set up a notebook with it and his e-mail, and get it express couriered to him. He'd have it early evening or first thing in the morning.
>>>>
>>>> There was a choking sound on the other end of the phone, "but then he'd have to carry 2 notebooks back!" and "What do I do if he gets it and it does not work?" ..................................
>>>>
>>>> Find another job came to mind..
>>>>
>>>> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of God)
>>>> Sent: Wed 28/Jun/2006 12:49
>>>> To: isalist@xxxxxxxxxxxxx
>>>> Subject: [isalist] Re: Error establishing a VPN to the ISA server
>>>>
>>>> http://www.ISAserver.org
>>>> -------------------------------------------------------
>>>>
>>>> Well, it would have worked other than the gw on the hotel being the same as the SBS box... Bad luck there. But, I've had to do this several times for the exact same scenario with my people. Seems the Marriott and I thought alike in our IP schemes ;)
>>>>
>>>> You could always just add another IP address to the SBS box (well, you could if it were a "regular" server install-- I don't know what you'd have to go through on SBS to do that.) That would work, though.
>>>>
>>>> Not much we can do about a guy who wants to scream more than get the job done, though. I'd tell him that if he wanted his email to STFU and do what was needed. It's not like it is anyone's "fault." There are other options you have, but they would all require him doing *something*.
>>>>
>>>> I'm assuming that OWA is not an option for some reason?
>>>>
>>>> t
>>>>
>>>> On 6/27/06 7:37 PM, "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx> spoketh to all:
>>>>
>>>>> > The internal IP of the SBS server is 192.168.110.2, G/W on the hotel BB service is also 192.168.110.2 unfortunately!
>>>>> >
>>>>> > I tried the static route on my home ADSL service by changing the internal private IP to match the Hotel's to play with, and everything else works, I can get to the internet and other clients' networks fine, but I can not get to anything on the remote network after the tunnel is connected, of the client with the problem.
>>>>> >
>>>>> > Putting the static route in I doubt will work anyway, the fellow will probably just yell and scream as soon as he is asked to do anything remotely technical, expecting it to be magically fixed from this end.
>>>>> >
>>>>> > ________________________________
>>>>> >
>>>>> > From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of God)
>>>>> > Sent: Wed 28/Jun/2006 12:27
>>>>> > To: isalist@xxxxxxxxxxxxx
>>>>> > Subject: [isalist] Re: Error establishing a VPN to the ISA server
>>>>> >
>>>>> > All he has to do is set a static route for the SBS box's IP to the gateway address of the VPN endpoint.
>>>>> >
>>>>> > IOW, if the SBS box is 192.168.110.101, and his PPP VPN interface got assigned something like 192.168.110.11 from the RRAS server (do an IP config to see what ip his PPP adapter is, or look at the RRAS properties of the connection) then you would have him do a:
>>>>> >
>>>>> > ROUTE -p add 192.168.110.101 mask 255.255.255.255 192.168.110.11
>>>>> >
>>>>> > That way, when he attempts to access the SBS server, the request will route down the VPN rather than broadcasting on the "local" 192.168.110.x network.
>>>>> >
>>>>> > t
>>>>> >
>>>>> > On 6/27/06 7:13 PM, "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx> spoketh to all:
>>>>> >
>>>>>> >> Hi,
>>>>>> >>
>>>>>> >> Maybe, maybe not directly an ISA question, and I've posted this in an SBS forum as well, but you people are pretty bright & I thought you might have some worthwhile input on this.
>>>>>> >>
>>>>>> >> One of my clients has an issue with VPN tunnel. This has been in place since Sunday afternoon, but they only rang me this morning.
>>>>>> >>
>>>>>> >> One of their directors is at a week long conference, and the Hotel where he is staying provides an in room broadband service.
>>>>>> >> The BroadBand in the hotel is using a 192.168.110.0/24 address range, the internal address of the client's network at the office is also a 192.168.110.0/24 range.
>>>>>> >>
>>>>>> >> The VPN tunnel establishes fine, and the VPN connector on his notebook gets an address, of course, in the 192.168.110.100 to 192.168.110.199 range of the DHCP server on the SBS server.
>>>>>> >>
>>>>>> >> Once the tunnel is established, he can access nothing on the SBS. This is to be expected as the address ranges are the same, does anyone have any bright ideas on how to get around this. The Director is yelling and screaming about not being able to get his e-mail.
>>>>>> >>
>>>>>> >> Unfortunately he is out of direct reach in another state, and has very little tolerance for such problems.
>>>>>> >>
>>>>>> >> Regards
>>>>>> >> Glenn
>>>>>> >> ------------------------------------------------------
>>>>>> >> List Archives: //www.freelists.org/archives/isalist/
>>>>>> >> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>>>>>> >> ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
>>>>>> >> ISA Server Blogs: http://blogs.isaserver.org/
>>>>>> >> ------------------------------------------------------
>>>>>> >> Visit TechGenix.com for more information about our other sites: http://www.techgenix.com
>>>>>> >> ------------------------------------------------------
>>>>>> >> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
>>>>>> >> Report abuse to listadmin@xxxxxxxxxxxxx
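
Added example, not part of the thread: a small longest-prefix-match model of the client's routing table, using the addresses from the top message, showing why a /32 host route pulls one overlapping address onto the VPN while every other host in the shared subnet stays on the local segment. The interface labels, the /24 mask on the 10.1.1.x pool, the simplified table and the second host 192.168.1.50 are assumptions made for illustration.

```python
import ipaddress

ETH, VPN = "ethernet", "ppp-vpn"   # hypothetical interface labels

def build_table(host_routes=()):
    """Simplified, constructed client routing table using the thread's addresses."""
    table = [
        (ipaddress.ip_network("0.0.0.0/0"), ETH),        # default via hotel gateway
        (ipaddress.ip_network("192.168.1.0/24"), ETH),   # on-link local LAN
        (ipaddress.ip_network("10.1.1.0/24"), VPN),      # RRAS pool (mask assumed)
    ]
    # Each "route add <host> mask 255.255.255.255 <gw>" becomes a /32 entry.
    table += [(ipaddress.ip_network(f"{h}/32"), VPN) for h in host_routes]
    return table

def lookup(table, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    candidates = [(net, ifc) for net, ifc in table if addr in net]
    return max(candidates, key=lambda r: r[0].prefixlen)[1]

def overlaps(local_net, remote_net):
    """True when the local LAN and the remote LAN share address space."""
    return ipaddress.ip_network(local_net).overlaps(ipaddress.ip_network(remote_net))

def route_commands(local_net, remote_hosts, vpn_gateway):
    """One 'route add' per remote host that the local subnet would otherwise claim."""
    local = ipaddress.ip_network(local_net)
    return [f"route add {h} mask 255.255.255.255 {vpn_gateway}"
            for h in remote_hosts if ipaddress.ip_address(h) in local]

if __name__ == "__main__":
    host = "192.168.1.222"
    print("subnets overlap:", overlaps("192.168.1.0/24", "192.168.1.0/24"))
    print("before host route:", lookup(build_table(), host))
    print("after host route: ", lookup(build_table([host]), host))
    print("other remote host:", lookup(build_table([host]), "192.168.1.50"))
    for cmd in route_commands("192.168.1.0/24", [host, "10.1.1.1"], "10.1.1.17"):
        print(cmd)
```

The lookup for 192.168.1.50 still resolves to the local interface, which is the "you would have to do that for every host" point from the message.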