[isalist] Re: Error establishing a VPN to the ISA server

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 28 Jun 2006 07:22:29 -0700

Right, but that won't solve the problem in this case because the
"destination network" is the same as the "local" network he is already on.
ARP's will use broadcast on the local segment to get to the "destination"
because it is on the local subnet.

You've gotta remember that the "issue" is present because his internal
destination LAN is the same subnet structure (by happenstance) as the local
hotel's.

Let's say my internal LAN is 192.168.1.x.  Your internal LAN is also
192.168.1.x.  You assign a range of 10.1.1.x to VPN RRAS clients.  I connect
up to your external IP RRAS, and am given a 10.1.1.17 IP for my PPP adapter.
If your host.shinder.com is 192.168.1.222, and I try to ping it, my stack
will route that request to my local Ethernet segment because my local subnet
is _already on_ 192.168.1.0 255.255.255.0.  If I wanted to actually hit your
host via the VPN, I would have to do a:
"Route add 192.168.1.222 mask 255.255.255.255 10.1.1.17" to force the route
via the VPN gateway.  I could use a -p if I wanted, but probably wouldn't
since I would get a different address the next time...  And you would have
to do that for every host unless you had a high range or something on the
other side and you could subnet it out further with a different mask...

t




On 6/28/06 6:47 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to
all:

> Hi Tim,
>  
> If I assign an off-subnet address to the internal interface of ISA firewall,
> and then create a static address pool for the VPN clients that are also
> assigned to the same static address pool (such as the autonet addresses), and
> then the VPN clients get the PPP interface set to that autonet network ID and
> forward connections to the autonet network ID through the PPP interface to the
> autonet IP address I assigned to the internal interface of the ISA firewall.
>  
> Make sensei?
>  
> Tom
>  
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
> 
>  
> 
>>  
>>  
>> 
>>  From: isalist-bounce@xxxxxxxxxxxxx  [mailto:isalist-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Thor (Hammer of  God)
>> Sent: Tuesday, June 27, 2006 10:42 PM
>> To:  isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Re: Error establishing a  VPN to the ISA server
>> 
>>  
>> I don't understand... If the local Ethernet by chance uses the same logical
>> subnet as the corporate office, how is changing the VPN's assigned IP going
>> to make host destinations on the local subnet route down the VPN rather than
>> local?
>> 
>> t
>> 
>> 
>> On 6/27/06 8:34 PM,  "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to
>> all:
>> 
>>  
>>> How about RPC/HTTP? That gives him full Outlook functionality without
>>> requiring VPN.
>>> 
>>> Or use Jim's suggestion -- I've used the same trick and it works a treat.
>>> 
>>> HTH,
>>> Tom
>>> 
>>> Thomas W Shinder,  M.D.
>>> Site: www.isaserver.org <http://www.isaserver.org/>
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
>>> MVP  -- ISA Firewalls
>>> 
>>>  
>>> 
>>>  
>>>> 
>>>>  
>>>>  
>>>> 
>>>>  From: isalist-bounce@xxxxxxxxxxxxx   [mailto:isalist-bounce@xxxxxxxxxxxxx]
>>>> On Behalf Of Glenn P.  JOHNSTON
>>>> Sent: Tuesday, June  27, 2006 10:29 PM
>>>> To:   isalist@xxxxxxxxxxxxx
>>>> Subject: RE: [isalist] Re: Error  establishing  a VPN to the ISA server
>>>> 
>>>>  
>>>>  
>>>>  
>>>> I'm told he refuses to use OWA as he can't sync his mail with the OST on
>>>> his notebook. There is just no helping some people, no matter how hard
>>>> you try to be helpful and solve their problem, they just refuse all help
>>>> on principle!
>>>>
>>>> Also they passed on to me that, in his yelling and screaming, he's
>>>> demanding to know "Why someone did not realise this would happen, and get
>>>> it fixed before hand, so I can get my e-mail"
>>>>
>>>> I really feel sorry for the IT guy at the site, he's early 20's, finished
>>>> a development oriented IT degree last year, is quite bright really, but
>>>> is still just learning the finer points of the winserver environment,
>>>> supporting XP etc, and is working toward his MCSE, having passed the
>>>> first 2 exams in the last couple of months. He reports to this Director,
>>>> and from what I can see, gets one hell of a serve from him as soon as
>>>> anything a little bit odd occurs.
>>>>
>>>> I can't see a way around this, without the Director having to do
>>>> something out of the ordinary, which apparently, is just not an option,
>>>> and have just told them that.
>>>>
>>>> I've suggested the only possible way, I can see, is to go out and
>>>> purchase a wireless broadband card from someone local, get it on the net,
>>>> set up a notebook with it and his e-mail, and get it express couriered to
>>>> him. He'd have it early evening or first thing in the morning.
>>>>
>>>> There was a choking sound on the other end of the phone, "but then he'd
>>>> have to carry 2 notebooks back!" and "What do I do if he gets it and it
>>>> does not work?" ...
>>>>
>>>> Find another job came to mind..
>>>> 
>>>> 
>>>>  
>>>>  
>>>> 
>>>>  From: isalist-bounce@xxxxxxxxxxxxx on  behalf  of Thor (Hammer of God)
>>>> Sent: Wed 28/Jun/2006  12:49
>>>> To:  isalist@xxxxxxxxxxxxx
>>>> Subject:  [isalist] Re: Error establishing a  VPN to the ISA  server
>>>> 
>>>>  
>>>>  
>>>> 
>>>> http://www.ISAserver.org
>>>> -------------------------------------------------------
>>>>  
>>>> Well, it would have worked other than the gw on the hotel being the same
>>>> as the SBS box... Bad luck there.  But, I've had to do this several times
>>>> for the exact same scenario with my people.  Seems the Marriott and I
>>>> thought alike in our IP schemes ;)
>>>>
>>>> You could always just add another IP address to the SBS box (well, you
>>>> could if it were a "regular" server install-- I don't know what you'd have
>>>> to go through on SBS to do that.)  That would work, though.
>>>>
>>>> Not much we can do about a guy who wants to scream more than get the job
>>>> done, though.  I'd tell him that if he wanted his email to STFU and do
>>>> what was needed.  It's not like it is anyone's "fault."  There are other
>>>> options you have, but they would all require him doing *something*.
>>>>
>>>> I'm assuming that OWA is not an option for some reason?
>>>> 
>>>> t
>>>> 
>>>> 
>>>> On 6/27/06 7:37 PM, "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx>
>>>> spoketh to all:
>>>> 
>>>>> > The internal IP of the SBS server is 192.168.110.2, G/W on the hotel BB
>>>>> > service is also 192.168.110.2 unfortunately!
>>>>> >
>>>>> > I tried the static route on my home ADSL service by changing the internal
>>>>> > private IP to match the Hotel's to play with, and everything else works, I
>>>>> > can get to the internet and other clients networks fine, but I can not get
>>>>> > to anything on the remote network after the tunnel is connected, of the
>>>>> > client with the problem.
>>>>> >
>>>>> > Putting the static route in I doubt will work anyway, the fellow will
>>>>> > probably just yell and scream as soon as he is asked to do anything
>>>>> > remotely technical, expecting it to be magically fixed from this end.
>>>>> >
>>>>> >   ________________________________
>>>>> >
>>>>> > From:   isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of  God)
>>>>> > Sent:  Wed 28/Jun/2006 12:27
>>>>> > To:  isalist@xxxxxxxxxxxxx
>>>>> > Subject:  [isalist] Re: Error  establishing a VPN to the ISA  server
>>>>> >
>>>>> >
>>>>> >
>>>>> >  
>>>>> > All he has to do is set a static route for the SBS box's IP to the gateway
>>>>> > address of the VPN endpoint.
>>>>> >
>>>>> > IOW, if the SBS box is 192.168.110.101, and his PPP VPN interface got
>>>>> > assigned something like 192.168.110.11 from the RRAS server (do an IP
>>>>> > config to see what ip his PPP adapter is, or look at the RRAS properties of
>>>>> > the connection) then you would have him do a:
>>>>> >
>>>>> > ROUTE -p add 192.168.110.101 mask 255.255.255.255 192.168.110.11
>>>>> >
>>>>> > That way, when he attempts to access the SBS server, the request will route
>>>>> > down the VPN rather than broadcasting on the "local" 192.168.110.x network.
>>>>> >
>>>>> > t
>>>>> >
>>>>> >
>>>>> > On 6/27/06 7:13 PM, "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx>
>>>>> > spoketh to all:
>>>>> >
>>>>>> >>
>>>>>> >> Hi,
>>>>>> >>
>>>>>> >> Maybe, maybe not directly an ISA question, and I've posted this in an SBS
>>>>>> >> forum as well, but you people are pretty bright & I thought you might have
>>>>>> >> some worthwhile input on this.
>>>>>> >>
>>>>>> >> One of my clients has an issue with a VPN tunnel. This has been in place
>>>>>> >> since Sunday afternoon, but they only rang me this morning.
>>>>>> >>
>>>>>> >> One of their directors is at a week long conference, and the Hotel where he
>>>>>> >> is staying provides an in room broadband service.
>>>>>> >> The BroadBand in the hotel is using a 192.168.110.0/24 address range, the
>>>>>> >> internal address of the clients network at the office is also a
>>>>>> >> 192.168.110.0/24 range.
>>>>>> >>
>>>>>> >> The VPN tunnel establishes fine, and the VPN connector on his notebook gets
>>>>>> >> an address, of course, in the 192.168.110.100 to 192.168.110.199 range of
>>>>>> >> the DHCP server on the SBS server.
>>>>>> >>
>>>>>> >> Once the tunnel is established, he can access nothing on the SBS. This is to
>>>>>> >> be expected as the address ranges are the same, does anyone have any bright
>>>>>> >> ideas on how to get around this. The Director is yelling and screaming
>>>>>> >> about not being able to get his e-mail.
>>>>>> >>
>>>>>> >> Unfortunately he is out of direct reach in another state, and has very
>>>>>> >> little tolerance for such problems.
>>>>>> >>
>>>>>> >> Regards
>>>>>> >> Glenn
>>>>>> >>   ------------------------------------------------------
>>>>>> >>  List  Archives: //www.freelists.org/archives/isalist/
>>>>>> >>   ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>>>>>> >>   ISA Server Articles and Tutorials:
>>>>>> >> http://www.isaserver.org/articles_tutorials/
>>>>>> >>   ISA Server Blogs: http://blogs.isaserver.org/
>>>>>> >>   ------------------------------------------------------
>>>>>> >>  Visit  TechGenix.com for more information about our other  sites:
>>>>>> >> http://www.techgenix.com
>>>>>> >>   ------------------------------------------------------
>>>>>> >>  To  unsubscribe visit http://www.isaserver.org/pages/isalist.asp
>>>>>> >>   Report abuse to   listadmin@xxxxxxxxxxxxx
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>> 
>>>> 
>>>> 
>>> 
>> 
> 
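
The routing decision described in the top message, modelled as a longest-prefix-match lookup. This is an added example, not part of the original thread; the hotel gateway 192.168.1.1, the interface names and the metrics are assumed, and the /26 route generalises the "subnet it out further with a different mask" remark.

```python
import ipaddress
from typing import NamedTuple

class Route(NamedTuple):
    dest: ipaddress.IPv4Network
    gateway: str      # "on-link" means the stack ARPs directly on that segment
    iface: str
    metric: int

def route(dest, gateway, iface, metric=10):
    return Route(ipaddress.ip_network(dest), gateway, iface, metric)

def lookup(table, host):
    """Pick the route an IP stack would use: longest prefix, then lowest metric."""
    ip = ipaddress.ip_address(host)
    matches = [r for r in table if ip in r.dest]
    return max(matches, key=lambda r: (r.dest.prefixlen, -r.metric))

# Constructed client table after the VPN connects. Addresses follow the post;
# the hotel gateway 192.168.1.1 and all metrics are assumptions.
BASE = [
    route("0.0.0.0/0", "10.1.1.17", "ppp", metric=1),         # VPN default route
    route("0.0.0.0/0", "192.168.1.1", "ethernet", metric=20),  # hotel default route
    route("192.168.1.0/24", "on-link", "ethernet"),            # hotel LAN, same as office
    route("10.1.1.17/32", "on-link", "ppp"),                   # client's PPP address
]

# The "route add 192.168.1.222 mask 255.255.255.255 10.1.1.17" host route.
HOST_ROUTE = route("192.168.1.222/32", "10.1.1.17", "ppp")
# Narrower-mask variant: office hosts confined to the top quarter of the /24.
RANGE_ROUTE = route("192.168.1.192/26", "10.1.1.17", "ppp")

def egress(table, host):
    """Interface the packet to `host` would leave on."""
    return lookup(table, host).iface

if __name__ == "__main__":
    hosts = ("192.168.1.222", "192.168.1.50", "10.9.9.9")
    for name, table in [("no extra route", BASE),
                        ("host route", BASE + [HOST_ROUTE]),
                        ("/26 route", BASE + [RANGE_ROUTE])]:
        print(f"{name:15}", {h: egress(table, h) for h in hosts})
```

Even with the VPN holding the preferred default route, the on-link /24 is more specific and keeps office-subnet traffic on the hotel segment; only a longer prefix pointing at the PPP interface overrides it.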

