[isalist] Re: Error establishing a VPN to the ISA server

Because it doesn¹t matter what the VPN subnet is. You could have a million
VPN¹s with a million different subnets and it won¹t make a bit of difference
if the destination IP is the same subnet as the local interface.  You would
have to dual-home your entire network with 2 different VPN¹s to avoid this.

In a ³single box² solution that Tom outlined, having multiple VPN¹s with
multiple subnets and multiple matching IP¹s bound to the single interface
would work, but only for that one box, and only for one ³fake² IP at a time
unless you created multiple boxes with multiple VPN endpoints.

t


On 6/28/06 11:20 AM, "D PIETRUSZKA USWRN INTERLINK INFRA"
<DPietruszka@xxxxxx> spoketh to all:

> Why not just create two VPN¹s, one with 1 subnet and the other one with
> another subnet, you won¹t have this problem again no matter on which hotel
> your customer stay.
> For us OWA/RPC HTTP don¹t work because we use RSA to authenticate user on OWA.
>  
> 
> Regards
> Diego R. Pietruszka
>  
> 
> 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thor (Hammer of God)
> Sent: Wednesday, June 28, 2006 1:57 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a VPN to the ISA server
>  
> Until the one you switch to is on a 10. network and all the work Tom did with
> the internal IP stuff is all for naught.  ;)
> 
> I¹m telling ya... This is becoming way more and more common.  I¹m surprised to
> see this dude¹s hotel on 192.168.110 (I really am) but it¹s actually becoming
> more common for some of my people to be on conflicting nets, particularly when
> they give you a 10.0.0.0 address on a 255.0.0.0 subnet.   Hence the need for a
> localized NAT solution? OWA/RCPoHTTP is fine when all you need is email stuff,
> but when you¹ve got to be RDP¹ing into multiple servers, accessing SQL boxes,
> hitting VoIP equipment, etc., publishing scenarios just don¹t cut it...
> 
> I¹ve tried lots of different things at varying degrees of complexity (like a
> virtual pc install, Kerio routing tricks, KY jelly, etc) but I¹ve found that
> keeping things limited to the ³plug THIS into THAT, then plug THAT into the
> OTHER THING² mentality is the best.
> 
> That¹s really why most of my mobile people have the high speed EVDO solutions
> (we use verizon) so that we don¹t really have to worry about it.  Hotel
> connections are usually way faster, but EVDO works all the time (most of the
> time, anyway). 
> 
> I can actually envision a market for a little USB device that NAT¹s the
> connection all the time for the true ³road warrior² that spends a lot of time
> on other people¹s networks.
> 
> t  
> 
> 
> On 6/28/06 7:51 AM, "Jonathon J. Howey" <Jonathon@xxxxxxxx> spoketh to all:
> A non-technical solution: Wouldn't it of been easier to tell the Directory to
> switch hotels? :p
> 
> But then that wouldn't be any fun for you guys...
> 
> Jonathon J. Howey
> MENSE Inc.
> P 780.409.5620
> F 780.409.5621
> D 780.409.5628
> C 780.965.8363
> Jonathon@xxxxxxxx
>  
> Defining the Future of Transportation
> www.MENSE.ca <http://www.mense.ca/>
>  
>  
>  
> 
> 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Thomas W Shinder
> Sent: June 28, 2006 8:31 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a VPN to the ISA server
> 
> Nice tip!
> Thanks!
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
> 
>  
> 
>  
> 
> 
> From: isalist-bounce@xxxxxxxxxxxxx  [mailto:isalist-bounce@xxxxxxxxxxxxx]
> <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Thor (Hammer of  God)
> Sent: Wednesday, June 28, 2006 9:19 AM
> To:  isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a  VPN to the ISA server
> 
>  
> You¹ll still hit it.  The router will be given  the local IP just like a lappy
> would, and you¹ll hit it via the NAT¹d  connection.  Do it all the time.
> 
> t
> 
> 
> On 6/28/06 6:51 AM,  "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to
> all:
> 
>  
> What if that broadband router has to interact with a log on  page?
> 
> Thomas W Shinder,  M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> MVP  -- ISA Firewalls
> 
>  
> 
>  
> 
>  
>  
> 
> 
> From: isalist-bounce@xxxxxxxxxxxxx   [mailto:isalist-bounce@xxxxxxxxxxxxx]
> <mailto:isalist-bounce@xxxxxxxxxxxxx%5d>  On Behalf Of Glenn P.  JOHNSTON
> Sent: Tuesday, June  27, 2006 11:18 PM
> To:   isalist@xxxxxxxxxxxxx
> Subject: RE: [isalist] Re: Error  establishing  a VPN to the ISA server
> 
>  
>  
> Plan is, I am going to  take;
> 
>  
>  
> 1.  
> 2. A linksys 4 port BB  router, to  plug in between the hotels BB, and his
> notebook, which  I think will do the  trick nicely.
> 3.  
> 4.  
> 5. A wireless broadband  card, just in  case.
> 6.  
> 7.  
> 8. A second notebook  with the companys SOE on it,  also just in case.
> 9.  
> 10.  
> 11. My Wife, it will be a  nice little day or two  away for us.
> 
> 
>  
>  
>  
> 
> 
> 
>  
> From:   isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of  God)
> Sent:  Wed 28/Jun/2006 14:06
> To:  isalist@xxxxxxxxxxxxx
> Subject:  [isalist] Re: Error  establishing a VPN to the ISA server
> 
>  
>  
> 
> http://www.ISAserver.org
> -------------------------------------------------------
>  
> You   gonna add a new IP to the server, bring a little NAT router, or  both?
> ;)
> 
> t
> 
> 
> On 6/27/06 9:00 PM, "Glenn P. JOHNSTON"   <glenn.johnston@xxxxxxxxxxx> spoketh
> to all:
> 
>> > I  don't  believe it.
>> > 
>> > I've just been offered a return  first class  plane ticket, a nights
>> > accomodation, 2 nights if  need be, all expenses  + how ever many hours it
>> takes
>> > at my  normal hourly rate to go see the  director in person and fix this
>> for  him
>> > so he can get his e-mail  !
>> > 
>> > "Well I'll  loose a whole day on this", "Fine, then  charge us for every
>> hour
>> > your away, just get it fixed  !"
>> > 
>> >  
>> >
>> >  ________________________________
>> >
>> >  From:  isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of  God)
>> > Sent:  Wed 28/Jun/2006 13:45
>> > To:  isalist@xxxxxxxxxxxxx
>> > Subject:  [isalist] Re: Error  establishing a VPN to the ISA  server
>> >
>> >
>> >
>> >  http://www.ISAserver.org
>> >   -------------------------------------------------------
>> >  
>> >  OWA would be a great "backup" solution in the rare case  where the  local
>> > Ethernet LAN is the same logical subnet as  their own offices,  even if he
>> > couldn't sync.  But, in  your case of having a jackass  for a client,
>> you're
>> > kind of  stuck.
>> >
>> > An easier thing to  do would be to get a  little Linksys NAT router to
>> stick
>> > in  between.  Plug  the hotel ethernet to the "Internet" port, and plug  >>
the
>> >  laptop into a "LAN" port.  That way he'll get a local  192.168.1  address
>> and
>> > have no problems.  Plus, there is no   configuration needed at all.  The
>> > defaults will work  just  fine.  Just plug it in and go.
>> >
>> >  t
>> >
>> >
>> >  On 6/27/06 8:29 PM, "Glenn P. JOHNSTON"  <glenn.johnston@xxxxxxxxxxx>
>> spoketh
>> > to  all:
>> >
>>> >> I'm told he refuses to use OWA as  he can't  sync his mail with the OST
>>> on his
>>> >> notebook. There is just   no helping some people, no matter how hard you
>>> try to
>>> >> be  helpful  and solve their problem, they just refuse all help on
>>> principle  !
>>> >>
>>> >> Also they passed on to me, that  in his yelling and  screaming his
>>> demanding to
>>> >> know 'Why  someone did not realise this  would happen, and get it fixed
>>> before
>>> >> hand, so I can get my   e-mail"
>>> >>
>>> >> I really feel sorry for the IT guy  at the  site, his early 20's,
>>> finished a
>>> >> development  oriented IT degree  last year, is quite bright really, but
is
>>> >> still
>>> >> just  learning the finer points of  the winserver environment, supporting
XP
>>> >> etc, and it  working toward his MCSE, having passed the first 2  exams in
>>> the
>>> >> last couple of months. He reports to this Director,   and from what I can
>>> see,
>>> >> gets one hell of a serve from  him as soon  as anything a little bit odd
>>> >>  occurs.
>>> >>
>>> >> I  can't see a away around this,  without the Director having to do
>>> something
>>> >> out of the  ordinary, which apparently, is just not an  option, and have
>>> just
>>> >> told them that.
>>> >>
>>> >> I've   suggested the only possibly way, I can see, is to go out and
>>> purchase  a
>>> >> wireless broadband card from someone local,  get it on the  net,  set up
a
>>> >> notebook with it and  his e-mail, and get it  express couriered to him.
>>> He'd
>>> >>  have it early eveing or first thing  in the  morning.
>>> >>
>>> >> There was a chocking sound on the   other end of the phone, "but then
>>> he'd have
>>> >> to carry 2  notebooks  back ! " and "What do I do if he gets it and it
>>> does  not
>>> >> work ?"   ..................................
>>> >>
>>> >> Find  another job  came to mind..
>>> >>
>>> >>   ________________________________
>>> >>
>>> >> From:   isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of  God)
>>> >>  Sent: Wed 28/Jun/2006 12:49
>>> >> To:  isalist@xxxxxxxxxxxxx
>>> >>  Subject: [isalist] Re: Error  establishing a VPN to the ISA   server
>>> >>
>>> >>
>>> >>
>>> >> http://www.ISAserver.org
>>> >>   -------------------------------------------------------
>>> >>
>>> >>   Well, it would have worked other than the gw on the hotel being the
>>> same  as
>>> >> the SBS box... Bad luck there.  But, I've  had to do this  several times
>>> for
>>> >> the exact same scenario  with my people.   Seems the Marriott and I
>>> thought
>>> >>  alike in our IP schemes  ;)
>>> >>
>>> >> You could always  just add another IP address to the  SBS box (well, you
>>> could
>>> >> if it were a "regular" server install-- I  don't  know what you'd have to
go
>>> >> through on SBS to do that.)    That would work, though.
>>> >>
>>> >> Not much we  can do about a  guy who wants to scream more than get the
>>> job
>>> >> done, though.   I'd tell him that if he wanted  his email to STFU and do
>>> what
>>> >> was  needed.  It's not  like it is anyone's "fault."  There are other
>>> options
>>> >> you have, but they would all require him doing   *something*.
>>> >>
>>> >> I'm assuming that OWA is not an  option  for some reason?
>>> >>
>>> >>  t
>>> >>
>>> >>
>>> >>  On 6/27/06 7:37 PM, "Glenn P.  JOHNSTON" <glenn.johnston@xxxxxxxxxxx>
>>> spoketh
>>> >> to  all:
>>> >>
>>>> >>> The internal IP of the  SBS server  is 192.168.110.2, G/W on the hotel
BB
>>>> >>> service is   also 192.168.110.2 unfortunately !
>>>> >>>
>>>> >>> I  tried the  static route on my home ADSL service by changing the
>>>> internal
>>>> >>>  private IP to match the Hotel's to play  with, and everything else
>>>> works,  I
>>>> >>>  can
>>>> >>> get to the internet and other clients  networks  fine, but I can not
>>>> get  to
>>>> >>> anything on the   remote network after the tunnel is connected, of the
>>>> client
>>>> >>>  with the  problem.
>>>> >>>
>>>> >>> Putting the static route in   I doubt will work anyway, the fellow will
>>>> >>>   probably
>>>> >>> just yell and scream as soon as he is asked  to do  anything remotely
>>>> >>> technical,
>>>> >>>  expecting it to  be magically fixed from this  end.
>>>> >>>
>>>> >>>   ________________________________
>>>> >>>
>>>> >>>  From:  isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of  God)
>>>> >>>  Sent: Wed 28/Jun/2006 12:27
>>>> >>> To:   isalist@xxxxxxxxxxxxx
>>>> >>> Subject: [isalist] Re: Error   establishing a VPN to the ISA   server
>>>> >>>
>>>> >>>
>>>> >>>
>>>> >>>  http://www.ISAserver.org
>>>> >>>   -------------------------------------------------------
>>>> >>>
>>>> >>>   All he has to do is set a static route for the SBS box's IP to the
>>>> gateway
>>>> >>> address of the VPN   endpoint.
>>>> >>>
>>>> >>> IOW, if the SBS box is   192.168.110.101, and his PPP VPN interface got
>>>> >>>  assigned  something like 192.168.110.11 from the RRAS server (do an
>>>> IP  config
>>>> >>> to see what ip his PPP adapter is, or look  at the RRAS  properties of
the
>>>> >>> connection) then you  would have him do  a:
>>>> >>>
>>>> >>> ROUTE -p add  192.168.110.101 mask  255.255.255.255  192.168.110.11
>>>> >>>
>>>> >>> That way, when  he  attempts to access the SBS server, the request will
>>>> route
>>>> >>>   down the VPN rather than broadcasting on the "local" 192.168.110.x
>>>> network.
>>>> >>>
>>>> >>>   t
>>>> >>>
>>>> >>>
>>>> >>> On 6/27/06 7:13  PM, "Glenn  P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx>
>>>> spoketh
>>>> >>> to  all:
>>>> >>>
>>>>> >>>>  http://www.ISAserver.org
>>>>> >>>>   -------------------------------------------------------
>>>>> >>>>
>>>>> >>>>   Hi,
>>>>> >>>>
>>>>> >>>> Maybe, maybe not  directly and ISA  question, and I've posted this in
>>>>> an  SBS
>>>>> >>>> forum as well,  but you people are pretty  bright & I thought you
>>>>> might  have
>>>>> >>>> some worth  while input on  this.
>>>>> >>>>
>>>>> >>>> One of  my clients has an issue  with VPN tunnel. This has been
>>>>> inplace  since
>>>>> >>>> Sunday  afternoon, but they only rang me  this  morning.
>>>>> >>>>
>>>>> >>>> One of their  directors is at  a week long conference, and the Hotel
>>>>> where  he
>>>>> >>>>  is
>>>>> >>>> staying, has provides  an in room broadband  service.
>>>>> >>>> The BroadBand in  the hotel is using a  192.168.110.0/24 address
>>>>> range,  the
>>>>> >>>> internal address of  the clients network at  the office is also a
>>>>> >>>>  192.168.110.0/24  range.
>>>>> >>>>
>>>>> >>>> The VPN  tunnel   establishes fine, and the VPN connector on his
>>>>> notebook   get
>>>>> >>>> an
>>>>> >>>> address, of course,  in the  192.168.110.100 to 192.168.110.199 range
>>>>> of  the
>>>>> >>>> DHCP  server on the SBS  server.
>>>>> >>>>
>>>>> >>>> Once the  tunnel is  established, he can acess nothing on the SBS.
>>>>> This is   to
>>>>> >>>> be
>>>>> >>>> expected as the  address ranges  are the same, does anyone have any
>>>>> bright
>>>>> >>>> idea's on how to  get around this. The  Director is yelling and
>>>>> screaming
>>>>> >>>>   about
>>>>> >>>> not being able to get his   e-mail.
>>>>> >>>>
>>>>> >>>> Unfortunately he is  out out  direct reach in another state, and has
very
>>>>> >>>>  little
>>>>> >>>> tolerance for  such  problems.
>>>>> >>>>
>>>>> >>>>  Regards
>>>>> >>>>  Glenn
>>>>> >>>>   ------------------------------------------------------
>>>>> >>>>   List Archives: http://www.freelists.org/archives/isalist/
>>>>> >>>>   ISA Server Newsletter:
>>>>> http://www.isaserver.org/pages/newsletter.asp
>>>>> >>>>   ISA Server Articles and Tutorials:
>>>>> >>>> http://www.isaserver.org/articles_tutorials/
>>>>> >>>>   ISA Server Blogs: http://blogs.isaserver.org/
>>>>> >>>>   ------------------------------------------------------
>>>>> >>>>   Visit TechGenix.com for more information about our other   sites:
>>>>> >>>> http://www.techgenix.com
>>>>> >>>>   ------------------------------------------------------
>>>>> >>>>  To  unsubscribe visit http://www.isaserver.org/pages/isalist.asp
>>>>> >>>>   Report abuse to   listadmin@xxxxxxxxxxxxx
>>>>> >>>>
>>>>> >>>>
>>>>> >>>>
>>>> >>>
>>>> >>>
>>>> >>>   ------------------------------------------------------
>>>> >>>  List  Archives: http://www.freelists.org/archives/isalist/
>>>> >>>   ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>>>> >>>   ISA Server Articles and Tutorials:
>>>> >>> http://www.isaserver.org/articles_tutorials/
>>>> >>>   ISA Server Blogs: http://blogs.isaserver.org/
>>>> >>>   ------------------------------------------------------
>>>> >>>  Visit  TechGenix.com for more information about our other  sites:
>>>> >>> http://www.techgenix.com
>>>> >>>   ------------------------------------------------------
>>>> >>>  To  unsubscribe visit http://www.isaserver.org/pages/isalist.asp
>>>> >>>   Report abuse to   listadmin@xxxxxxxxxxxxx
>>>> >>>
>>>> >>>
>>>> >>>
>>> >>
>>> >>
>>> >>   ------------------------------------------------------
>>> >>  List  Archives: http://www.freelists.org/archives/isalist/
>>> >>   ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>>> >>   ISA Server Articles and Tutorials:
>>> >> http://www.isaserver.org/articles_tutorials/
>>> >>   ISA Server Blogs: http://blogs.isaserver.org/
>>> >>   ------------------------------------------------------
>>> >>  Visit  TechGenix.com for more information about our other  sites:
>>> >> http://www.techgenix.com
>>> >>   ------------------------------------------------------
>>> >>  To  unsubscribe visit http://www.isaserver.org/pages/isalist.asp
>>> >>   Report abuse to   listadmin@xxxxxxxxxxxxx
>>> >>
>>> >>
>>> >>
>> >
>> >
>> >   ------------------------------------------------------
>> > List  Archives:  http://www.freelists.org/archives/isalist/
>> >   ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>> >   ISA Server Articles and Tutorials:
>> > http://www.isaserver.org/articles_tutorials/
>> >   ISA Server Blogs: http://blogs.isaserver.org/
>> >   ------------------------------------------------------
>> > Visit   TechGenix.com for more information about our other sites:
>> > http://www.techgenix.com
>> >   ------------------------------------------------------
>> > To  unsubscribe  visit http://www.isaserver.org/pages/isalist.asp
>> >   Report abuse to   listadmin@xxxxxxxxxxxxx
>> >
>> >
>> >
> 
> 
> ------------------------------------------------------
> List   Archives: http://www.freelists.org/archives/isalist/
> ISA  Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA   Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA   Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit   TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To   unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report   abuse to  listadmin@xxxxxxxxxxxxx
>  
>  
>  
>  
> 


Other related posts: