Because it doesn¹t matter what the VPN subnet is. You could have a million VPN¹s with a million different subnets and it won¹t make a bit of difference if the destination IP is the same subnet as the local interface. You would have to dual-home your entire network with 2 different VPN¹s to avoid this. In a ³single box² solution that Tom outlined, having multiple VPN¹s with multiple subnets and multiple matching IP¹s bound to the single interface would work, but only for that one box, and only for one ³fake² IP at a time unless you created multiple boxes with multiple VPN endpoints. t On 6/28/06 11:20 AM, "D PIETRUSZKA USWRN INTERLINK INFRA" <DPietruszka@xxxxxx> spoketh to all: > Why not just create two VPN¹s, one with 1 subnet and the other one with > another subnet, you won¹t have this problem again no matter on which hotel > your customer stay. > For us OWA/RPC HTTP don¹t work because we use RSA to authenticate user on OWA. > > > Regards > Diego R. Pietruszka > > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On > Behalf Of Thor (Hammer of God) > Sent: Wednesday, June 28, 2006 1:57 PM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: Error establishing a VPN to the ISA server > > Until the one you switch to is on a 10. network and all the work Tom did with > the internal IP stuff is all for naught. ;) > > I¹m telling ya... This is becoming way more and more common. I¹m surprised to > see this dude¹s hotel on 192.168.110 (I really am) but it¹s actually becoming > more common for some of my people to be on conflicting nets, particularly when > they give you a 10.0.0.0 address on a 255.0.0.0 subnet. Hence the need for a > localized NAT solution? OWA/RCPoHTTP is fine when all you need is email stuff, > but when you¹ve got to be RDP¹ing into multiple servers, accessing SQL boxes, > hitting VoIP equipment, etc., publishing scenarios just don¹t cut it... > > I¹ve tried lots of different things at varying degrees of complexity (like a > virtual pc install, Kerio routing tricks, KY jelly, etc) but I¹ve found that > keeping things limited to the ³plug THIS into THAT, then plug THAT into the > OTHER THING² mentality is the best. > > That¹s really why most of my mobile people have the high speed EVDO solutions > (we use verizon) so that we don¹t really have to worry about it. Hotel > connections are usually way faster, but EVDO works all the time (most of the > time, anyway). > > I can actually envision a market for a little USB device that NAT¹s the > connection all the time for the true ³road warrior² that spends a lot of time > on other people¹s networks. > > t > > > On 6/28/06 7:51 AM, "Jonathon J. Howey" <Jonathon@xxxxxxxx> spoketh to all: > A non-technical solution: Wouldn't it of been easier to tell the Directory to > switch hotels? :p > > But then that wouldn't be any fun for you guys... > > Jonathon J. Howey > MENSE Inc. > P 780.409.5620 > F 780.409.5621 > D 780.409.5628 > C 780.965.8363 > Jonathon@xxxxxxxx > > Defining the Future of Transportation > www.MENSE.ca <http://www.mense.ca/> > > > > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] > <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Thomas W Shinder > Sent: June 28, 2006 8:31 AM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: Error establishing a VPN to the ISA server > > Nice tip! > Thanks! > > Thomas W Shinder, M.D. > Site: www.isaserver.org <http://www.isaserver.org/> > Blog: http://blogs.isaserver.org/shinder/ > Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> > MVP -- ISA Firewalls > > > > > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] > <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Thor (Hammer of God) > Sent: Wednesday, June 28, 2006 9:19 AM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: Error establishing a VPN to the ISA server > > > You¹ll still hit it. The router will be given the local IP just like a lappy > would, and you¹ll hit it via the NAT¹d connection. Do it all the time. > > t > > > On 6/28/06 6:51 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to > all: > > > What if that broadband router has to interact with a log on page? > > Thomas W Shinder, M.D. > Site: www.isaserver.org <http://www.isaserver.org/> > Blog: http://blogs.isaserver.org/shinder/ > Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> > MVP -- ISA Firewalls > > > > > > > > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] > <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Glenn P. JOHNSTON > Sent: Tuesday, June 27, 2006 11:18 PM > To: isalist@xxxxxxxxxxxxx > Subject: RE: [isalist] Re: Error establishing a VPN to the ISA server > > > > Plan is, I am going to take; > > > > 1. > 2. A linksys 4 port BB router, to plug in between the hotels BB, and his > notebook, which I think will do the trick nicely. > 3. > 4. > 5. A wireless broadband card, just in case. > 6. > 7. > 8. A second notebook with the companys SOE on it, also just in case. > 9. > 10. > 11. My Wife, it will be a nice little day or two away for us. > > > > > > > > > > From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of God) > Sent: Wed 28/Jun/2006 14:06 > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: Error establishing a VPN to the ISA server > > > > > http://www.ISAserver.org > ------------------------------------------------------- > > You gonna add a new IP to the server, bring a little NAT router, or both? > ;) > > t > > > On 6/27/06 9:00 PM, "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx> spoketh > to all: > >> > I don't believe it. >> > >> > I've just been offered a return first class plane ticket, a nights >> > accomodation, 2 nights if need be, all expenses + how ever many hours it >> takes >> > at my normal hourly rate to go see the director in person and fix this >> for him >> > so he can get his e-mail ! >> > >> > "Well I'll loose a whole day on this", "Fine, then charge us for every >> hour >> > your away, just get it fixed !" >> > >> > >> > >> > ________________________________ >> > >> > From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of God) >> > Sent: Wed 28/Jun/2006 13:45 >> > To: isalist@xxxxxxxxxxxxx >> > Subject: [isalist] Re: Error establishing a VPN to the ISA server >> > >> > >> > >> > http://www.ISAserver.org >> > ------------------------------------------------------- >> > >> > OWA would be a great "backup" solution in the rare case where the local >> > Ethernet LAN is the same logical subnet as their own offices, even if he >> > couldn't sync. But, in your case of having a jackass for a client, >> you're >> > kind of stuck. >> > >> > An easier thing to do would be to get a little Linksys NAT router to >> stick >> > in between. Plug the hotel ethernet to the "Internet" port, and plug >> the >> > laptop into a "LAN" port. That way he'll get a local 192.168.1 address >> and >> > have no problems. Plus, there is no configuration needed at all. The >> > defaults will work just fine. Just plug it in and go. >> > >> > t >> > >> > >> > On 6/27/06 8:29 PM, "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx> >> spoketh >> > to all: >> > >>> >> I'm told he refuses to use OWA as he can't sync his mail with the OST >>> on his >>> >> notebook. There is just no helping some people, no matter how hard you >>> try to >>> >> be helpful and solve their problem, they just refuse all help on >>> principle ! >>> >> >>> >> Also they passed on to me, that in his yelling and screaming his >>> demanding to >>> >> know 'Why someone did not realise this would happen, and get it fixed >>> before >>> >> hand, so I can get my e-mail" >>> >> >>> >> I really feel sorry for the IT guy at the site, his early 20's, >>> finished a >>> >> development oriented IT degree last year, is quite bright really, but is >>> >> still >>> >> just learning the finer points of the winserver environment, supporting XP >>> >> etc, and it working toward his MCSE, having passed the first 2 exams in >>> the >>> >> last couple of months. He reports to this Director, and from what I can >>> see, >>> >> gets one hell of a serve from him as soon as anything a little bit odd >>> >> occurs. >>> >> >>> >> I can't see a away around this, without the Director having to do >>> something >>> >> out of the ordinary, which apparently, is just not an option, and have >>> just >>> >> told them that. >>> >> >>> >> I've suggested the only possibly way, I can see, is to go out and >>> purchase a >>> >> wireless broadband card from someone local, get it on the net, set up a >>> >> notebook with it and his e-mail, and get it express couriered to him. >>> He'd >>> >> have it early eveing or first thing in the morning. >>> >> >>> >> There was a chocking sound on the other end of the phone, "but then >>> he'd have >>> >> to carry 2 notebooks back ! " and "What do I do if he gets it and it >>> does not >>> >> work ?" .................................. >>> >> >>> >> Find another job came to mind.. >>> >> >>> >> ________________________________ >>> >> >>> >> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of God) >>> >> Sent: Wed 28/Jun/2006 12:49 >>> >> To: isalist@xxxxxxxxxxxxx >>> >> Subject: [isalist] Re: Error establishing a VPN to the ISA server >>> >> >>> >> >>> >> >>> >> http://www.ISAserver.org >>> >> ------------------------------------------------------- >>> >> >>> >> Well, it would have worked other than the gw on the hotel being the >>> same as >>> >> the SBS box... Bad luck there. But, I've had to do this several times >>> for >>> >> the exact same scenario with my people. Seems the Marriott and I >>> thought >>> >> alike in our IP schemes ;) >>> >> >>> >> You could always just add another IP address to the SBS box (well, you >>> could >>> >> if it were a "regular" server install-- I don't know what you'd have to go >>> >> through on SBS to do that.) That would work, though. >>> >> >>> >> Not much we can do about a guy who wants to scream more than get the >>> job >>> >> done, though. I'd tell him that if he wanted his email to STFU and do >>> what >>> >> was needed. It's not like it is anyone's "fault." There are other >>> options >>> >> you have, but they would all require him doing *something*. >>> >> >>> >> I'm assuming that OWA is not an option for some reason? >>> >> >>> >> t >>> >> >>> >> >>> >> On 6/27/06 7:37 PM, "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx> >>> spoketh >>> >> to all: >>> >> >>>> >>> The internal IP of the SBS server is 192.168.110.2, G/W on the hotel BB >>>> >>> service is also 192.168.110.2 unfortunately ! >>>> >>> >>>> >>> I tried the static route on my home ADSL service by changing the >>>> internal >>>> >>> private IP to match the Hotel's to play with, and everything else >>>> works, I >>>> >>> can >>>> >>> get to the internet and other clients networks fine, but I can not >>>> get to >>>> >>> anything on the remote network after the tunnel is connected, of the >>>> client >>>> >>> with the problem. >>>> >>> >>>> >>> Putting the static route in I doubt will work anyway, the fellow will >>>> >>> probably >>>> >>> just yell and scream as soon as he is asked to do anything remotely >>>> >>> technical, >>>> >>> expecting it to be magically fixed from this end. >>>> >>> >>>> >>> ________________________________ >>>> >>> >>>> >>> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of God) >>>> >>> Sent: Wed 28/Jun/2006 12:27 >>>> >>> To: isalist@xxxxxxxxxxxxx >>>> >>> Subject: [isalist] Re: Error establishing a VPN to the ISA server >>>> >>> >>>> >>> >>>> >>> >>>> >>> http://www.ISAserver.org >>>> >>> ------------------------------------------------------- >>>> >>> >>>> >>> All he has to do is set a static route for the SBS box's IP to the >>>> gateway >>>> >>> address of the VPN endpoint. >>>> >>> >>>> >>> IOW, if the SBS box is 192.168.110.101, and his PPP VPN interface got >>>> >>> assigned something like 192.168.110.11 from the RRAS server (do an >>>> IP config >>>> >>> to see what ip his PPP adapter is, or look at the RRAS properties of the >>>> >>> connection) then you would have him do a: >>>> >>> >>>> >>> ROUTE -p add 192.168.110.101 mask 255.255.255.255 192.168.110.11 >>>> >>> >>>> >>> That way, when he attempts to access the SBS server, the request will >>>> route >>>> >>> down the VPN rather than broadcasting on the "local" 192.168.110.x >>>> network. >>>> >>> >>>> >>> t >>>> >>> >>>> >>> >>>> >>> On 6/27/06 7:13 PM, "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx> >>>> spoketh >>>> >>> to all: >>>> >>> >>>>> >>>> http://www.ISAserver.org >>>>> >>>> ------------------------------------------------------- >>>>> >>>> >>>>> >>>> Hi, >>>>> >>>> >>>>> >>>> Maybe, maybe not directly and ISA question, and I've posted this in >>>>> an SBS >>>>> >>>> forum as well, but you people are pretty bright & I thought you >>>>> might have >>>>> >>>> some worth while input on this. >>>>> >>>> >>>>> >>>> One of my clients has an issue with VPN tunnel. This has been >>>>> inplace since >>>>> >>>> Sunday afternoon, but they only rang me this morning. >>>>> >>>> >>>>> >>>> One of their directors is at a week long conference, and the Hotel >>>>> where he >>>>> >>>> is >>>>> >>>> staying, has provides an in room broadband service. >>>>> >>>> The BroadBand in the hotel is using a 192.168.110.0/24 address >>>>> range, the >>>>> >>>> internal address of the clients network at the office is also a >>>>> >>>> 192.168.110.0/24 range. >>>>> >>>> >>>>> >>>> The VPN tunnel establishes fine, and the VPN connector on his >>>>> notebook get >>>>> >>>> an >>>>> >>>> address, of course, in the 192.168.110.100 to 192.168.110.199 range >>>>> of the >>>>> >>>> DHCP server on the SBS server. >>>>> >>>> >>>>> >>>> Once the tunnel is established, he can acess nothing on the SBS. >>>>> This is to >>>>> >>>> be >>>>> >>>> expected as the address ranges are the same, does anyone have any >>>>> bright >>>>> >>>> idea's on how to get around this. The Director is yelling and >>>>> screaming >>>>> >>>> about >>>>> >>>> not being able to get his e-mail. >>>>> >>>> >>>>> >>>> Unfortunately he is out out direct reach in another state, and has very >>>>> >>>> little >>>>> >>>> tolerance for such problems. >>>>> >>>> >>>>> >>>> Regards >>>>> >>>> Glenn >>>>> >>>> ------------------------------------------------------ >>>>> >>>> List Archives: //www.freelists.org/archives/isalist/ >>>>> >>>> ISA Server Newsletter: >>>>> http://www.isaserver.org/pages/newsletter.asp >>>>> >>>> ISA Server Articles and Tutorials: >>>>> >>>> http://www.isaserver.org/articles_tutorials/ >>>>> >>>> ISA Server Blogs: http://blogs.isaserver.org/ >>>>> >>>> ------------------------------------------------------ >>>>> >>>> Visit TechGenix.com for more information about our other sites: >>>>> >>>> http://www.techgenix.com >>>>> >>>> ------------------------------------------------------ >>>>> >>>> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp >>>>> >>>> Report abuse to listadmin@xxxxxxxxxxxxx >>>>> >>>> >>>>> >>>> >>>>> >>>> >>>> >>> >>>> >>> >>>> >>> ------------------------------------------------------ >>>> >>> List Archives: //www.freelists.org/archives/isalist/ >>>> >>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp >>>> >>> ISA Server Articles and Tutorials: >>>> >>> http://www.isaserver.org/articles_tutorials/ >>>> >>> ISA Server Blogs: http://blogs.isaserver.org/ >>>> >>> ------------------------------------------------------ >>>> >>> Visit TechGenix.com for more information about our other sites: >>>> >>> http://www.techgenix.com >>>> >>> ------------------------------------------------------ >>>> >>> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp >>>> >>> Report abuse to listadmin@xxxxxxxxxxxxx >>>> >>> >>>> >>> >>>> >>> >>> >> >>> >> >>> >> ------------------------------------------------------ >>> >> List Archives: //www.freelists.org/archives/isalist/ >>> >> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp >>> >> ISA Server Articles and Tutorials: >>> >> http://www.isaserver.org/articles_tutorials/ >>> >> ISA Server Blogs: http://blogs.isaserver.org/ >>> >> ------------------------------------------------------ >>> >> Visit TechGenix.com for more information about our other sites: >>> >> http://www.techgenix.com >>> >> ------------------------------------------------------ >>> >> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp >>> >> Report abuse to listadmin@xxxxxxxxxxxxx >>> >> >>> >> >>> >> >> > >> > >> > ------------------------------------------------------ >> > List Archives: //www.freelists.org/archives/isalist/ >> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp >> > ISA Server Articles and Tutorials: >> > http://www.isaserver.org/articles_tutorials/ >> > ISA Server Blogs: http://blogs.isaserver.org/ >> > ------------------------------------------------------ >> > Visit TechGenix.com for more information about our other sites: >> > http://www.techgenix.com >> > ------------------------------------------------------ >> > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp >> > Report abuse to listadmin@xxxxxxxxxxxxx >> > >> > >> > > > > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx > > > > >