Just to let you know mine is working. The constant hours spent on it must have made me blind as well as stupid. I noticed that the metric to the remote networks was incorrect, changed this morning and the VPN client can ping the local subnet as well as the other 2 remote subnets I am still receiving the configuration error, but have decided to ignore as everything is working. Jim I will get a configuration to you shortly, when I have 5mins !! Paul Crisp Snr Network Support Analyst Telephone: 020 7 827 5201 Email: pcrisp@xxxxxxxxxxxxxxxxx -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: 24 February 2005 14:36 To: [ISAserver.org Discussion List] Subject: [isalist] RE: ISA 2004, VPN, Network behind a network http://www.ISAserver.org Your ISA is complaining correctly - leave that in place. Windows (and therefore ISA) take a rather "global" view on what constitutes a broadcast subnet. Since Windows uses subnet "classing" to determine "all net" broadcast IPs, ISA does too. Consequently, you'll have to keep the 10.255.255.255 subnet in the Internal network if you don't want ISA whining about it not being there. -----Original Message----- From: DJG [mailto:intellihome@xxxxxxxxxxx] Sent: Wednesday, February 23, 2005 9:59 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: ISA 2004, VPN, Network behind a network http://www.ISAserver.org I get the same error if I remove the address range 10.255.255.255 - 10.255.255.255 from the Internal Networks address ranges. So the Internal Network contains 10.4.2.0 - 10.4.2.255 and the above mentioned range. The 10.4.2.0 are assigned by DHCP. The routing table on the ISA includes that route: Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.5 20 10.4.2.0 255.255.255.0 10.4.2.2 10.4.2.2 20 10.4.2.2 255.255.255.255 127.0.0.1 127.0.0.1 20 10.4.2.27 255.255.255.255 127.0.0.1 127.0.0.1 50 10.255.255.255 255.255.255.255 10.4.2.2 10.4.2.2 20 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1 192.168.1.0 255.255.255.0 192.168.1.5 192.168.1.5 20 192.168.1.5 255.255.255.255 127.0.0.1 127.0.0.1 20 192.168.1.255 255.255.255.255 192.168.1.5 192.168.1.5 20 224.0.0.0 240.0.0.0 10.4.2.2 10.4.2.2 20 224.0.0.0 240.0.0.0 192.168.1.5 192.168.1.5 20 255.255.255.255 255.255.255.255 10.4.2.2 10.4.2.2 1 255.255.255.255 255.255.255.255 192.168.1.5 192.168.1.5 1 Default Gateway: 192.168.1.1 This was and is the routing table from the ISA 2004 machine. I have no idea why the 10.255.255.255 route is there. Is this something I should be concerned about? Dan -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Wednesday, February 23, 2005 8:23 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: ISA 2004, VPN, Network behind a network http://www.ISAserver.org Hi Jim, That's what I thought. But I know 100% for honest to goodly sure that mine is correctly configured, and that the error is generated only from time to time when a remote access VPN client calls in. If it happened all the time, I'd be suspicious. I'm even a good boy and use DHCP for VPN client addressing and use on-subnet addresses so no one gets confused :) For example: Alert Information Description: ISA Server detected routes through adapter "LAN" that do not correlate with the network element to which this adapter belongs. The address ranges in conflict are: 192.168.1.155-192.168.1.155;. Fix the network element and/or the routing table to make these ranges consistent; they should be in both or in neither. If you recently created a remote site network, check if the event recurs. If it does not, you may safely ignore this message. The IP address 192.168.1.155, and is delivered via DHCP The Internal Network Definition is 192.168.1.0-192.168.1.255 There are no remote site networks on this ISA firewall I've seen it at other locations where everything is working handy-dandy, so I figure it spurgeonous, or at least the problem below radar range. Tom www.isaserver.org/shinder Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: Wednesday, February 23, 2005 8:39 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: ISA 2004, VPN, Network behind a network http://www.ISAserver.org The message "ISA Server detected routes" is normally caused by misconfigured subnet definitions (VPN included) at the ISA. If you wanna send your ISAInfo, I can help you sort this out. Trying to describe your ISA configuration without it is like listening to Andy spell the word "a" in a single try. -----Original Message----- From: Paul Crisp [mailto:pcrisp@xxxxxxxxxxxxxxxxx] Sent: Wednesday, February 23, 2005 4:24 PM To: [ISAserver.org Discussion List] Subject: [isalist] ISA 2004, VPN, Network behind a network http://www.ISAserver.org OK, I have been racking my brain about this all night. First of all i have successfully installed ISA 2004 and setup VPN access, both client and site-2-site. The problem i am experiencing is this. As a remote access user myself, i want to be able to VPN into our ISA 2004 server (Not a problem in itself, works fine), but i also want to gain access to two other subnets behind our ISA 2004. I have read all of the articles regarding networks behind networks and i have added the relevant ranges both to the Internal network and i have also created the neccessary subnets and i have added manual persistant routes as well. From the ISA server itself i can ping all subnets without a problem, but as a VPN user i can only ever ping the subnet the ISA itself sits on. 1 - What do i need to do to get this to work, i have been working on home on this for the last 6hrs !! ? Next question is, i keep getting this error ISA Server detected routes through adapter "Intel(R) PRO/100+ Server Adapter (PILA8470B) (Microsoft's Packet Scheduler) " that do not correlate with the network element to which this adapter belongs. The address ranges in conflict are: 192.?.?.255-192.?.?.255;192.?.?.0-192.?.?.255;. Fix the network element and/or the routing table to make these ranges consistent; they should be in both or in neither. If you recently created a remote site network, check if the event recurs. If it does not, you may safely ignore this message. 2 - Again i have tried everything to add the correct address range to the network, but this error persists. I did read an article on the ISAServer.org forum and Tom said this can be ignored if all is working, is that correct Tom ? Third and final question is a slightly strange one. RRAS. I have also upgraded another ISA 2000 server to 2004 and although the RRAS does not contain any interfaces apart from the standard physical and loopback interfaces, the ISA server keeps getting this error Description: The VPN connection attempt by user <computername>\WORCESTER_BILL could not be established. The failure is due to error: 0xc0040021 3 - Although i haven't had this specific error with ISA 2000 before, i have experienced interfaces disapearing and then suddenly appearing in RRAS and Windows 2000, can anyone shed any light ? All help is extremely appreciated and if you require anymore information i will be pleased to pass on Regards Paul Crisp Snr Network Support Analyst Metal Bulletin PLC ------------------------------------------------------------------------ ------------------- This e-mail, together with any attachments, is confidential between the sender and addressee(s). If you are not the intended recipient(s)of this e-mail you should not copy it or use it for any purpose nor disclose its contents to any person: to do so may be unlawful. If you have received this e-mail by mistake please notify the sender immediately by e-mail and delete this e-mail and any attachments from your system. To the maximum extent permitted by law, Metal Bulletin PLC accepts no liability for any loss or damage resulting from unauthorised use of this email or any attachment or from unauthorised use of any information contained or implied in the email or attachments. Metal Bulletin PLC gives no warranty as to the security, accuracy or completeness of this e-mail, or any attachments, after it has been sentnor does it accept responsibility for any errors or omissions in the contents of this message which arise as a result of the e-mail transmission. The views and opinions of the sender are not necessarily those of Metal Bulletin Plc Metal Bulletin PLC takes care to check all outgoing emails but any liability for any loss or damage resulting from any viruses that might accompany this email or any attachments is excluded to the fullest extent permitted by law. If you have reason to believe that this email or any attachment is contaminated with any form of virus please delete it from your system and advise us by return. Metal Bulletin PLC reserves the right to monitor incoming and outgoing emails to investigate or detect any unauthorised use of our system or any other email system. As a result, we may monitor who is sending and/or receiving email, the subject of emails and the content of emails and we may collect related personal information about you within our email system. We will use this information for the purposes set out above and may also disclose it to relevant regulatory authorities. Metal Bulletin PLC is a company registered in England and Wales under registered number 142215 and whose registered office is at 3 Park Terrace, Worcester Park, Surrey, KT4 7HY, England. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: intellihome@xxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: pcrisp@xxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx