Thanks, Tom. So, we'll add the 172./16 network to the ISA Internal network and from cmd on the ISA server we should do a:

route add 172.16.0.0 mask 255.255.0.0 192.168.0.4?

Cheers.

On Nov 30, 2007 11:27 AM, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> Hi Danny,
>
> In that case, you should add all the addresses on the 172./16 network to
> the definition of the Default Internal Network.
>
> You don't need to create any Subnet Network Objects.
>
> This will prevent spoofing errors when the packets from the 172./16 subnet
> arrive at the internal interface of the ISA Firewall.
>
> The ISA Firewall needs to be configured with a routing table entry that
> provides the correct gateway address that the VPN clients can use to reach
> the 172./16 network.
>
> In addition, the router needs to be configured with a gateway address to
> reach the network ID that you're using for your VPN clients. The gateway
> address to this network ID that the router will use is the address of the
> NIC representing the "root" of the default Internal network.
>
> People often remember the routing table entry on the ISA Firewall, which allows
> the packets to reach the destination, but forget to enter the information on
> the routers that's required for the responses to make their way back to the
> ISA Firewall.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
> ------------------------------
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Danny
> Sent: Friday, November 30, 2007 10:12 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: VPN Client to access additional network
>
> Tom,
>
> Definitely the Internal network is closest; here is a shady diagram on the
> logical path of packets with source address of 192.168.0.100 and
> destination address of 172.16.0.100:
>
> Default GW on LAN switch 192.168.0.2 -> via static route -> Frame Relay
> Router 192.168.0.4 -> via Frame Relay network -> Destination server
> 172.16.0.100.
>
> Jim, sorry - which router in the diagram are you referring to?
>
> Thanks.
>
> On Nov 30, 2007 9:46 AM, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> > What you need to determine is what ISA Firewall Network (not subnet,
> > etc) that the 172.16.0.0/16 addresses should belong to.
> >
> > What NIC on the ISA Firewall is closest to the 172. network?
> >
> > Tom
> >
> > ------------------------------
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Danny
> > Sent: Friday, November 30, 2007 8:30 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: VPN Client to access additional network
> >
> > Yes, on the first point. None that I recall. So, it is advised to
> > create a new Network definition for the 172.16.0.0/16 subnet and create
> > a policy that permits the VPN Client access to the network? Will this take
> > care of all the routing then?
> >
> > Thanks.
> >
> > On Nov 30, 2007 9:17 AM, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> > > OK, client is a member of the VPN Clients Network.
> > >
> > > Destination -- what ISA Firewall Network does that belong to?
> > >
> > > Tom
> > >
> > > ------------------------------
> > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Danny
> > > Sent: Friday, November 30, 2007 7:38 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: VPN Client to access additional network
> > >
> > > The VPN Client is coming in through the Internet/External NIC. The
> > > destination subnet is an extension of the Internal network.
> > >
> > > I am not sure that answered your question, though! Please advise.
> > >
> > > Thanks, Dr. Shinder.
> > >
> > > On Nov 29, 2007 10:43 PM, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> > > > What ISA Firewall Network is the client on?
> > > >
> > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > > On Behalf Of Danny
> > > > Sent: Thursday, November 29, 2007 9:29 PM
> > > > To: isalist@xxxxxxxxxxxxx
> > > > Subject: [isalist] VPN Client to access additional network
> > > >
> > > > Challenge: ISA 2004 VPN client is unable to connect to additional
> > > > (172.16.0.0/16) network via LAN (192.168.0.2/24) default gateway
> > > > supplied by LAN DHCP server.
> > > >
> > > > ISA Internal NIC: 192.168.0.250
> > > > ISA External NIC: 123.123.123.123 (i.e. Public IP)
> > > >
> > > > Default Gateway IP on LAN: 192.168.0.2
> > > > Router IP connected to 172.16.0.0 Network: 192.168.0.3 (static route
> > > > on DGW for 172.16.0.0 network points to this router)
> > > >
> > > > DHCP supplied VPN client:
> > > > IP: 192.168.0.150
> > > > Default Gateway: <same as above>
> > > >
> > > > VPN client pings 172.16.0.10 IP, result is request timed out.
> > > > Traceroute times out with unlabeled (*) network hops.
> > > >
> > > > VPN firewall policy permits All Outbound from VPN Clients to All
> > > > Protected Networks. I am thinking I should create a new Network definition
> > > > and update the policy and/or ensure the new network is included in the All
> > > > Protected Networks definition.
> > > >
> > > > I am reviewing <http://www.isaserver.org/articles/2004netinnet.html> and
> > > > <http://blogs.technet.com/sbs/archive/2007/11/29/network-behind-a-network.aspx>,
> > > > trying to figure out what options or what would be the best practice on how
> > > > to configure ISA and/or the network to accommodate this requirement?
> > > >
> > > > Thank you for your assistance.

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
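A small model of the three conditions Tom lists in this thread (the destination range inside the Default Internal Network definition so replies pass ISA's spoof check, a route on the ISA Firewall whose gateway sits inside that Network, and a return route on the router behind ISA pointing at ISA's internal NIC), as an added example that is not part of the thread or of ISA itself. The VPN client pool 192.168.0.128/25 and the ISP gateway 123.123.123.1 are assumptions; the other addresses are the ones quoted in the later messages.

```python
from ipaddress import ip_address, ip_network

ISA_INTERNAL_NIC = "192.168.0.250"   # from the thread
INTERNAL = "Internal"                # ISA's Default Internal Network

def next_hop(routes, dst):
    """Longest-prefix match over [(prefix, gateway)]; None when no route."""
    best = None
    for prefix, gw in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def isa_network_of(networks, addr):
    """First ISA Firewall Network whose definition contains addr (External,
    the catch-all, must be listed last)."""
    for name, prefixes in networks.items():
        if any(ip_address(addr) in ip_network(p) for p in prefixes):
            return name
    return None

def check_vpn_path(networks, isa_routes, router_routes, src, dst):
    """The three conditions from the thread for VPN client src reaching dst:
    1. dst is inside the Internal Network, so replies arriving on the
       internal NIC with source dst pass ISA's spoof check;
    2. ISA's route for dst uses a gateway inside the Internal Network, not
       the default route out of the external NIC;
    3. the router behind ISA sends the VPN client address back to ISA's
       internal NIC instead of dead-ending it on the LAN."""
    gw = next_hop(isa_routes, dst)
    result = {
        "spoof_check": isa_network_of(networks, dst) == INTERNAL,
        "isa_gateway": gw if gw and isa_network_of(networks, gw) == INTERNAL else None,
        "router_return_hop": next_hop(router_routes, src),
    }
    result["ok"] = (result["spoof_check"] and result["isa_gateway"] is not None
                    and result["router_return_hop"] == ISA_INTERNAL_NIC)
    return result

# Constructed sample state: addresses from the thread; the ISP gateway
# 123.123.123.1 and the VPN client pool 192.168.0.128/25 are assumptions.
NETWORKS_BEFORE = {INTERNAL: ["192.168.0.0/24"], "External": ["0.0.0.0/0"]}
NETWORKS_AFTER = {INTERNAL: ["192.168.0.0/24", "172.16.0.0/16"], "External": ["0.0.0.0/0"]}
ISA_ROUTES_BEFORE = [("0.0.0.0/0", "123.123.123.1"), ("192.168.0.0/24", ISA_INTERNAL_NIC)]
ISA_ROUTES_AFTER = ISA_ROUTES_BEFORE + [("172.16.0.0/16", "192.168.0.4")]  # route add ... 192.168.0.4
ROUTER_ROUTES_BEFORE = [("192.168.0.0/24", "192.168.0.4"), ("172.16.0.0/16", "192.168.0.4")]
ROUTER_ROUTES_AFTER = ROUTER_ROUTES_BEFORE + [("192.168.0.128/25", ISA_INTERNAL_NIC)]

if __name__ == "__main__":
    print(check_vpn_path(NETWORKS_AFTER, ISA_ROUTES_AFTER, ROUTER_ROUTES_AFTER, "192.168.0.150", "172.16.0.100"))
```

Running it with NETWORKS_AFTER and ISA_ROUTES_AFTER but ROUTER_ROUTES_BEFORE reproduces the half-done case Tom warns about: the forward path is fine, but the router's best route for the VPN client is still its own LAN interface, so ok stays False.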