[isalist] Re: VPN Client to access additional network

  • From: Danny <nocmonkey@xxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Fri, 30 Nov 2007 21:18:05 -0500

Thanks, Tom. So, we'll add the 172./16 network to the ISA Internal network
and from cmd on the ISA server we should do a: route add 172.16.0.0 mask
255.255.0.0 192.168.0.4?

Cheers.

On Nov 30, 2007 11:27 AM, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:

>  Hi Danny,
>
> In that case, you should add all the addresses on the 172./16 network to
> the definition of the Default Internal Network.
>
> You don't need to create any Subnet Network Objects.
>
> This will prevent spoofing errors when the packets from the 172./16 subnet
> arrive at the internal interface of the ISA Firewall.
>
> The ISA Firewall needs to be configured with a routing table entry that
> provides the correct gateway address that the VPN clients can use to reach
> the 172./16 network.
>
> In addition, the router needs to be configured with a gateway address to
> reach the network ID that you're using for your VPN clients. The gateway
> address to this network ID that the router will use is the address of the
> NIC representing the "root" of the default Internal network.
>
> People often remember the routing table entry on the ISA Firewall, which
> allows the packets to reach the destination, but forget to enter the
> information on the routers that's required for the responses to make their
> way back to the ISA Firewall.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
> ------------------------------
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Danny
> Sent: Friday, November 30, 2007 10:12 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: VPN Client to access additional network
>
>  Tom,
>
> Definitely the Internal network is closest; here is a rough diagram of the
> logical path of packets with source address 192.168.0.100 and
> destination address 172.16.0.100:
>
> Default GW on LAN switch 192.168.0.2 -> via static route -> Frame Relay
> Router 192.168.0.4 -> via Frame Relay network  -> Destination server
> 172.16.0.100.
>
> Jim, sorry - which router in the diagram are you referring to?
>
> Thanks.
>
> On Nov 30, 2007 9:46 AM, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
>
> >  What you need to determine is what ISA Firewall Network (not subnet,
> > etc) that the 172.16.0.0/16 addresses should belong to.
> >
> > What NIC on the ISA Firewall is closest to the 172. network?
> >
> > Tom
> >
> >
> > ------------------------------
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Danny
> > Sent: Friday, November 30, 2007 8:30 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: VPN Client to access additional network
> >
> > Yes, on the first point. None that I recall. So, it is advised to
> > create a new Network definition for the 172.16.0.0/16 subnet and create
> > a policy that permits the VPN Client access to the network? Will this take
> > care of all the routing then?
> >
> > Thanks.
> >
> > On Nov 30, 2007 9:17 AM, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> >
> > >  OK, client is a member of the VPN Clients Network.
> > >
> > > Destination -- what ISA Firewall Network does that belong to?
> > >
> > > Tom
> > >
> > >
> > > ------------------------------
> > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Danny
> > > Sent: Friday, November 30, 2007 7:38 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: VPN Client to access additional network
> > >
> > > The VPN Client is coming in through the Internet/External NIC. The
> > > destination subnet is an extension of the Internal network.
> > >
> > > I am not sure that answered your question, though! Please advise.
> > >
> > > Thanks, Dr. Shinder.
> > >
> > > On Nov 29, 2007 10:43 PM, Thomas W Shinder <tshinder@xxxxxxxxxxx>
> > > wrote:
> > >
> > > > What ISA Firewall Network is the client on?
> > > >
> > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > > On Behalf Of Danny
> > > > Sent: Thursday, November 29, 2007 9:29 PM
> > > > To: isalist@xxxxxxxxxxxxx
> > > > Subject: [isalist] VPN Client to access additional network
> > > >
> > > >
> > > >
> > > > Challenge: ISA 2004 VPN client is unable to connect to additional
> > > > (172.16.0.0/16) network via LAN (192.168.0.2/24) default gateway
> > > > supplied by LAN DHCP server.
> > > >
> > > > ISA Internal NIC: 192.168.0.250
> > > > ISA External NIC: 123.123.123.123 (i.e. public IP)
> > > >
> > > > Default Gateway IP on LAN: 192.168.0.2
> > > > Router IP connected to 172.16.0.0 Network: 192.168.0.3 (static route
> > > > on DGW for 172.16.0.0 network points to this router)
> > > >
> > > > DHCP supplied VPN client:
> > > > IP: 192.168.0.150
> > > > Default Gateway: <same as above>
> > > >
> > > > VPN client pings 172.16.0.10 IP, result is request timed out.
> > > > Traceroute times out with unlabeled (*) network hops.
> > > >
> > > > VPN firewall policy permits All Outbound from VPN Clients to All
> > > > Protected Networks. I am thinking I should create a new Network
> > > > definition and update the policy and/or ensure the new network is
> > > > included in the All Protected Networks definition.
> > > >
> > > > I am reviewing <http://www.isaserver.org/articles/2004netinnet.html>
> > > > and
> > > > <http://blogs.technet.com/sbs/archive/2007/11/29/network-behind-a-network.aspx>,
> > > > trying to figure out what options or what would be the best practice
> > > > on how to configure ISA and/or the network to accommodate this
> > > > requirement?
> > > >
> > > > Thank you for your assistance.
> > >
> > > --
> > > CPDE - Certified Petroleum Distribution Engineer
> > > CCBC - Certified Canadian Beer Consumer
> > >
> > >
> >
> >
>
>


-- 
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
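Tom's answer lists three things that all have to line up for a VPN client to reach the 172./16 network behind the frame-relay router: the ISA Firewall needs a route to 172.16.0.0/16 via the router on the LAN, the router needs a return route for the VPN client network ID pointing at the ISA internal NIC, and 172.16.0.0/16 has to be part of the Internal network definition so the replies are not dropped as spoofed on the internal interface. The following script is an added example and not part of the thread or of ISA itself; it models those three checks with a longest-prefix lookup and a per-interface source check so the three failure modes can be seen side by side. Addresses are taken from the thread (router as 192.168.0.4, per Danny's last message); the VPN client pool 10.10.10.0/24, the "frame-relay" and "external default gateway" next-hop labels are constructed so that the router's return route is an explicit entry, as in Tom's description, rather than a LAN address handed out by DHCP.

```python
"""Model the ISA-side and router-side checks from the thread (constructed example)."""
from ipaddress import ip_address, ip_network

# From the thread. The router address follows Danny's last message (192.168.0.4).
ISA_INTERNAL_NIC = "192.168.0.250"
FRAME_RELAY_ROUTER = "192.168.0.4"
REMOTE_SERVER = "172.16.0.100"
# Constructed: a separate network ID for VPN clients, as in Tom's reply.
VPN_CLIENT = "10.10.10.100"


def lookup(routes, dst):
    """Longest-prefix match over a {prefix: next_hop} table; None if no route."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop in routes.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def source_allowed(isa_networks, iface, src):
    """ISA's spoof check: a packet entering a NIC must carry a source address
    that belongs to the ISA Network rooted at that NIC."""
    return any(ip_address(src) in ip_network(n) for n in isa_networks[iface])


def check_path(cfg, client=VPN_CLIENT, server=REMOTE_SERVER):
    """Return the problems a VPN-client-to-172.16/16 flow hits under cfg."""
    problems = []
    # 1. Forward: ISA must hand the packet to the frame-relay router on the LAN.
    hop = lookup(cfg["isa_routes"], server)
    if hop != FRAME_RELAY_ROUTER:
        problems.append(f"ISA routes {server} via {hop}, not {FRAME_RELAY_ROUTER}")
    # 2. Return: the router must send replies for the VPN network ID to ISA.
    back = lookup(cfg["router_routes"], client)
    if back != ISA_INTERNAL_NIC:
        problems.append(f"router routes reply to {client} via {back}, not {ISA_INTERNAL_NIC}")
    # 3. Spoof check on the reply as it enters the ISA internal NIC.
    if not source_allowed(cfg["isa_networks"], "internal", server):
        problems.append(f"reply from {server} dropped as spoofed on internal NIC")
    return problems


# Starting point from the first mail: no 172./16 anywhere on ISA, router knows
# only its LAN and the frame-relay side. Next-hop labels are constructed.
BROKEN = {
    "isa_networks": {"internal": ["192.168.0.0/24"]},
    "isa_routes": {"192.168.0.0/24": "direct", "0.0.0.0/0": "external default gateway"},
    "router_routes": {"192.168.0.0/24": "direct", "172.16.0.0/16": "frame-relay"},
}

# ISA side fixed: 172./16 added to the Internal network and a route added,
# i.e. "route add -p 172.16.0.0 mask 255.255.0.0 192.168.0.4" on the ISA box
# (-p makes the entry persistent). Router still forgotten, as Tom warns.
HALF_FIXED = {
    "isa_networks": {"internal": ["192.168.0.0/24", "172.16.0.0/16"]},
    "isa_routes": {**BROKEN["isa_routes"], "172.16.0.0/16": FRAME_RELAY_ROUTER},
    "router_routes": dict(BROKEN["router_routes"]),
}

# Router also given the return route to the VPN network ID via the ISA internal NIC.
FIXED = {
    **HALF_FIXED,
    "router_routes": {**HALF_FIXED["router_routes"], "10.10.10.0/24": ISA_INTERNAL_NIC},
}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("half fixed", HALF_FIXED), ("fixed", FIXED)):
        print(f"{name}: {check_path(cfg) or 'ok'}")
```

The half-fixed case is the one Tom calls out: the forward route and the network definition are in place, so the VPN client's packets reach the server, but the router has no idea that 10.10.10.0/24 lives behind 192.168.0.250 and the replies never come back, which looks exactly like the timed-out pings and starred traceroute hops in the first mail.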
