[isalist] Re: VPN Client to access additional network

No; don't create a network definition.
DG for hosts in 172.16 cannot point to a router holding a 192.168 address.  
Does this router also have an IP in the 172/16 network?


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Danny
Sent: Friday, November 30, 2007 6:30 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Client to access additional network

Yes, on the first point. None that I recall. So, it is advised to create a new 
Network definition for the 172.16.0.0/16 subnet and create a policy that 
permits the VPN Client access to the network? Will this take care of all the 
routing then?

Thanks.
On Nov 30, 2007 9:17 AM, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
OK, client is a member of the VPN Clients Network.

Destination -- what ISA Firewall Network does that belong to?

Tom


Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)


________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Danny
Sent: Friday, November 30, 2007 7:38 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Client to access additional network

The VPN Client is coming in through the Internet/External NIC. The destination 
subnet is an extension of the Internal network.

I am not sure that answered your question, though! Please advise.

Thanks, Dr. Shinder.
On Nov 29, 2007 10:43 PM, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:

What ISA Firewall Network is the client on?



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Danny
Sent: Thursday, November 29, 2007 9:29 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] VPN Client to access additional network



Challenge: ISA 2004 VPN client is unable to connect to additional 
(172.16.0.0/16) network via LAN (192.168.0.2/24) default gateway supplied by 
LAN DHCP server.

ISA Internal NIC: 192.168.0.250
ISA External NIC: 123.123.123.123 (i.e. Public IP)

Default Gateway IP on LAN: 192.168.0.2
Router IP connected to 172.16.0.0 Network: 192.168.0.3 (static route on DGW 
for 172.16.0.0 network points to this router)

DHCP supplied VPN client:
IP: 192.168.0.150
Default Gateway: <same as above>

VPN client pings 172.16.0.10 IP, result is request timed out. Traceroute times 
out with unlabeled (*) network hops.

VPN firewall policy permits All Outbound from VPN Clients to All Protected 
Networks. I am thinking I should create a new Network definition and update the 
policy and/or ensure the new network is included in the All Protected Networks 
definition.

I am reviewing <http://www.isaserver.org/articles/2004netinnet.html> and 
<http://blogs.technet.com/sbs/archive/2007/11/29/network-behind-a-network.aspx>, 
trying to figure out what options or what would be the best practice on how to 
configure ISA and/or the network to accommodate this requirement?

Thank you for your assistance.






--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


