[isalist] Re: VPN Client to access additional network

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 30 Nov 2007 10:27:16 -0600

Hi Danny,
 
In that case, you should add all the addresses on the 172./16 network to
the definition of the Default Internal Network.
 
You don't need to create any Subnet Network Objects.
 
This will prevent spoofing errors when the packets from the 172./16 subnet
arrive at the internal interface of the ISA Firewall.
 
The ISA Firewall needs to be configured with a routing table entry that
provides the correct gateway address that the VPN clients can use to
reach the 172./16 network.
 
In addition, the router needs to be configured with a gateway address to
reach the network ID that you're using for your VPN clients. The gateway
address to this network ID that the router will use is the address of
the NIC representing the "root" of the default Internal network.
 
People often remember the routing table entry on the ISA Firewall, which
allows the packets to reach the destination, but forget to enter the
information on the routers that is required for the responses to make
their way back to the ISA Firewall.
 
HTH,
Tom
 
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)
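The three things Tom's reply asks for (the destination range inside the Default Internal Network definition, a route on the ISA Firewall toward the LAN router, and a return route on that router pointing at the ISA internal NIC) can be checked mechanically. The block below is an added example, not ISA Server code and not from the list thread: it is a small model that reproduces the reasoning in the post, with a longest-prefix route lookup and the spoof rule that a packet's source must belong to the Firewall Network bound to the NIC it arrives on (ISA treats anything not in another network as External). The addresses are taken from the thread except the assumed ISA default gateway 123.123.123.1 and an assumed static VPN address pool 10.10.10.0/24 on its own network ID, which is the case Tom's last paragraph is about. The "broken" topology has the ISA route but neither the network definition nor the router's return route; the "fixed" one has all three.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    gateway: Optional[IPv4Address] = None  # None: directly connected


@dataclass
class Device:
    name: str
    routes: List[Route]
    # NIC name (= ISA Firewall Network bound to it) -> NIC address/mask
    nics: Dict[str, IPv4Interface] = field(default_factory=dict)
    # ISA Firewall Network name -> address ranges in its definition
    networks: Dict[str, List[IPv4Network]] = field(default_factory=dict)


def longest_match(routes: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Ordinary longest-prefix-match lookup, as any host routing table does."""
    hits = [r for r in routes if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def exit_nic(dev: Device, route: Route) -> Optional[str]:
    """NIC a route leaves by: the one whose subnet holds the next hop
    (or the prefix itself when the route is directly connected)."""
    hop = route.gateway if route.gateway is not None else route.prefix.network_address
    for name, iface in dev.nics.items():
        if hop in iface.network:
            return name
    return None


def network_of(isa: Device, addr: IPv4Address) -> str:
    """ISA Firewall Network containing addr; anything not explicitly
    defined elsewhere falls into External."""
    for name, ranges in isa.networks.items():
        if any(addr in n for n in ranges):
            return name
    return "External"


def diagnose(isa: Device, router: Device, client: str, dest: str) -> List[str]:
    """Model of the checks in the post: forward route on ISA, spoof check
    on the reply, return route on the LAN router. Returns problems found."""
    client_ip, dest_ip = IPv4Address(client), IPv4Address(dest)
    problems: List[str] = []
    fwd = longest_match(isa.routes, dest_ip)
    if fwd is None:
        return [f"ISA has no route at all to {dest_ip}"]
    nic = exit_nic(isa, fwd)
    if fwd.prefix.prefixlen == 0:
        problems.append(f"ISA reaches {dest_ip} only via its default route out the "
                        f"{nic} NIC; add a static route for that network via the LAN router")
    # The reply comes back in through `nic` with source address dest_ip;
    # ISA logs a spoof unless that address is in the network bound to `nic`.
    net = network_of(isa, dest_ip)
    if net != nic:
        problems.append(f"spoof: {dest_ip} arrives on the {nic} NIC but is in the "
                        f"{net} network definition, not {nic}")
    ret = longest_match(router.routes, client_ip)
    if ret is None:
        problems.append(f"router has no route back to VPN client {client_ip}")
    elif ret.gateway is not None and ret.gateway != isa.nics["Internal"].ip:
        problems.append(f"router sends replies for {client_ip} to {ret.gateway}, "
                        f"not to the ISA internal NIC")
    return problems


# Constructed topology from the thread (assumed: ISP gateway and VPN pool).
ISA_INTERNAL = IPv4Address("192.168.0.250")
LAN_ROUTER = IPv4Address("192.168.0.3")      # router toward 172.16.0.0/16
REMOTE_NET = IPv4Network("172.16.0.0/16")
VPN_POOL = IPv4Network("10.10.10.0/24")      # assumed static VPN address pool


def build(fixed: bool) -> Tuple[Device, Device]:
    internal_def = [IPv4Network("192.168.0.0/24")] + ([REMOTE_NET] if fixed else [])
    isa = Device("ISA", routes=[
        Route(IPv4Network("192.168.0.0/24")),
        Route(IPv4Network("0.0.0.0/0"), IPv4Address("123.123.123.1")),  # assumed
        Route(REMOTE_NET, LAN_ROUTER),  # the entry people do remember
    ], nics={"Internal": IPv4Interface("192.168.0.250/24"),
             "External": IPv4Interface("123.123.123.123/24")},
       networks={"Internal": internal_def})
    router_routes = [Route(IPv4Network("192.168.0.0/24")), Route(REMOTE_NET)]
    if fixed:
        router_routes.append(Route(VPN_POOL, ISA_INTERNAL))  # the return route
    return isa, Device("LAN router", router_routes)


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "broken",
              diagnose(*build(fixed), "10.10.10.5", "172.16.0.100"))
```

Run as-is it prints two findings for the broken topology (the spoof on the internal NIC and the missing return route) and none for the fixed one; swap in your own ranges and routes to check a real layout before touching the boxes.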

 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
        Sent: Friday, November 30, 2007 10:12 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: VPN Client to access additional network
        
        
        Tom,
         
        Definitely the Internal network is closest; here is a shady
diagram on the logical path of packets with source address of
192.168.0.100 and destination address of 172.16.0.100:
         
        Default GW on LAN switch 192.168.0.2 -> via static route ->
Frame Relay Router 192.168.0.4 -> via Frame Relay network  ->
Destination server 172.16.0.100.
         
        Jim, sorry - which router in the diagram are you referring to?

        Thanks.
        
        
        On Nov 30, 2007 9:46 AM, Thomas W Shinder <tshinder@xxxxxxxxxxx>
wrote:
        

                What you need to determine is what ISA Firewall Network
(not subnet, etc) that the 172.16.0.0/16 addresses should belong to.
                 
                What NIC on the ISA Firewall is closest to the 172.
network?
                 
                Tom
                 

                 


________________________________

                        
                        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx ] On Behalf Of Danny
                        
                        Sent: Friday, November 30, 2007 8:30 AM 

                        To: isalist@xxxxxxxxxxxxx
                        Subject: [isalist] Re: VPN Client to access
additional network
                        

                        Yes, on the first point. None that I recall. So,
it is advised to create a new Network definition for the 172.16.0.0/16
subnet and create a policy that permits the VPN Client access to the
network? Will this take care of all the routing then? 
                         
                        Thanks.
                        
                        
                        On Nov 30, 2007 9:17 AM, Thomas W Shinder
<tshinder@xxxxxxxxxxx> wrote:
                        

                                OK, client is a member of the VPN
Clients Network.
                                 
                                Destination -- what ISA Firewall Network
does that belong to?
                                 
                                Tom
                                 

                                 


________________________________

                                
                                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx ] On Behalf Of Danny
                                
                                Sent: Friday, November 30, 2007 7:38 AM
                                To: isalist@xxxxxxxxxxxxx
                                Subject: [isalist] Re: VPN Client to
access additional network 
                                
                                
                                The VPN Client is coming in through the
Internet/External NIC. The destination subnet is an extension of the
Internal network.
                                
                                I am not sure that answered your
question, though! Please advise.
                                
                                Thanks, Dr. Shinder. 
                                
                                
                                On Nov 29, 2007 10:43 PM, Thomas W
Shinder <tshinder@xxxxxxxxxxx> wrote:
                                

                                What ISA Firewall Network is the client
on?

                                 

                                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
                                Sent: Thursday, November 29, 2007 9:29
PM
                                To: isalist@xxxxxxxxxxxxx
                                Subject: [isalist] VPN Client to access
additional network

                                 

                                Challenge: ISA 2004 VPN client is unable
to connect to additional (172.16.0.0/16) network via LAN
(192.168.0.2/24) default gateway supplied by LAN DHCP server. 
                                
                                ISA Internal NIC: 192.168.0.250
                                ISA External NIC: 123.123.123.123 (i.e. Public IP)
                                
                                Default Gateway IP on LAN: 192.168.0.2
                                Router IP connected to 172.16.0.0 Network: 192.168.0.3
(static route on DGW for 172.16.0.0 network points to this router)
                                
                                DHCP supplied VPN client:
                                IP: 192.168.0.150
                                Default Gateway: <same as above>
                                
                                VPN client pings 172.16.0.10 IP, result is
request timed out. Traceroute times out with unlabeled (*) network hops. 
                                
                                VPN firewall policy permits All Outbound
from VPN Clients to All Protected Networks. I am thinking I should
create a new Network definition and update the policy and/or ensure the
new network is included in the All Protected Networks definition. 
                                
                                I am reviewing
http://www.isaserver.org/articles/2004netinnet.html and
http://blogs.technet.com/sbs/archive/2007/11/29/network-behind-a-network.aspx,
trying to figure out what options or what would be the best
practice on how to configure ISA and/or the network to accommodate this
requirement? 
                                
                                Thank you for your assistance.
                                
                                
                                
                                
                                




                                -- 
                                CPDE - Certified Petroleum Distribution
Engineer
                                CCBC - Certified Canadian Beer Consumer 








