Hi Danny,

In that case, you should add all the addresses on the 172./16 network to the definition of the Default Internal Network. You don't need to create any Subnet Network Objects. This will prevent spoofing errors when the packets from the 172./16 subnet arrive at the internal interface of the ISA Firewall.

The ISA Firewall needs to be configured with a routing table entry that provides the correct gateway address that the VPN clients can use to reach the 172./16 network. In addition, the router needs to be configured with a gateway address to reach the network ID that you're using for your VPN clients. The gateway address to this network ID that the router will use is the address of the NIC representing the "root" of the default Internal network.

People often remember the routing table entry on the ISA Firewall, which allows the packets to reach the destination, but forget to enter the information on the routers that's required for the responses to make their way back to the ISA Firewall.

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
Sent: Friday, November 30, 2007 10:12 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Client to access additional network

Tom,

Definitely the Internal network is closest; here is a shady diagram of the logical path of packets with source address 192.168.0.100 and destination address 172.16.0.100:

Default GW on LAN switch 192.168.0.2 -> via static route -> Frame Relay Router 192.168.0.4 -> via Frame Relay network -> Destination server 172.16.0.100.

Jim, sorry - which router in the diagram are you referring to?

Thanks.
On Nov 30, 2007 9:46 AM, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:

What you need to determine is what ISA Firewall Network (not subnet, etc.) the 172.16.0.0/16 addresses should belong to. What NIC on the ISA Firewall is closest to the 172. network?

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
Sent: Friday, November 30, 2007 8:30 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Client to access additional network

Yes, on the first point. None that I recall.

So, is it advised to create a new Network definition for the 172.16.0.0/16 subnet and create a policy that permits the VPN Clients access to the network? Will this take care of all the routing then?

Thanks.

On Nov 30, 2007 9:17 AM, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:

OK, the client is a member of the VPN Clients Network. Destination -- what ISA Firewall Network does that belong to?

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
Sent: Friday, November 30, 2007 7:38 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Client to access additional network

The VPN Client is coming in through the Internet/External NIC. The destination subnet is an extension of the Internal network. I am not sure that answered your question, though! Please advise.

Thanks, Dr. Shinder.

On Nov 29, 2007 10:43 PM, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:

What ISA Firewall Network is the client on?
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
Sent: Thursday, November 29, 2007 9:29 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] VPN Client to access additional network

Challenge: an ISA 2004 VPN client is unable to connect to an additional (172.16.0.0/16) network via the LAN (192.168.0.2/24) default gateway supplied by the LAN DHCP server.

ISA Internal NIC: 192.168.0.250
ISA External NIC: 123.123.123.123 (i.e. public IP)
Default Gateway IP on LAN: 192.168.0.2
Router IP connected to 172.16.0.0 Network: 192.168.0.3 (static route on DGW for 172.16.0.0 network points to this router)
DHCP supplied VPN client: IP: 192.168.0.150, Default Gateway: <same as above>

VPN client pings the 172.16.0.10 IP; the result is "request timed out". Traceroute times out with unlabeled (*) network hops.

VPN firewall policy permits All Outbound from VPN Clients to All Protected Networks.

I am thinking I should create a new Network definition and update the policy and/or ensure the new network is included in the All Protected Networks definition. I am reviewing http://www.isaserver.org/articles/2004netinnet.html and http://blogs.technet.com/sbs/archive/2007/11/29/network-behind-a-network.aspx, trying to figure out what options or what would be the best practice on how to configure ISA and/or the network to accommodate this requirement?

Thank you for your assistance.

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
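Tom's caveat about the missing return route, illustrated with an added example that is not from the thread: a small Python model of the two routing tables with longest-prefix lookup, which shows the forward path succeeding while the reply is dropped at the router until it gets a route back to the VPN client network ID. The addresses 192.168.0.250 (ISA internal NIC) and 192.168.0.3 (router) come from Danny's first post; the VPN client pool 10.10.10.0/24 and the router's 172.16.0.1 address are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed topology (an assumption, not the poster's real config): the ISA internal NIC
# and the router's LAN address come from the thread; the VPN pool 10.10.10.0/24 is assumed.
Route = Tuple[str, Optional[str]]  # (prefix, gateway); gateway None = directly connected

NODES: Dict[str, Dict] = {
    "isa": {"addrs": ["192.168.0.250", "10.10.10.1"],
            "routes": [("192.168.0.0/24", None), ("10.10.10.0/24", None),
                       ("172.16.0.0/16", "192.168.0.3")]},   # forward route is present
    "router": {"addrs": ["192.168.0.3", "172.16.0.1"],
               "routes": [("192.168.0.0/24", None), ("172.16.0.0/16", None)]},
}

def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as a real routing table does."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in routes if ip in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)

def owner(nodes: Dict, addr: str) -> Optional[str]:
    return next((n for n, d in nodes.items() if addr in d["addrs"]), None)

def trace(nodes: Dict, start: str, dst: str, max_hops: int = 8) -> Optional[List[str]]:
    """Follow next hops from `start`; returns the device path, or None if dropped."""
    path, node = [start], start
    for _ in range(max_hops):
        route = lookup(nodes[node]["routes"], dst)
        if route is None:
            return None            # no matching route: packet is dropped here
        if route[1] is None:
            return path            # destination network is directly connected
        node = owner(nodes, route[1])
        if node is None:
            return None            # gateway address belongs to no known device
        path.append(node)
    return None                    # routing loop

def round_trip(nodes: Dict, src_node: str, src: str, dst: str):
    """Forward path plus the return path from the device that owns the destination."""
    fwd = trace(nodes, src_node, dst)
    back = trace(nodes, fwd[-1], src) if fwd else None
    return fwd, back

def add_route(nodes: Dict, node: str, prefix: str, gateway: Optional[str]) -> Dict:
    """Copy of the topology with one extra route on `node` (e.g. the router's return route)."""
    new = {n: {"addrs": list(d["addrs"]), "routes": list(d["routes"])} for n, d in nodes.items()}
    new[node]["routes"].append((prefix, gateway))
    return new
```

`round_trip(NODES, "isa", "10.10.10.50", "172.16.0.100")` returns the forward path but `None` for the reply; after `add_route(NODES, "router", "10.10.10.0/24", "192.168.0.250")` both directions resolve.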