RE: Will this break the Firewall Service?

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 25 Mar 2003 16:06:50 -0800

Your RRAS VPN / dial-in server should give out IP addresses that are in the LAT.
The question of whether or not those IPs are routable in your existing LAN is a
different issue that primarily depends on whether or not you want the RRAS
clients to access the LAN.

The alerts are expected for two reasons:
1. You have the "Network changed" alert enabled.
2. Every time a dial-in client connects, the Windows routing table changes and
   fires the alert you have enabled.

 Jim Harrison [ISAQFE]
 Read the help, books and articles!

 This posting is provided "AS IS" with no warranties, and confers no rights.
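
The check described above (the RRAS address pool should lie inside the LAT), as an added example that is not part of the original thread or of ISA Server itself. The pool `123.123.123.1 - 123.123.123.255` is the one quoted in the original question below; the LAT entries and the off-subnet pool are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

def parse_range(text):
    """Parse 'a.b.c.d - e.f.g.h' into an inclusive (start, end) integer pair."""
    lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in text.split("-"))
    if lo > hi:
        raise ValueError(f"range start is above range end: {text!r}")
    return lo, hi

def merge_ranges(ranges):
    """Coalesce overlapping or adjacent ranges so LAT entries form disjoint blocks."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end])
    return merged

def uncovered(pool, lat_entries):
    """Return the parts of the VPN pool that no LAT entry covers (empty list = OK)."""
    start, end = parse_range(pool)
    gaps, cursor = [], start
    for lo, hi in merge_ranges(parse_range(e) for e in lat_entries):
        if hi < cursor or lo > end:
            continue                      # entry does not touch the remaining pool
        if lo > cursor:
            gaps.append((cursor, lo - 1))  # hole before this LAT block
        cursor = hi + 1
        if cursor > end:
            break
    if cursor <= end:
        gaps.append((cursor, end))        # tail of the pool past the last LAT block
    return [f"{ipaddress.IPv4Address(a)} - {ipaddress.IPv4Address(b)}" for a, b in gaps]

# Constructed LAT: the internal 123.123.x.x network, split into two adjacent entries.
SAMPLE_LAT = ["123.123.0.0 - 123.123.127.255", "123.123.128.0 - 123.123.255.255"]
PAGE_POOL = "123.123.123.1 - 123.123.123.255"   # pool from the original question
OFF_SUBNET_POOL = "10.99.0.1 - 10.99.0.254"     # constructed private pool, not in the LAT

if __name__ == "__main__":
    for pool in (PAGE_POOL, OFF_SUBNET_POOL):
        gaps = uncovered(pool, SAMPLE_LAT)
        print(pool, "-> inside LAT" if not gaps else f"-> outside LAT: {gaps}")
```
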

----- Original Message -----
From: "William Robertson" <william.robertson@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, March 25, 2003 06:06
Subject: [isalist] RE: Will this break the Firewall Service?


http://www.ISAserver.org


Well, I have tried using a private/off-subnet IP Address range for the
pool of addresses available for VPN Clients, but I still have the
problem wherein my Firewall Service gets his knickers in a knot and won't
permit any normal outbound Firewall Client traffic.

Please could someone tell me what my (hopefully) obvious mistake is?

Cheers
William R.


-----Original Message-----
From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
Sent: 25 March 2003 10:39 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Will this break the Firewall Service?


Hi there

Instead of posing my problem scenario, let me just ask the following:
(All IP Addresses have been changed to protect the innocent)

If I have an internal network using a Public Address range
123.123.x.x

and I have my ISA Server accepting VPN connections on the ISA's external
Interface
200.123.200.123

and I tell RRAS to assign IP Addresses to VPN Clients from a Pool of
addresses setup within RRAS
123.123.123.1 - 123.123.123.255

Will this cause a problem on my ISA Firewall? As I have it, my ISA should
get confused about where to send VPN traffic and then where to send normal
Internal LAN traffic? But that is not the problem, my VPN connections work
like a charm.

The problem is that when I connect via VPN I get many ISA Alerts such as:
- ISA Server detected a change in the IP routing table of the computer.
- ISA Server detected a change in the IP addresses of the computer.
- ISA Server detected that network interface card (NIC) WAN (PPP/SLIP)
  Interface, with IP address 123.123.123.1, was disabled.
- Microsoft Firewall failed. The failure occurred during Initialization of
  reverse Network Address Translation (NAT). (This message appears for each
  Server Publishing rule that I have)

And when this happens, all of my other outbound Firewall Connections fail.
E.g. All Server Publishing, SMTP Mail, Outbound SAP links. All Web Proxy
connections work like a charm, it just appears that the Firewall Service
has got a bit stuck.

To resolve this I need to restart ALL ISA Services, not just the Firewall
Service.

Can someone perhaps conclude whether the IP Addressing that I am using
could be the major cause of my problems? The thing is I can only test
again after hours so I am just trying to get my bag of tricks filled with
some ideas from you guys before I tackle the problem later.

Cheers
William R.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
robertson.william@xxxxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')

