[isalist] Re: Error establishing a VPN to the ISA server

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 28 Jun 2006 08:28:54 -0700

Ah, the old "bind an off-net IP address to the internal interface and use a
HOSTS entry" trick.  ;)

Yep, that would work too if you did all that...  I didn't see the part about
the new IP in addition to the different VPN address space.

When I saw "to the ISA box" I didn't think you meant as the solution for an
SBS install.  So yes, for a single host box that is the RRAS box as well as
the destination host, that would work.  But, I gotta say, that's a lot to do
on both the server and workstation.  A single "route" from the workstation
would take care of everything, as long as the remote host destination IP
wasn't the same as the local gateway IP (which is the case here.)   But at
this point, this is more of an academic exercise than a production solution,
right? :-p

t


On 6/28/06 7:50 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to
all:

> Well, now that I've taken my morning ipecac, I think I'm thinking more
> clearly.
>  
> Let's look at the scenario:
>  
> Remote client is on network ID 192.168.110.0/24
>  
> Office network is also on network ID 192.168.110.0/24
>  
> OK, clearly this won't work because both client and remote network are on the
> local network and thus the connection will be sent out the local interface and
> not the PPP interface.
>  
> However, if we assign the VPN clients an IP address that is on a different
> network ID, such as 10.20.25.0/24, then the PPP interface is on a different
> network ID.
>  
> Next, we bind an IP address on the 10.20.25.0/24 on the internal interface (or
> even a loopback interface) on the VPN server (in this case the bucket of bolts
> SBS box). 
>  
> The Outlook client is configured with a HOSTS file entry to resolve the SBS
> name to 10.20.25.1/24. Since the Outlook client has a route to this network ID
> bound to the PPP interface, the connection will go out that interface and
> connect to the Exchange Server at that address.
>  
> I'm 98.6% sure I've done this before and it worked. Was it an hallucination?
>  
> Tom
>  
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
> 
>  
> 
>>  
>>  
>> 
>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Thor (Hammer of God)
>> Sent: Wednesday, June 28, 2006 9:22 AM
>> To: isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Re: Error establishing a VPN to the ISA server
>> 
>>  
>> Right, but that won't solve the problem in this case because the
>> "destination network" is the same as the "local" network he is already on.
>> ARPs will use broadcast on the local segment to get to the "destination"
>> because it is on the local subnet.
>> 
>> You've gotta remember that the "issue" is present because his internal
>> destination LAN is the same subnet structure (by happenstance) as the local
>> hotel's. 
>> 
>> Let's say my internal LAN is 192.168.1.x.  Your internal LAN is also
>> 192.168.1.x.  You assign a range of 10.1.1.x to VPN RRAS clients.  I connect
>> up to your external IP RRAS, and am given a 10.1.1.17 IP for my PPP adapter.
>> If your host.shinder.com is 192.168.1.222, and I try to ping it, my stack
>> will route that request to my local Ethernet segment because my local subnet
>> is _already on_ 192.168.1.0 255.255.255.0.  If I wanted to actually hit your
>> host via the VPN, I would have to do a:
>> "Route add 192.168.1.222 mask 255.255.255.255 10.1.1.17" to force the route
>> via the VPN gateway.  I could use a -p if I wanted, but probably wouldn't
>> since I would get a different address the next time...  And you would have
>> to do that for every host unless you had a high range or something on the
>> other side and you could subnet it out further with a different mask...
>> 
>> t
>> 
>> 
>> 
>> 
>> On 6/28/06 6:47 AM, "Thomas W Shinder"  <tshinder@xxxxxxxxxxx> spoketh to
>> all:
>> 
>>  
>>> Hi Tim,
>>> 
>>> If I assign an off-subnet address to the internal interface of  ISA
>>> firewall, and then create a static address pool for the VPN clients that
>>> are also assigned to the same static address pool (such as the autonet
>>> addresses), and then the VPN clients get the PPP interface set to that
>>> autonet network ID and forward connections to the autonet network ID through
>>> the PPP interface to the autonet IP address I assigned to the internal
>>> interface of the ISA firewall.
>>> 
>>> Make sensei?
>>> 
>>> Tom
>>> 
>>> Thomas W Shinder,  M.D.
>>> Site: www.isaserver.org <http://www.isaserver.org/>
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
>>> MVP  -- ISA Firewalls
>>> 
>>>  
>>> 
>>>  
>>>> 
>>>>  
>>>>  
>>>> 
>>>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
>>>> On Behalf Of Thor (Hammer of God)
>>>> Sent: Tuesday, June 27, 2006 10:42 PM
>>>> To: isalist@xxxxxxxxxxxxx
>>>> Subject: [isalist] Re: Error establishing a VPN to the ISA server
>>>> 
>>>>  
>>>> I don't understand... If the local Ethernet by chance uses the same
>>>> logical subnet as the corporate office, how is changing the VPN's
>>>> assigned IP going to make host destinations on the local subnet route
>>>> down the VPN rather than local?
>>>> 
>>>> t
>>>> 
>>>> 
>>>> On 6/27/06 8:34 PM,  "Thomas W  Shinder" <tshinder@xxxxxxxxxxx> spoketh to
>>>> all:
>>>> 
>>>>  
>>>>  
>>>>> How about RPC/HTTP? That gives him full Outlook functionality without
>>>>> requiring VPN.
>>>>> 
>>>>> Or use Jim's suggestion -- I've used the same trick and it works a treat.
>>>>> 
>>>>> HTH,
>>>>> Tom
>>>>> 
>>>>> Thomas W Shinder,   M.D.
>>>>> Site: www.isaserver.org <http://www.isaserver.org/>
>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>> Book: http://tinyurl.com/3xqb7  <http://tinyurl.com/3xqb7>
>>>>> MVP  -- ISA Firewalls
>>>>> 
>>>>>  
>>>>> 
>>>>>  
>>>>>  
>>>>>> 
>>>>>>  
>>>>>>  
>>>>>>  
>>>>>> 
>>>>>> From: isalist-bounce@xxxxxxxxxxxxx
>>>>>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Glenn P. JOHNSTON
>>>>>> Sent: Tuesday, June 27, 2006 10:29 PM
>>>>>> To: isalist@xxxxxxxxxxxxx
>>>>>> Subject: RE: [isalist] Re: Error establishing a VPN to the ISA server
>>>>>> 
>>>>>>  
>>>>>>  
>>>>>>  
>>>>>> I'm told he refuses to use OWA as he can't sync his mail with the OST
>>>>>> on his notebook. There is just no helping some people, no matter how
>>>>>> hard you try to be helpful and solve their problem, they just refuse
>>>>>> all help on principle!
>>>>>> 
>>>>>> Also they passed on to me that in his yelling and screaming he's
>>>>>> demanding to know "Why someone did not realise this would happen, and
>>>>>> get it fixed beforehand, so I can get my e-mail."
>>>>>> 
>>>>>> I really feel sorry for the IT guy at the site: he's in his early 20's,
>>>>>> finished a development-oriented IT degree last year, is quite bright
>>>>>> really, but is still just learning the finer points of the winserver
>>>>>> environment, supporting XP etc, and is working toward his MCSE, having
>>>>>> passed the first 2 exams in the last couple of months. He reports to
>>>>>> this Director, and from what I can see, gets one hell of a serve from
>>>>>> him as soon as anything a little bit odd occurs.
>>>>>> 
>>>>>> I can't see a way around this without the Director having to do
>>>>>> something out of the ordinary, which apparently is just not an
>>>>>> option, and have just told them that.
>>>>>> 
>>>>>> I've suggested the only possible way I can see is to go out and
>>>>>> purchase a wireless broadband card from someone local, get it on the
>>>>>> net, set up a notebook with it and his e-mail, and get it express
>>>>>> couriered to him. He'd have it early evening or first thing in the
>>>>>> morning.
>>>>>> 
>>>>>> There was a choking sound on the other end of the phone, "but then
>>>>>> he'd have to carry 2 notebooks back!" and "What do I do if he gets
>>>>>> it and it does not work?" ..................................
>>>>>> 
>>>>>> Find another job came to mind..
>>>>>> 
>>>>>> 
>>>>>>  
>>>>>>  
>>>>>>  
>>>>>> 
>>>>>> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of God)
>>>>>> Sent: Wed 28/Jun/2006 12:49
>>>>>> To: isalist@xxxxxxxxxxxxx
>>>>>> Subject: [isalist] Re: Error establishing a VPN to the ISA server
>>>>>> 
>>>>>>  
>>>>>>  
>>>>>> 
>>>>>> http://www.ISAserver.org
>>>>>> -------------------------------------------------------
>>>>>>  
>>>>>> Well, it would have worked other than the gw on the hotel being the
>>>>>> same as the SBS box... Bad luck there.  But, I've had to do this
>>>>>> several times for the exact same scenario with my people.  Seems the
>>>>>> Marriott and I thought alike in our IP schemes ;)
>>>>>> 
>>>>>> You could always just add another IP address to the SBS box (well,
>>>>>> you could if it were a "regular" server install-- I don't know what
>>>>>> you'd have to go through on SBS to do that.)  That would work, though.
>>>>>> 
>>>>>> Not much we can do about a guy who wants to scream more than get the
>>>>>> job done, though.  I'd tell him that if he wanted his email to STFU
>>>>>> and do what was needed.  It's not like it is anyone's "fault."  There
>>>>>> are other options you have, but they would all require him doing
>>>>>> *something*.
>>>>>> 
>>>>>> I'm assuming that OWA is not an option for some reason?
>>>>>> 
>>>>>> t
>>>>>> 
>>>>>> 
>>>>>> On 6/27/06 7:37 PM, "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx>
>>>>>> spoketh to all:
>>>>>> 
>>>>>>> > The internal IP of the SBS server is 192.168.110.2, G/W on the
>>>>>>> > hotel BB service is also 192.168.110.2 unfortunately!
>>>>>>> > 
>>>>>>> > I tried the static route on my home ADSL service by changing the
>>>>>>> > internal private IP to match the Hotel's to play with, and everything
>>>>>>> > else works, I can get to the internet and other clients' networks
>>>>>>> > fine, but I can not get to anything on the remote network after the
>>>>>>> > tunnel is connected, of the client with the problem.
>>>>>>> > 
>>>>>>> > Putting the static route in I doubt will work anyway, the fellow
>>>>>>> > will probably just yell and scream as soon as he is asked to do
>>>>>>> > anything remotely technical, expecting it to be magically fixed
>>>>>>> > from this end.
>>>>>>> >
>>>>>>> > ________________________________
>>>>>>> >
>>>>>>> > From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of God)
>>>>>>> > Sent: Wed 28/Jun/2006 12:27
>>>>>>> > To: isalist@xxxxxxxxxxxxx
>>>>>>> > Subject: [isalist] Re: Error establishing a VPN to the ISA server
>>>>>>> >
>>>>>>> >   
>>>>>>> > All he has to do is set a static route for the SBS box's IP to the
>>>>>>> > gateway address of the VPN endpoint.
>>>>>>> >
>>>>>>> > IOW, if the SBS box is 192.168.110.101, and his PPP VPN interface
>>>>>>> > got assigned something like 192.168.110.11 from the RRAS server (do
>>>>>>> > an ipconfig to see what IP his PPP adapter is, or look at the RRAS
>>>>>>> > properties of the connection) then you would have him do a:
>>>>>>> >
>>>>>>> > ROUTE -p add 192.168.110.101 mask 255.255.255.255 192.168.110.11
>>>>>>> >
>>>>>>> > That way, when he attempts to access the SBS server, the request
>>>>>>> > will route down the VPN rather than broadcasting on the "local"
>>>>>>> > 192.168.110.x network.
>>>>>>> >
>>>>>>> > t
>>>>>>> >
>>>>>>> >
>>>>>>> > On 6/27/06 7:13 PM, "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx>
>>>>>>> > spoketh to all:
>>>>>>> >
>>>>>>>> >>
>>>>>>>> >> Hi,
>>>>>>>> >>
>>>>>>>> >> Maybe, maybe not directly an ISA question, and I've posted this
>>>>>>>> >> in an SBS forum as well, but you people are pretty bright & I
>>>>>>>> >> thought you might have some worthwhile input on this.
>>>>>>>> >>
>>>>>>>> >> One of my clients has an issue with a VPN tunnel. This has been
>>>>>>>> >> in place since Sunday afternoon, but they only rang me this
>>>>>>>> >> morning.
>>>>>>>> >>
>>>>>>>> >> One of their directors is at a week-long conference, and the
>>>>>>>> >> Hotel where he is staying provides an in-room broadband service.
>>>>>>>> >> The BroadBand in the hotel is using a 192.168.110.0/24 address
>>>>>>>> >> range; the internal address of the client's network at the office
>>>>>>>> >> is also a 192.168.110.0/24 range.
>>>>>>>> >>
>>>>>>>> >> The VPN tunnel establishes fine, and the VPN connector on his
>>>>>>>> >> notebook gets an address, of course, in the 192.168.110.100 to
>>>>>>>> >> 192.168.110.199 range of the DHCP server on the SBS server.
>>>>>>>> >>
>>>>>>>> >> Once the tunnel is established, he can access nothing on the SBS.
>>>>>>>> >> This is to be expected as the address ranges are the same; does
>>>>>>>> >> anyone have any bright ideas on how to get around this? The
>>>>>>>> >> Director is yelling and screaming about not being able to get his
>>>>>>>> >> e-mail.
>>>>>>>> >>
>>>>>>>> >> Unfortunately he is out of direct reach in another state, and has
>>>>>>>> >> very little tolerance for such problems.
>>>>>>>> >>
>>>>>>>> >> Regards
>>>>>>>> >> Glenn
>>>>>>>> >> ------------------------------------------------------
>>>>>>>> >> List Archives: //www.freelists.org/archives/isalist/
>>>>>>>> >> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>>>>>>>> >> ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
>>>>>>>> >> ISA Server Blogs: http://blogs.isaserver.org/
>>>>>>>> >> ------------------------------------------------------
>>>>>>>> >> Visit TechGenix.com for more information about our other sites:
>>>>>>>> >> http://www.techgenix.com
>>>>>>>> >> ------------------------------------------------------
>>>>>>>> >> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
>>>>>>>> >> Report abuse to listadmin@xxxxxxxxxxxxx
>>>>>>>> >>
>>>>>>>> >>
>>>>>>>> >>
>>>>>>> >
>>>>>>> >
>>>>>>> >
>>>>>>> >
>>>>>>> >
>>>>>> 
>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>> 
>> 
> 
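The route selection the whole thread argues about, as an added example that is not code from any poster: a small Python model of the client's longest-prefix-match lookup, run over constructed route tables for Thor's same-subnet case, his `ROUTE -p add ... mask 255.255.255.255` host-route fix, and Tom's off-net 10.20.25.0/24 pool variant. The interface names, the simplified table layout and the 10.20.25.17 client address are assumptions; the 192.168.110.x numbers are the ones used in the thread.

```python
import ipaddress

def select_interface(routes, dst):
    """Longest-prefix match over (prefix, interface) pairs, the rule a client
    stack applies; returns the interface a packet for dst would leave on."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def client_routes(local_lan, ppp_ip, ppp_pool=None, host_routes=()):
    """Constructed sketch of the VPN client's table: default and on-link LAN
    via the hotel NIC, the PPP address itself, the VPN pool when it is
    off-net, plus any ROUTE ADD <host> mask 255.255.255.255 <ppp_ip> entries."""
    routes = [("0.0.0.0/0", "ethernet"), (local_lan, "ethernet"), (f"{ppp_ip}/32", "ppp")]
    if ppp_pool:
        routes.append((ppp_pool, "ppp"))
    routes.extend((f"{host}/32", "ppp") for host in host_routes)
    return routes

def host_route_is_safe(target, local_gw):
    """Thor's caveat: a /32 for the hotel's own gateway cannot be pointed down
    the tunnel, so the host-route trick only works when the two addresses differ."""
    return ipaddress.ip_address(target) != ipaddress.ip_address(local_gw)

# Constructed values taken from the thread: hotel and office share the /24;
# SBS at .101 and PPP address .11 are Thor's worked numbers.
HOTEL_LAN = "192.168.110.0/24"
SBS_HOST = "192.168.110.101"
PPP_SAME_NET = "192.168.110.11"

def overlap_case():
    # No host route: the /24 on the hotel NIC wins, so the SBS is ARPed locally.
    return select_interface(client_routes(HOTEL_LAN, PPP_SAME_NET), SBS_HOST)

def host_route_case():
    # After ROUTE -p add 192.168.110.101 mask 255.255.255.255 192.168.110.11
    return select_interface(
        client_routes(HOTEL_LAN, PPP_SAME_NET, host_routes=[SBS_HOST]), SBS_HOST)

def offnet_pool_case():
    # Tom's variant: pool 10.20.25.0/24, SBS also bound to 10.20.25.1 and a
    # HOSTS entry points Outlook there; the client address 10.20.25.17 is assumed.
    return select_interface(
        client_routes(HOTEL_LAN, "10.20.25.17", ppp_pool="10.20.25.0/24"), "10.20.25.1")
```

Glenn's real case has the SBS at 192.168.110.2, the same address as the hotel gateway, which `host_route_is_safe` flags as the situation the /32 trick cannot fix.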

