Ah, the old "bind an off-net IP address to the internal interface and use a HOSTS entry" trick. ;) Yep, that would work too if you did all that... I didn't see the part about the new IP in addition to the different VPN address space. When I saw "to the ISA box" I didn't think you meant as the solution for an SBS install. So yes, for a single host box that is the RRAS box as well as the destination host, that would work.

But, I gotta say, that's a lot to do on both the server and workstation. A single "route" from the workstation would take care of everything, as long as the remote host destination IP wasn't the same as the local gateway IP (which is the case here.)

But at this point, this is more of an academic exercise than a production solution, right? :-p

t

On 6/28/06 7:50 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:

> Well, now that I've taken my morning ipecac, I think I'm thinking more
> clearly.
>
> Let's look at the scenario:
>
> Remote client is on network ID 192.168.110.0/24
>
> Office network is also on network ID 192.168.110.0/24
>
> OK, clearly this won't work because both client and remote network are on the
> local network and thus the connection will be sent out the local interface and
> not the PPP interface.
>
> However, if we assign the VPN clients an IP address that is on a different
> network ID, such as 10.20.25.0/24, then the PPP interface is on a different
> network ID.
>
> Next, we bind an IP address on the 10.20.25.0/24 on the internal interface (or
> even a loopback interface) on the VPN server (in this case the bucket of bolts
> SBS box).
>
> The Outlook client is configured with a HOSTS file entry to resolve the SBS
> name to 10.20.25.1/24. Since the Outlook client has a route to this network ID
> bound to the PPP interface, the connection will go out that interface and
> connect to the Exchange Server at that address.
>
> I'm 98.6% sure I've done this before and it worked. Was it an hallucination?
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
>
>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Thor (Hammer of God)
>> Sent: Wednesday, June 28, 2006 9:22 AM
>> To: isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Re: Error establishing a VPN to the ISA server
>>
>> Right, but that won't solve the problem in this case because the
>> "destination network" is the same as the "local" network he is already on.
>> ARP's will use broadcast on the local segment to get to the "destination"
>> because it is on the local subnet.
>>
>> You've gotta remember that the "issue" is present because his internal
>> destination LAN is the same subnet structure (by happenstance) as the local
>> hotel's.
>>
>> Let's say my internal LAN is 192.168.1.x. Your internal LAN is also
>> 192.168.1.x. You assign a range of 10.1.1.x to VPN RRAS clients. I connect
>> up to your external IP RRAS, and am given a 10.1.1.17 IP for my PPP adapter.
>> If your host.shinder.com is 192.168.1.222, and I try to ping it, my stack
>> will route that request to my local Ethernet segment because my local subnet
>> is _already on_ 192.168.1.0 255.255.255.0. If I wanted to actually hit your
>> host via the VPN, I would have to do a :
>> "Route add 192.168.1.222 mask 255.255.255.255 10.1.1.17" to force the route
>> via the VPN gateway. I could use a p if I wanted, but probably wouldn't
>> since I would get a different address the next time... And you would have
>> to do that for every host unless you had a high range or something on the
>> other side and you could subnet it out further with a different mask...
>>
>> t
>>
>> On 6/28/06 6:47 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to
>> all:
>>
>>> Hi Tim,
>>>
>>> If I assign an off-subnet address to the internal interface of ISA
>>> firewall, and then create a static address pool for the VPN clients that
>>> are also assigned to the same static address pool (such as the autonet
>>> addresses), and then the VPN clients get the PPP interface set to that
>>> autonet network ID and forward connections to the autonet network ID through
>>> the PPP interface to the autonet IP address I assigned to the internal
>>> interface of the ISA firewall.
>>>
>>> Make sensei?
>>>
>>> Tom
>>>
>>> Thomas W Shinder, M.D.
>>> Site: www.isaserver.org <http://www.isaserver.org/>
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
>>> MVP -- ISA Firewalls
>>>
>>>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
>>>> On Behalf Of Thor (Hammer of God)
>>>> Sent: Tuesday, June 27, 2006 10:42 PM
>>>> To: isalist@xxxxxxxxxxxxx
>>>> Subject: [isalist] Re: Error establishing a VPN to the ISA server
>>>>
>>>> I don't understand... If the local Ethernet by chance uses the same
>>>> logical subnet as the corporate office, how is changing the VPN's
>>>> assigned IP going to make host destinations on the local subnet route
>>>> down the VPN rather than local?
>>>>
>>>> t
>>>>
>>>> On 6/27/06 8:34 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to
>>>> all:
>>>>
>>>>> How about RPC/HTTP? That gives him full Outlook functionality without
>>>>> requiring VPN.
>>>>>
>>>>> Or use Jim's suggestion -- I've used the same trick and it works a treat.
>>>>>
>>>>> HTH,
>>>>> Tom
>>>>>
>>>>> Thomas W Shinder, M.D.
>>>>> Site: www.isaserver.org <http://www.isaserver.org/>
>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
>>>>> MVP -- ISA Firewalls
>>>>>
>>>>>> From: isalist-bounce@xxxxxxxxxxxxx
>>>>>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Glenn P. JOHNSTON
>>>>>> Sent: Tuesday, June 27, 2006 10:29 PM
>>>>>> To: isalist@xxxxxxxxxxxxx
>>>>>> Subject: RE: [isalist] Re: Error establishing a VPN to the ISA server
>>>>>>
>>>>>> I'm told he refuses to use OWA as he can't sync his mail with the OST
>>>>>> on his notebook. There is just no helping some people, no matter how
>>>>>> hard you try to be helpful and solve their problem, they just refuse
>>>>>> all help on principle!
>>>>>>
>>>>>> Also they passed on to me, that in his yelling and screaming he's
>>>>>> demanding to know 'Why someone did not realise this would happen, and
>>>>>> get it fixed beforehand, so I can get my e-mail'
>>>>>>
>>>>>> I really feel sorry for the IT guy at the site, he's in his early 20's,
>>>>>> finished a development oriented IT degree last year, is quite bright
>>>>>> really, but is still just learning the finer points of the winserver
>>>>>> environment, supporting XP etc, and is working toward his MCSE, having
>>>>>> passed the first 2 exams in the last couple of months. He reports to
>>>>>> this Director, and from what I can see, gets one hell of a serve from
>>>>>> him as soon as anything a little bit odd occurs.
>>>>>>
>>>>>> I can't see a way around this, without the Director having to do
>>>>>> something out of the ordinary, which apparently, is just not an
>>>>>> option, and have just told them that.
>>>>>>
>>>>>> I've suggested the only possible way, I can see, is to go out and
>>>>>> purchase a wireless broadband card from someone local, get it on the
>>>>>> net, set up a notebook with it and his e-mail, and get it express
>>>>>> couriered to him. He'd have it early evening or first thing in the
>>>>>> morning.
>>>>>>
>>>>>> There was a choking sound on the other end of the phone, "but then
>>>>>> he'd have to carry 2 notebooks back!" and "What do I do if he gets
>>>>>> it and it does not work ?" ..................................
>>>>>>
>>>>>> Find another job came to mind..
>>>>>>
>>>>>> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of God)
>>>>>> Sent: Wed 28/Jun/2006 12:49
>>>>>> To: isalist@xxxxxxxxxxxxx
>>>>>> Subject: [isalist] Re: Error establishing a VPN to the ISA server
>>>>>>
>>>>>> http://www.ISAserver.org
>>>>>> -------------------------------------------------------
>>>>>>
>>>>>> Well, it would have worked other than the gw on the hotel being the
>>>>>> same as the SBS box... Bad luck there. But, I've had to do this
>>>>>> several times for the exact same scenario with my people. Seems the
>>>>>> Marriott and I thought alike in our IP schemes ;)
>>>>>>
>>>>>> You could always just add another IP address to the SBS box (well,
>>>>>> you could if it were a "regular" server install-- I don't know what
>>>>>> you'd have to go through on SBS to do that.) That would work, though.
>>>>>>
>>>>>> Not much we can do about a guy who wants to scream more than get the
>>>>>> job done, though. I'd tell him that if he wanted his email to STFU
>>>>>> and do what was needed. It's not like it is anyone's "fault." There
>>>>>> are other options you have, but they would all require him doing
>>>>>> *something*.
>>>>>>
>>>>>> I'm assuming that OWA is not an option for some reason?
>>>>>>
>>>>>> t
>>>>>>
>>>>>> On 6/27/06 7:37 PM, "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx>
>>>>>> spoketh to all:
>>>>>>
>>>>>>> > The internal IP of the SBS server is 192.168.110.2, G/W on the
>>>>>>> > hotel BB service is also 192.168.110.2 unfortunately!
>>>>>>> >
>>>>>>> > I tried the static route on my home ADSL service by changing the
>>>>>>> > internal private IP to match the Hotel's to play with, and
>>>>>>> > everything else works, I can get to the internet and other clients'
>>>>>>> > networks fine, but I can not get to anything on the remote network
>>>>>>> > after the tunnel is connected, of the client with the problem.
>>>>>>> >
>>>>>>> > Putting the static route in I doubt will work anyway, the fellow
>>>>>>> > will probably just yell and scream as soon as he is asked to do
>>>>>>> > anything remotely technical, expecting it to be magically fixed
>>>>>>> > from this end.
>>>>>>> >
>>>>>>> > ________________________________
>>>>>>> >
>>>>>>> > From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of
>>>>>>> > God)
>>>>>>> > Sent: Wed 28/Jun/2006 12:27
>>>>>>> > To: isalist@xxxxxxxxxxxxx
>>>>>>> > Subject: [isalist] Re: Error establishing a VPN to the ISA server
>>>>>>> >
>>>>>>> > All he has to do is set a static route for the SBS box's IP to the
>>>>>>> > gateway address of the VPN endpoint.
>>>>>>> >
>>>>>>> > IOW, if the SBS box is 192.168.110.101, and his PPP VPN interface
>>>>>>> > got assigned something like 192.168.110.11 from the RRAS server (do
>>>>>>> > an IP config to see what ip his PPP adapter is, or look at the RRAS
>>>>>>> > properties of the connection) then you would have him do a:
>>>>>>> >
>>>>>>> > ROUTE -p add 192.168.110.101 mask 255.255.255.255 192.168.110.11
>>>>>>> >
>>>>>>> > That way, when he attempts to access the SBS server, the request
>>>>>>> > will route down the VPN rather than broadcasting on the "local"
>>>>>>> > 192.168.110.x network.
>>>>>>> >
>>>>>>> > t
>>>>>>> >
>>>>>>> > On 6/27/06 7:13 PM, "Glenn P. JOHNSTON"
>>>>>>> > <glenn.johnston@xxxxxxxxxxx> spoketh to all:
>>>>>>> >
>>>>>>>> >> Hi,
>>>>>>>> >>
>>>>>>>> >> Maybe, maybe not directly an ISA question, and I've posted this
>>>>>>>> >> in an SBS forum as well, but you people are pretty bright & I
>>>>>>>> >> thought you might have some worthwhile input on this.
>>>>>>>> >>
>>>>>>>> >> One of my clients has an issue with a VPN tunnel. This has been
>>>>>>>> >> in place since Sunday afternoon, but they only rang me this
>>>>>>>> >> morning.
>>>>>>>> >>
>>>>>>>> >> One of their directors is at a week long conference, and the
>>>>>>>> >> Hotel where he is staying provides an in-room broadband service.
>>>>>>>> >> The BroadBand in the hotel is using a 192.168.110.0/24 address
>>>>>>>> >> range, the internal address of the clients network at the office
>>>>>>>> >> is also a 192.168.110.0/24 range.
>>>>>>>> >>
>>>>>>>> >> The VPN tunnel establishes fine, and the VPN connector on his
>>>>>>>> >> notebook gets an address, of course, in the 192.168.110.100 to
>>>>>>>> >> 192.168.110.199 range of the DHCP server on the SBS server.
>>>>>>>> >>
>>>>>>>> >> Once the tunnel is established, he can access nothing on the SBS.
>>>>>>>> >> This is to be expected as the address ranges are the same, does
>>>>>>>> >> anyone have any bright ideas on how to get around this? The
>>>>>>>> >> Director is yelling and screaming about not being able to get his
>>>>>>>> >> e-mail.
>>>>>>>> >>
>>>>>>>> >> Unfortunately he is out of direct reach in another state, and
>>>>>>>> >> has very little tolerance for such problems.
>>>>>>>> >>
>>>>>>>> >> Regards
>>>>>>>> >> Glenn
>>>>>>>> >> ------------------------------------------------------
>>>>>>>> >> List Archives: //www.freelists.org/archives/isalist/
>>>>>>>> >> ISA Server Newsletter:
>>>>>>>> >> http://www.isaserver.org/pages/newsletter.asp
>>>>>>>> >> ISA Server Articles and Tutorials:
>>>>>>>> >> http://www.isaserver.org/articles_tutorials/
>>>>>>>> >> ISA Server Blogs: http://blogs.isaserver.org/
>>>>>>>> >> ------------------------------------------------------
>>>>>>>> >> Visit TechGenix.com for more information about our other sites:
>>>>>>>> >> http://www.techgenix.com
>>>>>>>> >> ------------------------------------------------------
>>>>>>>> >> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
>>>>>>>> >> Report abuse to listadmin@xxxxxxxxxxxxx
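
The route selection argued over in this thread, as an added example that is not part of any of the original messages: a simplified longest-prefix-match model of the notebook's routing table, using the addresses quoted above. The interface names, metrics and the 203.0.113.10 Internet address are constructed assumptions.

```python
import ipaddress

# Constructed routing entries for the notebook: (destination prefix, interface, metric).
# Interface names and metrics are assumptions made for this illustration.
HOTEL_LAN = ("192.168.110.0/24", "ethernet", 20)   # on-link hotel subnet
HOTEL_DEFAULT = ("0.0.0.0/0", "ethernet", 20)      # via hotel gateway 192.168.110.2
HOTEL_GATEWAY = "192.168.110.2"

def pick_interface(routes, dest):
    """Longest-prefix match; ties go to the lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p), ifc, m) for p, ifc, m in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    _, ifc, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return ifc

def host_route_conflicts(dest, local_gateway=HOTEL_GATEWAY):
    """Caveat from the thread: the single host route is no use when the
    remote host has the same IP as the local default gateway."""
    return ipaddress.ip_address(dest) == ipaddress.ip_address(local_gateway)

def scenarios():
    base = [HOTEL_LAN, HOTEL_DEFAULT]
    # 1. VPN up, pool inside 192.168.110.0/24: PPP contributes only a default route here.
    overlap = base + [("0.0.0.0/0", "ppp", 1)]
    # 2. Same, plus a /32 host route for an office host at 192.168.110.101.
    host_route = overlap + [("192.168.110.101/32", "ppp", 1)]
    # 3. VPN pool 10.20.25.0/24, server also bound to 10.20.25.1 (reached via HOSTS entry).
    off_net = base + [("10.20.25.0/24", "ppp", 1)]
    return {
        "overlap": pick_interface(overlap, "192.168.110.101"),
        "host_route": pick_interface(host_route, "192.168.110.101"),
        "off_net": pick_interface(off_net, "10.20.25.1"),
        "internet_via": pick_interface(overlap, "203.0.113.10"),
        "sbs_conflict": host_route_conflicts("192.168.110.2"),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:12} -> {result}")
```

In the overlapping case the /24 on the Ethernet adapter beats the VPN default route, so office hosts are looked for on the hotel LAN; either the /32 host route or the off-net 10.20.25.0/24 address moves the traffic onto the PPP interface.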