Hi guys,

You certainly need to read Thaddeus Fortenberry's book about W2K virtual private networking (see my previous mail). Then you will understand how it works (client-side routing). There's nothing wrong with it, but you have to take it into account when designing your VPN. I will try to highlight the important points.

The VPN client gets his/her IP address, DNS and WINS from a static pool or a DHCP server (internal network). A subnet mask is not given to the client! Therefore you will see a subnet mask of 255.255.255.255 (host entry) when doing a route print on the client.

If on the client 'use default gateway on remote network' is checked, the VPN client will get a new default gateway that points to the tunnel interface. So, all requests not for the 'local net' (seen by the client) will be routed through the tunnel to the VPN server. No split tunneling is possible. In other words, the VPN client can, when the tunnel is active, no longer communicate directly with other remote networks (i.e. the Internet). This is very good from a security point of view.

However, if on the VPN client 'use default gateway on remote network' is NOT checked, it becomes a little bit tricky. The client gets a route to the classful network ID from which he got an IP address. An example: the client gets IP address 10.1.2.3 (out of a pool 10.1.2.0/24) and on the client you will find a new route to 10.0.0.0/8 that points to the tunnel interface. Suppose now that the central internal network also has another subnet, 128.1.0.0/16. How can we tell the client to route to that subnet through the tunnel? There is at this moment no easy way to do it.

Conclusion: as long as 'use default gateway on remote network' is checked, you will have no problems!

Hope this helps a little bit...

Stefaan

-----Original Message-----
From: Stephen Herrera [mailto:sherrera@xxxxxxxxxx]
Sent: Thursday 10 January 2002 17:17
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Help Please!
http://www.ISAserver.org

I am having the same problem with that automatic subnet mask. So far I have been unable to change it. Please post if you find something.

steve

-----Original Message-----
From: Quita Harris [mailto:qharris@xxxxxxxx]
Sent: Thursday, January 10, 2002 7:22 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Help Please!

Hi Jason,

Thanks again for ALL your assistance, you got me on the right track. I see where the invalid subnet mask is coming from: when I enter the block of static IPs in RRAS (right-click on the RRAS server container, select IP tab) there is no option to enter a subnet mask and somehow an automatic mask is generated. That's what I need to resolve.

Thanks Again
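
The client-side routing behaviour described in this thread, modelled as an added example that is not part of any poster's message. It shows which destinations reach the tunnel with 'use default gateway on remote network' checked and unchecked; the function names, the client's local LAN 192.168.1.0/24 and the Internet test address 203.0.113.10 are assumptions.

```python
import ipaddress

def classful_network(ip):
    """Return the classful (A/B/C) network that contains ip."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        prefix = 8        # class A
    elif first_octet < 192:
        prefix = 16       # class B
    elif first_octet < 224:
        prefix = 24       # class C
    else:
        raise ValueError("class D/E address has no classful network")
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def tunnel_routes(client_ip, use_remote_gateway):
    """Routes the VPN client points at the tunnel interface."""
    # Host entry: the client receives no subnet mask, so 255.255.255.255.
    routes = [ipaddress.ip_network(f"{client_ip}/32")]
    if use_remote_gateway:
        # Checked: a new default gateway points to the tunnel.
        routes.append(ipaddress.ip_network("0.0.0.0/0"))
    else:
        # Unchecked: only the classful network of the assigned address.
        routes.append(classful_network(client_ip))
    return routes

def next_hop(dest, client_ip, use_remote_gateway, local_net="192.168.1.0/24"):
    """Longest-prefix match over a simplified client routing table."""
    table = [(r, "tunnel") for r in tunnel_routes(client_ip, use_remote_gateway)]
    table.append((ipaddress.ip_network(local_net), "local"))  # assumed LAN
    if not use_remote_gateway:
        # The original default gateway stays in use (split tunnel).
        table.append((ipaddress.ip_network("0.0.0.0/0"), "physical-default"))
    d = ipaddress.ip_address(dest)
    matches = [(net, via) for net, via in table if d in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

if __name__ == "__main__":
    client = "10.1.2.3"  # address from the pool 10.1.2.0/24 in the thread
    for checked in (True, False):
        print(f"use default gateway on remote network = {checked}")
        for dest in ("10.200.0.1", "128.1.5.5", "203.0.113.10", "192.168.1.10"):
            print(f"  {dest:<14} -> {next_hop(dest, client, checked)}")
```

With the box unchecked, 128.1.5.5 leaves through the physical default gateway rather than the tunnel, which is the gap the thread describes for the second internal subnet 128.1.0.0/16.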