Inline...

Jim Harrison
MCP(NT4, 2K), A+, Network+, PCG

----- Original Message -----
From: "jeff hooper" <jeff.hooper@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, November 14, 2001 08:05
Subject: [isalist] Internet Access through RAS or VPN

Routing and Remote access is set up on a box with ISA server in firewall mode. The VPN and Modem pool work great. I want the people that dial-in to be able to get back out and surf. Right now the only way I can get this to work is with the Firewall client.

Here is the setup.

Internal interface has static routes to everything.

* if you're using RRAS, make your routes in there; not in the "route -p add" command

External interface has default gateway on it.

RAS Users get private IP when they dial-in, i.e. 172.20.20.2-254

* is this subnet in the LAT?

I have tried both selecting the RRAS as router w/lan and demand-dial routing, with remote access server always selected.

I have set up a client access group with the IPs of my dial-in users, to allow all protocols, and all sites. (This is what lets my Firewall client users out, but doesn't let my RAS users be SNAT clients for some reason.)

* RRAS clients can't be SNAT because they use their own IP address as the default gateway

Another option is I have a different ISA server that is my default gateway that the SNAT is working on, but if I remove my default gateway from the external interface of course the external VPN can't get it because it won't talk to the outside, but Dial-in can get out through the other ISA server.

Check out Tom's article on RRAS clients
http://isaserver.org/shinder/tutorials/ie_vpn_settings.htm

Having a mental block, please help.

Thanks
JH