Jim, I will definately make a case for ISA2004 server purchase. But in the meantime.... Can I use the Netscreen 5xp VPN appliance with ISA 2000 in a gateway to gateway setup and still control what VPN users can do in internal network? Thanks Jim Harrison <jim@xxxxxxxxxxxx> wrote: http://www.ISAserver.org The best suggestion I can give is to get ISA 2004. ISA 2000 does not / can not place routing restrictions on inbound VPN traffic to the Internal network. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ----- Original Message ----- From: "tim S" To: "[ISAserver.org Discussion List]" Sent: Friday, October 08, 2004 06:50 Subject: [isalist] Suggestion needed!! http://www.ISAserver.org I have the following requirement: I have a customer who wants to setup a VPN connection using their hardware VPN appliance to our site to access resources in three internal servers. This VPN connection will be persistent. I want to make sure that the customer can only access those three servers and nothing else in the internal network. Likewise, I don't want none of my internal users has access to those three servers except four people. Also, one of those three servers will need to have access to an SQL server in the current internal network. My current network setup: I have a ISA 2000 that sits between public internet and internal network. There aren't any routers in the internal network. All internal clients and SecureNat serves directly connect to the ISA. I have only one ISA license. I was thinking about splitting the current internal network into two subnets (like 10.10.10.0/24 and 192.168.1.0/24) with a windows 2k or 2k3 router and setup packet filters on the interfaces. The 10.1.1.0/24 is current internal network. Add the new subnet ID 192.168.1.0/24 to the ISA LAT. I was thinking about placing customer's hardware VPN appliance outside of ISA and let the traffic through external NIC of ISA. The VPN appliance will have the preset IP numbers that I tell them. How do I make sure that any request from the customer only goes to the new subnet? If there is any simple approach, I would really appreciate your suggestion. Thanks TS --------------------------------- Do you Yahoo!? Yahoo! Mail - You care about security. So do we. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tim724342@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com