OK, client is a member of the VPN Clients Network. Destination -- what ISA Firewall Network does that belong to?

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
Sent: Friday, November 30, 2007 7:38 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Client to access additional network

The VPN Client is coming in through the Internet/External NIC. The destination subnet is an extension of the Internal network. I am not sure that answered your question, though! Please advise.

Thanks, Dr. Shinder.

On Nov 29, 2007 10:43 PM, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:

What ISA Firewall Network is the client on?

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
Sent: Thursday, November 29, 2007 9:29 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] VPN Client to access additional network

Challenge: ISA 2004 VPN client is unable to connect to additional (172.16.0.0/16) network via LAN (192.168.0.2/24) default gateway supplied by LAN DHCP server.

ISA Internal NIC: 192.168.0.250
ISA External NIC: 123.123.123.123 (i.e. Public IP)
Default Gateway IP on LAN: 192.168.0.2
Router IP connected to 172.16.0.0 Network: 192.168.0.3 (static route on DGW for 172.16.0.0 network points to this router)

DHCP supplied VPN client:
IP: 192.168.0.150
Default Gateway: <same as above>

VPN client pings 172.16.0.10 IP, result is request timed out. Traceroute times out with unlabeled (*) network hops.

VPN firewall policy permits All Outbound from VPN Clients to All Protected Networks.

I am thinking I should create a new Network definition and update the policy and/or ensure the new network is included in the All Protected Networks definition.

I am reviewing <http://www.isaserver.org/articles/2004netinnet.html> and <http://blogs.technet.com/sbs/archive/2007/11/29/network-behind-a-network.aspx>, trying to figure out what options or what would be the best practice on how to configure ISA and/or the network to accommodate this requirement?

Thank you for your assistance.

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer