VPN Infrastructure Question.

  • From: "William Holmes" <wtholmes@xxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 23 Nov 2004 13:47:27 -0500

Hello,

I have a few questions about some changes that I would like to make to my VPN
infrastructure. I have a diagram here:

http://www.cs.cornell.edu/~wtholmes/vpnquestion.htm


Currently:

The ISA server allocates IP addresses from a private 172.x.x.x range without
using DHCP.
The DHCP relay agent is not enabled.
The Network setup on the ISA server is configured to NAT to both the internal
and external networks.

The problems with this setup are:

Internal servers cannot connect to VPN clients. There are several
applications in our environment that require this.
Allowing the RRAS server to assign addresses from a pool without using DHCP
and without enabling the DHCP relay agent seems to prevent the clients from
having their DNS configured correctly. This causes a large number of problems.


Proposed:

Eliminate NAT for traffic destined to the internal interface and networks.

The Internal network router would be configured to route traffic from our
internal systems to the ISA server that is destined for a VPN client on the
172.x.x.x network. The ISA server would be reconfigured to Route rather than
NAT for all the Internal networks.

RRAS on the ISA would be configured to use DHCP for its address allocation,
and have the DHCP relay agent enabled to point to the internal DHCP server.


Question:

I would like the VPN network to be separate from both the Internal and
External networks. That is, I want the VPN network to remain as 172.x.x.x,
the external network to remain as x.x.x.x and the internal network to remain
as y.y.y.y.

I want to use my internal DHCP server for the VPN network. How can I assign
the correct subnet to the VPN net so that when it requests an address it
requests it from the correct DHCP scope? There does not seem to be a way to
configure this that I can see. It only gives me a choice of the internal and
external adapters as a source for DHCP information. It does not allow me to
say use the internal adapter and the following subnet.

Thanks

Bill  




William Holmes (MCP)
Department of Computer Science
310 Upson Hall
Cornell University
Ithaca, NY 14853
wtholmes@xxxxxxxxxxxxxx
607 255-1757 (o) 607 227-6049 (c)
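The scope question above turns on how a DHCP server picks a scope for a relayed request: per RFC 2131 it uses the relay agent's address in the `giaddr` field, or the receiving interface's subnet when `giaddr` is zero, so a request relayed with an internal-adapter address selects the internal scope rather than the VPN pool. The following is an added illustration of that rule (not code from the original post or from ISA/RRAS); the scope names, the 10.1.2.0/24 and 172.16.5.0/24 prefixes and the addresses are constructed stand-ins for the poster's y.y.y.y and 172.x.x.x networks.

```python
import struct
import ipaddress

# Constructed scopes standing in for the poster's internal (y.y.y.y) network
# and the 172.x.x.x VPN pool; the prefixes are made up for this example.
SCOPES = {
    "internal": ipaddress.ip_network("10.1.2.0/24"),
    "vpn": ipaddress.ip_network("172.16.5.0/24"),
}


def build_discover(xid: int, mac: bytes, giaddr: str = "0.0.0.0") -> bytes:
    """Build a minimal DHCPDISCOVER: RFC 2131 fixed header plus option 53."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s",
        1, 1, 6, 0,                  # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,              # transaction id, secs, broadcast flag
        bytes(4), bytes(4), bytes(4),  # ciaddr, yiaddr, siaddr (all zero in a DISCOVER)
        ipaddress.ip_address(giaddr).packed,  # giaddr: filled in by a relay agent
        mac.ljust(16, b"\x00"),      # chaddr
    )
    # sname (64) + file (128) zeroed, magic cookie, option 53=DHCPDISCOVER, end.
    return header + bytes(192) + b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"


def giaddr_of(packet: bytes) -> str:
    """Relay-agent address sits at offset 24..27 of the fixed header."""
    return str(ipaddress.ip_address(packet[24:28]))


def select_scope(packet: bytes, receiving_iface_ip: str) -> str:
    """RFC 2131 4.3.1: choose the scope containing giaddr, or, when giaddr is
    0.0.0.0 (request arrived directly), the receiving interface's subnet."""
    relay = giaddr_of(packet)
    anchor = ipaddress.ip_address(receiving_iface_ip if relay == "0.0.0.0" else relay)
    for name, network in SCOPES.items():
        if anchor in network:
            return name
    raise LookupError(f"no scope contains {anchor}")


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")  # constructed client MAC
    # Relayed with the internal adapter's address: the internal scope answers.
    print(select_scope(build_discover(0x1234, mac, "10.1.2.1"), "10.1.2.9"))
    # Relayed with an address inside the VPN pool: the VPN scope answers.
    print(select_scope(build_discover(0x1235, mac, "172.16.5.1"), "10.1.2.9"))
```

The practical reading for the poster's setup: whichever adapter address ends up in `giaddr` decides the scope, which is why the relay configuration only offers a choice of adapters.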