Hi William,

Did you see Stefaan Pouseele's article on using off subnet addressing and stub networks over at www.isaserver.org? It's quite good!

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: William Robertson [mailto:william.robertson@xxxxxxxxx]
Sent: Tuesday, March 25, 2003 8:06 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Will this break the Firewall Service?

http://www.ISAserver.org

Well, I have tried using a private/off-subnet IP Address range for the pool of addresses available for VPN Clients, but I still have the problem wherein my Firewall Service gets his knickers in a knot and won't permit any normal outbound Firewall Client traffic.

Please could someone tell me what my (hopefully) obvious mistake is?

Cheers
William R.

-----Original Message-----
From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
Sent: 25 March 2003 10:39 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Will this break the Firewall Service?

Hi there

Instead of posing my problem scenario, let me just ask the following:
(All IP Addresses have been changed to protect the innocent)

If I have an internal network using a Public Address range
123.123.x.x
and I have my ISA Server accepting VPN connections on the ISA's external Interface
200.123.200.123
and I tell RRAS to assign IP Addresses to VPN Clients from a Pool of addresses set up within RRAS
123.123.123.1 - 123.123.123.255

Will this cause a problem on my ISA Firewall?

As I have it, my ISA should get confused about where to send VPN traffic and then where to send normal Internal LAN traffic?

But that is not the problem, my VPN connections work like a charm. The problem is that when I connect via VPN I get many ISA Alerts such as:

- ISA Server detected a change in the IP routing table of the computer.
- ISA Server detected a change in the IP addresses of the computer.
- ISA Server detected that network interface card (NIC) WAN (PPP/SLIP) Interface, with IP address 123.123.123.1, was disabled.
- Microsoft Firewall failed. The failure occurred during Initialization of reverse Network Address Translation (NAT). (This message appears for each Server Publishing rule that I have)

And when this happens, all of my other outbound Firewall Connections fail. E.g. All Server Publishing, SMTP Mail, Outbound SAP links.

All Web Proxy connections work like a charm, it just appears that the Firewall Service has got a bit stuck.

To resolve this I need to restart ALL ISA Services, not just the Firewall Service.

Can someone perhaps conclude whether the IP Addressing that I am using could be the major cause of my problems?

The thing is I can only test again after hours so I am just trying to get my bag of tricks filled with some ideas from you guys before I tackle the problem later.

Cheers
William R.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: robertson.william@xxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
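
An added example, not part of the original thread: a Python check of whether an RRAS static address pool overlaps the firewall's internal address ranges, which is the addressing question William raises. The internal range and first pool are the (already altered) addresses from his post; the off-subnet pool 10.99.99.1 - 10.99.99.254 is a constructed value, and the function names are hypothetical.

```python
import ipaddress


def to_int(addr):
    """Convert a dotted-quad IPv4 address to an integer for range arithmetic."""
    return int(ipaddress.IPv4Address(addr))


def to_str(value):
    return str(ipaddress.IPv4Address(value))


def overlap(pool, internal_ranges):
    """Return the inclusive (first, last) parts of the VPN pool that fall
    inside any internal range. All ranges are (first, last) string pairs."""
    p_first, p_last = to_int(pool[0]), to_int(pool[1])
    if p_first > p_last:
        raise ValueError("pool start is after pool end")
    hits = []
    for first, last in internal_ranges:
        lo = max(p_first, to_int(first))
        hi = min(p_last, to_int(last))
        if lo <= hi:  # a non-empty intersection
            hits.append((to_str(lo), to_str(hi)))
    return hits


def classify(pool, internal_ranges):
    """'off-subnet' if the pool shares no address with the internal ranges,
    'inside' if every pool address is internal, otherwise 'partial'.
    Assumes the internal ranges do not overlap each other."""
    hits = overlap(pool, internal_ranges)
    if not hits:
        return "off-subnet"
    covered = sum(to_int(hi) - to_int(lo) + 1 for lo, hi in hits)
    size = to_int(pool[1]) - to_int(pool[0]) + 1
    return "inside" if covered == size else "partial"


# Internal range from the post (123.123.x.x), written out as first/last.
INTERNAL = [("123.123.0.0", "123.123.255.255")]
POOL_FROM_POST = ("123.123.123.1", "123.123.123.255")
POOL_OFF_SUBNET = ("10.99.99.1", "10.99.99.254")  # constructed value

if __name__ == "__main__":
    for name, pool in [("post", POOL_FROM_POST), ("off-subnet", POOL_OFF_SUBNET)]:
        print(name, pool, classify(pool, INTERNAL), overlap(pool, INTERNAL))
```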