Subnet masks? 10.x.x.x in classful routing is 255.0.0.0 and I doubt that's the subnet mask you are using....

P.S. Is everyone getting bounce messages from freelists?

2008/4/30 Chad Schneider (IT) <Chad.M.Schneider@xxxxxxxxxxxxx>:
> Clients are given an IP from a pool. The pool is a group of addresses
> on the same subnet as the gateway. The default gateway for the IPs given
> is in fact the gateway itself, INT1 (internal network).
>
> IPs given are 10.1.X.X
> Default Gateway is the Access Gateway
> Access Gateway is 10.1.X.X
>
> We do have static routes listed.
>
> Destination     Gateway
> 172.16.X.X      10.1.X.X
> 192.168.X.X     10.1.X.X
> 10.0.0.0        10.1.X.X
>
> Chad Schneider
> Systems Engineer
> ThedaCare IT
> 920-735-7615
>
> >>> On 4/30/2008 at 10:03 AM, <joe.shonk@xxxxxxxxx> wrote:
>
> Well, what IP/Gateway is the client using on the Internal Network? Sounds
> like a routing configuration issue.
>
> Joe
>
> ------------------------------
>
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew Wood
> Sent: Wednesday, April 30, 2008 7:49 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: WHY
>
> Here is a beautiful text representation of how I see it
>
>            Tunnel to CAG          internal network
> Me =========== CAG -------------------- INTERNAL
>
> If I set up an IPsec VPN connection to my network via a VPN (CAG) I don't
> want that VPN to route external traffic out, I don't want it to make that
> decision: I want all traffic from my endpoint channelled through the tunnel
> to the VPN, and onto the internal network (rules permitting). At a base
> level it's inefficient - what's the point in sending it through the tunnel if
> it is meant to be external?
>
> Maybe I elect to only perform *some* tunnelling - in which case external
> traffic goes out from 'Me' and never goes through the tunnel (i.e. split
> tunnelling - and at this point my network security chappie has a heart
> attack).
>
> But, if traffic goes through the tunnel it comes out on the internal
> network (rules permitting) - the CAG isn't responsible for deciding
> if network traffic that comes through the tunnel should just be routed out
> directly onto the web.
>
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Berny Stapleton
> Sent: 30 April 2008 14:57
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: WHY
>
> But the CAG wouldn't see the packet come into the internal interface as
> it's not coming across the wire of the ethernet interface, so why should it
> consider it internal traffic?
>
> 2008/4/30 Andrew Wood <andrew.wood@xxxxxxxxxxxxxxxx>:
>
> I'd have thought that if the routing address on your internal interface
> was correct, all traffic going through the CAG should head through the
> internal interface - and then be routed out through the normal channels for
> internal network traffic to the internet (which is unlikely to be the CAG).
>
> Otherwise, someone connecting on the external interface is being routed
> straight out onto the web - bypassing any filters/caching/auditing/scanning
> that you've got set up.
>
> This doesn't help Chad mind - other than agreeing with him that what's
> happening sounds wrong.
>
> a.
>
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Berny Stapleton
> Sent: 30 April 2008 14:26
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: WHY
>
> OK, maybe this is just me and my limited experience with CAG...
>
> A VPN session, which I presume is a connection from the internet (external)
> to the CAG, the CAG being a gateway device between the external internet and
> the internal network. When you bring up a VPN session, or in this case I presume
> an IPsec policy between the two devices (client PC and the CAG), that would
> give you an IPsec policy to the CAG, and any traffic you send to it through
> the IPsec policy would end up in its local routing table. At which point it
> has to make a routing decision about where to send the traffic; it's an
> external address, so therefore it would send it to the external interface and
> therefore an external address.
>
> That seems logical to me. My question to you is, unless the destination
> address is the internal network, why SHOULD it send it via the internal
> interface? My only educated guess on this one is that you used part of your
> INTERNAL address space for the addresses you assigned to the CAG for it to
> hand out to clients, when as far as I can see the clients should have been
> treated or thought of as DMZ interfaces / connections.
>
> This is just what I am thinking about, having done firewall admin before.
>
> If I am wrong on this one, and completely off base, please let me know; my
> experience with CAG is limited.
>
> Berny
>
> 2008/4/30 Chad Schneider (IT) <Chad.M.Schneider@xxxxxxxxxxxxx>:
>
> Does a VPN session to the CAG route external-bound internet traffic
> through the CAG external interface, rather than through the CAG internal
> interface?
>
> I am watching the traffic from our CAG internal IP range, when making a
> request to google.com, and the traffic goes out the CAG INT0 (External).
>
> Chad Schneider
> Systems Engineer
> ThedaCare IT
> 920-735-7615
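The whole disagreement above comes down to the gateway's forwarding decision once a tunnelled packet is decrypted: it is looked up in the gateway's own routing table, and longest prefix wins. The following is an added example, not Citrix code or anything posted in the thread; it models Chad's static routes with assumed masks (/12, /16, /8) and assumed addresses for the elided X.X parts, the ISP next hop and the destination, and shows how the default route decides whether an internet-bound packet from a VPN client leaves INT0 (what Chad observes) or re-enters INT1 (what Andrew expects). It also shows the catch with simply pointing the default route inward.

```python
"""Longest-prefix-match model of a VPN gateway's forwarding decision.

Added example: the prefixes follow the static-route table posted in the
thread, but every concrete address below is assumed (the thread elides
them as X.X) and uses RFC 5737 documentation ranges for public IPs.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str      # "connected" for a directly attached network
    interface: str     # INT0 = external, INT1 = internal (the thread's names)


def lookup(table: Iterable[Route], dst: str) -> Optional[Route]:
    """Return the most specific route covering dst (longest prefix wins)."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for route in table:
        if addr in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best


def egress_interface(table: Iterable[Route], dst: str) -> Optional[str]:
    route = lookup(table, dst)
    return route.interface if route else None


# Assumed values standing in for the thread's X.X placeholders.
INTERNAL_GW = "10.1.0.1"          # next hop on the internal side
ISP_GW = "198.51.100.1"           # next hop on the external side
GOOGLE = "203.0.113.80"           # stand-in for google.com
VPN_CLIENT_PUBLIC = "192.0.2.10"  # a remote client's real internet address
VPN_POOL_CLIENT = "10.1.200.25"   # address handed to that client from the pool


def posted_table() -> List[Route]:
    """Chad's routes as posted (masks assumed), plus the usual default route
    out the external interface, which his list does not show."""
    return [
        Route(ipaddress.ip_network("10.1.0.0/16"), "connected", "INT1"),  # assumed INT1 mask
        Route(ipaddress.ip_network("172.16.0.0/12"), INTERNAL_GW, "INT1"),
        Route(ipaddress.ip_network("192.168.0.0/16"), INTERNAL_GW, "INT1"),
        Route(ipaddress.ip_network("10.0.0.0/8"), INTERNAL_GW, "INT1"),
        Route(ipaddress.ip_network("0.0.0.0/0"), ISP_GW, "INT0"),
    ]


def internal_default_table() -> List[Route]:
    """Same table with the default route swung to the internal network, so
    tunnelled internet traffic re-enters INT1 and hits the site's
    proxy/filter chain instead of leaving INT0 directly."""
    table = [r for r in posted_table() if r.prefix.prefixlen != 0]
    table.append(Route(ipaddress.ip_network("0.0.0.0/0"), INTERNAL_GW, "INT1"))
    return table


def tunnel_bypasses_internal_controls(table: Iterable[Route], dst: str) -> bool:
    """True when a decrypted VPN-client packet to dst would exit INT0
    without ever crossing the internal network."""
    return egress_interface(table, dst) == "INT0"


if __name__ == "__main__":
    for name, table in (("as posted", posted_table()),
                        ("internal default", internal_default_table())):
        print(f"[{name}] VPN client -> google.com exits",
              egress_interface(table, GOOGLE))
        # The catch: the encrypted tunnel packets back to the client's
        # public address follow the same table.
        print(f"[{name}] gateway -> client public IP exits",
              egress_interface(table, VPN_CLIENT_PUBLIC))
```

With the table as posted, the pool address 10.1.200.25 is covered by both 10.1.0.0/16 and 10.0.0.0/8, and the /16 connected route wins, so the /8 static route only matters for other 10.x networks; google.com matches nothing but the default and leaves INT0, exactly what Chad sees. Swinging the default route inward fixes that, but the same single table would then also send the encapsulated tunnel traffic back to the remote client's public address into INT1, which is why a real gateway needs either a separate external default for its own tunnel endpoint or policy-based routing for decrypted client traffic rather than one flat table.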