Welcome to ISAserver.org


Placing VPN clients on different subnet/static

Placing VPN clients on different subnet/static - 24.Aug.2006 7:40:59 PM   
moscicki

 

Posts: 9
Joined: 3.Feb.2001
From: Milwaukee, WI USA
Status: offline
I am a newbie to ISA server so please bear with me.

Can I have remote VPN clients (individual clients - not site to site) receive an address on a different subnet than the internal facing NIC on an ISA 2006 server?

Background - My network currently is configured with public IP addressing (both static and DHCP) and we are working on converting over to NAT.  I have set up a private IP subnet and have been assigning private IP addresses as secondary to each of my servers and statically assigned workstations.  So we are readying ourselves to cut over to NAT once I work the bugs out of my ISA configuration.  I am trying to do this so I can gradually move my internal resources behind the ISA server without disrupting our normal day to day activities. (I work with software developers, so we have several thousand web sites that need to be migrated and DNS issues to be resolved, so this isn't an overnight process).  We have a Cisco IOS firewall in place that we are trying to migrate away from.

So...

I have set up the VPN and can attach and receive a static address no problem.  I have configured the ISA server to assign static addresses in a different subnet instead of DHCP passthru because my DHCP server will assign public IP addresses (not NAT addresses).  I receive a configuration error on the ISA server that it sees the packets as spoofed because there isn't a route on the Internal NIC.  So regardless of the rules I put in place, everything gets denied from the VPN client.  I don't see where I can set the ISA configuration to set a DHCP class to pull from a specific scope.  I thought possibly about mapping static addresses to remote users, but I have to run my domain in mixed mode because of an old IP telephony system so I have ruled that out.  Should I put a static route into the Internal NIC? Maybe I am making this too complicated....

Any suggestions would be appreciated.  Thanks in advance!

Brian




Post #: 1
RE: Placing VPN clients on different subnet/static - 25.Aug.2006 5:31:12 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Brian,

You're making something VERY EASY seem very hard.

What are you actually trying to accomplish?

Why not just use DHCP to assign on-subnet addresses and be done with it?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to moscicki)
Post #: 2
