Welcome to ISAserver.org
VPN/Stub Network design issue
VPN/Stub Network design issue - 7.Oct.2004 5:23:00 PM
Saltin
Posts: 9
Joined: 1.Apr.2002
Status: offline
Hello all...
My network design is summed up in the article found (there's a diagram that describes it perfectly) Here
The stub subnet is 192.168.4.0/24. Four other internal subnets are reachable through my layer 3 device (Cisco 2611XM). Routing is working, no issues.
My problem is stemming from assigning VPN clients IP addresses. I would like to assign IPs from a static pool. Obviously, these IPs must fall in the 192.168.4.0/24 range, as this is the subnet they are connecting to. After that, the Cisco router allows them to reach other subnets in the internal network. Unfortunately, because I have 192.168.4.0/24 defined (among all other internal subnets) in my Internal Network object, I cannot build a static pool for VPN clients of 192.168.4.0/24! The VPN network object and internal network object would then have overlapping address ranges, which isn't allowed.
Obviously I don't understand this reasoning! How can I assign my VPN clients any address other than from range 192.168.4.0/24? Impossible. How can I not define 192.168.4.0/24 as part of my internal network?
Any help would be greatly appreciated.
Thanks! [ October 07, 2004, 05:24 PM: Message edited by: Saltin ]
RE: VPN/Stub Network design issue - 7.Oct.2004 6:04:00 PM
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi Saltin,
The answer is that ISA Server 2004 considers the VPN clients to be a separate network object to which rules can be applied. As you have found, network IP ranges can't overlap.
To work around your issue, simply exclude the static pool of VPN IP addresses from the IP ranges found in your Internal Network object.
HTH,
Bill
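
The workaround described in the reply above, as an added example that is not part of the thread: Python that cuts a static VPN pool out of the Internal Network address ranges and confirms that nothing overlaps afterwards. Only 192.168.4.0/24 comes from the thread; the pool 192.168.4.200 to 192.168.4.220 and the second subnet 192.168.10.0/24 are constructed values.

```python
import ipaddress

def ip(addr):
    """Dotted-quad string to integer."""
    return int(ipaddress.IPv4Address(addr))

def to_range(cidr):
    """Express a subnet as an inclusive (first, last) address pair."""
    net = ipaddress.ip_network(cidr)
    return (int(net.network_address), int(net.broadcast_address))

def overlaps(ranges, pool):
    """True if any range shares at least one address with the pool."""
    return any(start <= pool[1] and pool[0] <= end for start, end in ranges)

def exclude_pool(ranges, pool):
    """Cut the pool out of every range it touches; other ranges pass through."""
    lo, hi = pool
    if lo > hi:
        raise ValueError("pool start is above pool end")
    kept = []
    for start, end in ranges:
        if hi < start or lo > end:   # pool does not touch this range
            kept.append((start, end))
            continue
        if start < lo:               # addresses below the pool stay internal
            kept.append((start, lo - 1))
        if hi < end:                 # addresses above the pool stay internal
            kept.append((hi + 1, end))
    return kept

def fmt(ranges):
    """Render ranges as 'first - last' lines for entry as address ranges."""
    return [f"{ipaddress.IPv4Address(a)} - {ipaddress.IPv4Address(b)}"
            for a, b in ranges]

# 192.168.4.0/24 is the stub subnet from the thread.
# 192.168.10.0/24 and the pool bounds are constructed for this example.
INTERNAL = [to_range("192.168.4.0/24"), to_range("192.168.10.0/24")]
VPN_POOL = (ip("192.168.4.200"), ip("192.168.4.220"))

def plan():
    """Internal Network ranges with the static VPN pool excluded."""
    return fmt(exclude_pool(INTERNAL, VPN_POOL))

if __name__ == "__main__":
    print("overlap before:", overlaps(INTERNAL, VPN_POOL))
    print("\n".join(plan()))
    print("overlap after:", overlaps(exclude_pool(INTERNAL, VPN_POOL), VPN_POOL))
```
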
RE: VPN/Stub Network design issue - 7.Oct.2004 6:48:00 PM
Saltin
Posts: 9
Joined: 1.Apr.2002
Status: offline
Geeze.
Looking at that answer it seems so obvious! Thank you very much.
I guess I was working under the assumption that I could only include full subnet ranges in the internal network component.
Clearly that is a poor assumption!
RE: VPN/Stub Network design issue - 7.Oct.2004 7:07:00 PM
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi Saltin,
Glad to have helped.
Bill
RE: VPN/Stub Network design issue - 7.Oct.2004 7:35:00 PM
tshinder
Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,
Just for the future, if you use DHCP for assigning the VPN clients addresses, you can have the VPN clients network use an overlapping range.
It's just a "peculiarity" of how ISA and VPN client addressing works.
HTH, Tom
RE: VPN/Stub Network design issue - 8.Oct.2004 4:59:00 PM
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi Tom,
That's true -- since RRAS requests a block of 10 addresses at a time (by default) from the DHCP server, ISA Server "knows" that these addresses will be part of the VPN Clients network as soon as they are in use by remote VPN clients.
Thanks!
Bill