Welcome to ISAserver.org

How to Implement VPN Off-Subnet IP Addresses

How to Implement VPN Off-Subnet IP Addresses - 22.Mar.2003 5:26:00 PM   
spouseele

 

This thread is for the How to Implement VPN Off-Subnet IP Addresses article.

Thanks,
Stefaan

[ March 23, 2003, 02:01 PM: Message edited by: spouseele ]
Post #: 1
RE: How to Implement VPN Off-Subnet IP Addresses - 22.Mar.2003 7:44:00 PM   
tshinder

 

Hi Stefaan,

Very nice article! Gets right to the point and explains a very important concept in VPN security.

Thanks!

Tom

(in reply to spouseele)
Post #: 2
RE: How to Implement VPN Off-Subnet IP Addresses - 16.Dec.2003 6:32:00 AM   
BobW

 

quote:
Originally posted by spouseele:
This thread is for the How to Implement VPN Off-Subnet IP Addresses article.

Thanks,
Stefaan

Forgive me, but I am a bit confused about the suggestion of using an additional subnet for ISA only. Probably my environment is too simple.

My ISA is dual homed with an internal 192.168.2.x/24 which all of my servers and workstations share as well. All of which are connected by a layer 2 switch. It does have the capabilities of creating VLANs AND there is a router on my network pointing to 192.168.1.x in a different location.

So if I read the article correctly I should, somehow, give the ISA its own separate subnet? Would this be helpful given my setup?

I have had folks try to use PPTP through hotels and have found that if their IP is 192.168.2.x (from the hotel) it messes things up....would giving it its own subnet help this?

Thanks again,
Bob

(in reply to spouseele)
Post #: 3
RE: How to Implement VPN Off-Subnet IP Addresses - 16.Dec.2003 8:53:00 PM   
spouseele

 

Hi Bob,

The article just shows you a method to avoid as much as possible the split tunneling issue with VPN users. However, it requires an internal routed network with a carefully designed IP numbering scheme.

The problem you are pointing to is a *general* VPN design problem and not an ISA specific problem. The only solution to that problem is to renumber one of the sites so there is no longer an IP address conflict. However, that's simpler said than done! If you don't have any control over the IP numbering scheme used on the remote networks, then sooner or later you will run into a situation with a conflicting IP numbering scheme. Nothing much you can do about that unless you assign public IPs to your VPN users. [Wink]

HTH,
Stefaan

(in reply to spouseele)
Post #: 4
RE: How to Implement VPN Off-Subnet IP Addresses - 23.Jun.2004 2:50:00 AM   
jdskee

 

quote:
Originally posted by spouseele:

Nothing much you can do about that unless you assign public IPs to your VPN users. [Wink]

Stefaan,
Is using public IPs to assign to VPN clients the only solution to this problem? I have been using 192.168.x.x (mainly 192.168.1 to 192.168.5 and a few others) for addressing in my internal network and have recently been experiencing the problem of end users not being able to ping any servers because of the use of conflicting internal subnets at various hotels. I was considering renumbering to 172.16 but as far as I can see this is at best a temporary solution since somewhere along the line a hotel will decide to use that.

Surprisingly I have searched on Google, MS, TechRepublic, here, and various other places and although this would seem to be a widespread problem I have not found much of anything as far as experiences resolving this issue.

Any help is appreciated. Thanks.

(in reply to spouseele)
Post #: 5
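
The address conflict discussed in the posts above, as an added example that is not part of the original thread: it lists which internal subnets a remote LAN overlaps and shows, by longest-prefix match, why traffic to those addresses never enters the tunnel. Assumptions: /24 masks on the 192.168.1 to 192.168.5 networks, a client whose default route points into the VPN while its local LAN stays a connected route, and constructed hotel ranges.

```python
import ipaddress

# Internal subnets from the post above (192.168.1.x to 192.168.5.x); /24 masks are assumed.
CORPORATE = [ipaddress.ip_network(f"192.168.{n}.0/24") for n in range(1, 6)]

def shadowed(client_lan, corporate=CORPORATE):
    """Internal subnets that overlap the LAN the VPN client is sitting on."""
    lan = ipaddress.ip_network(client_lan, strict=False)
    return [str(net) for net in corporate if net.overlaps(lan)]

def next_hop(dest, client_lan):
    """Longest-prefix match over a simplified client routing table:
    the connected LAN route plus a default route into the tunnel."""
    table = [
        (ipaddress.ip_network(client_lan, strict=False), "local-lan"),
        (ipaddress.ip_network("0.0.0.0/0"), "vpn-tunnel"),
    ]
    addr = ipaddress.ip_address(dest)
    # The most specific matching route wins, so an overlapping LAN beats the tunnel.
    return max((net.prefixlen, hop) for net, hop in table if addr in net)[1]

def audit(client_lans, corporate=CORPORATE):
    """Map each remote LAN to the internal subnets it makes unreachable."""
    return {lan: shadowed(lan, corporate) for lan in client_lans}

if __name__ == "__main__":
    # Constructed sample LANs, not taken from any real site.
    for lan, hit in audit(["192.168.2.0/24", "192.168.0.0/16", "10.20.0.0/16"]).items():
        print(f"{lan:18} conflicts with: {', '.join(hit) or 'none'}")
    # A server at 192.168.2.10 seen from a hotel LAN numbered 192.168.2.0/24:
    print(next_hop("192.168.2.10", "192.168.2.0/24"))
    print(next_hop("192.168.3.10", "192.168.2.0/24"))
    # Renumbering the internal network to 172.16.1.0/24 still collides with a
    # remote LAN that uses 172.16.0.0/12 (constructed range).
    print(shadowed("172.16.0.0/12", [ipaddress.ip_network("172.16.1.0/24")]))
```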
RE: How to Implement VPN Off-Subnet IP Addresses - 23.Jun.2004 8:15:00 PM   
spouseele

 

Hi James,

Check out http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=002415 ! [Big Grin]

Thanks,
Stefaan

(in reply to spouseele)
Post #: 6
