In my network I have a back-to-back DMZ-configuration, with an ISA 2004 standard edition being the front-end server. The networks affected by this configuration are assigned the following IP-address ranges:
- ISA (external interface): static public IP assigned by ISP
- DMZ network: 172.16.a.b / 28 with
  - ISA (internal interface): 172.16.a.x
  - back-end firewall (external interface): 172.16.a.y
  - back-end firewall (internal interface): 192.168.a.b / 24
- VPN-address space is a 172.16.x.y-range outside the DMZ-network's IP-address range
I configured the ISA server as written in Tom Shinder's "Enabling the ISA Server 2004 VPN Server" article, where I am using a PPTP-VPN so far. Connecting Windows XP SP2-based clients works fine. Unfortunately I am only able to reach the ISA server itself through the VPN tunnel. The back-end firewall's external interface, although it is pingable from the ISA server when logged on locally, is unreachable through the VPN tunnel. The back-end firewall uses the ISA as default gateway. On the ISA server, I added the route to the internal (192.168.a.b) network to the routing tables.
I, too, read the articles about "VPN off-subnet IP-addresses" and the "ISA server solution in a complex network". However, I did not find anything that would have my problem solved. Could anybody give me a hint on what to do?