We have three sites all connected via VPN tunnels using Linksys VPN routers.
Our main network:
Network: 192.168.4.0/24
VPN Gateway: 192.168.4.1
ISA: 192.168.4.6
DHCP Leased Default Gateway for all clients on 4.0 network: 192.168.4.6

Other Networks:
Site 1 Network: 192.168.2.0/24
Site 2 Network: 192.168.3.0/24
Now that everyone on the 4.0 network is set to go through 4.6 as the default gateway, proxy and FWC, I'm having trouble connecting to the 2.0 and 3.0 networks. I know these networks are up and running because I can still ping them fine using our DC, which is still set to default out through 192.168.4.1.
I statically set routes in the ISA using the command prompt with the route add -p command. I was able to ping the remote networks fine from the ISA itself but clients on the network could not.
I tried setting up RRAS to just be a router and route to those destinations, but this still didn't let the clients route to the remote networks.
On ISA, my internal network contains the range of 192.168.2.0-192.168.4.255 (initially but see below).
I tried setting the internal network to the range of 192.168.4.0-4.255 and making two new networks with the ranges of 3.0-3.255 and 2.0-2.255. Then I created a network rule to route where the source network was Internal and the destination network was the network with the 3.0-3.255 range, then tried to ping an address on the 3.0 network. That didn't work either. I did this with RRAS enabled and disabled, and either way mattered not.
So, what is the method I would use to set up the routing on the ISA box for the clients to reach the 2.0 and 3.0 networks? Apparently ISA doesn't use the routes added via the command prompt to route for clients behind the firewall but does for itself, as long as the Internal network includes the network you're pinging. I found that once I changed the 2.0-4.55 network range for Internal to 4.0-4.255 (and before I created two more separate networks of 2.0 and 3.0), I could no longer ping the other networks from ISA.
To properly set up routing through ISA you would need to add additional NICs, define a network object and IP range for each, and then create access rules to allow the traffic. ISA has routing capability but its main function is a firewall. Your options, other than the above, would be to either add persistent manual routes to all devices on the 4.0 network to the other subnets, or change the default route to use the VPN gateway instead of ISA and then configure each client as an ISA Firewall and Web Proxy client on the 4.0 network.
HTH
RB
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003