
Welcome to ISAserver.org


How to supply static routes to VPN clients?

How to supply static routes to VPN clients? - 4.Nov.2011 2:16:04 PM   
Massimo80

 

I have an ISA Server 2006 firewall (but the exact same behaviour happens with TMG 2010) sitting in front of my company network; the internal network subnet is 192.168.60.0/24 and is correctly configured in ISA. All internal computers use ISA as their default gateway.

I want my VPN clients to use addresses in another subnet, let's say 192.168.17.0/24. So I configured static address assignment in ISA, and I also manually configured the DNS addresses (192.168.60.1 and 192.168.60.3).

Firewall policies are in place to allow all traffic between VPN clients and the internal network.

I don't want VPN clients to use the VPN as their default gateway, so I unchecked the relevant checkbox in the VPN connection properties; I don't want their Internet traffic to go through the VPN, only the traffic directed to the company network.

A client can successfully establish a VPN connection and get an IP address in the 192.168.17.X range. It can ping the ISA server and even RDP to it (the policies allow this).

But it doesn't get a route to the 192.168.60.0/24 subnet, so it can't talk to the internal network.

If I manually add a static route to the client saying "you can talk to 192.168.60.0/24 using the VPN interface", everything works fine.

How can I automatically supply this static route to VPN clients?

Also, I have a network-behind-network scenario, as there is another internal network (192.168.1.0/24) reachable via a different router; ISA Server knows how to talk to it because it has a static route defined, but, again, VPN clients don't get any information about it.

Same question as above: how to supply static routes to VPN clients?
Post #: 1
RE: How to supply static routes to VPN clients? - 7.Nov.2011 2:45:58 PM   
Massimo80

 

I was finally able to get this to work by assigning addresses to VPN clients using DHCP and then using the DHCP options to hand out those static routes.
This also required enabling the DHCP Relay Agent on the RRAS underlying ISA/TMG.

(in reply to Massimo80)
Post #: 2
RE: How to supply static routes to VPN clients? - 12.Feb.2012 3:01:16 PM   
dariopalermo

 

Hi Massimo, I'm trying to do the same on my ISA box but something's wrong: which option did you put in the DHCP scope? And configured how? VPN clients use their dynamic IP as the gateway to the ISA box, so how should I configure the gateway for the extra routes?

Thanks

_____________________________

Dario Palermo

(in reply to Massimo80)
Post #: 3
RE: How to supply static routes to VPN clients? - 12.Feb.2012 5:14:23 PM   
Massimo80

 

I configured the firewall to assign addresses to VPN clients from a static pool, and then created a scope in the DHCP server using the same pool; I put DNS and WINS settings there, and also used DHCP option 121, "classless static routes". There, I configured a static route to the internal network, and used the first address of the VPN pool as the gateway address; it looks like the exact address you use doesn't matter, because the actual route supplied to the VPN client is in the form "use the VPN link to reach this network".

(in reply to dariopalermo)
Post #: 4
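
For reference, the wire format of DHCP option 121 (RFC 3442) mentioned above, as an added example that is not part of any poster's message: it encodes routes for the two subnets named in the thread and decodes a payload (for instance from a packet capture) to check that only the intended prefixes are being handed to VPN clients. The gateway 192.168.17.1 and all function names are assumptions.

```python
import ipaddress

# Constructed sample values: the subnets come from the thread; the gateway is
# assumed to be the first address of the 192.168.17.0/24 VPN pool.
GATEWAY = "192.168.17.1"
INTENDED = [("192.168.60.0/24", GATEWAY), ("192.168.1.0/24", GATEWAY)]

def encode_option_121(routes):
    """Encode (destination CIDR, router) pairs as an RFC 3442 option 121 payload."""
    out = bytearray()
    for cidr, router in routes:
        net = ipaddress.IPv4Network(cidr, strict=True)  # rejects host bits in the prefix
        out.append(net.prefixlen)
        # Only the octets covered by the mask are transmitted.
        out += net.network_address.packed[:(net.prefixlen + 7) // 8]
        out += ipaddress.IPv4Address(router).packed
    if len(out) > 255:
        raise ValueError("payload does not fit in one DHCP option")
    return bytes(out)

def decode_option_121(payload):
    """Decode an option 121 payload into (destination CIDR, router) string pairs."""
    routes, i = [], 0
    while i < len(payload):
        width = payload[i]
        if width > 32:
            raise ValueError(f"invalid prefix length {width} at offset {i}")
        n = (width + 7) // 8
        end = i + 1 + n + 4
        if end > len(payload):
            raise ValueError("truncated route entry")
        dest = payload[i + 1:i + 1 + n] + bytes(4 - n)  # pad back to four octets
        net = ipaddress.IPv4Network((dest, width), strict=True)
        router = ipaddress.IPv4Address(payload[i + 1 + n:end])
        routes.append((str(net), str(router)))
        i = end
    return routes

def unexpected_routes(payload, intended):
    """Return advertised routes outside the intended set (e.g. a default route)."""
    allowed = {str(ipaddress.IPv4Network(c)) for c, _ in intended}
    return [r for r in decode_option_121(payload) if r[0] not in allowed]

if __name__ == "__main__":
    wire = encode_option_121(INTENDED)
    print(wire.hex())
    print(decode_option_121(wire))
    # Constructed payload with a default route prepended: it should be flagged.
    print(unexpected_routes(bytes.fromhex("00c0a81101") + wire, INTENDED))
```

A 0.0.0.0/0 entry in the decoded list would send all client traffic through the tunnel, which is the opposite of the split-tunnel setup the original question asks for.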
RE: How to supply static routes to VPN clients? - 13.Apr.2012 6:17:33 AM   
bingyeo

 

Hi Massimo80

you mentioned that you configured ISA to assign addresses from a static pool, but then you created a scope in the DHCP server using the same pool?

If you are using ISA to assign addresses to VPN clients, the DHCP scope in this case would not apply to the clients as address assignment is not performed by DHCP, right?

I am currently trying to implement a static route to VPN clients via ISA, and have tried your method, but I don't see how the scope in DHCP helps when you are assigning addresses using ISA directly, instead of via DHCP.

(in reply to Massimo80)
Post #: 5
