static IP addresses for VPN clients

static IP addresses for VPN clients - 29.Aug.2008 12:47:51 PM   
stevenjwilliams83101

 

Posts: 19
Joined: 19.Aug.2008
Status: offline
If I have an internal network range of 10.0.0.0 to 10.0.0.255 and I want to assign my VPN clients a range of 172.16.1.0 to 172.16.1.255 and still have them able to access internal network resources, is this possible?  What routing procedures would I have to accomplish or configure?  Maybe it's not doable, but I need to know. I figured you could accomplish it through network rules, but I can't seem to find any info on it.
Post #: 1
RE: static IP addresses for VPN clients - 30.Aug.2008 4:37:55 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi Steve,
You can do that, use static address assignment on ISA:
Check these(don't worry that they are for ISA 2004, the steps are pretty much the same with ISA 2006)
http://www.microsoft.com/technet/isa/2004/help/M_P_H_VPNAssign.mspx?mfr=true
http://www.microsoft.com/technet/isa/2004/help/CMT_VPNAddress.mspx?mfr=true
Regards!

(in reply to stevenjwilliams83101)
Post #: 2
RE: static IP addresses for VPN clients - 2.Sep.2008 9:59:31 AM   
stevenjwilliams83101

 

Posts: 19
Joined: 19.Aug.2008
Status: offline
Thanks for the links, but it didn't help me.  It tells you how to assign and set up VPN clients, but it doesn't answer my question on Internal network and VPN clients on two different subnets being able to communicate.  If the two are on different IP subnets, is there any routing configuration that needs to be done?

(in reply to stevenjwilliams83101)
Post #: 3
RE: static IP addresses for VPN clients - 2.Sep.2008 12:31:54 PM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi Steve,
So, you do not want to assign your VPN clients on-subnet IP addresses from your Internal Network, 10.0.0.0/24 (either using DHCP or a static pool of IP addresses).

Instead you want to assign them IP addresses from 172.16.1.0/24.
Configure the static pool of IP addresses with IP addresses from this range, or with this entire range, as per configuration steps from the above link.

Yes, it works, sort of, you will be able to access resources located on the Internal Network from the VPN clients, that's why this setting is there.
You just need to create the required access rule. The default network relationship between the VPN Clients Network and the Internal Network is route, you do not need to change it.

The sort of part:

If the use default gateway on remote network is checked on the VPN client (as it should be), a default route would be added, so traffic for 10.0.0.0/24 will be sent over the VPN tunnel. No problems.

If the use default gateway on remote network is not checked on the VPN client, I think that you will have a problem.
You will not have a route to the 10.0.0.0/24 network, only for 172.16.1.0/24. And using CMAK profiles to update the routing table, I think, will not work either (if you leave the IF DEFAULT in place); you will end up with a wrong route, sending traffic through the physical interface. As per the help docs, you should leave the use default gateway on remote network checked, and add/remove any routes as desired.
The problem with adding the route on the VPN client, when use default gateway on remote network is not checked, is that the route is to be added through the PPP interface, and you do not know the id of that interface on the client machine (unless you are a magician or so).
You may use a script to add that route. Check this.
Or you can add that route through DHCP Options, Option 249, Classless Static Routes. Configure the DHCP relay on ISA, http://www.isaserver.org/tutorials/2004dhcprelay.html. On the DHCP server (I suppose it is Win 2003), add a scope for 172.16.1.0/24. Add option 249 (it appears that you can enter anything in the router tab for this option and you will still have the correct route on the VPN client through the PPP adapter). Personally, I have encountered some issues with the DHCP Inform packet with off-subnet static IP addresses (if I changed from dynamic to static, things were OK; as soon as I restarted the firewall service on ISA, the DHCP Inform packet seemed to not be sent anymore to the DHCP server by RRAS).

Regards,
J

< Message edited by justmee -- 2.Sep.2008 3:20:05 PM >

(in reply to stevenjwilliams83101)
Post #: 4
RE: static IP addresses for VPN clients - 2.Sep.2008 5:26:11 PM   
stevenjwilliams83101

 

Posts: 19
Joined: 19.Aug.2008
Status: offline
HOLY COW!!  Well I do have the use default networks gateway option checked and that doesn't seem to help anything.  Why is this so difficult?  I am so lost when it comes to routing tables, I have been banging my head for days trying to understand it!!  And reading anything Cisco dealing with routing makes me want to cry because they make it seem like rocket science!!!

(in reply to stevenjwilliams83101)
Post #: 5
RE: static IP addresses for VPN clients - 3.Sep.2008 4:58:55 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
It does work fine for me, with the use default gateway on remote network option checked. And I did not do anything special. I did not touch the default network relationships on ISA. Just configured the static pool and the required access rules.

Are you as a VPN client located on the same subnet 10.0.0.0/24?
Why exactly do you want to use that static range?

For example, when you ping a host located on 10.0.0.0/24, do you explicitly see the packets not being sent over the VPN tunnel?
That's easy to analyze: start the live logging on ISA (to see if the packets are reaching ISA and what happens with them) and a packet capture on the VPN client.
If you can, post here the output of the route print command on the client, after the VPN connection was established.
Anyway, you can eliminate the questions regarding the routing during tests by manually adding a route on the client after the VPN connection was established like so:
For example you may have a route like this:
0.0.0.0    0.0.0.0   172.16.1.25    172.16.1.25
So add something like (although with the above one, this is not necessary):
route add 10.0.0.0 mask 255.255.255.0 172.16.1.25

(in reply to stevenjwilliams83101)
Post #: 6
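The routing cases discussed in posts 4 and 6, as an added example that is not part of the original thread: a simplified model of the client's route selection (longest prefix first, then lowest metric) showing which interface traffic to the Internal Network leaves by. The tables, metrics, the home LAN 192.168.1.0/24 and the host 10.0.0.10 are constructed values, and the split-tunnel table follows the post's statement that only 172.16.1.0/24 is routed to the PPP adapter.

```python
import ipaddress

def build_table(client_lan, default_gw_checked, manual_routes=()):
    """Constructed client routing table: (destination, interface, metric)."""
    table = [
        ("0.0.0.0/0", "physical", 20),      # client's own default route
        (client_lan, "physical", 20),       # client's local LAN, on-link
        ("172.16.1.0/24", "ppp", 1),        # VPN static pool from the thread
    ]
    if default_gw_checked:
        # "Use default gateway on remote network": default route via the tunnel
        table.append(("0.0.0.0/0", "ppp", 1))
    table.extend(manual_routes)
    return table

def egress(table, dest):
    """Return the interface chosen for dest: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in table if addr in ipaddress.ip_network(r[0])]
    best = max(matches,
               key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, -r[2]))
    return best[1]

SERVER = "10.0.0.10"  # constructed host on the Internal Network 10.0.0.0/24

def scenarios():
    manual = [("10.0.0.0/24", "ppp", 1)]  # the "route add" from post 6
    return {
        "gateway checked": egress(
            build_table("192.168.1.0/24", True), SERVER),
        "gateway unchecked": egress(
            build_table("192.168.1.0/24", False), SERVER),
        "unchecked + manual route": egress(
            build_table("192.168.1.0/24", False, manual), SERVER),
        # Client's own LAN overlaps the Internal Network: the on-link /24
        # is more specific than the tunnel's default route.
        "checked, client LAN is 10.0.0.0/24": egress(
            build_table("10.0.0.0/24", True), SERVER),
    }

if __name__ == "__main__":
    for name, iface in scenarios().items():
        print(f"{name:38s} -> {iface}")
```

Comparing this against the real `route print` output taken after the tunnel is up shows which case a given client is in.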
RE: static IP addresses for VPN clients - 3.Sep.2008 10:33:37 AM   
stevenjwilliams83101

 

Posts: 19
Joined: 19.Aug.2008
Status: offline
When my client is on the same subnet, yes everything works fine.  I am trying to give my VPN clients a different address pool than my internal subnet.  So my internal subnet is 10.0.0.0/24 and I want my clients to have another range of IPs.  That's why I figured some kind of routing would be required.... As far as adding routes to clients, I can possibly do that for all my users nor require them to do it, they are lucky they can log on their computers.  What is the relationship between ISA server and Routing and remote access??  Does anything need to be configured on that?  I would love to have my VPN just pull from my DHCP server but I tried that and weird stuff happens.  Like every time a user logs off and logs on, even if it is 3 minutes apart, they pull a different IP address, then I see a bunch of RAS IP addresses that don't release till the DHCP lease time is up......so they just build up.

(in reply to stevenjwilliams83101)
Post #: 7
RE: static IP addresses for VPN clients - 22.Oct.2008 6:31:35 AM   
lbm_

 

Posts: 38
Joined: 9.Sep.2008
Status: offline
Did you solve this issue?
I have the same problem.

(in reply to stevenjwilliams83101)
Post #: 8
RE: static IP addresses for VPN clients - 23.Oct.2008 5:16:00 AM   
lbm_

 

Posts: 38
Joined: 9.Sep.2008
Status: offline
I got it solved. You can read my solution here:
http://forums.isaserver.org/Solved%3a_VPN_Static_address_pool/m_2002075627/tm.htm

(in reply to lbm_)
Post #: 9
