Re: adding a route to the client
- From: jogdial <jogdial@xxxxxxxxx>
- Date: Thu, 3 Apr 2008 02:24:36 -0700 (PDT)
On 1 Apr, 15:19, "Phillip Windell" <philwind...@xxxxxxxxxxx> wrote:
"jogdial" <jogd...@xxxxxxxxx> wrote in message
news:70fcd87c-43cd-4d5f-b3c6-547acd821362@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On 31 Mar, 16:54, "Phillip Windell" <philwind...@xxxxxxxxxxx> wrote:
That's fine, it's what I want. Now, recently, we were taken over by
another company. They brought in their own network space, we put a
bunch of our systems on it, they linked our 10.xxx.xxx.xxx network to
their 152.xxx.xxx.xxx network with a router/firewall appliance.
152.x.x.x is not an RFC Private Addresses Range. That is a Public Address
Range that is actually *owned* by somebody. It is not open to use on
private internal company networks.
Yes, it is owned by the company that has taken us over. Pitney
Bowes. It is their address range and they have assigned it to us.
You may be screwed if you have no control over the routing of the LAN.
The LAN routing is already in place and works fine, I can get changes
done to it if necessary.
You may also be totally screwed if you are not using the correct terminology
and not accurately describing the situation because that can cause
everything I am going to say to be completely wrong.
Here goes.....
1. The Default Gateway of *ALL* machines except the ISA needs to be set to
the LAN Router IP that sits between the two network segments. Both segments
(10 & 152) will need to do this.
this is already done... The ISA server is not the problem... The
client is where the problem lies.
2. The Default Gateway of the LAN Router is supposed to be the ISA. But
since this other company probably doesn't want to use your ISA,,,*and*,...
if this "router" is "doubling" as an Internet Firewall then that cannot
happen.
3. So the LAN Router / Firewall will now become that "path" that you take
for the VPN Tunnel and it will have to be configured to allow PPTP outbound.
done
4. You can still use the ISA for Web Proxy and Firewall (Winsock)
Clients,...but you can no longer use the ISA for SecureNAT Clients because
the LAN Router / Firewall will now take over that role.
done
5. You must (at minimum) take *both* the Public IP# that you "dial" to
connect to the remote VPN network and the entire Private Internal Range of
the remote VPN network and add them to the Addresses Tab of the Internal
Network Definition.
done ISA server is all working fine.
6. Concerning the remote VPN network side of things....With the "use gateway
on remote network" disabled you will not be able to communicate with any
other additional segments on the remote network side,...you will only be
able to connect to the one you VPN'ed directly into.
As stated before, if I add a net route statement to my client, using
the client's PPP DHCP assigned address that is obtained during the VPN
negotiation, I can talk to these additional segments fine. I was just
trying to find a way of automating this.
7. Because the 152.x.x.x network is not a valid RFC Private Address Range
for use on private, internal, home or company networks,...you will never
ever ever be able to connect to any resource on the internet if the IP# of
the Internet resource begins with "152".
I take exception with what you are saying there. If you own an
address space, you can do whatever you like with it.. use it at home,
internally or on a company network. PB owns this address space,
they have assigned it to our company, we can do what we like with it.
Granted it's not that common to use public address space in this way,
but they have it, so they can use it. Large companies often have
class B networks and have had them for ages, so they use them.
And as stated, I can route to this network as I have configured the
ISA server routing protocol to know where the segments are via the
gateway and adding these segments to our internal networks.
Anyway, I guess I'll write a script to parse the address and generate
a batch file and put it on their desktop to run after the negotiation
of the VPN...
Saying that, is there any way I can start up the client VPN in a batch
file? At least they would just run the one batch file then rather
than having to connect to our network using the windows client VPN and
then run the batch file after....
Thanks
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-...
Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx
Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepart...
-----------------------------------------------------
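
Added example, not part of the original post or the reply it quotes: one way to do the "parse the address and generate a batch file" step described above, validating the parsed PPP address before it is written into a `route add` line. The entry name "Office VPN", the sample `ipconfig` text and the remote segments are constructed placeholders.

```python
import ipaddress
import re

# Constructed `ipconfig` output in the Windows XP layout (not from the thread).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

PPP adapter Office VPN:

        IP Address. . . . . . . . . . . . : 10.20.30.57
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :
"""

# Hypothetical additional segments behind the VPN (documentation ranges).
REMOTE_SEGMENTS = ["192.0.2.0/24", "198.51.100.0/25"]

ADAPTER_RE = re.compile(r"^(\S.*?) adapter (.+?):\s*$")
ADDR_RE = re.compile(r"^\s+IP(?:v4)? Address[ .]*:\s*([0-9.]+)")

def ppp_address(ipconfig_text, entry_name):
    """Return the address of the named PPP adapter, or None if not connected."""
    in_entry = False
    for line in ipconfig_text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            in_entry = header.groups() == ("PPP", entry_name)
        elif in_entry and ADDR_RE.match(line):
            # IPv4Address() raises on anything that is not a dotted quad.
            return ipaddress.IPv4Address(ADDR_RE.match(line).group(1))
    return None

def route_batch(ipconfig_text, entry_name, segments):
    """Build batch-file lines adding one route per segment via the PPP address."""
    gateway = ppp_address(ipconfig_text, entry_name)
    if gateway is None:
        raise RuntimeError("VPN entry %r is not connected" % entry_name)
    lines = ["@echo off"]
    for seg in segments:
        net = ipaddress.IPv4Network(seg)  # strict: raises if host bits are set
        lines.append(f"route add {net.network_address} mask {net.netmask} {gateway}")
    return lines
```

On a client the input text would be the output of `ipconfig` captured after the dial-up entry has connected (for example via `rasdial`), and the returned lines would be written to the batch file the user runs.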