Re: VPN USERS - Question For Mark Renoden and Phillip Windell

From: Phillip Windell (_at_.)
Date: 03/11/05


Date: Fri, 11 Mar 2005 08:28:17 -0600


"Julian Dragut" <julianmd@groups.com> wrote in message
news:eSbkDaeJFHA.2756@TK2MSFTNGP10.phx.gbl...
> I know it is not intended to have both interfaces in the same subnet but I've
> blinded the external if so it would not cause any trouble

That won't work.

> Situation:
> I have a LAN with 192.168.0.0/24 which is protected by a Cisco PIX
> Firewall, and the internal interface is 192.168.0.1.
> I have implemented ISA 2004 for testing inside the network and I have
> setup a few users with firewall client (with autodiscovery and stuff) so they
> (test clients) are NAT-ed by the ISA before they reach the PIX.

That won't work. The Firewall and SecureNAT Service require a properly
functioning and correctly configured External NIC.

> PIX Firewall comes with a VPN Software, and I have set it up to mobile
> users so they can connect from outside and access resources. By default, PIX
> Firewall doesn't allow outbound connection through the same interface the
> inbound connection was initially made; therefore, the mobile clients once
> connected cannot browse the internet (in my case they cannot use our
> email server, which is hosted outside the company), so I am looking at a
> way to set ISA up as gateway for them.

That won't work. The VPN Client must use Split-Tunneling in this case and
they must access the mail server directly from the internet and not by
looping through your LAN. Split-Tunneling is done by disabling "Use Gateway
on Remote Network" in the client's dialup configuration.

When you use things the way they were meant to be used they will work
every time. When you try to make up your own rules and try to "outsmart the
system" you will have nothing but trouble.

-- 
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
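As an added illustration of the split-tunneling point in the reply above (example code written for this page, not from the thread, ISA Server or the PIX), this small Python model routes a packet from a VPN client with and without the "Use default gateway on remote network" option and then applies the same-interface rule the original poster describes on the PIX. The mail server address 203.0.113.25, the next-hop names and the interface names are constructed.

```python
# Added example: longest-prefix-match routing model showing why traffic to an
# externally hosted mail server ends up at the PIX when "Use default gateway
# on remote network" is on, and goes out the client's own Internet link when
# it is off (split tunneling). All addresses are constructed sample values.
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")        # the corporate LAN from the post
MAIL_SERVER = ip_address("203.0.113.25")  # constructed: mail server hosted outside


def client_routes(use_remote_gateway: bool):
    """Routing table of a dialup/VPN client as (prefix, next_hop) entries.

    With the option on, the VPN adapter installs a preferred default route;
    with it off, only the corporate prefix goes through the tunnel."""
    routes = [(LAN, "vpn-tunnel"), (ip_network("0.0.0.0/0"), "local-isp")]
    if use_remote_gateway:
        # Inserted first so it wins the tie between the two default routes
        # (this models the lower metric the VPN adapter's route receives).
        routes.insert(0, (ip_network("0.0.0.0/0"), "vpn-tunnel"))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match; among equal prefixes the earlier entry wins."""
    best = None
    for prefix, hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hop)
    return best[1] if best else None


def pix_forwards(ingress_if: str, egress_if: str) -> bool:
    """Default PIX behaviour described in the post: a packet may not be sent
    back out the same interface it arrived on."""
    return ingress_if != egress_if


def mail_reachable(use_remote_gateway: bool) -> bool:
    """End-to-end check for a VPN client sending to the external mail server."""
    hop = next_hop(client_routes(use_remote_gateway), MAIL_SERVER)
    if hop == "local-isp":
        return True  # split tunnel: straight to the Internet, PIX not involved
    # Tunneled traffic enters the PIX on 'outside' and, being Internet-bound,
    # would have to leave on 'outside' again, which the PIX refuses by default.
    return pix_forwards("outside", "outside")


if __name__ == "__main__":
    for flag in (True, False):
        print(f"use remote gateway={flag}: mail reachable={mail_reachable(flag)}")
```

Corporate addresses still resolve to the tunnel in both configurations; only the Internet-bound traffic changes path.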
