Re: VPN USERS - Question For Mark Renoden and Phillip Windell
From: Julian Dragut (julianmd_at_groups.com)
Date: 03/11/05
- Next message: A.Klimkin: "Re: logging question (isa format)"
- Previous message: Peter B: "Re: ISA2004 and Symantec Update"
- In reply to: Phillip Windell: "Re: VPN USERS - Question For Mark Renoden and Phillip Windell"
- Next in thread: Phillip Windell: "Re: VPN USERS - Question For Mark Renoden and Phillip Windell"
- Reply: Phillip Windell: "Re: VPN USERS - Question For Mark Renoden and Phillip Windell"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 11 Mar 2005 14:54:40 GMT
"Phillip Windell" <@.> wrote in message
news:Oz9WSakJFHA.1528@TK2MSFTNGP09.phx.gbl...
>
> "Julian Dragut" <julianmd@groups.com> wrote in message
> news:eSbkDaeJFHA.2756@TK2MSFTNGP10.phx.gbl...
> > I know it is not intended to have both interfaces in the same subnet but
> > I've blinded the external if so it would not cause any trouble
>
> That won't work.
However it is working...
>
> > Situation:
> > I have a LAN with 192.168.0.0/24 which is protected by a Cisco PIX
> > Firewall, and the internal interface is 192.168.0.1.
> > I have implemented ISA 2004 for testing inside the network and I have
> > set up a few users with firewall client (with autodiscovery and stuff) so
> > they (test clients) are NAT-ed by the ISA before they reach the PIX.
>
> That won't work. The Firewall and SecureNAT Service require a properly
> functioning and correctly configured External NIC.
And then again it's working.....
>
> > PIX Firewall comes with a VPN Software, and I have set it up for mobile
> > users so they can connect from outside and access resources. By default, PIX
> > Firewall doesn't allow outbound connection through the same interface the
> > inbound connection was initially made; therefore, the mobile clients, once
> > connected, cannot browse the internet (in my case they cannot use our
> > email server, which is hosted outside the company), so I am looking at a
> > way to set ISA up as gateway for them.
>
> That won't work. The VPN Client must use Split-Tunneling in this case and
> they must access the mail server directly from the internet and not by
> looping through your LAN. Split-Tunneling is done by disabling "Use Gateway
> on Remote Network" in the Client's dialup configuration.
>
PIX VPN Clients use a proprietary client app, and there's no such setting, not
to mention that split tunnel is a security risk which I am not willing to
take....
> When you use things the way they were meant to be used they will work
> every time. When you try to make up your own rules and try to "outsmart the
> system" you will have nothing but trouble.
>
Well yeah, you're right, but tell me how many of us would have learned what
we know without testing and pushing the limits over the "defined" barriers?
Thank you very much for your input, I will be looking for a solution
anyways......What I'm afraid of is that if I change the config, the mobile
users will be denied access:
LAN <----> ISA <----> PIX <---------inet----------> PIX <--> EML Server
Thank you,
Julian Dragut
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
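The thread turns on whether a VPN client is full-tunnel (default gateway on the remote network, as Julian wants to keep it) or split-tunnel (default route stays local, as Phillip suggests). An administrator auditing which mode a client actually ended up in can read it off the client's routing table. The following script is an added example, not code from either poster: it parses simplified `route print`-style rows (destination, netmask, gateway, interface IP, metric; the sample rows and the VPN adapter address 10.8.0.5 are constructed for illustration) and reports "full" when the lowest-metric default route leaves via the VPN adapter, "split" when only specific prefixes do, and "none" when nothing is routed through it.

```python
"""Classify a VPN client's routing table as full-tunnel, split-tunnel or no tunnel.

Added example; the route rows and addresses below are constructed, not taken
from the thread.
"""
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "dest mask gateway iface metric")

# Constructed sample 1: default route via the VPN adapter (10.8.0.5) wins on metric,
# so all traffic, including internet traffic, loops through the remote network.
FULL_TUNNEL = """
0.0.0.0        0.0.0.0          10.8.0.1      10.8.0.5       1
0.0.0.0        0.0.0.0          192.168.1.1   192.168.1.20   25
192.168.1.0    255.255.255.0    0.0.0.0       192.168.1.20   281
"""

# Constructed sample 2: only the remote LAN prefix goes through the VPN adapter;
# the default route stays on the local gateway, i.e. split tunneling.
SPLIT_TUNNEL = """
0.0.0.0        0.0.0.0          192.168.1.1   192.168.1.20   25
192.168.0.0    255.255.255.0    10.8.0.1      10.8.0.5       1
192.168.1.0    255.255.255.0    0.0.0.0       192.168.1.20   281
"""


def parse_routes(text):
    """Parse whitespace-separated IPv4 route rows; lines without five fields are skipped."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header or blank line
        dest, mask, gateway, iface, metric = parts
        routes.append(Route(dest, mask, gateway, iface, int(metric)))
    return routes


def classify_tunnel(routes, vpn_iface_ip):
    """Return (mode, prefixes_via_vpn) where mode is 'full', 'split' or 'none'."""
    vpn = ipaddress.ip_address(vpn_iface_ip)
    via_vpn = []
    for r in routes:
        if ipaddress.ip_address(r.iface) == vpn:
            # ip_network accepts a dotted netmask after the slash
            net = ipaddress.ip_network(f"{r.dest}/{r.mask}", strict=False)
            via_vpn.append(str(net))
    if not via_vpn:
        return "none", via_vpn

    defaults = [r for r in routes if r.dest == "0.0.0.0" and r.mask == "0.0.0.0"]
    # The active default route is the one with the lowest metric.
    best = min(defaults, key=lambda r: r.metric) if defaults else None
    if best is not None and ipaddress.ip_address(best.iface) == vpn:
        return "full", via_vpn
    return "split", via_vpn


if __name__ == "__main__":
    for name, table in (("sample 1", FULL_TUNNEL), ("sample 2", SPLIT_TUNNEL)):
        mode, prefixes = classify_tunnel(parse_routes(table), "10.8.0.5")
        print(f"{name}: {mode} tunnel, via VPN: {prefixes}")
```

On a real Windows client the interface column of `route print` is the adapter's IP address, which is why the check keys on the VPN adapter address rather than on an interface name; on other platforms the row format differs and `parse_routes` would need adjusting.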