RE: VPN clients routing to other internal networks
- From: v-edtian@xxxxxxxxxxxxxxxxxxxx (Edward Tian)
- Date: Tue, 08 Nov 2005 03:02:18 GMT
Hi:
Thank you for posting here. Also many thanks for Virgil's inputs.
From the description, I understand that you have configured the ISA 2004 as
a VPN Server. There are several subnets which are connected to the W2k3
Server via a router. You want to give the remote VPN users access to these
subnets. If I have misunderstood your concern, please do let me know.
Based on my experience, if the internal clients are in different subnets, for
example, the W2k3/ISA Server was in the 192.168.0.x subnet, and 192.168.1.x
for subnet A and 192.168.2.x for the internal subnet B, we may need to do
some additional configuration in ISA 2004 MMC. As in ISA 2000 scenario, we
only need to add all the subnets to the LAT.
1. a. Open ISA management console, navigate to
Servername\Configuration\Networks, on the "Networks" pane, double click
Internal.
b. Go to the Addresses tab, remove the existing address range.
2. Add several static routes on the ISA 2004 Server.
Suppose the IP address of the router which is connected to the ISA Server
is 192.168.0.2, we should add the following static route from the command
prompt:
"route add -p 192.168.1.0 mask 255.255.255.0 192.168.0.2 Metric 1" (without
the quotation mark)
"route add -p 192.168.2.0 mask 255.255.255.0 192.168.0.2 Metric 1"
Then add the static routes one by one if you have a couple of subnets.
3. a. Open ISA management console, navigate to
Servername\Configuration\Networks, on the "Networks" pane, double click
Internal.
b. Go to the Addresses tab, Click "Add Adapter", and add the internal NIC
of your ISA Server. Then click Apply.
c. You will find all the internal subnets are included in the network
"Internal".
For your information, I attached the network diagram as follows:
Internet---ISA(192.168.0.1)--(192.168.0.2)Router--(192.168.1.x)subnet A
                                             |____(192.168.2.x)subnet B
                                             |____(192.168.3.x)subnet C
                                             |____(192.168.4.x)subnet D
We call the network behind the router a Network Behind Another
Network (NBAN).
After performing the above steps, we should create an access rule as Virgil
mentioned to allow VPN clients to access the internal subnets. You can
create this access rule as follows:
Rule name: Allow VPN traffic
Rule Action: Allow
Protocols: ALL protocol
Sources: VPN clients
Destination: Internal and Local Host
User Sets: All Users
In addition, we should make sure the default gateway of the VPN client is
pointing to the PPP adapter of the VPN Server. If not, we should add static
route on the VPN client to route the traffic. (Tell the VPN client that for
traffic destined to 192.168.x.x subnets, it should go through the PPP
adapter of the VPN server)
There is an option called "Use default gateway on remote network check
box". If we check this option, the VPN client will use the VPN Server as
its default gateway. You can find the option at:
1). Double-click My Computer, and then click the Network and Dial-up
Connections link.
2). Right-click the VPN connection that you want to change, and then click
Properties.
3). Click the Networking tab, click Internet Protocol (TCP/IP) in the
'Components checked are used by this connection' list, and then click
Properties.
4). Click Advanced, and then you will find the Use default gateway on
remote network check box.
Hope the above information helps. Please feel free to let me know if you
have any questions or concerns.
Have a good day!
Best Regards
Edward Tian(MSFT)
Microsoft CSS Online Newsgroup Support
--------------------
| From: Marcus <wws@xxxxxxxxxxxxxxxx>
| Subject: VPN clients routing to other internal networks
| Date: Mon, 7 Nov 2005 04:06:05 -0800
|
| Hi,
| I am running ISA 2004 on a W2K3 Server and want to use it as a VPN-Server.
| VPN clients can access the directly attached internal network. However I
| have other internal Networks being in another subnet connected with a
| router.
| I want to give the VPN-Users access to these networks too.
| How do I setup ISA to use the internal router to forward all requests
| with a specific IP-Subnet to this router? I tried to add a static route to
| RRAS but it won't work.
|
| Thanks
| br
| Marcus
|
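
A consistency check for steps 2 and 3 of the reply above, added here as an example and not part of the original posts: it parses `route add` lines and reports any routed subnet that the Internal network's address ranges do not cover (the access rule's Destination is Internal), or whose gateway is not on the ISA internal NIC's subnet. The function names, the Internal range, the NIC subnet and the routes beyond the two quoted in the reply are constructed for illustration.

```python
import ipaddress

def parse_route_add(cmd):
    """Return (destination network, gateway) from a Windows 'route add' line."""
    tok = [t for t in cmd.split() if t.lower() != "-p"]
    if len(tok) < 6 or [t.lower() for t in tok[:2] + tok[3:4]] != ["route", "add", "mask"]:
        raise ValueError(f"unsupported route command: {cmd!r}")
    # Strict parsing rejects a destination with host bits set under the mask.
    return ipaddress.ip_network(f"{tok[2]}/{tok[4]}"), ipaddress.ip_address(tok[5])

def audit(route_cmds, internal_ranges, nic_network):
    """Classify each routed subnet against the 'Internal' address ranges."""
    # Address ranges are (first, last) pairs; turn them into merged CIDR blocks.
    blocks = list(ipaddress.collapse_addresses(
        n for lo, hi in internal_ranges
        for n in ipaddress.summarize_address_range(
            ipaddress.ip_address(lo), ipaddress.ip_address(hi))))
    nic = ipaddress.ip_network(nic_network)
    report = {}
    for cmd in route_cmds:
        net, gw = parse_route_add(cmd)
        if gw not in nic:
            # The next hop must sit on the subnet attached to the internal NIC.
            report[str(net)] = "gateway-not-on-link"
        elif any(net.subnet_of(b) for b in blocks):
            report[str(net)] = "ok"
        else:
            # Routed, but outside Internal: the VPN access rule will not match it.
            report[str(net)] = "missing-from-internal"
    return report

# Constructed sample input: the first two routes are the ones quoted in the reply,
# the rest follow its diagram or are deliberately wrong.
NIC = "192.168.0.0/24"
INTERNAL = [("192.168.0.0", "192.168.3.255")]   # stale: predates subnet D
ROUTES = [
    "route add -p 192.168.1.0 mask 255.255.255.0 192.168.0.2 Metric 1",
    "route add -p 192.168.2.0 mask 255.255.255.0 192.168.0.2 Metric 1",
    "route add -p 192.168.3.0 mask 255.255.255.0 192.168.0.2 Metric 1",
    "route add -p 192.168.4.0 mask 255.255.255.0 192.168.0.2 Metric 1",
    "route add -p 192.168.5.0 mask 255.255.255.0 192.168.1.2 Metric 1",
]

if __name__ == "__main__":
    for subnet, status in audit(ROUTES, INTERNAL, NIC).items():
        print(f"{subnet:18} {status}")
```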