Re: VPN clients routing to other internal networks
- From: "Newbievn" <khoa.le@xxxxxxxxxxxxxxxx>
- Date: Wed, 9 Nov 2005 14:25:13 +0700
Hi,
One more question: the VPN client is pointing to the PPP adapter of the VPN
server as default, right? And the option "Use default gateway on remote
network..." must be checked, right? If this option is unchecked, then we have
to add a static route?
Thanks,
"Edward Tian" <v-edtian@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:1MKeWDB5FHA.1172@xxxxxxxxxxxxxxxxxxxxxxxx
> Hi:
> Thank you for posting here. Also many thanks for Virgil's inputs.
>
> From the description, I understand that you have configured the ISA 2004 as
> a VPN Server. There are several subnets which are connected to the W2k3
> Server via a router. You want to give the remote VPN users access to these
> subnets. If I have misunderstood your concern, please do let me know.
>
> Based on my experience, if the internal clients are in different subnets, for
> example, the W2k3/ISA Server was in the 192.168.0.x subnet, and 192.168.1.x
> for subnet A and 192.168.2.x for the internal subnet B, we may need to do
> some additional configuration in ISA 2004 MMC. As in ISA 2000 scenario, we
> only need to add all the subnets to the LAT.
>
> 1. a. Open ISA management console, navigate to
> Servername\Configuration\Networks, on the "Networks" pane, double click
> Internal.
> b. Go to the Addresses tab, remove the existing address range.
>
> 2. Add several static routes on the ISA 2004 Server.
> Suppose the IP address of the router which is connected to the ISA Server
> is 192.168.0.2, we should add the following static route from the command
> prompt:
> "route add -p 192.168.1.0 mask 255.255.255.0 192.168.0.2 Metric 1"
> (without the quotation mark)
> "route add -p 192.168.2.0 mask 255.255.255.0 192.168.0.2 Metric 1"
>
> Then add the static routes one by one if you have a couple of subnets.
>
> 3. a. Open ISA management console, navigate to
> Servername\Configuration\Networks, on the "Networks" pane, double click
> Internal.
> b. Go to the Addresses tab, Click "Add Adapter", and add the internal NIC
> of your ISA Server. Then click Apply.
> c. You will find all the internal subnets are included in the network
> "Internal".
>
> For your information, I attached the network diagram as following:
> Internet---ISA(192.168.0.1)--(192.168.0.2)Router--(192.168.1.x)subnet A
>                                              |____(192.168.2.x)subnet B
>                                              |____(192.168.3.x)subnet C
>                                              |____(192.168.4.x)subnet D
>
> We call the network behind the router as Network Behind Another Network
> (NBAN).
>
> After performing the above steps, we should create an access rule as Virgil
> mentioned to allow VPN clients to access the internal subnets. You can
> create this access rule as following:
>
> Rule name: Allow VPN traffic
> Rule Action: Allow
> Protocols: ALL protocol
> Sources: VPN clients
> Destination: Internal and Local Host
> User Sets: All Users
>
> In addition, we should make sure the default gateway of the VPN client is
> pointing to the PPP adapter of the VPN Server. If not, we should add a static
> route on the VPN client to route the traffic. (Tell the VPN client that for
> traffic destined to 192.168.x.x subnets, it should go through the PPP
> adapter of the VPN server)
>
> There is an option called "Use default gateway on remote network check
> box", if we check this option, the VPN client will use the VPN Server as
> its default gateway, you can find the option at:
>
> 1). Double-click My Computer, and then click the Network and Dial-up
> Connections link.
> 2). Right-click the VPN connection that you want to change, and then click
> Properties.
> 3). Click the Networking tab, click Internet Protocol (TCP/IP) in the
> 'Components checked are used by this connection' list, and then click
> Properties.
> 4). Click Advanced, and then you will find the Use default gateway on
> remote network check box.
>
> Hope the above information helps. Please feel free to let me know if you
> have any questions or concerns.
>
> Have a good day!
>
> Best Regards
> Edward Tian(MSFT)
> Microsoft CSS Online Newsgroup Support
>
> --------------------
> | From: Marcus <wws@xxxxxxxxxxxxxxxx>
> | Subject: VPN clients routing to other internal networks
> | Date: Mon, 7 Nov 2005 04:06:05 -0800
> |
> | Hi,
> | I am running ISA 2004 on a W2K3 Server and want to use it as a VPN-Server.
> | VPN clients can access the directly attached internal network. However I
> | have other internal Networks being in another subnet connected with a router.
> | I want to give the VPN-Users access to these networks too.
> | How do I setup ISA to use the internal router to forward all requests with a
> | specific IP-Subnet to this router? I tried to add a static route to RRAS but
> | it won't work.
> |
> | Thanks
> | br
> | Marcus
> |
>
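
The client-side routing question in this thread, modelled as an added example (not code from either poster): it builds a simplified VPN-client route table for both states of "Use default gateway on remote network", shows which of the diagram's subnets would leave outside the tunnel, and renders the matching `route add` lines. Assumptions: the PPP address 192.168.0.50 and the client's home LAN 10.0.0.0/24 are constructed, and with the option cleared the client is assumed to route only the classful network of its PPP address into the tunnel.

```python
import ipaddress

# Constructed sample value (not from the thread): address assigned to the
# client's PPP adapter by the VPN server, used as the tunnel gateway.
PPP_ADDR = "192.168.0.50"
# Subnets from the thread's network diagram.
INTERNAL = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
            "192.168.3.0/24", "192.168.4.0/24"]

def client_routes(use_remote_gateway, static=()):
    """Build a simplified client route table as (network, interface, metric)."""
    routes = [(ipaddress.ip_network("0.0.0.0/0"), "LAN", 20),
              (ipaddress.ip_network("10.0.0.0/24"), "LAN", 20)]
    if use_remote_gateway:
        # Option checked: a lower-metric default route points at the tunnel.
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "PPP", 1))
    else:
        # Option cleared (assumption): only the classful network of the PPP
        # address, a /24 for a 192.x address, is routed into the tunnel.
        classful = ipaddress.ip_network(PPP_ADDR + "/24", strict=False)
        routes.append((classful, "PPP", 1))
    routes += [(ipaddress.ip_network(n), "PPP", 1) for n in static]
    return routes

def egress(routes, dest):
    """Pick the interface by longest-prefix match, then lowest metric."""
    ip = ipaddress.ip_address(dest)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def missing_routes(routes):
    """Internal subnets whose traffic would leave via the LAN, not the tunnel."""
    return [n for n in INTERNAL
            if egress(routes, str(ipaddress.ip_network(n)[1])) != "PPP"]

def route_commands(subnets):
    """Render client-side static routes in the syntax used in the thread."""
    return ["route add {} mask {} {}".format(
        ipaddress.ip_network(n).network_address,
        ipaddress.ip_network(n).netmask, PPP_ADDR) for n in subnets]

if __name__ == "__main__":
    split = client_routes(use_remote_gateway=False)
    for cmd in route_commands(missing_routes(split)):
        print(cmd)
    print("Internet egress, option checked:",
          egress(client_routes(True), "203.0.113.10"))
```

With the option checked, Internet-bound traffic also egresses through the tunnel; with it cleared, the client keeps its own Internet path while connected, so only the listed subnets traverse ISA's access rule.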