wattsamp

wireless DMZ and isa server 2004

I'm trying to create a wireless DMZ with ISA Server 2004. I'm confused on a few things, such as how the VPN clients are routed and also how I set up the interface on the ISA server for the wireless DMZ. First off, can someone please explain how VPN clients are routed? I will be using an internal network ID of 192.168.100.X, the wireless network will have 192.168.54.X, and the VPN clients will get an IP from the 10.0.0.1 range. The 192.168.54.X will be listening for VPN requests; after ISA assigns them an address from 10.0.0.1, what then, do I simply tell the ISA server to allow communication between the DMZ network and the internal LAN? Also, for the network interface on the ISA server, how should it be set up? I know to give it an IP address and subnet mask from the 192.168.54.X network, but what do I use for a default gateway?
adamdrayer

Are these VPN clients attaching over the internet? If so, then you must be using a device that performs NATing (Network Address Translation). In order to properly route a VPN network, you will need to describe the hardware that is doing this. Secondly, you are dynamically assigning VPN clients with a 10.0.0.x range from the ISA server?

>>what than do I simple tell the isa server to allow communication between the dmz
>>network and the internal lan.

No way. If you open up communications between your DeMilitarized Zone and your Internal LAN, then your LAN is basically DeMilitarized.


What are you planning on doing with VPN? Are you gonna have them log into a domain on the LAN? What is the purpose of the DMZ?
wattsamp
ASKER

Thanks for the reply, Adam. I have ISA 2004 set up behind a SonicWALL. After further research I think that I'm supposed to route VPN traffic into the LAN. If I were to allow the DMZ to touch the LAN it would defeat the purpose of the entire setup. So let's say for example that I have an internal LAN on network 192.168.15, a DMZ for wireless use on 192.18.24, and my VPN clients would receive 10.0.0.1 and above. I would then take the 10.0.0.1 and route that address into the LAN. I'm no routing expert, so don't laugh too hard. Now let me ask you about interface setup; of course I'm talking about the 3 NICs I've installed in the ISA box. I configured the NIC for the LAN side without a default gateway. The NIC for the WAN side has the IP address of the SonicWALL as its gateway. Now my question is: what IP address should I give the NIC that will be used for the DMZ interface?
OK, DMZs usually refer to the computers that exist between your firewall and your internet connection. This means that they have little or no protection from the internet. If internet traffic has to travel through your ISA to get to your "dmz", then it's technically not a DMZ, unless you configure ISA to pass everything through.

Most networks are setup like this:

INTERNET ------------ Router(Border) -------- DMZ -------- Firewall/ISA -------- LAN

In this scenario, the ISA computer does not need 3 network cards.  Only 2.  Get that?



You describe your network like such:

                                  --------------- Wireless Network (DMZ)
                                /
INTERNET ----------- Sonicwall --------- ISA Server
                                \
                                  --------------- LAN


If that is correct, then only the NIC that attaches to WAN should have a gateway.

About the 10.x.x.x scope:
Are the VPN clients going to be logging on to a Windows domain? What computer is configured to issue them IP addresses? The ISA server? Why are you issuing the VPN clients this addressing scheme?

What VPN client software or devices are they going to be using? Are you going to set up the VPN at the ISA server or at the Sonicwall?


Sorry for all the questions




In your first diagram the ISA system only needs the two NICs because one NIC is connected to the LAN side and the other to the DMZ side. The second network you diagrammed is exactly what I'm working with. Why should the NIC that only attaches to the LAN have a gateway? I assumed that more than one gateway would be needed. After the Windows clients establish a VPN session they will be logging into the domain. I plan on having them check the "log on using dial-up connection" option; this should allow them to log in and have the same functionality as wired clients. The ISA server will be giving out the IP addresses. I will be using the built-in Windows VPN software, and yes, I'll be using the ISA server to establish all VPN connections. You stated that the first diagram is really a DMZ, so what should I call the second diagram? Also, will I still need to set up the routing? I'm assuming so.
>>Why should the nic that only attaches to the lan have a gateway?
It shouldn't. The WAN one should. The ISA server should have explicit routes to the LAN and wireless networks and not need a gateway. The computer sends packets to the "gateway" if it doesn't know where else to send them. Your ISA server will know how to communicate with both the LAN and wireless network. All other communications should be sent to the Sonicwall.

Try and read this through before we begin with the routing:
http://www.isaserver.org/tutorials/Configuring_ISA_Server_For_Inbound_VPN_Calls.html
I see that the NIC attached to the LAN should only have a gateway. I got confused with routing because I read some stuff that said if I give out 10.X.X.X addresses to VPN clients that are connecting to an internal address of, let's say, 192.168.94.1, then I would have to set up routing via the route table on the ISA Server 2004 box. I pasted this from the article because it says everything that I'm trying to say. He states that if a VPN client connects and gets address 192.168.1.54 and the ISA server interface is 192.168.1.1, the VPN client will be able to access all hosts on network ID 192.168.1.0. Then he says if I have another network such as 192.168.10.0, I would have to configure routing for the VPN client to access resources on that network. Why do I not have to configure routing in my situation, because I'm giving out 10.x.x.x that will go to a LAN address of 192.168.x.x? So in my setup, does ISA simply build explicit routes to all interfaces that are in the box?

==========================
Routed Remote Networks
==========================
Things get a little more sticky when you have multiple internal network IDs on the internal network to which the VPN client connects.

For example, suppose the VPN client connects to the VPN server and is assigned the address 192.168.1.54. The IP address of the internal interface of the ISA Server is 192.168.1.1/24. The VPN client will be able to access all hosts on network ID 192.168.1.0/24 because it has a routing table entry that says to send all packets for that network ID to the VPN gateway interface. However, if you have another network, such as 192.168.10.0/24 on the internal network, the VPN client does not have a routing table entry to support that network, and will send the request to its default gateway, which is now the ISP's gateway. The request will fail because the ISP's gateway will drop the request for a private network ID.

To solve this problem, you can create routing table entries on the VPN clients to use the VPN gateway address for network IDs on the remote network. This gets a little problematic since the VPN gateway is assigned via DHCP, so it's likely to change over time. A better solution is to configure the VPN client to be a RIP listener. When you install the RIP listener on the VPN client, it will be able to get routing table entries from the VPN server as long as the server is configured as a RIP router.
I went back over that article a second time and I think I'm starting to see your point. Sorry, I read over it too fast the first time. According to what I've pasted below, the only time I should have to worry about routing is when my clients need access to resources that are on an entirely different network ID than the internal interface of the ISA card. It seems that the fact I gave VPN clients an IP of 10.X.X.X would not even matter at all.

Client Config
Adam, now let me ask you about client config for the clients on the wireless network. The clients will receive an IP address from the 192.168.80 network and a subnet mask of 255.255.255.0. Now what gateway should I configure on the client end, or do I need a gateway? The DNS servers will be left empty since I have none out there.

Wireless Ap Config
On the AP I will give it an address in the 192.168.80 network and a subnet mask of 255.255.255.0, but again, what gateway will I use? This whole thing with gateways is confusing to me; how can I tell when I need one? Also, does it make any difference what wireless protocols I use on the AP? I can use WEP, WPA pre-shared key and RADIUS. I'm thinking that I'll have to use WEP; it seems that WEP is constantly on. What I mean by constantly on is that if a wireless client is set up for WEP I can log the computer out and still ping it, but if I use WPA pre-shared key and I try to ping the computer it is dead. I'm assuming that I'll need some type of connection that's constant, since I want them to authenticate to the VPN before they log in.




By the way, I will be adding more points on to this question since I'm asking more detailed questions on client configuration and access point config.

Routing Table On The ISA Server
==========================

If you wish the VPN clients to be able to connect to servers that are not on the same network ID as the internal interface of the ISA Server, then you must configure a routing table on the ISA Server. There should be a route for all network IDs on your internal network. You can configure this manually, using the ROUTE ADD command from the command prompt, or you can use a simple routing protocol such as the Routing Information Protocol (RIP). You can even use OSPF if you enjoy that kind of punishment. As you'll see later, using RIP can solve some problems with client gateway addressing.
>>I see that the nic attacthed the lan should only have a gateway.
Again, this is not correct. Only the NIC attached to the WAN should be configured with the gateway.

First thing you should do is setup explicit routes on your ISA server.  That computer will need to know which nic to send information out based on the destination IP address.

You'll have to add things like this:
ROUTE -P ADD 192.168.1.0 MASK 255.255.255.0 192.168.1.1
ROUTE -P ADD 192.168.54.0 MASK 255.255.255.0 192.168.54.1

Now these aren't exact. What it's doing is telling the ISA server to use the 192.168.1.1 NIC for anything on the 192.168.1.x network, etc... You may have to change these depending on the schemes that you use and the particular IP addresses of the NICs in your ISA box.

Also, do you know the internal IP address of the Sonicwall?

Once all this is done, you should have total connectivity between all of your devices.  Then we can start talking about VPN, but I'll need to know on which network your domain controllers are, what operating system they will be running, if you are running WINS, etc...
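To make the gateway question concrete, the following is an added worked example (not code from this thread or from the isaserver.org article). It simulates the longest-prefix-match lookup an IP stack performs for every packet, first for the three-NIC ISA box described above and then for the VPN client in the article's "Routed Remote Networks" excerpt. The network IDs are the ones named in the thread (192.168.100.0/24 LAN, 192.168.54.0/24 wireless, 10.0.0.x VPN pool, 192.168.1.0/24 and 192.168.10.0/24 from the article, 192.168.47.1 as the Sonicwall inside address); the NIC addresses, the /24 masks and the ISP gateway 203.0.113.1 are assumptions made up for the example. It also renders the Windows ROUTE -P ADD line for a prefix, so you can see exactly which explicit route stops a destination from falling through to the default gateway.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for the three-NIC ISA box in this thread.
# Network IDs are the ones wattsamp named; the NIC addresses, the /24 masks
# and the Sonicwall inside address (192.168.47.1, the example value given
# later in the thread) are assumptions.  next_hop None = directly connected.
ISA_ROUTES = [
    ("192.168.100.0/24", None, "LAN NIC 192.168.100.1"),
    ("192.168.54.0/24", None, "wireless NIC 192.168.54.1"),
    ("10.0.0.0/24", None, "VPN (RRAS) interface"),
    ("0.0.0.0/0", "192.168.47.1", "WAN NIC"),  # the only gateway on the box
]

# Constructed VPN client table from the isaserver.org excerpt: the tunnel
# gives the client 192.168.1.54 and an on-link route for 192.168.1.0/24 only;
# the client's own default gateway is its ISP (203.0.113.1 is a made-up value).
VPN_CLIENT_ROUTES = [
    ("192.168.1.0/24", None, "VPN tunnel"),
    ("0.0.0.0/0", "203.0.113.1", "ISP default gateway"),
]


def lookup(routes, dst):
    """Longest-prefix match, the decision every IP stack makes per packet.

    Returns a dict describing the chosen route, or None if nothing matches
    (impossible while a 0.0.0.0/0 default route is present).
    """
    addr = ip_address(dst)
    best = None
    for net, next_hop, iface in routes:
        network = ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, next_hop, iface)
    if best is None:
        return None
    network, next_hop, iface = best
    return {
        "network": str(network),
        "next_hop": next_hop,
        "interface": iface,
        # True when the packet fell through to the default route, i.e. the
        # host had no explicit knowledge of the destination.
        "used_default": network.prefixlen == 0,
    }


def with_route(routes, net, next_hop, iface):
    """Return a copy of the table with one more explicit route added."""
    return routes + [(net, next_hop, iface)]


def route_add_command(net, next_hop):
    """Render the Windows persistent-route command for a prefix."""
    network = ip_network(net)
    return f"ROUTE -P ADD {network.network_address} MASK {network.netmask} {next_hop}"


if __name__ == "__main__":
    # The ISA box: LAN, wireless and VPN destinations are matched by explicit
    # routes; only an unknown destination uses the one gateway, the Sonicwall.
    for dst in ("192.168.100.10", "192.168.54.20", "10.0.0.7", "198.51.100.9"):
        print(dst, "->", lookup(ISA_ROUTES, dst))
    # The article's problem: 192.168.10.0/24 is behind the tunnel, but the
    # client has no route for it, so the packet goes to the ISP and is dropped.
    print(lookup(VPN_CLIENT_ROUTES, "192.168.10.5"))
    fixed = with_route(VPN_CLIENT_ROUTES, "192.168.10.0/24", "192.168.1.1", "VPN tunnel")
    print(lookup(fixed, "192.168.10.5"))
    print(route_add_command("192.168.10.0/24", "192.168.1.1"))
```

The `used_default` flag is the practical test for "do I need a gateway here": a host needs one only for destinations that no explicit or directly connected route covers. On the ISA box every internal network is directly connected, so only the WAN NIC carries a gateway, while the VPN client needs either a static route (the ROUTE -P ADD line printed last) or RIP to learn about 192.168.10.0/24.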
I'm using the SonicWALL's internal IP address as the default gateway for the WAN; let's say for example that it is 192.168.47.1. All of my servers are Windows 2003 Standard and Enterprise. All client systems are Windows XP Professional Service Pack 1, soon to be Service Pack 2. I run Active Directory native mode along with WINS, DHCP and internal AD-integrated DNS. Why am I having to add these routes? I thought the only time I had to add routes was if my VPN clients needed access to another network that's different from the network of the internal NIC on the ISA box. I'm just trying to get a clear understanding of when I need to use routing.
ASKER CERTIFIED SOLUTION
adamdrayer