Avatar of Jason Yu
Jason YuFlag for United States of America asked on

VPN connect can't get the IP in the same subnet like internal network with 192.168.1.x

I set up a ISA 2006 firewall and created a VPN connection set up for testing. In the first step of "configure address assignemnt method"; in the first tag-"Access Networks' I chose "External"; in the second tag "Address Assignment", when i chose DNCP, i couldn't get VPN dial up connection successfully, so i decided to use "Static Address pool";when i tried to add IP address range, if i define start and end address under 192.168.1.X subnet, it says Networks cannot contain IP addresses that overlap with another network. I couldn not apply the change.

If i use another subnet like 192.168.2.X, i would successfully apply the change, however, after my client dialled up using VPN, it can only get IP address in the subnet of 192.168.2.X. How can i set up my client to use the same subnet as internal subnet.

Tne even worse  issue is, after i tried many time, i restart the ISA services, however, all my old firewall polies were lost except the VPN one. Did anybody meet this stange phenomenon? My boss asked me to get the result before i deploy it on production environment.

Any guru here is willing to help me with this? I will appreciate your any instructions.

Thank you very much.
printscreen.jpg
Software FirewallsMicrosoft Forefront ISA Server

Avatar of undefined
Last Comment
Voltz-dk

8/22/2022 - Mon
Voltz-dk

You can only use DHCP if there is a DHCP server reachable by the ISA.

For static, you can't as such set it up to use the internal addresses (as defined on the ISA).  But you CAN reserve some of the actual internal addresses to use by VPN, provided you first remove them on the ISA internal network object.  Remember to reserve 1 addy more than needed, for the ISAs VPN interface.

As for the lost configuration, I've never seen that..
ASKER
Jason Yu

What do you mean by "You can only use DHCP if there is a DHCP server reachable by the ISA."?

I have a DHCP server on the domain controller, my ISA server is also located at the same domain, does this mean reachable.

I took your advise and remove 192.168.1.250 - 192.168.1.254 from the internal subnet, and I can successfully add these addresses in "Static Address pool" it works wonderfully.

BTW, after my client workstation dialed in and get the VPN connection, I can't surf online anymore, but if i cut the vpn connection, it works. Is there any gateway settings on vpn that i can get vpn connection and surf online at the same time/

Thank you.
ASKER CERTIFIED SOLUTION
Voltz-dk

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes