Solved

ISA 2006 & DHCP VPN Setup

Posted on 2009-07-09
595 Views
Last Modified: 2012-05-07
I've set up an ISA 2006 server, which has VPN clients connecting successfully and being assigned IPs by a DHCP server.

They receive the correct IP address, and correct DNS servers, however their default gateway is always set to their own IP, and not the gateway configured on the DHCP server.

As a result these machines are not able to connect to other VLANs.

If a machine obtains an IP address off the DHCP server directly then it receives all the correct IP information, so I assume it's something the ISA server is doing.

I've had a read around but can't seem to find anything that might point me in the right direction.

Thanks
Paul
Question by: pmason08

4 Comments
Expert Comment

by: pwindell (LVL 29)
"They receive the correct IP address, and correct DNS servers, however their default gateway is always set to their own IP, and not the gateway configured on the DHCP server."
That is what it is supposed to do.

"As a result these machines are not able to connect to other VLANs."
They are not supposed to be able to.  That is a security design in the technology of VPN (no matter what brand/vendor it comes from).  It is designed to protect the network receiving the connection by limiting the scope of what other networks the VPN Client may be joined to at the same time.
If you want the system to drop its pants security wise then you need to override this with what is sometimes called Split-Tunneling.  To do this with a Windows DUN based VPN Client, find the setting that says "Use Gateway on Remote Network" and disable it.  However this will cause a reversal of the behavior, meaning that on the Remote Network side of things, the VPN Client will only be able to communicate with the subnet that they directly VPN'ed into.  This would be the subnet that matches the IP they received when they connected.  They will not be able to connect to any other subnets "further out" on the remote side.  This could also violate security policy set by the company that owns the remote system and they can revoke your access if they find out.  But if it is your own company then I guess you don't have to worry about that.
Author Comment

by: pmason08
I see what you're saying; the issue I have is the network was set up with a rather silly amount of VLANs for each department, and as a result the VPN users need to be able to access servers in different VLANs.

Assuming I didn't change the gateway settings, what would be the recommended way to gain access to these servers?

Accepted Solution

by: pwindell (LVL 29), earned 500 total points
I didn't suggest any gateway changes.  The change I suggested is simply a "toggle" in the DUN settings.  It is your only option beyond setting really ugly Static Routes on each and every affected Client that points to the LAN Router to get to the other subnets.
Expert Comment

by: pure_satis_faction (LVL 1)
If I understand you right, you should not need to disable the "Use Gateway on Remote Network" setting.

Instead, add static routes on your ISA Server (in the Routing and Remote Access console, not ISA) to make sure the ISA server has routes to all of your different VLANs.

The next step depends on how your VLAN IP subnets are set up.

If all of your VLANs are subnetted under one IP range, and your "supernet" is set up as your internal network, just make sure you have a policy rule that allows all outbound protocols from the VPN Clients network to the Internal network.

If not, then you need to create a Network in ISA for each of your VLANs' IP ranges, and then add a network access rule to allow VPN Clients to route to those networks, and also add a policy rule allowing all outbound protocols (or selected protocols if you wish) from VPN Clients to those networks.

Then you shouldn't have any problems. The thing to realise is that even though it has the IP address of the PC as the default gateway, it really is the ISA server that is your default gateway.

If you need detailed instructions on configuring ISA for those, let me know.
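The procedure in the last answer has two branches (VLANs inside the Internal range vs. VLANs that need their own ISA Network objects), and in both cases the RRAS server needs a static route per VLAN. The helper below is an added example, not code from the thread or from ISA/RRAS: it sorts constructed sample VLANs into those two cases and emits the persistent route commands for the server. The Internal range, VLAN subnets and LAN router address are assumed sample values.

```python
# Added planning helper for the VPN-Clients-to-VLANs procedure above.
# Not part of the original thread, ISA 2006 or RRAS; all addresses are
# constructed sample values.
from ipaddress import ip_network


def plan_vpn_access(internal_net, vlan_subnets, lan_router):
    """Return (covered, uncovered, route_cmds).

    covered    - VLAN subnets already inside the ISA Internal network;
                 one VPN Clients -> Internal access rule covers them.
    uncovered  - VLAN subnets outside it; each needs its own ISA Network
                 object plus a network rule and an access rule.
    route_cmds - Windows 'route -p add' commands for the RRAS server so
                 it can reach every VLAN via the LAN router (constructed).
    """
    internal = ip_network(internal_net)
    covered, uncovered, cmds = [], [], []
    for subnet in vlan_subnets:
        net = ip_network(subnet)
        # A VLAN that only partly overlaps the Internal range cannot be
        # expressed by either branch of the procedure; flag it instead.
        if net.overlaps(internal) and not net.subnet_of(internal):
            raise ValueError(f"{net} straddles the Internal range {internal}")
        (covered if net.subnet_of(internal) else uncovered).append(str(net))
        # RRAS needs a route to the VLAN whichever ISA branch applies.
        cmds.append(
            f"route -p add {net.network_address} mask {net.netmask} {lan_router}"
        )
    return covered, uncovered, cmds


if __name__ == "__main__":
    cov, unc, cmds = plan_vpn_access(
        "10.0.0.0/16",                                        # ISA Internal network
        ["10.0.10.0/24", "10.0.20.0/24", "192.168.50.0/24"],  # department VLANs
        "10.0.0.1",                                           # LAN router address
    )
    print("one VPN Clients -> Internal rule covers:", cov)
    print("need their own ISA Network + rules:", unc)
    print("\n".join(cmds))
```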