• Status: Solved

ISA 2006 VPN clients on the same subnet as corp LAN

I am using ISA 2006 on Win2k3 Standard. I have VPN rules set up and they seem to work fine. The corporate network is on 192.168.1.x and I am finding that when the VPN clients are on the same subnet they can connect but they can't access internal resources. If they are on anything other than 192.168.1.x they are fine. I have tried to configure ISA to use our DHCP server and DNS servers as well, but no joy. When the client connects it shows all the correct settings for DNS suffix, IP address, default gateway and DNS servers. I know this may be caused by IP spoofing on the ISA server, but how do you get around this?
Asked by: clynch302
1 Solution
 
clynch302 (Author) commented:
Nobody is answering the other post.

Keith Alabaster commented:
Bear in mind that we have hundreds of questions to catch up on after Christmas/new year etc. We also have a day job.....

pwindell commented:
I have a day job,...then a night job,...then this site,...then www.isaserver.org,...then the public newsgroups. No wonder I get grouchy in some of my posts :-)

pwindell commented:
The corporate network is on a 192.168.1.x and I am finding that when the vpn clients are on the same subnet they can connect but they cant access internal resources.

That is the nail in the coffin. You just can't do that. That is basic "Networking 101" simple stuff,...you cannot have two networks interact with each other when they are running the same IP segment.

You (along with everyone else) should never ever ever ever ever ever ever run a business network with the heavily overused low numbers on the 192.168 RFC Private range.

192.168.0.x and 192.168.1.x are the defaults for every single "home user" NAT box that you buy off the store shelves,...leave those address ranges to the "home users". Run business networks on something like 192.168.10.x or higher.

So you are pretty much screwed (and will be repeatedly screwed in the future) if you do not re-address your LAN with a different range. In your current situation someone is going to have to re-address their LAN,...typically it will be whoever has the smallest, simplest LAN.

clynch302 (Author) commented:
We are planning to go to a 172 range. I understand Network 101. Sometimes we inherit these problems and have to do the best with what we can.

pwindell commented:
Ok.  No problem,...I do understand the "inheriting" thing.

You can keep 192.168,...just go higher in the third octet.

If you go with 172, then get in the middle somewhere between 16 and 31 in the second octet (like maybe 172.21.x.x).

Also do not go lower than /24 bits on the mask,...do not make subnets bigger than 254 hosts. If there are too many hosts for that, then add a new subnet and again,...no more than a 254-host segment with it either. Two subnets like that will give you over 500 hosts.


clynch302 (Author) commented:
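The two points pwindell makes above (a VPN client sitting on a LAN that uses the same range as the corporate LAN has no way to tell "local" from "remote", and the cure is to renumber onto a less-common RFC 1918 range in /24-sized segments) can be checked mechanically before a renumbering project starts. The script below is an added example and is not from the thread or from ISA Server; the address ranges in it are constructed for illustration, and the "default home-router ranges" list is an assumption drawn from the advice in the post, not an authoritative registry.

```python
import ipaddress
import math

# Constructed sample values (assumptions for this example, not from the thread).
CORP_LAN = "192.168.1.0/24"          # the asker's corporate LAN
CLIENT_HOME_LAN = "192.168.1.0/24"   # a VPN user's home LAN that collides with it

# Ranges the post says to leave to home users; an assumption based on the advice,
# not a formal registry of what consumer NAT boxes ship with.
HOME_DEFAULT_RANGES = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
]

MAX_HOSTS_PER_SEGMENT = 254  # a /24 minus network and broadcast addresses


def overlaps(a, b):
    """True if two networks share at least one address."""
    return ipaddress.ip_network(a, strict=False).overlaps(
        ipaddress.ip_network(b, strict=False))


def classify_destination(client_lan, tunnel_net, dest):
    """Model the client's routing decision for one destination.

    A destination that matches only the local LAN goes out the local NIC and
    is never tunnelled; one that matches only the tunnelled range goes via
    the VPN; one that matches both is ambiguous, which is the failure the
    asker sees: "connected" but internal resources are unreachable.
    """
    ip = ipaddress.ip_address(dest)
    local = ip in ipaddress.ip_network(client_lan, strict=False)
    remote = ip in ipaddress.ip_network(tunnel_net, strict=False)
    if local and remote:
        return "ambiguous"
    if remote:
        return "tunnel"
    if local:
        return "local"
    return "default-route"


def assess_range(candidate):
    """Apply the thread's renumbering advice; return a list of findings
    (an empty list means the range passes every check)."""
    net = ipaddress.ip_network(candidate, strict=False)
    findings = []
    if not net.is_private:
        findings.append("not in RFC 1918 private space")
    if any(net.overlaps(h) for h in HOME_DEFAULT_RANGES):
        findings.append("collides with default home-router ranges 192.168.0.x/192.168.1.x")
    if net.prefixlen < 24:
        findings.append(
            f"/{net.prefixlen} is larger than a /24; keep segments to "
            f"{MAX_HOSTS_PER_SEGMENT} hosts and add subnets instead")
    return findings


def subnets_needed(total_hosts):
    """How many /24 segments the post's 254-host rule requires."""
    return math.ceil(total_hosts / MAX_HOSTS_PER_SEGMENT)


if __name__ == "__main__":
    print("LAN/VPN-client overlap:", overlaps(CORP_LAN, CLIENT_HOME_LAN))
    for dest in ("192.168.1.10",):
        print(dest, "->", classify_destination(CLIENT_HOME_LAN, CORP_LAN, dest))
    for cand in ("192.168.1.0/24", "172.21.0.0/16", "172.21.10.0/24"):
        print(cand, assess_range(cand) or "OK")
    print("Segments for 500 hosts:", subnets_needed(500))
```

Run it as-is to see the current plan fail (`ambiguous`) and the proposed 172.21.x.x/24 plan pass; swap the constants for your own LAN and the VPN client address pool to check a real renumbering before touching ISA.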
Thanks for the advice.