clynch302
asked on
ISA 2006 VPN clients on the same subnet as corp LAN
I am using ISA 2006 on Win2k3 Standard. I have VPN rules set up and they seem to work fine. The corporate network is on 192.168.1.x and I am finding that when the VPN clients are on the same subnet they can connect but they can't access internal resources. If they are on anything other than 192.168.1.x they are fine. I have tried to configure ISA to use our DHCP server and DNS servers as well but no joy. When the client connects it shows all the correct settings for DNS suffix, IP address, default gateway and DNS servers. I know this may be caused by IP spoofing on the ISA server but how do you get around this?
Bear in mind that we have hundreds of questions to catch up on after Christmas/New Year, etc. We also have a day job.....
I have a day job,...then a night job,...then this Site,....then www.isaserver.org,...then the Public News groups. No wonder I get grouchy in some of my posts :-)
The corporate network is on 192.168.1.x and I am finding that when the VPN clients are on the same subnet they can connect but they can't access internal resources.
That is the nail in the coffin. You just can't do that. That is basic "Networking 101" simple stuff,...you cannot have two networks interact together when they are running the same IP# segment.
You (along with everyone else) should never ever ever ever ever ever ever run a business network with the heavily overused low numbers on the 192.168 RFC Private range.
192.168.0.x and 192.168.1.x is the default for every single "home user" NAT Box that you buy off the store shelves,...leave those address ranges to the "Home Users". Run business networks on something like 192.168.10.x or higher.
So you are pretty much screwed (and will be repeatedly screwed in the future) if you do not re-address your LAN with a different Range. In your current situation someone is going to have to re-address their LAN,...typically it will be whoever has the smallest simplest LAN.
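The routing behaviour behind the answer above, as an added example that is not part of the original thread and not anyone's code from it. It uses only the Python standard library. The subnets, the 172.20.0.0/16 target range, the interface names and the route metrics are constructed assumptions standing in for the asker's environment; the point they show is the one the answer makes: a VPN client whose home LAN is also 192.168.1.0/24 has a more specific on-link route for that subnet than the default route the VPN adds, so traffic for 192.168.1.x never enters the tunnel, and no ISA-side DHCP or DNS setting changes that.

```python
"""Model of the overlapping-subnet VPN problem from the thread.

Added example, not code from the original page. All addresses, names and
metrics below are constructed assumptions.
"""
import ipaddress
from typing import List, Optional, Tuple

Network = ipaddress.IPv4Network
# (destination network, outgoing interface, metric), like one row of "route print"
Route = Tuple[Network, str, int]

# Constructed sample environment (assumptions, not the asker's real data).
CORP_LAN = ipaddress.ip_network("192.168.1.0/24")   # corporate LAN behind ISA
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")   # consumer NAT box default
ALT_CORP = ipaddress.ip_network("172.20.0.0/16")    # the planned 172.x re-addressing


def overlaps_client_lan(corp: Network, client_local: Network) -> bool:
    """True when the corporate range collides with the client's local subnet.

    Any overlap, not just an identical prefix, is enough to break reachability
    for the overlapping hosts.
    """
    return corp.overlaps(client_local)


def client_routes_after_connect(client_local: Network) -> List[Route]:
    """Routes a typical VPN client holds once the tunnel is up (assumed shape).

    The physical NIC keeps an on-link route for the home subnet; the VPN
    adapter contributes a default route that takes precedence over the home
    default gateway by metric. No route for the corporate subnet itself is
    added, which is why the default route is all the tunnel gets.
    """
    return [
        (client_local, "home_lan", 20),                      # on-link, /24
        (ipaddress.ip_network("0.0.0.0/0"), "home_lan", 25), # home router
        (ipaddress.ip_network("0.0.0.0/0"), "vpn", 1),       # use gateway on remote network
    ]


def select_interface(dest: str, routes: List[Route]) -> Optional[str]:
    """Longest-prefix match, then lowest metric: the rule every IP stack applies."""
    dst = ipaddress.ip_address(dest)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def can_reach_corp_host(corp_host: str, corp: Network, client_local: Network) -> bool:
    """Does a packet for corp_host leave through the tunnel?

    A destination inside the corporate LAN must be routed via the VPN adapter;
    if the on-link home route wins, the packet is delivered to the home LAN and
    the corporate host is unreachable even though the tunnel is up.
    """
    if ipaddress.ip_address(corp_host) not in corp:
        raise ValueError(f"{corp_host} is not in corporate range {corp}")
    return select_interface(corp_host, client_routes_after_connect(client_local)) == "vpn"


if __name__ == "__main__":
    routes = client_routes_after_connect(HOME_LAN)
    print("overlap with 192.168.1.0/24 LAN:", overlaps_client_lan(CORP_LAN, HOME_LAN))
    print("192.168.1.50 goes out via:", select_interface("192.168.1.50", routes))
    print("reach 192.168.1.50 through VPN:", can_reach_corp_host("192.168.1.50", CORP_LAN, HOME_LAN))
    print("after re-addressing to 172.20.0.0/16:")
    print("overlap with home LAN:", overlaps_client_lan(ALT_CORP, HOME_LAN))
    print("reach 172.20.0.50 through VPN:", can_reach_corp_host("172.20.0.50", ALT_CORP, HOME_LAN))
```

The same check can be run against any candidate corporate range before re-addressing: feed in the prefixes the remote users' home routers are likely to use (192.168.0.0/24, 192.168.1.0/24, and whatever else shows up in your VPN logs) and reject any corporate range that `overlaps_client_lan` flags.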
ASKER
We are planning to go to a 172 range. I understand Network 101. Sometimes we inherit these problems and have to do the best with what we can.
ASKER
Thanks for the advice.