Bill_Huber asked:
VPN clients getting wrong IPs from DHCP server (ISA 2006)

I have an unusual setup that I am trying to get working correctly and have not found anything posted that quite fits my scenario, so here goes.

SETUP:
ISA 2006 server, standard.
Two physical NICs, the one facing "in" is set up to use two VLANs, and those show up fine as network adapters to Windows and ISA also recognizes them fine.  Call them Vlan101 (10.2.1.0/24, my VPN vlan) and Vlan102 (10.2.0.0/24, my general user vlan).  When I tell ISA to provide my VPN clients an IP from a DHCP server, I only have two options for the "Use the following network to obtain DHCP, etc, etc", the logical networks "internal" and "external" that ISA uses.  I have this set to internal.  The "internal" network address range I have spanning the whole 10.0.0.0/8 range.
I also have the DHCP relay agent set up in RRAS.  The interface listed for this relay agent is the virtual adapter associated with VLAN 101, my vpn vlan.  The relay agent is pointing to my DHCP server, which is on a completely different vlan altogether, and I have verified that I have good route/connectivity to this server from the ISA server.  The DHCP server is set up and servicing multiple vlans successfully.
I also verified that the virtual adapter for vpn101, the vpn vlan, is at the top of the list for "..the order in which they are accessed by network services" under the Adapters and Bindings tab of the Network Connections>Advanced Settings function.

MY ISSUE:
If I have both virtual adapters enabled (10.2.1.x and 10.2.0.x) and a vpn client connects in from outside (that is all I allow), they are getting an IP from vlan102, i.e. 10.2.0.100.  This is not what I want, I want them to get an IP from vlan101, 10.2.1.x.  If I disable the virtual network card associated with vlan102, then restart RRAS, the ISA server then grabs from the correct scope, 10.2.1.x.  If I undo this change, then the ISA server goes back to pulling from the wrong scope again.  I am assuming that the DHCP server is just providing IPs to the ISA server based on the address of the DHCP relay agent.

MY QUESTION:
How the heck do I get ISA/RRAS to use the correct adapter for the DHCP Relay Agent so that the DHCP server is providing the correct IPs?
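The asker's assumption about why the wrong scope is handed out matches how DHCP relaying is specified: a relay agent writes the address of the interface it received the client request on into the giaddr field, and the server (RFC 2131 section 4.3.1) leases from the scope that contains giaddr, not from the subnet the client "belongs" to. The following Python script is an added example, not code from the thread or from Microsoft's RRAS/DHCP implementation. It builds a minimal relayed DHCPDISCOVER, extracts giaddr and performs the same scope selection a server would. The scope list mirrors the VLANs in the question; the relay interface addresses 10.2.0.1 and 10.2.1.1, the client MAC and the transaction id are constructed sample values.

```python
import ipaddress
import struct

# Constructed scopes mirroring the thread's VLANs (not taken from a real server).
SCOPES = {
    "vlan101": ipaddress.ip_network("10.2.1.0/24"),  # VPN VLAN, the scope the asker wants
    "vlan102": ipaddress.ip_network("10.2.0.0/24"),  # general user VLAN, the scope actually used
}

BOOTREQUEST = 1
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MESSAGE_TYPE = 53
DHCPDISCOVER = 1
OPT_END = 255


def build_relayed_discover(giaddr, chaddr=b"\x00\x11\x22\x33\x44\x55", xid=0x3903F326):
    """Build a minimal DHCPDISCOVER as a relay agent forwards it to the server.

    The relay fills giaddr with the address of the interface on which it received
    the client broadcast and increments hops; the rest is what the client sent.
    chaddr and xid are constructed sample values.
    """
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, 1, 6, 1,            # op, htype=Ethernet, hlen, hops (relay bumped to 1)
        xid, 0, 0x8000,                  # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr: all zero in a DISCOVER
        ipaddress.ip_address(giaddr).packed,
        chaddr.ljust(16, b"\0"),
        b"\0" * 64, b"\0" * 128,         # sname, file
    )
    options = bytes([OPT_MESSAGE_TYPE, 1, DHCPDISCOVER, OPT_END])
    return header + MAGIC_COOKIE + options


def parse_giaddr(packet):
    """Return giaddr (bytes 24..27 of the BOOTP header) as a dotted-quad string."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    return str(ipaddress.ip_address(packet[24:28]))


def select_scope(packet, scopes=SCOPES):
    """Pick the scope a DHCP server leases from for this request (RFC 2131 4.3.1).

    giaddr == 0.0.0.0 means the client is on a subnet the server is directly
    attached to; otherwise the server uses the scope containing giaddr, whatever
    VLAN the client is really on.  Returns the scope name, or None if no scope
    covers the relay address (the server would then ignore the request).
    """
    giaddr = ipaddress.ip_address(parse_giaddr(packet))
    if giaddr == ipaddress.ip_address("0.0.0.0"):
        return "directly-connected"
    for name, net in scopes.items():
        if giaddr in net:
            return name
    return None


if __name__ == "__main__":
    # Same client, two possible relay interfaces: only giaddr decides the scope.
    for relay_if in ("10.2.0.1", "10.2.1.1"):
        pkt = build_relayed_discover(relay_if)
        print(f"relayed via {relay_if:<9} giaddr={parse_giaddr(pkt):<9} -> scope {select_scope(pkt)}")
```

Run it and the two lines differ only in giaddr, which is exactly the symptom in the question: when RRAS relays out of the vlan102 adapter the server answers from 10.2.0.0/24, and when only the vlan101 adapter is present it answers from 10.2.1.0/24. A capture of the relayed DISCOVER on the DHCP server (giaddr at offset 24 of the BOOTP header) is therefore the quickest way to confirm which interface the relay agent is really using.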
Keith Alabaster:

The ISA is likely passing across an address from the first dhcp server that responds rather than being selective. Does ISA need to see the dhcp server on the 10.2.0.0 subnet? If not, you have said that ISA is recognising both vlans (as opposed to the host operating system of the ISA), therefore in the ISA system policy (not the firewall policy) you may be able to block dhcp requests/replies to vlan2.
Bill_Huber (asker):

[Attachment: Drawing1.jpg, a simple diagram showing logical network connectivity]
Keith... I have a static route for the 10.0.0.0/8 network to use the vlan101 gateway, so I would think that it should then be using that interface...
  Network Address          Netmask  Gateway Address  Metric
         10.0.0.0        255.0.0.0         10.2.1.2       1
There is only one DHCP server at this physical location and it is providing IPs for all vlans.  It is on a vlan that is different from both vlan101 and 102.
I just re-read your post and will look at blocking DHCP to vlan2.
ASKER CERTIFIED SOLUTION
Bill_Huber (asker):

Well, that did it for us.  For some reason, RRAS was ignoring everything else and insisted on using the wrong NIC to talk to the DHCP server for VPN client IPs.  Removed that NIC, set everything up correctly, rebuilt the NIC, all is working fine now.  Thanks for the help, Keith, but this way seems to be a more "correct" solution.  I think yours would have worked, if it had come to that, but this is working now.