Can ISA route two LAN Subnets?

I have a situation where I have a LAN address of 10.x.x.x and I have an external company giving one of my users a VPN which uses the same 10.x.x.x range.  Obviously you need two separate LAN subnets when creating a VPN, so this is where my problem starts.

I have limited ISA experience and need to know how/if I can configure ISA to route two subnets on the LAN?

I have one ADSL internet connection coming in and want a standalone box with a 192.168.x.x address to be able to use this VPN client and get out on the internet.  I do not need the subnets to talk to each other.

Is this possible and if so how?  Cheers
LogicalSolutionsNZ Asked:

pwindell Commented:
Wouldn't it be simpler to just go buy a $50 home-user Linksys box and do the same thing with it instead of spending several thousand dollars on hardware, server OS, and a copy of TMG just to dedicate to this one particular small job?

bbao, IT Consultant, Commented:
YES. ISA supports routing between two defined subnets; just change the corresponding network rule from NAT to Route. Of course, ISA cannot route between two subnets having the same IP address and mask.

For details please see the following 3rd party article.

Allowing Intradomain Communications through the ISA Firewall (2004)
http://www.isaserver.org/articles/2004perimeterdomain.html

hope it helps,
bbao

Suliman Abu Kharroub, IT Consultant, Commented:
Add 192.168.x.x to the Internal network address ranges... Now ISA will consider 192.168.x.x the same as the internal network.

pwindell Commented:
The VPN Client (a Remote Access VPN Client) will not function if the Firewall Client is enabled on the VPN Client workstation.  So the Firewall Client will have to be disabled temporarily while the VPN is in use.

An Access Rule for PPTP, or L2TP, or one of the IPSec protocols must be created and the Rule must be anonymous (aka "All Users")

Since the remote Company's LAN is the same IP Range as yours the Client will most likely simply send the connection attempts to your own LAN and will hit whatever machine on your LAN happens to be running the same IP# as the intended device on the other side. If no device on your side uses the same IP then it would simply report that it gets no response.

Bottom line,...because both LANs use the same IP Range the project will most likely fail miserably.

Suliman Abu Kharroub, IT Consultant, Commented:
>>The VPN Client (a Remote Access VPN Client) will not function if the Firewall Client is enabled on the VPN Client workstation.  So the Firewall Client will have to be disabled temporarily while the VPN is in use.

I agree except for SSTP.... I have not tested it, but logically it should work because SSTP does not depend on the GRE protocol.... For sure, SSTP is only in TMG, not ISA.

Question for author:
>>I have one ADSL internet connection coming in and want a standalone box with a 192.168.x.x address to be able to use this VPN client and get out on the internet.

where is the location of this standalone box? inside LAN or outside ?

pwindell Commented:
>>I agree except for SSTP.... I have not tested it, but logically it should work because SSTP does not depend on the GRE protocol.... For sure, SSTP is only in TMG, not ISA.

Ok, I see.  Well I have not been exposed to SSTP and still use ISA myself.
But it will probably still have the issue with the IP ranges being the same on both sides no matter what network or tunneling protocol is used.  Unless the VPN dialup adapter,..because they always get bumped to the top of the binding order when they activate,...may save him, since the path it would want to take could override the routing behavior of the LAN NIC.  I'm not sure what to expect there, but me being the bright & sunny guy that I am,..I expect the worst  :-).

Suliman Abu Kharroub, IT Consultant, Commented:
My respect :)

LogicalSolutionsNZ, Author, Commented:
Thanks for the response guys, and it's TMG; sorry, I have limited experience here and just call it ISA.

Well, I was planning on putting the standalone box inside the LAN, adding the 192.168.x.x range to TMG as suggested, creating an access rule and off I go.  Launching their VPN app from my standalone box, using TMG as the default gateway, and hopefully making the connection.

What I need to get my head around is configuring the networking on the standalone box.  Do I add the 192.168.x.x network to TMG, then give the standalone box a 192.168.x.x address with a 10.x.x.x default gateway?  Do I have to add the 192.168.x.x network to a network adapter on the TMG box?

I have site-to-site IPSec experience and PPTP experience, but never by just using an app like this.  I've never tried to do anything like this before, so sorry for my lack of knowledge.

Sounds like my plan will work, or should I just put it in the too-hard basket?

pwindell Commented:
You don't add anything to the TMG beyond what is normal for it to function on your LAN.

There is no "routing" on the TMG with respect to the VPN, and no "routing" with respect to the network over the VPN, because the TMG never sees that or is even aware it exists.  Why? Because the VPN is a Remote Access VPN that is initiated at the User Workstation involved, so the only thing aware that it exists is the workstation that initiated it.

There is no "routing" on the initiating workstation because the Remote Access VPN is based on the same principles as Dialup-Networking and it is impossible in a Windows workstation OS to base any route off of a Demand-Dial-Interface.  

The way Dial-up Networking functions is by dynamically moving the Dialup-Adapter to the top of the binding order, setting the Default Gateway to be the dynamically received IP# of the Dialup-Adapter and changing the Mask to 32 bit (255.255.255.255). This causes it to treat any traffic that is not destined for the exact dynamic IP of the Dialup-Adapter as "foreign" and just blindly and inexplicably drop the traffic on the Link formed by the Dial-up Connection.  Hence, everything goes out the Dialup-Connection,...hence why machines with active Dialup-Connections often fail to function on the LAN while the Dialup-Connection is active.

So if the Dialup-Connection works as expected you might be able to reach the resource on the opposite LAN while sacrificing activity on the local LAN.  But if the fact that both LANs run the same IP Range throws a wrench into the mix,...then whatever machine on your local LAN that happens to be running the same IP# as the target on the Remote LAN will get hit by the traffic instead and obviously won't know what to do with it, and the whole thing fails.

In any case,...the TMG really has nothing to do with anything except to allow the Tunnel to be established between the LAN IP of the Workstation initiating the connection and the Public IP of the VPN Device on the other side.  The TMG will be completely and totally oblivious to anything happening over the VPN once the Tunnel has been established.

I hope that makes some sense,...my fingers are tired....  :-)

Suliman Abu Kharroub, IT Consultant, Commented:
@pwindell thanks for your clarification...
But I think the problem is not here...

@author:
please try the following:

On the TMG server:
Add an additional IP to the NIC adapter (ncpa.cpl): 192.168.1.1/24.
From the TMG console --> Networking --> add the range to the Internal network address ranges (192.168.1.x).
Make sure you have an access rule allowing (L2TP/IPsec) and/or (PPTP).

On the client side:
Assign the IP address 192.168.1.2 to the NIC adapter, with default gateway 192.168.1.1 (you can use 8.8.8.8 (Google's DNS server) as the DNS server IP).
This machine can only be used to connect the VPN to the remote site. In other words, this machine can't communicate with the 10.x.x.x network in the same site.
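An added illustration (not from any poster in this thread) of the routing behaviour pwindell describes and of why the 192.168.1.x standalone box suggested above sidesteps it: a small longest-prefix-match route selector, run over constructed routing tables, shows that on a 10.x workstation the connected LAN route still wins after the dial-up adapter installs its default route, so packets for the remote 10.x host are delivered to whatever local host holds that address, whereas the 192.168.1.x box sends them down the tunnel. The addresses, metrics and the /32 + default-route model of the dial-up adapter are assumptions for the example.

```python
import ipaddress

# Constructed routing tables (not from the thread) mirroring the scenario:
# a LAN on 10.0.0.0/8, a remote-access VPN whose far side also uses
# 10.0.0.0/8, and the suggested standalone 192.168.1.0/24 client.
# Each entry is (prefix, interface name, metric).
LAN_10_HOST = [("10.0.0.0/8", "LAN", 20), ("0.0.0.0/0", "LAN", 20)]
STANDALONE = [("192.168.1.0/24", "LAN", 20), ("0.0.0.0/0", "LAN", 20)]


def select_route(table, dst):
    """Windows-style route selection: longest prefix wins, then lowest metric.
    Returns the interface name for dst, or None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in ipaddress.ip_network(r[0])]
    if not matches:
        return None
    best = max(matches, key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, -r[2]))
    return best[1]


def vpn_up(table, dialup_ip):
    """Model the dial-up adapter activating, as described in the thread:
    a /32 route for its own assigned address plus a new default route with
    the best metric, so anything not matched more specifically goes to it."""
    return table + [(f"{dialup_ip}/32", "VPN", 1), ("0.0.0.0/0", "VPN", 1)]


def remote_target_reachable(table, target="10.20.30.40", dialup_ip="10.200.0.5"):
    """Does traffic for a host on the remote 10.x LAN leave via the tunnel?
    The assumed dial-up address sits in the overlapping 10.x range."""
    return select_route(vpn_up(table, dialup_ip), target) == "VPN"


if __name__ == "__main__":
    print("10.x workstation reaches remote host:", remote_target_reachable(LAN_10_HOST))
    print("192.168.1.x standalone reaches remote host:", remote_target_reachable(STANDALONE))
```

Because the misrouted traffic lands on a local host that merely shares the address, the overlap is not just a connectivity failure but a misdelivery of data the user intended for the remote site, which is the practical reason to keep the client's own subnet disjoint from the far side.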