Solved

Can ISA route two LAN Subnets?

Posted on 2011-05-03
Medium Priority
790 Views
Last Modified: 2012-05-11
I have a situation where I have a LAN address of 10.x.x.x and I have an external company giving one of my users a VPN which uses the same 10.x.x.x range.  Obviously you need two separate LAN subnets when creating a VPN, so this is where my problem starts.

I have limited ISA experience and need to know how/if I can configure ISA to route two subnets on the LAN?

I have one ADSL internet connection coming in and want a standalone box with a 192.168.x.x address to be able to use this VPN client and get out on the internet.  I do not need the subnets to talk to each other.

Is this possible and if so how?  Cheers
Question by:LogicalSolutionsNZ
10 Comments
 
LVL 37

Expert Comment

by:bbao
ID: 35556891
YES. ISA supports routing between two defined subnets; just change the corresponding network rule from NAT to Route. Of course, ISA cannot route between two subnets having the same IP address and mask.

For details please see the following 3rd-party article.

Allowing Intradomain Communications through the ISA Firewall (2004)
http://www.isaserver.org/articles/2004perimeterdomain.html

hope it helps,
bbao
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 35673397
Add 192.168.x.x to the Internal network address ranges. Now ISA will consider 192.168.x.x the same as the internal network.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35690465
The VPN Client (a Remote Access VPN Client) will not function if the Firewall Client is enabled on the VPN Client workstation.  So the Firewall Client will have to be disabled temporarily while the VPN is in use.

An Access Rule for PPTP, or L2TP, or one of the IPSec protocols must be created, and the Rule must be anonymous (aka "All Users").

Since the remote company's LAN is the same IP range as yours, the Client will most likely simply send the connection attempts to your own LAN and will hit whatever machine on your LAN happens to be running the same IP# as the intended device on the other side. If no device on your side uses the same IP, then it would simply report that it gets no response.

Bottom line,...because both LANs use the same IP range, the project will most likely fail miserably.
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 35692387
>>The VPN Client (a Remote Access VPN Client) will not function if the Firewall Client is enabled on the VPN Client workstation.  So the Firewall Client will have to be disabled temporarily while the VPN is in use.

I agree except for SSTP.... I have not tested it, but logically it should work because SSTP does not depend on the GRE protocol.... For sure, SSTP is only in TMG, not ISA.

Question for author:
>>I have one ADSL internet connection coming in and want a standalone box with a 192.168.x.x address to be able to use this VPN client and get out on the internet.

Where is the location of this standalone box? Inside the LAN or outside?
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35692472
>>I agree except for SSTP.... I have not tested it, but logically it should work because SSTP does not depend on the GRE protocol.... For sure, SSTP is only in TMG, not ISA.

Ok, I see.  Well, I have not been exposed to SSTP and still use ISA myself.
But you will probably still have the issue with the IP ranges being the same on both sides no matter what network or tunneling protocol is used.  Unless the VPN dialup adapter,...because they always get bumped to the top of the binding order when they activate,...may save him, since the path it would want to take could over-ride the routing behavior of the LAN NIC.  I'm not sure what to expect there, but me being the bright & sunny guy that I am,...I expect the worst  :-).
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 35692634
My respect :)
0
 

Author Comment

by:LogicalSolutionsNZ
ID: 35703495
Thanks for the response guys, and it's TMG; sorry, I have limited experience here and just call it ISA.

Well, I was planning on putting the standalone box inside the LAN, adding the 192.168.x.x range to TMG as suggested, creating an access rule, and off I go.  Launching their VPN app from my standalone box, using TMG as the default gateway, and hopefully making the connection.

What I need to get my head around is configuring the networking on the standalone box.  Do I add the 192.168.x.x network to TMG, then give the standalone box a 192.168.x.x address with a 10.x.x.x default gateway?  Do I have to add the 192.168.x.x network to a network adapter on the TMG box?

I have site-to-site IPSec experience and PPTP experience, but never by just using an app like this.  I've never tried to do anything like this before, so sorry for my lack of knowledge.

Does it sound like my plan will work, or should I just put it in the too-hard basket?
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35706133
You don't add anything to the TMG beyond what is normal for it to function on your LAN.

There is no "routing" on the TMG with respect to the VPN, and no "routing" with respect to the network over the VPN, because the TMG never sees that or is even aware it exists.  Why? Because the VPN is a Remote Access VPN that is initiated at the User Workstation involved, so the only thing aware that it exists is the workstation that initiated it.

There is no "routing" on the initiating workstation because the Remote Access VPN is based on the same principles as Dialup-Networking and it is impossible in a Windows workstation OS to base any route off of a Demand-Dial-Interface.  

The way Dial-up Networking functions is by dynamically moving the Dialup-Adapter to the top of the binding order, setting the Default Gateway to be the dynamically received IP# of the Dialup-Adapter, and changing the Mask to 32 bit (255.255.255.255). This causes it to treat any traffic that is not destined for the exact dynamic IP of the Dialup-Adapter as "foreign" and just blindly and inexplicably drop the traffic on the Link formed by the Dial-up Connection.  Hence, everything goes out the Dialup-Connection,...hence why machines with active Dialup-Connections often fail to function on the LAN while the Dialup-Connection is active.

So if the Dialup-Connection works as expected, you might be able to reach the resource on the opposite LAN while sacrificing activity on the local LAN.  But if the fact that both LANs run the same IP Range throws a wrench into the mix,...then whatever machine on your local LAN that happens to be running the same IP# as the target on the Remote LAN will get hit by the traffic instead, and obviously won't know what to do with it, and the whole thing fails.

In any case,...the TMG really has nothing to do with anything except to allow the Tunnel to be established between the LAN IP of the Workstation initiating the connection and the Public IP of the VPN Device on the other side.  The TMG will be completely and totally oblivious to anything happening over the VPN once the Tunnel has been established.

I hope that makes some sense,...my fingers are tired....  :-)
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 35706284
@pwindell thanks for your clarification...
But I think the problem is not here ...

@author:
Please try the following:

On the TMG server:
Add an additional IP to the NIC adapter (ncpa.cpl): 192.168.1.1/24.
From the TMG console --> Networking --> add the range to the internal network address ranges (192.168.1.x).
Make sure you have an access rule allowing (L2TP/IPsec) and/or (PPTP).

On the client side:
Assign the IP address on the NIC adapter (192.168.1.2) and default gateway 192.168.1.1. (You can use 8.8.8.8 (Google's DNS server) as the DNS server IP.)
This machine can only be used to connect the VPN to the remote site. In other words, this machine can't communicate with the 10.x.x.x network in the same site.
0
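The two posts above make a routing argument: a remote-access VPN adapter inserts a preferred default route, and a connected-LAN route is always more specific than a default route, so a remote host whose address also exists in the local 10.x.x.x range is delivered locally instead of into the tunnel. The following added example (not code from the thread, the ISA/TMG product, or any poster) simulates a Windows-style host routing table with longest-prefix-match selection to show both outcomes: the overlapping-range case pwindell describes and the separate 192.168.1.0/24 client range Suliman suggests. All prefixes, gateways and metrics are constructed placeholders; the page only gives 10.x.x.x and 192.168.1.x.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    metric: int = 10


def select_route(table, dst):
    """Pick the route a host would use: longest prefix first, lowest metric on ties."""
    dst = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def subnets_overlap(a, b):
    """True when the local LAN range and the remote VPN range share any address."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def routes_for_host(lan_prefix, lan_gateway, vpn_up):
    """Constructed host routing table (assumption, not a captured table).

    The connected LAN route and a default route via the TMG gateway are always
    present. An active remote-access VPN adds a second default route through the
    tunnel adapter with a lower metric, mirroring the 'adapter bumped to the top
    of the binding order' behaviour described in the thread.
    """
    table = [
        Route(ipaddress.IPv4Network(lan_prefix), "LAN NIC", 20),
        Route(ipaddress.IPv4Network("0.0.0.0/0"), f"LAN NIC via {lan_gateway}", 20),
    ]
    if vpn_up:
        table.append(Route(ipaddress.IPv4Network("0.0.0.0/0"), "VPN adapter", 1))
    return table


def egress(lan_prefix, lan_gateway, dst, vpn_up=True):
    """Interface the constructed host would send traffic for dst out of."""
    route = select_route(routes_for_host(lan_prefix, lan_gateway, vpn_up), dst)
    return route.interface if route else None


if __name__ == "__main__":
    remote_vpn_range = "10.0.0.0/24"      # constructed stand-in for the partner's 10.x.x.x
    remote_host = "10.0.0.5"              # constructed target on the remote LAN

    # Case 1: client sits on the same 10.x.x.x range as the remote site.
    print("overlap:", subnets_overlap("10.0.0.0/24", remote_vpn_range))
    print("10.x client -> remote host goes out:", egress("10.0.0.0/24", "10.0.0.1", remote_host))
    print("10.x client -> Internet host goes out:", egress("10.0.0.0/24", "10.0.0.1", "8.8.8.8"))

    # Case 2: client moved to a dedicated 192.168.1.0/24 range behind TMG.
    print("overlap:", subnets_overlap("192.168.1.0/24", remote_vpn_range))
    print("192.168 client -> remote host goes out:", egress("192.168.1.0/24", "192.168.1.1", remote_host))
```

With the client on the overlapping range, `10.0.0.5` matches the connected `/24` and never reaches the tunnel, which is the failure mode the thread predicts; on the separate `192.168.1.0/24` range only the default routes match and the lower-metric VPN route wins. The overlap check is the quick test to run before building any of this: if it returns True, no ISA/TMG rule will fix the client's own routing decision.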
 
LVL 29

Accepted Solution

by:
pwindell earned 2000 total points
ID: 35706455
Wouldn't it be simpler to just go buy a $50 home-user Linksys box and do the same thing with it, instead of spending several thousand dollars on hardware, a server OS, and a copy of TMG just to dedicate to this one particular small job?
0

Question has a verified solution.
