ISA 2004 - route via incoming VPN connection

  • Question

  • Hi all,

    is there any way to route outgoing traffic via an incoming VPN connection? My idea is this:

    Client connects to ISA via VPN, I set the user to get static IP, on the ISA server I set route via that IP to client's LAN.

    I've tried it and I cannot ping to any IP in the client's LAN - on ISA monitoring I get error 0xc004002d FWX_E_UNREACHABLE_ADDRESS.

    Is this even possible?

    Thanks!


    R.*
    Wednesday, May 26, 2010 12:48 PM

Answers

  • It may be tricky as I have never tried this scenario. First, when you connect, let it use the DHCP pool. See if that works for you, as the client is set to get the IP from the profile.

    Also, the bottom line is that the NIC on ISA should receive the packet from the address range defined for it in the network definition (eventually the routing table). So, we need to make the LAN range of the client a trusted range for the PPP adapter of the ISA Server. Now, whatever range we do not define on an ISA network becomes a part of the External network. So, if you don't define the client LAN in the VPN network range, it will be deemed a part of the External network and traffic will only be allowed to come/go from the external NIC; else it will be spoofed.


    Regards, Amit Saxena
    • Marked as answer by James Kilner Tuesday, September 28, 2010 8:00 AM
    Thursday, June 17, 2010 4:39 PM
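    Amit's explanation above, as an added model written for this thread (it is not ISA code): ISA maps each address to a network object, treats anything undefined as External, and flags a packet whose source does not belong to the network bound to the adapter it arrived on. The 10.1.1.0/24 LAN, the 192.168.253.55 client address and the static route come from the thread; the 192.168.253.0/24 VPN pool, the 192.168.1.0/24 Internal LAN and the default gateway are assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# ISA network objects (constructed). 192.168.253.0/24 as the VPN address pool and
# 192.168.1.0/24 as the Internal LAN are assumptions, not values from the thread.
ISA_NETWORKS: Dict[str, List[str]] = {
    "Internal": ["192.168.1.0/24"],
    "VPN Clients": ["192.168.253.0/24"],
}

def classify(addr: str, networks: Dict[str, List[str]]) -> str:
    """Return the ISA network that covers addr; any undefined range is External."""
    ip = ipaddress.ip_address(addr)
    for name, ranges in networks.items():
        if any(ip in ipaddress.ip_network(r) for r in ranges):
            return name
    return "External"

def check_source(src: str, adapter_network: str, networks: Dict[str, List[str]]) -> str:
    """Spoof check: a packet arriving on an adapter must come from that adapter's network."""
    return "allowed" if classify(src, networks) == adapter_network else "spoofed"

def with_remote_lan(networks: Dict[str, List[str]], remote_lan: str = "10.1.1.0/24") -> Dict[str, List[str]]:
    """The fix Amit describes: fold the client's LAN into the VPN Clients network definition."""
    fixed = {name: list(ranges) for name, ranges in networks.items()}
    fixed["VPN Clients"].append(remote_lan)
    return fixed

def next_hop(dst: str, routes: List[Tuple[str, str, str]]) -> Tuple[str, str]:
    """Longest-prefix match over (prefix, gateway, interface), like Windows 'route print'."""
    ip = ipaddress.ip_address(dst)
    best = max((r for r in routes if ip in ipaddress.ip_network(r[0])),
               key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

# Routing table: the thread's 'route add' plus an assumed default route (203.0.113.1 is a placeholder).
ROUTES: List[Tuple[str, str, str]] = [
    ("0.0.0.0/0", "203.0.113.1", "External NIC"),
    ("10.1.1.0/24", "192.168.253.55", "WAN (PPP/SLIP) Interface"),
]

if __name__ == "__main__":
    print(next_hop("10.1.1.20", ROUTES))                                          # via the PPP interface
    print(check_source("10.1.1.20", "VPN Clients", ISA_NETWORKS))                 # spoofed: LAN is External
    print(check_source("10.1.1.20", "VPN Clients", with_remote_lan(ISA_NETWORKS)))  # allowed after the fix
```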

All replies

  • Do you have a static route set up on the ISA Server machine? You do this by using the Route Add command. From the ISA Server itself (assuming you have an access rule to allow this), are you able to ping the client's LAN? Is the client LAN located across some other WAN connection?

    What about letting a router do this? Have your VPN clients assigned a default gateway of a router that is aware of that network as well as how to get out of yours.

    Wednesday, May 26, 2010 2:58 PM
  • Hi Keith,

    thanks for your reply!

    Yes, I've created a static route via this command:

    "route add 10.1.1.0 mask 255.255.255.0 192.168.253.55 metric 1 if 0x10002"

    10.1.1.0/24 is the client's LAN, 192.168.253.55 is the client's VPN static IP address, 0x10002 is the "WAN (PPP/SLIP) Interface" of ISA (the route add command cannot be done w/o specifying the interface).

    The client is connecting across the public Internet to the VPN on the ISA; I'm able to ping its VPN IP address while it's connected.

    I cannot use the site-to-site VPN feature on the ISA - there is no router/VPN server on the client's side, just a NAT-capable appliance...


    R.*
    Thursday, May 27, 2010 6:59 AM
  • Hello...

    Not 100% clear what you're trying to do.  Is ISA multi-homed?  Are you trying to route all traffic from ISA's Internal network to a VPN client?

    Regards,

    Richard Barker (MSFT)

    Wednesday, June 2, 2010 1:54 PM
  • Hi Richard,

    I do not know what you mean by "multi-homed ISA", however you're almost right - I'm trying to route just the subnet 10.1.1.0/24 to the VPN client with static IP address 192.168.253.55.

    Thanks,


    R.*
    Wednesday, June 2, 2010 2:26 PM
  • "Client connects to ISA via VPN, I set the user to get static IP, on the ISA server I set route via that IP to client's LAN"

    So, to get this straight, you want to access VPN client's LAN network via the ISA Server or clients behind ISA?

    I don't think it can be done, as the RRAS server (ISA) does a proxy ARP for clients connected to it and then forwards the traffic. However, try to enable this key on the client and see if that helps:

    http://support.microsoft.com/kb/315236

    My recommendation is to try this first with a normal RRAS and a client. ISA has other concepts like spoofing etc. which may play a role in blocking the traffic. If you succeed in doing this on a plain RRAS, then we can think about ISA.

    On a personal note, this is quite a playful use of VPN :)

    Also, how are you giving that static IP to the client? Using user profile or CMAK?

    Regards.
    Sunday, June 6, 2010 3:05 PM
  • Hi Amit,

    thanks for the link, I'll try it, as well as I'll try to play with RRAS. Actually, this idea came from one of our customers - just one of those trying to reduce costs "at full blast" :-)

    To make a VPN client get the same IP every time, just edit the properties of his/her account (locally on ISA, or in ADUC), on the "Dial-In" tab check the "Assign static IP Address" checkbox, and then set it up by clicking the "Static IP Address" button. :-)

    Regards,


    R.*
    Monday, June 7, 2010 7:12 AM
  • Yup! That's the way to give a static IP. Also, reiterating that it may or may not work, also try to check if enabling ICS and sharing the PPP with other clients helps you.
    Regards, Amit Saxena
    Monday, June 7, 2010 9:38 PM
  • Hi,

    Any updates on this? Did it work for you?

    Regards, Amit Saxena
    Thursday, June 10, 2010 7:15 PM
  • Hello Amit,

    sorry, not yet, I'll try it today (hope so).


    R.*
    Friday, June 11, 2010 5:55 AM
  • It works with W2k8 RRAS installed. Unfortunately I've no way to test it on W2k3 RRAS and install the ISA there at this time; however, I suppose the RRAS is the same as in W2k8 (same icons and commands... :-)
    R.*
    Monday, June 14, 2010 9:24 AM
  • Thanks for the update. Should work for 2003 too if it worked for 2008 :)
    Regards, Amit Saxena
    Monday, June 14, 2010 4:07 PM
  • Well, the original question (if it's possible with ISA) still remains...
    R.*
    Monday, June 14, 2010 6:14 PM
  • Now, for ISA, try to define the remote network as a part of the VPN network itself. Check if it gives you any spoofing alerts. Moreover, if you are using ISA, you would get a chance to check it on a 2003 box, as ISA can only work on a 2003 machine.
    Regards, Amit Saxena
    Monday, June 14, 2010 10:36 PM
  • Thanks for the reply, Amit. Please, how can I "define the remote network as a part of the VPN network itself"? I do not know what exactly you mean by that... I'll try the RRAS on Win2003...

    Thanks!


    R.*
    Tuesday, June 15, 2010 5:40 AM