On the ISAserver.org mailing list someone wrote in with a common question regarding remote access VPN connections to the main office. The scenario is a common one: he had an ISA firewall acting as a remote access VPN server for his network, and the network ID behind the ISA firewall was 192.168.110.0/24. One of his users was at a hotel, and the hotel's broadband provider was assigning IP addresses from that same network ID. This is a big problem for VPN users, because the destination network must be on a different network ID than the local network the client is sitting on.
The reason the destination network ID must differ from the local network ID is that when the remote access VPN client tries to connect to a host on the same network ID as its local interface, the connection attempt is sent through the local (Ethernet or wireless) interface, not through the VPN interface: the client's routing table has a connected route for the local subnet, and that route is more specific than the default route pointing at the VPN adapter. For example, if the NIC on the laptop at the hotel is assigned 192.168.110.25 and the office host he has VPNed in to reach is 192.168.110.96, the laptop sends an ARP request for 192.168.110.96 out the local NIC rather than through the VPN interface. On the hotel LAN either nothing answers, or worse, a hotel guest's machine that happens to hold that address does. (When the VPN path is used, it is the ISA firewall that answers ARP on the VPN client's behalf, via proxy ARP, on the office network.)
There aren't a lot of options here. One option is to assign VPN clients an off-subnet address (off subnet for both the ISA firewall's internal network and the hotel network). That lets them reach the ISA firewall itself, so you could allow them to RDP into the ISA firewall and then open a second RDP session from there to the internal resource. Needless to say, this isn't a viable solution, because users should not have RDP access to the ISA firewall.
A better solution, suggested by Tim Mullen (who together with Jim Harrison is giving a fantastic ISA firewall seminar at Black Hat in Las Vegas; see http://blogs.isaserver.org/shinder/2006/06/20/isa-ninjitsu-designing-building-and-maintaining-enterprise-firewall-and-dmz-topologies-with-microsoft-isa-server-2004/), is to put a small NAT device in front of the laptop. Plug the laptop into the NAT device's LAN port, plug the hotel connection into its WAN port, and away you go: the laptop now sits on the NAT device's private network ID instead of the hotel's, so the office network no longer overlaps with the laptop's local subnet. All you need to do is make sure you configure the NAT device's internal network ID to be something very unusual, something neither a hotel network nor your office network is likely to use. I suggest using the autonet (APIPA) network ID, 169.254.0.0/16; I've never seen anyone use that one.
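To make the route-selection argument above concrete, here is a small Python model, added as an illustration and not code from the original post. It approximates the VPN client's routing table (connected route on the local NIC, a host route and a default route over the VPN adapter; this simplified table is an assumption, real tables carry more entries), applies longest-prefix matching, and shows why 192.168.110.96 goes out the local NIC when the hotel hands out 192.168.110.0/24 but goes through the VPN once the laptop sits behind a travel NAT device on an autonet range. The VPN-assigned address 10.10.10.5 and the NAT LAN range 169.254.1.0/24 are constructed for the example. It also includes the overlap check you would run before choosing a NAT LAN range.

```python
import ipaddress

# Addresses from the post: the office network behind the ISA firewall and the
# hotel range that collides with it. The VPN-assigned address and the NAT
# device's LAN range are constructed for this example.
OFFICE_LAN = "192.168.110.0/24"
HOTEL_LAN = "192.168.110.0/24"
VPN_CLIENT_IP = "10.10.10.5"        # assumed address the ISA firewall hands the VPN client
TRAVEL_NAT_LAN = "169.254.1.0/24"   # NAT device LAN carved from the autonet range


def client_routes(local_cidr, vpn_ip):
    """Approximate routing table of a VPN client after the tunnel is up.

    Entries are (prefix, interface, metric). Assumption for illustration:
    a connected route on the physical NIC, a /32 host route for the VPN
    address, and a low-metric default route over the VPN adapter ("use
    default gateway on remote network"). Real tables have more entries;
    these are the ones that decide the case discussed in the post.
    """
    return [
        ("0.0.0.0/0", "local-nic", 25),   # hotel default gateway
        (local_cidr, "local-nic", 25),    # connected route for the local subnet
        (vpn_ip + "/32", "vpn", 1),       # host route for the VPN-assigned address
        ("0.0.0.0/0", "vpn", 1),          # default route through the tunnel
    ]


def choose_route(routes, dst):
    """Longest-prefix match, lowest metric as tie-breaker; returns the egress interface."""
    dst = ipaddress.ip_address(dst)
    candidates = []
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net:
            # More specific prefix wins; among equal prefixes the lower metric wins.
            candidates.append((-net.prefixlen, metric, iface))
    if not candidates:
        return None
    return min(candidates)[2]


def egress_interface(local_cidr, vpn_ip, dst):
    """Which interface the client uses to reach dst, given its local subnet."""
    return choose_route(client_routes(local_cidr, vpn_ip), dst)


def overlaps(cidr_a, cidr_b):
    """True if the two network IDs share any address."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def pick_nat_lan(candidates, avoid):
    """First candidate LAN range that collides with none of the networks in avoid.

    avoid should hold every network the traveller will VPN into plus any
    range a hotel or home router is likely to use.
    """
    for cidr in candidates:
        if not any(overlaps(cidr, other) for other in avoid):
            return cidr
    return None


if __name__ == "__main__":
    dst = "192.168.110.96"  # office host from the post
    print("laptop directly on hotel LAN ->", egress_interface(HOTEL_LAN, VPN_CLIENT_IP, dst))
    print("laptop behind travel NAT     ->", egress_interface(TRAVEL_NAT_LAN, VPN_CLIENT_IP, dst))
    print("hotel/office overlap:", overlaps(HOTEL_LAN, OFFICE_LAN))
    # 192.168.1.0/24 is a common consumer-router default, so it is avoided too.
    print("NAT LAN choice:", pick_nat_lan(
        ["192.168.1.0/24", "192.168.110.0/24", TRAVEL_NAT_LAN],
        [HOTEL_LAN, OFFICE_LAN, "192.168.1.0/24"]))
```

On a real Windows client, compare the model against `route print` once the tunnel is up: the connected route for the local subnet is the entry that wins over the tunnel whenever the office and local network IDs coincide, and no VPN-side setting changes that.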
Here’s a nice little NAT device that you can easily carry with you when traveling:
Here’s another good option:
Thomas W Shinder, M.D.
MVP — ISA Firewalls