How to Implement VPN Off-Subnet IP Addresses
By Stefaan Pouseele
Last Update: 30/03/2003
In his article about VPN client security - Part 1: Split Tunneling Issues, Tom Shinder talks about the use of off-subnet IP addresses to improve the safety of your internal network by assigning the VPN clients off-subnet IP addresses. This works great. However there is one major drawback to this approach, and that is you won’t be able to use DHCP to assign IP addresses to the clients, as the DHCP server should be on the same network segment as the internal interface of the ISA Server. In this short article I will show you how you can modify your network design and overcome that limitation. Moreover, the proposed network design can also be used as a general framework if you have multiple LAN's and/or WAN's on your internal network.
2. Network Design
I read frequently on the message boards that people want to use multiple internal interfaces on the ISA server. As a network guy, I'm not an advocate of such a scenario. In my opinion, ISA server should only be used as a firewall and not as an internal router. Because ISA server can't control the traffic between multiple internal interfaces, I strongly recommend to offload the routing of internal traffic to a dedicated layer-3 device such as a router or layer-3 switch. Therefore, I would propose the following generic network design:
How to configure the routing on ISA server in such a network scenario is very well explained in Jim Harrison's article Designing An ISA Server Solution on a Complex Network. So, I wan't repeat it here. At first sight, there is nothing special about this design. However, if you want to avoid the Split Tunneling problem and smack down non-compliant users who disable the default gateway setting in the VPN connectoids, you must assign an IP address range to the ISA Server internal interface that is not contained in the classfull IP address range of the rest of the internal network. Also, no other devices but the ISA Server and the layer-3 device should be connected to that segment. Because that segment is only used as a transit network, I've called that segment a stub subnet in the above figure.
3. Classfull IP Addresses
In the original Internet routing scheme developed in the 1970s, sites were assigned addresses from one of three classes: Class A, Class B and Class C. The address classes differ in size and number. Class A addresses are the largest, but there are few of them. Class Cs are the smallest, but they are numerous. Classes D and E are also defined, but not used in normal operation. The different classes can be summarized as follows:
- Class A - 0nnnnnnn hhhhhhhh hhhhhhhh hhhhhhhh
First bit 0; 7 network bits; 24 host bits Initial byte: 0 - 127 126 Class As exist (0 and 127 are reserved) 16,777,214 hosts on each Class A
- Class B - 10nnnnnn nnnnnnnn hhhhhhhh hhhhhhhh
First two bits 10; 14 network bits; 16 host bits Initial byte: 128 - 191 16,384 Class Bs exist 65,532 hosts on each Class B
- Class C - 110nnnnn nnnnnnnn nnnnnnnn hhhhhhhh
First three bits 110; 21 network bits; 8 host bits Initial byte: 192 - 223 2,097,152 Class Cs exist 254 hosts on each Class C
- Class D - 1110mmmm mmmmmmmm mmmmmmmm mmmmmmmm
First four bits 1110; 28 multicast address bits Initial byte: 224 - 247 Class Ds are multicast addresses - see RFC 1112
- Class E - 1111rrrr rrrrrrrr rrrrrrrr rrrrrrrr
First four bits 1111; 28 reserved address bits Initial byte: 248 - 255 Reserved for experimental use
As part of the setup process of ISA Server in firewall or integrated mode, you must specify the local address table (LAT). The local address table is a table of all internal Internet protocol (IP) address ranges used by the internal network behind the ISA Server computer. ISA Server uses the LAT to control how machines on the internal network communicate with external networks.
Typically, the LAT contains all IP addresses associated with the internal network cards on the ISA Server computer, in addition to the private IP address ranges defined by the Internet Assigned Numbers Authority (IANA) in the Request for Comments 1918: Address Allocation for Private Internets. This private IP address ranges are:
10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
As you can see, the first block is nothing but a single class A network number, while the second block is a set of 16 contiguous class B network numbers, and the third block is a set of 256 contiguous class C network numbers.
To assign an IP address range not contained in the classfull IP address range of the internal network to the stub subnet, you will have to carefully design your IP numbering scheme. In example, if you use a subset of the private IP address range 10/8 on the internal network, you can't assign another subset of the same private IP address range 10/8 to the stub subnet because they belong to the same class A network number. Therefore, I would recommend to assign a private IP address range to the stub subnet in the following way:
- Determine first how many VPN clients you want to support simultaneously. This is of course directly related to the number of VPN ports you have defined.
- If you need less than 254 simultaneous VPN users, assign a class C network number (/24) out of the private IP range 192.168/16.
- If you need more than 254 simultaneous VPN users, assign a class B network number (/16) out of the private IP range 172.16/12.
For more info how to use DHCP to assign IP addresses to VPN clients, check out the article Using DHCP with ISA/VPN Server Clients by Tom Shinder.
By using the above network design and assigning to the stub subnet an IP address range not contained in the classfull IP address range of the internal network, you can improve VPN client security with off-subnet IP addresses without having the limitation you can't use DHCP assigned IP addresses for the VPN clients.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001405 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! – Stefaan.