Solved

Advice needed on how to investigate a VPN/Firewall problem

Posted on 2004-04-25
381 Views
Last Modified: 2010-03-18
The original setup:

2 Windows XP PC's connected via 100Mbit network switch.
Broadband internet connection provided by a router.
The PC's each have standard 100Mbit network cards, TCP/IP and default gateway/IP Address/DNS information loaded from the router via DHCP.

Can ping each PC and Router from each other without any problems (all on 192.168 network)

The change to one of the PCs:

Installed AT&T Global Network Client and Firewall configured for VPN access over my existing Internet connection.
Configured the AT&T Firewall software to be enabled only on the Wan Miniport (i.e., the VPN) connection and NOT the local network card.

The problem following the change:
Everything works fine when the VPN connection is not connected.
Upon connection, the PC that is connected can no longer ping the other PC and vice versa.
The VPN connection itself works fine and I can ping other remote systems on the connected network.
Once VPN is disconnected, I can ping to/from the PC as normal again.

ipconfig when connected via VPN:
The local network card shows its DHCP allocated 192.168.x.x IP address (from the router) and the router as the default gateway, i.e., no change to when not connected.
The Wan Miniport connection shows its DHCP allocated 192.168.x.x IP address (from AT&T) not conflicting with any local addresses and a blank default gateway.

Can anyone suggest how I can continue to use my local network whilst connected over VPN to a remote network?

If not, can anyone suggest what steps I can take to find out where/how the pings are getting blocked when connected, i.e., how far does the traffic get, what are the responses? Is there any network diagnostic software (preferably freeware) that is recommended for resolving this type of issue.

Any help would be much appreciated.
Question by:loveit
13 Comments
 
LVL 57

Expert Comment

by:Pete Long
Is this VPN using a particular port number?? If so you will need the router to forward all incoming traffic on that port number to the client on YOUR network :)
 

Author Comment

by:loveit
The router is acting correctly when connected to the VPN in that all access to the VPN connected network is fully working. It is accessing PCs on my local area network, to/from the PC that has the active VPN connection at the time, that is failing. Can I conclude therefore that the router allowing incoming traffic on the VPN port is not the problem?
 
LVL 11

Expert Comment

by:ewtaylor
Everything is working as it should be, for security purposes most vpn clients disable lan access when connected. This prevents tunnel hijacking from people inside the lan. This is by design, though some clients and tunnels allow what is called split tunneling, you can check and see if the client has this option.
 

Author Comment

by:loveit
The VPN client software does not appear to have any options to split or re-enable LAN access whilst connected.

Are there any other suggestions as to how I might achieve simultaneous access to my LAN and the VPN from a single PC? Would a second network card make any difference?
 
LVL 11

Accepted Solution

by:
ewtaylor earned 500 total points
No, most vpn clients install a shim between the os and the interfaces. You might be able to play with the routing tables some and get local lan access depending on the ip addressing of the 2 networks.
 

Author Comment

by:loveit
Thanks. I guess I will just have to live with this or have a separate PC for VPN access.
 
LVL 11

Expert Comment

by:ewtaylor
You might be able to switch your internal lan network to a 10.xxx.xxx.xxx network and then using a route statement get local lan access. How hard would it be to change the ip addressing scheme, i.e. how many clients?
 

Author Comment

by:loveit
It's all DHCP so I can just change the pool to a 10.x.x.x network. From your suggestion, I assume that the VPN only closes down access to addresses on the same network and not to the LAN card itself, so trying a new network may work. I'll report back with the outcome when I get a chance to re-boot my net.
 
LVL 11

Expert Comment

by:ewtaylor
Yes, we may need to tweak the routing table.
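To make the routing-table angle from the accepted answer and the 10.x.x.x suggestion concrete, here is an added example (not from this thread and not the AT&T client's behaviour) that simulates how a Windows host picks a route over two constructed tables, one with the LAN and the remote network both on 192.168.1.0/24 and one after the LAN is renumbered. The addresses, the assumption that the remote office also uses 192.168.1.0/24, and the assumption that the VPN client installs its routes with metric 1 are all constructed for the example.

```python
import ipaddress

# Routing-table rows in `route print` order: (destination, netmask, gateway, interface, metric).
# Every address here is constructed for this example, not taken from the thread.
LAN_OLD = "192.168.1.5"   # assumed LAN card address before renumbering
LAN_NEW = "10.0.0.5"      # assumed LAN card address after moving the LAN to 10.x.x.x
VPN_IF = "192.168.50.7"   # assumed Wan Miniport address handed out by the VPN server


def best_route(table, dst):
    """Pick the row a Windows host uses: longest matching prefix, then lowest metric."""
    dst = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gw, iface, metric in table:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if dst not in net:
            continue
        key = (net.prefixlen, -metric)  # longer prefix wins, then lower metric
        if best is None or key > best[0]:
            best = (key, gw, iface)
    return None if best is None else (best[1], best[2])


def route_add_cmd(dest, mask, gw, metric=1):
    """Render the XP-era `route add` line that pins a destination to a gateway."""
    return f"route add {dest} mask {mask} {gw} metric {metric}"


# Tunnel up, LAN still on 192.168.1.0/24. Assumed: the remote office also uses
# 192.168.1.0/24 (a common collision) and the VPN client installs its route with metric 1.
OVERLAP = [
    ("0.0.0.0", "0.0.0.0", "192.168.50.1", VPN_IF, 1),            # VPN default route
    ("0.0.0.0", "0.0.0.0", "192.168.1.1", LAN_OLD, 20),           # router default route
    ("192.168.1.0", "255.255.255.0", "192.168.50.1", VPN_IF, 1),  # pushed by VPN client
    ("192.168.1.0", "255.255.255.0", LAN_OLD, LAN_OLD, 20),       # directly connected LAN
]

# Same tunnel after renumbering the LAN to 10.0.0.0/24: the prefixes no longer collide,
# so a LAN peer stays on the LAN card while the remote network still goes down the tunnel.
RENUMBERED = [
    ("0.0.0.0", "0.0.0.0", "192.168.50.1", VPN_IF, 1),
    ("0.0.0.0", "0.0.0.0", "10.0.0.1", LAN_NEW, 20),
    ("192.168.1.0", "255.255.255.0", "192.168.50.1", VPN_IF, 1),
    ("10.0.0.0", "255.255.255.0", LAN_NEW, LAN_NEW, 20),
]

if __name__ == "__main__":
    print("LAN peer while overlapping:", best_route(OVERLAP, "192.168.1.20"))
    print("LAN peer after renumbering:", best_route(RENUMBERED, "10.0.0.20"))
    print("pin the LAN explicitly:", route_add_cmd("10.0.0.0", "255.255.255.0", LAN_NEW))
```

With the overlapping table the LAN peer is sent into the tunnel (equal prefix length, lower metric on the VPN row), which is the symptom the thread describes; comparing the real `route print` output against this logic shows whether the tunnel or the LAN card carries a given destination.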
 

Author Comment

by:loveit
Progress Report:
I have changed my local network to a 10.x.x.x addressing scheme. This has improved matters in that I can now ping other PCs successfully from the PC that is connected to the VPN and use the VPN as normal. However, when connected there are a couple of other problems. I still can't ping the connected PC from another PC (both ping and tracert time out), plus I can't ping outward from the VPN connected PC using the hostname of another PC, e.g., "ping otherpc", as I could before I was connected (I have to use the actual IP address). So, a few steps forward but still a name resolution problem and an inability to ping in to the connected PC.

Out of interest, excluding VPN for a moment, given that I have no DNS server or static hosts file, how does Windows resolve a ping to a PC by name on the Windows network, e.g., 2 PC's connected, no DNS server, one has a Windows Node Name of abc and the other of xyz, why does "ping xyz" from abc correctly work out the IP address of xyz?
 
LVL 11

Expert Comment

by:ewtaylor
I think the firewall of the AT&T client is preventing the ping; try disabling all firewall functions and see if the ping gets through. The VPN is probably using the remote DNS for name resolution. As for your other question, it uses the browsing service; I find this link to be extremely useful in explaining and troubleshooting browsing issues. http://labmice.techtarget.com/networking/browsersrvc.htm
 
LVL 11

Expert Comment

by:ewtaylor
Even though it says domain this works for small peer to peer networks as well.
 

Author Comment

by:loveit
OK, there is no simple answer to this one, but I have now worked around it by running the services that I need all on the same PC, so there is no need to network outside. Thank you for all the advice.