Solved

VPN issue with external and internal conflicting subnets

Posted on 2005-05-02
Last Modified: 2006-11-18
I have a situation with VPN connections to our Windows 2000 VPN server that is only occurring when the client is at certain hotels. The hotel LAN is using the same subnet addressing that is on our LAN, 192.168.2.x. Does anyone know of a workaround that doesn't add too much complexity to the network scheme to resolve this problem?

Thanks,
Steve
Question by:sdoughty
12 Comments
 
LVL 12

Expert Comment

by:Carlo-Giuliani
ID: 13913615
To be honest, I can't think of *any* workaround for this problem.  I think you are stuck!
0
 
LVL 39

Accepted Solution

by:
redseatechnologies earned 2000 total points
ID: 13915043
I had this same issue - i changed our local subnet to the ever freaky 172.16.x.x - no-one uses that (much)

we used to have 10.x.x.x but a lot of home broadband routers here used that same range, again making VPNs painful

good luck

-red
0
 

Author Comment

by:sdoughty
ID: 13916921
The problem I have is that we have 20 subnets divided over a WAN and to change the host LAN subnet poses a great deal of work for the sake of access from a few external networks. I was hoping someone had any ideas to avoid having to make these extensive changes.

Thanks,
Steve
0

 
LVL 7

Expert Comment

by:sr_millar
ID: 13918391
Steve,

I am assuming the Windows 2000 server has a public IP address - and I assume the VPN is so that your users can access certain machines like email, Citrix for example.  I am wondering about using NAT somehow so that the client thinks it is speaking to another address.  For example, place a router between your W2K VPN box and your LAN.  Then configure NAT on it so that your Exchange server (which may be 192.168.2.10) appears as a 172.16 address.  Just map the 172.16 address to the 192.168.2.10 address for your Exchange box.

I have never done this, but I am just offering the theory in case anyone can be more specific?

Stuart
0
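The collision in the question and the 1:1 NAT idea in the comment above, worked through as an added example that is not part of any post in this thread. It assumes a simplified client routing table (an on-link route for the local LAN plus a default route through the tunnel) and a hypothetical alias range 172.16.2.0/24; only 192.168.2.x, 192.168.2.10 and "a 172.16 address" come from the thread.

```python
import ipaddress

CORP_LAN = ipaddress.ip_network("192.168.2.0/24")   # from the question
NAT_ALIAS = ipaddress.ip_network("172.16.2.0/24")   # assumed alias range

def client_routes(local_lan):
    """Simplified table of a connected VPN client (assumption):
    on-link route for the local LAN, default route through the tunnel."""
    return [(ipaddress.ip_network(local_lan), "lan"),
            (ipaddress.ip_network("0.0.0.0/0"), "vpn")]

def egress(routes, dst):
    """Pick the outgoing interface by longest-prefix match."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, ifc) for net, ifc in routes if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def to_alias(real_ip, real_net=CORP_LAN, alias_net=NAT_ALIAS):
    """1:1 NAT mapping: keep the host bits, swap the network prefix."""
    real_ip = ipaddress.ip_address(real_ip)
    if real_ip not in real_net:
        raise ValueError(f"{real_ip} is not inside {real_net}")
    if real_net.prefixlen != alias_net.prefixlen:
        raise ValueError("1:1 NAT needs equally sized networks")
    offset = int(real_ip) - int(real_net.network_address)
    return alias_net.network_address + offset

def check(local_lan, server):
    """Where does traffic to the server go, by real address and by alias?"""
    routes = client_routes(local_lan)
    alias = to_alias(server)
    return {
        "overlap": ipaddress.ip_network(local_lan).overlaps(CORP_LAN),
        "direct": egress(routes, server),    # "lan" means it never enters the tunnel
        "alias": str(alias),
        "via_alias": egress(routes, alias),
    }

if __name__ == "__main__":
    # Constructed client networks: conflicting hotel, unrelated LAN,
    # and a site that happens to use the alias range itself.
    for lan in ("192.168.2.0/24", "192.168.1.0/24", "172.16.0.0/16"):
        print(lan, check(lan, "192.168.2.10"))
```

The third case shows that an alias range (or a renumbered LAN) only moves the collision: a client network that itself uses 172.16.x.x sends the alias address to its own LAN instead of the tunnel.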
 
LVL 19

Expert Comment

by:CoccoBill
ID: 13921921
When using VPN connections, the client-side LAN access should always be disabled, otherwise the VPN client is acting as a bridge between the two networks. Not only making your setup much more secure, it will also solve your problem. :)
0
 

Author Comment

by:sdoughty
ID: 13925504
CoccoBill, not allowing LAN access to the VPN client defeats the purpose of giving them the VPN connection. They must be able to access local network resources.
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 13925669
I understand this is often the case, but remember that it's not just the remote client being able to access your network now, evil hax0rs and worms will be able to use the same pathway. This is how the Windows NT4 source code got stolen a few years back.
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 13925696
Oh, I think there was a slight misunderstanding. By LAN access in this case it would be the hotel's LAN that needs to be blocked, not your internal network. Most 3rd party VPN products support this feature.
http://www.webopedia.com/TERM/S/split_tunneling.html
0
 

Author Comment

by:sdoughty
ID: 14227222
After considering all the excellent input and further research I have seen that the only solution to this problem would be through changing our local subnetting. It is something I was trying to avoid but it seems to be the general consensus that it is the only real solution. I thank everyone for their feedback on my dilemma.

Steve
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 14227305
so did you want to accept an answer?

i suggested that solution at the beginning of this question

i know it sucks, but sometimes the only option is a bad one

-red
0
 

Author Comment

by:sdoughty
ID: 14229892
Yes I accepted the answer. I know. I was hoping that someone might have found a less troublesome solution.
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 14236273
if i find one in my travels, i will post it here :)

i was trying to seem rude in my previous post, it is just that the cleanup volunteer was recommending a different answer

thanks

-red
0
