vpn connection through cable modem

Last Modified: 2013-11-30
I always seem to have a problem setting our external users up with a VPN connection when their home network utilizes a cable modem.

I have everything set up correctly. The user is able to log into our network (everything authenticates and connects).

They get the connection windows; however, they aren't able to ping any of the servers or get mail, etc.

But this only happens with cable modem users.

I had them check their settings, and it seems their home network settings are the same internal IP scheme as our office internal IP scheme.

For example, our VPN server designates a 192.168.0.x IP address and a 192.168.0.1 default gateway.

The user's home router designates the same: a 192.168.0.x IP address and a 192.168.0.1 default gateway.

Is this causing the problem, and how can I allow users with cable modems to gain VPN access to network work resources?

Thanks

CERTIFIED EXPERT
Top Expert 2013

Commented:
That is likely your issue. Either end of a VPN tunnel needs to be on a different subnet, otherwise there are routing conflicts: does the packet get sent to the local network or the remote when they are both part of the same subnet? The easiest solution is to get the home user to change their local subnet; however, the best long-term solution is to change the main/server network so that you are not constantly chasing this problem with each new user or a mobile user. I know this is a bigger job, but it does reduce ongoing conflicts. If you do so, change to something uncommon. 192.168.0.x, 192.168.1.x, 192.168.2.x and 192.168.100.x seem to be the most common defaults for ISPs and various routers. Try something like 192.168.222.x or a number that has some relationship to the site address or phone number so you remember it.
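The routing conflict described in the answer above, as an added example that is not part of the original thread: it models a connected client's routing table and shows which interface a packet for an office server leaves on. The /24 masks, the interface names, the metrics (connected LAN route preferred over the VPN route) and the server addresses are assumptions made for illustration.

```python
import ipaddress

# Home-router defaults named in the answer above, assumed here to be /24 networks.
COMMON_HOME_SUBNETS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.100.0/24")]


def conflicts(office_subnet):
    """Return the common home subnets that overlap a candidate office subnet."""
    office = ipaddress.ip_network(office_subnet)
    return [str(home) for home in COMMON_HOME_SUBNETS if home.overlaps(office)]


def build_client_routes(home_subnet, office_subnet):
    """Constructed routing table of a home PC with the VPN connected.

    Assumption: the directly connected LAN route carries a lower metric
    than the route the VPN adapter adds for the office network.
    """
    return [
        (ipaddress.ip_network("0.0.0.0/0"), "lan", 20),    # default via home router
        (ipaddress.ip_network(home_subnet), "lan", 10),    # connected home LAN
        (ipaddress.ip_network(office_subnet), "vpn", 30),  # office via tunnel
    ]


def pick_interface(routes, destination):
    """Longest-prefix match; ties are broken by the lowest metric."""
    dest = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dest in r[0]]
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


if __name__ == "__main__":
    # Both ends on 192.168.0.0/24: traffic for the office server stays on the home LAN.
    same = build_client_routes("192.168.0.0/24", "192.168.0.0/24")
    print("office on 192.168.0.x   ->", pick_interface(same, "192.168.0.10"))

    # Office renumbered to 192.168.222.0/24: the only matching /24 is the tunnel.
    moved = build_client_routes("192.168.0.0/24", "192.168.222.0/24")
    print("office on 192.168.222.x ->", pick_interface(moved, "192.168.222.10"))

    for candidate in ("192.168.0.0/24", "192.168.222.0/24"):
        print(candidate, "overlaps:", conflicts(candidate) or "none")
```
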

Author

Commented:
So I can basically just change all the internal IPs?

Everything is static,

so I can just change all our servers and computers from 192.168.0.x to 192.168.222.1-256

and that would solve the problem?
Sr. Infrastructure Engineer
Commented:
CERTIFIED EXPERT
Top Expert 2013

Commented:
I don't recommend changing the server IP scheme without a little planning; it can have quite an impact on your network, especially DNS. Your existing static DNS records would have to be updated and dynamic ones flushed, or you may wind up with devices and services pointing to old records until updated. Also, switching to DHCP for your workstations may be advantageous as Chris mentioned, although there definitely are reasons to have static addressing in some cases, or at least specific DHCP reservations.

My suggestion is a long-term solution to subnet overlap, but it should be carefully planned, especially if you have a multiple-server network with different services available to users. Short term, get the user to change their local subnet to verify it will resolve your problem. I like to keep the main network different than that of the common or default networks, as traveling users will always be a problem if you use the standard subnets.

Author

Commented:
We're not too large,

3 servers

maybe 35 computers

I still might go DHCP

We had it running before I started here, but apparently they ran into problems with it, so I made everything static.
CERTIFIED EXPERT
Top Expert 2013

Commented:
Do you have any reasons to have static workstations, such as remotely connecting to the workstations? One possible reason to go static is name resolution doesn't work well in many cases over VPNs, so you don't want to be trying to connect by IP to dynamic workstations. You can address this issue by using DHCP reservations, which is a little slower to set up, but accomplishes the same goal, and allows central management.

With 3 servers, be careful making the change, and look carefully at how you will impact the overall network.

Author

Commented:
So what do you suggest? Switching over to DHCP?

If I want to do that, how do I update my DNS records and flush the dynamic ones like you said?

Do I set that up on the domain controller and just have it replicate out to the other servers and clients?

Should I leave my router's DHCP turned off, because our router has a built-in DHCP?

What would I need to update on my router?

Commented:
I don't think you should change anything on your internal network. As "RobWill" mentioned, you should have a separate tunnel subnet and the VPN router should be able to route the traffic based on where it originated at.
CERTIFIED EXPERT
Top Expert 2013
Commented:
As a side note, you also want to make sure that the end-user's router supports IPSEC Passthrough and it is set to do so.
CERTIFIED EXPERT
Top Expert 2013

Commented:
WestonGroup, how did you end up making out?
--Rob

Author

Commented:
Still not working.

I'm waiting on the user to find out about their local ISP provider.

CERTIFIED EXPERT
Top Expert 2013

Commented:
Thanks for the update, let us know how you make out, I am curious.
--Rob