Solved

Need to renumber network so that home users can connect to vpn

Posted on 2006-07-05
Last Modified: 2010-04-12
Hi,

I have published a diagram of our network at http://members.cox.net/bak27/

I want to move to the private subnet of 172.16.10.x because too many home users cannot connect to our network with the vpn because their home networks are on the 192.168.x.x network.

I don't really want to mess with the aironets or the vpn between the netscreens.

Can I just change the 192.168.1.x network to 172.16.10.x and leave the y.y.y.x and 192.168.2.1 networks alone?  Or will the 172 not talk to the 192 network because those are non routable IP's?

Thanks for any input,
Bonnie
Question by: Bonnie_K

10 Comments
 
LVL 77

Accepted Solution

by:
Rob Williams earned 150 total points
ID: 17044979
If I understand the question correctly, you can change the 192.168.1.0 network to 172.16.10.0 without a problem. 192's are routable, just not over the Internet (except through the VPN tunnel). However, the entire 192.168.1.0 network would need to be changed by the looks of it. Look into this carefully, as there may be a fair amount involved in moving the NEC phone system. Could it be kept on its own, separated by the router, or does it have integrated features with the workstations as some do?

Assisted Solution by: Frabble (LVL 15, earned 100 total points)
ID: 17045025
Hi Bonnie
You should be able to change the addresses as you say. The 172.16.10.x network will route the same way that the 192.168.1.x network talks to the 192.168.2.x network. You just need to make the necessary routing and tunnel configuration changes for the new network on the netscreens.

But, why is a user VPN tunneling to their home network? Your VPN setup should be able to allocate remote VPN client IP addresses from an address pool, one that doesn't conflict with your internal or users home networks, for example 192.168.168.0/24
If users home networks appear across the VPN then you will still get conflicts when more than one client connects with the same address since just about all home networks are  192.168.0.X or 192.168.1.X

Assisted Solution by: hiteshgupta1 (LVL 8, earned 100 total points)
ID: 17056542
There is no problem in changing the address,
but why do you think that this will solve your problem?

How you number the network doesn't affect network layer traffic segmentation. The only things that do that are routers or Layer 3 switches.

Assisted Solution by: lrmoore (LVL 79, earned 150 total points)
ID: 17057720
Good idea to change the 192.168.1.x subnet now. You are 100% correct that this is a HUGE problem if you have home/remote users, the vast majority of whom are also using the 192.168.1.x subnet. Probably easier to bite the bullet and change yours now than try to convince every remote user to change their home networks (and hotels, too).

The 172.16.10.0 subnet is not a problem talking to any other private subnets.
You will, however, have to change the tunnel configurations in the Netscreens.

Author Comment by: Bonnie_K
ID: 17058708
Thanks for the comments  - I hope to use these tips to renumber the network this or next weekend and will accept answers then.

Part of me wants to put the aironets on the other side of the netscreen and have all of the equipment within the netscreen firewall with no public IP's.

Here's why I think this will help: the way I explain this to people at work is that if their home network is on the same addressing scheme as the server, their computers think that the server should be found in their house and never go over the VPN tunnel to try and find the server.
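A worked illustration of the overlap problem described in Frabble's comment (the VPN client pool) and in Bonnie's explanation just above, added here as an example that is not part of the original thread. It models a home user's host routing table as a longest-prefix match between the directly connected home LAN and the route the VPN client adds, and checks a renumbering plan (office LAN plus VPN client address pool) against a list of subnets consumer routers commonly use. The list of home subnets, the server addresses and the 10.0.0.0/24 entry are constructed for the example; 172.16.10.0/24 and 192.168.168.0/24 are the values from the thread. Only Python's standard `ipaddress` module is used.

```python
from ipaddress import ip_address, ip_network

# Constructed sample (assumption, not from the thread): subnets that consumer
# routers commonly hand out, used to sanity-check a renumbering plan.
COMMON_HOME_LANS = [
    "192.168.0.0/24",
    "192.168.1.0/24",
    "192.168.2.0/24",
    "10.0.0.0/24",
]


def overlapping(candidate, others):
    """Return the entries of `others` that share any address with `candidate`."""
    cand = ip_network(candidate)
    return [o for o in others if cand.overlaps(ip_network(o))]


def pick_route(destination, routes):
    """Longest-prefix match over (network, via) pairs, as a host routing table does.

    Ties go to the first matching entry; callers list the directly connected
    home LAN first, which mirrors the connected route beating a VPN route of
    the same prefix length.
    """
    dst = ip_address(destination)
    best = None
    for net_str, via in routes:
        net = ip_network(net_str)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def path_to_server(server_ip, home_lan, corp_lan):
    """Which way a home user's packets to the office server actually go."""
    routes = [(home_lan, "local"), (corp_lan, "vpn")]
    return pick_route(server_ip, routes)


def check_plan(corp_lan, vpn_pool, home_lans=COMMON_HOME_LANS):
    """Flag overlaps between the office LAN, the VPN client pool and home LANs."""
    problems = {}
    corp_hits = overlapping(corp_lan, home_lans)
    if corp_hits:
        problems["corp_vs_home"] = corp_hits
    pool_hits = overlapping(vpn_pool, home_lans)
    if pool_hits:
        problems["pool_vs_home"] = pool_hits
    if ip_network(corp_lan).overlaps(ip_network(vpn_pool)):
        problems["corp_vs_pool"] = [vpn_pool]
    return problems


if __name__ == "__main__":
    # Before renumbering: office and home are both 192.168.1.0/24, so the
    # connected route wins and the server is looked for in the house.
    print(path_to_server("192.168.1.10", "192.168.1.0/24", "192.168.1.0/24"))  # local
    # After renumbering: 172.16.10.0/24 only matches the VPN route.
    print(path_to_server("172.16.10.10", "192.168.1.0/24", "172.16.10.0/24"))  # vpn
    print(check_plan("192.168.1.0/24", "192.168.168.0/24"))
    print(check_plan("172.16.10.0/24", "192.168.168.0/24"))
```

The longest-prefix rule also shows the one case where an overlapping home LAN does not break things: a home router handing out a /16 loses to a /24 VPN route for the office. Real clients add metrics and sometimes "use remote gateway" policies on top of this, so treat the model as the default behaviour, not a guarantee.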
 
LVL 79

Expert Comment

by:lrmoore
ID: 17058919
You've got a good point. Putting the wireless bridges on a public IP space and using the 2nd Netscreen with a VPN tunnel between the netscreens does seem to be a bit over-complicating matters when you can simply extend your Private IP space and have everything inside just one Netscreen firewall. No VPN to worry about, everyone can be on the same happy IP subnet.

Author Comment by: Bonnie_K
ID: 17059071
The company that installed the aironets for my predecessor told him that even though the traffic was encrypted between the aironets, it should flow through the netscreen VPN; that's why it is the way it is.  Have you heard of that as being necessary?

Expert Comment by: lrmoore (LVL 79)
ID: 17059617
If the wireless connection between the two aironets is encrypted via WEP/WPA then adding another layer of encryption on top of it is just paranoia, but if Security of the data is the #1 priority, then by all means adding another layer of encryption may certainly be called for.

Author Comment by: Bonnie_K
ID: 17139236
I ended up moving the aironets behind the netscreen and have everything on the 172.16.10.x network.  Very nice and tidy now.  VPN is back up and running and I hope that this clears up the problems I was having with some users being able to connect.

Thanks for all of your responses.  It really helped a lot.

Expert Comment by: Rob Williams (LVL 77)
ID: 17140174
Thank you Bonnie.
--Rob