  • Status: Solved
  • Priority: Medium
  • Security: Public

Need to renumber network so that home users can connect to vpn

Hi,

I have published a diagram of our network at http://members.cox.net/bak27/

I want to move to the private subnet of 172.16.10.x because too many home users cannot connect to our network with the vpn because their home networks are on the 192.168.x.x network.

I don't really want to mess with the aironets or the vpn between the netscreens.

Can I just change the 192.168.1.x network to 172.16.10.x and leave the y.y.y.x and 192.168.2.1 networks alone?  Or will the 172 not talk to the 192 network because those are non routable IP's?

Thanks for any input,
Bonnie
Asked by Bonnie_K
4 Solutions
 
Rob Williams commented:
If I understand the question correctly, you can change the 192.168.1.0 network to 172.16.10.0 without a problem. 192's are routable, just not over the Internet (except through the VPN tunnel). However, the entire 192.168.1.0 network would need to be changed by the looks of it. Look into this carefully, as there may be a fair amount involved in moving the NEC phone system. Could it be kept on its own, separated by the router, or does it have integrated features with the workstations as some do?
 
Frabble commented:
Hi Bonnie
You should be able to change the addresses as you say. The 172.16.10.x network will route the same way that the 192.168.1.x network talks to the 192.168.2.x network. You just need to make the necessary routing and tunnel configuration changes for the new network on the netscreens.

But, why is a user VPN tunneling to their home network? Your VPN setup should be able to allocate remote VPN client IP addresses from an address pool, one that doesn't conflict with your internal or users' home networks, for example 192.168.168.0/24.
If users' home networks appear across the VPN then you will still get conflicts when more than one client connects with the same address, since just about all home networks are 192.168.0.X or 192.168.1.X.
 
hiteshgupta1 commented:
There is no problem in changing the address,
but why do you think that this will solve your problem?

How you number the network doesn't affect network layer traffic segmentation. The only things that do that are routers or Layer 3 switches.
 
lrmoore commented:
Good idea to change the 192.168.1.x subnet now. You are 100% correct that this is a HUGE problem if the vast majority of your home/remote users are also using the 192.168.1.x subnet. Probably easier to bite the bullet and change yours now than try to convince every remote user to change their home networks (and hotels, too).

The 172.16.10.0 subnet is not a problem talking to any other private subnets.
You will, however, have to change the tunnel configurations in the Netscreens.
 
Bonnie_K (Author) commented:
Thanks for the comments. I hope to use these tips to renumber the network this or next weekend and will accept answers then.

Part of me wants to put the aironets on the other side of the netscreen and have all of the equipment within the netscreen firewall with no public IP's.

Here's why I think this will help: the way I explain this to people at work is that if their home network is on the same addressing scheme as the server, their computers think that the server should be found in their house and never go over the vpn tunnel to try and find the server.
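As an added illustration (not code from the thread), the following Python models the two points made above: Frabble's check that the office network and the VPN client pool do not overlap common home LANs, and Bonnie's point that a client whose home LAN shares the office prefix sends server traffic to the local LAN instead of over the tunnel. The interface names and the list of sample home subnets are constructed for the example.

```python
# Added example, not from the thread. Models the address-overlap problem the
# thread discusses: a VPN client has a connected route for its home LAN, and a
# VPN route to the same prefix cannot beat it in longest-prefix matching, so
# packets for a 192.168.1.x server stay on the home LAN. Renumbering the office
# to 172.16.10.0/24 (and giving VPN clients addresses from a pool such as
# 192.168.168.0/24, as suggested above) removes the overlap.
from ipaddress import ip_address, ip_network

# Constructed sample of typical home LANs, matching the thread's observation.
HOME_LANS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24"]


def conflicts(office_net, home_lans=HOME_LANS, client_pool=None):
    """Return the home LANs that overlap the office network or the VPN pool."""
    nets = [ip_network(office_net)]
    if client_pool:
        nets.append(ip_network(client_pool))
    return [h for h in home_lans if any(ip_network(h).overlaps(n) for n in nets)]


def pick_route(dest, routes):
    """Longest-prefix match over routes given as (prefix, interface) pairs.
    On a tie the earlier entry wins; connected (LAN) routes are listed first,
    which is how an ordinary client prefers its directly attached network."""
    dst = ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def egress_for_server(server_ip, home_lan, office_net):
    """Interface a VPN client sitting on home_lan would use to reach server_ip.
    Interface names lan0/vpn0 are hypothetical."""
    routes = [(home_lan, "lan0"), (office_net, "vpn0"), ("0.0.0.0/0", "lan0")]
    return pick_route(server_ip, routes)


if __name__ == "__main__":
    print(conflicts("192.168.1.0/24"))                                   # ['192.168.1.0/24']
    print(conflicts("172.16.10.0/24", client_pool="192.168.168.0/24"))   # []
    # Same client, before and after the office renumbering:
    print(egress_for_server("192.168.1.10", "192.168.1.0/24", "192.168.1.0/24"))  # lan0
    print(egress_for_server("172.16.10.10", "192.168.1.0/24", "172.16.10.0/24"))  # vpn0
```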
 
lrmoore commented:
You've got a good point. Putting the wireless bridges on a public IP space and using the 2nd Netscreen with a VPN tunnel between the netscreens does seem to be a bit over-complicating matters when you can simply extend your Private IP space and have everything inside just one Netscreen firewall. No VPN to worry about, everyone can be on the same happy IP subnet.
 
Bonnie_K (Author) commented:
The company that installed the aironets for my predecessor told him that even though the traffic was encrypted between the aironets, it should flow through the netscreen vpn; that's why it is the way it is. Have you heard of that as being necessary?
 
lrmoore commented:
If the wireless connection between the two aironets is encrypted via WEP/WPA then adding another layer of encryption on top of it is just paranoia, but if security of the data is the #1 priority, then by all means adding another layer of encryption may certainly be called for.
 
Bonnie_K (Author) commented:
I ended up moving the aironets behind the netscreen and have everything on the 172.16.10.x network. Very nice and tidy now. VPN is back up and running and I hope that this clears up the problems I was having with some users being able to connect.

Thanks for all of your responses. It really helped a lot.
 
Rob Williams commented:
Thank you Bonnie.
--Rob
