Need to renumber network so that home users can connect to vpn


I have published a diagram of our network at

I want to move to the private subnet of 172.16.10.x because too many home users cannot connect to our network with the vpn because their home networks are on the 192.168.x.x network.

I don't really want to mess with the aironets or the vpn between the netscreens.

Can I just change the 192.168.1.x network to 172.16.10.x and leave the y.y.y.x and networks alone?  Or will the 172 not talk to the 192 network because those are non routable IP's?

Thanks for any input,

Rob Williams Commented:
If I understand the question correctly, you can change the network to without a problem. 192's are routable, just not over the Internet (except through the VPN tunnel). However, the entire network would need to be changed by the looks of it. Look into this carefully, as there may be a fair amount involved in moving the NEC phone system. Could it be kept on its own, separated by the router, or does it have integrated features with the workstations as some do?
Frabble Commented:
Hi Bonnie
You should be able to change the addresses as you say. The 172.16.10.x network will route the same way that the 192.168.1.x network talks to the 192.168.2.x network. You just need to make the necessary routing and tunnel configuration changes for the new network on the netscreens.

But, why is a user VPN tunneling to their home network? Your VPN setup should be able to allocate remote VPN client IP addresses from an address pool, one that doesn't conflict with your internal or users' home networks, for example
If users' home networks appear across the VPN then you will still get conflicts when more than one client connects with the same address, since just about all home networks are 192.168.0.X or 192.168.1.X
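
An added example, not part of any participant's post: a Python check of which home LANs collide with an office subnet or a VPN client pool, using the thread's 192.168.1.x and 172.16.10.x networks. The /24 masks, the sample home LANs and the pool 172.16.99.0/24 are assumptions made for illustration, and `is_on_link` is a simplified model of a client's routing decision.

```python
import ipaddress

# Constructed sample data: typical home-router LANs (assumed /24 masks).
HOME_LANS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24"]


def conflicts(corporate, home_lans=HOME_LANS):
    """Map each home LAN to the corporate prefixes it overlaps (conflicts only)."""
    corp = [ipaddress.ip_network(c) for c in corporate]
    found = {}
    for lan in home_lans:
        lan_net = ipaddress.ip_network(lan)
        hits = [str(c) for c in corp if c.overlaps(lan_net)]
        if hits:
            found[lan] = hits
    return found


def is_on_link(server_ip, home_lan):
    """Simplified model: a destination inside the client's own LAN prefix is
    treated as local, so the client looks for it at home, not over the tunnel."""
    return ipaddress.ip_address(server_ip) in ipaddress.ip_network(home_lan)


def pool_is_safe(pool, internal, home_lans=HOME_LANS):
    """A VPN client pool must overlap neither internal nor home networks."""
    return not conflicts([pool], list(internal) + list(home_lans))


if __name__ == "__main__":
    current = ["192.168.1.0/24"]    # office subnet before renumbering
    planned = ["172.16.10.0/24"]    # office subnet after renumbering
    pool = "172.16.99.0/24"         # hypothetical VPN client pool
    print("current conflicts:", conflicts(current))
    print("planned conflicts:", conflicts(planned))
    print("pool safe:", pool_is_safe(pool, planned))
    # Hypothetical server addresses, seen from a 192.168.1.0/24 home LAN.
    for server in ("192.168.1.10", "172.16.10.10"):
        print(server, "treated as local:", is_on_link(server, "192.168.1.0/24"))
```
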
hiteshgupta1 Commented:
There is no problem in changing the address,
but why do you think that this will solve your problem?

How you number the network doesn't affect network layer traffic segmentation. The only things that do that are routers or Layer 3 switches.
lrmoore Commented:
Good idea to change the 192.168.1.x subnet now. You are 100% correct that this is a HUGE problem if you have home/remote users that the vast majority are also using the 192.168.1.x subnet. Probably easier to bite the bullet and change yours now than try to convince every remote user to change their home networks (and hotels, too).

The subnet is not a problem talking to any other private subnets.
You will, however, have to change the tunnel configurations in the Netscreens.
Bonnie_K (Author) Commented:
Thanks for the comments - I hope to use these tips to renumber the network this or next weekend and will accept answers then.

Part of me wants to put the aironets on the other side of the netscreen and have all of the equipment within the netscreen firewall with no public IP's.

Here's why I think this will help: the way I explain this to people at work is that if their home network is on the same addressing scheme as the server, their computers think that the server should be found in their house and never go over the VPN tunnel to try and find the server.
You've got a good point. Putting the wireless bridges on a public IP space and using the 2nd Netscreen with a VPN tunnel between the netscreens does seem to be a bit over-complicating matters when you can simply extend your Private IP space and have everything inside just one Netscreen firewall. No VPN to worry about, everyone can be on the same happy IP subnet.
Bonnie_K (Author) Commented:
The company that installed the aironets for my predecessor told him that even though the traffic was encrypted between the aironets, it should flow through the netscreen VPN; that's why it is the way it is. Have you heard of that as being necessary?
If the wireless connection between the two aironets is encrypted via WEP/WPA then adding another layer of encryption on top of it is just paranoia, but if Security of the data is the #1 priority, then by all means adding another layer of encryption may certainly be called for.

Bonnie_K (Author) Commented:
I ended up moving the aironets behind the netscreen and have everything on the 172.16.10.x network. Very nice and tidy now. VPN is back up and running and I hope that this clears up the problems I was having with some users being able to connect.

Thanks for all of your responses. It really helped a lot.
Rob Williams Commented:
Thank you Bonnie.