Need to renumber network so that home users can connect to vpn

Posted on 2006-07-05
Medium Priority
Last Modified: 2010-04-12

I have published a diagram of our network at http://members.cox.net/bak27/

I want to move to the private subnet of 172.16.10.x because too many home users cannot connect to our network with the vpn because their home networks are on the 192.168.x.x network.

I don't really want to mess with the aironets or the vpn between the netscreens.

Can I just change the 192.168.1.x network to 172.16.10.x and leave the y.y.y.x and networks alone? Or will the 172 not talk to the 192 network because those are non-routable IPs?

Thanks for any input,
Question by:Bonnie_K
LVL 77

Accepted Solution

Rob Williams earned 600 total points
ID: 17044979
If I understand the question correctly, you can change the network to without a problem. 192's are routable, just not over the Internet (except through the VPN tunnel). However, the entire network would need to be changed by the looks of it. Look into this carefully, as there may be a fair amount involved in moving the NEC phone system. Could it be kept on its own, separated by the router, or does it have integrated features with the workstations as some do?
LVL 15

Assisted Solution

Frabble earned 400 total points
ID: 17045025
Hi Bonnie
You should be able to change the addresses as you say. The 172.16.10.x network will route the same way that the 192.168.1.x network talks to the 192.168.2.x network. You just need to make the necessary routing and tunnel configuration changes for the new network on the netscreens.

But, why is a user VPN tunneling to their home network? Your VPN setup should be able to allocate remote VPN client IP addresses from an address pool, one that doesn't conflict with your internal or users' home networks, for example
If users' home networks appear across the VPN then you will still get conflicts when more than one client connects with the same address, since just about all home networks are 192.168.0.X or 192.168.1.X.

Assisted Solution

hiteshgupta1 earned 400 total points
ID: 17056542
There is no problem in changing the address,
but why do you think that this will solve your problem?

How you number the network doesn't affect network layer traffic segmentation. The only things that do that are routers or Layer 3 switches.
LVL 79

Assisted Solution

lrmoore earned 600 total points
ID: 17057720
Good idea to change the 192.168.1.x subnet now. You are 100% correct that this is a HUGE problem if the vast majority of your home/remote users are also using the 192.168.1.x subnet. Probably easier to bite the bullet and change yours now than try to convince every remote user to change their home networks (and hotels, too).

The subnet is not a problem talking to any other private subnets.
You will, however, have to change the tunnel configurations in the Netscreens.

Author Comment

ID: 17058708
Thanks for the comments. I hope to use these tips to renumber the network this or next weekend and will accept answers then.

Part of me wants to put the aironets on the other side of the netscreen and have all of the equipment within the netscreen firewall with no public IP's.

Here's why I think this will help: the way I explain this to people at work is that if their home network is on the same addressing scheme as the server, their computers think that the server should be found in their house and never go over the VPN tunnel to try and find the server.
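The mechanism described in this comment, as an added example that is not part of the original thread: a host matches a destination against its routes by longest prefix and then lowest metric, so an office subnet that collides with the home LAN is served by the directly connected interface instead of the tunnel. All subnets, interface names and metrics below are constructed sample values.

```python
"""Check a proposed office subnet against the home subnets remote users
typically have, and model why a collision keeps traffic off the VPN."""
import ipaddress

# The thread notes nearly all home networks use one of these (constructed list)
COMMON_HOME_SUBNETS = ["192.168.0.0/24", "192.168.1.0/24"]


def conflicting_home_subnets(office_subnet, home_subnets=COMMON_HOME_SUBNETS):
    """Return the home subnets that overlap the proposed office LAN."""
    office = ipaddress.ip_network(office_subnet)
    return [h for h in home_subnets if office.overlaps(ipaddress.ip_network(h))]


def client_routes(home_subnet, office_subnet):
    """Route table of a home PC with the VPN up: (network, interface, metric).
    Interface names and metrics are constructed; a directly connected LAN
    normally carries a lower metric than a route installed by a VPN client."""
    return [
        ("0.0.0.0/0", "home-router", 50),
        (home_subnet, "home-lan", 10),      # directly connected
        (office_subnet, "vpn-tunnel", 20),  # pushed by the VPN client
    ]


def next_hop(dest, routes):
    """Select the outgoing interface the way a host does: longest prefix
    wins, and among equal prefixes the lowest metric wins."""
    ip = ipaddress.ip_address(dest)
    matches = [r for r in routes if ip in ipaddress.ip_network(r[0])]
    best = max(matches, key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, -r[2]))
    return best[1]


if __name__ == "__main__":
    home = "192.168.1.0/24"
    for office, server in [("192.168.1.0/24", "192.168.1.10"),
                           ("172.16.10.0/24", "172.16.10.10")]:
        print(office, "conflicts with:", conflicting_home_subnets(office))
        print("  traffic to", server, "leaves via",
              next_hop(server, client_routes(home, office)))
```

Before renumbering the server address resolves to the home LAN interface; after moving to 172.16.10.0/24 the only matching non-default route is the tunnel.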
LVL 79

Expert Comment

ID: 17058919
You've got a good point. Putting the wireless bridges on a public IP space and using the 2nd Netscreen with a VPN tunnel between the netscreens does seem to be a bit over-complicating matters when you can simply extend your Private IP space and have everything inside just one Netscreen firewall. No VPN to worry about, everyone can be on the same happy IP subnet.

Author Comment

ID: 17059071
The company that installed the aironets for my predecessor told him that even though the traffic was encrypted between the aironets, it should flow through the netscreen vpn; that's why it is the way it is. Have you heard of that as being necessary?
LVL 79

Expert Comment

ID: 17059617
If the wireless connection between the two aironets is encrypted via WEP/WPA then adding another layer of encryption on top of it is just paranoia, but if security of the data is the #1 priority, then by all means adding another layer of encryption may certainly be called for.


Author Comment

ID: 17139236
I ended up moving the aironets behind the netscreen and have everything on the 172.16.10.x network. Very nice and tidy now. VPN is back up and running and I hope that this clears up the problems I was having with some users being able to connect.

Thanks for all of your responses. It really helped a lot.
LVL 77

Expert Comment

by:Rob Williams
ID: 17140174
Thank you Bonnie.
