Solved

Getting VPN setup to connect via dial up when VPN shuts down internet connection other than its own.

Posted on 2007-08-06
Last Modified: 2010-04-12
I have a Toshiba Satellite laptop running Windows Vista Ultimate. The company I work for has a client that has their VPN set up to shut down any access, other than its own, to the internet. The client is not willing to make any changes to their current setup. If I hook up my laptop to the company's LAN, via a direct Ethernet connection, I can successfully obtain a VPN connection, and remote desktop to the PC at the client's location. However, I'd like to be able to dial in securely to my company's network and make the connection appear to be the same as if I were using a direct Ethernet connection. Is this possible? If it is, please tell me how.

Thank you!
Roschera
Question by:roschera
7 Comments
 
LVL 19

Expert Comment

by:nodisco
ID: 19643905
hi there

This is determined by the policy on the VPN itself - i.e. how the other company has secured it and how it tunnels certain traffic. Your query isn't quite clear but what I am reading from it is that you can VPN into the client when on your company's LAN - but not if you are outside the LAN. So if you are remote to your company's office, the client is unreachable - you want to VPN in to your company and then out to the client?

The reasoning would be that the client is filtering VPN connections by your company's source IP address - so the way to connect is from your LAN. Depending on what type of VPN client you use to access the client, this is possible - but not very simple.
I recall someone doing this before using a very clever workaround.  They would vpn to their office from home.
Then rdp to a server in the office.  From this server - they would rdp to another server in the office.  From here, they opened an MS PPTP vpn connection to a client and could work.  
For a quick explanation how this worked - they had to bunny-hop to a second server as the PPTP client was setup to allow local access and tunnel everything else.  The VPN they used to get in to their company office has a different ip range to the first server they RDP'd to.  So if they tried to pptp to the client from there - they would be disconnected as the allow local access policy would not contain the ip range of the company VPN.
If you jump to a second server, the machine you have come from *does* reside on the same ip range so you can establish pptp and not get disconnected.  Sound complicated?  :-)

hth
0
 

Author Comment

by:roschera
ID: 19647475
Hi,

You are correct, I want to VPN into my company and then out to the client site. I just have a few more questions for clarification. When you stated that it depends on what type of VPN client is being used to access our client site, what type should it be (is this the MS PPTP you refer to later in your response?) Also, in the workaround, you specifically stated that I have to log on to 2 different servers - so am I right in assuming that it won't work by logging in to two workstation PCs that just happen to be logged in to the network? Also, how do I set up a PPTP client?

Sorry, as a programmer, networking is not my forte. :-)

Thanks for all your help!
Roschera
0
 
LVL 19

Expert Comment

by:nodisco
ID: 19651295
hi

<<When you stated that it depends on what type of VPN client is being used to access our client site, what type should it be (is this the MS PPTP you refer to later in your response?)
The reason I mentioned this is that it will only work if the VPN client to the client allows you to connect to your local network while on the VPN. The PPTP one will allow you to change the setting (if it's not already allowed) but a Cisco VPN client for example is configured by the remote end - so if the client has given you VPN access but doesn't allow the VPN access to its own local LAN once connected, there is nothing you can do about it.

<<Also, in the workaround, you specifically stated that I have to log on to 2 different servers - so am I right in assuming that it won't work by logging in to two workstation PCs that just happen to be logged in to the network?
PCs will work just as well. Sorry if I confused you on this - the point is that you need to RDP to a server/PC when you VPN in. Then RDP to another machine (server/PC) on the local network on the same IP range. From there you can issue a VPN connection to outside without being disconnected.

I know this is very roundabout but it does work!

hth
0

 

Author Comment

by:roschera
ID: 19880347
Hi,

Sorry so late in getting back to you - production problems.  Unfortunately, my situation is the first scenario you referred to.  However, the client has conceded to allow us to change the Cisco settings on their end, but ONLY if we give them step by step instructions - as they have recently contracted an outside company to handle their networking - and a work order has to be issued with fairly specific instructions on what they want done without the specifics of the exact IP address and other pertinent information.

Thanks!
Roschera
0
 
LVL 19

Expert Comment

by:nodisco
ID: 19881081
hi

I understand your situation but to be honest - I don't think it's advisable to go into instructions on this. The reason is that they may have several policies or different VPN settings and without the full details and knowledge of the setup - me giving you commands could result in something else I am unaware of having issues. The best thing you can do is supply the company details of what you are trying to achieve and why you are trying to achieve it. With this detail, the third party company should be able to amend the settings accordingly.

Have you tried the trick I mentioned above - it may already work depending on the setup of the Cisco client?
I'm sorry I cannot give you a proper fix for this issue but when third parties are involved on a contractual basis, you need to be very careful of giving steps as the responsibility would ultimately lie with you.

hth
0
 

Author Comment

by:roschera
ID: 19886014
Hi,

I did try the solution you gave but it still closes the port.  I understand your reluctance to give out specific instructions, but could you point me in the right direction as to what they can look at to make the changes?  I'm pretty sure it'd be in the administrative set up of Cisco, but I'm not sure where to tell them to go and look in order to change the behaviour of Cisco closing the port so you can only access the DMZ.

Thanks,
Roschera
0
 
LVL 19

Accepted Solution

by:
nodisco earned 2000 total points
ID: 19886953
Depending on what kind of device they are using to terminate the Cisco VPN - they need to enable split tunnelling - to allow local LAN access (where the LAN in this case is the local area network in your office). That way - when you connect to the office - you can then connect to a different machine and VPN out and not lose connectivity to the local LAN. You would need to give them the local LAN range and ensure they don't tunnel it.
Please note though - I have not done this with the Cisco VPN client - just with the PPTP client - and despite searching on it this morning - I cannot verify this will definitely work.

good luck!
0
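The routing behaviour discussed in this thread, as an added example that is not part of the original posts: a simplified model of where an office machine sends its RDP replies once a tunnel-everything VPN client connects, covering the PPTP two-hop case, a client with local LAN access disabled, and the split-tunnel exclusion from the accepted answer. All addresses, names and the routing model itself are constructed assumptions, not any vendor's actual behaviour or configuration.

```python
import ipaddress

def reply_path(peer_ip, host_if, allow_local_lan, not_tunnelled=()):
    """Where a host sends replies to peer_ip while its VPN client is connected.

    Assumed model: the client sends everything into the tunnel except
    (a) the host's own subnet, if "allow local LAN access" is enabled, and
    (b) networks the VPN head end lists as not tunnelled (split tunnelling).
    """
    peer = ipaddress.ip_address(peer_ip)
    local_net = ipaddress.ip_interface(host_if).network
    if allow_local_lan and peer in local_net:
        return "local-lan"
    if any(peer in ipaddress.ip_network(net) for net in not_tunnelled):
        return "not-tunnelled"
    return "tunnel"

def rdp_survives(peer_ip, host_if, allow_local_lan, not_tunnelled=()):
    # Replies routed into the client's tunnel never reach the RDP peer,
    # so the inbound session drops as soon as the VPN connects.
    return reply_path(peer_ip, host_if, allow_local_lan, not_tunnelled) != "tunnel"

# Constructed sample addressing (assumptions, not from the thread).
OFFICE_LAN = "192.168.10.0/24"     # office LAN range
REMOTE_USER = "10.8.0.5"           # address handed out by the company VPN
PC_A = "192.168.10.21/24"          # first machine reached over RDP
PC_B = "192.168.10.22/24"          # second machine, same range as PC_A

def scenarios():
    pc_a_ip = str(ipaddress.ip_interface(PC_A).ip)
    return {
        # VPN started on the first hop: the RDP peer is the company VPN address.
        "first_hop_local_lan_allowed": rdp_survives(REMOTE_USER, PC_A, True),
        # VPN started on the second hop: the RDP peer is PC_A on the same range.
        "second_hop_local_lan_allowed": rdp_survives(pc_a_ip, PC_B, True),
        # Head end pushes a policy without local LAN access.
        "second_hop_local_lan_denied": rdp_survives(pc_a_ip, PC_B, False),
        # Head end excludes the office LAN range from the tunnel.
        "second_hop_split_tunnel": rdp_survives(pc_a_ip, PC_B, False, [OFFICE_LAN]),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'session kept' if ok else 'session dropped'}")
```
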

Question has a verified solution.
