Solved

Can't access RDP or VNC over my VPN

Posted on 2008-10-01
Last Modified: 2013-11-30
I am currently accessing my work computer through a VPN at home.  Everything works fine and dandy and I have no problems connecting to VNC or RDP.  This network is on a 192.168.100 subnet.

I now have to connect to my 192.168.1 subnet and even though I can connect with my new policy and spd file, I cannot connect to RDP or VNC.  I am thinking it is because I am on the same 192.168.1 subnet at home?  Is there a way to force it to see the VPN subnet over the home subnet?  This may not be the case but it is what I am thinking.  I am a beginner with VPNs so please help me with simplified descriptions if you can.  Thanks.

I am using the Juniper SSG140 firewall at work and the Netscreen Remote Client software at home.
Question by:bradacus
19 Comments
 
LVL 8

Expert Comment

by:TDKD
ID: 22618000
Your question is a little confusing in the first statement: I am assuming you have introduced a router to your home network, but before this was introduced it all worked fine?

Are you sure the network you are connecting to by way of VPN is on a 192 network? I ask because this is a non-routable network and not usually the preferred choice.

That being said...
The first thing I would try is to change the IP address you are receiving from the router (I assume you're tunneling through a router?). You can connect to your router by the administrative web GUI and make it so the router is not using 192 but rather 134 or something different. Then try your connection again.

I hope this helps...
0
 
LVL 14

Expert Comment

by:Roachy1979
ID: 22618021
If you have a VPN with the same subnet at both sides you will not have much success working with a VPN with the same address range.

To explain in simple terms - if a machine is inside your own subnet, an ARP request is sent out from your machine to find out which switch and port that IP address resides on.  Anything that falls outside that local address range gets pushed to the default gateway.  When you connect to the VPN, because your machine thinks it is part of the same address range as the remote hosts, it just sends out that broadcast ARP request.....rather than trying to route traffic across the tunnel.  It times out when it receives no reply.

In short - you cannot have the same address range at both the local and remote sides of a VPN.....your best chance is to change the address range at home....

0
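
Added example, not part of the original thread: a simplified Python model of the on-link versus routed decision described in the comment above, with an overlap check that could be run before handing the same policy to other users. The function names, the tie-break rule and the address 192.168.100.20 are assumptions for illustration; the work subnets and 192.168.1.5 are taken from the thread.

```python
import ipaddress

def overlaps(local_nets, tunnel_nets):
    """Return (local, remote) pairs, as strings, whose address ranges overlap."""
    pairs = []
    for local in map(ipaddress.ip_network, local_nets):
        for remote in map(ipaddress.ip_network, tunnel_nets):
            if local.overlaps(remote):
                pairs.append((str(local), str(remote)))
    return pairs

def next_hop(dest, local_nets, tunnel_nets):
    """Simplified host forwarding decision for dest (longest prefix wins).

    Returns 'on-link' (ARP on the home LAN), 'tunnel' or 'default-gateway'.
    Assumption: on an equal prefix length the directly connected network
    wins, which is the failure mode described in the comment above.
    """
    addr = ipaddress.ip_address(dest)
    best = (-1, 0, "default-gateway")
    for kind, rank, nets in (("on-link", 1, local_nets),
                             ("tunnel", 0, tunnel_nets)):
        for net in map(ipaddress.ip_network, nets):
            if addr in net:
                best = max(best, (net.prefixlen, rank, kind))
    return best[2]

# Constructed sample data: the two work subnets named in the thread, /24 masks.
WORK = ["192.168.1.0/24", "192.168.100.0/24"]

def report(home):
    """Summarise conflicts and forwarding decisions for one home LAN."""
    return {
        "conflicts": overlaps([home], WORK),
        "192.168.1.5": next_hop("192.168.1.5", [home], WORK),
        "192.168.100.20": next_hop("192.168.100.20", [home], WORK),
    }

if __name__ == "__main__":
    # Identical subnet, distinct subnet, and a wider home range that
    # overlaps both work subnets without capturing their traffic.
    for home in ("192.168.1.0/24", "192.168.10.0/24", "192.168.0.0/16"):
        print(home, report(home))
```

This models a host routing table only; a policy-based IPsec client may select traffic differently, so treat any reported overlap as a reason to test rather than as proof of failure.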
 

Author Comment

by:bradacus
ID: 22618113
Is there any way to force the VPN connection through without changing the subnet on the home router?  Reason I ask is because I am going to clone this SPD and policy off to a few people.  I know they don't understand what their router even does let alone what a subnet is.

Is there a way to point the VPN through the tunnel?  
0
 
LVL 8

Expert Comment

by:TDKD
ID: 22618141
Hi bradacus,

Not really, but let's try changing from 192 first, then we can discuss further your options. This will at the very least give us a starting point :-)
0
 
LVL 8

Expert Comment

by:TDKD
ID: 22618195
bradacus,

By the way, it is not going to change your wireless security key or anything.
0
 
LVL 14

Assisted Solution

by:Roachy1979
Roachy1979 earned 25 total points
ID: 22618243
You might be able to create static routes to the remote addresses...

The downside is this though.....how would the return path get through?  What happens if a device with a duplicate address exists on the corporate LAN?

What you are asking to do is effectively an unsupported task.....this is because it's unlikely to work whatever you do....and if by chance you get it working it will be intermittent, prone to failure and likely to break things.

The only supported and feasible way of creating and maintaining a stable VPN is with a different address range at the remote and local sides... sorry!
0
 
LVL 13

Expert Comment

by:kdearing
ID: 22620310
I think the easiest fix would be to change the subnet of your home network to something that is different from the work subnet.
0
 

Author Comment

by:bradacus
ID: 22620380
Ok I am posting from home now.

My subnet here is 192.168.10
I CAN access my 192.168.100 subnet at work
I CANNOT access my 192.168.1 subnet at work

I can vnc and rdp on the 100 subnet but I can't do any of that on the 1 subnet.

The 1 subnet uses active directory and the 100 doesn't.  Do you think this has something to do with it?
0
 
LVL 13

Expert Comment

by:kdearing
ID: 22620592
I assume that all the networks have a mask of 255.255.255.0

There is probably a rule/policy in the Juniper allowing access only to the subnet it is on.
0
 
LVL 8

Expert Comment

by:TDKD
ID: 22626228
Hi bradacus,

Is there a reason you have not performed my suggestion? This is the only way this will work??

My Original reply below:

Your question is a little confusing in the first statement: I am assuming you have introduced a router to your home network, but before this was introduced it all worked fine?

Are you sure the network you are connecting to by way of VPN is on a 192 network? I ask because this is a non-routable network and not usually the preferred choice.

That being said...
The first thing I would try is to change the IP address you are receiving from the router (I assume you're tunneling through a router?). You can connect to your router by the administrative web GUI and make it so the router is not using 192 but rather 134 or something different. Then try your connection again.

I hope this helps...
0
 

Author Comment

by:bradacus
ID: 22626717
Sorry TDKD, to answer your question:
I have tried to change the IP coming from the router and still no go.  I am able to ping the domain controller (192.168.1.5) and then that's it.

The mask is 255.255.255.0.

I had Juniper on the phone for two hours last night and they couldn't figure it out.

Do you guys think it is most likely an issue with the domain controller since I can ping that but nothing else?
0
 
LVL 8

Expert Comment

by:TDKD
ID: 22626806
Hi bradacus,

You change the DHCP to dole out something other than 192 addresses and you still can't connect RDP?? I suggest you advise the company to enable split tunneling, this will make it so the only traffic you can communicate with will be the VPN traffic (domain you connect to).
0
 
LVL 8

Expert Comment

by:TDKD
ID: 22626834
Oops, I meant disable split tunneling...lol
0
 

Author Comment

by:bradacus
ID: 22626902
Do you think now that the problem lies with the domain controller?  I think the subnet troubleshooting is completed.

The .100 subnet has NO domain controller and I can access all computers.

The .1 subnet has a domain controller and I can't access any computers.

I am basically using the same policy except of course for a subnet change.
0
 
LVL 8

Expert Comment

by:TDKD
ID: 22626950
bradacus,

Try this: on your router at home configure it so the IP you obtained from it is part of the DMZ zone. Then try to RDP after connecting with VPN.
0
 

Author Comment

by:bradacus
ID: 22670720
Sorry for the late reply...

I tried your DMZ trick TDKD but the problem persists.  It is even occurring on entirely different networks at others' homes.

It is something on our side here at work.  I'm going to keep working diligently until a solution is found.
0
 
LVL 8

Accepted Solution

by:TDKD
TDKD earned 100 total points
ID: 22690504
Hi bradacus,

Sorry I have not replied to you, I had to take care of a situation. Have you tried removing the router from the mix altogether? Just to verify it works without it?
0
 

Author Comment

by:bradacus
ID: 22726885
The answer was I needed to enable Source Translation in my VPN.
0
