• Status: Solved

Can't access RDP or VNC over my VPN

I am currently accessing my work computer through a VPN at home.  Everything works fine and dandy and I have no problems connecting to VNC or RDP.  This network is on a 192.168.100 subnet.

I now have to connect to my 192.168.1 subnet and even though I can connect with my new policy and spd file, I cannot connect to RDP or VNC.  I am thinking it is because I am on the same 192.168.1 subnet at home?  Is there a way to force it to see the VPN subnet over the home subnet?  This may not be the case but it is what I am thinking.  I am a beginner with VPNs so please help me with simplified descriptions if you can.  Thanks.

I am using the Juniper SSG140 firewall at work and the Netscreen Remote Client software at home.
Asked:
bradacus
 
TDKD Commented:
Your question is a little confusing in the first statement: I am assuming you have introduced a router to your home network, but before this was introduced it all worked fine?

Are you sure the network you are connecting to by way of VPN is on a 192 network? I ask because this is a non-routable network and not usually the preferred choice.

That being said...
The first thing I would try is to change the IP address you are receiving from the router (I assume you're tunneling through a router?) You can connect to your router by the administrative web GUI and make it so the router is not using 192 but rather 134 or something different. Then try your connection again.

I hope this helps...
 
Roachy1979 Commented:
If you have a VPN with the same subnet at both sides you will not have much success working with a VPN with the same address range.

To explain in simple terms - if a machine is inside your own subnet, an ARP request is sent out from your machine to find out which switch and port that IP address resides on.  Anything that falls outside that local address range gets pushed to the default gateway.  When you connect to the VPN, because your machine thinks it is part of the same address range as the remote hosts, it just sends out that broadcast ARP request.....rather than trying to route traffic across the tunnel.  It times out when it receives no reply.

In short - you cannot have the same address range at both the local and remote sides of a VPN.....your best chance is to change the address range at home....
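
Added example, not part of the original thread or any poster's code: a simplified model of the forwarding decision described in the comment above, plus an overlap check that could be run on a user's machine before handing out a cloned policy. The function names and the tie-break rule (a directly connected subnet wins over a tunnel route of the same prefix length) are assumptions of this sketch, not the NetScreen Remote client's actual logic.

```python
import ipaddress


def _net(spec):
    # strict=False accepts a host address with its mask, e.g. the
    # "192.168.1.37/255.255.255.0" pair read straight from ipconfig.
    return ipaddress.ip_network(spec, strict=False)


def overlapping(local_nets, vpn_nets):
    """Return (local, remote) pairs whose address ranges overlap."""
    return [(str(l), str(r))
            for l in map(_net, local_nets)
            for r in map(_net, vpn_nets)
            if l.overlaps(r)]


def next_hop(dest, connected, vpn_nets):
    """Simplified forwarding decision for one destination address.

    connected: subnets the host sits on directly (resolved by ARP).
    vpn_nets:  remote subnets named in the VPN policy.
    Longest prefix wins; on a tie the connected subnet wins (assumed),
    which is the failure mode the comment above describes.
    """
    dest = ipaddress.ip_address(dest)
    candidates = [(n.prefixlen, 1, "on-link (ARP on home LAN)")
                  for n in map(_net, connected) if dest in n]
    candidates += [(n.prefixlen, 0, "VPN tunnel")
                   for n in map(_net, vpn_nets) if dest in n]
    if not candidates:
        return "default gateway"
    return max(candidates)[2]


if __name__ == "__main__":
    work = ["192.168.100.0/24", "192.168.1.0/24"]  # work subnets from the thread
    for home in ("192.168.1.0/24", "192.168.10.0/24"):
        print(home, overlapping([home], work),
              next_hop("192.168.1.5", [home], work))
```
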

 
bradacus (Author) Commented:
Is there any way to force the VPN connection through without changing the subnet on the home router?  Reason I ask is because I am going to clone this SPD and policy off to a few people.  I know they don't understand what their router even does let alone what a subnet is.

Is there a way to point the VPN through the tunnel?  
 
TDKD Commented:
Hi bradacus,

Not really, but let's try changing from 192 first, then we can discuss further your options. This will at the very least give us a starting point :-)
 
TDKD Commented:
bradacus,

By the way it is not going to change your wireless security key or anything.
 
Roachy1979 Commented:
You might be able to create static routes to the remote addresses...

The downside is this though.....how would the return path get through?  What happens if a device with a duplicate address exists on the corporate LAN?

What you are asking to do is effectively an unsupported task.....this is because it's unlikely to work whatever you do....and if by chance you get it working it will be intermittent, prone to failure and likely to break things.

The only supported and feasible way of creating and maintaining a stable VPN is with a different address range at the remote and local sides... sorry!
 
kdearing Commented:
I think the easiest fix would be to change the subnet of your home network to something that is different from the work subnet.
 
bradacus (Author) Commented:
Ok I am posting from home now.

My subnet here is 192.168.10
I CAN access my 192.168.100 subnet at work
I CANNOT access my 192.168.1 subnet at work

I can VNC and RDP on the 100 subnet but I can't do any of that on the 1 subnet.

The 1 subnet uses Active Directory and the 100 doesn't.  Do you think this has something to do with it?
 
kdearing Commented:
I assume that all the networks have a mask of 255.255.255.0

There is probably a rule/policy in the Juniper allowing access only to the subnet it is on.
 
TDKD Commented:
Hi bradacus,

Is there a reason you have not performed my suggestion? This is the only way this will work??

My original reply below:

Your question is a little confusing in the first statement: I am assuming you have introduced a router to your home network, but before this was introduced it all worked fine?

Are you sure the network you are connecting to by way of VPN is on a 192 network? I ask because this is a non-routable network and not usually the preferred choice.

That being said...
The first thing I would try is to change the IP address you are receiving from the router (I assume you're tunneling through a router?) You can connect to your router by the administrative web GUI and make it so the router is not using 192 but rather 134 or something different. Then try your connection again.

I hope this helps...
 
bradacus (Author) Commented:
Sorry TDKD, to answer your question:
I have tried to change the IP coming from the router and still no go.  I am able to ping the domain controller (192.168.1.5) and then that's it.

The mask is 255.255.255.0.

I had Juniper on the phone for two hours last night and they couldn't figure it out.

Do you guys think it is most likely an issue with the domain controller since I can ping that but nothing else?
 
TDKD Commented:
Hi bradacus,

You change the DHCP to dole out something other than 192 addresses and you still can't connect RDP?? I suggest you advise the company to enable split tunneling, this will make it so the only traffic you can communicate with will be the VPN traffic (domain you connect to).
 
TDKD Commented:
Oops, I meant disable split tunneling...lol
 
bradacus (Author) Commented:
Do you think now that the problem lies with the domain controller?  I think the subnet troubleshooting is completed.

The .100 subnet has NO domain controller and I can access all computers.

The .1 subnet has a domain controller and I can't access any computers.

I am basically using the same policy except of course for a subnet change.
 
TDKD Commented:
bradacus,

Try this: on your router at home configure it so the IP you obtained from it is part of the DMZ zone. Then try to RDP after connecting with VPN.
 
bradacus (Author) Commented:
Sorry for the late reply...

I tried your DMZ trick TDKD but the problem persists.  It is even occurring on entirely different networks at others' homes.

It is something on our side here at work.  I'm going to keep working diligently until a solution is found.
 
TDKD Commented:
Hi bradacus,

Sorry I have not replied to you, I had to take care of a situation. Have you tried removing the router from the mix altogether? Just to verify it works without it?
 
bradacus (Author) Commented:
The answer was I needed to enable Source Translation in my VPN.
Question has a verified solution.
