Work VPN and Home LAN on the same subnet

I have just been informed by my employer's IT department that my home private subnet is the same as the one they use on the VPN at the other end of the tunnel. What? Doesn't this seem incredibly short-sighted, or am I the one who should have "known better"? My setup is the way it is because of the defaults from the consumer routers most people have. I always thought it was blocked for security reasons and I never had a "business need" for this until now.

Here was my question: "I need to have access to a network printer on my internal LAN. When I am connected to the VPN <on the company machine> I cannot see the rest of my LAN and other devices on the LAN do not see the <company> machine. There is a preference in the Cisco AnyConnect client to "Enable local LAN access (if configured)" and since it is enabled and what I just described is true I am assuming it is not configured.

This is a specialty thermal printer used to print <print format> from <third party vendor> and I have 2 customers that have these printers. I got the manufacturer to send me a loaner to use while developing these output formats."

This was their response: "You have a routing issue caused by the IP addressing on your local network. You are using the IP addressing 192.168.0.X, which is the same IP addressing we use inside the firewall. When you connect to the <company> VPN, all your local network traffic is being routed across the <company> VPN tunnel and any local network devices are unreachable. To fix this issue, you will need to change your local IP addressing to a different network segment. Example: 192.168.1.x or 192.168.2.x. You make this change on your local router. Please let me know if you have any questions."

What? All of my personal traffic was routed through their network? Financial information and other "stuff"?
Changing this will not be as straightforward as they think. I have a small AD domain at home (I like to play... what can I say?) and a small group of both physical and VM servers on static IP addresses. I handle the DHCP "myself" on the server so I guess I just need to change the scope IP range and all of the reservations I just did.

I have a router capable of doing a private and "guest" network but I do not think segregating them will accomplish my goal. Static routes? Probably not.


Edit: I also have a static IP address from my ISP if that helps.

Rob Williams Commented:
Unfortunately you have no choice, subnets must be different for routing to take place.  In some cases when all traffic is forced to the VPN server/router you can access corporate resources, but if you disable that you most certainly will not be able to access corporate resources.  This is a common issue.

I will agree the company should have chosen something less common as using defaults like 192.168.0.x, 192.168.1.x, 10.0.0.x  often results in conflicts with home networks and hotels.  However if you are running an AD domain or anything more than your typical 2 PC home network I would suggest you should have done the same and changed yours.  Doing so now will resolve your current problem and possibly other problems you might have in the future, at least for you.
John, Business Consultant (Owner), Commented:
I have been in that situation and I just found it easier for me to change my home office subnet than to convince clients to change theirs.

There is no difference in having a subnet of (say) 192.168.75.x rather than 192.168.0.x. They function the same way.

I just changed mine, moved on, and have no more conflicts.
Agree with the two previous posts.

mike1142 (Author) Commented:

I agree with what you are saying about how I should have changed mine as well. This is what happens when an amateur tries to play with the big-boy toys. The point was for me to learn. I guess I missed that lesson in networking 101 and network security 301 (seriously, just took those classes this year).

Thanks I will leave this open a little while longer. I am hoping for some information that will make me feel more comfortable that they can no longer see any of my private traffic or internal resources. I think I get it but...
John, Business Consultant (Owner), Commented:
The subnet does not change security or how they can (or more likely cannot) view your private resources.

I have static tunnels to key clients for my convenience and no one can get to my machine. The subnet number is the least important variable.
Rob Williams Commented:
If all traffic is forced through the VPN the only thing to which that really refers or they could conceivably monitor, if they have systems in place to do so, is web browsing, while connected to the VPN.  They can't capture passwords from SSL sites like banks and such but they could with a proxy server monitor sites visited.
mike1142 (Author) Commented:
All of the traffic does not have to be forced through the VPN. I think that the VPN client on the work machine allows me access to the VPN resources and if I set the option to allow it the other side of the tunnel can see my resources. All of the AD connected devices will need credentials but anything else is fair game.

Here is what I was thinking, put the work machine on a static IP on a separate subnet. Force that traffic to my DC and then static routes to the firewall and any other devices I want to access from that machine.

I am not distrustful but well I am. Corporate America has not exactly been shy about letting employees know that accessing company resources is subject to monitoring. Why should I not return the favor? Quid pro quo.

My work is not quite the same as usual private consulting.
John, Business Consultant (Owner), Commented:
I use split tunneling so that Internet and VPN traffic are separate anyway. I use my laptop primarily for VPN work although my desktop computer has the same connection (one hardware VPN router and one subnet).

It has been hooked up this way for years, is very secure, and has never been transgressed by anyone.
Rob Williams Commented:
If you put the work machine on a different subnet how is it going to see the local resources such as server?

Split tunneling as John suggested allows you to access corporate resources as needed and the balance of traffic, LAN and Internet, is routed through your local network. However with Cisco VPNs the VPN administrator usually has to allow/enable split tunneling.

The #1 concern with VPNs is you have a very secure tunnel, but wide open to all traffic between a corporate network and a PC over which it has no control. Personally I prefer remote desktop which only exchanges screen refreshes.
mike1142 (Author) Commented:
That was what the static routes were for, too (DC is the gateway): on the DC, static routes to the firewall and routes to 192.168.0.x and other resources I want to make available?

I know, mountain out of a molehill, but me being stupid still smarts right now.
Rob Williams Commented:
The static route on its own will do nothing. If your router supports multiple subnets and you put that PC on a port defined with a different subnet and assign the new gateway to the PC you could conceivably do so, however once you define the routes, traffic can travel on it the same as the LAN. You cannot randomly assign a different subnet to a PC. Perhaps I do not fully understand.

Is the concern your traffic passing through the VPN or the corporate network accessing your PC?
For the former enable split tunneling, for the latter enable the Windows firewall, but this is all a moot point if the subnets are the same at home and work.
mike1142 (Author) Commented:
The concern is that they said all of my IP traffic was passing through the VPN through to their servers. I assume that they let that traffic continue on its way. However for this reason I was blocked from seeing my local resources, not because of security reasons as I originally expected.

I would like to see local resources on my LAN while connected to the VPN. Not for convenience but out of necessity. However I do not want the act of accessing these local resources to open up my LAN through their VPN.
Rob Williams Commented:
>>"I do not want the act of accessing these local resources to open up my LAN through their VPN."
They won't.

In order to access your local printer, as you have stated, you will need to "Enable local LAN access (if configured)" in the AnyConnect client.  When you do so the VPN connection will stop working because of a routing conflict between the local and remote sites.  This is due to the local systems not knowing where to send the 192.168.0.x packets, should they be kept local or should they be forwarded, where they are the same?  Routing is based on subnets.  There are only 2 choices keep local, when it matches the local subnet, or for anything else forward it to the DEFAULT gateway.  Thus the VPN traffic will be kept local and lost.
Currently all traffic is routed to the corporate network because the default route for 192.168.0.x traffic is the VPN, thus you may be able to access the server.

There are only 2 ways to fix this: change your local subnet or change the corporate LAN. Though I appreciate the former is not a simple task in your case, I suspect the latter is not an option. Once you do so and "Enable local LAN access", only 192.168.0.x traffic will be routed to the corporate network and all other traffic will be kept local or, in the case of Internet traffic, sent to your local gateway/router and on to the Internet. All very secure and separated.

As an alternative, with many ISPs you can place a switch between your home router and the modem and add a second router, subnet, and networked PCs. You could use this for your development network and only change its subnet.
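The routing explanation in this answer, and John's earlier point that 192.168.75.x works exactly like 192.168.0.x, can be seen in a small longest-prefix-match simulation. This is an added example written for this thread, not code from any of the posters or from Cisco; the way it builds the laptop's routing table for "full tunnel", "split tunnel" and "Enable local LAN access" is a simplified assumption about AnyConnect's behaviour, not the client's real logic, and every host address (the loaner printer, a corporate server, an Internet address from the 203.0.113.0/24 documentation range) is a constructed sample value.

```python
"""Toy host routing table: why an overlapping home LAN breaks VPN routing,
and why renumbering fixes it. Added illustration; the AnyConnect modelling
below is a simplified assumption, and all addresses are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (destination prefix, egress: "lan" or "vpn")


def overlaps(home_lan: str, vpn_internal: str) -> bool:
    """Pre-check worth running before you connect: does the home LAN
    collide with the corporate range on the far side of the tunnel?"""
    return ipaddress.ip_network(home_lan).overlaps(ipaddress.ip_network(vpn_internal))


def host_routes(home_lan: str, vpn_internal: str,
                split_tunnel: bool, local_lan_access: bool) -> List[Route]:
    """Routing table the work laptop ends up with under each client setting
    (simplified assumption about AnyConnect, not its actual implementation)."""
    routes: List[Route] = []
    if local_lan_access:
        # "Enable local LAN access": keep a route for the home subnet via the NIC.
        routes.append((ipaddress.ip_network(home_lan), "lan"))
    if split_tunnel:
        # Only the corporate range enters the tunnel; everything else uses the home router.
        routes.append((ipaddress.ip_network(vpn_internal), "vpn"))
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "lan"))
    else:
        # Full tunnel: the default route points into the VPN.
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "vpn"))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, as a host IP stack does it. Two identical
    prefixes tie and the first one installed wins: that tie is the
    'routing conflict' described above, and one side becomes unreachable."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, via in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def where_does_it_go(home_lan: str, vpn_internal: str, split_tunnel: bool,
                     local_lan_access: bool, hosts: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each named destination to the egress the laptop would pick."""
    routes = host_routes(home_lan, vpn_internal, split_tunnel, local_lan_access)
    return {name: lookup(routes, ip) for name, ip in hosts.items()}


def scenarios() -> Dict[str, Dict[str, Optional[str]]]:
    """The situations discussed in the thread, with constructed hosts."""
    corp = "192.168.0.0/24"  # corporate range named in the IT reply
    overlap_hosts = {"printer": "192.168.0.50", "corp_server": "192.168.0.10", "internet": "203.0.113.5"}
    renumbered_hosts = {"printer": "192.168.75.50", "corp_server": "192.168.0.10", "internet": "203.0.113.5"}
    return {
        # As the asker started: same subnet, full tunnel, no local LAN access -> everything into the VPN.
        "overlap_full_tunnel": where_does_it_go("192.168.0.0/24", corp, False, False, overlap_hosts),
        # Same subnet with local LAN access: the corporate server is now routed to the LAN and lost.
        "overlap_local_lan": where_does_it_go("192.168.0.0/24", corp, False, True, overlap_hosts),
        # Same subnet, split tunnel + local LAN access: an exact prefix tie, LAN entry wins, VPN lost.
        "overlap_split": where_does_it_go("192.168.0.0/24", corp, True, True, overlap_hosts),
        # Renumbered to 192.168.75.x, full tunnel + local LAN access: printer local, corp via VPN.
        "renumbered_full_tunnel": where_does_it_go("192.168.75.0/24", corp, False, True, renumbered_hosts),
        # Renumbered plus split tunneling: only corporate traffic crosses the VPN; web stays home.
        "renumbered_split": where_does_it_go("192.168.75.0/24", corp, True, True, renumbered_hosts),
    }


if __name__ == "__main__":
    print("home LAN overlaps corporate range:", overlaps("192.168.0.0/24", "192.168.0.0/24"))
    for name, result in scenarios().items():
        print(f"{name:24s} {result}")
```

The two "renumbered" rows are the point of the thread: once the home prefix differs, the printer matches the local route and 192.168.0.x matches the tunnel route with nothing left ambiguous, and whether ordinary Internet traffic also crosses the VPN depends only on whether the administrator permits split tunneling.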

mike1142 (Author) Commented:
Got it thank you
While you will change your local subnet, it may be a good idea to set up everything on it with DHCP.
If you need "static IP addresses", you can add DHCP reservations.
This way, you have a central point for managing all your IP addresses... Just in case you have to change your subnet again or for any other reasons...