
VPN and local LAN mixed up

Rutger Blom
Level 1

Hello,

What problems can I expect in the following situation?

The client's local LAN is using the same IP addressing scheme as the remote LAN to be connected to via VPN. For example, both lie within 192.168.1.0/24 but on different physical networks.

I have major problems with this. The client doesn't "get" that it should use the VPN tunnel as the default gateway. If the same client tries to connect from home there are no problems.

How do I get around this problem?

Kind regards,

Rutger

8 Replies

sachinraja
Level 9

Have split tunneling disabled on your remote PIX/VPN box. This will have all the traffic originating from your PC routed onto the IPsec tunnel. Your local LAN access will be logically cut off and separated from the IPsec.

But this is a potential risk of having such networks. When a user gets an IP address from the pool which already exists in the network, it might even knock the LAN user off the network, as the PIX will have the ARP entry of the IPsec pool user. Make sure you change the IP pool at the remote end.

It's just one command that you are going to change at the remote end. Don't have overlapping networks; it is not the right way to do it.

Hope this helps.

All the best. Rate all replies if useful.
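As an added illustration of the routing problem described in the question and in this reply (this is example code, not from the thread or from any Cisco product): a small Python model of the VPN client's host routing table, which on every common stack picks the longest matching prefix. It assumes the client's physical NIC is `eth0`, the VPN adapter is `tun0`, that "Tunnel Everything" replaces the client's default route with one via the tunnel, and it uses a constructed non-overlapping home subnet 192.168.0.0/24 for the "from home" case. The overlap lint at the end covers the second point in this reply, a VPN pool carved out of the inside LAN.

```python
"""Model of a VPN client's routing decision with an overlapping LAN (added example)."""
import ipaddress
from itertools import combinations
from typing import Dict, List, NamedTuple, Tuple

IPv4Net = ipaddress.IPv4Network


class Route(NamedTuple):
    prefix: IPv4Net
    interface: str


def net(s: str) -> IPv4Net:
    return ipaddress.ip_network(s, strict=False)


def client_table(local_lan: str, split_tunnel: bool, remote_lan: str) -> List[Route]:
    """Routing table of a client on local_lan once the tunnel is up.

    The connected route for the physical NIC (assumed name eth0) is always there.
    Split tunnelling adds only the remote LAN via the tunnel adapter (assumed
    name tun0); 'Tunnel Everything' is modelled as replacing the default route
    with one via tun0 (the real client's exact mechanism varies by platform).
    """
    table = [Route(net(local_lan), "eth0"), Route(net("0.0.0.0/0"), "eth0")]
    if split_tunnel:
        table.append(Route(net(remote_lan), "tun0"))
    else:
        table = [r for r in table if r.prefix.prefixlen != 0]
        table.append(Route(net("0.0.0.0/0"), "tun0"))
    return table


def egress(table: List[Route], dst: str) -> str:
    """Longest-prefix-match decision for a packet to dst.

    Returns the interface, or 'ambiguous:<ifaces>' when two routes tie on
    prefix length: that case is settled by stack-specific tie-breaking
    (metrics, route order), not by anything in the VPN configuration.
    """
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return "unreachable"
    longest = max(r.prefix.prefixlen for r in candidates)
    best = [r for r in candidates if r.prefix.prefixlen == longest]
    if len(best) > 1:
        return "ambiguous:" + "/".join(sorted(r.interface for r in best))
    return best[0].interface


def overlapping_pairs(nets: Dict[str, str]) -> List[Tuple[str, str]]:
    """Address-plan lint: every pair of named networks that overlap."""
    return sorted(
        (a, b)
        for (a, sa), (b, sb) in combinations(sorted(nets.items()), 2)
        if net(sa).overlaps(net(sb))
    )


if __name__ == "__main__":
    REMOTE_LAN = "192.168.1.0/24"
    SERVER = "192.168.1.50"  # constructed: an internal server behind the concentrator
    for where, lan in (("office LAN", "192.168.1.0/24"), ("home LAN", "192.168.0.0/24")):
        for split in (True, False):
            via = egress(client_table(lan, split, REMOTE_LAN), SERVER)
            print(f"{where:10} split_tunnel={split!s:5} -> {SERVER} via {via}")
    # Pool carved out of the inside LAN, as warned about above (constructed values).
    print(overlapping_pairs({"client LAN": "192.168.1.0/24",
                             "inside LAN": "192.168.1.0/24",
                             "VPN pool": "192.168.1.200/29"}))
```

The "Tunnel Everything" case is the telling one: the connected /24 on the physical NIC is always more specific than the tunnel's default route, so a packet for a server in the remote 192.168.1.0/24 goes out onto the local LAN and never enters the tunnel, while the same client at home, on a non-overlapping subnet, reaches the server through the tunnel. Renumbering either side is the only fix that removes the ambiguity.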

Hello and thanks for your reply.

Actually, the thing is that I would like to connect to the public interface of our local VPN concentrator and via that way get back into our own network. I guess I should connect to the private interface instead?

Rutger

Hello Rutger,

I actually did not get your previous statement. You want to connect to the VPN concentrator's outside from inside the LAN (connecting to the inside of the VPN concentrator)?

If that is the case, you cannot do it. You have to do it from outside only.

Can you please explain it to us?

I'm sorry for being unclear. There are some external consultants that need to get in via VPN and for some reason this is not working.

They get connected, get authenticated and get an IP address from the local IP pool on the VPN concentrator. Despite all this they are not able to ping or connect to any internal servers we have on our side.

I'm busy here troubleshooting this problem and I'm slowly getting a headache. Does anybody have a clue what the problem could be? When we connect internally to the private interface of the same concentrator, we get an IP from the same local pool and are able to connect to everything.

Rutger

What is the IP pool that you have defined? Is it on the same LAN network as the inside of the VPN concentrator? If so, are the servers reachable from the VPN concentrator? It seems to be a problem with internal routing. Can you please clarify this for us?

Yes the pool is on the same LAN as the private interface. The private interface can reach all servers.

We did some more testing yesterday. When I sit at home and connect via my DSL link things work fine. I'm using the same profile (PCF) as the consultants at the company. This must mean it is something in the company's firewall configuration. What kind of misconfiguration could cause this specific problem?

They get an IP address, we can see them on the concentrator under sessions, but it is like they are completely isolated.

Rutger

What are the split-tunneling parameters configured? I hope you have it enabled, right? Please let us know.

We have disabled split-tunneling on the concentrator and selected "Tunnel Everything".

Once again. It works fine for me from home behind my Linksys.

Rutger