11-09-2004 04:17 AM - edited 02-21-2020 01:26 PM
Hello,
What problems can I expect in the following situation?
The client's local LAN is using the same IP addressing scheme as the remote LAN to be connected to via VPN. For example, both lie within 192.168.1.0/24 but on different physical networks.
I have major problems with this. The client doesn't "get" that it should use the VPN tunnel as the default gateway. If the same client is trying to connect from home there are no problems.
How do I get around this problem?
Kind regards,
Rutger
11-09-2004 04:40 AM
Have split tunneling disabled on your remote PIX/VPN box. This will have all the traffic originating from your PC routed onto the IPSEC tunnel. Your local LAN access will be logically cut off and separated from the IPSEC.
But this is a potential risk of having such networks. When a user gets an IP address from the pool which already exists in the network, it might even knock the LAN user off the network, as the PIX will have the ARP entry of the IPSEC pool user. Make sure you change the IP pool at the remote end.
It's just one command which you are going to change at the remote end. Don't have overlapping networks; it is not the right way to do it.
Hope this helps.
All the best. Rate all replies if useful.
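To make the overlap problem from the reply above concrete, here is an added example (not from the thread or from Cisco) that checks a set of prefixes for overlap and then runs a plain longest-prefix-match route lookup over a hypothetical client routing table. It models ordinary OS route selection only, not the Cisco VPN client's own driver behaviour; the interface names "lan" and "vpn", the metrics and the 10.77.0.0/24 replacement pool are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample, not taken from the thread: the two colliding
# subnets the poster describes plus a hypothetical replacement pool.
CLIENT_LAN = ipaddress.ip_network("192.168.1.0/24")
REMOTE_LAN = ipaddress.ip_network("192.168.1.0/24")
ALT_REMOTE = ipaddress.ip_network("10.77.0.0/24")  # hypothetical


def overlapping_pairs(prefixes):
    """Return every pair of prefixes that share at least one address."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [
        (str(a), str(b))
        for i, a in enumerate(nets)
        for b in nets[i + 1:]
        if a.overlaps(b)
    ]


def route_lookup(routes, dst):
    """Longest-prefix match with a metric tie-break.

    routes: list of (prefix, metric, egress); among routes of equal
    prefix length the lower metric wins. Returns the egress label.
    """
    addr = ipaddress.ip_address(dst)
    matching = [
        (ipaddress.ip_network(p), m, e) for p, m, e in routes
        if addr in ipaddress.ip_network(p)
    ]
    if not matching:
        raise ValueError(f"no route to {dst}")
    _, _, egress = max(matching, key=lambda t: (t[0].prefixlen, -t[1]))
    return egress


def client_routes(split_tunnel, remote_lan):
    """Hypothetical routing table of a client on CLIENT_LAN with a tunnel up.

    "lan" is the physical NIC, "vpn" the tunnel adapter (labels are ours).
    With split tunneling only the remote prefix is sent via the tunnel;
    with tunnel-everything a lower-metric default route points at it.
    """
    routes = [
        (str(CLIENT_LAN), 10, "lan"),  # connected route, always present
        ("0.0.0.0/0", 10, "lan"),       # local default gateway
    ]
    if split_tunnel:
        routes.append((str(remote_lan), 20, "vpn"))
    else:
        routes.append(("0.0.0.0/0", 1, "vpn"))
    return routes


def egress_for_server(split_tunnel, remote_lan, server_ip):
    """Which interface a packet for a remote-LAN server leaves by."""
    return route_lookup(client_routes(split_tunnel, remote_lan), server_ip)


if __name__ == "__main__":
    print(overlapping_pairs([str(CLIENT_LAN), str(REMOTE_LAN), str(ALT_REMOTE)]))
    # Overlapping /24s: the connected route is as specific as, or more
    # specific than, anything the tunnel adds, so the packet stays local.
    print(egress_for_server(True, REMOTE_LAN, "192.168.1.50"))
    print(egress_for_server(False, REMOTE_LAN, "192.168.1.50"))
    # Non-overlapping pool: the tunnel route wins as expected.
    print(egress_for_server(False, ALT_REMOTE, "10.77.0.50"))
```

The point of the lookup is the (prefixlen, metric) ordering: a connected 192.168.1.0/24 route is never beaten by a 0.0.0.0/0 route via the tunnel, and it ties with a split-tunnel 192.168.1.0/24 route, so traffic for a remote server on an overlapping subnet is delivered on the local segment regardless of the tunnel mode. Renumbering one side, as the reply recommends, is what makes the tunnel route the most specific match.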
11-09-2004 04:57 AM
Hello and thanks for your reply.
Actually the thing is that I would like to connect to the public interface of our local VPN concentrator and via that way get back into our own network. I guess I should connect to the private interface instead?
Rutger
11-09-2004 05:16 AM
Hello Rutger,
I actually did not get your previous statement. You want to connect to the VPN concentrator's outside interface from the inside LAN (connecting to the inside VPN concentrator)?
If that is the case, you cannot do it. You have to do it from outside only.
Can you please explain it to us?
11-09-2004 06:59 AM
I'm sorry for being unclear. There are some external consultants that need to get in via VPN and for some reason this is not working.
They get connected, get authenticated and get an IP-address from the local IP-pool on the VPN concentrator. Despite all this they are not able to ping or connect to any internal servers we have on our side.
I'm busy here troubleshooting this problem and I'm slowly getting a headache. Does anybody have a clue what the problem could be? When we connect internally to the private interface of the same concentrator, we get an IP from the same local pool and are able to connect to everything.
Rutger
11-10-2004 12:03 AM
What is the IP pool that you have defined? Is it on the same LAN network as the inside of the VPN concentrator? If so, are the servers reachable from the VPN concentrator? It seems to be a problem with internal routing. Can you please clarify this for us?
11-10-2004 01:32 AM
Yes the pool is on the same LAN as the private interface. The private interface can reach all servers.
We did some more testing yesterday. When I sit at home and connect via my DSL link, things work fine. I'm using the same profile (PCF) as the consultants at the company. This must mean it is something in the company's firewall configuration. What kind of misconfiguration could cause this specific problem?
They get an IP-address, we can see them on the concentrator under sessions, but it is like they are completely isolated.
Rutger
11-10-2004 01:46 AM
What split tunneling parameters are configured? I hope you have it enabled, right? Please let us know.
11-10-2004 01:53 AM
We have disabled split tunneling on the concentrator and selected "Tunnel Everything".
Once again. It works fine for me from home behind my Linksys.
Rutger