From: RoverDrover on 8 Apr 2008 01:32

We have a 3005 concentrator with 3002s at three branches of a clinic. Their local subnets are 192.168.0.0, 192.168.1.0 and 192.168.3.0. I live on a family farm and connect to a satellite router that is maintained by my daughter-in-law's employer, so I can't change the 192.168.0.0 subnet I'm on.

So, I can get into the concentrator with VPN Client or a 3002 from home using a 192.168.10.0 address, but I can only ping hosts on the x.x.1.0 and x.x.3.0 subnets.

I tried putting a LinkSys router in between the 3002 and the local subnet with another set of IP addresses on those two ports, hoping the tunnel would get me past the local subnet and into the 192.168.0.0 subnet at the main clinic. But no, those requests keep being treated as local and I don't hit the clinic subnet -- except strangely, 192.168.0.30 is their 3002 and I can hit it. But nothing else. I made sure there are no entries in the routing table for 192.168.0.0 -- but maybe there should be.

Or are my ping packets hitting the 192.168.0.0 hosts at the main clinic and not getting back?

Is there a way around this? Seems like something that would happen to others, since 192.168.0.0 or .1.0 are so common both as corporate subnets and on the cable/DSL routers etc.

Thanks in advance,

Bob Wilson
From: Merv on 8 Apr 2008 07:19

On Apr 8, 1:32 am, RoverDrover <b...(a)bobwilson.us> wrote:
> We have a 3005 concentrator with 3002s at three branches of a clinic.
> Their local subnets are 192.168.0.0, 192.168.1.0 and 192.168.3.0. I
> live on a family farm and connect to a satellite router that is
> maintained by my daughter-in-law's employer, so I can't change the
> 192.168.0.0 subnet I'm on.
>
> So, I can get into the concentrator with VPN Client or a 3002 from
> home using a 192.168.10.0 address, but I can only ping hosts on the
> x.x.1.0 and x.x.3.0 subnets.
>
> I tried putting a LinkSys router in between the 3002 and the local
> subnet with another set of IP addresses on those two ports, hoping the
> tunnel would get me past the local subnet and into the 192.168.0.0
> subnet at the main clinic. But no, those requests keep being treated
> as local and I don't hit the clinic subnet -- except strangely,
> 192.168.0.30 is their 3002 and I can hit it. But nothing else. I
> made sure there are no entries in the routing table for 192.168.0.0 --
> but maybe there should be.
>
> Or are my ping packets hitting the 192.168.0.0 hosts at the main
> clinic and not getting back?
>
> Is there a way around this? Seems like something that would happen to
> others, since 192.168.0.0 or .1.0 are so common both as corporate
> subnets and on the cable/DSL routers etc.

Why not just change the LAN using subnet 192.168.0.0 to something else ???
From: News Reader on 8 Apr 2008 13:25

RoverDrover wrote:
> We have a 3005 concentrator with 3002s at three branches of a clinic.
> Their local subnets are 192.168.0.0, 192.168.1.0 and 192.168.3.0. I
> live on a family farm and connect to a satellite router that is
> maintained by my daughter-in-law's employer, so I can't change the
> 192.168.0.0 subnet I'm on.
>
> So, I can get into the concentrator with VPN Client or a 3002 from
> home using a 192.168.10.0 address, but I can only ping hosts on the
> x.x.1.0 and x.x.3.0 subnets.
>

On our non-3005, non-3002 hardware, we configure VPN policies on the VPN server that are pushed to the VPN client. If we refrain from enabling Split Tunneling, "all traffic" from the VPN client passes through the tunnel. While the tunnel is up, the reachable 192.168.0.0 network would be the one at the clinic, rather than the one to which the VPN client is physically connected.

I think your issue is Split Tunneling (perhaps known by a different name on your platform).

Perhaps you could set up a separate profile on the Concentrator for your VPN client connections that did not permit Split Tunneling. A separate profile for yourself would not affect other users that may derive a benefit from Split Tunneling.

> I tried putting a LinkSys router in between the 3002 and the local
> subnet with another set of IP addresses on those two ports, hoping the
> tunnel would get me past the local subnet and into the 192.168.0.0
> subnet at the main clinic. But no, those requests keep being treated
> as local and I don't hit the clinic subnet -- except strangely,
> 192.168.0.30 is their 3002 and I can hit it. But nothing else. I
> made sure there are no entries in the routing table for 192.168.0.0 --
> but maybe there should be.
>
> Or are my ping packets hitting the 192.168.0.0 hosts at the main
> clinic and not getting back?
>
> Is there a way around this? Seems like something that would happen to
> others, since 192.168.0.0 or .1.0 are so common both as corporate
> subnets and on the cable/DSL routers etc.
>
> Thanks in advance,
>
> Bob Wilson
>

--
Best Regards,
News Reader
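The forwarding decision News Reader describes can be shown with a small model. The following is an added example, not code from the thread or from any Cisco product: it takes the subnets named in the thread, assumes a placeholder public address for the concentrator, and models a split-tunnel client as a route table (connected LAN plus one tunnel route per protected network, longest prefix first, lower metric wins ties) and a full-tunnel client as a policy that encapsulates everything except the outer packets to the gateway itself. Real clients implement full tunneling in different ways; the model only reproduces the outcome the reply describes. The `overlaps` helper is the check a practitioner would run before deciding whether split tunneling can work at all for a given client LAN.

```python
import ipaddress

# Constructed topology taken from the thread. The concentrator address is a
# placeholder (documentation range), not a real address from the thread.
LOCAL_LAN = ipaddress.ip_network("192.168.0.0/24")      # LAN the VPN client is physically on
CONCENTRATOR = ipaddress.ip_address("203.0.113.10")     # placeholder public address of the 3005
CLINIC_NETS = [ipaddress.ip_network(n) for n in
               ("192.168.0.0/24", "192.168.1.0/24", "192.168.3.0/24")]


def split_tunnel_routes():
    """Routes a split-tunnel client holds: the directly connected LAN plus one
    tunnel route per protected network. The connected route carries the lower
    metric, which is the tie-break that makes the local 192.168.0.0/24 win
    over the clinic's 192.168.0.0/24."""
    table = [(LOCAL_LAN, "local", 10)]
    table += [(net, "tunnel", 20) for net in CLINIC_NETS]
    return table


def lookup(dst, table):
    """Simplified forwarding: longest prefix match, then lowest metric.
    Returns 'local' (physical interface) or 'tunnel'."""
    dst = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, -metric, via)
               for net, via, metric in table if dst in net]
    if not matches:
        return "local"          # no explicit route: default path is the physical interface
    matches.sort(reverse=True)  # highest prefixlen, then highest -metric (= lowest metric)
    return matches[0][2]


def forward(dst, split_tunnel):
    """Where a packet to dst leaves the client, with or without split tunneling."""
    dst = ipaddress.ip_address(dst)
    if dst == CONCENTRATOR:
        return "local"          # outer IPsec packets to the gateway are never tunneled themselves
    if not split_tunnel:
        return "tunnel"         # full tunnel: every other packet is encapsulated
    return lookup(dst, split_tunnel_routes())


def overlaps(local_lan, protected_nets):
    """Protected networks that collide with the client's own LAN; any hit here
    means split tunneling will shadow that remote network."""
    return [str(n) for n in protected_nets if n.overlaps(local_lan)]


if __name__ == "__main__":
    print("overlapping with client LAN:", overlaps(LOCAL_LAN, CLINIC_NETS))
    for host in ("192.168.0.5", "192.168.1.5", "192.168.3.5", "198.51.100.7"):
        print(f"{host:>14}  split={forward(host, True):6}  full={forward(host, False)}")
```

With split tunneling, a ping to a clinic host on 192.168.0.0/24 resolves to the farm LAN and never enters the tunnel, while 192.168.1.0/24 and 192.168.3.0/24 are reached normally, which matches the symptom in the original post; with the full-tunnel policy the same destination is encapsulated and the clinic's 192.168.0.0/24 becomes the reachable one.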
From: RoverDrover on 9 Apr 2008 00:12
On Apr 8, 12:25 pm, News Reader <u...(a)domain.null> wrote:
> RoverDrover wrote:
> > We have a 3005 concentrator with 3002s at three branches of a clinic.
> > Their local subnets are 192.168.0.0, 192.168.1.0 and 192.168.3.0. I
> > live on a family farm and connect to a satellite router that is
> > maintained by my daughter-in-law's employer, so I can't change the
> > 192.168.0.0 subnet I'm on.
> >
> > So, I can get into the concentrator with VPN Client or a 3002 from
> > home using a 192.168.10.0 address, but I can only ping hosts on the
> > x.x.1.0 and x.x.3.0 subnets.
>
> On our non-3005, non-3002 hardware, we configure VPN policies on the VPN
> server that are pushed to the VPN client. If we refrain from enabling
> Split Tunneling, "all traffic" from the VPN client passes through the
> tunnel. While the tunnel is up, the reachable 192.168.0.0 network would
> be the one at the clinic, rather than the one to which the VPN client is
> physically connected.
>
> I think your issue is Split Tunneling (perhaps known by a different name
> on your platform).
>
> Perhaps you could set up a separate profile on the Concentrator for your
> VPN client connections that did not permit Split Tunneling. A separate
> profile for yourself would not affect other users that may derive a
> benefit from Split Tunneling.
>
> > I tried putting a LinkSys router in between the 3002 and the local
> > subnet with another set of IP addresses on those two ports, hoping the
> > tunnel would get me past the local subnet and into the 192.168.0.0
> > subnet at the main clinic. But no, those requests keep being treated
> > as local and I don't hit the clinic subnet -- except strangely,
> > 192.168.0.30 is their 3002 and I can hit it. But nothing else. I
> > made sure there are no entries in the routing table for 192.168.0.0 --
> > but maybe there should be.
> >
> > Or are my ping packets hitting the 192.168.0.0 hosts at the main
> > clinic and not getting back?
> >
> > Is there a way around this? Seems like something that would happen to
> > others, since 192.168.0.0 or .1.0 are so common both as corporate
> > subnets and on the cable/DSL routers etc.
> >
> > Thanks in advance,
> >
> > Bob Wilson
>
> --
> Best Regards,
> News Reader

Thank you both for your input. I believe split tunneling is the problem. No chance of changing the subnet at the big clinic just to help with remote access -- they'd say we were moving the mountain to Mohammed (will I get in trouble for saying that?)

Again, I appreciate your responses and I will go at it from the split tunneling angle.

Bob W.