HW & SW VPN client -- need routing workaround

Discussion in 'Cisco' started by RoverDrover, Apr 8, 2008.

  1. RoverDrover

    RoverDrover Guest

    We have a 3005 concentrator with 3002s at three branches of a clinic.
    Their local subnets are 192.168.0.0, 192.168.1.0 and 192.168.3.0. I
    live on a family farm and connect to a satellite router that is
    maintained by my daughter-in-law's employer, so I can't change the
    192.168.0.0 subnet I'm on.

    So, I can get into the concentrator with VPN Client or a 3002 from
    home using a 192.168.10.0 address, but I can only ping hosts on the
    x.x.1.0 and x.x.3.0 subnets.

    I tried putting a LinkSys router in between the 3002 and the local
    subnet with another set of IP addresses on those two ports, hoping the
    tunnel would get me past the local subnet and into the 192.168.0.0
    subnet at the main clinic. But no, those requests keep being treated
    as local and I don't hit the clinic subnet -- except strangely,
    192.168.0.30 is their 3002 and I can hit it. But nothing else. I
    made sure there are no entries in the routing table for 192.168.0.0 --
    but maybe there should be.

    Or are my ping packets hitting the 192.168.0.0 hosts at the main
    clinic and not getting back?

    Is there a way around this? Seems like something that would happen to
    others, since 192.168.0.0 or .1.0 are so common both as corporate
    subnets and on the cable/DSL routers etc.

    Thanks in advance,

    Bob Wilson
    RoverDrover, Apr 8, 2008
    #1

  2. RoverDrover

    Merv Guest

    On Apr 8, 1:32 am, RoverDrover <> wrote:
    > We have a 3005 concentrator with 3002s at three branches of a clinic.
    > Their local subnets are 192.168.0.0, 192.168.1.0 and 192.168.3.0. I
    > live on a family farm and connect to a satellite router that is
    > maintained by my daughter-in-law's employer, so I can't change the
    > 192.168.0.0 subnet I'm on.
    >
    > So, I can get into the concentrator with VPN Client or a 3002 from
    > home using a 192.168.10.0 address, but I can only ping hosts on the
    > x.x.1.0 and x.x.3.0 subnets.
    >
    > I tried putting a LinkSys router in between the 3002 and the local
    > subnet with another set of IP addresses on those two ports, hoping the
    > tunnel would get me past the local subnet and into the 192.168.0.0
    > subnet at the main clinic. But no, those requests keep being treated
    > as local and I don't hit the clinic subnet -- except strangely,
    > 192.168.0.30 is their 3002 and I can hit it. But nothing else. I
    > made sure there are no entries in the routing table for 192.168.0.0 --
    > but maybe there should be.
    >
    > Or are my ping packets hitting the 192.168.0.0 hosts at the main
    > clinic and not getting back?
    >
    > Is there a way around this? Seems like something that would happen to
    > others, since 192.168.0.0 or .1.0 are so common both as corporate
    > subnets and on the cable/DSL routers etc.



    Why not just change the LAN using subnet 192.168.0.0 to something
    else ???
    Merv, Apr 8, 2008
    #2

  3. RoverDrover

    News Reader Guest

    RoverDrover wrote:
    > We have a 3005 concentrator with 3002s at three branches of a clinic.
    > Their local subnets are 192.168.0.0, 192.168.1.0 and 192.168.3.0. I
    > live on a family farm and connect to a satellite router that is
    > maintained by my daughter-in-law's employer, so I can't change the
    > 192.168.0.0 subnet I'm on.
    >
    > So, I can get into the concentrator with VPN Client or a 3002 from
    > home using a 192.168.10.0 address, but I can only ping hosts on the
    > x.x.1.0 and x.x.3.0 subnets.
    >


    On our non-3005, non-3002 hardware, we configure VPN policies on the VPN
    server that are pushed to the VPN client. If we refrain from enabling
    Split Tunneling, "all traffic" from the VPN client passes through the
    tunnel. While the tunnel is up, the reachable 192.168.0.0 network would
    be the one at the clinic, rather than the one to which the VPN client is
    physically connected.

    I think your issue is Split Tunneling (perhaps known by a different name
    on your platform).

    Perhaps you could set up a separate profile on the Concentrator for your
    VPN client connections, that did not permit Split Tunneling. A separate
    profile for yourself would not affect other users that may derive a
    benefit from Split Tunneling.

    > I tried putting a LinkSys router in between the 3002 and the local
    > subnet with another set of IP addresses on those two ports, hoping the
    > tunnel would get me past the local subnet and into the 192.168.0.0
    > subnet at the main clinic. But no, those requests keep being treated
    > as local and I don't hit the clinic subnet -- except strangely,
    > 192.168.0.30 is their 3002 and I can hit it. But nothing else. I
    > made sure there are no entries in the routing table for 192.168.0.0 --
    > but maybe there should be.
    >
    > Or are my ping packets hitting the 192.168.0.0 hosts at the main
    > clinic and not getting back?
    >
    > Is there a way around this? Seems like something that would happen to
    > others, since 192.168.0.0 or .1.0 are so common both as corporate
    > subnets and on the cable/DSL routers etc.
    >
    > Thanks in advance,
    >
    > Bob Wilson
    >



    --
    Best Regards,
    News Reader
    News Reader, Apr 8, 2008
    #3
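
The address overlap and the split-tunneling behaviour discussed in the post above, as an added example that is not part of any post in the thread. It is a simplified model of client route selection, not the Cisco client's actual logic; the /24 masks, the function names and the rule that the on-link LAN wins a tie against an equal-length tunnel prefix are assumptions.

```python
import ipaddress

# Values from the thread; the /24 masks are an assumption (the posts give none).
HOME_LAN = "192.168.0.0/24"
CLINIC_NETS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.3.0/24"]


def overlapping(local_lan, remote_nets):
    """Return the remote networks whose address space collides with the local LAN."""
    local = ipaddress.ip_network(local_lan)
    return [n for n in remote_nets if ipaddress.ip_network(n).overlaps(local)]


def egress(dst, local_lan, tunnel_nets, split_tunnel):
    """Simplified model of where a VPN client sends a packet for dst.

    split_tunnel=False: tunnel-all policy, every packet goes into the tunnel.
    split_tunnel=True : longest-prefix match over the on-link LAN, the
                        tunnelled networks and the default gateway.
    """
    addr = ipaddress.ip_address(dst)
    if not split_tunnel:
        return "tunnel"
    # Each route is (prefix, egress, tie-break preference). The on-link LAN is
    # given the higher preference (assumption), which is what makes an
    # overlapping remote subnet unreachable.
    routes = [
        (ipaddress.ip_network("0.0.0.0/0"), "default-gw", 0),
        (ipaddress.ip_network(local_lan), "local-lan", 1),
    ]
    routes += [(ipaddress.ip_network(n), "tunnel", 0) for n in tunnel_nets]
    matches = [r for r in routes if addr in r[0]]
    best = max(matches, key=lambda r: (r[0].prefixlen, r[2]))
    return best[1]


if __name__ == "__main__":
    print("Overlap with home LAN:", overlapping(HOME_LAN, CLINIC_NETS))
    # 192.168.0.15 and 192.168.1.15 are constructed sample host addresses.
    for host in ("192.168.0.15", "192.168.1.15"):
        for split in (True, False):
            path = egress(host, HOME_LAN, CLINIC_NETS, split)
            print(f"{host} split_tunnel={split} -> {path}")
```

With split tunneling the colliding 192.168.0.0 destination stays on the local LAN while the .1.0 subnet goes through the tunnel; with tunnel-all both go through the tunnel, at the cost of losing access to local 192.168.0.0 hosts while connected.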
  4. RoverDrover

    RoverDrover Guest

    On Apr 8, 12:25 pm, News Reader <> wrote:
    > RoverDrover wrote:
    > > We have a 3005 concentrator with 3002s at three branches of a clinic.
    > > Their local subnets are 192.168.0.0, 192.168.1.0 and 192.168.3.0. I
    > > live on a family farm and connect to a satellite router that is
    > > maintained by my daughter-in-law's employer, so I can't change the
    > > 192.168.0.0 subnet I'm on.

    >
    > > So, I can get into the concentrator with VPN Client or a 3002 from
    > > home using a 192.168.10.0 address, but I can only ping hosts on the
    > > x.x.1.0 and x.x.3.0 subnets.

    >
    > On our non-3005, non-3002 hardware, we configure VPN policies on the VPN
    > server that are pushed to the VPN client. If we refrain from enabling
    > Split Tunneling, "all traffic" from the VPN client passes through the
    > tunnel. While the tunnel is up, the reachable 192.168.0.0 network would
    > be the one at the clinic, rather than the one to which the VPN client is
    > physically connected.
    >
    > I think your issue is Split Tunneling (perhaps known by a different name
    > on your platform).
    >
    > Perhaps you could set up a separate profile on the Concentrator for your
    > VPN client connections, that did not permit Split Tunneling. A separate
    > profile for yourself would not affect other users that may derive a
    > benefit from Split Tunneling.
    >
    >
    >
    > > I tried putting a LinkSys router in between the 3002 and the local
    > > subnet with another set of IP addresses on those two ports, hoping the
    > > tunnel would get me past the local subnet and into the 192.168.0.0
    > > subnet at the main clinic. But no, those requests keep being treated
    > > as local and I don't hit the clinic subnet -- except strangely,
    > > 192.168.0.30 is their 3002 and I can hit it. But nothing else. I
    > > made sure there are no entries in the routing table for 192.168.0.0 --
    > > but maybe there should be.

    >
    > > Or are my ping packets hitting the 192.168.0.0 hosts at the main
    > > clinic and not getting back?

    >
    > > Is there a way around this? Seems like something that would happen to
    > > others, since 192.168.0.0 or .1.0 are so common both as corporate
    > > subnets and on the cable/DSL routers etc.

    >
    > > Thanks in advance,

    >
    > > Bob Wilson

    >
    > --
    > Best Regards,
    > News Reader


    Thank you both for your input. I believe split tunneling is the
    problem. No chance of changing the subnet at the big clinic just to
    help with remote access -- they'd say we were moving the mountain to
    Mohammed (will I get in trouble for saying that?)

    Again, I appreciate your responses and I will go at it from the split
    tunneling angle.

    Bob W.
    RoverDrover, Apr 9, 2008
    #4
