Register

Forgot Password

Site FAQ

Home > IT Answers > Security > Can make VPN connection, but can’t ping server or access resources

Davemd

10 pts.

Can make VPN connection, but can’t ping server or access resources

Firewall server hardware, IP addressing, Microsoft Windows, Network connectivity, Networking, Router configuration, Routers, VPN, Windows Server 2003

I set up PPTP VPN through our D-Link DFL-200 hardware firewall here at our company so that people could access network resources from home. The problem is, when at home, they can make a VPN connection just fine, but they can't ping the file server here at work, nor can they access or see any network resources. Our network is on a 192.168.1.x segment, with a 255x3 subnet. The server/LAN client that I am trying to ping has a 192.168.1.x address. The VPN server has a private gateway of 192.168.1.1, and public gateway of 66.x.x.x. On the VPN server, I have set it up to where it gives out 192.168.2.x addresses to any VPN clients connecting to it. At home, my router's gateway is 192.168.1.x, the home PC is 192.168.1.x with a 255x3 subnet. The VPN client connection gives me a 192.168.2.x address with a 255x4 subnet. I had a technician from D-Link test it on his end, and he was able to both make the VPN connection, and also ping the server and access network resources. I think the problem with most people not being able to access network resources is because their local networks at home are on the same network id (192.168.1.x) as the corporate network (192.168.1.x). Traffic is not getting passed to the corporate network because the VPN client machine sees the destination as being on the local network. Is this what's happening? Is there an easy way I can change something so that users would not have to get into their routers at home and start changing settings (most people are not that tech savvy). What I mean is, is there something I can do on my end here at our company. I should mention there are two NIC's installed on the file server that we are trying to get into from home. The one NIC is disabled. Can I do anything with this? The server here at work is a Windows 2003 server, which is both running DHCP and DNS. The home users have XP operating systems. I've also tried disabling any firewalls on XP, and still no luck. Thanks very much for your help.

Software/Hardware used:

ASKED: November 29, 2007 9:34 PM

UPDATED: June 20, 2008 4:10 PM

RELATED QUESTIONS

Answer Wiki:

We had a similar issue a while ago. Our office uses a different band of firewall, but the problem is the same. You're right about the 192.168.1.x addresses conflict. That address is reserved for internal network and is used by a lot of network products by default. There are 3 solutions: 1) Change the office's internal IP subnet to a different one. (this is recommended if your network is small) 2) Change the client's internal IP subnet to a different one. (this is sometime impossible, say , in a hotel) 3) On the firewall, assign a "Virtual IP" for the PPTP. And setup a trusted link between the virtual IP & the office's internal IP. (this is possible only if your firewall supports it) Right now, we're using solution #3 as a quick fix. But we'll change to solution #1 when there's time. 4) There is a fourth super-duper easy solution: Add a line to the windows routing table that has the subnet in question assigned to whatever your VPN interface address is [192.168.2.x] with the lowest metric [1] so all traffic to that subnet is routed over the VPN ,and not the LAN. route add 192.168.1.0 mask 255.255.255.0 192.168.2.x metric 1 To automate it for the less savvy users create a batch file with the first [insert maximum number of concurrent VPN connections allowed] lines corresponding to the addresses the vpn will assign. like this: route add 192.168.1.0 mask 255.255.255.0 192.168.2.1 metric 1 route add 192.168.1.0 mask 255.255.255.0 192.168.2.2 metric 1 ... Obviously their local network resources will become available again after they disconnect the VPN interface. I would strongly suggest researching the case when someone attempts to connect from a 192.168.2.x subnet.

We had a similar issue a while ago. Our office uses a different band of firewall, but the problem is the same.

You're right about the 192.168.1.x addresses conflict. That address is reserved for internal network and is used by a lot of network products by default.

There are 3 solutions: 
1) Change the office's internal IP subnet to a different one. (this is recommended if your network is small)
2) Change the client's internal IP subnet to a different one. (this is sometime impossible, say , in a hotel)
3) On the firewall, assign a "Virtual IP" for the PPTP. And setup a trusted link between the virtual IP & the office's internal IP. (this is possible only if your firewall supports it)

Right now, we're using solution #3 as a quick fix. But we'll change to solution #1 when there's time.

4) There is a fourth super-duper easy solution:
Add a line to the windows routing table that has the subnet in question assigned to whatever your VPN interface address is [192.168.2.x] with the lowest metric [1] so all traffic to that subnet is routed over the VPN ,and not the LAN.
route add 192.168.1.0 mask 255.255.255.0 192.168.2.x metric 1

To automate it for the less savvy users create a batch file with the first [insert maximum number of concurrent VPN connections allowed] lines corresponding to the addresses the vpn will assign.
like this:
route add 192.168.1.0 mask 255.255.255.0 192.168.2.1 metric 1 
route add 192.168.1.0 mask 255.255.255.0 192.168.2.2 metric 1 
...
Obviously their local network resources will become available again after they disconnect the VPN interface.
I would strongly suggest researching the case when someone attempts to connect from a 192.168.2.x subnet.

Last Wiki Answer Submitted: June 20, 2008 4:10 pm by HCream

1,235 pts.

All Answer Wiki Contributors: HCream

1,235 pts.

To see all answers submitted to the Answer Wiki: View Answer History.

RSS - Discussions Help

Discuss This Question:

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

POSTED: Dec 3, 2007 3:30 PM (GMT)

193.188.0.1 by default is a class B address, using the 192.168.0.192 or /26 will give the subnet 64 address with 4 subnets which should help with the conflict. .

Bfrasure

40 pts.

POSTED: Feb 4, 2010 4:24 PM (GMT)

Thanks for taking the time to share your opinion. If more of us used your line of thinking, the world would be a better place.

Burt Venner

0 pts.

Ask a Question

Browse IT Answers by Topic

>>VIEW ALL TAGS

Community Blog | About Us | Contact Us | FAQ | Terms of Use | DMCA Policy

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organization's IT projects - with its network of technology-specific Web sites, events and magazines.
All Rights Reserved, Copyright 1999-2013, TechTarget | Read our Privacy Policy
Questions and Answers Index 1 | Questions and Answers Index 2 | IT Topics Index 1 | IT Topics Index 2 | Blogs Index | Blogs Tags