September 30, 2013

Today a new customer of mine complained that he cannot connect to his HQ through the CISCO VPN when he goes over his home wifi connection, or from some public or other home wifi hot spots.
Well my answer was rather fast…
The customer's LAN IP addresses are handed out by DHCP from a CISCO 800 family router that serves the network 192.168.1.0 255.255.255.0.
How common….come on!!!!
Most home/SOHO routers use this particular range. The problem and its cause are almost obvious…
Let’s have an easy example:
An external client connected through home wifi has the local IP address 192.168.1.100 and 192.168.1.254 as its gateway.
The user fires up a VPN connection (Cisco/Microsoft/etc.) in order to reach a server inside his corporate network that has the IP address 192.168.1.200.
The client will try to find the recipient (stated in the packet header) in his local LAN and not on the other side of the tunnel. That's easy to understand if you simply run a route print command in your cmd.
IPv4 Route Table
===================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.100 20
192.168.1.0 255.255.255.0 On-link 192.168.1.100 276
192.168.1.100 255.255.255.255 On-link 192.168.1.100 276
The first line says that for any destination you ask your gateway.
The second says that for any IP address in your own range you ASK YOURSELF, NOT THE GATEWAY, i.e. find the recipient server in your LAN. Of course the second rule supersedes the first, because the more specific route (the longest matching prefix) always wins over the default route….
As you may understand, any attempt to connect to the remote server will fail, even if the VPN is connected, since the packet is delivered on the local LAN and never enters the tunnel, so it never reaches the other end.
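To make the longest-prefix-match rule concrete, here is a small added example (not part of the original post) that replays the route print above and shows why 192.168.1.200 is resolved on-link. The VPN adapter address 10.10.0.5 and the idea that a VPN client could push a more specific host route are assumptions for illustration.

```python
import ipaddress

# Constructed from the route print in the post: (network, netmask, gateway, interface, metric)
HOME_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.1.254", "192.168.1.100", 20),
    ("192.168.1.0", "255.255.255.0", "On-link", "192.168.1.100", 276),
    ("192.168.1.100", "255.255.255.255", "On-link", "192.168.1.100", 276),
]

# Hypothetical host route a VPN client might install through its virtual adapter (10.10.0.5 is assumed)
VPN_HOST_ROUTE = ("192.168.1.200", "255.255.255.255", "10.10.0.5", "10.10.0.5", 1)


def select_route(routes, destination):
    """Pick the route Windows would use: longest prefix wins, lowest metric breaks ties."""
    dst = ipaddress.ip_address(destination)
    best = None
    for entry in routes:
        net, mask, _gw, _iface, metric = entry
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if dst in network:
            key = (network.prefixlen, -metric)  # higher prefix, then lower metric
            if best is None or key > best[0]:
                best = (key, entry)
    return best[1] if best else None


def overlaps_local_lan(local_ip, local_mask, remote_network):
    """Design check: does the corporate range collide with the LAN the client sits on?"""
    lan = ipaddress.ip_network(f"{local_ip}/{local_mask}", strict=False)
    return lan.overlaps(ipaddress.ip_network(remote_network, strict=False))


if __name__ == "__main__":
    # With only the home routes, the corporate server is looked up on the local LAN.
    print(select_route(HOME_ROUTES, "192.168.1.200"))
    # A more specific /32 pushed by the VPN would override the on-link /24.
    print(select_route(HOME_ROUTES + [VPN_HOST_ROUTE], "192.168.1.200"))
    print(overlaps_local_lan("192.168.1.100", "255.255.255.0", "192.168.1.0/24"))
```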
The customer has a complete AD inside his corporate LAN and a lot of remote sites going around. Personally I think it was quite stupid to use a common consumer/home IP range for this type of network…. Now, since I cannot change any of the IP ranges inside the corporate LAN, I have only 2 options:
- Visit his house and change the IP range pooled by his home router. Pretend that the problem is fixed and wait till he visits another network with the problematic range (a hotel or another hot spot). Sorry, not my type….
- The second option is to chase my NPS (Network Philosophers Stone), using NATs, other router pools and God help us what else….
Be very cautious on your network designs…Someone in the future may curse you!!!!