CISCO VPN not working from Home Wifi

How to no www on website publish

September 9, 2013

Email notifications don’t appear in Windows phone 7,7.8 in lock screen

September 30, 2013

Published by Chrysostomos Psaroudakis on September 17, 2013

Today a new customer of mine complained about his inability to connect to his HQs through CISCO VPN connection, when he goes over his home wifi connection, or some public/other home places wifi hot spots.

Well my answer was rather fast…

The customers lan ip addresses are dhcp pooled by a CISCO 800 family router that spreads a network of 192.168.1.0 255.255.255.0

How common….come on!!!!

Most of home/soho routers use this particular range. The problem and its cause is almost obvious…

Let’s have an easy example:

External client connected through home wifi has local ip address 192.168.1.100 and 192.168.1.254 as a gateway.

The user fires up a vpn connection (cisco/microsoft/etc) in order to connect to a server inside his corporate network that has an ip of 192.168.1.200

The client will try to find the recipient (stated in the packet header) in his local lan and not on the other side. That’s easy to understand if you simply hit a route print command on your cmd.

IPv4 Route Table
===================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric

0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.100 20

192.168.1.0 255.255.255.0 On-link 192.168.1.100 276

192.168.1.100 255.255.255.255 On-link 192.168.1.100 276

The first line says that for any destination ask your gateway

The second says that for any ip address in your family ip range ASK YOURSELF-NOT THE GATEWAY, eg. find the recipient server in your lan. Of course the second rule supersedes the first….

As you may understand any try to connect to the remote server will fail, even if the vpn is connected, since the packet will never leave the gateway and will never reach the other end.

The customer, has a complete AD inside his corporate lan and lot of remote sites going around. Personally I think it was quite stupid to use a commercial/home ip range for this type of network…. Now since I cannot change any of the ip ranges inside the corporate lan I have only 2 options

Visit his house and change the ip range pooled by his home router. Pretent that problem is fixed and wait till he visits another network with the problematic range (a hotel or another hot spot). Sorry not my type….
The second option is to chase my NPS (Network Philosophers Stone), using nats, other router pools and God help us what else….

Be very cautious on your network designs…Someone in the future may curse you!!!!

Creativepeople.gr

Chrysostomos Psaroudakis

Commercially astute IT professional, highly experienced in many aspects of IT designing, development and management -including network infrastructures, security and database administration. Committed to objectives’ achievement within tight deadlines, by being able to communicate concisely at all levels. Areas of Expertise Windows Environments, Elastix, FreePBX, Microsoft SQL Server, SharePoint, IIS, ISA, MSHyperV, Access, VBA, Dreamweaver, HW building and maintenance, Wired and Wireless networks, IT R&D