CISCO VPN not working from Home Wifi

Today a new customer of mine complained that he cannot connect to his HQ through a CISCO VPN connection whenever he goes over his home wifi, or over some public or other home wifi hot spots.

Well, my answer came rather fast…

The customer's LAN addresses are handed out by DHCP from a CISCO 800 family router, which serves the network 192.168.1.0 255.255.255.0.

How common… come on!!!!

Most home/SOHO routers use this very range. The problem and its cause are almost obvious…

Let's take an easy example:

The external client, connected through his home wifi, has the local IP address 192.168.1.100 and 192.168.1.254 as its gateway.

The user fires up a VPN connection (Cisco/Microsoft/etc.) in order to reach a server inside his corporate network whose IP is 192.168.1.200.

The client will look for the recipient (the destination address in the packet header) on his local LAN, not on the other side of the tunnel. That's easy to see if you simply run a route print command in your cmd:

IPv4 Route Table
===================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface     Metric
          0.0.0.0          0.0.0.0    192.168.1.254   192.168.1.100     20
      192.168.1.0    255.255.255.0          On-link   192.168.1.100    276
    192.168.1.100  255.255.255.255          On-link   192.168.1.100    276

The first line says: for any destination, hand the packet to your gateway (192.168.1.254).

The second says: for any address inside your own 192.168.1.0/24 range, DO NOT ASK THE GATEWAY, deliver on-link, i.e. find the recipient on the local LAN yourself (with ARP). Routing picks the longest matching prefix, so the /24 route always supersedes the /0 default route, whatever the metrics say…

As you may understand, any attempt to reach the remote server will fail even when the VPN is connected. The VPN client adds its own route for 192.168.1.0/24 through the tunnel adapter, but that route has exactly the same prefix length as the on-link route and collides with it; when the on-link route wins, the packet is ARPed for on the home LAN, where 192.168.1.200 either does not exist or, on a public hot spot, is somebody else's device, and it never enters the tunnel.
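To make the lookup concrete, here is a small route-table simulator, added as an example and not part of the original post. It replays the route print above, adds the kind of route a VPN client installs for the corporate /24 through its tunnel adapter (the tunnel next hop 10.10.10.1, the adapter address 10.10.10.5 and the metric values are assumptions, not values from the post), and shows which interface 192.168.1.200 ends up on. It also includes the overlap check a practitioner would run against the LAN he is sitting on before opening the tunnel.

```python
"""
Added example (not from the original post): longest-prefix-match
simulator for the overlapping-subnet VPN problem described above.
"""
import ipaddress

# Rows constructed from the route print shown in the post.
HOME_LAN_TABLE = """
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.100 20
192.168.1.0 255.255.255.0 On-link 192.168.1.100 276
192.168.1.100 255.255.255.255 On-link 192.168.1.100 276
"""

# Hypothetical tunnel adapter values (assumptions, not from the post).
TUNNEL_NEXT_HOP = "10.10.10.1"
TUNNEL_IFACE = "10.10.10.5"


def parse_route_table(text):
    """Parse 'dest mask gateway iface metric' rows into route dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank lines and headers
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append({"net": net, "gateway": gateway,
                       "iface": iface, "metric": int(metric)})
    return routes


def lookup(routes, dst):
    """Longest prefix wins; equal prefixes are broken by the lower metric.
    A remaining tie keeps the earlier row (simulator assumption)."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if addr not in r["net"]:
            continue
        key = (r["net"].prefixlen, -r["metric"])
        if best is None or key > (best["net"].prefixlen, -best["metric"]):
            best = r
    return best


def egress_for(dst, vpn_metric=None):
    """Interface chosen for dst, optionally with the tunnel route installed."""
    table = HOME_LAN_TABLE
    if vpn_metric is not None:
        table += (f"192.168.1.0 255.255.255.0 {TUNNEL_NEXT_HOP} "
                  f"{TUNNEL_IFACE} {vpn_metric}\n")
    return lookup(parse_route_table(table), dst)["iface"]


def overlapping_subnets(local_cidr, corporate_cidrs):
    """Corporate subnets that collide with the LAN the laptop is sitting on."""
    local = ipaddress.IPv4Network(local_cidr, strict=False)
    return [c for c in corporate_cidrs
            if local.overlaps(ipaddress.IPv4Network(c))]


if __name__ == "__main__":
    # No VPN: the /24 on-link route beats the /0 default route.
    print(egress_for("192.168.1.200"))        # 192.168.1.100
    # VPN up, tunnel route at the same metric as the LAN route: still local.
    print(egress_for("192.168.1.200", 276))   # 192.168.1.100
    # Only a strictly better metric pushes the packet into the tunnel.
    print(egress_for("192.168.1.200", 1))     # 10.10.10.5
    # The pre-flight check for an unknown hot spot.
    print(overlapping_subnets("192.168.1.100/24",
                              ["192.168.1.0/24", "10.20.0.0/16"]))
```

The simulator shows the mechanism, not the exact tie-breaking of any particular client: real VPN software and the OS interface metrics decide who wins an equal-prefix tie, and some clients refuse split routes that overlap the local LAN altogether. The overlap check is the part worth keeping, because it tells you before you connect whether the hot spot you are on will swallow corporate traffic.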

The customer has a complete AD inside his corporate LAN and a lot of remote sites around it. Personally I think it was quite a stupid choice to use a common home range for this type of network… Now, since I cannot change any of the IP ranges inside the corporate LAN, I have only 2 options:

  1. Visit his house and change the range pooled by his home router. Pretend the problem is fixed and wait until he visits another network with the problematic range (a hotel or another hot spot). Sorry, not my type…
  2. Chase my NPS (Network Philosophers Stone): NAT the overlapping corporate subnet to an unused range at the VPN headend so the client routes to that range instead, other router pools, and God help us what else…

Be very cautious with your network designs… someone in the future may curse you!!!! Pick an RFC 1918 range that no home router ships with by default (a random /24 out of 10.0.0.0/8 or 172.16.0.0/12 rather than 192.168.0.0/24 or 192.168.1.0/24), and pick it before the first domain controller is installed.

Creativepeople.gr


About cpsaroudakis

IT professional, founder of CreativePeople.gr

Posted on September 17, 2013, in Cisco, Everyday IT issues, VPN.
