Re: Router Lesson/Advice Needed

 
 
Phillip Windell

 
      01-19-2010, 02:45 PM

"TheScullster" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed). uk...
> Our internal ip address range is 10.0.0....
> The refinery we are trying to connect to uses this same range.
> When I try to pptp to their network, this causes an issue.
> We have a company firewall (which is managed by a local telecomms company)
> which is also clouding the issue.
> To establish the vpn, it has been necessary to declare and fix the ip
> address of the PC on our network, then set firewall rules to allow this ip
> to communicate.
> Doing this enables the vpn to establish, but does not allow communication
> with the target refinery PC due to the common internal ip addresses.
> So the idea was to introduce a router which connects to our network using
> the "firewall-cleared" static ip address - then have our PC pick up an ip
> from the router in the 192.168 range.
> I don't have a problem with the user having to logoff, fit the router and
> log back on again to provide this remote access, as it will be an
> occasional exercise only.
> I have ordered a Linksys router
> http://www.misco.co.uk/applications/...ELAID=84115976


10.0.0.x is also a very heavily overused private subnet and should be
avoided.

I understand what you are thinking,...but your LAN is initiating the
connection to the refinery (not the reverse),...therefore your LAN needs to
be on the "external" side of the Linksys box,...then the Linksys box will
have to do a Static NAT or a 1-to-1 NAT between its External IP and the IP
of the target machine. When you attempt the connection you must target the
External IP# of the Linksys,...not the actual refinery machine.

You're looking at all kinds of headstands and cart-wheels to try to create a
topology that will work. Remember that you have to run the Linksys
*backwards* from what would be considered normal. You will have to change
the Private Segment that your end of the VPN terminates as (if that is even
possible), then you have to set the Internal subnet of the Linksys to match
it. Then you have to create a static route on the Linksys so it knows to
use the VPN Device as the Gateway to reach the target machine at the
refinery.

It would actually be more logical for the Linksys to physically sit at the
refinery on the other end so it can be set up in a normal *forward* manner
instead of backwards. But even they would have to "jack" their topology
around to make it work and probably won't be willing to do it.

The first best way to fix this is of course to re-address the LAN in the
first place.

But the correct way to handle a VPN with identically addressed networks
would be like the diagram at the link below. It would be impossible to have
full access between the LANs,..it would be limited by the capacity (or lack
of) to do Static NAT or 1-to-1 NAT to the resources on each side. The
reason two NAT Boxes are shown is so that it can be bi-directional. If it
is only one LAN accessing resources on the other then there only needs to be
one NAT box on the *receiving* side where the resource being accessed lives.

http://i591.photobucket.com/albums/s...ll/UglyVPN.jpg


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


Phillip Windell

 
      01-19-2010, 02:53 PM
If your VPN Device is one of the more expensive Cisco products it may already
have the NAT abilities built into it for this type of situation which
eliminates the need for a separate NAT Box,...but I cannot help
there,...you'll have to check the documentation or call Cisco,...although I
am a CCNA I am not a "Cisco guy".

--
Phillip Windell



Phillip Windell

 
      01-19-2010, 03:01 PM

One more thing.
Both machines involved in the communication (the client and the server) need
a Static Route on themselves to tell them to use the NAT Box as the path to
get where they need to go for this (you can't do it with Default Gateways).
Only a Multi-subnet LAN with a *real* LAN Router within it could "centrally"
make a routing decision like this. A single subnet LAN must use Static
Routes as I said or they have to move the VPN and the NAT Boxes to "hang off
the side" of the Firewall as a second internal network. I'm not going to
get buried in that one unless that turns out to be what you actually try.

--
Phillip Windell



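The 1-to-1 NAT topology from the first post and the point above about static routes on both hosts, walked through as an added Python model. This is not code from the thread and not any vendor's NAT implementation; every address is assumed for the example: both LANs are 10.0.0.0/24, each has its firewall as default gateway at 10.0.0.1 and a NAT box at 10.0.0.254, our client 10.0.0.20 is published to the refinery as 172.16.20.20, and their server 10.0.0.50 is published to us as 172.16.50.50. It shows why aiming at the real refinery address goes nowhere (the host's on-link /24 route wins), why a default gateway alone hands the traffic to the firewall, how the static routes and the two NAT rewrites carry the request and the reply, and why any refinery host without a mapping stays unreachable.

```python
"""Overlapping-subnet VPN modelled in Python: 1-to-1 NAT on each side plus a
static route on each host. Added illustration, not code from the forum thread;
every address below is made up for the example.

  our LAN        10.0.0.0/24   client 10.0.0.20, default gw 10.0.0.1 (firewall),
                               our NAT box 10.0.0.254 shows the client to the
                               far side as 172.16.20.20
  refinery LAN   10.0.0.0/24   server 10.0.0.50, default gw 10.0.0.1, their NAT
                               box 10.0.0.254 publishes the server as 172.16.50.50
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Packet = Tuple[IPv4Address, IPv4Address]          # (source, destination)


@dataclass
class Route:
    prefix: IPv4Network
    gateway: Optional[IPv4Address]                 # None means on-link: ARP for dst itself


def next_hop(table: List[Route], dst: IPv4Address) -> IPv4Address:
    """Longest-prefix match, as a host stack does. Returns the address the
    packet is physically handed to on the local segment."""
    best = max((r for r in table if dst in r.prefix),
               key=lambda r: r.prefix.prefixlen, default=None)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return dst if best.gateway is None else best.gateway


class OneToOneNat:
    """Static NAT: a fixed outside<->inside address map, one entry per host that
    is meant to be reachable. Traffic arriving from the VPN gets its destination
    rewritten to the inside address; traffic leaving towards the VPN gets its
    source rewritten to the outside address. Anything unmapped is dropped."""

    def __init__(self, outside_to_inside: Dict[str, str]) -> None:
        self.out_to_in = {ip_address(o): ip_address(i) for o, i in outside_to_inside.items()}
        self.in_to_out = {i: o for o, i in self.out_to_in.items()}

    def from_vpn(self, pkt: Packet) -> Optional[Packet]:
        src, dst = pkt
        inside = self.out_to_in.get(dst)
        return None if inside is None else (src, inside)

    def to_vpn(self, pkt: Packet) -> Optional[Packet]:
        src, dst = pkt
        outside = self.in_to_out.get(src)
        return None if outside is None else (outside, dst)


LAN, DEFAULT = ip_network("10.0.0.0/24"), ip_network("0.0.0.0/0")
FIREWALL, NAT_BOX = ip_address("10.0.0.1"), ip_address("10.0.0.254")   # same on both LANs
CLIENT, SERVER = ip_address("10.0.0.20"), ip_address("10.0.0.50")
CLIENT_AS_SEEN, SERVER_AS_SEEN = ip_address("172.16.20.20"), ip_address("172.16.50.50")
OUR_NAT = OneToOneNat({"172.16.20.20": "10.0.0.20"})     # assumed mapping, our side
THEIR_NAT = OneToOneNat({"172.16.50.50": "10.0.0.50"})   # assumed mapping, refinery side


def host_table(static: Optional[Route] = None) -> List[Route]:
    """A single-subnet host: on-link /24 plus a default route to the firewall,
    optionally with one static route added by hand."""
    table = [Route(LAN, None), Route(DEFAULT, FIREWALL)]
    return table + [static] if static else table


def simulate() -> dict:
    """Walk one request/reply through the topology and record what happened."""
    # (1) Aim at the real refinery address: the on-link /24 wins, the packet
    #     is ARPed for on *our* segment and never reaches any gateway.
    naive = next_hop(host_table(), SERVER)
    # (2) Aim at the published address but with only a default gateway: it goes
    #     to the firewall, which knows nothing about the VPN.
    via_default = next_hop(host_table(), SERVER_AS_SEEN)
    # (3) With a static route for the far side's published range the packet
    #     reaches our NAT box, which rewrites our source before the VPN.
    client_static = Route(ip_network("172.16.50.0/24"), NAT_BOX)
    via_static = next_hop(host_table(client_static), SERVER_AS_SEEN)
    on_vpn = OUR_NAT.to_vpn((CLIENT, SERVER_AS_SEEN))          # (172.16.20.20, 172.16.50.50)
    at_server = THEIR_NAT.from_vpn(on_vpn)                      # (172.16.20.20, 10.0.0.50)
    # (4) The server's reply is addressed to 172.16.20.20, not to a 10.0.0.x
    #     twin of our client, so its own static route can send it back.
    server_static = Route(ip_network("172.16.20.0/24"), NAT_BOX)
    reply_hop = next_hop(host_table(server_static), at_server[0])
    reply_on_vpn = THEIR_NAT.to_vpn((SERVER, at_server[0]))     # (172.16.50.50, 172.16.20.20)
    reply_at_client = OUR_NAT.from_vpn(reply_on_vpn)            # (172.16.50.50, 10.0.0.20)
    # (5) A refinery host with no mapping is simply unreachable: no "full access".
    unmapped = THEIR_NAT.from_vpn((CLIENT_AS_SEEN, ip_address("172.16.50.51")))
    return {
        "naive_hop": naive, "default_hop": via_default, "static_hop": via_static,
        "at_server": at_server, "reply_hop": reply_hop,
        "reply_at_client": reply_at_client, "unmapped": unmapped,
    }


if __name__ == "__main__":
    for step, value in simulate().items():
        print(f"{step:16} {value}")
```

Run it with `python3` to print each step. The map in `OneToOneNat` is the same idea as a one-to-one prefix translation (on Linux, the iptables NETMAP target does this for a whole range); the model deliberately keeps one entry per published host to make the "only mapped resources are reachable" limitation visible.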
Ace Fekay [MVP-DS, MCT]

 
      01-19-2010, 04:20 PM
"TheScullster" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed). uk...
>
> "Phillip Windell" wrote
>>
>> One more thing.
>> Both machines involved in the communication (the client and the server)
>> need a Static Route on themselves to tell them to use the NAT Box as the
>> path to get where they need to go for this (you can't do it with Default
>> Gateways). Only a Multi-subnet LAN with a *real* LAN Router within it
>> could "centrally" make a routing decision like this. A single subnet
>> LAN must use Static Routes as I said or they have to move the VPN and the
>> NAT Boxes to "hang off the side" of the Firewall as a second internal
>> network. I'm not going to get buried in that one unless that turns out
>> to be what you actually try.
>>
>> --
>> Phillip Windell
>>

> Thanks Phillip and others for extensive explanation.
> Not sure why, but the Linksys router method appears to work OK.
> Gave the router a static ip address on our general LAN scope as its
> external "internet" connection setting.
> Connected a laptop set to dhcp and the pptp network connection (including
> viewing software) works!
> One thing I can't figure though is that from the attached PC I can ping
> PCs across our general LAN, but I get a time-out when I try to ping the
> static "internet" ip on the router from the general LAN side??
>
> Phil
>



Unless I am misunderstanding what you are trying to do, pinging the external
interface of a router from a host connected to the inside interface of the
router is not supported. Some call this a "U-Turn" since the request is
forwarded to the external interface, however it does not come back in. I
think I remember there is one brand router/firewall that supports this, but
for the majority, no. That's the same as saying you would like to connect to
a website being hosted internally but you specify the external IP in the
URL, which won't connect.

Ace


Phillip Windell

 
      01-19-2010, 04:46 PM
"TheScullster" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed). uk...
> Gave the router a static ip address on our general LAN scope as its
> external "internet" connection setting.


Correct,...that is the "backwards" positioning that I described,...the WAN
side of the box faces your LAN,...the LAN side of the box faces the VPN
link.

By comparison, in a normal forward positioning the LAN side faces the LAN and
the WAN side faces the "outside".

Pinging is a waste of time here. What pings and what doesn't is almost
meaningless here. What matters is what required things specifically work
and what specifically doesn't.

--
Phillip Windell



Phillip Windell

 
      01-20-2010, 03:18 PM
"Bill Kearney" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) t...
> That's ONE way to do it, not necessarily the only way nor the correct way
> given the expressed desires here.


Well,..Bill,..this is another one of those situations that you can lock 3 IT
guys in a room together and give them this question and you will get 5
different answers and the 3 IT guys will fight till they pass out from
exhaustion or you unlock the room.

> One thing that's not fully addressed here is there isn't going to be a way
> to allow OTHER devices on the networks to talk to each other through the
> VPN. Addressing on one side or the other WILL have to change in order to
> make that possible.


This whole situation is just a big mess and if it were me I would avoid ever
getting into it in the first place. Hence why I named my JPG "UglyVPN.jpg"
in that link. As far as a "correct way",....no matter what is suggested
as a "correct way" there is always going to be someone somewhere that jumps
up and throws out another theory that they say is the "correct way". So in
my posts I can only account for giving what I think is the correct way,...I
cannot possibly account for all the other theories and ideas out there or I
would be writing a "book" with every post,...what I already wrote was too
long to me as it was.

Heck, one thing that I don't think was mentioned was that (I
think,..possibly,..) that some Cisco VPN products have NAT (or whatever)
abilities built into them to handle just this sort of thing,...but I am not
an expert on their products.


--
Phillip Windell


