Need networking help

Status
Not open for further replies.
I work in the healthcare industry and remotely connect to my customer sites to install software, configure product code, do online training and troubleshoot problems with software.

Frequently, I have to connect to their private network using a VPN client. This one site, I do just that. Once connected to the private network, I can see I have an IP address in their private network range. However, I cannot ping any of the servers there and I cannot connect to our product servers.

An associate of mine has basically the same setup; however, he can connect to the customer's servers where our products are located.

My server is sitting in the DMZ of my office router and therefore not being bothered by the firewall of the router.

Does anyone have any ideas why I cannot ping or connect to the servers once on their private network?

Thank you for any and all replies.
 
Just an educated guess ... but...

If you are behind a router (most people these days), DMZ or otherwise, chances are you are behind NAT.

If the remote network over VPN gives you an IP Address in the same range as your own network...

e.g. your network gave you 192.168.0.100 and the VPN network gave you 192.168.0.50. Both live on the 192.168.0.0/24 network (255.255.255.0).

Since that network (what they call the "prefix"), 192.168.0, is considered local to your computer, it would not give your IP traffic to the router. It would just broadcast on the local network (ARP) looking for any IP that you were trying to reach.

Also ... a VPN might create an additional virtual "network interface" ... in fact it probably does. So the other problem that crops up is that now you could have two "network connections" both claiming to be 192.168.0.0/24. So what does your operating system (Windows) do? Because really it doesn't work to have two network interfaces ... or two "network routes" ... for the same NETWORK.

So what's a person to do???? Well, if you are capable of it ... reconfigure your own router and change the network that it's on. You still need to use RFC 1918 private IP addresses like the 192.168 stuff ... but try to use a range that most other people's routers would not use. A lot tend to use 192.168.0.0 and 192.168.1.0, so avoid those.

You could even look into using the 10.x.x.x range. You can use the 255.255.0.0 netmask in the 10 range, but I'd use 255.255.255.0 and make a /24 - I doubt you have 254 computers counting your router ... and the math is a bit simpler with a /24 than with a /16. A /16 provides around 65,500 computers - which is too much ... and it operates on the third and fourth numbers ... whereas a /24 only operates on the fourth number. If you are not careful with your netmask usage you could clobber multiple networks. Say you used 255.255.0.0 with a 192.168.0.0 type of network, e.g. 192.168.0.0/16 or 255.255.0.0 ... you clobber every network from 192.168.0.x to 192.168.255.x.

---
Alan S.
marinetelecom dot net
 
ASpicer, thank you for the reply.

Actually the private network is a 10.xxx.xxx.xxx network and my router is on a 192.168.xxx.xxx network. I was concerned about that because my virtual network is 192.168.1.x and I was thinking I might be having a conflict there, but I looked that over, and I am on 2 separate networks.

When I remote to this private network, I am not using my virtual NICs, so I get an IP in the 10.xx.xx.xx range as I would expect from the customers description of the network.

That was a good thought, but I was there already. Thank you again.
 
Hmmmm. Have you had any luck connecting to other sites by VPN ... because it sure seems like the problem is on your end, if someone else can access things on that site and you cannot. It would be interesting to compare your setup with the one that works.

If there's a way to, even if temporarily, go on the outside IP address at your location rather than through the NAT/router ... that might tell you if the problem is in your ISP. You didn't say whether the one that works is at a different location on a different ISP, but I'm guessing that it is.

Try removing your DMZ if YOU are the DMZ as well ... in case that's the problem. You shouldn't have to be in the DMZ on your end if you are going over a VPN to someone else's network.

Also check your routes ... when you have the VPN up. Make sure you are actually getting a route to that 10.x.x.x network. I would imagine you would. There should only be one, and it should go through the VPN device.

Another thought, one that killed me on a yacht job one time. Some VPN Servers are configured to NOT let you access your Local Network while you are on the VPN connection. It's supposedly a security thing. This would not affect someone else who was directly on the Internet without NAT, but it might affect you. Try getting them to remove anything like that for your connection only - if they can.
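The two checks the thread keeps coming back to, which adapter a packet actually leaves on (longest prefix match, ties broken by metric) and whether the VPN's prefix collides with the local LAN prefix described in ASpicer's first reply, as an added example that is not code anyone posted in this thread. The route tables are constructed in `route print` column order; the addresses, metrics and adapter addresses are assumptions, not the original poster's values:

```python
"""Route-table checks for a VPN client (added example, not from the thread).

Models longest-prefix-match lookup and detection of a local LAN prefix that
overlaps the prefix the VPN hands out. Sample tables are constructed; the
addresses and metrics are assumptions, not the original poster's values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network    # destination/netmask
    gateway: ipaddress.IPv4Address    # 0.0.0.0 means on-link: ARP, no router
    interface: ipaddress.IPv4Address  # address of the adapter the route uses
    metric: int


def parse_routes(table: str) -> list[Route]:
    """Parse lines of 'destination netmask gateway interface metric'."""
    routes = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers and blank lines
        dest, mask, gw, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, ipaddress.IPv4Address(gw),
                            ipaddress.IPv4Address(iface), int(metric)))
    return routes


def lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Longest prefix match; ties broken by lowest metric, as Windows does."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def prefix_conflicts(routes: list[Route]) -> list[tuple[Route, Route]]:
    """Pairs of overlapping non-default routes that leave on different adapters."""
    specific = [r for r in routes if r.network.prefixlen > 0]
    conflicts = []
    for i, a in enumerate(specific):
        for b in specific[i + 1:]:
            if a.interface != b.interface and a.network.overlaps(b.network):
                conflicts.append((a, b))
    return conflicts


def egress_interface(table: str, dst: str) -> str:
    """Address of the adapter a packet to dst would leave from."""
    r = lookup(parse_routes(table), dst)
    return str(r.interface) if r else "no route"


# Constructed: LAN on 192.168.1.0/24, VPN adapter 10.8.0.50 with a /8 route
# to the customer's 10.x network, the layout the original poster describes.
HEALTHY_TABLE = """\
0.0.0.0        0.0.0.0         192.168.1.1   192.168.1.100   25
10.0.0.0       255.0.0.0       10.8.0.1      10.8.0.50       35
10.8.0.0       255.255.255.0   0.0.0.0       10.8.0.50       291
127.0.0.0      255.0.0.0       0.0.0.0       127.0.0.1       331
192.168.1.0    255.255.255.0   0.0.0.0       192.168.1.100   281
"""

# Constructed: the collision case, LAN and VPN adapter both on 192.168.0.0/24.
CONFLICT_TABLE = """\
0.0.0.0        0.0.0.0         192.168.0.1   192.168.0.100   25
192.168.0.0    255.255.255.0   0.0.0.0       192.168.0.100   281
192.168.0.0    255.255.255.0   0.0.0.0       192.168.0.50    291
127.0.0.0      255.0.0.0       0.0.0.0       127.0.0.1       331
"""

if __name__ == "__main__":
    print("healthy, 10.20.30.40 leaves via", egress_interface(HEALTHY_TABLE, "10.20.30.40"))
    print("conflict, 192.168.0.20 leaves via", egress_interface(CONFLICT_TABLE, "192.168.0.20"))
    for a, b in prefix_conflicts(parse_routes(CONFLICT_TABLE)):
        print(f"overlap: {a.network} via {a.interface} vs {b.network} via {b.interface}")
```

In the conflict table both /24 routes match the customer's server, so the lower-metric LAN route wins and the packet is ARPed on the home LAN instead of entering the tunnel, which is exactly the silent failure the first reply describes; in the healthy table the 10.0.0.0/8 route carries the traffic out the VPN adapter and `prefix_conflicts` finds nothing to report.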
 
> Another thought, one that killed me on a yacht job one time. Some VPN Servers are configured to NOT let you access your Local Network while you are on the VPN connection. It's supposedly a security thing. This would not affect someone else who was directly on the Internet without NAT, but it might affect you. Try getting them to remove anything like that for your connection only - if they can.
Bingo! This is quiet normal, and allowing otherwise is abnormal; yes, that's a major security issue for the VPN server.
Yeah, I heard you say your buddy can do this, but tell your admin staff and they will go screaming. This is a HIPPA violation at the least!
 
Nahhhh, we're not playing Bingo here. But it is rather quiet noise-wise and fairly normal on most days here. Yah, that's what my doctor told me about my last cholesterol test (movie quote)... So you say that's a major security issue with a VPN server, ehhh? Well I dunno... I don't have any "buddies", but we did get one company to allow access to the local network on a VPN server for one client connection on a yacht. Not for every connection to the server. I'm not sure about this HIPPA (or HIPAA?) violation you are talking about. Isn't that a medical provider related law? I hope we don't need a $300/hr. lawyer just to configure a VPN anywhere. I would think that just has to do with medical providers like a doctor's office or someone dealing with patient information. You can tell me if I'm wrong.
 
I must have typed HIPPA 10,000 times, but it's HIPAA as you noted :(

If the VPN server contains HIPAA data, then while you're connected to it, any access to your local LAN represents a security threat to the VPN.

Every time I've seen a VPN connection, the IP address for that connection is relative to the remote server, not the local LAN, and that causes a routing mismatch -- this is why you can't access your local LAN.

Best wishes if you ever induce a problem to the remote system.
 
Yahhhh (HIPAA) ... anyway, the question is not from me, I was answering it, so I don't know if the VPN server of the site that the original poster is talking about has anything to do with medical records. But thanks for the tip ... you made me look up HIPPA and HIPAA, which made me aware of what that is (I've heard of it before) in case anyone that I deal with is subject to that law.

I would imagine that even if you didn't have to be HIPAA compliant, any access to the local LAN (isn't that redundant? "Local - Local Area Network"?) would be a security threat. But then again, any connection to the Internet is a security threat as well. So there's gotta be a lot more to it than that. I can't imagine the HIPAA POLICE connecting to a VPN and trying to go for their local LAN and citing that as a violation, but then again I don't know how the HIPAA police operate. Supposedly it's rather common to get sued over HIPAA. At least that's what the lawyers in my google.com search were saying.

> Every time I've seen a VPN connection, the IP address for that connection is relative

* Hmmmm. In my one experience the VPN rules at the server had blocked access by the client to his local LAN. When we finally convinced them that we needed access to the local LAN, or else our Internet connection died upon VPN CONNECT, then all was OK. (This was a custom GPRS Internet over a wireless-to-RS-232 conversion "thingy", and killing the local LAN killed the connection.) I wonder if that would also kill a connection over a NAT/router. I haven't time to test that right now. But I am curious.

The original poster, as I mentioned, might have a look at his routing table in Windows and see what's going on. He said they were different networks, though, so it shouldn't kill his local LAN that way. Maybe he'll come back in here and tell me more after my recent questions. I am curious if he can get on any other VPNs ... and if the "other guy" that can get into this particular VPN's network ... is directly on the wild wild Internet or through a NAT/router as well.
 
The bottom line (imo) is that the inability to access the local LAN (as opposed to the remote LAN on the VPN server) is correct and necessary.

There is a technique to allow that access, but being security conscientious, I'll not disclose that publicly -- sorry.
 