
Internet Networking issue - help appreciated.

Discussion in 'Networking (Hardware & Software)' started by rockhound, 2004/09/15.

Thread Status:
Not open for further replies.
  1. 2004/09/15
    rockhound

    rockhound Inactive Thread Starter

    Joined:
    2003/07/26
    Messages:
    16
    Likes Received:
    0
    I use VPN thru cable internet to connect to work. I have admin rights, and can resolve to all resources on our network. The only issue I have is that I can't connect to the internet thru this connection. I can do everything at home I can do at work except get to the internet.

    My thoughts were that I could get to the internet thru the internet server at work as if I were there, but haven't been able to get it to work. Any network experts out there that can explain the issue or issues ?
     
  2. 2004/09/15
    Rancher

    Rancher Inactive

    Joined:
    2002/01/07
    Messages:
    681
    Likes Received:
    0
    internet

    You prolly have a firewall setup at the work cable modem. You say you can "see" everything at the work computer so that leaves an internet guard somewhere.
     

  4. 2004/09/15
    rockhound

    rockhound Inactive Thread Starter

    Joined:
    2003/07/26
    Messages:
    16
    Likes Received:
    0
    Firewall issue ?

    Yes, we have a firewall. It is called WatchGuard. I can ping all servers and map drives to them, including the Internet Server. So if I understand you right, you're saying that something, maybe WatchGuard, is blocking me from connecting to the internet, even though I have access to all servers including the WatchGuard Firebox.

    I don't know if it will help, but when I try to ping an address, like www.yahoo.com it will say it is pinging www.yahoo.akadns.net. I have never seen anything like that before.

    TIA
     
    Last edited: 2004/09/15
  5. 2004/09/15
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Rockhound - yahoo is not a good site to ping for this sort of testing. You can get one IP and then if you ping again in a minute, you will probably get a different one. Neither will really be a place called www.yahoo.com.

    Try this. First ping www.yahoo.com to get the IP address. And yes, it will probably tell you that you are pinging www.yahoo.akadns.net

    Next, ping that IP address but add in the -a switch to force the name to display as well. It should say you are pinging pnn.www.dcn.yahoo.com (where nn is any two digit number so p11.www.dcn.yahoo.com or p14.www.dcn.yahoo.com or similar).

    Also note that if you keep pinging the www.yahoo.com address, you will get different IP addresses. Same range so 216.109.118.nnn but not always the same.

    Any site like Yahoo that has huge numbers of users will be doing something similar.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    As to your specific problem, I'm guessing but it sounds like you aren't getting assigned a proper gateway address when you VPN to the network. That would result in your being able to see anything on the same subnet as the server you connected to since no router would be involved but nothing outside that subnet since your PC would not know how to find a router - that's basically what the default gateway address does.

    Next time you connect, try looking at your PC's specific IP settings (and the method differs according to the OS you use) and see if you do have a gateway address assigned and, if so, does it match the one you need for your work network.
     
    Newt,
    #4
  6. 2004/09/16
    rockhound

    rockhound Inactive Thread Starter

    Joined:
    2003/07/26
    Messages:
    16
    Likes Received:
    0
    Gateway address - Yes I have

    Yes, I do have a default gateway address and an assigned IP address. The assigned IP is not in the same range as the ones at work though. Example: My PC's IP at work would be 144.1.117.35 and the VPN IP is 22.1.8.108 (subnet 255.255.255.255) and the default gateway is same as the assigned IP address, 22.1.8.108.

    Could the problem be because the VPN IP doesn't belong in the same group as the IP assigned to PCs at work? If so, do you know a remedy? Of course all of the above IPs are fictitious, but do resemble our pattern.

    Thanks.
     
    Last edited: 2004/09/16
  7. 2004/09/16
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    This might be a security issue. There are potential problems with allowing VPN users access to a remote network. For example, I have heard of a case where a company found that a competitor's network was routing via trusted links to a common wholesaler through their network (due to automatic routing protocols seeing this link as the shortest path). Also at the client end it is usually a good idea to restrict internet access to prevent malicious hijacking of a VPN connection from the internet. Restricting access via VPN only to the networks immediately connected to each end of the tunnel is a good starting configuration. Therefore, access to remote networks via VPN is usually a setting you have to switch on. For help with the exact setting we would need to know what VPN software you are using (that is if anyone recognises it).

    Having the default gateway the same as the end of the tunnel will effectively prevent you connecting to anything but the network you are connected to. The gateway needs to be the internal IP of the route out of your network (I expect that is the internal address of your WatchGuard firewall).

    However, why would you want to do this? By enabling this you would be adding an additional vulnerability to the system. If you have VPN working, I would think that you have internet access at your end. The obvious reason for doing this would be to test the network's ability to connect to the network. I would suggest that a better way to do this is to install VNC (or similar remote desktop utility) on your network; connect to this via your VPN; and then test connectivity via the PC you have remote control of.

    Following on from Newt's comments: I have always found that a good IP to use to test a connection is your ISP's DNS server. If you can connect to this, you have connection to the ISP's network. The response time is usually very quick (so you don't have the worry that the connection isn't working because of slow response rather than no response). Even better use TRACERT to test internet access. This not only tells you that you can get to a remote node, but also the path you took to get to it.
     
  8. 2004/09/16
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Rockhound, I think ReggieB may well have hit on the reason but given the addressing you have, I'd be very surprised if your machine could ever get out to the internet and I'm guessing there will also be restrictions on what it can do even on the LAN at work.
     
    Newt,
    #7
  9. 2004/09/17
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    Those IP addresses are public addresses, rather than the private addresses usually used on private networks (Addresses set aside for private use are 10.*.*.* and 192.168.*.* - there's a class B one too, but I can never remember it). That suggests to me that your network is set up without NAT (Network Address Translation). There is nothing intrinsically wrong with that, but it is expensive (you have to buy a range of IP addresses to match the size of the network, rather than sharing a small number of addresses), and a little harder to secure.

    However, if you are using NAT on your network you may have problems accessing IP addresses on the internet that start 144.1.*.*, as your network will see those as local addresses and not route your communication out of your network.

    If you are not using NAT, I would suggest that it is not a good idea to publish your IP address on a public board like this.
     
  10. 2004/09/17
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    How closely do they resemble your pattern? Especially, did you give the correct beginning octet so that you are using 144.x.x.x or is it one of the 10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x ranges that ReggieB spoke of as being reserved for private LANs?
     
    Newt,
    #9
  11. 2004/09/17
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    172.16.X.X to 172.31.X.X - yes those are the class B private addresses. Thank you Newt. Also I missed that comment about those not being the actual addresses.
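
The checks discussed in the posts above, as an added Python example that is not part of the original thread: it reads an adapter's IP/mask/gateway triple the way Newt and ReggieB do by eye, tests addresses against the three private ranges they name, and shows the "local address shadows an internet address" case ReggieB describes. The adapter values are the ones rockhound posted; the `144.1.0.0/16` network and the destination addresses are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

# The three private ranges named in the thread (10.x, 172.16-31.x, 192.168.x).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr falls inside one of the three private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def describe_adapter(ip, mask, gateway):
    """Summarise what an adapter's IP/mask/gateway triple implies for routing."""
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    gw = ipaddress.ip_address(gateway)
    return {
        "prefix_len": iface.network.prefixlen,
        "private": is_rfc1918(ip),
        # /32 mask: no neighbour is on-link, so every packet goes via the gateway.
        "point_to_point": iface.network.prefixlen == 32,
        # Gateway equal to the adapter's own address: the default route
        # points into the tunnel itself rather than at a LAN router.
        "gateway_is_self": gw == iface.ip,
    }


def shadowed_destinations(internal_nets, destinations):
    """Return (destination, network) pairs where a non-private internal
    network would capture traffic meant for a host on the internet."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = []
    for dest in destinations:
        ip = ipaddress.ip_address(dest)
        for net in nets:
            if ip in net and not is_rfc1918(dest):
                hits.append((dest, str(net)))
    return hits


if __name__ == "__main__":
    # Adapter values as posted in the thread (the poster calls them fictitious).
    print(describe_adapter("22.1.8.108", "255.255.255.255", "22.1.8.108"))
    # Constructed sample: one internal net in public space, one private.
    print(shadowed_destinations(["144.1.0.0/16", "10.0.0.0/8"],
                                ["144.1.200.9", "10.1.2.3", "198.51.100.7"]))
```
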
     
  12. 2004/09/23
    rockhound

    rockhound Inactive Thread Starter

    Joined:
    2003/07/26
    Messages:
    16
    Likes Received:
    0
    First off, let me apologize for taking so long to answer to thank everyone for their assistance and knowledge. I was disabled after I first posted because of a bad email address I had. He asked me to fix it, but also disabled my account until it was. He asked me to let him know, but couldn't because my account was disabled. It's been four or so days, but I'm finally back.

    Now to the issue at hand. You were right on the internal octet. I was just using a fictitious one for security, but since a lot of users use the 10.xxx.xxx.xxx range, I see no problem letting you know. The issue still hasn't been resolved, and adding to the routing table didn't help. It might be because most of our internal IP traffic is on a subnet of 128.xxx.xxx.xxx. I believe the 10.xxx.xxx.xxx is just at the firebox, even though our main dns server is with this IP range.

    Anyhow, thanks to all for the help, and if anyone can think of any way to reach our Internet connection through VPN, I'd appreciate the response. Right now we're looking into the fact it is blocked at the server for security reasons.

    And since there are only 2 of us in the whole IT dept. and we're the only ones that dial in, we don't see an issue with us enabling this capability. But neither of us are knowledgeable enough to know how to configure the IE server to let us thru. If anyone knows what method could be used, it would be appreciated.


    Thanks very much again.
     
  13. 2004/09/23
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Please post the full ipconfig information for both your PC when VPN connected and for the server you connect to.

    In case you don't mess with this stuff often, if you are running NT OS versions it's easy enough.

    start -> run -> cmd
    then from the command prompt
    ipconfig /all > c:\config.txt
    and then copy the contents of config.txt to a reply here.

    9X/ME with that GUI thing and you'll have to do some typing.

    We will need to see everything though with no masking. Since, as you noted, they are private internal systems you won't be putting yourself at risk.
     