Client VPN connected but cannot RDP or connect to Intranet

Solved
IT_Tropolis
Getting noticed

Hi:


User has MacOS machine. User connects to Client VPN successfully. They obtain Client VPN IP address and I can ping their IP. But they cannot RDP to their computer on the LAN via IP address or connect to the LAN Intranet. They cannot even ping IPs on the LAN. Split tunneling is NOT cfg. and they can connect to Internet sites, and those sites see their public IP as the office IP, not their home ISP public IP.


If user physically takes same MacOS machine to a Starbucks or another house it works as expected, i.e. they can RDP to their machine at the office and they can connect/open the Intranet site.


At location w/issue, they have Frontier FIOS w/an ARRIS NVG468MQ router. It uses 192.168.254/24 network. The office coincidentally uses the same LAN subnet 192.168.254/24. Is this the cause?


Thanks for any insights!

3 Replies
GreenMan
Meraki Employee

Almost certainly - have a look at the routing table on the client, whilst at home.

The client is probably ARPing the destination directly on his home network.
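To see why the client ARPs locally instead of sending the packet down the tunnel, the lookup a host performs can be reproduced in a few lines. This is an added example, not code from the thread or from Meraki: the route tables are constructed to mirror what `netstat -rn` on the Mac would show at home (full tunnel, home LAN on en0) and at a cafe with a non-overlapping LAN; the interface names utun0 and en0 and the cafe prefix are assumptions.

```python
import ipaddress

# Constructed routing tables, not copied from the post: (prefix, interface, metric).
# At home: split tunneling is off, so the default route points at the VPN, but the
# ARRIS LAN 192.168.254.0/24 is a connected route on en0 and equals the office LAN.
HOME_ROUTES = [
    ("0.0.0.0/0", "utun0", 0),        # full tunnel: everything not more specific
    ("192.168.254.0/24", "en0", 0),   # connected: the home FIOS LAN
]
# At a cafe: the local LAN (assumed 10.20.0.0/16) does not overlap the office.
CAFE_ROUTES = [
    ("0.0.0.0/0", "utun0", 0),
    ("10.20.0.0/16", "en0", 0),
]
OFFICE_LAN = "192.168.254.0/24"
VPN_IFACE = "utun0"


def resolve(routes, dst):
    """Interface a host picks for dst: longest prefix wins, lower metric breaks ties."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1] if best else None


def overlapping(routes, office_lan, vpn_iface=VPN_IFACE):
    """Non-VPN (connected) prefixes that overlap the office LAN.

    Any hit means hosts in that range are resolved on the local segment and ARPed
    there, so the tunnel never sees the traffic, which is exactly the symptom above.
    """
    office = ipaddress.ip_network(office_lan)
    return [p for p, iface, _ in routes
            if iface != vpn_iface and ipaddress.ip_network(p).overlaps(office)]


if __name__ == "__main__":
    for name, table in (("home", HOME_ROUTES), ("cafe", CAFE_ROUTES)):
        print(name, "->", resolve(table, "192.168.254.10"),
              "overlap:", overlapping(table, OFFICE_LAN))
```

Run against the real output of `netstat -rn`, an empty `overlapping()` list with the office hosts resolving to utun0 means the routing is not the problem and the fault lies elsewhere.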

Hi @GreenMan 


Is there a way to workaround/cfg. for this scenario to work, i.e. for Client VPN users to be able to access LAN resources when coincidentally their outside LAN subnet from which they're connecting is same as the office LAN subnet?


Thank you! 

Bruce
Kind of a big deal

@IT_Tropolis I’ve never come across an easy solution to this problem. It’s one of the reasons why I try to avoid the 192.168.x.x networks for anything to do with a corporate/office network. If they need to access Local LAN resources at the same time as being connected to the office via VPN then one of the networks’ IP addresses has to change, or be NATed.


Maybe you can provide them a small Meraki MX/Z device for use at home (via AutoVPN) and enable VPN subnet translation, https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation. You’ll need Meraki Support to enable it. However this will most likely then cause you other issues with DNS hostname to IP address mappings. As I said, unfortunately no easy way to fix this one.
