subnet question


elentz

Technical User
Jan 9, 2007
I have a customer who has a class A private network setup. I have been given static IP addresses of 10.1.1.50 - 75 / 255.255.255.0 for my phone systems to use. I was given a VPN connection using PPTP to program them offsite using port 4000. Over the summer they changed some things around, like got rid of the company handling their network. Since then I can no longer remotely program my systems. If I connect to their network onsite I get an IP something like 10.1.20.xxx/255.255.255.0; I cannot connect to my systems. When I VPN into their network I get an IP something like 10.38.25.xxx/255.255.255.255, still the same, cannot connect on port 4000. The new IT guy says your problem is that your systems are using the wrong subnet, change it to 255.255.0.0 and all will be fine. Well, he was wrong. My thoughts are that he has a firewall or a router that will not allow port 4000 through. I can get to the http server on all the phone systems no matter where I connect in. Can someone comment on this to see if the guy is just blowing smoke?

Thanks a lot
 
The fact that
A. You get an IP address when VPN'd in, and
B. You can connect
means that you are indeed using the correct mask, and the new IT dude has no clue. I would say that port 4000 is blocked. What's their topology like?

Burt
 
I'm not sure just how it is set up. They are kinda quiet about it. I know they have a wireless connection from one building to another, they have some fiber to other buildings. They have several different networks. In fact the 10.1.1 network I am on is the range they use for the administrative machines for the superintendents' offices. I have the same feeling that port 4000 is blocked somewhere, but I can't seem to get it through their heads. The guy used a phrase "sterile firewall". I have never heard that before. But, that might also mean that it blocks everything?

Thanks
 
I guess he means that it doesn't block anything...do you have telnet access to anything, and if so, telnet via port 4000, or RDC into a machine and do a netstat/ all

Burt
 
I'll see what I can do. I don't think I can telnet into anything I have there. I certainly don't have the ability to RDC into anything.
 
Talk to the owner, if they're your systems. I'd pay them a visit, too.

burt
 
Well, I was right, I can't telnet into anything of mine. I reconnected to their VPN and got an address of 10.38.172.2/255.255.255.255 with a gateway of 10.38.172.2. Now to my way of thinking, that address is the only address that can be on that subnet, right? So, the statement from the guy programming the routers/firewall that that is on the same network as 10.1.1.xxx/255.255.0.0 is smoke up a vertical orifice, is it not?

Going to their location is about an hour away, so that won't happen at my expense. Soon, I am sure the district manager will get fed up with them messing with it and pay me to come up for a face to face.

Thanks
 
smoke up a vertical orifice

Yep.


"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 
If you are at all comfortable working in the Linux environment, you can download and compile hping. Then you can use it to run the equivalent of a traceroute on any TCP or UDP port that you like. You would not only be able to validate that your packets are being filtered, you'd be able to tell them exactly where they are being filtered.


pansophic
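pansophic's hping suggestion locates where packets are dropped along the path; as an added example (not code from this thread or from hping), here is a plain-Python connect test that tells the three outcomes apart: a listener answers (open), the host answers with a reset (closed, i.e. the host is reachable but nothing listens), or nothing comes back before the timeout (filtered, the usual sign of a firewall silently dropping the SYN). Host names and port 4000 below are the thread's own values; the local demo ports are constructed at run time.

```python
import errno
import socket


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a TCP connect attempt to host:port.

    open        -> three-way handshake completed, a service is listening
    closed      -> RST came back (connection refused): host reachable, port not listening
    filtered    -> no reply before the timeout: typical of a firewall dropping SYNs
    unreachable -> local stack reports no route / host unreachable
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


def compare_ports(host: str, ports) -> dict:
    """Probe several ports on one host; 'open' on 80 next to 'filtered' on 4000
    points at a filter in the path rather than a dead host or a bad mask."""
    return {p: probe_tcp(host, p) for p in ports}


def demo_local() -> tuple:
    """Self-contained demonstration on loopback (constructed, no network needed):
    probe a live listener, close it, probe the same port again."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=2.0)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo_local())  # expected: ('open', 'closed')
    # against the real phone system, e.g. compare_ports("10.1.1.50", [80, 4000])
```

Run it from the VPN and from inside the office: the same host reporting "open" on 80 and "filtered" on 4000 from one vantage point only is the evidence the thread is looking for.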
 
As a matter of fact I am loading Ubuntu on a laptop right next to me as I write this! I'll look into that.

Thanks
 
10.38.172.2/255.255.255.255 is indeed a single host address, and not part of any network. Did their IT guy get fired from Taco Bell or something?

Burt
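The mask arithmetic behind this exchange, as an added example (not code from the thread), using Python's standard ipaddress module. It checks the pairs of addresses and masks quoted in the thread (10.1.1.x/24, 10.1.20.x/24, the proposed 255.255.0.0, and the VPN's 10.38.172.2/255.255.255.255) and goes one step further than a single membership test: it distinguishes "A thinks B is on-link" from "A and B are genuinely in the same subnet", which only holds when each address falls inside the other's network.

```python
import ipaddress


def network_of(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Network an address belongs to under a dotted-decimal mask."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def usable_hosts(addr: str, mask: str) -> int:
    """Number of host addresses: /32 has exactly one, /31 two,
    anything wider loses the network and broadcast addresses."""
    net = network_of(addr, mask)
    return net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2


def on_link(addr_a: str, mask_a: str, addr_b: str) -> bool:
    """Does host A (with its own mask) treat B as directly reachable,
    i.e. ARP for it instead of sending to the gateway?"""
    return ipaddress.IPv4Address(addr_b) in network_of(addr_a, mask_a)


def same_subnet(addr_a: str, mask_a: str, addr_b: str, mask_b: str) -> bool:
    """True only when the view agrees from both sides. A one-sided check
    is the trap: widening A's mask makes A think B is local, but B still
    routes A's replies through its gateway."""
    return on_link(addr_a, mask_a, addr_b) and on_link(addr_b, mask_b, addr_a)


if __name__ == "__main__":
    vpn = ("10.38.172.2", "255.255.255.255")
    print(network_of(*vpn), "hosts:", usable_hosts(*vpn))          # 10.38.172.2/32 hosts: 1
    # phone at /24 vs workstation on the office LAN at /24
    print(same_subnet("10.1.1.50", "255.255.255.0", "10.1.20.5", "255.255.255.0"))  # False
    # the suggested fix: phone widened to /16, workstation unchanged
    print(on_link("10.1.1.50", "255.255.0.0", "10.1.20.5"))        # True (phone's view)
    print(same_subnet("10.1.1.50", "255.255.0.0", "10.1.20.5", "255.255.255.0"))  # False
    # the /32 VPN address is in nobody's subnet
    print(same_subnet("10.1.1.50", "255.255.0.0", *vpn))            # False
```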
 
He must have. I am not real good at some of this, but would or could his VPN server dole out a single host addy for each VPN connection?
 
I have never done that, but I suppose so...but the host address would need routes back and forth...

Burt
 
Yes, you can hand out VPN ip addresses with a 32 bit mask. Heck, I use addresses on internal networks with a 32 bit mask for security reasons.
 
Then I guess that would make sense to some degree, as Brian said "for security reasons". But, that would mean that if you had say 30 VPN users then you would have to make rules for routing for each one individually, wouldn't you? Sounds like a lot of work to me.
 
Actually, ip route and access-list commands can cover entire subnets and summarized routes, so perhaps not---any statement with a subnet under which a single host (even with a host mask) would fall I guess would be covered...

Burt
 
So we still are in agreement that his routing is not right.
 
There are too many variables for us to tell you what the issue may be.

For example.

1. He may have changed the internal routing and hence your system is improperly configured.

2. He may not be allowing your system to traverse the firewall.

3. He may not have the VPN properly configured to allow you to remote to your system.

The easiest way is the next time they call and have problems tell them it will be a day or two before you can get back to them, but if you had remote access you could pencil them in.
 
Brian,

I agree that there are many things that could be going on. They are aware that I will need to make a trip to see them if they need something done. So, all of your suggestions and help have solidified my thoughts about who needs to do what. Thank you all for your help.

Have a good weekend!
 