Remote Office Connectivity

Posted by Gary on October 14, 2005, 9:55 am
We have 2 offices. Head office and a satellite office.

Each site has a router and an internal PIX firewall.

The satellite office has a point to point link back to headquarters and will
be used for all connectivity, as headquarters has a very large internet
connection.

In addition to this the satellite office has 2 bonded ADSL lines for
failover should the primary point to point link fail.

My question is how to connect the 2 sites. Should each end of the point to
point link connect into the routers at each site?

This is not really routing as they could see each other at layer 2 so I am
confused what the config should look like on each router. Do I simply
configure the WAN side of the Satellite office in say one private subnet and
the WAN side of HQ in the same subnet and run a VPN across this link and
that is it?

The satellite office needs to be able to reach the NAT'd internal addresses
at HQ.

Any pointers on method/config greatly appreciated.

Gary




Posted by Vincent C Jones on October 14, 2005, 11:03 am

As stated, you seem to be doing everything possible to make the solution
more complex. If you treat the satellite office and the main office as
separate subnets and route between them, then the VPN can be configured
like a dial backup link. Bridging rather than routing between the two
sites makes the solution much more difficult (or much less robust, take
your choice). Ditto on using the external addresses of the servers at HQ
rather than the internal addresses when accessing from the satellite.

One hint: terminate the VPN at the HQ end on a router inside the HQ PIX
so satellite users will still be able to reach the Internet when running
on the VPN. A PIX doesn't like to send traffic out the same interface it
came in on, although this limitation has been addressed in 7.0.

Good luck and have fun!
--
Vincent C Jones, Consultant          Expert advice and a helping hand
Networking Unlimited, Inc.           for those who want to manage and
Tenafly, NJ Phone: 201 568-7810      control their networking destiny
http://www.networkingunlimited.com


Posted by Gary Shine on October 14, 2005, 4:33 pm

Thanks for the hint. We do not have any routers behind the PIX's and do
not have the money for that.

From what you are saying I should run routing across the point to point
link router to router?

i.e. EIGRP?

What do you mean by using the external addresses at HQ. The point to
point link does not care about these and cannot route across the public
internet anyway as it is a fixed link router to router?

My thoughts were to route somehow across the P2P and have a VPN across
the public network using the ADSLs and somehow only activate the ADSLs
on P2P link failure.

Gary



Posted by Vincent C Jones on October 16, 2005, 5:46 pm
>Thanks for the hint. We do not have any routers behind the PIX's and do
>not have the money for that.
>
>From what you are saying I should run routing across the point to point
>link router to router?

yes

>i.e EIGRP?

whatever floats your boat

>What do you mean by using the external addresses at HQ. The point to
>point link does not care about these and cannot route across the public
>internet anyway as it is fixed link router to router?

The phrase "The satellite office needs to be able to reach the NAT'd
internal addresses at HQ." The NAT'd internal addresses at HQ are
the external addresses used by HQ. So how do users at the branch
address the required services, by their internal IP or their public
(external) IP? If the former, no problem.

>My thoughts were to route somehow across the P2P and have a VPN across
>the public network using the ADSL's and somehow only activate the ADSL's
>on P2P link failure.

Think about it, that is exactly how dial backup works. Just remember
that if the first time you try to activate the ADSL link is two
years from now when the PtoP link fails, the chances of the ADSL
link working are whatever remains from the probability of the ADSL
link failing at ANY time over the previous two years. Routine
testing of backup facilities needs to be part of your SOP.

>Gary
>

Good luck and have fun!
--
Vincent C Jones, Consultant          Expert advice and a helping hand
Networking Unlimited, Inc.           for those who want to manage and
Tenafly, NJ Phone: 201 568-7810      control their networking destiny
http://www.networkingunlimited.com


Posted by Gary Shine on October 17, 2005, 3:07 am

Never used dial backup so I guess we are talking weighted route
statements with the P2P being favoured over the ADSL Wan link?

QUOTE
> The phrase "The satellite office needs to be able to reach the NAT'd
> internal addresses at HQ." The NAT'd internal addresses at HQ are
> the external addresses used by HQ. So how do users at the branch
> address the required services, by their internal IP or their public
> (external) IP? If the former, no problem.

You confused me here???

I am expecting Satellite users to be able to address services at HQ
using the internal private address range behind the PIX's. Ultimately I
see a VPN from the private address range of the Satellite office to the
private address range of HQ behind the PIX's.

Currently HQ looks like this

Internet --- [2MB Leased Line] -----> HQ Router -------> HQ Pix

It will eventually look like this

Internet --- [2MB Leased Line] -----> HQ Router -------> HQ Pix
Satellite ------[EIGRP]-------------> HQ Router -------> HQ Pix


HQ Router has a public IP only on the outside interface towards the
internet and public plus private secondary on the inside. We will add in
a new G703 card for the 2MB P2P link and I assume we will allocate it a
new private subnet different to anything at HQ but the same as the
external interface at the satellite office, and we will run EIGRP over
this link.

We will also create a VPN across the public internet using the ADSL at
the Satellite office for failover or dial backup?

I think this and maybe a few route statements should do the job?

Gary
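One way to lay out the satellite router along the lines the thread converges on: EIGRP over the P2P link as the primary path, an IPsec VPN over the ADSL, and floating static routes (Gary's "weighted route statements") so the ADSL path is only installed when the P2P link and its EIGRP adjacency are gone. This is an added illustration, not configuration from the thread; the interface names, addresses (192.168.10.0/24 for HQ inside, 192.168.20.0/24 for the satellite LAN, 10.255.0.0/30 for the P2P, 203.0.113.1 for the HQ router's public address), the EIGRP AS number and the pre-shared key are all assumed placeholders, and HQ is assumed to advertise a default route into EIGRP.

```cisco
! Satellite router, Cisco IOS (added example; all names, addresses and
! the pre-shared key are placeholders, not values from the thread)
!
interface Serial0/0
 description 2MB P2P link to HQ (primary path)
 ip address 10.255.0.2 255.255.255.252
!
interface Dialer1
 description bonded ADSL to the Internet (backup path; PPPoE details omitted)
 ip address negotiated
 crypto map ADSL-VPN
!
! EIGRP learns the HQ inside network and a default route over the P2P link.
! Internal EIGRP routes carry administrative distance 90.
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 192.168.20.0 0.0.0.255
 no auto-summary
!
! IPsec tunnel across the public Internet to the HQ router's outside address,
! protecting satellite LAN <-> HQ inside LAN traffic only.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto map ADSL-VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-TRAFFIC
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
! The VPN peer itself is always reached via the ADSL (host route wins on
! longest match), never via the P2P, so the tunnel can come up at any time.
ip route 203.0.113.1 255.255.255.255 Dialer1
!
! Floating static routes: AD 250 is worse than EIGRP's 90, so they stay out
! of the routing table while the EIGRP routes exist and take over only when
! the P2P link (and the EIGRP adjacency over it) goes down.
ip route 192.168.10.0 255.255.255.0 Dialer1 250
ip route 0.0.0.0 0.0.0.0 Dialer1 250
```

To exercise the backup path routinely, as Vincent recommends, shut down Serial0/0 in a maintenance window and confirm with `show ip route 192.168.10.0` that the Dialer1 route is installed and with `show crypto isakmp sa` that the tunnel has come up. Remember that during backup the satellite's Internet traffic follows the floating default out the ADSL directly rather than through HQ, so any filtering normally done at HQ no longer applies.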





