Re: Network Management Guru required (for 5 minutes)

Phillip Windell, 02-06-2004
"Jansen Reyes" <(E-Mail Removed)> wrote in message
news:Z8LUb.139$(E-Mail Removed)...
> centered around 2 Filtering routers ( Diagram can be found here)


This is a "plain text" message and there is no diagram.

> N.B The DMZ is the only network with public IP's


It is better to use private IP blocks in the DMZ of a Back-to-Back DMZ
such as this. But you can use public IP#s if you want to.

> 1) Remote users need access to the internal DATA and Voice lans. My
> plan at the moment is to use the exterior 2600 as a VPN terminator,
> authenticating via a Radius to a server located in the data lan. Is this
> good practice? Would one normally place the authentication server in the
> internal LAN, and would one terminate VPN tunnels in the perimeter router?


To VPN with a B2B DMZ you must create two VPN tunnels. The first one
runs between the two routers. The second tunnel runs inside the first
one and goes between the user and the internal resource.

Here are some articles on the subject. They are centered around using
MS ISA Server, but the overall principles are the same in any
situation.
Watch out for the line-wrap on these links:

Configuring VPN Access in a Back to Back ISA Server Environment
http://www.isaserver.org/tutorials/C...s_in_a_Back_to
_Back_ISA_Server_Environment.html

Joining Private Networks over the Internet: Back to Back ISA Server
DMZs on Both Sides, Part 1
http://www.isaserver.org/tutorials/g2gb2bpart1.html

Joining Private Networks over the Internet: Back to Back ISA Server
DMZs on Both Sides, Part 2
http://www.isaserver.org/tutorials/b...zvpnpart2.html


> 3) We have client networks which we have to monitor/manage. The
> problem is, we have no control over the third-party address space. In
> many an occasion they might be using exactly the same range as another
> client, or even as ourselves. (everyone uses 192.168.1....). I've done
> a lot of research into

I know of no way around that without some kind of NAT in combination
with the VPN.

> this and finally arrived at some conclusions. In order to resolve
> this issue, I hope to do the following: initiate VPN tunnels from the
> internal router to the third-party network. Then, map the external
> Address range (subnet) to a unique address space within our network.
> This can be done using IOS. Does this seem reasonable?


I have no idea what you are trying to describe there.

> 4) For remote management purposes, certain peers on the internal LAN
> would have to access the remote network. There are 2 things which I am
> worried about:
> i) Client access to the third-party nets - This can be dealt with
> via ACL's I suppose


You're trying to depend on routers and ACLs to control
everything... not good. Use things the way they were meant to be used.
Routers and firewalls control *initial* access to a network. Once
access to a LAN is granted at that level the firewalls or routers are
done with their job; from then on security is controlled by the LAN's
own security systems (User accounts, User Groups, File System
Permissions, etc). Just because a user is allowed to get to a certain
LAN by the router or firewall doesn't mean they automatically can see
or grab whatever they want within that LAN. Resource access within
LANs is controlled by Domain Controllers, user accounts, Filesystem
Permissions.

> ii) Pollution on third-party networks from internal & vice versa. By
> this I mean, publication of printers and the sorts. My initial plan was
> to have 2 NIC's on all the machines that require access, disable File
> and printer sharing on the NIC that connects to the management net, and
> bob's your uncle. However, this seems like a waste of physical
> resources. Has anyone got any other alternatives to this?


Forget the dual-homed workstations.
You're worrying about something that doesn't even happen. Don't forget
the significance of subnets and routers. LAN broadcasts (pollution)
don't cross routers. That's why Cisco often refers to a router as a
"Broadcast Firewall": that kind of stuff doesn't go across them
except for things that you have to go out of your way to make
happen.

> 5) From a higher-level perspective. Has anyone got any information
> on how to manage multiple windows 2000 domains?


There is no way to deal with a wide open broad question like that in a
newsgroup message.

--

Phillip Windell [CCNA, MVP, MCP]
WAND-TV (ABC Affiliate)
www.wandtv.com
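Added example (not from either poster): one way to do the address mapping described in item 3, with static network NAT on the internal IOS router, so that a client LAN that also uses 192.168.1.0/24 appears inside our network as a unique range. All addresses, interface names and the access-list number are assumed for illustration; the crypto map and tunnel configuration themselves are not shown.

```cisco
! Assumed addressing (illustration only):
!   our internal LAN   192.168.1.0/24  -> shown to the client as 10.100.1.0/24
!   client's LAN       192.168.1.0/24  -> shown to us as         10.200.1.0/24
! Both translations are done on our router, since we have no control over
! the third-party address space; the overlap never reaches either routing table.

interface FastEthernet0/0
 description Our internal LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description Link toward the third-party network (VPN endpoint side)
 ip nat outside
!
! Our side: translate our real range to the unique range the client will see.
ip nat inside source static network 192.168.1.0 10.100.1.0 /24
!
! Client side: translate their real range (outside global) to the unique range
! we will see (outside local); add-route installs the route for 10.200.1.0/24
! toward the NAT outside interface.
ip nat outside source static network 192.168.1.0 10.200.1.0 /24 add-route
!
! Crypto ACL for the tunnel: on IOS, inside-to-outside NAT runs before the
! crypto map check, so it sees our translated source and the client's real
! destination range. The client router needs no NAT of its own: it receives
! packets from 10.100.1.0/24 addressed to its real 192.168.1.0/24.
access-list 110 permit ip 10.100.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! A management host on our LAN reaches client host 192.168.1.50 as 10.200.1.50.
```

Each additional client with the same overlapping range gets its own pair of unique /24s and its own crypto ACL entry, so the mappings stay one-to-one.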
