Remote Office Connectivity

 
 
Gary
Guest
Posts: n/a
 
      10-14-2005
We have 2 offices. Head office and a satellite office.

Each site has a router and an internal PIX firewall.

The satellite office has a point to point link back to headquarters and will
be used for all connectivity, as headquarters has a very large internet
connection.

In addition to this the satellite office has 2 bonded ADSL lines for
failover should the primary point to point link fail.

My question is how to connect the 2 sites. Should each end of the point to
point link connect into the routers at each site?

This is not really routing as they could see each other at layer 2, so I am
confused what the config should look like on each router. Do I simply
configure the WAN side of the satellite office in say one private subnet and
the WAN side of HQ in the same subnet and run a VPN across this link and
that is it?

The satellite office needs to be able to reach the NAT'd internal addresses
at HQ.

Any pointers on method/config greatly appreciated.

Gary


 
Vincent C Jones
Guest
Posts: n/a
 
      10-14-2005
In article <ZNO3f.2$Ix3.0@dukeread05>, Gary <(E-Mail Removed)> wrote:
>We have 2 offices. Head office and a satelite office.
>
>Each site has a router and an internal PIX firewall.
>
>The satelite office has a point to point link back to headquarters and will
>be used for all connectivity, as head quarters has a very large internet
>connection.
>
>In addition to this the satellite office has 2 bonded ADSL lines for
>failover should the primary point to point link fail.
>
>My question is how to connect the 2 sites. Should each end of the point to
>point link connect into the routers at each site?
>
>This is not really routing as they could see each other at layer 2 so I am
>confused what the config should look like on each router. Do I simply
>configure the WAN site of the Satellite office in say one private subnet and
>the WAN site of HQ in the same subnet and run a VPN across this link and
>that is it?
>
>The satellite office needs to be able to reach the NAT'd internal addresses
>at HQ.
>
>Any pointers on method/config greatly appreciated.
>
>Gary


As stated, you seem to be doing everything possible to make the solution
more complex. If you treat the satellite office and the main office as
separate subnets and route between them, then the VPN can be configured
like a dial backup link. Bridging rather than routing between the two
sites makes the solution much more difficult (or much less robust, take
your choice). Ditto on using the external addresses of the servers at HQ
rather than the internal addresses when accessing from the satellite.

One hint: terminate the VPN at the HQ end on a router inside the HQ PIX
so satellite users will still be able to reach the Internet when running
on the VPN. A PIX doesn't like to send traffic out the same interface it
came in on, although this limitation has been addressed in 7.0.

Good luck and have fun!
--
Vincent C Jones, Consultant          Expert advice and a helping hand
Networking Unlimited, Inc.           for those who want to manage and
Tenafly, NJ  Phone: 201 568-7810     control their networking destiny
http://www.networkingunlimited.com
 
Gary Shine
Guest
Posts: n/a
 
      10-14-2005


"Vincent C Jones" <(E-Mail Removed)> wrote in message
news:diohcm$smb$(E-Mail Removed):

> In article <ZNO3f.2$Ix3.0@dukeread05>, Gary <(E-Mail Removed)> wrote:
> >We have 2 offices. Head office and a satelite office.
> >
> >Each site has a router and an internal PIX firewall.
> >
> >The satelite office has a point to point link back to headquarters and will
> >be used for all connectivity, as head quarters has a very large internet
> >connection.
> >
> >In addition to this the satellite office has 2 bonded ADSL lines for
> >failover should the primary point to point link fail.
> >
> >My question is how to connect the 2 sites. Should each end of the point to
> >point link connect into the routers at each site?
> >
> >This is not really routing as they could see each other at layer 2 so I am
> >confused what the config should look like on each router. Do I simply
> >configure the WAN site of the Satellite office in say one private subnet and
> >the WAN site of HQ in the same subnet and run a VPN across this link and
> >that is it?
> >
> >The satellite office needs to be able to reach the NAT'd internal addresses
> >at HQ.
> >
> >Any pointers on method/config greatly appreciated.
> >
> >Gary

>
> As stated, you seem to be doing everything possible to make the solution
> more complex. If you treat the satellite office and the main office as
> separate subnets and route between them, then the VPN can be configured
> like a dial backup link. Bridging rather than routing between the two
> sites makes the solution much more difficult (or much less robust, take
> your choice). Ditto on using the external addresses of the servers at HQ
> rather than the internal addresses when accessing from the satellite.
>
> One hint: terminate the VPN at the HQ end on a router inside the HQ PIX
> so satellite users will still be able to reach the Internet when running
> on the VPN. PIX don't like to send traffic out the same interface it
> came in on, although this limitation has been addressed in 7.0.
>
> Good luck and have fun!
> --
> Vincent C Jones, Consultant Expert advice and a helping hand
> Networking Unlimited, Inc. for those who want to manage and
> Tenafly, NJ Phone: 201 568-7810 control their networking destiny
> http://www.networkingunlimited.com


Thanks for the hint. We do not have any routers behind the PIXes and do
not have the money for that.

From what you are saying I should run routing across the point to point
link router to router?

i.e. EIGRP?

What do you mean by using the external addresses at HQ? The point to
point link does not care about these and cannot route across the public
internet anyway, as it is a fixed link router to router.

My thoughts were to route somehow across the P2P and have a VPN across
the public network using the ADSLs and somehow only activate the ADSLs
on P2P link failure.

Gary

 
Vincent C Jones
Guest
Posts: n/a
 
      10-16-2005
In article <m5R3f.6$Ix3.4@dukeread05>, Gary Shine <(E-Mail Removed)> wrote:
>
>
>"Vincent C Jones" <(E-Mail Removed)> wrote in message
>news:diohcm$smb$(E-Mail Removed):
>
>> In article <ZNO3f.2$Ix3.0@dukeread05>, Gary <(E-Mail Removed)> wrote:
>> >We have 2 offices. Head office and a satelite office.
>> >
>> >Each site has a router and an internal PIX firewall.
>> >
>> >The satelite office has a point to point link back to headquarters and will
>> >be used for all connectivity, as head quarters has a very large internet
>> >connection.
>> >
>> >In addition to this the satellite office has 2 bonded ADSL lines for
>> >failover should the primary point to point link fail.
>> >
>> >My question is how to connect the 2 sites. Should each end of the point to
>> >point link connect into the routers at each site?
>> >
>> >This is not really routing as they could see each other at layer 2 so I am
>> >confused what the config should look like on each router. Do I simply
>> >configure the WAN site of the Satellite office in say one private subnet and
>> >the WAN site of HQ in the same subnet and run a VPN across this link and
>> >that is it?
>> >
>> >The satellite office needs to be able to reach the NAT'd internal addresses
>> >at HQ.
>> >
>> >Any pointers on method/config greatly appreciated.
>> >
>> >Gary

>>
>> As stated, you seem to be doing everything possible to make the solution
>> more complex. If you treat the satellite office and the main office as
>> separate subnets and route between them, then the VPN can be configured
>> like a dial backup link. Bridging rather than routing between the two
>> sites makes the solution much more difficult (or much less robust, take
>> your choice). Ditto on using the external addresses of the servers at HQ
>> rather than the internal addresses when accessing from the satellite.
>>
>> One hint: terminate the VPN at the HQ end on a router inside the HQ PIX
>> so satellite users will still be able to reach the Internet when running
>> on the VPN. PIX don't like to send traffic out the same interface it
>> came in on, although this limitation has been addressed in 7.0.
>>
>> Good luck and have fun!
>> --
>> Vincent C Jones, Consultant Expert advice and a helping hand
>> Networking Unlimited, Inc. for those who want to manage and
>> Tenafly, NJ Phone: 201 568-7810 control their networking destiny
>> http://www.networkingunlimited.com

>
>Thanks for the hint. We do not have any routers behind the PIX's and do
>not have the money for that.
>
>From what you are saying I should run routing across the point to point
>link router to router?


yes

>i.e EIGRP?


whatever floats your boat

>What do you mean by using the external addresses at HQ. The point to
>point link does not care about these and cannot route across the public
>internet anyway as it is fixed link router to router?


The phrase "The satellite office needs to be able to reach the NAT'd
internal addresses at HQ." The NAT'd internal addresses at HQ are
the external addresses used by HQ. So how do users at the branch
address the required services, by their internal IP or their public
(external) IP? If the former, no problem.

>My thoughts were to route somehow across the P2P and have a VPN across
>the public network using the ADSL's and somehow only activate the ADSL's
>on P2P link failure.


Think about it, that is exactly how dial backup works. Just remember
that if the first time you try to activate the ADSL link is two
years from now when the PtoP link fails, the chances of the ADSL
link working are whatever remains from the probability of the ADSL
link failing at ANY time over the previous two years. Routine
testing of backup facilities needs to be part of your SOP.

>Gary
>


Good luck and have fun!
--
Vincent C Jones, Consultant          Expert advice and a helping hand
Networking Unlimited, Inc.           for those who want to manage and
Tenafly, NJ  Phone: 201 568-7810     control their networking destiny
http://www.networkingunlimited.com
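Vincent's point about an untested backup, written out as a formula. This is added here and is not part of his post; it assumes the ADSL path fails at a constant rate $\lambda$ (exponential time to failure), a model the thread itself does not state.

```latex
% Backup path never exercised until the primary fails at time T:
P(\text{ADSL path works at } T) \;=\; 1 - P(\text{failed somewhere in } [0,T]) \;=\; e^{-\lambda T}

% Backup path tested every \tau and repaired whenever a test fails:
% an undetected failure can persist for at most \tau, so
P(\text{ADSL path works when needed}) \;\ge\; e^{-\lambda \tau} \;\gg\; e^{-\lambda T} \quad \text{when } \tau \ll T
```

For a feel of the numbers: with $\lambda$ = one failure per year and $T$ = 2 years, $e^{-2} \approx 0.14$, so the never-tested backup is available roughly one time in seven when the P2P finally drops; a monthly test ($\tau = 1/12$ year) bounds that at $e^{-1/12} \approx 0.92$. The test interval, not the quality of the ADSL lines, is what sets the availability of the backup.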
 
Gary Shine
Guest
Posts: n/a
 
      10-17-2005


"Vincent C Jones" <(E-Mail Removed)> wrote in message
news:diuhod$886$(E-Mail Removed):

> In article <m5R3f.6$Ix3.4@dukeread05>, Gary Shine <(E-Mail Removed)> wrote:
> >
> >
> >"Vincent C Jones" <(E-Mail Removed)> wrote in message
> >news:diohcm$smb$(E-Mail Removed):
> >
> >> In article <ZNO3f.2$Ix3.0@dukeread05>, Gary <(E-Mail Removed)> wrote:
> >> >We have 2 offices. Head office and a satelite office.
> >> >
> >> >Each site has a router and an internal PIX firewall.
> >> >
> >> >The satelite office has a point to point link back to headquarters and will
> >> >be used for all connectivity, as head quarters has a very large internet
> >> >connection.
> >> >
> >> >In addition to this the satellite office has 2 bonded ADSL lines for
> >> >failover should the primary point to point link fail.
> >> >
> >> >My question is how to connect the 2 sites. Should each end of the point to
> >> >point link connect into the routers at each site?
> >> >
> >> >This is not really routing as they could see each other at layer 2 so I am
> >> >confused what the config should look like on each router. Do I simply
> >> >configure the WAN site of the Satellite office in say one private subnet and
> >> >the WAN site of HQ in the same subnet and run a VPN across this link and
> >> >that is it?
> >> >
> >> >The satellite office needs to be able to reach the NAT'd internal addresses
> >> >at HQ.
> >> >
> >> >Any pointers on method/config greatly appreciated.
> >> >
> >> >Gary
> >>
> >> As stated, you seem to be doing everything possible to make the solution
> >> more complex. If you treat the satellite office and the main office as
> >> separate subnets and route between them, then the VPN can be configured
> >> like a dial backup link. Bridging rather than routing between the two
> >> sites makes the solution much more difficult (or much less robust, take
> >> your choice). Ditto on using the external addresses of the servers at HQ
> >> rather than the internal addresses when accessing from the satellite.
> >>
> >> One hint: terminate the VPN at the HQ end on a router inside the HQ PIX
> >> so satellite users will still be able to reach the Internet when running
> >> on the VPN. PIX don't like to send traffic out the same interface it
> >> came in on, although this limitation has been addressed in 7.0.
> >>
> >> Good luck and have fun!
> >> --
> >> Vincent C Jones, Consultant Expert advice and a helping hand
> >> Networking Unlimited, Inc. for those who want to manage and
> >> Tenafly, NJ Phone: 201 568-7810 control their networking destiny
> >> http://www.networkingunlimited.com

> >
> >Thanks for the hint. We do not have any routers behind the PIX's and do
> >not have the money for that.
> >
> >From what you are saying I should run routing across the point to point
> >link router to router?

>
> yes
>
> >i.e EIGRP?

>
> whatever floats your boat
>
> >What do you mean by using the external addresses at HQ. The point to
> >point link does not care about these and cannot route across the public
> >internet anyway as it is fixed link router to router?

>
> The phrase "The satellite office needs to be able to reach the NAT'd
> internal addresses at HQ." The NAT'd internal addresses at HQ are
> the external addresses used by HQ. So how do users at the branch
> address the required services, by their internal IP or their public
> (external) IP? If the former, no problem.
>
> >My thoughts were to route somehow across the P2P and have a VPN across
> >the public network using the ADSL's and somehow only activate the ADSL's
> >on P2P link failure.

>
> Think about it, that is exactly how dial backup works. Just remember
> that if the first time you try to activate the ADSL link is two
> years from now when the PtoP link fails, the chances of the ADSL
> link working is whatever remains from the probability of the ADSL
> link failing at ANY time over the previous two years. Routine
> testing of backup facilities needs to be part of your SOP.
>
> >Gary
> >

>
> Good luck and have fun!
> --
> Vincent C Jones, Consultant Expert advice and a helping hand
> Networking Unlimited, Inc. for those who want to manage and
> Tenafly, NJ Phone: 201 568-7810 control their networking destiny
> http://www.networkingunlimited.com


Never used dial backup so I guess we are talking weighted route
statements with the P2P being favoured over the ADSL Wan link?

QUOTE
> The phrase "The satellite office needs to be able to reach the NAT'd
> internal addresses at HQ." The NAT'd internal addresses at HQ are
> the external addresses used by HQ. So how do users at the branch
> address the required services, by their internal IP or their public
> (external) IP? If the former, no problem.


You confused me here???

I am expecting Satellite users to be able to address services at HQ
using the internal private address range behind the PIXes. Ultimately I
see a VPN from the private address range of the Satellite office to the
private address range of HQ behind the PIXes.

Currently HQ looks like this

Internet --- [2MB Leased Line] -----> HQ Router -------> HQ Pix

It will eventually look like this

Internet --- [2MB Leased Line] -----> HQ Router -------> HQ Pix
Satellite ------[EIGRP]-------------> HQ Router -------> HQ Pix


HQ Router has a public IP only on the outside interface towards the
internet and public plus private secondary on the inside. We will add in
a new G703 card for the 2MB P2P link and I assume we will allocate it a
new private subnet different to anything at HQ but the same as the
external interface at the satellite office, and we will run EIGRP over
this link.

We will also create a VPN across the public internet using the ADSL at
the Satellite office for failover or dial backup?

I think this and maybe a few route statements should do the job?

Gary




 
Vincent C Jones
Guest
Posts: n/a
 
      10-17-2005
In article <YzE4f.1504$Ix3.633@dukeread05>,
Gary Shine <(E-Mail Removed)> wrote:
>
>
>"Vincent C Jones" <(E-Mail Removed)> wrote in message
>news:diuhod$886$(E-Mail Removed):
>
>> In article <m5R3f.6$Ix3.4@dukeread05>, Gary Shine <(E-Mail Removed)> wrote:
>> >
>> >
>> >"Vincent C Jones" <(E-Mail Removed)> wrote in message
>> >news:diohcm$smb$(E-Mail Removed):
>> >
>> >> In article <ZNO3f.2$Ix3.0@dukeread05>, Gary <(E-Mail Removed)> wrote:
>> >> >We have 2 offices. Head office and a satelite office.
>> >> >
>> >> >Each site has a router and an internal PIX firewall.
>> >> >
>> >> >The satelite office has a point to point link back to headquarters and will
>> >> >be used for all connectivity, as head quarters has a very large internet
>> >> >connection.
>> >> >
>> >> >In addition to this the satellite office has 2 bonded ADSL lines for
>> >> >failover should the primary point to point link fail.
>> >> >
>> >> >My question is how to connect the 2 sites. Should each end of the point to
>> >> >point link connect into the routers at each site?
>> >> >
>> >> >This is not really routing as they could see each other at layer 2 so I am
>> >> >confused what the config should look like on each router. Do I simply
>> >> >configure the WAN site of the Satellite office in say one private subnet and
>> >> >the WAN site of HQ in the same subnet and run a VPN across this link and
>> >> >that is it?
>> >> >
>> >> >The satellite office needs to be able to reach the NAT'd internal addresses
>> >> >at HQ.
>> >> >
>> >> >Any pointers on method/config greatly appreciated.
>> >> >
>> >> >Gary
>> >>
>> >> As stated, you seem to be doing everything possible to make the solution
>> >> more complex. If you treat the satellite office and the main office as
>> >> separate subnets and route between them, then the VPN can be configured
>> >> like a dial backup link. Bridging rather than routing between the two
>> >> sites makes the solution much more difficult (or much less robust, take
>> >> your choice). Ditto on using the external addresses of the servers at HQ
>> >> rather than the internal addresses when accessing from the satellite.
>> >>
>> >> One hint: terminate the VPN at the HQ end on a router inside the HQ PIX
>> >> so satellite users will still be able to reach the Internet when running
>> >> on the VPN. PIX don't like to send traffic out the same interface it
>> >> came in on, although this limitation has been addressed in 7.0.
>> >>
>> >> Good luck and have fun!
>> >> --
>> >> Vincent C Jones, Consultant Expert advice and a helping hand
>> >> Networking Unlimited, Inc. for those who want to manage and
>> >> Tenafly, NJ Phone: 201 568-7810 control their networking destiny
>> >> http://www.networkingunlimited.com
>> >
>> >Thanks for the hint. We do not have any routers behind the PIX's and do
>> >not have the money for that.
>> >
>> >From what you are saying I should run routing across the point to point
>> >link router to router?

>>
>> yes
>>
>> >i.e EIGRP?

>>
>> whatever floats your boat
>>
>> >What do you mean by using the external addresses at HQ. The point to
>> >point link does not care about these and cannot route across the public
>> >internet anyway as it is fixed link router to router?

>>
>> The phrase "The satellite office needs to be able to reach the NAT'd
>> internal addresses at HQ." The NAT'd internal addresses at HQ are
>> the external addresses used by HQ. So how do users at the branch
>> address the required services, by their internal IP or their public
>> (external) IP? If the former, no problem.
>>
>> >My thoughts were to route somehow across the P2P and have a VPN across
>> >the public network using the ADSL's and somehow only activate the ADSL's
>> >on P2P link failure.

>>
>> Think about it, that is exactly how dial backup works. Just remember
>> that if the first time you try to activate the ADSL link is two
>> years from now when the PtoP link fails, the chances of the ADSL
>> link working is whatever remains from the probability of the ADSL
>> link failing at ANY time over the previous two years. Routine
>> testing of backup facilities needs to be part of your SOP.
>>
>> >Gary
>> >

>>
>> Good luck and have fun!
>> --
>> Vincent C Jones, Consultant Expert advice and a helping hand
>> Networking Unlimited, Inc. for those who want to manage and
>> Tenafly, NJ Phone: 201 568-7810 control their networking destiny
>> http://www.networkingunlimited.com

>
>Never used dial backup so I guess we are talking weighted route
>statements with the P2P being favoured over the ADSL Wan link?


Yes. Floating static routes in Cisco terminology.

>QUOTE
>> The phrase "The satellite office needs to be able to reach the NAT'd
>> internal addresses at HQ." The NAT'd internal addresses at HQ are
>> the external addresses used by HQ. So how do users at the branch
>> address the required services, by their internal IP or their public
>> (external) IP? If the former, no problem.

>
>You confused me here???


You had asked what caused me to infer that satellite users would
use the external public IP of the HQ servers.

>I am expecting Satellite users to be able to address services at HQ
>using the internal private address range behind the PIX's. Ultimately I
>see a VPN from the private address range of the Satellite office to the
>private address range of HQ behind the PIX's.
>
>Currently HQ looks like this
>
>Internet --- [2MB Leased Line] -----> HQ Router -------> HQ Pix
>
>It will eventually look like this
>
>Internet --- [2MB Leased Line] -----> HQ Router -------> HQ Pix
>Satellite ------[EIGRP]-------------> HQ Router -------> HQ Pix


This is scary. Any router outside the firewall should not be trusted
with internal routing. Plus, in your diagram above, there is nothing
inside the HQ PIX.

>HQ Router has a public IP only on the outside interface towards the
>internet and public plus private secondary on the inside. We will add in
>a new G703 card for the 2MB P2P link and I assume we will allocate it a
>new private subnet different to anything at HQ but the same as the
>external interface at the satellite office, and we will run EIGRP over
>this link.
>
>We will also create a VPN across the public internet using the ADSL at
>the Satellite office for failover or dial backup?
>
>I think this and maybe a few route statements should do the job?


A few route statements should be enough to provide robust failover,
but whether the "few route statements" you think the job is and
those I think the job is are the same, and whether the design is
sustainable in a hostile Internet, is not at all clear. As you
have explained it, your design requirements far exceed that which
I can provide without investing significant time and effort into
understanding said requirements, which in turn prevents me from
providing further free advice. Sorry.

Good luck and have fun!
--
Vincent C Jones, Consultant          Expert advice and a helping hand
Networking Unlimited, Inc.           for those who want to manage and
Tenafly, NJ  Phone: 201 568-7810     control their networking destiny
http://www.networkingunlimited.com
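What "floating static routes" look like in IOS for the design discussed in this thread: EIGRP over the P2P link as the primary path, and a static route with a high administrative distance via the VPN over the ADSL that only becomes active when the EIGRP route is withdrawn. This is an added example, not configuration from Gary's or Vincent's posts. All addressing, interface names, the EIGRP AS number and the Tunnel0 interface standing in for the VPN are assumptions; the EIGRP authentication and passive-interface lines are hardening added in light of Vincent's warning about a router outside the firewall carrying internal routing.

```cisco
! Satellite router -- added example, hypothetical addressing throughout.
! 192.168.20.0/24 = satellite LAN, 192.168.10.0/24 = HQ LAN (behind the HQ PIX),
! 10.255.0.0/30 = the new G.703 P2P link, Tunnel0 = GRE over IPsec across the ADSL.
!
key chain EIGRP-KEYS
 key 1
  key-string <replace-with-shared-secret>
!
interface Serial0/0
 description 2MB P2P to HQ (G.703)
 ip address 10.255.0.2 255.255.255.252
 ! Authenticate EIGRP so only the HQ router can inject routes on this link
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
interface Tunnel0
 description GRE over IPsec to HQ across the ADSL path (backup only)
 ip address 10.255.1.2 255.255.255.252
 tunnel source Dialer1
 tunnel destination <HQ-public-IP>
 ! Keepalives take Tunnel0 down when the far end stops answering, so the
 ! floating static below is withdrawn rather than blackholing traffic
 keepalive 10 3
!
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 192.168.20.0 0.0.0.255
 ! Never speak EIGRP towards the Internet or into the tunnel
 passive-interface default
 no passive-interface Serial0/0
 no auto-summary
!
! Floating static: administrative distance 250 loses to the EIGRP route (AD 90)
! while the P2P is up, and is installed only when Serial0/0 drops and EIGRP
! withdraws 192.168.10.0/24.
ip route 192.168.10.0 255.255.255.0 Tunnel0 10.255.1.1 250
!
! HQ router -- mirror image: same key chain and EIGRP AS on its end of the
! P2P, and a floating static for the satellite LAN via its end of the tunnel.
ip route 192.168.20.0 255.255.255.0 Tunnel0 10.255.1.2 250
```

This is the routine test Vincent asks for: during a maintenance window, shut Serial0/0 on the satellite router, confirm with "show ip route 192.168.10.0" that the route now points at Tunnel0 with distance 250 and that HQ services still answer, then bring the serial back up and confirm EIGRP reclaims the prefix. Where the tunnel terminates at HQ (on the router outside the PIX, as in Gary's diagram, or on a device inside it, as Vincent recommends) decides whether the PIX ever sees the satellite traffic as internal, and the thread leaves that unresolved.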
 