Need to securely connect workstations on another WAN to my WAN

Discussion in 'Cisco' started by kev, Nov 16, 2003.

  1. kev

    kev Guest

    Hi,

    I have several staff housed at another physical location in another
    organization. I need to be able to connect these staff to my
    organization's WAN in a secure manner for both organizations.

    Ideally, my staff at the other site should be able to connect to and
    see only my WAN resources. Also, my staff and our computer resources
    should be invisible to the other organization's users and their
    network. Essentially, outside of my requirement to connect these
    workers to our WAN, both WANs need to be securely separate and
    distinct entities.

    Both organizations have private routed WANs with Cisco gear and both
    have PIX firewalls.

    I've considered some options like segregating my staff physically on
    the other LAN and dropping in our own router and FR circuit or
    high-speed internet and a VPN appliance and bringing them directly back
    through our firewall. However, these options incur cost and I'm
    pretty sure this is something that should be able to be done through
    the existing routers, etc. Probably by PVCing and VLANing?

    Any help would be appreciated...

    Thanks in advance !
     
    kev, Nov 16, 2003
    #1

  2. Scooby

    Scooby Guest

    A little more information about setups would be helpful. How close are
    they? What kind of WANs are they running now? Are they using the same
    telco for their networks?

    Something I have done before and may be an option for you... If they are
    both Frame Relay networks, and you can get the telcos to play nice, then
    you can get an NNI (network to network interface) setup between them.
    You'll have to pay for a pvc, but it should be pretty low cost, especially
    if they are in the same LATA and using the same telco. Create that pvc as a
    sub-interface off your frame interface and apply all the rules you like to
    it.
     
    Scooby, Nov 16, 2003
    #2

  3. In article <>,
    kev <> wrote:
    >Hi,
    >
    >I have several staff housed at another physical location in another
    >organization. I need to be able to connect these staff to my
    >organization's WAN in a secure manner for both organizations.

    [..]

    Consider an SSL VPN, you allow granular access and don't
    need to kludge VLANs, ACLs, routing, etc. If you have a
    Cisco 3000 it'll be a free upgrade:
    http://tinyurl.com/v4jt
    Neoteris seem the most advanced solution to me, but the price
    tag reflects this. And of course there's the open-source model..
    http://openvpn.sourceforge.net/

    alan
     
    Alan Strassberg, Nov 16, 2003
    #3
  4. kev

    kev Guest

    Thanks,

    WANs are close (at least HQ to HQ). WANs are Frame relay but also use
    broadband (ATM OC3). Yes, both use the same telco.

    So, you're saying the PVC would allow granular rules to control who
    sees what ?
     
    kev, Nov 16, 2003
    #4
  5. Scooby

    Scooby Guest

    That's very good news that the same telco is used for both frames. You can
    call them and ask if they will set up NNI between the two networks. I'd be
    interested to hear what they quote you, but my guess is pretty dang cheap.
    Just a single pvc from HQ to HQ should be all you need. Not sure if this
    will increase bandwidth demands, though.

    Yes, you will be able to use access rules, but how you do it depends a lot
    on how your network is set up. There are two ways to set up Frame Relay, one
    is point to multipoint, most common for fully meshed networks. The other is
    point to point subinterfaces, more common with hub and spoke. If you are
    already set up with the subinterfaces, that makes this project much easier.
    Then, just apply an access list (or CBAC) to the interface with the PVC to
    the other HQ.

    If you have fully meshed, then it makes it more complicated, but I still
    believe that it can be done. I'm not sure if you can set up a combination
    of point to point and point to multipoint interfaces on a frame relay
    circuit (with Cisco) - I have done this with Nortel. I believe yes, but are
    there people out there that know for sure and want to respond??? Anyway,
    if you have them all under a single interface due to being fully meshed,
    then you just would probably have to set the rules up a little different.

    The one caveat.... If you have the same IP blocks within each WAN.... Easy
    to do NAT if you are doing the subinterfaces, very hard if you have a single
    interface to the other HQ.
     
    Scooby, Nov 17, 2003
    #5
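
The setup described in post #5 (the NNI PVC on its own point-to-point subinterface, with an access list applied to that subinterface), sketched as Cisco IOS configuration. This is an added example, not configuration posted by anyone in the thread; the interface numbers, DLCIs and every address are constructed placeholders.

```cisco
! Added example. Assumed (constructed) values:
!   10.1.0.0/16    = own organization's WAN
!   172.20.8.0/24  = own staff subnet housed at the other site
!   DLCI 200       = the new PVC across the NNI to the other HQ
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
! Existing hub-and-spoke PVC to an internal site, left unchanged
interface Serial0/0.101 point-to-point
 ip address 10.1.255.1 255.255.255.252
 frame-relay interface-dlci 101
!
! New PVC on its own subinterface, so rules apply to this link alone
interface Serial0/0.200 point-to-point
 description NNI PVC to other organization HQ
 ip address 192.168.255.1 255.255.255.252
 ip access-group 120 in
 ip access-group 121 out
 frame-relay interface-dlci 200
!
! Inbound from the other HQ: only the staff subnet, only toward own WAN
access-list 120 permit ip 172.20.8.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 120 deny   ip any any log
!
! Outbound to the other HQ: own WAN may reach only the staff subnet
access-list 121 permit ip 10.1.0.0 0.0.255.255 172.20.8.0 0.0.0.255
access-list 121 deny   ip any any log
```

These lists filter only at this router's end of the PVC, and an outbound list does not apply to traffic the router itself originates. Whether the staff subnet is visible from the other organization's own LAN depends on how that subnet is separated at their site, which this fragment does not cover.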
