Re: Network Management Guru required (for 5 minutes)

Discussion in 'Cisco' started by Phillip Windell, Feb 6, 2004.

  1. "Jansen Reyes" <> wrote in message
    news:Z8LUb.139$...
    > centered around 2 Filtering routers (Diagram can be found here)


    This is a "plain text" message and there is no diagram.

    > N.B. The DMZ is the only network with public IPs.


    It is better to use private IP blocks in the DMZ of a Back-to-Back DMZ
    such as this. But you can use public IP#s if you want to.

    > 1) Remote users need access to the internal DATA and Voice LANs. My
    > plan at the moment is to use the exterior 2600 as a VPN terminator,
    > authenticating via RADIUS to a server located in the data LAN. Is
    > this good practice? Would one normally place the authentication
    > server in the internal LAN, and would one terminate VPN tunnels in
    > the perimeter router?


    To VPN with a B2B DMZ you must create two VPN tunnels. The first one
    runs between the two routers. The second tunnel runs inside the first
    one and goes between the user and the internal resource.

    Here are some articles on the subject. They are centered around using
    MS ISA Server, but the overall principles are the same in any
    situation.
    Watch out for the line-wrap on these links:

    Configuring VPN Access in a Back to Back ISA Server Environment
    http://www.isaserver.org/tutorials/Configuring_VPN_Access_in_a_Back_to_Back_ISA_Server_Environment.html

    Joining Private Networks over the Internet: Back to Back ISA Server
    DMZs on Both Sides, Part 1
    http://www.isaserver.org/tutorials/g2gb2bpart1.html

    Joining Private Networks over the Internet: Back to Back ISA Server
    DMZs on Both Sides, Part 2
    http://www.isaserver.org/tutorials/backtobackdmzvpnpart2.html


    > 3) We have client networks which we have to monitor/manage. The
    > problem is, we have no control over the third-party address space. On
    > many an occasion they might be using exactly the same range as another
    > client, or even as ourselves (everyone uses 192.168.1....). I've done
    > a lot of research into

    I know of no way around that without some kind of NAT in combination
    with the VPN.

    > this and finally arrived at some conclusions. In order to resolve
    > this issue, I hope to do the following: initiate VPN tunnels from the
    > internal router to the third-party network. Then, map the external
    > address range (subnet) to a unique address space within our network.
    > This can be done using IOS. Does this seem reasonable?


    I have no idea what you are trying to describe there.

    > 4) For remote management purposes, certain peers on the internal LAN
    > would have to access the remote network. There are 2 things which I
    > am worried about:
    > i) Client access to the third-party nets - This can be dealt with
    > via ACLs I suppose


    You're trying to depend on routers and ACLs to control
    everything... not good. Use things the way they were meant to be used.
    Routers and firewalls control *initial* access to a network. Once
    access to a LAN is granted at that level the firewalls or routers are
    done with their job; from then on security is controlled by the LAN's
    own security systems (User accounts, User Groups, File System
    Permissions, etc). Just because a user is allowed to get to a certain
    LAN by the router or firewall doesn't mean they automatically can see
    or grab whatever they want within that LAN. Resource access within
    LANs is controlled by Domain Controllers, user accounts, and Filesystem
    Permissions.

    > ii) Pollution on third-party networks from internal & vice versa. By
    > this I mean publication of printers and the sorts. My initial plan was
    > to have 2 NICs on all the machines that require access, disable File
    > and Printer Sharing on the NIC that connects to the management net,
    > and Bob's your uncle. However, this seems like a waste of physical
    > resources. Has anyone got any other alternatives to this?


    Forget the dual-homed workstations.
    You're worrying about something that doesn't even happen. Don't forget
    the significance of subnets and routers. LAN broadcasts (pollution)
    don't cross routers. That's why Cisco often refers to a router as a
    "Broadcast Firewall": that kind of stuff doesn't go across them
    except for things that you have to go out of your way to make happen.

    > 5) From a higher-level perspective. Has anyone got any information
    > on how to manage multiple Windows 2000 domains?


    There is no way to deal with a wide open broad question like that in a
    newsgroup message.

    --

    Phillip Windell [CCNA, MVP, MCP]
    WAND-TV (ABC Affiliate)
    www.wandtv.com
     
    Phillip Windell, Feb 6, 2004
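The address-space problem raised in point 3 (every client site, and the home LAN, using 192.168.1.0/24) and the answer that only NAT combined with the VPN gets around it can be shown concretely. The following Python is an added example, not code from either poster and not a Cisco IOS feature: it detects which client ranges collide with our LAN or with each other, allocates each colliding site a unique block from a reserved pool inside our address space, and rewrites host addresses the way a static network translation does (host bits kept, network bits swapped), so an internal management peer knows which address to use for a given remote host. The site names, subnets and pool are constructed sample values.

```python
"""Address planning for overlapping client networks.

Added example for the thread above, not code from either poster.
Models the point-3 situation: several managed client sites use the same
private range as our own LAN, so each colliding site gets a unique
translation block inside our address space and host addresses are
rewritten like a static network NAT (host offset preserved, network
bits swapped). All site names, subnets and the pool are constructed.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed sample topology (not from the thread).
OUR_LAN = ip_network("192.168.1.0/24")
CLIENT_SITES = {
    "client-a": ip_network("192.168.1.0/24"),  # same range as our LAN
    "client-b": ip_network("192.168.1.0/24"),  # same range as client-a
    "client-c": ip_network("10.50.0.0/24"),    # unique, reachable as-is
}
# Block reserved inside our network for translated client ranges (constructed).
TRANSLATION_POOL = ip_network("10.200.0.0/16")


def needs_translation(name: str, sites: dict, ours: IPv4Network) -> bool:
    """A site must be translated if its real range overlaps our LAN or
    the real range of any other site we also manage."""
    net = sites[name]
    if net.overlaps(ours):
        return True
    return any(net.overlaps(other) for n, other in sites.items() if n != name)


def plan_mappings(sites: dict, ours: IPv4Network, pool: IPv4Network) -> dict:
    """Give each colliding site a unique block from the pool, or None when
    the site can be reached under its real addresses. A pool block has the
    same prefix length as the real range so host bits carry over unchanged."""
    plan = {}
    # Ranges that mapped blocks must never collide with: our LAN and every
    # site we leave untranslated.
    used = [ours] + [net for n, net in sites.items()
                     if not needs_translation(n, sites, ours)]
    for name in sorted(sites):
        real = sites[name]
        if not needs_translation(name, sites, ours):
            plan[name] = None
            continue
        if real.prefixlen <= pool.prefixlen:
            raise ValueError(f"pool {pool} is too small to hold {real}")
        for candidate in pool.subnets(new_prefix=real.prefixlen):
            if not any(candidate.overlaps(u) for u in used):
                plan[name] = candidate
                used.append(candidate)
                break
        else:
            raise ValueError(f"translation pool exhausted while mapping {name}")
    return plan


def translate(addr, src: IPv4Network, dst: IPv4Network) -> IPv4Address:
    """Static network translation: keep the host offset, swap the network.
    Works in both directions (real -> mapped and mapped -> real)."""
    addr = ip_address(addr)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("source and destination blocks must be the same size")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    offset = int(addr) - int(src.network_address)
    return dst.network_address + offset


def management_address(name: str, real_host, sites: dict, plan: dict) -> IPv4Address:
    """Address an internal management peer uses to reach real_host at a site:
    the mapped address when the site is translated, the real one otherwise."""
    mapped = plan[name]
    if mapped is None:
        return ip_address(real_host)
    return translate(real_host, sites[name], mapped)


if __name__ == "__main__":
    plan = plan_mappings(CLIENT_SITES, OUR_LAN, TRANSLATION_POOL)
    for site, mapped in plan.items():
        print(f"{site}: {CLIENT_SITES[site]} -> {mapped or 'no translation'}")
    print("client-b host 192.168.1.10 is reached as",
          management_address("client-b", "192.168.1.10", CLIENT_SITES, plan))
```

Run as-is it prints the mapping plan (client-a and client-b each get their own /24 out of 10.200.0.0/16, client-c stays untranslated) and the address an internal peer would use for a host at client-b. The plan is what you would then express as per-tunnel static network translations on the router; the pool is chosen deliberately away from every real range so the translated addresses are unambiguous on our side.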