Remote Office Connectivity

Discussion in 'Cisco' started by Gary, Oct 14, 2005.

  1. Gary

    Gary Guest

    We have 2 offices. Head office and a satellite office.

    Each site has a router and an internal PIX firewall.

    The satellite office has a point to point link back to headquarters and will
    be used for all connectivity, as headquarters has a very large internet
    connection.

    In addition to this the satellite office has 2 bonded ADSL lines for
    failover should the primary point to point link fail.

    My question is how to connect the 2 sites. Should each end of the point to
    point link connect into the routers at each site?

    This is not really routing as they could see each other at layer 2 so I am
    confused what the config should look like on each router. Do I simply
    configure the WAN side of the Satellite office in say one private subnet and
    the WAN side of HQ in the same subnet and run a VPN across this link and
    that is it?

    The satellite office needs to be able to reach the NAT'd internal addresses
    at HQ.

    Any pointers on method/config greatly appreciated.

    Gary
     
    Gary, Oct 14, 2005
    #1

  2. In article <ZNO3f.2$Ix3.0@dukeread05>, Gary <> wrote:
    >We have 2 offices. Head office and a satellite office.
    >
    >Each site has a router and an internal PIX firewall.
    >
    >The satellite office has a point to point link back to headquarters and will
    >be used for all connectivity, as headquarters has a very large internet
    >connection.
    >
    >In addition to this the satellite office has 2 bonded ADSL lines for
    >failover should the primary point to point link fail.
    >
    >My question is how to connect the 2 sites. Should each end of the point to
    >point link connect into the routers at each site?
    >
    >This is not really routing as they could see each other at layer 2 so I am
    >confused what the config should look like on each router. Do I simply
    >configure the WAN side of the Satellite office in say one private subnet and
    >the WAN side of HQ in the same subnet and run a VPN across this link and
    >that is it?
    >
    >The satellite office needs to be able to reach the NAT'd internal addresses
    >at HQ.
    >
    >Any pointers on method/config greatly appreciated.
    >
    >Gary


    As stated, you seem to be doing everything possible to make the solution
    more complex. If you treat the satellite office and the main office as
    separate subnets and route between them, then the VPN can be configured
    like a dial backup link. Bridging rather than routing between the two
    sites makes the solution much more difficult (or much less robust, take
    your choice). Ditto on using the external addresses of the servers at HQ
    rather than the internal addresses when accessing from the satellite.

    One hint: terminate the VPN at the HQ end on a router inside the HQ PIX
    so satellite users will still be able to reach the Internet when running
    on the VPN. PIX don't like to send traffic out the same interface it
    came in on, although this limitation has been addressed in 7.0.

    Good luck and have fun!
    --
    Vincent C Jones, Consultant         Expert advice and a helping hand
    Networking Unlimited, Inc.          for those who want to manage and
    Tenafly, NJ  Phone: 201 568-7810    control their networking destiny
    http://www.networkingunlimited.com
     
    Vincent C Jones, Oct 14, 2005
    #2

  3. Gary

    Gary Shine Guest

    "Vincent C Jones" <> wrote in message
    news:diohcm$smb$:

    >
    > As stated, you seem to be doing everything possible to make the solution
    > more complex. If you treat the satellite office and the main office as
    > separate subnets and route between them, then the VPN can be configured
    > like a dial backup link. Bridging rather than routing between the two
    > sites makes the solution much more difficult (or much less robust, take
    > your choice). Ditto on using the external addresses of the servers at HQ
    > rather than the internal addresses when accessing from the satellite.
    >
    > One hint: terminate the VPN at the HQ end on a router inside the HQ PIX
    > so satellite users will still be able to reach the Internet when running
    > on the VPN. PIX don't like to send traffic out the same interface it
    > came in on, although this limitation has been addressed in 7.0.
    >
    > Good luck and have fun!


    Thanks for the hint. We do not have any routers behind the PIXes and do
    not have the money for that.

    From what you are saying I should run routing across the point to point
    link router to router?

    i.e. EIGRP?

    What do you mean by using the external addresses at HQ. The point to
    point link does not care about these and cannot route across the public
    internet anyway as it is fixed link router to router?

    My thoughts were to route somehow across the P2P and have a VPN across
    the public network using the ADSLs and somehow only activate the ADSLs
    on P2P link failure.

    Gary
     
    Gary Shine, Oct 14, 2005
    #3
  4. In article <m5R3f.6$Ix3.4@dukeread05>, Gary Shine <> wrote:
    >
    >Thanks for the hint. We do not have any routers behind the PIXes and do
    >not have the money for that.
    >
    >From what you are saying I should run routing across the point to point
    >link router to router?


    yes

    >i.e. EIGRP?


    whatever floats your boat

    >What do you mean by using the external addresses at HQ. The point to
    >point link does not care about these and cannot route across the public
    >internet anyway as it is fixed link router to router?


    The phrase "The satellite office needs to be able to reach the NAT'd
    internal addresses at HQ." The NAT'd internal addresses at HQ are
    the external addresses used by HQ. So how do users at the branch
    address the required services, by their internal IP or their public
    (external) IP? If the former, no problem.

    >My thoughts were to route somehow across the P2P and have a VPN across
    >the public network using the ADSLs and somehow only activate the ADSLs
    >on P2P link failure.


    Think about it, that is exactly how dial backup works. Just remember
    that if the first time you try to activate the ADSL link is two
    years from now when the PtoP link fails, the chances of the ADSL
    link working is whatever remains from the probability of the ADSL
    link failing at ANY time over the previous two years. Routine
    testing of backup facilities needs to be part of your SOP.

    >Gary
    >


    Good luck and have fun!
    --
    Vincent C Jones, Consultant         Expert advice and a helping hand
    Networking Unlimited, Inc.          for those who want to manage and
    Tenafly, NJ  Phone: 201 568-7810    control their networking destiny
    http://www.networkingunlimited.com
     
    Vincent C Jones, Oct 16, 2005
    #4
  5. Gary

    Gary Shine Guest

    "Vincent C Jones" <> wrote in message
    news:diuhod$886$:

    > >
    > >Thanks for the hint. We do not have any routers behind the PIXes and do
    > >not have the money for that.
    > >
    > >From what you are saying I should run routing across the point to point
    > >link router to router?

    >
    > yes
    >
    > >i.e. EIGRP?

    >
    > whatever floats your boat
    >
    > >What do you mean by using the external addresses at HQ. The point to
    > >point link does not care about these and cannot route across the public
    > >internet anyway as it is fixed link router to router?

    >
    > The phrase "The satellite office needs to be able to reach the NAT'd
    > internal addresses at HQ." The NAT'd internal addresses at HQ are
    > the external addresses used by HQ. So how do users at the branch
    > address the required services, by their internal IP or their public
    > (external) IP? If the former, no problem.
    >
    > >My thoughts were to route somehow across the P2P and have a VPN across
    > >the public network using the ADSLs and somehow only activate the ADSLs
    > >on P2P link failure.

    >
    > Think about it, that is exactly how dial backup works. Just remember
    > that if the first time you try to activate the ADSL link is two
    > years from now when the PtoP link fails, the chances of the ADSL
    > link working is whatever remains from the probability of the ADSL
    > link failing at ANY time over the previous two years. Routine
    > testing of backup facilities needs to be part of your SOP.
    >
    > >Gary
    > >

    >
    > Good luck and have fun!


    Never used dial backup so I guess we are talking weighted route
    statements with the P2P being favoured over the ADSL Wan link?

    QUOTE
    > The phrase "The satellite office needs to be able to reach the NAT'd
    > internal addresses at HQ." The NAT'd internal addresses at HQ are
    > the external addresses used by HQ. So how do users at the branch
    > address the required services, by their internal IP or their public
    > (external) IP? If the former, no problem.


    You confused me here???

    I am expecting Satellite users to be able to address services at HQ
    using the internal private address range behind the PIXes. Ultimately I
    see a VPN from the private address range of the Satellite office to the
    private address range of HQ behind the PIXes.

    Currently HQ looks like this

    Internet --- [2MB Leased Line] -----> HQ Router -------> HQ Pix

    It will eventually look like this

    Internet --- [2MB Leased Line] -----> HQ Router -------> HQ Pix
    Satellite ------[EIGRP]-------------> HQ Router -------> HQ Pix


    HQ Router has a public IP only on the outside interface towards the
    internet and public plus private secondary on the inside. We will add in
    a new G.703 card for the 2MB P2P link and I assume we will allocate it a
    new private subnet different to anything at HQ but the same as the
    external interface at the satellite office, and we will run EIGRP over
    this link.

    We will also create a VPN across the public internet using the ADSL at
    the Satellite office for failover or dial backup?

    I think this and maybe a few route statements should do the job?

    Gary
     
    Gary Shine, Oct 17, 2005
    #5
  6. In article <YzE4f.1504$Ix3.633@dukeread05>,
    Gary Shine <> wrote:
    >
    >Never used dial backup so I guess we are talking weighted route
    >statements with the P2P being favoured over the ADSL Wan link?


    Yes. Floating static routes in Cisco terminology.

    >QUOTE
    >> The phrase "The satellite office needs to be able to reach the NAT'd
    >> internal addresses at HQ." The NAT'd internal addresses at HQ are
    >> the external addresses used by HQ. So how do users at the branch
    >> address the required services, by their internal IP or their public
    >> (external) IP? If the former, no problem.

    >
    >You confused me here???


    You had asked what caused me to infer that satellite users would
    use the external public IP of the HQ servers.

    >I am expecting Satellite users to be able to address services at HQ
    >using the internal private address range behind the PIXes. Ultimately I
    >see a VPN from the private address range of the Satellite office to the
    >private address range of HQ behind the PIXes.
    >
    >Currently HQ looks like this
    >
    >Internet --- [2MB Leased Line] -----> HQ Router -------> HQ Pix
    >
    >It will eventually look like this
    >
    >Internet --- [2MB Leased Line] -----> HQ Router -------> HQ Pix
    >Satellite ------[EIGRP]-------------> HQ Router -------> HQ Pix


    This is scary. Any router outside the firewall should not be trusted
    with internal routing. Plus, in your diagram above, there is nothing
    inside the HQ PIX.

    >HQ Router has a public IP only on the outside interface towards the
    >internet and public plus private secondary on the inside. We will add in
    >a new G703 card for the 2MB P2P link and I assume we will allocate it a
    >new private subnet different to anything at HQ but the same as the
    >external interface at the satellite office, and we will run EIGRP over
    >this link.
    >
    >We will also create a VPN across the public internet using the ADSL at
    >the Satellite office for failover or dial backup?
    >
    >I think this and maybe a few route statements should do the job?


    A few route statements should be enough to provide robust failover,
    but whether the "few route statements" you think the job is and
    those I think the job is are the same, and whether the design is
    sustainable in a hostile Internet, is not at all clear. As you
    have explained it, your design requirements far exceed that which
    I can provide without investing significant time and effort into
    understanding said requirements, which in turn prevents me from
    providing further free advice. Sorry.

    Good luck and have fun!
    --
    Vincent C Jones, Consultant         Expert advice and a helping hand
    Networking Unlimited, Inc.          for those who want to manage and
    Tenafly, NJ  Phone: 201 568-7810    control their networking destiny
    http://www.networkingunlimited.com
     
    Vincent C Jones, Oct 17, 2005
    #6
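The floating-static arrangement Vincent refers to, written out as an added Cisco IOS example for the satellite router. This is not configuration from the thread: the hostname, all addresses, interface names, the EIGRP AS number and the pre-shared key are assumed, and the bonded ADSL itself (the Dialer0 layer) is taken as already working. The point-to-point link carries EIGRP plus a directly connected default route; the ADSL carries a GRE-over-IPsec tunnel whose routes are installed with administrative distance 250, so they lose to the EIGRP routes (AD 90) and to the AD 1 static while Serial0/0 is up, and take over only when those routes are withdrawn. GRE keepalives take Tunnel0 down if the ADSL path dies, so a dead backup does not black-hole traffic, and the host route to the HQ peer pins the tunnel endpoint to the ADSL so the tunnel never tries to route over itself. The HQ end needs the mirror image (the other half of each /30, a matching crypto map, and a floating static for 192.168.20.0/24 via its tunnel).

```cisco
! Satellite router, IOS 12.x. Assumed addressing (not from the thread):
!   Serial0/0        172.16.0.2/30   2 Mb G.703 point-to-point to HQ (HQ end .1)
!   FastEthernet0/0  192.168.20.1/24 towards the satellite PIX outside interface
!   Dialer0          198.51.100.2    public address on the bonded ADSL (ADSL layer assumed up)
!   Tunnel0          172.16.1.2/30   GRE over IPsec to HQ public peer 203.0.113.10 (HQ end .1)
!   HQ internal address space 10.0.0.0/8, EIGRP AS 100
!
hostname satellite-rtr
!
interface Serial0/0
 description Primary: 2 Mb point-to-point to HQ
 ip address 172.16.0.2 255.255.255.252
!
interface FastEthernet0/0
 description Towards satellite PIX (outside)
 ip address 192.168.20.1 255.255.255.0
!
! --- Primary path: EIGRP runs over the point-to-point link only ---
router eigrp 100
 network 172.16.0.0 0.0.0.3
 network 192.168.20.0 0.0.0.255
 no auto-summary
 passive-interface default
 no passive-interface Serial0/0
!
! Default towards the Internet via HQ while the serial line protocol is up (AD 1)
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
! --- Backup path: GRE over IPsec across the ADSL ---
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.10
!
crypto ipsec transform-set HQ-TS esp-aes esp-sha-hmac
 mode transport
!
! Only the GRE carrier between the two public endpoints is encrypted
ip access-list extended GRE-TO-HQ
 permit gre host 198.51.100.2 host 203.0.113.10
!
crypto map HQ-VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set HQ-TS
 match address GRE-TO-HQ
!
interface Dialer0
 crypto map HQ-VPN
!
interface Tunnel0
 description Backup: GRE/IPsec to HQ via ADSL
 ip address 172.16.1.2 255.255.255.252
 keepalive 10 3
 tunnel source Dialer0
 tunnel destination 203.0.113.10
!
! Pin the tunnel endpoint to the ADSL so it is never resolved via the default route
ip route 203.0.113.10 255.255.255.255 Dialer0
!
! --- Floating statics: AD 250 loses to EIGRP (AD 90) and the AD 1 default while Serial0/0 is up ---
ip route 10.0.0.0 255.0.0.0 Tunnel0 250
ip route 0.0.0.0 0.0.0.0 Tunnel0 250
```

To exercise the backup, as Vincent recommends, shut down Serial0/0 in a maintenance window and confirm with show ip route that 10.0.0.0/8 and 0.0.0.0/0 now appear as static routes via Tunnel0, and with show crypto ipsec sa that the encaps and decaps counters on the Dialer0 security association are climbing; bring the serial back up and check that the EIGRP routes return. One limit of a plain floating-static design is that the routes only move when the serial interface or its line protocol goes down, so a failure that leaves the interface up but drops traffic will not trigger failover.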