Need to securely connect workstations on another WAN to my WAN

Hi,

I have several staff housed at another physical location in another
organization. I need to be able to connect these staff to my
organization's WAN in a secure manner for both organizations.

Ideally, my staff at the other site should be able to connect to and
see only my WAN resoources. Also, my staff and our computer resources
should be invisible to the other organization's users and their
network. Essentially, outside of my requirement to connect these
workers to our WAN, both WANs need to be securely separate and
distinct entities.

Both organizations have private routered WANs with Cisco gear and both
have PIX firewalls.

I've considered some options like segregating my staff physically on
the other LAN and dropping in our own router and FR circuit or
highspeed internet and a VPN appliance and bringing them direcly back
through our firewall. However, these options incur cost and I'm
pretty sure this is something that should be able to be done though
the existing routers, etc. Probably by PVCing and VLANing ?

Any help would be appreciated...

Thanks in advance !

 

A little more information about setups would be helpfull. How close are
they? What kind of WANs are they running now? Are they using the same
telco for their networks?

Something I have done before and may be an option for you... If they are
both Frame Relay networks, and you can get the telco's to play nice, then
you can get an NNI (network to network interface) setup between them.
You'll have to pay for a pvc, but it should be pretty low cost, especially
if they are in the same LATA and using the same telco. Create that pvc as a
sub-interface off your frame interface and apply all the rules you like to
it.

 

[..]

Consider an SSL VPN, you allow granular access and don't
need to kludge VLANs, ACLs, routing, etc. If you have a
Cisco 3000 it'll be a free upgrade:
http://tinyurl.com/v4jt
Neoteris seem the most advanced solution to me, but the price
tag reflects this. And of course there's the open-source model..
http://openvpn.sourceforge.net/

alan

 

Thanks,

WANS are close (at least HQ to HQ). WANS are Frame relay but also use
broadband (ATM OC3). Yes, both use the same telco.

So, you're saying the PVC would allow granular rules to control who
sees what ?

 

That's very good news that the same telco is used for both frames. You can
call them and ask if they will set up NNI between the two networks. I'd be
interested to hear what they quote you, but my guess is pretty dang cheap.
Just a single pvc from HQ to HQ should be all you need. Not sure if this
will increase bandwidth demands, though.

Yes, you will be able to use access rules, but how you do it depends a lot
on how your network is setup. There are two ways to set up Frame Relay, one
is point to multipoint, most common for fully meshed networks. The other is
point to point subinterfaces, more common with hub and spoke. If you are
already setup with the subinterfaces, that makes this project much easier.
Then, just apply a access list (or cbac) to the interface with the pvc to
the other hq.

If you have fully meshed, then it makes it more complicated, but I still
believe that it can be done. I'm not sure if you can set up a combonation
of point to point and point to multipoint interfaces on a frame relay
circuit (with Cisco) - I have done this with Nortel. I believe yes, but are
they are people out there that know for sure and want to respond??? Anyway,
if you have them all under a single interface due to being fully meshed,
then you just would probably have to set the rules up a little different.

The one caveat.... If you have the same ip blocks within each WAN.... Easy
to do nat if you are doing the subinterfaces, very hard if you have a single
interface to the other HQ.