Need to securely connect workstations on another WAN to my WAN

Discussion in 'Cisco' started by kev, Nov 16, 2003.

  1. kev

    kev Guest


    I have several staff housed at another physical location in another
    organization. I need to be able to connect these staff to my
    organization's WAN in a secure manner for both organizations.

    Ideally, my staff at the other site should be able to connect to and
    see only my WAN resources. Also, my staff and our computer resources
    should be invisible to the other organization's users and their
    network. Essentially, outside of my requirement to connect these
    workers to our WAN, both WANs need to be securely separate and
    distinct entities.

    Both organizations have private routered WANs with Cisco gear and both
    have PIX firewalls.

    I've considered some options like segregating my staff physically on
    the other LAN and dropping in our own router and FR circuit or
    high-speed internet and a VPN appliance and bringing them directly back
    through our firewall. However, these options incur cost and I'm
    pretty sure this is something that should be able to be done through
    the existing routers, etc. Probably by PVCing and VLANing?

    Any help would be appreciated...

    Thanks in advance !
    kev, Nov 16, 2003

  2. Scooby

    Scooby Guest

    A little more information about setups would be helpful. How close are
    they? What kind of WANs are they running now? Are they using the same
    telco for their networks?

    Something I have done before and may be an option for you... If they are
    both Frame Relay networks, and you can get the telcos to play nice, then
    you can get an NNI (network to network interface) setup between them.
    You'll have to pay for a pvc, but it should be pretty low cost, especially
    if they are in the same LATA and using the same telco. Create that pvc as a
    sub-interface off your frame interface and apply all the rules you like to
    Scooby, Nov 16, 2003

  3. [..]

    Consider an SSL VPN, you allow granular access and don't
    need to kludge VLANs, ACLs, routing, etc. If you have a
    Cisco 3000 it'll be a free upgrade:
    Neoteris seems the most advanced solution to me, but the price
    tag reflects this. And of course there's the open-source model..

    Alan Strassberg, Nov 16, 2003
  4. kev

    kev Guest


    WANs are close (at least HQ to HQ). WANs are Frame Relay but also use
    broadband (ATM OC3). Yes, both use the same telco.

    So, you're saying the PVC would allow granular rules to control who
    sees what?
    kev, Nov 16, 2003
  5. Scooby

    Scooby Guest

    That's very good news that the same telco is used for both frames. You can
    call them and ask if they will set up NNI between the two networks. I'd be
    interested to hear what they quote you, but my guess is pretty dang cheap.
    Just a single pvc from HQ to HQ should be all you need. Not sure if this
    will increase bandwidth demands, though.

    Yes, you will be able to use access rules, but how you do it depends a lot
    on how your network is set up. There are two ways to set up Frame Relay, one
    is point to multipoint, most common for fully meshed networks. The other is
    point to point subinterfaces, more common with hub and spoke. If you are
    already set up with the subinterfaces, that makes this project much easier.
    Then, just apply an access list (or CBAC) to the interface with the PVC to
    the other HQ.

    If you have fully meshed, then it makes it more complicated, but I still
    believe that it can be done. I'm not sure if you can set up a combination
    of point to point and point to multipoint interfaces on a frame relay
    circuit (with Cisco) - I have done this with Nortel. I believe yes, but are
    there people out there that know for sure and want to respond??? Anyway,
    if you have them all under a single interface due to being fully meshed,
    then you just would probably have to set the rules up a little differently.

    The one caveat.... If you have the same IP blocks within each WAN.... Easy
    to do NAT if you are doing the subinterfaces, very hard if you have a single
    interface to the other HQ.
    Scooby, Nov 17, 2003
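    Added example (not from any poster in this thread) of what the point-to-point
    subinterface with an access list looks like in IOS on the HQ router that
    terminates the NNI PVC. The interface name, DLCI, and all address blocks are
    constructed assumptions; CBAC (ip inspect) could replace the stateless ACLs.

```cisco
! Hypothetical config for the router at my HQ that terminates the NNI PVC.
! All interface names, DLCIs and addresses below are constructed assumptions.
!
! My WAN:                                   10.1.0.0/16
! My staff's segment at the other org's site: 10.200.5.0/24
! Everything else on the other organization's WAN must be blocked.

! Only my staff's segment may enter my WAN over the PVC; anything else
! arriving from the other organization is dropped and logged.
ip access-list extended FROM-OTHER-ORG
 permit ip 10.200.5.0 0.0.0.255 10.1.0.0 0.0.255.255
 deny   ip any any log

! Nothing leaves my WAN over the PVC except traffic to my staff's segment,
! so the other organization's users never see my internal hosts.
ip access-list extended TO-OTHER-ORG
 permit ip 10.1.0.0 0.0.255.255 10.200.5.0 0.0.0.255
 deny   ip any any log

interface Serial0/0
 description Frame Relay access circuit to the telco
 encapsulation frame-relay
 no ip address

! Point-to-point subinterface carrying only the NNI PVC to the other HQ.
interface Serial0/0.20 point-to-point
 description NNI PVC to other organization (DLCI 120)
 ip address 192.168.250.1 255.255.255.252
 frame-relay interface-dlci 120
 ip access-group FROM-OTHER-ORG in
 ip access-group TO-OTHER-ORG out

! My staff's segment is reached only through this subinterface; no routing
! protocol is run with the other organization, so nothing else is learned.
ip route 10.200.5.0 255.255.255.0 Serial0/0.20
```

    If the two WANs overlap in address space (Scooby's caveat), the same
    subinterface is where `ip nat outside` and the translation rules would go.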