Suggestion on Wan config for Main Ofc and 4 Branch locations

The problem: I need to reconfigure this LAN. I am a PC tech with modest networking skills and this task has fallen to me. Its success will change things for me.
  I inherited: 35 nodes in main offc. and four branch offices of 2 to 10 nodes connecting through Internet to 2 Dsl routers at the main office. The routers are economy Netgear and used mostly as NAT boxes. Two routers were used on separate ip's to allow mapping of two different telnet conections: One, to a local ip of and the second to The routers are connected on the wan side to a switch which is uplinked to the DSL modem. Also inherited were 4 new 3COM office connect 25 user firewalls with vpn upgrades still in new boxes. I have an PII class NT4.0 Domain Controller with service pack 5, a 2000 Email server running Exchange 5.5 . I have tried installing one of the 3COMs parallel to the two existing firewalls but have had difficulties accessing the 3COM. It is web browsable but not reliably in this config. As the sole router it is fine but not with these other two. My hope was to use the four 3COM firewalls and add one additional router to build a VPN. I need help with the plan of the best way to attack this problem without taking the network down for more than just an hour or so.
Whew! I don't ask for much do I?
Who is Participating?
1) First read all the Docs on the firewalls.

2) You mentioned
>> I have tried installing one of   the 3COMs parallel to the two existing firewalls but have had difficulties accessing the 3COM. It is web browsable but  not reliably in this config.
What "other firewalls ).

3) Plan to do your work on a weekend, since 1 hour shut down time is not realistic for this kind of work, unless you have sufficient extra computers to do offline testing..

4) You are going to need help, since to properly test your VPN, you are going to need 1 person at at least 2 locations.

Plan all you steps in advance, map out the connections  and get all your steps written down, before you do anything !!
You may also be able to get help from 3 com since you bought 4 VPN boxes.

I hope this helps  !
ken2421Author Commented:
This might make this clearer. The DSL routers I mention are Firewall routers made by Netgear. Each one is configured with an Internet IP and mapped by ports to two servers. The main office is configured in a tree fashion: 1st, the DSL Modem
2nd, 5 port switch
3rd, 2 Netgear routers (this is where I hoped to put the new 3COM with VPN)
4th, main hubs
5th, user pc's

This current config allows users access to basic services but I am to make them part of the DOMAIN. I had hoped to configure the new firewall router and then build a VPN, one branch at a time, moving them from old to new.

I know this is ambitious and I am prepared to hire assistance. I am most concerned with bouncing my thoughts off of capable Networking people like yourself.
Thanks again,
The only way to test this is to disconnect the present routers and plug in the new VPN boxes instead.
These will have to be configured in advance.

Then - 1 person at each site disconnects the netgeat routers , and you plug in the VPN box.

Other options, include testing the VPN boxes separately using a test LAN - this will at least feedback that they can talk to each other properly.

I hope this helps !
KuppingerCole Reviews AlgoSec in Executive Report

Leading analyst firm, KuppingerCole reviews AlgoSec's Security Policy Management Solution, and the security challenges faced by companies today in their Executive View report.

ken2421Author Commented:
I suspect you are probably right. What puzzles me is that I can browse the 3com as long as nothing is connected to the wan port. If I connect to the wan side and restart the router it becomes unstable.

The switch that it is hooked to is an auto uplink. I wonder if that could be troublesome.
Again. I would not have the old and new stuff working together.
For separate testing, check that the connection speed/duplex rates  ( 100 Mbps/duplex or similar ) are set the same on both ends.

I hope this helps !
Do the 3Com boxes support IPSEC?  If so, then they are well suited to your needs.  I would look into the possibility of purchased a fifth, more powerful box to act as the firewall/VPN router at your main office

How many external or REAL IP addresses does your company own?

If you have sufficient addresses to configure more than one simultaneous firewall/perimeter router.  This would enable you to begin testing with your live network still intact.  As you'd be using the internet rather than a dedicated circuit, you could simply have the two units in place at each site and modify the gateway settings on a single machine at each site to enable you to test a VPN.
ken2421Author Commented:

Yes the 3COMs do IPsec.

This is the thinking I was hoping to work toward. As SysExpert points out the short down time is unrealistic and so as much pre-testing as possible should be done.

I have managed to Get one VPN connection made between the main office and one branch. I have tried to learn as much as I can with this tunnel and it was the hardest I think in that the branch connects w/ broadband wireless.

I think one of the problems with reliability comes from the NT4.0 server being the domain controller and the Win2K server handles the email. That just seems backwards to me.

We have 5 IPs at each location. The configuration of the wireless uses 3 of that branches and the other 2 or not really available there.

Note: At one point I mentioned that I could not browse the Firewall w/ it in parallel with the others. It turns out that the Netgear FR314 is nearly identical in design and firmware as the 3com OfficeConnect. I switched them out and now I can browse the firewall. I still have another Netgear in line. It is used to route telnet to the frame relay on the LAN and doesn't seem to interfere.

So. Am I heading in the right direction here? It has turned out to be far more time intensive than I planned and  I hope I am moving it in the best direction.

Well, so far it definitely sounds good, especially if you already have one branch able to get through.

ALways have a fall back plan in place, if any serious issues pop up.

I hope this helps !

Give a spin to CIPE, maybe it's the solution you're searching; CIPE is an encrypting software router which can run on *nix as well on win32 platforms and will allow you to create "encrypted tunnels" in a snap.

For more infos please see the home site

which has a link for the win32 version too

Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts awarded to SysExpert.
Please leave any comments here within the next seven days.


EE Page Editor
ken2421Author Commented:
I apologize for the long time.  I had completely forgotten this post.

Thanks for closing.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.