Solved

Suggestion on Wan config for Main Ofc and 4 Branch locations

Posted on 2002-07-18
Last Modified: 2010-04-11
The problem: I need to reconfigure this LAN. I am a PC tech with modest networking skills and this task has fallen to me. Its success will change things for me.

I inherited: 35 nodes in the main office and four branch offices of 2 to 10 nodes connecting through the Internet to 2 DSL routers at the main office. The routers are economy Netgear and used mostly as NAT boxes. Two routers were used on separate IPs to allow mapping of two different telnet connections: one to a local IP of 192.168.1.10 and the second to 192.168.1.3. The routers are connected on the WAN side to a switch which is uplinked to the DSL modem. Also inherited were 4 new 3COM OfficeConnect 25-user firewalls with VPN upgrades, still in new boxes. I have a PII-class NT4.0 Domain Controller with Service Pack 5 and a 2000 email server running Exchange 5.5. I have tried installing one of the 3COMs parallel to the two existing firewalls but have had difficulties accessing the 3COM. It is web browsable but not reliably in this config. As the sole router it is fine, but not with these other two. My hope was to use the four 3COM firewalls and add one additional router to build a VPN. I need help with the plan of the best way to attack this problem without taking the network down for more than just an hour or so.
Whew! I don't ask for much do I?
Help,
Ken
Question by:ken2421

12 Comments
LVL 63

Accepted Solution

by:
SysExpert earned 500 total points
ID: 7163794
1) First read all the Docs on the firewalls.

2) You mentioned
>> I have tried installing one of the 3COMs parallel to the two existing firewalls but have had difficulties accessing the 3COM. It is web browsable but not reliably in this config.
What "other firewalls"?

3) Plan to do your work on a weekend, since 1 hour shut down time is not realistic for this kind of work, unless you have sufficient extra computers to do offline testing.

4) You are going to need help, since to properly test your VPN, you are going to need 1 person at at least 2 locations.

Plan all your steps in advance, map out the connections and get all your steps written down, before you do anything!!
You may also be able to get help from 3Com since you bought 4 VPN boxes.

I hope this helps!
LVL 9

Author Comment

by:ken2421
ID: 7164514
This might make this clearer. The DSL routers I mention are Firewall routers made by Netgear. Each one is configured with an Internet IP and mapped by ports to two servers. The main office is configured in a tree fashion: 1st, the DSL Modem
2nd, 5 port switch
3rd, 2 Netgear routers (this is where I hoped to put the new 3COM with VPN)
4th, main hubs
5th, user pc's

This current config allows users access to basic services but I am to make them part of the DOMAIN. I had hoped to configure the new firewall router and then build a VPN, one branch at a time, moving them from old to new.

I know this is ambitious and I am prepared to hire assistance. I am most concerned with bouncing my thoughts off of capable Networking people like yourself.
Thanks again,
Ken
LVL 63

Expert Comment

by:SysExpert
ID: 7165962
The only way to test this is to disconnect the present routers and plug in the new VPN boxes instead.
These will have to be configured in advance.

Then - 1 person at each site disconnects the Netgear routers, and you plug in the VPN box.

Other options, include testing the VPN boxes separately using a test LAN - this will at least feedback that they can talk to each other properly.

I hope this helps!
LVL 9

Author Comment

by:ken2421
ID: 7165989
I suspect you are probably right. What puzzles me is that I can browse the 3Com as long as nothing is connected to the WAN port. If I connect to the WAN side and restart the router it becomes unstable.

The switch that it is hooked to is an auto uplink. I wonder if that could be troublesome.
Ken
LVL 63

Expert Comment

by:SysExpert
ID: 7168464
Again. I would not have the old and new stuff working together.
For separate testing, check that the connection speed/duplex rates (100 Mbps/duplex or similar) are set the same on both ends.

I hope this helps!
LVL 13

Expert Comment

by:hstiles
ID: 7179539
Do the 3Com boxes support IPSEC? If so, then they are well suited to your needs. I would look into the possibility of purchasing a fifth, more powerful box to act as the firewall/VPN router at your main office.

How many external or REAL IP addresses does your company own?

If you have sufficient addresses to configure more than one simultaneous firewall/perimeter router, this would enable you to begin testing with your live network still intact. As you'd be using the Internet rather than a dedicated circuit, you could simply have the two units in place at each site and modify the gateway settings on a single machine at each site to enable you to test a VPN.
LVL 9

Author Comment

by:ken2421
ID: 7181371
hstiles,

Yes the 3COMs do IPsec.

This is the thinking I was hoping to work toward. As SysExpert points out the short down time is unrealistic and so as much pre-testing as possible should be done.

I have managed to get one VPN connection made between the main office and one branch. I have tried to learn as much as I can with this tunnel, and it was the hardest I think in that the branch connects w/ broadband wireless.

I think one of the problems with reliability comes from the NT4.0 server being the domain controller and the Win2K server handles the email. That just seems backwards to me.

We have 5 IPs at each location. The configuration of the wireless uses 3 of that branch's and the other 2 are not really available there.

Note: At one point I mentioned that I could not browse the Firewall w/ it in parallel with the others. It turns out that the Netgear FR314 is nearly identical in design and firmware as the 3com OfficeConnect. I switched them out and now I can browse the firewall. I still have another Netgear in line. It is used to route telnet to the frame relay on the LAN and doesn't seem to interfere.

So. Am I heading in the right direction here? It has turned out to be far more time intensive than I planned and I hope I am moving it in the best direction.

ken
LVL 63

Expert Comment

by:SysExpert
ID: 7183040
Well, so far it definitely sounds good, especially if you already have one branch able to get through.

Always have a fall back plan in place, if any serious issues pop up.

I hope this helps!
LVL 4

Expert Comment

by:anzen
ID: 7352707

Give a spin to CIPE, maybe it's the solution you're searching for; CIPE is an encrypting software router which can run on *nix as well as on win32 platforms and will allow you to create "encrypted tunnels" in a snap.

For more info please see the home site

http://sites.inka.de/sites/bigred/devel/cipe.html

which has a link for the win32 version too.
LVL 5

Expert Comment

by:zenlion420
ID: 9711664
Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts awarded to SysExpert.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor
LVL 9

Author Comment

by:ken2421
ID: 9715530
I apologize for the long time. I had completely forgotten this post.

Thanks,
Ken
LVL 5

Expert Comment

by:zenlion420
ID: 9717051
Thanks for closing.

j