Solved

Suggestion on Wan config for Main Ofc and 4 Branch locations

Posted on 2002-07-18
Last Modified: 2010-04-11
The problem: I need to reconfigure this LAN. I am a PC tech with modest networking skills and this task has fallen to me. Its success will change things for me.
I inherited: 35 nodes in the main office and four branch offices of 2 to 10 nodes connecting through the Internet to 2 DSL routers at the main office. The routers are economy Netgear and used mostly as NAT boxes. Two routers were used on separate IPs to allow mapping of two different telnet connections: one to a local IP of 192.168.1.10 and the second to 192.168.1.3. The routers are connected on the WAN side to a switch which is uplinked to the DSL modem. Also inherited were 4 new 3COM OfficeConnect 25-user firewalls with VPN upgrades, still in new boxes. I have a PII class NT4.0 Domain Controller with service pack 5 and a 2000 email server running Exchange 5.5. I have tried installing one of the 3COMs parallel to the two existing firewalls but have had difficulties accessing the 3COM. It is web browsable but not reliably in this config. As the sole router it is fine but not with these other two. My hope was to use the four 3COM firewalls and add one additional router to build a VPN. I need help with the plan of the best way to attack this problem without taking the network down for more than just an hour or so.
Whew! I don't ask for much do I?
Help,
Ken
Question by:ken2421
12 Comments
 
LVL 63

Accepted Solution

by:
SysExpert earned 500 total points
ID: 7163794
1) First read all the Docs on the firewalls.

2) You mentioned
>> I have tried installing one of the 3COMs parallel to the two existing firewalls but have had difficulties accessing the 3COM. It is web browsable but not reliably in this config.
What "other firewalls"?

3) Plan to do your work on a weekend, since 1 hour shutdown time is not realistic for this kind of work, unless you have sufficient extra computers to do offline testing.

4) You are going to need help, since to properly test your VPN, you are going to need 1 person at at least 2 locations.

Plan all your steps in advance, map out the connections and get all your steps written down, before you do anything!!
You may also be able to get help from 3Com since you bought 4 VPN boxes.

I hope this helps!
 
LVL 9

Author Comment

by:ken2421
ID: 7164514
This might make this clearer. The DSL routers I mention are Firewall routers made by Netgear. Each one is configured with an Internet IP and mapped by ports to two servers. The main office is configured in a tree fashion: 1st, the DSL Modem
2nd, 5 port switch
3rd, 2 Netgear routers (this is where I hoped to put the new 3COM with VPN)
4th, main hubs
5th, user PCs

This current config allows users access to basic services but I am to make them part of the DOMAIN. I had hoped to configure the new firewall router and then build a VPN, one branch at a time, moving them from old to new.

I know this is ambitious and I am prepared to hire assistance. I am most concerned with bouncing my thoughts off of capable Networking people like yourself.
Thanks again,
Ken
 
LVL 63

Expert Comment

by:SysExpert
ID: 7165962
The only way to test this is to disconnect the present routers and plug in the new VPN boxes instead.
These will have to be configured in advance.

Then - 1 person at each site disconnects the Netgear routers, and you plug in the VPN box.

Other options include testing the VPN boxes separately using a test LAN - this will at least feed back that they can talk to each other properly.

I hope this helps !
 
LVL 9

Author Comment

by:ken2421
ID: 7165989
I suspect you are probably right. What puzzles me is that I can browse the 3Com as long as nothing is connected to the WAN port. If I connect to the WAN side and restart the router it becomes unstable.

The switch that it is hooked to is an auto uplink. I wonder if that could be troublesome.
Ken
 
LVL 63

Expert Comment

by:SysExpert
ID: 7168464
Again. I would not have the old and new stuff working together.
For separate testing, check that the connection speed/duplex rates (100 Mbps/duplex or similar) are set the same on both ends.

I hope this helps !
 
LVL 13

Expert Comment

by:hstiles
ID: 7179539
Do the 3Com boxes support IPsec? If so, then they are well suited to your needs. I would look into the possibility of purchasing a fifth, more powerful box to act as the firewall/VPN router at your main office.

How many external or REAL IP addresses does your company own?

If you have sufficient addresses to configure more than one simultaneous firewall/perimeter router, this would enable you to begin testing with your live network still intact. As you'd be using the Internet rather than a dedicated circuit, you could simply have the two units in place at each site and modify the gateway settings on a single machine at each site to enable you to test a VPN.
 
LVL 9

Author Comment

by:ken2421
ID: 7181371
hstiles,

Yes the 3COMs do IPsec.

This is the thinking I was hoping to work toward. As SysExpert points out the short down time is unrealistic and so as much pre-testing as possible should be done.

I have managed to get one VPN connection made between the main office and one branch. I have tried to learn as much as I can with this tunnel, and it was the hardest, I think, in that the branch connects w/ broadband wireless.

I think one of the problems with reliability comes from the NT4.0 server being the domain controller and the Win2K server handles the email. That just seems backwards to me.

We have 5 IPs at each location. The configuration of the wireless uses 3 of that branch's, and the other 2 are not really available there.

Note: At one point I mentioned that I could not browse the firewall w/ it in parallel with the others. It turns out that the Netgear FR314 is nearly identical in design and firmware to the 3Com OfficeConnect. I switched them out and now I can browse the firewall. I still have another Netgear in line. It is used to route telnet to the frame relay on the LAN and doesn't seem to interfere.

So, am I heading in the right direction here? It has turned out to be far more time intensive than I planned and I hope I am moving it in the best direction.

ken
 
LVL 63

Expert Comment

by:SysExpert
ID: 7183040
Well, so far it definitely sounds good, especially if you already have one branch able to get through.

Always have a fallback plan in place, if any serious issues pop up.

I hope this helps !
 
LVL 4

Expert Comment

by:anzen
ID: 7352707

Give CIPE a spin, maybe it's the solution you're searching for; CIPE is an encrypting software router which can run on *nix as well as on win32 platforms and will allow you to create "encrypted tunnels" in a snap.

For more info please see the home site

http://sites.inka.de/sites/bigred/devel/cipe.html

which has a link for the win32 version too.
 
LVL 5

Expert Comment

by:zenlion420
ID: 9711664
Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts awarded to SysExpert.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor
 
LVL 9

Author Comment

by:ken2421
ID: 9715530
I apologize for the long time. I had completely forgotten this post.

Thanks,
Ken
 
LVL 5

Expert Comment

by:zenlion420
ID: 9717051
Thanks for closing.

j