Suggestion on Wan config for Main Ofc and 4 Branch locations

ken2421 (United States of America) asked:

The problem: I need to reconfigure this LAN. I am a PC tech with modest networking skills and this task has fallen to me. Its success will change things for me.
  I inherited: 35 nodes in the main office and four branch offices of 2 to 10 nodes connecting through the Internet to 2 DSL routers at the main office. The routers are economy Netgear and used mostly as NAT boxes. Two routers were used on separate IPs to allow mapping of two different telnet connections: one to a local IP of 192.168.1.10 and the second to 192.168.1.3. The routers are connected on the WAN side to a switch which is uplinked to the DSL modem. Also inherited were 4 new 3COM OfficeConnect 25-user firewalls with VPN upgrades still in new boxes. I have a PII class NT4.0 Domain Controller with service pack 5, a 2000 Email server running Exchange 5.5. I have tried installing one of the 3COMs parallel to the two existing firewalls but have had difficulties accessing the 3COM. It is web browsable but not reliably in this config. As the sole router it is fine but not with these other two. My hope was to use the four 3COM firewalls and add one additional router to build a VPN. I need help with the plan of the best way to attack this problem without taking the network down for more than just an hour or so.
Whew! I don't ask for much do I?
Help,
Ken
ASKER CERTIFIED SOLUTION by SysExpert (Israel); members-only, text not shown on this page.

ken2421 (ASKER):
This might make this clearer. The DSL routers I mention are Firewall routers made by Netgear. Each one is configured with an Internet IP and mapped by ports to two servers. The main office is configured in a tree fashion: 1st, the DSL Modem
2nd, 5 port switch
3rd, 2 Netgear routers (this is where I hoped to put the new 3COM with VPN)
4th, main hubs
5th, user pc's

This current config allows users access to basic services but I am to make them part of the DOMAIN. I had hoped to configure the new firewall router and then build a VPN, one branch at a time, moving them from old to new.

I know this is ambitious and I am prepared to hire assistance. I am most concerned with bouncing my thoughts off of capable Networking people like yourself.
Thanks again,
Ken
The only way to test this is to disconnect the present routers and plug in the new VPN boxes instead.
These will have to be configured in advance.

Then - 1 person at each site disconnects the Netgear routers, and you plug in the VPN box.

Other options, include testing the VPN boxes separately using a test LAN - this will at least feedback that they can talk to each other properly.

I hope this helps !
ken2421 (ASKER):

I suspect you are probably right. What puzzles me is that I can browse the 3com as long as nothing is connected to the wan port. If I connect to the wan side and restart the router it becomes unstable.

The switch that it is hooked to is an auto uplink. I wonder if that could be troublesome.
Ken
Again. I would not have the old and new stuff working together.
For separate testing, check that the connection speed/duplex rates (100 Mbps/full duplex or similar) are set the same on both ends.

I hope this helps !
hstiles:

Do the 3Com boxes support IPSEC?  If so, then they are well suited to your needs.  I would look into the possibility of purchasing a fifth, more powerful box to act as the firewall/VPN router at your main office.

How many external or REAL IP addresses does your company own?

If you have sufficient addresses to configure more than one simultaneous firewall/perimeter router, this would enable you to begin testing with your live network still intact.  As you'd be using the internet rather than a dedicated circuit, you could simply have the two units in place at each site and modify the gateway settings on a single machine at each site to enable you to test a VPN.
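As an added example (not code from any participant in this thread), the following Python planner works through the layout hstiles and the asker are converging on: one IPsec tunnel from each branch to the main office, a check that no two sites share a LAN subnet (a common reason a site-to-site tunnel comes up but passes no traffic), and the one-machine test hstiles describes, expressed as "does this test PC's routing table already send branch traffic to the new VPN box?". Every site name, WAN address, LAN subnet and routing line below is a constructed assumption using documentation address ranges, not the asker's real addressing.

```python
"""Plan and sanity-check a hub-and-spoke IPsec layout for a main office and four branches.

Added example, not code from the thread. All site names, WAN addresses, LAN
subnets and routing lines are constructed assumptions (documentation ranges).
"""
import ipaddress
from itertools import combinations

# Constructed sample sites: one hub (main office) and four branches.
# branch4 deliberately reuses the hub's 192.168.1.0/24 to exercise the overlap check.
SITES = {
    "main":    {"wan": "198.51.100.10", "lan": "192.168.1.0/24"},
    "branch1": {"wan": "203.0.113.21", "lan": "192.168.11.0/24"},
    "branch2": {"wan": "203.0.113.22", "lan": "192.168.12.0/24"},
    "branch3": {"wan": "203.0.113.23", "lan": "192.168.13.0/24"},
    "branch4": {"wan": "203.0.113.24", "lan": "192.168.1.0/24"},
}

# Constructed routing table of a single test PC in the main office. The old
# Netgear at 192.168.1.1 stays the default gateway; only branch1's subnet has
# been pointed at the new VPN box at 192.168.1.2 (one branch at a time).
TEST_HOST_ROUTES = [
    "default via 192.168.1.1 dev eth0",
    "192.168.11.0/24 via 192.168.1.2 dev eth0",
    "192.168.1.0/24 dev eth0 scope link",
]
NEW_VPN_BOX = "192.168.1.2"  # assumed LAN address of the new 3Com/VPN unit


def overlapping_lans(sites):
    """Return sorted (site, site) pairs whose LAN subnets overlap.

    Two sites with the same private subnet cannot be joined by a plain
    site-to-site tunnel: the firewall cannot tell local hosts from remote ones.
    Renumber one side (or NAT the tunnel) before building that tunnel.
    """
    pairs = []
    for a, b in combinations(sorted(sites), 2):
        net_a = ipaddress.ip_network(sites[a]["lan"])
        net_b = ipaddress.ip_network(sites[b]["lan"])
        if net_a.overlaps(net_b):
            pairs.append((a, b))
    return pairs


def hub_and_spoke_tunnels(sites, hub="main"):
    """One IPsec tunnel per branch, terminating on the hub.

    Each entry carries the two WAN endpoints and the two protected LANs (the
    traffic selectors that must match on both boxes). Branches whose LAN
    collides with the hub's LAN are skipped until they are renumbered.
    """
    blocked = {a if b == hub else b for a, b in overlapping_lans(sites) if hub in (a, b)}
    tunnels = []
    for name, site in sites.items():
        if name == hub or name in blocked:
            continue
        tunnels.append({
            "branch": name,
            "hub_wan": sites[hub]["wan"], "branch_wan": site["wan"],
            "hub_lan": sites[hub]["lan"], "branch_lan": site["lan"],
        })
    return tunnels


def _parse_routes(lines):
    """Parse `ip route`-style lines into (network, next_hop) pairs; directly connected routes get None."""
    routes = []
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        gateway = parts[parts.index("via") + 1] if "via" in parts else None
        routes.append((ipaddress.ip_network(dest, strict=False), gateway))
    return routes


def next_hop(route_lines, dest):
    """Longest-prefix match: which gateway will this host use to reach `dest`?"""
    addr = ipaddress.ip_address(dest)
    matches = [(net, gw) for net, gw in _parse_routes(route_lines) if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def vpn_test_report(route_lines, tunnels, vpn_gateway):
    """For a test host at the hub, report which branch LANs already route through the new VPN box."""
    report = {}
    for t in tunnels:
        probe = str(ipaddress.ip_network(t["branch_lan"])[1])  # first usable host as probe target
        report[t["branch"]] = next_hop(route_lines, probe) == vpn_gateway
    return report


if __name__ == "__main__":
    print("overlapping LANs (fix before tunnelling):", overlapping_lans(SITES))
    tunnels = hub_and_spoke_tunnels(SITES)
    for t in tunnels:
        print(t)
    print("test PC routes via VPN box:", vpn_test_report(TEST_HOST_ROUTES, tunnels, NEW_VPN_BOX))
```

Running it shows branch4 flagged for the subnet collision with the main office, three tunnel definitions ready to be keyed into the hub and branch boxes, and a report that only branch1 traffic from the test PC would currently go through the new VPN unit while branch2 and branch3 still fall back to the old Netgear default gateway.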
ken2421 (ASKER):

hstiles,

Yes the 3COMs do IPsec.

This is the thinking I was hoping to work toward. As SysExpert points out the short down time is unrealistic and so as much pre-testing as possible should be done.

I have managed to get one VPN connection made between the main office and one branch. I have tried to learn as much as I can with this tunnel and it was the hardest I think in that the branch connects w/ broadband wireless.

I think one of the problems with reliability comes from the NT4.0 server being the domain controller and the Win2K server handles the email. That just seems backwards to me.

We have 5 IPs at each location. The configuration of the wireless uses 3 of that branch's and the other 2 are not really available there.

Note: At one point I mentioned that I could not browse the Firewall w/ it in parallel with the others. It turns out that the Netgear FR314 is nearly identical in design and firmware as the 3com OfficeConnect. I switched them out and now I can browse the firewall. I still have another Netgear in line. It is used to route telnet to the frame relay on the LAN and doesn't seem to interfere.

So. Am I heading in the right direction here? It has turned out to be far more time intensive than I planned and I hope I am moving it in the best direction.

ken
Well, so far it definitely sounds good, especially if you already have one branch able to get through.

Always have a fall back plan in place, if any serious issues pop up.

I hope this helps !

Give a spin to CIPE, maybe it's the solution you're searching; CIPE is an encrypting software router which can run on *nix as well on win32 platforms and will allow you to create "encrypted tunnels" in a snap.

For more info please see the home site

http://sites.inka.de/sites/bigred/devel/cipe.html

which has a link for the win32 version too

Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts awarded to SysExpert.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor
ken2421 (ASKER):

I apologize for the long time.  I had completely forgotten this post.

Thanks,
Ken
Thanks for closing.

j