wesvt1
asked on
Routing between two networks, two different entities
I'll try to explain as simply as I can, even though it is rather convoluted:
Two entities, a small office and a large office, that are in buildings across a parking lot from each other and have Ethernet running between their two buildings. Currently, there is a D-Link NAT router between the two offices which allows access from one PC to the larger office. The large office has a host system that must see a unique IP from each host, or it won't allow a login. Their needs have changed recently and the small office now needs access for several PCs to this host system next door. The administrator for the large office wants the smaller office to install a Cisco dual Ethernet, and to re-address their space. The small office doesn't want to re-address their space since they also have a couple of VPNs to other entities.
As a solution, could I just add a secondary Ethernet address to the Cisco? If so, would I then add a second NIC (they all have Win2k Pro) to any PC that needs access to the host system at the large office? Or is there an easier way? The administrator from the large office has recommended setting up static NAT addressing on the Cisco, but I see that as potentially more complicated.
Thanks
Hi,
Both solutions would work. In my opinion, doing it with NAT would be a lot less messy. You only have to make changes on the router. A lot easier to manage as well.
The NAT will not break surfing to secure sites. It was designed for the purpose of allowing people with a private RFC 1918 IP address to connect to the internet. However, there are certain applications that do not like NAT, but since the administrator suggested it, one can assume that it will work.
Installing a Cisco router would also give you flexibility in the configuration that you will not get with most other vendors' products.
Configuring the NAT is really not that tricky - 4 lines to add to the config to be exact ;-)
I agree with NicBrey, centralizing administration on the router and not having to mess with the client computers at all would be ideal.
ASKER
Good advice, looks like I should do the dynamic NAT then....
Can you give me any example configuration hints or links as well?
You said that there is currently a D-Link NAT router in between the networks, so I presume they have the same IP address space and that's the reason that you need NAT or to re-address the network - correct?
Let's say, for example, that:
IP address range of LAN with server = 192.168.1.0 255.255.255.0
IP address of the server = 192.168.1.10 255.255.255.0
IP address range of smaller LAN is also = 192.168.1.0 255.255.255.0
You want to NAT the addresses to 200.1.1.1 to 200.1.1.50
This will make it look like all PCs from the smaller LAN come from the 200.1.1.0/24 network
Config will look something like this:
! Inside interface
interface Ethernet0
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
! Outside interface
interface Ethernet1
 ip address 200.1.1.1 255.255.255.0
 ip nat outside
! Defines the outside address pool
ip nat pool outsidepool 200.1.1.2 200.1.1.50 netmask 255.255.255.0
! Defines the inside address pool
ip nat pool inside 10.1.2.2 10.1.2.254 netmask 255.255.255.0
! NAT statement for incoming traffic
ip nat outside source list 2 pool outsidepool
! NAT statement for outgoing traffic
ip nat inside source list 2 pool inside
! Access list defining the internal network
access-list 2 permit 10.1.2.0 0.0.0.255
Hope this helps.
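A pre-deployment check for a dynamic NAT config of the kind posted above, as an added example that is not part of the original thread: it verifies that every "ip nat ... source list" statement refers to a pool and access list that are actually defined, and flags the two conditions that would stop the large office's host from seeing one unique address per PC (an "overload" statement, or a pool smaller than the client range). The sample config, the function name lint_nat and the finding texts are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample (not from the thread), in the style of the config above.
SAMPLE = """\
ip nat pool outsidepool 200.1.1.2 200.1.1.50 netmask 255.255.255.0
ip nat inside source list 2 pool outsidepool
ip nat inside source list 2 pool inside pool
ip nat inside source list 3 pool outsidepool overload
access-list 2 permit 10.1.2.0 0.0.0.255
"""

POOL = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask \S+$")
RULE = re.compile(
    r"^ip nat (?:inside|outside) source list (\d+) pool (.+?)( overload)?$")
ACL = re.compile(r"^access-list (\d+) permit (\S+) (\S+)$")


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


def lint_nat(config):
    """Return a list of findings for the dynamic NAT statements in config."""
    pools, acl_hosts, rules = {}, {}, []
    for line in map(str.strip, config.splitlines()):
        if m := POOL.match(line):
            pools[m[1]] = ip_int(m[3]) - ip_int(m[2]) + 1
        elif m := ACL.match(line):
            # A contiguous wildcard such as 0.0.0.255 covers 256 addresses;
            # drop network and broadcast to estimate usable hosts.
            acl_hosts[m[1]] = acl_hosts.get(m[1], 0) + max(ip_int(m[3]) - 1, 1)
        elif m := RULE.match(line):
            rules.append((m[1], m[2], bool(m[3])))
    findings = []
    for acl, pool, overload in rules:
        if pool not in pools:
            findings.append(f"list {acl}: pool '{pool}' is not defined")
        if acl not in acl_hosts:
            findings.append(f"list {acl}: no access-list {acl} defined")
        if overload:
            # PAT: many inside hosts appear behind one translated address.
            findings.append(f"list {acl}: overload makes hosts share an address")
        elif pool in pools and pools[pool] < acl_hosts.get(acl, 0):
            # One-to-one dynamic NAT cannot translate new hosts once the pool is used up.
            findings.append(f"list {acl}: pool '{pool}' has {pools[pool]} "
                            f"addresses for up to {acl_hosts[acl]} hosts")
    return findings


if __name__ == "__main__":
    for finding in lint_nat(SAMPLE):
        print(finding)
```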
ASKER
I forgot that with Win2k with static IPs you could add multiple addresses under the advanced settings.
Since I'm not a Cisco expert, seems adding the secondary ethernet address space and statically setting up the clients is easier than doing the "dynamic NAT" solution.... (Or easier for me that is) So given this information, would both methods be a good solution for a solid, reliable networking environment? I would hate to do the dynamic NAT route, and then find that it breaks surfing to some secure sites, etc.
Thanks