Solved

Should I use static or Dyn routing for 2 sites using P2P T1?

Posted on 2003-12-09
Last Modified: 2010-04-11
Ok Expert Fam I got a good one this week.

Here it is.  
2 Networks that are connected via P2P T1.  Each Site has a 2611XM
LAN A
FE0/0 192.168.1.0 /24
FE0/1 65.X.X.1
S0/0 192.168.100.1 /30

There is a firewall on the LAN A side
PIX 506E
E0/0 205.X.X.1
E0/1 192.168.1.1

LAN B
FE0/0 192.168.2.0 /24
S0/0 192.168.100.2 /30
Router will serve up DHCP

Here is the Need
All 192.168.1.0 Traffic needs internet access
All 192.168.2.0 traffic on the far end needs internet access
Need to make sure that firewall still does the job of protection.
____________________________________________________________________________
Should I use dyn. routing protocol or static routing?  
Here is the Config I have so far

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname XXXXXXXX
!
enable secret 5 $1$NA2L$nQ6ZbzfFGt1GEDo1ZuZik1
enable password
!
ip subnet-zero
!
!
interface FastEthernet0/0
 ip address 192.168.1.80 255.255.255.0
 speed auto
 half-duplex

interface Serial0/0
 no shutdown
 description connected to XXXXXX
 service-module t1 clock source line
 service-module t1 data-coding normal
 service-module t1 remote-loopback full
 service-module t1 framing esf
 service-module t1 linecode b8zs
 service-module t1 lbo none
 service-module t1 remote-alarm-enable
 ip address 192.168.100.1 255.255.255.252
 encapsulation ppp

!
interface FastEthernet0/1
 ip address 205.X.X.80 255.255.0.0
 speed auto
 half-duplex
!
ip classless
ip http server
ip pim bidir-enable
!
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
snmp-server community RO
line con 0
line aux 0
line vty 0 4
 password
 login
!
!
end

I need help in making sure these 2 sides talk to one another.
Thanks
D  
0
Question by:deasem
8 Comments
 

Expert Comment

by:brianrance
ID: 9906750
If I am correct in assuming that subnet 192.168.2.0 is routed to 192.168.1.0 then to firewall and out, then I'd say that you should set up static route records for the network.  Unless you have a relatively large network with lots of subnets (e.g. 4 or more routers), static should be adequate (as long as you don't plan on changing your network architecture too much).  Besides, if you enable Dynamic routing, your network will have to deal with RIP routing updates flying around.  Dynamic is easier to maintain though.  I think it comes down to how much time you have and if your network can stand another device (or 2) sending update packets out.

Basically:
Static= little harder to configure, medium difficulty to maintain, requires less network overhead.
Dynamic= easier to startup, easier to maintain, requires more network overhead.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9906954
Assuming your setup is something like this:

Internet ->PIX-->LANA-->router-->T1-->router-->LANB

All you need on LANB router is a static default, all users on LANB point to the router as their default gateway (192.168.2.x):
!
ip route 0.0.0.0 0.0.0.0 192.168.100.1
!

On LANA router, you need a route to LANB and a default to the PIX:
!
ip route 192.168.2.0 255.255.255.0 192.168.100.2
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!

All users on LANA point their default gateway to the router's E0 address: 192.168.1.80

Make sure the PIX is also set up with a route back to 192.168.2.0:
PIX:
route inside 192.168.2.0 255.255.255.0 192.168.1.80

and make sure this subnet is included in the nat (inside) statement...

0
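Added example (not part of the thread, and not the posters' code): a small Python model of the three static route tables from the answer above, tracing a packet hop by hop with longest-prefix match. The device names, the sample host 192.168.2.10 and the PIX default route to "internet" are assumptions made for illustration.

```python
import ipaddress

# Route tables as given in the answer above. Device names are labels chosen
# for this example; the PIX default route to "internet" is an assumption.
ROUTES = {
    "routerB": [("192.168.2.0/24", "connected"), ("192.168.100.0/30", "connected"),
                ("0.0.0.0/0", "routerA")],            # default via 192.168.100.1
    "routerA": [("192.168.1.0/24", "connected"), ("192.168.100.0/30", "connected"),
                ("192.168.2.0/24", "routerB"),        # via 192.168.100.2
                ("0.0.0.0/0", "pix")],                # via 192.168.1.1
    "pix":     [("192.168.1.0/24", "connected"),
                ("192.168.2.0/24", "routerA"),        # route inside ... 192.168.1.80
                ("0.0.0.0/0", "internet")],
}

def next_hop(device, dst, routes):
    """Longest-prefix match over one device's table; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in routes[device]
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(start, dst, routes=ROUTES, max_hops=8):
    """Follow a packet hop by hop and return the list of devices it visits."""
    path, device = [start], start
    for _ in range(max_hops):
        nh = next_hop(device, dst, routes)
        if nh is None:
            return path + ["dropped"]
        if nh == "connected":
            return path + ["delivered"]
        path.append(nh)
        if nh == "internet":
            return path
        device = nh
    return path + ["loop"]

def without(routes, device, prefix):
    """Copy of the tables with one route removed, to show what that route is for."""
    pruned = dict(routes)
    pruned[device] = [r for r in routes[device] if r[0] != prefix]
    return pruned

if __name__ == "__main__":
    print(trace("routerB", "66.218.71.198"))   # LAN B host to the Internet
    print(trace("pix", "192.168.2.10"))        # reply coming back through the PIX
    print(trace("pix", "192.168.2.10", without(ROUTES, "pix", "192.168.2.0/24")))
    print(trace("routerA", "192.168.2.10", without(ROUTES, "routerA", "192.168.2.0/24")))
```

With the PIX route to 192.168.2.0 removed, replies for LAN B follow the PIX default route toward the outside and never reach the T1. With the LAN A router's route to 192.168.2.0 removed, the packet bounces between the router and the PIX.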
 

Author Comment

by:deasem
ID: 9907366
Lmoore
The only other question I have is
If I point all users to the E0 on the Router to be the default gateway, then at what point will the 192.168.1.X users get NATed when they try to get out to the internet?

So I guess I'm going to have something like this
LANA
ip route 192.168.2.0 255.255.255.0 192.168.100.2
ip route 0.0.0.0 0.0.0.0 192.168.1.1

LANB
ip route 0.0.0.0 0.0.0.0 192.168.100.1

Firewall
route inside 192.168.2.0 255.255.255.0 192.168.1.80
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 9908084
>at what point will the 192.168.1.X users get NATed when they try to get out to the internet.
When they go out through the PIX..
UserPC - defaults to router IP
Router defaults to PIX
Router will "redirect" local traffic to the PIX for anything other than the networks it knows about
Router will "route" remote traffic to the PIX for any destination not local

You got it on the configs...

0
 

Expert Comment

by:brianrance
ID: 9908189
Irmoore has it:

Say PC 192.168.1.x wants yahoo.com (66.218.71.198)

192.168.1.x Asks Router1 "Can you send this request to 66.218.71.198?"
Router1 thinks "I don't know where that is, so I'll send it to my default route, Router2"
Router1 asks Router2 "Can you send this request to 66.218.71.198 for me?"
Router2 says "That's not any of my listed subnets, I'll send it to my default route"
Router2 asks Firewall "can you send this to 66.218.71.198"
Firewall says sure, and sends it out, where the router-jumping process continues until a router knows how to connect to 66.218.71.198, and then retrieves info and sends it back the path it came in on.

As long as each default gateway points towards the right device, you should be golden

*This was an oversimplified explanation.
0
 

Author Comment

by:deasem
ID: 9908689
You guys are the best.  Thanks again.  I can't wait until tomorrow to get this thing off the ground.  One last thing,
if anybody can answer this.
Since I have the firewall, there is no need for me to place any access-list on the router unless I want to block from 192.168.2.1 network?

Thanks again
D
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9908760
You can use an access-list on the router, but it's not really necessary unless you want to restrict these two subnets from talking to each other...

Unless you mean the router in front of the PIX. In that case, you can if you want. I have a whole list of AsiaPAC subnets blocked at the router so my firewall never has to deal with them..
0
 

Author Comment

by:deasem
ID: 9908901
That's about it.. Thanks again for your help.
0