
Point to Point T1 WAN

Ok, here is the deal:

Currently, we have a T1 line being provided that is terminated via a CSU/DSU and router provided by our telco. A standard 10/100 Ethernet jack is what interfaces the CSU/DSU with whatever Ethernet device I would like (router, firewall, computer...). I am currently using a SonicWall Pro 300 firewall for our main firewall (25 PCs reside behind it, as well as 3 servers: 1 webserver/DNS/SMTP/POP, 1 VoIP server, 1 Terminal Server).

The problem started at the beginning of July when I was informed we would be purchasing another building 3 miles down the road. Due to the VPN capabilities of the firewall, I thought this would be a simple Remote Office -> Corporate Office setup via VPN. All would have been good, had the DSL service the telco provided been worth anything. Because of some requirements, we had to have VoIP phones that integrated with our phone system, and they work really well, except when everyone uses the Internet and their phone at the same time (killing that poor little DSL line).

The solution:
A point to point T1 connection.

My problem is this: how do I implement it? The line will be installed within 2 weeks (just ordered it today). My thought has been to use Cisco 1720 or 2610 routers with WIC-T1-DSU/CSU cards, but where do I put these?

I still need the Internet to be accessible from all sides of the link, and I still need the PCs to be able to talk to each other through the link.

Should the Cisco routers be placed on the public network outside my firewall, between the telco router and my firewall, then a T1 connection over to my other building, and a second SonicWall router with a VPN tunnel which travels over the 1.5 Mbps connection?

Or should I put it inside my firewall, having it on some sort of a strange network? I'm not sure how that would work, considering all the PCs can only have one gateway. I would suppose I would have to have 2 Ethernet Links on the router at the corporate office, one for the outbound to the Sonicwall firewall, and one for the LAN connection, then the last WIC slot for the T1 connection?

To me, the one that makes the most sense is putting the routers on the outside of the firewalls, then utilizing the T1 just like any ISP would, and then just VPNing across the connection. The downside to this is the fact that I would have to open up all ports, but my firewalls at each end should stop any trouble.

Another option would be to set up the link in bridge mode, but I understand this can cause a lot of unneeded traffic (can't be too much, only a total of 40-50 PCs).

I would GREATLY appreciate any suggestions or help. The routers have to be purchased on Monday, and I've never even TOUCHED a Cisco router, but it seems easy enough to setup. Once again, thanks for the help.

 - Peter
1 Solution
Hi Peter,

Sounds like you're in for an interesting challenge :-)

I assume that most traffic will be travelling between your two sites, and that's where the VoIP traffic is as well?

In that case, I'd put the point-to-point link INSIDE your network (behind your firewall).

I'm also assuming that you have distinct IP subnets in each site.

Remote site router:
Configure this to send all traffic (default gateway) to your router in your main site.
Site PCs are configured to use this router as their gateway

Central site router:
Configure this with routing information for your remote site.
Set its default gateway to be your firewall.
Site PCs are configured to use this router as their gateway

The above setup means that all the PCs will be able to contact each other, and Internet access from your remote site will go through your firewall at your central site.
You may need to do a little reconfiguration of your firewall.

This arrangement gives you the benefit of centralised control of Internet access.

You were thinking about 1720 or 2610 routers.  The 1720 will work fine on a T1 link, assuming that you're not doing anything with complicated ACLs or compression.
If you are, then the 2610 would be a better bet.

Don't use bridged mode :-)

Erm, I think that's it.  Let me know if any of my comments are way out and I'll adjust my suggestions :-)

plewis1250Author Commented:
Thank you SO much scampgb.

You are correct in assuming the VoIP traffic is traveling between the two sites, as is any Internet traffic of course. We do have distinct IP subnets at each end (used for the VPN tunnel) so that should not be a problem there.

I only have one question, being TOTALLY unfamiliar with routers. Can I use just one Ethernet connection inside the central site router, or do I need to purchase a second WIC with an Ethernet jack on it?

Ok, one more:
Will the firewall that is connected directly to the Internet be able to still pass One-to-One NAT mappings to the PCs inside the network? Or will I have to open those ports on the routers as well?

As far as the rest of it, I was thinking that would be the best route (pardon the pun) due to the lack of overhead that a VPN tunnel adds to the traffic.

Considering I don't know what an ACL is, it sounds like the 1720 is a pretty good fit, the only drawback being the fact that it is not rack mountable.

I greatly appreciate your help, and look forward to hearing back from ya!

 - Peter
scampgb Commented:
Router interfaces: You will need one interface for each "network" that the router connects directly to.

So, you will need an Ethernet port to plug into your LAN and then an interface to plug into the T1.  You said that the T1 was delivered to you in Ethernet format?
I suggest you check with your carrier exactly what format the service will be delivered in - you will then need to get a suitable interface for it.

Unfortunately I'm not familiar with US telcos, so I don't know how they'd normally be presented.  In the UK, you generally get a serial X.21 connection, which you would get a WIC-1T for.  I would guess that you'd have the same, but you will need to check with your telco.

Both the central and remote sites would be connected up the same way.

You don't need to worry about opening or closing of ports on the routers (unless you wanted to restrict certain traffic between the sites, but it's best to ignore it at present for simplicity).

As for the firewall, what you can/can't do will depend on the exact firewall.  If you've currently got it doing one-to-one NAT, then you *should* be able to do this for the remote site as well.
For example, if you currently have directly mapping to and mapping to, there's no reason why you shouldn't be able to map to
However, it's really important that you check the manual on this one :-)

As for which routers to go for - I generally prefer the 2600s, 'cos they look nicer :-)

That said, I tend to use the 1600/1700 series more 'cos they're cheaper and smaller.

Good luck!


plewis1250Author Commented:
Ok, so just to clarify:

I have 2 T1 lines at site 1, one of which is connected to the Internet via a firewall; the other is connected to site 2.

Inside the Cisco 1710 at Site 1, I should place 1 CSU/DSU for the termination of the Site2 T1. I should then connect the network of Site 1 to the Cisco 1710. Then, I should also place a second WIC in the router for connection to the firewall/Internet T1.

Or should I connect the Ethernet side of my firewall directly to my network at Site 1, and the PCs of site 1 just don't point to that firewall, they point to the Cisco 1710? The Cisco 1710 needs to then point to the firewall as its default gateway (since it is just going to pass the packets it does not handle on to the firewall/Internet).

Do I need an extra WIC with an Ethernet connection, or can I use the single Ethernet connection that is built into the router?

Once again, thank you SO much for your help.

Just to let you know, most T1s in the states are provided via an RJ-48 jack (looks just like a standard RJ-45 (Ethernet Jack))

 - Peter
scampgb Commented:
Hi Peter

Sorry, I'm a little confused over the T1 presentations here - so if you could just clarify something, I'll be able to give you a better answer :-)

The T1 that provides your Internet connection at your main site.  Is this presented to you in the form of a straightforward Ethernet port?
Is this plugged directly into your LAN at your main site?

Also, can you please let me know what "presentation" you'll be getting with your T1?  This is likely to be X.21.

Assuming that the above is the case:

Main site:
The firewall is connected to the Internet T1 and your LAN
You need to set up a Cisco 1720 with a WIC-1T card in it.  The WIC card attaches to the point-to-point T1, and the Ethernet port plugs into your LAN
The 1720 router is configured to default route to the Firewall
This router has a route to your remote office LAN
The PCs on your LAN are configured to default route to the Cisco 1720

Remote site:
You need to set up a Cisco 1720 with a WIC-1T card in it.  The WIC card attaches to the point-to-point T1, and the Ethernet port plugs into your LAN
The 1720 router is configured to default route to the Cisco router at your main site
The PCs on this LAN are configured to default route to this Cisco router.

I'm confident with the arrangement, although I'm unfamiliar with the T1 presentations you get there (I don't just mean the shape of the plug!)

Does this make sense?  
plewis1250Author Commented:
Oh I'm so sorry for the confusion.

The T1 to the Internet is presented in the form of an Ethernet port. The telco has a router that "throttles" the channels for data and voice traffic.

As with the point-to-point T1, I would have to guess that it is X.21 due to standards. I do not have that information on me, but I would say it is safe to assume this is the case.

You did answer my question! All I need is the one Ethernet port on the 1720, plugged directly into the same physical network as my PCs at the main site and plugged into the same network as the LAN side of my firewall.

I'm also assuming I will need a third subnet for the link between the routers.

I thank you so much for your help, and hope in the future I could help you with any question you may have, thanks!

 - Peter
scampgb Commented:
Hi Peter

Don't worry about confusing me - it's my natural state.
The bit about the telco/ISP providing the Internet connection as an Ethernet port makes much more sense now :-)

Your point-to-point T1 is likely to be X.21, but do check with the telco before buying anything!

You can use something called "ip unnumbered" over the serial link, but I prefer to use a small private subnet for this - it makes tracing routes easier :-)

I'm glad I could help.  Once you've got the T1 and the kit, post a question if you're having difficulty setting it up and I'll do my best to help.
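The two-router layout scampgb describes (point-to-point link inside the firewall, remote router defaulting to the main-site router, main-site router defaulting to the firewall, and a small private subnet on the serial link instead of "ip unnumbered"), written out as Cisco IOS configuration. This is an added example, not configuration from the thread. The addressing is constructed: 192.168.1.0/24 at the main site with the SonicWall LAN port at 192.168.1.1, 192.168.2.0/24 at the remote site, and 192.168.254.0/30 for the link. The serial interface is assumed to be a WIC-1DSU-T1 with its integrated CSU/DSU, which matches the RJ-48 presentation Peter mentions; with a WIC-1T and an external CSU/DSU the same configuration applies without the "service-module" lines. Interface names depend on the router model and WIC slot.

```cisco
! ===== Main site router =====
! Constructed addressing for this example; substitute your own.
hostname central-rtr
!
interface FastEthernet0
 description Main-site LAN, same segment as the SonicWall LAN port
 ip address 192.168.1.2 255.255.255.0
 ! Internet-bound packets enter and leave this interface (the next hop,
 ! the firewall, is on the same segment), so the router would send ICMP
 ! redirects to the PCs. Suppress them so all traffic stays router-routed.
 no ip redirects
 no shutdown
!
interface Serial0
 description Point-to-point T1 to remote site (WIC-1DSU-T1)
 ip address 192.168.254.1 255.255.255.252
 service-module t1 clock source line
 service-module t1 timeslots all
 no shutdown
!
! Remote LAN lives behind the far end of the link
ip route 192.168.2.0 255.255.255.0 192.168.254.2
! Everything else (the Internet) goes to the SonicWall
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! ===== Remote site router =====
hostname remote-rtr
!
interface FastEthernet0
 description Remote-site LAN
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
interface Serial0
 description Point-to-point T1 to main site (WIC-1DSU-T1)
 ip address 192.168.254.2 255.255.255.252
 service-module t1 clock source line
 service-module t1 timeslots all
 no shutdown
!
! The remote site has no other exit: send everything across the T1
ip route 0.0.0.0 0.0.0.0 192.168.254.1
```

PCs at the main site use 192.168.1.2 as their default gateway and PCs at the remote site use 192.168.2.1. The firewall reconfiguration scampgb mentions is a static route on the SonicWall for 192.168.2.0/24 via 192.168.1.2 (without it, replies from the Internet to remote-site PCs have no route back) plus NAT rules that cover the second subnet. Verify with "show ip route", "show interfaces serial 0" (look for "line protocol is up") and a ping from each router to the other's LAN address. Because the link sits inside the firewall, the remote site is fully trusted by the main site; an access-list applied to Serial0 is where site-to-site restrictions would go later, and that is the ACL load the 1720 versus 2610 comment above refers to.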

plewis1250Author Commented:
Yes, I will def. check with the telco before I purchase the routers, but like you said, it should be X.21.

I agree with using a small private subnet over the serial link, as trying to trace a route where one segment is untraceable would certainly make things less fun. ;-)

Hopefully all will go smoothly. I'll be ordering the routers on Monday, so sometime next week I'll let ya know how all is going.

Is there a way to connect two CSU/DSUs together with a cable to "simulate" the T1?

Once again, thanks for everything, you really have helped more than you could possibly imagine.

 - Peter
scampgb Commented:
Hi Peter

Good luck with it.

Although it's technically another question ;-) it is possible to connect the serial interfaces of two Cisco routers together.  I do it regularly :-)
You'll need a "DCE" cable for one of them (you would ordinarily use DTE), and you need to set the one with the DCE cable to provide a clocking signal.

You do that with the "clock rate" command on the serial interface.
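Peter's bench-test question, as an added example that is not from the thread: two 1720s with WIC-1T cards joined back-to-back. Which router is the DCE end is decided by the cable plugged into it; "show controllers serial 0" reports it, and only that side gets a "clock rate". The cable part numbers, the clock rate value and the alternative for WIC-1DSU-T1 cards are my assumptions about the hardware Peter ends up buying.

```cisco
! ---- Back-to-back serial with WIC-1T cards ----
! Smart Serial V.35 cables: CAB-SS-V35FC (DCE end) on one router,
! CAB-SS-V35MT (DTE end) on the other; the two V.35 connectors mate.
! Check which end you are on before configuring:
!   central-rtr# show controllers serial 0
!   ... DCE V.35 ...   <- this side supplies the clock
!
! DCE side (router with the FC cable)
interface Serial0
 ip address 192.168.254.1 255.255.255.252
 ! a supported clock rate close to T1 speed
 clock rate 1300000
 no shutdown
!
! DTE side (router with the MT cable, takes clock from the cable)
interface Serial0
 ip address 192.168.254.2 255.255.255.252
 no shutdown
!
! ---- Alternative if the cards are WIC-1DSU-T1 (integrated CSU/DSU) ----
! Join the two RJ-48 ports with a T1 crossover cable (pins 1,2 <-> 4,5),
! have one side generate the clock and the other recover it from the line.
!
! one end only
interface Serial0
 service-module t1 clock source internal
 service-module t1 timeslots all
!
! the other end
interface Serial0
 service-module t1 clock source line
 service-module t1 timeslots all
```

Once "show interfaces serial 0" shows "line protocol is up" on both routers and they can ping each other's link address, the same two configurations go into production unchanged apart from removing the "clock rate" (or switching the internal clock source back to "line"), since the carrier's circuit provides the clock.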