  • Status: Solved
  • Priority: Medium
  • Security: Public
Suggested Setup For Remote Office Link

Hi
I'm a 2000 server net admin that has suddenly found myself in the situation where I need to be a "Jack of all Trades".
We currently have a two (shortly to become three) site network, linked by cisco pix firewalls and site to site ipsec vpn. So far all is well. I didn't set this up - I do administer it.
I need to set up a single pc in a remote office to connect securely into the existing network, be part of the domain, access exchange email and possibly terminal server. This pc will be on adsl broadband 512Kbps "always on" connection. I was planning on using the cisco vpn client, but we also need to provide a general low cost firewall for this pc as I don't believe that we can just use the vpn client initiating at start-up and terminating at shutdown to protect it. The chap onsite is a bit of a "build my own home server based wireless networks kind of guy" and would like to use a Linksys WAG54G Wireless ADSL Gateway to connect and provide a firewall. How reliable is this, and how easy would it be to set up? What do I need to consider and do I really need a static ip? Any recommendations for other configurations or equipment would be most welcome - although "low - cost" means "really low cost".
Thanks in advance for all replies.

Deb :))
Debsyl99
Asked:
1 Solution
 
grblades Commented:
Hi Debsyl99,
That Linksys router should work fine. There are only really two things to be careful of:-

1) Make sure his local network IP range is not what you use at work. The default Linksys range is 192.168.1.0/24 but this can be changed easily.
2) Enable the 'IPSEC Passthru' option in the Linksys web admin page in order for the VPN client to work.
 
Debsyl99 (Author) Commented:
Hi grblades

Thanks for the quick response. We use the 192.168.1.0/24 subnet at one site, so changing it to a static internal of say 192.163.4.1 (not used elsewhere) should be ok - there's only 1 pc at this site anyway so if dhcp exists on the router, which I expect it does, I can just disable that? On connection with the vpn client he'll just pick up one of the ip's allocated from the vpn pool at the main site? Do I need to worry about NAT on this router, and do I really need a static ip or can we happily use dynamic isp allocated ip's?

Sorry - lots of questions - I think I understand the basics - just nervous as I've not done this before....
 
grblades Commented:
Can you clarify whether you are thinking about changing the IP address range of one of your sites or the user's Linksys router?

You don't need NAT on your site routers. You will be running it on your firewall and the user's home Linksys will be running NAT.
 
Debsyl99 (Author) Commented:
Sorry - I was only referring to the new office connection. I have no plans to change the existing internal ranges at the sites which are/will be:

192.168.0.0/24 - Head office
192.168.1.0/24 - Site1
192.168.2.0/24 - Site2 - new site to be up and running before December

Nor have I any desire to change any of the existing configs on the Pixes. The head office pix assigns ip's from a vpn pool to cisco-vpn clients that dial-in and this works fine, so have no plans to change this either.

What I need to clarify is - do I need a static public ip on the new dsl connection for just 1 pc and this linksys router? I don't think I do, but just need to check. How does NAT fit in on this new router? Presumably it will NAT from the internal single address to either a static or a dynamic public ip?

I would prefer it if this pc is only ever connected to the rest of our network when it's switched via the cisco vpn, but I don't think I can do that. (If I can tell me)

So:
1) When this pc is switched on I need it to be as secure as possible from intrusion via the internet hence a firewall, (except we are a healthcare providing charity so money is super tight with this, but we need to protect any locally held data on it as much as we can)
2) When the guy wants to connect to our network he just clicks on the vpn dialler, or the dialler can fire at startup and then once connected via the tunnel he then logs in.

I just need to make sure that the linksys doesn't interfere with the vpn client connection, or what to do to prevent that.

I hope that's clearer, but if you need any more info just shout,
Deb :))
 
grblades Commented:
All that you will need to do on the Linksys router is:-
1) Change its default network from 192.168.1.1 to 192.168.10.1 (for example).
2) Enable the PPTP Passthru option.
You don't need a fixed IP address. You would only need this if you were setting up a LAN-LAN VPN connection and wanted the PIX to be able to initiate the VPN connection.

The Linksys is a NAT router and therefore unless you specifically configure it to redirect a particular port to the internal machine all connections will be denied. Therefore you don't have to install a firewall on the client machine in order to be secure.

In order for the client to connect to your LAN all he needs to do is run the Cisco client software.
 
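The addressing check behind the advice in this thread, as an added example that is not part of the original posts: it tests a proposed LAN address for the remote Linksys against the three site subnets listed above and against RFC 1918 private space. The function name `check_remote_lan` and the optional `vpn_pool` argument are hypothetical; the thread does not give the PIX VPN pool range, so none is assumed by default.

```python
import ipaddress

# Site LANs as listed in the thread.
SITE_NETS = {
    "Head office": ipaddress.ip_network("192.168.0.0/24"),
    "Site1": ipaddress.ip_network("192.168.1.0/24"),
    "Site2": ipaddress.ip_network("192.168.2.0/24"),
}

# RFC 1918 private ranges; a LAN behind a NAT router should sit inside one.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_remote_lan(router_ip, prefix_len=24, vpn_pool=None):
    """Return a list of problems with using router_ip/prefix_len as the
    remote office LAN. An empty list means no conflict was found."""
    # strict=False lets us pass the router's own address (host bits set).
    lan = ipaddress.ip_network(f"{router_ip}/{prefix_len}", strict=False)
    problems = []

    if not any(lan.subnet_of(p) for p in RFC1918):
        problems.append(f"{lan} is not RFC 1918 private space")

    # If the local LAN overlaps a site subnet, the VPN client cannot tell
    # local hosts (including its own gateway) from hosts behind the tunnel.
    for name, net in SITE_NETS.items():
        if lan.overlaps(net):
            problems.append(f"{lan} overlaps {name} ({net})")

    # Optional: the pool the head-office PIX hands to VPN clients
    # (not stated in the thread, so the caller must supply it).
    if vpn_pool is not None:
        pool = ipaddress.ip_network(vpn_pool)
        if lan.overlaps(pool):
            problems.append(f"{lan} overlaps VPN pool ({pool})")

    return problems


if __name__ == "__main__":
    # Router addresses mentioned in the thread.
    for candidate in ("192.168.1.1", "192.163.4.1", "192.168.10.1"):
        issues = check_remote_lan(candidate)
        print(candidate, "->", issues or "OK")
```
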
Debsyl99 (Author) Commented:
Ok great - thanks for your help

Deb :))