Suggested Setup For Remote Office Link

Hi
I'm a 2000 server net admin that has suddenly found myself in the situation where I need to be a "Jack of all Trades".
We currently have a two (shortly to become three) site network, linked by cisco pix firewalls and site to site ipsec vpn. So far all is well. I didn't set this up - I do administer it.
I need to set up a single pc in a remote office to connect securely into the existing network, be part of the domain, access exchange email and possibly terminal server. This pc will be on adsl broadband 512Kbps "always on" connection. I was planning on using the cisco vpn client, but we also need to provide a general low cost firewall for this pc as I don't believe that we can just use the vpn client initiating at start-up and terminating at shutdown to protect it. The chap onsite is a bit of a "build my own home server based wireless networks kind of guy" and would like to use a Linksys WAG54G Wireless ADSL Gateway to connect and provide a firewall. How reliable is this, and how easy would it be to set up? What do I need to consider and do I really need a static ip? Any recommendations for other configurations or equipment would be most welcome - although "low - cost" means "really low cost".
Thanks in advance for all replies.

Deb :))
Debsyl99Asked:
grbladesCommented:
Hi Debsyl99,
That Linksys router should work fine. There are only really two things to be careful of:-

1) Make sure his local network IP range is not what you use at work. The default Linksys range is 192.168.1.0/24 but this can be changed easily.
2) Enable the 'IPSEC Passthru' option in the Linksys web admin page in order for the VPN client to work.
0
Debsyl99Author Commented:
Hi grblades

Thanks for the quick response. We use the 192.168.1.0/24 subnet at one site, so changing it to a static internal of say 192.163.4.1 (not used elsewhere) should be ok - there's only 1 pc at this site anyway so if dhcp exists on the router, which I expect it does, I can just disable that? On connection with the vpn client he'll just pick up one of the ip's allocated from the vpn pool at the main site? Do I need to worry about NAT on this router, and do I really need a static ip or can we happily use dynamic isp allocated ip's?

Sorry - lots of questions - I think I understand the basics - just nervous as I've not done this before....



0
grbladesCommented:
Can you clarify whether you are thinking about changing the IP address range of one of your sites or the user's Linksys router?

You don't need NAT on your site routers. You will be running it on your firewall and the user's home Linksys will be running NAT.
0
Debsyl99Author Commented:
Sorry - I was only referring to the new office connection. I have no plans to change the existing internal ranges at the sites which are/will be:

192.168.0.0/24 - Head office
192.168.1.0/24 - Site1
192.168.2.0/24 - Site2 - new site to be up and running before December

Nor have I any desire to change any of the existing configs on the Pixes. The head office pix assigns ip's from a vpn pool to cisco-vpn clients that dial-in and this works fine, so have no plans to change this either.

What I need to clarify is - do I need a static public ip on the new dsl connection for just 1 pc and this linksys router? I don't think I do, but just need to check. How does NAT fit in on this new router? Presumably it will NAT from the internal single address to either a static or a dynamic public ip?

I would prefer it if this pc is only ever connected to the rest of our network when it's switched via the cisco vpn, but I don't think I can do that. (If I can, tell me.)

So:
1) When this pc is switched on I need it to be as secure as possible from intrusion via the internet hence a firewall, (except we are a healthcare providing charity so money is super tight with this, but we need to protect any locally held data on it as much as we can)
2) When the guy wants to connect to our network he just clicks on the vpn dialler, or the dialler can fire at startup and then once connected via the tunnel he then logs in.

I just need to make sure that the linksys doesn't interfere with the vpn client connection, or what to do to prevent that.

I hope that's clearer, but if you need any more info just shout,
Deb :))
0
grbladesCommented:
All that you will need to do on the Linksys router is:-
1) Change its default network from 192.168.1.1 to 192.168.10.1 (for example).
2) Enable the PPTP Passthru option.
You don't need a fixed IP address. You would only need this if you were setting up a LAN-LAN VPN connection and wanted the PIX to be able to initiate the VPN connection.

The Linksys is a NAT router and therefore unless you specifically configure it to redirect a particular port to the internal machine all connections will be denied. Therefore you don't have to install a firewall on the client machine in order to be secure.

In order for the client to connect to your LAN all he needs to do is run the Cisco client software.
0
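
An added example, not part of the original thread: a Python check of candidate remote-office LAN ranges against the site subnets listed above, since an overlapping or non-private range breaks routing through the tunnel. The VPN pool value is a constructed placeholder (the thread does not give it), and `check_remote_lan` is a hypothetical helper name.

```python
import ipaddress

# Site LANs exactly as listed in the thread.
RESERVED = {
    "Head office": "192.168.0.0/24",
    "Site1": "192.168.1.0/24",
    "Site2": "192.168.2.0/24",
    # Assumption: the thread never states the PIX VPN client pool.
    # Replace this constructed placeholder with the real pool.
    "VPN pool (placeholder)": "192.168.50.0/24",
}

# RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_remote_lan(candidate, reserved=RESERVED):
    """Return a list of problems with using `candidate` as the remote LAN.

    `candidate` may be given as a router address with prefix length,
    e.g. "192.168.10.1/24"; host bits are ignored.
    """
    net = ipaddress.ip_network(candidate, strict=False)
    problems = []
    # A LAN range outside RFC 1918 belongs to someone on the internet;
    # hosts behind the router would lose access to the real owners.
    if not any(net.subnet_of(block) for block in RFC1918):
        problems.append("not RFC 1918 private space")
    # An overlap with a corporate range makes that range look "local"
    # to the remote PC, so traffic for it never enters the tunnel.
    for name, cidr in reserved.items():
        if net.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"overlaps {name} ({cidr})")
    return problems


if __name__ == "__main__":
    # Ranges mentioned in the thread.
    for cand in ("192.168.1.1/24", "192.163.4.1/24", "192.168.10.1/24"):
        issues = check_remote_lan(cand)
        print(f"{cand:18} {'OK' if not issues else '; '.join(issues)}")
```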
Debsyl99Author Commented:
Ok great - thanks for your help

Deb :))
0