Debsyl99

asked on

Suggested Setup For Remote Office Link

Hi
I'm a 2000 server net admin that has suddenly found myself in the situation where I need to be a "Jack of all Trades".
We currently have a two (shortly to become three) site network, linked by cisco pix firewalls and site to site ipsec vpn. So far all is well. I didn't set this up - I do administer it.
I need to set up a single pc in a remote office to connect securely into the existing network, be part of the domain, access exchange email and possibly terminal server. This pc will be on adsl broadband 512Kbps "always on" connection. I was planning on using the cisco vpn client, but we also need to provide a general low cost firewall for this pc as I don't believe that we can just use the vpn client initiating at start-up and terminating at shutdown to protect it. The chap onsite is a bit of a "build my own home server based wireless networks kind of guy" and would like to use a Linksys WAG54G Wireless ADSL Gateway to connect and provide a firewall. How reliable is this, and how easy would it be to set up? What do I need to consider and do I really need a static ip? Any recommendations for other configurations or equipment would be most welcome - although "low - cost" means "really low cost".
Thanks in advance for all replies.

Deb :))
grblades

Hi Debsyl99,
That Linksys router should work fine. There are only really two things to be careful of:

1) Make sure his local network IP range is not what you use at work. The default Linksys range is 192.168.1.0/24 but this can be changed easily.
2) Enable the 'IPSEC Passthru' option in the Linksys web admin page in order for the VPN client to work.
Debsyl99

ASKER

Hi grblades

Thanks for the quick response. We use the 192.168.1.0/24 subnet at one site, so changing it to a static internal of say 192.163.4.1 (not used elsewhere) should be ok - there's only 1 pc at this site anyway so if dhcp exists on the router, which I expect it does, I can just disable that? On connection with the vpn client he'll just pick up one of the ip's allocated from the vpn pool at the main site? Do I need to worry about NAT on this router, and do I really need a static ip or can we happily use dynamic isp allocated ip's?

Sorry - lots of questions - I think I understand the basics - just nervous as I've not done this before....



Can you clarify whether you are thinking about changing the IP address range of one of your sites or the user's Linksys router?

You don't need NAT on your site routers. You will be running it on your firewall and the user's home Linksys will be running NAT.
Sorry - I was only referring to the new office connection. I have no plans to change the existing internal ranges at the sites which are/will be:

192.168.0.0/24 - Head office
192.168.1.0/24 - Site1
192.168.2.0/24 - Site2 - new site to be up and running before December

Nor have I any desire to change any of the existing configs on the Pixes. The head office pix assigns ip's from a vpn pool to cisco-vpn clients that dial-in and this works fine, so have no plans to change this either.

What I need to clarify is - do I need a static public ip on the new dsl connection for just 1 pc and this linksys router? I don't think I do, but just need to check. How does NAT fit in on this new router? Presumably it will NAT from the internal single address to either a static or a dynamic public ip?

I would prefer it if this pc is only ever connected to the rest of our network when it's switched via the cisco vpn, but I don't think I can do that. (If I can tell me)

So:
1) When this pc is switched on I need it to be as secure as possible from intrusion via the internet hence a firewall, (except we are a healthcare providing charity so money is super tight with this, but we need to protect any locally held data on it as much as we can)
2) When the guy wants to connect to our network he just clicks on the vpn dialler, or the dialler can fire at startup and then once connected via the tunnel he then logs in.

I just need to make sure that the linksys doesn't interfere with the vpn client connection, or what to do to prevent that.

I hope that's clearer, but if you need any more info just shout,
Deb :))
ASKER CERTIFIED SOLUTION
grblades

This solution is only available to members.

Ok great - thanks for your help

Deb :))
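
The address-range check from grblades' point 1, as an added example that is not part of the original thread: it tests a candidate LAN range for the remote Linksys against the three site subnets listed above and also confirms the range is private (RFC 1918) space. The function name and the candidate values are constructed for illustration; the VPN client pool is not given in the thread, so add it to the reserved list before relying on the result.

```python
import ipaddress

# Site ranges as listed in the thread. The head-office VPN client pool is
# not stated there; add it here (assumption: it is also a reserved range).
SITE_SUBNETS = {
    "Head office": "192.168.0.0/24",
    "Site1": "192.168.1.0/24",
    "Site2": "192.168.2.0/24",
}

# RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_remote_lan(candidate, reserved=SITE_SUBNETS):
    """Return a list of problems with using `candidate` as the remote LAN.

    `candidate` may be a network ("192.168.4.0/24") or a router address
    with its mask ("192.168.4.1/24"); host bits are ignored.
    """
    lan = ipaddress.ip_network(candidate, strict=False)
    problems = []
    # An overlap makes the remote PC treat corporate hosts as local,
    # so traffic for them never enters the VPN tunnel.
    for name, cidr in reserved.items():
        if lan.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"overlaps {name} ({cidr})")
    # A LAN range outside RFC 1918 shadows real internet addresses.
    if not any(lan.subnet_of(block) for block in RFC1918):
        problems.append("not inside an RFC 1918 private range")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the Linksys default, an unused private /24,
    # a range outside private space, and an over-wide mask.
    for cand in ("192.168.1.1/24", "192.168.4.1/24",
                 "192.163.4.1/24", "192.168.0.0/16"):
        issues = check_remote_lan(cand)
        print(f"{cand:18} {'OK' if not issues else '; '.join(issues)}")
```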