Solved

How to accomplish this?

Posted on 2005-03-31
Medium Priority
786 Views
Last Modified: 2007-12-19
Here is a situation.

We have a point-to-point T1 connection to each of these locations (Location 1 and Location 2):

      CISCO  7206
      |              |
      |              |
 Location 1    Location 2

Location 1 has got a CISCO 1720 and Location 2 has got an Adtran 612. The reason there is an Adtran 612 in Location 2 is that they are provided both voice and data.

The question here is, we need to provide some kind of secure connection between Location 1 and Location 2. The reason is that both these locations have got servers, and data synchronisation between these 2 servers needs to be done multiple times every day. Let's say around 1000 files are being transferred every day.

Prior to this, both locations had a VPN connection to do the file transfer. They had a DSL connection.

From a commonsense perspective, if we do a VPN connection between these 2 locations through the existing T1, would it be faster than the VPN through DSL?

SR

0
Question by:sunray_2003
39 Comments
 
LVL 7

Accepted Solution

by:
minmei earned 1000 total points
ID: 13671331
If you have a point-to-point line, it's already secure. The old solution needed a VPN because the traffic flowed over the internet.

If the traffic for the file transfer flows both ways, it will probably be faster over the point-to-point links. T1 is symmetric (1.5 Mbps each way), whereas most DSL is not (upload speed less or much less than download speed).

0
 
LVL 49

Author Comment

by:sunray_2003
ID: 13671480
Thanks.

So technically I do not require a VPN connection between these 2 locations. So it is as simple as working with the peersync software (this is the software that is being used) between these 2 locations to make both servers work, right?

Here is a quick snapshot of their previous connections

Connection 1:
----------------

DSL1 in Location 1
DSL2 in Location 2
VPN between these 2  
Result : Slow data transfer

Connection 2:
----------------
Since Connection 1 was slow, they changed to this:

Location 1  <-------T1 point to point -----------> Location 2.
Location 2 had got a DSL connection.
Location 1 and Location 2 shared the internet connection and email.
Result: This worked out well.

Connection 3:
---------------
Since they switched their T1 providers and got rid of DSL, here is the latest situation:

Location 1 : point to point T1 #1
Location 2 : point to point T1 #2
This provider cannot provide a point to point T1 between these 2 locations.

Question: If there is data transfer between Location 1 and Location 2, I assume it should be safer if it does not go through the internet.
Also, peersync software is being used for data synchronisation. Is it a matter of making this software on one server work with the same software on the other server to do the synchronization?

SR
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 1000 total points
ID: 13671530
> technically I donot require a VPN connection
Perhaps technically you don't, but regulatory issues may mandate it: HIPAA, GLB, SOX, depending on the type/sensitivity of the data.

That said, as long as you're routing on the 7206 in the middle, they should have full connectivity between them today.
There is an alternative: set up a GRE tunnel between site 1 and 2 so that it "appears" to have a direct point to point connection. You can always add IPsec encryption to the GRE tunnel if it becomes mandated.
0
 
LVL 49

Author Comment

by:sunray_2003
ID: 13671742
Lrmoore,

To make sure that we are on the same page with respect to the connections:

7206:
--------

serial interface 1
ip address 10.10.1.1  255.255.255.252
encapsulation ppp

serial interface 2
ip address 10.10.1.5  255.255.255.252
encapsulation ppp

ip route  *.*.*.8 255.255.255.252 serial 1
ip route *.*.*.12 255.255.255.252 serial 2

*****************************************
Location 1 : got 1720  

interface serial 0
ip address 10.10.1.2

interface FastEthernet0
 ip address *.*.*.9 255.255.255.252
 no ip directed-broadcast
 full-duplex

ip route 0.0.0.0 0.0.0.0 serial 0
*****************************************
Location 2 : Adtran 612

WAN IP : 10.10.1.6
Far end IP : 10.10.1.5

LAN IP : *.*.*.13
Default gateway : 10.10.1.5

*****************************************
If there is any data transfer between location 1 and location 2, i.e. between IPs *.*.*.9 and *.*.*.13, it is going through the CISCO 7206. Just wanted to make sure again that, regulatory issues aside, it is still a good secure connection.

If the answer is "yes", then I need to check why they cannot do data transfer between these 2 locations.

SR

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13671862
Yes. They should have full communications between them 'through' the 7206 core router.
0
 
LVL 49

Author Comment

by:sunray_2003
ID: 13671902
Customers, you know, like to hear the word "secure". So assuming they do not have HIPAA or any other regulations in play, any communications between these 2 locations, I mean data transfer, would be secure and not through the internet.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13671952
Correct. Point to point data communications do not traverse the internet in any way, shape or form. It's just like an open phone line direct between the two sites. Yes, someone could climb up the telephone poles and tap in, just like they can on voice comms.
0
 
LVL 49

Author Comment

by:sunray_2003
ID: 13671985
Thanks so much.
Will open a separate question for GRE tunnelling.
0
 
LVL 49

Author Comment

by:sunray_2003
ID: 13673997
Before working on the peersync, I asked the customer to ping location 2 from location 1 and he cannot.

Is there something in the IP route in my CISCO 7206 that could be affecting this?

I can ping and telnet to the Adtran router and also to the CISCO router from outside the network, i.e. from the internet. But I cannot ping or telnet to either of them from within the network. Surprising and mainly puzzling.

Any ideas?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13674056
From inside the HQ - LAN connected to 7206.
Can you ping Adtran 10.10.1.6 ?
Can you ping Adtran LAN a.b.c.13 ?
Can you ping 1720 10.10.1.2 ?
Can you ping 1720 LAN  *.*.*.9 ?

On 1720, are you sure this is the correct LAN IP subnet mask? Is there only one single device at each site?

interface FastEthernet0
 ip address *.*.*.9 255.255.255.252

Does Adtran have the correct subnet mask on the LAN interface?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13674083
Do both locations still have their own internet connections?
What is the default gateway setting on the single device there that you're trying to access?
0
 
LVL 49

Author Comment

by:sunray_2003
ID: 13674226
From inside the 7206, I can do the following

I can ping Adtran serial interface 10.10.1.6
Can ping ethernet interface of Adtran *.*.*.13
Can ping CISCO 1720 serial interface 10.10.1.2
Can ping CISCO ethernet interface *.*.*.9

At location 1 :
-----------------

CISCO 1720  <-------Linksys router ------> PC
From the PC, the customer can ping www.google.com; he is able to pull up websites fine. The only IP he cannot ping is the ethernet interface of the Adtran, i.e. *.*.*.13. He CANNOT telnet to this IP as well.

Taking one location at a time: from the above PC, he can check Google and other websites fine, meaning his internet connection is fine. But from that CISCO 1720, he is not able to ping Google's IP address or any external IP address.
He can ping 10.10.1.1 (which is the serial interface of the CISCO 7206 for this T1 line).

0
 
LVL 7

Expert Comment

by:minmei
ID: 13674262
Where did the Linksys come from?

Maybe it can't ping the internet because of NAT rules and the source address of the router.
0
 
LVL 49

Author Comment

by:sunray_2003
ID: 13674269
Here is the configuration of the CISCO 1720

memory-size iomem 25
ip subnet-zero   <=== not sure if this one is needed..
!
!!
interface Serial0
 ip address 10.10.1.2 255.255.255.252
 no ip directed-broadcast
 encapsulation ppp
 no fair-queue
 service-module t1 timeslots 1-24
!
interface FastEthernet0
 ip address *.*.*.9 255.255.255.252
 no ip directed-broadcast
 full-duplex
!
no ip classless
ip route 0.0.0.0 0.0.0.0 10.10.1.1
no ip http server
!
0
 
LVL 49

Author Comment

by:sunray_2003
ID: 13674280
minmei ,

The linksys router was already there at the customer location. What is surprising is that from inside the PC, he can ping the internet but not from inside the CISCO 1720.
0
 
LVL 7

Expert Comment

by:minmei
ID: 13674302
Does the linksys do NAT? Is it the default gateway for the subnet?
0
 
LVL 7

Expert Comment

by:minmei
ID: 13674321
The 1720 pings from the serial address; it may not be in your NAT rules for outside access to the net (this is ok).

How are you putting the PC inside the 1720 and not the linksys?

0
 
LVL 49

Author Comment

by:sunray_2003
ID: 13674324
CISCO router : IP address of Ethernet interface *.*.*.9
                      subnet mask : 255.255.255.252

Yes, the linksys does the NAT.
The linksys has the following config:

IP address *.*.*.10
subnet mask : 255.255.255.252
default gateway : *.*.*.9

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13674332
>What is surprising is that from inside the PC , he can ping the internet but not from inside the CISCO 1720.
Does not surprise me at all. Apparently you have no NAT device between the 7206 at HQ and this router? Direct connection from 7206 with public IP's on the LAN's.
If you telnet to the 1720 and try to ping google, your source IP is going to be 10.10.1.2 which obviously cannot be routed or get return traffic. Try doing a source ping using the Ethernet ip as the source.

It's no wonder the two PC's can communicate directly if they each have another router/Linksys in front of them - D'oh!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13674345
Correction -
the two PC's CANNOT communicate directly because of this linksys nat router in the middle.
0
 
LVL 7

Expert Comment

by:minmei
ID: 13674386
If you keep things this way, the internal subnet PC's/Servers will all be forced into one ip address (outside on the linksys *.*.*.10). You will have to use a "virtual server" rule to point ports from the inbound traffic thru the linksys to the specific servers that need to communicate.

Is there any special reason you have public IP's all the way to the sites? Can you not rearrange and use NAT on the 7206 and hide everything behind it with NAT?
0
 
LVL 49

Author Comment

by:sunray_2003
ID: 13674536
Lrmoore,

>> Does not surprise me at all. Apparently you have no NAT device between the 7206 at HQ and this router? Direct connection from 7206 with public IP's on the LAN's.

I think I get the point here. From the CISCO 1720, if I ping Google, the source IP address is 10.10.1.2 (serial interface on the CISCO 1720) and hence I do not get back a reply. Whereas, from the PC, the source IP address would be *.*.*.10 (because of the NAT of the linksys) and hence I can successfully ping Google.

If the above understanding is correct, when he pings from the PC to the Adtran LAN interface *.*.*.13, I should get back a reply, right?
0
 
LVL 7

Expert Comment

by:minmei
ID: 13674905
Check the subnet mask for the adtran lan interface to make sure it's /30
0
 
LVL 49

Author Comment

by:sunray_2003
ID: 13674914
yes it is /30  (255.255.255.252)

0
 
LVL 7

Expert Comment

by:minmei
ID: 13674973
He should get a reply, since *.*.*.13 will go to the linksys,

linksys will go to default gateway 1720

1720 has route to 10.10.1.1 as default (7206)

7206 has route (static) to *.*.*.12 out serial 2

adtran can reach *.*.*.13 on inside interface
---------

back to pc at *.*.*.10

default gw to 10.10.1.5 (7206)

7206 has route (s) to *.*.*.8 out serial 1

1720 has interface on *.*.*.8 to linksys

linksys is *.*.*.10
---------

should work

Adtran def gw on outside interface is 10.10.1.5, like you said?
0
 
LVL 49

Author Comment

by:sunray_2003
ID: 13675073
OK.. I changed "no ip classless" in the CISCO 1720 to "ip classless" and now I can PING from the CISCO 1720 to the Adtran 602 and vice versa.

Now here is the first step of progress towards making that peersync work.
0
 
LVL 49

Author Comment

by:sunray_2003
ID: 13675096
I cannot ping Google from inside the Cisco and I do not think I need to bother about that. Thanks to lrmoore for making the point clear that the source address that the Google machine is going to see would be a 10.10.*.* address.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13676244
>no ip classless in  CISCO 1720
D'oh! I missed seeing that. IP classless is turned on by default, so I didn't even think to look for it.

You still have the Linksys in the way to have the peersync application work.
Does the Adtran side also have a linksys or other type router?
0
 
LVL 49

Author Comment

by:sunray_2003
ID: 13676732
Here is the situation on the Adtran side.

The Adtran is connected to the Windows 2000 server machine (which I believe has got the peersync software) and this server gives out DHCP to the rest of the machines in that network.

I checked that the peersync software uses port 7333 as default, and I assume opening that port on the linksys router in the location where the CISCO 1720 is present, and opening TCP port 7333 on the Adtran router, would make the peersync software on both ends work.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13676777
<shudder....>
I'm glad it's not my network.....
Yes, opening the appropriate ports (same on both ends?) on the [Linksys] router, forwarded to the appropriate internal host might let it work...
0
 
LVL 49

Author Comment

by:sunray_2003
ID: 13676792
>> I'm glad it's not my network.....

I know. I can see the unnecessary complexity. I would have to try port forwarding and check with the customer tomorrow.
0
 
LVL 7

Expert Comment

by:minmei
ID: 13676983
I shuddered when I heard about the linksys.
0
 
LVL 49

Author Comment

by:sunray_2003
ID: 13852005
Hello all ,

From what lrmoore said ("If you telnet to the 1720 and try to ping google, your source IP is going to be 10.10.1.2 which obviously cannot be routed or get return traffic. Try doing a source ping using the Ethernet ip as the source."), I understand that from my 1720, if I ping Google or any other IP on the internet, the return traffic cannot come back as the source IP would be a 10.10 private IP.

Do I need to add any other ip route statement other than
ip route 0.0.0.0 0.0.0.0 serial0 to get ping replies back?
0
 
LVL 7

Expert Comment

by:minmei
ID: 13852073
No - you can do a ping without arguments.

Type ping

It will ask you a number of questions; the only ones you have to answer are the target address, the "extended commands" (answer yes), and the source address. The source address is the outside interface (Ethernet) pointing to the internet.
0
 
LVL 49

Author Comment

by:sunray_2003
ID: 13852118
router#ping
Protocol [ip]:
Target IP address: 64.233.161.104  <=== google's IP
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.1.6  <== serial0's IP address
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 64.233.161.104, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


0
 
LVL 49

Author Comment

by:sunray_2003
ID: 13852129
To make it clear, here are the connections:

***************************
7206:
--------

serial interface 2
ip address 10.10.1.5  255.255.255.252
encapsulation ppp

ip route *.*.*.12 255.255.255.252 serial 2
ip route 0.0.0.0 0.0.0.0  <public ip>
*****************************************
Location 1 : got 1720  

interface serial 0
ip address 10.10.1.6

interface FastEthernet0
 ip address *.*.*.9 255.255.255.252
 no ip directed-broadcast
 full-duplex

ip route 0.0.0.0 0.0.0.0 serial 0
******************************************

I am trying to ping from 1720 router to google..  
0
 
LVL 49

Author Comment

by:sunray_2003
ID: 13852132
Sorry , typo..

>> ip route *.*.*.12 255.255.255.252 serial 2

should be (in cisco 7206)

ip route *.*.*.8 255.255.255.252 serial 2
0
 
LVL 7

Expert Comment

by:minmei
ID: 13853264
Pinging Google will require the source address being inside the NAT pool.

Use the other interface address of the 1720 as the source - the *.*.*.9.

0
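Two findings in this thread lend themselves to a small model: the "no ip classless" line that stopped the 1720 from using its default route for the Adtran LAN (*.*.*.13), and the source-address point that a ping sourced from the 10.10.1.x serial address never gets its reply back from the internet. The Python below is an added illustration written for this page, not code from the thread, from Cisco, or from PeerSync. It reuses the 1720's posted routes and the 10.10.1.x serial addresses; the public block the thread masks as *.*.*.8/30 is replaced by the constructed documentation range 203.0.113.0/24, and the function names (lookup, reply_can_return, ping_from_1720) are my own.

```python
import ipaddress

# Constructed stand-in for the masked public LAN (*.*.*.8/30 on the page); the 10.10.1.x
# addresses and the three routes are the ones posted for the 1720 in this thread.
ROUTES_1720 = [
    ("10.10.1.0/30", "Serial0"),          # connected: the T1 toward the 7206
    ("203.0.113.8/30", "FastEthernet0"),  # connected: the Location 1 LAN (*.*.*.8/30)
    ("0.0.0.0/0", "10.10.1.1"),           # static default toward the 7206
]

# RFC 1918 space is never routed on the public internet; checked explicitly rather than via
# ipaddress.is_private, which also flags the 203.0.113.0/24 documentation block.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classful_major(addr: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    """Classful (A/B/C) major network that IOS groups subnets under with 'no ip classless'."""
    first_octet = int(addr) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def lookup(dest: str, routes, classless: bool):
    """Next hop / outgoing interface for dest, or None when the router would drop the packet.

    Longest-prefix match first. With classless=False (the 1720's original config) the default
    route is used only if the router knows *no* subnet of the destination's major network; if it
    knows some subnets of that network but none match, the packet is dropped (classful rule).
    """
    dst = ipaddress.ip_address(dest)
    table = [(ipaddress.ip_network(p), nh) for p, nh in routes]
    best = max((r for r in table if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
    if best is None:
        return None
    if best[0].prefixlen == 0 and not classless:
        major = classful_major(dst)
        if any(n.prefixlen > 0 and n.subnet_of(major) for n, _ in table):
            return None  # e.g. *.*.*.13: same class C as the *.*.*.8/30 LAN, no matching subnet
    return best[1]


def reply_can_return(source: str) -> bool:
    """Whether an internet host's echo reply can be routed back to `source`.

    The outbound packet leaves the 1720 fine either way; it is the reply to a 10.10.1.x source
    that has nowhere to go, which is why the extended ping must use the Ethernet address.
    """
    src = ipaddress.ip_address(source)
    return not any(src in n for n in RFC1918)


def ping_from_1720(dest: str, source: str, classless: bool = True):
    """Model of 'ping <dest>' from the 1720 with a chosen source: (next hop, reply arrives?)."""
    nh = lookup(dest, ROUTES_1720, classless)
    if nh is None:
        return None, False
    return nh, reply_can_return(source)


if __name__ == "__main__":
    # The thread's findings, in order: the classless fix, then the source-address choice.
    print(lookup("203.0.113.13", ROUTES_1720, classless=False))   # None -> dropped by 'no ip classless'
    print(lookup("203.0.113.13", ROUTES_1720, classless=True))    # 10.10.1.1 -> reaches the 7206
    print(ping_from_1720("64.233.161.104", "10.10.1.2"))          # ('10.10.1.1', False)
    print(ping_from_1720("64.233.161.104", "203.0.113.9"))        # ('10.10.1.1', True)
```

Running it reproduces the two outcomes seen above: with classless forwarding off, the only route matching *.*.*.13 is the default, but because the 1720 already holds a subnet of that same class C network (its own *.*.*.8/30 LAN) the classful rule discards the packet instead of using the default; turning "ip classless" on restores the default route lookup. The second pair shows that the forward route to Google is identical for both pings, and only the source address decides whether a reply can come back.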
 
LVL 49

Author Comment

by:sunray_2003
ID: 13853292
Oh that was silly on my part to give the serial interface IP.. Thanks for the quick help...  
0
