sunray_2003
asked on
How to accomplish this?
Here is the situation.
We have a point-to-point T1 connection to each of these locations (Location 1 and Location 2):
CISCO 7206
| |
| |
Location 1 Location 2
Location 1 has a CISCO 1720 and Location 2 has an Adtran 612. The reason there is an Adtran 612 in Location 2 is that they are provided both voice and data.
The question here is that we need to provide some kind of secure connection between Location 1 and Location 2. The reason is that both these locations have servers, and data synchronisation between these 2 servers needs to be done multiple times every day; let's say around 1000 files are transferred every day.
Prior to this, both locations had a VPN connection to do the file transfer. They had a DSL connection.
From a common-sense perspective, if we do a VPN connection between these 2 locations through the existing T1, would it be faster than the VPN through DSL?
SR
ASKER
Lrmoore,
To make sure that we are on the same page with respect to the connections:
7206:
--------
serial interface 1
ip address 10.10.1.1 255.255.255.252
encapsulation ppp
serial interface 2
ip address 10.10.1.5 255.255.255.252
encapsulation ppp
ip route *.*.*.8 255.255.255.252 serial 1
ip route *.*.*.12 255.255.255.252 serial 2
**************************
Location 1: 1720
interface serial 0
ip address 10.10.1.2 255.255.255.252
interface FastEthernet0
ip address *.*.*.9 255.255.255.252
no ip directed-broadcast
full-duplex
ip route 0.0.0.0 0.0.0.0 serial 0
**************************
Location 2: Adtran 612
WAN IP: 10.10.1.6
Far end IP: 10.10.1.5
LAN IP: *.*.*.13
Default gateway: 10.10.1.5
**************************
If there is any data transfer between Location 1 and Location 2, i.e. between IPs *.*.*.9 and *.*.*.13, it is going through the CISCO 7206. Just wanted to make sure again that, without any regulatory issues in play, it is still a good secure connection.
If the answer is "yes", then I need to check why they cannot do data transfer between these 2 locations.
SR
Yes. They should have full communications between them 'through' the 7206 core router.
ASKER
Customers, you know, like to hear the word "secure". So assuming they do not have HIPAA or any other regulations in play, any communications between these 2 locations, I mean data transfer, would be secure and not go through the internet.
Correct. Point-to-point data communications do not traverse the internet in any way, shape or form. It's just like an open phone line direct between the two sites. Yes, someone could climb up the telephone poles and tap in, just like they can on voice comms.
ASKER
Thanks so much.
Will open a sep question for GRE tunnelling.
ASKER
Before working on the peersync, I asked the customer to ping Location 2 from Location 1, and he cannot.
Is there something in the IP routes on my CISCO 7206 that could be affecting this?
I can ping and telnet to the Adtran router and also to the CISCO router from outside the network, i.e. from the internet. But I cannot ping or telnet to either of them from within the network. Surprising and mainly puzzling.
Any ideas?
From inside the HQ LAN connected to the 7206:
Can you ping Adtran 10.10.1.6?
Can you ping Adtran LAN a.b.c.13?
Can you ping 1720 10.10.1.2?
Can you ping 1720 LAN *.*.*.9?
On the 1720, are you sure this is the correct LAN IP subnet mask? Is there only one single device at each site?
interface FastEthernet0
ip address *.*.*.9 255.255.255.252
Does the Adtran have the correct subnet mask on the LAN interface?
Do both locations still have their own internet connections?
What is the default gateway setting on the single device there that you're trying to access?
ASKER
From inside the 7206, I can do the following:
I can ping the Adtran serial interface 10.10.1.6
Can ping the Ethernet interface of the Adtran *.*.*.13
Can ping the CISCO 1720 serial interface 10.10.1.2
Can ping the CISCO Ethernet interface *.*.*.9
At Location 1:
-----------------
CISCO 1720 <-------Linksys router ------> PC
From the PC, the customer can ping www.google.com; he is able to pull up websites fine. The only IP he cannot ping is the Ethernet interface of the Adtran, i.e. *.*.*.13. He CANNOT telnet to this IP as well.
Taking one location at a time: from the above PC, he can reach Google and other websites fine, meaning his internet connection is fine. But from that CISCO 1720, he is not able to ping Google's IP address or any external IP address.
He can ping 10.10.1.1 (which is the serial interface of the CISCO 7206 for this T1 line).
Where did the Linksys come from?
Maybe can't ping internet because of NAT rules from source address of router.
ASKER
Here is the configuration of the CISCO 1720
memory-size iomem 25
ip subnet-zero <=== not sure if this one is needed..
!
!!
interface Serial0
ip address 10.10.1.2 255.255.255.252
no ip directed-broadcast
encapsulation ppp
no fair-queue
service-module t1 timeslots 1-24
!
interface FastEthernet0
ip address *.*.*.9 255.255.255.252
no ip directed-broadcast
full-duplex
!
no ip classless
ip route 0.0.0.0 0.0.0.0 10.10.1.1
no ip http server
!
ASKER
minmei,
The Linksys router was already there at the customer location. What is surprising is that from the PC he can ping the internet, but not from inside the CISCO 1720.
Does the Linksys do NAT? Is it the default gateway for the subnet?
The 1720 pings from the serial address; it may not be in your NAT rules for outside access to the net (this is OK).
How are you putting the PC inside the 1720 and not the Linksys?
ASKER
CISCO router: IP address of Ethernet interface *.*.*.9
subnet mask: 255.255.255.252
Yes, the Linksys does the NAT.
The Linksys has the following config:
IP address *.*.*.10
subnet mask: 255.255.255.252
default gateway: *.*.*.9
>What is surprising is that from inside the PC , he can ping the internet but not from inside the CISCO 1720.
Does not surprise me at all. Apparently you have no NAT device between the 7206 at HQ and this router? Direct connection from the 7206 with public IPs on the LANs.
If you telnet to the 1720 and try to ping Google, your source IP is going to be 10.10.1.2, which obviously cannot be routed or get return traffic. Try doing a source ping using the Ethernet IP as the source.
It's no wonder the two PCs can communicate directly if they each have another router/Linksys in front of them - D'oh!
Correction -
the two PC's CANNOT communicate directly because of this linksys nat router in the middle.
If you keep things this way, the internal subnet PCs/servers will all be forced into one IP address (outside on the Linksys, *.*.*.10). You will have to use a "virtual server" rule to point ports from the inbound traffic through the Linksys to the specific servers that need to communicate.
Is there any special reason you have public IPs all the way to the sites? Can you not rearrange and use NAT on the 7206 and hide everything behind it with NAT?
ASKER
Lrmoore,
>> Does not surprise me at all. Apparently you have no NAT device between the 7206 at HQ and this router? Direct connection from 7206 with public IP's on the LAN's.
I think I get the point here. From the CISCO 1720, if I ping Google, the source IP address is 10.10.1.2 (serial interface on the CISCO 1720) and hence I do not get back a reply. Whereas from the PC, the source IP address would be *.*.*.10 (because of the NAT on the Linksys) and hence I can successfully ping Google.
If the above understanding is correct, when he pings from the PC to the Adtran LAN interface *.*.*.13, I should get back a reply, right?
Check the subnet mask for the adtran lan interface to make sure it's /30
ASKER
yes it is /30 (255.255.255.252)
He should get a reply, since *.*.*.13 will go to the Linksys,
Linksys will go to default gateway 1720
1720 has route to 10.10.1.1 as default (7206)
7206 has route (static) to *.*.*.12 out serial 2
Adtran can reach *.*.*.13 on inside interface
---------
back to PC at *.*.*.10
default gw to 10.10.1.5 (7206)
7206 has route (s) to *.*.*.8 out serial 1
1720 has interface on *.*.*.8 to Linksys
Linksys is *.*.*.10
---------
should work
Adtran def gw on outside interface is 10.10.1.5, like you said?
ASKER
OK. I changed
"no ip classless" on the CISCO 1720 to "ip classless", and now I can PING from the CISCO 1720 to the Adtran 612 and vice versa.
Now here is the first step of progress towards making that peersync work.
ASKER
I cannot ping Google from inside the Cisco, and I do not think I need to bother about that. Thanks to lrmoore for making the point clear that the source address that the Google machine is going to see would be a 10.10.*.* address.
>no ip classless in CISCO 1720
D'oh! I missed seeing that. IP classless is turned on by default, so I didn't even think to look for it.
You still have the Linksys in the way to have the peersync application work.
Does the Adtran side also have a linksys or other type router?
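As an added example (not code from this thread, Cisco or Adtran), here is a small Python model of the static routing on the 7206, the 1720 and the Adtran as posted above. It shows why "no ip classless" on the 1720 dropped traffic to the Adtran LAN while Internet-bound traffic still followed the default route, and why a ping sourced from the 1720's 10.10.1.2 serial address can get no reply (lrmoore's source-address point). The public /30s the thread masks as *.*.*.8 and *.*.*.12 are replaced with constructed 203.0.113.x addresses, and the 7206's "serial 1"/"serial 2" interface routes are modelled by their far-end PPP peer addresses.

```python
import ipaddress

# Constructed stand-in for the public /30s the thread masks as *.*.*.8 and *.*.*.12
# (203.0.113.0/24 is the TEST-NET-3 documentation range, not the customer's real block).
PUB = "203.0.113."

# Topology rebuilt from the posted configs. The 7206's "serial 1"/"serial 2" interface
# routes are modelled by their far-end PPP peer addresses (an assumption of this model).
ROUTERS = {
    "7206":   {"ifaces": ["10.10.1.1", "10.10.1.5"],
               "connected": ["10.10.1.0/30", "10.10.1.4/30"],
               "static": [(PUB + "8/30", "10.10.1.2"), (PUB + "12/30", "10.10.1.6"),
                          ("0.0.0.0/0", "internet")]},
    "1720":   {"ifaces": ["10.10.1.2", PUB + "9"],
               "connected": ["10.10.1.0/30", PUB + "8/30"],
               "static": [("0.0.0.0/0", "10.10.1.1")]},
    "adtran": {"ifaces": ["10.10.1.6", PUB + "13"],
               "connected": ["10.10.1.4/30", PUB + "12/30"],
               "static": [("0.0.0.0/0", "10.10.1.5")]},
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classful_major(ip):
    """Classful major network (A /8, B /16, C /24) that 'no ip classless' reasons about."""
    first = int(str(ip).split(".")[0])
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)

def lookup(router, dst, classless=True):
    """Longest-prefix match; returns a next hop, 'connected', or None for a drop.
    With classless=False (Cisco 'no ip classless') a destination inside a classful major
    network the router has a connected subnet of never falls to the default route: no
    matching subnet means a drop. That is what bit the 1720 before 'ip classless' was set."""
    dst = ipaddress.ip_address(dst)
    if any(dst in ipaddress.ip_network(c) for c in router["connected"]):
        return "connected"
    best = None
    for prefix, nh in router["static"]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        return None
    if best[0].prefixlen == 0 and not classless:
        known = {classful_major(ipaddress.ip_network(c).network_address) for c in router["connected"]}
        if classful_major(dst) in known:
            return None
    return best[1]

def trace(start, dst, classless=None, max_hops=8):
    """Forward hop by hop; returns (outcome, path). classless maps router name -> bool
    (default True everywhere, as on a Cisco box that has not configured 'no ip classless')."""
    path, router, classless = [start], start, classless or {}
    for _ in range(max_hops):
        nh = lookup(ROUTERS[router], dst, classless.get(router, True))
        if nh in (None, "connected", "internet"):
            return {None: "dropped", "connected": "delivered", "internet": "internet"}[nh], path
        router = next((n for n, r in ROUTERS.items() if nh in r["ifaces"]), None)
        if router is None:
            return "dropped", path
        path.append(router)
    return "loop", path

def reply_reaches(src):
    """Can an Internet host answer a ping sourced from src? Nothing NATs in front of the 1720,
    so an RFC 1918 source such as the serial 10.10.1.2 gets no reply; the public Ethernet IP does."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in RFC1918)
```

Running `trace("1720", PUB + "13", {"1720": False})` reproduces the drop on the 1720 itself, while the same call with classless left on walks 1720 -> 7206 -> adtran, which is exactly the path minmei traced.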
ASKER
Here is the situation on the Adtran side.
The Adtran is connected to the Windows 2000 server machine (which I believe has the peersync software), and this server hands out DHCP to the rest of the machines in that network.
I checked that the peersync software uses port 7333 by default, and I assume opening that port on the Linksys router at the location where the CISCO 1720 is present, and opening TCP port 7333 on the Adtran router, would make the peersync software on both ends work.
<shudder....>
I'm glad it's not my network.....
Yes, opening the appropriate ports (same on both ends?) on the [Linksys] router, forwarded to the appropriate internal host might let it work...
ASKER
>> I'm glad it's not my network.....
I know. I can see the unnecessary complexity. I will have to try port forwarding and check with the customer tomorrow.
I shuddered when I heard about the linksys.
ASKER
Hello all,
From what lrmoore said, "If you telnet to the 1720 and try to ping google, your source IP is going to be 10.10.1.2 which obviously cannot be routed or get return traffic. Try doing a source ping using the Ethernet ip as the source.", I understand that from my 1720, if I ping Google or any other IP on the internet, the return traffic cannot come back because the source IP would be a 10.10 private IP.
Do I need to add any other ip route statement, other than
ip route 0.0.0.0 0.0.0.0 serial0, to get ping replies back?
No - you can do a ping without arguments...
type ping
It will ask you a number of questions - the only ones you have to answer are the target address, the "extended commands" (answer it yes), and the source address -- the source address is the outside interface (ethernet) pointing to the internet.
ASKER
router#ping
Protocol [ip]:
Target IP address: 64.233.161.104 <=== google's IP
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.1.6 <== serial0's IP address
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 64.233.161.104, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ASKER
To make it clear, here are the connections:
**************************
7206:
--------
serial interface 2
ip address 10.10.1.5 255.255.255.252
encapsulation ppp
ip route *.*.*.12 255.255.255.252 serial 2
ip route 0.0.0.0 0.0.0.0 <public ip>
**************************
Location 1: 1720
interface serial 0
ip address 10.10.1.6
interface FastEthernet0
ip address *.*.*.9 255.255.255.252
no ip directed-broadcast
full-duplex
ip route 0.0.0.0 0.0.0.0 serial 0
**************************
I am trying to ping from the 1720 router to Google.
ASKER
Sorry , typo..
>> ip route *.*.*.12 255.255.255.252 serial 2
should be (in cisco 7206)
ip route *.*.*.8 255.255.255.252 serial 2
Pinging Google will require the source address to be inside the NAT pool.
Use the other interface address of the 1720 as the source - the *.*.*.9.
ASKER
Oh that was silly on my part to give the serial interface IP.. Thanks for the quick help...
ASKER
So technically I do not require a VPN connection between these 2 locations. So it is as simple as working with the peersync software (this is the software that is being used) between these 2 locations to make both servers work, right?
Here is a quick snapshot of their previous connections:
Connection 1:
----------------
DSL1 in Location 1
DSL2 in Location 2
VPN between these 2
Result: slow data transfer
Connection 2:
----------------
Since Connection 1 was slow, they changed to this:
Location 1 <-------T1 point to point -----------> Location 2
Location 2 had a DSL connection.
Location 1 and Location 2 shared the internet connection and email.
Result: this worked out well.
Connection 3:
---------------
Since they switched their T1 providers and got rid of DSL, here is the latest situation:
Location 1: point to point T1 #1
Location 2: point to point T1 #2
This provider cannot provide a point to point T1 between these 2 locations.
Question: if there is data transfer between Location 1 and Location 2, I assume it should be safer if it does not go through the internet.
Also, peersync software is being used for data synchronisation. Is it a matter of making this software on one server work with the same software on the other server to do the synchronisation?
SR