• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 812

How to accomplish this?

Here is a situation.

We have a point-to-point T1 connection to each of these locations (Location 1 and Location 2):

      CISCO 7206
       |         |
       |         |
 Location 1   Location 2

Location 1 has got a CISCO 1720 and Location 2 has got an Adtran 612. The reason why there is an Adtran 612 in Location 2 is because they are provided both voice and data.

The question here is, we need to provide some kind of secure connection between Location 1 and Location 2. The reason is that both these locations have got servers and data synchronisation between these 2 servers needs to be done multiple times every day.. Let's say around 1000 files being transferred every day.

Prior to this, both locations had a VPN connection to do the file transfer. They had a DSL connection.

From a common-sense perspective, if we do a VPN connection between these 2 locations through the existing T1, would it be faster than the VPN through DSL?

SR

sunray_2003
Asked:
2 Solutions
 
minmeiCommented:
If you have a point-to-point line, it's already secure. The old solution needed a VPN because the traffic flowed over the internet.

If the traffic for the file transfer flows both ways, it will probably be faster over the point-to-point links. T1 is symmetric (1.5Mbps each way) where most DSL is not (upload speed less or much less than download speed).

0
 
sunray_2003Author Commented:
Thanks.

So technically I do not require a VPN connection between these 2 locations. So it is as simple as working with the peersync software (this is the software that is being used) between these 2 locations to make both servers work.. Right?

Here is a quick snapshot of their previous connections

Connection 1:
----------------

DSL1 in Location 1
DSL2 in Location 2
VPN between these 2  
Result : Slow data transfer

Connection 2:
----------------
Since Connection 1 was slow , they changed to this

Location 1  <-------T1 point to point -----------> Location 2.
Location 2 had got a DSL connection..
Location 1 and Location 2 shared the internet connection and email.
Result: This worked out good.

Connection 3:
---------------
Since they switched their T1 providers and got rid of DSL, here is the latest situation

Location 1 : point to point T1 #1
Location 2 : point to point T1 #2
This provider cannot provide a point to point T1 between these 2 locations ..

Question: If there is data transfer between Location 1 and Location 2, I assume it should be safer if it does not go through the internet.
Also, peersync software is being used for data synchronisation. Is that a matter of making this software on one server work with the same software on the other server to do the synchronisation?

SR
0
 
lrmooreCommented:
> technically I donot require a VPN connection
Perhaps technically you don't, but regulatory issues may mandate it: HIPAA, GLB, SOX, depending on the type/sensitivity of the data.

That said, as long as you're routing on the 7206 in the middle, they should have full connectivity between them today.
There is an alternative: set up a GRE tunnel between site 1 and 2 so that it "appears" to have a direct point-to-point connection. You can always add IPsec encryption to the GRE tunnel if it becomes mandated.
0
 
sunray_2003Author Commented:
Lrmoore,

To make sure that we are the same page with respect to the connections ..

7206:
--------

serial interface 1
ip address 10.10.1.1  255.255.255.252
encapsulation ppp

serial interface 2
ip address 10.10.1.5  255.255.255.252
encapsulation ppp

ip route  *.*.*.8 255.255.255.252 serial 1
ip route *.*.*.12 255.255.255.252 serial 2

*****************************************
Location 1 : got 1720  

interface serial 0
ip address 10.10.1.2

interface FastEthernet0
 ip address *.*.*.9 255.255.255.252
 no ip directed-broadcast
 full-duplex

ip route 0.0.0.0 0.0.0.0 serial 0
*****************************************
Location 2 : Adtran 612

WAN IP : 10.10.1.6
Far end IP : 10.10.1.5

LAN IP : *.*.*.13
Default gateway : 10.10.1.5

*****************************************
If there is any data transfer between Location 1 and Location 2, i.e. between IPs *.*.*.9 and *.*.*.13, it is going through the CISCO 7206.. Just wanted to make sure again that, without any regulatory issues, it is still a good secure connection.

If the answer is "yes", then I need to check why they cannot do data transfer between these 2 locations.

SR

0
 
lrmooreCommented:
Yes. They should have full communications between them 'through' the 7206 core router.
0
 
sunray_2003Author Commented:
Customers, you know, like to hear the word "secure".. So assuming they do not have any HIPAA or any other regulations in play, any communications between these 2 locations, I mean data transfer, would be secure and not through the internet..
0
 
lrmooreCommented:
Correct. Point-to-point data communications do not traverse the internet in any way, shape or form. It's just like an open phone line direct between the two sites. Yes, someone could climb up the telephone poles and tap in, just like they can on voice comms.
0
 
sunray_2003Author Commented:
Thanks so much.
Will open a separate question for GRE tunnelling.
0
 
sunray_2003Author Commented:
Before working on the peersync, I asked the customer to ping the location 2 from location 1 and he cannot.

Is there something in the IP route in my CISCO 7206 that could be affecting this ?

I can ping and telnet to the Adtran router and also to the CISCO router from outside the network, i.e. from the internet.. But I cannot ping or telnet to either of them from within the network.. Surprising and mainly puzzling..

Any ideas ?
0
 
lrmooreCommented:
From inside the HQ - LAN connected to 7206.
Can you ping Adtran 10.10.1.6 ?
Can you ping Adtran LAN a.b.c.13 ?
Can you ping 1720 10.10.1.2 ?
Can you ping 1720 LAN  *.*.*.9 ?

On 1720, are you sure this is the correct LAN IP subnet mask? Is there only one single device at each site?

interface FastEthernet0
 ip address *.*.*.9 255.255.255.252

Does Adtran have the correct subnet mask on the LAN interface?
0
 
lrmooreCommented:
Do both locations still have their own internet connections?
What is the default gateway setting on the single device there that you're trying to access?
0
 
sunray_2003Author Commented:
From inside the 7206, I can do the following

I can ping Adtran serial interface 10.10.1.6
Can ping ethernet interface of Adtran *.*.*.13
Can ping CISCO 1720 serial interface 10.10.1.2
Can ping CISCO ethernet interface *.*.*.9

At location 1 :
-----------------

CISCO 1720  <-------Linksys router ------> PC
From the PC, the customer can ping www.google.com; he is able to pull up websites fine.. The only IP he cannot ping is the ethernet interface of the Adtran, i.e. *.*.*.13.. He CANNOT telnet to this IP as well..

Taking one location at a time: from the above PC, he can check Google and other websites fine, meaning he has an internet connection. But from that CISCO 1720, he is not able to ping Google's IP address or any external IP address.
He can ping 10.10.1.1 (which is the serial interface of the CISCO 7206 for this T1 line)..

0
 
minmeiCommented:
Where did the Linksys come from?

Maybe can't ping internet because of NAT rules from source address of router.
0
 
sunray_2003Author Commented:
Here is the configuration of the CISCO 1720

memory-size iomem 25
ip subnet-zero   <=== not sure if this one is needed..
!
!!
interface Serial0
 ip address 10.10.1.2 255.255.255.252
 no ip directed-broadcast
 encapsulation ppp
 no fair-queue
 service-module t1 timeslots 1-24
!
interface FastEthernet0
 ip address *.*.*.9 255.255.255.252
 no ip directed-broadcast
 full-duplex
!
no ip classless
ip route 0.0.0.0 0.0.0.0 10.10.1.1
no ip http server
!
0
 
sunray_2003Author Commented:
minmei ,

The linksys router was already there at the customer location.. What is surprising is that from inside the PC , he can ping the internet but not from inside the CISCO 1720.
0
 
minmeiCommented:
Does the linksys do nat? is it the default gateway for the subnet?
0
 
minmeiCommented:
The 1720 pings from the serial address; it may not be in your NAT rules for outside access to the net (this is OK).

How are you putting the pc inside the 1720 and not the linksys?

0
 
sunray_2003Author Commented:
CISCO router : IP address of Ethernet interface *.*.*.9
                      subnet mask : 255.255.255.252

yes the linksys does the NAT.
linksys has the following config

IP address *.*.*.10
subnet mask : 255.255.255.252
default gateway : *.*.*.9

0
 
lrmooreCommented:
>What is surprising is that from inside the PC , he can ping the internet but not from inside the CISCO 1720.
Does not surprise me at all. Apparently you have no NAT device between the 7206 at HQ and this router? Direct connection from 7206 with public IP's on the LAN's.
If you telnet to the 1720 and try to ping google, your source IP is going to be 10.10.1.2 which obviously cannot be routed or get return traffic. Try doing a source ping using the Ethernet ip as the source.

It's no wonder the two PCs can communicate directly if they each have another router/Linksys in front of them - D'oh!
0
 
lrmooreCommented:
Correction -
The two PCs CANNOT communicate directly because of this Linksys NAT router in the middle.
0
 
minmeiCommented:
If you keep things this way, the internal subnet PC's/Servers will all be forced into one ip address (outside on the linksys *.*.*.10). You will have to use a "virtual server" rule to point ports from the inbound traffic thru the linksys to the specific servers that need to communicate.

Is there any special reason you have public IP's all the way to the sites? Can you not rearrange and use NAT on the 7206 and hide everything behind it with NAT?
0
 
sunray_2003Author Commented:
Lrmoore,

>> Does not surprise me at all. Apparently you have no NAT device between the 7206 at HQ and this router? Direct connection from 7206 with public IP's on the LAN's.

I think I get the point here.. From the CISCO 1720, if I ping Google, the source IP address is 10.10.1.2 (serial interface on the CISCO 1720) and hence I do not get back a reply. Whereas, from the PC, the source IP address would be *.*.*.10 (because of the NAT of the Linksys) and hence I can successfully ping Google..

If the above understanding is correct, when he pings from the PC to the Adtran LAN interface *.*.*.13, I should get back a reply, right?
0
 
minmeiCommented:
Check the subnet mask for the Adtran LAN interface to make sure it's /30.
0
 
sunray_2003Author Commented:
yes it is /30  (255.255.255.252)

0
 
minmeiCommented:
He should get a reply, since *.*.*.13 will go to the Linksys,

linksys will go to default gateway 1720

1720 has route to 10.10.1.1 as default (7206)

7206 has route (static) to *.*.*.12 out serial 2

adtran can reach *.*.*.13 on inside interface
---------

back to pc at *.*.*.10

default gw to 10.10.1.5 (7206)

7206 has route (s) to *.*.*.8 out serial 1

1720 has interface on *.*.*.8 to linksys

linksys is *.*.*.10
---------

should work

adtran def gw on outside interface is 10.10.1.5, like you said?
0
 
sunray_2003Author Commented:
OK.. I changed
"no ip classless" in the CISCO 1720 to "ip classless" and now I can PING from the CISCO 1720 to the Adtran 602 and vice versa..

Now here is the first step progress towards making that peersync work..
0
 
sunray_2003Author Commented:
I cannot ping Google from inside the Cisco and I do not think I need to bother about that. Thanks to lrmoore for making the point clear that the source address that Google's machine is going to see would be a 10.10.*.* address.
0
 
lrmooreCommented:
>no ip classless in  CISCO 1720
D'oh! I missed seeing that. IP classless is turned on by default, so I didn't even think to look for it.

You still have the Linksys in the way to have the peersync application work.
Does the Adtran side also have a linksys or other type router?
0
 
sunray_2003Author Commented:
Here is the situation on the Adtran side.

Adtran is connected to the windows 2000 server machine (which I believe has got the peersync software) and this server gives out DHCP to rest of the machines in that network.

I checked that peersync software uses port 7333 as default, and I assume opening that port on the Linksys router in the location where the CISCO 1720 is present, and opening TCP port 7333 on the Adtran router, would make the peersync software on both ends work..
0
 
lrmooreCommented:
<shudder....>
I'm glad it's not my network.....
Yes, opening the appropriate ports (same on both ends?) on the [Linksys] router, forwarded to the appropriate internal host might let it work...
0
 
sunray_2003Author Commented:
>> I'm glad it's not my network.....

I know.. I can see the unnecessary complexity. I would have to try port forwarding and check with the customer tomorrow.
0
 
minmeiCommented:
I shuddered when I heard about the linksys.
0
 
sunray_2003Author Commented:
Hello all ,

From what lrmoore said, "If you telnet to the 1720 and try to ping google, your source IP is going to be 10.10.1.2 which obviously cannot be routed or get return traffic. Try doing a source ping using the Ethernet ip as the source.", I understand that from my 1720, if I ping Google or any other IP on the internet, the return traffic cannot come back as the source IP would be a 10.10 private IP..

Do I need to add any other ip route statement, other than
ip route 0.0.0.0 0.0.0.0 serial0, to get ping replies back??
0
 
minmeiCommented:
No - you can do a ping without arguments...

type ping

It will ask you a number of questions - the only ones you have to answer are the target address, the "extended commands" (answer it yes), and the source address -- the source address is the outside interface (ethernet) pointing to the internet.
0
 
sunray_2003Author Commented:
router#ping
Protocol [ip]:
Target IP address: 64.233.161.104  <=== google's IP
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.1.6  <== serial0's IP address
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 64.233.161.104, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


0
 
sunray_2003Author Commented:
To make it clear, here are the connections

***************************
7206:
--------

serial interface 2
ip address 10.10.1.5  255.255.255.252
encapsulation ppp

ip route *.*.*.12 255.255.255.252 serial 2
ip route 0.0.0.0 0.0.0.0  <public ip>
*****************************************
Location 1 : got 1720  

interface serial 0
ip address 10.10.1.6

interface FastEthernet0
 ip address *.*.*.9 255.255.255.252
 no ip directed-broadcast
 full-duplex

ip route 0.0.0.0 0.0.0.0 serial 0
******************************************

I am trying to ping from 1720 router to google..  
0
 
sunray_2003Author Commented:
Sorry , typo..

>> ip route *.*.*.12 255.255.255.252 serial 2

should be (in cisco 7206)

ip route *.*.*.8 255.255.255.252 serial 2
0
 
minmeiCommented:
Pinging Google will require the source address being inside the NAT pool.

Use the other interface address of the 1720 as the source - the *.*.*.9.

0
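The three routing points argued out above (minmei's hop-by-hop trace between the sites, the "no ip classless" fix on the 1720, and the extended ping needing the Ethernet address as source) can be checked offline with a small route-lookup model. The following is an added example, not code from the thread or from any of the vendors: it rebuilds the routers and static routes quoted in the posts, substituting constructed addresses from 198.51.100.0/24 for the thread's *.*.*.x and a constructed 203.0.113.0/30 link for the ISP, and implements the classful lookup rule that caused the original failure.

```python
# Added example (not from the thread): a small model of the topology posted above that
# does IOS-style route lookups, so the behaviours discussed can be checked offline: the
# forward/return path between the sites, the effect of "no ip classless" on the 1720,
# and why a ping sourced from the 1720's serial address gets no reply from the internet.
# Public addresses are constructed from 198.51.100.0/24 in place of the thread's *.*.*.x,
# and 203.0.113.0/30 is a constructed ISP link. NAT is not modelled beyond treating the
# Linksys WAN address (.10) as the source the far end sees.
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network next_hop iface")   # next_hop None = connected


def classful_major_network(ip):
    """The class A/B/C network containing ip, as a classful router sees it."""
    ip = ipaddress.ip_address(ip)
    first = int(ip) >> 24
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


class Router:
    def __init__(self, name, classless=True):
        self.name, self.classless, self.routes, self.ifaces = name, classless, [], {}

    def connected(self, iface, addr):       # "interface X / ip address a.b.c.d mask"
        intf = ipaddress.ip_interface(addr)
        self.ifaces[iface] = intf.ip
        self.routes.append(Route(intf.network, None, iface))
        return self

    def static(self, prefix, next_hop):     # "ip route prefix mask next-hop"
        self.routes.append(Route(ipaddress.ip_network(prefix),
                                 ipaddress.ip_address(next_hop), "static"))
        return self

    def lookup(self, dst):
        """Longest-prefix match. Under 'no ip classless' the default route is not used
        for a destination inside a major network this router has a subnet of."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r.network]
        if not matches:
            return None
        best = max(matches, key=lambda r: r.network.prefixlen)
        if best.network.prefixlen == 0 and not self.classless:
            major = classful_major_network(dst)
            if any(r.network.prefixlen > 0 and r.network.subnet_of(major)
                   for r in self.routes):
                return None     # classful behaviour: drop instead of using the default
        return best


def trace(devices, start, dst):
    """Follow next hops from device `start` towards dst; returns (path, outcome)."""
    by_addr = {ip: d for d in devices.values() for ip in d.ifaces.values()}
    dev, path = devices[start], [start]
    for _ in range(len(devices) + 1):
        route = dev.lookup(dst)
        if route is None:
            return path, f"dropped at {dev.name}"
        if route.next_hop is None:
            return path, f"delivered on {dev.name} {route.iface}"
        dev = by_addr.get(route.next_hop)
        if dev is None:
            return path, f"next hop {route.next_hop} is outside the model"
        path.append(dev.name)
    return path, "routing loop"


def build(classless_1720):
    """The devices and routes quoted in the thread (public addresses constructed)."""
    r7206 = (Router("7206")
             .connected("serial1", "10.10.1.1/30")
             .connected("serial2", "10.10.1.5/30")
             .connected("isp", "203.0.113.2/30")        # constructed internet link
             .static("198.51.100.8/30", "10.10.1.2")     # thread: "... serial 1"
             .static("198.51.100.12/30", "10.10.1.6")    # thread: "... serial 2"
             .static("0.0.0.0/0", "203.0.113.1"))        # thread: "... <public ip>"
    r1720 = (Router("1720", classless=classless_1720)
             .connected("serial0", "10.10.1.2/30")
             .connected("fe0", "198.51.100.9/30")
             .static("0.0.0.0/0", "10.10.1.1"))
    adtran = (Router("adtran")
              .connected("wan", "10.10.1.6/30")
              .connected("lan", "198.51.100.13/30")
              .static("0.0.0.0/0", "10.10.1.5"))
    linksys = (Router("linksys")
               .connected("wan", "198.51.100.10/30")
               .connected("lan", "192.168.1.1/24")      # constructed inside range
               .static("0.0.0.0/0", "198.51.100.9"))
    internet = (Router("internet")                       # knows only the public block
                .connected("peer", "203.0.113.1/30")
                .static("198.51.100.0/24", "203.0.113.2"))
    return {d.name: d for d in (r7206, r1720, adtran, linksys, internet)}


if __name__ == "__main__":
    print("no ip classless:", trace(build(False), "linksys", "198.51.100.13"))
    print("ip classless:   ", trace(build(True), "linksys", "198.51.100.13"))
    print("reply to serial:", trace(build(True), "internet", "10.10.1.2"))
    print("reply to fe0:   ", trace(build(True), "internet", "198.51.100.9"))
```

With the 1720 built classful, the trace from the Linksys stops at the 1720 because the destination sits in the same major network as its own FastEthernet subnet and only the default route matches; built classless, it reaches the Adtran LAN and the return path comes back via the 7206's static route. The last two traces show the source-address point: the internet model has no route back to 10.10.1.2 but does reach 198.51.100.9.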
 
sunray_2003Author Commented:
Oh, that was silly on my part to give the serial interface IP.. Thanks for the quick help...
0
