Connecting two networks together at one location to two networks at another location via VPN

Greetings...

I have the following situation:

I need to be able to have two networks at two separate locations connected together.

Location One:
192.168.1.0/24 connected to another LAN of 72.22.1.0/24

Both these subnets need to talk to each other. IE, computers on both subnets communicate together.

Location Two:

10.100.11.0/24 connected to another LAN of 77.10.0.0/24

Both of these subnets need to talk to each other. IE, computers on both subnets communicate together.

Now, to make it more complicated:

I need to be able to have anyone on any of the 4 subnets communicate with each other...

We have a VPN between Location One and Two using a Cisco Pix 506e and a Watchguard SOHO6TC.

One more hitch:

We need anyone connecting to the Cisco PIX 506e to have the ability to connect to any of the 4 subnets.

What hardware do we need in order to do this?

What router would you suggest?

Right this minute, 192.168.1.0/24 is able to communicate with the 72.22.1.0/24 machines because one server, 192.168.1.252 has two NICs in it and one is setup for the 72.22.1.0/24 subnet.

Please help ASAP with ideas for which router to use to best serve this purpose.  NO, the PIX will not do the routing before someone asks =)

Thank you again,

John
PlusIncAsked:
mikebernhardtCommented:
Some questions first:

1. I'm assuming that the firewalls are on one of the LANs at each location?

2. When you say anyone connecting to the PIX can get to any of the subnets, how do you mean connect? A user doing VPN?

3. Are the 2 locations talking now to any degree?

The simplest way might be to just add some permanent routes to the 2 servers, if they can already talk to each other.

fatladCommented:
4. At the moment are the two networks at location 2 connected in any way?
mikebernhardtCommented:
That was #3 in my post :-)
fatladCommented:
Sorry, I thought you meant: was there communication between the locations (i.e. inter-site via the VPN)? I meant is there any intra-site communication at location 2.
mikebernhardtCommented:
Oh, sorry. I think he did say there was though...
PlusIncAuthor Commented:
As we stand, we have:

Location One:
192.168.1.0/24 lan 1
172.22.1.0/24 lan 2

ANYONE on 192.168.1.0/24 can communicate with an as/400 on 172.22.1.2 no problem.

Location Two:
10.100.11.0/24 lan 1
77.10.0.0/24 lan 2

ANYONE on 10.100.11.0/24 (Location Two) can communicate with  our server at 192.168.1.252 (at Location One) via the VPN.

NOBODY outside of Location One (VPN from Location Two OR via a cisco vpn connection to Location One) can connect to 172.22.1.2 (the AS/400 at Location One).

This is because the PIX 506E will NOT allow us to ROUTE the packets on the same interface.

I need a router that will allow packets received on the VPN at 192.168.1.254 (the PIX) to be routed to the 172.22.1.2 server via the 192.168.1.252 server, which has a NIC, connected to the 172.22.1.0/24 LAN as well as the 192.168.1.0/24 LAN.

I don't want to buy a router that is incapable of this.

I am most concerned with Location One.. If I can get it working, I can mirror it at Location Two of course.

Location One:
Real World in via a T1 on an Adtran, PIX-506e set up as 192.168.1.254 then two cisco 24 port switches.  NO ROUTER.
Server at this location is 192.168.1.252, it has a second NIC that is on the 172.22.1.x network.

Location Two:
Real world in via a DSL connection on a Netopia in Bridged mode, Watchguard SOHO6tc set up as 10.100.11.254 then cisco 16 port switch. NO ROUTER.
Server at this location is 10.100.11.1, it has a second NIC that is on 77.10.x.x.

Hope this is enough info. I know it's clear as mud =)

Thank you,

John
mikebernhardtCommented:
It would seem like the easiest thing to do would be:
1. On the PIX, set up a route to 172.22.1.0/24 with a next hop of 192.168.1.252. Are you unable to define 172.22.1.0/24 as an additional network on the inside?

2. On the Watchguard, set up a route to 77.10.0.0/24 with a next hop of 10.100.11.1

3. On both servers, set a default route that points to the respective firewall.
PlusIncAuthor Commented:
The PIX is incapable of routing through the same interface.. It HAS a route set up... everyone on 192.168.1.0/24, the LAN behind the PIX is able to access the 172.22.1.0/0 network fine...

It's just that anyone coming in from the VPNs cannot access it.

That's the sticky wicket so to speak =)
fatladCommented:
You should be able to set a VLAN trunk from the switch to the PIX and set this up as two sub-interfaces (you will need the latest version of PIX OS to do this).

That way you will not need the  server with two nics acting as a router between the two. The PIX will do it for you once you put in an ACL to say that it should permit traffic from 192.168.1.0/24 lan 1 to 172.22.1.0/24 lan 2.

The traffic over the VPN should be able to reach either subnet here as well, again providing the ACLs are set correctly.

Short answer: no new devices, just a software upgrade and some cable jockeying.

mikebernhardtCommented:
Wait-- so the 2 LANs at location 1 are on opposite sides of the PIX? I'm not at all clear about your topography. Can you make a little diagram which includes the VPN connectivity between the 2 sites?
PlusIncAuthor Commented:
Fatlad, let me investigate your information, but as far as I know, from the lips of cisco support, there is no way to actually route to two subnets via the same interface it comes in on.  In other words, I can do it locally, I'm DOING it locally, on one network.  But on the VPN side of things, nothing from the tunnel makes it through to the "other" subnet.  The pix 506e only has the two interfaces.  inside and outside.

mikebernhardt:

At location one:

(INTERNET) -> (Adtran for the T1) -> (Cisco PIX 506E with address of 192.168.1.254) -> (Cisco 24port switches) ->
(Server1 192.168.1.252).

Server 1 also has a NIC in it that has an address on the 172.22.1.0/24 network.

PIX has a route that routes anything for 172.22.1.0/24 to 192.168.1.252 which routes it on to the 172.22.1.0/24 network just fine, as long as it is originating from the 192.168.1.0/24 network.

Anything from the OUTSIDE world (VPNs, either branch or mobile) cannot get to the 172.22.1.0/24 network addresses.

Clearer?  Not sure...

I'm willing to buy a router to put behind the PIX, I'll get one today, I just don't want to get the wrong appliance for the job.

Thank you,

John
MarkDozierCommented:
I would get a router behind each firewall device and connect LAN 1 and LAN 2 together on the router.
LAN 3 and LAN 4 together on the router at the other end.
Do a static route between the PIX and the WatchGuard. Get these 2 talking together first.
Now use OSPF and create LAN 1,2,3,4 in a single area. This should work but having not tried it I am not positive.
fatladCommented:
So the real problem you have is to get your VPN to transport traffic through the PIX? The same interface thing is a side issue (BTW the ability to do so is quite new, I only found out about it last week).

Could you post the config of your PIX (with relevant sensitive bits removed)? It sounds like you just need to put the correct ACL in but lets check it out first.
mikebernhardtCommented:
>PIX has a route that routes anything for 172.22.1.0/24 to 192.168.1.252 which routes it on to the 172.22.1.0/24 network just fine, as long as it is originating from the 192.168.1.0/24 network.
I think you need to change the interface config on the PIX. There is no reason that it can't route outside traffic to 172.22.1.0/24 other than not being configured to do so. 172.22.1.0/24 needs to be added as an inside network and some other things might need to be done, but it can be done.
mikebernhardtCommented:
And the thing about getting a router is, you'll still have to make the same changes to the PIX to get it to permit outside traffic to both LANs. A router may be a good idea but it won't solve this particular problem...
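The two points made in this thread, mikebernhardt's static routes (PIX route to 172.22.1.0/24 via 192.168.1.252, server default route back to the PIX) and the separate requirement that the PIX's VPN configuration actually cover 172.22.1.0/24 as an inside network, can be checked against a small forwarding model of Location One. This is an added illustration, not any participant's configuration; the 172.22.1.252 address for the server's second NIC and the remote host 10.100.11.5 are assumptions.

```python
"""Forwarding model of Location One as described in the thread (an added
illustration, not any participant's configuration). Each node has a routing
table; the PIX also holds the networks its VPN tunnel is configured to deliver to."""
from ipaddress import ip_address, ip_network
TUNNEL_NET = ip_network("10.100.11.0/24")   # Location Two, arrives through the VPN

NODES = {
    "pix": {
        "addrs": {"192.168.1.254"},
        "vpn_acl": [ip_network("192.168.1.0/24")],   # destinations the tunnel is configured for
        "routes": [(ip_network("192.168.1.0/24"), None),              # directly connected
                   (ip_network("172.22.1.0/24"), "192.168.1.252")],   # static route via server1
    },
    "server1": {   # dual-homed server; 172.22.1.252 is an assumed address for the second NIC
        "addrs": {"192.168.1.252", "172.22.1.252"},
        "routes": [(ip_network("192.168.1.0/24"), None),
                   (ip_network("172.22.1.0/24"), None),
                   (ip_network("0.0.0.0/0"), "192.168.1.254")],       # default route back to the PIX
    },
}

def lookup(routes, dst):
    """Longest-prefix match over (network, next_hop) pairs; next_hop None means connected."""
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def trace(src, dst, nodes=NODES, vpn_extra=()):
    """Follow a packet hop by hop starting at the PIX; returns (status, [nodes visited]).
    vpn_extra lists extra CIDRs treated as if added to the PIX's VPN ACL."""
    src, dst = ip_address(src), ip_address(dst)
    extra = [ip_network(c) for c in vpn_extra]
    node, path = "pix", []
    while node is not None and len(path) < 8:
        path.append(node)
        n = nodes[node]
        if "vpn_acl" in n and src in TUNNEL_NET and \
                not any(dst in a for a in n["vpn_acl"] + extra):
            return ("dropped: dst not in VPN ACL", path)
        route = lookup(n["routes"], dst)
        if route is None:
            return ("dropped: no route", path)
        if route[1] is None:                       # destination is on a connected LAN
            return ("delivered", path)
        node = next((k for k, v in nodes.items() if route[1] in v["addrs"]), None)
    return ("dropped: next hop unreachable", path)

if __name__ == "__main__":
    print(trace("192.168.1.10", "172.22.1.2"))      # local host: delivered via server1
    print(trace("10.100.11.5", "172.22.1.2"))       # remote host: dropped at the PIX
    print(trace("10.100.11.5", "172.22.1.2", vpn_extra=["172.22.1.0/24"]))  # delivered
```

The static route alone gets local 192.168.1.0/24 hosts to the AS/400, which matches what John observes; tunnel traffic only gets through once the model's VPN ACL also lists 172.22.1.0/24.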