Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Wide Area Network - Please Advise

Posted on 2007-03-28
Medium Priority
Last Modified: 2010-04-09
Here is what we have:

PIX 506E at corp HQ
PIX 501 at 12 remote offices

Corp has:
- two Active Directory servers that are fully functional DNS and WINS servers.
- one Application Server that runs Symantec AV Corp Edition + a few other apps
- one Network Attached Storage server (shares files only available to users at Corp)

- We want to manage remote computers over a VPN via PIX boxes
- We also want to be able to push out Symantec installs so we can mintor virus protection
- We also want to be able to setup a very limited set of IP's/URLs that remote office computers can visit
- We want to be able to manage all user accounts and passwords at Corp with Active directory

I have no cisco experience, but all these boxes were configured by a previous admin.  We've rebuilt the Active directory structure correctly with a fully qualified domain name and everything is working fine but at this point we haven't added any of the remote computers to the domain - just the corp onese (there are about 15 of those).

Although the VPNs are configured already and are running, the previous admin failed to provide correct username's and passwords for the PIX boxes.  I've already reset the password on the 506e at corp and have reviewed the PDM interface enough to know the VPN's are active.  I will have to reset the passwords at each location on the PIX though, but when I do that I want to know how best to go about it and what are the recommended configurations for DNS traffic considering all the desires I listed above?

1.) Should I point DNS back to Corp over the VPN or use the ISP's DNS?
2.) Is there a need to specify WINS back to Corp?
3.) Whats the most secure way to remotely manage these PIX boxes?
4.) What is the best way to handel this conversion overall step by step?
5.) Am I missing any important details, because I'd like to take care of everything needed once remote site visits start so a second round of travel isn't required.  Remote admin is key, being these offices are spread accross the state.

I know a imdiate question I will get is bandwidth, the corp office has a full T1 and each remote office has broadband with static IP's.

Any advice, feedback, ideas, suggestions would be greatly appreciated!  Also, pointers on Cisco PIX and configuring them for remote access would be great.

Thank you all!!!
Question by:Mike4CCM
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 79

Accepted Solution

lrmoore earned 2000 total points
ID: 18807143
1. With AD you have no choice but to use your AD DNS
2. Not if you use your DNS correctly and all workstations are XP
3. Via SNMP through the VPN tunnel
4. Pick the nearest office as your test bed and just start adding PC's to the domain and note anything unusual. The connectivity is already there, so it's just a matter of finding the DC. Is the PIX providing local DHCP? Be sure to give out the correct dns IP's.
5. Just be sure to enable Remote Desktop on the PC's when you join them up to the domain.

Bandwidth will be an issue especially at HQ with only a T1. If everybody has to come across the wire for all authentication and DNS, then it will increase your T1 load for sure.  You definately want to keep an eye on the usage and guage its increase every time you convert a remote office. Do you have any monitoring tools today? I  highly recommend SolarWinds http://www.solarwinds.net

To setup the pix for remote access, it is simply a matter of designating the inside interface as Management Access interface, enable SNMP, and add your network monitoring system's IP to the SNMP access and your HQ subnet to the http access list.

Author Comment

ID: 18853607
1.) how do I enable SNMP through the VPN tunnel
2.) I've added one PC to the domain, nothing was unusual.  Yes, the local PIX is providing the local DHCP at the remote locations.  At corp one of our servers is assigning DHCP.
3.) I've checked, and I can remote desktop to the computers name from corp over the VPN to the remote office without having to use the IP address, which is good.
4.) Can you give me the steps you recommend in order to setup the pix for secure remote access?  Preferibly in an order of commands I type into the PIX command line interface?
5.) Not sure what you are referencing with adding my network monitoring systems IP to the SNMP access and my HQ subnet to the http access list??  Could you provide steps in accomplishing this?
6.) most importantly, we want to be able to push out Symantec Corp edition client installs and monitor their status from corp, is this possible over the PIX VPN?  Normally from Symantec's management consol, I would do a remote client install but it then prompts me to browse to the computer and the remote office computer doesn't appear in the network neiborhood??  Any suggestions?

Thanks for your help.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 19035760
Mike, that is about 6 different questions in there own right.

Author Comment

ID: 19588161

I am glad you see I have six different questions, they were numbered - good for you!  Did you have anything positive to say or a response that might answer at least one of the questions?

- Mike
LVL 51

Expert Comment

by:Keith Alabaster
ID: 19588287
Sarcasm doesn't help anyone Mike. When you joined the site and read the members agreement plus the FAQ's you saw that multiple questions require to be submitted seperately/individually. LRMoore assisted you in the first instance with your first set although he woud have been in his rights to have asked you to follow the guidelines at that point. No-one has wanted to respond to your subsequent set of questions and as the thread has now been dormant for over 21 days it falls into the cleanup category.

As LRMoore has answered your initial question(s) it is fair to award him the points.
If you wish to dispute my recommendation then please post a comment in the community support section.

Featured Post

Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question