Solved

Wide Area Network - Please Advise

Posted on 2007-03-28
Last Modified: 2010-04-09
Here is what we have:

PIX 506E at corp HQ
PIX 501 at 12 remote offices

Corp has:
- two Active Directory servers that are fully functional DNS and WINS servers.
- one Application Server that runs Symantec AV Corp Edition + a few other apps
- one Network Attached Storage server (shares files only available to users at Corp)

Need:
- We want to manage remote computers over a VPN via PIX boxes
- We also want to be able to push out Symantec installs so we can monitor virus protection
- We also want to be able to set up a very limited set of IPs/URLs that remote office computers can visit
- We want to be able to manage all user accounts and passwords at Corp with Active Directory

I have no Cisco experience, but all these boxes were configured by a previous admin.  We've rebuilt the Active Directory structure correctly with a fully qualified domain name and everything is working fine, but at this point we haven't added any of the remote computers to the domain - just the corp ones (there are about 15 of those).

Although the VPNs are configured already and are running, the previous admin failed to provide correct usernames and passwords for the PIX boxes.  I've already reset the password on the 506e at corp and have reviewed the PDM interface enough to know the VPNs are active.  I will have to reset the passwords at each location on the PIX though, but when I do that I want to know how best to go about it and what are the recommended configurations for DNS traffic considering all the desires I listed above?

1.) Should I point DNS back to Corp over the VPN or use the ISP's DNS?
2.) Is there a need to specify WINS back to Corp?
3.) What's the most secure way to remotely manage these PIX boxes?
4.) What is the best way to handle this conversion overall, step by step?
5.) Am I missing any important details? I'd like to take care of everything needed once remote site visits start so a second round of travel isn't required.  Remote admin is key, as these offices are spread across the state.


I know an immediate question I will get is bandwidth: the corp office has a full T1 and each remote office has broadband with static IPs.

Any advice, feedback, ideas, suggestions would be greatly appreciated!  Also, pointers on Cisco PIX and configuring them for remote access would be great.

Thank you all!!!
Question by:Mike4CCM
6 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 18807143
1. With AD you have no choice but to use your AD DNS
2. Not if you use your DNS correctly and all workstations are XP
3. Via SNMP through the VPN tunnel
4. Pick the nearest office as your test bed and just start adding PCs to the domain and note anything unusual. The connectivity is already there, so it's just a matter of finding the DC. Is the PIX providing local DHCP? Be sure to give out the correct DNS IPs.
5. Just be sure to enable Remote Desktop on the PCs when you join them up to the domain.

Bandwidth will be an issue, especially at HQ with only a T1. If everybody has to come across the wire for all authentication and DNS, then it will increase your T1 load for sure.  You definitely want to keep an eye on the usage and gauge its increase every time you convert a remote office. Do you have any monitoring tools today? I highly recommend SolarWinds http://www.solarwinds.net

To set up the PIX for remote access, it is simply a matter of designating the inside interface as the Management Access interface, enabling SNMP, and adding your network monitoring system's IP to the SNMP access and your HQ subnet to the HTTP access list.
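A PIX 6.x configuration sketch for the remote-office steps lrmoore describes (management access on inside, SNMP restricted to the monitoring host, HTTP/PDM restricted to the HQ subnet, and local DHCP handing out the AD DNS/WINS servers), added here as an illustration and not taken from the thread; every address, name and community string below is an assumed placeholder.

```cisco
! Constructed placeholders for this example (not from the thread):
!   HQ subnet 10.1.0.0/24, AD DNS/WINS servers 10.1.0.10 and 10.1.0.11,
!   monitoring host 10.1.0.20, remote office LAN 192.168.12.0/24.
hostname pix-remote12
domain-name corp.example

! Make the inside address reachable for management through the existing VPN tunnel
management-access inside

! CLI access over SSH only (telnet stays unconfigured); the RSA key needs
! hostname and domain-name set first
ca generate rsa key 1024
ca save all
ssh 10.1.0.0 255.255.255.0 inside
ssh timeout 10

! PDM over HTTPS, limited to the HQ subnet arriving via the tunnel
http server enable
http 10.1.0.0 255.255.255.0 inside

! SNMP: a unique community string (never the default "public"), and only
! the monitoring host is allowed to poll and receive traps
snmp-server community ChangeMe-UniquePerSite
snmp-server host inside 10.1.0.20
snmp-server location Remote Office 12
snmp-server contact netadmin@corp.example

! Local DHCP points clients at the AD DNS/WINS servers and the AD domain
dhcpd address 192.168.12.10-192.168.12.100 inside
dhcpd dns 10.1.0.10 10.1.0.11
dhcpd wins 10.1.0.10 10.1.0.11
dhcpd domain corp.example
dhcpd enable inside
```

Verify from HQ with `show snmp-server`, `show ssh`, `show http` and `show dhcpd binding` on the remote PIX, and confirm that SNMP, SSH and HTTP are not reachable from the outside interface.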
 

Author Comment

by:Mike4CCM
ID: 18853607
1.) how do I enable SNMP through the VPN tunnel
2.) I've added one PC to the domain, nothing was unusual.  Yes, the local PIX is providing the local DHCP at the remote locations.  At corp one of our servers is assigning DHCP.
3.) I've checked, and I can remote desktop to the computers name from corp over the VPN to the remote office without having to use the IP address, which is good.
4.) Can you give me the steps you recommend in order to set up the PIX for secure remote access?  Preferably in an order of commands I type into the PIX command line interface?
5.) Not sure what you are referencing with adding my network monitoring system's IP to the SNMP access and my HQ subnet to the HTTP access list?  Could you provide steps in accomplishing this?
6.) Most importantly, we want to be able to push out Symantec Corp Edition client installs and monitor their status from corp; is this possible over the PIX VPN?  Normally from Symantec's management console, I would do a remote client install, but it then prompts me to browse to the computer and the remote office computer doesn't appear in the network neighborhood?  Any suggestions?

Thanks for your help.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 19035760
Mike, that is about 6 different questions in their own right.
 

Author Comment

by:Mike4CCM
ID: 19588161
Keith,

I am glad you see I have six different questions, they were numbered - good for you!  Did you have anything positive to say or a response that might answer at least one of the questions?

Thanks!
- Mike
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 19588287
Sarcasm doesn't help anyone, Mike. When you joined the site and read the members agreement plus the FAQs, you saw that multiple questions must be submitted separately/individually. LRMoore assisted you in the first instance with your first set, although he would have been within his rights to have asked you to follow the guidelines at that point. No-one has wanted to respond to your subsequent set of questions and, as the thread has now been dormant for over 21 days, it falls into the cleanup category.

As LRMoore has answered your initial question(s) it is fair to award him the points.
If you wish to dispute my recommendation then please post a comment in the community support section.
