Solved

Wide Area Network - Please Advise

Posted on 2007-03-28
Last Modified: 2010-04-09
Here is what we have:

PIX 506E at corp HQ
PIX 501 at 12 remote offices

Corp has:
- two Active Directory servers that are fully functional DNS and WINS servers.
- one Application Server that runs Symantec AV Corp Edition + a few other apps
- one Network Attached Storage server (shares files only available to users at Corp)

Need:
- We want to manage remote computers over a VPN via PIX boxes
- We also want to be able to push out Symantec installs so we can monitor virus protection
- We also want to be able to setup a very limited set of IP's/URLs that remote office computers can visit
- We want to be able to manage all user accounts and passwords at Corp with Active directory

I have no Cisco experience, but all these boxes were configured by a previous admin.  We've rebuilt the Active Directory structure correctly with a fully qualified domain name and everything is working fine, but at this point we haven't added any of the remote computers to the domain - just the corp ones (there are about 15 of those).

Although the VPNs are configured already and are running, the previous admin failed to provide correct usernames and passwords for the PIX boxes.  I've already reset the password on the 506E at corp and have reviewed the PDM interface enough to know the VPNs are active.  I will have to reset the passwords at each location on the PIX though, but when I do that I want to know how best to go about it and what the recommended configurations for DNS traffic are, considering all the desires I listed above.

1.) Should I point DNS back to Corp over the VPN or use the ISP's DNS?
2.) Is there a need to specify WINS back to Corp?
3.) Whats the most secure way to remotely manage these PIX boxes?
4.) What is the best way to handle this conversion overall, step by step?
5.) Am I missing any important details? I'd like to take care of everything needed once remote site visits start so a second round of travel isn't required.  Remote admin is key, as these offices are spread across the state.


I know an immediate question I will get is bandwidth: the corp office has a full T1 and each remote office has broadband with static IPs.

Any advice, feedback, ideas, suggestions would be greatly appreciated!  Also, pointers on Cisco PIX and configuring them for remote access would be great.

Thank you all!!!
Question by:Mike4CCM
6 Comments
 

Accepted Solution

by: lrmoore (earned 500 total points)
1. With AD you have no choice but to use your AD DNS
2. Not if you use your DNS correctly and all workstations are XP
3. Via SNMP through the VPN tunnel
4. Pick the nearest office as your test bed and just start adding PCs to the domain and note anything unusual. The connectivity is already there, so it's just a matter of finding the DC. Is the PIX providing local DHCP? Be sure to give out the correct DNS IPs.
5. Just be sure to enable Remote Desktop on the PCs when you join them to the domain.

Bandwidth will be an issue, especially at HQ with only a T1. If everybody has to come across the wire for all authentication and DNS, then it will increase your T1 load for sure.  You definitely want to keep an eye on the usage and gauge its increase every time you convert a remote office. Do you have any monitoring tools today? I highly recommend SolarWinds http://www.solarwinds.net

To setup the pix for remote access, it is simply a matter of designating the inside interface as Management Access interface, enable SNMP, and add your network monitoring system's IP to the SNMP access and your HQ subnet to the http access list.
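The remote-management setup lrmoore describes above, written out as PIX OS 6.x CLI commands in the order you would type them at a remote PIX 501. This is an added example, not configuration from the original thread or from the poster's devices. It assumes PIX OS 6.3, an already working site-to-site tunnel to HQ, and placeholder addressing: 10.10.0.0/24 is the HQ LAN, 10.10.0.10 and 10.10.0.11 are the two AD/DNS/WINS servers, 10.10.0.50 is the HQ monitoring host, 10.10.1.0/24 is the remote office LAN, and corp.example.com is the AD domain. Replace all of those, and the bracketed secrets, with your own values. Lines beginning with "!" are annotations for the reader, not commands to paste.

```cisco
! Run on each remote PIX 501 in "configure terminal" mode (assumes PIX OS 6.3).
! Step 1: replace the previous admin's credentials. Both are stored in the config.
enable password <new-enable-password>
passwd <new-login-password>

! Step 2: SSH needs a hostname, a domain name and an RSA key before it accepts sessions.
hostname pix-remote01
domain-name corp.example.com
ca generate rsa key 1024
ca save all

! Step 3: let HQ reach this PIX's INSIDE address through the site-to-site tunnel.
! Without this, traffic arriving over the tunnel can only manage the outside interface.
management-access inside

! Step 4: CLI access. SSH only, only from the HQ subnet, only via the inside interface
! (i.e. through the tunnel). Telnet is cleartext, so no "telnet" lines at all.
ssh 10.10.0.0 255.255.255.0 inside
ssh timeout 15

! Step 5: PDM (HTTPS) from the HQ subnet only.
http server enable
http 10.10.0.0 255.255.255.0 inside

! Step 6: SNMP for the HQ monitoring host only. PIX 6.x speaks SNMPv1/v2c, so the
! community string crosses the wire in the clear; a single allowed host inside the
! tunnel is the only protection available, so pick a long random string.
snmp-server community <long-random-community>
snmp-server host inside 10.10.0.50
snmp-server enable traps
snmp-server location Remote Office 01
snmp-server contact it@corp.example.com

! Step 7: local DHCP must hand out the AD DNS/WINS servers at HQ, not the ISP's resolvers,
! or domain-joined PCs will never find the domain controllers.
dhcpd address 10.10.1.100-10.10.1.150 inside
dhcpd dns 10.10.0.10 10.10.0.11
dhcpd wins 10.10.0.10 10.10.0.11
dhcpd domain corp.example.com
dhcpd lease 86400
dhcpd enable inside

write memory
```

Usage notes: with no AAA configured, SSH to a PIX 6.x box logs in as user "pix" with the password set by "passwd". The "snmp-server host" line with neither "trap" nor "poll" permits both from that host. Verify from HQ before leaving the site: "ssh pix@10.10.1.1" (the PIX's inside address) over the tunnel, a PDM connection to https://10.10.1.1, and an SNMP poll from 10.10.0.50; then "ipconfig /all" on a remote PC should show the two HQ DNS/WINS addresses and "nslookup corp.example.com" should return the DC addresses.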
 

Author Comment by: Mike4CCM
1.) how do I enable SNMP through the VPN tunnel
2.) I've added one PC to the domain, nothing was unusual.  Yes, the local PIX is providing the local DHCP at the remote locations.  At corp one of our servers is assigning DHCP.
3.) I've checked, and I can remote desktop to the computers name from corp over the VPN to the remote office without having to use the IP address, which is good.
4.) Can you give me the steps you recommend in order to set up the PIX for secure remote access?  Preferably in the order of commands I type into the PIX command line interface?
5.) Not sure what you are referencing with adding my network monitoring systems IP to the SNMP access and my HQ subnet to the http access list??  Could you provide steps in accomplishing this?
6.) Most importantly, we want to be able to push out Symantec Corp Edition client installs and monitor their status from corp. Is this possible over the PIX VPN?  Normally from Symantec's management console, I would do a remote client install, but it then prompts me to browse to the computer and the remote office computer doesn't appear in the network neighborhood.  Any suggestions?

Thanks for your help.
 
Expert Comment by: Keith Alabaster
Mike, that is about 6 different questions in their own right.
 

Author Comment by: Mike4CCM
Keith,

I am glad you see I have six different questions, they were numbered - good for you!  Did you have anything positive to say or a response that might answer at least one of the questions?

Thanks!
- Mike
 
Expert Comment by: Keith Alabaster
Sarcasm doesn't help anyone, Mike. When you joined the site and read the members agreement plus the FAQs, you saw that multiple questions require to be submitted separately/individually. LRMoore assisted you in the first instance with your first set, although he would have been in his rights to have asked you to follow the guidelines at that point. No one has wanted to respond to your subsequent set of questions, and as the thread has now been dormant for over 21 days it falls into the cleanup category.

As LRMoore has answered your initial question(s) it is fair to award him the points.
If you wish to dispute my recommendation then please post a comment in the community support section.
