Solved

Wide Area Network - Please Advise

Posted on 2007-03-28
6
230 Views
Last Modified: 2010-04-09
Here is what we have:

PIX 506E at corp HQ
PIX 501 at 12 remote offices

Corp has:
- two Active Directory servers that are fully functional DNS and WINS servers.
- one Application Server that runs Symantec AV Corp Edition + a few other apps
- one Network Attached Storage server (shares files only available to users at Corp)

Need:
- We want to manage remote computers over a VPN via PIX boxes
- We also want to be able to push out Symantec installs so we can mintor virus protection
- We also want to be able to setup a very limited set of IP's/URLs that remote office computers can visit
- We want to be able to manage all user accounts and passwords at Corp with Active directory

I have no cisco experience, but all these boxes were configured by a previous admin.  We've rebuilt the Active directory structure correctly with a fully qualified domain name and everything is working fine but at this point we haven't added any of the remote computers to the domain - just the corp onese (there are about 15 of those).

Although the VPNs are configured already and are running, the previous admin failed to provide correct username's and passwords for the PIX boxes.  I've already reset the password on the 506e at corp and have reviewed the PDM interface enough to know the VPN's are active.  I will have to reset the passwords at each location on the PIX though, but when I do that I want to know how best to go about it and what are the recommended configurations for DNS traffic considering all the desires I listed above?

1.) Should I point DNS back to Corp over the VPN or use the ISP's DNS?
2.) Is there a need to specify WINS back to Corp?
3.) Whats the most secure way to remotely manage these PIX boxes?
4.) What is the best way to handel this conversion overall step by step?
5.) Am I missing any important details, because I'd like to take care of everything needed once remote site visits start so a second round of travel isn't required.  Remote admin is key, being these offices are spread accross the state.


I know a imdiate question I will get is bandwidth, the corp office has a full T1 and each remote office has broadband with static IP's.

Any advice, feedback, ideas, suggestions would be greatly appreciated!  Also, pointers on Cisco PIX and configuring them for remote access would be great.

Thank you all!!!
0
Comment
Question by:Mike4CCM
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
6 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 18807143
1. With AD you have no choice but to use your AD DNS
2. Not if you use your DNS correctly and all workstations are XP
3. Via SNMP through the VPN tunnel
4. Pick the nearest office as your test bed and just start adding PC's to the domain and note anything unusual. The connectivity is already there, so it's just a matter of finding the DC. Is the PIX providing local DHCP? Be sure to give out the correct dns IP's.
5. Just be sure to enable Remote Desktop on the PC's when you join them up to the domain.

Bandwidth will be an issue especially at HQ with only a T1. If everybody has to come across the wire for all authentication and DNS, then it will increase your T1 load for sure.  You definately want to keep an eye on the usage and guage its increase every time you convert a remote office. Do you have any monitoring tools today? I  highly recommend SolarWinds http://www.solarwinds.net

To setup the pix for remote access, it is simply a matter of designating the inside interface as Management Access interface, enable SNMP, and add your network monitoring system's IP to the SNMP access and your HQ subnet to the http access list.
0
 

Author Comment

by:Mike4CCM
ID: 18853607
1.) how do I enable SNMP through the VPN tunnel
2.) I've added one PC to the domain, nothing was unusual.  Yes, the local PIX is providing the local DHCP at the remote locations.  At corp one of our servers is assigning DHCP.
3.) I've checked, and I can remote desktop to the computers name from corp over the VPN to the remote office without having to use the IP address, which is good.
4.) Can you give me the steps you recommend in order to setup the pix for secure remote access?  Preferibly in an order of commands I type into the PIX command line interface?
5.) Not sure what you are referencing with adding my network monitoring systems IP to the SNMP access and my HQ subnet to the http access list??  Could you provide steps in accomplishing this?
6.) most importantly, we want to be able to push out Symantec Corp edition client installs and monitor their status from corp, is this possible over the PIX VPN?  Normally from Symantec's management consol, I would do a remote client install but it then prompts me to browse to the computer and the remote office computer doesn't appear in the network neiborhood??  Any suggestions?

Thanks for your help.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 19035760
Mike, that is about 6 different questions in there own right.
0
 

Author Comment

by:Mike4CCM
ID: 19588161
Kieth,

I am glad you see I have six different questions, they were numbered - good for you!  Did you have anything positive to say or a response that might answer at least one of the questions?

Thanks!
- Mike
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 19588287
Sarcasm doesn't help anyone Mike. When you joined the site and read the members agreement plus the FAQ's you saw that multiple questions require to be submitted seperately/individually. LRMoore assisted you in the first instance with your first set although he woud have been in his rights to have asked you to follow the guidelines at that point. No-one has wanted to respond to your subsequent set of questions and as the thread has now been dormant for over 21 days it falls into the cleanup category.

As LRMoore has answered your initial question(s) it is fair to award him the points.
If you wish to dispute my recommendation then please post a comment in the community support section.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
David Varnum recently wrote up his impressions of PRTG, based on a presentation by my colleague Christian at Tech Field Day at VMworld in Barcelona. Thanks David, for your detailed and honest evaluation!
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question