  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2004

Route Help

I am setting up a VPN between a remote office and my corporate LAN. I will be initiating a VPN between the two site firewalls. There is a Cisco 1821 series router at each site as well. The remote site's subnet is 192.168.3.0/24 and the main office is on 192.168.0.0/24. The internal IP address of the firewall at the remote office is 192.168.3.1/24 and the internal IP on the router at the remote site is 192.168.3.230 (this will be the Default Gateway on the network). This router has two Fast Ethernets on it. I will need to add a route to the firewall for 0.0.0.0 0.0.0.0 192.168.3.1 for nodes to get to the internet.

What IP address do I need to assign the other interface (e1) on the router? Also, how do I configure the route to get to the main office's network (192.168.0.0/24)? Also, explain wiring if possible.
0
Asked by: Trihimbulus
1 Solution
 
knightrider2k2 Commented:
Please clarify your network setup. Draw a diagram if possible.

Example

internet------------firewall----------router---------switch
                                                        |
                                                 another firewall
0
 
amoldkelkar Commented:

Corp LAN--------cisco 1821------internet-----eth1---cisco 1821--eth0(192.168.3.2/30)--------Firewall----192.168.3.1/24-----------Remote office LAN
Is this how your diagram is?

If so, then I have a doubt: are the addresses correct as you mentioned for the firewall internal IP and eth0 of the router on the remote site?
How can the internal IP of the router and the internal IP of the firewall on the remote side be 192.168.3.2/30 and 192.168.3.1/24?

192.168.3.2/30 basically has 2 host IPs under this subnet and those are 192.168.3.1 and 192.168.3.2.

I might have wrongly interpreted.
Can you please comment on the same?

Thanks
-AK

0
 
Jan Springer Commented:
I think the question is confusing due to the use of RFC1918 (private) address space and the lack of explanation as to where network address translation is being performed.

A VPN across an internet connection is established from public IP to public IP.
0

 
Trihimbulus (Author) Commented:

Main Office Lan--------Cisco 1821----Firewall---Internet--Firewall--Cisco 1821-------Remote Office Lan
192.168.0.0/24      e0 192.168.0.230        vpn<------------->vpn         e0 192.168.3.230/24

I have rethought this and let me know if this makes any sense. As shown through the diagram above, I will be initiating the VPN between the firewalls (these are Symantec SGS 5400 series). On my firewalls, I do have the ability to set the VPNs up to different interfaces (i.e. e0, e1, e2, e3, etc.). On the firewall at my remote office, e0 will be the WAN interface, e1 is the LAN interface (192.168.3.1/24).

At my remote office, should I do the following:

1) Set the VPN on another internal interface (e2 with 192.168.3.2/24)
2) On the router at my remote office, add the following routes:
0.0.0.0 0.0.0.0 192.168.3.1
192.168.0.0 255.255.255.0 192.168.3.2
3) On the router at my remote office, make e0 192.168.3.230/24, which will be the default gateway for the network.

It is at this point that I need help (assuming everything else here looks legit). On the other Fast Ethernet port on the router, what IP address do I assign this? 192.168.3.3 possibly, and connect that to the VPN interface on the firewall (192.168.3.2/24) with a straight-through cable? Please advise.
0
 
Trihimbulus (Author) Commented:
Also forgot to mention that we also have 2 other offices connected to the main office via PPP T1s, and thus this is why we have Cisco routers at each site. We have made the decision NOT to install a T1 at this new office, as it will only support a handful of employees (but it could grow overnight to 30!)
0
 
Trihimbulus (Author) Commented:
So sorry - just read Jesper's comment. Each Firewall will be providing NAT services to each network. Each firewall will be assigned a static public IP address as well.
0
 
amoldkelkar Commented:
Questions:
Can you tell me the firewall inside interface IP facing the router on the remote side?
I am assuming the firewall inside IP is 192.168.3.1? If so, and if you give it as /30, then give the router's interface facing the firewall on the remote site as 192.168.3.2/30.

Now, assuming what I mentioned above, on the router forward the traffic for the 192.168.0.0/24 network to 192.168.3.1, which is the firewall's inside interface IP.
On the firewall you need to forward that traffic to the VPN.

Correct me if I am wrong.
Also, can you please be clear on the IP addressing scheme and network diagram?
Sorry, but it's still confusing.
Your second query sounds OK.

Now, if I just look at your last comment, then the router's FE port can have 3.3 and can be connected, firewall inside interface to the router's FE, back-to-back with a straight-through cable.

-Ak
0
 
knightrider2k2 Commented:
Please provide all IP addresses.
Cisco LAN
Cisco WAN
Firewall LAN
Firewall WAN

You can hide the public IP address partially with xxx or ***
0
 
Trihimbulus (Author) Commented:
Remote Office Firewall IP Addresses:
e0 - WAN Interface - Static Public IP Address - (TBD) Plugged in to Cable Modem
e1 - LAN Interface - 192.168.3.1/24 - Plugged in to LAN Switch
e2 - VPN Interface - 192.168.3.2/24 - Plugged in to e1 on Cisco Router with Crossover Cable

Router IP Addresses:
e0 - 192.168.3.230/24- Default Gateway for Network - Plugged in to LAN switch
e1 - 192.168.3.3/24 - Plugged in to e2 of firewall to VPN

Routes in Cisco Router:
0.0.0.0 0.0.0.0 192.168.3.1 - To get out to the internet through e1 on firewall
192.168.0.0 255.255.255.0 192.168.3.2 - To get to the 192.168.0.0/24 network which is the MAIN office network through e2 on firewall

Routes in Firewall:
192.168.0.0 255.255.255.0 192.168.3.230

Diagram:

Main Office
*****************
LAN-------Switch-------Router-------Firewall-------INTERNET

LAN: 192.168.0.0/24
Router: e0 - 192.168.0.230, plugged into LAN switch; s1 and s2 are plugged into two T1's to other offices
Firewall: e0 - WAN IP; e1 - 192.168.0.1, plugged into LAN switch

Proposed Remote Office
*******************************
INTERNET-------Firewall-------Router-------Switch-------LAN

Firewall: e0 - WAN IP; e1 - 192.168.3.1/24, plugged into LAN switch; e2 - 192.168.3.2/24 (VPN int), plugged into e1 of router
Router: e0 - 192.168.3.230/24 (Def. Gtwy), plugged into LAN switch; e1 - 192.168.3.3/24 (VPN int), plugged into e2 of firewall
LAN: 192.168.3.0/24

Would this work?
0
 
Trihimbulus (Author) Commented:
Here is a visual layout of the proposed remote office. Please let me know if this will work. I will also lay out the MAIN office if need be.

http://s204.photobucket.com/albums/bb125/Trihimbulus/ 
0
 
Trihimbulus (Author) Commented:
I have now uploaded the Main Office Layout at the same link above
0
 
amoldkelkar Commented:
Hi,
I looked at your remote site network.
One interface IP on the firewall is 192.168.3.1/24 and the other interface of the same firewall is 192.168.3.2/24.

I feel the IP addressing is incorrect. Interfaces of the same firewall can't have IPs in the same subnet.
Correct me if wrong.
But has it already been assigned by anyone?

Let me know.

Thanks
-AK
0
 
knightrider2k2 Commented:
Why do you have a router at the remote site? It is not doing anything. Remove the router and make the firewall 192.168.3.1 the default gateway for the network.

Now on the VPN interfaces use a different subnet. For example:

At main office
VPN interface will have an IP address 192.168.5.1 255.255.255.252

At Remote office
VPN interface will have an IP address 192.168.5.2 255.255.255.252

Now, routes on the firewall in main office
192.168.3.0 255.255.255.0 192.168.5.2
0.0.0.0 0.0.0.0 <WAN IP>

Route on the firewall in the remote office
192.168.0.0 255.255.255.0 192.168.5.1
0.0.0.0 0.0.0.0 <WAN IP>



0
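An added example, not code from any poster in this thread: a small Python check for the two addressing rules discussed above (no two interfaces of one device in the same subnet, and every static route's next hop on a directly connected subnet), run against the first proposed remote-office plan and the plan from the accepted answer. The device labels, the "vpn" interface name and the /24 mask on the main firewall's 192.168.0.1 are assumptions.

```python
import ipaddress
from itertools import combinations

def check_device(name, interfaces, routes):
    """interfaces: {ifname: "addr/prefix"}; routes: [(dest, mask, next_hop)]."""
    problems = []
    ifs = {n: ipaddress.ip_interface(c) for n, c in interfaces.items()}
    # Rule 1: two routed interfaces on one device must not share a subnet.
    for (a, ia), (b, ib) in combinations(ifs.items(), 2):
        if ia.network.overlaps(ib.network):
            problems.append(f"{name}: {a} {ia} and {b} {ib} overlap")
    # Rule 2: a static route's next hop must be a neighbour on a connected
    # subnet, never one of the device's own addresses.
    for dest, mask, hop in routes:
        target = ipaddress.ip_network(f"{dest}/{mask}")
        hop_ip = ipaddress.ip_address(hop)
        if any(hop_ip == i.ip for i in ifs.values()):
            problems.append(f"{name}: route {target} uses own address {hop}")
        elif not any(hop_ip in i.network for i in ifs.values()):
            problems.append(f"{name}: next hop {hop} for {target} not connected")
    return problems

def audit(plan):
    """Run check_device over every device in a plan and collect the findings."""
    return [p for dev, (ifs, rts) in plan.items()
            for p in check_device(dev, ifs, rts)]

# Remote office as first proposed in the thread (addresses from the posts).
PROPOSED = {
    "remote-fw": ({"e1": "192.168.3.1/24", "e2": "192.168.3.2/24"},
                  [("192.168.0.0", "255.255.255.0", "192.168.3.230")]),
    "remote-rtr": ({"e0": "192.168.3.230/24", "e1": "192.168.3.3/24"},
                   [("0.0.0.0", "0.0.0.0", "192.168.3.1"),
                    ("192.168.0.0", "255.255.255.0", "192.168.3.2")]),
}
# Plan from the accepted answer: no remote router, /30 on the VPN interfaces.
# Assumptions: the interface names, and /24 on the main firewall's 192.168.0.1.
# Default routes are left out; the page gives the WAN address as a placeholder.
ACCEPTED = {
    "main-fw": ({"e1": "192.168.0.1/24", "vpn": "192.168.5.1/30"},
                [("192.168.3.0", "255.255.255.0", "192.168.5.2")]),
    "remote-fw": ({"e1": "192.168.3.1/24", "vpn": "192.168.5.2/30"},
                  [("192.168.0.0", "255.255.255.0", "192.168.5.1")]),
}

if __name__ == "__main__":
    for label, plan in (("proposed", PROPOSED), ("accepted", ACCEPTED)):
        for line in audit(plan) or ["no problems found"]:
            print(f"{label}: {line}")
```

The first plan is flagged once per device for overlapping interfaces; with a dedicated /30 between the VPN interfaces, traffic for the other site has exactly one next hop and the check finds nothing to report.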
 
amoldkelkar Commented:
Any update?
0
 
Trihimbulus (Author) Commented:
Knightrider2k2 for the win
0
