Router Configuration Assistance

I have a client I need to make a change to their router setup and trying to figure the best way around this.  

Basically, the company currently has two locations connected to each other by a standard T1 line.    The remote location also has a DSL router setup from AT and T.    The client wants to set it up so that internet traffic ONLY goes out the DSL router and all other traffic goes out the T1 to the other office.   The router has 2 ethernet ports.  The access layer switch is plugged into one of the ports and the other is currently open and can be configured.   The DSL router is plugged into the switch as part of the Clients attempt to do it himself.  

 I was leaning toward setting up the 2nd Ethernet port with a different subnet and hooking the DSL up to that port.   That segment would be a private network and the nat would most likely take place on DSL router, since it is a dynamic IP.   Then I was thinking access lists on the DSL ethernet permiting ports 80, 443 and 21 and denying all other traffic going out and ACLs on the T1 port denying port 80, 443 and 21 while permitting all other traffic applied both in and out.  I then have two default routes pointing to both the DSL Ethernet port and the Serial port.

Wanted to get opinions of this solution and if anyone has set up something similiar and what they did?  Or if anyone else has a different suggestion.
FrontlineTechAsked:
Who is Participating?
 
airwrckConnect With a Mentor Commented:
greetings FrontlineTech.  Here's one solution in detail

At the remote site, set all the workstations default gateway to the remote T1 router.  You can leave the Remote T1 router Ethernet and the DSL router on the same subnet.
In the T1 router at the remote, set up two routes:  one default route to the Internet, which points to the DSL router Ethernet port, and one route that points to the T1 interface at the "other" office.
In the Internet router at the Main office, configure a route that sends all the traffic back to the remote office to the Ethernet interface in the T1 router.
In the Main office, on the T1 router, configure a route that sends traffic bound for the remote office to the serial interface of the remote office.

On a Cisco router, it would look like this:
Given Remote subnet at 192.168.20.0/24 (/24 is shorthand notation for a subnet mask of 255.255.255.0)
Given Remote router Ethernet at 192.168.20.2
Given Remote DSL router at 192.168.20.1
Given Remote Serial at 192.168.10.2
Given Main T1 Serial at 192.168.10.1
Given Main subnet at 192.168.1.0/24
Given Main T1 Ethernet at 192.168.1.2
Substitute the IP addresses with your correct numbers

Remote T1 router config-add two static routes:
ip route 0.0.0.0 0.0.0.0 192.168.20.1  !sends all traffic by default to the DSL Remote router)
ip route 192.168.1.0 255.255.255.0 192.168.10.1  !sends all the Main office traffic over the T1)
(if the Main office has multiple subnets, then put in a static route to 192.168.10.1 for each of those subnets, too)

Main T1 router config-add one static route
ip route 192.168.20.0 255.255.255.0 192.168.10.2 !routes return Remote traffic to the Remote serial intfc

Main Internet router config-add one static route
ip route 192.168.20.0 255.255.255.0 192.168.1.2 !routes return Remote traffic to the Main T1 router

This is a configuration that most network engineers would understand if they saw it on 3 routers.

A policy route would be a valid idea too, but since you haven't tried basic static routes yet, I'd suggest you give this a try first.  Also, remember, that even with policy route in the Remote T1 router, you would still need to route the packets destined for the Remote office back from the Main office, because if you don't, the packets returning from the Internet will be dropped (null0).

The way to test your configuration is to do traceroutes both to the main office and the internet from a workstaion at the Remote that has it's default gateway reconfigured, and see which interfaces the traceroutes hit on the way out.  (tracert in a Windows cmd window)

Good luck!  If you need remote assistance, ping me offlist.
0
 
mikebernhardtCommented:
Basically I think you are on the right track. What I don't understand is, does each site have a single router doing both T1 and DSL, or 2 routers? What kind of router? Set up the default route to the internet and specific routes to the other office.

As far as DSL access lists, you should be very strict inbound from the DSL. But you probably don't need an access list on the T1 unless there's a reason you don't trust the other office.
0
 
FrontlineTechAuthor Commented:
The main office has a seperate T1 to the internet.   There is a point to point T1 connecting the main office to the remote office.  We do not want ANY internet traffic for the Remote office to go over the T1... instead we want the internet traffic to go out the DSL.  Meanwhile, the remote users will still access servers and file shares over the T1 back at the main office.

So the parameters are:

1) Remote site Internet can ONLY go out DSL
2) Any other remote site traffic goes ONLY through the T1.  

The DSL router is a Cayman ROuter/Modem combo provided by AT and T

The DSL router has a Built in Firewall and will take care of most of the security.

Looking a little further I am thinking of using Policy Route Maps with extended access lists.  So the Route map matches the address from the lan using Port 80 and directs it to the DSL router... Meanwhile, any traffic from the LAN that is NOT using Port 80 is sent out the T1.
0
Cloud Class® Course: Microsoft Windows 7 Basic

This introductory course to Windows 7 environment will teach you about working with the Windows operating system. You will learn about basic functions including start menu; the desktop; managing files, folders, and libraries.

 
mikebernhardtCommented:
You're making it too complicated, standard routing will do the trick for you. How does the inter-office T1 connect at the remote site?
0
 
airwrckCommented:
I forgot one route on the Main T1 router - my apologies
ip route 0.0.0.0 0.0.0.0 192.168.1.1 !where 192.168.1.1 is the Main Internet router Ethernet interface
0
 
FrontlineTechAuthor Commented:
I used aspects of this, but he put int he best effort.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.