Router Configuration Assistance

I have a client I need to make a change to their router setup and trying to figure the best way around this.  

Basically, the company currently has two locations connected to each other by a standard T1 line.    The remote location also has a DSL router setup from AT and T.    The client wants to set it up so that internet traffic ONLY goes out the DSL router and all other traffic goes out the T1 to the other office.   The router has 2 ethernet ports.  The access layer switch is plugged into one of the ports and the other is currently open and can be configured.   The DSL router is plugged into the switch as part of the Clients attempt to do it himself.  

 I was leaning toward setting up the 2nd Ethernet port with a different subnet and hooking the DSL up to that port.   That segment would be a private network and the nat would most likely take place on DSL router, since it is a dynamic IP.   Then I was thinking access lists on the DSL ethernet permiting ports 80, 443 and 21 and denying all other traffic going out and ACLs on the T1 port denying port 80, 443 and 21 while permitting all other traffic applied both in and out.  I then have two default routes pointing to both the DSL Ethernet port and the Serial port.

Wanted to get opinions of this solution and if anyone has set up something similiar and what they did?  Or if anyone else has a different suggestion.
FrontlineTechAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

mikebernhardtCommented:
Basically I think you are on the right track. What I don't understand is, does each site have a single router doing both T1 and DSL, or 2 routers? What kind of router? Set up the default route to the internet and specific routes to the other office.

As far as DSL access lists, you should be very strict inbound from the DSL. But you probably don't need an access list on the T1 unless there's a reason you don't trust the other office.
0
FrontlineTechAuthor Commented:
The main office has a seperate T1 to the internet.   There is a point to point T1 connecting the main office to the remote office.  We do not want ANY internet traffic for the Remote office to go over the T1... instead we want the internet traffic to go out the DSL.  Meanwhile, the remote users will still access servers and file shares over the T1 back at the main office.

So the parameters are:

1) Remote site Internet can ONLY go out DSL
2) Any other remote site traffic goes ONLY through the T1.  

The DSL router is a Cayman ROuter/Modem combo provided by AT and T

The DSL router has a Built in Firewall and will take care of most of the security.

Looking a little further I am thinking of using Policy Route Maps with extended access lists.  So the Route map matches the address from the lan using Port 80 and directs it to the DSL router... Meanwhile, any traffic from the LAN that is NOT using Port 80 is sent out the T1.
0
mikebernhardtCommented:
You're making it too complicated, standard routing will do the trick for you. How does the inter-office T1 connect at the remote site?
0
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

airwrckCommented:
greetings FrontlineTech.  Here's one solution in detail

At the remote site, set all the workstations default gateway to the remote T1 router.  You can leave the Remote T1 router Ethernet and the DSL router on the same subnet.
In the T1 router at the remote, set up two routes:  one default route to the Internet, which points to the DSL router Ethernet port, and one route that points to the T1 interface at the "other" office.
In the Internet router at the Main office, configure a route that sends all the traffic back to the remote office to the Ethernet interface in the T1 router.
In the Main office, on the T1 router, configure a route that sends traffic bound for the remote office to the serial interface of the remote office.

On a Cisco router, it would look like this:
Given Remote subnet at 192.168.20.0/24 (/24 is shorthand notation for a subnet mask of 255.255.255.0)
Given Remote router Ethernet at 192.168.20.2
Given Remote DSL router at 192.168.20.1
Given Remote Serial at 192.168.10.2
Given Main T1 Serial at 192.168.10.1
Given Main subnet at 192.168.1.0/24
Given Main T1 Ethernet at 192.168.1.2
Substitute the IP addresses with your correct numbers

Remote T1 router config-add two static routes:
ip route 0.0.0.0 0.0.0.0 192.168.20.1  !sends all traffic by default to the DSL Remote router)
ip route 192.168.1.0 255.255.255.0 192.168.10.1  !sends all the Main office traffic over the T1)
(if the Main office has multiple subnets, then put in a static route to 192.168.10.1 for each of those subnets, too)

Main T1 router config-add one static route
ip route 192.168.20.0 255.255.255.0 192.168.10.2 !routes return Remote traffic to the Remote serial intfc

Main Internet router config-add one static route
ip route 192.168.20.0 255.255.255.0 192.168.1.2 !routes return Remote traffic to the Main T1 router

This is a configuration that most network engineers would understand if they saw it on 3 routers.

A policy route would be a valid idea too, but since you haven't tried basic static routes yet, I'd suggest you give this a try first.  Also, remember, that even with policy route in the Remote T1 router, you would still need to route the packets destined for the Remote office back from the Main office, because if you don't, the packets returning from the Internet will be dropped (null0).

The way to test your configuration is to do traceroutes both to the main office and the internet from a workstaion at the Remote that has it's default gateway reconfigured, and see which interfaces the traceroutes hit on the way out.  (tracert in a Windows cmd window)

Good luck!  If you need remote assistance, ping me offlist.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
airwrckCommented:
I forgot one route on the Main T1 router - my apologies
ip route 0.0.0.0 0.0.0.0 192.168.1.1 !where 192.168.1.1 is the Main Internet router Ethernet interface
0
FrontlineTechAuthor Commented:
I used aspects of this, but he put int he best effort.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Routers

From novice to tech pro — start learning today.