FrontlineTech

Router Configuration Assistance

I have a client whose router setup I need to change, and I am trying to figure out the best way to go about this.

Basically, the company currently has two locations connected to each other by a standard T1 line. The remote location also has a DSL router setup from AT and T. The client wants to set it up so that internet traffic ONLY goes out the DSL router and all other traffic goes out the T1 to the other office. The router has 2 Ethernet ports. The access layer switch is plugged into one of the ports and the other is currently open and can be configured. The DSL router is plugged into the switch as part of the client's attempt to do it himself.

I was leaning toward setting up the 2nd Ethernet port with a different subnet and hooking the DSL up to that port. That segment would be a private network and the NAT would most likely take place on the DSL router, since it is a dynamic IP. Then I was thinking access lists on the DSL Ethernet permitting ports 80, 443 and 21 and denying all other traffic going out, and ACLs on the T1 port denying ports 80, 443 and 21 while permitting all other traffic, applied both in and out. I then have two default routes pointing to both the DSL Ethernet port and the Serial port.

I wanted to get opinions on this solution, and to hear whether anyone has set up something similar and what they did, or whether anyone has a different suggestion.
mikebernhardt

Basically I think you are on the right track. What I don't understand is, does each site have a single router doing both T1 and DSL, or 2 routers? What kind of router? Set up the default route to the internet and specific routes to the other office.

As far as DSL access lists, you should be very strict inbound from the DSL. But you probably don't need an access list on the T1 unless there's a reason you don't trust the other office.
FrontlineTech

ASKER

The main office has a separate T1 to the internet. There is a point-to-point T1 connecting the main office to the remote office. We do not want ANY internet traffic for the remote office to go over the T1... instead we want the internet traffic to go out the DSL. Meanwhile, the remote users will still access servers and file shares over the T1 back at the main office.

So the parameters are:

1) Remote site Internet can ONLY go out DSL
2) Any other remote site traffic goes ONLY through the T1.  

The DSL router is a Cayman Router/Modem combo provided by AT and T.

The DSL router has a built-in firewall and will take care of most of the security.

Looking a little further I am thinking of using Policy Route Maps with extended access lists.  So the Route map matches the address from the lan using Port 80 and directs it to the DSL router... Meanwhile, any traffic from the LAN that is NOT using Port 80 is sent out the T1.
You're making it too complicated, standard routing will do the trick for you. How does the inter-office T1 connect at the remote site?
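The difference between the two approaches discussed in this thread, as an added example that is not from any of the posters: it models the remote router's forwarding decision with destination-based routing (specific route to the main office, default route to the DSL) and with the port-based split, then lists the flows where they disagree. All subnets, interface names and flows are constructed assumptions; only the idea that 192.168.1.x is on the main-office side comes from the thread.

```python
import ipaddress

# Hypothetical exit labels for the remote router (assumptions, not from the thread).
T1 = "Serial0 (T1 to main office)"
DSL = "Ethernet1 -> 192.168.3.1 (DSL router)"

# Constructed routing table: one specific route plus a default route.
REMOTE_ROUTES = [
    ("192.168.1.0/24", T1),   # main-office LAN (assumed prefix)
    ("0.0.0.0/0", DSL),       # everything else is Internet
]

def lookup(dst, routes=REMOTE_ROUTES):
    """Longest-prefix match, the way a destination-based routing table decides."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, exit_if in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, exit_if)
    return best[1] if best else None

def port_policy(dport, web_ports=(80, 443, 21)):
    """The port-based split from the question: listed ports to DSL, the rest to T1."""
    return DSL if dport in web_ports else T1

# Constructed sample flows: (description, destination IP, destination port).
FLOWS = [
    ("file share at main office", "192.168.1.20", 445),
    ("intranet web server at main office", "192.168.1.30", 80),
    ("public web site", "203.0.113.10", 443),
    ("public DNS resolver", "198.51.100.53", 53),
    ("outbound mail to the Internet", "203.0.113.25", 25),
]

def compare(flows=FLOWS):
    """Return (flow, routed exit, port-policy exit) where the two designs disagree."""
    return [(desc, lookup(ip), port_policy(port))
            for desc, ip, port in flows
            if lookup(ip) != port_policy(port)]

if __name__ == "__main__":
    for desc, routed, by_port in compare():
        print(f"{desc}: routing -> {routed}; port policy -> {by_port}")
```

With these sample flows, the port-based split sends Internet DNS and mail over the T1 and sends intranet web traffic to the DSL, which breaks both stated parameters; destination-based routing satisfies them with two routes.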
ASKER CERTIFIED SOLUTION
airwrck
I forgot one route on the Main T1 router - my apologies
ip route 0.0.0.0 0.0.0.0 192.168.1.1 !where 192.168.1.1 is the Main Internet router Ethernet interface
I used aspects of this, but he put in the best effort.