Solved

Routing traffic through T-1 and Cable connection

Posted on 2011-03-13
Last Modified: 2012-08-14
We have an existing T-1 line which is fed through a Cisco 2600 router (loaner) and then into a Sonicwall 3050, which is set up as a remote end of a VPN site to site.  We are adding a business class cable line which we want most of the traffic to go through except what is needed for the VPN.  Unfortunately, some of the traffic is required to pass through the VPN for authentication purposes and then we want to port everything else through the much faster cable connection.  Might add that we don't have access to the router or Sonicwall; they are controlled by a different company.  Can we port everything through an ASA5505 or better and maybe create a static route to pass necessary traffic through the VPN?  Not sure what is the best way to accomplish this, think we may need dual connections and think the ASA has only one port out, Port0.  Maybe we need another router?
0
Question by:Webcc
12 Comments
 
LVL 11

Expert Comment

by:Patmac951
ID: 35125361
I am not sure I completely understand the scenario... but it sounds like you have a remote office that is accessing a VPN connection to another network where the T1 is installed?  Are you presently getting all of your internet access through the VPN only?   I am assuming if you do not have access to the Cisco Router or the Sonicwall that they must be installed at a remote site? Are you adding the business class cable line locally at your site?

Depending upon the configuration it would be easy to set up a separate gateway on your business class cable line... but that depends on the configuration.
0
 

Author Comment

by:Webcc
ID: 35128898
Sorry, right now all traffic is going through the VPN.  I am configuring the remote site, which connects to the main office to authenticate and uses some proprietary software applications.

Existing setup:
(T-1) -----------(2600 router DSU/CSU)----------(Sonicwall)-----------(LAN)192.168.44.0
(Connects via site-site VPN to main office)  *Router and Sonicwall are on-site, but we don't have access to configure them and would like to keep them separate if possible.

Adding business class cable:
(Cable)--------(Cable modem)----------------(????)--------------------(LAN)
Want to route most of the workstations through the cable connection for Internet traffic, but need to access the main office for applications and don't want to use the slow T-1 for Internet.  Was thinking of a static route or some other way of performing the routing.  The traffic is destined for 204.121.133.0.
Hope this clarifies a little.
0
 
LVL 13

Accepted Solution

by:
kdearing earned 250 total points
ID: 35131992
If you don't have access to either the 2600 or the SonicWall...

Then you'll need to put a router behind the SonicWall
The new router will need to have 3 interfaces

Configure as follows:
Set up new router normally for the Comcast internet connected to WAN1
Connect WAN2 to SonicWall with a static IP (probably 192.168.44.2)
Add a static route for the remote site and point it to the SonicWall (192.168.44.1)
The LAN connected to your internal network.

Note that this means your LAN subnet will have to change to something other than 192.168.44.0
0
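The routing decision the dual-WAN router in the accepted answer has to make, sketched as an added Python example that is not part of the thread: a longest-prefix match sends main-office traffic to the SonicWall and everything else out the cable line, and the overlap check shows why the LAN subnet has to change. The WAN1 addresses, the new LAN subnet and the /24 mask on 204.121.133.0 are assumptions; only 192.168.44.x and 204.121.133.0 come from the posts.

```python
import ipaddress as ip

# Interfaces of the hypothetical dual-WAN router. Only 192.168.44.x and
# 204.121.133.0 come from the thread; every other value is constructed.
INTERFACES = {
    "WAN1": ip.ip_interface("198.51.100.10/24"),  # cable side (constructed)
    "WAN2": ip.ip_interface("192.168.44.2/24"),   # faces the SonicWall
    "LAN":  ip.ip_interface("192.168.50.1/24"),   # renumbered LAN (constructed)
}
# (destination, next hop); the /24 on the remote network is an assumption.
STATIC_ROUTES = [
    ("0.0.0.0/0", "198.51.100.1"),         # default: Internet via cable
    ("204.121.133.0/24", "192.168.44.1"),  # main office via SonicWall and T-1
]

def check_overlap(interfaces):
    """Return pairs of interfaces whose subnets overlap (ambiguous routing)."""
    names = sorted(interfaces)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if interfaces[a].network.overlaps(interfaces[b].network)]

def build_table(interfaces, static_routes):
    """Connected routes plus static routes whose next hop is on-link."""
    table = [(iface.network, name, None) for name, iface in interfaces.items()]
    for dest, hop in static_routes:
        hop = ip.ip_address(hop)
        egress = [n for n, i in interfaces.items() if hop in i.network]
        if len(egress) != 1:
            raise ValueError(f"next hop {hop} is not on exactly one interface")
        table.append((ip.ip_network(dest), egress[0], hop))
    return table

def lookup(table, dst):
    """Longest-prefix match: return (egress interface, next hop or None)."""
    dst = ip.ip_address(dst)
    matches = [r for r in table if dst in r[0]]
    net, iface, hop = max(matches, key=lambda r: r[0].prefixlen)
    return iface, hop

TABLE = build_table(INTERFACES, STATIC_ROUTES)

if __name__ == "__main__":
    for dst in ("204.121.133.25", "93.184.216.34", "192.168.44.1"):
        print(dst, "->", lookup(TABLE, dst))
```

Leaving the LAN on 192.168.44.0/24 makes `check_overlap` report the LAN/WAN2 clash and `build_table` reject the SonicWall next hop, because 192.168.44.1 would then be reachable on two interfaces.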
 
LVL 11

Expert Comment

by:Patmac951
ID: 35135038
kdearing's post is accurate and adding another router behind the Sonicwall will work granted the router has two WAN interfaces. Can I ask a stupid question?  If you don't have access to the Cisco 2600 or the Sonicwall...who does?

If the Cisco and Sonicwall are in fact located onsite, is it possible to get access to the devices? If you could get access to them it would be very easy to install a second firewall like the Sonicwall for your business DSL cable connection and plug it into the Cisco 2600 WAN2 port and accomplish the same thing, assuming you have someone who can configure the WAN2 interface on the 2600 to your specs.

Another workaround that I have used in the past for small networks is to set up your new Cable router that you want to use for your outbound internet access and assign it a static IP address that is valid on your current network 192.168.44.* (any address that is not currently in use) and make sure it is accessible from your main network (backbone) switch. Then configure each workstation with a static IP address and use the new Cable router as the default gateway; you should also statically assign the DNS servers provided by your ISP on each workstation. Then you can assign a static route on each computer for the VPN to use the other Sonicwall gateway for your application needs, using the Windows "Route ADD" command.  However, this would require you to visit each and every workstation that uses the VPN to access the remote application.

0
 

Author Comment

by:Webcc
ID: 35139517
Kind of complicated - company is part of a consortium that has an IT company which manages the WAN, and the state of the consortium is crumbling.  Everyone is trying to hold on to their piece of the pie and this company has been unwilling to divulge logins/passwords to routers/firewalls and we don't have any leverage right now to force them.  So, I am trying to work around them.

Could I not enter a static in the cable router that would send all traffic destined for 204.121.133.0 to the Sonicwall and out the T-1 line?
0
 
LVL 13

Expert Comment

by:kdearing
ID: 35139817
The problem with just connecting it is that you will have 2 DHCP servers on the same network (bad idea)

If you do not want to get a dual-WAN router (about $300-500), then putting everything on static IPs (as Patmac951 suggests) would work.
0
 
LVL 11

Expert Comment

by:Patmac951
ID: 35140242
I am not sure what type of Cable router you are using; do you know the manufacturer and model number?  You can usually disable DHCP on most routers; this will ensure the router is not trying to assign an IP address to your client computers.  My previous suggestion would work but only if you assigned static IPs on all your workstations.  This suggestion was a workaround for a small network; how many computers are we talking about at this location?

The problem with entering a static route on the cable modem is because it will be acting as your gateway (edge of the network before the internet) you may run into problems trying to route traffic back to the internal network.  If you set up a static route on the cable modem to an outside WAN address the traffic will go out over the cable router.  However if you route the traffic at the workstation using a persistent static route the computer will know to send the VPN traffic to the Sonicwall gateway and not the cable router.
0
 

Author Comment

by:Webcc
ID: 35141826
About 40 workstations and they are already configured for static IP's.  Was looking for a suggestion on a dual WAN router.  The cable service is going in this week.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 35142419
If you disable the cable modem's DHCP and leave your computers as is, they will still use the SonicWall as the default gateway and never use the cable modem.
0
 
LVL 11

Assisted Solution

by:Patmac951
Patmac951 earned 250 total points
ID: 35143240
Below is a link to a Linksys/Cisco Dual Port WAN Router that I have used in the past.


http://www.amazon.com/Cisco-RV042-4-port-100-Router/dp/B0002I7288

Use Kdearing's first post as an example of how you should set up the dual WAN router behind the Sonicwall firewall.

Note that if you are already using static IP addresses on your client computers you should set up the dual port router as your default gateway on all of your workstations.  Then in the new dual WAN router configure a static route for all outbound traffic with a destination of 204.121.133.0 (or whatever the VPN gateway WAN address is)  and this will ensure all traffic for the VPN will be routed through the Sonicwall and T1 connection.

However this will still require you to visit each computer to change the static Gateway address to the new router.
0
 

Author Comment

by:Webcc
ID: 35153549
Can then add the static in the new dual WAN router instead of at the workstation level, correct?  What would be the syntax of the route command?  Thanks, think we are getting there.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 35153659
You can use the GUI
All traffic for the remote site subnet should route to the Sonicwall.
0
