Webcc asked:

Routing traffic through T-1 and Cable connection

We have an existing T-1 line which is fed through a Cisco 2600 router (loaner) and then into a Sonicwall 3050, which is set up as a remote end of a site-to-site VPN.  We are adding a business class cable line which we want most of the traffic to go through except what is needed for the VPN.  Unfortunately, some of the traffic is required to pass through the VPN for authentication purposes, and then we want to port everything else through the much faster cable connection.  Might add that we don't have access to the router or Sonicwall; they are controlled by a different company.  Can we port everything through an ASA5505 or better and maybe create a static route to pass necessary traffic through the VPN?  Not sure what is the best way to accomplish this; think we may need dual connections and think the ASA has only one port out, Port0.  Maybe we need another router?
Patmac951

I am not sure I completely understand the scenario.....but it sounds like you have a remote office that is accessing a VPN connection to another network where the T1 is installed?  Are you presently getting all of your internet access through the VPN only?   I am assuming if you do not have access to the Cisco Router or the Sonicwall that they must be installed at a remote site? Are you adding the business class cable line locally at your site?

Depending upon the configuration it would be easy to set up a separate gateway on your business class cable line....but that depends on the configuration.
Webcc (ASKER)

Sorry, right now all traffic is going through the VPN.  I am configuring the remote site which connects to the main office to authenticate and uses some proprietary software applications.

Existing setup:
(T-1) -----------(2600 router DSU/CSU)----------(Sonicwall)-----------(LAN)192.168.44.0
(Connects via site-to-site VPN to main office)  *Router and Sonicwall are on-site, but we don't have access to configure them and would like to keep them separate if possible.

Adding business class cable:
(Cable)--------(Cable modem)----------------(????)--------------------(LAN)
Want to route most of the workstations through the cable connection for Internet traffic, but need to access main office for applications but don't want to use the slow T-1 for Internet.  Was thinking of a static route or some other way of performing the routing.  The traffic is destined for 204.121.133.0.
Hope this clarifies a little.
ASKER CERTIFIED SOLUTION
kdearing

This solution is only available to members.

kdearing's post is accurate and adding another router behind the Sonicwall will work granted the router has two WAN interfaces. Can I ask a stupid question?  If you don't have access to the Cisco 2600 or the Sonicwall...who does?

If the Cisco and Sonicwall are in fact located onsite, is it possible to get access to the devices? If you could get access to them it would be very easy to install a second firewall like the Sonicwall for your business DSL cable connection and plug it into the Cisco 2600 WAN2 port and accomplish the same thing, assuming you have someone who can configure the WAN2 interface on the 2600 to your specs.

Another workaround that I have used in the past for small networks is to set up your new cable router that you want to use for your outbound internet access and assign it a static IP address that is valid on your current network 192.168.44.* (any address that is not currently in use) and make sure it is accessible from your main network (backbone) switch. Then configure each workstation with a static IP address and use the new cable router as the default gateway; you should also statically assign the DNS servers provided by your ISP on each workstation. Then you can assign a static route on each computer for the VPN to use the other Sonicwall gateway for your application needs, using the Windows "Route ADD" command.  However, this would require you to visit each and every workstation that uses the VPN to access the remote application.

Webcc (ASKER)

Kind of complicated - company is part of a consortium that has an IT company which manages the WAN, the state of the consortium is crumbling.  Everyone is trying to hold on to their piece of the pie and this company has been unwilling to divulge logins/passwords to routers/firewalls and we don't have any leverage right now to force them.  So, I am trying to work around them.

Could I not enter a static in the cable router that would send all traffic destined for 204.121.133.0 to the Sonicwall and out the T-1 line?
The problem with just connecting it is that you will have 2 DHCP servers on the same network (bad idea)

If you do not want to get a dual-WAN router (about $300-500), then putting everything on static IPs (as Patmac951 suggests) would work.
I am not sure what type of cable router you are using; do you know the manufacturer and model number?  You can usually disable DHCP on most routers; this will ensure the router is not trying to assign an IP address to your client computers.  My previous suggestion would work but only if you assigned static IPs on all your workstations.  This suggestion was a workaround for a small network; how many computers are we talking about at this location?

The problem with entering a static route on the cable modem is because it will be acting as your gateway (edge of the network before the internet) you may run into problems trying to route traffic back to the internal network.  If you set up a static route on the cable modem to an outside WAN address the traffic will go out over the cable router.  However if you route the traffic at the workstation using a persistent static route the computer will know to send the VPN traffic to the Sonicwall gateway and not the cable router.
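
The per-workstation routing Patmac951 describes above, as an added example that is not part of the original thread: a PowerShell script, run elevated on each workstation, that checks the default gateway and adds the persistent route only if it is missing. Both gateway addresses and the /24 mask are placeholder assumptions, and `Get-NetRoute` requires Windows 8 / Server 2012 or later.

```powershell
# Added example: per-workstation split routing for the setup in this thread.
# From the thread: LAN 192.168.44.0, main-office network 204.121.133.0.
# Assumed placeholders (not from the thread): both gateway IPs and the /24 mask.
$VpnNet      = '204.121.133.0'
$VpnMask     = '255.255.255.0'      # assumption: the remote network is a /24
$VpnPrefix   = "$VpnNet/24"
$SonicwallGw = '192.168.44.1'       # placeholder: Sonicwall LAN address
$CableGw     = '192.168.44.254'     # placeholder: static address of the cable router

# 1. The default route must point at the cable router; otherwise Internet
#    traffic keeps leaving through the Sonicwall and the T-1.
$default = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
    Sort-Object RouteMetric | Select-Object -First 1
if ($default.NextHop -ne $CableGw) {
    Write-Warning "Default gateway is $($default.NextHop), expected $CableGw"
}

# 2. Add the main-office route only if it is not already present.
$existing = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix $VpnPrefix `
    -ErrorAction SilentlyContinue
if (-not $existing) {
    # -p makes the route persistent so it survives a reboot.
    route.exe -p add $VpnNet mask $VpnMask $SonicwallGw
}
elseif ($existing.NextHop -notcontains $SonicwallGw) {
    Write-Warning "Route for $VpnPrefix points at $($existing.NextHop -join ', ')"
}

# 3. Show both routes so the result can be checked on the spot.
Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.DestinationPrefix -in '0.0.0.0/0', $VpnPrefix } |
    Format-Table DestinationPrefix, NextHop, RouteMetric, InterfaceAlias
```

With this in place, Internet traffic from the workstation no longer passes through the Sonicwall, so the cable router is the only firewall on that path.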
Webcc (ASKER)

About 40 workstations and they are already configured for static IP's.  Was looking for a suggestion on a dual WAN router.  The cable service is going in this week.
If you disable the cable modem's DHCP and leave your computers as is, they will still use the SonicWall as the default gateway and never use the cable modem.
SOLUTION
This solution is only available to members.

Webcc (ASKER)

Can then add the static in the new dual WAN router instead of at the workstation level, correct?  What would be the syntax of the route command?  Thanks, think we are getting there.
You can use the GUI
All traffic for the remote site subnet should route to the Sonicwall.