In article , Will Plaice wrote:
:I am looking to do something very simple.. and have only managed
:complicated solutions...
:I need to run a 6.x.x.x network for a customer, and I want to carry this
:across a 10.x.x.x network...
:Router attached to firewall, serial connection to two other routers.
:each router has an interface in the customer network
:Router attached to firewall runs nat between the 6.x.x.x and 10.x.x.x
:networks.
:requirements.
:1. Firewalls do not see 6.x.x.x
To check, the situation is like this:
 __________          __________
|cust R#1  |        |cust R#2  |
 ----------          ----------
  6.x.x.1             6.y.y.254
     |                   |
   serial              serial
     |                   |
  6.x.x.2             6.y.y.253
    --------------
    |your router |
    ---------------
       b.b.b.1
          |
       b.b.b.2
    _______________
    |your firewall|
    ---------------
       10.x.x.x

:2 each lan (behind the 6.x interface of each router) must be able to
:see each other
If the diagram above is correct, then:
- are the customer subnets the same? e.g., where I have shown 6.x.x and 6.y.y, is x the same as y?
- your router has two serial interfaces in 6.something (customer network)?
- is your router's ethernet interface to the firewall (above shown as b.b.b) also in 6.something? The same something as for both customers?
If 6.x.x is the same network as 6.y.y then you need to do some kind of bridging; if they are different networks then you have a routing situation.
:3. routing for the 10.x.x.x network should not be visible in the
:6.x.x.x network
So if the customer sends packets to 10.x.x.x, you want the packets to... be dropped? Go out the customer's internet connection that you didn't happen to mention in the above discussion? Be visible (not dropped) to both premises of the customer, thus allowing them to use the same 10.x.x.x network internally if they so wish? Be delivered through your firewall to your network, but your network will be set up never to reply to those packets [not even to reply to tcp handshakes] ??
:I have looked at doing this with ipsec, and with gre, gre does not give me
:routing separation, and the ipsec vpn solution looks too complicated....
I'm not at all sure that I understand correctly what has to be done. If the two customer premises are on different links into the same router and you want to bridge the two customer premises together without it affecting your other equipment, then just put the two serial interfaces into the same VLAN, make sure the two are bridged together, and don't assign an IP address to the VLAN so it won't route to anywhere else. ("ip unnumbered" might help in such a configuration.)
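As an added illustration (not part of the original post, and not Will Plaice's or the replier's configuration), the bridging arrangement described in the reply could look like the following on a Cisco IOS router: the two customer serial links are placed in one transparent bridge group that carries no IP address, while the ethernet toward the firewall stays a plain routed interface. Interface names, the subnet mask on b.b.b.1, and the use of the default serial encapsulation are assumptions.

```cisco
! Added example, not from the original post. Assumed Cisco IOS syntax;
! interface names and masks are placeholders.
bridge 1 protocol ieee
!
interface Serial0
 description Link to customer router #1 (6.x.x.x side)
 no ip address
 bridge-group 1
!
interface Serial1
 description Link to customer router #2 (6.y.y.y side)
 no ip address
 bridge-group 1
!
interface Ethernet0
 description Link to your firewall (b.b.b.2 / 10.x.x.x side); routed, not bridged
 ip address b.b.b.1 255.255.255.0
!
! Deliberately absent: "bridge irb" and any "interface BVI1". Without a
! routed interface in bridge group 1 the router has no layer-3 path between
! the customer's 6.x.x.x traffic and the 10.x.x.x network behind the firewall.
```

With this in place, "show bridge 1" should list MAC addresses learned on both serial interfaces and nothing from Ethernet0, which confirms the customer frames are only being switched between the two serial links. The trade-off is the one the reply implies: the two customer LANs become one broadcast domain over the serial links, so every broadcast at one site crosses the WAN to the other, and your router does no filtering of what the customer puts on it.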