Remote Office Connectivity

We have 2 offices. Head office and a satellite office.

Each site has a router and an internal PIX firewall.

The satellite office has a point to point link back to headquarters and will be used for all connectivity, as headquarters has a very large internet connection.

In addition to this the satellite office has 2 bonded ADSL lines for failover should the primary point to point link fail.

My question is how to connect the 2 sites. Should each end of the point to point link connect into the routers at each site?

This is not really routing as they could see each other at layer 2, so I am confused what the config should look like on each router. Do I simply configure the WAN side of the Satellite office in say one private subnet and the WAN side of HQ in the same subnet and run a VPN across this link and that is it?

The satellite office needs to be able to reach the NAT'd internal addresses at HQ.

Any pointers on method/config greatly appreciated.

Gary

Gary

As stated, you seem to be doing everything possible to make the solution more complex. If you treat the satellite office and the main office as separate subnets and route between them, then the VPN can be configured like a dial backup link. Bridging rather than routing between the two sites makes the solution much more difficult (or much less robust, take your choice). Ditto on using the external addresses of the servers at HQ rather than the internal addresses when accessing from the satellite.

One hint: terminate the VPN at the HQ end on a router inside the HQ PIX so satellite users will still be able to reach the Internet when running on the VPN. PIX don't like to send traffic out the same interface it came in on, although this limitation has been addressed in 7.0.

Good luck and have fun!

Vincent C Jones

Thanks for the hint. We do not have any routers behind the PIX's and do not have the money for that.

From what you are saying I should run routing across the point to point link router to router?

i.e. EIGRP?

What do you mean by using the external addresses at HQ. The point to point link does not care about these and cannot route across the public internet anyway as it is fixed link router to router?

My thoughts were to route somehow across the P2P and have a VPN across the public network using the ADSL's and somehow only activate the ADSL's on P2P link failure.

Gary

Gary Shine

yes

whatever floats your boat

The phrase "The satellite office needs to be able to reach the NAT'd internal addresses at HQ." The NAT'd internal addresses at HQ are the external addresses used by HQ. So how do users at the branch address the required services, by their internal IP or their public (external) IP? If the former, no problem.

Think about it, that is exactly how dial backup works. Just remember that if the first time you try to activate the ADSL link is two years from now when the PtoP link fails, the chances of the ADSL link working are whatever remains from the probability of the ADSL link failing at ANY time over the previous two years. Routine testing of backup facilities needs to be part of your SOP.

Good luck and have fun!

Vincent C Jones

Never used dial backup so I guess we are talking weighted route statements with the P2P being favoured over the ADSL Wan link?


You confused me here???

I am expecting Satellite users to be able to address services at HQ using the internal private address range behind the PIX's. Ultimately I see a VPN from the private address range of the Satellite office to the private address range of HQ behind the PIX's.

Currently HQ looks like this

Internet --- [2MB Leased Line] -----> HQ Router -------> HQ Pix

It will eventually look like this

Internet --- [2MB Leased Line] -----> HQ Router -------> HQ Pix

Satellite ------[EIGRP]-------------> HQ Router -------> HQ Pix

HQ Router has a public IP only on the outside interface towards the internet and public plus private secondary on the inside. We will add in a new G703 card for the 2MB P2P link and I assume we will allocate it a new private subnet different to anything at HQ but the same as the external interface at the satellite office, and we will run EIGRP over this link.

We will also create a VPN across the public internet using the ADSL at the Satellite office for failover or dial backup?

I think this and maybe a few route statements should do the job?

Gary

Gary Shine

Yes. Floating static routes in Cisco terminology.

You had asked what caused me to infer that satellite users would use the external public IP of the HQ servers.

This is scary. Any router outside the firewall should not be trusted with internal routing. Plus, in your diagram above, there is nothing inside the HQ PIX.

A few route statement should be enough to provide robust failover, but whether the "few route statements" you think the job is and those I think the job is are the same, and whether the design is sustainable in a hostile Internet, is not at all clear. As you have explained it, your design requirements far exceed that which I can provide without investing significant time and effort into understanding said requirements, which in turn prevents me from providing further free advice. Sorry.

Good luck and have fun!

Vincent C Jones
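A sketch of the floating static route arrangement Vincent refers to, written for the satellite router in Cisco IOS syntax. This is an added illustration, not config from anyone in the thread; every address, interface name and EIGRP AS number is an assumption, and the IPsec protection of the backup tunnel is only noted, not configured.

```cisco
! Satellite router (illustrative; addresses and interface names are assumptions)
! Gi0/0 = branch LAN, Se0/0 = 2 Mb point-to-point to HQ, Gi0/1 = ADSL side
interface GigabitEthernet0/0
 description Branch LAN
 ip address 192.168.20.1 255.255.255.0
!
interface Serial0/0
 description 2MB point-to-point to HQ (G.703 card at the HQ end)
 ip address 10.255.0.2 255.255.255.252
!
! Backup path: GRE tunnel riding the ADSL/Internet connection.
! Apply IPsec (tunnel protection or a crypto map) to it before use;
! an unprotected tunnel from the Internet into the private range is not acceptable.
! 203.0.113.1 is a placeholder for the HQ public address.
interface Tunnel0
 description Backup path over ADSL VPN
 ip address 10.255.1.2 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.1
!
! Primary path: EIGRP learns the HQ private subnets over the P2P link
! (administrative distance 90).
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 192.168.20.0 0.0.0.255
 passive-interface GigabitEthernet0/0
 passive-interface Tunnel0
!
! Default route for Internet access via HQ (AD 1) while the P2P link is up;
! it is withdrawn automatically when Serial0/0 goes down.
ip route 0.0.0.0 0.0.0.0 10.255.0.1
!
! Floating statics with AD 250: higher than EIGRP (90) and the static above,
! so they are installed only when the primary routes disappear.
! 192.168.10.0/24 stands in for the HQ private range behind the PIX.
ip route 192.168.10.0 255.255.255.0 10.255.1.1 250
ip route 0.0.0.0 0.0.0.0 10.255.1.1 250
```

The HQ end needs the mirror image (EIGRP on the P2P interface, a tunnel endpoint behind or through the PIX, and a floating static for 192.168.20.0/24 via the tunnel); shutting Serial0/0 in a maintenance window and confirming that traffic moves to Tunnel0 is the routine backup test Vincent recommends.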
