2 Connections 1 PC?

[JeffPell]

Currently my office has branch locations controlled by another company because we supply a service selling their products. Unfortunately this company does not allow any of our branch locations to use the internet or send email over their network. I have decided to explore other possible options on getting these PCs out to the internet for email and other aspects of our business.

All of the branch locations currently only have dedicated 56k frame relay to the parent company's network. I wanted to explore some inexspensive options to get my branch locations out to the internet and still have access to the parent company's network and intranet pages. My only thoughts are to order DSL/Broadband to these locations and setup a Linksys router ahead of the Cisco1100 and DSL/Broadband routers.

How does this work? Will I have to setup NAT tables on the Linksys router to identify and control the flow of the two connections?

Any help will be greatly appreciated.

Thanks,

Jeff

 

[Malk-a-mite]

I wanted to explore some inexspensive options to get my branch locations out to the internet and still have access to the parent company's network and intranet pages.

Have you ok'ed this plan with the parent company? Last job I had if we found people at remote offices have set up secondary internet connections and were still connected to the network we had a habit of throwing the hardware in the trash and having my boss yell at them for a while. It worked nicely for us.

Seriously, you are opening a backdoor in their network if you do this. Sit down with the parent company administrators and talk about setting this up right so you don't comprise the existing network.

 

[JeffPell]

Yes, they have already ok'd this but they wont supply any support on actually setting it up. The routers on their end are setup to only accept traffic from the PCs at our branch offices.

 

[MrGuvernment]

Seriously, you are opening a backdoor in their network if you do this. Sit down with the parent company administrators and talk about setting this up right so you don't comprise the existing network.

exactly - having PC's with 2 NICS - if something comes in via YOUR nic and infects their network - u can kiss your job good bye - especially if you do it with out their permission.

the best thing would be for them to allow only the needed PC's access on specific port to the specific IPs they need access to.

 

[JeffPell]

We are already running certain PCs in our main offices with 2 nics. 1 on their network and 1 on ours. We are able to access both networks and get out the internet fine on these PCs but we are unable to access their intranet pages. The Parent Company's Admin is fine with us looking for alternative means to the internet but they can't supply it for us. The problem with our branch offices is we don't want to spend the money for dedicated connections to the main office to access the T1.

 

[JeffPell]

The parent compay's admin has already given us a contact to help setup a possible solution but rather then paying someone $1000 to setup routing tables on a linksys router, I thought I would check here.

 

[MrGuvernment]

routing tables could work

But who's fualt will it be when their internal network is comprimised becuase someone who now has internet access gets a nice virus on their system

make suer you lock down those systems real tight!

some companies i have seen have 2 PC's @ people's desks - one is only internal and the other is external and the 2 network are completly seperate from one another.

 

[megabyte]

routing tables could work

But who's fualt will it be when their internal network is comprimised becuase someone who now has internet access gets a nice virus on their system

make suer you lock down those systems real tight!

some companies i have seen have 2 PC's @ people's desks - one is only internal and the other is external and the 2 network are completly seperate from one another.

This is probably the only surefire way to make sure that these PC's don't become the point of entry for anything malicuous.

 

[Darkstar850]

What is the current equipment running the frame relay link? This really shouldn't require 2 NICs. It could be done with a default route out the internet link, and a static route or some sort of routing protocol setup on the link to the home office.

 

[aderuwe]

Get a router with the type of interfaces you need, frame relay, ethernet, whatever. Then setup some routing rules on the router stating if the data comes from this set of IPs and has the destination subnet of xxx.xxx.xxx.xxx send it to this network. Its pretty simple actually.

And geeze guys, he comes in here asking for help, he doesn't need a lecture on what's right and wrong.

 

[Malk-a-mite]

And geeze guys, he comes in here asking for help, he doesn't need a lecture on what's right and wrong.

If someone is asking for information on something I feel is at the very basic not the best way to approach a problem you believe that I shouldn't say anything?

How is it lecturing to try to explain to someone that the approach they are taking might open them to problems down the line?

 

[Darkstar850]

If someone is asking for information on something I feel is at the very basic not the best way to approach a problem you believe that I shouldn't say anything?

How is it lecturing to try to explain to someone that the approach they are taking might open them to problems down the line?

I agree. We don't want to "help" someone right out of their job by assisting in doing something unauthorized. That would also be against the spirit of the rules of the forum. However, since we have established that he has gotten the OK to do this, we are ready to assist!

 

[JeffPell]

I didn't take any of the first comments as a lecture or mean. I actually appreciate that you guys are looking out for what's right and wrong. With that said, Would a Linksys 8 port Router/Switch work if it was setup before the Cisco1100 Frame Relay and the Broadband/DSL Routers?

 

[Darkstar850]

I can't find any info on a Cisco 1100 (besides aironet, which obviously isn't what we're dealing with here) anywhere. What interfaces are on this thing? Got a picture of it?

EDIT: Question 2: Does the home office use private or public IP space? If its private, are they NATing it for the frame relay connection? Don't tell us what the IP space actually is, of course, I just want to know so that if I give you an example it will be pertinent.

 

[JeffPell]

I'm sorry I got the number wrong on the frame relay router. It is actually a Cisco 1600. It has one 10 base t ethernet adapter, one 56k dsu/csu, and of course one console port. At the branch locations the PCs are pulling ips via dhcp from the parent company and getting 172.0.0.0 addresses. We currently have the frame relay connected to the dsu/csu port and linksys switches connected the the 10baset.

Thanks in advance for any help.

 

[Darkstar850]

Ok, first, are you sure its 172.0.0.0/8? Because the entire 172 range is not private. 172.16.0.0-172.31.255.255 is private. This is important because there may be some sites you want to access in the 172 range in the future.
This should be very simple in reality. I do this with my netgear wireless router to connect to my Cisco lab network. I have never done it with a WAN link, but it should work just the same.

Just for the sake of example, I am going to assume that your company is using 172.16.0.0/16 for their IP space, and that 172.16.255.254 is the ethernet interface on your frame relay router ya got there.

Now first of all, for this to work properly your office needs to have its own subnet. Otherwise, the Cisco router is not going to know which direction to route traffic. What are the masks on your PCs IPconfigs?
All you should have to do is put a static route on the Linksys for 172.16.0.0 255.255.0.0 next hop 172.16.255.254. This will send any traffic not for your local directly connected machines, but on the 172 network over to the home office. By default, the linksys will also default route all other traffic out its WAN interface.

Then on the cisco router you will probably need another static route for your specific subnet, say 172.16.255.0/8 with the next hop being your linksys.

This may not be very clear, if not I will try to clarify it later.

 

[JeffPell]

I'm certain the we are pulling private address via dhcp. We are being assigned 172.30.x.x adresses, 255.255.255.192 SMs, and 172.30.2.193 GW. Although the Cisco 1600s are shipped to us preconfiged according to the location. Each location is on its own subnet.

So if my PCs were assigned IPs 72.30.2.x and the Cisco 1100 was 172.30.2.1...

I could just add a static route for 172.30.0.0 255.255.255.192 172.30.2.1?
And maybe a second route for 0.0.0.0/24 (DSL Router IP)?

 

[Darkstar850]

That gateway IP, is it an interface on your local cisco router, or something back at home office?

 

[JeffPell]

I'm assuming it's an interface on the local router because whenever I run a tracert to a different branch the first hop is the gw ip of 172.30.2.193.

Branch A pc @ 172.30.2.227
Branch B pc @ 172.30.11.2

If I run a trace route from A to B this is what I get:

tracert 172.30.11.2
1 172.30.2.193
2 172.20.1.30
3 172.20.1.161
4 172.30.11.2

 

[JeffPell]

/bump

 

[Darkstar850]

Ok, Im back. Work is nuts (im at work again today) so I didn't get to reply earlier.

So in order for this to work, this is what we need.
1. Cisco frame relay router to route traffic for your subnet to your linksys router
2. Linksys router to route all home office stuff to the cisco router
3. Linksys router to route all other traffic out to the internet.

#1: The Cisco router should have your subnet configured as the address on the ethernet interface. I am guessing the ethernet interface is 172.30.2.193 (you will want to confirm this). Since it sees your user's subnet as directly connected, it should route this traffic out its ethernet interface to your network by default.

#2: In order to have the linksys router route traffic to the home office network, you need a static route. I would recommend using 172.16.0.0 255.240.0.0 Next hop 172.30.2.193 (again assuming this is the IP of the ethernet interface on the cisco router). This will route the entire 172 private range (172.16.0.0 - 172.31.255.255) back to home base, and keep you from having to add static routes for each network.

#3: The linksys router should default route anything it doesn't know specifically out of its WAN interface. This should work without any changes.

Therefore, you should only have to add 1 static route to your linksys in order to get this configured. Make sure to turn off DHCP on the linksys. It should support pass through DHCP, as other people have used home routers as switches when the need arose.

For physical setup, plug the ethernet port of the Cisco router into a lan port on the linksys router. Give the linksys an IP in your subnet, 172.30.2.194 may be simplest. Plug the WAN port on the linksys into the cable/dsl modem. Hook your switches into the other LAN ports on the linksys, and you should be rocking and rolling.