Need advice: Work asking to be on personal network... best way to set up?

I work for a small family business (25 emp). I've been working from home a lot more recently and they would like to set up a site-to-site IPsec VPN connection using some standard Cisco hardware.

They want to set everything up on my LAN (192.168.1.X) and also need a DDNS account in order to log in remotely if necessary (I'm using a non-business ISP account, so no static IP).

Is it possible for me to set up a VLAN to segregate their corp network, and have a DDNS address point to only that specific VLAN? I just want to make sure they can only log in remotely and see only their stuff.
 
Yes, yes and yes, but I'd use a pair of Zyxel Zywall 110s for this. No need to pay crazy Cisco rates for an SMB case like this. Hell, buy a third one as a backup and you'll still be farther ahead than going Cisco.

Just make sure to export the config for both devices when you are done and keep the config backups handy and near.

Also, if they already have a Cisco ASA, the Zywall 110 will interface with that too with no issues.
 
The DDNS won't have any effect on where the traffic gets routed, that is only required for the VPN connection. You'll need to create a new subnet and only allow the VPN traffic to that VLAN, then put the rest of your home machines on a separate subnet.
 
The DDNS won't have any effect on where the traffic gets routed, that is only required for the VPN connection. You'll need to create a new subnet and only allow the VPN traffic to that VLAN, then put the rest of your home machines on a separate subnet.

Do I need to do a new subnet or create a VLAN - won't they accomplish the same thing? Sorry for the dumb question.
 
Why the hell would your employer log into your home LAN? If you work from home, ideally you'd be working on data on a server at the company, not bring all data home that the company then needs to access remotely.

This whole setup sounds like someone doesn't know what they're doing.
 
Why the hell would your employer log into your home LAN? If you work from home, ideally you'd be working on data on a server at the company, not bring all data home that the company then needs to access remotely.

This whole setup sounds like someone doesn't know what they're doing.

It's a small family business that's located in another county, where the fast internet connection is still really slow/unreliable. The dial-up connection keeps dropping and some servers will move to this location to allow a faster connection for other employees. Hope that makes sense, lol.
 
If you know what you're doing, an EdgeRouter Lite running FreeBSD and a few OpenWRT boxes can fix this easily using OpenVPN.
//Danne
 
Sorry, thespeakerbox, people love to tell you how it SHOULD be done and/or what hardware you SHOULD use... pretty common around here really.

This can be achieved with Cisco hardware if that's what you want / have. You don't say what hardware you actually have so I'll run down the basics.

What you'll want to do at your location is create 2 subnets and two VLANs to go with those subnets. One subnet/VLAN will be your stuff, one will be their stuff. The router/firewall you use for the VPN can route between the two when needed. Then at the other far-end site you should have another subnet. Your subnets should not overlap.

You only need DDNS if both of your public IP addresses change; if either public IP is static then you don't need DDNS.

In that case you can build static-dynamic tunnels:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

If both are dynamic you could try following this guide with two Cisco routers:
https://supportforums.cisco.com/thread/343363

This WOULD require DDNS.

That forum thread is fairly old; it may be possible with two ASAs now, but I don't have two ASAs to play with to try it. At the time of that article the ASAs didn't do DNS-based ACLs either, but today I can use DNS names in access lists, so it may work.

You only need DNS for the public IPs because once the tunnel is up all traffic is routed through the public IP addresses. Your internal DNS server should handle all the private DNS/IP mappings.

As far as keeping the networks separate that's all up to your firewall and VPN rules.

If your network is 192.168.1.0/24 and their network is 192.168.2.0/24 and their far end network is 192.168.3.0/24 then you can use ACLs to tell the Router/Firewall what traffic to send over the VPN and you can use the Router/Firewall to limit that traffic even further with standard ACLs.
 
Thanks for all the help so far. I guess I should have mentioned it before, but here is the hardware they want me to set up in my home rack:

1 - Cisco 1841
1 - D-Link DIR-601

The Cisco behind my current router and the D-Link hooked up to the Cisco in order to provide a company AP for wifi.

From all of the replies, here's what I understand to be the best solution to segregating their network from mine.

Set up 2 VLANs (example using the 192.x schema):
- 1 personal: 192.168.1.X
- 1 work related: 192.168.5.X

I'm concerned about their need to access my network via DDNS. As the poster above says, it's not necessary? Is that true? They have 3 static IPs on their network, but I'm not sure if any are (or have to be) specifically used for this site-to-site. Do I really need to set up DDNS for them? Of course, they won't give me any kind of admin access on the Cisco or D-Link hardware. I just want to make sure that if someone else in IT gets that DDNS password, they don't go snooping around.
(Yes it sounds paranoid, but I have tons of wife/baby/kid photos and I think some of the IT staff are creeps.)

Another concern is: talking between the two VLANs - is it necessary to set up? I run a VM whose NIC will run into the Cisco 1841. I don't really need to be able to see any of my network from inside that VM. It's solely a work-use VM. I also don't want them to be able to see anything in my network.

So in all, their Cisco appliance will be plugged into my router and then a NIC from my VM will go into that along with the D-Link AP.

Does this sound like it will work?
 
So I'm not sure you understand what DDNS is or does...

DDNS is Dynamic DNS. All DDNS does is update a DNS record on the internet with your current IP address. If someone were to "hack" your DDNS password, the only thing they could do is tear down the VPN connection by making you attempt a connection to the wrong IP. That would only work if they also knew your VPN shared secret keys...

However, because they have a static IP address you don't need DDNS at all. Their IP address is static so all you need to do is configure your Cisco 1841 to initiate a VPN connection to their static IP address.

Their router at their side will be configured to accept a VPN connection from a dynamic IP address. Your router will initiate the connection attempt. Just Google "Static to Dynamic VPN tunnel". It is secured by a shared secret key (or certificates), so even if someone else tries to initiate the VPN they won't be able to unless the shared secret is compromised.

On your D-Link, assuming it can, you'll need to set up port forwarding and protocol forwarding for the VPN traffic. Generally that's IKE's UDP port 500 and IPsec ESP (IP protocol 50); sometimes UDP 4500 is needed too for NAT-T.

If your goal is to keep your network and the VPN network completely separate and you don't have access to the Cisco, then on your D-Link you'll want to set up an access list that only permits the Cisco's subnet to the outside.

There is no requirement for their subnet to talk to your subnet. It just needs to get to their public IP address.
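As an added illustration, not configuration from this thread or from any vendor, the following Python model puts the two replies above together: the three non-overlapping subnets from the earlier post (home 192.168.1.0/24, their VLAN 192.168.2.0/24, their far end 192.168.3.0/24), a crypto-ACL style decision on the work-side router, and the IKE/ESP forwarding plus the "only the Cisco to the outside" restriction on the home edge router. The far-end public IP 198.51.100.10 and the 1841's outside address 192.168.1.50 are constructed placeholders, and the `Flow` class and all function names are this example's own.

```python
# Added example: a small model of the split described in this thread, not
# configuration from the thread or from any vendor. Subnets follow the earlier
# reply (home 192.168.1.0/24, work VLAN 192.168.2.0/24, far end 192.168.3.0/24);
# the far-end public IP 198.51.100.10 and the 1841's outside address
# 192.168.1.50 are constructed placeholders.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

HOME_LAN = ip_network("192.168.1.0/24")       # your stuff
WORK_VLAN = ip_network("192.168.2.0/24")      # their stuff at your site
FAR_END_LAN = ip_network("192.168.3.0/24")    # their office LAN
FAR_END_PUBLIC = ip_address("198.51.100.10")  # their static public IP (constructed)
CISCO_OUTSIDE = ip_address("192.168.1.50")    # 1841 outside interface on the home LAN (constructed)

UDP, ESP = 17, 50          # IP protocol numbers
IKE_PORTS = {500, 4500}    # IKE, plus UDP-encapsulated IKE/ESP for NAT-T


def subnets_disjoint(*nets) -> bool:
    """A site-to-site tunnel needs every subnet on both ends to be distinct."""
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                return False
    return True


def _work_side(ip) -> bool:
    return ip in WORK_VLAN or ip in FAR_END_LAN


def tunnel_decision(src: str, dst: str) -> str:
    """What the work-side router does with a packet:
    'encrypt' - work VLAN <-> far-end LAN matches the crypto ACL and enters IPsec
    'deny'    - anything crossing between the home LAN and their networks is dropped
    'clear'   - everything else is routed normally (the edge filter below limits it further)
    """
    s, d = ip_address(src), ip_address(dst)
    if (s in WORK_VLAN and d in FAR_END_LAN) or (s in FAR_END_LAN and d in WORK_VLAN):
        return "encrypt"
    if (s in HOME_LAN) != (d in HOME_LAN) and (_work_side(s) or _work_side(d)):
        return "deny"
    return "clear"


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None


def edge_permits(flow: Flow) -> bool:
    """Home edge router rules:
    - inbound from their public IP to the 1841: only IKE (UDP 500/4500) and ESP,
      i.e. the port/protocol forward described in the reply
    - the 1841 itself may only talk to their public IP, and only with VPN protocols,
      so it can neither browse out nor reach home hosts
    - nothing else on the home LAN may reach the 1841's outside interface
    - all other home traffic keeps the router's normal behaviour
    """
    s, d = ip_address(flow.src), ip_address(flow.dst)
    is_vpn = flow.proto == ESP or (flow.proto == UDP and flow.dport in IKE_PORTS)
    if s == FAR_END_PUBLIC and d == CISCO_OUTSIDE:
        return is_vpn
    if s == CISCO_OUTSIDE:
        return d == FAR_END_PUBLIC and is_vpn
    if d == CISCO_OUTSIDE:
        return False
    return True


if __name__ == "__main__":
    print("subnets disjoint:", subnets_disjoint(HOME_LAN, WORK_VLAN, FAR_END_LAN))
    for src, dst in [("192.168.2.10", "192.168.3.20"), ("192.168.1.5", "192.168.2.10"),
                     ("192.168.3.20", "192.168.1.5"), ("192.168.2.10", "203.0.113.7")]:
        print(f"{src} -> {dst}: {tunnel_decision(src, dst)}")
    print("inbound IKE to 1841:", edge_permits(Flow(UDP, "198.51.100.10", "192.168.1.50", 500)))
    print("1841 -> home NAS:", edge_permits(Flow(6, "192.168.1.50", "192.168.1.20", 445)))
```

The point the model makes concrete is the one the reply states in words: DDNS plays no part in any of these decisions. What keeps the two networks apart is the crypto ACL (only work VLAN to far-end LAN is ever encrypted), the deny across the home boundary, and the edge filter that lets the 1841 speak only IKE and ESP to one fixed public address.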
 
If they need to remote into your location from outside of their office, then you would need DDNS to set up the remote access VPN. But again, DDNS isn't a security concern. The only thing that is likely to happen if the DDNS password is compromised is that DNS will point to the wrong IP address and VPNs will drop/fail. The attacker would also have to compromise your VPN passwords for anything to happen.

OR they can remote into their office and use the already built site-to-site VPN tunnel to get to your VPN network.
 
If you know what you're doing, an EdgeRouter Lite running FreeBSD and a few OpenWRT boxes can fix this easily using OpenVPN.
//Danne

EdgeRouter Lite with factory firmware will also do this... if you know what you are doing.

Firmware 1.4 was just released. The EdgeRouter is starting to become much more interesting...
 
Thanks for all the help so far. I guess I should have mentioned it before, but here is the hardware they want me to set up in my home rack:

1 - Cisco 1841
1 - D-Link DIR-601

The Cisco behind my current router and the D-Link hooked up to the Cisco in order to provide a company AP for wifi.

From all of the replies, here's what I understand to be the best solution to segregating their network from mine.

Set up 2 VLANs (example using the 192.x schema):
- 1 personal: 192.168.1.X
- 1 work related: 192.168.5.X

I'm concerned about their need to access my network via DDNS. As the poster above says, it's not necessary? Is that true? They have 3 static IPs on their network, but I'm not sure if any are (or have to be) specifically used for this site-to-site. Do I really need to set up DDNS for them? Of course, they won't give me any kind of admin access on the Cisco or D-Link hardware. I just want to make sure that if someone else in IT gets that DDNS password, they don't go snooping around.
(Yes it sounds paranoid, but I have tons of wife/baby/kid photos and I think some of the IT staff are creeps.)

Another concern is: talking between the two VLANs - is it necessary to set up? I run a VM whose NIC will run into the Cisco 1841. I don't really need to be able to see any of my network from inside that VM. It's solely a work-use VM. I also don't want them to be able to see anything in my network.

So in all, their Cisco appliance will be plugged into my router and then a NIC from my VM will go into that along with the D-Link AP.

Does this sound like it will work?

Enterprise hardware? Is this a mission critical deployment?

Do you have a business level SLA connection to your house?

Do you have redundant power setup?

Are they giving you this hardware?

Again... I'd endorse using a Zyxel router for this. If your throughput expectations are 20 Mbps you could use a USG20W, which is a VPN endpoint and AP. It runs BSD at its core and has a 5-year warranty. The setup support is fantastic and is free for the first 90 days.

Just plug the thing into a port on your router and map it to the DMZ.

The Zywall 110 doesn't have the wireless AP built in but is almost 60 times faster than the USG20W. It's also 8 times faster than the Cisco 1841. But you can buy two Zyxel Zywall 110s for the price of one 1841.
 