New Site To connect : Ask for advice

tjgli
Level 1

Hello everyone

I have to set up a connection to a new branch of my company, which will be situated only 500 m away ;)

I'm very used to hooking up client networks to mine, but it's the first time I'll have to hook up a network from my own network.

Here's the situation: I have a PIX 515 at the center of my network.

The inside network is 167.221.x.x and the domain controllers lie there.

I have a "client/router zone" where all the routers lie, with all the lines towards my clients. It's 220.100.100.x

Now I would like DHCP, WINS and the domain to work on my "remote" site (15-20 PCs).

Is that possible? I have read about "bridging" but don't really know much about it.

I have been given two Cisco 1721 routers for the task. The line will be a 2 Mbps with serial X.21 (same setup as with most of my client connections).

I think the 1721 can do NAT if needed.

3 Replies

paddyxdoyle
Level 6

Hi

It would be possible to support the protocols you mention, but you may have to punch a massive hole in your firewall to support logins to your Windows domain.

Things might have changed in Windows 2003, but in 2000, when a client logs on to Windows, one of the services required for authentication uses portmapper (TCP 135).

(Forgive my lack of Windows terminology as it's been a while; however, I think the portmapper service is used by the directory service when logging on to the domain. This also applies to logging on to Exchange.)

The client talks to the DC on TCP 135, then the DC tells the client to talk back to it using ports x and y, which are random ports >1023. So then the client starts a new TCP session to the DC using ports x and y.

If you have a firewall in the middle, this means that you have to open a massive hole in your firewall to permit your client to talk to the DC using x and y, as the firewall only permits TCP 135 between client and server. (There are, of course, a load more protocols required for Windows authentication, but we're only concerned with TCP 135 at the moment!)

I believe you can work around this by editing the registry to force the DC to only use a fixed range of ports for the portmapper service; it's documented on the Microsoft site.

Perhaps the other option would be to create a VPN between the 1720 and the PIX. The PIX would only know about the IPsec protocols, so you wouldn't have to worry about permitting specific ports through the PIX.

If you went down this route, you would probably have to purchase a VPN accelerator for the 1720, as it may struggle to encrypt at 2 Mbps using software only.

HTH

PJD
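To make the "massive hole" concrete, here is an added example (not part of PJD's reply or the original thread) of what the PIX access list would have to look like if the branch stayed behind the firewall in the router zone. PIX 6.x syntax is assumed, as are the interface name "routerzone", a branch LAN of 192.168.20.0/24 behind the 1721, and a domain controller at 167.221.1.10; none of these appear in the thread. The second list assumes the DC's RPC range has been pinned with the Microsoft-documented registry values under HKLM\SOFTWARE\Microsoft\Rpc\Internet (Ports = 5000-5100 as REG_MULTI_SZ, PortsInternalOnly = Y, UseInternetPorts = Y, reboot required). Only the RPC part of domain logon is shown; Kerberos, LDAP, DNS and SMB would need their own lines.

```cisco
! Added example, not from the thread. PIX 6.x syntax assumed.
! Assumed: interface "routerzone" (lower security than inside),
! branch LAN 192.168.20.0/24, domain controller 167.221.1.10.
!
! Lower-security traffic into "inside" needs a static translation
! (identity NAT here) before an access list can permit it.
static (inside,routerzone) 167.221.1.10 167.221.1.10 netmask 255.255.255.255
!
! (a) Without the registry fix: TCP 135 plus every port the DC might
!     pick at random above 1023. This is the "massive hole".
access-list rz_wide permit tcp 192.168.20.0 255.255.255.0 host 167.221.1.10 eq 135
access-list rz_wide permit tcp 192.168.20.0 255.255.255.0 host 167.221.1.10 range 1024 65535
access-list rz_wide deny ip any any
!
! (b) With the DC's RPC range pinned to 5000-5100 in the registry,
!     the hole shrinks to 135 plus that range.
access-list rz_pinned permit tcp 192.168.20.0 255.255.255.0 host 167.221.1.10 eq 135
access-list rz_pinned permit tcp 192.168.20.0 255.255.255.0 host 167.221.1.10 range 5000 5100
access-list rz_pinned deny ip any any
!
! Bind one of the two lists (not both) to the router-zone interface.
access-group rz_pinned in interface routerzone
```

The registry change applies to every RPC server on that machine, not just the directory service, so the range has to be wide enough for all of them; a range that is too small shows up as intermittent logon and Exchange failures rather than a clean error.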

Thanks for your input, PJD.

I'm not forced to plug the router into my router zone.

As both networks are mine, I thought about plugging the router directly into my inside zone, on the same switch as my domain controllers.

I could, for example, use the 167.221.20.x range for my remote site?

My inside is 167.221.x.x

I could put a route to 167.221.20.x on my default gateway (the PIX) on my main network?

What do you think?

Yes, I think that's a good idea.

As long as you manage and secure the equipment at the remote site and they don't have external links, then this is certainly a better and easier solution to manage/implement.

HTH

PJD
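The design the thread settles on, written out as an added example (not configuration from either poster): the head-end 1721 hangs off the inside switch next to the domain controllers, the branch 1721 serves 167.221.20.0/24, and the PIX gets a static route for that subnet. Everything below beyond those facts is assumed: the inside network is subnetted into /24s (167.221.1.0/24 on the DC switch, otherwise 167.221.20.x would be on-link for inside hosts and the route would never be consulted), the PIX inside address is 167.221.1.1, the head-end router is 167.221.1.2, the DC/DHCP/WINS server is 167.221.1.10, the serial link uses 10.255.255.0/30, and the hostnames are invented. DHCP works across the link because `ip helper-address` relays the branch clients' broadcasts to the DC as unicast.

```cisco
! Added example, not from the thread. IOS 12.x (1700 series) and PIX 6.x assumed.
!
! ===== Head-end 1721 (assumed hostname HQ-1721), on the inside switch =====
hostname HQ-1721
service password-encryption
no ip http server
interface FastEthernet0
 ip address 167.221.1.2 255.255.255.0
 no shutdown
interface Serial0
 description 2 Mbps X.21 leased line to the branch (clocking from the line)
 ip address 10.255.255.1 255.255.255.252
 encapsulation ppp
 no shutdown
ip route 167.221.20.0 255.255.255.0 10.255.255.2
ip route 0.0.0.0 0.0.0.0 167.221.1.1
! Management only from the inside /24; the branch is inside the perimeter now.
access-list 10 permit 167.221.1.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login
!
! ===== Branch 1721 (assumed hostname BR-1721) =====
hostname BR-1721
service password-encryption
no ip http server
interface FastEthernet0
 ip address 167.221.20.1 255.255.255.0
 ip helper-address 167.221.1.10
 no shutdown
interface Serial0
 ip address 10.255.255.2 255.255.255.252
 encapsulation ppp
 no shutdown
ip route 0.0.0.0 0.0.0.0 10.255.255.1
access-list 10 permit 167.221.1.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login
!
! ===== PIX 515 (inside interface 167.221.1.1 assumed) =====
route inside 167.221.20.0 255.255.255.0 167.221.1.2 1
```

Two checks before calling it done. First, the DHCP server needs a scope for 167.221.20.0/24 that hands out 167.221.20.1 as the router and the DC as DNS and WINS server; the relay sets the giaddr field to 167.221.20.1, which is how the server picks that scope. `ip helper-address` forwards several UDP broadcast types by default (BOOTP 67/68, DNS 53, TFTP 69, NetBIOS name service 137 and datagram 138, among others); `no ip forward-protocol udp 137` and `no ip forward-protocol udp 138` keep NetBIOS chatter off the 2 Mbps line once WINS is in place. Second, the PIX route only helps traffic arriving on the PIX's other interfaces: a PIX running 6.x will not send a packet back out the interface it came in on, so inside hosts that use the PIX as default gateway cannot reach the branch through it. Add the route on the servers that must talk to the branch (on Windows, `route -p add 167.221.20.0 mask 255.255.255.0 167.221.1.2`) or make the head-end router the inside hosts' default gateway with its own default route to the PIX.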
