
Network re-addressing

shabib.syed
Level 1

We have outsourced VPN and firewall; now we want to bring the VPN and security in-house. I recently got this equipment and have designed my network as follows:

I have a Cisco 2610 with its serial interface connected to the internet. PIX 515: its outside interface is connected to the 2610 Ethernet port, PIX inside is connected to my internal network, and the third interface of the PIX is connected to a Catalyst 2924 which is the DMZ hub. I have 4 VLANs in the internal network and I use an RSM module for the inter-VLAN routing. We have one class C address pool. Now I will be using private addresses for my internal network and will do NAT on the PIX, since only 200 hosts out of a total of 400 hosts in the internal network will go out to the internet. So I will have 2 pools in the PIX for private addresses and one pool of class C for public addresses. I will be giving private IPs to the nodes in the DMZ, which will be a different subnet, and will use the conduit command on the PIX so that they get static addresses. Right now I have 3 VLANs, 2 of them private and one public, so I will be assigning new IP addresses in all the network.

My problem is that I need minimum downtime, and I would like to do this in parallel to my existing outsourced firewall. Once I succeed in testing this, I will re-IP my whole network. I need to know if this is how it should be; can someone help me plan this? I will also be implementing VPN, for which I have 100 clients. I have Cisco Policy Manager 2.2 and Cisco Secure ACS 2.4 for Windows NT, which I am using for authentication of my dial-up users connected through another link.

3 Replies

kbeltz
Level 1

Well, even though this is a fairly large project it looks like you’ve done a good job planning it out. I would say it should take about ½ day to 1 day if you have enough manpower. My question is how are you going to run in parallel with your existing firewall vendor since there can only be one gateway on a network? If you already have the firewall situation figured out, I’d go for it.

By parallel I mean that I will first install and configure the Cisco 2610 with the new T1, then configure my PIX, putting in the 3 internal networks and the DMZ, and test all this with some PCs. Once this is done, I will have minimal downtime: disconnect my existing default network and use the new default gateway, changing my DHCP scope. Can someone help me with project planning tips, like some examples or anything? I really need some tips here.

tmichels
Level 1

Although you didn't explain why you are readdressing your network, I think I understand. I went through a similar conversion where my entire network of 400+ subnets was in the public range and we wanted to convert all of the subnets to 10.x.x.x addressing. We accomplished this with virtually NO downtime. We simply designed the new 10.x.x.x addressing and gave each network a secondary address on e0. Then we gradually readdressed all static devices (servers, printers, etc.) to the new 10.x.x.x address range, and built new DHCP scopes for each subnet, adding the IP helpers. Once all static devices were switched we shut down the old DHCP scopes. When all the old leases expired we were able to remove the old public addresses and were then entirely on 10.x.x.x. We did this in about 1 month on 200 routers.

The firewall piece is easy. Just create a privately addressed DMZ. NAT every device that must be seen on the internet to one of your public addresses. Your clients can do a combination of NAT & PAT to get out to the internet; this will allow you to save IPs.

Your VPN requirements are too vague for me to respond to. The Cisco Secure ACS box is pretty easy to set up. I prefer TACACS to RADIUS, but since it's not a standard it's up to you. The quickest way (and cleanest) is to create groups in NT for your remote VPN users. Then create a corresponding group on your ACS box. Configure access appropriately for those groups and voilà, your users can log in using their NT domain user IDs. For security you might want to tie in RSA's SecurID tokens, although this isn't as user friendly and is best done on 2 different ACS boxes. Let me know if you need more info.

TJ
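A concrete version of the two pieces of this thread, the three-interface PIX layout with NAT pools and conduit statics from the original post and the secondary-address migration TJ describes, as an added example. This is not configuration from either poster; it is written in PIX OS 5.x/6.x and IOS syntax, and every value in it is an assumption: 203.0.113.0/24 stands in for the public class C, 10.1.0.0/16 for the internal VLANs (10.1.1.0/24 and 10.1.2.0/24 being the ones allowed out), 10.2.2.0/24 for the DMZ, 10.1.0.10 for the DHCP server, and 198.51.100.0/24 for the public prefix one VLAN uses today.

```text
! ---- PIX 515, assumed example config (not from the thread) ----
! Three interfaces: outside to the 2610, inside to the RSM-routed VLANs, dmz to the 2924
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.0.1 255.255.255.0
ip address dmz 10.2.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! The other internal VLANs sit behind the RSM (assumed at 10.1.0.2)
route inside 10.1.0.0 255.255.0.0 10.1.0.2 1

! Only the VLANs that may reach the internet get a nat statement. The ~200 hosts
! in the remaining VLANs have no translation and therefore cannot leave.
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (inside) 1 10.1.2.0 255.255.255.0 0 0
! Public pool for outbound NAT, plus a single PAT address used once the pool is exhausted
global (outside) 1 203.0.113.20-203.0.113.99 netmask 255.255.255.0
global (outside) 1 203.0.113.100 netmask 255.255.255.0

! DMZ hosts keep private addresses. Each one that must be reachable from the
! internet gets a one-to-one static and a conduit opening only the needed port.
static (dmz,outside) 203.0.113.10 10.2.2.10 netmask 255.255.255.255 0 0
conduit permit tcp host 203.0.113.10 eq www any
conduit permit tcp host 203.0.113.10 eq 443 any
static (dmz,outside) 203.0.113.11 10.2.2.11 netmask 255.255.255.255 0 0
conduit permit tcp host 203.0.113.11 eq smtp any

! DMZ hosts go out through the same pool (DNS lookups, patches)
nat (dmz) 1 10.2.2.0 255.255.255.0 0 0
! Inside hosts reach the DMZ under their own addresses (identity static, no pool used);
! dmz -> inside stays denied because dmz is the lower security level
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0

! ---- RSM (IOS) VLAN interface during the migration, assumed example ----
! Old public and new private addressing run side by side: the primary stays
! public until the last lease on the old scope expires, then the secondary is promoted.
interface Vlan10
 ip address 198.51.100.1 255.255.255.0
 ip address 10.1.1.1 255.255.255.0 secondary
 ip helper-address 10.1.0.10
```

Two things worth checking before cutting over. A conduit is not bound to an interface, so it opens the listed port on that global address from anywhere; keep each one host and port specific, and on PIX OS 5.0 and later prefer access-list plus access-group on the outside interface rather than mixing the two. During the dual-addressed period IOS relays DHCP with the primary (public) address as giaddr, so the new 10.x scope is only handed out once the old scope is deactivated and the two scopes are grouped (a superscope on the NT DHCP server) or the primary and secondary are swapped. show xlate and show conn on the PIX confirm that the pool, the PAT fallback and each static are being used as intended.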