09-10-2008 11:59 PM - edited 03-06-2019 01:18 AM
Hi,
We are a F&B company. We have 06 restaurants currently running and in the next 3 months another 15 will be added. Below are the technical details:
1. Each restaurant will have one PC running a application which will be connected to a server at HO through data circuits.
2. Each restaurant user will also have access to his e-mail and should be able to share files.
3. The data circuits are done through ADSL for each restaurant.
Issue:
1. The HO lan is running a 192.168.1.0/24 network with all the static natting done on a pix 501 firewall.
2. There is a DHCP/Domain/Dns/Exchange server running on the LAN which serves all the users.
3. How do I get users to come on the same LAN? The ISP doesnt recommend bridging and are asking me to assign separate networks for each restaurant.
4. If I do so means changing the configuration on the firewall and I m not well versed with pix. The company doesnt want to invest in new hardware.
5. Will I be able to work without issues if I use bridging and connect to my LAN from the restaurants?
Please give me your recommendations, attached is the config file of the firewall and network diagram.
09-11-2008 02:05 AM
Hello Sarfaraz,
bridging is not recommended because performance is impacted.
the changes on the pix should be limited in adding new ACL statements for the ACL applied on the outside interface
you can use
sh nameif
sh access-group
sh access-list
to see the ACL applied on the outside interface.
the command syntax is the same with the exclusion of the final counters at the end of the line.
look for the commands that contain the current user subnet
use
sh access-list acl-name | inc subnet
replicate this command for the the aggregate of new remote subnets
provide space for growth :
allocate 32 subnets each /28 for the restaurants
use 192.168.4.0/28, 192.168.4.16/28, 192.168.4.32/28, ...
for each remote subnet on the dhcp you need to define a separate pool
the aggregate will be 192.168.4.0/23
Hope to help
Giuseppe
09-11-2008 04:28 AM
Hi Giuseppe,
I had attached the configuration of the fw. Can you be a lil more specific. Currently we have only one subnet 192.168.1.0/24. I understood the part where I will define subnets for each remote site. But where do I define the aggregate? On the firewall? What will be the gateway of these remote subnets? Currently the firewall is the gateway for the 192.168.1.0/24 subnet. I have attached the config file for the firewall.
Regards
Sarfaraz
09-11-2008 11:53 AM
Hello Sarfaraz,
the DSL lines for the restaurants will be on the public internet or inside a VPN ?
in the first case, each remote router can have an IPSec tunnel to the PIX.
We use a solution with a GRE tunnel carried inside IPSec packets for remote branch offices and it works, but I don't know if the PIX can terminate the GRE tunnels.
For the second case you will need a third link on the PIX to be used as a DMZ or you can use the current subnet also for the the next hops of the remote site routers.
Hope to help
Giuseppe
09-11-2008 05:59 PM
Hi there,
I am under the assumption that the data cloud is a private MPLS cloud, probably looked after by your carrier..
Why do you need to the clients/users to be on the same LAN as the DHCP/DC/DNS/Exchange server?
It makes more sense to let the restaurants have their own LANs and connect back to the DC over the WAN.
DHCP requests can be forwarded to the DHCP server via the ip helper command on the cisco 877s.
Each restaurant's LAN can be any other network .. eg 192.168.100.0/24.
The 877 at the main site can advertise a default route to the data cloud so all your site know to come back to the main site for internet access. If you have a proxy, that would be even better, that way the main site's 877 only need advertise the 192.168.1.0/24 range.
Regards,
Brad
09-11-2008 06:02 PM
Mate, I also just looked at your pix config. is there any reason why you have so many dynamic host NATs?
eg at (inside) 1 192.168.1.2 255.255.255.255 0 0
.
.
.
nat (inside) 1 192.168.1.250 255.255.255.255 0 0
you could make it easier to read by using:
nat (inside) 1 192.168.1.0 255.255.255.0
Brad
09-13-2008 12:50 AM
Hi,
Thanks for your answer. The only reason why I want to have them on the same LAN is so that each restaurant can have email access through outlook. The dynamic host nat were defined for the managers, the other normal user pass through ISA (192.168.1.10).
I will go with your suggestion to have separate lan for each network but what about the NAT on the pix? Eg If I give each restaurant say 192.168.2.0,3.0 what will be their default gateway on the pix? I dont have much idea on the pix so need your expert comments.
Sarfaraz
06-26-2023 07:45 AM
Hello,
I'm under the supposition that the information cloud is a confidential MPLS cloud, most likely taken care of by your transporter..
For what reason do you have to the clients/clients to be on a similar LAN as the DHCP/DC/DNS/Trade server?
It appears to be legit to allow the eateries to have their own LANs and associate back to the DC over the WAN.
DHCP solicitations can be sent to the DHCP server through the ip partner order on the cisco 877s.
Every eatery's LAN can be some other organization .. eg 192.168.100.0/24.
The 877 at the principal website can publicize a default course to the information cloud so the entirety of your webpage know to return to the primary website for web access. Assuming you have an intermediary, that would be far superior, that way the principal site's 877 just need publicize the 192.168.1.0/24 territory.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide