Confusion H.O. & Remote Stores (Restaurants)

sarfarazkazi
Level 1

Hi,

We are an F&B company. We have 6 restaurants currently running and in the next 3 months another 15 will be added. Below are the technical details:

1. Each restaurant will have one PC running an application which will be connected to a server at HO through data circuits.

2. Each restaurant user will also have access to his e-mail and should be able to share files.

3. The data circuits are done through ADSL for each restaurant.

Issue:

1. The HO LAN is running a 192.168.1.0/24 network, with all the static NATing done on a PIX 501 firewall.

2. There is a DHCP/Domain/DNS/Exchange server running on the LAN which serves all the users.

3. How do I get users to come on the same LAN? The ISP doesn't recommend bridging and is asking me to assign separate networks for each restaurant.

4. If I do so, it means changing the configuration on the firewall, and I'm not well versed with the PIX. The company doesn't want to invest in new hardware.

5. Will I be able to work without issues if I use bridging and connect to my LAN from the restaurants?

Please give me your recommendations; attached are the config file of the firewall and the network diagram.

7 Replies

Giuseppe Larosa
Hall of Fame

Hello Sarfaraz,

Bridging is not recommended because performance is impacted.

The changes on the PIX should be limited to adding new ACL statements to the ACL applied on the outside interface.

you can use

sh nameif

sh access-group

sh access-list

to see the ACL applied on the outside interface.

The command syntax is the same, with the exclusion of the final counters at the end of the line.

Look for the commands that contain the current user subnet.

use

sh access-list acl-name | inc subnet

Replicate this command for the aggregate of new remote subnets.

Provide space for growth:

Allocate 32 subnets, each a /28, for the restaurants.

Use 192.168.4.0/28, 192.168.4.16/28, 192.168.4.32/28, ...

For each remote subnet you need to define a separate pool on the DHCP server.

The aggregate will be 192.168.4.0/23.

Hope to help

Giuseppe

Hi Giuseppe,

I had attached the configuration of the FW. Can you be a little more specific? Currently we have only one subnet, 192.168.1.0/24. I understood the part where I will define subnets for each remote site. But where do I define the aggregate? On the firewall? What will be the gateway of these remote subnets? Currently the firewall is the gateway for the 192.168.1.0/24 subnet. I have attached the config file for the firewall.

Regards

Sarfaraz

Hello Sarfaraz,

Will the DSL lines for the restaurants be on the public internet or inside a VPN?

In the first case, each remote router can have an IPSec tunnel to the PIX.

We use a solution with a GRE tunnel carried inside IPSec packets for remote branch offices and it works, but I don't know if the PIX can terminate the GRE tunnels.

For the second case you will need a third link on the PIX to be used as a DMZ, or you can use the current subnet also for the next hops of the remote site routers.

Hope to help

Giuseppe

bmcginn
Level 3

Hi there,

I am under the assumption that the data cloud is a private MPLS cloud, probably looked after by your carrier.

Why do you need the clients/users to be on the same LAN as the DHCP/DC/DNS/Exchange server?

It makes more sense to let the restaurants have their own LANs and connect back to the DC over the WAN.

DHCP requests can be forwarded to the DHCP server via the ip helper command on the Cisco 877s.

Each restaurant's LAN can be any other network, e.g. 192.168.100.0/24.

The 877 at the main site can advertise a default route to the data cloud so all your sites know to come back to the main site for internet access. If you have a proxy, that would be even better; that way the main site's 877 only needs to advertise the 192.168.1.0/24 range.

Regards,

Brad
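The two recommendations above (Giuseppe's /23 aggregate carved into /28s with one DHCP pool per site, and Brad's model of a private data cloud terminating on an 877 at each site with DHCP relayed to the HO server) can be checked and turned into config with a short planner. The script below is an added example, not code from the original thread or from Cisco. The HO LAN, the 192.168.4.0/23 aggregate, the /28 site size and the ISA proxy address come from the thread; the DHCP server address, the HO 877's inside address and the 877 LAN interface name are assumptions and are marked as such. The PIX 6.x `route inside` line is what the HO firewall needs so that return traffic for the remote subnets goes to the HO 877 on the inside rather than out the default route; the `nat (inside) 1` line is only emitted if remote hosts are meant to reach the internet directly through the PIX instead of via the ISA proxy the normal users go through.

```python
"""Address plan and config generator for the HO + remote restaurant design in this thread.
Added example, not from the original posts. Values marked ASSUMED are not given in the thread."""
import ipaddress

HO_LAN = ipaddress.ip_network("192.168.1.0/24")      # from the thread
AGGREGATE = ipaddress.ip_network("192.168.4.0/23")   # Giuseppe's suggested aggregate
SITE_PREFIX = 28                                     # one /28 per restaurant, 32 of them in a /23
DHCP_SERVER = "192.168.1.5"      # ASSUMED: the DHCP/DC/DNS/Exchange server's address is not in the thread
HO_877_INSIDE = "192.168.1.254"  # ASSUMED: the HO 877 (data-cloud router) address on the inside LAN
ISA_PROXY = "192.168.1.10"       # from the thread


def site_subnets(aggregate=AGGREGATE, prefix=SITE_PREFIX):
    """Carve the aggregate into equal per-restaurant subnets."""
    return list(aggregate.subnets(new_prefix=prefix))


def check_plan(subnets, sites_needed, ho_lan=HO_LAN):
    """Return a list of problems; an empty list means the plan is usable."""
    problems = []
    if len(subnets) < sites_needed:
        problems.append(f"only {len(subnets)} subnets for {sites_needed} sites")
    for s in subnets:
        if s.overlaps(ho_lan):
            problems.append(f"{s} overlaps HO LAN {ho_lan}")
    for a, b in zip(subnets, subnets[1:]):
        if a.overlaps(b):
            problems.append(f"{a} overlaps {b}")
    return problems


def dhcp_pool(subnet):
    """DHCP scope for one site: the first host is the site 877 (gateway and relay), the rest is the lease range."""
    hosts = list(subnet.hosts())
    return {
        "network": str(subnet),
        "gateway": str(hosts[0]),
        "range": (str(hosts[1]), str(hosts[-1])),
        "relay": str(hosts[0]),   # the DHCP server sees relayed requests sourced from this address
    }


def site_router_lines(subnet, dhcp_server=DHCP_SERVER):
    """IOS lines for a restaurant 877: LAN address plus DHCP relay to HO (interface name Vlan1 ASSUMED)."""
    pool = dhcp_pool(subnet)
    return [
        "interface Vlan1",
        f" ip address {pool['gateway']} {subnet.netmask}",
        f" ip helper-address {dhcp_server}",
        "!",
    ]


def pix_lines(aggregate=AGGREGATE, ho_router=HO_877_INSIDE, direct_internet=False):
    """PIX 6.x lines at HO. The remote sites never use the PIX as their default gateway; they reach it
    via the HO 877 on the inside, so the PIX only needs a return route for the whole aggregate.
    direct_internet=True also lets remote hosts out through the PIX's existing NAT pool 1,
    bypassing the ISA proxy; leave it False if they should use the proxy like the normal users."""
    net, mask = str(aggregate.network_address), str(aggregate.netmask)
    lines = [f"route inside {net} {mask} {ho_router} 1"]
    if direct_internet:
        lines.append(f"nat (inside) 1 {net} {mask} 0 0")
    return lines


if __name__ == "__main__":
    subs = site_subnets()
    print("problems:", check_plan(subs, sites_needed=6 + 15))   # 6 sites now, 15 more coming
    for s in subs[:3]:
        print(dhcp_pool(s))
    print("\n".join(site_router_lines(subs[0])))
    print("\n".join(pix_lines()))
```

`check_plan` is the part worth keeping around: it catches an overlap with 192.168.1.0/24 (which would silently break routing between a site and HO) and confirms that 21 sites fit in the 32 /28s with room to grow. Whether to emit the `nat` line is a policy choice: leaving remote users behind the ISA proxy keeps them subject to the same egress control as the HO users.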

bmcginn
Level 3

Mate, I also just looked at your PIX config. Is there any reason why you have so many dynamic host NATs?

e.g.

nat (inside) 1 192.168.1.2 255.255.255.255 0 0
...
nat (inside) 1 192.168.1.250 255.255.255.255 0 0

You could make it easier to read by using:

nat (inside) 1 192.168.1.0 255.255.255.0

Brad

Hi,

Thanks for your answer. The only reason why I want to have them on the same LAN is so that each restaurant can have email access through Outlook. The dynamic host NATs were defined for the managers; the other normal users pass through ISA (192.168.1.10).

I will go with your suggestion to have a separate LAN for each network, but what about the NAT on the PIX? E.g. if I give each restaurant, say, 192.168.2.0, 3.0, what will be their default gateway on the PIX? I don't have much idea about the PIX, so I need your expert comments.

Sarfaraz
