General Network Help - TCP-IP


Thread: General Network Help

  1. General Network Help

    We are having an issue that I could use some help on.

    We need to connect two networks together, we'll call them network 1
    and network 2. I am an administrator on network 1 but not on network
    2. We've been provided an IP address for network 2 and a port on
    their main switch.


    Our network (network 1) has a totally different set of network
    addresses (3 class C subnets) from network2. We'll say Network1's
    subnets are
    192.168.64.X
    192.168.65.X
    192.168.66.X
    and
    Network2's subnet is
    192.2.10.X


    Network1 is configured in a star topology with a mix of Cisco 6509
    Catalysts and Cisco 3550s. We have a central 6509 with a supervisor
    module set up as a basic router. The router interface has the VLANs
    set up for each of our subnets.


    Now here is the issue:
    We need to connect Network1 to Network2 in order to get out to a
    bunch of web-based tools, websites etc. These networks are isolated
    and do not connect to the Internet in any way. Network2 is a network
    hanging off a larger logical network (not dissimilar to the Internet).
    This greater logical network we'll call InfoWAN. Network2 has an
    established presence on the InfoWAN but Network1 does not. Our
    specific issues are:
    How do we route specific web traffic out Network 2 to get out to
    InfoWAN?
    How do we ensure that the web traffic knows how to return to a
    specific machine on Network1?


    We have a Foundry BigIron 8000 at our disposal that may be used to
    connect the two networks.


    If anyone has any help for us I would greatly appreciate it. By the
    way, I'm a point-and-click administrator (Windows admin). They cut
    our network engineer job a while ago, so I'm pretty much up a creek.


    Thanks,
    Mat

  2. Re: General Network Help

    On Tue, 18 Dec 2007 03:23:05 -0800, NoVaBoiler wrote:

    > We are having an issue that I could use some help on.
    >
    > We need to connect two networks together, we'll call them network 1 and
    > network 2. I am an administrator on network 1 but not on network 2.
    > We've been provided an IP address for network 2 and a port on their main
    > switch.
    >
    >
    > Our network (network 1) has a totally different set of network addresses
    > (3 class C subnets) from network2. We'll say Network1's subnets are
    > 192.168.64.X
    > 192.168.65.X
    > 192.168.66.X
    > and
    > Network2's subnet is
    > 192.2.10.X
    >
    >
    > Network1 is configured in a star topology with a mix of Cisco 6509
    > Catalysts and Cisco 3550s. We have a central 6509 with a supervisor
    > module set up as a basic router. The router interface has the VLANs set up
    > for each of our subnets.
    >
    >
    > Now here is the issue:
    > We need to connect Network1 to Network2 in order to get out to a bunch
    > of web-based tools, websites etc. These networks are isolated and do
    > not connect to the Internet in any way. Network2 is a network hanging
    > off a larger logical network (not dissimilar to the Internet). This
    > greater logical network we'll call InfoWAN. Network2 has an
    > established presence on the InfoWAN but Network1 does not. Our specific
    > issues are:
    > How do we route specific web traffic out Network 2 to get out to
    > InfoWAN?
    > How do we ensure that the web traffic knows how to return to a specific
    > machine on Network1?
    >
    >
    > We have a Foundry BigIron 8000 at our disposal that may be used to
    > connect the two networks.


    Well first you need some physical connection. Putting aside that you
    probably want a real firewall between those networks, let's first
    concentrate on the simple stuff.

    Just hang the connection to InfoWAN off your 6509, giving it a separate
    VLAN. This obviously assumes you can get a presence for that VLAN on
    InfoWAN; if not, your task becomes pretty impossible, but see below.

    Or if you do want a firewall, you need a connecting segment between the
    6509 and the firewall (You could place the firewall on one of the
    existing VLANs, but don't do that if you haven't got good reasons). Just
    use 192.168.67.x or something like that.

    Now if you only need to connect from your LANs to Network2, and not the
    other way around, use NAT. All internal IPs get NATted to the one IP you
    have on InfoWAN.

    Note that NAT breaks a lot of protocols (starting with FTP, although
    passive FTP is fine in this setup), so you have to account for this if
    applicable. In that case you need a NATting router with more intelligence
    (Cisco calls it fixups, Linux helpers, dunno about others). So either
    make sure your 6509 has an IOS that can handle this (I'm not sure there
    is an IOS for the 6509 that can handle this), or maybe the BigIron has
    this capability (I doubt it, iirc, it's made to route packets fast, not
    intelligent), or get the firewall after all. Most (all?) firewalls will
    have the capability to fixup protocols when natting.

    If you need to allow connections from network2 into your networks, there
    are a couple of ways.

    1) Do basically the same as described above, but also NAT some stuff in
    the other direction. So get more than one address on InfoWAN, NAT an
    InfoWAN address to server1, another InfoWAN address to server2, etc.

    2) Get a lot of addresses on InfoWAN and NAT your networks 1:1, so every
    internal address is mapped to an InfoWAN address. The NAT-unfriendly-
    protocol warning above still applies!

    3) Set up some kind of tunnel between network2 and your 6509. IPIP, GRE
    and IPSec with null encryption are viable candidates. With this setup,
    there is no NAT involved, so this may actually be the easiest setup if
    you need more than basic connectivity from your networks to network2.

    If you cannot get onto InfoWAN at all, then you're obviously screwed. In
    that case, forget about InfoWAN and try to set up an IPSec tunnel to
    network2 over the Internet.

    HTH,
    M4
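The reply above answers Mat's second question ("how does the web traffic know how to return to a specific machine on Network1?") with NAT, and then extends it with per-server static mappings for inbound connections. The following toy model, added here as an illustration and not code from either poster or from any Cisco or Foundry product, shows what the router's NAT state actually looks like: outbound connections from the three 192.168.64-66.0/24 subnets are rewritten to one shared InfoWAN address with a fresh source port each (overloaded NAT, what Cisco calls PAT), the state table steers replies back to the originating host, an unsolicited packet to the shared address with no matching state is dropped, and a static 1:1 entry lets InfoWAN reach one chosen internal server (options 1 and 2 in the reply). The InfoWAN address 10.0.0.5, the second address 10.0.0.6 and the Network2 host 192.2.10.20 are constructed placeholders, not values from the thread.

```python
"""Toy model of overloaded NAT (PAT) plus static 1:1 NAT for Mat's two-network
problem.  Constructed example; the InfoWAN addresses and Network2 host below are
placeholders, not values from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Network1's three class C subnets from the thread: anything sourced from these
# is "inside"; traffic between them is plain inter-VLAN routing on the 6509.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("192.168.64.0/24", "192.168.65.0/24", "192.168.66.0/24")]


@dataclass(frozen=True)
class Packet:
    """Just the 4-tuple a NAT device cares about (TCP/UDP assumed)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Models the NAT function the reply suggests placing on the 6509 or firewall."""

    def __init__(self, outside_ip: str, first_port: int = 40000) -> None:
        self.outside_ip = outside_ip          # the one address Mat has on InfoWAN
        self.next_port = first_port           # next free translated source port
        # (inside ip, inside port, dst ip, dst port) -> translated source port
        self.pat_table: Dict[Tuple[str, int, str, int], int] = {}
        # translated source port -> the full original 4-tuple, for the return path
        self.pat_reverse: Dict[int, Tuple[str, int, str, int]] = {}
        self.static: Dict[str, str] = {}      # InfoWAN address -> inside address (1:1)
        self.static_reverse: Dict[str, str] = {}

    @staticmethod
    def is_inside(ip: str) -> bool:
        return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

    def add_static(self, outside_ip: str, inside_ip: str) -> None:
        """Option 1/2 in the reply: dedicate an extra InfoWAN address to one server."""
        self.static[outside_ip] = inside_ip
        self.static_reverse[inside_ip] = outside_ip

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Packet leaving Network1.  Returns the packet as seen on the InfoWAN side."""
        if not self.is_inside(pkt.src_ip):
            raise ValueError("outbound packet must come from a Network1 subnet")
        if self.is_inside(pkt.dst_ip):
            return pkt                        # inter-VLAN traffic: routed, never NATted
        if pkt.src_ip in self.static_reverse:  # server with its own 1:1 address
            return Packet(self.static_reverse[pkt.src_ip], pkt.src_port,
                          pkt.dst_ip, pkt.dst_port)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.pat_table.get(key)
        if port is None:                      # new flow: allocate a translated port
            port = self.next_port
            self.next_port += 1
            self.pat_table[key] = port
            self.pat_reverse[port] = key
        return Packet(self.outside_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving from InfoWAN.  Returns the packet as delivered inside,
        or None when the router has no reason to let it in."""
        if pkt.dst_ip in self.static:         # 1:1 mapping: new inbound connections allowed
            return Packet(pkt.src_ip, pkt.src_port, self.static[pkt.dst_ip], pkt.dst_port)
        if pkt.dst_ip == self.outside_ip:
            flow = self.pat_reverse.get(pkt.dst_port)
            # Only accept a reply from the peer this port was allocated for; this
            # is what keeps the shared address from being an open door inward.
            if flow and flow[2] == pkt.src_ip and flow[3] == pkt.src_port:
                return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1])
        return None                           # no state and no static entry: dropped


if __name__ == "__main__":
    r = NatRouter("10.0.0.5")                 # constructed InfoWAN address
    out = r.translate_outbound(Packet("192.168.64.10", 51000, "192.2.10.20", 80))
    print("on InfoWAN:", out)
    print("reply delivered to:",
          r.translate_inbound(Packet("192.2.10.20", 80, "10.0.0.5", out.src_port)))
    print("unsolicited inbound:",
          r.translate_inbound(Packet("192.2.10.99", 1234, "10.0.0.5", out.src_port)))
```

Two hosts on different Network1 subnets opening connections to the same web server get different translated ports, which is the whole trick: the port, not the address, identifies the internal machine on the way back. The model also shows why the reply's FTP caveat exists: nothing here rewrites addresses carried inside the payload, so a protocol that announces its own IP and port (active FTP) would advertise an unreachable 192.168.x address unless the device has a protocol-aware fixup.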

