RE: VPN and Routing Question

2008-09-20 Thread Benjamin Zachary - Lists
I don't do Ciscos personally, but on SonicWALLs and I think NetScreens
there's an option for VPNs to be able to traverse to other VPNs; it's just a
checkbox.

If that's not there, with 3 locations I don't think it would be too much to
deploy 3 VPN connections so the people can get wherever they needed, for the
sake of bandwidth/speed.

You could also look at adding, omg the name escapes me, it's the file sync
built into 2003+ and have a central sync location for all documents. This
would mean the corporate office would have a copy of all documents so the
users don't need to VPN elsewhere. This also could simplify backup
management at the same time.


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: VPN and Routing Question

2008-09-20 Thread Ralph Smith
As far as I can tell there is no simple setting on the Cisco routers to
do this. I actually have 9 remote offices, but only 3 that would be that
important to have connected.  So to connect the 3 plus the main office
wouldn't be too bad, it would take 6 VPNs.  If I had to fully mesh all
10, I was thinking it might get a little crazy.

 

I think you mean DFS Replication in Windows server?  I need to check it
out but I think I need Windows 2003 R2 for that, which would mean
upgrading a few of my servers, but that is a good thought.  Thanks for
the idea.

 

 

 

 



Confidentiality Notice: 

--



This communication, including any attachments, may contain confidential 
information and is intended only for the individual or entity to whom it is 
addressed. Any review, dissemination, or copying of this communication by 
anyone other than the intended recipient is strictly prohibited. If you are not 
the intended recipient, please contact the sender by reply email, delete and 
destroy all copies of the original message.


RE: VPN and Routing Question

2008-09-20 Thread Benjamin Zachary - Lists
Yes, DFS (it was early). You can do it with 2003 Server, but 2003 R2 offers
delta updates, not complete file copies, so you get better bandwidth usage
overall. If you have travelling people that come in and out of different
offices, there is nothing better than DFS meshed throughout, IMO.



VPN and Routing Question

2008-09-18 Thread Ralph Smith
I have several branch offices connected to our main offices with
site-to-site VPNs. Each location has a PIX 506E. This has worked great with
never any problems. Now, however, I am getting some employees who work
at more than one branch office, and they are requesting the ability to
access files at their other offices no matter which one they are in.

I could set up VPNs between the branch offices, but this could get
quickly out of hand. 

 

If I turn on RIP on all the PIXs, will that work to enable communication
between all the branch offices over the VPNs through the PIX at the main
office?

 

Ralph Smith
Gateway Community Industries
845-331-1261 x234

 

 



RE: VPN and Routing Question

2008-09-18 Thread Aaron T. Rohyans
RIP will not work across an IPSec VPN as it uses broadcast/multicast -
you'd have to set up unicast neighbor statements (but now that I think
about it, this may not be possible on the PIX). You'll have to use
static routes to point each branch to the Hub when trying to reach other
branches. You'll also need some special config on your Hub
router/firewall to allow VPN hairpinning (VPN traffic entering the
outside interface, looping, and exiting the same interface).

 

This also assumes your Hub site has enough bandwidth provisioned to
service all your branch sites accessing other remote sites through it.

 

What kind of device sits in front of the PIXs at each location?  What
kind of connection is it at each site?

 

Depending on your budget, number of branches, and your personal
investment - you could look at DMVPN as an option. Dynamic Multipoint
VPN essentially allows dynamic IPSec VPN tunnels to be built on the fly
between branches - eliminating the need for traffic to traverse the hub
(and thus consume bandwidth). Not to mention other benefits, such as
the ability to run routing protocols, reduce configuration on the
hub/spoke, and (b/c DMVPN relies on GREoIPSec) the ability to send
multicast/broadcast traffic across the tunnels.

Aaron Rohyans 
IT Coordinator, IDC-USA 
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]  
317.244.8307 (V) 
317.244.4600 (F) 
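
The following is an added example, not part of any message in this thread: a planning model of the hub-and-spoke design described above, showing the tunnel counts and which address pairs each tunnel has to carry so that only selected branches can reach each other through the hub. The subnets, the names `branch1` to `branch9` and the choice of interconnected branches are constructed assumptions; the thread gives no addressing, and this is not device configuration.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing: the thread gives no subnets. One hub, nine branches.
HUB = ip_network("10.0.0.0/24")
BRANCHES = {f"branch{i}": ip_network(f"10.{i}.0.0/24") for i in range(1, 10)}
# Assumption taken from the thread: only three branches need to reach each other.
INTERCONNECTED = {"branch1", "branch2", "branch3"}


def full_mesh_tunnels(sites: int) -> int:
    """Tunnels needed when every site peers directly with every other site."""
    return sites * (sites - 1) // 2


def spoke_selectors(spoke: str) -> list:
    """(local, remote) pairs the spoke's single tunnel to the hub must protect."""
    remotes = [HUB]
    if spoke in INTERCONNECTED:
        remotes += [BRANCHES[b] for b in sorted(INTERCONNECTED - {spoke})]
    return [(BRANCHES[spoke], remote) for remote in remotes]


def hub_selectors(spoke: str) -> list:
    """Mirror image on the hub side; both ends must agree pair for pair."""
    return [(remote, local) for local, remote in spoke_selectors(spoke)]


def site_of(ip: str):
    """Name of the site that owns an address, or None if it is unknown."""
    addr = ip_address(ip)
    if addr in HUB:
        return "hub"
    return next((name for name, net in BRANCHES.items() if addr in net), None)


def hub_forwards(src: str, dst: str) -> bool:
    """Would the hub hairpin a packet from one branch back out to another?"""
    s, d = site_of(src), site_of(dst)
    if s not in BRANCHES or d not in BRANCHES or s == d:
        return False
    src_a, dst_a = ip_address(src), ip_address(dst)
    # The packet must match the tunnel it arrives on and the tunnel it leaves on.
    inbound = any(src_a in r and dst_a in l for l, r in hub_selectors(s))
    outbound = any(src_a in l and dst_a in r for l, r in hub_selectors(d))
    return inbound and outbound
```

Branches left out of `INTERCONNECTED` keep a hub-only selector, so their traffic towards another branch matches no tunnel and is never looped back out by the hub.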




RE: VPN and Routing Question

2008-09-18 Thread Ralph Smith
Aaron,

 

Thanks for a very clear answer.  

 

There are no devices in front of the PIXs, and each site is a broadband
cable connection with only 384K up and 1.5Mb down, so bandwidth could be
an issue but I don't expect there to be a lot of traffic between sites.

 

We are a non-profit, mostly running housing and other services for
people with disabilities and rely mostly on state and federal funding,
so as you can imagine these days our budget is extremely small. I don't
believe we would be able to obtain any new equipment.

I'll have to educate myself on hairpinning and see if that is
something I want to do and can do on a PIX.

We do sometimes qualify for very steep discounts on Cisco equipment
(it's more like a donation with a 10% administrative fee), so it may be
possible for me to replace the PIXs in 2009.

 

Ralph Smith
Gateway Community Industries
845-331-1261 x234

 


