
Connecting Offices with VPN


altonv
Jun 17, 2007, 04:45 AM
Company with 55 (max) different locations.
Each location has a static public IP address.
Each location has max 13 PCs in the internal network.

Locations need to be able to connect via VPN, thus have the same subnet:
I'm thinking (IP) Class B / (SN) 255.255.252.0 (/22)
Q1: Is this SNM a good choice?


For the internal network at each location:

For the 1st location:


Internet

Router
• Public IP (Static)
• Private IP 172.16.0.1 / SN 255.255.252.0

Firewall with 2 NIC (Linux)
• Router facing NIC – IP OPEN / SN 255.255.252.0 / Gateway 172.16.0.1 (or blank)
• LAN facing NIC – IP 172.16.0.10 / SN 255.255.252.0 / GW 172.16.0.1 (???)


Hub/Switch

Data Server (Linux) IP 172.16.2.1/ SN 255.255.252.0/ GW 172.16.0.10
File Server (Linux) IP 172.16.2.2/ SN 255.255.252.0/ GW 172.16.0.10

Switch / Switches
all PCs with XP
PC1
PC2
PC3
Etc
IP addresses 172.16.3.x / SN 255.255.252.0 / GW 172.16.0.10

Q2: Is this the right configuration? If not, what should I change?

For the 2nd location:
Q3: Should I use the 2nd SN?


Internet

Router
• Public IP (Static)
• Private IP 172.16.4.1 / SN 255.255.252.0

Firewall with 2 NIC (Linux)
• Router facing NIC – IP OPEN / SN 255.255.252.0/ GW 172.16.4.1
• LAN facing NIC – IP 172.16.4.10/ SN 255.255.252.0/ GW 172.16.4.1


Hub/Switch
Data Server (Linux) IP 172.16.5.1 / SN 255.255.252.0 / GW 172.16.4.10
File Server (Linux) IP 172.16.5.2 / SN 255.255.252.0 / GW 172.16.4.10

Switch / Switches
all PCs with XP
PC1
PC2
PC3
Etc
IP addresses 172.16.6.x / SN 255.255.252.0 / GW 172.16.4.10

Q4: What kind of other conflicts might I encounter?


Thank you for taking the time.

Alton

cajalat
Jun 17, 2007, 05:44 AM
I would not use that subnetting scheme at all since it will simply not work. You can't use the same subnet/mask on either end of a network device. Also, your setup uses back to back "NAT/Firewall" devices. All that will do is cause you a headache when you're trying to troubleshoot your network.

If this is a business then you should seriously consider a specialized device that is designed for VPN/Internet access. Instead of a router and a linux appliance you can save your money and spend it on a device that will do the VPN/Firewall/NAT for you. I'm familiar with Cisco's 800 series and ASA series products which run about $1000 per device but I'm sure others make similar products. These types of products are designed to transparently give you access to your local home HQ office via VPN while routing internet traffic for you locally (if you choose to do so).

Also a more reasonable subnet scheme would be to dedicate a super block network to the entire site and then break that block up as you see fit. For example, if you choose a 255.255.252.0 for the entire site then only dedicate 255.255.255.0 to the client network and a 255.255.255.192 or even less to your servers if you want them isolated and want to put firewall rules or ACLs between your servers and XP machines.

So what I would do is this:

Internet

VPN-Device (such as a Cisco ASA)
• Public IP (Static)/NAT/Firewall
• VLAN 10 - Private IP 172.16.0.1 / SN 255.255.255.0 (for Switches)
• VLAN 11 - Private IP 172.16.1.1 / SN 255.255.255.0 (for Servers)
• VLAN 12 - Private IP 172.16.2.1 / SN 255.255.255.0 (for Desktops)

Switch (802.1Q Capable switch)
• VLAN 10 - Switch
• VLAN 11 - Servers
• VLAN 12 - Desktops

You would also set up 802.1Q trunking between your VPN device and your switch and use VLAN 10 for your switch management network to keep it isolated from any PC problems and to restrict access to them. You'd use VLAN 11 for your servers to keep them isolated from your desktops, and finally you use VLAN 12 for your desktops. As traffic comes from your desktops and needs to go to your home office, the VPN device will route the traffic via the VPN tunnel. If traffic needs to go to the Internet then the VPN device will route the traffic to the Internet and apply whatever firewall/NAT rules you define.

That's generally how I would set this up, as it provides you with the most flexibility while at the same time streamlining management.
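The two rules in the reply above, that the interfaces of one Layer 3 device cannot sit in the same subnet and that sites joined by a routed VPN need non-overlapping prefixes, can be checked mechanically before anything is cabled. The script below is an added example written for this page, not code from either poster; it uses only Python's standard ipaddress module. The 172.16.0.2 address given to the original post's "OPEN" router-facing NIC is an assumed value so the check has a concrete interface to test, and the 55-site plan carved from 172.16.0.0/16 follows the VLAN 10/11/12 layout of the reply.

```python
"""Check an office addressing plan the way a router would see it (added example).

Two rules from the thread, checked with the standard-library ipaddress module:
  1. the interfaces of one Layer 3 device (router, firewall, VPN box) must sit
     in different subnets, otherwise it cannot pick an egress interface;
  2. across the VPN every site needs a unique prefix, otherwise HQ cannot decide
     which tunnel a destination address belongs to.
"""
import ipaddress
from ipaddress import IPv4Interface, IPv4Network
from typing import Dict, List, Tuple


def interface_conflicts(device: Dict[str, IPv4Interface]) -> List[Tuple[str, str]]:
    """Return pairs of interfaces on one device whose connected networks overlap."""
    names = list(device)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if device[a].network.overlaps(device[b].network)
    ]


def site_conflicts(sites: Dict[str, IPv4Network]) -> List[Tuple[str, str]]:
    """Return pairs of sites whose LAN prefixes overlap (unroutable over a VPN)."""
    names = list(sites)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if sites[a].overlaps(sites[b])
    ]


def site_plan(super_block: str, site_index: int) -> Dict[int, IPv4Interface]:
    """Give site number `site_index` its own /22 out of `super_block` and split it
    into the three /24 VLANs of the reply above (10 switches, 11 servers,
    12 desktops), with the gateway on .1 of each. Returns {vlan_id: gateway}."""
    block = ipaddress.ip_network(super_block)
    site_net = list(block.subnets(new_prefix=22))[site_index]
    vlan24s = list(site_net.subnets(new_prefix=24))
    return {
        vlan: ipaddress.ip_interface(f"{vlan24s[i].network_address + 1}/24")
        for i, vlan in enumerate((10, 11, 12))
    }


# Constructed sample: the original post's first-location firewall. The router-
# facing NIC was left "OPEN" in the post; 172.16.0.2 is an assumed value.
ORIGINAL_FIREWALL = {
    "router_facing": ipaddress.ip_interface("172.16.0.2/22"),
    "lan_facing": ipaddress.ip_interface("172.16.0.10/22"),
}

# Routed alternative: 55 sites, each with its own /22 carved from 172.16.0.0/16.
_SITE_BLOCKS = list(ipaddress.ip_network("172.16.0.0/16").subnets(new_prefix=22))
SITES = {f"site{n}": _SITE_BLOCKS[n] for n in range(55)}

if __name__ == "__main__":
    print("original firewall conflicts:", interface_conflicts(ORIGINAL_FIREWALL))
    print("site overlaps:", site_conflicts(SITES))
    for vlan, gw in site_plan("172.16.0.0/16", 1).items():
        print(f"site1 VLAN {vlan}: {gw.network} gateway {gw.ip}")
```

Run stand-alone it reports the firewall's two NICs as a conflict (both fall in 172.16.0.0/22), an empty overlap list for the 55 per-site blocks, and site 1's VLAN gateways 172.16.4.1, 172.16.5.1 and 172.16.6.1; site 0 reproduces the 172.16.0.1 / 172.16.1.1 / 172.16.2.1 addresses from the reply.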

altonv
Jun 17, 2007, 06:40 AM
Well, let's see, there is a lot going way above my head here.

No, it's not for a business and NO, it's not HOMEWORK.

We were asked to figure out the subnet mask to be used in such a scenario. My answer was /22 with 64 subnets.

But I can't figure out for the life of me how it works with VPN. I know if it was all on the same network then /22 would be good, right?

Anyway.

The settings you would do:
VPN-Device (such as a Cisco ASA)
• Public IP (Static)/NAT/Firewall
• VLAN 10 - Private IP 172.16.0.1 / SN 255.255.255.0 (for Switches)
• VLAN 11 - Private IP 172.16.1.1 / SN 255.255.255.0 (for Servers)
• VLAN 12 - Private IP 172.16.2.1 / SN 255.255.255.0 (for Desktops)

That is say at the HO which accepts incoming VPN connections. What private IP would I use for the 1st location connecting to the HO?

"You can't use the same subnet/mask on either end of a network device" either end?

cajalat
Jun 18, 2007, 04:20 PM
> Well, let's see, there is a lot going way above my head here.
>
> No, it's not for a business and NO, it's not HOMEWORK.

I didn't ask if it was homework. I asked if it was a business to see if it was mission critical vs. "nice to have". But now you have my curiosity up... what is it for?

> We were asked to figure out the subnet mask to be used in such a scenario. My answer was /22 with 64 subnets.

This doesn't make sense. Why would anyone be asked about a subnet mask, since that's the last part I'd be concerned about in trying to solve the problem you stated? Shouldn't you be given the real requirements first? Subnetting is part of the solution, not the requirements.

> But I can't figure out for the life of me how it works with VPN. I know if it was all on the same network then /22 would be good, right?

The problem is when you involve VPNs then you no longer have the luxury of a flat network. It has to be a routed network, which is why you can't use the same subnet/mask across your VPN connections.

> Anyway.
>
> The settings you would do:
> VPN-Device (such as a Cisco ASA)
> • Public IP (Static)/NAT/Firewall
> • VLAN 10 - Private IP 172.16.0.1 / SN 255.255.255.0 (for Switches)
> • VLAN 11 - Private IP 172.16.1.1 / SN 255.255.255.0 (for Servers)
> • VLAN 12 - Private IP 172.16.2.1 / SN 255.255.255.0 (for Desktops)
>
> That is say at the HO which accepts incoming VPN connections. What private IP would I use for the 1st location connecting to the HO?

The HQ office would be its own network. It could be part of the larger block of IPs or an entirely different block of IPs altogether. Your HQ VPN will install a route on each remote VPN that points back to itself and the rest of the VPN remote sites (if you choose to do so).

> "You can't use the same subnet/mask on either end of a network device" either end?

Yes. You can't use the same subnet/mask across a Layer 3 boundary.

altonv
Jun 18, 2007, 10:07 PM
Thanks cajalat for this answer and also for the link in the other one.



> I didn't ask if it was homework. I asked if it was a business to see if it was mission critical vs. "nice to have". But now you have my curiosity up... what is it for?

We did a lesson in class last week on subnetting. As an exercise we got that question.
I know it would work in a LAN scenario but was trying to figure out how it would work on a WAN where locations are connected through VPN.

> The problem is when you involve VPNs then you no longer have the luxury of a flat network. It has to be a routed network, which is why you can't use the same subnet/mask across your VPN connections. The HQ office would be its own network. It could be part of the larger block of IPs or an entirely different block of IPs altogether.

The answer is basically No. If you're dealing with routers then you must use a different subnet for each location.
So what you're saying is if I had 50 locations I HAVE to have different SNMs for all locations, OR it's BETTER to have 50 different SNMs, OR only the HO should have a different SNM than the other locations?

Suppose:
HO Class A /22 network, routers - on one SN, switches/printers/servers - on a different SN, client PCs - on the 3rd SN, but all using the same SNM.

Location 1 Class B / 23 Network, Routers - SN1, switches/printers/servers - SN2, and PCs - SN3

Would this work? And is this more secure?

It's 6 am here, will read the link you gave me later today. Maybe it will throw a little more light.


Thanks again for your quick response.

jslande01
Jul 29, 2007, 08:59 PM
I think probably what the lesson was looking for is the most efficient way of using ip addresses (which really doesn't happen that much in the real world, by the way).

Each of the remotes would (for the sake of the exercise) have a 28-bit mask (255.255.255.240), for a maximum of 14 hosts per location. You'd never design it that way; you'd always want to allow extra unused addresses for future expansion.

Site a, for example would be 172.16.1.1 - 172.16.1.14
Site b, 172.16.1.17 - 172.16.1.30
Site c, 172.16.1.33 - 172.16.1.46
Etc, etc.

Again, in the real world, you probably just use /24 bit masks like everyone else and make site a 172.16.1.1 - .255
Site b 172.16.2.1 - .255
Site c 172.16.3.1 - .255
And so on.

To put the other poster's words differently, the firewall/VPN device is by primary function a layer 3 device (a router), therefore each interface would live on a different routed subnet. What you describe with your original question (one of the posters described it as a "flat" network) is a bridged, or layer 2, network. So your /22 mask would work for a large, single-building, single-broadcast-domain, "flat", switched, bridged network that had approximately 1000 hosts on it and you didn't want to segment for some reason.

VPNs are just a less expensive way of building a multi-site network where in the past we would have used routers and point-to-point or frame relay type connectivity. Technically, that way you could have bridged all the sites together, but it would be a very bad idea.

Hope that helps...

Jl
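The arithmetic behind the last post (a /28 holding 14 usable addresses for 13 PCs, and the original question's "/22 with 64 subnets" out of a Class B block) worked through as an added example; this is not code from anyone in the thread. It assumes the figures stated in the first post (55 sites, at most 13 PCs each, a 172.16.0.0/16 block) and the function names are my own.

```python
"""Subnet sizing for the classroom exercise in this thread (added example).

Given 55 sites with at most 13 PCs each inside 172.16.0.0/16, work out the
smallest per-site prefix that fits the hosts, how many bits must be borrowed
to get enough subnets, and the usable address range of each resulting subnet.
Standard-library ipaddress only.
"""
import ipaddress
import math
from typing import List, Tuple


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix whose usable host count (2**n - 2) still holds `hosts`.
    13 PCs -> /28 (14 usable); 1022 hosts -> /22."""
    bits = 1
    while 2 ** bits - 2 < hosts:
        bits += 1
    return 32 - bits


def prefix_for_subnets(parent: str, count: int) -> int:
    """Prefix length that carves at least `count` equal subnets out of `parent`.
    55 sites in a /16 -> borrow 6 bits -> /22 (64 subnets)."""
    net = ipaddress.ip_network(parent)
    borrowed = math.ceil(math.log2(count)) if count > 1 else 0
    return net.prefixlen + borrowed


def subnet_count(parent: str, new_prefix: int) -> int:
    """How many `new_prefix` subnets fit in `parent`."""
    return 2 ** (new_prefix - ipaddress.ip_network(parent).prefixlen)


def site_ranges(parent: str, new_prefix: int, count: int) -> List[Tuple[str, str, str]]:
    """(network, first usable, last usable) for the first `count` subnets,
    i.e. the 'site a, site b, site c' table from the last post."""
    out = []
    for sub in ipaddress.ip_network(parent).subnets(new_prefix=new_prefix):
        if len(out) == count:
            break
        hosts = list(sub.hosts())
        out.append((str(sub), str(hosts[0]), str(hosts[-1])))
    return out


if __name__ == "__main__":
    # Exercise figures from the first post (constructed scenario, 55 sites x 13 PCs).
    per_site = prefix_for_hosts(13)
    site_bits = prefix_for_subnets("172.16.0.0/16", 55)
    print(f"13 hosts fit in a /{per_site}; 55 sites need a /{site_bits} each "
          f"({subnet_count('172.16.0.0/16', site_bits)} subnets)")
    for net, first, last in site_ranges("172.16.1.0/24", 28, 3):
        print(f"{net}: {first} - {last}")
    for net, first, last in site_ranges("172.16.0.0/16", 24, 3):
        print(f"{net}: {first} - {last}")
```

The first loop prints the tight /28 allocation from the post (172.16.1.1 - .14, .17 - .30, .33 - .46); the second prints the "real world" one-/24-per-site alternative, where the usable range ends at .254 rather than the .255 quoted loosely in the post.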