Re: Network Management Guru required (for 5 minutes)

From: Phillip Windell (none)
Date: 02/06/04


Date: Fri, 6 Feb 2004 09:20:41 -0600


"Jansen Reyes" <_no_spam_jreyes@wirespeedit.com> wrote in message
news:Z8LUb.139$Yo3.123@newsfep3-gui.server.ntli.net...
> centered around 2 Filtering routers ( Diagram can be found here)

This is a "plain text" message and there is no diagram.

> N.B. The DMZ is the only network with public IPs

It is better to use private IP blocks in the DMZ of a Back-to-Back DMZ
such as this. But you can use public IP#s if you want to.

> 1) Remote users need access to the internal DATA and Voice LANs. My
> plan at the moment is to use the exterior 2600 as a VPN terminator,
> authenticating via RADIUS to a server located in the data LAN. Is this
> good practice? Would one normally place the authentication server in
> the internal LAN, and would one terminate VPN tunnels in the perimeter
> router?

To VPN with a B2B DMZ you must create two VPN tunnels. The first one
runs between the two routers. The second tunnel runs inside the first
one and goes between the user and the internal resource.

Here are some articles on the subject. They are centered around using
MS ISA Server, but the overall principles are the same in any
situation.
Watch out for the line-wrap on these links:

Configuring VPN Access in a Back to Back ISA Server Environment
http://www.isaserver.org/tutorials/Configuring_VPN_Access_in_a_Back_to_Back_ISA_Server_Environment.html

Joining Private Networks over the Internet: Back to Back ISA Server
DMZs on Both Sides, Part 1
http://www.isaserver.org/tutorials/g2gb2bpart1.html

Joining Private Networks over the Internet: Back to Back ISA Server
DMZs on Both Sides, Part 2
http://www.isaserver.org/tutorials/backtobackdmzvpnpart2.html

> 3) We have client networks which we have to monitor/manage. The
> problem is, we have no control over the third-party address space. In
> many an occasion they might be using exactly the same range as another
> client, or even as ourselves. (everyone uses 192.168.1....). I've done
> a lot of research into

I know of no way around that without some kind of NAT in combination
with the VPN.

> this and finally arrived at some conclusions. In order to resolve this
> issue, I hope to do the following: initiate VPN tunnels from the
> internal router to the third-party network. Then, map the external
> Address range (subnet) to a unique address space within our network.
> This can be done using IOS. Does this seem reasonable?

I have no idea what you are trying to describe there.

> 4) For remote management purposes, certain peers on the internal LAN
> would have to access the remote network. There are 2 things which I am
> worried about:
> i) Client access to the third-party nets - This can be dealt with via
> ACLs I suppose

You're trying to depend on routers and ACLs to control
everything... not good. Use things the way they were meant to be used.
Routers and firewalls control *initial* access to a network. Once
access to a LAN is granted at that level the firewalls or routers are
done with their job; from then on security is controlled by the LAN's
own security systems (User accounts, User Groups, File System
Permissions, etc.). Just because a user is allowed to get to a certain
LAN by the router or firewall doesn't mean they automatically can see
or grab whatever they want within that LAN. Resource access within
LANs is controlled by Domain Controllers, user accounts, Filesystem
Permissions.

> ii) Pollution on third-party networks from internal & vice versa. By
> this I mean, publication of printers and the sorts. My initial plan
> was to have 2 NICs on all the machines that require access, disable
> File and Printer Sharing on the NIC that connects to the management
> net, and Bob's your uncle. However, this seems like a waste of
> physical resources. Has anyone got any other alternatives to this?

Forget the dual-homed workstations.
You're worrying about something that doesn't even happen. Don't forget
the significance of subnets and routers. LAN broadcasts (pollution)
don't cross routers. That's why Cisco often refers to a router as a
"Broadcast Firewall": that kind of stuff doesn't go across them
except for things that you have to go out of your way to make
happen.

> 5) From a higher-level perspective. Has anyone got any information
> on how to manage multiple Windows 2000 domains?

There is no way to deal with a wide open, broad question like that in a
newsgroup message.

--
Phillip Windell [CCNA, MVP, MCP]
WAND-TV (ABC Affiliate)
www.wandtv.com
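As an added illustration that is not part of the thread, the following script shows the idea behind the "NAT in combination with the VPN" answer to point 3: several managed client networks (and our own LAN) all use 192.168.1.0/24, so each client is given a unique, constructed 1:1 mapped subnet from a hypothetical 172.20.0.0/16 pool, and addresses are rewritten host-for-host in both directions. All network values are constructed sample data, not from the original post.

```python
import ipaddress

# Constructed sample data: our LAN and three client networks, two of which
# collide with us and with each other (the 192.168.1.0/24 problem).
OUR_LAN = ipaddress.ip_network("192.168.1.0/24")
CLIENT_NETS = {
    "client-a": ipaddress.ip_network("192.168.1.0/24"),
    "client-b": ipaddress.ip_network("192.168.1.0/24"),
    "client-c": ipaddress.ip_network("10.0.5.0/24"),
}
# Hypothetical pool from which unique "inside view" subnets are carved.
MAP_POOL = ipaddress.ip_network("172.20.0.0/16")


def overlapping_clients(our_lan, client_nets):
    """Names of clients whose real address space collides with ours or with
    another client's; these cannot be reached without a 1:1 mapping."""
    names = sorted(client_nets)
    bad = set()
    for i, a in enumerate(names):
        if client_nets[a].overlaps(our_lan):
            bad.add(a)
        for b in names[i + 1:]:
            if client_nets[a].overlaps(client_nets[b]):
                bad.update((a, b))
    return sorted(bad)


def build_netmap(client_nets, pool):
    """Give every client a unique pool subnet with the same prefix length as
    its real network (the static 1:1 network translation a VPN router would
    apply before routing into the client site)."""
    mapping = {}
    for name in sorted(client_nets):
        plen = client_nets[name].prefixlen
        for cand in pool.subnets(new_prefix=plen):
            if not any(cand.overlaps(used) for used in mapping.values()):
                mapping[name] = cand
                break
        else:
            raise ValueError("mapping pool exhausted for %s" % name)
    return mapping


def translate(addr, from_net, to_net):
    """Rewrite addr from from_net into to_net, keeping the host part. Call it
    with (real, mapped) for traffic leaving our LAN and (mapped, real) on the
    way back, so the mapping is symmetric."""
    addr = ipaddress.ip_address(addr)
    if addr not in from_net or from_net.prefixlen != to_net.prefixlen:
        raise ValueError("%s is not translatable %s -> %s" % (addr, from_net, to_net))
    host_part = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_part)
```

The overlap check is the part worth running first: a client whose range overlaps nothing can simply be routed, and only the colliding ones need a mapped subnet.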

