Re: How expand domain subnet?




Thanks Bill.

Don't forget this is split-tunnel VPN terminating in the Cisco Pix.

It is my understanding that if I configure the Pix for split-tunnel using
192.168.1.x/24, then when the VPN Client software in the remote client asks
to open the tunnel, the Pix tells it to configure the PPP adapter on the
client to encapsulate and send traffic for 192.168.1.x/24 only. Other IP
destinations now default to the routing rules of the Ethernet LAN adapter
next down the binding order.

It is also my belief that I can configure the PIX to use a different, i.e.
tighter, split-tunnel subnet mask than that of its LAN-side Ethernet adapter.

Or have I got something wildly wrong?

--
Newell White


"Bill Grant" wrote:

I will have a stab at the VPN routing question you raise. I think that
you are making an assumption which is not really true.

You seem to assume that, if you set up your LAN as 192.168.0.0/22, VPN
clients with 192.168.1.x/24 addresses will only be able to access LAN
machines which have 192.168.1.x addresses, and not be able to access
machines with, say, 192.168.2.x addresses.

IP routing doesn't work like that. 192.168.1.30/24 is not the same thing
as 192.168.1.30/22. A machine in a subnet with a 24-bit subnet can route to
all of the machines in a subnet with a 22-bit subnet mask.

I believe that you will have trouble with your VPN if you change the
subnet mask on the LAN. If the LAN and the remotes are using addresses in
the same IP subnet, it is not using normal IP routing. It is using some sort
of proxy ARP (i.e. the server is doing proxy ARP on the LAN to receive packets
addressed to the remote clients), and it will fail if you change the LAN
subnet mask.


"Phillip Windell" <@.> wrote in message
news:Oo4LwgZ3GHA.5000@xxxxxxxxxxxxxxxxxxxxxxx
"Newell White" <NewellWhite@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5BDAB452-376F-4BC6-9142-CE9FF7F32AD3@xxxxxxxxxxxxxxxx
Gentlemen,
I understand that you are encouraging me to follow what is generally
regarded as best practice, and I thank you for your time. But you seem to
ignore some points of my plan.

I'm not ignoring those points,...I'm telling you to stop doing them if you
want this to work right. Being "feasible" isn't the question for me and I
am not going to play it that way. "Two-Cans-and-a-string" is feasible,
but I'm not going to tell anyone to use that.

If you want the machines to "hang on" until you get into the office then
use the default DHCP Lease period of 8 days. That gives you about 4 days
to get in to fix it. If that isn't enough then make it thirty days which
gives you 15 days. The reason of the "half period" is because DHCP
Clients attempt to renew their lease at 50% of the Lease.

Creating a disaster of a LAN design just because you want to have the
machines not be affected by a down DHCP until you get back in the office
is...well...I don't know how to say it in a good way. LAN design is
primary,...DHCP schemes are secondary (not the other way around).

If you want one DHCP to keep it all running indefinitely if one goes
down,..do this...
1. If you have 200 Hosts, then use two separate segments of 254 each.
(/24)
2. Have 100 hosts in each.
3. Identically configure two DHCP boxes as I described before and divide
them up with Exclusions. Remember to configure two Scopes on each to
represent each segment.
4. Configure the LAN router to forward DHCP Queries to the two DHCP
Servers.
5. Add a static Route to the Pix so that it knows to use the LAN Router as
the path to the segment on the far side of the router. Correct the Local
Address Table on the PIX to include both LAN IP Ranges

Now there will be less than half the available addresses in use in either
segment,...which means that just one DHCP Server by itself will have
enough addresses to keep things going indefinitely,...and you are not
violating proper LAN design in the process of doing so.

If I think of anything else,..I'll post again.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
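The two routing points in this thread, worked through in Python as an added example that is none of the posters' own code: Bill's point that a host with a /24 mask still reaches every host in a /22 LAN (it just hands off-link traffic to its gateway), and the consequence for Newell's split tunnel, where a split list of 192.168.1.0/24 leaves the rest of a 192.168.0.0/22 LAN going out the client's local adapter instead of the tunnel. The host addresses and the 192.168.1.1 gateway are constructed for illustration.

```python
import ipaddress

def on_link(host_cidr: str, dest: str) -> bool:
    """True if dest lies in the host's own subnet (direct delivery); otherwise it is sent to the gateway."""
    return ipaddress.ip_address(dest) in ipaddress.ip_interface(host_cidr).network

def next_hop(host_cidr: str, gateway: str, dest: str) -> str:
    """Classic host routing decision: on-link destinations go direct, everything else to the default gateway.
    A /24 host can still reach a /22 neighbour this way; it is one more hop, not unreachable."""
    return "direct" if on_link(host_cidr, dest) else gateway

def tunnel_or_local(split_tunnel_nets, dest: str) -> str:
    """Split-tunnel decision on the VPN client: only destinations matched by the split list are
    encapsulated; anything else follows the local Ethernet adapter's routing."""
    d = ipaddress.ip_address(dest)
    return "tunnel" if any(d in ipaddress.ip_network(n) for n in split_tunnel_nets) else "local"

def lan_not_covered(lan_cidr: str, split_tunnel_nets) -> list:
    """Parts of the LAN that the split-tunnel list does NOT cover, i.e. LAN destinations the
    remote client would send in the clear via its local adapter rather than through the tunnel."""
    missing = [ipaddress.ip_network(lan_cidr)]
    for n in split_tunnel_nets:
        net = ipaddress.ip_network(n)
        remaining = []
        for m in missing:
            if net.subnet_of(m):          # carve the covered block out of this remainder
                remaining.extend(m.address_exclude(net))
            elif m.subnet_of(net):        # this remainder is fully covered; drop it
                continue
            else:                         # disjoint CIDR blocks; keep as-is
                remaining.append(m)
        missing = remaining
    return [str(m) for m in sorted(missing)]

if __name__ == "__main__":
    # Constructed sample: LAN widened to /22, a /24 host, and a /22 host, both reaching 192.168.2.40
    print(next_hop("192.168.1.30/24", "192.168.1.1", "192.168.2.40"))  # via gateway
    print(next_hop("192.168.1.30/22", "192.168.1.1", "192.168.2.40"))  # direct
    # Split tunnel of 192.168.1.0/24 on a 192.168.0.0/22 LAN: what leaks out the local adapter?
    print(lan_not_covered("192.168.0.0/22", ["192.168.1.0/24"]))
    print(lan_not_covered("192.168.0.0/22", ["192.168.0.0/22"]))  # [] once the split list matches the LAN
```

Feeding the PIX split-tunnel list and the intended LAN prefix to `lan_not_covered` is a quick check that widening the LAN mask has not silently pushed part of the LAN outside the tunnel.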







