How to connect an independent network to our network?

Unanswered Question
Mar 27th, 2008

We have an office that has their own independent network and ISP provider in the same building where we provide network access to our remote offices. They need to access our intranet. We are thinking of running a cable from our switch to their office.

The key question is, how do we make this work?

They have a Windows server hosting an Active Directory domain, single forest, single subnet AD DNS, WINS and DHCP, Terminal Services is running on the server. The internal network communicates with outside world via a single firewall gateway, a Sonicwall TZ170 I believe.

Physically, all CAT5 cables are connected to a 16 port unmanaged switch which sits right on top of the server and links to the Sonicwall device. The Sonicwall device connects to an AT&T DSL network.

The network used to have a Gateway to Gateway VPN tunnel that links to another office in a different city, but it has been recently taken out as they have deployed Exchange Server at their site. Currently, the Sonicwall is being used as a gateway for client-based VPN access.

Rick Morris Fri, 03/28/2008 - 08:05

When you say Intranet does this mean all your internal networks, a web-site portal, etc...?

I would never give switched network access to an outside company. I would set up a VPN tunnel from site to site, yes even within the building, that way you control their access. Or use SSL.

But I really need more info on what they are accessing and how you would like them to access it before a solid solution can be suggested.

djgizmo250 Fri, 03/28/2008 - 08:56

Not all of our internal networks, just a web-site portal.

Right now, they are using a token to access the site. But, we want to eliminate that by having them connect to the internal IP which requires a change in the HOSTS file.

Rick Morris Fri, 03/28/2008 - 10:18

I guess I am a little confused as to why you want an outside source to access you from an internal source.

If they access via an external source you can provide access that way, either through a VPN or via public access through NAT with user login ID and passwords.

You can carve out a piece on your network and put them all in a DMZ, you will need to make sure their IP scheme does not conflict with yours. Then you can allow certain access from the DMZ/VLAN to the resources you want them to access directly.

meballard Fri, 03/28/2008 - 10:29

If their SonicWall has a DMZ/additional LAN port (which SonicWall's website indicates it might, I'm not entirely sure), then one way would be connecting your network to that port on their SonicWall, and then the SonicWall would have to be configured to allow traffic through to the specific IP only. Note that security-wise this relies on them keeping their SonicWall configured correctly.

Considering their lack of network equipment otherwise, I would personally probably connect a router or firewall between their network and your network, and then set up a NAT-based connection from their network to your server. It would appear that when connecting to your server, they are connecting to an IP on their network, which the router/firewall would then translate to your server's IP on your network. Their DNS would have the IP on the NAT connection on their network. That way you can configure the router/firewall to only allow the one NAT connection, and only on the ports needed.

djgizmo250 Fri, 03/28/2008 - 11:01

We can put in a Linksys router. This has been done on another office that needed to connect to our network, but I'm not sure how they were set up. I'm thinking that we plug the Inside of that to their network and the Outside port of it to our switch. Then, they can add a static route to their firewall / router for the IP address of the hosts. And, the Linksys will be set up to use whatever we set the VLAN to on the switch as its default route?

I'm a novice at this and am getting my feet wet. Thanks for all your help. I'm hoping to hear more feedback.
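The router/firewall design suggested in the thread (one NAT mapping to the portal, only the needed port, everything else between the two networks dropped), as an added example that is not part of any post above. It assumes a Linux box running nftables in place of the Linksys or SonicWall; the interface names, addresses and port are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: a two-port box between the tenant office LAN and our switch.
# Every value below is a constructed placeholder, not taken from the thread.
flush ruleset

define TENANT_IF   = "eth0"         # inside port, plugged into the tenant's switch
define CORP_IF     = "eth1"         # outside port, plugged into our switch/VLAN
define NAT_VIP     = 192.168.1.250  # address on the tenant LAN that their DNS points at
                                    # (must be configured on eth0 so the box answers ARP for it)
define PORTAL_IP   = 10.20.30.40    # real address of the intranet portal
define PORTAL_PORT = 443            # the only service the tenant needs

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # The one NAT connection: VIP on their side -> portal on ours.
        iifname $TENANT_IF ip daddr $NAT_VIP tcp dport $PORTAL_PORT dnat to $PORTAL_IP
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Source-NAT toward the portal so our network needs no route back to
        # the tenant subnet and never sees tenant addresses directly.
        oifname $CORP_IF ip daddr $PORTAL_IP masquerade
    }
}

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Tenant -> portal on the single permitted port, nothing else.
        iifname $TENANT_IF oifname $CORP_IF ip daddr $PORTAL_IP tcp dport $PORTAL_PORT ct state new accept
        # No rule exists for corp -> tenant: new connections in that direction are dropped.
        log prefix "tenant-link-drop " counter drop
    }
    chain input {
        type filter hook input priority filter; policy drop;
        # The box itself accepts nothing from either network except replies
        # to its own traffic; manage it from the console or add a narrow rule.
        iif "lo" accept
        ct state established,related accept
    }
}
```

Because the tenant only ever talks to an address on its own subnet, no static route toward our network is needed on their firewall, and the counter on the final forward rule shows how much traffic is trying to cross outside the permitted path.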