Confusion H.O. & Remote Stores (Restaurants)

Unanswered Question
Sep 10th, 2008


We are an F&B company. We have 6 restaurants currently running, and in the next 3 months another 15 will be added. Below are the technical details:

1. Each restaurant will have one PC running an application which will be connected to a server at HO through data circuits.

2. Each restaurant user will also have access to his e-mail and should be able to share files.

3. The data circuits are done through ADSL for each restaurant.


1. The HO lan is running a network with all the static natting done on a pix 501 firewall.

2. There is a DHCP/Domain/Dns/Exchange server running on the LAN which serves all the users.

3. How do I get users to come on the same LAN? The ISP doesn't recommend bridging and is asking me to assign separate networks for each restaurant.

4. Doing so means changing the configuration on the firewall, and I'm not well versed with PIX. The company doesn't want to invest in new hardware.

5. Will I be able to work without issues if I use bridging and connect to my LAN from the restaurants?

Please give me your recommendations; attached are the config file of the firewall and the network diagram.

Giuseppe Larosa Thu, 09/11/2008 - 02:05

Hello Sarfaraz,

bridging is not recommended because performance is impacted.

the changes on the pix should be limited to adding new ACL statements to the ACL applied on the outside interface

you can use

sh nameif

sh access-group

sh access-list

to see the ACL applied on the outside interface.

the command syntax is the same with the exclusion of the final counters at the end of the line.

look for the commands that contain the current user subnet


sh access-list acl-name | inc subnet

replicate this command for the aggregate of new remote subnets

provide space for growth :

allocate 32 subnets each /28 for the restaurants

use,,, ...

for each remote subnet on the dhcp you need to define a separate pool

the aggregate will be

Hope to help
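
A worked version of the plan above, added here as an example and not part of Giuseppe's reply or the original thread: it carves 32 /28 subnets for the restaurants, gives the per-site DHCP pool boundaries (one pool per subnet), computes the aggregate that goes on the outside-interface ACL, and checks constructed sample ACL lines the way `sh access-list acl-name | inc subnet` would be used. The base block 10.20.0.0/16, the ACL name acl_out, the inside server addresses and the sample ACL lines are assumptions; the thread's real addresses were stripped from the page.

```python
"""Subnet plan for remote restaurant sites behind a head-office PIX.

Added example, not code from the original thread.  It works through the
advice above: carve 32 /28 subnets for the restaurants, define one DHCP pool
per subnet, and permit the *aggregate* of those subnets in the ACL applied to
the PIX outside interface instead of one line per site.  The base block
10.20.0.0/16, the ACL name acl_out, the inside server addresses and the sample
ACL lines are assumptions; the thread's real addresses were stripped.
"""
import ipaddress
from dataclasses import dataclass

SITES_TO_ALLOCATE = 32
SITE_PREFIX = 28                                     # /28: 16 addresses, 14 usable
BASE_BLOCK = ipaddress.ip_network("10.20.0.0/16")    # assumption


@dataclass(frozen=True)
class SitePlan:
    index: int
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address     # restaurant router LAN address (first usable)
    pool_start: ipaddress.IPv4Address  # first address the DHCP pool may lease
    pool_end: ipaddress.IPv4Address    # last usable address


def plan_sites(base=BASE_BLOCK, count=SITES_TO_ALLOCATE, prefix=SITE_PREFIX):
    """Allocate `count` consecutive /prefix subnets from `base`, one per restaurant."""
    plans = []
    for i, net in zip(range(1, count + 1), base.subnets(new_prefix=prefix)):
        hosts = list(net.hosts())
        plans.append(SitePlan(i, net, hosts[0], hosts[1], hosts[-1]))
    if len(plans) < count:
        raise ValueError(f"{base} is too small for {count} /{prefix} subnets")
    return plans


def aggregate(plans):
    """Collapse the site subnets into the fewest covering prefixes.

    With 32 aligned /28s this is a single /23, which is the one network/mask
    pair to put on the PIX ACL line."""
    return list(ipaddress.collapse_addresses(p.network for p in plans))


def pix_netmask(net):
    """PIX 6.x access-list syntax takes a dotted subnet mask, not a wildcard."""
    return f"{net.network_address} {net.netmask}"


def _parse_source(parts):
    """Source field of 'access-list NAME permit PROTO SRC ...'; a network or None."""
    src = parts[4]
    if src == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if src == "host":
        return ipaddress.ip_network(f"{parts[5]}/32")
    try:
        return ipaddress.ip_network(f"{src}/{parts[5]}", strict=False)
    except ValueError:
        return None   # object-groups and anything unexpected are not evaluated here


def sites_not_permitted(acl_lines, plans):
    """Return the site subnets that no 'permit' line's source field covers.

    This is the check behind 'sh access-list acl-name | inc subnet': does the
    outside ACL already admit traffic sourced from every restaurant subnet?"""
    permitted = []
    for line in acl_lines:
        parts = line.split()
        if len(parts) >= 6 and parts[0] == "access-list" and parts[2] == "permit":
            net = _parse_source(parts)
            if net is not None:
                permitted.append(net)
    return [p.network for p in plans
            if not any(p.network.subnet_of(n) for n in permitted)]


# Constructed sample: an ACL that only ever covered the first /24 of the block.
SAMPLE_ACL_BEFORE = [
    "access-list acl_out permit tcp 10.20.0.0 255.255.255.0 host 192.168.1.10 eq 25",
    "access-list acl_out permit tcp 10.20.0.0 255.255.255.0 host 192.168.1.10 eq 443",
]
# The single extra line the advice amounts to: permit the aggregate.
SAMPLE_ACL_AFTER = SAMPLE_ACL_BEFORE + [
    "access-list acl_out permit ip 10.20.0.0 255.255.254.0 192.168.1.0 255.255.255.0",
]


if __name__ == "__main__":
    plans = plan_sites()
    print(f"{'site':>4}  {'network':<18} {'gateway':<13} dhcp pool")
    for p in plans:
        print(f"{p.index:>4}  {str(p.network):<18} {str(p.gateway):<13} {p.pool_start}-{p.pool_end}")
    for agg in aggregate(plans):
        print("\naggregate for the outside ACL:", pix_netmask(agg))
    print("subnets not yet permitted before:", len(sites_not_permitted(SAMPLE_ACL_BEFORE, plans)))
    print("subnets not yet permitted after: ", len(sites_not_permitted(SAMPLE_ACL_AFTER, plans)))
```

Run it as a script to print the per-site table; the aggregate it prints (10.20.0.0 255.255.254.0 under the assumed block) is the network/mask pair to use in place of the current user subnet on the replicated ACL lines, and `sites_not_permitted` is empty only once that aggregate line is present.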


sarfarazkazi Thu, 09/11/2008 - 04:28

Hi Giuseppe,

I had attached the configuration of the fw. Can you be a little more specific? Currently we have only one subnet. I understood the part where I will define subnets for each remote site. But where do I define the aggregate? On the firewall? What will be the gateway of these remote subnets? Currently the firewall is the gateway for the subnet. I have attached the config file for the firewall.



Giuseppe Larosa Thu, 09/11/2008 - 11:53

Hello Sarfaraz,

the DSL lines for the restaurants will be on the public internet or inside a VPN?

in the first case, each remote router can have an IPSec tunnel to the PIX.

We use a solution with a GRE tunnel carried inside IPSec packets for remote branch offices and it works, but I don't know if the PIX can terminate the GRE tunnels.

For the second case you will need a third link on the PIX to be used as a DMZ, or you can use the current subnet also for the next hops of the remote site routers.

Hope to help


bmcginn Thu, 09/11/2008 - 17:59

Hi there,

I am under the assumption that the data cloud is a private MPLS cloud, probably looked after by your carrier.

Why do you need the clients/users to be on the same LAN as the DHCP/DC/DNS/Exchange server?

It makes more sense to let the restaurants have their own LANs and connect back to the DC over the WAN.

DHCP requests can be forwarded to the DHCP server via the ip helper command on the Cisco 877s.

Each restaurant's LAN can be any other network .. eg

The 877 at the main site can advertise a default route to the data cloud so all your sites know to come back to the main site for internet access. If you have a proxy, that would be even better; that way the main site's 877 only needs to advertise the range.



bmcginn Thu, 09/11/2008 - 18:02

Mate, I also just looked at your pix config. Is there any reason why you have so many dynamic host NATs?

eg at (inside) 1 0 0




nat (inside) 1 0 0

you could make it easier to read by using:

nat (inside) 1


sarfarazkazi Sat, 09/13/2008 - 00:50


Thanks for your answer. The only reason why I want to have them on the same LAN is so that each restaurant can have email access through Outlook. The dynamic host NATs were defined for the managers; the other normal users pass through ISA (

I will go with your suggestion to have a separate LAN for each network, but what about the NAT on the pix? Eg If I give each restaurant say,3.0 what will be their default gateway on the pix? I don't have much idea on the pix so need your expert comments.


