Confusion H.O. & Remote Stores (Restaurants)

Unanswered Question
Sep 10th, 2008
Hi,


We are an F&B company. We have 06 restaurants currently running and in the next 3 months another 15 will be added. Below are the technical details:


1. Each restaurant will have one PC running an application which will be connected to a server at HO through data circuits.


2. Each restaurant user will also have access to his e-mail and should be able to share files.


3. The data circuits are done through ADSL for each restaurant.


Issue:


1. The HO LAN is running a 192.168.1.0/24 network with all the static NATting done on a PIX 501 firewall.


2. There is a DHCP/Domain/DNS/Exchange server running on the LAN which serves all the users.


3. How do I get users to come on the same LAN? The ISP doesn't recommend bridging and is asking me to assign separate networks for each restaurant.


4. If I do so, it means changing the configuration on the firewall, and I'm not well versed with the PIX. The company doesn't want to invest in new hardware.


5. Will I be able to work without issues if I use bridging and connect to my LAN from the restaurants?


Please give me your recommendations, attached is the config file of the firewall and network diagram.



Giuseppe Larosa Thu, 09/11/2008 - 02:05
Hello Sarfaraz,

Bridging is not recommended because performance is impacted.

The changes on the PIX should be limited to adding new ACL statements to the ACL applied on the outside interface.

You can use

sh nameif

sh access-group

sh access-list

to see the ACL applied on the outside interface.

The command syntax is the same with the exclusion of the final counters at the end of the line.

Look for the commands that contain the current user subnet; use

sh access-list acl-name | inc subnet

Replicate this command for the aggregate of new remote subnets.

Provide space for growth:

allocate 32 subnets, each /28, for the restaurants

use 192.168.4.0/28, 192.168.4.16/28, 192.168.4.32/28, ...

for each remote subnet on the DHCP you need to define a separate pool

the aggregate will be 192.168.4.0/23



Hope to help

Giuseppe
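The address plan suggested above, worked through as an added example (not code from the thread or from the attached PIX config): it carves 32 /28 site subnets out of 192.168.4.0/23, checks that they summarise back to the /23 and do not collide with the HO LAN, derives a per-site DHCP pool, and emits the single outside ACL permit that covers the aggregate. The ACL name outside_in and the use of .1 as each site router's LAN address are assumptions.

```python
import ipaddress

# Constructed plan following the reply above; not taken from the attached config.
HO_LAN = ipaddress.ip_network("192.168.1.0/24")
AGGREGATE = ipaddress.ip_network("192.168.4.0/23")
SITE_PREFIX = 28
SITE_COUNT = 32
OUTSIDE_ACL = "outside_in"  # assumption: use the name shown by 'sh access-group'

def allocate_sites(aggregate=AGGREGATE, prefix=SITE_PREFIX, count=SITE_COUNT):
    """Carve `count` subnets of length /prefix out of the aggregate, in order."""
    subnets = list(aggregate.subnets(new_prefix=prefix))
    if len(subnets) < count:
        raise ValueError(f"{aggregate} only holds {len(subnets)} /{prefix} subnets")
    return subnets[:count]

def plan_is_consistent(sites, ho_lan=HO_LAN, aggregate=AGGREGATE):
    """Checks to run before editing the PIX: every site sits inside the aggregate,
    none overlaps the HO LAN, and the sites summarise back to exactly one block
    so a single ACL line can cover them all."""
    inside = all(s.subnet_of(aggregate) for s in sites)
    disjoint = not any(s.overlaps(ho_lan) for s in sites)
    summarised = list(ipaddress.collapse_addresses(sites)) == [aggregate]
    return inside and disjoint and summarised

def dhcp_pool(site):
    """Per-site pool for the HO DHCP server: .1 reserved for the site router
    (assumed gateway), .2 up to the last usable address handed out to hosts."""
    hosts = list(site.hosts())
    gateway, first, last = hosts[0], hosts[1], hosts[-1]
    return str(gateway), str(first), str(last)

def pix_acl_lines(sites, ho_lan=HO_LAN, acl=OUTSIDE_ACL):
    """One permit per summarised block, in the PIX 6.x
    'access-list <name> permit ip <src> <mask> <dst> <mask>' form. Least
    privilege would narrow 'ip' to the ports the restaurant application,
    Exchange and file sharing actually need."""
    lines = []
    for block in ipaddress.collapse_addresses(sites):
        lines.append(f"access-list {acl} permit ip {block.network_address} "
                     f"{block.netmask} {ho_lan.network_address} {ho_lan.netmask}")
    return lines

if __name__ == "__main__":
    sites = allocate_sites()
    print("plan ok:", plan_is_consistent(sites))
    for s in sites[:3]:
        print(s, "gateway/first/last:", dhcp_pool(s))
    print("\n".join(pix_acl_lines(sites)))
```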

sarfarazkazi Thu, 09/11/2008 - 04:28

Hi Giuseppe,


I had attached the configuration of the firewall. Can you be a little more specific? Currently we have only one subnet, 192.168.1.0/24. I understood the part where I will define subnets for each remote site. But where do I define the aggregate? On the firewall? What will be the gateway of these remote subnets? Currently the firewall is the gateway for the 192.168.1.0/24 subnet. I have attached the config file for the firewall.


Regards


Sarfaraz



Giuseppe Larosa Thu, 09/11/2008 - 11:53

Hello Sarfaraz,

Will the DSL lines for the restaurants be on the public internet or inside a VPN?


In the first case, each remote router can have an IPSec tunnel to the PIX.

We use a solution with a GRE tunnel carried inside IPSec packets for remote branch offices and it works, but I don't know if the PIX can terminate the GRE tunnels.


For the second case you will need a third link on the PIX to be used as a DMZ, or you can use the current subnet also for the next hops of the remote site routers.


Hope to help

Giuseppe


bmcginn Thu, 09/11/2008 - 17:59

Hi there,


I am under the assumption that the data cloud is a private MPLS cloud, probably looked after by your carrier.


Why do you need the clients/users to be on the same LAN as the DHCP/DC/DNS/Exchange server?


It makes more sense to let the restaurants have their own LANs and connect back to the DC over the WAN.


DHCP requests can be forwarded to the DHCP server via the ip helper command on the Cisco 877s.


Each restaurant's LAN can be any other network, e.g. 192.168.100.0/24.


The 877 at the main site can advertise a default route to the data cloud so all your sites know to come back to the main site for internet access. If you have a proxy, that would be even better; that way the main site's 877 only needs to advertise the 192.168.1.0/24 range.


Regards,


Brad

bmcginn Thu, 09/11/2008 - 18:02

Mate, I also just looked at your PIX config. Is there any reason why you have so many dynamic host NATs?

e.g. nat (inside) 1 192.168.1.2 255.255.255.255 0 0

...

nat (inside) 1 192.168.1.250 255.255.255.255 0 0

You could make it easier to read by using:

nat (inside) 1 192.168.1.0 255.255.255.0



Brad


sarfarazkazi Sat, 09/13/2008 - 00:50

Hi,


Thanks for your answer. The only reason why I want to have them on the same LAN is so that each restaurant can have email access through Outlook. The dynamic host NATs were defined for the managers; the other normal users pass through ISA (192.168.1.10).

I will go with your suggestion to have a separate LAN for each restaurant, but what about the NAT on the PIX? E.g. if I give each restaurant say 192.168.2.0, 192.168.3.0, what will be their default gateway on the PIX? I don't have much idea on the PIX so need your expert comments.


Sarfaraz
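Brad's suggestion to collapse the per-host nat statements into one subnet-wide line, and Sarfaraz's reply that the host list is deliberate (managers only, everyone else via ISA), together make a check worth running before tidying the config. This is an added example, not the thread's attached config or anything from the posters: it parses PIX 6.x "nat (inside) <id> <addr> <mask>" lines from a constructed sample and reports which LAN hosts would newly gain NAT if the list were replaced by the /24 statement.

```python
import ipaddress
import re

# Constructed sample of per-host statements in the shape Brad quotes; the
# thread's real attached config is not reproduced here.
SAMPLE_CONFIG = """\
nat (inside) 1 192.168.1.2 255.255.255.255 0 0
nat (inside) 1 192.168.1.3 255.255.255.255 0 0
nat (inside) 1 192.168.1.20 255.255.255.255 0 0
nat (inside) 1 192.168.1.250 255.255.255.255 0 0
"""
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)(?: .*)?$")

def parse_nat(config):
    """Return (interface, nat_id, network) for every nat line in the config text."""
    entries = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        iface, nat_id, addr, mask = m.groups()
        entries.append((iface, int(nat_id), ipaddress.ip_network(f"{addr}/{mask}")))
    return entries

def consolidation_report(config, lan="192.168.1.0/24"):
    """Compare the explicit nat list with a single subnet-wide statement.
    hosts_gaining_nat lists LAN addresses that are NOT covered today and would
    be if the /24 line replaced the list; if those are the ISA-only users, the
    tidy-up widens the NAT policy rather than merely shortening the config."""
    lan = ipaddress.ip_network(lan)
    entries = parse_nat(config)
    if not entries:
        raise ValueError("no nat statements found")
    iface, nat_id, _ = entries[0]
    covered = set()
    for _, _, net in entries:
        # /31 and /32 have no separate host range; take every address in them
        covered.update(net if net.num_addresses <= 2 else net.hosts())
    gaining = sorted(a for a in lan.hosts() if a not in covered)
    return {
        "summary_statement": f"nat ({iface}) {nat_id} {lan.network_address} {lan.netmask}",
        "hosts_listed": len(covered),
        "hosts_gaining_nat": [str(a) for a in gaining],
    }

if __name__ == "__main__":
    report = consolidation_report(SAMPLE_CONFIG)
    print(report["summary_statement"])
    print(report["hosts_listed"], "hosts listed;",
          len(report["hosts_gaining_nat"]), "hosts would newly be NATted")
```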
