Routing between two networks

Answered Question
Sep 1st, 2010

We have a new CA office and are leasing space from another company. This is our proposed plan:


- Set up our own network with our own T1, router, switch, and workstations

- We would like to be able to route the company's IP on our network in order to utilize their printers.


What would be the best way to accomplish this? Thank you in advance for your cooperation.

Overall Rating: 5 (1 ratings)
Jon Marshall Wed, 09/01/2010 - 12:28

dukeminus wrote:


We have a new CA office and are leasing space from another company. This is our proposed plan:


- Set up our own network with our own T1, router, switch, and workstations

- We would like to be able to route the company's IP on our network in order to utilize their printers.


What would be the best way to accomplish this? Thank you in advance for your cooperation.


Best solution is to get a firewall and connect the inside to your LAN and the outside to their LAN and make sure no traffic is allowed to be initiated from their LAN.


To be honest they should also be firewalling the link.


Jon

dukeminus Wed, 09/01/2010 - 13:03

Wouldn't it be easier to set up a route on my router to allow us to see their network? Or could I set up a VLAN on my switch using their subnet addressing and then make it routable through the switch?

Jon Marshall Wed, 09/01/2010 - 13:13

dukeminus wrote:


Wouldn't it be easier to set up a route on my router to allow us to see their network? Or could I set up a VLAN on my switch using their subnet addressing and then make it routable through the switch?


Yes absolutely it would be easier but not very secure.


How well do you trust the company and how well do they trust you?


If you have a virus outbreak on your network how understanding will they be if it transfers to their network? And vice versa.

If you each have internet connections and a person in the other company uses your internet connection to hack a third party site you are legally liable, not them.

What is the value of the data you have and they have and how much of a cost would it be to either company if that data was tampered with or destroyed?


I could go on but the above should be enough to give you an idea of how inherently insecure simply connecting up 2 companies' networks is. As I say, of course simply connecting them up via an RJ45 link and adding routes is the easiest thing to do but not necessarily the right thing.


A lot depends on the relationship between your company and the other company but I wouldn't do it.


Jon

dukeminus Wed, 09/01/2010 - 13:21

Jon,


Thank you for that insight. I was not thinking in regards to the security aspect. With that said, if I just add the route to see their network and they do not add a route on their router, I will only see their network, not vice versa, right? If that is the case I will definitely add a firewall on my network.

Jon Marshall Wed, 09/01/2010 - 13:27

dukeminus wrote:


Jon,


Thank you for that insight. I was not thinking in regards to the security aspect. With that said, if I just add the route to see their network and they do not add a route on their router, I will only see their network, not vice versa, right? If that is the case I will definitely add a firewall on my network.


Well, they could simply add a route.


There are differing levels of security. Your router should be able to use access-lists, perhaps reflexive access-lists and possibly even a full blown firewall feature set depending on the router and IOS version/feature set. Is it a Cisco router?


So you wouldn't necessarily need a separate firewall but there are a lot of variables. Using access-lists on a router is minimal in terms of CPU but ACLs are not that secure, they add some security but they can be quite easily overcome. Running a firewall on the router does hit the CPU but it is a lot more secure.


It is a tradeoff between complexity, threat and value/criticality of assets. Your manager(s) will probably always want the quickest, easiest and cheapest solution so you need to make sure that if you go that route they fully understand the potential security implications.


Jon

dukeminus Wed, 09/01/2010 - 13:39

Jon,


There are differing levels of security. Your router should be able to use access-lists, perhaps reflexive access-lists and possibly even a full blown firewall feature set depending on the router and IOS version/feature set. Is it a Cisco router? The router is a Cisco 3620 IOS 12.2(37)


Also, just to make sure that I implement this correctly: I was going to attach a cable from their switch to my switch, set up the IP route on my router, and hopefully I will have connectivity.


If the 3620 cannot support a firewall I have an older Cisco PIX firewall that I was thinking of using for that office.

Correct Answer
Jon Marshall Wed, 09/01/2010 - 13:44

dukeminus wrote:


Jon,


There are differing levels of security. Your router should be able to use access-lists, perhaps reflexive access-lists and possibly even a full blown firewall feature set depending on the router and IOS version/feature set. Is it a Cisco router? The router is a Cisco 3620 IOS 12.2(37)


Also, just to make sure that I implement this correctly: I was going to attach a cable from their switch to my switch, set up the IP route on my router, and hopefully I will have connectivity.


If the 3620 cannot support a firewall I have an older Cisco PIX firewall that I was thinking of using for that office.


If you have the PIX then use that as it is a dedicated firewall.


As for cabling you need to make sure you don't bypass the PIX. I would simply connect the cable from their switch to the outside interface of your PIX and then connect the inside interface of the PIX to your switch. Add a route to your router for their network pointing to the inside interface of the PIX.


Jon

Jon Marshall Thu, 09/02/2010 - 07:05

Can you post the Visio as a .jpg, as I don't have Visio on my laptop?


Jon

Jon Marshall Thu, 09/02/2010 - 07:26

Looks good. Is your internal switch an L3 switch? If so, remember you will need routes on the PIX for your internal networks pointing to the L3 switch. You will also need routes on your 3620 for your internal networks pointing to the outside interface of the PIX unless you are NATting on the PIX, in which case you don't need them.


Finally, you will need the third party to route your IPs back to the DMZ interface on the PIX.


Jon
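
Added example, not part of the thread or any poster's configuration: a small route-table model that checks the advice above, namely that traffic to the other company's LAN and the replies coming back both cross the PIX. Every device name and address is constructed, and it assumes hosts on each side use their own router as gateway and that the PIX is not NATting.

```python
import ipaddress

def next_hop(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(tables, start, dst, limit=8):
    """Walk next hops from start until a name with no table (a segment) is reached."""
    path, dev = [start], start
    for _ in range(limit):
        hop = next_hop(tables[dev], dst)
        if hop is None:
            return path + ["DROP"]
        path.append(hop)
        if hop not in tables:
            return path
        dev = hop
    return path + ["LOOP"]

def audit(tables, printer="192.168.50.20", workstation="10.10.0.15"):
    """Both directions must cross the firewall and end on the right LAN."""
    out = trace(tables, "our-router", printer)
    back = trace(tables, "their-router", workstation)
    return {"outbound_ok": "pix" in out and out[-1] == "their-lan",
            "return_ok": "pix" in back and back[-1] == "our-lan",
            "outbound": out, "return": back}

# Constructed addressing: our LAN 10.10.0.0/24, their LAN 192.168.50.0/24.
FIREWALLED = {
    "our-router":   [("10.10.0.0/24", "our-lan"), ("192.168.50.0/24", "pix"),
                     ("0.0.0.0/0", "our-t1")],
    "pix":          [("10.10.0.0/24", "our-lan"), ("192.168.50.0/24", "their-lan")],
    "their-router": [("192.168.50.0/24", "their-lan"), ("10.10.0.0/24", "pix"),
                     ("0.0.0.0/0", "their-wan")],
}
# Switch-to-switch cable plus a plain route: their LAN is reached without the PIX.
BYPASS = {**FIREWALLED, "our-router": [("10.10.0.0/24", "our-lan"),
          ("192.168.50.0/24", "their-lan"), ("0.0.0.0/0", "our-t1")]}
# No return route on their side: replies follow their default route instead.
NO_RETURN = {**FIREWALLED, "their-router": [("192.168.50.0/24", "their-lan"),
             ("0.0.0.0/0", "their-wan")]}

if __name__ == "__main__":
    for name, t in (("firewalled", FIREWALLED), ("bypass", BYPASS), ("no-return", NO_RETURN)):
        print(name, audit(t))
```

The same audit can be rerun against the real route tables before the link is cabled, with the printer and workstation addresses replaced by actual hosts.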
