Routing between two networks

dukeminus
Level 1

We have a new CA office and are leasing space from another company. This is our proposed plan:

- Set up our own network with our own T1, Router, Switch, and workstations

- We would like to be able to route the company's IP on our network in order to utilize their printers.

What would be the best way to accomplish this? Thank you in advance for your cooperation.

Jon Marshall
Hall of Fame

dukeminus wrote:

We have a new CA office and are leasing space from another company. This is our proposed plan:

- Set up our own network with our own T1, Router, Switch, and workstations

- We would like to be able to route the company's IP on our network in order to utilize their printers.

What would be the best way to accomplish this? Thank you in advance for your cooperation.

Best solution is to get a firewall and connect the inside to your LAN and the outside to their LAN and make sure no traffic is allowed to be initiated from their LAN.

To be honest they should also be firewalling the link.

Jon

Wouldn't it be easier to set up a route on my router to allow for us to see their network? Or could I set up a VLAN on my switch using their subnet addressing and then make it routable through the switch?

dukeminus wrote:

Wouldn't it be easier to set up a route on my router to allow for us to see their network? Or could I set up a VLAN on my switch using their subnet addressing and then make it routable through the switch?

Yes absolutely it would be easier but not very secure.

How well do you trust the company and how well do they trust you?

If you have a virus outbreak on your network, how understanding will they be if it transfers to their network? And vice-versa.

If you each have internet connections and a person in the other company uses your internet connection to hack a third party site you are legally liable, not them.

What is the value of the data you have and they have, and how much of a cost would it be to either company if that data was tampered with or destroyed?

I could go on but the above should be enough to give you an idea of how inherently insecure simply connecting up 2 companies' networks is. As I say, of course simply connecting them up via an RJ45 link and adding routes is the easiest thing to do but not necessarily the right thing.

A lot depends on the relationship between your company and the other company but I wouldn't do it.

Jon

Jon,

Thank you for that insight. I was not thinking in regards to the security aspect. With that said, if I just add the route to see their network and they do not add a route on their router, I will only see their network, not vice-versa, right? If that is the case I will definitely add a firewall on my network.

dukeminus wrote:

Jon,

Thank you for that insight. I was not thinking in regards to the security aspect. With that said, if I just add the route to see their network and they do not add a route on their router, I will only see their network, not vice-versa, right? If that is the case I will definitely add a firewall on my network.

Well, they could simply add a route.

There are differing levels of security. Your router should be able to use access-lists, perhaps reflexive access-lists and possibly even a full blown firewall feature set depending on the router and IOS version/feature set. Is it a Cisco router?

So you wouldn't necessarily need a separate firewall but there are a lot of variables. Using access-lists on a router is minimal in terms of CPU but ACLs are not that secure, they add some security but they can be quite easily overcome. Running a firewall on the router does hit the CPU but it is a lot more secure.

It is a tradeoff between complexity, threat and value/criticality of assets. Your manager(s) will probably always want the quickest, easiest and cheapest solution so you need to make sure that if you go that route they fully understand the potential security implications.

Jon

Jon,

There are differing levels of security. Your router should be able to use access-lists, perhaps reflexive access-lists and possibly even a full blown firewall feature set depending on the router and IOS version/feature set. Is it a Cisco router? The router is a Cisco 3620 IOS 12.2(37)

Also just to make sure that I implement this correctly, I was going to attach a cable from their switch to my switch, set up the IP route on my router, and hopefully I will have connectivity.

If the 3620 cannot support a firewall I have an older Cisco PIX firewall that I was thinking of using for that office.

dukeminus wrote:

Jon,

There are differing levels of security. Your router should be able to use access-lists, perhaps reflexive access-lists and possibly even a full blown firewall feature set depending on the router and IOS version/feature set. Is it a Cisco router? The router is a Cisco 3620 IOS 12.2(37)

Also just to make sure that I implement this correctly, I was going to attach a cable from their switch to my switch, set up the IP route on my router, and hopefully I will have connectivity.

If the 3620 cannot support a firewall I have an older Cisco PIX firewall that I was thinking of using for that office.

If you have the PIX then use that as it is a dedicated firewall.

As for cabling you need to make sure you don't bypass the PIX. I would simply connect the cable from their switch to the outside interface of your PIX and then connect the inside interface of the PIX to your switch. Add a route to your router for their network pointing to the inside interface of the PIX.

Jon
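The cabling and routing described in the reply above, sketched as configuration. This is an added example, not part of the original thread: it assumes PIX OS 6.x syntax, PAT on the PIX, and constructed addresses (our LAN 10.10.10.0/24 with the router at 10.10.10.1, their LAN 192.168.50.0/24, and 192.168.50.250 as an address they assign to the PIX outside interface).

```cisco
! --- PIX (PIX OS 6.x syntax assumed; all addresses are constructed) ---
! ethernet0 = cable to THEIR switch, ethernet1 = cable to OUR switch
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
ip address outside 192.168.50.250 255.255.255.0
ip address inside 10.10.10.254 255.255.255.0
!
! PAT our LAN behind the PIX outside address. Their printers then see
! every job coming from 192.168.50.250, so their side needs no route
! back to 10.10.10.0/24.
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
!
! Deliberately absent: any "static" translation and any
! "access-group ... in interface outside". Without them the PIX drops
! every connection initiated from their LAN; only replies to sessions
! opened from the inside are let back in.
!
! --- Our router (IOS) ---
! Send traffic for their network to the PIX inside interface instead of
! cabling the two switches together, which would bypass the firewall.
ip route 192.168.50.0 255.255.255.0 10.10.10.254
```

After a test print, `show xlate` and `show conn` on the PIX should list only translations and connections that were opened from the inside network.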

Jon,

It was great working with you on this issue. I have attached a basic Visio on the setup. Is this the way to go?

Can you post the Visio as a .jpg, as I don't have Visio on my laptop?

Jon

Here is the .jpg

Looks good. Is your internal switch an L3 switch? If so, remember you will need routes on the PIX for your internal networks pointing to the L3 switch. You will also need routes on your 3620 for your internal networks pointing to the outside interface of the PIX unless you are NATting on the PIX, in which case you don't need them.

Finally you will need the third party to route your IPs back to the DMZ interface on the PIX.

Jon

Anas Hazeen
Level 1

You can use an IPsec VPN router configuration: a VPN between a remote site and a corporate office using Cisco routers.

Check this link:

http://www.blindhog.net/cisco-how-to-configure-an-ipsec-vpn/

Also, you will find an attached file.
