11-25-2011 09:53 PM - edited 03-07-2019 03:36 AM
Hi Experts,
Please find the attached network diagram.
Point-to-point connectivity exists between the two sites, and all the services (authentication, DNS, internet/web browsing) are accessed by all the machines
at the remote site from site1.
At the remote site there is an extra WAN connection. Is it possible that all the machines at the remote site access only the internet (web browsing)
through that link, while the remaining services, such as AD authentication and mail access, are still reached from site1?
Please find the routes at the remote site:
0.0.0.0 0.0.0.0 192.168.0.1
172.16.x.x 255.255.0.0 192.168.0.2
152.149.1.x 255.255.255.0 192.168.0.2
Please suggest.
11-25-2011 10:42 PM
Hi Prasant,
Yes, it is possible.
Just change your default route on the firewall to point toward the internet connection.
Regards,
Smitesh
11-25-2011 10:51 PM
Hi smitesh,
We have implemented a DR scenario at the remote site.
Whenever any server fails in site1, the server at the remote site will take over.
Also, NAT is done from site1 for the remote site servers.
If we give a default route pointing towards the internet connection, then NAT does not work.
11-25-2011 10:48 PM
Hi,
Create a port object-group with all the port numbers which need to be opened from remote to main, for example mail (SMTP, POP, ...),
and then create an ACL to allow traffic from remote to main by allowing this port object-group and deny all other communication from remote to main, and bind this rule on the IN of the inside interface.
I hope this will work.
please update the status
Thanks
Vipin
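As an added example (not Vipin's or the original poster's configuration), here is how that port object-group and ACL would look on a Cisco ASA at the remote site. Assumed: the firewall is a Cisco ASA that sits between the remote LAN (10.10.10.0/24 on "inside") and both the point-to-point link and the remote ISP; site1's prefixes are the 172.16.0.0/16 and 152.149.1.0/24 networks from the question; and the port list is an illustrative Active Directory plus mail set that you would trim to what the remote hosts actually use.

```cisco
! Added example, not the thread's own configuration. Assumptions: Cisco ASA at the
! remote site, remote LAN 10.10.10.0/24 on "inside", site1 prefixes taken from the
! original post, port list is an illustrative AD + mail set.
object-group network REMOTE-LAN
 network-object 10.10.10.0 255.255.255.0
object-group network SITE1-NETS
 network-object 172.16.0.0 255.255.0.0
 network-object 152.149.1.0 255.255.255.0
!
! TCP ports the remote hosts need at site1: mail plus Active Directory
! (Kerberos 88/464, RPC mapper 135 + dynamic range, LDAP/LDAPS, SMB, global catalog)
object-group service SITE1-TCP tcp
 port-object eq smtp
 port-object eq pop3
 port-object eq imap4
 port-object eq domain
 port-object eq 88
 port-object eq 135
 port-object eq ldap
 port-object eq 445
 port-object eq 464
 port-object eq ldaps
 port-object eq 3268
 port-object eq 3269
 port-object range 49152 65535
!
! UDP ports for DNS, Kerberos and NTP against site1's domain controllers
object-group service SITE1-UDP udp
 port-object eq domain
 port-object eq 88
 port-object eq ntp
 port-object eq 464
!
! Web browsing to anything that is not site1
object-group service WEB-TCP tcp
 port-object eq www
 port-object eq https
!
! Inbound on the inside interface, evaluated top-down: only the listed ports
! toward site1, everything else toward site1 is dropped and logged, then web
! browsing to the rest of the world, then an explicit logged deny.
access-list INSIDE_IN extended permit tcp object-group REMOTE-LAN object-group SITE1-NETS object-group SITE1-TCP
access-list INSIDE_IN extended permit udp object-group REMOTE-LAN object-group SITE1-NETS object-group SITE1-UDP
access-list INSIDE_IN extended deny ip object-group REMOTE-LAN object-group SITE1-NETS log
access-list INSIDE_IN extended permit tcp object-group REMOTE-LAN any object-group WEB-TCP
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
```

Two things to check before applying this: if site1 hosts web-based mail or intranet sites, add www/https to SITE1-TCP, because the deny toward SITE1-NETS comes before the general web permit; and the DR traffic initiated from site1 toward the remote servers is not affected by this inside-interface ACL, since it arrives on the other interface and its replies are handled by the ASA's stateful inspection.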
11-25-2011 11:00 PM
Hi vipin,
The problem is that all the machines get authenticated from the site1 Active Directory, so we have provided the DNS IP of site1.
If we provide a DNS IP other than this one, the systems do not get authenticated from site1 and cannot access the other applications,
and if we provide the DNS IP of site1 then they are not able to access the internet from the WAN link of the remote site.
11-26-2011 12:04 AM
Hi,
Please configure an alternate DNS in your remote site hosts. Also allow the necessary ports to the main site.
Please update
Thanks
Vipin
11-26-2011 12:13 AM
Hi vipin,
That solution we have in mind. Any alternative solution?
Thank you.
11-26-2011 02:39 AM
Hi Prashant,
> The problem is that all the machines get authenticated from the site1 Active Directory, so we have provided the DNS IP of site1.
> If we provide a DNS IP other than this one, the systems do not get authenticated from site1 and cannot access the other applications,
> and if we provide the DNS IP of site1 then they are not able to access the internet from the WAN link of the remote site.
You don't need to change the DNS IP at the remote site. You can still use the DNS at the main site for the internet and also for your internal applications. This is more like a centralised architecture for DNS/AD etc. DNS is just a query. Once your PC's browser gets the public IP address, the forwarding of traffic takes place via the L3 switch and the firewall at the remote site.
Your scenario is quite common where you have a private link between the head office and the remote office. Generally speaking, remote sites use HQ for internet as well, but in some scenarios the remote site also has internet as a backup connection. Do you have internet at your HQ office?
Anyway, if you want the remote site to use the internet at the remote site, then the firewall needs to have a default route to the ISP. If you are getting a full routing table then this is not required, but I am sure your FW is not receiving the full internet table.
Hope this helps,
Regards
Kishore
11-26-2011 03:55 AM
Hi kishore,
You are right, the remote site uses HQ internet, and there is also a backup link at the remote site.
So whenever HQ internet goes down, the remote site should use the WAN link and must be able to access the internet.
Even after giving a default route to that ISP it is not going. Could you please suggest?
11-26-2011 04:05 AM
You could do the following to accomplish this:

! Numbered extended ACL on IOS (no "extended" keyword): match web traffic
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 443
!
! Policy-route matched traffic to the remote WAN next hop
route-map WebTrafficWan permit 10
 match ip address 101
 set ip next-hop <next hop of remote WAN connection>
!
! Apply the policy on the LAN-facing SVI (acts on packets entering it)
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map WebTrafficWan
All 80/443 traffic on the remote site will go towards the remote site WAN connection and all other traffic
will follow normal routing. I did notice, according to your diagram, all the DNS servers are at the main
site. So, if you are querying DNS for, let's say, www.blah.com, it's going to go across the p2p connection
to the remote site, which will send a response to the client, so basically traffic will go from the remote site
to the main site for DNS, and then back out the remote site WAN connection for web browsing traffic. This seems
like suboptimal routing to me. I would personally put a DNS server at your remote location if you wanted to
do this. You could also just have routes pointing to the main site for whatever you need at the remote site
and then have a default route going towards the remote site WAN.
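Building on the policy-routing idea above, here is an added example (not from this thread) of the fuller version a practitioner would deploy on the remote-site L3 switch. It goes beyond the posted config in two ways: traffic to site1's own prefixes is excluded from the policy, so HTTP/HTTPS to internal servers (webmail, intranet) and all DNS/AD traffic keep using the point-to-point link; and the remote WAN next hop is used only while an IP SLA probe says the ISP path is alive, so a dead ISP link falls back to normal routing via site1 instead of black-holing web traffic. Assumed values: the LAN SVI is Vlan10 (10.10.10.1/24), the remote ISP gateway is 203.0.113.1 on GigabitEthernet0/1, 198.51.100.1 is a probe target beyond that gateway, and site1's prefixes are the ones from the original post. The addresses are RFC 5737 documentation placeholders to be replaced with the real ones.

```cisco
! Added example, not the poster's configuration. Assumptions: IOS L3 switch at the
! remote site, LAN on Vlan10 10.10.10.0/24, remote ISP gateway 203.0.113.1 on Gi0/1,
! probe target 198.51.100.1, site1 prefixes 172.16.0.0/16 and 152.149.1.0/24.
!
! 1. Probe a host beyond the ISP gateway. The host route pins the probe to the ISP
!    path so it cannot leave via the default route toward site1 and give a false "up".
ip route 198.51.100.1 255.255.255.255 203.0.113.1
ip sla 10
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/1
 frequency 10
 timeout 2000
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
 delay down 30 up 10
!
! 2. What to policy-route. Deny entries come first: anything destined for site1's
!    prefixes (AD, DNS, mail, intranet/webmail on 80/443) is left to the routing
!    table and the point-to-point link. Only web traffic to other destinations matches.
access-list 101 deny   ip any 172.16.0.0 0.0.255.255
access-list 101 deny   ip any 152.149.1.0 0.0.0.255
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 443
!
! 3. Set the next hop only while track 10 is up. If the ISP is down the set is
!    skipped and the packet follows the normal route (0.0.0.0/0 via 192.168.0.1).
route-map WebTrafficWan permit 10
 match ip address 101
 set ip next-hop verify-availability 203.0.113.1 10 track 10
!
! 4. Apply on the LAN-facing SVI; PBR acts on packets entering this interface.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map WebTrafficWan
!
! Verification (exec mode):
!   show track 10
!   show route-map WebTrafficWan
!   debug ip policy        (lab only; it logs per packet)
```

Three caveats. NAT for this path now has to happen on the remote-site firewall or router in front of the ISP, since the thread says NAT is currently done at site1. Web traffic sent straight out the remote ISP bypasses whatever filtering or proxying site1's internet edge applies, so the remote firewall needs equivalent outbound policy. And on some Catalyst platforms (3560/3750 family) PBR is only available with the routing SDM template, which requires a reload to change.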