Design problem

Hi Experts,

Please find the attached network diagram.

There is point-to-point connectivity between the two sites, and all the services (authentication, DNS, internet/web browsing) are accessed by all the machines at the remote site from site1.

At the remote site there is an extra WAN connection. Is it possible for all the machines at the remote site to access only the internet (web browsing) through that link, while the remaining services such as AD authentication and mail access still come from site1?

Please find the routes at the remote site:

0.0.0.0      0.0.0.0          192.168.0.1
172.16.x.x   255.255.0.0      192.168.0.2
152.149.1.x  255.255.255.0    192.168.0.2

Please suggest.

  • LAN Switching and Routing

Design problem

Hi Prasant,

Yes, it is possible.

Just change your default route on the firewall to point toward the internet connection.

Regards,

Smitesh


Design problem

Hi Smitesh,

We have implemented a DR scenario at the remote site.

Whenever any server fails in site 1, the server at the remote site will take over.

Also, NATting is done from site1 for the remote site servers.

If we give the default route pointing towards the internet connection, then NATting does not work.


Design problem

Hi,

Create a port object-group with all the port numbers which need to be opened from remote to main, for example mail (SMTP, POP, ...).

Then create an ACL that allows traffic from remote to main for this port object-group and denies all other communication from remote to main, and bind this rule on the IN direction of the inside interface.

I hope this will work.

Please update the status.

Thanks

Vipin

Thanks and Regards, Vipin

Design problem

Hi Vipin,

The problem is that all the machines get authenticated from the site1 Active Directory, so we have provided the DNS IP of site1.

If we provide a DNS IP other than this, the system does not get authenticated from site1 and cannot access other applications.

And if we provide the DNS IP of site1, then it is not able to access the internet from the WAN link of the remote site.


Design problem

Hi,

Please configure an alternate DNS server on your remote-site hosts. Also allow the necessary ports to the main site.

Please update.

Thanks

Vipin

Thanks and Regards, Vipin

Design problem

Hi Vipin,

That solution we already have in mind. Is there any alternative solution?

Thank you.

Re: Design problem

Hi Prashant,

> The problem is that all the machines get authenticated from the site1 Active Directory, so we have provided the DNS IP of site1.
> If we provide a DNS IP other than this, the system does not get authenticated from site1 and cannot access other applications.
> And if we provide the DNS IP of site1, then it is not able to access the internet from the WAN link of the remote site.

You don't need to change the DNS IP at the remote site. You can still use the DNS at the main site for the internet and for your internal applications as well. This is more like a centralised architecture for DNS/AD etc. DNS is just a query. Once your PC browser gets the public IP address, the forwarding of traffic takes place via the L3 switch and the firewall at the remote site.

Your scenario is quite common where you have a private link between the head office and a remote office. Generally speaking, remote sites use HQ for internet as well, but in some scenarios the remote site also has internet as a backup connection. Do you have internet at your HQ office?

Anyway, if you want the remote site to use the internet at the remote site, then the firewall needs to have a default route to the ISP. If you are getting a full routing table then this is not required, but I am sure your FW is not receiving the full internet table.

Hope this helps,

Regards

Kishore


Design problem

Hi Kishore,

You are right, the remote site uses the HQ internet, and there is also a backup link at the remote site.

So whenever the HQ internet goes down, the remote site should use the WAN link and must be able to access the internet.

Even after giving a default route to that ISP it is not going out. Could you please suggest?
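The failover the post above asks for (HQ internet as primary, the remote-site WAN link only when HQ internet is down) is usually done on an IOS L3 switch with a tracked static default route plus a floating backup. The configuration below is an added example, not part of any reply in this thread. It assumes, as placeholders, that 192.168.0.1 and 192.168.0.2 are the existing next hops from the posted routes, that 192.0.2.1 is the next hop of the remote-site internet link, and that 203.0.113.1 is a public address reachable through the HQ internet breakout that can be used as a probe target; none of these last two values come from the thread. Because the backup route is only installed while the probe fails, the normal-day path (and the NAT done at site1 for the remote-site DR servers, which the original poster said breaks with a permanent default route to the ISP) is unchanged.

```cisco
! Added example (not from the thread): tracked primary default route via site1/HQ
! with a floating backup default route via the remote-site WAN link.
! Assumed placeholders (not from the original post):
!   192.168.0.1 = existing default next hop toward site1 (from the posted routes)
!   192.168.0.2 = next hop for the site1 networks (from the posted routes)
!   192.0.2.1   = next hop of the remote-site internet link
!   203.0.113.1 = public address reachable through the HQ internet breakout
!
! Pin the probe target to the primary path. Without this host route, the probe
! would follow whichever default route is active, succeed via the backup link,
! and flap the track object back and forth.
ip route 203.0.113.1 255.255.255.255 192.168.0.1
!
! Probe something beyond the point-to-point link: pinging 192.168.0.1 itself
! only proves the P2P link is up, not that HQ still has internet access.
ip sla 1
 icmp-echo 203.0.113.1
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! Primary default route is installed only while track 1 is up ...
ip route 0.0.0.0 0.0.0.0 192.168.0.1 track 1
! ... otherwise the floating static (administrative distance 250) takes over.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 250
!
! Site1 networks stay on the point-to-point path whichever default is active,
! so AD, DNS and mail are not affected by the failover.
ip route 172.16.0.0 255.255.0.0 192.168.0.2
ip route 152.149.1.0 255.255.255.0 192.168.0.2
```

Verify with `show track 1`, `show ip sla statistics 1` and `show ip route 0.0.0.0` before and after pulling the HQ internet link; the backup still only works if the device at 192.0.2.1 (the remote-site firewall or ISP router) performs NAT for the remote LAN, which is the point the thread raises earlier.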

Re: Design problem

You could do the following to accomplish this:

! Match web traffic (HTTP and HTTPS) from the remote site
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 443
!
! Policy-route matched traffic to the remote-site WAN next hop
route-map WebTrafficWan permit 10
 match ip address 101
 set ip next-hop <next hop of remote WAN connection>
!
! Apply the policy inbound on the client VLAN interface
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map WebTrafficWan

All 80/443 traffic on the remote site will go towards the remote site WAN connection, and all other traffic will follow normal routing. I did notice, according to your diagram, that all the DNS servers are at the main site. So, if you are querying DNS for, let's say, www.blah.com, it's going to go across the p2p connection to the remote site, which will send a response to the client, so basically traffic will go from the remote site to the main site for DNS, and then back out the remote site WAN connection for web browsing traffic. This seems like suboptimal routing to me. I would put a DNS server at your remote location personally, if you wanted to do this. You could also just have routes pointing to the main site for whatever you need at the remote site, and then have a default route going towards the remote site WAN.
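The route-map in the reply above matches `tcp any any eq 80/443`, so HTTP/HTTPS to site1 intranet, OWA or other internal web servers would also be policy-routed out the remote-site internet link, where it cannot reach a private 172.16.x.x address, and if the remote WAN link is down the matched traffic is black-holed instead of falling back to the point-to-point path. The configuration below is an added example, not the reply's code, showing the two usual fixes on an IOS L3 switch: a named ACL that exempts the site1 networks from the posted routes, and `set ip next-hop verify-availability` with an IP SLA track so the policy is only applied while the WAN next hop answers. It assumes 10.10.10.0/24 on Vlan10 is the remote-site client VLAN (taken from the reply) and uses 192.0.2.1 as a placeholder for the remote WAN next hop, which the thread never states.

```cisco
! Added example (not from the thread): policy-based routing that sends only
! internet-bound HTTP/HTTPS to the remote-site WAN link, with fallback.
! Assumed placeholders (not from the original post):
!   192.0.2.1   = next hop of the remote-site internet link
!   10.10.10.0/24 on Vlan10 = remote-site client VLAN (from the reply above)
!   172.16.0.0/16 and 152.149.1.0/24 = site1 networks (from the posted routes)
!
! 1. Match only web traffic that is NOT destined for site1. Without the deny
!    lines, web traffic to site1 internal servers would leave via the ISP.
ip access-list extended WEB-TO-INTERNET
 remark Keep site1-bound web traffic on the point-to-point link
 deny   tcp any 172.16.0.0 0.0.255.255 eq 80
 deny   tcp any 172.16.0.0 0.0.255.255 eq 443
 deny   tcp any 152.149.1.0 0.0.0.255 eq 80
 deny   tcp any 152.149.1.0 0.0.0.255 eq 443
 permit tcp 10.10.10.0 0.0.0.255 any eq 80
 permit tcp 10.10.10.0 0.0.0.255 any eq 443
!
! 2. Track the remote WAN next hop so the policy is withdrawn when the local
!    internet link is down and web traffic follows the routing table (site1).
ip sla 10
 icmp-echo 192.0.2.1
 frequency 10
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
!
! 3. Policy-route matched traffic; 'verify-availability ... track' uses the
!    next hop only while track 10 is up. Unmatched traffic (AD, DNS, mail,
!    anything to the site1 routes) is routed normally.
route-map WEB-TRAFFIC-WAN permit 10
 match ip address WEB-TO-INTERNET
 set ip next-hop verify-availability 192.0.2.1 10 track 10
!
! 4. Apply inbound on the client VLAN. PBR acts on traffic entering this
!    interface; traffic originated by the switch itself is not affected.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map WEB-TRAFFIC-WAN
```

Check the result with `show route-map WEB-TRAFFIC-WAN` (the policy-routing counters should increase for browsing sessions only) and `show track 10`; a client at 10.10.10.x should reach a site1 web server over the point-to-point link and an internet site over the local WAN link, and a `traceroute` from the client to each destination makes the split visible.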
