Hi, I have a Cisco 877 ADSL router set up in VPN mode and it is working fine. The remote office has just had another network link put in to another remote company. It's just an Ethernet cable for this other network. So my users need to continue to use my VPN but occasionally use this other network.
How can I configure this and the routing? I was wondering if I can put the Ethernet cable into, say, FE/0 and give FE/0 an IP address that is on the remote IP range of this new network?
What exactly do you mean by VPN mode? Do you currently have two offices and have a VPN between the two, or are your users connecting in via a client?
I can't really say all that you need without knowing what you have, but it sounds like you may be looking at a GRE/IPSec Tunnel and maybe a dynamic routing protocol.
Please give a few more details.
Sorry let me explain.
I am in the head office and I have a simple VPN from a remote office via this Cisco 877 to me at the head office, where I have a Cisco Concentrator. All is working just fine between here and this small office on an ADSL line. They connect to our email server, file server and internet through this tunnel too, basically everything.
Now this remote office has had a leased line installed to a company that's not part of our company. They will be just leaving an Ethernet cable in the comms cabinet where this Cisco 877 is, and I'm just wondering how I can simply get this remote office to continue with my simple VPN, but when the users in this remote office need to use this "other" network on this leased line they can.
I was wondering if I put the Ethernet cable into this Cisco 877 FE/0 and gave it an IP for the leased line (they will provide), then would that be ok?
I think that you've got two things to be concerned with.
1- Security - Should the users at this site that is not part of your company be able to connect to both your remote office and your head office? Should they have full access to everything, or will you need to restrict their access?
How many subnets do you currently have? How many subnets does the other company connecting in have? If the sum of those answers is 3, you can easily get by with static routing. You could plug the Ethernet cable into the 877 and give it the IP address that they provide. This will probably be a peering IP address which means it will be a /30 or something which gets you to their network, but is not on the subnet of their network.
1- Configure the IP address on Fe0/0
2- Verify connectivity with remote router
3- Define static route to remote network on 877 through your peering on Fe0/0 (this step assumes that the address that they give for Fe0/0 is not on the subnet that you are trying to connect to)
4- Define route at head-end to point to 877 to get to the subnet of the company tying in
5- The company tying in will also have to add routing on their side to point to the subnet in your remote office, and at your head end
6- Depending on how your VPN is set up, i.e. whether you are using GRE/IPSec or IPSec, you will need to match the interesting traffic that you have defined for IPSec so that what goes from your head end to remote and back for the new office being tied in will be matched and sent through the VPN.
Please post back if you have further questions.
Jeff makes some very good points. I have a couple of things to add.
Your post talks about the remote office having a leased line to this other location. If it really is a leased line, what does it connect to? It is rare that leased lines terminate in Ethernet. Can you clarify what kind of line and what kind of termination it is?
It is also not clear to me from your post what connectivity is desired for whatever is connecting to your remote office. Are they getting connectivity only to your remote office? Are they getting connectivity to your remote office and your HQ office? Are they getting connectivity to your remote office, to your HQ office and to the Internet? The answer to this will determine how much and what kind of work you need to do. If they are getting connectivity only to your remote office then you need to make sure that your remote router has a route to their addresses, that their router has a route to your remote addresses, and you will need some access list filtering to prevent their traffic going through your VPN connection. If they are getting connectivity to your remote office and to your HQ office then you need routes to their address space in your remote and in your HQ, and you need to modify what is interesting traffic over the VPN to include their traffic (and they need routes for your remote addresses and your HQ addresses). And you need some filtering at HQ to prevent their traffic being sent into the Internet.
I do apologise.
This new network will only connect to this remote office and not our HQ. So:
Current network A (HQ) and our remote office B are on an IPsec VPN. The remote office has a Cisco 877 and the HQ has a concentrator. Everything is great with this and working.
Now network C is here to be put in at the remote office B. Network B only needs to use network C. Network C will not need to speak to network A and I will not be putting them on the network lists on the VPN.
You're right, I'm not sure how they will present this leased line; I was told it was an Ethernet cable.
It is a helpful clarification that the new network is only to access the network at your remote site and not to HQ or to the Internet. In this case, while it is not absolutely required, I think that it would be prudent to do some access list filtering to prevent traffic from that site from accidentally going out your outward facing interface or going out through your VPN.
There are some questions to get answered before you can know what to do on the 877 to accommodate this. It might be possible that the new connection will be presented as an Ethernet (perhaps it might be some kind of Metro Ethernet, or perhaps the other network is physically close enough to get an Ethernet to you). You need to get some clarification about how the connection will be presented. And you need to get some clarification about whether the interface address is part of the network address space where their users are (it really is an Ethernet connection) or whether the new connection is some connecting subnet and the users are in a different address space (the more typical leased line scenario). If the new connection is really part of the address space where the users are (Ethernet connection) then you will automatically route to them. If the new connection is some connecting subnet then you would need some kind of routing information (probably a static route) to their subnet pointing to the intermediate subnet as the next hop. And they will need routing information to your network address space.
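Jeff's steps 1-3 and Rick's filtering advice, written out as IOS configuration. This is an added example, not config posted by anyone in the thread. Assumed: the link is presented as a connecting /30 (placeholder 192.0.2.0/30, with .2 on the 877 and .1 on the other company's router) rather than their user subnet, the interface name FastEthernet0/0 as used above, and the ACL names NETC-IN and VPN-TRAFFIC; the subnets are the ones given later in the thread.

```cisco
! Added example, not from the thread. Placeholder peering subnet
! 192.0.2.0/30: 877 side .2, other company's router .1.
! Their users are in 10.10.10.0/24; remote LAN is 172.19.1.0/24;
! HQ is 192.168.30.0/24.
!
interface FastEthernet0/0
 description Link to other company (network C), connecting subnet only
 ip address 192.0.2.2 255.255.255.252
 ip access-group NETC-IN in
 no shutdown
!
! Jeff's step 3: static route to their user subnet via the peering address.
ip route 10.10.10.0 255.255.255.0 192.0.2.1
!
! Rick's filtering: traffic arriving from network C may reach the remote
! LAN only. Anything aimed at HQ (would ride the VPN) or elsewhere (would
! leave via the ADSL interface) is dropped and logged.
ip access-list extended NETC-IN
 deny   ip any 192.168.30.0 0.0.0.255 log
 permit ip 10.10.10.0 0.0.0.255 172.19.1.0 0.0.0.255
 deny   ip any any log
!
! Interesting-traffic ACL for the existing IPsec tunnel (name assumed).
! Left as LAN<->HQ only: 10.10.10.0/24 is deliberately NOT added, since
! network C is not meant to use the VPN.
ip access-list extended VPN-TRAFFIC
 permit ip 172.19.1.0 0.0.0.255 192.168.30.0 0.0.0.255
```

If the link turns out to be a plain Ethernet where FastEthernet0/0 sits directly in 10.10.10.0/24, the ip route line is dropped and the interface gets an address in that range; the ACL stays the same.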
Thanks Rick, as soon as I get some more information I will post back with the 877 config etc.
Would the IP of the FE/0 be different from all the IP subnets currently in use? Just trying to get this figured out in my head.
While we will not know for sure until you get some clarification from them about the new connection, I cannot imagine a scenario where the FE/0 would be part of the subnets currently in use. I would think that it would almost certainly have to be a subnet range not currently used. My question is more whether the address you will configure on your router is part of the subnet where their users are located, or whether it is a connecting subnet and their users are on a different subnet from the one that will appear on your router.
1- Configure the IP address on Fe0/0
Would I give it a different IP/subnet to the LAN and remote office network?
Cisco 877 is 172.19.1.0/24
HQ is 192.168.30.0/24
This other remote company 10.10.10.0/24
Would I give it a completely different range, like 172.19.2.1/24?
I think that I addressed this issue in the response that I was typing when you posted this. I do not believe that we can answer this question until you know a bit more about the connection to this new network. There is a possible scenario in which your interface address is part of the same subnet where their users are located (a direct Ethernet connection). I suspect it is more likely that the interface on your router is part of some connecting subnet and in that case it would be given an address in some different range.
When you get clarification from them about how this connection will work, and whether it is a connecting subnet or part of their actual subnet then we will know better how to configure your interface.