Network architecture question 1

Status
Not open for further replies.

bubarooni

Technical User
May 13, 2001
506
US
I have a network architecture question that I can't figure out. Here is what I need to accomplish:

I have an NT 4.0 domain. I need to integrate a vendor application that runs on two servers running Windows 2000 and requires Active Directory. Because of the Active Directory requirement I cannot add the servers directly to my network and need to set them up as their own domain.

At the Central Office the broadband comes into the Ethernet0 port on the PIX and the Pix's Ethernet1 port connects to a Catalyst 2900 series switch. The router at the Central Office has just one ethernet port (no WIC-1ENET card) and that port connects to the same switch.

The Remote Sites connect back to the Central Office through Site-To-Site VPNs from their 1750s back to the PIX 506 and would need to be able to access the new vendor application in the new domain. The routers at the Remote Sites have a WIC-1ENET card that is connected to a broadband modem and their on-board 10/100 port is connected to a switch.


Here is a rough facsimile of my network setup:

Central Office:
Broadband Modem --> Pix 506-->
--> Catalyst 2924XL Switch
1750 Router-->
(192.168.1.x, 255.255.255.0)


Remote Site 1:
Broadband Modem ---> 1750 Router (192.168.2.x,255.255.255.0)

Remote Site 2:
Broadband Modem ---> 1750 Router (192.168.3.x,255.255.255.0)

Remote Site 3:
Broadband Modem ---> 1750 Router (192.168.4.x,255.255.255.0)

Remote Site 4:
Broadband Modem ---> 1750 Router (192.168.5.x,255.255.255.0)

What I would like to do is add a router at my Central Office to the existing network, 192.168.1.x, and make it the 192.168.6.x network and place the new servers behind it. Because my Server Room and Phone Closet are in different locations at the Central Office, I would need to daisy-chain the new router for the 192.168.6.x network off an existing switch which has a 192.168.1.x. Assuming this is possible, how can I ensure all sites and the Central Office can access the new servers?

I just need some way to set these two servers off by themselves so they can have their own domain and still be accessible to the corporate network. I have never had to put a router behind another router and haven't the foggiest idea how to proceed. Is there a different solution and I'm just making this needlessly difficult for myself?



Thanks In Advance
 
Could I add a WIC-1ENET card to the Central Office 1750 router, make that a different subnet and route requests to that interface? I thought about subnetting my Class C address but I have too many devices on that network.
 
Hello. Alright, here are some things to think about. One thing you could do is to add a secondary IP address on your 1750 router at the head office; the IP address could be something like 192.168.6.x. So you would have 192.168.1.x and 192.168.6.x on the router Ethernet interface, going into the switch. That may not be the best solution, because it's memory intensive. Another option is to set up VLANs on the 1750 router.
Vlan 1
ip address 192.168.1.x

Vlan 6
ip address 192.168.6.x

Then set up trunking from the 1750 Ethernet port to the switch port. Then on the switch, configure the port connecting to the new server with the new domain to Vlan 6 (switchport access vlan 6). On the PIX, make sure you have a route inside statement to 192.168.6.0, which may not be needed if you have a 192.168.0.0 route inside statement.
Hope this helps.
 
Anything helps at this point. What if I did this?


Purchase another router with two Ethernet ports, probably another 1750 with a WIC-1ENET. I will configure one port with a 192.168.1.x address and put it on the existing Catalyst switch. The second port I will configure with a 192.168.6.x address and hook up to a new switch.

If I do this, will the 192.168.1.x network be able to see the 192.168.6.x network? Will I need to add some type of routing statements at the remote sites so they will know to forward packets for 192.168.6.x requests to the 192.168.1.x network?

On the route statement, I would only want them to have access to the application server. Assuming the application server is 192.168.6.11, would that be something like this on the PIX:

route inside 192.168.6.11 255.255.255.255 192.168.1.1 1

What about the remote routers?
 
OK, I did put a WIC-1ENET card in the router. Is there a way to make them recognize each other? Because they sure don't seem to be aware of each other. I can't ping the 192.168.6.1 from anywhere on the network though the 192.168.1.2 is visible. Is there some statement or command that needs to be added? I've been googling for an answer but bridging is the only thing coming up on my searches and I haven't seen anything relevant to what I'm trying. Here are my two interfaces and the RIP as currently configured.

interface ethernet0
ip address 192.168.6.1 255.255.255.0
half-duplex

interface fastethernet0
ip address 192.168.1.2 255.255.255.0
speed auto

router rip
version 2
network 192.168.1.0
network 192.168.6.0
no auto-summary

Thanks In Advance
 
Hi,

First try doing a "show ip route", and see if the 192.168.6.x network shows up. It should. Also you can do a tracert from a PC and see where the trace stops. Also, from the router can you ping 192.168.6.1? You should. Doing these tests should help in figuring out what's going on. Your config looks fine. I hope you did a "no shut" on the ethernet 0 interface... I'm sure you did, but you never know. You can also do the "show ip interface brief" command, and you should see that interface "up up". Can you also ping the 192.168.6.1 from the firewall? I think you're almost there, it has to be something small. Good luck!
 
OK, before I waste yours or anyone else's time, let me ask you a dumb question. If I don't have anything plugged into ethernet0 yet, is that going to prevent it from being pingable or make it show up as protocol down? The interface itself is up on e0 but the line protocol is down. I thought I'd be able to ping it anyway, at least from the router itself.

Thanks



 
Hey, this isn't a waste of time at all, so ask away. To answer your question, you do need that interface to be in up up status to ping it, and for that route to be advertised. Once you plug a cable into it, you should be fine: you can ping it, and the routes should be in your routing table.
 
That was indeed the holdup. A valuable lesson learned the hard way.

I can ping the servers in that new 192.168.6.x subnet from the 192.168.1.x subnet but I can't ping from the 192.168.1.x workstations/servers from the 192.168.6.x subnet.

I can ping the 192.168.1.x subnet from the new router though. I can actually telnet into either interface on the new router and ping everything.

Does that mean I have a Windows configuration error or am I messing up the routing somehow?

Thanks

 
OK, now the second half of the sentence describing the pinging situation is a little unclear, but I believe what you're saying is that you can't ping 192.168.1.x from the 192.168.6.x network servers/workstations.

From the look of it, I think you are probably right, and that it is a Windows configuration issue. Are the servers/workstations on the 192.168.6.x network using the correct default gateway? The default should be the router's Ethernet interface on the 192.168.6.x network.
 
A probably dumb question from a newbie like me.
Don't you have to declare a static route between the 192.168.1.0 network and the 192.168.6.0 network?
Or use a routing protocol...
bye,
busche
 
What I meant was when I am telnetted into the router's 192.168.6.1 interface I can ping anything on the network. When I am sitting on one of the new servers on the 192.168.6.x network I can ping the router's 192.168.6.1 interface and the 192.168.1.2 interface but that's as far as I can get. I actually tried both of the interfaces as a default gateway to no avail.

I am going to pursue the Windows configuration angle. It's my first Win2k w/Active Directory domain and I kinda wonder if I'm not missing something to do with that.

Thanks for the tips AND the patience!
 
Do the actual networks show in the router's routing table?

Use the command shown

Router1# sh ip route

This will list the table and the network you are trying to ping should be there. If it is not then that is the problem.

Also, ensure ICMP is allowed throughout the network.

If you are using static routes and have a route to the network, make sure you have one back as well.
 
For the servers and workstations on the 192.168.6.x network, their default gateway should be 192.168.6.1. Also do a tracert from those servers on the 192.168.6.x network to an IP address on the 192.168.1.x network, and see what the last IP address to be resolved is, or where it stops responding. And then also try it in reverse, from a server on the 192.168.1.x network to the 192.168.6.x network.

You are using RIP, and you said that you have both the 192.168.6.x and 192.168.1.x network statements, so the routing table should be fine.

On the 192.168.1.x network, what is the default gateway? Is it pointing to the router's Ethernet interface, or is it going to the PIX? If it's pointing to the PIX, make sure there's a route inside for the 192.168.6.x network. Also, from the PIX, can you ping the 192.168.6.x network? Also make sure the PIX isn't stopping ICMP.
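
The return-path checks the replies suggest (correct default gateway on each subnet, a route back for every route out), written as an added example that is not part of the thread. The router and server addresses come from the posts; the PIX inside address 192.168.1.254, the workstation 192.168.1.50 and the 203.0.113.x ISP hop are constructed assumptions.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match: returns the next hop, "connected", or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in routes.items()]
    hits = [(n, nh) for n, nh in hits if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(nodes, src, dst, max_hops=8):
    """Follow each node's table from src to dst; returns (delivered, path)."""
    owner = {ip: name for name, n in nodes.items() for ip in n["ips"]}
    path = [owner[src]]
    for _ in range(max_hops):
        here = path[-1]
        if dst in nodes[here]["ips"]:
            return True, path
        routes = nodes[here]["routes"]
        hop = lookup(routes, dst)
        if hop is None:
            return False, path + ["no route"]
        # A gateway is only usable if it sits on a directly connected subnet.
        if hop != "connected" and lookup(routes, hop) != "connected":
            return False, path + ["gateway %s is off-link" % hop]
        target = dst if hop == "connected" else hop
        if target not in owner:
            return False, path + ["leaves the modelled network"]
        path.append(owner[target])
    return False, path + ["loop"]

def build(ws_routes=None, srv_gw="192.168.6.1"):
    """Constructed model of the central office. PIX inside address,
    workstation address and ISP hop are assumptions, not from the thread."""
    ws = {"192.168.1.0/24": "connected", "0.0.0.0/0": "192.168.1.254"}
    ws.update(ws_routes or {})
    return {
        "server": {"ips": {"192.168.6.11"}, "routes": {
            "192.168.6.0/24": "connected", "0.0.0.0/0": srv_gw}},
        "router": {"ips": {"192.168.1.2", "192.168.6.1"}, "routes": {
            "192.168.1.0/24": "connected", "192.168.6.0/24": "connected"}},
        "pix": {"ips": {"192.168.1.254"}, "routes": {
            "192.168.1.0/24": "connected", "203.0.113.0/24": "connected",
            "0.0.0.0/0": "203.0.113.1"}},
        "workstation": {"ips": {"192.168.1.50"}, "routes": ws},
    }

if __name__ == "__main__":
    # Reply direction, before and after a host route via the new router.
    for net in (build(), build({"192.168.6.0/24": "192.168.1.2"})):
        print(trace(net, "192.168.1.50", "192.168.6.11"))
```

A ping only succeeds when both directions are delivered, so run `trace` once per direction; the model checks route presence only and does not cover ICMP filtering on the PIX.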
 