overall network design ??? w/ 2620 router config ?

Status
Not open for further replies.

fpower

MIS
Aug 12, 2003
54
US
Hi,
I am having a problem I was hoping someone could help me with. I need to configure two new routers for DR, one on the headquarters side and one on the DR side. (actually a consultant had set this up before he left, and I have to figure it out now, and I am really lost... the config mentions a 172. network which we don't have????)

My current environment is a Netopia router (internet access), then a PIX 515 firewall, then a 4006 (internal network). All the servers on the network have the PIX as their default gateway (10.10.1.1). We use an MS Proxy server for internet access on the workstations. I wanted to change the default gateway on all workstations and servers to the IP of the new HQ router.

Any guidance would be a great help...
here is my HQ router config.

show run
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable password xxxxxxxx
!
!
!
!
!
ip subnet-zero
!
prompt WL120>
!
!
!
process-max-time 200
!
interface FastEthernet0/0
description LAN-120W
ip address 10.10.1.254 255.255.0.0
no ip directed-broadcast
speed 100
full-duplex
!
interface Serial0/0
description WAN to DR
ip address 172.16.1.1 255.255.0.0
no ip directed-broadcast
no ip mroute-cache
no fair-queue
!
router rip
network 10.0.0.0
network 172.16.0.0
network 172.20.0.0
network 192.168.1.0
neighbor 10.10.1.1
neighbor 172.16.1.2
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.1.1
ip route 172.20.0.0 255.255.0.0 172.16.1.2
no ip http server
!
!
line con 0
transport input none
line aux 0
line vty 0 4
password xxxxxxxx
login
!
!
no scheduler allocate
end

WL120>
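A quick way to check a posted running-config like the one above for the usual security weak spots is to parse it and audit each section. The script below is an added example, not something from the thread or from Cisco; it embeds a constructed copy of the security-relevant lines of the 2620-HQ config (with a pager prompt left in to show it being skipped), splits it into global commands and interface/router/line blocks, and reports on clear-text passwords, management (vty) access restrictions, directed broadcasts, and RIP: whether RIPv1 (classful, no authentication) is in use, and which `network` statements match no interface address and so have no effect. The finding names and messages are my own choices, not IOS terminology.

```python
import ipaddress
import re

# Constructed sample: the security-relevant lines of the 2620-HQ running-config
# posted above, with one "--More--" pager prompt left in to show it being skipped.
SAMPLE_CONFIG = """\
no service password-encryption
enable password xxxxxxxx
!
interface FastEthernet0/0
ip address 10.10.1.254 255.255.0.0
no ip directed-broadcast
!
interface Serial0/0
ip address 172.16.1.1 255.255.0.0
no ip directed-broadcast
!
router rip
network 10.0.0.0
network 172.16.0.0
network 172.20.0.0
network 192.168.1.0
neighbor 10.10.1.1
neighbor 172.16.1.2
!
--More--
ip route 0.0.0.0 0.0.0.0 10.10.1.1
ip route 172.20.0.0 255.255.0.0 172.16.1.2
no ip http server
!
line con 0
transport input none
line aux 0
line vty 0 4
password xxxxxxxx
login
!
end
"""

BLOCK_HEADER = re.compile(r"^(interface|router|line)\s")


def parse_sections(config):
    """Split an IOS config into global lines and {block header: body lines}.
    Body lines need not be indented (the posted config lost its indentation);
    a block ends at '!', 'end', or the next block header."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("--More--"):
            continue  # blank line or terminal pager prompt, not configuration
        if line in ("!", "end"):
            current = None
            continue
        if BLOCK_HEADER.match(line):
            current = line
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, blocks


def classful_network(addr):
    """Classful network of an IPv4 address. RIP 'network' statements are classful,
    so this is what the router actually matches its interfaces against."""
    first_octet = int(addr.split(".")[0])
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def audit(config):
    """Return a list of (check, message) findings for the config text."""
    global_lines, blocks = parse_sections(config)
    findings = []

    if "no service password-encryption" in global_lines:
        findings.append(("password-encryption",
                         "enable and line passwords are stored in clear text; add 'service password-encryption'"))
    has_enable_pw = any(l.startswith("enable password ") for l in global_lines)
    has_enable_secret = any(l.startswith("enable secret ") for l in global_lines)
    if has_enable_pw and not has_enable_secret:
        findings.append(("enable-secret", "use 'enable secret' (hashed) instead of 'enable password'"))
    if "ip http server" in global_lines:
        findings.append(("http-server", "HTTP management is enabled; disable it with 'no ip http server'"))

    iface_addrs = {}
    for header, body in blocks.items():
        if header.startswith("interface "):
            for l in body:
                m = re.match(r"^ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$", l)
                if m:
                    iface_addrs[header] = ipaddress.ip_address(m.group(1))
            if "no ip directed-broadcast" not in body:
                findings.append(("directed-broadcast", f"{header}: directed broadcasts not disabled (smurf amplification)"))
        elif header.startswith("line vty"):
            if not any(l.startswith("access-class ") for l in body):
                findings.append(("vty-access-class", f"{header}: no access-class restricting management sources"))
            if not any(l.startswith("transport input ") for l in body):
                findings.append(("vty-transport", f"{header}: no 'transport input', so every remote protocol the image offers is accepted"))

    rip = blocks.get("router rip")
    if rip is not None:
        if "version 2" not in rip:
            findings.append(("rip-version", "RIPv1 is in use; it is classful and cannot authenticate neighbours"))
        for l in rip:
            if l.startswith("network "):
                net = classful_network(l.split()[1])
                if not any(a in net for a in iface_addrs.values()):
                    findings.append(("rip-network", f"'{l}' matches no interface address and has no effect"))
    return findings


if __name__ == "__main__":
    for check, message in audit(SAMPLE_CONFIG):
        print(f"[{check}] {message}")
```

Run as a script it prints one line per finding; on the sample config that is seven findings, including the two `network` statements (172.20.0.0 and 192.168.1.0) that no interface on this router can satisfy. The classful matching matters here: the 172.20.0.0 route reaches the DR side only through the static `ip route` to 172.16.1.2, not through RIP.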
 
fpower,
Before you jump into configs, you should come up with a network design/topology which will suit your requirements. Once you've got the design blueprint, programming the routers becomes the easy part. A proposed solution utilising your existing equipment and the 2 x new 2620 would be:

INTERNET
|
[netopia router]
|
[PIX FW] - (DMZ -proxy/web servers)
|
*****Internal network*****
|
[2620-HQ] <---WAN ---> [2620-DR](DR network)

Once you've drawn up your topology, you then assign the IP ranges to each network. The 172.16.x.x is considered a private address range (along with 10.x.x.x and 192.168.x.x), hence you can use whatever IPs you want within that range (depending on what subnet mask you use*).

I make the assumption that your PIX515 has three interfaces (1-Internet, 2-DMZ, 3-Internal network). If not then you'll have to re-do the topology a bit to create a DMZ environment for your proxy/web servers. A DMZ is definitely something you should consider creating. Servers located within the DMZ are considered "sacrificial lambs" for the internet. If you get hacked, then the damage is limited. You should restrict access from the internet directly to your internal LAN. That's why I would recommend moving the proxy from your internal LAN into the DMZ.

Changing the default GW for the clients/internal servers to the 2620-HQ router is a good idea. It will make routing between the HQ and DR quicker/easier (What WAN technology are you using between HQ and DR?). The only time your PCs need to pass through the PIX is for internet access via the proxy.

Post your PIX and router hardware capabilities and we can help redefine the design.

JimmyZ
 
Hi JimmyZ,

Thank you for your help.
Your network design is exactly what I am looking for... Internet - Netopia - PIX - Internal 4006 - 2620 Router
The connection between HQ and DR is a point to point Frame Relay T1. Here is my router info...

Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-DS-M), Version 12.0(5)T1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 17-Aug-99 13:45 by cmong
Image text-base: 0x80008088, data-base: 0x80C7ED64
ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Router uptime is 17 hours, 46 minutes
System returned to ROM by power-on
System image file is "flash:c2600-ds-mz.120-5.T1"
cisco 2620 (MPC860) processor (revision 0x102) with 26624K/6144K bytes of memory
Processor board ID JAB034500ZT (1816932353)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102

My PIX 515 does have a DMZ set up for the 192.168 network, which I was told will house our web server when it is brought in house at the end of the year. We do have VPN through the PIX; other than that the only traffic now is for internet access and email.
Otherwise there is nothing on the 192 network. I am confused why the 172. is configured for this network when it is not being used? Just in case we wanted to use it??

Here is my PIX info...

Cisco PIX Firewall Version 6.1(3)
Cisco PIX Device Manager Version 1.1(2)
Compiled on Fri 22-Feb-02 08:15 by morlee
one up 10 days 23 hours
Hardware: PIX-515E, 32 MB RAM, CPU Pentium II 431 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 0009.b7b9.4054, irq 10
1: ethernet1: address is 0009.b7b9.4055, irq 11
2: ethernet2: address is 0002.b39e.7bf8, irq 5
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 3
Cut-through Proxy: Enabled
Guards: Enabled
Websense: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
ISAKMP peers: Unlimited
Serial Number: 406224732 (0x18367f5c)

I was just asked to upgrade to 3DES and to install another 4006 switch with fiber etherchannel uplink to the existing 4006.
Thanks again for all the help...
 