
routers cascade or in series...

Status
Not open for further replies.

karmic

Technical User
Jul 20, 2001
973
CA
I know I'm starting a second thread with close to the same issue, but I didn't get a response to the first...
What I need to know is this. Can you cascade routers? I mean actually plug the LAN connection of a Cisco 2600 router into the Internet port of a SnapGear SOHO+?

Here's the current scenario.
Head office gateway (192.168.0.4) > VPN > Cisco 2600 router > Hubs > server and workstations
What I need:
Head office gateway (192.168.0.4) > VPN > Cisco 2600 router > Snapgear firewall > Hubs > server and workstations

I have a client that has a lot of issues with multiple virus infections and is prone to hacking. They have a T1 managed VPN into head office and they get Internet through this line. The problem is, I know for a fact it isn't secure. Seems the whole Internet is surfing through the internal network. I need some way to firewall that connection as head office isn't doing a great job of it. I don't have any access to the current hardware or this wouldn't even be an issue.

Unless someone else has some ideas that I don't know about.

Thanks... ~ The day I think I know it all, I'm changing careers ~
 
Yes, it's perfectly normal to plug the ethernet side of the router into a firewall and then patch the LAN side of the firewall into the hub/switch.

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Yes.
What you are doing is actually a best practice design by deploying a screening router on the edge of your network.

------------
Bill
Consultant / Network Engineer
CNE, CCNA
 
Thanks for the reply but it's a little less simple than that. It's a managed VPN, and I don't have access to the Cisco. If I did, it wouldn't be an issue. I don't have the internal IP address of the Cisco and the gateway IP (192.168.0.4) is on the other end of the VPN.

I've tried many different scenarios so far and I'm not quite ready to start making some massive changes to the network at this point. I'm simply trying to put a barrier in between a very insecure VPN and the office.

The gateway IP is 192.168.0.4 and is on the other end of the VPN. My DHCP scope range is 192.168.0.1-200. I don't know the internal IP of the Cisco, which is very important. I'm suspecting 10.x.x.x but am not sure.
I've made the firewall LAN IP 192.168.0.1 and the WAN IP 192.168.0.12 with NAT disabled, with no success... can't ping the 192.168.0.4 gateway through the firewall.

I can't seem to get any help at all from the corporate IT. They believe the network is secure and won't listen to the fact that the office has been hacked.

Any ideas??? ~ The day I think I know it all, I'm changing careers ~
 
Thanks for the clarification.
There's not much you can do without access to the devices.

The really big question is: How on earth can your IT staff ignore a security breach? Do you have any documented evidence? If so, you need to go to your company management and RAISE HELL. Of course, do this via email and make a hard copy so you're covered.

------------
Bill
Consultant / Network Engineer
CNE, CCNA
 
In this local office I am the IT staff... head office provides the internet, security and other services via the managed VPN. I'm suspecting a security breach within the VPN itself though it's quite hard to prove without the firewall in place.

I've got some documented evidence and have given it to them and I don't know why they won't act upon it. I'm up a tree trying to protect the network and unless I get help from them, it's going to take some major changes to the internal.

All I need is the capability to protect one IP address that exists in another city :O(

~ The day I think I know it all, I'm changing careers ~
 
What evidence do you have that the network is insecure? Also, who is responsible for the security of the network, you or the head office?

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Well, you can always try a traceroute to see if that remote IP comes up... since it's the gateway, right? If it's as insecure as you say it is, maybe they allow ICMP.

Along with iproute... how do you know the VPN is stuffed? Or why do you think it's bad?

Putting up a firewall in behind the vpn might cause you some headaches with address translation as well. You might want to take that into account. I'm sure it could be done though.

What device is acting as your local VPN endpoint? That is most likely acting as your firewall too. Ask Head Office IT (very nicely) if you could have access to that device so that you can restrict access. Tell them that you'll clear it with them before you make any changes. Be very nice and ask a lot of questions. Slip in "what's the IP of....", and you might just get an answer. A bit of social engineering on your own IT. [ponder]
Don't get your hopes up though; if they're like me at all, there's no way you're getting access, but you never know...

Let us know what happens!
[thumbsup2]
________________________________________
Check out
 
Thanks for the replies everyone but it's an ISP managed VPN. They are not going to give me access.
Guess my next step is to use the main DC for a router/firewall...

As for the insecurity, they've been hacked once already and have had repeated virus infections, 4 different ones. ~ The day I think I know it all, I'm changing careers ~
 
Never let someone else manage your network in any respect! It's such a pain, isn't it?
Don't use your DC as the firewall though. Big mistake. They compromise that server, and your whole network is in trouble. Usernames and passwords for everyone! [thumbsdown]
If money/resources is an issue, try running a Linux based firewall off an old machine.

________________________________________
Check out
 
If you've been hacked I would take this up with the firewall admin at the main site and the ISP who provides the VPN. Your VPN connection should only allow traffic from the main site and nothing from the Internet.

If the hack has come through the internet connection at the main site and through the VPN to your site then the firewall admin needs to get his/her act together and look at the site security as a whole.

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Quick update...

Went in tonight to reconfigure the new firewall... Turns out the Cisco in the office is a transparent bridge, no IP address (no firewall either), MAC address only.
No sweat to configure the firewall after this little tidbit came my way. Of course it means a change in the internal network IP addressing scheme but that's minor. Wanted to do that eventually anyway.

Thanks all.
~ The day I think I know it all, I'm changing careers ~
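The addressing problem that ran through this thread (firewall LAN 192.168.0.1 and WAN 192.168.0.12 on the same subnet as the 192.168.0.1-200 DHCP scope, NAT disabled) and the eventual fix (the Cisco turned out to be a transparent bridge, so the firewall's WAN side keeps a head-office address and the local LAN moves to its own subnet) can be checked with a small plan validator. This is an added example, not code from the thread or from SnapGear; the /24 masks, the 10.10.0.0/24 LAN subnet chosen for the fixed plan, and the names `FirewallPlan` and `check_plan` are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class FirewallPlan:
    """Addressing plan for a routed (NAT-disabled) firewall between a VPN link and a LAN."""
    wan: str        # firewall WAN interface with prefix, e.g. "192.168.0.12/24"
    lan: str        # firewall LAN interface with prefix, e.g. "10.10.0.1/24"
    gateway: str    # upstream gateway that must be reachable via the WAN side
    dhcp_first: str  # first address handed to LAN clients
    dhcp_last: str   # last address handed to LAN clients


def check_plan(plan: FirewallPlan) -> list[str]:
    """Return the reasons a plan cannot work; an empty list means it is routable."""
    problems = []
    wan = ipaddress.ip_interface(plan.wan)
    lan = ipaddress.ip_interface(plan.lan)
    gw = ipaddress.ip_address(plan.gateway)
    first = ipaddress.ip_address(plan.dhcp_first)
    last = ipaddress.ip_address(plan.dhcp_last)

    # A router needs two distinct subnets; with both sides in 192.168.0.0/24 it has nothing to route.
    if wan.network.overlaps(lan.network):
        problems.append(f"WAN {wan.network} and LAN {lan.network} overlap: nothing to route between")
    # The upstream gateway must sit on the WAN side, or replies never leave via the firewall.
    if gw not in wan.network:
        problems.append(f"gateway {gw} is not on the WAN subnet {wan.network}")
    # DHCP clients must land on the LAN side and must not collide with the firewall's own addresses.
    if first not in lan.network or last not in lan.network:
        problems.append(f"DHCP scope {first}-{last} is not inside the LAN subnet {lan.network}")
    if first <= lan.ip <= last:
        problems.append(f"DHCP scope hands out the firewall's LAN address {lan.ip}")
    if first <= wan.ip <= last:
        problems.append(f"DHCP scope hands out the firewall's WAN address {wan.ip}")
    return problems


# Constructed from the thread: the attempt that could not ping 192.168.0.4 (mask assumed /24).
FAILED = FirewallPlan("192.168.0.12/24", "192.168.0.1/24", "192.168.0.4",
                      "192.168.0.1", "192.168.0.200")
# Constructed fix: WAN keeps a head-office address (the bridge passes it through), LAN gets its own subnet (assumed).
WORKING = FirewallPlan("192.168.0.12/24", "10.10.0.1/24", "192.168.0.4",
                       "10.10.0.100", "10.10.0.200")

if __name__ == "__main__":
    for name, plan in (("failed", FAILED), ("working", WORKING)):
        print(name, check_plan(plan) or "OK")
```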
 