Network upgrade

Status
Not open for further replies.

mikeleahy

Technical User
Jan 12, 2005
266
IE
Hi,
We have two sites in Ireland. We will soon have a WAN link between them and want to implement 1 server in each running AD and Exchange so all users will have the same email extension. One Exchange server will also be accessed through a Cisco VPN, so do I need 2 NICs in this server, so it will be able to talk to Dublin using the WAN link as its gateway and also be accessible for remote access users by using a gateway that will give it internet access? Our MX record is pointing to our router which will forward to our router. If a mail comes in then for someone in the other office, how do they receive it? Will it need to be replicated up the link to their server? Can I have some help on this implementation please?
 


You should not need 2 NICs on these servers since it sounds like you have 2 routers and a firewall on your network.

The server on the network with the internet connection should just point to the router as its default gateway. Any traffic destined for your other Ireland site will be sent through the WAN interface, and the rest will be sent out through your firewall to the internet.

Your MX should be able to point to the server at the site with the internet connection to have mail delivered. Once it hits this server it'll be routed to the proper server as long as the servers are in the same domain and Exchange organization. Just make sure you have a static internet IP and have it translate to the Exchange server and leave port 25 open.

Hope that helps.

 
"Any traffic destined for your other Ireland site will be sent through the WAN interface, and the rest will be sent out through your firewall to the internet." How do you make the traffic for the other Ireland site go through the WAN interface? How would the server connect to the WAN interface?
 
The Ethernet interface of the router, the server, and the internal interface of the firewall at site #1 will be on the same subnet (site #1, call it 192.168.1.x). The server's default gateway will be the router's Ethernet interface (call it 192.168.1.1). Site #1's router will have the other network (second Ireland site, call it 192.168.2.x) in its routing table. The router will tell any traffic destined for this network to go out its WAN interface to the router at site #2. All of the traffic will go to its (the router's) default gateway, which will be the firewall (call it 192.168.1.254). Essentially the server sends all of its traffic to the router, which will know what to do with it. This is of course assuming you have a leased line between the sites, which will require two routers. Most of this will get handled by a routing protocol, most likely RIP.
 
Thanks for that. Do you have an email address that I could send to, to get some more help on the config, please?
 
If you're really struggling with this, I'd recommend bringing in some outside consultants. Getting something like this up and running could take a little time. Where are you at with it now? Planning?
 
bk, at the moment we have our own site running on SBS 2003. We will shortly have a private VPN link between the 2 offices, provided by our ISP. It will be running 2 Cisco 3800 series; it's primarily for a voice link but we want to use it for the network integration as well. It's a 512k link. I understand how to do it all really; the only part I have difficulty with is the routes on the Cisco box. Everyone's gateway will be the router IP. When the traffic destined for the other site's subnet hits the router it will be forwarded out to the serial interface. But when traffic destined for the internet hits it, what kind of route will send that to our firewall address, i.e. would it just be everything on port 80 etc.? How can the server send email to the internet, or is it a fact that all traffic goes to the router then to its gateway, which is its firewall, except for the traffic destined for our other office?
 
You should really only need 2 routes on the router at your main site.

Not sure what your IP scheme is, but let's say...

site#1 192.168.1.x
site#2 192.168.2.x
WAN 10.1.1.x

Router#1 IP addresses Eth0 192.168.1.1 Serial0 10.1.1.1
Router#2 IP addresses Eth0 192.168.2.1 Serial0 10.1.1.2
Internet Gateway Internal IP 192.168.1.254

So the routes you would need:

Router#1
ip route 192.168.2.0 255.255.255.0 10.1.1.2 1 (Route to Second Site)
ip route 0.0.0.0 0.0.0.0 192.168.1.254 (Default Route sending everything else out internet gateway)
Router#2
ip route 0.0.0.0 0.0.0.0 10.1.1.1 (Default Route to send all its traffic to Router#1)
Internet Gateway
ip route 192.168.2.0 255.255.255.0 192.168.1.1 (Route to send internet traffic from site #2 back to Site#2)

All Site#1 devices will point to 192.168.1.1 as their default gateway. They should be able to get to Site#2 and the internet.

All Site#2 devices will point to 192.168.2.1 as their default gateway. They should be able to get to Site#1 and to the internet and back.

I wish I could draw a picture; it would be easier.

Hope this helps.
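The static routes in the post above can be checked hop by hop. This is an added example, not part of the original post: it models the three routing tables with longest-prefix matching and shows why the gateway needs its route back to site #2. The connected networks, the gateway's own default route and the sample addresses are assumptions made to complete the model.

```python
import ipaddress

# Static routes from the post above, with 192.168.2.x read as 192.168.2.0/24.
# Assumptions added to complete the model: the connected networks on each
# device and the gateway's own default route ("internet").
ROUTES = {
    "router1": [("192.168.1.0/24", "site1-lan"), ("10.1.1.0/24", "wan"),
                ("192.168.2.0/24", "router2"), ("0.0.0.0/0", "gateway")],
    "router2": [("192.168.2.0/24", "site2-lan"), ("10.1.1.0/24", "wan"),
                ("0.0.0.0/0", "router1")],
    "gateway": [("192.168.1.0/24", "site1-lan"),
                ("192.168.2.0/24", "router1"), ("0.0.0.0/0", "internet")],
}

def next_hop(device, dst, routes=ROUTES):
    """Longest-prefix match over one device's routing table."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), hop) for p, hop in routes[device]]
    matches = [(n, hop) for n, hop in nets if addr in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(start, dst, routes=ROUTES, max_hops=8):
    """Follow next hops until the packet leaves the modelled devices."""
    path, device = [start], start
    for _ in range(max_hops):
        device = next_hop(device, dst, routes)
        path.append(device)
        if device not in routes:
            return path
    return path + ["loop"]

def without_return_route():
    """Same tables, minus the gateway's route back to site #2."""
    broken = dict(ROUTES)
    broken["gateway"] = [r for r in ROUTES["gateway"]
                         if r[0] != "192.168.2.0/24"]
    return broken

if __name__ == "__main__":
    # Constructed sample addresses: a site #2 host and a documentation-range
    # internet address.
    print(trace("router2", "203.0.113.10"))
    print(trace("gateway", "192.168.2.50"))
    print(trace("gateway", "192.168.2.50", without_return_route()))
```

Without the return route, the gateway's default route sends replies for 192.168.2.x back out towards the internet instead of to Router#1.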


 
Reading your post again, I gave you a config for if you were using a leased line between the sites (which I assumed.. doh). It sounds like you will be using a site-to-site VPN with each site having its own internet connection. I'm not much of an expert with setting up site-to-site VPNs on routers.

I'm more inclined to set up VPNs with PIX firewalls and VPN concentrators. Are you doing the router config, or is the ISP? If you are, I'd suggest taking this question to the Cisco routers forum. I'm sure someone can answer it there.


 
bk, but shouldn't it be the same anyway? The ISP will be doing the router config for the voice traffic, but I will be configuring for data. Their config might suffice anyway as they will be linking the two offices. It's called a private VPN but really it's only a leased line. We have one already for other stuff and there is a Netopia router on both sides, and when I configure the appropriate gateways on the PCs etc. I can ping the other site no problem, but as it's only a Netopia router I can't use static routes on them. The voice link will need serial ports so I presume they will be doing it as per your config above. Internet access will be provided by another broadband link with a Cisco 837. In your config, do you have site 2 accessing the net using site 1's firewall? If they have their own firewall up there I can just put their internet traffic going out through that, can I not?
 
Mike,

If it is a leased line and site#2 has its own internet connection then just change the following from the configuration I gave you.

Router#2
ip route 192.168.1.0 255.255.255.0 10.1.1.1 (Route to site#1)
ip route 0.0.0.0 0.0.0.0 192.168.2.254 (internet gateway at site#2)

Remove the route off the internet gateway at Site#1 as Site#2 has its own internet connection.

If you have a leased line between the two you could save an ISP charge and buying equipment for internet at Site#2 by sending your internet through Site#1. You'll just need to figure out if you have enough bandwidth. Food for thought.

 
Well, the link is 512 so I think we will leave their existing internet connection and put a proxy there etc. A private VPN is basically a new alternative to a leased line as it uses dedicated lines and is not visible to the internet. Thanks for all your help. Wish us luck.
 