Routing

[wagan20012000]

Hi,

Our company acquired took over a new company (let's call this office3). Currently we have two offices (office1 and office2). Office1 and Office2 are connected using 24x7 VPN connection.

We requested our VPN vendor to setup a 24x7 VPN connection to office3 so it connect Office3 to our other two offices. They did that and provided us a router configured with an IP address of 192.168.0.1. We connected this VPN router to the main switching hub.

Here's our problem, Office3 has a Window 2000 Server acting as a gateway/dhcp/dns to all clients computer. Internal LAN card settings are as follows:

IP Address: 10.0.0.1
Subnet Mask: 255.0.0.0
Gateway: blank

So now we have to gateway 10.0.0.1 and 192.168.0.1. Could anyone please advice how we can setup a routes in Windows 2000 server so that ip packets are routed from Windows 200 server to the VPN router.

 

[ShackDaddy]

Are all three sites on the same subnet? Or are there two subnets? Why did the VPN guy give your router a 192.168.0 address if your local network was set to use the 10. network? In any case, maybe you are trying to turn your server into a router now. Read on.

The smallest change you can make would be to bind an additional IP address to your server's internal adapter, perhaps 192.168.0.2, and set the default gateway on the server to be 192.168.0.1. That way your server will forward all traffic not in the local 10. network out to the VPN router.

Now, on your internal routers, the VPN routers, there needs to be a route to the 10. network that directs that traffic to the 192.168.0 network. And the local VPN router in Office3 needs to forward traffic to the 10. network directly to the server at 192.168.0.2.

One other option is to introduce NAT into your internal network so that you don't have to create the routes and your Office3 clients can still communicate over the VPN. I hate this option. You shouldn't have to NAT internally.

Better might be to start moving toward an IP migration for Office3 over to the 192.168.0 network. Or, have the VPN guys treat the 10. network as an equal and set up the gateway to use a 10. address as your gateway address.

I don't know all the relevant details: the size of the networks, the sorts of servers/applications/traffic involved, but it seems like they could have planned things so that you didn't have to "gateway" the two networks. Did you tell them ahead of time what your internal address scheme was? Is it too late for them to use your existing address scheme?

Anyway, hope this was helpful.

ShackDaddy

 

[wagan20012000]

ShackDaddy,

We were able to convince the VPN vendor to change the IP address of VPN router from 192.168.0.1 to 10.0.0.2.

The IP ranges used by the three offices are:

Office 1: 192.168.1.0 255.255.255.0
Office 2: 192.168.2.0 255.255.255.0
Office 3: 10.0.0.0 255.255.255.0

After vendor changed the ip address, we still cannot ping the Office 1 and 2.

I'm wondering if we change the LAN card setting of the Windows 2000 server for the internal network of Office 3 to:

IP: 10.0.0.1
Subnet: 255.255.255.0
Gateway: 10.0.0.2

At present the gateway is blank. My worry in doing this is will this affect our ISA firewall. And also Windows Server 2000 acts as web proxy server for Office 3.

 

[ShackDaddy]

First, what's the default gateway for all your clients? Go to that device/system and set up a route to offices 1 and 2 with the 'route add' command or whatever's appropriate.

Second, you are on target when you talk about setting an IP, but your server, without a default gateway, will lack any way to get out of the 10. network. You need to use the 'route add' command on that server to tell it how to get to the other two offices.

If you cover those two bases, you should be ok.

ShackDaddy