Remote connection problem(build a separated lan in two VPN connected lan)

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

William17

Thread Starter
Joined
Dec 3, 2011
Messages
7
Hi everyone

I am facing a weird situation here.

Right now, I have a VPN formed between two LANs in two different places.
Site 1 has IPs like 192.168.1.XX
and Site 2 has IPs like 192.168.2.XX

I can connect to computers in either site without a problem.


My Problem is...
In Site 1, there are a couple of computers that form a private LAN which is not connected to the Site 1 LAN nor to the WAN.
But now I need to add a computer from Site 2 to this private group.
I understand that I have to connect this private group to the Internet for this to be done.

But is there a way to do it so that this private LAN, including computers from Site 1 and Site 2, can still be isolated from the rest of the network and the WAN?

It seems that I need to build a VPN inside a VPN,
but I am not sure how that is going to work.

Please give me some advice.
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,665
A network diagram will be helpful here.

Keep in mind that doing a VPN tunnel within a VPN tunnel is possible, but you're going to take a performance hit, both from the hardware overhead associated with processing VPN traffic and from the decreased size available for the data payload in the layer 2 frames you can send. You'll have to tweak the MTU settings to account for the double VPN frame encapsulation to ensure you don't have fragmentation.

There may be other ways to provide secure access to this isolated environment but without knowing what your network looks like on that end, there's no way to make a recommendation.
 

William17

Thread Starter
Joined
Dec 3, 2011
Messages
7


Here is my network diagram.
Originally PC group 3 is only in Site 1 and forms a private network.
I wish to add a PC from Site 2 to it.
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,665
What's your VPN server?

Depending on your VPN solution, you can create two separate tunnels for the connectivity. One for your general traffic and one for the private/isolated network you want to create.
 

William17

Thread Starter
Joined
Dec 3, 2011
Messages
7
My VPN server is my firewall.
I can add more VPN policies on it that can create an extra VPN tunnel.

But how do I separate it from the rest of the LAN?
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,665
How much separation do you need? Total isolation down to layer 2?
 

William17

Thread Starter
Joined
Dec 3, 2011
Messages
7
How much separation do you need? Total isolation down to layer 2?
I am sorry, but I don't quite understand the difference.
Can you please explain?

Or suggest which one is more common in practice.
The isolated group is for some information I don't want common users in the LAN to get access to.

Thanks




OK. I did some more reading.
I believe I need it to be isolated down to layer 2.
Since I am still using the same set of firewalls,
I can only isolate the data transactions.



Just curious.
Is it really possible to completely isolate my group 3 LAN?
It still relies on the Internet to form the VPN tunnel.
So how can it possibly be isolated at the physical layer???
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,665
So I don't know what type of firewall/router you have. It can be done and I have done it in many different implementations. You need a firewall/router which supports multiple virtual routing interfaces. This firewall/router must also support 802.1Q tagging. But typically, firewall/routers which support multiple virtual routing interfaces will also support 802.1Q.
 

William17

Thread Starter
Joined
Dec 3, 2011
Messages
7
So I don't know what type of firewall/router you have. It can be done and I have done it in many different implementations. You need a firewall/router which supports multiple virtual routing interfaces. This firewall/router must also support 802.1Q tagging. But typically, firewall/routers which support multiple virtual routing interfaces will also support 802.1Q.

I checked my firewall, and it doesn't have multiple virtual routing interfaces.
I will look for a new set of firewalls.

Can you give me some suggestions about how the routing is done?

Thanks
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,665
Well, if you're going to use a Cisco ASA, of which the entry model (ASA 5505) has an 8-port switch built in, you would create a sub-interface/virtual interface for a particular VLAN ID. You would then assign a port on the 8-port switch to the same VLAN ID. You would need to do this for both internal networks. You would also need to define the untrusted/public interface (WAN) on a specific port on this 8-port switch and configure it accordingly. You will also need to get another unmanaged switch to plug in the PCs you want isolated from the rest of your network.

Juniper SRX firewalls work similarly to the ASAs. But SRXs use security zones and ASAs use security levels.
 

William17

Thread Starter
Joined
Dec 3, 2011
Messages
7
Well, if you're going to use a Cisco ASA, of which the entry model (ASA 5505) has an 8-port switch built in, you would create a sub-interface/virtual interface for a particular VLAN ID. You would then assign a port on the 8-port switch to the same VLAN ID. You would need to do this for both internal networks. You would also need to define the untrusted/public interface (WAN) on a specific port on this 8-port switch and configure it accordingly. You will also need to get another unmanaged switch to plug in the PCs you want isolated from the rest of your network.

Juniper SRX firewalls work similarly to the ASAs. But SRXs use security zones and ASAs use security levels.

Thanks a lot.
I will look into these two firewalls.
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,665
No problem.

The equivalent Juniper firewall to the ASA 5505 is the SRX100.
 
Joined
Dec 5, 2011
Messages
1
Well, if you're going to use a Cisco ASA, of which the entry model (ASA 5505) has an 8-port switch built in, you would create a sub-interface/virtual interface for a particular VLAN ID. You would then assign a port on the 8-port switch to the same VLAN ID. You would need to do this for both internal networks. You would also need to define the untrusted/public interface (WAN) on a specific port on this 8-port switch and configure it accordingly. You will also need to get another unmanaged switch to plug in the PCs you want isolated from the rest of your network.

Juniper SRX firewalls work similarly to the ASAs. But SRXs use security zones and ASAs use security levels.
Of course, while he can use the ASA 5505, he obviously cannot use the "entry model (Base)" license of that version and would require the Sec Plus one.
 
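To make the ASA 5505 design from zx10guy's post concrete (VLAN interfaces, switch ports, and a second IPsec tunnel for group 3 only), here is a constructed Site 1 configuration fragment in 8.2-era ASA syntax. It is an added illustration, not from the thread or any vendor document: all addresses, names and the pre-shared key are placeholders, the ISAKMP policy and any NAT exemption are omitted, and the VLAN count assumes the license allows it as the last reply notes.

```cisco
! Constructed Site 1 config (placeholder addresses, not from the thread):
! inside LAN 192.168.1.0/24, group 3 10.10.1.0/24, Site 2 group 3 10.10.2.0/24,
! outside 203.0.113.2/24, Site 2 firewall 198.51.100.2.
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan20
 nameif isolated
 security-level 100
 ip address 10.10.1.1 255.255.255.0
! One switch port per VLAN; Ethernet0/7 feeds the unmanaged switch for group 3.
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 10
interface Ethernet0/7
 switchport access vlan 20
! inside and isolated share security level 100, so traffic between them is
! dropped as long as "same-security-traffic permit inter-interface" stays off.
! Group 3 may only reach the remote group 3 subnet; everything else is logged and dropped.
access-list ISOLATED_IN extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list ISOLATED_IN extended deny ip any any log
access-group ISOLATED_IN in interface isolated
! The general LAN must not reach either group 3 subnet through the tunnel.
access-list INSIDE_IN extended deny ip any 10.10.0.0 255.255.0.0 log
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
! Two crypto map entries = two IPsec SAs to the same peer: one per network.
access-list VPN_GENERAL extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN_ISOLATED extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_GENERAL
crypto map OUTSIDE_MAP 10 set peer 198.51.100.2
crypto map OUTSIDE_MAP 10 set transform-set AES256-SHA
crypto map OUTSIDE_MAP 20 match address VPN_ISOLATED
crypto map OUTSIDE_MAP 20 set peer 198.51.100.2
crypto map OUTSIDE_MAP 20 set transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK
```

The Site 2 firewall needs the mirror image (its own isolated VLAN, the reversed ACLs and the same two crypto ACLs with source and destination swapped); the ASA will still encrypt group 3 traffic if the INSIDE_IN deny is forgotten, so the log lines on both deny entries are what confirm the separation is actually holding.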