
Remote connection problem (build a separate LAN across two VPN-connected LANs)

Discussion in 'Networking' started by William17, Dec 3, 2011.

  1. William17 (Thread Starter)
    Hi everyone,

    I am facing a weird situation here.

    Right now, I have a VPN formed with 2 LANs in two different places.
    Site 1 has IPs like 192.168.1.XX
    and Site 2 has IPs like 192.168.2.XX

    I can connect to computers in either site without a problem.

    My problem is...
    In Site 1, there are a couple of computers that form a private LAN which is not connected to the Site 1 LAN nor to the WAN.
    But now I need to add a computer from Site 2 to this private group.
    I understand that I have to connect this private group to the internet for this to be done.

    But is there a way to do it so this private LAN, including computers from Site 1 and Site 2, can still be isolated from the rest of the network and the WAN?

    It seems that I need to build a VPN inside a VPN,
    but I am not sure how it is going to work.

    Please give me some advice.
     
  2. zx10guy (Trusted Advisor, Spam Fighter)
    A network diagram will be helpful here.

    Keep in mind that doing a VPN tunnel within a VPN tunnel is possible, but you're going to take a performance hit, both from the hardware overhead of processing VPN traffic and from the decreased size available for the data payload in the layer 2 frames you can send. You'll have to tweak the MTU settings to account for the double VPN frame encapsulation to ensure you don't have fragmentation.

    There may be other ways to provide secure access to this isolated environment but without knowing what your network looks like on that end, there's no way to make a recommendation.
     
  3. William17 (Thread Starter)
    [image: network diagram]

    Here is my network diagram.
    Originally, PC group 3 is only in Site 1 and forms a private network.
    I wish to add a PC from Site 2 to it.
     
  4. zx10guy (Trusted Advisor, Spam Fighter)
    What's your VPN server?

    Depending on your VPN solution, you can create two separate tunnels for the connectivity. One for your general traffic and one for the private/isolated network you want to create.
     
  5. William17 (Thread Starter)
    My VPN server is my firewall.
    I can add more VPN policies on it; that can create an extra VPN tunnel.

    But how do I separate it from the rest of the LAN?
     
  6. michelle_denise
    Go to "RUN", type in "gpedit.msc", go to Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment, and in the right panel find "Allow Logon through Terminal Services". Double click on it and add the user name that you want to give the access to... Give that a try and let us know.

    Please visit for more : http://www.techyv.com/questions/network-connection-problem-computer-running-xp
     
  7. William17 (Thread Starter)
  8. zx10guy (Trusted Advisor, Spam Fighter)
    How much separation do you need? Total isolation down to layer 2?
     
  9. William17 (Thread Starter)
    I am sorry that I don't quite understand the difference.
    Can you please explain?

    Or suggest which one is more common for this application.
    The isolated group is for some information I don't want common users in the LAN to get access to.

    Thanks

    OK. I did some more reading.
    I believe I need it to be isolated down to layer 2.
    Since I am still using the same set of firewalls,
    I can only isolate the data transaction.

    Just being curious.
    Is it really possible to completely isolate my group 3 LAN?
    It still relies on the Internet to form the VPN tunnel.
    So how can it possibly be isolated at the physical layer?
     
  10. zx10guy (Trusted Advisor, Spam Fighter)
    So I don't know what type of firewall/router you have. It can be done and I have done it in many different implementations. You need a firewall/router which supports multiple virtual routing interfaces. This firewall/router must also support 802.1Q tagging. But typically, firewall/routers which support multiple virtual routing interfaces will also support 802.1Q.
     
  11. William17 (Thread Starter)
    I checked my firewall, and it doesn't have multiple virtual routing interfaces.
    I will look for a new set of firewalls.

    Can you give me some suggestion about how the routing is done?

    Thanks
     
  12. zx10guy (Trusted Advisor, Spam Fighter)
    Well, if you're going to use a Cisco ASA, of which the entry model (ASA 5505) has an 8-port switch built in, you would create a sub-interface/virtual interface for a particular VLAN ID. You would then assign a port on the 8-port switch to the same VLAN ID. You would need to do this for both internal networks. You would also need to define the untrusted/public interface (WAN) on a specific port of this 8-port switch and configure it accordingly. You will also need to get another unmanaged switch to plug in the PCs you want isolated from the rest of your network.

    Juniper SRX firewalls work similarly to the ASAs. But SRXs use security zones and ASAs use security levels.
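As an added example (not from the thread, and not a configuration anyone in it posted), this is the shape of an ASA 5505 configuration that implements the layout zx10guy describes: one VLAN interface per segment, a dedicated switch port for the isolated group, an ingress filter on that segment, and a second IPsec tunnel whose crypto ACL carries only the isolated subnets. The subnets 192.168.10.0/24 (isolated group at Site 1) and 192.168.20.0/24 (its Site 2 counterpart), the public addresses, and the names OUTSIDE-MAP, PRIVATE-IN, PRIVATE-VPN and ESP-AES-SHA are assumptions constructed for the example.

```cisco
! Assumed addressing (constructed for this example):
!   192.168.10.0/24 = isolated PC group at Site 1, 192.168.20.0/24 = its Site 2 counterpart
!   203.0.113.2 / 198.51.100.2 = Site 1 / Site 2 public addresses
! Built-in switch: each port belongs to exactly one VLAN
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 1
interface Ethernet0/2
 switchport access vlan 10
!
! One routed VLAN interface per segment. "inside" and "private" share
! security level 100; the ASA drops traffic between same-level interfaces
! unless "same-security-traffic permit inter-interface" is set, so leave it unset.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Vlan10
! Base license only: the third VLAN must be barred from initiating traffic to
! one other VLAN, and this line must precede nameif. Not needed with Security Plus.
 no forward interface Vlan1
 nameif private
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Ingress filter on the isolated segment: only the remote isolated subnet is
! reachable; the final deny (implicit anyway, made explicit here with logging)
! blocks the Site 1 LAN and the Internet.
access-list PRIVATE-IN extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list PRIVATE-IN extended deny ip any any log
access-group PRIVATE-IN in interface private
!
! Separate tunnel for the isolated subnets (crypto map entry 20). The general
! site-to-site tunnel is entry 10 (not shown); its crypto ACL must not cover
! 192.168.10.0/24. The IKEv1 policy, transform set ESP-AES-SHA, tunnel-group for
! the peer and the NAT exemption for 192.168.10.0/24 <-> 192.168.20.0/24 are
! assumed to exist.
access-list PRIVATE-VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto map OUTSIDE-MAP 20 match address PRIVATE-VPN
crypto map OUTSIDE-MAP 20 set peer 198.51.100.2
crypto map OUTSIDE-MAP 20 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
```

Verify the separation with `show access-list PRIVATE-IN` (hit counts on the deny line reveal attempts from the isolated group toward the LAN) and `show crypto ipsec sa` (the SA for 192.168.10.0/24 should appear only under the entry-20 peer).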
     
  13. William17 (Thread Starter)
    Thanks a lot.
    I will look into these two firewalls.
     
  14. zx10guy (Trusted Advisor, Spam Fighter)
    No problem.

    The equivalent Juniper firewall to the ASA 5505 is the SRX100.
     
  15. M_Guy
    Of course while he can use the ASA 5505 he cannot use the "entry model (Base)" of that version obviously and would require the sec plus.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/1029593

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice