 okgg.org > Forum Index > All Things Technical > a bit of advanced routing

SuperDuck
Being Railroaded by the Dan-Man


Joined: 18 Mar 2003
Posts: 563
Location: , location, location!
a bit of advanced routing

I'm not entirely certain how this works, but the guys at Sprint seemed to adopt a bit of a condescending tone asking if our router didn't have multiple interfaces... so I guess there's probably something I'm missing here.

My company is going to be using Sprint in order to supply cell phones to a certain area. In order to do this we have had to go through a weird set up process and it falls to me to work out how we are going to access their trouble-ticket systems from our network. What is baffling to me is that they have required from us two separate IP addresses with which we will connect to their system, so that they could allow those connections. I'm guessing that all connections not originating from an IP in their database are rejected.

There are two different ways we need to be able to connect through. A main website just for general information purposes (such as call center employees doing basic troubleshooting and information on lines) and a VPN for submitting trouble-tickets. From what I have been led to believe, you initiate the VPN connection from within the web interface, however the VPN connection requires that you use a separate IP address than the IP address you use for the website. We have a small block of IPs so that part isn't really an issue to me, however I'm rather stumped on how to change the IP address altogether once you switch over to the VPN connection.

My first thought was to just set a certain computer or few computers that would handle trouble tickets, since that seems incredibly easy, but if you access the VPN through the website, I'm fairly lost. What also baffled me, and maybe it makes more sense to someone with experience, is that they said that it needed to be done this way because there was no way to differentiate traffic between the two without having it originate from separate IP addresses. Perhaps I'm a complete noob when it comes to routing... well okay, I am... but aren't most VPN signals transmitted on completely different ports than websites? Or even you could have them go to different addresses yourself.

Anyway, I'm pretty lost, and I'm not even sure exactly what keywords or phrases to google to lead myself to some information to help. In case it's relevant we're running a Watchguard Firebox X550e. If anyone can help or even point me in the right direction it would be extremely appreciated.
_________________
I'm the evil midnight bomber what bombs at midnight, yeah baby!

Post Thu Jun 09, 2011 12:49 pm
Bobacus
Gov. Surplus FTW!


Joined: 28 Dec 2004
Posts: 741
Location: Watching you make out at the movies

It pretty much just sounds like they do not want tier 1 techs at your company opening help desk tickets, but want them to be able to access their tech support database. My initial thought is that they want to be able to differentiate which traffic is coming from your tier 1 group, and your tier 2 groups.

Do you run everything on a flat subnet, or do you have different groups on different subnets?

Optimistically I would get each group on a different subnet, but to do this efficiently you will need a layer 3 switch.

Otherwise, you should be able to do this with a NAT rule to push traffic from whichever IPs you want to have VPN access out over the second address. This is at least how I am differentiating outbound traffic on my ASA.

Simply put, just make a NAT rule that puts the source of the translated packet as the second IP address.
_________________
this is the internet.
Unless proven otherwise, you are a 50yr old man with a bucket of KFC in one hand and your penis in the other.

Post Thu Jun 09, 2011 8:01 pm
SuperDuck
Being Railroaded by the Dan-Man


Joined: 18 Mar 2003
Posts: 563
Location: , location, location!

I tried playing around with a NAT... however for whatever reason I can't seem to get a NAT to work for outgoing traffic, only routing incoming traffic (reason #1: Watchguard System Manager is complicated, probability 30%. Reason #2: Incompetence of the user, probability 70%).

I went ahead and submitted an incident to Watchguard's technical support people, as much as I wanted to avoid doing that... but it seems a bit hard to find any answers regarding the router by searching for them, at least ones that relate to my specific issue.

This happens a lot, actually. My job requires me to know things that I don't know all the time. I went from being general help desk IT person to running the whole IT situation here, which is difficult since I'm not exactly qualified to run it. So on a related but different topic... are there any recommendations on which way I should turn to learn things like this, or anything else I might need? At least as far as basics that I need to learn, i.e. research X and build up from there, or read up on this particular type of stuff, or shoot for this certification. I really hate feeling dumb, and every time my company expands, I feel more so.


edit: Oh, and everything is on one subnet. Forgot to answer that question... >_<

Post Fri Jun 10, 2011 4:40 pm
Bobacus
Gov. Surplus FTW!


Joined: 28 Dec 2004
Posts: 741
Location: Watching you make out at the movies

Honestly I have just fiddled and picked it up as I've gone along. If anything get yourself a few different network devices and set up a lab so you can run different scenarios to see what happens.

What I would suggest to give you a good overview of everything would be a Cisco 2912 Switch, a Pix 501, and a Cisco 2611. Now all of this may not be the latest and greatest, and the commands will be different than they are today, but it will give you a good overview of some networking concepts.

You may just shop around eBay and see what you can find, but if you play your cards right, you should be able to acquire these items for less than $100. Also, if you're wondering why I'm recommending Cisco even though you're running a Watchguard, the commands are fairly simple, and the help system within the OS is very easy to use.

Post Fri Jun 10, 2011 7:33 pm
SuperDuck
Being Railroaded by the Dan-Man


Joined: 18 Mar 2003
Posts: 563
Location: , location, location!

That sounds like a good suggestion. I'll see what I can pick up. Probably could even have the company pay for it... They're usually okay with dropping a little bit of money to help me learn some stuff. It's just everything that I can do is little things like that, I doubt that they'd pay to send me to any classes or any formal training, even though that's what I'd really like.

Post Fri Jun 10, 2011 10:33 pm
The.Real.Cast
Obama Lemming Looking for the Cliff


Joined: 14 Aug 2003
Posts: 2626

While I found it a little hard to follow your request, he is correct that the likely solution is a separate NAT or PAT pool for the systems that need to access this external resource on a particular address. The NAT addresses don't have to be split from your main subnet on most edge devices, though for proper security they really should be in their own VLAN to prevent people from changing their address to one within the new NAT pool.

It is not at all uncommon for security, medical, or financial vendors to restrict access to resources to particular remote addresses.

If there is only one computer, a 1:1 NAT would be simplest. If there are a group of computers that need to appear to be sourced from a particular public address, use PAT.

http://www.watchguard.com/infocenter/editorial/135177.asp

Also, Watchguards are infuriating. Get a Cisco or SonicWall to learn on. Find a copy of Cisco Packet Tracer if you just want to play with switches and routers in a lab.

Regarding learning networking, Cisco Packet Tracer and the book for CCENT certification will work. It's technically the easy half of the CCNA, which really isn't a difficult certification and covers the basics well. Packet Tracer is free to certain students, and you can find copies of it all over the net, though unofficially. It's a decent simulator if somewhat limited.

Post Sun Jun 12, 2011 9:35 am
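Bobacus's "NAT rule that puts the source of the translated packet as the second IP address" and The.Real.Cast's "1:1 NAT for one computer, PAT for a group" are the same policy written two ways. The configuration below is an added example, not posted by anyone in this thread and not a Watchguard configuration; it is written for a Cisco ASA (8.3 or later syntax), since that is the platform Bobacus refers to. All addresses are documentation-range placeholders (your real block, the vendor's gateway and the internal subnet are assumptions), and the object names are invented here.

```cisco
! Added example (not from the thread): Cisco ASA 8.3+ NAT policy that sources
! vendor VPN traffic from a second public address while everything else keeps
! the firewall's default outside address. All addresses are RFC 5737
! documentation placeholders; object names are invented for this example.
!
! Assumed public addresses from your own block:
!   203.0.113.10  outside interface address, used for general web traffic
!   203.0.113.11  second address, registered with the vendor for the VPN

object network VENDOR_VPN_GW
 description Vendor VPN concentrator (placeholder address)
 host 198.51.100.20

object network VPN_SRC_PUBLIC
 description Second public IP that vendor VPN traffic must come from
 host 203.0.113.11

! --- Option A: one dedicated ticket PC -> 1:1 static NAT -------------------
! Static object NAT is bidirectional: 203.0.113.11 now also maps inbound to
! this host, so the outside ACL must keep denying unsolicited connections.
! Configure either Option A or Option B, not both.
object network TICKET_PC
 host 192.0.2.50
 nat (inside,outside) static 203.0.113.11

! --- Option B: a group of hosts -> PAT behind the second address ------------
! The destination clause limits the re-sourcing to the vendor gateway, so
! web browsing from the same workstations still leaves via the default
! address. Keep this range on its own VLAN: if it shares the general LAN,
! any user can re-address into it and inherit the vendor's trust.
object network TICKET_LAN
 description Ticket-desk VLAN (assumed subnet)
 subnet 192.0.2.0 255.255.255.0
nat (inside,outside) source dynamic TICKET_LAN VPN_SRC_PUBLIC destination static VENDOR_VPN_GW VENDOR_VPN_GW

! --- Default: everyone else PATs to the outside interface address ----------
object network INSIDE_ANY
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

! Checks, from enable mode, before telling the vendor you are done:
!   show nat detail
!   packet-tracer input inside tcp 192.0.2.50 40000 198.51.100.20 443
!   packet-tracer input inside tcp 192.0.2.50 40000 192.0.2.200 80
! The NAT phase of the first trace should show 203.0.113.11 as the
! translated source; the second (a non-vendor destination) should show the
! outside interface address instead.
```

The order matters on an ASA: the manual twice-NAT line in Option B is evaluated before the object NAT rules, so vendor-bound traffic is re-sourced first and the catch-all `INSIDE_ANY` rule only sees what is left. This answers the original question about "switching IPs" mid-session: the website and the VPN concentrator are different destination addresses, so the firewall picks the source address per destination without the user doing anything. If the vendor's VPN endpoint turned out to share the website's address and differed only by port (an assumption this example does not make), the twice-NAT line would need a `service` clause keyed on that port instead of relying on the destination object alone.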
Bobacus
Gov. Surplus FTW!


Joined: 28 Dec 2004
Posts: 741
Location: Watching you make out at the movies

Yeah, completely forgot about Packet Tracer. I just know having hands-on experience is always just a little easier to work with, since things can be easier to grasp, at least for myself.

Post Mon Jun 13, 2011 10:03 pm
SuperDuck
Being Railroaded by the Dan-Man


Joined: 18 Mar 2003
Posts: 563
Location: , location, location!

Thank you for your help and suggestions! I think I'm closer to completing this for work, and then I'm most definitely going to get my hands on the rest of that to play with. It's become pretty apparent that I'm nowhere near as proficient with this sort of thing as I need to be.

Post Tue Jun 14, 2011 8:42 am