SuperDuck
Being Railroaded by the Dan-Man
Joined: 18 Mar 2003
Posts: 563
Location: , location, location!
a bit of advanced routing
I'm not entirely certain how this works, but the guys at Sprint seemed to adopt a bit of a condescending tone asking if our router didn't have multiple interfaces... so I guess there's probably something I'm missing here.
My company is going to be using Sprint in order to supply cell phones to a certain area. In order to do this we have had to go through a weird set up process and it falls to me to work out how we are going to access their trouble-ticket systems from our network. What is baffling to me is that they have required from us two separate IP addresses with which we will connect to their system, so that they could allow those connections. I'm guessing that all connections not originating from an IP in their database are rejected.
There are two different ways we need to be able to connect through. A main website just for general information purposes (such as call center employees doing basic troubleshooting and information on lines) and a VPN for submitting trouble-tickets. From what I have been led to believe, you initiate the VPN connection from within the web interface, however the VPN connection requires that you use a separate IP address than the IP address you use for the website. We have a small block of IPs so that part isn't really an issue to me, however I'm rather stumped on how to change the IP address altogether once you switch over to the VPN connection.
My first thought was to just set a certain computer or few computers that would handle trouble tickets, since that seems incredibly easy, but if you access the VPN through the website, I'm fairly lost. What also baffled me, and maybe it makes more sense to someone with experience, is that they said that it needed to be done this way because there was no way to differentiate traffic between the two without having it originate from separate IP addresses. Perhaps I'm a complete noob when it comes to routing... well okay, I am... but aren't most VPN signals transmitted on completely different ports than websites? Or even you could have them go to different addresses yourself.
Anyway, I'm pretty lost, and I'm not even sure exactly what keywords or phrases to google to lead myself to some information to help. In case it's relevant we're running a Watchguard Firebox X550e. If anyone can help or even point me in the right direction it would be extremely appreciated.
_________________
I'm the evil midnight bomber what bombs at midnight, yeah baby!
Thu Jun 09, 2011 12:49 pm
SuperDuck
Being Railroaded by the Dan-Man
Joined: 18 Mar 2003
Posts: 563
Location: , location, location!
I tried playing around with a NAT... however for whatever reason I can't seem to get a NAT to work for outgoing traffic, only routing incoming traffic (reason #1: Watchguard System Manager is complicated, probability 30%. Reason #2: Incompetence of the user, probability 70%).
I went ahead and submitted an incident to Watchguard's technical support people, as much as I wanted to avoid doing that... but it seems a bit hard to find any answers regarding the router by searching for them, at least ones that relate to my specific issue.
This happens a lot, actually. My job requires me to know things that I don't know all the time. I went from being a general help desk IT person to running the whole IT situation here, which is difficult since I'm not exactly qualified to run it. So on a related but different topic... are there any recommendations on which way I should turn to learn things like this, or anything else I might need? At least as far as basics that I need to learn, i.e. research X and build up from there, or read up on this particular type of stuff, or shoot for this certification. I really hate feeling dumb, and every time my company expands, I feel more so.
edit: Oh, and everything is on one subnet. Forgot to answer that question... >_<
Fri Jun 10, 2011 4:40 pm
Bobacus
Gov. Surplus FTW!
Joined: 28 Dec 2004
Posts: 741
Location: Watching you make out at the movies
Honestly I have just fiddled and picked it up as I've gone along. If anything, get yourself a few different network devices and set up a lab so you can run different scenarios to see what happens.
What I would suggest to give you a good overview of everything would be a Cisco 2912 Switch, a Pix 501, and a Cisco 2611. Now all of this may not be the latest and greatest, and the commands will be different than they are today, but it will give you a good overview of some networking concepts.
You may just shop around ebay and see what you can find, but if you play your cards right, you should be able to acquire these items for less than $100. Also, if you're wondering why I'm recommending Cisco even though you're running a Watchguard, the commands are fairly simple, and the help system within the OS is very easy to use.
_________________
this is the internet.
Unless proven otherwise, you are a 50yr old man with a bucket of KFC in one hand and your penis in the other.
Fri Jun 10, 2011 7:33 pm
The.Real.Cast
Obama Lemming Looking for the Cliff
Joined: 14 Aug 2003
Posts: 2626
While I found it a little hard to follow your request, he is correct that the likely solution is a separate NAT or PAT pool for the systems that need to access this external resource on a particular address. The NAT addresses don't have to be split from your main subnet on most edge devices, though for proper security they really should be in their own VLAN to prevent people from changing their address to one within the new NAT pool.
It is not at all uncommon for security, medical, or financial vendors to restrict access to resources to particular remote addresses.
If there is only one computer, a 1:1 NAT would be simplest. If there are a group of computers that need to appear to be sourced from a particular public address, use PAT.
http://www.watchguard.com/infocenter/editorial/135177.asp
Also, Watchguards are infuriating. Get a Cisco or Sonicwall to learn on. Find a copy of Cisco Packet Tracer if you just want to play with switches and routers in a lab.
Regarding learning networking, Cisco Packet Tracer and the book for CCENT certification will work. It's technically the easy half of the CCNA, which really isn't a difficult certification and covers the basics well. Packet Tracer is free to certain students, and you can find copies of it all over the net, though unofficially. It's a decent simulator if somewhat limited.
Sun Jun 12, 2011 9:35 am
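As an added illustration of the NAT/PAT advice above (example code written for this page, not from the thread, from Watchguard, or from Sprint), here is a small Python model of an edge firewall's outbound source-NAT policy: a 1:1 rule for the single ticketing host (public port kept), a PAT rule for the call-center range (many hosts share one public address, the firewall assigns unique ports), and a catch-all for everything else. All addresses are constructed for the example: RFC 1918 ranges inside, and the 203.0.113.0/24 documentation range standing in for the company's small public block. The vendor-side allowlist check shows why the website and the VPN need distinct source addresses, and the fact that rules match purely on the claimed inside source address is the reason for the VLAN advice.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed public addresses (documentation range, not real allocations).
PUBLIC_DEFAULT = ipaddress.ip_address("203.0.113.2")  # PAT address for everyone else
PUBLIC_WEB = ipaddress.ip_address("203.0.113.3")      # address the vendor allows for the website
PUBLIC_VPN = ipaddress.ip_address("203.0.113.4")      # address the vendor allows for the VPN


@dataclass
class NatRule:
    match: ipaddress.IPv4Network   # inside source address(es) the rule applies to
    public: ipaddress.IPv4Address  # public address traffic will appear to come from
    one_to_one: bool               # True: 1:1 NAT (port preserved); False: PAT (port rewritten)


@dataclass
class OutboundNat:
    rules: list
    next_port: dict = field(default_factory=dict)  # public address -> next free PAT port
    sessions: dict = field(default_factory=dict)   # (public addr, port) -> (inside addr, port)

    def translate(self, src_ip, src_port):
        """Return the (public address, public port) an outbound flow is sourced from."""
        src = ipaddress.ip_address(src_ip)
        # First match wins, so the most specific rule (the /32 host) is listed first.
        # Note that matching is on the *claimed* inside source address only; a host that
        # re-addressed itself into a matched range would get that rule's public address,
        # which is why the matched hosts belong in their own VLAN.
        for rule in self.rules:
            if src in rule.match:
                if rule.one_to_one:
                    pub_port = src_port
                else:
                    pub_port = self.next_port.get(rule.public, 1024)
                    self.next_port[rule.public] = pub_port + 1
                self.sessions[(rule.public, pub_port)] = (src, src_port)
                return str(rule.public), pub_port
        raise ValueError(f"no outbound NAT rule matches {src}")


def build_policy():
    """Constructed policy: one ticketing host, one call-center range, a catch-all."""
    return OutboundNat(rules=[
        NatRule(ipaddress.ip_network("10.0.20.10/32"), PUBLIC_VPN, one_to_one=True),
        NatRule(ipaddress.ip_network("10.0.10.0/24"), PUBLIC_WEB, one_to_one=False),
        NatRule(ipaddress.ip_network("10.0.0.0/8"), PUBLIC_DEFAULT, one_to_one=False),
    ])


# Constructed stand-in for the vendor's "allowed source address" database.
VENDOR_ALLOWLIST = {"web": PUBLIC_WEB, "vpn": PUBLIC_VPN}


def vendor_accepts(service, public_ip):
    """True if the vendor would accept a connection to `service` from `public_ip`."""
    return VENDOR_ALLOWLIST[service] == ipaddress.ip_address(public_ip)


def demo():
    """Run a few constructed flows through the policy and report what the vendor sees."""
    nat = build_policy()
    results = {
        "ticket_host": nat.translate("10.0.20.10", 51000),  # 1:1 -> VPN address, port kept
        "agent_a": nat.translate("10.0.10.25", 51001),      # PAT -> web address, port 1024
        "agent_b": nat.translate("10.0.10.26", 51001),      # PAT -> web address, port 1025
        "printer": nat.translate("10.0.30.5", 51002),       # catch-all -> default address
    }
    return results


if __name__ == "__main__":
    for name, (addr, port) in demo().items():
        print(f"{name:12s} -> {addr}:{port}  web ok: {vendor_accepts('web', addr)}  "
              f"vpn ok: {vendor_accepts('vpn', addr)}")
```

The two agents share 203.0.113.3 but get distinct public ports, which is the PAT case; the ticketing host keeps its own port on 203.0.113.4, which is the 1:1 case; and the printer, matched only by the catch-all, is rejected by the vendor for both services because its source address is not in their allowlist. On a real firewall the same three rules would be expressed as that device's outbound NAT or SNAT policy rather than in Python.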