pwindell -> RE: Site to Site Suggestions (15.Apr.2008 3:45:27 PM)
I want to link a remote office, in the same town as me, about 5 km apart, to my main office network. We use a 2.4 GHz high-powered wireless link, which at the moment works fine.

Then ISA really has nothing to do with it for the most part. It is a matter of how you deploy your Microwave link (MW) and how you have the two network segments addressed and, most importantly, having a correct routing scheme design, which is something that I am always adamant and a bit maniacal about. I am laying out the plan clearly below; if you run into Nay-Sayers who won't listen, then give them a copy of this.

It is essentially the identical design used to connect two sites with a private commercial-grade Frame Relay or T1 line. You're just using a Microwave Bridge instead, but it is the same principle, other than you have to "pinch" the MW link between two Routers because it doesn't normally have routers like a Frame Relay or T1 does.

1. The MW link is obviously up and running.

2. The two offices need to be running two different subnets from each other.

3. There need to be two LAN Routers between them, one at each site. The Microwave Link transceivers sit between the two Routers.

Why two routers instead of one??? Glad you asked. Because of your requirement that each site use only their own "firewall" and not get to the one on the opposite side. If you did not have that requirement it could be done with one Router on only one side. If you were to try to cut corners and "go cheap" and try to do this with one router, you would be left with maintaining a ton of local Static Routes on every single client on one of the sites (choose your "lucky" site for that). Then the users that might know how could just run "route /f" from a command prompt, reboot, which would wipe out the static routes and let them use the firewall the LAN Router defaults to, which may not be the one they are supposed to use.

4. You will have 3 subnets, one for each site, and the Microwave Link will be one all by itself; you can use a 4-Address/2-Host segment for that (255.255.255.252). If you want to limit access to the opposite sides it would be done with ACLs on the LAN Routers between the Sites.

5. Each Site will use their own LAN Router as their Default Gateway; then the LAN Router uses the local "firewall" as the Default Gateway. Note: See what happens if there were only one router? Everyone ends up using the same firewall.

6. On the ISA the Internal Network Definition must contain all the IP Ranges of all subnets. Repeat the equivalent on the other Site's Firewall. This is not optional.

7. This one is optional since you don't want the firewall & ISA to communicate with the opposite side. If you desire, add Static Routes on the ISA that tell it to use the local LAN Router as the "gateway" for all the subnets (same ones you listed in #6). Repeat the equivalent on the other Site's Firewall.

[LAN#1]---------<ISA>-----[Internet]
   |
<LAN Router #1>
   |
MW Transceiver #1
  { }
  { }  [2-host subnet]
  { }
MW Transceiver #2
   |
<LAN Router #2>
   |
[LAN#2]-------<Firewall>-----[Internet]
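The routing scheme in the post above, walked through as an added example (editor's code, not from the poster or from ISA Server). The addresses are constructed for illustration: LAN#1 is 192.168.1.0/24 with the ISA inside interface at .1 and LAN Router #1 at .254, the MW link is the 4-address/2-host segment 192.168.100.0/30 (Router #1 at .1, Router #2 at .2), and LAN#2 is 192.168.2.0/24 with the other site's firewall at .1 and LAN Router #2 at .254. Device names (host1, router1, isa1, router2, fw2, host2) are likewise assumptions. The script does longest-prefix lookups over each device's connected networks and static routes and traces which boxes a packet crosses, so you can see that with two routers each site exits through its own firewall, while the one-router "go cheap" variant pushes LAN#2's Internet traffic through the ISA at site 1 unless every client carries its own static routes.

```python
"""Trace packet paths through the two-site design (constructed addressing,
not from the original post):
  LAN#1 192.168.1.0/24    ISA inside .1,      LAN Router #1 LAN side .254
  link  192.168.100.0/30  Router #1 .1,       Router #2 .2   (2-host segment)
  LAN#2 192.168.2.0/24    firewall inside .1, LAN Router #2 LAN side .254
"""
import ipaddress

INTERNET = "Internet"  # sentinel next hop for a firewall's external default route


def two_router_design():
    """Steps 2-7 of the post: each device lists its interfaces and its routes.
    A route's next hop is an address on a directly connected segment or INTERNET."""
    return {
        "host1":   {"ifaces": ["192.168.1.10/24"],
                    "routes": [("0.0.0.0/0", "192.168.1.254")]},      # step 5
        "router1": {"ifaces": ["192.168.1.254/24", "192.168.100.1/30"],
                    "routes": [("192.168.2.0/24", "192.168.100.2"),
                               ("0.0.0.0/0", "192.168.1.1")]},        # local firewall
        "isa1":    {"ifaces": ["192.168.1.1/24"],
                    "routes": [("192.168.2.0/24", "192.168.1.254"),   # step 7
                               ("192.168.100.0/30", "192.168.1.254"),
                               ("0.0.0.0/0", INTERNET)]},
        "router2": {"ifaces": ["192.168.2.254/24", "192.168.100.2/30"],
                    "routes": [("192.168.1.0/24", "192.168.100.1"),
                               ("0.0.0.0/0", "192.168.2.1")]},
        "fw2":     {"ifaces": ["192.168.2.1/24"],
                    "routes": [("192.168.1.0/24", "192.168.2.254"),
                               ("192.168.100.0/30", "192.168.2.254"),
                               ("0.0.0.0/0", INTERNET)]},
        "host2":   {"ifaces": ["192.168.2.20/24"],
                    "routes": [("0.0.0.0/0", "192.168.2.254")]},
    }


def one_router_design(host2_static_routes=False):
    """The 'go cheap' variant: the MW bridge is layer 2, so one router has a
    leg in both LANs. host2 either trusts that router's default gateway or
    carries its own static routes (the ones 'route /f' would wipe out)."""
    host2_routes = ([("192.168.1.0/24", "192.168.2.254"), ("0.0.0.0/0", "192.168.2.1")]
                    if host2_static_routes else [("0.0.0.0/0", "192.168.2.254")])
    return {
        "host1":   {"ifaces": ["192.168.1.10/24"], "routes": [("0.0.0.0/0", "192.168.1.254")]},
        "router1": {"ifaces": ["192.168.1.254/24", "192.168.2.254/24"],
                    "routes": [("0.0.0.0/0", "192.168.1.1")]},
        "isa1":    {"ifaces": ["192.168.1.1/24"],
                    "routes": [("192.168.2.0/24", "192.168.1.254"), ("0.0.0.0/0", INTERNET)]},
        "fw2":     {"ifaces": ["192.168.2.1/24"],
                    "routes": [("192.168.1.0/24", "192.168.2.254"), ("0.0.0.0/0", INTERNET)]},
        "host2":   {"ifaces": ["192.168.2.20/24"], "routes": host2_routes},
    }


def _owner(devices, ip):
    """Name of the device that holds interface address `ip`."""
    for name, dev in devices.items():
        if any(ipaddress.ip_interface(i).ip == ip for i in dev["ifaces"]):
            return name
    raise LookupError(f"no device owns {ip}")


def _lookup(dev, dst):
    """Longest-prefix match over connected networks (next hop None) and routes."""
    table = [(ipaddress.ip_interface(i).network, None) for i in dev["ifaces"]]
    table += [(ipaddress.ip_network(n), via) for n, via in dev["routes"]]
    hits = [(net, via) for net, via in table if dst in net]
    if not hits:
        raise LookupError(f"no route to {dst}")
    return max(hits, key=lambda r: r[0].prefixlen)


def trace(devices, src, dst, max_hops=16):
    """Device names a packet from `src` to address `dst` passes through."""
    dst = ipaddress.ip_address(dst)
    path, cur = [src], src
    for _ in range(max_hops):
        _net, via = _lookup(devices[cur], dst)
        if via == INTERNET:
            return path + [INTERNET]
        nxt = _owner(devices, dst if via is None else ipaddress.ip_address(via))
        path.append(nxt)
        if via is None:           # delivered on a directly connected segment
            return path
        cur = nxt
    raise RuntimeError("routing loop")


def site_subnets(devices):
    """Every subnet in the design: what step 6 says the ISA Internal Network must list."""
    return sorted({ipaddress.ip_interface(i).network
                   for d in devices.values() for i in d["ifaces"]})


if __name__ == "__main__":
    two, one = two_router_design(), one_router_design()
    print("internal ranges:", [str(n) for n in site_subnets(two)])
    print("two routers, host1 -> Internet:", trace(two, "host1", "8.8.8.8"))
    print("two routers, host2 -> Internet:", trace(two, "host2", "8.8.8.8"))
    print("two routers, host1 -> host2:   ", trace(two, "host1", "192.168.2.20"))
    print("one router,   host2 -> Internet:", trace(one, "host2", "8.8.8.8"))
```

In the two-router output host2 reaches the Internet through fw2, its own firewall; in the one-router output the same host exits through isa1 at the other site, which is exactly the "everyone ends up using the same firewall" failure the post warns about, and `one_router_design(host2_static_routes=True)` only fixes it for as long as the client's static routes survive.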