Network Guru’s, I have a question

    jeremy-crawford
    Cedar Rapids Area
    Posts: 1530
    #1215647

    OK, to set this up. Suppose you acquire a company that runs an internal class A private address (10.0.0.0 / 255). You are tasked with setting up a VPN link between the 2 networks, and you run a private class A address as well. That being said, you can establish a VPN connection; however, when they make a call to any resources on another network the DNS record points to your local 10 net address. Since it is local, the local machine assumes it does not need to go through the gateway (VPN Tunnel). This is a simple layer 2 function that breaks in this type of setup. Here is the diagram.
    Call me stumped. I need to do this without changing the entire network IP schema for one or both of the locations.
    jc

    Scooter
    Rockford Il.
    Posts: 120
    #395791

    Can you use DNS forwarding? This way, if it can’t find it at one network, it will forward it to the other.

    jeremy-crawford
    Cedar Rapids Area
    Posts: 1530
    #395793

    Thanks for the idea. If I do set up DNS forwarding, then how do I deliver the packets across the gateway, since the resolution will be local and not present itself to the gateway?
    There has got to be something we are missing here.
    jc

    B.C.
    La Crosse, WI
    Posts: 1111
    #395796

    The IP setup for the 2nd network should be anything except the same IP setup as the 1st network. For example, if the 1st network is 10.10.1.1, the 2nd network should be anything but 10.10.1.1. It doesn’t really matter what you set it up as. Keeping it similar is just convention, so that admins can easily keep track of their subnets.

    Secondly, if you have 2 domains, you need to setup “Trusts” between the two domains, if you want the two networks to talk without any problems. It just works better this way.

    I assume you have a domain controller? Is DNS setup on each network?

    fishingscout
    Saint Paul
    Posts: 156
    #395799

    I am no network guru or even novice, however, I don’t see how you can accomplish this at all. Here is why:

    You need to connect to a database on system 10.0.0.133. 10.0.0.133 can exist in both networks, which system are you really trying to connect with? You might find system 10.0.0.133 “locally” but need to communicate with the 10.0.0.133 on the remote lan.

    I think your solution will need to control the IP address scheme for this to work.

    fishingscout
    Saint Paul
    Posts: 156
    #395800

    Great diagram by the way. Is that Visio?

    cogborn
    Prior Lake/Savage, MN
    Posts: 64
    #395801

    Look at your outside addresses. They are different. You can set a static route on your outbound.

    Jeremiah Shaver
    La Crosse, WI
    Posts: 4941
    #395802

    Even w/DNS, it would resolve to the “local” lan first, find what it thinks it’s looking for, and not realize it is in fact looking for the “other” network.

    Even if you pointed DNS to look at the “other” first, what happens when you need something from the “local”.

    Without differentiating IPs, I’m not sure how you can get this to work either.

    jeremy-crawford
    Cedar Rapids Area
    Posts: 1530
    #395804

    Thanks BC, Now you see my problem.
    If we were talking about a couple of servers and a few users it would be fine. But we’re talking about 2 distinct companies being brought into the Stamas Forest as distinct domains. Thus the normal services will still be resident on the local networks; however, things like communication between business groups and a shared Exchange server cluster will be located out of the home office.

    Here is the same issue with much less going on. Take for instance that you have a VPN set up for your company. You have a 10.0.0.0 network at the office. The VPN is for traveling salespeople. How do they get to network resources when traveling if the hotel is set up using a 10 net? There has to be some solution out there. Every company in the world with traveling salespeople and such must have to address this type of issue in some manner other than just accepting that whenever they run into this it doesn’t work?? My head is starting to hurt.
    jc

    jeremy-crawford
    Cedar Rapids Area
    Posts: 1530
    #395805

    Bingo Slopp. Now you see my dilemma. How do your salespeople handle this when traveling? The same issue has to arise fairly often.
    jc

    Jeremiah Shaver
    La Crosse, WI
    Posts: 4941
    #395806

    JC

    Can you just run NAT at one side of the VPN tunnel?

    NAT serves three main purposes:

    Provides a type of firewall by hiding internal IP addresses

    Enables a company to use more internal IP addresses. Since they’re used internally only, there’s no possibility of conflict with IP addresses used by other companies and organizations.

    Allows a company to combine multiple ISDN connections into a single Internet connection.

    More on NAT:

    http://www.webopedia.com/TERM/N/NAT.html

    (had to do some research on this one )

    cogborn
    Prior Lake/Savage, MN
    Posts: 64
    #395808

    Use domain name service. Company A=Host.CompanyA.com and Company B=Host.CompanyB.com. These are two different Servers and two totally different networks. Your DNS resolution will send your requests to the external IP Addresses.

    haywood04
    Winona, Minnesota
    Posts: 1073
    #395815

    Quote:

    OK, to set this up. Suppose you acquire a company that runs an internal class A private address (10.0.0.0 / 255). You are tasked with setting up a VPN link between the 2 networks, and you run a private class A address as well. That being said, you can establish a VPN connection; however, when they make a call to any resources on another network the DNS record points to your local 10 net address. Since it is local, the local machine assumes it does not need to go through the gateway (VPN Tunnel). This is a simple layer 2 function that breaks in this type of setup. Here is the diagram.
    Call me stumped. I need to do this without changing the entire network IP schema for one or both of the locations.
    jc


    For all us other dorks or non computer geeks….
    What da F@&!

    jeremy-crawford
    Cedar Rapids Area
    Posts: 1530
    #395828

    Yeah, I am well versed in NAT.
    If I set up NAT then I could effectively resolve to a different IP address, which would make it route “to” the other network; however, when the DNS call hits the “NAT’ed” IP it will still return the 10 net address from the other side and then only route locally. If I did use NAT I would then have to set up a secondary DNS server to handle these calls as well as bind this “new” network’s IP addresses to all my servers. This would work under many situations; however, I then run into the “Web Services” which pull dynamic content from the differing data elements (databases), so I would have to do the same thing on both ends of the wire. It would likely be easier to fly to SF and do a complete migration. Lordy lordy lordy.
    jc
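    The following is an added illustration, not code from anyone in this thread. It models the situation from the original question (two sites that both use 10.0.0.0/8) and the NAT idea raised above: the route lookup on a Site A workstation shows why a 10-net address is treated as on-link and never reaches the VPN gateway, and a one-sided 1:1 network NAT plus a DNS view that hands out the translated addresses shows how the remote hosts become reachable without renumbering. All networks, hostnames, addresses and the translated range 172.31.0.0/16 are constructed for the example.

```python
"""Added example (not from the thread): two sites that both use 10.0.0.0/8,
a host's longest-prefix-match route lookup, and one-sided network NAT with a
DNS view that returns the translated addresses. All values are constructed."""
import ipaddress

# Address plans of the two sites (both the same private /8, as in the question).
SITE_A = ipaddress.ip_network("10.0.0.0/8")   # home office
SITE_B = ipaddress.ip_network("10.0.0.0/8")   # acquired company

# The part of Site B that Site A needs to reach, and the non-overlapping range
# it is presented as on the Site A side of the tunnel (constructed choice;
# a real deployment picks any range unused at Site A).
NAT_SRC = ipaddress.ip_network("10.0.0.0/16")    # real Site B hosts
NAT_DST = ipaddress.ip_network("172.31.0.0/16")  # how Site A sees them

# Site B's own DNS data, as constructed sample records.
SITE_B_ZONE = {"db.companyb.example": "10.0.0.133",
               "mail.companyb.example": "10.0.5.20"}


def sites_overlap(a, b):
    """True when the two address plans collide (the root of the problem)."""
    return a.overlaps(b)


def next_hop(dest, routes):
    """Longest-prefix-match route lookup, as a host or router does it.
    routes: list of (network, next_hop); 'on-link' marks a connected route."""
    dest = ipaddress.ip_address(dest)
    best = None
    for net, hop in routes:
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def translate(addr, src_net, dst_net):
    """1:1 network NAT: keep the host bits, swap the network prefix."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        return str(addr)                      # outside the rule: untouched
    host_bits = int(addr) & ~int(src_net.netmask) & 0xFFFFFFFF
    return str(ipaddress.ip_address(int(dst_net.network_address) | host_bits))


def doctored_lookup(name):
    """Site A's resolver view of Site B's zone: answers inside the NAT source
    range are rewritten to the translated range before being returned."""
    real = SITE_B_ZONE.get(name)
    if real is None:
        return None
    return translate(real, NAT_SRC, NAT_DST)


# Routing table of a Site A workstation. Before NAT, everything in 10/8 is
# "on-link": the host ARPs for it locally and the VPN gateway never sees it.
ROUTES_BEFORE = [
    (ipaddress.ip_network("10.0.0.0/8"), "on-link"),
    (ipaddress.ip_network("0.0.0.0/0"), "10.0.0.1"),
]
# After NAT the translated range is routed to the VPN gateway (10.0.0.1 here).
ROUTES_AFTER = ROUTES_BEFORE + [(NAT_DST, "10.0.0.1")]


def reach_site_b(name, routes, use_nat):
    """Trace one connection attempt from Site A to a Site B hostname.
    Returns (address the client dials, next hop, address seen at Site B)."""
    dialed = doctored_lookup(name) if use_nat else SITE_B_ZONE.get(name)
    if dialed is None:
        return None, None, None
    hop = next_hop(dialed, routes)
    if hop == "on-link":
        # Stays on the local LAN: at best unreachable, at worst Site A's own
        # host with that address answers instead of the Site B server.
        return dialed, hop, None
    # The VPN gateway reverses the translation before forwarding down the tunnel.
    return dialed, hop, translate(dialed, NAT_DST, NAT_SRC)


if __name__ == "__main__":
    print("overlap:   ", sites_overlap(SITE_A, SITE_B))
    print("before NAT:", reach_site_b("db.companyb.example", ROUTES_BEFORE, False))
    print("with NAT:  ", reach_site_b("db.companyb.example", ROUTES_AFTER, True))
```

    Run as-is, the first trace shows the 10.0.0.133 answer resolved as on-link and the packet never leaving the local LAN; the second shows the client dialing 172.31.0.133, handing it to the VPN gateway, and the gateway restoring 10.0.0.133 before the tunnel. The DNS view is what jc's reply above calls the secondary DNS server: without it the client still receives the untranslated 10-net answer and the NAT rule is never used.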

    jeremy-crawford
    Cedar Rapids Area
    Posts: 1530
    #395831

    MyThai, DNS is layer 3, the resolution of the DNS name is either local or remote, there is really nothing gained using hostname.
    jc

    theduck
    Posts: 149
    #395832

    My head hurts too!!! I am !Ian

    cogborn
    Prior Lake/Savage, MN
    Posts: 64
    #395851

    Jeremy. What type of traffic do you believe will flow across this VPN Tunnel? Layer 2 is the link layer (MAC Address) and Layer 3 is the network layer (IP Routing).

    Here’s another thought. When I use my Web Browser and type in http://www.in-depthangling.com, do I really care where it’s located or it’s ip address? That is the purpose of DNS. Also, if this web server has to make connection to 2nd tier or 3rd tier backend servers, how does this affect my workstation? My workstation is communicating with in-depthangling.com (Web Server) and no one else. Just a thought.

    Have a great day.

    jeremy-crawford
    Cedar Rapids Area
    Posts: 1530
    #395856

    The traffic between networks will be everything that would normally be found on a company network: smtp, dns, http, chap, ipsec, l2tp, etc, etc…

    When I say DNS is layer 3, I mean it is a layer 3 function, meaning that DNS does not route packets, and changing the DNS name does not change the allocated IP or IPs of the machine.

    Err,

    I would have never thought of that front end back end concept.

    DNS can actually give you any ip address you want?

    Thanks for the advice.

    jc

    B.C.
    La Crosse, WI
    Posts: 1111
    #395894

    Do you think SF has any good fisheries near-by? If so, I’ll tag along JC!

    jeremy-crawford
    Cedar Rapids Area
    Posts: 1530
    #395900

    All I know is that my trip is planned for the second week in January…. Looks like I will have my hands full.
    jc

    kooty
    Keymaster
    1 hour 15 mins to the Pond
    Posts: 18101
    #395949

    I have to ask how big of a task would it be to change the second site’s IP schema?? I know this can be complicated, but we are going through the growing pains of not enough forethought and ran out of addresses in our business centers. We are now allocating 1024 to DHCP instead of 254 available addresses.

    What is your VPN appliance? We use Watchguard and they don’t pass netbios traffic worth a darn. Constantly causing me problems when we fail over to the BOVPN.

    If you can change the subnet at Site B, then by replicating your DNS from site A all resources should be available via BOVPN.

    Am I over simplifying this?? I can show this to my buddy we call the “Packet” and see what he says. Let me know if I can be of any assistance.

    kizew
    Dallas, WI
    Posts: 1003
    #395946

    JC I called my help desk which is in India of all places – I am sorry to say I feel dumber for having done so. I give!

    jeremy-crawford
    Cedar Rapids Area
    Posts: 1530
    #396053

    I have been doing this for more years than I care to admit and am typically the go-to guy for about every other tech in the Cedar Rapids Area. From the outside there is really no easy answer, and changing the IP schema is the “by the book” resolution, but as anyone worth their salt knows, there are always solutions out there; you just have to be creative.

    As for your issues, if you use ISA Server you will have no issues with netbios and such. If you have an AD environment you will be able to pass traffic via DDNS without much of an issue. Watchguard, Sonicwall, and Celestix are all good devices, but the Celestix is the best for interoperability with Windows networks.

    As for changing IP schemas, simple deal. The only trick is that you need enough time to change hardware devices, set up DHCP, configure all new routing tables, and be on hand to troubleshoot any hidden processes that you missed. I am guessing a weekend is well more than you will need.

    jc

    kooty
    Keymaster
    1 hour 15 mins to the Pond
    Posts: 18101
    #396067

    Sounds to me like you know what needs done, now you just gotta get’er done.

    Good luck!!!

    And as for being worth the salt, my motto is keep it simple stupid. Seems to work better for me.

    fishingscout
    Saint Paul
    Posts: 156
    #396074

    Toot Toot. Kinda reminds me of a funny skit from Saturday Night Live….

    champman
    la crosse
    Posts: 280
    #396124

    so jc, how does all this mumbo jumbo talk help you catch more and bigger bass? This is the BASS forum isn’t it!

    kooty
    Keymaster
    1 hour 15 mins to the Pond
    Posts: 18101
    #396127

    I was thinking the same. A guy this smart shouldn’t be fishing for bass, he should challenge himself and fish for a true predator!

    jeremy-crawford
    Cedar Rapids Area
    Posts: 1530
    #396348

    I just figured that the Quality people out there would be on In-Depth. If your network is running like it is supposed to you would be smart enough to read the bass forum. -grin-
    And if I can get this deal working from my chair I will have more time to catch these…
