two routers in one network


Charles MacLean

We need to install a second router (Linksys VP41) to establish a VPN router
to router with a customer. Presently we have an Adtran 624 that doesn't
support this type of connection so we have to add the second router (Linksys
VP41) just for the router to router VPN with our customer. Adtran does our
NAT and VoIP duties so it can't be replaced. Our network address is
192.168.2.0 and we are running 6 VPN client connections to other customers
that are mapped to some of our public IP addresses. All clients on the LAN
are connected to a single 3Com 48 port switch. All the workstations are XP
Pro or Win2K Workstation. We have four servers with static IPs one of which
is our DHCP server.

My question is does the network need to be subnetted so one router hands its
traffic to the next. In this scenario I envision the default gateway for
all the workstations and servers would be the Linksys 41s LAN IP address.
The Linksys in turn would use the Adtran as its gateway which would be on a
different subnet like 192.168.1.0. It in turn would route the traffic to
the Internet over our T1.

The problem is as soon as I insert the Linksys between the switch and the
Adtran all traffic to the Internet gets blocked. Is this correct logic?
What am I doing wrong?

Regards,

Charles MacLean
MTS, Inc.
 
The way to do it, unfortunately, is the way you say you can't. If you have
only 1 public IP address, the Linksys needs to replace the AdTran. If the
AdTran is serving as a CSU/DSU for a T-1, obviously the Linksys won't
replace it. If it's just ethernet, the Linksys should easily be able to
handle your NAT and VoIP duties as well as the AdTran.

For a network-to-network VPN, you probably won't have much luck passing it
through a NAT router. If the router supports it, as some (very few) newer
routers do, you may be able to configure it to pass an IPSec VPN unscathed.
But if it translates the ports, you're all done. You'll never get the
"phase-2" to connect because the NAT alters the headers and the IPSec
checksum will fail.

If you want to give it a try, you'll need to configure the Linksys with a
different IP subnet on each side. So its public interface will need a STATIC
IP address on the 192.168.2.0 network, with any ports you are currently
forwarding from the AdTran forwarded to the Linksys. Then you'll need to set
the private side to some other network, like 192.168.1.0 as you mentioned.
Then forward the same ports on the Linksys to the new IP addresses of the
computers on your LAN. This puts you in a "double NAT" mode where ports are
translated twice, once by the Linksys and again by the AdTran. The Linksys is
in a sort of DMZ, so is only being NATted once as far as the VPN goes. In my
experience, IPSec just usually won't work that way (Internet will work just
fine). The Linksys needs a public IP address on its public interface.

Another possibility is to set the AdTran up as a bridge rather than a router
(if you need the protocol conversion to ATM, PPPoA, Frame Relay or whatever).
Then the Linksys would get the Public IP address and all should be well.

....kurt
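The two points in the reply above, that a NAT rewriting the IP header breaks the IPsec integrity check and that a portless protocol cannot be multiplexed through NAT the way forwarded TCP/UDP ports can, can be shown with a small model. The code below is an added example and is not from the thread or from either vendor; it assumes a simplified packet representation (a dict rather than real wire encoding), a constructed shared integrity key, and constructed addresses (203.0.113.x for the two NAT hops, 198.51.100.20 for the remote gateway) alongside the thread's own 192.168.1.0 inside network. It models AH, whose integrity value covers the source and destination addresses, beside ESP, whose integrity value covers only the SPI, sequence number and payload, and sends both through one and then two NAT hops.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo integrity key. Real IPsec derives keys via IKE; this is
# only here so the model runs offline.
DEMO_KEY = b"constructed-demo-integrity-key"

ESP = 50   # IP protocol number: Encapsulating Security Payload
AH = 51    # IP protocol number: Authentication Header
UDP = 17


def make_packet(src, dst, proto, payload, sport=None, spi=0, seq=0, ttl=64):
    """Simplified packet model (a dict, not real wire encoding)."""
    return {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "proto": proto, "ttl": ttl, "sport": sport, "spi": spi,
            "seq": seq, "payload": payload, "icv": b""}


def ah_icv(pkt):
    """AH integrity check value: covers the immutable IP header fields,
    including source and destination addresses, plus SPI, sequence number
    and payload. Mutable fields such as TTL are excluded."""
    material = (pkt["src"].packed + pkt["dst"].packed + bytes([pkt["proto"]])
                + struct.pack("!II", pkt["spi"], pkt["seq"]) + pkt["payload"])
    return hmac.new(DEMO_KEY, material, hashlib.sha256).digest()[:12]


def esp_icv(pkt):
    """ESP integrity check value: covers SPI, sequence number and payload
    only. The outer IP header is deliberately not covered."""
    material = struct.pack("!II", pkt["spi"], pkt["seq"]) + pkt["payload"]
    return hmac.new(DEMO_KEY, material, hashlib.sha256).digest()[:12]


def seal(pkt):
    """Attach the ICV the sending VPN endpoint would compute."""
    pkt["icv"] = ah_icv(pkt) if pkt["proto"] == AH else esp_icv(pkt)
    return pkt


def verify(pkt):
    """What the receiving VPN endpoint checks. None means the NAT dropped it."""
    if pkt is None:
        return False
    expected = ah_icv(pkt) if pkt["proto"] == AH else esp_icv(pkt)
    return hmac.compare_digest(expected, pkt["icv"])


class NatRouter:
    """Source NAT with port translation behind a single public address."""

    def __init__(self, public_ip):
        self.public_ip = ipaddress.IPv4Address(public_ip)
        self.port_table = {}      # (inside_ip, inside_port) -> outside_port
        self.proto_owner = {}     # proto -> inside_ip, for portless protocols
        self.next_port = 40000

    def translate(self, pkt):
        """Rewrite the source address (and port, when one exists)."""
        out = dict(pkt)
        out["src"] = self.public_ip
        out["ttl"] = pkt["ttl"] - 1
        if pkt["proto"] == UDP:
            key = (pkt["src"], pkt["sport"])
            if key not in self.port_table:
                self.port_table[key] = self.next_port
                self.next_port += 1
            out["sport"] = self.port_table[key]
            return out
        # AH and ESP carry no port numbers, so replies can only be matched
        # on protocol: one inside host per protocol is all this NAT can map.
        owner = self.proto_owner.setdefault(pkt["proto"], pkt["src"])
        return out if owner == pkt["src"] else None


def demo():
    """Run the scenarios and return the verification results by name."""
    linksys = NatRouter("203.0.113.5")   # first NAT hop, constructed address
    adtran = NatRouter("203.0.113.6")    # second NAT hop, constructed address
    peer = "198.51.100.20"               # constructed remote VPN gateway
    ah = seal(make_packet("192.168.1.10", peer, AH, b"site-a", spi=0x1000, seq=1))
    esp = seal(make_packet("192.168.1.10", peer, ESP, b"site-a", spi=0x2000, seq=1))
    esp2 = seal(make_packet("192.168.1.11", peer, ESP, b"host-b", spi=0x3000, seq=1))
    return {
        "ah_before_nat": verify(ah),
        "ah_after_nat": verify(linksys.translate(ah)),
        "esp_after_nat": verify(linksys.translate(esp)),
        "esp_after_double_nat": verify(adtran.translate(linksys.translate(esp))),
        "second_esp_host_mapped": linksys.translate(esp2) is not None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running `demo()` shows the AH packet verifying before NAT and failing after a single rewrite of the source address, while the ESP packet still verifies after one and even two NAT hops because its integrity value never covered the outer header; what ESP loses instead is the ability to be demultiplexed, so the model refuses a second inside host on the same protocol. The routers the reply describes as able to pass IPsec "unscathed" do so by handling this case specially; NAT traversal (NAT-T, ESP wrapped in UDP port 4500) is the standard way modern endpoints give the NAT a port to translate.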