Connecting two Class C private networks under one domain.

I would like to know if it is possible to connect two Class C Networks under
one Domain, even further, one of the networks would access the other through
two routers and a frame relay, right now i have layer 3 connectivity between
both networks but since one of the networks is behind an ISA Server just one
can be access.

My idea is to add another ethernet interface to my main office router and
route all trafic from my remote router through this interface to a third NIC
in my ISA Server, add this network as reliable or internal to ISA Server.

the esquema would look like this:


(Internet)
| (2.2) (2.1)
(Router Local)-------(Frame Relay)-------(Remote Router)
(3.1) | |(Public IP) |
(1.2)
(3.2) | |(Public IP) |
(ISA Server) (Remote Network) (1.0 /24)
|(4.1)
|
(Local Network 1.2) (4.0)

Mi ISA Server actually have two nic's one ponts to my internal network and
the another points to my cisco router which gives me internet access, i
should add another nic to my isa server so i can configure another internal
(reliable) network, then, i guess, add this network to my domain and the LAT
of the ISA Server.

Right now my remote network access internet through the remote routers which
do NAT so they can do it. But i like to change that and make it to access
internet throught the ISA Sever.

It is possible?

Every body tells me to use VPN, but i think it can be done just routing.

Am i right?

Thanks in advance

"mosquito_hippy" <(E-Mail Removed)> wrote in message
news:838D896C-ADD2-4104-A825-(E-Mail Removed)...
> I would like to know if it is possible to connect two Class C Networks
under
> one Domain,

Not with ISA between them.

Is the Frame Relay a private link? or does it simply link you to the
Internet?

If it is a private point-to-point link then this is the pattern:

(Internet)
|
(Internet Router)
|
(ISA)
|
(LAN Router)---(Frame Relay)---(Remote LAN Router)
| |
(Local Network) (Remote Network)

The ISA must include the IP# Range from both LANs in the LAT, and any Active
Directory FQDNs from both LANs must be in the LDT. If it is ISA2004 then
there is no LAT but has replaced by "internal networks" and "external
networks". A little different concept, but the overall principle is the
same.

If the Frame Relay is the "Internet connection" for the LAN then you will
have to create a solution using VPN.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Thanks for answering.

Unfortunately my ISP just gave me one enter point for both Frame Relay and
Internet, but my Frame Relay is a private connection, but both of them enters
through he same router, that's way i think i could add an ethernet interface
to this router and route trafic of the remote network through this interface.

Another question, can i use VPN in a private network?, i mean between
non-routable private networks.

"Phillip Windell" wrote:

> "mosquito_hippy" <(E-Mail Removed)> wrote in message
> news:838D896C-ADD2-4104-A825-(E-Mail Removed)...
> > I would like to know if it is possible to connect two Class C Networks
> under
> > one Domain,
>
> Not with ISA between them.
>
> Is the Frame Relay a private link? or does it simply link you to the
> Internet?
>
> If it is a private point-to-point link then this is the pattern:
>
> (Internet)
> |
> (Internet Router)
> |
> (ISA)
> |
> (LAN Router)---(Frame Relay)---(Remote LAN Router)
> | |
> (Local Network) (Remote Network)
>
> The ISA must include the IP# Range from both LANs in the LAT, and any Active
> Directory FQDNs from both LANs must be in the LDT. If it is ISA2004 then
> there is no LAT but has replaced by "internal networks" and "external
> networks". A little different concept, but the overall principle is the
> same.
>
> If the Frame Relay is the "Internet connection" for the LAN then you will
> have to create a solution using VPN.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>

"mosquito_hippy" <(E-Mail Removed)> wrote in message
news:A1B1E136-82CA-49A7-95D0-(E-Mail Removed)...
> Thanks for answering.
>
> Unfortunately my ISP just gave me one enter point for both Frame Relay and
> Internet, but my Frame Relay is a private connection, but both of them
enters
> through he same router, that's way i think i could add an ethernet
interface
> to this router and route trafic of the remote network through this
interface.

Then buy another router. There is no law that states that it must go into
the same router as the other Internet Link, and your ISP cannot dictate that
it does. Don't stay with a "bad design" because that is the way some ISP
rigged it up.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

I just have one wire from my ISP. Phisically it's just one wire logically
there are two wires. One for internet and other the frame relay.

If i understood you correctly my only way out is to take my ISA Server out
and buy another router.

It make sense but i'm affraid it's to expensive for my boss taste.

Officially i have to implement a VPN.

Another question, do you know any link where i could find information on
regard of back-to-back VPN between an ISA Server and a router cisco.

Thanks in advance.

"Phillip Windell" wrote:

> "mosquito_hippy" <(E-Mail Removed)> wrote in message
> news:A1B1E136-82CA-49A7-95D0-(E-Mail Removed)...
> > Thanks for answering.
> >
> > Unfortunately my ISP just gave me one enter point for both Frame Relay and
> > Internet, but my Frame Relay is a private connection, but both of them
> enters
> > through he same router, that's way i think i could add an ethernet
> interface
> > to this router and route trafic of the remote network through this
> interface.
>
> Then buy another router. There is no law that states that it must go into
> the same router as the other Internet Link, and your ISP cannot dictate that
> it does. Don't stay with a "bad design" because that is the way some ISP
> rigged it up.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>

"mosquito_hippy" <(E-Mail Removed)> wrote in message
news:A1B79F79-BECA-4666-93CF-(E-Mail Removed)...
> I just have one wire from my ISP. Phisically it's just one wire logically
> there are two wires. One for internet and other the frame relay.

That stinks. There is no way I'd let an ISP do that to us.

> If i understood you correctly my only way out is to take my ISA Server out
> and buy another router.

No, that is not what I said.

> Officially i have to implement a VPN.

No that won't work either. The VPN works over the Internet part of the Link,
not the frame relay.

Your ISP created the mess, they are probably the only ones who might be able
to come up with a solution. Remember, some ISPs don't care about doing it
right or doing it secure, they only want to stick something in place that is
convienient for them so they can collect their "fees".

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"Phillip Windell" wrote:

> "mosquito_hippy" <(E-Mail Removed)> wrote in message
> news:A1B79F79-BECA-4666-93CF-(E-Mail Removed)...
> > I just have one wire from my ISP. Phisically it's just one wire logically
> > there are two wires. One for internet and other the frame relay.
>
> That stinks. There is no way I'd let an ISP do that to us.

Well i let them do that to us.

>
> > If i understood you correctly my only way out is to take my ISA Server out
> > and buy another router.
>
> No, that is not what I said.

that's what is in the esquema.

> > Officially i have to implement a VPN.
>
> No that won't work either. The VPN works over the Internet part of the Link,
> not the frame relay.

I already trayed it and it worked it just i don't feel confortable
implementing it.

There is something i did'nt mention to you our remote router is giving
access to internet to the remote network with nat/pat. The traffic sent to
the local router is then routed directly to internet.



>
> Your ISP created the mess, they are probably the only ones who might be able
> to come up with a solution. Remember, some ISPs don't care about doing it
> right or doing it secure, they only want to stick something in place that is
> convienient for them so they can collect their "fees".
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>

"mosquito_hippy" <(E-Mail Removed)> wrote in message
news1C0F205-FBB4-40B7-98CB-(E-Mail Removed)...
> "Phillip Windell" wrote:
> > > If i understood you correctly my only way out is to take my ISA Server
out
> > > and buy another router.
> >
> > No, that is not what I said.
>
> that's what is in the esquema.

No, you don't take out the ISA,..the new router (LAN Router) goes behind the
ISA, the old one (Internet Router) is on the outside of ISA. Here's the
diagram again:

(Internet)
|
(Internet Router)
|
(ISA)
|
(LAN Router)---(Frame Relay)---(Remote LAN Router)
| |
(Local Network) (Remote Network)

It doesn't really matter now anyway, it won't work with what the ISP stuck
you with. There is nothing else I can do with this.

> > No that won't work either. The VPN works over the Internet part of the
Link,
> > not the frame relay.
>
> I already trayed it and it worked it just i don't feel confortable
> implementing it.

You can't take two physically separate connections (different "pairs" in the
same cable) and have one run inside a logical Tunnel running on the other
"pair". the physical separation prevents that, not only that, but the
"second" connection is actually created by the VPN and cannot pre-exist on a
another physically separate pair of wires.

Probably what really happend is that you created a VPN Tunnel over the
Internet Link and the "frame relay" was just sitting there doing nothing.

> There is something i did'nt mention to you our remote router is giving
> access to internet to the remote network with nat/pat. The traffic sent
to
> the local router is then routed directly to internet.

That just makes it all even "murkier". Where is the Frame Relay on thier
end? That frame relay from you has to have another "end" somewhere.....

Your only hope is that the existing router can use an additional *internal*
adapter that can be patched in behind the ISA (effectively going around
ISA). The router would have to keep the two links totally separated and
never route between them. Configure that one wrong and you are in a real
mess.

(Internet)
|
(Internet Router)---(Frame Relay)---(Remote LAN Router)
| | |
(ISA) <Private link> |
| | |
(Local Network) (Remote Network)

That is the best I can do without being there and literally seeing this
stuff with my own eyes.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Thanks any way.



"Phillip Windell" wrote:

> "mosquito_hippy" <(E-Mail Removed)> wrote in message
> news1C0F205-FBB4-40B7-98CB-(E-Mail Removed)...
> > "Phillip Windell" wrote:
> > > > If i understood you correctly my only way out is to take my ISA Server
> out
> > > > and buy another router.
> > >
> > > No, that is not what I said.
> >
> > that's what is in the esquema.
>
> No, you don't take out the ISA,..the new router (LAN Router) goes behind the
> ISA, the old one (Internet Router) is on the outside of ISA. Here's the
> diagram again:
>
> (Internet)
> |
> (Internet Router)
> |
> (ISA)
> |
> (LAN Router)---(Frame Relay)---(Remote LAN Router)
> | |
> (Local Network) (Remote Network)
>
> It doesn't really matter now anyway, it won't work with what the ISP stuck
> you with. There is nothing else I can do with this.
>
> > > No that won't work either. The VPN works over the Internet part of the
> Link,
> > > not the frame relay.
> >
> > I already trayed it and it worked it just i don't feel confortable
> > implementing it.
>
> You can't take two physically separate connections (different "pairs" in the
> same cable) and have one run inside a logical Tunnel running on the other
> "pair". the physical separation prevents that, not only that, but the
> "second" connection is actually created by the VPN and cannot pre-exist on a
> another physically separate pair of wires.
>
> Probably what really happend is that you created a VPN Tunnel over the
> Internet Link and the "frame relay" was just sitting there doing nothing.
>
> > There is something i did'nt mention to you our remote router is giving
> > access to internet to the remote network with nat/pat. The traffic sent
> to
> > the local router is then routed directly to internet.
>
> That just makes it all even "murkier". Where is the Frame Relay on thier
> end? That frame relay from you has to have another "end" somewhere.....
>
> Your only hope is that the existing router can use an additional *internal*
> adapter that can be patched in behind the ISA (effectively going around
> ISA). The router would have to keep the two links totally separated and
> never route between them. Configure that one wrong and you are in a real
> mess.
>
> (Internet)
> |
> (Internet Router)---(Frame Relay)---(Remote LAN Router)
> | | |
> (ISA) <Private link> |
> | | |
> (Local Network) (Remote Network)
>
> That is the best I can do without being there and literally seeing this
> stuff with my own eyes.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>
>