Wondering if I could get some input

[bryantp]

I want to setup a dirty Internet connection - essentially an Internet connection that is secure and will not allow an user to see our network.

We are on a private network behind two cisco routers that receive our feed (internal and external) from the corporate office.

Office - internal network - HDQ - internal servers / external network (Internet).

This is to allow office visitors a way to access the Internet but not see our network on level.

Thanks in advance for your input.

 

[bryantp]

No suggestions or input? Have I stumped this crowd?

 

[Jon855]

I think just assign a different workgroup name and well, make sure your VPN/NETWORK will block that one ip in which you should have DMZ'ed to the internet. Can't be that too all hard i thunk.

 

[spidey07]

well that's asking a lot. It can be done but it is very complicated. A detailed network design and whiteboarding session could come up with some ideas.

A couple approaches:
1) use 802.1x for VLAN assisgnment and access list assignment. For this you would change all clients to 802.1x and reconfigure the swithes to place users in a "guest" network or vlan if they are not authenticated
2) use some sort of mac-address authentication for assigning vlans
3) use wireless networking and create guest network SSID in addition to the production/secure SSIDs and use access lists appropriately.

bottom line - it won't be easy to do it properly. The term for this kind of network is "guest." Most companies are smart and simply don't allow a computer to plug in to their network.

 

[nweaver]

We use VLAN's to accomplish this. The visitor vlan is not allowed to route any traffic to lab or corp networks. Corp can route traffic to lab/visitor vlan, test can route traffic to visitor, but not corp.


btw, changing a workgroup name does nothing...