Setting up Remote Access Service (RAS) on a Windows NT server at the office to let users dial in from home is simple (for information on how to do so, see Michael D. Reilly, "Remote Access Service," May 1997). Users can then access the network at the office or connect to the Internet through the office LAN from their machines at home. But what if you want to connect several machines from home or from a remote office? Unfortunately, RAS is not optimal in these situations. A better solution is to set up a small LAN at the remote site and use a router and ISDN to connect users to the RAS server at the office.
Figure 1 shows a typical scenario. Often, the office will have numerous file and print servers, database servers, and a mail server. The office environment you see in Figure 1 includes Microsoft BackOffice servers running Microsoft Exchange, Windows Internet Name Service (WINS), Domain Name System (DNS), and a connection to the Internet through a Cisco 2501 router. The remote site has several servers and desktops, and it connects to the office through an Ascend Pipeline 75 (P75) bridge/router. The Ascend P75 dials into a US Robotics ISDN modem on an NT server running RAS. Desktop users at the remote site can connect to any server at the office or browse any site on the Internet as if they were sitting at the office. You need three distinct IP network segments to create this environment, although you can use subnetting, imaginary (non-routed) IP addresses, or a proxy server if you want to get fancy.
An alternative scenario is to have a dedicated Ascend P75 at the main office rather than a RAS server. However, the setup for that configuration is entirely within the Ascend routers. The scenario we are describing here shows how to integrate the Ascend P75 with NT RAS. This scenario also has the advantage of not requiring any dedicated hardware at the office, and it can support regular dial-in RAS clients and routed environments.
The NT server running RAS needs to have a fixed IP address because you need to configure some static routes to it. In Figure 1, the server ras1.dcnw.com has an IP address of 126.96.36.199, and the default gateway is set to point to the Cisco 2501. You need to set up RAS on the server using the settings you see in Table 1.
RAS assigns the remote clients connecting to ras1.dcnw.com an IP address in the 192.168.50.0 network (these clients can also request a predetermined IP address). In our example in Figure 1, the router at the remote site requests the address 192.168.50.25. If you set up the configuration incorrectly (e.g., if the router requests and receives a wrong IP address), the clients at the remote site will not be able to connect to any hosts at the office or beyond. The remote clients will not even be able to ping the remote hosts, even though the router and ISDN are activated. This scenario can result in huge ISDN phone bills with no connectivity to justify the cost.
You need to configure the remote router to dial the RAS modem over ISDN, to satisfy RAS authentication, and to route IP packets properly. This example uses the Ascend P75 router. To configure this router, you can use a serial connection or you can Telnet to the router's IP address (once you give it one). In either case, you get a character-based screen that lets you navigate through various menus to fill in the configuration parameters.
The first challenge is to correctly provision the ISDN line. After the telephone company installs and tests the line, you need to open the Ascend P75 menu and configure first the system and then the Ethernet and ISDN operations. This configuring requires that you enter several hardware and phone line parameters, including the Service Profile Identifier (SPID) numbers that identify your line. The telephone company typically helps you to configure this aspect of the router to ensure that you have service.
This article will concentrate on only the configuration of the router that is relevant to the connection to the NT network at the office and on the Ascend configuration screens that you need to work with for that connectivity. For a complete guide to all the Ascend configuration screens, consult the Ascend documentation. Furthermore, to set up the system as described in this article, you need to configure the Ascend P75 router to emulate numbered serial routing (you assign one IP address to the router's Ethernet port and the other to the WAN port). For this type of emulation, you must have version 4.6C or later of the Ascend Pipeline software.
In the Washington, DC area, Bell Atlantic provides Basic Rate Interface (BRI) ISDN service. After the telephone company has tested the router, you can begin to configure the router for the office connectivity by going to the Configure option from the Main menu. In the example you see in Figure 1, we configured the Ascend P75 router with the values you see in Table 2.
The fields in this menu need some explanation. The first eight items in the Main/Configure screen depend on the ISDN line and equipment that the telephone company provides--the telephone company helped you enter this information while testing the router. The remaining information relates to your connection to the office, and the telephone company cannot help you here. Unfortunately, the Ascend terminology does not correlate exactly to Microsoft nomenclature. Therefore, Table 2 shows the Ascend field names and the values we entered, plus the terms an NT engineer is familiar with, in parentheses.
The ninth item, My Name, refers to the NT domain and account you use at the office that the Ascend P75 will use for authentication. The next item, My Addr, is the IP address of the Ethernet interface of the Ascend P75 (i.e., the IP address of the Ascend P75 as seen from the network at the home office, as shown in Table 2). Note that unlike Microsoft, Ascend uses the /XX notation for IP addresses. For documentation of this notation, see the Ascend literature; by the way, /24 refers to a subnet mask of 255.255.255.0, which is what we will use for the remote location. Next, the Dial # is the telephone number that the Ascend P75 dials when activated to connect to the office. The remaining values affect the IP configuration and NT authentication that the RAS server uses--set these as shown in Table 2. Compare the values in Table 2 with those in Figure 1, so that you understand the Ascend Pipeline terminology in the environment of an NT WAN.
After you configure the remote router, you need to set up a profile. Select the Ethernet option from the Ascend Main menu, enter any name for the profile, and enter basic setup information for the connection to the RAS server. Table 3 shows the values we selected for the example in Figure 1.
In our example, most of the values you see in Table 3 for the Ethernet/Connections/<profilename> screen were already entered in the Main configuration screen you see in Table 2, with the exception of the Encaps Option. Here we specify that the connection will use Point-to-Point Protocol (PPP), which lets us connect over PPP to the RAS server. If you then select the IP Options field, you see another screen with several critical values that you need to enter. Table 4 shows the values for this screen. Note again the Ascend Pipeline terminology for the different interfaces. Comparing the values in Table 4 with Figure 1 should make the configuration clearer; again, the terms that are familiar to an NT network engineer are included in parentheses.
After you configure the remote router, you can dial the RAS server, pass RAS authentication, and ping the RAS server from the remote router. To test this configuration, you need to select the System/Sys Diag/Term Serv menu option and enter the ping command from the ASCEND% prompt. When you try to ping the RAS server, the remote router will automatically activate the ISDN line, and you will be able to ping 192.168.53.1, 192.168.53.2, 192.168.50.25, and 192.168.50.1. You can ping the two interfaces on the remote router because they are local, and you can ping the two adjacent hosts. If you cannot ping these IP addresses, you need to correct the router configuration before continuing.
Although you can ping the adjacent hosts from the remote router, you can't ping past the RAS server yet, and you can't ping through the router from the remote desktops. To do the latter, you need to configure some static routes on the remote router and the local router at the office to ensure that packets are moving in the correct direction.
Before you configure the static routes on the routers, you want to ensure that the remote desktops use the remote router's Ethernet interface as their default gateway and that the office desktops use the Ethernet interface of the local router as theirs. This configuration lets you transfer packets to the proper router if they are not for the local subnets. At this stage, we need to correct a couple of routes.
First, we need to ensure that the remote router forwards packets to the office network if they are not for systems on the remote site's network. To do this, select the Ethernet/Static Routes/Default option from the Ascend Main/Edit menu. Enter the route you see in Table 5.
The settings in Table 5 create a routing table entry on the Ascend P75 router that lets you send packets not destined for the local network, over the WAN interface to the office. To look at the routing table, go to the ASCEND% prompt and type
show ip routes
The routing table on the Ascend P75 router will look similar to Table 6.
The routing table is straightforward: Packets on the remote site's network (192.168.53.0) are sent to the Ethernet (ie0) interface of the remote router. Packets to the office network (188.8.131.52) and packets to other networks are sent to the ISDN (wan7) interface of the remote router. After you set up this routing table, you can ping from a remote desktop through the remote router as far as the ISDN interface of the RAS server.
Up to now, we've been sending packets arriving at the RAS server to the local router if they were not for the office network (184.108.40.206) or the immediately adjacent ISDN segment (192.168.50.0). That means any data destined for the remote office will never reach it, so we need to set up the RAS system as an IP router with the appropriate route table. First, enable IP routing by selecting the checkbox on the Routing tab in the RAS properties window. Now you need to add a static route to the RAS server to redirect that traffic. To add a static route to the RAS server, go to a command prompt on the RAS server and issue the ROUTE ADD command. Based on the IP addresses in Figure 1, the command is
route -p add 192.168.53.0 mask 255.255.255.0 192.168.50.25
This command redirects all packets for the remote site network (192.168.53.0) to the ISDN interface of the remote router, 192.168.50.25 (as Figure 1 illustrates), rather than sending them to the default gateway (the Cisco 2501 router at 220.127.116.11) that all the systems on the NT network use. When you add a route with the ROUTE ADD command, the route disappears if you reboot the system. In this example, the -p switch re-establishes the route automatically if the system restarts (for information on the ROUTE command, see the TCP/IP section of the NT Server documentation).
The routing table on the RAS server should match the settings you see in Table 7. With this routing table, you can send packets for hosts on the remote site's network (192.168.53.0) to the ISDN interface (192.168.50.25) and send packets for hosts on either the office's network (18.104.22.168) or on other networks to the Ethernet interface (22.214.171.124). If the packet is addressed to a host on a different network, the system routes it to the default gateway on the Ethernet side of the RAS server (i.e., to the local router--126.96.36.199).
With the configuration complete at this stage, the system will correctly deliver packets arriving at the remote router and the RAS server. However, the system will send packets that originate from any desktop at the office and are destined for hosts on networks other than 188.8.131.52 to the default gateway (i.e., the local router) of the originator's system. This configuration poses a problem for the remote site, so you need to make one more change to the routing structure. This time, you need to add two static routes on the local router to forward packets for the remote site back to the RAS server. The two routes you need are
ip route 192.168.50.0 255.255.255.0 184.108.40.206
ip route 192.168.53.0 255.255.255.0 220.127.116.11
Note that these routes are added onto the Cisco 2501 router using Cisco-specific syntax, not using NT ROUTE ADD commands. By adding these two static routes, the system forwards any packet arriving at the local (Cisco) router for a host on the remote network to the RAS server, ras1.dcnw.com, at 18.104.22.168. Once the packets are at the RAS server, the RAS routing table will forward them to the remote (Ascend) router, and the remote router will forward them to the remote host.
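The following sketch is an added example, not part of the original article: it models the three routing tables described above with longest-prefix matching and traces both legs of a conversation, so you can see what happens when one of the static routes is missing. The office LAN (10.1.1.0/24), the two host addresses, and the router labels are constructed placeholders; the 192.168.50.0 and 192.168.53.0 networks follow the article.

```python
import ipaddress

# Office-LAN addresses are constructed placeholders; 192.168.50.x / 192.168.53.x follow the article.
OFFICE_NET = "10.1.1.0/24"
REMOTE_NET = "192.168.53.0/24"
ISDN_NET = "192.168.50.0/24"

def build_tables(ras_static=True, cisco_static=True):
    """Routing tables as (prefix, next_hop); next_hop None = directly connected."""
    tables = {
        "p75":   [(REMOTE_NET, None), (ISDN_NET, None), ("0.0.0.0/0", "ras")],
        "ras":   [(OFFICE_NET, None), (ISDN_NET, None), ("0.0.0.0/0", "cisco")],
        "cisco": [(OFFICE_NET, None), ("0.0.0.0/0", "internet")],
    }
    if ras_static:    # route -p add 192.168.53.0 mask 255.255.255.0 192.168.50.25
        tables["ras"].append((REMOTE_NET, "p75"))
    if cisco_static:  # the two "ip route" lines on the Cisco 2501
        tables["cisco"] += [(ISDN_NET, "ras"), (REMOTE_NET, "ras")]
    return tables

def trace(dst, start, tables, max_hops=8):
    """Follow longest-prefix-match decisions hop by hop; return (path, status)."""
    addr = ipaddress.ip_address(dst)
    path, router = [start], start
    for _ in range(max_hops):
        matches = [(ipaddress.ip_network(p), nh) for p, nh in tables[router]
                   if addr in ipaddress.ip_network(p)]
        _, next_hop = max(matches, key=lambda m: m[0].prefixlen)
        if next_hop is None:
            return path, "delivered"
        path.append(next_hop)
        if next_hop not in tables:
            return path, "left-site"   # handed to the Internet side, never reaches the remote LAN
        router = next_hop
    return path, "loop"                # packets bounce until their TTL expires

def round_trip(tables, remote_host="192.168.53.10", office_host="10.1.1.20"):
    """Forward leg starts at the remote gateway (P75), return leg at the office gateway (Cisco)."""
    return trace(office_host, "p75", tables), trace(remote_host, "cisco", tables)

if __name__ == "__main__":
    for ras, cisco in [(True, True), (True, False), (False, True)]:
        fwd, back = round_trip(build_tables(ras, cisco))
        print(f"ras_static={ras} cisco_static={cisco}: forward={fwd} return={back}")
```

With only the Cisco routes in place and the RAS route missing, the return leg bounces between the Cisco router and the RAS server, which is why the RAS static route is added first.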
Now that you have connectivity from the remote site to the office and through to the Internet, you can set up the remote desktops just as if they were sitting at the office. In particular, you can set them up so that they use the BackOffice and other servers at the main office, including
* WINS and DNS servers for name resolution
* Exchange Server for email, fax service, and groupware activities
* SQL Server for database operations
You can make many enhancements to this basic configuration for improving network performance and reducing communications costs. For example, you can install a WINS service somewhere in the remote site as a replication partner of the WINS server at the office, rather than have the remote site's desktops go across the router to do name resolution. In addition, you might want to install some filters in the remote router to stop various types of traffic from activating the ISDN link unnecessarily, and set RAS to disconnect the remote router after some period of inactivity. You can easily add all these features after you establish connectivity by following the procedures we outlined above.