which connection type is the best for Lan to Lan connection

[colapig]

Here is the requirement that I got from my customer:
Site A (static IP) -----VPN----- Site B (dynamic IP)
Site A ip segment (192.168.1.0/24)
Site B ip segment (192.168.2.0/24)
1. the user in Site A can access the servers in Site B
2. Site B user can't access site A
3. Site A user browse Internet through Site A internet connect
4. Site B user browse Internet through Site B internet connection

Which connection type that can be used to meet this requirement?


Thanks,

[thisjun]

I think site to site VPN and using SecureNAT without DHCP function is good.
1. create localbridge at SiteA.
2. enable SecureNAT without DHCP at SiteB.
3. create cascade connection between A and B.
4. add route to SiteB at router in SiteA.

[colapig]

thanks a lot for your reply.
I creared 2 virtual hubs in siteA and use L2 switch to connect these 2 hubs (hub1 and hub2).
created local bridge for hub 1.
created a user account in hub2 for cascade connection
created a virtual hub (hub 3) in siteB
created a virtual local bridge for hub 3
establish cascade connection from hub 3 to hub 2
added a static route in site A and site B router to redirect all site A traffic to site B vpn server and site B traffice to site A vpn server
everything works fine now, but I don't know how to do restriction like deny Site A user to access site B resources, only allow site B user to access site A resources.

[raafat]

but I don't know how to do restriction like deny
> Site A user to access site B resources, only allow site B user to access
> site A resources.


You could use ACLs to do that

[raafat]

By the way, how many servers in the site B would your customer like to connect Site A' users to ?

[colapig]

I have 3 servers in site B. All user in site A and B are want to access these servers. Can you tell me which ACL can do this restrict ?

[raafat]

May please tell me more about your network, can you use VLAN technology ?

i suggest to create a bridge at site A, then set up clients on the three serves so that once they boot they connect to that bridge, then they will get ip addresses from the same subnet of the site A, that way, site A's users can access all servers and site B, too, at the same time there is no need for ACLs, or routing-level modifications, my opinion that three servers don't deserve L2 connection, using two different subnets better since you don't want site A's users to access site B's users or vice versa, also you can setup DNS entries so that site A's users access your servers via DNS, or you can give your servers static ip addresses (settings are applied on the virtual adapters)so that site A's users connect to the servers without any support from you every time servers connect the softether server at site A

the more info you give me about your network, the more good setup you will get from me (:

Good luck

[colapig]

that's a good idea. it can solve the issue. But I would like to know how to use ACL to this function.

[thisjun]

Deny syn packet from SiteA.