Routers, RAS, and ISDN
Connect multiple desktops from a branch location to your primary network. All you need is a combination of router, RAS, and ISDN technologies.
Making the connection with your remote sites
Setting up Remote Access Service (RAS) on a Windows NT server at the office to let users dial in from home is simple (for information on how to do so, see Michael D. Reilly, "Remote Access Service," May 1997). Users can then access the network at the office or connect to the Internet through the office LAN from their machines at home. But what if you want to connect several machines from home or from a remote office? Unfortunately, RAS is not optimal in these situations. A better solution is to set up a small LAN at the remote site and use a router and ISDN to connect users to the RAS server at the office.
Figure 1 shows a typical scenario. Often, the office will have numerous file and print servers, database servers, and a mail server. The office environment you see in Figure 1 includes Microsoft BackOffice servers running Microsoft Exchange, Windows Internet Name Service (WINS), Domain Name System (DNS), and a connection to the Internet through a Cisco 2501 router. The remote site has several servers and desktops, and it connects to the office through an Ascend Pipeline 75 (P75) bridge/router. The Ascend P75 dials into a US Robotics ISDN modem on an NT server running RAS. Desktop users at the remote site can connect to any server at the office or browse any site on the Internet as if they were sitting at the office. You need three distinct IP network segments to create this environment, although you can use subnetting, imaginary (non-routed) IP addresses, or a proxy server if you want to get fancy.
An alternative scenario is to have a dedicated Ascend P75 at the main office rather than a RAS server. However, the setup for that configuration is entirely within the Ascend routers. The scenario we are describing here shows how to integrate the Ascend P75 with NT RAS. This scenario also has the advantage of not requiring any dedicated hardware at the office, and it can support regular dial-in RAS clients and routed environments.
RAS Configuration
The NT server running RAS needs to have a fixed IP address because you need to configure some static routes to it. In Figure 1, the server ras1.dcnw.com has an IP address of 161.108.80.8, and the default gateway is set to point to the Cisco 2501. You need to set up RAS on the server using the settings you see in Table 1.
RAS assigns the remote clients connecting to ras1.dcnw.com an IP address in the 192.168.50.0 network (these clients can also request a predetermined IP address). In our example in Figure 1, the router at the remote site requests the address 192.168.50.25. If you set up the configuration incorrectly (e.g., if the router requests and receives a wrong IP address), the clients at the remote site will not be able to connect to any hosts at the office or beyond. The remote clients will not even be able to ping the remote hosts, even though the router and ISDN are activated. This scenario can result in huge ISDN phone bills with no connectivity to justify the cost.
Router Configuration
You need to configure the remote router to dial the RAS modem over ISDN, to satisfy RAS authentication, and to route IP packets properly. This example uses the Ascend P75 router. To configure this router, you can use a serial connection or you can Telnet to the router's IP address (once you give it one). In either case, you get a character-based screen that lets you navigate through various menus to fill in the configuration parameters.
The first challenge is to correctly provision the ISDN line. After the telephone company installs and tests the line, you need to open the Ascend P75 menu and configure first the system and then the Ethernet and ISDN operations. This configuring requires that you enter several hardware and phone line parameters, including the Service Profile Identifier (SPID) numbers that identify your line. The telephone company typically helps you to configure this aspect of the router to ensure that you have service.
This article will concentrate on only the configuration of the router that is relevant to the connection to the NT network at the office and on the Ascend configuration screens that you need to work with for that connectivity. For a complete guide to all the Ascend configuration screens, consult the Ascend documentation. Furthermore, to set up the system as described in this article, you need to configure the Ascend P75 router to emulate numbered serial routing (you assign one IP address to the router's Ethernet port and the other to the WAN port). For this type of emulation, you must have version 4.6C or later of the Ascend Pipeline software.
In the Washington, DC area, Bell Atlantic provides Basic Rate Interface (BRI) ISDN service. After the telephone company has tested the router, you can begin to configure the router for the office connectivity by going to the Configure option from the Main menu. In the example you see in Figure 1, we configured the Ascend P75 router with the values you see in Table 2.
The fields in this menu need some explanation. The first eight items in the Main/Configure screen depend on the ISDN line and equipment that the telephone company provides--the telephone company helped you enter this information while testing the router. The remaining information relates to your connection to the office, and the telephone company cannot help you here. Unfortunately, the Ascend terminology does not correlate exactly to Microsoft nomenclature. Therefore, Table 2 shows the Ascend field names and the values we entered, plus the terms an NT engineer is familiar with, in parentheses.
The ninth item, My Name, refers to the NT domain and account you use at the office that the Ascend P75 will use for authentication. The next item, My Addr, is the IP address of the Ethernet interface of the Ascend P75 (i.e., the IP address of the Ascend P75 as seen from the network at the home office, as shown in Table 2). Note that unlike Microsoft, Ascend uses the /XX notation for IP addresses. For documentation of this notation, see the Ascend literature; by the way, /24 refers to a subnet mask of 255.255.255.0, which is what we will use for the remote location. Next, the Dial # is the telephone number that the Ascend P75 dials when activated to connect to the office. The remaining values affect the IP configuration and NT authentication that the RAS server uses--set these as shown in Table 2. Compare the values in Table 2 with those in Figure 1, so that you understand the Ascend Pipeline terminology in the environment of an NT WAN.
After you configure the remote router, you need to set up a profile. Select the Ethernet option from the Ascend Main menu, enter any name for the profile, and enter basic setup information for the connection to the RAS server. Table 3 shows the values we selected for the example in Figure 1.
In our example, most of the values you see in Table 3 for the Ethernet/Connections/screen were already entered in the Main configuration screen you see in Table 2, with the exception of the Encaps Option. Here we specify that the connection will use Point-to-Point Protocol (PPP), which lets us connect over PPP to the RAS server. If you then select the IP Options field, you see another screen with several critical values that you need to enter. Table 4 shows the values for this screen. Note again the Ascend Pipeline terminology for the different interfaces. Comparing the values in Table 4 with Figure 1 should make the configuration clearer; again, the terms that are familiar to an NT network engineer are included in parentheses.
After you configure the remote router, you can dial the RAS server, pass RAS authentication, and ping the RAS server from the remote router. To test this configuration, you need to select the System/Sys Diag/Term Serv menu option and enter the ping command from the ASCEND% prompt. When you try to ping the RAS server, the remote router will automatically activate the ISDN line, and you will be able to ping 192.168.53.1, 192.168.53.2, 192.168.50.25, and 192.168.50.1. You can ping the two interfaces on the remote router because they are local, and you can ping the two adjacent hosts. If you cannot ping these IP addresses, you need to correct the router configuration before continuing.
IP Routing
Although you can ping the adjacent hosts from the remote router, you can't ping past the RAS server yet, and you can't ping through the router from the remote desktops. To do the latter, you need to configure some static routes on the remote router and the local router at the office to ensure that packets are moving in the correct direction.
Before you configure the static routes on the routers, you want to ensure that the remote desktops use the remote router's Ethernet interface as their default gateway and that the office desktops use the Ethernet interface of the local router as theirs. This configuration lets you transfer packets to the proper router if they are not for the local subnets. At this stage, we need to correct a couple of routes.
First, we need to ensure that the remote router forwards packets to the office network if they are not for systems on the remote site's network. To do this, select the Ethernet/Static Routes/Default option from the Ascend Main/Edit menu. Enter the route you see in Table 5.
The settings in Table 5 create a routing table entry on the Ascend P75 router that lets you send packets not destined for the local network over the WAN interface to the office. To look at the routing table, go to the ASCEND% prompt and type
show ip routes
The routing table on the Ascend P75 router will look similar to Table 6.
The routing table is straightforward: Packets on the remote site's network (192.168.53.0) are sent to the Ethernet (ie0) interface of the remote router. Packets to the office network (161.108.80.0) and packets to other networks are sent to the ISDN (wan7) interface of the remote router. After you set up this routing table, you can ping from a remote desktop through the remote router as far as the ISDN interface of the RAS server.
Up to now, we've been sending packets arriving at the RAS server to the local router if they were not for the office network (161.108.80.0) or the immediately adjacent ISDN segment (192.168.50.0). That means any data destined for the remote office will never reach it, so we need to set up the RAS system as an IP router with the appropriate route table. First, enable IP routing by selecting the checkbox on the Routing tab in the RAS properties window. Now you need to add a static route to the RAS server to redirect that traffic. To add a static route to the RAS server, go to a command prompt on the RAS server and issue the ROUTE ADD command. Based on the IP addresses in Figure 1, the command is
route -p add 192.168.53.0 mask 255.255.255.0 192.168.50.25
This command redirects all packets for the remote site network (192.168.53.0) to the ISDN interface of the remote router, 192.168.50.25 (as Figure 1 illustrates), rather than sending them to the default gateway (the Cisco 2501 router at 161.108.80.1) that all the systems on the NT network use. When you add a route with the ROUTE ADD command, the route disappears if you reboot the system. In this example, the -p switch re-establishes the route automatically if the system restarts (for information on the ROUTE command, see the TCP/IP section of the NT Server documentation).
The routing table on the RAS server should match the settings you see in Table 7. With this routing table, you can send packets for hosts on the remote site's network (192.168.53.0) to the ISDN interface (192.168.50.25) and send packets for hosts on either the office's network (161.108.80.0) or on other networks to the Ethernet interface (161.108.80.8). If the packet is addressed to a host on a different network, the system routes it to the default gateway on the Ethernet side of the RAS server (i.e., to the local router--161.108.80.1).
With the configuration complete at this stage, the system will correctly deliver packets arriving at the remote router and the RAS server. However, the system will send packets that originate from any desktop at the office and are destined for hosts on networks other than 161.108.80.0 to the default gateway (i.e., the local router) of the originator's system. This configuration poses a problem for the remote site, so you need to make one more change to the routing structure. This time, you need to add two static routes on the local router to forward packets for the remote site back to the RAS server. The two routes you need are
ip route 192.168.50.0 255.255.255.0 161.108.80.8
ip route 192.168.53.0 255.255.255.0 161.108.80.8
Note that these routes are added onto the Cisco 2501 router using Cisco-specific syntax, not using NT ROUTE ADD commands. By adding these two static routes, the system forwards any packet arriving at the local (Cisco) router for a host on the remote network to the RAS server, ras1.dcnw.com, at 161.108.80.8. Once the packets are at the RAS server, the RAS routing table will forward them to the remote (Ascend) router, and the remote router will forward them to the remote host.
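The following sketch is an added example, not part of the original article. It models the three routing tables described above and traces a packet hop by hop, showing what happens when either the RAS static route or the Cisco static routes are left out. The P75 Ethernet address 192.168.53.1, the /24 mask on the office network, and the Cisco default route pointing at the Internet are assumptions.

```python
import ipaddress

# Interface owners, taken from the addresses in the article; 192.168.53.1 as
# the P75 Ethernet address and the /24 office mask are assumptions.
OWNER = {"161.108.80.1": "cisco2501", "161.108.80.8": "ras1",
         "192.168.50.1": "ras1", "192.168.50.25": "p75",
         "192.168.53.1": "p75"}

def build_tables(ras_static=True, cisco_static=True):
    """Return {device: [(prefix, next_hop)]}; next_hop None = directly connected."""
    t = {
        "p75": [("192.168.53.0/24", None), ("192.168.50.0/24", None),
                ("0.0.0.0/0", "192.168.50.1")],
        "ras1": [("161.108.80.0/24", None), ("192.168.50.0/24", None),
                 ("0.0.0.0/0", "161.108.80.1")],
        "cisco2501": [("161.108.80.0/24", None), ("0.0.0.0/0", "INTERNET")],
    }
    if ras_static:    # route -p add 192.168.53.0 mask 255.255.255.0 192.168.50.25
        t["ras1"].append(("192.168.53.0/24", "192.168.50.25"))
    if cisco_static:  # the two "ip route ... 161.108.80.8" lines
        t["cisco2501"] += [("192.168.50.0/24", "161.108.80.8"),
                           ("192.168.53.0/24", "161.108.80.8")]
    return t

def next_hop(table, dst):
    """Longest-prefix match over one device's table."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(start, dst, tables, max_hops=6):
    """Follow a packet device by device; report delivery, exit, or a loop."""
    path, device = [start], start
    for _ in range(max_hops):
        nh = next_hop(tables[device], dst)
        if nh is None:
            return path + ["delivered"]
        if nh == "INTERNET":
            return path + ["INTERNET"]
        device = OWNER[nh]
        path.append(device)
    return path + ["loop"]

if __name__ == "__main__":
    remote_pc = "192.168.53.2"  # remote-site host address from the ping test
    for ras, cisco in [(True, True), (True, False), (False, True)]:
        print(ras, cisco, trace("cisco2501", remote_pc, build_tables(ras, cisco)))
    print(trace("p75", "161.108.80.20", build_tables()))  # constructed office host
```

Office desktops use the Cisco 2501 as their default gateway, so traces toward the remote site start there. With the Cisco routes in place but the RAS static route missing, the packet bounces between the Cisco router and the RAS server until the hop limit is reached.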
Network Services
Now that you have connectivity from the remote site to the office and through to the Internet, you can set up the remote desktops just as if they were sitting at the office. In particular, you can set them up so that they use the BackOffice and other servers at the main office, including
* WINS and DNS servers for name resolution
* Exchange Server for email, fax service, and groupware activities
* SQL Server for database operations
* Printers
You can make many enhancements to this basic configuration for improving network performance and reducing communications costs. For example, you can install a WINS service somewhere in the remote site as a replication partner of the WINS server at the office, rather than have the remote site's desktops go across the router to do name resolution. In addition, you might want to install some filters in the remote router to stop various types of traffic from activating the ISDN link unnecessarily, and set RAS to disconnect the remote router after some period of inactivity. You can easily add all these features after you establish connectivity by following the procedures we outlined above.