1 PC accessing two separate networks.

gerr

Distinguished
Apr 1, 2008
503
0
19,060
I have two subnets at my home and both run through my Cisco router. One is my private LAN with access to the Internet, i.e. your standard home network. The other is a semi-public network that I share with friends through an encrypted GRE tunnel system (DMVPN) over the Internet. I have a server on that semi-public network and I can access my friends' servers from my server, but not from my main PC on my private network.

Is there a way I can access both networks from only my main PC using two NICs?
 

arnep

Honorable
Aug 28, 2012
14
0
10,510
Assuming you have two switches, on two different LAN ports of your Cisco, you should be able to access your friends' servers once you get the routing right. There are two ways: NAT your private PC's IP out on the semi-private network, or add routes on your friends' routers to your private network (the traffic must know how to get "back" again). Do you have some examples from your Cisco configurations (without sensitive information) that could help?
 

gerr

Someone mentioned something similar about NATing my private into the public, but can that be done for a single PC only and not open up my entire private network?

I would prefer not to have the other people adjust their configs just for me, so would prefer something locally done.

I have one switch, but have 2 vlans on it.

I was hoping there was some sort of PC based solution rather than having to reconfigure my router/switch.
 
I am going to bet unless you restricted it that your traffic already is being sent to friends server but does not know how to get back.

I am going to assume you have defined sub interfaces on the router for your 2 vlans. This means the router knows how to route between those subnets. You should be able to ping between them. When your VPN connection comes up your router will learn the subnets from your friends' network. I assume via OSPF unless you are running static. Really all you would have to do is advertise your private network to the remote location and he will be able to get back to you. You would then restrict the traffic with an access list on the sub interfaces.

Now your other option, as pointed out, is to NAT between the 2 sub interfaces. You could use a simple 1-1 static NAT so all your traffic would now appear to be another device on the public network. The key to making this work is that when your PC on the private network sends traffic to its gateway it knows to send it to the other vlan. It should do this by default. The only real difference is you do not advertise your private network to the remote location.
 

gerr

It defeats the purpose of having 2 vlans if I open my private one to the semi-public vlan. I want to keep my private vlan private, but would like if possible to access the semi-public vlan from one PC on the private network. I also don't want the semi-public vlan to have access to the shares on my main PC either. That's the tricky part. I thought if I had 2 NICs and restricted the one connected to the semi-public vlan to IP traffic only on the adapter, i.e. not turn on Microsoft Client on it, I might be able to do it, but not sure.
 
The problem is your private vlan is not really private unless you are using access lists to filter. All someone does to access your private vlan is put a static route in their router pointing to yours.

To prevent this you need to place an access list on the tunnel that only allows the access to your private machines on the ports you allow. If you use the NAT method you need to be careful to filter the correct address, which depends on which way you apply the access list.

Maybe my responses here were too generic but I generally assume anyone who can configure DMVPN has a very high level of Cisco skills.
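
The point above about filtering the correct address when NAT is in use, as an added example that is not part of the original thread: a small Python model of the order in which the router handles a packet arriving on the tunnel (inbound ACL, then NAT, then outbound ACL), showing that a tunnel ACL written only with private addresses does not cover the PC's translated address. All addresses and ACL contents are constructed, and the `established` flag is a simplified stand-in for a reply-only match.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (not from the thread).
PRIVATE_NET = ip_network("192.168.10.0/24")  # private VLAN
DMVPN_NETS = "172.16.0.0/16"                 # semi-public VLAN and friends' subnets
PC_GLOBAL = "172.16.50.20/32"                # main PC's 1-1 NAT address
STATIC_NAT = {ip_address("172.16.50.20"): ip_address("192.168.10.20")}  # global -> local

def acl_permits(acl, src, dst, established):
    """First matching entry wins; no match is the implicit deny."""
    for action, src_net, dst_net, est_only in acl:
        if (src in ip_network(src_net) and dst in ip_network(dst_net)
                and (established or not est_only)):
            return action == "permit"
    return False

def from_tunnel(src, dst, tunnel_in, private_out, established=False):
    """Private address a packet arriving on the tunnel reaches, or None if dropped.

    Order modelled: tunnel inbound ACL, NAT global -> local, routing,
    private subinterface outbound ACL.
    """
    src, dst = ip_address(src), ip_address(dst)
    if not acl_permits(tunnel_in, src, dst, established):
        return None
    dst = STATIC_NAT.get(dst, dst)           # untranslated only after the inbound ACL
    if dst not in PRIVATE_NET:
        return None                          # not bound for the private VLAN
    if not acl_permits(private_out, src, dst, established):
        return None
    return str(dst)

ANY = "0.0.0.0/0"
PERMIT_ALL = [("permit", ANY, ANY, False)]
# Tunnel ACL written only with private (inside local) addresses.
TUNNEL_LOCAL_ONLY = [("deny", ANY, "192.168.10.0/24", False),
                     ("permit", ANY, ANY, False)]
# Tunnel ACL that also filters the NAT global address: replies in, nothing new.
TUNNEL_GLOBAL = [("permit", ANY, PC_GLOBAL, True),
                 ("deny", ANY, PC_GLOBAL, False)] + TUNNEL_LOCAL_ONLY
# Same policy applied outbound on the private subinterface, where the
# destination has already been translated back to the local address.
PRIVATE_OUT = [("permit", DMVPN_NETS, "192.168.10.20/32", True),
               ("deny", DMVPN_NETS, "192.168.10.0/24", False),
               ("permit", ANY, ANY, False)]
```

On the tunnel the entry has to name the translated address; on the private subinterface it has to name the real one.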
 

gerr

My private vlan is private as I am not advertising it in EIGRP, but I see what you mean about someone adding a static route, so will likely just add an access-list preventing access to it via the DMVPN network. Not worried about the Internet gaining access to it as I use NAT & CBAC to secure it.

And ya, I am one exam away from my CCNP.

I have been over this many times with my co-workers, which is why I went here to see if there was some sort of PC solution rather than a network solution.