TRANSCRIPT
2008 NetDefend Firewall Series Technical Training
Firewall Fundamental - Part 2
©Copyright 2008. All rights reserved
Hands-On
1. Publish a web server located on the LAN side
2. WAN Load Sharing
3. IPsec Hub and Spoke
Hands-On 1
• Publish a web server located on the LAN side
From the DFL-1600 LAN, users can reach both the DFL-210 and the DFL-860 web servers using the public IPs 202.3.1.2 and 202.2.1.2
The LAN users behind each DFL can also reach their own web server using their own public IP (the hairpin case worked through below)
Hands-On 1
• Set the WAN IP, WAN subnet and WAN gateway, and create one address object for the web server
Hands-On 1
• Add a SAT (Static Address Translation) rule that rewrites the public IP, port 80, to the web server address
Hands-On 1
• Add an Allow rule (a SAT rule only translates; a second matching rule is still needed to pass the traffic)
Hands-On 1
• Add a NAT rule for the LAN traffic (LAN_to_WAN)
Hands-On 1
• Enable logging on each rule, for troubleshooting purposes
Hands-On 1
• Review all IP rules
Why must the LAN_to_WAN (NAT) rule be placed between the SAT rule and the Allow rule?
Hands-On 1
Topology: PC 1 = 192.168.1.100, firewall LAN IP = 192.168.1.1, firewall WAN IP = 202.1.1.2, web server = 192.168.1.50

Case 1: SAT and Allow only (no NAT applied to the LAN-side flow)
PC 1 opens the web server using the public IP 202.1.1.2: 192.168.1.100:1050 -> 202.1.1.2:80
The firewall translates the destination (SAT): 192.168.1.100:1050 -> 192.168.1.50:80
The web server replies directly to PC 1, because both are on the same LAN and the firewall is not in the return path: 192.168.1.50:80 -> 192.168.1.100:1050
The reply is useless: PC 1 expects it to come from 202.1.1.2, not from 192.168.1.50, so the packet does not match the open connection and is discarded

Case 2: SAT, then NAT on the LAN-side flow, then Allow
PC 1 opens the web server using the public IP 202.1.1.2: 192.168.1.100:1050 -> 202.1.1.2:80
The firewall translates the destination (SAT) and also the source (NAT): 192.168.1.1:35879 -> 192.168.1.50:80
The web server replies to the firewall first: 192.168.1.50:80 -> 192.168.1.1:35879
The firewall restores both translations and sends the packet back to PC 1: 202.1.1.2:80 -> 192.168.1.100:1050
The reply arrives at PC 1 as expected

Rules are matched top-down, so if the LAN_to_WAN NAT rule sits below the Allow rule, LAN traffic hits Allow first and is forwarded without source translation, which is case 1
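The two cases above, simulated as an added example (this is not code from the D-Link training deck or from NetDefendOS). The addresses and ports are the ones on the slides; the flow-table and delivery logic is a simplified assumption made to show why the reply is dropped when the source is not translated.

```python
"""Packet walk for the SAT + NAT hairpin case in Hands-On 1.

Added example, not code from the D-Link deck or NetDefendOS. It models a LAN
client opening the web server's public address with only a SAT rule applied,
and the same flow with the LAN_to_WAN NAT rule applied as well. Addresses and
ports are the slide values; the flow table is a simplified assumption.
"""
import ipaddress
from dataclasses import dataclass, replace

# Topology from the slide (constructed sample values).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
PC1 = "192.168.1.100"
FW_LAN = "192.168.1.1"
FW_WAN = "202.1.1.2"
WEB = "192.168.1.50"
NAT_PORT = 35879  # port the firewall uses for the NATed flow (slide value)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Packet":
        """The packet a host would send in reply to this one."""
        return Packet(self.dst, self.dport, self.src, self.sport)


def firewall_forward(pkt: Packet, nat_lan_traffic: bool):
    """Apply the SAT rule (dst 202.1.1.2:80 -> 192.168.1.50:80) and, if the
    LAN_to_WAN NAT rule is in effect for this flow, also rewrite the source.
    Returns the translated packet and the state entry kept for the reply."""
    if (pkt.dst, pkt.dport) != (FW_WAN, 80):
        raise ValueError("no SAT rule matches this packet")
    translated = replace(pkt, dst=WEB)
    if nat_lan_traffic:
        translated = replace(translated, src=FW_LAN, sport=NAT_PORT)
    return translated, {"orig": pkt, "xlated": translated}


def next_hop(pkt: Packet) -> str:
    """Where the web server sends a packet: to the firewall if the destination
    is the firewall itself or off-LAN, otherwise directly over the LAN."""
    if pkt.dst == FW_LAN or ipaddress.ip_address(pkt.dst) not in LAN_NET:
        return "firewall"
    return "direct"


def firewall_reverse(reply: Packet, state: dict) -> Packet:
    """Match the reply against the translated flow and undo both translations."""
    if reply != state["xlated"].reverse():
        raise ValueError("reply does not match any state entry")
    return state["orig"].reverse()


def client_accepts(delivered: Packet, request: Packet) -> bool:
    """The client only accepts a reply whose 4-tuple mirrors its own request."""
    return delivered == request.reverse()


def run(nat_lan_traffic: bool):
    """Walk the flow; return (accepted by PC 1, packet PC 1 actually received)."""
    request = Packet(PC1, 1050, FW_WAN, 80)
    forwarded, state = firewall_forward(request, nat_lan_traffic)
    reply = forwarded.reverse()            # the web server answers what it saw
    if next_hop(reply) == "direct":
        delivered = reply                  # bypasses the firewall, untranslated
    else:
        delivered = firewall_reverse(reply, state)
    return client_accepts(delivered, request), delivered


if __name__ == "__main__":
    for nat in (False, True):
        ok, pkt = run(nat)
        print(f"NAT on LAN flow={nat}: reply {pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport}, accepted={ok}")
```

Running the script prints the reply PC 1 receives in each case: without source NAT it comes from 192.168.1.50 and is rejected, with source NAT it comes from 202.1.1.2 and is accepted. The same model explains why a DMZ web server on a separate interface does not need the NAT rule: its reply must transit the firewall anyway, so `next_hop` would return "firewall" in both cases.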
Hands-On 2
• WAN Load Sharing
HTTP traffic goes through WAN 1
Telnet traffic goes through WAN 2
Hands-On 2
• Create objects (IP, subnet and gateway) for both WAN interfaces
Hands-On 2
• Make sure no default gateway is set on either WAN interface; the default routes are added by hand with explicit metrics in the next steps
Hands-On 2
• Add a route for WAN1 in the main routing table with metric 10
Hands-On 2
• Add another routing table
• In it, add a route for WAN2 with metric 0
Hands-On 2
• Add a routing rule that sends Telnet traffic to the new routing table (all other traffic keeps using the main table, i.e. WAN1)
Hands-On 2
• Add IP rules as shown below:
• Enable logging on each rule, for troubleshooting purposes
Hands-On 2
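The lookup that the steps above configure, as an added example (not code from the D-Link deck or NetDefendOS): a routing rule picks the routing table by service, then the chosen table is searched by longest prefix with the lowest metric winning ties. The table name "wan2", the gateway addresses 202.1.1.1 and 202.2.1.1, the LAN and connected routes, and the fallback to the main table are assumptions made for illustration; the metrics 10 and 0 are the slide values.

```python
"""Policy-based routing lookup for Hands-On 2.

Added example, not code from the D-Link deck or NetDefendOS. A routing rule
selects a routing table by service; the selected table is searched by longest
prefix, lowest metric breaking ties. Table name "wan2", gateways, connected
routes and the fallback to "main" are assumptions; metrics are slide values.
"""
import ipaddress
from typing import Optional, Tuple

# (destination, interface, gateway or None for connected, metric)
Route = Tuple[str, str, Optional[str], int]

# Constructed sample tables mirroring the hands-on.
ROUTING_TABLES = {
    "main": [
        ("192.168.1.0/24", "lan", None, 0),
        ("202.1.1.0/24", "wan1", None, 0),
        ("0.0.0.0/0", "wan1", "202.1.1.1", 10),   # "route for WAN1, metric 10"
    ],
    "wan2": [
        ("192.168.1.0/24", "lan", None, 0),
        ("202.2.1.0/24", "wan2", None, 0),
        ("0.0.0.0/0", "wan2", "202.2.1.1", 0),    # "route for WAN2, metric 0"
    ],
}

# Routing rules: (protocol, destination port, table). First match wins.
ROUTING_RULES = [
    ("tcp", 23, "wan2"),   # Telnet -> alternate table, i.e. out via WAN2
]


def select_table(proto: str, dport: int) -> str:
    """Routing-rule stage: pick the table for this service, default main."""
    for rule_proto, rule_port, table in ROUTING_RULES:
        if (rule_proto, rule_port) == (proto, dport):
            return table
    return "main"


def lookup(table: str, dst: str) -> Optional[Tuple[str, Optional[str]]]:
    """Longest-prefix match within one table; lowest metric breaks ties.
    Returns (interface, gateway) or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, iface, gw, metric in ROUTING_TABLES[table]:
        net = ipaddress.ip_network(dest)
        if addr not in net:
            continue
        key = (net.prefixlen, -metric)      # longer prefix, then lower metric
        if best is None or key > best[0]:
            best = (key, (iface, gw))
    return best[1] if best else None


def route(proto: str, dport: int, dst: str):
    """Full decision: which table was chosen and the (interface, gateway) used.
    Falling back to main when the alternate table has no route is an
    assumption of this model."""
    table = select_table(proto, dport)
    result = lookup(table, dst)
    if result is None and table != "main":
        result = lookup("main", dst)
    return table, result


if __name__ == "__main__":
    for proto, port, dst in (("tcp", 80, "198.51.100.7"), ("tcp", 23, "198.51.100.7"),
                             ("tcp", 23, "192.168.1.50")):
        print(proto, port, dst, "->", route(proto, port, dst))
```

The third sample call shows why the LAN route must also exist in the alternate table: Telnet to a LAN host is still steered into the "wan2" table by the routing rule, and without a LAN entry there it would leave through the default route instead of the LAN interface.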
Hands-On 3
• IPsec Hub and Spoke
Hands-On 3
• Spoke Surabaya
Local Net : 192.168.2.0/24
Remote Net : 192.168.0.0/24 (Hub Jakarta) and 192.168.1.0/24 (Spoke Bandung)
Remote Gateway : 202.1.1.2 (Hub Jakarta WAN)
Create address book objects like those below:
Hands-On 3
• Create an authentication object holding the pre-shared key, for example: 1234567890 (a lab value only; in production use a long random key exchanged out of band)
Hands-On 3
• Add a default gateway to the WAN interface
Hands-On 3
• Create the IPsec tunnel to the Jakarta hub; it carries traffic for both Jakarta and Bandung (remote gateway 202.1.1.2)
Hands-On 3
• Create an interface group like the one below:
Hands-On 3
• Create the IP rule for the tunnel and put it at the top of the rule set:
Hands-On 3
• Spoke Bandung
Local Net : 192.168.1.0/24
Remote Net : 192.168.0.0/24 (Hub Jakarta) and 192.168.2.0/24 (Spoke Surabaya)
Remote Gateway : 202.1.1.2 (Hub Jakarta WAN)
Create address book objects like those below:
Hands-On 3
• Create an authentication object holding the pre-shared key, for example: 1234567890 (a lab value only; in production use a long random key exchanged out of band)
Hands-On 3
• Add a default gateway to the WAN 1 interface
Hands-On 3
• Create the IPsec tunnel to the Jakarta hub; it carries traffic for both Jakarta and Surabaya (remote gateway 202.1.1.2)
Hands-On 3
• Create an interface group like the one below:
Hands-On 3
• Create the IP rule for the tunnel and put it at the top of the rule set:
Hands-On 3
• Hub Jakarta
Tunnel JKT-SBY
Local Net : 192.168.1.0/24 (Spoke Bandung) and 192.168.0.0/24 (Hub Jakarta)
Remote Net : 192.168.2.0/24 (Spoke Surabaya)
Remote Gateway : 202.3.1.2 (Spoke Surabaya WAN)
Tunnel JKT-BDG
Local Net : 192.168.2.0/24 (Spoke Surabaya) and 192.168.0.0/24 (Hub Jakarta)
Remote Net : 192.168.1.0/24 (Spoke Bandung)
Remote Gateway : 202.2.1.2 (Spoke Bandung WAN)
Hands-On 3
• Create address book objects like those below:
Hands-On 3
• Create an authentication object holding the pre-shared key, for example: 1234567890 (a lab value only; in production use a long random key exchanged out of band, and a different key per spoke)
Hands-On 3
• Add a default gateway to the WAN 1 interface
Hands-On 3
• Create the IPsec tunnel to Surabaya (JKT-SBY); its local networks include Bandung's so that spoke-to-spoke traffic can transit the hub
Hands-On 3
• Create the IPsec tunnel to Bandung (JKT-BDG); its local networks include Surabaya's for the same reason
Hands-On 3
• Create an interface group like the one below:
Hands-On 3
• Create the IP rule for the tunnels and put it at the top of the rule set:
Hands-On 3
• Check the main routing table and the IPsec status at the hub:
Tunnel to Surabaya
Tunnel to Bandung
Hands-On 3
• Check the main routing table and the IPsec status at spoke Bandung:
Tunnel to Jakarta and Surabaya
Hands-On 3
• Check the main routing table and the IPsec status at spoke Surabaya:
Tunnel to Jakarta and Bandung
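A consistency check for the selectors configured in Hands-On 3, as an added example (not code from the D-Link deck or NetDefendOS). Each tunnel is described by its local networks, remote networks and remote gateway exactly as on the slides; the check confirms that every spoke tunnel mirrors the hub's definition (local and remote swapped) and that a Surabaya-to-Bandung packet matches into one hub tunnel and back out through the other. The tunnel labels and the sample host addresses are constructed for illustration.

```python
"""Selector consistency check for the Hands-On 3 hub-and-spoke IPsec design.

Added example, not code from the D-Link deck or NetDefendOS. Tunnel
definitions are the slide values; labels and sample hosts are constructed.
"""
import ipaddress
from typing import Optional, Tuple

net = ipaddress.ip_network
JKT, BDG, SBY = net("192.168.0.0/24"), net("192.168.1.0/24"), net("192.168.2.0/24")
HUB_WAN, BDG_WAN, SBY_WAN = "202.1.1.2", "202.2.1.2", "202.3.1.2"

# Tunnel definitions from the slides, keyed "<device>:<name>".
TUNNELS = {
    "hub:JKT-SBY": {"local": {JKT, BDG}, "remote": {SBY}, "gateway": SBY_WAN},
    "hub:JKT-BDG": {"local": {JKT, SBY}, "remote": {BDG}, "gateway": BDG_WAN},
    "sby:to-JKT":  {"local": {SBY}, "remote": {JKT, BDG}, "gateway": HUB_WAN},
    "bdg:to-JKT":  {"local": {BDG}, "remote": {JKT, SBY}, "gateway": HUB_WAN},
}


def mirrors(a: str, b: str) -> bool:
    """The two ends of a tunnel must define exactly swapped local/remote
    networks, otherwise the IPsec SA for the mismatched subnet never comes up."""
    ta, tb = TUNNELS[a], TUNNELS[b]
    return ta["local"] == tb["remote"] and ta["remote"] == tb["local"]


def _in(nets, addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in n for n in nets)


def select_tunnel(device: str, src: str, dst: str) -> Optional[str]:
    """Outbound selector match on one device: src in local, dst in remote."""
    for name, t in TUNNELS.items():
        if name.startswith(device + ":") and _in(t["local"], src) and _in(t["remote"], dst):
            return name
    return None


def hub_path(src: str, dst: str) -> Tuple[Optional[str], Optional[str]]:
    """For a packet arriving at the hub over IPsec: the tunnel it is accepted
    from (src in remote, dst in local) and the tunnel it leaves through."""
    inbound = None
    for name, t in TUNNELS.items():
        if name.startswith("hub:") and _in(t["remote"], src) and _in(t["local"], dst):
            inbound = name
            break
    return inbound, select_tunnel("hub", src, dst)


def spoke_to_spoke_ok(src: str, dst: str, src_spoke: str, dst_spoke: str) -> bool:
    """End to end: the source spoke selects its tunnel, the hub accepts the
    packet on one tunnel and re-encrypts it on the other, and the destination
    spoke has a selector for the reply."""
    if select_tunnel(src_spoke, src, dst) is None:
        return False
    inbound, outbound = hub_path(src, dst)
    if inbound is None or outbound is None or inbound == outbound:
        return False
    return select_tunnel(dst_spoke, dst, src) is not None


if __name__ == "__main__":
    print("JKT-SBY mirrored:", mirrors("hub:JKT-SBY", "sby:to-JKT"))
    print("JKT-BDG mirrored:", mirrors("hub:JKT-BDG", "bdg:to-JKT"))
    print("SBY -> BDG at hub:", hub_path("192.168.2.10", "192.168.1.20"))
    print("SBY -> BDG end to end:", spoke_to_spoke_ok("192.168.2.10", "192.168.1.20", "sby", "bdg"))
```

If Bandung's network were left out of the hub's JKT-SBY local networks, `hub_path` would return no inbound tunnel for Surabaya-to-Bandung traffic and `spoke_to_spoke_ok` would be false, which matches what the routing table and IPsec status checks above would show on the spokes: the tunnel is up, but only the hub's own network is reachable.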
Questions & Answers
THANK YOU
D-Link Call Center : 021-5731610
D-Link Support Email : [email protected]
D-Link Support Website : http://support.dlink.co.id