Upload
fredy-mendoza-ortiz
View
235
Download
0
Embed Size (px)
Citation preview
7/31/2019 Vra
1/7
[Application]
Internet Access with NAT device 1/3
Objective:
Every PC at all subnets (or allowed subnets) can access the Internet via oneInternet Gateway (NAT device) with ADSL/CableModem line or via one ProxyServer.
Principle:
With default route settings on DGS-3324R, the packets with destination to
the Internet will be routed to NAT device, and then to the Internet. Thereturned packet will based on NAT devices routing table (either static route orRIP learned) to route back to the associated network.
Servers192.168.4.x/24
Gw192.168.4.254
Internet
Internet Gateway192.168.1.1
192.168.3.x/24
Gw192.168.3.254
192.168.2.x/24
Gw192.168.2.254
192.168.1.x/24
Gw192.168.1.254
Net1 Net2 Net3 Net4
.254 .254.254 .254
DGS-3324SR
Broadband AccessxDSL, CableModem, ETTH
7/31/2019 Vra
2/7
At DGS-3324SR:
1. Create IP Networks referring to previous BasicIPRoute setup example.
2. Create the default route so that Internet IP will be routed to Internet Gatewaycreate iproute default 192.168.1.1
3. If Internet Gateway supports RIP, enable the RIP at DGS-3324SR at sameinterfaceconfig rip ipif all tx_mode v2_only rx_mode v2_only state enable
enable rip
At Internet Gateway (NAT Device) or Proxy Server:
1. If supporting RIP, enable the RIP at LAN interface.2. If not supporting RIP, add the Static Route for the networks (eg, Net2 and
Net3, but not Net4) allowed to the Internet.192.168.2.0 mask 255.255.255.0 192.168.1.254
192.168.3.0 mask 255.255.255.0 192.168.1.254
(net4 is not allowed, therefore, not adding static route entry for net4)
At Client PC1. DNS = ISPs DNS address
TEST:
Net2 PC can access the Internet via Internet Gateway.Net3 PC can access the Internet via Internet Gateway. Etc.
[Application]
Internet Access with NAT device 2/3
7/31/2019 Vra
3/7
Trouble shooting
Symptom:
Net1, Net2, Net3, and Net4 can ping each other, but only Net1can access the Internet. What are the possible causes?
[Application]
Internet Access with NAT device 3/3
7/31/2019 Vra
4/7
[Application]
Shared Server Application 1/3
Shared Servers (Mail Server, data server, Internet Access servers) can beaccess by all user groups, but the access between groups are not allowed
(for the performance or security consideration)L2 solution: 802.1q Asymmetric VLAN or Traffic Segmentation
L3 solution: L3 switch + ACL to limit the access between group.
L3 Switch
Servers
V2 V3 V4
7/31/2019 Vra
5/7
Objective:Only Net4 (192.168.4.x) Servers can be accessed by Net2, Net3, Net4.Net2, Net3, Net4 cannot access each other
192.168.3.x/24
Gw192.168.3.254
192.168.2.x/24
Gw192.168.2.254
Servers192.168.4.x/24
Gw192.168.4.254
192.168.1.x/24
Gw192.168.1.254
Net1 Net2 Net3 Net4
.254 .254.254 .254
DGS-3324SR
[Application]
Shared Server Application 2/3
7/31/2019 Vra
6/7
# create access_profile rule
# permit only 192.168.4.x to be accessed by other subnet
create access_profile ip destination_ip_mask 255.255.255.0 profile_id
config access_profile profile_id 1 add access_id 1 ip destination_ip 192.168.4.0 port 1:1 permit
config access_profile profile_id 1 add access_id 2 ip destination_ip 192.168.4.0 port 1:7 permit
config access_profile profile_id 1 add access_id 3 ip destination_ip 192.168.4.0 port 1:13 permit
config access_profile profile_id 1 add access_id 4 ip destination_ip 192.168.4.0 port 1:19 permit
# permit 192.168.1.x and 192.168.2.x, 192.168.3.x can access themselves.
create access_profile ip source_ip_mask 255.255.255.0 destination_ip_mask 255.255.255.0 profile_id 2
config access_profile profile_id 2 add access_id 1 ip source_ip 192.168.1.0 destination_ip 192.168.1.0 port 1:1 permit
config access_profile profile_id 2 add access_id 2 ip source_ip 192.168.2.0 destination_ip 192.168.2.0 port 1:7 permit
config access_profile profile_id 2 add access_id 3 ip source_ip 192.168.3.0 destination_ip 192.168.3.0 port 1:13 permit
config access_profile profile_id 2 add access_id 4 ip source_ip 192.168.4.0 destination_ip 192.168.4.0 port 1:19 permit
#### other nets added here
# deny others.
create access_profile ip source_ip_mask 0.0.0.0 profile_id 3
config access_profile profile_id 3 add access_id 1 ip source_ip 0.0.0.0 port 1:1 deny
config access_profile profile_id 3 add access_id 2 ip source_ip 0.0.0.0 port 1:7 deny
config access_profile profile_id 3 add access_id 3 ip source_ip 0.0.0.0 port 1:13 denyconfig access_profile profile_id 3 add access_id 4 ip source_ip 0.0.0.0 port 1:19 deny
Rules:1. If Dest. IP=192.168.4.x, permit
2. If Src. IP=192.168.4.x, permit
3. If DestIP=192.168.1.x and destIP=192.168.1.x, permit
4. If DestIP=192.168.2.x and SrcIP=192.168.2.x, permit
5. If DestIP=192.168.3.x and SrcIP=192.168.3.x, permit
6. Deny Others
[Application]
Shared Server Application 3/3
[Application]
Shared Server Application 3/3
[Application]
Shared Server Application 3/3
7/31/2019 Vra
7/7
Test:1. Net1 (192.168.2.x), Net2, Net3 PCs can Ping Net4 PC (192.168.4.x).
2. Net1, Net2, Net3 PCs cannot ping each other.
[Application]
Shared Server Application 4/4