7/31/2019 Vra

1/7

[Application]

Internet Access with NAT device 1/3

Objective:

Every PC at all subnets (or allowed subnets) can access the Internet via oneInternet Gateway (NAT device) with ADSL/CableModem line or via one ProxyServer.

Principle:

With default route settings on DGS-3324R, the packets with destination to

the Internet will be routed to NAT device, and then to the Internet. Thereturned packet will based on NAT devices routing table (either static route orRIP learned) to route back to the associated network.

Servers192.168.4.x/24

Gw192.168.4.254

Internet

Internet Gateway192.168.1.1

192.168.3.x/24

Gw192.168.3.254

192.168.2.x/24

Gw192.168.2.254

192.168.1.x/24

Gw192.168.1.254

Net1 Net2 Net3 Net4

.254 .254.254 .254

DGS-3324SR

Broadband AccessxDSL, CableModem, ETTH

7/31/2019 Vra

2/7

At DGS-3324SR:

1. Create IP Networks referring to previous BasicIPRoute setup example.

2. Create the default route so that Internet IP will be routed to Internet Gatewaycreate iproute default 192.168.1.1

3. If Internet Gateway supports RIP, enable the RIP at DGS-3324SR at sameinterfaceconfig rip ipif all tx_mode v2_only rx_mode v2_only state enable

enable rip

At Internet Gateway (NAT Device) or Proxy Server:

1. If supporting RIP, enable the RIP at LAN interface.2. If not supporting RIP, add the Static Route for the networks (eg, Net2 and

Net3, but not Net4) allowed to the Internet.192.168.2.0 mask 255.255.255.0 192.168.1.254

192.168.3.0 mask 255.255.255.0 192.168.1.254

(net4 is not allowed, therefore, not adding static route entry for net4)

At Client PC1. DNS = ISPs DNS address

TEST:

Net2 PC can access the Internet via Internet Gateway.Net3 PC can access the Internet via Internet Gateway. Etc.

[Application]

Internet Access with NAT device 2/3

7/31/2019 Vra

3/7

Trouble shooting

Symptom:

Net1, Net2, Net3, and Net4 can ping each other, but only Net1can access the Internet. What are the possible causes?

[Application]

Internet Access with NAT device 3/3

7/31/2019 Vra

4/7

[Application]

Shared Server Application 1/3

Shared Servers (Mail Server, data server, Internet Access servers) can beaccess by all user groups, but the access between groups are not allowed

(for the performance or security consideration)L2 solution: 802.1q Asymmetric VLAN or Traffic Segmentation

L3 solution: L3 switch + ACL to limit the access between group.

L3 Switch

Servers

V2 V3 V4

7/31/2019 Vra

5/7

Objective:Only Net4 (192.168.4.x) Servers can be accessed by Net2, Net3, Net4.Net2, Net3, Net4 cannot access each other

192.168.3.x/24

Gw192.168.3.254

192.168.2.x/24

Gw192.168.2.254

Servers192.168.4.x/24

Gw192.168.4.254

192.168.1.x/24

Gw192.168.1.254

Net1 Net2 Net3 Net4

.254 .254.254 .254

DGS-3324SR

[Application]

Shared Server Application 2/3

7/31/2019 Vra

6/7

# create access_profile rule

# permit only 192.168.4.x to be accessed by other subnet

create access_profile ip destination_ip_mask 255.255.255.0 profile_id

config access_profile profile_id 1 add access_id 1 ip destination_ip 192.168.4.0 port 1:1 permit

config access_profile profile_id 1 add access_id 2 ip destination_ip 192.168.4.0 port 1:7 permit

config access_profile profile_id 1 add access_id 3 ip destination_ip 192.168.4.0 port 1:13 permit

config access_profile profile_id 1 add access_id 4 ip destination_ip 192.168.4.0 port 1:19 permit

# permit 192.168.1.x and 192.168.2.x, 192.168.3.x can access themselves.

create access_profile ip source_ip_mask 255.255.255.0 destination_ip_mask 255.255.255.0 profile_id 2

config access_profile profile_id 2 add access_id 1 ip source_ip 192.168.1.0 destination_ip 192.168.1.0 port 1:1 permit

config access_profile profile_id 2 add access_id 2 ip source_ip 192.168.2.0 destination_ip 192.168.2.0 port 1:7 permit

config access_profile profile_id 2 add access_id 3 ip source_ip 192.168.3.0 destination_ip 192.168.3.0 port 1:13 permit

config access_profile profile_id 2 add access_id 4 ip source_ip 192.168.4.0 destination_ip 192.168.4.0 port 1:19 permit

#### other nets added here

# deny others.

create access_profile ip source_ip_mask 0.0.0.0 profile_id 3

config access_profile profile_id 3 add access_id 1 ip source_ip 0.0.0.0 port 1:1 deny

config access_profile profile_id 3 add access_id 2 ip source_ip 0.0.0.0 port 1:7 deny

config access_profile profile_id 3 add access_id 3 ip source_ip 0.0.0.0 port 1:13 denyconfig access_profile profile_id 3 add access_id 4 ip source_ip 0.0.0.0 port 1:19 deny

Rules:1. If Dest. IP=192.168.4.x, permit

2. If Src. IP=192.168.4.x, permit

3. If DestIP=192.168.1.x and destIP=192.168.1.x, permit

4. If DestIP=192.168.2.x and SrcIP=192.168.2.x, permit

5. If DestIP=192.168.3.x and SrcIP=192.168.3.x, permit

6. Deny Others

[Application]

Shared Server Application 3/3

[Application]

Shared Server Application 3/3

[Application]

Shared Server Application 3/3

7/31/2019 Vra

7/7

Test:1. Net1 (192.168.2.x), Net2, Net3 PCs can Ping Net4 PC (192.168.4.x).

2. Net1, Net2, Net3 PCs cannot ping each other.

[Application]

Shared Server Application 4/4