2008 NetDefend Firewall Series Technical Training Firewall Fundamental - Part 2 ©Copyright 2008....

Date post: 16-Dec-2015
Upload: eugenia-riley
Page 1: 2008 NetDefend Firewall Series Technical Training Firewall Fundamental - Part 2 ©Copyright 2008. All rights reserved.

2008 NetDefend Firewall Series Technical Training
Firewall Fundamental - Part 2

©Copyright 2008. All rights reserved

Hands-On

1. Publish a web server located on the LAN side

2. WAN Load Sharing

3. IPsec Hub and Spoke

Hands-On 1

• Publish a web server located on the LAN side

Users on the DFL-1600 LAN can access both the DFL-210 and DFL-860 web servers using the public IPs 202.3.1.2 and 202.2.1.2

The LAN users of each DFL can access their own web server using their own public IP

• Set the WAN IP, WAN subnet and WAN gateway, and assign one object for the web server

• Add a SAT rule

• Add an Allow rule

• Add a NAT rule for LAN traffic

• Enable logging for each rule, for troubleshooting purposes

• Review all IP rules

Why must we put the LAN_to_WAN rule between the SAT and Allow rules?

PC 1 : 192.168.1.100
LAN IP : 192.168.1.1
WAN IP : 202.1.1.2
Web Server : 192.168.1.50

With the SAT rule only:

PC 1 opens the web server using the public IP 202.1.1.2
192.168.1.100:1050 -> 202.1.1.2:80

The firewall translates the destination to 192.168.1.50
192.168.1.100:1050 -> 192.168.1.50:80

The web server replies directly to PC 1
192.168.1.50:80 -> 192.168.1.100:1050

The reply packet will never arrive, because PC 1 expects the reply packet to come from 202.1.1.2 and not from 192.168.1.50

With the SAT rule and the NAT rule:

PC 1 opens the web server using the public IP 202.1.1.2
192.168.1.100:1050 -> 202.1.1.2:80

The firewall translates the destination and also performs NAT
192.168.1.1:35879 -> 192.168.1.50:80

The web server replies to the firewall first
192.168.1.50:80 -> 192.168.1.1:35879

The packet is sent back to PC 1 with both address translations restored
202.1.1.2:80 -> 192.168.1.100:1050

The reply packet will arrive at PC 1 as expected
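
The two packet flows above and the rule-order question, as an added example that is not part of the original training slides. It is a simplified Python model, not NetDefend code: it assumes the SAT rule only rewrites the destination while the first matching NAT or Allow rule decides the flow, and the rule labels and function names are hypothetical.

```python
from dataclasses import dataclass, replace

# Addresses and ports are the ones used on the slide.
PC1, FW_LAN, FW_WAN, WEB = "192.168.1.100", "192.168.1.1", "202.1.1.2", "192.168.1.50"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def firewall_forward(pkt, rules):
    """Assumed model: SAT rewrites the destination and evaluation continues;
    the first NAT or Allow rule matching the original packet decides the flow."""
    out = pkt
    to_public_web = pkt.dst == FW_WAN and pkt.dport == 80
    for rule in rules:
        if rule == "SAT" and to_public_web:
            out = replace(out, dst=WEB)
        elif rule == "NAT_LAN" and pkt.src.startswith("192.168.1."):
            return replace(out, src=FW_LAN, sport=35879)  # source NAT to the firewall LAN IP
        elif rule == "ALLOW" and to_public_web:
            return out                                     # forwarded with the source unchanged
    return None                                            # no deciding rule matched: dropped

def round_trip(rules):
    """Return (reply packet as seen by PC 1, whether PC 1 accepts it)."""
    request = Packet(PC1, 1050, FW_WAN, 80)
    fwd = firewall_forward(request, rules)
    if fwd is None or fwd.dst != WEB:
        return None, False
    reply = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport)  # server answers the source it saw
    if reply.dst == FW_LAN:
        # The reply returns through the firewall, which restores both translations.
        reply = Packet(request.dst, request.dport, request.src, request.sport)
    # Otherwise the reply crosses the LAN directly and never passes the firewall.
    accepted = (reply.src, reply.sport) == (request.dst, request.dport)
    return reply, accepted

if __name__ == "__main__":
    for order in (["SAT", "NAT_LAN", "ALLOW"], ["SAT", "ALLOW", "NAT_LAN"]):
        print(order, round_trip(order))
```

With the Allow rule ahead of the NAT rule, LAN traffic is forwarded without source NAT, which is the failing flow shown first on the slide.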

Hands-On 2

• WAN Load Sharing

HTTP traffic goes through WAN 1

Telnet traffic goes through WAN 2

• Create objects (IP, subnet and gateway) for both WANs

• Make sure there is no default gateway on either WAN interface

• Add a route for WAN 1 with metric 10

• Add another routing table

• Add a route for WAN 2 with metric 0

• Add a routing rule for Telnet traffic

• Add IP rules as shown below:

• Enable logging for each rule, for troubleshooting purposes

Hands-On 3

• IPsec Hub and Spoke

• Spoke Surabaya

Local Net : 192.168.2.0/24

Remote Net : 192.168.0.0/24 (Hub Jakarta) and 192.168.1.0/24 (Spoke Bandung)

Remote Gateway : 202.1.1.2 (Hub Jakarta WAN)

• Create the Address Book as shown below:

• Create an Authentication Object, for example: 1234567890

• Add a default gateway to the WAN interface

• Create the IPsec tunnel to Jakarta / Bandung

• Create an Interface Group as shown below:

• Create an IP rule for the tunnel and put it at the top:

• Spoke Bandung

Local Net : 192.168.1.0/24

Remote Net : 192.168.0.0/24 (Hub Jakarta) and 192.168.2.0/24 (Spoke Surabaya)

Remote Gateway : 202.1.1.2 (Hub Jakarta WAN)

• Create the Address Book as shown below:

• Create an Authentication Object, for example: 1234567890

• Add a default gateway to the WAN 1 interface

• Create the IPsec tunnel to Jakarta / Surabaya

• Create an Interface Group as shown below:

• Create an IP rule for the tunnel and put it at the top:

• Hub Jakarta

Tunnel JKT-SBY

Local Net : 192.168.1.0/24 (Spoke Bandung) and 192.168.0.0/24 (Hub Jakarta)

Remote Net : 192.168.2.0/24 (Spoke Surabaya)

Remote Gateway : 202.3.1.2 (Spoke Surabaya WAN)

Tunnel JKT-BDG

Local Net : 192.168.2.0/24 (Spoke Surabaya) and 192.168.0.0/24 (Hub Jakarta)

Remote Net : 192.168.1.0/24 (Spoke Bandung)

Remote Gateway : 202.2.1.2 (Spoke Bandung WAN)

• Create the Address Book as shown below:

• Create an Authentication Object, for example: 1234567890

• Add a default gateway to the WAN 1 interface

• Create the IPsec tunnel to Surabaya

• Create the IPsec tunnel to Bandung

• Create an Interface Group as shown below:

• Create an IP rule for the tunnel and put it at the top:

• Check the Main Routing Table and IPsec status at the Hub:

Tunnel to Surabaya

Tunnel to Bandung

• Check the Main Routing Table and IPsec status at Spoke Bandung:

Tunnel to Jakarta and Surabaya

• Check the Main Routing Table and IPsec status at Spoke Surabaya:

Tunnel to Jakarta and Bandung
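
A consistency check for the Local Net / Remote Net values configured in Hands-On 3, as an added example that is not part of the original training slides. It verifies that each hub tunnel mirrors its spoke (the hub's local nets are the spoke's remote nets and vice versa), which is what lets spoke-to-spoke traffic pass through the hub; the networks are the ones on the slides, while the dictionary layout and function names are hypothetical.

```python
from ipaddress import ip_network

# Selectors transcribed from the slides; the layout is this example's own.
HUB = {
    "Surabaya": {"local": ["192.168.1.0/24", "192.168.0.0/24"], "remote": ["192.168.2.0/24"]},
    "Bandung":  {"local": ["192.168.2.0/24", "192.168.0.0/24"], "remote": ["192.168.1.0/24"]},
}
SPOKES = {
    "Surabaya": {"local": ["192.168.2.0/24"], "remote": ["192.168.0.0/24", "192.168.1.0/24"]},
    "Bandung":  {"local": ["192.168.1.0/24"], "remote": ["192.168.0.0/24", "192.168.2.0/24"]},
}

def nets(cidrs):
    """Parse CIDR strings into a set of network objects (order-independent)."""
    return {ip_network(c) for c in cidrs}

def check_tunnel(hub_end, spoke_end):
    """Return a list of problems for one hub<->spoke tunnel (empty list = consistent)."""
    problems = []
    if nets(hub_end["local"]) != nets(spoke_end["remote"]):
        problems.append("hub local nets do not mirror spoke remote nets")
    if nets(hub_end["remote"]) != nets(spoke_end["local"]):
        problems.append("hub remote nets do not mirror spoke local nets")
    # A network on both sides of the same tunnel end makes routing ambiguous.
    for end_name, end in (("hub", hub_end), ("spoke", spoke_end)):
        for local in nets(end["local"]):
            for remote in nets(end["remote"]):
                if local.overlaps(remote):
                    problems.append(f"{end_name}: local {local} overlaps remote {remote}")
    return problems

def check_all(hub, spokes):
    """Check every spoke against the hub tunnel of the same name."""
    return {name: check_tunnel(hub[name], spokes[name]) for name in spokes}

if __name__ == "__main__":
    for name, problems in check_all(HUB, SPOKES).items():
        print(name, "OK" if not problems else problems)
```

If the hub's JKT-SBY tunnel omitted 192.168.1.0/24 from its local nets, the check would flag it: Bandung traffic would no longer match the tunnel toward Surabaya.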

Questions & Answers

THANK YOU

D-Link Call Center : 021-5731610

D-Link Support Email : [email protected]

D-Link Support Website : http://support.dlink.co.id

