2008 NetDefend Firewall Series Technical Training
Firewall Fundamental - Part 2
©Copyright 2008. All rights reserved
Hands-On
1. Publish a web server located on the LAN side
2. WAN Load Sharing
3. IPsec Hub and Spoke
Hands-On 1
• Publish a web server located on the LAN side
From the DFL-1600, LAN users can access both the DFL-210 and DFL-860 web servers using the public IPs 202.3.1.2 and 202.2.1.2.
LAN users behind each DFL can access their own web server using their own public IP.
• Set the WAN IP, WAN subnet and WAN gateway, and assign one object for the web server
• Add SAT Rule
• Add Allow Rule
• Add a NAT rule for LAN traffic
• Enable logging for each rule, for troubleshooting purposes
• Review all IP rules
Why must we put the LAN_to_WAN rule between SAT and Allow?
PC 1 : 192.168.1.100
LAN IP : 192.168.1.1
WAN IP : 202.1.1.2
Web Server : 192.168.1.50

Without NAT for LAN traffic:
1. PC 1 opens the web server using public IP 202.1.1.2: 192.168.1.100:1050 → 202.1.1.2:80
2. The firewall translates the destination to 192.168.1.50: 192.168.1.100:1050 → 192.168.1.50:80
3. The web server replies directly to PC 1: 192.168.1.50:80 → 192.168.1.100:1050
4. The reply is never accepted by PC 1, because PC 1 expects the reply to come from 202.1.1.2 and not from 192.168.1.50

With NAT for LAN traffic:
1. PC 1 opens the web server using public IP 202.1.1.2: 192.168.1.100:1050 → 202.1.1.2:80
2. The firewall translates the destination and also applies NAT to the source: 192.168.1.1:35879 → 192.168.1.50:80
3. The web server replies to the firewall first: 192.168.1.50:80 → 192.168.1.1:35879
4. The firewall sends the packet back to PC 1 and restores both address translations: 202.1.1.2:80 → 192.168.1.100:1050
5. The reply packet arrives at PC 1 as expected
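The two packet flows above can be replayed in a small simulation. This is an added example, not part of the original training material; the `Firewall` class and function names are hypothetical, while the addresses and ports are the ones on the slide.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

# Addresses from the slide
PC1, FW_LAN, FW_WAN, WEB = "192.168.1.100", "192.168.1.1", "202.1.1.2", "192.168.1.50"

class Firewall:
    """Hypothetical model: SAT rewrites the destination, NAT rewrites the source."""
    def __init__(self, nat_lan_traffic):
        self.nat = nat_lan_traffic
        self.state = {}  # (firewall ip, firewall port) -> original request

    def forward(self, pkt):
        out = pkt._replace(dst=WEB)  # SAT: public IP -> web server
        if self.nat:
            # NAT: hide the client behind the firewall LAN IP (port from the slide)
            out = out._replace(src=FW_LAN, sport=35879)
            self.state[(out.src, out.sport)] = pkt
        return out

    def reverse(self, reply):
        # Restore both translations using the stored request
        orig = self.state[(reply.dst, reply.dport)]
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)

def client_accepts(request, reply):
    # A TCP client only matches a reply whose 4-tuple mirrors its request
    return reply == Packet(request.dst, request.dport, request.src, request.sport)

def hairpin(nat_lan_traffic):
    """Return (reply as seen by PC 1, whether PC 1 accepts it)."""
    fw = Firewall(nat_lan_traffic)
    request = Packet(PC1, 1050, FW_WAN, 80)
    at_server = fw.forward(request)
    # The server answers whatever source address it saw
    reply = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    if reply.dst == FW_LAN:  # reply goes back through the firewall
        reply = fw.reverse(reply)
    return reply, client_accepts(request, reply)

if __name__ == "__main__":
    for nat in (False, True):
        reply, ok = hairpin(nat)
        print(f"NAT={nat}: reply {reply.src}:{reply.sport} -> "
              f"{reply.dst}:{reply.dport} accepted={ok}")
```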
Hands-On 2
• WAN Load Sharing
HTTP traffic goes through WAN 1
Telnet traffic goes through WAN 2
• Create objects (IP, subnet and gateway) for both WANs
• Make sure there is no default gateway on either WAN interface
• Add route for WAN1 with metric 10
• Add another routing table
• Add route for WAN 2 with metric 0
• Add routing rule for telnet traffic
• Add IP rules as shown below:
• Enable logging for each rule, for troubleshooting purposes
Hands-On 3
• IPsec Hub and Spoke
• Spoke Surabaya
Local Net : 192.168.2.0/24
Remote Net : 192.168.0.0/24 (Hub Jakarta) and 192.168.1.0/24 (Spoke Bandung)
Remote Gateway : 202.1.1.2 (Hub Jakarta WAN)
Create the Address Book as shown below:
• Create Authentication Object, for example : 1234567890
• Add default gateway to WAN interface
• Create the IPsec tunnel to Jakarta / Bandung
• Create the Interface Group as shown below:
• Create an IP rule for the tunnel and put it at the top:
• Spoke Bandung
Local Net : 192.168.1.0/24
Remote Net : 192.168.0.0/24 (Hub Jakarta) and 192.168.2.0/24 (Spoke Surabaya)
Remote Gateway : 202.1.1.2 (Hub Jakarta WAN)
Create the Address Book as shown below:
• Create Authentication Object, for example : 1234567890
• Add default gateway to WAN 1 interface
• Create the IPsec tunnel to Jakarta / Surabaya
• Create the Interface Group as shown below:
• Create an IP rule for the tunnel and put it at the top:
• Hub Jakarta
Tunnel JKT-SBY
Local Net : 192.168.1.0/24 (Spoke Bandung) and 192.168.0.0/24 (Hub Jakarta)
Remote Net : 192.168.2.0/24 (Spoke Surabaya)
Remote Gateway : 202.3.1.2 (Spoke Surabaya WAN)
Tunnel JKT-BDG
Local Net : 192.168.2.0/24 (Spoke Surabaya) and 192.168.0.0/24 (Hub Jakarta)
Remote Net : 192.168.1.0/24 (Spoke Bandung)
Remote Gateway : 202.2.1.2 (Spoke Bandung WAN)
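In a hub-and-spoke design each side's Local Net must be the other side's Remote Net, and each Remote Gateway must be the peer's WAN IP. The check below is an added example, not part of the original training material; the dictionary layout and function names are hypothetical, and the networks and gateways are transcribed from the slides.

```python
from ipaddress import ip_network

def nets(*cidrs):
    return frozenset(ip_network(c) for c in cidrs)

# (this site, peer site) -> tunnel settings as listed on the slides
TUNNELS = {
    ("Surabaya", "Jakarta"): dict(local=nets("192.168.2.0/24"),
        remote=nets("192.168.0.0/24", "192.168.1.0/24"), gateway="202.1.1.2"),
    ("Bandung", "Jakarta"): dict(local=nets("192.168.1.0/24"),
        remote=nets("192.168.0.0/24", "192.168.2.0/24"), gateway="202.1.1.2"),
    ("Jakarta", "Surabaya"): dict(local=nets("192.168.1.0/24", "192.168.0.0/24"),
        remote=nets("192.168.2.0/24"), gateway="202.3.1.2"),
    ("Jakarta", "Bandung"): dict(local=nets("192.168.2.0/24", "192.168.0.0/24"),
        remote=nets("192.168.1.0/24"), gateway="202.2.1.2"),
}
WAN = {"Jakarta": "202.1.1.2", "Surabaya": "202.3.1.2", "Bandung": "202.2.1.2"}

def check(tunnels, wan):
    """Return a list of inconsistencies between the two ends of each tunnel."""
    problems = []
    for (here, there), t in tunnels.items():
        peer = tunnels.get((there, here))
        if peer is None:
            problems.append(f"{here}->{there}: no matching tunnel on peer")
            continue
        if t["local"] != peer["remote"] or t["remote"] != peer["local"]:
            problems.append(f"{here}->{there}: local/remote nets do not mirror peer")
        if t["gateway"] != wan[there]:
            problems.append(f"{here}->{there}: gateway is not the peer WAN IP")
        if any(a.overlaps(b) for a in t["local"] for b in t["remote"]):
            problems.append(f"{here}->{there}: local and remote nets overlap")
    return problems

if __name__ == "__main__":
    print(check(TUNNELS, WAN) or "all tunnel definitions are consistent")
```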
• Create the Address Book as shown below:
• Create Authentication Object, for example : 1234567890
• Add default gateway to WAN 1 interface
• Create the IPsec tunnel to Surabaya
• Create the IPsec tunnel to Bandung
• Create the Interface Group as shown below:
• Create an IP rule for the tunnel and put it at the top:
• Check the Main Routing Table and IPsec Status at the Hub:
Tunnel to Surabaya
Tunnel to Bandung
• Check the Main Routing Table and IPsec Status at Spoke Bandung:
Tunnel to Jakarta and Surabaya
• Check the Main Routing Table and IPsec Status at Spoke Surabaya:
Tunnel to Jakarta and Bandung
Questions & Answers
THANK YOU
D-Link Call Center : 021-5731610
D-Link Support Email : [email protected]
D-Link Support Website : http://support.dlink.co.id