![Page 1: DFL-210/800/1600/2500 Training Material DFL fundamental Part II Created on 2007 ©Copyright 2007. All rights reserved](https://reader035.vdocuments.us/reader035/viewer/2022062712/56649c905503460f94949f49/html5/thumbnails/1.jpg)
DFL-210/800/1600/2500 Training Material
DFL fundamental, Part II
Created on 2007
©Copyright 2007. All rights reserved
Topics in NAT
• NAT behaviour, and SAT & NAT on the DFL
• Must there be a NAT rule between a SAT rule and the Allow rule for LAN users?
• SAT case study: things that NAT breaks
NAT – Source Address Translation
INSIDE (green PC 192.168.1.100)                 OUTSIDE (server 1.1.1.1)
Packet 1, inside:  Source 192.168.1.100, Destination 1.1.1.1
Packet 1, outside: Source 2.2.2.2,       Destination 1.1.1.1
Packet 2, outside: Source 1.1.1.1,       Destination 2.2.2.2
Packet 2, inside:  Source 1.1.1.1,       Destination 192.168.1.100
The NAT router replaces the private address of the green PC (192.168.1.100) with a publicly routable address (2.2.2.2) on the outbound packet, and on the reply it translates 2.2.2.2 back to 192.168.1.100.
DFL – Source Address Translation
NAT – Destination Address Translation
Client 192.168.1.1 on one side of the NAT router, server 172.16.90.91 (published as 1.1.1.1) on the other:
Packet 1, before NAT: Source 192.168.1.1,  Destination 1.1.1.1
Packet 1, after NAT:  Source 192.168.1.1,  Destination 172.16.90.91
Packet 2, before NAT: Source 172.16.90.91, Destination 192.168.1.1
Packet 2, after NAT:  Source 1.1.1.1,      Destination 192.168.1.1
The NAT router rewrites the destination of the packet going to the server (1.1.1.1 to 172.16.90.91) and the source of the reply (172.16.90.91 back to 1.1.1.1), so the client only ever sees the published address.
DFL – Destination Address Translation
One-to-one SAT of a whole network: each original destination maps to the address with the same host part in the translated network.

| Orig. Dest.   | SAT Dest. |
|---------------|-----------|
| 172.16.90.1   | 1.1.1.1   |
| 172.16.90.2   | 1.1.1.2   |
| 172.16.90.3   | 1.1.1.3   |
| …             | …         |
| 172.16.90.254 | 1.1.1.254 |
NAT – Dynamic NAT
INSIDE: source 10.10.10.1–10.10.10.254 (254 addresses) → NAT → OUTSIDE: source 1.1.1.1–1.1.1.20 (20 addresses) → Internet
In this design a pool of 20 public addresses serves a private range roughly 12 times as large. Each inside host borrows a pool address for the lifetime of its session; with pure dynamic NAT (no port translation) the 21st simultaneous host cannot get out until a mapping is released.
NAT – NAPT (PAT)
INSIDE                                                   OUTSIDE
Packet 1, inside: Source 192.168.1.1,   source port 1026  →  outside: Source 2.2.2.2, source port 1026
Packet 2, inside: Source 192.168.1.101, source port 1026  →  outside: Source 2.2.2.2, source port 3000
By translating both the IP address and the associated port, NAPT (PAT) lets many hosts share a single global address at the same time. The second host's source port collides with the first, so the NAT device assigns a different public port (3000) and uses the port to steer each reply back to the right inside host.
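The translation table behind the NAPT diagram, as an added Python example (not code from the training material or the DFL). It replays the slide's case, where inside hosts 192.168.1.1 and 192.168.1.101 both use source port 1026 behind the single public address 2.2.2.2, and shows why an unsolicited inbound packet gets nothing. The port allocator, the class and function names, and the destination 1.1.1.1:80 are assumptions of the example.

```python
"""NAPT (PAT) translation table: an added example, not code from the D-Link
training material. Port allocation is an assumption: the inside port is kept
when free and a collision falls back to 3000 so the numbers match the slide;
real devices choose public ports differently (often randomly)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Napt:
    def __init__(self, public_ip, fallback_start=3000, port_end=65535):
        self.public_ip = public_ip
        self.next_port = fallback_start
        self.port_end = port_end
        self.used_ports = set()
        self.outbound = {}  # inside 5-tuple -> public source port
        self.inbound = {}   # (proto, public port, remote ip, remote port) -> (inside ip, inside port)

    def _alloc_port(self, wanted):
        """Port preservation when possible; otherwise the next free fallback port."""
        if wanted not in self.used_ports:
            self.used_ports.add(wanted)
            return wanted
        while self.next_port <= self.port_end and self.next_port in self.used_ports:
            self.next_port += 1
        if self.next_port > self.port_end:
            raise RuntimeError("public port space exhausted")
        self.used_ports.add(self.next_port)
        return self.next_port

    def translate_out(self, flow):
        """Inside -> outside: rewrite the source to public_ip:port and create state."""
        key = (flow.proto, flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
        if key not in self.outbound:
            port = self._alloc_port(flow.src_port)
            self.outbound[key] = port
            self.inbound[(flow.proto, port, flow.dst_ip, flow.dst_port)] = (flow.src_ip, flow.src_port)
        return Flow(self.public_ip, self.outbound[key], flow.dst_ip, flow.dst_port, flow.proto)

    def translate_in(self, flow):
        """Outside -> inside: only packets matching existing state are translated;
        anything else has no mapping and a stateful NAT drops it (returned as None)."""
        if flow.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get((flow.proto, flow.dst_port, flow.src_ip, flow.src_port))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return Flow(flow.src_ip, flow.src_port, inside_ip, inside_port, flow.proto)


def run_slide_scenario():
    """Constructed traffic: both inside hosts connect to 1.1.1.1:80 from port 1026."""
    nat = Napt("2.2.2.2")
    pkt1 = nat.translate_out(Flow("192.168.1.1", 1026, "1.1.1.1", 80))    # keeps port 1026
    pkt2 = nat.translate_out(Flow("192.168.1.101", 1026, "1.1.1.1", 80))  # collision -> 3000
    reply2 = nat.translate_in(Flow("1.1.1.1", 80, "2.2.2.2", pkt2.src_port))
    stray = nat.translate_in(Flow("1.1.1.1", 80, "2.2.2.2", 4444))         # no state -> dropped
    return pkt1, pkt2, reply2, stray


if __name__ == "__main__":
    for f in run_slide_scenario():
        print(f)
```

The state is keyed on the full 5-tuple in both directions, which is what makes the stray packet to port 4444 fall through: a NAPT device has nowhere to send it, so the single public address also acts as a crude inbound filter.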
DFL – NAPT
Must there be a NAT rule between a SAT rule and the Allow rule for LAN users?
LAN user to web server: SAT & NAT
Must there be a NAT rule between a SAT rule and the Allow rule for LAN users? – Rule set

| # | Name            | Action  | Source Int | Source Net     | Destination Int | Destination Net | Service  | SAT parameter            |
|---|-----------------|---------|------------|----------------|-----------------|-----------------|----------|--------------------------|
| 1 | SAT_Web_In      | SAT     | any        | all-nets       | core            | wan_ip          | http-in  | SAT_Dest: Websrv_priv_ip |
| 2 | SAT_Web_Out     | SAT     | lan        | Websrv_priv_ip | any             | all-nets        | 80 > all | SAT_Src: wan_ip          |
| 3 | FwdFast_Web_Out | FwdFast | lan        | Websrv_priv_ip | any             | all-nets        | 80 > all |                          |
| 4 | Fwd_Web_In      | FwdFast | wan1       | all-nets       | core            | wan_ip          | http-in  |                          |
| 5 | NAT_lan_Web_In  | NAT     | lan        | lannet         | core            | wan_ip          | http-in  |                          |
Must there be a NAT rule between a SAT rule and the Allow rule for LAN users? – External traffic to the internal web server (SAT & FwdFast)

```text
DFL:/> rules -v
Contents of ruleset; default action is DROP
#  Act.   Source                  Destination             Protocol/Ports
-- -----  ----------------------  ----------------------  --------------
1  SAT    *:0.0.0.0/0             core:1.2.3.4            "http-in"      "SAT_webIn"         SETDEST 172.31.31.200  Use: 5
2  SAT    lan:172.31.31.200       *:0.0.0.0/0             TCP 80 > ALL   "SAT_webOut"        SETSRC 1.2.3.4:80      Use: 4
3  FwdFa  lan:172.31.31.200       *:0.0.0.0/0             TCP 80 > ALL   "Allow_SAT_webOut"                         Use: 4
4  FwdFa  wan1:0.0.0.0/0          core:1.2.3.4            "http-in"      "Allow_SAT_webIn"                          Use: 5
5  NAT    lan:172.31.31.0/24      core:1.2.3.4            "http-in"      "NAT_lan-core_wan"                         Use: 0
```

The Use counters show rules 1 (SAT) and 4 (FwdFast) being hit together: an external client's packet matches the SAT rule, which only records the translation to 172.31.31.200, and lookup continues until the FwdFast rule lets it through. The NAT rule (5) is never used for external traffic.
External traffic to the internal web server (SAT & FwdFast) – packet flow between client A and server B:
A → B  SYN
B → A  SYN,ACK
A → B  ACK
A → B  HTTP GET request
B → A  HTTP response (request has succeeded)
A → B  FIN,ACK
B → A  ACK
B → A  FIN,ACK
A → B  ACK
Must there be a NAT rule between a SAT rule and the Allow rule for LAN users? – Internal traffic to the internal web server (SAT & NAT)

```text
DFL:/> rules -v
Contents of ruleset; default action is DROP
#  Act.   Source                  Destination             Protocol/Ports
-- -----  ----------------------  ----------------------  --------------
1  SAT    *:0.0.0.0/0             core:1.2.3.4            "http-in"      "SAT_webIn"         SETDEST 172.31.31.200  Use: 1
2  SAT    lan:172.31.31.200       *:0.0.0.0/0             TCP 80 > ALL   "SAT_webOut"        SETSRC 1.2.3.4:80      Use: 0
3  FwdFa  lan:172.31.31.200       *:0.0.0.0/0             TCP 80 > ALL   "Allow_SAT_webOut"                         Use: 0
4  FwdFa  wan1:0.0.0.0/0          core:1.2.3.4            "http-in"      "Allow_SAT_webIn"                          Use: 0
5  NAT    lan:172.31.31.0/24      core:1.2.3.4            "http-in"      "NAT_lan-core_wan"                         Use: 1
```

This time a LAN client connected to the public address 1.2.3.4: the SAT rule (1) was hit and lookup continued to the NAT rule (5), while the FwdFast rule (4) stayed at zero because it only matches traffic arriving on wan1. So the answer is yes, the NAT rule is required. A SAT rule never forwards anything on its own; a second matching rule must accept the connection, and for a client on the same network as the server that rule has to be NAT. With a plain Allow or FwdFast the server would see the client's own LAN address and answer it directly, bypassing the firewall, and the client would get a reply from 172.31.31.200 instead of from 1.2.3.4 and discard it. NAT rewrites the client's source to the firewall's address, so the reply comes back through the firewall, where the SAT translation is reversed.
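To make the rule-lookup behaviour behind the two Use-counter listings concrete, here is an added Python model (not code from the training material or from the DFL firmware) that evaluates the five rules for an external client and for a LAN client, and shows what happens to the LAN client when rule 5 is removed. Behaviour modelled: a matching SAT rule only records the translation and lookup continues; the next matching non-SAT rule (FwdFast, Allow, NAT or Drop) decides; every rule is matched against the original, untranslated addresses; no match means the ruleset default, DROP. The client addresses 203.0.113.9 and 172.31.31.50, the firewall's lan address 172.31.31.1 (used as the NAT source), the routing table and all function names are assumptions of the example.

```python
"""Model of NetDefendOS-style rule lookup for the slide's five rules.
Added example; addresses, routes and names are assumptions, not page facts."""
import ipaddress
from dataclasses import dataclass, replace

ALL = (0, 65535)
SERVICES = {                                   # name -> (proto, source ports, destination ports)
    "http-in": ("tcp", ALL, (80, 80)),
    "TCP 80 > ALL": ("tcp", (80, 80), ALL),
}
ROUTES = {"1.2.3.4/32": "core", "172.31.31.0/24": "lan", "0.0.0.0/0": "wan1"}  # assumed
IFACE_IP = {"lan": "172.31.31.1", "wan1": "1.2.3.4"}                          # assumed


@dataclass
class Packet:
    in_iface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Rule:
    num: int
    action: str            # SAT | FwdFast | Allow | NAT | Drop
    src_iface: str         # "*" means any
    src_net: str
    dst_iface: str
    dst_net: str
    service: str
    sat: tuple = None      # ("SETDEST", ip) or ("SETSRC", ip) on SAT rules
    use: int = 0           # the "Use:" counter printed by rules -v


@dataclass
class Verdict:
    action: str
    hits: list             # rule numbers matched, in order
    pkt: Packet            # packet as forwarded, or None when dropped


def route_iface(dst_ip):
    """Longest-prefix match; the firewall's own address routes to 'core'."""
    addr = ipaddress.ip_address(dst_ip)
    best = max((ipaddress.ip_network(n) for n in ROUTES if addr in ipaddress.ip_network(n)),
               key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


def matches(rule, pkt, dst_iface):
    proto, sports, dports = SERVICES[rule.service]
    return (rule.src_iface in ("*", pkt.in_iface)
            and rule.dst_iface in ("*", dst_iface)
            and ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.src_net)
            and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(rule.dst_net)
            and proto == pkt.proto
            and sports[0] <= pkt.src_port <= sports[1]
            and dports[0] <= pkt.dst_port <= dports[1])


def lookup(rules, pkt):
    dst_iface = route_iface(pkt.dst_ip)       # destination interface from the original address
    fwd = replace(pkt)
    hits = []
    for rule in rules:
        if not matches(rule, pkt, dst_iface):
            continue
        rule.use += 1
        hits.append(rule.num)
        if rule.action == "SAT":              # remember the translation, keep looking
            kind, ip = rule.sat
            if kind == "SETDEST":
                fwd.dst_ip = ip
            else:
                fwd.src_ip = ip
            continue
        if rule.action == "Drop":
            return Verdict("Drop", hits, None)
        if rule.action == "NAT":              # hide the client behind the egress interface address
            fwd.src_ip = IFACE_IP.get(route_iface(fwd.dst_ip), fwd.src_ip)
        return Verdict(rule.action, hits, fwd)
    return Verdict("DROP", hits, None)        # ruleset default


def slide_ruleset():
    return [
        Rule(1, "SAT", "*", "0.0.0.0/0", "core", "1.2.3.4/32", "http-in", ("SETDEST", "172.31.31.200")),
        Rule(2, "SAT", "lan", "172.31.31.200/32", "*", "0.0.0.0/0", "TCP 80 > ALL", ("SETSRC", "1.2.3.4")),
        Rule(3, "FwdFast", "lan", "172.31.31.200/32", "*", "0.0.0.0/0", "TCP 80 > ALL"),
        Rule(4, "FwdFast", "wan1", "0.0.0.0/0", "core", "1.2.3.4/32", "http-in"),
        Rule(5, "NAT", "lan", "172.31.31.0/24", "core", "1.2.3.4/32", "http-in"),
    ]


def run_cases():
    """External client, LAN client, and the LAN client again with rule 5 removed."""
    external = Packet("wan1", "203.0.113.9", 40000, "1.2.3.4", 80)   # constructed
    internal = Packet("lan", "172.31.31.50", 40001, "1.2.3.4", 80)   # constructed
    rules = slide_ruleset()
    v_ext = lookup(rules, external)
    v_lan = lookup(rules, internal)
    v_lan_no_nat = lookup([r for r in rules if r.num != 5], internal)
    return v_ext, v_lan, v_lan_no_nat
```

Run `run_cases()`: the external packet hits rules 1 and 4 and leaves with its own source address, the LAN packet hits rules 1 and 5 and leaves with the firewall's lan address as source, and without rule 5 the LAN packet matches only the SAT rule and falls through to the default DROP, which is the listing's "Use: 0" on rule 4 seen from the other side.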
Case Study: Things that NAT breaks
Things that NAT breaks
1) Protocols that cryptographically require the addresses to be unaltered (e.g. IPsec, Kerberos 4/5). IPsec AH authenticates the IP header itself, and ESP in transport mode protects the TCP/UDP checksum that a rewritten address invalidates.
2) Protocols that embed IP addresses in the data portion (e.g. H.323, SNMP, RSVP, FTP…). The NAT device rewrites the header but not the payload, so the peer is told a private address it cannot reach.
3) Applications that require pre-set or negotiated source/destination port values (e.g. rlogin, TFTP). rlogin insists on a privileged source port (512–1023), and TFTP answers from a newly chosen server port; a port-translating NAT preserves neither without help.
Things that NAT breaks – FTP

FTP active mode with the FTP server outside: the inside client sends a PORT command carrying its own private address and a port for the data connection; the server tries to connect back to that private address and fails.

FTP passive mode with the FTP server inside: the server's 227 reply to PASV carries its private address, so the outside client tries to connect to an address it cannot reach.

FTP passive mode with the FTP server inside and the FTP ALG enabled: the ALG inspects the control channel, rewrites the address (and, where needed, the port) in the 227 reply to the firewall's public address, and opens a pinhole for the expected inbound data connection so that it reaches the server.
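The control-channel rewrite that the ALG performs, for both broken cases above (active mode with the server outside, passive mode with the server inside), as an added Python example; this is not code from the training material or from the DFL's FTP ALG. It rewrites the PORT command and the 227 reply, maps the advertised data port to a public port, and records a one-shot pinhole that admits only the expected inbound data connection. The addresses, the port allocator and all class and function names are assumptions of the example.

```python
"""FTP ALG control-channel rewrite: added example, not the DFL's implementation."""
import re

PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")
PASV_RE = re.compile(r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def decode_hostport(groups):
    """h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256+p2), rejecting out-of-range octets."""
    h1, h2, h3, h4, p1, p2 = map(int, groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("malformed host-port string")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class FtpAlg:
    def __init__(self, public_ip, first_port=50000):   # port allocator is an assumption
        self.public_ip = public_ip
        self.next_port = first_port
        self.pinholes = {}         # public data port -> (private ip, private port)

    def _map(self, priv_ip, priv_port):
        pub_port = self.next_port
        self.next_port += 1
        self.pinholes[pub_port] = (priv_ip, priv_port)
        return pub_port

    def rewrite(self, line, direction):
        """direction 'out': inside client -> outside server (PORT command).
        direction 'in':  inside server -> outside client (227 reply).
        Lines that carry no address pass through unchanged."""
        m = PORT_RE.match(line) if direction == "out" else PASV_RE.match(line)
        if m is None:
            return line
        priv_ip, priv_port = decode_hostport(m.groups())
        pub_port = self._map(priv_ip, priv_port)
        hp = encode_hostport(self.public_ip, pub_port)
        if direction == "out":
            return f"PORT {hp}\r\n"
        return f"227 Entering Passive Mode ({hp}).\r\n"

    def admit_data_connection(self, dst_port):
        """Inbound SYN to public_ip:dst_port: forward to the private endpoint when a
        pinhole exists (one-shot), otherwise None, i.e. the firewall drops it."""
        return self.pinholes.pop(dst_port, None)


def run_slide_cases():
    alg = FtpAlg("2.2.2.2")
    # Active mode, server outside: inside client 192.168.1.100 offers 192.168.1.100:1025 (constructed)
    port_cmd = alg.rewrite("PORT 192,168,1,100,4,1\r\n", "out")
    # Passive mode, server inside: server 192.168.1.200 offers 192.168.1.200:60001 (constructed)
    pasv_reply = alg.rewrite("227 Entering Passive Mode (192,168,1,200,234,97).\r\n", "in")
    admitted = alg.admit_data_connection(50001)    # outside client connects to the rewritten port
    rejected = alg.admit_data_connection(60001)    # direct attempt at the private port: no pinhole
    passthrough = alg.rewrite("USER anonymous\r\n", "out")
    return port_cmd, pasv_reply, admitted, rejected, passthrough
```

Without the rewrite, the outside party sees `192,168,1,...` in the command or reply and connects to a private address; with it, the address and port the peer is told are the firewall's, and the pinhole is what lets the matching data connection through a ruleset that otherwise has no inbound rule for it.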
Hands-on: NAT ALG and Second IP
User Authentication
• Admin users
• User authentication types
• Authentication server
• Authentication rule
Admin User
Tree view: User Authentication => Local User Database
User Authentication Types
• Authentication users and user groups
• PPTP users and user groups
• L2TP users and user groups
• XAuth users
• IKE ID list
Authentication server

User Authentication Rule
Tree view: User Authentication => User Authentication Rules => Add New
Authentication Users and User Groups – Scenario

Authentication Users and User Groups – Process flow

Hands-on: Authentication Users and User Groups
• Configuration concept
– User database (local or external)
– IP address object (including user credentials)
– WebUI before Rules
– User authentication rule
– IP rule
Authentication Users and User Groups – User Database
Authentication Users and User Groups – IP address object
Authentication Users and User Groups – WebUI before rules
Authentication Users and User Groups – User Authentication Rule
Authentication Users and User Groups – IP Rule
Authentication Users and User Groups – VSA (user group delivered via RADIUS)
IAS configuration
1) IAS must tell the firewall that any user matching this policy belongs to the designated user group. In the policy's "Edit Profile" dialog, open the "Advanced" tab.
2) Press "Add" to add a new Vendor-Specific attribute.
3) Type 5089 in "Enter Vendor Code".
4) Click "Configure Attribute" and enter the attribute values.
The group name carried in this attribute is what the firewall matches against the user groups referenced from its authentication and IP rules.
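To check the IAS setup in a packet capture of the Access-Accept, it helps to know the byte layout of the attribute being configured. The following Python is an added example, not code from the training material, IAS or the DFL: it encodes and decodes an RFC 2865 Vendor-Specific attribute (type 26) for vendor code 5089 and extracts the user-group string the way a firewall would. The vendor attribute number `USER_GROUP_VENDOR_TYPE`, the group names and all function names are assumptions; take the real attribute number from the firewall's RADIUS dictionary.

```python
"""RADIUS Vendor-Specific attribute encode/decode for vendor 5089.
Added example; the vendor attribute number and sample values are assumptions."""
import struct

VSA_TYPE = 26                 # RFC 2865 Vendor-Specific
VENDOR_ID = 5089              # vendor code entered in IAS per the slide
USER_GROUP_VENDOR_TYPE = 1    # ASSUMED: take the real number from the firewall's RADIUS dictionary


def encode_vsa(vendor_id, vendor_type, value):
    """Type(1) Length(1) Vendor-Id(4) | Vendor-Type(1) Vendor-Length(1) Value (RFC 2865 section 5.26)."""
    if len(value) > 255 - 8:
        raise ValueError("value too long for one attribute")
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", VSA_TYPE, 6 + len(sub), vendor_id) + sub


def decode_attributes(blob):
    """Walk a RADIUS attribute list. Plain attributes come back as (type, value);
    VSAs are expanded to (26, vendor_id, vendor_type, value). Bad lengths raise."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        body = blob[i + 2:i + length]
        if t != VSA_TYPE:
            out.append((t, body))
        else:
            if len(body) < 6:
                raise ValueError("short vendor-specific attribute")
            vendor_id = struct.unpack("!I", body[:4])[0]
            j = 4
            while j < len(body):
                if j + 2 > len(body):
                    raise ValueError("truncated vendor attribute header")
                vt, vl = body[j], body[j + 1]
                if vl < 2 or j + vl > len(body):
                    raise ValueError("bad vendor attribute length")
                out.append((VSA_TYPE, vendor_id, vt, body[j + 2:j + vl]))
                j += vl
        i += length
    return out


def user_groups(blob):
    """Group names the firewall would read from an Access-Accept: only our vendor id counts."""
    return [a[3].decode("utf-8") for a in decode_attributes(blob)
            if len(a) == 4 and a[1] == VENDOR_ID and a[2] == USER_GROUP_VENDOR_TYPE]


def sample_access_accept():
    """Constructed attribute list: Reply-Message (18), our user-group VSA, and a
    Microsoft (vendor 311) VSA that must be ignored."""
    return (struct.pack("!BB", 18, 4) + b"ok"
            + encode_vsa(VENDOR_ID, USER_GROUP_VENDOR_TYPE, b"vpn-users")
            + encode_vsa(311, 1, b"ignored"))
```

In a capture, the attribute for this policy starts with the bytes `1a <len> 00 00 13 e1` (type 26, then 5089 as a 32-bit vendor id); if the vendor id or the inner vendor-type does not match what the firewall expects, the user authenticates but lands in no group, and the group-based IP rules never match.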
XAuth
XAuth (IKE extended authentication) adds a user-name/password step to IKE: after phase 1 the gateway and the client exchange ISAKMP Attribute payloads (the same mechanism as ISAKMP Configuration Mode) carrying the credential request and reply, before phase 2 proceeds.
Identification List
An identification list entry is an ASN.1 Distinguished Name (DN) made up of:
• Country (C)
• State (ST)
• Locality (L)
• Organization name (O)
• Organizational Unit (OU)
• Common Name (CN)
Hands-on: User Authentication

PPTP/L2TP
• Architecture
• Function
• Protocols used
• Authentication
• Encryption
PPTP
Protocols involved: control connection on TCP port 1723; data tunnel in GRE (IP protocol 47).

PPTP extended GRE header
PPTP carries the PPP frames in an enhanced GRE header (RFC 2637) with protocol type 0x880B, a 16-bit Call ID that identifies the tunnel, and s sequence/acknowledgement numbers. GRE has no port numbers, so a firewall passing PPTP through NAPT must track tunnels by Call ID instead.
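A parser and builder for that header, as an added Python example (not code from the training material or the DFL): it validates the fixed fields RFC 2637 pins down, reads the optional sequence and acknowledgement words, and exposes the Call ID a NAT device would key its PPTP state on. The packet bytes are constructed in the test, and all function and field names are the example's own.

```python
"""PPTP enhanced GRE header (RFC 2637, section 4.1): parse and build.
Added example, not the DFL's implementation; sample packets are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

PPTP_GRE_PROTO = 0x880B   # protocol type for PPP in enhanced GRE


@dataclass
class PptpGre:
    call_id: int
    payload_len: int
    seq: Optional[int]
    ack: Optional[int]
    payload: bytes


def parse_pptp_gre(pkt: bytes) -> PptpGre:
    """Validate the fixed 8-byte header, then read the optional seq/ack words."""
    if len(pkt) < 8:
        raise ValueError("short GRE header")
    b0, b1, proto, payload_len, call_id = struct.unpack("!BBHHH", pkt[:8])
    # byte 0: C R K S s Recur(3); byte 1: A Flags(4) Ver(3)
    c, r, k, s = b0 & 0x80, b0 & 0x40, b0 & 0x20, b0 & 0x10
    strict, recur = b0 & 0x08, b0 & 0x07
    a, flags, version = b1 & 0x80, (b1 >> 3) & 0x0F, b1 & 0x07
    # RFC 2637 fixes C=R=s=Recur=Flags=0, K=1, Version=1, Protocol 0x880B
    if proto != PPTP_GRE_PROTO or version != 1 or not k or c or r or strict or recur or flags:
        raise ValueError("not a PPTP enhanced GRE header")
    off = 8
    seq = ack = None
    if s:
        if len(pkt) < off + 4:
            raise ValueError("truncated sequence number")
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if a:
        if len(pkt) < off + 4:
            raise ValueError("truncated acknowledgement number")
        ack = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if payload_len > len(pkt) - off:
        raise ValueError("payload length exceeds packet")
    return PptpGre(call_id, payload_len, seq, ack, pkt[off:off + payload_len])


def build_pptp_gre(call_id: int, payload: bytes, seq: Optional[int] = None,
                   ack: Optional[int] = None) -> bytes:
    """Inverse of parse_pptp_gre; an ack-only packet has an empty payload."""
    b0 = 0x20 | (0x10 if seq is not None else 0)     # K set, S if a sequence number follows
    b1 = 0x01 | (0x80 if ack is not None else 0)     # Version 1, A if an ack number follows
    hdr = struct.pack("!BBHHH", b0, b1, PPTP_GRE_PROTO, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def tunnel_id(pkt: bytes) -> int:
    """What a NAT device keys its PPTP state on: the Call ID, since GRE has no ports."""
    return parse_pptp_gre(pkt).call_id
```

Plain GRE (version 0, protocol 0x0800) is rejected by the same check that accepts PPTP, which is how a firewall distinguishes the two even though both arrive as IP protocol 47.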
L2TP

L2TP modes

L2TP in IP/UDP encapsulation: UDP port 1701

L2TP decapsulation
Things to be aware of
• Windows performs L2TP over IPsec by default. To make the client use plain L2TP:
– Click Start > Run and type regedit.
– Open HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > RasMan > Parameters.
– Double-click ProhibitIPSec, type 1 in the Value data field, select Hexadecimal as the base, then click OK.
– Reboot.
Plain L2TP has no encryption of its own: with IPsec disabled the tunnelled PPP traffic crosses the network in clear text and its security rests solely on the PPP authentication method, so this setting is only acceptable for testing.
L2TP over IPsec – Configuration Concept
• Configuration concept – server
– User database (local or external)
– IP address object
– IPsec tunnel
– L2TP tunnel
– Authentication
– IP rule
PPTP LAN-to-LAN – Scenario

PPTP LAN-to-LAN – Configuration Concept
• Configuration concept – server
– IP address object
– User database (local or external)
– PPTP tunnel (server)
– Authentication
– IP rule
PPTP LAN-to-LAN – Central Office – IP Address
Tree view: Objects => Address Book

PPTP LAN-to-LAN – Central Office – User Database
Tree view: User Authentication => Local User Database

PPTP LAN-to-LAN – Central Office – Tunnel
Tree view: Interfaces => PPTP/L2TP Servers

PPTP LAN-to-LAN – Central Office – User Authentication Rule
Tree view: User Authentication => User Authentication Rules

PPTP LAN-to-LAN – Central Office – IP Rule
Tree view: Rules => IP Rules
PPTP LAN-to-LAN – Configuration Concept
• Configuration concept – client
– IP address
– PPTP tunnel (client)
– IP rule

PPTP LAN-to-LAN – New York – Address
Tree view: Objects => Address Book

PPTP LAN-to-LAN – New York – PPTP Client
Tree view: Interfaces => PPTP/L2TP Clients

PPTP LAN-to-LAN – New York – IP Rule
Tree view: Rules => IP Rules
PPTP LAN-to-LAN – Done and Activate
Configuration done!

PPTP LAN-to-LAN – Verification on the CO site

Hands-on: PPTP LAN-to-LAN
Troubleshooting
• Troubleshooting by layers
• 7 – Application
• 6 – Presentation
• 5 – Session
• 4 – Transport
• 3 – Network
• 2 – Data Link
• 1 – Physical

Approach

Troubleshooting – What's in your tool bag

Tool bag – WebUI – Layer 1
Tool bag – CLI – Layer 1

```text
DFL-800:/> ifstat wan1
Iface wan1
  Builtin r8139/8129 - Realtek RTL8139 Fast Ethernet  Bus 0 Slot 2 IRQ 0
  Media          : "100BaseTx"
  Link Status    : 100 Mbps full Duplex (autonegotiated)
  Receive Mode   : Undefined
  MTU            : 1500
  Link Partner   : 10BASE-T, 10BASE-T FD, 100BASE-TX, 100BASE-TX FD
  IP Address     : 10.254.0.180
  Hw Address     : 0013:463d:876a
  PBR Membership : main

Software Statistics:
  Soft received : 123117    Soft sent : 175208    Send failures : 0    Dropped : 36    IP Input Errs : 0

Driver information / hardware statistics:
  IN : packets= 13  bytes= 854  errors= 0  dropped= 0
  OUT: packets= 10  bytes= 600  errors= 0  dropped= 0
  Collisions : 0
  In : Length Errors  : 0      Out: Sends Aborted   : 0
  In : Overruns       : 0      Out: Carrier Errors  : 0
  In : CRC Errors     : 0      Out: FIFO Underruns  : 0
  In : Frame Errors   : 0      Out: SQE Errors      : 0
  In : FIFO Overruns  : 0      Out: Late Collisions : 0
  In : Packets Missed : 0
```

For a layer-1 problem look at the link status and duplex first, then at the error counters: CRC and frame errors point to cabling, collisions and late collisions to a duplex mismatch.
Tool bag – WebUI – Layer 3

Tool bag – CLI – Layer 3

```text
DFL-800:/> routes -all -v
Flags  Network             Iface      Gateway   Local IP     Metric
-----  ------------------  ---------  --------  -----------  ------
       127.0.0.1           core                 (Iface IP)   0
       10.254.0.180        core                 (Iface IP)   0
       192.168.120.254     core                 (Iface IP)   0
       172.17.100.254      core                 (Iface IP)   0
       192.168.12.1        core                 (Iface IP)   0
       220.132.138.26      core                 (Iface IP)   0
       192.168.1.0/24      ipsec_t1                          90
       10.254.0.0/24       wan1                              100
       192.168.120.0/24    wan2                              100
       172.17.100.0/24     dmz                               100
       192.168.12.0/24     lan                               100
       224.0.0.0/4         core                 (Iface IP)   0
       0.0.0.0/0           ADSL1                             90
```

Routes to "core" are the firewall's own addresses: traffic to them is handled by the firewall itself rather than forwarded, which is why the SAT rules earlier name core as the destination interface for the public address.
Tool bag – CLI – Layer 3

```text
DFL-800:/> ping 168.95.1.1 -srcip=192.168.12.150 -recvif=lan -length=1400 -verbose
Rule and routing information for ping:
  PBR selected by rule "iface_member_main" - PBR table "main"
  allowed by rule "allow_ping-outbound"
  sent via route "0.0.0.0/0 via ADSL1, no gw" in PBR table "main"
Sending 1 1400-byte ping to 168.95.1.1 from 220.132.138.26.
Reply from 168.95.1.1 seq=0 time=150 ms TTL=248
Ping Results: Sent: 1, Received: 1, Loss: 0%, Avg RTT: 150.0 ms
```

Syntax: ping {destination IP} -[count | length | pbr | recvif | srcip | verbose]

With -srcip and -recvif the firewall treats the ping as if it had arrived on lan from 192.168.12.150, so the verbose output shows which PBR table, rule and route a real client's packet would be handled by, and the source address it leaves with after NAT (220.132.138.26).
Troubleshooting – logging
Log is our best friend
• Log severity defaults
• Log reference
Troubleshooting – IP rule set

```text
DFL-800:/> rules 1-5 -ruleset=main -v
Contents of ruleset; default action is DROP
#  Act.   Source                  Destination             Protocol/Ports
-- -----  ----------------------  ----------------------  --------------
1  Drop   lan:192.168.1.0/24      wan1:0.0.0.0/0          "smb-all"          "drop_smb-all"           Use: 0
2  NAT    lan:192.168.1.0/24      wan1:0.0.0.0/0          "ping-outbound"    "allow_ping-outbound"    Use: 0
3  NAT    lan:192.168.1.0/24      wan1:0.0.0.0/0          "ftp-passthrough"  "allow_ftp-passthrough"  Use: 0
4  NAT    lan:192.168.1.0/24      wan1:0.0.0.0/0          "all_tcpudp"       "allow_standard"         Use: 0
5  Allow  lan:192.168.1.0/24      core:192.168.1.1        "ping-inbound"     "ping_fw"                Use: 1
```

Syntax: rules [range] -[ruleset | schedule | verbose]
Troubleshooting in the IP rule set
To reset the Use counters shown by rules -v and see exactly which rules a fresh test hits:
• connections -close -all
• reconfigure
• rules -v
Note that connections -close -all tears down every active connection through the firewall, not just the one being debugged, so on a production unit do this in a maintenance window.
Troubleshooting – Final Solution
• Final solution, when the problem cannot be identified from rules and logs:
– Take packet captures on both the inside and the outside of the firewall.
– Make sure the clocks of the capture hosts and of the firewall log agree, so packets and log lines can be correlated.
Troubleshooting – Final Solution – Time Accuracy in the DFL

```text
DFL-800:/> time -sync -force
Timesync: Clockdrift(-4337s) too high(max +/-600s) -> Clock not updated!

DFL-800:/> time -sync -force
Attempting to synchronize system time...
Server time: 2007-06-13 18:08:24 (UTC+08:00)
Local time:  2007-06-13 18:05:24 (UTC+08:00) (diff: -180)
Local time successfully changed to server time.
```

A drift of -4337 s exceeds the ±600 s maximum and the adjustment is rejected; the second run, with only 180 s of drift, succeeds. Until the clock is right, firewall log timestamps cannot be lined up against a capture.
Troubleshooting – Final Solution – Time Accuracy on the Traffic Analyzer

Troubleshooting – Final Solution – Time Format on the Traffic Analyzer

Troubleshooting – Final Solution – Capture Options on the Traffic Analyzer
END