
Headquarters – Allied Telesis AlliedWare AR440S User Manual


Headquarters

Page 41 | AlliedWare™ OS How To Note: VPNs for Corporate Networks

#
# FIREWALL configuration
#
# Headquarters router: policy "hq" fronts the office LAN (vlan1) and the
# dynamic interfaces created for roaming Windows L2TP/IPsec clients.
enable firewall
create firewall policy=hq
# icmp_f=all lets every ICMP type through the policy. Narrow it if the
# site only needs echo/unreachable - TODO confirm the accepted values
# against the icmp_forwarding reference for this release.
enable firewall policy=hq icmp_f=all
#
# Define a firewall dynamic definition to work with dynamic
# interfaces. This provides for the dynamic PPP/L2TP interfaces that
# incoming Windows VPN connections use.
# user=any maps every peer that completes VPN authentication onto the
# roaming definition, so the "private" trust granted to dyn-roaming
# below rests entirely on that authentication.
create firewall policy=hq dy=roaming
add firewall policy=hq dy=roaming user=any
#
# Specify the private and public interfaces. The roaming interface is
# private - you can trust it because it comes from an authenticated
# Windows VPN connection.
add firewall policy=hq int=dyn-roaming type=private
add firewall policy=hq int=vlan1 type=private
add firewall policy=hq int=eth0 type=public
#
# Create a NAT definition for traffic from the headquarters LAN to
# use when accessing the Internet.
add firewall poli=hq nat=enhanced int=vlan1 gblin=eth0
#
# Create another NAT definition for roaming VPN clients to use when
# accessing the Internet via the headquarters router.
# This means remote-client Internet traffic is hairpinned through HQ
# and leaves with the eth0 address, so it is logged and filtered here.
add firewall poli=hq nat=enhanced int=dyn-roaming gblin=eth0
#
# Create a rule to allow incoming ISAKMP negotiation to pass through
# the firewall.
# ip= and gblip= are the same address, so the rule only admits IKE that
# is addressed to the router itself (presumably its eth0 address in
# this example) rather than forwarding it to a LAN host.
add firewall poli=hq ru=1 ac=allo int=eth0 prot=udp po=500 ip=200.200.200.1 gblip=200.200.200.1 gblp=500
#
# Create a rule to support NAT-T. If there is a NAT gateway in the
# VPN path, NAT-T "port floats" IKE to port 4500, and also
# encapsulates IPsec inside the same port.
add firewall poli=hq ru=2 ac=allo int=eth0 prot=udp po=4500 ip=200.200.200.1 gblip=200.200.200.1 gblp=4500
#
# Create a rule for the roaming VPN clients. Windows uses L2TP (port
# 1701) inside IPsec. This rule allows traffic that comes from IPsec
# and uses port 1701.
# enc=ips is the important qualifier: L2TP arriving in the clear on
# eth0 does not match this rule and is not admitted.
add firewall poli=hq ru=3 ac=allo int=eth0 prot=udp po=1701 ip=200.200.200.1 gblip=200.200.200.1 gblp=1701 enc=ips
#
# Create a pair of rules to allow office-to-office payload traffic to
# pass through the firewall without applying NAT.
#
# The rule for the public interface uses encapsulation=ipsec to
# identify incoming VPN traffic.
# prot=all is scoped by enc=ips, so only traffic that was decrypted
# from an IPsec SA is exempted from NAT; plaintext eth0 traffic is not.
add firewall poli=hq ru=4 ac=non int=eth0 prot=all enc=ips
#
# The rule for the private interface uses both source and destination
# addresses to identify outgoing VPN traffic.
# Source range is the local LAN; the set command adds the remote office
# ranges as the destination (rem=) so only LAN-to-branch traffic skips NAT.
add firewall poli=hq ru=5 ac=non int=vlan1 prot=all ip=192.168.140.1-192.168.140.254
set firewall poli=hq ru=5 rem=192.168.141.0-192.168.144.254