
Chapter 11

Chapter 11. Routing. Objectives. Configure Windows Server 2003 as a router Create and configure demand-dial connections for routing Configure Network Address Translation (NAT) for Internet connectivity Install Internet Connection Sharing (ICS) Configure Internet Connection Firewall (ICF).


Presentation Transcript


  1. Chapter 11 Routing

  2. Objectives • Configure Windows Server 2003 as a router • Create and configure demand-dial connections for routing • Configure Network Address Translation (NAT) for Internet connectivity • Install Internet Connection Sharing (ICS) • Configure Internet Connection Firewall (ICF)

  3. Router Installation and Configuration • Windows Server 2003 • Can be used as a router • Can perform routing for TCP/IP and AppleTalk • Does not support IPX/SPX for routing • Implementing Windows Server 2003 as a router • Main benefit is cost • Server must be connected to at least two networks

  4. Router Installation and Configuration (Continued) • Internet Security and Acceleration Server (ISA) • Provides proxy services • Routing and Remote Access snap-in • Used to add routing

  5. Enabling RRAS as a Router

  6. Enabling IP Routing

  7. Routing Tables • Routers • Decide how to forward packets from one network to another along the best known path • Routing table • List of networks known to the router • Each entry contains • IP address of the network • Subnet mask of the network • Gateway used to reach the network • Router interface used to reach the gateway • Metric that measures how far away (how costly) the network is • The most specific matching entry (longest subnet mask) is used; the lowest metric breaks ties

  8. Routing Tables (Continued) • ROUTE PRINT command • Used to view the routing table (ROUTE ADD adds a static entry) • Static routing • Entries that are added manually • Used when security is required, because the router accepts no routes announced from the network • Adding a new network means the routing table of every router must be changed by hand • Each manual change is an opportunity to introduce an error

  9. Routing Tables (Continued) • Dynamic routing • Entries that are added automatically based on a routing protocol • Routers talk to each other to build their routing tables
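The lookup a router performs against a table like the one ROUTE PRINT shows, as an added example that is not part of the original slides. The table text below is constructed to mimic the ROUTE PRINT columns (Network Destination, Netmask, Gateway, Interface, Metric); every address in it is hypothetical, and `add_static_route` stands in for what ROUTE ADD does on the real host.

```python
"""Longest-prefix-match lookup over a ROUTE PRINT-style table.

Added example, not from the slides.  The table below is constructed to look
like the columns ROUTE PRINT shows on Windows Server 2003; every address in
it is hypothetical."""
import ipaddress

ROUTE_PRINT_SAMPLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.10      20
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
        10.20.0.0      255.255.0.0      192.168.1.2   192.168.1.10      10
       10.20.30.0    255.255.255.0      192.168.1.3   192.168.1.10      10
       10.20.30.0    255.255.255.0      192.168.1.4   192.168.1.10      30
      192.168.1.0    255.255.255.0     192.168.1.10   192.168.1.10      20
"""


def parse_route_print(text):
    """Turn the five-column listing into route dicts; header and noise lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue
        dest, mask, gateway, interface, metric = fields
        routes.append({
            "network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": gateway,
            "interface": interface,
            "metric": int(metric),
        })
    return routes


def add_static_route(routes, dest, mask, gateway, interface, metric=1):
    """What ROUTE ADD does: append a manually maintained entry (hypothetical helper)."""
    routes.append({
        "network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
        "gateway": gateway,
        "interface": interface,
        "metric": metric,
    })


def lookup(routes, destination):
    """Pick the route a router would use: longest matching mask first, then lowest metric."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def next_hop(routes, destination):
    """Gateway for a destination, or None when nothing (not even a default route) matches."""
    route = lookup(routes, destination)
    return None if route is None else route["gateway"]


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT_SAMPLE)
    for dst in ("10.20.30.7", "10.20.99.1", "8.8.8.8"):
        print(dst, "->", next_hop(table, dst))
```

Note that the two 10.20.30.0 entries differ only in metric, so the lookup falls back to the metric tie-break only after the mask length has been compared; adding a more specific static route (a /25) overrides both of them for the half of the subnet it covers.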

  10. Routing Protocols • Responsible for • Calculating the best path from one network to another • Advertising routes for dynamic routing • Routing Information Protocol (RIP) • No configuration necessary under most circumstances • Hops • Number of routers through which the data must pass • Distance-vector routing • Path with the least number of hops • A RIP path can be at most 15 hops; a metric of 16 means unreachable

  11. Routing Protocols (Continued) • Does not differentiate between different link speeds (a slow link counts the same as a fast one) • Each RIP router sends its whole routing table every 30 seconds (broadcast in RIP version 1, multicast in RIP version 2) • Open Shortest Path First (OSPF) • Determines the best path from one network to another based on cost • Not normally implemented on Windows routers • Each interface on a router is assigned a cost

  12. Routing Protocols (Continued) • OSPF link-state database • Builds a picture of the entire network, from which each router computes its own routing table • When communicating with other routers • Only sends changes (link-state advertisements), not the whole table • Changes sent only when they occur, not every 30 seconds

  13. Configuring RIP • RIP properties • Can configure the type of events to be logged • Can configure the IP addresses from which the router accepts updates (a filter against unauthorised RIP announcers) • General tab • Periodic update mode sends updates on a schedule and removes entries from the routing table when the router that advertised them stops advertising (the entries expire) • Auto-static update mode adds RIP-learned routes to the routing table as static entries; used on demand-dial interfaces so the link does not have to stay up for periodic updates

  14. Configuring RIP (Continued) • RIP routers • Advertise routes learned from other routers after incrementing the hop count by 1 • RIP properties • Security tab • Allows you to configure which incoming routes are accepted and which outgoing routes are announced on this interface • Neighbors tab • Lists routers to send unicast updates to; used only if broadcasts and multicasts are limited on the network

  15. Configuring RIP (Continued) • Advanced tab • Can adjust how often routing table announcements are sent • Can adjust how long entries in the routing table last before they expire • Can adjust how long after they expire before they are removed from the routing table • Split-horizon processing and poison-reverse processing • Used to prevent routing loops in the case of a router failure • Split horizon: a route is never advertised back out the interface it was learned on • Poison reverse: it is advertised back, but with the unreachable metric of 16
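Why the split-horizon and poison-reverse options matter, shown with an added simulation that is not part of the original slides: three routers exchange RIP-style distance-vector updates, a network disappears, and the rounds until every table agrees the network is gone are counted with and without the loop-prevention options. The topology (A - B - C with one network hanging off C), the network names and the synchronous "round" model (one round standing for one 30-second update period) are assumptions of the example; route expiry timers are not modelled.

```python
"""Distance-vector (RIP-style) routing update simulation.

Added example, not from the slides.  The three-router topology, the network
names and the synchronous "round" model (one round = one 30-second update
period) are assumptions; route expiry timers are not modelled."""

INFINITY = 16  # RIP: a metric of 16 hops means unreachable


class RipRouter:
    def __init__(self, name, connected):
        self.name = name
        # dest -> (next-hop router or None, hop metric); connected networks cost 1
        self.table = {net: (None, 1) for net in connected}
        self.neighbors = []
        self.inbox = []  # (sender, {dest: advertised metric})

    def link(self, other):
        self.neighbors.append(other)
        other.neighbors.append(self)

    def advertise(self, mode):
        """Send the routing table to every neighbor; mode is 'none',
        'split-horizon' or 'poison-reverse'."""
        for nbr in self.neighbors:
            update = {}
            for dest, (next_hop, metric) in self.table.items():
                if next_hop is nbr and mode == "split-horizon":
                    continue  # never advertise a route back to where it came from
                if next_hop is nbr and mode == "poison-reverse":
                    metric = INFINITY  # advertise it back, but as unreachable
                update[dest] = metric
            nbr.inbox.append((self, update))

    def process(self):
        """Bellman-Ford step: a route learned from a neighbor costs one hop more."""
        for sender, update in self.inbox:
            for dest, advertised in update.items():
                metric = min(advertised + 1, INFINITY)
                current = self.table.get(dest)
                if current is None:
                    if metric < INFINITY:
                        self.table[dest] = (sender, metric)
                elif current[0] is sender or metric < current[1]:
                    # the current next hop is always believed, even when the news
                    # is worse; any other router must offer a shorter path
                    self.table[dest] = (sender, metric)
        self.inbox.clear()

    def metric(self, dest):
        return self.table[dest][1] if dest in self.table else INFINITY


def run_until_stable(routers, mode, max_rounds=100):
    """Run update rounds until no table changes; returns how many rounds changed something."""
    for rnd in range(1, max_rounds + 1):
        before = {r.name: dict(r.table) for r in routers}
        for r in routers:
            r.advertise(mode)
        for r in routers:
            r.process()
        if before == {r.name: dict(r.table) for r in routers}:
            return rnd - 1
    return max_rounds


NET = "10.0.3.0/24"  # the network that will disappear (constructed name)


def simulate_link_failure(mode):
    """Chain A - B - C with NET attached to C; converge, then C loses NET.
    Returns (rounds until stable again, final metric for NET on each router)."""
    a = RipRouter("A", ["10.0.1.0/24"])
    b = RipRouter("B", ["10.0.2.0/24"])
    c = RipRouter("C", [NET])
    a.link(b)
    b.link(c)
    routers = [a, b, c]
    run_until_stable(routers, mode)
    assert (a.metric(NET), b.metric(NET), c.metric(NET)) == (3, 2, 1)
    c.table[NET] = (None, INFINITY)  # C's interface to NET goes down
    rounds = run_until_stable(routers, mode)
    return rounds, {r.name: r.metric(NET) for r in routers}


if __name__ == "__main__":
    for mode in ("none", "split-horizon", "poison-reverse"):
        rounds, metrics = simulate_link_failure(mode)
        print(f"{mode:15s} stable after {rounds:2d} rounds; metrics {metrics}")
```

With neither option, A keeps re-advertising the stale route back to B, B to C, and the metric climbs two hops at a time until it hits 16: fourteen rounds, or about seven minutes of 30-second updates, during which B and C forward traffic for the dead network in a loop. With split horizon or poison reverse the stale route is never handed back, and the tables settle in two rounds.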

  16. Security Tab, RIP Interface Properties

  17. Neighbors tab, RIP Interface Properties

  18. Advanced tab, RIP interface properties

  19. Demand-Dial Connections • Used to establish a connection between two routers when there is data to be sent • Demand-dial connections • Used to minimize the amount of phone time used on dial-up connections between routers • Can be used to initiate VPN connections between Windows routers • Can be created for Point-to-Point Protocol over Ethernet (PPPoE) connections • PPPoE • Used by many high-speed Internet providers to control access to their network • Authentication requires username and password

  20. Creating Demand-dial Connections • For demand-dial connection to function properly • Server must be enabled to perform demand-dial routing • Port must be configured to allow demand-dial routing • Demand-dial interface must be created • Demand-dial Interface Wizard • Creates demand-dial connections

  21. Enabling demand-dial routing

  22. Configuring a Port for Demand-dial Routing

  23. Interface Name, Demand-Dial Interface Wizard

  24. Demand-dial Interface Properties • Can be used to configure • Security settings • Idle timeout • Options tab • If “Persistent connection” is chosen, the link is brought up whenever RRAS is running and is not dropped for inactivity • If “Demand dial” is chosen, you can set an idle timeout after which the link is dropped • Security tab • Provides the standard authentication and encryption options available on a VPN connection

  25. Options tab, demand-dial interface properties

  26. Dial-out Hours • Controls when a demand-dial connection can be active • Typical configuration of dial-out hours • Allows a connection every few hours • Data is moved from one network to another in batches every few hours • If users are expected to access resources using the demand-dial connection at all times • Dial-out hours should be left at the default of 24 hours per day, seven days per week

  27. Dial-out Hours (Continued)

  28. Demand-dial Filters • Used to reduce amount of time a demand-dial connection is active • Control which types of network traffic trigger a demand-dial connection • Configuration is similar to a firewall rule • Can initiate a demand-dial connection • For specific traffic • For all traffic except that specified by a rule

  29. Demand-dial filters (Continued)

  30. Adding a demand-dial filter

  31. Network Address Translation (NAT) • Uses a single public (Internet) IP address to provide Internet access to all client computers • Included with Windows Server 2003 • Private address ranges reserved for internal use (RFC 1918), never routed on the Internet • 10.0.0.0 through 10.255.255.255 • 172.16.0.0 through 172.31.255.255 • 192.168.0.0 through 192.168.255.255

  32. Network Address Translation (Continued) • Proxy server • If implemented, clients must be configured to use the proxy server • Provides caching to speed up Internet connectivity • Most implementations are FTP aware and translate FTP packets properly

  33. How NAT Works • Modifies the IP headers of packets that are forwarded through the router • Builds a table to keep track of translations • Each table entry lists • Original source IP address • Original source port number • New source port number • The new source IP address is always the address of the router's external interface, so it does not need to be stored in the table

  34. Outgoing request through NAT

  35. Incoming response through NAT

  36. Installing NAT • NAT protocol • Automatically installed when RRAS is configured to be a router • NAT interface properties • For proper NAT functionality • One interface must be configured as the public interface • At least one interface must be configured as a private interface • Basic firewall • Drops unsolicited inbound traffic on the public interface; static inbound and outbound packet filters can be configured from the same tab

  37. Installing NAT (Continued) • Services and Ports tab • Allows you to host services behind NAT but still allow access from the Internet (static port mappings from the public address to an internal server) • ICMP tab • Dictates the types of ICMP packets the interface responds to • Address Pool tab • Defines the range of public IP addresses assigned by the ISP that NAT can translate to, and lets you reserve a public address for a specific internal computer (addresses for client computers are configured on the Address Assignment tab)

  38. NAT/Basic Firewall tab, NAT interface properties

  39. Configuring NAT • NAT/Basic Firewall – Properties • General tab • Controls the level of logging that is performed • Translation tab • Configures how long TCP and UDP mappings are kept in the NAT table after their last use • Address Assignment tab • Can configure NAT to act as a DHCP server (DHCP allocator) for internal clients • Name Resolution tab • Configures the NAT router to act as a DNS proxy • Settings on this tab need not be enabled if internal DNS servers exist
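The translation table from slides 33 to 35, with the Services and Ports mappings and the Translation-tab timeouts added, as an added example that is not part of the original slides and not Microsoft's implementation. Addresses, ports and packets are constructed; the port-allocation policy (hand out 1025 upward) and the timeout values are assumptions of the example, and, stricter than the slide's table, a reply is only forwarded when it comes from the host the inside client actually contacted.

```python
"""Port-translating NAT (NAPT) table with static service mappings and idle timeouts.

Added example, not from the slides.  All addresses, ports and timeouts are
constructed; the port allocation policy is an assumption of the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """NAT on a router with one public address (the external interface)."""

    def __init__(self, public_ip, tcp_timeout=24 * 3600, udp_timeout=60):
        self.public_ip = public_ip
        self.timeouts = {"tcp": tcp_timeout, "udp": udp_timeout}  # seconds; Translation tab
        # dynamic entries: (proto, public port) ->
        #   [private ip, private port, remote ip, remote port, last seen]
        self.table = {}
        # static entries (Services and Ports tab): (proto, public port) -> (private ip, port)
        self.services = {}
        self.next_port = 1025  # assumed allocation policy

    def add_service(self, proto, public_port, private_ip, private_port):
        self.services[(proto, public_port)] = (private_ip, private_port)

    def _find_mapping(self, pkt):
        for (proto, pub_port), entry in self.table.items():
            if proto == pkt.proto and entry[:4] == [pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port]:
                return pub_port
        return None

    def _allocate_port(self, proto):
        while (proto, self.next_port) in self.table or (proto, self.next_port) in self.services:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def expire(self, now):
        """Drop mappings idle longer than the protocol's timeout."""
        for key in [k for k, e in self.table.items() if now - e[4] > self.timeouts[k[0]]]:
            del self.table[key]

    def outbound(self, pkt, now):
        """Private host -> Internet: rewrite the source to the public address and a new port."""
        self.expire(now)
        pub_port = self._find_mapping(pkt)
        if pub_port is None:
            pub_port = self._allocate_port(pkt.proto)
            self.table[(pkt.proto, pub_port)] = [pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, now]
        self.table[(pkt.proto, pub_port)][4] = now
        return Packet(pkt.proto, self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt, now):
        """Internet -> public address: forward via a mapping, or drop (return None)."""
        self.expire(now)
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        if key in self.services:  # published service: always reachable
            ip, port = self.services[key]
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, ip, port)
        entry = self.table.get(key)
        if entry is None or entry[2:4] != [pkt.src_ip, pkt.src_port]:
            return None  # unsolicited, or not from the host the client contacted
        entry[4] = now
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, entry[0], entry[1])


if __name__ == "__main__":
    nat = NatRouter("203.0.113.10")
    nat.add_service("tcp", 80, "192.168.0.5", 8080)
    out = nat.outbound(Packet("tcp", "192.168.0.2", 3000, "198.51.100.7", 80), now=0)
    print("outgoing:", out)
    print("reply:", nat.inbound(Packet("tcp", "198.51.100.7", 80, "203.0.113.10", out.src_port), now=5))
    print("probe:", nat.inbound(Packet("tcp", "192.0.2.9", 4444, "203.0.113.10", 4444), now=5))
```

Two clients using the same source port get different public ports, which is why the table must record the new port and not just the address. The short UDP timeout is the security-relevant knob: a mapping is effectively an open inbound port for as long as it lives, so a long UDP timeout keeps ports open to the remote host well after a lookup has finished.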

  40. Translation Tab, NAT/Basic Firewall Properties

  41. Name Resolution Tab, NAT/Basic Firewall Properties

  42. Internet Connection Sharing (ICS) • Provides an automated way for a small office to connect to the Internet using Windows Server 2003 as a router • Automatically performs NAT • Configures the network connections • Because NAT is used, the server must have at least two connections: two network cards, or one network card plus the dial-up, VPN, or PPPoE connection being shared • The configuration used by ICS cannot be changed; use RRAS NAT when the fixed settings do not fit

  43. Internet Connection Sharing (Continued) • The following changes are made • Internal network connection is configured with • IP address 192.168.0.1 • Subnet mask 255.255.255.0 • Autodial enabled for dial-up/VPN/PPPoE connections • Static route for the default gateway enabled when the dial-up/VPN/PPPoE connection is activated • The ICS service is started • DHCP allocator is configured to distribute IP addresses from 192.168.0.2 to 192.168.0.254 • The DNS proxy is enabled

  44. Enabling ICS

  45. Internet Connection Sharing (Continued) • The ICS server can have only one internal network connection • Network bridging • Allows several interfaces to share a single IP address • Bridge • Forwards traffic between segments based on MAC addresses • Allows computers on two different physical network segments to be on the same IP network • When network bridging is enabled • Choose multiple network cards in the server to act as a single IP network

  46. Internet Connection Firewall • A stateful packet filter that can be used to protect any server running Windows Server 2003 • Stateful firewall • Requires only one rule for outbound traffic (everything outbound is allowed) • Keeps a table of the connections created by internal clients • Automatically allows the response packets for those connections to return • Drops inbound packets that match no tracked connection and no configured service

  47. Internet Connection Firewall (Continued) • Enabling ICF • ICF is configured per connection • If ICF enabled on a server that is not a router • Only that server is protected • If ICF enabled on a router • All computers on internal network are protected

  48. Enabling ICF

  49. Configuring ICF • When ICF is enabled • All unsolicited inbound packets addressed to the server are dropped; responses to connections the server initiated still pass • Configuring services • Allows requests from the network to reach the listed services on the server running ICF • The services defined are the inbound firewall rules for ICF
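The filter logic behind slide 28 (demand-dial filters: dial for the listed traffic only, or for everything except the listed traffic) and slides 46 to 49 (ICF: one implicit allow for outbound, replies to tracked connections pass, all other inbound dropped unless a service rule opens it), as an added example that is not part of the original slides and not Microsoft's code. The `Rule` wildcard matching, the packets and the addresses are constructed for the example; connection expiry is left out.

```python
"""Demand-dial filter and ICF-style stateful filter, side by side.

Added example, not from the slides.  Rule matching, packets and addresses
are constructed; tracked connections never expire in this model."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """One filter rule; a field left as None matches anything (a wildcard)."""
    proto: str = None
    src_ip: str = None
    src_port: int = None
    dst_ip: str = None
    dst_port: int = None

    def matches(self, pkt):
        pairs = ((self.proto, pkt.proto), (self.src_ip, pkt.src_ip), (self.src_port, pkt.src_port),
                 (self.dst_ip, pkt.dst_ip), (self.dst_port, pkt.dst_port))
        return all(want is None or want == got for want, got in pairs)


class DemandDialFilter:
    """Decides whether a packet is allowed to bring up the demand-dial link."""

    def __init__(self, rules, only_listed=True):
        self.rules = list(rules)
        # True: dial only for traffic a rule lists; False: dial for all traffic except listed
        self.only_listed = only_listed

    def triggers_dial(self, pkt):
        hit = any(r.matches(pkt) for r in self.rules)
        return hit if self.only_listed else not hit


class StatefulFirewall:
    """ICF model: everything outbound is allowed and recorded; inbound passes only
    as a reply to a recorded connection or when a service rule opens it."""

    def __init__(self, services=()):
        self.services = list(services)  # inbound rules from the Services tab
        self.state = set()  # (proto, local ip, local port, remote ip, remote port)

    def outbound(self, pkt):
        self.state.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return True  # the single outbound rule

    def inbound(self, pkt):
        if (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.state:
            return True  # response to a connection an inside host created
        if any(r.matches(pkt) for r in self.services):
            return True  # explicitly published service
        return False  # unsolicited: dropped


if __name__ == "__main__":
    fw = StatefulFirewall(services=[Rule(proto="tcp", dst_port=80)])
    print("probe before any outbound:",
          fw.inbound(Packet("tcp", "198.51.100.7", 80, "203.0.113.10", 1025)))
    fw.outbound(Packet("tcp", "203.0.113.10", 1025, "198.51.100.7", 80))
    print("reply after outbound:",
          fw.inbound(Packet("tcp", "198.51.100.7", 80, "203.0.113.10", 1025)))
    dd = DemandDialFilter([Rule(proto="udp", dst_port=137)], only_listed=False)
    print("NetBIOS name query dials the link:",
          dd.triggers_dial(Packet("udp", "10.0.0.5", 137, "10.0.1.9", 137)))
```

The same `Rule` serves both: for demand-dial it decides whether traffic is worth paying for a call, for ICF it decides which unsolicited inbound requests are accepted. Chatty broadcast protocols such as NetBIOS name queries are the usual reason a demand-dial link never goes idle, so the "all except listed" mode is typically loaded with those.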

  50. Services Defined for ICF and ICS
