Allied Telesis AR440S Network Card User Manual


 
Headquarters
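# FIREWALL configuration
# NOTE(review): in the source listing several "add"/"set" commands appear to
# have been wrapped onto two lines by the page layout (the continuation lines
# began with ip=, gblip= or rem=). Each command is shown rejoined on one line
# here so the listing can be pasted into a script without losing the trailing
# parameters (gblp=, enc=ips, the remote range) that carry the security intent.
enable firewall
create firewall policy=hq
# icmp_f=all forwards every ICMP type through the policy, on the public side
# as well as the private ones. If the public interface only needs ping and
# the unreachable/too-big messages that path-MTU discovery relies on, check
# the icmp_forwarding options available on this release for a narrower setting.
enable firewall policy=hq icmp_f=all
# Define a firewall dynamic definition to work with dynamic
# interfaces. This provides for the dynamic PPP/L2TP interfaces that
# incoming Windows VPN connections use.
create firewall policy=hq dy=roaming
# user=any attaches every VPN user to the roaming definition, so the firewall
# itself does no per-user gating: whoever passes the L2TP/IPsec authentication
# lands on a private interface. A leaked roaming credential therefore gets the
# same reach as the trusted interface below grants.
add firewall policy=hq dy=roaming user=any
# Specify the private and public interfaces. The roaming interface is
# private - you can trust it because it comes from an authenticated
# Windows VPN connection.
# NOTE(review): dyn-roaming and vlan1 are both type=private, and no rule below
# restricts traffic between them, so roaming clients presumably reach the LAN
# with the same freedom as LAN hosts do. Confirm the firewall's default for
# private-to-private traffic on this release and add restricting rules if the
# roaming population should not see the whole headquarters LAN.
add firewall policy=hq int=dyn-roaming type=private
add firewall policy=hq int=vlan1 type=private
add firewall policy=hq int=eth0 type=public
# Create a NAT definition for traffic from the headquarters LAN to
# use when accessing the Internet.
add firewall poli=hq nat=enhanced int=vlan1 gblin=eth0
# Create another NAT definition for roaming VPN clients to use when
# accessing the Internet via the headquarters router. Roaming clients thus
# exit to the Internet from 200.200.200.1, the same address as the LAN.
add firewall poli=hq nat=enhanced int=dyn-roaming gblin=eth0
# Create a rule to allow incoming ISAKMP negotiation to pass through
# the firewall. The rule carries no remote-address restriction - roaming
# clients come from anywhere, so none is possible here - which means the
# exposure of UDP 500 is bounded only by the IKE peer authentication
# configured in the IPsec/ISAKMP section, not by this firewall rule.
add firewall poli=hq ru=1 ac=allo int=eth0 prot=udp po=500 ip=200.200.200.1 gblip=200.200.200.1 gblp=500
# Create a rule to support NAT-T. If there is a NAT gateway in the
# VPN path, NAT-T "port floats" IKE to port 4500, and also
# encapsulates IPsec inside the same port. Same caveat as rule 1: any
# source may reach UDP 4500.
add firewall poli=hq ru=2 ac=allo int=eth0 prot=udp po=4500 ip=200.200.200.1 gblip=200.200.200.1 gblp=4500
# Create a rule for the roaming VPN clients. Windows uses L2TP (port
# 1701) inside IPsec. This rule allows traffic that comes from IPsec
# and uses port 1701. The enc=ips qualifier is what keeps plaintext L2TP
# arriving on eth0 out of the firewall; do not remove it to "make a client
# work" - a client that needs it is not running IPsec.
add firewall poli=hq ru=3 ac=allo int=eth0 prot=udp po=1701 ip=200.200.200.1 gblip=200.200.200.1 gblp=1701 enc=ips
# Create a pair of rules to allow office-to-office payload traffic to
# pass through the firewall without applying NAT.
# The rule for the public interface uses encapsulation=ipsec to
# identify incoming VPN traffic. Note that it matches prot=all with no
# address filtering of its own: any peer that completes IKE with this router
# gets un-NATed passage for every protocol. The per-peer restriction, if one
# is wanted, has to live in the IPsec policy (peer addresses / identities),
# because this rule does not provide it.
add firewall poli=hq ru=4 ac=non int=eth0 prot=all enc=ips
# The rule for the private interface uses both source and destination
# addresses to identify outgoing VPN traffic: local hosts in
# 192.168.140.1-192.168.140.254 talking to the branch ranges set below.
add firewall poli=hq ru=5 ac=non int=vlan1 prot=all ip=192.168.140.1-192.168.140.254
# Remote side of rule 5. The single range 192.168.141.0-192.168.144.254
# spans all branch subnets; widen or split it when branches are added or
# renumbered, otherwise the new branch's traffic falls through to the NAT
# definition on vlan1 and leaves the router unencrypted via eth0.
set firewall poli=hq ru=5 rem=192.168.141.0-192.168.144.254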