With the rapid development of network technology, there are more and more ways for the local area networks of enterprises and institutions to access shared INTERNET resources. For most of them, the DDN dedicated line has become a widely adopted way because of its stable performance and good expansibility. A DDN connection is simple in its hardware requirements, needing only a router and a proxy server. However, the configuration of the system is a thorny problem for many network managers. Taking a CISCO router as an example, the author introduces several successful configuration methods for reference:
I. configuration of accessing INTERNET resources directly through the router
1. General idea and equipment connection method
In general, the local area network within the organization uses the address ranges reserved for private use on the INTERNET:
10.0.0.0/8: 10.0.0.0 - 10.255.255.255
172.16.0.0/12: 172.16.0.0 - 172.31.255.255
192.168.0.0/16: 192.168.0.0 - 192.168.255.255
Under normal circumstances, when a workstation within the unit is routed directly to the outside world, its traffic is filtered out by routers because the workstation uses a reserved address, so it cannot access Internet resources. The solution is to use the NAT (Network Address Translation) function provided by the router operating system to convert the private addresses of the intranet into legal addresses on the Internet, so that users who do not have a legal IP address can access the external Internet through NAT. This has the advantage of eliminating the need for a proxy server, reducing investment, saving legal IP addresses, and improving the security of the internal network.
There are two types of NAT: single mode and global mode.
In NAT's single mode, as the name suggests, a large number of local LAN hosts are mapped to a single Internet address. To the external Internet, all hosts in the local area network appear as one Internet user. Hosts on the local LAN continue to use local addresses.
In NAT's global mode, the router interface maps a large number of local LAN hosts to a range of Internet addresses (an IP address pool). When a local host connects to a host on the Internet, an IP address from the pool is automatically assigned to the local host. After the connection is closed, the dynamically assigned IP address is released and can be used by other local hosts.
Below, taking the network environment of our unit as an example, the configuration method and process are listed for your reference.
Our unit uses China Unicom optical cable (V.35) to access INTERNET, the router is CISCO2610, and the local area network uses INTEL550 100-megabit switch. Unicom has provided us with the following four IP addresses:
211.90.137.25 (255.255.255.252) for the WAN port of the local router
211.90.137.26 (255.255.255.252) for the port of the other party (China Unicom)
211.90.139.41 (255.255.255.252) at your disposal
211.90.139.42 (255.255.255.252) at your disposal
2. Router configuration
(1) schematic diagram of network connection:
Description: all the workstations in the school are connected to the switch, and the router is connected to the same internal switch through its Ethernet port. The Ethernet port on the router uses an internal private address, and two valid IP addresses assigned by Unicom are used at the two ends of the optical fiber. In this connection mode, once NAT is set on the router, all workstations within the unit can access the INTERNET. Each workstation only needs its gateway pointed at the Ethernet port of the router (192.168.0.3), with no proxy to set up, and two valid IP addresses are saved for the unit's own use (such as setting up the unit's own WEB and E-MAIL servers). It also has a disadvantage: the workstations cannot use the CACHE service that a proxy server provides to improve access speed. This configuration scheme is therefore suitable for units with a small number of workstations; the two methods described later can be used where there are many workstations. The specific configuration on the router is as follows:
(2) Router configuration
en
config t
ip nat pool c2610 211.90.139.41 211.90.139.42 netmask 255.255.255.252
(define an address pool c2610 that contains two free legal IP addresses for NAT translation)
int e0/0
ip address 192.168.0.3 255.255.255.0
ip nat inside
exit
(set the IP address of the Ethernet port and set it as the port to connect to the intranet)
interface s0/0
ip address 211.90.137.25 255.255.255.252
ip nat outside
exit
(set the IP address of the WAN port and set it as the port to connect to the extranet)
ip route 0.0.0.0 0.0.0.0 211.90.137.26
(set a static default route to the China Unicom end of the link)
access-list 2 permit 192.168.0.0 0.0.0.255
(create the access control list that selects the intranet addresses to be translated)
! Dynamic NAT
!
ip nat inside source list 2 pool c2610 overload
(create dynamic address translation)
line console 0
exec-timeout 0 0
(disable the idle timeout on the console line)
!
line vty 0 4
end
wr
(save settings)
3. Configuration of workstation
The workstation must use a static IP address. In the TCP/IP properties, set the gateway to 192.168.0.3 (the router's Ethernet IP address) and set DNS to the address provided by the access provider. There is no need to make any special settings in browsers and other Internet tools.
II. Configuration of accessing INTERNET resources through proxy server
1. General idea and equipment connection method
The advantage of using a proxy server to access INTERNET resources is that the CACHE service provided by the proxy server improves the speed and efficiency of INTERNET access. It is better suited to units with more workstations. The disadvantage is that it needs a dedicated computer as the proxy server, which increases the investment cost, and it occupies two more legal IP addresses than the first method, so the network security is not high.
Using this scheme to access the Internet, the device connection method is as follows:
Two network cards are installed on the proxy server. One connects to the intranet and is given an internal private address; the other connects to the router Ethernet port, is given the legal address assigned by Unicom (211.90.139.42), and has its gateway set to 211.90.139.41 (router Ethernet port).
The router Ethernet port is also given a legal IP address assigned by Unicom (211.90.139.41).
After the devices are connected in this way, install the proxy software on the proxy server and set up the proxy on the workstations to access the INTERNET.
2. Router configuration
(1) schematic diagram of network connection:
Description: in the above figure, all computers in the unit communicate directly with the intranet card (192.168.0.4) on the proxy server through the switch, and then access the INTERNET through the router under the control of the proxy service software.
(2) Router configuration
en
config t
int e0/0
ip address 211.90.139.41 255.255.255.252
exit
(set the IP address of the Ethernet port)
interface s0/0
ip address 211.90.137.25 255.255.255.252
exit
(set the IP address of the WAN port)
ip route 0.0.0.0 0.0.0.0 211.90.137.26
ip routing
(set a static default route to the China Unicom end of the link and activate routing)
end
wr
(save settings)
3. Settings of proxy server
The proxy server must have two network cards installed. One connects to the internal local area network and is given an internal private address (for example: 192.168.0.4 netmask 255.255.255.0) with no gateway set. The other connects to the router and is given the legal address assigned by Unicom (211.90.139.42 netmask 255.255.255.252), with its gateway set to 211.90.139.41 (router Ethernet port).
After setting up the network cards as above, install a proxy software package (for example, MS PROXY SERVER 2.0, WINGATE, etc.; please refer to other materials for installation and debugging of the proxy software).
4. Setting up the workstation
(1) INTERNET EXPLORER setting
Tools menu -> Internet Options -> Connections -> LAN Settings -> Use a proxy server -> Address: 192.168.0.4, Port: 80 -> OK
(2) for other software settings, please refer to the software description.
III. Configuration of the coexistence of direct access and proxy access
1. General idea and equipment connection method
Either of the two methods described above gives smooth access to the INTERNET, but each has both advantages and disadvantages, and the advantages of the two are complementary: neither method on its own can offer both sets of advantages. Method three is a solution that gets the best of both. It integrates the advantages of methods one and two, which not only saves IP addresses but also improves the efficiency of INTERNET access through the CACHE provided by the proxy server.
Using this scheme to access the Internet, the device connection method is as follows:
Two network cards are installed on the proxy server, and both network cards are connected to the switch. Both network cards are given internal private addresses, but the two addresses must not belong to the same network (that is, the network parts of the IP addresses differ). One is used to communicate with the internal network (network card 1), and the other is used to communicate with the router (network card 2); otherwise the proxy cannot work.
Do not install the NETBEUI protocol on the proxy server; install only the TCP/IP protocol. (Note: this step must be done. Otherwise the redundant connections between the proxy server and the switch cause NETBIOS computer name conflicts on the proxy server, which affect normal communication.)
The router Ethernet port is also given an internal private address, on the same network as the address of network card 2 (that is, the network part of its IP address is the same as that of network card 2).
2. Router settings
(1) schematic diagram of network connection
(2) Router configuration
en
config t
ip nat pool c2610 211.90.139.41 211.90.139.42 netmask 255.255.255.252
(define an address pool c2610 that contains two free legal IP addresses for NAT translation)
int e0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
exit
(set the IP address of the Ethernet port and set it as the port to connect to the intranet)
interface s0/0
ip address 211.90.137.25 255.255.255.252
ip nat outside
exit
(set the IP address of the WAN port and set it as the port to connect to the extranet)
ip route 0.0.0.0 0.0.0.0 211.90.137.26
(set a static default route to the China Unicom end of the link)
access-list 2 permit 192.168.1.0 0.0.0.255
(create the access control list; it has to permit the 192.168.1.0 network of the router Ethernet port, because only sources matched by this list are translated)
! Dynamic NAT
!
ip nat inside source list 2 pool c2610 overload
(create dynamic address translation)
line console 0
exec-timeout 0 0
(disable the idle timeout on the console line)
!
line vty 0 4
end
wr
(save settings)
3. Settings of proxy server
Two network cards are installed on the proxy server, and both network cards are connected to the switch. Network card 1 is given the IP address 192.168.0.4 with no gateway; network card 2 is given the IP address 192.168.1.2 with its gateway set to 192.168.1.1 (router Ethernet port).
After setting up the network cards as above, install a proxy software package (for example, MS PROXY SERVER 2.0, WINGATE, etc.; please refer to other materials for installation and debugging of the proxy software).
Note: when installing the proxy software (taking MS-PROXY 2.0 as an example) and specifying the LAT table, the address range 192.168.0.0-192.168.255.255 should be excluded, otherwise the proxy will not work properly.
4. Setting up the workstation
In this configuration, workstations can reach the Internet either by setting the proxy or directly by setting the gateway.
If you only access the Internet through the proxy, the setting method is exactly the same as that of method 2.
If you only access the Internet through the gateway, the workstation must be given a static IP address of the form 192.168.1.X, on the same network segment as the Ethernet port of the router. Set the gateway to 192.168.1.1 and set DNS to the address provided by the access provider.
If you want the two methods to coexist, you need to set two static IP addresses in TCP/IP, 192.168.0.X and 192.168.1.X, set the gateway to 192.168.1.1, and set DNS to the address provided by the access provider. In use, you only need to turn the proxy settings in the browser and other software on or off to switch between the proxy and the gateway.
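In methods one and three the router translates only the sources that access list 2 permits, so that list has to cover the subnet of every `ip nat inside` interface, or hosts using the router as gateway are forwarded untranslated. A check for this, as an added example that is not part of the original article; the sample configs are constructed from the article's addresses, the function names are hypothetical, and contiguous wildcard masks are assumed:

```python
import ipaddress
import re

def wildcard_net(addr, wild):
    """Turn an IOS address + contiguous wildcard mask into a network."""
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wild)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit_nat(config):
    """Map each 'ip nat inside' interface to True if the NAT source list permits its subnet."""
    inside, acls, nat_lists = {}, {}, []
    iface = addr = None
    for raw in config.splitlines():
        line = raw.strip().lower()
        if m := re.match(r"int(?:erface)?\s+(\S+)$", line):
            iface, addr = m.group(1), None          # new interface context
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            addr = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif line == "ip nat inside" and iface and addr:
            inside[iface] = addr
        elif m := re.match(r"access-list (\d+) permit (\S+) (\S+)$", line):
            acls.setdefault(m.group(1), []).append(wildcard_net(m.group(2), m.group(3)))
        elif m := re.match(r"ip nat inside source list (\d+) ", line):
            nat_lists.append(m.group(1))
    # Networks permitted by any ACL that a NAT rule actually references.
    permitted = [net for n in nat_lists for net in acls.get(n, [])]
    return {name: any(net.subnet_of(p) for p in permitted)
            for name, net in inside.items()}

# Constructed sample configs (addresses taken from the article's examples).
TEMPLATE = """
ip nat pool c2610 211.90.139.41 211.90.139.42 netmask 255.255.255.252
int e0/0
 ip address {inside} 255.255.255.0
 ip nat inside
 exit
interface s0/0
 ip address 211.90.137.25 255.255.255.252
 ip nat outside
 exit
access-list 2 permit {acl} 0.0.0.255
ip nat inside source list 2 pool c2610 overload
"""
MATCHING = TEMPLATE.format(inside="192.168.0.3", acl="192.168.0.1")
MISMATCHED = TEMPLATE.format(inside="192.168.1.1", acl="192.168.0.1")

if __name__ == "__main__":
    print(audit_nat(MATCHING))
    print(audit_nat(MISMATCHED))
```

An interface reported as False is one whose hosts would leave the WAN port with their private source addresses.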