2025-04-12 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
Firewall model: Hillstone M3108
The company's production network used to be a separate, isolated local area network. Now we need to connect remotely from the office network to one operating station in the production network in order to monitor the production process. After internal discussion and communication with the manufacturer, to save cost we decided to join the two networks with a firewall and use Remote Desktop (the remotely accessed operating station is set up so that it cannot be modified). I have organized the configuration into notes to share with everyone.

Generally speaking, three steps are needed. The first step is to configure the firewall itself. The second step is to configure the operating station and set its gateway; the gateway address is the address of the firewall port connected to the production network. Each operating station in our production network has no gateway of its own, because the stations use a redundant setup with two network cards and two network cables. The third step is to configure a route on the core switch so that the office network can reach the production network. For the sake of security, only one particular operating station may be accessed. The detailed configuration follows.

1. Firewall configuration. The firewall configuration is shown in the figure above. Since only some computers in the office network are allowed one-way access to one particular operating station (the industrial control computer), a single policy is enough. Pay attention to the keywords "some", "one-way" and "one particular station".

The two security zones correspond to the two ports on the firewall: "office" corresponds to the office network and "mcs" to the production network. Two address books are used: the address book in the source address holds the IPs that are allowed to connect remotely to the operating station, and the address book in the destination address holds the IP of the one particular operating station (industrial computer). There are only two services (ports): RDP (TCP port 3389), which is used by the remote connection command MSTSC, and PING, which is there for maintenance convenience. In other words, only these two services are allowed and all other services are denied. That is for security, but in fact it is still not very safe: MSTSC has very large authority and can completely control the other computer, so the permissions on the operating station's system have to be modified so that it can only be viewed and not changed; then the remote desktop is nothing to fear. The names of the security zones, address books and service books are custom and chosen to be easy to manage.

2. Gateway. The gateway of the operating station to be accessed is set to the address of the firewall port that corresponds to the mcs zone. The operating stations in our production network do not otherwise have gateways configured, because of the dual-network-card, dual-cable redundancy.

3. Core switch routing. Add the following route to the core switch (we use a Cisco 6509):

ip route <operating station IP> 255.255.255.255 <address of the firewall port in the office zone>

When an office computer accesses the operating station, this route tells it the path: to reach the operating station IP, first go to the firewall port in the office zone. Special circumstances: there is a dedicated line between the group and the subsidiary, there is also a route between the router and the subsidiary's core, and the subsidiary's office network is connected to its production network through a firewall. If a computer at the group wants to access it, several more routes are needed than for a connection on the local port: start from the group's core, work together with the tracert command, and go on layer by layer until the address of the operating station you want to reach is found.
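As an added worked example (my own Python model, not a Hillstone or Cisco configuration, with constructed placeholder addresses and the zone, address-book and service-book names taken from the notes above), the following checks a flow against the layers described in the three steps: the /32 host route on the core switch and the single one-way zone policy with its two service-book entries. Anything outside those falls to the implicit deny.

```python
import ipaddress

# Constructed sample addresses (placeholders, not the site's real ones).
ZONES = {"office": ipaddress.ip_network("192.168.1.0/24"),   # firewall zone "office"
         "mcs": ipaddress.ip_network("10.20.0.0/24")}        # firewall zone "mcs"
STATION_IP = ipaddress.ip_address("10.20.0.15")              # the one reachable operating station
FW_OFFICE_PORT = ipaddress.ip_address("192.168.1.254")       # firewall port in the office zone
# Source address book: only these office PCs may open a remote session.
OFFICE_ALLOWED = {ipaddress.ip_address("192.168.1.10"), ipaddress.ip_address("192.168.1.11")}
# Service book: RDP (TCP 3389) for MSTSC and PING (ICMP) for maintenance; nothing else.
SERVICES = {("tcp", 3389), ("icmp", None)}
# Core switch static routes as (prefix, next hop). Mirrors the single host route
# "ip route <station IP> 255.255.255.255 <firewall office-zone port>"; no route
# covers the rest of the production network, so other stations are unreachable.
CORE_ROUTES = [(ZONES["office"], None),                        # directly connected
               (ipaddress.ip_network(f"{STATION_IP}/32"), FW_OFFICE_PORT)]


def core_next_hop(dst):
    """Longest-prefix match on the core switch; None when no route exists."""
    matches = [(net, nh) for net, nh in CORE_ROUTES if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def zone_of(ip):
    """Zone the firewall assigns to an address, or None if it is in neither zone."""
    return next((name for name, net in ZONES.items() if ip in net), None)


def firewall_permits(src, dst, proto, dport=None):
    """The single one-way rule: office -> mcs, listed sources -> the one station,
    RDP or PING only. Everything not matched falls through to the implicit deny."""
    if zone_of(src) != "office" or zone_of(dst) != "mcs":
        return False              # sessions started from the production side never match
    if src not in OFFICE_ALLOWED or dst != STATION_IP:
        return False
    return (proto, dport) in SERVICES


def office_can_reach(src, dst, proto, dport=None):
    """End-to-end check from an office PC: the core must hand the packet to the
    firewall's office-zone port, and the firewall rule must then permit it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if core_next_hop(dst) != FW_OFFICE_PORT:
        return "no route on core switch"
    if not firewall_permits(src, dst, proto, dport):
        return "denied by firewall"
    return "permitted"
```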