Firewall Model Hillstone M3108
Previously the company's production network was a separate LAN. Now there is a requirement to connect from the office network to a remote operator station on the production network in order to monitor the production process. After internal discussion and communication with the vendors, and in order to save costs, we used a firewall to join the two networks, with access implemented through Remote Desktop (the remote connection to the operator station is configured so that nothing can be modified). The configuration is written up below as notes for everyone to share.
In general, three steps are required:
The first step is to configure the firewall itself: port addresses, policy, default route, and so on.
The second step is to configure the operator station, that is, set its gateway. The gateway address is the address of the firewall port that is connected to the production network. None of the operator stations on our production network had a gateway set before, because they use two NICs and two network cables for redundancy.
The third step is to configure a route on the core switch so that the office network can reach the production network. For security, we only allow access to a single operator station.
The detailed configuration follows.
1. Firewall configuration
As shown in the figure above, because only part of the computers on the office network access a single operator station (industrial PC), only one policy is set on the firewall. Note the keywords "part", "one-way", and "single".
Two security zones correspond to the two ports on the firewall: Office corresponds to the office network, MCS corresponds to the production network.
Two address-book entries: the entry used as the source address holds the IPs of the office computers allowed to make the remote connection; the entry used as the destination address holds the IP of "a single" operator station (industrial PC).
One service book containing only two services (ports): RDP (port 3389), which the remote connection command MSTSC uses, and ping, kept for convenience. In other words, only these two services are allowed and everything else is denied, for security. In fact this alone is not very safe: MSTSC grants very broad permissions and can fully control the other computer, so the operator station's system permissions were modified so that the remote user can only view and cannot change anything. With that in place, Remote Desktop access is not a concern.
The names of the security zones, address-book entries, and service book are chosen freely to make management easier.
2. Operator station: configure the gateway
The gateway of the operator station to be accessed is set to the address of the firewall port corresponding to the MCS zone. The other operator stations on our production network have no gateway set, because they use dual NICs with dual cables for redundancy.
3. Core switch: configure routing
The following host route (255.255.255.255 mask, i.e. /32) is added to the core switch (we use a Cisco 6509):
ip route <operator station IP> 255.255.255.255 <firewall Office-zone port address>
When an office computer accesses the operator station, this route tells it the path: to reach the operator station IP, first go to the firewall's Office-zone port address.
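To make the three steps concrete, the following is an added example (not code from the original post or from Hillstone): a small Python model of the core-switch host route, the firewall's zones, address book, service book and single one-way policy, and the operator station's gateway. It walks sample flows through all three stages and shows where anything other than RDP or ping from the allowed office range to the single station is stopped. All addresses, zone names and object names are constructed assumptions; the post does not give the real values.

```python
"""Added example (not from the original post): a model of the three steps
(core-switch host route, firewall policy, operator-station gateway) showing
why only one office range can reach one operator station over RDP and ping.
All addresses, zone names and object names are constructed assumptions."""
import ipaddress

# Constructed addressing (assumed for illustration)
OFFICE_NET = ipaddress.ip_network("10.1.0.0/16")        # Office zone
MCS_NET = ipaddress.ip_network("192.168.10.0/24")       # MCS (production) zone
FW_OFFICE_IF = ipaddress.ip_address("10.1.255.1")       # firewall port in Office zone
FW_MCS_IF = ipaddress.ip_address("192.168.10.1")        # firewall port in MCS zone
STATION = ipaddress.ip_address("192.168.10.50")         # the single operator station
OTHER_STATION = ipaddress.ip_address("192.168.10.51")   # any other production host

# Step 3: core switch routing table, i.e. the effect of
# "ip route 192.168.10.50 255.255.255.255 10.1.255.1" plus the connected office net.
CORE_ROUTES = [
    (OFFICE_NET, None),                                 # directly connected
    (ipaddress.ip_network("192.168.10.50/32"), FW_OFFICE_IF),
]

def core_next_hop(dst):
    """Longest-prefix match. Returns the next hop, 'connected', or None (no route)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, nh in CORE_ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        return None
    return "connected" if best[1] is None else best[1]

# Step 1: firewall objects. Two zones, two address-book entries, one service book
# with two services, and a single one-way permit rule; everything else is denied.
ZONES = {"Office": OFFICE_NET, "MCS": MCS_NET}
ADDR_BOOK = {
    "rdp_clients": [ipaddress.ip_network("10.1.20.0/24")],  # the "part" of the office allowed in
    "station_1": [ipaddress.ip_network("192.168.10.50/32")],
}
SERVICE_BOOK = {"rdp": ("tcp", 3389), "ping": ("icmp", None)}
POLICIES = [
    {"src_zone": "Office", "dst_zone": "MCS", "src": "rdp_clients",
     "dst": "station_1", "services": ["rdp", "ping"], "action": "permit"},
]

def zone_of(ip):
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None

def firewall_decision(src, dst, proto, dport=None):
    """First matching policy wins; no match means the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in POLICIES:
        if (p["src_zone"], p["dst_zone"]) != (zone_of(src), zone_of(dst)):
            continue
        if not any(src in n for n in ADDR_BOOK[p["src"]]):
            continue
        if not any(dst in n for n in ADDR_BOOK[p["dst"]]):
            continue
        for svc in p["services"]:
            sproto, sport = SERVICE_BOOK[svc]
            if sproto == proto and (sport is None or sport == dport):
                return p["action"]
    return "deny"

# Step 2: only the accessed station gets a gateway (the firewall's MCS port);
# the other stations keep no gateway, as the post describes.
STATION_GATEWAY = {STATION: FW_MCS_IF}

def office_to_station(src, dst, proto, dport=None):
    """Walk a flow through all three steps; returns (stage, result)."""
    dst = ipaddress.ip_address(dst)
    if core_next_hop(dst) != FW_OFFICE_IF:
        return ("core-switch", "no route")
    if firewall_decision(src, dst, proto, dport) != "permit":
        return ("firewall", "deny")
    if STATION_GATEWAY.get(dst) != FW_MCS_IF:
        return ("station", "no return path")
    return ("station", "ok")

if __name__ == "__main__":
    print(office_to_station("10.1.20.5", STATION, "tcp", 3389))    # RDP: ok
    print(office_to_station("10.1.20.5", STATION, "icmp"))         # ping: ok
    print(office_to_station("10.1.20.5", STATION, "tcp", 445))     # SMB: firewall deny
    print(office_to_station("10.1.30.5", STATION, "tcp", 3389))    # source not in address book
    print(office_to_station("10.1.20.5", OTHER_STATION, "tcp", 3389))  # no host route
```

The model keeps the three controls separate on purpose: the /32 host route on the core switch means other production hosts are unreachable before the firewall is even consulted, the firewall policy restricts source range, destination host, direction and service, and the station's gateway is what allows the reply traffic to return through the MCS port.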
Special case:
The group headquarters is connected to a subsidiary by routing, and the subsidiary's router and the core switch also route between each other. The subsidiary's office network connects to its own production network through a firewall. When a computer at group headquarters wants to access that subsidiary's operator station, there are more links in the path, so several routes have to be added. Start from the group core switch and, with the help of the TRACERT command, work down layer by layer until the operator station address is reachable.
This article is from the "Shadow" blog; please keep this source: http://1957949.blog.51cto.com/1947949/1193301