Configuration cases of proxy servers and routers in LAN

Source: Internet
Author: User
With the rapid development of network technology, enterprises and institutions have more and more ways to access shared Internet resources. DDN leased lines are widely used for their stable performance and good scalability, and a DDN connection has simple hardware requirements: only a router and a proxy server are needed. System configuration, however, is a difficult issue for many network administrators. The following uses a Cisco router as an example to describe several configuration methods that have worked in practice, for reference:
I. Configuring access to Internet resources through the router
1. Overall idea and device connection
Generally, the LAN of an organization uses the address ranges reserved for private use on the Internet:
10.0.0.0/8: 10.0.0.0 ~ 10.255.255.255
172.16.0.0/12: 172.16.0.0 ~ 172.31.255.255
192.168.0.0/16: 192.168.0.0 ~ 192.168.255.255
Normally, when a workstation inside the organization accesses the outside directly through the router, its traffic is dropped because the workstation uses an address reserved for private use, so Internet resources cannot be reached. The solution is to use the NAT (Network Address Translation) function of the router's operating system to translate the private addresses used on the intranet into valid Internet addresses, which lets hosts with non-routable IP addresses reach the Internet through NAT. In this way no proxy server has to be configured, which reduces investment, saves valid IP addresses, and improves the security of the internal network.
NAT has two modes: single mode and global mode.
In single mode, as the name suggests, NAT maps many LAN hosts onto a single Internet address. To the outside Internet, all hosts in the LAN appear as one Internet user, while the hosts in the local LAN continue to use their local addresses.
In global mode, the router interface maps the many LAN hosts to a range of Internet addresses (an IP address pool). When a local host opens a connection to a host on the Internet, an IP address from the pool is automatically assigned to it; after the connection ends, the dynamically assigned address is released and can be used by other local hosts.
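As an added illustration (not part of the original article), this small Python model shows what the "overload" form of NAT used in the configurations below does: hosts permitted by the access list share one pool address and are told apart by port, hosts outside the list are not translated, and an inbound packet with no existing binding matches nothing. The pool and inside network are the article's; the class and the port numbering are my own assumptions.

```python
import ipaddress
from itertools import count

# Constructed from the article's addressing: two public pool addresses and the
# private /24 that "access-list 2" permits for translation.
POOL = ["211.90.139.41", "211.90.139.42"]
INSIDE = ipaddress.ip_network("192.168.0.0/24")


class PatRouter:
    """Minimal model of 'ip nat inside source list 2 pool c2610 overload'."""

    def __init__(self, pool, inside, first_port=1024):
        self.pool = list(pool)
        self.inside = inside
        self.table = {}                  # (inside_ip, inside_port) -> (global_ip, global_port)
        self.ports = count(first_port)   # hypothetical port allocator; IOS picks its own

    def translate(self, src_ip, src_port):
        """Outbound packet: return the (global_ip, global_port) it leaves with, or
        None when the source is not permitted by the ACL and is forwarded untranslated."""
        if ipaddress.ip_address(src_ip) not in self.inside:
            return None
        key = (src_ip, src_port)
        if key not in self.table:
            # Overload: the first pool address is shared by all inside hosts; each
            # binding gets its own global port so replies can be demultiplexed.
            self.table[key] = (self.pool[0], next(self.ports))
        return self.table[key]

    def inbound(self, global_ip, global_port):
        """Inbound packet: return the inside (ip, port) that owns this binding, or None.
        Unsolicited traffic to a pool address matches nothing and is dropped, which is
        the 'improved security' the article attributes to NAT."""
        for inside_key, global_key in self.table.items():
            if global_key == (global_ip, global_port):
                return inside_key
        return None

    def release(self, src_ip, src_port):
        """Connection finished: drop the binding so later inbound packets are discarded."""
        self.table.pop((src_ip, src_port), None)
```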
The following uses the network environment of our organization as an example to list the configuration methods and steps for your reference.
Our company connects to the Internet over a China Unicom optical cable (V.35). The router is a Cisco 2610 and the LAN uses an Intel 550M switch. China Unicom provided us with the following four IP addresses:
211.90.137.25 (255.255.255.252), used for the WAN port of the local router
211.90.137.26 (255.255.255.252), used for the peer (China Unicom) port
211.90.139.41 (255.255.255.252), for the organization's own use
211.90.139.42 (255.255.255.252), for the organization's own use
2. Router configuration
(1) Network connection:

Note: All workstations in the organization are connected to the switch; the router is also connected to the internal switch through its Ethernet port. The router's Ethernet port uses an internal private address, and the two valid IP addresses allocated by China Unicom are used at the two ends of the optical fiber link. In this connection mode, you only need to configure NAT on the router for every workstation in the organization to reach the Internet; on each workstation, you only need to set the gateway to the router's Ethernet port (192.168.0.3) to access the Internet without a proxy. This also leaves the two remaining valid IP addresses free for your own use (for example, to set up your own web and e-mail servers). The disadvantage is that you cannot benefit from the cache service a proxy server provides to speed up access. This scheme is therefore suitable for a unit with a small number of workstations; when the number of workstations is large, use one of the two methods described later. The router configuration is as follows:
(2) Router configuration
en
conf t
ip nat pool c2610 211.90.139.41 211.90.139.42 netmask 255.255.255.252
(Define an address pool named c2610 containing the two idle valid IP addresses used for NAT translation)
interface E0/0
ip address 192.168.0.3 255.255.255.0
ip nat inside
exit
(Set the IP address of the Ethernet port and mark it as the port facing the intranet)
interface S0/0
ip address 211.90.137.25 255.255.255.252
ip nat outside
exit
(Set the IP address of the WAN port and mark it as the port facing the external network)
ip route 0.0.0.0 0.0.0.0 211.90.137.26
(Set a static default route pointing at the China Unicom peer address)
access-list 2 permit 192.168.0.0 0.0.0.255
(Create an access control list that selects the intranet addresses to be translated; the wildcard mask must have four octets)
! Dynamic NAT
!
ip nat inside source list 2 pool c2610 overload
(Create dynamic address translation; "overload" lets many hosts share one pool address, distinguished by port)
line console 0
exec-timeout 0 0
(exec-timeout 0 0 disables the console session timeout)
!
line vty 0 4
end
wr
(Save the settings)
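To catch the kind of slip that creeps into listings like the one above (a wildcard mask with three octets, a pool address outside its netmask, a NAT statement naming a pool or access list that was never defined, an interface never marked inside or outside), here is an added Python checker that is not from the article. The configuration text is a copy of the method-1 commands with the commentary removed; the check rules are my own.

```python
import ipaddress
# Copy of the article's method-1 NAT commands (commentary and line-mode commands removed).
CONFIG = """\
ip nat pool c2610 211.90.139.41 211.90.139.42 netmask 255.255.255.252
interface E0/0
 ip address 192.168.0.3 255.255.255.0
 ip nat inside
interface S0/0
 ip address 211.90.137.25 255.255.255.252
 ip nat outside
ip route 0.0.0.0 0.0.0.0 211.90.137.26
access-list 2 permit 192.168.0.0 0.0.0.255
ip nat inside source list 2 pool c2610 overload
"""
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_nat_config(text):
    """Return a list of problems; an empty list means the NAT pieces fit together."""
    problems, pools, acls, roles, refs = [], set(), set(), set(), []
    for line in text.splitlines():
        t = line.split()
        if t[:3] == ["ip", "nat", "pool"]:
            start, end = ipaddress.ip_address(t[4]), ipaddress.ip_address(t[5])
            block = ipaddress.ip_network(f"{t[4]}/{t[7]}", strict=False)
            if end not in block or start > end:
                problems.append(f"pool {t[3]}: {t[4]}-{t[5]} does not fit netmask {t[7]}")
            pools.add(t[3])
        elif t[:1] == ["access-list"] and t[2] == "permit":
            wild = t[4] if len(t) > 4 else "0.0.0.0"   # no wildcard means a single host
            if wild.count(".") != 3:
                problems.append(f"access-list {t[1]}: wildcard '{wild}' is not four octets")
                continue                                 # IOS would reject the line too
            # Assumes a contiguous wildcard; invert it to get a conventional netmask.
            netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wild)))
            net = ipaddress.ip_network(f"{t[3]}/{netmask}", strict=False)
            if not any(net.subnet_of(p) for p in PRIVATE):
                problems.append(f"access-list {t[1]}: {net} is not private address space")
            acls.add(t[1])
        elif t[:4] == ["ip", "nat", "inside", "source"]:
            refs.append((t[5], t[7]))                    # (access-list, pool) it depends on
        elif len(t) == 3 and t[:2] == ["ip", "nat"]:
            roles.add(t[2])                              # 'ip nat inside' / 'ip nat outside'
    for acl, pool in refs:
        if acl not in acls:
            problems.append(f"NAT statement references undefined access-list {acl}")
        if pool not in pools:
            problems.append(f"NAT statement references undefined pool {pool}")
    problems += [f"no interface is marked 'ip nat {r}'" for r in ("inside", "outside") if r not in roles]
    return problems
```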
3. Workstation configuration
Workstations need static IP addresses. In the TCP/IP properties, set the IP address, set the gateway to 192.168.0.3 (the router's Ethernet address), and set the DNS address to the one provided by the access provider. No special settings are needed in web browsers or other Internet software.
II. Configuring access to Internet resources through a proxy server
1. Overall idea and device connection
A proxy server can also be used to access Internet resources. The advantage is that the cache service provided by the proxy improves Internet access speed and efficiency, which makes it suitable for units with a large number of workstations. The disadvantage is that a dedicated computer is needed as the proxy server, which increases investment cost. In addition, compared with the first method it uses two more valid IP addresses, and network security is not high.
The device connection for this method is as follows:
Two NICs are installed on the proxy server. One is connected to the intranet and set to an internal private address; the other is connected to the router's Ethernet port and set to the valid address allocated by China Unicom (211.90.139.42), with its gateway set to 211.90.139.41 (the router's Ethernet port).
The router's Ethernet port is also configured with a valid IP address allocated by China Unicom (211.90.139.41).
Once the devices are connected this way, install the proxy software on the proxy server and configure a proxy on each workstation to access the Internet.

2. Router configuration
(1) Network connection:
Note: All computers in the organization communicate directly, through the switch, with the proxy server's intranet NIC (192.168.0.4), and then reach the Internet through the router under the control of the proxy software.
(2) Router configuration
en
conf t
interface E0/0
ip address 211.90.139.41 255.255.255.252
exit
(Set the IP address of the Ethernet port)
interface S0/0
ip address 211.90.137.25 255.255.255.252
exit
(Set the IP address of the WAN port)
ip route 0.0.0.0 0.0.0.0 211.90.137.26
ip routing
(Set a static default route pointing at the China Unicom peer address and make sure IP routing is enabled)
end
wr
(Save the settings)
3. Proxy server settings
The proxy server must have two NICs installed. One connects to the internal LAN and is set to an internal private address (for example, 192.168.0.4 netmask 255.255.255.0) with no gateway. The other connects to the router and is set to the valid address allocated by China Unicom (211.90.139.42 netmask 255.255.255.252), with its gateway set to 211.90.139.41 (the router's Ethernet port).
After configuring the NICs as above, install a proxy software package (for example, MS Proxy Server 2.0 or WinGate; for installation and debugging of the proxy software, see other materials).
4. Workstation settings
(1) Internet Explorer settings
Tools menu -> Internet Options -> Connections -> LAN Settings -> Use a proxy server -> Address: 192.168.0.4, Port: 80 -> OK
(2) For other software, see that software's documentation.
III. Configuration with direct access and proxy access coexisting
1. Overall idea and device connection
Both methods described above provide smooth Internet access, but each has advantages and disadvantages, and their advantages are complementary. How can the advantages of the two methods be combined in one setup? Method 3 is a solution that lets you have it both ways: it integrates the advantages of the first and second methods, that is, it saves IP addresses and improves Internet access efficiency through the cache provided by the proxy server.
The device connection for this method is as follows:
Two NICs are installed on the proxy server, and both are connected to the switch. Both NICs are given internal private addresses, but the two addresses must not belong to the same network (that is, their network addresses must differ): one is used to communicate with the intranet (NIC 1) and the other to communicate with the router (NIC 2). Otherwise the proxy cannot work.
Do not install the NetBEUI protocol on the proxy server; install only TCP/IP. (Note: this step is mandatory. Otherwise the redundant links between the proxy server and the switch cause a NetBIOS computer-name conflict on the proxy server, which disrupts normal communication.)
The router's Ethernet port is also given an internal private address, in the same network as the address of NIC 2 (that is, with the same network address as NIC 2).
2. Router settings
(1) Network connection

(2) Router configuration
en
conf t
ip nat pool c2610 211.90.139.41 211.90.139.42 netmask 255.255.255.252
(Define an address pool named c2610 containing the two idle valid IP addresses used for NAT translation)
interface E0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
exit
(Set the IP address of the Ethernet port and mark it as the port facing the intranet)
interface S0/0
ip address 211.90.137.25 255.255.255.252
ip nat outside
exit
(Set the IP address of the WAN port and mark it as the port facing the external network)
ip route 0.0.0.0 0.0.0.0 211.90.137.26
(Set a static default route pointing at the China Unicom peer address)
access-list 2 permit 192.168.1.0 0.0.0.255
(Create an access control list selecting the addresses to be translated; in this scheme the hosts that reach the router's Ethernet port, namely the proxy's NIC 2 and the workstations using direct access, have 192.168.1.x addresses)
! Dynamic NAT
!
ip nat inside source list 2 pool c2610 overload
(Create dynamic address translation)
line console 0
exec-timeout 0 0
!
line vty 0 4
end
wr
(Save the settings)
3. Proxy server settings
Two NICs are installed on the proxy server and both are connected to the switch. NIC 1 is set to 192.168.0.4 with no gateway. NIC 2 is set to 192.168.1.2, with the gateway set to 192.168.1.1 (the router's Ethernet port).
After configuring the NICs as above, install a proxy software package (for example, MS Proxy Server 2.0 or WinGate; for installation and debugging of the proxy software, see other materials).
Note: When installing the proxy software (taking MS Proxy 2.0 as an example), the address range 192.168.0.0-192.168.255.255 must be excluded when specifying the LAT (local address table); otherwise the proxy will not work properly.
4. Workstation settings
In this configuration, a workstation can be configured either with a proxy or with a gateway for direct Internet access.
If you only access the Internet through the proxy, the settings are the same as in method 2.
If you only access the Internet through the gateway, set a static IP address on the workstation in the range 192.168.1.x, the same network segment as the router's Ethernet port, set the gateway to 192.168.1.1, and set the DNS address provided by the access provider.
If you want both methods to coexist, configure two static IP addresses in TCP/IP, 192.168.0.x and 192.168.1.x, set the gateway to 192.168.1.1, and use the DNS address provided by the access provider. You then only need to enable or disable the proxy setting in the browser or other software to switch between the proxy and the gateway.
