Configure Network Lists
The Configuration | Policy Management | Traffic Management
screens let you configure network lists, rules, filters, security associations
(SA), Network Address Translation (NAT), and bandwidth policies. Together, these
features let you control the data traffic through the VPN Concentrator,
including what is or isn’t protected. The six feature links on this screen
include the following:
- Network lists—Enable you to create and name lists of network addresses that can be treated as single objects. This can simplify configuring features and filters. Network lists are often a requirement of features like LAN-to-LAN VPNs and IPSec SA filtering.
- Rules—Let you filter interface data or limit the data to be protected by IPSec. These named rules enable you to specify protocol, source, and destination addresses (or network lists), port numbers, and what specified action you want to happen to any traffic that meets all criteria. If even one parameter doesn’t match, the system ignores the rest of this rule and examines the packet in accordance with the next rule, and so forth. This is similar to each line in router or firewall ACLs.
- Filters—Can be used to limit interface traffic, limit group and user access, and limit application of IPSec security associations.
- SAs—Enable you to add, configure, modify, and delete security associations (SAs) to be applied during IPSec tunnel establishment.
- NAT—Translates private network addresses into “real world” public network addresses, allowing traffic routing between networks with overlapping private network addresses.
- Bandwidth—Defines policies to reserve a minimum amount of bandwidth per session, as well as to limit users within groups to a maximum amount of bandwidth. Once configured, bandwidth policies can be applied to an interface, a group, or both. A policy applied to an interface applies to each user on that interface. A policy applied to a group applies only to the users in that group.
Configuring Network Lists
Clicking the Network Lists link brings up the Configuration
| Policy Management | Traffic Management | Network Lists screen, as shown in Figure
16-4. In this section, you can define and name lists of networks to be
treated as single objects. Network lists can be used for the following common
activities:
- Configure IPSec LAN-to-LAN connections (Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN)
- Configure filter rules (Configuration | Policy Management | Traffic Management | Rules)
- Configure split tunneling (Configuration | User Management) for groups and users in remote access network implementations
Figure 16-4: Network List creation and management screen
While a single network list can contain a maximum of 200 network
entries, no limit exists to the number of network lists that can be created.
The Network List box displays the names of any existing network
lists. If no lists have been defined, the field shows “--Empty--”. The
Add/Modify/Copy/Delete buttons are used to create new lists and manage existing ones. As
with everything on the Concentrator, any changes are made live to the active
configuration with no Confirm or Undo options. Click the Save Needed icon
in the upper-right corner of the Manager window to save the active configuration
to the boot configuration.
LAN-to-LAN Network Lists
VPN LAN-to-LAN implementations need a list of the LANs
secured behind each endpoint device. In this example, the Main Office would have
a list for each LAN-to-LAN connection, plus one for its local LANs. The peer
Concentrator would have its own LAN(s) list and Main Office list. These should
be reverse images of each other. Any networks not included on the list are
invisible to the peer and unable to communicate with the peer network.
Clicking the Add button brings up the Configuration | Policy
Management | Traffic Management | Network Lists | Add screen, as shown in Figure
16-5. The screens associated with the other buttons are similar.
- In the List Name box, type the name for the network list. The name must be unique on this device and is limited to a maximum of 48 case-sensitive characters. Spaces are allowed. For example, you might use Local LANs for the networks attached to this device.

Note: If the Generate Local List feature (next section) is used, wait to enter this name until after the system generates the network list.

- In the Network List box, type the networks to be included in this network list. Each entry must be a single line using the format n.n.n.n/w.w.w.w, where w.w.w.w is the wildcard mask (example: 192.168.1.0/0.0.0.255). If the mask is omitted, the Manager will supply the default classful mask. The maximum number of network/wildcard entries in a single network list is 200. The entries for this scenario would be the following:
Generate Local List
The VPN Concentrator has a Generate Local List feature
button on the Add or Modify screen, so you needn’t explicitly define the
entries. Clicking the Generate Local List button causes the Manager to generate
a network list automatically, containing the first 200 private networks
reachable from the Ethernet 1 (Private) interface. The list is created by
reading the routing table (Monitoring | Routing Table). For the feature to work,
both devices must be VPN Concentrators and both Concentrators must have inbound
RIP routing enabled on the Ethernet 1 (Private) interface (Configuration |
Interfaces | Ethernet 1), as shown in Figure 16-6.
After the Manager creates the list and refreshes the screen, you can edit the Network List entries and enter a name in the List Name box.
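As an added example (not part of the original text or of Cisco's software), the following Python checks a list of entries against the constraints the Add screen enforces: the n.n.n.n/w.w.w.w wildcard format, the classful default when the mask is omitted, the 48-character name limit and the 200-entry cap, and it confirms that two LAN-to-LAN peers' lists are reverse images of each other. The sample lists and the class-A/B/C split for the default mask are assumptions for illustration.

```python
import ipaddress

MAX_ENTRIES = 200   # per-list cap on network/wildcard entries
MAX_NAME_LEN = 48   # case-sensitive characters allowed in List Name

def classful_wildcard(addr: str) -> str:
    """Default wildcard mask supplied when an entry omits the mask (assumed A/B/C split)."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "0.255.255.255"   # class A
    if first < 192:
        return "0.0.255.255"     # class B
    return "0.0.0.255"           # class C

def parse_entry(entry: str) -> ipaddress.IPv4Network:
    """Parse one 'n.n.n.n/w.w.w.w' line; the wildcard is inverted to a netmask.
    Assumes a contiguous wildcard; ipaddress rejects anything else."""
    addr, _, wildcard = entry.strip().partition("/")
    ipaddress.IPv4Address(addr)                  # ValueError if malformed
    wildcard = wildcard or classful_wildcard(addr)
    netmask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)

def list_errors(name: str, entries: list[str]) -> list[str]:
    """Return the problems the Add screen would reject; empty list if none."""
    errors = []
    if not 0 < len(name) <= MAX_NAME_LEN:
        errors.append(f"List Name must be 1 to {MAX_NAME_LEN} characters")
    lines = [e for e in entries if e.strip()]
    if len(lines) > MAX_ENTRIES:
        errors.append(f"at most {MAX_ENTRIES} entries per list")
    for line in lines:
        try:
            parse_entry(line)
        except ValueError:
            errors.append(f"bad entry: {line!r}")
    return errors

def networks(entries: list[str]) -> set:
    return {parse_entry(e) for e in entries if e.strip()}

def mirrored(a_local, a_remote, b_local, b_remote) -> bool:
    """LAN-to-LAN check: each peer's remote list must equal the other's local list."""
    return networks(a_remote) == networks(b_local) and networks(b_remote) == networks(a_local)

# Constructed sample lists for the Main Office / peer scenario described above.
MAIN_LOCAL = ["192.168.1.0/0.0.0.255", "192.168.2.0/0.0.0.255"]
PEER_LOCAL = ["10.1.0.0/0.0.255.255"]
```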