Chapter 11 - PowerPoint PPT Presentation



Presentation Transcript

Chapter 11: Routing

Objectives
  • Configure Windows Server 2003 as a router

  • Create and configure demand-dial connections for routing

  • Configure Network Address Translation (NAT) for Internet connectivity

  • Install Internet Connection Sharing (ICS)

  • Configure Internet Connection Firewall (ICF)


Router Installation and Configuration

  • Windows Server 2003

    • Can be used as a router

    • Can perform routing for TCP/IP and AppleTalk

    • Does not support IPX/SPX for routing

  • Implementing Windows Server 2003 as a router

    • Main benefit is cost

    • Server must be connected to at least two networks


Router Installation and Configuration (Continued)

  • Internet Security and Acceleration Server (ISA)

    • Provides proxy services

  • Routing and Remote Access snap-in

    • Used to add routing


Enabling RRAS as a Router


Enabling IP Routing


Routing Tables

  • Routers

    • Make decisions about how to move packets from one network to another in the fastest way possible

  • Routing table

    • List of networks that are known to the router

    • Each entry contains

      • IP address of the network

      • Subnet mask of the network

      • Gateway used to reach the network

      • Router interface used to reach the gateway

      • Metric that measures how far away the network is
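As an added illustration that is not part of the slides, the following Python snippet models the lookup a router performs over a table with exactly the five fields listed above. The table contents are constructed for the example; the selection picks the most specific network (longest subnet mask) and breaks ties on the lowest metric.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table in the shape ROUTE PRINT shows:
# (network, subnet mask, gateway, interface, metric). Addresses are made up.
ROUTES = [
    ("0.0.0.0",     "0.0.0.0",       "192.168.1.1",   "192.168.1.10", 20),  # default route
    ("10.0.0.0",    "255.0.0.0",     "192.168.1.254", "192.168.1.10", 30),
    ("10.20.0.0",   "255.255.0.0",   "192.168.2.1",   "192.168.2.10", 10),
    ("10.20.0.0",   "255.255.0.0",   "192.168.1.254", "192.168.1.10", 25),  # same net, worse metric
    ("192.168.1.0", "255.255.255.0", "192.168.1.10",  "192.168.1.10", 10),  # directly attached
    ("192.168.2.0", "255.255.255.0", "192.168.2.10",  "192.168.2.10", 10),  # directly attached
    ("127.0.0.0",   "255.0.0.0",     "127.0.0.1",     "127.0.0.1",     1),
]


def select_route(destination, routes=ROUTES):
    """Return (gateway, interface, metric) for a destination, or None if unroutable.

    The router considers every entry whose network contains the destination,
    prefers the most specific one (longest mask) and, among equally specific
    entries, the one with the lowest metric.
    """
    dst = ip_address(destination)
    best = None
    for net, mask, gateway, interface, metric in routes:
        network = ip_network(f"{net}/{mask}", strict=False)
        if dst not in network:
            continue
        rank = (network.prefixlen, -metric)  # longer mask wins, then lower metric
        if best is None or rank > best[0]:
            best = (rank, (gateway, interface, metric))
    return None if best is None else best[1]


def next_hop_kind(destination, routes=ROUTES):
    """'direct' when the gateway is the router's own interface (on-link network),
    'via-gateway' when another router must forward it, 'unroutable' if nothing matches."""
    route = select_route(destination, routes)
    if route is None:
        return "unroutable"
    gateway, interface, _ = route
    return "direct" if gateway == interface else "via-gateway"


if __name__ == "__main__":
    for dst in ("10.20.5.5", "10.99.1.1", "8.8.8.8", "192.168.1.77"):
        print(dst, select_route(dst), next_hop_kind(dst))
```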


Routing Tables (Continued)

  • ROUTE PRINT command

    • Used to view routing table

  • Static routing

    • Entries that are added manually

    • Used when security is required

    • Addition of new network means routing table of each server must be changed

    • An error can be introduced each time a change is made


Routing Tables (Continued)

  • Dynamic routing

    • Entries that are added automatically based on a routing protocol

    • Routers talk to each other to build their routing tables


Routing Protocols

  • Responsible for

    • Calculating best path from one network to another

    • Advertising routes for dynamic routing

  • Routing Information Protocol (RIP)

    • No configuration necessary under most circumstances

    • Hops

      • Number of routers through which the data must pass

    • Distance-vector routing

      • Path with the least number of hops


Routing Protocols (Continued)

    • Does not differentiate between different link speeds

    • Each RIP router sends a broadcast packet every 30 seconds

  • Open Shortest Path First (OSPF)

    • Determines the best path from one network to another based on cost

    • Not normally implemented on Windows routers

    • Each interface on a router is assigned a cost

Routing Protocols (Continued)

  • Routing table

    • Builds a picture of the entire network

  • When communicating with other routers

    • Only sends changes in its routing table

    • Changes sent only when they occur, not every 30 seconds

Configuring RIP

  • RIP properties

    • Can configure the type of events to be logged

    • Can configure the IP addresses from which the router accepts updates

    • General tab

      • Periodic update mode removes entries from the routing table if the router that advertised them is disabled or unreachable

      • Auto-static update mode adds RIP-learned routes to the routing table as static entries

Configuring RIP (Continued)

  • RIP routers

    • Advertise routes learned from other routers, incrementing the number of hops by 1

  • RIP properties

    • Security tab

      • Allows you to configure which incoming and outgoing routes are accepted on this interface

    • Neighbors tab

      • Used only if broadcasts and multicasts are limited on the network

Configuring RIP (Continued)

  • Advanced tab

    • Can adjust how often routing table announcements are sent

    • Can adjust how long entries in the routing table last before they expire

    • Can adjust how long after they expire before they are removed from the routing table

  • Split-horizon processing and poison-reverse processing

    • Used to prevent routing loops in the case of a router failure
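The hop-count arithmetic and the split-horizon/poison-reverse behaviour listed on these slides, as an added Python model that is not part of the presentation. The three-router chain, the network names and the synchronous exchange rounds are constructed for the example; a hop count of 16 means unreachable and directly attached networks count as one hop, as in RIP.

```python
RIP_INFINITY = 16  # a hop count of 16 means "unreachable" in RIP


class RipRouter:
    """Toy RIP router; the table maps network -> (hops, neighbor it was learned from)."""

    def __init__(self, name, connected):
        self.name = name
        # Directly attached networks count as one hop and were learned from nobody.
        self.table = {net: (1, None) for net in connected}

    def advertisement(self, to_neighbor, poison_reverse=True):
        """Routes announced to one neighbor with split horizon: a route is not
        advertised back to the neighbor it came from; with poison reverse it is
        sent anyway but as 16 hops, so that neighbor never relies on it."""
        adv = {}
        for net, (hops, learned_from) in self.table.items():
            if learned_from == to_neighbor:
                if poison_reverse:
                    adv[net] = RIP_INFINITY
                continue
            adv[net] = hops
        return adv

    def receive(self, from_neighbor, adv):
        """Apply a neighbor's advertisement; every advertised hop count is incremented by 1."""
        changed = False
        for net, hops in adv.items():
            new = (min(hops + 1, RIP_INFINITY), from_neighbor)
            current = self.table.get(net)
            if current is None and new[0] >= RIP_INFINITY:
                continue  # do not install a route that is already unreachable
            # Install if the network is new, the path is shorter, or the update comes from the neighbor already in use.
            better = current is None or new[0] < current[0] or current[1] == from_neighbor
            if better and current != new:
                self.table[net] = new
                changed = True
        return changed


def run_rip(links, max_rounds=RIP_INFINITY):
    """Exchange advertisements across every (router, router) link in synchronous
    rounds until no table changes; returns the number of rounds, 0 if never settled."""
    for rnd in range(1, max_rounds + 1):
        msgs = []
        for a, b in links:  # build all advertisements before applying any of them
            msgs.append((b, a.name, a.advertisement(b.name)))
            msgs.append((a, b.name, b.advertisement(a.name)))
        if not any([r.receive(src, adv) for r, src, adv in msgs]):
            return rnd
    return 0
```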

Security Tab, RIP Interface Properties

Neighbors Tab, RIP Interface Properties

Advanced Tab, RIP Interface Properties

Demand-Dial Connections

  • Used to establish a connection between two routers when there is data to be sent

  • Demand-dial connections

    • Used to minimize the amount of phone time used on dial-up connections between routers

    • Can be used to initiate VPN connections between Windows routers

    • Can be created for Point-to-Point Protocol over Ethernet (PPPoE) connections

  • PPPoE

    • Used by many high-speed Internet providers to control access to their network

    • Authentication requires a username and password

Creating Demand-dial Connections

  • For a demand-dial connection to function properly

    • Server must be enabled to perform demand-dial routing

    • Port must be configured to allow demand-dial routing

    • Demand-dial interface must be created

  • Demand-dial Interface Wizard

    • Creates demand-dial connections

Enabling Demand-dial Routing

Configuring a Port for Demand-dial Routing

Interface Name, Demand-Dial Interface Wizard

Demand-dial Interface Properties

  • Can be used to configure

    • Security settings

    • Idle timeout

  • Options tab

    • If the “Persistent connection” option is chosen, the servers are connected whenever RRAS is functional

    • If the “Demand dial” option is chosen, you can set an idle timeout

  • Security tab

    • Provides the standard security options available on a VPN connection

Options Tab, Demand-dial Interface Properties

Dial-out Hours

  • Controls when a demand-dial connection can be active

  • Typical configuration of dial-out hours

    • Allows a connection every few hours

    • Data is moved from one network to another in batches every few hours

  • If users are expected to access resources using the demand-dial connection at all times

    • Dial-out hours should be left at the default of 24 hours per day, seven days per week

Dial-out Hours (Continued)

Demand-dial Filters

  • Used to reduce the amount of time a demand-dial connection is active

  • Control which types of network traffic trigger a demand-dial connection

  • Configuration is similar to a firewall rule

  • Can initiate a demand-dial connection

    • For specific traffic only

    • For all traffic except that specified by a rule

Demand-dial Filters (Continued)

Adding a Demand-dial Filter

Network Address Translation (NAT)

  • Uses a single Internet IP address to provide Internet access to all client computers

  • Included with Windows Server 2003

  • Address ranges reserved for internal use

    • through

    • through

    • through

Network Address Translation (Continued)

  • Proxy server

    • If implemented, clients must be configured to use the proxy server

    • Provides caching to speed up Internet connectivity

  • Most NAT implementations are FTP-aware and translate FTP packets properly

How NAT Works

  • Modifies the IP headers of packets that are forwarded through a router

  • Builds a table to keep track of translations

  • Table lists

    • Original source IP address

    • Original source port number

    • New source port number

  • New source IP address

    • Always the external interface on the router

    • Does not need to be included in the table
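The translation table just described, as an added Python model that is not part of the slides: each entry holds the original source IP, the original source port and the new source port, while the new source IP is the router's single external address and is stored once. The Packet type, NatTable, the addresses and the port range starting at 49152 are constructed for the example; an inbound packet with no table entry is dropped, which is how the basic firewall behaviour falls out of the table.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    """Port-translating NAT: every internal host shares the router's one external address."""

    def __init__(self, external_ip, first_port=49152):
        self.external_ip = external_ip  # the new source IP; constant, so not stored per entry
        self.next_port = first_port
        self.by_internal = {}  # (original src IP, original src port) -> new src port
        self.by_external = {}  # new src port -> (original src IP, original src port)

    def outbound(self, pkt):
        """Rewrite an internal client's packet as it leaves the public interface."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.by_internal:  # first packet of this flow: create a table entry
            new_port = self.next_port
            self.next_port += 1
            self.by_internal[key] = new_port
            self.by_external[new_port] = key
        return Packet(self.external_ip, self.by_internal[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Undo the translation for a reply; returns None (drop) when no entry matches,
        which is what happens to unsolicited packets arriving from the Internet."""
        if pkt.dst_ip != self.external_ip:
            return None
        original = self.by_external.get(pkt.dst_port)
        if original is None:
            return None
        orig_ip, orig_port = original
        return Packet(pkt.src_ip, pkt.src_port, orig_ip, orig_port)


def demo():
    """Two clients pick the same local port; distinct external ports keep their replies apart."""
    nat = NatTable("203.0.113.5")  # constructed public address of the router
    out_a = nat.outbound(Packet("192.168.0.10", 1025, "198.51.100.7", 80))
    out_b = nat.outbound(Packet("192.168.0.11", 1025, "198.51.100.7", 80))
    reply_b = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.5", out_b.src_port))
    stray = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.5", 60000))
    return out_a, out_b, reply_b, stray
```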

Outgoing Request Through NAT

Incoming Response Through NAT

Installing NAT

  • NAT protocol

    • Automatically installed when RRAS is configured to be a router

  • NAT interface properties

    • For proper NAT functionality

      • One interface must be configured as a public interface

      • At least one interface must be configured as a private interface

    • Basic firewall

      • Allows you to configure static packet filters

Installing NAT (Continued)

  • Services and Ports tab

    • Allows you to host services behind NAT but still allow access from the Internet

  • ICMP tab

    • Dictates the types of ICMP packets the interface responds to

  • Address Pool tab

    • Defines a range of IP addresses that are handed out to client computers

NAT/Basic Firewall Tab, NAT Interface Properties

Configuring NAT

  • NAT/Basic Firewall – Properties

    • General tab

      • Controls the level of logging that is performed

    • Translation tab

      • Configures how long mappings are kept in the NAT table

    • Address Assignment tab

      • Can configure NAT to act as a DHCP server

    • Name Resolution tab

      • Configures the NAT router to act as a DNS proxy

      • Settings on this tab need not be enabled if internal DNS servers exist

Translation Tab, NAT/Basic Firewall Properties

Name Resolution Tab, NAT/Basic Firewall Properties

Internet Connection Sharing (ICS)

  • Provides an automated way for a small office to connect to the Internet using Windows Server 2003 as a router

  • Automatically performs NAT

  • Configures network connections

  • Because NAT is used, the server must have at least two network cards

  • Configuration used by ICS cannot be changed

Internet Connection Sharing (Continued)

  • The following changes are made

    • Internal network connection is configured with

      • IP address

      • Subnet mask

    • Autodial enabled for dial-up/VPN/PPPoE connections

    • Static route for the default gateway enabled when a dial-up/VPN/PPPoE connection is activated

    • The ICS service is started

    • DHCP allocator is configured to distribute IP addresses from to

    • The DNS proxy is enabled

Enabling ICS

Internet Connection Sharing (Continued)

  • ICS server can have only one internal IP address

  • Network bridging

    • Allows interfaces to share a single IP address

  • Bridge

    • Controls network traffic based on MAC addresses

    • Allows computers on two different physical network segments to be on the same IP network

  • When network bridging is enabled

    • Choose multiple network cards in a server to act as a single IP network

Internet Connection Firewall

  • A stateful packet filter that can be used to protect any server running Windows Server 2003

  • Stateful firewall

    • Requires only one rule for outbound traffic

    • Keeps track of TCP connections that are created by internal clients

    • Automatically allows response packets to return

Internet Connection Firewall (Continued)

  • Enabling ICF

    • ICF is configured per connection

    • If ICF is enabled on a server that is not a router

      • Only that server is protected

    • If ICF is enabled on a router

      • All computers on the internal network are protected

Enabling ICF

Configuring ICF

  • When ICF is enabled

    • All packets addressed to the server are dropped

  • Configuring services

    • Allows requests from the network to access services on the server running ICF

    • Services defined are the firewall rules for ICF
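The behaviour described here and on the earlier stateful-firewall slide (one outbound rule, tracked connections, replies allowed back, everything else dropped unless a service is defined), as an added Python model that is not part of the slides. Flow, StatefulFilter, the addresses, the opened services and the ICMP echo switch are constructed for the example; the ICMP option and the drop log stand in for the ICMP and logging tabs.

```python
from collections import namedtuple

# Packet summary: proto is "tcp", "udp" or "icmp"; for ICMP the type number is carried in dst_port.
Flow = namedtuple("Flow", "proto src_ip src_port dst_ip dst_port")


class StatefulFilter:
    """Toy model of an ICF-style stateful packet filter on one server's connection."""

    def __init__(self, server_ip, services=(), allow_icmp_echo=False):
        self.server_ip = server_ip
        self.services = set(services)  # inbound (proto, port) pairs opened as defined services
        self.allow_icmp_echo = allow_icmp_echo  # ICMP option: answer echo requests or not
        self.connections = set()  # flows the protected server itself started
        self.log = []  # dropped packets, as the logging option would record them

    def outbound(self, flow):
        """Outbound traffic needs no rule; the flow is remembered so its replies can return."""
        self.connections.add(flow)
        return True

    def inbound(self, flow):
        """Allow a packet only if it answers a tracked flow, targets a defined service,
        or is an ICMP echo request the ICMP options permit; everything else is dropped."""
        if flow.dst_ip != self.server_ip:
            return self._drop(flow)
        reply_of = Flow(flow.proto, flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port)
        if reply_of in self.connections:
            return True
        if flow.proto in ("tcp", "udp") and (flow.proto, flow.dst_port) in self.services:
            return True
        if flow.proto == "icmp" and flow.dst_port == 8 and self.allow_icmp_echo:
            return True
        return self._drop(flow)

    def _drop(self, flow):
        self.log.append(("DROP", flow))
        return False
```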

Services Defined for ICF and ICS

ICMP Options for ICF

Logging Options for ICF



Summary

  • Windows Server 2003

    • Can be configured as a low-cost router for TCP/IP and AppleTalk

  • Static routing

    • Requires administrators to configure routing tables

  • Dynamic routing

    • Allows routers to communicate

    • Automatically builds routing tables

  • RIP

    • A distance-vector routing algorithm that calculates paths based on hops

Summary (Continued)

  • OSPF

    • A link-state routing algorithm that calculates paths based on a configurable metric called cost

  • Demand-dial connections

    • Activated when required

    • Require static routes

    • Can be configured with dial-out hours to limit the times they are active

  • NAT

    • Many computers can access the Internet using a single IP address

    • Modifies the IP headers of packets that are routed through the NAT router

Summary (Continued)

  • DHCP allocator and DNS proxy

    • Can be configured as part of NAT

  • ICS

    • Automated way to configure a router for NAT

    • Network bridging required if there is more than one internal interface

  • ICF

    • Is a stateful packet filter
