manualshive.com logo in svg

Clavister SG4300 Series, Getting Started Manual, Page: 49 / 68

Share
Download
Clavister SG4300 Series Getting Started Manual Download Page 49

Comments:

<empty>

Setting the default gateway on the interface has the additional effect that CorePlus automatically
creates a route in the default main routing table that has the network all-nets routed on the interface.
This means that we do not need to explicitly create this route.

Even though an all-nets route is automatically added, no traffic can flow without the addition of an
IP rule which explicitly allows traffic to flow. Let us assume we want to allow web surfing from the
protected network ge3_net on the interface ge3. A simple rule to do this would have an Action of
Allow and would be defined with the following commands.

Firstly, we must change the current CLI context to be the default IPRuleSet called main using the
command:

Device:/> cc IPRuleSet main

Additional IP rulesets can be defined which is why we do this, with the rule set main existing by
default. Notice that the CLI prompt changes to reflect the current context:

Device:/main>

Now add an IP rule called lan_to_wan to allows the traffic through to the public Internet:

Device:/main> add IPRule name=lan_to_wan

Action=Allow SourceInterface=ge3
SourceNetwork=InterfaceAddresses/ge3_net
DestinationInterface=ge2
DestinationNetwork=all-nets
Service=http-all

This IP rule would be correct if the internal network hosts have public IP addresses but in most
scenarios this will not be true and internal hosts will have private IP addresses. In that case, we must
use NAT to send out traffic so that the apparent source IP address is the IP of the interface
connected to the ISP. To do this we simply change the Action of the above command from Allow to
NAT:

Device:/main> add IPRule name=lan_to_wan

Action=NAT SourceInterface=ge3
SourceNetwork=InterfaceAddresses/ge3_net
DestinationInterface=ge2
DestinationNetwork=all-nets
Service=http-all

The service used in the IP rule is http-all which will allow most web surfing but does not include the
DNS protocol to resolve URLs into IP addresses. To solve this problem, a custom service could be
used in the above rule which combines http-all with the dns-all service. However, the recommended
method which provides the most clarity to a configuration is to create a separate IP rule for DNS:

Device:/main> add IPRule name=lan_to_wan_dns

Action=NAT SourceInterface=ge3
SourceNetwork=InterfaceAddresses/ge3_net
DestinationInterface=ge2
DestinationNetwork=all-nets
Service=dns-all

It is recommended that at least one DNS server is also defined in CorePlus. This DSN server or
servers (a maximum of three can be configured) will be used when CorePlus itself needs to resolve
URLs which is the case when a URL is specified in a configuration instead of an IP address. If we

3.4. CLI Setup

Chapter 3. CorePlus Configuration

49

Summary of Contents for SG4300 Series

Page 1: ...Started Guide Clavister SG4300 Series Clavister AB Sj gatan 6J SE 89160 rnsk ldsvik SWEDEN Phone 46 660 299200 Fax 46 660 12250 www clavister com Build 91006 Published 2009 09 29 Copyright 2009 Clavi...

Page 2: ...ose The manufacturer reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of the manufacturer to notify any person of such revis...

Page 3: ...3 Console Port Connection 16 2 4 Connecting Power 18 3 CorePlus Configuration 20 3 1 Management Workstation Connection 20 3 2 Web Interface and Wizard Setup 24 3 3 Manual Web Interface Setup 31 3 4 C...

Page 4: ...splay 9 2 1 A Typical 1000 Base LX SX Module 14 2 2 Installing a 1000 Base LX SX Module 14 2 3 A typical 1000 Base TX module 14 2 4 Installing a 1000 Base TX Module 15 2 5 The SG4300 Series RS 232 Con...

Page 5: ...in text Special sections of text which the reader should pay special attention to are indicated by icons on the the left hand side of the page followed by a short paragraph in italicized text There ar...

Page 6: ...liance 2 A mounting kit for 19 racks The side brackets for this kit are already attached but can be removed for flat surface operation 3 Attachable rubber feet for flat surface mounting 4 An Ethernet...

Page 7: ...1 1 Unpacking the Product Chapter 1 Product Overview 7...

Page 8: ...e of 4 LEDs which show SFP port status These are illuminated green when a link is established 6 x RJ45 Gigabit Ethernet ports with logical interface names ge1 to ge6 These connections are capable of l...

Page 9: ...en this is indicated along with how much time is left before timeout If CorePlus is in lockdown mode then this is shown CPU and Connections This shows the CPU load and the total number of current stat...

Page 10: ...peed iii If the link is full duplex FD or half duplex HD This is not shown if the linkspeed is Gigabit since it will always be full duplex iv The IP address assigned to the interface Hardware Monitor...

Page 11: ...1 3 The Keypad and Display Chapter 1 Product Overview 11...

Page 12: ...tal with the rating limit for the circuit The maximum ampere ratings are usually printed on the devices near the AC power connectors Do not install the appliance in an environment where the operating...

Page 13: ...be followed A rack or cabinet used for mounting should be adequately secured to prevent it from becoming unstable and or falling over Devices installed in a rack or cabinet should be mounted as low as...

Page 14: ...urchased separately Installation of different types SFP units is usually done in a similar way With the units shown the modules are inserted into sockets with the label facing upwards The module slide...

Page 15: ...000 Base TX Module Note The installation images above do not feature the SG4300 Series However the SFP installation principles are the same on all Clavister hardware models 2 2 Installing SFP Modules...

Page 16: ...d Wizard Setup If the RS 232 port is used for setup no password is initially needed and the CLI commands required are described in Section 3 4 CLI Setup Note Setting a console password The serial cons...

Page 17: ...sole port follow these steps 1 Check that the console connection settings are configured as described above 2 Connect one of the connectors on the RS 232 cable supplied directly to the console port on...

Page 18: ...eries 2 Plug the other end of the power cord into a grounded power outlet 3 Power on the appliance using the On Off switch at the back of the unit 4 The SG4300 Series will boot up and CorePlus will st...

Page 19: ...2 4 Connecting Power Chapter 2 Installation 19...

Page 20: ...tandard web browser running on a standalone computer also referred to as the management workstation can be used to access the CorePlus Web Interface This provides an intuitive graphical interface for...

Page 21: ...below and in the setup wizard as the WAN interface In this manual we will assume that the physical ge2 interface of the SG4300 Series is used for Internet connection although it could be any other un...

Page 22: ...ault management interface To enter these settings on a PC running Windows XP the following steps are needed Click the Start button Right click on My Network Places and select Properties Right click th...

Page 23: ...Note Apple Mac Workstation Setup To set up an Apple Mac as the workstation see Appendix D Apple Mac IP Setup 3 1 Management Workstation Connection Chapter 3 CorePlus Configuration 23...

Page 24: ...mporarily turned off to allow the setup wizard to run If there is no response from CorePlus and the reason is not clear refer to the help checklist in Section 3 5 Troubleshooting Setup The CorePlus Se...

Page 25: ...changes have been made and activated either through the wizard Web Interface or CLI then the wizard cannot be run since the wizard requires that CorePlus has the factory defaults The Wizard Assumes In...

Page 26: ...e forgotten restoring to factory defaults will restore the original admin admin combination The password should be composed in a way which makes it difficult to guess Wizard step 2 Set the date and ti...

Page 27: ...the next wizard screen All fields need to be entered except for the Secondary DNS server field 4B DHCP automatic configuration All required IP addresses will automatically be retrieved from the ISP s...

Page 28: ...y the ISP DNS servers are set automatically after connection with PPTP Wizard step 5 DHCP server settings If the Clavister Security Gateway is to function as a DHCP server it can be enabled here in th...

Page 29: ...NS server specified should be the DNS supplied by your ISP When specifying a hostname as a server instead of an IP address the hostname should be prefixed with the string dns For example the hostname...

Page 30: ...key to do this For the SG4300 Series this key can be found written on the label on the underside of the unit If you are already registered as a customer then you will need to login to the Customer We...

Page 31: ...be different any interface can perform any logical function With the SG4300 Series the ge1 interface is the default management interface The other interfaces can be used as required For this section...

Page 32: ...must have the prefix dns Once the values are set correctly we can press the OK button to save the values while we move on to more steps in CorePlus configuration Although changed values like this are...

Page 33: ...e activating a new configuration Sometimes activating configuration changes in small batches can be appropriate in order to check that a small set of changes work as planned It is however not advisabl...

Page 34: ...setup is done Also these addresses are private IP addresses and in reality an ISP would use public IP addresses instead Let s now add the gateway IP4 Address object which we will call wan_gw and assig...

Page 35: ...r Enter the details of the object into the properties fields for the IP4 Address Below we have entered the IP address 10 5 4 1 for the address object called wan_gw This is the IP of the ISP s router w...

Page 36: ...to a given destination network and destination interface A route defined in a CorePlus routing table which specifies on which interface CorePlus can find the traffic s destination IP address If multi...

Page 37: ...be created which are combinations of existing services We could have specified the rule Action to be Allow but only if all the hosts on the protected local network have public IP addresses By using N...

Page 38: ...dress objects Note Disabling automatic route generation Automatic route generation is enabled and disabled with the setting Automatically add a default route for this interface using the given default...

Page 39: ...n CorePlus routing table which specifies that the network all nets can be found on the interface connected to the ISP and this route must also have the correct Default Gateway IP address specified Thi...

Page 40: ...erface object needs to be created Let us assume that the PPTP tunnel will be called wan_pptp with a a remote endpoint 10 5 4 1 which has been defined as the IP4 Address object pptp_endpoint Go to Inte...

Page 41: ...o do this go to System DHCP DHCP Servers and select Add DHCP Server We can now specify the server properties In addition it is important to specify the Default gateway for the server This will be hand...

Page 42: ...w through the Clavister Security Gateway As discussed earlier the CorePlus will drop any traffic unless an IP rule explicitly allows it Let us suppose that we wish to allow the pinging of external hos...

Page 43: ...connection then the default rule is triggered This rule is hidden and cannot be changed and its action is to drop all such traffic as well as generate a log message for the drop In order to gain cont...

Page 44: ...ted For example we can delete the drop all IP rule created in the previous paragraph by right clicking the rule and selecting Delete in the context menu The rule now appears with a line scored through...

Page 45: ...then the Upload License button to send it to CorePlus As soon as upload of the license is complete the 2 hour restriction will be removed and CorePlus will be restricted only by the restrictions of th...

Page 46: ...console port and a username password combination will not be required a password for this console can be set later Device If connecting remotely through an SSH Secure Shell client an administration u...

Page 47: ...can be used as desired For the sake of example we will assume that the ge2 interface will be used for connection to the public Internet and the ge3 interface will be used for connection to a protected...

Page 48: ...ress object which is located in a folder we must qualify the object s name with the name of the folder When we specify for example the address ge2_ip we must qualify it with the folder name InterfaceA...

Page 49: ...he internal network hosts have public IP addresses but in most scenarios this will not be true and internal hosts will have private IP addresses In that case we must use NAT to send out traffic so tha...

Page 50: ...route is added the connection to the Internet is configured but no traffic can flow to or from the Internet since there is no IP rule defined that allows it As was done in the previous option A above...

Page 51: ...network for this route is the Remote Network specified for the tunnel and for the public Internet this should be all nets As with all automatically added routes if the PPTP tunnel object is deleted th...

Page 52: ...ed to maintain the accuracy of the system date and time The command below sets up synchronization with the two NTP servers at hostname pool ntp org and IP address 10 5 4 76 Device set DateTime TimeSyn...

Page 53: ...nded to create a drop all rule as the last rule in the main IP rule set This rule has an Action of Drop with the source and destination network set to all nets and the source and destination interface...

Page 54: ...nected Check the link indicator lights on the management interface If they are dark then there may be a cable problem 5 Check the cable type connected to the management interface Is the management int...

Page 55: ...ill show the ARP packets being received on the different interfaces and confirm that the correct cables are connected to the correct interfaces 3 5 Troubleshooting Setup Chapter 3 CorePlus Configurati...

Page 56: ...defined so all traffic is dropped At least one IP rule needs to be defined before traffic can traverse the Clavister Security Gateway In addition to IP rules routes need to be defined so that traffic...

Page 57: ...vister company website at http www clavister com or contact your local sales representative Staying Informed Clavister maintains an RSS feed of announcements that can be subscribed to at https forums...

Page 58: ...3 6 Going Further with CorePlus Chapter 3 CorePlus Configuration 58...

Page 59: ...rranty service can be obtained within the warranty period with the following steps 1 Obtain a Return Material Authorization RMA number from Clavister This must be obtained before the product is sent b...

Page 60: ...vister support can be contacted by email at support clavister com Customer Remedies Clavister s entire liability according to this warranty shall be at Clavister s option either return of the price pa...

Page 61: ...e A 2 Regulatory and Safety Standards Safety UL CE EMC FCC class A CE class A VCCI class A Figure A 3 Environmental Humidity 20 to 95 noncondensing Operational Temperature 0 to 45 C Vibration 0 41 Grm...

Page 62: ...Appendix B Declarations of Conformity 62...

Page 63: ...Appendix B Declarations of Conformity 63...

Page 64: ...ddsjorden har terst llts F r LAN kablage g ller dessutom att om LAN et t cker ett omr de som betj nas av mer n ett str mf rs rjningssystem m ste deras respektive skyddsjord vara ihopkopplade LAN kabla...

Page 65: ...essere installato un collegamento a terra di sicurezza non interrompibile che vada dalla fonte d alimentazione principale ai terminali d entrata al cavo d alimentazione oppure al set cavo d alimentazi...

Page 66: ...nes en la red de energ a el ctrica Manejar con precauci n los componentes de metal de la LAN que est n al descubierto Este aparato no contiene pieza alguna susceptible de reparaci n por parte del usua...

Page 67: ...ity Gateway To do this a selected Ethernet interface on the Mac must be configured correctly with a static IP The setup steps for this with Mac OS X are 1 Go to the Apple Menu and select System Prefer...

Page 68: ...5 Now set the following values IP Address 192 168 1 30 Subnet Mask 255 255 255 0 Router 192 168 1 1 6 Click Apply to complete the static IP setup Appendix D Apple Mac IP Setup 68...

Reviews:

No comments