Celal

The End User's Journey To The Internet

Every end user wonders how their computer actually connects to the Internet. This article is partly for end users and partly for beginner network engineers :). You decide. First of all, you need to carry out some steps to connect to the Internet. If you are an enterprise with your own applications and servers, the following list applies.

  • This real-IP must be announced to the external world with the help of the BGP protocol

  • You need a device that is capable of NAT (network address translation)

The following diagram shows the logic.

For home users it is different. The logic is the same, but there is only one component, called a modem. A modem capable of routing and NAT is a single box with simple features. A simple modem does not include the BGP feature. The ISP (Internet Service Provider) assigns one of its real-IP addresses, taken from IANA, to your modem's WAN interface and configures BGP on its own network devices instead of you. The modem only does NAT. Home users do nothing; they just connect to the Internet :)

Everything is simple for home users :) But it's not that easy for corporate (enterprise) networks. Let's look at how to do this in corporate networks.


We assume that we applied to IANA for our real IP and received our IP address from RIPE. Now we can configure our network devices.

After that, I will do some configuration and continue step by step.

I used EVE-NG to create this lab. I added all configurations at the bottom of the page.


The components of this lab;

Cisco Rtr/Sw

PaloAlto-VM


I simulated the provider side myself. I added some interfaces and assigned some Internet addresses to them. You can see all the configuration files at the bottom of the page.


Let's start configuring the BGP side;

We have two redundant routers and should choose a primary router for traffic to avoid asymmetric routing (that is, traffic not coming back over the path it went out on). I decided on BGP-RT1 :). Traffic will go out through BGP-RT1 and will return through the same router.


BGP-RT1 config;

interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.248
!
interface Ethernet0/1
 ip address 10.32.0.6 255.255.255.252
!
! OSPF is used for dynamic redundancy
router ospf 1
 network 192.168.1.1 0.0.0.0 area 0
! Propagate the default route to neighbors
 default-information originate always
!
router bgp 15151
 bgp router-id 192.168.1.1
 bgp log-neighbor-changes
! Redistribute OSPF into BGP
 redistribute ospf 1 match external
 neighbor 10.32.0.5 remote-as 13131
! Accept only the default route
 neighbor 10.32.0.5 prefix-list default in
 neighbor 192.168.1.2 remote-as 15151
 neighbor 192.168.1.2 next-hop-self
! Local preference is set to 200
 neighbor 192.168.1.2 route-map local-pref out
!
ip prefix-list default seq 5 permit 0.0.0.0/0
!
ip prefix-list real-IP seq 5 permit 24.24.24.0/24
!
route-map local-pref permit 10
 set local-preference 200

BGP-RT2 config;

interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.248
!
interface Ethernet0/1
 ip address 10.35.0.6 255.255.255.252
!
! OSPF is used for dynamic redundancy
router ospf 1
 network 192.168.1.2 0.0.0.0 area 0
! Propagate the default route to neighbors
 default-information originate always
!
router bgp 15151
 bgp router-id 192.168.1.2
 bgp log-neighbor-changes
! Redistribute OSPF into BGP
 redistribute ospf 1 match external
 neighbor 10.35.0.5 remote-as 41141
! Accept only the default route
 neighbor 10.35.0.5 prefix-list default in
! Used so that return traffic comes back over BGP-RT1
 neighbor 10.35.0.5 route-map prepend out
 neighbor 192.168.1.1 remote-as 15151
 neighbor 192.168.1.1 next-hop-self
!
ip prefix-list default seq 5 permit 0.0.0.0/0
!
ip prefix-list real-IP seq 5 permit 24.24.24.0/24
!
route-map prepend permit 10
 match ip address prefix-list real-IP
! Prepend our AS so this path looks farther away than BGP-RT1
 set as-path prepend 15151 15151 15151 15151
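
An added check, not part of the original lab: the `router bgp` stanzas above are copied into constructed excerpts and audited for eBGP neighbors that have no inbound or outbound filter. On BGP-RT1 the real-IP prefix-list is defined but not attached to the ISP session, so the script reports 10.32.0.5 as unfiltered outbound; the name audit_ebgp_filters is an assumption of this example.

```python
import re

# Constructed excerpts: the "router bgp" stanzas from the two configs above.
RT1 = """router bgp 15151
 redistribute ospf 1 match external
 neighbor 10.32.0.5 remote-as 13131
 neighbor 10.32.0.5 prefix-list default in
 neighbor 192.168.1.2 remote-as 15151
 neighbor 192.168.1.2 next-hop-self
 neighbor 192.168.1.2 route-map local-pref out
"""
RT2 = """router bgp 15151
 redistribute ospf 1 match external
 neighbor 10.35.0.5 remote-as 41141
 neighbor 10.35.0.5 prefix-list default in
 neighbor 10.35.0.5 route-map prepend out
 neighbor 192.168.1.1 remote-as 15151
 neighbor 192.168.1.1 next-hop-self
"""

# Per-neighbor policy statements that filter routes in one direction.
FILTER = re.compile(
    r"neighbor (\S+) (?:prefix-list|route-map|filter-list|distribute-list) \S+ (in|out)$")

def audit_ebgp_filters(config):
    """Return {ebgp_peer: [directions with no filter]} for one BGP stanza."""
    local_as, remote_as, filtered = None, {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"router bgp (\d+)$", line):
            local_as = m.group(1)
        elif m := re.match(r"neighbor (\S+) remote-as (\d+)$", line):
            remote_as[m.group(1)] = m.group(2)
        elif m := FILTER.match(line):
            filtered.setdefault(m.group(1), set()).add(m.group(2))
    findings = {}
    for peer, asn in remote_as.items():
        if asn == local_as:
            continue  # iBGP peer inside our own AS, not an Internet edge
        missing = [d for d in ("in", "out") if d not in filtered.get(peer, set())]
        if missing:
            findings[peer] = missing
    return findings

if __name__ == "__main__":
    for name, cfg in (("BGP-RT1", RT1), ("BGP-RT2", RT2)):
        print(name, audit_ebgp_filters(cfg) or "all eBGP peers filtered both ways")
```

On BGP-RT2 the `prepend` route-map matches only the real-IP prefix-list, so its implicit deny already limits what is sent to that provider.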

Firewall Side (PaloAlto);

There are a lot of articles about PaloAlto HA configuration on the Internet. Now I will talk about OSPF, NAT, and policy configuration on PaloAlto.

Our zones and interfaces are below;


1-) Routing configuration;

We assume that RIPE has assigned the IP address (24.24.24.0/24) to you. We need to announce this network to the world, which is why we used the BGP protocol above. My topology may seem confusing to you. I could announce the real IP address directly on the BGP routers by writing a static route (ip route 24.24.24.0 255.255.255.0 null 0). But I didn't do that. I defined the firewall as the distribution point for real IPs. I will announce my real-IP address from the firewall to the BGP routers with OSPF and then redistribute OSPF into BGP on BGP-RT1 and BGP-RT2. Thus, my real IP will be announced to ISP1 and ISP2. That's all.


a) Static route configuration;

I could assign my real-IP address to any interface, but I didn't. If I had assigned the real IPs to an interface, they could only be used on that interface. Instead, I defined it as a static route. Now it can be used anywhere on the firewall.

b) OSPF configuration;


2-) NAT rules;

I will translate the end-user private network (192.168.10.0/24) to the real-IP address 24.24.24.24, because the outside world does not know our private network.


3-) Policy

This rule must be written on the firewall to allow end users' Internet traffic. You can allow only the HTTP and HTTPS services if you want.

4-) Troubleshooting

Look at the BGP router output;

Look at the firewall OSPF output;


End-user test;

Thanks for reading.


