Home
/
Asus
/
Internet Security Router
/
User Manual

Asus Internet Security Router, User Manual

Share

Page: 123 / 167

Asus Internet Security Router User Manual Download Page 123

Internet Security Router User

’

s Manual

Chapter 10. Configuring VPN

107

Figure 10.17. Extranet Example

–

Inbound ACL Rule on ISR2

10.6.2.4 Establish Tunnel and Verify

„

Start continuous ping from a host on the LAN behind ISR1 to a host on the LAN behind ISR2. The first
few pings would fail. After a few seconds, The host on the LAN behind ISR1 should start getting ping
response.

„

Ping from a host on the LAN behind ISR2 to a host on the LAN behind ISR1. Ping should be
successful.

„

The ping might fail due to any of the following:

„

The IP address of the host on the LAN behind ISR2 used in the ping command may not be correct.
Check and give the correct IP address.

„

Default route is not configured for ISR1 or ISR2. Configure the default routes as necessary.

„

Firewall rules corresponding to VPN connection may not be configured properly. If any of the
network addresses is not correctly configured, correct the parameters and apply the configuration.

„

Local and remote network addresses may not be configured correctly. The network addresses used
in VPN connection rule are 192.168.11.0/255.255.255.0 and 192.168.12.0/255.255.255.0.

«
...
121
122
123
124
125
...
»

Summary of Contents for Internet Security Router

Page 1: ...Internet Security Router User s Manual Revision 1 1 Oct 30 2003 ...

Page 2: ... EVEN IF ASUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES ARISING FROM ANY DEFECT OR ERROR IN THIS MANUAL OR PRODUCT Product warranty or service will not be extended if 1 the product is repaired modified or altered unless such repair modification of alteration is authorized in writing by ASUS or 2 the serial number of the product is defaced or missing Products and corporate names appearing...

Page 3: ... Firewall Features 4 2 4 1 1 Address Sharing and Management 4 2 4 1 1 ACL Access Control List 5 2 4 1 2 Stateful Packet Inspection 5 2 4 1 3 Defense against DoS Attacks 5 2 4 1 4 Application Command Filtering 6 2 4 1 5 Application Level Gateway ALG 6 2 4 1 6 URL Filtering 6 2 4 1 7 Log and Alerts 6 2 4 1 8 Remote Access 7 2 4 2 VPN 7 3 Quick Start Guide 9 3 1 Part 1 Connecting the Hardware 9 3 1 1...

Page 4: ...urity Router 14 3 3 3 Testing Your Setup 20 3 3 4 Default Router Settings 20 4 Getting Started with the Configuration Manager 21 4 1 Log into Configuration Manager 21 4 2 Functional Layout 22 4 2 1 Setup Menu Navigation Tips 22 4 2 2 Commonly Used Buttons and Icons 22 4 3 The Home Page of Configuration Manager 23 4 4 Overview of System Configuration 23 5 Configuring LAN Settings 25 5 1 LAN IP Addr...

Page 5: ...eters 34 6 4 2 Configuring Static IP for WAN 34 6 5 Viewing WAN Statistics 35 7 Configuring Routes 37 7 1 Overview of IP Routes 37 7 1 1 Do I need to define IP routes 37 7 2 Dynamic Routing using RIP Routing Information Protocol 38 7 2 1 Enabling Disabling RIP 38 7 3 Static Routing 38 7 3 1 Static Route Configuration Parameters 38 7 3 2 Adding Static Routes 38 7 3 3 Deleting Static Routes 38 7 3 4...

Page 6: ... ACL Rule Configuration Parameters 49 9 3 2 Access Inbound ACL Rule Configuration Page Firewall è Inbound ACL 52 9 3 3 Add Inbound ACL Rules 52 9 3 4 Modify Inbound ACL Rules 53 9 3 5 Delete Inbound ACL Rules 53 9 3 6 Display Inbound ACL Rules 53 9 4 Configuring Outbound ACL Rules 53 9 4 1 Outbound ACL Rule Configuration Parameters 54 9 4 2 Access Outbound ACL Rule Configuration Page Firewall è Ou...

Page 7: ...rvice 63 9 6 2 4 Modify a Service 64 9 6 2 5 Delete a Service 64 9 6 2 6 View Configured Services 64 9 6 3 Configuring DoS Settings 64 9 6 3 1 DoS Protection Configuration Parameters 64 9 6 3 2 Access DoS Configuration Page Firewall è Advanced è DoS 66 9 6 3 3 Configuring DoS Settings 66 9 7 Firewall Policy List Firewall è Policy List 66 9 7 1 Configuring Application Filter 67 9 7 1 1 Application ...

Page 8: ... 2 Access Time Range Configuration Page Firewall è Policy List è Time Range 81 9 7 4 3 Add a Time Range 81 9 7 4 4 Modify a Time Range 81 9 7 4 5 Delete a Time Range 82 9 7 4 6 Delete a Schedule in a Time Range 82 9 7 4 7 Time Range Example 82 9 8 Firewall Statistics Firewall è Statistics 83 10 Configuring VPN 85 10 1 Default Parameters 85 10 2 VPN Tunnel Configuration Parameters 87 10 3 Establish...

Page 9: ...ccess User Group Configuration Page Remote Access è User Group 110 11 2 3 Add a User Group and or a User 110 11 2 4 Modify a User Group or a User 111 11 2 5 Delete a User Group or a User 111 11 2 6 User Group and Users Configuration Example 112 11 3 Configure Group ACL Rules 112 11 3 1 Group ACL Specific Configuration Parameters 112 11 3 2 Access Group ACL Configuration Page Remote Access è Group ...

Page 10: ... 5 1 Reset System Configuration 126 12 5 2 Backup System Configuration 127 12 5 3 Restore System Configuration 127 12 6 Upgrade Firmware 128 12 7 Reset the Internet Security Router 129 12 8 Logout Configuration Manager 130 13 ALG Configuration 131 14 IP Addresses Network Masks and Subnets 135 14 1 IP Addresses 135 14 1 1 Structure of an IP address 135 14 2 Network classes 135 14 3 Subnet masks 136...

Page 11: ...21 Figure 4 2 Typical Configuration Manager Page 22 Figure 4 3 Setup Wizard Home Page 23 Figure 4 4 System Information Page 24 Figure 5 1 LAN IP Address Configuration Page 26 Figure 5 2 DHCP Configuration Page 27 Figure 5 3 LAN Statistics Page 30 Figure 6 1 WAN PPPoE Configuration Page 31 Figure 6 2 WAN Dynamic IP DHCP client Configuration Page 33 Figure 6 3 WAN Static IP Configuration Page 34 Fig...

Page 12: ...mple Add an FTP Filter to Deny FTP Delete Command 70 Figure 9 21 FTP Filter Example Associate FTP Filter Rule to an ACL Rule 71 Figure 9 22 HTTP Filter Example Configuring HTTP Filter Rule 71 Figure 9 23 HTTP Filter Example Associate HTTP Filter Rule to an ACL Rule 72 Figure 9 24 Modify an Application Filter 73 Figure 9 25 IP Pool Configuration Page 74 Figure 9 26 Network Diagram for IP Pool Confi...

Page 13: ...n Example 112 Figure 11 3 Goup ACL Configuration Page 113 Figure 11 4 Login Console 114 Figure 11 5 Login Status Screen 114 Figure 11 6 Network Diagram for Inbound Remote Access 114 Figure 11 7 User and User Group Configuration Example 115 Figure 11 8 Group ACL Configuration Example 115 Figure 11 9 VPN Virtual IP Configuration Page 116 Figure 11 10 Network Diagram for VPN Remote Access 117 Figure ...

Page 14: ...ry 20 Table 4 1 Description of Commonly Used Buttons and Icons 22 Table 5 1 LAN IP Configuration Parameters 25 Table 5 2 DHCP Configuration Parameters 28 Table 5 3 DHCP Address Assignment 28 Table 6 1 WAN PPPoE Configuration Parameters 32 Table 6 2 WAN Dynamic IP Configuration Parameters 32 Table 6 3 WAN Static IP Configuration Parameters 34 Table 7 1 Static Route Configuration Parameters 38 Table...

Page 15: ...ameter 87 Table 10 5 VPN Statistics 95 Table 10 6 Outbound Un translated Firewall Rule for VPN Packets on ISR1 98 Table 10 7 Inbound Un translated Firewall Rule for VPN Packets on ISR1 98 Table 10 8 Outbound Un translated Firewall Rule for VPN Packets on ISR1 99 Table 10 9 Inbound Un translated Firewall Rule for VPN Packets on ISR1 100 Table 11 1 User Group Configuration Parameters 109 Table 11 2 ...

Page 16: ......

Page 17: ...rnet access you must have the following ADSL or cable modem and the corresponding service up and running with at least one public Internet address assigned to your WAN One or more computers each containing an Ethernet 10Base T 100Base T network interface card NIC Optional An Ethernet hub switch if you are connecting the device to more than four computers on an Ethernet network For system configura...

Page 18: ...tion or non essential information on the current topic Definition Explains terms or acronyms that may be unfamiliar to many readers These terms are also included in the Glossary WARNING Provides messages of high importance including messages relating to personal safety or system integrity ...

Page 19: ...nt panel contains LED indicators that show the status of the unit Figure 2 1 Front Panel LEDs Table 2 1 Front Panel Label and LEDs Label Color Function POWER green On Unit is powered on Off Unit is powered off ALARM green For factory testing only WAN green On WAN link established and active Flashing Data is transmitted via WAN connection Off No WAN link LAN1 LAN4 green On LAN link is established F...

Page 20: ... to the Internet Security Router This feature conceals network address and prevents them from becoming public It maps unregistered IP addresses of hosts connected to the LAN with valid ones for Internet access The Internet Security Router Firewall also provides reverse NAT capability which enables SOHO users to host various services such as e mail servers web servers etc The NAT rules drive the tr...

Page 21: ...r and protocol Use of the wild card for composing filter rules Filter Rule priorities Time based filters Application specific filters User group based filters for remote access 2 4 1 2 Stateful Packet Inspection The Internet Security Router Firewall uses stateful packet inspection that extracts state related information required for the security decision from the packet and maintains this informat...

Page 22: ...way ALG Applications such as FTP games etc open connections dynamically based on the respective application parameter To go through the firewall on the Internet Security Router packets pertaining to an application require a corresponding allow rule In the absence of such rules the packets will be dropped by the Internet Security Router Firewall As it is not feasible to create policies for numerous...

Page 23: ...ork such as the Internet comes with a lot of advantages and associated risks These risks include the lack of confidentiality of data being sent and the authenticity of the identities of the parties involved in the exchange of data The VPN supported in the Internet Security Router is intended to resolve these issues at an affordable price The VPN supported by the Internet Security Router is IPSec c...

Page 24: ...ons over a public networking infrastructure VPN have become the logical solution for remote access connectivity Deploying a remote access VPN enables corporations to reduce communications expenses by leveraging the local dial up infrastructure of Internet Service Providers At the same time VPNs allow mobile workers telecommuters and day extenders to take advantage of broadband connectivity ...

Page 25: ...pplicable and the Internet Security Router Figure 3 1 illustrates the hardware connections Please follow the steps that follow for specific instructions 3 1 1 Step 1 Connect an ADSL or a cable modem For the Internet Security Router Connect one end of the Ethernet cable to the port labeled WAN on the rear panel of the device Connect the other end to the Ethernet port on the ADSL or cable modem 3 1 ...

Page 26: ...erify that the LEDs are illuminated as indicated in Table 3 1 Table 3 1 LED Indicators This LED should be POWER Solid green to indicate that the device is turned on If this light is not on check if the power adapter is attached to the Internet Security Router and if it is plugged into a power source LAN1 LAN4 Solid green to indicate that the device can communicate with your LAN or flashing when th...

Page 27: ...rd NIC and select Properties Often this icon is labeled Local Area Connection The Local Area Connection dialog box displays with a list of currently installed network items 4 Ensure that the check box to the left of the item labeled Internet Protocol TCP IP is checked and click Properties button 5 In the Internet Protocol TCP IP Properties dialog box click the radio button labeled Obtain an IP add...

Page 28: ... the list includes such an entry then the TCP IP protocol has already been enabled Skip to step 8 3 If Internet Protocol TCP IP does not display as an installed component click Add button 4 In the Select Network Component Type dialog box select Protocol and then click Add button 5 Select Microsoft in the Manufacturers list box and then click TCP IP in the Network Protocols list box and then click ...

Page 29: ... static IP addresses to your PCs In some cases you may want to assign IP addresses to some or all of your PCs directly often called statically rather than allowing the Internet Security Router to assign them This option may be desirable but not required if You have obtained one or more public IP addresses that you want to always associate with specific computers for example if you are using a comp...

Page 30: ... Function Click this button to save the information and proceed to the next configuration page Click this button to go back to the previous configuration page 3 3 2 Setting Up the Internet Security Router Follow these instructions to setup the Internet Security Router 1 Before accessing the Configuration Manager in the Internet Security Router make sure that the HTTP proxy setting is disabled in y...

Page 31: ...rd home page displays each time you log into the Configuration Manager shown in Figure 3 3 on page 15 Figure 3 3 Setup Wizard Home Page Figure 3 4 Setup Wizard Password Configuration Page 4 Click on the button to enter the password configuration page as shown in Figure 3 4 Change the password in the spaces provided if desired Otherwise proceed to the next configuration page by clicking on the butt...

Page 32: ...Time Zone drop down list Click to save the settings and then click on the button to go to the next configuration page There is no real time clock inside the Internet Security Router The system date and time are maintained by the external network time server There is no need to set the date and time here unless you don t have access to a time server and you want the Internet Security Router to main...

Page 33: ...completed the rest of the configurations and confirm that your Internet connection is working Click on the button to proceed to the next configuration page 9 Now we are at the last page of the Setup Wizard which is to configure the WAN settings for the Internet Security Router Depending on the connection mode required for your ISP you can select from the following three connection modes from the C...

Page 34: ...c IP Configuration Page a PPPoE Connection Mode see Figure 3 9 You don t need to enter primary secondary DNS IP addresses as PPPoE is able to automatically obtain this information for you from your ISP However if you prefer to use your favorite DNS servers you may enter them in the space provided Connection Mode drop down list Connection Mode drop down list ...

Page 35: ...n the space provided Host name is optional You may leave it empty if your ISP did not provide such information If you had previously registered a specific MAC address with your ISP for Internet connections enter the registered MAC address here and make sure you check the MAC cloning check box Click on button to save the dynamic IP settings Figure 3 11 Setup Wizard WAN Static IP Configuration Page ...

Page 36: ...rk Table 3 2 lists some of the most important default settings these and other features are described fully in the subsequent chapters If you are familiar with network configuration settings review the settings in Table 3 2 to verify that they meet the needs of your network Follow the instructions to change them if necessary If you are unfamiliar with these settings try using the device without mo...

Page 37: ...eed the following A computer connected to the LAN or WAN port on the Internet Security Router as described in the Quick Start Guide chapter A web browser installed on the computer The program is designed to work best with Microsoft Internet Explorer 5 5 Netscape 7 0 2 or later You may access the program from any computer connected to the Internet Security Router via the LAN or WAN ports However th...

Page 38: ...hese to display a specific configuration page Figure 4 2 Typical Configuration Manager Page A separate page displays in the right hand side frame for each menu For example the configuration page displayed in Figure 4 2 is intended for DHCP configuration 4 2 1 Setup Menu Navigation Tips To expand a group of related menus click on the sign next to the corresponding file folder icon To contract a gro...

Page 39: ...ne help for the current topic in a separate browser window Help is available from any main topic page Redisplays the current page with updated statistics or settings Selects the item for editing Deletes the selected item 4 3 The Home Page of Configuration Manager The Setup Wizard home page displays when you first access the Configuration Manager Figure 4 3 Setup Wizard Home Page 4 4 Overview of Sy...

Page 40: ...Chapter 4 Getting Started with the Configuration Manager Internet Security Router User s Manual 24 Figure 4 4 System Information Page ...

Page 41: ... set of IP addresses that you want to use with your network Note The Internet Security Router itself can function as a DHCP server for your LAN computers as described in section 5 2 3 Configuring DHCP Server but not for its own LAN port 5 1 1 LAN IP Configuration Parameters Table 5 1describes the configuration parameters available for LAN IP configuration Table 5 1 LAN IP Configuration Parameters ...

Page 42: ...etwork administrators to centrally manage the assignment and distribution of IP information to computers on a network When you enable DHCP on a network you allow a device such as the Internet Security Router to assign temporary IP addresses to your computers whenever they connect to your network The assigning device is called a DHCP server and the receiving device is a DHCP client Note If you foll...

Page 43: ... Security Router is configured as a DHCP server on the LAN side with a predefined IP address pool of 192 168 1 10 through 192 168 1 42 subnet mask 255 255 255 0 To change this range of addresses follow the procedures described in this section First you must configure your PCs to accept DHCP information assigned by a DHCP server 1 Log into Configuration Manager as administrator click the LAN menu a...

Page 44: ...s of the Internet Security Router as it will serve as DNS proxy for the LAN computers and forward the DNS request from the LAN to DNS servers and relay the results back to the LAN computers Note that both the primary and secondary DNS servers are optional Primary Secondary WINS Server IP Address optional The IP address of the WINS servers to be used by computers that receive IP addresses from the ...

Page 45: ...he PC or in the DHCP pool or you can specify the address of the LAN port on the Internet Security Router e g 192 168 1 1 When you specify the LAN port IP address the device performs DNS relay as described in the following section Note If you specify the actual DNS addresses on the PCs or in the DHCP pool the DNS relay feature is not used 5 3 3 Configuring DNS Relay When you specify the device s LA...

Page 46: ... is the LAN IP address Similarly if after enabling DNS relay you specify a DNS address other than the LAN IP address in a DHCP pool or statically on a PC then that address will be used instead of the DNS relay address 5 4 Viewing LAN Statistics You can view statistics of your LAN traffic on the Internet Security Router You will not typically need to view this data but you may find it helpful when ...

Page 47: ...AN in this chapter 6 1 WAN Connection Mode Three modes of WAN connection are supported by the Internet Security Router PPPoE dynamic IP and static IP You may select one of the WAN connection modes required by your ISP from the Connection Mode drop down list in WAN Configuration page as shown in Figure 6 1 Figure 6 1 WAN PPPoE Configuration Page 6 2 PPPoE 6 2 1 WAN PPPoE Configuration Parameters Ta...

Page 48: ...ep Alive Enable this option if you wish to keep your Internet connection active even when there is no traffic Enter the value for the Echo Interval at which you want the Internet Security Router to send out some data periodically to your ISP The default value of Echo Interval is 60 second 6 2 2 Configuring PPPoE for WAN Follow the instructions below to configure PPPoE settings 1 Select PPPoE from ...

Page 49: ...gure dynamic IP settings 1 Select Dynamic from the Connection Mode drop down list as shown in Figure 6 2 2 Optional Enter host name in the space provided if required by your ISP 3 Optional Enter the IP addresses for the primary and secondary DNS servers if you want to use your preferred DNS servers otherwise skip this step 4 If you had previously registered a specific MAC address with your ISP for...

Page 50: ...n the same subnet as the WAN on the Internet Security Router Primary Secondary DNS You must at least enter the IP address of the primary DNS server Secondary DNS is optional 6 4 2 Configuring Static IP for WAN Figure 6 3 WAN Static IP Configuration Page Follow the instructions below to configure static IP settings 1 Select Static from the Connection Mode drop down list as shown in Figure 6 3 2 Ent...

Page 51: ...ry of the WAN configuration at the bottom half of the configuration page 6 5 Viewing WAN Statistics You can view statistics of your WAN traffic You will not typically need to view this data but you may find it helpful when working with your ISP to diagnose network and Internet data transmission problems To view WAN IP statistics click Statistics on the WAN submenu Figure 6 4 shows the LAN Statisti...

Page 52: ......

Page 53: ...provide the most appropriate path for all your Internet traffic On your LAN computers a default gateway directs all Internet traffic to the LAN port on the Internet Security Router Your LAN computers know their default gateway either because you assigned it to them when you modified their TCP IP properties or because you configured them to receive the information dynamically from a server whenever...

Page 54: ...e route that creates the default gateway Note that destination IP must be a network ID The default route uses a destination IP of 0 0 0 0 Refer to Appendix 13 for an explanation of network ID Destination Netmask Indicates which parts of the destination address refer to the network and which parts refer to a computer on the network Refer to Appendix 13 for an explanation of network masks The defaul...

Page 55: ...users For each of these destination IP addresses the table lists the IP address of the first hop the data should take This table is known as the device s routing table To view the Internet Security Router s routing table click the Routing menu The Static Routing Table displays at the bottom half of the Static Routing Configuration page as shown in Figure 7 1 The Static Routing Table displays a row...

Page 56: ......

Page 57: ...6 DDNS Client and HTTP DDNS Client RFC 2136 DDNS Client domain com ISR Windows 2000 DNS Server sl1000 domain com Figure 8 1 Network Diagram for RFC 2136 DDNS Any interface status change to an external interface sends a DDNS update to the DNS server When connection to Primary DNS server fails the Internet Security Router updates the Secondary DNS server When a DNS update is forced by the administra...

Page 58: ...on to disable the DDNS Service DDNS Type select a DDNS service type HTTP or RFC 2136 DDNS HTTP DDNS Click this radio button if HTTP DDNS is desired RFC 2136 DDNS Click this radio button if RFC 2136 DDNS is desired DNS Zone Name Enter the registered domain name provided by your ISP into this field Note The host name of Internet Security Router has to be configured in the System Information Setup pa...

Page 59: ...Figure 8 3 Note that when you open the DDNS Configuration page a list of existing DDNS configuration is displayed at the bottom half of the configuration page such as those shown in Figure 8 3 8 3 Configuring RFC 2136 DDNS Client Figure 8 3 RFC 2136 DDNS Configuration Page Follow these instructions to configure the RFC 2136 DDNS 1 First you need to ask your system administrator to turn on the DNS ...

Page 60: ...se instructions to configure the HTTP DDNS 1 First you should have already registered a domain name to the DDNS service provider If you have not done so please visit www dns tokyo jp or www dyndns org for more details 2 Make sure that you have a host name configured for the Internet Security Router otherwise go to the System Information Configuration page System Management è System Identity to con...

Page 61: ...on engine in the Internet Security Router maintains a state table that is used to keep track of connection states of all the packets passing through the firewall The firewall will open a hole to allow the packet to pass through if the state of the packet that belongs to an already established connection matches the state maintained by the stateful packet inspection engine Otherwise the packet will...

Page 62: ... hosts is denied Default Outbound Access Rules The default outbound access rule allows all the traffic originated from your LAN to be forwarded to the external network using NAT WARNING It is not necessary to remove the default ACL rule from the ACL rule table It is better to create higher priority ACL rules to override the default rule 9 2 NAT Overview Network Address Translation allows use of a ...

Page 63: ...eater than n Each internal IP address is mapped to one external IP address on a first come first serve basis Figure 9 2 shows that PC B C and D are mapped to a globally valid IP address respectively while PC A does not map to any globally valid IP address If PC A wants to go to the Internet PC A must wait until a global valid IP address is available For example in Figure 9 3 PC B must disconnect f...

Page 64: ...h the globally valid Internet address and the port number is translated with an un used port from the pool of network ports Figure 9 4 shows that all the hosts on the local network gain access to the Internet by mapping to only one globally valid IP address and different port numbers from a free pool of network ports Figure 9 4 NAPT Map Any Internal PCs to a Single Global IP Address Figure 9 5 Rev...

Page 65: ...and or IP address specified in the ACL rule This is useful when multiple services are hosted on different internal machines Figure 9 6 shows that web server TCP 80 is hosted on PC A telnet server TCP 23 on PC B DNS server UDP 53 on PC C and FTP server TCP 21 on PC D This means that the inbound traffic of these four services will be directed to respective host hosting these services 9 3 Configuring...

Page 66: ...st to select one of the following options Any This option allows you to apply this rule to all the computers in the source network such as those on the Internet IP Address This option allows you to specify an IP address on which this rule will be applied IP Address Specify the appropriate network address Subnet This option allows you to include all the computers that are connected in an IP subnet ...

Page 67: ...rt number Single Range Select any of these and enter details as described in the Source Port section above Service This option allows you to select any of the pre configured services selectable from the drop down list instead of the destination port The following are examples of services BATTLE NET PC ANYWHERE FINGER DIABLO II L2TP H323GK CUSEEME MSN ZONE ILS ICQ_2002 ICQ_2000 MSN AOL RPC RTSP7070...

Page 68: ... Disable radio button 9 3 2 Access Inbound ACL Rule Configuration Page Firewall è Inbound ACL Log into Configuration Manager as admin click the Firewall menu and then click the Inbound ACL submenu The Firewall Inbound ACL Configuration page displays as shown in Figure 9 7 Note that when you open the Inbound ACL Configuration page a list of existing ACL rules is also displayed at the bottom half of...

Page 69: ...the following fields action source destination IP source destination port protocol port mapping time ranges application filtering log and VPN Please see Table 9 1 for explanation of these fields 4 Click on the button to modify this ACL rule The new settings for this ACL rule will then be displayed in the inbound access control list table at the bottom half of the Inbound ACL Configuration page 9 3...

Page 70: ...will allow matching packets to pass through Deny Select this button to configure the rule as a deny rule This rule when bound to the Firewall will not allow matching packets to pass through Mave to This option allows you to set a priority for this rule The Internet Security Router Firewall acts on packets based on the priority of the rules Set a priority by specifying a number for its position in ...

Page 71: ...own list to select one of the following options Any This option allows you to apply this rule to all the computers in the destination network such as those on the Internet IP Address Subnet Range and IP Pool Select any of these and enter details as described in the Source IP section above Source Port This option allows you to set the source port to which this rule should apply Use the drop down li...

Page 72: ...ddress that you want the outbound traffic to use Note this option is called NAPT or overload NAT Pool Select this option to associate a pre configured NAT pool to the rule Note that only static dynamic and overload NAT pool can be used to associate with an outbound ACL rule Interface Select this option to use the WAN interface IP address for the outbound traffic Note that WAN IP must be configured...

Page 73: ...riority rules by the firewall 6 Click on the button to create the new ACL rule The new ACL rule will then be displayed in the outbound access control list table at the bottom half of the Outbound ACL Configuration page Figure 9 10 illustrates how to create a rule to allow outbound HTTP traffic This rule allows outbound HTTP traffic to be directed to any host on the external network for a host in y...

Page 74: ...ywords that should not appear in URL s Any URL containing one or more of these keywords will be blocked This is a policy independent feature i e it cannot be associated to ACL rules This feature can be independently enabled disabled but works only if firewall is enabled 9 5 1 URL Filter Configuration Parameters Table 9 3 describes the configuration parameters available for an URL filter rule Table...

Page 75: ...e To delete an URL Filter rule just click on the in front of the rule to be deleted or follow the instructions below 1 Open the URL Configuration page see section 9 5 2 Access URL Filter Configuration Page 2 Click on the icon of the rule to be deleted in the URL Filter Configuration Summary table or select the rule number from the ID drop down list 3 Click on the button to delete this rule 9 5 6 V...

Page 76: ...controlling packets targeting the Internet Security Router itself Services Use this option to configure services applications using specified port numbers Each service record contains the name of service record the IP protocol value and its corresponding port number DoS Use this option to configure DoS Denial of Service parameters This option lists the default set of DoS attacks against which the ...

Page 77: ...Router From WAN Select Enable or Disable to allow or deny traffic from WAN external network to the Internet Security Router 9 6 1 2 Access Self Access Rule Configuration Page Firewall è Advanced è Self Access Log into Configuration Manager as admin click the Firewall menu click the Advanced submenu and then click the Self Access submenu The Firewall Self Access Rule Configuration page displays as ...

Page 78: ...ing Self Access rule and add a new rule instead 4 Click on the button to save the changes The new settings for this Self Access rule will then be displayed in the Self Access rule table located at the bottom half of the Self Access Rule Configuration page 9 6 1 5 Delete a Self Access Rule To delete a Self Access rule click on the icon of the rule to be deleted or follow the instruction below 1 Ope...

Page 79: ...u click the Advanced submenu and then click the Service submenu The Service List Configuration page displays as shown in Figure 9 14 Note that when you open the Service List Configuration page a list of existing configured services is also displayed at the bottom half of the configuration page such as those shown in Figure 9 14 9 6 2 3 Add a Service To add a service follow the instructions below 1...

Page 80: ...e configuration page 9 6 2 6 View Configured Services To see a list of existing services follow the instructions below 1 Open the Service List Configuration Page see section 9 6 2 2 Access Service List Configuration Page 2 The service list table located at the bottom half of the Service Configuration page shows all the configured services 9 6 3 Configuring DoS Settings The Internet Security Router...

Page 81: ...ption to enable or disable protection against TCP sequence number prediction attacks For TCP packets sequence number is used to guard against accidental receipt of unintended data and malicious use by the attackers if the ISN Initial Sequence Number is generated randomly Forged packets w valid sequence numbers can be used to gain trust from the receiving host Attackers can then gain access to the ...

Page 82: ...n is also displayed at the bottom half of the configuration page such as those shown in Figure 9 15 Note that most of these protections are enabled by default when firewall is enabled 9 6 3 3 Configuring DoS Settings By default most DoS protection against all supported attack types are enabled Figure 9 15 shows the default configuration for DoS settings You may check or un check individual type of...

Page 83: ...o filter operations such as VRFY EXPN etc which reveal excess information about the recipient RPC allows you to filter programs based on the assigned RPC program numbers 9 7 1 1 Application Filter Configuration Parameters Table 9 7 describes the configuration parameters available for application filter Table 9 7 Application Filter Configuration Parameters Field Description Filter Type Select the t...

Page 84: ...or deny mail data VRFY Allow or deny verifying the existence of the user EXPN Allow or deny identification for a mailing list TURN Allow or deny the switching roles of the client and server to send mail in the reverse direction SEND Allow or deny initiating a mail transaction HTTP Deny Following Files Add the following command to an HTTP filter to Java Applet Deny all class files Java archive Deny...

Page 85: ...les Note that the configuration for RPC and SMTP is similar to that for FTP and will not be presented here 9 7 1 3 1 FTP Example Add a FTP Filter Rule to Block FTP DELETE Command 10 64 2 0 ISR Private Network 192 168 1 0 24 FTP Server 10 64 2 254 Inside FW Outside FW Figure 9 17 Network Diagram for FTP Filter Example Blocking FTP Delete Command 1 Open the Application Filer Rule Configuration page ...

Page 86: ...o keep the logging for this rule disabled 7 Click on the first FTP commands field a Firewall Configuration Assistant page is displayed Figure 9 19 FTP Filter Example Firewall Configuration Assistant 8 Select the desired FTP command from the FTP Command drop down list and then click on the button The selected FTP command will be added into the selected Deny FTP Commands field Figure 9 20 FTP Filter...

Page 87: ...k JAVA Applets and Java Archives 1 Open the Application Filer Rule Configuration page Firewall è Policy List è Application Filter Figure 9 22 HTTP Filter Example Configuring HTTP Filter Rule 2 Select HTTP from the Filter Type drop down list 3 Select Add New Filter from the Filter Rule drop down list 4 Enter a name for this rule in this example HTTPrule1 5 Change the port number if necessary Howeve...

Page 88: ... on or button to save the settings Figure 9 23 HTTP Filter Example Associate HTTP Filter Rule to an ACL Rule 9 7 1 4 Modify an Application Filter To modify an IP Pool follow the instructions below 1 Open the Application Filter Configuration page see section 9 7 1 2Access Application Filter Configuration Page Firewall è Policy List è Application Filter 2 Select the application filter to modify Clic...

Page 89: ...he filter rule from the Filter Rule drop down 3 Click on the button to delete this filter 9 7 2 Configuring IP Pool 9 7 2 1 IP Pool Configuration Parameters Table 9 8 describes the configuration parameters available for an IP pool Table 9 8 IP Pool Configuration Parameters Field Description IP Pool Name Enter the name of the local IP IP Pool Type Select the type of IP Pool IP Range This option all...

Page 90: ...ow the instructions below 1 Open the IP Pool Configuration page see section 9 7 2 2 Access IP Pool Configuration Page Firewall è Policy List è IP Pool 2 Select Add New Pool from the IP Pool drop down list 3 Enter a pool name into the Name field 4 Select a pool type from the IP Pool Type drop down list 5 If IP Range pool type is selected enter start IP address and end IP address If Subnet pool type...

Page 91: ...n IP Pool To delete an IP Pool click on the icon of the IP pool to be deleted or follow the instruction below 1 Open the IP Pool Configuration page see section 9 7 2 2 Access IP Pool Configuration Page Firewall è Policy List è IP Pool 2 Click on the icon of the IP pool to be deleted in the IP Pool List table or select the IP pool from the IP Pool drop down list 3 Click on the button to delete this...

Page 92: ...P however it can be used to associate to destination IP as well As shown in Figure 9 28 MISgroup1 is not allow to play networked game Quake II at all times Figure 9 28 IP Pool Example Deny QUAKE II Connection for MISgroup1 9 7 3 Configuring NAT Pool 9 7 3 1 NAT Pool Configuration Parameters Table 9 9 describes the configuration parameters available for a NAT pool Table 9 9 NAT Pool Configuration P...

Page 93: ...type of NAT to use a single public IP address to connect multiple internal corporate LAN machines to external Internet network NAT IP Address Enter NAT IP address for the overload Interface Select this type of NAT to specify the Dynamic Interface whose IP address should be used for subjecting traffic to NAT 9 7 3 2 Access NAT Pool Configuration Page Firewall è Policy List è NAT Pool Log into Confi...

Page 94: ...t table 9 7 3 4 Modify a NAT Pool To modify a NAT Pool follow the instructions below 1 Open the NAT Pool Configuration page see section 9 7 3 2 Access NAT Pool Configuration Page Firewall è Policy List è NAT Pool 2 Click on the icon of the NAT pool to be modified in the NAT Pool List table or select the NAT pool from the NAT Pool drop down list 3 Make desired changes to any or all of the following...

Page 95: ...4 2 1 10 64 2 2 10 64 2 3 192 168 1 12 192 168 1 13 Figure 9 30 Network Diagram for NAT Pool Example 1 Create a NAT pool for static NAT see Figure 9 31 Figure 9 31 NAT Pool Example Create a Static NAT Pool 2 Associate the NAT pool to an outbound ACL rule by selecting NAT Pool from the NAT type drop down list and then choose an existing NAT pool from the NAT pool drop down list ...

Page 96: ... lunch period between 14 00 and 18 30 Hrs Office hours on weekends Saturday Sunday can have the following periods 9 00 to 12 00 Hrs Such varying time periods can be configured into a single time range record Access rules can be activated based on these time periods 9 7 4 1 Time Range Configuration Parameters Table 9 10 describes the configuration parameters available for a time range Table 9 10 Ti...

Page 97: ...s Time Range Configuration Page Firewall è Policy List è Time Range 2 Select Add New Time Range from the Time Range drop down list 3 Enter a name into the Time Range Name field 4 Select Add New Schedule from the Schedule drop down list 5 Select Days of Week For example from Sunday to Saturday 6 Enter day hours For example from 08 00 to 18 00 7 Click on the button to create the new schedule 9 7 4 4...

Page 98: ... è Time Range 2 Click on the icon of the Time Range to be deleted in the Time Range list table or select the Time Range from the Time Range drop down list 3 Select the Schedule from the drop down list 4 Click on the button to delete this schedule 9 7 4 7 Time Range Example 1 Create a time range see Figure 9 31 Figure 9 34 Time Range Example Create a Time Range 2 Associate the time range to an outb...

Page 99: ... 8 Firewall Statistics Firewall è Statistics The Firewall Statistics page displays details regarding the active connections Figure 9 36 shows a sample firewall statistics for active connections To see an updated statistics click on button Figure 9 36 Firewall active connections statistics ...

Page 100: ......

Page 101: ...w ike io passby 500 UDP Enabled To allow the IKE traffic to the Internet Security Router allow all passby Enabled To allow the plain traffic WARNING Do not delete or modify default VPN policies Proposals Each proposal represents a set of authentication encryption parameters Once configured a proposal can be tied to a connection Upon session establishment one of the proposals specified is selected ...

Page 102: ...red des sha1 dh5 DES SHA 1 5 Pre shared Keys 3600 ike preshared des md5 dh5 DES MD5 5 Pre shared Keys 3600 Pre configured IPSec proposals IPSec proposals decide the type of encryption and authentication for the traffic that flows between the endpoints of the tunnel Table 10 3 lists the default IPSec proposals available on the Internet Security Router Table 10 3 Pre configured IPSec proposals in th...

Page 103: ... page This way you can control the proposals that become part of a connection Note For the negotiation to succeed the peer gateway should also be configured with matching parameters However any specific proposal can be chosen if needed This chapter includes the procedure to configure the Access List through GUI Basic Access List Configuration Access List using IKE Access List using Manual Keys Adv...

Page 104: ...ange End IP Enter the ending IP address of the range Remote Secure Group only available for site to site VPN mode This option allows you to set the remote destination secure network to which this rule should apply This option allows you to apply this rule inclusively on all computers in the external network Use the Type drop down list to select one of the following IP Address Subnet IP Range Selec...

Page 105: ...ec Encryption Authentication Select one of the following pre configured IKE proposals from the drop down list If All is selected all the pre configured proposals will be associated with existing tunnel and one among the set of IPSec proposals will be selected automatically and used by IPSec to communicate with its peer All Strong Encryption Authentication ESP 3DES HMAC SHA1 Strong Encryption Authe...

Page 106: ... start with 0x Inbound SPI Inbound AH SPI Inbound ESP SPI Enter the inbound security parameter index If chained encryption authentication is selected for the VPN tunnel please enter both the inbound ESP and AH SPIs Outbound SPI Outbound AH SPI Outbound ESP SPI Enter the outbound security parameter index If chained encryption authentication is selected for the VPN tunnel please enter both the outbo...

Page 107: ...shown in Figure 10 1 2 Prior to adding a VPN rule make sure that the VPN service is enabled in System Service Configuration page 3 Select Add New from the ID drop down list 4 Enter a desired name preferably a meaningful name that signifies the nature of the VPN connection in the Name field Note that only alphanumeric characters are allowed in a name 5 Click on Enable or Disable radio button to ena...

Page 108: ...elect Preshared Key pre shared key for IKE encryption authentication algorithm for IKE lifetime for IKE encryption authentication algorithm for IPSec operation mode for IPSec PFS group for IPSec and lifetime for IPSec Please see Table 10 4 for explanation of these fields 6 Click on the button to modify this VPN rule The new settings for this VPN rule will then be displayed in the VPN Connection St...

Page 109: ... rule for VPN connection using manual key To add a rule for a VPN connection follow the instructions below 1 Log into Configuration Manager as admin click the VPN menu and then click the VPN Tunnel submenu The VPN Tunnel Configuration page displays as shown in Figure 10 2 Note that when you open the VPN Tunnel Configuration page a list of existing rules for VPN connections are also displayed at th...

Page 110: ...on page 3 Select the rule number from the ID drop down list or click on the icon of the rule to be modified in the VPN Connection Status table 4 Click on Enable or Disable radio button to enable or disable this rule 5 Make changes to any or all of the following fields local remote secure group remote gateway key management type select Preshared Key pre shared key for IKE encryption authentication ...

Page 111: ...rrently being reassembled Non First Fragments Currently in the Engine Number of non first fragments currently in the engine IKE Statistics IKE negotiation statistics IKE Phase1 Negotiation Done Number of IKE phase 1 negotiations performed Failed IKE Negotiations Done Number of failed IKE phase 1negotiations Quick Mode Negotiation Performed Number of IKE quick mode negotiations performed Number of ...

Page 112: ...es are configured to let the VPN traffic goes through This section describes these scenarios and presents step by step instructions for configuring these scenarios 10 6 1 Intranet Scenario firewall VPN and no NAT for VPN traffic This is a common scenario where traffic to the public Internet goes through the Firewall NAT only and traffic between private networks is allowed without NAT before IPSec ...

Page 113: ...able modem is not required if the two networks are connected via Ethernet connections The setting of each configuration step is illustrated in a figure For instructions on configuration of each step please refer to the corresponding section for details Internet 192 168 1 10 ISR1 ISR2 ADSL Cable Modem ADSL Cable Modem 192 168 1 11 192 168 1 12 192 168 2 22 192 168 2 21 192 168 2 20 LAN 192 168 1 1 ...

Page 114: ...gured for the outbound and inbound Firewall rule fields For a general description on configuring any inbound outbound Firewall rule please refer to sections 9 3 and 9 4 Table 10 6 Outbound Un translated Firewall Rule for VPN Packets on ISR1 Field Value Type Subnet Address 192 168 1 0 Source IP Mask 255 255 255 0 Type Subnet Address 192 168 2 0 Destination IP Mask 255 255 255 0 NAT None Action Allo...

Page 115: ...1 0 255 255 255 0 without any NAT 2 Configure inbound Firewall rule to allow packets from 192 168 1 0 255 255 255 0 to 192 168 2 0 255 255 255 0 without any NAT Table 10 8 and Table 10 9 provide the parameters to be configured for the outbound and inbound Firewall rule fields For a general description on configuring any inbound outbound Firewall rule please refer to sections 9 3 and 9 4 Table 10 8...

Page 116: ...255 0 NAT None Action Allow VPN Enable 10 6 1 3 Establish Tunnel and Verify Ping continuously from a host in the LAN behind ISR1 to a host in the LAN behind ISR2 The first few pings might fail After a few seconds the host in the LAN behind ISR1 should start getting ping response 10 6 2 Extranet Scenario firewall static NAT VPN for VPN traffic In case of the extranet scenario the networks protected...

Page 117: ...behind ISR2 The LAN behind ISR2 would be viewed as 192 168 12 0 24 by the LAN behind ISR1 The configuration of each of the Internet Security Routers for extranet scenario consists of the following steps Configure VPN Connection rules Configure Firewall rules to allow inbound and outbound VPN traffic by performing one to one NAT Configure a Firewall Self Access rule to allow IKE packets into the In...

Page 118: ...onfigure VPN policies on ISR1 using automatic keying with the following addresses 1 Use 192 168 11 0 255 255 255 0 for the Local Secure Group 2 Use 192 168 12 0 255 255 255 0 for the Remote Secure Group Figure 10 8 Extranet Example VPN Policy Configuration on ISR1 Step 2 Configure Static NAT Pools 1 Configure outgoing static NAT pool static NAT for translating addresses in range 192 168 1 1 192 16...

Page 119: ...T for translating addresses in range 192 168 11 1 192 168 11 254 to 192 168 1 1 192 168 1 254 Figure 10 10 Extranet Example Incoming NAT Pool Configuration on ISR1 Step 3 Configure Extranet access rules 1 Configure outbound Firewall rules to map the source IP address of outbound packets from 192 168 1 x range to 192 168 11 x defined by Outgoing_NAT pool range before sending the packet to VPN ...

Page 120: ...ISR1 2 Configure inbound Firewall rules to map the destination IP address of inbound packets from 192 168 11 x range to 192 168 1 x defined by Incoming_NAT pool range after the packet is processed by VPN Figure 10 12 Extranet Example Inbound ACL Rule on ISR1 10 6 2 3 Configure VPN Rules on ISR2 Step 1 Configure VPN rules ...

Page 121: ...resses 1 Use 192 168 12 0 255 255 255 0 as Local Secure Group 2 Use 192 168 11 0 255 255 255 0 as Remote Secure Group Figure 10 13 Extranet Example VPN Policy Configuration on ISR2 Step 2 Configure Static NAT Pools 1 Configure outgoing static NAT pool static NAT for translating addresses in range 192 168 1 1 192 168 1 254 to 192 168 12 1 192 168 12 254 Figure 10 14 Extranet Example Outgoing NAT Po...

Page 122: ...nfiguration on ISR2 Step 3 Configure Extranet rules 1 Configure outbound Firewall rules to map the source IP address of outbound packets from 192 168 1 x range to 192 168 12 x defined by Outgoing_NAT pool range before sending the packet to VPN Figure 10 16 Extranet Example Outbound ACL Rule on ISR2 2 Configure inbound Firewall rules to map the destination IP address of inbound packets from 192 168...

Page 123: ...d be successful The ping might fail due to any of the following The IP address of the host on the LAN behind ISR2 used in the ping command may not be correct Check and give the correct IP address Default route is not configured for ISR1 or ISR2 Configure the default routes as necessary Firewall rules corresponding to VPN connection may not be configured properly If any of the network addresses is ...

Page 124: ......

Page 125: ...owing actions Add modify delete a new user group and user information including user name password and etc to the group For VPN remote access virtual IP address assignment is required for each remote access user Add modify delete group access policies 11 2 Manage User Groups and Users The Remote Access option allows you to configure users and groups 11 2 1 User Group Configuration Parameters Table...

Page 126: ...cess menu and then click the User Group submenu The User Group Configuration page displays as shown in Figure 11 2 Note that when you open the User Group Configuration page a list of users is displayed at the bottom half of the configuration page such as those shown in Figure 11 2 11 2 3 Add a User Group and or a User To add a user group and a new user follow the instructions below 1 Open the User...

Page 127: ...he Confirm Password field 8 Click on the button to add the new user 11 2 4 Modify a User Group or a User To modify a user group and or a user follow the instructions below 1 Open the User Group Configuration page see section 11 2 2 Access User Group Configuration Page Remote Access è User Group 2 Select an existing user group from the user group drop down list If you just want to modify the attrib...

Page 128: ...xample Example Figure 11 2 displays the screen with entries to Add a new user group and a new user Group Sales User Alan 11 3 Configure Group ACL Rules Group ACL is used to control access privileges for remote or local user groups Its configuration is similar to that for firewall inbound outbound ACL rules except two additional fields rule type and group name see Figure 11 3 For procedures to conf...

Page 129: ...e Group ACL Rules The configuration parameters for group ACL rules are similar to those of firewall inbound outbound ACL rules except rule type and group name as indicated in Figure 11 3 You have to configure these two parameters in addition to the common parameters shared by firewall inbound outbound and group ACL rules Please refer to sections 9 3 3 9 3 4 and 9 3 5 for instructions on configurin...

Page 130: ...ul login the screen appears as in Figure 11 5 Figure 11 5 Login Status Screen Internet ISR User Name Richard Group Name RoadWarrior Private Network 192 168 1 0 24 FTP Server 192 168 1 200 LAN Port 192 168 1 1 WAN Port 61 222 32 38 User Name Gloria Group Name RoadWarrior Figure 11 6 Network Diagram for Inbound Remote Access ...

Page 131: ...ing shows the steps required to configure the Internet Security Router for the remote users Richard and Gloria to access the FTP server located in the protected network i e corporate LAN Figure 11 6 shows the network diagram for this example 1 Create remote access users and groups if necessary Figure 11 7 illustrates the creation of a new user Gloria For details on how to add new users and or new ...

Page 132: ...e Remote Access menu and then click the VPN Virtual IP submenu The VPN Virtual IP Configuration page displays as shown in Figure 11 9 Note that when you open the VPN Virtual IP Configuration page a list of existing VPN virtual IP assignments is also displayed at the bottom half of the configuration page such as those shown in Figure 11 9 Figure 11 9 VPN Virtual IP Configuration Page 11 6 2 Assign ...

Page 133: ...field if necessary Note that a routing entry must exist between the virtual network and the LAN 3 Click on the icon in the Virtual IP List table to select an existing virtual IP assignment or select a user from the User Name drop down list 4 Change the virtual IP address in the IP Address field 5 Click to save the virtual IP settings Note that a list of existing virtual IP assignments is displayed...

Page 134: ...ile Gloria to have secure access to a different group of computers in the LAN Note that third party VPN client software such as SafeNet SoftRemote 9 0 is required to use the VPN remote access feature in the Internet Security Router Two modes main mode and aggressive mode are supported for VPN remote access 11 7 1 Main Mode Remote Access Main Mode remote access is a mechanism where identity protect...

Page 135: ...for Richard and Gloria The settings for this policy are illustrated in Figure 11 13 Note that only one policy is needed for both Richard and Gloria because they belong to the same group RoadWarrior If Richard and Gloria belong to different groups one VPN policy is required for each user Figure 11 13 Main Mode Remote Access Example Remote VPN Connection Setup for RoadWarrior Group ...

Page 136: ...se policies are instantiated the remote user is allowed secure access through the Internet Security Router Again the example see Figure 11 10 used to illustrate the main mode remote access is used here Follow the instructions below to configure for aggressive mode remote access 1 Create remote access user for Richard and Gloria For details on how to do this please refer to section 11 2 Manage User...

Page 137: ...is policy are illustrated in Figure 11 16 Note that only one policy is needed for both Richard and Gloria because they belong to the same group RoadWarrior If Richard and Gloria belong to different groups one VPN policy is required for each user Figure 11 16 Aggressive Mode Remote Access Example Remote VPN Connection Setup for RoadWarrior Group ...

Page 138: ......

Page 139: ...m Services As shown in Figure 12 1 you can use the System Services Configuration page to enable or disable services supported by the Internet Security Router All services firewall VPN DNS DHCP and RIP are all enabled at the factory To disable or enable individual service follow the steps below 1 Log into Configuration Manager as admin click the System Management menu and then click the System Serv...

Page 140: ...w the steps below to change password 1 Log into Configuration Manager as admin click the System Management menu and then click the User Account submenu The User Account Configuration page displays as shown in Figure 12 2 2 Enter existing password in the Login Password field 3 Type the new password in the New Password text field and again in the Confirm New Password text field The password can be u...

Page 141: ...hich it uses to calculate and report various performance data Note Changing the Internet Security Router date and time does not affect the date and time on your PCs Figure 12 4 Date and Time Configuration Page There is no real time clock inside the Internet Security Router The system date and time are maintained by external network time server The only fields configurable in this configuration pag...

Page 142: ...onfiguration page displays as shown in Figure 12 5 2 Click on button to set the system configuration back to factory default Note that the Internet Security Router will reboot to make the factory default configuration in effect Figure 12 5 Default Setting Configuration Page Sometimes you may find that you have no way to access the Internet Security Router e g you forget your password The only way ...

Page 143: ...ck the Backup submenu The Backup Configuration page displays as shown in Figure 12 6 2 Click on button to backup the system configuration Figure 12 6 Backup System Configuration Page 12 5 3 Restore System Configuration Follow the steps below to backup system configuration 1 Log into the Configuration Manager as admin click the System Management menu click the Configuration submenu and then click t...

Page 144: ...Figure 12 8 will pop up for you to select the configuration file to restore Figure 12 8 Windows File Browser 3 Click on button to restore the system configuration Note that the Internet Security Router will reboot to make the new system configuration in effect 12 6 Upgrade Firmware ASUSTeK may from time to time provide you with an update to the firmware running on the Internet Security Router All ...

Page 145: ...d name of the firmware image file Alternatively you may click on button to search for it on your hard drive 3 Click on button to update the firmware Note it may take up to 5 minutes for the firmware upgrade Note that after the transfer of firmware is completed the Internet Security Router will reboot to make the new firmware in effect 12 7 Reset the Internet Security Router To reset the Internet S...

Page 146: ...Configuration Manager click on the button in the Configuration Manager Logout page If you are using IE as your browser a window similar to the one shown in Figure 12 12 will prompt for confirmation before closing your browser Figure 12 11 Configuration Manager Logout Page Figure 12 12 Confirmation for Closing Browser IE ...

Page 147: ...lPlayer 8 Plus UDP 53 DNS QuickTime Version 6 RTSP 7070 TCP 80 HTTP UDP 6801 N2P TCP 80 HTTP TCP 443 HTTPS Net2Phone UDP 53 DNS Net2Phone CommCenter Release 1 5 0 TCP 7648 CUSEEME TCP 80 HTTP CUSeeMe UDP 53 DNS CUSeeMe Version 5 0 0 043 TCP 1720 H323 Netmeeting UDP 53 DNS TCP 1720 H323 TCP 389 ILS Netmeeting with ILS UDP 53 DNS TCP 1720 H323 UDP 1719 H323GK Netmeeting with GK UDP 53 DNS Windows Ne...

Page 148: ...Instant Messenger Version 5 0 2938 TCP 5191 ICQ_2000 TCP 80 HTTP ICQ Chat NB Application should be configured to use TCP 5191 UDP 53 DNS ICQ 2000b TCP 6667 IRC TCP 80 HTTP IRC UDP 53 DNS MIRC v6 02 TCP 1863 MSN TCP 80 HTTP MSIM UDP 53 DNS MSN Messenger Service Version 3 6 0039 Games TCP 47624 MSG1 TCP 28801 MSN ZONE TCP 443 HTTPS TCP 80 HTTP Flight Simulator 2002 Gaming Zone UDP 53 DNS Flight Simu...

Page 149: ...DP 53 DNS Diablo II BATTLE NET TCP BATTLE NET UDP UDP 6112 Diablo II Diablo II Other common Applications TCP 110 POP3 POP3 UDP 53 DNS Outlook Express 5 TCP 143 IMAP4 IMAP UDP 53 DNS Outlook Express 5 TCP 25 SMTP SMTP UDP 53 DNS Outlook Express 5 TCP 443 HTTPS TCP 80 HTTP HTTPS TLS SSL UDP 53 DNS Internet Explorer 5 TCP 389 ILS LDAP UDP 53 DNS Openldap 2 0 25 TCP 119 NNTP NNTP UDP 53 DNS Outlook Ex...

Page 150: ......

Page 151: ...ephone numbers For example a 7 digit telephone number starts with a 3 digit prefix that identifies a group of thousands of telephone lines and ends with four digits that identify one specific line in that group Similarly IP addresses contain two kinds of information Network ID Identifies a particular network within the Internet or Intranet Host ID Identifies a particular computer or device on the ...

Page 152: ...of an IP address are the network ID and what parts are the host ID bits set to 1 mean this bit is part of the network ID and bits set to 0 mean this bit is part of the host ID Subnet masks are used to define subnets what you get after dividing a network into smaller pieces A subnet s network ID is created by borrowing one or more bits from the host ID portion of the address The subnet mask identif...

Page 153: ...ty Router User s Manual Chapter 14 IP Addresses Network Masks and Subnets 137 Class C 255 255 255 0 These are called default because they are used when a network is initially configured at which time it has no subnets ...

Page 154: ......

Page 155: ... and or hub is turned on Verify that your cable is sufficient for your network requirements A 100 Mbit sec network 100BaseTx should use cables labeled Cat 5 10Mbit sec cables may tolerate lower quality cables Internet Access PC cannot access Internet Use the ping utility discussed in the following section to check whether your PC can communicate with the Internet Security Router s LAN IP address b...

Page 156: ... 192 168 1 1 If it cannot check the Ethernet cabling Verify that you are using Internet Explorer v5 5 Netscape 7 0 2 or later Support for Javascript must be enabled in your browser Support for Java may also be required Verify that the PC s IP address is defined as being on the same subnet as the IP address assigned to the LAN port on the Internet Security Router Changes to Configuration Manager ar...

Page 157: ...same command at a command prompt or through a system administration utility 15 1 2 nslookup You can use the nslookup command to determine the IP address associated with an Internet site name You specify the common name and the nslookup command looks up the name on your DNS server usually located with your ISP If that name is not an entry in your ISP s DNS table the request is then referred to anot...

Page 158: ... the nslookup Utility There may be several addresses associated with an Internet name This is common for web sites that receive heavy traffic they use multiple redundant servers to carry the same information To exit from the nslookup utility type exit and press Enter at the command prompt ...

Page 159: ...different types of data over the same medium DSL is a broadband technology broadcast To send data to all computers on a network DHCP Dynamic Host Configuration Protocol DHCP automates address assignment and management When a computer connects to the LAN DHCP assigns it an IP address from a shared pool of IP addresses after a specified time limit DHCP returns the address to the pool DHCP relay Dyna...

Page 160: ... sent first from your computer to a router and then from one router to another until it finally reaches a router that is directly connected to the recipient Each individual leg of the data s journey is called a hop hop count The number of hops that data has taken on its route to its destination Alternatively the maximum number of hops that a packet is allowed to take before being discarded see als...

Page 161: ...IP address when talking to a computer on your LAN NAT rule A defined method for translating between public and private IP addresses on your LAN network A group of computers that are connected together allowing them to communicate with each other and share resources such as software files etc A network can be small such as a LAN or very large such as the Internet network mask A network mask is a se...

Page 162: ...Protocol The TCP IP protocol used for network management subnet A subnet is a portion of a network The subnet is distinguished from the larger network by a subnet mask which selects some of the computers of the network and excludes all others The subnet s computers remain physically connected to the rest of the parent network but they are treated as though they were on a separate network See also ...

Page 163: ... uses Hyper Text Transfer Protocol HTTP to download information from and upload to web sites and displays the information which may consist of text graphic images audio or video to the user Web browsers use Hyper Text Transfer Protocol HTTP Popular web browsers include Netscape Navigator and Microsoft Internet Explorer See also HTTP web site WWW Web page A web site file typically containing text g...

Page 164: ......

Page 165: ...ned 26 DHCP relay 143 DHCP server 143 defined 26 pools 26 viewing assigned addresses 28 DHCP Server Configuration page 27 Diagnosing problems after installation 20 DNS 28 29 143 defined 29 relay 29 Domain name 143 Domain Name System See DNS download 144 DSL defined 144 Dynamically assigned IP addresses 27 Eth 0 interface defined 20 Ethernet defined 144 Ethernet cable 9 Features 1 Filtering rule 14...

Page 166: ...onfiguration page 26 LAN network mask 25 LAN Statistics page 30 LAN subnet mask 25 LEDs 3 145 troubleshooting 139 Login to Configuration Manager 21 MAC addresses 145 in DHCP Address Table 28 Mask See Network mask Mbps 145 NAT defined 46 145 Dynamic 47 NAPT 48 Overload 48 PAT 48 Reverse NAPT 49 Reverse Static 49 Static 46 Virtual Server 49 Navigating 22 Netmask See Network mask Network See LAN Netw...

Page 167: ...Routing Configuration page 37 Secondary DNS 32 33 34 Setup Wizard 23 Setup Wizard page 15 23 Static IP addresses 13 Static routes adding 38 Statically assigned IP addresses 27 Subnet 146 Subnet mask See Network mask Subnet masks 136 System requirements for Configuration Manager 21 System requirements 1 TCP IP 146 Testing setup 20 Time and date changing 125 Troubleshooting 139 TTL 146 Twisted pair ...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands