Chapter 9. Configuring Firewall/NAT Settings (RX3041H User's Manual, page 70)

Field                        Description

PASV                         Allow initiation of a passive data connection.
PORT                         Allow or deny Port Number to participate in an active data connection.
RETR                         Allow or deny getting a file from the FTP server.
RMD                          Allow removing a directory.
RNFR                         Allow Rename from.
RNTO                         Allow Rename to.
DELE                         Allow deletion of a file.
SITE                         Allow Site parameters (specific services provided by the FTP server).
STOR                         Allow or deny putting a file to the FTP server.

SMTP Commands                Add the following command to an SMTP filter to:
MAIL                         Allow or deny initiating a mail transaction.
RCPT                         Allow or deny identifying an individual recipient of the mail data.
DATA                         Allow or deny mail data.
VRFY                         Allow or deny verifying the existence of the user.
EXPN                         Allow or deny identification for a mailing list.
TURN                         Allow or deny switching the roles of the client and server, to send mail in the reverse direction.
SEND                         Allow or deny initiating a mail transaction.

HTTP (Deny Following Files)  Add the following command to an HTTP filter to:
Java Applet                  Deny all *.class files.
Java-archive                 Deny all *.jar files.
MS Archive                   Deny all *.msar files.
ActiveX                      Deny all *.ocx files.

RPC Numbers
RPC numbers                  Add this command to an RPC filter to allow or deny RPC program numbers.

9.8.1.2 Add an Application Filter

The application filter configuration is best explained with a few examples. Note that the configuration for RPC 
and SMTP is similar to that for FTP and will not be presented here. 
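The filter table above, as an added Python model that is not the router's firmware nor code from the manual: it reproduces the allow/deny semantics of an FTP or SMTP command filter and of the HTTP deny-following-files filter over constructed sample traffic, so the effect of each setting can be checked offline. Filter names, ports, request lines and the host name are constructed; the HTTP check is generalised to any denied extension, not only the four listed.

```python
"""Model of an application command filter (FTP / SMTP / HTTP).

Added illustration of the filter semantics in the manual's table; it is
not the RX3041H implementation. A filter is defined by type, name, port,
logging flag and the set of commands (FTP/SMTP) or file extensions (HTTP)
it denies, mirroring the Filter Type / Filter Name / Port / Log fields.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import posixpath

# Command vocabularies exactly as listed in the filter table.
FTP_COMMANDS = {"PASV", "PORT", "RETR", "RMD", "RNFR", "RNTO", "DELE", "SITE", "STOR"}
SMTP_COMMANDS = {"MAIL", "RCPT", "DATA", "VRFY", "EXPN", "TURN", "SEND"}
VOCAB = {"FTP": FTP_COMMANDS, "SMTP": SMTP_COMMANDS}

# HTTP filter: checkbox label -> file extension it denies.
HTTP_FILE_TYPES = {
    "Java Applet": ".class",
    "Java-archive": ".jar",
    "MS Archive": ".msar",
    "ActiveX": ".ocx",
}


@dataclass
class AppFilter:
    filter_type: str                 # "FTP", "SMTP" or "HTTP"
    name: str                        # Filter Name field
    port: int                        # Port field (default 21 / 25 / 80)
    log: bool = False                # Log option
    denied: set = field(default_factory=set)    # commands or extensions
    events: list = field(default_factory=list)  # log lines produced

    def _verdict(self, allowed, subject):
        """Return the verdict; record denied matches when logging is on."""
        if not allowed and self.log:
            self.events.append(
                f"{self.filter_type} filter {self.name} port {self.port}: denied {subject}")
        return allowed

    def check_command(self, line):
        """One FTP/SMTP control-channel line -> True if the filter lets it pass."""
        if self.filter_type not in VOCAB:
            raise ValueError("check_command applies to FTP and SMTP filters only")
        tokens = line.split()
        verb = tokens[0].upper() if tokens else ""   # verbs are case-insensitive
        # Commands outside the table (USER, PASS, LIST, HELO, ...) are not
        # subject to the filter and pass through unchanged.
        if verb not in VOCAB[self.filter_type]:
            return True
        return self._verdict(verb not in self.denied, verb)

    def check_request(self, request_line):
        """One HTTP request line -> True unless the requested file type is denied."""
        if self.filter_type != "HTTP":
            raise ValueError("check_request applies to HTTP filters only")
        parts = request_line.split()
        if len(parts) < 2:
            return self._verdict(False, "malformed request line")
        # urlsplit drops ?query and #fragment and handles absolute-URI targets.
        path = urlsplit(parts[1]).path
        ext = posixpath.splitext(path)[1].lower()
        return self._verdict(ext not in self.denied, path)


def http_filter(name, port, checked_labels, extra_extensions=(), log=False):
    """Build an HTTP filter from the checkbox labels plus any extra extensions."""
    denied = {HTTP_FILE_TYPES[label] for label in checked_labels}
    for ext in extra_extensions:
        ext = ext.lower()
        denied.add(ext if ext.startswith(".") else "." + ext)
    return AppFilter("HTTP", name, port, log=log, denied=denied)


def denied_lines(app_filter, lines):
    """Run a whole constructed session through a command filter; return the denied lines."""
    return [ln for ln in lines if not app_filter.check_command(ln)]


if __name__ == "__main__":
    # Constructed FTP session against a filter that denies DELE (the manual's example).
    ftp = AppFilter("FTP", "FTPRule1", 21, log=True, denied={"DELE"})
    session = ["USER anonymous", "PASS guest@", "RETR readme.txt", "dele secret.txt"]
    print("denied:", denied_lines(ftp, session))
    print("\n".join(ftp.events))
```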

Summary of Contents for RX3041H

Page 1: ...RX3041H User s Manual Revision 1 3 Aug 19 2004 ...

Page 2: ...ii ...

Page 3: ...ss Control List 5 2 4 1 3 Stateful Packet Inspection 5 2 4 1 4 Defense against DoS Attacks 6 2 4 1 5 Application Command Filtering 6 2 4 1 6 Application Level Gateway ALG 7 2 4 1 7 URL Filtering 7 2 4 1 8 Log and Alerts 7 2 4 1 9 Remote Access 7 3 Quick Start Guide 9 3 1 Part 1 Connecting the Hardware 9 3 1 1 Step 1 Connect an ADSL or a cable modem 9 3 1 2 Step 2 Connect computers or a LAN 9 3 1 3...

Page 4: ... 4 2 1 Setup Menu Navigation Tips 22 4 2 2 Commonly Used Buttons and Icons 22 4 3 Overview of System Configuration 23 5 Configuring LAN Settings 25 5 1 LAN IP Address 25 5 1 1 LAN IP Configuration Parameters 25 5 1 2 Configuring the LAN IP Address 25 5 2 DHCP Dynamic Host Control Protocol 26 5 2 1 Introduction 26 5 2 1 1 What is DHCP 26 5 2 1 2 Why use DHCP 26 5 2 2 DHCP Server Configuration 27 5 ...

Page 5: ...atic IP 37 6 4 1 WAN Static IP Configuration Parameters 37 6 4 2 Configuring Static IP for WAN 37 6 5 Viewing WAN Statistics 38 7 Configuring Routes 41 7 1 Overview of IP Routes 41 7 1 1 Do I need to define IP routes 41 7 2 Dynamic Routing using RIP Routing Information Protocol 41 7 2 1 Dynamic Routing RIP Configuration Parameters 41 7 2 2 Configuring RIP 42 7 3 Static Routing 43 7 3 1 Static Rout...

Page 6: ...One NAT 52 9 2 2 Dynamic NAT 53 9 2 3 NAPT Network Address and Port Translation or PAT Port Address Translation 54 9 2 4 Reverse Static NAT 55 9 2 5 Reverse NAPT Virtual Server 55 9 3 ACL Rule Configuration Parameters 55 9 4 Configuring Inbound ACL Rules 57 9 4 1 Add an Inbound ACL Rule 58 9 4 2 Modify an Inbound ACL Rule 58 9 4 3 Delete an Inbound ACL Rule 59 9 4 4 Display Existing Inbound ACL Ru...

Page 7: ... DoS Protection Configuration Parameters 66 9 7 3 2 Configuring DoS Settings 67 9 8 Firewall Policy List Firewall Î Policy List 68 9 8 1 Configuring Application Filter 69 9 8 1 1 Application Filter Configuration Parameters 69 9 8 1 2 Add an Application Filter 70 9 8 1 2 1 FTP Example Add a FTP Filter Rule to Block FTP DELETE Command 71 9 8 1 2 2 HTTP Example Add a HTTP Filter Rule to Block JAVA Ap...

Page 8: ...ify a User Group or a User 87 10 2 4 Delete a User Group or a User 87 10 2 5 User Group and Users Configuration Example 88 10 3 Configure Group ACL Rules 88 10 3 1 Group ACL Specific Configuration Parameters 88 10 3 2 Add a Group ACL Rule 88 10 3 3 Modify a Group ACL Rule 89 10 3 4 Delete a Group ACL Rule 90 10 3 5 Display Existing Group ACL Rules 90 10 4 Remote User Login Process 90 10 5 Configur...

Page 9: ...1 Reset to Factory Settings 99 11 6 1 1 Reset to Factory Settings Using Configuration Manager 99 11 6 1 2 Reset to Factory Settings Using Reset Button 100 11 6 2 Backup System Configuration 100 11 6 3 Restore System Configuration 100 11 7 Upgrade Firmware 101 11 8 Reset the RX3041H 102 11 9 Logout Configuration Manager 102 A ALG Configuration 105 B System Specifications 109 B 1 Hardware Specificat...

Page 10: ...tion Page 17 Figure 3 9 Setup Wizard WAN PPPoE Configuration Page 18 Figure 3 10 Setup Wizard WAN Dynamic IP Configuration Page 18 Figure 3 11 Setup Wizard WAN Static IP Configuration Page 19 Figure 4 1 Configuration Manager Login Screen 21 Figure 4 2 Typical Configuration Manager Page 22 Figure 4 3 System Information Page 23 Figure 5 1 LAN IP Address Configuration 26 Figure 5 2 DHCP Configuration...

Page 11: ...ets to the Internal Host Base on the Protocol Port Number or IP Address 54 Figure 9 7 Inbound ACL configuration Example 58 Figure 9 8 Inbound ACL List 58 Figure 9 9 Outbound ACL Configuration Example 60 Figure 9 10 Outbound ACL List 60 Figure 9 11 URL Filter Configuration Example 62 Figure 9 12 URL Filter List 62 Figure 9 13 Self Access Rule Configuration Example 63 Figure 9 14 Service List Config...

Page 12: ...uration Example 89 Figure 10 4 Group ACL List 89 Figure 10 5 Login Console 90 Figure 10 6 Login Status Screen 90 Figure 10 7 Network Diagram for Inbound Remote Access 91 Figure 10 8 User and User Group Configuration Example 92 Figure 10 9 Group ACL Configuration Example 92 Figure 11 1 System Services Configuration 93 Figure 11 2 Password Configuration 94 Figure 11 3 Management Station Configuratio...

Page 13: ... WAN Dynamic IP Configuration Parameters 36 Table 6 3 WAN Static IP Configuration Parameters 37 Table 7 1 Dynamic Routing RIP Configuration Parameters 41 Table 7 2 Static Route Configuration Parameters 43 Table 8 1 DDNS Configuration Parameters 46 Table 9 1 ACL Rule Configuration Parameters 55 Table 9 2 URL Filter Configuration Parameters 61 Table 9 3 Self Access Configuration Parameters 63 Table ...

Page 14: ...Table 11 3 Fixed DHCP Lease Configuration Parameters 98 Table A 1 Supported ALG 105 Table B 1 Hardware Specification 109 Table B 2 System Default Settings 109 Table C 1 IP Address structure 113 xiv ...

Page 15: ...u must have the following ADSL or cable modem and the corresponding service up and running with at least one public Internet address assigned to your WAN One or more computers each containing an Ethernet 10Base T 100Base T network interface card NIC Optional An Ethernet hub switch if you are connecting the device to more than four computers on an Ethernet network For system configuration using the...

Page 16: ...c instructions or explanations Note Provides clarification or non essential information on the current topic Definition Explains terms or acronyms that may be unfamiliar to many readers These terms are also included in the Glossary WARNING Provides messages of high importance including messages relating to personal safety or system integrity ...

Page 17: ...n On Unit is powered on POWER Green Off Unit is powered off On System malfunctioned if this LED stays on Note that the LED is lit during system booting and is turned off afterwards This LED is also used along w reset button during system configuration reset Please refer to the section 11 6 1 2 Reset to Factory Settings Using Reset Button for further details ALARM Green Off System functions normall...

Page 18: ...ng Reset Button for further details CONSOLE Console Port For ASUSTeK internal use only WAN WAN Port Connects to your WAN device such as an ADSL or a cable modem P1 P4 LAN Ports Connects to your PC s Ethernet port or to the uplink port on the hub or the switch 2 4 Major Features 2 4 1 Firewall and NAT Features The firewall implemented in your router provides the following features to protect your n...

Page 19: ...valid Internet address to an internal host address All packets coming to that external address are relayed to the internal address This is useful when hosting services in an internal machine Reverse NAPT Also called inbound mapping port mapping and virtual server Any packet coming to the router can be relayed to the internal host based on the protocol port number or IP Address specified in the rul...

Page 20: ...Opentear Syndrop Jolt ICMP Attacks Ping of Death Smurf Twinge Flooders ICMP Flooder UDP Flooder SYN Flooder Port Scans TCP XMAS Scan TCP Null Scan TCP SYN Scan TCP Stealth Scan TCP Attacks TCP sequence number prediction TCP out of sequence attacks Protection with PF Rules Echo Chargen Ascend Kill Miscellaneous Attacks IP Spoofing LAND Targa Tentacle MIME Flood Winnuke FTP Bounce IP unaligned time ...

Page 21: ...abled but works only if firewall is enabled 2 4 1 8 Log and Alerts Events in the network that could be attempts to affect its security are recorded in the RX3041H System log file Event details are recorded in WELF WebTrends Enhanced Log Format format so that statistical tools can be used to generate custom reports The RX3041H Firewall can also forward Syslog information to a Syslog server on a pri...

Page 22: ......

Page 23: ...f applicable and the router Figure 3 1 illustrates the hardware connections Please follow the steps that follow for specific instructions 3 1 1 Step 1 Connect an ADSL or a cable modem For the RX3041H Connect one end of the Ethernet cable to the port labeled WAN on the rear panel of the device Connect the other end to the Ethernet port on the ADSL or cable modem 3 1 2 Step 2 Connect computers or a ...

Page 24: ...cated in Table 3 1 If the LEDs illuminate as expected the RX3041H is working properly Table 3 1 LED Indicators This LED should be POWER Solid green to indicate that the device is turned on If this light is not on check if the AC adapter is attached to the RX3041H and if it is plugged into a power source LAN1 LAN4 Solid green to indicate that the device can communicate with your LAN or flashing whe...

Page 25: ...d network items 4 Ensure that the check box to the left of the item labeled Internet Protocol TCP IP is checked and click Properties button 5 In the Internet Protocol TCP IP Properties dialog box click the radio button labeled Obtain an IP address automatically Also click the radio button labeled Obtain DNS server address automatically 6 Click OK button twice to confirm your changes and close the ...

Page 26: ...col TCP IP does not display as an installed component click Add button 4 In the Select Network Component Type dialog box select Protocol and then click Add button 5 Select Microsoft in the Manufacturers list box and then click TCP IP in the Network Protocols list box and then click OK button You may be prompted to install files from your Windows 95 98 or Me installation CD or other media Follow th...

Page 27: ...wing the RX3041H to assign them This option may be desirable but not required if You have obtained one or more public IP addresses that you want to always associate with specific computers for example if you are using a computer as a public web server You maintain different subnets on your LAN However during the first time configuration of your RX3041H you must assign an IP address in the 192 168 ...

Page 28: ...ions to setup the RX3041H 1 Before accessing the Configuration Manager in the RX3041H make sure that the HTTP proxy setting is disabled in your browser In IE click Tools Î Internet Options Î Connections tab Î LAN settings and then uncheck Use proxy server for your LAN 2 On any PC connected to one of the four LAN ports on the RX3041H open your Web browser and type the following URL in the address l...

Page 29: ...e page displays each time you log into the Configuration Manager shown in Figure 3 3 on page 15 Figure 3 3 Setup Wizard Home Page Figure 3 4 Setup Wizard Password Configuration Page 4 Click on the button to enter the password configuration page as shown in Figure 3 4 Change the password in the spaces provided if desired Otherwise proceed to the next configuration page by clicking on the button ...

Page 30: ...Wizard Date Time Configuration Page 6 Set the time zone for your router by selecting one from the Time Zone drop down list Click to save the settings and then click on the button to go to the next configuration page There is no real time clock inside the router The system date and time may be maintained by external time servers There is no need to set the date and time here unless you don t have a...

Page 31: ...ns and confirm that your Internet connection is working properly Click on the button to proceed to the next configuration page 9 Now we are at the last page of the Setup Wizard which is to configure the WAN settings for the router Depending on the connection mode required for your ISP select one from the Connection Mode drop down list see Figure 3 9 PPPoE Dynamic and Static PPPoE is usually used b...

Page 32: ...ick Start Guide RX3041H User s Manual 18 Connection Mode drop down list Figure 3 9 Setup Wizard WAN PPPoE Configuration Page Connection Mode drop down list Figure 3 10 Setup Wizard WAN Dynamic IP Configuration Page ...

Page 33: ...on t need to enter primary secondary DNS IP addresses as DHCP client is able to automatically obtain this information for you from your ISP However if you prefer to use your favorite DNS servers you may enter them in the space provided Host name is optional You may leave it empty if your ISP did not provide such information If you had previously registered a specific MAC address with your ISP for ...

Page 34: ...ice is pre configured with default settings for use with a typical home or small office network Table 3 2 lists some of the most important default settings these and other features are described fully in the subsequent chapters For a complete list of default settings please refer to the section B 2 Default Settings If you are familiar with network configuration settings review the settings in Tabl...

Page 35: ...ions as described in the Quick Start Guide chapter A web browser on your computer Configuration Manager is compatible with Microsoft Internet Explorer 5 5 Netscape 7 0 2 or newer Although you may log into the Configuration Manager from any computer that can reach your router via the LAN or WAN connections the instructions provided here assumes that your computer is connected to the LAN port of you...

Page 36: ...group of menus are expanded or not You can click on any of these to display a specific configuration page Setup Menu Frame Configuration Frame Figure 4 2 Typical Configuration Manager Page A separate page displays in the right hand side frame for each menu For example the configuration page displayed in Figure 4 2 is intended for DHCP configuration 4 2 1 Setup Menu Navigation Tips To expand a grou...

Page 37: ... a firewall ACL rule and etc Deletes the selected item e g a static route or a firewall ACL rule and etc Launches the online help for the current topic in a separate browser window Help is available from any main topic page Redisplays the current page with updated statistics or settings Selects the item for editing Deletes the selected item 4 3 Overview of System Configuration To view the overall ...

Page 38: ......

Page 39: ...rue IP address that you want to use with your network Note The RX3041H itself can function as a DHCP server for your LAN computers as described in section 5 2 2 but not for its own LAN port 5 1 1 LAN IP Configuration Parameters Table 5 1describes the configuration parameters available for LAN IP configuration Table 5 1 LAN IP Configuration Parameters Setting Description IP Address The LAN IP addre...

Page 40: ...HCP server and the receiving device is a DHCP client Note If you followed the Quick Start Guide instructions you either configured each LAN PC with an IP address or you specified that it will receive IP information dynamically automatically If you chose to have the information assigned dynamically then you configured your PCs as DHCP clients that will accept IP addresses assigned from a DCHP serve...

Page 41: ...ard the DNS request from the LAN to DNS servers and relay the results back to the LAN computers Note that both the primary and secondary DNS servers are optional Primary Secondary WINS Server IP Address optional The IP address of the WINS servers to be used by computers that receive IP addresses from the DHCP IP address pool You don t need to enter this information unless your network has WINS ser...

Page 42: ...e IP addresses that are currently provided to the LAN devices Table 5 3 describes the information for each of the parameters shown in the DHCP lease table Table 5 3 DHCP Address Assignment Parameters Field Description MAC Address A hardware ID of the device that leases an IP address from the DHCP server Assigned IP Address The address that has been leased from the pool IP Address Expired on The ti...

Page 43: ... add the new fixed DHCP lease entry 5 2 3 3 Delete a Fixed DHCP Lease To delete a fixed DHCP lease just click on the icon in front of the specific fixed DHCP lease 5 2 3 4 Viewing Fixed DHCP Lease Table To see existing fixed DHCP lease just open the Fixed DHCP Lease configuration page by clicking the LAN Î Fixed DHCP Lease menu 5 3 DNS 5 3 1 About DNS Domain Name System DNS servers map the user fr...

Page 44: ...at the ISP It then relays the DNS server s response to the PC When performing DNS relay the RX3041H must maintain the IP addresses of the DNS servers it contacts It can learn these addresses in either or both of the following ways Learned through PPPoE or Dynamic IP Connection If the RX3041H uses a PPPoE see section 6 2 2 Configuring PPPoE for WAN or Dynamic IP see section 6 3 2 Configuring Dynami...

Page 45: ... for your LAN but you may find it helpful when working with your ISP to diagnose network and Internet data transmission problems To view LAN IP statistics open the LAN Statistics page by clicking the LAN Î Statistics menu Figure 5 5 shows a sample LAN Statistics To see the updated statistics click on the button Figure 5 5 LAN Statistics Page ...

Page 46: ......

Page 47: ...en to route packets addressed to networks not explicitly listed in the routing table Select from the drop down list the interface to be used as the default gateway Unnumbered PPPoE Click on the Enable or Disable radio button to enable or disable this option Traditionally each network interface must have a unique IP address However an unnumbered interface does not have to have a unique IP address T...

Page 48: ...ue for MSS clamping if MSS clamping is enabled Connection Options The default setting for this option is Disable You can also select either Dial On Demand or Keep Alive if desired Dial On Demand Enter the inactivity timeout period at which you want to disconnect the Internet connection when there is no traffic The minimum value of inactivity timeout is 30 seconds RIP and SNTP services may interfer...

Page 49: ...option The default setting is Disable 6 Optional Enter host name in the space provided if required by your ISP 7 If you are connecting to the Internet using PPPoE you probably only have to enter User Name and Password in the PPPoE configuration page as shown in Figure 6 1 unless you want to use your preferred DNS servers 8 Optional Enter the service name and or access concentrator name if required...

Page 50: ...obtain the DNS IP addresses configured at your ISP However if there are other DNS servers you would rather use enter the IP addresses in the spaces provided MAC Cloning The default is to use the MAC address of the WAN interface However if you had registered a MAC address previously with your ISP you may need to enter that MAC address here 6 3 2 Configuring Dynamic IP for WAN Connection Mode drop d...

Page 51: ...etting Description IP Address WAN IP address provided by your ISP Subnet Mask WAN subnet mask provided by your ISP Typically it is set as 255 255 255 0 Gateway Address Gateway IP address provided by your ISP It must be in the same subnet as the WAN on the RX3041H Primary Secondary DNS You must at least enter the IP address of the primary DNS server Secondary DNS is optional 6 4 2 Configuring Stati...

Page 52: ...lick to save the static IP settings when you are done with the configuration You ll see a summary of the WAN configuration at the bottom half of the configuration page Figure 6 6 WAN Static IP Configuration 6 5 Viewing WAN Statistics You w not typically need to view this data your ISP to diagnose network and Internet d ill but you may find it helpful when working with ata transmission problems To ...

Page 53: ...RX3041H User s Manual Chapter 6 Configuring WAN Settings 39 Figure 6 7 WAN Statistics Page To see the updated statistics click on the button ...

Page 54: ......

Page 55: ...self a default gateway is defined to direct all outbound Internet traffic to a router at your ISP This default gateway is assigned automatically by your ISP whenever the device negotiates an Internet connection The process for adding a default route is described in section 7 3 2 Adding a Static Route You may need to define routes if your home setup includes two or more networks or subnets if you c...

Page 56: ...n mode from the drop down list Two modes are available Clear Text and MD5 The default setting is Clear Text Authentication Key Enter the authentication key for shared by all the routers exchanging routing information The default authentication key is admin 7 2 2 Configuring RIP Follow these instructions to configure RIP 1 Open the routing configuration page by clicking on the Routing menu 2 In the...

Page 57: ... Appendix A for an explanation of network ID Destination Netmask Indicates which parts of the destination address refer to the network and which parts refer to a computer on the network Refer to Appendix A for an explanation of network masks The default route uses a netmask of 0 0 0 0 Gateway IP Address Gateway IP address 7 3 2 Adding a Static Route Follow these instructions to add a static route ...

Page 58: ...rs maintain a table of IP addresses that are commonly accessed by their users For each of these destination IP addresses the table lists the IP address of the first hop the data should take This table is known as the device s routing table To view the RX3041H s routing table just open the Routing configuration page by clicking on the Routing menu The Routing Table displays at the bottom half of th...

Page 59: ...ly RFC 2136 DDNS Client and HTTP DDNS Client RFC 2136 DDNS Client domain com ISR Windows 2000 DNS Server isr domain com Figure 8 1 Network Diagram for RFC 2136 DDNS Any interface status change to an external interface sends a DDNS update to the DNS server When connection to Primary DNS server fails the RX3041H updates the Secondary DNS server When a DNS update is forced by the administrator update...

Page 60: ...to disable the DDNS Service DDNS Type select a DDNS service type HTTP or RFC 2136 DDNS HTTP DDNS Click this radio button if HTTP DDNS is desired RFC 2136 DDNS Click this radio button if RFC 2136 DDNS is desired DNS Zone Name Enter the registered domain name provided by your ISP into this field Note The host name of RX3041H has to be configured in the System Information Setup page properly For exam...

Page 61: ...Microsoft Knowledge Base article Q317590 Configure DNS Dynamic Update in Windows 2000 for details 2 Make sure that you have a host name configured for the RX3041H otherwise open the System Identity configuration page to configure one Please refer to the section 11 3 Configure System Identity for more details 3 Open the DDNS configuration page by clicking on the DDNS menu 4 Select Enable for the DD...

Page 62: ...DNS menu 4 In the DDNS configuration page select Enable for the DDNS State and HTTP DDNS for the DDNS Type Figure 8 4 HTTP DDNS Configuration 5 Enter the domain name in the DNS Zone Name field 6 Select a DDNS service from the DDNS Service drop down list 7 Enter the username and password provided by your DDNS service providers 8 Click on button to send a DNS update request to your DDNS service prov...

Page 63: ...ions below 1 Open the DDNS configuration page by clicking on the DDNS menu 2 Click on the icon of the host table entry to be modified in the host table or select the host table entry from the host table drop down list 3 You may then make desired changes to the host name and or the IP address 4 Click on the button to save the changes The new settings for this host table entry will then be displayed...

Page 64: ......

Page 65: ... inspection engine in the RX3041H maintains a state table that is used to keep track of connection states of all the packets passing through the firewall The firewall will open a hole to allow the packet to pass through if the state of the packet that belongs to an already established connection matches the state maintained by the stateful packet inspection engine Otherwise the packet will be drop...

Page 66: ...Access Rules The default outbound access rule allows all the traffic originated from your LAN to be forwarded to the external network using NAT WARNING It is not necessary to remove the default ACL rule from the ACL rule table It is better to create higher priority ACL rules to override the default rule 9 2 NAT Overview Network Address Translation allows use of a single device such as the RX3041H ...

Page 67: ...n n Each internal IP address is mapped to one external IP address on a first come first serve basis Figure 9 2 shows that PC B C and D are mapped to a globally valid IP address respectively while PC A does not map to any globally valid IP address If PC A wants to go to the Internet PC A must wait until a global valid IP address is available For example in Figure 9 3 PC B must disconnect from the I...

Page 68: ...obally valid Internet address and the port number is translated with an un used port from the pool of network ports Figure 9 4 shows that all the hosts on the local network gain access to the Internet by mapping to only one globally valid IP address and different port numbers from a free pool of network ports Figure 9 4 NAPT Map Any Internal PCs to a Single Global IP Address Figure 9 5 Reverse Sta...

Page 69: ...meters Table 9 1 describes the configuration parameters available for firewall ACL rules Table 9 1 ACL Rule Configuration Parameters Field Description ID Add New Click on this option to add a new ACL rule Rule Number Select a rule from the drop down list to modify its attributes Action Allow Select this button to configure the rule as an allow rule This rule when bound to the Firewall will allow m...

Page 70: ...h as those on the LAN for inbound ACL rules and those on the Internet for outbound ACL rules IP Address Subnet Range and IP Pool Select any of these options and enter details as described in the Source IP section above Source Port This option allows you to set the source port to which this rule should apply Use the drop down list to select one of the following options Any Select this option if you...

Page 71: ...irected Note this option is called reverse NAPT or virtual server For outbound ACL rules Select this option to specify the IP address that you want the outbound traffic to use Note this option is called NAPT or overload NAT Pool Select this option to associate a pre configured NAT pool to the rule For inbound ACL rules only reverse static NAT and reverse NAPT pool can be used For outbound ACL rule...

Page 72: ... service for any host on the Internet to access to FTP server in the local network w IP address 192 168 1 123 Figure 9 7 Inbound ACL configuration Example 5 Assign a priority for this rule by selecting a number from the Move to drop down list Note that the number indicates the priority of the rule with 1 being the highest Higher priority rules will be examined prior to the lower priority rules by ...

Page 73: ... rule number from the ID drop down list 3 Click on the button to delete this ACL rule Note that the ACL rule deleted will be removed from the ACL rule table located at the bottom half of the same configuration page 9 4 4 Display Existing Inbound ACL Rules To see existing inbound ACL rules just open the Inbound ACL Rule configuration page by clicking on the Firewall Î Inbound ACL menu 9 5 Configuri...

Page 74: ...bound ACL rule follow the instructions below 1 Open the Outbound ACL Rule configuration page by clicking on the Firewall Î Outbound ACL menu 2 Click on the icon of the rule to be modified in the outbound ACL table or select the rule number from the ID drop down list 3 Make desired changes to any or all of the following fields action source destination IP source destination port protocol NAT time r...

Page 75: ...ailable for an URL filter rule Table 9 2 URL Filter Configuration Parameters Field Description URL Filter State Click on Enable or Disable radio button to enable or disable URL filtering Proxy Server Port Enter the proxy server web server port number configured for your web browser Note that the proxy server port change requires you to disable and enable the firewall to take effect ID Add New Clic...

Page 76: ...he icon of the rule to be deleted in the URL Filter Configuration Summary table or select the rule number from the ID drop down list 3 Click on the button to delete this rule 9 6 5 View Existing URL Filter Rules To see existing URL filter rules just open the URL Filter configuration page by clicking on the Firewall Î URL Filter menu 9 7 Configuring Advanced Firewall Features Firewall Î Advanced Th...

Page 77: ...y traffic from the LAN internal network to the RX3041H From WAN Select Enable or Disable to allow or deny traffic from WAN external network to the RX3041H 9 7 1 2 Add a Self Access Rule To add a Self Access rule follow the instructions below 1 Open the Self Access Rule configuration page by clicking on the Firewall Î Advanced Î Self Access menu 2 Select Add New from the Self Access rule drop down ...

Page 78: ...elete a Self Access Rule To delete a Self Access rule click on the icon of the rule to be deleted or follow the instruction below 1 Open the Self Access Rule configuration page by clicking on the Firewall Î Advanced Î Self Access menu 2 Click on the icon of the Self Access rule to be deleted in the Self Access rule table or select the Self Access rule from the Self Access rule drop down list 3 Cli...

Page 79: ...ble 9 4 for explanation of these fields Figure 9 14 Service List Configuration 5 Click on the button to create the new service The new service will then be displayed in the service list table at the bottom half of the Service configuration page Edit icon Service drop down list Figure 9 15 Service List 9 7 2 3 Modify a Service To modify a service follow the instructions below 1 Open the Service Lis...

Page 80: ...cted Windows systems in the Internet The RX3041H Firewall also provides protection from a variety of common Internet attacks such as IP Spoofing Ping of Death Land Attack Reassembly and SYN flooding For a complete list of DoS protection provided by the RX3041H please see Table 2 3 9 7 3 1 DoS Protection Configuration Parameters Table 9 5 describes the configuration parameters available for DoS Pro...

Page 81: ... ignored by the IDS This may indicate an unsuccessful attempt to hijack a TCP session ICMP Verbose Check or un check this option to enable or disable protection against ICMP error message attacks ICMP messages can be used to flood your network w undesired traffic By default this option is enabled Maximum IP Fragment Count Enter the maximum number of fragments the Firewall should allow for every IP...

Page 82: ...Policy List Firewall policy list provides a convenient way to manage firewall ACL rules inbound outbound ACL rules and group ACL rules Application Filters This option allows you to configure Command Filters for FTP HTTP RPC and SMTP applications Configure filters here before attaching them to policies IP Pools This option allows you to configure logical names for IP Pools and set appropriate IP ad...

Page 83: ...meters available for application filter. Table 9.6 Application Filter Configuration Parameters. Field / Description. Filter Type: Select the type of filter (FTP, HTTP, RPC and SMTP). Filter Name: Enter a name for the filter. Protocol: Select the protocol that the Application Filter uses (TCP, UDP). Port: Enter the port number that the Application Filter uses. Log: This option includes buttons to enable and disable logging...

Page 84: ...ying an individual recipient of the mail data. DATA: Allow or deny mail data. VRFY: Allow or deny verifying the existence of the user. EXPN: Allow or deny identification for a mailing list. TURN: Allow or deny the switching of roles of the client and server, to send mail in the reverse direction. SEND: Allow or deny initiating a mail transaction. HTTP (Deny Following Files): Add the following command to an HTTP fil...

Page 85: ...lication Filter menu. 2. Select FTP from the Filter Type drop-down list. 3. Select Add New Filter from the Filter Rule drop-down list. 4. Enter a name for this rule, in this example FTPRule1. 5. Change the port number if necessary. However, it is recommended that you keep the Default setting. Filter Type drop-down list; Filter Rule drop-down list. Figure 9.19 FTP Filter Example: Configuring FTP Filter Rule. 6. Cho...

Page 86: ...an FTP Filter to Deny FTP Delete Command. 9. Repeat step 8 if more commands are to be added; otherwise proceed to the next step. 10. Click on the button to create this FTP application filter rule. FTP Command drop-down list; FTP filter drop-down list. Figure 9.22 FTP Filter Example: Associate FTP Filter Rule to an ACL Rule. 11. Associate the newly added FTP application filter rule to a firewall ACL rule (inbound...

Page 87: ...HTTP Filter Example: Configuring HTTP Filter Rule. 6. Choose to enable or disable the logging option. The default setting is to keep the logging for this rule disabled. 7. Check the web application files to block, in this example Java Applets and Java Archives. 8. Enter additional web application files to block: enter the file extension in the Deny Following Files fields if desired. Figure 9.23 shows that f...

Page 88: ...cy List → Application Filter menu. 2. Select the application filter to modify: click on the icon of the application filter to be modified in the Application Filter List table, or select the filter type from the Filter Type drop-down list and then select the filter rule from the Filter Rule drop-down. 3. Make desired changes to any or all of the following fields: Port number, logging option, etc. Filter Ty...

Page 89: ...IP pool. Table 9.7 IP Pool Configuration Parameters. Field / Description. IP Pool Name: Enter the name of the local IP. IP Pool Type: Select the type of IP Pool. IP Range: This option allows you to configure the range of IP addresses. Start IP: Enter the starting IP address of the range. End IP: Enter the ending IP address of the range. Subnet: This option allows you to include all the computers that are connecte...

Page 90: ...the IP Pool List table, or select the IP pool from the IP Pool drop-down list. 3. Make desired changes to any or all of the following fields: Pool name, Pool type and IP address. 4. Click on the button to save the new settings. The new settings for this pool will then be displayed in the IP Pool list table. 9.8.2.4 Delete an IP Pool. To delete an IP Pool, click on the icon of the IP pool to be deleted or fol...

Page 91: ...groups, see Figure 9.28. Figure 9.28 IP Pool Example: Add Two IP Pools, MISgroup1 and MISgroup2. 2. Associate an IP pool to firewall ACL rules (inbound, outbound or group ACL) by selecting IP Pool from the Source IP Type drop-down list and then choosing an IP pool from the IP pool drop-down list. In this example, the IP pool is used to associate to the source IP; however, it can be used to associate to the destination IP as...

Page 92: ...ic: Select this type of NAT to set a one-to-one Mapping between the Internal Address and the External Address. LAN IP range (for the Internal Address): Start IP: Enter the starting IP address. End IP: Enter the ending IP address. Internet IP Range (for the External Address): Start IP: Enter the starting IP address. End IP: Enter the ending IP address. Dynamic: Select this type of NAT to map a set of internal corpo...

Page 93: ...and mapped IP addresses (start NAT IP Address and end NAT IP Address). If the Overload pool type is selected, enter the NAT IP address. If you want to use the IP address assigned for the WAN port as the NAT IP address, select the Interface pool type. NAT Pool drop-down list; NAT Pool Type drop-down. Figure 9.30 NAT Pool configuration. 6. Click on the button to create the new NAT pool. The new NAT pool will then...

Page 94: ...olicy List → NAT Pool menu. 2. Click on the icon of the NAT pool to be deleted in the NAT Pool List table, or select the NAT pool from the NAT Pool drop-down list. 3. Click on the button to delete this NAT pool. 9.8.3.5 NAT Pool Example. Figure 9.31 shows the network diagram for this NAT pool example (diagram labels: 10.64.2.0/24; ISR; Static NAT Pool; LAN Port 192.168.1.1; WAN Port 10.64.2.254; 192.168.1.11; 10.64.2.1; 10.64.2...

Page 95: ...can have the following periods: Pre-lunch period between 9:00 and 13:00 Hrs; Post-lunch period between 14:00 and 18:30 Hrs. Office hours on weekends (Saturday, Sunday) can have the following periods: 9:00 to 12:00 Hrs. Such varying time periods can be configured into a single time range record. Access rules can be activated based on these time periods. 9.8.4.1 Time Range Configuration Parameters. Table 9.9...

Page 96: ...follow the instructions below: 1. Open the Time Range configuration page by clicking the Firewall → Policy List → Time Range menu. 2. Click on the icon of the Time Range to be modified in the Time Range list table, or select the Time Range from the Time Range drop-down list. 3. Select the Schedule from the schedule drop-down list. 4. Make desired changes to any or all of the following fields: Days of week...

Page 97: ...n outbound ACL rule by selecting an existing time range from the Time Range drop-down list. Figure 9.36 shows that MISgroup1 is denied FTP access during office hours. Time Range drop-down list. Figure 9.36 Time Range Example: Deny FTP Access for MISgroup1 During OfficeHours. 9.9 Firewall Statistics (Firewall → Statistics). The Firewall Statistics page displays details regarding the active connections. Figu...

Page 98: ...Figure 9.37 Firewall Statistics ...

Page 99: ...new user group and user information, including user name, password, etc., to the group. Add/modify/delete group access policies. 10.2 Manage User Groups and Users. The Remote Access option allows you to configure users and groups. 10.2.1 User Group Configuration Parameters. Table 10.1 describes the configuration parameters available for remote access user groups and users. Table 10.1 User Group Configurat...

Page 100: ...me field. Make sure that this name is unique among the existing groups. Note that the group name is case sensitive; for example, Group1 and group1 are treated as separate groups. 4. Click on the Enable or Disable radio button in the Group State field to enable or disable this group. 5. Enter the inactivity timeout period. The default is 300 seconds. 6. If you want to add a user to this newly created group, continue w...

Page 101: ...p to step 6. Note that the group name cannot be changed. To change the group name, you must first delete the existing group and then create a new group with the desired name. 4. Select an existing user from the user drop-down list. 5. Make desired changes in the User State, Password and Confirm Password fields. Note that the user name cannot be changed. To change the user name, you must delete the existing u...

Page 102: ...e 10.2 describes the group ACL-specific configuration parameters. The rest of the configuration parameters are the same as those for firewall inbound/outbound ACL rules. Please refer to Table 9.1 for details on the common configuration parameters. Table 10.2 Group ACL Specific Configuration Parameters. Field / Description. Type: Select the type of traffic to which this rule should apply. Inbound: Select this if...

Page 103: ...e highest. Higher priority rules will be examined prior to the lower priority rules by the firewall. 8. Click on the button to create the new ACL rule. The new ACL rule will then be displayed in the group ACL table at the bottom half of the Group ACL configuration page. Figure 10.4 Group ACL List. 10.3.3 Modify a Group ACL Rule. To modify a group ACL rule, follow the instructions below: 1. Open the Time Ran...

Page 104: ...nfiguration page. 10.3.5 Display Existing Group ACL Rules. To see existing group ACL rules, just open the Group ACL Rule configuration page by clicking on the Firewall → Remote Access → Group ACL menu. 10.4 Remote User Login Process. For a user belonging to a user group to connect to the Internet Access Router, he or she must do a special login first to activate user group based policies; otherwise the R...

Page 105: ...ir corporate network without compromising on security. The steps required for configuring the RX3041H for remote access are best explained with an example. The following shows the steps required to configure the RX3041H for the remote users Richard and Gloria to access the FTP server located in the protected network (i.e. the corporate LAN). Figure 10.7 shows the network diagram for this example. 1. Create rem...

Page 106: ...up ACL Configuration Example. 2. Create an inbound group ACL rule (see Figure 10.9) to allow remote access users Richard and Gloria to access the FTP server in the corporate network. 3. Remote users Richard and Gloria can then log in to the RX3041H to access the FTP server by entering the following URL in the browser: http://61.222.32.38/login ...

Page 107: ...enable or disable services supported by the router. All services except DDNS, RIP, SNTP and UPnP are enabled at the factory. To disable or enable an individual service, follow the steps below: 1. Open the System Services configuration page by clicking the System Management → System Services menu. 2. Click on the Enable or Disable radio button for the individual service to enable or disable the desired service...

Page 108: ...Configure Management Stations. At times you may want to limit the hosts that can be used to configure the router. The default setting allows the system administrator to log in from any computer as long as the username and password are correctly entered. This may provide opportunities for unauthorized users to gain access to the Configuration Manager of the router as long as he or she possesses the k...

Page 109: ...the range. End: Enter the ending IP address of the range. Subnet: This option allows you to specify all the computers that are connected in an IP subnet to become the management station group. When this option is selected, the following fields become available for entry: Network Address: Enter the appropriate IP address. Subnet Mask: Enter the corresponding subnet mask. 11.2.2.2 Add a Management Station Grou...

Page 110: ...g the System Management → Password menu. 2. Select a management group number from the ID drop-down list. 3. Click on the button to delete the management station group. 11.3 Configure System Identity. System-specific information, such as the system name (a unique name for this device), system location (where this device is located) and contact person information for this device, can be modified in the System Identity...

Page 111: ...vice is enabled and the configured SNTP servers are accessible. Time Zone: Enter the time zone for your region. SNTP Server 1-5: Enter the IP address of the SNTP servers. Up to 5 SNTP servers can be configured for the router to obtain the correct date and time. Update Interval: Enter the update interval in minutes for the router to get the updated date and time from the time servers. The default setting is 60...

Page 112: ...escription. SNMP: Click on the Enable or Disable radio button to enable or disable the SNMP support. RO Community Name: The community string is a clear-text string that is used as a password between the SNMP management station and the RX3041H. This Read-Only community name is used by the SNMP management station to read the settings in the RX3041H. RW Community Name: The community string is a clear-text string that...

Page 113: ...ttom of the configuration page. Figure 11.8 Existing SNMP Configuration. 11.6 System Configuration Management. 11.6.1 Reset to Factory Settings. 11.6.1.1 Reset to Factory Settings Using Configuration Manager. At times you may want to revert to the factory default settings to eliminate problems resulting from incorrect system configuration. Follow the steps below to reset the system configuration: 1. Open the...

Page 114: ...at least 5 seconds. 2. Power on the router and wait around 5 seconds, pres... 3. After the ALARM LED flashes once, press the reset button again. You will then see the LED flash twice in about 5 seconds. This indicates that the RX3041H is about to revert to the factory default settings. If you change your mind, you may press the reset button again or turn the power off to cancel the action. If the system configura...

Page 115: ...te that the RX3041H will reboot to make the new system configuration take effect. 11.7 Upgrade Firmware. ASUSTeK may from time to time provide you with an update to the firmware running on the RX3041H. All system software is contained in a single file called an image. Configuration Manager provides an easy way to upload the new firmware image. To upgrade the image, follow this procedure: 1. Open the Firmwar...

Page 116: ...t to the Configuration Manager, click on the System Info menu to check if the new firmware is properly upgraded. Note that you may need to clear the cache of your web browser to see the new System Info page. Following is the procedure to clear the browser cache for Microsoft Internet Explorer: a. Click on the Tools menu. b. Click on the Internet Options menu. c. Click on the Delete Files button to clear the browser ca...

Page 117: ...ogout page by clicking the Logout menu and then click on the button in the Logout page. If you are using IE, a window similar to the one shown in Figure 11.19 will pop up for logout confirmation before closing your browser window. Figure 11.18 Logout Page. Figure 11.19 Confirmation for Closing Browser (IE) ...

Page 119: ...Plus UDP 53 DNS QuickTime Version 6 RTSP 7070 TCP 80 HTTP UDP 6801 N2P TCP 80 HTTP TCP 443 HTTPS Net2Phone UDP 53 DNS Net2Phone CommCenter Release 1.5.0 TCP 7648 CUSEEME TCP 80 HTTP CUSeeMe UDP 53 DNS CUSeeMe Version 5.0.0.043 TCP 1720 H323 Netmeeting UDP 53 DNS TCP 1720 H323 TCP 389 ILS Netmeeting with ILS UDP 53 DNS TCP 1720 H323 UDP 1719 H323GK Netmeeting with GK UDP 53 DNS Windows Netmeeting V...

Page 120: ...essenger Version 5.0.2938 TCP 5191 ICQ_2000 TCP 80 HTTP ICQ Chat (NB: Application should be configured to use TCP 5191) UDP 53 DNS ICQ 2000b TCP 6667 IRC TCP 80 HTTP IRC UDP 53 DNS MIRC v6.02 TCP 1863 MSN TCP 80 HTTP MSIM UDP 53 DNS MSN Messenger Service Version 3.6.0039 Games TCP 47624 MSG1 TCP 28801 MSN ZONE TCP 443 HTTPS TCP 80 HTTP Flight Simulator 2002 Gaming Zone UDP 53 DNS Flight Simulator 200...

Page 121: ...S Diablo II BATTLE NET TCP BATTLE NET UDP UDP 6112 Diablo II Diablo II Other common Applications: TCP 110 POP3 POP3 UDP 53 DNS Outlook Express 5 TCP 143 IMAP4 IMAP UDP 53 DNS Outlook Express 5 TCP 25 SMTP SMTP UDP 53 DNS Outlook Express 5 TCP 443 HTTPS TCP 80 HTTP HTTPS TLS SSL UDP 53 DNS Internet Explorer 5 TCP 389 ILS LDAP UDP 53 DNS Openldap 2.0.25 TCP 119 NNTP NNTP UDP 53 DNS Outlook Express 5 ...

Page 123: ...le port: For use by ASUS only. Environmental Specification: Operation: Temperature 0°C to 40°C (32°F to 105°F), Humidity 10% to 90% non-condensing. Storage: Temperature -20°C to 65°C (-4°F to 149°F), Humidity 10% to 90% non-condensing. B.2 Default Settings. Table B.2 lists the default settings for your router. Parameters not listed in this table do not have default settings. Table B.2 System Default Settings. LAN IP Address 192.168.1.1; I...

Page 124: ...mote Access: User Group Inactivity Timeout 300 seconds. Firewall: Inbound ACL: Deny all inbound traffic; Outbound ACL: Allow all outbound traffic; NAT: WAN interface; Time Ranges: always; Application Filtering: none; Log: disable; Enable URL Filter; Proxy Port 80. Advanced → Self Access: From LAN: ICMP; TCP 23, 80, 10081; UDP 161, 162, 53. Enable SYN Flooding, ICMP Verbose; Max IP Fragment Count 45; Min IP Fragment Size 512 b...

Page 125: ...Disable: DDNS, RIP, SNTP, UPnP. Administrator: Username admin (cannot be changed), Password admin. Guest: Username guest (cannot be changed), Password guest. System Identity: System Name RX3041H. Date/Time: Date 1/1/2000 (month/day/year), Time 00:00:00 (hour:min:sec), Time Zone GMT 8:00, SNTP Update Interval 60 minutes, Disable. SNMP: RO (Read Only) Community Name public; RW (Read and Write) Community Name private ...

Page 127: ...mbers. For example, a 7-digit telephone number starts with a 3-digit prefix that identifies a group of thousands of telephone lines and ends with four digits that identify one specific line in that group. Similarly, IP addresses contain two kinds of information: Network ID: Identifies a particular network within the Internet or Intranet. Host ID: Identifies a particular computer or device on the network. T...

Page 128: ...address are the network ID and what parts are the host ID: bits set to 1 mean this bit is part of the network ID, and bits set to 0 mean this bit is part of the host ID. Subnet masks are used to define subnets (what you get after dividing a network into smaller pieces). A subnet's network ID is created by borrowing one or more bits from the host ID portion of the address. The subnet mask identifies these...

Page 129: ...Class C 255.255.255.0. These are called default because they are used when a network is initially configured, at which time it has no subnets ...

Page 131: ...nd to the RX3041H. Make sure the PC and/or hub is turned on. Verify that your cable is sufficient for your network requirements: a 100 Mbit/sec network (100BaseTx) should use cables labeled Cat 5; 10 Mbit/sec cables may tolerate lower quality cables. Internet Access: PC cannot access the Internet. Use the ping utility, discussed in the following section, to check whether your PC can communicate with the router by...

Page 132: ...rnet cabling. Verify that you are using Internet Explorer v5.5, Netscape 7.0.2 or later. Support for Javascript must be enabled in your browser. Support for Java may also be required. Verify that the PC's IP address is assigned as being on the same subnet as the IP address assigned to the LAN port of the router. Changes to Configuration Manager are not being retained: Be sure to click on the button to save c...

Page 133: ...command prompt or through a system administration utility. D.1.2 Nslookup. You can use the nslookup command to determine the IP address associated with an Internet site name. You specify the common name, and the nslookup command looks up the name on your DNS server (usually located with your ISP). If that name is not an entry in your ISP's DNS table, the request is then referred to another higher-level s...

Page 134: ...okup Utility. There may be several addresses associated with an Internet name. This is common for web sites that receive heavy traffic; they use multiple redundant servers to carry the same information. To exit from the nslookup utility, type exit and press Enter at the command prompt ...

Page 135: ...ifferent types of data over the same medium. DSL is a broadband technology. broadcast: To send data to all computers on a network. DHCP (Dynamic Host Configuration Protocol): DHCP automates address assignment and management. When a computer connects to the LAN, DHCP assigns it an IP address from a shared pool of IP addresses; after a specified time limit, DHCP returns the address to the pool. DHCP relay (Dynam...

Page 136: ...st from your computer to a router and then from one router to another until it finally reaches a router that is directly connected to the recipient. Each individual leg of the data's journey is called a hop. hop count: The number of hops that data has taken on its route to its destination. Alternatively, the maximum number of hops that a packet is allowed to take before being discarded (see also TTL). hos...

Page 137: ...alking to a computer on your LAN. NAT rule: A defined method for translating between public and private IP addresses on your LAN. network: A group of computers that are connected together, allowing them to communicate with each other and share resources such as software, files, etc. A network can be small, such as a LAN, or very large, such as the Internet. network mask: A network mask is a sequence of bits ap...

Page 138: ...IP protocol used for network management. subnet: A subnet is a portion of a network. The subnet is distinguished from the larger network by a subnet mask, which selects some of the computers of the network and excludes all others. The subnet's computers remain physically connected to the rest of the parent network, but they are treated as though they were on a separate network. See also network mask. subn...

Page 139: ...ransfer Protocol (HTTP) to download information from and upload to web sites, and displays the information, which may consist of text, graphic images, audio or video, to the user. Web browsers use Hyper Text Transfer Protocol (HTTP). Popular web browsers include Netscape Navigator and Microsoft Internet Explorer. See also HTTP, web site, WWW. Web page: A web site file, typically containing text, graphics and hyperl...
