Asus SL1200 User Manual Download Page 105

Page: 105 / 175

Chapter 9 - Configuring Firewall/NAT Settings

ASUS SL1200

Field

Description

Sequence Number Out

of Range Check

Check or un-check this option to enable or disable protection

against TCP out of range sequence number attacks. An

attacker can send a TCP packet to cause an intrusion

detection system (IDS) to become unsynchronized with

the data in a connection. Subsequent frames sent in that

connection may then be ignored by the IDS. This may

indicate an unsuccessful attempt to hijack a TCP session.

ICMP Verbose

Check or un-check this option to enable or disable protection

against ICMP error message attacks. ICMP messages can

be used to flood your network with undesired traffic. By

default, this option is enabled.

Maximum IP Fragment

Count

Enter the maximum number of fragments the Firewall should

allow for every IP packet. This option is required if your

connection to the ISP is through PPPoE. This data is used

during transmission or reception of IP fragments. When

large sized packets are sent via the router, the packets are

chopped into fragments as large as MTU (Maximum Trans-

mission Unit). By default, this number is set to 45. If MTU of

the interface is 1500 (default for Ethernet), then there can

be a maximum of 45 fragments per IP packet. If the MTU is

less, then there can be more number of fragments and this

number should be increased.

Minimum IP Fragment

Size

Enter the Minimum size of IP fragments to be allowed

through Firewall. This limit will not be enforced on the last

fragment of the packet. If the Internet traffic is such that it

generates many small sized fragments, this value can be

decreased. This can be found if there are lots of packet loss,

degradation in speed and if the following log message is

generated very often:”fragment

of size less than configured

minimum fragment size detected”.

Summary of Contents for SL1200

Page 1: ...User Manual E2923 November 2006 SL1200 Internet Security Router ...

Page 2: ...ose In no event shall ASUS its directors officers employees or agents be liable for any indirect special incidental or consequential damages including damages for loss of profits loss of business loss of use or data interruption of business and the like even if ASUS has been advised of the possibility of such damages arising from any defect or error in this manual or product Specifications and inf...

Page 3: ... CA 94538 USA General fax 1 510 608 4555 Web site address usa asus com Technical support General support tel 1 502 995 0883 Online support http support asus com Notebook tel 1 510 739 3777 x5110 Support fax 1 502 933 8713 ASUS COMPUTER GmbH Germany Austria Company address Harkort Str 25 D 40880 Ratingen Germany General tel 49 2102 95990 Web site address www asus com de General fax 49 2102 959911 O...

Page 4: ...nce to radio communications However there is no guarantee that interference will not occur in a particular installation If this equipment does cause harmful interference to radio or television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one or more of the following measures Reorient or relocate the receiving ant...

Page 5: ...ures 5 2 4 1 Firewall Features 5 2 4 2 VPN 9 3 Quick Start 11 3 1 Part 1 Connecting the hardware 11 3 1 1 Connect to an ADSL or a cable modem 11 3 1 2 Connect computers or a LAN 11 3 1 3 Attach the power adapter 12 3 1 4 Turning on the ASUS SL1200 12 3 2 Part 2 Configuring Your Computers 13 3 2 1 Before you begin 13 3 2 2 Windows XP PCs 14 3 2 3 Windows 2000 PCs 14 3 2 4 Windows 95 98 and ME PCs 1...

Page 6: ...y used buttons and icons 30 4 3 Configuration Manager s Home Page 31 4 4 Overview of System Configuration 31 5 Configuring LAN Settings 32 5 1 LAN IP Address 32 5 1 1 LAN IP Configuration Parameters 33 5 1 2 Configuring the LAN IP Address 33 5 2 Dynamic Host Control Protocol DHCP 34 5 2 1 What is a DHCP 34 5 2 2 Why use a DHCP 34 5 2 3 Configuring a DHCP Server 35 5 2 4 Viewing Current DHCP Addres...

Page 7: ...figuration Parameters 45 6 4 2 Configuring Static IP for WAN 46 6 5 Viewing WAN Statistics 47 7 Configuring Routes 48 7 1 Overview of IP Routes 48 7 1 1 Do I need to define IP routes 48 7 2 Dynamic Routing Using Routing Information Protocol RIP 49 7 2 1 Dynamic Routing RIP Configuration Parameters 49 7 2 2 Configuring RIP 50 7 3 Static Routing 51 7 3 1 Static Route Configuration Parameters 51 7 3 ...

Page 8: ... 1 Static One to One NAT 61 9 2 2 Dynamic NAT 62 9 2 3 Network Address and Port Translation NAPT or Port Address Translation PAT 63 9 2 4 Reverse Static NAT 64 9 2 5 Reverse NAPT Virtual Server 64 9 3 Configuring Inbound ACL Rules 64 9 3 1 Inbound ACL Rule Configuration Parameters 65 9 3 2 Access Inbound ACL Rule Configuration Page Firewall ACL 69 9 3 3 Add Inbound ACL Rules 69 9 3 4 Modify Inboun...

Page 9: ...er Rules 78 9 5 4 Modify URL Filter Rules 79 9 5 5 Delete URL Filter Rules 79 9 5 6 View Configured URL Filter Rules 79 9 6 Configuring Advanced Firewall Features Firewall Advanced 80 9 6 1 Configuring Self Access Rules 81 9 6 2 Configuring Service List 83 9 6 3 Configuring DoS Settings 86 9 7 Firewall Policy List Firewall Policy List 90 9 7 1 Configuring IP Pool 90 9 7 2 Configuring NAT Pool 94 9...

Page 10: ... static NAT VPN for VPN traffic 122 11 System Management 130 11 1 Configure System Services 130 11 2 Change the Login Password 131 11 3 Modify System Information 132 11 4 Setup Date and Time 131 11 4 1 View the System Date and Time 133 11 5 SNMP Setup 134 11 5 1 SNMP Configuration Parameters 134 11 5 2 Configuring SNMP 134 11 5 3 View the System Date and Time 133 11 5 4 View the System Date and Ti...

Page 11: ...et masks 145 14 Troubleshooting 148 14 1 Diagnosing problems using IP utilities 151 14 1 1 ping 151 14 1 2 ns lookup 152 15 Glossary 153 List of Figures Figure 2 1 Front Panel LEDs 3 Figure 2 2 Rear Panel Connections 4 Figure 3 1 Overview of Hardware Connections 12 Figure 3 2 Login Screen 19 Figure 3 3 Setup Wizard Home Page 20 Figure 3 4 Setup Wizard Password Configuration Page 20 Figure 3 5 Setu...

Page 12: ...4 3 Setup Wizard Home Page 31 Figure 4 4 System Information Page 31 Figure 5 1 LAN IP Address Configuration Page 33 Figure 5 2 DHCP Configuration Page 35 Figure 5 3 LAN Statistics Page 40 Figure 6 1 WAN PPoE Configuration Page 41 Figure 6 2 WAN Dynamic IP DHCP client Configuration Page 45 Figure 6 3 WAN Static IP Configuration Page 46 Figure 6 4 WAN Statistics Page 47 Figure 7 1 RIP Configuration ...

Page 13: ... 7 Inbound ACL Configuration Page 65 Figure 9 8 Inbound ACL Configuration Example 69 Figure 9 9 Outbound ACL Configuration Page 71 Figure 9 10 Outbound ACL Configuration Example 76 Figure 9 11 URL Filter Configuration Page 78 Figure 9 12 URL Filter Example 80 Figure 9 13 Self Access Rule Configuration Page 81 Figure 9 14 Service List Configuration Page 84 Figure 9 15 DoS Configuration Page 89 Figu...

Page 14: ...0 1 VPN Tunnel Configuration Page Pre shared Key Mode 112 Figure 10 2 VPN Statistics Page 116 Figure 10 3 Typical Intranet Network Diagram 117 Figure 10 4 Intranet VPN Policy Configuration on ISR1 118 Figure 10 5 Intranet VPN Policy Configuration on ISR2 120 Figure 10 6 Typical Extranet Network Diagram 122 Figure 10 7 Extranet Example VPN Policy Configuration on ISR1 124 Figure 10 8 Extranet Examp...

Page 15: ...igure 11 3 System Information Configuration Page 132 Figure 11 4 Date and Time Configuration Page 133 Figure 11 5 SNMP Configuration 135 Figure 11 6 Existing SNMP Configuration 135 Figure 11 7 Default Setting Configuration Page 136 Figure 11 8 Backup System Configuration Page 137 Figure 11 9 Restore System Configuration Page 137 Figure 11 10 Windows File Browser 138 Figure 11 11 Firmware Upgrade P...

Page 16: ...3 WAN Static IP Configuration Parameters 45 Table 7 1 Dynamic Routing RIP Configuration Parameters 49 Table 7 2 Static Route Configuration Parameters 51 Table 8 1 DDNS Configuration Parameters 56 Table 9 1 Inbound ACL Rule Configuration Parameters 65 Table 9 2 Outbound ACL Rule Configuration Parameters 72 Table 9 3 URL Filter Configuration Parameters 77 Table 9 4 Self Access Configuration Paramete...

Page 17: ...nslated Firewall Rule for VPN Packets on ISR1 119 Table 10 7 Inbound Un translated Firewall Rule for VPN Packets on ISR1 119 able 10 8 Outbound Un translated Firewall Rule for VPN Packets on ISR1 121 Table 10 9 Inbound Un translated Firewall Rule for VPN Packets on ISR1 121 Table 11 1 Fixed DHCP Lease Configuration 134 Table 12 1 Supported ALG 141 Table 13 1 IP Address structure 146 Table 14 1 Pro...

Page 18: ...N Automatic network address assignment through DHCP Server Services including IP route DNS and DDNS configuration RIP and IP performance monitoring Configuration program accessible via a web browser such as Microsoft Internet Explorer 5 5 Netscape 7 0 2 or later 1 2 System Requirements In order to use the ASUS SL1200 for Internet access you must have the following ADSL or cable modem and the corre...

Page 19: ... used to identify terms defined in the Glossary Boldface type text is used for items you select from menus and drop down lists and commands you type when prompted by the program 1 3 3 Symbols This document uses the following icons to call your attention to specific instructions or explanations Note Provides clarification or non essential information on the current topic Definition Explains terms o...

Page 20: ...issing contact your retailer 2 2 Front Panel The front panel contains LED indicators that show the status of the unit Figure 2 1 Front Panel LEDs Table 2 1 Front Panel Label and LEDs Label Color Function POWER green On Unit is powered on Off Unit is powered off WAN green On WAN link established and active Flashing Data is transmitted via WAN connection Off No WAN link LAN1 LAN4 green On LAN link i...

Page 21: ...lied power adapter Reset Resets the device CONSOLE RJ 45 serial port for console management WAN Connects to your WAN device such as ADSL or cable modem P1 P4 Connects to the device to your PC s Ethernet port or to the uplink port on your LAN s hub switch using the cable provided 2 3 Rear Panel The rear panel contains the ports and power connections ...

Page 22: ...ss Translation NAT to share a single high speed Internet connection NAT saves the cost of multiple connections required for the hosts on the LAN segments connected to the router It conceals network address and prevents them from becoming public It maps unregistered IP addresses of hosts connected to the LAN with valid ones for Internet access The router s firewall also provides reverse NAT capabil...

Page 23: ...ng services in an internal machine Reverse NAPT It is also called inbound mapping port mapping and virtual server Any packet coming to the router can be relayed to the internal host based on the protocol port number or IP Address specified in the rule This is useful when multiple services are hosted on different internal machines For a complete listing of all NAT ALGs supported refer to Chapter 12...

Page 24: ...provides a solution which is highly secure and that offers scalability and extensibility 2 4 1 3 Defense against DoS Attacks The firewall has an Attack Defense Engine that protects internal networks from known types of Internet attacks It provides automatic protection from Denial of Service DoS attacks such as SYN flooding IP smurfing LAND Ping of Death and all re assembly attacks It can drop ICMP...

Page 25: ...allow rule In the absence of such rules the packets will be dropped by the router s firewall As it is not feasible to create policies for numerous applications dynamically without compromising security intelligence in the form of Application Level Gateways ALG is built to parse packets for applications and open dynamic associations The firewall provides a number of ALGs for popular applications su...

Page 26: ...in the WELF format ICMP logging to show code and type 2 4 2 VPN The wide use of a very open public network such as the Internet comes with a lot of advantages as well as risks These risks include the lack of confidentiality of data being sent and the authenticity of the identities of the parties involved in the exchange of data The VPN supported in the ASUS SL1200 is intended to resolve these issu...

Page 27: ...nd Reassembly IPSec Support Hardware Encryption Algorithm DES 3DES Hardware Authentication Algorithm MD5 SHA 1 Transforms ESP AH Key Management IKE Pre shared key Mode configuration for IKE Main Mode Aggressive Mode Quick Mode Site to Site VPN connection is an alternative WAN infrastructure that is used to connect branch offices home offices or business partners sites to all or portions of a compa...

Page 28: ...quent chapters for additional configuration instructions 3 1 Part 1 Connecting the Hardware This section gives you instructions on connecting the device to an ADSL or a cable modem which in turn is connected to a phone jack or a cable outlet the power outlet and your computer or network Before you begin turn the power off for all devices These include your computer s your LAN hub switch if applica...

Page 29: ...itch port labeled LAN1 LAN4 on the router Either the crossover or straight through Ethernet cable can be used to connect the built in switch and computers hubs or switches 3 1 3 Attach the power adapter Connect the AC power adapter to the POWER connector on the back of the device and plug in the adapter to a wall outlet or a power strip 3 1 4 Turning on the ASUS SL1200 After plugging in the router...

Page 30: ... Check the LED indicators refer to Table 3 1 to determine if the hardware setup is working properly 3 2 Part 2 Configuring Your Computers This section provides instructions for configuring the Internet settings on your computers to work with the router 3 2 1 Before you begin By default the ASUS SL1200 automatically assigns all required Internet settings to your PCs You need only to configure the P...

Page 31: ...button labeled Obtain DNS server address automatically 6 Click OK twice to confirm your changes and close the Control Panel 3 2 3 Windows 2000 PCs Check for the IP protocol and if necessary install it 1 In the Windows task bar click Start Settings Control Panel 2 Double click the Network and Dial up Connections icon 3 In the Network and Dial up Connections window right click the Local Area Connect...

Page 32: ... automatically 12 Click OK twice to confirm and save your changes and then close the Control Panel 3 2 4 Windows 95 98 and Me PCs 1 In the Windows task bar click Start Settings Control Panel 2 Double click the Network icon In the Network dialog box look for an entry started w TCP IP and the name of your network adapter and then click Properties You may have to scroll down the list to find this ent...

Page 33: ...estart your computer click OK to do so with the new settings 3 2 5 Windows NT 4 0 workstations Check for the IP protocol and if necessary install it 1 In the Windows NT task bar click Start Settings Control Panel 2 In the Control Panel window double click the Network icon 3 In the Network dialog box click the Protocols tab The Protocols tab displays a list of currently installed network protocols ...

Page 34: ...y want to assign IP addresses to some or all of your PCs directly often called statically rather than allowing the ASUS SL1200 to assign them This option may be desirable but not required if You have obtained one or more public IP addresses that you want to always associate with specific computers for example if you are using a computer as a public web server You maintain different subnets on your...

Page 35: ... on logging in into the Configuration Manager a preinstalled web based program in the ASUS SL1200 This section also gives instructions on configuring the basic settings for your Internet connection Your ISP should provide you with the necessary information to complete this step This section intends to quickly get the ASUS SL1200 up and running and instructions in this section are concise You may r...

Page 36: ...RL in the address location box and press Enter http 192 168 1 1 This is the predefined IP address for the LAN port on the router A login screen displays as shown in Figure 3 2 Figure 3 2 Login Screen If you have problems connecting to the router you may either check if your PC is configured to accept IP address assignment from the router or set the IP address of your PC to any IP address in the 19...

Page 37: ... 4 Setup Wizard Password Configuration Page 4 Click Next to enter the password configuration page as shown in Figure 3 4 Change the password if desired Otherwise click Next to proceed to the next page When changing passwords make sure you enter the existing login password in the Login Password field make any changes for the passwords and click Apply to save the changes ...

Page 38: ...rd Date Time Configuration Page 6 In the Date Time Setup page select your time zone from the Time Zone drop down list Click Apply to save the settings and then click the Next to go to the next configuration page There is no real time clock inside the router The system date and time are maintained by the external network time server There is no need to set the date and time here unless you do not h...

Page 39: ... settings at this point until after you have completed the rest of the configurations and confirm that your Internet connection is working Click Next to proceed to the next configuration page Figure 3 7 Setup Wizard LAN IP Configuration Page Figure 3 8 Setup Wizard DHCP Server Configuration Page ...

Page 40: ...king Click Next to proceed to the next configuration page 9 In the WAN Configuration page you configure the WAN settings for the router Depending on the connection mode required by your ISP you can select from the three connection modes in the Connection Mode drop down list see Figure 3 9 PPPoE Dynamic and Static Figure 3 9 Setup Wizard WAN PPPoE Configuration Page Figure 3 10 Setup Wizard WAN Dyn...

Page 41: ...ave the PPPoE settings b Dynamic IP Connection Mode see Figure 3 10 You do not need to enter primary secondary DNS IP addresses DHCP client is able to automatically obtain this information for you from your ISP However if you prefer to use your favorite DNS servers you may enter them in the space provided Host name is optional You may leave it empty if your ISP did not provide such information If ...

Page 42: ...nection open your web browser and type the URL of any external website such as http www asus com The LED labeled WAN should be blinking rapidly and may appear solid as the device connects to the site You should also be able to browse the web site through your web browser If the LEDs do not light up as expected or the web page does not display see Chapter 14 for troubleshooting suggestions 3 3 4 De...

Page 43: ... 168 1 10 through 192 168 1 108 The Internet Security Router maintains a pool of private IP addresses for dynamic assignment to your LAN computers To use this service you must have set up your computers to accept IP information dynamically as described in Part 2 of the Quick Start Guide See section 5 2 for an explanation of the DHCP service LAN Port IPAddress S t a t i c I P a d d r e s s 192 168 ...

Page 44: ...am is preinstalled on the router To access the program you need the following A computer connected to the LAN or WAN port on the router as described in the Quick Start Guide chapter A web browser installed on the computer The program is designed to work best with Netscape 7 0 2 Microsoft Internet Explorer 5 5 or later You may access the program from any computer connected to the router via the LAN...

Page 45: ...user name and password and then click OK The first time you log into the program use these default settings Default User Name admin Default Password admin You can change the password at any time See section 11 2 Change the Login Password The Setup Wizard page displays each time you log into the program See Figure 4 3 ...

Page 46: ...lated menus are grouped into categories such as LAN and WAN and indicated by expandable folder icons You can click on any of these folders to display a specific configuration page The right frame displays the information for a selected Configuration page 4 2 1 Setup Menu Navigation Tips To expand a group of related menus click on the sign next to the corresponding file folder icon To contract a gr...

Page 47: ...Adds the existing configuration to the system such as a static route or a firewall ACL rule Modifies the existing configuration in the system such as a static route or a firewall ACL rule Deletes the selected item such as a static route or a firewall ACL rule Launches the online help for the current topic in a separate browser window Help is available from any main topic page Redisplays the curren...

Page 48: ...ou first access the Configuration Manager Figure 4 3 Setup Wizard Home Page 4 4 Overview of System Configuration To view the overall system configuration log into Configuration Manager as administrator and then click the System Info menu Figure 4 4 shows the information available in the System Info page Figure 4 4 System Information Page ...

Page 49: ... identifies the Internet Security Router as a node on your network That is its IP address must be in the same subnet as the PCs on your LAN The default LAN IP for the Internet Security Router is 192 168 1 1 A network node can be thought of as any interface where a device connects to the network such as the Internet Security Router s LAN port and the network interface cards on your PCs See Chapter ...

Page 50: ...the LAN IP Address refer to your network as a whole and which parts refer specifically to nodes on the network Your device is pre configured with a default subnet mask of 255 255 255 0 5 1 1 LAN IP Configuration Parameters Table 5 1describes the configuration parameters available for LAN IP configuration 5 1 2 Configuring the LAN IP Address To change the default LAN IP address 1 Log into Configura...

Page 51: ...e DHCP on a network you allow a device such as the router to assign temporary IP addresses to your computers whenever they connect to your network The assigning device is called a DHCP server and the receiving device is a DHCP client If you followed the Quick Start Guide instructions you either configured each LAN PC with an IP address or you specified that it will receive IP information dynamical...

Page 52: ...ise updated 5 2 3 Configuring a DHCP Server By default the router is configured as a DHCP server on the LAN side with a predefined IP address pool from 192 168 1 10 to 192 168 1 42 subnet mask 255 255 255 0 To change this range of addresses follow the procedures described in this section To configure a DHCP server You must first configure your PCs to accept DHCP informa tion assigned by a DHCP ser...

Page 53: ...omputers that receive IP addresses from this pool The default gateway is the device that the DHCP client computers first contacted to communicate with the Internet Typically it is the router s LAN port IP address Primary Secondary DNS Server IPAddress The IP address of the Domain Name System server to be used by computers that receive IP addresses from this pool The DNS server translates common In...

Page 54: ...ar to that shown in Figure 5 2 The bottom half of the same page shows the existing DHCP address assignments The DHCP Server Address Table lists any IP addresses that are currently leased to LAN devices Table 5 3 lists the information for each leased addresses Table 5 3 DHCP Address Assignment Field Description MAC Address A hardware ID of the device that leases an IP address from the DHCP server A...

Page 55: ...ers is down or is encountering heavy traffic ISPs typically provide primary and secondary DNS addresses and may provide additional addresses Your LAN PCs learn these DNS addresses in one of the following ways Statically If your ISP provides you with their DNS server addresses you can assign them to each PC by modifying the PCs IP properties Dynamically from a DHCP pool You can configure the DHCP S...

Page 56: ...the advantage that you will not need to reconfigure the PCs or the router if the ISP changes their DNS addresses Configured on the router You can also specify the ISP s DNS addresses in the WAN Configuration page as shown in Figure 6 1 WAN PPPoE Configuration Page Figure 6 2 WAN Dynamic IP DHCP client Configuration Page or Figure 6 3 WAN Static IP Configuration Page To configure DNS relay 1 Enter ...

Page 57: ...ically need to view this data but you may find it helpful when working with your ISP to diagnose network and Internet data transmission problems To view LAN IP statistics click Statistics on the LAN submenu Figure 5 3 shows the LAN Statistics page Figure 5 3 LAN Statistics Page To display the updated statistics since you opened the page click Refresh ...

Page 58: ...with your ISP You will learn to configure IP address DHCP and DNS server for your WAN in this chapter 6 1 WAN Connection Mode The router supports three modes of WAN connection PPPoE dynamic IP and static IP You may select your ISP s required connection mode from the Connection Mode drop down list in WAN Configuration page as shown in Figure 6 1 Figure 6 1 WAN PPPoE Configuration Page ...

Page 59: ...enter the IP addresses in the spaces provided Connection Options The default setting for this option is Disable You can also select either Dial On Demand or Keep Alive if desired Dial On Demand enter the inactivity timeout period at which you want to disconnect the Internet connection when there is no traffic The minimum value of inactivity timeout is 30 seconds RIP and SNTP services may interfere...

Page 60: ...re 6 1 unless you want to use your preferred DNS servers 4 Optional Enter the IP addresses for the primary and secondary DNS servers if you want to use your preferred DNS servers Otherwise skip this step 5 Choose a connection option and enter the appropriate setting if desired The default setting is Disable 6 Click Apply to save the PPPoE settings when you are done with the configuration You will ...

Page 61: ...d a MAC address previously with your ISP you may need to enter that MAC address here 6 3 2 Configuring Dynamic IP for WAN To configure dynamic IP settings 1 Select Dynamic from the Connection Mode drop down list as shown in Figure 6 2 2 Optional Enter the host name if required by your ISP 3 Optional Enter the IP addresses for the primary and secondary DNS servers if you want to use your preferred ...

Page 62: ...connection mode Table 6 3 WAN Static IP Configuration Parameters Setting Description IPAddress WAN IP address provided by your ISP Subnet Mask WAN subnet mask provided by your ISP Typically it is set as 255 255 255 0 Gateway Address Gateway IP address provided by your ISP It must be in the same subnet as the WAN on the router Primary Secondary DNS You must at least enter the IP address of the prim...

Page 63: ...s information should be provided by your ISP 3 Enter the Subnet Mask for the WAN This information should be provided by your ISP Typically it is 255 255 255 0 4 Enter the gateway address provided by your ISP in the space provided 5 Enter the IP address of the primary DNS server This information should be provided by your ISP Secondary DNS server is optional 6 Click Apply to save the static IP sett...

Page 64: ...ply click Refresh 6 5 Viewing WAN Statistics You can view statistics of your WAN traffic You will not need to view this data but you may find it helpful when working with your ISP to diagnose network and Internet data transmission problems To view WAN IP statistics click Statistics on the WAN submenu Figure 6 4 shows the WAN Statistics page ...

Page 65: ...e the most appropriate path for all your Internet traffic On your LAN computers a default gateway directs all Internet traffic to the LAN port on the router Your LAN computers know their default gateway either because you assigned it to them when you modified their TCP IP properties or because you configured them to receive the information dynamically from a server whenever they access the Interne...

Page 66: ...is mode if you want this interface to send and receive routing information to from other routers The default setting is Enable RIP Version Send Select the RIP version for sending the routing information Three options are available Version 1 Version 2 and Both The default setting is Version 2 RIP Version Receive Select the RIP version for receiving the routing information Three options are availabl...

Page 67: ...xt Authentication Key Enter the authentication key for shared by all the routers exchanging routing information The default authentication key is admin 7 2 2 Configuring RIP To configure RIP 1 Click the Routing menu to open the routing configuration page 2 In the RIP Configuration page click the Enable or Disable radio button depending on whether you want to enable or disable RIP service Skip this...

Page 68: ...which parts refer to a computer on the network The default route uses a netmask of 0 0 0 0 Refer to 13 3 Subnet masks for more details on network masks Gateway IPAddress Gateway IP address 5 To enable or disable RIP passive mode click the Enable or Disable radio button 6 Select RIP version for sending and receiving routing information from the respective drop down list 7 To enable or disable authe...

Page 69: ...ines the default gateway for your LAN enter 0 0 0 0 in both the Destination IP Address and Destination Netmask fields Figure 7 2 Static Route Configuration 3 Click Add to add a new route 7 3 3 Deleting a Static Route To delete a static route from the routing table 1 In the Static Routes configuration page as shown in Figure 7 2 select the route from the service drop down list or click on the icon ...

Page 70: ...his table is known as the device s routing table To view the SL 1200 s routing table just open the Routing configuration page by clicking on the Routing menu The Routing Table displays at the bottom half of the Routing configuration page as shown in Figure 7 3 Figure 7 3 Routing Table The routing table displays a row for each existing route containing the IP address and the subnet mask of the dest...

Page 71: ... and FTP server using a domain name instead of the IP address Dynamic DNS supports the DDNS clients with the following features Update DNS records addition when an external interface comes up Force DNS update HTTP Dynamic DNS Client HTTP DDNS client uses the mechanism provided by the popular DDNS service providers for updating the DNS records dynamically In this case the service provider updates D...

Page 72: ...work Diagram for HTTP DDNS Whenever the IP address of the configured DDNS interface changes DDNS update is sent to the specified DDNS service provider The router should be configured with the DDNS username and password obtained from the DDNS service provider ...

Page 73: ...ost1 and the DNS Zone Name is yourdomain com The fully qualified domain name FQDN is host1 yourdomain com HTTP DDNS Specific Settings DDNS Service For HTTP DDNS only dyndns Visit http www dyndns org for more details zoneedit Visit http www zoneedit com for more details dyn tokyo Visit http www dns tokyo jp for more details DDNS User name For HTTP DDNS only Enter the user name provided by your DDNS...

Page 74: ...page See section 8 2 Access DDNS Configuration Page 4 In the DDNS Configuration page select Enable for the DDNS State and HTTP DDNS for the DDNS Type The HTTP DDNS Configuration is then displayed as shown in Figure 8 2 5 Enter the domain name in the DNS Zone Name field 6 Select a DDNS service from the DDNS Service drop down list 7 Enter the username and password provided by your DDNS service provi...

Page 75: ...efine an ACL rule you instruct the Internet Security Router to examine each data packet it receives to determine whether it meets the criteria set in the rule The criteria can include the network or internet protocol it is carrying the direction in which it is traveling for example from the LAN to the Internet or vice versa the IP address of the sending computer the destination IP address and othe...

Page 76: ...packet and then either drops or forwards the packet by looking for a match in the ACL rule table based on the header information The ACL rule checking starts from the rule with the smallest rule ID until a match is found or all the ACL rules are examined If no match is found the packet is dropped Otherwise the packet is either dropped or forwarded based on the action defined in the matched ACL rul...

Page 77: ...orwarded to the external network using NAT It is not necessary to remove the default ACL rule from the ACL rule table It is better to create higher priority ACL rules to override the default rule 9 2 NAT Overview Network Address Translation NAT allows the use of a single device such as the router to act as an agent between the Internet public network and a local private network This means that a N...

Page 78: ...n the mapping Figure 9 1 illustrates the IP address mapping relationship between the four private IP addresses and the four globally valid IP addresses This mapping is static This mapping will not change over time until this mapping is manually changed by the administrator This means that a host will always use the same global valid IP address for all its outgoing traffic Figure 9 1 Static NAT Map...

Page 79: ...rnal IP address on a first come first serve basis Figure 9 2 shows that PC B C and D are mapped to a globally valid IP address respectively while PC A does not map to any globally valid IP address If PC A wants to go to the Internet PC A must wait until a global valid IP address is available For example in Figure 9 3 PC B must disconnect from the Internet first to allow PC A to access Internet Fig...

Page 80: ...ally valid Internet address and the port number is translated with an available port from the pool of network ports Figure 9 4 shows that all the hosts on the local network gain access to the Internet by mapping to only one globally valid IP address and different port numbers from a free pool of network ports Figure 9 4 NAPT Map Any Internal PCs to a Single Global IP Address Figure 9 5 Reverse Sta...

Page 81: ...r Any packet coming to the router can be relayed to the internal host based on the protocol the port number or the IP address specified in the ACL rule This is useful when multiple services are hosted on different internal machines Figure 9 6 shows that web server TCP 80 is hosted on PC A telnet server TCP 23 on PC B DNS server UDP 53 on PC C and FTP server TCP 21 on PC D This means that the inbou...

Page 82: ... Action Allow Select this button to configure the rule as an allow rule This rule when bound to the Firewall will allow matching packets to pass through Deny Select this button to configure the rule as a deny rule This rule when bound to the Firewall will not allow matching packets to pass through Move to This option allows you to set a priority for this rule The router s firewall acts on packets ...

Page 83: ...P addresses for applying this rule The following fields become available for entry when this option is selected Begin Enter the starting IP address of the range End Enter the ending IP address of the range IP Pool This option allows you to associate a pre configured IP pool with this rule The available IP pool can be selected from the IP pool drop down list Destination IP This option allows you to...

Page 84: ...e to apply to all applications with an arbitrary destination port number Single Range Select any of these and enter details as described in the Source Port section above Service This option allows you to select any of the pre configured services from the drop down list instead of the destination port The following are examples of services BATTLE NET PC ANYWHERE FINGER DIABLO II L2TP H323GK CUSEEME...

Page 85: ...ected This option is called reverse NAPT or virtual server NAT Pool Select this option to associate a pre configured NAT pool to the rule Only reverse static NAT and reverse NAPT pool can be used to associate with an inbound ACL rule Time Ranges Select a pre configured time range during which the rule is active Select Always to make the rule active at all times Log Click on the Enable or Disable r...

Page 86: ...lf of the configuration page such as those shown in Figure 9 8 Figure 9 8 Inbound ACL Configuration Example 9 3 3 Add Inbound ACL Rules To add an inbound ACL rule 1 Open the Outbound ACL Rule Configuration Page See section 9 3 2 Access Inbound ACL Rule Configuration Page 2 Select Add New from the ID drop down list 3 Set desired action Allow or Deny from the Action drop down list 4 Make changes to ...

Page 87: ...the Outbound ACL Rule Configuration Page see section 9 3 2 Access Inbound ACL Rule Configuration Page 2 Click on the icon of the rule to be modified in the inbound ACL table or select the rule number from the ID drop down list 3 Make desired changes to any or all of the following fields action source destination IP source destination port protocol port mapping time ranges application filtering log...

Page 88: ...Rule Configuration page as described in section 9 3 2 Access Inbound ACL Rule Configuration Page 9 4 Configuring Outbound ACL Rules By creating ACL rules in outbound ACL configuration page as shown in Figure 9 9 you can control allow or deny Internet or external network access for computers on your LAN Options in this configuration page allow you to Add a rule and set parameters for it Modify an e...

Page 89: ... a priority for this rule router s firewall acts on packets based on the priority of the rules Set a priority by specifying a number for its position in the list of rules 1 First This number marks the highest priority Other numbers Select other numbers to indicate the priority you wish to assign to the rule Source IP This option allows you to set the source network to which this rule should apply ...

Page 90: ... Source IP section above Source Port This option allows you to set the source port to which this rule should apply Use the drop down list to select one of the following options Any Select this option if you want this rule to apply to all applications with an arbitrary source port number Single This option allows you to apply this rule to an application with a specific source port number Port Numbe...

Page 91: ... will not be available NAT This option allows you to select the type of NAT for the outbound traffic None Select this option if you do not intend to use NAT in this outbound ACL rule IPAddress Select this option to specify the IP address that you want the outbound traffic to use This option is called NAPT or overload NAT Pool Select this option to associate a pre configured NAT pool to the rule On...

Page 92: ...or Deny from the Action drop down list 4 Make changes to any or all of the following fields source destination IP source destination port protocol NAT time ranges application filtering log and VPN Please see Table 9 2 for explanation of these fields 5 Assign a priority for this rule by selecting a number from the Move to drop down list The number indicates the priority of the rule with 1 being the...

Page 93: ...t 3 Make desired changes to any or all of the following fields action source destination IP source destination port protocol NAT time ranges application filtering log and VPN See Table 9 2 for explanation of these fields 4 Click on the Modify button to modify this ACL rule The new settings for this ACL rule will then be displayed in the outbound access control list table at the bottom half of the ...

Page 94: ... in URL s Any URL containing one or more of these keywords will be blocked This is a policy independent feature It cannot be associated to ACL rules This feature can be independently enabled disabled but works only if firewall is enabled 9 5 1 URL Filter Configuration Parameters Table 9 3 describes the configuration parameters available for an URL filter rule Table 9 3 URL Filter Configuration Par...

Page 95: ...a list of existing URL filter rules is also displayed at the bottom half of the configuration page such as those shown in Figure 9 11 Figure 9 11 URL Filter Configuration Page 9 5 3 Add URL Filter Rules To add an URL Filter 1 Open the URL Configuration page See section 9 5 2 Access URL Filter Configuration Page 2 Select Add New from the ID drop down list 3 Enter a keyword to the Keyword field 4 Cl...

Page 96: ...ed URL Filter Rules To see existing URL filter rules just open the URL Filter Configuration page as described in section 9 5 2 Access URL Filter Configuration Page 9 5 7 URL Filter Rule Example Figure 9 12 shows an URL filter rule example It demonstrates How to add the keyword abcnews Any URL containing this keyword will be blocked Set the proxy web server port number to 80 you may use a different...

Page 97: ... configure rules for controlling packets targeting the Internet Security Router itself Services Use this option to configure services applications using specified port numbers Each service record contains the name of service record the IP protocol value and its corresponding port number Denial of Service DoS Use this option to configure DoS parameters This option lists the default set of DoS attac...

Page 98: ...f Access rule View existing Self Access rules Figure 9 13 Self Access Rule Configuration Page Table 9 4 Self Access Configuration Parameters Field Description Protocol Select protocol from drop down list TCP UDP ICMP Port Enter the Port Number Direction Select the direction from which the traffic will be allowed From LAN Select Enable or Disable to allow or deny traffic from the LAN internal netwo...

Page 99: ...lf Access Rule Configuration Page 2 Select Add New from the Self Access rule drop down list 3 Select a protocol from the Protocol drop down list If you select TCP or UDP protocol you will need to enter port number as well 4 Click on Add to create the new Self Access rule The new rule will then be displayed in the Self Access Rule list table at the bottom half of the Self Access Rule Configuration ...

Page 100: ...lete a Self Access rule 1 Open the Self Access Rule Configuration page See section 9 6 1 2 Access Self Access Rule Configuration Page 2 Click on the icon of the Self Access rule to be deleted in the Self Access rule table or select the Self Access rule from the Self Access rule drop down list 3 Click on Delete to delete the rule The rule deleted will be removed from the Self Access rule table loca...

Page 101: ...on Parameters Field Description Service Name Enter the name of the Service to be added Only alphanumeric characters are allowed in a name Protocol Enter the type of protocol the service uses Port Enter the port number that is set for this service 9 6 2 2 Access Service List Configuration Page Firewall Advanced Service Log into Configuration Manager as administrator Click Firewall Advanced Service ...

Page 102: ...lick on Add to create the new service The new service will then be displayed in the service list table at the bottom half of the Service Configuration page 9 6 2 4 Modify a Service To modify a service 1 Open the Service List Configuration Page See section 9 6 2 2 Access Service List Configuration Page 2 Select the service from the service drop down list or click on the icon of the service to be mo...

Page 103: ...f the Service Configuration page shows all the configured services 9 6 3 Configuring DoS Settings The router has a proprietary Attack Defense Engine that protects internal networks from Denial of Service DoS attacks such as SYN flooding IP smurfing LAND Ping of Death and all re assembly attacks It can drop ICMP redirects and IP loose strict source routing packets For example a security device with...

Page 104: ...select this box to protect the mail server in your network against MIME flooding FTP Bounce Check or un check this option to enable or disable protection against FTP bounce attack In its simplest terms the attack is based on the misuse of the PORT command in the FTP protocol An attacker can establish a connection between the FTP server machine and an arbitrary port on another system This connectio...

Page 105: ... for every IP packet This option is required if your connection to the ISP is through PPPoE This data is used during transmission or reception of IP fragments When large sized packets are sent via the router the packets are chopped into fragments as large as MTU Maximum Trans mission Unit By default this number is set to 45 If MTU of the interface is 1500 default for Ethernet then there can be a m...

Page 106: ... DoS protection is also displayed at the bottom half of the configuration page such as those shown in Figure 9 15 These protections are enabled by default when firewall is enabled 9 6 3 3 Configuring DoS Settings By default most DoS protection against all supported attack types are enabled Figure 9 15 shows the default configuration for DoS settings You may check or un check individual type of att...

Page 107: ...olicies Time Ranges This option allows you to configure time windows for user access to the networks across the rRouter 9 7 1 Configuring IP Pool 9 7 1 1 IP Pool Configuration Parameters Table 9 7 describes the configuration parameters available for an IP pool Table 9 7 IP Pool Configuration Parameters Field Description IP Pool Name Enter the name of the local IP IP Pool Type Select the type of IP...

Page 108: ...ch as those shown in Figure 9 16 Figure 9 16 IP Pool Configuration Page 9 7 1 3 Add an IP Pool To add an IP Pool 1 Open the IP Pool Configuration page See section 9 7 1 2 Access IP Pool Configuration Page 2 Select Add New Pool from the IP Pool drop down list 3 Enter a pool name into the Name field 4 Select a pool type from the IP Pool Type drop down list 5 If IP Range pool type is selected enter s...

Page 109: ...ype and IP address 4 Click on Modify to save the new settings The new settings for this pool will then be displayed in the IP Pool list table 9 7 1 5 Delete an IP Pool To delete an IP Pool click on the icon of the IP pool to be deleted or follow the instruction below 1 Open the IP Pool Configuration page See section 9 7 1 2 Access IP Pool Configuration Page 2 Click on the icon of the IP pool to be...

Page 110: ...l ACL rules inbound outbound or group ACL by selecting IP Pool from the Source IP Type drop down list and then choose an IP pool from the IP pool dropdown list In this example IP pool is used to associate to source IP However it can be used to associate to destination IP as well As shown in Figure 9 19 MISgroup1 is not allow to play the network game Quake II at all times Figure 9 19 IP Pool Exampl...

Page 111: ...e Internal Address Start IP Enter the starting IP address End IP Enter the ending IP address Internet IP Range For the External Address Start IP Enter the starting IP address End IP Enter the ending IP address Dynamic Select this type of NAT to map a set of internal corporate machines to a set of public IP addresses Make entries for the LAN IP Range and the Internet IP Range as described above Ove...

Page 112: ...To add a NAT Pool 1 Open the NAT Pool Configuration page See section 9 7 2 2 Access NAT Pool Configuration Page 2 Select Add New Pool from the NAT Pool drop down list 3 Enter a pool name into the Name field 4 Select a pool type from the Type drop down list 5 If Static or Dynamic pool type is selected enter the original IP addresses start IP Address and end IP Address and mapped IP addresses start ...

Page 113: ...dify to save the new settings The new settings for this pool will then be displayed in the NAT Pool List table 9 7 2 5 Delete a NAT Pool To delete a NAT Pool click on the icon of the NAT pool to be deleted or follow the instruction below 1 Open the NAT Pool Configuration page See section 9 7 2 2 Access NAT Pool Configuration Page 2 Click on the icon of the NAT pool to be deleted in the NAT Pool Li...

Page 114: ...gure 9 22 Figure 9 22 NAT Pool Example Create a Static NAT Pool 2 Associate the NAT pool to an outbound ACL rule by selecting NAT Pool from the NAT type drop down list and then choose an existing NAT pool from the NAT pool drop down list Figure 9 23 NAT Pool Example Associate a NAT Pool to an ACL Rule ...

Page 115: ...n 14 00 and 18 30 Hrs Office hours on weekends Saturday Sunday can have the following periods 9 00 to 12 00 Hrs Such varying time periods can be configured into a single time range record Access rules can be activated based on these time periods 9 7 3 1 Time Range Configuration Parameters Table 9 9 describes the configuration parameters available for a time range Table 9 9 Time Range Configuration...

Page 116: ...ed at the bottom half of the configuration page such as those shown in Figure 9 24 Figure 9 24 Time Range Configuration Page 9 7 3 3 Add a Time Range To add a Time Range 1 Open the Time Range Configuration page See section 9 7 3 2 Access Time Range Configuration Page 2 Select Add New Time Range from the Time Range drop down list 3 Enter a name into the Time Range Name field 4 Select Add New Schedu...

Page 117: ...ollowing fields Days of week and hours 5 Click on Modify to save the new settings 9 7 3 5 Delete a Time Range To delete a Time Range click on the icon of the Time Range to be deleted 9 7 3 6 Delete a Schedule in a Time Range To delete a schedule in a Time Range 1 Open the Time Range Configuration page See section 9 7 3 2 Access Time Range Configuration Page 2 Click on the icon of the Time Range to...

Page 118: ...eate a Time Range 2 Associate the time range to an outbound ACL rule by selecting an existing time range from the Time Range drop down list Figure 9 26 shows that MISgroup1 is denied FTP access during office hours Figure 9 26 Time Range Example Deny FTP Access for MISgroup1 During Office Hours ...

Page 119: ...tatistics Firewall Statistics The Firewall Statistics page displays details regarding the active connections Figure 9 27 shows a sample firewall statistics for active connections To see an updated statistics click on Refresh Figure 9 27 Firewall Active Connections Statistics ...

Page 120: ...e security gateway It contains the parameters local remote IP Addresses and ports Table 10 1 lists the default connections that are provisioned on the gateway Table 10 1 Default connections in the router Name Type Port Protocol State Purpose allow ike io passby 500 UDP Enabled To allow the IKE traffic to the Internet Security Router allow all passby Enabled To allow the plain traffic Do not delete...

Page 121: ...m D i f f i e H e l l m a n Group Key Manage ment Lifetime secs ike preshared 3des sha1 dh2 3DES SHA 1 2 Pre shared Keys 3600 ike preshared 3des md5 dh2 3DES MD5 2 Pre shared Keys 3600 ike pre shareddes sha1 dh2 DES SHA 1 2 Pre shared Keys 3600 ike pre shareddes md5 dh2 DES MD5 2 Pre shared Keys 3600 ike preshared 3des sha1 dh1 3DES SHA 1 1 Pre shared Keys 3600 ike preshared 3des md5 dh1 3DES MD5 ...

Page 122: ...the traffic that flows between the endpoints of the tunnel Table 10 3 lists the default IPSec proposals available on the router Name Encryption Algorithm Authentication Algorithm Encapsulation Lifetime Mbytes sec ipsec esp 3des sha1 3DES SHA 1 ESP 75 3600 ipsec esp 3des md5 3DES MD5 ESP 75 3600 ipsec esp des sha1 DES SHA 1 ESP 75 3600 ipsec esp des md5 DES MD5 ESP 75 3600 ipsec ah sha1 SHA 1 AH 75...

Page 123: ... all default rule has the lowest priority At any point of time it is recommended to maintain this priority If you add connections below the allow all rule lower priority it will not have any effect as the corresponding packets will match the allow all rule and go without encryption These pre configured Proposals Connections are read only and cannot be modified If you have to specify a proposal oth...

Page 124: ...ws you to set a priority for this rule The router s firewall acts on packets based on the priority of the rules Set a priority by specifying a number for its position in the list of rules 1 First This number marks the highest priority Other numbers Select other numbers to indicate the priority you wish to assign to the rule Local Secure Group This option allows you to set the local secure network ...

Page 125: ...Address Subnet IP Range Select any of these and enter details as described in the Local Secure Group above Remote Gateway You have a choice of entering either the IP address or the FQDN fully qualified domain name for the remote secure gateway Any Select this option to accept connection request from any computer IPAddress Select this option to specify an IP address for the remote secure gateway FQ...

Page 126: ... DES SHA1 DH1 DES MD5 DH1 3DES SHA1 DH5 DES SHA1 DH5 DES MD5 DH5 Note It is recommended that you choose All to have all the IKE proposals associated with the current tunnel and allow IKE to automatically select one among the set of IKE pro posals to communicate with its peer However if a specific proposal is required then it can be chosen from the list Life Time Enter the IKE security association ...

Page 127: ...SP SHA1 Authentication ESP MD5 PFS Group PFS stands for perfect forward secrecy You may choose to use the same keys generated when the IKE tunnel is created for all re negotiations or you can choose to generate new keys for every re negotiation Select None to use the same keys for all the re negotiations Select a specific DH Diffie Hellman group to generate new keys for every re negotiation The su...

Page 128: ...lds and buttons represent the basic VPN parameters Use them to configure basic Access Rule that will be used to establish a tunnel from local secure group to remote secure group with basic parameters Options in this screen allow you to Add an Access List and set basic parameters for it Modify an Access List Delete an existing Access List 10 3 1 Add a Rule for VPN Connection Using Pre shared Key VP...

Page 129: ... gateway key management type select Preshared Key pre shared key for IKE encryption authentication algorithm for IKE lifetime for IKE encryption authentication algorithm for IPSec operation mode for IPSec PFS group for IPSec and lifetime for IPSec Please see Table 10 4 for explanation of these fields 7 Assign a priority for this rule by selecting a number from the Move to drop down list Note that ...

Page 130: ... encryption authentication algorithm for IPSec operation mode for IPSec PFS group for IPSec and lifetime for IPSec Please see Table 10 4 for explanation of these fields 6 Click on Modify to modify this VPN rule The new settings for this VPN rule will then be displayed in the VPN Connection Status table at the bottom half of the VPN Configuration page 10 3 3 Delete VPN Rules To delete an outbound A...

Page 131: ...c SAs Table 10 5 gives description for the VPN statistics parameters Entry Descriptions VPN Statistics Global IPSEC SA Statistics Overall packet statistics AH Packets Number of AH packets ESP Packets Number of ESP packets Triggers Number of triggers Packets Dropped Number of packets dropped Packets Passed Total number of packets passed by VPN Partial Packets Total count of partial packets Packets ...

Page 132: ...SA s Active Outbound ESP SAs Number of active outbound ESP SA s Total Inbound ESP SAs Number of inbound ESP SA s since the system has started Total Outbound ESP SAs Number of active outbound ESP SA s since the system has started AH Statistics SA statistics for all AH SAs Active Inbound AH SAs Number of active inbound AH SA s Active Outbound AH SAs Number of active outbound AH SA s Total Inbound AH...

Page 133: ...his section describes these scenarios and presents step by step instructions for configuring these scenarios 10 5 1 Intranet Scenario firewall VPN and no NAT for VPN traffic This is a common scenario where traffic to the public Internet goes through the Firewall NAT only and traffic between private networks is allowed without NAT before IPSec processing The same authority administers the networks ...

Page 134: ...r the Internet scenario Figure 10 3 shows the typical Intranet connections The ADSL or cable modem is not required if the two networks are connected via Ethernet connections The setting of each configuration step is illustrated in a figure For instructions on configuration of each step refer to the next section for details Figure 10 3 Typical Intranet Network Diagram ...

Page 135: ...wall rules 1 Configure outbound Firewall rule to allow packets from 192 168 1 0 255 255 255 0 to 192 168 2 0 255 255 255 0 without any NAT 2 Configure inbound Firewall rule to allow packets from 192 168 2 0 255 2 55 255 0 to 192 168 1 0 255 255 255 0 without any NAT Table 10 6 and Table 10 7 provide the parameters to be configured for the outbound and inbound Firewall rule fields For a general des...

Page 136: ...PN Enable Table 10 6 Outbound Un translated Firewall Rule for VPN Packets on ISR1 The outbound Un translated Firewall rule has to be added the existing rule ID 1001 Field Value Source IP Type Subnet Address 192 168 2 0 Mask 255 255 255 0 Destination IP Type Subnet Address 192 168 1 0 Mask 255 255 255 0 NAT None Action Allow VPN Enable Table 10 7 Inbound Un translated Firewall Rule for VPN Packets ...

Page 137: ...n on ISR2 Step 2 Configure Firewall rules 1 Configure outbound Firewall rule to allow packets from 192 168 2 0 255 255 255 0 to 192 168 1 0 255 255 255 0 without any NAT 2 Configure inbound Firewall rule to allow packets from 192 168 1 0 255 255 255 0 to 192 168 2 0 255 255 255 0 without any NAT Table 10 8 and Table 10 9 provide the parameters to be configured for the outbound and inbound Firewall...

Page 138: ...PN Enable Table 10 8 Outbound Un translated Firewall Rule for VPN Packets on ISR1 The outbound Un translated Firewall rule has to be added the existing rule ID 1001 Field Value Source IP Type Subnet Address 192 168 1 0 Mask 255 255 255 0 Destination IP Type Subnet Address 192 168 2 0 Mask 255 255 255 0 NAT None Action Allow VPN Enable Table 10 9 Inbound Un translated Firewall Rule for VPN Packets ...

Page 139: ...d be under different administrative authorities Hence there is a possibility that the IP addresses of both networks are in the same subnet The typical extranet set up is shown in Figure 10 6 Figure 10 6 Typical Extranet Network Diagram Both networks behind the ISR1 and ISR2 are 192 168 1 0 2 55 255 255 0 To avoid routing problems in such scenario network IP addresses must be mapped to different on...

Page 140: ...ule to allow IKE packets into the Internet Security Router 10 5 2 1 Setup the Routers On ISR1 1 Configure LAN interface of ISR1 with IP address 192 168 1 1 2 Configure DHCP pool with IP addresses from 192 168 1 10 to 192 168 1 110 on ISR1 3 Configure WAN interface of ISR1 with IP address 212 1 1 212 4 Add a route on ISR1 with gateway as 123 1 1 123 5 Save the configuration On ISR2 1 Configure LAN ...

Page 141: ... following addresses 1 Use 192 168 11 0 255 255 255 0 for the Local Secure Group 2 Use 192 168 12 0 255 255 255 0 for the Remote Secure Group Figure 10 7 Extranet Example VPN Policy Configuration on ISR1 Step 2 Configure Static NAT Pools 1 Configure outgoing static NAT pool static NAT for translating addresses in range 192 168 1 1 192 168 1 254 to 192 168 11 1 192 16 8 11 254 Figure 10 8 Extranet ...

Page 142: ... Extranet Example Outbound ACL Rule on ISR1 Step 3 Configure Extranet access rules 1 Configure outbound Firewall rules to map the source IP address of outbound packets from 192 168 1 x range to 192 168 11 x defined by Outgoing_NAT pool range before sending the packet to VPN 2 Configure inbound Firewall rules to map the destination IP address of inbound packets from 192 168 11 x range to 192 168 1 ...

Page 143: ...gure VPN rules Refer to the section 10 3 Establish VPN Connection Using Automatic Keying to configure VPN policies on ISR2 using automatic keying with the following addresses 1 Use 192 168 12 0 255 255 255 0 as Local Secure Group 2 Use 192 168 11 0 255 255 255 0 as Remote Secure Group Figure 10 12 Extranet Example VPN Policy Configuration on ISR2 ...

Page 144: ...l Configuration on ISR2 2 Configure incoming static NAT pool reverse static NAT for translating addresses in range 192 168 12 1 192 168 12 254 to 192 168 1 1 192 1 68 1 254 Figure 10 14 Extranet Example Incoming NAT Pool Configuration on ISR2 Step 3 Configure Extranet rules 1 Configure outbound Firewall rules to map the source IP address of outbound packets from 192 168 1 x range to 192 168 12 x d...

Page 145: ...net Example Outbound ACL Rule on ISR2 2 Configure inbound Firewall rules to map the destination IP address of inbound packets from 192 168 12 x range to 192 168 1 x range after the packet is processed by VPN Figure 10 16 Extranet Example Inbound ACL Rule on ISR2 ...

Page 146: ...o any of the following The IP address of the host on the LAN behind ISR2 used in the ping command may not be correct Check and give the correct IP address Default route is not configured for ISR1 or ISR2 Configure the default routes as necessary Firewall rules corresponding to VPN connection may not be configured properly If any of the network addresses is not correctly configured correct the para...

Page 147: ...menu 11 1 Configure System Services As shown in Figure 11 1 you can use the System Services Configuration page to enable or disable services supported by the Internet Security Router All services firewall VPN DNS DHCP and RIP are all enabled atthe factory To disable or enable individual service follow the steps below 1 Log into Configuration Manager as administrator Click System Management System ...

Page 148: ...types of users administrator username admin and guest username guest Administrator has the privilege to modify the system settings while guest can only view the system settings Passwords of both the admin and guest accounts can be changed by the administrator This username and password is only used for logging into the Configuration Manager it is not the same as the login password you may use to c...

Page 149: ...rm New Password text field The password can be up to 16 characters long When logging in you must type the new password in the same upper and lower case characters that you use here 4 Click on button to save the new password 11 3 Modify System Information As illustrated in Figure 11 3 you can use System Information Setup page to enter system specific information such as system name unique name for ...

Page 150: ...only fields configurable in this configuration page are the Time Zone IP address of time servers and the desired update interval Select your time zone from the Time Zone dropdown list change the IP address of the time servers and the update interval if desired and then click on button to save the changes 11 4 1 View the System Date and Time To view the updated system date and time 1 Log into Confi...

Page 151: ...SL1200 Trap Address Trap message is sent by the ASUS SL1200 to tell the SNMP management station that something has happened on the router This field is used to enter the IP address of the SNMP management station that is supposed to receive trap messages from the ASUS SL1200 11 5 SNMP Setup Simple Network Management Protocol SNMP is used for network management You may use the SNMP configuration pag...

Page 152: ...eset System Configuration At times you may want to revert to factory default settings to eliminate problems resulted from incorrect system configuration To reset system configuration 1 Log into Configuration Manager as administrator Click System Management Configuration Default Settings The Default Settings Configuration page displays as shown in Figure 11 7 2 Click Apply to set the system configu...

Page 153: ...e reset switch the first time You will see the Alarm LED flash once in about 5 seconds 3 When you see the Alarm LED flash once press the reset switch again You will then see the Alarm LED flash twice in about five seconds This indicates that the Internet Security Router is about to revert to the factory default settings If you change your mind you may press the reset switch again or turn the power...

Page 154: ...Restore The Restore Configuration page displays as shown in Figure 11 9 Figure 11 9 Restore System Configuration Page 2 Enter the path and name of the system configuration file that you want to restore in the Configuration File text box Alternatively you may click on Browse to search for the system configuration file on your hard drive A window similar to the one shown in Figure 11 10 will pop up ...

Page 155: ...rom time to time provide you with an update to the firmware running on the Internet Security Router All system software is contained in a single file called an image Configuration Manager provides an easy way to upload the new firmware image To upgrade the image follow this procedure Figure 11 11 Firmware Upgrade Page 1 Log into Configuration Manager Click System Management Firmware Upgrade The Fi...

Page 156: ... drive 3 Click Apply to update the firmware It may take up to 5 minutes for the firmware upgrade After the transfer of firmware is completed the Internet Security Router will reboot to make the new firmware in effect 11 8 Reset the Internet Security Router To reset the Internet Security Router click Apply in the Configuration Manager Reset page Figure 11 12 Configuration Manager Reset Page ...

Page 157: ...ion Manager click Apply in the Configuration Manager Logout page If you are using IE as your browser a window similar to the one shown in Figure 11 14 will prompt for confirmation before closing your browser Figure 11 13 Configuration Manager Logout Page Figure 11 14 Confirmation for Closing Browser IE ...

Page 158: ...0 RTSP 554 TCP 554 RTSP554 RealPlayer 8 Plus QuickTime Version 6 UDP 53 DNS TCP 80 HTTP RTSP 7070 TCP 7070 RTSP7070 RealPlayer 8 Plus UDP 53 DNS QuickTime Version 6 TCP 80 HTTP Net2Phone UDP 6801 N2P Net2Phone CommCenter Release 1 5 0 TCP 80 HTTP TCP 443 HTTPS UDP 53 DNS CUSeeMe TCP 7648 CUSEEME CUSeeMe Version 5 0 0 043 TCP 80 HTTP UDP 53 DNS Netmeeting TCP 1720 H323 UDP 53 DNS Netmeeting with IL...

Page 159: ... DNS FTP TCP 21 FTP WFTPD version 2 03 Redhat Linux 7 3 UDP 53 DNS Security ALGs L2TP UDP 1701 L2TP W i n d o w s 2 0 0 0 Server built in UDP 53 DNS PPTP TCP 1723 PPTP W i n d o w s 2 0 0 0 Server built in UDP 53 DNS IPSec Only Tunnel Mode with ESP UDP 500 IKE W i n d o w s 2 0 0 0 Server built in ESP UDP 53 DNS Chats AOL Chat TCP 5190 AOL AOL Instant Messenger Version 5 0 2938 TCP 80 HTTP UDP 53 ...

Page 160: ...47624 MSG1 Flight Simulator 2002 Profes sional Edition TCP 28801 MSN ZONE TCP 443 HTTPS TCP 80 HTTP UDP 53 DNS Quake II Gaming Zone UDP 27910 QUAKE Quake II TCP 28801 MSN ZONE TCP 443 HTTPS TCP 80 HTTP UDP 53 DNS Age Of Empires Gaming Zone TCP 47624 MSG1 Age of Empires Gold Edition TCP 28801 MSN ZONE TCP 443 HTTPS TCP 80 HTTP UDP 53 DNS Diablo II BATTLENET TCP BATTLENET UDP TCP 4000 DIABLO II DIAB...

Page 161: ...Software Version Chats POP3 TCP 110 POP3 Outlook Express 5 UDP 53 DNS IMAP TCP 143 IMAP4 Outlook Express 5 UDP 53 DNS SMTP TCP 25 SMTP Outlook Express 5 UDP 53 DNS HTTPS TLS SSL TCP 443 HTTPS Internet Explorer 5 TCP 80 HTTP UDP 53 DNS LDAP TCP 389 ILS Openldap 2 0 25 UDP 53 DNS NNTP TCP 119 NNTP Outlook Express 5 UDP 53 DNS ...

Page 162: ...ers separated by dots is called dotted decimal notation The IP address 20 56 0 211 is read twenty dot fifty six dot zero dot two eleven 13 1 1 Structure of an IP address IP addresses have a hierarchical design similar to that of telephone numbers For example a 7 digit telephone number starts with a 3 digit prefix that identifies a group of thousands of telephone lines and ends with four digits tha...

Page 163: ...ver 2 billion hosts Because of their huge size these networks are used for WANs and by organizations at the infrastructure level of the Internet such as your ISP Class B networks are smaller but still quite large each able to hold over 65 000 hosts There can be up to 16 384 class B networks in existence A class B network might be appropriate for a large organization such as a business or governmen...

Page 164: ...s with any class C address all of the bits in field1 through field 3 are part of the network ID but note how the mask specifies that the first bit in field 4 is also included Since this extra bit has only two values 0 and 1 this means there are two subnets Each subnet uses the remaining 7 bits in field4 for its host IDs which range from 0 to 127 instead of the usual 0 to 255 for a class C address ...

Page 165: ... illuminate after Ethernet cable is attached Verify that an Ethernet cable like theone provided is securely connected to the Ethernet port of your ADSL or cable modem and the WAN port of the Internet Security Router Make sure that your ADSL or cable modem is powered on Wait 30 seconds to allow the Internet Security Router to negotiate a connection with your broadband modem LINK LAN LED does not il...

Page 166: ...ion automatically Verify with your ISP that the DNS server specified for the PC is valid Correct the address or configure the PC to receive this information automatically Verify that a Network Address Translation rule has been defined on the Internet Security Router to translate the private address to your public IP address The assigned IP address must be within the range specified in the NAT rule...

Page 167: ...default values Cannot access the Con figuration Manager pro gram from your browser Use the ping utility discussed in the following section to check whether your PC can communicate with the Internet Security Router s LAN IP address by default 192 168 1 1 If it cannot check the Ethernet cabling Verify that you are using Internet Explorer v5 5 Netscape 7 0 2 or later Support for Javascript must be en...

Page 168: ...ite If the target computer receives the message a Command Prompt window appears as shown in Figure 14 1 Figure 14 1 Using the ping utility C ping 192 168 1 1 Pinging 192 168 1 1 with 32 bytes of data Reply from 192 168 1 1 bytes 32 time 10ms TTL 225 Reply from 192 168 1 1 bytes 32 time 10ms TTL 225 Reply from 192 168 1 1 bytes 32 time 10ms TTL 225 Reply from 192 168 1 1 bytes 32 time 10ms TTL 225 ...

Page 169: ...ooks up the name on your DNS server usually lo cated with your ISP If that name is not an entry in your ISP s DNS table the request is then referred to another higher level server and so on until the entry is found The server then returns the associated IP address On Windows based computers you can execute the nslookup command from the Start menu Click the Start button then click Run In the Open t...

Page 170: ...orks with a data rate of 1000 Mbps binary The base two system of numbers which uses only two digits 0 and 1 to represent all numbers In binary the number 1 is written as 1 2 as 10 3 as 11 4 as 100 etc Although expressed as decimal numbers for convenience IP addresses in actual use are binary numbers e g the IP address 209 191 4 240 is 11010001 10111111 00000100 11 110000 in binary See also bit IP ...

Page 171: ...ion The ping command makes use of ICMP IGMP Internet Group Management Protocol An Internet protocol that enables a computer to share information about its membership in multicast groups with adjacent routers A multicast group of computers is one whose members have designated as interested in receiv ing specific content from the others Multicasting to an IGMP group can be used to simultaneously upd...

Page 172: ...ur computer and pro vides the physical interface to your network cabling which for Ethernet NICs is typically an RJ 45 connector See Ethernet RJ 45 packet Data transmitted on a network consists of units called packets Each packet contains a payload the data plus overhead information such as where it came from source address and where it should go destination address ping Packet Internet or Inter N...

Page 173: ... destination IP address and current network conditions A device that performs routing is called a router SNMP Simple Network Management Protocol The TCP IP protocol used for network management STP Spanning Tree Protocol The bridge protocol to avoid packet looping in a complicate network subnet A subnet is a portion of a network The subnet is distin guished from the larger network by a subnet mask ...

Page 174: ...tocol for file transfers TFTP is easier to use than File Transfer Protocol FTP but not as capable or secure Trunk Two or more ports are combined as one virtual port also called as Link Aggregation TTL Time To Live A field in an IP packet that limits the life span of that pack et Originally meant as a time duration the TTL is usually represented instead as a maximum hop count each router that recei...

Page 175: ... or video to the user Web browsers use Hyper Text Transfer Protocol HTTP Popu lar web browsers include Netscape Navigator and Micro soft Internet Explorer See also HTTP web site WWW Web page A web site file typically containing text graphics and hyperlinks cross references to the other pages on that web site as well as to pages on other web sites When a user accesses a web site the first page that...

Search results

Summary of Contents for SL1200

Reviews:

Related manuals for SL1200

Brands by name

Popular brands

Asus SL1200, User Manual

Search results

Summary of Contents for SL1200

Reviews:

Related manuals for SL1200

Brands by name

Popular brands