ASUS VPN ADSL Router

Table of Contents

5. System Information (p. 35)

6. Configuring LAN Settings (p. 36)

6.1 LAN IP Address (p. 36)

6.1.1 LAN IP Configuration Parameters (p. 36)

6.1.2 Configuring the LAN IP Address (p. 36)

6.2 DHCP (Dynamic Host Configuration Protocol) (p. 38)

6.2.1 What is DHCP? (p. 38)

6.2.2 Why use DHCP? (p. 39)

6.2.3 Configuring DHCP Server (p. 39)

6.2.4 Viewing Current DHCP Address Assignments (p. 40)

6.3 DNS (p. 40)

6.3.1 About DNS (p. 40)

6.3.2 Assigning DNS Addresses (p. 42)

6.3.3 Configuring DNS Relay (p. 42)

6.4 Viewing LAN Statistics (p. 43)

7. Configuring WAN/ADSL Settings (p. 44)

7.1 ADSL Connection (p. 44)

7.2 WAN Configuration (p. 45)

7.2.1 MPoA Bridged and PPPoE Relay: (p. 45)

7.2.2 MPoA Routed: (p. 45)

7.2.3 IPoA Routed: (p. 45)

7.2.4 PPPoA Routed and PPPoE Routed: (p. 46)

7.3 Viewing WAN/ADSL Statistics (p. 47)

8. Configuring Routes (p. 48)

8.1 Overview of IP Routes (p. 48)

8.1.1 Do I need to define IP routes? (p. 48)

8.2 DNS Relay Configuration (p. 49)

8.3 Static Routing (p. 49)

8.3.1 Static Route Configuration Parameters (p. 49)

8.3.2 Adding Static Routes (p. 50)

8.3.3 Modifying Static Routes (p. 50)

8.3.4 Deleting Static Routes (p. 51)

8.3.5 Viewing the Static Routing Table (p. 51)

Summary of Contents for SL6000

Page 2: ...VPN ADSL Router SL6000 SL6300 User s Manual ...

Page 3: ... FROM ANY DEFECT OR ERROR IN THIS MANUAL OR PRODUCT Product warranty or service will not be extended if 1 the product is repaired modified or altered unless such repair modification of alteration is authorized in writing by ASUS or 2 the serial number of the product is defaced or missing Products and corporate names appearing in this manual may or may not be registered trademarks or copyrights of ...

Page 4: ...933 8713 General Email tmd1 asus com Web Site usa asus com Technical Support Support Fax 1 502 933 8713 General Support 1 502 995 0883 Notebook Support 1 510 739 3777 x5110 Support Email tsd asus com ASUS COMPUTER GmbH Germany and Austria Address Harkortstr 25 40880 Ratingen BRD Germany General Email sales asuscom de for marketing requests only General Fax 49 2102 9599 31 Web Site www asuscom de T...

Page 5: ...onfiguring Your Computers 15 3 2 1 Before you begin 15 3 2 2 Windows XP PCs 15 3 2 3 Windows 2000 PCs 16 3 2 4 Windows Me PCs 17 3 2 5 Windows 95 98 PCs 18 3 2 6 Windows NT 4 0 workstations 19 3 2 7 Assigning static Internet information to your PCs 20 3 3 Quick Configuration of SL6000 SL6300 20 3 3 1 Buttons Used in Setup Wizard 21 3 3 2 Setting Up the SL6000 SL6300 21 3 3 3 Testing Your Setup 31 ...

Page 6: ...es 42 6 3 3 Configuring DNS Relay 42 6 4 Viewing LAN Statistics 43 7 Configuring WAN ADSL Settings 44 7 1 ADSL Connection 44 7 2 WAN Configuration 45 7 2 1 MPoA Bridged and PPPoE Relay 45 7 2 2 MPoA Routed 45 7 2 3 IPoA Routed 45 7 2 4 PPPoA Routed and PPPoE Routed 46 7 3 Viewing WAN ADSL Statistics 47 8 Configuring Routes 48 8 1 Overview of IP Routes 48 8 1 1 Do I need to define IP routes 48 8 2 ...

Page 7: ...e Outbound ACL Rules 69 9 4 5 Display Outbound ACL Rules 69 9 5 Configuring Group ACL Rules 70 9 5 1 Add Delete a User Group 70 9 6 Configuring Self Access Rules 72 9 6 1 Add a Self Access Rule 72 9 6 2 View Self Access Summary 72 9 6 3 Delete Self Access Rule 72 9 7 Configuring Service List 73 9 7 1 Options in Service Configuration Page 74 9 7 2 Add a Service 74 9 7 3 Modify a Service 74 9 7 4 De...

Page 8: ...ing Manual Keys 97 10 3 1 VPN Tunnel Configuration Parameters Manual Key 99 10 3 2 Add a Rule for VPN Connection Using Manual Key 101 10 3 3 Modify VPN Rules 102 10 3 4 Delete VPN Rules 103 10 3 5 Display VPN Rules 103 10 4 VPN Statistics 103 11 System Log 106 12 System Management 107 12 1 Global Setting Configuration 107 12 2 User Account Management 109 12 3 Modify System Information 109 12 4 Set...

Page 9: ...ks Subnets 116 A 1 IP Addresses 116 A 1 1 Structure of an IP address 116 A 1 2 Network classes 117 A 2 Subnet masks 118 B Troubleshooting 119 B 1 Recall default configuration by RESET button 122 B 2 Diagnosing Problem using IP Utilities 125 B 2 1 ping 125 B 2 2 nslookup 126 C Glossary 127 Table of Contents ...

Page 10: ...work Address Translation Firewall and IPSec VPN functions to provide secure Internet access for your LAN Automatic network address assignment through DHCP Server Services including IP route and DNS configuration RIP and IP performance monitoring Configuration program accessible via a web browser such as Microsoft Internet Explorer Note that Netscape is not supported 1 2 System Requirements In or...

Page 11: ...pendix C Boldface type text is used for items you select from menus and drop down lists and text strings you type when prompted by the program 1 3 3 Special messages This document uses the following icons to call your attention to specific instructions or explanations Notes Provides clarification or nonessential information on the current topic Definition Explains terms or acronyms that may be unf...

Page 12: ...through type Phone cable RJ 11 2 2 Front Panel The front panel contains LED indicators that show the status of the unit Figure 2 2 Front Panel LEDs Table 2 1 Front Panel Label and LEDs Label Color Function POWER green On Unit is powered on Off Unit is powered off STATUS green On ADSL link is established and active Flashing Trying to create an ADSL connection Off No ADSL link TRAFFIC green Flashing...

Page 13: ...ndard RJ 11 telephone jack on your wall but routed through an ADSL system by your phone company and may have an optional splitter to allow telephone use on the same line 2 P1 P4 Connects to your PC s Ethernet port or to the uplink port on your LAN s hub switch using the provided RJ 45 crossover cable 3 Console RJ 45 port for advanced console management An additional RS232 to RJ45 cable is required...

Page 14: ...scribe ADSL service with your Internet service provider ISP These instructions provide a basic configuration that should be compatible with your home or small office network setup Refer to the subsequent chapters for additional configuration instructions 3 1 Connecting the Hardware In 3 1 you should connect the device to an ADSL line the power outlet and your computer or network WARNING Before you begin turn the power...

Page 15: ...make connections with either type of cables 3 1 3 Attach the power adapter Connect the AC power adapter to the POWER connector on the back of the device and plug in the adapter to a wall outlet or a power strip 3 1 4 Turn on the SL6000 SL6300 and your computers Press the Power switch on the rear panel of SL6000 SL6300 to the ON position Turn on and boot up your computer s and any LAN devices such ...

Page 16: ...m installed on your PC 3 2 2 Windows XP PCs 1 In the Windows task bar click the Start button and then click Control Panel 2 Double click the Network Connections icon 3 In the LAN or High Speed Internet window right click on icon corresponding to your network interface card NIC and select Properties Often this icon is labeled Local Area Connection The Local Area Connection dialog box displays with...

Page 17: ...d then click Add 6 Select Internet Protocol TCP IP in the Network Protocols list and then click OK You may be prompted to install files from your Windows 2000 installation CD or other media Follow the instructions to install the files 7 If prompted click OK to restart your computer with the new settings Next configure the PCs to accept IP information assigned by the SL6000 SL6300 8 In the Control...

Page 18: ...rosoft in the Manufacturers box 7 Select Internet Protocol TCP IP in the Network Protocols list and then click OK You may be prompted to install files from your Windows Me installation CD or other media Follow the instructions to install the files 8 If prompted click OK to restart your computer with the new settings Next configure the PCs to accept IP information assigned by the SL6000 SL6300 9 I...

Page 19: ...s list box 6 Click OK to return to the Network dialog box and then click OK again You may be prompted to install files from your Windows 95 98 installation CD Follow the instructions to install the files 7 Click OK to restart the PC and complete the TCP IP installation Next configure the PCs to accept IP information assigned by the SL6000 SL6300 8 Open the Control Panel window and then click the ...

Page 20: ...hen click OK You may be prompted to install files from your Windows NT installation CD or other media Follow the instructions to install the files After all files are installed a window displays to inform you that a TCP IP service called DHCP can be set up to dynamically assign IP information 6 Click Yes to continue and then click OK if prompted to restart your computer Next configure the PCs to ...

Page 21: ...hapter 6 for more information The IP address of your ISP s Domain Name System DNS server On each PC to which you want to assign static information follow the instructions on previous pages relating only to checking for and or installing the IP protocol Once it is installed continue to follow the instructions for displaying each of the Internet Protocol TCP IP properties Instead of enabling dynamic assign...

Page 22: ...this button to proceed to the next configuration page If there are no changes required in the current configuration page you can click this button to proceed to the next configuration page Back Click this button to go back to the previous configuration page 3 3 2 Setting Up the SL6000 SL6300 Follow these instructions to setup SL6000 SL6300 1 At any PC connected to one of the four LAN ports on the ...

Page 23: ...k such as 192 168 1 2 but excluding 192 168 1 1 and 192 168 1 255 2 Enter your user name and password and then click OK to enter the Configuration Manager The first time you log into this program use these defaults Default User Name admin Default Password admin Note You can change the password at any time see section 12 2 User Account Management The Setup Wizard home page displays each time you lo...

Page 24: ... configuration page by clicking on the Next button When changing passwords make sure you enter the existing login password in the Login Password field make any changes for the passwords and click the Apply button to save the changes You might get online help from the Setup Wizard by clicking the Help button and get Figure 3 5 Figure 3 4 Setup Wizard Password Configuration Page Figure 3 5 Setup Wizard...

Page 25: ...ceed to the next configuration page by clicking on the Next button Figure 3 6 Setup Wizard System Identity Configuration Page 5 Set the time zone for SL6000 SL6300 by selecting your time zone from the Time Zone drop down list shown in Figure 3 7 Time Zone Configuration Click Apply to save the settings and then click on the Next button to go to the next configuration page Figure 3 7 Time Zone Con...

Page 26: ...ed to set the date and time here You might get online help from the Setup Wizard by clicking the Help button and get Figure 3 8 Figure 3 8 Time Zone Help 6 It is recommended that you keep the default LAN IP settings at this point until after you have completed the rest of the configurations and confirm that your Internet connection is working Click on the Next button to proceed to the next configurat...

Page 27: ...p the default settings for DHCP server until after you have completed the rest of the configurations and confirm that your Internet connection is working Click on the Next button to proceed to the next configuration page Figure 3 10 Setup Wizard DHCP Server Configuration Page ...

Page 28: ...nfiguration Page Configuration Parameters 1 Channel Select the ATM Interface that is to be configured or viewed 2 VPI and VCI These settings are used to specify the Virtual Path Identifier VPI and Virtual Channel Identifier VCI that is used for connecting the Broadband Gateway to the ISP s ATM Switch using the specified ATM Interface VPI Enter the VPI of the ATM Connection to the ISP s ATM Switc...

Page 29: ...to traffic over this interface is that applied to Real Time Variable Bit Rate VBR rt traffic VBR nrt The quality of service applied to traffic over this interface is that applied to Non Real Time Variable Bit Rate VBR nrt traffic UBR The quality of service applied to traffic over this interface is that applied to Unspecified Bit Rate UBR traffic ATM Service Configuration Parameters a MPoA Bridged ...

Page 30: ...pecified if any LAN interface is in bridge mode or if any ATM interface carries bridged services MPoA Bridge PPPoE Relay the Broadband Gateway software will automatically prompt you for the bridge interface settings in this case IP Address Enter the IP address for the bridge interface Subnet Mask Address Enter the Subnet Mask for the bridge interface You are now finished customizing basic settin...

Page 31: ...hat they meet the needs of your network Follow the instructions to change them if necessary If you are unfamiliar with these settings try using the device without modification or contact your ISP for assistance Before modifying any settings review Chapter 4 for general information about accessing and using the Configuration Manager program We strongly recommend that you contact your ISP prior to chang...

Page 32: ...to Configuration Manager The Configuration Manager program is pre installed on the SL6000 SL6300 To access the program you need the following A computer connected to the LAN port of SL6000 SL6300 as described in the Quick Start Guide chapter A web browser installed on the computer The program is designed to work best with Microsoft Internet Explorer 5 5 or later versions Note that Netscape is not ...

Page 33: ...y folder icons or depending on whether the group of menus are expanded or not You can click on any of these to display a specific configuration page Figure 4 2 Typical Configuration Manager Page A separate page displays in the right hand side frame for each menu For example the configuration page displayed in Figure 4 2 is intended for DHCP configuration Setup Menu Frame Configuration Frame 2 Ente...

Page 34: ...es the function for each button or icon Table 4 1 Description of Commonly Used Buttons and Icons Apply Stores any changes you have made on the current page Add Adds a new configuration to the system e g a static route or a firewall ACL rule and etc Modify Modifies the existing configuration in the system e g a static route or a firewall ACL rule and etc Delete Deletes the selected item e g a stati...

Page 35: ...4 3 The Home Page of Configuration Manager The Setup Wizard page displays when you first access the Configuration Manager Figure 4 3 Setup Wizard Page ...

Page 36: ...stem Information This chapter describes your SL6000 SL6300 system information and configuration summary when you click the System Info in the left column You may get all information as shown in Figure 5 1 Figure 5 1 LAN IP Address Configuration Page ...

Page 37: ...residing on your LAN The LAN IP address identifies the SL6000 SL6300 as a node on your network that is its IP address must be in the same subnet as the PCs on your LAN The default LAN IP for SL6000 SL6300 is 192 168 1 1 Definition A network node can be thought of as any interface where a device connects to the network such as the SL6000 SL6300 s LAN port and the network interface cards on your PCs...

Page 38: ...the WAN port on SL6000 SL6300 to the Internet Subnet Mask The LAN subnet mask identifies which parts of the LAN IP Address refer to your network as a whole and which parts refer specifically to nodes on the network Your device is pre configured with a default subnet mask of 255 255 255 0 6 1 2 Configuring the LAN IP Address Follow these steps to change the default LAN IP address 1 Log into Configu...

Page 39: ...When you enable DHCP on a network you allow a device such as the SL6000 SL6300 to assign temporary IP addresses to your computers whenever they connect to your network The assigning device is called a DHCP server and the receiving device is a DHCP client Note If you followed the Quick Start Guide instructions you either configured each LAN PC with an IP address or you specified that it will receive IP informa...

Page 40: ...6 2 3 Configuring DHCP Server Note By default SL6000 SL6300 is configured as a DHCP server on the LAN side with a predefined IP address pool of 192 168 1 10 through 192 168 1 108 subnet mask 255 255 255 0 To change this range of addresses follow the procedures described in this section First you must configure your PCs to accept DHCP information assigned by a DHCP server 1 Log into Configuration M...

Page 41: ...t gateway is the IP address that the computers first contact to communicate with the Internet Typically it is SL6000 SL6300 s LAN port IP address DNS Server IP Address The IP address of the Domain Name System server to be used by computers that receive IP addresses from this pool The DNS server translates common Internet names that you type into your web browser into their equivalent numeric IP ad...

Page 42: ...e ID of the device that leases an IP address from the DHCP server Assigned IP Address The address that has been leased from the pool IP Address Expired on The time when the leased address is to be terminated 6 3 DNS 6 3 1 About DNS Domain Name System DNS servers map the user friendly domain names that users type into their Web browsers e g yahoo com to the equivalent numerical IP addresses that ar...

Page 43: ...t on the VPN ADSL Router e g 192 168 1 1 When you specify the LAN port IP address the device performs DNS relay as described in the following section Note If you specify the actual DNS addresses on the PCs or in the DHCP pool the DNS relay feature is not used 6 3 3 Configuring DNS Relay When you specify the device s LAN port IP address as the DNS address then SL6000 SL6300 automatically performs DNS...

Page 44: ...P pool or statically on a PC then that address will be used instead of the DNS relay address 6 4 Viewing LAN Statistics You can view statistics of your LAN traffic on SL6000 SL6300 You will not typically need to view this data but you may find it helpful when working with your ISP to diagnose network and Internet data transmission problems To view LAN IP statistics click Statistics on the LAN sub...

Page 45: ...mode for your WAN in this chapter 7 1 ADSL Connection There are several ADSL line configurations available on SL6000 and SL6300 for Annex A and Annex B respectively Figure 7 1 shows the available modes of SL6000 Multi G DMT G Lite and ANSI You may click Connect to create the ADSL connection and click Disconnect to end down your ADSL connection The ADSL line status is also shown no matter it s activating ...

Page 46: ...ss Assignment Select this option if the MPoA Routed Service interface is to have its IP address configured statically IP Address Enter the MPoA Routed service interface s IP Address Contact your ISP for details Subnet Mask Enter the MPoA Routed service interface s Subnet Mask Contact your ISP for details 7 2 3 IPoA Routed DHCP IP Address Assignment Select this option if the IPoA Routed Service interf...

Page 47: ...to be used Password The password for setting up the PPPoA PPPoE Service Contact your ISP for the specific password to be used for initial setup DoD Dial on Demand The SL6000 SL6300 attempts to connect to your ISP when an outgoing traffic is detected Inactivity Timeout The amount of time that specifies the PPP connection must elapse due to inactivity Figure 7 2 WAN Configuration Page ...

Page 48: ... to view this data but you may find it helpful when working with your ISP to diagnose network and Internet data transmission problems To view WAN ADSL statistics click Statistics on the WAN submenu Figure 7 3 shows the WAN ADSL Statistics page Figure 7 3 WAN Statistics Page To see the updated statistics since you opened the page simply click Refresh ...

Page 49: ...provide the most appropriate path for all your Internet traffic On your LAN computers a default gateway directs all Internet traffic to the LAN port on the SL6000 SL6300 Your LAN computers know their default gateway either because you assigned it to them when you modified their TCP IP properties or because you configured them to receive the information dynamically from a server whenever they acce...

Page 50: ...ss is directed to SL6000 SL6300 instead of automatically getting DNS server address from the ISP Click Apply after typing your ISP s Primary Secondary DNS server address Figure 8 1 DNS Relay Configuration Page 8 3 Static Routing 8 3 1 Static Route Configuration Parameters The following table defines the available configuration parameters for static routing configuration ...

Page 51: ... in Figure 8 2 select the route from the service drop down list or click on the icon of the route to be modified in the Static Routing Table 2 Click Modify to modify the selected route Table 8 1 Static Route Configuration Parameters Destination IP Address Specifies the IP address of the destination computer or an entire destination network It can also be specified as all zeros to indicate that th...

Page 52: ...able All IP enabled computers and routers maintain a table of IP addresses that are commonly accessed by their users For each of these destination IP addresses the table lists the IP address of the first hop the data should take This table is known as the device s routing table To view the SL6000 SL6300 s routing table click the Routing sub menu under Networking The Static Routing Table displays in...

Page 53: ...0 SL6300 to examine each data packet it receives to determine whether it meets criteria set forth in the rule The criteria can include the network or Internet protocol it is carrying the direction in which it is traveling for example from the LAN to the Internet or vice versa the IP address of the sending computer the destination IP address and other characteristics of the packet data If the pack...

Page 54: ...itself Default Inbound Access Rules No default inbound access rule is configured That is all traffic from external hosts to the internal hosts is denied Default Outbound Access Rules The default outbound access rule allows all the traffic originated from your LAN to be forwarded to the external network using NAT 9 3 Configuring Inbound ACL Rules By creating ACL rules in Inbound ACL configuration p...

Page 55: ...Figure 9 1 Inbound ACL Configuration Page ...

Page 56: ... the rule as an allow rule This rule when bound to the Firewall will allow matching packets to pass through Deny Select this button to configure the rule as a deny rule This rule when bound to the Firewall will not allow matching packets to pass through Move to This option allows you to set a priority for this rule The SL6000 SL6300 Firewall acts on packets based on the priority of the rules Set a...

Page 57: ...et When this option is selected the following fields become available for entry Subnet Address Enter the appropriate IP address in the blank field Subnet Mask Enter the corresponding subnet mask in the blank field IP Range This option allows you to include a range of IP addresses for applying this rule The following fields become available for entry when this option is selected Start IP Enter the ...

Page 58: ...n IP subnet When selected the following fields become available for entry Subnet Address Enter the appropriate IP address in the blank field Subnet Mask Enter the corresponding subnet mask in the blank field IP Range This option allows you to include a range of IP addresses for applying this rule The following fields become available for entry when this option is selected Start IP Enter the starti...

Page 59: ... allows you to apply this rule to an application with a specific source port number Port Enter the destination port number Range Select this option if you want this rule to apply to applications with this port range The following fields become available for entry when this option is selected Begin Port Enter the starting port number of the range End Port Enter the ending port number of the range S...

Page 60: ... IP address of the computer that you want the incoming traffic to be directed Time Range Only Always available for the time being Application Filters FTP Only None available for the time being HTTP Only None available for the time being RPC Only None available for the time being SMTP Only None available for the time being Log Select Enable radio button to enable logging for this ACL rule otherwise...

Page 61: ...e changes to any or all of the following fields source destination IP source destination port protocol port mapping log and VPN Please see Table 9 1 for explanation of these fields 5 Assign a priority for this rule by selecting a number from the Move to drop down list Note that the number indicates the priority of the rule with 1 being the highest Higher priority rules will be examined prior to th...

Page 62: ...rol list table at the lower half of the Inbound ACL Configuration page 9 3 4 Delete Inbound ACL Rules To delete an inbound ACL rule follow the instructions below 1 Log into Configuration Manager as admin click the Firewall menu and then click Inbound ACL submenu 2 Select the rule number from the ID drop down list or click on the icon of the rule to be modified in the inbound ACL table 3 Click on t...

Page 63: ...ion page as shown in Figure 9 3 you can control allow or deny Internet or external network access for computers on your LAN Options in this configuration page allow you to Add a rule and set parameters for it Modify an existing rule Delete an existing rule View configured ACL rules Figure 9 3 Outbound ACL Configuration Page ...

Page 64: ...re the rule as an allow rule This rule when bound to the Firewall will allow matching packets to pass through Deny Select this button to configure the rule as a deny rule This rule when bound to the Firewall will not allow matching packets to pass through Move to This option allows you to set a priority for this rule The SL6000 SL6300 Firewall acts on packets based on the priority of the rules Set...

Page 65: ...t When this option is selected the following fields become available for entry Subnet Address Enter the appropriate IP address in the blank field Subnet Mask Enter the corresponding subnet mask in the blank field IP Range This option allows you to include a range of IP addresses for applying this rule The following fields become available for entry when this option is selected Start IP Enter the s...

Page 66: ...opriate IP address in the blank field Subnet Mask Enter the corresponding subnet mask in the blank field IP Range This option allows you to include a range of IP addresses for applying this rule The following fields become available for entry when this option is selected Start IP Enter the starting IP address of the range End IP Enter the ending IP address of the range IP Pool This option allows y...

Page 67: ...is option if you want this rule to apply to applications with this port range The following fields become available for entry when this option is selected Begin Port Enter the starting port number of the range End Port Enter the ending port number of the range Service This option allows you to select any of the pre configured services selectable from the drop down list instead of the destination p...

Page 68: ... you want the incoming traffic to be directed Interface Select the external interface as the NAT IP address Time Range Only Always available for the time being Application Filters FTP Only None available for the time being HTTP Only None available for the time being RPC Only None available for the time being SMTP Only None available for the time being Log Select Enable radio button to enable loggi...

Page 69: ...ource destination IP source destination port protocol port mapping log and VPN Please see Table 9 2 for explanation of these fields 5 Assign a priority for this rule by selecting a number from the Move to drop down list Note that the number indicates the priority of the rule with 1 being the highest Higher priority rules will be examined prior to the lower priority rules by the firewall 6 Click on...

Page 70: ...l list table at the lower half of the Outbound ACL Configuration page 9 4 4 Delete Outbound ACL Rules To delete an outbound ACL rule follow the instructions below 1 Log into Configuration Manager as admin click the Firewall menu and then click Outbound ACL submenu 2 Select the rule number from the ID drop down list or click on the icon of the rule to be deleted in the outbound ACL table 3 Click on...

Page 71: ... as either Allow or Deny Figure 9 5 2 Choose the Rule Type that you d like to add from the drop down list 3 Select the user group from the drop down list 4 Choose the Source IP from the drop down list from where you d like to allow the traffic 5 Choose the Destination IP from the drop down list to where you d like to allow the traffic 6 Choose the Source Port from the drop down list from where you...

Page 72: ...oose the rule id from the drop down list To delete an existing rule choose the rule id in the drop down list and click on Delete the button The detail inbound outbound ACL rule configurations are also described in 9 3 Configuring Inbound ACL Rules and 9 4 Configuring Outbound ACL Rules Figure 9 5 Group Access Control Configuration Page ...

Page 73: ...om the drop down list and enter the port number that you want to configure 3 Choose the direction from LAN WAN that you want to add 4 Finally click on the Add button Figure 9 6 Figure 9 6 Self Access Configuration Page 9 6 2 View Self Access Summary You can see the list of all the self access rules that are currently configured for your SL6000 SL6300 with all their attributes 9 6 3 Delete Self Acc...

Page 74: ...ound ACL rule configuration You may use Service Configuration Page to Add a service and set parameters for it Modify an existing service Delete an existing service View configured services Figure 9 7 shows the Firewall Service Configuration page The configured services are listed at the lower half of the same page Figure 9 7 Firewall Service Configuration Page ...

Page 75: ...e 9.7. Note that when you open the Service Configuration page, a list of existing services is also displayed in the lower half of the configuration page, such as those shown in Figure 9.7. 2. Select Add New from the service drop-down list. 3. Enter a desired name, preferably a meaningful name that signifies the nature of the service, in the Service Name field. Note that only alphanumeric characters are a...

Page 76: ...ce, follow the instructions below: 1. Log into Configuration Manager as admin, click the Firewall menu, and then click Service submenu. 2. Select the service from the service drop-down list or click on the icon of the service to be deleted in the service list table. 3. Click on the Delete button to delete this service. Note that the service deleted will be removed from the service list table located at the ...

Page 77: ...o a stuck state where they cannot accept connections from legitimate users. SYN is short for SYNchronize; this is the first step in opening an Internet connection. You can select this box if you wish to protect the network from TCP Syn flooding. 9.8.2 Winnuke Attack Check Certain older versions of the MS Windows OS are vulnerable to this attack. If the computers in the LAN are not updated with recent versions/patches...

Page 78: ...ing on the Maximum Transmission Unit. By default, it's set to 45. If the Maximum Transmission Unit (MTU) of the interface is 1500 (default for Ethernet), then there can be a maximum of 45 fragments per IP packet. If the MTU is less then this number there can be more number of fragments. Figure 9.8 DoS Configuration Page If any of the above check is disabled then Firewall will no longer offer protection against the disabled ite...

Page 79: ...he Filter type first from the drop-down list. 2. Then choose the Add New option in the drop-down list, enter the Filter name in the text box. 3. Choose the Protocol from the drop-down list. 4. Enter the Port value. 5. Choose the action as Allow or Deny depending on whether you'd like to allow or deny the commands. You can also choose to log messages whenever SL6000/SL6300 drops or allows a packet based on t...

Page 80: ...be 80. Log: You can enable or disable logging of messages whenever Broadband Gateway denies or allows a packet based on the filter that you've set. By clicking on enable, you'd enable logging of such messages. Commands: You can refer to the commands by clicking on the Help button. FTP: You can filter any or all of FTP commands such as PORT, RETR, STOR, PASV, etc. HTTP: You can filter certain file extensions suc...

Page 81: ...NAT pool name in the drop-down list and click on the Delete button. Table 9.5 NAT Pool configuration parameters. NAT Pool Name: Type the NAT pool name that you would like to add. NAT Pool Type: You can select the NAT Pool Type from the drop-down list. Static: This type of NAT allows one address to be mapped exactly to one computer in the network. When a packet matches a policy with static NAT record, no po...

Page 82: ...he IP address of the interface connected to the Internet will be used as the NAT IP address. Note: If the static type NAT record is used in an Internet policy, then packets from LAN to Internet with attributes that match this policy will be subject to NAT, such that the source IP address of the packet gets modified to the corresponding IP address, which is a public address. The source IP address of the ...

Page 83: ...ress 1. To add a new IP Pool name, choose the Add New option in the drop-down list. 2. Enter the IP pool name in the text box and choose the IP pool type from the drop-down list. 3. Enter the IP address values depending on the pool type you chose and finally click on the Add button. 4. To view the existing or the configured IP pools, choose the IP pool name in the drop-down list. 5. To delete an existing IP ...

Page 84: ...the drop-down list. If you select IP Range, you have to specify: Start IP: Starting IP address in the IP Range; End IP: Ending IP address in the IP Range. If you select Subnet, you have to specify: IP Address: IP address in the respective Subnet; Subnet Mask: Subnet mask of the corresponding network. If you select IP Address, you have to specify: IP Address: Single IP Address. Figure 9.11 IP Pool Configuration Pag...

Page 85: ...stores them in a dynamic rule list and uses them for every connection from the user. It deletes this list after the user logs out of the GoC System's firewall. 1. To add a new User, you've to add a User group first. Choose the Add New option in the drop-down list, enter the User Group Name in the text box. 2. Choose the Add New option in the drop-down list, enter the User Name in the text box. 3. Enter the P...

Page 86: ...that you would like to add. User Name: Type the User name that you would like to add. Confirm Password: Type the User's password again to confirm. Inactivity Timeout: Type the timeout period which is used to delete the User related associations whenever there is no traffic across this connection. Figure 9.12 Firewall User Configuration Page ...

Page 87: ...rday can have the following periods: a. 9:00 and 12:00 Hrs. Such varying time periods can be configured into a single time range record. Access rules can be activated based on these time periods. 1. To add a new Time Range, choose the Add New option in the drop-down list, enter the Time Range Name in the text box. 2. Only if you'd like to have a multiple time period range such as the one mentioned above you...

Page 88: ...me range Record. Days of week: You can set the days range for the new schedule. In the left side list, you can select the starting day of the range. In the right side list, you can select the ending day of the range. Time: Type the time during which you'd like to allow the traffic in hh:mm format. Figure 9.13 Time Range Configuration Page ...

Page 89: ...atistics The Firewall Statistics page displays details regarding the active connections. Figure 9.14 shows a sample firewall statistics for active connections. To see an updated statistics, click on Refresh button. Figure 9.14 Firewall active connections statistics ...

Page 90: ...esses and ports. Table 10.1 lists the default connections that are provisioned on the gateway. Table 10.1 Default connections in SL6000/SL6300 (Name, Type, Port, Protocol, State, Purpose): allow ike io, passby, 500, UDP, Enabled, To allow IKE traffic; allow all, passby, Enabled, To allow plain traffic. Proposals: Each proposal represents a set of authentication/encryption parameters. Once configured, a proposal can be t...

Page 91: ...t rule has the highest priority (1). The allow all default rule has the lowest priority. At any point of time, it is recommended to maintain this priority. If you add connections below the allow all rule (lower priority), it will not have any effect, as the corresponding packets will match the allow all rule and go without encryption. Important: Note that pre-configured Proposals/Connections are read only and...

Page 92: ...ateway address and the local gateway address, preshared secret for remote gateway authentication, appropriate priority for the connection. Use them to configure basic Access Rule that will be used to establish a tunnel from local secure group to remote secure group with basic parameters. Options in this screen allow you to: Add an Access List and set basic parameters for it; Modify an Access List; Delete ...

Page 93: ...riority by specifying a number for its position in the list of rules. 1: This number marks the highest priority. Other numbers: Select other numbers to indicate the priority you wish to assign to the rule. Local Secure Group: This option allows you to set the local secure network to which this rule should apply. This option allows you to apply this rule inclusively on all computers in the internal networ...

Page 94: ...up above. Remote Secure Gateway: Enter the appropriate IP address for the remote secure gateway. Key Management: Two modes are supported: preshared key and manual key. Preshared Key: Select Preshared Key from the Key Management drop-down list. IKE Proposal Settings Preshared Key: Enter the shared secret; this should match the secret key at the other end. Encryption/Authentication: Select the IKE authenticatio...

Page 95: ...Encryption Authentication ESP 3DES HMAC MD5; Encryption Authentication ESP DES HMAC SHA1; Encryption Authentication ESP DES HMAC MD5; Authentication AH SHA1; Authentication AH MD5; Strong Encryption ESP 3DES; Encryption ESP DES; Authentication ESP SHA1; Authentication ESP MD5. Operation Mode. PFS Group: Select one of the following Perfect Forward Secrecy Diffie-Hellman Group from the drop-down list: NO PFS de...

Page 96: ...10.2.2 Add a Rule for VPN Connection Using Preshared Key VPN Tunnel Configuration Page, as illustrated in the Figure 10.1, is used to configure a rule for VPN connection using preshared key. Figure 10.1 VPN Tunnel Configuration Page Preshared Key Mode ...

Page 97: ... type (select Preshared Key), preshared key for IKE, encryption/authentication algorithm for IKE, lifetime for IKE, encryption/authentication algorithm for IPSec, operation mode for IPSec, PFS group for IPSec, and lifetime for IPSec. Please see Table 10.4 for explanation of these fields. 7. Assign a priority for this rule by selecting a number from the Move to drop-down list. Note that the number indicates th...

Page 98: ...e is enabled in System Service Configuration page. 3. Select the rule number from the ID drop-down list or click on the icon of the rule to be deleted in the VPN Connection Status table. 4. Click on the Delete button to delete this VPN rule. Note that the VPN rule deleted will be removed from the VPN Connection Status table located at the lower half of the same configuration page. 10.2.5 Display VPN Rul...

Page 99: ...ble: Select this radio button to disable this rule. Move to: This option allows you to set a priority for this rule. The VPN service in SL6000/SL6300 acts on packets based on the priority of the rule, with 1 being the highest priority. Set a priority by specifying a number for its position in the list of rules. 1: This number marks the highest priority. Other numbers: Select other numbers to indicate the pr...

Page 100: ...the starting IP address of the range. End IP: Enter the ending IP address of the range. Remote Secure Group: This option allows you to set the remote (destination) secure network to which this rule should apply. This option allows you to apply this rule inclusively on all computers in the external network. Use the Type drop-down list to select one of the following: IP Address, Subnet, IP Range. Select any of ...

Page 101: ...n ESP 3DES HMAC SHA1; Strong Encryption Authentication ESP 3DES HMAC MD5; Encryption Authentication ESP DES HMAC SHA1; Encryption Authentication ESP DES HMAC MD5; Authentication AH SHA1; Authentication AH MD5; Strong Encryption ESP 3DES; Encryption ESP DES; Authentication ESP SHA1; Authentication ESP MD5. Operation Mode. Encryption Key: Enter the encryption key to be used. To enter in hex, start with 0x. Authent...

Page 102: ...Log into Configuration Manager as admin, click the VPN menu, and then click Tunnel submenu. The VPN Tunnel Configuration page displays as shown in Figure 10.2. Note that when you open the VPN Tunnel Configuration page, a list of existing rules for VPN connections is also displayed in the lower half of the configuration page, such as those shown in Figure 10.2. 2. Prior to adding a VPN rule, make sure tha...

Page 103: ...on to create the new VPN rule. The new VPN rule will then be displayed in the VPN Connection Status table at the lower half of the VPN Configuration page. 10.3.3 Modify VPN Rules To modify a VPN rule, follow the instructions below: 1. Log into Configuration Manager as admin, click the VPN menu, and then click Tunnel submenu. 2. Prior to modifying a VPN rule, make sure that the VPN service is enabled in Sys...

Page 104: ...ted will be removed from the VPN Connection Status table located at the lower half of the same configuration page. 10.3.5 Display VPN Rules To see existing VPN rules, follow the instructions below: 1. Log into Configuration Manager as admin, click the VPN menu, and then click Tunnel submenu. 2. The VPN rule table located at the lower half of the VPN Configuration page shows all the configured VPN rules. 10...

Page 105: ... in the engine. IKE Statistics: IKE negotiation statistics. IKE Phase1 Negotiation Done: Number of IKE phase 1 negotiations performed. Failed IKE Negotiations Done: Number of failed IKE phase 1 negotiations. Quick Mode Negotiation Performed: Number of IKE quick mode negotiations performed. Number of ISAKMP SAs: Number of phase 1 SAs. ESP Statistics: Number of ESP statistics. Active Inbound ESP SAs: Number of ac...

Page 106: ...SAs: Number of active inbound AH SAs. Active Outbound AH SAs: Number of active outbound AH SAs. Total Inbound AH SAs: Number of inbound AH SAs since the system has started. Total Outbound AH SAs: Number of outbound AH SAs since the system has started. Figure 10.3 shows all the parameters available for VPN connections. To see an updated statistics, click on the Refresh button. Figure 10.3 VPN Statistics Page ...

Page 107: ...em Log This chapter shows the System Log Configuration page, on which you can enable or disable the log files for Access, System, Firewall and VPN. You can also enable the log file backup via Email function here (Figure 11.1). Figure 11.1 System Log Configuration Page ...

Page 108: ...m Management menu. 12.1 Global Setting Configuration As shown in Figure 12.1, you can use the Global Setting page to enable or disable services supported by SL6000/SL6300, including firewall, VPN, DNS Relay, DHCP, RIP, and SNTP. To disable or enable individual service, follow the steps below: 1. Log into Configuration Manager as admin, click the System Management menu, and then click Global Setting submenu. Figu...

Page 109: ...t the same as the login password you may use to connect to your ISP. Figure 12.2 User Account Setting Page Password configuration page (see Figure 12.2) allows you to change supervisor or user's password. Follow the steps below to change password: 1. Log into Configuration Manager as admin, click the System Management menu, and then click User Account submenu. The User Account Configuration page displays...

Page 110: ...located, and contact person information for this device. Note that all fields allow only alphanumeric characters. When you are done entering system specific information, click on Apply button to save the changes. Figure 12.3 System Identity Page 12.4 Setup Time Zone SL6000/SL6300 keeps a record of the current date and time, which it uses to calculate and report various performance data. Note: Changing the SL6000/SL...

Page 111: ...ce there is no real time clock inside SL6000/SL6300, the system date and time are maintained by external network time server. Time Zone configuration parameters: Date: Current Date. Time: Current Time. Location Time Time Zone. SNTP Server: Maximum of 5 services can be configured. Update Interval: SNTP update time interval. 2. Click on Apply button to save the changes. Figure 12.4 Time Zone Configuration Page ...

Page 112: ...enu. The Default Setting Configuration page displays as shown in Figure 12.5. 2. Click on Apply button to set the system configuration back to factory default. Note that SL6000/SL6300 will reboot to make the factory default configuration in effect. Figure 12.5 Default Setting Configuration Page 12.5.2 Backup System Configuration Follow the steps below to backup system configuration: 1. Log into Configur...

Page 113: ...n click Restore submenu. The Restore Configuration page displays as shown in Figure 12.7. 2. Enter the path and name of the system configuration file that you want to restore in the Configuration File text box. Alternatively, you may click on the Browse button to search for the system configuration file on your hard drive. 3. Click on Apply button to restore the system configuration. Note that SL6000/SL6300 will ...

Page 114: ... Firmware Upgrade Page 1. Log into Configuration Manager, click the System Management menu, and then click Firmware Upgrade submenu. The Firmware Upgrade page displays as shown in Figure 12.8. 2. In the Firmware text box, enter the path and name of the firmware image file. Alternatively, you may click on Browse button to search for it on your hard drive. 3. Click on Apply button to update the firmware. Note ...

Page 115: ... 13 Chapter 13 13 System Reset To reset your SL6000/SL6300, log into Configuration Manager, click the System Management menu, and then click Reset submenu. Click on the Apply button to reset the modem/router. Figure 13.1 System Reset Page ...

Page 116: ...uter 115 Chapter 14 14 Logout Configuration Manager To log out of Configuration Manager, click Logout, then click on the Apply button in the Configuration Manager Logout (Figure 14.1). Figure 14.1 Configuration Manager Logout ...

Page 117: ... as decimal numbers separated by dots is called dotted decimal notation. The IP address 20.56.0.211 is read "twenty dot fifty-six dot zero dot two-eleven". A.1.1 Structure of an IP address IP addresses have a hierarchical design similar to that of telephone numbers. For example, a 7-digit telephone number starts with a 3-digit prefix that identifies a group of thousands of telephone lines, and ends with four digits...

Page 118: ...hosts. Because of their huge size, these networks are used for WANs and by organizations at the infrastructure level of the Internet, such as your ISP. Class B networks are smaller but still quite large, each able to hold over 65,000 hosts. There can be up to 16,384 class B networks in existence. A class B network might be appropriate for a large organization such as a business or government agency. Class...

Page 119: ... address, all of the bits in field 1 through field 3 are part of the network ID, but note how the mask specifies that the first bit in field 4 is also included. Since this extra bit has only two values (0 and 1), this means there are two subnets. Each subnet uses the remaining 7 bits in field 4 for its host IDs, which range from 0 to 127 (instead of the usual 0 to 255 for a class C address). Similarly, to split...

Page 120: ...AN LED does not illuminate after Ethernet cable is attached: Verify that an Ethernet cable like the one provided is securely connected to the Ethernet port of your ADSL or cable modem and the WAN port of SL6000/SL6300. Make sure that your ADSL or cable modem is powered on. Wait 30 seconds to allow SL6000/SL6300 to negotiate a connection with your broadband modem. LINK LAN LED does not illuminate after Ethernet ...

Page 121: ...tically. Verify with your ISP that the DNS server specified for the PC is valid. Correct the address or configure the PC to receive this information automatically. Verify that a Network Address Translation rule has been defined on the SL6000/SL6300 to translate the private address to your public IP address. The assigned IP address must be within the range specified in the NAT rules. Or configure the P...

Page 122: ... Cannot access the Configuration Manager program from your browser: Use the ping utility, discussed in the following section, to check whether your PC can communicate with the SL6000/SL6300's LAN IP address (by default 192.168.1.1). If it cannot, check the Ethernet cabling. Verify that you are using Internet Explorer v5.5 or later. Netscape is not supported. Support for Javascript must be enabled in your br...

Page 123: ...rectly, please attach the RS232-to-RJ45 cable between the router's console port and your PC's COM port after the router is powered ON. You can choose Yes if you do not normally use other telnet software. Enter any name for this New Connection. 2. Setup the telnet connection to the SL6000/SL6300 as follows: In Windows operating system, click START > Program > Accessories > Communications > HyperTerminal. 1. Start ...

Page 124: ...and click OK. Select Bits per second: 9600, Data bits: 8, Parity: None, Stop bits: 1, Flow Control: NONE, and click OK. The router will reboot and show some system messages. Hyper Terminal will show below message; press and release the RESET button one time now. 3. Press the RESET button on the back of the SL6000/SL6300 ...

Page 125: ...ime when you see Loading CPU 0. If you see Loading CPU 1, it would be too late to press the RESET button a second time. 4. Press the RESET button on the back of the SL6000/SL6300 a second time when you see Loading CPU 0, while the dots are increasing (about 5 sec after pushing the RESET button). 6. This process is complete and the SL6000/SL6300 will recover its factory default settings after a few ...

Page 126: ... your LAN or a public IP address for an Internet site, if known. If the target computer receives the message, a Command Prompt window displays like that shown in Figure B.1. Figure B.1 Using the ping Utility If the target computer cannot be located, you will receive the message Request timed out. Using the ping command, you can test whether the path to the SL6000/SL6300 is working using the preconfigured...

Page 127: ... computers, you can execute the nslookup command from the Start menu. Click the Start button, and then click Run. In the Open text box, type nslookup. Click OK. A Command Prompt window displays with a bracket prompt. At the prompt, type the name of the Internet address you are interested in, such as www.absnews.com. The window will display the associated IP address, if known, as shown in Figure B.2. Figure B.2 Us...

Page 128: ... and uploading; the download rate is higher than the upload rate. The asymmetrical rates benefit home users because they typically download much more data from the Internet than they upload. ATM authenticate: To verify a user's identity, such as by prompting for a password. Binary: The "base two" system of numbers, that uses only two digits, 0 and 1, to represent all numbers. In binary, the number 1 is written as 1, 2 as ...

Page 129: ...ic Host Configuration Protocol server. A DHCP server is a computer that is responsible for assigning IP addresses to the computers on a LAN. See DHCP. DNS: Domain Name System. The DNS maps domain names into IP addresses. DNS information is distributed hierarchically throughout the Internet among computers called DNS servers. When you start to access a web site, a DNS server looks up the requested domain name to fin...

Page 130: ...tering rules are defined to operate on an interface (or multiple interfaces) and in a particular direction (upstream, downstream, or both). firewall: Any method of protecting a computer or LAN connected to the Internet from intrusion or attack from the outside. Some firewall protection can be provided by packet filtering and Network Address Translation services. FTP: File Transfer Protocol. A program used to transfer fi...

Page 131: ...s with adjacent routers. A multicast group of computers is one whose members have designated as interested in receiving specific content from the others. Multicasting to an IGMP group can be used to simultaneously update the address books of a group of mobile computer users or to send company newsletters to a distribution list. Internet: The global collection of interconnected networks used for both p...

Page 132: ...nt of the SL6000/SL6300 are LEDs. MAC address: Media Access Control address. The permanent hardware address of a device, assigned by its manufacturer. MAC addresses are expressed as six pairs of characters. Mask: See network mask. Mbps: Abbreviation for Megabits per second, or one million bits per second. Network data rates are often expressed in Mbps. NAT: Network Address Translation. A service performed by ma...

Page 133: ...computer and provides the physical interface to your network cabling, which for Ethernet NICs is typically an RJ-45 connector. See Ethernet, RJ-45. packet: Data transmitted on a network consists of units called packets. Each packet contains a payload (the data), plus overhead information such as where it came from (source address) and where it should go (destination address). Ping: Packet Internet (or Inter-Network) Gr...

Page 134: ...versions of RIP: version I and version II. RJ-11: Registered Jack Standard-11. The standard plug used to connect telephones, fax machines, modems, etc. to a telephone jack. It is a 6-pin connector usually containing four wires. RJ-45: Registered Jack Standard-45. The 8-pin plug used in transmitting data over phone lines. Ethernet cabling usually uses this type of connector. Routing: Forwarding data between your ...

Page 135: ...lications such as HTTP, FTP, Telnet, etc. TCP/IP refers to this whole suite of protocols. Telnet: An interactive, character-based program used to access a remote computer. While HTTP (the web protocol) and FTP only allow you to download files from a remote computer, Telnet allows you to log into and use a computer from a remote location. TFTP: Trivial File Transfer Protocol. A protocol for file transfers. TFTP i...

Page 136: ... text, graphic images, audio, or video to the user. Web browsers use Hyper-Text Transfer Protocol (HTTP). Popular web browsers include Netscape Navigator and Microsoft Internet Explorer. See also HTTP, web site, WWW. Web page: A web site file typically containing text, graphics and hyperlinks (cross-references) to the other pages on that web site, as well as to pages on other web sites. When a user accesses a web ...
