manualshive.com logo in svg

Niveo NR-70, User Manual

Share
Download
Niveo NR-70 User Manual Download Page 154

 

}

 

messages, the endpoint will renegotiate the SAs with the peer. 

10.3.1.4 IPSec NAT Traversal 

Network Address Translation (NAT) is a technology that allows multiple hosts on a 
private network to share a single or a small group of public IP addresses. Undoubtedly, 
NAT can help conserve the remaining IP address space and provide the benefit of 
network security assurance; however, it has introduced problems for end-to-end 
protocols like IPSec. NAT is incompatible with IPSec, which is one of the most popular 
VPN technologies.   

Why doesn’t NAT work with IPSec? One main reason is that NAT devices modify the 
IP header of a packet, this causes an AH-protected packet to fail checksum validation; 
and they cannot modify the ports in the encrypted TCP header of an ESP-protected 
packet. The solution is IPSec NAT Traversal, or NAT-T. 

The IPSec working group of the IEEE has created standards for NAT-T that are 
defined in RFC 3947 (Negotiation of NAT-Traversal in the IKE) and RFC 3948 (UDP 
Encapsulation of IPsec ESP Packets). IPSec NAT-T is designed to solve the problems 
inherent in using IPSec with NAT. 

During IKE phase 1 negotiation, the two IPSec NAT-T-capable endpoints can 
automatically determine:   

  Whether both of the IPSec endpoints can perform IPSec NAT-T. 

  If there are any NAT devices along the path between them. 

If both of these two conditions are true, the two endpoints will automatically use IPSec 
NAT-

T to send IPSec protected packets. If either endpoint doesn’t support IPSec 

NAT-T, they will perform normal IPSec negotiations (beyond the first two messages) 
and IPSec protection. If both endpoints support IPSec NAT-T, but there is no NAT 
device between them, they will perform normal IPSec protection. 

 

Note: 

IPSec NAT-T is only defined for ESP traffic. AH traffic cannot traverse NAT 

devices, therefore, do not use AH if any 

NAT device

 is present on your network. 

The Device supports IPSec NAT-T feature. With NAT-T, the Device will add a UDP 
header to the ESP-protected packets after detecting one of more NAT devices along 
the data path during IKE phase 1 negotiation. This new UDP header sits between the 
ESP header and the outer IP header, and usually uses UDP port 4500. 

10.3.1.5 IPSec List 

You can view the IPSec entry configuration and status information in the 

IPSec List.

 

Note when the connection type is 

Answer-Only

, the 

Connect

 button is invalid. 

Summary of Contents for NR-70

Page 1: ...User Manual NR 70 Router Prelimary version 2 8...

Page 2: ...uced transmitted transcribed stored in a retrieval system or translated into any language without written permission from the copyright holders The scope of delivery and other details are Other tradem...

Page 3: ...pter 3 Start Menu 11 3 1 Setup Wizard 11 3 1 1 Running the Setup Wizard 11 3 1 2 Setup Wizard WAN1 Settings 12 3 2 Interface Status 13 3 3 Interface Traffic 13 3 4 Restart Device 15 Chapter 4 Network...

Page 4: ...ication 37 4 6 UpnP 38 4 7 Number of WAN 39 Chapter 5 Advanced Menu 40 5 1 NAT DMZ 40 5 2 Static Route 51 5 3 Policy Routing 53 5 4 Anti NetSniper 56 5 5 Plug and Play 56 5 6 Port Mirroring 57 5 7 Sys...

Page 5: ...iltering Settings 127 9 3 2 Domain Block Notification 128 9 4 MAC Address Filtering 129 Chapter 10 VPN Menu 132 10 1 Introduction to VPN Technologies 132 10 2 PPTP 133 10 3 IPSec 144 Chapter 11 System...

Page 6: ...action Text Box Allows you to enter text information List Box Allows you to select one or more items from a static multiple line text box Drop down List Allows you to choose one item from a list When...

Page 7: ...wn in the following table Parameter Default Value Description User Name admin Both the User Name and Password are case sensitive Password admin LAN IP Address 192 168 1 1 255 255 255 0 You can use thi...

Page 8: ...oduct Figure 1 1 Front Panel_NR70 LED Description PWR The Power LED indicator is on when the Device is powered on SYS The LED indicator blinks twice per second when the system is working properly and...

Page 9: ...pin or paperclip to press and hold the Reset button for more than 5 seconds and then release the button After that the Device will restart with the factory default settings Note The reset operation wi...

Page 10: ...C with an Ethernet card and TCP IP installed 3 Network devices like hub switch wireless access point 4 Network cables 5 Screwdriver 6 Power outlet 1 4 Installation Procedure Follow these steps to inst...

Page 11: ...hands dry 1 Power off your PC s CableDSL modem and the Device 2 Connect the Cable DSL modem to the Device s WAN port 3 Connect one end of an Ethernet cable to one of the LAN ports on the Device and t...

Page 12: ...computer to a LAN port of the Device or connect the computer to the Device through wireless Step 2 Install TCP IP protocol on your computer If it is already installed please skip this step Step 3 Con...

Page 13: ...fault the computer s IP address must be an unused IP address in the 192 168 1 0 24 subnet Pinging 192 168 1 1 with 32 bytes of data Request timed out Request timed out Request timed out Request timed...

Page 14: ...of the Device s web based utility launch your web browser and enter the Device s default IP address 192 168 1 1 in the URL filed Then press the Enter key Figure 2 1 Address Bar Step 2 A login screen p...

Page 15: ...the UTT website to find more products Forum Click to go to the forum home page on the UTT website to participate in product discussions Feedback Click to send us your feedback by email 1 On left side...

Page 16: ...ct the Device to the Internet Even unfamiliar with the product you still can follow the instructions to complete the setup easily 3 1 1Running the Setup Wizard The first page appears is Setup Wizard i...

Page 17: ...izard WAN1 Settings There are three connection types you can configure for WAN Internet connection PPPoE Static IP and DHCP For the detail information you can refer to the chapter 4 1 WAN Figure 3 3 S...

Page 18: ...of each physical interface If you want to view the rate chart of an interface click the corresponding interface name hyperlink In the interface rate chart the abscissa x axis shows the time axis and...

Page 19: ...rate of the physical interface since last opened the current page Total Displays the total RX or TX traffic of the physical interface since last opened the current page LAN WANx Click the interface n...

Page 20: ...cking the Restart button the system will pop up a dialog Then you can click the OK button to restart the Device or click the Cancel button to cancel the operation Figure 3 7 Restart Device Note Becaus...

Page 21: ...various settings We will describe the settings for each connection type respectively Figure 4 1 Select Connection Type 4 1 1PPPoE Connection The Point to Point Protocol over Ethernet PPPoE is a networ...

Page 22: ...None If selected no protocol will be used PAP If selected PAP Password Authentication Protocol protocol will be used for PPP authentication CHAP If selected CHAP Challenge Handshake Authentication Pro...

Page 23: ...ernet connection when the value is zero MTU When dialing the Device will automatically negotiate MTU maximum transmission unit with the peer device Please leave the default value of 1480 bytes unless...

Page 24: ...er the IP address of your ISP s secondary DNS server if it is available 4 1 3DHCP Connection The Dynamic Host Configuration Protocol DHCP is a standardized network protocol used on IP networks for dyn...

Page 25: ...also display the time left before the lease expires day hour minute second for current IP address which is assigned by your ISP s DHCP server IP Address Subnet Mask and Gateway IP When the connection...

Page 26: ...ck the OK button to delete the connection Note The default WAN1 connection can t be deleted but edited 4 1 7Dial or Hang up a PPPoE connection If the connection type is PPPoE when you click the WAN1 h...

Page 27: ...balancing mode detection interval retry times and ID binding and so on 4 2 1Internet Connection Detection Mechanism When using multiple Internet connections the Device should has the ability to real...

Page 28: ...ately For example by default if the Device has sent three detection packets and received two packets during a detection period it will consider that the connection is back to normal Note If you don t...

Page 29: ...n s to let the LAN users use them to access the Internet In this case if there is more than one backup connection the Device will control and balance the traffic among these connections 3 Once one or...

Page 30: ...en click to move the selected connection s to the Backup list box Select one or more Internet connections in the Backup list box and then click to move the selected connection s to the Primary list bo...

Page 31: ...re 4 11 Detection and Bandwidth Settings Interface Select the physical interface you want to set load balancing Detection Interval Specify the time interval at which the Device periodically sends dete...

Page 32: ...pplications such as online banking QQ etc cannot be used normally due to the identity change We provide ID binding feature to solve this problem After you enable Identity Binding the Device will assig...

Page 33: ...tion 10M HD 10M Half Duplex 10M FD 10M Full Duplex 100M HD 100M Half Duplex 100M FD 100M Full Duplex and 1000M FD 1000M Full Duplex In most cases please leave the default value If a compatibility prob...

Page 34: ...he Device can act as a DHCP server to assign network addresses and deliver other TCP IP configuration parameters such as gateway IP address DNS server IP address etc to the LAN hosts 4 4 1DHCP Server...

Page 35: ...e in the DHCP protocol packets which is used to carry the IP address of AC AP analyze the AC address carried by option 43 to discover AC The available options are Disable HEX Length ASCII Length and C...

Page 36: ...fy the LAN hosts related settings 4 4 2Static DHCP This section describes the static DHCP list and the way to configure a static DHCP Using the DHCP Server to automatically configure TCP IP properties...

Page 37: ...r the setting is successful the Device will assign the preset IP address for the specified computer in a fixed way 2 The assigned IP addresses must be within the range provided by the DHCP server 4 4...

Page 38: ...time expires 4 4 4DHCP Client List When acting as a DHCP client the Device can dynamically obtain an IP address and other TCP IP configuration parameters from a DHCP server The information of those DH...

Page 39: ...of 192 168 1 10 2 Configuration Steps Step 1 Go to Network DHCP Server DHCP Server Settings page Step 2 Select Enable DHCP Server enter 192 168 1 10 and 192 168 1 59 in the Start IP Address and End IP...

Page 40: ...ave applied PPPoE connection with dynamically assigned IP address from the ISP you can use DDNS to allow the external computers to access the Device by a static domain name In order to use DDNS servic...

Page 41: ...Device User Name Enter the user name of the account It should be the same with the user name that you entered when registering the DDNS account Password Enter the key that you got when registering th...

Page 42: ...hat you entered when registering the DDNS account Password Enter the key that you got when registering the DDNS account 4 5 3DDNS Verification To verify whether DDNS is updated successfully you can us...

Page 43: ...ilities of other devices on the network The Device can implement NAT traversal by enabling UPnP When you enable UPnP the Device allows any LAN UPnP enabled device to perform a variety of actions inclu...

Page 44: ...er of WAN interface and click the Save button to save the settings Figure 4 26 Number of WAN Settings Note 1 After the number of WAN interface is changed you need to restart the Device for the setting...

Page 45: ...network the Device can forward those requests to computers equipped to handle the requests For example if you set the port number 21 ftp to be forwarded to IP address 192 168 1 2 then all the related...

Page 46: ...ervice available options are TCP UDP and TCP UDP Start External Port Specify the lowest port number provided by the Device The external ports are opened for outside users to access IP Address Specify...

Page 47: ...ess Then all the requests for syslog from outside users to 200 200 200 88 2514 will be forwarded to 192 168 16 88 514 The following figure shows the detailed settings Figure 5 3 Port Forwarding settin...

Page 48: ...ice s WAN1 interface s IP address The organization wants a LAN server IP Address 192 168 16 88 to open SMTP service Protocol TCP Port 25 to the outside users And the Device will use 2025 as the extern...

Page 49: ...rom the Internet As the internal network can be effectively isolated from the outside world the NAT can also provide the benefit of network security assurance The Device provides flexible NAT features...

Page 50: ...it is often simply referred to as NAT NAPT provides many to one mappings between multiple internal IP addresses and a single external IP addresses that is these multiple internal IP addresses will be...

Page 51: ...range of the NAT rule The LAN hosts that belong to this address range will use the NAT rule Bind to Specify an Internet connection to which the NAT rule is bound The LAN hosts that match the NAT rule...

Page 52: ...Internal IP and End Internal IP Specify the internal address range of the NAT rule The LAN hosts that belong to this address range will preferential use the NAT rule Bind to Specify an Internet conne...

Page 53: ...202 1 1 132 29 202 1 1 133 29 202 1 1 134 29 respectively 2 Analysis Firstly we need configure a static IP Internet connection on the WAN1 interface in the Basic WAN page or through the Setup Wizard...

Page 54: ...et connection s gateway IP address 218 1 21 2 29 is used as the Device s WAN1 interface s IP address Note that 218 1 21 0 29 and 218 1 21 7 29 cannot be used as they are the subnet number and broadcas...

Page 55: ...ave the settings Till now you have finished configuring the NAT rule and then you can view its configuration in the NAT Rule List 5 1 1 12 DMZ The DMZ Demilitarized Zone feature allows one local compu...

Page 56: ...if there is an available DMZ host 5 2 Static Route A static route is manually configured by the network administrator which is stored in a routing table By using routing table the Device can select a...

Page 57: ...related information will be displayed in the setup page Then modify it and click the Save button Delete Static Route s Select the leftmost check boxes of them and then click the Delete button 5 2 1 2...

Page 58: ...ckets are forwarded to the next hop gateway or router The available options are the name of each physical interface Note 1 When creating a static route you should specify the next hop IP address by th...

Page 59: ...deleting it please clear the check mark Edit a Policy Routing Entry Click its Edit hyperlink the related information will be displayed in the setup page Then modify it and click the Save button Delete...

Page 60: ...g entry Interface Specify an outbound interface through which the packets matching the Policy Routing entry are forwarded Src IP Specify the source IP addresses of the packets to which the Policy Rout...

Page 61: ...uting list the packet will be forwarded through normal routing channel in other words destination based routing is performed 5 4 Anti NetSniper This section describes Advanced Anti NetSniper page Anti...

Page 62: ...at the same time For example if a LAN user with IP address 1 1 1 1 has connected to the Device to access the Internet another user with IP address 1 1 1 1 cannot access the Internet through the Devic...

Page 63: ...rts this protocol and can send its activity logs to an external syslog server It helps the network administrator monitor analyze and troubleshoot the Device and network Figure 5 20 Syslog settings Ena...

Page 64: ...ss to USB disk SD card for digital data 5 9 Sharing Management After plugging a USB SD card into the Device administrator could share the Data on the USB SD card to LAN users through the FTP function...

Page 65: ...hare data to local area users All the sources you have shared are displayed on the Shared Directory List Figure 5 22 FTP Server Enable FTP Server Select to enable FTP Server Remote Access Select to en...

Page 66: ...tp xxx xxx xxx xxx 21 xxx xxx xxx xxx stands for the IP address of the LAN port in the address bar to open the shared resources folder Such as when the IP address of the LAN port is 192 168 1 1 you co...

Page 67: ...unt of admin has the right to write and read data and who also can upload the changes on the volume to the server through IE The account of guest only has the right to read data Click the Add new item...

Page 68: ...Access Grant this account the right to read or read and write Enable FTP Access Select Yes to allow this account to access FTP server select No to forbid this account to access FTP server...

Page 69: ...t status information of each user including Rx Tx rate Rx Tx total traffic Internet behavior online time etc Figure 6 1 User Behavior Analysis Pie Charts Current Network Traffic Analysis Displays the...

Page 70: ...our PC the rate chart cannot be displayed properly To view the rate chart click the Please install SVG Viewer if the page cannot display properly hyperlink to download and install the SVG Viewer 1 Use...

Page 71: ...al traffic transmitted received by the user Online Time Displays the online time of the user User Group Displays the user group to which the user belongs Internet Application Displays the online activ...

Page 72: ...ss check box is selected Illegal User A illegal user s IP and MAC address pair matches an IP MAC binding whose Allow Internet Access check box is unselected or the IP address or MAC address is the sam...

Page 73: ...nitiated from LAN the Device will process it according to the following cases 1 A packet with IP address 192 168 16 65 and MAC address 00 15 c5 67 41 0f is allowed to pass and then it will be further...

Page 74: ...If you have added the IP and MAC address pair of a trusted LAN host in the IP MAC Binding List and later changed this host s IP address or MAC address you must also change the corresponding binding i...

Page 75: ...the setup page and then configure it lastly click the Save button Edit an IP MAC Binding Click its Edit hyperlink the related information will be displayed in the setup page Then modify it and click t...

Page 76: ...evice will immediately scan the LAN to detect active hosts connected to the Device learn and display dynamic ARP information that is IP and MAC address pairs Note that if you have added a LAN host s I...

Page 77: ...whose Allow check box is unselected or the IP address or MAC address is the same with an IP MAC binding s but not both 6 2 1 5Configure an Internet Whitelist If you want to configure an Internet whit...

Page 78: ...nding List Method Two Bind an IP address which is different from any LAN host s to each illegal user s MAC address in the IP MAC Binding List Method Three Add these users IP and MAC address pairs in t...

Page 79: ...to connect the Ethernet hosts to a remote Access Concentrator AC over a simple bridging access device And it provides extensive access control management and accounting benefits to ISPs and network ad...

Page 80: ...name and a service name identical to the one in the PADI and any number of other service names which indicate other services that the PPPoE server can offer If a PPPoE server receives a PADI packet b...

Page 81: ...et at anytime to indicate the session has been terminated The PADT packet s SESSION ID must be set to indicate which session is to be terminated Once received a PADT no further PPP packets even normal...

Page 82: ...ion mode by which the PPPoE server authenticates a PPPoE client The available options are PAP CHAP and Auto In most cases please leave the default value of Auto which means that the Device will automa...

Page 83: ...he corresponding PPPoE account If you want to disable the PPPoE account temporarily instead of deleting it please click it to remove the check mark Edit a PPPoE Account Click the Edit hyperlink the re...

Page 84: ...sh a PPPoE session firstly After that only this user can use the account Manual If selected you can configure up to four MAC addresses that are bound to the account Only the users with one of these MA...

Page 85: ...pecify the maximum download bandwidth of a PPPoE dial in user that uses the current PPPoE account Remarks Specify the description of the PPPoE account Note 1 If you want to assign a static IP address...

Page 86: ...er Status Displays the PPPoE account status If a PPPoE dial in user has established the PPPoE session to the Device successfully with the PPPoE account it displays Connected Else it displays Disconnec...

Page 87: ...t box The import contents are User Name Password and Description of each PPPoE account one PPPoE account per line and the import format of a PPPoE account is User Name Space Password Space Description...

Page 88: ...y the normal employees and its Rx and Tx bandwidth are both 512 Kbit s its Max Sessions is 90 the other is advanced account which is used only for MAC address 0021859b4544 with a static IP address 10...

Page 89: ...lt values for the other parameters Then click the Save button to save the settings Figure 6 19 Configuring the Universal PPPoE Account Example Step 3 Creating the advanced PPPoE Account whose user nam...

Page 90: ...The Device provide Web authentication feature This new feature will enhance network security If you enable the Web authentication on the Device those non PPPoE dial in users cannot access the Internet...

Page 91: ...Management User Group page Expiration Time Specify how long the user will be log off if there is no traffic after the user logging in Exception IP Group Select the user groups that don t need web auth...

Page 92: ...t Settings User Name Specify a unique user name of the web authentication account It should be between 1 and 31 characters long The Device will use the User Name and Password to authenticate a user Pa...

Page 93: ...b Authentication Client Status 6 4 1 4The steps for using Web Authentication If you want to use web authentication for a non PPPoE dial in user do the following Step 1 Go to the User Management Web Au...

Page 94: ...then click the Save button the system will pop up a prompt page Figure 6 26 Web Authentication Prompt Page 6 5 User Group This section describes User Management User Group page You can group users tha...

Page 95: ...figure it lastly click Save Figure 6 28 User Group Settings Group Name Specify the unique name for the user group Group Type Select the type of the user group Address Group or Account Group Note The u...

Page 96: ...escribes APP Control Schedule page you can configure and view schedules A schedule consists of a start date an end date and optional time periods 1 Schedule List In Schedule List you can add view modi...

Page 97: ...e range 7 2 Application Control This section describes APP Control Application Control page you can configure and view application management list An application control entry consists of a date and a...

Page 98: ...4 Application Management List continued Enable Internet Application Management Select the check box to enable Internet application management Notes To use this feature you need to enable application...

Page 99: ...ontrol Application Control page next click Add to go to Internet Application Management Settings page and then configure it lastly click Save Figure 7 5 Internet Application Management Settings Group...

Page 100: ...licy Database for more information about how to update policy 3 Example for Application Control Requirements In this example a company has four departments Technology Department 192 168 1 11 192 168 1...

Page 101: ...then clear the Select All check box next to IM Software In the Schedule Settings section clear the Every Day check box and select the Mon Tue Wed Thu and Fri check boxes Next choose 09 00 and 18 00 a...

Page 102: ...on to add this policy to Application Management List 3 Enabling Internet Application Management Lastly you need to enable Internet application management to make the policies take effect The configura...

Page 103: ...inued 7 3 QQ Whitelist This section describes App Control QQ Whitelist page This feature allows you to add a list of QQ numbers that are exempt from the Internet application management policies set in...

Page 104: ...ll QQ numbers with description to a text file Import Accounts To add multiple QQ numbers at once click Import Accounts to go to Import QQ Numbers page and then enter them in the text box lastly click...

Page 105: ...management policies Add To add a new MSN account click Add to go to MSN Whitelist Settings page and then configure it lastly click Save 7 5 TradeManager This section describes App Control TradeManager...

Page 106: ...the Device will automatically push a notice message to the user The Device provides daily routine notice and account expiration notice If you enable daily routine notice feature and specify a notice...

Page 107: ...ox to enable Daily Routine Notification IP Address Range Specify the range of IP addresses to which the notification will be sent Notification Titile Specify the title of the notice message Redirectio...

Page 108: ...e Select the check box to enable account expiration notification feature Notify X Days before Expiration Date Specify the number of days before the account expiration date so that the notification wil...

Page 109: ...online activities When an audited event occurs the Device stores a record of the event to the audit log 1 View Audit Log Figure 7 14 Internet Application Audit Note The Device can record the last 400...

Page 110: ...n Audit page Enable Email Audit Log Select the check box to enable email audit log If enabled you can view emails sending and receiving activities of internal users in Application Audit page Enable Ap...

Page 111: ...Type Displays the type of the policy Description Displays the description of the policy It is usually used to describe the purpose of the policy Update Click to update the policy over the Internet Upd...

Page 112: ...d Rate Limiting On the QoS Fixed Rate Limiting page you can specify the upload download limiting value for each LAN host in order to allocate bandwidth equally and avoid few hosts occupying too much b...

Page 113: ...each IP address that matches the rule Rate Limiting Mode Share The specified Max Tx Rx rate is shared by all IP addresses that match the rule Max Tx Rx Rate Specify the maximum upload rate and downlo...

Page 114: ...dwidth Specify the download speed of Internet connection 0 means unlimited rate Game Settings Select the game you want to boost 8 3 P2P Rate Limit P2P software usually occupies too much bandwidth whic...

Page 115: ...imum upload speed for the members in the group 0 means unlimited rate Max Rx Rate Specify the maximum download speed for the members in the group 0 means unlimited rate Exception IP Group Specify the...

Page 116: ...sessions per restricted host 0 means no restriction Notes 1 If some applications such as online games performance is degraded due to the maximum sessions limiting you can increase the Max Sessions and...

Page 117: ...basic internal attack defense settings to enhance network security The internal attack defense includes three parts Virus Prevention It can effectively protect the Device against popular virus attack...

Page 118: ...t value Enable SYN Flood Prevention If selected the Device will be effectively protected against SYN flood defense If the number of SYN packets from one source IP address e g 192 168 16 36 to a single...

Page 119: ...emergence of gambling pornography and other illegal websites which are contrary to the state laws and regulations broadband network provide fast surfing to the Internet users while fast spreading worm...

Page 120: ...ll be dropped immediately As these dropped packets are no longer further processed by route NAT and other modules it will reduce CPU load and improve the Device performance The action of an access con...

Page 121: ...ove an access control rule to above another rule in the list the operation is as follows Select the ID of a rule that you want to move from the Rule drop down list and another rule s ID from the Mode...

Page 122: ...rule applies There are two options IP Range Specify the start and the end addresses User Group Select it to choose an address group Dest IP Specify the destination IP addresses of the packets to which...

Page 123: ...own list to set Dest Port and Source Port for yourself Dest Port Specify a range of destination ports to which the access control rule applies Source Port Specify a range of source ports to which the...

Page 124: ...he full domain of all web pages are match When inputting a substring of domain the URL contains the substring of all web pages are match Note 1 The URL address is not case sensitive Please don t input...

Page 125: ..._DNS Filtering The setting of Rule Name Enable Src IP Action Schedule Settings is the same with IP Filtering please refer to the section 12 2 1 4 1 IP Filtering Filtering Type Here please select DNS F...

Page 126: ...uring working time 2 User defined rule 2 Allow them to access WEB during working time 3 User defined rule 3 Deny them to access all other services during working time Configuration Procedure Step 1 Co...

Page 127: ...s Control page Set the Src IP from 192 168 1 9 to 192 168 1 20 select Allow from the Action select IP Filtering from Filtering Type select 6 TCP from Protocol select 80 web from Common Service select...

Page 128: ...to Firewall Access Control page Set the Src IP from 192 168 1 9 to 192 168 1 20 select Deny from the Action select IP Filtering from Filtering Type select all All from Protocol select Mon to Fri from...

Page 129: ...m IP address is 29 58 246 93 and http www cnn com IP address is 157 166 255 18 Analysis We need to create two access control rules to meet requirements Rule 1 Deny them access to http www bbc com Rule...

Page 130: ...Control _Example 2_step 1 Step 2 Configuring Access Control Rule 2 Go to Firewall Access Control page Set the Src IP from 192 168 1 80 to 192 168 1 90 select Deny from the Action select URL Filtering...

Page 131: ...Figure 9 12 Access Control _Example 2_step 2 9 3 Domain Filtering This section describes the steps and notes to setup Domain Filtering on the Firewall Domain Filtering page...

Page 132: ...sers to access any other domain names Only Allow Domain Names in Domain Name List If selected the Device will allow the LAN users to access the domain names in the Domain Name list but block the users...

Page 133: ...st the Device will block or allow it according to the Filtering Mode 2 You can use the wildcard in a domain name to match multiple domain names For example if you have created www 163 in the Domain Na...

Page 134: ...ump to any other web page Redirecting URL Specify the redirecting URL to which the requested web page will jump Leave it blank if you don t want the requested web page to jump to any other web page No...

Page 135: ...ddress Filtering List from connecting to the Device but allow all other wireless clients MAC Address Filtering List Displays the MAC address filtering entries You can add or delete them by clicking th...

Page 136: ...Figure 9 16 MAC Address Filtering Settings...

Page 137: ...rigin authentication data integrity as well as replay protection IPSec provides two security mechanisms encryption and authentication Encryption mechanism is used to ensure data confidentiality preven...

Page 138: ...h offices or mobile users traveling employees telecommuters etc use the Windows built in PPTP client software to initiate PPTP connections to the server the Device deployed at the head office acts as...

Page 139: ...e users and transmit those packets destined for the head office internal network to the Device at the head office thus the mobile users can access both the branch office and head office internal netwo...

Page 140: ...AP Password Authentication Protocol CHAP Challenge Handshake Authentication Protocol MS CHAPV2 The Microsoft version of the Challenge Handshake Authentication Protocol ANY The Device will automaticall...

Page 141: ...h the remote VPN appliance when dialing Unless special application please leave the default value of 1478 bytes 10 2 1 4 Account Settings Figure 10 4 PPTP Server_Account Settings Tunnel Name Specify t...

Page 142: ...fy the subnet IP address of the remote network In most cases you may enter the IP address of the remote VPN appliance s LAN interface If you choose Mobile User as the Tunnel Type the system will autom...

Page 143: ...n Select the way of data encryption mode Note when you choose MS CHAPV2 as PPP aunthentication mode you must select MPPE as data encryption mode Remote Subnet IP Address Specify the IP address of the...

Page 144: ...he head office and branch office to securely communicate with each other over the Internet In addition some mobile users traveling employees telecommuters etc want to securely access the head office s...

Page 145: ...ress 200 200 202 123 255 255 255 0 The VPN appliance PPTP Client at the branch office LAN Subnet 192 168 16 0 255 255 255 0 LAN Interface IP Address 192 168 16 1 255 255 255 0 WAN Interface IP Address...

Page 146: ...to LAN PPTP Server Account for the Branch Office Click the Account Settings tab and make settings as the following figure lastly click the Save button Figure 10 9 PPTP Server Settings_LAN to LAN 2 Cre...

Page 147: ...PN PPTP page click the Add Client button and then make settings as the following figure lastly click the Save button Figure 10 11 PPTP Client settings 3 Configuring a Windows XP based Computer as a PP...

Page 148: ...ncryption from the Data encryption drop down list l Select the Unencrypted password PAP Challenge Handshake Authentication Protocol CHAP and Microsoft CHAP MS CHAP check boxes in the Allow these proto...

Page 149: ...it key to encrypt and decrypt the packets ensuring high performance encryption 3DES Triple Data Encryption Standard 3DES is a data encryption algorithm supported by IPSec As a variant of the 56 bit DE...

Page 150: ...used to protect further IKE exchanges and Phase 2 is used to negotiate the parameters and key material required to establish IPSec SAs The IPSec SAs are then used to authenticate and encrypt the user...

Page 151: ...cceptable security services such as Encryption algorithm DES 3DES or AES 98 99 256 Authentication algorithm MD5 or SHA 1 Diffie Hellman group Refer to Diffie Hellman Exchange described later in this s...

Page 152: ...ts certificates if it is being used The weakness of using aggressive mode is that it does not provide identity protection because the identities of both sides are exchanged in clear text However aggre...

Page 153: ...t renegotiation improves security but at the expense of higher CPU utilization and possible delays during the renegotiation process Therefore the SA lifetime is often set to a relatively long time the...

Page 154: ...ng IPSec with NAT During IKE phase 1 negotiation the two IPSec NAT T capable endpoints can automatically determine Whether both of the IPSec endpoints can perform IPSec NAT T If there are any NAT devi...

Page 155: ...rs Therein the basic parameters for each type are different but the advanced parameters are the same The following will describe the basic parameters for each connection type respectively and then des...

Page 156: ...IP text box and its mask in the Subnet Mask text box if you want to define a host please enter the IP address of that host in the Subnet IP text box and 255 255 255 255 in the Subnet Mask text box Bin...

Page 157: ...IPSec endpoints should use aggressive mode for phase 1 IKE negotiation Figure 10 14 IPSec Settings_Originate Only The parameters Gateway IP Domain Name Remote Subnet IP Remote Subnet Mask Remote Bind...

Page 158: ...Domain Name Email Address IP Address and Other In this connection type it is a required parameter You must select one type and then specify ID Value Local to allow the remote IPSec device to authentic...

Page 159: ...te to allow the local Device to authenticate the remote IPSec device ID Value Remote Specify the identity of the remote IPSec device In this connection type it is an optional parameter Please enter an...

Page 160: ...ase 1 They refer to phase 1 proposal that specifies a set of security algorithms for phase 1 negotiation A phase 1 proposal includes an encryption algorithm an authentication algorithm and a DH group...

Page 161: ...500 Keepalive Frequency Specify a time interval in seconds at which the Device will periodically send keepalive packets to the NAT device to keep the NAT mapping active so that the NAT mapping doesn t...

Page 162: ...ce Go to the VPN IPSec IPSec Settings page make the following settings leave the default values for the other parameters and then click the Save button Connection Type Bidirectional Gateway IP Domain...

Page 163: ...aes256 md5 3 Viewing the IPSec tunnel status After you have configured IPSec parameters on both Devices the IPSec tunnel establishment can be triggered manually On the Device you can go to the VPN IPS...

Page 164: ...with a dynamic IP address DHCP Internet connection Now we want to establish an IPSec tunnel between them and use the following proposals i e encryption and authentication algorithms the phase 1 propos...

Page 165: ...Configuring the Device at the branch office Go to the VPN IPSec IPSec Settings page make the following settings leave the default values for the other parameters and then click the Save button Connec...

Page 166: ...ished you can see that the SA Status displays Established and the Out Pkts and In Pkts will go on increasing as long as there is some network traffic being passed through the IPSec tunnel 1 Viewing th...

Page 167: ...Figure 10 21 Initiator s IPSec List...

Page 168: ...f you want to change the password go to System Administrator page do the following setup Step 1 Click the Edit icon with the user name as admin to enter into the configuration page Step 2 Modify the f...

Page 169: ...onize with SNTP Server It is recommended to use the Synchronize with SNTP Server function to obtain the standard time and the device will automatically get the standard time from the Internet after it...

Page 170: ...on file to you local PC import the configuration file to the Device and reset the Device to factory default settings Figure 11 4 Configuration 1 Backup Configuration File In Application Configuration...

Page 171: ...253 with a subnet mask of 255 255 255 0 4 After the reset operation is complete you must restart the Device for the default settings to take effect 11 5 Firmware Upgrade On the Application Firmware pa...

Page 172: ...before upgrade Normally the upgrade does not affect the current configuration of the Device However this situation might happen if the right steps are not followed properly 4 It is strongly recommend...

Page 173: ...urity it is strongly recommended that you don t enable remote management functions unless necessary If you are sure to enable them you had better change the default password 11 7 Scheduled Task This s...

Page 174: ...ime cycle or when the Device will perform the task The available options are Weekly Daily Hourly Minutely Start time Specify the time at which the Device will start to perform the task Its settings wi...

Page 175: ...ation such as current system time system up time system resources usage information SN firmware version etc Through system information administrator can identify and diagnose the source of network pro...

Page 176: ...When the percentage is between 50 and 70 below 70 the color is yellow When the percentage is equal to or above 70 the color is red 2 The above resources usage information indicates the load of the Dev...

Page 177: ...l be enabled Enable DHCP Log If selected the Device will store and display the DHCP related logs in the System Log Enable Notification Log If selected the Device will store and display the notice rela...

Page 178: ...Connection Local Area Connection right click Local Area Connection and choose Properties Step 2 In the Properties dialogue double click Internet Protocol Version 4 TCP IPv4 Step 3 In the Internet Prot...

Page 179: ...ain an IP address and other TCP IP parameters automatically from the Device you should enable the Device s DHCP server function in Application DHCP Server page Step 1 On the Windows taskbar click Star...

Page 180: ...2 How to reset the Device to factory default settings Case I Know the administrator password Under normal circumstances you can directly go to the System Configuration page click Reset button and rest...

Page 181: ...Notes The reset operation will clear all custom settings on the Device so do it with caution...

Page 182: ...otocol IPINIP 4 IP in IP Tunnel Driver TCP 6 Transmission Control Protocol EGP 8 Exterior Gateway Protocol IGP 9 Interior Gateway Protocol PUP 12 PARC Universal Packet Protocol UDP 17 User Datagram Pr...

Page 183: ...f the day chargen 19 tcp Character generator chargen 19 udp Character generator ftp data 20 tcp FTP data ftp 21 tcp FTP control telnet 23 tcp smtp 25 tcp Simple Mail Transfer Protocol time 37 tcp tims...

Page 184: ...re Call sunrpc 111 udp SUN Remote Procedure Call auth 113 tcp Identification Protocol uucp path 117 tcp nntp 119 tcp Network News Transfer Protocol ntp 123 udp Network Time Protocol epmap 135 tcp DCE...

Page 185: ...sakmp 500 udp Internet Key Exchange exec 512 tcp Remote Process Execution biff 512 udp login 513 tcp Remote Login who 513 udp cmd 514 tcp syslog 514 udp printer 515 tcp talk 517 udp ntalk 518 udp efs...

Page 186: ...sql s 1433 tcp Microsoft SQL Server ms sql s 1433 udp Microsoft SQL Server ms sql m 1434 tcp Microsoft SQL Monitor ms sql m 1434 udp Microsoft SQL Monitor wins 1512 tcp Microsoft Windows Internet Nam...

Reviews:

No comments

Brands by name

Popular brands

Load more brands