manualshive.com logo in svg

Nortel 222, User Manual, Page: 320 / 349

Share
Download
Nortel 222 User Manual Download Page 320

320

Appendix K Log descriptions

NN47922-501

Firewall rule match: GRE 

(set:%d, rule:%d)

GRE access matched the listed firewall rule and the 
Business Secure Router blocked or forwarded it according 
to the rule’s configuration. 

Firewall rule match: 

OSPF (set:%d, rule:%d)

OSPF access matched the listed a firewall rule and the 
Business Secure Router blocked or forwarded it according 
to the rule’s configuration. 

Firewall rule match: 

(set:%d, rule:%d)

Access matched the listed firewall rule and the Business 
Secure Router blocked or forwarded it according to the 
rule’s configuration. 

Firewall rule NOT match: 

TCP  (set:%d, rule:%d)

TCP access did not match the listed firewall rule and the 
Business Secure Router logged it. 

Firewall rule NOT match: 

UDP (set:%d, rule:%d)

UDP access did not match the listed firewall rule and the 
Business Secure Router logged it. 

Firewall rule NOT match: 

ICMP (set:%d, rule:%d, 

type:%d, code:%d)

ICMP access did not match the listed firewall rule and the 
Business Secure Router logged it. 

Firewall rule NOT match: 

IGMP (set:%d, rule:%d)

IGMP access did not match the listed firewall rule and the 
Business Secure Router logged it. 

Firewall rule NOT match: 

ESP (set:%d, rule:%d)

ESP access did not match the listed firewall rule and the 
Business Secure Router logged it. 

Firewall rule NOT match: 

GRE (set:%d, rule:%d)

GRE ac access did not match the listed firewall rule and 
the Business Secure Router logged it. 

Firewall rule NOT match: 

OSPF (set:%d, rule:%d)

OSPF access did not match the listed firewall rule and the 
Business Secure Router logged it. 

Firewall rule NOT match: 

(set:%d, rule:%d)

Access did not match the listed firewall rule and the 
Business Secure Router logged it. 

Filter default policy 

DROP!

IP address or protocol matched a default filter policy and 
the Business Secure Router dropped the packet to block 
access. 

Filter default policy 

FORWARD!

IP address or protocol matched a default filter policy. 
Access was allowed and the router forwarded the packet.

Filter match DROP <set 

%d/rule %d>

IP address or protocol matched the listed filter rule and the 
Business Secure Router dropped the packet to block 
access.

Filter match FORWARD 

<set %d/rule %d>

IP address or protocol matched the listed filter rule. Access 
was allowed and the router forwarded the packet.

Table 85   

Access logs

Log Message

Description

Summary of Contents for 222

Page 1: ...BSR222 Business Secure Router Document Number NN47922 501 Document Version 1 3 Date March 2007 Nortel Business Secure Router 222 Configuration Advanced ...

Page 2: ...o be accurate and reliable but are presented without express or implied warranty The information in this document is proprietary to Nortel Trademarks Nortel Nortel Logo the Globemark and This is the way This is Nortel Design mark are trademarks of Nortel Microsoft MS MS DOS Windows and Windows NT are registered trademarks of Microsoft Corporation All other trademarks and registered trademarks are ...

Page 3: ... Middle East Africa 27 Technical Support CTAS 27 CALA Caribbean Latin America 28 Technical Support CTAS 28 APAC Asia Pacific 28 Technical Support GNTS 28 Chapter 1 Getting to know your Nortel Business Secure Router 222 31 Introducing the Nortel Business Secure Router 222 31 Features 31 Physical features 32 4 Port switch 32 Autonegotiating 10 100 Mb s Ethernet LAN 32 Autosensing 10 100 Mb s Etherne...

Page 4: ...eduling 35 PPPoE 35 PPTP Encapsulation 36 Dynamic DNS support 36 IP Multicast 36 IP Alias 36 Central Network Management 36 SNMP 37 Network Address Translation NAT 37 Traffic Redirect 37 Port Forwarding 37 DHCP Dynamic Host Configuration Protocol 37 Full network management 38 Road Runner support 38 Logging and tracing 38 Upgrade Business Secure Router Firmware 38 Embedded FTP and TFTP Servers 38 Ap...

Page 5: ...tup 47 Introduction to general setup 47 Configuring general setup 47 Configuring dynamic DNS 50 Chapter 3 WAN and Dial Backup Setup 53 Introduction to WAN and dial backup setup 53 WAN setup 53 Dial backup 55 Configuring dial backup in menu 2 55 Advanced WAN setup 57 Remote node profile Backup ISP 59 Editing PPP options 62 Editing TCP IP options 63 Editing logon script 66 Remote node filter 69 Chap...

Page 6: ... Introduction to Remote Node setup 85 Remote Node setup 85 Remote Node profile setup 86 Ethernet Encapsulation 86 PPPoE Encapsulation 88 Outgoing Authentication Protocol 89 Nailed Up Connection 90 PPTP Encapsulation 91 Edit IP 92 Remote Node filter 95 Traffic Redirect setup 98 Chapter 7 IP Static Route Setup 101 IP Static Route Setup 101 Chapter 8 Dial in User Setup 105 Dial in User Setup 105 Chap...

Page 7: ...side server 123 Example 3 Multiple public IP addresses with inside servers 124 Configuring Trigger Port forwarding 129 Chapter 10 Introducing the firewall 133 Using SMT menus 133 Activating the firewall 133 Chapter 11 Filter configuration 135 Introduction to filters 135 Filter Structure 136 Configuring a Filter Set 138 Configuring a Filter Rule 141 Configuring a TCP IP Filter Rule 141 Configuring ...

Page 8: ...troduction to System Status 165 System Status 166 System information and console port speed 168 System Information 169 Console port speed 171 Log and trace 171 Syslog logging 171 CDR 172 Packet triggered 173 Filter log 173 PPP log 174 Firewall log 175 Call Triggering packet 175 WAN DHCP 177 Chapter 15 Firmware and configuration file maintenance 179 Filename conventions 179 Backup configuration 180...

Page 9: ...Firmware file upload 190 Configuration file upload 191 FTP file upload command from the DOS prompt example 191 FTP Session Example of Firmware File Upload 192 TFTP file upload 192 TFTP upload command example 193 Uploading via console port 194 Uploading Firmware File Via Console Port 194 Uploading Xmodem firmware using HyperTerminal 195 Uploading configuration file via console port 195 Uploading Xm...

Page 10: ...tings 225 Macintosh OS 8 9 225 Verifying Settings 226 Macintosh OS X 227 Verifying settings 228 Appendix B Triangle Route 229 The Ideal Setup 229 The Triangle Route Problem 229 The Triangle Route Solutions 230 IP aliasing 230 Appendix C Importing certificates 233 Import Business Secure Router certificates into Netscape Navigator 233 Importing the Business Secure Router Certificate into Internet Ex...

Page 11: ...a PC to a broadband modem over Ethernet 253 PPTP and the Business Secure Router 254 PPTP protocol overview 254 Control and PPP connections 255 Call connection 255 PPP data connection 256 Appendix F Hardware specifications 257 Cable pin assignments 257 AC Power Adapter Specifications 259 Appendix G IP subnetting 261 IP addressing 261 IP classes 261 Subnet masks 263 Subnetting 263 Example two subnet...

Page 12: ...icates commands 301 IEEE 802 1X commands 307 RADIUS commands 307 Appendix I NetBIOS filter commands 309 Introduction 309 Display NetBIOS filter settings 310 NetBIOS filter configuration 310 Example commands 311 Appendix J Boot Commands 313 Appendix K Log descriptions 315 VPN IPSec logs 323 VPN responder IPSec log 325 Log commands 332 Configuring what you want the Business Secure Router to log 333 ...

Page 13: ...ute force password guessing protection 335 Appendix M SIP 337 SIP Identities 337 SIP Number 337 SIP Service Domain 338 SIP Call Progression 338 SIP Servers 339 SIP User Agent Server 339 SIP Proxy Server 339 SIP Redirect Server 340 SIP Register Server 341 RTP 341 Index 345 ...

Page 14: ...14 Contents NN47922 501 ...

Page 15: ...4 Menu 11 2 2 remote node network layer options 64 Figure 15 Menu 11 2 3 remote node setup script 68 Figure 16 Menu 11 2 4 dial backup remote node filter 69 Figure 17 Menu 3 LAN setup 71 Figure 18 Menu 3 1 LAN port filter setup 72 Figure 19 Menu 3 TCP IP and DHCP setup 72 Figure 20 Figure 21 4 menu 3 2 TCP IP and DHCP Ethernet setup 73 Figure 21 Menu 3 2 1 IP Alias setup 76 Figure 22 Menu 4 intern...

Page 16: ... 111 Figure 42 Menu 15 1 255 SUA Address Mapping Rules 112 Figure 43 Menu 15 1 1 First Set 114 Figure 44 Menu 15 1 1 1 Editing or configuring an individual rule in a set 116 Figure 45 Menu 15 2 NAT Server Sets 118 Figure 46 15 2 1 NAT Server Configuration 119 Figure 47 Menu 15 2 NAT Server Setup 120 Figure 48 Multiple servers behind NAT example 121 Figure 49 NAT Example 1 121 Figure 50 Menu 4 Inte...

Page 17: ... Menu 23 4 System Security IEEE802 1x 162 Figure 80 Menu 24 System Maintenance 166 Figure 81 Menu 24 1 System Maintenance Status 167 Figure 82 Menu 24 1 System Maintenance Status 167 Figure 83 System Information and Console Port Speed 169 Figure 84 Menu 24 2 1 System Maintenance Information 170 Figure 85 Menu 24 2 2 System Maintenance Change Console Port Speed 171 Figure 86 Menu 24 3 System Mainte...

Page 18: ...y 204 Figure 114 Menu 24 System Maintenance 205 Figure 115 Menu 24 10 System Maintenance Time and Date Setting 206 Figure 116 Menu 24 11 Remote Management Control 210 Figure 117 Menu 26 Schedule Setup 213 Figure 118 Menu 26 1 Schedule Set Setup 214 Figure 119 Applying Schedule Sets to a Remote Node PPPoE 216 Figure 120 WIndows 95 98 Me network configuration 218 Figure 121 Windows 95 98 Me TCP IP p...

Page 19: ...re 149 Personal certificate import wizard 4 245 Figure 150 Personal certificate import wizard 5 246 Figure 151 Personal certificate import wizard 6 246 Figure 152 Access the Business Secure Router via HTTPS 247 Figure 153 SSL client authentication 247 Figure 154 Business Secure Router secure login screen 248 Figure 155 Single PC per Router Hardware Configuration 250 Figure 156 Business Secure Rout...

Page 20: ...20 Figures NN47922 501 Figure 168 SIP User Agent Server 339 Figure 169 SIP Proxy Server 340 Figure 170 SIP Redirect Server 341 Figure 171 Business Secure Router SIP ALG 343 ...

Page 21: ...fields 68 Table 13 DHCP Ethernet setup menu fields 73 Table 14 LAN TCP IP setup menu fields 75 Table 15 IP Alias setup menu field 76 Table 16 Menu 4 internet access setup menu fields 80 Table 17 New fields in menu 4 PPTP Screen 82 Table 18 New fields in menu 4 PPPoE screen 83 Table 19 Fields in menu 11 1 87 Table 20 Fields in Menu 11 1 PPPoE Encapsulation Specific 90 Table 21 Fields in Menu 11 1 P...

Page 22: ...formation 170 Table 43 System Maintenance Menu Syslog Parameters 172 Table 44 System Maintenance menu diagnostic 178 Table 45 Filename Conventions 180 Table 46 General commands for GUI based FTP clients 182 Table 47 General commands for GUI based TFTP clients 184 Table 48 Valid commands 201 Table 49 Budget management 203 Table 50 Call History Fields 204 Table 51 Time and Date Setting Fields 206 Ta...

Page 23: ...e 79 NetBIOS filter default settings 310 Table 80 System error logs 315 Table 81 System maintenance logs 315 Table 82 UPnP logs 316 Table 83 Content filtering logs 316 Table 84 Attack logs 317 Table 85 Access logs 319 Table 86 ACL setting notes 322 Table 87 ICMP notes 322 Table 88 Sys log 323 Table 89 Sample IKE key exchange logs 326 Table 90 Sample IPSec logs during packet transmission 328 Table ...

Page 24: ...24 Tables NN47922 501 ...

Page 25: ...and the SMT Text conventions This guide uses the following text conventions Note This guide explains how to use the System Management Terminal SMT or the command interpreter interface to configure your Business Secure Router See the basic manual for how to use the WebGUI to configure your Business Secure Router Not all features can be configured through all interfaces Enter means for you to type o...

Page 26: ...cal manuals and release notes free directly from the Internet Go to www nortel com documentation Find the product for which you need documentation Then locate the specific category and model or version for your hardware or software product Use Adobe Reader to open the manuals and release notes search for the sections you need and print them on most standard printers Go to Adobe Systems at www adob...

Page 27: ...ress Routing Code ERC 196 If you do not yet have a PIN Code or for general questions and first line support you can enter ERC 338 Web Site www nortel com cs Presales Support CSAN Telephone 1 800 4NORTEL 1 800 466 7835 Use Express Routing Code ERC 1063 EMEA Europe Middle East Africa Technical Support CTAS Telephone European Free phone 00800 800 89009 European Alternative Calls are not free from all...

Page 28: ...mt nortel com APAC Asia Pacific Service Business Centre Pre Sales Help Desk 61 2 8870 5511 Sydney Technical Support GNTS Telephone 612 8870 8800 Fax 612 8870 5569 E mail asia_support nortel com Australia 1 800 NORTEL 1 800 667 835 China 010 6510 7770 India 011 5154 2210 Indonesia 0018 036 1004 Japan 0120 332 533 Malaysia 1800 805 380 New Zealand 0800 449 716 ...

Page 29: ...ss Secure Router 222 Configuration Advanced Philippines 1800 1611 0063 Singapore 800 616 2004 South Korea 0079 8611 2001 Taiwan 0800 810 500 Thailand 001 800 611 3007 Service Business Centre Pre Sales Help Desk 61 2 8870 5511 ...

Page 30: ...30 Preface NN47922 501 ...

Page 31: ...Local Area Network LAN By integrating Network Address Translation NAT firewall and Virtual Private Network VPN capability the Business Secure Router is a complete security solution that protects your Intranet and efficiently manages data traffic on your network The embedded WebGUI assists in easy setup and management of the Business Secure Router via an Internet browser Features This section lists...

Page 32: ...terfaces automatically adjust to either a crossover or straight through Ethernet cable Autonegotiating 10 100 Mb s Ethernet WAN The 10 100 Mb s Ethernet WAN port attaches to the Internet via broadband modem or router and automatically detects if it is on a 10 or a 100 Mb s Ethernet Number of address mapping rules 10 Maximum number of VPN IP Policies 60 Maximum number of concurrent VPN IPSec Connec...

Page 33: ... is built into the rear panel Use this button to restart the Business Secure Router or restore the factory default password to PlsChgMe IP address to 192 168 1 1 subnet mask to 255 255 255 0 and DHCP server enabled with a pool of 126 IP addresses starting at 192 168 1 2 Nonphysical features IPSec VPN capability Establish Virtual Private Network VPN tunnels to connect home or office computers to yo...

Page 34: ...eb sessions Use HTTPS for secure WebGUI access to the Business Secure Router IEEE 802 1x for network security The Business Secure Router supports the IEEE 802 1x standard for user authentication With the local user profile in the Business Secure Router you can configure up 32 user profiles without a network authentication server In addition centralized user and accounting management is possible on...

Page 35: ...eb proxies The Business Secure Router can block specific URLs by using the keyword feature The administrator can also define time periods and days during which content filtering is enabled Packet filtering The packet filtering mechanism blocks unwanted traffic from entering or leaving your network Universal Plug and Play UPnP Using the standard TCP IP protocol the Business Secure Router and other ...

Page 36: ...or this service with a Dynamic DNS service provider IP Multicast The Business Secure Router can use IP multicast to deliver IP packets to a specific group of hosts IGMP Internet Group Management Protocol is the protocol used to support multicast groups The Business Secure Router supports versions 1 and 2 IP Alias Using IP Alias you can partition a physical network into logical networks over the sa...

Page 37: ...edirect forwards WAN traffic to a backup gateway when the Business Secure Router cannot connect to the Internet thus acting as an auxiliary backup when your regular WAN connection fails Port Forwarding Use this feature to forward incoming service requests to a server on your local network You can enter a single port number or a range of port numbers to be forwarded and the local IP address of the ...

Page 38: ...e port or over a Telnet connection Road Runner support In addition to standard cable modem services the Business Secure Router supports Time Warner s Road Runner Service Logging and tracing The Business Secure Router supports the following logging and tracing functions to help with management Built in message logging and packet tracing Unix syslog facility support Upgrade Business Secure Router Fi...

Page 39: ... 222 via Ethernet WAN port for broadband Internet access The Business Secure Router also provides IP address sharing and a firewall protected local network with traffic management VPN is an ideal cost effective way to connect branch offices and business partners over the Internet without the need and expense of leased lines between sites The LAN computers can share the VPN tunnels for secure conne...

Page 40: ...NN47922 301 for hardware connection instructions After installing your Nortel Business Secure Router 222 continue with the rest of this guide for configuration instructions Note To keep the Business Secure Router operating at optimal internal temperature keep the bottom sides and rear clear of obstructions and away from the exhaust of other equipment ...

Page 41: ... access the SMT System Management Terminal menus via the console port how to navigate the SMT and how to configure SMT menus Accessing the SMT via the console port Make sure you have the physical connection properly set up as described in the hardware installation chapter When configuring using the console port you need a computer equipped with communications software configured to the following p...

Page 42: ...sword PlsChgMe is the default and press ENTER As you type the password the screen displays an X for each character you type Note that if there is no activity for longer than five minutes after you log on your Business Secure Router will automatically log you off and display a blank screen If you see a blank screen press ENTER to bring up the logon screen again Navigating the SMT interface The SMT ...

Page 43: ...in a menu press ENTER to move to the next field You can also use the UP or DOWN arrow keys to move to the previous or the next fields respectively When you are at the top of a menu press the UP arrow key to move to the bottom of a menu Entering information Fill in or press SPACE BAR then press ENTER to select from choices There are two types of fields The first requires you to type in the appropri...

Page 44: ...ve information 2 WAN Setup Use this menu to clone a MAC address from a computer on your LAN and configure the backup WAN dial up connection 3 LAN Setup Use this menu to apply LAN filters configure LAN DHCP and TCP IP settings 4 Internet Access Setup Configure your Internet Access setup Internet address gateway IP address and logon with this menu 11 Remote Node Setup Use this menu to configure deta...

Page 45: ...password in the Retype to confirm field for confirmation and press ENTER Note that as you type a password the screen displays an asterisk for each character you type 22 SNMP Configuration Use this menu to configure SNMP related parameters 23 System Security Use this menu to change your password and enable network user authentication 24 System Maintenance From displaying system status to uploading ...

Page 46: ...46 Chapter 2 Introducing the SMT NN47922 501 SMT menus at a glance Figure 6 SMT overview ...

Page 47: ...enu to open Menu 1 general setup The Menu 1 General Setup screen appears as shown in Figure 7 Fill in the required fields Figure 7 menu 1 general setup Menu 1 General Setup System Name Business Secure Router Domain Name www nortel com First System DNS Server From ISP IP Address N A Second System DNS Server From ISP IP Address N A Third System DNS Server From ISP IP Address N A Edit Dynamic DNS No ...

Page 48: ...be up to 30 alphanumeric characters long Spaces dashes and underscores _ are accepted Business Secure Router Domain name Enter the domain name if you know it here If you leave this field blank the ISP assigns a domain name via DHCP You can go to menu 24 8 and type sys domain name to see the current domain name used by your router The domain name entered by you is given priority over the ISP assign...

Page 49: ... ISP changes to None after you save your changes If you select From ISP for the second or third DNS server but the ISP does not provide a second or third IP address From ISP changes to None after you save your changes Select User Defined if you have the IP address of a DNS server The IP address can be public or a private address on your local LAN Enter the DNS server s IP address in the field to t...

Page 50: ...ies must include the LAN IP address of the Business Secure Router as a local IP address and the IP address of the DNS server as a remote IP address A Private DNS entry with the IP address set to 0 0 0 0 changes to None after you click Apply A duplicate Private DNS entry changes to None after you save your changes Edit dynamic DNS Press SPACE BAR and then ENTER to select Yes or No default Select Ye...

Page 51: ...S service provider www dyndns org default Active Press SPACE BAR to select Yes and then press ENTER to make dynamic DNS active Yes DDNS Type Press SPACE BAR and then ENTER to select DynamicDNS if you have a dynamic IP address Select StaticDNS if you have a static IP address Select CustomDNS to have dyns org provide DNS service for a domain name that you already have from a source other than dyndns...

Page 52: ...ss When both fields are set to No the Business Secure Router must have a public WAN IP address in order for DDNS to work DDNS Server Auto Detect IP Address Press SPACE BAR to select Yes and then press ENTER to have the DDNS server automatically update the IP address of the host names with the public IP address that the Business Secure Router uses or is behind You can set this field to Yes whether ...

Page 53: ...es how to configure the WAN using menu 2 and dial backup using menus 2 1 and 11 1 Introduction to WAN and dial backup setup This chapter explains how to configure settings for your WAN port and how to configure the Business Secure Router for a dial backup connection WAN setup From the main menu enter 2 to open menu 2 ...

Page 54: ...le MAC Address Assigned By Press SPACE BAR and then ENTER to choose one of two methods to assign a MAC Address Choose Factory Default to select the factory assigned default MAC Address Choose IP address attached on LAN to use the MAC Address of that workstation whose IP you give in the following field IP address attached on LAN IP Address This field is applicable only if you choose the IP address ...

Page 55: ...e auxiliary port Dial Backup or CON AUX for use in the event that the regular WAN connection is dropped first make sure you have set up the switch and port connection see the Hardware Installation chapter then configure Menu 2 WAN Setup Menu 2 1 Advanced WAN Setup Menu 11 1 Remote Node Profile Backup ISP as shown in Figure 26 on page 87 Refer also to the traffic redirect section for information on...

Page 56: ...Toggle Table 7 Menu 2 dial backup setup Field Description Example Dial Backup Active Use this field to turn the dial backup feature on Yes or off No No Port Speed Press SPACE BAR and then press ENTER to select the speed of the connection between the Dial Backup port and the external device Available speeds are 9 600 19 200 38 400 57 600 115 200 or 230 400 b s 115200 AT Command String Init Enter th...

Page 57: ...dit Advanced Setup To edit the advanced setup for the Dial Backup port move the cursor to this field press the SPACE BAR to select Yes and then press ENTER to go to Menu 2 1 Advanced Setup Yes After you complete this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel Note Consult the manual of your WAN device connected to your Dial B...

Page 58: ...e a call atdt Drop Enter the AT Command string to drop a call represents a one second wait For example ath can be used if your modem has a slow response time ath Answer Enter the AT Command string to answer a call ata Drop DTR When Hang Up Press the SPACE BAR to choose either Yes or No When Yes is selected the default the DTR Data Terminal Ready signal is dropped after the AT Command String Drop i...

Page 59: ...ithin the timeout value 60 seconds Retry Count Enter a number of times for the Business Secure Router to retry a busy or no answer phone number before blacklisting the number 0 to disable the blacklist control Retry Interval sec Enter a number of seconds for the Business Secure Router to wait before trying another call after a call has failed This applies before a phone number is blacklisted Drop ...

Page 60: ...ions Edit Filter Sets No Idle Timeout sec 100 Press ENTER to Confirm or ESC to Cancel Press ENTER to Confirm or ESC to Cancel Table 9 Fields in menu 11 2 remote node profile Backup ISP Field Description Example Rem Node Name Enter a descriptive name for the remote node This field can be up to eight characters LAoffice Active Press SPACE BAR and then ENTER to select Yes to enable the remote node or...

Page 61: ...ield set to 0 0 0 0 default if the remote gateway has a dynamic IP address Enter the remote gateway s IP address here if it is static 0 0 0 0 default Edit IP This field leads to a hidden menu Press SPACE BAR to select Yes and press ENTER to go to Menu 11 2 2 Remote Node Network Layer Options See Editing TCP IP options on page 63 for more information No default Edit Script Options Press SPACE BAR t...

Page 62: ... connection act as a dial up connection No default Session Options Edit Filter sets This field leads to another hidden menu Use SPACE BAR to select Yes and press ENTER to open menu 11 2 4 to edit the filter sets See Remote node filter on page 69 for more details No default Idle Timeout Enter the number of seconds of idle time when there is no traffic from the Business Secure Router to the remote n...

Page 63: ...elect Yes Press ENTER to open Menu 11 2 2 Network Layer Options Menu 11 2 1 Remote Node PPP Options Encapsulation Standard PPP Compression No Enter here to CONFIRM or ESC to CANCEL Press Space Bar to Toggle Table 10 Remote node PPP options menu fields FIELD DESCRIPTION EXAMPLE Encapsulation Press SPACE BAR and then ENTER to select CISCO PPP if your Dial Backup WAN device uses Cisco PPP encapsulati...

Page 64: ...Static and enter the IP address subnet mask in the following fields Dynamic default Rem IP Address Leave this field set to 0 0 0 0 to have the ISP or other remote router dynamically automatically send its IP address if you do not know it Enter the remote gateway s IP address here if you know it static 0 0 0 0 default Rem Subnet Mask Leave this field set to 0 0 0 0 to have the ISP or other remote r...

Page 65: ...te s priority The smaller the number the higher priority the route has 15 default Private This parameter determines if the Business Secure Router includes the route to this remote node in its RIP broadcasts If set to Yes this route is kept private and not included in RIP broadcasts If No the route to this remote node is propagated to other hosts through RIP broadcasts No default RIP Direction Pres...

Page 66: ...ect string and your password as the Send string for the second prompt in set 2 You can use two variables USERNAME and PASSWORD all upper case to represent the actual username and password in the script so they do not show in clear text They are replaced with the outgoing login name and password in the remote node when the Business Secure Router sees them in a Send string Note that both variables m...

Page 67: ...Business Secure Router starts PPP prematurely right after sending your password to the server If there are errors in the script and it gets stuck at a set for longer than the Dial Timeout in menu 2 default 60 seconds the Business Secure Router times out and drops the line To debug a script go to Menu 24 4 to initiate a manual call and watch the trace display to see if the sequence of messages and ...

Page 68: ...nd Enter here to CONFIRM or ESC to CANCEL Press Space Bar to Toggle Table 12 Menu 11 2 3 remote node script menu fields Field Description Example Active Press SPACE BAR and then ENTER to select either Yes to enable the AT strings or No to disable them No default Set 1 6 Expect Enter an Expect string to match After matching the Expect string the Business Secure Router returns the string in the Send...

Page 69: ...the Business Secure Router to prevent certain packets from triggering calls You can specify up to four filter sets separated by commas for example 1 5 9 12 in each filter field Note that spaces are accepted in this field Refer to Chapter 11 Filter configuration on page 135 for more information about defining the filters Figure 16 Menu 11 2 4 dial backup remote node filter Menu 11 2 4 Remote Node F...

Page 70: ...70 Chapter 3 WAN and Dial Backup Setup NN47922 501 ...

Page 71: ...ections Accessing the LAN menus From the main menu enter 3 to open Menu 3 LAN setup Figure 17 Menu 3 LAN setup LAN port filter setup With Menu 3 you can specify the filter sets that you wish to apply to the LAN traffic You seldom need to filter the LAN traffic however the filter sets are useful to block certain packets reduce traffic and prevent security breaches Menu 3 LAN Setup 1 LAN Port Filter...

Page 72: ... and DHCP setup From menu 3 select the submenu option TCP IP and DHCP Setup and press ENTER The screen now displays Menu 3 2 TCP IP and DHCP Ethernet Setup as shown in Figure 20 Menu 3 1 LAN Port Filter Setup Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Press ENTER to Confirm or ESC to Cancel Menu 3 LAN Setup 1 LAN Port Filter Setup 2 TCP IP ...

Page 73: ...ection None IP Address N A Version N A Second DNS Server From ISP Multicast None IP Address N A Edit IP Alias No Third DNS Server From ISP IP Address N A DHCP Server Address N A Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Table 13 DHCP Ethernet setup menu fields Field Description Example DHCP This field enables and disables the DHCP server If set to Server your Business Secur...

Page 74: ...but leave the IP address set to 0 0 0 0 User Defined changes to None after you save your changes If you set a second choice to User Defined and enter the same IP address the second User Defined changes to None after you save your changes Select DNS Relay to have the Business Secure Router act as a DNS proxy The Business Secure Router s LAN IP address displays in the IP Address field below read onl...

Page 75: ... Unless you are implementing subnetting use the subnet mask computed by the Business Secure Router 255 255 255 0 RIP Direction Press SPACE BAR and then ENTER to select the RIP direction Options are Both In Only Out Only or None Both default Version Press SPACE BAR and then ENTER to select the RIP version Options are RIP 1 RIP 2B or RIP 2M RIP 1 default Multicast IGMP Internet Group Multicast Proto...

Page 76: ...tocol filters N A Outgoing protocol filters N A Enter here to CONFIRM or ESC to CANCEL Press Space Bar to Toggle Table 15 IP Alias setup menu field Field Description Example IP Alias Choose Yes to configure the LAN network for the Business Secure Router Yes IP Address Enter the IP address of your Business Secure Router in dotted decimal notation 192 168 1 1 IP Subnet Mask Your Business Secure Rout...

Page 77: ... and then ENTER to select the RIP version Options are RIP 1 RIP 2B or RIP 2M RIP 1 Incoming Protocol Filters Enter the filter sets you wish to apply to the incoming traffic between this node and the Business Secure Router 1 Outgoing Protocol Filters Enter the filter sets you wish to apply to the outgoing traffic between this node and the Business Secure Router 2 Table 15 IP Alias setup menu field ...

Page 78: ...78 Chapter 4 LAN setup NN47922 501 ...

Page 79: ...ss setup Use the information from your ISP along with the instructions in this chapter to set up your Business Secure Router to access the Internet There are three different menu 4 screens depending on whether you chose Ethernet PPTP or PPPoE Encapsulation Contact your ISP to determine which encapsulation type you should use Ethernet encapsulation If you choose Ethernet in menu 4 you will see Figu...

Page 80: ...r Internet Service Provider e g myISP This information is for identification purposes only Encapsulation Press SPACE BAR and then press ENTER to choose Ethernet The encapsulation method influences your choices for the IP Address field Service Type Press SPACE BAR and then ENTER to select Standard RR Toshiba Road Runner Toshiba authentication method RR Manager Road Runner Manager authentication met...

Page 81: ...ed with your static IP Gateway IP Address Enter the gateway IP address associated with your static IP Network Address Translation With the NAT you can translate an Internet protocol address used within one network for example a private IP address used in a local network to a different IP address known within another network for example a public IP address used on the Internet Choose None to disabl...

Page 82: ...ation about PPPoE see Appendix E PPPoE on page 253 Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation PPTP Service Type N A My Login username My Password Retype to Confirm Idle Timeout 100 IP Address Assignment Dynamic IP Address N A IP Subnet Mask N A Gateway IP Address N A Network Address Translation SUA Only Press ENTER to Confirm or ESC to Cancel Table 17 New fields in menu 4 PPTP ...

Page 83: ...gin My Password Retype to Confirm Idle Timeout 100 IP Address Assignment Dynamic IP Address N A IP Subnet Mask N A Gateway IP Address N A Network Address Translation Full Feature Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Table 18 New fields in menu 4 PPPoE screen Field Description Example Encapsulation Press SPACE BAR and then press ENTER to choose PPPoE The encapsulation m...

Page 84: ...Secure Router embedded WebGUI You can also define additional firewall rules or modify existing ones but exercise extreme caution in doing so See the chapters on firewalls in Nortel Business Secure Router 222 Configuration Basics NN47922 500 for more information on the firewall Note When the firewall is activated the default policy can communicate to the Internet if the communication originates fro...

Page 85: ...hen you use menu 4 to set up Internet access you are actually configuring a remote node The following describes how to configure Menu 11 1 Remote Node Profile Menu 11 1 2 Remote Node Network Layer Options and Menu 11 1 4 Remote Node Filter Remote Node setup From the main menu select menu option 11 to open Menu 11 Remote Node Setup Figure 25 Enter 1 to open Menu 11 1 Remote Node Profile and configu...

Page 86: ... Encapsulation There are two variations of menu 11 1 depending on whether you choose Ethernet Encapsulation or PPPoE Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet The first menu 11 1 screen you see is for Ethernet encapsulation shown in Figure 26 Menu 11 Remote Node Setup 1 ChangeMe ISP SUA 2 GUI BACKUP_ISP SUA Enter Node to Edit ...

Page 87: ...ress Space Bar to Toggle Table 19 Fields in menu 11 1 Field Description Example Rem Node Name Enter a descriptive name for the remote node This field can be up to eight characters LAoffice Active Press SPACE BAR and then ENTER to select Yes activate remote node or No deactivate remote node Yes Encapsulation Ethernet is the default encapsulation Press SPACE BAR and then ENTER to change to PPPoE or ...

Page 88: ...e Router calls this remote node Valid for PPPoE encapsulation only Retype to Confirm Type your password again to make sure that you have entered it correctly Server IP This field is valid only when Road Runner is selected in the Service Type field The Business Secure Router finds the Road Runner Server IP automatically if this field is left blank If it does not then you must enter the authenticati...

Page 89: ...tiated protocol is stronger than specified If you encounter a case where the peer disconnects right after a successful authentication make sure that you specify the correct authentication protocol when connecting to such an implementation Menu 11 1 Remote Node Profile Rem Node Name ChangeMe Route IP Active Yes Encapsulation PPPoE Edit IP No Service Type Standard Telco Option Service Name Allocated...

Page 90: ...e Router accepts either CHAP or PAP when requested by this remote node CHAP accept CHAP only PAP accept PAP only CHAP PAP Telco Option Allocated Budget The field sets a ceiling for outgoing call time for this remote node The default for this field is 0 meaning no budget control 0 default Period hr This field is the time period in which the budget is reset For example if we are allowed to call this...

Page 91: ...Retype to Confirm Authen CHAP PAP PPTP Session Options My IP Addr Edit Filter Sets No My IP Mask Idle Timeout sec 100 Server IP Addr Connection ID Name Edit Traffic Redirect No Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Table 21 shows how to configure fields in menu 11 1 not previously discussed Table 21 Fields in Menu 11 1 PPTP Encapsulation Field Description Example Encaps...

Page 92: ...or connection name in the ANT It must follow the c id and n name format This field is optional and depends on the requirements of your DSL modem N My ISP Schedules You can apply up to four call schedule sets here Nailed Up Connections Press SPACE BAR and then ENTER to select Yes if you want to make the connection to this remote node a nailed up connection No Table 21 Fields in Menu 11 1 PPTP Encap...

Page 93: ... A Network Address Translation SUA Only Metric N A Private N A RIP Direction None Version N A Multicast None Enter here to CONFIRM or ESC to CANCEL Press Space Bar to Toggle Table 22 Remote Node Network Layer Options Menu Fields Field Description Example IP Address Assignment If your ISP did not assign you an explicit IP address press SPACE BAR and then ENTER to select Dynamic otherwise select Sta...

Page 94: ...ingle User Account is a subset of NAT that supports two types of mapping Many to One and Server Choose Full Feature if you have multiple public IP addresses Full Feature mapping types include One to One Many to One SUA PAT Many to Many Overload Many One to One and Server When you select Full Feature you must configure at least one address mapping set See Chapter 9 Network Address Translation NAT f...

Page 95: ... refer to Chapter 11 Filter configuration on page 135 For PPPoE or PPTP encapsulation you have the additional option of specifying remote node call filter sets Version Press SPACE BAR and then ENTER to select the RIP version from RIP 1 RIP 2B RIP 2M or None N A Multicast IGMP Internet Group Multicast Protocol is a network layer protocol used to establish membership in a Multicast group The Busines...

Page 96: ... to display Menu 11 1 Remote Node Profile as shown in Figure 32 Menu 11 1 4 Remote Node Filter Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Enter here to CONFIRM or ESC to CANCEL Menu 11 1 4 Remote Node Filter Input Filter Sets protocol filters Device filters Output Filter Sets protocol filters device filters Call Filter Sets protocol filters...

Page 97: ...s Service Name N A Edit Filter Sets No Outgoing My Login N A My Password N A Edit Traffic Redirect No Retype to Confirm N A Server N A Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Table 23 Menu 11 1 Remote Node profile Traffic Redirect Field Field Description Example Edit Traffic Redirect Press SPACE BAR to select Yes or No Select No default if you do not want to configure thi...

Page 98: ...c 5 Timeout sec 3 Press ENTER to Confirm or ESC to Cancel Table 24 Menu 11 1 5 Traffic Redirect setup Field Description Example Active Press SPACE BAR and select Yes to enable or No to disable traffic redirect setup The default is No Yes Configuration Backup Gateway IP Address Enter the IP address of your backup gateway in dotted decimal notation The Business Secure Router automatically forwards t...

Page 99: ...affic is forwarded to the backup gateway A good number is 2 to 5 seconds 3 Period sec Enter the time interval in seconds between WAN connection checks A good number is 5 to 60 seconds 5 Timeout sec Enter the number of seconds the Business Secure Router waits for a ping response from the IP Address in the Check WAN IP Address field before it times out The number in this field should be less than th...

Page 100: ...100 Chapter 6 Remote Node setup NN47922 501 ...

Page 101: ... main menu Select one of the IP static routes as shown in Figure 34 to configure IP static routes in menu 12 1 Figure 34 Menu 12 IP Static Route Setup Note The Reserved static route entry is for the default WAN route You cannot modify or delete a static default route Menu 12 IP Static Route Setup 1 Reserved 2 ________ 3 ________ 4 ________ 5 ________ 6 ________ 7 ________ 8 ________ 9 ________ 10 ...

Page 102: ...is is for identification purposes only Active This field allows you to activate or deactivate this static route Destination IP Address This parameter specifies the IP network address of the final destination Routing is always based on network number If you need to specify a route to a single host use a subnet mask of 255 255 255 255 in the subnet mask field to force the network number to be identi...

Page 103: ...s parameter determines if the Business Secure Router includes the route to this remote node in its RIP broadcasts If set to Yes this route is kept private and not included in RIP broadcast If No the route to this remote node is propagated to other hosts through RIP broadcasts After you complete filling in this menu press ENTER at the message Press ENTER to Confirm to save your configuration or pre...

Page 104: ...104 Chapter 7 IP Static Route Setup NN47922 501 ...

Page 105: ... Router From the main menu enter 14 to display Menu 14 Dial in User Setup Figure 36 Menu 14 Dial in User Setup Type a number and press ENTER to edit the user profile Menu 14 Dial in User Setup 1 ________ 9 ________ 17 ________ 25 ________ 2 ________ 10 ________ 18 ________ 26 ________ 3 ________ 11 ________ 19 ________ 27 ________ 4 ________ 12 ________ 20 ________ 28 ________ 5 ________ 13 ______...

Page 106: ... 1 Edit Dial in User Field Description User Name Enter a username up to 31 alphanumeric characters long for this user profile This field is case sensitive Active Press SPACE BAR to select Yes and press ENTER to enable the user profile Password Enter a password up to 31 characters long for this user profile After you complete this menu press ENTER at the prompt Press ENTER to confirm or ESC to canc...

Page 107: ...Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types Applying NAT You apply NAT via menus 4 or 11 1 2 Figure 39 on page 109 Figure 38 shows you how to apply NAT for Internet access in menu 4 Enter 4 from the main menu to go to Menu 4 Internet Access Setup Note You must create a firewall rule in addition to setting up SUA NAT...

Page 108: ...o select Yes and then press ENTER to bring up Menu 11 1 2 Remote Node Network Layer Options Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation Ethernet Service Type Standard My Login N A My Password N A Retype to Confirm N A Login Server N A IP Address Assignment Dynamic IP Address N A IP Subnet Mask N A Gateway IP Address N A Network Address Translation SUA Only Press ENTER to Confirm...

Page 109: ...NCEL Table 27 Applying NAT in Menus 4 11 1 2 Field Description Options Network Address Translation When you select this option the SMT uses Address Mapping Set 1 menu 15 1 Address Mapping Sets on page 110 for further discussion Choose Full Feature if you have multiple public WAN IP addresses for your Business Secure Router When you select Full Feature you must configure at least one address mappin...

Page 110: ...hen you select SUA Only the SMT uses the pre configured Set 255 read only The server set is a list of LAN servers mapped to external ports To use this set a server rule must be set up inside the NAT address mapping set To configure NAT enter 15 from the main menu to bring up the screen shown in Figure 40 Figure 40 Menu 15 NAT Setup Address Mapping Sets Enter 1 to bring up Menu 15 1 Address Mapping...

Page 111: ...nced Figure 41 Menu 15 1 Address Mapping Sets SUA Address Mapping Set Enter 255 to display the screen shown in Figure 42 see SUA Single User Account Versus NAT on page 107 The fields in this menu cannot be changed Menu 15 1 Address Mapping Sets 1 NAT_SET 255 SUA read only Enter Menu Selection Number ...

Page 112: ...bal End IP Type 1 0 0 0 0 255 255 255 255 0 0 0 0 M 1 2 0 0 0 0 Server 3 4 5 6 7 8 9 10 Press ENTER to Confirm or ESC to Cancel Note Menu 15 1 255 is read only Table 28 SUA Address Mapping Rules Field Description Example Set Name This is the name of the set you selected in menu 15 1 or enter the name of a new set you want to create SUA Idx This is the index or rule number 1 Local Start IP Local St...

Page 113: ...s 0 0 0 0 and the end IP is 255 255 255 255 255 255 255 255 Global Start IP This is the starting global IP address IGA If you have a dynamic IP enter 0 0 0 0 as the Global Start IP 0 0 0 0 Global End IP This is the ending global IP address IGA Type These are the mapping types discussed above With Server you can specify multiple servers of different types behind NAT to this machine Examples is foun...

Page 114: ...e remaining rules are ignored If there are any empty rules before your new configured rule your configured rule is pushed up by that number of empty rules For example if you Menu 15 1 1 Address Mapping Rules Set Name NAT_SET Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 2 3 4 5 6 7 8 9 10 Action Edit Select Rule Press ENTER to Confirm or ESC to Cancel Note The Type Local and...

Page 115: ...rules This is a required field If this field is left blank the entire set is deleted NAT_SET Action The default is Edit Edit means you want to edit a selected rule see following field Insert Before means to insert a rule before the rule selected The rules after the selected rule are then moved down by one rule Delete means to delete the selected rule and all the rules after the selected one advanc...

Page 116: ... Type Press SPACE BAR and then ENTER to select from a total of five types If you choose Server you can specify multiple servers of different types behind NAT to this computer See Example 3 Multiple public IP addresses with inside servers on page 124 for an example One to On e Local IP Start Only local IP fields are N A for server Global IP fields must be set for Server Enter the starting local IP ...

Page 117: ...p 2 Enter 2 to go to Menu 15 2 NAT Server Setup Global IP Start Enter the starting global IP address IGA If you have a dynamic IP enter 0 0 0 0 as the Global IP Start Note that Global IP Start can be set to 0 0 0 0 only if the types are Many to One or Server 0 0 0 0 End Enter the ending global IP address IGA This field is N A for One to One Many to One and Server types N A After you finish configu...

Page 118: ... press ENTER to open Menu 15 2 1 NAT Server Configuration see the next figure Menu 15 2 NAT Server Setup Default Server 0 0 0 0 Rule Act Start Port End Port IP Address 001 No 0 0 0 0 0 0 002 No 0 0 0 0 0 0 003 No 0 0 0 0 0 0 004 No 0 0 0 0 0 0 005 No 0 0 0 0 0 0 006 No 0 0 0 0 0 0 007 No 0 0 0 0 0 0 008 No 0 0 0 0 0 0 009 No 0 0 0 0 0 0 010 No 0 0 0 0 0 0 Select Command None Select Rule N A Press ...

Page 119: ...ed in the End Port field Table 31 15 2 1 NAT Server Configuration Field Description Index This is the index number of an individual port forwarding server entry Name Enter a name to identify this port forwarding rule Active Press SPACE BAR and then ENTER to select Yes to enable the NAT server entry Start Port Enter a port number in the Start Port field To forward only one port enter it again in th...

Page 120: ...ess ESC at any time to cancel Figure 47 Menu 15 2 NAT Server Setup You assign the private network IP addresses The NAT network appears as a single host on the Internet A is the FTP Telnet SMTP server Menu 15 2 NAT Server Setup Default Server 0 0 0 0 Rule Act Start Port End Port IP Address 001 No 0 0 0 0 0 0 002 Yes 21 25 192 168 1 33 003 No 0 0 0 0 0 0 004 No 0 0 0 0 0 0 005 No 0 0 0 0 0 0 006 No ...

Page 121: ...e General NAT examples The following are some examples of NAT configuration Internet access only In the Internet access example shown in Figure 49 you only need one rule where all your ILAs Inside Local addresses map to one dynamic IGA Inside Global Address assigned by your ISP Figure 49 NAT Example 1 Business Secure Router Business Secure Router ...

Page 122: ...xamples on page 121 The SUA Only read only option from the Network Address Translation field in menus 4 and 11 1 2 is specifically preconfigured to handle this case Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation Ethernet Service Type Standard My Login N A My Password N A Login Server IP N A IP Address Assignment Dynamic IP Address N A IP Subnet Mask N A Gateway IP Address N A Netwo...

Page 123: ...n Advanced Example 2 Internet access with an inside server Figure 51 NAT Example 2 In this case you do exactly as shown in Figure 51 use the convenient pre configured SUA Only set and also go to menu 15 2 to specify the Inside Server behind the NAT as shown in Figure 52 Business Secure Router ...

Page 124: ...the first inside FTP server for FTP traffic in both directions 1 1 mapping giving both local and global IP addresses 2 Map the second IGA to the second internal FTP server for FTP traffic in both directions 1 1 mapping giving both local and global IP addresses 3 Map the other outgoing LAN traffic to IGA3 Many 1 mapping 4 You also map your third IGA to the web server and mail server on the LAN If y...

Page 125: ... 54 2 Enter 15 from the main menu 3 Enter 1 to configure the Address Mapping Sets 4 Enter 1 to begin configuring this new set Enter a Set Name choose the Edit Action and then enter 1 for the Select Rule field Press ENTER to confirm 5 Select Type as One to One direct mapping for packets going both ways and enter the local Start IP as 192 168 1 10 the IP address of FTP Server 1 the global Start IP a...

Page 126: ...shows how to configure the first rule Menu 11 1 2 Remote Node Network Layer Options IP Address Assignment Dynamic IP Address N A IP Subnet Mask N A Gateway IP Addr N A Network Address Translation Full Feature Metric N A Private N A RIP Direction None Version N A Enter here to CONFIRM or ESC to CANCEL ...

Page 127: ...tel Business Secure Router 222 Configuration Advanced Figure 55 Example 3 Menu 15 1 1 1 Menu 15 1 1 1 Address Mapping Rule Type One to One Local IP Start 192 168 1 10 End N A Global IP Start 10 132 50 1 End N A Press ENTER to Confirm or ESC to Cancel ...

Page 128: ...15 from the main menu 9 Now enter 2 from this menu and configure it as shown in Example 3 Menu 15 2 Menu 15 1 1 Address Mapping Rules Set Name Example3 Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 192 168 1 10 10 132 50 1 1 1 2 192 168 1 11 10 132 50 2 1 1 3 0 0 0 0 255 255 255 255 10 132 50 3 M 1 4 10 132 50 3 Server 5 6 7 8 9 10 Action Edit Select Rule ...

Page 129: ...re 58 Menu 15 2 NAT Server Setup Default Server 0 0 0 0 Rule Act Start Port End Port IP Address 001 Yes 80 80 192 168 1 21 002 Yes 25 25 192 168 1 20 003 No 0 0 0 0 0 0 004 No 0 0 0 0 0 0 005 No 0 0 0 0 0 0 006 No 0 0 0 0 0 0 007 No 0 0 0 0 0 0 008 No 0 0 0 0 0 0 009 No 0 0 0 0 0 0 010 No 0 0 0 0 0 0 Select Command None Select Rule N A Press ENTER to Confirm or ESC to Cancel Note Only one LAN comp...

Page 130: ...l Table 32 Menu 15 3 Trigger Port setup description Field Description Example Rule This is the rule index number 1 Name Enter a unique name for identification purposes You can enter up to 15 characters in this field All characters are permitted including spaces Real Audio Incoming Incoming is a port or a range of ports that a server on the WAN uses when it sends out a particular service The Busine...

Page 131: ...siness Secure Router to record the IP address of the LAN computer that sent the traffic to a server on the WAN Start Port Enter a port number or the starting port number in a range of port numbers 7070 End Port Enter a port number or the ending port number in a range of port numbers 7070 Press ENTER at the message Press ENTER to Confirm to save your configuration or press ESC at any time to cancel...

Page 132: ...132 Chapter 9 Network Address Translation NAT NN47922 501 ...

Page 133: ...he screen shown in Figure 59 Figure 59 Menu 21 Filter and Firewall Setup Activating the firewall Enter option 2 in this menu to bring up the screen shown in Figure 60 Press SPACE BAR and then ENTER to select Yes in the Active field to activate the firewall The firewall must be active to protect against Denial of Service DoS attacks Use the WebGUI to configure firewall rules Menu 21 Filter and Fire...

Page 134: ... vulnerable to attacks when the firewall is turned off Refer to the User s Guide for details about the firewall default policies You may define additional Policy rules or modify existing ones but please exercise extreme caution in doing so Active Yes You can use the WebGUI to configure the firewall Press ENTER to Confirm or ESC to Cancel Note Configure the firewall rules using the WebGUI or CLI co...

Page 135: ...are subdivided into device and protocol filters Data filtering screens the data to determine if the packet is allowed to pass Data filters are divided into incoming and outgoing filters depending on the direction of the packet relative to a port Data filtering can be applied on either the WAN side or the LAN side Call filtering is used to determine if a packet is allowed to trigger a call Remote n...

Page 136: ...h filter set having up to six rules you can have a maximum of 24 rules active for a single port Sets of factory default filter rules are configured in menu 21 to prevent NetBIOS traffic from triggering calls and to prevent incoming Telnet sessions A summary of their filter rules is shown in the figures that follow Figure 62 illustrates the logic flow when executing a filter rule Also see Figure 66...

Page 137: ...pes of packets With each filter set having up to six rules you can have a maximum of 24 rules active for a single port Start Fetch First Filter Set Fetch First Filter Rule Active Execute Filter Rule Fetch Next Filter Rule Next filter Rule Available Fetch Next Filter Set Next Filter Set Available Accept Packet Drop Packet Yes No Yes No Yes Packet into filter Filter Set Forward Drop No Check Next Ru...

Page 138: ...includes filtering for NetBIOS over TCP IP packets by default To configure another filter set follow the procedure below 1 Enter 21 in the main menu to open menu 21 Figure 63 Menu 21 Filter and Firewall Setup Menu 21 Filter and Firewall Setup 1 Filter Setup 2 Firewall Setup Enter Menu Selection Number ...

Page 139: ...ilter Rules Summary The screen shown in Figure 65 shows the summary of the existing rules in the filter set Table 33 and Table 34 contain a brief description of the abbreviations used in the previous menus Menu 21 1 Filter Set Configuration Filter Filter Set Comments Set Comments 1 _______________ 7 _______________ 2 _______________ 8 _______________ 3 _______________ 9 _______________ 4 _________...

Page 140: ...ain is complete N means there are no more rules to check You can specify an action to be taken for example forward the packet drop the packet or check the next rule For the latter the next rule is independent of the rule just checked m Action Matched F means to forward the packet immediately and skip checking the remaining rules D means to drop the packet N means to check the next rule n Action No...

Page 141: ...u create When applying the filter sets to a port separate menu fields are provided for protocol and device filter sets If you include a protocol filter set in a device filter field or vice versa the Business Secure Router warns you and prevents you from saving Configuring a TCP IP Filter Rule This section shows you how to configure a TCP IP filter rule Using TCP IP rules you can base the rule on t...

Page 142: ...ess ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Table 35 TCP IP Filter Rule Menu fields Field Description Options Active Press SPACE BAR and then ENTER to select Yes to activate the filter rule or No to deactivate it Yes No IP Protocol Protocol refers to the upper layer protocol for example TCP is 6 UDP is 17 and ICMP is 1 Type a value between 0 and 255 A value of 0 matches ANY pro...

Page 143: ...Enter the IP mask to apply to the Source IP Addr 0 0 0 0 Port Enter the source port of the packets that you wish to filter The range of this field is 0 to 65 535 This field is ignored if it is 0 0 65535 Port Comp Press SPACE BAR and then ENTER to select the comparison to apply to the source port in the packet against the value given in Source Port None Less Greater Equal Not Equal TCP Estab This f...

Page 144: ... logged None Action Matched Action Not Matched Both Action Matched Press SPACE BAR and then ENTER to select the action for a matching packet Check Next Rule Forward Drop Action Not Matched Press SPACE BAR and then ENTER to select the action for a packet not matching the rule Check Next Rule Forward Drop After you configure Menu 21 1 1 1 TCP IP Filter Rule press ENTER at the message Press ENTER to ...

Page 145: ...es Action Matched Action Not Matched More No Filter Active Check IP Protocol Drop Drop Packet Accept Packet Drop Forward Check Next Rule Check Next Rule Check Next Rule Forward Not Matched Yes No Check Src IP Addr Apply SrcAddrMask to Src Addr Matched Check Dest IP Addr Apply DestAddrMask to Dest Addr Not Matched Not Matched Check Src Dest Port Matched Not Matched ...

Page 146: ...ta portion before comparing the result against the Value to determine a match The Mask and Value are specified in hexadecimal numbers Note that it takes two hexadecimal digits to represent a byte so if the length is 4 the value in either field will take 8 digits for example FFFFFFFF To configure a generic rule select Generic Filter Rule in the Filter Type field in menu 21 1 4 1 and press ENTER to ...

Page 147: ...ish to compare The range for this field is from 0 to 255 0 255 Length Enter the byte count of the data portion in the packet that you wish to compare The range for this field is 0 to 8 0 8 Mask Enter the mask in Hexadecimal notation to apply to the data portion before comparison Value Enter the value in Hexadecimal notation to compare with the data portion More If Yes a matching packet is passed t...

Page 148: ...u 21 Filter and Firewall Setup 2 Enter 1 to open Menu 21 1 Filter Set Configuration Action Not Matched Select the action for a packet not matching the rule Check Next Rule Forward Drop After you complete filling in Menu 21 1 1 1 Generic Filter Rule press ENTER at the message Press ENTER to Confirm to save your configuration or press ESC to cancel This data is now be displayed on Menu 21 1 1 Filter...

Page 149: ...s only one filter rule in this set The screen shows you that you have configured and activated A Y a TCP IP filter rule Type IP Pr 6 for destination Telnet ports DP 23 M N means an action can be taken immediately The action is to drop the packet m D if the action is matched and to forward the packet immediately n F if the action is not matched whether or not there are more rules to be checked ther...

Page 150: ...Node Profile 3 Go to the Edit Filter Sets field press SPACE BAR to select Yes and press ENTER 4 This brings you to menu 11 1 4 Apply a filter set our example is filter set 3 as shown in Figure 73 5 After you enter the set numbers press ENTER to confirm and leave menu 11 1 4 Menu 21 1 3 Filter Rules Summary A Type Filter Rules M m n 1 Y IP Pr 6 SA 0 0 0 0 DA 0 0 0 0 DP 23 N D F 2 N 3 N 4 N 5 N 6 N ...

Page 151: ...now the exact address and port on the wire Therefore the Business Secure Router applies the protocol filters to the native IP address and port number before NAT for outgoing packets and after NAT for incoming packets On the other hand the generic or device filters are applied to the raw packets that appear on the wire They are applied at the point when the Business Secure Router is receiving and s...

Page 152: ... can choose up to four filter sets from twelve by entering their numbers separated by commas for example 3 4 6 11 Input filter sets filter incoming traffic to the Business Secure Router and output filter sets filter outgoing traffic from the Business Secure Router For PPPoE or PPTP encapsulation you have the additional option of specifying remote node call filter sets Figure 72 Filtering LAN Traff...

Page 153: ... as appropriate You can cascade up to four filter sets by entering their numbers separated by commas The Business Secure Router already has filters to prevent NetBIOS traffic from triggering calls and to block incoming Telnet FTP and HTTP connections Figure 73 Filtering Remote Node Traffic Menu 11 1 4 Remote Node Filter Setup Input Filter Sets protocol filters device filters Output Filter Sets pro...

Page 154: ...154 Chapter 11 Filter configuration NN47922 501 ...

Page 155: ... menu to display Menu 22 SNMP Configuration as shown next The community for Get Set and Trap fields is SNMP terminology for password Figure 74 Menu 22 SNMP Configuration Note SNMP is only available if TCP IP is configured Menu 22 SNMP Configuration SNMP Get Community PlsChgMe RO Set Community PlsChgMe RW Trusted Host 0 0 0 0 Trap Community Destination 0 0 0 0 Press ENTER to Confirm or ESC to Cance...

Page 156: ...m this address A blank default field means your Business Secure Router will respond to all SNMP messages it receives regardless of source 0 0 0 0 Trap Community Type the Trap community which is the password sent with each trap to the SNMP manager Public Destination Type the IP address of the station to send your SNMP traps to 0 0 0 0 After you complete this menu press ENTER at the prompt Press ENT...

Page 157: ...n the system is going to restart warm start 6a For intentional reboot A trap is sent with the message System reboot by user if reboot is done intentionally for example download new files CI command sys reboot and others 6b For fatal error A trap is sent with the message of the fatal code if the system reboots because of fatal errors Table 38 SNMP Traps Trap Trap Name Description ...

Page 158: ...158 Chapter 12 SNMP Configuration NN47922 501 ...

Page 159: ...rver and 802 1x in this menu System password Figure 75 Menu 23 System security Nortel recommends you change the default password If you forget your password you have to restore the default configuration file For more information see Restoring the factory default configuration settings in Nortel Business Secure Router 222 Configuration Basics NN47922 500 Menu 23 System Security 1 Change Password 2 ...

Page 160: ...ystem Security RADIUS Server as shown in Figure 77 Figure 77 Menu 23 2 System Security RADIUS server Menu 23 System Security 1 Change Password 2 RADIUS Server 4 IEEE802 1x Enter Menu Selection Number Menu 23 2 System Security RADIUS Server Authentication Server Active No Server Address 0 0 0 0 Port 1812 Shared Secret Accounting Server Active No Server Address 0 0 0 0 Port 1813 Shared Secret Press ...

Page 161: ...y is not sent over the network This key must be the same on the external authentication server and Business Secure Router Accounting Server Active Press SPACE BAR to select Yes and press ENTER to enable user authentication through an external accounting server Server Address Enter the IP address of the external accounting server in dotted decimal notation Port The default port of the RADIUS server...

Page 162: ...23 System Security Figure 78 Menu 23 System Security 2 Enter 4 to display Menu 23 4 System Security IEEE802 1x Figure 79 Menu 23 4 System Security IEEE802 1x Menu 23 System Security 1 Change Password 2 RADIUS Server 4 IEEE802 1x Enter Menu Selection Number Menu 23 4 System Security IEEE802 1x Port Control Authentication Required ReAuthentication Timer in second 1800 Idle Timeout in second 3600 Aut...

Page 163: ...owing fields are not available when you select No Authentication Required or No Access Allowed ReAuthentication Timer in second Specify how often a client has to reenter the username and password to stay connected to the network This field is activated only when you select Authentication Required in the Port Control field Enter a time interval between 10 and 9 999 in seconds The default time inter...

Page 164: ...pecified RADIUS server for a user s username and password Select Local first then RADIUS to have the Business Secure Router first check the user database on the Business Secure Router for a user s username and password If the user name is not found the Business Secure Router then checks the user database on the specified RADIUS server Select RADIUS first then Local to have the Business Secure Rout...

Page 165: ... SMT menus 24 1 to 24 4 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your Business Secure Router These tools include updates on system status port status and log and trace capabilities Select menu 24 in the main menu to open Menu 24 System Maintenance as shown in Figure 80 ...

Page 166: ...sent and number of packets received To get to the System Status 1 Enter number 24 to go to Menu 24 System Maintenance 2 In this menu enter 1 to open System Maintenance Status 3 There are three commands in Menu 24 1 System Maintenance Status Entering 1 drops the WAN connection 9 resets the counters and ESC takes you back to the previous screen Menu 24 System Maintenance 1 System Status 2 System Inf...

Page 167: ... IP Address IP Mask DHCP WAN 00 13 49 00 00 02 0 0 0 0 0 0 0 0 Client LAN 00 13 49 00 00 01 192 168 1 1 255 255 255 0 Server System up Time 0 00 15 Name Routing IP RAS F W Version VBSR222_2 6 0 0 003b1 07 19 2006 Press Command COMMANDS 1 Drop WAN 9 Reset Counters ESC Exit Table 41 System Maintenance Status Menu Fields Field Description Port Identifies a port WAN or LAN on the Business Secure Route...

Page 168: ...ddress of the port listed on the left IP Address The IP address of the port listed on the left IP Mask The IP mask of the port listed on the left DHCP The DHCP setting of the port listed on the left System up Time The total time the Business Secure Router has been on RAS F W Version The release of firmware currently on the Business Secure Router and the date the release was created Name This is th...

Page 169: ...d Console Port Speed System Information System Information gives you information about your system as shown in Figure 84 More specifically it gives you information on your routing protocol Ethernet address and IP address Menu 24 2 System Information and Console Port Speed 1 System Information 2 Console Port Speed Please enter selection ...

Page 170: ...outer system name domain name assigned in menu 1 For example System Name xxx Domain Name baboo mickey com Name xxx baboo mickey com Routing Refers to the routing protocol used RAS F W Version The release of firmware currently on the Business Secure Router and the date the release was created Ethernet Address Refers to the Ethernet MAC Media Access Control address of your Business Secure Router IP ...

Page 171: ...Business Secure Router has a syslog facility for message logging and a trace function for viewing call triggering packets Figure 86 Menu 24 3 System Maintenance Log and Trace Syslog logging The Business Secure Router uses the syslog facility to log the CDR Call Detail Record and system messages to a syslog server Syslog and accounting can be configured in Menu 24 3 2 System Maintenance Syslog Logg...

Page 172: ...ESC to Cancel Table 43 System Maintenance Menu Syslog Parameters Parameter Description Syslog Active Press SPACE BAR and then ENTER to turn syslog on or off Syslog Server IP Address Enter the IP Address of the server that logs the CDR Call Detail Record and system messages For example the syslog server Log Facility Press SPACE BAR and then ENTER to select a Local option Using the log facility you ...

Page 173: ... 06 192 168 102 2 RAS board 0 line 0 channel 0 call 1 C02 Call Terminated Packet triggered Message Format SdcmdSyslogSend SYSLOG_PKTTRI SYSLOG_NOTICE String String Packet trigger Protocol xx Data xxxxxxxxxx x Protocol 1 IP 2 IPX 3 IPXHC 4 BPDU 5 ATALK 6 IPNG Data We will send forty eight Hex characters to the server Jul 19 11 28 39 192 168 102 2 RAS Packet Trigger Protocol 1 Data 4500003c100100001...

Page 174: ...MP S04 R01mF Mar 03 11 59 20 202 132 155 97 RAS GEN 00a0c5f502fnord010080 S05 R01mF Mar 03 12 00 52 202 132 155 97 RAS GEN ffffffffffff0080 S05 R01mF Mar 03 12 00 57 202 132 155 97 RAS GEN 00a0c5f502010080 S05 R01mF Mar 03 12 01 06 202 132 155 97 RAS IP Src 192 168 1 33 Dst 202 132 155 93 TCP spo 01170 dpo 00021 S04 R01mF PPP Log Message Format SdcmdSyslogSend SYSLOG_PPPLOG SYSLOG_NOTICE String St...

Page 175: ...st Destination Address dpo Destination port empty means no destination port information prot Protocol TCP UDP ICMP IGMP GRE ESP rule a b where a means set number b means rule number Action nothing N block B forward F 08 01 2000 11 48 41 Local1 Notice 192 168 10 10 RAS FW 172 21 1 80 137 172 21 1 80 137 UDP default permit 2 0 B 08 01 2000 11 48 41 Local1 Notice 192 168 10 10 RAS FW 192 168 77 88 52...

Page 176: ...ve 0xFE 254 Protocol 0x06 TCP Header Checksum 0xFB20 64288 Source IP 0xC0A80101 192 168 1 1 Destination IP 0x00000000 0 0 0 0 TCP Header Source Port 0x0401 1025 Destination Port 0x000D 13 Sequence Number 0x05B8D000 95997952 Ack Number 0x00000000 0 Header Length 24 Flags 0x02 S Window Size 0x2000 8192 Checksum 0xE06A 57450 Urgent Ptr 0x0000 0 Options 0000 02 04 02 00 RAW DATA 0000 45 00 00 2C 00 02...

Page 177: ...CP is discussed in Nortel Business Secure Router 222 Configuration Basics NN47922 500 The Business Secure Router can act either as a WAN DHCP client IP Address Assignment field in menu 4 or menu 11 1 2 is Dynamic and the Encapsulation field in menu 4 or menu 11 is Ethernet or None when you have a static IP Using the WAN Release and Renewal fields in menu 24 4 you can release or renew the assigned ...

Page 178: ...elease your WAN DHCP settings WAN DHCP Renewal Enter 3 to renew your WAN DHCP settings Internet Setup Test This feature is only available for dial up connections using PPPoE or PPTP encapsulation Enter 4 to test the Internet setup You can also test the Internet setup in Menu 4 Internet Access Refer to Chapter 5 Internet access on page 79 for more details Reboot System Enter 11 to reboot the Busine...

Page 179: ...ustomized the Business Secure Router settings they can be saved back to your computer under a filename of your choosing The system firmware sometimes referred to as the ras file has a bin filename extension With many FTP and TFTP clients the filenames are similar to those seen next ftp put firmware bin ras This is a sample FTP session showing the transfer of the computer file firmware bin to the B...

Page 180: ... you press y when prompted in the SMT menu to go into debug mode Backup configuration Using Option 5 from Menu 24 System Maintenance you can back up the current Business Secure Router configuration to your computer Backup is highly recommended once your Business Secure Router is functioning properly FTP is the preferred method for backing up your current configuration to your computer Table 45 Fil...

Page 181: ...sing the FTP command from the command line 1 Launch the FTP client on your computer 2 Enter open followed by a space and the IP address of your Business Secure Router 3 Press ENTER when prompted for a username 4 Enter your password as requested the default password is PlsChgMe Menu 24 5 System Maintenance Backup Configuration To transfer the configuration file to your workstation follow the proced...

Page 182: ...ommands that you can see in GUI based FTP clients 331 Enter PASS command Password 230 Logged in ftp bin 200 Type I OK ftp get rom 0 config rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp 16384 bytes sent in 1 10Seconds 297 89Kbytes sec ftp quit Table 46 General commands for GUI based FTP clients Command Description Host Address Enter the address of the h...

Page 183: ...rtel does not recommend using TFTP over WAN although it can work To use TFTP your computer must have both Telnet and TFTP clients To back up the configuration file follow the procedure shown next 1 Use Telnet from your computer to connect to the Business Secure Router and log on Because TFTP does not have any security checks the Business Secure Router records the IP address of the Telnet client an...

Page 184: ...Router to the file destination on the computer and renames it config rom GUI based TFTP clients Table 47 describes some of the fields that appear in GUI based TFTP clients Note Telnet connection must be active and the SMT must be in CI mode before and during the TFTP transfer For details on TFTP commands see TFTP command example on page 184 consult the documentation of your TFTP client program For...

Page 185: ...Maintenance Backup Configuration Figure 94 shows the screen which indicates that the Xmodem download has started Figure 94 Menu 24 5 System Maintenance Starting Xmodem Download Screen Run the HyperTerminal program by clicking Transfer then Receive File as shown in Figure 95 Remote File This is the filename on the Business Secure Router The filename for the firmware is ras and for the configuration...

Page 186: ...evious back up configuration do not attempt to restore unless you have a backup configuration file stored on disk FTP is the preferred method for restoring your current computer configuration to your Business Secure Router since FTP is faster note that you must wait for the system to automatically restart after the file transfer is complete Backup Configuration completed OK Hit any key to continue...

Page 187: ...uter to the Business Secure Router See Filename conventions on page 179 for more information about filename conventions Menu 24 6 System Maintenance Restore Configuration To transfer the firmware and configuration file to your workstation follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your Business Secure Router Then type nnadmin and SMT pa...

Page 188: ...re via console port Restore configuration via console port by following the HyperTerminal procedure Procedures using other serial communications programs are similar Display menu 24 6 and enter y at the prompt Figure 99 System Maintenance Restore Configuration Figure 100 indicates that the Xmodem download has started ftp put config rom rom 0 200 Port command okay 150 Opening data connection for ST...

Page 189: ...rmation Screen Uploading Firmware and Configuration Files This section shows you how to upload firmware and configuration files You can upload configuration files by following the procedure Restore configuration on page 186 or by following the instructions in Menu 24 7 2 System Maintenance Upload System Configuration File Starting XMODEM download CRC mode CCCCCCCCC Save to ROM Hit any key to start...

Page 190: ...ad the system firmware follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your system Then type nnadmin and SMT password as requested 3 Type put firmwarefilename ras where firmwarefilename is the name of your firmware upgrade file on your workstation and ras is the remote file name on the system 4 The system reboots automatically after a succes...

Page 191: ...as transfers the firmware on your computer firmware bin to the Business Secure Router and renames it ras Similarly put config rom rom 0 transfers the configuration file on your computer Menu 24 7 2 System Maintenance Upload System Configuration File To upload the system configuration file follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your ...

Page 192: ...te Management on page 209 section to read about configurations that disallow TFTP and FTP over WAN TFTP file upload The Business Secure Router also supports the uploading of firmware files using TFTP Trivial File Transfer Protocol over LAN Although TFTP also works over WAN Nortel does not recommend doing this 1 To use TFTP your computer must have both Telnet and TFTP clients To transfer the firmwa...

Page 193: ...o transfer files between the Business Secure Router and the computer The file name for the firmware is ras Note that the telnet connection must be active and the Business Secure Router must be in CI mode before and during the TFTP transfer For details about TFTP commands see TFTP upload command example on page 193 consult the documentation of your TFTP client program For UNIX use get to transfer f...

Page 194: ... Upload Firmware to display Menu 24 7 1 System Maintenance Upload System Firmware then follow the instructions as shown in Figure 105 Figure 105 Menu 24 7 1 as seen using the Console Port After the Starting Xmodem upload message appears activate the Xmodem protocol on your computer Follow the procedure as shown previously for the HyperTerminal program The procedure for other serial communications ...

Page 195: ...modem Upload 2 After the configuration upload process is complete restart the Business Secure Router by entering atgo Uploading configuration file via console port 1 Select 2 from Menu 24 7 System Maintenance Upload Firmware to display Menu 24 7 2 System Maintenance Upload System Configuration File Follow the instructions as shown in Figure 107 Type the configuration file s location or click Brows...

Page 196: ...e To upload system configuration file 1 Enter y at the prompt below to go into debug mode 2 Enter atlc after Enter Debug Mode message 3 Wait for Starting XMODEM upload message before activating Xmodem upload on your terminal 4 After successful firmware upload enter atgo to restart the system Warning 1 Proceeding with the upload will erase the current configuration file 2 The system s console port ...

Page 197: ... file using HyperTerminal 1 Click Transfer then Send File to display the screen shown in Figure 108 Figure 108 Example Xmodem Upload 2 After the configuration upload process is complete restart the Business Secure Router by entering atgo Type the configuration file s location or click Browse to search for it Choose the Xmodem protocol Click Send ...

Page 198: ...198 Chapter 15 Firmware and configuration file maintenance NN47922 501 ...

Page 199: ...lity as the SMT while adding some low level setup and diagnostic functions Enter the CI from the SMT by selecting menu 24 8 Access can be by Telnet or by a serial connection to the console port although some commands are only available with a serial connection See the included disk or www nortel com for more detailed information about CI commands Enter 8 from Menu 24 System Maintenance Note Use of...

Page 200: ...osed in angle brackets The optional fields in a command are enclosed in square brackets The symbol means or For example sys filter netbios config type on off Menu 24 System Maintenance 1 System Status 2 System Information and Console Port Speed 3 Log and Trace 4 Diagnostic 5 Backup Configuration 6 Restore Configuration 7 Firmware Update 8 Command Interpreter Mode 9 Call Control 10 Time and Date Se...

Page 201: ...d commands Command Description sys The system commands display device information and configure device settings exit This command returns you to the SMT main menu ether This commands display Ethernet information and configure Ethernet settings ip This commands display IP information and configure IP settings ipsec This commands display IPSec information and configure IPSec settings bm This command...

Page 202: ...e total outgoing call time exceeds the limit the current call is dropped and any future outgoing calls are blocked Call history chronicles preceding incoming and outgoing calls To access the call control menu select option 9 in menu 24 to go to Menu 24 9 System Maintenance Call Control as shown in Figure 111 Figure 111 Call Control Budget management Menu 24 9 1 shows the budget management statisti...

Page 203: ...he remote node Menu 24 9 1 Budget Management Remote Node 1 ChangeMe 2 GUI Connection Time Total Budget No Budget No Budget Elapsed Time Total Period No Budget No Budget Reset Node 0 to update screen Table 49 Budget management Field Description Example Remote Node Enter the index number of the remote node you want to reset just one in this case 1 Connection Time Total Budget This is the total conne...

Page 204: ...call Max Min Total Enter Entry to Delete 0 to exit Table 50 Call History Fields Field Description Phone Number The PPPoE service names are shown here Dir This shows whether the call is incoming or outgoing Rate This is the transfer rate of the call call This is the number of calls made to or received from that telephone number Max This is the length of time of the longest telephone call Min This i...

Page 205: ...ness Secure Router error logs and firewall logs Select menu 24 in the main menu to open Menu 24 System Maintenancet Figure 114 Menu 24 System Maintenance Enter 10 to go to Menu 24 10 System Maintenance Time and Date Setting to update the time and date settings of your Business Secure Router as shown in Figure 115 Menu 24 System Maintenance 1 System Status 2 System Information and Console Port Spee...

Page 206: ...s Not all time servers support all protocols so check with your ISP or network administrator or use trial and error to find a protocol that works The main differences between the time protocols are the format Daytime RFC 867 format is the day month year time zone of the server Time RFC 868 format displays a 4 byte integer giving the total number of seconds since 1970 1 1 at 0 0 0 The default NTP R...

Page 207: ...pean Union on the last Sunday of March All of the time zones in the European Union start using Daylight Saving Time at the same moment 1 a m GMT or UTC So in the European Union select Mar Last Sun The time you type in the hr field depends on your time zone In Germany for instance type 02 because Germany s time zone is one hour ahead of GMT or UTC GMT 1 End Date mm nth week hr Configure the day and...

Page 208: ... Time The Business Secure Router resets the time in three instances After you make changes to and leave menu 24 10 After starting up the Business Secure Router starts up if a time server configured in menu 24 10 After starting the Business Secure Router in 24 hour intervals ...

Page 209: ...siness Secure Router interface if any from which computers You can manage your Business Secure Router from a remote location via Internet WAN only ALL LAN and WAN LAN only Neither Disable To disable remote management of a service select Disable in the corresponding Server Access field Enter 11 from menu 24 to bring up Menu 24 11 Remote Management Control Note When you Choose WAN only or ALL LAN WA...

Page 210: ...NS Service Port 53 Access LAN only Secure Client IP 0 0 0 0 Press ENTER to Confirm or ESC to Cancel Table 52 Menu 24 11 Remote Management control Field Description Telnet Server FTP Server SSH Server HTTPS Server HTTP Server SNMP Service DNS Service Each of these read only labels denotes a service that you can use to remotely manage the Business Secure Router Port This field shows the port number ...

Page 211: ...on it does not begin if a Web session is already running 7 There is a firewall rule that blocks remote management Certificate Press SPACE BAR and then ENTER to select the certificate that the Business Secure Router uses to identify itself The Business Secure Router is the SSL server and must always authenticate itself to the SSL client the computer that requests the HTTPS connection with the Busin...

Page 212: ...212 Chapter 17 Remote Management NN47922 501 ...

Page 213: ...ideo cassette recorder you can specify a time period for the VCR to record You can apply up to 4 schedule sets in Menu 11 1 Remote Node Profile From the main menu enter 26 to access Menu 26 Schedule Setup as shown in Figure 117 Figure 117 Menu 26 Schedule Setup Menu 26 Schedule Setup Schedule Schedule Set Name Set Name 1 AlwaysOn 7 _______________ 2 _______________ 8 _______________ 3 ____________...

Page 214: ...dule sets for a remote node To set up a schedule set select the schedule set you want to setup from menu 26 1 12 and press ENTER to see Menu 26 1 Schedule Set Setup as shown in Figure 118 Figure 118 Menu 26 1 Schedule Set Setup Note To delete a schedule set enter the set number and press SPACE BAR and then ENTER or delete in the Edit Name field Menu 26 1 Schedule Set Setup Active Yes Start Date yy...

Page 215: ...e How Often field above enter the date the set should activate here in year month date format 2000 01 01 Weekday Day If you selected Weekly in the How Often field above select the days when the set should activate and recur by going to that days and pressing SPACE BAR to select Yes After you complete this menu press ENTER to exit Yes No N A Start Time Enter the start time when you wish the schedul...

Page 216: ... 119 Figure 119 Applying Schedule Sets to a Remote Node PPPoE You can apply up to four schedule sets separated by commas for one remote node Change the schedule set numbers to your preferences Menu 11 1 Remote Node Profile Rem Node Name ChangeMe Route IP Active Yes Encapsulation Ethernet Edit IP No Service Type Standard Session Options Service Name N A Edit Filter Sets No Outgoing My Login N A My ...

Page 217: ...he purchase of a third party TCP IP application package TCP IP is already installed on computers using Windows NT 2000 XP or Macintosh OS 7 and later operating systems After the appropriate TCP IP components are installed configure the TCP IP settings in order to communicate with your network If you manually assign IP information instead of using dynamic assignment make sure that your computers ha...

Page 218: ...IP protocol and Client for Microsoft Networks If you need the adapter a In the Network window click Add b Select Adapter and click Add c Select the manufacturer and model of your network adapter and click OK If you need TCP IP a In the Network window click Add b Select Protocol and click Add c Select Microsoft from the list of manufacturers d Select TCP IP from the list of network protocols and cl...

Page 219: ... changes take effect Configuring 1 In the Network window Configuration tab select your network adapter s TCP IP entry and click Properties 2 Click the IP Address tab If your IP address is dynamic select Obtain an IP address automatically If you have a static IP address select Specify an IP address and type your information into the IP Address and Subnet Mask fields Figure 121 Windows 95 98 Me TCP ...

Page 220: ...ly installed gateways If you have a gateway IP address type it in the New gateway field and click Add 5 Click OK to save and close the TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your Business Secure Router and restart your computer when prompted Verifying Settings 1 Click Start and then Run 2 In the Run window type winipcfg and click...

Page 221: ...on Advanced Windows 2000 NT XP 1 For Windows XP click Start Control Panel In Windows 2000 NT click Start Settings Control Panel Figure 123 Windows XP Start menu 2 For Windows XP click Network Connections For Windows 2000 NT click Network and Dial up Connections Figure 124 Windows XP Control Panel ...

Page 222: ...ight click Local Area Connection and then click Properties Figure 125 Windows XP Control Panel Network Connections Properties 4 Select Internet Protocol TCP IP under the General tab in Win XP and click Properties Figure 126 Windows XP Local Area Connection Properties ...

Page 223: ...teway fields Click Advanced Figure 127 Windows XP Advanced TCP IP settings 6 If you do not know your gateway IP address remove any previously installed gateways in the IP Settings tab and click OK Ë Do one or more of the following if you want to configure additional IP addresses In the IP Settings tab in IP addresses click Add In TCP IP Address type an IP address in IP address and a subnet mask in...

Page 224: ... Protocol TCP IP Properties window the General tab in Windows XP Click Obtain DNS server address automatically if you do not know your DNS server IP addresses If you know your DNS server IP addresses click Use the following DNS server addresses and type them in the Preferred DNS server and Alternate DNS server fields If you have previously configured DNS servers click Advanced and then the DNS tab...

Page 225: ...Settings 1 Click Start All Programs Accessories and then Command Prompt 2 In the Command Prompt window type ipconfig and press ENTER You can also open Network Connections right click a network connection click Status and then click the Support tab Macintosh OS 8 9 1 Click the Apple menu Control Panel and double click TCP IP to open the TCP IP Control Panel Figure 129 Macintosh OS 8 9 Apple Menu ...

Page 226: ...o the following From the Configure box select Manually Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your Business Secure Router in the Router address box 5 Close the TCP IP Control Panel 6 Click Save if prompted to save changes to your configuration 7 Turn on your Business Secure Router and restart your computer if prompted Verifyin...

Page 227: ...d click System Preferences to open the System Preferences window Figure 131 Macintosh OS X Apple menu 2 Click Network in the icon bar Select Automatic from the Location list Select Built in Ethernet from the Show list Click the TCP IP tab 3 For dynamically assigned settings select Using DHCP from the Configure list Figure 132 Macintosh OS X Network ...

Page 228: ...ly Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your Business Secure Router in the Router address box 5 Click Apply Now and close the window 6 Turn on your Business Secure Router and restart your computer if prompted Verifying settings Check your TCP IP properties in the Network window ...

Page 229: ... more than one connection to the Internet through one or more ISPs If an alternate gateway is on the LAN and its IP address is in the same subnet as the Business Secure Router LAN IP address the triangle route also called asymmetrical route problem can occur The steps below describe the triangle route problem A traffic route is a path for sending or receiving data packets between two Ethernet devi...

Page 230: ...knowledged Figure 134 Triangle Route Problem The Triangle Route Solutions IP aliasing Using IP alias you can partition your network into logical sections over the same Ethernet interface Your Business Secure Router supports up to three logical LAN interfaces with the Business Secure Router being the gateway for each logical network By putting your LAN and Gateway B in different subnets all returni...

Page 231: ...tion Advanced 2 The Business Secure Router reroutes the packet to Gateway B which is in Subnet 2 3 The reply from WAN goes to the Business Secure Router 4 The Business Secure Router ends the response to the computer in Subnet 1 Figure 135 IP Alias Business Secure Router WAN ...

Page 232: ...232 Appendix B Triangle Route NN47922 501 ...

Page 233: ...cates Import Business Secure Router certificates into Netscape Navigator In Netscape Navigator you can permanently trust the Business Secure Router server certificate by importing it into your operating system as a trusted certification authority Select Accept This Certificate Permanently in Figure 136 to do this Figure 136 Security Certificate ...

Page 234: ...ification authority To have Internet Explorer trust a Business Secure Router certificate issued by a certificate authority import the certificate authority s certificate into your operating system as a trusted certification authority The following example procedure shows how to import the Business Secure Router s self signed server certificate into your operating system as a trusted certification ...

Page 235: ... C Importing certificates 235 Nortel Business Secure Router 222 Configuration Advanced 2 Click Install Certificate to open the Install Certificate wizard Figure 138 Certificate General Information before Import ...

Page 236: ...236 Appendix C Importing certificates NN47922 501 3 Click Next to begin the Install Certificate wizard Figure 139 Certificate Import Wizard 1 ...

Page 237: ...Appendix C Importing certificates 237 Nortel Business Secure Router 222 Configuration Advanced 4 Select where you want to store the certificate and click Next Figure 140 Certificate Import Wizard 2 ...

Page 238: ...rtificates NN47922 501 5 Click Finish to complete the Import Certificate wizard Figure 141 Certificate Import Wizard 3 6 Click Yes to add the Business Secure Router certificate to the root store Figure 142 Root Certificate Store ...

Page 239: ...ificates is selected on the Business Secure Router You must have imported at least one trusted CA to the Business Secure Router in order for the Authenticate Client Certificates to be active see Certificates in Nortel Business Secure Router 222 Configuration Basics NN47922 500 for details Apply for a certificate from a Certification Authority CA that is trusted by the Business Secure Router see th...

Page 240: ...g certificates NN47922 501 Figure 144 Business Secure Router Trusted CA screen The CA sends you a package containing the CA s trusted certificate your personal certificates and a password to install the personal certificates ...

Page 241: ...ar to the one shown in Figure 145 Figure 145 CA certificate example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix Installing your personal certificates You need a password in advance The CA can issue the password or you can specify it during the enrollment Double click the personal certificate given to you by the CA to produce a screen similar to Figure 146 ...

Page 242: ...242 Appendix C Importing certificates NN47922 501 1 Click Next to begin the wizard Figure 146 Personal certificate import wizard 1 ...

Page 243: ...ecure Router 222 Configuration Advanced 2 The file name and path of the certificate you double clicked automatically appears in the File name text box Click Browse if you wish to import a different certificate Figure 147 Personal certificate import wizard 2 ...

Page 244: ...244 Appendix C Importing certificates NN47922 501 3 Enter the password given to you by the CA Figure 148 Personal certificate import wizard 3 ...

Page 245: ...cure Router 222 Configuration Advanced 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location Figure 149 Personal certificate import wizard 4 ...

Page 246: ... Finish to complete the wizard and begin the import process Figure 150 Personal certificate import wizard 5 6 Figure 151 shows the screen that appears when the certificate is correctly installed on your computer Figure 151 Personal certificate import wizard 6 ...

Page 247: ...HTTPS 1 Enter https Business Secure Router IP Address in your browser s web address field Figure 152 Access the Business Secure Router via HTTPS 2 When Authenticate Client Certificates is selected on the Business Secure Router you are asked to select a personal certificate to send to the Business Secure Router This screen displays even if you only have a single certificate as shown in Figure 153 F...

Page 248: ...248 Appendix C Importing certificates NN47922 501 3 The Business Secure Router login screen appears Figure 154 Business Secure Router secure login screen ...

Page 249: ...ality in a manner similar to dial up services using PPP Benefits of PPPoE PPPoE offers the following benefits It provides you with a familiar dial up networking DUN user interface It lessens the burden on the carriers of provisioning virtual circuits all the way to the ISP on multiple switches for thousands of users For GSTN PSTN and ISDN the switching fabric is already in place It allows the ISP ...

Page 250: ...and tunnels the PPP frames to the ISP The L2TP tunnel is capable of carrying multiple PPP sessions With PPPoE the VC Virtual Circuit is equivalent to the dial up connection and is between the modem and the AC as opposed to all the way to the ISP However the PPP negotiation is between the PC and the ISP Business Secure Router as a PPPoE client When using the Business Secure Router as a PPPoE client...

Page 251: ...Appendix D PPPoE 251 Nortel Business Secure Router 222 Configuration Advanced Figure 156 Business Secure Router as a PPPoE Client Business Secure Router ...

Page 252: ...252 Appendix D PPPoE NN47922 501 ...

Page 253: ...lution is to build PPTP into the ANT ADSL Network Termination where PPTP is used only over the short haul between the PC and the modem over Ethernet For the rest of the connection the PPP frames are transported with PPP over AAL5 RFC 2364 The PPP connection however is still between the PC and the ISP The various connections in this setup are depicted in the following diagram The drawback of this s...

Page 254: ...rd PPTP packets to the server In the case above as the remote PPTP Client initializes the PPTP connection the user must configure the PPTP clients The Business Secure Router initializes the PPTP connection hence there is no need to configure the remote PPTP clients Figure 158 Business Secure Router as a PPTP client PPTP protocol overview PPTP is very similar to L2TP since L2TP is based on both PPT...

Page 255: ...OS In Microsoft s implementation the PC and hence the Business Secure Router is the PNS that requests the PAC the ANT to place an outgoing call over AAL5 to an RFC 2364 server Control and PPP connections Each PPTP session has distinct control connection and PPP data connection Call connection The control connection runs over TCP Similar to L2TP a tunnel control connection is first established befo...

Page 256: ...age exchange between PC and an ANT PPP data connection The PPP frames are tunneled between the PNS and PAC over GRE General Routing Encapsulation RFC 1701 1702 The individual calls within a tunnel are distinguished using the Call ID field in the GRE header ...

Page 257: ... Secure Router is DCE when you connect a computer to the console port The Business Secure Router is DTE when you connect a modem to the dial backup port Table 54 General specifications Power Specification I P AC 120V 60Hz O P DC 12V 1200 mA MTBF 416 107 hrs Mean Time Between Failures Operation Temperature 0º C 40º C Ethernet Specification for WAN 10 100Mb s Half Full autonegotiation Ethernet Speci...

Page 258: ...DCE RTS PIN 9 NON Pin 1 NON Pin 2 DTE RXD Pin 3 DTE TXD Pin 4 DTE DTR Pin 5 GND Pin 6 DTE DSR Pin 7 DTE RTS Pin 8 DTE CTS PIN 9 NON The CON AUX port also has these pin assignments The CON AUX switch changes the setting in the firmware only and does not change the CON AUX port s pin assignments Business Secure Routers with a CON AUX port also have a 9 pin adapter for the console cable with these pi...

Page 259: ...g Model PSA21R 180 Note Not to remove the plug and plug into a wall outlet by itself always attach the plug to the power supply first before insert into the wall Leader Model MU18 2180100 XX XX can be A1 A2 A3 B2 or C5 for the different plugs used WAN LAN Ethernet Cable Pin Layout Straight Through Crossover Switch 1 IRD Adapter 1 OTD Switch 1 IRD Switch 1 IRD 2 IRD 2 OTD 2 IRD 2 IRD 3 OTD 3 IRD 3 ...

Page 260: ...260 Appendix F Hardware specifications NN47922 501 ...

Page 261: ...t Class A addresses have a 0 in the left most bit In a class A address the first octet is the network number and the remaining three octets make up the host ID Class B addresses have a 1 in the left most bit and a 0 in the next left most bit In a class B address the first two octets make up the network number and the two remaining octets make up the host ID Class C addresses begin starting from th...

Page 262: ...id range of 128 to 191 The first octet of a class C address begins with 110 and therefore has a range of 192 to 223 Table 56 Classes of IP addresses IP Address Octet 1 Octet 2 Octet 3 Octet 4 Class A 0 Network number Host ID Host ID Host ID Class B 10 Network number Network number Host ID Host ID Class C 110 Network number Network number Network number Host ID Note Host IDs of all zeros or all one...

Page 263: ...is ignored For example a class C address no longer has to have 24 bits of network number and 8 bits of host ID With subnetting some of the host ID bits are converted into network number bits By convention subnet masks always consist of a continuous sequence of ones beginning from the left most bit of the mask followed by a continuous sequence of zeros for a total number of 32 bits Since the mask i...

Page 264: ... octets of the address make up the network number class C You want to have two separate networks Table 59 Alternative Subnet Mask Notation Subnet mask IP address Subnet mask 1 Bits Last octet bit value 255 255 255 0 24 0000 0000 255 255 255 128 25 1000 0000 255 255 255 192 26 1100 0000 255 255 255 224 27 1110 0000 255 255 255 240 28 1111 0000 255 255 255 248 29 1111 1000 255 255 255 252 30 1111 11...

Page 265: ...ctet bit values indicate host ID bits borrowed to form network ID bits The number of borrowed host ID bits determines the number of subnets you can have The remaining number of host ID bits after borrowing determines the number of hosts you can have on each subnet Table 60 Subnet 1 Network number Last Octet bit value IP Address 192 168 1 0 IP Address Binary 11000000 10101000 00000001 00000000 Subn...

Page 266: ...combinations of 00 01 10 and 11 The subnet mask is 26 bits 11111111 11111111 11111111 11000000 or 255 255 255 192 Each subnet contains 6 host ID bits giving 26 2 or 62 hosts for each subnet all 0s is the subnet itself all 1s is the broadcast address on the subnet Table 62 Subnet 1 Network number Last octet bit value IP Address 192 168 1 0 IP Address Binary 11000000 10101000 00000001 00000000 Subne...

Page 267: ...1111 11000000 Subnet Address 192 168 1 128 Lowest Host ID 192 168 1 129 Broadcast Address 192 168 1 191 Highest Host ID 192 168 1 190 Table 65 Subnet 4 Network number Last Octet Bit Value IP Address 192 168 1 192 IP Address Binary 11000000 10101000 00000001 11000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 192 Lowest Host ID 192 168 1 193 Broadcast Address 19...

Page 268: ...ary for class B subnet planning 7 192 193 222 223 8 224 225 254 255 Table 67 Class C subnet planning No Borrowed Host Bits Subnet Mask No Subnets No Hosts per Subnet 1 255 255 255 128 25 2 126 2 255 255 255 192 26 4 62 3 255 255 255 224 27 8 30 4 255 255 255 240 28 16 14 5 255 255 255 248 29 32 6 6 255 255 255 252 30 64 2 7 255 255 255 254 31 128 1 Table 68 Class B subnet planning No Borrowed Host...

Page 269: ...54 0 23 128 510 8 255 255 255 0 24 256 254 9 255 255 255 128 25 512 126 10 255 255 255 192 26 1 024 62 11 255 255 255 224 27 2 048 30 12 255 255 255 240 28 4 096 14 13 255 255 255 248 29 8 192 6 14 255 255 255 252 30 16 384 2 15 255 255 255 254 31 32 768 1 Table 68 Class B subnet planning No Borrowed Host Bits Subnet Mask No Subnets No Hosts per Subnet ...

Page 270: ...270 Appendix G IP subnetting NN47922 501 ...

Page 271: ...command keywords exactly as shown Do not abbreviate The required fields in a command are enclosed in angle brackets The optional fields in a command are enclosed in square brackets The symbol means or For example sys filter netbios config type on off means that you must specify the type of netbios filter and whether to turn it on or off Command usage A list of valid commands can be found by typing...

Page 272: ...password countrycode countrycode Sets or displays the country code datetime date year month date Sets or displays the system s current date time hour min sec Sets or displays the system time period day Sets how often the Business Secure Router gets the date and time from the time server sync Gets the date and time from the time server domainname Displays the domain name that the device sends to th...

Page 273: ...ds alerts or both for firewall attack logs cdr 0 none 1 log Records Call Detail Record logs display Displays the category settings error 0 none 1 log 2 alert 3 both Records sends alerts or both for system error logs icmp 0 none 1 log Records ICMP logs ike 0 none 1 log 2 alert 3 both Records sends alerts or both for access control logs ipsec 0 none 1 log 2 alert 3 both Records the access control lo...

Page 274: ...s Use sys logs save after you configure the log settings mail alertAddr mail address Sends alerts to this e mail address clearLog 0 no 1 yes Enables the switch to clear the log after sending logs via e mail display Displays the logs and alerts mail settings logAddr mail address Sends logs to this e mail address schedule display Displays the mail schedule schedule hour 0 23 Sets the hour to send lo...

Page 275: ... IP Specifies the IP address of the syslog server the syslogs are sent consolidate switch 0 on 1 off Turns log consolidation on or off period Sets the consolidation period in seconds msglist Displays the consolidated messages updateSvrIP minute Sets how often to resolve the mail and syslog server domain name to an IP address switch bmlog 0 no 1 yes Turns the broadcast or multicast log on or off di...

Page 276: ... Turns TOS debug message on or off listPerHost Displays all hosts session counts sessPerHost Sets the session per host limit timeout display Displays all TOS Temporarily Open Session timeout information icmp Sets the ICMP session idle timeout value igmp Sets the IGMP session idle timeout value tcpsyn Sets the SYN TCP session idle timeout value tcp Sets the TCP session idle timeout value tcpfin Set...

Page 277: ... Erases the trace log call Shows call events encapmask mask Shows which type of encapsulation the trace log records or sets the encapsulation if you specify the encapsulation s hexadecimal character trcpacket Uses trace packets to capture parts of packets in order to see the packet flow from one interface to another create entry size Creates a packet trace buffer destroy Removes the packet trace b...

Page 278: ...ef listing of packet contents version Displays the RAS code and driver versions view filename Displays the specified text file wdog switch on off Turns the watchdog firmware protection feature on or off cnt value Sets 0 34 463 or displays the current watchdog count in 1 6 sec units romreset Restores the factory default configuration file server Use these commands to configure remote server managem...

Page 279: ...nformation socket Displays the system socket s ID type control block address PCB IP address and port number of peer device connected to the socket Remote Socket and task control block Owner filter netbios disp Displays the current NetBIOS filter modes config 0 Between LAN and WAN 3 IPSec Pass through 4 Trigger Dial on off Sets NetBIOS filters roadrunner debug level Enables or disables Road Runner ...

Page 280: ...play Displays the CPU utilization Table 70 Exit Command Command Description exit Ends the command interpreter session Table 71 Ether Commands Command Description config Displays LAN configuration information driver cnt disp name Displays the Ethernet driver counters status ch_name Shows the LAN status version Displays the Ethernet device type edit load 1 LAN Loads Ethernet 1 LAN data from the Syst...

Page 281: ...ationship between physical port and channel set port type Sets physical port to a specific channel spt Displays channel setting stored in SPT Table 72 IP commands Command Description address addr Displays the host IP address alias iface Sets an alias for the specified interface aliasdis 0 1 Disables or enables the alias for the specified interface arp status iface Displays an interface s IP Addres...

Page 282: ...1 Configures the system DNS server settings lan edit 0 first 1 second 2 third 0 from ISP 1 usr def 2 D NS Relay 3 n one IP address if choosing 1 Configures the LAN DNS server settings display Shows the LAN DNS server settings httpd debug on off Enables or disables the HTTP debug flag This command currently does not work icmp status Displays the ICMP statistics counter discovery iface on off Sets t...

Page 283: ...l commands accept gateway Drops an entry from the RIP refuse list activate Enables RIP merge on off Sets the RIP merge flag refuse gateway Adds an entry to the RIP refuse list request addr port Sends a RIP request to the specified address and port reverse on off RIP Poisoned Reverse status Displays RIP statistic counters trace Enables the RIP debug trace mode iface in mode Sets the Business Secure...

Page 284: ...onFlags type 1 3 enabl e disable Enables or disables content filtering exempt zone action flags that determine to which IP addresses content filtering applies add ip1 ip2 Sets a range of IP addresses to be in the exempt zone delete ip1 ip2 Removes a range of IP addresses from the exempt zone reset Returns the exempt zone settings to the previous configuration customize Uses the customize commands ...

Page 285: ...essibility timeout timeout Sets the number of seconds the device waits for a response from the target checktime period Sets the number of seconds the device waits between attempts to connect to the target active on off Enables or disables traffic redirect save Saves traffic redirect configuration disp Displays the traffic redirect configuration debug value Sets the traffic redirect debug value rpt...

Page 286: ...rivate yes no Turns private mode on or off active yes no Enables or disables a static route rule dropIcmp 0 1 Sets whether or not the device allows ICMP fragment packets igmp debug level Sets IGMP debug level forwardall on off Activates or deactivates IGMP forwarding to all interfaces flag querier on off Turns on or off IGMP stop query flag iface iface grouptm timeout Sets IGMP group timeout for t...

Page 287: ... Live threshold iface v1compat on off Turns on or off IGMP version 1 compatibility on the specified interface robustness num Sets the IGMP robustness variable status Displays the IGMP status alg display Shows whether the Application Layer Gateway is enabled or disabled siptimeout timeout in second or 0 for no timeout Sets the SIP timeout period enable ALG_FTP ALG_H323 ALG_SIP Turns on the ALG disa...

Page 288: ... type and level switch on off As long as there is one active IPSec rule all packets go into the IPSec process to check against the SPD When this switch is turned on packets are not be put through the IPSec process even if there are active IPSec rules timer chk_conn 0 255 Sets the idle timeout for IPSec connections The system disconnects an IPSec connection with no traffic for the timeout period Th...

Page 289: ...le index Displays the specified IPSec rule s IP policies dial rule index policy index Triggers the specified phase two connection route lan on off After IPSec processes a packet and sends it to the LAN side this switch controls whether or not IPSec can be applied to the packet again wan on off After IPSec processes a packet and sends it to the WAN side this switch controls whether or not IPSec can...

Page 290: ...aracters preceded by 0x zero x which is not counted as part of the 16 to 62 characters p1EncryAlgo 0 DES 1 3DES 2 AES Sets the phase 1 encryption algorithm p1AuthAlgo 0 MD5 1 SHA1 Sets the phase 1 authentication algorithm p1SaLifeTime seconds Sets the phase 1 SA lifetime keyGroup 0 DH1 1 DH2 Sets the key group for phase 1 IKE setup nailUp Yes No Turns nailed up feature on or off activeProtocol 0 A...

Page 291: ...ice netbios ntp none Sets which specific services can automatically trigger a VPN connection to the remote Contivity VPN switch groupID group ID Sets the Contivity Client tunnel s user s group ID groupPasswd group password Sets the Contivity Client tunnel s user s group password username name Sets the Contivity Client tunnel s user s username password password Sets the Contivity Client tunnel s us...

Page 292: ... 1 ICMP 6 TCP 17 UDP Sets the IP policy s protocol controlPing Yes No Turns control ping on or off controlPingAddr IP Sets the control ping IP address lcAddrType 0 single 1 range 2 subnet Sets the local address type lcAddrEndMask IP Sets the local ending IP address or subnet mask lcPortStart port Sets the local starting port number lcPortEnd port Sets the local ending port number rmAddrType 0 sing...

Page 293: ...ity Client VPN connection contivityState Displays information about the Contivity Client VPN connection contivitySplit contivityTimecnt 0 65535 Sets the Contivity Client keep alive interval in seconds exemptHost Uses the exemptHost commands to configure specific IP addresses that are not to be part of a VPN tunnel display Displays the exempt host settings load index Loads an exempt host active Yes...

Page 294: ... disables the Pre Shared Key authentication method for the Local User Database radius on off Enables or disables the RADIUS Server authentication method radius groupId Configures Group ID fields for RADIUS Server authentication method radius groupPwd Configures Group Password fields for RADIUS Server authentication method radius psk on off Enables or disables Pre Shared Key authentication type for...

Page 295: ...ddresses in the IP pool status Displays the current runtime IP pool status of Client Termination natt active yes no Enables or disables NAT Traversal portSwitch enable disable Enables or disables Client IKE Source Port Switching portNum Sets the NAT Traversal UDP port valid UDP port 1025 65535 failover 1 2 3 IP Sets the client failover IP address keepalive active yes no Enables or disables client ...

Page 296: ...on off banner text Sets whether or not the banner appears when a remote user logs on to the gateway Also sets the banner text if specified up to 256 characters password clientStorage on off Sets whether or not the Contivity VPN clients can save their logon passwords instead of always having to manually enter them manage on off Enables or disables the password management facilities including maximu...

Page 297: ...he firewall cnt disp Displays the firewall log type and count clear Clears the firewall log count dynamicrule display Displays the firewall s dynamic rules tcprst rst Turns TCP reset sending on or off rst113 Turns TCP reset sending for port 113 on or off display Displays the TCP reset sending settings dos smtp Enables or disables the SMTP DoS defender display Displays the SMTP DoS defender setting...

Page 298: ...nism to fairness based WRR or priority based PRR efficient Turns on the work conserving feature disable Disables bandwidth management for traffic going out the LAN interface wan enable bandwidth xxx Enables bandwidth management for traffic going out the WAN interface You can also specify the b s of bandwidth wrr prr Sets the queueing mechanism to fairness based WRR or priority based PRR efficient ...

Page 299: ...w on off The class can borrow bandwidth from its parent class when borrowing is turned on and vice versa wan add bandwidth xxx name xxx Adds a class with bandwidth xxx b s in WAN The name is for your information priority x Sets the class priority The range is between 0 the lowest to 7 the highest borrow on off The class can borrow bandwidth from its parent class when borrowing is turned on and vic...

Page 300: ...Dmask Dport Saddr mask Smask Sport protocol Adds a filter for class in WAN The filter contains destination address netmask destination port source address netmask source port and protocol Use 0 for items that you do not want the filter to include del Deletes the LAN filter that belongs to the specified WAN class show interface lan Displays the LAN interface settings wan Displays the WAN interface ...

Page 301: ...sses if you do not specify one The first time you use the command turns it on the second time turns it off and so on wan Displays the bandwidth usage of the specified WAN class or all of the WAN classes if you do not specify one The first time you use the command turns it on the second time turns it off and so on moveFilter channName from to Changes the filter order channName LAN WAN from filter i...

Page 302: ...t is subject name dn ip dns email value If the name contains spaces put it in quotes key size specifies the key size It has to be an integer from 512 to 2 048 The default is 1 024 bits create scep_enroll name CA addr CA cert auth key subject key size Creates a certificate request and enrolls for a certificate immediately online using SCEP protocol name specifies a descriptive name for the enrolled...

Page 303: ... saved as For my certificate importation to be successful a certification request corresponding to the imported certificate must already exist on Business Secure Router After the importation the certification request is automatically deleted If a descriptive name is not specified for the imported certificate the certificate adopts the descriptive name of the certification request export name Expor...

Page 304: ...ies the name the imported CA certificate is saved as export name Exports the PEM encoded certificate to stdout for the user to copy and paste name specifies the name of the certificate to be exported view name Views the information of the specified trusted CA certificate name specifies the name of the certificate to be viewed verify name timeout Verifies the certification path of the specified tru...

Page 305: ...e Views the information of the specified trusted remote host certificate name specifies the name of the certificate to be viewed verify name timeout Verifies the certification path of the specified trusted remote host certificate name specifies the name of the certificate to be verified timeout specifies the timeout value in seconds optional The default timeout value is 20 seconds delete name Dele...

Page 306: ...ectory service name specifies the name of the directory server to be viewed list Lists all directory service names and basic information rename old name new name Renames the specified directory service old name specifies the name of the directory server to be renamed new name specifies the new name the directory server is saved as edit name addr port login pswd Edits the specified directory servic...

Page 307: ...must be preceded by radius For example type radius auth to display the authentication server settings Table 77 IEEE 802 1X commands Command Description debug level level Sets the IEEE 802 1x debug message level trace Displays all supplicants information in the supplicant table user user Displays all supplicants information related to the username Table 78 RADIUS commands Command Description auth D...

Page 308: ...308 Appendix H Command Interpreter NN47922 501 ...

Page 309: ...ts that enable a computer to connect to and communicate with a LAN For some dial up services such as PPPoE or PPTP NetBIOS packets cause unwanted calls You can configure NetBIOS filters to do the following Allow or disallow the sending of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN Allow or disallow the sending of NetBIOS packets through VPN connections Allow or disallow Ne...

Page 310: ...r numbered 0 3 to configure NetBIOS Filter Status Between LAN and WAN Block IPSec Packets Forward Trigger Dial Disabled Table 79 NetBIOS filter default settings Name Description Example Between LAN and WAN This field displays whether NetBIOS packets are blocked or forwarded from the LAN to the WAN or from the WAN to the LAN Forward IPSec Packets This field displays whether NetBIOS packets sent thr...

Page 311: ...nnection Use off to allow NetBIOS packets to be sent through a VPN connection For type 4 use on to allow NetBIOS packets to initiate dial backup calls Use off to block NetBIOS packets from initiating dial backup calls Example commands Command sys filter netbios config 0 on This command blocks LAN to WAN and WAN to LAN NetBIOS packets Command sys filter netbios config 1 off This command forwards WA...

Page 312: ...312 Appendix I NetBIOS filter commands NN47922 501 ...

Page 313: ...ssed in Chapter 15 Firmware and configuration file maintenance on page 179 Figure 164 Option to Enter Debug Mode Enter ATHE to view all available Business Secure Router boot module commands as shown in Figure 165 With ATBAx you can change the console port speed The x denotes the number preceding the colon to give the console port speed following the colon in the list of numbers that follows for ex...

Page 314: ... ATDA y m d change system date to year month day or show current date ATDS dump RAS stack ATDT dump Boot Module Common Area ATDUx y dump memory contents from address x for length y ATRBx display the 8 bit value of address x ATRWx display the 16 bit value of address x ATRLx display the 32 bit value of address x ATGO x run program at addr x or boot router ATGR boot router ATGT run Hardware Test Prog...

Page 315: ...information from the time server Time calibration failed The router failed to get information from the time server DHCP client gets s A DHCP client got a new IP address from the DHCP server DHCP client IP expired A DHCP client s IP address has expired DHCP server assigns s The DHCP server assigned an IP address to a client SMT Login Successfully Someone has logged on to the router s SMT interface ...

Page 316: ...ewall Table 83 Content filtering logs Category Log Message Description URLFOR IP Domain Name The Business Secure Router allows access to this IP address or domain name and forwards traffic to the IP address or domain name URLBLK IP Domain Name The Business Secure Router blocked access to this IP address or domain name due to a forbidden keyword All web traffic is disabled except for trusted domain...

Page 317: ...nd attack land OSPF The firewall detected an OSPF land attack land ICMP type d code d The firewall detected an ICMP land attack see the section on ICMP messages for type and code details ip spoofing WAN TCP The firewall detected a TCP IP spoofing attack on the WAN port ip spoofing WAN UDP The firewall detected an UDP IP spoofing attack on the WAN port ip spoofing WAN IGMP The firewall detected an ...

Page 318: ... IGMP The firewall detected an IGMP IP spoofing attack while the Business Secure Router did not have a default route ip spoofing no routing entry ESP The firewall detected an ESP IP spoofing attack while the Business Secure Router did not have a default route ip spoofing no routing entry GRE The firewall detected a GRE IP spoofing attack while the Business Secure Router did not have a default rout...

Page 319: ... the listed ACL set and the Business Secure Router blocked or forwarded it according to the ACL set s configuration Firewall default policy OSPF set d OSPF access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the ACL set s configuration Firewall default policy set d Access matched the default policy of the listed ACL set and th...

Page 320: ...id not match the listed firewall rule and the Business Secure Router logged it Firewall rule NOT match ESP set d rule d ESP access did not match the listed firewall rule and the Business Secure Router logged it Firewall rule NOT match GRE set d rule d GRE ac access did not match the listed firewall rule and the Business Secure Router logged it Firewall rule NOT match OSPF set d rule d OSPF access ...

Page 321: ...k The firewall detected a DoS attack and sent a TCP packet in response Firewall sent TCP reset packets The firewall sent out TCP reset packets Packet without a NAT table entry blocked The router blocked a packet that did not have a corresponding SUA NAT table entry Out of order TCP handshake packet blocked The router blocked a TCP handshake packet that came out of the proper order Drop unsupported...

Page 322: ...r Table 87 ICMP notes Type Code Description 0 Echo Reply 0 Echo reply message 3 Destination Unreachable 0 Net unreachable 1 Host unreachable 2 Protocol unreachable 3 Port unreachable 4 A packet that needed fragmentation was dropped because it was set to Don t Fragment DF 5 Source route failed 4 Source Quench 0 A gateway can discard internet datagrams if it does not have the buffer space needed to ...

Page 323: ...agment reassembly time exceeded 12 Parameter Problem 0 Pointer indicates the error 13 Timestamp 0 Timestamp request message 14 Timestamp Reply 0 Timestamp reply message 15 Information Request 0 Information request message 16 Information Reply 0 Information reply message Table 88 Sys log LOG MESSAGE DESCRIPTION Mon dd hr mm ss hostname src srcIP srcPort dst dstIP dstPort msg msg note note This mess...

Page 324: ...A 003 01 Jan 08 02 22 Recv SA 004 01 Jan 08 02 24 Send KE NONCE 005 01 Jan 08 02 24 Recv KE NONCE 006 01 Jan 08 02 26 Send ID HASH 007 01 Jan 08 02 26 Recv ID HASH 008 01 Jan 08 02 26 Phase 1 IKE SA process done 009 01 Jan 08 02 26 Start Phase 2 Quick Mode 010 01 Jan 08 02 26 Send HASH SA NONCE ID ID 011 01 Jan 08 02 26 Recv HASH SA NONCE ID ID 012 01 Jan 08 02 26 Send HASH Clear IPSec Log y n ...

Page 325: ...ecv Main Mode request from 192 168 100 100 002 01 Jan 08 08 07 Recv SA 003 01 Jan 08 08 08 Send SA 004 01 Jan 08 08 08 Recv KE NONCE 005 01 Jan 08 08 10 Send KE NONCE 006 01 Jan 08 08 10 Recv ID HASH 007 01 Jan 08 08 10 Send ID HASH 008 01 Jan 08 08 10 Phase 1 IKE SA process done 009 01 Jan 08 08 10 Recv HASH SA NONCE ID ID 010 01 Jan 08 08 10 Start Phase 2 Quick Mode 011 01 Jan 08 08 10 Send HASH...

Page 326: ...me peer but it is still processing the first IKE packet from that peer No proposal chosen The parameters configured for Phase 1 or Phase 2 negotiations do not match Check all protocols and settings for these phases For example one party is using 3DES encryption but the other party is using DES encryption so the connection fails Verifying Local ID failed Verifying Remote ID failed During IKE Phase ...

Page 327: ...address The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router The log displays the IP address type and IP address of the incoming packet vs My Remote IP address The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router The log dis...

Page 328: ... SPI of an inbound packet from the peer the packet is dropped Cannot find outbound SA for rule d The packet matches the rule index number d but Phase 1 or Phase 2 negotiation for outbound from the VPN initiator traffic is not finished yet Discard REPLAY packet If the Business Secure Router receives a packet with the wrong sequence number it discards it Inbound packet authentication failed The auth...

Page 329: ...he CMP online certificate enrollment failed The Destination field records the certification authority server s IP address and port Failed to resolve CMP CA server url The CMP online certificate enrollment failed because the certification authority server s IP address cannot be resolved Rcvd ca cert subject name The router received a certification authority certificate with subject name as recorded...

Page 330: ...hose address and port are recorded in the Source field The maximum size of directory data that the router allows is also recorded Cert trusted subject name The router has verified the path of the certificate with the listed subject name Due to reason codes cert not trusted subject name Due to the reasons listed the certificate with the listed subject name has not passed the path verification The r...

Page 331: ...abase method failed due to timeout 26 Database method failed 27 Path was not verified 28 Maximum path length reached Table 94 IEEE 802 1X logs Log Message Description Local User Database accepts user A user was authenticated by the local user database Local User Database reports user credential error A user was not authenticated by the local user database because of an incorrect user password Loca...

Page 332: ...idle timeout expired The router logged off a user whose idle timeout period expired User logout because of user request A user logged off Local User Database does not support authentication mothed A user tried to use an authentication method that the local user database does not support it only supports EAP MD5 No response from RADIUS Pls check RADIUS Server There is no response message from the R...

Page 333: ...uter you must do this in order to record logs Displaying logs Use the sys logs display command to show all of the logs in the Business Secure Router s log Use the sys logs category display command to show the log settings for all of the log categories Table 95 Log categories and available settings Log Categories Available Parameters access 0 1 2 3 attack 0 1 2 3 error 0 1 2 3 ike 0 1 2 3 ipsec 0 1...

Page 334: ...ve ras sys logs display access time source destination notes message 0 11 11 2002 15 10 12 172 22 3 80 137 172 22 255 255 137 ACCESS BLOCK Firewall default policy UDP set 8 1 11 11 2002 15 10 12 172 21 4 17 138 172 21 255 255 138 ACCESS BLOCK Firewall default policy UDP set 8 2 11 11 2002 15 10 11 172 17 2 1 224 0 1 60 ACCESS BLOCK Firewall default policy IGMP set 8 3 11 11 2002 15 10 11 172 22 3 ...

Page 335: ...nutes after the third time an incorrect password is entered Table 96 Brute force password guessing protection commands Command Description sys pwderrtm This command displays the brute force guessing password protection settings sys pwderrtm 0 This command turns off the password s protection from brute force guessing The brute force password guessing protection is turned off by default sys pwderrtm...

Page 336: ...336 Appendix L Brute force password guessing protection NN47922 501 ...

Page 337: ...t of the signaling SIP handles telephone calls and can interface with traditional circuit switched telephone networks SIP Identities A SIP account uses an identity sometimes referred to as a SIP address A complete SIP identity is called a SIP URI Uniform Resource Identifier The URI of a SIP account identifies the SIP account in a way similar to the way an e mail address identifies an e mail accoun...

Page 338: ...INVITE request to B This message is an invitation for B to participate in a SIP telephone call 2 B sends a response indicating that the telephone is ringing 3 B sends an OK response after the call is answered 4 A then sends an ACK message to acknowledge that B has answered the call 5 Now A and B exchange voice media talk 6 After talking A hangs up and sends a BYE request 7 B replies with an OK res...

Page 339: ...erver can make and receive VoIP telephone calls This means that SIP can be used for peer to peer communications even though it is a client server protocol In Figure 168 either A or B can act as a SIP user agent client to initiate a call A and B can also both act as a SIP user agent server to receive the call Figure 168 SIP User Agent Server SIP Proxy Server A SIP proxy server receives requests fro...

Page 340: ...t originally sent the request can send requests to the IP address that it received back from the redirect server Redirect servers do not initiate SIP requests In the following example client device A calls someone who is using client device C 1 Client device A sends a call invitation for C to the SIP redirect server B 2 The SIP redirect server sends the invitation back to A with C s IP address or ...

Page 341: ...Server A SIP register server maintains a database of SIP identity to IP address or domain name mapping The register server checks your username and password when you register RTP When you make a VoIP call using SIP the RTP Real time Transport Protocol is used to handle voice data transfer See RFC 1889 for details on RTP ...

Page 342: ...ugh Network Address Translators the VoIP device can the presence and types of NAT routers firewalls or both between it and the public Internet With STUN the VoIP device can also find the public IP address that NAT assigned so the VoIP device can embed it in the SIP data stream See STUN Simple Traversal of User Datagram Protocol UDP Through Network Address Translators NATs RFC 3489 for details on S...

Page 343: ...siness Secure Router creates an implicit temporary firewall rule for the dynamic RTP port on the WAN to the SIP client device on the LAN The firewall rule is created for both directions to allow voice packets The firewall rule is deleted when the call is terminated SIP ALG and Multiple WAN When the Business Secure Router has two WAN ports and uses the second highest priority WAN port as a back up ...

Page 344: ... Secure Router without STUN use the ip alg enable ALG_SIP command to activate the SIP ALG Signaling session timeout Most SIP clients have an expire mechanism indicating the lifetime of signaling sessions The SIP UA sends registration packets to the SIP server periodically and keeps the session alive in the Business Secure Router If the SIP client does not have this mechanism and makes no call duri...

Page 345: ...sing Protection 35 Budget Management 202 BYE Request 338 C Call Back Delay 59 Call Control 202 Call History 204 Call Scheduling 35 213 Maximum Number of Schedule Sets 213 PPPoE 216 Precedence 214 Precedence Example 214 Call Triggering Packet 175 Central Network Management 36 CHAP 61 90 Client server Protocol 339 Command Interpreter Mode 199 Community 155 Conditions that prevent TFTP and FTP from w...

Page 346: ...guring 138 Example 148 Generic Filter Rule 146 Generic Rule 147 NAT 151 Remote Node 153 Structure 136 TCP IP Rule 142 Filters Executing a Filter Rule 136 IP Filter Logic Flow 144 Firewall 34 Activating 133 SMT Menus 133 Flow Control 41 FTP 211 FTP File Transfer 190 FTP Restrictions 183 211 FTP Server 38 125 Full Network Management 38 G Gateway IP Addr 94 Gateway IP Address 81 102 General Setup 47 ...

Page 347: ...gin Name 80 Login Screen 42 M MAC Address 54 Main Menu 43 Mean Time Between Failures 257 Metric 65 90 94 103 MTBF 257 Multicast 65 75 95 Multimedia 337 My IP Addr 91 My Login 60 88 My Login Name 80 My Password 60 80 81 88 My Server IP Addr 91 My WAN Address 64 N Nailed Up Connection 62 90 Nailed up Connection 90 Nailed Up Connections 92 NAT 65 94 151 Applying NAT in the SMT Menus 107 Configuring 1...

Page 348: ...e 208 Restore Configuration 186 retry count 59 retry interval 59 RFC 1889 341 RFC 3489 342 RIP 65 75 77 94 Direction 77 Version 77 95 RoadRunner Support 38 Route 88 RTP 341 S Schedule Sets Duration 215 Schedules 90 92 Server 80 81 88 110 113 116 117 123 124 206 Server IP 88 Service Name 88 Service Type 80 87 Session Initiation Protocol 337 setup a schedule 214 SIP Account 337 SIP ALG 342 SIP Appli...

Page 349: ... filter rule 141 technical publications 26 Terminal Emulation 41 text conventions 25 TFTP File Transfer 192 TFTP Restrictions 183 211 Time and Date 33 Time and Date Setting 205 206 Time Zone 207 Timeout 62 82 83 90 Trace 171 Tracing 38 trademarks 2 Traffic Redirect 37 Setup 98 Triangle 229 Triangle Route Solutions 230 Trigger Port Forwarding 129 U Uniform Resource Identifier 337 Universal Plug and...

Reviews:

No comments