Nortel 252 Page 324 Configuration Download

Page: 324 / 345

324

Appendix J Log descriptions

NN47923-501

Table 86

shows sample log messages during packet transmission.

Table 87

shows RFC-2408 ISAKMP payload types that the log displays. Refer to

the RFC for detailed information on each type.

Table 86

Sample IPSec logs during packet transmission

LOG MESSAGE

DESCRIPTION

!! WAN IP changed to <IP>

If the Business Secure Router’s WAN IP

changes, all configured “My IP Addr” are

changed to “0.0.0.0”. If this field is configured as

0.0.0.0, the Business Secure Router uses the

current Business Secure Router WAN IP

address (static or dynamic) to set up the VPN

tunnel.

!! Cannot find IPSec SA

The Business Secure Router cannot find a

phase 2 SA that corresponds with the SPI of an

inbound packet (from the peer); the packet is

dropped.

!! Cannot find outbound SA for
rule <%d>

The packet matches the rule index number (#d),

but Phase 1 or Phase 2 negotiation for outbound

(from the VPN initiator) traffic is not finished yet.

!! Discard REPLAY packet

If the Business Secure Router receives a packet

with the wrong sequence number it discards it.

!! Inbound packet authentication
failed

The authentication configuration settings are

incorrect. Check them.

!! Inbound packet decryption
failed

The decryption configuration settings are

incorrect. Check them.

Rule <#d> idle time out,
disconnect

If an SA has no packets transmitted for a period

of time (configurable via CI command), the

Business Secure Router drops the connection.

Table 87

RFC-2408 ISAKMP payload types

Log Display

Payload Type

Security Association

PROP

Proposal

TRANS

Transform

Key Exchange

Identification

CER

Certificate

Summary of Contents for 252

Page 1: ...BSR252 Business Secure Router Document Number NN47923 501 Document Version 1 1 Date March 2007 Nortel Business Secure Router 252 Configuration Advanced ...

Page 2: ...o be accurate and reliable but are presented without express or implied warranty The information in this document is proprietary to Nortel Trademarks Nortel Nortel Logo the Globemark and This is the way This is Nortel Design mark are trademarks of Nortel Microsoft MS MS DOS Windows and Windows NT are registered trademarks of Microsoft Corporation All other trademarks and registered trademarks are ...

Page 3: ... EMEA Europe Middle East Africa 27 Technical Support CTAS 27 CALA Caribbean Latin America 28 Technical Support CTAS 28 APAC Asia Pacific 28 Technical Support GNTS 28 Chapter 1 Getting to know your Nortel Business Secure Router 252 31 Introducing the Nortel Business Secure Router 252 31 Features 32 Physical features 32 High speed Internet access 32 ADSL standards 32 Networking compatibility 33 Mult...

Page 4: ...ring 36 Packet filtering 36 Universal Plug and Play UPnP 36 Call scheduling 36 PPPoE 36 Dynamic DNS support 37 IP Multicast 37 IP Alias 37 Central Network Management 37 SNMP 37 Network Address Translation NAT 38 Traffic Redirect 38 Port Forwarding 38 DHCP Dynamic Host Configuration Protocol 38 Full network management 38 Logging and tracing 39 Upgrade Business Secure Router Firmware 39 Embedded FTP...

Page 5: ...al setup 49 Introduction to general setup 49 Configuring general setup 49 Configuring dynamic DNS 52 Chapter 3 WAN and Dial Backup Setup 55 Introduction to WAN and dial backup setup 55 WAN setup 55 Traffic redirect setup 57 Dial backup 59 Advanced WAN setup 59 Remote node profile Backup ISP 61 Editing PPP options 64 Editing TCP IP options 65 Editing logon script 68 Remote node filter 71 Chapter 4 ...

Page 6: ...te Node profile 86 Encapsulation and Multiplexing scenarios 87 Edit IP Bridge 90 Remote Node filter 93 Editing ATM Layer Options 95 VC based Multiplexing non PPP Encapsulation 95 LLC based Multiplexing or PPP Encapsulation 95 Advance Setup Options 96 Chapter 7 IP Static Route Setup 99 IP Static Route Setup 99 Chapter 8 Dial in User Setup 103 Dial in User Setup 103 Chapter 9 Network Address Transla...

Page 7: ...th inside servers 122 Configuring Trigger Port forwarding 127 Chapter 10 Introducing the firewall 131 Using SMT menus 131 Activating the firewall 131 Chapter 11 Filter configuration 133 Introduction to filters 133 Filter Structure 134 Configuring a Filter Set 136 Configuring a Filter Rule 139 Configuring a TCP IP Filter Rule 139 Configuring a Generic Filter Rule 144 Example Filter 146 Filter Types...

Page 8: ... 166 System Information 167 Console port speed 169 Log and trace 169 Syslog logging 170 CDR 171 Packet triggered 172 Filter log 172 PPP log 173 Firewall log 174 Call Triggering packet 174 WAN DHCP 176 Chapter 15 Firmware and configuration file maintenance 179 Filename conventions 179 Backup configuration 180 Backup configuration 181 Using the FTP command from the command line 181 Example of FTP co...

Page 9: ...S prompt example 191 FTP Session Example of Firmware File Upload 192 TFTP file upload 192 TFTP upload command example 193 Uploading via console port 194 Uploading Firmware File Via Console Port 194 Uploading Xmodem firmware using HyperTerminal 195 Uploading configuration file via console port 195 Uploading Xmodem configuration file using HyperTerminal 197 Chapter 16 System Maintenance menus 8 to 1...

Page 10: ...rifying Settings 226 Macintosh OS X 227 Verifying settings 228 Appendix B Triangle Route 229 The Ideal Setup 229 The Triangle Route Problem 229 The Triangle Route Solutions 230 IP aliasing 230 Appendix C Importing certificates 233 Import Business Secure Router certificates into Netscape Navigator 233 Importing the Business Secure Router Certificate into Internet Explorer 234 Enrolling and Importin...

Page 11: ...ower Adapter Specifications 255 Appendix F IP subnetting 257 IP addressing 257 IP classes 257 Subnet masks 259 Subnetting 259 Example two subnets 260 Example four subnets 262 Example eight subnets 263 Subnetting with Class A and Class B networks 264 Appendix G Command Interpreter 267 Command Syntax 267 Command usage 267 Sys commands 268 Exit Command 276 Ethernet Commands 276 IP commands 277 IPSec ...

Page 12: ...ommands 309 Appendix J Log descriptions 311 VPN IPSec logs 319 VPN responder IPSec log 321 Log commands 328 Configuring what you want the Business Secure Router to log 329 Displaying logs 329 Log command example 330 Appendix K Brute force password guessing protection 331 Appendix L SIP 333 SIP Identities 333 SIP Number 333 SIP Service Domain 334 SIP Call Progression 334 SIP Servers 335 SIP User Ag...

Page 13: ...Contents 13 Nortel Business Secure Router 252 Configuration Advanced SIP Register Server 337 RTP 337 Index 341 ...

Page 14: ...14 Contents NN47923 501 ...

Page 15: ...11 3 Remote Node Network Layer Options 66 Figure 15 Menu 11 2 3 Remote Node Setup Script 70 Figure 16 Menu 11 2 4 dial backup remote node filter 71 Figure 17 Menu 3 LAN setup 73 Figure 18 Menu 3 1 LAN Port Filter Setup 74 Figure 19 Menu 3 LAN Setup 74 Figure 20 Menu 3 2 TCP IP and DHCP Ethernet setup 75 Figure 21 Menu 3 2 1 IP Alias setup 78 Figure 22 Menu 4 Internet Access Setup 82 Figure 23 Menu...

Page 16: ...Sets 116 Figure 44 15 2 1 NAT Server Configuration 117 Figure 45 Menu 15 2 NAT Server Setup 118 Figure 46 Multiple servers behind NAT example 119 Figure 47 NAT Example 1 120 Figure 48 Menu 4 Internet access NAT example 120 Figure 49 NAT Example 2 121 Figure 50 Menu 15 2 Specifying an inside server 122 Figure 51 NAT example 3 123 Figure 52 Example 3 Menu 11 3 124 Figure 53 Example 3 Menu 15 1 1 1 1...

Page 17: ...1 System Maintenance Information 168 Figure 82 Menu 24 2 2 System Maintenance Change Console Port Speed 169 Figure 83 Menu 24 3 System Maintenance Log and Trace 170 Figure 84 Menu 24 3 2 System Maintenance Syslog Logging 170 Figure 85 Call Triggering packet example 174 Figure 86 Menu 24 4 System Maintenance Diagnostic 176 Figure 87 WAN LAN DHCP 177 Figure 88 Menu 24 5 System Maintenance Backup Con...

Page 18: ...g Schedule Sets to a Remote Node PPPoE 216 Figure 116 WIndows 95 98 Me network configuration 218 Figure 117 Windows 95 98 Me TCP IP properties IP address 219 Figure 118 Windows 95 98 Me TCP IP Properties DNS configuration 220 Figure 119 Windows XP Start menu 221 Figure 120 Windows XP Control Panel 221 Figure 121 Windows XP Control Panel Network Connections Properties 222 Figure 122 Windows XP Loca...

Page 19: ...import wizard 5 246 Figure 147 Personal certificate import wizard 6 246 Figure 148 Access the Business Secure Router via HTTPS 247 Figure 149 SSL client authentication 247 Figure 150 Business Secure Router secure login screen 248 Figure 151 Single PC per router hardware configuration 250 Figure 152 Business Secure Router as a PPPoE Client 251 Figure 153 Console or dial backup port pin layouts 254 ...

Page 20: ...20 Figures NN47923 501 ...

Page 21: ...ble 13 Menu 11 2 3 remote node script menu fields 70 Table 14 DHCP Ethernet setup menu fields 75 Table 15 LAN TCP IP setup menu fields 77 Table 16 IP Alias setup menu field 78 Table 17 Menu 4 Internet access setup 82 Table 18 Menu 11 1 Remote Node Profile 88 Table 19 Menu 11 3 Remote Node Network Layer Options 91 Table 20 Menu 11 8 Advance Setup Options 97 Table 21 IP Static Route Menu Fields 101 ...

Page 22: ...r GUI based FTP clients 182 Table 43 General commands for GUI based TFTP clients 184 Table 44 Budget management 203 Table 45 Call History Fields 204 Table 46 Time and Date Setting Fields 206 Table 47 Menu 24 11 Remote Management control 210 Table 48 Menu 26 1 Schedule Set Setup 215 Table 49 General specifications 253 Table 50 Console or dial backup port pin assignments 254 Table 52 Allowed IP addr...

Page 23: ...ror logs 311 Table 77 System maintenance logs 311 Table 78 UPnP logs 312 Table 79 Content filtering logs 312 Table 80 Attack logs 313 Table 81 Access logs 315 Table 82 ACL setting notes 318 Table 83 ICMP notes 318 Table 84 Sys log 319 Table 85 Sample IKE key exchange logs 322 Table 86 Sample IPSec logs during packet transmission 324 Table 87 RFC 2408 ISAKMP payload types 324 Table 88 PKI logs 325 ...

Page 24: ...24 Tables NN47923 501 ...

Page 25: ...and the SMT Text conventions This guide uses the following text conventions Note This guide explains how to use the System Management Terminal SMT or the command interpreter interface to configure your Business Secure Router See the basic manual for how to use the WebGUI to configure your Business Secure Router Not all features can be configured through all interfaces Enter means for you to type o...

Page 26: ...te the specific category and model or version for your hardware or software product Use Adobe Reader to open the manuals and release notes search for the sections you need and print them on most standard printers Go to Adobe Systems at www adobe com to download a free copy of the Adobe Reader How to get help If you do not see an appropriate number in this list go to www nortel com cs A single keys...

Page 27: ...eral questions and first line support you can enter ERC 338 Web Site www nortel com cs Presales Support CSAN Telephone 1 800 4NORTEL 1 800 466 7835 Use Express Routing Code ERC 1063 EMEA Europe Middle East Africa Technical Support CTAS Telephone European Free phone 00800 800 89009 European Alternative Calls are not free from all countries in Europe Middle East or Africa Fax 44 191 555 7980 E mail ...

Page 28: ...esk 61 2 8870 5511 Sydney Technical Support GNTS Telephone 612 8870 8800 Fax 612 8870 5569 E mail asia_support nortel com Australia 1 800 NORTEL 1 800 667 835 China 010 6510 7770 India 011 5154 2210 Indonesia 0018 036 1004 Japan 0120 332 533 Malaysia 1800 805 380 New Zealand 0800 449 716 Philippines 1800 1611 0063 Singapore 800 616 2004 South Korea 0079 8611 2001 Taiwan 0800 810 500 ...

Page 29: ...Preface 29 Nortel Business Secure Router 252 Configuration Advanced Thailand 001 800 611 3007 Service Business Centre Pre Sales Help Desk 61 2 8870 5511 ...

Page 30: ...30 Preface NN47923 501 ...

Page 31: ...terfaces and a high speed Asymmetrical Digital Subscriber Line Plus ADSL2 port into a single package The Business Secure Router is ideal for high speed Internet browsing and making LAN to LAN connections to remote networks By integrating Digital Subscriber Line DSL and Network Address Translation NAT the Business Secure Router provides easy installation and Internet access By integrating firewall ...

Page 32: ...ctor of the International Telecommunications Union G 992 1 ADSL2 G dmt bis G 992 3 ADSL2 G 992 5 Table 1 Feature specifications Feature Specification Number of static routes 12 Number of NAT sessions 4096 Number of SUA Single User Account servers 12 Number of address mapping rules 10 Maximum number of VPN IP Policies 60 Maximum number of VPN Tunnels Client and or Branch Office 10 Maximum number of...

Page 33: ...nt I 610 F4 F5 OAM Networking compatibility Your Business Secure Router is compatible with the major ADSL Digital Subscriber Line Access Multiplexer DSLAM providers making configuration as simple as possible Multiplexing The Business Secure Router supports VC based and LLC based multiplexing Encapsulation The Business Secure Router supports PPPoA RFC 2364 PPP over ATM Adaptation Layer 5 RFC 1483 e...

Page 34: ...er you can get the current time and date from an external server when you turn on your Business Secure Router You can also set the time manually Reset button The Business Secure Router reset button is built into the rear panel Use this button to restart the Business Secure Router or restore the factory default password to setup IP address to 192 168 1 1 subnet mask to 255 255 255 0 and DHCP server...

Page 35: ...fer Protocol over Secure Socket Layer or HTTP over SSL is a web protocol that encrypts and decrypts web sessions Use HTTPS for secure WebGUI access to the Business Secure Router IEEE 802 1x for network security The Business Secure Router supports the IEEE 802 1x standard for user authentication With the local user profile in the Business Secure Router you can configure up to 32 user profiles witho...

Page 36: ...cure Router can block specific URLs by using the keyword feature The administrator can also define time periods and days during which content filtering is enabled Packet filtering The packet filtering mechanism blocks unwanted traffic from entering or leaving your network Universal Plug and Play UPnP Using the standard TCP IP protocol the Business Secure Router and other UPnP enabled devices can d...

Page 37: ...e same Ethernet interface The Business Secure Router supports three logical LAN interfaces through its single physical Ethernet LAN interface with the Business Secure Router itself as the gateway for each LAN network Central Network Management With Central Network Management CNM an enterprise or service provider network administrator can manage your Business Secure Router The enterprise or service...

Page 38: ...on Protocol With DHCP Dynamic Host Configuration Protocol individual client computers can obtain the TCP IP configuration at start up from a centralized DHCP server The Business Secure Router has built in DHCP server capability enabled by default which means it can assign IP addresses an IP default gateway and DNS servers to all systems that support the DHCP client The Business Secure Router can a...

Page 39: ...embedded FTP and TFTP servers enable fast firmware upgrades as well as configuration file backups and restoration Applications for the Nortel Business Secure Router 252 Secure broadband internet access and VPN The Nortel Business Secure Router 252 provides broadband Internet access through ADSL The Business Secure Router also provides IP address sharing and a firewall protected local network with ...

Page 40: ...l Business Secure Router 252 continue with the rest of this guide for configuration instructions Note To keep the Business Secure Router operating at optimal internal temperature keep the bottom sides and rear clear of obstructions and away from the exhaust of other equipment Caution Electro static Discharge can disrupt the router Use appropriate handling precautions to avoid ESD Avoid touching th...

Page 41: ...r 1 Getting to know your Nortel Business Secure Router 252 41 Nortel Business Secure Router 252 Configuration Advanced Note Please use only No 26 AWG American Wire Gauge or larger telecommunication line cord ...

Page 42: ...42 Chapter 1 Getting to know your Nortel Business Secure Router 252 NN47923 501 ...

Page 43: ... access the SMT System Management Terminal menus via the console port how to navigate the SMT and how to configure SMT menus Accessing the SMT via the console port Make sure you have the physical connection properly set up as described in the hardware installation chapter When configuring using the console port you need a computer equipped with communications software configured to the following p...

Page 44: ...sword PlsChgMe is the default and press ENTER As you type the password the screen displays an X for each character you type Note that if there is no activity for longer than five minutes after you log on your Business Secure Router will automatically log you off and display a blank screen If you see a blank screen press ENTER to bring up the logon screen again Navigating the SMT interface The SMT ...

Page 45: ...in a menu press ENTER to move to the next field You can also use the UP or DOWN arrow keys to move to the previous or the next fields respectively When you are at the top of a menu press the UP arrow key to move to the bottom of a menu Entering information Fill in or press SPACE BAR then press ENTER to select from choices There are two types of fields The first requires you to type in the appropri...

Page 46: ...ormation 2 WAN Setup Use this menu to configure the backup WAN connection 3 LAN Setup Use this menu to apply LAN filters configure LAN DHCP and TCP IP settings 4 Internet Access Setup Configure your Internet Access setup Internet address gateway IP address and logon with this menu 11 Remote Node Setup Use this menu to configure detailed remote node settings your ISP is also a remote node as well a...

Page 47: ...ress ENTER 5 Retype your new system password in the Retype to confirm field for confirmation and press ENTER Note that as you type a password the screen displays an asterisk for each character you type 23 System Security Use this menu to change your password and enable network user authentication 24 System Maintenance From displaying system status to uploading firmware this menu provides comprehen...

Page 48: ...48 Chapter 2 Introducing the SMT NN47923 501 SMT menus at a glance Figure 6 SMT overview ...

Page 49: ...o open Menu 1 general setup The Menu 1 General Setup screen appears as shown in Figure 7 Fill in the required fields Figure 7 Menu 1 General Setup Menu 1 General Setup System Name Domain Name First System DNS Server From ISP IP Address N A Second System DNS Server From ISP IP Address N A Third System DNS Server From ISP IP Address N A Edit Dynamic DNS No Route IP Yes Bridge No Press ENTER to Confi...

Page 50: ...be up to 30 alphanumeric characters long Spaces dashes and underscores _ are accepted Business Secure Router Domain name Enter the domain name if you know it here If you leave this field blank the ISP assigns a domain name via DHCP You can go to menu 24 8 and type sys domain name to see the current domain name used by your router The domain name entered by you is given priority over the ISP assign...

Page 51: ... ISP changes to None after you save your changes If you select From ISP for the second or third DNS server but the ISP does not provide a second or third IP address From ISP changes to None after you save your changes Select User Defined if you have the IP address of a DNS server The IP address can be public or a private address on your local LAN Enter the DNS server s IP address in the field to t...

Page 52: ...te DNS entry with the IP address set to 0 0 0 0 changes to None after you click Apply A duplicate Private DNS entry changes to None after you save your changes Edit dynamic DNS Press SPACE BAR and then ENTER to select Yes or No default Select Yes to configure Menu 1 1 Configure Dynamic DNS discussed next No default After you complete this menu press ENTER at the prompt Press ENTER to Confirm to sa...

Page 53: ... mail mailserver User Enter your username Password Enter the password assigned to you Enable Wildcard Your Business Secure Router supports DYNDNS Wildcard Press SPACE BAR and then ENTER to select Yes or No This field is N A when you choose DDNS client as your service provider Offline This field is only available when CustomDNS is selected in the DDNS Type field Press SPACE BAR and then ENTER to se...

Page 54: ...P address is public or private static or dynamic Yes Use Specified IP Address Press SPACE BAR to select Yes and then press ENTER to update the IP address of the host names to the IP address specified below Only select Yes if the Business Secure Router uses or is behind a static public IP address No Use IP Address Enter the static public IP address if you select Yes in the Use Specified IP Address ...

Page 55: ... how to configure the WAN using Menu 2 and dial backup using menus 2 1 and 11 1 Introduction to WAN and dial backup setup This chapter explains how to configure the settings for your WAN port and how to configure the Business Secure Router for a dial backup connection WAN setup From the main menu enter 2 to open Menu 2 ...

Page 56: ...direct Metric Dial Backup Metric The Business Secure Router uses the connection with the lowest metric value first The default WAN connection is 1 as your broadband connection through the WAN port must always be your preferred method of accessing the WAN The default priority of the routes is WAN Traffic Redirect and then Dial Backup dial backup does not apply to all Business Secure Router models Y...

Page 57: ...Yes or off No No Port Speed Press SPACE BAR and then press ENTER to select the speed of the connection between the dial backup port and the external device Available speeds are 9600 19200 38400 57600 115200 or 230400 b s 115200 AT Command String Init Enter the AT command string to initialize the WAN device Consult the manual of the WAN device connected to your Dial Backup port for specific AT comm...

Page 58: ...nel to determine if the WAN connection is down Configuration Backup Gateway IP Address Enter the IP address of your backup gateway in dotted decimal notation The Business Secure Router automatically forwards traffic to this IP address if the Internet connection of the Business Secure Router terminates Metric This field sets the priority for this route among the routes the Business Secure Router us...

Page 59: ...ake sure you have set up the switch and port connection see the Hardware Installation chapter then configure Menu 2 WAN Setup Menu 2 1 Advanced WAN Setup Menu 11 2 Remote Node Profile Backup ISP as shown in Figure 12 on page 62 Refer also to the traffic redirect section for information on an alternate backup WAN connection Advanced WAN setup To edit the advanced setup for the Dial Backup port move...

Page 60: ...r the AT Command string to make a call atdt Drop Enter the AT Command string to drop a call represents a one second wait For example ath can be used if your modem has a slow response time ath Answer Enter the AT Command string to answer a call ata Drop DTR When Hang Up Press the SPACE BAR to choose either Yes or No When Yes is selected the default the DTR Data Terminal Ready signal is dropped afte...

Page 61: ...cure Router times out and stops if it cannot set up an outgoing call within the timeout value 60 seconds Retry Count Enter a number of times for the Business Secure Router to retry a busy or no answer phone number before blacklisting the number 0 to disable the blacklist control Retry Interval sec Enter a number of seconds for the Business Secure Router to wait before trying another call after a c...

Page 62: ...e Nailed Up Connection No Session Options Edit Filter Sets No Idle Timeout sec 100 Press ENTER to Confirm or ESC to Cancel Press ENTER to Confirm or ESC to Cancel Table 10 Fields in Menu 11 2 Remote Node Profile Backup ISP Field Description Example Rem Node Name Enter a descriptive name for the remote node This field can be up to eight characters LAoffice Active Press SPACE BAR and then ENTER to s...

Page 63: ...ld set to 0 0 0 0 default if the remote gateway has a dynamic IP address Enter the remote gateway s IP address here if it is static 0 0 0 0 default Edit IP This field leads to a hidden menu Press SPACE BAR to select Yes and press ENTER to go to Menu 11 2 2 Remote Node Network Layer Options Please see Editing TCP IP options for more information No default Edit Script Options Press SPACE BAR to sele...

Page 64: ... connection act as a dial up connection No default Session Options Edit Filter sets This field leads to another hidden menu Use SPACE BAR to select Yes and press ENTER to open menu 11 2 4 to edit the filter sets See Remote node filter for more details No default Idle Timeout Enter the number of seconds of idle time when there is no traffic from the Business Secure Router to the remote node that ca...

Page 65: ...select Yes Press ENTER to open Menu 11 3 Network Layer Options Menu 11 2 1 Remote Node PPP Options Encapsulation Standard PPP Compression No Enter here to CONFIRM or ESC to CANCEL Press Space Bar to Toggle Table 11 Remote node PPP options menu fields FIELD DESCRIPTION EXAMPLE Encapsulation Press SPACE BAR and then ENTER to select CISCO PPP if your Dial Backup WAN device uses Cisco PPP encapsulatio...

Page 66: ...ork Layer Options Menu Fields Field Description Example IP Address Assignment If your ISP did not assign you an explicit IP address press SPACE BAR and then ENTER to select Dynamic otherwise select Static and enter the IP address subnet mask in the following fields Dynamic default Rem IP Address Leave this field set to 0 0 0 0 to have the ISP or other remote router dynamically automatically send i...

Page 67: ...e Full Feature if you have multiple public IP addresses Full Feature mapping types include One to One Many to One SUA PAT Many to Many Overload Many One to One and Server When you select Full Feature you must configure at least one address mapping set See the Network Address Translation NAT chapter for a full discussion on this feature None default Address Mapping Set Metric Enter a number from 1 ...

Page 68: ...ase Similarly you specify word as the Expect string and your password as the Send string for the second prompt in set 2 Multicast IGMP Internet Group Multicast Protocol is a network layer protocol used to establish membership in a Multicast group The Business Secure Router supports both IGMP version 1 IGMP v1 and version 2 IGMP v2 Press the SPACE BAR to enable IP Multicasting or select None to dis...

Page 69: ...e script When both the Expect and the Send fields of the current set are empty the Business Secure Router terminates the script processing and start PPP negotiation This implies two things first the sets must be contiguous the sets after an empty one are ignored Second the last set must match the final message sent by the server For instance if the server prints login successful Starting PPP after...

Page 70: ...nd Enter here to CONFIRM or ESC to CANCEL Press Space Bar to Toggle Table 13 Menu 11 2 3 remote node script menu fields Field Description Example Active Press SPACE BAR and then ENTER to select either Yes to enable the AT strings or No to disable them No default Set 1 6 Expect Enter an Expect string to match After matching the Expect string the Business Secure Router returns the string in the Send...

Page 71: ...the Business Secure Router to prevent certain packets from triggering calls You can specify up to four filter sets separated by commas for example 1 5 9 12 in each filter field Note that spaces are accepted in this field Refer to Chapter 11 Filter configuration on page 133 for more information about defining the filters Figure 16 Menu 11 2 4 dial backup remote node filter Menu 11 2 4 Remote Node F...

Page 72: ...72 Chapter 3 WAN and Dial Backup Setup NN47923 501 ...

Page 73: ...ections Accessing the LAN menus From the main menu enter 3 to open Menu 3 LAN setup Figure 17 Menu 3 LAN setup LAN port filter setup With Menu 3 you can specify the filter sets that you wish to apply to the LAN traffic You seldom need to filter the LAN traffic however the filter sets are useful to block certain packets reduce traffic and prevent security breaches Menu 3 LAN Setup 1 LAN Port Filter...

Page 74: ...LAN Setup From menu 3 select the submenu option TCP IP and DHCP Setup and press ENTER The screen now displays Menu 3 2 TCP IP and DHCP Ethernet Setup as shown in Figure 20 Menu 3 1 LAN Port Filter Setup Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Press ENTER to Confirm or ESC to Cancel Menu 3 LAN Setup 1 LAN Port Filter Setup 2 TCP IP and DH...

Page 75: ...cast None IP Address N A Edit IP Alias No Third DNS Server From ISP IP Address N A DHCP Server Address N A Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Follow the instructions in Table 14 to configure the DHCP fields Table 14 DHCP Ethernet setup menu fields Field Description Example DHCP This field enables and disables the DHCP server If set to Server your Business Secure Rout...

Page 76: ...but leave the IP address set to 0 0 0 0 User Defined changes to None after you save your changes If you set a second choice to User Defined and enter the same IP address the second User Defined changes to None after you save your changes Select DNS Relay to have the Business Secure Router act as a DNS proxy The Business Secure Router s LAN IP address displays in the IP Address field below read onl...

Page 77: ... Unless you are implementing subnetting use the subnet mask computed by the Business Secure Router 255 255 255 0 RIP Direction Press SPACE BAR and then ENTER to select the RIP direction Options are Both In Only Out Only or None Both default Version Press SPACE BAR and then ENTER to select the RIP version Options are RIP 1 RIP 2B or RIP 2M RIP 1 default Multicast IGMP Internet Group Multicast Proto...

Page 78: ...tocol filters N A Outgoing protocol filters N A Enter here to CONFIRM or ESC to CANCEL Press Space Bar to Toggle Table 16 IP Alias setup menu field Field Description Example IP Alias Choose Yes to configure the LAN network for the Business Secure Router Yes IP Address Enter the IP address of your Business Secure Router in dotted decimal notation 192 168 1 1 IP Subnet Mask Your Business Secure Rout...

Page 79: ... and then ENTER to select the RIP version Options are RIP 1 RIP 2B or RIP 2M RIP 1 Incoming Protocol Filters Enter the filter sets you wish to apply to the incoming traffic between this node and the Business Secure Router 1 Outgoing Protocol Filters Enter the filter sets you wish to apply to the outgoing traffic between this node and the Business Secure Router 2 Table 16 IP Alias setup menu field ...

Page 80: ...80 Chapter 4 LAN setup NN47923 501 ...

Page 81: ...t you can access in Menu 11 Before you configure your Business Secure Router for Internet access you must collect your Internet account information Use your Internet account information from your ISP to fill in this menu Note that if you are using PPPoA or PPPoE encapsulation the only ISP information you need is a logon name and password You only need to know the Ethernet Encapsulation Gateway IP ...

Page 82: ... purposes only ChangeMe Encapsulation Press SPACE BAR to select the method of encapsulation used by your ISP Choices are PPPoE PPPoA RFC 1483 or ENET ENCAP ENET ENCAP Multiplexing Press SPACE BAR to select the method of multiplexing used by your ISP Choices are VC based or LLC based LLC based VPI Enter the Virtual Path Identifier VPI that the telephone company gives you 8 VCI Enter the Virtual Cha...

Page 83: ...ber of idle seconds that elapse before the Business Secure Router automatically disconnects the PPPoE session 0 IP Address Assignment Press SPACE BAR to select Static or Dynamic address assignment Dynamic IP Address Enter the IP address supplied by your ISP if applicable N A Network Address Translation Press SPACE BAR to select None SUA Only or Full Feature For more details about the single user a...

Page 84: ...84 Chapter 5 Internet access NN47923 501 ...

Page 85: ... that node s profile in menu 11 1 as well as configure specific settings in three submenus edit IP and bridge options in menu 11 3 edit ATM options in menu 11 6 and edit filter sets in menu 11 5 Outgoing Authentication Protocol Generally speaking you should employ the strongest authentication protocol possible for obvious reasons However some vendor s implementation includes a specific authenticat...

Page 86: ...ed up connection can be very expensive for obvious reasons Do not specify a nailed up connection unless your telephone company offers flat rate service or you need a constant connection and the cost is of no concern The following table describes the fields specific to PPPoE encapsulation Remote Node setup This section describes the protocol independent parameters for a remote node Remote Node prof...

Page 87: ...lexing methods because they cannot be automatically determined What methods you use also depends on how many VCs you have and how many different network protocols you need The extra overhead that ENET ENCAP encapsulation entails makes it a poor choice in a LAN to LAN application Here are some examples of more suitable combinations in such an application Scenario 1 One VC Multiple Protocols PPPoA R...

Page 88: ... Profile Rem Node Name ChangeMe Route IP Active Yes Bridge No Encapsulation ENET ENCAP Edit IP Bridge No Multiplexing LLC based Edit ATM Options No Service Name N A Edit Advance Options N A Incoming Telco Option Rem Login N A Allocated Budget min N A Rem Password N A Period hr N A Outgoing Schedule Sets N A My Login N A Nailed Up Connection N A My Password N A Session Options Authen N A Edit Filte...

Page 89: ...r Business Secure Router Outgoing My Login Type the login name assigned by your ISP when the Business Secure Router calls this remote node My Password Type the password assigned by your ISP when the Business Secure Router calls this remote node Authen This field sets the authentication protocol used for outgoing calls Options for this field are CHAP PAP Your Business Secure Router will accept eith...

Page 90: ... Period hr is 1 hour Schedule Sets This field is only applicable for PPPoE and PPPoA encapsulation You can apply up to four schedule sets here For more details please refer to the Call scheduling chapter Nailed up Connection This field is only applicable for PPPoE and PPPoA encapsulation This field specifies if you want to make the connection to this remote node a nailed up connection More details...

Page 91: ...IP Addr 0 0 0 0 Rem Subnet Mask 0 0 0 0 My WAN Addr N A NAT SUA Only Address Mapping Set N A Metric 2 Private No RIP Direction None Version RIP 1 Multicast None Enter here to CONFIRM or ESC to CANCEL Table 19 Menu 11 3 Remote Node Network Layer Options Field Description Example IP Address Assignment Press SPACE BAR and then ENTER to select Dynamic if the remote node is using a dynamically assigned...

Page 92: ...SUA Only is selected in the NAT field the SMT uses NAT server set 1 in menu 15 2 see Chapter 9 Network Address Translation NAT on page 105 for details 2 Metric The metric represents the cost of transmission for routing purposes IP routing uses hop count as the cost measurement with a minimum of 1 for directly connected networks Type a number that approximates the cost for this link The number need...

Page 93: ...prevent certain packets from triggering calls You can specify up to 4 filter sets separated by commas for example 1 5 9 12 in each filter field Note that spaces are accepted in this field For more information on defining the filters please refer to Chapter 11 Filter configuration For PPPoE or PPPoA encapsulation you have the additional option of specifying remote node call filter sets After you co...

Page 94: ...see Traffic redirect setup on page 57 Menu 11 1 4 Remote Node Filter Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Enter here to CONFIRM or ESC to CANCEL Menu 11 1 4 Remote Node Filter Input Filter Sets protocol filters Device filters Output Filter Sets protocol filters device filters Call Filter Sets protocol filters Device filters Enter here...

Page 95: ...on in menu 11 1 VC based Multiplexing non PPP Encapsulation For VC based multiplexing by prior agreement a protocol is assigned a specific virtual circuit for example VC1 will carry IP Separate VPI and VCI numbers must be specified for each protocol Figure 28 Menu 11 6 for VC based Multiplexing LLC based Multiplexing or PPP Encapsulation For LLC based multiplexing or PPP encapsulation one VC carri...

Page 96: ... Profile Menu 11 6 Remote Node ATM Layer Options VPI VCI LLC Multiplexing or PPP Encapsulation VPI 8 VCI 35 ATM QoS Type UBR ENTER here to CONFIRM or ESC to CANCEL Menu 11 1 Remote Node Profile Rem Node Name MyISP Route IP Active Yes Bridge No Encapsulation PPPoE Edit IP Bridge No Multiplexing LLC based Edit ATM Options No Service Name Edit Advance Options Yes Incoming Telco Option Rem Login Alloc...

Page 97: ...to enable PPPoE pass through In addition to the Contivity 251 s built in PPPoE client you can enable PPPoE pass through to allow up to ten hosts on the LAN to use PPPoE client software on their computers to connect to the ISP via the Contivity 251 Each host can have a separate account and a public WAN IP address PPPoE pass through is an alternative to NAT for application where NAT is not appropria...

Page 98: ...98 Chapter 6 Remote Node setup NN47923 501 ...

Page 99: ...pter 7 IP Static Route Setup This chapter shows you how to configure static routes with your Business Secure Router IP Static Route Setup Enter 12 from the main menu Select one of the IP static routes as shown in Figure 32 to configure IP static routes in menu 12 1 ...

Page 100: ...c Route Setup Now enter the index number of the static route that you want to configure Menu 12 IP Static Route Setup 1 ________ 2 ________ 3 ________ 4 ________ 5 ________ 6 ________ 7 ________ 8 ________ 9 ________ 10 ________ 11 ________ 12 ________ Enter selection number ...

Page 101: ...5 in the subnet mask field to force the network number to be identical to the host ID IP Subnet Mask Enter the IP subnet mask for this destination Gateway IP Address Enter the IP address of the gateway The gateway is an immediate neighbor of your Business Secure Router that forwards the packet to the destination On the LAN the gateway must be a router on the same segment as your Business Secure Ro...

Page 102: ...102 Chapter 7 IP Static Route Setup NN47923 501 ...

Page 103: ... Router From the main menu enter 14 to display Menu 14 Dial in User Setup Figure 34 Menu 14 Dial in User Setup Type a number and press ENTER to edit the user profile Menu 14 Dial in User Setup 1 ________ 9 ________ 17 ________ 25 ________ 2 ________ 10 ________ 18 ________ 26 ________ 3 ________ 11 ________ 19 ________ 27 ________ 4 ________ 12 ________ 20 ________ 28 ________ 5 ________ 13 ______...

Page 104: ... 1 Edit Dial in User Field Description User Name Enter a username up to 31 alphanumeric characters long for this user profile This field is case sensitive Active Press SPACE BAR to select Yes and press ENTER to enable the user profile Password Enter a password up to 31 characters long for this user profile After you complete this menu press ENTER at the prompt Press ENTER to confirm or ESC to canc...

Page 105: ... Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types Applying NAT You apply NAT via menus 4 or 11 3 Figure 37 on page 107 Figure 36 shows you how to apply NAT for Internet access in menu 4 Enter 4 from the main menu to go to Menu 4 Internet Access Setup Note You must create a firewall rule in addition to setting up SUA NAT ...

Page 106: ... IP Bridge field press SPACE BAR to select Yes and then press ENTER to bring up Menu 11 3 Remote Node Network Layer Options Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation ENET ENCAP Multiplexing LLC based VPI 8 VCI 35 My Login N A My Password N A ENET ENCAP Gateway N A IP Address Assignment Dynamic IP Address N A Network Address Translation SUA Only Address Mapping Set N A Press EN...

Page 107: ...FIRM or ESC to CANCEL Press Space Bar to Toggle Table 23 Applying NAT in Menus 4 11 3 Field Description Options Network Address Translation When you select this option the SMT uses Address Mapping Set 1 menu 15 1 Address Mapping Sets on page 108 for further discussion Choose Full Feature if you have multiple public WAN IP addresses for your Business Secure Router When you select Full Feature you m...

Page 108: ...en you select SUA Only the SMT uses the pre configured Set 255 read only The server set is a list of LAN servers mapped to external ports To use this set a server rule must be set up inside the NAT address mapping set To configure NAT enter 15 from the main menu to bring up the screen shown in Figure 38 Figure 38 Menu 15 NAT Setup Address Mapping Sets Enter 1 to bring up Menu 15 1 Address Mapping ...

Page 109: ...nced Figure 39 Menu 15 1 Address Mapping Sets SUA Address Mapping Set Enter 255 to display the screen shown in Figure 40 see SUA Single User Account Versus NAT on page 105 The fields in this menu cannot be changed Menu 15 1 Address Mapping Sets 1 NAT_SET 255 SUA read only Enter Menu Selection Number ...

Page 110: ...bal End IP Type 1 0 0 0 0 255 255 255 255 0 0 0 0 M 1 2 0 0 0 0 Server 3 4 5 6 7 8 9 10 Press ENTER to Confirm or ESC to Cancel Note Menu 15 1 255 is read only Table 24 SUA Address Mapping Rules Field Description Example Set Name This is the name of the set you selected in menu 15 1 or enter the name of a new set you want to create SUA Idx This is the index or rule number 1 Local Start IP Local St...

Page 111: ...s 0 0 0 0 and the end IP is 255 255 255 255 255 255 255 255 Global Start IP This is the starting global IP address IGA If you have a dynamic IP enter 0 0 0 0 as the Global Start IP 0 0 0 0 Global End IP This is the ending global IP address IGA Type These are the mapping types discussed above With Server you can specify multiple servers of different types behind NAT to this machine Examples is foun...

Page 112: ...nfigured rule your configured rule is pushed up by that number of empty rules For example if you have already configured rules 1 to 6 in your current set and now you configure rule number 9 In the set summary screen the new rule will be rule 7 not 9 Menu 15 1 1 Address Mapping Rules Set Name NAT_SET Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 2 3 4 5 6 7 8 9 10 Action Edit...

Page 113: ...deleted NAT_SET Action The default is Edit Edit means you want to edit a selected rule see following field Insert Before means to insert a rule before the rule selected The rules after the selected rule are then moved down by one rule Delete means to delete the selected rule and all the rules after the selected one advance one rule None disables the Select Rule item Edit Select Rule When you choos...

Page 114: ... Type Press SPACE BAR and then ENTER to select from a total of five types If you choose Server you can specify multiple servers of different types behind NAT to this computer See Example 3 Multiple public IP addresses with inside servers on page 122 for an example One to On e Local IP Start Only local IP fields are N A for server Global IP fields must be set for Server Enter the starting local IP ...

Page 115: ...p 2 Enter 2 to go to Menu 15 2 NAT Server Setup Global IP Start Enter the starting global IP address IGA If you have a dynamic IP enter 0 0 0 0 as the Global IP Start Note that Global IP Start can be set to 0 0 0 0 only if the types are Many to One or Server 0 0 0 0 End Enter the ending global IP address IGA This field is N A for One to One Many to One and Server types N A After you finish configu...

Page 116: ... press ENTER to open Menu 15 2 1 NAT Server Configuration see the next figure Menu 15 2 NAT Server Setup Default Server 0 0 0 0 Rule Act Start Port End Port IP Address 001 No 0 0 0 0 0 0 002 No 0 0 0 0 0 0 003 No 0 0 0 0 0 0 004 No 0 0 0 0 0 0 005 No 0 0 0 0 0 0 006 No 0 0 0 0 0 0 007 No 0 0 0 0 0 0 008 No 0 0 0 0 0 0 009 No 0 0 0 0 0 0 010 No 0 0 0 0 0 0 Select Command None Select Rule N A Press ...

Page 117: ...arded in the End Port field Table 27 15 2 1 NAT Server Configuration Field Description Index This is the index number of an individual port forwarding server entry Name Enter a name to identify this port forwarding rule Active Press SPACE BAR and then ENTER to select Yes to enable the NAT server entry Start Port Enter a port number in the Start Port field To forward only one port enter it again in...

Page 118: ...ess ESC at any time to cancel Figure 45 Menu 15 2 NAT Server Setup You assign the private network IP addresses The NAT network appears as a single host on the Internet A is the FTP Telnet SMTP server Menu 15 2 NAT Server Setup Default Server 0 0 0 0 Rule Act Start Port End Port IP Address 001 No 0 0 0 0 0 0 002 Yes 21 25 192 168 1 33 003 No 0 0 0 0 0 0 004 No 0 0 0 0 0 0 005 No 0 0 0 0 0 0 006 No ...

Page 119: ...ervers behind NAT example General NAT examples The following are some examples of NAT configuration Internet access only In the Internet access example shown in Figure 47 you only need one rule where all your ILAs Inside Local addresses map to one dynamic IGA Inside Global Address assigned by your ISP Business Secure Router ...

Page 120: ...examples on page 119 The SUA Only read only option from the Network Address Translation field in menus 4 and 11 3 is specifically preconfigured to handle this case Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation ENET ENCAP Multiplexing LLC based VPI 8 VCI 35 My Login N A My Password N A ENET ENCAP Gateway N A IP Address Assignment Dynamic IP Address N A Network Address Translation S...

Page 121: ...n Advanced Example 2 Internet access with an inside server Figure 49 NAT Example 2 In this case you do exactly as shown in Figure 49 use the convenient pre configured SUA Only set and also go to menu 15 2 to specify the Inside Server behind the NAT as shown in Figure 50 Business Secure Router ...

Page 122: ...the first inside FTP server for FTP traffic in both directions 1 1 mapping giving both local and global IP addresses 2 Map the second IGA to the second internal FTP server for FTP traffic in both directions 1 1 mapping giving both local and global IP addresses 3 Map the other outgoing LAN traffic to IGA3 Many 1 mapping 4 You also map your third IGA to the web server and mail server on the LAN If y...

Page 123: ...52 2 Enter 15 from the main menu 3 Enter 1 to configure the Address Mapping Sets 4 Enter 1 to begin configuring this new set Enter a Set Name choose the Edit Action and then enter 1 for the Select Rule field Press ENTER to confirm 5 Select Type as One to One direct mapping for packets going both ways and enter the local Start IP as 192 168 1 10 the IP address of FTP Server 1 the global Start IP as...

Page 124: ...te Node Network Layer Options IP Options Bridge Options IP Address Assignment Dynamic Ethernet Addr Timeout min N A Rem IP Addr 0 0 0 0 Rem Subnet Mask 0 0 0 0 My WAN Addr 0 0 0 0 NAT Full Feature Address Mapping Set 1 Metric 15 Private No RIP Direction None Version RIP 1 Multicast None Enter here to CONFIRM or ESC to CANCEL Press Space Bar to Toggle ...

Page 125: ...tel Business Secure Router 252 Configuration Advanced Figure 53 Example 3 Menu 15 1 1 1 Menu 15 1 1 1 Address Mapping Rule Type One to One Local IP Start 192 168 1 10 End N A Global IP Start 10 132 50 1 End N A Press ENTER to Confirm or ESC to Cancel ...

Page 126: ...15 from the main menu 9 Now enter 2 from this menu and configure it as shown in Example 3 Menu 15 2 Menu 15 1 1 Address Mapping Rules Set Name Example3 Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 192 168 1 10 10 132 50 1 1 1 2 192 168 1 11 10 132 50 2 1 1 3 0 0 0 0 255 255 255 255 10 132 50 3 M 1 4 10 132 50 3 Server 5 6 7 8 9 10 Action Edit Select Rule ...

Page 127: ...re 56 Menu 15 2 NAT Server Setup Default Server 0 0 0 0 Rule Act Start Port End Port IP Address 001 Yes 80 80 192 168 1 21 002 Yes 25 25 192 168 1 20 003 No 0 0 0 0 0 0 004 No 0 0 0 0 0 0 005 No 0 0 0 0 0 0 006 No 0 0 0 0 0 0 007 No 0 0 0 0 0 0 008 No 0 0 0 0 0 0 009 No 0 0 0 0 0 0 010 No 0 0 0 0 0 0 Select Command None Select Rule N A Press ENTER to Confirm or ESC to Cancel Note Only one LAN comp...

Page 128: ...ription Field Description Example Rule This is the rule index number 1 Name Enter a unique name for identification purposes You can enter up to 15 characters in this field All characters are permitted including spaces Real Audio Incoming Incoming is a port or a range of ports that a server on the WAN uses when it sends out a particular service The Business Secure Router forwards the traffic with t...

Page 129: ...ss of the LAN computer that sent the traffic to a server on the WAN Start Port Enter a port number or the starting port number in a range of port numbers 7070 End Port Enter a port number or the ending port number in a range of port numbers 7070 Press ENTER at the message Press ENTER to Confirm to save your configuration or press ESC at any time to cancel Table 28 Menu 15 3 Trigger Port setup desc...

Page 130: ...130 Chapter 9 Network Address Translation NAT NN47923 501 ...

Page 131: ...he screen shown in Figure 57 Figure 57 Menu 21 Filter and Firewall Setup Activating the firewall Enter option 2 in this menu to bring up the screen shown in Figure 58 Press SPACE BAR and then ENTER to select Yes in the Active field to activate the firewall The firewall must be active to protect against Denial of Service DoS attacks Use the WebGUI to configure firewall rules Menu 21 Filter and Fire...

Page 132: ... vulnerable to attacks when the firewall is turned off Refer to the User s Guide for details about the firewall default policies You may define additional policy rules or modify existing ones but please exercise extreme caution in doing so Active Yes You can use the WebGUI to configure the firewall Press ENTER to Confirm or ESC to Cancel Note Configure the firewall rules using the WebGUI or CLI co...

Page 133: ...are subdivided into device and protocol filters Data filtering screens the data to determine if the packet is allowed to pass Data filters are divided into incoming and outgoing filters depending on the direction of the packet relative to a port Data filtering can be applied on either the WAN side or the LAN side Call filtering is used to determine if a packet is allowed to trigger a call Remote n...

Page 134: ...h filter set having up to six rules you can have a maximum of 24 rules active for a single port Sets of factory default filter rules are configured in menu 21 to prevent NetBIOS traffic from triggering calls and to prevent incoming Telnet sessions A summary of their filter rules is shown in the figures that follow Figure 60 illustrates the logic flow when executing a filter rule Also see Figure 64...

Page 135: ...pes of packets With each filter set having up to six rules you can have a maximum of 24 rules active for a single port Start Fetch First Filter Set Fetch First Filter Rule Active Execute Filter Rule Fetch Next Filter Rule Next filter Rule Available Fetch Next Filter Set Next Filter Set Available Accept Packet Drop Packet Yes No Yes No Yes Packet into filter Filter Set Forward Drop No Check Next Ru...

Page 136: ... for NetBIOS over TCP IP packets by default To configure another filter set follow the procedure below 1 Enter 21 in the main menu to open menu 21 Figure 61 Menu 21 Filter and Firewall Setup 2 Enter 1 to bring up the menu 21 1 Menu 21 Filter and Firewall Setup 1 Filter Setup 2 Firewall Setup Enter Menu Selection Number ...

Page 137: ...y The screen shown in Figure 63 shows the summary of the existing rules in the filter set Table 29 and Table 30 contain a brief description of the abbreviations used in the previous menus Menu 21 1 Filter Set Configuration Filter Filter Set Comments Set Comments 1 _______________ 7 _______________ 2 _______________ 8 _______________ 3 _______________ 9 _______________ 4 _______________ 10 ________...

Page 138: ...ain is complete N means there are no more rules to check You can specify an action to be taken for example forward the packet drop the packet or check the next rule For the latter the next rule is independent of the rule just checked m Action Matched F means to forward the packet immediately and skip checking the remaining rules D means to drop the packet N means to check the next rule n Action No...

Page 139: ...u create When applying the filter sets to a port separate menu fields are provided for protocol and device filter sets If you include a protocol filter set in a device filter field or vice versa the Business Secure Router warns you and prevents you from saving Configuring a TCP IP Filter Rule This section shows you how to configure a TCP IP filter rule Using TCP IP rules you can base the rule on t...

Page 140: ...e Table 31 TCP IP Filter Rule Menu fields Field Description Options Active Press SPACE BAR and then ENTER to select Yes to activate the filter rule or No to deactivate it Yes No IP Protocol Protocol refers to the upper layer protocol for example TCP is 6 UDP is 17 and ICMP is 1 Type a value between 0 and 255 A value of 0 matches ANY protocol 0 255 IP Source Route Press SPACE BAR and then ENTER to ...

Page 141: ... and then ENTER to select the comparison to apply to the source port in the packet against the value given in Source Port None Less Greater Equal Not Equal TCP Estab This field is applicable only when the IP Protocol field is 6 TCP Press SPACE BAR and then ENTER to select Yes to have the rule match packets that want to establish a TCP connection SYN 1 and ACK 0 if No it is ignored Yes No More Pres...

Page 142: ...rop Action Not Matched Press SPACE BAR and then ENTER to select the action for a packet not matching the rule Check Next Rule Forward Drop After you configure Menu 21 1 1 1 TCP IP Filter Rule press ENTER at the message Press ENTER to Confirm to save your configuration or press ESC to cancel This data is displayed on Menu 21 1 1 Filter Rules Summary Table 31 TCP IP Filter Rule Menu fields Field Des...

Page 143: ...es Action Matched Action Not Matched More No Filter Active Check IP Protocol Drop Drop Packet Accept Packet Drop Forward Check Next Rule Check Next Rule Check Next Rule Forward Not Matched Yes No Check Src IP Addr Apply SrcAddrMask to Src Addr Matched Check Dest IP Addr Apply DestAddrMask to Dest Addr Not Matched Not Matched Check Src Dest Port Matched Not Matched ...

Page 144: ...packet to check with the Offset from 0 and the Length fields both in bytes The Business Secure Router applies the Mask using the bit wise AND action to the data portion before comparing the result against the Value to determine a match The Mask and Value are specified in hexadecimal numbers Note that it takes two hexadecimal digits to represent a byte so if the length is 4 the value in either fiel...

Page 145: ...ordinates for example 2 3 refers to the second filter set and the third rule of that set Filter Type Use SPACE BAR and then ENTER to select a rule type Parameters displayed below each type will be different TCP IP filter rules are used to filter IP packets while generic filter rules allow filtering of non IP packets Generic Filter Rule TCP IP Filter Rule Active Select Yes to turn on the filter rul...

Page 146: ... from the following None No packets are logged Action Matched Only packets that match the rule parameters are logged Action Not Matched Only packets that do not match the rule parameters are logged Both All packets are logged None Action Matched Action Not Matched Both Action Matched Select the action for a packet matching the rule Check Next Rule Forward Drop Action Not Matched Select the action ...

Page 147: ... Set Configuration 3 Enter the index of the filter set you wish to configure for example 3 and press ENTER 4 Enter a descriptive name or comment in the Edit Comments field and press ENTER 5 Press ENTER at the message Press ENTER to confirm to open Menu 21 1 3 Filter Rules Summary 6 Enter 1 to configure the first filter rule the only filter rule of this set Make the entries in this menu as shown in...

Page 148: ...ction is to drop the packet m D if the action is matched and to forward the packet immediately n F if the action is not matched whether or not there are more rules to be checked there are none in this example Menu 21 1 3 1 TCP IP Filter Rule Filter 3 1 Filter Type TCP IP Filter Rule Active Yes IP Protocol 6 IP Source Route No Destination IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 23 Port Comp Equal Sour...

Page 149: ...n Figure 71 5 After you enter the set numbers press ENTER to confirm and leave menu 11 1 4 Filter Types and NAT There are two classes of filter rules Generic Filter Device rules and protocol filter TCP IP rules Generic filter rules act on the raw data that s going through between LAN and WAN Protocol filter rules act on the IP packets Generic and TCP IP filter rules are discussed in more detail in...

Page 150: ...iving and sending the packets for example the interface The interface can be an Ethernet port or any other hardware port as illustrated in Figure 69 Figure 69 Protocol and Device Filter Sets Firewall Versus Filters Firewall configuration is discussed in Chapter 10 Introducing the firewall on page 131 chapters of this manual Further comparisons are also made between filtering NAT and the firewall A...

Page 151: ...m the Business Secure Router Figure 70 Filtering LAN Traffic Applying Remote Node Filters Go to menu 11 1 4 shown in Figure 71 note that call filter sets are only present for PPPoE encapsulation and enter the numbers of the filter sets as appropriate You can cascade up to four filter sets by entering their numbers separated by commas The Business Secure Router already has filters to prevent NetBIO...

Page 152: ...e 71 Filtering Remote Node Traffic Menu 11 1 4 Remote Node Filter Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Call Filter Sets protocol filters device filters Enter here to CONFIRM or ESC to CANCEL ...

Page 153: ...This chapter explains SNMP configuration menu 22 SNMP Configuration To configure SNMP enter 22 from the main menu to display Menu 22 SNMP Configuration as shown next The community for Get Set and Trap fields is SNMP terminology for password Note SNMP is only available if TCP IP is configured ...

Page 154: ...ty Type the Set community which is the password for incoming Set requests from the management station PlsChgMe R W default Trusted Host If you enter a trusted host your Business Secure Router will only respond to SNMP messages from this address A blank default field means your Business Secure Router will respond to all SNMP messages it receives regardless of source 0 0 0 0 Trap Community Type the ...

Page 155: ...tware reboot 4 authenticationFailure defined in RFC 1215 A trap is sent to the manager when receiving any SNMP get or set requirements with the wrong community password 6 whyReboot defined in MIB A trap is sent with the reason of restart before rebooting when the system is going to restart warm start 6a For intentional reboot A trap is sent with the message System reboot by user if reboot is done ...

Page 156: ...156 Chapter 12 SNMP Configuration NN47923 501 ...

Page 157: ...rver and 802 1x in this menu System password Figure 73 Menu 23 System security Nortel recommends you change the default password If you forget your password you have to restore the default configuration file For more information see Restoring the factory default configuration settings in Nortel Business Secure Router 252 Configuration Basics NN47923 500 Menu 23 System Security 1 Change Password 2 ...

Page 158: ...ystem Security RADIUS Server as shown in Figure 75 Figure 75 Menu 23 2 System Security RADIUS server Menu 23 System Security 1 Change Password 2 RADIUS Server 4 IEEE802 1x Enter Menu Selection Number Menu 23 2 System Security RADIUS Server Authentication Server Active No Server Address 0 0 0 0 Port 1812 Shared Secret Accounting Server Active No Server Address 0 0 0 0 Port 1813 Shared Secret Press ...

Page 159: ...y is not sent over the network This key must be the same on the external authentication server and Business Secure Router Accounting Server Active Press SPACE BAR to select Yes and press ENTER to enable user authentication through an external accounting server Server Address Enter the IP address of the external accounting server in dotted decimal notation Port The default port of the RADIUS server...

Page 160: ...23 System Security Figure 76 Menu 23 System Security 2 Enter 4 to display Menu 23 4 System Security IEEE802 1x Figure 77 Menu 23 4 System Security IEEE802 1x Menu 23 System Security 1 Change Password 2 RADIUS Server 4 IEEE802 1x Enter Menu Selection Number Menu 23 4 System Security IEEE802 1x Port Control Authentication Required ReAuthentication Timer in second 1800 Idle Timeout in second 3600 Aut...

Page 161: ...owing fields are not available when you select No Authentication Required or No Access Allowed ReAuthentication Timer in second Specify how often a client has to reenter the username and password to stay connected to the network This field is activated only when you select Authentication Required in the Port Control field Enter a time interval between 10 and 9 999 in seconds The default time inter...

Page 162: ...pecified RADIUS server for a user s username and password Select Local first then RADIUS to have the Business Secure Router first check the user database on the Business Secure Router for a user s username and password If the user name is not found the Business Secure Router then checks the user database on the specified RADIUS server Select RADIUS first then Local to have the Business Secure Rout...

Page 163: ... SMT menus 24 1 to 24 4 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your Business Secure Router These tools include updates on system status port status and log and trace capabilities Select menu 24 in the main menu to open Menu 24 System Maintenance as shown in Figure 78 ...

Page 164: ...cifically it gives you information on your system firmware version number of packets sent and number of packets received To get to the System Status 1 Enter number 24 to go to Menu 24 System Maintenance 2 In this menu enter 1 to open System Maintenance Status Menu 24 System Maintenance 1 System Status 2 System Information and Console Port Speed 3 Log and Trace 4 Diagnostic 5 Backup Configuration 6...

Page 165: ...un 06 2006 Node Lnk Status TxPkts RxPkts Errors Tx B s Rx B s Up Time 1 ENET N A 0 0 0 0 0 0 00 00 My WAN IP from ISP 0 0 0 0 Ethernet WAN Status 100M Full Duplex Tx Pkts 608 Line Status Initializing Collisions 0 Rx Pkts 821 Upstream Speed 0 kbps CPU Load 1 19 Downstream Speed 0 kbps Press Command COMMANDS 1 Reset Counters ESC Exit Table 37 Menu 24 1 System Maintenance Status Field Description Nod...

Page 166: ...IP from ISP This is the IP address of the ISP remote node Ethernet This shows statistics for the LAN Status This shows the current status of the LAN Tx Pkts This is the number of transmitted packets to the LAN Rx Pkts This is the number of received packets from the LAN Collision This is the number of collisions WAN This shows statistics for the WAN Line Status This shows the current status of the ...

Page 167: ...d Console Port Speed System Information System Information gives you information about your system as shown in Figure 81 More specifically it gives you information on your routing protocol Ethernet address and IP address Menu 24 2 System Information and Console Port Speed 1 System Information 2 Console Port Speed Please enter selection ...

Page 168: ...e Displays the system name of your Business Secure Router This information can be changed in Menu 1 General Setup Routing Refers to the routing protocol used Firmware Version Refers to the system firmware version ADSL Chipset Vendor Displays the vendor of the ADSL chipset and DSL version Standard This refers to the operational protocol the Business Secure Router and the DSLAM Digital Subscriber Li...

Page 169: ...tem Maintenance Change Console Port Speed Log and trace The Business Secure Router has a syslog facility for message logging and a trace function for viewing call triggering packets DHCP This field shows the DHCP setting None Relay or Server of the Business Secure Router After you complete this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any tim...

Page 170: ...4 Menu 24 3 2 System Maintenance Syslog Logging Configure the syslog parameters described in Table 39 to activate syslog and then choose what you want to log Menu 24 3 System Maintenance Log and Trace 2 Syslog Logging 4 Call Triggering Packet Press ENTER to Confirm or ESC to Cancel Menu 24 3 2 System Maintenance Syslog Logging Syslog Active No Syslog Server IP Address Log Facility Local 1 Press EN...

Page 171: ...irm or ESC to cancel CDR Message Format SdcmdSyslogSend SYSLOG_CDR SYSLOG_INFO String String board xx line xx channel xx call xx str board the hardware board ID line the WAN ID in a board Channel channel ID within the WAN call the call reference number which starts from 1 and increments by 1 for each new call str C01 Outgoing Call dev xx ch xx dev device No ch channel No L02 Tunnel Connected L2TP ...

Page 172: ...061626364656 66768696a6b6c6d6e6f7071727374 Jul 19 11 28 56 192 168 102 2 RAS Packet Trigger Protocol 1 Data 4500002c1b0140001f06b50ec0a86614ca849a7b0427001700195b3e00000000600 220008cd40000020405b4 Jul 19 11 29 06 192 168 102 2 RAS Packet Trigger Protocol 1 Data 45000028240140001f06ac12c0a86614ca849a7b0427001700195b451d143013500 4000077600000 Filter log Message Format SdcmdSyslogSend SYSLOG_FILLOG...

Page 173: ...c5f502fnord010080 S05 R01mF Mar 03 12 00 52 202 132 155 97 RAS GEN ffffffffffff0080 S05 R01mF Mar 03 12 00 57 202 132 155 97 RAS GEN 00a0c5f502010080 S05 R01mF Mar 03 12 01 06 202 132 155 97 RAS IP Src 192 168 1 33 Dst 202 132 155 93 TCP spo 01170 dpo 00021 S04 R01mF PPP Log Message Format SdcmdSyslogSend SYSLOG_PPPLOG SYSLOG_NOTICE String String ppp Proto Starting ppp Proto Opening ppp Proto Clos...

Page 174: ...dpo Destination port empty means no destination port information prot Protocol TCP UDP ICMP IGMP GRE ESP rule a b where a means set number b means rule number Action nothing N block B forward F 08 01 2000 11 48 41 Local1 Notice 192 168 10 10 RAS FW 172 21 1 80 137 172 21 1 80 137 UDP default permit 2 0 B 08 01 2000 11 48 41 Local1 Notice 192 168 10 10 RAS FW 192 168 77 88 520 192 168 77 88 520 UDP...

Page 175: ...Offset 0x00 Time to Live 0xFE 254 Protocol 0x06 TCP Header Checksum 0xFB20 64288 Source IP 0xC0A80101 192 168 1 1 Destination IP 0x00000000 0 0 0 0 TCP Header Source Port 0x0401 1025 Destination Port 0x000D 13 Sequence Number 0x05B8D000 95997952 Ack Number 0x00000000 0 Header Length 24 Flags 0x02 S Window Size 0x2000 8192 Checksum 0xE06A 57450 Urgent Ptr 0x0000 0 Options 0000 02 04 02 00 RAW DATA ...

Page 176: ...tel Business Secure Router 252 Configuration Basics NN47923 500 The Business Secure Router can act either as a WAN DHCP client IP Address Assignment field in menu 4 or menu 11 3 is Dynamic and the Encapsulation field in menu 4 or menu 11 is Ethernet or None when you have a static IP Using the WAN Release and Renewal fields in menu 24 4 you can release or renew the assigned WAN IP address subnet ma...

Page 177: ...Release Enter 2 to release your WAN DHCP settings WAN DHCP Renewal Enter 3 to renew your WAN DHCP settings PPPoE PPPoA Setup Test This feature is only available for dial up connections using PPPoE or PPPoA encapsulation Enter 4 to test the Internet setup You can also test the Internet setup in Menu 4 Internet Access Refer to Chapter 5 Internet access on page 81 for more details Reboot System Enter...

Page 178: ...178 Chapter 14 System information and diagnosis NN47923 501 ...

Page 179: ...ustomized the Business Secure Router settings they can be saved back to your computer under a filename of your choosing The system firmware sometimes referred to as the ras file has a bin filename extension With many FTP and TFTP clients the filenames are similar to those seen next ftp put firmware bin ras This is a sample FTP session showing the transfer of the computer file firmware bin to the B...

Page 180: ... you press y when prompted in the SMT menu to go into debug mode Backup configuration Using Option 5 from Menu 24 System Maintenance you can back up the current Business Secure Router configuration to your computer Backup is highly recommended once your Business Secure Router is functioning properly FTP is the preferred method for backing up your current configuration to your computer Table 41 Fil...

Page 181: ...e Backup Configuration Using the FTP command from the command line 1 Launch the FTP client on your computer 2 Enter open followed by a space and the IP address of your Business Secure Router 3 Press ENTER when prompted for a username 4 Enter your password as requested the default password is PlsChgMe Menu 24 5 System Maintenance Backup Configuration To transfer the configuration file to your works...

Page 182: ...ommands that you can see in GUI based FTP clients 331 Enter PASS command Password 230 Logged in ftp bin 200 Type I OK ftp get rom 0 config rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp 16384 bytes sent in 1 10Seconds 297 89Kbytes sec ftp quit Table 42 General commands for GUI based FTP clients Command Description Host Address Enter the address of the h...

Page 183: ...rtel does not recommend using TFTP over WAN although it can work To use TFTP your computer must have both Telnet and TFTP clients To back up the configuration file follow the procedure shown next 1 Use Telnet from your computer to connect to the Business Secure Router and log on Because TFTP does not have any security checks the Business Secure Router records the IP address of the Telnet client an...

Page 184: ...Router to the file destination on the computer and renames it config rom GUI based TFTP clients Table 43 describes some of the fields that appear in GUI based TFTP clients Note Telnet connection must be active and the SMT must be in CI mode before and during the TFTP transfer For details on TFTP commands see TFTP command example on page 184 consult the documentation of your TFTP client program For...

Page 185: ...Maintenance Backup Configuration Figure 91 shows the screen which indicates that the Xmodem download has started Figure 91 Menu 24 5 System Maintenance Starting Xmodem Download Screen Run the HyperTerminal program by clicking Transfer then Receive File as shown in Figure 92 Remote File This is the filename on the Business Secure Router The filename for the firmware is ras and for the configuration...

Page 186: ...evious back up configuration do not attempt to restore unless you have a backup configuration file stored on disk FTP is the preferred method for restoring your current computer configuration to your Business Secure Router since FTP is faster note that you must wait for the system to automatically restart after the file transfer is complete Backup Configuration completed OK Hit any key to continue...

Page 187: ...iguration file config rom on your computer to the Business Secure Router See Filename conventions on page 179 for more information about filename conventions Menu 24 6 System Maintenance Restore Configuration To transfer the firmware and the configuration file follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your router Then type nnadmin and ...

Page 188: ...ore via console port Restore configuration via console port by following the HyperTerminal procedure Procedures using other serial communications programs are similar Display menu 24 6 and enter y at the prompt Figure 96 System Maintenance Restore Configuration Figure 97 indicates that the Xmodem download has started ftp put config rom rom 0 200 Port command okay 150 Opening data connection for ST...

Page 189: ...ation Screen Uploading Firmware and Configuration Files This section shows you how to upload firmware and configuration files You can upload configuration files by following the procedure Restore configuration on page 186 or by following the instructions in Menu 24 7 2 System Maintenance Upload System Configuration File Starting XMODEM download CRC mode CCCCCCCCC Save to ROM Hit any key to start s...

Page 190: ...ad the system firmware follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your system Then type nnadmin and SMT password as requested 3 Type put firmwarefilename ras where firmwarefilename is the name of your firmware upgrade file on your workstation and ras is the remote file name on the system 4 The system reboots automatically after a succes...

Page 191: ...as transfers the firmware on your computer firmware bin to the Business Secure Router and renames it ras Similarly put config rom rom 0 transfers the configuration file on your computer Menu 24 7 2 System Maintenance Upload System Configuration File To upload the system configuration file follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your ...

Page 192: ...te Management on page 209 section to read about configurations that disallow TFTP and FTP over WAN TFTP file upload The Business Secure Router also supports the uploading of firmware files using TFTP Trivial File Transfer Protocol over LAN Although TFTP also works over WAN Nortel does not recommend doing this 1 To use TFTP your computer must have both Telnet and TFTP clients To transfer the firmwa...

Page 193: ...o transfer files between the Business Secure Router and the computer The file name for the firmware is ras Note that the telnet connection must be active and the Business Secure Router must be in CI mode before and during the TFTP transfer For details about TFTP commands see TFTP upload command example on page 193 consult the documentation of your TFTP client program For UNIX use get to transfer f...

Page 194: ... Upload Firmware to display Menu 24 7 1 System Maintenance Upload System Firmware then follow the instructions as shown in Figure 102 Figure 102 Menu 24 7 1 as seen using the Console Port After the Starting Xmodem upload message appears activate the Xmodem protocol on your computer Follow the procedure as shown previously for the HyperTerminal program The procedure for other serial communications ...

Page 195: ...modem Upload 2 After the configuration upload process is complete restart the Business Secure Router by entering atgo Uploading configuration file via console port 1 Select 2 from Menu 24 7 System Maintenance Upload Firmware to display Menu 24 7 2 System Maintenance Upload System Configuration File Follow the instructions as shown in Figure 104 Type the configuration file s location or click Brows...

Page 196: ... To upload system configuration file 1 Enter y at the prompt below to go into debug mode 2 Enter atlc after Enter Debug Mode message 3 Wait for Starting XMODEM upload message before activating Xmodem upload on your terminal 4 After successful firmware upload enter atgo to restart the system Warning 1 Proceeding with the upload will erase the current configuration file 2 The system s console port s...

Page 197: ... file using HyperTerminal 1 Click Transfer then Send File to display the screen shown in Figure 105 Figure 105 Example Xmodem Upload 2 After the configuration upload process is complete restart the Business Secure Router by entering atgo Type the configuration file s location or click Browse to search for it Choose the Xmodem protocol Click Send ...

Page 198: ...198 Chapter 15 Firmware and configuration file maintenance NN47923 501 ...

Page 199: ...lity as the SMT while adding some low level setup and diagnostic functions Enter the CI from the SMT by selecting menu 24 8 Access can be by Telnet or by a serial connection to the console port although some commands are only available with a serial connection See the included disk or www nortel com for more detailed information about CI commands Enter 8 from Menu 24 System Maintenance Note Use of...

Page 200: ...osed in angle brackets The optional fields in a command are enclosed in square brackets The symbol means or For example sys filter netbios config type on off Menu 24 System Maintenance 1 System Status 2 System Information and Console Port Speed 3 Log and Trace 4 Diagnostic 5 Backup Configuration 6 Restore Configuration 7 Firmware Update 8 Command Interpreter Mode 9 Call Control 10 Time and Date Se...

Page 201: ... The Business Secure Router provides two call control functions budget management and call history Note that this menu is only applicable when Encapsulation is set to PPPoE or PPPoA in menu 4 or menu 11 1 With the budget management function you can set a limit on the total outgoing call time of the Business Secure Router within certain times When the total outgoing call time exceeds the limit the ...

Page 202: ... management Menu 24 9 1 shows the budget management statistics for outgoing calls Enter 1 from Menu 24 9 System Maintenance Call Control to bring up the Budget Management menu Figure 108 Menu 24 9 System Maintenance Call Control 1 Budget Management 2 Call History Enter Menu Selection Number ...

Page 203: ...he remote node Menu 24 9 1 Budget Management Remote Node 1 ChangeMe 2 GUI Connection Time Total Budget No Budget No Budget Elapsed Time Total Period No Budget No Budget Reset Node 0 to update screen Table 44 Budget management Field Description Example Remote Node Enter the index number of the remote node you want to reset just one in this case 1 Connection Time Total Budget This is the total conne...

Page 204: ...call Max Min Total Enter Entry to Delete 0 to exit Table 45 Call History Fields Field Description Phone Number The PPPoE service names are shown here Dir This shows whether the call is incoming or outgoing Rate This is the transfer rate of the call call This is the number of calls made to or received from that telephone number Max This is the length of time of the longest telephone call Min This i...

Page 205: ...iness Secure Router error logs and firewall logs Select menu 24 in the main menu to open Menu 24 System Maintenance Figure 110 Menu 24 System Maintenance Enter 10 to go to Menu 24 10 System Maintenance Time and Date Setting to update the time and date settings of your Business Secure Router as shown in Figure 111 Menu 24 System Maintenance 1 System Status 2 System Information and Console Port Spee...

Page 206: ...s Not all time servers support all protocols so check with your ISP or network administrator or use trial and error to find a protocol that works The main differences between the time protocols are the format Daytime RFC 867 format is the day month year time zone of the server Time RFC 868 format displays a 4 byte integer giving the total number of seconds since 1970 1 1 at 0 0 0 The default NTP R...

Page 207: ...pean Union on the last Sunday of March All of the time zones in the European Union start using Daylight Saving Time at the same moment 1 a m GMT or UTC So in the European Union select Mar Last Sun The time you type in the hr field depends on your time zone In Germany for instance type 02 because Germany s time zone is one hour ahead of GMT or UTC GMT 1 End Date mm nth week hr Configure the day and...

Page 208: ... Time The Business Secure Router resets the time in three instances After you make changes to and leave menu 24 10 After starting up the Business Secure Router starts up if a time server configured in menu 24 10 After starting the Business Secure Router in 24 hour intervals ...

Page 209: ...siness Secure Router interface if any from which computers You can manage your Business Secure Router from a remote location via Internet WAN only ALL LAN and WAN LAN only Neither Disable To disable remote management of a service select Disable in the corresponding Server Access field Enter 11 from menu 24 to bring up Menu 24 11 Remote Management Control Note When you Choose WAN only or ALL LAN WA...

Page 210: ...NS Service Port 53 Access LAN only Secure Client IP 0 0 0 0 Press ENTER to Confirm or ESC to Cancel Table 47 Menu 24 11 Remote Management control Field Description Telnet Server FTP Server SSH Server HTTPS Server HTTP Server SNMP Service DNS Service Each of these read only labels denotes a service that you can use to remotely manage the Business Secure Router Port This field shows the port number ...

Page 211: ...on it does not begin if a Web session is already running 7 There is a firewall rule that blocks remote management Certificate Press SPACE BAR and then ENTER to select the certificate that the Business Secure Router uses to identify itself The Business Secure Router is the SSL server and must always authenticate itself to the SSL client the computer that requests the HTTPS connection with the Busin...

Page 212: ...212 Chapter 17 Remote Management NN47923 501 ...

Page 213: ...ideo cassette recorder you can specify a time period for the VCR to record You can apply up to 4 schedule sets in Menu 11 1 Remote Node Profile From the main menu enter 26 to access Menu 26 Schedule Setup as shown in Figure 113 Figure 113 Menu 26 Schedule Setup Menu 26 Schedule Setup Schedule Schedule Set Name Set Name 1 AlwaysOn 7 _______________ 2 _______________ 8 _______________ 3 ____________...

Page 214: ...dule sets for a remote node To set up a schedule set select the schedule set you want to setup from menu 26 1 12 and press ENTER to see Menu 26 1 Schedule Set Setup as shown in Figure 114 Figure 114 Menu 26 1 Schedule Set Setup Note To delete a schedule set enter the set number and press SPACE BAR and then ENTER or delete in the Edit Name field Menu 26 1 Schedule Set Setup Active Yes Start Date yy...

Page 215: ...e How Often field above enter the date the set should activate here in year month date format 2000 01 01 Weekday Day If you selected Weekly in the How Often field above select the days when the set should activate and recur by going to that days and pressing SPACE BAR to select Yes After you complete this menu press ENTER to exit Yes No N A Start Time Enter the start time when you wish the schedul...

Page 216: ... PPPoE You can apply up to four schedule sets separated by commas for one remote node Change the schedule set numbers to your preferences Menu 11 1 Remote Node Profile Rem Node Name ChangeMe Route IP Active Yes Bridge No Encapsulation PPPoA Edit IP Bridge No Multiplexing LLC based Edit ATM Options No Service Name N A Edit Advance Options N A Incoming Telco Option Rem Login Allocated Budget min 0 R...

Page 217: ...he purchase of a third party TCP IP application package TCP IP is already installed on computers using Windows NT 2000 XP or Macintosh OS 7 and later operating systems After the appropriate TCP IP components are installed configure the TCP IP settings in order to communicate with your network If you manually assign IP information instead of using dynamic assignment make sure that your computers ha...

Page 218: ...IP protocol and Client for Microsoft Networks If you need the adapter a In the Network window click Add b Select Adapter and click Add c Select the manufacturer and model of your network adapter and click OK If you need TCP IP a In the Network window click Add b Select Protocol and click Add c Select Microsoft from the list of manufacturers d Select TCP IP from the list of network protocols and cl...

Page 219: ... changes take effect Configuring 1 In the Network window Configuration tab select your network adapter s TCP IP entry and click Properties 2 Click the IP Address tab If your IP address is dynamic select Obtain an IP address automatically If you have a static IP address select Specify an IP address and type your information into the IP Address and Subnet Mask fields Figure 117 Windows 95 98 Me TCP ...

Page 220: ...ly installed gateways If you have a gateway IP address type it in the New gateway field and click Add 5 Click OK to save and close the TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your Business Secure Router and restart your computer when prompted Verifying Settings 1 Click Start and then Run 2 In the Run window type winipcfg and click...

Page 221: ...on Advanced Windows 2000 NT XP 1 For Windows XP click Start Control Panel In Windows 2000 NT click Start Settings Control Panel Figure 119 Windows XP Start menu 2 For Windows XP click Network Connections For Windows 2000 NT click Network and Dial up Connections Figure 120 Windows XP Control Panel ...

Page 222: ...ight click Local Area Connection and then click Properties Figure 121 Windows XP Control Panel Network Connections Properties 4 Select Internet Protocol TCP IP under the General tab in Win XP and click Properties Figure 122 Windows XP Local Area Connection Properties ...

Page 223: ...teway fields Click Advanced Figure 123 Windows XP Advanced TCP IP settings 6 If you do not know your gateway IP address remove any previously installed gateways in the IP Settings tab and click OK Ë Do one or more of the following if you want to configure additional IP addresses In the IP Settings tab in IP addresses click Add In TCP IP Address type an IP address in IP address and a subnet mask in...

Page 224: ... Protocol TCP IP Properties window the General tab in Windows XP Click Obtain DNS server address automatically if you do not know your DNS server IP addresses If you know your DNS server IP addresses click Use the following DNS server addresses and type them in the Preferred DNS server and Alternate DNS server fields If you have previously configured DNS servers click Advanced and then the DNS tab...

Page 225: ...Settings 1 Click Start All Programs Accessories and then Command Prompt 2 In the Command Prompt window type ipconfig and press ENTER You can also open Network Connections right click a network connection click Status and then click the Support tab Macintosh OS 8 9 1 Click the Apple menu Control Panel and double click TCP IP to open the TCP IP Control Panel Figure 125 Macintosh OS 8 9 Apple Menu ...

Page 226: ...o the following From the Configure box select Manually Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your Business Secure Router in the Router address box 5 Close the TCP IP Control Panel 6 Click Save if prompted to save changes to your configuration 7 Turn on your Business Secure Router and restart your computer if prompted Verifyin...

Page 227: ...d click System Preferences to open the System Preferences window Figure 127 Macintosh OS X Apple menu 2 Click Network in the icon bar Select Automatic from the Location list Select Built in Ethernet from the Show list Click the TCP IP tab 3 For dynamically assigned settings select Using DHCP from the Configure list Figure 128 Macintosh OS X Network ...

Page 228: ...ly Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your Business Secure Router in the Router address box 5 Click Apply Now and close the window 6 Turn on your Business Secure Router and restart your computer if prompted Verifying settings Check your TCP IP properties in the Network window ...

Page 229: ...more than one connection to the Internet through one or more ISPs If an alternate gateway is on the LAN and its IP address is in the same subnet as the Business Secure Router LAN IP address the triangle route also called asymmetrical route problem can occur The steps below describe the triangle route problem A traffic route is a path for sending or receiving data packets between two Ethernet devic...

Page 230: ...knowledged Figure 130 Triangle Route Problem The Triangle Route Solutions IP aliasing Using IP alias you can partition your network into logical sections over the same Ethernet interface Your Business Secure Router supports up to three logical LAN interfaces with the Business Secure Router being the gateway for each logical network By putting your LAN and Gateway B in different subnets all returni...

Page 231: ...tion Advanced 2 The Business Secure Router reroutes the packet to Gateway B which is in Subnet 2 3 The reply from WAN goes to the Business Secure Router 4 The Business Secure Router ends the response to the computer in Subnet 1 Figure 131 IP Alias Business Secure Router WAN ...

Page 232: ...232 Appendix B Triangle Route NN47923 501 ...

Page 233: ...cates Import Business Secure Router certificates into Netscape Navigator In Netscape Navigator you can permanently trust the Business Secure Router server certificate by importing it into your operating system as a trusted certification authority Select Accept This Certificate Permanently in Figure 132 to do this Figure 132 Security Certificate ...

Page 234: ...ification authority To have Internet Explorer trust a Business Secure Router certificate issued by a certificate authority import the certificate authority s certificate into your operating system as a trusted certification authority The following example procedure shows how to import the Business Secure Router s self signed server certificate into your operating system as a trusted certification ...

Page 235: ... C Importing certificates 235 Nortel Business Secure Router 252 Configuration Advanced 2 Click Install Certificate to open the Install Certificate wizard Figure 134 Certificate General Information before Import ...

Page 236: ...236 Appendix C Importing certificates NN47923 501 3 Click Next to begin the Install Certificate wizard Figure 135 Certificate Import Wizard 1 ...

Page 237: ...Appendix C Importing certificates 237 Nortel Business Secure Router 252 Configuration Advanced 4 Select where you want to store the certificate and click Next Figure 136 Certificate Import Wizard 2 ...

Page 238: ...rtificates NN47923 501 5 Click Finish to complete the Import Certificate wizard Figure 137 Certificate Import Wizard 3 6 Click Yes to add the Business Secure Router certificate to the root store Figure 138 Root Certificate Store ...

Page 239: ...ificates is selected on the Business Secure Router You must have imported at least one trusted CA to the Business Secure Router in order for the Authenticate Client Certificates to be active see Certificates in Nortel Business Secure Router 252 Configuration Basics NN47923 500 for details Apply for a certificate from a Certification Authority CA that is trusted by the Business Secure Router see th...

Page 240: ...g certificates NN47923 501 Figure 140 Business Secure Router Trusted CA screen The CA sends you a package containing the CA s trusted certificates your personal certificates and a password to install the personal certificates ...

Page 241: ...ar to the one shown in Figure 141 Figure 141 CA certificate example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix Installing your personal certificates You need a password in advance The CA can issue the password or you can specify it during the enrollment Double click the personal certificate given to you by the CA to produce a screen similar to Figure 142 ...

Page 242: ...242 Appendix C Importing certificates NN47923 501 1 Click Next to begin the wizard Figure 142 Personal certificate import wizard 1 ...

Page 243: ...ecure Router 252 Configuration Advanced 2 The file name and path of the certificate you double clicked automatically appears in the File name text box Click Browse if you wish to import a different certificate Figure 143 Personal certificate import wizard 2 ...

Page 244: ...244 Appendix C Importing certificates NN47923 501 3 Enter the password given to you by the CA Figure 144 Personal certificate import wizard 3 ...

Page 245: ...cure Router 252 Configuration Advanced 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location Figure 145 Personal certificate import wizard 4 ...

Page 246: ... Finish to complete the wizard and begin the import process Figure 146 Personal certificate import wizard 5 6 Figure 147 shows the screen that appears when the certificate is correctly installed on your computer Figure 147 Personal certificate import wizard 6 ...

Page 247: ...HTTPS 1 Enter https Business Secure Router IP Address in your browser s web address field Figure 148 Access the Business Secure Router via HTTPS 2 When Authenticate Client Certificates is selected on the Business Secure Router you are asked to select a personal certificate to send to the Business Secure Router This screen displays even if you only have a single certificate as shown in Figure 149 F...

Page 248: ...248 Appendix C Importing certificates NN47923 501 3 The Business Secure Router login screen appears Figure 150 Business Secure Router secure login screen ...

Page 249: ...ity in a manner similar to dial up services using PPP Benefits of PPPoE PPPoE offers the following benefits It provides you with a familiar dial up networking DUN user interface It lessens the burden on the carriers of provisioning virtual circuits all the way to the ISP on multiple switches for thousands of users For GSTN PSTN and ISDN the switching fabric is already in place It allows the ISP to...

Page 250: ...and tunnels the PPP frames to the ISP The L2TP tunnel is capable of carrying multiple PPP sessions With PPPoE the VC Virtual Circuit is equivalent to the dial up connection and runs between the modem and the AC as opposed to all the way to the ISP However the PPP negotiation is between the PC and the ISP Business Secure Router as a PPPoE client When using the Business Secure Router as a PPPoE clie...

Page 251: ...Appendix D PPPoE 251 Nortel Business Secure Router 252 Configuration Advanced Figure 152 Business Secure Router as a PPPoE Client Business Secure Router Business Secure Router ...

Page 252: ...252 Appendix D PPPoE NN47923 501 ...

Page 253: ...ecure Router is DCE when you connect a computer to the console port The Business Secure Router is DTE when you connect a modem to the dial backup port Table 49 General specifications Power Specification I P AC 100 240V 50 60Hz O P DC 18V 1 1A MTBF 218200 hrs Mean Time Between Failures Operation Temperature 0º C 40º C ADSL Specification for WAN ADSL ADSL2 ADSL2 with TR 067 compliance Ethernet Speci...

Page 254: ...DCE RTS PIN 9 NON Pin 1 NON Pin 2 DTE RXD Pin 3 DTE TXD Pin 4 DTE DTR Pin 5 GND Pin 6 DTE DSR Pin 7 DTE RTS Pin 8 DTE CTS PIN 9 NON The CON AUX port also has these pin assignments The CON AUX switch changes the setting in the firmware only and does not change the CON AUX port s pin assignments Business Secure Routers with a CON AUX port also have a 9 pin adapter for the console cable with these pi...

Page 255: ...fications Use only power supplies listed in the user instructions Phihong Model PSA21R 180 Leader Model MU18 2180100 XX XX can be A1 A2 A3 B2 or C5 for the different plugs used WAN LAN Ethernet Cable Pin Layout Straight Through Crossover Switch 1 IRD Adapter 1 OTD Switch 1 IRD Switch 1 IRD 2 IRD 2 OTD 2 IRD 2 IRD 3 OTD 3 IRD 3 OTD 3 OTD 6 OTD 6 IRD 6 OTD 6 OTD ...

Page 256: ...256 Appendix E Hardware specifications NN47923 501 ...

Page 257: ...t Class A addresses have a 0 in the left most bit In a class A address the first octet is the network number and the remaining three octets make up the host ID Class B addresses have a 1 in the left most bit and a 0 in the next left most bit In a class B address the first two octets make up the network number and the two remaining octets make up the host ID Class C addresses begin starting from th...

Page 258: ...id range of 128 to 191 The first octet of a class C address begins with 110 and therefore has a range of 192 to 223 Table 51 Classes of IP addresses IP Address Octet 1 Octet 2 Octet 3 Octet 4 Class A 0 Network number Host ID Host ID Host ID Class B 10 Network number Network number Host ID Host ID Class C 110 Network number Network number Network number Host ID Note Host IDs of all zeros or all one...

Page 259: ...is ignored For example a class C address no longer has to have 24 bits of network number and 8 bits of host ID With subnetting some of the host ID bits are converted into network number bits By convention subnet masks always consist of a continuous sequence of ones beginning from the left most bit of the mask followed by a continuous sequence of zeros for a total number of 32 bits Since the mask i...

Page 260: ... octets of the address make up the network number class C You want to have two separate networks Table 54 Alternative Subnet Mask Notation Subnet mask IP address Subnet mask 1 Bits Last octet bit value 255 255 255 0 24 0000 0000 255 255 255 128 25 1000 0000 255 255 255 192 26 1100 0000 255 255 255 224 27 1110 0000 255 255 255 240 28 1111 0000 255 255 255 248 29 1111 1000 255 255 255 252 30 1111 11...

Page 261: ...ctet bit values indicate host ID bits borrowed to form network ID bits The number of borrowed host ID bits determines the number of subnets you can have The remaining number of host ID bits after borrowing determines the number of hosts you can have on each subnet Table 55 Subnet 1 Network number Last Octet bit value IP Address 192 168 1 0 IP Address Binary 11000000 10101000 00000001 00000000 Subn...

Page 262: ...combinations of 00 01 10 and 11 The subnet mask is 26 bits 11111111 11111111 11111111 11000000 or 255 255 255 192 Each subnet contains 6 host ID bits giving 26 2 or 62 hosts for each subnet all 0s is the subnet itself all 1s is the broadcast address on the subnet Table 57 Subnet 1 Network number Last octet bit value IP Address 192 168 1 0 IP Address Binary 11000000 10101000 00000001 00000000 Subne...

Page 263: ...1111 11000000 Subnet Address 192 168 1 128 Lowest Host ID 192 168 1 129 Broadcast Address 192 168 1 191 Highest Host ID 192 168 1 190 Table 60 Subnet 4 Network number Last Octet Bit Value IP Address 192 168 1 192 IP Address Binary 11000000 10101000 00000001 11000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 192 Lowest Host ID 192 168 1 193 Broadcast Address 19...

Page 264: ...ary for class B subnet planning 7 192 193 222 223 8 224 225 254 255 Table 62 Class C subnet planning No Borrowed Host Bits Subnet Mask No Subnets No Hosts per Subnet 1 255 255 255 128 25 2 126 2 255 255 255 192 26 4 62 3 255 255 255 224 27 8 30 4 255 255 255 240 28 16 14 5 255 255 255 248 29 32 6 6 255 255 255 252 30 64 2 7 255 255 255 254 31 128 1 Table 63 Class B subnet planning No Borrowed Host...

Page 265: ...54 0 23 128 510 8 255 255 255 0 24 256 254 9 255 255 255 128 25 512 126 10 255 255 255 192 26 1 024 62 11 255 255 255 224 27 2 048 30 12 255 255 255 240 28 4 096 14 13 255 255 255 248 29 8 192 6 14 255 255 255 252 30 16 384 2 15 255 255 255 254 31 32 768 1 Table 63 Class B subnet planning No Borrowed Host Bits Subnet Mask No Subnets No Hosts per Subnet ...

Page 266: ...266 Appendix F IP subnetting NN47923 501 ...

Page 267: ...command keywords exactly as shown Do not abbreviate The required fields in a command are enclosed in angle brackets The optional fields in a command are enclosed in square brackets The symbol means or For example sys filter netbios config type on off means that you must specify the type of netbios filter and whether to turn it on or off Command usage A list of valid commands can be found by typing...

Page 268: ...password countrycode countrycode Sets or displays the country code datetime date year month date Sets or displays the system s current date time hour min sec Sets or displays the system time period day Sets how often the Business Secure Router gets the date and time from the time server sync Gets the date and time from the time server domainname Displays the domain name that the device sends to th...

Page 269: ...ds alerts or both for firewall attack logs cdr 0 none 1 log Records Call Detail Record logs display Displays the category settings error 0 none 1 log 2 alert 3 both Records sends alerts or both for system error logs icmp 0 none 1 log Records ICMP logs ike 0 none 1 log 2 alert 3 both Records sends alerts or both for access control logs ipsec 0 none 1 log 2 alert 3 both Records the access control lo...

Page 270: ...s Use sys logs save after you configure the log settings mail alertAddr mail address Sends alerts to this e mail address clearLog 0 no 1 yes Enables the switch to clear the log after sending logs via e mail display Displays the logs and alerts mail settings logAddr mail address Sends logs to this e mail address schedule display Displays the mail schedule schedule hour 0 23 Sets the hour to send lo...

Page 271: ...server domainName IP Specifies the IP address of the syslog server the syslogs are sent consolidate switch 0 on 1 off Turns log consolidation on or off period Sets the consolidation period in seconds msglist Displays the consolidated messages updateSvrIP minute Sets how often to resolve the mail and syslog server domain name to an IP address switch bmlog 0 no 1 yes Turns the broadcast or multicast...

Page 272: ...idle timeout value tcpfin Sets the TCP FIN session idle timeout value udp Sets the UDP session idle timeout value gre Sets the GRE session idle timeout value esp Sets the ESP session idle timeout value ah Sets the AH session idle timeout value others Sets the idle timeout value for other sessions trcdisp parse brief disp Sets the level of detail that should be displayed parse displays the most det...

Page 273: ...he packet trace buffer channel name none incoming outgoing bothway Sets the packet trace direction for a given channel string on off Enables or disables the sending of a log to the trace packet buffer when configuration changes are made or displays the current setting if neither on off is specified switch on off Enables or disables packet trace or displays the current setting if neither on nor off...

Page 274: ...e these commands to configure remote server management access telnet ftp web icmp snmp dns value Sets the server access type load Loads server information disp Displays server information port telnet ftp web snmp port Sets the server port save Saves server information secureip telnet ftp web icmp snmp dns ip Sets server secure IP address pwderrtm minute Sets or displays the password error blocking...

Page 275: ...of peer device connected to the socket Remote Socket and task control block Owner filter netbios disp Displays the current NetBIOS filter modes config 0 Between LAN and WAN 3 IPSec Pass through 4 Trigger Dial on off Sets NetBIOS filters ddns debug level Enables or disables DDNS service display iface name Displays DDNS information restart Restarts DDNS logout This command has no effect cpu display ...

Page 276: ...nfig Displays LAN configuration information driver cnt disp name Displays the Ethernet driver counters status ch_name Shows the LAN status version Displays the Ethernet device type edit load 1 LAN Loads Ethernet 1 LAN data from the System Parameters Table mtu value Sets the Ethernet data Maximum Transmission Unit accessblock 0 disable 1 enable Blocks Internet access speed auto 10 half 10 full 100 ...

Page 277: ... 0 1 Disables or enables the alias for the specified interface arp status iface Displays an interface s IP Address Resolution Protocol status attpret on off Allows or disallows the device to receive ARP from a different network or not force on off Enables or disables the ARP timeout function dhcp iface client release Releases the DHCP client IP address renew Renews the DHCP client IP address statu...

Page 278: ...his command currently does not work icmp status Displays the ICMP statistics counter discovery iface on off Sets the ICMP router discovery flag ifconfig iface ipaddr broadcast addr mtu value dynamic Configures a network interface ping hostid Pings a remote host route status if Displays the routing table add dest_addr defaul t bits gateway metric Adds a route addiface dest_addr defaul t bits gatewa...

Page 279: ...e Enables the RIP debug trace mode iface in mode Sets the Business Secure Router to use the RIP information it receives iface out mode Sets the Business Secure Router to broadcast its routing table dialin_user show in out both none Shows the dial in user RIP direction tcp status Displays the TCP statistic counters telnet host port Creates a Telnet connection to the specified host tftp support Disp...

Page 280: ...tes and keyword blocking display Displays the content filtering customize action flags actionFlags act 1 7 enable disable Sets the content filtering customize action flags logFlags type 1 3 enabl e disable Sets the content filtering customize log flags add string trust untrust keyword Adds a trusted Web site forbidden Web site or keyword blocking string delete string trust untrust keyword Deletes ...

Page 281: ...ording reports data url Records the most visited Web sites ip Records the LAN IP addresses that sent and received the most traffic srv Records the most heavily used protocols or service ports stroute display rule buf Displays the list of static routes or detailed information on a specified rule load rule Loads the specified static route rule into the buffer save Saves a rule from the buffer to the...

Page 282: ...rface iface join group Adds an interface to a group iface leave group Removes an interface from a group iface query Sends an IGMP query on the specified interface iface rsptime time Sets the IGMP response time iface start Turns on IGMP on the specified interface iface stop Turns off IGMP on the specified interface iface ttl threshold Sets the IGMP Time To Live threshold iface v1compat on off Turns...

Page 283: ...ds Command Description debug type 0 Disable 1 Original on off 2 IKE on off 3 IPSec SPI on off 4 XAUTHon off 5 CERT on off 6 All Turns the trace for IPsec debug information on or off level 0 None 1 User 2 Low 3 High Sets the debug level The higher the number the more detailed display Shows debugging information including type and level switch on off As long as there is one active IPSec rule all pac...

Page 284: ...disconnects the tunnel show_runtime sa Displays runtime phase 1 and phase 2 SA information spd When a dynamic rule accepts a request and a tunnel is established a runtime SPD is created according to the peer s local IP address This command displays these runtime SPDs updatePeerIp Forces the system to immediately update IPSec rules that use a domain name as the secure gateway IP address display rul...

Page 285: ...ess Sets the My IP Address peerIdType 0 IP 1 DNS 2 Email Sets the peer ID type peerIdContent content Sets the peer ID content secureGwAddr IP address Domain name Sets the secure gateway address authMethod 0 PreSharedKey 1 RSASignature Sets the authentication method certificate certificate name Specifies the certificate to use for authentication preShareKey ASCII 0xHEX Types 8 to 32 case sensitive ...

Page 286: ...Specifies whether the rule is for a branch office or Contivity Client VPN connection authOptions 0 Username Password 1 Group ID Password Sets the Business Secure Router to either send just the username and password to the remote Contivity IPSec router or a group ID and password as well onDemand on off Sets whether or not outgoing packets can automatically trigger a VPN connection to the remote Con...

Page 287: ...icy policySave Saves the IP policy ipsecList Displays a summary of the IPSec phase 2 rules policyList Displays the IP policies policyDelete rule index Deletes the specified IP policy policyConfig Uses these commands to configure an IP policy for an IPSec office tunnel rule saIndex rule index Binds the IP policy to an IPSec rule active Yes No Turns the IP policy on or off lcAddrStart IP Sets the lo...

Page 288: ...IP address or subnet mask swSkipOverlapIP on off Turn this option on to have the device allow rules with overlapping source and destination IP addresses adjTcpMss off auto user defined value Sets the adjust TCP Maximum Segment Size contivityDial Initiates the Contivity Client VPN connection contivityDrop Ends the Contivity Client VPN connection contivityState Displays information about the Contivi...

Page 289: ...r disables client termination display user cfg Displays configuration and or remote user logon status of client termination unless a parameter is specified displays all save Saves any client termination configuration changes to ROM auth local on off Enables or disables Local User Database authentication method local psk on off Enables or disables the Pre Shared Key authentication method for the Lo...

Page 290: ...pool Currently 3 IP pools are supported so the valid index is 1 3 save After changing the IP pool configuration use the save command to save the modification to the ROM active Enables or disables the loaded IP pool poolName Sets the IP pool s name startAddr Sets the IP pool s starting IP address subnet Sets the IP pool s subnet size Sets the number of IP addresses in the IP pool status Displays th...

Page 291: ...th a single key A setting of 0 kb disables the Rekey Data Count rekey data count must be more than 5 domain Sets the domain name for client termination dns primary secondary IP Sets primary or secondary DNS server IP addresses to be assigned to remote users wins primary secondary IP Sets primary or secondary WINS server IP addresses to be assigned to remote users banner on off banner text Sets whe...

Page 292: ...nd Description wan adsl bert Displays ADSL ber cellcnt Displays the ADSL cell counter chandata Displays the ADSL operational mode standard and ADSL channel data line rate close Closes the ADSL line defbitmap Displays ADSL defect bitmap status dyinggasp Sends ADSL dyinggasp linedata far Shows ADSL far end noise margin and carrier load information near Shows ADSL near end noise margin and carrier lo...

Page 293: ...Need to save after this command Remove removeNodeI d vpi vci Sets remote node ID and VPI VCI value to remove the specific entry System will save automatically Active yes no Enables disables VC auto hunting feature display Displays the hunt pool Clear Clears the configuration Save Saves current setting to the ROM file timer Sets the waiting time before checking the hunting table result Send Sends V...

Page 294: ...splays the firewall log type and count clear Clears the firewall log count dynamicrule display Displays the firewall s dynamic rules tcprst rst Turns TCP reset sending on or off rst113 Turns TCP reset sending for port 113 on or off display Displays the TCP reset sending settings dos smtp Enables or disables the SMTP DoS defender display Displays the SMTP DoS defender setting ignore Sets if the fir...

Page 295: ...ets the queueing mechanism to fairness based WRR or priority based PRR efficient Turns on the work conserving feature disable Disables bandwidth management for traffic going out the LAN interface wan enable bandwidth xxx Enables bandwidth management for traffic going out the WAN interface You can also specify the b s of bandwidth wrr prr Sets the queueing mechanism to fairness based WRR or priorit...

Page 296: ... borrow bandwidth from its parent class when borrowing is turned on and vice versa wan add bandwidth xxx name xxx Adds a class with bandwidth xxx b s in WAN The name is for your information priority x Sets the class priority The range is between 0 the lowest to 7 the highest borrow on off The class can borrow bandwidth from its parent class when borrowing is turned on and vice versa del Deletes th...

Page 297: ...ass wan add Daddr mask Dmask Dport Saddr mask Smask Sport protocol Adds a filter for class in WAN The filter contains destination address netmask destination port source address netmask source port and protocol Use 0 for items that you do not want the filter to include del Deletes the LAN filter that belongs to the specified WAN class show interface lan Displays the LAN interface settings wan Disp...

Page 298: ...ify one The first time you use the command turns it on the second time turns it off and so on wan Displays the bandwidth usage of the specified WAN class or all of the WAN classes if you do not specify one The first time you use the command turns it on the second time turns it off and so on moveFilter channName from to Changes the filter order channName LAN WAN from filter index number to filter i...

Page 299: ...ame required The format is subject name dn ip dns email value If the name contains spaces put it in quotes key size specifies the key size It has to be an integer from 512 to 2 048 The default is 1 024 bits create scep_enroll name CA addr CA cert auth key subject key size Creates a certificate request and enrolls for a certificate immediately online using SCEP protocol name specifies a descriptive...

Page 300: ...icate importation to be successful a certification request corresponding to the imported certificate must already exist on Business Secure Router After the importation the certification request is automatically deleted If a descriptive name is not specified for the imported certificate the certificate adopts the descriptive name of the certification request export name Exports the PEM encoded cert...

Page 301: ...from stdin name specifies the name the imported CA certificate is saved as export name Exports the PEM encoded certificate to stdout for the user to copy and paste name specifies the name of the certificate to be exported view name Views the information of the specified trusted CA certificate name specifies the name of the certificate to be viewed verify name timeout Verifies the certification pat...

Page 302: ... of the specified trusted remote host certificate name specifies the name of the certificate to be viewed verify name timeout Verifies the certification path of the specified trusted remote host certificate name specifies the name of the certificate to be verified timeout specifies the timeout value in seconds optional The default timeout value is 20 seconds delete name Deletes the specified trust...

Page 303: ...Views the specified directory service name specifies the name of the directory server to be viewed list Lists all directory service names and basic information rename old name new name Renames the specified directory service old name specifies the name of the directory server to be renamed new name specifies the new name the directory server is saved as edit name addr port login pswd Edits the spe...

Page 304: ...ius For example type radius auth to display the authentication server settings Table 73 IEEE 802 1X commands Command Description debug level level Sets the IEEE 802 1x debug message level trace Displays all supplicants information in the supplicant table user user Displays all supplicants information related to the username Table 74 RADIUS commands Command Description auth Displays the current RAD...

Page 305: ...ts that enable a computer to connect to and communicate with a LAN For some dial up services such as PPPoE or PPPoA NetBIOS packets cause unwanted calls You can configure NetBIOS filters to do the following Allow or disallow the sending of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN Allow or disallow the sending of NetBIOS packets through VPN connections Allow or disallow N...

Page 306: ...r numbered 0 3 to configure NetBIOS Filter Status Between LAN and WAN Block IPSec Packets Forward Trigger Dial Disabled Table 75 NetBIOS filter default settings Name Description Example Between LAN and WAN This field displays whether NetBIOS packets are blocked or forwarded from the LAN to the WAN or from the WAN to the LAN Forward IPSec Packets This field displays whether NetBIOS packets sent thr...

Page 307: ...nnection Use off to allow NetBIOS packets to be sent through a VPN connection For type 4 use on to allow NetBIOS packets to initiate dial backup calls Use off to block NetBIOS packets from initiating dial backup calls Example commands Command sys filter netbios config 0 on This command blocks LAN to WAN and WAN to LAN NetBIOS packets Command sys filter netbios config 1 off This command forwards WA...

Page 308: ...308 Appendix H NetBIOS filter commands NN47923 501 ...

Page 309: ...ed in Chapter 15 Firmware and configuration file maintenance on page 179 Figure 156 Option to Enter Debug Mode Enter ATHE to view all available Business Secure Router boot module commands as shown in Figure 157 on page 310 With ATBAx you can change the console port speed The x denotes the number preceding the colon to give the console port speed following the colon in the list of numbers that foll...

Page 310: ...time ATDA y m d change system date to year month day or show current date ATDS dump RAS stack ATDT dump Boot Module Common Area ATDUx y dump memory contents from address x for length y ATRBx display the 8 bit value of address x ATRWx display the 16 bit value of address x ATRLx display the 32 bit value of address x ATGO x run program at addr x or boot router ATGR boot router ATGT run Hardware Test ...

Page 311: ...information from the time server Time calibration failed The router failed to get information from the time server DHCP client gets s A DHCP client got a new IP address from the DHCP server DHCP client IP expired A DHCP client s IP address has expired DHCP server assigns s The DHCP server assigned an IP address to a client SMT Login Successfully Someone has logged on to the router s SMT interface ...

Page 312: ...ewall Table 79 Content filtering logs Category Log Message Description URLFOR IP Domain Name The Business Secure Router allows access to this IP address or domain name and forwards traffic to the IP address or domain name URLBLK IP Domain Name The Business Secure Router blocked access to this IP address or domain name due to a forbidden keyword All web traffic is disabled except for trusted domain...

Page 313: ...nd attack land OSPF The firewall detected an OSPF land attack land ICMP type d code d The firewall detected an ICMP land attack see the section on ICMP messages for type and code details ip spoofing WAN TCP The firewall detected a TCP IP spoofing attack on the WAN port ip spoofing WAN UDP The firewall detected an UDP IP spoofing attack on the WAN port ip spoofing WAN IGMP The firewall detected an ...

Page 314: ... IGMP The firewall detected an IGMP IP spoofing attack while the Business Secure Router did not have a default route ip spoofing no routing entry ESP The firewall detected an ESP IP spoofing attack while the Business Secure Router did not have a default route ip spoofing no routing entry GRE The firewall detected a GRE IP spoofing attack while the Business Secure Router did not have a default rout...

Page 315: ... the listed ACL set and the Business Secure Router blocked or forwarded it according to the ACL set s configuration Firewall default policy OSPF set d OSPF access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the ACL set s configuration Firewall default policy set d Access matched the default policy of the listed ACL set and th...

Page 316: ...id not match the listed firewall rule and the Business Secure Router logged it Firewall rule NOT match ESP set d rule d ESP access did not match the listed firewall rule and the Business Secure Router logged it Firewall rule NOT match GRE set d rule d GRE ac access did not match the listed firewall rule and the Business Secure Router logged it Firewall rule NOT match OSPF set d rule d OSPF access ...

Page 317: ...k The firewall detected a DoS attack and sent a TCP packet in response Firewall sent TCP reset packets The firewall sent out TCP reset packets Packet without a NAT table entry blocked The router blocked a packet that did not have a corresponding SUA NAT table entry Out of order TCP handshake packet blocked The router blocked a TCP handshake packet that came out of the proper order Drop unsupported...

Page 318: ...r Table 83 ICMP notes Type Code Description 0 Echo Reply 0 Echo reply message 3 Destination Unreachable 0 Net unreachable 1 Host unreachable 2 Protocol unreachable 3 Port unreachable 4 A packet that needed fragmentation was dropped because it was set to Don t Fragment DF 5 Source route failed 4 Source Quench 0 A gateway can discard internet datagrams if it does not have the buffer space needed to ...

Page 319: ...agment reassembly time exceeded 12 Parameter Problem 0 Pointer indicates the error 13 Timestamp 0 Timestamp request message 14 Timestamp Reply 0 Timestamp reply message 15 Information Request 0 Information request message 16 Information Reply 0 Information reply message Table 84 Sys log LOG MESSAGE DESCRIPTION Mon dd hr mm ss hostname src srcIP srcPort dst dstIP dstPort msg msg note note This mess...

Page 320: ...A 003 01 Jan 08 02 22 Recv SA 004 01 Jan 08 02 24 Send KE NONCE 005 01 Jan 08 02 24 Recv KE NONCE 006 01 Jan 08 02 26 Send ID HASH 007 01 Jan 08 02 26 Recv ID HASH 008 01 Jan 08 02 26 Phase 1 IKE SA process done 009 01 Jan 08 02 26 Start Phase 2 Quick Mode 010 01 Jan 08 02 26 Send HASH SA NONCE ID ID 011 01 Jan 08 02 26 Recv HASH SA NONCE ID ID 012 01 Jan 08 02 26 Send HASH Clear IPSec Log y n ...

Page 321: ...ecv Main Mode request from 192 168 100 100 002 01 Jan 08 08 07 Recv SA 003 01 Jan 08 08 08 Send SA 004 01 Jan 08 08 08 Recv KE NONCE 005 01 Jan 08 08 10 Send KE NONCE 006 01 Jan 08 08 10 Recv ID HASH 007 01 Jan 08 08 10 Send ID HASH 008 01 Jan 08 08 10 Phase 1 IKE SA process done 009 01 Jan 08 08 10 Recv HASH SA NONCE ID ID 010 01 Jan 08 08 10 Start Phase 2 Quick Mode 011 01 Jan 08 08 10 Send HASH...

Page 322: ...me peer but it is still processing the first IKE packet from that peer No proposal chosen The parameters configured for Phase 1 or Phase 2 negotiations do not match Check all protocols and settings for these phases For example one party is using 3DES encryption but the other party is using DES encryption so the connection fails Verifying Local ID failed Verifying Remote ID failed During IKE Phase ...

Page 323: ...address The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router The log displays the IP address type and IP address of the incoming packet vs My Remote IP address The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router The log dis...

Page 324: ... SPI of an inbound packet from the peer the packet is dropped Cannot find outbound SA for rule d The packet matches the rule index number d but Phase 1 or Phase 2 negotiation for outbound from the VPN initiator traffic is not finished yet Discard REPLAY packet If the Business Secure Router receives a packet with the wrong sequence number it discards it Inbound packet authentication failed The auth...

Page 325: ...he CMP online certificate enrollment failed The Destination field records the certification authority server s IP address and port Failed to resolve CMP CA server url The CMP online certificate enrollment failed because the certification authority server s IP address cannot be resolved Rcvd ca cert subject name The router received a certification authority certificate with subject name as recorded...

Page 326: ...hose address and port are recorded in the Source field The maximum size of directory data that the router allows is also recorded Cert trusted subject name The router has verified the path of the certificate with the listed subject name Due to reason codes cert not trusted subject name Due to the reasons listed the certificate with the listed subject name has not passed the path verification The r...

Page 327: ...abase method failed due to timeout 26 Database method failed 27 Path was not verified 28 Maximum path length reached Table 90 IEEE 802 1X logs Log Message Description Local User Database accepts user A user was authenticated by the local user database Local User Database reports user credential error A user was not authenticated by the local user database because of an incorrect user password Loca...

Page 328: ...idle timeout expired The router logged off a user whose idle timeout period expired User logout because of user request A user logged off Local User Database does not support authentication mothed A user tried to use an authentication method that the local user database does not support it only supports EAP MD5 No response from RADIUS Pls check RADIUS Server There is no response message from the R...

Page 329: ...uter you must do this in order to record logs Displaying logs Use the sys logs display command to show all of the logs in the Business Secure Router s log Use the sys logs category display command to show the log settings for all of the log categories Table 91 Log categories and available settings Log Categories Available Parameters access 0 1 2 3 attack 0 1 2 3 error 0 1 2 3 ike 0 1 2 3 ipsec 0 1...

Page 330: ...ve ras sys logs display access time source destination notes message 0 11 11 2002 15 10 12 172 22 3 80 137 172 22 255 255 137 ACCESS BLOCK Firewall default policy UDP set 8 1 11 11 2002 15 10 12 172 21 4 17 138 172 21 255 255 138 ACCESS BLOCK Firewall default policy UDP set 8 2 11 11 2002 15 10 11 172 17 2 1 224 0 1 60 ACCESS BLOCK Firewall default policy IGMP set 8 3 11 11 2002 15 10 11 172 22 3 ...

Page 331: ...nutes after the third time an incorrect password is entered Table 92 Brute force password guessing protection commands Command Description sys pwderrtm This command displays the brute force guessing password protection settings sys pwderrtm 0 This command turns off the password s protection from brute force guessing The brute force password guessing protection is turned off by default sys pwderrtm...

Page 332: ...332 Appendix K Brute force password guessing protection NN47923 501 ...

Page 333: ...t of the signaling SIP handles telephone calls and can interface with traditional circuit switched telephone networks SIP Identities A SIP account uses an identity sometimes referred to as a SIP address A complete SIP identity is called a SIP URI Uniform Resource Identifier The URI of a SIP account identifies the SIP account in a way similar to the way an e mail address identifies an e mail accoun...

Page 334: ...INVITE request to B This message is an invitation for B to participate in a SIP telephone call 2 B sends a response indicating that the telephone is ringing 3 B sends an OK response after the call is answered 4 A then sends an ACK message to acknowledge that B has answered the call 5 Now A and B exchange voice media talk 6 After talking A hangs up and sends a BYE request 7 B replies with an OK res...

Page 335: ...erver can make and receive VoIP telephone calls This means that SIP can be used for peer to peer communications even though it is a client server protocol In Figure 160 either A or B can act as a SIP user agent client to initiate a call A and B can also both act as a SIP user agent server to receive the call Figure 160 SIP User Agent Server SIP Proxy Server A SIP proxy server receives requests fro...

Page 336: ...t originally sent the request can send requests to the IP address that it received back from the redirect server Redirect servers do not initiate SIP requests In the following example client device A calls someone who is using client device C 1 Client device A sends a call invitation for C to the SIP redirect server B 2 The SIP redirect server sends the invitation back to A with C s IP address or ...

Page 337: ...Server A SIP register server maintains a database of SIP identity to IP address or domain name mapping The register server checks your username and password when you register RTP When you make a VoIP call using SIP the RTP Real time Transport Protocol is used to handle voice data transfer See RFC 1889 for details on RTP ...

Page 338: ...ugh Network Address Translators the VoIP device can the presence and types of NAT routers firewalls or both between it and the public Internet With STUN the VoIP device can also find the public IP address that NAT assigned so the VoIP device can embed it in the SIP data stream See STUN Simple Traversal of User Datagram Protocol UDP Through Network Address Translators NATs RFC 3489 for details on S...

Page 339: ...siness Secure Router creates an implicit temporary firewall rule for the dynamic RTP port on the WAN to the SIP client device on the LAN The firewall rule is created for both directions to allow voice packets The firewall rule is deleted when the call is terminated SIP ALG and Multiple WAN When the Business Secure Router has two WAN ports and uses the second highest priority WAN port as a back up ...

Page 340: ... Secure Router without STUN use the ip alg enable ALG_SIP command to activate the SIP ALG Signaling session timeout Most SIP clients have an expire mechanism indicating the lifetime of signaling sessions The SIP UA sends registration packets to the SIP server periodically and keeps the session alive in the Business Secure Router If the SIP client does not have this mechanism and makes no call duri...

Page 341: ...up 180 Brute Force Password Guessing Protection 36 Budget Management 202 BYE Request 334 C Call Back Delay 61 Call Control 201 Call History 204 Call Scheduling 36 213 Maximum Number of Schedule Sets 213 PPPoE 216 Precedence 214 Precedence Example 214 Call Triggering Packet 174 Central Network Management 37 CHAP 63 89 CHAP PAP 89 Client server Protocol 335 Collision 166 Command Interpreter Mode 199...

Page 342: ...nfiguration 133 Configuring 136 Example 146 Generic Filter Rule 144 Generic Rule 145 NAT 149 Remote Node 151 Structure 134 TCP IP Rule 140 Filters Executing a Filter Rule 134 IP Filter Logic Flow 142 Firewall 35 Activating 131 SMT Menus 131 Flow Control 43 FTP 211 FTP File Transfer 190 FTP Restrictions 183 211 FTP Server 39 123 Full Network Management 38 G Gateway IP Address 101 General Setup 49 H...

Page 343: ...ter Setup 73 LAN Setup 73 74 LAN to LAN application 87 Link type 165 LLC 95 LLC based Multiplexing 95 Log 169 Log Facility 171 Logging 39 Logging In to the SMT 44 Login Screen 44 M Main Menu 45 Mean Time Between Failures 253 Metric 67 92 101 MTBF 253 Multicast 68 77 92 Multimedia 333 Multiplexing 33 82 87 multiplexing 95 My Login 62 My Password 62 My WAN Address 67 92 N Nailed Up Connection 64 Nai...

Page 344: ...6 Remote Node Setup 86 Remote Node Filter 71 93 Remote Node Index Number 165 Required fields 45 Reset Button 34 Resetting the Time 208 Restore Configuration 186 retry count 61 retry interval 61 RFC 1889 337 RFC 3489 338 RFC 1483 88 RFC 2364 87 RIP 67 77 79 92 Direction 79 Version 79 RTP 337 S Schedule Sets Duration 215 Server 108 111 114 115 121 122 206 Session Initiation Protocol 333 setup a sche...

Page 345: ...er rule 139 technical publications 26 Terminal Emulation 43 text conventions 25 TFTP File Transfer 192 TFTP Restrictions 183 211 Time and Date 34 Time and Date Setting 205 206 Time Zone 207 Timeout 64 Trace 169 Tracing 39 trademarks 2 Traffic Redirect 38 Setup 57 Triangle 229 Triangle Route Solutions 230 Trigger Port Forwarding 127 U Uniform Resource Identifier 333 Universal Plug and Play 36 Upgra...

Search results

Summary of Contents for 252

Reviews:

Related manuals for 252

Brands by name

Popular brands

Nortel 252, Configuration

Search results

Summary of Contents for 252

Reviews:

Related manuals for 252

Brands by name

Popular brands