Home
/
Nortel
/
BCM50e
/
Configuration

Nortel BCM50e, Configuration

Share

Page: 133 / 311

Nortel BCM50e Configuration Download Page 133

Chapter 11 Filter configuration

133

BCM50e Integrated Router Configuration - Advanced

Filter Types and NAT

There are two classes of filter rules,

Generic Filter

(Device) rules and protocol

filter (

TCP/IP

) rules. Generic filter rules act on the raw data that’s going through

between LAN and WAN. Protocol filter

rules act on the IP packets. Generic and

TCP/IP filter rules are discussed in more detail in the next section. When NAT
(Network Address Translation) is enabled, the inside IP address and port number
are replaced on a connection-by-connection basis, which makes it impossible to
know the exact address and port on the wire. Therefore, the Business Secure
Router applies the protocol filters to the native IP address and port number before
NAT for outgoing packets and after NAT for incoming packets. On the other
hand, the generic, or device filters are applied to the raw packets that appear on
the wire. They are applied at the point when the Business Secure Router is
receiving and sending the packets; for example. the interface. The interface can be
an Ethernet port or any other hardware port, as illustrated in

.

Figure 64

Protocol and Device Filter Sets

Firewall Versus Filters

Firewall configuration is discussed in

Chapter 10, “Introducing the firewall,” on

chapters

of this manual. Further comparisons are also made between

filtering, NAT and the firewall.

«
...
131
132
133
134
135
...
»

Summary of Contents for BCM50e

Page 1: ...BCM50e Business Secure Router Document Number N0115789 Document Version 1 0 Date August 2006 BCM50e Integrated Router Configuration Advanced ...

Page 2: ...xpress or implied warranty Users must take full responsibility for their applications of any products specified in this document The information in this document is proprietary to Nortel Trademarks Nortel Nortel Logo the Globemark and This is the way This is Nortel Design mark are trademarks of Nortel Microsoft MS MS DOS Windows and Windows NT are registered trademarks of Microsoft Corporation All...

Page 3: ...pe Middle East Africa 25 Technical Support CTAS 25 CALA Caribbean Latin America 26 Technical Support CTAS 26 APAC Asia Pacific 26 Technical Support GNTS 26 Chapter 1 Getting to know your BCM50e Integrated Router 29 Introducing the BCM50e Integrated Router 29 Features 29 Physical features 30 4 Port switch 30 Autonegotiating 10 100 Mb s Ethernet LAN 30 Autosensing 10 100 Mb s Ethernet LAN 30 Autoneg...

Page 4: ...ork Management 34 SNMP 34 Network Address Translation NAT 34 Traffic Redirect 34 Port Forwarding 35 DHCP Dynamic Host Configuration Protocol 35 Full network management 35 Road Runner support 35 Logging and tracing 35 Upgrade Business Secure Router Firmware 36 Embedded FTP and TFTP Servers 36 Applications for the BCM50e Integrated Router 36 Secure broadband internet access and VPN 36 Chapter 2 Intr...

Page 5: ...WAN setup 51 Chapter 4 LAN setup 53 Introduction to LAN setup 53 Accessing the LAN menus 53 LAN port filter setup 53 TCP IP and DHCP ethernet setup menu 54 IP Alias Setup 57 Chapter 5 Internet access 61 Introduction to internet access setup 61 Ethernet encapsulation 61 Configuring the PPTP client 63 Configuring the PPPoE client 64 Basic setup complete 66 Chapter 6 Remote Node setup 67 Introduction...

Page 6: ...er Setup 87 Chapter 9 Network Address Translation NAT 89 Using NAT 89 SUA Single User Account Versus NAT 89 Applying NAT 89 NAT setup 92 Address Mapping Sets 92 SUA Address Mapping Set 93 User Defined Address Mapping Sets 95 Ordering Your Rules 96 Configuring a server behind NAT 99 General NAT examples 103 Internet access only 103 Example 2 Internet access with an inside server 105 Example 3 Multi...

Page 7: ...ing a TCP IP Filter Rule 123 Configuring a Generic Filter Rule 128 Example Filter 130 Filter Types and NAT 133 Firewall Versus Filters 133 Applying a Filter 134 Applying LAN Filters 134 Applying Remote Node Filters 135 Chapter 12 SNMP Configuration 137 SNMP Configuration 137 SNMP Traps 138 Chapter 13 System security 141 System security 141 System password 141 Configuring external RADIUS server 142...

Page 8: ...g the FTP command from the command line 161 Example of FTP commands from the command line 162 GUI based FTP clients 162 TFTP and FTP over WAN Management Limitations 162 Backup configuration using TFTP 163 TFTP command example 164 GUI based TFTP clients 164 Restore configuration 165 Restore Using FTP 165 Restore using FTP session example 167 Uploading Firmware and Configuration Files 167 Firmware f...

Page 9: ... setting 179 Resetting the Time 182 Chapter 17 Remote Management 183 Remote Management 183 Remote Management Limitations 185 Chapter 18 Call scheduling 187 Introduction 187 Appendix A Setting up your computer IP address 191 Windows 95 98 Me 191 Installing components 192 Configuring 193 Verifying Settings 194 Windows 2000 NT XP 195 Verifying Settings 199 Macintosh OS 8 9 199 Verifying Settings 200 ...

Page 10: ...ates 213 Using a certificate when accessing the Business Secure Router example 221 Appendix D PPPoE 223 PPPoE in action 223 Benefits of PPPoE 223 Traditional dial up scenario 223 How PPPoE works 224 Business Secure Router as a PPPoE client 224 Appendix E PPTP 227 What is PPTP 227 How can we transport PPP frames from a PC to a broadband modem over Ethernet 227 PPTP and the Business Secure Router 22...

Page 11: ... with Class A and Class B networks 240 Appendix H Command Interpreter 243 Command Syntax 243 Command usage 243 Sys commands 244 Exit Command 252 Ethernet Commands 252 IP commands 253 IPSec commands 259 Sys firewall commands 265 Bandwidth management commands 266 Certificates commands 270 Appendix I NetBIOS filter commands 275 Introduction 275 Display NetBIOS filter settings 276 NetBIOS filter confi...

Page 12: ...t 282 Nortel WLAN handsets 2210 2211 phone options 283 TFTP server IP address assignment 283 WLAN IP Telephony Manager IP Address Assignment 284 Appendix K Log descriptions 285 VPN IPSec logs 293 VPN responder IPSec log 295 Table 81 shows RFC 2408 ISAKMP payload types that the log displays Refer to the RFC for detailed information on each type Log commands 299 Configuring what you want the Busines...

Page 13: ...gure 15 Menu 4 internet access setup Ethernet 62 Figure 16 Internet access setup PPTP 64 Figure 17 Internet access setup PPPoE 65 Figure 18 Menu 11 Remote Node Setup 68 Figure 19 Menu 11 1 Remote Node profile for Ethernet Encapsulation 69 Figure 20 Menu 11 1 Remote Node profile for PPPoE Encapsulation 71 Figure 21 Menu 11 1 Remote Node Profile for PPTP Encapsulation 73 Figure 22 Menu 11 1 2 Remote...

Page 14: ...enu 4 Internet access NAT example 104 Figure 44 NAT Example 2 105 Figure 45 Menu 15 2 Specifying an inside server 106 Figure 46 NAT example 3 107 Figure 47 Example 3 Menu 11 1 2 108 Figure 48 Example 3 Menu 15 1 1 1 109 Figure 49 Example 3 Final Menu 15 1 1 110 Figure 50 Example 3 Menu 15 2 111 Figure 51 Menu 15 3 Trigger Port Setup 112 Figure 52 Menu 21 Filter and Firewall Setup 115 Figure 53 Men...

Page 15: ...51 Figure 78 Menu 24 3 2 System Maintenance Syslog Logging 152 Figure 79 Call Triggering packet example 155 Figure 80 Menu 24 4 System Maintenance Diagnostic 157 Figure 81 WAN LAN DHCP 158 Figure 82 Menu 24 5 System Maintenance Backup Configuration 161 Figure 83 FTP Session Example 162 Figure 84 Telnet into Menu 24 6 166 Figure 85 Restore using FTP session example 167 Figure 86 Telnet Into Menu 24...

Page 16: ...Figure 113 Ideal Setup 203 Figure 114 Triangle Route Problem 204 Figure 115 IP Alias 205 Figure 116 Security Certificate 207 Figure 117 Login Screen 208 Figure 118 Certificate General Information before Import 209 Figure 119 Certificate Import Wizard 1 210 Figure 120 Certificate Import Wizard 2 211 Figure 121 Certificate Import Wizard 3 212 Figure 122 Root Certificate Store 212 Figure 123 Certific...

Page 17: ...E Client 225 Figure 137 Transport PPP frames over Ethernet 227 Figure 138 Business Secure Router as a PPTP client 228 Figure 139 PPTP protocol overview 229 Figure 140 Example message exchange between PC and an ANT 230 Figure 141 Ethernet cable pin assignments 231 Figure 142 NetBIOS Display Filter Settings Command Example 276 Figure 143 Example VPN initiator IPSec log 294 Figure 144 Example VPN res...

Page 18: ...18 Figures N0115789 ...

Page 19: ...lds in Menu 11 1 PPPoE Encapsulation Specific 72 Table 15 Fields in Menu 11 1 PPTP Encapsulation 73 Table 16 Remote Node Network Layer Options Menu Fields 75 Table 17 Menu 11 1 Remote Node profile Traffic Redirect Field 79 Table 18 Menu 11 1 5 Traffic Redirect setup 80 Table 19 IP Static Route Menu Fields 84 Table 20 Menu 14 1 Edit Dial in User 88 Table 21 Applying NAT in Menus 4 11 1 2 91 Table 2...

Page 20: ...1 Valid commands 175 Table 42 Budget management 177 Table 43 Call History Fields 178 Table 44 Time and Date Setting Fields 180 Table 45 Menu 24 11 Remote Management control 184 Table 46 Menu 26 1 Schedule Set Setup 189 Table 47 General specifications 231 Table 49 Allowed IP address range By class 234 Table 48 Classes of IP addresses 234 Table 50 Natural Masks 235 Table 51 Alternative Subnet Mask N...

Page 21: ...2 UPnP logs 286 Table 73 Content filtering logs 286 Table 74 Attack logs 287 Table 75 Access logs 289 Table 76 ACL setting notes 292 Table 77 ICMP notes 292 Table 78 Sys log 293 Table 79 Sample IKE key exchange logs 296 Table 80 Sample IPSec logs during packet transmission 298 Table 81 RFC 2408 ISAKMP payload types 299 Table 82 PKI logs 299 Table 83 Certificate path verification failure reason cod...

Page 22: ...22 Tables N0115789 ...

Page 23: ...he SMT Text conventions This guide uses the following text conventions Note This guide explains how to use the System Management Terminal SMT or the command interpreter interface to configure your Business Secure Router See the basic manual for how to use the WebGUI to configure your Business Secure Router Not all features can be configured through all interfaces Enter means for you to type one or...

Page 24: ... the specific category and model or version for your hardware or software product Use Adobe Reader to open the manuals and release notes search for the sections you need and print them on most standard printers Go to Adobe Systems at www adobe com to download a free copy of the Adobe Reader How to get help If you do not see an appropriate number in this list go to www nortel com cs A single keystr...

Page 25: ...questions and first line support you can enter ERC 338 Web Site www nortel com cs Presales Support CSAN Telephone 1 800 4NORTEL 1 800 466 7835 Use Express Routing Code ERC 1063 EMEA Europe Middle East Africa Technical Support CTAS Telephone European Free phone 00800 800 89009 European Alternative Calls are not free from all countries in Europe Middle East or Africa Fax 44 191 555 7980 E mail emeah...

Page 26: ...sk 61 2 8870 5511 Sydney Technical Support GNTS Telephone 612 8870 8800 Fax 612 8870 5569 E mail asia_support nortel com Australia 1 800 NORTEL 1 800 667 835 China 010 6510 7770 India 011 5154 2210 Indonesia 0018 036 1004 Japan 0120 332 533 Malaysia 1800 805 380 New Zealand 0800 449 716 Philippines 1800 1611 0063 Singapore 800 616 2004 South Korea 0079 8611 2001 Taiwan 0800 810 500 ...

Page 27: ...Preface 27 BCM50e Integrated Router Configuration Advanced Thailand 001 800 611 3007 Service Business Centre Pre Sales Help Desk 61 2 8870 5511 ...

Page 28: ...28 Preface N0115789 ...

Page 29: ...etwork Address Translation NAT firewall and Virtual Private Network VPN capability the Business Secure Router is a complete security solution that protects your Intranet and efficiently manages data traffic on your network Features This section lists the key features of the Business Secure Router Table 1 Feature Specifications Feature Specification Number of static routes 12 Number of NAT sessions...

Page 30: ...hernet cable Number of concurrent IKE Phase 1 Security Associations These correspond to the gateway policies 10 Number of concurrent IPSec VPN tunnels Phase 2 Security Associations These correspond to the network policies and are also monitorable and manageable For example five IKE gateway policies could each use 12 IPSec tunnels for a total of 60 phase 2 IPSec VPN tunnels This total includes both...

Page 31: ...page Use this button to restore the factory default password to PlsChgMe and the IP address to 192 168 1 1 subnet mask 255 255 255 0 and DHCP server enabled with a pool of 126 IP addresses starting at 192 168 1 2 Nonphysical features IPSec VPN capability Establish Virtual Private Network VPN tunnels to connect home or office computers to your company network using data encryption and the Internet ...

Page 32: ...siness Secure Router firewall supports TCP UDP inspection DoS detection and protection real time alerts reports and logs Brute force password guessing protection The Business Secure Router has a special protection mechanism to discourage brute force password guessing attacks on the Business Secure Router s management interfaces You can specify a wait time that must expire before you can enter a fo...

Page 33: ...rk protocol that enables secure transfer of data from a remote client to a private server creating a Virtual Private Network VPN using a TCP IP based network PPTP supports on demand multiprotocol and virtual private networking over public networks such as the Internet The Business Secure Router supports one PPTP server connection at any given time Dynamic DNS support With Dynamic DNS Domain Name S...

Page 34: ...ades and do troubleshooting for you SNMP SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices SNMP is a member of the TCP IP protocol suite Your Business Secure Router supports SNMP agent functionality which means that a manager station can manage and monitor the Business Secure Router through the network The Business Secure Route...

Page 35: ...to all systems that support the DHCP client The Business Secure Router can also act as a surrogate DHCP server where it relays IP address assignment from another DHCP server to the clients Full network management The embedded web configurator is an all platform web based utility that you can use to easily manage and configure the Business Secure Router Most functions of the Business Secure Router ...

Page 36: ...ons for the BCM50e Integrated Router Secure broadband internet access and VPN You can connect a cable DSL or other modem to the BCM50e Integrated Router via Ethernet WAN port for broadband Internet access The Business Secure Router also provides IP address sharing and a firewall protected local network with traffic management VPN is an ideal cost effective way to connect branch offices and busines...

Page 37: ...Chapter 1 Getting to know your BCM50e Integrated Router 37 BCM50e Integrated Router Configuration Advanced Figure 1 Secure Internet Access and VPN Application BCM50e Integrated Router ...

Page 38: ...38 Chapter 1 Getting to know your BCM50e Integrated Router N0115789 ...

Page 39: ...ou how to navigate the SMT and how to configure SMT menus Initial screen When you turn on your Business Secure Router it performs several internal tests as well as line initialization After the tests the Business Secure Router asks you to press ENTER to continue as shown in Figure 2 Figure 2 Initial screen Logging on to the SMT The logon screen appears after you press ENTER prompting you to enter ...

Page 40: ...igating the SMT interface The SMT is an interface that you use to configure your Business Secure Router Table 2 lists several operations you must be familiar with before attempting to modify the configuration Table 2 Main menu commands Operations Keystrokes Descriptions Move down to another menu ENTER To move forward to a submenu type in the number of the desired submenu and press ENTER Move up to...

Page 41: ...types of fields The first requires you to type in the appropriate information The second allows you to cycle through the available choices by pressing SPACE BAR Required fields All fields with the symbol must be filled in order be able to save the new configuration N A fields N A Some of the fields in the SMT will show a N A This symbol refers to an option that is Not Applicable Save your configur...

Page 42: ...e information 2 WAN Setup Use this menu to clone a MAC address from a computer on your LAN and configure the backup WAN dial up connection 3 LAN Setup Use this menu to apply LAN filters configure LAN DHCP and TCP IP settings 4 Internet Access Setup Configure your Internet Access setup Internet address gateway IP address and logon with this menu 11 Remote Node Setup Use this menu to configure detai...

Page 43: ...ord in the Retype to confirm field for confirmation and press ENTER Note that as you type a password the screen displays an asterisk for each character you type 22 SNMP Configuration Use this menu to configure SNMP related parameters 23 System Security Use this menu to change your password and enable network user authentication 24 System Maintenance From displaying system status to uploading firmw...

Page 44: ...44 Chapter 2 Introducing the SMT N0115789 SMT menus at a glance Figure 6 SMT overview ...

Page 45: ...to open Menu 1 general setup The Menu 1 General Setup screen appears as shown in Figure 7 Fill in the required fields Figure 7 menu 1 general setup Menu 1 General Setup System Name Business Secure Router Domain Name www nortel com First System DNS Server From ISP IP Address N A Second System DNS Server From ISP IP Address N A Third System DNS Server From ISP IP Address N A Edit Dynamic DNS No Pres...

Page 46: ...e up to 30 alphanumeric characters long Spaces dashes and underscores _ are accepted Business Secure Router Domain name Enter the domain name if you know it here If you leave this field blank the ISP assigns a domain name via DHCP You can go to menu 24 8 and type sys domain name to see the current domain name used by your router The domain name entered by you is given priority over the ISP assigne...

Page 47: ... changes to None after you save your changes If you select From ISP for the second or third DNS server but the ISP does not provide a second or third IP address From ISP changes to None after you save your changes Select User Defined if you have the IP address of a DNS server The IP address can be public or a private address on your local LAN Enter the DNS server s IP address in the field to the r...

Page 48: ...es must include the LAN IP address of the Business Secure Router as a local IP address and the IP address of the DNS server as a remote IP address A Private DNS entry with the IP address set to 0 0 0 0 changes to None after you click Apply A duplicate Private DNS entry changes to None after you save your changes Edit dynamic DNS Press SPACE BAR and then ENTER to select Yes or No default Select Yes...

Page 49: ...vice provider www dyndns org default Active Press SPACE BAR to select Yes and then press ENTER to make dynamic DNS active Yes DDNS Type Press SPACE BAR and then ENTER to select DynamicDNS if you have a dynamic IP address Select StaticDNS if you have a static IP address Select CustomDNS to have dyns org provide DNS service for a domain name that you already have from a source other than dyndns org ...

Page 50: ...s When both fields are set to No the Business Secure Router must have a public WAN IP address in order for DDNS to work DDNS Server Auto Detect IP Address Press SPACE BAR to select Yes and then press ENTER to have the DDNS server automatically update the IP address of the host names with the public IP address that the Business Secure Router uses or is behind You can set this field to Yes whether t...

Page 51: ...tion Advanced Chapter 3 WAN Setup This chapter describes how to configure the WAN using menu 2 Introduction to WAN setup This chapter explains how to configure settings for your WAN port WAN setup From the main menu enter 2 to open menu 2 ...

Page 52: ...and then ENTER to choose one of two methods to assign a MAC Address Choose Factory Default to select the factory assigned default MAC Address Choose IP address attached on LAN to use the MAC Address of that workstation whose IP you give in the following field IP address attached on LAN IP Address This field is applicable only if you choose the IP address attached on LAN method in the Assigned By f...

Page 53: ...ns Accessing the LAN menus From the main menu enter 3 to open Menu 3 LAN setup Figure 10 Menu 3 LAN setup LAN port filter setup With Menu 3 you can specify the filter sets that you wish to apply to the LAN traffic You seldom need to filter the LAN traffic however the filter sets are useful to block certain packets reduce traffic and prevent security breaches Menu 3 LAN Setup 1 LAN Port Filter Setu...

Page 54: ...nd DHCP setup From menu 3 select the submenu option TCP IP and DHCP Setup and press ENTER The screen now displays Menu 3 2 TCP IP and DHCP Ethernet Setup as shown in Figure 13 Menu 3 1 LAN Port Filter Setup Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Press ENTER to Confirm or ESC to Cancel Menu 3 LAN Setup 1 LAN Port Filter Setup 2 TCP IP an...

Page 55: ...on None IP Address N A Version N A Second DNS Server From ISP Multicast None IP Address N A Edit IP Alias No Third DNS Server From ISP IP Address N A DHCP Server Address N A Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Table 7 DHCP Ethernet setup menu fields Field Description Example DHCP This field enables and disables the DHCP server If set to Server your Business Secure Rou...

Page 56: ...ut leave the IP address set to 0 0 0 0 User Defined changes to None after you save your changes If you set a second choice to User Defined and enter the same IP address the second User Defined changes to None after you save your changes Select DNS Relay to have the Business Secure Router act as a DNS proxy The Business Secure Router s LAN IP address displays in the IP Address field below read only...

Page 57: ...s you are implementing subnetting use the subnet mask computed by the Business Secure Router 255 255 255 0 RIP Direction Press SPACE BAR and then ENTER to select the RIP direction Options are Both In Only Out Only or None Both default Version Press SPACE BAR and then ENTER to select the RIP version Options are RIP 1 RIP 2B or RIP 2M RIP 1 default Multicast IGMP Internet Group Multicast Protocol is...

Page 58: ...col filters N A Outgoing protocol filters N A Enter here to CONFIRM or ESC to CANCEL Press Space Bar to Toggle Table 9 IP Alias setup menu field Field Description Example IP Alias Choose Yes to configure the LAN network for the Business Secure Router Yes IP Address Enter the IP address of your Business Secure Router in dotted decimal notation 192 168 1 1 IP Subnet Mask Your Business Secure Router ...

Page 59: ... then ENTER to select the RIP version Options are RIP 1 RIP 2B or RIP 2M RIP 1 Incoming Protocol Filters Enter the filter sets you wish to apply to the incoming traffic between this node and the Business Secure Router 1 Outgoing Protocol Filters Enter the filter sets you wish to apply to the outgoing traffic between this node and the Business Secure Router 2 Table 9 IP Alias setup menu field Field...

Page 60: ...60 Chapter 4 LAN setup N0115789 ...

Page 61: ...tup Use the information from your ISP along with the instructions in this chapter to set up your Business Secure Router to access the Internet There are three different menu 4 screens depending on whether you chose Ethernet PPTP or PPPoE Encapsulation Contact your ISP to determine which encapsulation type you should use Ethernet encapsulation If you choose Ethernet in menu 4 you will see Figure 15...

Page 62: ...Internet Service Provider e g myISP This information is for identification purposes only Encapsulation Press SPACE BAR and then press ENTER to choose Ethernet The encapsulation method influences your choices for the IP Address field Service Type Press SPACE BAR and then ENTER to select Standard RR Toshiba Road Runner Toshiba authentication method RR Manager Road Runner Manager authentication metho...

Page 63: ...ith your static IP Gateway IP Address Enter the gateway IP address associated with your static IP Network Address Translation With the NAT you can translate an Internet protocol address used within one network for example a private IP address used in a local network to a different IP address known within another network for example a public IP address used on the Internet Choose None to disable NA...

Page 64: ...tion about PPPoE see Appendix E PPPoE on page 227 Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation PPTP Service Type N A My Login username My Password Retype to Confirm Idle Timeout 100 IP Address Assignment Dynamic IP Address N A IP Subnet Mask N A Gateway IP Address N A Network Address Translation SUA Only Press ENTER to Confirm or ESC to Cancel Table 11 New fields in menu 4 PPTP S...

Page 65: ...My Password Retype to Confirm Idle Timeout 100 IP Address Assignment Dynamic IP Address N A IP Subnet Mask N A Gateway IP Address N A Network Address Translation Full Feature Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Table 12 New fields in menu 4 PPPoE screen Field Description Example Encapsulation Press SPACE BAR and then press ENTER to choose PPPoE The encapsulation metho...

Page 66: ...ness Secure Router embedded WebGUI You can also define additional firewall rules or modify existing ones but exercise extreme caution in doing so See the chapters on firewalls in BCM50e Integrated Router Configuration Basics N0115788 for more information on the firewall Note When the firewall is activated the default policy can communicate to the Internet if the communication originates from the L...

Page 67: ...e network behind it across a WAN connection Note that when you use menu 4 to set up Internet access you are actually configuring a remote node The following describes how to configure Menu 11 1 Remote Node Profile Menu 11 1 2 Remote Node Network Layer Options and Menu 11 1 4 Remote Node Filter Remote Node setup From the main menu select menu option 11 to open Menu 11 Remote Node Setup Figure 18 En...

Page 68: ...ncapsulation There are two variations of menu 11 1 depending on whether you choose Ethernet Encapsulation or PPPoE Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet The first menu 11 1 screen you see is for Ethernet encapsulation shown in Figure 19 Menu 11 Remote Node Setup 1 ChangeMe ISP SUA 2 GUI BACKUP_ISP SUA Enter Node to Edit ...

Page 69: ... Space Bar to Toggle Table 13 Fields in menu 11 1 Field Description Example Rem Node Name Enter a descriptive name for the remote node This field can be up to eight characters LAoffice Active Press SPACE BAR and then ENTER to select Yes activate remote node or No deactivate remote node Yes Encapsulation Ethernet is the default encapsulation Press SPACE BAR and then ENTER to change to PPPoE or PPTP...

Page 70: ... Router calls this remote node Valid for PPPoE encapsulation only Retype to Confirm Type your password again to make sure that you have entered it correctly Server IP This field is valid only when Road Runner is selected in the Service Type field The Business Secure Router finds the Road Runner Server IP automatically if this field is left blank If it does not then you must enter the authenticatio...

Page 71: ...ed protocol is stronger than specified If you encounter a case where the peer disconnects right after a successful authentication make sure that you specify the correct authentication protocol when connecting to such an implementation Menu 11 1 Remote Node Profile Rem Node Name ChangeMe Route IP Active Yes Encapsulation PPPoE Edit IP No Service Type Standard Telco Option Service Name Allocated Bud...

Page 72: ...Router accepts either CHAP or PAP when requested by this remote node CHAP accept CHAP only PAP accept PAP only CHAP PAP Telco Option Allocated Budget The field sets a ceiling for outgoing call time for this remote node The default for this field is 0 meaning no budget control 0 default Period hr This field is the time period in which the budget is reset For example if we are allowed to call this r...

Page 73: ...pe to Confirm Authen CHAP PAP PPTP Session Options My IP Addr Edit Filter Sets No My IP Mask Idle Timeout sec 100 Server IP Addr Connection ID Name Edit Traffic Redirect No Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Table 15 shows how to configure fields in menu 11 1 not previously discussed Table 15 Fields in Menu 11 1 PPTP Encapsulation Field Description Example Encapsulat...

Page 74: ...r connection name in the ANT It must follow the c id and n name format This field is optional and depends on the requirements of your DSL modem N My ISP Schedules You can apply up to four call schedule sets here Nailed Up Connections Press SPACE BAR and then ENTER to select Yes if you want to make the connection to this remote node a nailed up connection No Table 15 Fields in Menu 11 1 PPTP Encaps...

Page 75: ...twork Address Translation SUA Only Metric N A Private N A RIP Direction None Version N A Multicast None Enter here to CONFIRM or ESC to CANCEL Press Space Bar to Toggle Table 16 Remote Node Network Layer Options Menu Fields Field Description Example IP Address Assignment If your ISP did not assign you an explicit IP address press SPACE BAR and then ENTER to select Dynamic otherwise select Static a...

Page 76: ...gle User Account is a subset of NAT that supports two types of mapping Many to One and Server Choose Full Feature if you have multiple public IP addresses Full Feature mapping types include One to One Many to One SUA PAT Many to Many Overload Many One to One and Server When you select Full Feature you must configure at least one address mapping set See Chapter 9 Network Address Translation NAT for...

Page 77: ...r to Chapter 11 Filter configuration on page 117 For PPPoE or PPTP encapsulation you have the additional option of specifying remote node call filter sets Version Press SPACE BAR and then ENTER to select the RIP version from RIP 1 RIP 2B RIP 2M or None N A Multicast IGMP Internet Group Multicast Protocol is a network layer protocol used to establish membership in a Multicast group The Business Sec...

Page 78: ...o display Menu 11 1 Remote Node Profile as shown in Figure 25 Menu 11 1 4 Remote Node Filter Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Enter here to CONFIRM or ESC to CANCEL Menu 11 1 4 Remote Node Filter Input Filter Sets protocol filters Device filters Output Filter Sets protocol filters device filters Call Filter Sets protocol filters D...

Page 79: ...vice Name N A Edit Filter Sets No Outgoing My Login N A My Password N A Edit Traffic Redirect No Retype to Confirm N A Server N A Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Table 17 Menu 11 1 Remote Node profile Traffic Redirect Field Field Description Example Edit Traffic Redirect Press SPACE BAR to select Yes or No Select No default if you do not want to configure this fea...

Page 80: ... 5 Timeout sec 3 Press ENTER to Confirm or ESC to Cancel Table 18 Menu 11 1 5 Traffic Redirect setup Field Description Example Active Press SPACE BAR and select Yes to enable or No to disable traffic redirect setup The default is No Yes Configuration Backup Gateway IP Address Enter the IP address of your backup gateway in dotted decimal notation The Business Secure Router automatically forwards tr...

Page 81: ...c is forwarded to the backup gateway A good number is 2 to 5 seconds 3 Period sec Enter the time interval in seconds between WAN connection checks A good number is 5 to 60 seconds 5 Timeout sec Enter the number of seconds the Business Secure Router waits for a ping response from the IP Address in the Check WAN IP Address field before it times out The number in this field should be less than the nu...

Page 82: ...82 Chapter 6 Remote Node setup N0115789 ...

Page 83: ... menu Select one of the IP static routes as shown in Figure 27 to configure IP static routes in menu 12 1 Figure 27 Menu 12 IP Static Route Setup Note The Reserved static route entry is for the default WAN route You cannot modify or delete a static default route Menu 12 IP Static Route Setup 1 Reserved 2 ________ 3 ________ 4 ________ 5 ________ 6 ________ 7 ________ 8 ________ 9 ________ 10 _____...

Page 84: ... is for identification purposes only Active This field allows you to activate or deactivate this static route Destination IP Address This parameter specifies the IP network address of the final destination Routing is always based on network number If you need to specify a route to a single host use a subnet mask of 255 255 255 255 in the subnet mask field to force the network number to be identica...

Page 85: ...ameter determines if the Business Secure Router includes the route to this remote node in its RIP broadcasts If set to Yes this route is kept private and not included in RIP broadcast If No the route to this remote node is propagated to other hosts through RIP broadcasts After you complete filling in this menu press ENTER at the message Press ENTER to Confirm to save your configuration or press ES...

Page 86: ...86 Chapter 7 IP Static Route Setup N0115789 ...

Page 87: ...er From the main menu enter 14 to display Menu 14 Dial in User Setup Figure 29 Menu 14 Dial in User Setup Type a number and press ENTER to edit the user profile Menu 14 Dial in User Setup 1 ________ 9 ________ 17 ________ 25 ________ 2 ________ 10 ________ 18 ________ 26 ________ 3 ________ 11 ________ 19 ________ 27 ________ 4 ________ 12 ________ 20 ________ 28 ________ 5 ________ 13 ________ 21...

Page 88: ... Edit Dial in User Field Description User Name Enter a username up to 31 alphanumeric characters long for this user profile This field is case sensitive Active Press SPACE BAR to select Yes and press ENTER to enable the user profile Password Enter a password up to 31 characters long for this user profile After you complete this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel...

Page 89: ...re NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types Applying NAT You apply NAT via menus 4 or 11 1 2 Figure 32 on page 91 Figure 31 shows you how to apply NAT for Internet access in menu 4 Enter 4 from the main menu to go to Menu 4 Internet Access Setup Note You must create a firewall rule in addition to setting up SUA NAT to al...

Page 90: ...select Yes and then press ENTER to bring up Menu 11 1 2 Remote Node Network Layer Options Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation Ethernet Service Type Standard My Login N A My Password N A Retype to Confirm N A Login Server N A IP Address Assignment Dynamic IP Address N A IP Subnet Mask N A Gateway IP Address N A Network Address Translation SUA Only Press ENTER to Confirm o...

Page 91: ... Table 21 Applying NAT in Menus 4 11 1 2 Field Description Options Network Address Translation When you select this option the SMT uses Address Mapping Set 1 menu 15 1 Address Mapping Sets on page 92 for further discussion Choose Full Feature if you have multiple public WAN IP addresses for your Business Secure Router When you select Full Feature you must configure at least one address mapping set...

Page 92: ...n you select SUA Only the SMT uses the pre configured Set 255 read only The server set is a list of LAN servers mapped to external ports To use this set a server rule must be set up inside the NAT address mapping set To configure NAT enter 15 from the main menu to bring up the screen shown in Figure 33 Figure 33 Menu 15 NAT Setup Address Mapping Sets Enter 1 to bring up Menu 15 1 Address Mapping S...

Page 93: ...Figure 34 Menu 15 1 Address Mapping Sets SUA Address Mapping Set Enter 255 to display the screen shown in Figure 35 see SUA Single User Account Versus NAT on page 89 The fields in this menu cannot be changed Menu 15 1 Address Mapping Sets 1 NAT_SET 255 SUA read only Enter Menu Selection Number ...

Page 94: ...l End IP Type 1 0 0 0 0 255 255 255 255 0 0 0 0 M 1 2 0 0 0 0 Server 3 4 5 6 7 8 9 10 Press ENTER to Confirm or ESC to Cancel Note Menu 15 1 255 is read only Table 22 SUA Address Mapping Rules Field Description Example Set Name This is the name of the set you selected in menu 15 1 or enter the name of a new set you want to create SUA Idx This is the index or rule number 1 Local Start IP Local Star...

Page 95: ... 0 0 and the end IP is 255 255 255 255 255 255 255 255 Global Start IP This is the starting global IP address IGA If you have a dynamic IP enter 0 0 0 0 as the Global Start IP 0 0 0 0 Global End IP This is the ending global IP address IGA Type These are the mapping types discussed above With Server you can specify multiple servers of different types behind NAT to this machine Examples is found in ...

Page 96: ...remaining rules are ignored If there are any empty rules before your new configured rule your configured rule is pushed up by that number of empty rules For example if you Menu 15 1 1 Address Mapping Rules Set Name NAT_SET Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 2 3 4 5 6 7 8 9 10 Action Edit Select Rule Press ENTER to Confirm or ESC to Cancel Note The Type Local and G...

Page 97: ... This is a required field If this field is left blank the entire set is deleted NAT_SET Action The default is Edit Edit means you want to edit a selected rule see following field Insert Before means to insert a rule before the rule selected The rules after the selected rule are then moved down by one rule Delete means to delete the selected rule and all the rules after the selected one advance one...

Page 98: ...ype Press SPACE BAR and then ENTER to select from a total of five types If you choose Server you can specify multiple servers of different types behind NAT to this computer See Example 3 Multiple public IP addresses with inside servers on page 106 for an example One to On e Local IP Start Only local IP fields are N A for server Global IP fields must be set for Server Enter the starting local IP ad...

Page 99: ...nter 2 to go to Menu 15 2 NAT Server Setup Global IP Start Enter the starting global IP address IGA If you have a dynamic IP enter 0 0 0 0 as the Global IP Start Note that Global IP Start can be set to 0 0 0 0 only if the types are Many to One or Server 0 0 0 0 End Enter the ending global IP address IGA This field is N A for One to One Many to One and Server types N A After you finish configuring ...

Page 100: ...ress ENTER to open Menu 15 2 1 NAT Server Configuration see the next figure Menu 15 2 NAT Server Setup Default Server 0 0 0 0 Rule Act Start Port End Port IP Address 001 No 0 0 0 0 0 0 002 No 0 0 0 0 0 0 003 No 0 0 0 0 0 0 004 No 0 0 0 0 0 0 005 No 0 0 0 0 0 0 006 No 0 0 0 0 0 0 007 No 0 0 0 0 0 0 008 No 0 0 0 0 0 0 009 No 0 0 0 0 0 0 010 No 0 0 0 0 0 0 Select Command None Select Rule N A Press EN...

Page 101: ...n the End Port field Table 25 15 2 1 NAT Server Configuration Field Description Index This is the index number of an individual port forwarding server entry Name Enter a name to identify this port forwarding rule Active Press SPACE BAR and then ENTER to select Yes to enable the NAT server entry Start Port Enter a port number in the Start Port field To forward only one port enter it again in the En...

Page 102: ...s ESC at any time to cancel Figure 40 Menu 15 2 NAT Server Setup You assign the private network IP addresses The NAT network appears as a single host on the Internet A is the FTP Telnet SMTP server Menu 15 2 NAT Server Setup Default Server 0 0 0 0 Rule Act Start Port End Port IP Address 001 No 0 0 0 0 0 0 002 Yes 21 25 192 168 1 33 003 No 0 0 0 0 0 0 004 No 0 0 0 0 0 0 005 No 0 0 0 0 0 0 006 No 0 ...

Page 103: ...ral NAT examples The following are some examples of NAT configuration Internet access only In the Internet access example shown in Figure 42 you only need one rule where all your ILAs Inside Local addresses map to one dynamic IGA Inside Global Address assigned by your ISP Figure 42 NAT Example 1 BCM50e Integrated Router BCM50e Integrated Router ...

Page 104: ...amples on page 103 The SUA Only read only option from the Network Address Translation field in menus 4 and 11 1 2 is specifically preconfigured to handle this case Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation Ethernet Service Type Standard My Login N A My Password N A Login Server IP N A IP Address Assignment Dynamic IP Address N A IP Subnet Mask N A Gateway IP Address N A Networ...

Page 105: ...anced Example 2 Internet access with an inside server Figure 44 NAT Example 2 In this case you do exactly as shown in Figure 44 use the convenient pre configured SUA Only set and also go to menu 15 2 to specify the Inside Server behind the NAT as shown in Figure 45 BCM50e Integrated Router ...

Page 106: ...e first inside FTP server for FTP traffic in both directions 1 1 mapping giving both local and global IP addresses 2 Map the second IGA to the second internal FTP server for FTP traffic in both directions 1 1 mapping giving both local and global IP addresses 3 Map the other outgoing LAN traffic to IGA3 Many 1 mapping 4 You also map your third IGA to the web server and mail server on the LAN If you...

Page 107: ...Enter 15 from the main menu 3 Enter 1 to configure the Address Mapping Sets 4 Enter 1 to begin configuring this new set Enter a Set Name choose the Edit Action and then enter 1 for the Select Rule field Press ENTER to confirm 5 Select Type as One to One direct mapping for packets going both ways and enter the local Start IP as 192 168 1 10 the IP address of FTP Server 1 the global Start IP as 10 1...

Page 108: ...hows how to configure the first rule Menu 11 1 2 Remote Node Network Layer Options IP Address Assignment Dynamic IP Address N A IP Subnet Mask N A Gateway IP Addr N A Network Address Translation Full Feature Metric N A Private N A RIP Direction None Version N A Enter here to CONFIRM or ESC to CANCEL ...

Page 109: ...9 BCM50e Integrated Router Configuration Advanced Figure 48 Example 3 Menu 15 1 1 1 Menu 15 1 1 1 Address Mapping Rule Type One to One Local IP Start 192 168 1 10 End N A Global IP Start 10 132 50 1 End N A Press ENTER to Confirm or ESC to Cancel ...

Page 110: ...5 from the main menu 9 Now enter 2 from this menu and configure it as shown in Example 3 Menu 15 2 Menu 15 1 1 Address Mapping Rules Set Name Example3 Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 192 168 1 10 10 132 50 1 1 1 2 192 168 1 11 10 132 50 2 1 1 3 0 0 0 0 255 255 255 255 10 132 50 3 M 1 4 10 132 50 3 Server 5 6 7 8 9 10 Action Edit Select Rule ...

Page 111: ... Menu 15 2 NAT Server Setup Default Server 0 0 0 0 Rule Act Start Port End Port IP Address 001 Yes 80 80 192 168 1 21 002 Yes 25 25 192 168 1 20 003 No 0 0 0 0 0 0 004 No 0 0 0 0 0 0 005 No 0 0 0 0 0 0 006 No 0 0 0 0 0 0 007 No 0 0 0 0 0 0 008 No 0 0 0 0 0 0 009 No 0 0 0 0 0 0 010 No 0 0 0 0 0 0 Select Command None Select Rule N A Press ENTER to Confirm or ESC to Cancel Note Only one LAN computer ...

Page 112: ...Table 26 Menu 15 3 Trigger Port setup description Field Description Example Rule This is the rule index number 1 Name Enter a unique name for identification purposes You can enter up to 15 characters in this field All characters are permitted including spaces Real Audio Incoming Incoming is a port or a range of ports that a server on the WAN uses when it sends out a particular service The Business...

Page 113: ...ss Secure Router to record the IP address of the LAN computer that sent the traffic to a server on the WAN Start Port Enter a port number or the starting port number in a range of port numbers 7070 End Port Enter a port number or the ending port number in a range of port numbers 7070 Press ENTER at the message Press ENTER to Confirm to save your configuration or press ESC at any time to cancel Tab...

Page 114: ...114 Chapter 9 Network Address Translation NAT N0115789 ...

Page 115: ...reen shown in Figure 52 Figure 52 Menu 21 Filter and Firewall Setup Activating the firewall Enter option 2 in this menu to bring up the screen shown in Figure 53 Press SPACE BAR and then ENTER to select Yes in the Active field to activate the firewall The firewall must be active to protect against Denial of Service DoS attacks Use the WebGUI to configure firewall rules Menu 21 Filter and Firewall ...

Page 116: ...vulnerable to attacks when the firewall is turned off Refer to the User s Guide for details about the firewall default policies You may define additional Policy rules or modify existing ones but please exercise extreme caution in doing so Active Yes You can use the WebGUI to configure the firewall Press ENTER to Confirm or ESC to Cancel Note Configure the firewall rules using the WebGUI or CLI com...

Page 117: ...ubdivided into device and protocol filters Data filtering screens the data to determine if the packet is allowed to pass Data filters are divided into incoming and outgoing filters depending on the direction of the packet relative to a port Data filtering can be applied on either the WAN side or the LAN side Call filtering is used to determine if a packet is allowed to trigger a call Remote node c...

Page 118: ... filter set having up to six rules you can have a maximum of 24 rules active for a single port Sets of factory default filter rules are configured in menu 21 to prevent NetBIOS traffic from triggering calls and to prevent incoming Telnet sessions A summary of their filter rules is shown in the figures that follow Figure 55 illustrates the logic flow when executing a filter rule Also see Figure 59 ...

Page 119: ...of packets With each filter set having up to six rules you can have a maximum of 24 rules active for a single port Start Fetch First Filter Set Fetch First Filter Rule Active Execute Filter Rule Fetch Next Filter Rule Next filter Rule Available Fetch Next Filter Set Next Filter Set Available Accept Packet Drop Packet Yes No Yes No Yes Packet into filter Filter Set Forward Drop No Check Next Rule ...

Page 120: ...cludes filtering for NetBIOS over TCP IP packets by default To configure another filter set follow the procedure below 1 Enter 21 in the main menu to open menu 21 Figure 56 Menu 21 Filter and Firewall Setup Menu 21 Filter and Firewall Setup 1 Filter Setup 2 Firewall Setup Enter Menu Selection Number ...

Page 121: ...r Rules Summary The screen shown in Figure 58 shows the summary of the existing rules in the filter set Table 27 and Table 28 contain a brief description of the abbreviations used in the previous menus Menu 21 1 Filter Set Configuration Filter Filter Set Comments Set Comments 1 _______________ 7 _______________ 2 _______________ 8 _______________ 3 _______________ 9 _______________ 4 _____________...

Page 122: ...n is complete N means there are no more rules to check You can specify an action to be taken for example forward the packet drop the packet or check the next rule For the latter the next rule is independent of the rule just checked m Action Matched F means to forward the packet immediately and skip checking the remaining rules D means to drop the packet N means to check the next rule n Action Not ...

Page 123: ...ate When applying the filter sets to a port separate menu fields are provided for protocol and device filter sets If you include a protocol filter set in a device filter field or vice versa the Business Secure Router warns you and prevents you from saving Configuring a TCP IP Filter Rule This section shows you how to configure a TCP IP filter rule Using TCP IP rules you can base the rule on the fi...

Page 124: ...ss ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Table 29 TCP IP Filter Rule Menu fields Field Description Options Active Press SPACE BAR and then ENTER to select Yes to activate the filter rule or No to deactivate it Yes No IP Protocol Protocol refers to the upper layer protocol for example TCP is 6 UDP is 17 and ICMP is 1 Type a value between 0 and 255 A value of 0 matches ANY prot...

Page 125: ... the IP mask to apply to the Source IP Addr 0 0 0 0 Port Enter the source port of the packets that you wish to filter The range of this field is 0 to 65 535 This field is ignored if it is 0 0 65535 Port Comp Press SPACE BAR and then ENTER to select the comparison to apply to the source port in the packet against the value given in Source Port None Less Greater Equal Not Equal TCP Estab This field ...

Page 126: ...ogged None Action Matched Action Not Matched Both Action Matched Press SPACE BAR and then ENTER to select the action for a matching packet Check Next Rule Forward Drop Action Not Matched Press SPACE BAR and then ENTER to select the action for a packet not matching the rule Check Next Rule Forward Drop After you configure Menu 21 1 1 1 TCP IP Filter Rule press ENTER at the message Press ENTER to Co...

Page 127: ...ction Matched Action Not Matched More No Filter Active Check IP Protocol Drop Drop Packet Accept Packet Drop Forward Check Next Rule Check Next Rule Check Next Rule Forward Not Matched Yes No Check Src IP Addr Apply SrcAddrMask to Src Addr Matched Check Dest IP Addr Apply DestAddrMask to Dest Addr Not Matched Not Matched Check Src Dest Port Matched Not Matched ...

Page 128: ... portion before comparing the result against the Value to determine a match The Mask and Value are specified in hexadecimal numbers Note that it takes two hexadecimal digits to represent a byte so if the length is 4 the value in either field will take 8 digits for example FFFFFFFF To configure a generic rule select Generic Filter Rule in the Filter Type field in menu 21 1 4 1 and press ENTER to op...

Page 129: ...to compare The range for this field is from 0 to 255 0 255 Length Enter the byte count of the data portion in the packet that you wish to compare The range for this field is 0 to 8 0 8 Mask Enter the mask in Hexadecimal notation to apply to the data portion before comparison Value Enter the value in Hexadecimal notation to compare with the data portion More If Yes a matching packet is passed to th...

Page 130: ...1 Filter and Firewall Setup 2 Enter 1 to open Menu 21 1 Filter Set Configuration Action Not Matched Select the action for a packet not matching the rule Check Next Rule Forward Drop After you complete filling in Menu 21 1 1 1 Generic Filter Rule press ENTER at the message Press ENTER to Confirm to save your configuration or press ESC to cancel This data is now be displayed on Menu 21 1 1 Filter Ru...

Page 131: ...ly one filter rule in this set The screen shows you that you have configured and activated A Y a TCP IP filter rule Type IP Pr 6 for destination Telnet ports DP 23 M N means an action can be taken immediately The action is to drop the packet m D if the action is matched and to forward the packet immediately n F if the action is not matched whether or not there are more rules to be checked there ar...

Page 132: ...ode Profile 3 Go to the Edit Filter Sets field press SPACE BAR to select Yes and press ENTER 4 This brings you to menu 11 1 4 Apply a filter set our example is filter set 3 as shown in Figure 66 5 After you enter the set numbers press ENTER to confirm and leave menu 11 1 4 Menu 21 1 3 Filter Rules Summary A Type Filter Rules M m n 1 Y IP Pr 6 SA 0 0 0 0 DA 0 0 0 0 DP 23 N D F 2 N 3 N 4 N 5 N 6 N E...

Page 133: ...he exact address and port on the wire Therefore the Business Secure Router applies the protocol filters to the native IP address and port number before NAT for outgoing packets and after NAT for incoming packets On the other hand the generic or device filters are applied to the raw packets that appear on the wire They are applied at the point when the Business Secure Router is receiving and sendin...

Page 134: ...can choose up to four filter sets from twelve by entering their numbers separated by commas for example 3 4 6 11 Input filter sets filter incoming traffic to the Business Secure Router and output filter sets filter outgoing traffic from the Business Secure Router For PPPoE or PPTP encapsulation you have the additional option of specifying remote node call filter sets Figure 65 Filtering LAN Traffi...

Page 135: ...appropriate You can cascade up to four filter sets by entering their numbers separated by commas The Business Secure Router already has filters to prevent NetBIOS traffic from triggering calls and to block incoming Telnet FTP and HTTP connections Figure 66 Filtering Remote Node Traffic Menu 11 1 4 Remote Node Filter Setup Input Filter Sets protocol filters device filters Output Filter Sets protoco...

Page 136: ...136 Chapter 11 Filter configuration N0115789 ...

Page 137: ...he main menu to display Menu 22 SNMP Configuration as shown next The community for Get Set and Trap fields is SNMP terminology for password Figure 67 Menu 22 SNMP Configuration Note SNMP is only available if TCP IP is configured Menu 22 SNMP Configuration SNMP Get Community Set Community Trusted Host 0 0 0 0 Trap Community Destination 0 0 0 0 Press ENTER to Confirm or ESC to Cancel ...

Page 138: ...this address A blank default field means your Business Secure Router will respond to all SNMP messages it receives regardless of source 0 0 0 0 Trap Community Type the Trap community which is the password sent with each trap to the SNMP manager Public Destination Type the IP address of the station to send your SNMP traps to 0 0 0 0 After you complete this menu press ENTER at the prompt Press ENTER...

Page 139: ...e system is going to restart warm start 6a For intentional reboot A trap is sent with the message System reboot by user if reboot is done intentionally for example download new files CI command sys reboot and others 6b For fatal error A trap is sent with the message of the fatal code if the system reboots because of fatal errors Table 32 SNMP Traps Trap Trap Name Description ...

Page 140: ...140 Chapter 12 SNMP Configuration N0115789 ...

Page 141: ...server and 802 1x in this menu System password Figure 68 Menu 23 System security Nortel recommends you change the default password If you forget your password you have to restore the default configuration file For more information see Restoring the factory default configuration settings in BCM50e Integrated Router Configuration Basics N0115788 Menu 23 System Security 1 Change Password 2 RADIUS Ser...

Page 142: ...stem Security RADIUS Server as shown in Figure 70 Figure 70 Menu 23 2 System Security RADIUS server Menu 23 System Security 1 Change Password 2 RADIUS Server 4 IEEE802 1x Enter Menu Selection Number Menu 23 2 System Security RADIUS Server Authentication Server Active No Server Address 0 0 0 0 Port 1812 Shared Secret Accounting Server Active No Server Address 0 0 0 0 Port 1813 Shared Secret Press E...

Page 143: ... not sent over the network This key must be the same on the external authentication server and Business Secure Router Accounting Server Active Press SPACE BAR to select Yes and press ENTER to enable user authentication through an external accounting server Server Address Enter the IP address of the external accounting server in dotted decimal notation Port The default port of the RADIUS server for...

Page 144: ...144 Chapter 13 System security N0115789 ...

Page 145: ... menus 24 1 to 24 4 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your Business Secure Router These tools include updates on system status port status and log and trace capabilities Select menu 24 in the main menu to open Menu 24 System Maintenance as shown in Figure 71 ...

Page 146: ...nt and number of packets received To get to the System Status 1 Enter number 24 to go to Menu 24 System Maintenance 2 In this menu enter 1 to open System Maintenance Status 3 There are three commands in Menu 24 1 System Maintenance Status Entering 1 drops the WAN connection 9 resets the counters and ESC takes you back to the previous screen Menu 24 System Maintenance 1 System Status 2 System Infor...

Page 147: ...9 00 00 02 0 0 0 0 0 0 0 0 Client LAN 00 13 49 00 00 01 192 168 1 1 255 255 255 0 Server System up Time 0 22 37 Name Routing IP RAS F W Version VBCM222_2 6 0 0 002b1 07 24 Press Command COMMANDS 1 Drop WAN 9 Reset Counters ESC Exit Table 34 System Maintenance Status Menu Fields Field Description Port Identifies a port WAN or LAN on the Business Secure Router Status Shows the port speed and duplex ...

Page 148: ...P address of the port listed on the left IP Mask The IP mask of the port listed on the left DHCP The DHCP setting of the port listed on the left System up Time The total time the Business Secure Router has been on RAS F W Version The release of firmware currently on the Business Secure Router and the date the release was created Name This is the Business Secure Router system name domain name assig...

Page 149: ...nsole Port Speed System Information System Information gives you information about your system as shown in Figure 75 More specifically it gives you information on your routing protocol Ethernet address and IP address Menu 24 2 System Information and Console Port Speed 1 System Information 2 Console Port Speed Please enter selection ...

Page 150: ...er system name domain name assigned in menu 1 For example System Name xxx Domain Name baboo mickey com Name xxx baboo mickey com Routing Refers to the routing protocol used RAS F W Version The release of firmware currently on the Business Secure Router and the date the release was created Ethernet Address Refers to the Ethernet MAC Media Access Control address of your Business Secure Router IP Add...

Page 151: ...ness Secure Router has a syslog facility for message logging and a trace function for viewing call triggering packets Figure 77 Menu 24 3 System Maintenance Log and Trace Syslog logging The Business Secure Router uses the syslog facility to log the CDR Call Detail Record and system messages to a syslog server Syslog and accounting can be configured in Menu 24 3 2 System Maintenance Syslog Logging ...

Page 152: ...C to Cancel Table 36 System Maintenance Menu Syslog Parameters Parameter Description Syslog Active Press SPACE BAR and then ENTER to turn syslog on or off Syslog Server IP Address Enter the IP Address of the server that logs the CDR Call Detail Record and system messages For example the syslog server Log Facility Press SPACE BAR and then ENTER to select a Local option Using the log facility you ca...

Page 153: ...192 168 102 2 RAS board 0 line 0 channel 0 call 1 C02 Call Terminated Packet triggered Message Format SdcmdSyslogSend SYSLOG_PKTTRI SYSLOG_NOTICE String String Packet trigger Protocol xx Data xxxxxxxxxx x Protocol 1 IP 2 IPX 3 IPXHC 4 BPDU 5 ATALK 6 IPNG Data We will send forty eight Hex characters to the server Jul 19 11 28 39 192 168 102 2 RAS Packet Trigger Protocol 1 Data 4500003c100100001f010...

Page 154: ... S04 R01mF Mar 03 11 59 20 202 132 155 97 RAS GEN 00a0c5f502fnord010080 S05 R01mF Mar 03 12 00 52 202 132 155 97 RAS GEN ffffffffffff0080 S05 R01mF Mar 03 12 00 57 202 132 155 97 RAS GEN 00a0c5f502010080 S05 R01mF Mar 03 12 01 06 202 132 155 97 RAS IP Src 192 168 1 33 Dst 202 132 155 93 TCP spo 01170 dpo 00021 S04 R01mF PPP Log Message Format SdcmdSyslogSend SYSLOG_PPPLOG SYSLOG_NOTICE String Stri...

Page 155: ...stination Address dpo Destination port empty means no destination port information prot Protocol TCP UDP ICMP IGMP GRE ESP rule a b where a means set number b means rule number Action nothing N block B forward F 08 01 2000 11 48 41 Local1 Notice 192 168 10 10 RAS FW 172 21 1 80 137 172 21 1 80 137 UDP default permit 2 0 B 08 01 2000 11 48 41 Local1 Notice 192 168 10 10 RAS FW 192 168 77 88 520 192...

Page 156: ... 0xFE 254 Protocol 0x06 TCP Header Checksum 0xFB20 64288 Source IP 0xC0A80101 192 168 1 1 Destination IP 0x00000000 0 0 0 0 TCP Header Source Port 0x0401 1025 Destination Port 0x000D 13 Sequence Number 0x05B8D000 95997952 Ack Number 0x00000000 0 Header Length 24 Flags 0x02 S Window Size 0x2000 8192 Checksum 0xE06A 57450 Urgent Ptr 0x0000 0 Options 0000 02 04 02 00 RAW DATA 0000 45 00 00 2C 00 02 0...

Page 157: ...DHCP is discussed in BCM50e Integrated Router Configuration Basics N0115788 The Business Secure Router can act either as a WAN DHCP client IP Address Assignment field in menu 4 or menu 11 1 2 is Dynamic and the Encapsulation field in menu 4 or menu 11 is Ethernet or None when you have a static IP Using the WAN Release and Renewal fields in menu 24 4 you can release or renew the assigned WAN IP add...

Page 158: ...ase your WAN DHCP settings WAN DHCP Renewal Enter 3 to renew your WAN DHCP settings Internet Setup Test This feature is only available for dial up connections using PPPoE or PPTP encapsulation Enter 4 to test the Internet setup You can also test the Internet setup in Menu 4 Internet Access Refer to Chapter 5 Internet access on page 61 for more details Reboot System Enter 11 to reboot the Business ...

Page 159: ...ized the Business Secure Router settings they can be saved back to your computer under a filename of your choosing The system firmware sometimes referred to as the ras file has a bin filename extension With many FTP and TFTP clients the filenames are similar to those seen next ftp put firmware bin ras This is a sample FTP session showing the transfer of the computer file firmware bin to the Busine...

Page 160: ... when prompted in the SMT menu to go into debug mode Backup configuration Using Option 5 from Menu 24 System Maintenance you can back up the current Business Secure Router configuration to your computer Backup is highly recommended once your Business Secure Router is functioning properly FTP is the preferred method for backing up your current configuration to your computer since it is faster Note ...

Page 161: ...rom transfers the configuration file on the Business Secure Router to your computer and renames it config rom See earlier in this chapter for more information on filename conventions 7 Enter quit to exit the ftp prompt Menu 24 5 System Maintenance Backup Configuration To transfer the configuration file to your workstation follow the procedure below 1 Launch the FTP client on your workstation 2 Typ...

Page 162: ... 226 File received OK ftp 16384 bytes sent in 1 10Seconds 297 89Kbytes sec ftp quit Table 39 General commands for GUI based FTP clients Command Description Host Address Enter the address of the host server Logon Type Anonymous This is when a user ID and password is automatically supplied to the server for anonymous access Anonymous logons will work only if your ISP or service administrator has ena...

Page 163: ...WAN although it can work To use TFTP your computer must have both Telnet and TFTP clients To back up the configuration file follow the procedure shown next 1 Use Telnet from your computer to connect to the Business Secure Router and log on Because TFTP does not have any security checks the Business Secure Router records the IP address of the Telnet client and accepts TFTP requests only from this a...

Page 164: ...r in GUI based TFTP clients Note Telnet connection must be active and the SMT must be in CI mode before and during the TFTP transfer For details on TFTP commands see TFTP command example on page 164 consult the documentation of your TFTP client program For UNIX use get to transfer from the Business Secure Router to the computer and binary to set binary transfer mode Table 40 General commands for G...

Page 165: ...tore unless you have a backup configuration file stored on disk FTP is the preferred method for restoring your current computer configuration to your Business Secure Router since FTP is faster note that you must wait for the system to automatically restart after the file transfer is complete Restore Using FTP For details about back up using FTP and TFTP refer to Backup configuration on page 160 Bi...

Page 166: ...xit the ftp prompt The Business Secure Router automatically restarts after a successful restore process Menu 24 6 System Maintenance Restore Configuration To transfer the firmware and configuration file to your workstation follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your Business Secure Router Then type nnadmin and SMT password as reques...

Page 167: ... 165 or by following the instructions in Menu 24 7 2 System Maintenance Upload System Configuration File Firmware file upload FTP is the preferred method for uploading the firmware and configuration To use this feature your computer must have an FTP client When you use Telnet to access the Business Secure Router the screens for uploading firmware and the configuration file using FTP appear ftp put...

Page 168: ...ation of your FTP client program For details on uploading system firmware using TFTP note that you must remain on this menu to upload system firmware using TFTP please see your manual Press ENTER to Exit Menu 24 7 2 System Maintenance Upload System Configuration File To upload the system configuration file follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the I...

Page 169: ... mode to binary 6 Use put to transfer files from the computer to the Business Secure Router for example put firmware bin ras transfers the firmware on your computer firmware bin to the Business Secure Router and renames it ras Similarly put config rom rom 0 transfers the configuration file on your computer config rom to the Business Secure Router and renames it rom 0 Likewise get rom 0 config rom ...

Page 170: ...are and the configuration file follow the procedure shown next 2 Use Telnet from your computer to connect to the Business Secure Router and log on Because TFTP does not have any security checks the Business Secure Router records the IP address of the Telnet client and accepts TFTP requests only from this address 3 Put the SMT in command interpreter CI mode by entering 8 in Menu 24 System Maintenan...

Page 171: ...ad command example on page 171 consult the documentation of your TFTP client program For UNIX use get to transfer from the Business Secure Router to the computer put to transfer from the computer to the Business Secure Router and binary to set binary transfer mode TFTP upload command example The following is an example TFTP command tftp i host put firmware bin ras where i specifies binary image tr...

Page 172: ...172 Chapter 15 Firmware and configuration file maintenance N0115789 ...

Page 173: ...ame functionality as the SMT while adding some low level setup and diagnostic functions Enter the CI from the SMT by selecting menu 24 8 Access can be by Telnet connection although some commands are only available with a serial connection See the included disk or www nortel com for more detailed information about CI commands Enter 8 from Menu 24 System Maintenance Note Use of undocumented commands...

Page 174: ...ed in angle brackets The optional fields in a command are enclosed in square brackets The symbol means or For example sys filter netbios config type on off Menu 24 System Maintenance 1 System Status 2 System Information and Console Port Speed 3 Log and Trace 4 Diagnostic 5 Backup Configuration 6 Restore Configuration 7 Firmware Update 8 Command Interpreter Mode 9 Call Control 10 Time and Date Sett...

Page 175: ...s 8021x Table 41 Valid commands Command Description sys The system commands display device information and configure device settings exit This command returns you to the SMT main menu ether This commands display Ethernet information and configure Ethernet settings ip This commands display IP information and configure IP settings ipsec This commands display IPSec information and configure IPSec set...

Page 176: ...e total outgoing call time exceeds the limit the current call is dropped and any future outgoing calls are blocked Call history chronicles preceding incoming and outgoing calls To access the call control menu select option 9 in menu 24 to go to Menu 24 9 System Maintenance Call Control as shown in Figure 91 Figure 91 Call Control Budget management Menu 24 9 1 shows the budget management statistics...

Page 177: ...mote node Menu 24 9 1 Budget Management Remote Node 1 ChangeMe 2 GUI Connection Time Total Budget No Budget No Budget Elapsed Time Total Period No Budget No Budget Reset Node 0 to update screen Table 42 Budget management Field Description Example Remote Node Enter the index number of the remote node you want to reset just one in this case 1 Connection Time Total Budget This is the total connection...

Page 178: ...ll Max Min Total Enter Entry to Delete 0 to exit Table 43 Call History Fields Field Description Phone Number The PPPoE service names are shown here Dir This shows whether the call is incoming or outgoing Rate This is the transfer rate of the call call This is the number of calls made to or received from that telephone number Max This is the length of time of the longest telephone call Min This is ...

Page 179: ...s Secure Router error logs and firewall logs Select menu 24 in the main menu to open Menu 24 System Maintenancet Figure 94 Menu 24 System Maintenance Enter 10 to go to Menu 24 10 System Maintenance Time and Date Setting to update the time and date settings of your Business Secure Router as shown in Figure 95 Menu 24 System Maintenance 1 System Status 2 System Information and Console Port Speed 3 L...

Page 180: ...Not all time servers support all protocols so check with your ISP or network administrator or use trial and error to find a protocol that works The main differences between the time protocols are the format Daytime RFC 867 format is the day month year time zone of the server Time RFC 868 format displays a 4 byte integer giving the total number of seconds since 1970 1 1 at 0 0 0 The default NTP RFC...

Page 181: ... Union on the last Sunday of March All of the time zones in the European Union start using Daylight Saving Time at the same moment 1 a m GMT or UTC So in the European Union select Mar Last Sun The time you type in the hr field depends on your time zone In Germany for instance type 02 because Germany s time zone is one hour ahead of GMT or UTC GMT 1 End Date mm nth week hr Configure the day and tim...

Page 182: ...Time The Business Secure Router resets the time in three instances After you make changes to and leave menu 24 10 After starting up the Business Secure Router starts up if a time server configured in menu 24 10 After starting the Business Secure Router in 24 hour intervals ...

Page 183: ...s Secure Router interface if any from which computers You can manage your Business Secure Router from a remote location via Internet WAN only ALL LAN and WAN LAN only Neither Disable To disable remote management of a service select Disable in the corresponding Server Access field Enter 11 from menu 24 to bring up Menu 24 11 Remote Management Control Note When you Choose WAN only or ALL LAN WAN you...

Page 184: ... Service Port 53 Access LAN only Secure Client IP 0 0 0 0 Press ENTER to Confirm or ESC to Cancel Table 45 Menu 24 11 Remote Management control Field Description Telnet Server FTP Server SSH Server HTTPS Server HTTP Server SNMP Service DNS Service Each of these read only labels denotes a service that you can use to remotely manage the Business Secure Router Port This field shows the port number fo...

Page 185: ... Web session is already running 6 There is a firewall rule that blocks remote management Certificate Press SPACE BAR and then ENTER to select the certificate that the Business Secure Router uses to identify itself The Business Secure Router is the SSL server and must always authenticate itself to the SSL client the computer that requests the HTTPS connection with the Business Secure Router Authent...

Page 186: ...186 Chapter 17 Remote Management N0115789 ...

Page 187: ... cassette recorder you can specify a time period for the VCR to record You can apply up to 4 schedule sets in Menu 11 1 Remote Node Profile From the main menu enter 26 to access Menu 26 Schedule Setup as shown in Figure 97 Figure 97 Menu 26 Schedule Setup Menu 26 Schedule Setup Schedule Schedule Set Name Set Name 1 AlwaysOn 7 _______________ 2 _______________ 8 _______________ 3 _______________ 9 ...

Page 188: ...dule sets for a remote node To set up a schedule set select the schedule set you want to setup from menu 26 1 12 and press ENTER to see Menu 26 1 Schedule Set Setup as shown in Figure 98 Figure 98 Menu 26 1 Schedule Set Setup Note To delete a schedule set enter the set number and press SPACE BAR and then ENTER or delete in the Edit Name field Menu 26 1 Schedule Set Setup Active Yes Start Date yyyy...

Page 189: ...w Often field above enter the date the set should activate here in year month date format 2000 01 01 Weekday Day If you selected Weekly in the How Often field above select the days when the set should activate and recur by going to that days and pressing SPACE BAR to select Yes After you complete this menu press ENTER to exit Yes No N A Start Time Enter the start time when you wish the schedule se...

Page 190: ...99 Figure 99 Applying Schedule Sets to a Remote Node PPPoE You can apply up to four schedule sets separated by commas for one remote node Change the schedule set numbers to your preferences Menu 11 1 Remote Node Profile Rem Node Name ChangeMe Route IP Active Yes Encapsulation Ethernet Edit IP No Service Type Standard Session Options Service Name N A Edit Filter Sets No Outgoing My Login N A My Pas...

Page 191: ...urchase of a third party TCP IP application package TCP IP is already installed on computers using Windows NT 2000 XP or Macintosh OS 7 and later operating systems After the appropriate TCP IP components are installed configure the TCP IP settings in order to communicate with your network If you manually assign IP information instead of using dynamic assignment make sure that your computers have I...

Page 192: ...P protocol and Client for Microsoft Networks If you need the adapter a In the Network window click Add b Select Adapter and click Add c Select the manufacturer and model of your network adapter and click OK If you need TCP IP a In the Network window click Add b Select Protocol and click Add c Select Microsoft from the list of manufacturers d Select TCP IP from the list of network protocols and cli...

Page 193: ...nges take effect Configuring 1 In the Network window Configuration tab select your network adapter s TCP IP entry and click Properties 2 Click the IP Address tab If your IP address is dynamic select Obtain an IP address automatically If you have a static IP address select Specify an IP address and type your information into the IP Address and Subnet Mask fields Figure 101 Windows 95 98 Me TCP IP p...

Page 194: ...y installed gateways If you have a gateway IP address type it in the New gateway field and click Add 5 Click OK to save and close the TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your Business Secure Router and restart your computer when prompted Verifying Settings 1 Click Start and then Run 2 In the Run window type winipcfg and click ...

Page 195: ...dvanced Windows 2000 NT XP 1 For Windows XP click Start Control Panel In Windows 2000 NT click Start Settings Control Panel Figure 103 Windows XP Start menu 2 For Windows XP click Network Connections For Windows 2000 NT click Network and Dial up Connections Figure 104 Windows XP Control Panel ...

Page 196: ...ght click Local Area Connection and then click Properties Figure 105 Windows XP Control Panel Network Connections Properties 4 Select Internet Protocol TCP IP under the General tab in Win XP and click Properties Figure 106 Windows XP Local Area Connection Properties ...

Page 197: ... fields Click Advanced Figure 107 Windows XP Advanced TCP IP settings 6 If you do not know your gateway IP address remove any previously installed gateways in the IP Settings tab and click OK Ë Do one or more of the following if you want to configure additional IP addresses In the IP Settings tab in IP addresses click Add In TCP IP Address type an IP address in IP address and a subnet mask in Subn...

Page 198: ...Protocol TCP IP Properties window the General tab in Windows XP Click Obtain DNS server address automatically if you do not know your DNS server IP addresses If you know your DNS server IP addresses click Use the following DNS server addresses and type them in the Preferred DNS server and Alternate DNS server fields If you have previously configured DNS servers click Advanced and then the DNS tab ...

Page 199: ...ngs 1 Click Start All Programs Accessories and then Command Prompt 2 In the Command Prompt window type ipconfig and press ENTER You can also open Network Connections right click a network connection click Status and then click the Support tab Macintosh OS 8 9 1 Click the Apple menu Control Panel and double click TCP IP to open the TCP IP Control Panel Figure 109 Macintosh OS 8 9 Apple Menu ...

Page 200: ...the following From the Configure box select Manually Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your Business Secure Router in the Router address box 5 Close the TCP IP Control Panel 6 Click Save if prompted to save changes to your configuration 7 Turn on your Business Secure Router and restart your computer if prompted Verifying ...

Page 201: ...ck System Preferences to open the System Preferences window Figure 111 Macintosh OS X Apple menu 2 Click Network in the icon bar Select Automatic from the Location list Select Built in Ethernet from the Show list Click the TCP IP tab 3 For dynamically assigned settings select Using DHCP from the Configure list Figure 112 Macintosh OS X Network ...

Page 202: ...y Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your Business Secure Router in the Router address box 5 Click Apply Now and close the window 6 Turn on your Business Secure Router and restart your computer if prompted Verifying settings Check your TCP IP properties in the Network window ...

Page 203: ...than one connection to the Internet through one or more ISPs If an alternate gateway is on the LAN and its IP address is in the same subnet as the Business Secure Router LAN IP address the triangle route also called asymmetrical route problem can occur The steps below describe the triangle route problem A traffic route is a path for sending or receiving data packets between two Ethernet devices So...

Page 204: ...owledged Figure 114 Triangle Route Problem The Triangle Route Solutions IP aliasing Using IP alias you can partition your network into logical sections over the same Ethernet interface Your Business Secure Router supports up to three logical LAN interfaces with the Business Secure Router being the gateway for each logical network By putting your LAN and Gateway B in different subnets all returning...

Page 205: ...Advanced 2 The Business Secure Router reroutes the packet to Gateway B which is in Subnet 2 3 The reply from WAN goes to the Business Secure Router 4 The Business Secure Router ends the response to the computer in Subnet 1 Figure 115 IP Alias BCM50e Integrated Router WAN ...

Page 206: ...206 Appendix B Triangle Route N0115789 ...

Page 207: ...s Import Business Secure Router certificates into Netscape Navigator In Netscape Navigator you can permanently trust the Business Secure Router server certificate by importing it into your operating system as a trusted certification authority Select Accept This Certificate Permanently in Figure 116 to do this Figure 116 Security Certificate ...

Page 208: ...fication authority To have Internet Explorer trust a Business Secure Router certificate issued by a certificate authority import the certificate authority s certificate into your operating system as a trusted certification authority The following example procedure shows how to import the Business Secure Router s self signed server certificate into your operating system as a trusted certification a...

Page 209: ...ndix C Importing certificates 209 BCM50e Integrated Router Configuration Advanced 2 Click Install Certificate to open the Install Certificate wizard Figure 118 Certificate General Information before Import ...

Page 210: ...210 Appendix C Importing certificates N0115789 3 Click Next to begin the Install Certificate wizard Figure 119 Certificate Import Wizard 1 ...

Page 211: ...Appendix C Importing certificates 211 BCM50e Integrated Router Configuration Advanced 4 Select where you want to store the certificate and click Next Figure 120 Certificate Import Wizard 2 ...

Page 212: ...certificates N0115789 5 Click Finish to complete the Import Certificate wizard Figure 121 Certificate Import Wizard 3 6 Click Yes to add the Business Secure Router certificate to the root store Figure 122 Root Certificate Store ...

Page 213: ...rtificates is selected on the Business Secure Router You must have imported at least one trusted CA to the Business Secure Router in order for the Authenticate Client Certificates to be active see Certificates in BCM50e Integrated Router Configuration Basics N0115788 for details Apply for a certificate from a Certification Authority CA that is trusted by the Business Secure Router see the Business...

Page 214: ...ing certificates N0115789 Figure 124 Business Secure Router Trusted CA screen The CA sends you a package containing the CA s trusted certificate your personal certificates and a password to install the personal certificates ...

Page 215: ...o the one shown in Figure 125 Figure 125 CA certificate example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix Installing your personal certificates You need a password in advance The CA can issue the password or you can specify it during the enrollment Double click the personal certificate given to you by the CA to produce a screen similar to Figure 126 ...

Page 216: ...216 Appendix C Importing certificates N0115789 1 Click Next to begin the wizard Figure 126 Personal certificate import wizard 1 ...

Page 217: ...ated Router Configuration Advanced 2 The file name and path of the certificate you double clicked automatically appears in the File name text box Click Browse if you wish to import a different certificate Figure 127 Personal certificate import wizard 2 ...

Page 218: ...218 Appendix C Importing certificates N0115789 3 Enter the password given to you by the CA Figure 128 Personal certificate import wizard 3 ...

Page 219: ...ated Router Configuration Advanced 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location Figure 129 Personal certificate import wizard 4 ...

Page 220: ...inish to complete the wizard and begin the import process Figure 130 Personal certificate import wizard 5 6 Figure 131 shows the screen that appears when the certificate is correctly installed on your computer Figure 131 Personal certificate import wizard 6 ...

Page 221: ...S 1 Enter https Business Secure Router IP Address in your browser s web address field Figure 132 Access the Business Secure Router via HTTPS 2 When Authenticate Client Certificates is selected on the Business Secure Router you are asked to select a personal certificate to send to the Business Secure Router This screen displays even if you only have a single certificate as shown in Figure 133 Figur...

Page 222: ...222 Appendix C Importing certificates N0115789 3 The Business Secure Router login screen appears Figure 134 Business Secure Router secure login screen ...

Page 223: ... in a manner similar to dial up services using PPP Benefits of PPPoE PPPoE offers the following benefits It provides you with a familiar dial up networking DUN user interface It lessens the burden on the carriers of provisioning virtual circuits all the way to the ISP on multiple switches for thousands of users For GSTN PSTN and ISDN the switching fabric is already in place It allows the ISP to us...

Page 224: ... tunnels the PPP frames to the ISP The L2TP tunnel is capable of carrying multiple PPP sessions With PPPoE the VC Virtual Circuit is equivalent to the dial up connection and is between the modem and the AC as opposed to all the way to the ISP However the PPP negotiation is between the PC and the ISP Business Secure Router as a PPPoE client When using the Business Secure Router as a PPPoE client th...

Page 225: ...Appendix D PPPoE 225 BCM50e Integrated Router Configuration Advanced Figure 136 Business Secure Router as a PPPoE Client BCM50e Integrated Router ...

Page 226: ...226 Appendix D PPPoE N0115789 ...

Page 227: ...n is to build PPTP into the ANT ADSL Network Termination where PPTP is used only over the short haul between the PC and the modem over Ethernet For the rest of the connection the PPP frames are transported with PPP over AAL5 RFC 2364 The PPP connection however is still between the PC and the ISP The various connections in this setup are depicted in the following diagram The drawback of this soluti...

Page 228: ...PPTP packets to the server In the case above as the remote PPTP Client initializes the PPTP connection the user must configure the PPTP clients The Business Secure Router initializes the PPTP connection hence there is no need to configure the remote PPTP clients Figure 138 Business Secure Router as a PPTP client PPTP protocol overview PPTP is very similar to L2TP since L2TP is based on both PPTP a...

Page 229: ... Microsoft s implementation the PC and hence the Business Secure Router is the PNS that requests the PAC the ANT to place an outgoing call over AAL5 to an RFC 2364 server Control and PPP connections Each PPTP session has distinct control connection and PPP data connection Call connection The control connection runs over TCP Similar to L2TP a tunnel control connection is first established before ca...

Page 230: ...ge exchange between PC and an ANT PPP data connection The PPP frames are tunneled between the PNS and PAC over GRE General Routing Encapsulation RFC 1701 1702 The individual calls within a tunnel are distinguished using the Call ID field in the GRE header ...

Page 231: ...V 1200 mA MTBF 389 921 hrs Mean Time Between Failures Operation Temperature 0º C 40º C Ethernet Specification for WAN 10 100Mb s Half Full autonegotiation Ethernet Specification for LAN VPN Ports 10 100Mb s Half Full autonegotiation autosensing WAN LAN Ethernet Cable Pin Layout Straight Through Crossover Switch 1 IRD Adapter 1 OTD Switch 1 IRD Switch 1 IRD 2 IRD 2 OTD 2 IRD 2 IRD 3 OTD 3 IRD 3 OTD...

Page 232: ...232 Appendix F N0115789 ...

Page 233: ...ass A addresses have a 0 in the left most bit In a class A address the first octet is the network number and the remaining three octets make up the host ID Class B addresses have a 1 in the left most bit and a 0 in the next left most bit In a class B address the first two octets make up the network number and the two remaining octets make up the host ID Class C addresses begin starting from the le...

Page 234: ...d range of 128 to 191 The first octet of a class C address begins with 110 and therefore has a range of 192 to 223 Table 48 Classes of IP addresses IP Address Octet 1 Octet 2 Octet 3 Octet 4 Class A 0 Network number Host ID Host ID Host ID Class B 10 Network number Network number Host ID Host ID Class C 110 Network number Network number Network number Host ID Note Host IDs of all zeros or all ones...

Page 235: ...nored For example a class C address no longer has to have 24 bits of network number and 8 bits of host ID With subnetting some of the host ID bits are converted into network number bits By convention subnet masks always consist of a continuous sequence of ones beginning from the left most bit of the mask followed by a continuous sequence of zeros for a total number of 32 bits Since the mask is alw...

Page 236: ...octets of the address make up the network number class C You want to have two separate networks Table 51 Alternative Subnet Mask Notation Subnet mask IP address Subnet mask 1 Bits Last octet bit value 255 255 255 0 24 0000 0000 255 255 255 128 25 1000 0000 255 255 255 192 26 1100 0000 255 255 255 224 27 1110 0000 255 255 255 240 28 1111 0000 255 255 255 248 29 1111 1000 255 255 255 252 30 1111 110...

Page 237: ... bit values indicate host ID bits borrowed to form network ID bits The number of borrowed host ID bits determines the number of subnets you can have The remaining number of host ID bits after borrowing determines the number of hosts you can have on each subnet Table 52 Subnet 1 Network number Last Octet bit value IP Address 192 168 1 0 IP Address Binary 11000000 10101000 00000001 00000000 Subnet M...

Page 238: ...mbinations of 00 01 10 and 11 The subnet mask is 26 bits 11111111 11111111 11111111 11000000 or 255 255 255 192 Each subnet contains 6 host ID bits giving 26 2 or 62 hosts for each subnet all 0s is the subnet itself all 1s is the broadcast address on the subnet Table 54 Subnet 1 Network number Last octet bit value IP Address 192 168 1 0 IP Address Binary 11000000 10101000 00000001 00000000 Subnet ...

Page 239: ... 11000000 Subnet Address 192 168 1 128 Lowest Host ID 192 168 1 129 Broadcast Address 192 168 1 191 Highest Host ID 192 168 1 190 Table 57 Subnet 4 Network number Last Octet Bit Value IP Address 192 168 1 192 IP Address Binary 11000000 10101000 00000001 11000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 192 Lowest Host ID 192 168 1 193 Broadcast Address 192 16...

Page 240: ...y for class B subnet planning 7 192 193 222 223 8 224 225 254 255 Table 59 Class C subnet planning No Borrowed Host Bits Subnet Mask No Subnets No Hosts per Subnet 1 255 255 255 128 25 2 126 2 255 255 255 192 26 4 62 3 255 255 255 224 27 8 30 4 255 255 255 240 28 16 14 5 255 255 255 248 29 32 6 6 255 255 255 252 30 64 2 7 255 255 255 254 31 128 1 Table 60 Class B subnet planning No Borrowed Host B...

Page 241: ... 23 128 510 8 255 255 255 0 24 256 254 9 255 255 255 128 25 512 126 10 255 255 255 192 26 1 024 62 11 255 255 255 224 27 2 048 30 12 255 255 255 240 28 4 096 14 13 255 255 255 248 29 8 192 6 14 255 255 255 252 30 16 384 2 15 255 255 255 254 31 32 768 1 Table 60 Class B subnet planning No Borrowed Host Bits Subnet Mask No Subnets No Hosts per Subnet ...

Page 242: ...242 Appendix G IP subnetting N0115789 ...

Page 243: ...and keywords exactly as shown Do not abbreviate The required fields in a command are enclosed in angle brackets The optional fields in a command are enclosed in square brackets The symbol means or For example sys filter netbios config type on off means that you must specify the type of netbios filter and whether to turn it on or off Command usage A list of valid commands can be found by typing hel...

Page 244: ...rd countrycode countrycode Sets or displays the country code datetime date year month date Sets or displays the system s current date time hour min sec Sets or displays the system time period day Sets how often the Business Secure Router gets the date and time from the time server sync Gets the date and time from the time server domainname Displays the domain name that the device sends to the LAN ...

Page 245: ...e 1 log 2 alert 3 both Records the access control logs javablocked 0 none 1 log Records the java blocked logs mten 0 none 1 log Records the system maintenance logs packetfilter 0 none 1 log Records the packet filter logs ppp 0 none 1 log Records the PPP logs remote 0 none 1 log Records the remote management logs tcpreset 0 none 1 log Records the TCP reset logs upnp 0 none 1 log Records the UPnP lo...

Page 246: ...isplays the mail schedule schedule hour 0 23 Sets the hour to send logs schedule minute 0 59 Sets the minute to send the logs schedule policy 0 full 1 hourly 2 daily 3 weekly 4 none Sets the mail schedule policy schedule week 0 sun 1 mon 2 tue 3 wed 4 thu 5 fri 6 sat Sets the day of the week to send weekly logs server domainName IP Sets the domain name or IP address of the mail server to which the...

Page 247: ...ss switch bmlog 0 no 1 yes Turns the broadcast or multicast log on or off display Displays switch settings trilog 0 no 1 yes Turns triangle route logging on or off reboot 0 cold boot 1 immediate reboot 2 bootModule debug mode Restarts the device rn load entry no Loads remote node information disp entry no 0 working buffer Displays remote node information nat none sua full_feature Configures remote...

Page 248: ...dle timeout value tcpfin Sets the TCP FIN session idle timeout value udp Sets the UDP session idle timeout value gre Sets the GRE session idle timeout value esp Sets the ESP session idle timeout value ah Sets the AH session idle timeout value others Sets the idle timeout value for other sessions trcdisp parse brief disp Sets the level of detail that should be displayed parse displays the most deta...

Page 249: ...cket trace buffer channel name none incoming outgoing bothway Sets the packet trace direction for a given channel string on off Enables or disables the sending of a log to the trace packet buffer when configuration changes are made or displays the current setting if neither on off is specified switch on off Enables or disables packet trace or displays the current setting if neither on nor off is s...

Page 250: ...these commands to configure remote server management access telnet ftp web icmp snmp dns value Sets the server access type load Loads server information disp Displays server information port telnet ftp web snmp port Sets the server port save Saves server information secureip telnet ftp web icmp snmp dns ip Sets server secure IP address pwderrtm minute Sets or displays the password error blocking t...

Page 251: ...l block Owner filter netbios disp Displays the current NetBIOS filter modes config 0 Between LAN and WAN 3 IPSec Pass through 4 Trigger Dial on off Sets NetBIOS filters roadrunner debug level Enables or disables Road Runner service 0 disable default 1 enable display iface name Displays Road Runner information iface name enif0 wanif0 restart iface name Restarts Road Runner ddns debug level Enables ...

Page 252: ...fig Displays LAN configuration information driver cnt disp name Displays the Ethernet driver counters status ch_name Shows the LAN status version Displays the Ethernet device type edit load 1 LAN Loads Ethernet 1 LAN data from the System Parameters Table mtu value Sets the Ethernet data Maximum Transmission Unit accessblock 0 disable 1 enable Blocks Internet access speed auto 10 half 10 full 100 h...

Page 253: ... Disables or enables the alias for the specified interface arp status iface Displays an interface s IP Address Resolution Protocol status attpret on off Allows or disallows the device to receive ARP from a different network or not force on off Enables or disables the ARP timeout function dhcp iface client release Releases the DHCP client IP address renew Renews the DHCP client IP address status op...

Page 254: ...is command currently does not work icmp status Displays the ICMP statistics counter discovery iface on off Sets the ICMP router discovery flag ifconfig iface ipaddr broadcast addr mtu value dynamic Configures a network interface ping hostid Pings a remote host route status if Displays the routing table add dest_addr defaul t bits gateway metric Adds a route addiface dest_addr defaul t bits gateway...

Page 255: ...bles the RIP debug trace mode iface in mode Sets the Business Secure Router to use the RIP information it receives iface out mode Sets the Business Secure Router to broadcast its routing table dialin_user show in out both none Shows the dial in user RIP direction tcp status Displays the TCP statistic counters telnet host port Creates a Telnet connection to the specified host tftp support Displays ...

Page 256: ...es and keyword blocking display Displays the content filtering customize action flags actionFlags act 1 7 enable disable Sets the content filtering customize action flags logFlags type 1 3 enabl e disable Sets the content filtering customize log flags add string trust untrust keyword Adds a trusted Web site forbidden Web site or keyword blocking string delete string trust untrust keyword Deletes a...

Page 257: ...ng reports data url Records the most visited Web sites ip Records the LAN IP addresses that sent and received the most traffic srv Records the most heavily used protocols or service ports stroute display rule buf Displays the list of static routes or detailed information on a specified rule load rule Loads the specified static route rule into the buffer save Saves a rule from the buffer to the Sys...

Page 258: ...ace iface join group Adds an interface to a group iface leave group Removes an interface from a group iface query Sends an IGMP query on the specified interface iface rsptime time Sets the IGMP response time iface start Turns on IGMP on the specified interface iface stop Turns off IGMP on the specified interface iface ttl threshold Sets the IGMP Time To Live threshold iface v1compat on off Turns o...

Page 259: ...ommand Description debug type 0 Disable 1 Original on off 2 IKE on off 3 IPSec SPI on off 4 XAUTHon off 5 CERT on off 6 All Turns the trace for IPsec debug information on or off level 0 None 1 User 2 Low 3 High Sets the debug level The higher the number the more detailed display Shows debugging information including type and level switch on off As long as there is one active IPSec rule all packets...

Page 260: ...sconnects the tunnel show_runtime sa Displays runtime phase 1 and phase 2 SA information spd When a dynamic rule accepts a request and a tunnel is established a runtime SPD is created according to the peer s local IP address This command displays these runtime SPDs updatePeerIp Forces the system to immediately update IPSec rules that use a domain name as the secure gateway IP address display rule ...

Page 261: ...Sets the My IP Address peerIdType 0 IP 1 DNS 2 Email Sets the peer ID type peerIdContent content Sets the peer ID content secureGwAddr IP address Domain name Sets the secure gateway address authMethod 0 PreSharedKey 1 RSASignature Sets the authentication method certificate certificate name Specifies the certificate to use for authentication preShareKey ASCII 0xHEX Types 8 to 32 case sensitive ASCI...

Page 262: ...t Specifies whether the rule is for a branch office or Contivity Client VPN connection authOptions 0 Username Password 1 Group ID Password Sets the Business Secure Router to either send just the username and password to the remote Contivity VPN switch or a group ID and password as well onDemand on off Sets whether or not outgoing packets can automatically trigger a VPN connection to the remote Con...

Page 263: ...olicySave Saves the IP policy ipsecList Displays a summary of the IPSec phase 2 rules policyList Displays the IP policies policyDelete rule index Deletes the specified IP policy policyConfig Uses these commands to configure an IP policy for an IPSec office tunnel rule saIndex rule index Binds the IP policy to an IPSec rule active Yes No Turns the IP policy on or off lcAddrStart IP Sets the local s...

Page 264: ...P address or subnet mask swSkipOverlapIP on off Turn this option on to have the device allow rules with overlapping source and destination IP addresses adjTcpMss off auto user defined value Sets the adjust TCP Maximum Segment Size contivityDial Initiates the Contivity Client VPN connection contivityDrop Ends the Contivity Client VPN connection contivityState Displays information about the Contivit...

Page 265: ...s destEnd IP address Sets the exempt host s destination end IP address save Saves an exempt host btNatList Displays the branch tunnel NAT entries Table 66 Sys firewall commands Command Description acl disp Displays ACLs or a specific ACL set and rule active yes no Activates or deactivates firewall Enables or disables the firewall cnt disp Displays the firewall log type and count clear Clears the f...

Page 266: ...lays the status of the broadcast log triangle Sets if the firewall ignores triangle route packets on the LAN or WAN Table 67 Bandwidth management commands Command Description interface lan enable bandwidth xxx Enables bandwidth management BWM for traffic going out the LAN interface You can also specify the b s of bandwidth wrr prr Sets the queueing mechanism to fairness based WRR or priority based...

Page 267: ...n borrowing is turned on and vice versa del Deletes the class and its filter and all its children classes and their filters in LAN mod bandwidth xxx Modifies the parameters of the class in the LAN A bandwidth value is optional name xxx Sets the class name priority x Sets the class priority The range is between 0 the lowest to 7 the highest The priority is unchanged if you do not set a new value bo...

Page 268: ... add Daddr mask Dmask Dport Saddr mask Smask Sport protocol Adds a filter for class in LAN The filter contains destination address netmask destination port source address netmask source port and protocol Use 0 for items that you do not want the filter to include del Deletes the LAN filter that belongs to the specified LAN class wan add Daddr mask Dmask Dport Saddr mask Smask Sport protocol Adds a ...

Page 269: ...LAN class or all of the LAN classes if you do not specify one The first time you use the command turns it on the second time turns it off and so on wan Displays the bandwidth usage of the specified WAN class or all of the WAN classes if you do not specify one The first time you use the command turns it on the second time turns it off and so on moveFilter channName from to Changes the filter order ...

Page 270: ...tificate subject specifies a subject name required and alternative name required The format is subject name dn ip dns email value If the name contains spaces put it in quotes key size specifies the key size It has to be an integer from 512 to 2 048 The default is 1 024 bits create request name subject key size Creates a certificate request and saves it to the router for later manual enrollment nam...

Page 271: ...led certificate CA addr specifies the CA server address CA cert specifies the name of the CA certificate auth key specifies the id and key used for user authentication The format is id key To leave the id and key blank type subject specifies a subject name required and alternative name required The format is subject name dn ip dns email value If the name contains spaces put it in quotes key size s...

Page 272: ...e is saved as def_self_sign ed name Sets the specified self signed certificate as the default self signed certificate name specifies the name of the certificate to be set as the default self signed certificate If name is not specified the name of the current self signed certificate is displayed replace_facto ry Creates a certificate using your device MAC address that is specific to this device The...

Page 273: ... the CA certificate on off specifies whether or not the CA issues CRL If on off is not specified the current crl_issuer status of the CA is used remote_trusted import name Imports the PEM encoded certificate from stdin name specifies the name the imported remote host certificate is saved as export name Exports the PEM encoded certificate to stdout for the user to copy and paste name specifies the ...

Page 274: ...e name Deletes the specified directory service name specifies the name of the directory server to be deleted view name Views the specified directory service name specifies the name of the directory server to be viewed list Lists all directory service names and basic information rename old name new name Renames the specified directory service old name specifies the name of the directory server to b...

Page 275: ...hat enable a computer to connect to and communicate with a LAN For some dial up services such as PPPoE or PPTP NetBIOS packets cause unwanted calls You can configure NetBIOS filters to do the following Allow or disallow the sending of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN Allow or disallow the sending of NetBIOS packets through VPN connections Allow or disallow NetBIO...

Page 276: ... numbered 0 3 to configure NetBIOS Filter Status Between LAN and WAN Block IPSec Packets Forward Trigger Dial Disabled Table 69 NetBIOS filter default settings Name Description Example Between LAN and WAN This field displays whether NetBIOS packets are blocked or forwarded from the LAN to the WAN or from the WAN to the LAN Forward IPSec Packets This field displays whether NetBIOS packets sent thro...

Page 277: ... to block NetBIOS packets from being sent through a VPN connection Use off to allow NetBIOS packets to be sent through a VPN connection Example commands Command sys filter netbios config 0 on This command blocks LAN to WAN and WAN to LAN NetBIOS packets Command sys filter netbios config 1 off This command forwards WAN to LAN and WAN to LAN NetBIOS packets Command sys filter netbios config 3 on Thi...

Page 278: ...P address index index of pool where Use this command to specify the IP address that the Business Secure Router is to assign to the BCM50 interface Specify an interface on the device Currently you can use this command with the LAN interface enif0 ip IP address This is the IP address that you want to assign to the Nortel BCM50 index index of pool This is the number of an IP address in the Business S...

Page 279: ...m50ipreserve ip 11 12 13 10 Nortel BCM50 DHCP server options Use these commands to add site specific options to the DHCP server s offer messages that it sends to the BCM50 BCM50 DHCP server settings Syntax ip dhcp interface server m50dhcpmode 0 disable 1 IP phones only 2 All devices 3 automatic range start range end where interface Specify an interface on the device Currently you can use this comm...

Page 280: ...server will assign when enabled You can type the full IP addresses or just the last parts If you type part of an IP address the Business Secure Router combines it with the IP address assigned to the BCM50 customer LAN interface to form a range of IP addresses that are on the same subnet as the BCM50 customer LAN interface For example the Business Secure Router assigns the BCM50 an IP address of 11...

Page 281: ...nment Syntax ip dhcp interface server voipserver id 1 2 server IP port 1 65535 retry count 0 255 where interface Specify an interface on the device Currently you can use this command with the LAN interface enif0 0 1 Use 1 to have the Nortel BCM50 assign VoIP server DHCP option 128 and VLAN DHCP option 191 settings to Nortel s IP Telephone 2004 Use 0 to not have the Nortel BCM50 assign VoIP server ...

Page 282: ...ds the VoIP server information for both servers when it receives a DHCP request from Nortel s i2004 VoIP telephones VLAN ID assignment Syntax ip dhcp interface server vlanid none vlan id1 vlan id2 vlan id10 where Use this command to assign VLAN IDs to IP Telephone 2004 port 1 65535 This is the VoIP server s listening port 1 65535 retry count 0 255 This sets the number of times 0 255 the i2004 can ...

Page 283: ...Nortel WLAN Handsets 2210 2211 TFTP server IP address assignment Syntax ip dhcp interface server tftpserver none serverIP where Use this command to assign a TFTP server IP address to Nortel WLAN Handsets 2210 2211s The following example sets the Business Secure Router to assign a TFTP server IP address of 11 12 13 15 to WLAN Handsets 2210 2211 ip dhcp interface server tftpserver 11 12 13 15 interf...

Page 284: ...iness Secure Router to assign a WLAN Telephony Manager 2245 IP address of 11 12 13 16 to WLAN Handsets 2210 2211 ip dhcp interface server wlantelmanager 11 12 13 16 interface Specify an interface on the device Currently you can use this command with the LAN interface enif0 none serverIP Specify the address of a WLAN Telephony Manager 2245 for the Nortel WLAN Handsets 2210 2211 Use none if you do n...

Page 285: ...mation from the time server Time calibration failed The router failed to get information from the time server DHCP client gets s A DHCP client got a new IP address from the DHCP server DHCP client IP expired A DHCP client s IP address has expired DHCP server assigns s The DHCP server assigned an IP address to a client SMT Login Successfully Someone has logged on to the router s SMT interface SMT L...

Page 286: ...all Table 73 Content filtering logs Category Log Message Description URLFOR IP Domain Name The Business Secure Router allows access to this IP address or domain name and forwards traffic to the IP address or domain name URLBLK IP Domain Name The Business Secure Router blocked access to this IP address or domain name due to a forbidden keyword All web traffic is disabled except for trusted domains ...

Page 287: ...tack land OSPF The firewall detected an OSPF land attack land ICMP type d code d The firewall detected an ICMP land attack see the section on ICMP messages for type and code details ip spoofing WAN TCP The firewall detected a TCP IP spoofing attack on the WAN port ip spoofing WAN UDP The firewall detected an UDP IP spoofing attack on the WAN port ip spoofing WAN IGMP The firewall detected an IGMP ...

Page 288: ...IGMP The firewall detected an IGMP IP spoofing attack while the Business Secure Router did not have a default route ip spoofing no routing entry ESP The firewall detected an ESP IP spoofing attack while the Business Secure Router did not have a default route ip spoofing no routing entry GRE The firewall detected a GRE IP spoofing attack while the Business Secure Router did not have a default route...

Page 289: ... listed ACL set and the Business Secure Router blocked or forwarded it according to the ACL set s configuration Firewall default policy OSPF set d OSPF access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the ACL set s configuration Firewall default policy set d Access matched the default policy of the listed ACL set and the Bu...

Page 290: ...d not match the listed firewall rule and the Business Secure Router logged it Firewall rule NOT match ESP set d rule d ESP access did not match the listed firewall rule and the Business Secure Router logged it Firewall rule NOT match GRE set d rule d GRE ac access did not match the listed firewall rule and the Business Secure Router logged it Firewall rule NOT match OSPF set d rule d OSPF access d...

Page 291: ...e firewall detected a DoS attack and sent a TCP packet in response Firewall sent TCP reset packets The firewall sent out TCP reset packets Packet without a NAT table entry blocked The router blocked a packet that did not have a corresponding SUA NAT table entry Out of order TCP handshake packet blocked The router blocked a TCP handshake packet that came out of the proper order Drop unsupported out...

Page 292: ...Table 77 ICMP notes Type Code Description 0 Echo Reply 0 Echo reply message 3 Destination Unreachable 0 Net unreachable 1 Host unreachable 2 Protocol unreachable 3 Port unreachable 4 A packet that needed fragmentation was dropped because it was set to Don t Fragment DF 5 Source route failed 4 Source Quench 0 A gateway can discard internet datagrams if it does not have the buffer space needed to qu...

Page 293: ...t reassembly time exceeded 12 Parameter Problem 0 Pointer indicates the error 13 Timestamp 0 Timestamp request message 14 Timestamp Reply 0 Timestamp reply message 15 Information Request 0 Information request message 16 Information Reply 0 Information reply message Table 78 Sys log LOG MESSAGE DESCRIPTION Mon dd hr mm ss hostname src srcIP srcPort dst dstIP dstPort msg msg note note This message i...

Page 294: ... 003 01 Jan 08 02 22 Recv SA 004 01 Jan 08 02 24 Send KE NONCE 005 01 Jan 08 02 24 Recv KE NONCE 006 01 Jan 08 02 26 Send ID HASH 007 01 Jan 08 02 26 Recv ID HASH 008 01 Jan 08 02 26 Phase 1 IKE SA process done 009 01 Jan 08 02 26 Start Phase 2 Quick Mode 010 01 Jan 08 02 26 Send HASH SA NONCE ID ID 011 01 Jan 08 02 26 Recv HASH SA NONCE ID ID 012 01 Jan 08 02 26 Send HASH Clear IPSec Log y n ...

Page 295: ...ain Mode request from 192 168 100 100 002 01 Jan 08 08 07 Recv SA 003 01 Jan 08 08 08 Send SA 004 01 Jan 08 08 08 Recv KE NONCE 005 01 Jan 08 08 10 Send KE NONCE 006 01 Jan 08 08 10 Recv ID HASH 007 01 Jan 08 08 10 Send ID HASH 008 01 Jan 08 08 10 Phase 1 IKE SA process done 009 01 Jan 08 08 10 Recv HASH SA NONCE ID ID 010 01 Jan 08 08 10 Start Phase 2 Quick Mode 011 01 Jan 08 08 10 Send HASH SA N...

Page 296: ...e peer but it is still processing the first IKE packet from that peer No proposal chosen The parameters configured for Phase 1 or Phase 2 negotiations do not match Check all protocols and settings for these phases For example one party is using 3DES encryption but the other party is using DES encryption so the connection fails Verifying Local ID failed Verifying Remote ID failed During IKE Phase 2...

Page 297: ...ess The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router The log displays the IP address type and IP address of the incoming packet vs My Remote IP address The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router The log display...

Page 298: ... corresponds with the SPI of an inbound packet from the peer the packet is dropped Cannot find outbound SA for rule d The packet matches the rule index number d but Phase 1 or Phase 2 negotiation for outbound from the VPN initiator traffic is not finished yet Discard REPLAY packet If the Business Secure Router receives a packet with the wrong sequence number it discards it Inbound packet authentic...

Page 299: ...The SCEP online certificate enrollment was successful The Destination field records the certification authority server IP address and port Enrollment failed The SCEP online certificate enrollment failed The Destination field records the certification authority server s IP address and port Failed to resolve SCEP CA server url The SCEP online certificate enrollment failed because the certification a...

Page 300: ...address and port are recorded in the Source field Failed to decode the received user cert The router received a corrupted user certificate from the LDAP server whose address and port are recorded in the Source field Failed to decode the received CRL The router received a corrupted CRL Certificate Revocation List from the LDAP server whose address and port are recorded in the Source field Failed to...

Page 301: ... 9 Certificate decoding failed 10 Certificate was not found anywhere 11 Certificate chain looped did not find trusted root 12 Certificate contains critical extension that was not handled 13 Certificate issuer was not valid CA specific information missing 14 Not used 15 CRL is too old 16 CRL is not valid 17 CRL signature was not verified correctly 18 CRL was not found anywhere 19 CRL was not added ...

Page 302: ...ory followed by a log category and a parameter to decide what to record Use the sys logs save command to store the settings in the Business Secure Router you must do this in order to record logs Table 84 Log categories and available settings Log Categories Available Parameters access 0 1 2 3 attack 0 1 2 3 error 0 1 2 3 ike 0 1 2 3 ipsec 0 1 2 3 javablocked 0 1 2 3 mten 0 1 upnp 0 1 urlblocked 0 1...

Page 303: ...ord the access logs and alerts and then view the results ras sys logs load ras sys logs category access 3 ras sys logs save ras sys logs display access time source destination notes message 0 11 11 2002 15 10 12 172 22 3 80 137 172 22 255 255 137 ACCESS BLOCK Firewall default policy UDP set 8 1 11 11 2002 15 10 12 172 21 4 17 138 172 21 255 255 138 ACCESS BLOCK Firewall default policy UDP set 8 2 ...

Page 304: ...304 Appendix K Log descriptions N0115789 ...

Page 305: ... after the third time an incorrect password is entered Table 85 Brute force password guessing protection commands Command Description sys pwderrtm This command displays the brute force guessing password protection settings sys pwderrtm 0 This command turns off the password s protection from brute force guessing The brute force password guessing protection is turned off by default sys pwderrtm N Th...

Page 306: ...306 Appendix L Brute force password guessing protection N0115789 ...

Page 307: ...l 176 Call History 178 Call Scheduling 33 187 Maximum Number of Schedule Sets 187 PPPoE 190 Precedence 188 Precedence Example 188 Call Triggering Packet 155 Central Network Management 34 CHAP 72 Command Interpreter Mode 173 Community 137 Conditions that prevent TFTP and FTP from working over WAN 162 Connection ID Name 74 Console Port 148 149 151 Content Filtering 32 conventions text 23 copyright 2...

Page 308: ... 32 Activating 115 SMT Menus 115 FTP 185 FTP File Transfer 167 FTP Restrictions 162 185 FTP Server 36 107 Full Network Management 35 G Gateway IP Addr 76 Gateway IP Address 63 84 General Setup 45 H Hidden Menus 40 Host 49 Host IDs 234 HTTPS 32 I Idle Timeout 72 Incoming Protocol Filters 59 Initial Screen 39 Internet Access 61 ISP s Name 62 Internet Access Setup 61 62 90 Introduction to Filters 117...

Page 309: ...133 Applying NAT in the SMT Menus 89 Configuring 92 Examples 103 Ordering Rules 96 Network Address Translation 63 Network Address Translation NAT 34 89 O Offline 50 Operation Temperature 231 Outgoing Protocol Filters 59 P Packet Filtering 32 PAP 72 Password 40 43 62 63 137 Period hr 72 Ping 158 Port Forwarding 35 PPPoE 33 223 PPPoE Encapsulation 61 65 68 70 72 78 PPTP 227 Client 63 64 Configuring ...

Page 310: ...5 Subnetting 235 Syslog 151 152 Syslog IP Address 152 System Information 145 148 149 System Maintenance 145 146 147 148 150 151 152 157 158 160 163 170 173 176 178 180 System Management Terminal 40 System Name 46 System Status 146 T TCP IP 54 57 74 123 124 126 129 133 Setup 57 TCP IP and DHCP Setup 54 TCP IP filter rule 123 technical publications 24 text conventions 23 TFTP File Transfer 170 TFTP ...

Page 311: ...Index 311 BCM50e Integrated Router Configuration Advanced W WAN DHCP 157 158 WAN Setup 51 52 WebGUI 116 www dyndns org 50 ...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands