ZyXEL Communications P-662HW-63 User Manual Download Page 160 | Manualshive

Page: 160 / 561

background image

Prestige 662HW Series User’s Guide

Chapter 14 Firewall Configuration

160

2

What direction of traffic does the rule apply to (refer to the

Firewall Policies Overview

section)?

3

What IP services will be affected?

4

What computers on the LAN or DMZ are to be affected (if any)?

5

What computers on the Internet will be affected? The more specific, the better. For
example, if traffic is being allowed from the Internet to the LAN, it is better to allow only
certain machines on the Internet to access the LAN.

14.3.2 Security Ramifications

1

Once the logic of the rule has been defined, it is critical to consider the security
ramifications created by the rule:

2

Does this rule stop LAN users from accessing critical resources on the Internet? For
example, if IRC is blocked, are there users that require this service?

3

Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all
users, will a rule that blocks just certain users be more effective?

4

Does a rule that allows Internet users access to resources on the LAN create a security
vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the
LAN, Internet users may be able to connect to computers with running FTP servers.

5

Does this rule conflict with any existing rules?

6

Once these questions have been answered, adding rules is simply a matter of plugging the
information into the correct fields in the web configurator screens.

14.3.3 Key Fields For Configuring Rules

14.3.3.1 Action

Should the action be to

Block

or

Forward

?

14.3.3.2 Service

Select the service from the

Service

scrolling list box. If the service is not listed, it is necessary

to first define it. See the

Predefined Services

section

for more information on predefined

services.

14.3.3.3 Source Address

What is the connection’s source address; is it on the LAN, DMZ, WAN? Is it a single IP, a
range of IPs or a subnet?

Note:

“Block” means the firewall silently discards the packet.

«
...
158
159
160
161
162
...
»

Summary of Contents for P-662HW-63

Page 1: ...Prestige 662HW Series 802 11g Wireless ADSL2 4 Port Security Gateway User s Guide Version 3 40 August 2004...

Page 2: ...by ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does i...

Page 3: ...ence to radio communications If this equipment does cause harmful interference to radio television reception which can be determined by turning the equipment off and on the user is encouraged to try t...

Page 4: ...of the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose ZyXEL shall in no even...

Page 5: ...e 49 2405 6909 0 www zyxel de ZyXEL Deutschland GmbH Adenauerstr 20 A2 D 52146 Wuerselen Germany sales zyxel de 49 2405 6909 99 FRANCE info zyxel fr 33 0 4 72 52 97 97 www zyxel fr ZyXEL France 1 rue...

Page 6: ...Prestige 662HW Series User s Guide Customer Support 6...

Page 7: ...Prestige 662HW Series User s Guide 7 Customer Support...

Page 8: ...4 1 1 1 Features of the Prestige 45 1 1 2 Applications for the Prestige 50 1 1 2 1 Internet Access 51 1 1 3 Firewall for Secure Broadband Internet Access 51 1 1 3 1 LAN to LAN Application 51 1 1 4 Pre...

Page 9: ...e IP Addresses 64 3 2 2 Nailed Up Connection PPP 64 3 2 3 NAT 64 3 2 4 Internet Access Wizard Setup Second Screen 64 3 2 5 DHCP Setup 69 3 2 5 1 IP Pool Setup 69 3 2 6 Internet Access Wizard Setup Thi...

Page 10: ...1 2 Channel 90 8 1 3 ESS ID 91 8 1 4 RTS CTS 91 8 1 5 Fragmentation Threshold 92 8 2 Levels of Security 92 8 3 Data Encryption with WEP 93 8 4 Configuring Wireless LAN 93 8 5 Configuring MAC Filter 95...

Page 11: ...ings 124 9 13 Configuring Advanced Modem Setup 124 Chapter 10 Network Address Translation NAT Screens 128 10 1 NAT Overview 128 10 1 1 NAT Definitions 128 10 1 2 What NAT Does 129 10 1 3 How NAT Works...

Page 12: ...9 13 4 2 3 Traceroute 150 13 5 Stateful Inspection 150 13 5 1 Stateful Inspection Process 151 13 5 2 Stateful Inspection and the Prestige 152 13 5 3 TCP Security 152 13 5 4 UDP ICMP Security 153 13 5...

Page 13: ...s 177 14 12 2 1 TCP Maximum Incomplete and Blocking Time 177 Chapter 15 Content Filtering 180 15 1 Content Filtering Overview 180 15 2 Configuring Keyword Blocking 180 15 3 Configuring the Schedule 18...

Page 14: ...12 18 1 VPN Overview 212 18 1 1 IPSec 212 18 1 2 Security Association 212 18 1 3 Other Terminology 212 18 1 3 1 Encryption 212 18 1 3 2 Data Confidentiality 213 18 1 3 3 Data Integrity 213 18 1 3 4 Da...

Page 15: ...al Setting 241 19 17 Telecommuter VPN IPSec Examples 242 19 17 1 Telecommuters Sharing One VPN Rule Example 242 19 17 2 Telecommuters Using Unique VPN Rules Example 243 19 18 VPN and Remote Management...

Page 16: ...andwidth Management Example 272 23 5 Scheduler 272 23 5 1 Priority based Scheduler 273 23 5 2 Fairness based Scheduler 273 23 6 Maximize Bandwidth Usage 273 23 6 1 Reserving Bandwidth for Non Bandwidt...

Page 17: ...er 26 Menu 1 General Setup 302 26 1 General Setup 302 26 2 Procedure To Configure Menu 1 302 26 2 1 Procedure to Configure Dynamic DNS 303 Chapter 27 Menu 2 WAN Backup Setup 306 27 1 Introduction to W...

Page 18: ...2 3 Scenario 3 Multiple VCs 327 31 2 3 Outgoing Authentication Protocol 329 31 3 Remote Node Network Layer Options 330 31 3 1 My WAN Addr Sample IP Addresses 331 31 4 Remote Node Filter 332 31 5 Editi...

Page 19: ...on Programs 358 Chapter 35 Enabling the Firewall 360 35 1 Remote Management and the Firewall 360 35 2 Access Methods 360 35 3 Enabling the Firewall 360 Chapter 36 Filter Configuration 362 36 1 About F...

Page 20: ...s 396 40 2 Backup Configuration 397 40 2 1 Backup Configuration 397 40 2 2 Using the FTP Command from the Command Line 398 40 2 3 Example of FTP Commands from the Command Line 398 40 2 4 GUI based FTP...

Page 21: ...and Date Setting 414 41 3 1 Resetting the Time 416 Chapter 42 Remote Management 418 42 1 Remote Management Overview 418 42 2 Remote Management 418 42 2 1 Remote Management Setup 418 42 2 2 Remote Man...

Page 22: ...Internal SPTGEN FTP Upload Example 452 Chapter 48 Troubleshooting 454 48 1 Problems Starting Up the Prestige 454 48 2 Problems with the LAN LED 454 48 3 Problems with the DSL LED 455 48 4 Problems wi...

Page 23: ...Works 481 Prestige as a PPPoE Client 481 Appendix E Wireless LAN and IEEE 802 11 482 Benefits of a Wireless LAN 482 IEEE 802 11 482 Ad hoc Wireless LAN Configuration 483 Infrastructure Wireless LAN C...

Page 24: ...Your ZyXEL Device 495 Activating a Service 498 Appendix J Windows 98 Me Requirements for Anti Virus Packet Scan Message Display500 Appendix K Example Internal SPTGEN Screens 504 Command Examples 524...

Page 25: ...es User s Guide 25 Table of Contents Appendix P Boot Commands 536 Appendix Q Log Descriptions 538 Log Commands 550 Configuring What You Want the Prestige to Log 550 Displaying Logs 551 Log Command Exa...

Page 26: ...ess Wizard Setup Connection Tests 71 Figure 15 Media Bandwidth Mgnt Wizard Setup First Screen 74 Figure 16 Media Bandwidth Mgnt Wizard Setup Second Screen 75 Figure 17 Media Bandwidth Mgnt Wizard Setu...

Page 27: ...AN to WAN Traffic 161 Figure 59 WAN to LAN Traffic 162 Figure 60 Firewall Default Policy 163 Figure 61 Firewall Rule Summary 164 Figure 62 Firewall Edit Rule 166 Figure 63 Firewall Customized Services...

Page 28: ...SA 232 Figure 99 VPN IKE Advanced Setup 234 Figure 100 VPN Manual Key 237 Figure 101 VPN SA Monitor 240 Figure 102 VPN Global Setting 241 Figure 103 Telecommuters Sharing One VPN Rule Example 242 Figu...

Page 29: ...ssociation List 290 Figure 141 Diagnostic General 291 Figure 142 Diagnostic DSL Line 292 Figure 143 Firmware Upgrade 293 Figure 144 Network Temporarily Disconnected 294 Figure 145 Error Message 294 Fi...

Page 30: ...Internet Access 345 Figure 183 Applying NAT in Menus 4 11 3 345 Figure 184 Menu 15 NAT Setup 346 Figure 185 Menu 15 1 Address Mapping Sets 347 Figure 186 Menu 15 1 255 SUA Address Mapping Rules 347 F...

Page 31: ...6 Figure 230 Menu 24 1 System Maintenance Status 387 Figure 231 Menu 24 2 System Information and Console Port Speed 388 Figure 232 Menu 24 2 1 System Maintenance Information 389 Figure 233 Menu 24 2 2...

Page 32: ...Example of IP Policy Routing 428 Figure 271 IP Routing Policy Example 428 Figure 272 IP Routing Policy Example 429 Figure 273 Applying IP Policies Example 429 Figure 274 Menu 26 Schedule Setup 430 Fi...

Page 33: ...Challenge Authentication 487 Figure 309 Ideal Setup 490 Figure 310 Triangle Route Problem 490 Figure 311 IP Alias 491 Figure 312 Gateways on the WAN Side 491 Figure 313 myZyXEL com Login Screen 495 Fi...

Page 34: ...nd Screen 75 Table 13 Password 76 Table 14 LAN Setup 84 Table 15 LAN Static DHCP 85 Table 16 DMZ 87 Table 17 Wireless LAN 94 Table 18 MAC Address Filter 96 Table 19 Wireless Security Relational Matrix...

Page 35: ...neral Services 188 Table 57 Available Services 189 Table 58 Content Access Control General Web Site Filter 193 Table 59 Content Access Control General Diagnose 198 Table 60 Content Access Control User...

Page 36: ...Main Menu 298 Table 101 Main Menu Summary 299 Table 102 Menu 1 General Setup 303 Table 103 Menu 1 1 Configure Dynamic DNS 304 Table 104 Menu 2 WAN Backup Setup 306 Table 105 Menu 2 1Traffic Redirect...

Page 37: ...d FTP Clients 399 Table 142 General Commands for GUI based TFTP Clients 401 Table 143 Menu 24 9 1 System Maintenance Budget Management 414 Table 144 Menu 24 10 System Maintenance Time and Date Setting...

Page 38: ...Table 184 Menu 4 Internet Access Setup SMT Menu 4 508 Table 185 Menu 12 SMT Menu 12 509 Table 186 Menu 15 SUA Server Setup SMT Menu 15 513 Table 187 Menu 21 1 Filter Set 1 SMT Menu 21 1 515 Table 188...

Page 39: ...Prestige 662HW Series User s Guide 39 List of Tables Table 209 Syslog Logs 549 Table 210 RFC 2408 ISAKMP Payload Types 549...

Page 40: ...structions on getting started Web Configurator Online Help Embedded web help for descriptions of individual screens and supplementary information ZyXEL Glossary and Web Site Please refer to www zyxel...

Page 41: ...ck the Apple icon Control Panels and then Modem means first click the Apple icon then point your mouse pointer to Control Panels and then click Modem For brevity s sake we will use e g as a shorthand...

Page 42: ...upstream capacity Asymmetrical services ADSL are suitable for Internet users because more information is usually downloaded than uploaded For example a simple button click in a web browser can start...

Page 43: ...Prestige 662HW Series User s Guide 43 Introduction to DSL...

Page 44: ...included in this user s guide at the time of writing In the Prestige product name H denotes an integrated 4 port switch hub and W denotes an included wireless card The Prestige 662HW provide 802 11g...

Page 45: ...ect to the ISP you will be redirected to web screen s for information input or troubleshooting Any IP The Any IP feature allows a computer to access the Internet and the Prestige without changing the...

Page 46: ...This means an IEEE 802 11b radio card can interface directly with an IEEE 802 11g access point and vice versa at 11 Mbps or lower depending on range IEEE 802 11g has several intermediate rate steps b...

Page 47: ...d on an application and or subnet You can allocate specific amounts of bandwidth capacity bandwidth budgets to different bandwidth classes Universal Plug and Play UPnP Using the standard TCP IP protoc...

Page 48: ...omatically adjust to either a crossover or straight through Ethernet cable Dynamic DNS Support With Dynamic DNS support you can have a static hostname alias for a dynamic IP address allowing the host...

Page 49: ...estination address only and the router takes the shortest path to forward a packet IP Policy Routing IPPR provides a mechanism to override the default routing behavior and alter the packet forwarding...

Page 50: ...d Diagnostics Capabilities The Prestige can perform self diagnostic tests These tests check the integrity of the following circuitry FLASH memory ADSL circuitry RAM LAN port Packet Filters The Prestig...

Page 51: ...own below Figure 1 Prestige Internet Access Application Internet Single User Account For a SOHO Small Office Home Office environment your Prestige offers the Single User Account SUA feature that allow...

Page 52: ...ter 1 Getting To Know Your Prestige 52 Figure 3 Prestige LAN to LAN Application 1 1 4 Prestige Hardware Installation and Connection Refer to the Quick Start Guide for information on hardware installat...

Page 53: ...Prestige 662HW Series User s Guide 53 Chapter 1 Getting To Know Your Prestige...

Page 54: ...68 pixels 2 1 1 Accessing the Prestige Web Configurator 1 Make sure your Prestige hardware is properly connected refer to the Quick Start Guide 2 Prepare your computer computer network to connect to t...

Page 55: ...t access the web configurator you will need to use the RESET button at the back of the Prestige to reload the factory default configuration file This means that you will lose all configurations that y...

Page 56: ...pload firmware and back up restore or upload a configuration file Click Site Map to go to the Site Map screen Click Logout in the navigation panel when you have finished a Prestige management session...

Page 57: ...your Prestige Content Access Control General Use the screens to configure general settings and set up content access classes User Profiles Use the screens to set up user profiles Online Status Use thi...

Page 58: ...p you identify problems with the Prestige general connection DSL Line These screens display information to help you identify problems with the DSL line Firmware Use this screen to upload firmware to y...

Page 59: ...Prestige 662HW Series User s Guide 59 Chapter 2 Introducing the Web Configurator...

Page 60: ...r instance it encapsulates routed Ethernet frames into bridged ATM cells ENET ENCAP requires that you specify a gateway IP address in the ENET ENCAP Gateway field in the second wizard screen You can g...

Page 61: ...t for example VC1 carries IP etc VC based multiplexing may be dominant in environments where dynamic creation of large numbers of ATM VCs is fast and economical 3 1 2 2 LLC based Multiplexing In this...

Page 62: ...net account Otherwise select Bridge Encapsulation Select the encapsulation type your ISP uses from the Encapsulation drop down list box Choices vary depending on what you select in the Mode field If y...

Page 63: ...compute the subnet mask automatically based on the IP address that you entered You don t need to change the subnet mask computed by the Prestige unless you are instructed to do otherwise 3 2 1 IP Addr...

Page 64: ...lways up regardless of traffic demand The Prestige does two things when you specify a nailed up connection The first is that idle timeout is disabled The second is that the Prestige will try to bring...

Page 65: ...ain an IP Address Automatically if you have a dynamic IP address otherwise select Static IP Address and type your ISP assigned IP address in the text box below Connection Select Connect on Demand when...

Page 66: ...LABEL DESCRIPTION IP Address This field is available if you select Routing in the Mode field Type your ISP assigned IP address in this field Network Address Translation Select None SUA Only or Full F...

Page 67: ...dynamic IP address otherwise select Static IP Address and type your ISP assigned IP address in the IP Address text box below Subnet Mask Enter a subnet mask in dotted decimal notation Refer to the IP...

Page 68: ...P assigned IP address in the IP Address text box below Connection Select Connect on Demand when you don t want the connection up all the time and specify an idle time out in seconds in the Max Idle Ti...

Page 69: ...is pre configured with a pool of 32 IP addresses starting from 192 168 1 33 to 192 168 1 64 for the client machines This leaves 31 IP addresses 192 168 1 2 to 192 168 1 32 excluding the Prestige itse...

Page 70: ...se the new IP address if you want to access the web configurator again LAN Subnet Mask Enter a subnet mask in dotted decimal notation DHCP DHCP Server From the DHCP Server drop down list box select On...

Page 71: ...onnection Launch your web browser and navigate to www zyxel com Internet access is just the beginning Refer to the rest of this User s Guide for more detailed information on the complete range of Pres...

Page 72: ...affic to pass through the Prestige and be managed by bandwidth management Refer to Chapter 23 Media Bandwidth Management Advanced Setup for more information and advanced configuration 4 1 1 Predefined...

Page 73: ...or e mail POP3 port 110 IMAP port 143 SMTP port 25 HTTP port 80 eMule These programs use advanced file sharing applications relying on central servers to search for files They use default port 4662 WW...

Page 74: ...andwidth class in the second wizard screen Table 11 Media Bandwidth Mgnt Wizard Setup First Screen LABEL DESCRIPTION Active Select the Active check box to have the Prestige apply bandwidth management...

Page 75: ...width Mgnt Wizard Setup Second Screen LABEL DESCRIPTION Service These fields display the service s selected in the previous screen Priority Select High Mid or Low priority for each service to have you...

Page 76: ...ssword recommended click Password in the Site Map screen Figure 18 Password The following table describes the fields in this screen Table 13 Password LABEL DESCRIPTION Old Password Type the default pa...

Page 77: ...Prestige 662HW Series User s Guide 77 Chapter 5 Password Setup...

Page 78: ...a computer network limited to the immediate area usually the same building or floor of a building The LAN screens can help you configure a LAN DHCP server and manage IP addresses 6 1 1 LANs WANs and...

Page 79: ...n are not specified for instance left as 0 0 0 0 the Prestige tells the DHCP clients that it itself is the DNS server When a computer sends a DNS query to the Prestige the Prestige forwards the query...

Page 80: ...g Information Protocol allows a router to exchange routing information with other routers The RIP Direction field controls the sending and receiving of RIP packets When set to Both the Prestige will b...

Page 81: ...es all directly connected networks to gather group membership After that the Prestige periodically updates this information IP multicasting can be enabled disabled on the Prestige LAN and or WAN inter...

Page 82: ...omputer tries to access the Internet for the first time through the Prestige 1 When a computer which is in a different subnet first attempts to access the Internet it sends packets to its default gate...

Page 83: ...LAN Setup After all the routing information is updated the computer can access the Prestige and the Internet as if it is in the same subnet as the Prestige 6 6 Configuring LAN Click LAN and LAN Setup...

Page 84: ...subnet mask Secondary DNS Server As above Remote DHCP Server If Relay is selected in the DHCP field above then enter the IP address of the actual remote DHCP server here TCP IP IP Address Enter the IP...

Page 85: ...LAN then the Static DHCP tab The screen appears as shown Figure 22 LAN Static DHCP The following table describes the labels in this screen Table 15 LAN Static DHCP LABEL DESCRIPTION This is the index...

Page 86: ...ers can have access to host servers on the DMZ but no access to the LAN unless special filter rules allowing access were configured by the administrator or the user is an authorized remote user It is...

Page 87: ...he RIP information that it receives when set to None it will not send any RIP packets and will ignore any RIP packets received Both is the default RIP Version The RIP Version field controls the format...

Page 88: ...forwards NetBIOS traffic Clear this check box to block all NetBIOS packets going from the LAN to the DMZ and from the DMZ to the LAN Allow between DMZ and WAN Select this check box to forward NetBIOS...

Page 89: ...Prestige 662HW Series User s Guide 89 Chapter 7 DMZ...

Page 90: ...for details For other operating systems see its documentation If your operating system does not support IEEE 802 1X then you may need to install IEEE 802 1X client software An optional network RADIUS...

Page 91: ...at the same time collisions may occur when both sets of data arrive at the AP at the same time resulting in a loss of messages for both stations RTS CTS is designed to prevent collisions due to hidden...

Page 92: ...If the Fragmentation Threshold value is smaller than the RTS CTS value see previously you set then the RTS Request To Send CTS Clear to Send handshake will never occur as data frames will be fragmente...

Page 93: ...network communications private It encrypts unicast and multicast communications in a network Both the wireless stations and the access points must use the same WEP key for data encryption and decrypti...

Page 94: ...Wireless stations associating to the Prestige must have the same ESSID Enter a descriptive name up to 32 characters Hide ESSID Select Yes to hide the ESSID in so a station cannot obtain the ESSID thr...

Page 95: ...allow all wireless computers to communicate with the access points without any data encryption Select 64 bit WEP 128 bit WEP or 256 bit WEP to use data encryption Key 1 to Key 4 The WEP keys are used...

Page 96: ...the list of MAC addresses in the MAC Address table Select Deny Association to block access to the router MAC addresses not listed will be allowed to access the Prestige Select Allow Association to per...

Page 97: ...orization and accounting The access point is the client and the server is the RADIUS server The RADIUS server handles the following tasks Authentication Determines the identity of the users Authorizat...

Page 98: ...ed secret key which is a password they both know The key is not sent over the network In addition to the shared key password information exchanged is also encrypted to protect the network from unautho...

Page 99: ...ent As long as the passwords match a client will be granted access to a WLAN 8 7 2 Encryption WPA improves data encryption by using Temporal Key Integrity Protocol TKIP Message Integrity Check MIC and...

Page 100: ...sword 8 8 WPA PSK Application Example A WPA PSK application looks as follows 1 First enter identical passwords into the AP and all wireless clients The Pre Shared Key PSK must consist of between 8 and...

Page 101: ...ity Parameters Summary Refer to this table to see what other security parameters you should configure for each Authentication Method key management protocol type You enter manual keys by first selecti...

Page 102: ...ireless client However you must run Windows XP to use it 8 12 Configuring 802 1x and WPA To change your Prestige s authentication settings click the Wireless LAN link under Advanced Setup and then the...

Page 103: ...t box Choose from No Access Allowed No Authentication Required and Authentication Required No Access Allowed blocks all wireless stations access to the wired network No Authentication Required allows...

Page 104: ...er database may not be used Select Disable to allow wireless stations to communicate with the access points without using dynamic WEP key exchange Select 64 bit WEP or 128 bit WEP to enable data encry...

Page 105: ...otocol The following table describes the labels not previously discussed Back Click Back to go to the main wireless LAN setup screen Apply Click Apply to save your changes back to the Prestige Cancel...

Page 106: ...r broadcast and multicast group traffic if the Key Management Protocol is WPA and WPA Mixed Mode is disabled WEP is used automatically if you have enabled WPA Mixed Mode All unicast traffic is automat...

Page 107: ...including spaces and symbols WPA Mixed Mode The Prestige can operate in WPA Mixed Mode which supports both clients running WPA and clients running dynamic WEP key exchange with 802 1x in the same Wi F...

Page 108: ...le to authenticate wireless users without interacting with a network RADIUS server However there is a limit on the number of users you may authenticate in this way To change your Prestige s local user...

Page 109: ...e 36 RADIUS The following table describes the fields in this screen Table 24 Local User Database LABEL DESCRIPTION This is the index number of a local user account Active Select this check box to enab...

Page 110: ...ey must be the same on the external authentication server and Prestige Accounting Server Active Select Yes from the drop down list box to enable user authentication through an external accounting serv...

Page 111: ...Prestige 662HW Series User s Guide 111 Chapter 8 Wireless LAN Setup...

Page 112: ...same metric the Prestige uses the following pre defined priorities Normal route designated by the ISP see the Configuring WAN Setup section Traffic redirect route see the Traffic Redirect section WAN...

Page 113: ...E software installed since the Prestige does that part of the task Furthermore with NAT all of the LANs computers will have access 9 4 Traffic Shaping Traffic Shaping is an agreement between the carri...

Page 114: ...ssary configuration changes In cases where additional account information such as an Internet account user name and password is required or the Prestige cannot connect to the ISP you will be redirecte...

Page 115: ...elds in this screen Table 26 WAN Setup LABEL DESCRIPTION Name Enter the name of your Internet Service Provider e g MyISP This information is for identification purposes only Mode Select Routing defaul...

Page 116: ...Cell Rate PCR This is the maximum rate at which the sender can send cells Type the PCR here Sustain Cell Rate The Sustain Cell Rate SCR sets the average cell rate long term that can be transmitted Typ...

Page 117: ...T for application where NAT is not appropriate Disable PPPoE pass through if you do not need to allow hosts on the LAN to use PPPoE client software on their computers to connect to the ISP Subnet Mask...

Page 118: ...r three logical networks with the Prestige itself as the gateway for each LAN network Put the protected LAN in one subnet Subnet 1 in the following figure and the backup gateway in another subnet Subn...

Page 119: ...this field to test your Prestige s WAN accessibility Type the IP address of a reliable nearby computer for example your ISP s DNS server address Note If you activate either traffic redirect or dial b...

Page 120: ...The smaller the number the lower the cost Backup Gateway Type the IP address of your backup gateway in dotted decimal notation The Prestige automatically forwards traffic to this IP address if the Pr...

Page 121: ...9 9 Configuring Advanced WAN Backup To edit your Prestige s advanced WAN backup settings click WAN WAN Backup and then the Advanced Setup button The screen appears as shown Figure 42 Advanced WAN Back...

Page 122: ...speeds are 9600 19200 38400 57600 115200 or 230400 bps AT Command Initial String Type the AT command string to initialize the WAN device Consult the manual of your WAN device connected to your dial b...

Page 123: ...C 1112 but IGMP version 1 is still in wide use If you would like to read more detailed information about interoperability between IGMP version 2 and version 1 please see sections 4 and 5 of RFC 2236 P...

Page 124: ...e to hang up in addition to issuing the drop command ATH 9 12 Response Strings The response strings tell the Prestige the tags or labels immediately preceding the various call parameters sent from the...

Page 125: ...the DTR Data Terminal Ready signal after the AT Command String Drop is sent out AT Response Strings CLID Type the keyword that precedes the CLID Calling Line Identification in the AT response string T...

Page 126: ...if it does not receive a positive disconnect confirmation Example 20 Call Back Delay Type a number of seconds for the Prestige to wait between dropping a callback request call and dialing the corresp...

Page 127: ...Prestige 662HW Series User s Guide 127 Chapter 9 WAN Setup...

Page 128: ...refers to the IP address of a host when the packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side Note that in...

Page 129: ...NAT offers the additional benefit of firewall protection With no servers defined your Prestige filters out all incoming inquiries thus preventing intruders from probing your network For more informat...

Page 130: ...following figure illustrates a possible NAT application where three inside LANs logical LANs using IP Alias behind the Prestige can communicate with three distinct WAN networks More examples follow at...

Page 131: ...e servers of different services behind the NAT to be accessible to the outside world Port numbers do not change for One to One and Many to Many No Overload NAT mapping types The following table summar...

Page 132: ...do not allow you to run any server processes such as a Web or FTP server from your location Your ISP may periodically check for servers and may suspend your account if it discovers any active services...

Page 133: ...he example You assign the LAN IP addresses and the ISP assigns the WAN IP address The NAT network appears as a single host on the Internet IP address assigned by ISP Figure 46 Multiple Servers Behind...

Page 134: ...wing screen Refer to Table 32 for port numbers commonly used for particular services Table 33 NAT Mode LABEL DESCRIPTION None Select this radio button to disable NAT SUA Only Select this radio button...

Page 135: ...s of ports enter the start port number here and the end port number in the End Port No field End Port No Enter a port number in this field To forward only one port enter the port number again in the S...

Page 136: ...e your Prestige s address mapping settings click NAT Select Full Feature and click Edit Details to open the following screen Figure 49 Address Mapping Rules The following table describes the fields in...

Page 137: ...T mapping type M 1 Many to One mode maps multiple local IP addresses to one global IP address This is equivalent to SUA i e PAT port address translation ZyXEL s Single User Account feature that previo...

Page 138: ...utside world Local Start IP This is the starting local IP address ILA Local IP addresses are N A for Server port mapping Local End IP This is the end local IP address ILA If your rule is for all local...

Page 139: ...Prestige 662HW Series User s Guide 139 Chapter 10 Network Address Translation NAT Screens...

Page 140: ...friends or relatives will always be able to call you even if they don t know your IP address First of all you need to have registered a dynamic DNS account with www dyndns org This is for people with...

Page 141: ...Provider This is the name of your Dynamic DNS service provider Host Names Type the domain name assigned to your Prestige by your Dynamic DNS provider E mail Address Type your e mail address User Type...

Page 142: ...is screen to configure the Prestige s time and date settings 12 1 Configuring Time and Date To change your Prestige s time and date click Time And Date The screen appears as shown Use this screen to c...

Page 143: ...er the month and day that your daylight savings time starts on if you selected Daylight Savings End Date Enter the month and day that your daylight savings time ends on if you selected Daylight Saving...

Page 144: ...or a firewall to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security policy In addition specific policies must be imp...

Page 145: ...some proxies support See theStateful Inspection section for more information on Stateful Inspection Firewalls of one type or another have become an integral part of standard security solutions for ent...

Page 146: ...et of application protocols that perform specific functions An extension number called the TCP port or UDP port identifies these protocols such as HTTP Web FTP File Transfer Protocol POP3 E mail etc F...

Page 147: ...sh hang or reboot Teardrop attack exploits weaknesses in the re assembly of IP packet fragments As data is transmitted through a network IP packets are often broken up into smaller chunks Each fragmen...

Page 148: ...latively long intervals terminates the three way handshake Once the queue is full the system will ignore all incoming SYN requests making the system unavailable for legitimate users Figure 55 SYN Floo...

Page 149: ...andwidth making communications impossible Figure 56 Smurf Attack 13 4 2 1 ICMP Vulnerability ICMP is an error reporting protocol that works in concert with IP The following ICMP types trigger an alert...

Page 150: ...l The Prestige blocks all IP Spoofing attempts 13 5 Stateful Inspection With stateful inspection fields of the packets are compared to packets that are already known to be trusted For example if you a...

Page 151: ...ermine and record information about the state of the packet s connection This information is recorded in a new state table entry created for the new connection If there is not a firewall rule for this...

Page 152: ...rules work by evaluating the network traffic s Source IP address Destination IP address IP protocol type and comparing these to rules set by the administrator Below is a brief technical description of...

Page 153: ...lar situation exists for ICMP except that the Prestige is even more restrictive Specifically only outgoing echoes will allow incoming echo replies outgoing address mask requests will allow incoming ad...

Page 154: ...count what hackers can do and prepares against attacks The best defense against hackers and crackers is information Educate all employees about the importance of security and how to minimize risk Prod...

Page 155: ...der portion of an IP packet 13 7 1 1 When To Use Filtering To block allow LAN packets by their MAC addresses To block allow special IP packets which are neither TCP nor UDP nor ICMP packets To block a...

Page 156: ...ter choice when complex rules are required To selectively block allow inbound or outbound traffic between inside host networks and outside host networks Remember that filters can not distinguish traff...

Page 157: ...Prestige 662HW Series User s Guide 157 Chapter 13 Firewalls...

Page 158: ...r advanced users 14 2 Firewall Policies Overview Firewall rules are grouped based on the direction of travel of packets to which they apply By default the Prestige s stateful packet inspection allows...

Page 159: ...the LAN Allow everyone except your competitors to access a Web server Restrict use of certain protocols such as Telnet to authorized users on the LAN These custom rules work by comparing the Source I...

Page 160: ...e if IRC is blocked for all users will a rule that blocks just certain users be more effective 4 Does a rule that allows Internet users access to resources on the LAN create a security vulnerability F...

Page 161: ...s for managing the Prestige through the LAN interface and policies for LAN to LAN the policies that control routing between two subnets on the LAN Similarly WAN to WAN Router and DMZ to DMZ Router pol...

Page 162: ...ert Message to Administrator When Matched checkbox or when a rule is matched in the Edit Rule screen see the Configuring Firewall Rules section When an event generates an alert a message can be immedi...

Page 163: ...LAN to DMZ WAN to WAN Router WAN to LAN WAN to DMZ DMZ to DMZ Router DMZ to LAN or DMZ to WAN Firewall rules are grouped based on the direction of travel of packets to which they apply For example LA...

Page 164: ...green When the amount of space used is over 80 the bar is red Packet Direction Use the drop down list box to select a direction of travel of packets for which you want to configure firewall rules Defa...

Page 165: ...ice type is equivalent to Any See for more information Action This is the specified action for that rule either Block or Forward Note that Block means the firewall silently discards the packet Schedul...

Page 166: ...Prestige 662HW Series User s Guide Chapter 14 Firewall Configuration 166 Figure 62 Firewall Edit Rule The following table describes the labels in this screen...

Page 167: ...ck Delete to remove it Services Available Selected Services Please see for more information on services available Highlight a service from the Available Services box on the left then click Add to add...

Page 168: ...wall Customized Services 14 8 Creating Editing A Customized Service Click a rule number in the Firewall Customized Services screen to create a new custom port or edit an existing one This action displ...

Page 169: ...LABEL DESCRIPTION Service Name Type a unique name for your custom port Service Type Choose the IP port TCP UDP or TCP UDP that defines your customized port from the drop down list box Port Configurat...

Page 170: ...x number for where you want to put the rule For example if you type 6 your new rule becomes number 6 and the previous rule 6 if there is one becomes rule 7 4 Click Insert to display the firewall rule...

Page 171: ...ices link to open the Customized Service screen 8 Click an index number to display the Customized Services Config screen and configure the screen as follows and click Apply Figure 67 Edit Custom Port...

Page 172: ...xample Edit Rule Select Customized Services On completing the configuration procedure for this Internet firewall rule the Rule Summary Note Custom ports show up with an before their names in the Servi...

Page 173: ...ar in brackets The first field indicates the IP protocol type TCP UDP or ICMP The second field indicates the IP port number that defines the service Note that there may be more than one IP protocol ty...

Page 174: ...ternet Group Multicast Protocol is used when sending packets to a specific group of hosts NEWS TCP 144 A protocol for news groups NFS UDP 2049 Network File System NFS is a client server distributed fi...

Page 175: ...gement Program SNMP TRAPS TCP UDP 162 Traps for use with the SNMP RFC 1215 SQL NET TCP 1521 Structured Query Language is an interface to access data on many different types of database systems includi...

Page 176: ...g LAN and WAN and DMZ Ping requests Do not respond to requests for unauthorized services Select this option to prevent hackers from finding the Prestige by probing for unused ports If you select this...

Page 177: ...see Figure 54 For UDP half open means that the firewall has detected no return traffic The Prestige measures both the total number of existing half open sessions and the rate of session establishment...

Page 178: ...n requests to the host giving the server time to handle the present connections The Prestige continues to block all new connection requests until the Blocking Time expires The Prestige also sends aler...

Page 179: ...Do not set Maximum Incomplete High to lower than the current Maximum Incomplete Low number 100 existing half open sessions The above values causes the Prestige to start deleting half open sessions wh...

Page 180: ...can set a schedule for when the Prestige performs content filtering You can also specify trusted IP addresses on the LAN for which the Prestige will not perform content filtering 15 2 Configuring Keyw...

Page 181: ...that you have configured the Prestige to block Delete Highlight a keyword in the box and click Delete to remove it Clear All Click Clear All to remove all of the keywords from the list Keyword Type a...

Page 182: ...e screen appears as shown Table 52 Content Filter Schedule LABEL DESCRIPTION Days to Block Select a check box to configure which days of the week or everyday you want the content filtering to be activ...

Page 183: ...beginning IP address of a specific range of computers on the LAN that you want to exclude from content filtering To Type the ending IP address of a specific range of users on your LAN that you want t...

Page 184: ...he system before they can gain access to the Internet 16 1 1 Content Access Control WLAN Application You can control LAN user Internet access by having an administrator configure Content Access Contro...

Page 185: ...labels in this screen Note You must set up all four user groups Table 54 Content Access Control General LABEL DESCRIPTION Enable Content Access Control Select the check box to allow the LAN administr...

Page 186: ...web site address Content Filtering Service Click Register to go to a web site where you can register for category based content filtering using an external database You can use a trial application or...

Page 187: ...e day s that you do not want any time restrictions for user Internet access Time Budget Left Type the number of hours 0 to 23 and minutes 0 to 59 to allow Internet access of unblocked sites Note If yo...

Page 188: ...have the service blocked on a day in the weekend Saturday or Sunday These services will be blocked according to the settings you configure in Time Scheduling screen Blocked Services This box shows al...

Page 189: ...CQ TCP 5190 AOL s Internet Messenger service used as a listening port by ICQ AUTH TCP 113 Authentication protocol used by some servers BGP TCP 179 Border Gateway Protocol BOOTP_CLIENT UDP 68 DHCP Clie...

Page 190: ...Service REAL_AUDIO TCP 7070 A streaming audio service that enables real time sound over the web REXEC TCP 514 Remote Execution Daemon RLOGIN TCP 513 Remote Login RTELNET TCP 107 Remote Telnet RTSP TC...

Page 191: ...ck Edit under Web Browsing in the Content Access Control General screen A screen displays as shown next TFTP UDP 69 Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP...

Page 192: ...Prestige 662HW Series User s Guide Chapter 16 Content Access Control 192 Figure 79 Content Access Control General Web Site Filter...

Page 193: ...pages that contain sexually explicit material for the purpose of arousing a sexual or prurient interest Sex Education Selecting this category excludes pages that provide graphic information sometimes...

Page 194: ...nt Business Economy Selecting this category excludes pages devoted to business firms business information economics marketing business management and entrepreneurship This does not include pages that...

Page 195: ...Internet and technology related organizations and companies Hacking Proxy Avoidance Pages providing information on illegal or questionable access to or the use of communications equipment software or...

Page 196: ...excludes pages that promote or provide information about spectator sports recreational activities or hobbies This includes pages that discuss or promote camping gardening and collecting Travel Selecti...

Page 197: ...click basic to see a smaller list Keyword Blocking Select the Enable check box to block the URL containing the keywords in the keyword list Block Websites that contain these keywords in the URL Type a...

Page 198: ...isplay the screen as shown next Table 59 Content Access Control General Diagnose LABEL DESCRIPTION Test Web Site Attribute Test Result This field displays the web site address check result Test if web...

Page 199: ...r Username Enter the user name for this account Password Enter a password associated to the user name above Category Select a user group from the drop down list box to associate this user account to t...

Page 200: ...This field displays the amount of time that you have before the Prestige logs you out and terminates your Internet access This time depends on the time allowance configured in Time Scheduling screen...

Page 201: ...login name and password the Prestige checks the access profile and begins enforcing the access control restriction as defined by the administrator 4 The access privileges remain in force until you lo...

Page 202: ...tor Login The administrator can log into the system The administrator opens their browser and is directed to the Prestige user login page this is the same as the user login The administrator enters ad...

Page 203: ...Prestige 662HW Series User s Guide 203 Chapter 16 Content Access Control...

Page 204: ...ignatures for known viruses and a scanning engine Signatures are byte patterns that are unique to a particular virus These signatures are stored in a pattern file The scanning engine compares the file...

Page 205: ...cted networked computers can grow exponentially 5 To prevent the spread of viruses you need to install host based anti virus software on a computer or buy an anti virus system 17 3 Introduction to the...

Page 206: ...r virus 4 If a virus pattern is matched the Prestige cleans the virus by deleting the infected packet and alerts the intended computer user s 17 3 2 Limitations of the Prestige Packet Scan The Prestig...

Page 207: ...ee the Registration and Online Update section for more information Table 63 Anti Virus Packet Scan LABEL DESCRIPTION Packet Scan Configuration Active Select this check box to enable the anti virus pac...

Page 208: ...maximum number of opened connections is reached default is 300 connections at a time Packet Scan Information Packet Scan Engine Version This read only field displays the version of the scanning engin...

Page 209: ...L com appendix for more information Activation After you have successfully registered for the anti virus service click Activate to enable and start using the anti virus feature This also sets the Pres...

Page 210: ...on and Virus Information Update screen click Update Now An update progress screen displays as shown Figure 88 Virus Scan Update in Progress 2 After the virus scan update is successful a screen display...

Page 211: ...Prestige 662HW Series User s Guide 211 Chapter 17 Anti Virus Packet Scan...

Page 212: ...ions for secure data communications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and auth...

Page 213: ...or More Private Networks Together Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased lines between sites Acc...

Page 214: ...on Algorithm describes the use of encryption techniques such as DES Data Encryption Standard and Triple DES algorithms The Authentication Algorithms HMAC MD5 RFC 2403 and HMAC SHA 1 RFC 2404 provide a...

Page 215: ...ended forward into the IP header to verify the integrity of the entire packet by use of portions of the original IP header in the hashing process 18 3 2 Tunnel Mode Tunnel mode encapsulates the entire...

Page 216: ...using ESP in Tunnel mode encapsulates the entire original packet including headers in a new IP packet The new IP packet s source address is the outbound address of the sending VPN gateway and its des...

Page 217: ...Prestige 662HW Series User s Guide 217 Chapter 18 Introduction to IPSec...

Page 218: ...tegrity authentication sequence integrity replay resistance and non repudiation but not for confidentiality for which the ESP was designed In applications where confidentiality is not required or not...

Page 219: ...Gateway Address field You may alternatively enter the remote secure gateway s domain name if it has one in the Secure Gateway Address field Table 66 AH and ESP ESP AH DES default Data Encryption Stand...

Page 220: ...he secure gateway s address In this case only the remote secure gateway can initiate SAs This may be useful for telecommuters initiating a VPN tunnel to the company network see the Telecommuter VPN IP...

Page 221: ...s active No signifies that this VPN policy is not active Local Address This is the IP address es of computer s on your local network behind your Prestige The same static IP address is displayed twice...

Page 222: ...wo IPSec routers Remote Address This is the IP address es of computer s on the remote network behind the remote IPSec router This field displays N A when the Secure Gateway Address field displays 0 0...

Page 223: ...or NAT traversal to work you must Use ESP security protocol in either transport or tunnel mode Use IKE keying mode Enable NAT traversal on both IPSec endpoints In order for IPSec router A see the figu...

Page 224: ...s section for a telecommuter configuration example Regardless of the ID type and content configuration the Prestige does not allow you to save multiple active rules with overlapping local and remote I...

Page 225: ...e 69 Peer ID Type and Content Fields PEER ID TYPE CONTENT IP Type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the Prestige automatically...

Page 226: ...ase 1 IKE negotiation see the IKE Phases section for more on IKE phases It is called pre shared because you have to share it with another party before you can communicate with them over a secure conne...

Page 227: ...Prestige 662HW Series User s Guide 227 Chapter 19 VPN Screens Figure 97 VPN IKE The following table describes the fields in this screen...

Page 228: ...Select Tunnel mode or Transport mode from the drop down list box DNS Server for IPSec VPN If there is a private DNS server that services the VPN type its IP address here The Prestige assigns this add...

Page 229: ...field is configured to Subnet enter a static IP address on the network behind the remote IPSec router End Subnet Mask When the Remote Address Type field is configured to Single this field is N A When...

Page 230: ...h trailing spaces are truncated The domain name or e mail address is for identification purposes only and can be any string It is recommended that you type an IP address other than 0 0 0 0 or use the...

Page 231: ...box When you use one of these encryption algorithms for data communications both the sending device and the receiving device must use the same secret key which can be used to encrypt and decrypt the m...

Page 232: ...gorithm Choose an authentication algorithm Choose whether to enable Perfect Forward Secrecy PFS using Diffie Hellman public key cryptography see the Perfect Forward Secrecy PFS section Select None the...

Page 233: ...l Diffie Hellman is used within IKE SA setup to establish session keys 768 bit Group 1 DH1 and 1024 bit Group 2 DH2 Diffie Hellman groups are supported Upon completion of the Diffie Hellman exchange t...

Page 234: ...packets to protect against replay attacks Select YES from the drop down menu to enable replay detection or select NO to disable it Local Start Port 0 is the default and signifies any port Type a port...

Page 235: ...both the sending device and the receiving device must use the same secret key which can be used to encrypt and decrypt the message or to generate and verify a message authentication code The DES encry...

Page 236: ...ased latency and decreased throughput This implementation of AES uses a 128 bit key AES is faster than 3DES Select NULL to set up a tunnel without encryption When you select NULL you do not enter an e...

Page 237: ...14 Configuring Manual Key You only configure VPN Manual Key when you select Manual in the IPSec Key Mode field on the VPN IKE screen This is the VPN Manual Key screen as shown next Figure 100 VPN Man...

Page 238: ...P Address Start When the Local Address Type field is configured to Single enter a static IP address on the LAN behind your Prestige When the Local Address Type field is configured to Range enter the b...

Page 239: ...orithm Select DES 3DES or NULL from the drop down list box When DES is used for data communications both sender and receiver must know the same secret key which can be used to encrypt and decrypt the...

Page 240: ...esh to display active VPN connections This screen is read only The following table describes the fields in this tab When there is outbound traffic but no inbound traffic the SA times out automatically...

Page 241: ...delay Disconnect Select Disconnect next to a security association and then click Apply to stop that security association Back Click Back to return to the previous screen Apply Click Apply to save your...

Page 242: ...for an example configuration that allows multiple telecommuters A B and C in the figure to use one VPN rule to simultaneously access a Prestige at headquarters HQ in the figure The telecommuters do no...

Page 243: ...should not overlap See the following table and figure for an example where three telecommuters each use a different VPN rule for a VPN connection with a Prestige located at headquarters The Prestige...

Page 244: ...arters Prestige Rule 1 Local ID Type IP Peer ID Type IP Local ID Content 192 168 2 12 Peer ID Content 192 168 2 12 Local IP Address 192 168 2 12 Secure Gateway Address telecommuter1 com Remote Address...

Page 245: ...HW Series User s Guide 245 Chapter 19 VPN Screens 19 18 VPN and Remote Management If a VPN tunnel uses Telnet FTP WWW then you should configure remote management Remote Management to allow access for...

Page 246: ...g firewall rules You may manage your Prestige from a remote location via Internet WAN only ALL LAN and WAN LAN only Neither Disable When you Choose WAN only or ALL LAN WAN you still need to configure...

Page 247: ...rule that blocks it 20 1 2 Remote Management and NAT When NAT is enabled Use the Prestige s WAN IP address when configuring from the WAN Use the Prestige s LAN IP address when configuring from the LA...

Page 248: ...otes a service that you may use to remotely manage the Prestige Access Status Select the access interface Choices are All LAN Only WAN Only and Disable Port This field shows the port number for the re...

Page 249: ...Prestige 662HW Series User s Guide 249 Chapter 20 Remote Management Configuration...

Page 250: ...ate icon Selecting the icon of a UPnP device will allow you to access the information and properties of that device 21 1 2 NAT Traversal UPnP NAT traversal automates the process of allowing an applica...

Page 251: ...tion supports IGD 1 0 Internet Gateway Device At the time of writing ZyXEL s UPnP implementation supports Windows Messenger 4 6 and 4 7 while Windows Messenger 5 0 and Xbox are still being tested UPnP...

Page 252: ...stige s IP address although you must still enter the password to access the web configurator Allow users to make configuration changes through UPnP Select this check box to allow UPnP enabled applicat...

Page 253: ...Setup Communication 3 In the Communications window select the Universal Plug and Play check box in the Components selection box Figure 109 Add Remove Programs Windows Setup Communication Components 4...

Page 254: ...ows XP 1 Click Start and Control Panel 2 Double click Network Connections 3 In the Network Connections window click Advanced in the main menu and select Optional Networking Components Figure 110 Netwo...

Page 255: ...662HW Series User s Guide 255 Chapter 21 Universal Plug and Play UPnP Figure 111 Windows Optional Networking Components Wizard 5 In the Networking Services window select the Universal Plug and Play c...

Page 256: ...section shows you how to use the UPnP feature in Windows XP You must already have UPnP installed in Windows XP and UPnP activated on the Prestige Make sure the computer is connected to a LAN port of...

Page 257: ...Series User s Guide 257 Chapter 21 Universal Plug and Play UPnP Figure 113 Network Connections 3 In the Internet Connection Properties window click Settings to see the port mappings there were automat...

Page 258: ...stige 662HW Series User s Guide Chapter 21 Universal Plug and Play UPnP 258 Figure 114 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mappi...

Page 259: ...erties Advanced Settings Figure 116 Internet Connection Properties Advanced Settings Add 5 When the UPnP enabled device is disconnected from your computer all port mappings will be deleted automatical...

Page 260: ...ection Status Web Configurator Easy Access With UPnP you can access the web based configurator on the Prestige without finding out the IP address of the Prestige first This comes helpful if you do not...

Page 261: ...iversal Plug and Play UPnP Figure 119 Network Connections 4 An icon with the description for each UPnP enabled device displays under Local Network 5 Right click on the icon for your Prestige and selec...

Page 262: ...lay UPnP 262 Figure 120 Network Connections My Network Places 6 Right click on the icon for your Prestige and select Properties A properties window displays with basic information about the Prestige F...

Page 263: ...Prestige 662HW Series User s Guide 263 Chapter 21 Universal Plug and Play UPnP...

Page 264: ...ors attacks access control and attempted access to blocked web sites Some categories such as System Errors consist of both logs and alerts You may differentiate them by their color in the View Log scr...

Page 265: ...Log Settings LABEL DESCRIPTION Address Info Mail Server Enter the server name or the IP address of the mail server for the e mail addresses specified below If this field is left blank logs and alert m...

Page 266: ...facility allows you to log the messages to different files in the syslog server Refer to the documentation of your syslog program for more details Send Log Log Schedule This drop down menu is used to...

Page 267: ...recorded See the chapter on system maintenance and information to configure the Prestige s time and date Message This field states the reason for the log Source This field lists the source IP address...

Page 268: ...ubject Firewall Alert From Prestige Date Fri 07 Apr 2000 10 05 42 From user zyxel com To user zyxel com 1 Apr 7 00 From 192 168 1 1 To 192 168 1 255 default policy forward 09 54 03 UDP src port 00520...

Page 269: ...Prestige 662HW Series User s Guide 269 Chapter 22 Logs Screens...

Page 270: ...u to configure the allowed output for an interface to match what the network can handle This helps reduce delays and dropped packets at the next routing device For example you can set the WAN interfac...

Page 271: ...onal Bandwidth Allocation Bandwidth management allows you to define how much bandwidth each class gets however the actual bandwidth allotted to each class decreases or increases in proportion to actua...

Page 272: ...applications in each subnet are allotted bandwidth Figure 127 Application and Subnet based Bandwidth Management Example 23 5 Scheduler The scheduler divides up an interface s bandwidth among the band...

Page 273: ...When you enable maximize bandwidth usage the Prestige first makes sure that each bandwidth class gets up to its bandwidth allotment Next the Prestige divides up an interface s available bandwidth ban...

Page 274: ...the classes that require more bandwidth Therefore the Prestige divides a total of 3 Mbps total of unbudgeted and unused bandwidth among the classes that require more bandwidth In this case suppose tha...

Page 275: ...class first The child class can also borrow bandwidth from a higher parent class grandparent class if the child class s parent class is also configured to borrow bandwidth from its parent class This c...

Page 276: ...enabled The Bill class cannot borrow unused bandwidth from the Root class because the Sales class has bandwidth borrowing disabled The Amy class cannot borrow unused bandwidth from the Sales USA class...

Page 277: ...bandwidth child classes of higher priority and treats bandwidth classes of the same priority equally 3 The Prestige assigns any remaining unused or unbudgeted bandwidth on the interface to any bandwid...

Page 278: ...able bandwidth management on that interface Bandwidth management applies to all traffic flowing out of the router through the interface regardless of the traffic s source Traffic redirect or IP alias...

Page 279: ...erface To add a child class click Media Bandwidth Management then Class Setup Click the Add Child Class button to open the following screen Table 86 Media Bandwidth Management Class Setup LABEL DESCRI...

Page 280: ...ty The default setting is 3 Borrow bandwidth from parent class Select this option to allow a child class to borrow bandwidth from its parent class if the parent class is not using up its bandwidth bud...

Page 281: ...configuring the Destination Port Source Port and Protocol ID fields Destination IP Address Enter the destination IP address in dotted decimal notation A blank destination IP address means any destinat...

Page 282: ...able 88 Services and Port Numbers SERVICES PORT NUMBER Table 89 Media Bandwidth Management Statistics LABEL DESCRIPTION Class Name This field displays the name of the class the statistics page is show...

Page 283: ...r from refreshing bandwidth management statistics Clear Counter Click Clear Counter to clear all of the bandwidth management statistics Table 89 Media Bandwidth Management Statistics LABEL DESCRIPTION...

Page 284: ...nd port traffic statistics 24 1 Maintenance Overview The maintenance screens can help you view system information upload new firmware manage configuration and restart your Prestige 24 2 System Status...

Page 285: ...Chapter 24 Maintenance Figure 136 System Status The following table describes the fields in this screen Table 91 System Status LABEL DESCRIPTION System Status System Name This is the name of your Pres...

Page 286: ...if applicable VPI VCI This is the Virtual Path Identifier and Virtual Channel Identifier that you entered in the first Wizard screen LAN Information MAC Address This is the MAC Media Access Control o...

Page 287: ...ET RFC 1483 and PPPoE Interface This field displays the type of port Status For the WAN port this displays the port speed and duplex setting if you re using Ethernet encapsulation and down line is dow...

Page 288: ...d MAC Address of all network clients using the DHCP server Figure 138 DHCP Table The following table describes the fields in this screen Poll Interval s Type the time interval for the browser to refre...

Page 289: ...ge s wireless LAN 24 5 1 Association List This screen displays the MAC address es of the wireless stations that are currently logged in to the network Click Wireless LAN and then Association List to o...

Page 290: ...sociation List LABEL DESCRIPTION This is the index number of an associated wireless station MAC Address This field displays the MAC Media Access Control address of an associated wireless station Every...

Page 291: ...t Table 96 Diagnostic General LABEL DESCRIPTION TCP IP Address Type the IP address of a computer that you want to ping in order to test a connection Ping Click this button to ping the IP address that...

Page 292: ...Status Click this button to view ATM status ATM Loopback Test Click this button to start the ATM loopback test Make sure you have configured at least one PVC with proper VPIs VCIs before you begin thi...

Page 293: ...en the following screen Follow the instructions in this screen to upload firmware to your Prestige Figure 143 Firmware Upgrade The following table describes the labels in this screen Table 98 Firmware...

Page 294: ...ts in this time causing a temporary network disconnect In some operating systems you may see the following icon on your desktop Figure 144 Network Temporarily Disconnected After two minutes log in aga...

Page 295: ...Prestige 662HW Series User s Guide 295 Chapter 24 Maintenance...

Page 296: ...restige 1 In Windows click Start usually in the bottom left corner Run and then type telnet 192 168 1 1 the default IP address and click OK 2 Enter 1234 in the Password field 3 After entering the pass...

Page 297: ...enus in this guide as an example The SMT menus vary slightly for different Prestige models The following figure gives you an overview of the various SMT menu screens of your Pres tige Figure 147 Prest...

Page 298: ...quires you to type in the appropriate information The second allows you to cycle through the available choices by pressing SPACE BAR Required fields or ChangeMe All fields with the symbol must be fill...

Page 299: ...up an Internet connection 11 Remote Node Setup Use this menu to set up the Remote Node for LAN to LAN connection including Internet connection 12 Static Routing Setup Use this menu to set up static ro...

Page 300: ...d field up to 30 characters and press ENTER 5 Re type your new system password in the Retype to confirm field for confirmation and press ENTER Menu 23 1 System Security Change Password Old Password Ne...

Page 301: ...Prestige 662HW Series User s Guide 301 Chapter 25 Introducing the SMT...

Page 302: ...Windows 2000 click Start Settings Control Panel and then double click System Click the Network Identification tab and then the Properties button Note the entry for the Computer name field and enter it...

Page 303: ...nal Enter the name up to 30 characters of the person in charge of this Prestige Domain Name Enter the domain name if you know it here If you leave this field blank the ISP may assign a domain name via...

Page 304: ...your dynamic DNS service provider Active Press SPACE BAR to select Yes and then press ENTER to make dynamic DNS active Host Enter the domain name assigned to your Prestige by your dynamic DNS provide...

Page 305: ...Prestige 662HW Series User s Guide 305 Chapter 26 Menu 1 General Setup...

Page 306: ...Fail Tolerance 0 Recovery Interval sec 0 ICMP Timeout sec 0 Traffic Redirect No Dial Backup No Press ENTER to Confirm or ESC to Cancel Table 104 Menu 2 WAN Backup Setup FIELD DESCRIPTION Check Mechan...

Page 307: ...seconds for an ICMP session to wait for the ICMP response Traffic Redirect Press SPACE BAR to select Yes or No Select Yes and press ENTER to configure Menu 2 1 Traffic Redirect Setup Select No default...

Page 308: ...ns the link is down The smaller the number the lower the cost When you have completed this menu press ENTER at the prompt Press ENTER to Confirm or ESC to Cancel to save your configuration or press ES...

Page 309: ...o edit the advanced setup for the Dial Backup port move the cursor to this field press the SPACE BAR to select Yes and then press ENTER to go to Menu 2 2 1 Advanced Dial Backup Setup When you have com...

Page 310: ...he default the DTR Data Terminal Ready signal is dropped after the AT Command String Drop is sent out AT Response Strings CLID Calling Line Identification Enter the keyword that precedes the CLID Call...

Page 311: ...ait before dropping the DTR signal if it does not receive a positive disconnect confirmation Call Back Delay sec Enter a number of seconds for the Prestige to wait between dropping a callback request...

Page 312: ...y to the Ethernet traffic You seldom need to filter Ethernet traffic however the filter sets may be useful to block certain packets reduce traffic and prevent security breaches Figure 156 Menu 3 1 LAN...

Page 313: ...ed below For TCP IP Ethernet setup refer to the Internet Access Configuration section For bridging Ethernet setup refer to Chapter 33 Bridging Setup 28 3 CP IP Ethernet Setup and DHCP Use menu 3 2 to...

Page 314: ...ws 95 Windows NT and other systems that support the DHCP client If set to None the DHCP server will be disabled If set to Relay the Prestige acts as a surrogate DHCP server and relays DHCP requests an...

Page 315: ...is a network layer protocol used to establish membership in a Multicast group The Prestige supports both IGMP version 1 IGMP v1 and version 2 IGMP v2 Press the SPACE BAR to enable IP Multicasting or...

Page 316: ...less LAN Setup The following table describes the fields in this menu Menu 3 5 Wireless LAN Setup ESSID Wireless Hide ESSID No Channel ID CH06 2437MHz RTS Threshold 2432 Frag Threshold 2432 WEP Disable...

Page 317: ...rovides data encryption to prevent wireless stations from accessing data transmitted over the wireless network Select Disable allows wireless stations to communicate with the access points without any...

Page 318: ...00 00 00 00 11 00 00 00 00 00 00 23 00 00 00 00 00 00 12 00 00 00 00 00 00 24 00 00 00 00 00 00 Enter here to CONFIRM or ESC to CANCEL Table 112 Menu 3 5 1 WLAN MAC Address Filtering FIELD DESCRIPTION...

Page 319: ...Prestige 662HW Series User s Guide 319 Chapter 29 Wireless LAN Setup...

Page 320: ...olicy defined by the network administrator Policy based routing is applied to incoming packets on a per interface basis prior to the normal routing Create policies using SMT menu 25 see Chapter 43 IP...

Page 321: ...the second and third network Figure 161 Menu 3 2 TCP IP and DHCP Setup Pressing ENTER displays Menu 3 2 1 IP Alias Setup as shown next Menu 3 2 TCP IP and DHCP Setup DHCP Setup DHCP Server Client IP...

Page 322: ...IELD DESCRIPTION IP Alias Choose Yes to configure the LAN network for the Prestige IP Address Enter the IP address of your Prestige in dotted decimal notation IP Subnet Mask Your Prestige will automat...

Page 323: ...Encapsulation Gateway IP address if you are using ENET ENCAP encapsulation From the main menu type 4 to display Menu 4 Internet Access Setup as shown next Figure 164 Menu 4 Internet Access Setup The...

Page 324: ...fic source that can be sent at the peak rate and a parameter for burst traffic Type the SCR it must be less than the PCR Maximum Burst Size MBS 0 Refers to the maximum number of cells that can be sent...

Page 325: ...Prestige 662HW Series User s Guide 325 Chapter 30 Internet Access...

Page 326: ...s you are configuring one of the remote nodes You first choose a remote node in Menu 11 Remote Node Setup You can then edit that node s profile in menu 11 1 as well as configure specific settings in t...

Page 327: ...ion Here are some examples of more suitable combinations in such an application 31 2 2 1 Scenario 1 One VC Multiple Protocols PPPoA RFC 2364 encapsulation with VC based multiplexing is the best combin...

Page 328: ...u 11 Encapsulation PPPoA refers to RFC 2364 PPP Encapsulation over ATM Adaptation Layer 5 If RFC 1483 Multiprotocol Encapsulation over ATM Adaptation Layer 5 of ENET ENCAP are selected then the Rem Lo...

Page 329: ...press ENTER to display Menu 11 8 Advance Setup Options Telco Option Allocated Budget min This sets a ceiling for outgoing call time for this remote node The default for this field is 0 meaning no bud...

Page 330: ...CEL Table 116 Menu 11 3 Remote Node Network Layer Options FIELD DESCRIPTION IP Address Assignment Press SPACE BAR and then ENTER to select Dynamic if the remote node is using a dynamically assigned IP...

Page 331: ...of 1 for directly connected networks Type a number that approximates the cost for this link The number need not be precise but it must be between 1 and 15 In practice 2 or 3 is usually a good number P...

Page 332: ...mote Node Filter to specify the filter set s to apply to the incoming and outgoing traffic between this remote node and the Prestige and also to prevent certain packets from triggering calls You can s...

Page 333: ...stige depending on whether you chose VC based LLC based multiplexing and PPP encapsulation in menu 11 1 31 5 1 VC based Multiplexing non PPP Encapsulation For VC based multiplexing by prior agreement...

Page 334: ...the VCI is 32 to 65535 1 to 31 is reserved for local management of ATM traffic 31 5 3 Advance Setup Options In menu 11 1 select PPPoE in the Encapsulation field Menu 11 6 Remote Node ATM Layer Options...

Page 335: ...onfirm or ESC to Cancel Menu 11 8 Advance Setup Options PPPoE pass through No Press ENTER to Confirm or ESC to Cancel Table 117 Menu 11 8 Advance Setup Options FIELD DESCRIPTION PPPoE pass through Pre...

Page 336: ...Each remote node specifies only the network to which the gateway is directly connected and the Prestige has no knowledge of the networks beyond For instance the Prestige knows about network N2 in the...

Page 337: ...Static Route Menu 12 Static Route Setup 1 IP Static Route 3 Bridge Static Route Please enter selection Menu 12 1 IP Static Route Setup 1 ________ 2 ________ 3 ________ 4 ________ 5 ________ 6 ________...

Page 338: ...ss and Subnet Mask section in this manual Gateway IP Address Type the IP address of the gateway The gateway is a router or switch on the same network segment as the device s LAN or WAN port The gatewa...

Page 339: ...Prestige 662HW Series User s Guide 339 Chapter 32 Static Route Setup...

Page 340: ...er protocol and it also demands more CPU cycles and memory For efficiency reasons do not turn on bridging unless you need to support protocols other than IP on your network For IP enable the routing i...

Page 341: ...ilter Sets No Idle Timeout sec N A Press ENTER to Confirm or ESC to Cancel Menu 11 3 Remote Node Network Layer Options IP Options Bridge Options IP Address Assignment Static Ethernet Addr Timeout min...

Page 342: ...Cancel Table 120 Menu 12 3 1 Edit Bridge Static Route FIELD DESCRIPTION Route This is the route index number you typed in Menu 12 3 Bridge Static Route Setup Route Name Type a name for the bridge stat...

Page 343: ...Prestige 662HW Series User s Guide 343 Chapter 33 Bridging Setup...

Page 344: ...ports two types of mapping Many to One and Server See the NAT Setup section or a detailed description of the NAT set for SUA The Prestige also supports Full Feature NAT to map multiple global IP addre...

Page 345: ...options for Network Address Translation Menu 4 Internet Access Setup ISP s Name MyISP Encapsulation RFC 1483 Multiplexing LLC based VPI 8 VCI 35 ATM QoS Type UBR Peak Cell Rate PCR 0 Sustain Cell Rat...

Page 346: ...web configurator screens for further information on these menus To configure NAT enter 15 from the main menu to bring up the following screen Figure 184 Menu 15 NAT Setup 34 3 1 Address Mapping Sets...

Page 347: ...election Number Menu 15 1 255 Address Mapping Rules Set Name Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 0 0 0 0 255 255 255 255 0 0 0 0 M 1 2 0 0 0 0 Server 3 4 5 6 7 8 9 10...

Page 348: ...u 15 1 1 1 described later and the values are displayed here Global Start IP This is the starting global IP address IGA If you have a dynamic IP enter 0 0 0 0 as the Global Start IP Global End IP This...

Page 349: ...including deleting a rule No changes to the set take place until this action is taken Selecting Edit in the Action field and then selecting a rule brings up the following menu Menu 15 1 1 1 Address M...

Page 350: ...multiple servers of different types behind NAT to this computer See section 27 5 3 for an example Local IP Only local IP fields are N A for server Global IP fields MUST be set for Server Start This is...

Page 351: ...acting as an FTP Telnet and SMTP server ports 21 23 and 25 at 192 168 1 33 6 Press ENTER at the Press ENTER to confirm prompt to save your configuration after you define all the servers or press ESC a...

Page 352: ...Behind NAT Example 34 5 General NAT Examples The following are some examples of NAT configuration 34 5 1 Example 1 Internet Access Only In the following Internet access example you only need one rule...

Page 353: ...Network Address Translation field in menus 4 and 11 3 is specifically pre configured to handle this case 34 5 2 Example 2 Internet Access with an Inside Server Menu 4 Internet Access Setup ISP s Name...

Page 354: ...ervers to the first two IGAs and the other LAN traffic to the remaining IGA Map the third IGA to an inside web server and mail server Four rules need to be configured two bi directional and two unidir...

Page 355: ...l Feature option from the Network Address Translation field in menu 4 or menu 11 3 in Figure 197 1 Enter 15 from the main menu 2 Enter 1 to configure the Address Mapping Sets 3 Enter 1 to begin config...

Page 356: ...ons IP Address Assignment Static Ethernet Addr Timeout min 0 Rem IP Addr 0 0 0 0 Rem Subnet Mask 0 0 0 0 My WAN Addr 0 0 0 0 NAT Full Feature Address Mapping Set 2 Metric 2 Private No RIP Direction Bo...

Page 357: ...r 2 in Menu 15 NAT Setup 3 Enter 1 in Menu 15 2 NAT Server Sets to see the following menu Configure it as shown Menu 15 1 1 Address Mapping Rules Set Name Example3 Idx Local Start IP Local End IP Glob...

Page 358: ...Figure 201 NAT Example 4 Other applications such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream These applications won t work through NAT even...

Page 359: ...g Rules Menu 15 1 1 1 Address Mapping Rule Type Many to Many No Overload Local IP Start 192 168 1 10 End 192 168 1 12 Global IP Start 10 132 50 1 End 10 132 50 3 Server Mapping Set N A Press ENTER to...

Page 360: ...by far the most comprehensive firewall configuration tool your Prestige has to offer For this reason it is recommended that you configure your firewall using the web configurator see the following cha...

Page 361: ...S attacks when it is active The default Policy sets 1 allow all sessions originating from the LAN to the WAN and 2 deny all sessions originating from the WAN to the LAN You may define additional Polic...

Page 362: ...ring Call filters are divided into two groups the built in call filters and user defined call filters Your Prestige has built in call filters that prevent administrative for example RIP packets from t...

Page 363: ...ribe how to configure filter sets 36 1 1 The Filter Structure of the Prestige A filter set consists of one or more filter rules Usually you would group related rules for example all the rules for NetB...

Page 364: ...in menu 21 1 Figure 208 NetBIOS_WAN Filter Rules Summary Menu 21 1 Filter Set Configuration Filter Filter Set Comments Set Comments 1 _______________ 7 _______________ 2 _______________ 8 ____________...

Page 365: ...ff Value 01005e N D F 2 N 3 N 4 N 5 N 6 N Enter Filter Rule Number 1 6 to Configure Table 125 Abbreviations Used in the Filter Rules Summary Menu FIELD DESCRIPTION The filter rule number 1 to 6 A Acti...

Page 366: ...of a filter set is determined by the first rule that you create When applying the filter sets to a port separate menu fields are provided for protocol and device filter sets If you include a protocol...

Page 367: ...TER to Confirm or ESC to Cancel Table 127 Menu 21 1 x 1 TCP IP Filter Rule FIELD DESCRIPTION Filter This is the filter set filter rule coordinates for instance 2 3 refers to the second filter set and...

Page 368: ...es only when the IP Protocol field is 6 TCP If Yes the rule matches packets that want to establish TCP connection s SYN 1 and ACK 0 else it is ignored More If Yes a matching packet is passed to the ne...

Page 369: ...lies the Mask bit wise ANDing to the data portion before comparing the result against the Value to determine a match The Mask and Value fields are specified in hexadecimal numbers Note that it takes t...

Page 370: ...d below each type will be different Choices are Generic Filter Rule or TCP IP Filter Rule Active Select Yes to turn on or No to turn off the filter rule Offset Type the starting byte of the data porti...

Page 371: ...er NAT for incoming packets On the other hand the generic or device filters are applied to the raw packets that appear on the wire They are applied at the point where the Prestige is receiving and sen...

Page 372: ...ule Make the entries in this menu as shown next When you press ENTER to confirm the following screen appears Note that there is only one filter rule in this set Figure 216 Menu 21 1 6 1 Sample Filter...

Page 373: ...er Rules Summary 36 7 Applying Filters and Factory Defaults This section shows you where to apply the filter s after you design it them Sets of factory default filter rules have been configured in men...

Page 374: ...ffic 36 7 2 Remote Node Filters Go to menu 11 5 shown next and type the number s of the filter set s as appropriate You can cascade up to four filter sets by typing their numbers separated by commas T...

Page 375: ...Prestige 662HW Series User s Guide 375 Chapter 36 Filter Configuration...

Page 376: ...network The Prestige supports SNMP version one SNMPv1 and version two c SNMPv2c The next figure illustrates an SNMP management operation SNMP is only available if TCP IP is configured Figure 220 SNMP...

Page 377: ...etrieve an object variable from the agent GetNext Allows the manager to retrieve the next object variable from a table or list within an agent In SNMPv1 when a manager wants to retrieve all elements o...

Page 378: ...ent station Trusted Host If you enter a trusted host your Prestige will only respond to SNMP messages from this address A blank default field means your Prestige will respond to all SNMP messages it r...

Page 379: ...d 6 whyReboot defined in ZYXEL MIB A trap is sent with the reason of restart before rebooting when the system is going to restart warm start 6a For intentional reboot A trap is sent with the message S...

Page 380: ...f you forget your password you have to restore the default configuration file Refer to the Changing the System Password section and the Resetting the Prestige section for information Figure 222 Menu 2...

Page 381: ...on Shared Secret Specify a password up to 31 alphanumeric characters as the key to be shared between the external authentication server and the access points The key is not sent over the network This...

Page 382: ...stem Security IEEE802 1x Figure 226 Menu 23 4 System Security IEEE802 1x The following table describes the fields in this menu Menu 23 System Security 1 Change Password 2 RADIUS Server 4 IEEE802 1x En...

Page 383: ...mic WEP Key Exchange This field is activated only when you select Authentication Required in the Wireless Port Control field Also set the Authentication Databases field to RADIUS Only Local user datab...

Page 384: ...base with 802 1x Key Management Protocol Select Local User Database Only to have the Prestige just check the built in user database on the Prestige for a wireless station s username and password Selec...

Page 385: ...22 ________ 30 ________ 7 ________ 15 ________ 23 ________ 31 ________ 8 ________ 16 ________ 24 ________ 32 ________ Enter Menu Selection Number Menu 14 1 Edit Dial in User User Name test Active Yes...

Page 386: ...wn in the following figure Figure 229 Menu 24 System Maintenance 39 2 System Status The first selection System Status gives you information on the status and statistics of the ports as shown next Syst...

Page 387: ...6 N A 0 0 0 0 0 0 00 00 7 N A 0 0 0 0 0 0 00 00 My WAN IP from ISP 0 0 0 0 Ethernet WAN Status Tx Pkts 528 Line Status Down Collisions 0 Rx Pkts 505 Upstream Speed 0 kbps CPU Load 2 12 Downstream Spee...

Page 388: ...2 to display the screen shown next Rx Pkts This is the number of received packets from the LAN Collision This is the number of collisions WAN This shows statistics for the WAN Line Status This shows t...

Page 389: ...Mask 255 255 255 0 DHCP Server Press ESC or RETURN to Exit Table 137 Menu 24 2 1 System Maintenance Information FIELD DESCRIPTION Name Displays the system name of your Prestige This information can b...

Page 390: ...mething goes wrong is the error log Follow the procedures to view the local error trace log 1 Type 24 in the main menu to display Menu 24 System Maintenance 2 From menu 24 type 3 to display Menu 24 3...

Page 391: ...task pause 1 day 57 Sat Jan 01 00 00 03 2000 PP21 INFO monitoring WAN connectivity 58 Sat Jan 01 00 03 06 2000 PP19 INFO SMT Password pass 59 Sat Jan 01 00 03 06 2000 PP01 INFO SMT Session Begin 60 Sa...

Page 392: ...02 OutCall Connected 64000 40002 Jul 19 11 20 06 192 168 102 2 ZYXEL board 0 line 0 channel 0 call 1 C02 Call Terminated 2 Packet Triggered SdcmdSyslogSend SYSLOG_PKTTRI SYSLOG_NOTICE String String Pa...

Page 393: ...55 192 168 102 2 ZYXEL IP Src 202 132 154 123 Dst 255 255 255 255 UDP spo 0208 dpo 0208 S03 R01mF Jul 19 14 44 00 192 168 102 2 ZYXEL IP Src 192 168 102 20 Dst 202 132 154 1 UDP spo 05d4 dpo 0035 S03...

Page 394: ...ance Menu Diagnostic FIELD DESCRIPTION Reset xDSL Re initialize the xDSL link to the telephone company Ping Host Ping the host to see if the links and TCP IP protocol on both systems are working Reboo...

Page 395: ...Prestige 662HW Series User s Guide 395 Chapter 39 System Information and Diagnosis...

Page 396: ...name of your choosing ZyNOS ZyXEL Network Operating System sometimes referred to as the ras file is the system firmware and has a bin filename extension With many FTP and TFTP clients the filenames ar...

Page 397: ...ommended once your Prestige is functioning properly FTP is the preferred methods for backing up your current configuration to your computer since they are faster Any serial communications program shou...

Page 398: ...enames it config rom See earlier in this chapter for more information on filename conventions 7 Enter quit to exit the ftp prompt 40 2 3 Example of FTP Commands from the Command Line Menu 24 5 System...

Page 399: ...le session running 331 Enter PASS command Password 230 Logged in ftp bin 200 Type I OK ftp get rom 0 zyxel rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp 1...

Page 400: ...le transfer is complete 4 Launch the TFTP client on your computer and connect to the Prestige Set the transfer mode to binary before starting data transfer 5 Use the TFTP client see the example below...

Page 401: ...en 3 Run the HyperTerminal program by clicking Transfer then Receive File as shown in the following screen Table 142 General Commands for GUI based TFTP Clients COMMAND DESCRIPTION Host Enter the IP a...

Page 402: ...to restore unless you have a backup configuration file stored on disk FTP is the preferred method for restoring your current computer configuration to your Prestige since FTP is faster Please note th...

Page 403: ...nd FTP over WAN Management Limitations section to read about configurations that disallow TFTP and FTP over WAN Menu 24 6 System Maintenance Restore Configuration To transfer the firmware and configur...

Page 404: ...ted Figure 248 System Maintenance Starting Xmodem Download Screen 3 Run the HyperTerminal program by clicking Transfer then Send File as shown in the following screen Figure 249 Restore Configuration...

Page 405: ...d System Firmware 40 4 2 Configuration File Upload You see the following screen when you telnet into menu 24 7 2 Save to ROM Hit any key to start system reboot Note Do not interrupt the file transfer...

Page 406: ...fers the configuration file on the Prestige to your computer and renames it config rom See earlier in this chapter for more information on filename conventions 7 Enter quit to exit the ftp prompt The...

Page 407: ...s address 2 Put the SMT in command interpreter CI mode by entering 8 in Menu 24 System Maintenance 3 Enter the command sys stdio 0 to disable the console timeout so the TFTP transfer will not be inter...

Page 408: ...ended since FTP or TFTP is faster Any serial communications program should work fine however you must use the Xmodem protocol to perform the download upload 40 4 8 Uploading Firmware File Via Console...

Page 409: ...l on your computer Follow the procedure as shown previously for the HyperTerminal program The procedure for other serial communications programs should be similar Menu 24 7 2 System Maintenance Upload...

Page 410: ...410 3 Enter atgo to restart the Prestige 40 4 11 Example Xmodem Configuration Upload Using HyperTerminal Click Transfer then Send File to display the following screen Figure 257 Example Xmodem Upload...

Page 411: ...Prestige 662HW Series User s Guide 411 Chapter 40 Firmware and Configuration File Maintenance...

Page 412: ...rmation on CI commands Enter 8 from Menu 24 System Maintenance A list of valid commands can be found by typing help or at the command prompt Type exit to return to the SMT main menu when finished Figu...

Page 413: ...ceeds the limit the current call will be dropped and any future outgoing calls will be blocked To access the call control menu select option 9 in menu 24 to go to Menu 24 9 System Maintenance Call Con...

Page 414: ...or get the current time and date from an external server when you turn on your Prestige Menu 24 10 allows you to update the time and date settings of your Prestige The real time is then displayed in...

Page 415: ...9 Current Date 2000 01 01 New Date yyyy mm dd 2000 01 01 Time Zone GMT Daylight Saving No Start Date mm dd 01 00 End Date mm dd 01 00 Press ENTER to Confirm or ESC to Cancel Table 144 Menu 24 10 Syste...

Page 416: ...nly when you re enter this menu New Date Enter the new date in year month and day format Time Zone Press SPACE BAR and then ENTER to set the time difference between your time zone and Greenwich Mean T...

Page 417: ...Prestige 662HW Series User s Guide 417 Chapter 41 System Maintenance...

Page 418: ...configuring firewall rules 42 2 Remote Management To disable remote management of a service select Disable in the corresponding Server Access field Enter 11 from menu 24 to display Menu 24 11 Remote...

Page 419: ...s LAN only Secured Client IP 0 0 0 0 FTP Server Server Port 21 Server Access LAN only Secured Client IP 0 0 0 0 Web Server Server Port 80 Server Access LAN only Secured Client IP 0 0 0 0 Press ENTER t...

Page 420: ...dress when configuring from the LAN 42 4 System Timeout There is a default system management idle timeout of five minutes three hundred seconds The Prestige automatically logs you out if the managemen...

Page 421: ...Prestige 662HW Series User s Guide 421 Chapter 42 Remote Management...

Page 422: ...ecedence or TOS Type of Service values in the IP header at the periphery of the network to enable the backbone to prioritize traffic Cost Savings IPPR allows organizations to distribute interactive tr...

Page 423: ...e main menu to open Menu 25 IP Routing Policy Setup 2 Type the index of the policy set you want to configure to open Menu 25 1 IP Routing Policy Setup Menu 25 1 shows the summary of a policy set inclu...

Page 424: ...__________________________________________________________ __________________________________________________________________________ 5 N ______________________________________________________________...

Page 425: ...ies are displayed with a minus sign in SMT menu 25 Criteria IP Protocol IP layer 4 protocol for example UDP TCP ICMP etc Type of Service Prioritize incoming network traffic by choosing from Don t Care...

Page 426: ...he LAN otherwise the gateway must be the IP address of a remote node The default gateway is specified as 0 0 0 0 Type of Service Set the new TOS value of the outgoing packet Prioritize incoming networ...

Page 427: ...e default IP route and route 2 represents the configured IP route Menu 3 2 TCP IP and DHCP Setup DHCP Setup DHCP Server Client IP Pool Starting Address 192 168 1 33 Size of Client IP Pool 32 Primary D...

Page 428: ...shown next Figure 271 IP Routing Policy Example 1 Check Menu 25 1 IP Routing Policy Setup to see if the rule is added correctly 2 Create another policy set in menu 25 Menu 25 1 1 IP Routing Policy Po...

Page 429: ...l 6 Type of Service Don t Care Precedence Don t Care Source addr start 0 0 0 0 port start 0 Destination addr start 0 0 0 0 port start 20 Action Matched Gateway addr 192 168 1 100 Type of Service No Ch...

Page 430: ...take precedence over higher numbered sets thereby avoiding scheduling conflicts For example if sets 1 2 3 and 4 in are applied in the remote node then set 1 will take precedence over set 2 3 and 4 as...

Page 431: ...Yes or No Choose Yes and press ENTER to activate the schedule set Start Date Enter the start date when you wish the set to take effect in year month date format Valid dates are from the present to 20...

Page 432: ...means that the connection is blocked whether or not there is a demand call on the line Enable Dial On Demand means that this schedule permits a demand call on the line Disable Dial On Demand means tha...

Page 433: ...Prestige 662HW Series User s Guide 433 Chapter 44 Call Scheduling...

Page 434: ...has these main submenus Define VPN policies in menu 27 1 submenus including security policies endpoint IP addresses peer IPSec router IP address and key management Menu 27 2 SA Monitor allows you to m...

Page 435: ...Name A Local Addr Start Addr End Mask Encap IPSec Algorithm Key Mgt Remote Addr Start Addr End Mask Secure GW Addr 001 Taiwan Y 192 168 1 35 192 168 1 38 Tunnel ESP AES MD5 IKE 172 16 2 40 172 16 2 4...

Page 436: ...strong integrity and authentication by adding authentication information to IP packets This authentication information is calculated using header and payload data in the IP packet This provides an add...

Page 437: ...hoose the Edit Delete or Go To commands Select None and then press ENTER to go to the Press ENTER to Confirm prompt Use Edit to create or edit a rule Use Delete to remove a rule To edit or delete a ru...

Page 438: ...ment Setup No Press ENTER to Confirm or ESC to Cancel Table 150 Menu 27 1 1 IPSec Setup FIELD DESCRIPTION Index This is the VPN rule index number you selected in the previous menu Name Enter a unique...

Page 439: ...estige The Prestige uses its current WAN IP address static or dynamic in setting up the VPN tunnel if you leave this field as 0 0 0 0 The VPN tunnel has to be rebuilt if this IP address changes Peer I...

Page 440: ...estige End Subnet Mask When the Addr Type field is configured to Single this field is N A When the Addr Type field is configured to Range enter the end static IP address in a range of computers on the...

Page 441: ...nd the remote IPSec router cannot create a VPN tunnel when attempting to connect using a port number that does not match this port number or range of port numbers Some of the most common IP ports are...

Page 442: ...pre shared key You will receive a PYLD_MALFORMED payload malformed packet if the same pre shared key is not used on both ends Encryption Algorithm The Prestige and the remote IPSec router generate an...

Page 443: ...ress SPACE BAR to choose from NULL DES 3DES or AES and then press ENTER Select NULL to set up a tunnel without encryption Authentication Algorithm Press SPACE BAR to choose from SHA1 or MD5 and then p...

Page 444: ...n you choose DES and fill in fields Key1 to Key3 when you choose 3DES Select NULL to set up a tunnel without encryption When you select NULL you do not enter any encryption keys Key1 Enter a unique ei...

Page 445: ...able The key must be unique Enter 16 characters for MD5 authentication and 20 characters for SHA 1 authentication Any character may be used including spaces but trailing spaces are truncated When you...

Page 446: ...se the Refresh function to display active VPN connections Use the Disconnect function to cut off active connections Type 2 in Menu 27 VPN IPSec Setup and then press ENTER to go to Menu 27 2 SA Monitor...

Page 447: ...by the remote IP address as configured in Menu 27 1 1 IPSec Setup Individual connections using the same VPN rule may be terminated without affecting other connections using the same rule Encap This f...

Page 448: ...ve VPN connections None allows you to jump to the Press ENTER to Confirm prompt Select Next Page or Previous Page to view the next or previous page of rules respectively Select Connection Type the VPN...

Page 449: ...Prestige 662HW Series User s Guide 449 Chapter 46 SA Monitor...

Page 450: ...rnal SPTGEN text files conform to the following format field identification number field name parameter values allowed input where input is your input conforming to parameter values allowed The figure...

Page 451: ...Figure 285 Invalid Parameter Entered Command Line Example The Prestige will display the following if you enter parameter s that are valid Figure 286 Valid Parameter Entered Command Line Example 47 3...

Page 452: ...SPTGEN FTP Upload Example c ftp 192 168 1 1 220 PPP FTP version 1 0 ready at Sat Jan 1 03 22 12 2000 User 192 168 1 1 none 331 Enter PASS command Password 230 Logged in ftp bin 200 Type I OK ftp get r...

Page 453: ...Prestige 662HW Series User s Guide 453 Chapter 47 Internal SPTGEN...

Page 454: ...e that the Prestige s power adaptor is connected to the Prestige and plugged in to an appropriate power source Check that the Prestige and the power source are both turned on Turn the Prestige off and...

Page 455: ...ont panel are both off refer to the Problems with the LAN LED section Make sure that the IP address and the subnet mask of the Prestige and your computer s are on the same subnet I cannot ping any com...

Page 456: ...using the same ESSID channel WEP keys if WEP encryption is activated and authentication method Internet connection disconnects Check the schedule rules Refer to the Call Scheduling chapter SMT If you...

Page 457: ...agement and firewall for details Your computer s and the Prestige s IP addresses must be on the same subnet for LAN access If you changed the Prestige s LAN IP address then enter the new one as the UR...

Page 458: ...flow control only use pins 2 3 and 5 Table 164 Console Dial Backup Port Pin Assignments CONSOLE PORT RS 232 FEMALE DB 9F DIAL BACKUP RS 232 MALE DB 9M Pin 1 NON Pin 2 DCE TXD Pin 3 DCE RXD Pin 4 DCE...

Page 459: ...Prestige 662HW Series User s Guide 459 Appendix A Pin Assignments Figure 290 Ethernet Cable Pin Assignments...

Page 460: ...s 3 1 requires the purchase of a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the ap...

Page 461: ...for Microsoft Networks If you need the adapter 1 In the Network window click Add 2 Select Adapter and then click Add 3 Select the manufacturer and model of your network adapter and then click OK If y...

Page 462: ...rk adapter s TCP IP entry and click Properties 2 Click the IP Address tab If your IP address is dynamic select Obtain an IP address automatically If you have a static IP address select Specify an IP a...

Page 463: ...ck OK to save and close the TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your Prestige and restart your computer when prompted Verifying...

Page 464: ...r Computer s IP Address 464 Figure 294 Windows XP Start Menu 2 For Windows XP click Network Connections For Windows 2000 NT click Network and Dial up Connections Figure 295 Windows XP Control Panel 3...

Page 465: ...ork Connections Properties 4 Select Internet Protocol TCP IP under the General tab in Win XP and click Properties Figure 297 Windows XP Local Area Connection Properties 5 The Internet Protocol TCP IP...

Page 466: ...re additional IP addresses In the IP Settings tab in IP addresses click Add In TCP IP Address type an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two...

Page 467: ...fields If you have previously configured DNS servers click Advanced and then the DNS tab to order them Figure 299 Windows XP Internet Protocol TCP IP Properties 8 Click OK to close the Internet Proto...

Page 468: ...Setting up Your Computer s IP Address 468 Macintosh OS 8 9 1 Click the Apple menu Control Panel and double click TCP IP to open the TCP IP Control Panel Figure 300 Macintosh OS 8 9 Apple Menu 2 Selec...

Page 469: ...Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your Prestige in the Router address box 5 Close the TCP IP Control Panel 6 Click Save if...

Page 470: ...t in Ethernet from the Show list Click the TCP IP tab 3 For dynamically assigned settings select Using DHCP from the Configure list Figure 303 Macintosh OS X Network 4 For statically assigned settings...

Page 471: ...Guide 471 Appendix B Setting up Your Computer s IP Address 5 Click Apply Now and close the window 6 Turn on your Prestige and restart your computer if prompted Verifying Settings Check your TCP IP pro...

Page 472: ...address the first two octets make up the network number and the two remaining octets make up the host ID Class C addresses begin starting from the left with 1 1 0 In a class C address the first three...

Page 473: ...the host ID Subnet masks are expressed in dotted decimal notation just as IP addresses are The natural masks for class A B and C IP addresses are as follows Subnetting With subnetting the class arran...

Page 474: ...mask Normally if no mask is specified it is understood that the natural mask is being used Example Two Subnets As an example you have a class C address 192 168 1 0 with subnet mask of 255 255 255 0 Th...

Page 475: ...192 168 1 1 and the highest is 192 168 1 126 Similarly the host ID range for the second subnet is 192 168 1 129 to 192 168 1 254 Note In the following charts shaded bold last octet bit values indicate...

Page 476: ...68 1 0 IP Address Binary 11000000 10101000 00000001 00000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 0 Lowest Host ID 192 168 1 1 Broadcast Address 192 168 1 63...

Page 477: ...1111 11111111 11111111 11000000 Subnet Address 192 168 1 192 Lowest Host ID 192 168 1 193 Broadcast Address 192 168 1 255 Highest Host ID 192 168 1 254 Table 176 Eight Subnets SUBNET SUBNET ADDRESS FI...

Page 478: ...ubnetting The following table is a summary for class B subnet planning Table 178 Class B Subnet Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 1 255 255 128 0 17 2 32766 2 2...

Page 479: ...Prestige 662HW Series User s Guide 479 Appendix C IP Subnetting...

Page 480: ...a manner similar to dial up services using PPP Benefits of PPPoE PPPoE offers the following benefits It provides you with a familiar dial up networking DUN user interface It lessens the burden on the...

Page 481: ...ccess Concentrator and tunnels the PPP frames to the ISP The L2TP tunnel is capable of carrying multiple PPP sessions With PPPoE the VC Virtual Circuit is equivalent to the dial up connection and is b...

Page 482: ...nference room users access to the network as they move from meeting to meeting getting up to date access to information and the ability to communicate decisions while on the go It provides campus wide...

Page 483: ...unication in an Ad hoc Network Infrastructure Wireless LAN Configuration For Infrastructure WLANs multiple Access Points APs link the WLAN to the wired network and allow users to efficiently share net...

Page 484: ...Prestige 662HW Series User s Guide Appendix E Wireless LAN and IEEE 802 11 484 Figure 307 ESS Provides Campus Wide Coverage...

Page 485: ...Prestige 662HW Series User s Guide 485 Appendix E Wireless LAN and IEEE 802 11...

Page 486: ...802 11b standard does not provide any central user account management User access control is done through manual modification of the MAC address table on the access point Although WEP data encryption...

Page 487: ...less LAN With IEEE 802 1x RADIUS Server Authentication Sequence The following figure depicts a typical wireless network with a remote RADIUS server for user authentication using EAPOL EAP Over LAN Fig...

Page 488: ...authentication method does not support data encryption with dynamic session key You must configure WEP encryption keys for data encryption EAP TLS Transport Layer Security With EAP TLS digital certif...

Page 489: ...ison of EAP Authentication Types EAP MD5 EAP TLS EAP TTLS PEAP LEAP Mutual Authentication No Yes Yes Yes Yes Certificate Client No Yes Optional Optional No Certificate Server No Yes Yes Yes No Dynamic...

Page 490: ...ets between two Ethernet devices Some companies have more than one alternate route to one or more ISPs If the LAN and ISP s are in the same subnet the triangle route problem may occur The steps below...

Page 491: ...must pass through the Prestige to your LAN The following steps describe such a scenario 1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN 2 The Pr...

Page 492: ...Prestige 662HW Series User s Guide Appendix H Triangle Route 492...

Page 493: ...Prestige 662HW Series User s Guide 493 Appendix H Triangle Route...

Page 494: ...tivate device specific feature s myZyXEL com Account Login 1 Go to myZeXEL com using your web browser 2 Create a new account if you don t have one already with a user name and password by filling in a...

Page 495: ...ave created a myZyXEL com account log in and register your ZyXEL device by clicking the hyperlink as shown in the next screen Note You are automatically logged out of your myZyXEL com account after fi...

Page 496: ...al number in the Serial Number field 4 Your device category and model number automicatically display in the Category and Model fields respectively Otherwise select the correct ones from the drop down...

Page 497: ...w Product 8 Specify the purchase information and click Continue Figure 317 Product Survey 9 Click Continue again 10After you have registered your ZyXEL device you can view its registration details in...

Page 498: ...n see Figure 318 for your registered ZyXEL device click My Product and the link for your ZyXEL device 2 Click Activate for the corresponding service to display the next screen Figure 319 Service Activ...

Page 499: ...endix I myZyXEL com Congratulations You have successfully registered your ZyXEL device and activated a service at myZyXEL com Note You must then activate the service s on your ZyXEL device via its web...

Page 500: ...systems only For Windows 98 Me you must open the WinPopup window in order to view real time alert messages Click Start Run and enter winpopup in the field provided and click OK The WinPopup window di...

Page 501: ...Packet Scan Message Display Figure 322 Windows 98 Task Bar Properties 3 Double click Programs and click StartUp Figure 323 Windows 98 StartUp 4 Right click in the StartUp pane and click New Shortcut...

Page 502: ...acket Scan Message Display 502 Figure 324 Windows 98 Startup Create Shortcut 6 Accept the default or specify a name for the shortcut and click Finish Figure 325 Windows 98 Startup Select a Title for t...

Page 503: ...s User s Guide 503 Appendix J Windows 98 Me Requirements for Anti Virus Packet Scan Message Display Figure 326 Windows 98 Startup Shortcut Note The WinPopup window displays after the computer finishes...

Page 504: ...An example of what you may enter Applies to the Prestige Table 182 Menu 1 General Setup SMT Menu 1 Menu 1 General Setup SMT Menu 1 FIN FN PVA INPUT 10000000 Configured 0 No 1 Yes 0 10000001 System Nam...

Page 505: ...1 Server 2 Relay 0 30200002 Client IP Pool Starting Address 192 168 1 33 30200003 Size of Client IP Pool 32 30200004 Primary DNS Server 0 0 0 0 30200005 Secondary DNS Server 0 0 0 0 30200006 Remote D...

Page 506: ...30201012 IP Alias 1 Outgoing protocol filters Set 3 256 30201013 IP Alias 1 Outgoing protocol filters Set 4 256 30201014 IP Alias 2 0 No 1 Yes 0 30201015 IP Address 0 0 0 0 30201016 IP Subnet Mask 0 3...

Page 507: ...2432 30500005 FRAG Threshold 256 2432 2432 30500006 WEP 0 DISABLE 1 64 bit WEP 2 128 bit WEP 0 30500007 Default Key 1 2 3 4 0 30500008 WEP Key1 30500009 WEP Key2 30500010 WEP Key3 30500011 WEP Key4 ME...

Page 508: ...st pqa 40000010 My Password Str 1234 40000011 Single User Account 0 No 1 Yes 1 40000012 IP Address Assignment 0 Static 1 D ynamic 1 40000013 IP Address 0 0 0 0 40000014 Remote IP address 0 0 0 0 40000...

Page 509: ...Yes 0 120101003 IP Static Route set 1 Destination IP address 0 0 0 0 120101004 IP Static Route set 1 Destination IP subnetmask 0 120101005 IP Static Route set 1 Gateway 0 0 0 0 120101006 IP Static Ro...

Page 510: ...P Static Route set 4 Private 0 No 1 Yes 0 Menu 12 1 5 IP Static Route Setup SMT Menu 12 1 5 FIN FN PVA INPUT 120105001 IP Static Route set 5 Name Str 120105002 IP Static Route set 5 Active 0 No 1 Yes...

Page 511: ...oute set 8 Gateway 0 0 0 0 120108006 IP Static Route set 8 Metric 0 120108007 IP Static Route set 8 Private 0 No 1 Yes 0 Menu 12 1 9 IP Static Route Setup SMT Menu 12 1 9 FIN FN PVA INPUT 120109001 IP...

Page 512: ...Route set 12 Destination IP address 0 0 0 0 120112004 IP Static Route set 12 Destination IP subnetmask 0 120112005 IP Static Route set 12 Gateway 0 0 0 0 120112006 IP Static Route set 12 Metric 0 120...

Page 513: ...tic Route set 15 Private 0 No 1 Yes 0 Menu 12 1 16 IP Static Route Setup SMT Menu 12 1 16 FIN FN PVA INPUT 120116001 IP Static Route set 16 Name Str 120116002 IP Static Route set 16 Active 0 No 1 Yes...

Page 514: ...Local IP address 0 0 0 0 150000022 SUA Server 6 Active 0 No 1 Yes 0 0 150000023 SUA Server 6 Protocol 0 All 6 TCP 17 U DP 0 150000024 SUA Server 6 Port Start 0 150000025 SUA Server 6 Port End 0 150000...

Page 515: ...t Start 0 150000055 SUA Server 12 Port End 0 150000056 SUA Server 12 Local IP address 0 0 0 0 Menu 21 Filter set 1 SMT Menu 21 FIN FN PVA INPUT 210100001 Filter Set 1 Name Str Table 186 Menu 15 SUA Se...

Page 516: ...IP Filter Set 1 Rule 2 Dest Port Comp 0 none 1 equal 2 not equal 3 less 4 greater 1 210102008 IP Filter Set 1 Rule 2 Src IP address 0 0 0 0 210102009 IP Filter Set 1 Rule 2 Src Subnet Mask 0 210102010...

Page 517: ...ilter Set 1 Rule 4 Active 0 No 1 Yes 1 210104003 IP Filter Set 1 Rule 4 Protocol 17 210104004 IP Filter Set 1 Rule 4 Dest IP address 0 0 0 0 210104005 IP Filter Set 1 Rule 4 Dest Subnet Mask 0 2101040...

Page 518: ...Set 1 Rule 5 Act Match 1 check next 2 forward 3 drop 3 210105014 IP Filter Set 1 Rule 5 Act Not Match 1 Check Next 2 Forward 3 Dro p 1 Menu 21 1 1 6 set 1 rule 6 SMT Menu 21 1 1 6 FIN FN PVA INPUT 210...

Page 519: ...ule 1 Active 0 No 1 Yes 1 210201003 IP Filter Set 2 Rule 1 Protocol 6 210201004 IP Filter Set 2 Rule 1 Dest IP address 0 0 0 0 210201005 IP Filter Set 2 Rule 1 Dest Subnet Mask 0 210201006 IP Filter S...

Page 520: ...p 0 none 1 equal 2 not equal 3 less 4 gr eater 0 210202013 IP Filter Set 2 Rule 2 Act Match 1 check next 2 forward 3 drop 3 210202014 IP Filter Set 2 Rule 2 Act Not Match 1 check next 2 forward 3 drop...

Page 521: ...4 Dest Subnet Mask 0 210204006 IP Filter Set 2 Rule 4 Dest Port 137 210204007 IP Filter Set 2 Rule 4 Dest Port Comp 0 none 1 equal 2 not equal 3 less 4 gr eater 1 210204008 IP Filter Set 2 Rule 4 Src...

Page 522: ...210205014 IP Filter Set 2 Rule 5 Act Not Match 1 check next 2 forward 3 drop 1 Menu 21 1 2 6 Filter set 2 rule 6 SMT Menu 21 1 2 5 FIN FN PVA INPUT 210206001 IP Filter Set 2 Rule 6 Type 0 none 2 TCP I...

Page 523: ...hared Secret 111111111111 111 111111111111 1111 230200006 Accounting Server Configured 0 No 1 Yes 1 230200007 Accounting Server Active 0 No 1 Yes 1 230200008 Accounting Server IP Address 192 168 1 44...

Page 524: ...ed IP address 0 0 0 0 241100007 WEB Server Port 80 241100008 WEB Server Access 0 all 1 none 2 L an 3 Wan 0 241100009 WEB Server Secured IP address 0 0 0 0 Table 188 Menu 21 1 Filer Set 2 SMT Menu 21 1...

Page 525: ...Prestige 662HW Series User s Guide 525 Appendix K Example Internal SPTGEN Screens...

Page 526: ...the command keywords exactly as shown do not abbreviate The required fields in a command are enclosed in angle brackets The optional fields in a command are enclosed in square brackets The symbol mea...

Page 527: ...Prestige 662HW Series User s Guide 527 Appendix L Command Interpreter...

Page 528: ...es disables the firewall cnt disp Displays the firewall log type and count clear Clears the firewall log count pktdump Dumps the last 64 bytes of packets that the firewall has dropped dynamicrule disp...

Page 529: ...Prestige 662HW Series User s Guide 529 Appendix M Firewall Commands...

Page 530: ...g of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN Allow or disallow the sending of NetBIOS packets from the LAN to the DMZ and from the DMZ to the LAN Allow or disallow the send...

Page 531: ...Trigger dial This field displays whether NetBIOS packets are allowed to initiate calls Disabled means that NetBIOS packets are blocked from initiating calls Disabled type Identify which NetBIOS filter...

Page 532: ...ies User s Guide Appendix N NetBIOS Filter Commands 532 sys filter netbios config 3 on This command blocks IPSec NetBIOS packets sys filter netbios config 4 off This command stops NetBIOS commands fro...

Page 533: ...Prestige 662HW Series User s Guide 533 Appendix N NetBIOS Filter Commands...

Page 534: ...ion to block all access attempts for five minutes after the third time an incorrect password is entered Table 192 Brute Force Password Guessing Protection Commands COMMAND DESCRIPTION sys pwderrtm Thi...

Page 535: ...Prestige 662HW Series User s Guide 535 Appendix O Brute Force Password Guessing Protection...

Page 536: ...e Prestige boot module commands as shown in the next screen ATBAx allows you to change the console port speed The x denotes the number preceding the colon to give the console port speed following the...

Page 537: ...ATDUx y dump memory contents from address x for length y ATRBx display the 8 bit value of address x ATRWx display the 16 bit value of address x ATRLx display the 32 bit value of address x ATGO x run...

Page 538: ...Successful TELNET login Someone has logged on to the router via telnet TELNET login failed Someone has failed to log on to the router via telnet Successful FTP login Someone has logged on to the route...

Page 539: ...etBIOS filter settings WAN connection is down A WAN connection is down You cannot access the network through this interface Table 195 Access Control Logs LOG MESSAGE DESCRIPTION Firewall default polic...

Page 540: ...eset packet when the number of incomplete connections TCP and UDP exceeded the user configured threshold Incomplete count is for all TCP and UDP connections through the firewall Note When the number o...

Page 541: ...le board 0 line 0 channel 0 call 3 C01 Outgoing Call dev 6 ch 0 Means the router has dialed to the PPPoE server 3 times board d line d channel d call d s C02 OutCall Connected d s The PPPoE PPTP or di...

Page 542: ...filter server responded that the web site is in the blocked category list and returned the category type s cache hit The system detected that the web site is in the blocked list from the local cache b...

Page 543: ...nd code details see Table 208 syn flood TCP The firewall detected a TCP syn flood attack ports scan TCP The firewall detected a TCP port scan attack teardrop TCP The firewall detected a TCP teardrop a...

Page 544: ...on failed during IKE phase 2 because the router and the peer s Local Remote Addresses don t match Verifying Local ID failed The connection failed during IKE phase 2 because the router and the peer s L...

Page 545: ...router s Remote Address This information conflicted with static rule d thus the connection is not allowed Phase 1 ID type mismatch This router s Peer ID Type is different from the peer IPSec router s...

Page 546: ...en the router and the peer Rule d Phase 2 encapsulation mismatch The listed rule s IKE phase 2 encapsulation did not match between the router and the peer Rule d Phase 2 pfs mismatch The listed rule s...

Page 547: ...was not authenticated User logout because of session timeout expired The router logged out a user whose session expired User logout because of user deassociation The router logged out a user who ended...

Page 548: ...WAN Prestige ACL set for packets traveling from the WAN to the WAN or the Prestige D to D Prestige DMZ to DMZ Prestige ACL set for packets traveling from the DMZ to the DM or the Prestige Table 208 I...

Page 549: ...srcPort dst dstIP dstPort msg msg note note devID mac address last three numbers cat category This message is sent by the system RAS displays as the system name if you haven t configured one when the...

Page 550: ...ories Example 3 Use sys logs category followed by a log category to display the parameters that are available for the category Figure 330 Displaying Log Parameters Example 4 Use sys logs category foll...

Page 551: ...og category Use the sys logs clear command to erase all of the Prestige s logs Log Command Example This example shows how to set the Prestige to record the access logs and alerts and then view the res...

Page 552: ...ions 333 Attack Alert 176 178 Attack Types 149 Authentication 328 329 Authentication Code 494 Authentication databases 104 authentication databases 384 Authentication Header 218 Authentication protoco...

Page 553: ...on 185 Administrator Login 202 Application 184 configuration steps 184 Content Filtering Service 186 create user groups 185 Customize services 188 Diagnose 197 diagnose sequence 198 Idle Timeout 185 l...

Page 554: ...ost Configuration Protocol 49 Dynamic Secure Gateway Address 220 Dynamic WEP key exchange 104 dynamic WEP key exchange 383 DYNDNS Wildcard 140 E EAP 92 97 98 EAP Authentication 488 MD5 488 TLS 488 TTL...

Page 555: ...d error 294 Fragment Threshold 317 Fragmentation Threshold 92 Fragmentation threshold 92 Frame Relay 51 Frequency Hopping Spread Spectrum 482 FTP 132 246 419 Restrictions 419 FTP File Transfer 405 FTP...

Page 556: ...422 IP Policy Routing IPPR 49 320 Applying an IP Policy 426 Ethernet IP Policies 426 Gateway 426 IP Pool Setup 69 IP Ports 440 441 IP Protocol 425 IP protocol 422 IP protocol type 173 IP Routing Polic...

Page 557: ...duct Registration 496 service activation 498 myZyXEL com Account 494 N Nailed Up Connection 64 NAT 63 132 133 371 Address mapping rule 137 Application 130 Applying NAT in the SMT Menus 344 Configuring...

Page 558: ...189 PSK 383 PVC Permanent Virtual Circuit 60 Q Quality of Service 422 Quick Start Guide 40 R Radio frequency 94 RADIUS 92 97 Configuring 109 Shared Secret Key 98 RADIUS Message Types 97 RADIUS Message...

Page 559: ...re 204 Signature based 204 Signature based virus scan 204 Single User Account SUA 51 SMT Menu Overview 297 SMTP 132 SMTP Error Messages 267 Smurf 148 149 SNMP 132 133 Community 378 Configuration 377 G...

Page 560: ...p 307 Traffic redirect 117 traffic redirect 47 Traffic shaping 113 Transmission Rates 45 Transport Layer Security 488 Transport Mode 215 Triangle 490 Triangle Route Solutions 491 Triple DES 3DES 442 T...

Page 561: ...less LAN 316 482 Benefits 482 Configuring 93 Wireless LAN MAC Address Filtering 47 Wireless LAN Setup 316 Wireless port control 103 383 Wireless security 92 Wizard Setup 73 WLAN 482 Interference 90 Se...

Reviews:

No comments

Related manuals for P-662HW-63

Brand: Eaton Pages: 2

Brand: Vega Pages: 39

Brand: Iget Pages: 8

SBO500 SBO Series

Brand: Synway Pages: 72

Brand: Iget Pages: 12

Brand: NKE Pages: 14

Brand: Cisco Pages: 12

Brand: Cisco Pages: 59

Brand: Cisco Pages: 56

Brand: Cisco Pages: 12

Brand: Cisco Pages: 88

Brand: Cisco Pages: 16

Brand: Cisco Pages: 41

Brand: Cisco Pages: 18

Brand: Cisco Pages: 14

Brand: Cisco Pages: 80

Brand: Cisco Pages: 36

Brand: Cisco Pages: 6

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands