Prestige 794M

SHDSL 4-Port Internet Security Gateway

User’s Guide

Version 1.00

10/2005

Edition 1

Summary of Contents for P-794M

Page 1: ...Prestige 794M SHDSL 4 Port Internet Security Gateway User s Guide Version 1 00 10 2005 Edition 1...

Page 2: ...yXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it co...

Page 3: ...accordance with the instructions may cause harmful interference to radio communications If this equipment does cause harmful interference to radio television reception which can be determined by turn...

Page 4: ...em or stumble over them Do NOT allow anything to rest on the power cord and do NOT locate the product where anyone can walk on the power cord If you wall mount your device make sure that no electrical...

Page 5: ...he purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose ZyXEL shall in no event be...

Page 6: ...ark sales zyxel dk 45 39 55 07 07 FINLAND support zyxel fi 358 9 4780 8411 www zyxel fi ZyXEL Communications Oy Malminkaari 10 00700 Helsinki Finland sales zyxel fi 358 9 4780 8448 FRANCE info zyxel f...

Page 7: ...ort zyxel se 46 31 744 7700 www zyxel se ZyXEL Communications A S Sj porten 4 41764 G teborg Sweden sales zyxel se 46 31 744 7701 UKRAINE support ua zyxel com 380 44 247 69 78 www ua zyxel com ZyXEL U...

Page 8: ...estige 20 1 2 Features 20 1 3 Applications 22 1 3 1 Internet Access 22 1 3 2 Firewall for Secure Broadband Internet Access 23 1 3 3 VPN Application 23 1 3 4 LAN to LAN Application 23 1 4 Hardware Conn...

Page 9: ...Defaults 38 3 2 2 IP Address and Subnet Mask 38 3 2 3 RIP 39 3 3 The Ethernet Screen 39 3 4 Ethernet Client Filter 40 3 4 1 Ethernet Client Filter Candidates 41 3 5 Port Setting 42 3 6 DHCP 43 3 6 1 I...

Page 10: ...n level Firewalls 64 6 2 3 Stateful Inspection Firewalls 65 6 3 General Settings 66 6 4 Packet Filter 67 6 4 1 Add a New TCP UDP Packet Filter 69 6 4 2 Add a New Raw Packet Filter 70 6 5 Intrusion Det...

Page 11: ...ce 96 8 1 Overview 96 8 1 1 Prioritization 96 8 2 IP Throttling 98 8 3 QoS Example 100 8 3 1 Example Prioritization with QoS 100 8 3 2 Rate Limiting with IP Throttling Example 101 8 4 Time Schedule 10...

Page 12: ...Prestige 794M User s Guide Table of Contents 12 12 1 2 SNMP 110 12 1 2 1 SNMPv3 111 12 1 2 2 SNMP Traps and MIBs 112 12 2 The Device Management Screen 112 12 3 IGMP 115 Index 116...

Page 13: ...Prestige 794M User s Guide 13 Table of Contents...

Page 14: ...Figure 17 Status NAT Session 35 Figure 18 Quick Start 36 Figure 19 Quick Start Auto Scan 37 Figure 20 LAN Ethernet 40 Figure 21 LAN Ethernet Client Filter 41 Figure 22 LAN Ethernet Client Filter Activ...

Page 15: ...Figure 57 VPN PPTP LAN to LAN Connection 81 Figure 58 IPSec Summary 84 Figure 59 IPSec Create 85 Figure 60 VPN L2TP 87 Figure 61 VPN L2TP Create 88 Figure 62 L2TP Remote Access Connection 88 Figure 6...

Page 16: ...8 LAN DHCP Server DHCP 45 Table 19 LAN DHCP Server DHCP Fixed Host 46 Table 20 LAN DHCP Server DHCP Relay Agent 47 Table 21 WAN ISP 49 Table 22 WAN ISP Edit PPPoE 50 Table 23 WAN Edit Advanced PPP Opt...

Page 17: ...48 Remote PPTP VPN Dial In Configuration Example 94 Table 49 Remote PPTP VPN Dial In Configuration Example 95 Table 50 QoS Prioritization 97 Table 51 DSCP Mapping 98 Table 52 QoS Outbound Inbound IP T...

Page 18: ...com for an online glossary of networking terms and additional support documentation User Guide Feedback Help us help you E mail all User Guide related comments questions or suggestions for improvemen...

Page 19: ...shorthand for for instance and i e for that is or in other words throughout this manual The Prestige 794M may be referred to as the Prestige in this user s guide Graphics Icons Key Prestige Computer N...

Page 20: ...lows subscribers to select a speed to fit their needs and budgets The Prestige uses the ITU standard PAM16 Line Code complies with G 991 2 and G 994 1 standards 10 100M Auto negotiating Ethernet Fast...

Page 21: ...The Prestige is a stateful inspection firewall with DoS Denial of Service protection By default when the firewall is activated all incoming traffic from the WAN to the LAN is blocked unless it is init...

Page 22: ...SNMP SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices SNMP is a member of the TCP IP protocol suite Your Prestige supports SNMP...

Page 23: ...alerts reports and logs Figure 2 Application Firewall 1 3 3 VPN Application The Prestige s VPN feature makes it an ideal cost effective way to connect branch offices and business partners over the Int...

Page 24: ...Quick Start screen 1 4 1 Front Panel The following figure shows the front panel LEDs Figure 5 Front Panel LEDs The following table describes the LEDs Table 1 Front Panel LEDs LED COLOR STATUS DESCRIP...

Page 25: ...r crossover Ethernet cable CONSOLE Only connect this port if you want to configure the Prestige via console port Connect one end of the console cable to the console port of the Prestige and the other...

Page 26: ...irmware versions 2 2 Accessing the Web Configurator 1 Make sure your Prestige hardware is properly connected and prepare your computer computer network to connect to the Prestige refer to the Quick St...

Page 27: ...dure To Use The Reset Button 1 Make sure the PWR LED is on before you begin this procedure 2 Press the RESET button for more than six seconds and then release it If the SYS LED begins to blink the def...

Page 28: ...with your Prestige Software Version This is the firmware version the Prestige is currently using MAC Address This is the MAC Media Access Control or Ethernet address unique to your Prestige Home URL...

Page 29: ...ield In addition the device puts all ones in the target MAC field FF FF FF FF FF FF is the Ethernet broadcast address The replying device which is either the IP address of the device being sought or t...

Page 30: ...MAC Address This is the MAC address of the device with corresponding IP address above Interface This is the interface name on the Prestige to which a device is connected Static This shows whether the...

Page 31: ...teway This field displays the IP address of a gateway that this route uses Cost This field displays the cost or hop count for this route Table 5 Status Routing Table continued LABEL DESCRIPTION Table...

Page 32: ...connection Local Subnet This field displays the IP address and or subnet mask of the local network behind the Prestige Remote Subnet This field displays the subnet mask of the local network behind the...

Page 33: ...he screen as shown next Note To display and log firewall events enable firewall event logging in the Firewall Log screen Table 9 Status Email Status LABEL DESCRIPTION Email Account Account Name This f...

Page 34: ...uration screen If this happens simply check the error message here and try configuring the screen again Click Status and Error Log in the navigation panel to display the screen as shown next Figure 16...

Page 35: ...is field displays the protocol name such as TCP UDP or ICMP of the NAT session Local IP This field displays the local IP address of the NAT session Port local public This field displays the local to p...

Page 36: ...e than one computer behind the Prestige to access the Internet Select Disable to allow only one user to access the Internet or if computer s behind the Prestige is provided with a public IP address es...

Page 37: ...rovided enter the IP addresses of the DSLAM device or a gateway 3 Click Start to begin the scanning process 4 When the auto scan is complete and successful a screen displays Select your option from th...

Page 38: ...cit DNS server address es read the embedded web configurator help regarding what fields need to be configured 3 2 2 IP Address and Subnet Mask Similar to the way houses on a street share a common stre...

Page 39: ...estige unless you are instructed to do otherwise 3 2 3 RIP RIP Routing Information Protocol RFC 1058 and RFC 1389 allows a router to exchange routing information with other routers By default the Pres...

Page 40: ...ed on the IP address that you assign Unless you are implementing subnetting use the subnet mask computed by the Prestige RIP The RIP field controls the format and the broadcasting method of the RIP pa...

Page 41: ...Filter Active PC in LAN Table 14 LAN Ethernet Client Filter LABEL DESCRIPTION Ethernet Client Filter Select Disable to deactivate this feature This allows any computer to access the network through t...

Page 42: ...f the Ethernet connection on this port Choices are Auto 10Mfalfduplex 10Mfullduplex 100Mhalfduplex and 100Mfullduplex Selecting Auto auto negotiation allows one port to negotiate with a peer port auto...

Page 43: ...3 6 2 DNS Servers There are two places where you can configure DNS setup on the Prestige 1 Use the WAN DNS screen to configure the Prestige to use a DNS server to resolve domain names for Prestige sy...

Page 44: ...een displays as shown next Click Apply Figure 25 LAN DHCP Server Disable 3 6 3 2 DHCP Server Setup To set the Prestige as a DHCP server select DHCP Server and click Next in the DHCP Server screen A sc...

Page 45: ...contiguous addresses in the IP address pool Ending IP Address This field specifies the last of the contiguous addresses in the IP address pool Default Lease Time Specify the default time in seconds a...

Page 46: ...rmation back to the computer Reset Click Reset to start configuring this screen again Fixed Host Click Fixed Host to display a screen where you can assign a static LAN IP address to the specified devi...

Page 47: ...nfiguration screen Figure 28 LAN DHCP Server DHCP Relay Agent The following table describes the labels in this screen Table 20 LAN DHCP Server DHCP Relay Agent LABEL DESCRIPTION DHCP Server IP Address...

Page 48: ...dged In RFC 1483 Bridged the Prestige sends the packets based on the MAC address information That is the Prestige bridges the packets In RFC 1483 Routed the Prestige sends the packets based on the IP...

Page 49: ...Please refer to RFC 2364 for more information on PPPoA Refer to RFC 1661 for more information on PPP 4 1 1 4 IPoA With IPoA IP over ATM the Prestige attempts to map the IP subnet onto the ATM network...

Page 50: ...ys on bandwidth for voice or data traffic Select UBR Unspecified Bit Rate for applications that are non time sensitive such as e mail Select UBRPlus for non real time applications such as e mail Howev...

Page 51: ...0 to set the Prestige to obtain an IP address and other TCP IP information from the ISP every time Authentication Protocol Select an authentication type your ISP uses Choices are CHAP and PAP Select...

Page 52: ...ct false to set the route as a default route for all packets Subnet Mask Specify the subnet mask for PPP connection If you enter 0 0 0 0 the Prestige calculates the subnet mask from the IP address obt...

Page 53: ...Server Enable this feature to set the Prestige to provide DNS server information to a DHCP server Discover Primary Secondary NBNS Enable this feature to set the Prestige to request NBNS NetBIOS Name...

Page 54: ...restige can get the DNS server addresses in the following ways 1 The ISP tells you the DNS server addresses usually in the form of an information sheet when you sign up If your ISP gives you DNS serve...

Page 55: ...gs Click Configuration WAN and SHDSL in the navigation panel to display the screen as shown next Figure 35 SHDSL The following table describes the labels in this screen Table 24 DNS LABEL DESCRIPTION...

Page 56: ...equency Plan and Annex_B_ANFP are automatically selected when the DSL line is in training state These options are not available in CO mode Note For LAN LAN connection make sure the annex type is the s...

Page 57: ...Prestige 794M User s Guide 57 Chapter 4 WAN...

Page 58: ...p restore configuration on the Prestige 5 2 Time Zone To change your Prestige s time and date click Configuration System and Time Server in the navigation panel The screen appears as shown Use this sc...

Page 59: ...Local Time Zone list is to be displayed Select By City to display the list alphabetically based on the cities for each time zone Select By Time Different to display the list in ascending order Local T...

Page 60: ...upload them 3 Click Upload to begin the upload process A screen displays showing the firmware upgrade progress Note Do NOT turn off the Prestige while firmware upload is in progress Figure 39 System F...

Page 61: ...omputer Restore configuration allows you to upload a new or previously saved configuration file from your computer to your Prestige Click Browse to find the file you want to upload Click Restore to be...

Page 62: ...User Account To add a new user account click Create in the User Management screen A screen displays as shown Table 27 System User Management LABEL DESCRIPTION Valid This field indicates whether the ac...

Page 63: ...e Enter an account username Password Enter a password associated to the username above Confirm Enter the password again for confirmation Valid Select true to activate this account Otherwise select fal...

Page 64: ...ly you must design and deploy it appropriately This requires integrating the firewall into a broad information security policy In addition specific policies must be implemented within the firewall its...

Page 65: ...ral part of standard security solutions for enterprises Your Prestige includes a full SPI Stateful Packet Inspection firewall for controlling Internet access from your LAN as well as helping to preven...

Page 66: ...e Policy The options are applicable when you select Enable in the Security field Select All blocked User defined to block all out going LAN to Internet and incoming packets Internet to LAN based on th...

Page 67: ...ORT NUMBER FIREWALL HIGH MEDIUM LOW START END INBOUND OUTBOUND INBOUND OUTBOUND INBOUND OUTBOUND HTTP 80 TCP 6 80 80 NO YES NO YES NO YES DNS 53 UDP 17 53 53 NO YES NO YES YES YES DNS 53 TCP 6 53 53 N...

Page 68: ...ngs screen refer to Section 6 3 on page 66 You can modify or delete the pre configured packet filters Figure 46 Firewall Packet Filter The following table describes the labels in this screen Table 31...

Page 69: ...ame Source Port This field displays the source port number or port number range Destination Port This field displays the destination port number or port number range Inbound This field displays whethe...

Page 70: ...UDP Source Port Specify the source port or a range of source port numbers in the fields provided Destination Port Specify the destination port or a range of destination port numbers in the fields prov...

Page 71: ...d Echo CharGen scan The following table lists the types of attacks that the IDS is able to detect and the actions performed Apply Click Apply to save the settings and return to the main Packet Filter...

Page 72: ...K Scan TCP No Existing session And Scan Hosts more than five Source IP Scan Yes Yes Net Bus Scan TCP No Existing session DstPort Net Bus 12345 12346 3456 Source IP Scan Yes Yes Back Orifice Scan UDP D...

Page 73: ...pecify the time period in seconds the Prestige blocks any Smurf attacks when detected Scan Attack Block Duration Specify the time period in seconds the Prestige blocks hosts that attempt a possible Sc...

Page 74: ...e Select Always Block to apply the filter s at all times Select Block From and specify the time period the Prestige applies the filter s Keywords Filtering Select Enable to set the Prestige to block a...

Page 75: ...Domains Filtering and click Details to display the screen as shown next Figure 52 Firewall URL Filter Domains Filtering Table 37 Firewall URL Filter Keywords Filtering LABEL DESCRIPTION Create Keywor...

Page 76: ...this field Type Specify whether to allow access Trusted Domain or deny access Forbidden Domain from the drop down list box Apply Click Apply to add the keyword to the table below Trusted Domain This...

Page 77: ...Log Select Enable to log intrusion detections Select Disable not to log intrusion detections URL Blocking Log Select Enable to log URL blocking events Select Disable not to log URL blocking events Ta...

Page 78: ...uite for communication Your Prestige supports three main types of VPN Virtual Private Network PPTP IPSec and L2TP 7 2 PPTP Point to Point Tunneling Protocol PPTP is a network protocol that enables sec...

Page 79: ...reen to configure the Prestige to set up PPTP connection to a remote VPN device Figure 56 VPN PPTP Remote Access Table 40 VPN PPTP LABEL DESCRIPTION Enable Select this option to activate this VPN rule...

Page 80: ...HAP Challenge Handshake Authentication Protocol The default is CHAP When you select PAP password is sent unencrypted While CHAP provides better security by encrypting the password before transmission...

Page 81: ...me Enter a descriptive name for identification purposes Type Select Dial Out if you want your Prestige to operate as a client connecting to a remote VPN device Select Dial In to allow computers to est...

Page 82: ...ncryption Select Auto to set the Prestige to automatically detect whether the remote VPN device uses data encryption Select Enable to activate data encryption on the Prestige Make sure the remote VPN...

Page 83: ...originator 7 3 2 ESP Encapsulating Security Payload The ESP protocol RFC 2406 provides encryption as well as the services offered by AH ESP authenticating properties are limited compared to the AH du...

Page 84: ...by bypassing the Diffie Hellman key exchange 7 3 4 Pre Shared Key A pre shared key identifies a communicating party during a phase 1 IKE negotiation It is called pre shared because you have to share i...

Page 85: ...s to use the VPN connection Enter a single IP address in the IP Address field Subnet Select Subnet Address to allow more than one computer in the specified subnet to use the VPN connection Enter the I...

Page 86: ...ceiver must know the same secret key which can be used to encrypt and decrypt the message or to generate and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple...

Page 87: ...haracters You must precede a hexadecimal key with a 0x zero x which is not counted as part of the 16 to 62 character range for the key For example in 0x0123456789ABCDEF 0x denotes that the key is hexa...

Page 88: ...te Access L2TP Connection Use the L2TP Remote Access Connection screen to create an L2TP VPN rule for accessing a remote network Figure 62 L2TP Remote Access Connection Status This field displays whet...

Page 89: ...ty by encrypting the password before transmission and reauthenticates the VPN client to protect against identity theft Idle Time Specify the time interval in minutes where there is no traffic between...

Page 90: ...egotiation It is called pre shared because you have to share it with another party before you can communicate with them over a secure connection Type from 8 to 31 case sensitive ASCII characters or fr...

Page 91: ...ent that initiates the VPN connection For example 192 168 1 10 Username If you select Dial Out in the Type field enter the username provided If you select Dial In in the Type field enter a username to...

Page 92: ...is a tunnel only with no encryption 3DES and AES are more powerful but increase latency DES stands for Data Encryption Standard it uses 56 bits as an encryption method 3DES stands for Triple Data Encr...

Page 93: ...ished Remote Host Name This optional field is applicable when you select Dial Out in the Type field above Enter the host name of the remote VPN device The name must match to establish a VPN connection...

Page 94: ...1 Connection Name Example This name is for identification purposes only 2 Dial in Select this field to allow a remote VPN client to establish a VPN connection to the Prestige Private IP Address Assign...

Page 95: ...n Name Example This name is for identification purposes only 2 Dial out Select this field to allow a VPN client behind the Prestige to establish a VPN connection to a remote network Server IP Address...

Page 96: ...to control the different quality and speed of throughput for each application when the system is running with full loading of upstream You can find two items under the QoS section Prioritization and...

Page 97: ...a protocol type from the drop down list box Choices are any tcp udp icmp and gre Source Port Enter the source port number from which traffic travels Destination Port Enter the destination port number...

Page 98: ...iffServ Code Point DSCP marking allows the classification of traffic based on the DSCP value Select Disabled to deactivate DSCP marking or select a marking scheme Refer to Table 51 on page 98 for the...

Page 99: ...from the drop down list box Choices are any tcp udp icmp and gre Source Port Enter the source port number from which traffic travels Destination Port Enter the destination port number to which traffic...

Page 100: ...screen to prioritize time sensitive applications like VoIP Set a high priority level for VoIP traffic to improve service quality and prevent other applications from using most of the bandwidth In the...

Page 101: ...72 Rating Limiting with IP Throttling Example 8 4 Time Schedule You can configure time schedule profiles and associate a profile to a Prestige setting This allows the Prestige to automatically disabl...

Page 102: ...on Time Schedule Edit Table 54 Configuration Time Schedule LABEL DESCRIPTION ID This field displays the index number Name This field displays the descriptive name for identification purposes Day in a...

Page 103: ...BEL DESCRIPTION ID This read only field displays the index number Name Enter a descriptive name for identification purposes Day Select the day of the week this time schedule is active Start Time Set t...

Page 104: ...owing figure through remote node router R1 However the Prestige is unable to route a packet to network N3 because it doesn t know that there is a route through the same remote node router R1 via gatew...

Page 105: ...otation via gateway Enter the IP address of the gateway The gateway is a router or switch on the same network segment as the device s LAN or WAN port The gateway helps forward packets to their destina...

Page 106: ...time you reconnect Your friends or relatives will always be able to call you even if they don t know your IP address First of all you need to have registered a dynamic DNS account with www dyndns org...

Page 107: ...u want to be able to use for example www yourhost dyndns org and still reach your hostname Domain Name Enter the domain name you registered with the DDNS service provider you selected above Username...

Page 108: ...the screen as shown next Figure 78 Advanced Check Emails The following table describes the labels in this screen Table 58 Advanced Check Emails LABEL DESCRIPTION Check Email Select Enable to activate...

Page 109: ...omatically set up the SHDSL line to connect to the mail server when the line is down Select the check box to enable automatic line set up Note Enabling this feature may add to your Internet access cos...

Page 110: ...ve a network smoothly and automatically when it is no longer in use 12 1 1 1 How do I know if I m using UPnP UPnP hardware is identified as an icon in the Network Connections folder Windows XP Each UP...

Page 111: ...and agents to communicate for the purpose of accessing these objects SNMP itself is a simple request response protocol based on the manager agent model The manager issues a request and the agent retu...

Page 112: ...ATTRIBUTE RFC 1213 MIB II System group Interfaces group Address Translation group IP group ICMP group TCP group UDP group EGP not applicable Transmission SNMP group RFC1650 EtherLike MIB dot3Stats RFC...

Page 113: ...ter a number Note Make sure the port number is not already used by another service If you change the port number you need to append the port number to the WAN or LAN port IP address to access the web...

Page 114: ...ation The default is public and allows all requests Enter the IP address of the computer you want to allow to view the device information in the IP Address field Otherwise leave this field to 0 0 0 0...

Page 115: ...ulticast groups that it has learned from IGMP snooping or that you have manually configured to ports that are members of that group The Prestige discards multicast traffic destined for multicast group...

Page 116: ...nt filtering 21 Copyright 2 Corrosive Liquids 4 Covers 4 Customer Support 6 D Dampness 4 Danger 4 Daylight saving 59 DDNS 21 106 Denmark Contact Information 6 Device management 110 DHCP 38 43 106 Disa...

Page 117: ...interface 20 Internet access setup Auto scan 37 Quick start 35 Internet Protocol Security IPSec 83 Intrusion detection 71 Intrusion Detection System IDS 71 IP Address 38 40 IP Pool Setup 43 IP throttl...

Page 118: ...TP status 31 Pre Shared Key 84 87 Prioritization 96 Example with QoS 100 PVC Permanent Virtual Circuit 49 Q QoS Example 100 QoS Quality of Service 96 Qualified Service Personnel 4 Quick start for Inte...

Page 119: ...U Universal Plug and Play 110 Universal Plug and Play UPnP 21 UPnP 21 110 URL Uniform Resource Locator 73 URL filter 73 User management 62 V Vendor 4 Ventilation Slots 4 Virtual Private Network VPN 2...