ZyXEL Communications Prestige 653HWI series User Manual Download Page 143 | Manualshive

Page: 143 / 564

background image

Prestige 653HWI Series User’s Guide

Firewalls

11-7

Table 11-3 Legal NetBIOS Commands

MESSAGE:

REQUEST:

POSITIVE:

NEGATIVE:

RETARGET:

KEEPALIVE:

All SMTP commands are illegal except for those displayed in the following tables.

Table 11-4 Legal SMTP Commands

AUTH DATA EHLO ETRN EXPN HELO HELP MAIL NOOP

QUIT RCPT RSET SAML SEND SOML

TURN VRFY

Traceroute

Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes when a
packet filter firewall is configured incorrectly an attacker can traceroute the firewall gaining knowledge of
the network topology inside the firewall.
4. Often, many DoS attacks also employ a technique known as "

IP Spoofing

" as part of their attack. IP

Spoofing may be used to break into systems, to hide the hacker's identity, or to magnify the effect of the
DoS attack. IP Spoofing is a technique used to gain unauthorized access to computers by tricking a
router or firewall into thinking that the communications are coming from within the trusted network. To
engage in IP spoofing, a hacker must modify the packet headers so that it appears that the packets
originate from a trusted host and should be allowed through the router or firewall. The Prestige blocks all
IP Spoofing attempts.

11.5 Stateful Inspection

With stateful inspection, fields of the packets are compared to packets that are already known to be trusted.
For example, if you access some outside service, the proxy server remembers things about your original
request, like the port number and source and destination addresses. This “remembering” is called

saving the

state.

When the outside system responds to your request, the firewall compares the received packets with the

saved state to determine if they are allowed in. The Prestige uses stateful packet inspection to protect the
private LAN from hackers and vandals on the Internet. By default, the Prestige’s stateful inspection allows
all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that
originates from the Internet. In summary, stateful inspection:

Allows all sessions originating from the LAN (local network) to the WAN (Internet).

«
...
141
142
143
144
145
...
»

Summary of Contents for Prestige 653HWI series

Page 1: ...Prestige 653HWI Series ADSL Security Gateway with IEEE802 11g and ISDN Backup User s Guide Version 3 40 December 2003...

Page 2: ...by ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does...

Page 3: ...requency energy and if not installed and used in accordance with the instructions may cause harmful interference to radio communications If this equipment does cause harmful interference to radio tele...

Page 4: ...the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose ZyXEL shall in no event b...

Page 5: ...xel com ftp zyxel com WORLDWIDE sales zyxel com tw 886 3 578 2439 ftp europe zyxel com ZyXEL Communications Corp 6 Innovation Road II Science Based Industrial Park Hsinchu 300 Taiwan support zyxel com...

Page 6: ...1 2 2 Accessing the Prestige Web Configurator 2 1 2 3 Navigating the Prestige Web Configurator 2 2 2 4 Resetting the Prestige 2 3 Chapter 3 Wizard Setup 3 1 3 1 Wizard Setup Introduction 3 1 3 2 Encap...

Page 7: ...view 7 1 7 2 ISDN 7 1 7 3 NetCAPI 7 1 7 4 Metric 7 2 7 5 PPPoE Encapsulation 7 2 7 6 Traffic Shaping 7 3 7 7 Configuring WAN Functions 7 4 7 8 Configuring WAN DSL Setup 7 6 7 9 ISDN Connection Setup 7...

Page 8: ...2 1 12 3 Attack Alert 12 2 Chapter 13 Creating Custom Rules 13 1 13 1 Rules Overview 13 1 13 2 Rule Logic Overview 13 1 13 3 Connection Direction 13 3 13 4 Logs 13 5 13 5 Rule Summary 13 5 13 6 Predef...

Page 9: ...nagement 17 27 Remote Management UPnP and Logs VI Chapter 18 Remote Management Configuration 18 1 18 1 Remote Management Overview 18 1 18 2 Telnet 18 2 18 3 FTP 18 3 18 4 Web 18 3 18 5 Configuring Rem...

Page 10: ...nging the System Password 23 6 Chapter 24 Menu 1 General Setup 24 1 24 1 General Setup 24 1 24 2 Procedure To Configure Menu 1 24 1 Chapter 25 Menu 2 WAN Backup Setup 25 1 25 1 Introduction to WAN Bac...

Page 11: ...ing in General 31 1 31 2 Bridge Ethernet Setup 31 1 Chapter 32 Network Address Translation NAT 32 1 32 1 Using NAT 32 1 32 2 Applying NAT 32 1 32 3 NAT Setup 32 3 32 4 Configuring a Server behind NAT...

Page 12: ...38 10 Chapter 39 System Maintenance 39 1 39 1 Command Interpreter Mode 39 1 39 2 Call Control Support 39 2 39 3 Time and Date Setting 39 4 Chapter 40 Remote Management 40 1 40 1 Remote Management Ove...

Page 13: ...GEN FTP Upload Example 45 4 Appendices and Index XII Appendix A Troubleshooting A 1 Appendix B IP Subnetting B 1 Appendix C Wireless LAN and IEEE 802 11 C 1 Appendix D Antenna Selection and Positionin...

Page 14: ...N Configuration 3 13 Figure 3 8 Wizard Screen 4 3 14 Figure 4 1 Password 4 1 Figure 5 1 LAN and WAN IP Addresses 5 1 Figure 5 2 LAN 5 4 Figure 6 1 RTS Threshold 6 2 Figure 6 2 Prestige Wireless Securi...

Page 15: ...ting A Firewall Rule 13 11 Figure 13 5 Adding Editing Source and Destination Addresses 13 13 Figure 13 6 Timeout 13 14 Figure 14 1 Customized Services 14 1 Figure 14 2 Creating Editing A Customized Se...

Page 16: ...21 12 Figure 21 9 Bandwidth Manager Class Configuration 21 14 Figure 21 10 Bandwidth Management Statistics 21 17 Figure 21 11 Bandwidth Manager Monitor 21 18 Figure 22 1 System Status 22 2 Figure 22...

Page 17: ...p 29 2 Figure 29 2 Menu 11 1 Remote Node Profile 29 3 Figure 29 3 Menu 11 3 Remote Node Network Layer Options 29 6 Figure 29 4 Sample IP Addresses for a TCP IP LAN to LAN Connection 29 8 Figure 29 5 M...

Page 18: ...ring Process 34 2 Figure 34 2 Filter Rule Process 34 3 Figure 34 3 Menu 21 Filter Set Configuration 34 4 Figure 34 4 NetBIOS_WAN Filter Rules Summary 34 5 Figure 34 5 NetBIOS_LAN Filter Rules Summary...

Page 19: ...Screen 38 7 Figure 38 7 Telnet into Menu 24 6 38 8 Figure 38 8 Restore Using FTP Session Example 38 9 Figure 38 9 System Maintenance Restore Configuration 38 9 Figure 38 10 System Maintenance Starting...

Page 20: ...e 42 3 Applying Schedule Set s to a Remote Node PPPoE 42 4 Figure 43 1 VPN SMT Menu Tree 43 1 Figure 43 2 Menu 27 VPN IPSec Setup 43 2 Figure 43 3 Menu 27 1 IPSec Summary 43 2 Figure 43 4 Menu 27 1 1...

Page 21: ...ble 7 4 ISDN Dial In Setup 7 14 Table 7 5 Configuring NetCAPI 7 16 Table 7 6 WAN Backup Setup 7 22 Table 8 1 NAT Definitions 8 1 Table 8 2 NAT Mapping Types 8 5 Table 8 3 Services and Port Numbers 8 7...

Page 22: ...commuter and Headquarters Configuration Example 17 25 Table 18 1 Remote Management 18 3 Table 19 1 Configuring UPnP 19 2 Table 20 1 Log Settings 20 3 Table 20 2 View Logs 20 4 Table 20 3 SMTP Error Me...

Page 23: ...IP Static Route 30 3 Table 31 1 Remote Node Network Layer Options Bridge Fields 31 3 Table 31 2 Menu 12 3 1 Edit Bridge Static Route 31 3 Table 32 1 Applying NAT in Menus 4 11 3 32 3 Table 32 2 SUAAdd...

Page 24: ...and Date Setting 39 5 Table 40 1 Menu 24 11 Remote Management Control 40 2 Table 41 1 Menu 25 1 IP Routing Policy Setup 41 3 Table 41 2 Menu 25 1 1 IP Routing Policy 41 4 Table 42 1 Menu 26 1 Schedule...

Page 25: ...es B 1 Chart B 2 Allowed IP Address Range By Class B 2 Chart B 3 Natural Masks B 2 Chart B 4 Alternative Subnet Mask Notation B 3 Chart B 5 Subnet 1 B 4 Chart B 6 Subnet 2 B 4 Chart B 7 Subnet 1 B 5 C...

Page 26: ...on features configurable by web configurator The SMT parts of this guide contain background information solely on features not configurable by web configurator Use the web configurator System Managem...

Page 27: ...ed field choices are in Bold Arial font Command and arrow keys are enclosed in square brackets ENTER means the Enter or carriage return key ESC means the Escape key and SPACE BAR means the Space Bar M...

Page 28: ...pstream capacity Asymmetrical services ADSL are suitable for Internet users because more information is usually downloaded than uploaded For example a simple button click in a web browser can start an...

Page 29: ...I Getting Started This part is structured as a step by step guide to help you access your Prestige It covers key features and applications accessing the web configurator and configuring the wizard scr...

Page 30: ......

Page 31: ...f working anywhere within the coverage area Models includes in this series at the time of writing are P653HWI 11 P653HWI 13 P653HWI 17 Models ending in 1 for example P653HWI 11 denote a device that wo...

Page 32: ...DoS Denial of Service protection By default when the firewall is activated all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN The Prestige firewall supports T...

Page 33: ...p keep network communications private Traffic Redirect Traffic redirect forwards WAN traffic to a backup gateway when the Prestige cannot connect to the Internet thus acting as an auxiliary if your re...

Page 34: ...erface BRI Support The router supports a single BRI The BRI offers two 64 Kbps channels which can be used independently for two destinations or be bundled to speed up data transfer Incoming Call Suppo...

Page 35: ...on the Internet 10 100M Auto negotiating Ethernet Fast Ethernet Interface s This auto negotiation feature allows the Prestige to detect the speed of incoming transmissions and adjust appropriately wi...

Page 36: ...IP configuration at start up from a centralized DHCP server The Prestige has built in DHCP server capability enabled by default It can assign IP addresses an IP default gateway and DNS servers to DHCP...

Page 37: ...iplexing Encapsulation The Prestige supports PPPoA RFC 2364 PPP over ATM Adaptation Layer 5 RFC 1483 encapsulation over ATM MAC encapsulated routing ENET encapsulation as well as PPP over Ethernet RFC...

Page 38: ...ce requirements making it easy to position anywhere in your busy office 1 3 Applications for the Prestige Here are some example uses for which the Prestige is well suited 1 3 1 Internet Access The Pre...

Page 39: ...that allows multiple users on the LAN Local Area Network to access the Internet concurrently for the cost of a single IP address 1 3 2 Firewall for Secure Broadband Internet Access The Prestige provi...

Page 40: ...Application 1 3 3 VPN Application The Prestige s VPN feature makes it an ideal cost effective way to connect branch offices and business partners over the Internet without the need and expense for le...

Page 41: ...o Know Your Prestige 1 11 Figure 1 3 VPN Application 1 3 4 LAN to LAN Application You can use the Prestige to connect two geographically dispersed networks over the ADSL line A typical LAN to LAN appl...

Page 42: ...Prestige 653HWI Series User s Guide 1 12 Getting To Know Your Prestige Figure 1 4 Prestige LAN to LAN Application...

Page 43: ...igator 7 0 and later versions with JavaScript enabled It is recommended that you set your screen resolution to 1024 by 768 pixels 2 2 Accessing the Prestige Web Configurator Step 1 Make sure your Pres...

Page 44: ...configurator from the SITE MAP screen Select a language from the Language drop down list box Click Wizard Setup to begin a series of screens to configure your Prestige for the first time Click a link...

Page 45: ...l be reset to 1234 also 2 4 1 Using The Reset Button Step 1 Make sure the SYS LED is on not blinking Step 2 Press the RESET button for five seconds and then release it When the SYS LED begins to blink...

Page 46: ...cing the Web Configurator Figure 2 3 Example Xmodem Upload Step 5 After successful firmware upload enter atgo to restart the router Type the configuration file s location or click Browse to search for...

Page 47: ...outed Ethernet frames into bridged ATM cells ENET ENCAP requires that you specify a gateway IP address in the Ethernet Encapsulation Gateway field in the second wizard screen You can get this informat...

Page 48: ...VC1 carries IP etc VC based multiplexing may be dominant in environments where dynamic creation of large numbers of ATM VCs is fast and economical 3 3 2 LLC based Multiplexing In this case one VC carr...

Page 49: ...Choices vary depending on what you select in the Mode field If you select Bridge in the Mode field select either PPPoA or RFC 1483 If you select Routing in the Mode field select PPPoA RFC 1483 ENET E...

Page 50: ...Assigned Number Authority IANA reserved this block of addresses specifically for private use please do not use any other number unless you are told otherwise Let s say you select 192 168 1 0 as the ne...

Page 51: ...e IP Addresses Every machine on the Internet must have a unique address If your networks are isolated from the Internet for example only between your two branch offices you can assign any IP addresses...

Page 52: ...s reasons Do not specify a nailed up connection unless your telephone company offers flat rate service or you need a constant connection and the cost is of no concern 3 9 NAT NAT Network Address Trans...

Page 53: ...t Obtain an IP Address Automatically if you have a dynamic IP address otherwise select Static IP Address and type your ISP assigned IP address in the IP Address text box below Connection Select Connec...

Page 54: ...C 1483 LABEL DESCRIPTION IP Address This field is available if you select Routing in the Mode field Type your ISP assigned IP address in this field Network Address Translation Select None SUA Only or...

Page 55: ...Internet The Single User Account feature can be used with either a dynamic or static IP address Select Obtain an IP Address Automatically if you have a dynamic IP address otherwise select Static IP A...

Page 56: ...ress Translation Select None SUA Only or Full Feature from the drop sown list box Refer to the NAT chapter for more details Back Click Back to go back to the first wizard screen Next Click Next to con...

Page 57: ...ault setting selects Connection on Demand with 0 as the idle time out which means the Internet session will not timeout Select Nailed Up Connection when you want your connection up all the time The Pr...

Page 58: ...f 192 168 1 1 for other server machines for example server for mail FTP telnet web etc that you may have 3 12 Wizard Setup Configuration Third Screen Step 1 Verify the settings in the screen shown nex...

Page 59: ...168 1 1 factory default If you changed the Prestige s LAN IP address you must use the new IP address if you want to access the web configurator again LAN Subnet Mask Enter a subnet mask in dotted deci...

Page 60: ...s The DNS servers are passed to the DHCP clients along with the IP address and the subnet mask Secondary DNS Server As above Back Click Back to go back to the previous screen Finish Click Finish to sa...

Page 61: ...ate to www zyxel com Internet access is just the beginning Refer to the rest of this User s Guide for more detailed information on the complete range of Prestige features If you cannot access the Inte...

Page 62: ......

Page 63: ...Password LAN Wireless LAN and WAN II Part II Password LAN Wireless LAN and WAN This part covers the password LAN Local Area Network wireless LAN and WAN setup...

Page 64: ......

Page 65: ...for accessing the Prestige 4 2 Configuring Password To change your Prestige s password recommended click Password The screen appears as shown Figure 4 1 Password The following table describes the fie...

Page 66: ...4 2 Password Setup Table 4 1 Password LABEL DESCRIPTION Retype to Confirm Type the new password again in this field Apply Click Apply to save your changes back to the Prestige Cancel Click Cancel to b...

Page 67: ...e IP addresses 5 1 1 LANs WANs and the Prestige The actual physical connection determines whether the Prestige ports are LAN or WAN ports There are two separate IP networks one inside the LAN network...

Page 68: ...roxy works only when the ISP uses the IPCP DNS server extensions It does not mean you can leave the DNS servers out of the DHCP setup under all circumstances If your ISP gives you explicit DNS servers...

Page 69: ...h RIP 2B and RIP 2M sends the routing data in RIP 2 format the difference being that RIP 2B uses subnet broadcasting while RIP 2M uses multicasting 5 4 4 Multicast Traditionally IP packets are transmi...

Page 70: ...Setup WAN interfaces in the web configurator LAN WAN Select None to disable IP multicasting on these interfaces 5 5 Configuring LAN Click LAN to open the following screen Figure 5 2 LAN The following...

Page 71: ...Pool This field specifies the size or count of the IP address pool Primary DNS Server Enter the IP addresses of the DNS servers The DNS servers are passed to the DHCP clients along with the IP addres...

Page 72: ...ige 653HWI Series User s Guide 5 6 LAN Setup Table 5 1 LAN LABEL DESCRIPTION Apply Click this button to save these settings back to the Prestige Cancel Click this button to reset the fields in this sc...

Page 73: ...rk RADIUS server for remote user authentication and accounting 6 1 2 Channel The range of radio frequencies used by IEEE 802 11g wireless devices is called a channel Channels available depend on your...

Page 74: ...equest To Send CTS Clear to Send handshake is invoked When a data frame exceeds the RTS CTS value you set between 0 to 2432 bytes the station that wants to transmit this frame must first send an RTS R...

Page 75: ...ill be fragmented before they reach RTS CTS size 6 2 Levels of Security Wireless security is vital to your network to protect wireless communication between wireless stations access points and the wir...

Page 76: ...less stations and the access points must use the same WEP key for data encryption and decryption Your Prestige allows you to configure up to four 64 bit or 128 bit WEP keys but only one key can be ena...

Page 77: ...e data unit size turns off the RTS CTS handshake Setting this attribute to zero turns on the RTS CTS handshake Enter a value between 0 and 2432 Fragmentation Threshold The threshold number of bytes fo...

Page 78: ...access to up to 32 devices Allow Association or exclude up to 32 devices from accessing the Prestige Deny Association Every Ethernet device has a unique MAC Media Access Control address The MAC addre...

Page 79: ...Prestige 653HWI Series User s Guide Wireless LAN Setup 6 7 Figure 6 4 MAC Address Filter The following table describes the fields in this menu...

Page 80: ...el Click Cancel to begin configuring this screen afresh 6 5 Network Authentication You can set the Prestige and your network to authenticate a wireless station before the wireless station can communic...

Page 81: ...per response from the user and then sends another Access Request message The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting Account...

Page 82: ...s station sends a start message to the Prestige Step 2 The Prestige sends a request identity message to the wireless station for identity information Step 3 The wireless station replies with identity...

Page 83: ...e wired network ReAuthentication Timer Specify how often wireless stations have to reenter user names and passwords in order to stay connected This field is activated only when you select Authenticati...

Page 84: ...heck the user database on the Prestige for a client s user name and password If the user name is not found the Prestige checks the user database on the specified RADIUS server Select RADIUS first then...

Page 85: ...Prestige 653HWI Series User s Guide Wireless LAN Setup 6 13 Figure 6 7 Local User Database The following table describes the fields in this screen...

Page 86: ...to 31 characters long for this user profile Back Click Back to go to the main wireless LAN setup screen Apply Click Apply to save these settings back to the Prestige Cancel Click Cancel to begin confi...

Page 87: ...over the network This key must be the same on the external authentication server and Prestige Accounting Server Active Select Yes from the drop down list box to enable user authentication through an...

Page 88: ......

Page 89: ...r file transfer G3 G4 Fax Autoanswer host mode telephony etc on Windows 95 98 NT platforms 7 3 1 CAPI CAPI is an interface standard that allows applications to access ISDN services Several application...

Page 90: ...mary default route Should the DSL route fail to connect to the Internet the Prestige first tries the traffic redirect route In the same manner the Prestige uses the dial backup route if the traffic re...

Page 91: ...ctions Peak Cell Rate PCR is the maximum rate at which the sender can send cells This parameter may be lower but not higher than the maximum line speed 1 ATM cell is 53 bytes 424 bits so a maximum spe...

Page 92: ...up Figure 7 1 Example of Traffic Shaping 7 7 Configuring WAN Functions To change your Prestige s WAN remote node settings click WAN to access the WAN Functions screen Figure 7 2 WAN Functions The foll...

Page 93: ...e regular WAN connection is dropped ISDN Dial in Setup Click ISDN Dial in Setup to edit your Prestige s Dial in settings for remote management NetCAPI Setup Click NetCAPI Setup to edit your Prestige s...

Page 94: ...Prestige 653HWI Series User s Guide 7 6 WAN Setup 7 8 Configuring WAN DSL Setup To edit your DSL settings click WAN DSL Setup The screen differs by the encapsulation Figure 7 3 WAN DSL Setup...

Page 95: ...Choices are VC or LLC Virtual Circuit ID VPI Virtual Path Identifier and VCI Virtual Channel Identifier define a virtual circuit Refer to the appendix for more information VPI The valid range for the...

Page 96: ...eld A static IP address is a fixed IP that your ISP gives you A dynamic IP address is not fixed the ISP assigns you a different one each time you connect to the Internet The Single User Account featur...

Page 97: ...bnetting appendix in the to calculate a subnet mask If you are implementing subnetting ENET ENCAP Gateway ENET ENCAP encapsulation only You must specify a gateway IP address supplied by your ISP when...

Page 98: ...3HWI Series User s Guide 7 10 WAN Setup 7 9 ISDN Connection Setup To edit your Prestige s advanced WAN backup settings click WAN ISDN Connection Setup The screen appears as shown Figure 7 4 ISDN Conne...

Page 99: ...d IP Address Automatically Some implementations especially the UNIX derivatives require the WAN link to have a separate IP network number from the LAN and each end must have a unique address within th...

Page 100: ...Allocate Budget Type the amount of time in minutes that the dial backup connection can be used during the time configured in the Period field Set an amount that is less than the time period configured...

Page 101: ...s Guide WAN Setup 7 13 7 10 ISDN Dial In Setup To edit your Prestige s Dial In Setup click WAN ISDN Dial In Setup The screen appears as shown Figure 7 5 ISDN Dial In Setup The following table describe...

Page 102: ...gle connection to boost the effective throughput between two nodes This option is only available if the transfer type is 64K Options for this field are Off BOD and Always Budget Allocate Budget Type t...

Page 103: ...s Guide WAN Setup 7 15 7 11 Configuring NetCAPI To edit your Prestige s NetCAPI settings click WAN NetCAPI Setup The screen appears as shown Figure 7 6 Configuring NetCAPI The following table describe...

Page 104: ...ddress of ISDN DATA If the incoming call does not match the subaddress of ISDN DATA then the call will be routed to NetCAPI Start IP Refers to the first IP address of a group of NetCAPI clients Each g...

Page 105: ...rent client workstations at the same time e g one workstation sending a fax another workstation doing a file transfer RVS COM has to be installed on each client workstation in order to share the ISDN...

Page 106: ...rt connection see the Compact Guide 7 13 Traffic Redirect on the LAN Traffic redirect forwards LAN traffic to a backup gateway when the Prestige cannot connect to the Internet An example is shown in t...

Page 107: ...cted to the LAN or DMZ Use IP alias to configure the LAN into two or three logical networks with the Prestige itself as the gateway for each LAN network Put the protected LAN in one subnet Subnet 1 in...

Page 108: ...Prestige 653HWI Series User s Guide 7 20 WAN Setup Figure 7 10 Traffic Redirect LAN Setup...

Page 109: ...ide WAN Setup 7 21 7 15 Configuring WAN Backup To change your Prestige s WAN backup settings click WAN then WAN Backup The screen appears as shown Figure 7 11 WAN Backup Setup The following table desc...

Page 110: ...n it periodically checks to whether or not it can use a higher priority connection Type the number of seconds 30 recommended for the Prestige to wait between checks Allow more time if your destination...

Page 111: ...Figure 7 2 Metric This field sets this route s priority between the two backup routes the Prestige uses The metric represents the cost of transmission A router determines the best route for transmissi...

Page 112: ......

Page 113: ...NAT Dynamic DNS and Time Zone III Part III NAT Dynamic DNS and Time Zone This part covers NAT Network Address Translation dynamic DNS Domain Name Sever and Time Zone setup...

Page 114: ......

Page 115: ...local address refers to the IP address of a host when the packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side...

Page 116: ...d If you do not define any servers for Many to One and Many to Many Overload mapping see Table 8 2 NAT offers the additional benefit of firewall protection With no servers defined your Prestige filter...

Page 117: ...AT Works 8 1 4 NAT Application The following figure illustrates a possible NAT application where three inside LANs logical LANs using IP Alias behind the Prestige can communicate with three distinct W...

Page 118: ...maps multiple local IP addresses to one global IP address This is equivalent to SUA for instance PAT port address translation ZyXEL s Single User Account feature that previous ZyXEL routers supported...

Page 119: ...SMT ABBREVIATION One to One ILA1 IGA1 1 1 Many to One SUA PAT ILA1 IGA1 ILA2 IGA1 M 1 Many to Many Overload ILA1 IGA1 ILA2 IGA2 ILA3 IGA1 ILA4 IGA2 M M Ov Many to Many No Overload ILA1 IGA1 ILA2 IGA2...

Page 120: ...ports a default server IP address A default server receives packets from ports that are not specified in this screen If you do not assign a Default Server IP Address the Prestige discards all packets...

Page 121: ...r further information about port numbers Table 8 3 Services and Port Numbers SERVICES PORT NUMBER ECHO 7 FTP File Transfer Protocol 21 SMTP Simple Mail Transfer Protocol 25 DNS Domain Name System 53 F...

Page 122: ...ers Behind NAT Example 8 4 Selecting the NAT Mode You must create a firewall rule in addition to setting up SUA NAT to allow traffic from the WAN to be forwarded through the Prestige Click NAT to open...

Page 123: ...Server Set screen Full Feature Select this radio button if you have multiple public WAN IP addresses for your Prestige Edit Details Click this link to go to the NAT Address Mapping Rules screen Apply...

Page 124: ...er the port number again in the End Port No field To forward a series of ports enter the start port number here and the end port number in the End Port No field End Port No Enter a port number in this...

Page 125: ...stige takes the corresponding action and the remaining rules are ignored If there are any empty rules before your new configured rule your configured rule will be pushed up by that number of empty rul...

Page 126: ...field is N A for One to one Many to One and Server mapping types Type 1 1 One to one mode maps one local IP address to one global IP address Note that port numbers do not change for the One to one NAT...

Page 127: ...count feature that previous ZyXEL routers supported only 3 Many to Many Overload Many to Many Overload mode maps multiple local IP addresses to shared global IP addresses 4 Many to Many No Overload Ma...

Page 128: ...his field is N A for One to One Many to One and Server mapping types Server Mapping Set Only available when Type is set to Server Select a number from 1 to 10 from the drop down menu to choose a serve...

Page 129: ...riends or relatives will always be able to call you even if they don t know your IP address First of all you need to have registered a dynamic DNS account with www dyndns org This is for people with a...

Page 130: ...ect the name of your Dynamic DNS service provider Host Names Type the domain name assigned to your Prestige by your Dynamic DNS provider E mail Address Type your e mail address User Type your user nam...

Page 131: ...this screen to configure the Prestige s time and date settings 10 1 Configuring Time Zone To change your Prestige s time and date click Time Zone The screen appears as shown Use this screen to config...

Page 132: ...me zone of your location This will set the time difference between your time zone and Greenwich Mean Time GMT Daylight Savings Select this option if you use daylight savings time Daylight saving is a...

Page 133: ...k Apply Time Current Time This field displays the time of your Prestige Each time you reload this page the Prestige synchronizes the time with the time server New Time This field displays the last upd...

Page 134: ......

Page 135: ...rs IV Part IV Firewall and Content Filters This part introduces firewalls in general and the Prestige firewall It also explains customized services and logs and gives example firewall rules and an ove...

Page 136: ......

Page 137: ...ewall to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security policy In addition specific policies must be implemented...

Page 138: ...ching that some proxies support See section 11 5 for more information on Stateful Inspection Firewalls of one type or another have become an integral part of standard security solutions for enterprise...

Page 139: ...otocols that perform specific functions An extension number called the TCP port or UDP port identifies these protocols such as HTTP Web FTP File Transfer Protocol POP3 E mail etc For example Web traff...

Page 140: ...oversize packet is then sent to an unsuspecting system Systems may crash hang or reboot 1 b Teardrop attack exploits weaknesses in the re assembly of IP packet fragments As data is transmitted through...

Page 141: ...Attack floods a targeted system with a series of SYN packets Each packet causes the targeted system to issue a SYN ACK response While the targeted system waits for the ACK that follows the SYN ACK it...

Page 142: ...adcast the ICMP echo request packet to all hosts on the network If there are numerous hosts this will create a large amount of ICMP echo request and response traffic If a hacker chooses to spoof the s...

Page 143: ...ming from within the trusted network To engage in IP spoofing a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through th...

Page 144: ...and the packet s application layer protocol is configured for a firewall rule inspection 1 The packet travels from the firewall s LAN to the WAN 2 The packet is evaluated against the interface s exis...

Page 145: ...ection are inspected to update the state table entry and to modify the temporary inbound access list entries as required and are forwarded through the interface 9 When the connection terminates or tim...

Page 146: ...s any subsequent packet from the Internet or from the LAN its connection information is extracted and checked against the cache A packet is only allowed to pass through if it corresponds to a valid co...

Page 147: ...on a case by case basis You can use the web configurator s Custom Ports feature to do this 11 6 Guidelines For Enhancing Security With Your Firewall 1 Change the default password via SMT or web config...

Page 148: ...ormation to people outside your company Be careful of files e mailed to you from strangers One common way of getting BackOrifice on a system is to include it as a Trojan horse with other files 7 Chang...

Page 149: ...ate of connections it handles so that for example a legitimate incoming packet can be matched with the outbound request for that packet and allowed in Conversely an incoming packet masquerading as a r...

Page 150: ...Prestige 653HWI Series User s Guide 11 14 Firewalls 6 The firewall can block specific URL traffic that might occur in the future The URL can be saved in an Access Control List ACL database...

Page 151: ...ow management see the Remote Management chapter and the firewall is enabled The firewall blocks remote management from the WAN unless you configure a firewall rule to allow it The firewall allows remo...

Page 152: ...to the chapter on logs for details 12 3 2 Threshold Values Tune these parameters when something is not working and after you have checked the firewall counters These default values should work fine fo...

Page 153: ...detected in the last one minute sample period TCP Maximum Incomplete and Blocking Time An unusually high number of half open sessions with the same destination host address could indicate that a Denia...

Page 154: ...ses the firewall to stop deleting half open sessions The Prestige continues to delete half open sessions as necessary until the rate of new connection attempts drops below this number 80 is the defaul...

Page 155: ...umber TCP Maximum Incomplete This is the number of existing half open TCP sessions default 10 with the same destination host IP address that causes the firewall to start dropping half open sessions to...

Page 156: ......

Page 157: ...For example you may create rules to Block certain types of traffic such as IRC Internet Relay Chat from the LAN to the Internet Allow certain types of traffic such as Lotus Notes database synchroniza...

Page 158: ...rvice 2 Is it possible to modify the rule to be more specific For example if IRC is blocked for all users will a rule that blocks just certain users be more effective 3 Does a rule that allows Interne...

Page 159: ...a single IP a range of IPs or a subnet 13 3 Connection Direction This section talks about configuring firewall rules for connections going from LAN to WAN and WAN to LAN in your firewall 13 3 1 LAN to...

Page 160: ...13 1 LAN to WAN Traffic 13 3 2 WAN to LAN Rules The default rule for WAN to LAN traffic blocks all incoming connections WAN to LAN If you wish to allow certain WAN users to have access to your LAN you...

Page 161: ...An attack automatically generates a log Logs can be sent to an e mail account or syslog server that you specify in the Log Settings screen see the chapter on logs 13 5 Rule Summary The fields in the...

Page 162: ...n for packets not matching following rules Use the drop down list box to select whether to Block silently discard or Forward allow the passage of packets that do not match the following rules Default...

Page 163: ...None Rules Reorder You may reorder your rules using this function Use the drop sown list box to select the number of the rule you want to move The ordering of your rules is important as rules are appl...

Page 164: ...t be possible by e mail H 323 TCP 1720 Net Meeting uses this protocol HTTP TCP 80 Hyper Text Transfer Protocol a client server protocol for the world wide web HTTPS HTTPS is a secured http session oft...

Page 165: ...a channel RCMD TCP 512 Remote Command Service REAL_AUDIO TCP 7070 A streaming audio service that enables real time sound over the web REXEC TCP 514 Remote Execution Daemon RLOGIN TCP 513 Remote Login...

Page 166: ...and in UNIX environments It operates over TCP IP networks Its primary function is to allow users to log into remote host systems TFTP UDP 69 Trivial File Transfer Protocol is an Internet file transfer...

Page 167: ...ure 13 4 Creating Editing A Firewall Rule The following table describes the fields in this screen Table 13 3 Creating Editing A Firewall Rule LABEL DESCRIPTION Source Address Click SrcAdd to add a new...

Page 168: ...down list box to select whether to Block silently discard or Forward allow the passage of packets that match this rule Log This field determines if a log is created for packets that match the rule Mat...

Page 169: ...50 a subnet or any IP address Select an option from the drop down list box that includes Single Address Range Address Subnet Address and Any Address Start IP Address Type the single IP address or the...

Page 170: ...default 30 for the Prestige to wait for a TCP session to reach the established state before dropping the session FIN Wait Timeout Type the number of seconds default 60 for a TCP session to remain open...

Page 171: ...ing Custom Rules 13 15 Table 13 5 Timeout LABEL DESCRIPTION Back Click Back to return to the previous screen Apply Click Apply to save your customized settings and exit this screen Cancel Click Cancel...

Page 172: ......

Page 173: ...rt numbers not predefined by the Prestige see Figure 13 4 For a comprehensive list of port numbers and services visit the IANA Internet Assigned Number Authority website For further information on the...

Page 174: ...e of your customized service Protocol This shows the IP protocol TCP UDP or Both that defines your customized service Port This is the port number or range that defines your customized service Back Cl...

Page 175: ...e your customized service Back Click Back to return to the Firewall Customized Services screen Apply Click Apply to save your customized settings and exit this screen Cancel Click Cancel to return to...

Page 176: ...dit rule screen and then click a rule number to bring up the Firewall Customized Services Config screen Configure as follows Figure 14 4 Customized Service for MyService Example Customized services sh...

Page 177: ...utlined earlier in this chapter to configure all your rules Configure the rule configuration screen like the one below and apply it Figure 14 5 Syslog Rule Configuration Example This is your MyService...

Page 178: ...firewall rules the Rule Summary screen should look like the following Don t forget to click Apply when you have finished configuring your rule s to save your settings back to the Prestige Figure 14 6...

Page 179: ...You can set a schedule for when the Prestige performs content filtering You can also specify trusted IP addresses on the LAN for which the Prestige will not perform content filtering 15 2 Configuring...

Page 180: ...ect this check box to enable this feature Block Websites that contain these keywords in the URL This box contains the list of all the keywords that you have configured the Prestige to block Delete Hig...

Page 181: ...ou will get a message telling you that the content filter is blocking this request Back Click Back to return to the previous screen Apply Click Apply to save your changes back to the Prestige Cancel C...

Page 182: ...to the previous screen Apply Click Apply to save your changes Cancel Click Cancel to return to the previously saved settings 15 4 Configuring Trusted Computers To exclude a range of users on the LAN...

Page 183: ...P address of a specific range of users on your LAN that you want to exclude from content filtering Leave this field blank if you want to exclude an individual computer Back Click Back to return to the...

Page 184: ......

Page 185: ...VPN IPSec V Part V VPN IPSec This part provides information about configuring VPN IPSec for secure communications...

Page 186: ......

Page 187: ...ions for secure data communications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and auth...

Page 188: ...lications Linking Two or More Private Networks Together Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased li...

Page 189: ...he default standards for packet structure including implementation algorithms The Encryption Algorithm describes the use of encryption techniques such as DES Data Encryption Standard and Triple DES al...

Page 190: ...he original IP header in the hashing process 16 3 2 Tunnel Mode Tunnel mode encapsulates the entire IP packet to transmit it securely A Tunnel mode is required for gateway services to provide access t...

Page 191: ...ding headers in a new IP packet The new IP packet s source address is the outbound address of the sending VPN gateway and its destination address is the inbound address of the VPN device at the receiv...

Page 192: ......

Page 193: ...rity authentication sequence integrity replay resistance and non repudiation but not for confidentiality for which the ESP was designed In applications where confidentiality is not required or not san...

Page 194: ...d is configured as 0 0 0 0 then the Prestige will use the current Prestige WAN IP address static or dynamic to set up the VPN tunnel The Prestige has to rebuild the VPN tunnel if the My IP Address cha...

Page 195: ...y management and not Manual key management 17 5 VPN Summary Screen The following figure helps explain the main fields in the web configurator Figure 17 1 IPSec Summary Fields Local and remote IP addre...

Page 196: ...This field displays whether the VPN policy is active or not A Y signifies that this VPN policy is active Local Address This is the IP address es of computers on your local network behind your Prestig...

Page 197: ...und traffic the Prestige automatically drops the tunnel after two minutes 17 7 ID Type and Content With aggressive negotiation mode see section 17 10 1 the Prestige identifies incoming SAs by ID type...

Page 198: ...e Gateway field DNS Type a domain name up to 31 characters by which to identify the remote IPSec router E mail Type an e mail address up to 31 characters by which to identify the remote IPSec router T...

Page 199: ...IGE B Local ID type IP Local ID type IP Local ID content 1 1 1 10 Local ID content 1 1 1 10 Peer ID type E mail Peer ID type IP Peer ID content aa yahoo com Peer ID content N A 17 8 Pre Shared Key A p...

Page 200: ...Prestige 653HWI Series User s Guide 17 8 VPN Screens Figure 17 3 VPN IKE...

Page 201: ...through a secure gateway must have the same negotiation mode Local Local IP addresses must be static and correspond to the remote IPSec router s configured remote IP addresses Two active SAs cannot h...

Page 202: ...rop down menu to choose Single Range or Subnet Select Single with a single IP address Select Range for a specific range of IP addresses Select Subnet to specify IP addresses on a network by their subn...

Page 203: ...omain name Select E mail to identify the remote IPSec router by an e mail address Content When you select IP in the Peer ID Type field type the IP address of the computer with which you will make the...

Page 204: ...ame secret key which can be used to encrypt and decrypt the message or to generate and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variatio...

Page 205: ...riod expires If an IKE SA times out when an IPSec SA is already established the IPSec SA stays connected In phase 2 you must Choose which protocol to use ESP or AH for the IKE key exchange Choose an e...

Page 206: ...llows two parties to establish a shared secret over an unsecured communications channel Diffie Hellman is used within IKE SA setup to establish session keys 768 bit Group 1 DH1 and 1024 bit Group 2 DH...

Page 207: ...ens 17 15 Figure 17 5 VPN IKE Advanced The following table describes the fields in this screen Table 17 8 VPN IKE Advanced LABEL DESCRIPTION VPN IKE Protocol Enter 1 for ICMP 6 for TCP 17 for UDP etc...

Page 208: ...MTP 110 POP3 End Enter a port number in this field to define a port range This port number must be greater than that specified in the previous field If Remote Start Port is left at 0 End will also rem...

Page 209: ...egotiates in this field It may range from 60 to 3 000 000 seconds almost 35 days A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication key...

Page 210: ...is disabled NONE by default in phase 2 IPSec SA setup This allows faster IPSec setup but is not so secure Choose DH1 or DH2 from the drop down list box to enable PFS DH1 refers to Diffie Hellman Grou...

Page 211: ...ical outgoing and incoming SPIs 17 13Configuring Manual Key You only configure VPN Manual Key when you select Manual in the Key Management field on the VPN IKE screen This is the VPN Manual Key screen...

Page 212: ...dress Type field is configured to Single enter a static IP address on the LAN behind your Prestige When the Local Address Type field is configured to Range enter the beginning static IP address in a r...

Page 213: ...nd static IP address in a range of computers on the network behind the remote IPSec router When the Remote Address Type field is configured to Subnet enter a subnet mask on the network behind the remo...

Page 214: ...elect SHA1 or MD5 from the drop down list box MD5 Message Digest 5 and SHA1 Secure Hash Algorithm are hash algorithms used to authenticate packet data The SHA1 algorithm is generally considered strong...

Page 215: ...describes the fields in this screen Table 17 10 SA Monitor LABEL DESCRIPTION No This is the security association index number Name This field displays the identification name for this VPN policy Enca...

Page 216: ...N Windows Networking NetBIOS over TCP IP NetBIOS Network Basic Input Output System are TCP or UDP broadcast packets that enable a computer to find other computers It may sometimes be necessary to allo...

Page 217: ...anges of addresses cannot overlap See the following table and figure for an example Having everyone use the same pre shared key may create a vulnerability If the pre shared key is compromised all of t...

Page 218: ...parate VPN rule to simultaneously access a Prestige at headquarters They can use different IPSec parameters including the pre shared key and the local IP addresses or ranges of addresses can overlap S...

Page 219: ...If a VPN tunnel uses a remote management service port Telnet FTP WWW SNMP DNS or ICMP and terminates at the Prestige s LAN or WAN port configure remote management to allow access for that service If...

Page 220: ...Prestige 653HWI Series User s Guide 17 28 VPN Screens If the VPN tunnel terminates at the Prestige s WAN IP address configure remote management for WAN server access or LAN WAN or LAN WAN DMZ...

Page 221: ...UPnP and Logs VI Part VI Remote Management UPnP and Logs This part contains information on how to configure the Prestige for remote management setting up Universal Plug and Play UPnP and setting up an...

Page 222: ......

Page 223: ...Disable When you Choose WAN only or ALL LAN WAN you still need to configure a firewall rule to allow access To disable remote management of a service select Disable in the corresponding Server Access...

Page 224: ...P address when configuring from the WAN Use the Prestige s LAN IP address when configuring from the LAN 18 1 3 System Timeout There is a system timeout of five minutes three hundred seconds for either...

Page 225: ...Click Remote Management to open the following screen Figure 18 2 Remote Management The following table describes the fields in this screen Table 18 1 Remote Management LABEL DESCRIPTION Server Type E...

Page 226: ...IPTION Secured Client IP The default 0 0 0 0 allows any client to use this service to remotely manage the Prestige Type an IP address to restrict access to a client with a matching IP address Apply Cl...

Page 227: ...cting the icon of a UPnP device will allow you to access the information and properties of that device 19 1 2 NAT Traversal UPnP NAT traversal automates the process of allowing an application to opera...

Page 228: ...tested UPnP broadcasts are only allowed on the LAN See later sections for examples of installing UPnP in Windows XP and Windows Me as well as an example of using UPnP in Windows 19 2 1 Configuring UPn...

Page 229: ...application Allow UPnP to pass through Firewall Select this check box to allow traffic from UPnP enabled applications to bypass the firewall Clear this check box to have the firewall block all UPnP ap...

Page 230: ...rt the computer when prompted Installing UPnP in Windows XP Follow the steps below to install the UPnP in Windows XP Step 1 Click start and Control Panel Step 2 Double click Network Connections Step 3...

Page 231: ...ple This section shows you how to use the UPnP feature in Windows XP You must already have UPnP installed in Windows XP and UPnP activated on the Prestige Make sure the computer is connected to a LAN...

Page 232: ...ere automatically created Step 4 You may edit or delete the port mappings or click Add to manually add port mappings When the UPnP enabled device is disconnected from your computer all port mappings w...

Page 233: ...ou can access the web based configurator on the Prestige without finding out the IP address of the Prestige first This comes helpful if you do not know the IP address of the Prestige Follow the steps...

Page 234: ...enabled device displays under Local Network Step 5 Right click on the icon for your Prestige and select Invoke The web configurator login screen displays Step 6 Right click on the icon for your Presti...

Page 235: ...lerts and Logs An alert is a type of log that warrants more serious attention They include system errors attacks access control and attempted access to blocked web sites Some categories such as System...

Page 236: ...Prestige 653HWI Series User s Guide 20 2 Logs Screens Figure 20 1 Log Settings The following table describes the fields in this screen...

Page 237: ...enable UNIX syslog Syslog IP Address Enter the server name or IP address of the syslog server that will log the selected categories of logs Log Facility Select a location from the drop down list box T...

Page 238: ...ogs screen to see the logs for the categories that you selected in the Log Settings screen see section 20 2 Log entries in red indicate alerts The log wraps around and deletes the old entries after it...

Page 239: ...ngs page make sure that you have first filled in the Address Info fields in Log Settings see section 20 2 Refresh Click Refresh to renew the log screen Clear Log Click Clear Log to delete all the logs...

Page 240: ...forward 09 54 17 UDP src port 00520 dest port 00520 1 00 3 Apr 7 00 From 192 168 1 6 To 10 10 10 10 match forward 09 54 19 UDP src port 03516 dest port 00053 1 01 snip snip 126 Apr 7 00 From 192 168 1...

Page 241: ...Bandwidth Management VII Part VII Bandwidth Management This part provides information on the functions and configuration of Bandwidth Management...

Page 242: ......

Page 243: ...dropped packets at the next routing device For example you can set the WAN interface speed to 1000kbps if the ADSL connection has an upstream speed of 1000kbps All configuration screens display measur...

Page 244: ...available bandwidth 21 4 Bandwidth Management Usage Examples These examples show bandwidth management allotments on a WAN interface that is configured for 640Kbps 21 4 1 Application based Bandwidth M...

Page 245: ...nt Example The following example uses bandwidth classes based on LAN subnets and applications specific applications in each subnet are allotted bandwidth Table 21 1 Application and Subnet based Bandwi...

Page 246: ...er a bandwidth class s priority number is the higher the priority Assign real time applications like those using audio or video a higher priority number to provide smoother operation 21 5 2 Fairness b...

Page 247: ...estige distributes the available bandwidth equally among classes with the same priority level 21 6 1 Reserving Bandwidth for Non Bandwidth Class Traffic Do the following three steps to configure the P...

Page 248: ...e bandwidth Each class gets up to its budgeted bandwidth The administration class only uses 1 Mbps of its budgeted 2 Mbps Sales and Marketing are first to get extra bandwidth because they have the hig...

Page 249: ...ss can also borrow bandwidth from a higher parent class grandparent class if the child class s parent class is also configured to borrow bandwidth from its parent class This can go on for as many leve...

Page 250: ...idth Borrowing Example The Bill class can borrow unused bandwidth from the Sales USA class because the Bill class has bandwidth borrowing enabled The Bill class can also borrow unused bandwidth from t...

Page 251: ...on individual child classes the Prestige functions as follows 1 The Prestige sends traffic according to each bandwidth class s bandwidth budget 2 The Prestige assigns a parent class s unused bandwidt...

Page 252: ...ive Select an interface s check box to enable bandwidth management on that interface Speed kbps Enter the amount of bandwidth for this interface that you want to allocate using bandwidth management Th...

Page 253: ...restige Cancel Click Cancel to begin configuring this screen afresh 21 9 Configuring Class Setup The class setup screen displays the configured bandwidth classes by individual interface Select an inte...

Page 254: ...LABEL DESCRIPTION Interface Select an interface from the drop down list box for which you wish to set up classes Back Click Back to go to the main BW Manager screen Add Child Class Click Add Child cl...

Page 255: ...lass 21 9 1 Bandwidth Manager Class Configuration Configure a bandwidth management class in the Class Configuration screen You must use the Bandwidth Manager Summary screen to enable bandwidth managem...

Page 256: ...dwidth Manager Class Configuration The following table describes the labels in this screen Table 21 4 Bandwidth Manager Class Configuration LABEL DESCRIPTION Class Name Use the auto generated name or...

Page 257: ...ble 21 2 Bandwidth Filter The Prestige uses a bandwidth filter to identify the traffic that belongs to a bandwidth class Active Select the check box to have the Prestige use this bandwidth filter when...

Page 258: ...ns any source port number Protocol ID Enter the protocol ID service type number for example 1 for ICMP 6 for TCP or 17 for UDP A blank protocol ID means any protocol number Back Click Back to go to th...

Page 259: ...lass the statistics page is showing Budget kbps This field displays the amount of bandwidth allocated to the class Tx Packets This field displays the total number of packets transmitted Tx Bytes This...

Page 260: ...1 10 Configuring Monitor To view the Prestige s bandwidth usage and allotments click BW Manager then Monitor The screen appears as shown Figure 21 11 Bandwidth Manager Monitor The following table desc...

Page 261: ...ige 653HWI Series User s Guide Bandwidth Management 21 19 Table 21 7 Bandwidth Manager Monitor LABEL DESCRIPTION Back Click Back to go to the main BW Manager screen Refresh Click Refresh to update the...

Page 262: ......

Page 263: ...Maintenance VIII Part VIII Maintenance This part covers the maintenance screens...

Page 264: ......

Page 265: ...rt traffic statistics 22 1 Maintenance Overview The maintenance screens can help you view system information upload new firmware manage configuration and restart your Prestige 22 2 System Status Scree...

Page 266: ...Prestige 653HWI Series User s Guide 22 2 Maintenance Figure 22 1 System Status...

Page 267: ...tion IP Address This is the DSL port IP address IP Subnet Mask This is the DSL port IP subnet mask Default Gateway This is the IP address of the default gateway if applicable VPI VCI This is the Virtu...

Page 268: ...er of packets sent and number of packets received for each port 22 2 1 System Statistics Click Show Statistics in the System Status screen to open the following screen Read only information here inclu...

Page 269: ...us For the DSL port this displays the port speed and duplex setting if you re using Ethernet encapsulation and down line is down idle line ppp idle dial starting to trigger a call and drop dropping a...

Page 270: ...en configured as a server the Prestige provides the TCP IP configuration for the clients If set to None DHCP service will be disabled and you must have another DHCP server on your LAN or else the comp...

Page 271: ...LAN 22 4 1 Association List This screen displays the MAC address es of the wireless clients that are currently logged in to the network Click Wireless LAN and then Association List to open the screen...

Page 272: ...tige Back Click Back to return to the previous screen Refresh Click Refresh to renew the information in the table 22 4 2 Channel Usage Table This screen displays the state of the channels within the P...

Page 273: ...Ad hoc network is using the channel within the Prestige s transmission range Back Click Back to return to the previous screen Refresh Click Refresh to renew the information in the table 22 5 Diagnost...

Page 274: ...IP Address Type the IP address of a computer that you want to ping in order to test a connection Ping Click this button to ping the IP address that you entered Reset System Click this button to reboot...

Page 275: ...The following table describes the fields in this screen Table 22 7 Diagnostic DSL Line LABEL DESCRIPTION Reset ADSL Line Click this button to reinitialize the ADSL line The large text box above then...

Page 276: ...packet to the DSLAM ATM switch and then returns it loops it back to the Prestige The ATM loopback test is useful for troubleshooting problems with the DSLAM and ATM network Upstream Noise Margin Click...

Page 277: ...intenance 22 13 Figure 22 8 Diagnostic ISDN Line The following table describes the fields in this screen Table 22 8 Diagnostic ISDN Line LABEL DESCRIPTION Reset IDSN Line This command re initializes t...

Page 278: ...the B2 channel It is only applicable if the B2 channel is currently in use Back Click this button to go back to the main Diagnostic screen 22 6 Firmware Screen Find firmware at www zyxel com in a fil...

Page 279: ...pressed zip files before you can upload them Upload Click Upload to begin the upload process This process may take up to two minutes Reset Click this button to clear all user entered configuration inf...

Page 280: ...Network Temporarily Disconnected After two minutes log in again and check your new firmware version in the System Status screen If the upload was not successful the following screen will appear Click...

Page 281: ...Management Terminal configuration for general setup WAN backup LAN setup wireless LAN setup Internet access remote node static route NAT and enabling the firewall See the web configurator parts of thi...

Page 282: ......

Page 283: ...arity 8 data bits 1 stop bit data flow set to none 9600 bps port speed Press ENTER to display the SMT password screen The default password is 1234 23 1 2 Procedure for SMT Configuration via Telnet The...

Page 284: ...f there is no activity for longer than five minutes after you log in your Prestige will automatically log you out Figure 23 1 Login Screen 23 1 4 Prestige SMT Menu Overview The following figure gives...

Page 285: ...ge 653 SMT Menu Overview 23 2 Navigating the SMT Interface The SMT System Management Terminal is the interface that you use to configure your Prestige Several operations that you should be familiar wi...

Page 286: ...ext field respectively Entering information Type in or press SPACE BAR then press ENTER You need to fill in two types of fields The first requires you to type in the appropriate information The second...

Page 287: ...tatic routes 14 Dial in User Setup Use this menu to set up local user profiles on the Prestige 15 NAT Setup Use this menu to specify inside servers when NAT is enabled 21 Filter and Firewall Setup Use...

Page 288: ...by following the steps shown next Step 1 Enter 23 in the main menu to display Menu 23 System Security Step 2 Enter 1 to display Menu 23 1 System Security Change Password as shown next Step 3 Type your...

Page 289: ...2000 click Start Settings Control Panel and then double click System Click the Network Identification tab and then the Properties button Note the entry for the Computer name field and enter it as the...

Page 290: ...eave this field blank the ISP may assign a domain name via DHCP You can go to menu 24 8 and type sys domainname to see the current domain name used by your gateway If you want to clear this field just...

Page 291: ...lt Active Press SPACE BAR to select Yes and then press ENTER to make dynamic DNS active Yes Host Enter the domain name assigned to your Prestige by your Dynamic DNS provider me dyndns org EMAIL Enter...

Page 292: ......

Page 293: ...backup connections 25 2 ISDN Dial Backup To set up the ISDN port for use in the event that the regular WAN connection is dropped first make sure you have set up the port connection and then configure...

Page 294: ...ddress of a reliable nearby computer for example your ISP s DNS server address When using a WAN backup connection the Prestige periodically pings the addresses configured here and uses the other WAN b...

Page 295: ...u 2 1 Traffic Redirect Setup Select No default if you do not want to configure this feature Dial Backup Press SPACE BAR to select Yes or No Select Yes and press ENTER to configure Menu 2 2 Dial Backup...

Page 296: ...uses hop count as the measurement of cost with a minimum of 1 for directly connected networks The number must be between 1 and 15 a number greater than 15 means the link is down The smaller the numbe...

Page 297: ...Data Enter the telephone number s assigned to your ISDN line by your telephone company Some switch types only have one telephone number Note that the router only accepts digits please do not include...

Page 298: ...y If you place a call from a device on either A B adapter you must dial the prefix by hand PABX Number with S T Bus Number for Loopback Enter the S T bus number if the router is connected to an ISDN P...

Page 299: ...ction There are two types of ISDN Data Link Connection namely point to multipoint and point to point When you select point to multipoint the TE1 value will be assigned by negotiation with the switch W...

Page 300: ...eck the ISDN line If the loop back test fails please note the error message that you receive and take the appropriate troubleshooting action Figure 25 6 Loopback Test 25 6 NetCAPI Setup Menu Select Ye...

Page 301: ...N DATA number If the incoming phone number does not match the ISDN DATA number then the call will be routed to NetCAPI Select Called Party Subaddress if you want to direct all incoming calls to the Pr...

Page 302: ...e the Remote Node Profile 9 settings are used for a backup ISDN connection Remote Node Profile 10 enables Dial In access to the Prestige for remote management Enter 9 or 10 in Menu 11 Remote Node Setu...

Page 303: ...lds for PPPoA and PPPoE encapsulation only Enter the login name that your ISP gives you If you are using PPPoE encapsulation then this field must be of the form user domain where domain identifies you...

Page 304: ...ccessing this remote node 0 default Period hr Enter the time period in hours for how often the budget should be reset For example to allow calls to this remote node for a maximum of 10 minutes every h...

Page 305: ...psulation otherwise select Standard PPP Standard PPP default Compression Press SPACE BAR and then ENTER to select Yes to enable or No to disable Stac compression No default BACP Your Prestige negotiat...

Page 306: ...s separated by a for subtracting and adding the second port Default 32 48 25 9 Editing TCP IP Options Move the cursor to the Edit IP field in Menu 11 1 Remote Node Profile Backup ISP then press SPACE...

Page 307: ...you have multiple public WAN IP addresses for your Prestige SUA Only Select SUA Only if you have just one public WAN IP address for your Prestige The SMT uses Address Mapping Set 255 menu 15 1 see se...

Page 308: ...rom the server to the Expect field the Prestige returns the set s Send string to the server For instance a typical login sequence starts with the server printing a banner a login prompt for you to ent...

Page 309: ...e server If there are errors in the script and it gets stuck at a set for longer than the Dial Timeout in menu 2 default 60 seconds the Prestige will timeout and drop the line To debug a script go to...

Page 310: ...ckup ISP Use menu 11 5 to specify the filter set s to apply to the incoming and outgoing traffic between this remote node and the Prestige to prevent certain packets from triggering calls You can spec...

Page 311: ...ure 25 13 Menu 11 5 Dial Backup Remote Node Filter Menu 11 5 Remote Node Filter Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Call Filter Sets pr...

Page 312: ......

Page 313: ...e Ethernet traffic You seldom need to filter Ethernet traffic however the filter sets may be useful to block certain packets reduce traffic and prevent security breaches Figure 26 2 Menu 3 1 LAN Port...

Page 314: ...press ENTER to display Menu 3 2 TCP IP and DHCP Ethernet Setup as shown next Figure 26 3 Menu 3 2 TCP IP and DHCP Ethernet Setup Follow the instructions in the following table on how to configure the...

Page 315: ...or count of the IP address pool 32 Primary DNS Server Secondary DNS Server Enter the IP addresses of the DNS servers The DNS servers are passed to the DHCP clients along with the IP address and the s...

Page 316: ...enable IP Multicasting or select None to disable it None default IP Policies Create policies using SMT menu 25 see the IP Policy Routing chapter and apply them on the Prestige LAN interface here You c...

Page 317: ...enu 3 5 to set up your Prestige as the wireless access point To edit menu 3 5 enter 3 from the main menu to display Menu 3 LAN Setup When menu 3 appears press 5 and then press ENTER to display Menu 3...

Page 318: ...2 2432 Frag Threshold The threshold number of bytes for the fragmentation boundary for directed messages It is the maximum data fragment size that can be sent Enter a value between 256 and 2432 2432 W...

Page 319: ...press ENTER Filter Action Define the filter action for the list of MAC addresses in the MAC address filter table To deny access to the Prestige press SPACE BAR to select Deny Association and Menu 3 5...

Page 320: ...d will be allowed to access the router The default action Allowed Association permits association with the Prestige MAC addresses not listed will be denied access to the router MAC Address Filter Addr...

Page 321: ...Policy Routing IPPR provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator Policy based routing is appl...

Page 322: ...igure 28 2 Partitioned Logical Networks Use menu 3 2 1 to configure IP Alias on your Prestige 28 4 IP Alias Setup Use menu 3 2 to configure the first network Move the cursor to Edit IP Alias field and...

Page 323: ...Outgoing protocol filters N A IP Alias 2 No IP Address N A IP Subnet Mask N A RIP Direction N A Version N A Incoming protocol filters N A Outgoing protocol filters N A Enter here to CONFIRM or ESC to...

Page 324: ...Choices are RIP 1 RIP 2B or RIP 2M RIP 1 Incoming Protocol Filters Enter the filter set s you wish to apply to the incoming traffic between this node and the Prestige Outgoing Protocol Filters Enter...

Page 325: ...using ENET ENCAP encapsulation From the main menu type 4 to display Menu 4 Internet Access Setup as shown next Figure 28 6 Menu 4 Internet Access Setup The following table contains instructions on how...

Page 326: ...s value specifies the number of idle seconds that elapse before the Prestige automatically disconnects the PPPoE session 0 NAT Press SPACE BAR to select None SUA Only or Full Feature Please see the NA...

Page 327: ...configuring one of the remote nodes You first choose a remote node in Menu 11 Remote Node Setup You can then edit that node s profile in menu 11 1 as well as configure specific settings in three subme...

Page 328: ...ation Here are some examples of more suitable combinations in such an application Scenario 1 One VC Multiple Protocols PPPoA RFC 2364 encapsulation with VC based multiplexing is the best combination b...

Page 329: ...CAP is selected then the Rem Login Rem Password My Login My Password and Authen fields are not applicable N A ENET ENCAP Multiplexing Press SPACE BAR and then ENTER to select the method of multiplexin...

Page 330: ...hentication Protocol only Authen PAP accept PAP Password Authentication Protocol only Route This field determines the protocol used in routing Options are IP and None IP Bridge When bridging is enable...

Page 331: ...ode before the Prestige automatically disconnects the remote node 0 means that the session will not timeout When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to...

Page 332: ...configure in menu 4 all other nodes are set to Static Dynamic Rem IP Addr This is the IP address you entered in the previous menu Rem Subnet Mask Type the subnet mask assigned to the remote node My W...

Page 333: ...ype a number that approximates the cost for this link The number need not be precise but it must be between 1 and 15 In practice 2 or 3 is usually a good number 2 Private This determines if the Presti...

Page 334: ...figure while Rem IP Addr indicates the peer WAN IP 172 16 0 2 in the following figure Figure 29 4 Sample IP Addresses for a TCP IP LAN to LAN Connection 29 4 Remote Node Filter Move the cursor to the...

Page 335: ...Node ATM Layer Options In menu 11 1 move the cursor to the Edit ATM Options field and then press SPACE BAR to select Yes Press ENTER to display Menu 11 6 Remote Node ATM Layer Options There are two ve...

Page 336: ...VPI and VCI numbers need be specified for all protocols The valid range for the VPI is 0 to 255 and for the VCI is 32 to 65535 1 to 31 is reserved for local management of ATM traffic Menu 11 6 Remote...

Page 337: ...dit IP No Incoming Telco Option Rem Login Rem Password Allocated Budget min Rem CLID Period hr Call Back No Schedules Outgoing Carrier Access Code My Login My Password Authen CHAP PAP Session Options...

Page 338: ......

Page 339: ...t is directly connected to a remote node Each remote node specifies only the network to which the gateway is directly connected and the Prestige has no knowledge of the networks beyond For instance th...

Page 340: ...Setup shown next Figure 30 3 Menu 12 1 IP Static Route Setup Step 3 Now type the route number of a static route you want to configure Menu 12 1 IP Static Route Setup 1 ________ 2 ________ 3 ________ 4...

Page 341: ...to be identical to the host ID IP Subnet Mask Type the subnet mask for this destination Follow the discussion on IP Subnet Mask in this manual Gateway IP Address Type the IP address of the gateway The...

Page 342: ...this remote node in its RIP broadcasts If set to Yes this route is kept private and is not included in RIP broadcasts If No the route to this remote node will be propagated to other hosts through RIP...

Page 343: ...tocol and it also demands more CPU cycles and memory For efficiency reasons do not turn on bridging unless you need to support protocols other than IP on your network For IP enable the routing if you...

Page 344: ...Rem Subnet Mask 0 0 0 0 My WAN Addr 0 0 0 0 NAT Full Feature Address Mapping Set 2 Metric 2 Private No RIP Direction Both Version RIP 2B Multicast IGMP v2 IP Policies Press ENTER to Confirm or ESC to...

Page 345: ...our configuration or press ESC to cancel and go back to the previous screen 31 2 2 Bridge Static Route Setup Similar to network layer static routes a bridging static route tells the Prestige the route...

Page 346: ...to IP Address If available type the IP address of the destination computer that you want to bridge the packets to Gateway Node Press SPACE BAR and then ENTER to select the number of the remote node o...

Page 347: ...Server See section 32 3 1 for a detailed description of the NAT set for SUA The Prestige also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of cli...

Page 348: ...emote node that you want to configure Step 3 Move the cursor to the Edit IP Bridge field press SPACE BAR to select Yes and then press ENTER to bring up Menu 11 3 Remote Node Network Layer Options Menu...

Page 349: ...mapping sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN and the DMZ You can see two NAT address mapping sets in menu 15 1 You can only conf...

Page 350: ...ets Enter 1 to bring up Menu 15 1 Address Mapping Sets Figure 32 4 Menu 15 1 Address Mapping Sets SUA Address Mapping Set Enter 255 to display the next screen see also section 32 1 1 The fields in thi...

Page 351: ...the End IP is 255 255 255 255 255 255 255 255 Global Start IP This is the starting global IP address IGA If you have a dynamic IP enter 0 0 0 0 as the Global Start IP 0 0 0 0 Global End IP This is the...

Page 352: ...bed later and the values are displayed here Ordering Your Rules Ordering your rules is important because the Prestige applies the rules in the order that you specify When a rule matches the current pa...

Page 353: ...all the rules after the selected one will be advanced one rule None disables the Select Rule item Edit Select Rule When you choose Edit Insert Before or Delete in the previous field the cursor jumps t...

Page 354: ...ocal IP address ILA 0 0 0 0 End This is the ending local IP address ILA If the rule is for all local IPs then put the Start IP as 0 0 0 0 and the End IP as 255 255 255 255 This field is N A for One to...

Page 355: ...Server behind NAT Follow these steps to configure a server behind NAT Step 1 Enter 15 in the main menu to go to Menu 15 NAT Setup Step 2 Enter 2 to display Menu 15 2 NAT Server Sets as shown next Fig...

Page 356: ...d In the following figure you have a computer acting as an FTP Telnet and SMTP server ports 21 23 and 25 at 192 168 1 33 Step 6 Press ENTER at the Press ENTER to confirm prompt to save your configurat...

Page 357: ...net Figure 32 10 Multiple Servers Behind NAT Example 32 5 General NAT Examples The following are some examples of NAT configuration 32 5 1 Example 1 Internet Access Only In the following Internet acce...

Page 358: ...ion 32 5 The SUA Only read only option from the Network Address Translation field in menus 4 and 11 3 is specifically pre configured to handle this case Menu 4 Internet Access Setup ISP s Name MyISP E...

Page 359: ...and also go to menu 15 2 to specify the Inside Server behind the NAT as shown in the next figure Figure 32 14 Menu 15 2 1 Specifying an Inside Server Menu 15 2 1 NAT Server Setup Used for SUA Only Ru...

Page 360: ...er Four rules need to be configured two bi directional and two unidirectional as follows Rule 1 Map the first IGA to the first inside FTP server for FTP traffic in both directions 1 1 mapping giving b...

Page 361: ...direct mapping for packets going both ways and enter the local Start IP as 192 168 1 10 the IP address of FTP Server 1 the global Start IP as 10 132 50 1 our first IGA See Figure 32 17 Step 6 Repeat t...

Page 362: ...re it as shown Menu 15 1 1 Address Mapping Rules Set Name Example3 Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 192 168 1 10 10 132 50 1 1 1 2 192 168 1 11 10 132 50 2 1 1 3 0...

Page 363: ...ping as port numbers do not change for Many to Many No Overload and One to One NAT mapping types The following figure illustrates this Figure 32 19 NAT Example 4 Menu 15 2 1 NAT Server Setup Rule Star...

Page 364: ...ve configured your rule you should be able to check the settings in menu 15 1 1 as shown next Figure 32 21 Example 4 Menu 15 1 1 Address Mapping Rules Menu 15 1 1 1 Address Mapping Rule Type Many to...

Page 365: ...r the most comprehensive firewall configuration tool your Prestige has to offer For this reason it is recommended that you configure your firewall using the web configurator see the following chapters...

Page 366: ...tacks when it is active The default Policy sets 1 allow all sessions originating from the LAN to the WAN and 2 deny all sessions originating from the WAN to the LAN You may define additional Policy ru...

Page 367: ...MP system security system information and diagnosis firmware and configuration file maintenance system maintenance remote management IP Policy Routing and call scheduling See the web configurator part...

Page 368: ......

Page 369: ...re divided into incoming and outgoing filters depending on the direction of the packet relative to a port Data filtering can be applied on either the WAN side or the Ethernet side Call filtering is us...

Page 370: ...gures that follow The following figure illustrates the logic flow when executing a filter rule Data Outgoing Packet Drop packet Built in default Call Filters User defined Call Filters if applicable In...

Page 371: ...le Fetch Next Filter Set Next Filter Set Available Accept Packet Drop Packet Yes No Yes No Yes Packet intoFilter Filter Set Forward Drop No Check Next Rule Figure 34 2 Filter Rule Process You can appl...

Page 372: ...Step 1 Enter 21 in the main menu to display Menu 21 Filter and Firewall Setup Step 2 Enter 1 to display Menu 21 1 Filter Set Configuration as shown next Figure 34 3 Menu 21 Filter Set Configuration St...

Page 373: ...0 0 DA 0 0 0 0 DP 139 N D N 4 Y IP Pr 17 SA 0 0 0 0 DA 0 0 0 0 DP 137 N D N 5 Y IP Pr 17 SA 0 0 0 0 DA 0 0 0 0 DP 138 N D N 6 Y IP Pr 17 SA 0 0 0 0 DA 0 0 0 0 DP 139 N D F Enter Filter Rule Number 1...

Page 374: ...e Edit Comments field and press ENTER Step 5 Press ENTER at the message Press ENTER to confirm to display Menu 21 1 1 Filter Rules Summary that is if you selected filter set 1 in menu 21 1 See Figure...

Page 375: ...GEN for Generic IP for TCP IP Filter Rules These parameters are displayed here Menu 21 1 4 Filter Rules Summary A Type Filter Rules M m n 1 Y Gen Off 12 Len 2 Mask ffff Value 8863 N F N 2 Y Gen Off 1...

Page 376: ...ched F means to forward the packet immediately and skip checking the remaining rules D means to drop the packet N means to check the next rule n Action Not Matched F means to forward the packet immedi...

Page 377: ...a the Prestige will warn you and will not allow you to save 34 5 1 TCP IP Filter Rule This section shows you how to configure a TCP IP filter rule TCP IP rules allow you to base the rule on the fields...

Page 378: ...n IP source route The majority of IP packets do not have source route No default Destination IP Addr Type the destination IP address of the packet you want to filter This field is ignored if it is 0 0...

Page 379: ...ging option from the following None No packets will be logged Action Matched Only packets that match the rule parameters will be logged Action Not Matched Only packets that do not match the rule param...

Page 380: ...r Active Check IP Protocol Drop Drop Packet Accept Packet Drop Forward Check Next Rule Check Next Rule Check Next Rule Forward Not Matched Yes No Check Src IP Addr Apply SrcAddrMask to Src Addr Matche...

Page 381: ...sk and Value fields are specified in hexadecimal numbers Note that it takes two hexadecimal digits to represent a byte so if the length is 4 the value in either field will take 8 digits for example FF...

Page 382: ...y to the data portion before comparison Value Type the value in Hexadecimal to compare with the data portion More If Yes a matching packet is passed to the next filter rule before an action is taken o...

Page 383: ...he exact address and port on the wire Therefore the Prestige applies the protocol filters to the native IP address and port number before NAT for outgoing packets and after NAT for incoming packets On...

Page 384: ...Telnet Filter Step 1 Enter 1 in the menu 21 to display Menu 21 1 Filter Set Configuration Step 2 Enter the index number of the filter set you want to configure in this case 6 Step 3 Type a descriptive...

Page 385: ...Mask 0 0 0 0 Port Port Comp Equal TCP Estab No More No Log None Action Matched Drop Action Not Matched Forward Press ENTER to Confirm or ESC to Cancel Press SPACE BAR to choose this filter rule type T...

Page 386: ...ion shows you where to apply the filter s after you design it them Sets of factory default filter rules have been configured in menu 21 but have not been applied to filter traffic Menu 21 1 6 Filter R...

Page 387: ...ou want to apply as appropriate You can choose up to four filter sets from twelve by typing their numbers separated by commas for example 3 4 6 11 The factory default filter set NetBIOS_LAN is inserte...

Page 388: ...PPoA or PPPoE encapsulation Menu 11 5 Remote Node Filter Input Filter Sets protocol filters 6 device filters Output Filter Sets protocol filters 2 device filters Call Filter Sets Protocol filters Devi...

Page 389: ...s SNMP is a member of the TCP IP protocol suite Your Prestige supports SNMP agent functionality which allows a manager station to manage and monitor the Prestige through the network The Prestige suppo...

Page 390: ...esponse protocol based on the manager agent model The manager issues a request and the agent returns responses using the following protocol operations Get Allows the manager to retrieve an object vari...

Page 391: ...r Prestige will only respond to SNMP messages from this address A blank default field means your Prestige will respond to all SNMP messages it receives regardless of source 0 0 0 0 Trap Community Type...

Page 392: ...ined in RFC 1215 A trap is sent with the port number 5 authenticationFailure defined in RFC 1215 A trap is sent to the manager when receiving any SNMP gets or sets requirements with wrong community pa...

Page 393: ...you forget your password you have to restore the default configuration file Refer to the section on changing the system password in the Introducing the SMT chapter and the section on resetting the Pre...

Page 394: ...nistrator instructs you to do so with additional information 1812 Shared Secret Specify a password up to 31 alphanumeric characters as the key to be shared between the external authentication server a...

Page 395: ...ey must be the same on the external accounting server and Prestige When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or pre...

Page 396: ...how often a client has to re enter username and password to stay connected to the wired network This field is activated only when you select Authentication Required in the Wireless Port Control field...

Page 397: ...Prestige for a client s user name and password If the user name is not found the Prestige checks the user database on the specified RADIUS server Select RADIUS first then Local to have the Prestige fi...

Page 398: ...rs long for this user profile When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the p...

Page 399: ...Status is a tool that can be used to monitor your Prestige Specifically it gives you information on your ADSL telephone line status number of packets sent and received To get to System Status type 24...

Page 400: ...mber of received packets from this remote node Errors The number of error packets on this connection Tx B s This shows the transmission rate in bytes per second Rx B s This shows the receiving rate in...

Page 401: ...e WAN Line Status This shows the current status of the xDSL line which can be Up or Down Upstream Speed This shows the upstream transfer rate in kbps Downstream Speed This shows the downstream transfe...

Page 402: ...S is a registered trademark of ZyXEL Communications Corporation ADSL Chipset Vendor Displays the vendor of the ADSL chipset and DSL version Standard This refers to the operational protocol the Prestig...

Page 403: ...rt Speed Once you change the Prestige consol port speed you must also set the speed parameter for the communication software you are using to connect to the Prestige 37 3 Log and Trace There are two l...

Page 404: ...yslog and Accounting The Prestige uses the UNIX syslog facility to log the CDR Call Detail Record and system messages to a syslog server Syslog and accounting can be configured in Menu 24 3 2 System M...

Page 405: ...rd CDR logs all data phone line activity if set to Yes Packet Triggered The first 48 bytes or octets and protocol type of the triggering packet is sent to the UNIX syslog server when this field is set...

Page 406: ...001f06b50ec0a86614ca849a7b0427001700195b3e00000000600220008cd40000020405b4 Jul 19 11 29 06 192 168 102 2 ZYXEL Packet Trigger Protocol 1 Data 45000028240140001f06ac12c0a86614ca849a7b0427001700195b451d...

Page 407: ...nitialize the ISDN link to the telephone company ISDN Connection Test You can test to see if your ISDN line is working properly by using this option This command triggers the Prestige to perform a loo...

Page 408: ......

Page 409: ...fer to the label on the bottom of your Prestige ftp put firmware bin ras This is a sample FTP session showing the transfer of the computer file firmware bin to the Prestige ftp get rom 0 config cfg Th...

Page 410: ...upload files in menus 24 5 24 6 24 7 1 and 24 7 2 depending on whether you use the console port or Telnet Option 5 from Menu 24 System Maintenance allows you to backup the current Prestige configurati...

Page 411: ...ation file on the Prestige to your computer and renames it config rom See earlier in this chapter for more information on filename conventions Step 7 Enter quit to exit the ftp prompt 38 2 3 Example o...

Page 412: ...enabled this option Normal The server requires a unique User ID and Password to login Transfer Type You must use binary mode when uploading the configuration or firmware file Transfer files in either...

Page 413: ...4 System Maintenance Step 3 Enter command sys stdio 0 to disable the SMT timeout so the TFTP transfer will not be interrupted Enter command sys stdio 5 to restore the five minute SMT timeout default w...

Page 414: ...tige The filename for the firmware is ras and for the configuration file is rom 0 Binary Transfer the file in binary mode Abort Stop transfer of the file Refer to section 38 2 5 to read about configur...

Page 415: ...restore a previously saved configuration Note that this function erases the current configuration before restoring a previous back up configuration please do not attempt to restore unless you have a b...

Page 416: ...file config rom on your computer to the Prestige See earlier in this chapter for more information on filename conventions Step 8 Enter quit to exit the ftp prompt The Prestige will automatically rest...

Page 417: ...play menu 24 6 and enter y at the following screen Figure 38 9 System Maintenance Restore Configuration Step 2 The following screen indicates that the Xmodem download has started Figure 38 10 System M...

Page 418: ...the previous Restore Configuration section or by following the instructions in Menu 24 7 2 System Maintenance Upload System Configuration File for console port WARNING DO NOT INTERRUPT THE FILE TRANSF...

Page 419: ...after the upload system configuration file process is complete For details on FTP commands please consult the documentation of your FTP client program For details on uploading system firmware using T...

Page 420: ...he configuration file on the Prestige to your computer and renames it config rom See earlier in this chapter for more information on filename conventions Step 7 Enter quit to exit the ftp prompt The P...

Page 421: ...active and the Prestige in CI mode before and during the TFTP transfer For details on TFTP commands see following example please consult the documentation of your TFTP client program For UNIX use get...

Page 422: ...should be similar 38 4 9 Example Xmodem Firmware Upload Using HyperTerminal Click Transfer then Send File to display the following screen Figure 38 17 Example Xmodem Upload After the configuration up...

Page 423: ...ge 38 4 11 Example Xmodem Configuration Upload Using HyperTerminal Click Transfer then Send File to display the following screen Menu 24 7 2 System Maintenance Upload System Configuration File To uplo...

Page 424: ...ation File Maintenance Figure 38 19 Example Xmodem Upload After the configuration upload process has completed restart the Prestige by entering atgo Type the configuration file s location or click Bro...

Page 425: ...ting menu 24 8 See the included disk or the zyxel com web site for more detailed information on CI commands Enter 8 from Menu 24 System Maintenance A list of valid commands can be found by typing help...

Page 426: ...ng calls will be blocked To access the call control menu select option 9 in menu 24 to go to Menu 24 9 System Maintenance Call Control as shown in the next table Figure 39 3 Menu 24 9 System Maintenan...

Page 427: ...s selected Table 39 1 Menu 24 9 1 System Maintenance Budget Management FIELD DESCRIPTION EXAMPLE Remote Node Enter the index number of the remote node you want to reset just one in this case 1 Connect...

Page 428: ...em Maintenance Time and Date Setting to update the time and date settings of your Prestige as shown in the following screen Figure 39 6 Menu 24 10 System Maintenance Time and Date Setting Menu 24 10 S...

Page 429: ...unsure of this information Current Time This field displays an updated time only when you reenter this menu New Time Enter the new time in hour minute and second format Current Date This field displa...

Page 430: ......

Page 431: ...ls on configuring firewall rules 40 2 Remote Management To disable remote management of a service select Disable in the corresponding Server Access field Enter 11 from menu 24 to display Menu 24 11 Re...

Page 432: ...the SPACE BAR Choices are LAN only WAN only All or Disable The default is LAN only LAN only Secured Client IP The default 0 0 0 0 allows any client to use this service to remotely manage the Prestige...

Page 433: ...of the same type running at one time 5 There is a web remote management session running with a Telnet session A Telnet session will be disconnected if you begin a web session it will not begin if ther...

Page 434: ......

Page 435: ...ry of the network to enable the backbone to prioritize traffic Cost Savings IPPR allows organizations to distribute interactive traffic on high bandwidth high cost paths while using low cost paths for...

Page 436: ...the index of the policy set you want to configure to open Menu 25 1 IP Routing Policy Setup Menu 25 1 shows the summary of a policy set including the criteria and the action of a single policy and whe...

Page 437: ...0 25 P 6 T NM PR 0 GW 192 168 1 1 T MT PR 0 2 N __________________________________________________________________________ __________________________________________________________________________ 3...

Page 438: ...xample UDP TCP ICMP etc Type of Service Prioritize incoming network traffic by choosing from Don t Care Normal Min Delay Max Thruput Min Cost or Max Reliable Precedence Precedence value of the incomin...

Page 439: ...gateway must be the IP address of a remote node The default gateway is specified as 0 0 0 0 Type of Service Set the new TOS value of the outgoing packet Prioritize incoming network traffic by choosing...

Page 440: ...em IP Addr 0 0 0 0 Rem Subnet Mask 0 0 0 0 My WAN Addr 0 0 0 0 NAT Full Feature Address Mapping Set 2 Metric 2 Private No RIP Direction Both Version RIP 2B Multicast IGMP v2 IP Policies 2 4 7 9 Press...

Page 441: ...packets to a remote network using another policy See the next figure Figure 41 6 Example of IP Policy Routing To force Web packets coming from clients with IP addresses of 192 168 1 33 to 192 168 1 6...

Page 442: ...with protocol TCP and port FTP access through another gateway 192 168 1 100 Menu 25 1 1 IP Routing Policy Policy Set Name set1 Active Yes Criteria IP Protocol 6 Type of Service Don t Care Packet leng...

Page 443: ...ote DHCP Server N A TCP IP Setup IP Address 192 168 1 1 IP Subnet Mask 255 255 255 0 RIP Direction Both Version RIP 1 Multicast None IP Policies 1 2 Edit IP Alias No Press ENTER to Confirm or ESC to C...

Page 444: ......

Page 445: ...n next Figure 42 1 Menu 26 Schedule Setup Lower numbered sets take precedence over higher numbered sets thereby avoiding scheduling conflicts For example if sets 1 2 3 and 4 in are applied in the remo...

Page 446: ...n t be triggered up until the end of the Duration Table 42 1 Menu 26 1 Schedule Set Setup FIELD DESCRIPTION EXAMPLE Active Press SPACE BAR to select Yes or No Choose Yes and press ENTER to activate th...

Page 447: ...take effect in hour minute format 09 00 Duration Enter the maximum length of time this connection is allowed in hour minute format 08 00 Action Forced On means that the connection is maintained whethe...

Page 448: ...ofile Rem Node Name ChangeMe Route IP Active Yes Bridge No Encapsulation PPPoE Edit IP Bridge No Multiplexing VC based Edit ATM Options No Service Name Telco Option Incoming Allocated Budget min 0 Rem...

Page 449: ...TGEN This part provides information about configuring VPN IPSec for secure communications and Internal SPTGEN for configuration of multiple Prestiges See the web configurator parts of this guide for b...

Page 450: ......

Page 451: ...se main submenus 1 Define VPN policies in menu 27 1 submenus including security policies endpoint IP addresses peer IPSec router IP address and key management 2 Menu 27 2 SA Monitor allows you to mana...

Page 452: ...mmary FIELD DESCRIPTION EXAMPLE This is the VPN policy index number 1 Menu 27 VPN IPSec Setup 1 IPSec Summary 2 SA Monitor Enter Menu Selection Number Menu 27 1 IPSec Summary Name A Local Addr Start L...

Page 453: ...to Range this is the end static IP address in a range of computers on the LAN behind your Prestige When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to SUBNET this is a subnet mask on...

Page 454: ...he Secure Gateway Addr field in SMT 27 1 1 to 0 0 0 0 172 16 2 40 Remote Addr End When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to Single this is the same static IP address as in t...

Page 455: ...e When a VPN rule is deleted subsequent rules do not move up in the page list Use Go To Rule to view the page where your desired rule is listed Select Next Page or Previous Page to view the next or pr...

Page 456: ...to have the Prestige automatically re initiate the SA after the SA lifetime times out even if there is no traffic The remote IPSec router must also have keep alive enabled in order for this feature t...

Page 457: ...this IP address changes 0 0 0 0 Peer ID type Press SPACE BAR to choose IP DNS or E mail and press ENTER Select IP to identify the remote IPSec router by its IP address Select DNS to identify the remot...

Page 458: ...GLE with a single IP address Select RANGE for a specific range of IP addresses Select SUBNET to specify IP addresses on a network by their subnet mask SINGLE IP Addr Start When the Addr Type field is...

Page 459: ...ngle IP address Use RANGE for a specific range of IP addresses Use SUBNET to specify IP addresses on a network by their subnet mask SUBNET IP Addr Start When the Addr Type field is configured to Singl...

Page 460: ...eplay detection by setting this field to Yes Press SPACE BAR to select Yes or No Choose Yes and press ENTER to enable replay detection No Key Management Press SPACE BAR to choose either IKE or Manual...

Page 461: ...ared keys are best for small networks with fewer than ten nodes Enter your pre shared key here Enter up to 31 characters Any character may be used including spaces but trailing spaces are truncated Bo...

Page 462: ...lly renegotiates in this field It may range from 60 to 3 000 000 seconds almost 35 days A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authenticat...

Page 463: ...save your configuration or press ESC at any time to cancel 43 5 Manual Setup You only configure Menu 27 1 1 2 Manual Setup when you select Manual in the Key Management field in Menu 27 1 1 IPSec Setup...

Page 464: ...and then press ENTER Fill in the Key1 field below when you choose DES and fill in fields Key1 to Key3 when you choose 3DES Select NULL to set up a tunnel without encryption When you select NULL you d...

Page 465: ...may be used including spaces but trailing spaces are truncated 123456789a bcde AH Setup The AH Setup fields are N A if you chose an ESP Active Protocol SPI Decimal The SPI must be from one to four uni...

Page 466: ......

Page 467: ...le and does not timeout until the SA lifetime period expires See the web configurator part on keep alive to have the Prestige renegotiate an IPSec SA when the SA lifetime expires even if there is no t...

Page 468: ...Encryption methods include 56 bit DES and 168 bit 3DES NULL denotes a tunnel without encryption An incoming SA may have an AH in addition to ESP The Authentication Header provides strong integrity an...

Page 469: ...re save and upload multiple menus at the same time using just one configuration text file eliminating the need to navigate and configure individual SMT menus for each Prestige 45 2 The Configuration T...

Page 470: ...than 0 or 1 in the Input column of Field Identification Number 1000000 refer to Figure 45 1 Menu 1 General Setup 10000000 Configured 0 No 1 Yes 1 10000001 System Name Str Prestige 10000002 Location St...

Page 471: ...2 Please wait for the system to write SPT text file ROM t Bootbase Version V2 02 2 22 2001 13 33 11 RAM Size 8192 Kbytes FLASH Intel 8M 2 c ftp 192 168 1 1 220 PPP FTP version 1 0 ready at Sat Jan 1...

Page 472: ...nal SPTGEN FTP Upload Example c ftp 192 168 1 1 220 PPP FTP version 1 0 ready at Sat Jan 1 03 22 12 2000 User 192 168 1 1 none 331 Enter PASS command Password 230 Logged in ftp bin 200 Type I OK ftp p...

Page 473: ...Appendices and Index XII Part XII Appendices and Index This part contains additional background information and an index or key terms...

Page 474: ......

Page 475: ...e you should contact your vendor 1 Make sure the Prestige is connected to your computer s serial port VT100 terminal emulation 9600 bps is the default speed on leaving the factory Try other speeds in...

Page 476: ...the System Information and Diagnosis chapter SMT Problems with the LAN Interface Chart A 4 Troubleshooting the LAN Interface PROBLEM CORRECTIVE ACTION I cannot access the Prestige from the LAN If the...

Page 477: ...ROBLEM CORRECTIVE ACTION I cannot access the Internet Make sure the Prestige is turned on and connected to the network If the DSL LED is off refer to Chart A 3 Troubleshooting the DSL LED Verify your...

Page 478: ...figurator PROBLEM CORRECTIVE ACTION I cannot access the web configurator Refer to Chart A 7 Troubleshooting the Password Make sure that there is not an SMT console session running Check that you have...

Page 479: ...en remote management may not be possible Use the Prestige s WAN IP address when configuring from the WAN Use the Prestige s LAN IP address when configuring from the LAN Refer to Chart A 4 Troubleshoot...

Page 480: ......

Page 481: ...dress the first two octets make up the network number and the two remaining octets make up the host ID Class C addresses begin starting from the left with 1 1 0 In a class C address the first three oc...

Page 482: ...host ID using a logical AND operation A subnet mask has 32 bits each bit of the mask corresponds to a bit of the IP address If a bit in the subnet mask is a 1 then the corresponding bit in the IP addr...

Page 483: ...26 1100 0000 255 255 255 224 27 1110 0000 255 255 255 240 28 1111 0000 255 255 255 248 29 1111 1000 255 255 255 252 30 1111 1100 The first mask shown is the class C natural mask Normally if no mask is...

Page 484: ...1 128 IP Address Binary 11000000 10101000 00000001 10000000 Subnet Mask 255 255 255 128 Subnet Mask Binary 11111111 11111111 11111111 10000000 Subnet Address 192 168 1 128 Lowest Host ID 192 168 1 129...

Page 485: ...0000001 00000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 0 Lowest Host ID 192 168 1 1 Broadcast Address 192 168 1 63 Highest Host ID 192 168 1 62 Chart B 8 Subn...

Page 486: ...110 The following table shows class C IP address last octet values for each subnet Chart B 11 Eight Subnets SUBNET SUBNET ADDRESS FIRST ADDRESS LAST ADDRESS BROADCAST ADDRESS 1 0 1 30 31 2 32 33 62 6...

Page 487: ...three host ID octets see Chart B 1 available for subnetting The following table is a summary for class B subnet planning Chart B 13 Class B Subnet Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNET...

Page 488: ...e 653HWI Series User s Guide B 8 IP Subnetting Chart B 13 Class B Subnet Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 14 255 255 255 252 30 16384 2 15 255 255 255 254 31 3...

Page 489: ...ve from meeting to meeting accessing up to date information that facilitates the ability to communicate decisions on the fly 5 It provides campus wide networking coverage allowing enterprises the roam...

Page 490: ...k Infrastructure Wireless LAN Configuration For Infrastructure WLANs multiple access points APs link the WLAN to the wired network and allow users to efficiently share network resources The Access Poi...

Page 491: ...Prestige 653HWI Series User s Guide Wireless LAN and IEEE 802 11 C 3 Diagram C 2 ESS Provides Campus Wide Coverage...

Page 492: ......

Page 493: ...Higher antenna gain improves the range of the signal for better communications For an indoor site each 1 dB increase in antenna gain results in a range increase of approximately 2 5 For an unobstruct...

Page 494: ...ns In point to point application position both transmitting and receiving antenna at the same height and in a direct line of sight to each other to attend the best performance For omni directional ant...

Page 495: ...er similar to dial up services using PPP Benefits of PPPoE PPPoE offers the following benefits 1 It provides you with a familiar dial up networking DUN user interface 2 It lessens the burden on the ca...

Page 496: ...col LAC L2TP Access Concentrator and tunnels the PPP frames to the ISP The L2TP tunnel is capable of carrying multiple PPP sessions With PPPoE the VC Virtual Circuit is equivalent to the dial up conne...

Page 497: ...Prestige 653HWI Series User s Guide PPPoE E 3 Diagram E 2 Prestige as a PPPoE Client...

Page 498: ......

Page 499: ...etween circuit end points Diagram F 1 Virtual Circuit Topology Think of a virtual path as a cable that contains a bundle of wires The cable connects two points and wires within the cable provide indiv...

Page 500: ......

Page 501: ...2 No 223 NORTH AMERICAN PLUG STANDARDS AC Power Adapter Model AA 121A25 Input Power AC120Volts 60Hz 19W Output Power AC 16Volts 1 25A Power Consumption 14W Safety Standards UL CUL UL 1310 CSA C22 2 N...

Page 502: ...Prestige 653HWI Series User s Guide G 2 Power Adaptor Specifications Power Consumption 14W Safety Standards ITS GS CE EN 60950...

Page 503: ...n Number not seen in SMT screens FN Field Name PVA Parameter Values Allowed INPUT An example of what you may enter The following are Internal SPTGEN screens associated with the SMT screens of your Pre...

Page 504: ...Output protocol filters Set 2 256 30100011 Output protocol filters Set 3 256 30100012 Output protocol filters Set 4 256 30100013 Output device filters Set 1 256 30100014 Output device filters Set 2 2...

Page 505: ...1 12 256 30200016 IP Policies Set 4 1 12 256 MENU 3 2 1 IP ALIAS SETUP SMT MENU 3 2 1 FIN FN PVA INPUT 30201001 IP Alias 1 0 No 1 Yes 0 30201002 IP Address 0 0 0 0 30201003 IP Subnet Mask 0 30201004...

Page 506: ...ction 0 None 1 Both 2 In Only 3 Out Only 0 30201018 Version 0 Rip 1 1 Rip 2B 2 Rip 2M 0 30201019 IP Alias 2 Incoming protocol filters Set 1 256 30201020 IP Alias 2 Incoming protocol filters Set 2 256...

Page 507: ...0 WEP Key3 30500011 WEP Key4 MENU 3 5 1 WLAN MAC ADDRESS FILTER SMT MENU 3 5 1 30501001 Mac Filter Active 0 No 1 Yes 0 30501002 Filter Action 0 Allow 1 Deny 0 30501003 Address 1 00 00 00 00 00 00 3050...

Page 508: ...et 1 6 40000017 ISP incoming protocol filter set 2 256 40000018 ISP incoming protocol filter set 3 256 40000019 ISP incoming protocol filter set 4 256 40000020 ISP outgoing protocol filter set 1 256 4...

Page 509: ...Static Route set 1 Gateway 0 0 0 0 120101006 IP Static Route set 1 Metric 0 120101007 IP Static Route set 1 Private 0 No 1 Yes 0 MENU 12 1 2 IP STATIC ROUTE SETUP SMT MENU 12 1 2 FIN FN PVA INPUT 1201...

Page 510: ...ute set 4 Active 0 No 1 Yes 0 120104003 IP Static Route set 4 Destination IP address 0 0 0 0 120104004 IP Static Route set 4 Destination IP subnetmask 0 120104005 IP Static Route set 4 Gateway 0 0 0 0...

Page 511: ...12 1 7 IP STATIC ROUTE SETUP SMT MENU 12 1 7 FIN FN PVA INPUT 120107001 IP Static Route set 7 Name Str 120107002 IP Static Route set 7 Active 0 No 1 Yes 0 120107003 IP Static Route set 7 Destination I...

Page 512: ...0109006 IP Static Route set 9 Metric 0 120109007 IP Static Route set 9 Private 0 No 1 Yes 0 MENU 12 1 10 IP STATIC ROUTE SETUP SMT MENU 12 1 10 FIN FN PVA INPUT 120110001 IP Static Route set 10 Name 1...

Page 513: ...e set 12 Destination IP address 0 0 0 0 120112004 IP Static Route set 12 Destination IP subnetmask 0 120112005 IP Static Route set 12 Gateway 0 0 0 0 120112006 IP Static Route set 12 Metric 0 12011200...

Page 514: ...PVA INPUT 120115001 IP Static Route set 15 Name Str 120115002 IP Static Route set 15 Active 0 No 1 Yes 0 120115003 IP Static Route set 15 Destination IP address 0 0 0 0 120115004 IP Static Route set...

Page 515: ...150000006 SUA Server 2 Local IP address 0 0 0 0 150000007 SUA Server 3 Active 0 No 1 Yes 0 150000008 SUA Server 3 Protocol 0 All 6 TCP 17 U DP 0 150000009 SUA Server 3 Port Start 0 150000010 SUA Serv...

Page 516: ...000030 SUA Server 7 Port End 0 150000031 SUA Server 7 Local IP address 0 0 0 0 150000032 SUA Server 8 Active 0 No 1 Yes 0 150000033 SUA Server 8 Protocol 0 All 6 TCP 17 U DP 0 150000034 SUA Server 8 P...

Page 517: ...T 1 SMT MENU 21 FIN FN PVA INPUT 210100001 Filter Set 1 Name Str MENU 21 1 1 1 FILTER SET 1 RULE 1 SMT MENU 21 1 1 1 FIN FN PVA INPUT 210101001 IP Filter Set 1 Rule 1 Type 2 TCP IP 2 210101002 IP Filt...

Page 518: ...2 FIN FN PVA INPUT 210102001 IP Filter Set 1 Rule 2 Type 2 TCP IP 2 210102002 IP Filter Set 1 Rule 2 Active 0 No 1 Yes 1 210102003 IP Filter Set 1 Rule 2 Protocol 6 210102004 IP Filter Set 1 Rule 2 De...

Page 519: ...3 Dest IP address 0 0 0 0 210103005 IP Filter Set 1 Rule 3 Dest Subnet Mask 0 210103006 IP Filter Set 1 Rule 3 Dest Port 139 210103007 IP Filter Set 1 Rule 3 Dest Port Comp 0 none 1 equal 2 not equal...

Page 520: ...lter Set 1 Rule 4 Src IP address 0 0 0 0 210104009 IP Filter Set 1 Rule 4 Src Subnet Mask 0 210104010 IP Filter Set 1 Rule 4 Src Port 0 210104011 IP Filter Set 1 Rule 4 Src Port Comp 0 none 1 equal 2...

Page 521: ...5 Act Match 1 check next 2 forward 3 dr op 3 210105014 IP Filter Set 1 Rule 5 Act Not Match 1 Check Next 2 Forward 3 Drop 1 MENU 21 1 1 6 SET 1 RULE 6 SMT MENU 21 1 1 6 FIN FN PVA INPUT 210106001 IP F...

Page 522: ...Nam Str NetBIOS_WAN MENU 21 1 2 1 FILTER SET 2 RULE 1 SMT MENU 21 1 2 1 FIN FN PVA INPUT 210201001 IP Filter Set 2 Rule 1 Type 0 none 2 TCP IP 2 210201002 IP Filter Set 2 Rule 1 Active 0 No 1 Yes 1 21...

Page 523: ...IP Filter Set 2 Rule 2 Active 0 No 1 Yes 1 210202003 IP Filter Set 2 Rule 2 Protocol 6 210202004 IP Filter Set 2 Rule 2 Dest IP address 0 0 0 0 210202005 IP Filter Set 2 Rule 2 Dest Subnet Mask 0 2102...

Page 524: ...Mask 0 210203006 IP Filter Set 2 Rule 3 Dest Port 139 210203007 IP Filter Set 2 Rule 3 Dest Port Comp 0 none 1 equal 2 not equal 3 less 4 great er 1 210203008 IP Filter Set 2 Rule 3 Src IP address 0...

Page 525: ...210204009 IP Filter Set 2 Rule 4 Src Subnet Mask 0 210204010 IP Filter Set 2 Rule 4 Src Port 0 210204011 IP Filter Set 2 Rule 4 Src Port Comp 0 none 1 equal 2 not equal 3 less 4 great er 0 210204013...

Page 526: ...Filter Set 2 Rule 5 Act Match 1 check next 2 forward 3 dr op 3 210205014 IP Filter Set 2 Rule 5 Act Not Match 1 check next 2 forward 3 dr op 1 MENU 21 1 2 6 FILTER SET 2 RULE 6 SMT MENU 21 1 2 5 FIN F...

Page 527: ...4 MENU 23 2 SYSTEM SECURITY RADIUS SERVER SMT MENU 23 2 FIN FN PVA INPUT 230200001 Authentication Server Configured 0 No 1 Yes 1 230200002 Authentication Server Active 0 No 1 Yes 1 230200003 Authentic...

Page 528: ...100005 FTP Server Access 0 all 1 none 2 Lan 3 Wan 0 241100006 FTP Server Secured IP address 0 0 0 0 241100007 WEB Server Port 80 241100008 WEB Server Access 0 all 1 none 2 Lan 3 Wan 0 241100009 WEB Se...

Page 529: ...requires the purchase of a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the appropr...

Page 530: ...K If you need TCP IP a In the Network window click Add b Select Protocol and then click Add c Select Microsoft from the list of manufacturers d Select TCP IP from the list of network protocols and the...

Page 531: ...omatically If you have a static IP address select Specify an IP address and type your information into the IP Address and Subnet Mask fields 3 Click the DNS Configuration tab If you do not know your D...

Page 532: ...d and click Add 5 Click OK to save and close the TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your Prestige and restart your computer whe...

Page 533: ...Windows 2000 NT XP 1 For Windows XP click start Control Panel In Windows 2000 NT click Start Settings Control Panel 2 For Windows XP click Network Connections For Windows 2000 NT click Network and Dia...

Page 534: ...Win XP and click Properties 5 The Internet Protocol TCP IP Properties window opens the General tab in Windows XP If you have a dynamic IP address click Obtain an IP address automatically If you have...

Page 535: ...IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default gateways in the IP Settings tab...

Page 536: ...and Alternate DNS server fields If you have previously configured DNS servers click Advanced and then the DNS tab to order them 8 Click OK to close the Internet Protocol TCP IP Properties window 9 Cli...

Page 537: ...s User s Guide Setting up Your Computer s IP Address I 9 Macintosh OS 8 9 1 Click the Apple menu Control Panel and double click TCP IP to open the TCP IP Control Panel 2 Select Ethernet built in from...

Page 538: ...in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your Prestige in the Router address box 5 Close the TCP IP Control Panel 6 Click Save if prompted to save chan...

Page 539: ...elect Using DHCP from the Configure list 4 For statically assigned settings do the following From the Configure box select Manually Type your IP address in the IP Address box Type your subnet mask in...

Page 540: ......

Page 541: ...lephone sets Install the POTS splitter at the point where the telephone line enters your residence as shown in the following figure Diagram J 1 Connecting a POTS Splitter Step 1 Connect the side label...

Page 542: ...ilter Step 3 Connect another cable from the double jack end of the Y Connector to the Prestige Step 4 Connect the phone side of the microfilter to your telephone as shown in the following figure Diagr...

Page 543: ...The DHCP server assigned an IP address to a client SMT Login Successfully Someone has logged on to the router s SMT interface SMT Login Fail Someone has failed to log on to the router s SMT interface...

Page 544: ...rbid ActiveX Destination Contains Java applet Web Block The Prestige blocked access to an IP address or domain name that contains a Java applet because the content filter is set to forbid Java applets...

Page 545: ...detected a TCP SMTP illegal command attack NetBIOS TCP The firewall detected a TCP NetBIOS attack ip spoofing no routing entry Protocol The firewall detected an IP spoofing attack while the Prestige...

Page 546: ...IP Protocol Direction Access did not match a firewall rule s destination IP address and the Prestige logged it src IP Protocol Direction Access did not match a firewall rule s source IP address and t...

Page 547: ...pport the ICMP packet s protocol 2 The ICMP packet is an echo reply for which there was no corresponding echo request Router reply ICMP packet The router sent an ICMP response packet This packet autom...

Page 548: ...etwork on the route to the destination network 5 Redirect 0 Redirect datagrams for the Network 1 Redirect datagrams for the Host 2 Redirect datagrams for the Type of Service and Network 3 Redirect dat...

Page 549: ...nder IPSec Log The following figure shows a typical log from the VPN connection peer Index Date Time Log 001 01 Jan 08 02 22 Send Main Mode request to 192 168 100 101 002 01 Jan 08 02 22 Send SA 003 0...

Page 550: ...Prestige has received an IKE negotiation request from the peer Recv Symbol IKE uses the ISAKMP protocol refer to RFC2408 ISAKMP to transmit data Each ISAKMP packet contains payloads of different type...

Page 551: ...es exchange policy details including local and remote IP address ranges If these ranges differ then the connection fails Local remote IPs of incoming request conflict with rule d If the security gatew...

Page 552: ...e incoming packet did not match vs My Local IP address The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router The...

Page 553: ...on settings are incorrect Please check them Rule d idle time out disconnect If an SA has no packets transmitted for a period of time configurable via CI command the Prestige drops the connection The f...

Page 554: ......

Page 555: ...tication 25 11 29 4 29 5 Authentication Protocol Outgoing 29 5 auto negotiation 1 4 B Backup 38 2 Bandwidth Borrowing 21 7 Bandwidth Class 21 1 Bandwidth Filter 21 1 21 15 Bandwidth Management 1 4 21...

Page 556: ...iting 14 2 Introduction 14 1 Customer Support v Customized Services 14 2 D data compression 1 3 Data decryption 6 4 Data encryption 6 4 Data Filtering 34 1 Data Link Connection 25 7 Default Policy Log...

Page 557: ...ter Structure 34 4 Generic Filter Rule 34 13 Remote Node 29 8 Remote Node Filter 29 8 Remote Node Filters 34 19 Sample 34 17 SUA 34 15 TCP IP Filter Rule 34 9 Filter Configuration 34 1 Filter Log 37 7...

Page 558: ...2 IEEE 802 11 C 1 IGMP 5 3 IGMP support 25 16 29 7 IKE 13 8 IKE Setup 43 11 Incoming Call Support 1 4 Independent Basic Service Set C 2 Infrastructure Configuration C 2 Install UPnP 19 3 Windows Me 19...

Page 559: ...ISDN Interface 1 3 ISDN Remote Node Profile 25 10 ISDN Setup 25 8 ISDN DCP 7 1 K Key Fields For Configuring Rules 13 2 L LAN 37 3 LAN Configuration 5 4 LAN Interface Troubleshooting A 2 LAN Setup 5 1...

Page 560: ...NetCAPI Server 7 11 NetCAPI Setup 25 8 Network Address Translation 28 6 Network Address Translation NAT 1 4 8 1 32 1 Network Authentication 6 8 Network Management 1 7 8 7 Networking Compatibility 1 6...

Page 561: ...ewall 12 1 33 1 Troubleshooting A 5 Remote Management and NAT 18 2 Remote Management Limitations 18 1 40 2 Remote Management Setup 40 1 Remote Node 29 1 37 2 Network Layer 29 5 Remote Node Profile 29...

Page 562: ...rce Address 13 3 13 11 Source Based Routing 41 1 Splitters J 1 SPTGEN Screens H 1 SQL NET 13 9 SSH 13 9 Stac data compression 1 3 Start Up Troubleshooting A 1 Stateful Inspection 1 2 11 1 11 2 11 7 11...

Page 563: ...15 Setup 25 3 Traffic Shaping 7 3 Traffic Shaping Example 7 4 Transmission Rates 1 1 Transport Mode 16 5 Troubleshooting A 1 Tunnel Mode 16 5 Type of Service 41 1 41 3 41 4 41 5 U UDP ICMP Security 11...

Page 564: ...Web Configurator Navigation 2 2 WEP 6 4 WEP 6 4 WEP Encryption 27 2 Windows 2000 NT XP I 5 Windows 95 98 Me I 1 WIRED EQUIVALENT PRIVACY 6 3 Wireless Channel 6 1 Wireless LAN C 1 6 1 27 1 Benefits C 1...

Reviews:

No comments

Related manuals for Prestige 653HWI series

Brand: ABB Pages: 16

Brand: TempAlert Pages: 22

Brand: Yeastar Technology Pages: 10

NETcon D-G-64NE

Brand: ZIEHL-ABEGG Pages: 27

Brand: TANDBERG Pages: 54

Brand: WaveWare Pages: 18

Brand: AVIRE Pages: 41

Brand: Fife Pages: 48

Brand: ABB Pages: 20

CloudGate-mini Wi-Fi

Brand: Carel Pages: 2

Brand: Crow Pages: 29

Brand: Hitron Pages: 124

Brand: Entone Pages: 5

Brand: Wildix Pages: 3

Brand: Technicolor Pages: 103

IQ Combiner 3C-ES

Brand: enphase Pages: 8

Brand: enphase Pages: 32

Brand: Lantronix Pages: 2

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands