manualshive.com logo in svg

ZyXEL Communications Prestige 662HW Series, User Manual

Share
Download
ZyXEL Communications Prestige 662HW Series User Manual Download Page 147

Prestige 662HW Series User’s Guide 

Firewall Configuration 

        12-19 

12.12.1 Threshold 

Values 

Tune these parameters when something is not working and after you have checked the firewall 
counters. These default values should work fine for most small offices. Factors influencing choices for 
threshold values are: 

♦ 

The maximum number of opened sessions. 

♦ 

The minimum capacity of server backlog in your LAN network. 

♦ 

The CPU power of servers in your LAN network. 

♦ 

Network bandwidth.  

♦ 

Type of traffic for certain servers. 

If your network is slower than average for any of these factors (especially if you have servers that are 
slow or handle many tasks and are often busy), then the default values should be reduced. 
You should make any changes to the threshold values before you continue configuring firewall rules.  

12.12.2 Half-Open 

Sessions 

An unusually high number of half-open sessions (either an absolute number or measured as the arrival 
rate) could indicate that a Denial of Service attack is occurring. For TCP, "half-open" means that the 
session has not reached the established state-the TCP three-way handshake has not yet been completed 
(see 

Figure 11-2

). For UDP, "half-open" means that the firewall has detected no return traffic. 

The Prestige measures both the total number of existing half-open sessions and the rate of session 
establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and 
rate measurements. Measurements are made once a minute. 

When the number of existing half-open sessions rises above a threshold (

max-incomplete high

), the 

Prestige starts deleting half-open sessions as required to accommodate new connection requests. The 
Prestige continues to delete half-open requests as necessary, until the number of existing half-open 
sessions drops below another threshold (

max-incomplete low

). 

When the rate of new connection attempts rises above a threshold (

one-minute high

), the Prestige 

starts deleting half-open sessions as required to accommodate new connection requests. The Prestige 
continues to delete half-open sessions as necessary, until the rate of new connection attempts drops 
below another threshold (

one-minute low

). The rate is the number of new attempts detected in the last 

one-minute sample period. 

TCP Maximum Incomplete and Blocking Time 

An unusually high number of half-open sessions with the same destination host address could indicate 
that a Denial of Service attack is being launched against the host.  

Whenever the number of half-open sessions with the same destination host address rises above a 
threshold (

TCP Maximum Incomplete

), the Prestige starts deleting half-open sessions according to 

one of the following methods: 

♦ 

If the 

Blocking Time

 

timeout is 0 (the default), then the Prestige deletes the oldest existing 

half-open session for the host for every new connection request to the host. This ensures that 
the number of half-open sessions to a given host will never exceed the threshold.  

♦ 

If the 

Blocking Time

 

timeout is greater than 0, then the Prestige blocks all new connection 

requests to the host giving the server time to handle the present connections. The Prestige 
continues to block all new connection requests until the 

Blocking Time

 

expires.  

Summary of Contents for Prestige 662HW Series

Page 1: ...Prestige 662HW Series 802 11g Wireless ADSL 2 4 Port Security Gateway User s Guide Version 3 40 May 2004...

Page 2: ...by ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does i...

Page 3: ...nstructions may cause harmful interference to radio communications If this equipment does cause harmful interference to radio television reception which can be determined by turning the equipment off...

Page 4: ...the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose ZyXEL shall in no event b...

Page 5: ...09 0 www zyxel de GERMANY sales zyxel de 49 2405 6909 99 ZyXEL Deutschland GmbH Adenauerstr 20 A2 D 52146 Wuerselen Germany 33 0 4 72 52 97 97 FRANCE info zyxel fr 33 0 4 72 52 19 20 www zyxel fr ZyXE...

Page 6: ...etup Introduction 3 1 3 2 Encapsulation 3 1 3 3 Multiplexing 3 2 3 4 VPI and VCI 3 2 3 5 Wizard Setup Configuration First Screen 3 2 3 6 IP Address and Subnet Mask 3 3 3 7 IP Address Assignment 3 4 3...

Page 7: ...T Screens 8 1 8 1 NAT Overview 8 1 8 2 SUA Single User Account Versus NAT 8 4 8 3 SUA Server 8 4 8 4 Selecting the NAT Mode 8 5 8 5 Configuring SUA Server 8 6 8 6 Configuring Address Mapping 8 7 8 7 E...

Page 8: ...2 16 4 Secure Gateway Address 16 2 16 5 VPN Summary Screen 16 2 16 6 Keep Alive 16 4 16 7 NAT Traversal 16 5 16 8 ID Type and Content 16 6 16 9 Pre Shared Key 16 8 16 10 Editing VPN Policies 16 8 16 1...

Page 9: ...3 Changing the System Password 22 4 Chapter 23 Menu 1 General Setup 23 1 23 1 General Setup 23 1 23 2 Procedure To Configure Menu 1 23 1 Chapter 24 Menu 2 WAN Backup Setup 24 1 24 1 Introduction to WA...

Page 10: ...n 34 1 34 1 About SNMP 34 1 34 2 Supported MIBs 34 2 34 3 SNMP Configuration 34 2 34 4 SNMP Traps 34 3 Chapter 35 System Security 35 1 35 1 System Security 35 1 35 2 Creating User Accounts on the Pres...

Page 11: ...e Format 44 1 44 3 Internal SPTGEN FTP Download Example 44 2 44 4 Internal SPTGEN FTP Upload Example 44 3 Appendices and Index XII Appenidx A Troubleshooting A 1 Problems Starting Up the Prestige A 1...

Page 12: ...WAN IP Addresses 5 1 Figure 5 2 LAN Setup 5 5 Figure 5 3 LAN Static DHCP 5 7 Figure 6 1 RTS CTS 6 2 Figure 6 2 Prestige Wireless Security Levels 6 3 Figure 6 3 Wireless 6 4 Figure 6 4 MAC Address Filt...

Page 13: ...l Example Rule Summary 12 12 Figure 12 9 Firewall Example Edit Rule Destination Address 12 12 Figure 12 10 Edit Custom Port Example 12 13 Figure 12 11 Firewall Example Edit Rule Select Customized Serv...

Page 14: ...th Allotment Example 20 4 Figure 20 5 Maximize Bandwidth Usage Example 20 5 Figure 20 6 Bandwidth Borrowing Example 20 6 Figure 20 7 Media Bandwidth Management Summary 20 7 Figure 20 8 Media Bandwidth...

Page 15: ...e Node Filter PPPoA or PPPoE Encapsulation 28 8 Figure 28 7 Menu 11 6 for VC based Multiplexing 28 8 Figure 28 8 Menu 11 6 for LLC based Multiplexing or PPP Encapsulation 28 9 Figure 28 9 Menu 11 1 Re...

Page 16: ...Device Filter Sets 33 10 Figure 33 11 Sample Telnet Filter 33 11 Figure 33 12 Menu 21 1 6 1 Sample Filter 33 12 Figure 33 13 Menu 21 1 6 1 Sample Filter Rules Summary 33 13 Figure 33 14 Filtering Ethe...

Page 17: ...Routing Policy Setup 40 3 Figure 40 3 Menu 25 1 1 IP Routing Policy 40 4 Figure 40 4 Menu 3 2 TCP IP and DHCP Ethernet Setup 40 5 Figure 40 5 Menu 11 3 Remote Node Network Layer Options 40 6 Figure 40...

Page 18: ...13 Table 6 6 Wireless LAN 802 1x WPA for WPA Protocol 6 15 Table 6 7 Wireless LAN 802 1x WPA for WPA PSK Protocol 6 16 Table 6 8 Local User Database 6 18 Table 6 9 RADIUS 6 18 Table 7 1 WAN Setup 7 4...

Page 19: ...ration Example 16 7 Table 16 7 VPN IKE 16 9 Table 16 8 VPN IKE Advanced Setup 16 15 Table 16 9 VPN Manual Key 16 18 Table 16 10 VPN SA Monitor 16 21 Table 16 11 VPN Global Setting 16 22 Table 16 12 Te...

Page 20: ...rk Layer Options 28 5 Table 28 3 Menu 11 8 Advance Setup Options 28 10 Table 29 1 Menu12 1 1 Edit IP Static Route 29 3 Table 30 1 Remote Node Network Layer Options Bridge Fields 30 3 Table 30 2 Menu 1...

Page 21: ...3 Table 38 2 Menu 24 10 System Maintenance Time and Date Setting 38 5 Table 39 1 Menu 24 11 Remote Management Control 39 2 Table 40 1 Menu 25 1 IP Routing Policy Setup 40 3 Table 40 2 Menu 25 1 1 IP R...

Page 22: ...t A 9 Troubleshooting Remote Management A 3 Chart B 1 Classes of IP Addresses B 1 Chart B 2 Allowed IP Address Range By Class B 2 Chart B 3 Natural Masks B 2 Chart B 4 Alternative Subnet Mask Notation...

Page 23: ...interfaces Related Documentation Supporting Disk Refer to the included CD for support documents Compact Guide The Compact Guide is designed to help you get up and running right away They contain conn...

Page 24: ...use e g as a shorthand for for instance and i e for that is or in other words throughout this manual The Prestige 662HW series 802 11g Wireless ADSL 2 4 Port Security Gateway may be referred to as th...

Page 25: ...al services ADSL are suitable for Internet users because more information is usually downloaded than uploaded For example a simple button click in a web browser can start an extended download that inc...

Page 26: ......

Page 27: ...t I I Getting Started This part is structured as a step by step guide to help you access your Prestige It covers key features and applications accessing the web configurator and configuring the wizar...

Page 28: ......

Page 29: ...etc By integrating DSL and NAT the Prestige provides ease of installation and Internet access The Prestige is also a complete security solution with a robust firewall and content filtering Three Pres...

Page 30: ...firewall is activated all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN The Prestige firewall supports TCP UDP inspection DoS detection and prevention real t...

Page 31: ...ireless network to help keep network communications private Wi Fi Protected Access Wi Fi Protected Access WPA is a subset of the IEEE 802 11i security specification draft Key differences between WPA a...

Page 32: ...fer of either 10 Mbps or 100 Mbps in either half duplex or full duplex mode depending on your Ethernet network Auto Crossover MDI MDI X 10 100 Mbps Ethernet Interface s These interfaces automatically...

Page 33: ...ditionally routing is based on the destination address only and the router takes the shortest path to forward a packet IP Policy Routing IPPR provides a mechanism to override the default routing behav...

Page 34: ...Ease of Installation Your Prestige is designed for quick intuitive and easy installation Housing Your Prestige s compact and ventilated housing minimizes space requirements making it easy to position...

Page 35: ...ion from attacks by Internet hackers By default the firewall blocks all incoming traffic from the WAN The firewall supports TCP UDP inspection and DoS Denial of Services detection and prevention as we...

Page 36: ......

Page 37: ...g the Prestige Web Configurator 1 Make sure your Prestige hardware is properly connected refer to the Compact Guide 2 Prepare your computer computer network to connect to the Prestige refer to the Com...

Page 38: ...the RESET button for ten seconds or until the PWR SYS LED begins to blink and then release it When the PWR SYS LED begins to blink the defaults have been restored and the Prestige restarts 2 4 Navigat...

Page 39: ...erties and WAN backup settings NAT SUA Only Use this screen to configure servers behind the Prestige Full Feature Use this screen to configure network address translation mapping rules Dynamic DNS Use...

Page 40: ...hange your Prestige s log settings View Log Use this screen to view the logs for the categories that you selected Media Bandwidth Management Summary Use this screen to allocate an interface s outgoing...

Page 41: ...your ISP 3 2 2 PPP over Ethernet PPPoE provides access control and billing functionality in a manner similar to dial up services using PPP The Prestige bridges a PPP session over Ethernet PPP over Eth...

Page 42: ...tifying information being contained in each packet header Despite the extra bandwidth and processing overhead this method may be advantageous if it is not practical to have a separate VC for each carr...

Page 43: ...btain your network number depends on your particular situation If the ISP or your network administrator assigns you a block of registered IP addresses follow their instructions in selecting the IP add...

Page 44: ...or a static IP you must fill in all the IP Address and ENET ENCAP Gateway fields as supplied by your ISP However for a dynamic IP the Prestige acts as a DHCP client on the WAN port and so the IP Addre...

Page 45: ...ction when turned on and whenever the connection is down A nailed up connection can be very expensive for obvious reasons Do not specify a nailed up connection unless your telephone company offers fla...

Page 46: ...elow Connection Select Connect on Demand when you don t want the connection up all the time and specify an idle time out in seconds in the Max Idle Timeout field The default setting selects Connection...

Page 47: ...atic IP address is a fixed IP that your ISP gives you A dynamic IP address is not fixed the ISP assigns you a different one each time you connect to the Internet The Single User Account feature can be...

Page 48: ...rnet Connection with PPPoA LABEL DESCRIPTION User Name Enter the login name that your ISP gives you Password Enter the password associated with the user name above IP Address This option is available...

Page 49: ...ext to continue to the next wizard screen 3 11 DHCP Setup DHCP Dynamic Host Configuration Protocol RFC 2131 and RFC 2132 allows individual clients to obtain TCP IP configuration at start up from a ser...

Page 50: ...rd Setup Figure 3 6 Wizard Screen 3 If you want to change your Prestige LAN settings click Change LAN Configuration to display the screen as shown next Figure 3 7 Wizard LAN Configuration The followin...

Page 51: ...r When DHCP server is used set the following items Client IP Pool Starting Address This field specifies the first of the contiguous addresses in the IP address pool Size of Client IP Pool This field s...

Page 52: ...ser and navigate to www zyxel com Internet access is just the beginning Refer to the rest of this User s Guide for more detailed information on the complete range of Prestige features If you cannot ac...

Page 53: ...Password LAN Wireless LAN and WAN II P Pa ar rt t I II I Password LAN Wireless LAN and WAN This part covers the password LAN Local Area Network Wireless LAN and WAN setup...

Page 54: ......

Page 55: ...commended click Password The screen appears as shown Figure 4 1 Password The following table describes the fields in this screen Table 4 1 Password LABEL DESCRIPTION Old Password Type the default pass...

Page 56: ......

Page 57: ...S Server Address DNS Domain Name System is for mapping a domain name to its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP addres...

Page 58: ...w the IP address of a computer before you can access it There are two ways that an ISP disseminates the DNS server addresses The ISP tells you the DNS server addresses usually in the form of an inform...

Page 59: ...in the range 224 0 0 0 to 239 255 255 255 The address 224 0 0 0 is not assigned to any group and is used by IP multicast computers The address 224 0 0 1 is used for query messages and is assigned to t...

Page 60: ...tination The following lists out the steps taken when a computer tries to access the Internet for the first time through the Prestige 1 When a computer which is in a different subnet first attempts to...

Page 61: ...ystems that support the DHCP client If set to None the DHCP server will be disabled If set to Relay the Prestige acts as a surrogate DHCP server and relays DHCP requests and responses between the remo...

Page 62: ...d IGMP v2 Select None to disable it Any IP Setup Select this option to activate the Any IP feature This allows a computer to access the Internet without changing the network settings such as IP addres...

Page 63: ...atic DHCP LABEL DESCRIPTION This is the index number of the Static IP table entry row MAC Address Type the MAC address with colons of a computer on your LAN IP Address This field specifies the size or...

Page 64: ......

Page 65: ...evices Channels available depend on your geographical area You may have a choice of channels for your region so you should use a different channel than an adjacent AP access point to reduce interferen...

Page 66: ...ler than the specified RTS CTS directly to the AP without the RTS Request To Send CTS Clear to Send handshake You should only configure RTS CTS if the possibility of hidden nodes exists on your networ...

Page 67: ...restige your network is accessible to any wireless networking device that is within range Use the Prestige web configurator to configurator to set up your wireless LAN security settings Refer to the c...

Page 68: ...LABEL DESCRIPTION Enable Wireless LAN The wireless LAN is turned off by default before you enable the wireless LAN you should configure some security by setting MAC filters and or 802 1x security oth...

Page 69: ...ige and the wireless stations must use the same WEP key for data transmission If you chose 64 bit WEP then enter any 5 ASCII characters or 10 hexadecimal characters 0 9 A F If you chose 128 bit WEP th...

Page 70: ...he list of MAC addresses in the MAC Address table Select Deny Association to block access to the router MAC addresses not listed will be allowed to access the router Select Allow Association to permit...

Page 71: ...erform mutual authentication 6 6 2 RADIUS RADIUS is based on a client sever model that supports authentication authorization and accounting The access point is the client and the server is the RADIUS...

Page 72: ...pport multiple types of user authentication By using EAP to interact with an EAP compatible RADIUS server the access point helps a wireless station and a RADIUS server perform authentication Figure 6...

Page 73: ...he wireless clients This all happens in the background automatically The Message Integrity Check MIC is designed to prevent an attacker from capturing data packets altering them and resending them The...

Page 74: ...em 1 The AP passes the wireless client s authentication request to the RADIUS server 2 The RADIUS server then checks the user s identification against its database and grants or denies network access...

Page 75: ...Enable without Dynamic WEP Key Shared WEP Yes Disable WPA WEP No Yes WPA TKIP No Yes WPA PSK WEP Yes Yes WPA PSK TKIP Yes Yes 6 11 Wireless Client WPA Supplicants A wireless client supplicant is the...

Page 76: ...red allows all wireless stations access to the wired network without entering usernames and passwords This is the default setting Authentication Required means that all wireless stations have to enter...

Page 77: ...passwords in order to stay connected This field is activated only when you select Authentication Required in the Wireless Port Control field Enter a time interval between 10 and 9999 seconds The defa...

Page 78: ...r database on the Prestige for a wireless station s username and password Select RADIUS Only to have the Prestige just check the user database on the specified RADIUS server for a wireless station s u...

Page 79: ...ffic if the Key Management Protocol is WPA and WPA Mixed Mode is disabled WEP is used automatically if you have enabled WPA Mixed Mode All unicast traffic is automatically encrypted by TKIP when WPA o...

Page 80: ...ific credentials Type a pre shared key from 8 to 63 case sensitive ASCII characters including spaces and symbols WPA Mixed Mode The Prestige can operate in WPA Mixed Mode which supports both clients r...

Page 81: ...authenticate wireless users without interacting with a network RADIUS server However there is a limit on the number of users you may authenticate in this way To change your Prestige s local user data...

Page 82: ...cel Click Cancel to begin configuring this screen again 6 14 Configuring RADIUS Once you enable the EAP authentication you need to specify the external sever for remote user authentication and account...

Page 83: ...list box to enable user authentication through an external accounting server Server IP Address Enter the IP address of the external accounting server in dotted decimal notation Port Number The default...

Page 84: ......

Page 85: ...direct route next In the same manner the Prestige uses the dial backup route if the traffic redirect route also fails If you want the dial backup route to take first priority over the traffic redirect...

Page 86: ...an cell rate of each bursty traffic source It specifies the maximum average rate at which cells can be sent over the virtual connection SCR may not be greater than the PCR Maximum Burst Size MBS is th...

Page 87: ...Prestige is in bridge mode you set the Prestige to use a static fixed WAN IP address 7 6 Configuring WAN Setup To change your Prestige s WAN remote node settings click WAN and WAN Setup The screen dif...

Page 88: ...S Type Select CBR Continuous Bit Rate to specify fixed always on bandwidth for voice or data traffic Select UBR Unspecified Bit Rate for applications that are non time sensitive such as e mail Select...

Page 89: ...apsulation only This field is available when you select PPPoE encapsulation In addition to the Prestige s built in PPPoE client you can enable PPPoE pass through to allow up to ten hosts on the LAN to...

Page 90: ...gure 7 3 Traffic Redirect Example The following network topology allows you to avoid triangle route security issues when the backup gateway is connected to the LAN Use IP alias to configure the LAN in...

Page 91: ...7 Figure 7 4 Traffic Redirect LAN Setup 7 8 Configuring WAN Backup To change your Prestige s WAN backup settings click WAN then WAN Backup The screen appears as shown Figure 7 5 WAN Backup The follow...

Page 92: ...gher priority connection Type the number of seconds 30 recommended for the Prestige to wait between checks Allow more time if your destination IP address handles lots of traffic Timeout Type the numbe...

Page 93: ...etween the dial backup port and the external device Available speeds are 9600 19200 38400 57600 115200 or 230400 bps User Name Type the login name assigned by your ISP Password Type the password assig...

Page 94: ...User s Guide 7 10 WAN Setup Figure 7 6 Advanced WAN Backup The following table describes the fields in this screen Table 7 3 Advanced WAN Backup LABEL DESCRIPTION Basic Login Name Type the login name...

Page 95: ...ng the three routes the Prestige uses normal traffic redirect and dial backup Type a number 1 to 15 to set the priority of the dial backup route for data transmission The smaller the number the higher...

Page 96: ...e connection automatically if it is disconnected Connect on Demand Select Connect on Demand when you don t want the connection up all the time and specify an idle time out in the Max Idle Timeout fiel...

Page 97: ...ommand ATH 7 12 Response Strings The response strings tell the Prestige the tags or labels immediately preceding the various call parameters sent from the WAN device The response strings have not been...

Page 98: ...eyword preceding the connection speed Example CONNECT Call Control Dial Timeout Type a number of seconds for the Prestige to try to set up an outgoing call before timing out stopping Example 60 Retry...

Page 99: ...NAT Dynamic DNS and Time and Date III P Pa ar rt t I II II I NAT Dynamic DNS and Time and Date This part covers NAT Network Address Translation dynamic DNS Domain Name Sever and Time and Date setup...

Page 100: ......

Page 101: ...rk while an inside global address IGA is the IP address of the same inside host when the packet is on the WAN side The following table summarizes this information Table 8 1 NAT Definitions ITEM DESCRI...

Page 102: ...address on the LAN and the IGA is the destination address on the WAN NAT maps private local IP addresses to globally unique ones required for communication with hosts on other networks It replaces th...

Page 103: ...ous ZyXEL routers supported the SUA Only option in today s routers Many to Many Overload In Many to Many Overload mode the Prestige maps the multiple local IP addresses to shared global IP addresses M...

Page 104: ...xample web or FTP that you can make visible to the outside world even though SUA makes your whole inside network appear as a single computer to the outside world You may enter a single port number or...

Page 105: ...t Transfer protocol or WWW Web 80 POP3 Post Office Protocol 110 NNTP Network News Transport Protocol 119 SNMP Simple Network Management Protocol 161 SNMP trap 162 PPTP Point to Point Tunneling Protoco...

Page 106: ...it Details Click this link to go to the NAT Edit SUA NAT Server Set screen Full Feature Select this radio button if you have multiple public WAN IP addresses for your Prestige Edit Details Click this...

Page 107: ...e port number again in the Start Port No field above and then enter it again in this field To forward a series of ports enter the last port number in a series that begins with the port number in the S...

Page 108: ...le describes the fields in this screen Table 8 6 Address Mapping Rules LABEL DESCRIPTION Local Start IP This is the starting Inside Local IP Address ILA Local IP addresses are N A for Server port mapp...

Page 109: ...L routers supported only M M Ov Overload Many to Many Overload mode maps multiple local IP addresses to shared global IP addresses MM No No Overload Many to Many No Overload mode maps each local IP ad...

Page 110: ...utside world Local Start IP This is the starting local IP address ILA Local IP addresses are N A for Server port mapping Local End IP This is the end local IP address ILA If your rule is for all local...

Page 111: ...all you even if they don t know your IP address First of all you need to have registered a dynamic DNS account with www dyndns org This is for people with a dynamic IP from their ISP or DHCP server th...

Page 112: ...S service provider Host Names Type the domain name assigned to your Prestige by your Dynamic DNS provider E mail Address Type your e mail address User Type your user name Password Type the password as...

Page 113: ...e s time and date settings 10 1 Configuring Time and Date To change your Prestige s time and date click Time And Date The screen appears as shown Use this screen to configure the Prestige s time based...

Page 114: ...Date Enter the month and day that your daylight savings time starts on if you selected Daylight Savings End Date Enter the month and day that your daylight savings time ends on if you selected Dayligh...

Page 115: ...l Content Filter and Anti Virus Packet Scan This part introduces firewalls in general and the Prestige firewall It also explains customized services and logs and gives example firewall rules and an ov...

Page 116: ......

Page 117: ...alls Stateful Inspection Firewalls 11 2 1 Packet Filtering Firewalls Packet filtering firewalls restrict access based on the source destination computer network address of a packet and the type of app...

Page 118: ...1 2 or in the web configurator The Prestige s purpose is to allow a private Local Area Network LAN to be securely connected to the Internet The Prestige can be used to prevent theft destruction and mo...

Page 119: ...figuring or managing the computer is not careful a hacker could attack it over an unprotected port Some of the most common IP ports are Table 11 1 Common IP Ports 21 FTP 53 DNS 23 Telnet 80 HTTP 25 SM...

Page 120: ...g queue SYN ACKs are moved off the queue only when an ACK comes back or when an internal timer which is set at relatively long intervals terminates the three way handshake Once the queue is full the s...

Page 121: ...e Figure 11 4 Smurf Attack ICMP Vulnerability ICMP is an error reporting protocol that works in concert with IP The following ICMP types trigger an alert Table 11 2 ICMP Commands That Trigger Alerts 5...

Page 122: ...ckets are compared to packets that are already known to be trusted For example if you access some outside service the proxy server remembers things about your original request like the port number and...

Page 123: ...tbound packet The inbound packet is evaluated against the inbound access list and is permitted because of the temporary access list entry previously created 7 The packet is inspected by a firewall rul...

Page 124: ...ion is extracted and checked against the cache A packet is only allowed to pass through if it corresponds to a valid connection that is if it is a response to a connection which originated on the LAN...

Page 125: ...ces to communicate only with specific peers and protect by configuring rules to block packets for the services at specific interfaces Protect against IP spoofing by making sure the firewall is active...

Page 126: ...omparisons between the Prestige s filtering and firewall functions 11 7 1 Packet Filtering The router filters packets as they pass through the router s interface according to the filter rules you desi...

Page 127: ...ur network A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule making the firewall a better choice when complex rules are required To selec...

Page 128: ......

Page 129: ...er This allows computers on the LAN to manage the Prestige and communicate between networks or subnets connected to the LAN interface LAN to WAN By default the Prestige s stateful packet inspection bl...

Page 130: ...affected The more specific the better For example if traffic is being allowed from the Internet to the LAN it is better to allow only certain machines on the Internet to access the LAN 12 3 2 Security...

Page 131: ...e of IPs or a subnet 12 4 Connection Direction This section talks about configuring firewall rules for connections going from LAN to WAN and WAN to LAN in your firewall 12 4 1 LAN to WAN Rules The def...

Page 132: ...sage can be immediately sent to an e mail account that you specify in the Log Settings screen see the chapter on logs 12 5 Configuring Basic Firewall Settings Click Firewall and then Default Policy to...

Page 133: ...er subnet on the LAN interface of the Prestige or the Prestige itself Default Action Use the radio buttons to select whether to Block silently discard or Forward allow the passage of packets that are...

Page 134: ...to traffic traveling in the selected packet direction The firewall rules that you configure summarized below take priority over the general firewall action settings above Rule This is your firewall r...

Page 135: ...sert to add a new firewall rule before the specified index number Click Append to add a new firewall rule after the specified index number Move Type a rule s index number and the number for where you...

Page 136: ...Prestige 662HW Series User s Guide 12 8 Firewall Configuration Figure 12 5 Firewall Edit Rule The following table describes the labels in this screen...

Page 137: ...elete to remove it Services Available Selected Services Please see Table 12 6 for more information on services available Highlight a service from the Available Services box on the left then click Add...

Page 138: ...d Services Table 12 4 Customized Services LABEL DESCRIPTION No This is the number of your customized port Click a rule s number of a service to go to the Firewall Customized Services Config screen to...

Page 139: ...Range to specify a span of ports that define your customized service Port Number Type a single port number or the range of port numbers that define your customized service Back Click Back to return to...

Page 140: ...t the rule For example if you type 6 your new rule becomes number 6 and the previous rule 6 if there is one becomes rule 7 4 Click Insert to display the firewall rule configuration screen 5 Select Any...

Page 141: ...Services link to open the Customized Service Config screen Configure it as follows and click Apply Figure 12 10 Edit Custom Port Example 8 In the Edit Rule screen use the Add and Remove buttons betwee...

Page 142: ...Prestige 662HW Series User s Guide 12 14 Firewall Configuration Figure 12 11 Firewall Example Edit Rule Select Customized Services...

Page 143: ...re 12 5 displays all predefined services that the Prestige already supports Next to the name of the service two fields appear in brackets The first field indicates the IP protocol type TCP UDP or ICMP...

Page 144: ...667 This is another popular Internet chat program MSN Messenger TCP 1863 Microsoft Networks messenger service uses this protocol MULTICAST IGMP 0 Internet Group Multicast Protocol is used when sending...

Page 145: ...CACS UDP 49 Login Host Protocol used for Terminal Access Controller Access Control System TELNET TCP 23 Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environme...

Page 146: ...its unused TCP ports Note that the probing packets must first traverse the Prestige s firewall mechanism before reaching this anti probing mechanism Therefore if the firewall mechanism blocks a probin...

Page 147: ...en sessions rises above a threshold max incomplete high the Prestige starts deleting half open sessions as required to accommodate new connection requests The Prestige continues to delete half open re...

Page 148: ...g half open sessions One Minute High This is the rate of new half open sessions that causes the firewall to start deleting half open sessions When the rate of new connection attempts rises above this...

Page 149: ...s is the number of existing half open TCP sessions with the same destination host IP address that causes the firewall to start dropping half open sessions to that same destination host IP address Ente...

Page 150: ......

Page 151: ...content filtering You can also specify trusted IP addresses on the LAN for which the Prestige will not perform content filtering 13 2 Configuring Keyword Blocking Use this screen to block sites contai...

Page 152: ...characters Wildcards are not allowed Add Keyword Click Add Keyword after you have typed a keyword Repeat this procedure to add other keywords Up to 64 keywords are allowed When you try to access a web...

Page 153: ...sers on the LAN from content filtering on your Prestige click Content Filter and Trusted The screen appears as shown Figure 13 3 Content Filter Trusted The following table describes the labels in this...

Page 154: ......

Page 155: ...infected computer inoperable Macro Virus Macros are small programs that are created to perform repetitive actions Macros run automatically when a file to which they are attached is opened Macro viruse...

Page 156: ...ocal network and the Internet This way the Prestige can scan the traffic transmitting between your local network and the Internet This eliminates the need to install the scanning engine and the patter...

Page 157: ...ice in the Registration and Virus Information Update screen refer to Section 14 5 for more information Choose which application to be scanned E Mail Select this option to scan incoming outgoing e mail...

Page 158: ...le in this screen Click Anti Virus and Registration and Virus Information Update to display the screen as shown The Prestige automatically restarts after the virus scan update is complete Figure 14 3...

Page 159: ...s are 1 hr 12 hr and 24 hr Manually Update Virus Information Click Update Now to download and update to the latest virus pattern file Back Click Back to return to the previous screen Apply Click Apply...

Page 160: ...Prestige 662HW Series User s Guide 14 6 Anti Virus Packet Scan Figure 14 5 Virus Scan Update Successful The Prestige automatically restarts after the virus scan update is complete...

Page 161: ...VPN IPSec V P Pa ar rt t V V VPN IPSec This part provides information about configuring VPN IPSec for secure communications...

Page 162: ......

Page 163: ...ons for secure data communications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authe...

Page 164: ...etworks Together Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased lines between sites Accessing Network Res...

Page 165: ...e use of encryption techniques such as DES Data Encryption Standard and Triple DES algorithms The Authentication Algorithms HMAC MD5 RFC 2403 and HMAC SHA 1 RFC 2404 provide an authentication mechanis...

Page 166: ...m behind the VPN gateway The security protocol appears after the outer IP header and before the inside IP header 15 4 IPSec and NAT Read this section if you are running IPSec on a host computer behind...

Page 167: ...ntication is not compatible with NAT although NAT traversal provides a way to use Transport mode ESP when there is a NAT router between the IPSec endpoints see section 16 7 for details Table 15 1 VPN...

Page 168: ......

Page 169: ...mployed to ensure integrity This type of implementation does not protect the information from dissemination but will allow for verification of the integrity of the information and authentication of th...

Page 170: ...ss is the WAN IP address or domain name of the remote IPSec router secure gateway If the remote secure gateway has a static WAN IP address enter it in the Secure Gateway Address field You may alternat...

Page 171: ...st be static Click VPN and Setup to open the VPN Summary screen This is a read only menu of your IPSec rules tunnels The IPSec summary menu is read only Edit a VPN by selecting an index number and the...

Page 172: ...c IP addresses in a range of computers are displayed when the Remote Address Type field in the VPN IKE or VPN Manual Key screen is configured to Range A static IP address and a subnet mask are display...

Page 173: ...the UDP port 500 header and responds IPSec routers A and B build a VPN connection 16 7 1 NAT Traversal Configuration For NAT traversal to work you must Use ESP security protocol in either transport or...

Page 174: ...ng local and remote IP addresses With main mode see section 16 11 1 the ID type and content are encrypted to provide identity protection In this case the Prestige can only distinguish between up to 12...

Page 175: ...ain name also does not have to match the remote router s IP address or what you configure in the Secure Gateway Addr field below 16 8 1 ID Type and Content Examples Two IPSec routers must have matchin...

Page 176: ...otiation see section 16 11 for more on IKE phases It is called pre shared because you have to share it with another party before you can communicate with them over a secure connection 16 10Editing VPN...

Page 177: ...ect Tunnel mode or Transport mode from the drop down list box DNS Server for IPSec VPN If there is a private DNS server that services the VPN type its IP address here The Prestige assigns this additio...

Page 178: ...router When the Remote Address Type field is configured to Subnet enter a static IP address on the network behind the remote IPSec router End Subnet Mask When the Remote Address Type field is configur...

Page 179: ...characters including spaces although trailing spaces are truncated The domain name or e mail address is for identification purposes only and can be any string It is recommended that you type an IP ad...

Page 180: ...e message or to generate and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is more...

Page 181: ...man public key cryptography see section 16 11 3 Select None the default to disable PFS Choose Tunnel mode or Transport mode Set the IPSec SA lifetime This field allows you to determine how long the IP...

Page 182: ...lman groups are supported Upon completion of the Diffie Hellman exchange the two peers have a shared secret but the IKE SA is not authenticated For authentication use pre shared keys 16 11 3 Perfect F...

Page 183: ...ckets to protect against replay attacks Select YES from the drop down menu to enable replay detection or select NO to disable it Local Start Port 0 is the default and signifies any port Type a port nu...

Page 184: ...these encryption algorithms for data communications both the sending device and the receiving device must use the same secret key which can be used to encrypt and decrypt the message or to generate an...

Page 185: ...ost 35 days A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys However every time the VPN tunnel renegotiates all users accessing...

Page 186: ...hen you select Manual in the IPSec Key Mode field on the VPN IKE screen This is the VPN Manual Key screen as shown next Figure 16 8 VPN Manual Key The following table describes the fields in this scre...

Page 187: ...in a range of computers on your LAN behind your Prestige When the Local Address Type field is configured to Subnet this is a static IP address on the LAN behind your Prestige End Subnet Mask When the...

Page 188: ...that uses a 168 bit key As a result 3DES is more secure than DES It also requires more processing power resulting in increased latency and decreased throughput Select NULL to set up a tunnel without e...

Page 189: ...PSec SA when the SA lifetime expires even if there is no traffic Figure 16 9 VPN SA Monitor The following table describes the fields in this screen Table 16 10 VPN SA Monitor LABEL DESCRIPTION No This...

Page 190: ...etBIOS over TCP IP NetBIOS Network Basic Input Output System are TCP or UDP broadcast packets that enable a computer to find other computers It may sometimes be necessary to allow NetBIOS packets to p...

Page 191: ...dress 192 168 1 10 0 0 0 0 N A 16 17 2 Telecommuters Using Unique VPN Rules Example In this example the telecommuters A B and C in the figure use IPSec routers with domain names that are mapped to the...

Page 192: ...ters Prestige Rule 1 Local ID Type IP Peer ID Type IP Local ID Content 192 168 2 12 Peer ID Content 192 168 2 12 Local IP Address 192 168 2 12 Secure Gateway Address telecommuter1 com Remote Address 1...

Page 193: ...e 662HW Series User s Guide VPN Screens 16 25 16 18VPN and Remote Management If a VPN tunnel uses Telnet FTP WWW then you should configure remote management Remote Management to allow access for that...

Page 194: ......

Page 195: ...mote Management UPnP and Logs This part contains information on how to configure the Prestige for remote management setting up Universal Plug and Play UPnP and setting up and displaying logs Remote Ma...

Page 196: ......

Page 197: ...eld You may only have one remote management session running at a time The Prestige automatically disconnects a remote management session of lower priority when another remote management session of hig...

Page 198: ...istics screen is polling 17 2 Telnet You can configure your Prestige for remote Telnet access as shown next Figure 17 1 Telnet Configuration on a TCP IP Network 17 3 FTP You can upload and download Pr...

Page 199: ...This field shows the port number for the remote management service You may change the port number for a service in this field but you must use the same port number to use that service for remote manag...

Page 200: ......

Page 201: ...ork addressing announce their presence in the network to other UPnP devices and enable exchange of simple product and service descriptions NAT traversal allows the following Dynamic port mapping Learn...

Page 202: ...hanges through UPnP Select this check box to allow UPnP enabled applications to automatically configure the Prestige so that they can communicate through the Prestige for example by using NAT traversa...

Page 203: ...Click OK to go back to the Add Remove Programs Properties window and click Next Restart the computer when prompted Installing UPnP in Windows XP Follow the steps below to install the UPnP in Windows...

Page 204: ...ple This section shows you how to use the UPnP feature in Windows XP You must already have UPnP installed in Windows XP and UPnP activated on the Prestige Make sure the computer is connected to a LAN...

Page 205: ...dit or delete the port mappings or click Add to manually add port mappings When the UPnP enabled device is disconnected from your computer all port mappings will be deleted automatically Select Show i...

Page 206: ...lpful if you do not know the IP address of the Prestige Follow the steps below to access the web configurator Click Start and then Control Panel Double click Network Connections Select My Network Plac...

Page 207: ...Prestige 662HW Series User s Guide UPnP 18 7 Right click on the icon for your Prestige and select Properties A properties window displays with basic information about the Prestige...

Page 208: ......

Page 209: ...ttacks access control and attempted access to blocked web sites Some categories such as System Errors consist of both logs and alerts You may differentiate them by their color in the View Log screen A...

Page 210: ...er name or the IP address of the mail server for the e mail addresses specified below If this field is left blank logs and alert messages will not be sent via e mail Mail Subject Type a title that you...

Page 211: ...e week the E mail should be sent If you select When Log is Full an alert is sent when the log fills up If you select None no log messages are sent Day for Sending Log Use the drop down list box to sel...

Page 212: ...his field lists the source IP address and the port number of the incoming packet Destination This field lists the destination IP address and the port number of the incoming packet Notes This field dis...

Page 213: ...54 03 UDP src port 00520 dest port 00520 1 00 2 Apr 7 00 From 192 168 1 131 To 192 168 1 255 default policy forward 09 54 17 UDP src port 00520 dest port 00520 1 00 3 Apr 7 00 From 192 168 1 6 To 10...

Page 214: ......

Page 215: ...Media Bandwidth Management VII P Pa ar rt t V VI II I Media Bandwidth Management This part provides information on the functions and configuration of Media Bandwidth Management...

Page 216: ......

Page 217: ...ns display measurements in kbps kilobits per second but this User s Guide also uses Mbps megabits per second for brevity s sake 20 2 Bandwidth Classes and Filters Use bandwidth classes and child class...

Page 218: ...mple 20 4 2 Subnet based Bandwidth Management Example The following example uses bandwidth classes based solely on LAN subnets Each bandwidth class Subnet A and Subnet B is allotted 320kbps Figure 20...

Page 219: ...he Prestige to divide up any available bandwidth on the interface including unallocated bandwidth and any allocated bandwidth that a class is not using among the bandwidth classes that require more ba...

Page 220: ...department only uses 1 Mbps of the budgeted 2 Mbps the Prestige also divides the remaining 1 Mbps among the classes that require more bandwidth Therefore the Prestige divides a total of 3 Mbps total o...

Page 221: ...class first The child class can also borrow bandwidth from a higher parent class grandparent class if the child class s parent class is also configured to borrow bandwidth from its parent class This c...

Page 222: ...Bill class cannot borrow unused bandwidth from the Root class because the Sales class has bandwidth borrowing disabled The Amy class cannot borrow unused bandwidth from the Sales USA class because the...

Page 223: ...ty and treats bandwidth classes of the same level equally 4 The Prestige assigns any remaining unbudgeted bandwidth to traffic that does not match any of the bandwidth classes 20 8 Configuring Summary...

Page 224: ...the speed of this interface see the Speed field description Back Click Back to go to the main Media Bandwidth Management screen Apply Click Apply to save your settings back to the Prestige Cancel Clic...

Page 225: ...Click Delete to delete the class and all its child classes You cannot delete the root class Statistics Click Statistics to display the status of the selected class 20 9 1 Media Bandwidth Management Cl...

Page 226: ...tion Port Source Port and Protocol ID fields SIP Session Initiation Protocol is a signaling protocol used in Internet telephony instant messaging and other VoIP Voice over IP applications Select SIP f...

Page 227: ...formance information Click the Statistics button in the Class Setup screen to open the Statistics screen Figure 20 10 Media Bandwidth Management Statistics The following table describes the labels in...

Page 228: ...to clear all of the bandwidth management statistics 20 10 Bandwidth Monitor To view the Prestige s bandwidth usage and allotments click Media Bandwidth Management then Monitor The screen appears as sh...

Page 229: ...Maintenance VIII P Pa ar rt t V VI II II I Maintenance This part covers the maintenance screens...

Page 230: ......

Page 231: ...rt traffic statistics 21 1 Maintenance Overview The maintenance screens can help you view system information upload new firmware manage configuration and restart your Prestige 21 2 System Status Scree...

Page 232: ...21 2 Maintenance Figure 21 1 System Status The following table describes the fields in this screen Table 21 1 System Status LABEL DESCRIPTION System Status System Name This is the name of your Prestig...

Page 233: ...estige IP Address This is the LAN port IP address IP Subnet Mask This is the LAN port IP subnet mask DHCP This is the WAN port DHCP role Server Relay not all Prestige models or None DHCP Start IP This...

Page 234: ...the downstream speed of your Prestige Node Link This field displays the remote node index number and link type Link types are PPPoA ENET RFC 1483 and PPPoE Interface This field displays the type of p...

Page 235: ...ige as a DHCP server or disable it When configured as a server the Prestige provides the TCP IP configuration for the clients If set to None DHCP service will be disabled and you must have another DHC...

Page 236: ...the IP address of the network device MAC Address This field displays the MAC Media Access Control address of the computer with the displayed IP address Every Ethernet device has a unique MAC address...

Page 237: ...has a unique MAC address The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters for example 00 A0 C5 00 00 02 Association Time This field displays the time a wi...

Page 238: ...you want to ping in order to test a connection Ping Click this button to ping the IP address that you entered Reset System Click this button to reboot the Prestige A warning dialog box is then display...

Page 239: ...test Make sure you have configured at least one PVC with proper VPIs VCIs before you begin this test The Prestige sends an OAM F5 packet to the DSLAM ATM switch and then returns it loops it back to th...

Page 240: ...Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the bin file you want to upload Remember that you must decompress compressed zi...

Page 241: ...Network Temporarily Disconnected After two minutes log in again and check your new firmware version in the System Status screen If the upload was not successful the following screen will appear Click...

Page 242: ......

Page 243: ...ystem Management Terminal configuration for general setup WAN backup LAN setup wireless LAN setup Internet access remote node static route NAT and enabling the firewall See the web configurator parts...

Page 244: ......

Page 245: ...34 in the Password field 3 After entering the password you will see the main menu Please note that if there is no activity for longer than five minutes default timeout period after you log in your Pre...

Page 246: ...down to another menu ENTER To move forward to a submenu type in the number of the desired submenu and press ENTER Move up to a previous menu ESC Press ESC to move back to the previous menu Move to a...

Page 247: ...previous menu Exit the SMT Type 99 then press ENTER Type 99 at the main menu prompt and press ENTER to exit the SMT interface After you enter the password the SMT displays the main menu as shown next...

Page 248: ...g Policy Setup Use this menu to configure your IP routing policy 26 Schedule Setup Use this menu to schedule outgoing calls 27 VPN IPSec Use this menu to configure VPN connections 99 Exit Use this to...

Page 249: ...the entry for the Computer name field and enter it as the Prestige System Name In Windows XP click start My Computer View system information and then click the Computer Name tab Note the entry in the...

Page 250: ...over the ISP assigned domain name zyxel com tw Edit Dynamic DNS Press the SPACE BAR to select Yes or No default Select Yes to configure Menu 1 1 Configure Dynamic DNS discussed next No Route IP Set t...

Page 251: ...e domain name assigned to your Prestige by your Dynamic DNS provider me dyndns org EMAIL Enter your e mail address mail mailserver USER Enter your user name Password Enter the password assigned to you...

Page 252: ......

Page 253: ...stige periodically ping the IP addresses configured in the Check WAN IP Address fields Check WAN IP Address1 3 Configure this field to test your Prestige s WAN accessibility Type the IP address of a r...

Page 254: ...nu 2 2 Dial Backup Setup Select No default if you do not want to configure this feature When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or...

Page 255: ...enu 2 WAN Backup Setup press the SPACE BAR to select Yes and then press ENTER Figure 24 3 Menu 2 2 Dial Backup Setup The following table describes the fields in this menu Table 24 3 Menu 2 2 Dial Back...

Page 256: ...e 24 4 Menu 2 2 1 Advanced Dial Backup Setup AT Commands Fields FIELD DESCRIPTION EXAMPLE AT Command Strings Dial Enter the AT Command string to make a call atdt Drop Enter the AT Command string to dr...

Page 257: ...ter a number of seconds for the Prestige to keep trying to set up an outgoing call before timing out stopping The Prestige times out and stops if it cannot set up an outgoing call within the timeout v...

Page 258: ......

Page 259: ...Ethernet traffic You seldom need to filter Ethernet traffic however the filter sets may be useful to block certain packets reduce traffic and prevent security breaches Figure 25 2 Menu 3 1 LAN Port F...

Page 260: ...DHCP If set to Server your Prestige can assign IP addresses an IP default gateway and DNS servers to Windows 95 Windows NT and other systems that support the DHCP client If set to None the DHCP server...

Page 261: ...ulate the subnet mask based on the IP address that you assign Unless you are implementing subnetting use the subnet mask computed by the Prestige 255 255 255 0 RIP Direction Press SPACE BAR to select...

Page 262: ......

Page 263: ...eless LAN Setup FIELD DESCRIPTION EXAMPLE ESSID The ESSID Extended Service Set IDentifier identifies the AP to which the wireless stations associate Wireless stations associating to the Access Point m...

Page 264: ...f data encryption WEP causes performance degradation Disable Default Key Enter the number of the key as an active key Key 1 to Key 4 If you chose 64 bit WEP in the WEP Encryption field then enter 5 ch...

Page 265: ...d or denied access to the Prestige in these address fields When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC t...

Page 266: ......

Page 267: ...ting is applied to incoming packets on a per interface basis prior to the normal routing Create policies using SMT menu 25 see IP Policy Routing and apply them on the Prestige LAN and or WAN interface...

Page 268: ...TCP IP and DHCP Setup Pressing ENTER displays Menu 3 2 1 IP Alias Setup as shown next Menu 3 2 TCP IP and DHCP Setup DHCP Setup DHCP Server Client IP Pool Starting Address 192 168 1 33 Size of Client...

Page 269: ...e RIP version Choices are RIP 1 RIP 2B or RIP 2M RIP 1 Incoming Protocol Filters Enter the filter set s you wish to apply to the incoming traffic between this node and the Prestige Outgoing Protocol F...

Page 270: ...ulation Gateway IP address if you are using ENET ENCAP encapsulation From the main menu type 4 to display Menu 4 Internet Access Setup as shown next Figure 27 6 Menu 4 Internet Access Setup The follow...

Page 271: ...the peak rate Type the MBS The MBS must be less than 65535 0 My Login Configure the My Login and My Password fields for PPPoA and PPPoE encapsulation only Enter the login name that your ISP gives you...

Page 272: ......

Page 273: ...are configuring one of the remote nodes You first choose a remote node in Menu 11 Remote Node Setup You can then edit that node s profile in menu 11 1 as well as configure specific settings in three...

Page 274: ...application Here are some examples of more suitable combinations in such an application Scenario 1 One VC Multiple Protocols PPPoA RFC 2364 encapsulation with VC based multiplexing is the best combin...

Page 275: ...ased LLC based Service Name When using PPPoE encapsulation type the name of your PPPoE service here N A Incoming Rem Login Type the login name that this remote node will use to call your Prestige The...

Page 276: ...is sets a ceiling for outgoing call time for this remote node The default for this field is 0 meaning no budget control Period hr This field is the time period that the budget should be reset For exam...

Page 277: ...P Bridge field press SPACE BAR to select Yes then press ENTER to display Menu 11 3 Remote Node Network Layer Options Figure 28 3 Menu 11 3 Remote Node Network Layer Options The next table explains fie...

Page 278: ...imates the cost for this link The number need not be precise but it must be between 1 and 15 In practice 2 or 3 is usually a good number 2 Private This determines if the Prestige will include the rout...

Page 279: ...restige and also to prevent certain packets from triggering calls You can specify up to 4 filter sets separated by comma for example 1 5 9 12 in each filter field Note that spaces are accepted in this...

Page 280: ...For VC based multiplexing by prior agreement a protocol is assigned a specific virtual circuit for example VC1 will carry IP Separate VPI and VCI numbers must be specified for each protocol Figure 28...

Page 281: ...ons In menu 11 1 select PPPoE in the Encapsulation field Figure 28 9 Menu 11 1 Remote Node Profile Menu 11 6 Remote Node ATM Layer Options VPI VCI LLC Multiplexing or PPP Encapsulation VPI 8 VCI 35 AT...

Page 282: ...to allow up to ten hosts on the LAN to use PPPoE client software on their computers to connect to the ISP via the Prestige Each host can have a separate account and a public WAN IP address PPPoE pass...

Page 283: ...emote node specifies only the network to which the gateway is directly connected and the Prestige has no knowledge of the networks beyond For instance the Prestige knows about network N2 in the follow...

Page 284: ...oute Setup Now type the route number of a static route you want to configure Menu 12 Static Route Setup 1 IP Static Route 3 Bridge Static Route Please enter selection Menu 12 1 IP Static Route Setup 1...

Page 285: ...your Prestige that will forward the packet to the destination On the LAN the gateway must be a router on the same segment as your Prestige over WAN the gateway must be the IP address of one of the re...

Page 286: ......

Page 287: ...otocol and it also demands more CPU cycles and memory For efficiency reasons do not turn on bridging unless you need to support protocols other than IP on your network For IP enable the routing if you...

Page 288: ...0 0 0 0 My WAN Addr 0 0 0 0 NAT Full Feature Address Mapping Set 2 Metric 2 Private No RIP Direction Both Version RIP 2B Multicast IGMP v2 IP Policies Press ENTER to Confirm or ESC to Cancel Menu 11...

Page 289: ...menu 12 choose option 3 then choose a static route to edit as shown next Figure 30 3 Menu 12 3 1 Edit Bridge Static Route The following table describes the Edit Bridge Static Route menu Table 30 2 Me...

Page 290: ......

Page 291: ...rts two types of mapping Many to One and Server See section 31 3 1 for a detailed description of the NAT set for SUA The Prestige also supports Full Feature NAT to map multiple global IP addresses to...

Page 292: ...e 3 Move the cursor to the Edit IP Bridge field press SPACE BAR to select Yes and then press ENTER to bring up Menu 11 3 Remote Node Network Layer Options Menu 4 Internet Access Setup ISP s Name MyISP...

Page 293: ...s and submenus to create the mapping table used to assign global addresses to computers on the LAN Set 255 is used for SUA When you select Full Feature in menu 4 or 11 3 the SMT will use Set 1 When yo...

Page 294: ...ss Mapping Sets Figure 31 4 Menu 15 1 Address Mapping Sets SUA Address Mapping Set Enter 255 to display the next screen see also section 31 1 1 The fields in this menu cannot be changed Menu 15 1 Addr...

Page 295: ...End IP is 255 255 255 255 255 255 255 255 Global Start IP This is the starting global IP address IGA If you have a dynamic IP enter 0 0 0 0 as the Global Start IP 0 0 0 0 Global End IP This is the en...

Page 296: ...matches the current packet the Prestige takes the corresponding action and the remaining rules are ignored If there are any empty rules before your new configured rule your configured rule will be pu...

Page 297: ...the Action field and then selecting a rule brings up the following menu Menu 15 1 1 1 Address Mapping Rule in which you can edit an individual rule and configure the Type Local and Global Start End IP...

Page 298: ...to One Many to One and Server types N A Server Mapping Set Only available when Type is set to Server Type a number from 1 to 10 to choose a server set from menu 15 2 When you have completed this menu...

Page 299: ...as an FTP Telnet and SMTP server ports 21 23 and 25 at 192 168 1 33 6 Press ENTER at the Press ENTER to confirm prompt to save your configuration after you define all the servers or press ESC at any t...

Page 300: ...ress Translation field This is the Many to One mapping discussed in section 31 5 The SUA Only read only option from the Network Address Translation field in menus 4 and 11 3 is specifically pre config...

Page 301: ...er and all departments use the other IGA Map the FTP servers to the first two IGAs and the other LAN traffic to the remaining IGA Map the third IGA to an inside web server and mail server Four rules n...

Page 302: ...you must choose the Full Feature option from the Network Address Translation field in menu 4 or menu 11 3 in Figure 31 16 1 Enter 15 from the main menu 2 Enter 1 to configure the Address Mapping Sets...

Page 303: ...IP Address Assignment Static Ethernet Addr Timeout min 0 Rem IP Addr 0 0 0 0 Rem Subnet Mask 0 0 0 0 My WAN Addr 0 0 0 0 NAT Full Feature Address Mapping Set 2 Metric 2 Private No RIP Direction Both...

Page 304: ...in Menu 15 NAT Setup 3 Enter 1 in Menu 15 2 NAT Server Sets to see the following menu Configure it as shown Menu 15 1 1 Address Mapping Rules Set Name Example3 Idx Local Start IP Local End IP Global S...

Page 305: ...ing figure illustrates this Figure 31 19 NAT Example 4 Other applications such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream These application...

Page 306: ...Example 4 Menu 15 1 1 Address Mapping Rules Menu 15 1 1 1 Address Mapping Rule Type Many to Many No Overload Local IP Start 192 168 1 10 End 192 168 1 12 Global IP Start 10 132 50 1 End 10 132 50 3 S...

Page 307: ...r the most comprehensive firewall configuration tool your Prestige has to offer For this reason it is recommended that you configure your firewall using the web configurator see the following chapters...

Page 308: ...tacks when it is active The default Policy sets 1 allow all sessions originating from the LAN to the WAN and 2 deny all sessions originating from the WAN to the LAN You may define additional Policy ru...

Page 309: ...stem information and diagnosis firmware and configuration file maintenance system maintenance remote management IP Policy Routing call scheduling and Internal SPTGEN for configuration of multiple Pres...

Page 310: ......

Page 311: ...ring Call filters are divided into two groups the built in call filters and user defined call filters Your Prestige has built in call filters that prevent administrative for example RIP packets from t...

Page 312: ...various types of packets Because each filter set can have up to six rules you can have a maximum of 24 rules active for a single port For incoming packets your Prestige applies data filters only Packe...

Page 313: ...1 Figure 33 4 NetBIOS_WAN Filter Rules Summary Menu 21 1 Filter Set Configuration Filter Filter Set Comments Set Comments 1 _______________ 7 _______________ 2 _______________ 8 _______________ 3 ___...

Page 314: ...e filter rule number 1 to 6 A Active Y means the rule is active N means the rule is inactive Type The type of filter rule GEN for Generic IP for TCP IP Filter Rules These parameters are displayed here...

Page 315: ...listed as follows Table 33 2 Rule Abbreviations Used FILTER TYPE DESCRIPTION IP Pr Protocol SA Source Address SP Source Port Number DA Destination Address DP Destination Port Number GEN Off Offset Le...

Page 316: ...hoose a rule Parameters displayed for each type will be different Choices are TCP IP Filter Rule or Generic Filter Rule TCP IP Filter Rule Active Select Yes to activate or No to deactivate the filter...

Page 317: ...ld Choices are None Less Greater Equal or Not Equal None TCP Estab This applies only when the IP Protocol field is 6 TCP If Yes the rule matches packets that want to establish TCP connection s SYN 1 a...

Page 318: ...is section shows you how to configure a generic filter rule The purpose of generic rules is to allow you to filter non IP packets For IP it is generally easier to use the IP rules directly For generic...

Page 319: ...Filter Rule Active Select Yes to turn on or No to turn off the filter rule No default Offset Type the starting byte of the data portion in the packet that you want to compare The range for this field...

Page 320: ...here are two classes of filter rules Generic Filter Device rules and Protocol Filter TCP IP rules Generic Filter rules act on the raw data from to LAN and WAN Protocol Filter rules act on IP packets W...

Page 321: ...ure in this case 6 Type a descriptive name or comment in the Edit Comments field for example TELNET_WAN and press ENTER Press ENTER at the message Press ENTER to confirm or ESC to cancel to open Menu...

Page 322: ...0 0 0 0 IP Mask 0 0 0 0 Port Port Comp Equal TCP Estab No More No Log None Action Matched Drop Action Not Matched Forward Press ENTER to Confirm or ESC to Cancel Press SPACE BAR to choose this filter...

Page 323: ...o decide if a packet should be allowed to trigger a call 33 7 1 Ethernet Traffic You seldom need to filter Ethernet traffic however the filter sets may be useful to block certain packets reduce traffi...

Page 324: ...y default filter set NetBIOS_WAN is inserted in the protocol filters field under Call Filter Sets in menu 11 5 to block local NetBIOS traffic from triggering calls to the ISP Figure 33 15 Filtering Re...

Page 325: ...manager An agent is a management software module that resides in a managed device the Prestige An agent translates the local management information from the managed device into a form compatible with...

Page 326: ...ption 22 from the main menu to open Menu 22 SNMP Configuration as shown next The community for Get Set and Trap fields is SNMP terminology for password Figure 34 2 Menu 22 SNMP Configuration The follo...

Page 327: ...fined in RFC 1215 A trap is sent after booting software reboot 3 linkDown defined in RFC 1215 A trap is sent with the port number when any of the links are down See the following table 4 linkUp define...

Page 328: ......

Page 329: ...tore the default configuration file Refer to the section on changing the system password in the Introducing the SMT chapter and the section on resetting the Prestige in the Introducing the Web Configu...

Page 330: ...al authentication server and Prestige Accounting Server Active Press SPACE BAR to select Yes and press ENTER to enable user authentication through an external accounting server No Server Address Enter...

Page 331: ...Table 35 2 Menu 23 4 System Security IEEE802 1x FIELD DESCRIPTION Wireless Port Control Press SPACE BAR and select a security mode for the wireless LAN access Select No Authentication Required to all...

Page 332: ...the Wireless Port Control field Also set the Authentication Databases field to RADIUS Only Local user database may not be used Select Disable to allow wireless stations to communicate with the access...

Page 333: ...k the user database on the Prestige for a wireless station s username and password If the user name is not found the Prestige then checks the user database on the specified RADIUS server Select RADIUS...

Page 334: ...long for this user profile When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the prev...

Page 335: ...System Status is a tool that can be used to monitor your Prestige Specifically it gives you information on your ADSL telephone line status number of packets sent and received To get to System Status...

Page 336: ...rrent remote node My WAN IP from ISP This is the IP address of the ISP remote node Ethernet This shows statistics for the LAN Status This shows the current status of the LAN Tx Pkts This is the number...

Page 337: ...Console Port Speed From this menu you have two choices as shown in the next figure Figure 36 3 Menu 24 2 System Information and Console Port Speed 36 3 1 System Information Enter 1 in menu 24 2 to dis...

Page 338: ...the DHCP setting None Relay or Server of the Prestige 36 3 2 Console Port Speed You can set up different port speeds for the console port through Menu 24 2 2 System Maintenance Console Port Speed You...

Page 339: ...NIX Syslog as shown next Figure 36 8 Menu 24 3 2 System Maintenance Syslog and Accounting 53 Sat Jan 01 00 00 03 2000 PP01 WARN SNMP TRAP 0 cold start 54 Sat Jan 01 00 00 03 2000 PP01 INFO main init c...

Page 340: ...te Call ID C01 Incoming Call xxxx connected speed xxxxx Remote Call ID L02 Tunnel Connected L2TP C02 OutCall Connected xxxx connected speed xxxxx Remote Call ID C02 CLID call refused L02 Call Terminat...

Page 341: ...oto Shutdown Proto LCP ATCP BACP BCP CBCP CCP CHAP PAP IPCP IPXCP Jul 19 11 42 44 192 168 102 2 ZYXEL ppp LCP Closing Jul 19 11 42 49 192 168 102 2 ZYXEL ppp IPCP Closing Jul 19 11 42 54 192 168 102 2...

Page 342: ...initialize the xDSL link to the telephone company Ping Host Ping the host to see if the links and TCP IP protocol on both systems are working Reboot System Reboot the Prestige Command Mode Type the mo...

Page 343: ...fer to the label on the bottom of your Prestige ftp put firmware bin ras This is a sample FTP session showing the transfer of the computer file firmware bin to the Prestige ftp get rom 0 config cfg Th...

Page 344: ...and you don t have to rename the files Please note that terms download and upload are relative to the computer Download means to transfer from the Prestige to the computer while upload means from your...

Page 345: ...ress of the host server Login Type Anonymous This is when a user I D and password is automatically supplied to the server for anonymous access Anonymous logins will work only if your ISP or service ad...

Page 346: ...transfer mode to binary before starting data transfer 5 Use the TFTP client see the example below to transfer files between the Prestige and the computer The file name for the configuration file is ro...

Page 347: ...file transfer is complete WARNING DO NOT INTERRUPT THE FILE TRANSFER PROCESS AS THIS MAY PERMANENTLY DAMAGE YOUR PRESTIGE 37 3 1 Restore Using FTP For details about backup using T FTP please refer to...

Page 348: ...xample Refer to section 37 2 5 to read about configurations that disallow TFTP and FTP over WAN 37 4 Uploading Firmware and Configuration Files This section shows you how to upload firmware and config...

Page 349: ...be transferred to the rom 0 file on the system 4 The system reboots automatically after the upload system configuration file process is complete For details on FTP commands please consult the documen...

Page 350: ...sallow TFTP and FTP over WAN 37 4 5 TFTP File Upload The Prestige also supports the uploading of firmware files using TFTP Trivial File Transfer Protocol over LAN Although TFTP should work over WAN as...

Page 351: ...rogram For UNIX use get to transfer from the Prestige to the computer put the other way around and binary to set binary transfer mode 37 4 6 TFTP Upload Command Example The following is an example TFT...

Page 352: ......

Page 353: ...8 See the included disk or the zyxel com web site for more detailed information on CI commands Enter 8 from Menu 24 System Maintenance A list of valid commands can be found by typing help or at the c...

Page 354: ...uture outgoing calls will be blocked To access the call control menu select option 9 in menu 24 to go to Menu 24 9 System Maintenance Call Control as shown in the next table Figure 38 3 Menu 24 9 Syst...

Page 355: ...is the total connection time that has gone by within the allocated budget that you set in menu 11 1 5 10 means that 5 minutes out of a total allocation of 10 minutes have lapsed Elapsed Time Total Per...

Page 356: ...Use Time Server when Bootup None Time Server Address N A Current Time 00 51 24 New Time hh mm ss 00 51 19 Current Date 2000 01 01 New Date yyyy mm dd 2000 01 01 Time Zone GMT Daylight Saving No Start...

Page 357: ...unsure of this information Current Time This field displays an updated time only when you reenter this menu New Time Enter the new time in hour minute and second format Current Date This field display...

Page 358: ......

Page 359: ...s on configuring firewall rules 39 2 Remote Management To disable remote management of a service select Disable in the corresponding Server Access field Enter 11 from menu 24 to display Menu 24 11 Rem...

Page 360: ...address 0 0 0 0 Once you have filled in this menu press ENTER at the message Press ENTER to Confirm or ESC to Cancel to save your configuration or press ESC to cancel 39 2 2 Remote Management Limitat...

Page 361: ...ige s LAN IP address when configuring from the LAN 39 4 System Timeout There is a default system management idle timeout of five minutes three hundred seconds The Prestige automatically logs you out i...

Page 362: ......

Page 363: ...hile using low cost paths for batch traffic Load Sharing Network administrators can use IPPR to distribute traffic among multiple paths 40 3 Routing Policy Individual routing policies are used as part...

Page 364: ...eria and the action of a single policy and whether a policy is active or not Each policy contains two lines The former part is the criteria of the incoming packet and the latter is the action Between...

Page 365: ...eria Action 1 Y SA 1 1 1 1 1 1 1 1 DA 2 2 2 2 2 2 2 5 SP 20 25 DP 20 25 P 6 T NM PR 0 GW 192 168 1 1 T MT PR 0 2 N __________________________________________________________________________ __________...

Page 366: ...t Care Packet Length Type the length of incoming packets in bytes The operators in the Len Comp next field apply to packets of this length Len Comp Press SPACE BAR and then ENTER to choose from Equal...

Page 367: ...ss ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the previous screen 40 5 Applying an IP Policy This section shows you where to apply the IP polici...

Page 368: ...route Figure 40 6 Example of IP Policy Routing To force Web packets coming from clients with IP addresses of 192 168 1 33 to 192 168 1 64 to be routed to the Internet via the WAN port of the Prestige...

Page 369: ...ets from any host IP 0 0 0 0 means any host with protocol TCP and port FTP access through another gateway 192 168 1 100 Menu 25 1 1 IP Routing Policy Policy Set Name set1 Active Yes Criteria IP Protoc...

Page 370: ...S Server 0 0 0 0 Remote DHCP Server N A TCP IP Setup IP Address 192 168 1 1 IP Subnet Mask 255 255 255 0 RIP Direction Both Version RIP 1 Multicast None IP Policies 1 2 Edit IP Alias No Press ENTER to...

Page 371: ...For example if sets 1 2 3 and 4 in are applied in the remote node then set 1 will take precedence over set 2 3 and 4 as the Prestige by default applies the lowest numbered set first Set 2 will take p...

Page 372: ...elected then all weekday settings are N A When Once is selected the schedule rule deletes automatically after the scheduled time elapses Once Once Date If you selected Once in the How Often field abov...

Page 373: ...our schedule sets are configured you must then apply them to the desired remote node s Enter 11 from the Main Menu and then enter the target remote node index Using SPACE BAR select PPPoE or PPPoA in...

Page 374: ......

Page 375: ...nal SPTGEN This part provides information about configuring VPN IPSec for secure communications and Internal SPTGEN for configuration of multiple Prestiges See the web configurator parts of this guide...

Page 376: ......

Page 377: ...se main submenus 1 Define VPN policies in menu 27 1 submenus including security policies endpoint IP addresses peer IPSec router IP address and key management 2 Menu 27 2 SA Monitor allows you to mana...

Page 378: ...etup is configured to Single this is a static IP address on the LAN behind your Prestige When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to Range this is the beginning static IP addr...

Page 379: ...al level of security AH choices are MD5 default 128 bits and SHA 1 160 bits Both AH and ESP increase the Prestige s processing requirements and communications latency delay You need to finish configur...

Page 380: ...onfirm prompt Use Edit to create or edit a rule Use Delete to remove a rule To edit or delete a rule first make sure you are on the correct page When a VPN rule is deleted subsequent rules do not move...

Page 381: ...ersal NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers The remote IPSec router must also have NAT traversal enabled You can use NAT traversa...

Page 382: ...of the computer with which you will make the VPN connection or leave the field blank to have the Prestige automatically use the address in the Secure Gateway Address field When you select DNS in the P...

Page 383: ...ured to Range enter the end static IP address in a range of computers on the LAN behind your Prestige When the Addr Type field is configured to SUBNET this is a subnet mask on the LAN behind your Pres...

Page 384: ...ng to connect using a port number that does not match this port number or range of port numbers Some of the most common IP ports are 21 FTP 53 DNS 23 Telnet 80 HTTP 25 SMTP 110 POP3 0 End Enter a port...

Page 385: ...ceive a PYLD_MALFORMED payload malformed packet if the same pre shared key is not used on both ends Encryption Algorithm The Prestige and the remote IPSec router generate an encryption key from the Di...

Page 386: ...s Define the length of time before an IPSec Security Association automatically renegotiates in this field It may range from 60 to 3 000 000 seconds almost 35 days 28800 default Encapsulation Press SPA...

Page 387: ...When you select NULL you do not enter any encryption keys DES Key1 Enter a unique eight character key Any character may be used including spaces but trailing spaces are truncated Fill in the Key1 fie...

Page 388: ...choose from MD5 or SHA1 and then press ENTER N A Key Enter the authentication key to be used by IPSec if applicable The key must be unique Enter 16 characters for MD5 authentication and 20 characters...

Page 389: ...when the SA lifetime expires even if there is no traffic 43 2 Using SA Monitor 1 Use the Refresh function to display active VPN connections 2 Use the Disconnect function to cut off active connections...

Page 390: ...3DES NULL denotes a tunnel without encryption An incoming SA may have an AH in addition to ESP The Authentication Header provides strong integrity and authentication by adding authentication informat...

Page 391: ...te any field except parameters in the Input column For more text file examples refer to the Example Internal SPTGEN Screens Appendix Menu 1 General Setup 10000000 Configured 0 No 1 Yes 1 10000001 Syst...

Page 392: ...d Parameter Entered Command Line Example 44 3 Internal SPTGEN FTP Download Example Figure 44 4 Internal SPTGEN FTP Download Example field value is not legal error 1 ROM t is not saved error Line ID 10...

Page 393: ...al SPTGEN FTP Upload Example c ftp 192 168 1 1 220 PPP FTP version 1 0 ready at Sat Jan 1 03 22 12 2000 User 192 168 1 1 none 331 Enter PASS command Password 230 Logged in ftp bin 200 Type I OK ftp pu...

Page 394: ......

Page 395: ...Appendices and Index XII P Pa ar rt t X XI II I Appendices and Index This part contains additional background information and an index or key terms...

Page 396: ...e you should contact your vendor Problems with the LAN LED Chart A 2 Troubleshooting the LAN LED PROBLEM CORRECTIVE ACTION Check your Ethernet cable connections and type refer to the Compact Guide for...

Page 397: ...sulation only Make sure that you have entered the correct Service Type User Name and Password be sure to use the correct casing Refer to the WAN Setup chapter web configurator or the Internet Access c...

Page 398: ......

Page 399: ...t for details For WAN access you must configure remote management to allow server access from the Wan or all You must also configure a firewall rule to allow access from the WAN Refer to the chapters...

Page 400: ......

Page 401: ...s the first three octets make up the network number and the last octet is the host ID Class D addresses begin with 1 1 1 0 Class D addresses are used for multicasting There is also a class E address I...

Page 402: ...255 255 255 0 Subnetting With subnetting the class arrangement of an IP address is ignored For example a class C address no longer has to have 24 bits of network number and 8 bits of host ID With sub...

Page 403: ...s by converting one of the host ID bits of the IP address to a network number bit The borrowed host ID bit can be either 0 or 1 thus giving two subnets 192 168 1 0 with mask 255 255 255 128 and 192 16...

Page 404: ...ubnets The above example illustrated using a 25 bit subnet mask to divide a class C address space into two subnets Similarly to divide a class C address into four subnets you need to borrow two host I...

Page 405: ...t Address 192 168 1 255 Highest Host ID 192 168 1 254 Example Eight Subnets Similarly use a 27 bit mask to create 8 subnets 001 010 011 100 101 110 The following table shows class C IP address last oc...

Page 406: ...ing The following table is a summary for class B subnet planning Chart B 13 Class B Subnet Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 1 255 255 128 0 17 2 32766 2 255 25...

Page 407: ...the switching fabric is already in place 3 It allows the ISP to use the existing dial up model to authenticate and optionally to provide differentiated services Traditional Dial up Scenario The follo...

Page 408: ...PPoE Client When using the Prestige as a PPPoE client the computers on the LAN see only Ethernet and are not aware of PPPoE This alleviates the administrator from having to manage the PPPoE clients on...

Page 409: ...etween circuit end points Diagram D 1 Virtual Circuit Topology Think of a virtual path as a cable that contains a bundle of wires The cable connects two points and wires within the cable provide indiv...

Page 410: ......

Page 411: ...seen in SMT screens FN Field Name PVA Parameter Values Allowed INPUT An example of what you may enter Applies to the Prestige The following are Internal SPTGEN screens associated with the SMT screens...

Page 412: ...col filters Set 4 256 30100013 Output device filters Set 1 256 30100014 Output device filters Set 2 256 30100015 Output device filters Set 3 256 30100016 Output device filters Set 4 256 Menu 3 2 TCP I...

Page 413: ...Both 2 In Only 3 Out Only 0 30201005 Version 0 Rip 1 1 Rip 2B 2 Rip 2M 0 30201006 IP Alias 1 Incoming protocol filters Set 1 256 30201007 IP Alias 1 Incoming protocol filters Set 2 256 30201008 IP Ali...

Page 414: ...t 4 256 30201023 IP Alias 2 Outgoing protocol filters Set 1 256 30201024 IP Alias 2 Outgoing protocol filters Set 2 256 30201025 IP Alias 2 Outgoing protocol filters Set 3 256 30201026 IP Alias 2 Outg...

Page 415: ...00 Continued 30501034 Address 32 00 00 00 00 00 00 Menu 4 Internet Access Setup SMT Menu 4 FIN FN PVA INPUT 40000000 Configured 0 No 1 Yes 1 40000001 ISP 0 No 1 Yes 1 40000002 Active 0 No 1 Yes 1 4000...

Page 416: ...otocol filter set 4 256 40000020 ISP outgoing protocol filter set 1 256 40000021 ISP outgoing protocol filter set 2 256 40000022 ISP outgoing protocol filter set 3 256 40000023 ISP outgoing protocol f...

Page 417: ...et 2 Active 0 No 1 Yes 0 120102003 IP Static Route set 2 Destination IP address 0 0 0 0 120102004 IP Static Route set 2 Destination IP subnetmask 0 120102005 IP Static Route set 2 Gateway 0 0 0 0 1201...

Page 418: ...et 5 Active 0 No 1 Yes 0 120105003 IP Static Route set 5 Destination IP address 0 0 0 0 120105004 IP Static Route set 5 Destination IP subnetmask 0 120105005 IP Static Route set 5 Gateway 0 0 0 0 1201...

Page 419: ...e 0 No 1 Yes 0 120108003 IP Static Route set 8 Destination IP address 0 0 0 0 120108004 IP Static Route set 8 Destination IP subnetmask 0 120108005 IP Static Route set 8 Gateway 0 0 0 0 120108006 IP S...

Page 420: ...tion IP address 0 0 0 0 120111004 IP Static Route set 11 Destination IP subnetmask 0 120111005 IP Static Route set 11 Gateway 0 0 0 0 120111006 IP Static Route set 11 Metric 0 120111007 IP Static Rout...

Page 421: ...s 0 0 0 0 120114004 IP Static Route set 14 Destination IP subnetmask 0 120114005 IP Static Route set 14 Gateway 0 0 0 0 120114006 IP Static Route set 14 Metric 0 120114007 IP Static Route set 14 Priva...

Page 422: ...tart 0 150000005 SUA Server 2 Port End 0 150000006 SUA Server 2 Local IP address 0 0 0 0 150000007 SUA Server 3 Active 0 No 1 Yes 0 150000008 SUA Server 3 Protocol 0 All 6 TCP 1 7 UDP 0 150000009 SUA...

Page 423: ...r 8 Port End 0 150000036 SUA Server 8 Local IP address 0 0 0 0 150000037 SUA Server 9 Active 0 No 1 Yes 0 150000038 SUA Server 9 Protocol 0 All 6 TCP 1 7 UDP 0 150000039 SUA Server 9 Port Start 0 1500...

Page 424: ...1 Rule 1 Dest Port Comp 0 none 1 equal 2 not equal 3 less 4 greater 1 210101008 IP Filter Set 1 Rule 1 Src IP address 0 0 0 0 210101009 IP Filter Set 1 Rule 1 Src Subnet Mask 0 210101010 IP Filter Se...

Page 425: ...0 210102013 IP Filter Set 1 Rule 2 Act Match 1 check next 2 forward 3 drop 3 210102014 IP Filter Set 1 Rule 2 Act Not Match 1 check next 2 forward 3 drop 1 Menu 21 1 1 3 set 1 rule 3 SMT Menu 21 1 1 3...

Page 426: ...ddress 0 0 0 0 210104005 IP Filter Set 1 Rule 4 Dest Subnet Mask 0 210104006 IP Filter Set 1 Rule 4 Dest Port 137 210104007 IP Filter Set 1 Rule 4 Dest Port Comp 0 none 1 equal 2 not equal 3 less 4 gr...

Page 427: ...none 1 equal 2 not equal 3 less 4 greater 0 210105013 IP Filter Set 1 Rule 5 Act Match 1 check next 2 forward 3 drop 3 210105014 IP FILTER SET 1 RULE 5 ACT NOT MATCH 1 CHECK NEXT 2 FORWARD 3 DR OP 1...

Page 428: ...PUT 210201001 IP Filter Set 2 Rule 1 Type 0 none 2 TCP I P 2 210201002 IP Filter Set 2 Rule 1 Active 0 No 1 Yes 1 210201003 IP Filter Set 2 Rule 1 Protocol 6 210201004 IP Filter Set 2 Rule 1 Dest IP a...

Page 429: ...0 none 1 equal 2 not equal 3 less 4 greater 1 210202008 IP Filter Set 2 Rule 2 Src IP address 0 0 0 0 210202009 IP Filter Set 2 Rule 2 Src Subnet Mask 0 210202010 IP Filter Set 2 Rule 2 Src Port 0 21...

Page 430: ...Act Not Match 1 check next 2 forward 3 drop 1 Menu 21 1 2 4 Filter set 2 rule 4 SMT Menu 21 1 2 4 FIN FN PVA INPUT 210204001 IP Filter Set 2 Rule 4 Type 0 none 2 TCP I P 2 210204002 IP Filter Set 2 Ru...

Page 431: ...0205006 IP Filter Set 2 Rule 5 Dest Port 138 210205007 IP Filter Set 2 Rule 5 Dest Port Comp 0 none 1 equal 2 not equal 3 less 4 greater 1 210205008 IP Filter Set 2 Rule 5 Src IP address 0 0 0 0 21020...

Page 432: ...not equal 3 less 4 greater 0 210206013 IP Filter Set 2 Rule 6 Act Match 1 check next 2 forward 3 drop 3 210206014 IP Filter Set 2 Rule 6 Act Not Match 1 check next 2 forward 3 drop 2 Menu 23 1 System...

Page 433: ...ver Port 23 241100002 TELNET Server Access 0 all 1 none 2 Lan 3 Wan 0 241100003 TELNET Server Secured IP address 0 0 0 0 241100004 FTP Server Port 21 241100005 FTP Server Access 0 all 1 none 2 Lan 3 W...

Page 434: ...Prestige 662HW Series User s Guide E 24 Example Internal SPTGEN Screens 990000001 ADSL OPMD 0 etsi 1 norma l 2 gdmt 3 mul timode 3...

Page 435: ...er the appropriate TCP IP components are installed configure the TCP IP settings in order to communicate with your network If you manually assign IP information instead of using dynamic assignment mak...

Page 436: ...Add c Select Microsoft from the list of manufacturers d Select Client for Microsoft Networks from the list of network clients and then click OK e Restart your computer so the changes you made take ef...

Page 437: ...ay s IP address remove previously installed gateways If you have a gateway IP address type it in the New gateway field and click Add 5 Click OK to save and close the TCP IP Properties window 6 Click O...

Page 438: ...ateway Windows 2000 NT XP 1 For Windows XP click start Control Panel In Windows 2000 NT click Start Settings Control Panel 2 For Windows XP click Network Connections For Windows 2000 NT click Network...

Page 439: ...Win XP and click Properties 5 The Internet Protocol TCP IP Properties window opens the General tab in Windows XP If you have a dynamic IP address click Obtain an IP address automatically If you have...

Page 440: ...P address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default gateways in the IP Settings tab...

Page 441: ...onfigured DNS servers click Advanced and then the DNS tab to order them 8 Click OK to close the Internet Protocol TCP IP Properties window 9 Click OK to close the Local Area Connection Properties wind...

Page 442: ...ally Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your Prestige in the Router address box 5 Close the TCP IP Control Panel 6 Click Sav...

Page 443: ...lect Using DHCP from the Configure list 4 For statically assigned settings do the following From the Configure box select Manually Type your IP address in the IP Address box Type your subnet mask in t...

Page 444: ......

Page 445: ...de labeled Phone to your telephone Step 2 Connect the side labeled Modem to your Prestige Step 3 Connect the side labeled Line to the telephone wall jack Telephone Microfilters Telephone voice transmi...

Page 446: ...rs Diagram G 2 Connecting a Microfilter Prestige With ISDN This section relates to people who use their Prestige with ADSL over ISDN digital telephone service only The following is an example installa...

Page 447: ...router s SMT interface SMT Login Fail Someone has failed to log on to the router s SMT interface WEB Login Successfully Someone has logged on to the router s web configurator interface WEB Login Fail...

Page 448: ...include the protocol Protocol of the packet for example TCP or UDP that triggered the log Chart H 4 Attack Logs LOG MESSAGE DESCRIPTION attack Protocol The firewall detected an attack The log may also...

Page 449: ...and the Prestige logged it src IP Protocol Direction Access did not match a firewall rule s source IP address and the Prestige logged it protocol Protocol Direction Access did not match a firewall rul...

Page 450: ...chable 0 Net unreachable 1 Host unreachable 2 Protocol unreachable 3 Port unreachable 4 A packet that needed fragmentation was dropped because it was set to Don t Fragment DF 5 Source route failed 4 S...

Page 451: ...P Notes TYPE CODE DESCRIPTION 12 Parameter Problem 0 Pointer indicates the error 13 Timestamp 0 Timestamp request message 14 Timestamp Reply 0 Timestamp reply message 15 Information Request 0 Informat...

Page 452: ......

Page 453: ...4 Budget Management 38 2 38 3 BW Budget 20 10 C call back delay 24 5 Call Filtering 33 1 Call Filters Built In 33 1 User Defined 33 1 Call Scheduling 41 1 Maximum Number of Schedule Sets 41 1 PPPoE 4...

Page 454: ...lter Structure 33 2 Generic Filter Rule 33 8 Remote Node 28 7 Remote Node Filter 28 7 Remote Node Filters 33 14 Sample 33 12 SUA 33 10 TCP IP Filter Rule 33 6 Filter Log 36 6 Filter Rule 33 6 Filter R...

Page 455: ...Policies 40 5 IP Policy Routing IPPR 1 5 27 1 Applying an IP Policy 40 5 Ethernet IP Policies 40 5 Gateway 40 5 IP Pool Setup 3 9 IP Ports 42 7 42 8 IP Protocol 40 4 IP Routing Policy IPPR 40 1 Benefi...

Page 456: ...ng 40 1 POP3 8 5 11 3 Port Configuration 12 11 Port Numbers 8 5 PPP Encapsulation 28 9 PPP Log 36 7 PPPoA 28 2 PPTP 8 5 Precedence 40 1 40 4 Pre Shared Key 16 8 Prestige Firewall Application 11 2 Prio...

Page 457: ...12 9 25 3 28 6 29 3 36 4 Subnet Masks B 2 Subnetting B 2 Supporting Disk xxii SYN Flood 11 4 SYN ACK 11 4 Syntax Conventions xxii Syslog 12 11 12 15 36 5 Syslog IP Address 36 6 Syslog Server 36 5 Sys...

Page 458: ...Multiplexing 28 2 Virtual Private Network 15 1 VPI VCI 3 2 VPN 15 1 VPN Applications 15 2 W WAN Setup 24 1 WAN to LAN Rules 12 3 Web Configurator 2 1 2 2 2 3 11 2 11 9 12 2 32 2 WEP 6 3 WEP Encryptio...

Reviews:

No comments

Brands by name

Popular brands

Load more brands