ZyXEL Communications Prestige 792H User Manual Download Page 125 | Manualshive

Page: 125 / 437

background image

Prestige 792H User’s Guide

Firewall

8-13

8.7.1 Packet Filtering:

The router filters packets as they pass through the router’s interface according to the filter rules you
designed.

Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need
a chain of rules to filter a service.

Packet filtering only checks the header portion of an IP packet.

When To Use Filtering

To block/allow LAN packets by their MAC addresses.

To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets.

To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific
inside host/network "A" and outside host/network "B". If the filter blocks the traffic from A to B, it also
blocks the traffic from B to A. Filters can not distinguish traffic originating from an inside host or an
outside host by IP address.

To block/allow IP trace route.

8.7.2 Firewall

The firewall inspects packet contents as well as their source and destination addresses. Firewalls of this
type employ an inspection module, applicable to all protocols, that understands data in the packet is
intended for other layers, from the network layer (IP headers) up to the application layer.

The firewall performs stateful inspection. It takes into account the state of connections it handles so that,
for example, a legitimate incoming packet can be matched with the outbound request for that packet and
allowed in. Conversely, an incoming packet masquerading as a response to a nonexistent outbound
request can be blocked.

The firewall uses session filtering, i.e., smart rules, that enhance the filtering process and control the
network session rather than control individual packets in a session.

The firewall provides e-mail service to notify you of routine reports and when alerts occur.

When To Use The Firewall

To prevent DoS attacks and prevent hackers cracking your network.

A range of source and destination IP addresses as well as port numbers can be specified within one
firewall rule making the firewall a better choice when complex rules are required.

«
...
123
124
125
126
127
...
»

Summary of Contents for Prestige 792H

Page 1: ...Prestige 792H G SHDSL 4 port Security Gateway User s Guide Version 3 40 BZ 0 March 2004...

Page 2: ...yXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it co...

Page 3: ...ency energy and if not installed and used in accordance with the instructions may cause harmful interference to radio communications If this equipment does cause harmful interference to radio televisi...

Page 4: ...mpliance with the above conditions may not prevent degradation of service in some situations Repairs to certified equipment should be made by an authorized Canadian maintenance facility designated by...

Page 5: ...he purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose ZyXEL shall in no event be...

Page 6: ...l com 1 800 255 4101 1 714 632 0882 www us zyxel com NORTH AMERICA sales zyxel com 1 714 632 0858 ftp us zyxel com ZyXEL Communications Inc 1130 N Miller St Anaheim CA 92806 2001 U S A support zyxel d...

Page 7: ...ORWAY sales zyxel no 47 22 80 61 81 ZyXEL Communications A S Nils Hansens vei 13 0667 Oslo Norway support zyxel se 46 31 744 7700 www zyxel se SWEDEN sales zyxel se 46 31 744 7701 ZyXEL Communications...

Page 8: ......

Page 9: ...5 Chapter 2 Introducing the Web Configurator 2 1 2 1 Web Configurator Overview 2 1 2 2 Accessing the Prestige Web Configurator 2 1 2 3 Navigating the Prestige Web Configurator 2 2 2 4 Configuring Pas...

Page 10: ...onfiguration 3 16 3 14Wizard Setup Configuration Connection Tests 3 18 3 15Test Your Internet Connection 3 19 Chapter 4 LAN Setup 4 1 4 1 LAN Overview 4 1 4 1 1 LANs WANs and the Prestige 4 1 4 2 DNS...

Page 11: ...Setup 7 1 7 1 Dynamic DNS 7 1 7 1 1 DynDNS Wildcard 7 1 7 2 Configuring Dynamic DNS 7 1 Chapter 8 Firewall 8 1 8 1 Firewall Overview 8 1 8 2 Types of Firewalls 8 1 8 2 1 Packet Filtering Firewalls 8...

Page 12: ...10 7Creating Editing Firewall Rules 10 11 10 7 1 Source and Destination Addresses 10 13 10 8Timeout 10 14 10 8 1 Factors Influencing Choices for Timeout Values 10 15 Chapter 11 Customized Services 11...

Page 13: ...gotiation Mode 14 14 14 10 2 Diffie Hellman DH Key Groups 14 14 14 10 3 Perfect Forward Secrecy PFS 14 14 14 11 Configuring Advanced IKE Settings 14 15 14 12 Manual Key Setup 14 18 14 12 1 Security Pa...

Page 14: ...Diagnostic DSL Line Screen 17 8 17 5Firmware Screen 17 9 Chapter 18 Introducing the SMT 18 1 18 1SMT Introduction 18 1 18 1 1 Procedure for SMT Configuration via Console Port 18 1 18 1 2 Procedure for...

Page 15: ...n 24 10 24 5 2 LLC based Multiplexing or PPP Encapsulation 24 10 Chapter 25 Static Route Setup 25 1 25 1Static Route Overview 25 1 Chapter 26 Bridging Setup 26 1 26 1Bridging Overview 26 1 26 2Bridge...

Page 16: ...30 5 30 4 1 Viewing Error Log 30 5 30 4 2 Syslog 30 6 30 5Diagnostic 30 8 Chapter 31 Firmware and Configuration File Maintenance 31 1 31 1Filename Conventions 31 1 31 2Backup Configuration 31 2 31 2 1...

Page 17: ...ting the Time 32 5 Chapter 33 IP Policy Routing 33 1 33 1IP Policy Routing Overview 33 1 33 1 1 IP Policy Routing Benefits 33 1 33 1 2 Routing Policy 33 1 33 2IP Routing Policy Setup 33 2 33 3Applying...

Page 18: ...VPN Responder IPSec Log 37 3 Chapter 38 Internal SPTGEN 38 1 38 1Internal SPTGEN Overview 38 1 38 2The Configuration Text File Format 38 1 38 2 1 Internal SPTGEN File Modification Important Points to...

Page 19: ...gure 3 8 Wizard LAN Configuration 3 17 Figure 3 9 Wizard Screen Connection Tests 3 19 Figure 4 1 LAN and WAN IP Addresses 4 1 Figure 4 2 LAN 4 4 Figure 5 1 Example of Traffic Shaping 5 4 Figure 5 2 WA...

Page 20: ...le 11 5 Figure 11 7 Rule Summary Example 11 6 Figure 12 1 Content Filter Keyword 12 2 Figure 12 2 Content Filter Schedule 12 3 Figure 12 3 Content Filter Trusted 12 4 Figure 12 4 Content Filter Logs 1...

Page 21: ...gure 21 5 Remote Node PPP Options Menu Fields 21 7 Figure 21 6 Remote Node Network Layer Options 21 8 Figure 21 7 Menu 11 5 Remote Node Filter Ethernet 21 10 Figure 22 1 TCP IP Ethernet Setup 22 1 Fig...

Page 22: ...re 27 13 NAT Example 2 27 13 Figure 27 14 NAT Example 2 Menu 15 2 1 27 14 Figure 27 15 NAT Example 3 27 15 Figure 27 16 Example 3 Menu 11 3 27 15 Figure 27 17 Example 3 Menu 15 1 1 1 27 16 Figure 27 1...

Page 23: ...8 Figure 31 1 System Maintenance Backup Configuration 31 3 Figure 31 2 FTP Session Example 31 4 Figure 31 3 System Maintenance Backup Configuration 31 6 Figure 31 4 System Maintenance Starting Xmodem...

Page 24: ...e Set Setup 34 2 Figure 34 3 Applying Schedule Set s to a Remote Node PPPoE 34 4 Figure 35 1 Telnet Configuration on a TCP IP Network 35 1 Figure 35 2 Remote Management Control 35 2 Figure 36 1 VPN SM...

Page 25: ...3 Services and Port Numbers 6 6 Table 6 4 NAT Mode 6 8 Table 6 5 Edit SUA NAT Server Set 6 9 Table 6 6 Address Mapping Rules 6 11 Table 6 7 Address Mapping Rule Edit 6 13 Table 7 1 DDNS 7 2 Table 8 1...

Page 26: ...08 ISAKMP Payload Types 14 30 Table 14 16 Telecommuters Sharing One VPN Rule Example 14 31 Table 14 17 Telecommuters Using Unique VPN Rules Example 14 33 Table 15 1 Remote Management 15 3 Table 16 1 C...

Page 27: ...30 2 System Maintenance Information 30 4 Table 30 3 System Maintenance Menu Syslog Parameters 30 7 Table 30 4 System Maintenance Menu Diagnostic 30 9 Table 31 1 Filename Conventions 31 2 Table 31 2 G...

Page 28: ...Prestige 792H User s Guide xxviii List of Tables Table A 5 Troubleshooting the Password A 3 Table A 6 Troubleshooting Telnet A 3 Diagram C 1 Virtual Circuit Topology C 1...

Page 29: ...de contain background information on features not configurable by web configurator Related Documentation Supporting Disk Refer to the included CD for support documents Quick Start Guide The Quick Star...

Page 30: ...other words throughout this manual The Prestige 792H may be referred to as the Prestige in this user s guide Images of Prestige 792H are used throughout this document unless otherwise specified The fo...

Page 31: ...the downstream capacity is higher than the upstream capacity Asymmetrical services ADSL are suitable for Internet users because more information is usually downloaded than uploaded For example a simp...

Page 32: ......

Page 33: ...Getting Started I P Pa ar rt t I I Getting Started This part covers Getting to Know Your Prestige Hardware Installation Initial Setup WAN LAN and Internet Access...

Page 34: ......

Page 35: ...a Traffic Redirect service that forwards WAN traffic to a backup gateway The Prestige uses TC PAM line code with echo cancellation for high data rate transmissions over a single twisted telephone wir...

Page 36: ...d on the IPSec standard and is fully interoperable with other IPSec based VPN products Traffic Redirect Traffic redirect forwards WAN traffic to a backup gateway when the Prestige cannot connect to th...

Page 37: ...ocol SUA Single User Account and NAT Network Address Translation PAP and CHAP Security The Prestige supports PAP Password Authentication Protocol and CHAP Challenge Handshake Authentication Protocol C...

Page 38: ...nloading of firmware and configuration file over the LAN Packet Filtering Packet filtering blocks unwanted traffic from entering leaving your network Ease of Installation Your Prestige is designed for...

Page 39: ...Internet Access Figure 1 1 Internet Access Application Your Prestige can act as either of the following A bridge for multi computer MAC bridging RFC 1483 bridged Ethernet 802 3 1 2 2 LAN to LAN Appli...

Page 40: ......

Page 41: ...0 and later or Netscape Navigator 7 0 and later versions with JavaScript enabled It is recommended that you set your screen resolution to 1024 by 768 pixels 2 2 Accessing the Prestige Web Configurator...

Page 42: ...gate the web configurator from the Site Map screen Select a language from the Language drop down list box Click Wizard Setup to begin a series of screens to configure your Prestige for the first time...

Page 43: ...P icon located in the top right corner of most screens to view embedded help 2 4 Configuring Password It is highly recommended that you change the password for accessing the Prestige To change your Pr...

Page 44: ...his field Apply Click Apply to save your changes back to the Prestige Cancel Click Cancel to begin configuring this screen afresh 2 5 Resetting the Prestige If you forget your password or cannot acces...

Page 45: ...ip it and save it in a folder Step 3 Turn off the Prestige begin a terminal emulation software session and turn on the Prestige again When you see the message Press Any key to enter Debug Mode within...

Page 46: ......

Page 47: ...you 3 2 WAN Setup Use the first wizard screen to configure G SHDSL settings for your WAN line Different telephone companies deploy different types of G SHDSL service If you are unsure of any of this...

Page 48: ...e is a client select the same Standard Mode that the server side selects ANSI and ETSI create recommendations and standards for the telecommunications industry 3 3 Encapsulation Be sure to use the enc...

Page 49: ...tion over ATM Adaptation Layer 5 AAL5 The first method allows multiplexing of multiple protocols over a single ATM virtual circuit LLC based multiplexing and the second method assumes that each protoc...

Page 50: ...r VPI and Virtual Channel Identifier VCI numbers assigned to you The valid range for the VPI is 0 to 255 and for the VCI is 32 to 65535 0 to 31 is reserved for local management of ATM traffic Please s...

Page 51: ...attained the connection does not succeed Max Rate Min Rate Select transfer rates from the Max Rate and Min Rate drop down list boxes For back to back applications make sure that your Prestige and its...

Page 52: ...more information VPI Enter the VPI assigned to you This field may already be configured VCI Enter the VCI assigned to you This field may already be configured Next Click this button to go to the next...

Page 53: ...net mask specifies the network number portion of an IP address Your Prestige will compute the subnet mask automatically based on the IP address that you entered You don t need to change the subnet mas...

Page 54: ...for private networks 10 0 0 0 10 255 255 255 172 16 0 0 172 31 255 255 192 168 0 0 192 168 255 255 You can obtain your IP address from the IANA from an ISP or it can be assigned from a private networ...

Page 55: ...3 10 NAT NAT Network Address Translation NAT RFC 1631 is the translation of the IP address of a host in a packet for example the source address of an outgoing packet used within one network to a diff...

Page 56: ...ls in this screen Table 3 3 Internet Connection with PPPoA LABEL DESCRIPTION User Name Enter the user name exactly as your ISP assigned If assigned a name in the form user domain where domain identifi...

Page 57: ...e Prestige will try to bring up the connection automatically if it is disconnected The schedule rule s in SMT menu 26 has priority over your Connection settings Network Address Translation This option...

Page 58: ...LABEL DESCRIPTION IP Address This field is available if you select Routing in the Mode field Type your ISP assigned IP address in this field Network Address Translation Select None SUA Only or Full F...

Page 59: ...a different one each time you connect to the Internet The Single User Account feature can be used with either a dynamic or static IP address Select Obtain an IP Address Automatically if you have a dy...

Page 60: ...sown list box Refer to the NAT chapter for more details Back Click Back to go back to the first wizard screen Next Click Next to continue to the next wizard screen 3 11 4 PPPoE Select PPPoE from the E...

Page 61: ...dress and type your ISP assigned IP address in the IP Address text box below Connection Select Connect on Demand when you don t want the connection up all the time and specify an idle time out in seco...

Page 62: ...m 192 168 1 33 to 192 168 1 64 for the client machines This leaves 31 IP addresses 192 168 1 2 to 192 168 1 32 excluding the Prestige itself which has a default IP of 192 168 1 1 for other server mach...

Page 63: ...ing table describes the labels in this screen Table 3 7 Wizard LAN Configuration LABEL DESCRIPTION LAN IP Address Enter the IP address of your Prestige in dotted decimal notation for example 192 168 1...

Page 64: ...pool Size of Client IP Pool This field specifies the size or count of the IP address pool Primary DNS Server Enter the IP addresses of the DNS servers The DNS servers are passed to the DHCP clients a...

Page 65: ...browser and navigate to www zyxel com Internet access is just the beginning Refer to the rest of this User s Guide for more detailed information on the complete range of Prestige features If you canno...

Page 66: ......

Page 67: ...help you configure a LAN DHCP server and manage IP addresses 4 1 1 LANs WANs and the Prestige The actual physical connection determines whether the Prestige ports are LAN or WAN ports There are two s...

Page 68: ...e real DNS server learned through IPCP and relays the response back to the computer Please note that DNS proxy works only when the ISP uses the IPCP DNS server extensions It does not mean you can leav...

Page 69: ...ll send out RIP packets but will not accept any RIP packets received 4 None the Prestige will not send any RIP packets and will ignore any RIP packets received The Version field controls the format an...

Page 70: ...e 224 0 0 1 group in order to participate in IGMP The address 224 0 0 2 is assigned to the multicast routers group The Prestige supports both IGMP version 1 IGMP v1 and IGMP version 2 IGMP v2 At start...

Page 71: ...s pool Size of Client IP Pool This field specifies the size or count of the IP address pool Primary DNS Server Enter the IP addresses of the DNS servers The DNS servers are passed to the DHCP clients...

Page 72: ...Prestige 792H User s Guide 4 6 LAN Setup Table 4 1 LAN LABEL DESCRIPTION Apply Click this button to save these settings back to the Prestige Cancel Click this button to reset the fields in this screen...

Page 73: ...than 15 means the link is down The smaller the number the lower the cost The metric sets the priority for the Prestige s routes to the Internet If any two of the default routes have the same metric t...

Page 74: ...s and authentication method that works with existing access control systems for example Radius PPPoE provides a login and authentication method that the existing Microsoft Dial Up Networking software...

Page 75: ...gives a maximum PCR of 1962 cells sec This rate is not guaranteed because it is dependent on the line speed Sustained Cell Rate SCR is the mean cell rate of each bursty traffic source It specifies th...

Page 76: ...792H User s Guide 5 4 WAN Setup Figure 5 1 Example of Traffic Shaping 5 5 Configuring WAN Setup To change your Prestige s WAN remote node settings click WAN WAN Setup The screen differs by the encaps...

Page 77: ...Prestige 792H User s Guide WAN Setup 5 5 Figure 5 2 WAN Setup The following table describes the labels in this screen...

Page 78: ...t Refer to the appendix for more information VPI The valid range for the VPI is 0 to 255 Enter the VPI assigned to you VCI The valid range for the VCI is 32 to 65535 0 to 31 is reserved for local mana...

Page 79: ...re can be used with either a dynamic or static IP address Select Obtain an IP Address Automatically if you have a dynamic IP address otherwise select Static IP Address and type your ISP assigned IP ad...

Page 80: ...ENCAP encapsulation only You must specify a gateway IP address supplied by your ISP when you select ENET ENCAP in the Encapsulation field Back Click Back to return to the previous screen Apply Click...

Page 81: ...bnet 2 Configure filters that allow packets from the protected LAN Subnet 1 to the backup gateway Subnet 2 Figure 5 4 Traffic Redirect LAN Setup 5 7 Configuring WAN Backup The WAN Backup port or CON A...

Page 82: ...92H User s Guide 5 10 WAN Setup To change your Prestige s WAN backup settings click WAN then WAN Backup The screen appears as shown Figure 5 5 WAN Backup The following table describes the fields in th...

Page 83: ...ion usually a WAN backup connection it periodically checks to whether or not it can use a higher priority connection Type the number of seconds 30 recommended for the Prestige to wait between checks A...

Page 84: ...external device Available speeds are 9600 19200 38400 57600 115200 or 230400 bps User Name Type the login name assigned by your ISP Password Type the password assigned by your ISP Pri Phone Type the...

Page 85: ...entication make sure that you specify the correct authentication protocol when connecting to such an implementation 5 9 Configuring Advanced WAN Backup To edit your Prestige s advanced WAN backup sett...

Page 86: ...Prestige 792H User s Guide 5 14 WAN Setup Figure 5 6 Advanced WAN Backup...

Page 87: ...ire dialing the pound sign before the phone number for local calls Include a symbol at the beginning of the phone numbers as required Dial Backup Port Speed Use the drop down list box to select the sp...

Page 88: ...2 format the difference being that RIP 2B uses subnet broadcasting while RIP 2M uses multicasting Multicasting can reduce the load on non router machines since they generally do not listen to the RIP...

Page 89: ...onnection settings Allocate Budget Type the amount of time in minutes that the dial backup connection can be used during the time configured in the Period field Set an amount that is less than the tim...

Page 90: ...ang up in addition to issuing the drop command ATH 5 12 Response Strings The response strings tell the Prestige the tags or labels immediately preceding the various call parameters sent from the WAN d...

Page 91: ...ble 5 4 Advanced Modem Setup LABEL DESCRIPTION AT Command Strings Dial Type the AT Command string to make a call Example atdt Drop Type the AT Command string to drop a call represents a one second wai...

Page 92: ...oing call before timing out stopping Example 60 Retry Count Type a number of times for the Prestige to retry a busy or no answer phone number before blacklisting the number Example 0 Retry Interval Ty...

Page 93: ...NAT and Dynamic DNS II Part II NAT and Dynamic DNS This part covers NAT Network Address Translation and dynamic DNS Domain Name Sever...

Page 94: ......

Page 95: ...side outside refers to the location of a host while global local refers to the IP address of a host used in a packet Thus an inside local address ILA is the IP address of an inside host in a packet wh...

Page 96: ...nside Local Address is the source address on the LAN and the IGA Inside Global Address is the source address on the WAN For incoming packets the ILA is the destination address on the LAN and the IGA i...

Page 97: ...multiple local IP addresses to one global IP address This is equivalent to SUA for instance PAT port address translation ZyXEL s Single User Account feature that previous ZyXEL routers supported the...

Page 98: ...ILA3 IGA1 ILA4 IGA2 M M Ov Many to Many No Overload ILA1 IGA1 ILA2 IGA2 ILA3 IGA3 M M No OV Server Server 1 IP IGA1 Server 2 IP IGA1 Server 3 IP IGA1 Server 6 2 SUA Single User Account Versus NAT SUA...

Page 99: ...ddress in Server Set 1 default server the Prestige discards all packets received for ports that are not specified here or in the remote management setup 6 3 1 Port Forwarding Services and Port Numbers...

Page 100: ...Transfer Protocol 25 DNS Domain Name System 53 Finger 79 HTTP Hyper Text Transfer protocol or WWW Web 80 POP3 Post Office Protocol 110 NNTP Network News Transport Protocol 119 SNMP Simple Network Mana...

Page 101: ...H User s Guide NAT 6 7 Figure 6 3 Multiple Servers Behind NAT Example 6 4 Selecting the NAT Mode Click NAT to open the following screen Figure 6 4 NAT Mode The following table describes the labels in...

Page 102: ...Edit SUA NAT Server Set screen Full Feature Select this radio button if you have multiple public WAN IP addresses for your Prestige Edit Details Click this link to go to the NAT Address Mapping Rules...

Page 103: ...els in this screen Table 6 5 Edit SUA NAT Server Set LABEL DESCRIPTION Start Port No Enter a port number in this field To forward only one port enter the port number again in the End Port No field To...

Page 104: ...ess Mapping Ordering your rules is important because the Prestige applies the rules in the order that you specify When a rule matches the current packet the Prestige takes the corresponding action and...

Page 105: ...Address ILA If your rule is for all local IP addresses then enter 0 0 0 0 as the Local Start IP address and 255 255 255 255 as the Local End IP address This field is N A for One to one and Server mapp...

Page 106: ...us ZyXEL routers supported only M M Ov Overload Many to Many Overload mode maps multiple local IP addresses to shared global IP addresses MM No No Overload Many to Many No Overload mode maps each loca...

Page 107: ...the outside world Local Start IP This is the starting local IP address ILA Local IP addresses are N A for Server port mapping Local End IP This is the end local IP address ILA If your rule is for all...

Page 108: ......

Page 109: ...relatives will always be able to call you even if they don t know your IP address First of all you need to have registered a dynamic DNS account with www dyndns org This is for people with a dynamic...

Page 110: ...the name of your Dynamic DNS service provider Host Name Type the domain name assigned to your Prestige by your Dynamic DNS provider E mail Address Type your e mail address User Type your user name Pas...

Page 111: ...r III Part III Firewall and Content Filter This part introduces firewalls in general and the Prestige firewall It also explains customized services and logs and gives example firewall rules and an ove...

Page 112: ......

Page 113: ...to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security policy In addition specific policies must be implemented with...

Page 114: ...hat some proxies support See section 8 5 for more information on Stateful Inspection Firewalls of one type or another have become an integral part of standard security solutions for enterprises 8 3 In...

Page 115: ...that perform specific functions An extension number called the TCP port or UDP port identifies these protocols such as HTTP Web FTP File Transfer Protocol POP3 E mail etc For example Web traffic by d...

Page 116: ...ze packet is then sent to an unsuspecting system Systems may crash hang or reboot 1 b Teardrop attack exploits weaknesses in the re assembly of IP packet fragments As data is transmitted through a net...

Page 117: ...ck floods a targeted system with a series of SYN packets Each packet causes the targeted system to issue a SYN ACK response While the targeted system waits for the ACK that follows the SYN ACK it queu...

Page 118: ...the network the router will broadcast the ICMP echo request packet to all hosts on the network If there are numerous hosts this will create a large amount of ICMP echo request and response traffic If...

Page 119: ...king a router or firewall into thinking that the communications are coming from within the trusted network To engage in IP spoofing a hacker must modify the packet headers so that it appears that the...

Page 120: ...the LAN network through the firewall s WAN interface The TCP packet is the first in a session and the packet s application layer protocol is configured for a firewall rule inspection 1 The packet tra...

Page 121: ...nection are inspected to update the state table entry and to modify the temporary inbound access list entries as required and are forwarded through the interface 9 When the connection terminates or ti...

Page 122: ...subsequent packet from the Internet or from the LAN its connection information is extracted and checked against the cache A packet is only allowed to pass through if it corresponds to a valid connecti...

Page 123: ...case by case basis You can use the web configurator s Custom Ports feature to do this 8 6 Guidelines for Enhancing Security with Your Firewall 1 Change the default password via SMT or web configurator...

Page 124: ...e to submit information Secure web transactions are quite difficult to crack 6 Never reveal your IP address or other system networking information to people outside your company Be careful of files e...

Page 125: ...cket contents as well as their source and destination addresses Firewalls of this type employ an inspection module applicable to all protocols that understands data in the packet is intended for other...

Page 126: ...raffic originating from an inside host or an outside host by IP address The firewall performs better than filtering if you need to check many rules Use the firewall if you need routine e mail reports...

Page 127: ...nagement see the Remote Management chapter and the firewall is enabled The firewall blocks remote management from the WAN unless you configure a firewall rule to allow it The firewall allows remote ma...

Page 128: ...s and which logs and or immediate alerts the Prestige is to send An End of Log message displays for each mail in which a complete log has been sent Figure 9 2 E mail The following table describes the...

Page 129: ...When Log is Full an alert is sent when the log fills up If you select None no log messages are sent Day for Sending Alerts Use the drop down list box to select which day of the week to send the logs T...

Page 130: ...lues should be reduced You should make any changes to the threshold values before you continue configuring firewall rules 9 4 3 Half Open Sessions An unusually high number of half open sessions either...

Page 131: ...ing half open sessions according to one of the following methods 1 If the Blocking Time timeout is 0 the default then the Prestige deletes the oldest existing half open session for the host for every...

Page 132: ...ack detected Select this check box to generate an alert whenever an attack is detected Denial of Services Thresholds One Minute Low This is the rate of new half open sessions that causes the firewall...

Page 133: ...uests The Prestige stops deleting half open sessions when the number is less than the Max Incomplete Low Do not set Maximum Incomplete High to lower than the current Max Incomplete Low number TCP Maxi...

Page 134: ......

Page 135: ...example you may create rules to Block certain types of traffic such as IRC Internet Relay Chat from the LAN to the Internet Allow certain types of traffic such as Lotus Notes database synchronization...

Page 136: ...e 2 Is it possible to modify the rule to be more specific For example if IRC is blocked for all users will a rule that blocks just certain users be more effective 3 Does a rule that allows Internet us...

Page 137: ...of IPs or a subnet 10 3 Connection Direction This section talks about configuring firewall rules for connections going from LAN to WAN and WAN to LAN in your firewall 10 3 1 LAN to WAN Rules The defau...

Page 138: ...led record that you create for packets that either match a rule don t match a rule or both when you are creating editing a firewall rule see Figure 10 5 You can also choose not to create a log for a r...

Page 139: ...ewall log 128 entries are available numbered from 0 to 127 Once they are all used the log will wrap around and the old logs will be lost Time This is the time the log was recorded in this format You m...

Page 140: ...ort and protocol This is a log for a DoS attack attack land ip spoofing icmp echo icmp vulnerability NetBIOS smtp illegal command traceroute teardrop or syn flood Chapter 8 has more detailed discussio...

Page 141: ...ng up the following screen This screen is a summary of the existing rules Note the order in which the rules are listed The ordering of your rules is very important as rules are applied in turn Figure...

Page 142: ...dress is equivalent to Any Service This is the service to which the rule applies See Table 10 3 for more information Action This is the specified action for that rule whether to Block discard or Forwa...

Page 143: ...web names e g www zyxel com to IP numbers FINGER TCP 79 Finger is a UNIX or Internet related command that can be used to find out if a user is logged on FTP TCP 20 21 File Transfer Program a program t...

Page 144: ...ntrol channel PPTP_TUNNEL GRE 0 Point to Point Tunneling Protocol enables secure transfer of data over public networks This is the data channel RCMD TCP 512 Remote Command Service REAL_AUDIO TCP 7070...

Page 145: ...P 49 Login Host Protocol used for Terminal Access Controller Access Control System TELNET TCP 23 Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments It...

Page 146: ...0 5 Creating Editing A Firewall Rule The following table describes the labels in this screen Table 10 4 Creating Editing A Firewall Rule LABEL DESCRIPTION Source Address Click SrcAdd to add a new addr...

Page 147: ...ist box to select whether to Block silently discard or Forward allow the passage of packets that match this rule Log This field determines if a log is created for packets that match the rule Match don...

Page 148: ...a subnet or any IP address Select an option from the drop down list box that includes Single Address Range Address Subnet Address and Any Address Start IP Address Type the single IP address or the sta...

Page 149: ...lt 30 for the Prestige to wait for a TCP session to reach the established state before dropping the session FIN Wait Timeout Type the number of seconds default 60 for a TCP session to remain open afte...

Page 150: ...ating Custom Rules Table 10 6 Timeout LABEL DESCRIPTION Back Click Back to return to the previous screen Apply Click Apply to save your customized settings and exit this screen Cancel Click Cancel to...

Page 151: ...mbers not predefined by the Prestige see Figure 10 5 For a comprehensive list of port numbers and services visit the IANA Internet Assigned Number Authority website For further information on these se...

Page 152: ...your customized service Protocol This shows the IP protocol TCP UDP or Both that defines your customized service Port This is the port number or range that defines your customized service Back Click B...

Page 153: ...of port numbers that define your customized service Back Click Back to return to the Firewall Customized Services screen Apply Click Apply to save your customized settings and exit this screen Cancel...

Page 154: ...tep 5 Click Edit Available Service in the Edit rule screen and then click a rule number to bring up the Firewall Customized Services Config screen Configure as follows Figure 11 5 Customized Service f...

Page 155: ...ed earlier in this chapter to configure all your rules Configure the rule configuration screen like the one below and apply it Figure 11 6 Syslog Rule Configuration Example This is your MyService cust...

Page 156: ...wall rules the Rule Summary screen should look like the following Don t forget to click Apply when you have finished configuring your rule s to save your settings back to the Prestige Figure 11 7 Rule...

Page 157: ...schedule for when the Prestige performs content filtering You can also specify trusted IP addresses on the LAN for which the Prestige will not perform content filtering 12 2 Configuring Keyword Block...

Page 158: ...check box to enable this feature Block Websites that contain these keywords in the URL This box contains the list of all the keywords that you have configured the Prestige to block Delete Highlight a...

Page 159: ...get a message telling you that the content filter is blocking this request Back Click Back to return to the previous screen Apply Click Apply to save your changes back to the Prestige Cancel Click Can...

Page 160: ...previous screen Apply Click Apply to save your changes Cancel Click Cancel to return to the previously saved settings 12 4 Configuring Trusted Computers To exclude a range of users on the LAN from con...

Page 161: ...you want to exclude an individual computer Back Click Back to return to the previous screen Apply Click Apply to save your changes back to the Prestige Cancel Click Cancel to return to the previously...

Page 162: ...e web site Reason This field shows what type of configuration in content filtering caused the event For example BLOCK_EXCEPT_TRUSTED_DOMAINS BLOCK_UNTRUST_DOMAIN BLOCK_KEYWORD BLOCK_ACTIVEX BLOCK_JAVA...

Page 163: ...VPN IPSec IV Part IV VPN IPSec This part provides information about configuring VPN IPSec for secure communications...

Page 164: ......

Page 165: ...for secure data communications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authentic...

Page 166: ...estige supports the following VPN applications Linking Two or More Private Networks Together Connect branch offices and business partners over the Internet with significant cost savings and improved p...

Page 167: ...Prestige 792H User s Guide Introduction to IPSec 13 3 Figure 13 2 VPN Application 13 2 IPSec Architecture The overall IPSec architecture is shown as follows...

Page 168: ...including implementation algorithms The Encryption Algorithm describes the use of encryption techniques such as DES Data Encryption Standard and Triple DES algorithms The Authentication Algorithms HMA...

Page 169: ...transmit it securely A Tunnel mode is required for gateway services to provide access to internal systems Tunnel mode is fundamentally an IP tunnel with authentication and encryption This is the most...

Page 170: ...teway and its destination address is the inbound address of the VPN device at the receiving end When using ESP protocol with authentication the packet contents in this case the entire original packet...

Page 171: ...y authentication sequence integrity replay resistance and non repudiation but not for confidentiality for which the ESP was designed In applications where confidentiality is not required or not sancti...

Page 172: ...ige has to rebuild the VPN tunnel if the My IP Address changes after setup 14 4 Secure Gateway Address Secure Gateway Address is the WAN IP address or domain name of the remote IPSec router secure gat...

Page 173: ...Screen The following figure helps explain the main fields in the web configurator Figure 14 1 IPSec Summary Fields Local and remote IP addresses must be static Click VPN and Setup to open the VPN Summ...

Page 174: ...es Name This field displays the identification name for this VPN policy Active This field displays whether the VPN policy is active or not A Y signifies that this VPN policy is active Local Address Th...

Page 175: ...nels connected to it and they all have keep alive enabled then no other tunnels can take a turn connecting to the Prestige because the Prestige never drops the tunnels that are already connected Check...

Page 176: ...ge E mail Type an e mail address up to 31 characters by which to identify this Prestige The domain name or e mail address that you use in the Content field is used for identification purposes only and...

Page 177: ...il An ID mismatched message displays in the IPSEC LOG Table 14 6 Mismatching ID Type and Content Configuration Example PRESTIGE A PRESTIGE B Local ID type IP Local ID type IP Local ID content 1 1 1 10...

Page 178: ...Prestige 792H User s Guide 14 8 VPN Screens Figure 14 3 VPN IKE...

Page 179: ...elect Tunnel mode or Transport mode from the drop down list box DNS Server for IPSec VPN If there is a private DNS server that services the VPN type its IP address here The Prestige assigns this addit...

Page 180: ...s configured to Subnet this is a subnet mask on the LAN behind your Prestige Remote Remote IP addresses must be static and correspond to the remote IPSec router s configured local IP addresses The rem...

Page 181: ...ess of your computer or leave the field blank to have the Prestige automatically use its own IP address When you select DNS in the Local ID Type field type a domain name up to 31 characters by which t...

Page 182: ...ey Mode field must be set to IKE Security Protocol VPN Protocol Select ESP if you want to use ESP Encapsulation Security Payload The ESP protocol RFC 2406 provides encryption as well as some of the se...

Page 183: ...anagement Back Click Back to return to the previous screen Apply Click Apply to save your changes back to the Prestige Cancel Click Cancel to begin configuring this screen afresh Delete Click Delete t...

Page 184: ...connection through IKE negotiations Main Mode ensures the highest level of security when the communicating parties are negotiating authentication phase 1 It uses 6 messages in three round trips SA neg...

Page 185: ...ta that does not require such security so PFS is disabled None by default in the Prestige Disabling PFS means new authentication and encryption keys are derived from the same root secret which may hav...

Page 186: ...from 0 to 65535 Some of the most common IP ports are 21 FTP 53 DNS 23 Telnet 80 HTTP 25 SMTP 110 POP3 End Enter a port number in this field to define a port range This port number must be greater tha...

Page 187: ...e or to generate and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is more secure t...

Page 188: ...t MD5 for minimal security and SHA 1 for maximum security SA Life Time Seconds Define the length of time before an IKE SA automatically renegotiates in this field It may range from 60 to 3 000 000 sec...

Page 189: ...uniquely identify a particular Security Association SA The SPI is transmitted from the remote VPN gateway to the local VPN gateway The local VPN gateway then uses the network encryption and key value...

Page 190: ...Prestige 792H User s Guide 14 20 VPN Screens Figure 14 6 VPN Manual Key The following table describes the labels in this screen...

Page 191: ...S server allows clients on the VPN to find other computers and servers on the VPN by their private domain names Local Local IP addresses must be static and correspond to the remote IPSec router s conf...

Page 192: ...ter can initiate the VPN Two active SAs can have the same configured local or remote IP address but not both You can configure multiple SAs between the same local and remote IP addresses as long as on...

Page 193: ...can be used to encrypt and decrypt the message or to generate and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a...

Page 194: ...ecurity Association SA is the group of security settings related to a specific VPN tunnel This screen displays active VPN connections Use Refresh to display active VPN connections This screen is read...

Page 195: ...er Name This field displays the identification name for this VPN policy Encapsulation This field displays Tunnel or Transport mode IPSec Algorithm This field displays the security protocols used for a...

Page 196: ...describes the labels in this screen Table 14 11 Global Setting LABEL DESCRIPTION Windows Networking NetBIOS over TCP IP NetBIOS Network Basic Input Output System are TCP or UDP broadcast packets that...

Page 197: ...pen the screen shown next Figure 14 9 VPN Logs The following table describes the labels in this screen Table 14 12 VPN Logs LABEL DESCRIPTION Back Click Back to return to the previous screen Previous...

Page 198: ...to RFC2408 ISAKMP to transmit data Each ISAKMP packet contains payloads of different types that show in the log see Table 14 15 Phase 1 IKE SA process done Phase 1 negotiation is finished Start Phase...

Page 199: ...s The IKE key exchange process fails if this limit is exceeded IKE Packet Retransmit The Prestige did not receive a response from the peer and so retransmits the last packet sent Failed to send IKE Pa...

Page 200: ...e out disconnect If an SA has no packets transmitted for a period of time configurable via CI command the Prestige drops the connection The following table shows RFC 2408 ISAKMP payload types that the...

Page 201: ...C in the figure to use one VPN rule to simultaneously access a Prestige at headquarters HQ in the figure The telecommuters do not have domain names mapped to the WAN IP addresses of their IPSec router...

Page 202: ...Telecommuters can each use a separate VPN rule to simultaneously access a Prestige at headquarters They can use different IPSec parameters The local IP addresses or ranges of addresses of the rules co...

Page 203: ...mutera dydns org Peer ID Type IP Local ID Type IP Peer ID Content 192 168 2 12 Local ID Content 192 168 2 12 Secure Gateway Address telecommuter1 com Local IP Address 192 168 2 12 Remote Address 192 1...

Page 204: ...792H User s Guide 14 34 VPN Screens 14 18VPN and Remote Management If a VPN tunnel uses Telnet FTP WWW SNMP DNS or ICMP then you should configure remote management REMOTE MGNT to allow access for that...

Page 205: ...Remote Management and UPnP V Part V Remote Management and UPnP This part contains Remote Management and UPnP...

Page 206: ......

Page 207: ...er in SMT menu 3 1 LAN or in menu 11 5 WAN is applied to block a Telnet FTP or Web service 2 You have disabled that service in one of the remote management screens 3 The IP address in the Secured Clie...

Page 208: ...do nothing in this timeout period except when it is continuously updating the status in menu 24 1 or when sys stdio has been changed on the command line 15 2 Telnet You can configure your Prestige fo...

Page 209: ...ect the access interface Choices are All LAN Only WAN Only and Disable Port This field shows the port number for the remote management service You may change the port number for a service in this fiel...

Page 210: ......

Page 211: ...UPnP device will allow you to access the information and properties of that device 16 1 2 NAT Transversal UPnP NAT Traversal automates the process of allowing an application to operate through NAT UP...

Page 212: ...llowed on the LAN See later sections for examples of installing UPnP in Windows XP and Windows Me as well as an example of using UPnP in Windows 16 2 Accessing the Prestige Web Configurator to Configu...

Page 213: ...tige so that they can communicate through the Prestige for example by using NAT Transversal UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enab...

Page 214: ...k Add Remove Programs Step 2 Click on the Windows Setup tab and select Communication in the Components selection box Click Details Step 3 In the Communications window select the Universal Plug and Pla...

Page 215: ...nections window click Advanced in the main menu and select Optional Networking Components The Windows Optional Networking Components Wizard window displays Step 4 Select Networking Service in the Comp...

Page 216: ...stalled in Windows XP and UPnP activated on the Prestige Make sure the computer is connected to a LAN port of the Prestige Turn on your computer and the Prestige Auto discover Your UPnP enabled Networ...

Page 217: ...automatically created Step 4 You may edit or delete the port mappings or click Add to manually add port mappings When the UPnP enabled device is disconnected from your computer all port mappings will...

Page 218: ...u can access the web based configurator on the Prestige without finding out the IP address of the Prestige first This comes helpful if you do not know the IP address of the Prestige Follow the steps b...

Page 219: ...led device displays under Local Network Step 5 Right click on the icon for your Prestige and select Invoke The web configurator login screen displays Step 6 Right click on the icon for your Prestige a...

Page 220: ......

Page 221: ...Maintenance VI Part VI Maintenance This part covers the maintenance screens...

Page 222: ......

Page 223: ...c statistics 17 1 Maintenance Overview Use the maintenance screens to view system information upload new firmware manage configuration and restart your Prestige 17 2 System Status Screen Click System...

Page 224: ...Prestige 792H User s Guide 17 2 Maintenance Figure 17 1 System Status The following table describes the labels in this screen...

Page 225: ...Default Gateway This is the IP address of the default gateway if applicable VPI VCI This is the Virtual Path Identifier and Virtual Channel Identifier that you entered in the first Wizard screen LAN I...

Page 226: ...ere includes port status and packet specific statistics Also provided are system up time and poll interval s The Poll Interval s field is configurable Figure 17 2 System Status Show Statistics The fol...

Page 227: ...his shows the port speed and duplex setting TxPkts This field displays the number of packets transmitted on this port RxPkts This field displays the number of packets received on this port Errors This...

Page 228: ...shows current DHCP client information including IP Address Host Name and MAC Address of all network clients using the DHCP server Figure 17 3 DHCP Table The following table describes the labels in thi...

Page 229: ...e Maintenance 17 7 Figure 17 4 Diagnostic 17 4 1 Diagnostic General Screen Click Diagnostic and then General to open the screen shown next Figure 17 5 Diagnostic General The following table describes...

Page 230: ...that you entered Reset System Click this button to reboot the Prestige A warning dialog box is then displayed asking you if you re sure you want to reboot the system Click OK to proceed Back Click th...

Page 231: ...www zyxel com in a file that usually uses the system model name with a bin extension e g Prestige bin The upload process uses HTTP Hypertext Transfer Protocol and may take up to two minutes After a su...

Page 232: ...an upload them Upload Click Upload to begin the upload process This process may take up to two minutes Reset Click this button to clear all user entered configuration information and return the Presti...

Page 233: ...ork Temporarily Disconnected After two minutes log in again and check your new firmware version in the System Status screen If the upload was not successful the following screen will appear Click Back...

Page 234: ......

Page 235: ...overs System Management Terminal configuration for general setup LAN setup wireless LAN setup Internet access remote nodes remote node TCP IP static routing and NAT See the web configurator parts of t...

Page 236: ......

Page 237: ...ER to display the SMT password screen The default password is 1234 18 1 2 Procedure for SMT Configuration via Telnet The following procedure details how to telnet into your Prestige Step 1 In Windows...

Page 238: ...re is no activity for longer than five minutes after you log in your Prestige will automatically log you out Figure 18 1 Login Screen 18 1 4 Prestige SMT Menu Overview The following figure gives you a...

Page 239: ...Mode Menu 24 3 1 System Maintenance View Error Log Menu 24 3 2 System Maintenance UNIX Syslog Menu 24 2 1 System Maintenance Information Menu 24 2 System Information and Console port Speed Menu 24 10...

Page 240: ...e next field You can also use the UP DOWN arrow keys to move to the previous and the next field respectively Entering information Type in or press SPACE BAR then press ENTER You need to fill in two ty...

Page 241: ...estige 15 NAT Setup Use this menu to specify inside servers when NAT is enabled 21 Filter and Firewall Setup Configure filters activate deactivate the firewall and view the firewall log 22 SNMP Config...

Page 242: ...ay Menu 23 System Security Step 2 Enter 1 to display Menu 23 1 System Security Change Password as shown next Step 3 Type your existing system password in the Old Password field for example 1234 and pr...

Page 243: ...00 click Start Settings Control Panel and then double click System Click the Network Identification tab and then the Properties button Note the entry for the Computer name field and enter it as the Pr...

Page 244: ...blank the ISP may assign a domain name via DHCP You can go to menu 24 8 and type sys domainname to see the current domain name used by your gateway If you want to clear this field just press the SPACE...

Page 245: ...PACE BAR to select Yes and then press ENTER to make dynamic DNS active Yes Host Enter the domain name assigned to your Prestige by your Dynamic DNS provider me dyndns org EMAIL Enter your e mail addre...

Page 246: ......

Page 247: ...pes of G SHDSL service If you are unsure of any of this information please check with your telephone company 20 2 WAN Setup Screen From the main menu enter 2 to open menu 2 Figure 20 1 WAN Setup Menu...

Page 248: ...er Max Rate 2312 Kbps Press SPACE BAR to select a Transfer Max Rate greater than or equal to the Transfer Min Rate and press ENTER to continue Transfer Min Rate 2312 Kbps Press SPACE BAR to select a T...

Page 249: ...uide for the Hardware Installation chapter then configure 1 Menu 2 WAN Setup 2 Menu 2 1 Advanced WAN Setup and 3 Menu 11 1 Remote Node Profile Backup ISP as shown next 21 1 1 Configuring Dial Backup i...

Page 250: ...device connected to your Dial Backup port for specific AT commands at fs0 0 Edit Advanced Setup To edit the advanced setup for the Dial Backup port move the cursor to this field press the SPACE BAR to...

Page 251: ...erminal Ready signal is dropped after the AT Command String Drop is sent out Yes AT Response String CLID Calling Line Identification Enter the keyword that precedes the CLID Calling Line Identificatio...

Page 252: ...no answer phone number before blacklisting the number 0 to disable the blacklist control Retry Interval sec Enter a number of seconds for the Prestige to wait before trying another call after a call...

Page 253: ...y Password Enter the password assigned by your ISP for this remote node Authen This field sets the authentication protocol used for outgoing calls Options for this field are CHAP PAP Your Prestige wil...

Page 254: ...2 2 for more information No default Telco Option Allocated Budget Enter the maximum number of minutes that this remote node may be called within the time period configured in the Period field The def...

Page 255: ...shown next Figure 21 4 Menu 11 2 Remote Node PPP Options This table describes the Remote Node PPP Options menu and contains instructions on how to configure the PPP options fields Figure 21 5 Remote...

Page 256: ...ask here if you know it static 0 0 0 0 default My WAN Addr Leave the field set to 0 0 0 0 to have the ISP or other remote router dynamically automatically assign your WAN IP address if you do not know...

Page 257: ...version 1 IGMP v1 and version 2 IGMP v2 Press the SPACE BAR to enable IP Multicasting or select None to disable it See the LAN Setup chapter for more information on this feature None default Once you...

Page 258: ...Dial Backup Figure 21 7 Menu 11 5 Remote Node Filter Ethernet Menu 11 5 Remote Node Filter Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Enter h...

Page 259: ...open Menu 3 1 LAN Port Filter Setup Use this menu to specify filter set s that you want to apply to Ethernet traffic You seldom need to filter Ethernet traffic however the filter sets may be useful fo...

Page 260: ...nu 3 2 1 IP Alias Setup as shown next Menu 3 2 TCP IP and DHCP Setup DHCP Setup DHCP Server Client IP Pool Starting Address 192 168 1 33 Size of Client IP Pool 32 Primary DNS Server 0 0 0 0 Secondary...

Page 261: ...BAR to select the RIP direction Choices are None Both In Only or Out Only None Version Press SPACE BAR to select the RIP version Choices are RIP 1 RIP 2B or RIP 2M RIP 1 Incoming Protocol Filters Ent...

Page 262: ...t Person s Name Domain Name Edit Dynamic DNS No Route IP Yes Bridge No Press ENTER to Confirm or ESC to Cancel Menu 3 2 TCP IP and DHCP Ethernet Setup DHCP Setup DHCP Server Client IP Pool Starting Ad...

Page 263: ...ddress pool 192 168 1 33 Size of Client IP Pool This field specifies the size or count of the IP address pool 32 Primary DNS Server Secondary DNS Server Enter the IP addresses of the DNS servers The D...

Page 264: ...Multicasting or select None to disable it None default IP Policies Create policies using SMT menu 25 see the IP Policy Routing chapter and apply them on the Prestige LAN interface here You can apply...

Page 265: ...mation in one screen Menu 4 is actually a simplified setup for one of the remote nodes that you can access in Menu 11 From the main menu type 4 to display Menu 4 Internet Access Setup as shown next Fi...

Page 266: ...mail Select VBR Variable Bit Rate for bursty traffic and bandwidth sharing with other applications UBR Peak Cell Rate PCR This is the maximum rate at which the sender can send cells Type the PCR 0 Su...

Page 267: ...PACE BAR to select None SUA Only or Full Feature Please see the NAT Chapter for more details on the SUA Single User Account feature SUA Only Address Mapping Set Type the numbers of mapping sets 1 8 to...

Page 268: ......

Page 269: ...Advanced Applications VIII P Pa ar rt t V VI II II I Advanced Applications This part shows how to configure Remote Nodes Static Routes Bridging and NAT...

Page 270: ......

Page 271: ...ou use Menu 4 to set up Internet access you are configuring one of the remote nodes You first choose a remote node in Menu 11 Remote Node Setup You can then edit that node s profile in menu 11 1 as we...

Page 272: ...cation Scenario 1 One VC Multiple Protocols PPPoA RFC 2364 encapsulation with VC based multiplexing is the best combination because no extra protocol identifying headers are needed The PPP protocol al...

Page 273: ...P Multiplexing Press SPACE BAR and then ENTER to select the method of multiplexing that your ISP uses either VC based or LLC based LLC based Service Name When using PPPoE encapsulation type the name o...

Page 274: ...te This field determines the protocol used in routing Options are IP and None IP Bridge When bridging is enabled your Prestige will forward any packet that it does not route to this remote node otherw...

Page 275: ...See the Remote Node Filter section for more details No default Idle Timeout sec Type the number of seconds 0 9999 that can elapse when the Prestige is idle there is no traffic going to the remote nod...

Page 276: ...Rem Subnet Mask Type the subnet mask assigned to the remote node My WAN Addr Some implementations especially UNIX derivatives require separate IP network numbers for the WAN and LAN links and each en...

Page 277: ...ber need not be precise but it must be between 1 and 15 In practice 2 or 3 is usually a good number 2 Private This determines if the Prestige will include the route to this remote node in its RIP broa...

Page 278: ...1 then press SPACE BAR to select Yes Press ENTER to display Menu 11 5 Remote Node Filter Use Menu 11 5 Remote Node Filter to specify the filter set s to apply to the incoming and outgoing traffic bet...

Page 279: ...open Menu 11 6 Remote Node ATM Layer Options There are two versions of Menu 11 6 for the Prestige depending on whether you chose VC based or LLC based multiplexing and PPP either PPPoA or PPPoE encap...

Page 280: ...header Figure 24 8 Menu 11 6 for LLC based Multiplexing or PPP Encapsulation Menu 11 6 Remote Node ATM Layer Options VPI VCI VC Multiplexing VC Options for IP VC Options for Bridge VPI 0 VPI N A VCI...

Page 281: ...ode Configuration 24 11 In this case only one set of VPI and VCI numbers need be specified for all protocols The valid range for the VPI is 0 to 255 and for the VCI is 32 to 65535 1 to 31 is reserved...

Page 282: ......

Page 283: ...connected to a remote node Each remote node specifies only the network to which the gateway is directly connected and the Prestige has no knowledge of the networks beyond For instance the Prestige kn...

Page 284: ...P Static Route Setup as shown next Figure 25 3 IP Static Route Setup Now type the index number of one of the static routes you want to configure Menu 12 Static Route Setup 1 IP Static Route 3 Bridge S...

Page 285: ...the LAN the gateway must be a router on the same segment as your Prestige over WAN the gateway must be the IP address of one of the remote nodes Metric Metric represents the cost of transmission for r...

Page 286: ......

Page 287: ...on bridging unless you need to support protocols other than IP on your network For IP enable the routing if you need it do not bridge what the Prestige can route 26 2 Bridge Ethernet Setup Basically a...

Page 288: ...up When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the previous screen 26 2 2 Brid...

Page 289: ...dicates whether the static route is active Yes or not No Ether Address Type the MAC address of the destination computer that you want to bridge the packets to IP Address If available type the IP addre...

Page 290: ...e 26 4 Bridging Setup FIELD DESCRIPTION When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go bac...

Page 291: ...rts Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types 1 Choose SUA Only if you have just one public WAN IP address for...

Page 292: ...in menu 11 1 Step 1 Enter 11 from the main menu and choose a node number Step 2 Move the cursor to the Edit IP IPX Bridge field press SPACE BAR to select Yes and then press ENTER to bring up Menu 11 3...

Page 293: ...address for your Prestige SUA Only 27 3 NAT Setup Use the Address Mapping Sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN You can see two NA...

Page 294: ...nged Figure 27 5 Address Mapping Rules SUA Table 27 2 Address Mapping Rules SUA FIELD DESCRIPTION EXAMPLE Set Name This is the name of the set you selected in menu 15 1 or enter the name of a new set...

Page 295: ...GA Type These are the mapping types discussed above Server allows us to specify multiple servers of different types behind NAT to this machine See later for some examples Server When you have complete...

Page 296: ...ured rule will be pushed up by that number of empty rules For example if you have already configured rules 1 to 6 in your current set and now you configure rule number 9 In the set summary screen the...

Page 297: ...it Insert Before or Delete in the previous field the cursor jumps to this field to allow you to select the rule to apply the action in question 1 You must press ENTER at the bottom of the screen to sa...

Page 298: ...his field is N A for One to One and Server types N A Global IP Start This is the starting global IP address IGA If you have a dynamic IP enter 0 0 0 0 as the Global IP Start Note that Global IP Start...

Page 299: ...etup Step 2 Enter 2 to display Menu 15 2 NAT Server Sets as shown next Figure 27 8 NAT Server Sets Step 3 Enter 1 to go to Menu 15 2 NAT Server Setup as follows Menu 15 2 NAT Server Sets 1 Server Set...

Page 300: ...ollowing figure you have a computer acting as an FTP Telnet and SMTP server ports 21 23 and 25 at 192 168 1 33 Step 6 Press ENTER at the Press ENTER to confirm prompt to save your configuration after...

Page 301: ...al NAT Examples This section provides some examples with Network Address Translation 27 4 1 Example 1 Internet Access Only In the following Internet access example you only need one rule where your IL...

Page 302: ...tup ISP s Name ChangeMe Encapsulation RFC 1483 Multiplexing LLC based VPI 1 VCI 1 ATM QoS Type UBR Peak Cell Rate PCR 5500 Sustained Cell Rate SCR 0 Maximum Burst Size MBS 0 My Login N A My Password N...

Page 303: ...ad only option from the Network Address Translation field in menus 4 and 11 3 is specifically pre configured to handle this case 27 4 2 Example 2 Internet Access with an Inside Server Figure 27 13 NAT...

Page 304: ...e first inside FTP server for FTP traffic in both directions 1 1 mapping giving both local and global IP addresses Rule 2 Map the second IGA to our second inside FTP server for FTP traffic in both dir...

Page 305: ...menu Step 3 Enter 1 to configure the Address Mapping Sets Step 4 Enter 1 to begin configuring this new set Enter a Set Name choose the Edit Action and then enter 1 for the Select Rule field Press ENT...

Page 306: ...u 15 1 1 should look as follows Figure 27 18 Example 3 Final Menu 15 1 1 Menu 15 1 1 1 Address Mapping Rule Type One to One Local IP Start 192 168 1 10 End N A Global IP Start 10 132 50 1 End N A Serv...

Page 307: ...ure the IGA3 to map to our web server and mail server on the LAN Step 8 Enter 15 from the main menu Step 9 Enter 2 in Menu 15 NAT Setup Step 10 Enter 1 in Menu 15 2 NAT Server Sets and enter 1 again t...

Page 308: ...apping as port numbers do not change for Many to Many No Overload and One to One NAT mapping types The following figure illustrates this Figure 27 20 NAT Example 4 Menu 15 2 NAT Server Setup Rule Star...

Page 309: ...rload mapping types Follow the steps outlined in example 3 to configure these two menus as follows Figure 27 21 Example 4 Menu 15 1 1 1 After you ve configured your rule you should be able to check th...

Page 310: ...1 1 Menu 15 1 1 Address Mapping Rules Set Name Example4 Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 192 168 1 10 192 168 1 12 10 132 50 1 10 132 50 3 M M NO OV 2 3 4 5 6 7 8 9...

Page 311: ...Advanced Management IX Part IX Advanced Management This part discusses Filter Configuration SNMP System Maintenance and IP Policy Routing Call Scheduling and Remote Management...

Page 312: ......

Page 313: ...are divided into incoming and outgoing filters depending on the direction of the packet relative to a port Data filtering can be applied on either the WAN side or the Ethernet side Call filtering is...

Page 314: ...s that follow The following figure illustrates the logic flow when executing a filter rule Data Outgoing Packet Drop packet Built in default Call Filters User defined Call Filters if applicable Initia...

Page 315: ...ch Next Filter Set Next Filter Set Available Accept Packet Drop Packet Yes No Yes No Yes Packet intoFilter Filter Set Forward Drop No Check Next Rule Figure 28 2 Filter Rule Process You can apply up t...

Page 316: ...ckets Because each filter set can have up to 6 rules you can have a maximum of 24 rules active for a single port 28 2 Filter Set Configuration To configure a filter set follow the procedures indicated...

Page 317: ...ummary Menu 21 1 Filter Rules Summary A Type Filter Rules M m n 1 Y IP Pr 6 SA 0 0 0 0 DA 0 0 0 0 DP 137 N D N 2 Y IP Pr 6 SA 0 0 0 0 DA 0 0 0 0 DP 138 N D N 3 Y IP Pr 6 SA 0 0 0 0 DA 0 0 0 0 DP 139 N...

Page 318: ...es Summary A Type Filter Rules M m n 1 Y IP Pr 6 SA 0 0 0 0 DA 0 0 0 0 DP 23 N D F 2 N 3 N 4 N 5 N 6 N Enter Filter Rule Number 1 6 to Configure Menu 21 4 Filter Rules Summary A Type Filter Rules M m...

Page 319: ...s Summary A Type Filter Rules M m n 1 Y IP PR 6 SA 0 0 0 0 DA 0 0 0 0 DP 21 N D F 2 N 3 N 4 N 5 N 6 N Enter Filter Rule Number 1 6 to Configure Menu 21 11 Filter Rules Summary A Type Filter Rules M m...

Page 320: ...le chain with the present rule An action cannot be taken until the rule chain is complete N means there are no more rules to check You can specify an action to be taken for instance forward the packet...

Page 321: ...Filter Rules Summary and press ENTER to open menu 21 1 1 for the rule There are two types of filter rules TCP IP and Generic Depending on the type of rule the parameters for each type will be differen...

Page 322: ...r instance 2 3 refers to the second filter set and the third filter rule of that set 1 1 Filter Type Use SPACE BAR and then ENTER to choose a rule Parameters displayed for each type will be different...

Page 323: ...Comp Select the comparison to apply to the destination port in the packet against the value given in Destination Port Choices are None Less Greater Equal or Not Equal None Source IP Addr Type the sou...

Page 324: ...Both All packets will be logged None Action Matched Select the action for a matching packet Choices are Check Next Rule Forward or Drop Check Next Rule default Action Not Matched Select the action for...

Page 325: ...ive Check IP Protocol Drop Drop Packet Accept Packet Drop Forward Check Next Rule Check Next Rule Check Next Rule Forward Not Matched Yes No Check Src IP Addr Apply SrcAddrMask to Src Addr Matched Che...

Page 326: ...the Value to determine a match The Mask and Value fields are specified in hexadecimal numbers Note that it takes two hexadecimal digits to represent a byte so if the length is 4 the value in either f...

Page 327: ...he data portion before comparison Value Type the value in Hexadecimal to compare with the data portion More If Yes a matching packet is passed to the next filter rule before an action is taken or else...

Page 328: ...xact address and port on the wire Therefore the Prestige applies the protocol filters to the native IP address and port number before NAT for outgoing packets and after NAT for incoming packets On the...

Page 329: ...21 Filter Set Configuration Step 2 Enter the index number of the filter set you want to configure in this case 3 Step 3 Type a descriptive name or comment in the Edit Comments field for example TELNE...

Page 330: ...s Summary A Type Filter Rules M m n 1 Y IP Pr 6 SA 0 0 0 0 DA 0 0 0 0 DP 23 N D F 2 N 3 N 4 N 5 N 6 N Enter Filter Rule Number 1 6 to Configure 1 M N means an action can be taken immediately The actio...

Page 331: ...b No More No Log None Action Matched Drop Action Not Matched Forward Press ENTER to Confirm or ESC to Cancel Press SPACE BAR to choose this filter rule type The first filter rule type determines all s...

Page 332: ...or device filter rules See earlier in this chapter for information on filters Output Filter Sets Apply filters for traffic leaving the Prestige You may apply filter rules for protocol or device filte...

Page 333: ...inserted in the protocol filters field under Call Filter Sets in menu 11 5 to block local NetBIOS traffic from triggering calls to the ISP Figure 28 20 Filtering Remote Node Traffic Note that call fil...

Page 334: ......

Page 335: ...ocol used for exchanging management information between network devices SNMP is a member of TCP IP protocol suite Your Prestige supports SNMP agent functionality which allows a manager station to mana...

Page 336: ...anager issues a request and the agent returns responses using the following protocol operations Get Allows the manager to retrieve an object variable from the agent GetNext Allows the manager to retri...

Page 337: ...ess of source 0 0 0 0 Trap Community Type the trap community which is the password sent with each trap to the SNMP manager public Destination Type the IP address of the station to send your SNMP traps...

Page 338: ...1215 A trap is sent with the port number 4 authenticationFailure defined in RFC 1215 A trap is sent to the manager when receiving any SNMP get or set requirements with wrong community password 6 linkD...

Page 339: ...is a tool that can be used to monitor your Prestige Specifically it gives you information on your ADSL telephone line status number of packets sent and received To get to System Status type 24 to go...

Page 340: ...has been connected to the current remote node My WAN IP from ISP The IP address of the ISP remote node Ethernet Shows statistics for the LAN Status Shows the current status of the LAN Tx Pkts The num...

Page 341: ...Speed Shows the downstream transfer rate in kbps CPU Load Specifies the percentage of CPU utilization 30 3 System Information To get to the System Information Step 1 Enter 24 to display Menu 24 System...

Page 342: ...ersion Standard This refers to the operational protocol the Prestige and the DSLAM Digital Subscriber Line Access Multiplexer are using LAN Ethernet Address Refers to the Ethernet MAC Media Access Con...

Page 343: ...Log and Trace There are two logging facilities in the Prestige The first is the error logs and trace records that are stored locally The second is the UNIX syslog facility for message logging 30 4 1...

Page 344: ...tenance UNIX Syslog as shown next Figure 30 8 System Maintenance Syslog and Accounting You need to configure the UNIX syslog parameters described in the following table to activate syslog then choose...

Page 345: ...ng board xx line xx channel xx call xx str board the hardware board ID line the WAN ID in a board Channel channel ID within the WAN call the call reference number which starts from 1 and increments by...

Page 346: ...192 168 102 2 ZYXEL IP Src 192 168 102 20 Dst 202 132 154 1 UDP spo 05d4 dpo 0035 S03 R01mF 4 PPP Log SdcmdSyslogSend SYSLOG_PPPLOG SYSLOG_NOTICE String String ppp Proto Starting ppp Proto Opening pp...

Page 347: ...FIELD DESCRIPTION Reset xDSL Re initialize the xDSL link to the telephone company Ping Host Ping the host to see if the links and TCP IP protocol on both systems are working Reboot System Reboot the...

Page 348: ......

Page 349: ...firmware bin ras This is a sample FTP session showing the transfer of the computer file firmware bin to the Prestige ftp get rom 0 config cfg This is a sample FTP session saving the current configurat...

Page 350: ...ad files in menus 24 5 24 6 24 7 1 and 24 7 2 depending on whether you use the console port or Telnet Option 5 from Menu 24 System Maintenance allows you to backup the current Prestige configuration t...

Page 351: ...configuration file on the Prestige to your computer and renames it config rom See earlier in this chapter for more information on filename conventions Step 7 Enter quit to exit the ftp prompt 31 2 3...

Page 352: ...sfer files in either ASCII plain text format or in binary mode Initial Remote Directory Specify the default remote directory path Initial Local Directory Specify the default local directory path 31 2...

Page 353: ...lt when the file transfer is complete Step 4 Launch the TFTP client on your computer and connect to the Prestige Set the transfer mode to binary before starting data transfer Step 5 Use the TFTP clien...

Page 354: ...onfiguration file is rom 0 Binary Transfer the file in binary mode Abort Stop transfer of the file Refer to section 31 2 5 to read about configurations that disallow TFTP and FTP over WAN 31 2 9 Backu...

Page 355: ...his function erases the current configuration before restoring a previous back up configuration please do not attempt to restore unless you have a backup configuration file stored on disk FTP is the p...

Page 356: ...puter to the Prestige See earlier in this chapter for more information on filename conventions Step 8 Enter quit to exit the ftp prompt The Prestige will automatically restart after a successful resto...

Page 357: ...menu 24 6 and enter y at the following screen Figure 31 9 System Maintenance Restore Configuration Step 2 The following screen indicates that the Xmodem download has started Figure 31 10 System Maint...

Page 358: ...revious Restore Configuration section or by following the instructions in Menu 24 7 2 System Maintenance Upload System Configuration File for console port WARNING DO NOT INTERRUPT THE FILE TRANSFER PR...

Page 359: ...r the upload system configuration file process is complete For details on FTP commands please consult the documentation of your FTP client program For details on uploading system firmware using TFTP n...

Page 360: ...onfiguration file on the Prestige to your computer and renames it config rom See earlier in this chapter for more information on filename conventions Step 7 Enter quit to exit the ftp prompt The Prest...

Page 361: ...ve and the Prestige in CI mode before and during the TFTP transfer For details on TFTP commands see following example please consult the documentation of your TFTP client program For UNIX use get to t...

Page 362: ...ld be similar 31 4 9 Example Xmodem Firmware Upload Using HyperTerminal Click Transfer then Send File to display the following screen Figure 31 17 Example Xmodem Upload After the configuration upload...

Page 363: ...4 11 Example Xmodem Configuration Upload Using HyperTerminal Click Transfer then Send File to display the following screen Menu 24 7 2 System Maintenance Upload System Configuration File To upload sy...

Page 364: ...File Maintenance Figure 31 19 Example Xmodem Upload After the configuration upload process has completed restart the Prestige by entering atgo Type the configuration file s location or click Browse t...

Page 365: ...SMT by selecting menu 24 8 See the included disk or the zyxel com web site for more detailed information on CI commands Enter 8 from Menu 24 System Maintenance A list of valid commands can be found by...

Page 366: ...be dropped and any future outgoing calls will be blocked To access the call control menu select option 9 in menu 24 to go to Menu 24 9 System Maintenance Call Control as shown in the next table Figure...

Page 367: ...ion is selected Table 32 1 Budget Management FIELD DESCRIPTION EXAMPLE Remote Node Enter the index number of the remote node you want to reset just one in this case 1 Connection Time Total Budget This...

Page 368: ...enance Time and Date Setting to update the time and date settings of your Prestige as shown in the following screen Figure 32 6 System Maintenance Time and Date Setting Menu 24 10 System Maintenance T...

Page 369: ...ure of this information Current Time This field displays an updated time only when you reenter this menu New Time Enter the new time in hour minute and second format Current Date This field displays a...

Page 370: ......

Page 371: ...the network to enable the backbone to prioritize traffic Cost Savings IPPR allows organizations to distribute interactive traffic on high bandwidth high cost paths while using low cost paths for batc...

Page 372: ...x of the policy set you want to configure to open Menu 25 1 IP Routing Policy Setup Menu 25 1 shows the summary of a policy set including the criteria and the action of a single policy and whether a p...

Page 373: ...P 6 T NM PR 0 GW 192 168 1 1 T MT PR 0 2 N __________________________________________________________________________ __________________________________________________________________________ 3 N __...

Page 374: ...rom Don t Care Normal Min Delay Max Thruput Min Cost or Max Reliable Precedence Precedence value of the incoming packet Press SPACE BAR and then ENTER to select a value from 0 to 7 or Don t Care Packe...

Page 375: ...t be the IP address of a remote node The default gateway is specified as 0 0 0 0 Type of Service Set the new TOS value of the outgoing packet Prioritize incoming network traffic by choosing No Change...

Page 376: ...0 0 Rem Subnet Mask 0 0 0 0 My WAN Addr 0 0 0 0 NAT Full Feature Address Mapping Set 2 Metric 2 Private No RIP Direction Both Version RIP 2B Multicast IGMP v2 IP Policies 2 4 7 9 Press ENTER to Confi...

Page 377: ...ets to a remote network using another policy See the next figure Figure 33 6 Example of IP Policy Routing To force Web packets coming from clients with IP addresses of 192 168 1 33 to 192 168 1 64 to...

Page 378: ...h protocol TCP and port FTP access through another gateway 192 168 1 100 Menu 25 1 1 IP Routing Policy Policy Set Name set1 Active Yes Criteria IP Protocol 6 Type of Service Don t Care Packet length 1...

Page 379: ...er N A TCP IP Setup IP Address 192 168 1 1 IP Subnet Mask 255 255 255 0 RIP Direction Both Version RIP 1 Multicast None IP Policies 1 2 Edit IP Alias No Press ENTER to Confirm or ESC to Cancel Press S...

Page 380: ......

Page 381: ...le Setup as shown next Figure 34 1 Schedule Setup Lower numbered sets take precedence over higher numbered sets thereby avoiding scheduling conflicts For example if sets 1 2 3 and 4 in are applied in...

Page 382: ...be triggered up until the end of the Duration Table 34 1 Schedule Set Setup FIELD DESCRIPTION EXAMPLE Active Press SPACE BAR to select Yes or No Choose Yes and press ENTER to activate the schedule set...

Page 383: ...ct in hour minute format 09 00 Duration Enter the maximum length of time this connection is allowed in hour minute format 08 00 Action Forced On means that the connection is maintained whether or not...

Page 384: ...ofile Rem Node Name Route IP Active Yes Bridge No Encapsulation PPPoE Edit IP Bridge No Multiplexing VC based Edit ATM Options No Service Name Telco Option Incoming Allocated Budget min 0 Rem Login Pe...

Page 385: ...rnet WAN only the LAN only All LAN and WAN or Disable neither WAN only Internet ALL LAN and WAN LAN only Disable Neither If you enable remote management of a service but have applied a filter to block...

Page 386: ...Web Server Each of these read only labels denotes a service that you may use to remotely manage the Prestige Server Port This field shows the port number for the remote management service You may chan...

Page 387: ...tch the client IP address If it does not match the Prestige will disconnect the session immediately 4 There is already another remote management session of the same type Telnet FTP or Web running You...

Page 388: ......

Page 389: ...GEN This part provides information about configuring VPN IPSec for secure communications and Internal SPTGEN for configuration of multiple Prestiges See the web configurator parts of this guide for ba...

Page 390: ......

Page 391: ...ain submenus 1 Define VPN policies in menu 27 1 submenus including security policies endpoint IP addresses peer IPSec router IP address and key management 2 Menu 27 2 SA Monitor allows you to manage r...

Page 392: ...1 IPSec Summary FIELD DESCRIPTION EXAMPLE This is the VPN policy index number 1 Menu 27 1 IPSec Summary Name A Local Addr Start Addr End Mask Encap IPSec Algorithm Key Mgt Remote Addr Start Addr End M...

Page 393: ...nge this is the end static IP address in a range of computers on the LAN behind your Prestige When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to SUBNET this is a subnet mask on the L...

Page 394: ...cure Gateway Addr field in SMT 27 1 1 to 0 0 0 0 172 16 2 40 Remote Addr End When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to Single this is the same static IP address as in the Re...

Page 395: ...n a VPN rule is deleted subsequent rules do not move up in the page list Use Go To Rule to view the page where your desired rule is listed Select Next Page or Previous Page to view the next or previou...

Page 396: ...tige automatically re initiate the SA after the SA lifetime times out even if there is no traffic The remote IPSec router must also have keep alive enabled in order for this feature to work No Local I...

Page 397: ...IP address changes 0 0 0 0 Peer ID type Press SPACE BAR to choose IP DNS or E mail and press ENTER Select IP to identify the remote IPSec router by its IP address Select DNS to identify the remote IPS...

Page 398: ...ame configured local or remote IP address but not both You can configure multiple SAs between the same local and remote IP addresses as long as only one is active at any time In order to have more tha...

Page 399: ...A Remote Remote IP addresses must be static and correspond to the remote IPSec router s configured local IP addresses The remote fields are N A when the Secure Gateway Address field is configured to 0...

Page 400: ...mber must be greater than that specified in the previous field This field is N A when 0 is configured in the Port Start field Enable Replay Detection As a VPN setup is processing intensive the system...

Page 401: ...the same negotiation mode Main PSK Pre Shared Key Prestige gateways authenticate an IKE VPN session by matching pre shared keys Pre shared keys are best for small networks with fewer than ten nodes En...

Page 402: ...renegotiates in this field It may range from 60 to 3 000 000 seconds almost 35 days A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication...

Page 403: ...your configuration or press ESC at any time to cancel 36 5 Manual Setup You only configure Menu 27 1 1 2 Manual Setup when you select Manual in the Key Management field in Menu 27 1 1 IPSec Setup Manu...

Page 404: ...oose DES and fill in fields Key1 to Key3 when you choose 3DES Select NULL to set up a tunnel without encryption When you select NULL you do not enter any encryption keys DES Key1 Enter a unique eight...

Page 405: ...789a bcde AH Setup The AH Setup fields are N A if you chose an ESP Active Protocol SPI Decimal Type a number base 10 from 1 to 999999 for the Security Parameter Index N A Authentication Algorithm Pres...

Page 406: ......

Page 407: ...A lifetime period expires See the Web Configurator User s Guide on keep alive to have the Prestige renegotiate an IPSec SA when the SA lifetime expires even if there is no traffic 37 2 Using SA Monito...

Page 408: ...bit DES and 168 bit 3DES NULL denotes a tunnel without encryption An incoming SA may have an AH in addition to ESP The Authentication Header provides strong integrity and authentication by adding auth...

Page 409: ...1 Jan 08 02 22 Send SA 003 01 Jan 08 02 22 Recv SA 004 01 Jan 08 02 24 Send KE NONCE 005 01 Jan 08 02 24 Recv KE NONCE 006 01 Jan 08 02 26 Send ID HASH 007 01 Jan 08 02 26 Recv ID HASH 008 01 Jan 08 0...

Page 410: ......

Page 411: ...ve and upload multiple menus at the same time using just one configuration text file eliminating the need to navigate and configure individual SMT menus for each Prestige 38 2 The Configuration Text F...

Page 412: ...0 or 1 in the Input column of Field Identification Number 1000000 refer to Figure 38 1 Menu 1 General Setup 10000000 Configured 0 No 1 Yes 1 10000001 System Name Str Prestige 10000002 Location Str 100...

Page 413: ...2 02 2 22 2001 13 33 11 RAM Size 8192 Kbytes FLASH Intel 8M 2 Please wait for the system to write SPT text file ROM t Bootbase Version V2 02 2 22 2001 13 33 11 RAM Size 8192 Kbytes FLASH Intel 8M 2 c...

Page 414: ...0 ready at Sat Jan 1 03 22 12 2000 User 192 168 1 1 none 331 Enter PASS command Password 230 Logged in ftp bin 200 Type I OK ftp put rom t ftp bye 1 Launch your FTP application 2 Enter bin The comman...

Page 415: ...XI Part XI Appendices and Index This section provides some Appendices and an Index...

Page 416: ......

Page 417: ...l emulation 9600 bps is the default speed on leaving the factory Try other speeds in case the speed has been changed I cannot access the Prestige via the console port 2 Make sure the communications pr...

Page 418: ...word field in Menu 4 Internet Access Setup I cannot connect to a remote node or ISP Check menu 4 or menu 11 1 to verify the Encapsulation for the remote node Problems with Internet Access Table A 4 Tr...

Page 419: ...he User s Guide for details Problems with Telnet Table A 6 Troubleshooting Telnet PROBLEM CORRECTIVE ACTION Refer to the Remote Management Limitations section for scenarios when remote management may...

Page 420: ......

Page 421: ...similar to dial up services using PPP Benefits of PPPoE PPPoE offers the following benefits 1 It provides you with a familiar dial up networking DUN user interface 2 It lessens the burden on the carr...

Page 422: ...mes to the Access Concentrator AC Between the AC and an ISP the AC is acting as a L2TP Layer 2 Tunneling Protocol LAC L2TP Access Concentrator and tunnels the PPP frames to the ISP The L2TP tunnel is...

Page 423: ...PPoE Client When using the Prestige as a PPPoE client the PCs on the LAN see only Ethernet and are not aware of PPPoE This alleviates the administrator from having to manage the PPPoE clients on the i...

Page 424: ......

Page 425: ...en circuit end points Diagram C 1 Virtual Circuit Topology Think of a virtual path as a cable that contains a bundle of wires The cable connects two points and wires within the cable provide individua...

Page 426: ......

Page 427: ...used only over the short haul between the PC and the modem over Ethernet For the rest of the connection the PPP frames are transported with PPP over AAL5 RFC 2364 The PPP connection however is still b...

Page 428: ...F Cisco s Layer 2 Forwarding Conceptually there are three parties in PPTP namely the PNS PPTP Network Server the PAC PPTP Access Concentrator and the PPTP user The PNS is the box that hosts both the P...

Page 429: ...ection supports multiple call sessions The following diagram depicts the message exchange of a successful call setup between a PC and an ANT Diagram D 3 Example Message Exchange between PC and an ANT...

Page 430: ......

Page 431: ...Attack 8 6 Budget Management 32 2 32 3 C Call Back Delay 21 4 Call Filtering 28 1 Call Filters Built In 28 1 User Defined 28 1 Call Scheduling 34 1 Maximum Number of Schedule Sets 34 1 PPPoE 34 3 Prec...

Page 432: ...ges Sample 30 6 Ethernet 22 1 Ethernet Encapsulation 6 5 Ethernet Traffic 28 21 Ethernet 802 3 bridged 1 5 F Factory LAN Defaults 4 3 FCC iii Features 1 1 Filename Conventions 31 1 Filter 21 9 28 1 Ap...

Page 433: ...4 4 IGMP support 24 7 IKE Setup 36 11 Industry Canada iv Install UPnP 16 3 Windows Me 16 4 Windows XP 16 5 Installation Ease 1 4 Interactive Applications 33 1 Internal SPTGEN 38 1 FTP Download Exampl...

Page 434: ...address 26 3 Main Menu 18 4 Management Information Base MIB 29 2 Max incomplete High 9 4 Max incomplete Low 9 4 MBS See Maximum Burst Size Media Access Control 26 1 Message Logging 30 5 Metric 5 1 21...

Page 435: ...28 11 Protocol Filter Rules 28 16 Protocols Supported 1 3 PSK 36 11 Q Quality of Service 33 1 Quick Start Guide 2 1 16 2 R RAS 30 4 33 2 Rate Receiving 30 2 Transmission 30 2 Read Me First xxix Relate...

Page 436: ...2 Source Based Routing 33 1 Speed 1 1 SPI 36 13 Stateful Inspection 1 2 8 1 8 2 8 7 8 8 Prestige 8 9 Process 8 8 Static Routing Topology 25 1 SUA 1 3 6 5 6 6 SUA Single User Account See NAT Subnet Mas...

Page 437: ...U UDP ICMP Security 8 10 Universal Plug and Play 16 1 Application 16 1 Security issues 16 1 Universal Plug and Play Forum 16 2 UNIX Syslog 30 5 30 7 UNIX syslog parameters 30 6 Upload Firmware 31 10 U...

Reviews:

No comments

Related manuals for Prestige 792H

Brand: Ursalink Pages: 23

Brand: Handlink Technologies Pages: 156

RAK7243 Pilot Gateway Pro

Brand: RAKwireless Pages: 18

Brand: LOYTEC Pages: 150

Brand: RTA Pages: 73

Brand: Iget Pages: 12

Brand: Wiznet Pages: 41

Brand: HID Pages: 38

Brand: Sencore Pages: 37

AirLink PinPoint X

Brand: Sierra Wireless Pages: 62

Brand: NetModule Pages: 223

ThingPark Partner

Brand: Actility Pages: 4

Optimizer Voice

Brand: RedPort Pages: 18

Brand: Hitron Pages: 124

Brand: Davolink Pages: 105

Brand: Vantron Pages: 98

OfficeConnect 3C100XF

Brand: 3Com Pages: 260

SenzaGate SG151lite

Brand: E-Senza Pages: 28

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands