Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual

Connecting the FVL328 to the Internet

3-15

M-10144-01

How to Complete a Manual Configuration

Manually configure the firewall in the Basic Settings menu using these steps:

1. Answer the question, “Does Your Internet Connection Require a Login?”

Select Yes if you normally must launch a login program such as Enternet or WinPOET in order to access the Internet.

Note: If you are a Telstra BigPond cable modem customer, or if you are in an area such as Austria that uses PPTP, login is required. Select Yes, then select BigPond or PPTP from the Internet Service Type drop-down box.

Select No if you do not log in to establish your Internet connection.

2. If you selected Yes, follow the instructions below. If your Internet connection does not require a login, skip to step 3.

Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP’s services such as mail or news servers. These fields are case sensitive.

If you want to change the login timeout, enter a new value in minutes. This Idle Timeout determines how long the firewall keeps the Internet connection active after there is no Internet activity from the LAN. Entering an Idle Timeout value of zero means never log out.

If you want to disable NAT, select the Disable radio button. Before disabling NAT, back up your current configuration settings.

Domain Name Server (DNS) Address: If you know that your ISP does not automatically transmit DNS addresses to the firewall during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it also.

3. If you selected No, follow the instructions below.

If required, enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP’s services such as mail or news servers. The Account Name and Domain Name are not always required.

Note: Disabling NAT will reboot the router and reset all the FVL328 configuration settings to the factory default. Disable NAT only if you plan to install the FVL328 in a setting where you will be manually administering the IP address space on the LAN side of the router.
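As an added example (not NETGEAR's code), the following pre-flight checker encodes the rules these steps state for the Basic Settings menu and reports inconsistencies before you click Apply, so that the destructive NAT change and unusable DNS entries are caught first. The field names, the LOGIN_SERVICE_TYPES set and the sample plan are assumptions made for this example.

```python
"""Pre-flight check for a planned FVL328 Basic Settings configuration.

Hypothetical helper written for this page (not NETGEAR code). It encodes the
rules the manual states for the Basic Settings menu and reports problems
before you click Apply.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Service types that need a login. Assumption: PPPoE is the usual login type;
# BigPond and PPTP are the ones this page names explicitly.
LOGIN_SERVICE_TYPES = {"PPPoE", "PPTP", "BigPond"}


@dataclass
class BasicSettings:
    """Fields from the Basic Settings menu, as planned by the administrator."""
    login_required: bool
    service_type: Optional[str] = None          # Internet Service Type drop-down
    account_name: str = ""                      # also called Host Name
    domain_name: str = ""
    idle_timeout_minutes: Optional[int] = None  # None = keep current value
    nat_enabled: bool = True
    use_these_dns: bool = False                 # "Use these DNS servers" radio
    primary_dns: str = ""
    secondary_dns: str = ""
    config_backup_saved: bool = False           # Settings Backup done first?


def valid_dns_address(addr: str) -> bool:
    """A DNS server entry must be an IPv4 unicast address."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    return not (ip.is_unspecified or ip.is_loopback or ip.is_multicast)


def check_settings(s: BasicSettings) -> List[str]:
    """Return ERROR/WARN findings; an empty list means the plan is consistent."""
    findings: List[str] = []

    # Step 1: the login answer must agree with the Internet Service Type.
    if s.login_required and s.service_type not in LOGIN_SERVICE_TYPES:
        findings.append("ERROR: login selected but no login-type Internet "
                        "Service Type (PPPoE, PPTP or BigPond) chosen")
    if not s.login_required and s.service_type in {"PPTP", "BigPond"}:
        findings.append(f"ERROR: {s.service_type} requires a login; "
                        "answer Yes to the login question")

    # Account Name / Domain Name are case sensitive; stray whitespace is a
    # common cause of a login that looks right on screen but fails.
    for label, value in (("Account Name", s.account_name),
                         ("Domain Name", s.domain_name)):
        if value != value.strip():
            findings.append(f"WARN: {label} has leading/trailing whitespace")

    # Idle Timeout is in minutes; zero means never log out.
    if s.idle_timeout_minutes is not None:
        if s.idle_timeout_minutes < 0:
            findings.append("ERROR: Idle Timeout must be zero or more minutes")
        elif s.idle_timeout_minutes == 0:
            findings.append("WARN: Idle Timeout 0 means the WAN session is "
                            "never dropped for inactivity")

    # Disabling NAT reboots the unit and resets it to factory defaults.
    if not s.nat_enabled:
        if not s.config_backup_saved:
            findings.append("ERROR: disabling NAT resets the configuration; "
                            "run Settings Backup first")
        findings.append("WARN: disabling NAT reboots the router and routes "
                        "LAN addresses directly; only for manually managed LANs")

    # DNS entries are only needed when the ISP does not push them at login.
    if s.use_these_dns:
        if not valid_dns_address(s.primary_dns):
            findings.append("ERROR: Primary DNS Server is required and must be "
                            "a valid IPv4 unicast address")
        if s.secondary_dns:
            if not valid_dns_address(s.secondary_dns):
                findings.append("ERROR: Secondary DNS Server is not a valid "
                                "IPv4 unicast address")
            elif s.secondary_dns == s.primary_dns:
                findings.append("WARN: Secondary DNS equals Primary; no "
                                "redundancy gained")
    elif s.primary_dns or s.secondary_dns:
        findings.append("WARN: DNS addresses entered but 'Use these DNS "
                        "servers' not selected; they will be ignored")
    return findings


if __name__ == "__main__":
    # Constructed sample plan: PPTP login, NAT switched off without a backup.
    plan = BasicSettings(login_required=True, service_type="PPTP",
                         account_name="user@isp.example ",
                         idle_timeout_minutes=0, nat_enabled=False,
                         use_these_dns=True, primary_dns="203.0.113.53",
                         secondary_dns="203.0.113.53")
    for line in check_settings(plan):
        print(line)
```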

Страница 147: ...acket Wed 2003 07 30 18 44 50 IP Packet Type Field 321 Source 18 7 21 69 192 168 0 3 Drop Notes DESCRIPTION VPN Packet PKT_TYPE GRE AH ESP IP packet Type Field Num IPSEC ACTION Forward Drop Router Ope...

Страница 148: ...i 2003 12 05 22 59 56 ICMP Packet Echo Request Source 192 168 0 10 Destination 192 168 0 1 Receive The format is DATE TIME EVENT SRC_IP SRC_PORT SRC_INF DST_IP DST_PORT DST_INF ACTION Wed 2003 07 30 1...

Страница 149: ...3 WAN Destination 172 31 12 157 LAN Drop ICMP Flood Fri 2003 12 05 21 33 52 UDP Packet Source 127 0 0 1 0 WAN Destination 172 31 12 157 0 LAN Drop Fragment Attack Fri 2003 12 05 19 20 00 TCP Session S...

Страница 150: ...rce 192 168 0 10 LAN Destination www google com WAN Drop Notes EVENT Attempt to access blocked sites SRC_INF LAN DST_INF WAN All Web Sites and News Groups Visited All Web sites and News groups that yo...

Страница 151: ...bound Policy to Service BGP is Added Fri 2003 12 05 21 49 41 Administrator Action Outbound Policy to Service BGP is Added Fri 2003 12 05 21 50 14 Administrator Action Inbound Policy to Service BGP is...

Страница 152: ...User Manual for the NETGEAR 7300 Series Layer 3 Managed Switch Software D 8 Firewall Log Formats 202 10009 01...

Страница 153: ...ing across the network is protected by encryption technologies Private networks lack data security which allows data attackers to tap directly into the network and read the data IPSec based VPNs use e...

Страница 154: ...nsively installed on existing Internet connections What Is IPSec and How Does It Work IPSec is an Internet Engineering Task Force IETF standard suite of protocols that provides data authentication int...

Страница 155: ...ble identifier for each packet which is a data equivalent of a fingerprint This fingerprint allows the device to determine if a packet has been tampered with Furthermore packets that are not authentic...

Страница 156: ...addition AH does not protect the data s confidentiality If data is intercepted and only AH is used the message contents can be read ESP protects data confidentiality For added protection in certain ca...

Страница 157: ...h IPSec the new IP packet contains the old IP header with the source and destination IP addresses unchanged and the processed packet payload Transport mode does not shield the information in the IP he...

Страница 158: ...ortium has developed specific scenarios to aid system administrators in the often confusing process of connecting two different vendor implementations of the IPSec standard The case studies in this ap...

Страница 159: ...Network behind it In most cases each Gateway will have a public facing address WAN side and a private facing address LAN side These addresses are referred to as the network interface in documentation...

Страница 160: ...erstand how to open specific protocols ports and addresses that you intend to allow Setting Up a VPN Tunnel Between Gateways An SA frequently called a tunnel is the set of information that allows two...

Страница 161: ...by IPSec As illustrated below the most common method of accomplishing this process is via the Internet Key Exchange IKE protocol which automates some of the negotiation procedures Alternatively you ca...

Страница 162: ...s to use in the IPSec SAs b The master key is used to derive the IPSec keys for the SAs Once the SA keys are created and exchanged the IPSec SAs are ready to protect user data between the two VPN gate...

Страница 163: ...is working Common problems encountered in setting up VPNs include Parameters may be configured differently on Gateway A vs Gateway B Two LANs set up with similar or overlapping addressing schemes So m...

Страница 164: ...407 D Piper The Internet IP Security Domain of Interpretation for ISAKMP November 1998 RFC 2474 K Nichols S Blake F Baker D Black Definition of the Differentiated Services Field DS Field in the IPv4 a...

Страница 165: ...rmation before you begin the configuration process Verify whether the firmware is up to date all of the addresses that will be necessary and all of the parameters that need to be set on both sides Che...

Страница 166: ...ration Out of the box the FVS318 or FVM318 is set for its default LAN address of http 192 168 0 1 with its default user name of admin and default password of password For this example we will assume y...

Страница 167: ...entifier name for the NETGEAR FVS318 Gateway A This name must be entered in the other endpoint as Remote IPSec Identifier In this example we used 14 15 16 17 as the local identifier Enter a Remote IPS...

Страница 168: ...IP address 22 23 24 25 in our example of Gateway B in the Remote WAN IP or FQDN field Figure F 4 Figure 4 NETGEAR FVS318 VPN Settings part 2 Main Mode From the Secure Association drop down box select...

Страница 169: ...Step By Step Configuration of FVL328 Gateway B 1 Log in to the NETGEAR FVL328 labeled Gateway B as in the illustration Out of the box the FVL328 is set for its default LAN address of http 192 168 0 1...

Страница 170: ...policies In our example we have used FVS318 as the Policy Name In the Policy Name field type FVS318 From the Direction Type drop down box select Both Directions From the Exchange Mode drop down box s...

Страница 171: ...hr5xb84l6aa9r6 You must make sure the key is the same for both gateways From the Diffie Hellman DH Group drop down box select Group 1 768 Bit In the SA Life Time field type 28800 3 Click the Apply Bu...

Страница 172: ...the FVS318 IKE Policy From the Remote VPN Endpoint Address Type drop down box select IP Address Type the WAN IP Address of Gateway A 14 15 16 17 in our example in the Remote VPN Endpoint Address Data...

Страница 173: ...f Gateway A 0 0 0 0 in our example in the Remote IP Finish IP Address field Type the LAN Subnet Mask of Gateway A 255 255 255 0 in our example in the Remote IP Subnet Mask field From the AH Configurat...

Страница 174: ...teway B LAN Interface address example address 172 23 9 1 2 From a PC behind the FVL328v2 gateway B attempt to ping the remote NETGEAR FVS318 or FVM318 gateway A LAN Interface address example address 1...

Страница 175: ...3 24 25 13 19 46 FVS318 IPsec main_inR3 13 19 46 FVS318 IKE toFVL328 RX MM_R3 22 23 24 25 13 19 46 FVS318 IPsec Decoded Peer s ID is ID_IPV4_ADDR 22 23 24 25and 22 23 24 25in st 13 19 46 FVS318 IPsec...

Страница 176: ...Model FVL328 ProSafe High Speed VPN Firewall v2 Reference Manual F 12 NETGEAR VPN Configuration FVS318 or FVM318 to FVL328 M 10144 01...

Страница 177: ...72 16 9 10 Windows 2000 Server configuration This example shows how to create an IP Security Policy The following steps should be performed in this order 1 Create an IP Security Policy called DUT To W...

Страница 178: ...Windows 2000 Server and SSH Sentinel VPN Configuration M 10144 01 3 Click Next then type the policy name for example DUT To Win2K DUT in this example refers to Device Under Test Click Next 4 Clear th...

Страница 179: ...anual FVL328 to Windows 2000 Server and SSH Sentinel VPN Configuration G 3 M 10144 01 Create an IP Filter called To DUT 1 Click Add Type To DUT and then click Add 2 Type the Source IP address and the...

Страница 180: ...e High Speed VPN Firewall Reference Manual G 4 FVL328 to Windows 2000 Server and SSH Sentinel VPN Configuration M 10144 01 4 Click the Filter Action tab Select the Require Security check box and click...

Страница 181: ...rewall Reference Manual FVL328 to Windows 2000 Server and SSH Sentinel VPN Configuration G 5 M 10144 01 6 Select High ESP then click OK and OK to go back to the Filter Action 7 Click the Tunnel Settin...

Страница 182: ...328 to Windows 2000 Server and SSH Sentinel VPN Configuration M 10144 01 8 Click the Authentication Methods tab Click Edit Select the Use this string preshared key check box then type 12345678 9 Click...

Страница 183: ...328 ProSafe High Speed VPN Firewall Reference Manual FVL328 to Windows 2000 Server and SSH Sentinel VPN Configuration G 7 M 10144 01 Create an IP Filter Called To Win2K 1 Click Add Type To Win2K and c...

Страница 184: ...afe High Speed VPN Firewall Reference Manual G 8 FVL328 to Windows 2000 Server and SSH Sentinel VPN Configuration M 10144 01 2 Type the Source IP address and the Destination IP address 3 Click OK then...

Страница 185: ...e High Speed VPN Firewall Reference Manual FVL328 to Windows 2000 Server and SSH Sentinel VPN Configuration G 9 M 10144 01 4 Click the Filter Action tab Select the Require Security check box and click...

Страница 186: ...ll Reference Manual G 10 FVL328 to Windows 2000 Server and SSH Sentinel VPN Configuration M 10144 01 6 Select High ESP then click OK Click OK to return to the Filter Action tab 7 Click the Tunnel Sett...

Страница 187: ...28 to Windows 2000 Server and SSH Sentinel VPN Configuration G 11 M 10144 01 8 Click Authentication Methods and click Edit Select the Use this string preshared key check box then type 12345678 9 Click...

Страница 188: ...ProSafe High Speed VPN Firewall Reference Manual G 12 FVL328 to Windows 2000 Server and SSH Sentinel VPN Configuration M 10144 01 Configure the General Properties 1 Click General 2 Click Advanced 3 C...

Страница 189: ...Windows 2000 Server and SSH Sentinel VPN Configuration G 13 M 10144 01 4 Click Edit select Integrity Algorithm SHA1 and Encryption algorithm 3DES DH Low Click OK then OK again Close the window 5 Righ...

Страница 190: ...Model FVL328 ProSafe High Speed VPN Firewall Reference Manual G 14 FVL328 to Windows 2000 Server and SSH Sentinel VPN Configuration M 10144 01 Configure the FVL328 IKE policy...

Страница 191: ...Model FVL328 ProSafe High Speed VPN Firewall Reference Manual FVL328 to Windows 2000 Server and SSH Sentinel VPN Configuration G 15 M 10144 01 Configure the FVL328 VPN policy...

Страница 192: ...44 01 FVL328 to SSH Sentinel 1 3 Remote VPN LAN WAN LAN PCa FVL328 NAT router PC b with SSH 1 3 installed FVL328 LAN IP 192 168 0 1 WAN IP 172 16 7 119 24 NAT router support IPSec passthrough LAN IP 1...

Страница 193: ...rence Manual FVL328 to Windows 2000 Server and SSH Sentinel VPN Configuration G 17 M 10144 01 2 Select the Key Management tab a Click Add b Select Create a preshared key and click Next c Type the same...

Страница 194: ...Model FVL328 ProSafe High Speed VPN Firewall Reference Manual G 18 FVL328 to Windows 2000 Server and SSH Sentinel VPN Configuration M 10144 01 d You will see the FVL328 under My Keys Click Apply...

Страница 195: ...t the Security Policy tab a Under VPN Connections click Add b Click the IP button and type the Gateway IP Address Select FVL328 for the Authentication key Select the Use legacy proposal check box Clic...

Страница 196: ...FVL328 ProSafe High Speed VPN Firewall Reference Manual G 20 FVL328 to Windows 2000 Server and SSH Sentinel VPN Configuration M 10144 01 d Click Properties and check the VPN policy settings e Click Se...

Страница 197: ...roSafe High Speed VPN Firewall Reference Manual FVL328 to Windows 2000 Server and SSH Sentinel VPN Configuration G 21 M 10144 01 f Configure the settings below then click OK Click OK and then OK again...

Страница 198: ...ProSafe High Speed VPN Firewall Reference Manual G 22 FVL328 to Windows 2000 Server and SSH Sentinel VPN Configuration M 10144 01 4 Right click on the icon click Select VPN and choose the one you jus...

Страница 199: ...Model FVL328 ProSafe High Speed VPN Firewall Reference Manual FVL328 to Windows 2000 Server and SSH Sentinel VPN Configuration G 23 M 10144 01 Create the FVL328 IKE Policy Create the FVL328 VPN Policy...

Страница 200: ...Model FVL328 ProSafe High Speed VPN Firewall Reference Manual G 24 FVL328 to Windows 2000 Server and SSH Sentinel VPN Configuration M 10144 01 Ping a PC to Bring Up the Tunnel...

Страница 201: ...and configuration mechanics defined by the VPN Consortium Gather all the necessary information before you begin the configuration process Verify whether the firmware is up to date all of the addresse...

Страница 202: ...p 192 168 0 1 with its default user name of admin and default password of password Even though the remainder of this document will refer to the FVL328 the login procedures and configuration menu scree...

Страница 203: ...help you manage the IKE policies In our example we used VPNclient as the Policy Name From the Direction Type drop down box select Remote Access From the Exchange Mode drop down box select Aggressive M...

Страница 204: ...ection Security Policy Authentication Phase 1 on page H 11 From the Authentication Method radio button select Pre shared Key This will also be selected in the NETGEAR ProSafe VPN Client Security Polic...

Страница 205: ...ke you to the VPN Policies Menu page Click Add Auto Policy This will open a new screen titled VPN Auto Policy Figure H 3 NETGEAR FVL328 VPN Auto Policy General settings Enter a unique name to identify...

Страница 206: ...Addressing ID Type field as seen in Security Policy Editor New Connection on page H 8 Type the starting LAN IP Address of the FVL328 in the Local IP Start IP Address field For this example we used 19...

Страница 207: ...ection Security Policy Key Exchange Phase 2 on page H 12 Select the NETBIOS Enable check box to enable networking features like Windows Network Neighborhood Click Apply to save your changes You will b...

Страница 208: ...it has a dynamically assigned IP address 1 Install the NETGEAR VPN Client Software on the PC You may need to insert your Windows CD to complete the installation Reboot your PC after installing the cl...

Страница 209: ...using Secure Gateway Tunnel check box is selected c In this example select IP Subnet as the ID Type 192 168 0 0 in the Subnet field the Subnet address is the LAN IP Address of the FVL328 with 0 as th...

Страница 210: ...ick Pre Shared Key Figure H 8 Connection Identity Pre Shared Key c Enter hr5xb84l6aa9r6 which is the same Pre Shared Key entered in the FVL328 d Click OK 4 Configure the Connection Identity Settings a...

Страница 211: ...Connection Security Policy In this step you will provide the authentication IKE Phase 1 settings and the key exchange Phase 2 settings The setting choices in this procedure follow the VPNC guidelines...

Страница 212: ...igure the Key Exchange Phase 2 Expand the Key Exchange Phase 2 heading and click on Proposal 1 For this example ensure that the following settings are configured In the SA Life menu select Unspecified...

Страница 213: ...ow to Specify Internal Network Address check box and click OK 7 Save the VPN Client Settings From the File menu at the top of the Security Policy Editor window select Save After you have configured an...

Страница 214: ...ect option of the NETGEAR VPN Client popup menu Figure H 13 Connecting the PC to the FVL328 over the VPN tunnel 1 Open the popup menu by right clicking on the system tray icon 2 Select Connect to open...

Страница 215: ...d out to reply To test the connection to a computer connected to the FVL328 simply ping the IP address of that computer Once connected you can open a browser on the remote PC and enter the LAN IP Addr...

Страница 216: ...ection Monitor screen In this example the following connection options apply The FVL328 has a public IP WAN address of 66 120 188 153 The FVL328 has a LAN IP address of 192 168 0 1 The VPN client PC i...

Страница 217: ...ing the FVL328 VPN Status and Log Information Information on the status of the VPN client connection can be viewed by opening the FVL328 VPN Status screen To view this screen click the VPN Status link...

Страница 218: ...Reference Manual for the NETGEAR ProSafe VPN Client H 18 NETGEAR VPN Client to NETGEAR FVL328 or FWAG114 VPN Router 202 10015 01...

Страница 219: ...PN Consortium Gather all the necessary information before you begin the configuration process Verify whether the firmware is up to date all of the addresses that will be necessary and all of the param...

Страница 220: ...provides a central public database where information such as email addresses host names and IP addresses can be stored and retrieved Now a gateway can be configured to use a 3rd party service in lieu...

Страница 221: ...on necessary to set up the gateways Step By Step Configuration of FVS318 or FVM318 Gateway A 1 Log in to the FVS318 or FVM318 labeled Gateway A as in the illustration Out of the box the FVS318 or FVM3...

Страница 222: ...DN we are using is netgear dyndns org and the Host Name is netgear Type the Password or key for your dynamic DNS account 5 Click Apply to save your configuration 6 Click on the VPN Settings link on th...

Страница 223: ...me for the remote NETGEAR FVL328 Gateway B This name must be entered in the other endpoint as Local IPSec Identifier In this example we used 22 23 24 25 as the remote identifier Choose a subnet from l...

Страница 224: ...e Secure Association drop down box select Main Mode Next to Perfect Forward Secrecy select the Enabled radio button From the Encryption Protocol drop down box select 3DES In the PreShared Key box type...

Страница 225: ...Enable check box is selected Step By Step Configuration of FVL328 Gateway B 1 Log in to the NETGEAR FVL328 labeled Gateway B in the illustration Out of the box the FVL328 is set for its default LAN ad...

Страница 226: ...ample we have used FVS318 as the Policy Name In the Policy Name field type FVS318 From the Direction Type drop down box select Both Directions From the Exchange Mode drop down box select Main Mode Fro...

Страница 227: ...You must make sure the key is the same for both gateways From the Diffie Hellman DH Group drop down box select Group 1 768 Bit In the SA Life Time field type 28800 3 Click Apply This will bring you ba...

Страница 228: ...Address Type drop down box select IP Address Type the WAN IP Address of Gateway A 14 15 16 17 in our example in the Remote VPN Endpoint Address Data field Type 300 in the SA Life Time Seconds field T...

Страница 229: ...ess of Gateway A 0 0 0 0 in our example in the Remote IP Finish IP Address field Type the LAN Subnet Mask of Gateway A 255 255 255 0 in our example in the Remote IP Subnet Mask field From the AH Confi...

Страница 230: ...1 From a PC behind the NETGEAR FVS318 or FVM318 Gateway A attempt to ping the remote FVL328 Gateway B LAN Interface address example address 172 23 9 1 2 From the FVS318 or FVM318 click the Router Sta...

Страница 231: ...h a financial institution such as a credit card company which provides it with information to confirm an individual s claimed identity CAs are a critical component in data security and electronic comm...

Страница 232: ...erver resolves descriptive names of network resources such as www NETGEAR com to numeric IP addresses Dynamic Host Configuration Protocol DHCP An Ethernet protocol specifying how a centralized DHCP se...

Страница 233: ...ny type of Internet access Because it s a simpler version of X 500 LDAP is sometimes called X 500 lite local area network LAN A communications network serving users within a limited area such as one f...

Страница 234: ...A block of information sent over a network A packet typically contains a source and destination network address some protocol and length information a block of data and a checksum PPP See Point to Po...

Страница 235: ...x Ethernet networks VPN Virtual Private Network A method for securely transporting data between two private networks by using a public network such as the Internet as a connection VPNC Virtual Private...

Страница 236: ...Model FVL328 ProSafe High Speed VPN Firewall Reference Manual 6 Glossary M 10144 01...

Страница 237: ...and time 8 8 Daylight Savings Time 5 15 8 8 daylight savings time 5 15 Default DMZ Server 4 5 default reset button 8 7 Denial of Service DoS protection 2 2 5 3 denial of service attack B 11 DHCP 2 4...

Страница 238: ...8 3 private B 7 translating B 9 IP configuration by DHCP B 10 IP networking for Macintosh C 6 for Windows C 2 C 5 IPSec E 1 IPSec Components E 2 IPSec SA negotiation E 9 IPSec Security Features E 2 IS...

Страница 239: ...ts B 1 Routing Information Protocol 2 3 B 2 rules inbound 5 7 order of precedence 5 12 outbound 5 10 S SA E 4 Scope of Document 1 1 Secondary DNS Server 3 10 3 11 3 13 3 15 3 16 service blocking 5 10...

Страница 240: ...working 2 3 VPN E 1 VPN Consortium E 6 VPN Process Overview E 7 VPNC IKE Phase I Parameters E 10 VPNC IKE Phase II Parameters E 11 W Windows configuring for IP routing C 2 C 5 winipcfg utility C 5 Win...
