NETGEAR FVS114NA Скачать руководство пользователя | Manualshive

Страница: 175 / 212

background image

Reference Manual for the ProSafe VPN Firewall FVS114

Virtual Private Networking

C-9

202-10098-01, April 2005

Figure C-5: VPN tunnel Security Associaton (SA)

The SA contains all the information necessary for gateway A to negotiate a secure and encrypted
communication stream with gateway B. This communication is often referred to as a “tunnel.” The
gateways contain this information so that it does not have to be loaded onto every computer
connected to the gateways.

Each gateway must negotiate its SA with another gateway using the parameters and processes
established by IPSec. As illustrated below, the most common method of accomplishing this
process is via the Internet Key Exchange (IKE) protocol which automates some of the negotiation
procedures.

Figure C-6: IPSec Security Association (SA) negotiation

Or, you can configure your gateways using manual key exchange, which involves manually
configuring each paramter on both gateways.

1.

The IPSec software on Host A initiates the IPSec process in an attempt to communicate
with Host B.

The two computers then begin the Internet Key Exchange (IKE) process.

VPN Gateway A

VPN Gateway B

VPN Tunnel

PCs

PCs

VPN Gateway

VPN Gateway

1) Communication

request sent to VPN Gateway

2) IKE Phase I authentication

3) IKE Phase II negotiation

4) Secure data transfer

5) IPSec tunnel termination

IPSec Security Association IKE

VPN Tunnel Negotiation Steps

«
...
173
174
175
176
177
...
»

Содержание FVS114NA

Страница 1: ...202 10098 01 April 2005 202 10098 01 April 2005 NETGEAR Inc 4500 Great America Parkway Santa Clara CA 95054 USA Reference Manual for the ProSafe VPN Firewall FVS114...

Страница 2: ...lar installation If this equipment does cause harmful interference to radio or television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct...

Страница 3: ...1 April 2005 iii Product and Publication Details Model Number FVS114 Publication Date April 2005 Product Family Router Product Name FVS114 ProSafe VPN Firewall Home or Business Product Business Langua...

Страница 4: ...202 10098 01 April 2005 iv...

Страница 5: ...and Management 2 4 Maintenance and Support 2 4 Package Contents 2 5 The FVS114 Front Panel 2 5 The FVS114 Rear Panel 2 6 NETGEAR Related Products 2 7 NETGEAR Product Registration Support and Document...

Страница 6: ...4 11 Using a Schedule to Block or Allow Specific Traffic 4 13 Time Zone 4 14 Getting E Mail Notifications of Event Logs and Alerts 4 15 Viewing Logs of Web Access or Attempted Web Access 4 17 Syslog 4...

Страница 7: ...g Automatic Key Management 6 2 IKE Policies Automatic Key and Authentication Management 6 3 VPN Policy Configuration for Auto Key Negotiation 6 5 VPN Policy Configuration for Manual Key Exchange 6 9 U...

Страница 8: ...te Example 8 10 Enabling Remote Management Access 8 10 UPnP 8 13 Chapter 9 Troubleshooting Basic Functioning 9 1 Power LED Not On 9 1 LEDs Never Turn Off 9 2 LAN or Internet Port LEDs Not On 9 2 Troub...

Страница 9: ...ful Packet Inspection B 11 Denial of Service Attack B 11 Ethernet Cabling B 11 Category 5 Cable Quality B 12 Inside Twisted Pair Cables B 13 Uplink Switches Crossover Cables and MDI MDIX Switching B 1...

Страница 10: ...7 Install or Verify Windows Networking Components D 7 Enabling DHCP to Automatically Configure TCP IP Settings D 8 DHCP Configuration of TCP IP in Windows XP D 8 DHCP Configuration of TCP IP in Windo...

Страница 11: ...Contents xi 202 10098 01 April 2005 B G 2 C G 3 D G 3 E G 4 G G 5 I G 5 L G 6 M G 7 P G 7 Q G 8 R G 9 S G 9 T G 9 U G 10 W G 10...

Страница 12: ...202 10098 01 April 2005 xii Contents...

Страница 13: ...de uses the following typographical conventions This guide uses the following formats to highlight special messages This manual is written for the FVS114 VPN Firewall according to these specifications...

Страница 14: ...sing forwards or backwards through the manual one page at a time A button that displays the table of contents and an button Double click on a link in the table of contents or index to navigate directl...

Страница 15: ...wing opens in a browser window Note Your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files The Acrobat reader is available on the Adobe Web site at http w...

Страница 16: ...Reference Manual for the ProSafe VPN Firewall FVS114 1 4 About This Manual 202 10098 01 April 2005...

Страница 17: ...sers The FVS114 VPN Firewall provides you with multiple Web content filtering options plus browsing activity reporting and instant alerts both via e mail Parents and network administrators can establi...

Страница 18: ...ddress or email pager whenever a significant event occurs With its content filtering feature the FVS114 prevents objectionable content from reaching your PCs The firewall allows you to control access...

Страница 19: ...t TCP IP refer to Appendix B Network Routing and Firewall Basics IP Address Sharing by NAT The FVS114 VPN Firewall allows several networked PCs to share an Internet account using only a single IP addr...

Страница 20: ...all automatically senses the type of Internet connection asking you only for the information required for your type of ISP account Diagnostic functions The firewall incorporates built in diagnostic fu...

Страница 21: ...information Registration and Warranty Card If any of the parts are incorrect missing or damaged contact your NETGEAR dealer Keep the carton including the original packing materials in case you need to...

Страница 22: ...n Power is supplied to the firewall TEST On Off The system is initializing The system is ready and running INTERNET 100 100 Mbps On Off The Internet WAN port is operating at 100 Mbps The Internet WAN...

Страница 23: ...ired Notebooks WAG511 108 Mbps Dual Band PC Card WG511T 108 Mbps PC Card WG511 54 Mbps PC Card WG111 54 Mbps USB 2 0 Adapter MA521 802 11b PC Card FA511 CardBus Adapter FA120 USB 2 0 Adapter Desktops...

Страница 24: ...Documentation is available on the Resource CD and at http kbserver netgear com When the VPN firewall router is connected to the Internet click the Knowledge Base or the Documentation link under the W...

Страница 25: ...vice When you perform the VPN firewall router setup steps be sure to use the computer you first registered with your cable ISP For DSL Service You may need information such as the DSL login name e mai...

Страница 26: ...ter d Disconnect the cable at the computer end only point A in the diagram e Look at the label on the bottom of the VPN firewall router Locate the Internet port Securely insert the Ethernet cable from...

Страница 27: ...re connected and you are ready to restart your network 2 RESTART YOUR NETWORK IN THE CORRECT SEQUENCE Warning Failure to restart your network in the correct sequence could prevent you from connecting...

Страница 28: ...Internet LINK ACT light should be lit If not make sure the Ethernet cable is securely attached to the VPN firewall router Internet port and the modem and the modem is powered on LOCAL A LOCAL light sh...

Страница 29: ...nd DNS server addresses automatically which is usually so For help with this see Appendix D Preparing Your Network or the animated tutorials on the Resource CD 2 Click OK Follow the prompts to proceed...

Страница 30: ...els on the front and back of the VPN firewall router identify the number of each LOCAL port Make sure the network settings of the computer are correct LAN connected computers must be configured to obt...

Страница 31: ...ng http www routerlogin net basicsetting htm in the browser address bar and pressing Enter You will not be prompted for a user name or password This will enable you to manually configure the VPN firew...

Страница 32: ...en press Enter Figure 3 6 Login URL 2 For security reasons the firewall has its own user name and password When prompted enter admin for the firewall user name and password for the firewall password b...

Страница 33: ...e Knowledge Base or the Documentation link under the Web Support menu to view support information or the documentation for the VPN firewall router If you do not click Logout the VPN firewall router wi...

Страница 34: ...n settings follow this procedure 1 Connect to the VPN firewall router by typing http www routerlogin net in the address field of your browser then press Enter 2 For security reasons the firewall has i...

Страница 35: ...n manually configure the firewall using the Basic Settings menu shown in Figure 3 9 using these steps 1 Log in to the firewall at its default address of http www routerlogin net using a browser like I...

Страница 36: ...tings take effect d Firewall s MAC Address This section determines the Ethernet MAC address that will be used by the firewall on the Internet port Some ISPs will register the Ethernet MAC address of t...

Страница 37: ...PPPoE PPTP Telstra Bigpond Cable broadband connections select your Internet service provider from the drop down list Figure 3 10 Basic Settings ISP list b The screen will change according to the ISP...

Страница 38: ...Reference Manual for the ProSafe VPN Firewall FVS114 3 14 Connecting the Firewall to the Internet 202 10098 01 April 2005...

Страница 39: ...ames A firewall is a special category of router that protects one network the trusted network such as your LAN from another the untrusted network such as the Internet while allowing communication betw...

Страница 40: ...menu Web Components You can use these to block undesirable Web componenents or behavior Select the desired options Turn Proxy filtering on Block use of a remote Proxy Server A Proxy Server can be used...

Страница 41: ...wsing access enter the keyword Trusted User To specify a Trusted User enter that PC s IP address in the Trusted User box and click Apply You may specify one Trusted User which is a PC that will be exe...

Страница 42: ...application source or destination IP addresses and time of day You can also choose to log traffic that matches or does not match the rule you have defined To create a new rule click the Add button To...

Страница 43: ...AN of the Source Address As with the Source Address you can select Any a Single address or a Range unless NAT is enabled and the destination is the LAN In that case you must enter a Single LAN address...

Страница 44: ...er or game server visible and available to the Internet The rule tells the firewall to direct inbound traffic for a particular service to one local server based on the destination port number This is...

Страница 45: ...llow incoming videoconferencing to be initiated from a restricted range of outside IP addresses such as from a branch office you can create an inbound rule In the example shown in Figure 4 4 CU SEEME...

Страница 46: ...eature in the LAN IP menu to keep the PC s IP address constant Each local PC must access the local server using the PC s local LAN address 192 168 0 99 in this example Attempts by local PCs to access...

Страница 47: ...ck Instant Messenger usage by employees during working hours you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule th...

Страница 48: ...Figure 4 6 Rules table For any traffic attempting to pass through the firewall the packet information is subjected to the rules in the order shown in the Rules table beginning at the top and proceedin...

Страница 49: ...P Web server request The service numbers for many common protocols are defined by the Internet Engineering Task Force IETF and published in RFC1700 Assigned Numbers Service numbers for other applicati...

Страница 50: ...om Service menu 2 Enter a descriptive name for the service so that you will remember what it is 3 Select whether the service uses TCP or UDP as its transport protocol If you can t determine which is u...

Страница 51: ...r Allow Specific Traffic If you enabled content filtering in the Block Sites menu or if you defined an outbound rule to use a schedule you can set up a schedule for when blocking occurs or when access...

Страница 52: ...Apply when you have finished configuring this page Time Zone The FVS114 VPN Firewall uses the Network Time Protocol NTP to obtain the current time and date from one of several Network Time Servers on...

Страница 53: ...mail If your enable e mail notification these boxes cannot be blank Enter the name or IP address of your ISP s outgoing SMTP mail server such as mail myISP com You may be able to find this informatio...

Страница 54: ...on your selection you may also need to specify Day for sending log Relevant when the log is sent weekly or daily Time for sending log Relevant when the log is sent daily or weekly If the Weekly Daily...

Страница 55: ...oming and outgoing service requests hacker probes and administrator logins If you enable content filtering in the Block Sites menu the Log page will also show you when someone on your network tried to...

Страница 56: ...try descriptions Field Description Date and Time The date and time the log entry was recorded Description or Action The type of event and what action was taken if any Source IP The IP address of the i...

Страница 57: ...nced Virtual Private Networking How to Set Up a Client to Gateway VPN Configuration on page 5 5 provides the steps needed to configure a VPN tunnel between a remote PC and a network gateway using the...

Страница 58: ...re access from a remote PC such as a telecommuter connecting to an office network see Figure 5 1 Figure 5 1 Client to gateway VPN tunnel A VPN client access allows a remote PC to connect to your netwo...

Страница 59: ...ngs on one end to match the inbound VPN settings on other end and vice versa This set of configuration information defines a security association SA between the two VPN endpoints When planning your VP...

Страница 60: ...ster but less secure than 3DES 3DES 3DES Triple DES achieves a higher level of security by encrypting the data three times using DES with three different unrelated keys AES AES Advanced Encryption Sta...

Страница 61: ...C defaults see Table 5 1 on page 5 4 are not appropriate for your special circumstances How to Set Up a Client to Gateway VPN Configuration Setting up a VPN between a remote PC running the NETGEAR Pro...

Страница 62: ...Wizard link in the main menu to display this screen Click Next to proceed Figure 5 4 VPN Wizard start screen 2 Fill in the Connection Name and the pre shared key select the type of target end point an...

Страница 63: ...10098 01 April 2005 Figure 5 5 Connection Name and Remote IP Type The Summary screen below displays Figure 5 6 VPN Wizard Summary Enter the new Connection Name RoadWarrior in this example Enter the p...

Страница 64: ...lick the here link see Figure 5 6 Click Back to return to the Summary screen Figure 5 7 VPNC Recommended Settings 3 Click Done on the Summary screen see Figure 5 6 to complete the configuration proced...

Страница 65: ...isregard this message c Install the IPSec Component You may have the option to install either the VPN Adapter or the IPSec Component or both The VPN Adapter is not necessary d The system should show t...

Страница 66: ...es not have to match the RoadWarrior Connection Name used on the gateway side of the VPN tunnel see Figure 5 5 because Connection Names are unrelated to how the VPN tunnel functions Tip Choose Connect...

Страница 67: ...check box i Enter the public WAN IP Address of the FVS114 in the field directly below the ID Type menu In this example 22 23 24 25 would be used The resulting Connection Settings are shown in Figure 5...

Страница 68: ...elect Certificate box c Select IP Address in the ID Type box If you are using a virtual fixed IP address enter this address in the Internal Network IP Address box Otherwise leave this box empty d In t...

Страница 69: ...4 configuration a In the Network Security Policy list on the left side of the Security Policy Editor window expand the Security Policy heading by double clicking its name or clicking on the symbol b E...

Страница 70: ...the Key Exchange subheading by double clicking its name or clicking on the symbol Then select Proposal 1 below Key Exchange Figure 5 15 Security Policy Editor Key Exchange b In the SA Life menu select...

Страница 71: ...the NETGEAR ProSafe menu bar The NETGEAR ProSafe client will report the results of the attempt to connect Since the remote PC has a dynamically assigned WAN IP address it must initiate the request To...

Страница 72: ...nitoring the Progress and Status of the VPN Client Connection Information on the progress and status of the VPN client connection can be viewed by opening the NETGEAR ProSafe Log Viewer 1 To launch th...

Страница 73: ...A before the name of the connection When the connection is successful the SA will change to the yellow key symbol shown in the illustration above Transferring a Security Policy to Another Client This...

Страница 74: ...Security Policy The following procedure Figure 5 21 enables you to import an existing security policy Step 1 Select Export Security Policy from the File pulldown Step 2 Click Export once you decide t...

Страница 75: ...Step 1 Invoke the NETGEAR ProSafe VPN Client and select Import Security Policy from the File pulldown Step 2 Select the security policy to import In this example the security policy file is named FVS...

Страница 76: ...anges of each VPN endpoint must be different The connection will fail if both are using the NETGEAR default address range of 192 168 0 x In this example LAN A uses 192 168 0 1 and LAN B uses 192 168 3...

Страница 77: ...s of http 192 168 0 1 with its default user name of admin and password of password Click the VPN Wizard link in the main menu to display this screen Click Next to proceed Figure 5 23 VPN Wizard start...

Страница 78: ...and click Next Figure 5 25 Remote IP 4 Identify the IP addresses at the target endpoint that can use this tunnel and click Next Figure 5 26 Secure Connection Remote Accessibility Enter the WAN IP addr...

Страница 79: ...Reference Manual for the ProSafe VPN Firewall FVS114 Basic Virtual Private Networking 5 23 202 10098 01 April 2005 The Summary screen below displays Figure 5 27 VPN Wizard Summary...

Страница 80: ...n and encryption settings used by the VPN Wizard click the here link see Figure 5 27 Click Back to return to the Summary screen Figure 5 28 VPN Recommended Settings 5 Click Done on the Summary screen...

Страница 81: ...5 0 Preshared Key e g 12345678 7 Use the VPN Status screen to activate the VPN tunnel by performing the following steps a Open the FVS114 management interface and click on VPN Status under VPN to get...

Страница 82: ...ing the VPN tunnel Use the VPN Status page Activate the VPN tunnel by pinging the remote endpoint Start Using a VPN Tunnel to Activate It To use a VPN tunnel use a Web browser to go to a URL whose IP...

Страница 83: ...le remote endpoint LAN IP address To activate the VPN tunnel by pinging the remote endpoint 192 168 3 1 do the following steps depending on whether your configuration is client to gateway or gateway t...

Страница 84: ...FVS114 Within two minutes the ping response should change from timed out to reply Note Use Ctrl C to stop the pinging Figure 5 35 Ping test results Once the connection is established you can open the...

Страница 85: ...mine the status of a VPN tunnel perform the following steps 1 Log in to the VPN Firewall 2 Open the FVS114 management interface and click VPN Status under VPN to get the VPN Status Log screen Figure 5...

Страница 86: ...emote VPN Endpoint Action the action will be either a Drop or a Connect button SLifeTime Secs the remaining Soft Lifetime for this SA in seconds When the Soft Lifetime becomes zero the SA Security Ass...

Страница 87: ...tunnel you want to deactivate and click Apply To reactivate the tunnel check the Enable box and click Apply Using the VPN Status Page to Deactivate a VPN Tunnel To use the VPN Status page to deactiva...

Страница 88: ...Log in to the VPN Firewall 2 Click VPN Policies under VPN to display the VPN Policies screen Figure 5 42 Select the radio button for the VPN tunnel to be deleted and click the Delete button Figure 5 4...

Страница 89: ...king for a description on how to use the basic VPN features Overview of FVS114 Policy Based VPN Configuration The FVS114 uses state of the art firewall and security technology to facilitate controlled...

Страница 90: ...ching VPN policies on both the local and remote FVS114 VPN Firewalls The outbound VPN policy on one end must match to the inbound VPN policy on other end and vice versa When the network traffic enters...

Страница 91: ...8 01 April 2005 IKE Policies Automatic Key and Authentication Management Click the IKE Policies link from the VPN section of the main menu and then click the Add button of the IKE Policies screen to d...

Страница 92: ...ns where the IP address of the remote client is unknown If Remote Access is selected the Exchange Mode must be Aggressive and the Identities below both Local and Remote must be Name On the matching VP...

Страница 93: ...dentify the target remote FVS114 by name IKE SA Parameters These parameters determine the properties of the IKE Security Association Encryption Algorithm Choose the encryption algorithm for this IKE p...

Страница 94: ...Reference Manual for the ProSafe VPN Firewall FVS114 6 6 Advanced Virtual Private Networking 202 10098 01 April 2005 Figure 6 3 VPN Auto Policy menu...

Страница 95: ...main name By its IP Address Address Type The address type used to locate the remote VPN firewall or client to which you wish to connect By its Fully Qualified Domain Name FQDN your domain name By its...

Страница 96: ...P Addresses Subnet Address Authenticating Header AH Configuration AH specifies the authentication protocol for the VPN header These settings must match the remote VPN endpoint Enable Authentication Us...

Страница 97: ...licies link from the VPN section of the main menu to display the menu shown below Authentication Algorithm If you enable AH then use this menu to select which authentication algorithm will be employed...

Страница 98: ...Reference Manual for the ProSafe VPN Firewall FVS114 6 10 Advanced Virtual Private Networking 202 10098 01 April 2005 Figure 6 4 VPN Manual Policy menu...

Страница 99: ...address space The choices are ANY for all valid IP addresses in the Internet address space Single IP Address Range of IP Addresses Subnet Address Remote IP The drop down menu allows you to configure t...

Страница 100: ...tication when you use ESP Two ESP modes are available Plain ESP encryption ESP encryption with authentication These settings must match the remote VPN endpoint SPI Incoming Enter a hexadecimal value 3...

Страница 101: ...es are produced by providing the particulars of the user being identified to the CA The information provided may include the user s name e mail ID and domain name Enable Authentication Use this check...

Страница 102: ...eans that the certificate is not revoked IKE can then use this certificate for authentication If the certificate is present in the CRL it means that the certificate is revoked and the IKE will not aut...

Страница 103: ...4 to the Internet Gateway A s LAN interface has the address 10 5 6 1 and its WAN Internet interface has the address 14 15 16 17 Gateway B connects the internal LAN 172 23 9 0 24 to the Internet Gatewa...

Страница 104: ...by reviewing the security settings as seen in the Figure 4 2 on page 4 4 Figure 6 6 LAN to LAN VPN access from an FVS114 to an FVS114 Use this scenario illustration and configuration screens as a mod...

Страница 105: ...nternet IP Address menu b Configure the WAN Internet Address according to the settings above and click Apply to save your settings For more information on configuring the WAN IP settings in the Basic...

Страница 106: ...IP address according to the settings above and click Apply to save your settings For more information on LAN TCP IP setup topics please see Configuring LAN TCP IP Setup Parameters on page 8 5 Note Aft...

Страница 107: ...main menu VPN section click on the IKE Policies link and then click the Add button to display the screen below Figure 6 9 Scenario 1 IKE Policy b Configure the IKE Policy according to the settings in...

Страница 108: ...licy button Figure 6 10 Scenario 1 VPN Auto Policy b Configure the IKE Policy according to the settings in the illustration above and click Apply to save your settings For more information on IKE Poli...

Страница 109: ...on and click the Diagnostics link b To test connectivity to the WAN port of Gateway B enter 22 23 24 25 and then click Ping c This causes a ping to be sent to the WAN interface of Gateway B Within two...

Страница 110: ...r instructions on this topic see Time Zone on page 4 14 1 Obtain a root certificate a Obtain the root certificate that includes the public key from a Certificate Authority CA Note The procedure for ob...

Страница 111: ...ificate Subject This is the name that other organizations will see as the holder owner of this certificate This should be your registered business name or official company name Generally all certifica...

Страница 112: ...s shown below Figure 6 12 Self Certificate Request data 4 Transmit the Self Certificate Request data to the Trusted Root CA a Highlight the text in the Data to supply to CA area copy it and paste it i...

Страница 113: ...cate back from the Trusted Root CA and save it as a text file Note In the case of a Windows 2000 internal CA the CA administrator might simply email it to back to you Follow the procedures of your CA...

Страница 114: ...lf Certificates table 7 Associate the new certificate and the Trusted Root CA certificate on the FVS114 a Create a new IKE policy called Scenario_2 with all the same properties of Scenario_1 see Scena...

Страница 115: ...t file Note The procedure for obtaining a CRL differs from a CA like Verisign and a CA such as a Windows 2000 certificate server which an organization operates for providing certificates for its membe...

Страница 116: ...Reference Manual for the ProSafe VPN Firewall FVS114 6 28 Advanced Virtual Private Networking 202 10098 01 April 2005...

Страница 117: ...all These features can be found by clicking on the Maintenance heading in the main menu of the browser interface Viewing VPN Firewall Status Information The Router Status menu provides status and usag...

Страница 118: ...e Internet IP Subnet Mask The IP Subnet Mask being used by the Internet WAN port of the firewall DHCP The protocol on the WAN port used to obtain the WAN IP address This field can show DHCP Client Fix...

Страница 119: ...n Connection Time The length of time the firewall has been connected to your Internet service provider s network Connection Method The method used to obtain an IP address from your Internet service pr...

Страница 120: ...mitted on this interface since reset or manual clear RxPkts The number of packets received on this interface since reset or manual clear Collisions The number of collisions on this interface since res...

Страница 121: ...o force the firewall to look for attached devices click the Refresh button Upgrading the Firewall Software The routing software of the FVS114 VPN Firewall is stored in FLASH memory and can be upgraded...

Страница 122: ...ading a new page If the browser is interrupted it may corrupt the software When the upload is complete your firewall will automatically restart The upgrade process will typically take about one minute...

Страница 123: ...gful name at this time such as sanjose cfg Restoring the Configuration To restore your settings from a saved configuration file enter the full path to the file on your PC or click the Browse button to...

Страница 124: ...d NETGEAR recommends that you change this password to a more secure password From the main menu of the browser interface under the Maintenance heading select Set Password to bring up this menu Figure...

Страница 125: ...his will list all Routers between the source this device and the destination IP address The Trace Route results will be displayed in a new screen click Back to return to the Diagnostics screen Perform...

Страница 126: ...e 202 10098 01 April 2005 Note Rebooting will break any existing connections either to the Router such as this one or through the Router for example LAN users accessing the Internet However connection...

Страница 127: ...uter to respond to a ping from the internet Both of these options have security issues so use them carefully Figure 8 1 WAN Setup menu Connect Automatically as Required Normally this option should be...

Страница 128: ...need to reduce the MTU But this is rarely required and should not be done unless you are sure it is necessary for your ISP connection Port Speed In most cases your router can automatically determine...

Страница 129: ...ddress you will not know in advance what your IP address will be and the address can change frequently In this case you can use a commercial dynamic DNS service which will allow you to register your d...

Страница 130: ...chosen for the firewall 2 From the main menu of the browser interface under Advanced click on Dynamic DNS Figure 8 2 Dynamic DNS page 3 Access the Web site of one of the dynamic DNS service providers...

Страница 131: ...tup to view the menu shown below Figure 8 3 LAN IP Setup Menu Configuring LAN TCP IP Setup Parameters The firewall is shipped preconfigured to use private IP addresses on the LAN side and to act as a...

Страница 132: ...ng information with other firewalls The RIP Direction selection controls how the firewall sends and receives RIP packets Both is the default When set to Both or Out Only the firewall broadcasts its ro...

Страница 133: ...ear the Use router as DHCP server check box Otherwise leave it checked To specify the pool of IP addresses to be assigned set the Starting IP Address and Ending IP Address These addresses should be pa...

Страница 134: ...contacts the firewall s DHCP server Reboot the PC or access its IP configuration and force a DHCP release and renew To edit or delete a reserved address entry 1 Click the button next to the reserved...

Страница 135: ...or this static route in the Route Name box This is for identification purpose only 3 Select Private if you want to limit access to the LAN only The static route will not be reported in RIP 4 Select Ac...

Страница 136: ...ur local network for all 192 168 0 x addresses With this configuration if you attempt to access a device on the 134 177 0 0 network your firewall will forward your request to the ISP The ISP forwards...

Страница 137: ...select Everyone b To allow access from a range of IP addresses on the Internet select IP address range Enter a beginning and ending IP address to define the allowed range c To allow access from a sin...

Страница 138: ...your browser followed by a colon and the custom port number For example if your WAN IP address is 134 177 0 123 and you use port number 8080 type the following in your browser https 134 177 0 123 808...

Страница 139: ...ter durations will ensure that control points have current device status at the expense of additional network traffic Longer durations may compromise the freshness of the device status but can signifi...

Страница 140: ...Manual for the ProSafe VPN Firewall FVS114 8 14 Advanced Configuration 202 10098 01 April 2005 Click Refresh to update the portmap table and to show the active ports that are currently opened by UPnP...

Страница 141: ...e connected c The Internet port LED is lit If a port s LED is lit a link has been established to the connected device If a LAN port is connected to a 100 Mbps device verify that the port s LED is gree...

Страница 142: ...t Configuration and Password on page 9 7 If the error persists you might have a hardware problem and should contact technical support LAN or Internet Port LEDs Not On If either the LAN LEDs or Interne...

Страница 143: ...all and reboot your PC If your firewall s IP address has been changed and you don t know the current IP address clear the firewall s configuration to factory defaults This will set the firewall s IP a...

Страница 144: ...ain an IP address from the ISP you may need to force your cable or DSL modem to recognize your new firewall by performing the following procedure 1 Turn off power to the cable or DSL modem 2 Turn off...

Страница 145: ...not have the firewall configured as its TCP IP gateway If your PC obtains its information from the firewall by DHCP reboot the PC and verify the gateway address Troubleshooting a TCP IP Network Using...

Страница 146: ...IP address for your firewall and your workstation are correct and that the addresses are on the same subnet Testing the Path from Your PC to a Remote Device After verifying that the LAN path works co...

Страница 147: ...ion of the firewall see Erasing the Configuration on page 7 7 Use the Reset button on the rear panel of the firewall Use this method for cases when the administration password or IP address are not kn...

Страница 148: ...Reference Manual for the ProSafe VPN Firewall FVS114 9 8 Troubleshooting 202 10098 01 April 2005...

Страница 149: ...1 RIP 2 DHCP PPP over Ethernet PPPoE Power Adapter North America 120V 60 Hz input United Kingdom Australia 240V 50 Hz input Europe 230V 50 Hz input Japan 100V 50 60 Hz input All regions output 12 V D...

Страница 150: ...A 2 Technical Specifications 202 10098 01 April 2005 Electromagnetic Emissions Meets requirements of FCC Part 15 Class B VCCI Class B EN 55 022 CISPR 22 Class B Interface Specifications LAN 10BASE T...

Страница 151: ...edures for the Internet The documents are listed on the World Wide Web at www ietf org and are mirrored and indexed at many other sites worldwide Basic Router Concepts Large amounts of bandwidth can b...

Страница 152: ...col RIP Using RIP routers periodically update one another and check for changes to add to the routing table The FVS114 VPN Firewall supports both the older RIP 1 and the newer RIP 2 protocols Among ot...

Страница 153: ...ess type begins with a unique bit pattern which is used by the TCP IP software to identify the address class After the address class has been determined the software can correctly identify the host se...

Страница 154: ...range host address of all ones is not assigned but is used as the broadcast address for simultaneously sending a packet to all hosts with the same network address Netmask In each of the address class...

Страница 155: ...address into smaller multiple physical networks known as subnetworks Some of the node numbers are used as a subnet number instead A Class B address gives us 16 bits of node numbers translating to 64 0...

Страница 156: ...135 129 to 192 68 135 254 The following table lists the additional subnet mask bits in dotted decimal notation To use the table write down the original class netmask and replace the 0 value octets wit...

Страница 157: ...sts without problems However the IANA has reserved the following three blocks of IP addresses specifically for private networks 10 0 0 0 10 255 255 255 172 16 0 0 172 31 255 255 192 168 0 0 192 168 25...

Страница 158: ...al LAN IP addresses to a single address that is globally unique on the Internet The internal LAN IP addresses can be either private addresses or registered addresses For more information about IP addr...

Страница 159: ...o the ARP request All other stations discard the request Related Documents The station with the correct IP address responds with its own MAC address directly to the sending device The receiving statio...

Страница 160: ...a Dynamic Host Configuration Protocol DHCP server The DHCP server stores a list or pool of IP addresses along with other information such as gateway and DNS addresses that it may assign to the other d...

Страница 161: ...ewall to analyze groups of network connection states Using Stateful Packet Inspection an incoming packet is intercepted at the network layer and then analyzed for state related information associated...

Страница 162: ...egory 5 Only 0 5 inch 1 5 cm of untwist in the wire pair is allowed at any termination point A twisted pair Ethernet network operating at 10 Mbits second 10BASE T will often tolerate low quality cable...

Страница 163: ...omputers and workstation adapter cards are usually media dependent interface ports called MDI or uplink ports Most repeaters and switch ports are configured as media dependent interfaces with built in...

Страница 164: ...to as Media Dependant Interface Crossover MDI X When connecting a PC to a PC or a hub port to another hub port the transmit pair must be exchanged with the receive pair This exchange is done by one o...

Страница 165: ...port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection e g connecting to a PC or an uplink connection e g connecting to a router switch or hub...

Страница 166: ...Reference Manual for the ProSafe VPN Firewall FVS114 B 16 Network Routing and Firewall Basics 202 10098 01 April 2005...

Страница 167: ...e data flowing across the network is protected by encryption technologies Private networks lack data security so data attackers can tap directly into the network and read the data IPSec based VPNs use...

Страница 168: ...inexpensively installed on existing Internet connections What Is IPSec and How Does It Work IPSec is an Internet Engineering Task Force IETF standard suite of protocols that provides data authenticati...

Страница 169: ...eable identifier for each packet which is a data equivalent of a fingerprint This fingerprint allows the device to determine if a packet has been tampered with Furthermore packets that are not authent...

Страница 170: ...addition AH does not protect the data s confidentiality If data is intercepted and only AH is used the message contents can be read ESP protects data confidentiality For added protection in certain c...

Страница 171: ...he new IP packet contains the old IP header with the source and destination IP addresses unchanged and the processed packet payload Transport mode does not shield the information in the IP header ther...

Страница 172: ...The VPN Consortium has developed specific scenarios to aid system administrators in the often confusing process of connecting two different vendor implementations of the IPSec standard The case studi...

Страница 173: ...most cases each gateway will have a public facing address WAN side and a private facing address LAN side These addresses are referred to as the network interface in documentation regarding the constru...

Страница 174: ...nderstand how to open specific protocols ports and addresses that you intend to allow VPN Tunnel Between Gateways A Security Association SA frequently called a tunnel is the set of information that al...

Страница 175: ...below the most common method of accomplishing this process is via the Internet Key Exchange IKE protocol which automates some of the negotiation procedures Figure C 6 IPSec Security Association SA ne...

Страница 176: ...tion algorithms to use in the IPSec SAs b The master key is used to derive the IPSec keys for the SAs Once the SA keys are created and exchanged the IPSec SAs are ready to protect user data between th...

Страница 177: ...f IKE negotiation is working Common problems encountered in setting up VPNs include Parameters may be configured differently on Gateway A and Gateway B Two LANs set up with similar or overlapping addr...

Страница 178: ...November 1998 RFC 2407 D Piper The Internet IP Security Domain of Interpretation for ISAKMP November 1998 RFC 2474 K Nichols S Blake F Baker D Black Definition of the Differentiated Services Field DS...

Страница 179: ...the software components for establishing a TCP IP network Windows 3 1 does not include a TCP IP component You need to purchase a third party TCP IP application package such as NetManage Chameleon Maci...

Страница 180: ...firewall assigns the following TCP IP configuration information automatically when the PCs are rebooted PC or workstation IP addresses 192 168 0 2 through 192 168 0 254 Subnet mask 255 255 255 0 Gatew...

Страница 181: ...steps a Click the Add button b Select Adapter and then click Add c Select the manufacturer and model of your Ethernet adapter and then click OK If you need TCP IP a Click the Add button b Select Prot...

Страница 182: ...way to configure this information is to allow the PC to obtain the information from a DHCP server in the network You will find there are many similarities in the procedures for different Windows syst...

Страница 183: ...5 202 10098 01 April 2005 Verify the following settings as shown Client for Microsoft Network exists Ethernet adapter is present TCP IP is present Primary Network Logon is set to Windows logon Click...

Страница 184: ...d click Next 5 Uncheck all boxes in the LAN Internet Configuration screen and click Next 6 Proceed to the end of the Wizard Verifying TCP IP Properties After your PC is configured and has rebooted you...

Страница 185: ...r IP Networking As part of the PC preparation process you may need to install and configure TCP IP on each networked PC Before starting locate your Windows CD you may need to insert it during the TCP...

Страница 186: ...ill walk you through the configuration process for each of these versions of Windows DHCP Configuration of TCP IP in Windows XP Locate your Network Neighborhood icon Select Control Panel from the Wind...

Страница 187: ...atus window This box displays the connection status duration speed and activity statistics Administrator logon access rights are needed to use this window Click the Properties button to view details a...

Страница 188: ...default and set to DHCP without your having to configure it However if there are problems follow these steps to configure TCP IP with DHCP for Windows 2000 Verify that the Obtain an IP address automat...

Страница 189: ...l up Connections Right click on Local Area Connection and select Properties The Local Area Connection Properties dialog box appears Verify that you have the correct Ethernet card selected in the Conne...

Страница 190: ...Internet Protocol TCP IP Properties dialogue box Verify that Obtain an IP address automatically is selected Obtain DNS server address automatically is selected Click OK to return to Local Area Connect...

Страница 191: ...network card you need to configure the TCP IP environment for Windows NT 4 0 Follow this procedure to configure TCP IP with DHCP in Windows NT 4 0 Choose Settings from the Start Menu and then select C...

Страница 192: ...Reference Manual for the ProSafe VPN Firewall FVS114 D 14 Preparing Your Network 202 10098 01 April 2005 Highlight the TCP IP Protocol in the Network Protocols box and click on the Properties button...

Страница 193: ...figuration information will be listed and should match the values below if you are using the default TCP IP settings that NETGEAR recommends for connecting through a router or gateway The IP address i...

Страница 194: ...n each networked Macintosh you will need to configure TCP IP to use DHCP MacOS 8 6 or 9 x 1 From the Apple menu select Control Panels then TCP IP The TCP IP Control Panel opens 2 From the Connect via...

Страница 195: ...k the TCP IP configuration by returning to the TCP IP Control Panel From the Apple menu select Control Panels then TCP IP The panel is updated to show your settings which should match the values below...

Страница 196: ...ternet port is connected to the broadband modem the firewall appears to be a single PC to the ISP The firewall then allows the PCs on the local network to masquerade as the single PC to access the Int...

Страница 197: ...These procedures are described next Obtaining ISP Configuration Information for Windows Computers As mentioned above you may need to collect configuration information from your PC so that you can use...

Страница 198: ...r Macintosh so that you can use this information when you configure the FVS114 VPN Firewall Following this procedure is only necessary when your ISP does not dynamically supply the account information...

Страница 199: ...rk with the firewall you must reset the network for the devices to be able to communicate correctly Restart any computer that is connected to the FVS114 VPN Firewall After configuring all of your comp...

Страница 200: ...Reference Manual for the ProSafe VPN Firewall FVS114 D 22 Preparing Your Network 202 10098 01 April 2005...

Страница 201: ...ption keys 802 1x uses a protocol called EAP Extensible Authentication Protocol and supports multiple authentication methods such as token cards Kerberos one time passwords certificates and public key...

Страница 202: ...es the algorithm to behave slightly differently so the increasing key sizes not only offer a larger number of bits with which you can scramble the data but also increase the complexity of the cipher a...

Страница 203: ...in four twisted pairs and terminated with an RJ45 type connector In addition there are restrictions on maximum cable length for both 10 and 100 Mbits second networks Certificate Authority A Certificat...

Страница 204: ...ber of predefined top level suffixes such as com edu uk etc For example in the address mail NETGEAR com mail is a server name and NETGEAR com is the domain DSL Short for digital subscriber line but is...

Страница 205: ...t Control Message Protocol ICMP is an extension to the Internet Protocol IP that supports packets containing error control and informational messages The PING command for example uses ICMP to test an...

Страница 206: ...er The most widely used version of IP today is IP version 4 IPv4 However IP version 6 IPv6 is also beginning to be supported IPv6 provides for much longer addresses and therefore for the possibility o...

Страница 207: ...nterface card Usually written in the form 01 23 45 67 89 ab Maximum Receive Unit The size in bytes of the largest packet that can be sent or received Maximum Transmit Unit The size in bytes of the lar...

Страница 208: ...on connection by simulating a dial up connection PPP over Ethernet PPPoE PPP over Ethernet is a protocol for connecting remote hosts to the Internet over an always on connection by simulating a dial u...

Страница 209: ...documents published by the Internet Engineering Task Force IETF proposing standard protocols and procedures for the Internet RFCs can be found at www ietf org router A device that forwards data betwe...

Страница 210: ...the Internet from behind a firewall The proxy server listens for requests from clients within the firewall and forwards these requests to remote Internet servers outside the firewall The proxy server...

Страница 211: ...Reference Manual for the ProSafe VPN Firewall FVS114 Glossary 11 202 10098 01 April 2005...

Страница 212: ...Reference Manual for the ProSafe VPN Firewall FVS114 12 Glossary 202 10098 01 April 2005...

Отзывы:

Нет отзывов

Похожие инструкции для FVS114NA

Бренд: Watchguard Страницы: 2

Бренд: Watchguard Страницы: 11

Бренд: Lightning SA Страницы: 172

Бренд: ZyXEL Communications Страницы: 2

Бренд: ZyXEL Communications Страницы: 394

Бренд: Fortinet Страницы: 374

Бренд: Nexcom Страницы: 71

Бренд: Bitdefender Страницы: 13

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды