
BSR252

Business Secure Router

Document Number: 

NN47923-500

Document Version:

 1.1

Date: 

March 2007

Nortel Business Secure Router 252 Configuration — 
Basics

Contents: BSR252


Page 2: ...o be accurate and reliable, but are presented without express or implied warranty. The information in this document is proprietary to Nortel. Trademarks: Nortel, the Nortel Logo, the Globemark, and "This is the way. This is Nortel (Design mark)" are trademarks of Nortel. Microsoft, MS, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. All other trademarks and registered trademarks are ...

Page 3: ...ialist by using an Express Routing Code 32 Getting Help through a Nortel distributor or reseller 32 Chapter 1 Getting to know your Business Secure Router 33 Introducing the Business Secure Router 33 Features 34 Physical features 34 High-speed Internet access 34 ADSL standards 34 Networking compatibility 35 Multiplexing 35 Encapsulation 35 Four-Port switch 35 Autonegotiating 10/100 Mb/s Ethernet LA...

Page 4: ...lias 39 Central Network Management 39 SNMP 39 Network Address Translation (NAT) 40 Traffic Redirect 40 Port Forwarding 40 DHCP (Dynamic Host Configuration Protocol) 40 Full network management 40 Logging and tracing 41 Upgrade Business Secure Router Firmware 41 Embedded FTP and TFTP Servers 41 Applications for the Business Secure Router 41 Secure broadband internet access and VPN 41 Hardware Setup 42 C...

Page 5: ...ultiplexing 55 VPI and VCI 55 Wizard setup configuration: first screen 55 IP address and subnet mask 57 IP address assignment 57 IP assignment with PPPoA or PPPoE encapsulation 58 IP assignment with RFC 1483 encapsulation 58 IP assignment with ENET ENCAP encapsulation 58 Private IP addresses 58 Nailed-up connection (only with PPP) 59 NAT 59 Wizard setup configuration: second screen 59 DHCP setup 65 IP...

Page 6: ...VPN Server (Client Emulation) 77 Allowing remote management of a LAN-connected BCM50 77 Setting up the router for guest access 78 Preventing heavy data traffic from impacting telephone calls 79 Setting Up a Remote Office with a UNIStim IP Telephone 79 Interoperability With Third-Party Routers 80 VPN Connections With Cisco Routers 80 Chapter 5 System screens 81 System overview 81 DNS overview 81 Pri...

Page 7: ...ing IP Alias 105 Chapter 7 WAN screens 107 WAN overview 107 TCP/IP Priority (metric) 107 Configuring Route 108 PPPoE encapsulation 109 Configuring WAN ISP 110 Configuring WAN IP 113 Traffic redirect 117 Configuring Traffic Redirect 118 Configuring Dial Backup 119 Advanced Modem Setup 124 AT Command Strings 124 DTR Signal 124 Response Strings 124 Configuring Advanced Modem Setup 125 Chapter 8 Network...

Page 8: ... Mapping 139 Trigger Port Forwarding 143 Trigger Port Forwarding example 143 Two points to remember about Trigger Ports 144 Configuring Trigger Port Forwarding 145 Chapter 9 Static Route screens 147 Static Route overview 147 Configuring IP Static Route 148 Configuring Route entry 150 Chapter 10 Firewalls 153 Firewall overview 153 Types of firewalls 153 Packet-filtering firewalls 154 Application le...

Page 9: ...ng 167 Firewall 167 When to use the firewall 167 Chapter 11 Firewall screens 169 Access methods 169 Firewall policies overview 169 Rule logic overview 171 Rule checklist 171 Security ramifications 171 Key fields for configuring rules 172 Action 172 Service 172 Source address 172 Destination address 172 Connection direction examples 172 LAN-to-WAN rules 173 WAN-to-LAN rules 173 Configuring firewall...

Page 10: ...PN 199 VPN 199 IPSec 199 Business Secure Router VPN functions 199 VPN screens overview 200 Other terminology 201 Encryption 201 Data confidentiality 202 Data integrity 202 Data origin authentication 202 VPN applications 202 IPSec architecture 202 IPSec algorithms 203 AH (Authentication Header) protocol 204 ESP (Encapsulating Security Payload) protocol 204 Key management 205 Encapsulation 206 Transport...

Page 11: ...ng an IP Policy 230 Port forwarding server 236 Configuring a port forwarding server 236 IKE phases 238 Negotiation Mode 240 Preshared key 240 Diffie-Hellman (DH) Key Groups 241 Perfect Forward Secrecy (PFS) 241 Configuring advanced Branch office setup 241 SA Monitor 245 Global settings 247 VPN Client Termination 248 VPN Client Termination IP pool summary 252 VPN Client Termination IP pool edit 254 VPN...

Page 12: ...e details 290 Directory servers 294 Add or edit a directory server 295 Chapter 15 Bandwidth management 299 Bandwidth management overview 299 Bandwidth classes and filters 300 Proportional bandwidth allocation 300 Application-based bandwidth management 300 Subnet-based bandwidth management 300 Application- and subnet-based bandwidth management 301 Reserving bandwidth for non-bandwidth-class traffic 3...

Page 13: ...e management overview 329 Remote management limitations 329 Remote management and NAT 330 System timeout 330 Introduction to HTTPS 331 Configuring WWW 332 HTTPS example 334 Internet Explorer warning messages 335 Netscape Navigator warning messages 335 Avoiding the browser warning messages 337 Logon screen 338 SSH overview 343 How SSH works 344 SSH implementation on the Business Secure Router 345 R...

Page 14: ...th UPnP 362 UPnP implementation 362 Configuring UPnP 362 Displaying UPnP port mapping 364 Installing UPnP in Windows example 365 Installing UPnP in Windows Me 365 Installing UPnP in Windows XP 366 Using UPnP in Windows XP example 368 Autodiscover Your UPnP-enabled Network Device 368 WebGUI easy access 371 Chapter 20 Logs Screens 373 Configuring View Log 373 Configuring Log settings 375 Configuring...

Page 15: ...iguration screen 405 Back to Factory Defaults 405 Backup configuration 406 Restore configuration 407 Restart screen 408 Appendix A Troubleshooting 411 Problems Starting Up the Business Secure Router 411 Problems with the LAN LED 412 Problems with the LAN interface 412 Problems with the WAN interface 413 Problems with Internet access 413 Problems accessing an Internet Web site 414 Problems with the...

Page 16: ...2 Netscape Pop-up Blockers 423 Allowing Pop-ups 424 Enable Pop-up Blockers with Exceptions 425 Netscape Java Permissions and JavaScript 427 Appendix B Log Descriptions 431 VPN IPSec Logs 440 VPN Responder IPSec Log 441 Log Commands 450 Configuring what you want the Business Secure Router to log 450 Displaying Logs 451 Log Command Example 452 Index 453 ...

Page 17: ...et connection with RFC 1483 61 Figure 11 Internet connection with ENET ENCAP 62 Figure 12 Internet connection with PPPoE 63 Figure 13 Wizard Screen 3 66 Figure 14 Wizard LAN configuration 67 Figure 15 Wizard Screen 4 69 Figure 16 Private DNS server example 82 Figure 17 System general setup 83 Figure 18 DDNS 86 Figure 19 Password 88 Figure 20 Time and Date 91 Figure 21 ALG 94 Figure 22 LAN IP 100 F...

Page 18: ...ess Secure Router firewall application 156 Figure 46 Three-way handshake 158 Figure 47 SYN flood 159 Figure 48 Smurf attack 160 Figure 49 Stateful inspection 162 Figure 50 LAN-to-WAN traffic 173 Figure 51 WAN-to-LAN traffic 174 Figure 52 Enabling the firewall 176 Figure 53 Creating and editing a firewall rule 179 Figure 54 Adding or editing source and destination addresses 181 Figure 55 Creating o...

Page 19: ... VPN Client Termination 249 Figure 79 VPN Client Termination IP pool summary 253 Figure 80 VPN Client Termination IP pool edit 254 Figure 81 VPN Client Termination advanced 256 Figure 82 Certificate configuration overview 263 Figure 83 My Certificates 264 Figure 84 My Certificate Import 268 Figure 85 My Certificate create 270 Figure 86 My Certificate details 274 Figure 87 Trusted CAs 278 Figure 88...

Page 20: ...cape 336 Figure 114 Security Certificate 2 (Netscape) 337 Figure 115 Logon screen (Internet Explorer) 339 Figure 116 Login screen (Netscape) 340 Figure 117 Replace certificate 341 Figure 118 Device-specific certificate 342 Figure 119 Common Business Secure Router certificate 343 Figure 120 SSH Communication Example 344 Figure 121 How SSH Works 344 Figure 122 SSH 346 Figure 123 SSH Example 1: Store Host K...

Page 21: ...8 My Network Places: Local network 372 Figure 149 View Log 374 Figure 150 Log settings 376 Figure 151 Reports 379 Figure 152 Web site hits report example 381 Figure 153 Protocol/Port report example 382 Figure 154 LAN IP address report example 384 Figure 155 Call schedule summary 388 Figure 156 Call schedule edit 389 Figure 157 Applying Schedule Sets to a remote node 392 Figure 158 System Status 396...

Page 22: ...re 176 Security Settings: Java Scripting 421 Figure 177 Security Settings: Java 422 Figure 178 Java (Sun) 423 Figure 179 Allow Pop-ups from this site 424 Figure 180 Netscape Search Toolbar 424 Figure 181 Pop-up Windows 425 Figure 182 Pop-up Windows 426 Figure 183 Allowed Sites 427 Figure 184 Advanced 428 Figure 185 Scripts and Plug-ins 429 Figure 186 Example VPN Initiator IPSec Log 441 Figure 187 Example VPN...

Page 23: ...l setup 83 Table 9 DDNS 86 Table 10 Password 88 Table 11 Default Time Servers 90 Table 12 Time and Date 92 Table 13 ALG 95 Table 14 LAN IP 101 Table 15 Static DHCP 104 Table 16 IP Alias 106 Table 17 WAN Route 109 Table 18 WAN ISP 112 Table 19 WAN IP 115 Table 20 Traffic Redirect 119 Table 21 Dial Backup Setup 121 Table 22 Advanced Setup 126 Table 23 NAT definitions 130 Table 24 NAT mapping typ...

Page 24: ... 46 VPN and NAT 208 Table 47 Summary 211 Table 48 VPN Contivity Client rule setup 215 Table 49 VPN Contivity Client advanced rule setup 217 Table 50 Local ID type and content fields 219 Table 51 Peer ID type and content fields 219 Table 52 Matching ID type and content configuration example 220 Table 53 Mismatching ID type and content configuration example 220 Table 54 VPN Branch Office rule setup ...

Page 25: ...h Management Example 301 Table 77 Bandwidth Manager Summary 302 Table 78 Bandwidth Manager Class Setup 304 Table 79 Bandwidth Manager Edit class 306 Table 80 Services and port numbers 308 Table 81 Bandwidth management statistics 309 Table 82 Bandwidth manager monitor 310 Table 83 802.1X 314 Table 84 Local User database 318 Table 85 Local User database edit 321 Table 86 Current split networks 323 T...

Page 26: ...eshooting the LAN LED 412 Table 116 Troubleshooting the LAN interface 412 Table 117 Troubleshooting the WAN Interface 413 Table 118 Troubleshooting Internet access 413 Table 119 Troubleshooting Web Site Internet Access 414 Table 120 Troubleshooting the password 414 Table 121 Troubleshooting the WebGUI 415 Table 122 Troubleshooting Remote Management 415 Table 123 System Error Logs 431 Table 124 Sys...

Page 27: ...Table 135 PKI Logs 446 Table 136 Certificate Path Verification Failure Reason Codes 448 Table 137 IEEE 802.1X Logs 449 Table 138 Log categories and available settings 450 ...


Page 29: ...he following text conventions. Note: This guide explains how to use the WebGUI to configure your Business Secure Router. See Nortel Business Secure Router 252 Configuration Advanced (NN47923-501) for how to use the System Management Terminal (SMT) or the command interpreter interface to configure your Business Secure Router. Not all features can be configured through all interfaces. "Enter" means type one or...

Page 30: ...d release notes free directly from the Internet. Go to www.nortel.com/documentation. Find the product for which you need documentation. Then locate the specific category and model or version for your hardware or software product. Use Adobe Reader to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to the Adobe Systems Web site at www.adobe...

Page 31: ...oftware documentation and product bulletins; search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues; sign up for automatic notification of new software and documentation for Nortel equipment; open and manage technical support cases. Getting Help over the phone from a Nortel Solutions Center: If you don't find the information you require on the Nortel Technic...

Page 32: ...RC to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to www.nortel.com/erc. Getting Help through a Nortel distributor or reseller: If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller. ...

Page 33: ... a high-speed Asymmetrical Digital Subscriber Line Plus (ADSL2+) port into a single package. The Business Secure Router is ideal for high-speed Internet browsing and making LAN-to-LAN connections to remote networks. By integrating Digital Subscriber Line (DSL) and Network Address Translation (NAT), the Business Secure Router provides easy installation and Internet access. By integrating firewall and Virtual ...

Page 34: ...of the International Telecommunications Union: G.992.1; ADSL2 (G.dmt.bis, G.992.3); ADSL2+ (G.992.5). Table 1 Feature specifications (Feature: Specification): Number of static routes: 12; Number of NAT sessions: 4096; Number of SUA (Single User Account) servers: 12; Number of address mapping rules: 10; Maximum number of VPN IP Policies: 60; Maximum number of VPN Tunnels (Client and/or Branch Office): 10; Maximum number of conc...

Page 35: ...t I.610 F4/F5 OAM. Networking compatibility: Your Business Secure Router is compatible with the major ADSL Digital Subscriber Line Access Multiplexer (DSLAM) providers, making configuration as simple as possible. Multiplexing: The Business Secure Router supports VC-based and LLC-based multiplexing. Encapsulation: The Business Secure Router supports PPPoA (RFC 2364, PPP over ATM Adaptation Layer 5), RFC 1483 en...

Page 36: ... can get the current time and date from an external server when you turn on your Business Secure Router. You can also set the time manually. Reset button: The Business Secure Router reset button is built into the rear panel. Use this button to restart the Business Secure Router or to restore the factory defaults: the password to its default (PlsChgMe, as stated in the reset procedure on page 48), the IP address to 192.168.1.1, the subnet mask to 255.255.255.0, and the DHCP server enabl...

Page 37: ...tocol over Secure Socket Layer, or HTTP over SSL, is a web protocol that encrypts and decrypts web sessions. Use HTTPS for secure WebGUI access to the Business Secure Router. IEEE 802.1x for network security: The Business Secure Router supports the IEEE 802.1x standard for user authentication. With the local user profile in the Business Secure Router, you can configure up to 32 user profiles without a ne...

Page 38: ...Router can block specific URLs by using the keyword feature. The administrator can also define time periods and days during which content filtering is enabled. Packet filtering: The packet filtering mechanism blocks unwanted traffic from entering or leaving your network. Universal Plug and Play (UPnP): Using the standard TCP/IP protocol, the Business Secure Router and other UPnP-enabled devices can dynami...

Page 39: ... Ethernet interface. The Business Secure Router supports three logical LAN interfaces through its single physical Ethernet LAN interface, with the Business Secure Router itself as the gateway for each LAN network. Central Network Management: With Central Network Management (CNM), an enterprise or service provider network administrator can manage your Business Secure Router. The enterprise or service provi...

Page 40: ...tocol: With DHCP (Dynamic Host Configuration Protocol), individual client computers can obtain the TCP/IP configuration at start-up from a centralized DHCP server. The Business Secure Router has built-in DHCP server capability, enabled by default, which means it can assign IP addresses, an IP default gateway and DNS servers to all systems that support the DHCP client. The Business Secure Router can also ac...

Page 41: ... The embedded FTP and TFTP servers enable fast firmware upgrades as well as configuration file backups and restoration. Applications for the Business Secure Router. Secure broadband internet access and VPN: The Business Secure Router provides broadband Internet access through ADSL. The Business Secure Router also provides IP address sharing and a firewall-protected local network with traffic managemen...

Page 42: ...ess Secure Router, continue with the rest of this guide for configuration instructions. Note: To keep the Business Secure Router operating at optimal internal temperature, keep the bottom, sides and rear clear of obstructions and away from the exhaust of other equipment. Caution: Electrostatic Discharge can disrupt the router. Use appropriate handling precautions to avoid ESD. Avoid touching the connector...

Page 43: ...Note: Please use only No. 26 AWG (American Wire Gauge) or larger telecommunication line cord. ...


Page 45: ... resolution is 1,024 by 768 pixels. In order to use the WebGUI, you need to allow: Web browser pop-up windows from your device (Web pop-up blocking is enabled by default in Windows XP SP2, Service Pack 2); JavaScript (enabled by default); Java permissions (enabled by default). See Allowing Pop-up Windows, JavaScript and Java Permissions on page 416 if you want to make sure these functions are allowed in Interne...

Page 46: ...lt) and the password (PlsChgMe is the default), and click Login. Click Reset to clear any information you have entered in the Username and Password fields. Figure 2 Login screen. 4. A screen asking you to change your password (highly recommended) appears and is shown in Figure 3. Type a new password, retype it to confirm, and click Apply; or click Ignore. ...

Page 47: ...Figure 3 Change password screen. 5. Click Apply in the Replace Certificate screen to create a certificate, using your Business Secure Router MAC address, that is specific to this device. Figure 4 Replace certificate screen. ...

Page 48: ...ith 8 data bits, no parity, one stop bit, and flow control set to none. The password will be reset to PlsChgMe also. Procedure to use the reset button: Press the rear-panel RESET button for longer than three seconds to return the Business Secure Router to the factory defaults. 6. Reset Button on the Router: Press the RESET button for longer than three seconds to return the Business Secure Router to...

Page 49: ...tivating Xmodem upload on your terminal. Figure 5 is an example of an Xmodem configuration upload using HyperTerminal. 6. Click Transfer, then Send File, to display the screen illustrated in Figure 5. Figure 5 Example Xmodem Upload. 7. After the firmware uploads successfully, enter atgo to restart the router. Navigating the Business Secure Router WebGUI: Follow the instructions in the MAIN MENU screen or cli...

Page 50: ...Figure 6 MAIN MENU Screen. Click the Contact link to display the customer support contact information. Figure 7 is a sample of what displays. ...

Page 51: ...Figure 7 Contact Support ...


Page 53: ...u do not have the required information. Encapsulation: Be sure to use the encapsulation method required by your ISP. The Business Secure Router supports the following methods. ENET ENCAP: The MAC Encapsulated Routing Link Protocol (ENET ENCAP) is only implemented with the IP network protocol. IP packets are routed between the Ethernet interface and the WAN interface and then formatted so that they can be ...

Page 54: ... functions like a dial-up Internet connection. The Business Secure Router encapsulates the PPP session based on RFC 1483 and sends it through an ATM PVC (Permanent Virtual Circuit) to the Internet Service Provider (ISP) DSLAM (Digital Subscriber Line Access Multiplexer). For more information about PPPoA, refer to RFC 2364. For more information about PPP, refer to RFC 1661. RFC 1483: RFC 1483 describes two meth...

Page 55: ...ng information being contained in each packet header. Despite the extra bandwidth and processing overhead, this method can be advantageous if it is not practical to have a separate VC for each carried protocol, for example if charging heavily depends on the number of simultaneous VCs. VPI and VCI: Be sure to use the correct Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) numbers assigned...

Page 56: ...If you select Bridge in the Mode field, select either PPPoA or RFC 1483. If you select Routing in the Mode field, select PPPoA, RFC 1483, ENET ENCAP or PPPoE. Multiplex: Select the multiplexing method used by your ISP from the Multiplex drop-down list box, either VC-based or LLC-based. Virtual Circuit ID: VPI (Virtual Path Identifier) and VCI (Virtual Channel Identifier) define a virtual circuit. VPI: Enter the V...

Page 57: ...ch covers 254 individual addresses, from 192.168.1.1 to 192.168.1.254 (0 and 255 are reserved). In other words, the first three numbers specify the network number, while the last number identifies an individual computer on that network. After you select the network number, pick an IP address that is easy to remember, for instance 192.168.1.1, for your Business Secure Router. Make sure that no other device on...

Page 58: ...r a static IP, you must fill in all the IP Address and ENET ENCAP Gateway fields as supplied by your ISP. However, for a dynamic IP, the Business Secure Router acts as a DHCP client on the WAN, and so the IP Address and ENET ENCAP Gateway fields are not applicable (N/A), as the DHCP server assigns them to the Business Secure Router. Private IP addresses: Every machine on the Internet must have a unique addr...

Page 59: ...d whenever the connection is down. A nailed-up connection can be expensive if you are billed by your Internet connection usage time. Do not specify a nailed-up connection unless your telephone company offers flat-rate service, or you need a constant connection and the cost is of no concern. NAT: Network Address Translation (NAT) is the translation of the IP address of a host in a packet. For example, the s...

Page 60: ...s. This option is available if you select Routing in the Mode field. A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet. The Single User Account feature can be used with either a dynamic or static IP address. Click Obtain an IP Address Automatically if you have a dynamic IP address; otherw...

Page 61: ...er tries to bring up the connection automatically if it is disconnected. The schedule rules in SMT menu 26 have priority over your Connection settings. Network Address Translation: This option is available if you select Routing in the Mode field. Select None, SUA Only or Full Feature from the drop-down list box. For more details, see Chapter 8, Network Address Translation (NAT) Screens, on page 129. Back: Click...

Page 62: ...s. A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet. The Single User Account feature can be used with either a dynamic or static IP address. Select Obtain an IP Address Automatically if you have a dynamic IP address; otherwise, select Static IP Address and type your ISP-assigned IP addre...

Page 63: ...NET ENCAP in the Encapsulation field in the previous screen. Network Address Translation: Select None, SUA Only or Full Feature from the drop-down list box. For more details, see Chapter 8, Network Address Translation (NAT) Screens, on page 129. Back: Click Back to go back to the first wizard screen. Next: Click Next to continue to the next wizard screen. Table 5 Internet connection with ENET ENCAP (continued): La...

Page 64: ... you have a dynamic IP address; otherwise, select Static IP Address and type your ISP-assigned IP address in the IP Address text box below. Connection: Select Connect on Demand if you do not want the connection up all the time, and specify an idle time-out in seconds in the Max Idle Timeout field. The default setting selects Connection on Demand with 0 as the idle time-out, which means the Internet sessi...

Page 65: ...u turn DHCP service off, you must have another DHCP server on your LAN, or else the computer must be manually configured. DHCP: Dynamic Host Configuration Protocol (RFC 2131 and RFC 2132). IP pool setup: The Business Secure Router is preconfigured with a pool of IP addresses for the client machines. Wizard setup configuration: third screen. 1. Verify the settings in the following screen. To change the LAN info...

Page 66: ...izard Screen 3. 2. To change your Business Secure Router LAN settings, click Change LAN Configuration to display the following screen. Note: If you change the Business Secure Router LAN IP address, you must use the new IP address to access the WebGUI again. ...

Page 67: ...nfiguration. Table 7 describes the fields in Figure 14. Table 7 Wizard LAN configuration (Label: Description). LAN IP Address: Enter the IP address of your Business Secure Router in dotted-decimal notation, for example 192.168.1.1 (factory default). LAN Subnet Mask: Enter a subnet mask in dotted-decimal notation. DHCP: ...

Page 68: ...nd DNS Server, Third DNS Server: Select Obtained From ISP if your ISP dynamically assigns DNS server information and the Business Secure Router WAN IP address. The field to the right displays the (read-only) DNS server IP address that the ISP assigns. Select UserDefined if you have the IP address of a DNS server. Enter the DNS server IP address in the field to the right. Select DNS Relay to have the Busin...

Page 69: ...nnected LAN devices, click Start Diagnose. Otherwise, click Finish to go back to the site map screen. Figure 15 Wizard Screen 4. Test your Internet connection: Launch your Web browser and navigate to www.nortel.com. Internet access is just the beginning. For more detailed information on the complete range of features for the Business Secure Router, see the rest of this guide. If you cannot access the Intern...


Page 71: ...he rules can be deleted. 2. Response to Invalid User ID or Password: When the wrong user ID or password is entered into the router login screen, no error message is displayed. Instead, the login screen is simply displayed again. 3. First DHCP Address Reserved for BCM50: The first address of the DHCP Address Pool is reserved for a BCM50 in the subnet and will not be assigned to any other equipment. Once assi...

Page 72: ... higher than the first. If this type of address range is entered, the range is ignored. 2. Automatic Firewall Programming: Configurations to various areas of the router, such as remote management or adding a SUA Server, do not automatically add the appropriate rules to the Firewall to enable the traffic to pass through the router. These need to be added separately. Note: Firewall rules do not apply to IPSec...

Page 73: ...or a VPN Client user cannot contain the single or double quote characters. 4. IP Pool Address Overlap: When defining multiple VPN Client Termination IP pools, the router uses the IP subnet mask, and not the pool size, to determine if the pools are overlapping. The subnet mask of each pool should be appropriate for the size of the VPN Client Termination IP pool. 5. VPN Client Termination Failure In Specific...
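Worked example for the subnet arithmetic on page 57 and the pool-overlap caveat in item 4 above. This is an added example, not code from the Nortel manual: the pool definitions are constructed, and the Pool field names are an assumption about how an administrator would write down what the WebGUI asks for (start address, size, subnet mask). It shows why two pools whose handed-out ranges never touch are still rejected when both sit in the same mask-derived subnet, and flags a pool whose mask is too small for its size.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Pool:
    """One VPN Client Termination IP pool (field names assumed for this example)."""
    name: str
    start: str      # first address handed out to a VPN client
    size: int       # number of addresses in the pool
    netmask: str    # dotted-decimal subnet mask configured with the pool

    def subnet(self) -> ipaddress.IPv4Network:
        # The router derives a subnet from start address + mask; this, not the
        # pool size, is what it compares when looking for overlapping pools.
        return ipaddress.IPv4Network((self.start, self.netmask), strict=False)

    def first_last(self):
        first = ipaddress.IPv4Address(self.start)
        return first, first + (self.size - 1)


def describe_subnet(address: str, netmask: str):
    """Network number, usable host range and host count for address/mask.
    For 192.168.1.x/255.255.255.0 this is .0, .1, .254 and 254 hosts."""
    net = ipaddress.IPv4Network((address, netmask), strict=False)
    first_host = net.network_address + 1
    last_host = net.broadcast_address - 1
    usable = net.num_addresses - 2   # network and broadcast addresses are reserved
    return str(net.network_address), str(first_host), str(last_host), usable


def mask_fits_pool(pool: Pool) -> bool:
    """True when every address the pool hands out is a usable host address
    inside the subnet its mask describes."""
    net = pool.subnet()
    first, last = pool.first_last()
    return (first in net and last in net
            and first != net.network_address
            and last != net.broadcast_address)


def subnets_overlap(pools):
    """Pairs the router rejects: their mask-derived subnets overlap, even if
    the address ranges actually handed out do not."""
    return [(a.name, b.name) for a, b in combinations(pools, 2)
            if a.subnet().overlaps(b.subnet())]


def ranges_overlap(pools):
    """Pairs whose handed-out address ranges really collide."""
    hits = []
    for a, b in combinations(pools, 2):
        a1, a2 = a.first_last()
        b1, b2 = b.first_last()
        if a1 <= b2 and b1 <= a2:
            hits.append((a.name, b.name))
    return hits


# Constructed pool definitions for the example (not real configuration).
POOLS = [
    Pool("sales",   "192.168.50.1",   20,  "255.255.255.0"),    # 192.168.50.0/24
    Pool("support", "192.168.50.100", 20,  "255.255.255.0"),    # same /24: router rejects it
    Pool("eng",     "192.168.60.1",   100, "255.255.255.128"),  # /25 holds .1 to .126: fine
    Pool("guests",  "192.168.70.200", 100, "255.255.255.0"),    # runs past .255: mask too small
]

if __name__ == "__main__":
    print(describe_subnet("192.168.1.1", "255.255.255.0"))
    for p in POOLS:
        print(p.name, p.subnet(), "mask fits pool:", mask_fits_pool(p))
    print("router sees overlap:", subnets_overlap(POOLS))
    print("ranges really collide:", ranges_overlap(POOLS))
```

The fix for the "sales"/"support" pair is the one the manual implies: give each pool a mask that matches its size (for 20 addresses a /27 is enough), so the mask-derived subnets no longer coincide.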

Page 74: ...hanges, Apply must then be clicked on the VPN Client Termination main page. Security: 1. Exporting or Saving Self-Signed Certificate: To export or save a self-signed certificate, click details (the icon that looks like a paper note), then click Export, or copy the PEM text into the clipboard and paste into a file. Routing: 1. RIP Version Advertisement Control: To change the version of generated RIP advertisemen...

Page 75: ...IREWALL, add a WAN-to-LAN rule. c. If the service is not in the list of available services, add it as a Custom Port. d. Add the rule, selecting the service and entering the server IP address as the destination IP address. Connecting two sites to establish a virtual private network: The recommended method to do this is through a branch-to-branch IPSec tunnel. 1. In VPN Summary, add a new tunnel by editing an u...
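Added example for the port-forwarding steps b to d above and the "Automatic Firewall Programming" note on page 72 (a SUA server entry does not create its own firewall rule). This is not code from the Nortel manual; it is a small configuration audit that takes the forwards and the WAN-to-LAN rules an administrator has written down and reports every forward that has no permit rule or is caught by a block rule first. The rule field names follow the manual's Action, Service and Destination address; the CIDR notation, the top-down first-match evaluation and the set of named services are assumptions of the example, and the configuration data is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed subset of the services the WebGUI offers by name; anything
# else has to be entered as a Custom Port (step c above).
KNOWN_SERVICES = {
    ("tcp", 80): "HTTP",
    ("tcp", 443): "HTTPS",
    ("tcp", 21): "FTP",
    ("tcp", 22): "SSH",
}


@dataclass(frozen=True)
class Forward:
    """A port-forwarding (SUA server) entry: WAN port -> internal server."""
    protocol: str
    port: int
    server_ip: str


@dataclass(frozen=True)
class Rule:
    """A WAN-to-LAN firewall rule. Forwarded traffic comes from arbitrary WAN
    hosts, so the audit only looks at action, service and destination."""
    action: str             # "permit" or "block"
    protocol: str           # "tcp", "udp" or "any"
    ports: Tuple[int, int]  # inclusive port range of the service
    destination: str        # CIDR (assumed notation); a /32 for one server


def rule_matches(rule: Rule, fwd: Forward) -> bool:
    if rule.protocol not in ("any", fwd.protocol):
        return False
    low, high = rule.ports
    if not low <= fwd.port <= high:
        return False
    return ipaddress.ip_address(fwd.server_ip) in ipaddress.ip_network(rule.destination)


def first_match(rules: List[Rule], fwd: Forward) -> Optional[Rule]:
    """First rule, top down, that covers the forwarded traffic (assumed order)."""
    for rule in rules:
        if rule_matches(rule, fwd):
            return rule
    return None


def service_label(fwd: Forward) -> str:
    name = KNOWN_SERVICES.get((fwd.protocol, fwd.port))
    return name or f"Custom Port {fwd.protocol}/{fwd.port}"


def audit(forwards: List[Forward], rules: List[Rule]) -> List[Tuple[Forward, str]]:
    """Forwards the firewall will not pass, each with the rule to add."""
    findings = []
    for fwd in forwards:
        rule = first_match(rules, fwd)
        if rule is None:
            findings.append((fwd, f"no WAN-to-LAN rule; add a permit rule for "
                                  f"{service_label(fwd)} with destination {fwd.server_ip}"))
        elif rule.action == "block":
            findings.append((fwd, f"first matching rule blocks {service_label(fwd)}; "
                                  f"insert a permit rule above it"))
    return findings


# Constructed configuration for the example (not from a real router).
FORWARDS = [
    Forward("tcp", 80, "192.168.1.10"),     # web server, permit rule present
    Forward("tcp", 22, "192.168.1.10"),     # SSH, explicitly blocked for the subnet
    Forward("tcp", 8080, "192.168.1.20"),   # custom port, no rule at all
]
RULES = [
    Rule("permit", "tcp", (80, 80), "192.168.1.10/32"),
    Rule("block", "tcp", (22, 22), "192.168.1.0/24"),
]

if __name__ == "__main__":
    for fwd, why in audit(FORWARDS, RULES):
        print(f"{fwd.protocol}/{fwd.port} -> {fwd.server_ip}: {why}")
```

Run it after every change to the SUA Server or Remote Management screens; the two findings it prints for the constructed data are exactly the rules steps b to d tell you to add by hand.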

Page 76: ... as per the BCM50 installation guide. 3. Create a tunnel to the remote site as described above. 4. In the remote site, set the S1 and S2 addresses to the IP address of the BCM50, which is identified in the router DHCP table or in the BCM50. This is done with a CLI command: TELNET or SSH to the router (this needs TELNET or SSH enabled on that router), select menu 24, select menu 8, and enter the commands ip dhcp en...

Page 77: ...P addresses from a pool, define the pool and enable it. 2. Assuming a Local User Database is used for authentication: a. Add the user name and password to the local user database as an IPSec user and activate it. If the hosts will be assigned a static IP address, enter the address that will be assigned to the user. Configuring the router to connect to a Nortel VPN Server (Client Emulation): 1. Go to VPN Summary a...

Page 78: ...for guest access. The recommended approach to provide guest access is by creating an IP Alias and using static addressing for the corporate equipment to make it a member of the defined Alias subnet. Then use firewall rules to restrict access of the guest equipment. NOTE: if a BCM50 is used, it will also need to be assigned a static IP address. 1. Go to LAN IP Alias and Enable IP Alias 1. 2. Define a subnet...

Page 79: ...l server documentation for calculation details. 3. Set up a similar LAN subclass. Setting Up a Remote Office with a UNIStim IP Telephone: For a remote office with a PC and a UNIStim IP telephone behind a Business Secure Router, Client Emulation is the recommended method to connect to the main office. 1. At the main office Contivity Client Server, establish two user accounts, one for the telephone and one f...

Page 80: ...tware and configure it with the PC user account information. Interoperability With Third-Party Routers. VPN Connections With Cisco Routers: When establishing a VPN Client tunnel or Branch Office tunnel between the Business Secure Router and a Cisco router, the following configuration rules should be followed. 1. Ensure that the WAN IP of the BSR222/252 router and the Cisco router are not in the same su...

Page 81: ...domain names for Business Secure Router system features like VPN, DDNS and the time server. Use the LAN IP screen to configure the DNS server information that the Business Secure Router sends to the DHCP client devices on the LAN. Use the Remote Management DNS screen to configure the Business Secure Router to accept or discard DNS queries. Private DNS server: In cases where you want to use domain names...

Page 82: ... access computers that use private domain names on the HQ network, the Business Secure Router at branch office 1 uses the Intranet DNS server in headquarters. Figure 16 Private DNS server example. Configuring General Setup: Click SYSTEM to open the General screen. Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on t...

Page 83: ...re. If you leave this field blank, the ISP assigns a domain name through DHCP. The domain name entered by you is given priority over the ISP-assigned domain name. Administrator Inactivity Timer: Type how many minutes a management session (either through the WebGUI or SMT) can be left idle before the session times out. The default is 5 minutes. After it times out, you have to log in with your password again. ...

Page 84: ...can be public or a private address on your local LAN. Enter the DNS server's IP address in the field to the right. A User-Defined entry with the IP address set to 0.0.0.0 changes to None after you click Apply. A duplicate User-Defined entry changes to None after you click Apply. Select None if you do not want to configure DNS servers. If you do not configure a system DNS server, you must use IP address...

Page 85: ...all you even if they don't know your IP address. First of all, you must register a dynamic DNS account with, for example, www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that still want a domain name. The Dynamic DNS service provider gives you a password or key. DYNDNS wildcard: Enabling the wildcard feature for your host causes yourhost.dyndns.org to be aliased to the...

Page 86: ...ynamic DNS Service Provider: Select the name of your Dynamic DNS service provider. DDNS Type: Select the type of service that you are registered for from your Dynamic DNS service provider. Host Names 1-3: Enter the host names in the three fields provided. You can specify up to two host names in each field, separated by a comma. User: Enter your username (up to 31 characters)...

Page 87: ...line. IP Address Update Policy: DDNS Server Auto Detect IP Address: Select this option only when there are one or more NAT routers between the Business Secure Router and the DDNS server. This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address. Note: The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy s...

Page 88: ...can access and configure all of the Business Secure Router's features. Old Password: Type your existing system administrator password. PlsChgMe is the default password. New Password: Type your new system password (up to 31 characters). Note that as you type a password, the screen displays a * for each character you type. Retype to Confirm: Retype your new system password for confirmation...

Page 89: ...figure the WAN ISP and IP screens. Configure the VPN Contivity Client settings (except the Advanced screen, exclusive use mode for client tunnel, and MAC address allowed settings). View the SA monitor. Configure the VPN Global Setting screen. View logs. View the Maintenance Status screen. Use the Maintenance F/W Upload and Restart screens. User Name: Type a username for the client user (up to 31 characters). New...

Page 90: ...successful or all the predefined NTP time servers have been tried. Configuring Time and Date: To change the time and date of your Business Secure Router, click SYSTEM and then Time and Date. The screen in Figure 20 appears. Use this screen to configure the time based on your local time zone. Table 11, Default Time Servers: a.ntp.alphazed.net, ntp1.cs.wisc.edu, ntp1.gbg.netnod.se, ntp2.cs.wisc.edu, tock.usno.n...

Page 91: ...Chapter 5 System screens 91. Nortel Business Secure Router 252 Configuration Basics. Figure 20: Time and Date...

Page 92: ...s the last updated date from the time server or the last date configured manually. After you set Time and Date Setup to Manual, enter the new date in this field and then click Apply. Get from Time Server: Select this radio button to have the Business Secure Router get the time and date from the time server that you specified. Time Protocol: Select the time service protocol that your time server sends wh...

Page 93: ...Daylight Saving Time at the same moment (1 a.m. GMT or UTC). So in the European Union, select Last Sunday, March. The time you type in the o'clock field depends on your time zone. In Germany, for instance, type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). End Date: Configure the day and time when Daylight Saving Time ends if you select Enable Daylight Saving. The o'clock field uses the...

Page 94: ...so configure NAT and firewall rules depending upon the type of access you want to allow. Configuring ALG: To change the ALG settings of your Business Secure Router, click SYSTEM and then ALG. The screen appears as shown in Figure 21. Figure 21: ALG. Note: You must enable the FTP, H.323 or SIP ALG in order to use bandwidth management on that application...

Page 95: ...ending of voice signals over the Internet Protocol. The H.323 ALG does not support H.323 Gatekeeper. Enable SIP ALG: Select this check box to allow SIP (Session Initiation Protocol) applications to go through the Business Secure Router. The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sess...

Page 97: ...P (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132), individual clients can obtain TCP/IP configuration at start-up from a server. You can configure the Business Secure Router as a DHCP server or disable it. When configured as a server, the Business Secure Router provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another DHCP server on your LAN, or else...

Page 98: ...es you explicit DNS server addresses, read the embedded WebGUI help regarding which fields need to be configured. RIP setup: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. RIP Direction controls the sending and receiving of RIP packets. When set to Both or Out Only, the Business Secure Router broadcasts its routing table periodi...

Page 99: ...s an improvement over version 1 (RFC 1112), but IGMP version 1 is still in wide use. If you want to read more detailed information about interoperability between IGMP version 2 and version 1, see sections 4 and 5 of Internet Group Management Protocol (RFC 2236). The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is not assigned...

Page 100: ...Configuring IP: Click LAN to open the IP screen. Figure 22: LAN IP...

Page 101: ...Router from acting as a DHCP server. When you select None, you must have another DHCP server on your LAN, or else the computers must be manually configured. IP Pool Starting Address: This field specifies the first of the contiguous addresses in the IP address pool. The default is 192.168.1.2. Pool Size: This field specifies the size, or count, of the IP address pool. The default is 126. DHCP Server Address: Ty...

Page 102: ...he three servers. Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it. LAN TCP/IP: IP Address: Type the IP address of your Business Secure Router in dotted decimal notation (192.168.1.1 is the factory default). IP Subnet Mask: The subnet mask specifies the network number portion of an IP address. Your Business...

Page 103: ...on your network must use multicasting also. By default, RIP direction is set to Both and the Version set to RIP-1. Multicast: Select IGMP-V1 or IGMP-V2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112), but IGMP version 1 is st...

Page 104: ...the fields in Figure 23. Table 15, Static DHCP (Label / Description): This is the index number of the Static IP table entry (row). MAC Address: Type the MAC address (with colons) of a computer on your LAN. IP Address: This field specifies the size, or count, of the IP address pool. Apply: Click Apply to save your changes to the Business Secure Router. Reset: Click Reset to begin configuring this screen afresh...

Page 105: ...ace. The Business Secure Router supports three logical LAN interfaces through its single physical Ethernet interface, with the Business Secure Router itself as the gateway for each LAN network. To change the IP Alias settings of your Business Secure Router, click LAN, then the IP Alias tab. The screen appears as shown in Figure 24. Figure 24: IP Alias. Note: Make sure that the subnets of the logical network...

Page 106: ...to Both or In Only, it incorporates the RIP information that it receives; when set to None, it does not send any RIP packets and ignores any RIP packets received. RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the Business Secure Router sends (it recognizes both formats when receiving). RIP-1 is universally supported, but RIP-2 carries more infor...

Page 107: ...mber greater than 15 means the link is down. The smaller the number, the lower the cost. 1. The metric sets the priority for the routes of the Business Secure Router to the Internet. Each route must have a unique metric. 2. The priority of the WAN port route must always be higher than the dial backup and traffic redirect route priorities. If the WAN port route has a metric of 1 and the traffic redirect ro...

Page 108: ...The dial backup or traffic redirect routes cannot take priority over the WAN routes. Configuring Route: Click WAN to open the Route screen. Figure 25: WAN Route...

Page 109: ...ervices, a function known as dynamic service selection. This enables the service provider to easily create and offer new IP services for individuals. Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific configuration of the broadband modem at the customer site. Table 17, WAN Route (Label / Description): WAN, Traffic Redirect, Dial Backup: The default WAN c...

Page 110: ...ters on the LAN do not need PPPoE software installed, since the Business Secure Router does that part of the task. Furthermore, with NAT, all of the LAN computers will have access. Configuring WAN ISP: To configure the WAN ISP settings for your Business Secure Router, click WAN, then the WAN ISP tab. The screen differs depending on the encapsulation...

Page 111: ...Figure 26: WAN, WAN ISP...

Page 112: ...VPI (Virtual Path Identifier) and VCI (Virtual Channel Identifier) define a virtual circuit. VPI: The valid range for the VPI is 0 to 255. Enter the VPI assigned to you. VCI: The valid range for the VCI is 32 to 65,535 (0 to 31 is reserved for local management of ATM traffic). Enter the VCI assigned to you. Login Information (PPPoA and PPPoE encapsulation only): Service Name (PPPoE only): Type the name of your PPPoE...

Page 113: ...through to allow up to ten hosts on the LAN to use PPPoE client software on their computers to connect to the ISP using the Business Secure Router. Each host can have a separate account and a public WAN IP address. PPPoE pass-through is an alternative to NAT for applications where NAT is not appropriate. Disable PPPoE pass-through if you do not need to allow hosts on the LAN to use PPPoE client softw...

Page 114: ...Figure 27: WAN IP...

Page 115: ...Account) is a subset of NAT that supports two types of mapping: Many-to-One and Server. Choose Full Feature if you have multiple public IP addresses. Full Feature mapping types include One-to-One, Many-to-One (SUA/PAT), Many-to-Many Overload, Many One-to-One and Server. After you select Full Feature, you must configure at least one address mapping set. Metric: This field sets this route's priority among the r...

Page 116: ...ulticasting. Multicasting can reduce the load on non-router machines, since they generally do not listen to the RIP multicast address and so do not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting also. By default, the RIP Version field is set to RIP-1. Multicast: Choose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Multicast Pro...

Page 117: ...the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN-to-LAN traffic, you must also create a WAN-to-LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN. This field does the same as the Allow between LAN and WAN field in the LAN IP scre...

Page 118: ...teway for each LAN network. Put the protected LAN in one subnet (Subnet 1 in Figure 29) and the backup gateway in another subnet (Subnet 2). Configure a LAN-to-LAN Business Secure Router firewall rule that forwards packets from the protected LAN (Subnet 1) to the backup gateway (Subnet 2). Figure 29: Traffic Redirect LAN Setup. Configuring Traffic Redirect: To change the traffic redirect settings, click WAN, then...

Page 119: ...t (Label / Description): Active: Select this check box to have the Business Secure Router use traffic redirect if the normal WAN connection goes down. Backup Gateway IP Address: Type the IP address of your backup gateway in dotted decimal notation. The Business Secure Router automatically forwards traffic to this IP address if the Business Secure Router's Internet connection terminates. Apply: Click Apply to...

Page 120: ...Figure 31: Dial Backup Setup...

Page 121: ...sign before the phone number for local calls. Include a symbol at the beginning of the phone numbers as required. Dial Backup Port Speed: Use the drop-down list to select the speed of the connection between the Dial Backup port and the external device. Available speeds are 9,600, 19,200, 38,400, 57,600, 115,200 or 230,400 b/s. AT Command Initial String: Type the AT command string to initialize the WAN devic...

Page 122: ...n one network to a different IP address known within another network. SUA (Single User Account) is a subset of NAT that supports two types of mapping: Many-to-One and Server. When you select this option, the Business Secure Router uses Address Mapping Set 255. Clear this option to disable NAT. Enable RIP: Select this check box to turn on RIP (Routing Information Protocol), which allows a router to exchange ro...

Page 123: ...RFC 2236. Budget: Always On: Select this check box to have the dial backup connection on all of the time. Configure Budget: Select this check box to have the dial backup connection on during the time that you select. Allocated Budget: Type the amount of time (in minutes) that the dial backup connection can be used during the time configured in the Period field. Set an amount that is less than the time perio...

Page 124: ...ng up the current call when the DTR (Data Terminal Ready) signal is dropped by the DTE. If the Drop DTR When Hang Up check box is selected, the Business Secure Router uses this hardware signal to force the WAN device to hang up, in addition to issuing the drop command ATH. Response Strings: The response strings tell the Business Secure Router the tags, or labels, immediately preceding the various call para...

Page 125: ...Basics. Configuring Advanced Modem Setup: Click the Edit button in the Dial Backup screen to display the Advanced Setup screen shown in Figure 32. Figure 32: Advanced Setup. Note: Consult the manual of your WAN device connected to your dial backup port for specific AT commands. Note...

Page 126: ...evice. CLID is required for CLID authentication. NMBR. Called ID: Type the keyword preceding the dialed number. Speed: Type the keyword preceding the connection speed. CONNECT. Call Control: Dial Timeout (sec): Type a number of seconds for the Business Secure Router to try to set up an outgoing call before timing out (stopping). 60. Retry Count: Type a number of times for the Business Secure Router to retry a busy...

Page 127: ...Apply: Click Apply to save your changes to the Business Secure Router. Reset: Click Reset to begin configuring this screen afresh. Table 22, Advanced Setup (Label / Description / Example)...

Page 129: ...o a different IP address known within another network. NAT definitions: Inside/outside denotes where a host is located relative to the Business Secure Router. For example, the computers of your subscribers are the inside hosts, while the Web servers on the Internet are the outside hosts. Global/local denotes the IP address of a host in a packet as the packet traverses a router. For example, the local addr...

Page 130: ...is never changed. The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP. In addition, you can designate servers (for example, a web server and a Telnet server) on your local network and make them accessible to the outside world. You can make designated servers on the LAN accessible to the outside world. If you do not define any servers for Many-to-One and Man...

Page 131: ...ces the original IP source address and TCP or UDP source port numbers (for Many-to-One and Many-to-Many Overload NAT mapping) in each packet and then forwards it to the Internet. The Business Secure Router keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored, as illustrated in Figure 33. Figure 33: How NAT works. Port-restricted cone NAT...

Page 132: ...cannot send packets with source IP address e.f.g.h and port 10101 to A, because A has not sent a packet to IP address e.f.g.h and port 10101. Figure 34: Port Restricted Cone NAT. NAT application: Figure 35 illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the Business Secure Router can communicate with three distinct WAN networks. More examples follow at...

Page 133: ...l IP address. This is equivalent to SUA (for example, PAT, port address translation), the Single User Account feature (the SUA Only option). Many-to-Many Overload: In Many-to-Many Overload mode, the Business Secure Router maps the multiple local IP addresses to shared global IP addresses. Many One-to-One: In Many One-to-One mode, the Business Secure Router maps each local IP address to a unique global IP addres...

Page 134: ...resses of clients or servers using mapping types. Select either SUA Only or Full Feature in WAN IP. Table 24, NAT mapping type (Type / IP Mapping / SMT Abbreviation): One-to-One: ILA1 ↔ IGA1; 1:1. Many-to-One (SUA/PAT): ILA1 ↔ IGA1, ILA2 ↔ IGA1; M:1. Many-to-Many Overload: ILA1 ↔ IGA1, ILA2 ↔ IGA2, ILA3 ↔ IGA1, ILA4 ↔ IGA2; M:M Ov. Many One-to-One: ILA1 ↔ IGA1, ILA2 ↔ IGA2, ILA3 ↔ IGA3; M:1-1. Server: Server 1 IP ↔ IGA1, Server...

Page 135: ...than one service (for example, both FTP and web service), it is better to specify a range of port numbers. You can allocate a server IP address that corresponds to a port or a range of ports. With many residential broadband ISP accounts, you cannot run any server processes (such as a Web or FTP server) from your location. Your ISP periodically checks for servers and can suspend your account if it discovers...

Page 136: ...n ports 22-25 to one server, port 80 to another, and assign a default server IP address of 192.168.1.35, as shown in Figure 36. Table 25, Services and port numbers (Services / Port Number): ECHO 7; FTP (File Transfer Protocol) 21; SMTP (Simple Mail Transfer Protocol) 25; DNS (Domain Name System) 53; Finger 79; HTTP (Hyper Text Transfer Protocol, or WWW, Web) 80; POP3 (Post Office Protocol) 110; NNTP (Network News Transport Pro...

Page 137: ...figuring SUA Server: Click SUA/NAT to open the SUA Server screen. Refer to Chapter 10, Firewalls, on page 153 and Chapter 11, Firewall screens, on page 169 for port numbers commonly used for particular services. Note: If you do not assign a Default Server IP Address, then all packets received for ports not specified in this screen are discarded. Business Secure Router...

Page 138: ...el / Description): Default Server: In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a default server IP address, then all packets received for ports not specified in this screen are discarded. Number of an individual SUA server entry...

Page 139: ...9. If you delete rule 4, rules 5 to 7 are pushed up by 1 rule, so old rules 5, 6 and 7 become new rules 4, 5 and 6. To change the NAT address mapping settings, click SUA/NAT, then the Address Mapping tab. The screen appears as shown in Figure 38. Active: Select this check box to enable the SUA server entry. Clear this check box to disallow forwarding of these ports to an inside server without having to delet...

Page 140: ...is is the end Inside Local Address (ILA). If the rule is for all local IP addresses, then this field displays 0.0.0.0 and 255.255.255.255 as the Local End IP address. This field is N/A for One-to-One and Server mapping types. Global Start IP: This refers to the Inside Global IP Address (IGA). 0.0.0.0 is for a dynamic IP address from your ISP with Many-to-One and Server mapping types. Global End IP: This is th...

Page 141: ...one global IP address. This is equivalent to SUA (that is, PAT, port address translation), the Single User Account feature. 3. Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses. 4. Many One-to-One mode maps each local IP address to unique global IP addresses. 5. Server permits you to specify inside servers of different services behind the NAT to be accessible to the out...

Page 142: ...ny-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses. 4. Many One-to-One: Many One-to-One mode maps each local IP address to unique global IP addresses. 5. Server: With this type, you can specify inside servers of different services behind the NAT to be accessible to the outside world. Local Start IP: This is the starting Inside Local IP Address (ILA). Local IP addresses are...

Page 143: ...Business Secure Router records the IP address of a LAN computer that sends traffic to the WAN to request a service with a specific port number and protocol (a trigger port). When the WAN port on the Business Secure Router receives a response with a specific port number and protocol (incoming port), the Business Secure Router forwards the traffic to the LAN IP address of the computer that sent the reques...

Page 144: ...etween 6970-7170. 4. The Business Secure Router forwards the traffic to Jane's computer IP address. 5. Only Jane can connect to the Real Audio server until the connection is closed or times out. The Business Secure Router times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transfer Control Protocol/Internet Protocol). Two points to remember about Trigger Ports: Trigger even...

Page 145: ...Configuring Trigger Port Forwarding: To change trigger port settings of your Business Secure Router, click SUA/NAT and the Trigger Port tab. The screen appears as shown in Figure 41. Figure 41: Trigger Port. Note: Only one LAN computer can use a trigger port range at a time...

Page 146: ...the client computer on the LAN that requested the service. Start Port: Type a port number or the starting port number in a range of port numbers. End Port: Type a port number or the ending port number in a range of port numbers. Trigger: The trigger port is a port or a range of ports that causes (or triggers) the Business Secure Router to record the IP address of the LAN computer that sent the traffic to...

Page 147: ...nnected, and the Business Secure Router has no knowledge of the networks beyond. For instance, the Business Secure Router knows about network N2 in Figure 42 through remote node Router 1. However, the Business Secure Router is unable to route a packet to network N3 because it does not know that there is a route through the same remote node (Router 1) through gateway Router 2. The static routes are for you...

Page 148: ...42: Example of Static Routing topology. Configuring IP Static Route: Click STATIC ROUTE to open the Route Entry screen. Note: The first static route entry is for the default WAN route. You cannot modify or delete this static default route. Business Secure Router...

Page 149: ...field shows whether this static route is active (Yes) or not (No). Destination: This parameter specifies the IP network address of the final destination. Routing is always based on network number. Gateway: This is the IP address of the gateway. The gateway is a router or switch on the same network segment as the Business Secure Router LAN or WAN port. The gateway helps forward packets to their destinations...

Page 150: ...tive: This field allows you to activate or deactivate this static route. Destination IP Address: This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the network number to be identical to the host ID. IP Subnet Mask: Enter t...

Page 151: ...recise, but it must be between 1 and 15. In practice, 2 or 3 is usually a good number. Private: This parameter determines if the Business Secure Router includes this route to a remote node in its RIP broadcasts. Select this check box to keep this route private and not included in RIP broadcasts. Clear this check box to propagate this route to other hosts through RIP broadcasts. Apply: Click Apply to save y...

Page 153: ...mechanism used to protect a trusted network from an untrusted network. Of course, firewalls cannot solve every security problem. A firewall is one of the mechanisms used to establish a network security perimeter in support of a network security policy. It must never be the only mechanism or method employed. For a firewall to guard effectively, you must design and deploy it appropriately. This requires in...

Page 154: ...eauthenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging. Filtering rules at the packet-filtering router can be less complex than if the router needed to filter application traffic and direct it to a number of specific systems. The router need only allow application traffic destined for the appli...

Page 155: ...Router also has packet filtering capabilities. The Business Secure Router is installed between the LAN and a broadband modem connecting to the Internet, which allows it to act as a secure gateway for all data passing between the Internet and the LAN. The Business Secure Router has one ADSL WAN port and four Ethernet LAN ports, which are used to physically separate the network into two areas. Th...

Page 156: ...to network resources. The Business Secure Router is preconfigured to automatically detect and thwart currently known DoS attacks. Basics: Computers share information over the Internet using a common language called TCP/IP. TCP/IP, in turn, is a set of application protocols that perform specific functions. An extension number, called the TCP port or UDP port, identifies these protocols, such as HTTP (Web), FTP...

Page 157: ...of Death and Teardrop attacks exploit bugs in the TCP/IP implementations of various computer and host systems. Ping of Death uses a ping utility to create an IP packet that exceeds the maximum 65,536 bytes of data allowed by the IP specification. The oversize packet is then sent to an unsuspecting system and can cause systems to crash, hang or reboot. Teardrop attack exploits weaknesses in the reasse...

Page 158: ...the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established. SYN Attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are mov...

Page 159: ...work with useless data. A Smurf hacker floods a router with Internet Control Message Protocol (ICMP) echo request packets (pings). Since the destination IP address of each packet is the broadcast address of the network, the router broadcasts the ICMP echo request packet to all hosts on the network. If there are numerous hosts, this creates a large amount of ICMP echo request and response traffic. If a hacke...

Page 160: ...CMP types trigger an alert. Illegal Commands (NetBIOS and SMTP): The only legal NetBIOS commands are shown in Table 34; all others are illegal. Table 33, ICMP commands that trigger alerts: 5 REDIRECT; 13 TIMESTAMP_REQUEST; 14 TIMESTAMP_REPLY; 17 ADDRESS_MASK_REQUEST; 18 ADDRESS_MASK_REPLY. Table 34, Legal NetBIOS commands: MESSAGE, REQUEST, POSITIVE, NEGATIVE, RETARGET, KEEPALIVE...

Page 161: ...hat the packets originate from a trusted host and is allowed through the router or firewall. The Business Secure Router blocks all IP Spoofing attempts. Stateful inspection: With stateful inspection, fields of the packets are compared to packets that are already known to be trusted. For example, if you access an outside service, the proxy server remembers things about your original request, like the port...

Page 162: ...owing example, the following sequence of events occurs when a TCP packet leaves the LAN network through the firewall's WAN interface. The TCP packet is the first in a session, and the packet's application-layer protocol is configured for a firewall rule inspection. 1. The packet travels from the firewall's LAN to the WAN. 2. The packet is evaluated against the interface's existing outbound access list an...

Page 163: ...nd the connection's state table entry is updated as necessary. You can modify the inbound extended access list temporary entries based on the updated state information in order to permit only packets that are valid for the current state of the connection. 8. Any additional inbound or outbound packets that belong to the connection are inspected to update the state table entry and to modify the tempora...

Page 164: ...rnet into the LAN. Except in a few special cases (see Upper layer protocols on page 165), these packets are dropped and logged. If an initiation packet originates on the LAN, someone is trying to make a connection from the LAN to the Internet. Assuming that this is an acceptable part of the security policy (as is the case with the default policy), the connection is allowed. A cache entry is added, which inclu...

Page 165: ...ply because they are too dangerous and contain too little tracking information. For instance, ICMP redirect packets are never allowed in, since they can be used to reroute traffic through attacking machines. Upper layer protocols: Some higher-layer protocols, such as FTP and RealAudio, utilize multiple network connections simultaneously. In general terms, they usually have a control connection, which is use...

Page 166: ...n find creative ways to misuse the enabled services to access the firewall or the network. 5. For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces. 6. Protect against IP spoofing by making sure the firewall is active. 7. Keep the fire...

Page 167: ...work layer (IP headers) up to the application layer. The firewall performs stateful inspection. It takes into account the state of the connections it handles, so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in. Conversely, an incoming packet masquerading as a response to a nonexistent outbound request can be blocked. The firewall uses s...

Page 168: ...The firewall performs better than filtering if you need to check many rules. 5. Use the firewall if you need routine e-mail reports about your system or need to be alerted when attacks occur. 6. The firewall can block any specific URL traffic that occurs in the future. The URL can be saved in an Access Control List (ACL) database...

Page 169: ...options and are only recommended for advanced users; refer to Nortel Business Secure Router 252 Configuration - Advanced (NN47923-501) for firewall CLI commands. Firewall policies overview: Firewall rules are grouped based on the direction of travel of the packets to which they apply. By default, Business Secure Router stateful packet inspection allows packets traveling in the following directions: LAN to LAN/B...

Page 170: ...at from the LAN to the Internet. Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN. Allow everyone except your competitors to access a Web server. Restrict use of certain protocols, such as Telnet, to authorized users on the LAN. These custom rules work by comparing the Source IP address, Destination IP address and...

Page 171: ...llow only certain machines on the Internet to access the LAN. Security ramifications: Once the logic of the rule has been defined, it is critical to consider the security ramifications created by the rule. 1. Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service? 2. Is it possible to modify the rule to be mo...

Page 172: ...ddress: What is the source address of the connection; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet? Destination address: What is the destination address of the connection; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet? Connection direction examples: This section describes examples of firewall rules for connections going from LAN to WAN and from WAN to LAN. L...

Page 173: ...ess Secure Router WAN interface itself. By default, the Business Secure Router stops WAN computers from using the Business Secure Router as a gateway to communicate with other computers on the WAN. You can configure one of these rules to allow a WAN computer to manage the Business Secure Router. LAN to WAN rules: The default rule for LAN to WAN traffic is that all users on the LAN are allowed unrestric...

Page 174: ...he rule and stops checking the firewall rules. For example, you have one general rule that blocks all LAN to WAN IRC (Internet Relay Chat), and you have another rule that allows IRC traffic from your company president's LAN IP address to go to the WAN. In order for the president's IRC traffic to get through, the rule for the president's IP address must come before the rule that blocks all LAN to WAN IRC. ...

Page 175: ...s the Business Secure Router LAN IP address, return traffic does not go through the Business Secure Router. This is called an asymmetrical or triangle route, and it causes the Business Secure Router to reset the connection, as the connection has not been acknowledged. Note: Allowing asymmetrical routes can let traffic from the WAN go directly to the LAN without passing through the Business Secure Router. A...

Page 176: ...2 Table 36 Firewall rules summary (First screen). Label / Description. Enable Firewall: Select this check box to activate the firewall. The Business Secure Router performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated. The firewall allows traffic to go through your VPN tunnels. ...

Page 177: ...ure, summarized below, take priority over the general firewall action settings above. This is your firewall rule number. The ordering of your rules is important, as rules are applied in turn. The Move field allows you to reorder your rules. Status: This field displays whether a firewall rule is turned on (Active) or not (Inactive). Rules that have not been configured display Empty. Source Address: This drop-down list...

Page 178: ...the screen where you configure a firewall rule. Move: Select the Index option button of a rule and type a number for where you want to put that rule. Click Move to move the rule to the number that you typed. The ordering of your rules is important, as they are applied in order of their numbering. Rule to Rule Number: Click a rule's option button and type the number for where you want to put that rule. Edi...

Page 179: ...53 Table 37 Creating and editing a firewall rule. Label / Description. Active: Check the Active check box to have the Business Secure Router use this rule. Leave it unchecked if you do not want the Business Secure Router to use the rule after you apply it. Packet Direction: Use the drop-down list to select the direction of packet travel to which you want to apply this firewall rule. ...

Page 180: ...remove a service, highlight it in the Selected Services box on the right, then click the arrow button. Custom Port: Add: Click this button to bring up the screen that you use to configure a new custom service that is not in the predefined list of services. Edit: Select a custom service (denoted by an *) from the Available Services list and click this button to edit the service. Delete: Select a custom service (denoted by an *) fro...

Page 181: ... Table 38 Adding or editing source and destination addresses. Label / Description. Address Type: Select an option from the drop-down list, which includes Single Address, Range Address, Subnet Address and Any Address. Start IP Address: Enter the single IP address or the starting IP address in a range here. Use a numerical IP address in dotted decimal notation, for example 192.168.1.10. End IP Address: Enter the e...

Page 182: ...a custom port. Table 39 describes the fields in Figure 55. Table 39 Creating/Editing a Custom Port. Label / Description. Service Name: Enter a unique name to identify the service (a service that is not predefined in the Business Secure Router). Service Type: Choose the IP port type (TCP, UDP or Both) that defines your customized port from the drop-down list. Port Configuration: Type: Click Single to specify one port on...

Page 183: ...nk and then the Summary tab. 2. In the Summary screen, type the index number for where you want to put the rule. For example, if you type 6, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7. 3. Click Insert to display the firewall rule configuration screen. Figure 56 Firewall edit rule screen example. 4. Select WAN to LAN as the Packet Direction. 5. Select Any in the Destin...

Page 184: ...Custom Port screen. Configure it as shown in Figure 58 and click Apply. Figure 58 Edit custom port example. 8. The firewall rule configuration screen displays. Use the arrows between Available Services and Selected Services to configure it as shown in Figure 59. Click Apply after you are done. Note: Custom ports show up with an * before their names in the Services list box and the Rule Summary list box. Clic...

Page 185: ...the configuration procedure for this Internet firewall rule, the Rule Summary screen will look like the one illustrated in Figure 60. Rule 1: Allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN. Remember to click Apply after you finish configuring your rules to save your settings to the Business Secure Router. ...

Page 186: ...Rule screen (see Figure 53) displays all predefined services that the Business Secure Router already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP or ICMP). The second field indicates the IP port number that defines the service. Note that there can be more than one IP protocol ...

Page 187: ...9 Finger is a UNIX or Internet-related command that can be used to find out if a user is logged on. FTP (TCP 20, 21): File Transfer Program is a program to enable fast transfer of files, including large files that cannot be sent by e-mail. H.323 (TCP 1720): NetMeeting uses this protocol. HTTP (TCP 80): Hyper Text Transfer Protocol is a client/server protocol for the World Wide Web. HTTPS (TCP 443): HTTPS is a secur...

Page 188: ... Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the data channel. RCMD (TCP 512): Remote Command Service. REAL_AUDIO (TCP 7070): A streaming audio service that enables real-time sound over the web. REXEC (TCP 514): Remote Execution Daemon. RLOGIN (TCP 513): Remote Logon. RTELNET (TCP 107): Remote Telnet. RTSP (TCP/UDP 554): The Real Time Streaming (media control) Protocol (RTS...

Page 189: ...n of voice and multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol. SSH (TCP/UDP 22): Secure Shell Remote Logon Program. STRM WORKS (UDP 1558): Stream Works Protocol. SYSLOG (UDP 514): Using syslog, you can send system logs to a UNIX server. TACACS (UDP 49): Login Host Protocol used for Terminal Access Controller Access Control System. TELN...

Page 190: ...influencing choices for threshold values are: the maximum number of opened sessions; the minimum capacity of server backlog in your LAN network; the CPU power of servers in your LAN network; network bandwidth; the type of traffic for certain servers. If your network is slower than average for any of these factors (especially if you have servers that are slow or handle many tasks and are often busy), then the d...

Page 191: ...ons as necessary until the rate of new connection attempts drops below another threshold (One Minute Low). The rate is the number of new attempts detected in the last one-minute sample period. TCP maximum incomplete and blocking period: An unusually high number of half-open sessions with the same destination host address indicates that a Denial of Service attack is being launched against the host. Whene...

Page 192: ... the fields in Figure 61. Table 41 Attack alert. Label / Description. Generate alert when attack detected: A detected attack automatically generates a log entry. Check this box to generate an alert as well as a log whenever an attack is detected. Denial of Service Thresholds: One Minute Low: This is the rate of new half-open sessions that causes the firewall to stop deleting half-open sessions. The Business ...

Page 193: ...ns as required to accommodate new connection requests. Do not set Maximum Incomplete High lower than the current Maximum Incomplete Low number. The above values, say 80 in the Maximum Incomplete Low field and 100 in this field, cause the Business Secure Router to start deleting half-open sessions when the number of existing half-open sessions rises above 100, and to stop deleting half-open sessions ...
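The threshold behaviour described on pages 190 to 193, as an added example that is not the router's own code: a half-open session monitor with the One Minute High/Low rate thresholds, the Maximum Incomplete High/Low count thresholds (80 and 100 as in the manual's example) and the per-destination TCP Maximum Incomplete limit. The exact deletion strategy (drop the oldest half-open session to make room for each new attempt while above the high threshold), the per-host limit of 10 and the 60-second blocking period are assumptions; the addresses are constructed.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class Thresholds:
    one_minute_high: int = 100      # new half-open sessions per minute that starts deleting
    one_minute_low: int = 80        # rate at which deleting stops
    max_incomplete_high: int = 100  # existing half-open sessions above which deleting starts
    max_incomplete_low: int = 80    # count below which deleting stops
    tcp_max_incomplete: int = 10    # half-open sessions to one destination host (assumed value)
    blocking_period: float = 60.0   # seconds new attempts to that host are refused (assumed semantics)

class HalfOpenMonitor:
    """Constructed model of the firewall's half-open session bookkeeping."""

    def __init__(self, th: Thresholds):
        self.th = th
        self.half_open = deque()    # (time, src, dst), oldest first
        self.attempts = deque()     # timestamps of new attempts in the last 60 s
        self.deleting = False       # hysteresis state: True between High being crossed and Low being reached
        self.blocked_until = {}     # dst -> time until which new attempts to dst are refused
        self.log = []               # every detected attack and state change gets a log entry

    def _rate(self, now):
        while self.attempts and now - self.attempts[0] >= 60:
            self.attempts.popleft()
        return len(self.attempts)

    def _per_host(self, dst):
        return sum(1 for _, _, d in self.half_open if d == dst)

    def new_syn(self, now, src, dst):
        """Handle a new connection attempt; returns 'accepted' or 'blocked'."""
        if self.blocked_until.get(dst, 0) > now:
            return "blocked"
        # Per-destination check: too many half-open sessions to one host means a DoS against that host.
        if self._per_host(dst) >= self.th.tcp_max_incomplete:
            self.blocked_until[dst] = now + self.th.blocking_period
            self.log.append((now, "attack", dst))
            return "blocked"
        # Global checks with hysteresis: start at High, stop only once both measures are below Low.
        self.attempts.append(now)
        rate, count = self._rate(now), len(self.half_open)
        if not self.deleting and (rate > self.th.one_minute_high or count >= self.th.max_incomplete_high):
            self.deleting = True
            self.log.append((now, "deleting_started", rate, count))
        elif self.deleting and rate < self.th.one_minute_low and count < self.th.max_incomplete_low:
            self.deleting = False
            self.log.append((now, "deleting_stopped", rate, count))
        if self.deleting and self.half_open:
            self.half_open.popleft()   # make room by dropping the oldest half-open session
        self.half_open.append((now, src, dst))
        return "accepted"

    def complete(self, src, dst):
        """Handshake finished: the session leaves the half-open table."""
        for entry in self.half_open:
            if entry[1] == src and entry[2] == dst:
                self.half_open.remove(entry)
                return True
        return False

def simulate_flood(n, th=None):
    """n SYNs within one second, each to a different host, so only the global thresholds apply."""
    mon = HalfOpenMonitor(th or Thresholds())
    for i in range(1, n + 1):
        mon.new_syn(i * 0.001, f"198.51.100.{i % 250 + 1}", f"10.0.0.{i}")
    return mon

def simulate_host_flood(n=12, th=None):
    """n SYNs from different sources to the same LAN host; returns the per-attempt decisions."""
    mon = HalfOpenMonitor(th or Thresholds())
    return [mon.new_syn(i * 0.001, f"198.51.100.{i}", "10.0.0.10") for i in range(1, n + 1)]

if __name__ == "__main__":
    m = simulate_flood(150)
    print(len(m.half_open), m.deleting, m.log)   # 100 True [(0.101, 'deleting_started', 101, 100)]
    print(simulate_host_flood())                 # 10 x 'accepted', then 'blocked' twice
```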

Page 194: Chapter 11, Firewall screens (NN47923-500) ...

Page 195: ...the ability to block certain web features or specific URL keywords, and is not to be confused with packet filtering through SMT menu 21.1. To access these functions from the Main Menu, click Content Filter to expand the Content Filter menus. Restrict web features: The Business Secure Router can block web features such as ActiveX controls, Java applets and cookies, and can disable web proxies. Days and Times: W...

Page 196: Chapter 12, Content filtering (NN47923-500). Configure Content Filtering: Click Content Filter on the navigation panel to open the screen shown in Figure 62. Figure 62 Content filter ...

Page 197: ...his proxy server. Enable URL Keyword Blocking: The Business Secure Router can block Web sites with URLs that contain certain keywords in the domain name or IP address. For example, if the keyword bad was enabled, all sites containing this keyword in the domain name or IP address would be blocked; for example, the URL http://www.website.com/bad.html is blocked. Select this check box to enable this feature. Keyword...

Page 198: ...ict web server data, such as ActiveX, Java, Cookies and Web Proxy, are not affected. Enter the time period (in 24-hour format) during which content filtering will be enforced. Select the All Day check box to have content filtering always active on the days selected in Day to Block, with time-of-day limitations not enforced. Apply: Click Apply to save your changes. Reset: Click Reset to begin configuring this s...

Page 199: ...services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication. Use the screens documented in this chapter to configure rules for VPN connections and to manage VPN connections. IPSec: Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible solutions for secure data communications across a public network like the I...

Page 200: ...able 43 VPN Screens overview. Screens / Description. Summary: This screen lists all of your VPN rules. Contivity Client Rule Setup: Use these screens to configure simple VPN rules that have the Business Secure Router operate as a VPN client. Branch Office Rule Setup: Use these screens to manually configure VPN rules that have the Business Secure Router operate as a VPN router. SA Monitor: Use this screen to ...

Page 201: ...tion secure. Decryption is the opposite of encryption; it is a mathematical operation that transforms ciphertext to plaintext. Decryption also requires a key. Figure 63 Encryption and decryption. Table 44 VPN Screens Overview. Screens / Description. Summary: This screen lists all of your VPN rules. Contivity Client Rule Setup: Use these screens to configure simple VPN rules that have the Business Secure Route...

Page 202: ...works Together: Connect branch offices and business partners over the Internet, with significant cost savings and improved performance when compared to leased lines between sites. Accessing Network Resources When NAT Is Enabled: When NAT is enabled between the WAN and the LAN, remote users are not able to access hosts on the LAN unless the host is designated a public LAN server for that specific protoc...

Page 203: ...ty Payload) protocol (RFC 2406) and the AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure, including implementation algorithms. The Encryption Algorithm describes the use of encryption techniques such as the DES (Data Encryption Standard), AES (Advanced Encryption Standard) and Triple DES algorithms. ...

Page 204: ...ence, integrity, replay resistance and nonrepudiation, but not for confidentiality, for which the ESP was designed. In applications where confidentiality is not required or not sanctioned by government encryption restrictions, an AH can be employed to ensure integrity. This type of implementation does not protect the information from dissemination, but can be used for verification of the integrity of the ...

Page 205: ...fectively doubling the strength of DES. AES (Advanced Encryption Standard) is a newer method of data encryption that also uses a secret key. This implementation of AES applies a 128-bit key to 128-bit blocks of data during phase 1. You can configure the device to use a 128-bit, 192-bit or 256-bit key for phase 2. AES is faster than 3DES. Select NULL to set up a phase 2 tunnel without encryption. Authentica...

Page 206: ... the original IP header and options, but before any upper layer protocols contained in the packet, such as TCP and UDP. With ESP, protection is applied only to the upper layer protocols contained in the packet. The IP header information and options are not used in the authentication process. Therefore, the originating IP address cannot be verified for integrity against the data. With the use of AH as the ...

Page 207: ...ess Secure Router. The security protocol appears after the outer IP header and before the inside IP header. IPSec and NAT: Read this section if you are running IPSec on a host computer behind the Business Secure Router. NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a h...

Page 208: ...ation of the original header plus original payload, which is unchanged by a NAT device. Transport mode ESP with authentication is not compatible with NAT, although NAT traversal provides a way to use Transport mode ESP when there is a NAT router between the IPSec endpoints (see NAT Traversal on page 213 for details). Secure Gateway Address: Secure Gateway Address is the WAN IP address or domain name of t...
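Why AH cannot pass through NAT while tunnel-mode ESP can, as an added illustration that is not the router's code and not the IPSec wire format: an HMAC-SHA1-96 integrity check modelled on AH (covering the IP header, with the mutable TTL zeroed, plus the payload) next to one modelled on tunnel-mode ESP (covering only the encapsulated original packet). A simulated NAT rewrite of the outer source address then shows which check still verifies. The key, addresses and toy header layout are constructed; transport-mode ESP, which the manual also calls NAT-incompatible, is not modelled here.

```python
import hashlib
import hmac
import ipaddress

KEY = b"constructed-demo-key"   # stands in for the authentication key negotiated for the SA

def hdr_bytes(hdr):
    """Serialise the toy header fields that matter here: addresses, TTL and protocol."""
    return (ipaddress.ip_address(hdr["src"]).packed
            + ipaddress.ip_address(hdr["dst"]).packed
            + bytes([hdr["ttl"], hdr["proto"]]))

def icv(data):
    """HMAC-SHA1 truncated to 96 bits, as RFC 2404 specifies for AH and ESP authentication."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_icv(hdr, payload):
    """AH-style ICV: the IP header (mutable TTL zeroed) and the payload are both signed."""
    return icv(hdr_bytes({**hdr, "ttl": 0}) + payload)

def esp_tunnel_icv(inner_hdr, payload):
    """Tunnel-mode ESP-style ICV: only the encapsulated original packet is authenticated."""
    return icv(hdr_bytes(inner_hdr) + payload)

def nat_rewrite(outer_hdr, public_ip):
    """What the NAT router does to an outbound packet: new source address, TTL decremented."""
    return {**outer_hdr, "src": public_ip, "ttl": outer_hdr["ttl"] - 1}

def router_hop(hdr):
    """A plain router only decrements the TTL, which AH treats as mutable."""
    return {**hdr, "ttl": hdr["ttl"] - 1}

# Constructed packets: a LAN host behind the router talking to a remote IPSec peer.
INNER = {"src": "192.168.1.33", "dst": "10.0.0.10", "ttl": 64, "proto": 6}     # TCP inside the tunnel
OUTER = {"src": "192.168.1.33", "dst": "203.0.113.5", "ttl": 64, "proto": 51}  # 51 = AH, 50 = ESP
PUBLIC_IP = "198.51.100.7"                                                      # NAT's WAN address
PAYLOAD = b"constructed application data"

def ah_survives(through_nat: bool) -> bool:
    """Does the receiver's AH check succeed after the packet crossed a NAT (or a plain router)?"""
    sent = ah_icv(OUTER, PAYLOAD)
    arrived = nat_rewrite(OUTER, PUBLIC_IP) if through_nat else router_hop(OUTER)
    return hmac.compare_digest(sent, ah_icv(arrived, PAYLOAD))

def esp_tunnel_survives(through_nat: bool) -> bool:
    """Same question for tunnel-mode ESP: the receiver strips the outer header and checks the inner packet."""
    sent = esp_tunnel_icv(INNER, PAYLOAD)
    outer = {**OUTER, "proto": 50}
    arrived_outer = nat_rewrite(outer, PUBLIC_IP) if through_nat else router_hop(outer)
    inner, payload = decapsulate(arrived_outer, INNER, PAYLOAD)
    return hmac.compare_digest(sent, esp_tunnel_icv(inner, payload))

def decapsulate(outer, inner, payload):
    """Receiver side: the outer header is only used for delivery and is discarded."""
    assert outer["proto"] == 50
    return inner, payload

if __name__ == "__main__":
    print("AH via plain router:", ah_survives(False))        # True: TTL change is tolerated
    print("AH via NAT:", ah_survives(True))                  # False: the signed source address changed
    print("ESP tunnel via NAT:", esp_tunnel_survives(True))  # True: NAT never touched the inner packet
```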

Page 209: ...c Secure Gateway Address: If the remote secure gateway has a dynamic WAN IP address and does not use DDNS, enter 0.0.0.0 as the address of the remote secure gateway. In this case, only the remote secure gateway can initiate SAs. This is useful for telecommuters initiating a VPN tunnel to the company network. Summary screen: Figure 66 helps explain the main fields in the WebGUI. Figure 66 IPSec summary fie...

Page 210: Chapter 13, VPN (NN47923-500). Figure 67 Summary IP Policies ...

Page 211: ... are indicated by the starting and ending IP addresses, separated by a dash. You configure these IP addresses in the VPN Branch Office IP Policy screen. This field is empty if you do not configure the VPN branch office rule to use an IP policy. Private IP addresses are IP addresses of computers on your Business Secure Router's local network for which you have configured the IP policy to use NAT for th...

Page 212: ... Business Secure Router, because the Business Secure Router does not drop the tunnels that are already connected unless there is outbound traffic with no inbound traffic. Nailed up: The nailed up feature is similar to the keep alive feature. When you initiate an IPSec tunnel with nailed up enabled, the Business Secure Router automatically renegotiates the tunnel when the IPSec SA lifetime period expire...

Page 213: ...ss Secure Router does not drop the tunnels that are already connected unless there is outbound traffic with no inbound traffic. NAT Traversal: NAT traversal allows you to set up a VPN connection when there are NAT routers between the Business Secure Router and the remote IPSec router. Figure 68 NAT router between IPSec routers. Normally, you cannot set up a VPN connection with a NAT router between the ...

Page 214: ...1 on page 222) to receive an initiating IPSec packet from IPSec router B, set the NAT router to forward UDP port 500 to IPSec router A. Preshared key: A preshared key identifies a communicating party during a phase 1 IKE negotiation (see IKE phases on page 238 for more information). It is called preshared because you have to share it with the other party before you can communicate with them over a secure c...

Page 215: ...PN client. Active: Select this check box to turn on this rule. Clear this check box if you do not want to use this rule after you apply it. If you want to set the Contivity Client rule to active, you must set all other VPN rules to inactive. To set a Contivity Client rule to active, all of the other VPN rules must be disabled. Keep Alive: Select this check box to turn on the Keep Alive feature for this SA. ...

Page 216: ...ve characters) of the remote IPSec router. You can use alphanumeric characters, the underscore (_), dash (-), period (.) and the @ symbol in a domain name. No spaces are allowed. User Name: Enter the username exactly as the IPSec router administrator gives it to you. Password: Enter the password exactly as the IPSec router administrator gives it to you. Advanced: Click Advanced to configure group authentication and on-dema...

Page 217: ... ID and Group Password fields when you enable Group Authentication. When Group Authentication is not enabled, the remote IPSec router uses the User Name and Password to authenticate the Business Secure Router. Group ID: Enter the group ID exactly as the IPSec router administrator gives it to you. This field only applies when you enable Group Authentication. Group Password: Enter the group password exact...

Page 218: ... addresses. The Business Secure Router can distinguish up to 12 incoming SAs, because you can select between two encryption algorithms (DES and 3DES), two authentication algorithms (MD5 and SHA1) and three key groups (DH1, DH2 and DH5) when you configure a VPN rule (see Configuring advanced Branch office setup on page 241). The ID type and content act as an extra level of identification for incoming SAs. Apply: ...

Page 219: ...rs) by which to identify this Business Secure Router. The domain name or e-mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address. Table 51 Peer ID type and content fields. Peer ID type / Content. IP: Type the IP address of the computer with which you make the VPN connection, or leave the field blank to have the B...

Page 220: ...he following applies if this field is configured as 0.0.0.0: The Business Secure Router uses the current Business Secure Router WAN IP address (static or dynamic) to set up the VPN tunnel. Table 52 Matching ID type and content configuration example. Business Secure Router A / Business Secure Router B. Local ID type: E-mail / Local ID type: IP. Local ID content: tom@yourcompany.com / Local ID content: 1.1.1.2. Peer ...

Page 221: ...the VPN tunnel when using dial backup, or the LAN IP address when using traffic redirect. See Chapter 7, WAN screens, on page 107 for details about dial backup and traffic redirect. Configuring Branch Office VPN Rule Setup: Select one of the VPN rules in the VPN Summary screen and click Edit to configure the rule. The VPN Branch Office Rule Setup screen is shown in Figure 71. ...

Page 222: Figure 71 VPN Branch Office rule setup ...

Page 223: ...iates the SA when it restarts. NAT Traversal: Select this check box to enable NAT traversal. With NAT traversal, you can set up a VPN connection when there are NAT routers between the two IPSec routers. The remote IPSec router must also have NAT traversal enabled. You can use NAT traversal with the ESP protocol using Transport or Tunnel mode, but not with the AH protocol. In order for an IPSec router behind a NAT ...

Page 224: ...rivate IP Address: This field displays the IP address or range of IP addresses of the computers on your Business Secure Router's local network for which you have configured this VPN rule. For a range of addresses, the starting and ending IP addresses are displayed, separated by a dash. This field applies when you configure the IP policy to use a branch tunnel NAT address mapping rule in the IP Policy...

Page 225: ...esses of a range of computers when the policy's Branch Tunnel NAT Address Mapping Rule Type field is configured to Many One-to-one in the IP Policy screen. This field displays the policy's local IP address or range of addresses when you disable branch tunnel NAT address mapping in the IP Policy screen. This field displays a single static IP address when the IP policy's Local Address Type field is co...

Page 226: ...olicy, and then click Edit to edit that IP policy. Delete: Select the radio button next to an IP policy that you want to remove, and then click Delete. Authentication Method: Select the Pre-Shared Key radio button to use a preshared secret key to identify the Business Secure Router. Select the Certificate radio button to identify the Business Secure Router by a certificate. Pre-Shared Key: Type your presha...

Page 227: ...ield, type an IP address or leave the field blank to have the Business Secure Router automatically use its own IP address. When you select DNS in the Local ID Type field, type a domain name (up to 31 characters) by which to identify this Business Secure Router. When you select E-mail in the Local ID Type field, type an e-mail address (up to 31 characters) by which to identify this Business Secure Router. Th...

Page 228: ...lt if this IP address changes. The following applies if this field is configured as 0.0.0.0 (the default): The Business Secure Router uses the current Business Secure Router WAN IP address (static or dynamic) to set up the VPN tunnel. If the WAN connection goes down, the Business Secure Router uses the dial backup IP address for the VPN tunnel when using dial backup, or the LAN IP address when using traffi...

Page 229: ...e and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. You can select a 128-bit, 192-bit or 256-bit key with this implementation of AES. AES is faster than 3DES. Select N...

Page 230: Configuring an IP Policy: Select one of the IP policies in the VPN Branch Office screen and click Add or Edit to configure the policy. The Branch Office IP Policy setup screen is shown in Figure 72. ...

Page 231: Chapter 13, VPN. Nortel Business Secure Router 252 Configuration Basics. Figure 72 VPN Branch Office IP Policy ...

Page 232: ...e Business Secure Router starts the IPSec connection idle timeout timer when it sends the ping packet. If there is no traffic from the remote IPSec router by the time the timeout period expires, the Business Secure Router disconnects the VPN tunnel. Control Ping IP Address: If you select Enable Control Ping, enter the IP address of a computer at the branch office. The computer's IP address must be in th...

Page 233: ...at are to use the VPN tunnel. Private Ending IP Address: When the Type field is configured to One-to-one, this field is N/A. When the Type field is configured to Many-to-One or Many One-to-one, enter the ending static IP address of the range of computers on your Business Secure Router's LAN that are to use the VPN tunnel. Virtual Starting IP Address: Virtual addresses must be static and correspond to the...

Page 234: ...ith the Secure Gateway Address field set to 0.0.0.0. Address Type: Use the drop-down menu to choose Single Address, Range Address or Subnet Address. Select Single Address for a single IP address. Select Range Address for a specific range of IP addresses. Select Subnet Address to specify IP addresses on a network by their subnet mask. Starting IP Address: When the Address Type field is configured to Single...

Page 235: ...the Protocol field and 21 (FTP) in the Port field. Remote: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. The remote fields do not apply when the Secure Gateway Address field is configured to 0.0.0.0. In this case, only the remote IPSec router can initiate the VPN. Two active SAs cannot have both the local and the remote IP addresses the same. You ...

Page 236: ...e Type, select Many-to-One, enter the private and virtual IP addresses, and click the Port Forwarding Server button to display the screen shown in Figure 73. Ending IP Address/Subnet Mask: When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address of the range of computers on the LAN behind your ...

Page 237: ...er. In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a default server IP address, all packets received for ports not specified in this screen are discarded. Number of an individual port forwarding server entry. Active: Select this check box to activate the port forwardi...

Page 238: ... Port: Type a port number in this field. To forward only one port, type the port number in the Start Port field above and then type it again in this field. To forward a series of ports, type the last port number in the series that begins with the port number in the Start Port field above. Server IP Address: Type your server IP address in this field. Apply: Click this button to save these settings and return ...

Page 239: ...ield, you can determine how long an IKE SA will stay up before it times out. An IKE SA times out when the IKE SA lifetime period expires. If an IKE SA times out when an IPSec SA is already established, the IPSec SA stays connected. In Phase 2, you must: choose which protocol to use (ESP or AH) for the IKE key exchange; choose an encryption algorithm; choose an authentication algorithm; choose whether to enabl...

Page 240: ... communicating parties are negotiating authentication (phase 1). It uses six messages in three round trips: SA negotiation, Diffie-Hellman exchange and an exchange of nonces (a nonce is a random number). This mode features identity protection (your identity is not revealed in the negotiation). Aggressive Mode is quicker than Main Mode because it eliminates several steps when the communicating parties are neg...

Page 241: ...lman exchange for each new IPSec SA setup. With PFS enabled, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys. The time-consuming Diffie-Hellman exchange is the trade-off for this extra security. This can be unnecessary for data that does not require such security, so PFS is disabled (None) by default in the Business Sec...

Page 242: ...etup. Label / Description. Enable Replay Detection: As VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Enable replay detection by setting this field to YES. Phase 1: A phase 1 exchange establishes an IKE SA (Security Association). ...

Page 243: ...more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES. Authentication Algorithm: Select SHA1 or MD5 from the drop-down list. The Business Secure Router's authentication algorithm must be identical to the remote IPSec router's. MD5 (Message Digest 5) and SHA1 (Secure Hash Algor...

Page 244: ...message, or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. You can select a 128-bit, 192-bit or 256-bit key with this implementation of AES. AES is fast...

Page 245: ...er. DH2 refers to Diffie-Hellman Group 2, a 1,024-bit (1Kb) random number (more secure, yet slower). DH5 refers to Diffie-Hellman Group 5, a 1,536-bit random number. Apply: Click Apply to temporarily save the settings and return to the VPN Branch Office Rule Setup screen. The advanced settings are saved to the Business Secure Router if you click Apply in the VPN Branch Office Rule Setup screen. Cancel: Click Ca...

Page 246: ...ddress in a range of computers on the remote network behind the remote IPSec router. Encapsulation: This field displays Tunnel or Transport mode. IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase Business Secure Router processing requirements and communications latency (delay). Refresh: Click Refresh to display the current active VPN connections. This butto...

Page 247: ...Input/Output System) are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. It is sometimes necessary to allow NetBIOS packets to pass through VPN tunnels in order to allow local computers to find computers on the remote network, and vice versa. Allow Through IPSec Tunnel: Select this check box to send NetBIOS packets through the VPN connection. Exclusive Use Mode for Cl...

Page 248: ...client to establish a VPN connection to a backup IPSec router when the default remote IPSec router (specified in the Destination field) is not accessible. The VPN fail-over feature must also be set up in the remote IPSec router. First Gateway, Second Gateway, Third Gateway: These read-only fields display the IP addresses of the backup IPSec routers. The Business Secure Router automatically gets this infor...

Page 249: Figure 78 VPN Client Termination ...

Страница 250: ...iations RADIUS Server Select this option to have the Business Secure Router use an external RADIUS server to identify the Contivity VPN clients during phase 1 IKE negotiations Click Configure RADIUS Server to specify the associated external RADIUS server Group ID The Contivity VPN clients send the group ID and group password to the Business Secure Router for or initial authentication After a succe...

Page 251: ...t You can select a 128 bit key implementation of AES AES is faster than 3DES SHA1 Secure Hash Algorithm and MD5 Message Digest 5 are hash algorithms used to authenticate packet data SHA1 algorithm is generally considered stronger than MD5 but is slower IKE Encryption and Diffie Hellman Group Select the combinations of encryption algorithm and Diffie Hellman key group that the Business Secure Route...

Page 252: ...Enable Perfect Forward Secrecy Perfect Forward Secrecy PFS is disabled by default in phase 2 IPSec SA setup This allows faster IPSec setup but is not so secure Turn on PFS to use the Diffie Hellman exchange to create a new key for each IPSec SA setup Rekey Timeout Set the allowed lifetime for an individual key used for data encryption before negotiating a new key A setting of 00 00 00 disables the...

Page 253: ...This field displays the label that you configure for the IP address pool Active This field displays whether or not the IP address pool is turned on Starting Address This field displays the first IP address in the IP address pool Subnet mask This field displays the subnet mask that you specified to define the IP address pool Pool size This field displays how many IP addresses you set the Business S...

Page 254: ... you can configure the entry Use this screen to configure a range of IP addresses to assign to the Contivity VPN clients Figure 80 VPN Client Termination IP pool edit Table 62 describes the fields in Figure 80 Table 62 VPN Client Termination IP pool edit Label Description Active Turn on the IP pool if you want the Business Secure Router to use it in assigning IP addresses to the Contivity VPN clie...

Page 255: ...en Use this screen to configure detailed settings for use with all of the Contivity VPN Client tunnels Pool Size Specify how many IP addresses the Business Secure Router is to give out from the pool created by the starting address and subnet mask 256 is the maximum Apply Click Apply to save your changes to the Business Secure Router Cancel Click Cancel to return to the IP Pool Summary screen witho...

Page 256: ...256 Chapter 13 VPN NN47923 500 Figure 81 VPN Client Termination advanced ...

Page 257: ...is UDP port to the VPN Contivity client behind the NAT router Fail Over The fail over feature allows a Contivity VPN client to establish a VPN connection to a backup IPSec router when the Business Secure Router is not accessible The VPN fail over feature must also be set up in the Contivity VPN clients First Gateway Second Gateway Third Gateway Enter the IP addresses of the backup IPSec routers Wh...

Page 258: ...ies what the Business Secure Router does when it detects a noncompliant version of Contivity VPN client software Select None to allow the VPN tunnel without displaying any messages to tell the user where to download the required version of the Contivity VPN client software Select Send Message to allow the VPN tunnel but display a message to tell the user where to download the required version of t...

Page 259: ...s to have both numbers and letters Maximum Password Age Enter the maximum number of days that a Contivity VPN client can use a password before it has to be changed 0 means that a password never expires Minimum Password Length Enter the minimum number of characters that can be used for a Contivity VPN client password Apply Click Apply to save your changes to the Business Secure Router Reset Click R...

Page 260: ...260 Chapter 13 VPN NN47923 500 ...

Page 261: ...tion authorities You can use the Business Secure Router to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority In public key encryption and decryption each host has two keys One key is public and can be made openly available the other key is private and must be kept secure Public key encryption i...

Page 262: ...es maintain directory servers with databases of valid and revoked certificates A directory of certificates that have been revoked before the scheduled expiration is called a CRL Certificate Revocation List The Business Secure Router can check a peer s certificate against a list of revoked certificates on a directory server The framework of servers software procedures and policies that handles keys...

Page 263: ...gned certificates Use the Trusted CA screens to save CA certificates to the Business Secure Router Use the Trusted Remote Hosts screens to import self signed certificates Use the Directory Servers screen to configure a list of addresses of directory servers that contain lists of valid and revoked certificates My Certificates Click CERTIFICATES My Certificates to open the summary list of certificates a...

Page 264: ...264 Chapter 14 Certificates NN47923 500 Figure 83 My Certificates ...

Page 265: ...nd a certification request to a certification authority which then issues a certificate Use the My Certificate Import screen to import the certificate and replace the request SELF represents a self signed certificate SELF represents the default self signed certificate which the Business Secure Router uses to sign imported trusted remote host certificates CERT represents a certificate issued by a c...

Page 266: ...o other features such as HTTPS VPN or SSH are configured to use the SELF certificate 2 Click the details icon next to another self signed certificate see the description on the Create button if you need to create a self signed certificate 3 Select the Default self signed certificate which signs the imported remote host certificates check box 4 Click Apply to save the changes and return to the My C...

Page 267: ... convert a binary PKCS 7 certificate into a printable form Importing a certificate Click CERTIFICATES My Certificates and then Import to open the My Certificate Import screen Follow the instructions on the screen shown in Figure 84 to save an existing certificate to the Business Secure Router Note 1 You can only import a certificate that matches a corresponding certification request generated by t...

Page 268: ...e Import Label Description File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the certificate file you want to upload Apply Click Apply to save the certificate to the Business Secure Router Cancel Click Cancel to quit and return to the My Certificates screen ...

Page 269: ...cate Click CERTIFICATES My Certificates and then Create to open the My Certificate Create screen Use this screen to have the Business Secure Router create a self signed certificate enroll a certificate with a certification authority or generate a certification request For more information see Figure 85 ...

Page 270: ...270 Chapter 14 Certificates NN47923 500 Figure 85 My Certificate create ...

Page 271: ...and can be any string Organizational Unit Type up to 127 characters to identify the organizational unit or department to which the certificate owner belongs You can use any character including spaces but the Business Secure Router drops trailing spaces Organization Type up to 127 characters to identify the company or group to which the certificate owner belongs You can use any character including ...

Page 272: ...requires it Enrollment Protocol Select the certification authority enrollment protocol from the drop down list Simple Certificate Enrollment Protocol SCEP is a TCP based enrollment protocol that was developed by VeriSign and Cisco Certificate Management Protocol CMP is a TCP based enrollment protocol that was developed by the Public Key Infrastructure X 509 working group of the Internet Engineerin...

Page 273: ...eturn and check your information in the My Certificate Create screen Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the Business Secure Router to enroll a certificate online My Certificate details Click CERTIFICATES and then My Certificates to open the My Certificates screen see Figure 83 Click the details icon to...

Page 274: ...274 Chapter 14 Certificates NN47923 500 Figure 86 My Certificate details ...

Page 275: ...tificate itself If the issuing certification authority is one that you have imported as a trusted certification authority it can be the only certification authority in the list along with the certificate itself If the certificate is a self signed certificate the certificate itself is the only one in the list The Business Secure Router does not trust the certificate and displays Not trusted in this...

Page 276: ...as already expired Key Algorithm This field displays the type of algorithm that was used to generate the key pair the Business Secure Router uses RSA encryption of the certificate and the length of the key set in bits 1 024 bits for example Subject Alternative Name This field displays the certificate owner s IP address IP domain name DNS or e mail address EMAIL Key Usage This field displays for wh...

Page 277: ...copy and paste a certification request into a certification authority Web page an e mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment You can copy and paste a certificate into an e mail to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management ...

Page 278: ...hen the bar is red consider deleting expired or unnecessary certificates before adding more certificates This field displays the certificate index number The certificates are listed in alphabetical order Name This field displays the name used to identify this certificate Subject This field displays identifying information about the owner of the certificate such as CN Common Name OU Organizational Unit or depa...

Page 279: ...cation authority issues Certificate Revocation Lists for the certificates that it has issued and you have selected the Issues certificate revocation lists CRL check box in the certificate details screen to have the Business Secure Router check the CRL before trusting any certificates issued by the certification authority Otherwise the field displays No Modify Click the details icon to open a scree...

Page 280: ... a trusted certification authority certificate to the Business Secure Router Figure 88 Trusted CA import Table 69 describes the labels in Figure 88 Note You must remove any spaces from the certificate filename before you can import the certificate Table 69 Trusted CA import Label Description File Path Type in the location of the file you want to upload in this field or click Browse to find it Brow...

Page 281: ...o view in depth information about the certification authority certificate change the certificate name and set whether or not you want the Business Secure Router to check a certification authority list of revoked certificates before trusting a certificate issued by the certification authority Apply Click Apply to save the certificate on the Business Secure Router Cancel Click Cancel to quit and ret...

Page 282: ...282 Chapter 14 Certificates NN47923 500 Figure 89 Trusted CA details ...

Page 283: ...y certification authority in the list along with the certificate of the end entity The Business Secure Router does not trust the end entity certificate and displays Not trusted in this field if any certificate on the path has expired or been revoked Refresh Click Refresh to display the certification path Certificate Information These read only fields display detailed information about the certific...

Page 284: ...e Key Usage This field displays for what functions the certificate key can be used For example DigitalSignature means that the key can be used to sign certificates and KeyEncipherment means that the key can be used to encrypt text Basic Constraint This field displays general information about the certificate For example Subject Type CA means that this is a certification authority certificate and P...

Page 285: ...ertificate or certification request in Privacy Enhanced Mail PEM format PEM uses 64 ASCII characters to convert the binary certificate into a printable form You can copy and paste the certificate into an e mail to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution through floppy disk for examp...

Page 286: ...fault Self signed Certificate This field displays identifying information about the default self signed certificate on the Business Secure Router that the Business Secure Router uses to sign the trusted remote host certificates This field displays the certificate index number The certificates are listed in alphabetical order Name This field displays the name used to identify this certificate Subje...

Page 287: ...splays the date that the certificate becomes applicable The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable Valid To This field displays the date that the certificate expires The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired Modify Click the details icon to ope...

Page 288: ...st certificates 3 Double click the certificate icon to open the Certificate window Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields Figure 92 Certificate details Verify over the phone for example that the remote host has the same information in the Thumbprint Algorithm and Thumbprint fields ...

Page 289: ... Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen Follow the instructions in this screen to save a trusted host certificate to the Business Secure Router see Figure 93 Figure 93 Trusted remote host import Note The trusted remote host certificate must be a self signed certificate and you must remove any spaces from its file name before you can import it ...

Page 290: ... this screen to view in depth information about the trusted remote host certificate and change the certificate name Table 72 Trusted remote host import Label Description File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the certificate file you want to upload Apply Click Apply to save the certificate on the Business S...

Page 291: ...Chapter 14 Certificates 291 Nortel Business Secure Router 252 Configuration Basics Figure 94 Trusted remote host details ...

Page 292: ...t the certificate Type This field displays general information about the certificate With trusted remote host certificates this field always displays CA signed The Business Secure Router is the Certification Authority that signed the certificate X 509 means that this certificate was created and signed according to the ITU T X 509 recommendation that defines the formats for public key certificates ...

Page 293: ... value to verify that this is the remote host s actual certificate because the Business Secure Router has signed the certificate thus causing this value to be different from that of the remote host s actual certificate See Verifying a certificate of a trusted remote host on page 287 for how to verify a remote host s certificate SHA1 Fingerprint This is the message digest of the certificate that th...

Page 294: ...fication authority s list of revoked certificates the Business Secure Router first checks the servers listed in the CRL Distribution Points field of the incoming certificate If the certificate does not list a server or the listed server is not available the Business Secure Router checks the servers listed here Figure 95 Directory servers Apply Click Apply to save your changes to the Business Secur...

Page 295: ...rtificates The index number of the directory server The servers are listed in alphabetical order Name This field displays the name used to identify this directory server Address This field displays the IP address or domain name of the directory server Port This field displays the port number that the directory server uses Protocol This field displays the protocol that the directory server uses Mod...

Page 296: ...s spaces are not permitted to identify this directory server Access Protocol Use the drop down list to select the access protocol used by the directory server LDAP Lightweight Directory Access Protocol is a protocol over TCP that specifies how clients access directories certificates and lists of revoked certificates 1 Server Address Type the IP address in dotted decimal notation or the domain name...

Page 297: ...r must authenticate itself in order to access the directory server Type the logon name up to 31 ASCII characters from the entity maintaining the directory server usually a certification authority Password Type the password up to 31 ASCII characters from the entity maintaining the directory server usually a certification authority Apply Click Apply to save your changes to the Business Secure Router...

Page 298: ...298 Chapter 14 Certificates NN47923 500 ...

Page 299: ... use of real time applications such as Voice over IP VoIP increasing the requirement for bandwidth allocation is also increasing Bandwidth management addresses questions such as Who gets how much access to specific applications Which traffic must have guaranteed delivery How much bandwidth is allotted to guarantee delivery With bandwidth management you can configure the allowed output for an inter...

Page 300: ...bclass View your configured bandwidth subclasses for a given interface in the Class Setup tab see Configuring class setup on page 303 for details The total of the configured bandwidth budgets cannot exceed the configured bandwidth budget for the interface as specified in Configuring summary on page 302 Proportional bandwidth allocation With bandwidth management you can define how much bandwidth ea...

Page 301: ...an application Table 76 shows bandwidth allocations for application specific traffic from separate LAN subnets Reserving bandwidth for nonbandwidth class traffic If you want to allow bandwidth for traffic that is not defined in a bandwidth filter leave some of the bandwidth on the interface unbudgeted Table 76 Application and Subnet based Bandwidth Management Example Traffic Type From Subnet A Fro...

Page 302: ...mmary Label Description WAN LAN These read only labels represent the physical interfaces Select the check box next to an interface to enable bandwidth management on that interface Bandwidth management applies to all traffic flowing out of the router through the interface regardless of the traffic source Traffic redirect or IP alias can cause LAN to LAN traffic to pass through the Business Secure R...

Page 303: ...or the root class To add or delete child classes on an interface click BW MGMT then the Class Setup tab The screen appears as shown in Figure 99 Speed kbps Enter the amount of bandwidth for this interface that you want to allocate using bandwidth management This appears as the bandwidth budget of the interface root class see Configuring class setup on page 303 Nortel recommends that you set this s...

Page 304: ...ses Bandwidth Management This field displays whether bandwidth management on the interface you selected in the field above is enabled Active or not Inactive Add Sub Class Click Add Sub Class to add a subclass Edit Click Edit to go to a screen where you can configure the selected subclass You cannot edit the root class Delete Click Delete to remove the selected subclass You cannot delete the root c...

Page 305: ... 0 0 0 0 0 means all Destination Port This field displays the port number of the destination 0 means all ports Source IP Address This field displays the source IP address in dotted decimal notation followed by the subnet mask The IP 0 0 0 0 0 means all Source Port This field displays the port number of the source The 0 means all ports Protocol ID This field displays the protocol ID service type nu...

Page 306: ...se the autogenerated name or enter a descriptive name of up to 20 alphanumeric characters including spaces Bandwidth Budget kbps Specify the maximum bandwidth allowed for the class in kb s The recommendation is a setting between 20 kbps and 20 000 kbps for an individual class The bandwidth you specify cannot cause the total allocated bandwidths of this and all other subclasses to exceed the bandwi...

Page 307: ...ic If you select H 323 make sure you also turn on the H 323 ALG For more information about ALG see ALG on page 94 SIP Session Initiation Protocol is a signaling protocol used in Internet telephony instant messaging events notification and conferencing The Business Secure Router supports SIP traffic pass through Select SIP from the drop down list to configure this bandwidth filter for SIP traffic T...

Page 308: ... See Table 80 for some common services and port numbers Protocol ID Enter the protocol ID service type number for example 1 for ICMP 6 for TCP or 17 for UDP Apply Click Apply to save your changes to the Business Secure Router Cancel Click Cancel to exit this screen without saving Table 80 Services and port numbers Services Port Number ECHO 7 FTP File Transfer Protocol 21 SMTP Simple Mail Transfer ...

Page 309: ...transmitted Dropped Packets This field displays the total number of packets dropped Dropped Bytes This field displays the total number of bytes dropped Bandwidth Statistics for the Past 8 Seconds t 8 to t 1 This field displays the bandwidth statistics in b s for the past one to eight seconds For example t 1 means one second ago Update Period Seconds Enter the time interval in seconds to define how...

Page 310: ...abels in Figure 102 Table 82 Bandwidth manager monitor Label Description Interface Select an interface from the drop down list to view the bandwidth usage of its bandwidth classes Class This field displays the name of the class Budget kbps This field displays the amount of bandwidth allocated to the class Current Usage kbps This field displays the amount of bandwidth that each class is using Refre...

Page 311: ...IUS RADIUS is based on a client server model that supports authentication and accounting where users are the clients and the server is the RADIUS server The RADIUS server handles the following tasks among others Authentication Determines the identity of the users Accounting Keeps track of the client s network activity RADIUS is a simple package exchange in which your Business Secure Router acts as ...

Page 312: ...ting Response Sent by the RADIUS server to indicate that it has started or stopped accounting In order to ensure network security the Business Secure Router and the RADIUS server use a shared secret key which is a password they both know The key is not sent over the network In addition to the shared key password information exchanged is also encrypted to protect the network from unauthorized acces...

Page 313: ...cription of how IEEE 802 1x EAP authentication works 1 The user sends a start message to the Business Secure Router 2 The Business Secure Router sends a request identity message to the user for identity information 3 The user replies with identity information including username and password 4 The RADIUS server checks the user information against its user profile database and determines whether or ...

Page 314: ...ion Required to allow all users to access your network without authentication Select No Access to deny all users access to your wired network Reauthentication Period Specifies the time interval between the RADIUS server authentication checks of users connected to the network This field is active only when you select Authentication Required in the Authentication Type field Idle Timeout Seconds The ...

Page 315: ...ver for a user s username and password Select Local first then RADIUS to have the Business Secure Router first check the user database on the Business Secure Router for a user s username and password If the username is not found the Business Secure Router then checks the user database on the specified RADIUS server Select RADIUS first then Local to have the Business Secure Router first check the u...

Page 316: ...316 Chapter 16 IEEE 802 1x NN47923 500 ...

Page 317: ...limited number of users Introduction to Local User database By storing user profiles locally on the Business Secure Router your Business Secure Router is able to authenticate users without interacting with a network RADIUS server However there is a limit on the number of users you can authenticate in this way Local User database To see the local user list click AUTH SERVER The Local User Database ...

Page 318: ...ption User ID This field displays the logon name for the user account Active This field displays Yes if the user account is enabled or No if it is disabled User type This field displays whether the user account can be used for an IEEE 802 1X or IPSec logon or both Last Name This field displays the user s last name First Name This field displays the user s first name ...

Page 319: ...ounts A dash appears for all other accounts Valid displays if an IPSec user can use the account to log on Expired displays if an IPSec user can no longer use the account to log on This happens when you have enabled Password Management in the VPN Client Termination Advanced screen and the account password has exceeded the time that you configured as the Maximum Password Age Edit Select a user account...

Page 320: ...320 Chapter 17 Authentication server NN47923 500 Figure 106 Local User database edit ...

Page 321: ... or 802 1X IPSec in the User Type field First Name Enter the user s first name Last Name Enter the user s last name Static IP Address Enter the IP address of the remote user in dotted decimal notation Static Subnet Mask Enter the subnet mask of the remote user Split Tunneling Enable or disable split tunneling or inverse split tunneling Select Disable to force all traffic to be encrypted and go thr...

Page 322: ...This field applies when you select Enabled in the Split Tunneling field Select the network for which you force traffic to be encrypted and go through the VPN tunnel Inverse Split Tunnel Network This field applies when you select Enabled Inverse or Enabled Inverse locally connected in the Split Tunneling field Select the network for which you do not force traffic to be encrypted and go through the ...

Page 323: ...o use with split or inverse split VPN tunnels Table 86 Current split networks Label Description Return to Local User Database User Edit Page Click this link to return to the screen where you configure a local user database entry Current Split Networks This is the list of names of split or inverse split networks Add Click Add to open another screen where you can specify split or inverse split netwo...

Page 324: ...escribes the labels in Figure 108 Table 87 Current split networks edit Label Description Network Name Enter a name to identify the split network IP Address Enter the IP address for the split network in dotted decimal notation Netmask Enter the netmask for the split network in dotted decimal notation ...

Page 325: ...gure 109 Current Subnets for Network This box displays the subnets that belong to this split network Add Click Add to save your split network configuration Delete Select a network subset and click Delete to remove it Clear Click Clear to remove all of the configuration field and subnet settings Apply Click Apply to save your changes to the Business Secure Router Cancel Click Cancel to exit this sc...

Page 326: ...ption Authentication Server Active Select the check box to enable user authentication through an external authentication server Clear the check box to enable user authentication using the local user profile on the Business Secure Router Server IP Address Enter the IP address of the external authentication server in dotted decimal notation ...

Page 327: ...e check box to enable user accounting through an external authentication server Server IP Address Enter the IP address of the external accounting server in dotted decimal notation Port Number The default port of the RADIUS server for accounting is 1813 You need not change this value unless your network administrator instructs you to do so with additional information Key Enter a password up to 31 a...

Page 328: ...328 Chapter 17 Authentication server NN47923 500 ...

Page 329: ...can manage your Business Secure Router from a remote location through Internet WAN only LAN only ALL LAN and WAN Neither Disable To disable remote management of a service select Disable in the corresponding Server Access field Remote management limitations Remote management over LAN or WAN does not work if Note When you configure remote management to allow management from the WAN you still need to...

Page 330: ...n is running with a Telnet session A web session is disconnected if you begin a Telnet session and does not begin if a Telnet session is already running 7 A firewall rule blocks access to the device Remote management and NAT When NAT is enabled Use the Business Secure Router WAN IP address when configuring from the WAN Use the Business Secure Router LAN IP address when configuring from the LAN System t...

Page 331: ...ess the Business Secure Router using the WebGUI The SSL protocol specifies that the SSL server the Business Secure Router must always authenticate itself to the SSL client the computer that requests the HTTPS connection with the Business Secure Router whereas the SSL client only authenticates itself when the SSL server requires it to do so select Authenticate Client Certificates in the REMOTE MGMT...

Page 332: ...TTPS implementation Configuring WWW To change your Business Secure Router Web settings click REMOTE MGMT to open the WWW screen Note If you disable HTTP Server Access Disable in the REMOTE MGMT WWW screen the Business Secure Router blocks all HTTP connection attempts ...

Page 333: ...r and must always authenticate itself to the SSL client the computer that requests the HTTPS connection with the Business Secure Router Authenticate Client Certificates Select Authenticate Client Certificates optional to require the SSL client to authenticate itself to the Business Secure Router by sending the Business Secure Router a certificate To do that the SSL client must have a CA signed cer...

Page 334: ...nt is a trusted computer that is allowed to communicate with the Business Secure Router using this service Select All to allow any computer to access the Business Secure Router using this service Choose Selected to just allow the computer with the IP address that you specify to access the Business Secure Router using this service HTTP Server Port You can change the server port number for a service...

Page 335: ...12 appears in Internet Explorer Select Yes to proceed to the WebGUI logon screen if you select No then WebGUI access is blocked Figure 112 Security Alert dialog box Internet Explorer Netscape Navigator warning messages When you attempt to access the Business Secure Router HTTPS server a Website Certified by an Unknown Authority screen shown in Figure 113 appears asking if you trust the server cert...

Page 336: ...er 18 Remote management screens NN47923 500 Select Accept this certificate permanently to import the Business Secure Router certificate into the SSL client Figure 113 Security Certificate 1 Netscape ...

Page 337: ...ctory default certificate is the Business Secure Router itself since the certificate is a self signed certificate For the browser to trust a self signed certificate import the self signed certificate into your operating system as a trusted certificate To have the browser trust the certificates issued by a certificate authority import the certificate authority s certificate into your operating syst...

Page 338: ...use this procedure if you need to access the WAN port and it uses a dynamically assigned IP address. a. Create a new certificate for the Business Secure Router that uses the IP address of the Business Secure Router port that you are trying to access as the common name of the certificate. For example, to use HTTPS to access a LAN port with IP address 192.168.1.1, create a certificate that uses 192.168...

Page 339: ...Figure 115: Logon screen (Internet Explorer). ...

Page 340: ...Figure 116: Login screen (Netscape). Click Login to proceed. The screen shown in Figure 117 appears. The factory default certificate is a common default certificate for all Business Secure Router models. ...

Page 341: ...Figure 117: Replace certificate. Click Apply in the Replace Certificate screen to create a certificate, using your Business Secure Router MAC address, that is specific to this device. Click CERTIFICATES to open the My Certificates screen. You see information similar to that shown in Figure 118. ...

Page 342: ...Figure 118: Device-specific certificate. Click Ignore in the Replace Certificate screen to use the common Business Secure Router certificate. The My Certificates screen appears (Figure 119). ...

Page 343: ...e 119: Common Business Secure Router certificate. SSH overview: Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure, encrypted communication between two hosts over an unsecured network. ...

Page 344: ...a secure connection is established between two remote hosts. Figure 121: How SSH works. 1. Host Identification: The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result to the server. ...

Page 345: ...r. The client then sends its authentication information (username and password) to the server to log on to the server. SSH implementation on the Business Secure Router: Your Business Secure Router supports SSH version 1.5 using RSA authentication and three encryption methods (DES, 3DES and Blowfish). The SSH server is implemented on the Business Secure Router for remote SMT management and file transfer on...

Page 346: ...owever, you must use the same port number in order to use that service for remote management. Server Access: Select the interfaces (if any) through which a computer can access the Business Secure Router using this service. Secure Client IP Address: A secure client is a trusted computer that is allowed to communicate with the Business Secure Router using this service. Select All to allow any computer to ac...

Page 347: ...e Example 1: Microsoft Windows. This section describes how to access the Business Secure Router using the Secure Shell Client program. 1. Launch the SSH client and specify the connection information (IP address, port number or device name) for the Business Secure Router. 2. Configure the SSH client to accept connection using SSH version 1. 3. A window appears, prompting you to store the host key in your comput...

Page 348: ...ult IP address of 192.168.1.1. A message displays indicating the SSH protocol version supported by the Business Secure Router. Figure 124: SSH Example 2, Test. 2. Enter ssh -1 192.168.1.1. This command forces your computer to connect to the Business Secure Router using SSH version 1. If this is the first time you are connecting to the Business Secure Router using SSH, a message appears prompting you to save...

Page 349: ...ecure Router for secure file transfer using SSH version 1. If this is the first time you are connecting to the Business Secure Router using SSH, a message displays prompting you to save the host information of the Business Secure Router. Type yes and press ENTER. 2. Enter the password to log on to the Business Secure Router. 3. Use the put command to upload a new firmware to the Business Secure Router. ss...

Page 350: ...ing to 192.168.1.1. The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established. RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1. Are you sure you want to continue connecting (yes/no)? yes. Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts. Administrator@192.168.1.1's password: sftp> put firmware.bin ras. Uploading firmware.bin to ras. Read from remote hos...

Page 351: ...t Server Access: Select the interfaces (if any) through which a computer can access the Business Secure Router using this service. Secured Client IP Address: A secured client is a trusted computer that is allowed to communicate with the Business Secure Router using this service. Select All to allow any computer to access the Business Secure Router using this service. Choose Selected to allow only the com...

Page 352: ...ings, click REMOTE MANAGEMENT and then the FTP tab. The screen appears as shown in Figure 129. Figure 129: FTP. Table 92 describes the fields in Figure 129. Table 92: FTP (Label / Description). Server Port: You can change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management. Server Access: Select the interfaces (if any) through...

Page 353: ...rates an SNMP management operation. SNMP is only available if TCP/IP is configured. The default get and set communities are public. Secured Client IP Address: A secured client is a trusted computer that is allowed to communicate with the Business Secure Router using this service. Select All to allow any computer to access the Business Secure Router using this service. Choose Selected to allow only the c...

Page 354: ...etwork management functions. It executes applications that control and monitor managed devices. The managed devices contain object variables and managed objects that define each piece of information to be collected about a device. Examples of variables include number of packets received and node port status. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and...

Page 355: ...data and monitor status and performance. SNMP Traps: The Business Secure Router sends traps to the SNMP manager when any one of the following events occurs. Table 93: SNMP traps (Trap / Trap Name / Description). 0: coldStart (defined in RFC 1215): A trap is sent after booting (power on). 1: warmStart (defined in RFC 1215): A trap is sent after booting (software reboot). 4: authenticationFailure (defined in RFC 1215): A trap...

Page 356: ...131. Figure 131: SNMP. Table 94 describes the fields in Figure 131. Table 94: SNMP (Label / Description). SNMP Configuration. Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is PlsChgMe RO. Set Community: Enter the Set Community, which is the password for incoming Set requests from the management station. The default i...

Page 357: ...r. The default is public and allows all requests. Destination: Type the IP address of the station to send your SNMP traps to. SNMP Service Port: You can change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management. Service Access: Select the interfaces (if any) through which a computer can access the Business Secure Router us...

Page 358: ...ver Access: Select the interfaces (if any) through which a computer can send DNS queries to the Business Secure Router. Secured Client IP Address: A secured client is a trusted computer that is allowed to send DNS queries to the Business Secure Router. Select All to allow any computer to send DNS queries to the Business Secure Router. Choose Selected to allow only the computer with the IP address that yo...

Page 359: ...s in Figure 133. Note: In order to allow Ping on the WAN, you must also configure a WAN-to-WAN Business Secure Router rule that allows PING (ICMP 0) traffic. Table 96: Security (Label / Description). ICMP: Internet Control Message Protocol is a message control and error reporting protocol between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams, but the messages are processed...

Page 360: ...rt requests for unused ports, thus leaving the unused ports and the Business Secure Router unseen. If the firewall blocks a packet from the WAN, the Business Secure Router sends a TCP reset packet. Use the sys firewall tcprst rst off command in the command interpreter if you want to stop the Business Secure Router from sending TCP reset packets. Apply: Click Apply to save your customized settings and ex...

Page 361: ...in use. How do I know if I am using UPnP? UPnP hardware is identified as an icon in the Network Connections folder (Windows XP). Each UPnP-compatible device installed on your network appears as a separate icon. By selecting the icon of a UPnP device, you can access the information and properties of that device. NAT Traversal: UPnP NAT traversal automates the process of allowing an application to operate t...

Page 362: ...enabled devices can communicate freely with each other without additional configuration. If this is not your intention, disable UPnP. UPnP implementation: The device has UPnP certification from the Universal Plug and Play Forum Creates UPnP Implementers Corp (UIC). This UPnP implementation supports IGD 1.0 (Internet Gateway Device). At the time of writing, the UPnP implementation supports Windows Messenger...

Page 363: ...ugh UPnP: Select this check box to allow UPnP-enabled applications to automatically configure the Business Secure Router so that they can communicate through the Business Secure Router. For example, by using NAT traversal, UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP-enabled device, eliminating the need to manually configure port forwarding for...

Page 364: ...fers, the Business Secure Router can keep a record when your computer uses UPnP to create a NAT forwarding rule for that service. The following read-only table displays information about the UPnP-created NAT mapping rule entries in the NAT routing table. This is the index number of the UPnP-created NAT mapping rule entry. Remote Host: This field displays the source IP address (on the WAN) of inbound IP p...

Page 365: ...e unmapped to the Internal Client. Protocol: This field displays the protocol of the NAT mapping rule (TCP or UDP). Internal Port: This field displays the port number on the Internal Client to which the Business Secure Router forwards incoming connection requests. Internal Client: This field displays the DNS host name or IP address of a client on the LAN. Multiple NAT clients can use a single port simultan...

Page 366: ...ow, select the Universal Plug and Play check box in the Components selection box. 4. Click OK to return to the Add/Remove Programs Properties window and click Next. 5. Restart the computer when prompted. Figure 137: Communications. Installing UPnP in Windows XP: Follow the steps below to install UPnP in Windows XP. ...

Page 367: ...s. 3. In the Network Connections window, click Advanced in the main menu and select Optional Networking Components. The Windows Optional Networking Components Wizard window appears. Figure 138: Network connections. 4. Select Networking Service in the Components selection box and click Details. Figure 139: Windows optional networking components wizard. ...

Page 368: ...Using UPnP in Windows XP example: This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the device. Make sure the computer is connected to a LAN port of the device. Turn on your computer and the Business Secure Router. Autodiscover Your UPnP-enabled Network Device: 1. Click Start and Control Panel. Double-click Network C...

Page 369: ...2. Right-click the icon and select Properties. Figure 141: Internet gateway icon. 3. In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. Figure 142: Internet connection properties. ...

Page 370: ...the port mappings, or click Add to manually add port mappings. Figure 143: Internet connection properties, advanced setup. Figure 144: Service settings. Note: When the UPnP-enabled device is disconnected from your computer, all port mappings are deleted automatically. ...

Page 371: ...nection icon. 6. Double-click the icon to display your current Internet connection status. Figure 146: Internet connection status. WebGUI easy access: With UPnP, you can access the WebGUI without first finding out its IP address. This is helpful if you do not know the IP address of your Business Secure Router. Follow the steps below to access the WebGUI. 1. Click Start and then Control Panel. 2. Double-click N...

Page 372: ...laces. Figure 147: Network connections. 4. An icon with the description for each UPnP-enabled device displays under Local Network. 5. Right-click the icon for your Business Secure Router and select Invoke. The WebGUI logon screen displays. Figure 148: My Network Places, Local network. ...

Page 373: ...on. Click LOGS to open the View Log screen. Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen (see Configuring Log settings on page 375). Options include logs about system maintenance, system errors, access control, allowed or blocked Web sites, blocked Web features (such as ActiveX controls, Java and cookies), attacks (such as DoS) and IPSec. Log entries in r...

Page 374: ...og was recorded. Refer to Configuring Time and Date on page 90 for information about configuring the time and date. Message: This field states the reason for the log. Source: This field lists the source IP address and the port number of the incoming packet. Destination: This field lists the destination IP address and the port number of the incoming packet. Note: This field displays additional information a...

Page 375: ...re serious attention, including system errors, attacks, access control and attempted access to blocked Web sites or Web sites with restricted Web features such as cookies or ActiveX. Some categories, such as System Errors, consist of both logs and alerts. You can differentiate between logs and alerts by their color in the View Log screen: alerts display in red and logs display in black. Refresh: Click Refr...

Page 376: ...376 Chapter 20 Logs Screens NN47923-500. Figure 150: Log settings. ...

Page 377: ...nt through e-mail. Syslog Logging: Syslog logging sends a log to an external syslog server used to store logs. Active: Click Active to enable syslog logging. Syslog Server IP Address: Enter the server name or IP address of the syslog server that logs the selected categories of logs. Log Facility: Select a location from the drop-down list. In the log facility, you can log the messages to different files in t...

Page 378: ...Log: Enter the time of the day, in 24-hour format (for example, 23:00 equals 11:00 p.m.), to send the logs. Log: Select the categories of the logs that you want to record. Logs include alerts. Send Immediate Alert: Select the categories of alerts for which you want the Business Secure Router to instantly e-mail alerts to the e-mail address specified in the Send Alerts To field. Log Consolidation: Active: Some lo...

Page 379: ...HTTP GET packets. Many Web sites include HTTP GET references to other Web sites, and the Business Secure Router can count these as hits; thus the Web hit count is not yet 100% accurate. Figure 151: Reports. Note: The Web site hit count may not be 100% accurate, because sometimes when an individual Web page loads it can contain references to other Web sites that also get counted as hits. Note: Enabling the report...

Page 380: ...een. Apply: Click Apply to save your changes to the Business Secure Router. Reset: Click Reset to begin configuring this screen afresh. Report Type: Use the drop-down list to select the type of reports to display. Web Site Hits displays the Web sites that have been visited the most often from the LAN and how many times they have been visited. Protocol/Port displays the protocols or service ports that have...

Page 381: ...he domain names of the Web sites visited most often from computers on the LAN. The names are ranked by the number of visits to each Web site and listed in descending order, with the most visited Web site listed first. The Business Secure Router counts each page viewed in a Web site as another hit on the Web site. Hits: This column lists how many times each Web site has been visited. The count starts ove...

Page 382: ...een, select Protocol/Port from the Report Type drop-down list to have the Business Secure Router record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports. Figure 153: Protocol/Port report example. ...

Page 383: ...tocol or service port listed first. Direction: This column lists the direction of travel of the traffic belonging to each protocol or service port listed. Incoming refers to traffic that is coming into the Business Secure Router LAN from the WAN. Outgoing refers to traffic that is going out from the Business Secure Router LAN to the WAN. Amount: This column lists how much traffic has been sent and recei...

Page 384: ...IP addresses are listed in descending order, with the LAN IP address to and from which the most traffic was sent listed first. Amount: This column displays how much traffic has gone to and from the listed LAN IP addresses. The measurement unit shown (bytes, Kilobytes, Megabytes or Gigabytes) varies with the amount of traffic sent to and from the LAN IP address. The count starts over at 0 if the total traf...

Page 385: ...ature. Table 105: Report Specifications (Label / Description). Number of Web sites, protocols or ports, IP addresses listed: 20. Hit count limit: Up to 2^32 hits can be counted per Web site. The count starts over at 0 if it passes four billion. Bytes count limit: Up to 2^64 bytes can be counted per protocol/port or LAN IP address. The count starts over at 0 if it passes 2^64 bytes. ...

Page 387: ...in a video cassette recorder, you can specify a time period for the VCR to record. Apply schedule sets in the WAN IP screen or the WAN Dial Backup screen. Lower-numbered sets take precedence over higher-numbered sets, thereby avoiding scheduling conflicts. For example, if sets 1, 2, 3 and 4 are applied in the remote node, set 1 takes precedence over sets 2, 3 and 4, as the Business Secure Router by default ap...

Page 388: ...Description. This is the call schedule set number. Name: This field displays the name of the call schedule set. Active: This field shows whether the call schedule set is turned on (Yes) or off (No). Start Date: This is the date, in year-month-day format, that the call schedule set takes effect. Duration Date: This is the date, in year-month-day format, that the call schedule set ends. ...

Page 389: ...he Action field. Action: Forced On means that the connection is maintained whether or not there is a demand call on the line, and persists for the time period specified in the Duration field. Forced Down means that the connection is blocked whether or not there is a demand call on the line. Enable Dial On Demand means that this schedule permits a demand call on the line. Disable Dial On Demand means tha...

Page 390: ...t will activate, in year-month-day format. If you selected Weekly in the How Often field, then select the day or days of the week when the set will activate. Start Time (24-Hour Format): Enter the start time, in hour:minute format, when you want the schedule set to take effect. Duration Time (24-Hour Format): Enter the maximum length of time, in hour:minute format, that the schedule set is to apply the action co...

Page 391: ...Once your schedule sets are configured, you must then apply them. Apply schedule sets in the WAN IP screen. You can apply schedule sets for the dial backup connection; refer to Configuring Dial Backup on page 119. Click WAN, Dial Backup to display the Dial Backup screen, as shown in Figure 157. Use the screen to apply up to four schedule sets. ...

Page 392: ...392 Chapter 21 Call scheduling screens NN47923-500. Figure 157: Applying Schedule Sets to a remote node. ...

Page 395: ...t traffic statistics. Maintenance overview: The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your Business Secure Router. Status screen: Click MAINTENANCE to open the Status screen, where you can monitor your Business Secure Router. Note that these fields are READ-ONLY and only used for diagnostic purposes. ...

Page 396: ...u chose in the first Internet Access Wizard screen. It is for identification purposes. Nortel Firmware Version: The release of firmware currently on the Business Secure Router and the date the release was created. DSL FW Version: This is the DSL firmware version currently on the Business Secure Router. Standard: This is the ADSL standard that your Business Secure Router is using. WAN Information: ...

Page 397: ...rtual Channel Identifier that you entered in the first Wizard screen. LAN Information: MAC Address: This is the MAC (Media Access Control) or Ethernet address unique to your Business Secure Router. IP Address: This is the LAN port IP address. IP Subnet Mask: This is the LAN port IP subnet mask. DHCP: This is the LAN port DHCP role (Server, Relay or None). DHCP Start IP: This is the first of the contiguous address...

Page 398: ...eld specifies the percentage of CPU utilization. LAN or WAN Port Statistics: This is the WAN or LAN port. Link Status: This is the status of your WAN link. Upstream Speed: This is the upstream speed of your Business Secure Router. Downstream Speed: This is the downstream speed of your Business Secure Router. Node-Link: This field displays the remote node index number and link type. Link types are PPPoA, ENET, R...

Page 399: ...duplex setting if you're using Ethernet encapsulation, and down (line is down), idle (line (ppp) idle), dial (starting to trigger a call) and drop (dropping a call) if you're using PPPoE encapsulation. For a LAN port, this shows the port speed and duplex setting. TxPkts: This field displays the number of packets transmitted on this port. RxPkts: This field displays the number of packets received on this port. Errors...

Page 400: ...t name. MAC Address: This field shows the MAC address of the computer with the name in the Host Name field. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example 00:A0:C5:00:00:02. Reserve: Select the check box to have the Business Secure Router always assign the displayed IP address...

Page 401: ...Figure 161: Diagnostic. Table 111 describes the fields in Figure 161. Table 111: Diagnostic (Label / Description). General: TCP/IP Address: Type the IP address of a computer that you want to ping in order to test a connection. ...

Page 402: ...this button to reinitialize the ADSL line. The large text box above then displays the progress and results of this operation, for example: Start to reset ADSL; Loading ADSL modem F/W; Reset ADSL Line Successfully. ATM Status: Click this button to view ATM status. ATM Loopback Test: Click this button to start the ATM loopback test. Make sure you have configured at least one PVC with proper VPIs/VCIs before...

Page 403: ...device again. Table 112: Firmware Upload (Label / Description). File Path: Type in the location of the file you want to upload in this field, or click Browse to find it. Browse: Click Browse to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them. Upload: Click Upload to begin the upload process. This process can take up to two minutes. Note: Do n...

Page 404: ...shown in Figure 164 on your desktop. Figure 164: Network Temporarily Disconnected. After two minutes, log on again and check your new firmware version in the System Status screen. If the upload was not successful, the screen shown in Figure 165 appears. Uploading the wrong firmware file or a corrupted firmware file can cause this error. Click Return to return to the F/W Upload screen. Figure 165: Firmware u...

Page 405: ...ion related to factory defaults, backup configuration and restoring configuration appears as shown in Figure 166. Figure 166: Configuration. Back to Factory Defaults: Pressing the Reset button in this section clears all user-entered configuration information and returns the Business Secure Router to its factory defaults. The warning screen will appear (see Figure 167). ...

Page 406: ...reverts to PlsChgMe. Backup configuration: With backup configuration, you can back up and save the current device configuration to a 104 KB file on your computer. After your device is configured and functioning properly, Nortel recommends that you back up your configuration file before making configuration changes. The backup configuration file is useful in case you need to return to your previous sett...

Page 407: ...one minute before logging on to the device again. Figure 168: Configuration Upload Successful. The device automatically restarts in this time, causing a temporary network disconnect. In some operating systems, you see the icon shown in Figure 169 on your desktop. Table 113: Restore configuration (Label / Description). File Path: Type in the location of the file you want to upload in this field, or click Browse t...

Page 408: ...Nortel Business Secure Router 252 Fundamentals (NN47923-301) guide for details about how to set up your computer IP address. If the upload was not successful, click Return to return to the Configuration screen. Restart screen: With system restart, you can reboot the Business Secure Router without turning the power off. Click MAINTENANCE and then Restart. Click Restart to have the Business Secure Router re...

Page 409: ...Chapter 22 Maintenance 409, Nortel Business Secure Router 252 Configuration Basics. Figure 170: Restart screen. ...

Page 411: ...te power source. Check that the Business Secure Router and the power source are both turned on. Turn the Business Secure Router off and on. If the error persists, you likely have a hardware problem; in this case, contact your vendor. I cannot access the Business Secure Router through the console port: 1. Make sure the Business Secure Router is connected to your computer's serial port. 2. Make sure the commun...

Page 412: ...e Action. I cannot access the Business Secure Router from the LAN: Check your Ethernet cable type and connections. For LAN connection instructions, see Nortel Business Secure Router 252 Fundamentals (NN47923-301). Make sure the Ethernet adapter is installed in the computer and functioning properly. I cannot ping any computer on the LAN: Check the 10M/100M LAN LEDs on the front panel. If they are all off, che...

Page 413: ...sword if you are using PPPoE or PPPoA encapsulation. Make sure that you have entered the correct service type, username and password (the username and password are case-sensitive). Use the WAN screens in the WebGUI. If your ISP requires host name authentication, configure your computer name as the system name of the Business Secure Router (use the System General screen to configure the system name). Table 1...

Page 414: ...et access settings. Your username and password can be case-sensitive. If device connections and Internet access settings are correct, contact your ISP. Table 120: Troubleshooting the password (Problem / Corrective Action). I cannot access the Business Secure Router: The administrator username is nnadmin. The default password is PlsChgMe. The Password and Username fields are case-sensitive. Make sure that you en...

Page 415: ...siness Secure Router must be on the same subnet for LAN access. If you changed the Business Secure Router LAN IP address, then enter the new one as the URL. Remove any filters in SMT menu 3.1 (LAN) or menu 11.1.4 (WAN) that block Web service. Table 122: Troubleshooting Remote Management (Problem / Corrective Action). I cannot remotely manage the Business Secure Router from the LAN or the WAN: Check your remote m...

Page 416: ...necessary. Either disable pop-up blocking (enabled by default in Windows XP SP (Service Pack) 2) or enable pop-up blocking and create an exception for your device IP address. Allowing Pop-ups: 1. In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker. Figure 171: Pop-up Blocker. You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy t...

Page 417: ...ear the Block pop-ups check box in the Pop-up Blocker section of the screen. Figure 172: Internet Options. 3. Click Apply to save this setting. Enabling Pop-up Blockers with Exceptions: Alternatively, if you only want to allow pop-up windows from your device, see the following steps. 1. In Internet Explorer, select Tools, Internet Options and then the Privacy tab. ...

Page 418: ...2. Select Settings to open the Pop-up Blocker Settings screen. Figure 173: Internet options. 3. Type the IP address of your device (the Web page that you do not want to have blocked) with the prefix http://. For example, http://192.168.1.1. ...

Page 419: ...address to the list of Allowed sites. Figure 174: Pop-up Blocker settings. 5. Click Close to return to the Internet Options screen. 6. Click Apply to save this setting. Internet Explorer JavaScript: If pages of the WebGUI do not display properly in Internet Explorer, check that JavaScript and Java permissions are enabled. ...

Page 420: ...Internet Options and then the Security tab. Figure 175: Internet options. 2. Click the Custom Level button. 3. Scroll down to Scripting. 4. Under Active scripting, make sure that Enable is selected (the default). 5. Under Scripting of Java applets, make sure that Enable is selected (the default). ...

Page 421: ...lose the window. Figure 176: Security Settings, Java Scripting. Internet Explorer Java Permissions: 1. From Internet Explorer, click Tools, Internet Options and then the Security tab. 2. Click the Custom Level button. 3. Scroll down to Microsoft VM. 4. Under Java permissions, make sure that a safety level is selected. ...

Page 422: ...lick OK to close the window. Figure 177: Security Settings, Java. JAVA (Sun): 1. From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2. Make sure that Use Java 2 for applet under Java (Sun) is selected. 3. Click OK to close the window. ...

Page 423: ...n and open a new browser. Figure 178: Java (Sun). Netscape Pop-up Blockers: Either disable the blocking of unrequested pop-up windows (enabled by default in Netscape) or allow pop-ups from Web sites by creating an exception for your device IP address. Note: Netscape 7.2 screens are used here. Screens for other Netscape versions vary. ...

Page 424: ...s from this site. 2. In the Netscape search toolbar, you can enable and disable pop-up blockers for Web sites. Figure 180: Netscape Search Toolbar. You can also check if pop-up blocking is disabled in the Popup Windows screen in the Privacy & Security directory. 1. In Netscape, click Edit and then Preferences. 2. Click the Privacy & Security directory and then select Popup Windows. ...

Page 425: ...1: Popup Windows. 4. Click OK to save this setting. Enable Pop-up Blockers with Exceptions: Alternatively, if you only want to allow pop-up windows from your device, follow these steps. 1. In Netscape, click Edit and then Preferences. 2. In the Privacy & Security directory, select Popup Windows. 3. Make sure the Block unrequested popup windows check box is selected. ...

Page 426: ...ubleshooting NN47923-500. 4 Click the Allowed Sites button. Figure 182 Popup Windows. 5 Type the IP address of your device (the Web page that you do not want to have blocked) with the prefix http://. For example, http://192.168.1.1. ...

Page 427: ... to return to the Popup Windows screen. 8 Click OK to save this setting. Netscape Java Permissions and JavaScript: If pages of the WebGUI do not display properly in Netscape, check that JavaScript and Java permissions are enabled. 1 In Netscape, click Edit and then Preferences. 2 Click the Advanced directory. 3 In the Advanced screen, make sure the Enable Java check box is selected. ...

Page 428: ...4 Click OK to close the window. Figure 184 Advanced. 5 Click the Advanced directory and then select Scripts & Plug-ins. 6 Make sure the Navigator check box is selected in the Enable JavaScript section. ...

Page 429: ...7 Click OK to close the window. Figure 185 Scripts & Plug-ins. ...

Page 431: ...n information from the time server. Time calibration failed: The router failed to get information from the time server. DHCP client gets %s: A DHCP client got a new IP address from the DHCP server. DHCP client IP expired: A DHCP client's IP address has expired. DHCP server assigns %s: The DHCP server assigned an IP address to a client. SMT Login Successfully: Someone has logged on to the router's SMT interfac...

Page 432: ...The Business Secure Router allows access to this IP address or domain name and forwarded traffic addressed to the IP address or domain name. URLBLK IP/Domain Name: The Business Secure Router blocked access to this IP address or domain name due to a forbidden keyword. All Web traffic is disabled except for trusted domains, untrusted domains, or the cybernot list. JAVBLK IP/Domain Name: The Business Secure...

Page 433: ...d code details. ip spoofing, WAN TCP: The firewall detected a TCP IP spoofing attack on the WAN port. ip spoofing, WAN UDP: The firewall detected a UDP IP spoofing attack on the WAN port. ip spoofing, WAN IGMP: The firewall detected an IGMP IP spoofing attack on the WAN port. ip spoofing, WAN ESP: The firewall detected an ESP IP spoofing attack on the WAN port. ip spoofing, WAN GRE: The firewall detected a GRE ...

Page 434: ...routing entry GRE: The firewall detected a GRE IP spoofing attack while the Business Secure Router did not have a default route. ip spoofing, no routing entry OSPF: The firewall detected an OSPF IP spoofing attack while the Business Secure Router did not have a default route. ip spoofing, no routing entry ICMP (type:%d, code:%d): The firewall detected an ICMP IP spoofing attack while the Business Secure Route...

Page 435: ...uter blocked or forwarded it according to the configuration of the ACL set. Firewall rule match: TCP (set:%d, rule:%d): TCP access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the configuration of the rule. Firewall rule match: UDP (set:%d, rule:%d): UDP access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according ...

Page 436: ...ed firewall rule and the Business Secure Router logged it. Firewall rule NOT match: GRE (set:%d, rule:%d): GRE access did not match the listed firewall rule and the Business Secure Router logged it. Firewall rule NOT match: OSPF (set:%d, rule:%d): OSPF access did not match the listed firewall rule and the Business Secure Router logged it. Firewall rule NOT match (set:%d, rule:%d): Access did not match the listed fire...

Page 437: ...ule:%d): UDP access matched the listed filter rule and the Business Secure Router dropped the packet to block access. Filter match DROP (set:%d, rule:%d): ICMP access matched the listed filter rule and the Business Secure Router dropped the packet to block access. Filter match DROP (set:%d, rule:%d): Access matched the listed filter rule and the Business Secure Router dropped the packet to block access. Filter matc...

Page 438: ...ent a TCP packet in response. Firewall sent TCP reset packets: The firewall sent out TCP reset packets. Packet without a NAT table entry blocked: The router blocked a packet that did not have a corresponding SUA/NAT table entry. Out of order TCP handshake packet blocked: The router blocked a TCP handshake packet that came out of the proper order. Drop unsupported/out-of-order ICMP: The Business Secure Ro...

Page 439: ...packets traveling from the WAN to the WAN or the Business Secure Router.
Table 130 ICMP Notes
Type  Code  Description
0 Echo reply
      0     Echo reply message
3 Destination unreachable
      0     Net unreachable
      1     Host unreachable
      2     Protocol unreachable
      3     Port unreachable
      4     A packet that needed fragmentation was dropped because the packet was set to Don't Fragment (DF)
      5     Source route failed
4 Source quench
      0     A gateway...

Page 440: ... in transit
      1     Fragment reassembly time exceeded
12 Parameter problem
      0     Pointer indicates the error
13 Timestamp
      0     Timestamp request message
14 Timestamp reply
      0     Timestamp reply message
15 Information request
      0     Information request message
16 Information reply
      0     Information reply message
Table 131 Syslog
LOG MESSAGE | DESCRIPTION
Mon dd hr:mm:ss hostname src="srcIP:srcPort" dst="dstIP:dstPort" msg="msg" no...

Page 441: ... Main Mode request to 192.168.100.101
002 01 Jan 08:02:22 Send:[SA]
003 01 Jan 08:02:22 Recv:[SA]
004 01 Jan 08:02:24 Send:[KE][NONCE]
005 01 Jan 08:02:24 Recv:[KE][NONCE]
006 01 Jan 08:02:26 Send:[ID][HASH]
007 01 Jan 08:02:26 Recv:[ID][HASH]
008 01 Jan 08:02:26 Phase 1 IKE SA process done
009 01 Jan 08:02:26 Start Phase 2: Quick Mode
010 01 Jan 08:02:26 Send:[HASH][SA][NONCE][ID][ID]
011 01 Jan 08:02:26 Recv:[HASH][SA][N...

Page 442: ...Jan 08:08:07 Recv:[SA]
003 01 Jan 08:08:08 Send:[SA]
004 01 Jan 08:08:08 Recv:[KE][NONCE]
005 01 Jan 08:08:10 Send:[KE][NONCE]
006 01 Jan 08:08:10 Recv:[ID][HASH]
007 01 Jan 08:08:10 Send:[ID][HASH]
008 01 Jan 08:08:10 Phase 1 IKE SA process done
009 01 Jan 08:08:10 Recv:[HASH][SA][NONCE][ID][ID]
010 01 Jan 08:08:10 Start Phase 2: Quick Mode
011 01 Jan 08:08:10 Send:[HASH][SA][NONCE][ID][ID]
012 01 Jan 08:08:10 Recv:[HASH] Clea...

Page 443: ... the connection, but the IKE key exchange has not completed. Duplicate requests with the same cookie: The Business Secure Router received multiple requests from the same peer but is still processing the first IKE packet from that peer. No proposal chosen: The parameters configured for Phase 1 or Phase 2 negotiations do not match. Check all protocols and settings for these phases. For example, one party us...

Page 444: ...h the local's peer ID type. Phase 1 ID content mismatch: The ID content of an incoming packet does not match the local's peer ID content. No known phase 1 ID type found: The ID type of an incoming packet does not match any known ID type. Peer ID: IP address type / IP address: The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the loca...

Page 445: ...address (static or dynamic) to set up the VPN tunnel. Cannot find IPSec SA: The Business Secure Router cannot find a phase 2 SA that corresponds with the SPI of an inbound packet from the peer; the packet is dropped. Cannot find outbound SA for rule %d: The packet matches the rule index number %d, but Phase 1 or Phase 2 negotiation for outbound (from the VPN initiator) traffic is not finished yet. Discard REPL...

Page 446: ...e certificate enrollment succeeded. The Destination field records the certification authority server IP address and port. Enrollment failed: The SCEP online certificate enrollment failed. The Destination field records the certification authority server IP address and port. Failed to resolve SCEP CA server url: The SCEP online certificate enrollment failed because the certification authority server addre...

Page 447: ...the LDAP server whose address and port are recorded in the Source field. Failed to decode the received user cert: The router received a corrupted user certificate from the LDAP server whose address and port are recorded in the Source field. Failed to decode the received CRL: The router received a corrupted CRL (Certificate Revocation List) from the LDAP server whose address and port are recorded in the ...

Page 448: ...oding failed. 10 Certificate was not found anywhere. 11 Certificate chain looped (did not find trusted root). 12 Certificate contains critical extension that was not handled. 13 Certificate issuer was not valid (CA specific information missing). 14 Not used. 15 CRL is too old. 16 CRL is not valid. 17 CRL signature was not verified correctly. 18 CRL was not found anywhere. 19 CRL was not added to the cache. 20 CR...

Page 449: ... to use another authentication method and was not authenticated. User logout because of session timeout expired: The router logged off a user whose session expired. User logout because of user deassociation: The router logged off a user who ended the session. User logout because of no authentication response from user: The router logged off a user from which there was no authentication response. User log...

Page 450: ...ategory followed by a log category and a parameter to decide what to record. No Server to authenticate user: There is no authentication server to authenticate a user. Local User Database does not find user's credential: A user was not authenticated by the local user database because the user is not listed in the local user database. Table 138 Log categories and available settings. Log Categories | Availab...

Page 451: ...ommand to show the log settings for all of the log categories. Use the sys logs display [log category] command to show the logs in an individual Business Secure Router log category. Use the sys logs clear command to erase all of the Business Secure Router logs. urlforward 0, 1: Use 0 to record no logs for a selected category, 1 to record only logs for a selected category, 2 to record only alerts for a selected...

Page 452: ...80:137 172.22.255.255:137 ACCESS BLOCK Firewall default policy: UDP (set:8)
1 11/11/2002 15:10:12 172.21.4.17:138 172.21.255.255:138 ACCESS BLOCK Firewall default policy: UDP (set:8)
2 11/11/2002 15:10:11 172.17.2.1 224.0.1.60 ACCESS BLOCK Firewall default policy: IGMP (set:8)
3 11/11/2002 15:10:11 172.22.3.80:137 172.22.255.255:137 ACCESS BLOCK Firewall default policy: UDP (set:8)
4 11/11/2002 15:10:10 192...
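As an added example that is not part of the Nortel manual, the following Python parses firewall log rows of the kind shown above into structured records and separates default-policy blocks of LAN background noise (NetBIOS broadcasts, IGMP) from blocked traffic that deserves review. The column order (index, date, time, source, destination, action, note), the `(set:N, rule:N)` note syntax and the last two sample rows are assumptions; the first three rows follow the page.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample log: rows 1-3 follow the page, rows 4-5 are constructed.
# Assumed columns: index date time source destination action note.
SAMPLE_LOG = """\
1 11/11/2002 15:10:12 172.21.4.17:138 172.21.255.255:138 ACCESS BLOCK Firewall default policy: UDP (set:8)
2 11/11/2002 15:10:11 172.17.2.1 224.0.1.60 ACCESS BLOCK Firewall default policy: IGMP (set:8)
3 11/11/2002 15:10:11 172.22.3.80:137 172.22.255.255:137 ACCESS BLOCK Firewall default policy: UDP (set:8)
4 11/11/2002 15:10:10 192.168.1.5:3421 203.0.113.9:80 ACCESS FORWARD Firewall rule match: TCP (set:1, rule:2)
5 11/11/2002 15:10:09 203.0.113.77:41022 192.168.1.1:23 ACCESS BLOCK Firewall default policy: TCP (set:8)
"""

ROW_RE = re.compile(
    r"^(?P<idx>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>[\d.]+(?::\d+)?)\s+(?P<dst>[\d.]+(?::\d+)?)\s+"
    r"ACCESS (?P<action>BLOCK|FORWARD)\s+(?P<note>.*)$")
NOTE_RE = re.compile(r"^(?P<kind>.+?):\s*(?P<proto>\w+)\s*\(set:(?P<set>\d+)(?:,\s*rule:(?P<rule>\d+))?\)$")

def split_endpoint(ep):
    """'172.21.4.17:138' -> ('172.21.4.17', 138); IGMP rows carry no port."""
    host, _, port = ep.partition(":")
    return host, (int(port) if port else None)

def parse_row(line):
    """Return one structured record, or None for a line that is not a log row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_ip"], rec["src_port"] = split_endpoint(rec.pop("src"))
    rec["dst_ip"], rec["dst_port"] = split_endpoint(rec.pop("dst"))
    n = NOTE_RE.match(rec["note"])
    rec["proto"] = n["proto"] if n else None
    rec["set"] = int(n["set"]) if n else None
    rec["rule"] = int(n["rule"]) if n and n["rule"] else None
    # Default-policy blocks of NetBIOS (137/138) broadcasts and multicast/IGMP are LAN
    # background noise; anything else the default policy blocked deserves a look.
    rec["noise"] = (rec["action"] == "BLOCK" and rec["rule"] is None
                    and (rec["dst_port"] in (137, 138) or ip_address(rec["dst_ip"]).is_multicast))
    return rec

def parse_log(text):
    return [r for r in map(parse_row, text.splitlines()) if r]

def summarize(records):
    """Counts per (action, protocol) plus the indexes of blocked rows that are not noise."""
    counts = Counter((r["action"], r["proto"]) for r in records)
    return counts, [r["idx"] for r in records if r["action"] == "BLOCK" and not r["noise"]]
```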

Page 453: ...ck Alert 190, 192; Attack Types 160; Authentication databases 315; Authentication Header 204; Authentication Type 121; Autonegotiating 10/100 Mb/s Ethernet LAN 36; Autosensing 10/100 Mb/s Ethernet LAN 36; Auxiliary 36. B: Backup 406; Bandwidth Class 300; Bandwidth Filter 300, 307; Bandwidth Management 299; Bandwidth Management Statistics 308; Bandwidth Manager Class Configuration 305; Bandwidth Manager Class Setup...

Page 454: ... Ports, Creating/Editing 182. D: Data Terminal Ready 124; DDNS Type 86; Default 405; Default Policy Log 177; Default Server 138; Default Server IP Address 137; Denial of Service 155, 156, 190, 191; DES 205; Destination Address 172, 180; DHCP 65, 85, 97, 98, 399; DHCP (Dynamic Host Configuration Protocol) 40; DHCP Server 101; diagnostic 400; Dial 126; Dial Backup 119; Dial Backup Port Speed 121; Dial Timeout 126; DNS 81, 357; DNS...

Page 455: ...ines For Enhancing Security 166; Introduction 155; LAN to WAN Rules 173; Policies 169; Rule Checklist 171; Rule Logic 171; Rule Security Ramifications 171; Services 186; Types 153; When To Use 167; Firmware Version 396, 396; First DNS Server 84; FTP 85, 135, 136, 329, 352; FTP Restrictions 329; FTP Server 41; Full Feature 115; Full Network Management 40. G: General Setup 82; Global 130; Global End IP 140, 143; Global Start ...

Page 456: ...ng 157, 161; IP Static Route 148; IPSec VPN Capability 36, 37; ISAKMP Initial Contact Payload 258. J: Java 197. K: Key Fields For Configuring Rules 172. L: LAN IP Address 380, 383; LAN Setup 97, 107; LAN TCP/IP 98; LAN to WAN Rules 173; LAND 158, 159; Local 130; Local End IP 140, 142; Local Start IP 140, 142; Log 177; Logging 41; Logs 373. M: MAC Addresses 103; MAC Encapsulated Routing Link Protocol 53; MAIN MENU 50; Management...

Page 457: ...nel 217; One Minute High 193; One Minute Low 192; One to One 133; One Minute High 191; One to One 142; Outside 130. P: Packet Direction 177, 179; Packet Filtering 38, 166; Packet Filtering Firewalls 154; PAP 121; Password 46, 87, 321, 327; Password Management 259; PAT 142; Permanent Virtual Circuit 54; Phone Number 121; ping 402; Ping of Death 157; Point to Point Protocol over ATM Adaptation Layer 5 54; Point to Point Pro...

Page 458: ...lass 303; Routing Information Protocol 98; Rule Summary 185; Rules 169, 173 (Checklist 171; Creating Custom 169; Key Fields 172; LAN to WAN 173; Logic 171; Predefined Services 186; Source and Destination Addresses 181). S: SA Monitor 245; Saving the State 161; Schedule Sets, Duration 390; Second DNS Server 84; Secondary Phone Number 121; Secure FTP Using SSH Example 349; Secure Telnet Using SSH Example 347; Security Ra...

Page 459: ... 156, 157, 158, 350; Teardrop 157; technical publications 30; Telnet 350; Telnet Configuration 350; text conventions 29; TFTP Restrictions 329; Third DNS Server 84; Threshold Values 190; Time and Date 36; Time Setting 90; Traceroute 161; Tracing 41; trademarks 2; Traffic Redirect 40, 117, 118; Trigger Port Forwarding Process 143. U: UDP/ICMP Security 165; Universal Plug and Play 38; Universal Plug and Play (UPnP) 361, 363; U...

Page 460: ...VPN Client Termination 248. W: WAN to LAN Rules 173; Web Proxy 197; Web Site Hits 380; WebGUI 45, 49, 155, 166, 172; Windows Networking 116, 247; Wizard Setup 53; WWW 332. X: Xmodem Upload 49 ...
