Prestige 202H 

ISDN Router

User’s Guide 

Version 3.40 

August 2003 

Contents, Prestige 202H Series

Page 1: ...Prestige 202H ISDN Router User's Guide Version 3 40 August 2003...

Page 2: ...f ZyXEL Communications Corporation Published by ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any product...

Page 3: ...ncy energy and if not installed and used in accordance with the instructions may cause harmful interference to radio communications If this equipment does cause harmful interference to radio televisio...

Page 4: ...mpliance with the above conditions may not prevent degradation of service in some situations Repairs to certified equipment should be made by an authorized Canadian maintenance facility designated by...

Page 5: ...E Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of m...

Page 6: ...pport zyxel com tw 886 3 578 3942 www zyxel com www europe zyxel com WORLDWIDE sales zyxel com tw 886 3 578 2439 ftp europe zyxel com ZyXEL Communications Corp 6 Innovation Road II Science Based Indus...

Page 7: ...o Know Your Prestige 1 1 1 1 Introducing the Prestige 202H 1 1 1 2 Features 1 1 1 3 Internet Access With the Prestige 1 4 Chapter 2 Hardware Installation 2 1 2 1 Front Panel 2 1 2 2 Rear Panel and Con...

Page 8: ...Setup 6 1 6 1 Ethernet Setup 6 1 6 2 Ethernet TCP IP and DHCP Server 6 2 6 3 Configuring TCP IP Ethernet and DHCP 6 5 6 4 IP Alias 6 6 6 5 IP Alias Setup 6 7 Chapter 7 Internet Access Setup 7 1 7 1 I...

Page 9: ...ommuting Application With Windows Example 10 7 10 7 LAN to LAN Server Application Example 10 10 Chapter 11 Network Address Translation NAT 11 1 11 1 NAT Overview 11 1 11 2 Applying NAT 11 6 11 3 NAT S...

Page 10: ...tom Rules 15 1 15 1 Rules Overview 15 1 15 2 Rule Logic Overview 15 1 15 3 Connection Direction 15 3 15 4 Rule Summary 15 4 15 5 Predefined Services 15 6 15 6 Timeout 15 12 Chapter 16 Customized Servi...

Page 11: ...ion and Console Port Speed 20 3 20 4 Log and Trace 20 5 20 5 Accounting Server 20 9 20 6 Call Triggering Packet 20 10 20 7 Diagnostic 20 11 Chapter 21 Firmware and Configuration File Maintenance 21 1...

Page 12: ...5 2 IPSec Architecture 25 3 25 3 Encapsulation 25 5 25 4 IPSec and NAT 25 6 Chapter 26 VPN IPSec Setup 26 1 26 1 VPN IPSec Overview 26 1 26 2 IPSec Algorithms 26 2 26 3 My IP Address 26 3 26 4 Secure...

Page 13: ...ices and Index V Appendix A Troubleshooting A Problems Starting Up the Prestige A Problems With the ISDN Line B Problems With a LAN Interface B Problems Connecting to a Remote Node or ISP C Remote Use...

Page 14: ...System Security Change Password 3 6 Figure 3 5 Resetting the Router 3 7 Figure 3 6 Example Xmodem Upload 3 8 Figure 4 1 Menu 1 General Setup 4 1 Figure 4 2 Configure Dynamic DNS 4 3 Figure 5 1 Menu 2...

Page 15: ...Route Setup 9 2 Figure 9 3 Menu 12 1 Edit IP Static Route 9 2 Figure 10 1 Menu 13 Default Dial in Setup 10 2 Figure 10 2 Menu 13 1 Default Dial in Filter 10 5 Figure 10 3 Menu 14 Dial in User Setup 1...

Page 16: ...11 Menu 15 2 NAT Server Setup 11 14 Figure 11 12 Multiple Servers Behind NAT Example 11 15 Figure 11 13 NAT Example 1 11 16 Figure 11 14 Menu 4 Internet Access NAT Example 11 16 Figure 11 15 NAT Exam...

Page 17: ...ure 15 3 Firewall Rules Summary First Screen 15 5 Figure 15 4 Creating Editing A Firewall Rule 15 10 Figure 15 5 Adding Editing Source and Destination Addresses 15 12 Figure 15 6 Timeout Screen 15 13...

Page 18: ...re 18 17 Filtering Remote Node Traffic 18 21 Figure 19 1 SNMP Management Model 19 1 Figure 19 2 Menu 22 SNMP Configuration 19 3 Figure 20 1 Menu 24 System Maintenance 20 1 Figure 20 2 Menu 24 1 System...

Page 19: ...ion Example 21 10 Figure 21 12 Successful Restoration Confirmation Screen 21 10 Figure 21 13 System Maintenance Upload Firmware 21 11 Figure 21 14 Menu 24 7 1 Upload System Firmware 21 11 Figure 21 15...

Page 20: ...ure 25 4 Figure 25 4 Transport and Tunnel Mode IPSec Encapsulation 25 5 Figure 26 1 VPN SMT Menu Tree 26 1 Figure 26 2 Menu 27 VPN IPSec Setup 26 2 Figure 26 3 IPSec Summary Fields Illustration 26 4 F...

Page 21: ...Menu 3 2 1 IP Alias Setup 6 8 Table 7 1 Internet Account Information 7 1 Table 7 2 Menu 4 Internet Access Setup 7 2 Table 8 1 Menu 11 1 Remote Node Profile 8 3 Table 8 2 BTR vs MTR for BOD 8 7 Table...

Page 22: ...defined Services 14 2 Table 14 2 E mail 14 5 Table 14 3 SMTP Error Messages 14 6 Table 14 4 Attack Alert 14 9 Table 15 1 Firewall Rules Summary First Screen 15 5 Table 15 2 Predefined Services 15 7 Ta...

Page 23: ...9 1 Call Control Parameters 22 3 Table 22 2 Menu 24 9 1 Budget Management 22 5 Table 22 3 Menu 24 9 4 Call History 22 6 Table 22 4 Time and Date Setting Fields 22 7 Table 23 1 Menu 26 1 Schedule Set Se...

Page 24: ...26 11 Telecommuter and Headquarters Configuration Example 26 23 Table 27 1 Menu 27 2 SA Monitor 27 2 Table 28 1 Sample IKE Key Exchange Logs 28 2 Table 28 2 Sample IPSec Logs During Packet Transmissio...

Page 25: ...tructions Web Configurator Online Help Embedded web help for descriptions of individual screens and supplementary information Packing List Card The Packing List Card lists all items that should have c...

Page 26: ...means the space bar UP and DOWN are the up and down arrow keys Mouse action sequences are denoted using a comma For example click the Apple icon Control Panels and then Modem means first click the Ap...

Page 27: ...Getting Started I Part I Getting Started This part is structured as a step by step guide to help you connect install and set up your router to operate on your network and access the Internet...

Page 29: ...tion describes the router's key features IPSec VPN Capability Establish Virtual Private Network VPN tunnels to connect home office computers to your company network using data encryption and the Inter...

Page 30: ...tion between network devices Your router supports SNMP agent functionality that allows a manager station to manage and monitor the router through the network SNMP is only available if TCP IP is config...

Page 31: ...Protocol Multilink Protocol link layer protocol Dial on Demand The Dial on Demand feature allows the router to automatically place a call to a remote gateway based on the triggering packet's destinat...

Page 32: ...you the expense of unnecessary charges Data Compression Your router incorporates Stac data compression to speed up data transfer Stac is the de facto standard of data compression over PPP links Netwo...

Page 33: ...eature that allows multiple users on the LAN Local Area Network to access the Internet concurrently for the cost of a single user NAT address mapping can also be used for other LAN to LAN connections...

Page 34: ...enge Handshake Authentication Protocol authentication can be used to control remote access You can also use callback for security and or accounting purposes Figure 1 3 Remote Access 1 3 4 Secure Broad...

Page 35: ...Prestige 202H User's Guide Getting to Know Your Prestige 1 7 Figure 1 4 Secure Internet Access and VPN Application...

Page 37: ...power is applied to the router and it has booted up properly A green blinking PWR SYS LED indicates the router is performing a system test or rebooting When the router senses low voltage power the PWR S...

Page 38: ...outer and the female end to a serial port COM1 COM2 or other COM port of your computer After the initial setup you can modify the configuration remotely through telnet connections See the chapter on T...

Page 39: ...On Your Router At this point you should have connected the console port the ISDN port the Ethernet port(s) and the power port to the appropriate devices or lines You can now turn on the router by pushi...

Page 41: ...tige via the Console Port Make sure you have the physical connection properly set up as described in the hardware installation chapter When configuring using the console port you need a computer equip...

Page 42: ...d press ENTER Move up to a previous menu ESC Press the ESC key to move back to the previous menu Move to a hidden menu Press SPACE BAR to change No to Yes then press ENTER Fields beginning with Edit l...

Page 43: ...e password the SMT displays the Main Menu as shown Figure 3 2 SMT Main Menu 3 4 1 System Management Terminal Interface Summary Table 3 2 Main Menu Summary NO Menu Title FUNCTION 1 General Setup Use th...

Page 44: ...r router can be used as a dial in server 14 Dial in User Setup Use this menu to configure settings for remote dial in users 15 NAT Setup Use this menu to configure Network Address Translation 21 Filte...

Page 45: ...e Configuration Menu 24 7 System Maintenance Upload Firmware Menu 24 8 Command Interpreter Mode Menu 24 3 1 System Maintenance View Error Log Menu 24 3 2 System Maintenance UNIX Syslog Menu 24 2 1 Sys...

Page 46: ...d press ENTER Note that as you type a password the screen displays an X for each character you type 3 7 Resetting the Prestige If you forget your password or cannot access the SMT menu you will need t...

Page 47: ...ation software session and turn on the Prestige again When you see the message Press Any key to enter Debug Mode within 3 seconds press any key to enter debug mode Step 3 Enter atlc after Enter Debug...

Page 48: ...er then Send File to display the following screen Figure 3 6 Example Xmodem Upload Step 6 After successful firmware upload enter atgo to restart the router Type the configuration file's location or cl...

Page 49: ...r Name field and enter it as the System Name In Windows 2000 click Start Settings Control Panel and then double click System Click the Network Identification tab and then the Properties button Note th...

Page 50: ...ard feature for your host causes yourhost dyndns org to be aliased to the same IP address as yourhost dyndns org This feature is useful if you want to be able to use for example www yourhost dyndns or...

Page 51: ...ic DNS service provider WWW DynDNS ORG default Active Press SPACE BAR to select Yes and then press ENTER to make dynamic DNS active Yes EMAIL Enter your e mail address mail mailserver USER Enter your...

Page 53: ...p FIELD DESCRIPTION Switch Type This read only field displays your switch type DSS 1 B Channel Usage In general this will be Switch Switch default If you are only using one B channel e g your router i...

Page 54: ...ve your configuration or press ESC at any time to cancel 5 2 ISDN Advanced Setup Menus Select Yes in the Edit Advanced Setup field of Menu 2 ISDN Setup to display Menu 2 1 as shown later Switch Type T...

Page 55: ...dapter 2 will be used as the calling party number You only need to fill in these fields if your switch or PABX requires a specific calling party number for outgoing calls otherwise leave them blank Th...

Page 56: ...ur ISDN If you select Yes the router will perform a loop back test to check the ISDN line If the loop back test fails please note the error message that you receive and take the appropriate troublesho...

Page 57: ...plications through many default values that do not need to be programmed It provides a unified interface for applications to access the different ISDN services such as data voice fax telephony etc ISD...

Page 58: ...a shared device and can be used by several different client computers at the same time e g one computer sending a fax another computer doing a file transfer RVS COM has to be installed on each client...

Page 59: ...ng table describes the fields in this screen Table 5 2 Configuring NetCAPI FIELD DESCRIPTION Active This field allows you to enable or disable NetCAPI Press the SPACEBAR to select Yes or No Menu 2 2 N...

Page 60: ...phone number does not match the ISDN DATA number then the call will be routed to NetCAPI Select Called Party Subaddress if you want to direct all incoming calls to the Prestige only when the incoming...

Page 61: ...to apply to the Ethernet traffic You seldom need to filter Ethernet traffic however the filter sets may be useful to block certain packets reduce traffic and prevent security breaches Figure 6 2 Menu...

Page 62: ...IP addresses and the subnet mask If the ISP did not explicitly give you an IP network number then most likely you have a single user account and the ISP will assign you a dynamic IP address when the c...

Page 63: ...refer to RFC 1597 Address Allocation for Private Internets and RFC 1466 Guidelines for Management of IP Address Space 6 2 4 RIP Setup RIP Routing Information Protocol allows a router to exchange rout...

Page 64: ...DNS server addresses The first is for an ISP to tell a customer the DNS server addresses usually in the form of an information sheet when s/he signs up If your ISP does give you the DNS server addres...

Page 65: ...d If set to Relay the router acts as a surrogate DHCP server and relays requests and responses between the remote server and the clients When set to Server the following four items need to be set Serv...

Page 66: ...ddress that you assign Unless you are implementing subnetting use the subnet mask computed by the router 255 255 255 0 RIP Direction Press SPACE BAR to select the RIP direction from Both None In Only...

Page 67: ...ess ENTER to configure the second and third network Press ENTER to open Menu 3 2 1 IP Alias Setup as shown next Figure 6 6 Menu 3 2 1 IP Alias Setup Menu 3 2 1 IP Alias Setup IP Alias 1 No IP Address...

Page 68: ...mask computed by the router 255 255 255 0 RIP Direction Press SPACE BAR and then ENTER to select the RIP direction from Both In Only Out Only Both Version Press SPACE BAR and then ENTER to select the...

Page 69: ...to record your Internet Account Information Table 7 1 Internet Account Information INTERNET ACCOUNT INFORMATION Your device's WAN IP Address if given __________________ DNS Server IP Address if given...

Page 70: ...ed with the login name above My WAN IP Addr Some implementations especially the UNIX derivatives require the WAN link to have a separate IP network number from the LAN and each end must have a unique...

Page 71: ...router uses the PPP Multilink Protocol PPP MP to bundle multiple links in a single connection to boost the effective throughput between two nodes This option is only available if the transfer type is...

Page 72: ...Advanced Applications II Part II Advanced Applications This part describes the advanced applications of your Prestige such as Remote Node Configuration Dial in Configuration and NAT...

Page 73: ...e calculated For example the Prestige may make a call but drop the call after 10 seconds maybe there was no reply but the call would still be charged at a minimum time unit let us say 3 minutes With m...

Page 74: ..._______ 3 ________ 4 ________ 5 ________ 6 ________ 7 ________ 8 ________ Enter Node to Edit Menu 11 1 Remote Node Profile Rem Node Name nodename Active Yes Call Direction Outgoing Incoming Rem Login...

Page 75: ...rom this remote node Call Direction Several other fields in this menu depend on this parameter For example in order to enable Callback the Call Direction must be set to Both Incoming Rem Login Enter t...

Page 76: ...used for outgoing calls Options for this field are CHAP PAP Your Prestige will accept either CHAP or PAP when requested by this remote node CHAP accept CHAP only PAP accept PAP only CHAP PAP Primary...

Page 77: ...umber Nailed up Connection This field specifies if you want to make the connection to this remote node a nailed up connection See the following section for more details No Toll Period This is the basi...

Page 78: ...gle connection to boost the effective throughput between two nodes Due to the fragmentation reconstruction overhead associated with MP you may not get a linear increase in throughput when a link is ad...

Page 79: ...add threshold is 30 Kbps and subtract threshold is 60 Kbps The Prestige performs bandwidth on demand only if it initiates the call Addition and subtraction are based on the value set in the BOD Calcu...

Page 80: ...sion The default for this field is No No BACP Your Prestige negotiates the Secondary Phone number for a dial up line from the peer when BACP Bandwidth Allocation Control Protocol is enabled otherwise...

Page 81: ...his parameter specifies the number of seconds where traffic is below the subtraction threshold before your Prestige drops the second link Default 5 sec Once you have configured this menu press ENTER a...

Page 82: ...onnection No Toll Period sec 0 Session Options Edit Filter Sets No Idle Timeout sec 300 Press ENTER to Confirm or ESC to Cancel IP address of the Prestige on LAN 2 Menu 11 1 Remote Node Profile Rem No...

Page 83: ...1 Remote Node Profile You must fill in either the remote Prestige WAN IP address or the remote Prestige LAN IP address This depends on the remote router's WAN IP i e for the remote Prestige the My WA...

Page 84: ...e ISDN link to have a separate IP network number from the LAN and each end must have a unique address within the WAN network number If this is the case enter the IP address assigned to the ISDN port o...

Page 85: ...o this remote node in its RIP broadcasts If set to Yes this route is kept private and not included in RIP broadcast If No the route to this remote node will be propagated to other hosts through RIP br...

Page 86: ...p to 4 filter sets separated by comma e g 1 5 9 12 in each filter field The default is no filters Note that spaces are accepted in this field The Prestige comes with a prepackaged filter set NetBIOS_W...

Page 87: ...igure 8 8 Menu 11 5 Remote Node Filter Menu 11 5 Remote Node Filter Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Call Filter Sets protocol filte...

Page 89: ...that is directly connected to a remote node Each remote node specifies only the network to which the gateway is directly connected and the Prestige has no knowledge of the networks beyond For instanc...

Page 90: ...This field allows you to activate deactivate this static route Destination IP Address This parameter specifies the IP network address of the final destination Routing is always based on network numbe...

Page 91: ...represents the cost of transmission for routing purposes IP routing uses hop count as the measurement of cost with a minimum of 1 for directly connected networks Enter a number that approximates the c...

Page 93: ...h as Bandwidth On Demand Protocol Security etc 10 2 Default Dial in User Setup This section covers the default dial in parameters The parameters in menu 13 affect incoming calls from both remote dial...

Page 94: ...e three options for this field None No CLID is required Required CLID must be available or the Prestige will not answer the call Preferred If the CLID is available then CLID will be used otherwise aut...

Page 95: ...user name and password from the far end that it is dialing to If the remote node requires mutual authentication set this field to Yes No O G Username Enter the login name to be used to respond to the...

Page 96: ...s IP addresses and this field specifies the first one in the pool The IP start address is the start of a series of consecutive IP addresses IP Count 1 2 In this field enter the number 1 or 2 of addres...

Page 97: ...figured number The other is ease of accounting For instance your company pays for the connection charges for telecommuting employees and you use your Prestige as the dial in server When you turn on th...

Page 98: ...or login for example johndoe johndoe Active You can disallow dial in access to this user by setting this field to inactive Inactive users are displayed with a minus sign at the beginning of the name i...

Page 99: ...Otherwise a N A will appear in the field Enter the telephone number to which your Prestige will call back Rem CLID If you enable CLID Authen field in Menu 13 then you need to specify the telephone nu...

Page 100: ...to configure the Default Dial in User Setup to set the operational parameters for all dial in users An example of remote access server for telecommuters is shown next Figure 10 5 Example of Telecommut...

Page 101: ...Link Options Max Trans Rate Kbps 128 Callback Budget Management Allocated Budget min Period hr IP Address Supplied By Dial in User Yes IP Pool Yes IP Start Addr 192 168 250 250 IP Count 1 2 N A Sessio...

Page 102: ...e Default Dial in User Setup to set the operational parameters for incoming calls Additionally you must create a remote node for the router on the remote network see the chapter on Remote Node Configu...

Page 103: ...rrier Access Code Nailed Up Connection No Toll Period sec 0 Session Options Edit Filter Sets No Idle Timeout sec 300 Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Set Call Directio...

Page 104: ...D channel and verifies that the calling number corresponds with that configured in menu 11 If they do the Prestige LAN 2 hangs up and calls the Prestige on LAN 1 back Start dialing for node LAN_2 Hit...

Page 105: ...s Edit Filter Sets No Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Set this field to Required Menu 11 1 Remote Node Profile Rem Node Name LAN_1 Active Yes Call Direction Both Inco...

Page 106: ...lling number does not match the Rem CLID number in Menu 11 1 Figure 10 14 Callback and CLID Connection Test Copyright c 1994 2003 ZyXEL Communications Corp LAN_2 sys trcl call Tracelog type 9080 level...

Page 107: ...f a host when the packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side Note that inside outside refers to the...

Page 108: ...ional benefit of firewall protection With no servers defined your Prestige filters out all incoming inquiries thus preventing intruders from probing your network For more information on IP address tra...

Page 109: ...NAT Works 11 1 4 NAT Application The following figure illustrates a possible NAT application where three inside LANs logical LANs using IP Alias behind the Prestige can communicate with three distinct...

Page 110: ...ge maps multiple local IP addresses to one global IP address This is equivalent to SUA for instance PAT port address translation ZyXEL's Single User Account feature that previous ZyXEL routers support...

Page 111: ...IGA1 M 1 Many to Many Overload ILA1 IGA1 ILA2 IGA2 ILA3 IGA1 ILA4 IGA2 M M Ov Many to Many No Overload ILA1 IGA1 ILA2 IGA2 ILA3 IGA3 M M No OV Server Server 1 IP IGA1 Server 2 IP IGA1 Server 3 IP IGA1...

Page 112: ...ss Setup Figure 11 3 Applying NAT for Internet Access The following figure shows how you apply NAT to the remote node in menu 11 1 Step 1 Enter 11 from the main menu and select a remote node Step 2 Mo...

Page 113: ...o create the mapping table used to assign global addresses to computers on the LAN You can see two NAT Address Mapping sets in menu 15 1 You can only configure Set 1 Set 255 is used for SUA When you s...

Page 114: ...Menu 15 1 Address Mapping Sets SUA Address Mapping Set Enter 255 to display the next screen see also section 11 1 6 The fields in this menu cannot be changed Menu 15 NAT Setup 1 Address Mapping Sets...

Page 115: ...P 0 0 0 0 Global End IP This is the ending global IP address IGA Type These are the mapping types discussed above see Table 11 2 Server allows us to specify multiple servers of different types behind...

Page 116: ...ignored If there are any empty rules before your new configured rule your configured rule will be pushed up by that number of empty rules For example if you have already configured rules 1 to 6 in yo...

Page 117: ...select the rule to apply the action in question 1 You must press ENTER at the bottom of the screen to save the whole set You must do this again if you make any changes to the set including deleting a...

Page 118: ...obal IP address IGA This field is N A for One to One Many to One and Server types N A Server Mapping Set Only available when Type is set to Server Type a number from 1 to 10 to choose a server set fro...

Page 119: ...ure refer to your ISP The most often used port numbers are shown in the following table Please refer to RFC 1700 for further information about port numbers Please also refer to the included disk for m...

Page 120: ...e IP address of the server in the IP Address field In the following figure you have a computer acting as an FTP Telnet and SMTP server ports 21 23 and 25 at 192 168 1 33 Menu 15 2 NAT Server Setup Rul...

Page 121: ...at any time to cancel Figure 11 12 Multiple Servers Behind NAT Example 11 5 General NAT Examples This section provides some examples with Network Address Translation 11 5 1 Example 1 Internet Access O...

Page 122: ...read only option from the Network Address Translation field in menus 4 and 11 3 is specifically pre configured to handle this case Menu 4 Internet Access Setup Menu 4 Internet Access Setup ISP's Name...

Page 123: ...xample 2 Internet Access with an Inside Server Figure 11 15 NAT Example 2 In this case you do exactly as above use the convenient pre configured SUA Only set and also go to menu 15 2 to specify the In...

Page 124: ...t IGA to the first inside FTP server for FTP traffic in both directions 1 1 mapping giving both local and global IP addresses Rule 2 Map the second IGA to our second inside FTP server for FTP traffic...

Page 125: ...nter 15 from the main menu Step 3 Enter 1 to configure the Address Mapping Sets Step 4 Enter 1 to begin configuring this new set Enter a Set Name choose the Edit Action and then enter 1 for the Select...

Page 126: ...192 168 1 10 End N A Global IP Start 10 132 50 1 End N A Server Mapping Set N A Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Menu 11 3 Remote Node Network Layer Options IP Option...

Page 127: ...Mapping Rules Set Name Example3 Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 192 168 1 10 10 132 50 1 1 1 2 192 168 1 11 10 132 50 2 1 1 3 0 0 0 0 255 255 255 255 10 132 50 3...

Page 128: ...bers do not change for Many to Many No Overload and One to One NAT mapping types The following figure illustrates this Figure 11 21 NAT Example 4 Other applications such as some gaming programs are NA...

Page 129: ...1 1 1 Address Mapping Rule Type Many to Many No Overload Local IP Start 192 168 1 10 End 192 168 1 12 Global IP Start 10 132 50 1 End 10 132 50 3 Server Mapping Set N A Press ENTER to Confirm or ESC...

Page 130: ...Firewall III Part III Firewall This part introduces firewalls in general and the Prestige firewall It also explains customized services and logs and gives example firewall rules...

Page 131: ...r a firewall to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security policy In addition specific policies must be impl...

Page 132: ...g that some proxies support See section 12 5 for more information on Stateful Inspection Firewalls of one type or another have become an integral part of standard security solutions for enterprises 12...

Page 133: ...ls that perform specific functions An extension number called the TCP port or UDP port identifies these protocols such as HTTP Web FTP File Transfer Protocol POP3 E mail etc For example Web traffic by...

Page 134: ...size packet is then sent to an unsuspecting system Systems may crash hang or reboot 1 b Teardrop attack exploits weaknesses in the re assembly of IP packet fragments As data is transmitted through a n...

Page 135: ...ack floods a targeted system with a series of SYN packets Each packet causes the targeted system to issue a SYN ACK response While the targeted system waits for the ACK that follows the SYN ACK it que...

Page 136: ...t the ICMP echo request packet to all hosts on the network If there are numerous hosts this will create a large amount of ICMP echo request and response traffic If a hacker chooses to spoof the source...

Page 137: ...from within the trusted network To engage in IP spoofing a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the rou...

Page 138: ...r protocol is configured for a firewall rule inspection 1 The packet travels from the firewall's LAN to the WAN 2 The packet is evaluated against the interface's existing outbound access list and the...

Page 139: ...on's state table entry is deleted and the connection's temporary inbound access list entries are deleted 12 5 2 Stateful Inspection and the Prestige Additional rules may be defined to extend or overri...

Page 140: ...nce numbers However at the very minimum they contain an IP address pair source and destination UDP also contains port pairs and ICMP has type and code information All of this data can be analyzed in o...

Page 141: ...l service such as SNMP or NTP that you don't use Any enabled service could present a potential security risk A determined hacker might be able to find creative ways to misuse the enabled services to a...

Page 142: ...as or 8 Upgrade your software regularly Many older versions of software especially web browsers have well known security deficiencies When you upgrade to the latest versions you get the latest patches...

Page 143: ...squerading as a response to a nonexistent outbound request can be blocked The firewall uses session filtering i e smart rules that enhance the filtering process and control the network session rather...

Page 145: ...allow you to activate the firewall and view firewall logs 13 2 Using Prestige SMT Menus From the main menu enter 21 to go to Menu 21 Filter Set and Firewall Configuration to display the screen shown...

Page 146: ...ssions originating from the LAN to the WAN and 2 deny all sessions originating from the WAN to the LAN You may define additional Policy rules or modify existing ones but please exercise extreme cautio...

Page 147: ...tched did not match or was there an attack The set and rule coordinates X Y where X 1 2 Y 00 10 follow with a simple explanation There are two policy sets set 1 X 1 is for LAN to WAN rules and set 2 X...

Page 149: ...Launch your web browser and enter 192.168.1.1 as the URL. Step 2: Enter admin as the user name and 1234 (default) as the password and click Login. Step 3: The Site Map screen displays as shown next. Figure...

Page 150: ...ick this link to enable the firewall. Email: Click this link to configure an alert report to be sent to a specific e-mail address. Alert: Click this link to configure alerts to be sent in the event of att...

Page 151: ...N to LAN traffic. Logs: Click this link to view the firewall's logs. 14.2 Enabling the Firewall: Click Advanced Setup, Firewall and then Config to display the following screen. Click the Firewall Enabled ch...

Page 152: ...lert when attack detected checkbox, or when a rule is matched in the Rule Config screen (see Figure 15.4). When an event generates an alert, a message is immediately sent to an e-mail account specified by...

Page 153: ...il address to identify the Prestige as the sender of the e-mail messages, i.e. a return-to-sender address for backup purposes: returnaddress@prestige.com. Log Timer / Log Schedule: This pop-up menu is used...

Page 154: ...ror messages appear in SMT menu 24.3.1 as "SMTP action request failed. ret=". They are described in the following table. Table 14.3 SMTP Error Messages: 1 means Prestige out of socket; 2 means TCP SYN fail; 3 m...

Page 155: ...ed sessions. Subject: Firewall Alert From Prestige. Date: Fri, 07 Apr 2000 10:05:42. From: user@zyxel.com. To: user@zyxel.com. 1 | Apr 7 00 | From 192.168.1.1 To 192.168.1.255 | default policy | forward | 09:54:03 | UDP sr...

Page 156: ...pen sessions rises above a threshold (max-incomplete high), the Prestige starts deleting half-open sessions as required to accommodate new connection requests. The Prestige continues to delete half-open r...

Page 157: ...whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections. Click Advanced Setup, Firewall and Alert to bring up the next screen...

Page 158: ...d to stop deleting half-open sessions when fewer than 80 session establishment attempts have been detected in the last minute. Maximum Incomplete Low: This is the number of existing half-open sessions t...

Page 159: ...When TCP Maximum Incomplete is reached, you can choose if the next session should be allowed or blocked. If you select the Blocking Time checkbox, any new sessions will be blocked for the length of time...
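The half-open session thresholds described on pages 156 to 159 (One Minute High/Low, Maximum Incomplete High/Low, TCP Maximum Incomplete and Blocking Time) behave like a rate limiter with hysteresis: deletion of half-open sessions starts when a High value is crossed and stops only once the rates are back below the Low values. The following Python model is an added example written for this page, not ZyXEL firmware or code from the guide. The threshold names are the guide's; the eviction order (oldest first), the admission of the new request while evicting, and the behaviour when Blocking Time is not selected are assumptions stated in the code.

```python
"""Half-open (embryonic) TCP session throttling, modelled on the Prestige
firewall's Alert screen thresholds.  Added illustration written for this page,
not ZyXEL code.  Threshold names come from the text (One Minute High/Low,
Maximum Incomplete High/Low, TCP Maximum Incomplete, Blocking Time).
Assumptions: the oldest half-open session is the one deleted, an evicting
firewall still admits the new request, and with Blocking Time unselected the
oldest half-open session to the overloaded host is dropped to let the new one in.
"""
from collections import deque


class HalfOpenGuard:
    def __init__(self, one_min_high=100, one_min_low=80,
                 max_inc_high=100, max_inc_low=80,
                 tcp_max_incomplete=10, blocking_time_min=0):
        self.one_min_high, self.one_min_low = one_min_high, one_min_low
        self.max_inc_high, self.max_inc_low = max_inc_high, max_inc_low
        self.tcp_max_incomplete = tcp_max_incomplete
        self.blocking_time = blocking_time_min * 60
        self.half_open = {}        # session id -> (start time, destination); insertion order = age
        self.attempts = deque()    # timestamps of SYNs seen in the last minute
        self.deleting = False      # hysteresis state: True while "deleting half-open sessions"
        self.blocked_until = {}    # destination -> time when its per-host block ends

    def _prune(self, now):
        while self.attempts and now - self.attempts[0] >= 60:
            self.attempts.popleft()

    def _evict_oldest(self, candidates):
        self.half_open.pop(next(iter(candidates)))

    def syn(self, now, sid, dst):
        """Decide what to do with a new session request (a TCP SYN)."""
        self._prune(now)
        self.attempts.append(now)
        evicted = False

        # Per-destination limit: TCP Maximum Incomplete.
        if now < self.blocked_until.get(dst, 0):
            return "drop (host blocked)"
        to_host = [s for s, (_, d) in self.half_open.items() if d == dst]
        if len(to_host) >= self.tcp_max_incomplete:
            if self.blocking_time > 0:             # Blocking Time selected
                self.blocked_until[dst] = now + self.blocking_time
                return "drop (host blocked)"
            self._evict_oldest(to_host)            # assumption, see docstring
            evicted = True

        # Global limits with hysteresis: start deleting above the High values,
        # stop only once both the attempt rate and the count are below the Low values.
        rate, count = len(self.attempts), len(self.half_open)
        if rate > self.one_min_high or count > self.max_inc_high:
            self.deleting = True
        elif rate < self.one_min_low and count < self.max_inc_low:
            self.deleting = False
        if self.deleting and self.half_open:
            self._evict_oldest(self.half_open)
            evicted = True

        self.half_open[sid] = (now, dst)
        return "forward (evicted older half-open)" if evicted else "forward"

    def established(self, sid):
        """Three-way handshake completed (or session aged out): no longer half-open."""
        self.half_open.pop(sid, None)


def simulate():
    """Constructed scenario with small thresholds so every branch is exercised."""
    g = HalfOpenGuard(one_min_high=5, one_min_low=3, max_inc_high=4,
                      max_inc_low=2, tcp_max_incomplete=2, blocking_time_min=1)
    out = []
    for t, sid, dst in [(0, "s0", "10.0.0.1"), (1, "s1", "10.0.0.1"),
                        (2, "s2", "10.0.0.1"),    # third SYN to one host: blocked
                        (3, "s3", "10.0.0.1"),    # still inside Blocking Time
                        (4, "s4", "10.0.0.2"),    # 5 attempts/min, not above High
                        (5, "s5", "10.0.0.3"),    # 6 attempts/min > High: deleting
                        (6, "s6", "10.0.0.4"),
                        (70, "s7", "10.0.0.1")]:  # block expired, but still deleting
        out.append(g.syn(t, sid, dst))
    g.established("s5")                           # handshakes complete
    g.established("s6")
    out.append(g.syn(71, "s8", "10.0.0.2"))       # below both Low values: normal again
    return out, sorted(g.half_open)
```

simulate() runs a constructed SYN sequence with small thresholds. The last two steps show the hysteresis the guide describes: once the One Minute High value has been crossed, a single SYN a minute later still costs an older half-open session, because the guard keeps deleting until both the attempt rate and the half-open count are below the Low values.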


Page 161: ...fter you configure them. For example, you may create rules to: block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the Internet; allow certain types of traffic, such as Lotus Not...

Page 162: ...ers that require this service? 2. Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective? 3. Does a...

Page 163: ...of IPs or a subnet. 15.3 Connection Direction: This section talks about configuring firewall rules for connections going from LAN to WAN and WAN to LAN in your firewall. 15.3.1 LAN to WAN Rules: The defau...

Page 164: ...lowing figure. Figure 15.2 WAN to LAN Traffic. 15.4 Rule Summary: The fields in the Rule Summary screens are the same for Local Network and Internet, so the discussion below refers to both. Click on Firewa...

Page 165: ...RIPTION / EXAMPLE. The default action for packets not matching following rules: Should packets that do not match the following rules be blocked or forwarded? Make your choice from the drop-down list box. No...

Page 166: ...is created. None / None. Rules Reorder / Move rule number: You may reorder your rules using this function. Select by clicking on the rule you want to move. The ordering of your rules is important, as rules are...

Page 167: ...possible by e-mail. H.323 (TCP 1720): NetMeeting uses this protocol. HTTP (TCP 80): Hyper Text Transfer Protocol, a client/server protocol for the world wide web. HTTPS: HTTPS is a secured http session, often u...

Page 168: ...(TCP 512): Remote Command Service. REAL_AUDIO (TCP 7070): A streaming audio service that enables real-time sound over the web. REXEC (TCP 514): Remote Execution Daemon. RLOGIN (TCP 513): Remote Login. RTELNET (TCP 10...

Page 169: ...ronments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems. TFTP (UDP 69): Trivial File Transfer Protocol is an Internet file transfer protocol simila...

Page 170: Prestige 202H User's Guide, Creating Custom Rules, 15-10. Figure 15.4 Creating/Editing a Firewall Rule. The following table describes the fields in this screen...

Page 171: ...click Edit Available Service. Click this button to go to the list of available custom services. Action for Matched Packets: Should packets that match this rule be blocked or forwarded? Make your choice fr...

Page 172: ...2.169.1.50), a subnet or any IP address. Select an option from the drop-down list box. Subnet Address. Start IP Address: Enter the single IP address or the starting IP address in a range here. End IP Address...

Page 173: ...to Local Network Set. Figure 15.6 Timeout Screen. The following table describes the fields in this screen. Table 15.5 Timeout Menu: FIELD / DESCRIPTION / DEFAULT VALUE. TCP Timeout Values: Connection Timeout: T...

Page 174: ...is the length of time of inactivity a UDP connection remains open before the Prestige considers the connection closed. 60 seconds. ICMP Timeout: This is the length of time an ICMP session waits for the...

Page 175: ...d services and port numbers not predefined by the Prestige (see Figure 15.4). For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Numbers Authority) website. For further i...

Page 176: ...protocol (TCP, UDP or Both) that defines your customized port. Port: This is the port number or range that defines your customized port. Use the Help icon for field descriptions. When you have finished viewi...

Page 177: ...ck Back to return to the previous screen. When you have finished, click Apply to save your customized settings and exit this screen, Cancel to return to the previously saved settings, Delete to remove thi...

Page 178: ...rule screen and then click a rule number to bring up the Firewall Customized Services Config screen. Configure as follows. Figure 16.4 Customized Service for MyService. Customized services show up with a...

Page 179: ...tlined earlier in this chapter to configure all your rules. Configure the rule configuration screen like the one below and apply it. Figure 16.5 MyService Rule Configuration. This is your MyService custo...

Page 180: ...y screen should look like the following. Don't forget to click Apply when you have finished configuring your rule(s) to save your settings back to the Prestige. Figure 16.6 Example Rule Summary. Rule 3: Al...

Page 181: ...s that match, don't match or both this rule (see Figure 15.4). Click Logs to bring up the next screen. Firewall logs may also be viewed in SMT Menu 21.3 (see section 13.2) or via syslog (SMT Menu 24.3.2, Syste...

Page 182: ...ow with a simple explanation. There are two policy sets: set 1 (X = 1) is for LAN to WAN rules and set 2 (X = 2) for WAN to LAN rules. Y represents the rule in the set. You can configure up to 10 rules in any set...

Page 183: ...ced Management. This part discusses Filtering, SNMP, System Information and Diagnosis, Firmware and Configuration File Maintenance, System Maintenance and Information, Call Scheduling, Remote Management and...


Page 185: ...divided into incoming and outgoing filters, depending on the direction of the packet relative to a port. Data filtering can be applied on either the WAN side or the Ethernet side. Call filtering is used...

Page 186: ...s that follow. The following figure illustrates the logic flow when executing a filter rule. [Flowchart: Outgoing Packet; Built-in default Call Filters; User-defined Call Filters (if applicable); Drop packet; Initia...]

Page 187: [Flowchart, continued: Packet into Filter Set; Forward / Drop / Check Next Rule; Fetch Next Filter Set; Next Filter Set Available? Yes / No; Accept Packet; Drop Packet.] Figure 18.2 Filter Rule Process. You can apply up...

Page 188: ...ted rules, for example all the rules for NetBIOS, into a single set and give it a descriptive name. You can configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in...

Page 189: ...ER to confirm to open Menu 21.1.x Filter Rules Summary. The following shows filter rules summary screens for filter sets 1 through 4. Menu 21.1 Filter Set Configuration: Filter Set # / Comments / Filter Set Co...

Page 190: ...
2  Y  IP  Pr=6   SA=0.0.0.0  DA=0.0.0.0  DP=138   N  D  N
3  Y  IP  Pr=6   SA=0.0.0.0  DA=0.0.0.0  DP=139   N  D  N
4  Y  IP  Pr=17  SA=0.0.0.0  DA=0.0.0.0  DP=137   N  D  N
5  Y  IP  Pr=17  SA=0.0.0.0  DA=0.0.0.0  DP=138   N  D  N
6  Y  IP  Pr...

Page 191: ...bbreviations used in the previous menus. Menu 21.1.4 Filter Rules Summary:
#  A  Type  Filter Rules                                 M  m  n
1  Y  IP    Pr=6  SA=0.0.0.0  DA=0.0.0.0  DP=21         N  D  F
2  Y  IP    Pr=6  SA=0.0.0.0  DA=0.0.0.0  DP=20         N  D  F
3  N
4  N
5...

Page 192: ...action to be taken, for instance forward the packet, drop the packet or check the next rule. For the latter, the next rule is independent of the rule just checked. m = Action Matched: F means to forward the...

Page 193: ...instance protocol filters or generic filters. The class of a filter set is determined by the first rule that you create. When applying the filter sets to a port, separate menu fields are provided for pro...

Page 194: ...d 255. A value of 0 matches ANY protocol (0 to 255). IP Source Route: IP Source Route is an optional header that dictates the route an IP packet takes from its source to its destination. If Yes, the rule app...

Page 195: ...parison to apply to the source port in the packet against the value given in the Source Port field. Choices are None, Less, Greater, Equal or Not Equal. Default: None. TCP Estab: This applies only when the IP Protocol fi...

Page 196: ...tion for a packet not matching the rule. Choices are Check Next Rule, Forward or Drop. Default: Check Next Rule. When you have completed this menu, press ENTER at the prompt "Press ENTER to confirm or ESC to...

Page 197: [Flowchart (Figure 18.x, protocol filter rule): Check IP Protocol; Check Src IP Addr; Apply SrcAddrMask to Src Addr; Matched / Not Matched, Yes / No; actions Drop Packet, Accept Packet, Forward, Check Next Rule.] ...Che...

Page 198: ...ecimal digits to represent a byte, so if the length is 4, the value in either field will take 8 digits, for example FFFFFFFF. To configure a generic rule, select an empty filter set in menu 21.1, for exampl...

Page 199: ...l to compare with the data portion. More: If Yes, a matching packet is passed to the next filter rule before an action is taken; otherwise the packet is disposed of according to the action fields. If More is...

Page 200: ...xact address and port on the wire. Therefore the Prestige applies the protocol filters to the native IP address and port number before NAT for outgoing packets and after NAT for incoming packets. On the...

Page 201: ...d Firewall Setup. Step 2: Enter 1 to open Menu 21.1 Filter Set Configuration. Step 3: Enter the index of the filter set you wish to configure, such as 4, and press ENTER. Step 4: Enter a descriptive name or c...

Page 202: ...More= No, Log= None, Action Matched= Drop, Action Not Matched= Forward. Press ENTER to Confirm or ESC to Cancel. Press SPACE BAR to choose this filter rule type. The first filter rule type determines all subse...

Page 203: ...ly the example filter set, for example filter set 3, in this menu as shown in the next section. 18.6 Applying Filters and Factory Defaults. Menu 21.1.9 Filter Rules Summary: # A Type Filter Rules M m n; 1 Y I...

Page 204: ...separated by commas, for example 3, 4, 6, 11. The factory default filter set NetBIOS_LAN is inserted in the protocol filters field under Input Filter Sets in menu 3.1 in order to prevent local NetBIOS mes...

Page 205: ...t Filter Sets: protocol filters= 3, 4, 5; device filters= . Output Filter Sets: protocol filters= 1; device filters= . Press ENTER here to CONFIRM or ESC to CANCEL. Apply filter 3 to block Telnet traffic from the WAN, filt...
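The filter logic on pages 186 to 205 (matching on IP protocol, masked source and destination addresses and port comparisons; the More flag; Forward, Drop or Check Next Rule for matched and unmatched packets; the ordered list of filter sets applied to a port) is small enough to reproduce in full. The Python below is an added example written for this page, not ZyXEL code. It encodes the factory NetBIOS set from Menu 21.1.1 and the chapter's Telnet example as set 3, and makes two assumptions the fragments above do not settle: a More=Yes rule that fails to match skips the remainder of its chain, and TCP Estab=Yes means the ACK bit is set.

```python
"""Evaluation of Prestige-style protocol (IP) filter rules, following the
Filter Rule Process flowchart and the Filter Rules Summary abbreviations in this
chapter: Pr = IP protocol (0 = any), SA/DA = source/destination address with
mask, SP/DP = port comparisons, M = More, m = action when matched, n = action
when not matched (F forward, D drop, N check next rule).  Added illustration for
this page, not ZyXEL code.  Assumptions: a More=Yes rule that does not match
skips the rest of its chain, and TCP Estab=Yes matches packets with the ACK bit set.
"""
from dataclasses import dataclass
import ipaddress

F, D, N = "F", "D", "N"            # Forward, Drop, check Next rule


@dataclass
class Rule:
    pr: int = 0                    # IP protocol, 0 matches any
    sa: str = "0.0.0.0/0"          # source address/mask
    da: str = "0.0.0.0/0"          # destination address/mask
    sp: tuple = ("none", 0)        # (comparison, port) for the source port
    dp: tuple = ("none", 0)        # (comparison, port) for the destination port
    estab: str = "none"            # TCP Estab: "none", "yes" or "no"
    more: bool = False             # M: pass a matching packet on to the next rule
    m: str = N                     # action when matched
    n: str = N                     # action when not matched
    active: bool = True            # the A column of the summary screen


def port_ok(cmp_port, value):
    op, ref = cmp_port
    return {"none": True, "less": value < ref, "greater": value > ref,
            "equal": value == ref, "notequal": value != ref}[op]


def matches(rule, pkt):
    if rule.pr and pkt["pr"] != rule.pr:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.sa, strict=False):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule.da, strict=False):
        return False
    if not port_ok(rule.sp, pkt.get("sport", 0)) or not port_ok(rule.dp, pkt.get("dport", 0)):
        return False
    if rule.pr == 6 and rule.estab != "none":
        if (rule.estab == "yes") != bool(pkt.get("ack", False)):
            return False
    return True


def run_set(rules, pkt):
    """Walk one filter set; return F or D, or N if the set reaches its end."""
    i = 0
    while i < len(rules):
        r = rules[i]
        if not r.active:
            i += 1
            continue
        hit = matches(r, pkt)
        if r.more:                         # chained rule: no action of its own
            if hit:
                i += 1
                continue
            while i < len(rules) and rules[i].more:   # chain broken: skip the
                i += 1                                #   rest of it, including
            i += 1                                    #   the terminating rule
            continue
        action = r.m if hit else r.n
        if action != N:
            return action
        i += 1
    return N


def apply_filters(sets, pkt):
    """Sets are tried in the order listed (e.g. "3, 4, 5"); a packet no set decides on is accepted."""
    for rules in sets:
        verdict = run_set(rules, pkt)
        if verdict != N:
            return verdict
    return F


def netbios_wan():
    """Factory default set 1 (NetBIOS_WAN): drop TCP and UDP ports 137-139."""
    return [Rule(pr=p, dp=("equal", port), m=D, n=N)
            for p in (6, 17) for port in (137, 138, 139)]


def telnet_wan():
    """The chapter's example set 3: drop inbound Telnet (TCP 23), forward the rest."""
    return [Rule(pr=6, dp=("equal", 23), m=D, n=F)]


def decide(pkt):
    """Input filter sets 1 and 3 applied to a WAN packet, as in the menu 11.5 example."""
    return apply_filters([netbios_wan(), telnet_wan()], pkt)
```

Note the consequence of Action Not Matched = Forward in the Telnet set: any non-Telnet packet is forwarded by that set immediately, so a set listed after it in the protocol filters field is never consulted for such packets. Check Next Rule (N) is the action to use when later sets are meant to see the packet.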


Page 207: ...NMP is a member of the TCP/IP protocol suite. Your Prestige supports SNMP agent functionality, which allows a manager station to manage and monitor the Prestige through the network. The Prestige supports...

Page 208: ...equest/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations. Get: Allows the manager to retrieve an obj...

Page 209: ...ress. A blank (default) field means your Prestige will respond to all SNMP messages it receives, regardless of source. 0.0.0.0. Trap Community: Type the trap community, which is the password sent with each tr...

Page 210: ...sent with the port number. 4 authenticationFailure (defined in RFC 1215): A trap is sent to the manager when receiving any SNMP get or set requirements with a wrong community (password). 6 linkDown (defined in...

Page 211: ...f the ports, as shown next. System Status is a tool that can be used to monitor your Prestige. Specifically, it gives you information on your ISDN line status, number of packets sent and recei...

Page 212: ...bandwidth used on this channel. ALU: The ALU (Average Line Utilization) is a 5-second moving average of usage for this channel. Up Time: Time this channel has been connected to the current remote node. Chan...

Page 213: ...channels since the system has been powered up. CPU Load: This specifies the percentage of CPU utilization. LAN Packet Which Triggered Last Call: This shows the first 48 octets of the LAN packet that trig...

Page 214: ...sed. ZyNOS F/W Version: Refers to the ZyNOS (ZyXEL Network Operating System) system firmware version. ZyNOS is a registered trademark of ZyXEL Communications Corporation. Country Code: This is the country co...

Page 215: ...speed in menu 24.2.2 as shown in the following figure. Figure 20.5 Menu 24.2.2 System Maintenance - Change Console Port Speed. 20.4 Log and Trace: Type 3 in menu 24 to open Menu 24.3 Log and Trace. This me...

Page 216: ...ix Syslog: The Prestige uses the UNIX syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog and accounting can be configured in Menu 24.3.2 System Maintenance...

Page 217: ...message to different files in the server. Please refer to your UNIX manual for more details. Types: CDR (Call Detail Record): CDR logs all data phone line activity if set to Yes. Packet Triggered: The first...

Page 218: ...Call Terminated. Jul 19 11:19:27 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C01 Outgoing Call dev=2 ch=0 40002. Jul 19 11:19:32 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C02 OutCall C...

Page 219: ...S05>R01mF. Mar 03 12:00:57 202.132.155.97 ZyXEL: GEN[00a0c5f502010080 ]S05>R01mF. Mar 03 12:01:06 202.132.155.97 ZyXEL: IP[Src=192.168.2.33 Dst=202.132.155.93 TCP spo=01170 dpo=00021]S04>R01mF. 4. PPP log: PP...
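Pages 217 to 219 list the syslog record types the Prestige emits: CDR lines, packet-triggered records and filter-log records whose tail names the filter set and rule that decided the packet (S04>R01mF reads as set 4, rule 1, matched, forward). The Python below is an added example written for this page, not ZyXEL code. SAMPLE is constructed, and its punctuation (the IP[...] and GEN[...] bracketing and the S04>R01mF tag) is the layout assumed from the stripped text above; the last sample line is a drop record added to show the other outcome. dropped_by_filter() picks out what a practitioner reviewing these logs would look at first.

```python
"""Parser for the three Prestige syslog record kinds shown on this page: CDR
(Call Detail Record) lines, packet-triggered records and filter-log records.
Added illustration for this page, not ZyXEL code.  The sample lines below are
constructed; their punctuation (the "IP[...]" / "GEN[...]" bracketing and the
"S04>R01mF" filter tag) is the layout assumed from the stripped text, where
S = filter set, R = rule, m/n = matched / not matched, F/D/N = forward / drop /
check next rule."""
import re

HEADER = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d) (?P<host>[\d.]+) ZyXEL: (?P<body>.*)$")
CDR = re.compile(r"board (?P<board>\d+) line (?P<line>\d+) channel (?P<channel>\d+), "
                 r"call (?P<call>\d+), (?P<code>C\d\d) (?P<event>.+)$")
IPLOG = re.compile(r"IP\[Src=(?P<src>[\d.]+) Dst=(?P<dst>[\d.]+) (?P<proto>\w+)"
                   r"(?: spo=(?P<spo>\d+) dpo=(?P<dpo>\d+))?\]")
GENLOG = re.compile(r"GEN\[(?P<data>[0-9a-fA-F]+) *\]")
TAG = re.compile(r"S(?P<set>\d+)>R(?P<rule>\d+)(?P<matched>[mn])(?P<action>[FDN])$")
ACTION = {"F": "forward", "D": "drop", "N": "check next rule"}

SAMPLE = """\
Jul 19 11:19:27 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C01 Outgoing Call dev=2 ch=0 40002
Jul 19 11:19:32 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C02 OutCall Connected 64000 40002
Jul 19 11:20:05 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C02 Call Terminated
Mar 03 12:00:57 202.132.155.97 ZyXEL: GEN[00a0c5f502010080 ]S05>R01mF
Mar 03 12:01:06 202.132.155.97 ZyXEL: IP[Src=192.168.2.33 Dst=202.132.155.93 TCP spo=01170 dpo=00021]S04>R01mF
Mar 03 12:01:09 202.132.155.97 ZyXEL: IP[Src=203.0.113.9 Dst=192.168.2.33 TCP spo=04321 dpo=00023]S03>R01mD
"""


def parse_line(line):
    h = HEADER.match(line)
    if not h:
        return None
    rec = {"time": h["ts"], "router": h["host"]}
    body = h["body"]
    if (m := CDR.search(body)):
        rec.update(kind="cdr", call=int(m["call"]), code=m["code"], event=m["event"])
        return rec
    if (m := IPLOG.search(body)):
        rec.update(kind="ip", src=m["src"], dst=m["dst"], proto=m["proto"],
                   sport=int(m["spo"]) if m["spo"] else None,
                   dport=int(m["dpo"]) if m["dpo"] else None)
    elif (m := GENLOG.search(body)):
        rec.update(kind="generic", data=bytes.fromhex(m["data"]))
    else:
        rec.update(kind="unknown", text=body)
        return rec
    t = TAG.search(body)                    # which filter set/rule decided, and how
    if t:
        rec.update(filter_set=int(t["set"]), rule=int(t["rule"]),
                   matched=t["matched"] == "m", action=ACTION[t["action"]])
    return rec


def parse(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def dropped_by_filter(records):
    """(src, dst, dport) of every packet a filter rule dropped: what to review first."""
    return [(r["src"], r["dst"], r["dport"]) for r in records
            if r["kind"] == "ip" and r.get("action") == "drop"]
```

The filter tag is the piece worth keeping in a detection pipeline: a forwarded record from set 4 rule 1 on port 21 above is the cleartext FTP session the Packet Triggered option captured, and a run of drop records with the same source is the first sign that a filter set applied in menu 11.5 is doing its job.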

Page 220: ...ge this value unless your network administrator instructs you to do so. 1646. Key: Specify a password of up to 31 alphanumeric characters as the key to be shared between the external accounting server and t...

Page 221: ...gth = 20; Type of Service = 0x00 (0); Total Length = 0x002C (44); Identification = 0x0002 (2); Flags = 0x00; Fragment Offset = 0x00; Time to Live = 0xFE (254); Protocol = 0x06 (TCP); Header Checksum = 0xFB20 (64288); Source IP = 0xC0A80101 (1...

Page 222: ...This tool hangs up the B1 channel. It is only applicable if the B1 channel is currently in use. Hang Up B2 Call: This tool hangs up the B2 channel. It is only applicable if the B2 channel is currently in...

Page 223: ...s option reboots the Prestige. Command Mode: This option allows you to enter the command mode. It allows you to diagnose and test your Prestige using a specified set of commands. Manual Call Remote Node: I...


Page 225: ...put firmware.bin ras: This is a sample FTP session showing the transfer of the computer file firmware.bin to the Prestige. ftp> get rom-0 config.cfg: This is a sample FTP session saving the current configu...

Page 226: ...load files in menus 24.5, 24.6, 24.7.1 and 24.7.2, depending on whether you use the console port or Telnet. Option 5 from Menu 24 System Maintenance allows you to back up the current Prestige configuration...

Page 227: ...nsfers the configuration file on the Prestige to your computer and renames it config.rom. See earlier in this chapter for more information on filename conventions. Step 7: Enter quit to exit the ftp prom...

Page 228: ...option. Normal: The server requires a unique User ID and Password to log in. Transfer Type: Transfer files in either ASCII (plain text) format or in binary mode. Initial Remote Directory: Specify the default...

Page 229: ...I mode by entering 8 in Menu 24 System Maintenance. Step 3: Enter the command sys stdio 0 to disable the SMT timeout so the TFTP transfer will not be interrupted. Enter the command sys stdio 5 to restore the fiv...

Page 230: ...bin extension) or configuration file (.rom extension) on your computer. Remote File: This is the filename on the Prestige. The filename for the firmware is ras and for the configuration file is rom-0. Binary...

Page 231: ...s section shows you how to restore a previously saved configuration. Note that this function erases the current configuration before restoring a previous backup configuration; please do not attempt to...

Page 232: ...transfer files from the Prestige to the computer. For example, put config.rom rom-0 transfers the configuration file config.rom on your computer to the Prestige. See earlier in this chapter for more inf...

Page 233: ...ial communications programs should be similar. Step 1: Display menu 24.6 and enter y at the following screen. Figure 21.9 System Maintenance - Restore Configuration. Step 2: The following screen indicates th...

Page 234: ...following the instructions in Menu 24.7.2 System Maintenance - Upload System Configuration File for the console port. WARNING: DO NOT INTERRUPT THE FILE TRANSFER PROCESS AS THIS MAY PERMANENTLY DAMAGE YOUR P...

Page 235: ...ur system. Then type root and the SMT password as requested. 3. Type put firmwarefilename ras, where firmwarefilename is the name of your firmware upgrade file on your computer and ras is the remote file name...

Page 236: ...es it rom-0. Likewise, get rom-0 config.rom transfers the configuration file on the Prestige to your computer and renames it config.rom. See earlier in this chapter for more information on filename conve...

Page 237: ...interpreter (CI) mode by entering 8 in Menu 24 System Maintenance. Step 3: Enter the command sys stdio 0 to disable the console timeout so the TFTP transfer will not be interrupted. Enter the command sys stdio...

Page 238: ...FTP or TFTP is faster. Any serial communications program should work fine; however, you must use the Xmodem protocol to perform the download/upload. 21.4.8 Uploading Firmware File Via Console Port. Step 1...

Page 239: ...he configuration upload process has completed, restart the Prestige by entering atgo. 21.4.10 Uploading Configuration File Via Console Port. Step 1: Select 2 from Menu 24.7 System Maintenance - Upload Firmw...

Page 240: ...Menu 24.7.2 System Maintenance - Upload System Configuration File. To upload the system configuration file: 1. Enter y at the prompt below to go into debug mode. 2. Enter atlc after the Enter Debug Mode message. 3. W...

Page 241: ...Maintenance, 21-17. Figure 21.20 Example Xmodem Upload. After the configuration upload process has completed, restart the Prestige by entering atgo. Type the configuration file's location or click Browse t...
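Console-port uploads on pages 238 to 241 use the Xmodem protocol, which carries the file as numbered 128-byte blocks that the receiver checks and acknowledges one at a time; an upload interrupted mid-way, the case the WARNING on page 234 is about, leaves the receiver with an incomplete sequence of blocks and no EOT. The Python below is an added example written for this page, not ZyXEL code or the terminal program's: it builds and verifies those blocks with both trailer types (8-bit checksum and CRC-16/XMODEM), rejecting a corrupted or out-of-sequence block the way the receiver would NAK it. Which of the two trailers the Prestige negotiates is not stated on the page.

```python
"""Xmodem framing as used for console-port firmware and configuration transfers
(Menu 24.7.x).  Added illustration, not ZyXEL code: it builds and checks the
128-byte Xmodem blocks a terminal program sends (SOH, block number, its one's
complement, data padded with 0x1A, then an 8-bit checksum or a CRC-16/XMODEM),
so a corrupted or misordered block is rejected the way the receiver would NAK it.
Which trailer the Prestige negotiates is not stated on the page; both are here."""
SOH, EOT, ACK, NAK, PAD = 0x01, 0x04, 0x06, 0x15, 0x1A
BLOCK = 128


def crc16_xmodem(data):
    """CRC-16/XMODEM: poly 0x1021, init 0, no reflection, no final XOR."""
    crc = 0
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def _trailer(data, use_crc):
    return crc16_xmodem(data).to_bytes(2, "big") if use_crc else bytes([sum(data) & 0xFF])


def frame(block_no, payload, use_crc=True):
    """One Xmodem block.  block_no is 1-based and wraps modulo 256."""
    data = payload.ljust(BLOCK, bytes([PAD]))
    if len(data) != BLOCK:
        raise ValueError("payload longer than one block")
    head = bytes([SOH, block_no & 0xFF, 0xFF - (block_no & 0xFF)])
    return head + data + _trailer(data, use_crc)


def split(image, use_crc=True):
    """All frames for a file, in order, followed by the EOT byte."""
    frames = [frame(i + 1, image[i * BLOCK:(i + 1) * BLOCK], use_crc)
              for i in range((len(image) + BLOCK - 1) // BLOCK)]
    return frames + [bytes([EOT])]


def check_frame(buf, expected_no, use_crc=True):
    """Return the 128 data bytes or raise ValueError (the receiver would send NAK)."""
    if len(buf) != 3 + BLOCK + (2 if use_crc else 1) or buf[0] != SOH:
        raise ValueError("bad length or missing SOH")
    if buf[1] != expected_no & 0xFF or buf[2] != 0xFF - buf[1]:
        raise ValueError("block number %d/%d out of sequence" % (buf[1], buf[2]))
    data, trailer = buf[3:3 + BLOCK], buf[3 + BLOCK:]
    if trailer != _trailer(data, use_crc):
        raise ValueError("checksum mismatch")
    return data


def receive(frames, use_crc=True):
    """Reassemble the file; stops at EOT.  Pad bytes are kept: Xmodem carries no length."""
    out, n = bytearray(), 1
    for buf in frames:
        if buf == bytes([EOT]):
            return bytes(out)
        out += check_frame(buf, n, use_crc)
        n += 1
    raise ValueError("transfer ended without EOT")
```

Because Xmodem has no length field, the received image is padded to a multiple of 128 bytes with 0x1A; a firmware or configuration image should therefore carry its own length or checksum if the pad bytes matter, and a transfer that ends without EOT is the interrupted upload the guide warns about.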


Page 243: ...ction to the console port, although some commands are only available with a serial connection. See the included disk or the zyxel.com web site for more detailed information on CI commands. Enter 8 from M...

Page 244: ...eeds the limit, the current call will be dropped and any future outgoing calls will be blocked. The blacklist function prevents the Prestige from re-dialing an unreachable phone number. It is a list o...

Page 245: ...he Prestige will time out if it cannot set up an outgoing digital call within the timeout value. The default is 30. Retry Counter: How many times a busy or no-answer telephone number is retried before it...

Page 246: ...9.1 Budget Management: The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to t...

Page 247: ...that has gone by within the allocated budget that you set in menu 11.1. 5/10 means that 5 minutes out of a total allocation of 10 minutes have lapsed. Elapsed Time / Total Period: The period is the time cy...

Page 248: ...om that telephone number. 22.3 Time and Date: There is a software mechanism to set the time manually or get the current time and date from an external server when you turn on your Prestige. Menu 24.10 al...

Page 249: ...ay have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main differences between them are the format. Daytime (RFC 867) format is day/month/year/time...

Page 250: ...Current Date: This field displays an updated date only when you re-enter this menu. New Date: Enter the new date in year, month and day format. Time Zone: Press SPACE BAR and then ENTER to set the time diff...

Page 251: ...igure 23.1 Menu 26 Schedule Setup. Lower numbered sets take precedence over higher numbered sets, thereby avoiding scheduling conflicts. For example, if sets 1, 2, 3 and 4 are applied in the remote node, the...

Page 252: ...the present to 2036 February 5. How Often: Should this schedule set recur weekly or be used just once only? Press SPACE BAR and then ENTER to select Once or Weekly. Both these options are mutually exclusi...

Page 253: ...or not there is a demand call on the line. Enable Dial On Demand means that this schedule permits a demand call on the line. Disable Dial On Demand means that this schedule prevents a demand call on th...

Page 254: ...t IP= No | Incoming: Telco Option: | Rem Login= | Transfer Type= 64K | Rem Password= | Allocated Budget(min)= | Rem CLID= | Period(hr)= | Call Back= No | Schedules= 1,3,4,11 | Outgoing: Carrier Access Code= | My Login= | Nailed-Up Connectio...

Page 255: ...menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service. 6. You have disabled that service in one of the remote management screens. 7. The IP address in the Secured Client IP fie...

Page 256: ...on the command line. 24.2 Telnet: You can configure your Prestige for remote Telnet access as shown next. Figure 24.1 Telnet Configuration on a TCP/IP Network. 24.3 FTP: You can upload and download Presti...

Page 257: ...terface, if any, by pressing the SPACE BAR. Choices are LAN only, WAN only, All or Disable. The default is LAN only. Secured Client IP: The default 0.0.0.0 allows any client to use this service to remotely ma...


Page 259: ...ons for secure data communications across a public network like the Internet. IPSec is built around a number of standardized cryptographic techniques to provide confidentiality, data integrity and authe...

Page 260: ...Prestige supports the following VPN applications. Linking Two or More Private Networks Together: Connect branch offices and business partners over the Internet with significant cost savings and improved...

Page 261: Prestige 202H User's Guide, Introduction to VPN/IPSec, 25-3. Figure 25.2 VPN Application. 25.2 IPSec Architecture: The overall IPSec architecture is shown as follows...

Page 262: ...e, including implementation algorithms. The Encryption Algorithm describes the use of encryption techniques such as the DES (Data Encryption Standard) and Triple DES algorithms. The Authentication Algorithms, H...

Page 263: ...for integrity against the data. With the use of AH as the security protocol, protection is extended forward into the IP header to verify the integrity of the entire packet by use of portions of the orig...

Page 264: ...t the receiving end doesn't know about the NAT in the middle, so it assumes that the data has been maliciously altered. IPSec using ESP in Tunnel mode encapsulates the entire original packet, including h...

Page 265: ...connections. 26.1.1 VPN/IPSec SMT Menus: The VPN/IPSec main SMT menu has three main submenus. 1. Define VPN policies in menu 27.1 submenus, including security policies, endpoint IP addresses, peer IPSec rou...

Page 266: ...cations where confidentiality is not required or not sanctioned by government encryption restrictions, an AH can be employed to ensure integrity. This type of implementation does not protect the informa...

Page 267: ...Sec Gateway Addr is the WAN IP address or domain name of the remote IPSec router (secure gateway). If the remote secure gateway has a static public IP address, enter it in the Secure Gateway Addr fiel...

Page 268: ...6.5 IPSec Summary: Type 1 in menu 27 and then press ENTER to display Menu 27.1 IPSec Summary. This is a summary, read-only menu of your IPSec rules (tunnels). Edit or create an IPSec rule by selecting an in...

Page 269: ...1 IPSec Summary: FIELD / DESCRIPTION / EXAMPLE. #: This is the VPN policy index number. 001. Name: This field displays the unique identification name for this VPN rule. The name may be up to 32 characters long but...

Page 270: ...1.2 if "-" is displayed. Tunnel. IPSec Algorithm: This field displays the security protocols used for an SA. ESP provides confidentiality and integrity of data by encrypting the data and encapsulating it int...

Page 271: ...p is configured to Range, this is the end (static) IP address in a range of computers on the network behind the remote IPSec router. When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to SU...

Page 272: ...Prestige identifies incoming SAs by ID type and content, since this identifying information is not encrypted. This enables the Prestige to distinguish between multiple rules for SAs that connect from r...

Page 273: ...ige automatically use the address in the Secure Gateway field. DNS: Type a domain name (up to 31 characters) by which to identify the remote IPSec router. E-mail: Type an e-mail address (up to 31 characters)...

Page 274: ...ocal ID content = 1.1.1.10 / Local ID content = 1.1.1.10; Peer ID type = E-mail / Peer ID type = IP; Peer ID content = aa@yahoo.com / Peer ID content = N/A. 26.8 Pre-Shared Key: A pre-shared key identifies a communicating...

Page 275: ...ige automatically re-initiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this feature to work. No. Local ID...

Page 276: ...PN tunnel has to be rebuilt if this IP address changes. 0.0.0.0. Peer ID Type: Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain n...

Page 277: ...y time. Addr Type: Press SPACE BAR to choose SINGLE, RANGE or SUBNET and press ENTER. Select SINGLE for a single IP address. Select RANGE for a specific range of IP addresses. Select SUBNET to specify IP a...

Page 278: ...ddresses on a network by their subnet mask. SUBNET. IP Addr Start: When the Addr Type field is configured to Single, enter a static IP address on the network behind the remote IPSec router. When the Addr T...

Page 279: ...SPACE BAR to choose either IKE or Manual and then press ENTER. Manual is useful for troubleshooting if you have problems using IKE key management. IKE. Edit Key Management Setup: Press SPACE BAR to change...

Page 280: ...ready established, the IPSec SA stays connected. In phase 2 you must: choose which protocol to use (ESP or AH) for the IKE key exchange; choose an encryption algorithm; choose an authentication algorithm; cho...

Page 281: ...otection. It is useful in remote access situations where the address of the initiator is not known by the responder and both parties want to use pre-shared key authentication. 26.10.2 Diffie-Hellman (DH) K...

Page 282: ...s connecting through a secure gateway must have the same negotiation mode. Main. Pre-Shared Key: Prestige gateways authenticate an IKE VPN session by matching pre-shared keys. Pre-shared keys are best for...

Page 283: ...renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication...

Page 284: ...12.1 Active Protocol: This field is a combination of mode and security protocols used for the VPN. These parameters were discussed earlier. Table 26.9 Active Protocol: Encapsulation and Security Protocol...

Page 285: ...up a tunnel without encryption. When you select NULL, you do not enter any encryption keys. DES: Key1: Enter a unique eight-character key. Any character may be used, including spaces, but trailing spaces are...

Page 286: ...ces, but trailing spaces are truncated. N/A. When you have completed this menu, press ENTER at the prompt "Press ENTER to Confirm" to save your configuration, or press ESC at any time to cancel. 26.13 Telecom...

Page 287: ...TELECOMMUTER / HEADQUARTERS. My IP Address: 0.0.0.0 (dynamic IP address assigned by the ISP) / Public static IP address. Secure Gateway IP Address: Public static IP address or domain name / 0.0.0.0. With this IP a...

Page 288: ...s a Prestige at headquarters. They can use different IPSec parameters, including the pre-shared key, and the local IP addresses (or ranges of addresses) can overlap. See the following graphic for an example...

Page 289: ...ections. An SA times out automatically after one minute if there is no traffic. 1. Use the Refresh function to display active VPN connections. 2. Use the Disconnect function to cut off active connections. T...

Page 290: ...sulating it into IP packets. Encryption methods include 56-bit DES and 168-bit 3DES. NULL denotes a tunnel without encryption. An incoming SA may have an AH in addition to ESP. The Authentication Header p...

Page 291: ...following figure shows a typical log from the VPN connection peer. Index / Date / Time / Log: 001 01 Jan 08:02:22 Send Main Mode request to 192.168.100.101; 002 01 Jan 08:02:22 Send: SA; 003 01 Jan 08:02:22 Recv...

Page 292: ...Recv Main Mode request from IP / Recv Aggressive Mode request from IP: The Prestige has received an IKE negotiation request from the peer. Send: Symbol Symbol / Recv: Symbol Symbol: IKE uses the ISAKMP protocol...

Page 293: ...emote IP address ranges. If these ranges differ, then the connection fails. Local/remote IPs of incoming request conflict with rule d: If the security gateway is 0.0.0.0, the Prestige will use the peer's L...

Page 294: ...t. If the Prestige receives a packet with the wrong sequence number, it will discard it. Inbound packet authentication failed: The authentication configuration settings are incorrect. Please check them. Inb...

Page 295: Prestige 202H User's Guide, IPSec Log, 28-5. Table 28.3 RFC 2408 ISAKMP Payload Types: LOG DISPLAY / PAYLOAD TYPE. NONCE = Nonce; NOTFY = Notification; DEL = Delete; VID = Vendor ID...

Page 296: ...Appendices and Index. Part V: Appendices and Index. This part provides appendices and an index of key terms...


Page 298: ...LEDs turn on when you turn on the Prestige. If the error persists, you may have a hardware problem. In this case you should contact your vendor. 1. Check to see if the Prestige is connected to your comput...

Page 299: ...merica only. The ISDN loopback test failed: If the ISDN initialization is successful, then the loopback test should also work. Verify the telephone numbers that have been entered in Menu 2. The loopback te...

Page 300: ...CLID Authen and Recv Authen. In Menu 14.1, verify the user name and password for the remote dial-in user. If the remote dial-in user is negotiating IP, verify that the IP address is supplied correctly in...

Page 301: ...CORRECTIVE ACTION. When NAT is enabled: use the Prestige's WAN IP address when configuring from the WAN; use the Prestige's LAN IP address when configuring from the LAN. Cannot access the Prestige from t...

Page 302: ...el AA-121A. Input Power: AC 120 Volts, 60 Hz, 18 W max. Output Power: AC 12 Volts, 1.0 A. Power Consumption: 8 W. Safety Standards: UL, CUL (UL 1310, CSA C22.2 No. 223). NORTH AMERICAN PLUG STANDARDS: AC Power Adapter Model D...

Page 303: ...Adapter Model AA-121ABN. Input Power: AC 230 Volts, 50 Hz, 140 mA. Output Power: AC 12 Volts, 1.0 A. Power Consumption: 8 W. Safety Standards: ITS-GS, CE, EN 60950. China Standards: AC Power Adapter Model DV-121AACCP-5720...

Page 304: ...Gateway xxv; Brute force Attack 12-6; BTR, See Base Transmission Rate; budget control 8-5, 10-3; Budget Management 22-2, 22-4, 22-5; C: Call Control 1-4; Call Direction 8-3; Call Filtering 18-1; Call Filters, Built...

Page 305: ...ample 14-6; Mail Server 14-5; Mail Subject 14-5; Tab 14-4; EMAIL 4-3; E-mail Address 4-3; E-mail Alerts 14-5; Enable Wildcard 4-3; Encapsulation 8-8; Enter, See Syntax Conventions; Entering Information 3-2; Error...

Page 306: ...stallation 2-1; Hidden Menus 3-2; HTTP 11-13, 12-1, 12-3, 12-4, 26-13, 26-14; HyperTerminal program 21-6, 21-9; I: i.e., See Syntax Conventions; ICMP echo 12-6; Idle Timeout 8-5, 10-9; Incoming Call Support 1-2; Indust...

Page 307: ...s Translation (NAT) 1-2, 11-1; Notice iii; O: One Minute High 14-10; One Minute Low 14-10; One-Minute High 14-8; Online Registration v; Outgoing Calling Party Number 5-3; Outgoing Data Call Bumping Support 1-3; P...

Page 308: ...22-7, 22-8; Service v, 15-2; Service Type 16-3; Set Up a Schedule 23-2; Single User Account 7-3; SMTP Error Messages 14-6; Smurf 12-6; SNMP 1-2; Community 19-3, 20-10; Configuration 19-2; Get 19-2; Manager 19-2; MIB...

Page 309: ...14-7; Time and Date Setting 22-6, 22-7; Timeout 15-12, 15-13, 15-14; Toll Period 8-5; Traceroute 12-7; Tracing 1-3; Trademarks ii; Troubleshooting A; ISDN Line B; LAN Interface B; Remote Node or ISP C; Remote User...
