manualshive.com logo in svg

ZyXEL Communications Prestige 662HW Series, Руководство пользователя

Серия продуктов ZyXEL Communications Prestige 662HW - это надежные маршрутизаторы с возможностью подключения к Интернету и различными устройствами. Вы можете бесплатно загрузить руководство пользователя на manualshive.com, чтобы узнать больше о функционале и настройках устройства. Надежное решение для вашей домашней сети.

Поделиться
Скачать
background image

Prestige 662HW Series User’s Guide 

Firewalls 

         11-9 

Consider the FTP protocol. A user on the LAN opens a control connection to a server on the Internet 
and requests a file. At this point, the remote server will open a data connection from the Internet. For 
FTP to work properly, this connection must be allowed to pass through even though a connection from 
the Internet would normally be rejected. 

In order to achieve this, the Prestige inspects the application-level FTP data. Specifically, it searches 
for outgoing "PORT" commands, and when it sees these, it adds a cache entry for the anticipated data 
connection. This can be done safely, since the PORT command contains address and port information, 
which can be used to uniquely identify the connection. 

Any protocol that operates in this way must be supported on a case-by-case basis. You can use the 
web configurator’s Custom Ports feature to do this. 

11.6  Guidelines for Enhancing Security with Your Firewall 

♦ 

Change the default password via SMT or web configurator.  

♦ 

Limit who can telnet into your router.  

♦ 

Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled 
service could present a potential security risk. A determined hacker might be able to find 
creative ways to misuse the enabled services to access the firewall or the network.  

♦ 

For local services that are enabled, protect against misuse. Protect by configuring the services to 
communicate only with specific peers, and protect by configuring rules to block packets for the services 
at specific interfaces.  

♦ 

Protect against IP spoofing by making sure the firewall is active.  

♦ 

Keep the firewall in a secured (locked) room.

 

 

11.6.1 Security In General 

You can never be too careful! Factors outside your firewall, filtering or NAT can cause security 
breaches. Below are some generalizations about what you can do to minimize them. 

♦ 

Encourage your company or organization to develop a comprehensive security plan. Good 
network administration takes into account what hackers can do and prepares against attacks. 
The best defense against hackers and crackers is information. Educate all employees about the 
importance of security and how to minimize risk. Produce lists like this one! 

♦ 

DSL or cable modem connections are “always-on” connections and are particularly vulnerable 
because they provide more opportunities for hackers to crack your system. Turn your 
computer off when not in use.  

♦ 

Never give out a password or any sensitive information to an unsolicited telephone call or e-
mail. 

♦ 

Never e-mail sensitive information such as passwords, credit card information, etc., without 
encrypting the information first. 

♦ 

Never submit sensitive information via a web page unless the web site uses secure 
connections. You can identify a secure connection by looking for a small “key” icon on the 
bottom of your browser (Internet Explorer 3.02 or better or Netscape 3.0 or better). If a web 
site uses a secure connection, it is safe to submit information. Secure web transactions are 
quite difficult to crack. 

Содержание Prestige 662HW Series

Страница 1: ...Prestige 662HW Series 802 11g Wireless ADSL 2 4 Port Security Gateway User s Guide Version 3 40 May 2004...

Страница 2: ...by ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does i...

Страница 3: ...nstructions may cause harmful interference to radio communications If this equipment does cause harmful interference to radio television reception which can be determined by turning the equipment off...

Страница 4: ...the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose ZyXEL shall in no event b...

Страница 5: ...09 0 www zyxel de GERMANY sales zyxel de 49 2405 6909 99 ZyXEL Deutschland GmbH Adenauerstr 20 A2 D 52146 Wuerselen Germany 33 0 4 72 52 97 97 FRANCE info zyxel fr 33 0 4 72 52 19 20 www zyxel fr ZyXE...

Страница 6: ...etup Introduction 3 1 3 2 Encapsulation 3 1 3 3 Multiplexing 3 2 3 4 VPI and VCI 3 2 3 5 Wizard Setup Configuration First Screen 3 2 3 6 IP Address and Subnet Mask 3 3 3 7 IP Address Assignment 3 4 3...

Страница 7: ...T Screens 8 1 8 1 NAT Overview 8 1 8 2 SUA Single User Account Versus NAT 8 4 8 3 SUA Server 8 4 8 4 Selecting the NAT Mode 8 5 8 5 Configuring SUA Server 8 6 8 6 Configuring Address Mapping 8 7 8 7 E...

Страница 8: ...2 16 4 Secure Gateway Address 16 2 16 5 VPN Summary Screen 16 2 16 6 Keep Alive 16 4 16 7 NAT Traversal 16 5 16 8 ID Type and Content 16 6 16 9 Pre Shared Key 16 8 16 10 Editing VPN Policies 16 8 16 1...

Страница 9: ...3 Changing the System Password 22 4 Chapter 23 Menu 1 General Setup 23 1 23 1 General Setup 23 1 23 2 Procedure To Configure Menu 1 23 1 Chapter 24 Menu 2 WAN Backup Setup 24 1 24 1 Introduction to WA...

Страница 10: ...n 34 1 34 1 About SNMP 34 1 34 2 Supported MIBs 34 2 34 3 SNMP Configuration 34 2 34 4 SNMP Traps 34 3 Chapter 35 System Security 35 1 35 1 System Security 35 1 35 2 Creating User Accounts on the Pres...

Страница 11: ...e Format 44 1 44 3 Internal SPTGEN FTP Download Example 44 2 44 4 Internal SPTGEN FTP Upload Example 44 3 Appendices and Index XII Appenidx A Troubleshooting A 1 Problems Starting Up the Prestige A 1...

Страница 12: ...WAN IP Addresses 5 1 Figure 5 2 LAN Setup 5 5 Figure 5 3 LAN Static DHCP 5 7 Figure 6 1 RTS CTS 6 2 Figure 6 2 Prestige Wireless Security Levels 6 3 Figure 6 3 Wireless 6 4 Figure 6 4 MAC Address Filt...

Страница 13: ...l Example Rule Summary 12 12 Figure 12 9 Firewall Example Edit Rule Destination Address 12 12 Figure 12 10 Edit Custom Port Example 12 13 Figure 12 11 Firewall Example Edit Rule Select Customized Serv...

Страница 14: ...th Allotment Example 20 4 Figure 20 5 Maximize Bandwidth Usage Example 20 5 Figure 20 6 Bandwidth Borrowing Example 20 6 Figure 20 7 Media Bandwidth Management Summary 20 7 Figure 20 8 Media Bandwidth...

Страница 15: ...e Node Filter PPPoA or PPPoE Encapsulation 28 8 Figure 28 7 Menu 11 6 for VC based Multiplexing 28 8 Figure 28 8 Menu 11 6 for LLC based Multiplexing or PPP Encapsulation 28 9 Figure 28 9 Menu 11 1 Re...

Страница 16: ...Device Filter Sets 33 10 Figure 33 11 Sample Telnet Filter 33 11 Figure 33 12 Menu 21 1 6 1 Sample Filter 33 12 Figure 33 13 Menu 21 1 6 1 Sample Filter Rules Summary 33 13 Figure 33 14 Filtering Ethe...

Страница 17: ...Routing Policy Setup 40 3 Figure 40 3 Menu 25 1 1 IP Routing Policy 40 4 Figure 40 4 Menu 3 2 TCP IP and DHCP Ethernet Setup 40 5 Figure 40 5 Menu 11 3 Remote Node Network Layer Options 40 6 Figure 40...

Страница 18: ...13 Table 6 6 Wireless LAN 802 1x WPA for WPA Protocol 6 15 Table 6 7 Wireless LAN 802 1x WPA for WPA PSK Protocol 6 16 Table 6 8 Local User Database 6 18 Table 6 9 RADIUS 6 18 Table 7 1 WAN Setup 7 4...

Страница 19: ...ration Example 16 7 Table 16 7 VPN IKE 16 9 Table 16 8 VPN IKE Advanced Setup 16 15 Table 16 9 VPN Manual Key 16 18 Table 16 10 VPN SA Monitor 16 21 Table 16 11 VPN Global Setting 16 22 Table 16 12 Te...

Страница 20: ...rk Layer Options 28 5 Table 28 3 Menu 11 8 Advance Setup Options 28 10 Table 29 1 Menu12 1 1 Edit IP Static Route 29 3 Table 30 1 Remote Node Network Layer Options Bridge Fields 30 3 Table 30 2 Menu 1...

Страница 21: ...3 Table 38 2 Menu 24 10 System Maintenance Time and Date Setting 38 5 Table 39 1 Menu 24 11 Remote Management Control 39 2 Table 40 1 Menu 25 1 IP Routing Policy Setup 40 3 Table 40 2 Menu 25 1 1 IP R...

Страница 22: ...t A 9 Troubleshooting Remote Management A 3 Chart B 1 Classes of IP Addresses B 1 Chart B 2 Allowed IP Address Range By Class B 2 Chart B 3 Natural Masks B 2 Chart B 4 Alternative Subnet Mask Notation...

Страница 23: ...interfaces Related Documentation Supporting Disk Refer to the included CD for support documents Compact Guide The Compact Guide is designed to help you get up and running right away They contain conn...

Страница 24: ...use e g as a shorthand for for instance and i e for that is or in other words throughout this manual The Prestige 662HW series 802 11g Wireless ADSL 2 4 Port Security Gateway may be referred to as th...

Страница 25: ...al services ADSL are suitable for Internet users because more information is usually downloaded than uploaded For example a simple button click in a web browser can start an extended download that inc...

Страница 26: ......

Страница 27: ...t I I Getting Started This part is structured as a step by step guide to help you access your Prestige It covers key features and applications accessing the web configurator and configuring the wizar...

Страница 28: ......

Страница 29: ...etc By integrating DSL and NAT the Prestige provides ease of installation and Internet access The Prestige is also a complete security solution with a robust firewall and content filtering Three Pres...

Страница 30: ...firewall is activated all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN The Prestige firewall supports TCP UDP inspection DoS detection and prevention real t...

Страница 31: ...ireless network to help keep network communications private Wi Fi Protected Access Wi Fi Protected Access WPA is a subset of the IEEE 802 11i security specification draft Key differences between WPA a...

Страница 32: ...fer of either 10 Mbps or 100 Mbps in either half duplex or full duplex mode depending on your Ethernet network Auto Crossover MDI MDI X 10 100 Mbps Ethernet Interface s These interfaces automatically...

Страница 33: ...ditionally routing is based on the destination address only and the router takes the shortest path to forward a packet IP Policy Routing IPPR provides a mechanism to override the default routing behav...

Страница 34: ...Ease of Installation Your Prestige is designed for quick intuitive and easy installation Housing Your Prestige s compact and ventilated housing minimizes space requirements making it easy to position...

Страница 35: ...ion from attacks by Internet hackers By default the firewall blocks all incoming traffic from the WAN The firewall supports TCP UDP inspection and DoS Denial of Services detection and prevention as we...

Страница 36: ......

Страница 37: ...g the Prestige Web Configurator 1 Make sure your Prestige hardware is properly connected refer to the Compact Guide 2 Prepare your computer computer network to connect to the Prestige refer to the Com...

Страница 38: ...the RESET button for ten seconds or until the PWR SYS LED begins to blink and then release it When the PWR SYS LED begins to blink the defaults have been restored and the Prestige restarts 2 4 Navigat...

Страница 39: ...erties and WAN backup settings NAT SUA Only Use this screen to configure servers behind the Prestige Full Feature Use this screen to configure network address translation mapping rules Dynamic DNS Use...

Страница 40: ...hange your Prestige s log settings View Log Use this screen to view the logs for the categories that you selected Media Bandwidth Management Summary Use this screen to allocate an interface s outgoing...

Страница 41: ...your ISP 3 2 2 PPP over Ethernet PPPoE provides access control and billing functionality in a manner similar to dial up services using PPP The Prestige bridges a PPP session over Ethernet PPP over Eth...

Страница 42: ...tifying information being contained in each packet header Despite the extra bandwidth and processing overhead this method may be advantageous if it is not practical to have a separate VC for each carr...

Страница 43: ...btain your network number depends on your particular situation If the ISP or your network administrator assigns you a block of registered IP addresses follow their instructions in selecting the IP add...

Страница 44: ...or a static IP you must fill in all the IP Address and ENET ENCAP Gateway fields as supplied by your ISP However for a dynamic IP the Prestige acts as a DHCP client on the WAN port and so the IP Addre...

Страница 45: ...ction when turned on and whenever the connection is down A nailed up connection can be very expensive for obvious reasons Do not specify a nailed up connection unless your telephone company offers fla...

Страница 46: ...elow Connection Select Connect on Demand when you don t want the connection up all the time and specify an idle time out in seconds in the Max Idle Timeout field The default setting selects Connection...

Страница 47: ...atic IP address is a fixed IP that your ISP gives you A dynamic IP address is not fixed the ISP assigns you a different one each time you connect to the Internet The Single User Account feature can be...

Страница 48: ...rnet Connection with PPPoA LABEL DESCRIPTION User Name Enter the login name that your ISP gives you Password Enter the password associated with the user name above IP Address This option is available...

Страница 49: ...ext to continue to the next wizard screen 3 11 DHCP Setup DHCP Dynamic Host Configuration Protocol RFC 2131 and RFC 2132 allows individual clients to obtain TCP IP configuration at start up from a ser...

Страница 50: ...rd Setup Figure 3 6 Wizard Screen 3 If you want to change your Prestige LAN settings click Change LAN Configuration to display the screen as shown next Figure 3 7 Wizard LAN Configuration The followin...

Страница 51: ...r When DHCP server is used set the following items Client IP Pool Starting Address This field specifies the first of the contiguous addresses in the IP address pool Size of Client IP Pool This field s...

Страница 52: ...ser and navigate to www zyxel com Internet access is just the beginning Refer to the rest of this User s Guide for more detailed information on the complete range of Prestige features If you cannot ac...

Страница 53: ...Password LAN Wireless LAN and WAN II P Pa ar rt t I II I Password LAN Wireless LAN and WAN This part covers the password LAN Local Area Network Wireless LAN and WAN setup...

Страница 54: ......

Страница 55: ...commended click Password The screen appears as shown Figure 4 1 Password The following table describes the fields in this screen Table 4 1 Password LABEL DESCRIPTION Old Password Type the default pass...

Страница 56: ......

Страница 57: ...S Server Address DNS Domain Name System is for mapping a domain name to its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP addres...

Страница 58: ...w the IP address of a computer before you can access it There are two ways that an ISP disseminates the DNS server addresses The ISP tells you the DNS server addresses usually in the form of an inform...

Страница 59: ...in the range 224 0 0 0 to 239 255 255 255 The address 224 0 0 0 is not assigned to any group and is used by IP multicast computers The address 224 0 0 1 is used for query messages and is assigned to t...

Страница 60: ...tination The following lists out the steps taken when a computer tries to access the Internet for the first time through the Prestige 1 When a computer which is in a different subnet first attempts to...

Страница 61: ...ystems that support the DHCP client If set to None the DHCP server will be disabled If set to Relay the Prestige acts as a surrogate DHCP server and relays DHCP requests and responses between the remo...

Страница 62: ...d IGMP v2 Select None to disable it Any IP Setup Select this option to activate the Any IP feature This allows a computer to access the Internet without changing the network settings such as IP addres...

Страница 63: ...atic DHCP LABEL DESCRIPTION This is the index number of the Static IP table entry row MAC Address Type the MAC address with colons of a computer on your LAN IP Address This field specifies the size or...

Страница 64: ......

Страница 65: ...evices Channels available depend on your geographical area You may have a choice of channels for your region so you should use a different channel than an adjacent AP access point to reduce interferen...

Страница 66: ...ler than the specified RTS CTS directly to the AP without the RTS Request To Send CTS Clear to Send handshake You should only configure RTS CTS if the possibility of hidden nodes exists on your networ...

Страница 67: ...restige your network is accessible to any wireless networking device that is within range Use the Prestige web configurator to configurator to set up your wireless LAN security settings Refer to the c...

Страница 68: ...LABEL DESCRIPTION Enable Wireless LAN The wireless LAN is turned off by default before you enable the wireless LAN you should configure some security by setting MAC filters and or 802 1x security oth...

Страница 69: ...ige and the wireless stations must use the same WEP key for data transmission If you chose 64 bit WEP then enter any 5 ASCII characters or 10 hexadecimal characters 0 9 A F If you chose 128 bit WEP th...

Страница 70: ...he list of MAC addresses in the MAC Address table Select Deny Association to block access to the router MAC addresses not listed will be allowed to access the router Select Allow Association to permit...

Страница 71: ...erform mutual authentication 6 6 2 RADIUS RADIUS is based on a client sever model that supports authentication authorization and accounting The access point is the client and the server is the RADIUS...

Страница 72: ...pport multiple types of user authentication By using EAP to interact with an EAP compatible RADIUS server the access point helps a wireless station and a RADIUS server perform authentication Figure 6...

Страница 73: ...he wireless clients This all happens in the background automatically The Message Integrity Check MIC is designed to prevent an attacker from capturing data packets altering them and resending them The...

Страница 74: ...em 1 The AP passes the wireless client s authentication request to the RADIUS server 2 The RADIUS server then checks the user s identification against its database and grants or denies network access...

Страница 75: ...Enable without Dynamic WEP Key Shared WEP Yes Disable WPA WEP No Yes WPA TKIP No Yes WPA PSK WEP Yes Yes WPA PSK TKIP Yes Yes 6 11 Wireless Client WPA Supplicants A wireless client supplicant is the...

Страница 76: ...red allows all wireless stations access to the wired network without entering usernames and passwords This is the default setting Authentication Required means that all wireless stations have to enter...

Страница 77: ...passwords in order to stay connected This field is activated only when you select Authentication Required in the Wireless Port Control field Enter a time interval between 10 and 9999 seconds The defa...

Страница 78: ...r database on the Prestige for a wireless station s username and password Select RADIUS Only to have the Prestige just check the user database on the specified RADIUS server for a wireless station s u...

Страница 79: ...ffic if the Key Management Protocol is WPA and WPA Mixed Mode is disabled WEP is used automatically if you have enabled WPA Mixed Mode All unicast traffic is automatically encrypted by TKIP when WPA o...

Страница 80: ...ific credentials Type a pre shared key from 8 to 63 case sensitive ASCII characters including spaces and symbols WPA Mixed Mode The Prestige can operate in WPA Mixed Mode which supports both clients r...

Страница 81: ...authenticate wireless users without interacting with a network RADIUS server However there is a limit on the number of users you may authenticate in this way To change your Prestige s local user data...

Страница 82: ...cel Click Cancel to begin configuring this screen again 6 14 Configuring RADIUS Once you enable the EAP authentication you need to specify the external sever for remote user authentication and account...

Страница 83: ...list box to enable user authentication through an external accounting server Server IP Address Enter the IP address of the external accounting server in dotted decimal notation Port Number The default...

Страница 84: ......

Страница 85: ...direct route next In the same manner the Prestige uses the dial backup route if the traffic redirect route also fails If you want the dial backup route to take first priority over the traffic redirect...

Страница 86: ...an cell rate of each bursty traffic source It specifies the maximum average rate at which cells can be sent over the virtual connection SCR may not be greater than the PCR Maximum Burst Size MBS is th...

Страница 87: ...Prestige is in bridge mode you set the Prestige to use a static fixed WAN IP address 7 6 Configuring WAN Setup To change your Prestige s WAN remote node settings click WAN and WAN Setup The screen dif...

Страница 88: ...S Type Select CBR Continuous Bit Rate to specify fixed always on bandwidth for voice or data traffic Select UBR Unspecified Bit Rate for applications that are non time sensitive such as e mail Select...

Страница 89: ...apsulation only This field is available when you select PPPoE encapsulation In addition to the Prestige s built in PPPoE client you can enable PPPoE pass through to allow up to ten hosts on the LAN to...

Страница 90: ...gure 7 3 Traffic Redirect Example The following network topology allows you to avoid triangle route security issues when the backup gateway is connected to the LAN Use IP alias to configure the LAN in...

Страница 91: ...7 Figure 7 4 Traffic Redirect LAN Setup 7 8 Configuring WAN Backup To change your Prestige s WAN backup settings click WAN then WAN Backup The screen appears as shown Figure 7 5 WAN Backup The follow...

Страница 92: ...gher priority connection Type the number of seconds 30 recommended for the Prestige to wait between checks Allow more time if your destination IP address handles lots of traffic Timeout Type the numbe...

Страница 93: ...etween the dial backup port and the external device Available speeds are 9600 19200 38400 57600 115200 or 230400 bps User Name Type the login name assigned by your ISP Password Type the password assig...

Страница 94: ...User s Guide 7 10 WAN Setup Figure 7 6 Advanced WAN Backup The following table describes the fields in this screen Table 7 3 Advanced WAN Backup LABEL DESCRIPTION Basic Login Name Type the login name...

Страница 95: ...ng the three routes the Prestige uses normal traffic redirect and dial backup Type a number 1 to 15 to set the priority of the dial backup route for data transmission The smaller the number the higher...

Страница 96: ...e connection automatically if it is disconnected Connect on Demand Select Connect on Demand when you don t want the connection up all the time and specify an idle time out in the Max Idle Timeout fiel...

Страница 97: ...ommand ATH 7 12 Response Strings The response strings tell the Prestige the tags or labels immediately preceding the various call parameters sent from the WAN device The response strings have not been...

Страница 98: ...eyword preceding the connection speed Example CONNECT Call Control Dial Timeout Type a number of seconds for the Prestige to try to set up an outgoing call before timing out stopping Example 60 Retry...

Страница 99: ...NAT Dynamic DNS and Time and Date III P Pa ar rt t I II II I NAT Dynamic DNS and Time and Date This part covers NAT Network Address Translation dynamic DNS Domain Name Sever and Time and Date setup...

Страница 100: ......

Страница 101: ...rk while an inside global address IGA is the IP address of the same inside host when the packet is on the WAN side The following table summarizes this information Table 8 1 NAT Definitions ITEM DESCRI...

Страница 102: ...address on the LAN and the IGA is the destination address on the WAN NAT maps private local IP addresses to globally unique ones required for communication with hosts on other networks It replaces th...

Страница 103: ...ous ZyXEL routers supported the SUA Only option in today s routers Many to Many Overload In Many to Many Overload mode the Prestige maps the multiple local IP addresses to shared global IP addresses M...

Страница 104: ...xample web or FTP that you can make visible to the outside world even though SUA makes your whole inside network appear as a single computer to the outside world You may enter a single port number or...

Страница 105: ...t Transfer protocol or WWW Web 80 POP3 Post Office Protocol 110 NNTP Network News Transport Protocol 119 SNMP Simple Network Management Protocol 161 SNMP trap 162 PPTP Point to Point Tunneling Protoco...

Страница 106: ...it Details Click this link to go to the NAT Edit SUA NAT Server Set screen Full Feature Select this radio button if you have multiple public WAN IP addresses for your Prestige Edit Details Click this...

Страница 107: ...e port number again in the Start Port No field above and then enter it again in this field To forward a series of ports enter the last port number in a series that begins with the port number in the S...

Страница 108: ...le describes the fields in this screen Table 8 6 Address Mapping Rules LABEL DESCRIPTION Local Start IP This is the starting Inside Local IP Address ILA Local IP addresses are N A for Server port mapp...

Страница 109: ...L routers supported only M M Ov Overload Many to Many Overload mode maps multiple local IP addresses to shared global IP addresses MM No No Overload Many to Many No Overload mode maps each local IP ad...

Страница 110: ...utside world Local Start IP This is the starting local IP address ILA Local IP addresses are N A for Server port mapping Local End IP This is the end local IP address ILA If your rule is for all local...

Страница 111: ...all you even if they don t know your IP address First of all you need to have registered a dynamic DNS account with www dyndns org This is for people with a dynamic IP from their ISP or DHCP server th...

Страница 112: ...S service provider Host Names Type the domain name assigned to your Prestige by your Dynamic DNS provider E mail Address Type your e mail address User Type your user name Password Type the password as...

Страница 113: ...e s time and date settings 10 1 Configuring Time and Date To change your Prestige s time and date click Time And Date The screen appears as shown Use this screen to configure the Prestige s time based...

Страница 114: ...Date Enter the month and day that your daylight savings time starts on if you selected Daylight Savings End Date Enter the month and day that your daylight savings time ends on if you selected Dayligh...

Страница 115: ...l Content Filter and Anti Virus Packet Scan This part introduces firewalls in general and the Prestige firewall It also explains customized services and logs and gives example firewall rules and an ov...

Страница 116: ......

Страница 117: ...alls Stateful Inspection Firewalls 11 2 1 Packet Filtering Firewalls Packet filtering firewalls restrict access based on the source destination computer network address of a packet and the type of app...

Страница 118: ...1 2 or in the web configurator The Prestige s purpose is to allow a private Local Area Network LAN to be securely connected to the Internet The Prestige can be used to prevent theft destruction and mo...

Страница 119: ...figuring or managing the computer is not careful a hacker could attack it over an unprotected port Some of the most common IP ports are Table 11 1 Common IP Ports 21 FTP 53 DNS 23 Telnet 80 HTTP 25 SM...

Страница 120: ...g queue SYN ACKs are moved off the queue only when an ACK comes back or when an internal timer which is set at relatively long intervals terminates the three way handshake Once the queue is full the s...

Страница 121: ...e Figure 11 4 Smurf Attack ICMP Vulnerability ICMP is an error reporting protocol that works in concert with IP The following ICMP types trigger an alert Table 11 2 ICMP Commands That Trigger Alerts 5...

Страница 122: ...ckets are compared to packets that are already known to be trusted For example if you access some outside service the proxy server remembers things about your original request like the port number and...

Страница 123: ...tbound packet The inbound packet is evaluated against the inbound access list and is permitted because of the temporary access list entry previously created 7 The packet is inspected by a firewall rul...

Страница 124: ...ion is extracted and checked against the cache A packet is only allowed to pass through if it corresponds to a valid connection that is if it is a response to a connection which originated on the LAN...

Страница 125: ...ces to communicate only with specific peers and protect by configuring rules to block packets for the services at specific interfaces Protect against IP spoofing by making sure the firewall is active...

Страница 126: ...omparisons between the Prestige s filtering and firewall functions 11 7 1 Packet Filtering The router filters packets as they pass through the router s interface according to the filter rules you desi...

Страница 127: ...ur network A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule making the firewall a better choice when complex rules are required To selec...

Страница 128: ......

Страница 129: ...er This allows computers on the LAN to manage the Prestige and communicate between networks or subnets connected to the LAN interface LAN to WAN By default the Prestige s stateful packet inspection bl...

Страница 130: ...affected The more specific the better For example if traffic is being allowed from the Internet to the LAN it is better to allow only certain machines on the Internet to access the LAN 12 3 2 Security...

Страница 131: ...e of IPs or a subnet 12 4 Connection Direction This section talks about configuring firewall rules for connections going from LAN to WAN and WAN to LAN in your firewall 12 4 1 LAN to WAN Rules The def...

Страница 132: ...sage can be immediately sent to an e mail account that you specify in the Log Settings screen see the chapter on logs 12 5 Configuring Basic Firewall Settings Click Firewall and then Default Policy to...

Страница 133: ...er subnet on the LAN interface of the Prestige or the Prestige itself Default Action Use the radio buttons to select whether to Block silently discard or Forward allow the passage of packets that are...

Страница 134: ...to traffic traveling in the selected packet direction The firewall rules that you configure summarized below take priority over the general firewall action settings above Rule This is your firewall r...

Страница 135: ...sert to add a new firewall rule before the specified index number Click Append to add a new firewall rule after the specified index number Move Type a rule s index number and the number for where you...

Страница 136: ...Prestige 662HW Series User s Guide 12 8 Firewall Configuration Figure 12 5 Firewall Edit Rule The following table describes the labels in this screen...

Страница 137: ...elete to remove it Services Available Selected Services Please see Table 12 6 for more information on services available Highlight a service from the Available Services box on the left then click Add...

Страница 138: ...d Services Table 12 4 Customized Services LABEL DESCRIPTION No This is the number of your customized port Click a rule s number of a service to go to the Firewall Customized Services Config screen to...

Страница 139: ...Range to specify a span of ports that define your customized service Port Number Type a single port number or the range of port numbers that define your customized service Back Click Back to return to...

Страница 140: ...t the rule For example if you type 6 your new rule becomes number 6 and the previous rule 6 if there is one becomes rule 7 4 Click Insert to display the firewall rule configuration screen 5 Select Any...

Страница 141: ...Services link to open the Customized Service Config screen Configure it as follows and click Apply Figure 12 10 Edit Custom Port Example 8 In the Edit Rule screen use the Add and Remove buttons betwee...

Страница 142: ...Prestige 662HW Series User s Guide 12 14 Firewall Configuration Figure 12 11 Firewall Example Edit Rule Select Customized Services...

Страница 143: ...re 12 5 displays all predefined services that the Prestige already supports Next to the name of the service two fields appear in brackets The first field indicates the IP protocol type TCP UDP or ICMP...

Страница 144: ...667 This is another popular Internet chat program MSN Messenger TCP 1863 Microsoft Networks messenger service uses this protocol MULTICAST IGMP 0 Internet Group Multicast Protocol is used when sending...

Страница 145: ...CACS UDP 49 Login Host Protocol used for Terminal Access Controller Access Control System TELNET TCP 23 Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environme...

Страница 146: ...its unused TCP ports Note that the probing packets must first traverse the Prestige s firewall mechanism before reaching this anti probing mechanism Therefore if the firewall mechanism blocks a probin...

Страница 147: ...en sessions rises above a threshold max incomplete high the Prestige starts deleting half open sessions as required to accommodate new connection requests The Prestige continues to delete half open re...

Страница 148: ...g half open sessions One Minute High This is the rate of new half open sessions that causes the firewall to start deleting half open sessions When the rate of new connection attempts rises above this...

Страница 149: ...s is the number of existing half open TCP sessions with the same destination host IP address that causes the firewall to start dropping half open sessions to that same destination host IP address Ente...

Страница 150: ......

Страница 151: ...content filtering You can also specify trusted IP addresses on the LAN for which the Prestige will not perform content filtering 13 2 Configuring Keyword Blocking Use this screen to block sites contai...

Страница 152: ...characters Wildcards are not allowed Add Keyword Click Add Keyword after you have typed a keyword Repeat this procedure to add other keywords Up to 64 keywords are allowed When you try to access a web...

Страница 153: ...sers on the LAN from content filtering on your Prestige click Content Filter and Trusted The screen appears as shown Figure 13 3 Content Filter Trusted The following table describes the labels in this...

Страница 154: ......

Страница 155: ...infected computer inoperable Macro Virus Macros are small programs that are created to perform repetitive actions Macros run automatically when a file to which they are attached is opened Macro viruse...

Страница 156: ...ocal network and the Internet This way the Prestige can scan the traffic transmitting between your local network and the Internet This eliminates the need to install the scanning engine and the patter...

Страница 157: ...ice in the Registration and Virus Information Update screen refer to Section 14 5 for more information Choose which application to be scanned E Mail Select this option to scan incoming outgoing e mail...

Страница 158: ...le in this screen Click Anti Virus and Registration and Virus Information Update to display the screen as shown The Prestige automatically restarts after the virus scan update is complete Figure 14 3...

Страница 159: ...s are 1 hr 12 hr and 24 hr Manually Update Virus Information Click Update Now to download and update to the latest virus pattern file Back Click Back to return to the previous screen Apply Click Apply...

Страница 160: ...Prestige 662HW Series User s Guide 14 6 Anti Virus Packet Scan Figure 14 5 Virus Scan Update Successful The Prestige automatically restarts after the virus scan update is complete...

Страница 161: ...VPN IPSec V P Pa ar rt t V V VPN IPSec This part provides information about configuring VPN IPSec for secure communications...

Страница 162: ......

Страница 163: ...ons for secure data communications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authe...

Страница 164: ...etworks Together Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased lines between sites Accessing Network Res...

Страница 165: ...e use of encryption techniques such as DES Data Encryption Standard and Triple DES algorithms The Authentication Algorithms HMAC MD5 RFC 2403 and HMAC SHA 1 RFC 2404 provide an authentication mechanis...

Страница 166: ...m behind the VPN gateway The security protocol appears after the outer IP header and before the inside IP header 15 4 IPSec and NAT Read this section if you are running IPSec on a host computer behind...

Страница 167: ...ntication is not compatible with NAT although NAT traversal provides a way to use Transport mode ESP when there is a NAT router between the IPSec endpoints see section 16 7 for details Table 15 1 VPN...

Страница 168: ......

Страница 169: ...mployed to ensure integrity This type of implementation does not protect the information from dissemination but will allow for verification of the integrity of the information and authentication of th...

Страница 170: ...ss is the WAN IP address or domain name of the remote IPSec router secure gateway If the remote secure gateway has a static WAN IP address enter it in the Secure Gateway Address field You may alternat...

Страница 171: ...st be static Click VPN and Setup to open the VPN Summary screen This is a read only menu of your IPSec rules tunnels The IPSec summary menu is read only Edit a VPN by selecting an index number and the...

Страница 172: ...c IP addresses in a range of computers are displayed when the Remote Address Type field in the VPN IKE or VPN Manual Key screen is configured to Range A static IP address and a subnet mask are display...

Страница 173: ...the UDP port 500 header and responds IPSec routers A and B build a VPN connection 16 7 1 NAT Traversal Configuration For NAT traversal to work you must Use ESP security protocol in either transport or...

Страница 174: ...ng local and remote IP addresses With main mode see section 16 11 1 the ID type and content are encrypted to provide identity protection In this case the Prestige can only distinguish between up to 12...

Страница 175: ...ain name also does not have to match the remote router s IP address or what you configure in the Secure Gateway Addr field below 16 8 1 ID Type and Content Examples Two IPSec routers must have matchin...

Страница 176: ...otiation see section 16 11 for more on IKE phases It is called pre shared because you have to share it with another party before you can communicate with them over a secure connection 16 10Editing VPN...

Страница 177: ...ect Tunnel mode or Transport mode from the drop down list box DNS Server for IPSec VPN If there is a private DNS server that services the VPN type its IP address here The Prestige assigns this additio...

Страница 178: ...router When the Remote Address Type field is configured to Subnet enter a static IP address on the network behind the remote IPSec router End Subnet Mask When the Remote Address Type field is configur...

Страница 179: ...characters including spaces although trailing spaces are truncated The domain name or e mail address is for identification purposes only and can be any string It is recommended that you type an IP ad...

Страница 180: ...e message or to generate and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is more...

Страница 181: ...man public key cryptography see section 16 11 3 Select None the default to disable PFS Choose Tunnel mode or Transport mode Set the IPSec SA lifetime This field allows you to determine how long the IP...

Страница 182: ...lman groups are supported Upon completion of the Diffie Hellman exchange the two peers have a shared secret but the IKE SA is not authenticated For authentication use pre shared keys 16 11 3 Perfect F...

Страница 183: ...ckets to protect against replay attacks Select YES from the drop down menu to enable replay detection or select NO to disable it Local Start Port 0 is the default and signifies any port Type a port nu...

Страница 184: ...these encryption algorithms for data communications both the sending device and the receiving device must use the same secret key which can be used to encrypt and decrypt the message or to generate an...

Страница 185: ...ost 35 days A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys However every time the VPN tunnel renegotiates all users accessing...

Страница 186: ...hen you select Manual in the IPSec Key Mode field on the VPN IKE screen This is the VPN Manual Key screen as shown next Figure 16 8 VPN Manual Key The following table describes the fields in this scre...

Страница 187: ...in a range of computers on your LAN behind your Prestige When the Local Address Type field is configured to Subnet this is a static IP address on the LAN behind your Prestige End Subnet Mask When the...

Страница 188: ...that uses a 168 bit key As a result 3DES is more secure than DES It also requires more processing power resulting in increased latency and decreased throughput Select NULL to set up a tunnel without e...

Страница 189: ...PSec SA when the SA lifetime expires even if there is no traffic Figure 16 9 VPN SA Monitor The following table describes the fields in this screen Table 16 10 VPN SA Monitor LABEL DESCRIPTION No This...

Страница 190: ...etBIOS over TCP IP NetBIOS Network Basic Input Output System are TCP or UDP broadcast packets that enable a computer to find other computers It may sometimes be necessary to allow NetBIOS packets to p...

Страница 191: ...dress 192 168 1 10 0 0 0 0 N A 16 17 2 Telecommuters Using Unique VPN Rules Example In this example the telecommuters A B and C in the figure use IPSec routers with domain names that are mapped to the...

Страница 192: ...ters Prestige Rule 1 Local ID Type IP Peer ID Type IP Local ID Content 192 168 2 12 Peer ID Content 192 168 2 12 Local IP Address 192 168 2 12 Secure Gateway Address telecommuter1 com Remote Address 1...

Страница 193: ...e 662HW Series User s Guide VPN Screens 16 25 16 18VPN and Remote Management If a VPN tunnel uses Telnet FTP WWW then you should configure remote management Remote Management to allow access for that...

Страница 194: ......

Страница 195: ...mote Management UPnP and Logs This part contains information on how to configure the Prestige for remote management setting up Universal Plug and Play UPnP and setting up and displaying logs Remote Ma...

Страница 196: ......

Страница 197: ...eld You may only have one remote management session running at a time The Prestige automatically disconnects a remote management session of lower priority when another remote management session of hig...

Страница 198: ...istics screen is polling 17 2 Telnet You can configure your Prestige for remote Telnet access as shown next Figure 17 1 Telnet Configuration on a TCP IP Network 17 3 FTP You can upload and download Pr...

Страница 199: ...This field shows the port number for the remote management service You may change the port number for a service in this field but you must use the same port number to use that service for remote manag...

Страница 200: ......

Страница 201: ...ork addressing announce their presence in the network to other UPnP devices and enable exchange of simple product and service descriptions NAT traversal allows the following Dynamic port mapping Learn...

Страница 202: ...hanges through UPnP Select this check box to allow UPnP enabled applications to automatically configure the Prestige so that they can communicate through the Prestige for example by using NAT traversa...

Страница 203: ...Click OK to go back to the Add Remove Programs Properties window and click Next Restart the computer when prompted Installing UPnP in Windows XP Follow the steps below to install the UPnP in Windows...

Страница 204: ...ple This section shows you how to use the UPnP feature in Windows XP You must already have UPnP installed in Windows XP and UPnP activated on the Prestige Make sure the computer is connected to a LAN...

Страница 205: ...dit or delete the port mappings or click Add to manually add port mappings When the UPnP enabled device is disconnected from your computer all port mappings will be deleted automatically Select Show i...

Страница 206: ...lpful if you do not know the IP address of the Prestige Follow the steps below to access the web configurator Click Start and then Control Panel Double click Network Connections Select My Network Plac...

Страница 207: ...Prestige 662HW Series User s Guide UPnP 18 7 Right click on the icon for your Prestige and select Properties A properties window displays with basic information about the Prestige...

Страница 208: ......

Страница 209: ...ttacks access control and attempted access to blocked web sites Some categories such as System Errors consist of both logs and alerts You may differentiate them by their color in the View Log screen A...

Страница 210: ...er name or the IP address of the mail server for the e mail addresses specified below If this field is left blank logs and alert messages will not be sent via e mail Mail Subject Type a title that you...

Страница 211: ...e week the E mail should be sent If you select When Log is Full an alert is sent when the log fills up If you select None no log messages are sent Day for Sending Log Use the drop down list box to sel...

Страница 212: ...his field lists the source IP address and the port number of the incoming packet Destination This field lists the destination IP address and the port number of the incoming packet Notes This field dis...

Страница 213: ...54 03 UDP src port 00520 dest port 00520 1 00 2 Apr 7 00 From 192 168 1 131 To 192 168 1 255 default policy forward 09 54 17 UDP src port 00520 dest port 00520 1 00 3 Apr 7 00 From 192 168 1 6 To 10...

Страница 214: ......

Страница 215: ...Media Bandwidth Management VII P Pa ar rt t V VI II I Media Bandwidth Management This part provides information on the functions and configuration of Media Bandwidth Management...

Страница 216: ......

Страница 217: ...ns display measurements in kbps kilobits per second but this User s Guide also uses Mbps megabits per second for brevity s sake 20 2 Bandwidth Classes and Filters Use bandwidth classes and child class...

Страница 218: ...mple 20 4 2 Subnet based Bandwidth Management Example The following example uses bandwidth classes based solely on LAN subnets Each bandwidth class Subnet A and Subnet B is allotted 320kbps Figure 20...

Страница 219: ...he Prestige to divide up any available bandwidth on the interface including unallocated bandwidth and any allocated bandwidth that a class is not using among the bandwidth classes that require more ba...

Страница 220: ...department only uses 1 Mbps of the budgeted 2 Mbps the Prestige also divides the remaining 1 Mbps among the classes that require more bandwidth Therefore the Prestige divides a total of 3 Mbps total o...

Страница 221: ...class first The child class can also borrow bandwidth from a higher parent class grandparent class if the child class s parent class is also configured to borrow bandwidth from its parent class This c...

Страница 222: ...Bill class cannot borrow unused bandwidth from the Root class because the Sales class has bandwidth borrowing disabled The Amy class cannot borrow unused bandwidth from the Sales USA class because the...

Страница 223: ...ty and treats bandwidth classes of the same level equally 4 The Prestige assigns any remaining unbudgeted bandwidth to traffic that does not match any of the bandwidth classes 20 8 Configuring Summary...

Страница 224: ...the speed of this interface see the Speed field description Back Click Back to go to the main Media Bandwidth Management screen Apply Click Apply to save your settings back to the Prestige Cancel Clic...

Страница 225: ...Click Delete to delete the class and all its child classes You cannot delete the root class Statistics Click Statistics to display the status of the selected class 20 9 1 Media Bandwidth Management Cl...

Страница 226: ...tion Port Source Port and Protocol ID fields SIP Session Initiation Protocol is a signaling protocol used in Internet telephony instant messaging and other VoIP Voice over IP applications Select SIP f...

Страница 227: ...formance information Click the Statistics button in the Class Setup screen to open the Statistics screen Figure 20 10 Media Bandwidth Management Statistics The following table describes the labels in...

Страница 228: ...to clear all of the bandwidth management statistics 20 10 Bandwidth Monitor To view the Prestige s bandwidth usage and allotments click Media Bandwidth Management then Monitor The screen appears as sh...

Страница 229: ...Maintenance VIII P Pa ar rt t V VI II II I Maintenance This part covers the maintenance screens...

Страница 230: ......

Страница 231: ...rt traffic statistics 21 1 Maintenance Overview The maintenance screens can help you view system information upload new firmware manage configuration and restart your Prestige 21 2 System Status Scree...

Страница 232: ...21 2 Maintenance Figure 21 1 System Status The following table describes the fields in this screen Table 21 1 System Status LABEL DESCRIPTION System Status System Name This is the name of your Prestig...

Страница 233: ...estige IP Address This is the LAN port IP address IP Subnet Mask This is the LAN port IP subnet mask DHCP This is the WAN port DHCP role Server Relay not all Prestige models or None DHCP Start IP This...

Страница 234: ...the downstream speed of your Prestige Node Link This field displays the remote node index number and link type Link types are PPPoA ENET RFC 1483 and PPPoE Interface This field displays the type of p...

Страница 235: ...ige as a DHCP server or disable it When configured as a server the Prestige provides the TCP IP configuration for the clients If set to None DHCP service will be disabled and you must have another DHC...

Страница 236: ...the IP address of the network device MAC Address This field displays the MAC Media Access Control address of the computer with the displayed IP address Every Ethernet device has a unique MAC address...

Страница 237: ...has a unique MAC address The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters for example 00 A0 C5 00 00 02 Association Time This field displays the time a wi...

Страница 238: ...you want to ping in order to test a connection Ping Click this button to ping the IP address that you entered Reset System Click this button to reboot the Prestige A warning dialog box is then display...

Страница 239: ...test Make sure you have configured at least one PVC with proper VPIs VCIs before you begin this test The Prestige sends an OAM F5 packet to the DSLAM ATM switch and then returns it loops it back to th...

Страница 240: ...Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the bin file you want to upload Remember that you must decompress compressed zi...

Страница 241: ...Network Temporarily Disconnected After two minutes log in again and check your new firmware version in the System Status screen If the upload was not successful the following screen will appear Click...

Страница 242: ......

Страница 243: ...ystem Management Terminal configuration for general setup WAN backup LAN setup wireless LAN setup Internet access remote node static route NAT and enabling the firewall See the web configurator parts...

Страница 244: ......

Страница 245: ...34 in the Password field 3 After entering the password you will see the main menu Please note that if there is no activity for longer than five minutes default timeout period after you log in your Pre...

Страница 246: ...down to another menu ENTER To move forward to a submenu type in the number of the desired submenu and press ENTER Move up to a previous menu ESC Press ESC to move back to the previous menu Move to a...

Страница 247: ...previous menu Exit the SMT Type 99 then press ENTER Type 99 at the main menu prompt and press ENTER to exit the SMT interface After you enter the password the SMT displays the main menu as shown next...

Страница 248: ...g Policy Setup Use this menu to configure your IP routing policy 26 Schedule Setup Use this menu to schedule outgoing calls 27 VPN IPSec Use this menu to configure VPN connections 99 Exit Use this to...

Страница 249: ...the entry for the Computer name field and enter it as the Prestige System Name In Windows XP click start My Computer View system information and then click the Computer Name tab Note the entry in the...

Страница 250: ...over the ISP assigned domain name zyxel com tw Edit Dynamic DNS Press the SPACE BAR to select Yes or No default Select Yes to configure Menu 1 1 Configure Dynamic DNS discussed next No Route IP Set t...

Страница 251: ...e domain name assigned to your Prestige by your Dynamic DNS provider me dyndns org EMAIL Enter your e mail address mail mailserver USER Enter your user name Password Enter the password assigned to you...

Страница 252: ......

Страница 253: ...stige periodically ping the IP addresses configured in the Check WAN IP Address fields Check WAN IP Address1 3 Configure this field to test your Prestige s WAN accessibility Type the IP address of a r...

Страница 254: ...nu 2 2 Dial Backup Setup Select No default if you do not want to configure this feature When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or...

Страница 255: ...enu 2 WAN Backup Setup press the SPACE BAR to select Yes and then press ENTER Figure 24 3 Menu 2 2 Dial Backup Setup The following table describes the fields in this menu Table 24 3 Menu 2 2 Dial Back...

Страница 256: ...e 24 4 Menu 2 2 1 Advanced Dial Backup Setup AT Commands Fields FIELD DESCRIPTION EXAMPLE AT Command Strings Dial Enter the AT Command string to make a call atdt Drop Enter the AT Command string to dr...

Страница 257: ...ter a number of seconds for the Prestige to keep trying to set up an outgoing call before timing out stopping The Prestige times out and stops if it cannot set up an outgoing call within the timeout v...

Страница 258: ......

Страница 259: ...Ethernet traffic You seldom need to filter Ethernet traffic however the filter sets may be useful to block certain packets reduce traffic and prevent security breaches Figure 25 2 Menu 3 1 LAN Port F...

Страница 260: ...DHCP If set to Server your Prestige can assign IP addresses an IP default gateway and DNS servers to Windows 95 Windows NT and other systems that support the DHCP client If set to None the DHCP server...

Страница 261: ...ulate the subnet mask based on the IP address that you assign Unless you are implementing subnetting use the subnet mask computed by the Prestige 255 255 255 0 RIP Direction Press SPACE BAR to select...

Страница 262: ......

Страница 263: ...eless LAN Setup FIELD DESCRIPTION EXAMPLE ESSID The ESSID Extended Service Set IDentifier identifies the AP to which the wireless stations associate Wireless stations associating to the Access Point m...

Страница 264: ...f data encryption WEP causes performance degradation Disable Default Key Enter the number of the key as an active key Key 1 to Key 4 If you chose 64 bit WEP in the WEP Encryption field then enter 5 ch...

Страница 265: ...d or denied access to the Prestige in these address fields When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC t...

Страница 266: ......

Страница 267: ...ting is applied to incoming packets on a per interface basis prior to the normal routing Create policies using SMT menu 25 see IP Policy Routing and apply them on the Prestige LAN and or WAN interface...

Страница 268: ...TCP IP and DHCP Setup Pressing ENTER displays Menu 3 2 1 IP Alias Setup as shown next Menu 3 2 TCP IP and DHCP Setup DHCP Setup DHCP Server Client IP Pool Starting Address 192 168 1 33 Size of Client...

Страница 269: ...e RIP version Choices are RIP 1 RIP 2B or RIP 2M RIP 1 Incoming Protocol Filters Enter the filter set s you wish to apply to the incoming traffic between this node and the Prestige Outgoing Protocol F...

Страница 270: ...ulation Gateway IP address if you are using ENET ENCAP encapsulation From the main menu type 4 to display Menu 4 Internet Access Setup as shown next Figure 27 6 Menu 4 Internet Access Setup The follow...

Страница 271: ...the peak rate Type the MBS The MBS must be less than 65535 0 My Login Configure the My Login and My Password fields for PPPoA and PPPoE encapsulation only Enter the login name that your ISP gives you...

Страница 272: ......

Страница 273: ...are configuring one of the remote nodes You first choose a remote node in Menu 11 Remote Node Setup You can then edit that node s profile in menu 11 1 as well as configure specific settings in three...

Страница 274: ...application Here are some examples of more suitable combinations in such an application Scenario 1 One VC Multiple Protocols PPPoA RFC 2364 encapsulation with VC based multiplexing is the best combin...

Страница 275: ...ased LLC based Service Name When using PPPoE encapsulation type the name of your PPPoE service here N A Incoming Rem Login Type the login name that this remote node will use to call your Prestige The...

Страница 276: ...is sets a ceiling for outgoing call time for this remote node The default for this field is 0 meaning no budget control Period hr This field is the time period that the budget should be reset For exam...

Страница 277: ...P Bridge field press SPACE BAR to select Yes then press ENTER to display Menu 11 3 Remote Node Network Layer Options Figure 28 3 Menu 11 3 Remote Node Network Layer Options The next table explains fie...

Страница 278: ...imates the cost for this link The number need not be precise but it must be between 1 and 15 In practice 2 or 3 is usually a good number 2 Private This determines if the Prestige will include the rout...

Страница 279: ...restige and also to prevent certain packets from triggering calls You can specify up to 4 filter sets separated by comma for example 1 5 9 12 in each filter field Note that spaces are accepted in this...

Страница 280: ...For VC based multiplexing by prior agreement a protocol is assigned a specific virtual circuit for example VC1 will carry IP Separate VPI and VCI numbers must be specified for each protocol Figure 28...

Страница 281: ...ons In menu 11 1 select PPPoE in the Encapsulation field Figure 28 9 Menu 11 1 Remote Node Profile Menu 11 6 Remote Node ATM Layer Options VPI VCI LLC Multiplexing or PPP Encapsulation VPI 8 VCI 35 AT...

Страница 282: ...to allow up to ten hosts on the LAN to use PPPoE client software on their computers to connect to the ISP via the Prestige Each host can have a separate account and a public WAN IP address PPPoE pass...

Страница 283: ...emote node specifies only the network to which the gateway is directly connected and the Prestige has no knowledge of the networks beyond For instance the Prestige knows about network N2 in the follow...

Страница 284: ...oute Setup Now type the route number of a static route you want to configure Menu 12 Static Route Setup 1 IP Static Route 3 Bridge Static Route Please enter selection Menu 12 1 IP Static Route Setup 1...

Страница 285: ...your Prestige that will forward the packet to the destination On the LAN the gateway must be a router on the same segment as your Prestige over WAN the gateway must be the IP address of one of the re...

Страница 286: ......

Страница 287: ...otocol and it also demands more CPU cycles and memory For efficiency reasons do not turn on bridging unless you need to support protocols other than IP on your network For IP enable the routing if you...

Страница 288: ...0 0 0 0 My WAN Addr 0 0 0 0 NAT Full Feature Address Mapping Set 2 Metric 2 Private No RIP Direction Both Version RIP 2B Multicast IGMP v2 IP Policies Press ENTER to Confirm or ESC to Cancel Menu 11...

Страница 289: ...menu 12 choose option 3 then choose a static route to edit as shown next Figure 30 3 Menu 12 3 1 Edit Bridge Static Route The following table describes the Edit Bridge Static Route menu Table 30 2 Me...

Страница 290: ......

Страница 291: ...rts two types of mapping Many to One and Server See section 31 3 1 for a detailed description of the NAT set for SUA The Prestige also supports Full Feature NAT to map multiple global IP addresses to...

Страница 292: ...e 3 Move the cursor to the Edit IP Bridge field press SPACE BAR to select Yes and then press ENTER to bring up Menu 11 3 Remote Node Network Layer Options Menu 4 Internet Access Setup ISP s Name MyISP...

Страница 293: ...s and submenus to create the mapping table used to assign global addresses to computers on the LAN Set 255 is used for SUA When you select Full Feature in menu 4 or 11 3 the SMT will use Set 1 When yo...

Страница 294: ...ss Mapping Sets Figure 31 4 Menu 15 1 Address Mapping Sets SUA Address Mapping Set Enter 255 to display the next screen see also section 31 1 1 The fields in this menu cannot be changed Menu 15 1 Addr...

Страница 295: ...End IP is 255 255 255 255 255 255 255 255 Global Start IP This is the starting global IP address IGA If you have a dynamic IP enter 0 0 0 0 as the Global Start IP 0 0 0 0 Global End IP This is the en...

Страница 296: ...matches the current packet the Prestige takes the corresponding action and the remaining rules are ignored If there are any empty rules before your new configured rule your configured rule will be pu...

Страница 297: ...the Action field and then selecting a rule brings up the following menu Menu 15 1 1 1 Address Mapping Rule in which you can edit an individual rule and configure the Type Local and Global Start End IP...

Страница 298: ...to One Many to One and Server types N A Server Mapping Set Only available when Type is set to Server Type a number from 1 to 10 to choose a server set from menu 15 2 When you have completed this menu...

Страница 299: ...as an FTP Telnet and SMTP server ports 21 23 and 25 at 192 168 1 33 6 Press ENTER at the Press ENTER to confirm prompt to save your configuration after you define all the servers or press ESC at any t...

Страница 300: ...ress Translation field This is the Many to One mapping discussed in section 31 5 The SUA Only read only option from the Network Address Translation field in menus 4 and 11 3 is specifically pre config...

Страница 301: ...er and all departments use the other IGA Map the FTP servers to the first two IGAs and the other LAN traffic to the remaining IGA Map the third IGA to an inside web server and mail server Four rules n...

Страница 302: ...you must choose the Full Feature option from the Network Address Translation field in menu 4 or menu 11 3 in Figure 31 16 1 Enter 15 from the main menu 2 Enter 1 to configure the Address Mapping Sets...

Страница 303: ...IP Address Assignment Static Ethernet Addr Timeout min 0 Rem IP Addr 0 0 0 0 Rem Subnet Mask 0 0 0 0 My WAN Addr 0 0 0 0 NAT Full Feature Address Mapping Set 2 Metric 2 Private No RIP Direction Both...

Страница 304: ...in Menu 15 NAT Setup 3 Enter 1 in Menu 15 2 NAT Server Sets to see the following menu Configure it as shown Menu 15 1 1 Address Mapping Rules Set Name Example3 Idx Local Start IP Local End IP Global S...

Страница 305: ...ing figure illustrates this Figure 31 19 NAT Example 4 Other applications such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream These application...

Страница 306: ...Example 4 Menu 15 1 1 Address Mapping Rules Menu 15 1 1 1 Address Mapping Rule Type Many to Many No Overload Local IP Start 192 168 1 10 End 192 168 1 12 Global IP Start 10 132 50 1 End 10 132 50 3 S...

Страница 307: ...r the most comprehensive firewall configuration tool your Prestige has to offer For this reason it is recommended that you configure your firewall using the web configurator see the following chapters...

Страница 308: ...tacks when it is active The default Policy sets 1 allow all sessions originating from the LAN to the WAN and 2 deny all sessions originating from the WAN to the LAN You may define additional Policy ru...

Страница 309: ...stem information and diagnosis firmware and configuration file maintenance system maintenance remote management IP Policy Routing call scheduling and Internal SPTGEN for configuration of multiple Pres...

Страница 310: ......

Страница 311: ...ring Call filters are divided into two groups the built in call filters and user defined call filters Your Prestige has built in call filters that prevent administrative for example RIP packets from t...

Страница 312: ...various types of packets Because each filter set can have up to six rules you can have a maximum of 24 rules active for a single port For incoming packets your Prestige applies data filters only Packe...

Страница 313: ...1 Figure 33 4 NetBIOS_WAN Filter Rules Summary Menu 21 1 Filter Set Configuration Filter Filter Set Comments Set Comments 1 _______________ 7 _______________ 2 _______________ 8 _______________ 3 ___...

Страница 314: ...e filter rule number 1 to 6 A Active Y means the rule is active N means the rule is inactive Type The type of filter rule GEN for Generic IP for TCP IP Filter Rules These parameters are displayed here...

Страница 315: ...listed as follows Table 33 2 Rule Abbreviations Used FILTER TYPE DESCRIPTION IP Pr Protocol SA Source Address SP Source Port Number DA Destination Address DP Destination Port Number GEN Off Offset Le...

Страница 316: ...hoose a rule Parameters displayed for each type will be different Choices are TCP IP Filter Rule or Generic Filter Rule TCP IP Filter Rule Active Select Yes to activate or No to deactivate the filter...

Страница 317: ...ld Choices are None Less Greater Equal or Not Equal None TCP Estab This applies only when the IP Protocol field is 6 TCP If Yes the rule matches packets that want to establish TCP connection s SYN 1 a...

Страница 318: ...is section shows you how to configure a generic filter rule The purpose of generic rules is to allow you to filter non IP packets For IP it is generally easier to use the IP rules directly For generic...

Страница 319: ...Filter Rule Active Select Yes to turn on or No to turn off the filter rule No default Offset Type the starting byte of the data portion in the packet that you want to compare The range for this field...

Страница 320: ...here are two classes of filter rules Generic Filter Device rules and Protocol Filter TCP IP rules Generic Filter rules act on the raw data from to LAN and WAN Protocol Filter rules act on IP packets W...

Страница 321: ...ure in this case 6 Type a descriptive name or comment in the Edit Comments field for example TELNET_WAN and press ENTER Press ENTER at the message Press ENTER to confirm or ESC to cancel to open Menu...

Страница 322: ...0 0 0 0 IP Mask 0 0 0 0 Port Port Comp Equal TCP Estab No More No Log None Action Matched Drop Action Not Matched Forward Press ENTER to Confirm or ESC to Cancel Press SPACE BAR to choose this filter...

Страница 323: ...o decide if a packet should be allowed to trigger a call 33 7 1 Ethernet Traffic You seldom need to filter Ethernet traffic however the filter sets may be useful to block certain packets reduce traffi...

Страница 324: ...y default filter set NetBIOS_WAN is inserted in the protocol filters field under Call Filter Sets in menu 11 5 to block local NetBIOS traffic from triggering calls to the ISP Figure 33 15 Filtering Re...

Страница 325: ...manager An agent is a management software module that resides in a managed device the Prestige An agent translates the local management information from the managed device into a form compatible with...

Страница 326: ...ption 22 from the main menu to open Menu 22 SNMP Configuration as shown next The community for Get Set and Trap fields is SNMP terminology for password Figure 34 2 Menu 22 SNMP Configuration The follo...

Страница 327: ...fined in RFC 1215 A trap is sent after booting software reboot 3 linkDown defined in RFC 1215 A trap is sent with the port number when any of the links are down See the following table 4 linkUp define...

Страница 328: ......

Страница 329: ...tore the default configuration file Refer to the section on changing the system password in the Introducing the SMT chapter and the section on resetting the Prestige in the Introducing the Web Configu...

Страница 330: ...al authentication server and Prestige Accounting Server Active Press SPACE BAR to select Yes and press ENTER to enable user authentication through an external accounting server No Server Address Enter...

Страница 331: ...Table 35 2 Menu 23 4 System Security IEEE802 1x FIELD DESCRIPTION Wireless Port Control Press SPACE BAR and select a security mode for the wireless LAN access Select No Authentication Required to all...

Страница 332: ...the Wireless Port Control field Also set the Authentication Databases field to RADIUS Only Local user database may not be used Select Disable to allow wireless stations to communicate with the access...

Страница 333: ...k the user database on the Prestige for a wireless station s username and password If the user name is not found the Prestige then checks the user database on the specified RADIUS server Select RADIUS...

Страница 334: ...long for this user profile When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the prev...

Страница 335: ...System Status is a tool that can be used to monitor your Prestige Specifically it gives you information on your ADSL telephone line status number of packets sent and received To get to System Status...

Страница 336: ...rrent remote node My WAN IP from ISP This is the IP address of the ISP remote node Ethernet This shows statistics for the LAN Status This shows the current status of the LAN Tx Pkts This is the number...

Страница 337: ...Console Port Speed From this menu you have two choices as shown in the next figure Figure 36 3 Menu 24 2 System Information and Console Port Speed 36 3 1 System Information Enter 1 in menu 24 2 to dis...

Страница 338: ...the DHCP setting None Relay or Server of the Prestige 36 3 2 Console Port Speed You can set up different port speeds for the console port through Menu 24 2 2 System Maintenance Console Port Speed You...

Страница 339: ...NIX Syslog as shown next Figure 36 8 Menu 24 3 2 System Maintenance Syslog and Accounting 53 Sat Jan 01 00 00 03 2000 PP01 WARN SNMP TRAP 0 cold start 54 Sat Jan 01 00 00 03 2000 PP01 INFO main init c...

Страница 340: ...te Call ID C01 Incoming Call xxxx connected speed xxxxx Remote Call ID L02 Tunnel Connected L2TP C02 OutCall Connected xxxx connected speed xxxxx Remote Call ID C02 CLID call refused L02 Call Terminat...

Страница 341: ...oto Shutdown Proto LCP ATCP BACP BCP CBCP CCP CHAP PAP IPCP IPXCP Jul 19 11 42 44 192 168 102 2 ZYXEL ppp LCP Closing Jul 19 11 42 49 192 168 102 2 ZYXEL ppp IPCP Closing Jul 19 11 42 54 192 168 102 2...

Страница 342: ...initialize the xDSL link to the telephone company Ping Host Ping the host to see if the links and TCP IP protocol on both systems are working Reboot System Reboot the Prestige Command Mode Type the mo...

Страница 343: ...fer to the label on the bottom of your Prestige ftp put firmware bin ras This is a sample FTP session showing the transfer of the computer file firmware bin to the Prestige ftp get rom 0 config cfg Th...

Страница 344: ...and you don t have to rename the files Please note that terms download and upload are relative to the computer Download means to transfer from the Prestige to the computer while upload means from your...

Страница 345: ...ress of the host server Login Type Anonymous This is when a user I D and password is automatically supplied to the server for anonymous access Anonymous logins will work only if your ISP or service ad...

Страница 346: ...transfer mode to binary before starting data transfer 5 Use the TFTP client see the example below to transfer files between the Prestige and the computer The file name for the configuration file is ro...

Страница 347: ...file transfer is complete WARNING DO NOT INTERRUPT THE FILE TRANSFER PROCESS AS THIS MAY PERMANENTLY DAMAGE YOUR PRESTIGE 37 3 1 Restore Using FTP For details about backup using T FTP please refer to...

Страница 348: ...xample Refer to section 37 2 5 to read about configurations that disallow TFTP and FTP over WAN 37 4 Uploading Firmware and Configuration Files This section shows you how to upload firmware and config...

Страница 349: ...be transferred to the rom 0 file on the system 4 The system reboots automatically after the upload system configuration file process is complete For details on FTP commands please consult the documen...

Страница 350: ...sallow TFTP and FTP over WAN 37 4 5 TFTP File Upload The Prestige also supports the uploading of firmware files using TFTP Trivial File Transfer Protocol over LAN Although TFTP should work over WAN as...

Страница 351: ...rogram For UNIX use get to transfer from the Prestige to the computer put the other way around and binary to set binary transfer mode 37 4 6 TFTP Upload Command Example The following is an example TFT...

Страница 352: ......

Страница 353: ...8 See the included disk or the zyxel com web site for more detailed information on CI commands Enter 8 from Menu 24 System Maintenance A list of valid commands can be found by typing help or at the c...

Страница 354: ...uture outgoing calls will be blocked To access the call control menu select option 9 in menu 24 to go to Menu 24 9 System Maintenance Call Control as shown in the next table Figure 38 3 Menu 24 9 Syst...

Страница 355: ...is the total connection time that has gone by within the allocated budget that you set in menu 11 1 5 10 means that 5 minutes out of a total allocation of 10 minutes have lapsed Elapsed Time Total Per...

Страница 356: ...Use Time Server when Bootup None Time Server Address N A Current Time 00 51 24 New Time hh mm ss 00 51 19 Current Date 2000 01 01 New Date yyyy mm dd 2000 01 01 Time Zone GMT Daylight Saving No Start...

Страница 357: ...unsure of this information Current Time This field displays an updated time only when you reenter this menu New Time Enter the new time in hour minute and second format Current Date This field display...

Страница 358: ......

Страница 359: ...s on configuring firewall rules 39 2 Remote Management To disable remote management of a service select Disable in the corresponding Server Access field Enter 11 from menu 24 to display Menu 24 11 Rem...

Страница 360: ...address 0 0 0 0 Once you have filled in this menu press ENTER at the message Press ENTER to Confirm or ESC to Cancel to save your configuration or press ESC to cancel 39 2 2 Remote Management Limitat...

Страница 361: ...ige s LAN IP address when configuring from the LAN 39 4 System Timeout There is a default system management idle timeout of five minutes three hundred seconds The Prestige automatically logs you out i...

Страница 362: ......

Страница 363: ...hile using low cost paths for batch traffic Load Sharing Network administrators can use IPPR to distribute traffic among multiple paths 40 3 Routing Policy Individual routing policies are used as part...

Страница 364: ...eria and the action of a single policy and whether a policy is active or not Each policy contains two lines The former part is the criteria of the incoming packet and the latter is the action Between...

Страница 365: ...eria Action 1 Y SA 1 1 1 1 1 1 1 1 DA 2 2 2 2 2 2 2 5 SP 20 25 DP 20 25 P 6 T NM PR 0 GW 192 168 1 1 T MT PR 0 2 N __________________________________________________________________________ __________...

Страница 366: ...t Care Packet Length Type the length of incoming packets in bytes The operators in the Len Comp next field apply to packets of this length Len Comp Press SPACE BAR and then ENTER to choose from Equal...

Страница 367: ...ss ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the previous screen 40 5 Applying an IP Policy This section shows you where to apply the IP polici...

Страница 368: ...route Figure 40 6 Example of IP Policy Routing To force Web packets coming from clients with IP addresses of 192 168 1 33 to 192 168 1 64 to be routed to the Internet via the WAN port of the Prestige...

Страница 369: ...ets from any host IP 0 0 0 0 means any host with protocol TCP and port FTP access through another gateway 192 168 1 100 Menu 25 1 1 IP Routing Policy Policy Set Name set1 Active Yes Criteria IP Protoc...

Страница 370: ...S Server 0 0 0 0 Remote DHCP Server N A TCP IP Setup IP Address 192 168 1 1 IP Subnet Mask 255 255 255 0 RIP Direction Both Version RIP 1 Multicast None IP Policies 1 2 Edit IP Alias No Press ENTER to...

Страница 371: ...For example if sets 1 2 3 and 4 in are applied in the remote node then set 1 will take precedence over set 2 3 and 4 as the Prestige by default applies the lowest numbered set first Set 2 will take p...

Страница 372: ...elected then all weekday settings are N A When Once is selected the schedule rule deletes automatically after the scheduled time elapses Once Once Date If you selected Once in the How Often field abov...

Страница 373: ...our schedule sets are configured you must then apply them to the desired remote node s Enter 11 from the Main Menu and then enter the target remote node index Using SPACE BAR select PPPoE or PPPoA in...

Страница 374: ......

Страница 375: ...nal SPTGEN This part provides information about configuring VPN IPSec for secure communications and Internal SPTGEN for configuration of multiple Prestiges See the web configurator parts of this guide...

Страница 376: ......

Страница 377: ...se main submenus 1 Define VPN policies in menu 27 1 submenus including security policies endpoint IP addresses peer IPSec router IP address and key management 2 Menu 27 2 SA Monitor allows you to mana...

Страница 378: ...etup is configured to Single this is a static IP address on the LAN behind your Prestige When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to Range this is the beginning static IP addr...

Страница 379: ...al level of security AH choices are MD5 default 128 bits and SHA 1 160 bits Both AH and ESP increase the Prestige s processing requirements and communications latency delay You need to finish configur...

Страница 380: ...onfirm prompt Use Edit to create or edit a rule Use Delete to remove a rule To edit or delete a rule first make sure you are on the correct page When a VPN rule is deleted subsequent rules do not move...

Страница 381: ...ersal NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers The remote IPSec router must also have NAT traversal enabled You can use NAT traversa...

Страница 382: ...of the computer with which you will make the VPN connection or leave the field blank to have the Prestige automatically use the address in the Secure Gateway Address field When you select DNS in the P...

Страница 383: ...ured to Range enter the end static IP address in a range of computers on the LAN behind your Prestige When the Addr Type field is configured to SUBNET this is a subnet mask on the LAN behind your Pres...

Страница 384: ...ng to connect using a port number that does not match this port number or range of port numbers Some of the most common IP ports are 21 FTP 53 DNS 23 Telnet 80 HTTP 25 SMTP 110 POP3 0 End Enter a port...

Страница 385: ...ceive a PYLD_MALFORMED payload malformed packet if the same pre shared key is not used on both ends Encryption Algorithm The Prestige and the remote IPSec router generate an encryption key from the Di...

Страница 386: ...s Define the length of time before an IPSec Security Association automatically renegotiates in this field It may range from 60 to 3 000 000 seconds almost 35 days 28800 default Encapsulation Press SPA...

Страница 387: ...When you select NULL you do not enter any encryption keys DES Key1 Enter a unique eight character key Any character may be used including spaces but trailing spaces are truncated Fill in the Key1 fie...

Страница 388: ...choose from MD5 or SHA1 and then press ENTER N A Key Enter the authentication key to be used by IPSec if applicable The key must be unique Enter 16 characters for MD5 authentication and 20 characters...

Страница 389: ...when the SA lifetime expires even if there is no traffic 43 2 Using SA Monitor 1 Use the Refresh function to display active VPN connections 2 Use the Disconnect function to cut off active connections...

Страница 390: ...3DES NULL denotes a tunnel without encryption An incoming SA may have an AH in addition to ESP The Authentication Header provides strong integrity and authentication by adding authentication informat...

Страница 391: ...te any field except parameters in the Input column For more text file examples refer to the Example Internal SPTGEN Screens Appendix Menu 1 General Setup 10000000 Configured 0 No 1 Yes 1 10000001 Syst...

Страница 392: ...d Parameter Entered Command Line Example 44 3 Internal SPTGEN FTP Download Example Figure 44 4 Internal SPTGEN FTP Download Example field value is not legal error 1 ROM t is not saved error Line ID 10...

Страница 393: ...al SPTGEN FTP Upload Example c ftp 192 168 1 1 220 PPP FTP version 1 0 ready at Sat Jan 1 03 22 12 2000 User 192 168 1 1 none 331 Enter PASS command Password 230 Logged in ftp bin 200 Type I OK ftp pu...

Страница 394: ......

Страница 395: ...Appendices and Index XII P Pa ar rt t X XI II I Appendices and Index This part contains additional background information and an index or key terms...

Страница 396: ...e you should contact your vendor Problems with the LAN LED Chart A 2 Troubleshooting the LAN LED PROBLEM CORRECTIVE ACTION Check your Ethernet cable connections and type refer to the Compact Guide for...

Страница 397: ...sulation only Make sure that you have entered the correct Service Type User Name and Password be sure to use the correct casing Refer to the WAN Setup chapter web configurator or the Internet Access c...

Страница 398: ......

Страница 399: ...t for details For WAN access you must configure remote management to allow server access from the Wan or all You must also configure a firewall rule to allow access from the WAN Refer to the chapters...

Страница 400: ......

Страница 401: ...s the first three octets make up the network number and the last octet is the host ID Class D addresses begin with 1 1 1 0 Class D addresses are used for multicasting There is also a class E address I...

Страница 402: ...255 255 255 0 Subnetting With subnetting the class arrangement of an IP address is ignored For example a class C address no longer has to have 24 bits of network number and 8 bits of host ID With sub...

Страница 403: ...s by converting one of the host ID bits of the IP address to a network number bit The borrowed host ID bit can be either 0 or 1 thus giving two subnets 192 168 1 0 with mask 255 255 255 128 and 192 16...

Страница 404: ...ubnets The above example illustrated using a 25 bit subnet mask to divide a class C address space into two subnets Similarly to divide a class C address into four subnets you need to borrow two host I...

Страница 405: ...t Address 192 168 1 255 Highest Host ID 192 168 1 254 Example Eight Subnets Similarly use a 27 bit mask to create 8 subnets 001 010 011 100 101 110 The following table shows class C IP address last oc...

Страница 406: ...ing The following table is a summary for class B subnet planning Chart B 13 Class B Subnet Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 1 255 255 128 0 17 2 32766 2 255 25...

Страница 407: ...the switching fabric is already in place 3 It allows the ISP to use the existing dial up model to authenticate and optionally to provide differentiated services Traditional Dial up Scenario The follo...

Страница 408: ...PPoE Client When using the Prestige as a PPPoE client the computers on the LAN see only Ethernet and are not aware of PPPoE This alleviates the administrator from having to manage the PPPoE clients on...

Страница 409: ...etween circuit end points Diagram D 1 Virtual Circuit Topology Think of a virtual path as a cable that contains a bundle of wires The cable connects two points and wires within the cable provide indiv...

Страница 410: ......

Страница 411: ...seen in SMT screens FN Field Name PVA Parameter Values Allowed INPUT An example of what you may enter Applies to the Prestige The following are Internal SPTGEN screens associated with the SMT screens...

Страница 412: ...col filters Set 4 256 30100013 Output device filters Set 1 256 30100014 Output device filters Set 2 256 30100015 Output device filters Set 3 256 30100016 Output device filters Set 4 256 Menu 3 2 TCP I...

Страница 413: ...Both 2 In Only 3 Out Only 0 30201005 Version 0 Rip 1 1 Rip 2B 2 Rip 2M 0 30201006 IP Alias 1 Incoming protocol filters Set 1 256 30201007 IP Alias 1 Incoming protocol filters Set 2 256 30201008 IP Ali...

Страница 414: ...t 4 256 30201023 IP Alias 2 Outgoing protocol filters Set 1 256 30201024 IP Alias 2 Outgoing protocol filters Set 2 256 30201025 IP Alias 2 Outgoing protocol filters Set 3 256 30201026 IP Alias 2 Outg...

Страница 415: ...00 Continued 30501034 Address 32 00 00 00 00 00 00 Menu 4 Internet Access Setup SMT Menu 4 FIN FN PVA INPUT 40000000 Configured 0 No 1 Yes 1 40000001 ISP 0 No 1 Yes 1 40000002 Active 0 No 1 Yes 1 4000...

Страница 416: ...otocol filter set 4 256 40000020 ISP outgoing protocol filter set 1 256 40000021 ISP outgoing protocol filter set 2 256 40000022 ISP outgoing protocol filter set 3 256 40000023 ISP outgoing protocol f...

Страница 417: ...et 2 Active 0 No 1 Yes 0 120102003 IP Static Route set 2 Destination IP address 0 0 0 0 120102004 IP Static Route set 2 Destination IP subnetmask 0 120102005 IP Static Route set 2 Gateway 0 0 0 0 1201...

Страница 418: ...et 5 Active 0 No 1 Yes 0 120105003 IP Static Route set 5 Destination IP address 0 0 0 0 120105004 IP Static Route set 5 Destination IP subnetmask 0 120105005 IP Static Route set 5 Gateway 0 0 0 0 1201...

Страница 419: ...e 0 No 1 Yes 0 120108003 IP Static Route set 8 Destination IP address 0 0 0 0 120108004 IP Static Route set 8 Destination IP subnetmask 0 120108005 IP Static Route set 8 Gateway 0 0 0 0 120108006 IP S...

Страница 420: ...tion IP address 0 0 0 0 120111004 IP Static Route set 11 Destination IP subnetmask 0 120111005 IP Static Route set 11 Gateway 0 0 0 0 120111006 IP Static Route set 11 Metric 0 120111007 IP Static Rout...

Страница 421: ...s 0 0 0 0 120114004 IP Static Route set 14 Destination IP subnetmask 0 120114005 IP Static Route set 14 Gateway 0 0 0 0 120114006 IP Static Route set 14 Metric 0 120114007 IP Static Route set 14 Priva...

Страница 422: ...tart 0 150000005 SUA Server 2 Port End 0 150000006 SUA Server 2 Local IP address 0 0 0 0 150000007 SUA Server 3 Active 0 No 1 Yes 0 150000008 SUA Server 3 Protocol 0 All 6 TCP 1 7 UDP 0 150000009 SUA...

Страница 423: ...r 8 Port End 0 150000036 SUA Server 8 Local IP address 0 0 0 0 150000037 SUA Server 9 Active 0 No 1 Yes 0 150000038 SUA Server 9 Protocol 0 All 6 TCP 1 7 UDP 0 150000039 SUA Server 9 Port Start 0 1500...

Страница 424: ...1 Rule 1 Dest Port Comp 0 none 1 equal 2 not equal 3 less 4 greater 1 210101008 IP Filter Set 1 Rule 1 Src IP address 0 0 0 0 210101009 IP Filter Set 1 Rule 1 Src Subnet Mask 0 210101010 IP Filter Se...

Страница 425: ...0 210102013 IP Filter Set 1 Rule 2 Act Match 1 check next 2 forward 3 drop 3 210102014 IP Filter Set 1 Rule 2 Act Not Match 1 check next 2 forward 3 drop 1 Menu 21 1 1 3 set 1 rule 3 SMT Menu 21 1 1 3...

Страница 426: ...ddress 0 0 0 0 210104005 IP Filter Set 1 Rule 4 Dest Subnet Mask 0 210104006 IP Filter Set 1 Rule 4 Dest Port 137 210104007 IP Filter Set 1 Rule 4 Dest Port Comp 0 none 1 equal 2 not equal 3 less 4 gr...

Страница 427: ...none 1 equal 2 not equal 3 less 4 greater 0 210105013 IP Filter Set 1 Rule 5 Act Match 1 check next 2 forward 3 drop 3 210105014 IP FILTER SET 1 RULE 5 ACT NOT MATCH 1 CHECK NEXT 2 FORWARD 3 DR OP 1...

Страница 428: ...PUT 210201001 IP Filter Set 2 Rule 1 Type 0 none 2 TCP I P 2 210201002 IP Filter Set 2 Rule 1 Active 0 No 1 Yes 1 210201003 IP Filter Set 2 Rule 1 Protocol 6 210201004 IP Filter Set 2 Rule 1 Dest IP a...

Страница 429: ...0 none 1 equal 2 not equal 3 less 4 greater 1 210202008 IP Filter Set 2 Rule 2 Src IP address 0 0 0 0 210202009 IP Filter Set 2 Rule 2 Src Subnet Mask 0 210202010 IP Filter Set 2 Rule 2 Src Port 0 21...

Страница 430: ...Act Not Match 1 check next 2 forward 3 drop 1 Menu 21 1 2 4 Filter set 2 rule 4 SMT Menu 21 1 2 4 FIN FN PVA INPUT 210204001 IP Filter Set 2 Rule 4 Type 0 none 2 TCP I P 2 210204002 IP Filter Set 2 Ru...

Страница 431: ...0205006 IP Filter Set 2 Rule 5 Dest Port 138 210205007 IP Filter Set 2 Rule 5 Dest Port Comp 0 none 1 equal 2 not equal 3 less 4 greater 1 210205008 IP Filter Set 2 Rule 5 Src IP address 0 0 0 0 21020...

Страница 432: ...not equal 3 less 4 greater 0 210206013 IP Filter Set 2 Rule 6 Act Match 1 check next 2 forward 3 drop 3 210206014 IP Filter Set 2 Rule 6 Act Not Match 1 check next 2 forward 3 drop 2 Menu 23 1 System...

Страница 433: ...ver Port 23 241100002 TELNET Server Access 0 all 1 none 2 Lan 3 Wan 0 241100003 TELNET Server Secured IP address 0 0 0 0 241100004 FTP Server Port 21 241100005 FTP Server Access 0 all 1 none 2 Lan 3 W...

Страница 434: ...Prestige 662HW Series User s Guide E 24 Example Internal SPTGEN Screens 990000001 ADSL OPMD 0 etsi 1 norma l 2 gdmt 3 mul timode 3...

Страница 435: ...er the appropriate TCP IP components are installed configure the TCP IP settings in order to communicate with your network If you manually assign IP information instead of using dynamic assignment mak...

Страница 436: ...Add c Select Microsoft from the list of manufacturers d Select Client for Microsoft Networks from the list of network clients and then click OK e Restart your computer so the changes you made take ef...

Страница 437: ...ay s IP address remove previously installed gateways If you have a gateway IP address type it in the New gateway field and click Add 5 Click OK to save and close the TCP IP Properties window 6 Click O...

Страница 438: ...ateway Windows 2000 NT XP 1 For Windows XP click start Control Panel In Windows 2000 NT click Start Settings Control Panel 2 For Windows XP click Network Connections For Windows 2000 NT click Network...

Страница 439: ...Win XP and click Properties 5 The Internet Protocol TCP IP Properties window opens the General tab in Windows XP If you have a dynamic IP address click Obtain an IP address automatically If you have...

Страница 440: ...P address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default gateways in the IP Settings tab...

Страница 441: ...onfigured DNS servers click Advanced and then the DNS tab to order them 8 Click OK to close the Internet Protocol TCP IP Properties window 9 Click OK to close the Local Area Connection Properties wind...

Страница 442: ...ally Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your Prestige in the Router address box 5 Close the TCP IP Control Panel 6 Click Sav...

Страница 443: ...lect Using DHCP from the Configure list 4 For statically assigned settings do the following From the Configure box select Manually Type your IP address in the IP Address box Type your subnet mask in t...

Страница 444: ......

Страница 445: ...de labeled Phone to your telephone Step 2 Connect the side labeled Modem to your Prestige Step 3 Connect the side labeled Line to the telephone wall jack Telephone Microfilters Telephone voice transmi...

Страница 446: ...rs Diagram G 2 Connecting a Microfilter Prestige With ISDN This section relates to people who use their Prestige with ADSL over ISDN digital telephone service only The following is an example installa...

Страница 447: ...router s SMT interface SMT Login Fail Someone has failed to log on to the router s SMT interface WEB Login Successfully Someone has logged on to the router s web configurator interface WEB Login Fail...

Страница 448: ...include the protocol Protocol of the packet for example TCP or UDP that triggered the log Chart H 4 Attack Logs LOG MESSAGE DESCRIPTION attack Protocol The firewall detected an attack The log may also...

Страница 449: ...and the Prestige logged it src IP Protocol Direction Access did not match a firewall rule s source IP address and the Prestige logged it protocol Protocol Direction Access did not match a firewall rul...

Страница 450: ...chable 0 Net unreachable 1 Host unreachable 2 Protocol unreachable 3 Port unreachable 4 A packet that needed fragmentation was dropped because it was set to Don t Fragment DF 5 Source route failed 4 S...

Страница 451: ...P Notes TYPE CODE DESCRIPTION 12 Parameter Problem 0 Pointer indicates the error 13 Timestamp 0 Timestamp request message 14 Timestamp Reply 0 Timestamp reply message 15 Information Request 0 Informat...

Страница 452: ......

Страница 453: ...4 Budget Management 38 2 38 3 BW Budget 20 10 C call back delay 24 5 Call Filtering 33 1 Call Filters Built In 33 1 User Defined 33 1 Call Scheduling 41 1 Maximum Number of Schedule Sets 41 1 PPPoE 4...

Страница 454: ...lter Structure 33 2 Generic Filter Rule 33 8 Remote Node 28 7 Remote Node Filter 28 7 Remote Node Filters 33 14 Sample 33 12 SUA 33 10 TCP IP Filter Rule 33 6 Filter Log 36 6 Filter Rule 33 6 Filter R...

Страница 455: ...Policies 40 5 IP Policy Routing IPPR 1 5 27 1 Applying an IP Policy 40 5 Ethernet IP Policies 40 5 Gateway 40 5 IP Pool Setup 3 9 IP Ports 42 7 42 8 IP Protocol 40 4 IP Routing Policy IPPR 40 1 Benefi...

Страница 456: ...ng 40 1 POP3 8 5 11 3 Port Configuration 12 11 Port Numbers 8 5 PPP Encapsulation 28 9 PPP Log 36 7 PPPoA 28 2 PPTP 8 5 Precedence 40 1 40 4 Pre Shared Key 16 8 Prestige Firewall Application 11 2 Prio...

Страница 457: ...12 9 25 3 28 6 29 3 36 4 Subnet Masks B 2 Subnetting B 2 Supporting Disk xxii SYN Flood 11 4 SYN ACK 11 4 Syntax Conventions xxii Syslog 12 11 12 15 36 5 Syslog IP Address 36 6 Syslog Server 36 5 Sys...

Страница 458: ...Multiplexing 28 2 Virtual Private Network 15 1 VPI VCI 3 2 VPN 15 1 VPN Applications 15 2 W WAN Setup 24 1 WAN to LAN Rules 12 3 Web Configurator 2 1 2 2 2 3 11 2 11 9 12 2 32 2 WEP 6 3 WEP Encryptio...

Отзывы:

Нет отзывов

Похожие инструкции для Prestige 662HW Series

ICP DAS USA GW-7552-B User Manual preview
GW-7552-B
Бренд: ICP DAS USA Страницы: 71
TANDBERG Codian GW 3201 Series Getting Started preview
Codian GW 3201 Series
Бренд: TANDBERG Страницы: 18
Grandstream Networks GXW-410xv User Manual preview
GXW-410xv
Бренд: Grandstream Networks Страницы: 32
ENANCER ONLY SMART HOME D-FTC2E User Manual preview
ONLY SMART HOME D-FTC2E
Бренд: ENANCER Страницы: 9
ProSoft ProLinx 104S Protocol Manual preview
ProLinx 104S
Бренд: ProSoft Страницы: 157
RTA 460ETCUS Product User Manual preview
460ETCUS
Бренд: RTA Страницы: 80
IFM Electronic AC5225 Original Device Manual preview
AC5225
Бренд: IFM Electronic Страницы: 65
IFM ZB0929 Operating Instructions Manual preview
ZB0929
Бренд: IFM Страницы: 28
IFM AL1350 Operating Instructions Manual preview
AL1350
Бренд: IFM Страницы: 85
Omron KOSMOS Hardware Setup Manual preview
KOSMOS
Бренд: Omron Страницы: 11
Omron PRT1-SCU11 Operation Manual preview
PRT1-SCU11
Бренд: Omron Страницы: 78
Vbox Communications XTi 4134 Full User Manual preview
XTi 4134
Бренд: Vbox Communications Страницы: 88
ZyXEL Communications P-792H Quick Start Manual preview
P-792H
Бренд: ZyXEL Communications Страницы: 10
Winmate EAC Mini EACIL67 User Manual preview
EAC Mini EACIL67
Бренд: Winmate Страницы: 72
Ubiquiti sunMAX SM-SG Quick Start Manual preview
sunMAX SM-SG
Бренд: Ubiquiti Страницы: 24
IQ Home GW-3E70009 Quick Start Manual preview
GW-3E70009
Бренд: IQ Home Страницы: 19
Avaya IG550 Installing And Configuring preview
IG550
Бренд: Avaya Страницы: 196
BAPI GTW900 Installation & Operating Instructions Manual preview
GTW900
Бренд: BAPI Страницы: 9

Бренды по названию

Популярные бренды

Загрузить еще бренды