Prestige 792H 

G.SHDSL 4-port Security Gateway

User's Guide 

Version 3.40(BZ.0) 

March 2004 

Prestige 792H Contents

Page 1: ...Prestige 792H G.SHDSL 4-port Security Gateway User's Guide Version 3.40(BZ.0) March 2004...

Page 2: ...yXEL Communications Corporation. All rights reserved. Disclaimer: ZyXEL does not assume any liability arising out of the application or use of any products or software described herein. Neither does it co...

Page 3: ...ency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. If this equipment does cause harmful interference to radio/televisi...

Page 4: ...mpliance with the above conditions may not prevent degradation of service in some situations. Repairs to certified equipment should be made by an authorized Canadian maintenance facility designated by...

Page 5: ...he purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be...

Page 6: ...l.com 1-800-255-4101 1-714-632-0882 www.us.zyxel.com NORTH AMERICA sales@zyxel.com 1-714-632-0858 ftp.us.zyxel.com ZyXEL Communications Inc. 1130 N. Miller St. Anaheim CA 92806-2001 U.S.A. support@zyxel.d...

Page 7: ...ORWAY sales@zyxel.no +47 22 80 61 81 ZyXEL Communications A/S Nils Hansens vei 13 0667 Oslo Norway support@zyxel.se +46 31 744 7700 www.zyxel.se SWEDEN sales@zyxel.se +46 31 744 7701 ZyXEL Communications...
Page 9: ...5 Chapter 2 Introducing the Web Configurator 2-1 2.1 Web Configurator Overview 2-1 2.2 Accessing the Prestige Web Configurator 2-1 2.3 Navigating the Prestige Web Configurator 2-2 2.4 Configuring Pas...

Page 10: ...onfiguration 3-16 3.14 Wizard Setup Configuration Connection Tests 3-18 3.15 Test Your Internet Connection 3-19 Chapter 4 LAN Setup 4-1 4.1 LAN Overview 4-1 4.1.1 LANs, WANs and the Prestige 4-1 4.2 DNS...

Page 11: ...Setup 7-1 7.1 Dynamic DNS 7-1 7.1.1 DynDNS Wildcard 7-1 7.2 Configuring Dynamic DNS 7-1 Chapter 8 Firewall 8-1 8.1 Firewall Overview 8-1 8.2 Types of Firewalls 8-1 8.2.1 Packet Filtering Firewalls 8...

Page 12: ...10.7 Creating/Editing Firewall Rules 10-11 10.7.1 Source and Destination Addresses 10-13 10.8 Timeout 10-14 10.8.1 Factors Influencing Choices for Timeout Values 10-15 Chapter 11 Customized Services 11...

Page 13: ...gotiation Mode 14-14 14.10.2 Diffie-Hellman (DH) Key Groups 14-14 14.10.3 Perfect Forward Secrecy (PFS) 14-14 14.11 Configuring Advanced IKE Settings 14-15 14.12 Manual Key Setup 14-18 14.12.1 Security Pa...

Page 14: ...Diagnostic DSL Line Screen 17-8 17.5 Firmware Screen 17-9 Chapter 18 Introducing the SMT 18-1 18.1 SMT Introduction 18-1 18.1.1 Procedure for SMT Configuration via Console Port 18-1 18.1.2 Procedure for...

Page 15: ...n 24-10 24.5.2 LLC-based Multiplexing or PPP Encapsulation 24-10 Chapter 25 Static Route Setup 25-1 25.1 Static Route Overview 25-1 Chapter 26 Bridging Setup 26-1 26.1 Bridging Overview 26-1 26.2 Bridge...

Page 16: ...30-5 30.4.1 Viewing Error Log 30-5 30.4.2 Syslog 30-6 30.5 Diagnostic 30-8 Chapter 31 Firmware and Configuration File Maintenance 31-1 31.1 Filename Conventions 31-1 31.2 Backup Configuration 31-2 31.2.1...

Page 17: ...ting the Time 32-5 Chapter 33 IP Policy Routing 33-1 33.1 IP Policy Routing Overview 33-1 33.1.1 IP Policy Routing Benefits 33-1 33.1.2 Routing Policy 33-1 33.2 IP Routing Policy Setup 33-2 33.3 Applying...

Page 18: ...VPN Responder IPSec Log 37-3 Chapter 38 Internal SPTGEN 38-1 38.1 Internal SPTGEN Overview 38-1 38.2 The Configuration Text File Format 38-1 38.2.1 Internal SPTGEN File Modification: Important Points to...

Page 19: ...gure 3-8 Wizard LAN Configuration 3-17 Figure 3-9 Wizard Screen Connection Tests 3-19 Figure 4-1 LAN and WAN IP Addresses 4-1 Figure 4-2 LAN 4-4 Figure 5-1 Example of Traffic Shaping 5-4 Figure 5-2 WA...

Page 20: ...le 11-5 Figure 11-7 Rule Summary Example 11-6 Figure 12-1 Content Filter: Keyword 12-2 Figure 12-2 Content Filter: Schedule 12-3 Figure 12-3 Content Filter: Trusted 12-4 Figure 12-4 Content Filter: Logs 1...

Page 21: ...gure 21-5 Remote Node PPP Options Menu Fields 21-7 Figure 21-6 Remote Node Network Layer Options 21-8 Figure 21-7 Menu 11.5 Remote Node Filter (Ethernet) 21-10 Figure 22-1 TCP/IP Ethernet Setup 22-1 Fig...

Page 22: ...re 27-13 NAT Example 2 27-13 Figure 27-14 NAT Example 2: Menu 15.2.1 27-14 Figure 27-15 NAT Example 3 27-15 Figure 27-16 Example 3: Menu 11.3 27-15 Figure 27-17 Example 3: Menu 15.1.1.1 27-16 Figure 27-1...

Page 23: ...8 Figure 31-1 System Maintenance: Backup Configuration 31-3 Figure 31-2 FTP Session Example 31-4 Figure 31-3 System Maintenance: Backup Configuration 31-6 Figure 31-4 System Maintenance: Starting Xmodem...

Page 24: ...e Set Setup 34-2 Figure 34-3 Applying Schedule Set(s) to a Remote Node (PPPoE) 34-4 Figure 35-1 Telnet Configuration on a TCP/IP Network 35-1 Figure 35-2 Remote Management Control 35-2 Figure 36-1 VPN SM...

Page 25: ...3 Services and Port Numbers 6-6 Table 6-4 NAT Mode 6-8 Table 6-5 Edit SUA/NAT Server Set 6-9 Table 6-6 Address Mapping Rules 6-11 Table 6-7 Address Mapping Rule Edit 6-13 Table 7-1 DDNS 7-2 Table 8-1...

Page 26: ...08 ISAKMP Payload Types 14-30 Table 14-16 Telecommuters Sharing One VPN Rule Example 14-31 Table 14-17 Telecommuters Using Unique VPN Rules Example 14-33 Table 15-1 Remote Management 15-3 Table 16-1 C...

Page 27: ...30-2 System Maintenance: Information 30-4 Table 30-3 System Maintenance Menu: Syslog Parameters 30-7 Table 30-4 System Maintenance Menu: Diagnostic 30-9 Table 31-1 Filename Conventions 31-2 Table 31-2 G...

Page 28: ...Prestige 792H User's Guide xxviii List of Tables Table A-5 Troubleshooting the Password A-3 Table A-6 Troubleshooting Telnet A-3 Diagram C-1 Virtual Circuit Topology C-1...

Page 29: ...de contain background information on features not configurable by web configurator. Related Documentation: Supporting Disk. Refer to the included CD for support documents. Quick Start Guide. The Quick Star...

Page 30: ...other words throughout this manual. The Prestige 792H may be referred to as the Prestige in this user's guide. Images of Prestige 792H are used throughout this document unless otherwise specified. The fo...

Page 31: ...the downstream capacity is higher than the upstream capacity. Asymmetrical services (ADSL) are suitable for Internet users because more information is usually downloaded than uploaded. For example, a simp...
Page 33: ...Getting Started. Part I: Getting Started. This part covers Getting to Know Your Prestige, Hardware Installation, Initial Setup, WAN, LAN and Internet Access...

Page 35: ...a Traffic Redirect service that forwards WAN traffic to a backup gateway. The Prestige uses TC-PAM line code with echo cancellation for high data rate transmissions over a single twisted telephone wir...

Page 36: ...d on the IPSec standard and is fully interoperable with other IPSec-based VPN products. Traffic Redirect: Traffic redirect forwards WAN traffic to a backup gateway when the Prestige cannot connect to th...

Page 37: ...ocol, SUA (Single User Account) and NAT (Network Address Translation). PAP and CHAP Security: The Prestige supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). C...

Page 38: ...nloading of firmware and configuration file over the LAN. Packet Filtering: Packet filtering blocks unwanted traffic from entering/leaving your network. Ease of Installation: Your Prestige is designed for...

Page 39: ...Internet Access. Figure 1-1 Internet Access Application. Your Prestige can act as either of the following: A bridge for multi-computer MAC bridging (RFC 1483 bridged Ethernet 802.3). 1.2.2 LAN-to-LAN Appli...
Page 41: ...0 and later or Netscape Navigator 7.0 and later versions with JavaScript enabled. It is recommended that you set your screen resolution to 1024 by 768 pixels. 2.2 Accessing the Prestige Web Configurator...

Page 42: ...gate the web configurator from the Site Map screen. Select a language from the Language drop-down list box. Click Wizard Setup to begin a series of screens to configure your Prestige for the first time...

Page 43: ...P icon located in the top right corner of most screens to view embedded help. 2.4 Configuring Password. It is highly recommended that you change the password for accessing the Prestige. To change your Pr...

Page 44: ...his field. Apply: Click Apply to save your changes back to the Prestige. Cancel: Click Cancel to begin configuring this screen afresh. 2.5 Resetting the Prestige. If you forget your password or cannot acces...

Page 45: ...ip it and save it in a folder. Step 3: Turn off the Prestige, begin a terminal emulation software session and turn on the Prestige again. When you see the message "Press Any key to enter Debug Mode within...
Page 47: ...you. 3.2 WAN Setup. Use the first wizard screen to configure G.SHDSL settings for your WAN line. Different telephone companies deploy different types of G.SHDSL service. If you are unsure of any of this...

Page 48: ...e is a client, select the same Standard Mode that the server side selects. ANSI and ETSI create recommendations and standards for the telecommunications industry. 3.3 Encapsulation. Be sure to use the enc...

Page 49: ...tion over ATM Adaptation Layer 5 (AAL5). The first method allows multiplexing of multiple protocols over a single ATM virtual circuit (LLC-based multiplexing) and the second method assumes that each protoc...

Page 50: ...r (VPI) and Virtual Channel Identifier (VCI) numbers assigned to you. The valid range for the VPI is 0 to 255 and for the VCI is 32 to 65535 (0 to 31 is reserved for local management of ATM traffic). Please s...

Page 51: ...attained, the connection does not succeed. Max Rate / Min Rate: Select transfer rates from the Max Rate and Min Rate drop-down list boxes. For back-to-back applications, make sure that your Prestige and its...

Page 52: ...more information. VPI: Enter the VPI assigned to you. This field may already be configured. VCI: Enter the VCI assigned to you. This field may already be configured. Next: Click this button to go to the next...

Page 53: ...net mask specifies the network number portion of an IP address. Your Prestige will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mas...

Page 54: ...for private networks: 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, 192.168.0.0 to 192.168.255.255. You can obtain your IP address from the IANA, from an ISP, or it can be assigned from a private networ...

Page 55: ...3.10 NAT. NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet (for example, the source address of an outgoing packet) used within one network to a diff...

Page 56: ...ls in this screen. Table 3-3 Internet Connection with PPPoA. LABEL / DESCRIPTION. User Name: Enter the user name exactly as your ISP assigned. If assigned a name in the form user@domain, where domain identifi...

Page 57: ...e Prestige will try to bring up the connection automatically if it is disconnected. The schedule rule(s) in SMT menu 26 has priority over your Connection settings. Network Address Translation: This option...

Page 58: ...LABEL / DESCRIPTION. IP Address: This field is available if you select Routing in the Mode field. Type your ISP-assigned IP address in this field. Network Address Translation: Select None, SUA Only or Full F...

Page 59: ...a different one each time you connect to the Internet. The Single User Account feature can be used with either a dynamic or static IP address. Select Obtain an IP Address Automatically if you have a dy...

Page 60: ...down list box. Refer to the NAT chapter for more details. Back: Click Back to go back to the first wizard screen. Next: Click Next to continue to the next wizard screen. 3.11.4 PPPoE. Select PPPoE from the E...

Page 61: ...dress and type your ISP-assigned IP address in the IP Address text box below. Connection: Select Connect on Demand when you don't want the connection up all the time and specify an idle time-out in seco...

Page 62: ...m 192.168.1.33 to 192.168.1.64 for the client machines. This leaves 31 IP addresses (192.168.1.2 to 192.168.1.32, excluding the Prestige itself, which has a default IP of 192.168.1.1) for other server mach...

Page 63: ...ing table describes the labels in this screen. Table 3-7 Wizard LAN Configuration. LABEL / DESCRIPTION. LAN IP Address: Enter the IP address of your Prestige in dotted decimal notation, for example 192.168.1...

Page 64: ...pool. Size of Client IP Pool: This field specifies the size, or count, of the IP address pool. Primary DNS Server: Enter the IP addresses of the DNS servers. The DNS servers are passed to the DHCP clients a...

Page 65: ...browser and navigate to www.zyxel.com. Internet access is just the beginning. Refer to the rest of this User's Guide for more detailed information on the complete range of Prestige features. If you canno...
Page 67: ...help you configure a LAN DHCP server and manage IP addresses. 4.1.1 LANs, WANs and the Prestige. The actual physical connection determines whether the Prestige ports are LAN or WAN ports. There are two s...

Page 68: ...e real DNS server learned through IPCP and relays the response back to the computer. Please note that DNS proxy works only when the ISP uses the IPCP DNS server extensions. It does not mean you can leav...

Page 69: ...ll send out RIP packets but will not accept any RIP packets received. 4. None: the Prestige will not send any RIP packets and will ignore any RIP packets received. The Version field controls the format an...

Page 70: ...e 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group. The Prestige supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start...

Page 71: ...s pool. Size of Client IP Pool: This field specifies the size, or count, of the IP address pool. Primary DNS Server: Enter the IP addresses of the DNS servers. The DNS servers are passed to the DHCP clients...

Page 72: ...Prestige 792H User's Guide 4-6 LAN Setup. Table 4-1 LAN. LABEL / DESCRIPTION. Apply: Click this button to save these settings back to the Prestige. Cancel: Click this button to reset the fields in this screen...

Page 73: ...than 15 means the link is down. The smaller the number, the lower the cost. The metric sets the priority for the Prestige's routes to the Internet. If any two of the default routes have the same metric, t...

Page 74: ...s and authentication method that works with existing access control systems (for example, RADIUS). PPPoE provides a login and authentication method that the existing Microsoft Dial-Up Networking software...

Page 75: ...gives a maximum PCR of 1962 cells/sec. This rate is not guaranteed because it is dependent on the line speed. Sustained Cell Rate (SCR) is the mean cell rate of each bursty traffic source. It specifies th...

Page 76: ...792H User's Guide 5-4 WAN Setup. Figure 5-1 Example of Traffic Shaping. 5.5 Configuring WAN Setup. To change your Prestige's WAN remote node settings, click WAN, WAN Setup. The screen differs by the encaps...

Page 77: ...Prestige 792H User's Guide WAN Setup 5-5. Figure 5-2 WAN Setup. The following table describes the labels in this screen...

Page 78: ...t. Refer to the appendix for more information. VPI: The valid range for the VPI is 0 to 255. Enter the VPI assigned to you. VCI: The valid range for the VCI is 32 to 65535 (0 to 31 is reserved for local mana...

Page 79: ...re can be used with either a dynamic or static IP address. Select Obtain an IP Address Automatically if you have a dynamic IP address; otherwise select Static IP Address and type your ISP-assigned IP ad...

Page 80: ...ENCAP encapsulation only. You must specify a gateway IP address (supplied by your ISP) when you select ENET ENCAP in the Encapsulation field. Back: Click Back to return to the previous screen. Apply: Click...

Page 81: ...bnet 2. Configure filters that allow packets from the protected LAN (Subnet 1) to the backup gateway (Subnet 2). Figure 5-4 Traffic Redirect LAN Setup. 5.7 Configuring WAN Backup. The WAN Backup port (or CON/A...

Page 82: ...92H User's Guide 5-10 WAN Setup. To change your Prestige's WAN backup settings, click WAN, then WAN Backup. The screen appears as shown. Figure 5-5 WAN Backup. The following table describes the fields in th...

Page 83: ...ion (usually a WAN backup connection), it periodically checks whether or not it can use a higher-priority connection. Type the number of seconds (30 recommended) for the Prestige to wait between checks. A...

Page 84: ...external device. Available speeds are 9600, 19200, 38400, 57600, 115200 or 230400 bps. User Name: Type the login name assigned by your ISP. Password: Type the password assigned by your ISP. Pri Phone: Type the...

Page 85: ...entication, make sure that you specify the correct authentication protocol when connecting to such an implementation. 5.9 Configuring Advanced WAN Backup. To edit your Prestige's advanced WAN backup sett...

Page 86: ...Prestige 792H User's Guide 5-14 WAN Setup. Figure 5-6 Advanced WAN Backup...

Page 87: ...ire dialing the pound sign (#) before the phone number for local calls. Include a # symbol at the beginning of the phone numbers as required. Dial Backup Port Speed: Use the drop-down list box to select the sp...

Page 88: ...2 format, the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines, since they generally do not listen to the RIP...

Page 89: ...onnection settings. Allocate Budget: Type the amount of time (in minutes) that the dial backup connection can be used during the time configured in the Period field. Set an amount that is less than the tim...

Page 90: ...ang up in addition to issuing the drop command ATH. 5.12 Response Strings. The response strings tell the Prestige the tags, or labels, immediately preceding the various call parameters sent from the WAN d...

Page 91: ...ble 5-4 Advanced Modem Setup. LABEL / DESCRIPTION. AT Command Strings. Dial: Type the AT Command string to make a call. Example: atdt. Drop: Type the AT Command string to drop a call ... represents a one-second wai...

Page 92: ...oing call before timing out (stopping). Example: 60. Retry Count: Type the number of times for the Prestige to retry a busy or no-answer phone number before blacklisting the number. Example: 0. Retry Interval: Ty...

Page 93: ...NAT and Dynamic DNS. Part II: NAT and Dynamic DNS. This part covers NAT (Network Address Translation) and dynamic DNS (Domain Name Server)...
Page 95: ...side/outside refers to the location of a host, while global/local refers to the IP address of a host used in a packet. Thus an inside local address (ILA) is the IP address of an inside host in a packet wh...

Page 96: ...nside Local Address) is the source address on the LAN and the IGA (Inside Global Address) is the source address on the WAN. For incoming packets, the ILA is the destination address on the LAN and the IGA i...

Page 97: ...multiple local IP addresses to one global IP address. This is equivalent to SUA (for instance, PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported (the...

Page 98: ...ILA3 -> IGA1, ILA4 -> IGA2 (M-M Ov). Many-to-Many No Overload: ILA1 -> IGA1, ILA2 -> IGA2, ILA3 -> IGA3 (M-M No OV). Server: Server 1 IP -> IGA1, Server 2 IP -> IGA1, Server 3 IP -> IGA1 (Server). 6.2 SUA (Single User Account) Versus NAT. SUA...

Page 99: ...ddress in Server Set 1 (default server), the Prestige discards all packets received for ports that are not specified here or in the remote management setup. 6.3.1 Port Forwarding: Services and Port Numbers...

Page 100: ...Transfer Protocol) 25; DNS (Domain Name System) 53; Finger 79; HTTP (Hyper Text Transfer protocol or WWW, Web) 80; POP3 (Post Office Protocol) 110; NNTP (Network News Transport Protocol) 119; SNMP (Simple Network Mana...

Page 101: ...H User's Guide NAT 6-7. Figure 6-3 Multiple Servers Behind NAT Example. 6.4 Selecting the NAT Mode. Click NAT to open the following screen. Figure 6-4 NAT Mode. The following table describes the labels in...

Page 102: ...Edit SUA/NAT Server Set screen. Full Feature: Select this radio button if you have multiple public WAN IP addresses for your Prestige. Edit Details: Click this link to go to the NAT Address Mapping Rules...

Page 103: ...els in this screen. Table 6-5 Edit SUA/NAT Server Set. LABEL / DESCRIPTION. Start Port No.: Enter a port number in this field. To forward only one port, enter the port number again in the End Port No. field. To...

Page 104: ...ess Mapping. Ordering your rules is important because the Prestige applies the rules in the order that you specify. When a rule matches the current packet, the Prestige takes the corresponding action and...

Page 105: ...Address (ILA). If your rule is for all local IP addresses, then enter 0.0.0.0 as the Local Start IP address and 255.255.255.255 as the Local End IP address. This field is N/A for One-to-one and Server mapp...

Page 106: ...us ZyXEL routers supported only. M-M Ov (Overload): Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses. MM No (No Overload): Many-to-Many No Overload mode maps each loca...

Page 107: ...the outside world. Local Start IP: This is the starting local IP address (ILA). Local IP addresses are N/A for Server port mapping. Local End IP: This is the end local IP address (ILA). If your rule is for all...
Page 109: ...relatives will always be able to call you even if they don't know your IP address. First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic...

Page 110: ...the name of your Dynamic DNS service provider. Host Name: Type the domain name assigned to your Prestige by your Dynamic DNS provider. E-mail Address: Type your e-mail address. User: Type your user name. Pas...

Page 111: ...r III. Part III: Firewall and Content Filter. This part introduces firewalls in general and the Prestige firewall. It also explains customized services and logs, and gives example firewall rules and an ove...
Page 113: ...to guard effectively, you must design and deploy it appropriately. This requires integrating the firewall into a broad information security policy. In addition, specific policies must be implemented with...

Page 114: ...hat some proxies support. See section 8.5 for more information on Stateful Inspection. Firewalls of one type or another have become an integral part of standard security solutions for enterprises. 8.3 In...

Page 115: ...that perform specific functions. An extension number, called the TCP port or UDP port, identifies these protocols, such as HTTP (Web), FTP (File Transfer Protocol), POP3 (E-mail), etc. For example, Web traffic by d...

Page 116: ...ze packet is then sent to an unsuspecting system. Systems may crash, hang or reboot. 1-b Teardrop attack exploits weaknesses in the re-assembly of IP packet fragments. As data is transmitted through a net...

Page 117: ...ck floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queu...

Page 118: ...the network, the router will broadcast the ICMP echo request packet to all hosts on the network. If there are numerous hosts, this will create a large amount of ICMP echo request and response traffic. If...

Page 119: ...king a router or firewall into thinking that the communications are coming from within the trusted network. To engage in IP spoofing, a hacker must modify the packet headers so that it appears that the...

Page 120: ...the LAN network through the firewall's WAN interface. The TCP packet is the first in a session, and the packet's application layer protocol is configured for a firewall rule inspection. 1. The packet tra...

Page 121: ...nection are inspected to update the state table entry and to modify the temporary inbound access list entries as required, and are forwarded through the interface. 9. When the connection terminates or ti...

Page 122: ...subsequent packet from the Internet or from the LAN, its connection information is extracted and checked against the cache. A packet is only allowed to pass through if it corresponds to a valid connecti...

Page 123: ...case-by-case basis. You can use the web configurator's Custom Ports feature to do this. 8.6 Guidelines for Enhancing Security with Your Firewall. 1. Change the default password via SMT or web configurator...

Page 124: ...e to submit information. Secure web transactions are quite difficult to crack. 6. Never reveal your IP address or other system networking information to people outside your company. Be careful of files e...

Page 125: ...cket contents as well as their source and destination addresses. Firewalls of this type employ an inspection module, applicable to all protocols, that understands data in the packet is intended for other...

Page 126: ...raffic originating from an inside host or an outside host by IP address. The firewall performs better than filtering if you need to check many rules. Use the firewall if you need routine e-mail reports...

Page 127: ...nagement (see the Remote Management chapter) and the firewall is enabled. The firewall blocks remote management from the WAN unless you configure a firewall rule to allow it. The firewall allows remote ma...

Page 128: ...s and which logs and/or immediate alerts the Prestige is to send. An "End of Log" message displays for each mail in which a complete log has been sent. Figure 9-2 E-mail. The following table describes the...

Page 129: ...When Log is Full: an alert is sent when the log fills up. If you select None, no log messages are sent. Day for Sending Alerts: Use the drop-down list box to select which day of the week to send the logs. T...

Page 130: ...lues should be reduced. You should make any changes to the threshold values before you continue configuring firewall rules. 9.4.3 Half-Open Sessions. An unusually high number of half-open sessions (either...

Page 131: ...ing half-open sessions according to one of the following methods: 1. If the Blocking Time timeout is 0 (the default), then the Prestige deletes the oldest existing half-open session for the host for every...

Page 132: ...ack detected: Select this check box to generate an alert whenever an attack is detected. Denial of Services Thresholds. One Minute Low: This is the rate of new half-open sessions that causes the firewall...

Page 133: ...uests. The Prestige stops deleting half-open sessions when the number is less than the Max Incomplete Low. Do not set Maximum Incomplete High lower than the current Max Incomplete Low number. TCP Maxi...
Page 135: ...example, you may create rules to: Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the Internet. Allow certain types of traffic, such as Lotus Notes database synchronization...

Page 136: ...e? 2. Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective? 3. Does a rule that allows Internet us...

Page 137: ...of IPs or a subnet. 10.3 Connection Direction. This section talks about configuring firewall rules for connections going from LAN to WAN and WAN to LAN in your firewall. 10.3.1 LAN-to-WAN Rules. The defau...

Page 138: ...led record that you create for packets that either match a rule, don't match a rule, or both when you are creating/editing a firewall rule (see Figure 10-5). You can also choose not to create a log for a r...

Page 139: ...ewall log. 128 entries are available, numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost. Time: This is the time the log was recorded, in this format. You m...

Page 140: ...ort and protocol. This is a log for a DoS attack: attack land, ip spoofing, icmp echo, icmp vulnerability, NetBIOS, smtp illegal command, traceroute, teardrop or syn flood. Chapter 8 has more detailed discussio...

Page 141: ...ng up the following screen. This screen is a summary of the existing rules. Note the order in which the rules are listed. The ordering of your rules is very important, as rules are applied in turn. Figure...

Page 142: ...dress is equivalent to Any. Service: This is the service to which the rule applies. See Table 10-3 for more information. Action: This is the specified action for that rule, whether to Block (discard) or Forwa...

Page 143: ...web names (e.g. www.zyxel.com) to IP numbers. FINGER TCP 79: Finger is a UNIX or Internet-related command that can be used to find out if a user is logged on. FTP TCP 20, 21: File Transfer Program, a program t...

Page 144: ...ntrol channel. PPTP_TUNNEL GRE 0: Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the data channel. RCMD TCP 512: Remote Command Service. REAL_AUDIO TCP 7070...

Page 145: ...P 49: Login Host Protocol used for Terminal Access Controller Access Control System. TELNET TCP 23: Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It...

Page 146: ...0-5 Creating/Editing A Firewall Rule. The following table describes the labels in this screen. Table 10-4 Creating/Editing A Firewall Rule. LABEL / DESCRIPTION. Source Address: Click SrcAdd to add a new addr...

Page 147: ...ist box to select whether to Block (silently discard) or Forward (allow the passage of) packets that match this rule. Log: This field determines if a log is created for packets that match the rule (Match), don...

Page 148: ...a subnet or any IP address. Select an option from the drop-down list box that includes: Single Address, Range Address, Subnet Address and Any Address. Start IP Address: Type the single IP address or the sta...

Page 149: ...lt 30) for the Prestige to wait for a TCP session to reach the established state before dropping the session. FIN-Wait Timeout: Type the number of seconds (default 60) for a TCP session to remain open afte...

Page 150: ...ating Custom Rules. Table 10-6 Timeout. LABEL / DESCRIPTION. Back: Click Back to return to the previous screen. Apply: Click Apply to save your customized settings and exit this screen. Cancel: Click Cancel to...

Page 151: ...mbers not predefined by the Prestige (see Figure 10-5). For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) website. For further information on these se...

Page 152: ...your customized service. Protocol: This shows the IP protocol (TCP, UDP or Both) that defines your customized service. Port: This is the port number or range that defines your customized service. Back: Click B...

Page 153: ...of port numbers that define your customized service. Back: Click Back to return to the Firewall Customized Services screen. Apply: Click Apply to save your customized settings and exit this screen. Cancel:...

Page 154: ...tep 5: Click Edit Available Service in the Edit rule screen and then click a rule number to bring up the Firewall Customized Services Config screen. Configure as follows. Figure 11-5 Customized Service f...

Page 155: ...ed earlier in this chapter to configure all your rules. Configure the rule configuration screen like the one below and apply it. Figure 11-6 Syslog Rule Configuration Example. This is your MyService cust...

Page 156: ...wall rules, the Rule Summary screen should look like the following. Don't forget to click Apply when you have finished configuring your rule(s) to save your settings back to the Prestige. Figure 11-7 Rule...

Page 157: ...schedule for when the Prestige performs content filtering. You can also specify trusted IP addresses on the LAN for which the Prestige will not perform content filtering. 12.2 Configuring Keyword Block...

Page 158: ...check box to enable this feature. Block Websites that contain these keywords in the URL: This box contains the list of all the keywords that you have configured the Prestige to block. Delete: Highlight a...

Page 159: ...get a message telling you that the content filter is blocking this request. Back: Click Back to return to the previous screen. Apply: Click Apply to save your changes back to the Prestige. Cancel: Click Can...

Page 160: ...previous screen. Apply: Click Apply to save your changes. Cancel: Click Cancel to return to the previously saved settings. 12.4 Configuring Trusted Computers. To exclude a range of users on the LAN from con...

Page 161: ...you want to exclude an individual computer. Back: Click Back to return to the previous screen. Apply: Click Apply to save your changes back to the Prestige. Cancel: Click Cancel to return to the previously...

Page 162: ...e web site. Reason: This field shows what type of configuration in content filtering caused the event. For example: BLOCK_EXCEPT_TRUSTED_DOMAINS, BLOCK_UNTRUST_DOMAIN, BLOCK_KEYWORD, BLOCK_ACTIVEX, BLOCK_JAVA...

Page 163: ...VPN/IPSec. Part IV: VPN/IPSec. This part provides information about configuring VPN/IPSec for secure communications...
Page 165: ...for secure data communications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authentic...

Page 166: ...estige supports the following VPN applications Linking Two or More Private Networks Together Connect branch offices and business partners over the Internet with significant cost savings and improved p...

Page 167: ...Prestige 792H User's Guide Introduction to IPSec 13 3 Figure 13 2 VPN Application 13 2 IPSec Architecture The overall IPSec architecture is shown as follows...

Page 168: ...including implementation algorithms The Encryption Algorithm describes the use of encryption techniques such as DES Data Encryption Standard and Triple DES algorithms The Authentication Algorithms HMA...

Page 169: ...transmit it securely A Tunnel mode is required for gateway services to provide access to internal systems Tunnel mode is fundamentally an IP tunnel with authentication and encryption This is the most...

Page 170: ...teway and its destination address is the inbound address of the VPN device at the receiving end When using ESP protocol with authentication the packet contents in this case the entire original packet...

Page 171: ...y authentication sequence integrity replay resistance and non repudiation but not for confidentiality for which the ESP was designed In applications where confidentiality is not required or not sancti...

Page 172: ...ige has to rebuild the VPN tunnel if the My IP Address changes after setup 14 4 Secure Gateway Address Secure Gateway Address is the WAN IP address or domain name of the remote IPSec router secure gat...

Page 173: ...Screen The following figure helps explain the main fields in the web configurator Figure 14 1 IPSec Summary Fields Local and remote IP addresses must be static Click VPN and Setup to open the VPN Summ...

Page 174: ...es Name This field displays the identification name for this VPN policy Active This field displays whether the VPN policy is active or not A Y signifies that this VPN policy is active Local Address Th...

Page 175: ...nels connected to it and they all have keep alive enabled then no other tunnels can take a turn connecting to the Prestige because the Prestige never drops the tunnels that are already connected Check...

Page 176: ...ge E mail Type an e mail address up to 31 characters by which to identify this Prestige The domain name or e mail address that you use in the Content field is used for identification purposes only and...

Page 177: ...il An ID mismatched message displays in the IPSEC LOG Table 14 6 Mismatching ID Type and Content Configuration Example PRESTIGE A PRESTIGE B Local ID type IP Local ID type IP Local ID content 1 1 1 10...

Page 178: ...Prestige 792H User's Guide 14 8 VPN Screens Figure 14 3 VPN IKE...

Page 179: ...elect Tunnel mode or Transport mode from the drop down list box DNS Server for IPSec VPN If there is a private DNS server that services the VPN type its IP address here The Prestige assigns this addit...

Page 180: ...s configured to Subnet this is a subnet mask on the LAN behind your Prestige Remote Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses The rem...

Page 181: ...ess of your computer or leave the field blank to have the Prestige automatically use its own IP address When you select DNS in the Local ID Type field type a domain name up to 31 characters by which t...

Page 182: ...ey Mode field must be set to IKE Security Protocol VPN Protocol Select ESP if you want to use ESP Encapsulation Security Payload The ESP protocol RFC 2406 provides encryption as well as some of the se...

Page 183: ...anagement Back Click Back to return to the previous screen Apply Click Apply to save your changes back to the Prestige Cancel Click Cancel to begin configuring this screen afresh Delete Click Delete t...

Page 184: ...connection through IKE negotiations Main Mode ensures the highest level of security when the communicating parties are negotiating authentication phase 1 It uses 6 messages in three round trips SA neg...

Page 185: ...ta that does not require such security so PFS is disabled None by default in the Prestige Disabling PFS means new authentication and encryption keys are derived from the same root secret which may hav...

Page 186: ...from 0 to 65535 Some of the most common IP ports are 21 FTP 53 DNS 23 Telnet 80 HTTP 25 SMTP 110 POP3 End Enter a port number in this field to define a port range This port number must be greater tha...

Page 187: ...e or to generate and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is more secure t...

Page 188: ...t MD5 for minimal security and SHA 1 for maximum security SA Life Time Seconds Define the length of time before an IKE SA automatically renegotiates in this field It may range from 60 to 3 000 000 sec...

Page 189: ...uniquely identify a particular Security Association SA The SPI is transmitted from the remote VPN gateway to the local VPN gateway The local VPN gateway then uses the network encryption and key value...

Page 190: ...Prestige 792H User's Guide 14 20 VPN Screens Figure 14 6 VPN Manual Key The following table describes the labels in this screen...

Page 191: ...S server allows clients on the VPN to find other computers and servers on the VPN by their private domain names Local Local IP addresses must be static and correspond to the remote IPSec router's conf...

Page 192: ...ter can initiate the VPN Two active SAs can have the same configured local or remote IP address but not both You can configure multiple SAs between the same local and remote IP addresses as long as on...

Page 193: ...can be used to encrypt and decrypt the message or to generate and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a...

Page 194: ...ecurity Association SA is the group of security settings related to a specific VPN tunnel This screen displays active VPN connections Use Refresh to display active VPN connections This screen is read...

Page 195: ...er Name This field displays the identification name for this VPN policy Encapsulation This field displays Tunnel or Transport mode IPSec Algorithm This field displays the security protocols used for a...

Page 196: ...describes the labels in this screen Table 14 11 Global Setting LABEL DESCRIPTION Windows Networking NetBIOS over TCP IP NetBIOS Network Basic Input Output System are TCP or UDP broadcast packets that...

Page 197: ...pen the screen shown next Figure 14 9 VPN Logs The following table describes the labels in this screen Table 14 12 VPN Logs LABEL DESCRIPTION Back Click Back to return to the previous screen Previous...

Page 198: ...to RFC2408 ISAKMP to transmit data Each ISAKMP packet contains payloads of different types that show in the log see Table 14 15 Phase 1 IKE SA process done Phase 1 negotiation is finished Start Phase...

Page 199: ...s The IKE key exchange process fails if this limit is exceeded IKE Packet Retransmit The Prestige did not receive a response from the peer and so retransmits the last packet sent Failed to send IKE Pa...

Page 200: ...e out disconnect If an SA has no packets transmitted for a period of time configurable via CI command the Prestige drops the connection The following table shows RFC 2408 ISAKMP payload types that the...

Page 201: ...C in the figure to use one VPN rule to simultaneously access a Prestige at headquarters HQ in the figure The telecommuters do not have domain names mapped to the WAN IP addresses of their IPSec router...

Page 202: ...Telecommuters can each use a separate VPN rule to simultaneously access a Prestige at headquarters They can use different IPSec parameters The local IP addresses or ranges of addresses of the rules co...

Page 203: ...mutera dydns org Peer ID Type IP Local ID Type IP Peer ID Content 192 168 2 12 Local ID Content 192 168 2 12 Secure Gateway Address telecommuter1 com Local IP Address 192 168 2 12 Remote Address 192 1...

Page 204: ...792H User's Guide 14 34 VPN Screens 14 18VPN and Remote Management If a VPN tunnel uses Telnet FTP WWW SNMP DNS or ICMP then you should configure remote management REMOTE MGNT to allow access for that...

Page 205: ...Remote Management and UPnP V Part V Remote Management and UPnP This part contains Remote Management and UPnP...

Page 207: ...er in SMT menu 3 1 LAN or in menu 11 5 WAN is applied to block a Telnet FTP or Web service 2 You have disabled that service in one of the remote management screens 3 The IP address in the Secured Clie...

Page 208: ...do nothing in this timeout period except when it is continuously updating the status in menu 24 1 or when sys stdio has been changed on the command line 15 2 Telnet You can configure your Prestige fo...

Page 209: ...ect the access interface Choices are All LAN Only WAN Only and Disable Port This field shows the port number for the remote management service You may change the port number for a service in this fiel...

Page 211: ...UPnP device will allow you to access the information and properties of that device 16 1 2 NAT Traversal UPnP NAT Traversal automates the process of allowing an application to operate through NAT UP...

Page 212: ...llowed on the LAN See later sections for examples of installing UPnP in Windows XP and Windows Me as well as an example of using UPnP in Windows 16 2 Accessing the Prestige Web Configurator to Configu...

Page 213: ...tige so that they can communicate through the Prestige for example by using NAT Traversal UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enab...

Page 214: ...k Add Remove Programs Step 2 Click on the Windows Setup tab and select Communication in the Components selection box Click Details Step 3 In the Communications window select the Universal Plug and Pla...

Page 215: ...nections window click Advanced in the main menu and select Optional Networking Components The Windows Optional Networking Components Wizard window displays Step 4 Select Networking Service in the Comp...

Page 216: ...stalled in Windows XP and UPnP activated on the Prestige Make sure the computer is connected to a LAN port of the Prestige Turn on your computer and the Prestige Auto discover Your UPnP enabled Networ...

Page 217: ...automatically created Step 4 You may edit or delete the port mappings or click Add to manually add port mappings When the UPnP enabled device is disconnected from your computer all port mappings will...

Page 218: ...u can access the web based configurator on the Prestige without finding out the IP address of the Prestige first This is helpful if you do not know the IP address of the Prestige Follow the steps b...

Page 219: ...led device displays under Local Network Step 5 Right click on the icon for your Prestige and select Invoke The web configurator login screen displays Step 6 Right click on the icon for your Prestige a...

Page 221: ...Maintenance VI Part VI Maintenance This part covers the maintenance screens...

Page 223: ...c statistics 17 1 Maintenance Overview Use the maintenance screens to view system information upload new firmware manage configuration and restart your Prestige 17 2 System Status Screen Click System...

Page 224: ...Prestige 792H User's Guide 17 2 Maintenance Figure 17 1 System Status The following table describes the labels in this screen...

Page 225: ...Default Gateway This is the IP address of the default gateway if applicable VPI VCI This is the Virtual Path Identifier and Virtual Channel Identifier that you entered in the first Wizard screen LAN I...

Page 226: ...ere includes port status and packet specific statistics Also provided are system up time and poll interval(s) The Poll Interval(s) field is configurable Figure 17 2 System Status Show Statistics The fol...

Page 227: ...his shows the port speed and duplex setting TxPkts This field displays the number of packets transmitted on this port RxPkts This field displays the number of packets received on this port Errors This...

Page 228: ...shows current DHCP client information including IP Address Host Name and MAC Address of all network clients using the DHCP server Figure 17 3 DHCP Table The following table describes the labels in thi...

Page 229: ...e Maintenance 17 7 Figure 17 4 Diagnostic 17 4 1 Diagnostic General Screen Click Diagnostic and then General to open the screen shown next Figure 17 5 Diagnostic General The following table describes...

Page 230: ...that you entered Reset System Click this button to reboot the Prestige A warning dialog box is then displayed asking you if you're sure you want to reboot the system Click OK to proceed Back Click th...

Page 231: ...www zyxel com in a file that usually uses the system model name with a bin extension e g Prestige bin The upload process uses HTTP Hypertext Transfer Protocol and may take up to two minutes After a su...

Page 232: ...an upload them Upload Click Upload to begin the upload process This process may take up to two minutes Reset Click this button to clear all user entered configuration information and return the Presti...

Page 233: ...ork Temporarily Disconnected After two minutes log in again and check your new firmware version in the System Status screen If the upload was not successful the following screen will appear Click Back...

Page 235: ...overs System Management Terminal configuration for general setup LAN setup wireless LAN setup Internet access remote nodes remote node TCP IP static routing and NAT See the web configurator parts of t...

Page 237: ...ER to display the SMT password screen The default password is 1234 18 1 2 Procedure for SMT Configuration via Telnet The following procedure details how to telnet into your Prestige Step 1 In Windows...

Page 238: ...re is no activity for longer than five minutes after you log in your Prestige will automatically log you out Figure 18 1 Login Screen 18 1 4 Prestige SMT Menu Overview The following figure gives you a...

Page 239: ...Mode Menu 24 3 1 System Maintenance View Error Log Menu 24 3 2 System Maintenance UNIX Syslog Menu 24 2 1 System Maintenance Information Menu 24 2 System Information and Console port Speed Menu 24 10...

Page 240: ...e next field You can also use the UP DOWN arrow keys to move to the previous and the next field respectively Entering information Type in or press SPACE BAR then press ENTER You need to fill in two ty...

Page 241: ...estige 15 NAT Setup Use this menu to specify inside servers when NAT is enabled 21 Filter and Firewall Setup Configure filters activate deactivate the firewall and view the firewall log 22 SNMP Config...

Page 242: ...ay Menu 23 System Security Step 2 Enter 1 to display Menu 23 1 System Security Change Password as shown next Step 3 Type your existing system password in the Old Password field for example 1234 and pr...

Page 243: ...00 click Start Settings Control Panel and then double click System Click the Network Identification tab and then the Properties button Note the entry for the Computer name field and enter it as the Pr...

Page 244: ...blank the ISP may assign a domain name via DHCP You can go to menu 24 8 and type sys domainname to see the current domain name used by your gateway If you want to clear this field just press the SPACE...

Page 245: ...PACE BAR to select Yes and then press ENTER to make dynamic DNS active Yes Host Enter the domain name assigned to your Prestige by your Dynamic DNS provider me dyndns org EMAIL Enter your e mail addre...

Page 247: ...pes of G SHDSL service If you are unsure of any of this information please check with your telephone company 20 2 WAN Setup Screen From the main menu enter 2 to open menu 2 Figure 20 1 WAN Setup Menu...

Page 248: ...er Max Rate 2312 Kbps Press SPACE BAR to select a Transfer Max Rate greater than or equal to the Transfer Min Rate and press ENTER to continue Transfer Min Rate 2312 Kbps Press SPACE BAR to select a T...

Page 249: ...uide for the Hardware Installation chapter then configure 1 Menu 2 WAN Setup 2 Menu 2 1 Advanced WAN Setup and 3 Menu 11 1 Remote Node Profile Backup ISP as shown next 21 1 1 Configuring Dial Backup i...

Page 250: ...device connected to your Dial Backup port for specific AT commands at fs0 0 Edit Advanced Setup To edit the advanced setup for the Dial Backup port move the cursor to this field press the SPACE BAR to...

Page 251: ...erminal Ready signal is dropped after the AT Command String Drop is sent out Yes AT Response String CLID Calling Line Identification Enter the keyword that precedes the CLID Calling Line Identificatio...

Page 252: ...no answer phone number before blacklisting the number 0 to disable the blacklist control Retry Interval sec Enter a number of seconds for the Prestige to wait before trying another call after a call...

Page 253: ...y Password Enter the password assigned by your ISP for this remote node Authen This field sets the authentication protocol used for outgoing calls Options for this field are CHAP PAP Your Prestige wil...

Page 254: ...2 2 for more information No default Telco Option Allocated Budget Enter the maximum number of minutes that this remote node may be called within the time period configured in the Period field The def...

Page 255: ...shown next Figure 21 4 Menu 11 2 Remote Node PPP Options This table describes the Remote Node PPP Options menu and contains instructions on how to configure the PPP options fields Figure 21 5 Remote...

Page 256: ...ask here if you know it static 0 0 0 0 default My WAN Addr Leave the field set to 0 0 0 0 to have the ISP or other remote router dynamically automatically assign your WAN IP address if you do not know...

Page 257: ...version 1 IGMP v1 and version 2 IGMP v2 Press the SPACE BAR to enable IP Multicasting or select None to disable it See the LAN Setup chapter for more information on this feature None default Once you...

Page 258: ...Dial Backup Figure 21 7 Menu 11 5 Remote Node Filter Ethernet Menu 11 5 Remote Node Filter Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Enter h...

Page 259: ...open Menu 3 1 LAN Port Filter Setup Use this menu to specify filter set(s) that you want to apply to Ethernet traffic You seldom need to filter Ethernet traffic however the filter sets may be useful fo...

Page 260: ...nu 3 2 1 IP Alias Setup as shown next Menu 3 2 TCP IP and DHCP Setup DHCP Setup DHCP Server Client IP Pool Starting Address 192 168 1 33 Size of Client IP Pool 32 Primary DNS Server 0 0 0 0 Secondary...

Page 261: ...BAR to select the RIP direction Choices are None Both In Only or Out Only None Version Press SPACE BAR to select the RIP version Choices are RIP 1 RIP 2B or RIP 2M RIP 1 Incoming Protocol Filters Ent...

Page 262: ...t Person's Name Domain Name Edit Dynamic DNS No Route IP Yes Bridge No Press ENTER to Confirm or ESC to Cancel Menu 3 2 TCP IP and DHCP Ethernet Setup DHCP Setup DHCP Server Client IP Pool Starting Ad...

Page 263: ...ddress pool 192 168 1 33 Size of Client IP Pool This field specifies the size or count of the IP address pool 32 Primary DNS Server Secondary DNS Server Enter the IP addresses of the DNS servers The D...

Page 264: ...Multicasting or select None to disable it None default IP Policies Create policies using SMT menu 25 see the IP Policy Routing chapter and apply them on the Prestige LAN interface here You can apply...

Page 265: ...mation in one screen Menu 4 is actually a simplified setup for one of the remote nodes that you can access in Menu 11 From the main menu type 4 to display Menu 4 Internet Access Setup as shown next Fi...

Page 266: ...mail Select VBR Variable Bit Rate for bursty traffic and bandwidth sharing with other applications UBR Peak Cell Rate PCR This is the maximum rate at which the sender can send cells Type the PCR 0 Su...

Page 267: ...PACE BAR to select None SUA Only or Full Feature Please see the NAT Chapter for more details on the SUA Single User Account feature SUA Only Address Mapping Set Type the numbers of mapping sets 1 8 to...

Page 269: ...Advanced Applications VIII Part VIII Advanced Applications This part shows how to configure Remote Nodes Static Routes Bridging and NAT...

Page 271: ...ou use Menu 4 to set up Internet access you are configuring one of the remote nodes You first choose a remote node in Menu 11 Remote Node Setup You can then edit that node's profile in menu 11 1 as we...

Page 272: ...cation Scenario 1 One VC Multiple Protocols PPPoA RFC 2364 encapsulation with VC based multiplexing is the best combination because no extra protocol identifying headers are needed The PPP protocol al...

Page 273: ...P Multiplexing Press SPACE BAR and then ENTER to select the method of multiplexing that your ISP uses either VC based or LLC based LLC based Service Name When using PPPoE encapsulation type the name o...

Page 274: ...te This field determines the protocol used in routing Options are IP and None IP Bridge When bridging is enabled your Prestige will forward any packet that it does not route to this remote node otherw...

Page 275: ...See the Remote Node Filter section for more details No default Idle Timeout sec Type the number of seconds 0 9999 that can elapse when the Prestige is idle there is no traffic going to the remote nod...

Page 276: ...Rem Subnet Mask Type the subnet mask assigned to the remote node My WAN Addr Some implementations especially UNIX derivatives require separate IP network numbers for the WAN and LAN links and each en...

Page 277: ...ber need not be precise but it must be between 1 and 15 In practice 2 or 3 is usually a good number 2 Private This determines if the Prestige will include the route to this remote node in its RIP broa...

Page 278: ...1 then press SPACE BAR to select Yes Press ENTER to display Menu 11 5 Remote Node Filter Use Menu 11 5 Remote Node Filter to specify the filter set(s) to apply to the incoming and outgoing traffic bet...

Page 279: ...open Menu 11 6 Remote Node ATM Layer Options There are two versions of Menu 11 6 for the Prestige depending on whether you chose VC based or LLC based multiplexing and PPP either PPPoA or PPPoE encap...

Page 280: ...header Figure 24 8 Menu 11 6 for LLC based Multiplexing or PPP Encapsulation Menu 11 6 Remote Node ATM Layer Options VPI VCI VC Multiplexing VC Options for IP VC Options for Bridge VPI 0 VPI N A VCI...

Page 281: ...ode Configuration 24 11 In this case only one set of VPI and VCI numbers need be specified for all protocols The valid range for the VPI is 0 to 255 and for the VCI is 32 to 65535 1 to 31 is reserved...

Page 283: ...connected to a remote node Each remote node specifies only the network to which the gateway is directly connected and the Prestige has no knowledge of the networks beyond For instance the Prestige kn...

Page 284: ...P Static Route Setup as shown next Figure 25 3 IP Static Route Setup Now type the index number of one of the static routes you want to configure Menu 12 Static Route Setup 1 IP Static Route 3 Bridge S...

Page 285: ...the LAN the gateway must be a router on the same segment as your Prestige over WAN the gateway must be the IP address of one of the remote nodes Metric Metric represents the cost of transmission for r...

Page 287: ...on bridging unless you need to support protocols other than IP on your network For IP enable the routing if you need it do not bridge what the Prestige can route 26 2 Bridge Ethernet Setup Basically a...

Page 288: ...up When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the previous screen 26 2 2 Brid...

Page 289: ...dicates whether the static route is active Yes or not No Ether Address Type the MAC address of the destination computer that you want to bridge the packets to IP Address If available type the IP addre...

Page 290: ...e 26 4 Bridging Setup FIELD DESCRIPTION When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go bac...

Page 291: ...rts Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types 1 Choose SUA Only if you have just one public WAN IP address for...

Page 292: ...in menu 11 1 Step 1 Enter 11 from the main menu and choose a node number Step 2 Move the cursor to the Edit IP IPX Bridge field press SPACE BAR to select Yes and then press ENTER to bring up Menu 11 3...

Page 293: ...address for your Prestige SUA Only 27 3 NAT Setup Use the Address Mapping Sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN You can see two NA...

Page 294: ...nged Figure 27 5 Address Mapping Rules SUA Table 27 2 Address Mapping Rules SUA FIELD DESCRIPTION EXAMPLE Set Name This is the name of the set you selected in menu 15 1 or enter the name of a new set...

Page 295: ...GA Type These are the mapping types discussed above Server allows us to specify multiple servers of different types behind NAT to this machine See later for some examples Server When you have complete...

Page 296: ...ured rule will be pushed up by that number of empty rules For example if you have already configured rules 1 to 6 in your current set and now you configure rule number 9 In the set summary screen the...

Page 297: ...it Insert Before or Delete in the previous field the cursor jumps to this field to allow you to select the rule to apply the action in question 1 You must press ENTER at the bottom of the screen to sa...

Page 298: ...his field is N A for One to One and Server types N A Global IP Start This is the starting global IP address IGA If you have a dynamic IP enter 0 0 0 0 as the Global IP Start Note that Global IP Start...

Page 299: ...etup Step 2 Enter 2 to display Menu 15 2 NAT Server Sets as shown next Figure 27 8 NAT Server Sets Step 3 Enter 1 to go to Menu 15 2 NAT Server Setup as follows Menu 15 2 NAT Server Sets 1 Server Set...

Page 300: ...ollowing figure you have a computer acting as an FTP Telnet and SMTP server ports 21 23 and 25 at 192 168 1 33 Step 6 Press ENTER at the Press ENTER to confirm prompt to save your configuration after...

Page 301: ...al NAT Examples This section provides some examples with Network Address Translation 27 4 1 Example 1 Internet Access Only In the following Internet access example you only need one rule where your IL...

Page 302: ...tup ISP's Name ChangeMe Encapsulation RFC 1483 Multiplexing LLC based VPI 1 VCI 1 ATM QoS Type UBR Peak Cell Rate PCR 5500 Sustained Cell Rate SCR 0 Maximum Burst Size MBS 0 My Login N A My Password N...

Page 303: ...ad only option from the Network Address Translation field in menus 4 and 11 3 is specifically pre configured to handle this case 27 4 2 Example 2 Internet Access with an Inside Server Figure 27 13 NAT...

Page 304: ...e first inside FTP server for FTP traffic in both directions 1 1 mapping giving both local and global IP addresses Rule 2 Map the second IGA to our second inside FTP server for FTP traffic in both dir...

Page 305: ...menu Step 3 Enter 1 to configure the Address Mapping Sets Step 4 Enter 1 to begin configuring this new set Enter a Set Name choose the Edit Action and then enter 1 for the Select Rule field Press ENT...

Page 306: ...u 15 1 1 should look as follows Figure 27 18 Example 3 Final Menu 15 1 1 Menu 15 1 1 1 Address Mapping Rule Type One to One Local IP Start 192 168 1 10 End N A Global IP Start 10 132 50 1 End N A Serv...

Page 307: ...ure the IGA3 to map to our web server and mail server on the LAN Step 8 Enter 15 from the main menu Step 9 Enter 2 in Menu 15 NAT Setup Step 10 Enter 1 in Menu 15 2 NAT Server Sets and enter 1 again t...

Page 308: ...apping as port numbers do not change for Many to Many No Overload and One to One NAT mapping types The following figure illustrates this Figure 27 20 NAT Example 4 Menu 15 2 NAT Server Setup Rule Star...

Page 309: ...rload mapping types Follow the steps outlined in example 3 to configure these two menus as follows Figure 27 21 Example 4 Menu 15 1 1 1 After you've configured your rule you should be able to check th...

Page 310: ...1 1 Menu 15 1 1 Address Mapping Rules Set Name Example4 Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 192 168 1 10 192 168 1 12 10 132 50 1 10 132 50 3 M M NO OV 2 3 4 5 6 7 8 9...

Page 311: ...Advanced Management IX Part IX Advanced Management This part discusses Filter Configuration SNMP System Maintenance and IP Policy Routing Call Scheduling and Remote Management...

Page 313: ...are divided into incoming and outgoing filters, depending on the direction of the packet relative to a port. Data filtering can be applied on either the WAN side or the Ethernet side. Call filtering is...

Page 314: ...s that follow. The following figure illustrates the logic flow when executing a filter rule. (Flowchart labels: Data, Outgoing Packet, Drop packet, Built-in default Call Filters, User-defined Call Filters (if applicable), Initia...)

Page 315: ...(Flowchart labels: ...ch Next Filter Set, Next Filter Set Available, Accept Packet, Drop Packet, Yes, No, Packet into Filter, Filter Set, Forward, Drop, Check Next Rule.) Figure 28-2 Filter Rule Process. You can apply up t...

Page 316: ...ckets. Because each filter set can have up to 6 rules, you can have a maximum of 24 rules active for a single port. 28.2 Filter Set Configuration. To configure a filter set, follow the procedures indicated...

Page 317: ...ummary. Menu 21.1 Filter Rules Summary: # A Type Filter Rules M m n; 1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=137 N D N; 2 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=138 N D N; 3 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=139 N...

Page 318: ...es Summary: # A Type Filter Rules M m n; 1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 N D F; 2 N; 3 N; 4 N; 5 N; 6 N. Enter Filter Rule Number (1-6) to Configure. Menu 21.4 Filter Rules Summary: # A Type Filter Rules M m...

Page 319: ...s Summary: # A Type Filter Rules M m n; 1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=21 N D F; 2 N; 3 N; 4 N; 5 N; 6 N. Enter Filter Rule Number (1-6) to Configure. Menu 21.11 Filter Rules Summary: # A Type Filter Rules M m...

Page 320: ...le chain with the present rule. An action cannot be taken until the rule chain is complete. N means there are no more rules to check. You can specify an action to be taken, for instance, forward the packet...

Page 321: ...Filter Rules Summary and press ENTER to open menu 21.1.1 for the rule. There are two types of filter rules: TCP/IP and Generic. Depending on the type of rule, the parameters for each type will be differen...

Page 322: ...r instance, 2.3 refers to the second filter set and the third filter rule of that set. 1.1. Filter Type: Use SPACE BAR and then ENTER to choose a rule. Parameters displayed for each type will be different...

Page 323: ...Comp: Select the comparison to apply to the destination port in the packet against the value given in Destination Port. Choices are None, Less, Greater, Equal or Not Equal. None. Source IP Addr: Type the sou...

Page 324: ...Both: All packets will be logged. None. Action Matched: Select the action for a matching packet. Choices are Check Next Rule, Forward or Drop. Check Next Rule (default). Action Not Matched: Select the action for...

Page 325: ...(Flowchart labels: ...ive, Check IP Protocol, Drop, Drop Packet, Accept Packet, Drop, Forward, Check Next Rule, Check Next Rule, Check Next Rule, Forward, Not Matched, Yes, No, Check Src IP Addr, Apply SrcAddrMask to Src Addr, Matched, Che...)

Page 326: ...the Value to determine a match. The Mask and Value fields are specified in hexadecimal numbers. Note that it takes two hexadecimal digits to represent a byte, so if the length is 4, the value in either f...

Page 327: ...he data portion before comparison. Value: Type the value in hexadecimal to compare with the data portion. More: If Yes, a matching packet is passed to the next filter rule before an action is taken, or else...

Page 328: ...xact address and port on the wire. Therefore the Prestige applies the protocol filters to the native IP address and port number before NAT for outgoing packets and after NAT for incoming packets. On the...

Page 329: ...21 Filter Set Configuration. Step 2: Enter the index number of the filter set you want to configure, in this case 3. Step 3: Type a descriptive name or comment in the Edit Comments field, for example TELNE...

Page 330: ...s Summary: # A Type Filter Rules M m n; 1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 N D F; 2 N; 3 N; 4 N; 5 N; 6 N. Enter Filter Rule Number (1-6) to Configure. 1. M = N means an action can be taken immediately. The actio...

Page 331: ...b No. More= No. Log= None. Action Matched= Drop. Action Not Matched= Forward. Press ENTER to Confirm or ESC to Cancel. Press SPACE BAR to choose this filter rule type. The first filter rule type determines all s...

Page 332: ...or device filter rules. See earlier in this chapter for information on filters. Output Filter Sets: Apply filters for traffic leaving the Prestige. You may apply filter rules for protocol or device filte...

Page 333: ...inserted in the protocol filters field under Call Filter Sets in menu 11.5 to block local NetBIOS traffic from triggering calls to the ISP. Figure 28-20 Filtering Remote Node Traffic. Note that call fil...

Page 335: ...ocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Prestige supports SNMP agent functionality, which allows a manager station to mana...

Page 336: ...anager issues a request and the agent returns responses using the following protocol operations. Get: Allows the manager to retrieve an object variable from the agent. GetNext: Allows the manager to retri...

Page 337: ...ess of source 0.0.0.0. Trap Community: Type the trap community, which is the password sent with each trap to the SNMP manager. public. Destination: Type the IP address of the station to send your SNMP traps...

Page 338: ...1215. A trap is sent with the port number. 4 authenticationFailure (defined in RFC 1215): A trap is sent to the manager when receiving any SNMP get or set requirements with wrong community (password). 6 linkD...

Page 339: ...is a tool that can be used to monitor your Prestige. Specifically, it gives you information on your ADSL telephone line status and the number of packets sent and received. To get to System Status, type 24 to go...

Page 340: ...has been connected to the current remote node. My WAN IP (from ISP): The IP address of the ISP remote node. Ethernet: Shows statistics for the LAN. Status: Shows the current status of the LAN. Tx Pkts: The num...

Page 341: ...Speed: Shows the downstream transfer rate in kbps. CPU Load: Specifies the percentage of CPU utilization. 30.3 System Information. To get to the System Information: Step 1: Enter 24 to display Menu 24 System...

Page 342: ...ersion. Standard: This refers to the operational protocol the Prestige and the DSLAM (Digital Subscriber Line Access Multiplexer) are using. LAN Ethernet Address: Refers to the Ethernet MAC (Media Access Con...

Page 343: ...Log and Trace. There are two logging facilities in the Prestige. The first is the error logs and trace records that are stored locally. The second is the UNIX syslog facility for message logging. 30.4.1...

Page 344: ...tenance UNIX Syslog, as shown next. Figure 30-8 System Maintenance Syslog and Accounting. You need to configure the UNIX syslog parameters described in the following table to activate syslog, then choose...

Page 345: ...ng board xx line xx channel xx call xx str: board = the hardware board ID; line = the WAN ID in a board; channel = channel ID within the WAN; call = the call reference number, which starts from 1 and increments by...

Page 346: ...192.168.102.2 ZYXEL: IP[Src=192.168.102.20 Dst=202.132.154.1 UDP spo=05d4 dpo=0035]S03>R01mF. 4. PPP Log: SdcmdSyslogSend(SYSLOG_PPPLOG, SYSLOG_NOTICE, String); String = ppp:Proto Starting / ppp:Proto Opening / pp...

Page 347: ...FIELD DESCRIPTION. Reset xDSL: Re-initialize the xDSL link to the telephone company. Ping Host: Ping the host to see if the links and TCP/IP protocol on both systems are working. Reboot System: Reboot the...

Page 349: ...firmware.bin ras. This is a sample FTP session showing the transfer of the computer file "firmware.bin" to the Prestige. ftp> get rom-0 config.cfg. This is a sample FTP session saving the current configurat...

Page 350: ...ad files in menus 24.5, 24.6, 24.7.1 and 24.7.2, depending on whether you use the console port or Telnet. Option 5 from Menu 24 System Maintenance allows you to back up the current Prestige configuration t...

Page 351: ...configuration file on the Prestige to your computer and renames it "config.rom". See earlier in this chapter for more information on filename conventions. Step 7: Enter quit to exit the ftp prompt. 31.2.3...

Page 352: ...sfer files in either ASCII (plain text) format or in binary mode. Initial Remote Directory: Specify the default remote directory (path). Initial Local Directory: Specify the default local directory (path). 31.2...

Page 353: ...lt when the file transfer is complete. Step 4: Launch the TFTP client on your computer and connect to the Prestige. Set the transfer mode to binary before starting data transfer. Step 5: Use the TFTP clien...

Page 354: ...onfiguration file is "rom-0". Binary: Transfer the file in binary mode. Abort: Stop transfer of the file. Refer to section 31.2.5 to read about configurations that disallow TFTP and FTP over WAN. 31.2.9 Backu...

Page 355: ...his function erases the current configuration before restoring a previous backup configuration; please do not attempt to restore unless you have a backup configuration file stored on disk. FTP is the p...

Page 356: ...puter to the Prestige. See earlier in this chapter for more information on filename conventions. Step 8: Enter quit to exit the ftp prompt. The Prestige will automatically restart after a successful resto...

Page 357: ...menu 24.6 and enter y at the following screen. Figure 31-9 System Maintenance Restore Configuration. Step 2: The following screen indicates that the Xmodem download has started. Figure 31-10 System Maint...

Page 358: ...revious Restore Configuration section or by following the instructions in Menu 24.7.2 System Maintenance Upload System Configuration File (for console port). WARNING: DO NOT INTERRUPT THE FILE TRANSFER PR...

Page 359: ...r the upload system configuration file process is complete. For details on FTP commands, please consult the documentation of your FTP client program. For details on uploading system firmware using TFTP, n...

Page 360: ...onfiguration file on the Prestige to your computer and renames it "config.rom". See earlier in this chapter for more information on filename conventions. Step 7: Enter quit to exit the ftp prompt. The Prest...

Page 361: ...ve and the Prestige in CI mode before and during the TFTP transfer. For details on TFTP commands (see the following example), please consult the documentation of your TFTP client program. For UNIX, use get to t...

Page 362: ...ld be similar. 31.4.9 Example Xmodem Firmware Upload Using HyperTerminal. Click Transfer, then Send File to display the following screen. Figure 31-17 Example Xmodem Upload. After the configuration upload...

Page 363: ...4.11 Example Xmodem Configuration Upload Using HyperTerminal. Click Transfer, then Send File to display the following screen. Menu 24.7.2 System Maintenance Upload System Configuration File. To upload sy...

Page 364: ...File Maintenance. Figure 31-19 Example Xmodem Upload. After the configuration upload process has completed, restart the Prestige by entering atgo. Type the configuration file's location or click Browse t...

Page 365: ...SMT by selecting menu 24.8. See the included disk (or the zyxel.com web site) for more detailed information on CI commands. Enter 8 from Menu 24 System Maintenance. A list of valid commands can be found by...

Page 366: ...be dropped and any future outgoing calls will be blocked. To access the call control menu, select option 9 in menu 24 to go to Menu 24.9 System Maintenance Call Control, as shown in the next table. Figure...

Page 367: ...ion is selected. Table 32-1 Budget Management: FIELD DESCRIPTION EXAMPLE. Remote Node: Enter the index number of the remote node you want to reset (just one in this case). 1. Connection Time/Total Budget: This...

Page 368: ...enance Time and Date Setting to update the time and date settings of your Prestige, as shown in the following screen. Figure 32-6 System Maintenance Time and Date Setting. Menu 24.10 System Maintenance T...

Page 369: ...ure of this information. Current Time: This field displays an updated time only when you reenter this menu. New Time: Enter the new time in hour, minute and second format. Current Date: This field displays a...

Page 371: ...the network to enable the backbone to prioritize traffic. Cost Savings: IPPR allows organizations to distribute interactive traffic on high-bandwidth, high-cost paths while using low-cost paths for batc...

Page 372: ...x of the policy set you want to configure to open Menu 25.1 IP Routing Policy Setup. Menu 25.1 shows the summary of a policy set, including the criteria and the action of a single policy and whether a p...

Page 373: ...P=6, T=NM, PR=0 | GW=192.168.1.1, T=MT, PR=0; 2 N; 3 N...

Page 374: ...rom Don't Care, Normal, Min Delay, Max Thruput, Min Cost or Max Reliable. Precedence: Precedence value of the incoming packet. Press SPACE BAR and then ENTER to select a value from 0 to 7 or Don't Care. Packe...

Page 375: ...t be the IP address of a remote node. The default gateway is specified as 0.0.0.0. Type of Service: Set the new TOS value of the outgoing packet. Prioritize incoming network traffic by choosing No Change...

Page 376: ...0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0 NAT= Full Feature Address Mapping Set= 2 Metric= 2 Private= No RIP Direction= Both Version= RIP-2B Multicast= IGMP-v2 IP Policies= 2,4,7,9 Press ENTER to Confi...

Page 377: ...ets to a remote network using another policy. See the next figure. Figure 33-6 Example of IP Policy Routing. To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to...

Page 378: ...h protocol TCP and port FTP access through another gateway (192.168.1.100). Menu 25.1.1 IP Routing Policy: Policy Set Name= set1 Active= Yes Criteria: IP Protocol= 6 Type of Service= Don't Care Packet length= 1...

Page 379: ...er= N/A TCP/IP Setup: IP Address= 192.168.1.1 IP Subnet Mask= 255.255.255.0 RIP Direction= Both Version= RIP-1 Multicast= None IP Policies= 1,2 Edit IP Alias= No Press ENTER to Confirm or ESC to Cancel. Press S...

Page 381: ...le Setup, as shown next. Figure 34-1 Schedule Setup. Lower numbered sets take precedence over higher numbered sets, thereby avoiding scheduling conflicts. For example, if sets 1, 2, 3 and 4 in are applied in...

Page 382: ...be triggered up until the end of the Duration. Table 34-1 Schedule Set Setup: FIELD DESCRIPTION EXAMPLE. Active: Press SPACE BAR to select Yes or No. Choose Yes and press ENTER to activate the schedule set...

Page 383: ...ct in hour:minute format. 09:00. Duration: Enter the maximum length of time this connection is allowed, in hour:minute format. 08:00. Action: Forced On means that the connection is maintained whether or not...

Page 384: ...ofile: Rem Node Name= Route= IP Active= Yes Bridge= No Encapsulation= PPPoE Edit IP/Bridge= No Multiplexing= VC-based Edit ATM Options= No Service Name= Telco Option: Incoming: Allocated Budget(min)= 0 Rem Login= Pe...

Page 385: ...rnet (WAN only), the LAN only, All (LAN and WAN) or Disable (neither). WAN only (Internet), ALL (LAN and WAN), LAN only, Disable (Neither). If you enable remote management of a service but have applied a filter to block...

Page 386: ...Web Server. Each of these read-only labels denotes a service that you may use to remotely manage the Prestige. Server Port: This field shows the port number for the remote management service. You may chan...

Page 387: ...tch the client IP address. If it does not match, the Prestige will disconnect the session immediately. 4. There is already another remote management session of the same type (Telnet, FTP or Web) running. You...

Page 389: ...GEN. This part provides information about configuring VPN/IPSec for secure communications and Internal SPTGEN for configuration of multiple Prestiges. See the web configurator parts of this guide for ba...

Page 391: ...ain submenus. 1. Define VPN policies in menu 27.1 submenus, including security policies, endpoint IP addresses, peer IPSec router IP address and key management. 2. Menu 27.2 SA Monitor allows you to manage r...

Page 392: ...1 IPSec Summary: FIELD DESCRIPTION EXAMPLE. #: This is the VPN policy index number. 1. Menu 27.1 IPSec Summary: # Name A Local Addr Start / Addr End / Mask, Encap, IPSec Algorithm, Key Mgt, Remote Addr Start / Addr End / M...

Page 393: ...nge, this is the end (static) IP address in a range of computers on the LAN behind your Prestige. When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to SUBNET, this is a subnet mask on the L...

Page 394: ...cure Gateway Addr field in SMT 27.1.1 to 0.0.0.0. 172.16.2.40. Remote Addr End: When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is the same (static) IP address as in the Re...

Page 395: ...n a VPN rule is deleted, subsequent rules do not move up in the page list. Use Go To Rule to view the page where your desired rule is listed. Select Next Page or Previous Page to view the next or previou...

Page 396: ...tige automatically re-initiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this feature to work. No. Local I...

Page 397: ...IP address changes. 0.0.0.0. Peer ID type: Press SPACE BAR to choose IP, DNS or E-mail and press ENTER. Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPS...

Page 398: ...ame configured local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses as long as only one is active at any time. In order to have more tha...

Page 399: ...A. Remote: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. The remote fields are N/A when the Secure Gateway Address field is configured to 0...

Page 400: ...mber must be greater than that specified in the previous field. This field is N/A when 0 is configured in the Port Start field. Enable Replay Detection: As a VPN setup is processing intensive, the system...

Page 401: ...the same negotiation mode. Main. PSK (Pre-Shared Key): Prestige gateways authenticate an IKE VPN session by matching pre-shared keys. Pre-shared keys are best for small networks with fewer than ten nodes. En...

Page 402: ...renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication...

Page 403: ...your configuration, or press ESC at any time to cancel. 36.5 Manual Setup. You only configure Menu 27.1.1.2 Manual Setup when you select Manual in the Key Management field in Menu 27.1.1 IPSec Setup. Manu...

Page 404: ...oose DES, and fill in fields Key1 to Key3 when you choose 3DES. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter any encryption keys. DES Key1: Enter a unique eight...

Page 405: ...789a bcde. AH Setup: The AH Setup fields are N/A if you chose an ESP Active Protocol. SPI (Decimal): Type a number (base 10) from 1 to 999999 for the Security Parameter Index. N/A. Authentication Algorithm: Pres...

Page 407: ...A lifetime period expires. See the Web Configurator User's Guide on keep alive to have the Prestige renegotiate an IPSec SA when the SA lifetime expires, even if there is no traffic. 37.2 Using SA Monito...

Page 408: ...bit DES and 168-bit 3DES. NULL denotes a tunnel without encryption. An incoming SA may have an AH in addition to ESP. The Authentication Header provides strong integrity and authentication by adding auth...

Page 409: ...1 Jan 08:02:22 Send SA; 003 01 Jan 08:02:22 Recv SA; 004 01 Jan 08:02:24 Send KE NONCE; 005 01 Jan 08:02:24 Recv KE NONCE; 006 01 Jan 08:02:26 Send ID HASH; 007 01 Jan 08:02:26 Recv ID HASH; 008 01 Jan 08:0...

Page 411: ...ve and upload multiple menus at the same time using just one configuration text file, eliminating the need to navigate and configure individual SMT menus for each Prestige. 38.2 The Configuration Text F...

Page 412: ...0 or 1 in the Input column of Field Identification Number 1000000 (refer to Figure 38-1). / Menu 1 General Setup: 10000000 = Configured <0(No) | 1(Yes)> = 1; 10000001 = System Name <Str> = Prestige; 10000002 = Location <Str> = ; 100...

Page 413: ...2.02 | 2/22/2001 13:33:11. RAM Size = 8192 Kbytes. FLASH: Intel 8M *2. Please wait for the system to write SPT text file (ROM-t)... Bootbase Version: V2.02 | 2/22/2001 13:33:11. RAM Size = 8192 Kbytes. FLASH: Intel 8M *2. c...

Page 414: ...0 ready at Sat Jan 1 03:22:12 2000. User (192.168.1.1:(none)): 331 Enter PASS command. Password: 230 Logged in. ftp> bin. 200 Type I OK. ftp> put rom-t. ftp> bye. 1. Launch your FTP application. 2. Enter bin. The comman...

Page 415: ...XI. Part XI: Appendices and Index. This section provides some Appendices and an Index...

Page 417: ...l emulation. 9600 bps is the default speed on leaving the factory. Try other speeds in case the speed has been changed. I cannot access the Prestige via the console port. 2. Make sure the communications pr...

Page 418: ...word field in Menu 4 Internet Access Setup. I cannot connect to a remote node or ISP. Check menu 4 or menu 11.1 to verify the Encapsulation for the remote node. Problems with Internet Access. Table A-4 Tr...

Page 419: ...he User's Guide for details. Problems with Telnet. Table A-6 Troubleshooting Telnet: PROBLEM CORRECTIVE ACTION. Refer to the Remote Management Limitations section for scenarios when remote management may...

Page 421: ...similar to dial-up services using PPP. Benefits of PPPoE: PPPoE offers the following benefits. 1. It provides you with a familiar dial-up networking (DUN) user interface. 2. It lessens the burden on the carr...

Page 422: ...mes to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as a L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP. The L2TP tunnel is...

Page 423: ...PPoE Client. When using the Prestige as a PPPoE client, the PCs on the LAN see only Ethernet and are not aware of PPPoE. This alleviates the administrator from having to manage the PPPoE clients on the i...

Page 425: ...en circuit end points. Diagram C-1 Virtual Circuit Topology. Think of a virtual path as a cable that contains a bundle of wires. The cable connects two points, and wires within the cable provide individua...

Page 427: ...used only over the short haul between the PC and the modem over Ethernet. For the rest of the connection, the PPP frames are transported with PPP over AAL5 (RFC 2364). The PPP connection, however, is still b...

Page 428: ...F (Cisco's Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user. The PNS is the box that hosts both the P...

Page 429: ...ection supports multiple call sessions. The following diagram depicts the message exchange of a successful call setup between a PC and an ANT. Diagram D-3 Example Message Exchange between PC and an ANT...

Page 431: ...Attack 8-6; Budget Management 32-2, 32-3; C: Call Back Delay 21-4; Call Filtering 28-1; Call Filters: Built-In 28-1, User Defined 28-1; Call Scheduling 34-1: Maximum Number of Schedule Sets 34-1, PPPoE 34-3, Prec...

Page 432: ...ges Sample 30-6; Ethernet 22-1; Ethernet Encapsulation 6-5; Ethernet Traffic 28-21; Ethernet 802.3 bridged 1-5; F: Factory LAN Defaults 4-3; FCC iii; Features 1-1; Filename Conventions 31-1; Filter 21-9, 28-1: Ap...

Page 433: ...4-4; IGMP support 24-7; IKE Setup 36-11; Industry Canada iv; Install UPnP 16-3: Windows Me 16-4, Windows XP 16-5; Installation Ease 1-4; Interactive Applications 33-1; Internal SPTGEN 38-1: FTP Download Exampl...

Page 434: ...address 26-3; Main Menu 18-4; Management Information Base (MIB) 29-2; Max-incomplete High 9-4; Max-incomplete Low 9-4; MBS See Maximum Burst Size; Media Access Control 26-1; Message Logging 30-5; Metric 5-1, 21...

Page 435: ...28-11; Protocol Filter Rules 28-16; Protocols Supported 1-3; PSK 36-11; Q: Quality of Service 33-1; Quick Start Guide 2-1, 16-2; R: RAS 30-4, 33-2; Rate: Receiving 30-2, Transmission 30-2; Read Me First xxix; Relate...

Page 436: ...2; Source-Based Routing 33-1; Speed 1-1; SPI 36-13; Stateful Inspection 1-2, 8-1, 8-2, 8-7, 8-8: Prestige 8-9, Process 8-8; Static Routing Topology 25-1; SUA 1-3, 6-5, 6-6; SUA (Single User Account) See NAT; Subnet Mas...

Page 437: ...U: UDP/ICMP Security 8-10; Universal Plug and Play 16-1: Application 16-1, Security issues 16-1; Universal Plug and Play Forum 16-2; UNIX Syslog 30-5, 30-7; UNIX syslog parameters 30-6; Upload Firmware 31-10; U...
