Prestige 652 ADSL Security Router User's Guide Version 3.
Prestige 652 ADSL Security Router Copyright Copyright © 2002 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation.
Prestige 652 ADSL Security Router Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: • This device may not cause harmful interference. • This device must accept any interference received, including interference that may cause undesired operations. This equipment has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules.
Prestige 652 ADSL Security Router Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective operation and safety requirements. The Industry Canada label does not guarantee that the equipment will operate to a user's satisfaction. Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company.
Prestige 652 ADSL Security Router ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase.
Prestige 652 ADSL Security Router Customer Support Please have the following information ready when you contact customer support. • • • • • Product model and serial number. Information in Menu 24.2.1 – System Information. Warranty Information. Date that you received your device. Brief description of the problem and the steps you took to solve it. METHOD E-MAIL TELEPHONE/FAX WEB SITE/ FTP SITE REGULAR MAIL SUPPORT/SALES LOCATION WORLDWIDE support@zyxel.com.tw +886-3-578-3942 www.zyxel.com www.
Prestige 652 ADSL Security Router Table of Contents GETTING STARTED........................................................................................................................................I Chapter 1 Getting To Know Your Prestige.................................................................................................1-1 1.1 Prestige 652 ADSL Security Router ..........................................................................................1-1 1.2 Features .....................
Prestige 652 ADSL Security Router Chapter 5 Remote Node Configuration .....................................................................................................5-1 5.1 Remote Node Setup ...................................................................................................................5-1 5.2 Remote Node Setup ...................................................................................................................5-6 5.3 Remote Node Filter.................................
Prestige 652 ADSL Security Router 13.1 Introduction..............................................................................................................................13-1 13.2 Creating/Editing A Customized Service ..................................................................................13-3 13.3 Example DHCP Negotiation and Syslog Connection from the Internet ..................................13-4 Chapter 14 Logs ...........................................................................
Prestige 652 ADSL Security Router 21.3 Telnet Capabilities ...................................................................................................................21-1 21.4 FTP ..........................................................................................................................................21-2 21.5 Web..........................................................................................................................................21-2 21.6 Remote Management .......
Prestige 652 ADSL Security Router 29.4 29.5 29.6 29.7 29.8 29.9 Problems with the LAN Interface ............................................................................................29-2 Problems with the WAN Interface ...........................................................................................29-2 Problems with Internet Access .................................................................................................29-3 Problems with the Password ...............................
Prestige 652 ADSL Security Router List of Figures Figure 1-1 Internet Access Application...........................................................................................................1-7 Figure 1-2 Firewall Application......................................................................................................................1-8 Figure 1-3 LAN-to-LAN Application.............................................................................................................
Prestige 652 ADSL Security Router Figure 4-8 Example of Traffic Shaping........................................................................................................ 4-15 Figure 4-9 Internet Access Setup ................................................................................................................. 4-15 Figure 5-1 Menu 11 — Remote Node Setup.................................................................................................. 5-2 Figure 5-2 Menu 11.
Prestige 652 ADSL Security Router Figure 8-11 Menu 15.2.1 — NAT Server Setup ...........................................................................................8-18 Figure 8-12 Multiple Servers Behind NAT Example....................................................................................8-19 Figure 8-13 NAT Example 1.........................................................................................................................8-20 Figure 8-14 Menu 4 — Internet Access & NAT Example .
Prestige 652 ADSL Security Router Figure 12-3 Firewall Rules Summary — First Screen ................................................................................. 12-5 Figure 12-4 Creating/Editing A Firewall Rule ........................................................................................... 12-10 Figure 12-5 Adding/Editing Source and Destination Addresses ................................................................ 12-12 Figure 12-6 Timeout Screen.........................................
Prestige 652 ADSL Security Router Figure 16-18 Filtering Remote Node Traffic ..............................................................................................16-22 Figure 16-19 Filtering Remote Node Traffic with PPPoE ..........................................................................16-22 Figure 17-1 SNMP Management Model.......................................................................................................17-1 Figure 17-2 Menu 22 — SNMP Configuration ...................
Prestige 652 ADSL Security Router Figure 19-14 Telnet Into Menu 24.7.2 — System Maintenance .................................................................19-11 Figure 19-15 FTP Session Example of Firmware File Upload .................................................................. 19-12 Figure 19-16 Menu 24.7.1 as seen using the Console Port ........................................................................ 19-14 Figure 19-17 Example Xmodem Upload .................................................
Prestige 652 ADSL Security Router Figure 24-2 VPN Application .......................................................................................................................24-3 Figure 24-3 IPSec Architecture.....................................................................................................................24-4 Figure 24-4 Transport and Tunnel Mode IPSec Encapsulation.....................................................................24-5 Figure 25-1 VPN SMT Menu Tree .............
Prestige 652 ADSL Security Router Diagram 5 Boot Module Commands ................................................................................................................
Prestige 652 ADSL Security Router List of Tables Table 2-1 Front Panel LED Description......................................................................................................... 2-1 Table 2-2 Main Menu Commands................................................................................................................ 2-11 Table 2-3 Main Menu Summary ..................................................................................................................
Prestige 652 ADSL Security Router Table 9-3 Legal NetBIOS Commands............................................................................................................9-7 Table 9-4 Legal SMTP Commands ................................................................................................................9-7 Table 10-1 View Firewall Log......................................................................................................................10-3 Table 11-1 E-mail ...................
Prestige 652 ADSL Security Router Table 19-3 General Commands for GUI-based TFTP Clients ..................................................................... 19-6 Table 20-1 Budget Management .................................................................................................................. 20-3 Table 20-2 Time and Date Setting Fields ..................................................................................................... 20-5 Table 21-1 Menu 24.11 – Remote Management Control ..
Prestige 652 ADSL Security Router Preface Congratulations on your purchase of the Prestige 652 ADSL Router with VPN and Firewall. There are two Prestige 652 models, one for ADSL over POTS (Plain Old Telephone System) and one for ADSL over ISDN (Integrated Synchronous Digital System). Both models are discussed together in this guide. The Prestige 652 is an ADSL router used for Internet/LAN access via an ADSL line.
Prestige 652 ADSL Security Router Please refer to www.zyxel.com for an online glossary of networking terms and additional support documentation Syntax Conventions • “Enter” means for you to type one or more characters and press the carriage return. “Select” or “Choose” means for you to select one from the predefined choices. • The SMT menu titles and labels are in Bold Times New Roman font. Predefined field choices are in Bold Arial font. Command and arrow keys are enclosed in square brackets.
Prestige 652 ADSL Security Router What is DSL? DSL (Digital Subscriber Line) technology enhances the data capacity of the existing twisted-pair wire that runs between the local telephone company switching offices and most homes and offices.
Getting Started Part I: GETTING STARTED This part is structured as a step-by-step guide to help you connect, install and set up your Prestige to operate on your network and to access the Internet. Described are Key Features and Applications, Hardware Installation, Initial Setup and Internet Access.
Prestige 652 ADSL Security Router Chapter 1 Getting To Know Your Prestige This chapter describes the key features and applications of your Prestige. 1.1 Prestige 652 ADSL Security Router Your Prestige integrates a high-speed 10/100Mbps auto-negotiating LAN interface and a high-speed ADSL port into a single package. The Prestige is ideal for high-speed Internet browsing and making LAN-to-LAN connections to remote networks.
Prestige 652 ADSL Security Router You can configure most features of the Prestige via SMT but we recommend you configure the firewall and content filters using the Prestige Web Configurator. • Content Filtering The Prestige can block specific URLs by using the keyword blocking feature.
Prestige 652 ADSL Security Router z ADSL Transmission Rate Standards ♦ Full-Rate (ANSI T1.413, Issue 2; G.dmt (G.992.1) with line rate support of up to 8 Mbps downstream and 832 Kbps upstream. ♦ G.lite (G.992.2) with line rate support of up to 1.5Mbps downstream and 512Kbps upstream. ♦ Supports Multi-Mode standard (ANSI T1.413, Issue 2; G.dmt (G.992.1); G.lite (G992.2)). ♦ TCP/IP (Transmission Control Protocol/Internet Protocol) network layer protocol. ♦ ATM Forum UNI 3.1 PVC.
Prestige 652 ADSL Security Router ♦ ICMP support ♦ IP QoS support ♦ MIB II support (RFC 1213) z Networking Compatibility Your Prestige is compatible with the major ADSL DSLAM (Digital Subscriber Line Access Multiplexer) providers, making configuration as simple as possible for you. z Multiplexing The Prestige supports VC-based and LLC-based multiplexing.
Prestige 652 ADSL Security Router • Diagnostics Capabilities ♦ The Prestige can perform self-diagnostic tests. These tests check the integrity of the following circuitry: z ♦ FLASH memory ♦ ADSL circuitry ♦ RAM ♦ LAN port Ease of Installation Your Prestige is designed for quick, intuitive and easy installation. z Housing Your Prestige's all new compact and ventilated housing minimizes space requirements making it easy to position anywhere in your busy office. 1.
Prestige 652 ADSL Security Router Figure 1-1 Internet Access Application Internet Single User Account For a SOHO (Small Office/Home Office) environment, your Prestige offers the Network Address Translation (NAT) feature that allows multiple users on the LAN (Local Area Network) to access the Internet concurrently for the cost of a single IP address. 1.3.2 Firewall for Secure Broadband Internet Access The Prestige provides protection from attacks by Internet hackers.
Prestige 652 ADSL Security Router 1.3.3 LAN to LAN Application You can use the Prestige to connect two geographically dispersed networks over the ADSL line. A typical LAN-to-LAN application for your Prestige is shown as follows. Figure 1-3 LAN-to-LAN Application 1.3.4 VPN Application The Prestige’s VPN feature makes it an ideal cost-effective way to connect branch offices and business partners over the Internet without the need (and expense) for leased lines between sites.
Prestige 652 ADSL Security Router Figure 1-4 VPN Application 1-8 Getting To Know Your Prestige
Prestige 652 ADSL Security Router Chapter 2 Hardware Installation and Initial Setup This chapter describes the physical features of the Prestige and how to make cable connections. 2.1 Front Panel LEDs of the P652 The LEDs on the front panel indicate the operational status of your Prestige Figure 2-1 Front Panel Table 2-1 Front Panel LED Description LED PWR SYS PPPoE COLOR STATUS Green On The Prestige is receiving power. Blinking The Prestige is performing a self-test.
Prestige 652 ADSL Security Router LED LAN 10M LAN 100M COLOR STATUS Green On The Prestige has a successful 10Mb Ethernet connection. Blinking The Prestige is sending/receiving data. Off The Prestige does not have a 10Mb Ethernet connection. On The Prestige has a successful 100Mb Ethernet connection. Blinking The Prestige is sending/receiving data. Off The Prestige does not have a 100Mb Ethernet connection.
Prestige 652 ADSL Security Router 2.2.1 xDSL Port Connect the Prestige directly to the wall jack using a DSL cable (telephone wire). Connect a microfilter(s) between the wall jack and your telephone(s). A microfilter acts as low-pass filter (voice transmission takes place in the 0 to 4KHz bandwidth) and is an optional purchase. 2.2.2 Console Port Use terminal emulator software on a computer for configuring your Prestige via console port.
Prestige 652 ADSL Security Router A computer equipped with communications software (for example, Hyper Terminal in Windows 95) configured to the following parameters: VT100 terminal emulation. 9600 baud rate. Parity set to none, 8 data bits, 1 stop bit. Flow control set to none. After the Prestige has been successfully connected to your network, you can make future changes to the configuration via Telnet. 2.4 P652 with POTS 2.4.1 Connecting a POTS Splitter One major difference between Full Rate (G.
Prestige 652 ADSL Security Router Figure 2-3 Connecting a POTS Splitter Step 1. Connect the side labeled “Phone” to your telephone. Step 2. Connect the side labeled “Modem” to your Prestige. Step 3. Connect the side labeled “Line” to the telephone wall jack. 2.4.2 Telephone Microfilters Telephone voice transmissions take place in the lower frequency range, 0 - 4KHz, while ADSL transmissions take place in the higher bandwidth range, above 4KHz.
Prestige 652 ADSL Security Router Figure 2-4 Connecting a Microfilter 2.5 P652 with ISDN This section relates to people who use their P652 with ADSL over ISDN (digital telephone service) only. The following is an example installation for the P652 with ISDN.
Prestige 652 ADSL Security Router 2.6 Turning On Your Prestige At this point, you should have connected the DSL, LAN 10/100M, console and power ports to the appropriate devices. Make sure the power adapter is plugged into an appropriate power source and the power button (located on the back of your Prestige) is “on” (pushed in). 2.
Prestige 652 ADSL Security Router Enter Password : XXXX Figure 2-7 Login Screen 2.8 Resetting the Prestige If you forget your password or cannot access the Prestige, you will need to reload the factory-default configuration file. Uploading this configuration file replaces the current configuration file with the factorydefault configuration file.
Prestige 652 ADSL Security Router 2.8.2 Procedure To Use The Reset Button Make sure the SYS led is on (not blinking) before you begin this procedure. 1. Press the RESET button for ten seconds, then release it. If the SYS LED begins to blink, the defaults have been restored and the Prestige restarts. Otherwise, go to step 2. 2. Turn the Prestige off. 3. While pressing the RESET button, turn the Prestige on. 4. Continue to hold the RESET button.
Prestige 652 ADSL Security Router 2.8.3 Prestige 652 SMT Menu Overview The following figure gives you an overview of the various SMT menu screens of your Prestige. Figure 2-8 SMT Menu Overview 2.9 Navigating the SMT Interface The SMT (System Management Terminal) is the interface that you use to configure your Prestige.
Prestige 652 ADSL Security Router Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below. Table 2-2 Main Menu Commands OPERATION KEYSTROKE DESCRIPTION Move down to another menu [ENTER] To move forward to a submenu, type in the number of the desired submenu and press [ENTER]. Move up to a previous menu [ESC] Press [ESC] to move back to the previous menu.
Prestige 652 ADSL Security Router Copyright (c) 1994 - 2002 ZyXEL Communications Corp. Prestige 652 Main Menu Getting Started 1. General Setup 3. LAN Setup 4. Internet Access Setup Advanced Applications 11. Remote Node Setup 12. Static Routing Setup 15. NAT Setup Advanced Management 21. Filter and Firewall Setup 22. SNMP Configuration 23. System Password 24. System Maintenance 25. IP Routing Policy Setup 26. Schedule Setup 27. VPN/IPSec Setup 99.
Prestige 652 ADSL Security Router # MENU TITLE DESCRIPTION 26 Schedule Setup Use this menu to schedule outgoing calls. 27 VPN/ IPSec Setup Use this menu to configure VPN connections. 99 Exit Use this to exit from SMT and return to a blank screen. 2.10 Changing the System Password Change the Prestige default password by following the steps shown next. Step 1. Enter 23 in the main menu to display Menu 23 - System Password as shown next. Step 2.
Prestige 652 ADSL Security Router Chapter 3 General Setup Menu 1 - General Setup contains administrative and system-related information. 3.1 System Name System Name is for identification purposes. ZyXEL recommends you enter your computer’s “Computer name”. • In Windows 95/98 click Start -> Settings -> Control Panel and then double-click Network. Click the Identification tab, note the entry for the Computer name field and enter it as the Prestige System Name.
Prestige 652 ADSL Security Router To use this service, you must register with the Dynamic DNS service provider. The Dynamic DNS service provider will give you a password or key. The Prestige supports www.dyndns.org. You can apply to this service provider for Dynamic DNS service. 3.2.1 DYNDNS Wildcard Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use for example, www.
Prestige 652 ADSL Security Router Domain Name Enter your domain name here (if you have one). If you leave this field blank, the ISP may assign a domain name via DHCP. You can go to menu 24.8 and type "sys domain name" to see the current domain name used by your router. zyxel.com.tw If you want to clear this field just press [SPACE BAR] and then [ENTER]. The domain name entered by you is given priority over the ISP assigned domain name.
Prestige 652 ADSL Security Router Follow the instructions in the next table to configure Dynamic DNS parameters. Table 3-2 Configure Dynamic DNS Menu Fields FIELD DESCRIPTION Service Provider This is the name of your Dynamic DNS service provider. Active Press [SPACE BAR] to select Yes and then press [ENTER] to enable dynamic DNS. Host Enter the domain name assigned to your Prestige by your Dynamic DNS provider. EMAIL Enter your e-mail address. USER Enter your user name.
Prestige 652 ADSL Security Router Menu 3 - Ethernet Setup 1. LAN Port Filter Setup 2. TCP/IP and DHCP Setup Enter Menu Selection Number: Figure 3-3 Menu 3 — Ethernet Setup 3.4.1 LAN Port Filter Setup This menu allows you to specify filter set(s) that you wish to apply to the Ethernet traffic. You seldom need to filter Ethernet traffic; however, the filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Menu 3.
Prestige 652 ADSL Security Router Chapter 4 Internet Access This chapter shows you how to configure the LAN and WAN of your Prestige for Internet access. 4.1 Factory Ethernet Defaults The Ethernet parameters of the Prestige are preset in the factory with the following values: 1. IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits). 2. DHCP server enabled with 32 client IP addresses starting from 192.168.1.33. These parameters should work for the majority of installations.
Prestige 652 ADSL Security Router Figure 4-1 LAN & WAN IPs 4.3 TCP/IP Parameters 4.3.1 IP Address and Subnet Mask Like houses on a street that share a common street name, the computers on a LAN share one common network number. Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.
Prestige 652 ADSL Security Router 4.3.2 Private IP Addresses Every machine on the Internet must have a unique address. If your networks are isolated from the Internet, for example, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks: 10.0.0.0 - 10.255.255.255 172.16.0.0 - 172.31.255.255 192.168.0.0 - 192.
Prestige 652 ADSL Security Router 4.3.4 DHCP Configuration DHCP (Dynamic Host Configuration Protocol) allows the individual clients (computers) to obtain the TCP/IP configuration at start-up from a centralized DHCP server. The Prestige has built-in DHCP server capability, enabled by default, which means it can assign IP addresses, an IP default gateway and DNS servers to Windows 95, Windows NT and other systems that support the DHCP client.
Prestige 652 ADSL Security Router 4.4 IP Multicast Traditionally, IP packets are transmitted in one of either two ways - Unicast (1 sender – 1 recipient) or Broadcast (1 sender – everybody on the network). Multicast is a third way to deliver IP packets to a group of hosts on the network - not everybody. IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a multicast group - it is not used to carry user data.
Prestige 652 ADSL Security Router Figure 4-2 Physical Network Figure 4-3 Partitioned Logical Networks Use menu 3.2.1 to configure IP Alias on your Prestige. 4.6.1 IP Alias Setup Use menu 3.2 to configure the first network. Move the cursor to Edit IP Alias field and press [SPACEBAR] to choose Yes and press [ENTER] to configure the second and third network. Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP Setup: DHCP= Server Client IP Pool Starting Addres= 192.168.1.
Prestige 652 ADSL Security Router Pressing [ENTER] displays Menu 3.2.1 - IP Alias Setup, as shown next. Menu 3.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Incoming protocol filters= Outgoing protocol filters= IP Alias 2= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Incoming protocol filters= Outgoing protocol filters= N/A N/A N/A N/A Enter here to CONFIRM or ESC to CANCEL: Press Space Bar to Toggle. Figure 4-5 Menu 3.
Prestige 652 ADSL Security Router 4.7 Route IP Setup The first step is to enable the IP routing in Menu 1 - General Setup. To edit menu 1, type in 1 in the main menu and press [ENTER]. Set the Route IP field to Yes by pressing [SPACE BAR]. Menu 1 - General Setup System Name= ? Location= Contact Person's Name= Domain Name= Edit Dynamic DNS= No Route IP= Yes Bridge= No Press ENTER to Confirm or ESC to Cancel: Figure 4-6 Menu 1 — General Setup 4.8 TCP/IP Ethernet Setup and DHCP Use menu 3.
Prestige 652 ADSL Security Router Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP Setup: DHCP= Server Client IP Pool Starting Address= 192.168.1.33 Size of Client IP Pool= 32 Primary DNS Server= 0.0.0.0 Secondary DNS Server= 0.0.0.0 Remote DHCP Server= N/A TCP/IP Setup: IP Address= 192.168.1.1 IP Subnet Mask= 255.255.255.
Prestige 652 ADSL Security Router FIELD DESCRIPTION EXAMPLE Primary DNS Server Enter the IP addresses of the DNS servers. The DNS servers are passed to the DHCP clients along with the IP address and Secondary DNS Server the subnet mask. Remote DHCP Server If Relay is selected in the DHCP field above then enter the IP address of the actual remote DHCP server here. Follow the instructions in the following table to configure TCP/IP parameters for the Ethernet port.
Prestige 652 ADSL Security Router 4.9 VPI and VCI Be sure to use the correct Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) numbers supplied by your telephone company. The valid range for the VPI is 0 to 255 and for the VCI is 32 to 65535 (0 to 31 is reserved for local management of ATM traffic). Please see the Appendices for more information. 4.10 Multiplexing There are two conventions to identify what protocols the virtual circuit (VC) is carrying.
Prestige 652 ADSL Security Router 4.11.2 PPP over Ethernet PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP. The Prestige bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your computer to an ATM PVC (Permanent Virtual Circuit) which connects to a xDSL Access Concentrator where the PPP session terminates. One PVC can support any number of PPP sessions from your LAN. For more information on PPPoE, see the Appendices. 4.11.
Prestige 652 ADSL Security Router DHCP client on the WAN port and so the IP Address and ENET ENCAP Gateway fields are not applicable (N/A) as they are assigned to the Prestige by the DHCP server. 4.13 Internet Access Configuration Menu 4 allows you to enter the Internet Access information in one screen. Menu 4 is actually a simplified setup for one of the remote nodes that you can access in menu 11.
Prestige 652 ADSL Security Router FIELD DESCRIPTION DNS Server Address Assignment Primary DNS server Secondary DNS server Enter when using RFC 1483 Encapsulation or a static IP address. ENET ENCAP Gateway IP Address Gateway IP Address Enter when using ENET ENCAP Encapsulation. YOUR INFO 4.13.1 Traffic Shaping Traffic Shaping is an agreement between the carrier and the subscriber to regulate the average rate and “burstiness” or fluctuation of data transmission over an ATM network.
Prestige 652 ADSL Security Router Figure 4-8 Example of Traffic Shaping From the main menu, enter 4 to display Menu 4 - Internet Access Setup, (shown next). Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= RFC 1483 Multiplexing= VC-based VPI #= 8 VCI #= 35 ATM QoS Type= CBR Peak Cell Rate (PCR)= 0 Sustain Cell Rate (SCR)= 0 Maximum Burst Size (MBS)= 0 My Login= N/A My Password= N/A ENET ENCAP Gateway= N/A IP Address Assignment= Static IP Address= 0.0.0.
Prestige 652 ADSL Security Router Table 4-5 Internet Access Setup Menu Fields FIELD DESCRIPTION EXAMPLE ISP’s Name Enter the name of your Internet Service Provider. This information is for identification purposes only. ChangeMe Encapsulation Press [SPACE BAR] to select the method of encapsulation used by your ISP. Choices are PPPoE, PPPoA, RFC 1483 or ENET ENCAP. RFC 1483 Multiplexing Press [SPACE BAR] to select the method of multiplexing used by your ISP. Choices are VC-based or LLC-based.
Prestige 652 ADSL Security Router FIELD DESCRIPTION EXAMPLE Network Address Translation Press [SPACE BAR] to select None, SUA Only or Full Feature. Please see the NAT Chapter for more details on the SUA (Single User Account) feature. SUA Only Address Mapping Set Type the numbers of mapping sets (1-8) to use with NAT. See the NAT chapter for details.
Advanced Applications Part II: ADVANCED APPLICATIONS This part shows how to configure Remote Nodes, Remote Node TCP/IP and NAT.
Prestige 652 ADSL Security Router Chapter 5 Remote Node Configuration This chapter covers the parameters that are protocol-independent. Protocol-dependent configuration (TCP/IP and Bridging) is covered in the following chapters. A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. When you use menu 4 to set up Internet access, you are configuring one of the remote nodes. 5.
Prestige 652 ADSL Security Router 5.1.2 Encapsulation and Multiplexing Scenarios For Internet access you should use the encapsulation and multiplexing methods used by your ISP. Consult your telephone company for information on encapsulation and multiplexing methods for LAN-to-LAN applications, for example between a branch office and corporate headquarters. There must be prior agreement on encapsulation and multiplexing methods because they cannot be automatically determined.
Prestige 652 ADSL Security Router Menu 11.
Prestige 652 ADSL Security Router FIELD DESCRIPTION EXAMPLE Service Name When using PPPoE encapsulation, type the name of your PPPoE service here. Incoming: Type the login name that this remote node will use to call your Prestige. The login name and the Rem Password will be used to authenticate this node. Rem Login Rem Password N/A Type the password used when this remote node calls your Prestige. Outgoing: My Login Type the login name assigned by your ISP when the Prestige calls this remote node.
Prestige 652 ADSL Security Router FIELD Schedule Sets Nailed up Connection Session Options Edit Filter Sets Idle Timeout (sec) DESCRIPTION EXAMPLE You can apply up to four schedule sets here. For more details please refer to the Call Schedule Setup chapter. This field specifies if you want to make the connection to this remote node a nailed-up connection. More details are given earlier in this section. Use [SPACE BAR] to choose Yes and press [ENTER] to open menu 11.5 to edit the filter sets.
Prestige 652 ADSL Security Router Menu 11.3 - Remote Node Network Layer Options IP Options: IP Address Assignment= Static Rem IP Addr: 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0 NAT= SUA Only Address Mapping Set=2 Metric= 2 Private= No RIP Direction= None Version= RIP-1 Multicast= None IP Policies= 3,4,5,6 Bridge Options: Ethernet Addr Timeout(min)= 0 Press ENTER to Confirm or ESC to Cancel: Figure 5-3 Remote Node Network Layer Options The next table explains fields in Menu 11.
Prestige 652 ADSL Security Router FIELD Mapping Set DESCRIPTION EXAMPLE mapping sets in menu 15.1. Select one of the NAT server sets (2-10) in menu 15.2 (see the NAT chapter for details) and type that number here. When SUA Only is selected in the NAT field, the SMT uses NAT server set 1 in menu 15.2 (see the NAT chapter for details). Metric The metric represents the “cost” of transmission for routing purposes.
Prestige 652 ADSL Security Router Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL: Figure 5-4 Menu 11.5 — Remote Node Filter Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= Device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= Device filters= Enter here to CONFIRM or ESC to CANCEL: Figure 5-5 Menu 11.
Prestige 652 ADSL Security Router Chapter 6 Remote Node TCP/IP Configuration This chapter shows a sample LAN-to-LAN application and how to configure TCP/IP remote node. 6.1 TCP/IP Configuration The following sections describe how to configure the TCP/IP parameters of a remote node. 6.1.1 Editing TCP/IP Options Follow the steps shown next to edit Menu 11.6 – Remote Node ATM Layer Options. In menu 11.1, move the cursor to the Edit ATM Options field and then press [SPACE BAR] to select Yes.
Prestige 652 ADSL Security Router LLC-based Multiplexing or PPPoA or PPPoE Encapsulation For LLC-based multiplexing or PPP or PPPoE encapsulation, one VC carries multiple protocols with protocol identifying information being contained in each packet header. Menu 11.6 - Remote Node ATM Layer Options VPI/VCI (LLC-Multiplexing or PPP-Encapsulation) VPI #= 8 VCI #= 35 ATM QoS Type= UBR Peak Cell Rate (PCR)= 5400 Sustain Cell Rate (SCR)= 0 Maximum Burst Size (MBS)= 0 .
Prestige 652 ADSL Security Router Figure 6-3 Sample IP Addresses for a TCP/IP LAN-to-LAN Connection To configure the TCP/IP parameters of a remote node, first configure fields in Menu 11.1 – Remote Node Profile, as shown in the following table. For more details on the IP Option fields, refer to Internet Access. Table 6-1 TCP/IP-Related Fields in Menu 11.1 — Remote Node Profile FIELD DESCRIPTION EXAMPLE Route Make sure IP is among the protocols in the Route field in Menu 11.1 – Remote Node Profile.
Prestige 652 ADSL Security Router Menu 11.3 - Remote Node Network Layer Options IP Options: IP Address Assignment= Static Rem IP Addr: 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0 NAT= Full Feature Address Mapping Set=2 Metric= 2 Private= No RIP Direction= Both Version= RIP-2B Multicast= IGMP-v2 IP Policies= Bridge Options: Ethernet Addr Timeout (min)= 0 Press ENTER to Confirm or ESC to Cancel: Figure 6-4 Remote Node Network Layer Options The following table shows the fields in Menu 11.
Prestige 652 ADSL Security Router FIELD (Network Address Translation) DESCRIPTION EXAMPLE Select SUA Only if you have just one public WAN IP address for your Prestige. The SMT uses Address Mapping Set 255 (menu 15.1 - see section 8.3.1). Select None to disable NAT. Address Mapping Set When Full Feature is selected in the NAT field, configure address mapping sets in menu 15.1. Select one of the NAT server sets (2-10) in menu 15.2 (see the NAT chapter for details) and type that number here.
Prestige 652 ADSL Security Router network N3 because it does not know that there is a route through remote node Router 1 (via Router 2). The static routes allow you to tell the Prestige about the networks beyond the remote nodes. Figure 6-5 Sample Static Routing Topology Configuration Step 1. 6-6 To configure an IP static route, use Menu 12 – Static Route Setup (shown next).
Prestige 652 ADSL Security Router Menu 12 - Static Route Setup 1. IP Static Route 3. Bridge Static Route Please enter selection: Figure 6-6 Menu 12 — Static Route Setup Step 2. From menu 12, select 1 to open Menu 12.1 — IP Static Route Setup (shown next). Menu 12.1 - IP Static Route Setup 1. 2. 3. 4. 5. 6. 7. 8. ________ ________ ________ ________ ________ ________ ________ ________ Enter selection number: Figure 6-7 Menu 12.1 — IP Static Route Setup Step 3.
Prestige 652 ADSL Security Router The following table describes the fields for Menu 12.1.1 – Edit IP Static Route Setup. Table 6-3 Edit IP Static Route Menu Fields FIELD DESCRIPTION Route # This is the index number of the static route that you chose in menu 12.1. Route Name Type a descriptive name for this route. This is for identification purpose only. Active This field allows you to activate/deactivate this static route.
Prestige 652 ADSL Security Router Chapter 7 Bridging Setup This chapter shows you how to configure the bridging parameters of your Prestige. 7.1 Bridging in General Bridging bases the forwarding decision on the MAC (Media Access Control), or hardware address, while routing does it on the network layer (IP) address. Bridging allows the Prestige to transport packets of network layer protocols that it does not route, for example, SNA, from one network to another.
Prestige 652 ADSL Security Router Menu 11.3 - Remote Node Network Layer Options IP Options: IP Address Assignment= Static Rem IP Addr: 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0 NAT= Full Feature Address Mapping Set=2 Metric= 2 Private= No RIP Direction= Both Version= RIP-2B Multicast= IGMP-v2 IP Policies= Bridge Options: Ethernet Addr Timeout (min)= 0 Press ENTER to Confirm or ESC to Cancel: Figure 7-1 Menu 11.
Prestige 652 ADSL Security Router Menu 12.3.1 - Edit Bridge Static Route Route #: 1 Route Name= Active= No Ether Address= ? IP Address= Gateway Node= 1 Press ENTER to Confirm or ESC to Cancel: Figure 7-2 Menu 12.3.1 — Edit Bridge Static Route The following table describes the Edit Bridge Static Route menu. Table 7-2 Edit Bridge Static Route Menu Fields FIELD DESCRIPTION Route # This is the route index number you typed in Menu 12.3 – Bridge Static Route Setup.
Prestige 652 ADSL Security Router Chapter 8 Network Address Translation (NAT) This chapter discusses how to configure NAT on the Prestige. 8.1 Introduction NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, for example, the source address of an outgoing packet, used within one network to a different IP address known within another network. 8.1.
Prestige 652 ADSL Security Router NAT never changes the IP address (either local or global) of an outside host. 8.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side.
Prestige 652 ADSL Security Router Figure 8-1 How NAT Works 8.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the Prestige can communicate with three distinct WAN networks. More examples follow at the end of this chapter.
Prestige 652 ADSL Security Router Figure 8-2 NAT Application With IP Alias 8.1.5 NAT Mapping Types NAT supports five types of IP/port mapping. They are: 1. One to One: In One-to-One mode, the Prestige maps one local IP address to one global IP address. 2. Many to One: In Many-to-One mode, the Prestige maps multiple local IP addresses to one global IP address.
Prestige 652 ADSL Security Router Port numbers do not change for One-to-One and Many-to-Many No Overload NAT mapping types. The following table summarizes these types.
Prestige 652 ADSL Security Router The Prestige also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types as outlined in Table 8-2. 1. Choose SUA Only if you have just one public WAN IP address for your Prestige. 2. Choose Full Feature if you have multiple public WAN IP addresses for your Prestige. 8.2.2 Applying NAT You apply NAT via menus 4 or 11.3 as displayed next.
Prestige 652 ADSL Security Router Menu 11.3 - Remote Node Network Layer Options IP Options: IP Address Assignment= Static Rem IP Addr: 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0 NAT= Full Feature Address Mapping Set= 2 Metric= 2 Private= No RIP Direction= Both Version= RIP-2B Multicast= IGMP-v2 IP Policies= Bridge Options: Ethernet Addr Timeout (min)= 0 Press ENTER to Confirm or ESC to Cancel: Figure 8-4 Menu 11.
Prestige 652 ADSL Security Router further information on these menus. To configure NAT, enter 15 from the main menu to bring up the following screen. Menu 15 — NAT Setup 1. 2. Address Mapping Sets NAT Server Sets Enter Menu Selection Number: Figure 8-5 Menu 15 — NAT Setup 8.3.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 — Address Mapping Sets. Menu 15.1 - Address Mapping Sets 1. 2. 3. 4. 5. 6. 7. 8. 255.
Prestige 652 ADSL Security Router Menu 15.1.255 - Address Mapping Rules Set Name= SUA Idx --1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Local Start IP --------------0.0.0.0 Local End IP --------------255.255.255.255 Global Start IP --------------0.0.0.0 0.0.0.0 Global End IP --------------- Type -----M-1 Server Press ENTER to Confirm or ESC to Cancel: Figure 8-7 Menu 15.1.255 — SUA Address Mapping Rules The following table explains the fields in this screen. Menu 15.1.255 is read-only.
Prestige 652 ADSL Security Router FIELD Type DESCRIPTION EXAMPLE These are the mapping types discussed above (see Table 8-2). Server allows us to specify multiple servers of different types behind NAT to this machine. See later for some examples. Server Once you have finished configuring a rule in this menu, press [ENTER] at the message “Press ENTER to Confirm…” to save your configuration, or press [ESC] to cancel. User-Defined Address Mapping Sets Now let’s look at option 1 in menu 15.1.
Prestige 652 ADSL Security Router ignored. If there are any empty rules before your new configured rule, your configured rule will be pushed up by that number of empty rules. For example, if you have already configured rules 1 to 6 in your current set and now you configure rule number 9. In the set summary screen, the new rule will be rule 7, not 9. Now if you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so as old rule 5 becomes rule 4, old rule 6 becomes rule 5 and old rule 7 becomes rule 6.
Prestige 652 ADSL Security Router Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= End = N/A Global IP: Start= End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. Figure 8-9 Menu 15.1.1.1 — Editing/Configuring an Individual Rule in a Set Table 8-6 Menu 15.1.1.1 — Editing/Configuring an Individual Rule in a Set FIELD DESCRIPTION EXAMPLE Type Press [SPACE BAR] and then [ENTER] to select from a total of five types.
Prestige 652 ADSL Security Router FIELD DESCRIPTION EXAMPLE Set Once you have finished configuring a rule in this menu, press [ENTER] at the message “Press ENTER to Confirm…” to save your configuration, or press [ESC] to cancel. 8.4 NAT Server Sets – Port Forwarding A NAT server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though NAT makes your whole inside network appear as a single machine to the outside world.
Prestige 652 ADSL Security Router SERVICES PORT NUMBER HTTP (Hyper Text Transfer protocol or WWW, Web) 80 POP3 (Post Office Protocol) 110 NNTP (Network News Transport Protocol) 119 SNMP (Simple Network Management Protocol) 161 SNMP trap 162 PPTP (Point-to-Point Tunneling Protocol) 1723 8.4.1 Configuring a Server behind NAT Follow these steps to configure a server behind NAT: Step 1. Enter 15 in the main menu to go to Menu 15 - NAT Setup. Step 2. Enter 2 to display Menu 15.
Prestige 652 ADSL Security Router Menu 15.2.1 - NAT Server Setup (Used for SUA Only) Rule Start Port No. End Port No. IP Address --------------------------------------------------1. Default Default 0.0.0.0 2. 0 0 0.0.0.0 3. 0 0 0.0.0.0 4. 0 0 0.0.0.0 5. 0 0 0.0.0.0 6. 0 0 0.0.0.0 7. 0 0 0.0.0.0 8. 0 0 0.0.0.0 9. 0 0 0.0.0.0 10. 0 0 0.0.0.0 11. 0 0 0.0.0.0 12. 0 0 0.0.0.0 Press ENTER to Confirm or ESC to Cancel: Figure 8-11 Menu 15.2.1 — NAT Server Setup Step 4.
Prestige 652 ADSL Security Router Figure 8-12 Multiple Servers Behind NAT Example 8-16 NAT
Prestige 652 ADSL Security Router 8.5 General NAT Examples 8.5.1 Example 1 Internet Access Only In the following Internet access example, you only need one rule where your ILAs (Inside Local addresses) all map to one dynamic IGA (Inside Global Address) assigned by your ISP.
Prestige 652 ADSL Security Router From menu 4, choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section 8.5. The SUA Only read-only option from the Network Address Translation field in menus 4 and 11.3 is specifically pre-configured to handle this case. 8.5.
Prestige 652 ADSL Security Router Menu 15.2.1 - NAT Server Setup (Used for SUA Only) Rule Start Port No. End Port No. IP Address --------------------------------------------------1. Default Default 192.168.1.10 2. 0 0 0.0.0.0 3. 0 0 0.0.0.0 4. 0 0 0.0.0.0 5. 0 0 0.0.0.0 6. 0 0 0.0.0.0 7. 0 0 0.0.0.0 8. 0 0 0.0.0.0 9. 0 0 0.0.0.0 10. 0 0 0.0.0.0 11. 0 0 0.0.0.0 12. 0 0 0.0.0.0 Press ENTER to Confirm or ESC to Cancel: Figure 8-16 Menu 15.2.1 — Specifying an Inside Server 8.5.
Prestige 652 ADSL Security Router Figure 8-17 NAT Example 3 Step 1. In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.3) in Figure 8-18. Step 2. Then enter 15 from the main menu. Step 3. Enter 1 to configure the Address Mapping Sets. Step 4. Enter 1 to begin configuring this new set.
Prestige 652 ADSL Security Router Menu 11.3 - Remote Node Network Layer Options IP Options: IP Address Assignment= Static Rem IP Addr: 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0 NAT= Full Feature Address Mapping Set= 2 Metric= 2 Private= No RIP Direction= Both Version= RIP-2B Multicast= IGMP-v2 IP Policies= Bridge Options: Ethernet Addr Timeout (min)= 0 Press ENTER to Confirm or ESC to Cancel: Figure 8-18 Example 3: Menu 11.3 The following figure shows how to configure the first rule.
Prestige 652 ADSL Security Router Menu 15.1.1 - Address Mapping Rules Set Name= Example3 Idx Local Start IP --- --------------1. 192.168.1.10 2 192.168.1.11 3. 0.0.0.0 4. 5. 6. 7. 8. 9. 10. Local End IP --------------255.255.255.255 Action= Edit Global Start IP --------------10.132.50.1 10.132.50.2 10.132.50.3 10.132.50.3 Global End IP --------------- Type -----1-1 1-1 M-1 Server Select Rule= Press ENTER to Confirm or ESC to Cancel: Figure 8-20 Example 3: Final Menu 15.1.
Prestige 652 ADSL Security Router Menu 15.2.1 - NAT Server Setup (Used for SUA Only) Rule Start Port No. End Port No. IP Address --------------------------------------------------1. Default Default 0.0.0.0 2. 80 80 192.168.1.21 3. 25 25 192.168.1.20 4. 0 0 0.0.0.0 5. 0 0 0.0.0.0 6. 0 0 0.0.0.0 7. 0 0 0.0.0.0 8. 0 0 0.0.0.0 9. 0 0 0.0.0.0 10. 0 0 0.0.0.0 11. 0 0 0.0.0.0 12. 0 0 0.0.0.0 Press ENTER to Confirm or ESC to Cancel: Example 3: Menu 15.2.1 8.5.
Prestige 652 ADSL Security Router Other applications such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream. These applications won’t work through NAT even when using One-to-One and Many-to-Many No Overload mapping types. Follow the steps outlined in example 3 to configure these two menus as follows. Menu 15.1.1.1 Address Mapping Rule Type= Many-to-Many No Overload Local IP: Start= 192.168.1.10 End = 192.168.1.12 Global IP: Start= 10.132.50.1 End = 10.
Prestige 652 ADSL Security Router Menu 15.1.1 - Address Mapping Rules Set Name= Example4 Idx --1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Local Start IP --------------192.168.1.10 Local End IP --------------192.168.1.12 Action= Edit Global Start IP --------------10.132.50.1 Global End IP --------------10.132.50.3 Type -----M:M NO OV Select Rule= Press ENTER to Confirm or ESC to Cancel: Figure 8-23 Example 4: Menu 15.1.
Firewall and Content Filters Part III: Firewall and Content Filters Part III introduces firewalls in general and the Prestige firewall. It also explains customized services and logs and gives example firewall rules and an overview of content filtering.
Prestige 652 ADSL Security Router Chapter 9 Firewalls This chapter gives some background information on firewalls and explains how to get started with the Prestige firewall. 9.1 What Is a Firewall? Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term “firewall” is a system or group of systems that enforces an accesscontrol policy between two networks.
Prestige 652 ADSL Security Router i. Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. ii. Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging.
Prestige 652 ADSL Security Router Figure 9-1 Prestige Firewall Application 9.4 Denial of Service Denials of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The Prestige is pre-configured to automatically detect and thwart all known DoS attacks. 9.4.
Prestige 652 ADSL Security Router Table 9-1 Common IP Ports 21 FTP 53 DNS 23 Telnet 80 HTTP 25 SMTP 110 POP3 9.4.2 Types of DoS Attacks There are four types of DoS attacks: 1. Those that exploit bugs in a TCP/IP implementation. 2. Those that exploit weaknesses in the TCP/IP specification. 3. Brute-force attacks that flood a network with useless data. 4. IP Spoofing. 1.
Prestige 652 ADSL Security Router Figure 9-2 Three-Way Handshake Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established. 2-a SYN Attack floods a targeted system with a series of SYN packets.
Prestige 652 ADSL Security Router 2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself. 3. A brute-force attack, such as a "Smurf" attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data.
Prestige 652 ADSL Security Router Table 9-3 Legal NetBIOS Commands MESSAGE: REQUEST: POSITIVE: NEGATIVE: RETARGET: KEEPALIVE: All SMTP commands are illegal except for those displayed in the following tables. Table 9-4 Legal SMTP Commands AUTH DATA EHLO ETRN EXPN HELO HELP MAIL QUIT RCPT RSET SAML SEND SOML TURN VRFY NOOP Traceroute Traceroute is a utility used to determine the path a packet takes between two endpoints.
Prestige 652 ADSL Security Router Denies all sessions originating from the WAN to the LAN. Figure 9-5 Stateful Inspection The previous figure shows the Prestige’s default firewall rules in action as well as demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed. However other Telnet traffic initiated from the WAN is blocked. 9.5.
Prestige 652 ADSL Security Router 4. Based on the obtained state information, a firewall rule creates a temporary access list entry that is inserted at the beginning of the WAN interface's inbound extended access list. This temporary access list entry is designed to permit inbound packets of the same connection as the outbound packet just inspected. 5. The outbound packet is forwarded out through the interface. 6. Later, an inbound packet reaches the interface.
Prestige 652 ADSL Security Router The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet. Use extreme caution when creating or deleting firewall rules. Test changes after creating them to make sure they work correctly. Below is a brief technical description of how these connections are tracked.
Prestige 652 ADSL Security Router little tracking information. For instance, ICMP redirect packets are never allowed in, since they could be used to reroute traffic through attacking machines. 9.5.5 Upper Layer Protocols Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections simultaneously.
Prestige 652 ADSL Security Router 9.6.1 Security In General You can never be too careful! Factors outside your firewall, filtering or NAT can cause security breaches. Below are some generalizations about what you can do to minimize them. 1. Encourage your company or organization to develop a comprehensive security plan. Good network administration takes into account what hackers can do and prepares against attacks. The best defense against hackers and crackers is information.
Prestige 652 ADSL Security Router 9.7.1 Packet Filtering: The router filters packets as they pass through the router’s interface according to the filter rules you designed. Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service. Packet filtering only checks the header portion of an IP packet. When To Use Filtering 1. To block/allow LAN packets by their MAC addresses. 2.
Prestige 652 ADSL Security Router 3. To selectively block/allow inbound or outbound traffic between inside host/networks and outside host/networks. Remember that filters can not distinguish traffic originating from an inside host or an outside host by IP address. 4. The firewall performs better than filtering if you need to check many rules. 5. Use the firewall if you need routine e-mail reports about your system or need to be alerted when attacks occur. 6.
Prestige 652 ADSL Security Router Chapter 10 Introducing the Prestige Firewall This chapter shows you how to get started with the Prestige firewall. 10.1 Remote Management and the Firewall When SMT menu 24.11 is configured to allow management (see the Remote Management chapter) and the firewall is enabled: • The firewall blocks remote management from the WAN unless you configure a firewall rule to allow it. • The firewall allows remote management from the LAN. 10.
Prestige 652 ADSL Security Router 10.3.1 Activating the Firewall Enter option 2 in this menu to bring up the following screen. Press [SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks. Additional rules may be configured using the web configurator. Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DOS) attacks when it is active. The default Policy sets 1.
Prestige 652 ADSL Security Router An “End of Log” message displays for each mail in which a complete log has been sent. The following is an example of a log sent by e-mail. Table 10-1 View Firewall Log FIELD DESCRIPTION EXAMPLES # This is the index number of the firewall log. 128 entries are available numbered from 0 to 127. Once they are all used, the log wraps around and the old logs are lost. 23 Time This is the time the log was recorded in this format. You must configure menu 24.
Prestige 652 ADSL Security Router Chapter 11 Using the Prestige Web Configurator This chapter shows you how to configure your firewall with the web configurator. 11.1 Web Configurator Login and Main Menu Screens Use the Prestige web configurator, to configure your firewall. To get started, follow the steps shown next. Step 1. Launch your web browser and enter 192.168.1.1 as the URL. Step 2. Enter “admin” as the user name and "1234" (default) as the password and click Login. Step 3.
Prestige 652 ADSL Security Router 11.2 Enabling the Firewall Click Advanced Setup, Firewall, and then Config to display the following screen. Click the Firewall Enabled check box to enable (or activate) the firewall. Figure 11-1 Enabling the Firewall 11.3 E-mail The E-mail screen allows you to specify your mail server, where e-mail alerts should be sent as well as when and how often they should be sent. 11.3.
Prestige 652 ADSL Security Router you. Enter the complete e-mail address to which alert messages will be sent in the E-mail Alerts To field and schedule times for sending alerts in the Log Timer fields in the E-mail screen (following screen). 11.3.2 Logs A log is a detailed record that you create for packets that either match a rule, don’t match a rule or both when you are creating/editing a firewall rule (see Figure 12-4). You can also choose not to create a log for a rule in this screen.
Prestige 652 ADSL Security Router The following table describes the fields in this screen. Table 11-1 E-mail FIELD DESCRIPTION OPTIONS Address Info Mail Server Mail Subject Enter the IP address of your mail server in dotted decimal notation. Your Internet Service Provider (ISP) should be able to provide this information. If this field is left blank, log and alert messages will not be sent via e-mail. Enter a subject that you want to appear in the subject field of your e-mail here (see Figure 11-3).
Prestige 652 ADSL Security Router 11.3.3 SMTP Error Messages If there are difficulties in sending e-mail the following error messages appear. Please see the Support Notes on the included disk for information on other types of error messages. E-mail error messages appear in SMT menu 24.3.1 as "SMTP action request failed. ret= ??". The “??"are described in the following table.
Prestige 652 ADSL Security Router Subject: Firewall Alert From Prestige Date: Fri, 07 Apr 2000 10:05:42 From: user@zyxel.com To: user@zyxel.com The date format here is Day-Month-Year. 1|Apr 7 00 |From:192.168.1.1 To:192.168.1.255 |default policy |forward | 09:54:03 |UDP src port:00520 dest port:00520 |<1,00> | 2|Apr 7 00 |From:192.168.1.131 To:192.168.1.255 |default policy |forward | 09:54:17 |UDP src port:00520 dest port:00520 |<1,00> | 3|Apr 7 00 |From:192.168.1.6 To:10.10.10.
Prestige 652 ADSL Security Router 2. The minimum capacity of server backlog in your LAN network. 3. The CPU power of servers in your LAN network. 4. Network bandwidth. 5. Type of traffic for certain servers. If your network is slower than average for any of these factors (especially if you have servers that are slow or handle many tasks and are often busy), then the default values should be reduced. You should make any changes to the threshold values before you continue configuring firewall rules.
Prestige 652 ADSL Security Router 2. If the Blocking Time timeout is greater than 0, then the Prestige blocks all new connection requests to the host giving the server time to handle the present connections. The Prestige continues to block all new connection requests until the Blocking Time expires. The Prestige also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections.
Prestige 652 ADSL Security Router The following table describes the fields in this screen. Table 11-3 Attack Alert FIELD Generate alert when attack detected DESCRIPTION DEFAULT VALUES A detected attack automatically generates a log entry. Check this box to generate an alert (as well as a log) whenever an attack is detected. See the Logs Chapter for more information on logs and alerts.
Prestige 652 ADSL Security Router Table 11-3 Attack Alert FIELD DESCRIPTION DEFAULT VALUES deletes half-open sessions as required to accommodate new connection requests. Do not set Maximum Incomplete High to lower than the current Maximum Incomplete Low number. half-open sessions rises above 100, and to stop deleting halfopen sessions with the number of existing half-open sessions drops below 80.
Prestige 652 ADSL Security Router Chapter 12 Creating Custom Rules This chapter contains instructions for defining both Local Network and Internet rules. 12.1 Rules Overview Firewall rules are subdivided into “Local Network” and “Internet”. By default, the Prestige’s stateful packet inspection allows all communications to the Internet that originate from the local network, and blocks all traffic to the LAN that originates from the Internet.
Prestige 652 ADSL Security Router 3. What is the direction connection: from the LAN to the Internet, or from the Internet to the LAN? 4. What IP services will be affected? 5. What computers on the LAN are to be affected (if any)? 6. What computers on the Internet will be affected? The more specific, the better. For example, if traffic is being allowed from the Internet to the LAN, it is better to allow only certain machines on the Internet to access the LAN. 12.2.
Prestige 652 ADSL Security Router Source Address What is the connection’s source address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet? Destination Address What is the connection’s destination address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet? 12.3 Connection Direction This section talks about configuring firewall rules for connections going from LAN to WAN and WAN to LAN in your firewall. 12.3.
Prestige 652 ADSL Security Router 12.3.2 WAN to LAN Rules The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it. See the following figure. Figure 12-2 WAN to LAN Traffic 12.4 Rule Summary The fields in the Rule Summary screens are the same for Local Network and Internet, so the discussion below refers to both.
Prestige 652 ADSL Security Router Figure 12-3 Firewall Rules Summary — First Screen The following table describes the fields in this screen. Table 12-1 Firewall Rules Summary — First Screen FIELD DESCRIPTION OPTIONS The default action for packets not matching following rules Should packets that do not match the following rules be blocked or forwarded? Make your choice from the drop down list box. Note that “block” means the firewall silently discards the packet.
Prestige 652 ADSL Security Router Table 12-1 Firewall Rules Summary — First Screen FIELD DESCRIPTION OPTIONS default set. The following fields summarize the rules you have created. Note that these fields are read only. Click the tab at the top of the box to order the rules according to that tab. No. This is your firewall rule number. The ordering of your rules is important as rules are applied in turn. The Move field below allows you to reorder your rules. Click a rule’s number to edit the rule.
Prestige 652 ADSL Security Router Table 12-2 Predefined Services SERVICE DESCRIPTION AIM(TCP:5190) AOL’s Internet Messenger service, used as a listening port by ICQ. BGP(TCP:179) Border Gateway Protocol. BOOTP_CLIENT(UDP:68) DHCP Client. BOOTP_SERVER(UDP:67) DHCP Server. CU-SEEME(TCP/UDP:7648, 24032) A popular videoconferencing solution from White Pines Software. DNS(UDP/TCP:53) Domain Name Server, a service that matches web names (e.g. www.zyxel.com) to IP numbers.
Prestige 652 ADSL Security Router Table 12-2 Predefined Services SERVICE DESCRIPTION NNTP(TCP:119) Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service. PING(ICMP:0) Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable. POP3(TCP:110) Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other).
Prestige 652 ADSL Security Router Table 12-2 Predefined Services SERVICE DESCRIPTION TACACS(UDP:49) Login Host Protocol used for (Terminal Access Controller Access Control System). TELNET(TCP:23) Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.
Prestige 652 ADSL Security Router Figure 12-4 Creating/Editing A Firewall Rule Table 12-3 Creating/Editing A Firewall Rule FIELD Source Address 12-10 DESCRIPTION OPTIONS Click SrcAdd to add a new address, SrcEdit to edit SrcAdd Creating Custom Rules
Prestige 652 ADSL Security Router Table 12-3 Creating/Editing A Firewall Rule FIELD Destination Address Services Available/Selected Services DESCRIPTION OPTIONS an existing one or SrcDelete to delete one. Please see the next section for more information on adding and editing source addresses. SrcEdit Click DestAdd to add a new address, DestEdit to edit an existing one or DestDelete to delete one. Please see the following section on adding and editing destination addresses.
Prestige 652 ADSL Security Router Figure 12-5 Adding/Editing Source and Destination Addresses Table 12-4 Adding/Editing Source and Destination Addresses FIELD Address Type DESCRIPTION OPTIONS Do you want your rule to apply to packets with a particular (single) IP address, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.
Prestige 652 ADSL Security Router 12.6 Timeout The fields in the Timeout screens are the same for Local and Internet networks, so the discussion below refers to both. 12.6.1 Factors Influencing Choices for Timeout Values The factors influencing choices for timeout values are the same as the factors influencing choices for threshold values – see section 11.4.1. Click Timeout for either Local Network or Internet.
Prestige 652 ADSL Security Router Table 12-5 Timeout Menu FIELD DESCRIPTION DEFAULT VALUE TCP Timeout Values Connection Timeout This is the length of time the Prestige waits for a TCP session to reach the established state before dropping the session. 30 seconds FIN-Wait Timeout This is the length of time a TCP session remains open after the firewall detects a FIN-exchange (indicating the end of the TCP session).
Prestige 652 ADSL Security Router Chapter 13 Customized Services This chapter covers creating, viewing and editing custom services. 13.1 Introduction Configure customized services and port numbers not predefined by the Prestige (see Figure 12-4). For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) website. For further information on these services, please read section 12.5.
Prestige 652 ADSL Security Router Table 13-1 Customized Services FIELD DESCRIPTION Customized Services No. Name Protocol Port This is the number of your customized port. Click a rule’s number to edit the rule. This is the name of your customized port. This shows the IP protocol (TCP, UDP or Both) that defines your customized port. This is the port number or range that defines your customized port. Use the Help icon for field descriptions.
Prestige 652 ADSL Security Router 13.2 Creating/Editing A Customized Service Click a rule number in the previous screen to create a new custom port or edit an existing one. This action displays the following screen. Figure 13-2 Creating/Editing A Customized Service The next table describes the fields in this screen. Table 13-2 Creating/Editing A Custom Port FIELD DESCRIPTION Service Name Enter a unique name for your custom port.
Prestige 652 ADSL Security Router Table 13-2 Creating/Editing A Custom Port FIELD DESCRIPTION OPTIONS Click Single to specify one port only or Range to specify a span of ports that define your customized service. Single Port Configuration Type Port Number Range Enter a single port number or the range of port numbers that define your customized service. Click Back to return to the previous screen.
Prestige 652 ADSL Security Router Figure 13-3 Configure Source IP Customized Services 13-5
Prestige 652 ADSL Security Router Step 5. Click Edit Available Service in the edit rule screen and then click a rule number to bring up the Firewall Customized Services Config screen. Configure as follows. Figure 13-4 Customized Service for Syslog Customized services show up with an “*” before their names in the Services list box and the Rule Summary list box. Click Apply after you’ve created your customized service.
Prestige 652 ADSL Security Router Step 5. Follow the procedures outlined earlier in this chapter to configure all your rules. Configure the rule configuration screen like the one below and apply it. This is the address range of the syslog servers. This is your Syslog custom port. Click Apply when finished.
Prestige 652 ADSL Security Router Step 6. On completing the configuration procedure for these Internet firewall rules, the Rule Summary screen should look like the following. Don’t forget to click Apply when you have finished configuring your rule(s) to save your settings back to the Prestige. This rule allows a syslog connection from the WAN. Click Apply to save your settings back to the Prestige.
Prestige 652 ADSL Security Router Chapter 14 Logs This chapter contains information about using the log screen to view the results of the rules you have configured. 14.1 Log Screen When you configure a new rule you also have the option to log events that match, don’t match (or both) this rule (see Figure 12-4). Click Logs to bring up the next screen. Firewall logs may also be viewed in SMT Menu 21.3 (see section 10.3) or via syslog (SMT Menu 24.3.2 - System Maintenance - UNIX Syslog).
Prestige 652 ADSL Security Router Table 14-1 Log Screen FIELD DESCRIPTION EXAMPLES No. This is the index number of the firewall log. 128 entries are available numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost. Time This is the time the log was recorded in this format. You must configure menu 24.10 for realtime; otherwise the time shown in these examples is displayed. dd:mm:yy e.g., Jan 1 0 hh:mm:ss e.g.
Prestige 652 ADSL Security Router Chapter 15 Content Filtering This chapter provides a brief overview of content filtering using the web embedded configurator. Internet content filtering allows schools and businesses to create and enforce Internet access policies tailored to their needs. Content filtering is the ability to block certain web features or specific URLs and should not be confused with packet filtering via SMT menu 21.1.
Advanced Management Part IV: ADVANCED MANAGEMENT This part discusses Filtering, SNMP, System Information and Diagnosis, Firmware and Configuration File Maintenance, System Maintenance and Information, Remote Management and IP Policy Routing.
Prestige 652 ADSL Security Router Chapter 16 Filter Configuration This chapter shows you how to create and apply filters. 16.1 About Filtering Your Prestige uses filters to decide whether or not to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later. Data filtering screens data to determine if the packet should be allowed to pass.
Prestige 652 ADSL Security Router Two sets of factory filter rules have been configured in menu 21 to prevent NetBIOS traffic from triggering calls. A summary of their filter rules is shown in the figures that follow. The following figure illustrates the logic flow when executing a filter rule.
Prestige 652 ADSL Security Router You can apply up to four filter sets to a particular port to block various types of packets. Because each filter set can have up to six rules, you can have a maximum of 24 rules active for a single port. For incoming packets, your Prestige applies data filters only. Packets are processed depending on whether a match is found. The following sections describe how to configure filter sets. The Filter Structure of the Prestige A filter set consists of one or more filter rules.
Prestige 652 ADSL Security Router Menu 21.1 - Filter Set Configuration Filter Set # -----1 2 3 4 5 6 Comments ----------------_______________ NetBIOS_WAN NetBIOS_LAN PPPoE TEL_FTP_WEB_SNM _______________ Filter Set # -----7 8 9 10 11 12 Comments ----------------_______________ _______________ _______________ _______________ _______________ _______________ Enter Filter Set Number to Configure= 0 Edit Comments= N/A Press ENTER to Confirm or ESC to Cancel: Figure 16-5 Menu 21.
Prestige 652 ADSL Security Router Menu 21.1.2 - Filter Rules Summary # A Type Filter Rules M m n - - ---- -------------------------------------------- --------- - - 1 2 3 4 5 6 Y Y Y Y Y Y IP IP IP IP IP IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=137 Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=138 Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=139 Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=137 Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=138 Pr=17, SA=0.0.0.0, DA=0.0.0.
Prestige 652 ADSL Security Router Menu 21.1.4 - Filter Rules Summary # 1 2 3 4 5 6 A Y Y N N N N Type Filter Rules M m ---- --------------------------------------------------------------- - Gen Off=12, Len=2, Mask=ffff, Value=8863 N F Gen Off=12, Len=2, Mask=ffff, Value=8864 N F n N D Enter Filter Rule Number (1-6) to Configure: Figure 16-8 PPPoE Filter Rules Summary Menu 21.1.
Prestige 652 ADSL Security Router Table 16-1 Filter Rules Summary Menu Abbreviations FIELD DESCRIPTION # The filter rule number: 1 to 6. A Active: “Y” means the rule is active. “N” means the rule is inactive. Type The type of filter rule: “GEN” for Generic, “IP” for TCP/IP. Filter Rules These parameters are displayed here. M More. “Y” means there are more rules to check which form a rule chain with the present rule. An action cannot be taken until the rule chain is complete.
Prestige 652 ADSL Security Router 16.3 Configuring a Filter Rule To configure a filter rule, type its number in Menu 21.1.1 – Filter Rules Summary and press [ENTER] to open menu 21.1.1.1 for the rule. There are two types of filter rules: TCP/IP and Generic. Depending on the type of rule, the parameters for each type will be different. Use [SPACE BAR] to select the type of rule that you want to create in the Filter Type field and press [ENTER] to open the respective menu.
Prestige 652 ADSL Security Router Table 16-3 TCP/IP Filter Rule Menu Fields FIELD DESCRIPTION EXAMPLE Filter # This is the filter set, filter rule coordinates, for instance, 2, 3 refers to the second filter set and the third filter rule of that set. 7,1 Filter Type Use [SPACE BAR] and then [ENTER] to choose a rule. Parameters displayed for each type will be different. Choices are TCP/IP Filter Rule or Generic Filter Rule.
Prestige 652 ADSL Security Router FIELD DESCRIPTION If Yes, a matching packet is passed to the next filter rule before an action is taken or else the packet is disposed of according to the action fields. More EXAMPLE No (default) If More is Yes, then Action Matched and Action Not Matched will be N/A. Log Select the logging option from the following: None – No packets will be logged. None Action Matched – Only packets that match the rule parameters will be logged.
Prestige 652 ADSL Security Router Packet into IP Filter Filter Active? No Yes Apply SrcAddrMask to Src Addr Check Src IP Addr Not Matched Matched Apply DestAddrMask to Dest Addr Check Dest IP Addr Not Matched Matched Check IP Protocol Not Matched Matched Check Src & Dest Port Not Matched Matched More? Yes No Action Matched Drop Drop Packet Action Not Matched Check Next Rule Check Next Rule Drop Forward Forward Check Next Rule Accept Packet Figure 16-11 Executing an IP Filter Filter Confi
Prestige 652 ADSL Security Router 16.3.2 Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the Prestige treats a packet as a byte stream as opposed to an IP packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes.
Prestige 652 ADSL Security Router Table 16-4 Generic Filter Rule Menu Fields FIELD DESCRIPTION EXAMPLE Filter # This is the filter set, filter rule coordinates, for instance, 2, 3 refers to the second filter set and the third rule of that set. 8,1 Filter Type Press [SPACE BAR] and then [ENTER] to select a type of rule. Parameters displayed below each type will be different. Choices are Generic Filter Rule or TCP/IP Filter Rule. Active Select Yes to turn on or No to turn off the filter rule.
Prestige 652 ADSL Security Router 16.4 Filter Types and NAT There are two classes of filter rules, Generic Filter Device rules and Protocol Filter (TCP/IP) rules. Generic Filter rules act on the raw data from/to LAN and WAN. Protocol Filter rules act on IP packets. When NAT (Network Address Translation) is enabled, the inside IP address and port number are replaced on a connection-by-connection basis, which makes it impossible to know the exact address and port on the wire.
Prestige 652 ADSL Security Router Figure 16-14 Sample Telnet Filter Step 1. Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup. Step 2. Enter 1 to open Menu 21.1 - Filter Set Configuration. Step 3. Enter the index of the filter set you wish to configure (say 4) and press [ENTER]. Step 4. Enter a descriptive name or comment in the Edit Comments field and press [ENTER]. Step 5. Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.9 - Filter Rules Summary.
Prestige 652 ADSL Security Router Menu 21.1.9.1 - TCP/IP Filter Rule Filter #: 9,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 23 Port # Comp= Equal Source: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= Port # Comp= None TCP Estab= No More= No Log= None Action Matched= Drop Action Not Matched= Forward Press ENTER to Confirm or ESC to Cancel: There are no more rules to check.
Prestige 652 ADSL Security Router Menu 21.1.9 - Filter Rules Summary # 1 2 3 4 5 6 A Type Filter Rules M m n - ---- --------------------------------------------------------------- - - Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 N D F N N N N N Enter Filter Rule Number (1-6) to Configure: 1 This shows you that you have configured and activated (A = Y) a TCP/IP filter rule (Type = IP, Pr = 6) for destination telnet ports (DP = 23). M = N means an action can be taken immediately.
Prestige 652 ADSL Security Router Table 16-5 Filter Sets Table FILTER SETS DESCRIPTION Input Filter Sets: Apply filters for incoming traffic. You may apply protocol or device filter rules. See earlier in this chapter for information on filters. Output Filter Sets: Apply filters for traffic leaving the Prestige. You may apply filter rules for protocol or device filters. See earlier in this section for information on types of filters.
Prestige 652 ADSL Security Router Apply filter 3 to block Tel, FTP and Web traffic from the WAN Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= 3 device filters= Output Filter Sets: protocol filters= 1 device filters= Enter here to CONFIRM or ESC to CANCEL: Apply filter 1 to block NETBIOS traffic to the WAN Figure 16-18 Filtering Remote Node Traffic Menu 11.
Prestige 652 ADSL Security Router Chapter 17 SNMP Configuration This chapter explains SNMP Configuration menu 22. SNMP is only available if TCP/IP is configured. 17.1 About SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Prestige supports SNMP agent functionality, which allows a manager station to manage and monitor the Prestige through the network.
Prestige 652 ADSL Security Router An SNMP managed network consists of two main components: agents and a manager. An agent is a management software module that resides in a managed device (the Prestige). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.
Prestige 652 ADSL Security Router Menu 22 - SNMP Configuration SNMP: Get Community= public Set Community= public Trusted Hgst= 0.0.0.0 Trap: Community= public Destination= 0.0.0.0 Press ENTER to Confirm or ESC to Cancel: Figure 17-2 Menu 22 — SNMP Configuration The following table describes the SNMP configuration parameters.
Prestige 652 ADSL Security Router 17.4 SNMP Traps The Prestige will send traps to the SNMP manager when any one of the following events occurs: Table 17-2 SNMP Traps TRAP # TRAP NAME DESCRIPTION 1 coldStart (defined in RFC-1215) A trap is sent after booting (power on). 2 warmStart (defined in RFC-1215) A trap is sent after booting (software reboot). 3 linkUp (defined in RFC-1215) A trap is sent with the port number.
Prestige 652 ADSL Security Router Chapter 18 System Information and Diagnosis This chapter covers the information and diagnostic tools in SMT menus 24.1 to 24.4. These tools include updates on system status, port status, log and trace capabilities and upgrades for the system software. This chapter describes how to use these tools in detail. Type 24 in the main menu to open Menu 24 – System Maintenance, as shown in the following figure. Menu 24 - System Maintenance 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11.
Prestige 652 ADSL Security Router Menu 24.1 - System Maintenance – Status hh:mm:ss Sat. Jan. 01, 2000 Node-Lnk 1-ENET 2 3 4 5 6 7 8 Status Up N/A N/A N/A N/A N/A N/A N/A TxPkts 211 0 0 0 0 0 0 0 RxPkts 0 0 0 0 0 0 0 0 Errors 0 0 0 0 0 0 0 0 Tx B/s 0 0 0 0 0 0 0 0 Rx B/s 0 0 0 0 0 0 0 0 Up Time 0:26:20 0:00:00 0:00:00 0:00:00 0:00:00 0:00:00 0:00:00 0:00:00 My WAN IP (from ISP) : Ethernet: Status: 10M/Half Duplex Collisions: 0 CPU Load= 3.
Prestige 652 ADSL Security Router FIELD DESCRIPTION Status Shows the current status of the LAN. Tx Pkts The number of transmitted packets to the LAN. Rx Pkts The number of received packets from the LAN. Collision Number of collisions. WAN Shows statistics for the WAN. Line Status Shows the current status of the xDSL line, which can be Up or Down. Upstream Speed Shows the transfer rate of traffic going out from the Prestige to the WAN.
Prestige 652 ADSL Security Router Menu 24.2.1 – System Maintenance – Information Name: Routing: IP ZyNOS F/W Version: V3.40(FN.0)b13 | 4/22/2002 ADSL Chipset Vendor: Alcatel, Version 3.8.163 Standard: Multi-Mode LAN Ethernet Address: 00:a0:c5:01:23:45 IP Address: 192.168.1.1 IP Mask: 255.255.255.0 DHCP: Server Press ESC or RETURN to Exit: Figure 18-4 Menu 24.2.1 — System Maintenance — Information Table 18-2 Fields in System Maintenance FIELD DESCRIPTION Name Displays the system name of your Prestige.
Prestige 652 ADSL Security Router 18.2.2 Console Port Speed You can set up different port speeds for the console port through Menu 24.2.2 – System Maintenance – Console Port Speed. Your Prestige supports 9600 (default), 19200, 38400, 57600 and 115200bps. Use [SPACE BAR] and then [ENTER] to select the desired speed in menu 24.2.2, as shown in the following figure. Menu 24.2.
Prestige 652 ADSL Security Router After the Prestige finishes displaying the error log, you will have the option to clear it. Samples of typical error and information messages are presented in the next figure.
Prestige 652 ADSL Security Router Table 18-3 System Maintenance Menu — Syslog Parameters PARAMETER DESCRIPTION UNIX Syslog: Active Syslog IP Address Log Facility Use [SPACE BAR] and then [ENTER] to turn syslog on or off. Type the IP address of your syslog server. Use [SPACE BAR] and then [ENTER] to select one of seven different local options. The log facility lets you log the message in different server files. Refer to your UNIX manual.
Prestige 652 ADSL Security Router Jul 19 11:28:56 192.168.102.2 ZYXEL: Packet Trigger: Protocol=1, Data=4500002c1b0140001f06b50ec0a86614ca849a7b0427001700195b3e00000000600220008cd40000020405b4 Jul 19 11:29:06 192.168.102.2 ZYXEL: Packet Trigger: Protocol=1, Data=45000028240140001f06ac12c0a86614ca849a7b0427001700195b451d1430135004000077600000 3 - Filter Log SdcmdSyslogSend (SYSLOG_FILLOG, SYSLOG_NOTICE, String); String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.
Prestige 652 ADSL Security Router The following table describes the diagnostic tests available in menu 24.4 for and the connections. Table 18-4 System Maintenance Menu — Diagnostic FIELD DESCRIPTION Reset xDSL Re-initialize the xDSL link to the telephone company. Ping Host Ping the host to see if the links and TCP/IP protocol on both systems are working. Reboot System Reboot the Prestige. Command Mode Type the mode to test and diagnose your Prestige using specified commands.
Prestige 652 ADSL Security Router Chapter 19 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 19.1 Filename Conventions The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc. It arrives from ZyXEL with a “rom” filename extension.
Prestige 652 ADSL Security Router Table 19-1 Filename Conventions FILE TYPE INTERNAL NAME EXTERNAL NAME DESCRIPTION Configuration File Rom-0 This is the configuration filename on the Prestige. Uploading the rom-0 file replaces the entire ROM file system, including your Prestige configurations, system-related data (including the default password), the error log and the trace log. *.rom Firmware Ras This is the generic name for the ZyNOS firmware on the Prestige. *.bin 19.
Prestige 652 ADSL Security Router 19.2.1 Backup Configuration Follow the instructions as shown in the next screen. Menu 24.5 - System Maintenance - Backup Configuration To transfer the configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested. 3. Locate the 'rom-0' file. 4. Type 'get rom-0' to back up the current router configuration to your workstation.
Prestige 652 ADSL Security Router 331 Enter PASS command Password: 230 Logged in ftp> bin 200 Type I OK ftp> get rom-0 zyxel.rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec. ftp> quit Figure 19-2 FTP Session Example 19.2.4 GUI-based FTP Clients The following table describes some of the commands that you may see in GUI-based FTP clients.
Prestige 652 ADSL Security Router 3. The IP address in the Secured Client IP field (menu 24.11) does not match the client IP address. If it does not match, the Prestige will disconnect the session immediately. 4. There is an SMT console session running. 5. There is already another remote management session of the same type (web, FTP or Telnet) running. You may only have one remote management session of the same type running at one time. 6.
Prestige 652 ADSL Security Router where “i” specifies binary image transfer mode (use this mode when transferring binary files), “host” is the Prestige IP address, “get” transfers the file source on the Prestige (rom-0, name of the configuration file on the Prestige) to the file destination on the computer and renames it config.rom. 19.2.8 GUI-based TFTP Clients The following table describes some of the fields that you may see in GUI-based TFTP clients.
Prestige 652 ADSL Security Router Step 2. The following screen indicates that the Xmodem download has started. You can enter ctrl-x to terminate operation any time. Starting XMODEM download... Figure 19-4 System Maintenance — Starting Xmodem Download Screen Step 3. Run the HyperTerminal program by clicking Transfer, then Receive File as shown in the following screen. Type a location for storing the configuration file or click Browse to look for one. Choose the Xmodem protocol. Then click Receive.
Prestige 652 ADSL Security Router WARNING! DO NOT INTERUPT THE FILE TRANSFER PROCESS AS THIS MAY PERMANENTLY DAMAGE YOUR PRESTIGE. WHEN THE RESTORE CONFIGURATION PROCESS IS COMPLETE, THE PRESTIGE WILL AUTOMATICALLY RESTART. 19.3.1 Restore Using FTP For details about backup using (T)FTP please refer to earlier sections on FTP and TFTP file upload in this chapter. Menu 24.
Prestige 652 ADSL Security Router Step 7. Use “put” to transfer files from the Prestige to the computer, for example, “put config.rom rom0” transfers the configuration file “config.rom” on your computer to the Prestige. See earlier in this chapter for more information on filename conventions. Step 8. Enter “quit” to exit the ftp prompt. The Prestige will automatically restart after a successful restore process. 19.3.2 Restore Using FTP Session Example ftp> put config.
Prestige 652 ADSL Security Router Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. Figure 19-11 Restore Configuration Example Step 4. After a successful restoration you will see the following screen. Press any key to restart the Prestige and return to the SMT menu. Save to ROM Hit any key to start system reboot. Figure 19-12 Successful Restoration Confirmation Screen 19.
Prestige 652 ADSL Security Router Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your system. Then type "root" and SMT password as requested. 3. Type "put firmwarefilename ras" where "firmwarefilename" is the name of your firmware upgrade file on your workstation and "ras" is the remote file name on the system. 4.
Prestige 652 ADSL Security Router To upload the firmware and the configuration file, follow these examples 19.4.3 FTP File Upload Command from the DOS Prompt Example Step 1. Launch the FTP client on your computer. Step 2. Enter “open”, followed by a space and the IP address of your Prestige. Step 3. Press [ENTER] when prompted for a username. Step 4. Enter your password as requested (the default is “1234”). Step 5. Enter “bin” to set transfer mode to binary. Step 6.
Prestige 652 ADSL Security Router To use TFTP, your computer must have both telnet and TFTP clients. To transfer the firmware and the configuration file, follow the procedure shown next. Step 1. Use telnet from your computer to connect to the Prestige and log in. Because TFTP does not have any security checks, the Prestige records the IP address of the telnet client and accepts TFTP requests only from this address. Step 2.
Prestige 652 ADSL Security Router 19.4.8 Uploading Firmware File Via Console Port Step 1. Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.1 - System Maintenance - Upload System Firmware, then follow the instructions as shown in the following screen. Menu 24.7.1 - System Maintenance - Upload System Firmware To 1. 2. 3. upload system firmware: Enter "y" at the prompt below to go into debug mode. Enter "atur" after "Enter Debug Mode" message.
Prestige 652 ADSL Security Router 19.4.10 Step 1. Uploading Configuration File Via Console Port Select 2 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.2 - System Maintenance - Upload System Configuration File. Follow the instructions as shown in the next screen. Menu 24.7.2 - System Maintenance - Upload System Configuration File To 1. 2. 3. upload system configuration file: Enter "y" at the prompt below to go into debug mode. Enter "atlc" after "Enter Debug Mode" message.
Prestige 652 ADSL Security Router Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. Figure 19-19 Example Xmodem Upload After the configuration upload process has completed, restart the Prestige by entering “atgo”.
Prestige 652 ADSL Security Router Chapter 20 System Maintenance and Information This chapter leads you through SMT menus 24.8 to 24.10. 20.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main system firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions. Enter the CI from the SMT by selecting menu 24.8.
Prestige 652 ADSL Security Router Copyright (c) 1994 - 2002 ZyXEL Communications Corp. ras> ? Valid commands are: sys exit device ether wan poe config ip ipsec ppp bridge hdap ras> Figure 20-2 Valid Commands 20.2 Call Control Support The Prestige provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1.
Prestige 652 ADSL Security Router Menu 24.9.1 - Budget Management Remote Node Connection Time/Total Budget Elapsed Time/Total Period No Budget --------------- No Budget --------------- 1.ChangeMe 2.-------3.-------4.-------5.-------6.-------7.-------8.-------- Reset Node (0 to update screen): Figure 20-4 Budget Management The total budget is the time limit on the accumulated time for outgoing calls to a remote node.
Prestige 652 ADSL Security Router 20.3 Time and Date Setting The Prestige keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server when you turn on your Prestige. Menu 24.10 allows you to update the time and date settings of your Prestige. The real time is then displayed in the Prestige error logs and firewall logs. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown next.
Prestige 652 ADSL Security Router Table 20-2 Time and Date Setting Fields FIELD DESCRIPTION Use Time Server when Bootup Enter the time service protocol that your time server sends when you turn on the Prestige. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main differences between them are the format. Daytime (RFC 867) format is day/month/year/time zone of the server.
Prestige 652 ADSL Security Router Chapter 21 Remote Management This chapter covers remote management found in SMT menu 24.11. 21.1 About Telnet Configuration Before the Prestige is properly setup for TCP/IP, the only option for configuring it is through the console port. Once your Prestige is configured, you can use Telnet to configure it remotely as shown below. Figure 21-1 Telnet Configuration on a TCP/IP Network 21.
Prestige 652 ADSL Security Router 21.4 FTP You can upload and download the Prestige’s firmware and configuration files using FTP, please see the Firmware and Configuration File Maintenance chapter for details. To use this feature, your computer must have an FTP client. 21.5 Web You can use the Prestige’s embedded web configurator for configuration and file management. See the Using the Prestige Web Configurator chapter for an introduction to the web configurator. 21.
Prestige 652 ADSL Security Router Menu 24.11 - Remote Management Control TELNET Server: Server Port = 23 Secured Client IP = 0.0.0.0 Server Access = LAN only FTP Server: Server Port = 21 Secured Client IP = 0.0.0.0 Server Access = LAN only Web Server: Server Port = 80 Secured Client IP = 0.0.0.0 Server Access = LAN only Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. Figure 21-2 Menu 24.11 – Remote Management Control Table 21-1 Menu 24.
Prestige 652 ADSL Security Router 1. A filter in menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service. 2. You have disabled that service in menu 24.11. 3. The IP address in the Secured Client IP field (menu 24.11) does not match the client IP address. If it does not match, the Prestige will disconnect the session immediately. 4. There is an SMT console session running. 5.
Prestige 652 ADSL Security Router Chapter 22 IP Policy Routing This chapter covers setting and applying policies used for IP routing. 22.1 Introduction Traditionally, routing is based on the destination address only and the Prestige takes the shortest path to forward a packet. IP Routing Policy (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
Prestige 652 ADSL Security Router IPPR follows the existing packet filtering facility of RAS in style and in implementation. The policies are divided into sets, where related policies are grouped together. A user defines the policies before applying them to an interface or a remote node, in the same fashion as the filters. There are 12 policy sets with six policies in each set. 22.4 IP Routing Policy Setup Menu 25 lists all the policies that are defined.
Prestige 652 ADSL Security Router Menu 25.1 - IP Routing Policy Setup # A Criteria/Action - - -------------------------------------------------------------------------1 Y SA=1.1.1.1-1.1.1.1,DA=2.2.2.2-2.2.2.5 SP=20-25,DP=20-25,P=6,T=NM,PR=0 |GW=192.168.1.
Prestige 652 ADSL Security Router Type a number from 1 to 6 to display Menu 25.1.1 – IP Routing Policy (see the next figure). This menu allows you to configure a policy rule. Menu 25.1.1 - IP Routing Policy Policy Set Name= test Active= Yes Criteria: IP Protocol = 6 Type of Service= Normal Precedence = 0 Source: addr start= 1.1.1.1 port start= 20 Destination: addr start= 2.2.2.2 port start= 20 Action= Matched Gateway addr = 192.168.1.
Prestige 652 ADSL Security Router FIELD DESCRIPTION Source: addr start / end Source IP address range from start to end. port start / end Source port number range from start to end; applicable only for TCP/UDP. Destination: addr start / end Destination IP address range from start to end. port start / end Destination port number range from start to end; applicable only for TCP/UDP. Specifies whether action should be taken on criteria Matched or Not Matched.
Prestige 652 ADSL Security Router Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP Setup: DHCP= None Client IP Pool Starting Address= N/A Size of Client IP Pool= N/A Primary DNS Server= N/A Secondary DNS Server= N/A Remote DHCP Server= N/A TCP/IP Setup: IP Address= 192.168.1.1 IP Subnet Mask= 255.255.255.0 RIP Direction= Both Version= RIP-2B Multicast= IGMP-v2 IP Policies= 2,4,7,9 Edit IP Alias= No Type IP Policy sets here. Press ENTER to Confirm or ESC to Cancel: Figure 22-4 Menu 3.
Prestige 652 ADSL Security Router 22.6 IP Policy Routing Example If a network has both Internet and remote node connections, you can route Web packets to the Internet using one policy and route FTP packets to a remote network using another policy. See the next figure. Figure 22-6 Example of IP Policy Routing To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the Prestige, follow the steps as shown next.
Prestige 652 ADSL Security Router Step 1. Create a routing policy set in menu 25. Step 2. Create a rule for this set in Menu 25.1.1 - IP Routing Policy as shown next. Menu 25.1.1 - IP Routing Policy Policy Set Name= set1 Active= Yes Criteria: IP Protocol = 6 Type of Service= Don't Care Precedence = Don't Care Source: addr start= 192.168.1.2 port start= 0 Destination: addr start= 0.0.0.0 port start= 80 Action= Matched Gateway addr = 192.168.1.
Prestige 652 ADSL Security Router Menu 25.1.1 - IP Routing Policy Policy Set Name= set2 Active= Yes Criteria: IP Protocol = 6 Type of Service= Don't Care Precedence = Don't Care Source: addr start= 0.0.0.0 port start= 0 Destination: addr start= 0.0.0.0 port start= 20 Action= Matched Gateway addr =192.168.1.100 Type of Service= No Change Precedence = No Change Packet length= 10 Len Comp= N/A end= N/A end= N/A end= N/A end= 21 Log= No Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle.
Call Scheduling, VPN/IPSec and Internal SPTGEN Part V: Call Scheduling, VPN/IPSec and Internal SPTGEN Part V provides information about Call Scheduling, VPN/IPSec and Internal SPTGEN.
Prestige 652 ADSL Security Router Chapter 23 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 23.1 Introduction The call scheduling feature allows the Prestige to manage a remote node and dictate when a remote node should be called and for how long. This feature is similar to the scheduler in a video cassette recorder that lets you specify times to record programs. You can apply up to 4 schedule sets in Menu 11.1 - Remote Node Profile.
Prestige 652 ADSL Security Router To set up a schedule set select the schedule set you want to setup from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next. Menu 26.
Prestige 652 ADSL Security Router Table 23-1 Schedule Set Setup Fields FIELD DESCRIPTION Start Time Enter the start time when you wish the schedule set to take effect in hour-minute format. Duration Enter the maximum length of time this connection is allowed in hourminute format. Action Forced On means that the connection is maintained whether or not there is a demand call on the line and will persist for the time period specified in the Duration field.
Prestige 652 ADSL Security Router Menu 11.
Prestige 652 ADSL Security Router Chapter 24 Introduction to IPSec This chapter introduces the basics of IPSec VPNs. 24.1 Introduction 24.1.1 VPN A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines.
Prestige 652 ADSL Security Router Figure 24-1 Encryption and Decryption ¾ Data Confidentiality The IPSec sender can encrypt packets before transmitting them across a network. ¾ Data Integrity The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission. ¾ Data Origin Authentication The IPSec receiver can verify the source of IPSec packets. This service depends on the data integrity service. 24.1.
Prestige 652 ADSL Security Router Figure 24-2 VPN Application 24.2 IPSec Architecture The overall IPSec architecture is shown as follows.
Prestige 652 ADSL Security Router Figure 24-3 IPSec Architecture 24.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard) and Triple DES algorithms.
Prestige 652 ADSL Security Router 24.3 Encapsulation The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. Figure 24-4 Transport and Tunnel Mode IPSec Encapsulation 24.3.1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet.
Prestige 652 ADSL Security Router A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to the received packet doesn't match. The VPN device at the receiving end doesn't know about the NAT in the middle, so it assumes that the data has been maliciously altered.
Prestige 652 ADSL Security Router Chapter 25 VPN/IPSec Setup This chapter introduces the VPN SMT menus. 25.1 VPN/IPSec Setup The VPN/IPSec main SMT menu has three main submenus. 1. Define VPN policies in menu 27.1 submenus, including security policies, endpoint IP addresses, peer IPSec router IP address and key management. 2. Menu 27.2 - SA Monitor allows you to manage (refresh or disconnect) your SA connections. 3. View the IPSec connection log in menu 27.4.
Prestige 652 ADSL Security Router Menu 27 - VPN/IPSec Setup 1. IPSec Summary 2. SA Monitor 3. View IPSec Log Enter Menu Selection Number: Figure 25-2 Menu 27 — VPN/IPSec Setup 25.2 IPSec Algorithms The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN. An SA is built from the authentication provided by the AH and ESP protocols. The primary function of key management is to establish and maintain the SA between systems.
Prestige 652 ADSL Security Router Table 25-1 AH and ESP ESP AH Select DES for minimal security and 3DES for maximum. Select NULL to set up a tunnel without encryption. Select MD5 for minimal security and SHA-1 for maximum security. DES (default) Data Encryption Standard (DES) is a widely used method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data. MD5 (default) MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
Prestige 652 ADSL Security Router 25.3.1 My IP Address My IP Addr is the WAN IP address of the Prestige. If this field is configured as 0.0.0.0, then the Prestige will use the current Prestige WAN IP address (static or dynamic) to set up the VPN tunnel. If the My IP Addr changes after setup, then the VPN tunnel will have to be rebuilt. 25.3.2 Secure Gateway Address Secure Gateway Addr is the WAN IP address or domain name of the remote IPSec router (secure gateway).
Prestige 652 ADSL Security Router Figure 25-4 Telecommuter’s Prestige Configuration Figure 25-5 Headquarters Prestige Configuration The Secure Gateway IP Address may be configured as 0.0.0.0 only when using IKE key management and not Manual key management. A Prestige with Secure Gateway Address set to 0.0.0.0 can receive multiple VPN connection requests using the same VPN rule at the same time.
Prestige 652 ADSL Security Router Menu 27.1 – IPSec Summary # 001 002 003 Name Key Mgt -----Taiwan IKE zw50 IKE China IKE A Y N N Local Addr Start - Local Addr End Remote Addr Start ----------------192.168.1.35 172.16.2.40 1.1.1.1 4.4.4.4 192.168.1.40 N/A - Remote Addr End --------------192.168.1.38 172.16.2.46 1.1.1.1 255.255.0.0 192.168.1.42 N/A Encap -----Tunnel Tunnel Tunnel IPSec Algorithm Secure Gw Addr -----------------ESP DES MD5 193.81.13.2 AH SHA1 zw50test.zyxel. ESP DES MD5 0.0.0.
Prestige 652 ADSL Security Router Table 25-3 Menu 27.1 — IPSec Summary FIELD DESCRIPTION EXAMPLE field. When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Range, this is the end (static) IP address, in a range of computers on the LAN behind your Prestige. When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to SUBNET, this is a subnet mask on the LAN behind your Prestige. Encap This field displays Tunnel mode or Transport mode. See earlier for a discussion of these.
Prestige 652 ADSL Security Router Table 25-3 Menu 27.1 — IPSec Summary FIELD Remote Addr End DESCRIPTION When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is the same (static) IP address as in the Remote Addr Start field. EXAMPLE 172.16.2.46 When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Range, this is the end (static) IP address, in a range of computers on the network behind the remote IPSec router. When the Addr Type field in Menu 27.1.
Prestige 652 ADSL Security Router Menu 27.1.1 – IPSec Setup Index= 1 Active= Yes Name= Taiwan My IP Addr= 0.0.0.0 Secure Gateway Addr= zw50test.zyxel.com.tw Protocol= 0 Local: Addr Type= SINGLE IP Addr Start= 1.1.1.1 End= Port Start= 0 End= Remote: Addr Type= SUBNET IP Addr Start= 4.4.4.4 End= Port Start= 0 End= Enable Replay Detection = No Key Management= IKE Edit Key Management Setup= No N/A N/A 255.255.0.0 N/A Press ENTER to Confirm or ESC to Cancel: Figure 25-7 Menu 27.1.
Prestige 652 ADSL Security Router Table 25-4 Menu 27.1.1 — IPSec Setup FIELD DESCRIPTION EXAMPLE The VPN tunnel has to be rebuilt if this IP address changes. Secure Gateway Addr Type the WAN IP address or the domain name (up to 31 characters) of the Zw50test.com. IPSec router with which you’re making the VPN connection. tw Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address (the Key Management field must be set to IKE, see later).
Prestige 652 ADSL Security Router Table 25-4 Menu 27.1.1 — IPSec Setup FIELD DESCRIPTION End Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field. This field is N/A when 0 is configured in the Port Start field. Remote EXAMPLE N/A Remote IP addresses must be static and correspond to the remote IPSec router’s configured local IP addresses. The remote fields are N/A when the Secure Gateway Addr field is configured to 0.0.0.0.
Prestige 652 ADSL Security Router Table 25-4 Menu 27.1.1 — IPSec Setup FIELD DESCRIPTION EXAMPLE End Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field. This field is N/A when 0 is configured in the Port Start field.
Prestige 652 ADSL Security Router Figure 25-8 Two Phases to set up the IPSec SA In phase 1 you must: ¾ Choose a negotiation mode. ¾ Authenticate the connection by entering a pre-shared key. ¾ Choose an encryption algorithm. ¾ Choose an authentication algorithm. ¾ Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2). ¾ Set the IKE SA lifetime. This field allows you to determine how long IKE SA negotiation should proceed before it times out.
Prestige 652 ADSL Security Router ¾ Aggressive Mode is quicker than Main Mode because it eliminates several steps when the communicating parties are negotiating authentication (phase 1). However the trade-off is that faster speed limits its negotiating power and it also does not provide identity protection. It is useful in remote access situations where the address of the initiator is not know by the responder and both parties want to use pre-shared key authentication. 25.5.
Prestige 652 ADSL Security Router Menu 27.1.1.1 - IKE Setup Phase 1 Negotiation Mode= Main Pre-Shared Key= ? Encryption Algorithm = DES Authentication Algorithm = MD5 SA Life Time (Seconds)= 28800 Key Group= DH1 Phase 2 Active Protocol = ESP Encryption Algorithm = DES Authentication Algorithm = SHA1 SA Life Time (Seconds)= 28800 Encapsulation = Tunnel Perfect Forward Secrecy (PFS)= None Press ENTER to Confirm or ESC to Cancel: Figure 25-9 Menu 27.1.1.1 — IKE Setup Table 25-5 Menu 27.1.1.
Prestige 652 ADSL Security Router Table 25-5 Menu 27.1.1.1 — IKE Setup FIELD DESCRIPTION EXAMPLE Press [SPACE BAR] to choose from 3DES or DES and then press [ENTER]. Authentication MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash Algorithm algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slightly slower. MD5 Press [SPACE BAR] to choose from SHA1 or MD5 and then press [ENTER].
Prestige 652 ADSL Security Router 25.6 Manual Setup You only configure Menu 27.1.1.2 – Manual Setup when you select Manual in the Key Management field in Menu 27.1.1 – IPSec Setup. Manual key management is useful if you have problems with IKE key management. 25.6.1 Active Protocol This field is a combination of mode and security protocols used for the VPN. These parameters have been discussed earlier.
Prestige 652 ADSL Security Router Menu 27.1.1.2 – Manual Setup Active Protocol= ESP Tunnel ESP Setup SPI (Decimal)= Encryption Algorithm= DES Key1= Key2= N/A Key3= N/A Authentication Algorithm= SHA1 Key= AH Setup SPI (Decimal)= N/A Authentication Algorithm= N/A Key= Press ENTER to Confirm or ESC to Cancel: Figure 25-10 Menu 27.1.1.2 — Manual Setup Table 25-7 Menu 27.1.1.
Prestige 652 ADSL Security Router Table 25-7 Menu 27.1.1.2 — Manual Setup FIELD DESCRIPTION Authentication Press [SPACE BAR] to choose from MD5 or SHA1 and then press Algorithm [ENTER]. Key Enter the authentication key to be used by IPSec if applicable. The key must be unique. Enter 16 characters for MD5 authentication and 20 characters for SHA-1 authentication. Any character may be used, including spaces, but trailing spaces are truncated.
Prestige 652 ADSL Security Router Chapter 26 SA Monitor This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27.2. 1.1. Introduction A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This menu (shown next) displays active VPN connections. An SA times out automatically after one minute if there is no traffic. 1. Use the Refresh function to display active VPN connections. 2.
Prestige 652 ADSL Security Router Table 26-1 Menu 27.2 — SA Monitor FIELD DESCRIPTION EXAMPLE public static IP address. When the secure gateway IP address is 0.0.0.0 (as discussed in the last chapter), there may be different connections using this same VPN rule. In this case, the name is followed by the remote IP address as configured in Menu 27.1.1. – IPSec Setup. Individual connections using the same VPN rule may be terminated without affecting other connections using the same rule. Encap.
Prestige 652 ADSL Security Router Chapter 27 IPSec Log This chapter interprets common IPSec log messages. 27.1 IPSec Logs To view the IPSec and IKE connection log, type 3 in menu 27 and press [ENTER] to display the IPSec log as shown next. The following figure shows a typical log from the initiator of a VPN connection. Index: Date/Time: Log: -----------------------------------------------------------001 01 Jan 08:02:22 Send Main Mode request to <192.168.100.
Prestige 652 ADSL Security Router The following figure shows a typical log from the VPN connection peer. Index: Date/Time: Log: -----------------------------------------------------------001 01 Jan 08:08:07 Recv Main Mode request from <192.168.100.
Prestige 652 ADSL Security Router Table 27-1 Sample IKE Key Exchange Logs LOG MESSAGE DESCRIPTION Start Phase 2: Quick Mode Phase 2 negotiation is beginning using Quick Mode. !! IKE Negotiation is in process The Prestige has begun negotiation with the peer for the connection already, but the IKE key exchange has not finished yet. !! Duplicate requests with the same cookie The Prestige has received multiple requests from the same peer but it is still processing the first IKE packet from that peer.
Prestige 652 ADSL Security Router The following table shows sample log messages during packet transmission. Table 27-2 Sample IPSec Logs During Packet Transmission LOG MESSAGE DESCRIPTION !! WAN IP changed to If the Prestige’s WAN IP changes, all configured “My IP Addr” are changed to b “0.0.0.0”.. If this field is configured as 0.0.0.0, then the Prestige will use the current Prestige WAN IP address (static or dynamic) to set up the VPN tunnel.
Prestige 652 ADSL Security Router Table 27-3 RFC-2408 ISAKMP Payload Types LOG DISPLAY IPSec Log PAYLOAD TYPE NONCE Nonce NOTFY Notification DEL Delete VID Vendor ID 27-5
Prestige 652 ADSL Security Router Chapter 28 Internal SPTGEN Internal SPTGEN (System Parameter Table Generator) is a configuration text file useful for efficient configuration of multiple Prestiges. Internal SPTGEN lets you configure, save and upload multiple menus at the same time using just one configuration text file – eliminating the need to navigate and configure individual SMT menus for each Prestige. 28.
Prestige 652 ADSL Security Router This is the name of the menu. This is the Field Name column. This is the name of the field as seen in the corresponding SMT screen. Example: Configured One “=” sign, followed by one space, must precede everything you input. / Menu 1 General Setup 10000000 10000001 10000002 10000003 10000004 10000005 10000006 = = = = = = = Configured System Name Location Contact Person’s Name Route IP Route IPX Bridge This is the Field Identification Number column.
Prestige 652 ADSL Security Router field value is not legal error:-1 ROM-t is not saved, error Line ID:10000000 reboot to get the original configuration Bootbase Version: V2.02 | 2/22/2001 13:33:11 RAM: Size = 8192 Kbytes FLASH: Intel 8M *2 Figure 28-2 Invalid Parameter Entered — Command Line Example The Prestige will display the following if you enter parameter(s) that are valid. Please wait for the system to write SPT text file(ROMt)... Bootbase Version: V2.
Prestige 652 ADSL Security Router You can rename your “rom-t” file when you save it to your computer but it must be named “rom-t” when you upload it to your Prestige. 28.3 Internal SPTGEN FTP Upload Example 1. Launch your FTP application. 2. Enter "bin". The command “bin” sets the transfer mode to binary. 3. Upload your “rom-t” file from your computer to the Prestige using the “put” command. computer to the Prestige. c:\ftp 192.168.1.1 220 PPP FTP version 1.0 ready at Sat Jan 1 03:22:12 2000 User (192.
Additional Information Part:VI ADDITIONAL INFORMATION This part contains Troubleshooting, Appendices and the Index.
Prestige 652 ADSL Security Router Chapter 29 Troubleshooting This chapter covers potential problems and the corresponding remedies. 29.1 Problems Starting Up the Prestige Table 16-1 Troubleshooting the Start-Up of Your Prestige PROBLEM CORRECTIVE ACTION None of the LEDs turn on when I turn on the Prestige. Make sure that the Prestige’s power adapter is connected to the Prestige and plugged in to an appropriate power source. Check that the Prestige and the power source are both turned on.
Prestige 652 ADSL Security Router 29.3 Problems with the DSL LED Table 29-2 Troubleshooting the DSL LED PROBLEM The xDSL LED is off. CORRECTIVE ACTION Check the telephone wire and connections between the Prestige DSL port and the wall jack. Make sure that the telephone company has checked your phoneline and set it up for DSL service. Reset your xDSL line in SMT menu 24.4 to reinitialize your link to the DSLAM. 29.
Prestige 652 ADSL Security Router 29.6 Problems with Internet Access Table 29-5 Troubleshooting Internet Access PROBLEM I cannot access the Internet. CORRECTIVE ACTION Make sure the Prestige is turned on and connected to the network. If the DSL LED is off, refer to the Problems with the DSL LED section. Verify your settings in SMT menus 3.2 and 4. Make sure you use correct casing when typing entries. Internet connection disconnects. Check the schedule rules in SMT menu 26.
Prestige 652 ADSL Security Router 29.8 Problems with the Web Configurator Table 29-7 Troubleshooting the Web Configurator PROBLEM I cannot access the web configurator. CORRECTIVE ACTION Type “admin” in the User Name field. The default password is “1234”. Both fields are case-sensitive. If you have changed the password and have now forgotten it, you will need to upload the default configuration file (Refer to the Resetting the Prestige section).
Prestige 652 ADSL Security Router Appendix A PPPoE PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit) which connects to a xDSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP.
Prestige 652 ADSL Security Router How PPPoE Works The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as a L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP. The L2TP tunnel is capable of carrying multiple PPP sessions.
Prestige 652 ADSL Security Router Appendix B Virtual Circuit Topology ATM is a connection-oriented technology, meaning that it sets up virtual circuits over which end systems communicate.
Prestige 652 ADSL Security Router Appendix C Boot Module Commands When you reboot your Prestige, you will be given a choice to go into debug mode by pressing a key at the prompt shown in the following screen. In debug mode you have access to a series of boot module commands, for example ATUR (for uploading firmware) and ATLC (for uploading the configuration file) already discussed in a previous section. Bootbase Version: V1.
Prestige 652 ADSL Security Router ======= Debug Command Listing ======= AT just answer OK ATHE print help ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.
Prestige 652 ADSL Security Router Appendix D Power Adapter Specifications NORTH AMERICAN PLUG STANDARDS AC Power Adapter Model DV-1215A Input Power AC120Volts/60Hz/30W Output Power AC12Volts/1.25A Power Consumption 11 W Safety Standards UL, CUL, CSA (UL 1310, CSA C22.2 No.223) NORTH AMERICAN PLUG STANDARDS AC Power Adapter Model AA-121A25 Input Power AC120Volts/60Hz/19W Output Power AC12Volts/1.25A Power Consumption 11 W Safety Standards UL, CUL (UL 1310, CSA C22.2 No.
Prestige 652 ADSL Security Router Appendix E TCP/IP All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package.
Prestige 652 ADSL Security Router b. Select Client and then click Add. c. Select Microsoft from the list of manufacturers. d. Select Client for Microsoft Networks from the list of network clients and then click OK. e. Restart your computer so the changes you made take effect. Configuring TCP/IP 1. In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties. 2. Click the IP Address tab.
Prestige 652 ADSL Security Router 1. Click Start, Settings, Network and Dial-up Connections and right-click Local Area Connection or the connection you want to configure and click Properties. 2. Select Internet Protocol (TCP/IP) (you may need to scroll down) and click Properties. 3. The Internet Protocol TCP/IP Properties window opens. -If your IP address is dynamic, click Obtain an IP address automatically.
Prestige 652 ADSL Security Router -If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. To configure advanced static address settings for a local area connection, click Advanced, and do one or more of the following to configure additional IP addresses: -In the IP Settings tab, in IP addresses, click Add. -In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet mask, and then click Add.
Prestige 652 ADSL Security Router 3. For dynamically assigned settings, select Using DHCP Server from the Configure: list. 4. For statically assigned settings, do the following: -From the Configure box, select Manually. -Type your IP address in the IP Address box. -Type your subnet mask in the Subnet mask box. -Type the IP address of your Prestige in the Router address box. 5. Close the TCP/IP Control Panel. 6. Click Save if prompted, to save changes to your configuration. 7.
Prestige 652 ADSL Security Router Appendix F Example Internal SPTGEN Screens This appendix covers Prestige Internal SPTGEN screens. Abbreviations Used in the Example Internal SPTGEN Screens Table ABBREVIATION MEANING FIN Field Identification Number (not seen in SMT screens) FN Field Name PVA Parameter Values Allowed INPUT This is an example of what you may enter The following are Internal SPTGEN screens associated with the SMT screens of your Prestige.
Prestige 652 ADSL Security Router / MENU 3.1 GENERAL ETHERNET SETUP (SMT MENU 3.
Prestige 652 ADSL Security Router 30200008 = IP Address = 172.21.2.
Prestige 652 ADSL Security Router 30201010 = IP Alias #1 Outgoing protocol filters Set 1 = 256 30201011 = IP Alias #1 Outgoing protocol filters Set 2 = 256 30201012 = IP Alias #1 Outgoing protocol filters Set 3 = 256 30201013 = IP Alias #1 Outgoing protocol filters Set 4 = 256 30201014 = IP Alias 2 <0(No) | 1(Yes)> =0 30201015 = IP Address = 0.0.0.
Prestige 652 ADSL Security Router / MENU 4 INTERNET ACCESS SETUP (SMT MENU 4) P FIN FN PVA INPUT 40000000 = Configured <0(No) | 1(Yes)> =1 40000001 = ISP <0(No) | 1(Yes)> =1 40000002 = Active <0(No) | 1(Yes)> =1 40000003 = ISP's Name 40000004 = Encapsulation <2(PPPOE) | 3(RFC 1483)| 4(PPPoA)| 5(ENET ENCAP)> =2 40000005 = Multiplexing <1(LLC-based) | 2(VC-based) =1 40000006 = VPI # =0 40000007 = VCI # = 35 40000008 = Service Name = any 40000009 = My Login
Prestige 652 ADSL Security Router 40000023 = ISP outgoing protocol filter set 4 = 256 40000024 = ISP PPPoE idle timeout =0 40000025 = Route IP <0(No) | 1(Yes)> =1 40000026 = Bridge <0(No) | 1(Yes)> =0 40000027 = ATM QoS Type <0(CBR) | (1 (UBR)> =1 40000028 = Peak Cell Rate (PCR) =0 40000029 = Sustain Cell Rate (SCR) =0 40000030 = Maximum Burst Size(MBS) =0 / MENU 12.1.1 IP STATIC ROUTE SETUP (SMT MENU 12.1.
Prestige 652 ADSL Security Router / MENU 12.1.3 IP STATIC ROUTE SETUP (SMT MENU 12.1.3) FIN FN PVA INPUT 120103001 = IP Static Route set #3, Name = 120103002 = IP Static Route set #3, Active <0(No) |1(Yes)> =0 120103003 = IP Static Route set #3, Destination IP address = 0.0.0.0 120103004 = IP Static Route set #3, Destination IP subnetmask =0 120103005 = IP Static Route set #3, Gateway = 0.0.0.
Prestige 652 ADSL Security Router 120105005 = IP Static Route set #5, Gateway = 0.0.0.0 120105006 = IP Static Route set #5, Metric =0 120105007 = IP Static Route set #5, Private <0(No) |1(Yes)> =0 / MENU 12.1.6 IP STATIC ROUTE SETUP (SMT MENU 12.1.6) FIN FN PVA INPUT 120106001 = IP Static Route set #6, Name = 120106002 = IP Static Route set #6, Active <0(No) |1(Yes)> =0 120106003 = IP Static Route set #6, Destination IP address = 0.0.0.
Prestige 652 ADSL Security Router 120108003 = IP Static Route set #8, Destination IP address = 0.0.0.0 120108004 = IP Static Route set #8, Destination IP subnetmask =0 120108005 = IP Static Route set #8, Gateway = 0.0.0.0 120108006 = IP Static Route set #8, Metric =0 120108007 = IP Static Route set #8, Private <0(No) |1(Yes)> =0 PVA INPUT / MENU 15 SUA SERVER SETUP (SMT MENU 15) T FIN FN 150000001 = SUA Server IP address for default port = 0.0.0.
Prestige 652 ADSL Security Router 150000020 = SUA Server #8 Port Start =0 150000021 = SUA Server #8 Port End =0 150000022 = SUA Server #8 Local IP address = 0.0.0.0 150000023 = SUA Server #9 Port Start =0 150000024 = SUA Server #9 Port End =0 150000025 = SUA Server #9 Local IP address = 0.0.0.0 150000026 = SUA Server #10 Port Start =0 150000027 = SUA Server #10 Port End =0 150000028 = SUA Server #10 Local IP address = 0.0.0.
Prestige 652 ADSL Security Router 210101007 = IP Filter Set 1,Rule 1 Dest Port Comp <0(none)|1(equal)|2( not equal)| 3(less)| 4(greater)> =1 210101008 = IP Filter Set 1,Rule 1 Src IP address = 0.0.0.
Prestige 652 ADSL Security Router 210102011 = IP Filter Set 1,Rule 2 Src Port Comp <0(none)|1(equal)|2( not equal)|3(less)|4(great er)> =0 210102013 = IP Filter Set 1,Rule 2 Act Match <1(check next)|2(forward)|3(dr op)> =3 210102014 = IP Filter Set 1,Rule 2 Act Not Match <1(check next)|2(forward)|3(dr op)> =1 / MENU 21.1.3 SET #1, RULE #3 (SMT MENU 21.1.
Prestige 652 ADSL Security Router 210103014 = IP Filter Set 1,Rule 3 Act Not Match <1(check next)|2(forward)|3(dr op) =1 / MENU 21.1.4 SET #1, RULE #4 (SMT MENU 21.1.4) FIN FN PVA INPUT 210104001 = IP Filter Set 1,Rule 4 Type <2(TCP/IP)> =2 210104002 = IP Filter Set 1,Rule 4 Active <0(No)|1(Yes)> =1 210104003 = IP Filter Set 1,Rule 4 Protocol = 17 210104004 = IP Filter Set 1,Rule 4 Dest IP address = 0.0.0.
Prestige 652 ADSL Security Router 210105003 = IP Filter Set 1,Rule 5 Protocol = 17 210105004 = IP Filter Set 1,Rule 5 Dest IP address = 0.0.0.0 210105005 = IP Filter Set 1,Rule 5 Dest Subnet Mask =0 210105006 = IP Filter Set 1,Rule 5 Dest Port = 138 210105007 = IP Filter Set 1,Rule 5 Dest Port Comp 210105008 = IP Filter Set 1,Rule 5 Src IP Address = 0.0.0.
Prestige 652 ADSL Security Router Z 210106007 = IP Filter Set 1,Rule 6 Dest Port Comp <0(none)|1(equal)|2( not equal)|3(less)|4(great er)> =1 210106008 = IP Filter Set 1,Rule 6 Src IP address = 0.0.0.
Prestige 652 ADSL Security Router / MENU 24.11 REMOTE MANAGEMENT CONTROL (SMT MENU 24.11) FIN FN 241100001 = TELNET Server Port 241100002 = TELNET Server Access 241100003 = TELNET Server Secured IP address = 0.0.0.0 241100004 = FTP Server Port = 21 241100005 = FTP Server Access 241100006 = FTP Server Secured IP address = 0.0.0.
Prestige 652 ADSL Security Router Index A Brute-force Attack, .......................................... 9-6 Action for Matched Packets ......................... 12-11 Budget Management............................. 20-2, 20-3 ADSL Over ISDN............................................ 2-6 C ADSL, what is it?.......................................... xxvii Call Control ................................................... 20-2 Alert Schedule................................................
Prestige 652 ADSL Security Router Power Adapter............................................. 2-3 DHCP ..................................................... 1-4, 18-4 Rear Panel ................................................... 2-2 DHCP Negotaition and Syslog Connection from the Internet – EG 3 .....................................13-4 Console Port .................................................. 18-3 Content Filtering............................................ 15-1 Days and Times ..................
Prestige 652 ADSL Security Router Encapsulation......................... 1-5, 4-11, 4-16, 5-2 Filter Log .............................................. 18-7, 18-8 ENET ENCAP ........................................... 4-11 Filter Rule .................................................... 16-10 PPP ............................................................ 4-12 Filter Rule Process......................................... 16-3 PPP over Ethernet ......................................
Prestige 652 ADSL Security Router Logs........................................................... 11-3 Hop Count .............................................. 5-8, 6-10 Policies ...................................................... 12-1 HTML Help..................................................... See Remote Management................................. 10-1 HTTP................. 8-17, 9-1, 9-3, 9-4, 25-11, 25-12 Rule Checklist ........................................... 12-1 HyperTerminal program..
Prestige 652 ADSL Security Router RFC 1483................................................... 4-12 ISDN................................................................ 2-6 IP Alias Setup .................................................. 4-6 K IP Filter ........................................................ 16-13 Key Fields For Configuring Rules................. 12-2 Logic Flow............................................... 16-12 L IP mask ........................................................
Prestige 652 ADSL Security Router Media Access Control...................................... 7-1 O Message Logging........................................... 18-5 One Minute High............................................11-9 Metric............................................... 5-8, 6-6, 6-10 One Minute Low ............................................11-9 Multicast ................................................... 5-8, 6-6 One-Minute High ...........................................
Prestige 652 ADSL Security Router PPPoE Encapsulation................................5-3, 5-9 Restore Configuration.................................... 19-7 Precedence ............................................ 22-1, 22-4 Return address ............................................... 11-4 Prestige Firewall Application........................... 9-3 RFC-1483 ........................................................ 5-2 Prestige Web Configurator............................. 11-1 RFC-2364 .............
Prestige 652 ADSL Security Router Security Association ...................................... 26-1 Static Route Setup ............................................6-6 Security In General ........................................ 9-12 Static Routing Topology...................................6-7 Security Ramifications................................... 12-2 SUA (Single User Account) ................... See NAT Server8-5, 8-9, 8-12, 8-15, 8-16, 8-17, 8-18, 8-22, 8-24, 20-5 Subnet Mask .
Prestige 652 ADSL Security Router T U TCP Maximum Incomplete........11-7, 11-8, 11-10 UDP/ICMP Security ...................................... 9-10 TCP Security.................................................. 9-10 UNIX Syslog ........................................ 18-5, 18-7 TCP/IP .................6-1, 9-3, 9-4, 16-16, 18-9, 21-1 UNIX syslog parameters................................ 18-6 TCP/IP Options................................................ 6-1 Upload Firmware .......................
