SL1200 Internet Security Router User Manual
E2923 / November 2006
Copyright Information
E2923 First Edition October 2006
Copyright © 2006 ASUSTeK COMPUTER INC. All Rights Reserved. No part of this manual, including the products and software described in it, may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means, except documentation kept by the purchaser for backup purposes, without the express written permission of ASUSTeK COMPUTER INC. (ASUS).
Contact Information
ASUSTeK COMPUTER INC.
Company address: 15 Li-Te Road, Beitou, Taipei 11259
General (tel): +886-2-2894-3447
General (fax): +886-2-2894-7798
Web site address: www.asus.com.tw
General email: info@asus.com.tw
Technical support
General support (tel): +886-2-2894-3447
Online support: http://support.asus.com
ASUS COMPUTER INTERNATIONAL (America)
Company address: 44370 Nobel Drive, Fremont, CA 94538, USA
General (fax): +1-510-608-4555
Web site address: usa.asus.
Notices
Federal Communications Commission Statement
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference, and
• This device must accept any interference received, including interference that may cause undesired operation.
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules.
Table of Contents
1 Introduction .......... 1
1.1 Features .......... 1
1.2 System Requirements .......... 1
1.3 Using this manual .......... 2
1.1.1 Notational conventions .......... 2
1.1.2 Typographical conventions .......... 2
1.1.3 Symbols ..........
3.3 Part 3 — Quick Configuration of ASUS SL1200 .......... 18
3.3.1 Buttons Used in Setup Wizard .......... 18
3.3.2 Setting up the ASUS SL1200 .......... 19
3.3.3 Testing Your Setup .......... 25
3.3.4 Default Router Settings .......... 25
4 Using the Configuration Manager .......... 27
4.1 Log into the Configuration Manager ..........
6 Configuring WAN Settings .......... 41
6.1 WAN Connection Mode .......... 41
6.2 PPPoE .......... 42
6.2.1 WAN PPPoE Configuration Parameters .......... 42
6.2.2 Configuring PPPoE for WAN .......... 43
6.3 Dynamic IP .......... 44
6.3.1 WAN Dynamic IP Configuration Parameters ..........
Configuring DDNS .......... 54
8.1 DDNS Configuration Parameters .......... 55
8.2 Access DDNS Configuration Page .......... 56
8.3 Configuring HTTP DDNS Client .......... 57
9 Configuring Firewall/NAT Settings .......... 57
9.1 Firewall Overview .......... 58
9.1.1 Stateful Packet Inspection .......... 58
9.1.
.4.2 Access Outbound ACL Rule Configuration Page (Firewall -> Outbound ACL) .......... 69
9.4.3 Add Outbound ACL Rules .......... 75
9.4.4 Modify Outbound ACL Rules .......... 76
9.4.5 Delete Outbound ACL Rules .......... 76
9.4.6 Display Outbound ACL Rules .......... 77
9.5 Configuring URL Filters .......... 77
9.5.
.3 Establishing VPN Connection Using Automatic Keying .......... 111
10.3.1 Add a Rule for VPN Connection Using Pre-shared Key .......... 111
10.3.2 Modify VPN Rules .......... 113
10.3.3 Delete VPN Rules .......... 113
10.3.4 View VPN Rules .......... 114
10.4 VPN Statistics ..........
.7 Upgrade Firmware .......... 138
11.8 Reset the Internet Security Router .......... 139
11.9 Logout Configuration Manager .......... 140
12 ALG Configuration .......... 141
13 IP Addresses, Network Masks, and Subnets .......... 145
13.1 IP Addresses .......... 145
13.1.1 Structure of an IP Address ..........
Configuration Page .......... 21
Figure 3.7 Setup Wizard - LAN Configuration Page .......... 22
Figure 3.8 Setup Wizard - DHCP Server Configuration Page .......... 22
Figure 3.9 Setup Wizard - WAN PPPoE Configuration Page .......... 23
Figure 3.10 Setup Wizard - WAN Dynamic IP Configuration Page ..........
to Four Globally Valid IP Addresses .......... 61
Figure 9.2 Dynamic NAT - Four Private IP Addresses Mapped to Three Valid IP Addresses .......... 62
Figure 9.3 Dynamic NAT - PC-A can get a NAT Association after PC-B is disconnected .......... 62
Figure 9.4 Map Any Internal PCs to a Single Global IP Address .......... 63
Figure 9.5 Reverse Static NAT - Map a Global IP Address to An Internal PC ..........
Figure 9.21 Network Diagram for NAT Pool Example .......... 96
Figure 9.22 NAT Pool Example - Create a Static NAT Pool .......... 97
Figure 9.23 NAT Pool Example - Associate a NAT Pool to an ACL Rule .......... 97
Figure 9.24 Time Range Configuration Page .......... 99
Figure 9.25 Time Range Example - Create a Time Range .......... 101
Figure 9.
on ISR1 .......... 126
Figure 10.12 Extranet Example - VPN Policy Configuration on ISR2 .......... 126
Figure 10.13 Extranet Example - Outgoing NAT Pool Configuration on ISR2 .......... 127
Figure 10.14 Extranet Example - Incoming NAT Pool Configuration on ISR2 .......... 127
Figure 10.15 Extranet Example - Outbound ACL Rule on ISR2 ..........
List of Tables
Table 2.1 Front Panel Label and LEDs .......... 3
Table 2.2 Rear Panel Connections .......... 4
Table 2.3 DoS Attacks .......... 8
Table 2.4 VPN Features .......... 10
Table 3.1 LED Indicators .......... 13
Table 3.2 Default Settings Summary ..........
Table 10.2 Pre-configured IKE proposals in the router .......... 104
Table 10.3 Pre-configured IPSec proposals in the router .......... 105
Table 10.4 VPN Tunnel Configuration Parameter .......... 107
Table 10.5 VPN Statistics .......... 114
Table 10.6 Outbound Un-translated Firewall Rule for VPN Packets on ISR1 .......... 119
Table 10.7 Inbound Un-translated Firewall Rule for VPN Packets on ISR1 ..........
Chapter 1 - Introduction
1 Introduction
Thank you for buying the ASUS SL1200, the Internet Security Router! Your Local Area Network (LAN) will now be able to access the Internet using a high-speed broadband connection such as ADSL or cable modem. This user manual will show you how to set up the ASUS SL1200 and how to customize its configuration to get the most out of this product.
1.
1.3 Using this Manual
1.3.1 Notational conventions
• Acronyms are defined the first time they appear in the text and in the Glossary.
• The ASUS SL1200 is simply referred to as “the router” or "Internet Security Router".
• The terms LAN and network are used interchangeably to refer to a group of Ethernet-connected computers at one site.
1.3.2 Typographical conventions
• Italics are used to identify terms defined in the Glossary.
2 Getting to Know the ASUS SL1200
2.1 Package contents
Check your ASUS SL1200 package for these items:
• ASUS SL1200
• Power adapter
• Ethernet cable (“straight-through” type)
• (Optional) console port cable (RJ-45)
If any of the above items is damaged or missing, contact your retailer.
2.2 Front Panel
The front panel contains LED indicators that show the status of the unit.
Figure 2.1. Front Panel LEDs
Table 2.1.
2.3 Rear Panel
The rear panel contains the ports and power connections.
Figure 2.2. Rear Panel Connections
Table 2.2. Rear Panel Labels and LEDs
Label: Function
POWER: Connects to the supplied power adapter
Reset: Resets the device
CONSOLE: RJ-45 serial port for console management
WAN: Connects to your WAN device such as ADSL or cable modem.
2.4 Major Features
2.4.1 Firewall Features
The ASUS SL1200's firewall provides features to protect your network from being attacked and to prevent your network from being used as a springboard for attacks. The firewall features are:
• Address Sharing and Management
• Packet Filtering
• Stateful Packet Inspection
• Defense against Denial of Service Attacks
• Application Content Filtering
• Log and Alert
• Remote Access
• Keyword based URL Filtering
2.4.1.
Chapter 2 - Getting to Know the Internet Security Router
• Dynamic NAT: It dynamically maps an internal host address to a globally valid Internet address (m-to-n). The map usually contains a pool of internal IP addresses (m) and a pool of globally valid Internet IP addresses (n), with m usually greater than n. Each internal IP address is mapped to one external IP address on a first-come, first-served basis.
• Network Address and Port Translation (NAPT): It is also called IP Masquerading.
• Use of the wild card for composing filter rules
• Filter rule priorities
• Time based filters
• Application specific filters
• User group based filters for remote access
2.4.1.2 Stateful Packet Inspection
The ASUS SL1200's firewall uses “stateful packet inspection”, which extracts the state-related information required for the security decision from the packet and maintains this information for evaluating subsequent connection attempts.
Table 2.3. DoS Attacks
used to generate custom reports. The firewall can also forward Syslog information to a Syslog server on a private network. The ASUS SL1200's firewall supports:
• Alerts sent to the administrator via e-mail.
• At a minimum, maintains log details such as time of packet arrival, description of the action taken by the firewall and the reason for the action.
• Supports the UNIX Syslog format.
Table 2.4. VPN Features
Chapter 3 - Quick Start Guide
3 Quick Start Guide
This chapter provides the basic instructions for connecting the ASUS SL1200 to a computer or a LAN and to the Internet.
• Part 1 provides instructions to set up the hardware.
• Part 2 describes how to configure Internet properties on your computer(s).
• Part 3 shows you how to configure basic settings on the Internet Security Router to get your LAN connected to the Internet.
LAN1 – LAN4 on the rear panel of the device and connect the other end to the Ethernet port of a computer. If your LAN has more than four computers, you can attach one end of an Ethernet cable to a hub or a switch, such as an uplink port (refer to the hub or switch documentation for instructions), and the other to the Ethernet switch port (labeled LAN1 – LAN4) on the router.
Check the LED indicators (refer to Table 3.1) to determine if the hardware setup is working properly.
Table 3.1. LED Indicators
LED: Description
POWER: Solid green to indicate that the device is turned on. If this light is not on, check if the power adapter is attached to the Internet Security Router and if it is plugged into a power source.
LAN1 – LAN4:
WAN:
3.2.2 Windows® XP PCs
1. In the Windows task bar, click Start -> Control Panel.
2. Double-click the Network Connections icon.
3. In the LAN or High-Speed Internet window, right-click the icon corresponding to your network interface card (NIC) and select Properties. (Often this icon is labeled Local Area Connection.) The Local Area Connection dialog box displays with a list of currently installed network items.
4.
You may be prompted to install files from your Windows 2000 installation CD or other media. Follow the instructions to install the files.
7. If prompted, click to restart your computer with the new settings.
Next, configure the PCs to accept IP addresses assigned by the router.
8. In the Control Panel, double-click the Network and Dial-up Connections icon.
9. In the Network and Dial-up Connections window, right-click the Local Area Connection icon, and then select Properties.
Next, configure the PCs to accept IP information assigned by the router.
7. In the Control Panel, double-click the Network icon.
8. In the Network dialog box, select an entry starting with “TCP/IP ->” and the name of your network adapter, and then click .
9. In the TCP/IP Properties dialog box, click the radio button labeled Obtain an IP address automatically.
10. In the TCP/IP Properties dialog box, click the Default Gateway tab. Enter 192.168.1.
6. Click to continue, and then click if prompted to restart your computer.
Next, configure the PCs to accept IP addresses assigned by the router.
7. Open the Control Panel window, and then double-click the Network icon.
8. In the Network dialog box, click the Protocols tab.
9. In the Protocols tab, select TCP/IP, and then click .
10. In the Microsoft TCP/IP Properties dialog box, click the radio button labeled Obtain an IP address from a DHCP server.
11.
On each PC to which you want to assign static information, follow the instructions on pages 13 through 17 relating only to checking for and installing the IP protocol. Once it is installed, continue to follow the instructions for displaying each of the Internet Protocol (TCP/IP) properties. Instead of enabling dynamic assignment of the IP addresses for the computer, DNS server, and default gateway, click the radio buttons that enable you to enter the information manually.
3.3.2 Setting up the ASUS SL1200
To set up the router
1. Before accessing the Configuration Manager in the router, make sure that the HTTP proxy setting is disabled in your browser. In IE, click Tools -> Internet Options -> Connections -> LAN settings and then uncheck “Use proxy server for your LAN …”.
2.
The Setup Wizard home page displays each time you log into the Configuration Manager.
Figure 3.3. Setup Wizard Home Page
Figure 3.4. Setup Wizard - Password Configuration Page
4. Click to enter the password configuration page as shown in Figure 3.4. Change the password, if desired. Otherwise, click to proceed to the next page.
5. In the System Information setup page, enter the requested information and click to save the changes. Otherwise, click to proceed to the next page.
Figure 3.5. Setup Wizard - System Information Setup Page
Figure 3.6. Setup Wizard - Date/Time Configuration Page
6. In the Date/Time Setup page, select your time zone from the Time Zone drop-down list. Click to save the settings and then click to go to the next configuration page.
7. It is recommended that you keep the default LAN IP settings at this point until after you have completed the rest of the configuration and confirmed that your Internet connection is working. Click to proceed to the next configuration page.
Figure 3.7. Setup Wizard - LAN IP Configuration Page
Figure 3.8.
8. It is recommended that you keep the default settings for the DHCP server until after you have completed the rest of the configuration and confirmed that your Internet connection is working. Click to proceed to the next configuration page.
9. In the WAN Configuration page, you configure the WAN settings for the router. Depending on the connection mode required by your ISP, you can select from the three connection modes in the Connection Mode drop-down list (see Figure 3.
a) PPPoE Connection Mode (see Figure 3.9)
• You do not need to enter primary/secondary DNS IP addresses. PPPoE is able to obtain this information for you automatically from your ISP. However, if you prefer to use your favorite DNS servers, you may enter them in the space provided.
• Host name is optional. You may leave it empty if your ISP did not provide such information.
• Enter the user name and password provided by your ISP.
c) Static IP Connection Mode
• Enter the WAN IP address in the IP Address field. This information should be provided by your ISP.
• Enter the Subnet Mask for the WAN. This information should be provided by your ISP. Typically, it is 255.255.255.0.
• Enter the gateway address provided by your ISP in the space provided.
• Enter at least the primary DNS IP address provided by your ISP. The secondary DNS IP address is optional.
Before you modify any settings, review Chapter 4 for general information about accessing and using the Configuration Manager program. We strongly recommend that you contact your ISP prior to changing the default configuration.
Table 3.2. Default Settings Summary
Option: Explanations/Instructions
DHCP (Dynamic Host Configuration Protocol): The Internet Security Router maintains a pool of private IP addresses for dynamic assignment to your LAN computers.
Chapter 4 - Using the Configuration Manager
4 Using the Configuration Manager
The ASUS SL1200 includes a preinstalled program called the Configuration Manager, which provides an interface to the software installed on the device. It enables you to configure the device settings to meet the needs of your network. You access it through your web browser from any PC connected to the router via the LAN or WAN ports. This chapter describes the general guidelines for using the Configuration Manager.
4.
Figure 4.1. Configuration Manager Login Screen
2. Enter your user name and password, and then click . The first time you log into the program, use these default settings:
Default User Name: admin
Default Password: admin
You can change the password at any time. See section 11.2 Change the Login Password. The Setup Wizard page displays each time you log into the program. See Figure 4.3.
4.2 Functional Layout
A typical Configuration Manager page consists of two separate frames: the left frame and the right frame. The left frame, as shown in Figure 4.2, contains all the menus available for device configuration. Menus are indicated by file icons, and related menus are grouped into categories, such as LAN and WAN, indicated by expandable folder icons. You can click on any of these folders to display a specific configuration page.
Figure 4.2.
4.2.2 Commonly Used Buttons and Icons
The following buttons or icons are used throughout the application.
Table 4.1. Description of Commonly Used Buttons and Icons
Button/Icon: Function
Stores any changes you have made on the current page.
Adds the existing configuration to the system, such as a static route or a firewall ACL rule.
Modifies the existing configuration in the system, such as a static route or a firewall ACL rule.
4.3 Configuration Manager's Home Page
The Setup Wizard home page displays when you first access the Configuration Manager.
Figure 4.3. Setup Wizard Home Page
4.4 Overview of System Configuration
To view the overall system configuration, log into the Configuration Manager as administrator, and then click the System Info menu. Figure 4.4 shows the information available in the System Info page.
Figure 4.4.
Chapter 5 - Configuring LAN Settings
5 Configuring LAN Settings
This chapter describes how to configure LAN properties for the LAN interface on the router. You will learn to configure the IP address, DHCP, and DNS server for your LAN in this chapter.
5.1 LAN IP Address
If you are using the router with multiple PCs on your LAN, you must connect the LAN via the Ethernet ports on the built-in Ethernet switch. You must assign a unique IP address to each device residing on your LAN.
5.1.1 LAN IP Configuration Parameters
Table 5.1 describes the configuration parameters available for LAN IP configuration.
Table 5.1. LAN IP Configuration Parameters
Setting: Description
IP Address: The LAN IP address of the router. This IP is used by your computers to identify the router’s LAN port. The public IP address assigned to you by your ISP is not your LAN IP address. The public IP address identifies the WAN port on the router to the Internet.
Subnet Mask:
2. Enter a LAN IP address and subnet mask for the router.
3. Click to save the LAN IP address. If you were using an Ethernet connection for the current session and changed the IP address, the connection will be terminated.
4. Reconfigure your PCs, if necessary, so that their IP addresses place them in the same subnet as the new IP address of the LAN port. See the Quick Start Guide chapter, 3.2 Part 2 — Configuring Your Computers, for instructions.
5.
5.2.2 Why use DHCP?
DHCP allows you to manage and distribute IP addresses throughout your network from the router. Without DHCP, you would have to configure each computer separately with an IP address and related information. DHCP is commonly used with large networks and those that are frequently expanded or otherwise updated.
5.2.
2. Enter the information for the IP Address Pool (Begin/End Address), Subnet Mask, Lease Time and Default Gateway IP Address. Other fields, such as Primary/Secondary DNS Server IP Address and Primary/Secondary WINS Server IP Address, are optional. However, it is recommended that you enter the primary DNS server IP address. You may enter the LAN IP or your ISP’s DNS IP in the Primary DNS Server IP Address field.
Table 5.
5.2.4 Viewing Current DHCP Address Assignments
When the router functions as a DHCP server for your LAN, it keeps a record of any addresses it has leased to your computers. To view a table of all current IP address assignments, go to the DHCP Server Configuration page. A page displays similar to that shown in Figure 5.2. The bottom half of the same page shows the existing DHCP address assignments.
5.3 DNS
5.3.1 About DNS
Domain Name System (DNS) servers map the user-friendly domain names that users type into their Web browsers (such as “yahoo.com”) to the equivalent numerical IP addresses that are used for Internet routing. When a PC user types a domain name into a browser, the PC must first send a request to a DNS server to obtain the equivalent IP address.
5.3.3 Configuring DNS Relay
When you specify the device’s LAN port IP address as the DNS address, the router automatically performs “DNS relay”. Since the device itself is not a DNS server, it forwards domain name lookup requests from the LAN PCs to a DNS server at the ISP. It then relays the DNS server’s response to the PC. When performing DNS relay, the router must maintain the IP addresses of the DNS servers it contacts.
5.4 Viewing LAN Statistics
You can view statistics of your LAN traffic on the router. You will not typically need to view this data, but you may find it helpful when working with your ISP to diagnose network and Internet data transmission problems. To view LAN IP statistics, click Statistics on the LAN submenu. Figure 5.3 shows the LAN Statistics page.
Figure 5.3. LAN Statistics Page
To display the updated statistics since you opened the page, click .
Chapter 6 - Configuring WAN Settings
6 Configuring WAN Settings
This chapter describes how to configure WAN settings for the WAN interface on the router that communicates with your ISP. You will learn to configure the IP address, DHCP, and DNS server for your WAN in this chapter.
6.1 WAN Connection Mode
The router supports three modes of WAN connection – PPPoE, dynamic IP, and static IP.
6.2 PPPoE
6.2.1 WAN PPPoE Configuration Parameters
Table 6.1 describes the configuration parameters available for PPPoE connection mode.
Table 6.1. WAN PPPoE Configuration Parameters
Setting: Description
Host Name: Host name is optional but may be required by some ISPs.
User Name and Password: Enter the user name and password you use to log into your ISP. This is different from the information you used to log into the Configuration Manager.
6.2.2 Configuring PPPoE for WAN
To configure PPPoE settings
1. Select PPPoE from the Connection Mode drop-down list as shown in Figure 6.1.
2. (Optional) Enter the host name if required by your ISP.
3. If you are connecting to the Internet using PPPoE, you probably only have to enter the User Name and Password in the PPPoE Configuration page as shown in Figure 6.1, unless you want to use your preferred DNS servers.
4.
6.3 Dynamic IP
6.3.1 WAN Dynamic IP Configuration Parameters
Table 6.2 describes the configuration parameters available for dynamic IP connection mode.
Table 6.2. WAN Dynamic IP Configuration Parameters
Field: Description
Host Name: Host name is optional but may be required by some ISPs.
Primary/Secondary DNS: IP addresses of the primary and/or secondary DNS are optional, as the DHCP client will automatically obtain the DNS IP addresses configured at your ISP.
Figure 6.2. WAN Dynamic IP (DHCP client) Configuration Page
6.4 Static IP
6.4.1 WAN Static IP Configuration Parameters
Table 6.3 describes the configuration parameters available for static IP connection mode.
Table 6.3. WAN Static IP Configuration Parameters
Setting: Description
IP Address: WAN IP address provided by your ISP.
Subnet Mask: WAN subnet mask provided by your ISP. Typically, it is set as 255.255.255.0.
6.4.2 Configuring Static IP for WAN
Figure 6.3. WAN Static IP Configuration Page
To configure static IP settings
1. Select Static from the Connection Mode drop-down list as shown in Figure 6.3.
2. Enter the WAN IP address in the IP Address field. This information should be provided by your ISP.
3. Enter the Subnet Mask for the WAN. This information should be provided by your ISP. Typically, it is 255.255.255.0.
4.
6.5 Viewing WAN Statistics
You can view statistics of your WAN traffic. You will not need to view this data, but you may find it helpful when working with your ISP to diagnose network and Internet data transmission problems. To view WAN IP statistics, click Statistics on the WAN submenu. Figure 6.4 shows the WAN Statistics page.
Figure 6.4. WAN Statistics Page
To see the updated statistics since you opened the page, simply click .
Chapter 7 - Configuring Routes
7 Configuring Routes
You can use the Configuration Manager to define specific routes for your Internet and network data communication. This chapter describes basic routing concepts and provides instructions for creating routes.
7.
7.2 Dynamic Routing using Routing Information Protocol (RIP)
RIP enables routing information exchange between routers; thus, routes are updated automatically without human intervention. Please note that the RIP service must be enabled first in the System Management / System Services configuration page if you want to use RIP to exchange routing information with other routers.
7.2.1 Dynamic Routing (RIP) Configuration Parameters
Table 7.
Field: Description
Click on the Enable or Disable radio button to enable/disable authentication for exchanging the routing information. All the routers exchanging routing information must use the same authentication key. The default setting is Disable.
RIP Authentication Mode: Select the RIP authentication mode from the drop-down list. Two modes are available: Clear Text and MD5. The default setting is Clear Text.
5. To enable or disable RIP passive mode, click the Enable or Disable radio button.
6. Select the RIP version for sending and receiving routing information from the respective drop-down lists.
7. To enable or disable authentication, click the Enable or Disable radio button. You must also select the RIP authentication mode and enter the authentication key if authentication is enabled.
8.
7.3.2 Adding a Static Route
To add a static route to the routing table
1. To open the routing configuration page, click the Routing menu.
2. Enter static route information such as destination IP address, destination netmask and gateway IP address in the corresponding fields. For a description of these fields, refer to Table 7.2. Static Route Configuration Parameters. To create a route that defines the default gateway for your LAN, enter 0.0.0.
7.3.4 Viewing the Routing Table
All IP-enabled computers and routers maintain a table of IP addresses that are commonly accessed by their users. For each of these destination IP addresses, the table lists the IP address of the first hop the data should take. This table is known as the device’s routing table. To view the SL1200’s routing table, just open the Routing configuration page by clicking on the Routing menu.
Chapter 8 - Configuring DDNS
8 Configuring DDNS
Dynamic DNS is a service that allows computers to use the same domain name even when the IP address changes from time to time (during reboot or when the ISP’s DHCP server resets IP leases). The router connects to a Dynamic DNS service whenever the WAN IP address changes. It supports setting up web services, such as a Web server and an FTP server, using a domain name instead of the IP address.
Figure 8.1. Network Diagram for HTTP DDNS
Whenever the IP address of the configured DDNS interface changes, a DDNS update is sent to the specified DDNS service provider. The router should be configured with the DDNS username and password obtained from the DDNS service provider.
8.1 DDNS Configuration Parameters
Table 8.1 describes the configuration parameters available for the DDNS service.
Table 8.1. DDNS Configuration Parameters
Field: Description
DDNS State
Enable: Click on this radio button to enable the DDNS Service.
Disable: Click on this radio button to disable the DDNS Service.
DDNS Type: select a DDNS service type, HTTP or RFC-2136 DDNS
HTTP DDNS: Click this radio button if HTTP DDNS is desired.
8.3 Configuring HTTP DDNS Client

Figure 8.2. HTTP DDNS Configuration Page

To configure the HTTP DDNS:

1. You should have a registered domain name with a DDNS service provider. If you have not done so, visit http://www.dns-tokyo.jp or http://www.dyndns.org for more details.
2. Make sure that you have a host name configured for the router. Otherwise, go to System Management -> System Identity to configure one.
3. Open the DDNS Configuration page. See section 8.
Chapter 9 - Configuring Firewall/NAT Settings

9 Configuring Firewall/NAT Settings

The router provides built-in firewall/NAT functions. These functions protect the system against denial of service (DoS) attacks and other types of malicious access to your LAN while providing Internet access sharing at the same time. You can also specify how to monitor attempted attacks, and who should be automatically notified.
packet inspection engine. Otherwise, the packet will be dropped. This “hole” will be closed when the connection session terminates. No configuration is required for stateful packet inspection. It is enabled by default when the firewall is enabled. Refer to section 11.1 Configure System Services to enable or disable the firewall service on the router.

9.1.
9.1.4 Default ACL Rules

The router supports three types of default access rules:

• Inbound Access Rules: For controlling incoming access to computers on your LAN.
• Outbound Access Rules: For controlling outbound access to external networks for hosts on your LAN.
• Self Access Rules: For controlling access to the Internet Security Router itself.

Default Inbound Access Rules

No default inbound access rule is configured.
9.2.1 Static (One to One) NAT

Static NAT maps an internal host address to a globally valid Internet address (one-to-one). The IP address in each packet is directly translated to the globally valid IP address contained in the mapping. Figure 9.1 illustrates the IP address mapping relationship between the four private IP addresses and the four globally valid IP addresses. This mapping is static.
9.2.2 Dynamic NAT

Dynamic NAT maps an internal host dynamically to a globally valid Internet address (m-to-n). The mapping usually contains a pool of internal IP addresses (m) and a pool of globally valid Internet IP addresses (n), with m usually greater than n. Each internal IP address is mapped to one external IP address on a first come, first served basis. Figure 9.
9.2.3 Network Address and Port Translation (NAPT) or Port Address Translation (PAT)

This mapping is also called IP Masquerading. It maps many internal hosts to one globally valid Internet address. The mapping contains a pool of network ports to be used for translation. Every packet is translated with the globally valid Internet address, and the port number is translated to an available port from the pool of network ports. Figure 9.
9.2.4 Reverse Static NAT

Reverse static NAT maps a globally valid IP address to an internal host address for inbound traffic. All packets coming to that globally valid IP address are relayed to the internal address. This is useful when hosting services on an internal machine. Figure 9.
Figure 9.7. Inbound ACL Configuration Page

9.3.1 Inbound ACL Rule Configuration Parameters

Table 9.1 describes the configuration parameters available for a firewall inbound ACL rule.

Table 9.1. Inbound ACL Rule Configuration Parameters

Field          Description
ID
  Add New      Click on this option to add a new ‘basic’ Firewall rule.
  Rule Number  Select a rule from the drop-down list to modify its attributes.
Field          Description
Source IP      This option allows you to set the source network to which this rule should apply. Use the drop-down list to select one of the following options:
  Any          This option allows you to apply this rule to all the computers in the source network, such as those on the Internet.
  IP Address   This option allows you to specify an IP address on which this rule will be applied.
Field          Description
  Single       This option allows you to apply this rule to an application with a specific source port number.
    Port Number  Enter the source port number.
  Range        Select this option if you want this rule to apply to applications with this port range. The following fields become available for entry when this option is selected.
Field          Description
NAT            This option allows you to select the type of NAT for the inbound traffic.
  None         Select this option if you do not intend to use NAT in this inbound ACL rule.
  IP Address   Select this option to specify the IP address of the computer (usually a server in your LAN) to which you want the incoming traffic to be directed. This option is called reverse NAPT or virtual server.
9.3.2 Access Inbound ACL Rule Configuration Page – (Firewall -> Inbound ACL)

Log into Configuration Manager as administrator. Click Firewall -> Inbound ACL. The Firewall Inbound ACL Configuration page displays as shown in Figure 9.7. When you open the Inbound ACL Configuration page, a list of existing ACL rules is also displayed at the bottom half of the configuration page, such as those shown in Figure 9.8.

Figure 9.8. Inbound ACL Configuration Example

9.3.
5. Assign a priority for this rule by selecting a number from the “Move to” drop-down list. The number indicates the priority of the rule, with 1 being the highest. The firewall examines higher priority rules before lower priority rules.
6. Click the button to create the new ACL rule. The new ACL rule will then be displayed in the inbound access control list table at the bottom half of the Inbound ACL Configuration page. Figure 9.
3. Click to delete this ACL rule. The deleted ACL rule will be removed from the ACL rule table located at the bottom half of the same configuration page.

9.3.6 Display Inbound ACL Rules

To see existing inbound ACL rules, open the Inbound ACL Rule Configuration page as described in section 9.3.2 Access Inbound ACL Rule Configuration Page.

9.4 Configuring Outbound ACL Rules

By creating ACL rules in the outbound ACL configuration page as shown in Figure 9.
9.4.1 Outbound ACL Rule Configuration Parameters

Table 9.2 describes the configuration parameters available for a firewall outbound ACL rule.

Table 9.2. Outbound ACL Rule Configuration Parameters

Field          Description
ID
  Add New      Click on this option to add a new ‘basic’ Firewall rule.
  Rule Number  Select a rule from the drop-down list to modify its attributes.
Action
  Allow        Select this button to configure the rule as an allow rule.
Move to
Field          Description
  Range        This option allows you to include a range of IP addresses for applying this rule. The following fields become available for entry when this option is selected:
    Begin      Enter the starting IP address of the range.
    End        Enter the ending IP address of the range.
  IP Pool      This option allows you to associate a pre-configured IP pool with this rule. The available IP pool can be selected from the IP pool drop-down list.
Destination IP
Field          Description
  Service      This option allows you to select any of the pre-configured services from the drop-down list instead of the destination port. The following are examples of services: BATTLE-NET, PC-ANYWHERE, FINGER, DIABLO-II, L2TP, H323GK, CUSEEME, MSN-ZONE, ILS, ICQ_2002, ICQ_2000, MSN, AOL, RPC, RTSP7070, RTSP554, QUAKE, N2P, PPTP, MSG2, MSG1, IRC, IKE, H323, IMAP4, HTTPS, DNS, SNMP, NNTP, POP3, SMTP, HTTP, FTP, TELNET.
9.4.2 Access Outbound ACL Rule Configuration Page – (Firewall -> Outbound ACL)

Log into Configuration Manager as administrator. Click Firewall -> Outbound ACL. The Firewall Outbound ACL Configuration page displays as shown in Figure 9.9. When you open the Outbound ACL Configuration page, a list of existing ACL rules is also displayed at the bottom half of the configuration page, such as those shown in Figure 9.9.

9.4.
Figure 9.10. Outbound ACL Configuration Example

9.4.4 Modify Outbound ACL Rules

To modify an outbound ACL rule:

1. Open the Outbound ACL Rule Configuration Page. See section 9.4.2 Access Outbound ACL Rule Configuration Page.
2. Click on the icon of the rule to be modified in the outbound ACL table, or select the rule number from the “ID” drop-down list.
3.
2. Click on the icon of the rule to be deleted in the outbound ACL table, or select the rule number from the “ID” drop-down list.
3. Click on to delete this ACL rule. The deleted ACL rule will be removed from the ACL rule table located at the bottom half of the same configuration page.

9.4.6 Display Outbound ACL Rules

To see existing outbound ACL rules, open the Outbound ACL Rule Configuration page as described in section 9.4.
9.5.2 Access URL Filter Configuration Page – (Firewall -> URL Filter)

Log into Configuration Manager as administrator. Click Firewall -> URL Filter. The Firewall URL Filter Configuration page displays as shown in Figure 9.11. When you open the URL Filter Configuration page, a list of existing URL filter rules is also displayed at the bottom half of the configuration page, such as those shown in Figure 9.11.

Figure 9.11. URL Filter Configuration Page

9.5.
9.5.4 Modify URL Filter Rules

To modify a URL Filter rule, you must first delete the existing URL filter rule (see Section 9.5.5) and then add a new one (see Section 9.5.3 Add an URL Filter Rule).

9.5.5 Delete URL Filter Rules

To delete a URL Filter rule:

1. Open the URL Configuration page. See section 9.5.2 Access URL Filter Configuration Page.
2.
Figure 9.12. URL Filter Rule Example

9.6 Configuring Advanced Firewall Features – (Firewall -> Advanced)

This option sequence brings up the screen with the following sub-options for setting advanced firewall features:

• Self Access: This option allows you to configure rules for controlling packets targeting the Internet Security Router itself.
• Services: Use this option to configure services (applications using specified port numbers).
9.6.1 Configuring Self Access Rules

Self Access rules control access to the router itself. You may use the Self Access Rule Configuration page to:

• Add a Self Access rule, and set basic parameters for it
• Modify an existing Self Access rule
• Delete an existing Self Access rule
• View existing Self Access rules

Figure 9.13. Self Access Rule Configuration Page

Table 9.4.
9.6.1.2 Access Self Access Rule Configuration Page – (Firewall -> Advanced -> Self Access)

Log into Configuration Manager as administrator. Click Firewall -> Advanced -> Self Access. The Firewall Self Access Rule Configuration page displays as shown in Figure 9.13. When you open the Self Access Configuration page, a list of existing Self Access rules is also displayed at the bottom half of the configuration page, such as those shown in Figure 9.13.

9.6.1.
2. Click on the icon of the Self Access rule to be modified in the Self Access rule table, or select the Self Access rule from the Self Access rule drop-down list.
3. You may then disable or enable the traffic from LAN or WAN or both. The port number cannot be changed if the TCP or UDP protocol is selected. To modify the port number, you must first delete the existing Self Access rule and add a new rule instead.
4. Click on to save the changes.
• Delete an existing service
• View configured services

Figure 9.14 shows the Firewall Service List Configuration page. The configured services are listed at the bottom half of the same page.

Figure 9.14. Service List Configuration Page

9.6.2.1 Service List Configuration Parameters

Table 9.5 describes the available configuration parameters for the firewall service list.

Table 9.5.
9.6.2.3 Add a Service

To add a service:

1. Open the Service List Configuration Page. See section 9.6.2.2 Access Service List Configuration Page.
2. Select Add New from the service drop-down list.
3. Enter a desired name, preferably a meaningful name that signifies the nature of the service, in the Service Name field. Only alphanumeric characters are allowed in a name.
4. Make changes to any or all of the following fields: public port and protocol.
9.6.2.5 Delete a Service

To delete a service:

1. Open the Service List Configuration Page. See section 9.6.2.2 Access Service List Configuration Page.
2. Select the service from the service drop-down list, or click on the icon of the service to be deleted in the service list table.
3. Click on to delete this service. The deleted service will be removed from the service list table located at the bottom half of the same configuration page.

9.6.2.
Table 9.6. DoS Protection Configuration Parameters

Field          Description
SYN Flooding   Check or un-check this option to enable or disable protection against SYN Flood attacks. This attack involves sending connection requests to a server but never fully completing the connections. This will cause some computers to get into a “stuck state” where they cannot accept connections from legitimate users.
Field          Description
Sequence Number Out of Range Check   Check or un-check this option to enable or disable protection against TCP out-of-range sequence number attacks. An attacker can send a TCP packet to cause an intrusion detection system (IDS) to become unsynchronized with the data in a connection. Subsequent frames sent in that connection may then be ignored by the IDS. This may indicate an unsuccessful attempt to hijack a TCP session.
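The SYN Flooding entry in Table 9.6 describes the attack as connection requests that are never completed. The following added example (not ASUS code; the SL1200's own detection method is not described in this manual) replays a constructed packet trace and counts half-open connections per server, which is the backlog that puts a host into the “stuck state” the table mentions. The trace, the threshold and the address values are all constructed for the example.

```python
"""Half-open TCP connection tracking over a constructed packet trace.

A connection that has seen SYN and SYN-ACK but no final ACK is half-open.
One completed handshake plus forty unanswered SYN-ACKs are constructed below
so that the flood stands out against normal traffic.
"""
from collections import defaultdict

# Constructed packet records: (sequence in trace, src "ip:port", dst "ip:port", flags).
TRACE = [
    (1, "203.0.113.5:40001", "192.168.1.10:80", "SYN"),
    (2, "192.168.1.10:80", "203.0.113.5:40001", "SYN-ACK"),
    (3, "203.0.113.5:40001", "192.168.1.10:80", "ACK"),      # completed handshake
] + [
    (10 + i, f"198.51.100.{i}:5000", "192.168.1.10:80", "SYN") for i in range(1, 41)
] + [
    (60 + i, "192.168.1.10:80", f"198.51.100.{i}:5000", "SYN-ACK") for i in range(1, 41)
]


def half_open_per_server(trace):
    """Return {server: number of half-open connections} after replaying the trace.

    A real implementation would also age out entries; this model only walks the
    handshake states of the packets it is given.
    """
    state = {}  # (client, server) -> "syn" | "syn-ack" | "established"
    for _, src, dst, flags in trace:
        if flags == "SYN":
            state[(src, dst)] = "syn"
        elif flags == "SYN-ACK":
            key = (dst, src)  # a SYN-ACK travels server -> client
            if state.get(key) == "syn":
                state[key] = "syn-ack"
        elif flags == "ACK":
            if state.get((src, dst)) == "syn-ack":
                state[(src, dst)] = "established"
    counts = defaultdict(int)
    for (_client, server), s in state.items():
        if s in ("syn", "syn-ack"):
            counts[server] += 1
    return dict(counts)


def syn_flood_suspects(trace, threshold=20):
    """Servers whose half-open backlog exceeds the threshold (a constructed policy value)."""
    return sorted(srv for srv, n in half_open_per_server(trace).items() if n > threshold)


if __name__ == "__main__":
    print(half_open_per_server(TRACE))   # {'192.168.1.10:80': 40}
    print(syn_flood_suspects(TRACE))     # ['192.168.1.10:80']
```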
9.6.3.2 Access DoS Configuration Page – (Firewall -> Advanced -> DoS)

Log into Configuration Manager as administrator. Click Firewall -> Advanced -> DoS. The DoS Configuration page displays as shown in Figure 9.15. When you open the DoS Configuration page, a list of default DoS protections is also displayed at the bottom half of the configuration page, such as those shown in Figure 9.15. These protections are enabled by default when the firewall is enabled.

9.6.3.
9.7 Firewall Policy List – (Firewall -> Policy List)

The firewall policy list provides a convenient way to manage firewall ACL rules (inbound/outbound ACL rules, and group ACL rules).

• IP Pools: This option allows you to configure logical names for IP Pools and set the appropriate IP addresses. Each record contains the name of the IP record and the type of IP address (a single IP address, a range of IP addresses or a subnet address).
9.7.1.2 Access IP Pool Configuration Page – (Firewall -> Policy List -> IP Pool)

Log into Configuration Manager as administrator. Click the Firewall menu, click the Policy List submenu and then click the IP Pool submenu. The IP Pool Configuration page displays, as shown in Figure 9.16. When you open the IP Pool Configuration page, a list of existing IP pools is also displayed at the bottom half of the configuration page, such as those shown in Figure 9.16.

Figure 9.
9.7.1.4 Modify an IP Pool

To modify an IP Pool:

1. Open the IP Pool Configuration page. See section 9.7.1.2 Access IP Pool Configuration Page.
2. Click on the icon of the IP pool to be modified in the IP Pool List table, or select the IP pool from the IP Pool drop-down list.
3. Make the desired changes to any or all of the following fields: Pool name, Pool type and IP address.
4. Click on to save the new settings.
1. Open the IP Pool Configuration page to create two IP groups – see Figure 9.18.

Figure 9.18. IP Pool Example – Add Two IP Pools – MISgroup1 and MISgroup2

2. Associate an IP pool to firewall ACL rules – inbound, outbound or group ACL – by selecting IP Pool from the Source IP Type drop-down list and then choosing an IP pool from the IP pool drop-down list. In this example, the IP pool is associated with the source IP.
9.7.2 Configuring NAT Pool

9.7.2.1 NAT Pool Configuration Parameters

Table 9.8 describes the configuration parameters available for a NAT pool.

Table 9.8. NAT Pool Configuration Parameters

Field          Description
NAT Pool Name  Enter a name for the NAT Pool.
NAT Pool Type  Select the type of NAT Pool and make the appropriate IP Address entries.
  Static       Select this type of NAT to set a one-to-one mapping between the Internal Address and the External Address.
9.7.2.2 Access NAT Pool Configuration Page – (Firewall -> Policy List -> NAT Pool)

Log into Configuration Manager as administrator. Click Firewall -> Policy List -> NAT Pool. The NAT Pool Configuration page displays as shown in Figure 9.20. When you open the NAT Pool Configuration page, a list of existing NAT pools is also displayed at the bottom half of the configuration page, such as those shown in Figure 9.20.

Figure 9.20. NAT Pool Configuration Page

9.7.2.
9.7.2.4 Modify a NAT Pool

To modify a NAT Pool:

1. Open the NAT Pool Configuration page. See section 9.7.2.2 Access NAT Pool Configuration Page.
2. Click on the icon of the NAT pool to be modified in the NAT Pool List table, or select the NAT pool from the NAT Pool drop-down list.
3. Make the desired changes to any or all of the following fields: Pool name, Pool type and IP address.
4. Click on to save the new settings.
1. Create a NAT pool for static NAT – see Figure 9.22.

Figure 9.22. NAT Pool Example – Create a Static NAT Pool

2. Associate the NAT pool to an outbound ACL rule by selecting NAT Pool from the NAT type drop-down list and then choosing an existing NAT pool from the NAT pool drop-down list.

Figure 9.23.
9.7.3 Configuring Time Range

With this option you can configure access time range records for eventual association with ACL rules. ACL rules associated with a time range record will be active only during the scheduled period. For example, if an ACL rule denies HTTP access from 10:00hrs to 18:00hrs, then before 10:00hrs and after 18:00hrs the HTTP traffic will be permitted to pass through. One time range record can contain up to three time periods.
9.7.3.2 Access Time Range Configuration Page – (Firewall -> Policy List -> Time Range)

Log into Configuration Manager as administrator. Click Firewall -> Policy List -> Time Range. The Time Range Configuration page displays as shown in Figure 9.24. When you open the Time Range Configuration page, a list of existing time ranges is also displayed at the bottom half of the configuration page, such as those shown in Figure 9.24.

Figure 9.24.
9.7.3.4 Modify a Time Range

To modify a Time Range:

1. Open the Time Range Configuration page. See section 9.7.3.2 Access Time Range Configuration Page.
2. Click on the icon of the Time Range to be modified in the Time Range list table, or select the Time Range from the Time Range drop-down list.
3. Select the Schedule from the schedule drop-down list.
4. Make the desired changes to any or all of the following fields: Days of week and hours.
5.
Figure 9.25. Time Range Example – Create a Time Range

2. Associate the time range to an outbound ACL rule by selecting an existing time range from the Time Range drop-down list. Figure 9.26 shows that MISgroup1 is denied FTP access during office hours.

Figure 9.26.
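The rule attributes described in sections 9.3 to 9.7 combine in a single evaluation: the firewall walks the ACL in “Move to” priority order (1 first), an IP pool selects the source hosts, and a time range decides when a rule is active, so a deny rule outside its scheduled period simply does not match. The model below is an added example (not ASUS code) of the Figure 9.26 scenario, MISgroup1 denied FTP during office hours; the pool addresses, the office-hours period, the allow-all fallback rule and the service list are constructed for the example.

```python
"""Evaluation model for SL1200-style outbound ACL rules with IP pools and time ranges."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Optional

# Constructed IP pools (Firewall -> Policy List -> IP Pool), pool type "range":
# the page names MISgroup1 and MISgroup2 but does not give their addresses.
IP_POOLS = {
    "MISgroup1": (IPv4Address("192.168.1.10"), IPv4Address("192.168.1.20")),
    "MISgroup2": (IPv4Address("192.168.1.100"), IPv4Address("192.168.1.120")),
}

# Constructed time range record with one period: Monday-Friday (0..4), 09:00 to 18:00.
# A record may hold up to three periods; any one of them matching activates the rule.
TIME_RANGES = {
    "OfficeHours": [({0, 1, 2, 3, 4}, time(9, 0), time(18, 0))],
}

# A few of the pre-configured services listed in Table 9.2: (protocol, destination port).
SERVICES = {"FTP": ("tcp", 21), "HTTP": ("tcp", 80), "SMTP": ("tcp", 25)}


@dataclass
class Rule:
    priority: int                     # the "Move to" value; 1 is examined first
    action: str                       # "allow" or "deny"
    src_pool: Optional[str] = None    # None means Source IP = Any
    service: Optional[str] = None     # None means any protocol/port
    time_range: Optional[str] = None  # None means the rule is always active


def _as_datetime(when):
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


def in_pool(pool_name, ip):
    """True if ip lies inside the named range-type IP pool."""
    lo, hi = IP_POOLS[pool_name]
    return lo <= IPv4Address(ip) <= hi


def time_range_active(name, when):
    """True if any period of the time range record covers the given moment."""
    when = _as_datetime(when)
    for days, start, end in TIME_RANGES[name]:
        if when.weekday() in days and start <= when.time() < end:
            return True
    return False


def rule_matches(rule, src_ip, proto, dport, when):
    if rule.src_pool is not None and not in_pool(rule.src_pool, src_ip):
        return False
    if rule.service is not None and SERVICES[rule.service] != (proto, dport):
        return False
    if rule.time_range is not None and not time_range_active(rule.time_range, when):
        return False
    return True


def evaluate(rules, src_ip, proto, dport, when):
    """Return the action of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, src_ip, proto, dport, when):
            return rule.action
    return "deny"  # nothing matched; a constructed fallback, not the router's documented default


# The Figure 9.26 scenario. The list is deliberately out of order to show that the
# "Move to" priority, not list position, decides the evaluation order. The priority-2
# rule stands in for an existing allow-all outbound rule (an assumption for this example).
OUTBOUND_RULES = [
    Rule(priority=2, action="allow"),
    Rule(priority=1, action="deny", src_pool="MISgroup1", service="FTP",
         time_range="OfficeHours"),
]

if __name__ == "__main__":
    # Tuesday 10:30 during office hours, FTP from a MISgroup1 host: denied
    print(evaluate(OUTBOUND_RULES, "192.168.1.15", "tcp", 21, "2006-11-07T10:30"))
    # Same host at 19:00: the time range is inactive, so the allow rule applies
    print(evaluate(OUTBOUND_RULES, "192.168.1.15", "tcp", 21, "2006-11-07T19:00"))
```

Swapping the two priorities makes the allow-all rule shadow the deny rule, which is the mistake the priority field exists to avoid.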
9.8 Firewall Statistics – (Firewall -> Statistics)

The Firewall Statistics page displays details regarding the active connections. Figure 9.27 shows sample firewall statistics for active connections. To see updated statistics, click on .

Figure 9.27.
Chapter 10 - Configuring VPN

10 Configuring VPN

This chapter contains instructions for configuring VPN connections using automatic keying and manual keys.

10.1 Default Parameters

The router is pre-configured with a default set of proposals/connections. They cover the most commonly used sets of parameters required for typical deployment scenarios. It is recommended that you use these preconfigured proposals/connections to simplify VPN connection setup.
Pre-configured IKE proposals

IKE proposals decide the type of encryption, hash algorithms, and authentication method that will be used for the establishment of the session keys between the endpoints of a tunnel. Table 10.2 lists the preconfigured IKE proposals.

Table 10.2.
Name                        Encryption Algorithm  Authentication Algorithm  Diffie-Hellman Group  Key Management   Lifetime (secs)
ike-preshared-3des-md5-dh5  3DES                  MD5                       5                     Pre-shared Keys  3600
ike-preshared-des-sha1-dh5  DES                   SHA-1                     5                     Pre-shared Keys  3600
ike-preshared-des-md5-dh5   DES                   MD5                       5                     Pre-shared Keys  3600

Pre-configured IPSec proposals

IPSec proposals decide the type of encryption and authentication for the traffic that flows between the endpoints of the tunnel. Table 10.
Default lifetime

The default lifetime for the pre-configured IKE proposals and IPSec proposals is 3600 seconds (one hour). It is recommended to set a lifetime value greater than 600 seconds for a new IKE proposal or IPSec proposal. This will reduce frequent re-keying, which would unnecessarily burden the system.

Limits for key length

The maximum key length for the pre-shared key, cipher key and authentication key is 50 characters.
10.2 VPN Tunnel Configuration Parameters

Table 10.4 describes all the VPN tunnel configuration parameters available for various VPN configurations.

Table 10.4. VPN Tunnel Configuration Parameters

Field          Description
VPN Connection Settings
ID
  Add New      Click on this option to add a new ‘basic’ Firewall rule.
  Rule Number  Select a rule from the drop-down list to modify its attributes.
Field          Description
  IP Range     This option allows you to include a range of IP addresses for applying this rule. The following fields become available for entry when this option is selected:
    Start IP   Enter the starting IP address of the range.
    End IP     Enter the ending IP address of the range.
Remote Secure Group (only available for site to site VPN mode)   This option allows you to set the remote (destination) secure network to which this rule should apply.
Field          Description
IKE Encryption / Authentication   Select the IKE authentication and encryption from the drop-down list.
Field          Description
IPSec Proposal Settings
IPSec Encryption / Authentication   Select one of the following pre-configured IKE proposals from the drop-down list. If All is selected, all the pre-configured proposals will be associated with the existing tunnel, and one (among the set of IPSec proposals) will be selected automatically and used by IPSec to communicate with its peer.
10.3 Establish VPN Connection Using Automatic Keying

This section describes the steps to establish the VPN tunnel using the Configuration Manager. Internet Key Exchange (IKE) is the automatic keying protocol used to exchange the key that is used to encrypt/authenticate the data packets according to the user-configured rule. The parameters that should be configured are:

• the network addresses of the internal and remote networks.
2. Prior to adding a VPN rule, make sure that the VPN service is enabled in the System Service Configuration page.
3. Select Add New from the ID drop-down list.
4. Enter a desired name, preferably a meaningful name that signifies the nature of the VPN connection, in the Name field. Only alphanumeric characters are allowed in a name.
5. Click on the Enable or Disable radio button to enable or disable this rule.

Figure 10.1. VPN Tunnel Configuration Page – Pre-shared Key Mode

6.
10.3.2 Modify VPN Rules

To modify a VPN rule:

1. Log into Configuration Manager as administrator. Click VPN -> VPN Tunnel.
2. Prior to modifying a VPN rule, make sure that the VPN service is enabled in the System Service Configuration page.
3. Select the rule number from the ID drop-down list, or click on the icon of the rule to be modified in the VPN Connection Status table.
4. Click on the Enable or Disable radio button to enable or disable this rule.
5.
10.3.4 View VPN Rules

To view existing VPN rules:

1. Log into Configuration Manager as administrator. Click VPN -> VPN Tunnel.
2. The VPN rule table located at the bottom half of the VPN Configuration page shows all the configured VPN rules.

10.4 VPN Statistics

The Statistics option allows you to view information about the VPN statistics – Global, IKE SAs and IPSec SAs. Table 10.5 gives a description of the VPN statistics parameters.

Table 10.5.
Entry                                Description
IKE Statistics                       IKE negotiation statistics
  IKE Phase1 Negotiation Done        Number of IKE phase-1 negotiations performed
  Failed IKE Negotiations Done       Number of failed IKE phase-1 negotiations
  Quick Mode Negotiation Performed   Number of IKE quick mode negotiations performed
  Number of ISAKMP SAs               Number of phase 1 SAs
ESP Statistics                       Number of ESP statistics
  Active Inbound ESP SAs             Number of active inbound ESP SAs
  Active Outbound ESP SAs            Number of active outbound
Figure 10.2. VPN Statistics Page

10.5 VPN Connection Examples

Gateways with integrated VPN and Firewall are useful in scenarios where:

• The traffic between branch offices is protected by VPN, and
• Traffic destined for the public Internet goes through Firewall/NAT.

To avoid NAT/IPSec interoperability issues, outgoing traffic is first processed by Firewall/NAT and then by IPSec. Hence, you must ensure that appropriate Firewall rules are configured to let the VPN traffic go through.
10.5.1.1 Configure Rules on Internet Security Router 1 (ISR1)

This section describes the steps to establish the VPN/Firewall for the Intranet scenario. Figure 10.3 shows the typical Intranet connections. The ADSL or cable modem is not required if the two networks are connected via Ethernet connections. The setting of each configuration step is illustrated in a figure. For instructions on the configuration of each step, refer to the next section for details.

Figure 10.3.
Figure 10.4. Intranet VPN Policy Configuration on ISR1

Step 1: Configure VPN connection rules

Refer to section 10.3 Establish VPN Connection Using Automatic Keying to configure VPN policies on ISR1 using automatic keying.

Step 2: Configure Firewall rules

1. Configure an outbound Firewall rule to allow packets from 192.168.1.0/255.255.255.0 to 192.168.2.0/255.255.255.0 without any NAT.
2. Configure an inbound Firewall rule to allow packets from 192.168.2.0/255.255.255.0 to 192.
Table 10.6. Outbound Un-translated Firewall Rule for VPN Packets on ISR1

Field            Value
Source IP        Type: Subnet; Address: 192.168.1.0; Mask: 255.255.255.0
Destination IP   Type: Subnet; Address: 192.168.1.0; Mask: 255.255.255.0
NAT              None
Action           Allow
VPN              Enable

The outbound Un-translated Firewall rule has to be added before the existing rule ID 1001.

Table 10.7.
10.5.1.2 Configure Rules on Internet Security Router 2 (ISR2)

Step 1: Configure VPN connection rules

Refer to section 10.3 Establish VPN Connection Using Automatic Keying to configure VPN policies on ISR2 using automatic keying.

Figure 10.5. Intranet VPN Policy Configuration on ISR2

Step 2: Configure Firewall rules

1. Configure an outbound Firewall rule to allow packets from 192.168.2.0/255.255.255.0 to 192.168.1.0/255.255.255.0 without any NAT.
2.
Table 10.8. Outbound Un-translated Firewall Rule for VPN Packets on ISR1

Field            Value
Source IP        Type: Subnet; Address: 192.168.2.0; Mask: 255.255.255.0
Destination IP   Type: Subnet; Address: 192.168.1.0; Mask: 255.255.255.0
NAT              None
Action           Allow
VPN              Enable

The outbound Un-translated Firewall rule has to be added before the existing rule ID 1001.

Table 10.9.
10.5.1.3 Establish Tunnel and Verify

• Ping continuously from a host in the LAN behind ISR1 to a host in the LAN behind ISR2. The first few pings might fail. After a few seconds, the host in the LAN behind ISR1 should start getting ping responses.

10.5.2 Extranet Scenario – firewall + static NAT + VPN for VPN traffic

In the extranet scenario, the networks protected by the routers could be under different administrative authorities.
The results are:

• The LAN behind ISR1 would be viewed as 192.168.11.0/24 by the LAN behind ISR2.
• The LAN behind ISR2 would be viewed as 192.168.12.0/24 by the LAN behind ISR1.

The configuration of each of the routers for the extranet scenario consists of the following steps:

• Configure VPN Connection rules.
• Configure Firewall rules to allow inbound and outbound VPN traffic by performing one-to-one NAT.
10.5.2.2 Configure VPN Rules on ISR1

Step 1: Configure VPN Rule

Refer to section 10.3 Establish VPN Connection Using Automatic Keying to configure VPN policies on ISR1 using automatic keying with the following addresses:

1. Use 192.168.11.0/255.255.255.0 for the Local Secure Group
2. Use 192.168.12.0/255.255.255.0 for the Remote Secure Group

Figure 10.7. Extranet Example – VPN Policy Configuration on ISR1

Step 2: Configure Static NAT Pools

1.
2. Configure an incoming static NAT pool (reverse-static-NAT) for translating addresses in the range 192.168.11.1-192.168.11.254 to 192.168.1.1-192.168.1.254.

Figure 10.9. Extranet Example – Incoming NAT Pool Configuration on ISR1

Step 3: Configure Extranet access rules

1. Configure outbound Firewall rules to map the source IP address of outbound packets from the 192.168.1.x range to the 192.168.11.x range (defined by the Outgoing_NAT pool) before sending the packet to the VPN.

Figure 10.10.
Figure 10.11. Extranet Example – Inbound ACL Rule on ISR1

10.5.2.3 Configure VPN Rules on ISR2

Step 1: Configure VPN rules

Refer to section 10.3 Establish VPN Connection Using Automatic Keying to configure VPN policies on ISR2 using automatic keying with the following addresses:

1. Use 192.168.12.0/255.255.255.0 as the Local Secure Group
2. Use 192.168.11.0/255.255.255.0 as the Remote Secure Group

Figure 10.12.
Step 2: Configure Static NAT Pools

1. Configure an outgoing static NAT pool (static-NAT) for translating addresses in the range 192.168.1.1-192.168.1.254 to 192.168.12.1-192.168.12.254.

Figure 10.13. Extranet Example – Outgoing NAT Pool Configuration on ISR2

2. Configure an incoming static NAT pool (reverse-static-NAT) for translating addresses in the range 192.168.12.1-192.168.12.254 to 192.168.1.1-192.168.1.254.

Figure 10.14.
Figure 10.15. Extranet Example – Outbound ACL Rule on ISR2

2. Configure inbound Firewall rules to map the destination IP address of inbound packets from the 192.168.12.x range to the 192.168.1.x range after the packet is processed by the VPN.

Figure 10.16.
10.5.2.4 Establish Tunnel and Verify
• Start a continuous ping from a host on the LAN behind ISR1 to a host on the LAN behind ISR2. The first few pings will fail while the tunnel is being established; after a few seconds, the host on the LAN behind ISR1 should start receiving ping responses.
• Ping from a host on the LAN behind ISR2 to a host on the LAN behind ISR1. The ping should be successful.
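The extranet procedure in 10.5.2 only works because each router rewrites addresses twice: the source is translated by the outgoing static NAT pool before the packet enters the VPN, and the destination is translated back by the incoming pool after it leaves the tunnel. The model below is an added example, not code from the manual or from the SL1200 firmware; it replays that address flow for the two routers as configured above. The host addresses (192.168.1.10 behind ISR1, 192.168.1.20 behind ISR2) and all class and function names are this example's own assumptions, and it treats both LANs as 192.168.1.0/24, which is what the translated ranges on both routers imply.

```python
"""Added example, not from the ASUS manual: a model of the extranet setup in
section 10.5.2, where the LAN behind ISR1 and the LAN behind ISR2 both use
192.168.1.0/24 and are presented to each other as 192.168.11.0/24 and
192.168.12.0/24 through static NAT pools.

Host addresses are constructed for this example: host A = 192.168.1.10 behind
ISR1, host B = 192.168.1.20 behind ISR2. Class and function names are this
example's own, not names from the SL1200 Configuration Manager.
"""
from ipaddress import IPv4Address, IPv4Network


class StaticNatPool:
    """One-to-one translation of a contiguous range onto a range of the same
    size (the manual's static-NAT and reverse-static-NAT pools)."""

    def __init__(self, name, src_first, src_last, dst_first):
        self.name = name
        self.src_first = IPv4Address(src_first)
        self.src_last = IPv4Address(src_last)
        self.dst_first = IPv4Address(dst_first)

    def translate(self, addr):
        addr = IPv4Address(addr)
        if not self.src_first <= addr <= self.src_last:
            return addr  # not in the pool: the address passes through unchanged
        return self.dst_first + (int(addr) - int(self.src_first))


class Isr:
    """A router with an outgoing pool, an incoming pool and one VPN policy."""

    def __init__(self, name, outgoing, incoming, local_group, remote_group):
        self.name = name
        self.outgoing = outgoing  # static-NAT: applied to the source before the VPN
        self.incoming = incoming  # reverse-static-NAT: applied to the destination after the VPN
        self.local_group = IPv4Network(local_group)
        self.remote_group = IPv4Network(remote_group)

    def send(self, src, dst):
        """Outbound ACL rule: translate the source, then require the packet to
        match the Local/Remote Secure Group of the VPN policy."""
        src = self.outgoing.translate(src)
        dst = IPv4Address(dst)
        if src not in self.local_group or dst not in self.remote_group:
            raise ValueError(f"{self.name}: {src} -> {dst} does not match the VPN policy")
        return src, dst

    def receive(self, src, dst):
        """Inbound ACL rule: a packet leaving the tunnel must match the policy
        selectors; then translate the destination back to the real LAN address."""
        src, dst = IPv4Address(src), IPv4Address(dst)
        if src not in self.remote_group or dst not in self.local_group:
            raise ValueError(f"{self.name}: {src} -> {dst} does not match the VPN policy")
        return src, self.incoming.translate(dst)


# ISR1 as configured in 10.5.2.2
ISR1 = Isr(
    "ISR1",
    outgoing=StaticNatPool("Outgoing_NAT", "192.168.1.1", "192.168.1.254", "192.168.11.1"),
    incoming=StaticNatPool("Incoming_NAT", "192.168.11.1", "192.168.11.254", "192.168.1.1"),
    local_group="192.168.11.0/24",
    remote_group="192.168.12.0/24",
)

# ISR2 as configured in 10.5.2.3
ISR2 = Isr(
    "ISR2",
    outgoing=StaticNatPool("Outgoing_NAT", "192.168.1.1", "192.168.1.254", "192.168.12.1"),
    incoming=StaticNatPool("Incoming_NAT", "192.168.12.1", "192.168.12.254", "192.168.1.1"),
    local_group="192.168.12.0/24",
    remote_group="192.168.11.0/24",
)


def deliver(sender, receiver, src, dst):
    """Carry one packet from a host behind `sender` to a host behind `receiver`
    and return the (source, destination) pair the receiving host sees."""
    tunnel_src, tunnel_dst = sender.send(src, dst)
    seen_src, seen_dst = receiver.receive(tunnel_src, tunnel_dst)
    return str(seen_src), str(seen_dst)


def is_deliverable(sender, receiver, src, dst):
    """True if a packet addressed to `dst` is accepted by both VPN policies."""
    try:
        deliver(sender, receiver, src, dst)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Host A must address host B by B's translated address 192.168.12.20 ...
    print(deliver(ISR1, ISR2, "192.168.1.10", "192.168.12.20"))
    # ... and B replies to A's translated address 192.168.11.10.
    print(deliver(ISR2, ISR1, "192.168.1.20", "192.168.11.10"))
    # B's real address 192.168.1.20 does not match the policy; on the real
    # network host A would treat it as a host on its own LAN.
    print(is_deliverable(ISR1, ISR2, "192.168.1.10", "192.168.1.20"))
```

The point the model makes explicit is that hosts on each side must use the translated (192.168.11.x / 192.168.12.x) addresses of their peers; traffic sent to the overlapping 192.168.1.x addresses never matches the VPN policy selectors, which is also what the ping tests in 10.5.2.4 are checking.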
Chapter 11 - System Management

11 System Management
This chapter describes the following administrative tasks that you can perform using Configuration Manager:
• Configure system services
• Modify password
• Modify system information
• Modify system date and time
• Reset, backup and restore system configuration
• Update firmware
• Log out of Configuration Manager
You can access these tasks from the System Management menu.

11.1 Configure System Services
As shown in Figure 11.
Figure 11.1. System Services Configuration Page

11.2 Change the Login Password
The first time you log into the Configuration Manager, you use the default username and password (admin and admin). The system allows two types of users – administrator (username: admin) and guest (username: guest). The administrator has the privilege to modify the system settings, while the guest can only view the system settings.
The Password Configuration page allows you to change the supervisor's or user's password. Follow the steps below to change the password:
1. Log into Configuration Manager as admin, click the System Management menu, and then click the User Account submenu. The User Account Configuration page displays, as shown in Figure 11.2.
2. Enter the existing password in the Login Password field.
3. Type the new password in the New Password text field and again in the Confirm New Password text field.
11.4 Setup Date and Time
The Internet Security Router keeps a record of the current date and time, which it uses to calculate and report various performance data.
Figure 11.4. Date and Time Configuration Page
There is no real time clock inside the Internet Security Router. The system date and time are maintained by an external network time server.
11.5 SNMP Setup
Simple Network Management Protocol (SNMP) is used for network management. You may use the SNMP configuration page to enable or disable the SNMP support.

11.5.1 SNMP Configuration Parameters
Table 11.1 describes the configuration parameters available for SNMP setup.
Table 11.1. Fixed DHCP Lease Configuration
Field   Description
SNMP    Click on the Enable or Disable radio button to enable or disable the SNMP support.
Figure 11.5. SNMP Configuration
5. Click to save the configuration. You can verify your settings in the existing SNMP configuration table displayed at the bottom of the configuration page.
Figure 11.6. Existing SNMP Configuration

11.6 System Configuration Management

11.6.1 Reset System Configuration
At times, you may want to revert to the factory default settings to eliminate problems resulting from an incorrect system configuration.
To reset system configuration
1.
Figure 11.7. Default Setting Configuration Page
Sometimes, you may find that you have no way to access the Internet Security Router, such as when you forget your password. The only way out in this scenario is to reset the system configuration to the factory default.
To reset the router
1. Power down the Internet Security Router and wait for at least five seconds.
2.
Figure 11.8. Backup System Configuration Page

11.6.3 Restore System Configuration
To restore system configuration
1. Log into the Configuration Manager as administrator. Click System Management -> Configuration -> Restore. The Restore Configuration page displays, as shown in Figure 11.9.
Figure 11.9. Restore System Configuration Page
2. Enter the path and name of the system configuration file that you want to restore in the Configuration File text box.
Figure 11.10. Windows File Browser
3. Click to restore the system configuration. The Internet Security Router will reboot to put the new system configuration into effect.

11.7 Upgrade Firmware
ASUSTek may from time to time provide you with an update to the firmware running on the Internet Security Router. All system software is contained in a single file, called an image. Configuration Manager provides an easy way to upload the new firmware image.
2. In the Firmware text box, enter the path and name of the firmware image file. Alternatively, you may click on button to search for it on your hard drive.
3. Click to update the firmware. The firmware upgrade may take up to 5 minutes. After the transfer of the firmware is completed, the Internet Security Router will reboot to put the new firmware into effect.
11.
11.9 Logout Configuration Manager
To log out of Configuration Manager, click in the Configuration Manager Logout page. If you are using IE as your browser, a window similar to the one shown in Figure 11.14 will prompt for confirmation before closing your browser.
Figure 11.13. Configuration Manager Logout Page
Figure 11.14.
Chapter 12 - ALG Configuration

12 ALG Configuration
Table 12.1 lists all the supported ALGs (Application Layer Gateway).
Table 12.1. Supported ALG
ALG/Application Name   Protocol and Port   Predefined Service Name   Tested Software Version
PCAnywhere             UDP/22              PC-ANYWHERE               pcAnywhere 9.0.
ALG/Application Name   Protocol and Port   Predefined Service Name   Tested Software Version
Netmeeting with GK     TCP/1720            H323                      Windows Netmeeting Version 3.01
                       UDP/1719            H323GK                    Opengk Version 1.2.0
                       UDP/53              DNS
SIP                    UDP/5060            SIP                       SIP User Agent 2.0
Intel Video Phone      TCP/1720            H323                      Intel Video Phone Version 5.0
                       UDP/53              DNS
FTP                    TCP/21              FTP                       WFTPD version 2.03
                       UDP/53              DNS                       Redhat Linux 7.
L2TP                   UDP/1701            L2TP
                       UDP/53              DNS
PPTP                   TCP/1723            PPTP
                       UDP/53              DNS
ALG/Application Name   Protocol and Port   Predefined Service Name   Tested Software Version
Chats
MSIM                   TCP/1863            MSN                       MSN Messenger Service Version 3.6.
                       TCP/80              HTTP
                       UDP/53              DNS
ALG/Application Name   Protocol and Port   Predefined Service Name   Tested Software Version
Chats
POP3                   TCP/110             POP3                      Outlook Express 5
                       UDP/53              DNS
IMAP                   TCP/143             IMAP4                     Outlook Express 5
                       UDP/53              DNS
SMTP                   TCP/25              SMTP                      Outlook Express 5
                       UDP/53              DNS
HTTPS / TLS / SSL      TCP/443             HTTPS                     Internet Explorer 5
                       TCP/80              HTTP
                       UDP/53              DNS
LDAP                   TCP/389             ILS                       Openldap 2.0.
                       UDP/53              DNS
NNTP                   TCP/119             NNTP
                       UDP/53              DNS
Chapter 13 - IP Addresses, Network Masks, and Subnets 13 IP Addresses, Network Masks, and Subnets 13.1 IP Addresses This section pertains only to IP addresses for IPv4 (version 4 of the Internet Protocol). IPv6 addresses are not covered. This section assumes basic knowledge of binary numbers, bits, and bytes. IP addresses, the Internet’s version of telephone numbers, are used to identify individual nodes (computers or devices) on the Internet.
Table 13.1. IP Address structure
Class     Field1       Field2       Field3       Field4
Class A   Network ID   Host ID      Host ID      Host ID
Class B   Network ID   Network ID   Host ID      Host ID
Class C   Network ID   Network ID   Network ID   Host ID
Here are some examples of valid IP addresses:
Class A: 10.30.6.125 (network = 10, host = 30.6.125)
Class B: 129.88.16.49 (network = 129.88, host = 16.49)
Class C: 192.60.201.11 (network = 192.60.201, host = 11)

13.2 Network classes
The three commonly used network classes are A, B, and C.
13.3 Subnet masks
A mask looks like a regular IP address, but contains a pattern of bits that tells what parts of an IP address are the network ID and what parts are the host ID: bits set to 1 mean “this bit is part of the network ID” and bits set to 0 mean “this bit is part of the host ID.” Subnet masks are used to define subnets (what you get after dividing a network into smaller pieces).
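The following program is an added example, not part of the manual, that works through sections 13.1 to 13.3 with bit operations rather than a library call: it splits an address into network ID and host ID under a mask, accepts the mask either in dotted form or as a prefix length, rejects masks whose 1 bits are not contiguous, and reports the subnet's broadcast address and usable host count. The classful ranges it uses for the first octet (A = 0-127, B = 128-191, C = 192-223) are the standard ones and are an assumption, since the chapter does not list them; all function names are this example's own.

```python
"""Added example, not from the ASUS manual: sections 13.1-13.3 worked through
with bit operations, so the network ID / host ID split and the effect of a
subnet mask can be checked on real addresses.

Assumption (the class ranges are not spelled out on the page): standard
classful ranges by first octet, A = 0-127, B = 128-191, C = 192-223.
"""

ALL_ONES = 0xFFFFFFFF


def parse_ipv4(text):
    """Dotted quad -> 32-bit integer, rejecting anything that is not four
    decimal octets in 0..255."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {text!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"bad octet {part!r} in {text!r}")
        value = (value << 8) | int(part)
    return value


def to_dotted(value):
    """32-bit integer -> dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_mask(text):
    """Accept a dotted mask ('255.255.255.128') or a prefix length ('25' or
    '/25') and return it as an integer. The 1 bits must be contiguous from the
    left, as section 13.3 describes."""
    text = text.strip()
    if "." in text:
        mask = parse_ipv4(text)
    else:
        prefix = int(text.lstrip("/"))
        if not 0 <= prefix <= 32:
            raise ValueError(f"prefix length out of range: {text!r}")
        mask = (ALL_ONES << (32 - prefix)) & ALL_ONES
    # For a run of 1s followed by 0s, the inverted mask is 2**n - 1, which
    # shares no bits with its successor; any other pattern fails this test.
    inverted = mask ^ ALL_ONES
    if inverted & (inverted + 1):
        raise ValueError(f"mask bits are not contiguous: {text!r}")
    return mask


def is_valid_mask(text):
    """True if parse_mask() accepts the text."""
    try:
        parse_mask(text)
        return True
    except ValueError:
        return False


def address_class(text):
    """Class by first octet (assumed standard ranges, see module docstring)."""
    first = parse_ipv4(text) >> 24
    if first <= 127:
        return "A"
    if first <= 191:
        return "B"
    if first <= 223:
        return "C"
    return "D/E (not covered by chapter 13)"


def split_address(addr_text, mask_text):
    """Apply a mask to an address: network ID = bits where the mask is 1,
    host ID = bits where the mask is 0."""
    addr = parse_ipv4(addr_text)
    mask = parse_mask(mask_text)
    host_bits = mask ^ ALL_ONES
    prefix = bin(mask).count("1")
    return {
        "class": address_class(addr_text),
        "mask": to_dotted(mask),
        "prefix": prefix,
        "network_id": to_dotted(addr & mask),
        "host_id": to_dotted(addr & host_bits),
        "broadcast": to_dotted((addr & mask) | host_bits),
        "usable_hosts": max(2 ** (32 - prefix) - 2, 0),
    }


def same_subnet(a_text, b_text, mask_text):
    """True if both addresses share a network ID under the mask; this is the
    check behind 'can my PC reach the router's LAN address 192.168.1.1'."""
    mask = parse_mask(mask_text)
    return parse_ipv4(a_text) & mask == parse_ipv4(b_text) & mask


if __name__ == "__main__":
    for addr, mask in (("10.30.6.125", "255.0.0.0"), ("129.88.16.49", "255.255.0.0"),
                       ("192.60.201.11", "255.255.255.0"), ("192.168.1.130", "/25")):
        print(addr, mask, split_address(addr, mask))
    print(same_subnet("192.168.1.77", "192.168.1.1", "255.255.255.0"))
    print(same_subnet("192.168.2.77", "192.168.1.1", "255.255.255.0"))
```

Running it on the chapter's three examples reproduces the network/host split given in Table 13.1; the /25 case shows a subnet in the sense of section 13.3, where the first host bit has been borrowed for the network ID, so 192.168.1.130 lands in 192.168.1.128/25 with 126 usable hosts.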
Chapter 14 - Troubleshooting

14 Troubleshooting
This appendix suggests solutions for problems you may encounter in installing or using the Internet Security Router, and provides instructions for using several IP utilities to diagnose problems. Contact Customer Support if these suggestions do not resolve the problem.
Table 14.1. Problems and suggestions
Problem                                                      Troubleshooting Suggestion
LEDs
Power LED does not illuminate after product is turned on.
Problem                                                      Troubleshooting Suggestion
Internet Access
PC cannot access Internet                                    Use the ping utility, discussed in the following section, to check whether your PC can communicate with the Internet Security Router’s LAN IP address (by default 192.168.1.1). If it cannot, check the Ethernet cabling.
Problem                                                      Troubleshooting Suggestion
Configuration Manager Program
You forgot/lost your Configuration Manager user ID or        If you have not changed the password from the default, try using “admin” as both the user ID and password. Otherwise, you can reset the device to the default configuration by following the instructions provided in section 11.5.1 “Reset System Configuration”.
password.
Cannot access the Configuration Manager program from your
browser.
14.1 Diagnosing problems using IP utilities

14.1.1 ping
Ping is a command you can use to check whether your PC can recognize other computers on your network and the Internet. A ping command sends a message to the computer you specify. If the computer receives the message, it sends messages in reply. To use it, you must know the IP address of the computer with which you are trying to communicate. On Windows-based computers, you can execute a ping command from the Start menu.
you do not know the IP address of a particular Internet location, you can use the nslookup command, as explained in the following section. From most other IP-enabled operating systems, you can execute the same command at a command prompt or through a system administration utility.

14.1.2 nslookup
You can use the nslookup command to determine the IP address associated with an Internet site name.
Chapter 15 - Glossary

15 Glossary
10BASE-T A designation for the type of wiring used by Ethernet networks with a data rate of 10 Mbps. Also known as Category 3 (CAT 3) wiring. See also data rate, Ethernet.
100BASE-T A designation for the type of wiring used by Ethernet networks with a data rate of 100 Mbps. Also known as Category 5 (CAT 5) wiring. See also data rate, Ethernet.
1000BASE-T A designation for the type of wiring used by Ethernet networks with a data rate of 1000 Mbps.
Ethernet The most commonly installed computer network technology, usually using twisted pair wiring. Ethernet data rates are 10 Mbps and 100 Mbps. See also 10BASE-T, 100BASE-T, twisted pair.
FTP File Transfer Protocol A program used to transfer files between computers connected to the Internet. Common uses include uploading new or updated files to a web server, and downloading files from a web server.
host A device (usually a computer) connected to a network.
Monitor Also called “Roving Analysis”, allows you to attach a network analyzer to one port and use it to monitor the traffic of other ports on the switch.
network mask A network mask is a sequence of bits applied to an IP address to select the network ID while ignoring the host ID. Bits set to 1 mean “select this bit” while bits set to 0 mean “ignore this bit.” For example, if the network mask 255.255.255.0 is applied to the IP address 100.10.50.1, the network ID is 100.10.
remote In a physically separate location. For example, an employee away on travel who logs in to the company’s intranet is a remote user.
RJ-45 Registered Jack Standard-45 The 8-pin plug used in transmitting data over phone lines. Ethernet cabling usually uses this type of connector.
RMON Remote Monitoring Extensions to SNMP that provide comprehensive network monitoring capabilities.
TCP/IP Transmission Control Protocol/Internet Protocol The basic protocols used on the Internet. TCP is responsible for dividing data up into packets for delivery and reassembling them at the destination, while IP is responsible for delivering the packets from source to destination. When TCP and IP are bundled with higher-level applications such as HTTP, FTP, Telnet, etc., TCP/IP refers to this whole suite of protocols.
upstream The direction of data transmission from the user to the Internet.
VLAN Virtual Local Area Network
WAN Wide Area Network Any network spread over a large geographical area, such as a country or continent. With respect to the SL-1000, WAN refers to the Internet.