BCM50e Integrated Router Configuration — Basics BCM50e Business Secure Router Document Number: N0115788 Document Version: 1.
Copyright © Nortel 2005–2006 All rights reserved. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel.
Contents

Preface (p. 29); Before you begin (29); Text conventions (29); Related publications
Brute force password guessing protection (36); Content filtering (36); Packet filtering (36); Universal Plug and Play (UPnP) (37); Call scheduling
Wizard setup: General Setup and System Name (49); Domain Name (50); Wizard setup: Screen 2 (50); Ethernet (51); PPTP
Chapter 2 System screens (11); System overview (11); DNS overview (11); Private DNS server
Ethernet Encapsulation (39); PPPoE Encapsulation (40); PPTP Encapsulation (42); Service type (44); Configuring WAN IP
Configuring Trigger Port Forwarding (79); Chapter 6 Static Route screens (81); Static Route overview (81); Configuring IP Static Route
Firewall policies overview (103); Rule logic overview (105); Rule checklist (105); Security ramifications
BCM50e Integrated Router VPN functions (133); VPN screens overview (134); Other terminology (135); Encryption (135); Data confidentiality
Negotiation Mode (171); Preshared key (172); Diffie-Hellman (DH) Key Groups (172); Perfect Forward Secrecy (PFS) (172); Configuring advanced Branch office setup
Chapter 12 Bandwidth management (229); Bandwidth management overview (229); Bandwidth classes and filters (230); Proportional bandwidth allocation
Avoiding the browser warning messages (261); Logon screen (262); SSH overview (267); How SSH works
WebGUI easy access (295); Chapter 16 Logs Screens (297); Configuring View Log (297); Configuring Log settings
Problems with the LAN LED (330); Problems with the LAN interface (330); Problems with the WAN interface (331); Problems with Internet Access
Figures

Figure 1 Secure Internet Access and VPN Application (41); Figure 2 Login screen (44); Figure 3 Change password screen (45); Figure 4 Replace certificate screen (45); Figure 5 MAIN MENU Screen
Figure 19 Traffic Redirect (53); Figure 20 Dial Backup Setup (55); Figure 21 Advanced Setup (60); Figure 22 How NAT works
Figure 54 Transport and Tunnel mode IPSec encapsulation (140); Figure 55 IPSec summary fields (143); Figure 56 Summary (144); Figure 57 NAT router between VPN switches (147); Figure 58 VPN Contivity Client rule setup
Figure 89 Bandwidth Manager: Edit class (236); Figure 90 Bandwidth management statistics (239); Figure 91 Bandwidth manager monitor (240); Figure 92 Local User database (242); Figure 93 Local User database edit
Figure 124 Communications (290); Figure 125 Network connections (291); Figure 126 Windows optional networking components wizard (291); Figure 127 Windows XP networking services (292); Figure 128 Internet gateway icon
Figure 159 Internet options (336); Figure 160 Pop-up Blocker settings (337); Figure 161 Internet options (338); Figure 162 Security Settings - Java Scripting (339); Figure 163 Security Settings - Java
Tables

Table 1 Feature Specifications (33); Table 2 Wizard 2: Ethernet Encapsulation (52); Table 3 Wizard 2: PPTP Encapsulation (53); Table 4 Wizard2: PPPoE Encapsulation (55); Table 5 Private IP Address Ranges
Table 23 Address Mapping (74); Table 24 Address Mapping edit (76); Table 25 Trigger Port (80); Table 26 IP Static Route summary (83); Table 27 Edit IP Static Route
Table 58 VPN Client Termination advanced (189); Table 59 My Certificates (197); Table 60 My Certificate Import (200); Table 61 My Certificate create (202); Table 62 My Certificate details
Table 93 View Log (298); Table 94 Log settings (301); Table 95 Reports (304); Table 96 Web site hits report
Table 127 PKI Logs (364); Table 128 Certificate Path Verification Failure Reason Codes (366); Table 130 Log categories and available settings
Preface

Before you begin

This guide assists you through the basic configuration of your Business Secure Router for its various applications.

Note: This guide explains how to use the WebGUI to configure your Business Secure Router. See for how to use the System Management Terminal (SMT) or the command interpreter interface to configure your Business Secure Router. Not all features can be configured through all interfaces.
A single keystroke is written in Arial font and enclosed in square brackets. For instance, [ENTER] means the Enter key; [ESC] means the escape key and [SPACE BAR] means the space bar. [UP] and [DOWN] are the up and down arrow keys. Mouse action sequences are denoted using a comma. For example, “click the Apple icon, Control Panels and then Modem” means first click the Apple icon, then point your mouse pointer to Control Panels and then click Modem.
Getting Help from the Nortel Web site

The best way to get technical support for Nortel products is from the Nortel Technical Support Web site: www.nortel.com/support

This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products.
Getting Help through a Nortel distributor or reseller

If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.
Chapter 1 Getting to know your BCM50e Integrated Router

This chapter introduces the main features and applications of the Business Secure Router.

Introducing the BCM50e Integrated Router

The BCM50e Integrated Router is an ideal secure gateway for all data passing between the Internet and the Local Area Network (LAN).
Table 1 Feature Specifications
Number of concurrent IKE Phase 1 Security Associations (these correspond to the gateway policies): 10
Number of concurrent IPSec VPN tunnels (Phase 2 Security Associations; these correspond to the network policies and are also monitorable and manageable). For example, five IKE gateway policies could each use 12 IPSec tunnels for a total of 60 phase 2 IPSec VPN tunnels.
Autonegotiating 10/100 Mb/s Ethernet WAN

The 10/100 Mb/s Ethernet WAN port attaches to the Internet via broadband modem or router and automatically detects if it is on a 10 or a 100 Mb/s Ethernet.

Time and date

Using the Business Secure Router, you can get the current time and date from an external server when you turn on your Business Secure Router. You can also set the time manually.
SSH

The Business Secure Router uses the SSH (Secure Shell) secure communication protocol to provide secure encrypted communication between two hosts over an unsecured network.

HTTPS

HyperText Transfer Protocol over Secure Socket Layer (HTTP over SSL) is a web protocol that encrypts and decrypts web sessions. Use HTTPS for secure WebGUI access to the Business Secure Router.
Universal Plug and Play (UPnP)

Using the standard TCP/IP protocol, the Business Secure Router and other UPnP-enabled devices can dynamically join a network, obtain an IP address, and convey their capabilities to other devices on the network.

Call scheduling

Configure call time periods to restrict and allow access for users on remote nodes.
IP Alias

Using IP Alias, you can partition a physical network into logical networks over the same Ethernet interface. The Business Secure Router supports three logical LAN interfaces via its single physical Ethernet LAN interface with the Business Secure Router itself as the gateway for each LAN network.
Port Forwarding

Use this feature to forward incoming service requests to a server on your local network. You can enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server.

DHCP (Dynamic Host Configuration Protocol)

With DHCP (Dynamic Host Configuration Protocol), individual client computers can obtain the TCP/IP configuration at start-up from a centralized DHCP server.
Upgrade Business Secure Router Firmware

The firmware of the Business Secure Router can be upgraded manually via the WebGUI.

Embedded FTP and TFTP Servers

The Business Secure Router’s embedded FTP and TFTP Servers enable fast firmware upgrades, as well as configuration file backups and restoration.
Figure 1 Secure Internet Access and VPN Application
Chapter 2 Introducing the WebGUI

This chapter describes how to access the Business Secure Router WebGUI and provides an overview of its screens.

WebGUI overview

There are two methods to access the WebGUI for the Business Secure Router. It can be launched from Element Manager or from a web browser on the same subnet as the router. Use Internet Explorer 6.0 or later, or Netscape Navigator 7.0 or later. The recommended screen resolution is 1024 by 768 pixels.
1 Launch your web browser.
2 Type 192.168.1.1 as the URL.
3 Type the user name (nnadmin is the default) and the password (PlsChgMe! is the default) and click Login. Click Reset to clear any information you have entered in the Username and Password fields.

Figure 2 Login screen

4 A screen asking you to change your password (highly recommended) appears and is shown in Figure 3.
Figure 3 Change password screen

5 Click Apply in the Replace Certificate screen to create a certificate using your Business Secure Router’s MAC address that is specific to this device.
The MAIN MENU screen appears.

Note: The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back on to the Business Secure Router if this happens to you.

Restoring the factory default configuration settings

If you just want to restart the Business Secure Router, press the rear panel RESET button for one to three seconds.
Navigating the Business Secure Router WebGUI

Follow the instructions in the MAIN MENU screen or click the help icon (located in the top right corner of most screens) to view online help.

Note: The help icon does not appear in the MAIN MENU screen.

Figure 5 MAIN MENU Screen

Click the Contact link to display the customer support contact information. Figure 7 is a sample of what displays.
Figure 6 Contact Support
Chapter 3 Wizard setup

This chapter provides information on the Wizard screens in the WebGUI.

Wizard overview

The setup wizard in the WebGUI helps you configure your device to access the Internet. The second screen has three variations, depending on which encapsulation type you use. Refer to your ISP checklist in the Nortel BCM50e Integrated Router 222 — Fundamentals (NN47922-301) to know what to enter in each field. Leave a field blank if you do not have the required information.
Domain Name

The Domain Name entry is what is propagated to the DHCP clients on the LAN. If you leave this blank, the domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name) on each individual computer, the domain name can be assigned from the Business Secure Router via DHCP. Click Next to configure the Business Secure Router for Internet access.
Ethernet

Choose Ethernet when the WAN port is used as a regular Ethernet.
Table 2 describes the fields in Figure 8.

Table 2 Wizard 2: Ethernet Encapsulation
Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection.
Service Type: Choose from Standard, RR-Telstra (Telstra authentication method), RR-Manager (Road Runner Manager authentication method) or RR-Toshiba (Road Runner Toshiba authentication method).
Figure 9 Wizard 2: PPTP Encapsulation

Table 3 describes the fields in Figure 9.

Table 3 Wizard 2: PPTP Encapsulation
ISP Parameters for Internet Access
Encapsulation: Select PPTP from the drop-down list.
User Name: Type the username given to you by your ISP.
Password: Type the password associated with the username above.
Nailed Up Connection: Select Nailed Up Connection if you do not want the connection to time out.
Table 3 Wizard 2: PPTP Encapsulation (continued)
PPTP Configuration
My IP Address: Type the (static) IP address assigned to you by your ISP.
My IP Subnet Mask: Type the subnet mask assigned to you by your ISP (if given).
Server IP Address: Type the IP address of the PPTP server.
Connection ID/Name: Enter the connection ID or connection name in this field. It must follow the c:id or n:name format. For example, C:12 or N:My ISP.
By implementing PPPoE directly on the Business Secure Router (rather than on individual computers), the computers on the LAN do not need PPPoE software installed, since the Business Secure Router does that part of the task. Furthermore, with NAT, all the computers on the LAN have Internet access.

Figure 10 Wizard2: PPPoE Encapsulation

Table 4 describes the fields in Figure 10.
Table 4 Wizard2: PPPoE Encapsulation
Nailed Up Connection: Select Nailed Up Connection if you do not want the connection to time out.
Idle Timeout: Type the time, in seconds, that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds.
Next: Click Next to continue.
Back: Click Back to return to the previous screen.
You can obtain your IP address from the IANA, from an ISP, or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. If you are part of a much larger organization, consult your network administrator for the appropriate IP addresses.
The subnet mask specifies the network number portion of an IP address. Your Business Secure Router computes the subnet mask automatically based on the IP address that you enter. You do not need to change the subnet mask computed by the Business Secure Router unless you are instructed to do otherwise.

DNS Server address assignment

Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa; for instance, the IP address of www.nortel.com is 47.
The WAN port of your Business Secure Router is set at half-duplex mode, as most cable or DSL modems only support half-duplex mode. Make sure your modem is in half-duplex mode. Your Business Secure Router supports full duplex mode on the LAN side.

Table 6 Example of network properties for LAN servers with fixed IP addresses
Choose an IP address: 192.168.1.2-192.168.1.32; 192.168.1.65-192.168.1.254
Subnet mask: 255.255.255.0
Gateway (or default route): 192.168.1.
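The automatic subnet-mask computation and the Table 6 address ranges can be checked before a fixed address is assigned to a LAN server. The Python below is an added example, not part of the Nortel manual: it assumes the router's automatic computation is the classful default mask (the manual does not state the rule), takes the gateway 192.168.1.1 from the WebGUI login step, and treats the gap 192.168.1.33-192.168.1.64 between the two Table 6 ranges as reserved for DHCP clients (an inference from the ranges listed, not a statement from the manual).

```python
import ipaddress

def default_subnet_mask(ip: str) -> str:
    """Classful default mask for a unicast IPv4 address.
    Assumption: this is what the wizard's automatic mask computation does."""
    first_octet = int(ip.split(".")[0])
    if first_octet < 128:
        return "255.0.0.0"       # class A
    if first_octet < 192:
        return "255.255.0.0"     # class B
    if first_octet < 224:
        return "255.255.255.0"   # class C
    raise ValueError(f"{ip} is not a unicast class A/B/C address")

# Table 6: addresses a LAN server with a fixed IP may use. The hole between the
# two ranges (192.168.1.33-192.168.1.64) is assumed to be the DHCP client pool.
FIXED_SERVER_RANGES = [
    (ipaddress.IPv4Address("192.168.1.2"), ipaddress.IPv4Address("192.168.1.32")),
    (ipaddress.IPv4Address("192.168.1.65"), ipaddress.IPv4Address("192.168.1.254")),
]

def fixed_ip_allowed(ip: str) -> bool:
    addr = ipaddress.IPv4Address(ip)
    return any(lo <= addr <= hi for lo, hi in FIXED_SERVER_RANGES)

def check_lan_server(ip: str, mask: str = "255.255.255.0",
                     gateway: str = "192.168.1.1") -> list:
    """Return the problems found with a proposed fixed-IP server configuration
    (empty list means it matches Table 6 and sits in the gateway's subnet)."""
    problems = []
    if not fixed_ip_allowed(ip):
        problems.append(f"{ip} is outside the fixed-address ranges of Table 6")
    network = ipaddress.IPv4Network(f"{gateway}/{mask}", strict=False)
    if ipaddress.IPv4Address(ip) not in network:
        problems.append(f"{ip}/{mask} is not in the gateway's subnet {network}")
    if mask != default_subnet_mask(ip):
        problems.append(f"mask {mask} differs from the classful default "
                        f"{default_subnet_mask(ip)}")
    return problems

if __name__ == "__main__":
    # Constructed candidates: one good address, one in the assumed DHCP pool.
    for candidate in ("192.168.1.100", "192.168.1.40"):
        print(candidate, check_lan_server(candidate) or "OK")
```

A server address that lands in the DHCP pool is the usual cause of the intermittent address conflicts this kind of check is meant to catch; running the check against every static host before the router's DHCP pool is changed keeps the two ranges from overlapping.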
Figure 11 Wizard 3

Table 7 describes the fields in Figure 11.

Table 7 Wizard 3
WAN IP Address Assignment
Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Use fixed IP address: Select this option if the ISP assigned a fixed IP address.
IP Address: Enter your WAN IP address in this field if you select Use Fixed IP Address.
Table 7 Wizard 3 (continued)
IP Subnet Mask: Enter the IP subnet mask in this field if you select Use Fixed IP Address. This field is not available when you select PPPoE encapsulation in the previous wizard screen.
Gateway IP Address: Enter the gateway IP address in this field if you select Use Fixed IP Address. This field is not available when you select PPPoE encapsulation in the previous wizard screen.
Table 7 Wizard 3 (continued)
First DNS Server: Select From ISP if your ISP dynamically assigns DNS server information (and the Business Secure Router’s WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns. If you chose From ISP, but the Business Secure Router has a fixed WAN IP address, From ISP changes to None after you click Finish.
Basic Setup Complete

Well done! You have successfully set up your Business Secure Router to operate on your network and access the Internet.
Chapter 1 User Notes

General Notes

There are some router functions that, although performing as expected, might cause some confusion. These are summarized below.

General

1 Default Address Mapping Rules When NAT Full Feature Is First Enabled. When NAT Full Feature is first enabled, two address mapping rules are added to the address mapping table. This is done to facilitate programming, and matches the default SUA rule. The rules can be deleted.
If the Administrator Timeout is set to 0, and an administration session is terminated without logging off, the router needs to be rebooted in order for the administrator to log in to the WebGUI again. Alternatively, the administrator can log in using a Telnet session, if Telnet access has been enabled in the Remote Management menu.
If a VPN Client user account is de-activated, deleted, or changed, and that user is currently connected, the connection is not automatically dropped. To drop the connection, the administrator needs to disconnect the user using the 'Disconnect' function in the VPN/SA Monitor GUI. This is consistent with other Nortel Contivity products.

2 User Name Restrictions. User names are limited to a maximum length of 63 characters.
Security

1 Exporting or Saving Self-Signed Certificate. To export or save a self-signed certificate, click details (the icon that looks like a paper note), then click 'Export' or copy the PEM text into the clipboard, and paste into a file.
Setting up the router when the system has a server

1 If you are using a Full-Feature NAT configuration, first do the following:
  a In SUA/NAT / Address Mapping, add a 'Server' rule, specifying the 'Public' IP address of the server.
2 For both SUA-Only and Full-Feature NAT configurations, do the following:
  a In SUA/NAT : SUA Server, add the server private IP address and port number(s) to the SUA/NAT Server table.
Adding IP telephony to a multi-site network

Scenario 1: A BCM50 in the primary site acting as the gateway for both sites

1 Ensure that the DHCP Server in the BCM50 is disabled, that the BCM50 is connected to the router, and both have booted.
2 Add the IP phones to the primary site as per the BCM50 installation guide.
3 Create a tunnel to the remote site, as described above.
Configuring the router to act as a Nortel VPN Server (Client Termination)

1 Under VPN / Client Termination:
  a Enable Client Termination.
  b Select the authentication type and the encryption algorithms supported.
  c If the clients are assigned IP addresses from a pool, define the pool, and enable it.
2 Assuming a Local User Database is used for authentication:
  a Add the user name and password to the local user database as an IPSec user, and activate it.
2 Create the appropriate Firewall rules to add BCM50 access.
2 On BANDWIDTH MANAGEMENT / Class Setup, add a WAN subclass, and reserve sufficient bandwidth based on the number of telephones, for Protocol ID 17 (UDP Traffic). The amount of bandwidth should be based on a reasonable peak number of simultaneous calls, and the data rate needed by the IP telephony CODECs. Refer to the BCM IP Telephony (or other call server) documentation for calculation details.
3 Set up a similar LAN subclass.
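As an added illustration of the sizing in step 2 (this is not from the Nortel documentation, which defers the calculation to the BCM IP Telephony guide), the Python below works out how much UDP bandwidth to reserve per direction for a given peak call count. The codec payload rates and packetisation intervals are the well-known G.711 and G.729 values, the header sizes are the standard RTP/UDP/IPv4/Ethernet figures, and the headroom factor is an assumption of this example.

```python
import math

# Per-packet overhead above the codec payload, in bytes (standard header sizes;
# not values taken from the BCM50e manual).
RTP_HEADER = 12
UDP_HEADER = 8
IPV4_HEADER = 20
ETHERNET_FRAMING = 38   # 14 B header + 4 B FCS + 8 B preamble + 12 B inter-frame gap

# Codec payload bit rate (bit/s) and packetisation interval (ms): well-known values.
CODECS = {
    "G.711": (64_000, 20),
    "G.729": (8_000, 20),
}

def per_call_kbps(codec: str, include_ethernet: bool = True) -> float:
    """Bandwidth of one RTP stream (one direction of one call) in kbit/s."""
    payload_bps, ptime_ms = CODECS[codec]
    packets_per_s = 1000 / ptime_ms
    payload_bytes = payload_bps / 8 / packets_per_s
    overhead = RTP_HEADER + UDP_HEADER + IPV4_HEADER
    if include_ethernet:
        overhead += ETHERNET_FRAMING
    return (payload_bytes + overhead) * 8 * packets_per_s / 1000

def reservation_kbps(codec: str, peak_calls: int, headroom: float = 1.1,
                     include_ethernet: bool = True) -> int:
    """kbit/s to reserve per direction for the Protocol ID 17 (UDP) subclass.
    headroom is an assumed safety factor for jitter and signalling traffic."""
    return math.ceil(per_call_kbps(codec, include_ethernet) * peak_calls * headroom)

if __name__ == "__main__":
    for codec in CODECS:
        print(f"{codec}: {per_call_kbps(codec, include_ethernet=False):.1f} kbit/s per call "
              f"(IP layer), {per_call_kbps(codec):.1f} kbit/s on Ethernet")
    # Constructed sizing case: eight simultaneous G.711 calls at peak.
    print("Reserve for 8 peak G.711 calls:", reservation_kbps("G.711", 8), "kbit/s per direction")
```

The same figure is reserved on the WAN subclass and the LAN subclass of step 3; the headers dominate for low-rate codecs, which is why G.729 at 8 kbit/s of payload still costs roughly 24 kbit/s at the IP layer.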
Chapter 2 System screens

This chapter provides information on the System screens.

System overview

This section provides background information on features that you cannot configure in the Wizard.

DNS overview

There are three places where you can configure DNS (Domain Name System) setup on the Business Secure Router.
Figure 1 depicts an example where three VPN tunnels are created from Business Secure Router A; one to branch office 2, one to branch office 3, and another to headquarters (HQ). In order to access computers that use private domain names on the HQ network, the Business Secure Router at branch office 1 uses the Intranet DNS server in headquarters.
Figure 2 System general setup

Table 1 describes the fields in Figure 2.

Table 1 System general setup
System Name: Choose a descriptive name for identification purposes. Nortel recommends that you enter your computer name in this field. This name can be up to 30 alphanumeric characters long. Spaces, dashes (-) and underscores (_) are accepted.
Domain Name: Enter the domain name (if you know it) here.
Table 1 System general setup (continued)
System DNS Servers (if applicable): DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The Business Secure Router uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.
Dynamic DNS

With Dynamic DNS, you can update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (as in NetMeeting or CU-SeeMe). You can also access your FTP server or Web site on your own computer using a domain name (for instance, myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect.
Figure 3 DDNS

Table 2 describes the fields in Figure 3.

Table 2 DDNS
Active: Select this check box to use dynamic DNS.
Service Provider: Select the name of your Dynamic DNS service provider.
DDNS Type: Select the type of service that you are registered for from your Dynamic DNS service provider.
Host Names 1~3: Enter the host names in the three fields provided. You can specify up to two host names in each field separated by a comma (,).
Table 2 DDNS (continued)
Password: Enter the password associated with your username (up to 31 characters).
Enable Wildcard: Select the check box to enable DYNDNS Wildcard.
Off Line: This option is available when CustomDNS is selected in the DDNS Type field. Check with your Dynamic DNS service provider to have traffic redirected to a URL (that you can specify) while you are off line.
Figure 4 Password

Table 3 describes the fields in Figure 4.

Table 3 Password
Administrator Setting: The administrator can access and configure all of the Business Secure Router's features.
Old Password: Type your existing system administrator password (PlsChgMe! is the default password).
New Password: Type your new system password (up to 31 characters). Note that as you type a password, the screen displays a (*) for each character you type.
Table 3 Password (continued)

Client User Setting: The client user is the person who uses the Business Secure Router's Contivity Client VPN tunnel. The client user can do the following:
• Configure the WAN ISP and IP screens.
• Configure the VPN Contivity Client settings (except the Advanced screen’s exclusive use mode for client tunnel and MAC address allowed settings).
• View the SA monitor.
• Configure the VPN Global Setting screen.
• View logs.
When the Business Secure Router uses the predefined list of NTP time servers, it randomly selects one server and tries to synchronize with it. If the synchronization fails, then the Business Secure Router goes through the rest of the list in order from the first one tried until either it is successful or all the predefined NTP time servers have been tried.

Table 4 Default Time Servers
ntp1.cs.wisc.edu
ntp1.gbg.netnod.se
ntp2.cs.wisc.edu
tock.usno.navy.mil
ntp3.cs.wisc.edu
ntp.
Figure 5 Time and Date
Table 5 describes the fields in Figure 5.

Table 5 Time and Date

Current Time and Date
Current Time: This field displays the time on your Business Secure Router. Each time you reload this page, the Business Secure Router synchronizes the time with the time server.
Current Date: This field displays the date on your Business Secure Router. Each time you reload this page, the Business Secure Router synchronizes the date with the time server.
Table 5 Time and Date (continued)

Time Zone Setup
Time Zone: Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT).
Enable Daylight Saving: Daylight Saving Time is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening. Select this option if you use Daylight Saving Time.
ALG

With Application Layer Gateway (ALG), applications can pass through NAT and the firewall. You must also configure NAT and firewall rules depending upon the type of access you want to allow.

Note: You must enable the FTP SIP ALG in order to use bandwidth management on that application.

Configuring ALG

To change the ALG settings of your Business Secure Router, click SYSTEM and then ALG. The screen appears as shown in Figure 6.
Chapter 3 LAN screens

This chapter describes how to configure LAN settings.

LAN overview

Local Area Network (LAN) is a shared communication system to which many computers are attached. The LAN screens can help you configure a LAN DHCP server, manage IP addresses, configure RIP and multicast settings, and partition your physical network into logical networks.
DNS servers

Use the LAN IP screen to configure the DNS server information that the Business Secure Router sends to the DHCP client devices on the LAN.

LAN TCP/IP

The Business Secure Router has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.

Factory LAN defaults

The LAN parameters of the Business Secure Router are preset in the factory with the following values:
• IP address of 192.168.1.
Both RIP-2B and RIP-2M send routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on nonrouter machines since they generally do not listen to the RIP multicast address and so do not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP Direction is set to Both and RIP Version to RIP-1.
Configuring IP

Click LAN to open the IP screen.
Table 7 describes the fields in Figure 7.

Table 7 LAN IP

DHCP Server: With DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) individual clients (workstations) can obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave this field set to Server. When configured as a server, the Business Secure Router provides TCP/IP configuration for the clients.
Table 7 LAN IP (continued)

First DNS Server, Second DNS Server, Third DNS Server: Select From ISP if your ISP dynamically assigns DNS server information (and the Business Secure Router's WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns. Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right.
Table 7 LAN IP (continued)

RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the Business Secure Router sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
Configuring Static DHCP

With Static DHCP, you can assign IP addresses on the LAN to specific individual computers based on their MAC Addresses. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. To change your Business Secure Router’s Static DHCP settings, click LAN, then the Static DHCP tab. The screen appears as shown in Figure 8.
Table 8 Static DHCP

IP Address: This field specifies the size, or count of the IP address pool.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.

Configuring IP Alias

With IP Alias, you can partition a physical network into different logical networks over the same Ethernet interface.
Figure 9 IP Alias

Table 9 describes the fields in Figure 9.

Table 9 IP Alias

IP Alias 1,2: Select the check box to configure another LAN network for the Business Secure Router.
IP Address: Enter the IP address of your Business Secure Router in dotted decimal notation.
IP Subnet Mask: Your Business Secure Router automatically calculates the subnet mask based on the IP address that you assign.
Table 9 IP Alias (continued)

RIP Direction: With RIP (Routing Information Protocol, RFC 1058 and RFC 1389), a router can exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the Business Secure Router broadcasts its routing table periodically.
Chapter 4 WAN screens

This chapter describes how to configure WAN settings.

WAN Overview

This section provides background information on features that you cannot configure in the Wizard.

4.1 TCP/IP Priority (Metric)

The metric represents the cost of transmission. A router determines the best route for transmission by choosing a path with the lowest cost. RIP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks.
Configuring Route

Click WAN to open the Route screen.

Figure 10 WAN: Route

Table 10 describes the fields in Figure 10.

Table 10 WAN: Route

WAN Traffic Redirect: The default WAN connection is 1. The broadband connection via the WAN port is the preferred method of accessing the WAN. The WAN route always has higher priority than the traffic redirect route. Traffic redirect acts as an auxiliary connection in the event that your regular WAN connection goes down.
Ethernet Encapsulation

The screen shown in Figure 11 is for Ethernet encapsulation.

Figure 11 Ethernet Encapsulation

Table 11 describes the fields in Figure 11.

Table 11 Ethernet Encapsulation

Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
PPPoE Encapsulation

The Business Secure Router supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (for example, DSL, cable, or wireless) connection. The PPPoE option is for a dial-up connection using PPPoE. For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for example, RADIUS).
Figure 12 PPPoE Encapsulation

Table 12 describes the fields in Figure 12.

Table 12 PPPoE Encapsulation

Encapsulation: The PPPoE choice is for a dial-up connection using PPPoE. The router supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (for example, DSL, cable, or wireless) connection.
Table 12 PPPoE Encapsulation (continued)

Idle Timeout: This value specifies the time in seconds that elapses before the router automatically disconnects from the PPPoE server.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.
Figure 13 PPTP Encapsulation

Table 13 describes the fields in Figure 13.

Table 13 PPTP Encapsulation

Encapsulation: Point-to-Point Tunneling Protocol (PPTP) is a network protocol that makes secure transfer of data from a remote client to a private server possible by creating a Virtual Private Network (VPN) using TCP/IP based networks. PPTP supports on-demand, multiprotocol, and virtual private networking over public networks, such as the Internet.
Table 13 PPTP Encapsulation (continued)

Password: Type the password associated with the username.
Nailed up Connection: Select Nailed Up Connection if you do not want the connection to time out.
Idle Timeout: This value specifies the time, in seconds, that elapses before the Business Secure Router automatically disconnects from the PPTP server.

PPTP Configuration
My IP Address: Type the (static) IP address assigned to you by your ISP.
Figure 14 RR Service Type

Table 14 describes the fields in Figure 14.

Table 14 RR Service Type

Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
Service Type: Select from Standard, RR-Toshiba (Road Runner Toshiba authentication method), RR-Manager (Road Runner Manager authentication method) or RR-Telstra. Choose a Road Runner service type if your ISP is Time Warner's Road Runner; otherwise choose Standard.
Configuring WAN IP

To change the WAN IP settings of your Business Secure Router, click WAN, then the WAN IP tab. This screen varies according to the type of encapsulation you select. If your ISP did not assign you a fixed IP address, click Get automatically from ISP (Default); otherwise click Use fixed IP Address and enter the IP address in the field My WAN IP Address.
Figure 15 WAN: IP
Table 15 describes the fields in Figure 15.

Table 15 WAN: IP

Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Use fixed IP address: Select this option if your ISP assigned a fixed IP address.
IP Address: Enter your WAN IP address in this field if you selected Use Fixed IP Address.
Table 15 WAN: IP (continued)

RIP Direction: With RIP (Routing Information Protocol), a router can exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only. When set to Both or Out Only, the Business Secure Router broadcasts its routing table periodically. When set to Both or In Only, the Business Secure Router incorporates RIP information that it receives.
Table 15 WAN: IP (continued)

Allow between WAN and LAN: Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you must also enable the default WAN to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN.
Using the MAC address screen, users can configure the MAC address of the WAN port by either using the factory default or cloning the MAC address from a computer on your LAN. Choose Factory Default to select the factory assigned default MAC address. Otherwise, click Spoof this computer's MAC address - IP Address and enter the IP address of the computer on the LAN whose MAC address you are cloning.
Figure 18 Traffic Redirect LAN Setup

Configuring Traffic Redirect

To change your Business Secure Router’s Traffic Redirect settings, click WAN, then the Traffic Redirect tab. The screen appears as shown in Figure 19.
Figure 19 Traffic Redirect

Table 16 describes the fields in Figure 19.

Table 16 Traffic Redirect

Active: Select this check box to have the Business Secure Router use traffic redirect if the normal WAN connection goes down.
Backup Gateway IP Address: Type the IP address of your backup gateway in dotted decimal notation. The Business Secure Router automatically forwards traffic to this IP address if the Business Secure Router's Internet connection terminates.
Table 16 Traffic Redirect (continued)

Check WAN IP Address: Configuration of this field is optional. If you do not enter an IP address here, the Business Secure Router uses the default gateway IP address. Configure this field to test your Business Secure Router's WAN accessibility. Type the IP address of a reliable nearby computer (for example, your ISP's DNS server address). If you are using PPTP or PPPoE Encapsulation, type 0.0.0.
Figure 20 Dial Backup Setup
Table 17 describes the fields in Figure 20.

Table 17 Dial Backup Setup

Enable Dial Backup: Select this check box to turn on dial backup.

Basic Settings
Login Name: Type the logon name assigned by your ISP.
Password: Type the password assigned by your ISP.
Retype to Confirm: Type your password again in this field.
Authentication Type: Use the drop-down list to select an authentication protocol for outgoing calls.
Table 17 Dial Backup Setup (continued)

Use Fixed IP Address: Select this check box if your ISP assigned you a fixed IP address and then enter the IP address in the following field.
My WAN IP Address: Leave the field set to 0.0.0.0 (default) to have the ISP or other remote router dynamically (automatically) assign your WAN IP address, if you do not know it. Type your WAN IP address here, if you know it (static).
Table 17 Dial Backup Setup (continued)

RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, In Only or Out Only. When set to Both or Out Only, the Business Secure Router broadcasts its routing table periodically. When set to Both or In Only, the Business Secure Router incorporates RIP information that it receives.
Table 17 Dial Backup Setup (continued)

Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.

Advanced Modem Setup

AT Command Strings

For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing. ATDT is the command for a switch that requires tone dialing. If your switch requires pulse dialing, change the string to ATDP.
Configuring Advanced Modem Setup

Click the Edit button in the Dial Backup screen to display the Advanced Setup screen shown in Figure 21.

Note: To ensure proper operation with the BCM50, none of the default settings should be changed.
Table 18 describes the fields in Figure 21.

Table 18 Advanced Setup

Dial: Type the AT Command string to make a call. Example: atdt
Drop: Type the AT Command string to drop a call. ~ represents a one-second wait. For example, ~~~+++~~ath can be used if your modem has a slow response time. Example: ~~+++~~ath
Answer: Type the AT Command string to answer a call.
Table 18 Advanced Setup (continued)

Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.
Chapter 5 Network Address Translation (NAT) Screens

This chapter discusses how to configure NAT on the Business Secure Router.

NAT overview

NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network, is changed to a different IP address known within another network.

NAT definitions

Inside/outside denotes where a host is located relative to the Business Secure Router.
Note that inside/outside refers to the location of a host, while global/local refers to the IP address of a host used in a packet. Thus, an inside local address (ILA) is the IP address of an inside host in a packet when the packet is still in the local network, while an inside global address (IGA) is the IP address of the same inside host when the packet is on the WAN side. Table 19 summarizes this information.
How NAT works

Each packet has two addresses: a source address and a destination address. For outgoing packets, the ILA (Inside Local Address) is the source address on the LAN, and the IGA (Inside Global Address) is the source address on the WAN. For incoming packets, the ILA is the destination address on the LAN, and the IGA is the destination address on the WAN.
In Figure 23, B can send packets with source IP address e.f.g.h and port 20202 to A because A previously sent a packet to IP address e.f.g.h and port 20202. B cannot send packets with source IP address e.f.g.h and port 10101 to A because A has not sent a packet to IP address e.f.g.h and port 10101.
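The state-table rule just described, as an added Python example that is not Nortel's code: a Many-to-One (SUA) translator that records an entry for each outgoing packet and delivers an incoming packet only when it matches such an entry. The class and function names, the IGA 203.0.113.1 and host A's address 192.168.1.10 are constructed; e.f.g.h is the manual's own placeholder for B.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal IP/port 4-tuple; constructed for the example."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SuaNat:
    """Many-to-One (SUA) NAT as the chapter describes it: every inside host
    shares one Inside Global Address (IGA). An outgoing packet records a state
    entry; an incoming packet is translated back only when it matches an entry
    created by a previous outgoing packet, otherwise it is dropped."""

    def __init__(self, iga: str, first_global_port: int = 1024) -> None:
        self.iga = iga
        self._next_port = first_global_port
        # (ILA, local port, remote IP, remote port) -> translated global port
        self._outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (global port, remote IP, remote port) -> (ILA, local port)
        self._inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite ILA:port to IGA:global_port and record the state."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        gport = self._outbound.get(key)
        if gport is None:
            gport = self._next_port
            self._next_port += 1
            self._outbound[key] = gport
            self._inbound[(gport, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.iga, gport, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: deliver only if (global port, remote IP, remote port) matches
        an entry created by an earlier outgoing packet; otherwise None (dropped)."""
        entry = self._inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None
        ila, lport = entry
        return Packet(pkt.src_ip, pkt.src_port, ila, lport)


def figure_23_scenario() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    """Replays the chapter's example: B may reply from e.f.g.h:20202 but not
    from e.f.g.h:10101. Addresses are constructed/placeholder values."""
    nat = SuaNat(iga="203.0.113.1")        # constructed IGA (documentation range)
    host_a = "192.168.1.10"                # A, an inside host on the LAN (constructed)
    host_b = "e.f.g.h"                     # B, the placeholder used in the manual's figure
    on_wan = nat.translate_outbound(Packet(host_a, 40000, host_b, 20202))
    reply_ok = nat.translate_inbound(Packet(host_b, 20202, nat.iga, on_wan.src_port))
    reply_bad = nat.translate_inbound(Packet(host_b, 10101, nat.iga, on_wan.src_port))
    return on_wan, reply_ok, reply_bad


if __name__ == "__main__":
    wan, ok, bad = figure_23_scenario()
    print("on the WAN:", wan)
    print("reply from port 20202:", ok)
    print("reply from port 10101:", "dropped" if bad is None else bad)
```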
Figure 24 NAT application with IP Alias

NAT mapping types

NAT supports five types of IP/port mapping. They are:
• One to One: In One-to-One mode, the Business Secure Router maps one local IP address to one global IP address.
• Many to One: In Many-to-One mode, the Business Secure Router maps multiple local IP addresses to one global IP address.
Table 20 summarizes these types.
SUA Server

A SUA server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though SUA makes your whole inside network appear as a single computer to the outside world. You can enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server.
Port forwarding: Services and Port Numbers

The most often used port numbers are shown in Table 21. Refer to Assigned Numbers (RFC 1700) for further information about port numbers. Refer to the Supporting CD for more examples and details on SUA/NAT.
Figure 25 Multiple servers behind NAT example

Configuring SUA Server

Note: If you do not assign a Default Server IP Address, then all packets received for ports not specified in this screen are discarded.

Click SUA/NAT to open the SUA Server screen. Refer to Chapter 7, “Firewalls,” on page 87 and Chapter 8, “Firewall screens,” on page 103 for port numbers commonly used for particular services.
Figure 26 SUA/NAT setup

Table 22 describes the fields in Figure 26.

Table 22 SUA/NAT setup

Default Server: In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a default server IP address, then all packets received for ports not specified in this screen are discarded.
Table 22 SUA/NAT setup (continued)

Active: Select this check box to enable the SUA server entry. Clear this check box to disallow forwarding of these ports to an inside server without having to delete the entry.
Name: Enter a name to identify this port forwarding rule.
Start Port: Enter a port number here. To forward only one port, enter it again in the End Port field.
Figure 27 Address Mapping

Table 23 describes the fields in Figure 27.

Table 23 Address Mapping

Local Start IP: This refers to the Inside Local Address (ILA), that is the starting local IP address. Local IP addresses are N/A for Server port mapping.
Local End IP: This is the end Inside Local Address (ILA). If the rule is for all local IP addresses, then this field displays 0.0.0.0 and 255.255.255.
Table 23 Address Mapping (continued)

Type:
1. One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-one NAT mapping type.
2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (that is, PAT, port address translation), the Single User Account feature.
3.
Figure 28 Address Mapping edit

Table 24 describes the fields in Figure 28.

Table 24 Address Mapping edit

Type: Choose the port mapping type from one of the following.
1. One-to-One: One-to-one mode maps one local IP address to one global IP address. Note that port numbers do not change for One-to-one NAT mapping type.
2. Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address.
Table 24 Address Mapping edit (continued)

Global End IP: This is the ending Inside Global IP Address (IGA). This field is N/A for One-to-One, Many-to-One and Server mapping types.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.
Figure 29 Trigger Port Forwarding process: example

1 Jane (A) requests a file from the Real Audio server (port 7070).
2 Port 7070 is a trigger port and causes the Business Secure Router to record Jane’s computer IP address. The Business Secure Router associates Jane's computer IP address with the incoming port range of 6970-7170.
3 The Real Audio server responds using a port number ranging between 6970-7170.
Configuring Trigger Port Forwarding

To change trigger port settings of your Business Secure Router, click SUA/NAT and the Trigger Port tab. The screen appears as shown in Figure 30.

Note: Only one LAN computer can use a trigger port (range) at a time.
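The Figure 29 process and the one-computer-at-a-time note, as an added Python simulation that is not Nortel's code: an outgoing packet to the trigger range records the sender's LAN address, inbound packets in the incoming range go to that address, and a later trigger from another computer takes the range over. The class, function and rule names and the LAN addresses 192.168.1.33 and 192.168.1.44 are constructed; the port numbers are the manual's.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TriggerRule:
    """One row of the Trigger Port screen (fields named after its labels)."""
    name: str
    trigger_start: int
    trigger_end: int
    incoming_start: int
    incoming_end: int


class TriggerPortForwarder:
    """Keeps, per rule, the LAN address that last hit the trigger range, so that
    inbound traffic on the incoming range is forwarded to that computer only."""

    def __init__(self, rules: List[TriggerRule]) -> None:
        self.rules = list(rules)
        self._owner: Dict[str, str] = {}   # rule name -> LAN IP currently holding it

    def outbound(self, lan_ip: str, dst_port: int) -> List[str]:
        """LAN -> WAN packet: record lan_ip for every rule whose trigger range matches.
        A later trigger from another computer replaces the earlier owner, which is
        what the manual's 'only one LAN computer at a time' note describes."""
        hit = []
        for rule in self.rules:
            if rule.trigger_start <= dst_port <= rule.trigger_end:
                self._owner[rule.name] = lan_ip
                hit.append(rule.name)
        return hit

    def inbound(self, dst_port: int) -> Optional[str]:
        """WAN -> LAN packet: the LAN IP it is forwarded to, or None if dropped
        (no matching rule, or nobody has triggered the rule yet)."""
        for rule in self.rules:
            if rule.incoming_start <= dst_port <= rule.incoming_end:
                return self._owner.get(rule.name)
        return None


# The Real Audio rule from Figure 29: trigger 7070, incoming 6970-7170.
REAL_AUDIO = TriggerRule("Real Audio", 7070, 7070, 6970, 7170)


def figure_29_scenario() -> List[Optional[str]]:
    """Replays Figure 29 and then lets a second computer take the trigger over."""
    fwd = TriggerPortForwarder([REAL_AUDIO])
    jane, bob = "192.168.1.33", "192.168.1.44"   # constructed LAN addresses
    results = [fwd.inbound(7000)]                # before any trigger: nothing to forward to
    fwd.outbound(jane, 7070)                     # steps 1-2: request records Jane's IP
    results.append(fwd.inbound(7000))            # step 3: reply inside 6970-7170 -> Jane
    results.append(fwd.inbound(7171))            # outside the incoming range -> dropped
    fwd.outbound(bob, 7070)                      # another computer triggers the same rule
    results.append(fwd.inbound(7000))            # range now belongs to Bob, not Jane
    return results


if __name__ == "__main__":
    print(figure_29_scenario())
```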
Table 25 describes the fields in Figure 30.

Table 25 Trigger Port

No.: This is the rule index number (read-only).
Name: Type a unique name (up to 15 characters) for identification purposes. All characters are permitted, including spaces.
Incoming: Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service.
Chapter 6 Static Route screens

This chapter shows you how to configure static routes for your Business Secure Router.

Static Route overview

Each remote node specifies only the network to which the gateway is directly connected, and the Business Secure Router has no knowledge of the networks beyond. For instance, the Business Secure Router knows about network N2 in Figure 31 through remote node Router 1.
Figure 31 Example of Static Routing topology

Configuring IP Static Route

Click STATIC ROUTE to open the Route Entry screen.

Note: The first static route entry is for the default WAN route. You cannot modify or delete this static default route.
Figure 32 Static Route screen

Table 26 describes the fields in Figure 31.

Table 26 IP Static Route summary

#: Number of an individual static route.
Name: Name that describes or identifies this route.
Active: This field shows whether this static route is active (Yes) or not (No).
Destination: This parameter specifies the IP network address of the final destination. Routing is always based on network number.
Configuring Route entry

Select a static route index number and click Edit. The screen is illustrated in Figure 33. Fill in the required information for each static route.

Figure 33 Edit IP Static Route

Table 27 describes the fields in Figure 33.

Table 27 Edit IP Static Route

Route Name: Enter the name of the IP static route. Leave this field blank to delete this static route.
Table 27 Edit IP Static Route (continued)

Metric: Metric represents the cost of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. Enter a number that approximates the cost for this link. The number need not be precise, but it must be between 1 and 15. In practice, 2 or 3 is usually a good number.
Chapter 7 Firewalls

This chapter gives some background information on firewalls and introduces the Business Secure Router firewall.

Firewall overview

Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term firewall is a system or group of systems that enforces an access control policy between two networks. It can also be defined as a mechanism used to protect a trusted network from an untrusted network.
Packet Filtering firewalls

Packet filtering firewalls restrict access based on the source or destination computer network address of a packet and the type of application.

Application level firewalls

Application level firewalls restrict access by serving as proxies for external servers. Because they use programs written for specific Internet services, such as HTTP, FTP and Telnet, they can evaluate network packets for valid application specific data.
Introduction to the Business Secure Router firewall

The Business Secure Router firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated (in SMT menu 21.2 or in the WebGUI). The Business Secure Router’s purpose is to allow a private Local Area Network (LAN) to be securely connected to the Internet.
Figure 34 Business Secure Router firewall application

Denial of Service

Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The Business Secure Router is preconfigured to automatically detect and thwart currently known DoS attacks.
When computers communicate on the Internet, they use the client/server model, where the server listens on a specific TCP/UDP port for information requests from remote client computers on the network. For example, a Web server typically listens on port 80. Note that, while a computer can be intended for use over a single port, such as Web on port 80, other ports are also active and vulnerable to attack by hackers.
2 Weaknesses in the TCP/IP specification leave it open to SYN Flood and LAND attacks. These attacks are executed during the handshake that initiates a communication session between two applications.

Figure 35 Three-way handshake

Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server.
Figure 36 SYN flood

In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.

3 A brute force attack, such as a Smurf attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data.
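How a stateful device can recognise the two handshake attacks just described, as an added Python example that is not Nortel's code: a LAND packet is an initial SYN whose source equals its destination, and a SYN flood shows up as handshakes that are opened but never completed by the client's final ACK. The packet records and the addresses (192.0.2.10, 198.51.100.5, 203.0.113.x, documentation ranges) are constructed; the detection threshold is a parameter, not a value from the manual.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class TcpPacket:
    """TCP header fields relevant to handshake tracking (constructed records)."""
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool
    ack: bool


def is_initial_syn(p: TcpPacket) -> bool:
    """Step 1 of the three-way handshake: SYN set, ACK clear."""
    return p.syn and not p.ack


def detect_land(packets: List[TcpPacket]) -> List[TcpPacket]:
    """LAND: an initial SYN whose spoofed source is the target itself (same IP and port)."""
    return [p for p in packets
            if is_initial_syn(p) and p.src_ip == p.dst_ip and p.src_port == p.dst_port]


def detect_syn_flood(packets: List[TcpPacket], threshold: int) -> Set[Tuple[str, int]]:
    """Track half-open handshakes per listening socket. A client's initial SYN opens
    an entry; its final ACK (step 3) closes it. Any target that accumulates
    `threshold` unfinished handshakes is reported as flooded."""
    half_open: Dict[Tuple[str, int], Set[Tuple[str, int]]] = defaultdict(set)
    alerts: Set[Tuple[str, int]] = set()
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        target = (p.dst_ip, p.dst_port)
        client = (p.src_ip, p.src_port)
        if is_initial_syn(p):
            half_open[target].add(client)
            if len(half_open[target]) >= threshold:
                alerts.add(target)
        elif p.ack and not p.syn:
            half_open[target].discard(client)   # handshake completed by the client
    return alerts


def sample_capture() -> List[TcpPacket]:
    """Constructed traffic toward a web server at 192.0.2.10:80: one normal client
    that completes its handshake, six spoofed SYNs that never do, and one LAND packet."""
    server = "192.0.2.10"
    pkts = [
        TcpPacket(0.1, "198.51.100.5", 51000, server, 80, syn=True, ack=False),
        TcpPacket(0.3, "198.51.100.5", 51000, server, 80, syn=False, ack=True),
        TcpPacket(2.0, server, 80, server, 80, syn=True, ack=False),   # LAND
    ]
    for i in range(6):
        pkts.append(TcpPacket(1.0 + i * 0.1, f"203.0.113.{10 + i}", 40000 + i,
                              server, 80, syn=True, ack=False))
    return pkts


if __name__ == "__main__":
    cap = sample_capture()
    print("LAND packets:", detect_land(cap))
    print("flooded sockets (threshold 5):", detect_syn_flood(cap, 5))
```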
Figure 37 Smurf attack

• ICMP vulnerability

ICMP is an error reporting protocol that works in concert with IP. The following ICMP types trigger an alert:

Table 29 ICMP commands that trigger alerts
5 REDIRECT
13 TIMESTAMP_REQUEST
14 TIMESTAMP_REPLY
17 ADDRESS_MASK_REQUEST
18 ADDRESS_MASK_REPLY

• Illegal Commands (NetBIOS and SMTP)

The only legal NetBIOS commands are shown in Table 30; all others are illegal.
All SMTP commands are illegal except for those displayed in Table 31.

Table 31 Legal SMTP commands
AUTH, DATA, EHLO, ETRN, EXPN, HELO, HELP, MAIL, QUIT, RCPT, RSET, SAML, SEND, SOML, TURN, VRFY, NOOP

• Traceroute

Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes, when a packet filter firewall is configured incorrectly, an attacker can traceroute the firewall and gain knowledge of the network topology inside the firewall.
In summary, stateful inspection:
• Allows all sessions originating from the LAN (local network) to the WAN (Internet).
• Denies all sessions originating from the WAN to the LAN.

Figure 38 Stateful inspection

Figure 38 shows the Business Secure Router’s default firewall rules in action, and demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed.
3 The packet is inspected by a firewall rule to determine and record information about the state of the packet's connection. This information is recorded in a new state table entry created for the new connection. If there is not a firewall rule for this packet and it is not an attack, the Action for packets that don’t match firewall rules field determines the action for this packet.
• Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.

These custom rules work by evaluating the network traffic’s Source IP address, Destination IP address, IP protocol type, and comparing these to rules set by the administrator.

Note: The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet.
After the Business Secure Router receives any subsequent packet (from the Internet or from the LAN), its connection information is extracted and checked against the cache. A packet is only allowed to pass through if it corresponds to a valid connection (that is, if it is a response to a connection that originated on the LAN).

UDP/ICMP security

UDP and ICMP do not contain any connection information (such as sequence numbers).
Consider the FTP protocol. A user on the LAN opens a control connection to a server on the Internet and requests a file. At this point, the remote server opens a data connection from the Internet. For FTP to work properly, this connection must be allowed to pass through even though a connection from the Internet is normally rejected. In order to achieve the above scenario, the Business Secure Router inspects the application level FTP data.
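The connection cache described in the stateful inspection summary and in the UDP/ICMP section can be modelled directly: LAN-originated sessions are recorded, WAN packets are forwarded only when they answer a recorded session, and UDP/ICMP entries, which carry no sequence numbers, are aged out after an idle period. The following is an added model, not the router's implementation; the 60-second idle timeout, the 5-tuple keying and the packet sequence are assumptions, and the FTP data-connection special case is deliberately not modelled.

```python
from dataclasses import dataclass

# Added model (not Nortel code) of stateful inspection as described above.
# Assumptions: sessions are keyed by protocol and address/port 5-tuple,
# UDP/ICMP state ages out after an idle timeout (60 s here), and TCP state
# is kept for the whole scenario.  FTP data connections are not handled.


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: int   # for ICMP use 0 here and in dst_port
    dst_ip: str
    dst_port: int
    iface: str      # interface the packet arrived on: "lan" or "wan"


class StatefulFirewall:
    def __init__(self, udp_icmp_idle_timeout=60.0):
        self.idle_timeout = udp_icmp_idle_timeout
        self.table = {}   # session key -> time the last packet was seen

    @staticmethod
    def _key(p):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reply_key(p):
        # A reply has the recorded session's source and destination swapped.
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def _expire(self, now):
        stale = [k for k, seen in self.table.items()
                 if k[0] != "tcp" and now - seen > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def handle(self, p, now):
        """Return 'forward' or 'drop' for packet p seen at time now (seconds)."""
        self._expire(now)
        if p.iface == "lan":
            # LAN-originated: create or refresh the state entry, then forward.
            self.table[self._key(p)] = now
            return "forward"
        reply = self._reply_key(p)
        if reply in self.table:
            # WAN packet answering a session that originated on the LAN.
            self.table[reply] = now
            return "forward"
        return "drop"   # unsolicited WAN-originated traffic


def run_scenario():
    """Constructed packet sequence; returns the decision for each packet."""
    fw = StatefulFirewall()
    lan, telnet_srv = "192.168.1.10", "203.0.113.5"
    dns_srv, stranger = "203.0.113.53", "198.51.100.7"
    steps = [
        (0.0, Packet("tcp", lan, 40000, telnet_srv, 23, "lan")),   # Telnet from LAN
        (0.1, Packet("tcp", telnet_srv, 23, lan, 40000, "wan")),   # its reply
        (0.2, Packet("tcp", stranger, 5555, lan, 23, "wan")),      # unsolicited
        (1.0, Packet("udp", lan, 53001, dns_srv, 53, "lan")),      # DNS query
        (1.1, Packet("udp", dns_srv, 53, lan, 53001, "wan")),      # DNS reply
        (200.0, Packet("udp", dns_srv, 53, lan, 53001, "wan")),    # reply after idle timeout
    ]
    return [fw.handle(p, t) for t, p in steps]


if __name__ == "__main__":
    print(run_scenario())
```

The last packet shows the UDP caveat from the text: with no sequence numbers to check, the only thing that stops a stale "reply" from being accepted is the idle timeout on the cached entry.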
Packet filtering:
• The router filters packets as they pass through the router’s interface according to the filter rules you designed.
• Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service.
• Packet filtering only checks the header portion of an IP packet.

When to use filtering

1 To block or allow LAN packets by their MAC addresses.
When to use the firewall

1 To prevent DoS attacks and prevent hackers from cracking your network.
2 A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule, making the firewall a better choice when complex rules are required.
3 To selectively block or allow inbound or outbound traffic between inside hosts or networks and outside hosts or networks.
103 Chapter 8 Firewall screens

This chapter shows you how to configure your Business Secure Router firewall.

Access methods

The WebGUI is, by far, the most comprehensive firewall configuration tool your Business Secure Router has to offer. For this reason, Nortel recommends that you configure your firewall using the WebGUI. With SMT screens, you can activate the firewall. CLI commands provide limited configuration options and are only recommended for advanced users; refer to for firewall CLI commands.
• WAN to LAN
• WAN to WAN/Business Secure Router

This prevents computers on the WAN from using the Business Secure Router as a gateway to communicate with other computers on the WAN, or to manage the Business Secure Router, or both. You can define additional rules and sets or modify existing ones, but exercise extreme caution in doing so.
Rule logic overview

Note: Study these points carefully before configuring rules.

Rule checklist

1 State the intent of the rule. For example, “This restricts all IRC access from the LAN to the Internet.” Or, “This allows a remote Lotus Notes server to synchronize over the Internet to an inside Notes server.”
Once these questions have been answered, adding rules is simply a matter of plugging the information into the correct fields in the WebGUI screens.

Key fields for configuring rules

Action: Set the action to either Block or Forward. Note: Block means the firewall silently discards the packet.

Service: Select the service from the Service scrolling list box. If the service is not listed, it is necessary to first define it.
the LAN interface is an example of traffic destined for the Business Secure Router’s LAN interface itself. You can also use LAN to LAN/Business Secure Router rules with IP alias to control routing between two subnets on the LAN. WAN to WAN/Business Secure Router rules apply to packets coming in through the WAN interface that are destined for either the Business Secure Router’s WAN interface itself or a different subnet on the WAN.
Figure 40 WAN to LAN traffic

Configuring firewall

Click FIREWALL to open the Summary screen. Enable (or activate) the firewall by selecting the Enable Firewall check box as seen in Figure 41. The Business Secure Router applies the firewall rules in order, starting from the first rule for a packet’s direction of travel. When the traffic matches a rule, the Business Secure Router takes the action in the rule and stops checking the firewall rules.
If you list a general rule before a specific rule, traffic that you want to be controlled by the specific rule can get the general rule applied to it instead. Any traffic that does not match the first firewall rule matches the default rule and the Business Secure Router forwards the traffic.
Figure 41 Enabling the firewall

Table 32 describes the fields in Figure 41.

Table 32 Firewall rules summary: First screen
Enable Firewall: Select this check box to activate the firewall. The Business Secure Router performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated. The firewall allows traffic to go through your VPN tunnels.
Table 32 Firewall rules summary: First screen (continued)
Bypass Triangle Route: Select this check box to have the Business Secure Router permit the use of asymmetrical route topology on the network (not reset the connection).
Firewall Rules Storage Space in Use: This read-only bar shows how much of the Business Secure Router's memory for recording firewall rules is currently being used. The bar turns from green to red when the maximum is approached.
Table 32 Firewall rules summary: First screen (continued)
Insert: Type the index number for where you want to put a rule. For example, if you type “6”, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7. Click Insert to display the screen where you configure a firewall rule.
Move: Select a rule’s Index option button and type a number for where you want to put that rule. Click Move to move the rule to the number that you typed.
Figure 42 Creating and editing a firewall rule

Table 33 describes the fields in Figure 42.

Table 33 Creating and editing a firewall rule
Active: Check the Active check box to have the Business Secure Router use this rule. Leave it unchecked if you do not want the Business Secure Router to use the rule after you apply it.
Packet Direction: Use the drop-down list to select the direction of packet travel to which you want to apply this firewall rule.
Table 33 Creating and editing a firewall rule (continued)
Source Address: Click SrcAdd to add a new address, SrcEdit to edit an existing one or SrcDelete to delete one. The source address can be a particular (single) IP, a range of IP addresses (for example, 192.168.1.10 to 192.169.1.50), a subnet or any IP address. See the next section for more information about adding and editing source addresses.
Configuring source and destination addresses

To add a new source or destination address, click SrcAdd or DestAdd from the previous screen. To edit an existing source or destination address, select it from the box and click SrcEdit or DestEdit from the previous screen. Either action displays the screen shown in Figure 43.

Figure 43 Adding or editing source and destination addresses

Table 34 describes the fields in Figure 43.
Configuring custom ports

You can also configure customized ports for services not predefined by the Business Secure Router (see “Predefined services” on page 120 for a list of predefined services). For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Numbers Authority) Web site. Click the Add button under Custom Port while editing a firewall rule to configure a custom port. This displays the screen illustrated in Figure 44.
Example firewall rule

The following Internet firewall rule example allows a hypothetical My Service connection from the Internet.

1 Click the Firewall link and then the Summary tab.
2 In the Summary screen, type the index number for where you want to put the rule. For example, if you type “6”, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
3 Click Insert to display the firewall rule configuration screen.
6 Configure the Firewall Rule Edit IP screen as follows and click Apply.

Figure 46 Firewall rule edit IP example

7 In the firewall rule configuration screen, click Add under Custom Port to open the Edit Custom Port screen. Configure it as shown in Figure 47 and click Apply.

Figure 47 Edit custom port example

8 The firewall rule configuration screen displays. Use the arrows between Available Services and Selected Services to configure it as shown in Figure 48.
Figure 48 MyService rule configuration example

After completing the configuration procedure for this Internet firewall rule, the Rule Summary screen will look like the one illustrated in Figure 49.

Rule 1: Allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.

Remember to click Apply after you finish configuring your rules to save your settings to the Business Secure Router.
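The first-match evaluation described under "Configuring firewall" (rules are checked in order for the packet's direction, the first match decides, and a general rule listed before a specific one shadows it) can be reproduced with the My Service rule from this example. The code below is an added illustration, not the router's rule engine. The per-direction default actions are taken from the stateful inspection summary in Chapter 7 (LAN to WAN forwarded, WAN to LAN denied); the My Service port number is a placeholder because the real value appears only in Figure 47, which is not reproduced in the text.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example (not Nortel code) of ordered, first-match rule evaluation.
# MY_SERVICE_PORT is a placeholder: the real port is only in Figure 47.
MY_SERVICE_PORT = 12345

# Default rule per direction, following the Chapter 7 stateful inspection summary.
DEFAULT_ACTION = {"LAN to WAN": "forward", "WAN to LAN": "block"}


@dataclass
class Rule:
    name: str
    direction: str                      # "WAN to LAN" or "LAN to WAN"
    src: str                            # "any", "a.b.c.d", "a.b.c.d-a.b.c.e" or "a.b.c.d/n"
    dst: str
    proto: str                          # "tcp", "udp", "icmp" or "any"
    ports: Optional[Tuple[int, int]]    # (start, end) or None for any port
    action: str                         # "forward" or "block"


def addr_matches(spec: str, ip: str) -> bool:
    """Match a single address, a range written 'lo-hi', a subnet, or 'any'."""
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, direction, src_ip, dst_ip, proto, port):
    """Walk the rules in order; the first match decides, else the default."""
    for r in rules:
        if r.direction != direction or r.proto not in ("any", proto):
            continue
        if r.ports is not None and not (r.ports[0] <= port <= r.ports[1]):
            continue
        if not (addr_matches(r.src, src_ip) and addr_matches(r.dst, dst_ip)):
            continue
        return r.action, r.name
    return DEFAULT_ACTION[direction], "default"


# Rule 1 from the example: My Service from the WAN to 10.0.0.10 through 10.0.0.15.
MY_SERVICE_RULE = Rule("MyService", "WAN to LAN", "any", "10.0.0.10-10.0.0.15",
                       "tcp", (MY_SERVICE_PORT, MY_SERVICE_PORT), "forward")
# A deliberately general rule blocking all TCP from the WAN to the LAN.
BLOCK_ALL_TCP = Rule("BlockAllTCP", "WAN to LAN", "any", "any", "tcp", None, "block")


def ordering_demo():
    """Show how listing the general rule first shadows the specific rule."""
    probe = ("WAN to LAN", "198.51.100.20", "10.0.0.12", "tcp", MY_SERVICE_PORT)
    return {
        "specific_first": evaluate([MY_SERVICE_RULE, BLOCK_ALL_TCP], *probe),
        "general_first": evaluate([BLOCK_ALL_TCP, MY_SERVICE_RULE], *probe),
        "outside_range": evaluate([MY_SERVICE_RULE], "WAN to LAN",
                                  "198.51.100.20", "10.0.0.20", "tcp", MY_SERVICE_PORT),
        "lan_outbound": evaluate([MY_SERVICE_RULE, BLOCK_ALL_TCP], "LAN to WAN",
                                 "10.0.0.12", "198.51.100.20", "tcp", 80),
    }


if __name__ == "__main__":
    for case, result in ordering_demo().items():
        print(case, result)
```

Running it shows the shadowing problem concretely: with BlockAllTCP listed first, the My Service traffic never reaches Rule 1 and is blocked, while a host just outside the 10.0.0.10 to 10.0.0.15 range is blocked by the WAN to LAN default even when Rule 1 is first.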
Figure 49 My Service example rule summary

Predefined services

The Available Services list box in the Edit Rule screen (see Figure 42) displays all predefined services that the Business Secure Router already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the IP port number that defines the service.
type. For example, look at the default configuration labeled “(DNS)”. (UDP/TCP:53) means UDP port 53 and TCP port 53. Custom services can also be configured using the Custom Ports function, which is discussed in “Configuring custom ports” on page 116.

Table 36 Predefined services
AIM/New-ICQ(TCP:5190): AOL Internet Messenger service, used as a listening port by ICQ.
AUTH(TCP:113): Authentication protocol used by some servers.
Table 36 Predefined services (continued)
NEW-ICQ(TCP:5190): An Internet chat program.
NEWS(TCP:144): A protocol for news groups.
NFS(UDP:2049): Network File System (NFS) is a client/server distributed file service that provides transparent file sharing for network environments.
NNTP(TCP:119): Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service.
Table 36 Predefined services (continued)
SIP-V2(UDP:5060): The Session Initiation Protocol (SIP) is an application layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol.
SSH(TCP/UDP:22): Secure Shell Remote Logon Program.
STRM WORKS(UDP:1558): Stream Works Protocol.
Configuring attack alert

Attack alerts are the first defense against DoS attacks. In the Attack Alert screen (Figure 50) you can choose to generate an alert whenever an attack is detected. For DoS attacks, the Business Secure Router uses thresholds to determine when to drop sessions that do not become fully established. These thresholds apply globally to all sessions.
The Business Secure Router measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute. After the number of existing half-open sessions rises above a threshold (max-incomplete high), the Business Secure Router starts deleting half-open sessions as required to accommodate new connection requests.
The Business Secure Router also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections. Click the Attack Alert tab to bring up the screen shown in Figure 50.

Figure 50 Attack alert

Table 37 describes the fields in Figure 50.

Table 37 Attack alert
Generate alert when: A detected attack automatically generates a log entry.
Table 37 Attack alert (continued)
One Minute High: This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the Business Secure Router deletes half-open sessions, as required, to accommodate new connection attempts.
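The three thresholds described in this section (the total half-open count, the one-minute rate of new attempts, and the per-destination TCP Maximum Incomplete alert) interact in a way that is easier to see in code than in prose. The model below is an added example, not the router's firmware. Its assumptions: half-open sessions are deleted oldest-first, deletion stops once the count is back at a "low" mark (the text above only names the high mark), and the one-minute rate is a sliding 60-second window rather than the once-a-minute sample the router takes.

```python
from collections import OrderedDict, deque

# Added model (not Nortel code) of the Attack Alert half-open thresholds.
# Assumptions: oldest-first deletion, a "low" mark at which deletion stops,
# and a sliding 60-second window for the one-minute rate.


class HalfOpenMonitor:
    def __init__(self, max_incomplete_high, max_incomplete_low,
                 one_minute_high, tcp_max_incomplete):
        self.max_high, self.max_low = max_incomplete_high, max_incomplete_low
        self.rate_high = one_minute_high
        self.tcp_max = tcp_max_incomplete
        self.half_open = OrderedDict()   # (proto, src, sport, dst, dport) -> start time
        self.attempts = deque()          # start times of attempts within the last minute
        self.alerts = []

    def _rate(self, now):
        while self.attempts and now - self.attempts[0] >= 60:
            self.attempts.popleft()
        return len(self.attempts)

    def _tcp_incomplete_to(self, dst):
        return sum(1 for k in self.half_open if k[0] == "tcp" and k[3] == dst)

    def new_attempt(self, key, now):
        """Record a new connection attempt (TCP SYN or first UDP datagram).

        Returns the half-open sessions deleted to make room for it."""
        self.attempts.append(now)
        self.half_open[key] = now
        deleted = []
        if len(self.half_open) > self.max_high or self._rate(now) > self.rate_high:
            # Either threshold crossed: shed the oldest half-open sessions
            # until the total is back down at the low mark.
            while len(self.half_open) > self.max_low:
                old, _ = self.half_open.popitem(last=False)
                deleted.append(old)
        if key[0] == "tcp" and self._tcp_incomplete_to(key[3]) > self.tcp_max:
            # Per-destination-host limit: this one only raises an alert.
            self.alerts.append(("TCP Maximum Incomplete exceeded", key[3], now))
        return deleted

    def established(self, key):
        """Handshake completed: the session is no longer half-open."""
        self.half_open.pop(key, None)


def count_scenario():
    """Five SYNs to one server with max-incomplete high 4 / low 2."""
    mon = HalfOpenMonitor(max_incomplete_high=4, max_incomplete_low=2,
                          one_minute_high=100, tcp_max_incomplete=100)
    keys = [("tcp", f"198.51.100.{i}", 40000, "10.0.0.10", 80) for i in range(1, 6)]
    deleted = [mon.new_attempt(k, float(i)) for i, k in enumerate(keys)]
    return deleted, list(mon.half_open)


def rate_scenario():
    """Three attempts inside one minute with One Minute High set to 2."""
    mon = HalfOpenMonitor(100, 1, one_minute_high=2, tcp_max_incomplete=100)
    keys = [("udp", "198.51.100.9", 50000 + i, "10.0.0.10", 53) for i in range(3)]
    return [mon.new_attempt(k, 10.0 * i) for i, k in enumerate(keys)]


def tcp_alert_scenario():
    """Three half-open TCP sessions to one host with TCP Maximum Incomplete 2."""
    mon = HalfOpenMonitor(100, 50, 100, tcp_max_incomplete=2)
    for i in range(3):
        mon.new_attempt(("tcp", "198.51.100.9", 50000 + i, "10.0.0.10", 25), float(i))
    return len(mon.alerts)


if __name__ == "__main__":
    print(count_scenario())
    print(rate_scenario())
    print(tcp_alert_scenario())
```

The point worth noticing is the asymmetry the text states: the count and rate thresholds cause sessions to be dropped, while TCP Maximum Incomplete only generates an alert, so a single targeted host can be reported before the global thresholds are anywhere near being reached.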
129 Chapter 9 Content filtering

This chapter provides a brief overview of content filtering using the embedded WebGUI.

Introduction to content filtering

With Internet content filtering, you can create and enforce Internet access policies tailored to your needs. Content filtering is the ability to block certain web features or specific URL keywords and is not to be confused with packet filtering via SMT menu 21.1.
Configure Content Filtering

Click Content Filter on the navigation panel to open the screen shown in Figure 51.
Table 38 describes the fields in Figure 51.

Table 38 Content filter
Restrict Web Features: Select the boxes to restrict a feature. When you download a page containing a restricted feature, that part of the web page appears blank or grayed out.
ActiveX: A tool for building dynamic and active Web pages and distributed object applications.
Table 38 Content filter (continued)
Time of Day to Block: Time of Day to Block allows the administrator to define during which time periods content filtering is enabled. Time of Day to Block restrictions only apply to the keywords (see above). Restrictions on web server data, such as ActiveX, Java, Cookies and Web Proxy, are not affected. Enter the time period, in 24-hour format, during which content filtering will be enforced.
133 Chapter 10 VPN

This chapter introduces the basics of IPSec VPNs and covers the VPN WebGUI. See Chapter 16, “Logs Screens,” on page 297 for information about viewing logs and the appendices for IPSec log descriptions.

VPN

A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines.
or
• As a VPN router that can have encrypted connections to multiple remote VPN routers.

See Table 1 on page 33 for details about the VPN specifications of the BCM50e Integrated Router.

VPN screens overview

Table 39 summarizes the main functions of the VPN screens.

Security Association

A Security Association (SA) is a contract between two parties indicating which security parameters, such as keys and algorithms, they use.
Other terminology

Encryption

Encryption is a mathematical operation that transforms data from plaintext (readable) to ciphertext (scrambled text) using a key. The key and clear text are processed by the encryption operation, which leads to the data scrambling that makes encryption secure. Decryption is the opposite of encryption; it is a mathematical operation that transforms “ciphertext” to plaintext. Decryption also requires a key.
Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased lines between sites.

• Accessing Network Resources When NAT Is Enabled

When NAT is enabled between the WAN and the LAN, remote users are not able to access hosts on the LAN unless the host is designated a public LAN server for that specific protocol.
Figure 53 IPSec architecture

IPSec algorithms

The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard), AES (Advanced Encryption Standard), and Triple DES algorithms.
The Authentication Algorithms, HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404), provide an authentication mechanism for the AH and ESP protocols. The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN. An SA is built from the authentication provided by the AH and ESP protocols. The primary function of key management is to establish and maintain the SA between systems. After the SA is established, the transport of data can commence.
An added feature of the ESP is payload padding, which further protects communications by concealing the size of the packet being transmitted.

Table 40 AH and ESP (columns: ESP, AH)
ESP, Encryption: DES (default). Data Encryption Standard (DES) is a widely used method of data encryption using a secret key. DES applies a 56-bit key to each 64-bit block of data.
Encapsulation

The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode.

Figure 54 Transport and Tunnel mode IPSec encapsulation

Transport mode

Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
Outside header: The outside IP header contains the destination IP address of the VPN switch.
Inside header: The inside IP header contains the destination IP address of the final system behind the VPN switch.

The security protocol appears after the outer IP header and before the inside IP header.

IPSec and NAT

Read this section if you are running IPSec on a host computer behind the Business Secure Router. NAT is incompatible with the AH protocol in both Transport and Tunnel mode.
Tunnel mode ESP with authentication is compatible with NAT because integrity checks are performed over the combination of the original header plus original payload, which is unchanged by a NAT device. Transport mode ESP with authentication is not compatible with NAT, although NAT traversal provides a way to use Transport mode ESP when there is a NAT router between the IPSec endpoints (see “NAT Traversal” on page 147 for details).
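The three compatibility statements in "IPSec and NAT" (AH fails behind NAT in either mode, transport mode ESP fails, tunnel mode ESP survives) follow from what each integrity check covers, and a small model makes that visible. The code below is an added illustration, not router code and not a real IPSec implementation: the cipher is a SHA-256-derived XOR keystream standing in for DES, the "TCP checksum" is a truncated hash over a pseudo-header plus data, the addresses and key are constructed, and the NAT step rewrites only the outer source address and TTL, as a NAT router on the path would.

```python
import hashlib
import hmac

# Added toy model (not Nortel code): why AH and transport-mode ESP break
# behind NAT while tunnel-mode ESP does not.  The cipher and checksum are
# stand-ins for DES and the real TCP checksum; the key is constructed.

SA_KEY = b"constructed-demo-key"


def segment_checksum(src: str, dst: str, data: bytes) -> bytes:
    """Stand-in for the TCP checksum: covers a pseudo-header holding the
    IP source and destination addresses as well as the segment data."""
    return hashlib.sha256(f"{src}|{dst}|".encode() + data).digest()[:2]


def build_segment(src, dst, data):
    return segment_checksum(src, dst, data) + data


def segment_ok(src, dst, segment):
    return hmac.compare_digest(segment[:2], segment_checksum(src, dst, segment[2:]))


def xor_crypt(blob: bytes) -> bytes:
    """Symmetric toy cipher (same call encrypts and decrypts)."""
    ks = hashlib.sha256(SA_KEY + b"keystream").digest()
    ks = (ks * (len(blob) // len(ks) + 1))[:len(blob)]
    return bytes(a ^ b for a, b in zip(blob, ks))


def icv(*parts: bytes) -> bytes:
    """HMAC-SHA-1 integrity check value, as in RFC 2404."""
    return hmac.new(SA_KEY, b"".join(parts), hashlib.sha1).digest()


def ah_packet(src, dst, data):
    seg = build_segment(src, dst, data)
    # AH authenticates the immutable IP header fields (the addresses; TTL
    # is excluded) together with the payload.
    return {"src": src, "dst": dst, "ttl": 64,
            "auth": icv(src.encode(), dst.encode(), seg), "payload": seg}


def ah_receive(pkt):
    expected = icv(pkt["src"].encode(), pkt["dst"].encode(), pkt["payload"])
    return (hmac.compare_digest(pkt["auth"], expected)
            and segment_ok(pkt["src"], pkt["dst"], pkt["payload"]))


def esp_transport_packet(src, dst, data):
    enc = xor_crypt(build_segment(src, dst, data))
    # ESP's ICV covers the ESP payload only, never the outer IP header.
    return {"src": src, "dst": dst, "ttl": 64, "auth": icv(enc), "payload": enc}


def esp_transport_receive(pkt):
    if not hmac.compare_digest(pkt["auth"], icv(pkt["payload"])):
        return False
    seg = xor_crypt(pkt["payload"])
    # The segment checksum was computed over the original addresses, but
    # the receiver can only see the (possibly rewritten) outer header.
    return segment_ok(pkt["src"], pkt["dst"], seg)


def esp_tunnel_packet(outer_src, outer_dst, inner_src, inner_dst, data):
    inner = f"{inner_src}|{inner_dst}|".encode() + build_segment(inner_src, inner_dst, data)
    enc = xor_crypt(inner)   # the whole inner packet, header included, is protected
    return {"src": outer_src, "dst": outer_dst, "ttl": 64, "auth": icv(enc), "payload": enc}


def esp_tunnel_receive(pkt):
    if not hmac.compare_digest(pkt["auth"], icv(pkt["payload"])):
        return False
    inner_src, inner_dst, seg = xor_crypt(pkt["payload"]).split(b"|", 2)
    return segment_ok(inner_src.decode(), inner_dst.decode(), seg)


def nat_rewrite(pkt, new_src):
    """What a NAT router does on the way out: rewrite the outer source
    address and decrement TTL.  It cannot touch anything under ESP."""
    out = dict(pkt)
    out["src"] = new_src
    out["ttl"] -= 1
    return out


def demo():
    host, gw, public = "192.168.1.33", "203.0.113.9", "198.51.100.2"
    data = b"GET / HTTP/1.0\r\n"
    return {
        "ah_direct": ah_receive(ah_packet(host, gw, data)),
        "ah_behind_nat": ah_receive(nat_rewrite(ah_packet(host, gw, data), public)),
        "esp_transport_behind_nat": esp_transport_receive(
            nat_rewrite(esp_transport_packet(host, gw, data), public)),
        "esp_tunnel_behind_nat": esp_tunnel_receive(
            nat_rewrite(esp_tunnel_packet(host, gw, host, "10.1.1.5", data), public)),
    }


if __name__ == "__main__":
    print(demo())
```

The transport mode ESP case is the subtle one: the ESP integrity check itself passes, because NAT did not touch the protected payload, but the upper-layer checksum inside it was computed over the pre-NAT addresses and the NAT device cannot fix it without the key. That is exactly the gap NAT traversal (page 147) works around.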
Dynamic Secure Gateway Address

If the remote VPN switch has a dynamic WAN IP address and does not use DDNS, enter 0.0.0.0 as the remote VPN switch’s address. In this case, only the remote VPN switch can initiate SAs. This is useful for telecommuters initiating a VPN tunnel to the company network.

Summary screen

Figure 55 helps explain the main fields in the WebGUI.

Figure 55 IPSec summary fields

Click VPN to open the Summary screen.
Figure 56 Summary IP Policies
Table 42 describes the fields in Figure 56.

Table 42 Summary
Contivity VPN Client: The Contivity VPN Client is a simple VPN rule that lets you define and store connection information for accessing your corporate network through a VPN switch. The Contivity VPN Client uses the IPSec protocol to establish a secure end-to-end connection. If you want to set the Contivity Client rule to active, you must set all other VPN rules to inactive.
Table 42 Summary (continued)
Edit: Click the radio button next to a VPN index number and then click Edit to edit a specific VPN policy.
Delete: Click the radio button next to a VPN policy number you want to delete and then click Delete. When a VPN policy is deleted, subsequent policies do not move up in the page list.
office rules. See the VPN Branch Office Rule Setup screen (Figure 60 on page 155). Unlike keep alive, any time the Business Secure Router restarts, it also automatically renegotiates any nailed up tunnels. In effect, the IPSec tunnel becomes an “always on” connection after you initiate it. Also different from keep alive, the peer VPN switch does not have to have a Business Secure Router compatible nailed up feature enabled in order for this feature to work.
NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP port 500 header unchanged. VPN switch B checks the UDP port 500 header and responds. VPN switches A and B build a VPN connection.

NAT Traversal configuration

Enable or disable NAT traversal in the VPN Branch Office Rule Setup screen (see Figure 60 on page 155).
Figure 58 VPN Contivity Client rule setup

Table 43 VPN Contivity Client rule setup
Connection Type: Select Branch Office to manually configure a VPN rule. This has the BCM50e Integrated Router operate as a VPN router. Select Contivity Client to use a simple VPN rule that lets you define and store connection information for accessing your corporate network through a VPN switch. This has the BCM50e Integrated Router operate as a VPN client.
Table 43 VPN Contivity Client rule setup (continued)
Destination: This field specifies the IP address or the domain name (up to 31 case-sensitive characters) of the remote VPN switch. You can use alphanumeric characters, the underscore, dash, period and the @ symbol in a domain name. No spaces are allowed.
User Name: Enter the username exactly as the VPN switch administrator gives it to you.
Password: Enter the password exactly as the VPN switch administrator gives it to you.
Table 44 describes the fields in Figure 59.

Table 44 VPN Contivity Client advanced rule setup
Group Authentication: Enable Group Authentication to have the Business Secure Router send a Group ID and Group Password to the remote VPN switch for initial authentication. After a successful initial authentication, a RADIUS server associated with the remote VPN switch uses the User Name and Password to authenticate the Business Secure Router.
ID Type and content

With aggressive negotiation mode (see “Negotiation Mode” on page 171 for more information), the Business Secure Router identifies incoming SAs by ID type and content, since this identifying information is not encrypted, so that it can distinguish between multiple rules for SAs that connect from remote VPN switches that have dynamic WAN IP addresses.
Table 45 Local ID type and content fields
Local ID type: E-mail
Content: Type an e-mail address (up to 31 characters) by which to identify this Business Secure Router. The domain name or e-mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address.
The two Business Secure Routers shown in Table 48 cannot complete their negotiation because Business Secure Router B’s Local ID type is IP, but Business Secure Router A’s Peer ID type is set to E-mail. An “ID mismatched” message displays in the IPSEC LOG.

Table 48 Mismatching ID Type and Content Configuration Example
Business Secure Router A: Local ID type: IP; Local ID content: 1.1.1.10
Business Secure Router B: Local ID type: IP; Local ID content: 1.1.1.
Figure 60 VPN Branch Office rule setup
Table 49 describes the fields in Figure 60.

Table 49 VPN Branch Office rule setup
Connection Type: Select Branch Office to manually configure a VPN rule. Select Contivity Client to use a simple VPN rule that lets you define and store connection information for accessing your corporate network through a VPN switch. You can only configure one Contivity client rule.
Table 49 VPN Branch Office rule setup (continued)
Available/Selected IP Policy: The Available IP Policy table displays network routes. Use the Add, Edit and Delete buttons to configure this list. Move the network routes that you want to use the VPN tunnel down into the Selected IP Policy table. Select a network route's radio button in the Available IP Policy table, then click the down arrows to move it into the Selected IP Policy table.
Table 49 VPN Branch Office rule setup (continued)
Local IP Address: This field displays the IP address (or range of IP addresses) of the computers on your Business Secure Router's local network, for which you have configured this IP policy. This field displays the IP policy's virtual IP address (or range of addresses) when you enable branch tunnel NAT address mapping in the IP Policy screen.
Table 49 VPN Branch Office rule setup (continued)
Remote IP Address: This field displays the IP addresses of computers on the remote network behind the remote VPN switch. This field displays a single (static) IP address when the IP policy's Remote Address Type field is configured to Single Address in the IP Policy screen.
Table 49 VPN Branch Office rule setup (continued)
Certificate: Use the drop-down list to select the certificate to use for this VPN tunnel. You must have certificates already configured in the My Certificates screen. Click My Certificates to go to the My Certificates screen, where you can view the Business Secure Router's list of certificates.
Local ID Type: Select IP to identify this Business Secure Router by its IP address.
Table 49 VPN Branch Office rule setup (continued)
Peer Content: When you select IP in the Peer ID Type field, type the IP address of the computer with which you make the VPN connection or leave the field blank to have the Business Secure Router automatically use the address in the Secure Gateway Address field. When you select DNS in the Peer ID Type field, type a domain name (up to 31 characters) by which to identify the remote VPN switch.
Table 49 VPN Branch Office rule setup (continued)
ESP: Select ESP if you want to use ESP (Encapsulation Security Payload). The ESP protocol (RFC 2406) provides encryption as well as the services offered by AH. If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described next).
AH: Select AH if you want to use AH (Authentication Header Protocol).
Configuring an IP Policy

Select one of the IP policies in the VPN Branch Office screen and click Add or Edit to configure the policy’s settings. The Branch Office – IP Policy setup screen is shown in Figure 61.
Table 50 describes the fields in Figure 61.

Table 50 VPN Branch Office — IP Policy
Protocol: Enter a number to specify what type of traffic is allowed to go through the VPN tunnel that is built using this IP policy. Use 1 for ICMP, 6 for TCP, 17 for UDP, and so on. 0 is the default and signifies any protocol. For example, if you select 1 (ICMP), only ICMP packets can go through the tunnel.
Table 50 VPN Branch Office — IP Policy (continued)
Type: Select one of the following port mapping types.
1. One-to-One: One-to-one mode maps one private IP address to one virtual IP address. Port numbers do not change with one-to-one NAT mapping.
2. Many-to-One: Many-to-One mode maps multiple private IP addresses to one virtual IP address. This is equivalent to SUA (for example, PAT, port address translation), Business Secure Router's Single User Account feature.
3.
Table 50 VPN Branch Office — IP Policy (continued)
Virtual Ending IP Address: When the Type field is configured to One-to-one or Many-to-One, this field is N/A. When the Type field is configured to Many One-to-one, enter the ending (static) IP address of the range of IP addresses that you want to use for the VPN tunnel.
Local: Local IP addresses must be static and correspond to the remote VPN switch's configured remote IP addresses.
Table 50 VPN Branch Office — IP Policy (continued)
Protocol: Enter a number to specify what type of traffic is allowed to go through the VPN tunnel that is built using this IP policy. Use 1 for ICMP, 6 for TCP, 17 for UDP, and so on. 0 is the default and signifies any protocol. For example, if you select 1 (ICMP), only ICMP packets can go through the tunnel. If you specify a protocol other than 1 (ICMP) or 0 (any protocol), you cannot use the control ping feature.
Table 50 VPN Branch Office — IP Policy (continued)
Ending IP Address / Subnet Mask: When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address, in a range of computers on the LAN behind your Business Secure Router. When the Address Type field is configured to Subnet Address, this is a subnet mask on the LAN behind your Business Secure Router.
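The Protocol and address selector fields of Table 50 together decide which packets are steered into a tunnel, and a small evaluator shows how the three address types (Single Address, Range Address, Subnet Address) and the protocol number (0 for any, 1 for ICMP, 6 for TCP, 17 for UDP) combine. This is an added example, not the router's own policy code; treating a policy as matching only when both the local and the remote selector match is an assumption of the model, and the addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not Nortel code): evaluator for the IP Policy address
# selectors and protocol number described in Table 50.

PROTO_ANY, PROTO_ICMP, PROTO_TCP, PROTO_UDP = 0, 1, 6, 17


@dataclass
class AddressSpec:
    address_type: str       # "single", "range" or "subnet"
    start: str              # Starting IP Address (or the single address)
    end_or_mask: str = ""   # Ending IP Address for "range"; subnet mask for "subnet"

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if self.address_type == "single":
            return addr == ipaddress.ip_address(self.start)
        if self.address_type == "range":
            return (ipaddress.ip_address(self.start) <= addr
                    <= ipaddress.ip_address(self.end_or_mask))
        if self.address_type == "subnet":
            # ipaddress accepts a dotted netmask after the slash.
            net = ipaddress.ip_network(f"{self.start}/{self.end_or_mask}", strict=False)
            return addr in net
        raise ValueError(f"unknown address type {self.address_type!r}")


@dataclass
class IPPolicy:
    protocol: int           # 0 = any, otherwise an IP protocol number
    local: AddressSpec
    remote: AddressSpec

    def allows(self, proto_number: int, local_ip: str, remote_ip: str) -> bool:
        """Would traffic from local_ip to remote_ip enter this policy's tunnel?"""
        if self.protocol != PROTO_ANY and self.protocol != proto_number:
            return False
        return self.local.contains(local_ip) and self.remote.contains(remote_ip)

    def control_ping_usable(self) -> bool:
        """Table 50: any protocol other than 0 or 1 rules out control ping."""
        return self.protocol in (PROTO_ANY, PROTO_ICMP)


def policy_demo():
    tcp_only = IPPolicy(PROTO_TCP,
                        AddressSpec("range", "192.168.1.10", "192.168.1.20"),
                        AddressSpec("subnet", "10.1.0.0", "255.255.0.0"))
    any_proto = IPPolicy(PROTO_ANY,
                         AddressSpec("single", "192.168.1.5"),
                         AddressSpec("single", "10.2.0.9"))
    return {
        "tcp_in_range": tcp_only.allows(PROTO_TCP, "192.168.1.15", "10.1.2.3"),
        "udp_in_range": tcp_only.allows(PROTO_UDP, "192.168.1.15", "10.1.2.3"),
        "tcp_out_of_range": tcp_only.allows(PROTO_TCP, "192.168.1.25", "10.1.2.3"),
        "tcp_wrong_subnet": tcp_only.allows(PROTO_TCP, "192.168.1.15", "10.3.2.3"),
        "icmp_any": any_proto.allows(PROTO_ICMP, "192.168.1.5", "10.2.0.9"),
        "ping_tcp_only": tcp_only.control_ping_usable(),
        "ping_any": any_proto.control_ping_usable(),
    }


if __name__ == "__main__":
    for case, result in policy_demo().items():
        print(case, result)
```

The "ping_tcp_only" case is the operational gotcha in the table's last sentence: restricting a policy to TCP is a reasonable least-privilege choice, but it silently disables the control ping used to monitor the tunnel.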
Figure 62 VPN Branch Office — IP Policy - Port Forwarding Server

Table 51 describes the fields in Figure 62.

Table 51 VPN Branch Office — IP Policy - Port Forwarding Server
Default Server: In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen.
Table 51 VPN Branch Office — IP Policy - Port Forwarding Server (continued)
Start Port: Type a port number in this field. To forward only one port, type the port number again in the End Port field. To forward a series of ports, type the start port number here and the end port number in the End Port field.
End Port: Type a port number in this field. To forward only one port, type the port number in the Start Port field above and then type it again in this field.
In Phase 1 you must:
• Choose a negotiation mode.
• Authenticate the connection by entering a preshared key.
• Choose an encryption algorithm.
• Choose an authentication algorithm.
• Choose a Diffie-Hellman public-key cryptography key group (DH1, DH2, and DH5).
• Set the IKE SA lifetime. In this field you can determine how long an IKE SA will stay up before it times out. An IKE SA times out when the IKE SA lifetime period expires.
Main Mode ensures the highest level of security when the communicating parties are negotiating authentication (phase 1). It uses 6 messages in three round trips: SA negotiation, Diffie-Hellman exchange, and an exchange of nonces (a nonce is a random number). This mode features identity protection (your identity is not revealed in the negotiation).
This can be unnecessary for data that does not require such security, so PFS is disabled (None) by default in the Business Secure Router. Disabling PFS means new authentication and encryption keys are derived from the same root secret (which can have security implications in the long run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).
Table 52 describes the fields in Figure 64.

Table 52 VPN Branch Office Advanced Rule Setup
Enable Replay Detection: As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Enable replay detection by setting this field to YES.
Phase 1: A phase 1 exchange establishes an IKE SA (Security Association).
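The Enable Replay Detection field turns on the receiver-side check that rejects "old or duplicate packets". The standard mechanism behind that sentence is a sliding window over the sequence number carried in every AH and ESP header, and the following added example implements it so the accept/reject behaviour on reordered, duplicated and very late packets can be seen. It is not the router's code; the 64-packet window size is the common default and is an assumption here, since the manual does not state the router's window, and the sequence-number stream is constructed.

```python
# Added example (not Nortel code): sliding-window anti-replay check as an
# IPSec receiver applies it to AH/ESP sequence numbers.  The 64-packet
# window is an assumption; the manual does not give the router's value.

WINDOW_SIZE = 64


class ReplayWindow:
    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence (highest - i) already seen

    def accept(self, seq: int) -> bool:
        """Return True if seq is fresh and inside the window; update state."""
        if seq <= 0:
            return False                    # sequence numbers start at 1
        if seq > self.highest:
            # Newer than anything seen: slide the window forward to seq.
            shift = seq - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        distance = self.highest - seq
        if distance >= self.size:
            return False                    # older than the window: "old" packet
        if self.bitmap & (1 << distance):
            return False                    # already seen: "duplicate" packet
        self.bitmap |= 1 << distance        # late but fresh (reordered): accept
        return True


def replay_demo():
    """Constructed sequence-number stream, returned as (seq, accepted) pairs."""
    win = ReplayWindow()
    stream = [1, 3, 2, 2, 1, 100, 36, 37, 100]
    return [(s, win.accept(s)) for s in stream]


if __name__ == "__main__":
    for seq, ok in replay_demo():
        print(seq, "accepted" if ok else "rejected")
```

Reordering within the window (3 before 2) is tolerated, a repeat of 2 or 1 is a duplicate, and after 100 arrives, 36 falls exactly one outside the 64-packet window while 37 is still accepted. This is why replay detection is cheap enough to leave enabled: one comparison and one bit test per packet, with no per-packet cryptography beyond the ICV the receiver already computes.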
Table 52 VPN Branch Office Advanced Rule Setup (continued)
Key Group: You must choose a key group for phase 1 IKE setup. DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1 024-bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5, a 1 536-bit random number.
Phase 2: A phase 2 exchange uses the IKE SA established in phase 1 to negotiate the SA for IPSec.
Table 52 VPN Branch Office Advanced Rule Setup (continued)
SA Life Time: Define the length of time before an IKE SA automatically renegotiates in this field. It can range from 60 to 3 000 000 seconds (almost 35 days). A short SA life time increases security by forcing the two VPN switches to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This screen displays active VPN connections. Use Refresh to display active VPN connections. This screen is read-only. Table 53 describes the fields in this tab.

Note: When there is outbound traffic but no inbound traffic, the SA times out automatically after two minutes. A tunnel with no outbound or inbound traffic is idle and does not time out until the SA lifetime period expires.
Table 53 VPN SA Monitor
Encapsulation: This field displays Tunnel or Transport mode.
IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase Business Secure Router processing requirements and communications latency (delay).
Refresh: Click Refresh to display the current active VPN connections. This button is available when you have active VPN connections.
Figure 66 VPN Global Setting

Table 54 describes the fields in Figure 66.

Table 54 VPN Global Setting
Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. It is sometimes necessary to allow NetBIOS packets to pass through VPN tunnels in order to allow local computers to find computers on the remote network and vice versa.
Table 54 VPN Global Setting (continued)
Contivity Client Fail-Over: The Contivity Client fail-over feature allows a Contivity client to establish a VPN connection to a backup VPN switch when the default remote VPN switch (specified in the Destination field) is not accessible. The VPN fail-over feature must also be set up in the remote VPN switch.
First Gateway / Second Gateway / Third Gateway: These read-only fields display the IP addresses of the backup VPN switches.
Figure 67 VPN Client Termination
Table 55 describes the fields in Figure 67.

Table 55 VPN Client Termination
Enable Client Termination: Turn on the client termination feature if you want the BCM50e Integrated Router to support VPN connections from computers using Contivity VPN Client software.
Local User Database: Select this option to have the BCM50e Integrated Router use its internal list of users to authenticate the Contivity VPN clients.
Table 55 VPN Client Termination (continued)
Encryption: Select the combinations of protocol and encryption and authentication algorithms that the BCM50e Integrated Router is to use for the phase 2 VPN connections (VPN tunnels) with Contivity VPN clients. The ESP (Encapsulation Security Payload) protocol (RFC 2406) uses encryption as well as the services offered by AH.
Table 55 VPN Client Termination (continued)
IP Address Pool: Have the BCM50e Integrated Router assign IP addresses to the Contivity VPN clients from a pool of IP addresses that you define. Select the pool to use. Click Configure IP Address Pool to define the ranges of IP addresses that you can select from.
Enable Perfect Forward Secrecy: Perfect Forward Secrecy (PFS) is disabled by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure.
Figure 68 VPN Client Termination IP pool summary

Table 56 describes the fields in Figure 68.

Table 56 VPN Client Termination IP pool summary
Return to ->Client Termination Page: Click this link to return to the screen used to configure the general settings for use with all of the Contivity VPN Client tunnels.
#: These numbers are an incremental value. The position of the IP address pool in the list does not matter.
VPN Client Termination IP pool edit

In the WebGUI, click VPN on the navigation panel and the Client Termination tab to open the VPN Client Termination screen. Then click the Configure IP Address Pool link to open the VPN Client Termination IP Pool Summary screen. Click the radio button next to an IP address pool entry and click Edit to open the following screen where you can configure the entry’s settings.
Table 57 VPN Client Termination IP pool edit
Pool Size: Specify how many IP addresses the BCM50e Integrated Router is to give out from the pool created by the starting address and subnet mask. 256 is the maximum.
Apply: Click Apply to save your changes to the BCM50e Integrated Router.
Cancel: Click Cancel to return to the IP Pool Summary screen without saving your changes.
Figure 70 VPN Client Termination advanced
Table 58 describes the fields in Figure 70.

Table 58 VPN Client Termination advanced
NAT Traversal: Select Enabled in order to use NAT traversal when there is a NAT router between the BCM50e Integrated Router and the Contivity VPN clients. The Contivity VPN clients must also have NAT traversal enabled. You also need to specify the UDP port that is used for the VPN traffic.
Table 58 VPN Client Termination advanced (continued)
Accept ISAKMP Initial Contact Payload: The Business Secure Router can accept the INITIAL-CONTACT status messages to inform it that the Contivity VPN client is establishing a first SA. The Business Secure Router then deletes the existing SAs because it assumes that the sending Contivity VPN client has restarted and no longer has access to any of the existing SAs.
Table 58 VPN Client Termination advanced (continued)
Password Management: You can have the BCM50e Integrated Router use some password requirements to enhance security.
Alpha-Numeric Password Required: Use this to have the BCM50e Integrated Router require the Contivity VPN client passwords to have both numbers and letters.
Maximum Password Age: Enter the maximum number of days that a Contivity VPN client can use a password before it has to be changed.
Chapter 11 Certificates

This chapter gives background information about public-key certificates and explains how to use them.

Certificates overview

The Business Secure Router can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
The Business Secure Router uses certificates based on public-key cryptography to authenticate users attempting to establish a connection, not to encrypt the data that is sent after establishing a connection. The method used to secure the data that is sent through an established connection depends on the type of connection. For example, a VPN tunnel can use the triple DES encryption algorithm. The certification authority uses its private key to sign certificates.
Configuration summary

This section summarizes how to manage certificates on the Business Secure Router.

Figure 71 Certificate configuration overview

Use the My Certificate screens to generate and export self-signed certificates or certification requests and import the Business Secure Router’s CA-signed certificates. Use the Trusted CA screens to save CA certificates to the Business Secure Router. Use the Trusted Remote Hosts screens to import self-signed certificates.
Figure 72 My Certificates
Table 59 describes the labels in Figure 72.

Table 59 My Certificates
PKI Storage Space in Use: This bar displays the percentage of the Business Secure Router’s PKI storage space that is currently in use. The bar turns from green to red when the maximum is being approached. When the bar is red, consider deleting expired or unnecessary certificates before adding more certificates.
Table 59 My Certificates (continued)
Modify: Click the details icon to open a screen with an in-depth list of information about the certificate. Click the delete icon to remove the certificate. A window displays, asking you to confirm that you want to delete the certificate. You cannot delete a certificate that one or more features are configured to use. Do the following to delete a certificate that shows *SELF in the Type field. 1.
• Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that can be encrypted. The Business Secure Router currently allows the importation of a PKCS#7 file that contains a single certificate.
• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses 64 ASCII characters to convert a binary PKCS#7 certificate into a printable form.
Figure 73 My Certificate Import

Table 60 describes the labels in Figure 73.

Table 60 My Certificate Import
File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
Browse: Click Browse to find the certificate file you want to upload.
Apply: Click Apply to save the certificate to the Business Secure Router.
Cancel: Click Cancel to quit and return to the My Certificates screen.
Creating a certificate

Click CERTIFICATES, My Certificates and then Create to open the My Certificate Create screen. Use this screen to have the Business Secure Router create a self-signed certificate, enroll a certificate with a certification authority, or generate a certification request. For more information, see Figure 74.
Table 61 describes the labels in Figure 74.

Table 61 My Certificate create
Certificate Name: Type up to 31 ASCII characters (not including spaces) to identify this certificate.
Subject Information: Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although the Common Name is mandatory.
Table 61 My Certificate create (continued)
Create a certification request and save it locally for later manual enrollment: Select Create a certification request and save it locally for later manual enrollment to have the Business Secure Router generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority.
Table 61 My Certificate create (continued)
Apply: Click Apply to begin certificate or certification request generation.
Cancel: Click Cancel to quit and return to the My Certificates screen.

After you click Apply in the My Certificate Create screen, you see a screen that tells you the Business Secure Router is generating the self-signed certificate or certification request.
Figure 75 My Certificate details
Table 62 describes the labels in Figure 75.

Table 62 My Certificate details
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You can use any character (not including spaces).
Property: Default self-signed certificate that signs the imported remote host certificates.
Table 62 My Certificate details (continued)
Issuer: This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization or Country. With self-signed certificates, this is the same as the Subject Name field.
Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate.
Table 62 My Certificate details (continued)
Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form.
Figure 76 Trusted CAs

Table 63 describes the labels in Figure 76.

Table 63 Trusted CAs
PKI Storage Space in Use: This bar displays the percentage of the Business Secure Router’s PKI storage space that is currently in use. The bar turns from green to red when the maximum is approached. When the bar is red, consider deleting expired or unnecessary certificates before adding more certificates.
#: This field displays the certificate index number.
Table 63 Trusted CAs (continued)
Issuer: This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization, or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From: This field displays the date that the certificate becomes applicable.
Importing a Trusted CA’s certificate

Click CERTIFICATES, Trusted CAs to open the Trusted CAs screen and then click Import to open the Trusted CA Import screen, shown in Figure 77. Follow the instructions in this screen to save a trusted certification authority’s certificate to the Business Secure Router.

Note: You must remove any spaces from the certificate’s filename before you can import the certificate.

Figure 77 Trusted CA import

Table 64 describes the labels in Figure 77.
Table 64 Trusted CA import
Apply: Click Apply to save the certificate on the Business Secure Router.
Cancel: Click Cancel to quit and return to the Trusted CAs screen.

Trusted CA Certificate details

Click CERTIFICATES, Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CA Details screen, shown in Figure 78.
Figure 78 Trusted CA details
Table 65 describes the labels in Figure 78.

Table 65 Trusted CA details
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You can use any character (not including spaces).
Table 65 Trusted CA details (continued)
Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Other certification authorities can use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).
Table 65 Trusted CA details (continued)
Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form.
Figure 79 Trusted remote hosts

Table 66 describes the labels in Figure 79.

Table 66 Trusted Remote Hosts
PKI Storage Space in Use: This bar displays the percentage of the Business Secure Router’s PKI storage space that is currently in use. The bar turns from green to red when the maximum is approached. When the bar is red, consider deleting expired or unnecessary certificates before adding more certificates.
Table 66 Trusted Remote Hosts (continued)
Subject: This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company), or C (Country). Nortel recommends that each certificate have unique subject information.
Valid From: This field displays the date that the certificate becomes applicable.
Figure 80 Remote host certificates

3 Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.

Figure 81 Certificate details

Verify (over the phone, for example) that the remote host has the same information in the Thumbprint Algorithm and Thumbprint fields.
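The PEM (Base-64) form shown in the certificate detail screens and the thumbprint comparison in step 3 can both be worked through offline. The following Python is an added example and not part of the Nortel manual: it wraps a constructed stand-in byte string (SAMPLE_DER, not a real certificate) into PEM with 64-character lines, parses it back while rejecting malformed input, and computes the SHA-1 thumbprint in the colon-separated form certificate viewers display, normalizing spaces, colons and case before comparing it with the value read out over the phone.

```python
import base64
import binascii
import hashlib
import hmac
import re

# The 64 printable ASCII characters that PEM (Base-64) uses to represent binary data.
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
PEM_LINE_LENGTH = 64  # PEM bodies are wrapped at 64 characters per line

# Constructed stand-in for a binary (DER) certificate; NOT a real X.509 or PKCS#7 structure.
SAMPLE_DER = bytes(range(256)) * 3


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Convert binary data to printable PEM: BEGIN line, 64-char Base-64 lines, END line."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + PEM_LINE_LENGTH] for i in range(0, len(body), PEM_LINE_LENGTH)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def pem_to_der(pem: str, label: str = "CERTIFICATE") -> bytes:
    """Parse PEM text back to binary, rejecting a wrong header/footer or non-Base-64 content."""
    lines = [line.strip() for line in pem.strip().splitlines() if line.strip()]
    if (len(lines) < 3 or lines[0] != f"-----BEGIN {label}-----"
            or lines[-1] != f"-----END {label}-----"):
        raise ValueError("missing or mismatched PEM BEGIN/END lines")
    body = "".join(lines[1:-1])
    if any(ch not in B64_ALPHABET + "=" for ch in body):
        raise ValueError("character outside the Base-64 alphabet in PEM body")
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"malformed Base-64 body: {exc}") from exc


def is_valid_pem(pem: str, label: str = "CERTIFICATE") -> bool:
    """True when the text parses as a PEM block carrying the given label."""
    try:
        pem_to_der(pem, label)
        return True
    except ValueError:
        return False


def thumbprint(der: bytes, algorithm: str = "sha1") -> str:
    """Hash of the DER bytes, formatted like a viewer's Thumbprint field (aa:bb:cc:...)."""
    digest = hashlib.new(algorithm, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprints_match(local: str, reported: str) -> bool:
    """Compare two thumbprints regardless of letter case and of space/colon separators."""
    def normalize(value: str) -> str:
        return re.sub(r"[^0-9a-f]", "", value.lower())

    local_hex, reported_hex = normalize(local), normalize(reported)
    # compare_digest returns False on a length mismatch and avoids timing leaks.
    return bool(local_hex) and hmac.compare_digest(local_hex, reported_hex)


if __name__ == "__main__":
    pem_text = der_to_pem(SAMPLE_DER)
    print(pem_text)
    print("Thumbprint Algorithm: sha1")
    print("Thumbprint:", thumbprint(pem_to_der(pem_text)))
```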
Importing a certificate of a trusted remote host

Click CERTIFICATES, Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen. Follow the instructions in this screen to save a trusted host’s certificate to the Business Secure Router (see Figure 82).

Note: The trusted remote host certificate must be a self-signed certificate, and you must remove any spaces from its file name before you can import it.
Table 67 describes the labels in Figure 82.

Table 67 Trusted remote host import
File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
Browse: Click Browse to find the certificate file you want to upload.
Apply: Click Apply to save the certificate on the Business Secure Router.
Cancel: Click Cancel to quit and return to the Trusted Remote Hosts screen.
Figure 83 Trusted remote host details
Table 68 describes the labels in Figure 83.

Table 68 Trusted remote host details
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You can use any character (not including spaces).
Table 68 Trusted remote host details (continued)
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Key Algorithm: This field displays the type of algorithm that was used to generate the certificate’s key pair (the Business Secure Router uses RSA encryption) and the length of the key set in bits (1 024-bits, for example).
Table 68 Trusted remote host details (continued)
Apply: Click Apply to save your changes to the Business Secure Router. You can only change the name of the certificate.
Cancel: Click Cancel to quit configuring this screen and return to the Trusted Remote Hosts screen.

Directory servers

Click CERTIFICATES, Directory Servers to open the Directory Servers screen (Figure 84).
Table 69 describes the labels in Figure 84.

Table 69 Directory Servers
PKI Storage Space in Use: This bar displays the percentage of the Business Secure Router’s PKI storage space that is currently in use. The bar turns from green to red when the maximum is approached. When the bar is red, consider deleting expired or unnecessary certificates before adding more certificates.
#: The index number of the directory server.
Figure 85 Directory server add

Table 70 describes the labels in Figure 85.

Table 70 Directory server add
Directory Service Setting
Name: Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server.
Access Protocol: Use the drop-down list to select the access protocol used by the directory server.
Table 70 Directory server add (continued)
Server Port: This field displays the default server port number of the protocol that you select in the Access Protocol field. You can change the server port number if needed; however, you must use the same server port number that the directory server uses. The default server port number for LDAP is 389.
Login Setting
Login: The Business Secure Router must authenticate itself in order to access the directory server.
Chapter 12 Bandwidth management

This chapter describes the functions and configuration of bandwidth management.

Bandwidth management overview

With bandwidth management, you can allocate an interface’s outgoing capacity to specific types of traffic. It can also help you make sure that the Business Secure Router forwards certain types of traffic (especially real-time applications) with minimum delay.
Bandwidth classes and filters

Use bandwidth subclasses to allocate specific amounts of bandwidth capacity (bandwidth budgets). Configure a bandwidth filter to define a bandwidth subclass based on a specific application or subnet. Use the Class Setup tab (see “Bandwidth Manager Class Configuration” on page 235) to set up a bandwidth class name, bandwidth allotment, and filter specifics.
Figure 86 Subnet based bandwidth management example

Application and subnet based bandwidth management

You can also create bandwidth classes based on a combination of a subnet and an application. Table 71 shows bandwidth allocations for application specific traffic from separate LAN subnets.

Table 71 Application and Subnet based Bandwidth Management Example
Traffic Type   From Subnet A   From Subnet B
FTP            64 Kb/s         64 Kb/s
H.
Configuring summary

Click BW MGMT to open the Summary screen. Enable bandwidth management on an interface and set the maximum allowed bandwidth for that interface.

Figure 87 Bandwidth Manager: Summary

Table 72 describes the labels in Figure 87.

Table 72 Bandwidth Manager: Summary
WAN / LAN: These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwidth management on that interface.
Table 72 Bandwidth Manager: Summary (continued)
Speed (kbps): Enter the amount of bandwidth for this interface that you want to allocate using bandwidth management. This appears as the bandwidth budget of the interface’s root class (see “Configuring class setup” on page 233). Nortel recommends that you set this speed to match what the device connected to the port can handle.
Figure 88 Bandwidth Manager: Class setup

Table 73 describes the labels in Figure 88.

Table 73 Bandwidth Manager: Class Setup
Interface: Select an interface from the drop-down list for which you wish to set up classes.
Bandwidth Management: This field displays whether bandwidth management on the interface you selected in the field above is enabled (Active) or not (Inactive).
Add Subclass: Click Add Sub-class to add a subclass.
Table 73 Bandwidth Manager: Class Setup (continued)
#: This is the number of a filter entry. The ordering of your filters is important, as they are applied in turn. Use the Move button to reorder your filters.
Filter Name: This is the Class Name that you configured in the Edit Class screen.
Service: If you selected a predefined application (FTP, H.323 or SIP), it displays here.
Figure 89 Bandwidth Manager: Edit class

Table 74 describes the labels in Figure 89.

Table 74 Bandwidth Manager: Edit class
Class Configuration
Class Name: Use the autogenerated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces.
Bandwidth Budget (kbps): Specify the maximum bandwidth allowed for the class in kb/s. The recommendation is a setting between 20 kbps and 20 000 kbps for an individual class.
Table 74 Bandwidth Manager: Edit class (continued)
Filter Configuration
Enable Bandwidth Filter: Select Enable Bandwidth Filter to have the Business Secure Router use this bandwidth filter when it performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields, which are only available when you enter the destination or source IP address).
Table 74 Bandwidth Manager: Edit class (continued)
Source Port: Enter the port number of the source. See Table 75 for some common services and port numbers.
Protocol ID: Enter the protocol ID (service type) number, for example: 1 for ICMP, 6 for TCP or 17 for UDP.
Apply: Click Apply to save your changes to the Business Secure Router.
Cancel: Click Cancel to exit this screen without saving.
Figure 90 Bandwidth management statistics

Table 76 describes the labels in Figure 90.

Table 76 Bandwidth management statistics
Class Name: This field displays the name of the class the statistics page is showing.
Budget (kbps): This field displays the amount of bandwidth allocated to the class.
Tx Packets: This field displays the total number of packets transmitted.
Tx Bytes: This field displays the total number of bytes transmitted.
Monitor

To view the device’s bandwidth usage and allotments, click BW MGMT, then the Monitor tab. The screen appears as shown in Figure 91.

Figure 91 Bandwidth manager monitor

Table 77 describes the labels in Figure 91.

Table 77 Bandwidth manager monitor
Interface: Select an interface from the drop-down list to view the bandwidth usage of its bandwidth classes.
Class: This field displays the name of the class.
Chapter 13 Authentication server

The Business Secure Router can use either the local user database internal to the Business Secure Router or an external RADIUS server for an unlimited number of users.

Introduction to Local User database

By storing user profiles locally on the Business Secure Router, your Business Secure Router is able to authenticate users without interacting with a network RADIUS server. However, there is a limit on the number of users you can authenticate in this way.
Figure 92 Local User database

Table 78 describes the labels in Figure 92.

Table 78 Local User database
User ID: This field displays the logon name for the user account.
Active: This field displays Yes if the user account is enabled or No if it is disabled.
User type: This field displays whether the user account can be used for an IEEE 802.1X or IPSec logon (or both).
Last Name: This field displays the user’s last name.
Table 78 Local User database (continued)
Status: This field displays the status of IPSec user accounts. A dash appears for all other accounts. Valid displays if an IPSec user can use the account to log on. Expired displays if an IPSec user can no longer use the account to log on.
Figure 93 Local User database edit
Table 79 describes the labels in Figure 93.

Table 79 Local User database edit
Active: Select this check box to turn on the user account. Clear this check box to turn off the user account.
User Type: Select 802.1X to set this user account to be used for an IEEE 802.1X logon. Select IPSec to set this user account to be used for an IPSec logon. Select 802.1X/IPSec to set this user account to be used for both IEEE 802.1X and IPSec logons.
Table 79 Local User database edit (continued)
Split Tunnel Networks: This field applies when you select Enabled in the Split Tunneling field. Select the network for which you force traffic to be encrypted and go through the VPN tunnel.
Inverse Split: This field applies when you select Enabled - Inverse or Enabled - Inverse (locally connected) in the Split Tunneling field.
Table 80 describes the labels in Figure 94.

Table 80 Current split networks
Return to Local User Database -> User Edit Page: Click this link to return to the screen where you configure a local user database entry.
Current Split Networks: This is the list of names of split or inverse split networks.
Add: Click Add to open another screen where you can specify split or inverse split networks.
Figure 95 Current split networks edit

Table 81 describes the labels in Figure 95.

Table 81 Current split networks edit
Network Name: Enter a name to identify the split network.
IP Address: Enter the IP address for the split network in dotted decimal notation.
Netmask: Enter the netmask for the split network in dotted decimal notation.
Table 81 Current split networks edit (continued)
Current Subnets for Network: This box displays the subnets that belong to this split network.
Add: Click Add to save your split network configuration.
Delete: Select a network subset and click Delete to remove it.
Clear: Click Clear to remove all of the configuration field and subnet settings.
Apply: Click Apply to save your changes to the Business Secure Router.
Figure 96 RADIUS

Table 82 describes the labels in Figure 96.

Table 82 RADIUS
Authentication Server
Active: Select the check box to enable user authentication through an external authentication server. Clear the check box to enable user authentication using the local user profile on the Business Secure Router.
Server IP Address: Enter the IP address of the external authentication server in dotted decimal notation.
Table 82 RADIUS (continued)
Port Number: The default port of the RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so with additional information.
Key: Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the Business Secure Router.
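The Key in Table 82 is the RADIUS shared secret, and the following Python shows what it protects. This is an added example, not code from the Nortel manual: following RFC 2865, it builds an Access-Request in which the User-Password is hidden with MD5(secret + authenticator) masks, has the server sign its reply with a Response Authenticator over the same secret, and shows the client rejecting a reply signed with a different key. SHARED_KEY, the user name and password, and the fixed REQUEST_AUTHENTICATOR are constructed demo values; a real client draws the authenticator from a random source.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

# Constructed demo values: the Key configured on the router and on the RADIUS server,
# and a fixed Request Authenticator. A real client uses os.urandom(16) for the latter.
SHARED_KEY = b"constructedDemoKey2006"
REQUEST_AUTHENTICATOR = bytes(range(16))


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length includes the two header bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def find_attribute(packet: bytes, attr_type: int) -> Optional[bytes]:
    """Walk the attribute list after the header and return the first value of the given type."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            raise ValueError("malformed attribute length")
        if a_type == attr_type:
            return packet[pos + 2:pos + a_len]
        pos += a_len
    return None


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each with MD5(secret + previous output block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password, as run by the server with its copy of the shared key."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_authenticator: bytes) -> bytes:
    """Client side (the router): Access-Request carrying User-Name and the hidden User-Password."""
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_authenticator + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    response_authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_authenticator + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if the Identifier matches the outstanding request
    and the Response Authenticator recomputes with the client's own copy of the key."""
    if len(response) < HEADER_LEN or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    if response[1] != request[1]:
        return False
    header, received, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    req = build_access_request(7, b"alice", b"a-passphrase-longer-than-16-bytes",
                               SHARED_KEY, REQUEST_AUTHENTICATOR)
    accept = build_response(ACCESS_ACCEPT, req, SHARED_KEY)
    forged = build_response(ACCESS_ACCEPT, req, b"someOtherKey")
    print("Access-Accept signed with the shared key verifies:", verify_response(accept, req, SHARED_KEY))
    print("Access-Accept signed with a different key verifies:", verify_response(forged, req, SHARED_KEY))
```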
Chapter 14 Remote management screens

This chapter provides information on the Remote Management screens.

Remote management overview

Remote management allows you to determine which services and protocols can access which Business Secure Router interface (if any) from which computers.

Note: When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.
1 A filter in SMT menu 3.1 (LAN) or in menu 11.1.4 (WAN) is applied to block a Telnet, FTP, or Web service.
2 A service is disabled in one of the remote management screens.
3 The IP address in the Secured Client IP field does not match the client IP address. If it does not match, the Business Secure Router disconnects the session immediately.
4 Another remote management session of the same type (web, FTP or Telnet) is running.
Introduction to HTTPS

HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts Web pages. Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party), and data integrity (you know if data has been changed).
256 Chapter 14 Remote management screens Figure 97 HTTPS implementation Note: If you disable HTTP Server Access (Disable) in the REMOTE MGMT WWW screen, the Business Secure Router blocks all HTTP connection attempts. Configuring WWW To change your Business Secure Router’s Web settings, click REMOTE MGMT to open the WWW screen.
Figure 98 WWW

Table 83 describes the labels in Figure 98.

Table 83 WWW

HTTPS Server Certificate: Select the server certificate that the Business Secure Router uses to identify itself. The Business Secure Router is the SSL server and must always authenticate itself to the SSL client (the computer that requests the HTTPS connection with the Business Secure Router).
Server Port: The HTTPS proxy server listens on port 443 by default. If you change the HTTPS proxy server port to a different number on the Business Secure Router, for example 8443, you must tell the people who need to access the Business Secure Router WebGUI to use https://<Business Secure Router IP address>:8443 as the URL.
Internet Explorer warning messages

When you attempt to access the Business Secure Router HTTPS server, a Windows dialog box appears, asking if you trust the server certificate. Click View Certificate if you want to verify that the certificate is from the Business Secure Router. The Security Alert screen shown in Figure 99 appears in Internet Explorer. Select Yes to proceed to the WebGUI logon screen; if you select No, WebGUI access is blocked.

Select Accept this certificate permanently to import the Business Secure Router's certificate into the SSL client. Before you do, compare the certificate details with the one listed on the CERTIFICATES screen; accepting a certificate you have not checked defeats the purpose of HTTPS.
Figure 101 Security Certificate 2 (Netscape)

Avoiding the browser warning messages

The following section describes the main reasons that your browser displays warnings about the Business Secure Router's HTTPS server certificate and what you can do to avoid seeing the warnings.

• The issuing certificate authority of the Business Secure Router's HTTPS server certificate is not one of the browser's trusted certificate authorities.
• The common name (CN) in the certificate does not match the address you typed in the browser.

a Click REMOTE MGMT. Write down the name of the certificate displayed in the Server Certificate field.
b Click CERTIFICATES. Find the certificate that was displayed in the Server Certificate field and check its Subject column. CN stands for the certificate's common name (see Figure 105 on page 266 for an example).

Use this procedure to have the Business Secure Router use a certificate with a common name that matches the Business Secure Router's actual IP address.
Figure 102 Logon screen (Internet Explorer)

Figure 103 Login screen (Netscape)

Click Login to proceed. The screen shown in Figure 104 appears. The factory default certificate is a common default certificate shared by all Business Secure Router models.

Figure 104 Replace certificate

Click Apply in the Replace Certificate screen to create a certificate, derived from your Business Secure Router's MAC address, that is specific to this device. Click CERTIFICATES to open the My Certificates screen. You see information similar to that shown in Figure 105.

Figure 105 Device-specific certificate

Click Ignore in the Replace Certificate screen to keep using the common Business Secure Router certificate. The My Certificates screen appears (Figure 106). Because the common certificate and its private key are the same on every unit shipped, anyone with another unit can present it; generate the device-specific certificate before you import anything into a browser's trust store.
Figure 106 Common Business Secure Router certificate

SSH overview

Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.

Figure 107 SSH Communication Example

How SSH works

Figure 108 summarizes how a secure connection is established between two remote hosts. The exchange described here is the SSH protocol version 1 handshake, which the examples later in this chapter use.

Figure 108 How SSH Works

1 Host Identification
The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result to the server.
The client automatically saves any new server public key. In subsequent connections, the server public key is checked against the saved version on the client computer. Because the first connection trusts whatever key the server presents, compare the fingerprint the client shows against one obtained out of band before you answer yes; a key that later changes unexpectedly should be treated as a possible man-in-the-middle, not as a nuisance to click through.

2 Encryption Method
Once the identification is verified, both the client and server must agree on the type of encryption method to use.
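The host identification step above is trust-on-first-use: the client has nothing to check the key against until it has saved one. The following is an added example, not code from the Nortel manual or from OpenSSH, that implements the client-side policy in a small known_hosts store: a changed key always aborts, and a new key is accepted only when its fingerprint matches one obtained out of band. The MD5 fingerprint format matches the "RSA1 key fingerprint is 21:6c:..." lines in the transcripts below; the key blobs in the usage notes are constructed byte strings, not real SSH keys.

```python
"""Trust-on-first-use host key checking with an OpenSSH-style known_hosts store."""
import base64
import hashlib
import hmac


class HostKeyChanged(Exception):
    """The stored key for this host no longer matches what the server presented."""


def fingerprint_md5(key_blob: bytes) -> str:
    """Colon-separated hex of MD5(key): the format older OpenSSH prints (see the transcripts)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(key_blob).digest())


def fingerprint_sha256(key_blob: bytes) -> str:
    """The format current OpenSSH prints: unpadded base64 of SHA-256(key)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(key_blob).digest()).decode().rstrip("=")


def matches_pinned(key_blob: bytes, expected: str) -> bool:
    """Out-of-band verification: compare against a fingerprint from the device administrator,
    not from anything received over the connection being verified."""
    got = fingerprint_sha256(key_blob) if expected.startswith("SHA256:") else fingerprint_md5(key_blob)
    return hmac.compare_digest(got.lower(), expected.lower())


class KnownHosts:
    """Minimal known_hosts: one entry per (host, key type), serialized as 'host keytype base64'."""

    def __init__(self, text: str = ""):
        self.entries = {}
        for line in text.splitlines():
            fields = line.split()
            if len(fields) < 3 or fields[0].startswith("#"):
                continue
            self.entries[(fields[0], fields[1])] = base64.b64decode(fields[2])

    def dump(self) -> str:
        return "\n".join(f"{h} {t} {base64.b64encode(k).decode()}"
                         for (h, t), k in sorted(self.entries.items()))

    def check(self, host: str, keytype: str, key_blob: bytes) -> str:
        """'unknown' if never seen, 'match' if identical, HostKeyChanged if it differs.
        A different key *type* for a known host is 'unknown', as in OpenSSH."""
        stored = self.entries.get((host, keytype))
        if stored is None:
            return "unknown"
        if hmac.compare_digest(stored, key_blob):
            return "match"
        raise HostKeyChanged(f"{keytype} key for {host} changed: stored {fingerprint_md5(stored)}, "
                             f"offered {fingerprint_md5(key_blob)}")

    def remember(self, host: str, keytype: str, key_blob: bytes) -> None:
        self.entries[(host, keytype)] = key_blob


def safe_to_connect(store: KnownHosts, host: str, keytype: str,
                    key_blob: bytes, pinned: str = None) -> bool:
    """The decision the client must make before sending a password.
    Answering 'yes' in the transcripts corresponds to the unverified first-use case, which
    this policy refuses unless a pinned fingerprint confirms the key."""
    try:
        status = store.check(host, keytype, key_blob)
    except HostKeyChanged:
        return False  # never silently continue past a changed key
    if status == "match":
        return True
    if pinned is not None and matches_pinned(key_blob, pinned):
        store.remember(host, keytype, key_blob)  # verified first use
        return True
    return False
```

Usage: with `store = KnownHosts()` and a key blob `k`, `safe_to_connect(store, "192.168.1.1", "ssh-rsa", k)` is False on first contact, True when the same call also passes `pinned=fingerprint_md5(k)` obtained from the administrator, and False again if a different blob later arrives for the same host and key type. `store.dump()` round-trips through `KnownHosts(text)`.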
Figure 109 SSH

Table 84 describes the labels in Figure 109.

Table 84 SSH

Server Host Key: Select the certificate whose corresponding private key is to be used to identify the Business Secure Router for SSH connections. You must already have certificates configured in the My Certificates screen (click My Certificates and see Chapter 11, "Certificates," on page 193 for details).

Note: Nortel recommends that you disable Telnet and FTP when you configure SSH for secure connections.

Secure Telnet using SSH examples

This section shows two examples, one using a command-line SSH client and one using a graphical SSH client, of remotely accessing the Business Secure Router. The configuration and connection steps are similar for most SSH client programs. For more information about SSH client programs, refer to your SSH client program's user guide.

Example 2: Linux

This section describes how to access the Business Secure Router using the OpenSSH client program that comes with most Linux distributions.

1 Test whether the SSH service is available on the Business Secure Router. Enter "telnet 192.168.1.1 22" at a terminal prompt and press [ENTER]. The computer attempts to connect to port 22 on the Business Secure Router (using the default IP address of 192.168.1.1).
Figure 112 SSH Example 2: Log on

$ ssh -1 192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
Administrator@192.168.1.1's password:

The -1 option forces SSH protocol version 1 (an RSA1 host key). Current OpenSSH releases no longer include protocol 1 support and reject this option, so reproducing this transcript needs an older client or a build with protocol 1 enabled.

3 The SMT main menu displays.

Figure 113 Secure FTP: Firmware Upload Example

$ sftp -1 192.168.1.1
Connecting to 192.168.1.1...
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
Administrator@192.168.1.1's password:
sftp> put firmware.bin ras
Uploading firmware.
Configuring TELNET

Click REMOTE MANAGEMENT to open the TELNET screen.

Figure 115 Telnet

Table 85 describes the fields in Figure 115.

Table 85 Telnet

Server Port: You can change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Access: Select the interfaces (if any) through which a computer can access the Business Secure Router using this service.

Configuring FTP

You can upload and download the Business Secure Router's firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. To change your Business Secure Router's FTP settings, click REMOTE MANAGEMENT, and then the FTP tab. The screen appears as shown in Figure 116.

Figure 116 FTP

Table 86 describes the fields in Figure 116.

Table 86 FTP

Secured Client IP Address: A secured client is a trusted computer that is allowed to communicate with the Business Secure Router using this service. Select All to allow any computer to access the Business Secure Router using this service. Choose Selected to allow only the computer with the IP address that you specify to access the Business Secure Router using this service. This restriction is by source IP address only, so it complements a strong password rather than replacing it.
Figure 117 SNMP Management Model

An SNMP-managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the Business Secure Router). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions.

• Get: Allows the manager to retrieve an object variable from the agent.
• GetNext: Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
• Set: Allows the manager to set values for object variables within an agent.
• Trap: Allows the agent to send an unsolicited notification of an event to the manager.
REMOTE MANAGEMENT: SNMP

To change your Business Secure Router's SNMP settings, click REMOTE MANAGEMENT, and then the SNMP tab. The screen appears as shown in Figure 118.

Figure 118 SNMP

Table 88 describes the fields in Figure 118.

Table 88 SNMP

SNMP Configuration
Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is "PlsChgMe!RO".
Trusted Host: If you enter a trusted host, your Business Secure Router only responds to SNMP messages from this address. The default of 0.0.0.0 means your Business Secure Router responds to all SNMP messages it receives, regardless of source.
Trap Community: Type the trap community, which is the password sent with each trap to the SNMP manager. The default is public.

Community strings travel in clear text in every SNMPv1 message, so anyone who can capture the traffic learns them. Change both defaults, set Trusted Host to the management station's address rather than leaving 0.0.0.0, and do not enable SNMP on the WAN interface.
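To make concrete why the Get Community is only a weak password and why Trusted Host matters, here is an added example (written for this page, not code from the Nortel manual) that BER-encodes an SNMPv1 GetRequest for sysDescr.0 the way a management station does, pulls the community string straight out of the resulting bytes the way anyone sniffing the LAN could, and applies the Trusted Host / community check that Table 88 describes. The target OID, request id and sample source addresses are constructed values.

```python
"""SNMPv1 GetRequest encoding (RFC 1157, BER) and the agent's community/trusted-host check."""
import hmac

# ASN.1 BER tags used by SNMPv1.
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST = 0xA0  # context-specific, constructed, tag 0


def ber_len(n: int) -> bytes:
    """Short form below 128 octets, long form (0x8N + N length octets) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(v: int) -> bytes:
    """Minimal two's-complement INTEGER."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(INTEGER, v.to_bytes(n, "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    """First two arcs packed into one octet, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU }."""
    varbinds = tlv(SEQUENCE, tlv(SEQUENCE, ber_oid(oid) + tlv(NULL, b"")))
    pdu = tlv(GET_REQUEST, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(SEQUENCE, ber_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def extract_community(packet: bytes) -> str:
    """What a passive observer on the LAN segment sees: the community is an OCTET STRING in the clear."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    tag, version, pos = read_tlv(msg, 0)
    if tag != INTEGER or int.from_bytes(version, "big", signed=True) not in (0, 1):
        raise ValueError("not SNMPv1/v2c")
    tag, community, _ = read_tlv(msg, pos)
    if tag != OCTET_STRING:
        raise ValueError("missing community")
    return community.decode("latin-1")


def agent_accepts(packet: bytes, src_ip: str, get_community: str, trusted_host: str = "0.0.0.0") -> bool:
    """The rule Table 88 describes: 0.0.0.0 means any source; otherwise the source must match.
    The community is compared in constant time so timing does not leak how much of it was right."""
    if trusted_host != "0.0.0.0" and src_ip != trusted_host:
        return False
    return hmac.compare_digest(extract_community(packet).encode(), get_community.encode())
```

Usage: `pkt = build_get_request("PlsChgMe!RO", "1.3.6.1.2.1.1.1.0", 42)` is the UDP payload a manager would send to port 161; `extract_community(pkt)` returns the string without any key, which is the whole point. `agent_accepts(pkt, "10.0.0.5", "PlsChgMe!RO")` is True with the default Trusted Host and False once Trusted Host is set to another address.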
Figure 119 DNS

Table 89 describes the fields in Figure 119.

Table 89 DNS

Server Port: The DNS service port number is 53 and cannot be changed here.
Server Access: Select the interfaces (if any) through which a computer can send DNS queries to the Business Secure Router.
Secured Client IP Address: A secured client is a trusted computer that is allowed to send DNS queries to the Business Secure Router.

If an outside user attempts to probe an unsupported port on your Business Secure Router, an ICMP response packet is automatically returned. This lets the outside user know that the Business Secure Router exists. The Business Secure Router series supports anti-probing, which prevents the ICMP response packet from being sent. This keeps outsiders from discovering your Business Secure Router when unsupported ports are probed.

Table 90 Security

Do not respond to requests for unauthorized services: Select this option to prevent hackers from finding the Business Secure Router by probing for unused ports. If you select this option, the Business Secure Router does not send ICMP response packets to port requests for unused ports, thus leaving the unused ports and the Business Secure Router unseen. This only suppresses the error replies: any service you have enabled on the WAN still answers, and a scanner can still infer a device from the absence of replies, so it is not a substitute for disabling WAN access to management services.
Chapter 15 UPnP

This chapter introduces the Universal Plug and Play feature.

Universal Plug and Play overview

Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities, and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use.

Windows Messenger is an example of an application that supports NAT traversal and UPnP.

Cautions with UPnP

The automated nature of NAT traversal applications in establishing their own services and opening firewall ports can present network security issues. Network information and configuration can also be obtained and modified by users in some network environments. All UPnP-enabled devices can communicate freely with each other without additional configuration. Because the UPnP control interface performs no authentication, any program on any LAN computer, including malware, can create a port mapping that exposes a LAN host to the WAN; leave UPnP disabled unless an application needs it, and review the Ports screen regularly when it is enabled.
Figure 121 Configuring UPnP

Table 91 describes the fields in Figure 121.

Table 91 Configuring UPnP

Device Name: This identifies the device in UPnP applications.
Enable the Universal Plug and Play (UPnP) feature: Select this check box to activate UPnP. Be aware that anyone can use a UPnP application to open the WebGUI's logon screen without entering the Business Secure Router's IP address (although you must still enter the password to access the WebGUI).

Displaying UPnP port mapping

Click UPnP and then Ports to display the screen shown in Figure 122. Use this screen to view the NAT port mapping rules that UPnP creates on the Business Secure Router.

Figure 122 UPnP Ports

Table 92 describes the labels in Figure 122.

Table 92 UPnP Ports

Retain UPnP port forwarding: Select this check box to have the Business Secure Router retain UPnP-created NAT rules even after restarting.
External Port: This field displays the port number that the Business Secure Router listens on (on the WAN port) for connection requests destined for the NAT rule's Internal Port and Internal Client. The Business Secure Router forwards incoming packets (from the WAN) with this port number to the Internal Client on the Internal Port (on the LAN).
Figure 123 Add/Remove programs: Windows setup

3 In the Communications window, select the Universal Plug and Play check box in the Components selection box.
4 Click OK to return to the Add/Remove Programs Properties window and click Next.
5 Restart the computer when prompted.

Figure 124 Communications

Installing UPnP in Windows XP

Follow the steps below to install UPnP in Windows XP.

1 Click Start and Control Panel.
2 Double-click Network Connections.
3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components .... The Windows Optional Networking Components Wizard window appears.

Figure 125 Network connections

4 Select Networking Service in the Components selection box and click Details.
5 In the Networking Services window, select the Universal Plug and Play check box.

Figure 127 Windows XP networking services

6 Click OK to return to the Windows Optional Networking Component Wizard window and click Next.

Using UPnP in Windows XP example

This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the device. Make sure the computer is connected to a LAN port of the device.
2 Right-click the icon and select Properties.

Figure 128 Internet gateway icon

3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.
4 You can edit or delete the port mappings or click Add to manually add port mappings.

Figure 130 Internet connection properties advanced setup

Figure 131 Service settings

Note: When the UPnP-enabled device is disconnected from your computer, all port mappings are deleted automatically.

5 Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray.

Figure 132 Internet connection icon

6 Double-click the icon to display your current Internet connection status.

Figure 133 Internet connection status

WebGUI easy access

With UPnP, you can access the WebGUI without first finding out its IP address. This is helpful if you do not know the IP address of your Business Secure Router.

3 Select My Network Places under Other Places.

Figure 134 Network connections

4 An icon with the description for each UPnP-enabled device displays under Local Network.
5 Right-click the icon for your Business Secure Router and select Invoke. The WebGUI logon screen displays.
Chapter 16 Logs Screens

This chapter contains information about configuring general log settings and viewing the Business Secure Router's logs. Refer to Appendix B, "Log Descriptions," on page 349 for example log message explanations.

Configuring View Log

With the WebGUI, you can look at all of the Business Secure Router's logs in one location. Click LOGS to open the View Log screen.

Figure 136 View Log

Table 93 describes the fields in Figure 136.

Table 93 View Log

Display: The categories that you select in the Log Settings page appear in the drop-down list. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
Time: This field displays the time the log was recorded.
Refresh: Click Refresh to renew the log screen.
Clear Log: Click Clear Log to delete all the logs. This removes the only on-device copy; if you may need logs for incident investigation, configure a syslog server in Log Settings so that a copy exists off the device.

Configuring Log settings

To change your Business Secure Router's log settings, click Logs, then the Log Settings tab. The screen appears as shown in Figure 137.

Figure 137 Log settings
Table 94 describes the fields in Figure 137.

Table 94 Log settings

Address Info
Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages are not sent via e-mail.
Mail Subject: Type a title that you want to be in the subject line of the log e-mail message that the Business Secure Router sends.
Log: Select the categories of the logs that you want to record. Logs include alerts.
Send Immediate Alert: Select the categories of alerts for which you want the Business Secure Router to instantly e-mail alerts to the e-mail address specified in the Send Alerts To field.
Log Consolidation
Active: Some logs (such as the Attacks logs) can be so numerous that it becomes easy to ignore other important log messages.
• How much traffic has been sent to and from the LAN IP addresses to and from which the most traffic has been sent

Note: The Web site hit count may not be 100% accurate because, when an individual Web page loads, it can contain references to other Web sites that also get counted as hits. The Business Secure Router records Web site hits by counting HTTP GET packets, so traffic to HTTPS sites, whose requests are encrypted, does not appear in this report.

Table 95 describes the fields in Figure 138.

Table 95 Reports

Collect Statistics: Select the check box and click Apply to have the Business Secure Router record report data.
Send Raw Traffic Statistics to Syslog Server for Analysis: Select the check box and click Apply to have the Business Secure Router send unprocessed traffic statistics to a syslog server for analysis. You must have the syslog server already configured in the Log Settings screen.
Figure 139 Web site hits report example

Table 96 describes the fields in Figure 139.

Table 96 Web site hits report

Web Site: This column lists the domain names of the Web sites visited most often from computers on the LAN. The names are ranked by the number of visits to each Web site and listed in descending order with the most visited Web site listed first. The Business Secure Router counts each page viewed in a Web site as another hit on the Web site.

Viewing Protocol/Port

In the Reports screen, select Protocol/Port from the Report Type drop-down list to have the Business Secure Router record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports.

Table 97 describes the fields in Figure 140.

Table 97 Protocol/Port Report

Protocol/Port: This column lists the protocols or service ports for which the most traffic has gone through the Business Secure Router. The protocols or service ports are listed in descending order with the most used protocol or service port listed first.
Direction: This column lists the direction of travel of the traffic belonging to each protocol or service port listed.

Figure 141 LAN IP address report example

Table 98 describes the fields in Figure 141.

Table 98 LAN IP Address Report

IP Address: This column lists the LAN IP addresses to and from which the most traffic has been sent. The LAN IP addresses are listed in descending order with the LAN IP address to and from which the most traffic was sent listed first.
Amount: This column displays how much traffic has gone to and from the listed LAN IP addresses.
Reports specifications

Table 99 lists detailed specifications on the reports feature.

Table 99 Report Specifications

Number of Web sites/protocols or ports/IP addresses listed: 20
Hit count limit: Up to 2^32 hits can be counted per Web site. The count starts over at 0 if it passes four billion.
Bytes count limit: Up to 2^64 bytes can be counted per protocol/port or LAN IP address. The count starts over at 0 if it passes 2^64 bytes.
Chapter 17 Call scheduling screens

With call scheduling (applicable for PPPoE or PPTP encapsulation only), you can dictate when a remote node is to be called and for how long.

Call scheduling introduction

Using the call scheduling feature, the Business Secure Router can manage a remote node and dictate when a remote node is to be called and for how long. This feature is similar to the scheduler in a video cassette recorder (you can specify a time period for the VCR to record).

Figure 142 Call schedule summary

Table 100 describes the fields in Figure 142.

Table 100 Call Schedule Summary

#: This is the call schedule set number.
Name: This field displays the name of the call schedule set.
Active: This field shows whether the call schedule set is turned on (Yes) or off (No).
Start Date: This is the date (in year-month-day format) that the call schedule set takes effect.
Start Time: This is the time (in hour-minute format) when the schedule set takes effect.
Duration Time: This is the maximum length of time (in hour-minute format) that the schedule set applies the action displayed in the Action field.
Action: Forced On means that the connection is maintained whether or not there is a demand call on the line and persists for the time period specified in the Duration field.
If a connection has already been established, your Business Secure Router will not drop it. After the connection is dropped manually or it times out, that remote node cannot be triggered again until the end of the Duration.

Table 101 Call schedule edit

Schedule Name: Enter a name (up to 16 characters) for the call schedule set. You can use numbers, the letters A-Z (upper or lower case) and the underscore (_) and @ symbols.

Applying Schedule Sets to a remote node

Once your schedule sets are configured, you must then apply them to the remote node. You can apply schedule sets when the Business Secure Router is set to use PPPoE or PPTP encapsulation (refer to "Configuring WAN ISP" on page 38). Click WAN, WAN IP to display the WAN IP screen as shown in Figure 144. Use the screen to apply up to four schedule sets.

Figure 144 Applying Schedule Sets to a remote node
Chapter 18 Maintenance

This chapter displays system information such as firmware, port IP addresses, and port traffic statistics.

Maintenance overview

The maintenance screens can help you view system information, upload new firmware, manage configuration, and restart your Business Secure Router.

Status screen

Click MAINTENANCE to open the Status screen, where you can monitor your Business Secure Router. Note that these fields are READ-ONLY and only used for diagnostic purposes.

Figure 145 System Status

Table 102 describes the fields in Figure 145.

Table 102 System Status

System Name: This is the System Name you chose in the first Internet Access Wizard screen. It is for identification purposes.
Model Name: The model name identifies your device type. The model name is also on a sticker on your device. If you are uploading firmware, be sure to upload firmware for this exact model name.
LAN Port IP Address: This is the LAN port IP address.
IP Subnet Mask: This is the LAN port subnet mask.
DHCP: This is the LAN port DHCP role, Server or None.

System statistics

Read-only information here includes port status and packet-specific statistics. Also provided are system up time and poll intervals. The Poll Interval(s) field is configurable.
Table 103 System Status: Show statistics

Tx B/s: This displays the transmission speed, in bytes per second, on this port.
Rx B/s: This displays the reception speed, in bytes per second, on this port.
Up Time: This is the total amount of time the line has been up.
System Up Time: This is the total time the Business Secure Router has been on.
Poll Interval(s): Enter the time interval for refreshing statistics in this field.

Figure 147 DHCP Table

Table 104 describes the fields in Figure 147.

Table 104 DHCP Table

#: This is the index number of the host computer.
IP Address: This field displays the IP address relative to the # field listed above.
Host Name: This field displays the computer host name.
MAC Address: This field shows the MAC address of the computer with the name in the Host Name field. Every Ethernet device has a unique MAC (Media Access Control) address.
Click MAINTENANCE, and then the F/W UPLOAD tab. Follow the instructions to upload firmware to your Business Secure Router.

Figure 148 Firmware upload

Table 105 describes the fields in Figure 148.

Table 105 Firmware Upload

File Path: Type in the location of the file you want to upload in this field or click Browse... to find it.
Browse...: Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.ZIP) files before you can upload them.

Figure 149 Firmware Upload In Process

The device automatically restarts during this time, causing a temporary network disconnect. In some operating systems, you can see the icon shown in Figure 150 on your desktop.

Figure 150 Network Temporarily Disconnected

After two minutes, log on again and check your new firmware version in the System Status screen. If the upload was not successful, the screen shown in Figure 151 appears.
Configuration screen

Click MAINTENANCE, and then the Configuration tab. Information related to factory defaults, backup configuration, and restoring configuration appears as shown in Figure 152.

Figure 152 Configuration

Back to Factory Defaults

Clicking the Reset button in this section clears all user-entered configuration information and returns the Business Secure Router to its factory defaults. The warning screen appears (see Figure 153).

Figure 153 Reset warning message

The Business Secure Router's LAN IP address changes back to 192.168.1.1 and the password reverts to "PlsChgMe!". Change the password again immediately after the reset, before re-enabling any remote management service.

Backup configuration

With backup configuration, you can back up and save the device's current configuration to a 104 KB file on your computer. After your device is configured and functioning properly, Nortel recommends that you back up your configuration file before making configuration changes. The backup contains the device's credentials and keys, so store it with the same care as the administrator password.

Table 106 Restore configuration

Browse...: Click Browse... to find the file you want to upload. Remember that you must decompress compressed (.ZIP) files before you can upload them.
Upload: Click Upload to begin the upload process.

Note: Do not turn off the device while the configuration file upload is in progress. After you see a "configuration upload successful" screen, you must then wait one minute before logging on to the device again.

If the upload was not successful, click Return to return to the Configuration screen.

Restart screen

With system restart, you can reboot the Business Secure Router without turning the power off. Click MAINTENANCE, and then Restart. Click Restart to have the Business Secure Router reboot. This does not affect the Business Secure Router's configuration.
Appendix A Troubleshooting

This appendix covers potential problems and the corresponding remedies.

Problems Starting Up the Business Secure Router

Table 107 Troubleshooting the Start-Up of your Business Secure Router

Problem: None of the LEDs turn on when I turn on the BCM50e Integrated Router.
Corrective Action: Make sure that the BCM50e's power adaptor is connected to the Business Secure Router and plugged in to an appropriate power source.

Problems with the LAN LED

Table 108 Troubleshooting the LAN LED

Problem: The LAN LEDs do not turn on.
Corrective Action: Check your Ethernet cable connections. Check for faulty Ethernet cables. Make sure your computer's Ethernet card is working properly.

Problems with the LAN interface

Table 109 Troubleshooting the LAN Interface

Problem: I cannot access the Business Secure Router from the LAN.
Corrective Action: Check your Ethernet cable type and connections.

Problems with the WAN interface

Table 110 Troubleshooting the WAN Interface

Problem: Cannot get WAN IP address from the ISP.
Corrective Action: Refer to the guide for initial set up of the Business Secure Router. The ISP provides the WAN IP address after authentication. Authentication can be through the username and password, the MAC address, or the host name. Use the following corrective actions to make sure the ISP can authenticate your connection.

Problems accessing an Internet Web site

Table 112 Troubleshooting Web Site Internet Access

Problem: Cannot connect to a Web site on the Internet.
Corrective Action: Disable content filtering and clear your browser cache. Try connecting to the Web site again. If you can now connect to this site, the content filter blocked the original access. Check your content filter settings if this was not your intention.

Table 114 Troubleshooting Remote Management

Problem: I cannot remotely manage the Business Secure Router from the LAN or the WAN.
Corrective Action: Check your remote management and firewall configuration. Use the Business Secure Router's WAN IP address when configuring from the WAN. Use the Business Secure Router's LAN IP address when configuring from the LAN. Refer to "Problems with the LAN interface" on page 330 for instructions about checking your LAN connection.
Figure 157 Pop-up Blocker

You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab.

1 In Internet Explorer, select Tools, Internet Options, Privacy.
2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen.
Figure 158 Internet Options

3 Click Apply to save this setting.

Enabling Pop-up Blockers with Exceptions

Alternatively, if you only want to allow pop-up windows from your device, see the following steps.

1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab.
2 Select Settings… to open the Pop-up Blocker Settings screen.

Figure 159 Internet options

3 Type the IP address of your device (the Web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.1.1.
4 Click Add to move the IP address to the list of Allowed sites.

Figure 160 Pop-up Blocker settings

5 Click Close to return to the Internet Options screen.
6 Click Apply to save this setting.

Internet Explorer JavaScript

If pages of the WebGUI do not display properly in Internet Explorer, check that JavaScript and Java permissions are enabled.
1 In Internet Explorer, click Tools, Internet Options, and then the Security tab.

Figure 161 Internet options

2 Click the Custom Level... button.
3 Scroll down to Scripting.
4 Under Active scripting make sure that Enable is selected (the default).
5 Under Scripting of Java applets make sure that Enable is selected (the default).
6 Click OK to close the window.

Figure 162 Security Settings - Java Scripting

Internet Explorer Java Permissions

1 From Internet Explorer, click Tools, Internet Options, and then the Security tab.
2 Click the Custom Level... button.
3 Scroll down to Microsoft VM.
4 Under Java permissions make sure that a safety level is selected.
5 Click OK to close the window.

Figure 163 Security Settings - Java

JAVA (Sun)

1 From Internet Explorer, click Tools, Internet Options, and then the Advanced tab.
2 Make sure that Use Java 2 for
4 Close your existing browser session and open a new browser.

Figure 164 Java (Sun)

Netscape Pop-up Blockers

Note: Netscape 7.2 screens are used here. Screens for other Netscape versions vary.

Either disable the blocking of unrequested pop-up windows (enabled by default in Netscape) or allow pop-ups from Web sites by creating an exception for your device’s IP address.
Allowing Pop-ups

1 In Netscape, click Tools, Popup Manager and then select Allow Popups From This Site.

Figure 165 Allow Popups from this site

2 In the Netscape search toolbar, you can enable and disable pop-up blockers for Web sites.

Figure 166 Netscape Search Toolbar

You can also check if pop-up blocking is disabled in the Popup Windows screen in the Privacy & Security directory.

1 In Netscape, click Edit and then Preferences.
3 Clear the Block unrequested popup windows check box.

Figure 167 Popup Windows

4 Click OK to save this setting.

Enable Pop-up Blockers with Exceptions

Alternatively, if you only want to allow pop-up windows from your device, follow these steps:

1 In Netscape, click Edit, and then Preferences.
2 In the Privacy & Security directory, select Popup Windows.
3 Make sure the Block unrequested popup windows check box is selected.
4 Click the Allowed Sites... button.

Figure 168 Popup Windows

5 Type the IP address of your device (the Web page that you do not want to have blocked) with the prefix http://. For example, http://192.168.1.1.
6 Click Add to move the IP address to the Site list.

Figure 169 Allowed Sites

7 Click OK to return to the Popup Windows screen.
8 Click OK to save this setting.

Netscape Java Permissions and JavaScript

If pages of the WebGUI do not display properly in Netscape, check that JavaScript and Java permissions are enabled.

1 In Netscape, click Edit and then Preferences.
2 Click the Advanced directory.
4 Click OK to close the window.

Figure 170 Advanced

5 Click the Advanced directory and then select Scripts & Plug-ins.
6 Make sure the Navigator check box is selected in the enable JavaScript section.
7 Click OK to close the window.
Appendix B Log Descriptions

This appendix provides descriptions of example log messages.

Table 115 System Error Logs
Log message: %s exceeds the max. number of session per host!
Description: This attempt to create a SUA/NAT session exceeds the maximum number of SUA/NAT session table entries allowed to be created per host.

Table 116 System Maintenance Logs
Log message: Time calibration is successful
Description: The router has adjusted its time based on information from the time server.
Table 116 System Maintenance Logs (continued)
Log message: TELNET Login Fail
Description: Someone has failed to log on to the router via Telnet.
Log message: FTP Login Successfully
Description: Someone has logged on to the router via FTP.
Log message: FTP Login Fail
Description: Someone has failed to log on to the router via FTP.
Log message: NAT Session Table is Full!
Description: The maximum number of SUA/NAT session table entries has been exceeded and the table is full.
Table 119 Attack Logs
Log message: attack ESP
Description: The firewall detected an ESP attack.
Log message: attack GRE
Description: The firewall detected a GRE attack.
Log message: attack OSPF
Description: The firewall detected an OSPF attack.
Log message: attack ICMP (type:%d, code:%d)
Description: The firewall detected an ICMP attack; see the section about ICMP messages for type and code details.
Log message: land TCP
Description: The firewall detected a TCP land attack.
Log message: land UDP
Description: The firewall detected a UDP land attack.
Table 119 Attack Logs (continued)
Log message: teardrop ICMP (type:%d, code:%d)
Description: The firewall detected an ICMP teardrop attack.
Log message: illegal command TCP
Description: The firewall detected a TCP illegal command attack.
Log message: NetBIOS TCP
Description: The firewall detected a TCP NetBIOS attack.
Log message: ip spoofing - no routing entry TCP
Description: The firewall detected a TCP IP spoofing attack while the Business Secure Router did not have a default route.
Table 120 Access Logs
Log message: Firewall default policy: ICMP (set:%d, type:%d, code:%d)
Description: ICMP access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the ACL set’s configuration.
Log message: Firewall default policy: IGMP (set:%d)
Description: IGMP access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the ACL set’s configuration.
Table 120 Access Logs (continued)
Log message: Firewall rule match: (set:%d, rule:%d)
Description: Access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the rule’s configuration.
Log message: Firewall rule NOT match: TCP (set:%d, rule:%d)
Description: TCP access did not match the listed firewall rule and the Business Secure Router logged it.
Table 120 Access Logs (continued)
Log message: Filter default policy DROP!
Description: Access matched a default filter policy (denied LAN IP) and the Business Secure Router dropped the packet to block access.
Log message: Filter default policy FORWARD!
Description: TCP access matched a default filter policy. Access was allowed and the router forwarded the packet.
Log message: Filter default policy FORWARD!
Description: UDP access matched a default filter policy. Access was allowed and the router forwarded the packet.
Table 120 Access Logs (continued)
(set:%d): With firewall messages, this is the number of the ACL policy set and denotes the packet's direction (see Table 121). With filter messages, this is the number of the filter set.
(rule:%d): With firewall messages, the firewall rule number denotes the number of a firewall rule within an ACL policy set. With filter messages, this is the number of an individual filter rule.
For type and code details, see Table 122.

Table 121 ACL Setting Notes
ACL Set Number  Direction                            Description
1               LAN to WAN                           ACL set 1 for packets traveling from the LAN to the WAN.
2               WAN to LAN                           ACL set 2 for packets traveling from the WAN to the LAN.
7               LAN to LAN/Business Secure Router    ACL set 7 for packets traveling from the LAN to the LAN or the Business Secure Router.
Table 122 ICMP Notes
Type                  Code  Description
(continued)              3  Redirect datagrams for the Type of service and host
Echo                8    0  Echo message
Time exceeded      11    0  Time to live exceeded in transit
                         1  Fragment reassembly time exceeded
Parameter problem  12    0  Pointer indicates the error
Timestamp          13    0  Timestamp request message
Timestamp reply    14    0  Timestamp reply message
Information request 15   0  Information request message
Information reply  16    0  Information reply message

Table 123 Sys
Figure 172 Example VPN Initiator IPSec Log
Index:  Date/Time:        Log:
------------------------------------------------------------
001     01 Jan 08:02:22   Send Main Mode request to <192.168.100.
Figure 173 Example VPN Responder IPSec Log
Index:  Date/Time:        Log:
------------------------------------------------------------
001     01 Jan 08:08:07   Recv Main Mode request from <192.168.100.
Table 124 Sample IKE Key Exchange Logs
Log message: Send Mode request to
Description: The Business Secure Router started negotiation with the peer.
Log message: Recv Mode request from
Description: The Business Secure Router received an IKE negotiation request from the peer.
Log message: Recv:
Description: IKE uses the ISAKMP protocol (refer to RFC2408 – ISAKMP) to transmit data.
Table 124 Sample IKE Key Exchange Logs (continued)
Log message: !! Remote IP / conflicts
Description: If the security gateway is “0.0.0.0”, the Business Secure Router uses the peer’s “Local Addr” as its “Remote Addr”. If a peer’s “Local Addr” range conflicts with other connections, the Business Secure Router does not accept VPN connection requests from this peer.
Table 124 Sample IKE Key Exchange Logs (continued)
Description: The router sent a payload type of IKE packet.
Log message: Error ID Info
Description: The parameters configured for Phase 1 ID content do not match or the parameters configured for the Phase 2 ID (IP address of single, range, or subnet) do not match. Check all protocols and settings for these phases.

Table 125 shows sample log messages during packet transmission.
Table 126 RFC-2408 ISAKMP Payload Types
Log Display  Payload Type
SA           Security Association
PROP         Proposal
TRANS        Transform
KE           Key Exchange
ID           Identification
CER          Certificate
CER_REQ      Certificate Request
HASH         Hash
SIG          Signature
NONCE        Nonce
NOTFY        Notification
DEL          Delete
VID          Vendor ID

Table 127 PKI Logs
Log message: Enrollment successful
Description: The SCEP online certificate enrollment succeeded.
Table 127 PKI Logs (continued)
Log message: Rcvd ca cert:
Description: The router received a certification authority certificate, with subject name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.
Log message: Rcvd user cert:
Description: The router received a user certificate, with subject name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.
Table 128 Certificate Path Verification Failure Reason Codes
Code  Description
1     Algorithm mismatch between the certificate and the search constraints.
2     Key usage mismatch between the certificate and the search constraints.
3     Certificate was not valid in the time interval.
4     (Not used)
5     Certificate is not valid.
6     Certificate signature was not verified correctly.
7     Certificate was revoked by a CRL.
8     Certificate was not added to the cache.
Log Commands

Go to the command interpreter interface (the Command Interpreter Appendix explains how to access and use the commands).

Configuring what you want the Business Secure Router to log

Use the sys logs load command to load the log setting buffer that allows you to configure which logs the Business Secure Router is to record. Use sys logs category followed by a log category and a parameter to decide what to record.
Displaying Logs

Use the sys logs display command to show all of the logs in the Business Secure Router’s log. Use the sys logs category display command to show the log settings for all of the log categories. Use the sys logs display [log category] command to show the logs in an individual Business Secure Router log category. Use the sys logs clear command to erase all of the Business Secure Router’s logs.
Log Command Example

This example shows how to set the Business Secure Router to record the access logs and alerts and then view the results.

ras> sys logs load
ras> sys logs category access 3
ras> sys logs save
ras> sys logs display access
#  .time                source           message
0|11/11/2002 15:10:12 |172.22.3.80:137 BLOCK Firewall default policy: UDP(set:8)
1|11/11/2002 15:10:12 |172.21.4.17:138 BLOCK Firewall default policy: UDP(set:8)
2|11/11/2002 15:10:11 |172.17.2.
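As an added example that is not part of the Nortel document, the following Python parses lines in the format of the sys logs display access output above and decodes the (set:%d, rule:%d, type:%d, code:%d) parameters described in Table 120, using the ACL set directions of Table 121 and the ICMP type/code notes of Table 122 as they appear on this page. The sample log is constructed: its first two lines are the ones shown in the example, the rest follow the message formats listed in Table 120. Set 8 appears in the example but not in the excerpt of Table 121 on this page, so it is reported as an unknown direction rather than guessed.

```python
"""Decode BCM50e 'sys logs display access' lines with the notes from this appendix.

Added example, not code from the Nortel document. The mapping tables below contain
only the rows that appear in Tables 121 and 122 on this page.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Table 121 ACL Setting Notes (rows present on this page).
ACL_SET_DIRECTION: Dict[int, str] = {
    1: "LAN to WAN",
    2: "WAN to LAN",
    7: "LAN to LAN/Business Secure Router",
}

# Table 122 ICMP Notes (rows present on this page), keyed by (type, code).
ICMP_NOTES: Dict[Tuple[int, int], str] = {
    (8, 0): "Echo message",
    (11, 0): "Time to live exceeded in transit",
    (11, 1): "Fragment reassembly time exceeded",
    (12, 0): "Pointer indicates the error",
    (13, 0): "Timestamp request message",
    (14, 0): "Timestamp reply message",
    (15, 0): "Information request message",
    (16, 0): "Information reply message",
}

# One entry: index|date time |source action message
LINE_RE = re.compile(
    r"^(?P<index>\d+)\|(?P<time>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \|"
    r"(?P<source>\S+) (?P<action>BLOCK|FORWARD) (?P<message>.+)$"
)
PARAMS_RE = re.compile(r"\(([^)]*)\)")            # "(set:2, type:8, code:0)"
PROTO_RE = re.compile(r"\b(TCP|UDP|ICMP|IGMP)\b\s*\(")  # protocol token before "("


@dataclass
class AccessLogEntry:
    index: int
    time: str
    source: str
    action: str
    kind: str                  # "firewall" or "filter" (Table 120 distinguishes the two)
    protocol: Optional[str]
    set_no: Optional[int]
    rule_no: Optional[int]
    direction: str             # Table 121 direction, "unknown", or "n/a" for filter sets
    icmp_note: Optional[str]   # Table 122 description for ICMP messages
    message: str


def parse_access_log_line(line: str) -> Optional[AccessLogEntry]:
    """Parse one log line; returns None for prompts, headers and truncated lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    message = m.group("message").strip()

    # Pull the numeric key:value parameters out of the parenthesised part.
    params: Dict[str, int] = {}
    pm = PARAMS_RE.search(message)
    if pm:
        for item in pm.group(1).split(","):
            key, sep, value = item.strip().partition(":")
            if sep and value.strip().isdigit():
                params[key.strip()] = int(value)

    proto_m = PROTO_RE.search(message)
    protocol = proto_m.group(1) if proto_m else None
    kind = "filter" if message.startswith("Filter") else "firewall"
    set_no = params.get("set")

    # Per Table 120, only a firewall set number denotes direction; a filter set does not.
    if kind == "firewall" and set_no is not None:
        direction = ACL_SET_DIRECTION.get(set_no, "unknown")
    else:
        direction = "n/a"

    icmp_note = None
    if protocol == "ICMP" and "type" in params and "code" in params:
        icmp_note = ICMP_NOTES.get((params["type"], params["code"]), "unlisted type/code")

    return AccessLogEntry(
        index=int(m.group("index")), time=m.group("time"), source=m.group("source"),
        action=m.group("action"), kind=kind, protocol=protocol, set_no=set_no,
        rule_no=params.get("rule"), direction=direction, icmp_note=icmp_note, message=message,
    )


def parse_access_log(text: str) -> List[AccessLogEntry]:
    """Parse a whole 'sys logs display access' capture, skipping non-entry lines."""
    entries = [parse_access_log_line(ln) for ln in text.splitlines()]
    return [e for e in entries if e is not None]


def blocked_by_direction(entries: List[AccessLogEntry]) -> Dict[str, int]:
    """Count firewall BLOCK entries per Table 121 direction."""
    counts: Dict[str, int] = {}
    for e in entries:
        if e.kind == "firewall" and e.action == "BLOCK":
            counts[e.direction] = counts.get(e.direction, 0) + 1
    return counts


# Constructed sample: the first two entries are from the page, the rest follow Table 120 formats.
SAMPLE_LOG = """\
#  .time                source           message
0|11/11/2002 15:10:12 |172.22.3.80:137 BLOCK Firewall default policy: UDP(set:8)
1|11/11/2002 15:10:12 |172.21.4.17:138 BLOCK Firewall default policy: UDP(set:8)
2|11/11/2002 15:10:11 |10.0.0.5:0 BLOCK Firewall default policy: ICMP (set:2, type:8, code:0)
3|11/11/2002 15:10:10 |192.168.1.33:4021 FORWARD Firewall rule match: (set:1, rule:3)
4|11/11/2002 15:10:09 |192.168.1.40:1 BLOCK Filter default policy DROP!
"""

if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_LOG)
    for entry in parsed:
        print(entry.index, entry.action, entry.kind, entry.direction, entry.icmp_note, entry.message)
    print(blocked_by_direction(parsed))
```

The parser keeps the set number and the decoded direction separately, so a set that is not in the excerpt of Table 121 is still visible in the output and can be added to the mapping once the full table is at hand.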