Nortel Business Secure Router 222 Configuration — Advanced BSR222 Business Secure Router Document Number: NN47922-501 Document Version: 1.
Copyright © Nortel 2005–2006 All rights reserved. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. The information in this document is proprietary to Nortel. Trademarks Nortel, Nortel (Logo), the Globemark, and This is the way, This is Nortel (Design mark) are trademarks of Nortel.
Preface

Before you begin

This guide is designed to assist you with advanced configuration of your Business Secure Router for its various applications.

Note: This guide explains how to use the System Management Terminal (SMT) or the command interpreter interface to configure your Business Secure Router. See the basic manual for how to use the WebGUI to configure your Business Secure Router. Not all features can be configured through all interfaces.

A single keystroke is written in Arial font and enclosed in square brackets, for instance, [ENTER] means the Enter key; [ESC] means the escape key and [SPACE BAR] means the space bar. [UP] and [DOWN] are the up and down arrow keys. Mouse action sequences are denoted using a comma. For example, “click the Apple icon, Control Panels and then Modem” means first click the Apple icon, then point your mouse pointer to Control Panels and then click Modem.
How to get help

If you do not see an appropriate number in this list, go to www.nortel.com/cs.

USA and Canada
Authorized Distributors Technical Support - GNTS/GNPS
Telephone: 1-800-4NORTEL (1-800-466-7835)
If you already have a PIN Code, you can enter Express Routing Code (ERC) 196#. If you do not yet have a PIN Code, or for general questions and first line support, you can enter ERC 338#.
Web Site: www.nortel.

Fax: 44-191-555-7980
E-mail: emeahelp@nortel.com

CALA (Caribbean & Latin America)
Technical Support - CTAS
Telephone: 1-954-858-7777
E-mail: csrmgmt@nortel.com

APAC (Asia Pacific)
Service Business Centre & Pre-Sales Help Desk: +61-2-8870-5511 (Sydney)
Technical Support - GNTS
Telephone: +612 8870 8800
Fax: +612 8870 5569
E-mail: asia_support@nortel.

Philippines 1800-1611-0063
Singapore 800-616-2004
South Korea 0079-8611-2001
Taiwan 0800-810-500
Thailand 001-800-611-3007
Service Business Centre & Pre-Sales Help Desk +61-2-8870-5511
Chapter 1 Getting to know your Nortel Business Secure Router 222

This chapter introduces the main features and applications of the Business Secure Router.

Introducing the Nortel Business Secure Router 222

The Nortel Business Secure Router 222 is an ideal secure gateway for all data passing between the Internet and the Local Area Network (LAN).

Table 1 Feature Specifications

Feature: Number of address mapping rules
  Specification: 10
Feature: Maximum number of VPN IP Policies
  Specification: 60
Feature: Maximum number of concurrent VPN IPSec Connections
  Specification: 60
Feature: Number of IP pools that can be used to assign IP addresses to remote users for VPN client termination
  Specification: 3
Feature: Number of configurable split networks for VPN client termination
  Specification: 16
Feature: Number of configurable inverse split networks for VPN client termination
  Specification: 16
Feature: Number of
Auxiliary port

The Business Secure Router uses the same port for console management and for an auxiliary WAN backup. The AUX port can be used in reserve as a traditional dial-up connection if the broadband connection to the WAN port fails.

Time and date

Using the Business Secure Router, you can get the current time and date from an external server when you turn on your Business Secure Router.
Certificates

The Business Secure Router can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication.

SSH

The Business Secure Router uses the SSH (Secure Shell) secure communication protocol to provide secure encrypted communication between two hosts over an unsecured network.
Brute force password guessing protection

The Business Secure Router has a special protection mechanism to discourage brute force password guessing attacks on the Business Secure Router’s management interfaces. You can specify a wait time that must expire before you can enter a fourth password after entering three incorrect passwords.
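The wait-time policy described above, modelled as an added example (not Nortel code): a guard object that tracks failed attempts for one management login, refuses any password while the wait is running, and keeps an audit line for each event. The password, wait time and injected clock are constructed for the example; how the router counts after the wait expires is an assumption made here.

```python
"""Model of the Business Secure Router's brute-force password guessing protection.

Added example, not Nortel code. The manual states the policy only: after three
incorrect passwords a configurable wait time must expire before a fourth
password can be entered. LoginGuard applies that policy to one management
login. The clock is injected so the behaviour can be exercised without
sleeping. How the router counts after the wait, its log wording and the reset
on a successful login are assumptions made here, not taken from the manual.
"""
from dataclasses import dataclass, field
from typing import Callable, List
import hmac
import time

MAX_FAILURES = 3   # the manual's "three incorrect passwords"


@dataclass
class LoginGuard:
    wait_seconds: float
    check_password: Callable[[str], bool]
    clock: Callable[[], float] = time.monotonic
    failures: int = 0
    locked_until: float = 0.0
    log: List[str] = field(default_factory=list)

    def attempt(self, password: str) -> str:
        """Return "ok", "bad", or "wait" (refused because the wait time is running)."""
        now = self.clock()
        if now < self.locked_until:
            # Even a correct password is refused until the wait time expires.
            self.log.append(f"{now:.0f}s: attempt refused, "
                            f"{self.locked_until - now:.0f}s of wait time remain")
            return "wait"
        if self.check_password(password):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + self.wait_seconds
            self.failures = 0           # assumption: counting restarts after the wait
            self.log.append(f"{now:.0f}s: {MAX_FAILURES} incorrect passwords, "
                            f"next attempt allowed after {self.wait_seconds:.0f}s")
        return "bad"


def make_guard(expected_password: str, wait_seconds: float,
               clock: Callable[[], float] = time.monotonic) -> LoginGuard:
    """Guard for one login; compare_digest keeps the comparison constant-time."""
    def check(candidate: str) -> bool:
        return hmac.compare_digest(candidate.encode(), expected_password.encode())
    return LoginGuard(wait_seconds, check, clock)


if __name__ == "__main__":
    # Constructed walk-through: three wrong guesses, then the right password
    # is refused until the 30-second wait has expired.
    fake_now = [0.0]
    guard = make_guard("placeholder-password", 30, clock=lambda: fake_now[0])
    for guess in ("guess1", "guess2", "guess3", "placeholder-password"):
        print(guess, "->", guard.attempt(guess))
    fake_now[0] = 30.0
    print("after wait ->", guard.attempt("placeholder-password"))
    print("\n".join(guard.log))
```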
PPTP Encapsulation

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using a TCP/IP-based network. PPTP supports on-demand, multiprotocol, and virtual private networking over public networks, such as the Internet. The Business Secure Router supports one PPTP server connection at any given time.
SNMP

SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Business Secure Router supports SNMP agent functionality, which means that a manager station can manage and monitor the Business Secure Router through the network. The Business Secure Router supports SNMP versions 1 and 2 (SNMPv1 and SNMPv2).
Full network management

The embedded web configurator is an all-platform, web-based utility that you can use to easily manage and configure the Business Secure Router. Most functions of the Business Secure Router are also software configurable via the SMT (System Management Terminal) interface. The SMT is a menu-driven interface that you can access from a terminal emulator through the console port or over a Telnet connection.
Applications for the Nortel Business Secure Router 222

Secure broadband internet access and VPN

You can connect a cable, DSL, or other modem to the Nortel Business Secure Router 222 via the Ethernet WAN port for broadband Internet access. The Business Secure Router also provides IP address sharing and a firewall-protected local network with traffic management.
Hardware Setup

Refer to Nortel Business Secure Router 222 — Fundamentals (NN47922-301) for hardware connection instructions.

Note: To keep the Business Secure Router operating at optimal internal temperature, keep the bottom, sides, and rear clear of obstructions and away from the exhaust of other equipment.

After installing your Nortel Business Secure Router 222, continue with the rest of this guide for configuration instructions.
Chapter 2 Introducing the SMT

This chapter explains how to access the System Management Terminal and gives an overview of its menus.

Introduction to the SMT

The Business Secure Router SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a Telnet connection. This chapter shows you how to access the SMT (System Management Terminal) menus via the console port, how to navigate the SMT, and how to configure SMT menus.
After the tests, the Business Secure Router asks you to press [ENTER] to continue, as shown in Figure 2.

Figure 2 Initial screen

    initialize ch =0, ethernet address: 00:A0:C5:22:1A:03
    initialize ch =1, ethernet address: 00:A0:C5:22:1A:04
    Press ENTER to continue...

Logging on to the SMT

The logon screen appears after you press [ENTER], prompting you to enter the username, as shown in Figure 3. Type the username (nnadmin is the default) and press [ENTER].
Table 2 lists several operations you must be familiar with before attempting to modify the configuration.

Table 2 Main menu commands

Operation: Move down to another menu
  Keystroke: [ENTER]
  Description: To move forward to a submenu, type in the number of the desired submenu and press [ENTER].

Operation: Move up to a previous menu
  Keystroke: [ESC]
  Description: Press the [ESC] key to move back to the previous menu.
Figure 4 Main menu

    Business Secure Router Main Menu

    Getting Started                     Advanced Management
      1. General Setup                    21. Filter and Firewall Setup
      2. WAN Setup                        22. SNMP Configuration
      3. LAN Setup                        23. System Security
      4. Internet Access Setup            24. System Maintenance
                                          26. Schedule Setup
    Advanced Applications
      11. Remote Node Setup               99. Exit
      12. Static Routing Setup
      14. Dial-in User Setup
      15. NAT Setup

    Enter Menu Selection Number:

Table 3 describes the fields in Figure 4.
Table 3 Main menu summary

No. 22, SNMP Configuration: Use this menu to configure SNMP-related parameters.
No. 23, System Security: Use this menu to change your password and enable network user authentication.
No. 24, System Maintenance: From displaying system status to uploading firmware, this menu provides comprehensive system maintenance.
No. 26, Schedule Setup: Use this menu to schedule outgoing calls.

SMT menus at a glance

Figure 6 SMT overview
SMT menu 1 - general setup

Introduction to general setup

Menu 1 - general setup contains administrative and system-related information.

Configuring general setup

Enter 1 in the main menu to open Menu 1: general setup. The Menu 1 - General Setup screen appears, as shown in Figure 7. Fill in the required fields.

Figure 7 Menu 1: general setup

    Menu 1 - General Setup

    System Name= Business Secure Router
    Domain Name= www.nortel.

Table 4 describes the fields in Figure 7.

Table 4 General setup menu fields

Field: System name
  Description: Choose a descriptive name for identification purposes. Nortel recommends you enter your computer name in this field. This name can be up to 30 alphanumeric characters long. Spaces, dashes - and underscores _ are accepted.
  Example: Business Secure Router

Field: Domain name
  Description: Enter the domain name (if you know it) here. If you
  Example: nortel.
Table 4 General setup menu fields

Field: First system DNS server, Second system
  Description: DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.

Table 4 General setup menu fields

  Description (continued): You must also configure a VPN branch office rule since the Business Secure Router uses a VPN tunnel when it relays DNS queries to the private DNS server. One of the rule’s IP policies must include the LAN IP address of the Business Secure Router as a local IP address and the IP address of the DNS server as a remote IP address. A Private DNS entry with the IP address set to 0.0.0.
Figure 8 Configure dynamic DNS

    Menu 1.1 - Configure Dynamic DNS

    Service Provider= WWW.DynDNS.

Table 5 Configure dynamic DNS menu fields

Field: Offline
  Description: This field is only available when CustomDNS is selected in the DDNS Type field. Press [SPACE BAR] and then [ENTER] to select Yes. When Yes is selected, traffic is redirected to a URL that you have previously specified (see www.dyndns.org for details).
  Example: http://www.dyndns.org/
Chapter 3 WAN and Dial Backup Setup

This chapter describes how to configure the WAN using menu 2 and dial backup using menus 2.1 and 11.1.

Introduction to WAN and dial backup setup

This chapter explains how to configure settings for your WAN port and how to configure the Business Secure Router for a dial backup connection.

Figure 9 Menu 2

    Menu 2 - WAN Setup

    MAC Address:
      Assigned By= Factory default
      IP Address= N/A

    Dial-Backup:
      Active= No
      Port Speed= 115200
      AT Command String:
        Init= at&fs0=0
      Edit Advanced Setup= No

    Press ENTER to Confirm or ESC to Cancel:
    Press Space Bar to Toggle.

Table 6 describes the MAC address fields in Figure 9. See Table 7 for descriptions of the dial-backup fields.
Dial backup

The Dial Backup port or CON/AUX port can be used in reserve as a traditional dial-up connection if the broadband connection to the WAN port fails. This feature is not available on all models.
Figure 10 Menu 2: dial backup setup

    Menu 2 - WAN Setup

    MAC Address:
      Assigned By= Factory default
      IP Address= N/A

    Dial-Backup:
      Active= No
      Port Speed= 115200
      AT Command String:
        Init= at&fs0=0
      Edit Advanced Setup= No

    Press ENTER to Confirm or ESC to Cancel:
    Press Space Bar to Toggle.

Table 7 describes the fields in Figure 10.

Table 7 Menu 2: dial backup setup

Field: Active
  Description: Use this field to turn the dial-backup feature on (Yes) or off (No).

Field: Edit Advanced Setup
  Description: To edit the advanced setup for the Dial Backup port, move the cursor to this field; press the [SPACE BAR] to select Yes and then press [ENTER] to go to Menu 2.1: Advanced Setup.
  Example: Yes

After you complete this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.
Figure 11 Menu 2.1 advanced WAN setup

    Menu 2.1 - Advanced WAN Setup

    AT Command Strings:
      Dial= atdt
      Drop= ~~+++~~ath
      Answer= ata
      Drop DTR When Hang Up= Yes

    AT Response Strings:
      CLID= NMBR =
      Called Id=
      Speed= CONNECT

    Call Control:
      Dial Timeout(sec)= 60
      Retry Count= 0
      Retry Interval(sec)= N/A
      Drop Timeout(sec)= 20
      Call Back Delay(sec)= 15

    Press ENTER to Confirm or ESC to Cancel:

Table 8 describes the fields in Figure 11.

Table 8 Advanced WAN port setup: AT commands fields

Field: Speed
  Description: Enter the keyword preceding the connection speed.
  Default: CONNECT

Field: Dial Timeout (sec)
  Description: Enter a number of seconds for the Business Secure Router to keep trying to set up an outgoing call before timing out (stopping). The Business Secure Router times out and stops if it cannot set up an outgoing call within the timeout value.
Figure 12 Menu 11.2 remote node profile (Backup ISP)

    Menu 11.2 - Remote Node Profile (Backup ISP)

    Rem Node Name= GUI
    Active= No

    Outgoing:
      My Login=
      My Password= ********
      Retype to Confirm= ********
      Authen= CHAP/PAP
      Pri Phone #= ?
      Sec Phone #=
    Edit PPP Options= No
    Rem IP Addr= 0.0.0.

Table 9 Fields in menu 11.2 remote node profile (Backup ISP)

Field: Authen
  Description: This field sets the authentication protocol used for outgoing calls. Options for this field are:
    CHAP/PAP - Your Business Secure Router will accept either CHAP or PAP when requested by this remote node.
    CHAP - accept CHAP only.
    PAP - accept PAP only.
  Example: CHAP/PAP

Field: Pri Phone #, Sec Phone #
  Description: Enter the first (primary) phone number from the ISP for this remote node.

Table 9 Fields in menu 11.2 remote node profile (Backup ISP)

Field: Schedules
  Description: You can apply up to four schedule sets here. For more details, refer to Chapter 18, “Call scheduling,” on page 213.
  Example: 1,3,5

Field: Nailed-Up Connection
  Description: Press [SPACE BAR] to select Yes to set this connection to always be on, regardless of whether or not there is any traffic. Select No to have this connection act as a dial-up connection.
  Example: No (default)
Figure 13 Menu 11.2.1: Remote node PPP options

    Menu 11.2.1 - Remote Node PPP Options

    Encapsulation= Standard PPP
    Compression= No

    Enter here to CONFIRM or ESC to CANCEL:
    Press Space Bar to Toggle.

Table 10 describes the Remote Node PPP Options Menu, and contains instructions about how to configure the PPP options fields.

Figure 14 Menu 11.2.2: remote node network layer options

    Menu 11.2.2 - Remote Node Network Layer Options

    IP Address Assignment= Dynamic
    Rem IP Addr= 0.0.0.0
    Rem Subnet Mask= 0.0.0.0
    My WAN Addr= 0.0.0.0
    Network Address Translation= None
    Metric= 15
    Private= No
    RIP Direction= Both
      Version= RIP-2B
    Multicast= None

    Enter here to CONFIRM or ESC to CANCEL:

Table 11 describes the fields in Figure 14.

Table 11 Remote node network layer options menu fields

Field: Network Address Translation
  Description: With Network Address Translation (NAT), you can translate an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example, a public IP address used on the Internet).
  Example: None (default)
Editing logon script

For some remote gateways, text logon is required before PPP negotiation is started. The Business Secure Router provides a script facility for this purpose. The script has six programmable sets; each set is composed of an ‘Expect’ string and a ‘Send’ string. After matching a message from the server to the ‘Expect’ field, the Business Secure Router returns the set’s ‘Send’ string to the server.

login successful. Starting PPP... after you enter the password, then you must create a third set to match the final “PPP...” but without a “Send” string. Otherwise, the Business Secure Router starts PPP prematurely right after sending your password to the server. If there are errors in the script and it gets stuck at a set for longer than the “Dial Timeout” in menu 2 (default 60 seconds), the Business Secure Router times out and drops the line.

Figure 15 Menu 11.2.3: remote node setup script

    Menu 11.2.3 - Remote Node Script

    Active= No

    Set 1:                 Set 5:
      Expect=                Expect=
      Send=                  Send=
    Set 2:                 Set 6:
      Expect=                Expect=
      Send=                  Send=
    Set 3:
      Expect=
      Send=
    Set 4:
      Expect=
      Send=

    Enter here to CONFIRM or ESC to CANCEL:
    Press Space Bar to Toggle.

Table 12 describes the fields in Figure 15.

Table 12 Menu 11.2.
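The Expect/Send behaviour and the two failure modes described above (PPP started prematurely when the final Expect-only set is missing, and the Dial Timeout dropping the line), as an added simulator that is not Nortel code. The server transcript, the placeholder username and password, and the timing values are constructed for the example.

```python
"""Simulator for the Business Secure Router's text-logon script (Menu 11.2.3).

Added example, not Nortel code. It models the behaviour the manual describes:
up to six sets, each an Expect string and a Send string. When a set's Expect
string appears in the server's output the router transmits that set's Send
string and moves on to the next set. A set with an empty Send string only
waits; that is how the final "PPP..." banner is matched so that PPP is not
started before the server is ready. If a set is not matched within the Dial
Timeout from menu 2 (default 60 seconds) the router drops the line. Server
transcripts, usernames and passwords below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ScriptSet:
    expect: str
    send: str = ""            # empty Send: wait for Expect, transmit nothing


@dataclass
class Event:
    """One chunk of server output and the time (seconds) it arrived."""
    at: float
    text: str


def run_logon_script(sets: List[ScriptSet], server_output: List[Event],
                     dial_timeout: float = 60.0
                     ) -> Tuple[str, List[str], Optional[float]]:
    """Replay server_output against the script.

    Returns (result, sent, ppp_start): result is "ppp" when every set matched
    and PPP negotiation would begin at time ppp_start, or "timeout" when the
    router would drop the line; sent lists the Send strings transmitted.
    """
    active = [s for s in sets if s.expect]   # blank sets are skipped
    sent: List[str] = []
    if not active:
        return "ppp", sent, 0.0              # no script: PPP starts at once
    buffer = ""
    idx = 0
    set_started = 0.0                        # when the current set began waiting
    for ev in server_output:
        if ev.at - set_started > dial_timeout:
            return "timeout", sent, None
        buffer += ev.text
        # One chunk may satisfy several Expect strings in sequence.
        while idx < len(active) and active[idx].expect in buffer:
            end = buffer.index(active[idx].expect) + len(active[idx].expect)
            buffer = buffer[end:]            # consume the matched text
            if active[idx].send:
                sent.append(active[idx].send)
            idx += 1
            set_started = ev.at
            if idx == len(active):
                return "ppp", sent, ev.at
    return "timeout", sent, None


def ppp_started_prematurely(sets: List[ScriptSet], server_output: List[Event],
                            banner: str = "PPP...") -> bool:
    """True if PPP would start before the server announced it: the pitfall
    the manual warns about when the final Expect-only set is missing."""
    result, _, started = run_logon_script(sets, server_output)
    if result != "ppp":
        return False
    announced = next((ev.at for ev in server_output if banner in ev.text), None)
    return announced is not None and started < announced


# Constructed transcript of a gateway that asks for login and password and
# then announces PPP, as in the manual's description.
SERVER = [
    Event(0.0, "Welcome to the gateway\r\n"),
    Event(0.5, "login: "),
    Event(1.0, "password: "),
    Event(1.5, "login successful. Starting PPP...\r\n"),
]

# Correct script: the third set matches the final banner and sends nothing.
GOOD_SCRIPT = [
    ScriptSet("login:", "myusername"),       # placeholder credentials
    ScriptSet("password:", "mypassword"),
    ScriptSet("PPP...", ""),
]

# Two-set script: PPP would start right after the password is sent.
SHORT_SCRIPT = GOOD_SCRIPT[:2]

# Server that takes longer than the Dial Timeout to ask for the password.
SLOW_SERVER = [Event(0.0, "login: "), Event(70.0, "password: ")]

if __name__ == "__main__":
    print(run_logon_script(GOOD_SCRIPT, SERVER))
    print("premature:", ppp_started_prematurely(SHORT_SCRIPT, SERVER))
    print(run_logon_script(GOOD_SCRIPT, SLOW_SERVER))
```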
Remote node filter

Move the cursor to the field Edit Filter Sets in menu 11.2, and then press [SPACE BAR] to set the value to Yes. Press [ENTER] to open Menu 11.2.4 Remote Node Filter. Use menu 11.2.4 to specify the filter sets to apply to the incoming and outgoing traffic between this remote node and the Business Secure Router to prevent certain packets from triggering calls.
Chapter 4 LAN setup

This chapter describes how to configure the LAN using Menu 3: LAN Setup.

Introduction to LAN setup

This section describes how to configure the Business Secure Router for LAN connections.

Accessing the LAN menus

From the main menu, enter 3 to open Menu 3 – LAN setup, as shown in Figure 17.

Figure 17 Menu 3: LAN setup

    Menu 3 - LAN Setup

    1. LAN Port Filter Setup
    2.

Figure 18 Menu 3.1: LAN port filter setup

    Menu 3.1 – LAN Port Filter Setup

    Input Filter Sets:
      protocol filters=
      device filters=
    Output Filter Sets:
      protocol filters=
      device filters=

    Press ENTER to Confirm or ESC to Cancel:

TCP/IP and DHCP ethernet setup menu

From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup.

Figure 19 Menu 3: TCP/IP and DHCP setup

    Menu 3 - LAN Setup

    1. LAN Port Filter Setup
    2.

Figure 20 Menu 3.2: TCP/IP and DHCP Ethernet setup

    Menu 3.2 - TCP/IP and DHCP Ethernet Setup

    DHCP= Server
    Client IP Pool:
      Starting Address= 192.168.1.2
      Size of Client IP Pool= 126

    TCP/IP Setup:
      IP Address= 192.168.1.1
      IP Subnet Mask= 255.255.255.
Table 13 DHCP Ethernet setup menu fields

Field: Size of Client IP Pool
  Description: This field specifies the size or count of the IP address pool.
  Example: 126

Field: First DNS Server, Second DNS Server, Third DNS Server
  Description: The Business Secure Router passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. Select From ISP if your ISP dynamically assigns DNS server information (and the Business Secure Router's WAN IP address).

Use the instructions in Table 14 to configure TCP/IP parameters for the LAN port.

Table 14 LAN TCP/IP setup menu fields

Field: IP Address
  Description: Enter the IP address of your Business Secure Router in dotted decimal notation.
  Example: 192.168.1.1 (default)

Field: IP Subnet Mask
  Description: Your Business Secure Router automatically calculates the subnet mask based on the IP address that you assign.
Figure 21 Menu 3.2.1: IP Alias setup

    Menu 3.2.1 - IP Alias Setup

    IP Alias 1= No
      IP Address= N/A
      IP Subnet Mask= N/A
      RIP Direction= N/A
        Version= N/A
      Incoming protocol filters= N/A
      Outgoing protocol filters= N/A
    IP Alias 2= No
      IP Address= N/A
      IP Subnet Mask= N/A
      RIP Direction= N/A
        Version= N/A
      Incoming protocol filters= N/A
      Outgoing protocol filters= N/A

    Enter here to CONFIRM or ESC to CANCEL:
    Press Space Bar to Toggle.

Table 15 IP Alias setup menu fields

Field: RIP Direction
  Description: Press [SPACE BAR] and then [ENTER] to select the RIP direction. Options are Both, In Only, Out Only or None.
  Example: None

Field: Version
  Description: Press [SPACE BAR] and then [ENTER] to select the RIP version. Options are RIP-1, RIP-2B or RIP-2M.
  Example: RIP-1

Field: Incoming Protocol Filters
  Description: Enter the filter sets you wish to apply to the incoming traffic between this node and the Business Secure Router.
Chapter 5 Internet access This chapter shows you how to configure your Business Secure Router for Internet access. Introduction to internet access setup Use the information from your ISP along with the instructions in this chapter to set up your Business Secure Router to access the Internet. There are three different menu 4 screens, depending on whether you chose Ethernet, PPTP or PPPoE Encapsulation. Contact your ISP to determine which encapsulation type you should use.
Figure 22 Menu 4: internet access setup (Ethernet)

    Menu 4 - Internet Access Setup

      ISP's Name= ChangeMe
      Encapsulation= Ethernet
        Service Type= Standard
        My Login= N/A
        My Password= N/A
        Retype to Confirm= N/A
        Login Server IP= N/A
      IP Address Assignment= Dynamic
        IP Address= N/A
        IP Subnet Mask= N/A
        Gateway IP Address= N/A
      Network Address Translation= SUA Only

      Press ENTER to Confirm or ESC to Cancel:

Table 16 describes the fields in Figure 22.
Table 16 Menu 4: internet access setup menu fields

Retype to Confirm
    Enter the password again to make sure that you have entered it correctly.

Login Server
    The Business Secure Router finds the Road Runner Server IP if this field is left blank. If it does not, then you must enter the authentication server IP address.
After configuring My Login and Password for PPP connection, press [SPACE BAR] and then [ENTER] in the Encapsulation field in Menu 4 - Internet Access Setup to choose PPTP as your encapsulation option. This brings up the screen shown in Figure 23.
Figure 24 Internet access setup (PPPoE)

    Menu 4 - Internet Access Setup

      ISP's Name= ChangeMe
      Encapsulation= PPPoE
        Service Type= N/A
        My Login=
        My Password= ********
        Retype to Confirm= ******
        Idle Timeout= 100
      IP Address Assignment= Dynamic
        IP Address= N/A
        IP Subnet Mask= N/A
        Gateway IP Address= N/A
      Network Address Translation= Full Feature

      Press ENTER to Confirm or ESC to Cancel:

    Press Space Bar to Toggle.

Table 18 describes the fields in Figure 24.
Basic setup complete

Well done! You have successfully connected, installed and set up your Business Secure Router to operate on your network, as well as access the Internet.

Note: When the firewall is activated, the default policy allows traffic to the Internet if it originates from the LAN, and blocks all traffic to the LAN that originates from the Internet. You can deactivate the firewall in menu 21.2 or via the Business Secure Router embedded WebGUI.
Chapter 6 Remote Node setup

This chapter shows you how to configure a remote node.

Introduction to Remote Node setup

A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use menu 4 to set up Internet access, you are actually configuring a remote node. The following describes how to configure Menu 11.1 Remote Node Profile, Menu 11.1.
Figure 25 Menu 11 Remote Node Setup

    Menu 11 - Remote Node Setup

      1. ChangeMe (ISP, SUA)
      2. -GUI (BACKUP_ISP, SUA)

      Enter Node # to Edit:

Remote Node profile setup

This section explains how to configure the remote node profile menu.

Ethernet Encapsulation

There are two variations of menu 11.1 depending on whether you choose Ethernet Encapsulation or PPPoE Encapsulation. You must choose the Ethernet option when the WAN port is used as a regular Ethernet. The first menu 11.
Figure 26 Menu 11.1: Remote Node profile for Ethernet Encapsulation

    Menu 11.1 - Remote Node Profile

      Rem Node Name= ChangeMe
      Active= Yes

      Route= IP
      Encapsulation= Ethernet
      Service Type= Standard
      Service Name= N/A
      Outgoing:
        My Login= N/A
        My Password= N/A
        Retype to Confirm= N/A
        Server= N/A

      Edit IP= No
      Session Options:
        Edit Filter Sets= No
        Edit Traffic Redirect= No

      Press ENTER to Confirm or ESC to Cancel:

    Press Space Bar to Toggle.

Table 19 describes the fields in Figure 26.
Table 19 Fields in menu 11.1

Service Name
    If you are using PPPoE encapsulation, then type the name of your PPPoE service here. Only valid with PPPoE encapsulation.
    Example: poellc

Outgoing: My Login
    This field is applicable for PPPoE encapsulation only. Enter the logon name assigned by your ISP when the Business Secure Router calls this remote node. Some ISPs append this field to the Service Name field above (e.g., jim@poellc) to access the PPPoE server.
Figure 27 Menu 11.1: Remote Node profile for PPPoE Encapsulation

    Menu 11.
Nailed-Up Connection

A nailed-up connection is a dial-up line where the connection is always up, regardless of traffic demand. The Business Secure Router does two things when you specify a nailed-up connection. The first is that idle timeout is disabled. The second is that the Business Secure Router tries to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be very expensive.
PPTP Encapsulation

If you change the Encapsulation to PPTP in menu 11.1, then you will see the next screen. See Appendix F, "PPTP," on page 257 for information about PPTP.

Figure 28 Menu 11.1: Remote Node Profile for PPTP Encapsulation

    Menu 11.
Table 21 Fields in Menu 11.1 (PPTP Encapsulation)

Connection ID/Name
    Enter the connection ID or connection name in the ANT. It must follow the "c:id" and "n:name" format. This field is optional and depends on the requirements of your DSL modem.
    Example: N:My ISP

Schedules
    You can apply up to four call schedule sets here.
Figure 29 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation

    Menu 11.1.2 - Remote Node Network Layer Options

      IP Address Assignment= Dynamic
      IP Address= N/A
      IP Subnet Mask= N/A
      Gateway IP Addr= N/A

      Network Address Translation= SUA Only
      Metric= N/A
      Private= N/A
      RIP Direction= None
        Version= N/A
      Multicast= None

      Enter here to CONFIRM or ESC to CANCEL:

    Press Space Bar to Toggle.
Table 22 Remote Node Network Layer Options Menu Fields

Gateway IP Addr
    This field is applicable to Ethernet encapsulation only. Enter the gateway IP address assigned to you if you are using a static IP address.

My WAN Addr
    This field is applicable to PPPoE and PPTP encapsulations only.
Table 22 Remote Node Network Layer Options Menu Fields

Version
    Press [SPACE BAR] and then [ENTER] to select the RIP version from RIP-1/RIP-2B/RIP-2M or None.
    Example: N/A

Multicast
    IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group. The Business Secure Router supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2).
    Example: None (default)
Figure 30 Menu 11.1.4: Remote Node filter (Ethernet Encapsulation)

    Menu 11.1.4 - Remote Node Filter

      Input Filter Sets:
        protocol filters=
          device filters=
      Output Filter Sets:
        protocol filters=
          device filters=

      Enter here to CONFIRM or ESC to CANCEL:

Figure 31 Menu 11.1.4: Remote Node filter (PPPoE or PPTP Encapsulation)

    Menu 11.1.
Figure 32 Menu 11.1: Remote Node Profile

    Menu 11.1 - Remote Node Profile

      Rem Node Name= ChangeMe
      Active= Yes

      Route= IP
      Encapsulation= Ethernet
      Service Type= Standard
      Service Name= N/A
      Outgoing:
        My Login= N/A
        My Password= N/A
        Retype to Confirm= N/A
        Server= N/A

      Edit IP= No
      Session Options:
        Edit Filter Sets= No
        Edit Traffic Redirect= No

      Press ENTER to Confirm or ESC to Cancel:

    Press Space Bar to Toggle.
Traffic Redirect setup

Configure parameters that determine when the Business Secure Router forwards WAN traffic to the backup gateway using Menu 11.1.5 - Traffic Redirect Setup.

Figure 33 Menu 11.1.5: Traffic Redirect setup

    Menu 11.1.5 - Traffic Redirect Setup

      Active= Yes

      Configuration:
        Backup Gateway IP Address= 0.0.0.0
        Metric= 15
        Check WAN IP Address= 0.0.0.
Table 24 Menu 11.1.5: Traffic Redirect setup

Check WAN IP Address
    Enter the IP address of a reliable nearby computer (for example, your ISP's DNS server address) to test your Business Secure Router's WAN accessibility. The Business Secure Router uses the default gateway IP address if you do not enter an IP address here. If you are using PPTP or PPPoE Encapsulation, enter 0.0.0.
Chapter 7 IP Static Route Setup

This chapter shows you how to configure static routes with your Business Secure Router.

IP Static Route Setup

Enter 12 from the main menu. Select one of the IP static routes as shown in Figure 34 to configure IP static routes in menu 12.1.

Note: The "Reserved" static route entry is for the default WAN route. You cannot modify or delete a static default route.

Figure 34 Menu 12: IP Static Route Setup

    Menu 12 - IP Static Route Setup

      1. Reserved
      2. ________
      3.
      12. ________

      Enter selection number:

Now, enter the index number of the static route that you want to configure.

Figure 35 Menu 12.1: Edit IP Static Route

    Menu 12.1 - Edit IP Static Route

      Route #: 2
      Route Name= ?
      Active= No
      Destination IP Address= ?
      IP Subnet Mask= ?
      Gateway IP Address= ?
      Metric= 2
      Private= No

      Press ENTER to CONFIRM or ESC to CANCEL:

Table 25 describes the IP Static Route Menu fields.
Table 25 IP Static Route Menu Fields

Metric
    Enter a number from 1 to 15 to set the priority for the route among the Business Secure Router routes. The smaller the number, the higher priority the route has.

Private
    This parameter determines if the Business Secure Router includes the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast.
Chapter 8 Dial-in User Setup

This chapter shows you how to create user accounts on the Business Secure Router.

Dial-in User Setup

By storing user profiles locally, your Business Secure Router can authenticate users without interacting with a network RADIUS server. Follow the steps below to set up user profiles on your Business Secure Router.

From the main menu, enter 14 to display Menu 14 - Dial-in User Setup.

Figure 36 Menu 14 - Dial-in User Setup

    Menu 14 - Dial-in User Setup

      1.
      2.
      3.
      4.
      5.
      6.
      7.
      8.
Figure 37 Menu 14.1 - Edit Dial-in User

    Menu 14.1 - Edit Dial-in User

      User Name= test
      Active= Yes
      Password= ********

      Press ENTER to Confirm or ESC to Cancel:
      Leave name field blank to delete profile

Table 26 describes the fields in Figure 37.

Table 26 Menu 14.1 - Edit Dial-in User

User Name
    Enter a username up to 31 alphanumeric characters long for this user profile. This field is case sensitive.
Chapter 9 Network Address Translation (NAT)

This chapter discusses how to configure NAT on the Business Secure Router.

Using NAT

Note: You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the Business Secure Router.

SUA (Single User Account) Versus NAT

SUA (Single User Account) is an implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
Figure 38 Menu 4: Applying NAT for Internet Access

    Menu 4 - Internet Access Setup

      ISP's Name= ChangeMe
      Encapsulation= Ethernet
        Service Type= Standard
        My Login= N/A
        My Password= N/A
        Retype to Confirm= N/A
        Login Server= N/A
      IP Address Assignment= Dynamic
        IP Address= N/A
        IP Subnet Mask= N/A
        Gateway IP Address= N/A
      Network Address Translation= SUA Only

      Press ENTER to Confirm or ESC to Cancel:

Figure 39 shows how you appl
Figure 39 Menu 11.1.2: Applying NAT to the Remote Node

    Menu 11.1.2 - Remote Node Network Layer Options

      IP Address Assignment= Dynamic
      IP Address= N/A
      IP Subnet Mask= N/A
      Gateway IP Addr= N/A

      Network Address Translation= Full Feature
      Metric= N/A
      Private= N/A
      RIP Direction= None
        Version= N/A
      Multicast= None

      Enter here to CONFIRM or ESC to CANCEL:

Table 27 describes the fields in Figure 39.

Table 27 Applying NAT in Menus 4 & 11.1.
NAT setup

Use the address mapping sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN. You can see two NAT address mapping sets in menu 15.1. You can only configure Set 1. Set 255 is used for SUA. When you select Full Feature in menu 4 or 11.1.2, the SMT uses Set 1. When you select SUA Only, the SMT uses the pre-configured Set 255 (read only).
Figure 41 Menu 15.1: Address Mapping Sets

    Menu 15.1 - Address Mapping Sets

        1. NAT_SET
      255. SUA (read only)

      Enter Menu Selection Number:

SUA Address Mapping Set

Enter 255 to display the screen shown in Figure 42 (see "SUA (Single User Account) Versus NAT" on page 107). The fields in this menu cannot be changed.
Figure 42 Menu 15.1.255: SUA Address Mapping Rules

    Menu 15.1.255 - Address Mapping Rules

      Set Name= SUA

      Idx  Local Start IP   Local End IP     Global Start IP  Global End IP    Type
      ---  ---------------  ---------------  ---------------  ---------------  ------
       1.  0.0.0.0          255.255.255.255  0.0.0.0                           M-1
       2.                                    0.0.0.0                           Server
       3.
       4.
       5.
       6.
       7.
       8.
       9.
      10.

      Press ENTER to Confirm or ESC to Cancel:

Table 28 explains the fields in Figure 42.

Note: Menu 15.1.
Table 28 SUA Address Mapping Rules

Local End IP
    Local End IP is the ending local IP address (ILA). If the rule is for all local IPs, then the start IP is 0.0.0.0 and the end IP is 255.255.255.255.
    Example: 255.255.255.255

Global Start IP
    This is the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global Start IP.
    Example: 0.0.0.0

Global End IP
    This is the ending global IP address (IGA).
Figure 43 Menu 15.1.1: First Set

    Menu 15.1.1 - Address Mapping Rules

      Set Name= NAT_SET

      Idx  Local Start IP   Local End IP     Global Start IP  Global End IP    Type
      ---  ---------------  ---------------  ---------------  ---------------  ------
       1.
       2.
       3.
       4.
       5.
       6.
       7.
       8.
       9.
      10.

      Action= Edit
      Select Rule=

      Press ENTER to Confirm or ESC to Cancel:

Note: The Type, Local and Global Start/End IPs are configured in menu 15.1.1.
... have already configured rules 1 to 6 in your current set and now you configure rule number 9. In the set summary screen, the new rule will be rule 7, not 9. If you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so that old rule 5 becomes rule 4, old rule 6 becomes rule 5 and old rule 7 becomes rule 6.

Table 29 Fields in menu 15.1.1

Set Name
    Enter a name for this set of rules. This is a required field.
Figure 44 Menu 15.1.1.1: Editing or configuring an individual rule in a set

    Menu 15.1.1.1 Address Mapping Rule

      Type= One-to-One

      Local IP:
        Start=
        End = N/A

      Global IP:
        Start=
        End = N/A

      Press ENTER to Confirm or ESC to Cancel:

Table 30 describes the fields in Figure 44.

Table 30 Menu 15.1.1.1: Editing or configuring an individual rule in a set

Type
    Press [SPACE BAR] and then [ENTER] to select from a total of five types.
Table 30 Menu 15.1.1.1: Editing or configuring an individual rule in a set

Global IP Start
    Enter the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global IP Start. Note that Global IP Start can be set to 0.0.0.0 only if the types are Many-to-One or Server.
    Example: 0.0.0.0

Global IP End
    Enter the ending global IP address (IGA). This field is N/A for One-to-One, Many-to-One and Server types.
    Example: N/A
Figure 45 Menu 15.2: NAT Server Sets

    Menu 15.2 - NAT Server Setup

      Default Server: 0.0.0.0

      Rule  Act.  Start Port  End Port  IP Address
      ------------------------------------------------
      001   No    0           0         0.0.0.0
      002   No    0           0         0.0.0.0
      003   No    0           0         0.0.0.0
      004   No    0           0         0.0.0.0
      005   No    0           0         0.0.0.0
      006   No    0           0         0.0.0.0
      007   No    0           0         0.0.0.0
      008   No    0           0         0.0.0.0
      009   No    0           0         0.0.0.0
      010   No    0           0         0.0.0.
Figure 46 15.2.1: NAT Server Configuration

    15.2.1 - NAT Server Configuration

      Index= 1
      ------------------------------------------------
      Name=
      Active= No
      Start port= 0
      End port= 0
      IP Address= 0.0.0.0

      Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this screen.

Table 31 15.2.1: NAT Server Configuration

Index
    This is the index number of an individual port forwarding server entry.
5 Enter the inside IP address of the server in the IP Address field. In the following figure, you have a computer acting as an FTP, Telnet and SMTP server (ports 21, 23 and 25) at 192.168.1.33.

6 Press [ENTER] at the "Press ENTER to confirm ..." prompt to save your configuration after you define all the servers or press [ESC] at any time to cancel.

Figure 47 Menu 15.2: NAT Server Setup

    Menu 15.2 - NAT Server Setup

      Default Server: 0.0.0.0

      Rule  Act.
Figure 48 Multiple servers behind NAT example (network diagram: Business Secure Router)

General NAT examples

The following are some examples of NAT configuration.

Internet access only

In the Internet access example shown in Figure 49, you only need one rule where all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP.
Figure 50 Menu 4: Internet access & NAT example

    Menu 4 - Internet Access Setup

      ISP's Name= ChangeMe
      Encapsulation= Ethernet
        Service Type= Standard
        My Login= N/A
        My Password= N/A
        Login Server IP= N/A
      IP Address Assignment= Dynamic
        IP Address= N/A
        IP Subnet Mask= N/A
        Gateway IP Address= N/A
      Network Address Translation= SUA Only

      Press ENTER to Confirm or ESC to Cancel:

From menu 4 shown above, simply choose the SUA Only option from the Network Address Transla
Example 2: Internet access with an inside server

Figure 51 NAT Example 2 (network diagram: Business Secure Router)

In this case, you do exactly as shown in Figure 51 (use the convenient pre-configured SUA Only set), and also go to menu 15.2 to specify the Inside Server behind the NAT as shown in Figure 52.
Figure 52 Menu 15.2: Specifying an inside server

    Menu 15.2 - NAT Server Setup

      Default Server: 192.168.1.10

      Rule  Act.  Start Port  End Port  IP Address
      ------------------------------------------------
      001   No    0           0         0.0.0.0
      002   No    0           0         0.0.0.0
      003   No    0           0         0.0.0.0
      004   No    0           0         0.0.0.0
      005   No    0           0         0.0.0.0
      006   No    0           0         0.0.0.0
      007   No    0           0         0.0.0.0
      008   No    0           0         0.0.0.0
      009   No    0           0         0.0.0.0
      010   No    0           0         0.0.0.
The example situation looks like this:

Figure 53 NAT example 3 (network diagram: Business Secure Router)

1 In this case you must configure Address Mapping Set 1 from Menu 15.1 Address Mapping Sets. Therefore, you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.1.2) (see Figure 54).

2 Enter 15 from the main menu.

3 Enter 1 to configure the Address Mapping Sets.

4 Enter 1 to begin configuring this new set.
Figure 54 Example 3: Menu 11.1.2

    Menu 11.1.2 - Remote Node Network Layer Options

      IP Address Assignment= Dynamic
      IP Address= N/A
      IP Subnet Mask= N/A
      Gateway IP Addr= N/A

      Network Address Translation= Full Feature
      Metric= N/A
      Private= N/A
      RIP Direction= None
        Version= N/A

      Enter here to CONFIRM or ESC to CANCEL:

Figure 55 shows how to configure the first rule.
Figure 55 Example 3: Menu 15.1.1.1

    Menu 15.1.1.1 Address Mapping Rule

      Type= One-to-One

      Local IP:
        Start= 192.168.1.10
        End = N/A

      Global IP:
        Start= 10.132.50.
Figure 56 Example 3: Final Menu 15.1.1

    Menu 15.1.1 - Address Mapping Rules

      Set Name= Example3

      Idx  Local Start IP   Local End IP     Global Start IP  Global End IP    Type
      ---  ---------------  ---------------  ---------------  ---------------  ------
       1.  192.168.1.10                      10.132.50.1                       1-1
       2.  192.168.1.11                      10.132.50.2                       1-1
       3.  0.0.0.0          255.255.255.255  10.132.50.3                       M-1
       4.                                    10.132.50.3                       Server
       5.
       6.
       7.
       8.
       9.
      10.
Figure 57 Example 3: Menu 15.2

    Menu 15.2 - NAT Server Setup

      Default Server: 0.0.0.0

      Rule  Act.  Start Port  End Port  IP Address
      ------------------------------------------------
      001   Yes   80          80        192.168.1.21
      002   Yes   25          25        192.168.1.20
      003   No    0           0         0.0.0.0
      004   No    0           0         0.0.0.0
      005   No    0           0         0.0.0.0
      006   No    0           0         0.0.0.0
      007   No    0           0         0.0.0.0
      008   No    0           0         0.0.0.0
      009   No    0           0         0.0.0.0
      010   No    0           0         0.0.0.
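The following Python model is an added example, not code from the Nortel manual or the router firmware. It shows how the address mapping rules of the read-only SUA set (Figure 42, Table 28) and of the Example 3 set (Figure 56) combine with the NAT server set of Menu 15.2 (Figure 57) to translate addresses in both directions. It assumes that the rules in a set are tried in index order with the first match winning, that a Global Start IP of 0.0.0.0 stands for the dynamically assigned WAN address (the `wan_ip` parameter is this example's own), and that replies for Many-to-One sessions, which depend on connection state the router keeps, are out of scope.

```python
"""Model of the NAT address mapping sets on this page: the read-only SUA set
of Figure 42 and the Example 3 set of Figures 56 and 57.

Added illustration, not Nortel code. Assumptions: rules in a set are tried in
index order and the first matching rule wins; a Global Start IP of 0.0.0.0
stands for the dynamically assigned WAN address (Table 28); inbound traffic to
a Server-type address is resolved through the NAT server set of Menu 15.2 by
destination port; replies for Many-to-One sessions are not modelled.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass
class MappingRule:
    kind: str                          # "1-1", "M-1" or "Server", as abbreviated in Menu 15.1.1
    global_start: str                  # Global Start IP (IGA); 0.0.0.0 = dynamic WAN address
    local_start: Optional[str] = None  # Local Start IP (ILA); blank for Server rules
    local_end: Optional[str] = None    # Local End IP; blank for One-to-One and Server


@dataclass
class ServerRule:
    active: bool
    start_port: int
    end_port: int
    ip: str


# Constructed from Figure 42 (Menu 15.1.255, set "SUA").
SUA_RULES = [
    MappingRule("M-1", "0.0.0.0", "0.0.0.0", "255.255.255.255"),
    MappingRule("Server", "0.0.0.0"),
]

# Constructed from Figure 56 (Menu 15.1.1, set "Example3") and Figure 57 (Menu 15.2).
EXAMPLE3_RULES = [
    MappingRule("1-1", "10.132.50.1", "192.168.1.10"),
    MappingRule("1-1", "10.132.50.2", "192.168.1.11"),
    MappingRule("M-1", "10.132.50.3", "0.0.0.0", "255.255.255.255"),
    MappingRule("Server", "10.132.50.3"),
]
EXAMPLE3_SERVERS = [
    ServerRule(True, 80, 80, "192.168.1.21"),   # rule 001
    ServerRule(True, 25, 25, "192.168.1.20"),   # rule 002
] + [ServerRule(False, 0, 0, "0.0.0.0")] * 8   # rules 003-010, unused
EXAMPLE3_DEFAULT_SERVER = "0.0.0.0"            # 0.0.0.0 = no default server


def _in_range(ip: str, start: str, end: Optional[str]) -> bool:
    return IPv4Address(start) <= IPv4Address(ip) <= IPv4Address(end or start)


def _effective_global(rule: MappingRule, wan_ip: str) -> str:
    return wan_ip if rule.global_start == "0.0.0.0" else rule.global_start


def outbound_global(src_ip: str, rules: List[MappingRule] = EXAMPLE3_RULES,
                    wan_ip: str = "0.0.0.0") -> Optional[str]:
    """Inside local address -> inside global address for LAN-originated traffic."""
    for rule in rules:
        if rule.kind in ("1-1", "M-1") and _in_range(src_ip, rule.local_start, rule.local_end):
            return _effective_global(rule, wan_ip)
    return None  # no rule covers this host, so nothing is translated


def inbound_local(dst_ip: str, dst_port: int,
                  rules: List[MappingRule] = EXAMPLE3_RULES,
                  servers: List[ServerRule] = EXAMPLE3_SERVERS,
                  default_server: str = EXAMPLE3_DEFAULT_SERVER,
                  wan_ip: str = "0.0.0.0") -> Optional[str]:
    """Inside global address and port -> inside local address for WAN-originated traffic."""
    for rule in rules:
        if _effective_global(rule, wan_ip) != dst_ip:
            continue
        if rule.kind == "1-1":
            return rule.local_start          # every port reaches the mapped host
        if rule.kind == "Server":
            for srv in servers:
                if srv.active and srv.start_port <= dst_port <= srv.end_port:
                    return srv.ip
            return None if default_server == "0.0.0.0" else default_server
        # M-1: only replies to sessions the router has already seen; fall through
    return None  # unsolicited traffic with no matching rule
```

Run against the Example 3 tables, 192.168.1.10 and 192.168.1.11 leave as 10.132.50.1 and 10.132.50.2, every other LAN host shares 10.132.50.3, and only ports 80 and 25 on 10.132.50.3 reach an inside host; anything else to that address gets no inside destination because the default server is 0.0.0.0. The same functions applied to the SUA set with a default server set, as in Figure 52, show why that field hands every unmatched inbound port to one LAN machine.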
Figure 58 Menu 15.3: Trigger Port Setup

    Menu 15.3 - Trigger Port Setup

                            Incoming                Trigger
      Rule  Name            Start Port  End Port    Start Port  End Port
      ------------------------------------------------------------------
       1.   Real Audio      6970        7170        7070        7070
       2.                   0           0           0           0
       3.                   0           0           0           0
       4.                   0           0           0           0
       5.                   0           0           0           0
       6.                   0           0           0           0
       7.                   0           0           0           0
       8.                   0           0           0           0
       9.                   0           0           0           0
      10.                   0           0           0           0
      11.                   0           0           0           0
      12.
Table 32 Menu 15.3: Trigger Port setup description

End Port
    Enter a port number or the ending port number in a range of port numbers.
    Example: 7170

Trigger
    The trigger port is a port (or a range of ports) that causes (or triggers) the Business Secure Router to record the IP address of the LAN computer that sent the traffic to a server on the WAN.

Start Port
    Enter a port number or the starting port number in a range of port numbers.
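As an added example (not Nortel code), the Python class below models the port triggering behaviour Table 32 describes for the Real Audio row of Figure 58: a LAN host sending to a WAN server on the trigger port is recorded, and incoming traffic in the incoming port range is then forwarded to that host. It assumes that the router remembers one LAN address per rule and that a later trigger from another host replaces it; the class and method names are this example's own.

```python
"""Port triggering as described for Menu 15.3 (Figure 58 and Table 32).

Added illustration, not Nortel code. Assumption: the router keeps one recorded
LAN address per trigger rule, and a later outbound trigger from another LAN
host replaces it; rows whose ports are all 0 are unused.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class TriggerRule:
    name: str
    incoming_start: int   # Incoming Start Port: WAN traffic in this range is forwarded
    incoming_end: int     # Incoming End Port
    trigger_start: int    # Trigger Start Port: LAN traffic to this range arms the rule
    trigger_end: int      # Trigger End Port


class TriggerPortTable:
    def __init__(self, rules: List[TriggerRule]) -> None:
        # Unused rows (all ports 0, as in rows 2-12 of Figure 58) are ignored.
        self.rules = [r for r in rules if r.trigger_end > 0 and r.incoming_end > 0]
        self.recorded: Dict[str, str] = {}   # rule name -> LAN IP that triggered it

    def outbound(self, lan_ip: str, wan_dst_port: int) -> Optional[str]:
        """A LAN host sending to a WAN server on a trigger port is recorded for that rule."""
        for rule in self.rules:
            if rule.trigger_start <= wan_dst_port <= rule.trigger_end:
                self.recorded[rule.name] = lan_ip
                return rule.name
        return None

    def inbound(self, wan_dst_port: int) -> Optional[str]:
        """Incoming traffic in a rule's incoming range goes to the recorded LAN host, if any."""
        for rule in self.rules:
            if rule.incoming_start <= wan_dst_port <= rule.incoming_end:
                return self.recorded.get(rule.name)
        return None


# Constructed from Figure 58: rule 1 "Real Audio", incoming 6970-7170, trigger 7070.
FIGURE58_RULES = [TriggerRule("Real Audio", 6970, 7170, 7070, 7070)] + \
                 [TriggerRule("", 0, 0, 0, 0) for _ in range(11)]
```

Until some LAN host has sent to port 7070, inbound traffic on 6970-7170 has nowhere to go; afterwards it goes to the last host that did, which is the difference between a trigger rule and the static server entries of Menu 15.2.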
Chapter 10 Introducing the firewall

This chapter shows you how to get started with the firewall.

Using SMT menus

From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown in Figure 59.

Figure 59 Menu 21: Filter and Firewall Setup

    Menu 21 - Filter and Firewall Setup

      1. Filter Setup
      2. Firewall Setup

      Enter Menu Selection Number:

Activating the firewall

Enter option 2 in this menu to bring up the screen shown in Figure 60.
Figure 60 Menu 21.2: Firewall Setup

    Menu 21.2 - Firewall Setup

      The firewall protects against Denial of Service (DoS) attacks when
      it is active. Your network is vulnerable to attacks when the firewall
      is turned off. Refer to the User's Guide for details about the
      firewall default policies.

      You may define additional Policy rules or modify existing ones but
      please exercise extreme caution in doing so.

      Active: Yes

      You can use the WebGUI to configure the firewall.
Chapter 11 Filter configuration

This chapter shows you how to create and apply filters.

Introduction to filters

Your Business Secure Router uses filters to decide whether to allow passage of a data packet, make a call, or both. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters. Data filtering screens the data to determine if the packet is allowed to pass.
Figure 61 Outgoing packet filtering process (flowchart). Recoverable content: an outgoing packet first passes Data Filtering (active data); a match drops the packet, and no match continues to Call Filtering. Call Filtering tries the built-in default call filters and then the user-defined call filters (if applicable); a match either drops the packet if the line is not up or sends the packet without resetting the idle timer; no match initiates the call if the line is not up and sends the packet, resetting the idle timer.

For incom
Figure 62 Filter rule process (flowchart). Recoverable content: a packet enters the filter and the first filter set is fetched; if the set is active, its rules are fetched and executed in turn. Each rule yields Check Next Rule, Forward (accept packet) or Drop (drop packet). When no rule in the set remains, the next filter set is fetched; when no filter set remains, the packet is accepted.

You can apply up to four filter sets to a particular port to block multiple types of packets.
Configuring a Filter Set

The Business Secure Router includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below.

1 Enter 21 in the main menu to open menu 21.

Figure 63 Menu 21: Filter and Firewall Setup

    Menu 21 - Filter and Firewall Setup

      1. Filter Setup
      2.
2 Enter 1 to bring up menu 21.1.

Figure 64 Menu 21.1: Filter Set Configuration

    Menu 21.
Table 33 Abbreviations used in the Filter Rules Summary Menu

#
    The filter rule number: 1 to 6.

A
    Active: "Y" means the rule is active. "N" means the rule is inactive.

Type
    The type of filter rule: "GEN" for Generic, "IP" for TCP/IP.

Filter Rules
    These parameters are displayed here.

M
    More: "Y" means there are more rules to check which form a rule chain with the present rule. An action cannot be taken until the rule chain is complete.
Configuring a Filter Rule

To configure a filter rule, type its number in Menu 21.1.1 - Filter Rules Summary and press [ENTER] to open menu 21.1.1.1 for the rule. To speed up filtering, all rules in a filter set must be of the same class, for example, protocol filters or generic filters. The class of a filter set is determined by the first rule that you create. When applying the filter sets to a port, separate menu fields are provided for protocol and device filter sets.
Figure 65 Menu 21.1.1.1: TCP/IP Filter Rule

    Menu 21.1.1.2 - TCP/IP Filter Rule

      Filter #: 1,2
      Filter Type= TCP/IP Filter Rule
      Active= Yes
      IP Protocol= 0     IP Source Route= No
      Destination: IP Addr=
                   IP Mask=
                   Port #=
                   Port # Comp= None
           Source: IP Addr=
                   IP Mask=
                   Port #=
                   Port # Comp= None
      TCP Estab= N/A
      More= No           Log= None
      Action Matched= Check Next Rule
      Action Not Matched= Check Next Rule

      Press ENTER to Confirm or ESC to Cancel:

    Press Space Bar to Toggle.
Table 35 TCP/IP Filter Rule Menu fields

IP Address
    Enter the destination IP Address of the packet you wish to filter. This field is ignored if it is 0.0.0.0.
    Options: 0.0.0.0

IP Mask
    Enter the IP mask to apply to the Destination: IP Addr.
    Options: 0.0.0.0

Port #
    Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is 0.
Table 35 TCP/IP Filter Rule Menu fields

Log
    Press [SPACE BAR] and then [ENTER] to select a logging option from the following:
    None - No packets are logged.
    Action Matched - Only packets that match the rule parameters are logged.
    Action Not Matched - Only packets that do not match the rule parameters are logged.
    Both - All packets are logged.
Figure 66 Executing an IP filter (flowchart). Recoverable content: if the filter is not active, check the next rule. Otherwise apply the source address mask and check the source IP address, apply the destination address mask and check the destination IP address, check the IP protocol, then check the source and destination ports; any mismatch goes to Action Not Matched. If everything matches and More is Yes, check the next rule; otherwise Action Matched applies. Either action is Check Next Rule, Forward (accept packet) or Drop (drop packet).
Configuring a Generic Filter Rule

This section shows you how to configure a generic filter rule. With generic rules you can filter non-IP packets. For IP packets, it is generally easier to use the IP rules directly. For generic rules, the Business Secure Router treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes.
Table 36 describes the fields in the Generic Filter Rule menu.

Table 36 Generic Filter Rule Menu fields

Filter #
    This is the filter set, filter rule coordinates, for example, 2,3 refers to the second filter set and the third rule of that set.

Filter Type
    Use [SPACE BAR] and then [ENTER] to select a rule type. Parameters displayed below each type will be different.
Table 36 Generic Filter Rule Menu fields

Action Not Matched
    Select the action for a packet not matching the rule.
    Options: Check Next Rule, Forward, Drop

After you complete filling in Menu 21.1.1.1 - Generic Filter Rule, press [ENTER] at the message "Press ENTER to Confirm" to save your configuration, or press [ESC] to cancel. This data is now displayed on Menu 21.1.1 Filter Rules Summary.
3 Enter the index of the filter set you wish to configure (for example 3) and press [ENTER].

4 Enter a descriptive name or comment in the Edit Comments field and press [ENTER].

5 Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.3 - Filter Rules Summary.

6 Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in Figure 69.

Figure 69 Example Filter: Menu 21.1.3.1

    Menu 21.1.3.
Figure 70 Example Filter Rules Summary: Menu 21.1.3

    Menu 21.1.3 - Filter Rules Summary

      # A Type Filter Rules                                              M m n
      - - ---- ----------------------------------------------------------- - - -
      1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23                         N D F
      2 N
      3 N
      4 N
      5 N
      6 N

      Enter Filter Rule Number (1-6) to Configure: 1

After you have created the filter set, you must apply it.

1 Enter 11 from the main menu to go to menu 11.

2 Then enter 1 to open Menu 11.
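The Python below is an added example, not code from the Nortel manual or the router, that implements the rule evaluation of Figure 62 (sets tried in order, each rule returning Check Next Rule, Forward or Drop) and Figure 66 (address masks, protocol and port checks, the More chain), and then runs the example rule of Figure 70 (Pr=6, DP=23) over constructed packets. Field and action names follow the TCP/IP Filter Rule menu on this page; the port comparison operators other than None (Equal, Not Equal, Less, Greater), the reading of the m and n summary columns as the matched and not-matched actions, and all class and function names are this example's own assumptions.

```python
"""Filter-set evaluation modelled on Figure 62 (filter rule process),
Figure 66 (executing an IP filter) and the example rule of Figure 70.

Added illustration, not Nortel code. Field names follow the TCP/IP Filter
Rule menu on this page; the port comparison operators other than "None"
(Equal, Not Equal, Less, Greater) are an assumption of this example, and an
inactive rule is simply skipped.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List

CHECK_NEXT, FORWARD, DROP = "Check Next Rule", "Forward", "Drop"


@dataclass
class Packet:
    protocol: int   # IP protocol number: 6 = TCP, 17 = UDP
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class IPFilterRule:
    active: bool = True
    ip_protocol: int = 0            # 0 = any
    dst_addr: str = "0.0.0.0"       # 0.0.0.0 = ignored, as Table 35 says
    dst_mask: str = "0.0.0.0"
    dst_port: int = 0               # 0 = ignored
    dst_comp: str = "None"
    src_addr: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    src_port: int = 0
    src_comp: str = "None"
    more: bool = False              # "More": the rule chains with the next one
    action_matched: str = CHECK_NEXT
    action_not_matched: str = CHECK_NEXT


def _addr_match(addr: str, rule_addr: str, mask: str) -> bool:
    if rule_addr == "0.0.0.0":
        return True
    m = int(IPv4Address(mask))
    return int(IPv4Address(addr)) & m == int(IPv4Address(rule_addr)) & m


def _port_match(port: int, rule_port: int, comp: str) -> bool:
    if rule_port == 0 or comp == "None":
        return True
    return {"Equal": port == rule_port, "Not Equal": port != rule_port,
            "Less": port < rule_port, "Greater": port > rule_port}[comp]


def rule_matches(rule: IPFilterRule, pkt: Packet) -> bool:
    """The checks of Figure 66, in order: source, destination, protocol, ports."""
    return (_addr_match(pkt.src, rule.src_addr, rule.src_mask)
            and _addr_match(pkt.dst, rule.dst_addr, rule.dst_mask)
            and (rule.ip_protocol == 0 or rule.ip_protocol == pkt.protocol)
            and _port_match(pkt.sport, rule.src_port, rule.src_comp)
            and _port_match(pkt.dport, rule.dst_port, rule.dst_comp))


def run_filter_set(rules: List[IPFilterRule], pkt: Packet) -> str:
    """Returns FORWARD, DROP, or CHECK_NEXT when the set ends without a verdict."""
    for rule in rules:
        if not rule.active:
            continue
        if rule_matches(rule, pkt):
            # With More=Yes a match only defers to the next rule in the chain.
            action = CHECK_NEXT if rule.more else rule.action_matched
        else:
            action = rule.action_not_matched
        if action != CHECK_NEXT:
            return action
    return CHECK_NEXT


def run_filters(filter_sets: List[List[IPFilterRule]], pkt: Packet) -> str:
    """Figure 62: sets are tried in order; a packet that exhausts them is accepted."""
    for rules in filter_sets:
        verdict = run_filter_set(rules, pkt)
        if verdict != CHECK_NEXT:
            return verdict
    return FORWARD


# Constructed from Figure 70, filter set 3: rule 1 is Pr=6, DP=23 with M=N and
# the m/n columns D and F (taken here as Drop on match, Forward otherwise);
# rules 2-6 are inactive.
TELNET_BLOCK_SET = [
    IPFilterRule(ip_protocol=6, dst_port=23, dst_comp="Equal",
                 action_matched=DROP, action_not_matched=FORWARD),
] + [IPFilterRule(active=False)] * 5
```

Two points the flowcharts make are visible in the code: a rule whose Action Not Matched is Forward ends evaluation for every non-matching packet, so later rules and later sets are never consulted for them, and a chained rule (More=Yes) only contributes its match to the chain, with the verdict coming from the last rule in it.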
Filter Types and NAT

There are two classes of filter rules, Generic Filter (Device) rules and protocol filter (TCP/IP) rules. Generic filter rules act on the raw data that's going through between LAN and WAN. Protocol filter rules act on the IP packets. Generic and TCP/IP filter rules are discussed in more detail in the next section.
Applying a Filter

This section shows you where to apply the filters after you design them. The Business Secure Router already has filters to prevent NetBIOS traffic from triggering calls, and block incoming Telnet, FTP and HTTP connections.

Note: Nortel recommends that you apply filters if you do not activate the firewall.

Applying LAN Filters

LAN traffic filter sets are useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.
Applying Remote Node Filters

Go to menu 11.1.4 (shown in Figure 73; note that call filter sets are only present for PPPoE encapsulation) and enter the numbers of the filter sets, as appropriate. You can cascade up to four filter sets by entering their numbers separated by commas. The Business Secure Router already has filters to prevent NetBIOS traffic from triggering calls, and to block incoming Telnet, FTP and HTTP connections.
Chapter 12 SNMP Configuration

This chapter explains SNMP configuration menu 22.

Note: SNMP is only available if TCP/IP is configured.

SNMP Configuration

To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The community for Get, Set and Trap fields is SNMP terminology for password.

Figure 74 Menu 22: SNMP Configuration

    Menu 22 - SNMP Configuration

      SNMP:
        Get Community= PlsChgMe!RO
        Set Community= PlsChgMe!RW
        Trusted Host= 0.0.0.
Table 37 describes the SNMP configuration parameters.

Table 37 SNMP Configuration Menu Fields

Get Community
    Type the Get community, which is the password for the incoming Get- and GetNext requests from the management station.
    Example: Public (default)

Set Community
    Type the Set community, which is the password for incoming Set requests from the management station.
Table 38 SNMP Traps

Trap # 6: whyReboot (defined in MIB)
    A trap is sent with the reason of restart before rebooting when the system is going to restart (warm start).

Trap # 6a: For intentional reboot
    A trap is sent with the message "System reboot by user!" if reboot is done intentionally, (for example, download new files, CI command "sys reboot", and others).
Chapter 13 System security

This chapter describes how to configure the system security on the Business Secure Router.

System security

You can configure the system password, an external RADIUS server and 802.1x in this menu.

System password

Figure 75 Menu 23 System security

    Menu 23 - System Security
    1. Change Password
    2. RADIUS Server
    4. IEEE802.1x
    Enter Menu Selection Number:

Nortel recommends you change the default password.
Configuring external RADIUS server

Enter 23 in the main menu to display Menu 23 - System security.

Figure 76 Menu 23 system security

    Menu 23 - System Security
    1. Change Password
    2. RADIUS Server
    4. IEEE802.1x
    Enter Menu Selection Number:

From Menu 23 - System Security, enter 2 to display Menu 23.2 - System Security - RADIUS Server, as shown in Figure 77.

Figure 77 Menu 23.2 System Security: RADIUS server

    Menu 23.
Table 39 describes the fields in Figure 77.

Table 39 Menu 23.2 System Security: RADIUS Server

Field: Authentication Server Active
Description: Press [SPACE BAR] to select Yes and press [ENTER] to enable user authentication through an external authentication server.

Field: Server Address
Description: Enter the IP address of the external authentication server in dotted decimal notation.

Field: Port #
Description: The default port of the RADIUS server for authentication is 1812.
IEEE 802.1x

The IEEE 802.1x standards outline enhanced security methods for both the authentication of users and encryption key management. Follow the steps below to enable EAP authentication on your Business Secure Router.

1 From the main menu, enter 23 to display Menu 23 - System Security.

Figure 78 Menu 23 System Security

    Menu 23 - System Security
    1. Change Password
    2. RADIUS Server
    4. IEEE802.1x
    Enter Menu Selection Number:

2 Enter 4 to display Menu 23.
Table 40 describes the fields in Figure 79.

Table 40 Menu 23.4 System Security: IEEE802.1x

Field: Port Control
Description: Press [SPACE BAR] and select a security mode. Select No Authentication Required to allow any computer access to your network without entering usernames and passwords. This is the default setting. Selecting Authentication Required means computers have to enter usernames and passwords before access to the network is allowed.
Table 40 Menu 23.4 System Security: IEEE802.1x

Field: Authentication Databases
Description: The authentication database contains user login information. The local user database is the built-in database on the Business Secure Router. RADIUS is an external server. Use this field to decide which database the Business Secure Router should use (first) to authenticate a user. Before you specify the priority, make sure you have set up the corresponding database correctly first.
Chapter 14 System information and diagnosis

This chapter covers SMT menus 24.1 to 24.4.

Introduction to System Status

This chapter covers the diagnostic tools that help you to maintain your Business Secure Router. These tools include updates on system status, port status and log and trace capabilities. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown in Figure 80.
Figure 80 Menu 24: System Maintenance

    Menu 24 - System Maintenance
    1. System Status
    2. System Information and Console Port Speed
    3. Log and Trace
    4. Diagnostic
    5. Backup Configuration
    6. Restore Configuration
    7. Upload Firmware
    8. Command Interpreter Mode
    9. Call Control
    10. Time and Date Setting
    11.
Figure 81 Menu 24.1: System Maintenance: Status
Figure 82 Menu 24.1 - System Maintenance - Status

    Menu 24.1 - System Maintenance - Status          00:02:07 Thu. Jan. 01, 2004

    Port   Status      TxPkts   RxPkts   Cols   Tx B/s   Rx B/s
    WAN    Down             0        0      0        0        0
    LAN    100M/Full       12        7      0        0       64

    Port   Ethernet Address    IP Address    IP Mask
    WAN    00:13:49:00:00:02   0.0.0.0       0.0.0.0
    LAN    00:13:49:00:00:01   192.168.1.1   255.255.255.

    System up Time:
Table 41 System Maintenance: Status Menu Fields

Field: Rx B/s
Description: Shows the reception speed in bytes per second on this port.

Field: Up Time
Description: Total amount of time the line has been up.

Field: Ethernet Address
Description: The Ethernet address of the port listed on the left.

Field: IP Address
Description: The IP address of the port listed on the left.

Field: IP Mask
Description: The IP mask of the port listed on the left.

Field: DHCP
Description: The DHCP setting of the port listed on the left.
Figure 83 System Information and Console Port Speed

    Menu 24.2 - System Information and Console Port Speed
    1. System Information
    2. Console Port Speed
    Please enter selection:

System Information

System Information gives you information about your system, as shown in Figure 84. More specifically, it gives you information on your routing protocol, Ethernet address and IP address.
Figure 84 Menu 24.2.1: System Maintenance Information

    Menu 24.2.1 - System Maintenance - Information
    Name:
    Routing: IP
    RAS F/W Version: VBSR222_2.6.0.0.003b1 | 07/19/2006
    Country Code: 255
    LAN
      Ethernet Address: 00:13:49:00:00:01
      IP Address: 192.168.1.1
      IP Mask: 255.255.255.
Console port speed

You can change the speed of the console port through Menu 24.2.2 - Console Port Speed. Your Business Secure Router supports 9 600 (default), 19 200, 38 400, 57 600, and 115 200 b/s for the console port. Press [SPACE BAR] and then [ENTER] to select the desired speed in menu 24.2.2, as shown in Figure 85.

Figure 85 Menu 24.2.2: System Maintenance: Change Console Port Speed

    Menu 24.2.
Figure 87 Menu 24.3.2: System Maintenance: Syslog Logging

    Menu 24.3.2 - System Maintenance - Syslog Logging
    Syslog:
        Active= No
        Syslog Server IP Address= ?
        Log Facility= Local 1
    Press ENTER to Confirm or ESC to Cancel

Configure the syslog parameters described in Table 43 to activate syslog, and then choose what you want to log.
    board   = the hardware board ID
    line    = the WAN ID in a board
    Channel = channel ID within the WAN
    call    = the call reference number, which starts from 1 and increments by 1 for each new call
    str     = C01 Outgoing Call dev xx ch xx (dev: device No., ch: channel No.)
              L02 Tunnel Connected (L2TP)
              C02 OutCall Connected xxxx (means connected speed) xxxxx (means Remote Call Number)
              L02 Call Terminated
              C02 Call Terminated

    Jul 19 11:19:27 192.168.102.
IP[…] is the packet header, and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m), drop (D).

    Src:  Source Address
    Dst:  Destination Address
    prot: Protocol ("TCP", "UDP", "ICMP")
    spo:  Source port
    dpo:  Destination port

    Mar 03 10:39:43 202.132.155.97 RAS: GEN[fffffffffffnordff0080] }S05>R01mF
    Mar 03 10:41:29 202.132.155.97 RAS: GEN[00a0c5f502fnord010080] }S05>R01mF
    Mar 03 10:41:34 202.132.155.97 RAS: IP[Src=192.168.1.33 Dst=202.132.155.
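As an added example (not from the manual), a small Python parser for the syslog filter-log lines shown above: it splits each line into timestamp, router address, the GEN/IP header body and the S<set>>R<rule> suffix, decodes the m/D codes, and tallies which filter rules are firing. The two GEN sample lines are the manual's; the third completes the truncated IP[...] line with constructed values, and reading the F code as "forward" is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input. The two GEN lines are copied from the manual's
# syslog excerpt; the manual's IP line is truncated, so its tail (Dst host,
# prot, spo, dpo and the }S04>R01mD suffix) is made up here.
SAMPLE_LOG = """\
Mar 03 10:39:43 202.132.155.97 RAS: GEN[fffffffffffnordff0080] }S05>R01mF
Mar 03 10:41:29 202.132.155.97 RAS: GEN[00a0c5f502fnord010080] }S05>R01mF
Mar 03 10:41:34 202.132.155.97 RAS: IP[Src=192.168.1.33 Dst=202.132.155.1 prot=TCP spo=1025 dpo=0023] }S04>R01mD
"""

# <timestamp> <router ip> RAS: <GEN|IP>[<header>] }S<set>>R<rule><match><action>
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) RAS: "
    r"(?P<kind>GEN|IP)\[(?P<body>[^\]]*)\] "
    r"\}S(?P<set>\d+)>R(?P<rule>\d+)(?P<match>[a-z])(?P<action>[A-Z])\s*$"
)
# key=value pairs inside IP[...]; also tolerates the " : " separators of the
# firewall-log variant (IP[Src=... : spo=... Dst=... : dpo=...]).
KV_RE = re.compile(r"(\w+)=([^\s:\]]+)")

# Only m (match) and D (drop) are spelled out on the page; F is taken to mean
# forward here, which is an assumption.
ACTIONS = {"D": "drop", "F": "forward (assumed)"}


@dataclass
class FilterLogEntry:
    ts: str
    host: str          # router that emitted the syslog message
    kind: str          # "GEN" (generic filter) or "IP" (TCP/IP filter)
    body: str          # raw text between the brackets
    filter_set: int
    rule: int
    matched: bool      # True when the code letter is "m"
    action: str        # action letter as logged, e.g. "D" or "F"
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def action_name(self) -> str:
        return ACTIONS.get(self.action, f"unknown ({self.action})")


def parse_line(line: str) -> Optional[FilterLogEntry]:
    """Return a FilterLogEntry, or None if the line is not a filter-log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m["body"])) if m["kind"] == "IP" else {}
    return FilterLogEntry(
        ts=m["ts"], host=m["host"], kind=m["kind"], body=m["body"],
        filter_set=int(m["set"]), rule=int(m["rule"]),
        matched=(m["match"] == "m"), action=m["action"], fields=fields,
    )


def parse_log(text: str) -> List[FilterLogEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entries: List[FilterLogEntry]) -> Dict[Tuple[int, int, str], int]:
    """Hit count per (filter set, rule, action): shows which rules do the work."""
    counts: Dict[Tuple[int, int, str], int] = {}
    for e in entries:
        key = (e.filter_set, e.rule, e.action)
        counts[key] = counts.get(key, 0) + 1
    return counts


def dropped_sources(entries: List[FilterLogEntry]) -> List[str]:
    """Source addresses of IP packets that a matching rule dropped."""
    return [e.fields["Src"] for e in entries
            if e.kind == "IP" and e.matched and e.action == "D" and "Src" in e.fields]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(f"{e.ts} set {e.filter_set} rule {e.rule}: {e.kind} {e.action_name} {e.fields}")
    print(summarize(entries))
    print("dropped from:", dropped_sources(entries))
```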
Firewall log

Firewall Log Message Format

    SdcmdSyslogSend(SYSLOG_FIREWALL, SYSLOG_NOTICE, buf);
    buf = IP[Src=xx.xx.xx.xx : spo=xxxx Dst=xx.xx.xx.
    Flags = 0x00
    Fragment Offset = 0x00
    Time to Live = 0xFE (254)
    Protocol = 0x06 (TCP)
    Header Checksum = 0xFB20 (64288)
    Source IP = 0xC0A80101 (192.168.1.1)
    Destination IP = 0x00000000 (0.0.0.0)
    TCP Header:
    Source Port = 0x0401 (1025)
    Destination Port = 0x000D (13)
    Sequence Number = 0x05B8D000 (95997952)
    Ack Number = 0x00000000 (0)
    Header Length = 24
    Flags = 0x02 (....S.
Follow the procedure below to get to Menu 24.4 - System Maintenance - Diagnostic.

1 From the main menu, select option 24 to open Menu 24 - System Maintenance.
2 From this menu, select option 4. Diagnostic. This opens Menu 24.4 - System Maintenance - Diagnostic.

Figure 89 Menu 24.4: System Maintenance: Diagnostic

    Menu 24.4 - System Maintenance - Diagnostic
    TCP/IP
      1. Ping Host
      2. WAN DHCP Release
      3. WAN DHCP Renewal
      4. PPPoE/PPTP Setup Test
    System
      11.
Figure 90 WAN & LAN DHCP

Table 44 describes the diagnostic tests available in menu 24.4 for your Business Secure Router and associated connections.

Table 44 System Maintenance menu diagnostic

Field: Ping Host
Description: Enter 1 to ping any machine (with an IP address) on your LAN or WAN. Enter its IP address in the Host IP Address field below.

Field: WAN DHCP Release
Description: Enter 2 to release your WAN DHCP settings.
Chapter 15 Firmware and configuration file maintenance

This chapter tells you how to back up and restore your configuration file, as well as upload new firmware and configuration files.

Filename conventions

The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup and TCP/IP Setup. It comes with a rom filename extension.
If your (T)FTP client does not allow you to have a destination filename different from the source, you must rename the firmware and configuration file names, as the Business Secure Router only recognizes rom-0 and ras. Be sure you keep unaltered copies of both files for later use. Table 45 is a summary.
since it is faster. You can also perform backup and restore using menu 24 through the console port. Any serial communications program should work fine; however, you must use the Xmodem protocol to perform the download or upload, and you do not have to rename the files. Note that the terms download and upload are relative to the computer.
5 Enter bin to set the transfer mode to binary.
6 Use get to transfer files from the Business Secure Router to the computer; for example, get rom-0 config.rom transfers the configuration file on the Business Secure Router to your computer and renames it config.rom. See earlier in this chapter for more information on filename conventions.
7 Enter quit to exit the ftp prompt.
Table 46 General commands for GUI-based FTP clients

Command: Initial Remote Directory
Description: Specify the default remote directory (path).

Command: Initial Local Directory
Description: Specify the default local directory (path).

TFTP and FTP over WAN Management Limitations

TFTP, FTP and Telnet over WAN do not work when:
• You disable Telnet service in menu 24.11.
• You apply a filter in menu 3.1 (LAN) or in menu 11.1.4 (WAN) to block Telnet service.
4 Launch the TFTP client on your computer and connect to the Business Secure Router. Set the transfer mode to binary before starting data transfer.
5 Use the TFTP client (see the example below) to transfer files between the Business Secure Router and the computer. The file name for the configuration file is "rom-0" (rom-zero, not capital o).
Table 47 General commands for GUI-based TFTP clients

Command: Remote File
Description: This is the filename on the Business Secure Router. The filename for the firmware is "ras" and for the configuration file is "rom-0".

Command: Binary
Description: Transfer the file in binary mode.

Command: Abort
Description: Stop transfer of the file.

Refer to Chapter 17, "Remote Management," on page 209 for information about configurations that disallow TFTP and FTP over WAN.
Figure 95 Backup Configuration Example

Type a location for storing the configuration file or click Browse to look for one. Choose the Xmodem protocol. Click Receive. After a successful backup, the screen shown in Figure 96 appears. Press any key to return to the SMT menu.

Figure 96 Successful Backup Confirmation Screen

    ** Backup Configuration completed. OK.
    ### Hit any key to continue.
Restore Using FTP

For details about backing up using FTP and TFTP, refer to "Backup configuration" on page 180.

Figure 97 Telnet into Menu 24.6

    Menu 24.6 -- System Maintenance - Restore Configuration

    To transfer the firmware and configuration file to your workstation, follow the procedure below:
    1. Launch the FTP client on your workstation.
    2. Type "open" and the IP address of your Business Secure Router.
8 Enter quit to exit the ftp prompt. The Business Secure Router automatically restarts after a successful restore process.

Restore using FTP session example

Figure 98 Restore using FTP session example

    ftp> put config.rom rom-0
    200 Port command okay
    150 Opening data connection for STOR rom-0
    226 File received OK
    221 Goodbye for writing flash
    ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
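One way to script the FTP backup steps (bin, get rom-0 config.rom, quit) and the restore session above, as an added example that is not Nortel's own tooling: it pins the fixed remote names rom-0 and ras, forces binary mode, and fingerprints the saved copy so that a restore refuses to push a file that was altered after backup. The nnadmin login name is the one the manual gives; the host, password and the in-memory FakeRouterFTP stand-in (used so the flow runs offline) are assumptions.

```python
import ftplib
import hashlib
import io
from typing import Optional

REMOTE_CONFIG = "rom-0"   # the only name the router accepts for the configuration file
REMOTE_FIRMWARE = "ras"   # the only name the router accepts for the firmware image
FTP_USER = "nnadmin"      # login name the manual gives for FTP sessions


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def connect(host: str, password: str, timeout: float = 30.0) -> ftplib.FTP:
    """Manual step 2: open the router and log in as nnadmin with the SMT password."""
    ftp = ftplib.FTP(timeout=timeout)
    ftp.connect(host)
    ftp.login(FTP_USER, password)
    return ftp


def backup_config(ftp) -> bytes:
    """Manual steps 5 and 6: switch to binary and pull rom-0. Returns the bytes."""
    ftp.voidcmd("TYPE I")                                  # same as 'bin' at the ftp> prompt
    buf = io.BytesIO()
    ftp.retrbinary(f"RETR {REMOTE_CONFIG}", buf.write)     # 'get rom-0 config.rom'
    return buf.getvalue()


def restore_config(ftp, data: bytes, expected_sha256: Optional[str] = None) -> str:
    """Push a saved configuration back ('put config.rom rom-0').

    The router restarts as soon as the transfer succeeds, so the upload is refused
    when the file no longer matches the fingerprint taken at backup time.
    """
    digest = sha256_hex(data)
    if expected_sha256 is not None and digest != expected_sha256:
        raise ValueError("configuration file changed since backup; refusing to restore")
    ftp.voidcmd("TYPE I")
    ftp.storbinary(f"STOR {REMOTE_CONFIG}", io.BytesIO(data))
    return digest


class FakeRouterFTP:
    """Assumed in-memory stand-in for the router's FTP server, so the backup and
    restore flow can be exercised offline. Serves rom-0 and stores what is put."""

    def __init__(self, rom0: bytes):
        self.files = {REMOTE_CONFIG: rom0}
        self.commands = []

    def voidcmd(self, cmd):
        self.commands.append(cmd)

    def retrbinary(self, cmd, callback):
        self.commands.append(cmd)
        callback(self.files[cmd.split()[1]])

    def storbinary(self, cmd, fp):
        self.commands.append(cmd)
        self.files[cmd.split()[1]] = fp.read()


if __name__ == "__main__":
    # Constructed 16 KiB placeholder standing in for a real rom-0 image.
    router = FakeRouterFTP(b"\x00" * 16384)
    saved = backup_config(router)
    fingerprint = sha256_hex(saved)
    print(f"backed up {len(saved)} bytes, sha256 {fingerprint}")
    restore_config(router, saved, expected_sha256=fingerprint)
    print("restore commands:", router.commands)
```

Against a real device, replace the FakeRouterFTP instance with connect(host, password) and write the returned bytes to config.rom alongside the fingerprint.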
Figure 100 System Maintenance: Starting Xmodem Download Screen

Type the configuration file's location, or click Browse to search for it. Choose the Xmodem protocol. Click Send. Run the HyperTerminal program by clicking Transfer, then Send File.

    Starting XMODEM download (CRC mode) ...
    CCCCCCCCC

After a successful restoration, the screen shown in Figure 101 appears. Press any key to restart the Business Secure Router and return to the SMT menu.
Firmware file upload

FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client. When you use Telnet to access the Business Secure Router, the screens for uploading firmware and the configuration file using FTP appear.

Figure 102 Telnet Into Menu 24.7.1 Upload System Firmware

    Menu 24.7.
Configuration file upload

The screen shown in Figure 103 appears when you access menu 24.7.2 via Telnet.

Figure 103 Telnet Into Menu 24.7.2 System Maintenance

    Menu 24.7.2 - System Maintenance - Upload System Configuration File

    To upload the system configuration file, follow the procedure below:
    1. Launch the FTP client on your workstation.
    2. Type "open" and the IP address of your system. Then type "nnadmin" and the SMT password as requested.
    3.
(config.rom) to the Business Secure Router and renames it rom-0. Likewise, get rom-0 config.rom transfers the configuration file on the Business Secure Router to your computer and renames it "config.rom". See "Filename conventions" on page 179 for more information about filename conventions.

7 Enter "quit" to exit the ftp prompt.

Note: The Business Secure Router automatically restarts after a successful file upload.
2 Use Telnet from your computer to connect to the Business Secure Router and log on. Because TFTP does not have any security checks, the Business Secure Router records the IP address of the Telnet client and accepts TFTP requests only from this address.
3 Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 - System Maintenance.
Uploading via console port

FTP or TFTP are the preferred methods for uploading firmware to your Business Secure Router. However, in the event of your network being down, uploading files is only possible with a direct connection to your Business Secure Router via the console port. Under normal conditions, Nortel does not recommend uploading files via the console port, as FTP or TFTP are faster.
Uploading Xmodem firmware using HyperTerminal

1 Click Transfer, and then Send File to display the screen in Figure 106.

Figure 106 Example Xmodem Upload

Type the configuration file's location, or click Browse to search for it. Choose the Xmodem protocol. Click Send.

2 After the configuration upload process is complete, restart the Business Secure Router by entering atgo.

Uploading configuration file via console port

1 Select 2 from Menu 24.
Figure 107 Menu 24.7.2 as seen using the Console Port

    Menu 24.7.2 - System Maintenance - Upload System Configuration File

    To upload system configuration file:
    1. Enter "y" at the prompt below to go into debug mode.
    2. Enter "atlc" after "Enter Debug Mode" message.
    3. Wait for "Starting XMODEM upload" message before activating Xmodem upload on your terminal.
    4. After successful firmware upload, enter "atgo" to restart the system.

    Warning:
    1.
Uploading Xmodem configuration file using HyperTerminal

1 Click Transfer, then Send File to display the screen shown in Figure 108.

Figure 108 Example Xmodem Upload

Type the configuration file's location, or click Browse to search for it. Choose the Xmodem protocol. Click Send.

2 After the configuration upload process is complete, restart the Business Secure Router by entering atgo.
Chapter 16 System Maintenance menus 8 to 10

This chapter leads you through SMT menus 24.8 to 24.10.

Command Interpreter mode

The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions. Enter the CI from the SMT by selecting menu 24.8. Access can be by Telnet or by a serial connection to the console port, although some commands are only available with a serial connection.
Figure 109 Command mode in Menu 24

    Menu 24 - System Maintenance
    1. System Status
    2. System Information and Console Port Speed
    3. Log and Trace
    4. Diagnostic
    5. Backup Configuration
    6. Restore Configuration
    7. Firmware Update
    8. Command Interpreter Mode
    9. Call Control
    10. Time and Date Setting
    11. Remote Management Setup
    Enter Menu Selection Number:

Command syntax

The command keywords are in Courier New font.
means that you must specify the type of netbios filter and whether to turn it on or off.

Command usage

A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished.
Call control support

The Business Secure Router provides two call control functions: budget management and call history. Note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1. With the budget management function, you can set a limit on the total outgoing call time of the Business Secure Router within certain times.
Figure 112 Budget Management

    Menu 24.9.1 - Budget Management

    Remote Node     Connection Time/Total Budget   Elapsed Time/Total Period
    1.ChangeMe      No Budget                      No Budget
    2.GUI           No Budget                      No Budget

    Reset Node (0 to update screen):

The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call is dropped and further outgoing calls to that remote node are blocked.
Call History

This is the second option in Menu 24.9 - System Maintenance - Call Control. It displays information about past incoming and outgoing calls. Enter 2 from Menu 24.9 - System Maintenance - Call Control.

Figure 113 Call History

    Menu 24.9.2 - Call History

        Phone Number   Dir   Rate   #call   Max   Min   Total
     1.
     2.
     3.
     4.
     5.
     6.
     7.
     8.
     9.
    10.

    Enter Entry to Delete(0 to exit):

Table 50 describes the fields in Figure 113.
Time and Date setting

There is a software mechanism to set the time manually or get the current time and date from an external server when you turn on your Business Secure Router. With Menu 24.10, you can update the time and date settings of your Business Secure Router. The real time is then displayed in the Business Secure Router error logs and firewall logs. Select menu 24 in the main menu to open Menu 24 - System Maintenance.
Figure 115 Menu 24.10 System Maintenance: Time and Date Setting

    Menu 24.10 - System Maintenance - Time and Date Setting

    Time Protocol= NTP (RFC-1305)
    Time Server Address= a.ntp.alphazed.net

    Current Time:                  01 : 07 : 41
    New Time (hh:mm:ss):           N/A  N/A  N/A

    Current Date:                  2000 - 01 - 01
    New Date (yyyy-mm-dd):         N/A  N/A  N/A

    Time Zone= GMT
    Daylight Saving= No
    Start Date (mm-nth-week-hr):   Jan. - 1st - Sat.
    End Date (mm-nth-week-hr):     Jan. - 1st - Sat.
Table 51 Time and Date Setting Fields

Field: Current Date
Description: This field displays an updated date only when you reenter this menu.

Field: New Date
Description: Enter the new date in year, month and day format. This field is available when you select Manual in the Time Protocol field.

Field: Time Zone
Description: Press [SPACE BAR] and then [ENTER] to set the time difference between your time zone and Greenwich Mean Time (GMT).
Resetting the Time

The Business Secure Router resets the time in three instances:
• After you make changes to and leave menu 24.10
• After the Business Secure Router starts up, if a time server is configured in menu 24.
Chapter 17 Remote Management

This chapter covers remote management found in SMT menu 24.11.

Remote Management

With remote management, you can determine which services and protocols can access which Business Secure Router interface (if any) from which computers.
Figure 116 Menu 24.11 - Remote Management Control

    Menu 24.11 - Remote Management Control

    TELNET Server:  Port = 23  Access = Disable  Secure Client IP = 0.0.0.0
    FTP Server:     Port = 21  Access = Disable  Secure Client IP = 0.0.0.0
    SSH Server:     Certificate = auto_generated_self_signed_cert
                    Port = 22  Access = Disable  Secure Client IP = 0.0.0.
    HTTPS Server:
    HTTP Server:
    SNMP Service:
    DNS Service:
Table 52 Menu 24.11 - Remote Management control

Field: Certificate
Description: Press [SPACE BAR] and then [ENTER] to select the certificate that the Business Secure Router uses to identify itself. The Business Secure Router is the SSL server and must always authenticate itself to the SSL client (the computer that requests the HTTPS connection with the Business Secure Router).
Chapter 18 Call scheduling

Using call scheduling (applicable only for PPPoA or PPPoE encapsulation), you can dictate when a remote node is called and for how long.

Introduction

Using the call scheduling feature, the Business Secure Router can manage a remote node and dictate when a remote node is called and for how long. This feature is similar to the scheduler in a video cassette recorder (you can specify a time period for the VCR to record). You can apply up to 4 schedule sets in Menu 11.
Lower numbered sets take precedence over higher numbered sets, thereby avoiding scheduling conflicts. For example, if sets 1, 2, 3, and 4 are applied in the remote node, then set 1 takes precedence over sets 2, 3, and 4, as the Business Secure Router, by default, applies the lowest numbered set first. Set 2 takes precedence over sets 3 and 4, and so on. You can design up to 12 schedule sets, but you can only apply up to four schedule sets for a remote node.
If a connection is already established, your Business Secure Router does not drop it. After the connection is dropped manually or it times out, that remote node cannot be triggered until the end of the Duration.

Table 53 Menu 26.1 Schedule Set Setup

Field: Active
Description: Press [SPACE BAR] to select Yes or No. Choose Yes and press [ENTER] to activate the schedule set.
After you configure your schedule sets, you must apply them to the desired remote nodes. Enter 11 from the Main Menu and then enter the target remote node index. Using [SPACE BAR], select PPPoE or PPPoA in the Encapsulation field and then press [ENTER] to make the schedule sets field available, as shown in Figure 119.

Figure 119 Applying Schedule Sets to a Remote Node (PPPoE)

    Menu 11.
Appendix A Setting up your computer IP address

All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems, and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package.
Figure 120 Windows 95/98/Me: Network: Configuration

Installing components

The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.

If you need the adapter:
a In the Network window, click Add.
b Select Adapter and click Add.
c Select the manufacturer and model of your network adapter and click OK.
a Click Add.
b Select Client and click Add.
c Select Microsoft from the list of manufacturers.
d Select Client for Microsoft Networks from the list of network clients and click OK.
e Restart your computer so your changes take effect.

Configuring

1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties.
2 Click the IP Address tab.
— If you know your DNS information, select Enable DNS and type the information in the fields below (you do not need to fill them all in).

Figure 122 Windows 95/98/Me: TCP/IP Properties: DNS configuration

4 Click the Gateway tab.
— If you do not know your gateway's IP address, remove previously installed gateways.
— If you have a gateway IP address, type it in the New gateway field and click Add.
Windows 2000/NT/XP

1 For Windows XP, click Start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel.

Figure 123 Windows XP: Start menu

2 For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections.
3 Right-click Local Area Connection and then click Properties.

Figure 125 Windows XP: Control Panel: Network Connections: Properties

4 Select Internet Protocol (TCP/IP) (under the General tab in Windows XP) and click Properties.
5 The Internet Protocol TCP/IP Properties window appears (the General tab in Windows XP).
— If you have a dynamic IP address, click Obtain an IP address automatically.
— If you have a static IP address, click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. Click Advanced.
— In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway. To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric.
— Click Add.
— Repeat the previous three steps for each default gateway you want to add.
— Click OK when finished.
10 Turn on your Business Secure Router and restart your computer (if prompted).

Verifying Settings

1 Click Start, All Programs, Accessories and then Command Prompt.
2 In the Command Prompt window, type ipconfig and press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab.
2 Select Ethernet built-in from the Connect via list.

Figure 130 Macintosh OS 8/9: TCP/IP

3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.
4 For statically assigned settings, do the following:
— From the Configure box, select Manually.
— Type your IP address in the IP Address box.
— Type your subnet mask in the Subnet mask box.
— Type the IP address of your Business Secure Router in the Router address box.
Macintosh OS X

1 Click the Apple menu, and click System Preferences to open the System Preferences window.

Figure 131 Macintosh OS X: Apple menu

2 Click Network in the icon bar.
— Select Automatic from the Location list.
— Select Built-in Ethernet from the Show list.
— Click the TCP/IP tab.
3 For dynamically assigned settings, select Using DHCP from the Configure list.
4 For statically assigned settings, do the following:
— From the Configure box, select Manually.
— Type your IP address in the IP Address box.
— Type your subnet mask in the Subnet mask box.
— Type the IP address of your Business Secure Router in the Router address box.
5 Click Apply Now and close the window.
6 Turn on your Business Secure Router and restart your computer (if prompted).
Appendix B Triangle Route

The Ideal Setup

When the firewall is on, your Business Secure Router acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the Business Secure Router to protect your LAN against attacks.

Figure 133 Ideal Setup

The Triangle Route Problem

You can have more than one connection to the Internet (through one or more ISPs).
1 A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN.
2 The Business Secure Router reroutes the SYN packet through Gateway B on the LAN to the WAN.
3 The reply from the WAN goes directly to the computer on the LAN without going through the Business Secure Router. As a result, the Business Secure Router resets the connection, as the connection is not acknowledged.
2 The Business Secure Router reroutes the packet to Gateway B, which is in Subnet 2.
3 The reply from the WAN goes to the Business Secure Router.
4 The Business Secure Router sends the response to the computer in Subnet 1.
Appendix C Importing certificates

This appendix shows examples for importing certificates.

Import Business Secure Router certificates into Netscape Navigator

In Netscape Navigator, you can permanently trust the Business Secure Router server certificate by importing it into your operating system as a trusted certification authority. Select Accept This Certificate Permanently in Figure 136 to do this.
Importing the Business Secure Router Certificate into Internet Explorer

For Internet Explorer to trust a self-signed certificate from the Business Secure Router, simply import the self-signed certificate into your operating system as a trusted certification authority.
2 Click Install Certificate to open the Install Certificate wizard.
3 Click Next to begin the Install Certificate wizard.
4 Select where you want to store the certificate and click Next.
5 Click Finish to complete the Import Certificate wizard.

Figure 141 Certificate Import Wizard 3

6 Click Yes to add the Business Secure Router certificate to the root store.
Figure 143 Certificate General Information after Import

Enrolling and Importing SSL Client Certificates

The SSL client needs a certificate if Authenticate Client Certificates is selected on the Business Secure Router. You must have imported at least one trusted CA to the Business Secure Router in order for the Authenticate Client Certificates to be active (see "Certificates" in Nortel Business Secure Router 222 Configuration — Basics (NN47922-500) for details).
Appendix C Importing certificates Figure 144 Business Secure Router Trusted CA screen The CA sends you a package containing the CA’s trusted certificate, your personal certificates and a password to install the personal certificates.
Appendix C Importing certificates 241 Installing the CA’s certificate 1 Double click the CA’s trusted certificate to produce a screen similar to the one shown in Figure 145. Figure 145 CA certificate example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix. Installing your personal certificates You need a password in advance. The CA can issue the password or you can specify it during the enrollment.
Appendix C Importing certificates 1 Click Next to begin the wizard.
Appendix C Importing certificates 243 2 The file name and path of the certificate you double-clicked automatically appears in the File name text box. Click Browse if you wish to import a different certificate.
Appendix C Importing certificates 3 Enter the password given to you by the CA.
Appendix C Importing certificates 245 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
Appendix C Importing certificates 5 Click Finish to complete the wizard and begin the import process. Figure 150 Personal certificate import wizard 5 6 Figure 151 shows the screen that appears when the certificate is correctly installed on your computer.
Appendix C Importing certificates 247 Using a certificate when accessing the Business Secure Router example Use the following procedure to access the Business Secure Router via HTTPS. 1 Enter https://Business Secure Router IP Address/ in your browser’s web address field. Figure 152 Access the Business Secure Router via HTTPS 2 When Authenticate Client Certificates is selected on the Business Secure Router, you are asked to select a personal certificate to send to the Business Secure Router.
Appendix C Importing certificates 3 The Business Secure Router login screen appears.
Appendix D PPPoE
PPPoE in action
An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects to a DSL Access Concentrator where the PPP session terminates (see Figure 155). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP.
Figure 155 Single-PC per Router Hardware Configuration

How PPPoE works
The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC acts as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP. The L2TP tunnel is capable of carrying multiple PPP sessions.
Figure 156 Business Secure Router as a PPPoE Client
Appendix E PPTP
What is PPTP?
PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Network Termination), where PPTP is used only over the short haul between the PC and the modem over Ethernet.

PPTP and the Business Secure Router
When the Business Secure Router is deployed in such a setup, it appears as a PC to the ANT. With the Windows VPN or PPTP Pass-Through feature, the PPTP tunnel is created from Windows 95, 98, and NT clients to an NT server in a remote location. Using the pass-through feature, users on the network can access a different remote server using the Business Secure Router's Internet connection.
PAC must have IP connectivity; however, the PAC must also have dial-up capability. The phone call is between the user and the PAC, and the PAC tunnels the PPP frames to the PNS. The PPTP user is unaware of the tunnel between the PAC and the PNS.
Figure 159 PPTP protocol overview
Microsoft includes PPTP as a part of the Windows OS.
Figure 160 Example message exchange between PC and an ANT

PPP data connection
The PPP frames are tunneled between the PNS and PAC over GRE (Generic Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
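The GRE header used by PPTP (the "enhanced GRE" of RFC 2637) carries a 16-bit Call ID, which is how a PNS or a monitoring device tells the PPP calls inside one tunnel apart. The following parser is an added example, not Nortel code or anything from this manual; it decodes that header, rejects packets whose flags do not match what PPTP requires, and accounts payload bytes per call. The sample frames are constructed in the block itself, not captured traffic.

```python
import struct

# RFC 2637 "enhanced GRE" header that carries PPP frames between a PAC and a PNS.
# Layout (network byte order):
#   byte 0: C R K S s Recur(3)     byte 1: A Flags(4) Ver(3)
#   bytes 2-3: protocol type (0x880B = PPP)
#   bytes 4-5: payload length (PPP payload only, header excluded)
#   bytes 6-7: Call ID, which tells the calls inside one tunnel apart
#   4-byte sequence number if S is set, 4-byte acknowledgment number if A is set
PPTP_GRE_PROTOCOL = 0x880B


def parse_pptp_gre(frame: bytes) -> dict:
    """Parse one PPTP GRE packet; raise ValueError on anything non-conformant.

    Rejecting malformed tunnel packets outright is what a filter or log
    collector wants: they should be reported, not silently reinterpreted.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for a GRE header")
    flags0, flags1, proto, payload_len, call_id = struct.unpack("!BBHHH", frame[:8])
    has_checksum = bool(flags0 & 0x80)  # C bit: must be 0 for PPTP
    has_routing = bool(flags0 & 0x40)   # R bit: must be 0
    has_key = bool(flags0 & 0x20)       # K bit: must be 1 (payload length + Call ID present)
    has_seq = bool(flags0 & 0x10)       # S bit: sequence number present
    has_ack = bool(flags1 & 0x80)       # A bit: acknowledgment number present
    version = flags1 & 0x07             # must be 1 for enhanced GRE
    if proto != PPTP_GRE_PROTOCOL:
        raise ValueError(f"not a PPTP GRE frame (protocol 0x{proto:04x})")
    if has_checksum or has_routing or not has_key or version != 1:
        raise ValueError("GRE flags are not valid for PPTP enhanced GRE")
    offset = 8
    seq = ack = None
    if has_seq:
        if len(frame) < offset + 4:
            raise ValueError("truncated sequence number")
        (seq,) = struct.unpack("!I", frame[offset:offset + 4])
        offset += 4
    if has_ack:
        if len(frame) < offset + 4:
            raise ValueError("truncated acknowledgment number")
        (ack,) = struct.unpack("!I", frame[offset:offset + 4])
        offset += 4
    payload = frame[offset:]
    if len(payload) != payload_len:
        raise ValueError(f"payload length mismatch: header {payload_len}, actual {len(payload)}")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


def build_pptp_gre(call_id: int, payload: bytes, seq=None, ack=None) -> bytes:
    """Build a conformant PPTP GRE packet (used here only to construct sample data)."""
    flags0 = 0x20 | (0x10 if seq is not None else 0)   # K always set, S if seq given
    flags1 = 0x01 | (0x80 if ack is not None else 0)   # Ver=1, A if ack given
    header = struct.pack("!BBHHH", flags0, flags1, PPTP_GRE_PROTOCOL, len(payload), call_id)
    if seq is not None:
        header += struct.pack("!I", seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + payload


def bytes_per_call(frames) -> dict:
    """Account PPP payload bytes per Call ID, the per-call view a tunnel monitor keeps."""
    totals = {}
    for frame in frames:
        hdr = parse_pptp_gre(frame)
        totals[hdr["call_id"]] = totals.get(hdr["call_id"], 0) + len(hdr["payload"])
    return totals


# Constructed sample tunnel traffic: two calls (Call IDs 0x1234 and 0x0002) sharing
# one PAC-PNS tunnel. The payloads are short PPP fragments, not captured traffic.
SAMPLE_FRAMES = [
    build_pptp_gre(0x1234, b"\xff\x03\xc0\x21", seq=7, ack=3),   # LCP frame, call 1
    build_pptp_gre(0x1234, b"\x00\x21" + b"\x00" * 6, seq=8),    # IPv4 frame, call 1
    build_pptp_gre(0x0002, b"\xff\x03\x80\x21", seq=1, ack=9),   # IPCP frame, call 2
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_pptp_gre(f))
    print(bytes_per_call(SAMPLE_FRAMES))   # {4660: 12, 2: 4}
```

A plain RFC 1701 GRE packet (protocol 0x0800, no K bit) is rejected by the same checks, which is the behaviour wanted when PPTP pass-through traffic is being validated rather than merely forwarded.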
Appendix F Hardware specifications
Cable pin assignments
Table 54 General specifications
Power Specification | I/P AC 120V / 60Hz; O/P DC 12V 1200 mA
MTBF (Mean Time Between Failures) | 416 107 hrs
Operation Temperature | 0 °C ~ 40 °C
Ethernet Specification for WAN | 10/100 Mb/s Half / Full autonegotiation
Ethernet Specification for LAN/VPN Ports | 10/100 Mb/s Half / Full autonegotiation, autosensing
In a serial communications connection, generally a computer is DTE (Data Terminal Equipment) and a mode
Figure 161 Console or dial backup port pin layouts (pin 1 to pin 5, pin 6 to pin 9)
Table 55 Console or dial backup port pin assignments
CONSOLE Port RS-232 (Female) DB-9F | DIAL BACKUP RS-232 (Male) DB-9M
Pin 1 = NON | Pin 1 = NON
Pin 2 = DCE-TXD | Pin 2 = DTE-RXD
Pin 3 = DCE-RXD | Pin 3 = DTE-TXD
Pin 4 = DCE-DSR | Pin 4 = DTE-DTR
Pin 5 = GND | Pin 5 = GND
Pin 6 = DCE-DTR | Pin 6 = DTE-DSR
Pin 7 = DCE-CTS | Pin 7 = DTE-RTS
Pin 8 = DCE-RTS | Pin 8 = D
Figure 162 Ethernet cable pin assignments (WAN/LAN Ethernet cable pin layout, straight-through and crossover; switch side pins 1 IRD+, 2 IRD-, 3 OTD+, 6 OTD-; adapter side pins 1 OTD+, 2 OTD-, 3 IRD+, 6 IRD-)
AC Power Adapter Specifications
Use only power supplies listed in the user instructions.
Appendix G IP subnetting
IP addressing
Routers route based on the network number. The router that delivers the data packet to the correct destination host uses the host ID.

IP classes
An IP address is made up of four octets (eight bits each), written in dotted decimal notation, for example, 192.168.1.1. IP addresses are categorized into different classes. The class of an address depends on the value of its first octet.
• Class A addresses have a 0 in the left-most bit.
Table 56 Classes of IP addresses
IP Address: | Octet 1 | Octet 2 | Octet 3 | Octet 4
Class A | 0 Network number | Host ID | Host ID | Host ID
Class B | 10 Network number | Network number | Host ID | Host ID
Class C | 110 Network number | Network number | Network number | Host ID
Note: Host IDs of all zeros or all ones are not allowed. Therefore:
A class C network (8 host bits) can have 2^8 - 2 or 254 hosts.
A class B address (16 host bits) can have 2^16 - 2 or 65 534 hosts.

Subnet masks
A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation). A subnet mask contains 32 bits. If there is a 1 in the bit, then the corresponding bit of the IP address is part of the network number. If a bit in the subnet mask is 0, then the corresponding bit in the IP address is part of the host ID. Subnet masks are expressed in dotted decimal notation just as IP addresses are.
Table 59 shows all possible subnet masks for a class C address using both notations.
Table 59 Alternative Subnet Mask Notation
Subnet mask | Subnet mask "1" bits (IP address /n) | Last octet bit value
255.255.255.0 | /24 | 0000 0000
255.255.255.128 | /25 | 1000 0000
255.255.255.192 | /26 | 1100 0000
255.255.255.224 | /27 | 1110 0000
255.255.255.240 | /28 | 1111 0000
255.255.255.248 | /29 | 1111 1000
255.255.255.252 | /30 | 1111 1100
The first mask shown is the class C natural mask.
Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit. The borrowed host ID bit can be either 0 or 1, thus giving two subnets: 192.168.1.0 with mask 255.255.255.128 and 192.168.1.128 with mask 255.255.255.128.
Note: In the following charts, shaded or bolded last-octet bit values indicate host ID bits borrowed to form network ID bits.
192.168.1.0 with mask 255.255.255.128 is the subnet itself, and 192.168.1.127 with mask 255.255.255.128 is the directed broadcast address for the first subnet. Therefore, the lowest IP address that can be assigned to an actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly, the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254.
Table 64 Subnet 3
| Network number | Last Octet Bit Value
IP Address | 192.168.1. | 128
IP Address (Binary) | 11000000.10101000.00000001. | 10000000
Subnet Mask (Binary) | 11111111.11111111.11111111. | 11000000
Subnet Address: 192.168.1.128 | Lowest Host ID: 192.168.1.129
Broadcast Address: 192.168.1.191 | Highest Host ID: 192.168.1.190
Table 65 Subnet 4
| Network number | Last Octet Bit Value
IP Address | 192.168.1. | 192
IP Address (Binary) | 11000000.10101000.00000001.
Table 66 Eight subnets
Subnet | Subnet Address | First Address | Last Address | Broadcast Address
7 | 192 | 193 | 222 | 223
8 | 224 | 225 | 254 | 255
Table 67 is a summary for class C subnet planning.
Table 67 Class C subnet planning
No. Borrowed Host Bits | Subnet Mask | No. Subnets | No. Hosts per Subnet
1 | 255.255.255.128 (/25) | 2 | 126
2 | 255.255.255.192 (/26) | 4 | 62
3 | 255.255.255.224 (/27) | 8 | 30
4 | 255.255.255.240 (/28) | 16 | 14
5 | 255.255.255.248 (/29) | 32 | 6
6 | 255.255.255.
Table 68 Class B subnet planning
No. "Borrowed" Host Bits | Subnet Mask | No. Subnets | No. Hosts per Subnet
5 | 255.255.248.0 (/21) | 32 | 2 046
6 | 255.255.252.0 (/22) | 64 | 1 022
7 | 255.255.254.0 (/23) | 128 | 510
8 | 255.255.255.0 (/24) | 256 | 254
9 | 255.255.255.128 (/25) | 512 | 126
10 | 255.255.255.192 (/26) | 1 024 | 62
11 | 255.255.255.224 (/27) | 2 048 | 30
12 | 255.255.255.240 (/28) | 4 096 | 14
13 | 255.255.255.248 (/29) | 8 192 | 6
14 | 255.255.255.252 (/30) | 16 384 | 2
15 | 255.255.
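The subnet, broadcast and host-range values in Tables 64 to 68 all follow from the AND operation and the "borrowed host bits" rule described above. The following calculator is an added example, not part of this manual or of Nortel's software; it derives those tables from first principles with integer bit operations (no ipaddress module), rejects non-contiguous masks, and stops at /30 for the same reason the planning tables do. It generalizes the page's class C case to any natural prefix, so the class B rows of Table 68 come out of the same function.

```python
# Subnet arithmetic behind Tables 59 to 68, done with the AND operation described above.

def ip_to_int(addr: str) -> int:
    """Dotted decimal to 32-bit integer, rejecting malformed input."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not a valid IPv4 address: {addr!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/n notation to the mask integer: n leading ones, 32-n trailing zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """Dotted decimal mask to /n, rejecting non-contiguous masks such as 255.0.255.0."""
    value = ip_to_int(mask)
    prefix = bin(value).count("1")
    if prefix_to_mask(prefix) != value:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def to_binary(value: int) -> str:
    """Octet-dotted binary, the notation used in Tables 64 and 65."""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def subnet_info(addr: str, prefix: int) -> dict:
    """Subnet address, broadcast address and usable host range for addr/prefix.

    Prefixes longer than /30 leave fewer than two host IDs once all-zeros and
    all-ones are excluded, so the planning tables stop at /30 and so does this.
    """
    if prefix > 30:
        raise ValueError("no usable host range for prefixes longer than /30")
    mask = prefix_to_mask(prefix)
    network = ip_to_int(addr) & mask             # logical AND keeps the network bits
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits all ones
    return {
        "subnet": int_to_ip(network),
        "subnet_binary": to_binary(network),
        "mask": int_to_ip(mask),
        "mask_binary": to_binary(mask),
        "lowest_host": int_to_ip(network + 1),
        "highest_host": int_to_ip(broadcast - 1),
        "broadcast": int_to_ip(broadcast),
        "hosts": 2 ** (32 - prefix) - 2,
    }


def subnet_plan(natural_prefix: int, borrowed_bits: int) -> dict:
    """One row of Table 67 (natural_prefix=24) or Table 68 (natural_prefix=16)."""
    prefix = natural_prefix + borrowed_bits
    if prefix > 30:
        raise ValueError("too many borrowed bits: fewer than two hosts per subnet")
    return {
        "mask": f"{int_to_ip(prefix_to_mask(prefix))} (/{prefix})",
        "subnets": 2 ** borrowed_bits,
        "hosts_per_subnet": 2 ** (32 - prefix) - 2,
    }


def enumerate_subnets(network: str, natural_prefix: int, borrowed_bits: int) -> list:
    """All subnets of a network when borrowed_bits host bits become network bits
    (Table 66 lists the eight /27 subnets of 192.168.1.0 this way)."""
    prefix = natural_prefix + borrowed_bits
    base = ip_to_int(network) & prefix_to_mask(natural_prefix)
    size = 2 ** (32 - prefix)
    return [subnet_info(int_to_ip(base + i * size), prefix) for i in range(2 ** borrowed_bits)]


if __name__ == "__main__":
    print(subnet_info("192.168.1.130", 26))   # subnet 3 of Table 64
    print(subnet_plan(24, 3))                  # Table 67, row 3
    for i, s in enumerate(enumerate_subnets("192.168.1.0", 24, 3), start=1):
        print(i, s["subnet"], s["lowest_host"], s["highest_host"], s["broadcast"])
```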
Appendix H Command Interpreter
The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 Command Interpreter Mode. See the included disk or www.nortel.com for more detailed information on these commands.
Note: Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable.
Command Syntax
• The command keywords are in Courier New font.

Sys commands
Table 69 lists and describes the system commands. Each of these commands must be preceded by sys. For example, type sys stdio 60 to set the management session inactivity timeout to 60 minutes.
Table 69 Sys commands
Command | Description
atsh | Displays the MRD field.
callhist display | Displays the call history.
callhist remove | Removes an entry from the call history.
name [name] | Sets or displays the client logon name.
remove | Removes extra phone numbers.
reset | Resets node and mask.
feature | Displays a list of the device's major features.
firmware | Displays the ISDN firmware type.
firewall | See "Sys firewall commands" on page 297 for information about the system firewall commands.
hostname [hostname] | Sets or displays the system name.
8021x | Records logs for IEEE 802.1X.
urlblocked [0:none/1:log/2:alert/3:both] | Records and/or sends alerts for web access blocked logs.
urlforward [0:none/1:log] | Records web access forward logs.
clear | Clears the log.
display [access|attack|error|ike|ipsec|javablocked|mten|packetfilter|pki|tcpreset|tls|upnp|urlblocked|urlforward] | Displays all logs or the specified category of logs.
clear | Clears the error log.
disp | Displays the error log.
subject [mail subject] | Sets the log e-mail's subject.
auth | Enables or disables SMTP authentication.
user | Sets the SMTP authentication username.
passwd | Sets the SMTP authentication password.
save | Saves the log settings from the buffer.
syslog active [0:no/1:yes] | Enables or disables syslog logging.
syslog display | Displays the syslog settings.
nat | Configures remote node NAT.
nailup | Configures a remote node connection to be nailed up (always on).
mtu | Sets the remote node Maximum Transmission Unit.
accessblock | Blocks access to a remote node.
save [entry no.] | Saves remote node information.
stdio [minute] | Sets or displays the management terminal idle timeout value.
others | Sets the idle-timeout value for other sessions.
parse, brief, disp | Sets the level of detail that should be displayed. "parse" displays the most detail and "disp" displays the least.
switch [on|off] | Enables or disables the system trace log or displays the current setting.
online [on|off] | Enables or disables the trace log onscreen display (for example, in the Telnet management window).
udp | Sends the trace packets to another system using UDP.
udp switch [on|off] | Enables or disables the sending of the trace packets to another system using UDP, or displays the current setting.
udp addr | Sets the target IP address for sending trace packets using UDP.
udp port | Sets the UDP port (should match that of the target IP address) for sending trace packets using UDP.
pwderrtm [minute] | Sets or displays the password error blocking timeout value.
upnp active [0:no/1:yes] | Activates or deactivates the saved UPnP settings.
upnp config [0:deny/1:permit] | Allows users to make configuration changes through UPnP.
upnp display | Displays UPnP information.
upnp firewall [0:deny/1:pass] | Allows UPnP to pass through the firewall.
upnp load | Saves UPnP information.
upnp reserve [0:deny/1:permit] | Saves UPnP information.
restart | Restarts DDNS.
logout | This command has no effect.
cpu display | Displays the CPU utilization.

Exit Command
Table 70 Exit Command
Command | Description
exit | Ends the command interpreter session.

Ethernet Commands
Table 71 lists and describes the Ethernet commands. Each of these commands must be preceded by ether. For example, type ether config to display information on the LAN configuration.
Table 71 Ether Commands
Command | Description
accessblock <0:disable 1:enable> | Blocks Internet access.
speed | Sets the Ethernet data speed and duplex.
save | Saves Ethernet data to the System Parameters Table.
dump | Displays the relationship between physical port and channel.
dynamic, port set | Sets a physical port to a specific channel. Displays the channel setting stored in the SPT.

Table 72 IP commands
Command | Description
renew | Renews the DHCP client IP address.
status [option] | Displays the DHCP status.
query address | Displays the domain name of an IP address.
query name | Displays the IP address of a domain name.
dns | Configures the system DNS server settings.
dns system display | Shows the system DNS server settings.
lan |
httpd |
add [/] [] | Adds a route.
addiface [/] [] | Adds an entry to the routing table for the specified interface.
addprivate [/] [] | Adds a private route.
drop [/] | Drops a route.
status | Displays IP statistic counters.
udp | Displays the UDP status.
telnet [port] | Creates a Telnet connection to the specified host.
tftp support | Displays whether or not TFTP is supported.
tftp stats | Displays the TFTP statistics.
[ttl] [wait] [queries] | Sends ICMP packets to trace the route to a remote host.
join [] | Adds iface2 to iface1's group.
break | Removes the specified interface from the ipxparent group.
add [string] [trust/untrust/keyword] | Adds a trusted Web site, forbidden Web site or keyword blocking string.
delete [string] [trust/untrust/keyword] | Deletes a trusted Web site, forbidden Web site or keyword blocking string.
reset | Returns to the default configuration.
failcount | Sets the number of times that the device can ping the target without a response before forwarding traffic to the backup gateway.
load | Loads the specified static route rule into the buffer.
save | Saves a rule from the buffer to the System Parameters Table.
config name | Sets the name for a static route.
config destination [/] [] | Sets a static route's destination IP address and gateway.
config mask | Sets a static route's subnet mask.
config gateway | Sets a static route's gateway IP address.
rsptime [time] | Sets the IGMP response time.
start | Turns on IGMP on the specified interface.
stop | Turns off IGMP on the specified interface.
ttl | Sets the IGMP Time To Live threshold.
v1compat [on|off] | Turns IGMP version 1 compatibility on or off on the specified interface.
robustness | Sets the IGMP robustness variable.
status | Displays the IGMP status.
IPSec commands
Table 73 lists and describes the IPSec commands. Each of these commands must be preceded by ipsec. For example, type ipsec display 3 to display the third IPSec rule, if you have it configured.
Table 73 IPSec commands
Command | Description
debug switch, debug type <0:Disable | 1:Original on|off | 2:IKE on|off | 3:IPSec [SPI] on|off | 4:XAUTH on|off | 5:CERT on|off | 6:All> | Turns the trace for IPsec debug information on or off.
chk_input <0~255> | Adjusts the autotimer that checks whether any inbound IPsec traffic has passed during the specified period. If not, the Business Secure Router disconnects the tunnel.
show_runtime sa | Displays runtime phase 1 and phase 2 SA information.
show_runtime spd | When a dynamic rule accepts a request and a tunnel is established, a runtime SPD is created according to the peer's local IP address. This command displays these runtime SPDs.
lcIdType <0:IP | 1:DNS | 2:Email> | Sets the local ID type.
lcIdContent | Sets the local ID content.
myIpAddr | Sets the My IP Address.
peerIdType <0:IP | 1:DNS | 2:Email> | Sets the peer ID type.
peerIdContent | Sets the peer ID content.
secureGwAddr | Sets the secure gateway address.
ikeList |
encap <0:Tunnel | 1:Transport> | Sets the encapsulation mode.
pfs <0:None | 1:DH1 | 2:DH2> | Sets Perfect Forward Secrecy.
antiReplay | Turns replay detection on or off.
connType <0:Branch Office | 1:Contivity Client> | Specifies whether the rule is for a branch office or Contivity Client VPN connection.
ikeDelete | Deletes the specified IPSec rule.
policyEdit | Edits the specified IP policy.
policySave | Saves the IP policy.
ipsecList | Displays a summary of the IPSec (phase 2) rules.
policyList | Displays the IP policies.
policyDelete | Deletes the specified IP policy.
Use these commands to configure an IP policy for an IPSec office tunnel rule.
btNatType <0:single | 1:range | 2:all> | Sets the type of NAT address mapping.
btNatAddrStart | Sets the branch tunnel NAT starting IP address.
btNatArEnd | Sets the branch tunnel NAT ending IP address or subnet mask.
swSkipOverlapIP | Turn this option on to have the device allow rules with overlapping source and destination IP addresses.
clientTerm load | Loads the client termination configuration from ROM to the working buffer. You must execute this command before configuring client termination.
clientTerm active | Enables or disables client termination.
clientTerm display [user | cfg] | Displays the configuration and/or remote user logon status of client termination; unless a parameter is specified, displays all.
clientTerm save | Saves any client termination configuration changes to ROM.
ipPool | Selects which IP pool to work on. The index starts at 1, and an inactive IP pool cannot be selected.
natt |
ipPool load | Before you configure an IP pool for client termination, you must load the specified IP pool. Currently 3 IP pools are supported, so the valid index is 1~3.
ipPool save | After changing the IP pool configuration, use the save command to save the modification to the ROM.
rekeyTo | Sets the lifetime of a single key used for data encryption.
rekeyDc | Sets how much data you expect to transmit via the tunnel with a single key. A setting of 0 kb disables the Rekey Data Count; otherwise the rekey data count must be more than 5.
domain | Sets the domain name for client termination.
Sys firewall commands
Table 74 lists and describes the system firewall commands. Each of these commands must be preceded by sys firewall. For example, type sys firewall active yes to turn on the firewall.
Table 74 Sys firewall commands
Command | Description
acl active | Activates or deactivates firewall ACLs.
acl disp | Displays ACLs or a specific ACL set # and rule #.
active | Enables or disables the firewall.
disp | Displays the firewall log type and count.

Bandwidth management commands
Table 75 lists and describes the bandwidth management commands. Each of these commands must be preceded by bm. For example, type bm show lan to display the LAN port's bandwidth management settings.
Table 75 Bandwidth management commands
Command | Description
interface lan enable | Enables bandwidth management (BWM) for traffic going out the LAN interface. You can also specify the bandwidth in b/s.
lan del # | Deletes the class # and its filter and all its children classes and their filters in the LAN.
lan mod # | Modifies the parameters of the class in the LAN. A bandwidth value is optional.
wan add # |
name | Sets the class name.
priority | Sets the class priority. The range is from 0 (the lowest) to 7 (the highest). The priority is unchanged if you do not set a new value.
The class can borrow bandwidth from its parent class when borrowing is turned on, and vice versa.
filter lan add # Daddr Dport Saddr Sport protocol | Adds a filter for class # in the LAN. The filter contains destination address (netmask), destination port, source address (netmask), source port and protocol. Use 0 for items that you do not want the filter to include.
lan <#> | Displays the bandwidth usage of the specified LAN class (or all of the LAN classes if you do not specify one). The first time you use the command turns it on; the second time turns it off, and so on.
wan <#> | Displays the bandwidth usage of the specified WAN class (or all of the WAN classes if you do not specify one).
Table 76 Certificates commands
Command | Description
create selfsigned [key size] | Creates a self-signed local host certificate. Specifies a descriptive name for the generated certificate. Specifies a subject name (required) and alternative name (required). The format is "subject-name-dn;{ip,dns,email}=value". If the name contains spaces, put it in quotes. [key size] specifies the key size.
create cmp_enroll [key size] | Creates a certificate request and enrolls for a certificate immediately online using the CMP protocol. Specifies a descriptive name for the enrolled certificate. Specifies the CA server address. Specifies the name of the CA certificate. Specifies the id and key used for user authentication.
rename | Renames the specified certificate. Specifies the name of the certificate to be renamed. Specifies the new name the certificate is saved as.
def_self_signed [name] | Sets the specified self-signed certificate as the default self-signed certificate. [name] specifies the name of the certificate to be set as the default self-signed certificate.
crl_issuer [on|off] | Specifies whether or not the specified CA issues a CRL. Specifies the name of the CA certificate. [on|off] specifies whether or not the CA issues a CRL. If [on|off] is not specified, the current crl_issuer status of the CA is used.
import | Imports the PEM-encoded certificate from stdin. Specifies the name the imported remote host certificate is saved as.
add [login:pswd] | Adds a new directory service. Specifies a descriptive name for the directory server. Specifies the server address (required) and port (optional). The format is "server-address[:port]". The default port is 389. [login:pswd] specifies the logon name and password, if required. The format is "[login:password]".

IEEE 802.1X commands
Table 77 lists and describes the IEEE 802.1X commands. Each of these commands must be preceded by 8021x. For example, type 8021x debug level 1 to set the IEEE 802.1X debug messages to the first level.
Table 77 IEEE 802.1X commands
Command | Description
debug level | Sets the IEEE 802.1X debug message level.
trace | Displays all supplicant information in the supplicant table.
Appendix I NetBIOS filter commands
The following describes the NetBIOS packet filter commands.
Introduction
NetBIOS (Network Basic Input/Output System) packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. For some dial-up services, such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. You can configure NetBIOS filters to do the following:
• Allow or disallow the sending of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN.

Display NetBIOS filter settings
Figure 163 NetBIOS Display Filter Settings Command Example
============== NetBIOS Filter Status ===============
Between LAN and WAN:
Block IPSec Packets:
Forward Trigger Dial: Disabled
Syntax: sys filter netbios disp
This command gives a read-only list of the current NetBIOS filter modes.
• 0 = LAN to WAN and WAN to LAN
• 3 = IPSec packet pass through
• 4 = Trigger Dial
The on|off value is a switch to enable or disable the filter.
• For type 0, use on to enable the filter and block NetBIOS packets. Use off to disable the filter and forward NetBIOS packets.
• For type 3, use on to block NetBIOS packets from being sent through a VPN connection. Use off to allow NetBIOS packets to be sent through a VPN connection.
Appendix J Boot Commands
The BootModule AT commands execute from within the router's bootup software, when debug mode is selected before the main router firmware is started. After you start up your Business Secure Router, you are given a choice to go into debug mode by pressing a key at the prompt shown in Figure 164. In debug mode you have access to a series of boot module commands, for example ATUR (for uploading firmware) and ATLC (for uploading the configuration file).
command shows product related information such as boot module version, vendor name, product model, RAS code revision, and more. With ATGO, you can continue booting the system. Most other commands aid in advanced troubleshooting and must only be used by qualified engineers.
Figure 165 Boot Module Commands
AT    just answer OK
ATHE  print help
ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.
Appendix K Log descriptions This appendix provides descriptions of log messages. Table 80 System error logs Log Message Description %s exceeds the max. number of session per host! This attempt to create a SUA/NAT session exceeds the maximum number of SUA/NAT session table entries allowed to be created per host. Table 81 System maintenance logs Log Message Description Time calibration is successful The router has adjusted its time based on information from the time server.
Appendix K Log descriptions Table 81 System maintenance logs Log Message Description TELNET Login Fail Someone has failed to log on to the router via Telnet. FTP Login Successfully Someone has logged on to the router via FTP. FTP Login Fail Someone has failed to log on to the router via FTP. NAT Session Table is Full! The maximum number of SUA/NAT session table entries has been exceeded and the table is full.
Appendix K Log descriptions 317 Table 84 Attack logs Log Message Description attack TCP The firewall detected a TCP attack. attack UDP The firewall detected an UDP attack. attack IGMP The firewall detected an IGMP attack. attack ESP The firewall detected an ESP attack. attack GRE The firewall detected a GRE attack. attack OSPF The firewall detected an OSPF attack. attack ICMP (type:%d, code:%d) The firewall detected an ICMP attack; see the section on ICMP messages for type and code details.
Appendix K Log descriptions Table 84 Attack logs Log Message Description teardrop TCP The firewall detected a TCP teardrop attack. teardrop UDP The firewall detected an UDP teardrop attack. teardrop ICMP (type:%d, code:%d) The firewall detected an ICMP teardrop attack. illegal command TCP The firewall detected a TCP illegal command attack. NetBIOS TCP The firewall detected a TCP NetBIOS attack.
Appendix K Log descriptions 319 Table 85 Access logs Log Message Description Firewall default policy: TCP (set:%d) TCP access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the ACL set’s configuration. Firewall default policy: UDP (set:%d) UDP access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the ACL set’s configuration.
Appendix K Log descriptions Table 85 Access logs NN47922-501 Log Message Description Firewall rule match: GRE (set:%d, rule:%d) GRE access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the rule’s configuration. Firewall rule match: OSPF (set:%d, rule:%d) OSPF access matched the listed a firewall rule and the Business Secure Router blocked or forwarded it according to the rule’s configuration.
Appendix K Log descriptions 321 Table 85 Access logs Log Message Description (set:%d) With firewall messages, this is the number of the ACL policy set and denotes the packet's direction (see Table 86). With filter messages, this is the number of the filter set. (rule:%d) With firewall messages, the firewall rule number denotes the number of a firewall rule within an ACL policy set.With filter messages, this is the number of an individual filter rule.
Appendix K Log descriptions Table 86 ACL setting notes ACL Set Number Direction Description 1 LAN to WAN ACL set 1 for packets traveling from the LAN to the WAN. 2 WAN to LAN ACL set 2 for packets traveling from the WAN to the LAN. 7 LAN to LAN/Business Secure Router ACL set 7 for packets traveling from the LAN to the LAN or the Business Secure Router. 8 WAN to WAN/Business Secure Router ACL set 8 for packets traveling from the WAN to the WAN or the Business Secure Router.
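The messages in Tables 84 and 85 carry their structure in a fixed text format, and Table 86 is what turns the (set:%d) number into a traffic direction. The following collector-side parser is an added example, not Nortel code or a tool shipped with the router; it classifies a message as an attack log, a firewall rule match, a default-policy hit or something else, extracts the numeric fields, and summarizes attacks by kind and firewall hits by direction. The sample log lines are constructed in the block in the documented formats, not taken from a real device.

```python
import re
from collections import Counter

# Direction of each ACL set number, from Table 86.
ACL_SET_DIRECTION = {
    1: "LAN to WAN",
    2: "WAN to LAN",
    7: "LAN to LAN/Business Secure Router",
    8: "WAN to WAN/Business Secure Router",
}

# Patterns for the message formats listed in Tables 84 and 85.
RULE_MATCH = re.compile(
    r"^Firewall rule match: (?P<proto>\w+) \(set:(?P<set>\d+), rule:(?P<rule>\d+)\)$")
DEFAULT_POLICY = re.compile(
    r"^Firewall default policy: (?P<proto>\w+) \(set:(?P<set>\d+)\)$")
ATTACK = re.compile(
    r"^(?P<name>attack|teardrop|illegal command|NetBIOS) (?P<proto>\w+)"
    r"(?: \(type:(?P<type>\d+), code:(?P<code>\d+)\))?$")


def parse_log_message(message: str) -> dict:
    """Classify one log message and pull out its numeric fields.

    Unrecognised messages come back with kind "other" rather than raising, so a
    collector keeps running when the router emits a message these tables omit.
    """
    m = RULE_MATCH.match(message)
    if m:
        set_no = int(m["set"])
        return {"kind": "rule_match", "protocol": m["proto"], "set": set_no,
                "rule": int(m["rule"]), "direction": ACL_SET_DIRECTION.get(set_no, "unknown")}
    m = DEFAULT_POLICY.match(message)
    if m:
        set_no = int(m["set"])
        return {"kind": "default_policy", "protocol": m["proto"], "set": set_no,
                "rule": None, "direction": ACL_SET_DIRECTION.get(set_no, "unknown")}
    m = ATTACK.match(message)
    if m:
        entry = {"kind": "attack", "attack": m["name"], "protocol": m["proto"]}
        if m["type"] is not None:          # only the ICMP variants carry type/code
            entry["icmp_type"] = int(m["type"])
            entry["icmp_code"] = int(m["code"])
        return entry
    return {"kind": "other", "message": message}


def summarize(messages) -> dict:
    """Counts a reviewer wants first: attacks by kind and firewall hits by direction."""
    attacks = Counter()
    by_direction = Counter()
    for msg in messages:
        entry = parse_log_message(msg)
        if entry["kind"] == "attack":
            attacks[f'{entry["attack"]} {entry["protocol"]}'] += 1
        elif entry["kind"] in ("rule_match", "default_policy"):
            by_direction[entry["direction"]] += 1
    return {"attacks": dict(attacks), "firewall_by_direction": dict(by_direction)}


# Constructed sample messages in the formats of Tables 81, 84 and 85 (not a real log).
SAMPLE_LOG = [
    "Firewall default policy: TCP (set:2)",
    "Firewall rule match: GRE (set:1, rule:3)",
    "Firewall rule match: OSPF (set:8, rule:1)",
    "attack ICMP (type:11, code:0)",
    "teardrop UDP",
    "attack TCP",
    "attack TCP",
    "NAT Session Table is Full!",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_log_message(line))
    print(summarize(SAMPLE_LOG))
```

The direction lookup is deliberately a dictionary with the four documented set numbers and an "unknown" fallback, so a set number outside Table 86 is visible in the summary instead of being mis-attributed.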
Table 87 ICMP notes
Type                 Code   Description
                     0      Echo message
Time Exceeded  11    0      Time to live exceeded in transit
                     1      Fragment reassembly time exceeded
Parameter Problem 12 0      Pointer indicates the error
Timestamp  13        0      Timestamp request message
Timestamp Reply  14  0      Timestamp reply message
Information Request  15  0  Information request message
Information Reply  16    0  Information reply message

Table 88 Sys log
LOG MESSAGE
    DESCRIPTION
Mon dd hr:mm:ss hostname
    This mess
Figure 166 Example VPN initiator IPSec log
Index:  Date/Time:       Log:
-----------------------------------------------------------
001     01 Jan 08:02:22  Send Main Mode request to <192.168.100.
VPN responder IPSec log

Figure 167 shows a typical log from the VPN connection peer.

Figure 167 Example VPN responder IPSec log
Index:  Date/Time:       Log:
-----------------------------------------------------------
001     01 Jan 08:08:07  Recv Main Mode request from <192.168.100.
Table 89 Sample IKE key exchange logs
Log Message
    Description
Send Mode request to
Send Mode request to
    The Business Secure Router has started negotiation with the peer.
Recv Mode request from
Recv Mode request from
    The Business Secure Router has received an IKE negotiation request from the peer.
Recv:
    IKE uses the ISAKMP protocol (refer to RFC2408 – ISAKMP) to transmit data.
Table 89 Sample IKE key exchange logs (continued)
!! Active connection allowed exceeded
    The Business Secure Router limits the number of simultaneous Phase 2 SA negotiations. The IKE key exchange process fails if this limit is exceeded.
!! IKE Packet Retransmit
    The Business Secure Router did not receive a response from the peer and so retransmits the last packet sent.
Table 90 shows sample log messages during packet transmission.

Table 90 Sample IPSec logs during packet transmission
LOG MESSAGE
    DESCRIPTION
!! WAN IP changed to
    If the Business Secure Router’s WAN IP changes, all configured “My IP Addr” fields are changed to “0.0.0.0”. If this field is configured as 0.0.0.0, the Business Secure Router uses its current WAN IP address (static or dynamic) to set up the VPN tunnel.
Table 91 RFC-2408 ISAKMP payload types
CER_REQ   Certificate Request
HASH      Hash
SIG       Signature
NONCE     Nonce
NOTFY     Notification
DEL       Delete
VID       Vendor ID

Table 92 PKI logs
Log Message
    Description
Enrollment successful
    The SCEP online certificate enrollment was successful. The Destination field records the certification authority server IP address and port.
Enrollment failed
    The SCEP online certificate enrollment failed.
Table 92 PKI logs (continued)
Failed to decode the received ca cert
    The router received a corrupted certification authority certificate from the LDAP server whose address and port are recorded in the Source field.
Failed to decode the received user cert
    The router received a corrupted user certificate from the LDAP server whose address and port are recorded in the Source field.
Table 93 Certificate path verification failure reason codes
Code   Description
11     Certificate chain looped (did not find trusted root).
12     Certificate contains critical extension that was not handled.
13     Certificate issuer was not valid (CA specific information missing).
14     (Not used)
15     CRL is too old.
16     CRL is not valid.
17     CRL signature was not verified correctly.
18     CRL was not found (anywhere).
19     CRL was not added to the cache.
Table 94 IEEE 802.1X logs
Log Message
    Description
Local User Database does not support authentication method.
    The local user database only supports the EAP-MD5 method. A user tried to use another authentication method and was not authenticated.
User logout because of session timeout expired.
    The router logged off a user whose session expired.
User logout because of user deassociation.
    The router logged off a user who ended the session.
Configuring what you want the Business Secure Router to log

Use the sys logs load command to load the log setting buffer that is used to configure which logs the Business Secure Router is to record. Use sys logs category followed by a log category and a parameter to decide what to record.
Use the sys logs display [log category] command to show the logs in an individual Business Secure Router log category. Use the sys logs clear command to erase all of the Business Secure Router’s logs.

Log command example

This example shows how to set the Business Secure Router to record the access logs and alerts and then view the results.

    ras> sys logs load
    ras> sys logs category access 3
    ras> sys logs save
    ras> sys logs display access
    # .
Appendix L Brute force password guessing protection

Table 96 describes the commands for enabling, disabling and configuring the brute force password guessing protection mechanism for the password.

Table 96 Brute force password guessing protection commands
Command          Description
sys pwderrtm     This command displays the brute-force password guessing protection settings.
sys pwderrtm 0   This command turns off the password’s protection from brute-force guessing.
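The appendix only lists the commands that switch the mechanism on and off; the mechanism itself is a per-source counter of wrong passwords that refuses further attempts for a while once a threshold is crossed. The following is an added illustration of that kind of lockout in Python, not the Business Secure Router's code, and its thresholds (3 failures within 60 seconds, 300-second lockout) are constructed values rather than the router's defaults:

```python
import hmac
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List


@dataclass
class LockoutPolicy:
    # Constructed defaults for the illustration, not the router's own values.
    max_failures: int = 3        # wrong passwords tolerated inside the window
    window_seconds: int = 60     # failures older than this no longer count
    lockout_seconds: int = 300   # how long every attempt from the source is refused


@dataclass
class _SourceState:
    failures: Deque[float] = field(default_factory=deque)   # timestamps of recent failures
    locked_until: float = 0.0


class PasswordGuard:
    """Per-source failure counter with a temporary lockout. The clock is injectable
    so the behaviour can be exercised without waiting for real time to pass."""

    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float] = time.monotonic):
        self.policy = policy
        self.clock = clock
        self._states: Dict[str, _SourceState] = {}

    def is_locked(self, source: str) -> bool:
        st = self._states.get(source)
        return st is not None and self.clock() < st.locked_until

    def attempt(self, source: str, password: str, verify: Callable[[str], bool]) -> str:
        """Return 'locked', 'ok' or 'denied'. While locked the password is not even
        checked, so guessing during the lockout window yields no information."""
        now = self.clock()
        if self.is_locked(source):
            return "locked"
        st = self._states.setdefault(source, _SourceState())
        if verify(password):
            self._states.pop(source, None)          # a good login resets the counter
            return "ok"
        st.failures.append(now)
        while st.failures and now - st.failures[0] > self.policy.window_seconds:
            st.failures.popleft()                   # forget failures outside the window
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
            return "locked"
        return "denied"


def constant_time_check(expected: bytes) -> Callable[[str], bool]:
    """Build a verifier; hmac.compare_digest avoids a timing side channel in the comparison."""
    return lambda candidate: hmac.compare_digest(candidate.encode(), expected)


class FakeClock:
    """Controllable clock for the demonstration."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> List[str]:
    """Three wrong passwords from 10.0.0.5 (constructed) trigger a lockout; the correct
    password is refused until the lockout elapses; another source is unaffected."""
    clock = FakeClock()
    guard = PasswordGuard(LockoutPolicy(), clock)
    verify = constant_time_check(b"correct-horse")   # constructed secret
    out = [guard.attempt("10.0.0.5", pw, verify) for pw in ("a", "b", "c")]
    out.append(guard.attempt("10.0.0.5", "correct-horse", verify))
    out.append(guard.attempt("10.0.0.6", "correct-horse", verify))
    clock.advance(LockoutPolicy().lockout_seconds + 1)
    out.append(guard.attempt("10.0.0.5", "correct-horse", verify))
    return out


if __name__ == "__main__":
    print(demo())
```

The sliding window matters as much as the threshold: without it, three mistakes spread over a whole day would still lock the account, which is the kind of behaviour that tempts administrators to run sys pwderrtm 0 and switch the protection off entirely.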
Appendix M SIP

The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering, and tearing down of voice and multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol. SIP signaling is separate from the media for which it handles sessions. The media that is exchanged during the session can use a different path from that of the signaling.
SIP Service Domain

The SIP service domain of the VoIP service provider is the domain name in a SIP URI. For example, if the SIP address is 1122334455@VoIP-provider.com, then VoIP-provider.com is the SIP service domain.

SIP Call Progression

Table 97 displays the basic steps in the setup and tear down of a SIP call. A calls B.

Table 97 SIP Call Progression (A and B)
1. INVITE
2. Ringing
3. OK
4. ACK
5. Dialogue (voice traffic)
6. BYE
7. OK

1 A sends a SIP INVITE request to B.
SIP Servers

SIP is a client-server protocol. A SIP client is an application program or device that sends SIP requests. A SIP server responds to the SIP requests. When you use SIP to make a VoIP call, it originates at a client and terminates at a server. A SIP client could be a computer or a SIP phone. One device can act as both a SIP client and a SIP server.

SIP User Agent Server

A SIP user agent server can make and receive VoIP telephone calls.
Figure 169 SIP Proxy Server

SIP Redirect Server

A SIP redirect server accepts SIP requests, translates the destination address to an IP address and sends the translated IP address back to the device that sent the request. Then the client device that originally sent the request can send requests to the IP address that it received back from the redirect server. Redirect servers do not initiate SIP requests.
Figure 170 SIP Redirect Server

SIP Register Server

A SIP register server maintains a database of SIP identity-to-IP address (or domain name) mapping. The register server checks your username and password when you register.

RTP

When you make a VoIP call using SIP, the RTP (Real time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP.
SIP ALG

Some NAT routers can include a SIP Application Layer Gateway (ALG). A SIP ALG allows VoIP calls to pass through NAT by examining and translating IP addresses embedded in the data stream. When a VoIP device (SIP client) behind the SIP ALG registers with the SIP register server, the SIP ALG translates the device’s private IP address inside the SIP data stream to a public IP address. You do not need to use STUN if your VoIP device is behind the SIP ALG.
Figure 171 Business Secure Router SIP ALG (signaling session over UDP port 5060; audio session using RTP)

SIP ALG and NAT

The Business Secure Router dynamically creates an implicit port forwarding rule for SIP traffic from the WAN to the LAN. The SIP ALG on the Business Secure Router supports all NAT mapping types, including One to One, Many to One, Many to Many Overload and Many One to One.
Appendix M SIP If the primary WAN connection fails, the SIP client needs to re-register with the SIP server through the secondary WAN port to have the SIP connection go through the secondary WAN port. When the Business Secure Router uses both of the WAN ports at the same time, you can configure a routing policy to have the voice traffic from any IP address with UDP port 5060 and the RTP ports go over a specified WAN port.
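Two things in this appendix are easiest to see with real messages: the seven-step call progression of Table 97, and what the SIP ALG has to change in the signaling so that a client behind NAT is reachable. The following Python is an added example and not the manual's or the router's code. It builds a constructed INVITE/Ringing/OK/ACK/BYE/OK exchange between A and B (the SIP URIs reuse the appendix's VoIP-provider.com example; the addresses 192.168.1.20 and 203.0.113.10 are constructed), tracks the dialogue state from both sides' messages, and performs the ALG rewrite of the private address in the Via, Contact and SDP lines while leaving the Call-ID alone:

```python
import re
from typing import Dict, List, Tuple

PRIVATE_IP = "192.168.1.20"   # constructed: SIP client's LAN address behind the NAT
PUBLIC_IP = "203.0.113.10"    # constructed: router's WAN address
DOMAIN = "VoIP-provider.com"  # SIP service domain from the appendix's example URI


def sip_message(start: str, headers: List[Tuple[str, str]], body: str = "") -> str:
    """Assemble a SIP message with a correct Content-Length (constructed test traffic)."""
    lines = [start] + [f"{k}: {v}" for k, v in headers]
    lines.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def parse_sip(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a SIP message into start line, headers (names lower-cased) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sip_service_domain(uri: str) -> str:
    """'sip:1122334455@VoIP-provider.com' -> 'VoIP-provider.com' (the SIP service domain)."""
    addr = uri.split(":", 1)[1] if uri.lower().startswith("sip:") else uri
    host = addr.partition("@")[2] if "@" in addr else addr
    return host.split(";")[0].split(":")[0]   # drop URI parameters and port


# One call as in Table 97. Keys are (current state, event); an event is a request
# method, or (status code, method being answered) taken from the CSeq header.
_TRANSITIONS = {
    ("idle", "INVITE"): "inviting",                # 1. INVITE
    ("inviting", (180, "INVITE")): "ringing",      # 2. Ringing
    ("inviting", (200, "INVITE")): "answered",     # 3. OK without a prior Ringing
    ("ringing", (200, "INVITE")): "answered",      # 3. OK
    ("answered", "ACK"): "in_dialogue",            # 4. ACK, then 5. dialogue (RTP, not SIP)
    ("in_dialogue", "BYE"): "terminating",         # 6. BYE
    ("terminating", (200, "BYE")): "terminated",   # 7. OK
}


class SipDialog:
    """Follows one call through the steps of Table 97; anything out of order is rejected."""

    def __init__(self) -> None:
        self.state = "idle"

    def feed(self, raw: str) -> str:
        start, headers, _ = parse_sip(raw)
        if start.startswith("SIP/2.0 "):                       # a response
            event = (int(start.split()[1]), headers["cseq"].split()[-1])
        else:                                                  # a request
            event = start.split()[0]
        nxt = _TRANSITIONS.get((self.state, event))
        if nxt is None:
            raise ValueError(f"unexpected {event!r} in state {self.state}")
        self.state = nxt
        return nxt


def alg_rewrite(raw: str, private_ip: str, public_ip: str) -> str:
    """What a SIP ALG does on the way out: replace the client's private address where
    it is embedded in the signaling (Via, Contact, SDP o=/c=). Call-ID is an opaque
    dialogue identifier and is deliberately left untouched."""
    head, _, body = raw.partition("\r\n\r\n")
    pat = re.compile(re.escape(private_ip) + r"(?!\d)")   # 192.168.1.2 must not hit 192.168.1.20
    head_lines = []
    for line in head.split("\r\n"):
        if line.split(":", 1)[0].strip().lower() in ("via", "contact"):
            line = pat.sub(public_ip, line)
        head_lines.append(line)
    new_body = "\r\n".join(pat.sub(public_ip, l) if l.startswith(("c=", "o=")) else l
                           for l in body.split("\r\n"))
    # The rewrite can change the body length, so Content-Length must be fixed up too.
    head_lines = [f"Content-Length: {len(new_body.encode())}"
                  if l.lower().startswith("content-length:") else l for l in head_lines]
    return "\r\n".join(head_lines) + "\r\n\r\n" + new_body


A = f"sip:1122334455@{DOMAIN}"
B = f"sip:bob@{DOMAIN}"
COMMON = [("Call-ID", f"c1@{PRIVATE_IP}"), ("From", f"<{A}>;tag=1"), ("To", f"<{B}>")]
SDP = f"v=0\r\no=- 1 1 IN IP4 {PRIVATE_IP}\r\nc=IN IP4 {PRIVATE_IP}\r\nm=audio 10000 RTP/AVP 0\r\n"
INVITE = sip_message(f"INVITE {B} SIP/2.0",
                     [("Via", f"SIP/2.0/UDP {PRIVATE_IP}:5060;branch=z9hG4bK1"), *COMMON,
                      ("CSeq", "1 INVITE"), ("Contact", f"<sip:1122334455@{PRIVATE_IP}:5060>"),
                      ("Content-Type", "application/sdp")], SDP)


def run_call() -> List[str]:
    """Feed the exchange of Table 97 (A calls B) through the tracker and return the states."""
    msgs = [
        INVITE,
        sip_message("SIP/2.0 180 Ringing", COMMON + [("CSeq", "1 INVITE")]),
        sip_message("SIP/2.0 200 OK", COMMON + [("CSeq", "1 INVITE")]),
        sip_message(f"ACK {B} SIP/2.0", COMMON + [("CSeq", "1 ACK")]),
        # step 5, the dialogue itself, is RTP media and produces no SIP message
        sip_message(f"BYE {B} SIP/2.0", COMMON + [("CSeq", "2 BYE")]),
        sip_message("SIP/2.0 200 OK", COMMON + [("CSeq", "2 BYE")]),
    ]
    dialog = SipDialog()
    return [dialog.feed(m) for m in msgs]


if __name__ == "__main__":
    print(run_call())
    print(alg_rewrite(INVITE, PRIVATE_IP, PUBLIC_IP))
```

The rewrite is also why the implicit WAN-to-LAN forwarding rule mentioned above is needed: once Contact and the SDP c= line advertise the public address, the far side will send signaling and RTP to the router, which must map them back to the client.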
Index Numbers Call Control 202 Call History 204 10/100 Mb/s Ethernet WAN 32 ACK Message 338 Call Scheduling 35, 213 Maximum Number of Schedule Sets 213 PPPoE 216 Precedence 214 Precedence Example 214 Active 60, 63, 87 Call-Triggering Packet 175 ALG 342 Central Network Management 36 Allocated Budget 61, 90 CHAP 61, 90 Alternative Subnet Mask Notation 264 Client-server Protocol 339 Application Layer Gateway 342 Command Interpreter Mode 199 Applications 39 Community 155 AT command 56, 58,
Index Diagnostic 176 DIAL BACKUP 258 Dial Timeout 59 Filters Executing a Filter Rule 136 IP Filter Logic Flow 144 DoS (Denial of Service) 34 Firewall 34 Activating 133 SMT Menus 133 Drop Timeout 59 Flow Control 41 DSL Modem 39, 88 FTP 211 DTR 58 FTP File Transfer 190 Dynamic DNS Support 36 FTP Restrictions 183, 211 Domain Name 168, 170 E FTP Server 38, 125 Full Network Management 38 Edit IP 61, 88 EMAIL 51 G E-mail Address 51 Gateway IP Addr 94 Enable Wildcard 51 Gateway IP Address 8
Index 347 Multicast 65, 75, 95 Remote 64 IP Address Assignment 64, 81, 93 Multimedia 337 IP Addressing 261 My IP Addr 91 IP Alias 36, 76 My Login 60, 88 IP Alias Setup 75, 76 My Login Name 80 IP Classes 261 My Password 60, 80, 81, 88 IP Multicast 36 Internet Group Management Protocol (IGMP) 36 My Server IP Addr 91 IP Pool 73, 74 N IP Static Route 101, 102 Active 102 Destination IP Address 102 IP Subnet Mask 102 Name 102 Route Number 102 My WAN Address 64 Nailed-Up Connection 62, 90 Nailed-u
Index PPP 62 RoadRunner Support 38 PPPoE 35, 249 Route 88 PPPoE Encapsulation 79, 83, 86, 88, 90, 96 RTP 341 PPTP 253 Client 81, 82 Configuring a Client 81, 82 S PPTP Encapsulation 36, 91 Schedule Sets Duration 215 Private 65, 94, 103 Schedules 90, 92 Protocol Filters 77 Incoming 77 Outgoing 77 Server 80, 81, 88, 110, 113, 116, 117, 123, 124, 206 publications hard copy 26 related 26 Service Name 88 Server IP 88 Service Type 80, 87 Session Initiation Protocol 337 R setup a schedule 214
Index 349 U Subnet Masks 263 Subnetting 263 Uniform Resource Identifier 337 Syslog 171, 172 Universal Plug and Play 35 Syslog IP Address 172 Upgradeable Firmware 38 System Information 165, 168, 169 Upload Firmware 189 System Maintenance 165, 166, 167, 168, 170, 171, 172, 177, 178, 180, 183, 193, 194, 199, 202, 204, 206 UPnP 35 User Name 51 System Management Terminal 42 User Profiles 105 System Name 48 Username 42 System Status 166 V T VT100 41 TCP/IP 63, 72, 75, 92, 141, 142, 144, 147, 1