Nortel Business Secure Router 222 Configuration — Basics BSR222 Business Secure Router Document Number: NN47922-500 Document Version: 1.
Copyright © Nortel 2005–2006 All rights reserved. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. The information in this document is proprietary to Nortel. Trademarks Nortel, Nortel (Logo), the Globemark, and This is the way, This is Nortel (Design mark) are trademarks of Nortel.
Contents
Preface 29
Before you begin 29
Text conventions 29
Related publications
HTTPS 36
IEEE 802.1x for network security 36
Firewall 36
Brute force password guessing protection 37
Content filtering
Navigating the Business Secure Router WebGUI 47
Chapter 3 Wizard setup 51
Wizard overview 51
Wizard setup: General Setup and System Name 51
Domain Name
Preventing heavy data traffic from impacting telephone calls 75
Setting Up a Remote Office with a UNIStim IP Telephone 75
Inter-Operability With Third-Party Routers 76
VPN Connections With Cisco Routers 76
Chapter 5 System screens
Chapter 7 WAN screens 105
WAN Overview 105
TCP/IP Priority (Metric) 105
Configuring Route
Configuring servers behind SUA (example) 138
Configuring SUA Server 139
Configuring Address Mapping 141
Trigger Port Forwarding 145
Trigger Port Forwarding example
Firewall 169
When to use the firewall 170
Chapter 11 Firewall screens 171
Access methods
Configure Content Filtering 198
Chapter 13 VPN 201
VPN 201
IPSec
My IP Address 222
Configuring Branch Office VPN Rule Setup 222
Configuring an IP Policy 231
Port forwarding server
Importing a certificate of a trusted remote host 288
Trusted remote host certificate details 289
Directory servers 293
Add or edit a directory server
Configuring RADIUS 323
Chapter 18 Remote management screens 327
Remote management overview 327
Remote management limitations 327
Remote management and NAT
Chapter 19 UPnP 359
Universal Plug and Play overview 359
How do I know if I am using UPnP? 359
NAT Traversal 359
Cautions with UPnP
Chapter 22 Maintenance 391
Maintenance overview 391
Status screen 391
System statistics
Appendix B Log Descriptions 423
VPN/IPSec Logs 432
VPN Responder IPSec Log 433
Log Commands

Figures
Figure 1 Secure Internet Access and VPN Application 41
Figure 2 Login screen 44
Figure 3 Change password screen 45
Figure 4 Replace certificate screen 45
Figure 5 Example Xmodem Upload
Figure 30 Traffic Redirect LAN Setup 120
Figure 31 Traffic Redirect 121
Figure 32 Dial Backup Setup 123
Figure 33 Advanced Setup 128
Figure 34 How NAT works
Figure 65 IPSec architecture 205
Figure 66 Transport and Tunnel mode IPSec encapsulation 208
Figure 67 IPSec summary fields 211
Figure 68 Summary 212
Figure 69 NAT router between VPN switches
Figure 100 Bandwidth Manager: Class setup 302
Figure 101 Bandwidth Manager: Edit class 304
Figure 102 Bandwidth management statistics 307
Figure 103 Bandwidth manager monitor 308
Figure 104 EAP Authentication
Figure 135 Configuring UPnP 361
Figure 136 UPnP Ports 362
Figure 137 Add/Remove programs: Windows setup 364
Figure 138 Communications 364
Figure 139 Network connections
Figure 170 Restart screen 402
Figure 171 Pop-up Blocker 408
Figure 172 Internet Options 409
Figure 173 Internet options

Tables
Table 1 Feature Specifications 33
Table 2 Wizard 2: Ethernet Encapsulation 54
Table 3 Wizard 2: PPTP Encapsulation 55
Table 4 Wizard2: PPPoE Encapsulation 57
Table 5 Private IP Address Ranges
Table 30 Address Mapping 142
Table 31 Address Mapping edit 144
Table 32 Trigger Port 148
Table 33 IP Static Route summary 151
Table 34 Edit IP Static Route
Table 65 VPN Client Termination advanced 257
Table 66 My Certificates 265
Table 67 My Certificate Import 268
Table 68 My Certificate create 270
Table 69 My Certificate details
Table 100 UPnP Ports 362
Table 101 View Log 372
Table 102 Log settings 375
Table 103 Reports
Table 135 RFC-2408 ISAKMP Payload Types 438
Table 136 PKI Logs 438
Table 137 Certificate Path Verification Failure Reason Codes 440
Table 138 IEEE 802.1X Logs 441
Table 139 Log categories and available settings
Preface

Before you begin
This guide assists you through the basic configuration of your Business Secure Router for its various applications.
Note: This guide explains how to use the WebGUI to configure your Business Secure Router. See Nortel Business Secure Router 222 Configuration — Advanced (NN47922-501) for how to use the System Management Terminal (SMT) or the command interpreter interface to configure your Business Secure Router. Not all features can be configured through all interfaces.

A single keystroke is written in Arial font and enclosed in square brackets. For instance, [ENTER] means the Enter key; [ESC] means the Escape key and [SPACE BAR] means the space bar. [UP] and [DOWN] are the up and down arrow keys.
Mouse action sequences are denoted using a comma. For example, “click the Apple icon, Control Panels and then Modem” means first click the Apple icon, then point your mouse pointer to Control Panels and then click Modem.

How to get Help
This section explains how to get help for Nortel products and services.

Getting Help from the Nortel Web site
The best way to get technical support for Nortel products is from the Nortel Technical Support Web site: www.nortel.com/support
This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products.

Getting Help from a specialist by using an Express Routing Code
To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to: www.nortel.
Chapter 1 Getting to know your Nortel Business Secure Router 222

This chapter introduces the main features and applications of the Business Secure Router.

Introducing the Nortel Business Secure Router 222
The Nortel Business Secure Router 222 is an ideal secure gateway for all data passing between the Internet and the Local Area Network (LAN).

Table 1 Feature Specifications
Feature: Specification
Number of address mapping rules: 10
Maximum number of VPN IP Policies: 60
Maximum number of VPN Tunnels (Client and/or Branch Office): 10
Maximum number of concurrent VPN IPSec Connections: 60
Number of IP pools that can be used to assign IP addresses to remote users for VPN client termination: 3
Number of configurable split networks for VPN client termination: 16
Number of configurable

Auxiliary port
The Business Secure Router uses the same port for console management and for an auxiliary WAN backup. The AUX port can be used in reserve as a traditional dial-up connection if the broadband connection on the WAN port fails.

Time and date
Using the Business Secure Router, you can get the current time and date from an external server when you turn on your Business Secure Router.

Certificates
The Business Secure Router can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication.

SSH
The Business Secure Router uses the SSH (Secure Shell) secure communication protocol to provide secure, encrypted communication between two hosts over an unsecured network.

Brute force password guessing protection
The Business Secure Router has a special protection mechanism to discourage brute force password guessing attacks on the Business Secure Router’s management interfaces. You can specify a wait time that must expire before you can enter a fourth password after entering three incorrect passwords.
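The following Python model is an added example, not Nortel code and not a description of the BSR222 firmware. It shows the behaviour the paragraph describes: the third wrong password starts a wait, and no fourth attempt, not even a correct one, is evaluated until the wait expires. The 60-second default, the salted PBKDF2 credential store, the caller-supplied clock and the audit trail are assumptions of the model.

```python
"""Model of the three-strikes wait described for the BSR222 management login.
Added example, not Nortel code. The 60-second default, the PBKDF2 credential
store and the caller-supplied clock are constructed for illustration."""
import hashlib
import hmac
import os

MAX_FAILURES = 3             # the third wrong password starts the wait
DEFAULT_WAIT_SECONDS = 60.0  # assumed value; on the router the wait time is configurable


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the model never stores a plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class LoginGuard:
    """Tracks consecutive failures for one management account."""

    def __init__(self, password: str, wait_seconds: float = DEFAULT_WAIT_SECONDS) -> None:
        self.salt = os.urandom(16)
        self.stored = _digest(password, self.salt)
        self.wait_seconds = wait_seconds
        self.failures = 0
        self.locked_until = None   # clock value at which the wait expires, or None
        self.events = []           # audit trail of (time, outcome) for the log

    def seconds_remaining(self, now: float) -> float:
        """How long the caller must still wait; 0.0 when attempts are accepted."""
        if self.locked_until is None:
            return 0.0
        return max(0.0, self.locked_until - now)

    def attempt(self, password: str, now: float) -> str:
        """Evaluate one login attempt made at clock value `now`.

        Returns "ok", "denied" or "wait". During the wait the password is not
        compared at all, which is what slows a guessing attack down.
        """
        if self.locked_until is not None:
            if now < self.locked_until:
                self.events.append((now, "wait"))
                return "wait"
            # Wait expired: the fourth attempt is allowed and counting restarts.
            self.locked_until = None
            self.failures = 0
        if hmac.compare_digest(_digest(password, self.salt), self.stored):
            self.failures = 0
            self.events.append((now, "ok"))
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + self.wait_seconds
        self.events.append((now, "denied"))
        return "denied"


def demo() -> list:
    """Three wrong guesses, the right password too early, then the right password on time."""
    guard = LoginGuard("constructed-demo-password", wait_seconds=60.0)
    outcomes = [guard.attempt(guess, t) for guess, t in (("a", 0.0), ("b", 1.0), ("c", 2.0))]
    outcomes.append(guard.attempt("constructed-demo-password", 10.0))   # still inside the wait
    outcomes.append(guard.attempt("constructed-demo-password", 62.0))   # wait over
    return outcomes  # ["denied", "denied", "denied", "wait", "ok"]


if __name__ == "__main__":
    print(demo())
```

The model keeps the state per account and per clock rather than per source address, so it mirrors the manual's wording ("a fourth password after three incorrect passwords"); the `events` list is where a real implementation would hand the outcome to the device log so that repeated `wait` results can be alerted on.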
PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using a TCP/IP-based network. PPTP supports on-demand, multiprotocol, and virtual private networking over public networks, such as the Internet. The Business Secure Router supports one PPTP server connection at any given time.

SNMP
SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Business Secure Router supports SNMP agent functionality, which means that a manager station can manage and monitor the Business Secure Router through the network. The Business Secure Router supports SNMP versions 1 and 2 (SNMPv1 and SNMPv2).

Full network management
The embedded web configurator is an all-platform, web-based utility that you can use to easily manage and configure the Business Secure Router. Most functions of the Business Secure Router are also software-configurable via the SMT (System Management Terminal) interface. The SMT is a menu-driven interface that you can access from a terminal emulator through the console port or over a Telnet connection.

Applications for the Nortel Business Secure Router 222

Secure broadband internet access and VPN
You can connect a cable, DSL, or other modem to the Nortel Business Secure Router 222 via the Ethernet WAN port for broadband Internet access. The Business Secure Router also provides IP address sharing and a firewall-protected local network with traffic management.

Hardware Setup
Refer to Nortel Business Secure Router 222 — Fundamentals (NN47922-301) for hardware connection instructions.
Note: To keep the Business Secure Router operating at optimal internal temperature, keep the bottom, sides, and rear clear of obstructions and away from the exhaust of other equipment.
After installing your Nortel Business Secure Router 222, continue with the rest of this guide for configuration instructions.
Chapter 2 Introducing the WebGUI

This chapter describes how to access the Business Secure Router WebGUI and provides an overview of its screens.

WebGUI overview
The WebGUI is an HTML-based management interface that a user can use for easy setup and management of the Business Secure Router via an Internet browser. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions. The recommended screen resolution is 1024 by 768 pixels.

1 Launch your web browser.
2 Type 192.168.1.1 as the URL.
3 Type the user name (nnadmin is the default) and the password (PlsChgMe! is the default) and click Login. Click Reset to clear any information you have entered in the Username and Password fields.
Figure 2 Login screen
4 A screen asking you to change your password (highly recommended) appears and is shown in Figure 3.
Figure 3 Change password screen
5 Click Apply in the Replace Certificate screen to create a certificate using your Business Secure Router’s MAC address that is specific to this device.
The MAIN MENU screen appears.
Note: The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back on to the Business Secure Router if this happens to you.

Restoring the factory default configuration settings
If you just want to restart the Business Secure Router, press the rear panel RESET button for one to three seconds.

5 Wait for the Starting XMODEM upload message before activating Xmodem upload on your terminal. Figure 5 is an example of an Xmodem configuration upload using HyperTerminal.
6 Click Transfer, then Send File to display the screen illustrated in Figure 5.
Figure 5 Example Xmodem Upload
7 After the firmware uploads successfully, enter atgo to restart the router.

Figure 6 MAIN MENU Screen
Click the Contact link to display the customer support contact information. Figure 7 is a sample of what displays.
Figure 7 Contact Support
Chapter 3 Wizard setup

This chapter provides information on the Wizard screens in the WebGUI.

Wizard overview
The setup wizard in the WebGUI helps you configure your device to access the Internet. The second screen has three variations, depending on which encapsulation type you use. Refer to your ISP checklist in the Nortel Business Secure Router 222 — Fundamentals (NN47922-301) to know what to enter in each field. Leave a field blank if you do not have the required information.

Domain Name
The Domain Name entry is what is propagated to the DHCP clients on the LAN. If you leave this blank, the domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name) on each individual computer, the domain name can be assigned from the Business Secure Router via DHCP. Click Next to configure the Business Secure Router for Internet access.

Ethernet
Choose Ethernet when the WAN port is used as a regular Ethernet port.
Table 2 describes the fields in Figure 9.
Table 2 Wizard 2: Ethernet Encapsulation
Label: Description
Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet port. Otherwise, choose PPPoE or PPTP for a dial-up connection.
Service Type: Choose from Standard, RR-Telstra (Telstra authentication method), RR-Manager (Road Runner Manager authentication method) or RR-Toshiba (Road Runner Toshiba authentication method).

Figure 10 Wizard 2: PPTP Encapsulation
Table 3 describes the fields in Figure 10.
Table 3 Wizard 2: PPTP Encapsulation
Label: Description
ISP Parameters for Internet Access
Encapsulation: Select PPTP from the drop-down list.
User Name: Type the username given to you by your ISP.
Password: Type the password associated with the username above.
Nailed Up Connection: Select Nailed Up Connection if you do not want the connection to time out.
PPTP Configuration
My IP Address: Type the (static) IP address assigned to you by your ISP.
My IP Subnet Mask: Type the subnet mask assigned to you by your ISP (if given).
Server IP Address: Type the IP address of the PPTP server.
Connection ID/Name: Enter the connection ID or connection name in this field. It must follow the c:id and n:name format. For example, C:12 or N:My ISP.

By implementing PPPoE directly on the Business Secure Router (rather than on individual computers), the computers on the LAN do not need PPPoE software installed, since the Business Secure Router does that part of the task. Furthermore, with NAT, all the computers on the LAN have Internet access.
Figure 11 Wizard2: PPPoE Encapsulation
Table 4 describes the fields in Figure 11.
Table 4 Wizard2: PPPoE Encapsulation
Label: Description
Nailed Up Connection: Select Nailed Up Connection if you do not want the connection to time out.
Idle Timeout: Type the time, in seconds, that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds.
Next: Click Next to continue.
Back: Click Back to return to the previous screen.

You can obtain your IP address from the IANA, from an ISP, or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. If you are part of a much larger organization, consult your network administrator for the appropriate IP addresses.

The subnet mask specifies the network number portion of an IP address. Your Business Secure Router computes the subnet mask automatically based on the IP address that you enter. You do not need to change the subnet mask computed by the Business Secure Router unless you are instructed to do otherwise.

DNS Server address assignment
Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa; for instance, the IP address of www.nortel.com is 47.

The WAN port of your Business Secure Router is set to half-duplex mode, as most cable or DSL modems only support half-duplex mode. Make sure your modem is in half-duplex mode. Your Business Secure Router supports full-duplex mode on the LAN side.
Table 6 Example of network properties for LAN servers with fixed IP addresses
Choose an IP address: 192.168.1.2-192.168.1.32; 192.168.1.65-192.168.1.254.
Subnet mask: 255.255.255.0
Gateway (or default route): 192.168.1.
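As an added example (not Nortel code), the Python below turns the subnet-mask paragraph and Table 6 into a checker for a fixed LAN server address. The classful first-octet rule is an assumption about how the router derives the mask (the page only says the mask is computed from the address you enter); the gateway address 192.168.1.1 is the WebGUI address from Chapter 2, and the recommended host ranges are those of Table 6. It goes slightly beyond the table by also rejecting the network, broadcast and gateway addresses and anything outside the RFC 1918 private ranges.

```python
"""Checks for a fixed LAN server address plan like the one in Table 6.
Added example, not Nortel code. The classful rule in classful_mask() is an
assumption about the router's automatic mask computation."""
import ipaddress

# RFC 1918 private ranges (the manual's Table 5 lists the private address ranges).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

ROUTER_LAN_ADDRESS = "192.168.1.1"   # the WebGUI address from Chapter 2

# Host ranges Table 6 recommends for LAN servers with fixed addresses.
RECOMMENDED_RANGES = [
    (ipaddress.ip_address("192.168.1.2"), ipaddress.ip_address("192.168.1.32")),
    (ipaddress.ip_address("192.168.1.65"), ipaddress.ip_address("192.168.1.254")),
]


def classful_mask(address: str) -> str:
    """Default mask implied by the first octet (classes A, B and C).

    Assumed model of the router's automatic computation; an ISP-assigned mask
    always takes precedence over this guess.
    """
    first = int(address.split(".")[0])
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    if first < 224:
        return "255.255.255.0"
    raise ValueError(f"{address}: class D/E addresses cannot be assigned to hosts")


def is_private(address: str) -> bool:
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in PRIVATE_RANGES)


def in_recommended_ranges(address: str) -> bool:
    addr = ipaddress.ip_address(address)
    return any(lo <= addr <= hi for lo, hi in RECOMMENDED_RANGES)


def check_fixed_address(host: str, gateway: str = ROUTER_LAN_ADDRESS, mask: str = None) -> list:
    """Return the problems with giving `host` a fixed address behind `gateway`.

    An empty list means the address is usable as a LAN server address.
    """
    mask = mask or classful_mask(gateway)       # Table 6: 255.255.255.0 for 192.168.1.x
    net = ipaddress.ip_network(f"{gateway}/{mask}", strict=False)
    h = ipaddress.ip_address(host)
    problems = []
    if not is_private(host):
        problems.append("not in an RFC 1918 private range")
    if h not in net:
        problems.append(f"not in the gateway's subnet {net}")
    else:
        if h == ipaddress.ip_address(gateway):
            problems.append("collides with the gateway address")
        if h == net.network_address:
            problems.append("is the network address")
        if h == net.broadcast_address:
            problems.append("is the broadcast address")
    if not in_recommended_ranges(host):
        problems.append("outside the address ranges Table 6 recommends")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: two good addresses and three mistakes.
    for host in ("192.168.1.10", "192.168.1.200", "192.168.1.1", "192.168.2.10", "192.168.1.255"):
        print(host, check_fixed_address(host) or "ok")
```

Run it as a script to see the sample plan evaluated; in practice you would feed it the list of servers you intend to give fixed addresses before typing them into the LAN screens, so that a collision with the router or with the DHCP-served part of the subnet is caught before the devices go live.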
Figure 12 Wizard 3
Table 7 describes the fields in Figure 12.
Table 7 Wizard 3
Label: Description
WAN IP Address Assignment
Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Use fixed IP address: Select this option if the ISP assigned a fixed IP address.
IP Address: Enter your WAN IP address in this field if you select Use Fixed IP Address.
IP Subnet Mask: Enter the IP subnet mask in this field if you select Use Fixed IP Address. This field is not available when you select PPPoE encapsulation in the previous wizard screen.
Gateway IP Address: Enter the gateway IP address in this field if you select Use Fixed IP Address. This field is not available when you select PPPoE encapsulation in the previous wizard screen.
First DNS Server: Select From ISP if your ISP dynamically assigns DNS server information (and the Business Secure Router’s WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns. If you chose From ISP, but the Business Secure Router has a fixed WAN IP address, From ISP changes to None after you click Finish.

Basic Setup Complete
Well done! You have successfully set up your Business Secure Router to operate on your network and access the Internet.
Chapter 4 User Notes

General Notes
There are some router functions that, although performing as expected, might cause some confusion. These are summarized below.

General
1 Default Address Mapping Rules When NAT Full Feature Is First Enabled
When NAT Full Feature is first enabled, two address mapping rules are added to the address mapping table. This is done to facilitate programming, and matches the default SUA rule. The rules can be deleted.

If the Administrator Timeout is set to 0, and an administration session is terminated without logging off, the router needs to be rebooted in order for the administrator to log in to the WebGUI again. Alternatively, the administrator can log in using a Telnet session, if Telnet access has been enabled in the Remote Management menu.
5 Clicking Sound
The Business Secure Router will click once every two minutes until an ADSL line is connected.

VPN Client Termination
1 Change of User Account Does Not Drop Existing Connections
If a VPN Client user account is deactivated, deleted, or changed, and that user is currently connected, the connection is not automatically dropped. To drop the connection, the administrator needs to disconnect the user using the 'Disconnect' function in the VPN/SA Monitor GUI. This is consistent with other Nortel Contivity products.

VPN Clients can have dynamically assigned IP addresses, or they can have statically assigned addresses. However, the router does not support both modes at once. All addresses must either be dynamically assigned, or they must all be statically assigned.

The number controls the operating mode:
None (disabled)
RIP-1 only
RIP-2 only
Both RIP-1 and RIP-2

Advanced Router Configuration
The following notes are intended to help with advanced router configuration.

Setting up the router when the system has a server
1 If you are using a Full-Feature NAT configuration, first, do the following... a
2 In SUA/NAT / Address Mapping, add a 'Server' rule, specifying the 'Public' IP address of the server.

2 b Enter the authentication information, with either a pre-shared key or an imported certificate.
c Enter the IP Address assigned to the router WAN port. This should be a static address, or a dynamic DNS name, and the IP address of the remote router.
d Select the encryption and authentication algorithms.
e Add an IP policy, by specifying the IP address ranges of the local and remote hosts that will use the tunnel.
Repeat these steps at the other end of the branch.

Scenario 2: A BCM50 in each site, each acting as the backup call server for the other site
1 At each site,
a Ensure that the DHCP Server in the BCM50 is disabled, that the BCM50 is connected to the router, and that both have booted.
b Add the IP phones to the site as per the BCM50 installation guide.

Allowing remote management of a LAN-connected BCM50
1 Create the appropriate NAT server rules to add the BCM50. Go to SUA/NAT / SUA Server, and create two server rules for HTTPS and Element Manager access:
One named BCM_HTTPS, with port number 443, and the IP address of the BCM50
One named BCM_EM, with port number 5989, and the IP address of the BCM50
Note: In DHCP Server mode, the BCM50 IP address will be the lowest address in the pool.

5 In the FIREWALL, set up a LAN-to-LAN rule to block traffic between the guest subnet (DHCP Pool) and the corporate subnet (IP Alias subnet).
Note: If branch tunnels are being used, the policies on these tunnels should exclude the guest subnet.

Preventing heavy data traffic from impacting telephone calls
To ensure voice quality during heavy data traffic, bandwidth needs to be reserved for voice traffic.

Under VPN / Global Setting, enable Exclusive Mode, and fill in the MAC address of the telephone set. Under Bandwidth Management, set up WAN bandwidth management to reserve 110 kbps of bandwidth for UDP traffic (protocol ID 17). See the preceding section titled “Preventing heavy data traffic from impacting telephone calls.”
3 Provision the IP set with the corporate call server address.
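Step 5 of the guest-network procedure above asks for a LAN-to-LAN rule that blocks traffic between the guest subnet (DHCP Pool) and the corporate subnet (IP Alias subnet). The Python below is an added example, not Nortel code and not a model of the BSR222 firewall engine: it evaluates a first-match rule list over sample flows and checks that the isolation holds in both directions, which a rule written for only one direction silently misses. The two subnets, the rule format and the first-match semantics are constructed for the illustration.

```python
"""First-match model of the guest/corporate LAN-to-LAN block from Chapter 4.
Added example, not Nortel code. Subnets, rule format and semantics are constructed."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "block" or "allow"

    def matches(self, src_ip: ipaddress.IPv4Address, dst_ip: ipaddress.IPv4Address) -> bool:
        return src_ip in self.src and dst_ip in self.dst


def evaluate(rules, src_ip: str, dst_ip: str, default: str = "allow") -> str:
    """Return the action of the first rule matching the flow, else `default`."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(s, d):
            return rule.action
    return default


def isolation_gaps(rules, guest: ipaddress.IPv4Network, corporate: ipaddress.IPv4Network) -> list:
    """Directions between the two subnets that the rule set still allows.

    Step 5 says to block traffic *between* the subnets, so both directions are
    probed, each with an arbitrary host address (network address + 10).
    """
    g = str(guest.network_address + 10)
    c = str(corporate.network_address + 10)
    gaps = []
    if evaluate(rules, g, c) != "block":
        gaps.append("guest->corporate")
    if evaluate(rules, c, g) != "block":
        gaps.append("corporate->guest")
    return gaps


# Constructed subnets: the DHCP pool (guest) and the IP Alias subnet (corporate).
GUEST = ipaddress.ip_network("192.168.1.0/24")
CORPORATE = ipaddress.ip_network("192.168.2.0/24")

# A rule set that only blocks guest-initiated traffic.
ONE_WAY = [Rule(GUEST, CORPORATE, "block"), Rule(ANY, ANY, "allow")]

# Both directions blocked; everything else (guest to the Internet, for example) still allowed.
BOTH_WAYS = [
    Rule(GUEST, CORPORATE, "block"),
    Rule(CORPORATE, GUEST, "block"),
    Rule(ANY, ANY, "allow"),
]

if __name__ == "__main__":
    # Constructed sample flows: guest to corporate, corporate to guest, guest to the Internet.
    for name, rules in (("one-way", ONE_WAY), ("both-ways", BOTH_WAYS)):
        print(name, "gaps:", isolation_gaps(rules, GUEST, CORPORATE) or "none")
        print("  guest->internet:", evaluate(rules, "192.168.1.20", "203.0.113.9"))
```

The model is stateless, so it says nothing about reply packets; on the device itself, confirm in the Firewall screens (Chapter 11) which direction each LAN-to-LAN rule applies to and whether established sessions are matched separately, and keep the branch-tunnel policies from including the guest subnet as the note above says.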
Chapter 5 System screens
This chapter provides information on the System screens.

System overview
This section provides background information on features that you cannot configure in the Wizard.

DNS overview
There are three places where you can configure DNS (Domain Name System) setup on the Business Secure Router.

Figure 13 depicts an example where three VPN tunnels are created from Business Secure Router A: one to branch office 2, one to branch office 3, and another to headquarters (HQ). In order to access computers that use private domain names on the HQ network, the Business Secure Router at branch office 1 uses the Intranet DNS server in headquarters.

Figure 14 System general setup
Table 8 describes the fields in Figure 14.
Table 8 System general setup
System Name: Choose a descriptive name for identification purposes. Nortel recommends that you enter your computer name in this field. This name can be up to 30 alphanumeric characters long. Spaces, dashes (-) and underscores (_) are accepted.
Domain Name: Enter the domain name (if you know it) here.
System DNS Servers (if applicable): DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The Business Secure Router uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.

Dynamic DNS
With Dynamic DNS, you can update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (as in NetMeeting or CU-SeeMe). You can also access your FTP server or Web site on your own computer using a domain name (for instance, myhost.dhs.org, where myhost is a name of your choice) that will never change, instead of using an IP address that changes each time you reconnect.

Figure 15 DDNS
Table 9 describes the fields in Figure 15.
Table 9 DDNS
Active: Select this check box to use dynamic DNS.
Service Provider: Select the name of your Dynamic DNS service provider.
DDNS Type: Select the type of service that you are registered for from your Dynamic DNS service provider.
Host Names 1~3: Enter the host names in the three fields provided. You can specify up to two host names in each field, separated by a comma (,).
Password: Enter the password associated with your username (up to 31 characters).
Enable Wildcard: Select the check box to enable DYNDNS Wildcard.
Off Line: This option is available when CustomDNS is selected in the DDNS Type field. Check with your Dynamic DNS service provider to have traffic redirected to a URL (that you can specify) while you are off line.

Figure 16 Password
Table 10 describes the fields in Figure 16.
Table 10 Password
Administrator Setting: The administrator can access and configure all of the Business Secure Router's features.
Old Password: Type your existing system administrator password (PlsChgMe! is the default password).
New Password: Type your new system password (up to 31 characters).
Client User Setting: The client user is the person who uses the Business Secure Router's Contivity Client VPN tunnel. The client user can do the following:
• Configure the WAN ISP and IP screens.
• Configure the VPN Contivity Client settings (except the Advanced screen's exclusive use mode for client tunnel and MAC address allowed settings).
• View the SA monitor.
• Configure the VPN Global Setting screen.
• View logs.

When the Business Secure Router uses the predefined list of NTP time servers, it randomly selects one server and tries to synchronize with it. If the synchronization fails, the Business Secure Router goes through the rest of the list in order, starting from the one it first tried, until either it succeeds or all the predefined NTP time servers have been tried.
Table 11 Default Time Servers
a.ntp.alphazed.net
ntp1.cs.wisc.edu
ntp1.gbg.netnod.se
ntp2.cs.wisc.edu
tock.usno.navy.

Figure 17 Time and Date
Table 12 describes the fields in Figure 17.
Table 12 Time and Date
Current Time and Date
Current Time: This field displays the time on your Business Secure Router. Each time you reload this page, the Business Secure Router synchronizes the time with the time server.
Current Date: This field displays the date on your Business Secure Router. Each time you reload this page, the Business Secure Router synchronizes the date with the time server.
Time Zone Setup
Time Zone: Choose the time zone of your location. This sets the time difference between your time zone and Greenwich Mean Time (GMT).
Enable Daylight Saving: Daylight Saving Time is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening. Select this option if you use Daylight Saving Time.

ALG
With Application Layer Gateway (ALG), applications can pass through NAT and the firewall. You must also configure NAT and firewall rules depending upon the type of access you want to allow.
Note: You must enable the FTP, H.323 or SIP ALG in order to use bandwidth management on that application.

Configuring ALG
To change the ALG settings of your Business Secure Router, click SYSTEM and then ALG. The screen appears as shown in Figure 18.
Table 13 describes the labels in Figure 18.
Table 13 ALG
Enable FTP ALG: Select this check box to allow FTP (File Transfer Protocol) to send and receive files through the Business Secure Router.
Enable H.323 ALG: Select this check box to allow applications using H.323 to go through the Business Secure Router. H.
Chapter 6 LAN screens
This chapter describes how to configure LAN settings.

LAN overview
A Local Area Network (LAN) is a shared communication system to which many computers are attached. The LAN screens can help you configure a LAN DHCP server, manage IP addresses, configure RIP and multicast settings, and partition your physical network into logical networks.

DNS servers
Use the LAN IP screen to configure the DNS server information that the Business Secure Router sends to the DHCP client devices on the LAN.

LAN TCP/IP
The Business Secure Router has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.

Factory LAN defaults
The LAN parameters of the Business Secure Router are preset in the factory with the following values:
• IP address of 192.168.1.

Both RIP-2B and RIP-2M send routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines, since they generally do not listen to the RIP multicast address and so do not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must also use multicasting. By default, RIP Direction is set to Both and RIP Version to RIP-1.

Configuring IP
Click LAN to open the IP screen.
Table 14 describes the fields in Figure 19.
Table 14 LAN IP
DHCP Server: With DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132), individual clients (workstations) can obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave this field set to Server. When configured as a server, the Business Secure Router provides TCP/IP configuration for the clients.
First DNS Server, Second DNS Server, Third DNS Server: Select From ISP if your ISP dynamically assigns DNS server information (and the Business Secure Router's WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns. Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the Business Secure Router sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.

Configuring Static DHCP
With Static DHCP, you can assign IP addresses on the LAN to specific individual computers based on their MAC addresses. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. To change your Business Secure Router's Static DHCP settings, click LAN, then the Static DHCP tab. The screen appears as shown in Figure 20.
Table 15 Static DHCP
IP Address: This field specifies the size, or count, of the IP address pool.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.

Configuring IP Alias
With IP Alias, you can partition a physical network into different logical networks over the same Ethernet interface.
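The following is an added example, not Nortel's code, that models how a LAN DHCP pool interacts with Static DHCP reservations: MAC addresses are validated against the six-pair hexadecimal form described above, reserved addresses are handed only to their MAC, and other clients receive the lowest free address in the pool (the behaviour the chapter 4 note relies on when it says the BCM50 gets the lowest address). The pool start, pool size and all MAC and IP values are constructed sample values.

```python
"""Added example (not Nortel's code): a toy DHCP allocator with Static DHCP
reservations keyed by MAC address. Pool range and addresses are constructed."""
import ipaddress
import re

# Six pairs of hex characters separated by colons, e.g. 00:A0:C5:00:00:02
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def is_valid_mac(mac: str) -> bool:
    """True when mac has the six-pair colon-separated form the screen expects."""
    return MAC_RE.match(mac) is not None


def normalize_mac(mac: str) -> str:
    """Validate the format and return the address in canonical upper case."""
    if not is_valid_mac(mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return mac.upper()


class DhcpServer:
    def __init__(self, pool_start: str, pool_size: int):
        start = ipaddress.IPv4Address(pool_start)
        # The pool is the contiguous block of pool_size addresses from pool_start.
        self.pool = [str(start + i) for i in range(pool_size)]
        self.static = {}   # MAC -> reserved IP (the Static DHCP table)
        self.leases = {}   # MAC -> IP currently handed out from the pool

    def add_static(self, mac: str, ip: str) -> None:
        """Reserve ip for the device with this MAC (a Static DHCP entry)."""
        ipaddress.IPv4Address(ip)          # raises ValueError on a malformed address
        self.static[normalize_mac(mac)] = ip

    def offer(self, mac: str):
        """Return the address offered to this client, or None if the pool is exhausted."""
        mac = normalize_mac(mac)
        if mac in self.static:             # reservation always wins
            return self.static[mac]
        if mac in self.leases:             # a returning client keeps its lease
            return self.leases[mac]
        in_use = set(self.leases.values()) | set(self.static.values())
        for ip in self.pool:               # lowest free address first
            if ip not in in_use:
                self.leases[mac] = ip
                return ip
        return None
```

Reserved addresses that fall inside the pool are skipped by the dynamic allocator, so a reservation never collides with a lease.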
Figure 21 IP Alias
Table 16 describes the fields in Figure 21.
Table 16 IP Alias
IP Alias 1,2: Select the check box to configure another LAN network for the Business Secure Router.
IP Address: Enter the IP address of your Business Secure Router in dotted decimal notation.
IP Subnet Mask: Your Business Secure Router automatically calculates the subnet mask based on the IP address that you assign.
RIP Direction: With RIP (Routing Information Protocol, RFC 1058 and RFC 1389), a router can exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the Business Secure Router broadcasts its routing table periodically.
Chapter 7 WAN screens
This chapter describes how to configure WAN settings.

WAN Overview
This section provides background information on features that you cannot configure in the Wizard.

7.1 TCP/IP Priority (Metric)
The metric represents the cost of transmission. A router determines the best route for transmission by choosing a path with the lowest cost. RIP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks.

The dial backup or traffic redirect routes cannot take priority over the WAN routes.

Configuring Route
Click WAN to open the Route screen.
Figure 22 WAN: Route
Table 17 describes the fields in Figure 22.
Table 17 WAN: Route
WAN: The default WAN connection is 1, as your broadband connection via the WAN port must always be your preferred method of accessing the WAN.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.

Configuring WAN ISP
To change your Business Secure Router's WAN ISP settings, click WAN, then the WAN ISP tab. The screen differs by the encapsulation.

Ethernet Encapsulation
The screen shown in Figure 23 is for Ethernet encapsulation.
Table 18 describes the fields in Figure 23.
Table 18 Ethernet Encapsulation
Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
Service Type: Choose from Standard, Telstra (Road Runner Telstra authentication method), RR-Manager (Road Runner Manager authentication method) or RR-Toshiba (Road Runner Toshiba authentication method). The following fields do not appear with the Standard service type.

Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific configuration of the broadband modem at the customer site. By implementing PPPoE directly on the Business Secure Router (rather than on individual computers), the computers on the LAN do not need PPPoE software installed, since the Business Secure Router does that part of the task. Furthermore, with NAT, all of the computers on the LAN have access.

Table 19 describes the fields in Figure 24.
Table 19 PPPoE Encapsulation
Encapsulation: The PPPoE choice is for a dial-up connection using PPPoE. The router supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (for example, DSL, cable, or wireless) connection.

Figure 25 PPTP Encapsulation
Table 20 describes the fields in Figure 25.
Table 20 PPTP Encapsulation
Encapsulation: Point-to-Point Tunneling Protocol (PPTP) is a network protocol that makes secure transfer of data from a remote client to a private server possible by creating a Virtual Private Network (VPN) using TCP/IP based networks. PPTP supports on-demand, multiprotocol, and virtual private networking over public networks, such as the Internet.
Password: Type the password associated with the username.
Nailed up Connection: Select Nailed Up Connection if you do not want the connection to time out.
Idle Timeout: This value specifies the time, in seconds, that elapses before the Business Secure Router automatically disconnects from the PPTP server.
PPTP Configuration
My IP Address: Type the (static) IP address assigned to you by your ISP.

Figure 26 RR Service type
Table 21 describes the fields in Figure 26.
Table 21 RR Service Type
Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
Service Type: Select from Standard, RR-Toshiba (Road Runner Toshiba authentication method), RR-Manager (Road Runner Manager authentication method) or RR-Telstra. Choose a Road Runner service type if your ISP is Time Warner's Road Runner; otherwise choose Standard.

Configuring WAN IP
To change the WAN IP settings of your Business Secure Router, click WAN, then the WAN IP tab. This screen varies according to the type of encapsulation you select. If your ISP did not assign you a fixed IP address, click Get automatically from ISP (Default); otherwise click Use fixed IP Address and enter the IP address in the field My WAN IP Address.

Figure 27 WAN: IP
Table 22 describes the fields in Figure 27.
Table 22 WAN: IP
Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Use fixed IP address: Select this option if your ISP assigned a fixed IP address.
IP Address: Enter your WAN IP address in this field if you selected Use Fixed IP Address.
RIP Direction: With RIP (Routing Information Protocol), a router can exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only. When set to Both or Out Only, the Business Secure Router broadcasts its routing table periodically. When set to Both or In Only, the Business Secure Router incorporates RIP information that it receives.
Allow between WAN and LAN: Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you must also enable the default WAN to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN.

Using the MAC address screen, you can configure the MAC address of the WAN port by either using the factory default or cloning the MAC address from a computer on your LAN. Choose Factory Default to select the factory assigned default MAC address. Otherwise, click Spoof this computer's MAC address - IP Address and enter the IP address of the computer on the LAN whose MAC address you are cloning.

Figure 30 Traffic Redirect LAN Setup

Configuring Traffic Redirect
To change your Business Secure Router's Traffic Redirect settings, click WAN, then the Traffic Redirect tab. The screen appears as shown in Figure 31.
Figure 31 Traffic Redirect
Table 23 describes the fields in Figure 31.
Table 23 Traffic Redirect
Active: Select this check box to have the Business Secure Router use traffic redirect if the normal WAN connection goes down.
Backup Gateway IP Address: Type the IP address of your backup gateway in dotted decimal notation. The Business Secure Router automatically forwards traffic to this IP address if the Business Secure Router's Internet connection terminates.
Check WAN IP Address: Configuration of this field is optional. If you do not enter an IP address here, the Business Secure Router uses the default gateway IP address. Configure this field to test your Business Secure Router's WAN accessibility. Type the IP address of a reliable nearby computer (for example, your ISP's DNS server address). If you are using PPTP or PPPoE Encapsulation, type 0.0.0.

Figure 32 Dial Backup Setup
Table 24 describes the fields in Figure 32.
Table 24 Dial Backup Setup
Enable Dial Backup: Select this check box to turn on dial backup.
Basic Settings
Login Name: Type the logon name assigned by your ISP.
Password: Type the password assigned by your ISP.
Retype to Confirm: Type your password again in this field.
Authentication Type: Use the drop-down list to select an authentication protocol for outgoing calls.
Used Fixed IP Address: Select this check box if your ISP assigned you a fixed IP address, and then enter the IP address in the following field.
My WAN IP Address: Leave the field set to 0.0.0.0 (default) to have the ISP or other remote router dynamically (automatically) assign your WAN IP address if you do not know it. Type your WAN IP address here if you know it (static).
RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, In Only or Out Only. When set to Both or Out Only, the Business Secure Router broadcasts its routing table periodically. When set to Both or In Only, the Business Secure Router incorporates RIP information that it receives.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.

Advanced Modem Setup
AT Command Strings
For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing. ATDT is the command for a switch that requires tone dialing. If your switch requires pulse dialing, change the string to ATDP.

Configuring Advanced Modem Setup
Click the Edit button in the Dial Backup screen to display the Advanced Setup screen shown in Figure 33.
Note: Consult the manual of your WAN device connected to your dial backup port for specific AT commands.
Table 25 describes the fields in Figure 33.
Table 25 Advanced Setup
Dial: Type the AT Command string to make a call. Example: atdt
Drop: Type the AT Command string to drop a call. ~ represents a one-second wait. For example, ~~~+++~~ath can be used if your modem has a slow response time. Example: ~~+++~~ath
Answer: Type the AT Command string to answer a call.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.
Chapter 8 Network Address Translation (NAT) Screens
This chapter discusses how to configure NAT on the Business Secure Router.

NAT overview
NAT (Network Address Translation—NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network, is changed to a different IP address known within another network.

NAT definitions
Inside/outside denotes where a host is located relative to the Business Secure Router.
Note that inside/outside refers to the location of a host, while global/local refers to the IP address of a host used in a packet. Thus, an inside local address (ILA) is the IP address of an inside host in a packet when the packet is still in the local network, while an inside global address (IGA) is the IP address of the same inside host when the packet is on the WAN side. Table 26 summarizes this information.

How NAT works
Each packet has two addresses: a source address and a destination address. For outgoing packets, the ILA (Inside Local Address) is the source address on the LAN, and the IGA (Inside Global Address) is the source address on the WAN. For incoming packets, the ILA is the destination address on the LAN, and the IGA is the destination address on the WAN.

In Figure 35, B can send packets with source IP address e.f.g.h and port 20202 to A because A previously sent a packet to IP address e.f.g.h and port 20202. B cannot send packets with source IP address e.f.g.h and port 10101 to A because A has not sent a packet to IP address e.f.g.h and port 10101.

Figure 36 NAT application with IP Alias

NAT mapping types
NAT supports five types of IP/port mapping. They are:
• One to One: In One-to-One mode, the Business Secure Router maps one local IP address to one global IP address.
• Many to One: In Many-to-One mode, the Business Secure Router maps multiple local IP addresses to one global IP address.
Table 27 summarizes these types.

SUA Server
A SUA server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though SUA makes your whole inside network appear as a single computer to the outside world. You can enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server.

Port forwarding: Services and Port Numbers
The most often used port numbers are shown in Table 28. Refer to Assigned Numbers (RFC 1700) for further information about port numbers. Refer to the Supporting CD for more examples and details on SUA/NAT.

Figure 37 Multiple servers behind NAT example

Configuring SUA Server
Note: If you do not assign a Default Server IP Address, then all packets received for ports not specified in this screen are discarded.
Click SUA/NAT to open the SUA Server screen. Refer to Chapter 10, “Firewalls,” on page 155 and Chapter 11, “Firewall screens,” on page 171 for port numbers commonly used for particular services.
Figure 38 SUA/NAT setup
Table 29 describes the fields in Figure 38.
Table 29 SUA/NAT setup
Default Server: In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a default server IP address, then all packets received for ports not specified in this screen are discarded.
Active: Select this check box to enable the SUA server entry. Clear this check box to disallow forwarding of these ports to an inside server without having to delete the entry.
Name: Enter a name to identify this port forwarding rule.
Start Port: Enter a port number here. To forward only one port, enter it again in the End Port field.
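The following is an added example, not Nortel's code, that ties together the two mechanisms this chapter describes: Many-to-One (SUA) translation, where an inbound packet is accepted only if it comes from the address and port a LAN host previously sent to (the Figure 35 rule), and the SUA Server table, where unmatched inbound ports go to the Default Server or are discarded. The WAN address, LAN addresses and the BCM_HTTPS/BCM_EM rules are constructed sample values modelled on the chapter 4 notes; the port numbering the router actually uses is not documented here and is assumed.

```python
"""Added example (not Nortel's code): a toy model of SUA NAT plus SUA Server
port forwarding. All addresses, ports and rule contents are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class SuaRule:
    """One row of the SUA Server screen."""
    name: str
    start_port: int
    end_port: int
    server_ip: str
    active: bool = True


class SuaNat:
    """One WAN address (the IGA) shared by every LAN host (the ILAs)."""

    def __init__(self, wan_ip, rules, default_server=None, first_port=20000):
        self.wan_ip = wan_ip
        self.rules = rules
        self.default_server = default_server
        self.next_port = first_port          # assumed allocation scheme
        self.flows = {}     # (proto, ila, lport, rip, rport) -> WAN port
        self.reverse = {}   # (proto, WAN port) -> that flow tuple

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: replace the ILA source with the IGA and a router-chosen port."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self.flows.get(flow)
        if wan_port is None:
            wan_port = self.next_port
            self.next_port += 1
            self.flows[flow] = wan_port
            self.reverse[(pkt.proto, wan_port)] = flow
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: the translated packet, or None when the router discards it."""
        # 1. Reply to a session a LAN host opened: only the remote address and
        #    port that host actually talked to may come back in (Figure 35).
        flow = self.reverse.get((pkt.proto, pkt.dst_port))
        if flow is not None:
            _, ila, lport, rip, rport = flow
            if pkt.src_ip == rip and pkt.src_port == rport:
                return Packet(pkt.src_ip, pkt.src_port, ila, lport, pkt.proto)
        # 2. An active SUA Server rule covering the destination port.
        for rule in self.rules:
            if rule.active and rule.start_port <= pkt.dst_port <= rule.end_port:
                return Packet(pkt.src_ip, pkt.src_port, rule.server_ip,
                              pkt.dst_port, pkt.proto)
        # 3. The Default Server, if one is configured; otherwise discard.
        if self.default_server:
            return Packet(pkt.src_ip, pkt.src_port, self.default_server,
                          pkt.dst_port, pkt.proto)
        return None


# Constructed sample configuration: a BCM50 at 192.168.1.33 behind WAN 203.0.113.10.
BCM50_IP = "192.168.1.33"
WAN_IP = "203.0.113.10"
RULES = [
    SuaRule("BCM_HTTPS", 443, 443, BCM50_IP),
    SuaRule("BCM_EM", 5989, 5989, BCM50_IP),
    SuaRule("OLD_FTP", 21, 21, "192.168.1.40", active=False),  # cleared Active box
]
```

Leaving Default Server empty is the safer configuration: with it set, every unsolicited port that no rule covers is delivered to that inside host, so the firewall policy on that host's services matters.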
Figure 39 Address Mapping
Table 30 describes the fields in Figure 39.
Table 30 Address Mapping
Local Start IP: This refers to the Inside Local Address (ILA), that is, the starting local IP address. Local IP addresses are N/A for Server port mapping.
Local End IP: This is the end Inside Local Address (ILA). If the rule is for all local IP addresses, then this field displays 0.0.0.0 and 255.255.255.
Type:
1. One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-one NAT mapping type.
2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (that is, PAT, port address translation), the Single User Account feature.
3.

Figure 40 Address Mapping edit
Table 31 describes the fields in Figure 40.
Table 31 Address Mapping edit
Type: Choose the port mapping type from one of the following.
1. One-to-One: One-to-one mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-one NAT mapping type.
2. Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address.
Global End IP: This is the ending Inside Global IP Address (IGA). This field is N/A for One-to-One, Many-to-One and Server mapping types.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.

Figure 41 Trigger Port Forwarding process: example
1 Jane (A) requests a file from the Real Audio server (port 7070).
2 Port 7070 is a trigger port and causes the Business Secure Router to record Jane's computer IP address. The Business Secure Router associates Jane's computer IP address with the incoming port range of 6970-7170.
3 The Real Audio server responds using a port number ranging between 6970-7170.

Configuring Trigger Port Forwarding
To change the trigger port settings of your Business Secure Router, click SUA/NAT and the Trigger Port tab. The screen appears as shown in Figure 42.
Note: Only one LAN computer can use a trigger port (range) at a time.
Table 32 describes the fields in Figure 42.
Table 32 Trigger Port
No.: This is the rule index number (read-only).
Name: Type a unique name (up to 15 characters) for identification purposes. All characters are permitted, including spaces.
Incoming: Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service.
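The following is an added example, not Nortel's code, that walks through the Figure 41 trigger port sequence in code: an outbound packet to the trigger port records the sending LAN host, inbound packets in the incoming range are then forwarded to that host, and a second host hitting the trigger takes the range over, which is the "only one LAN computer at a time" limitation. The Real Audio ports (trigger 7070, incoming 6970-7170) are the manual's; the LAN addresses are constructed.

```python
"""Added example (not Nortel's code): a toy trigger port forwarding table.
Rule numbers come from the manual's Real Audio example; hosts are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class TriggerRule:
    """One row of the Trigger Port screen."""
    name: str
    trigger_start: int
    trigger_end: int
    incoming_start: int
    incoming_end: int


class TriggerPortTable:
    def __init__(self, rules):
        self.rules = rules
        self.holder = {}   # rule name -> LAN IP that last sent to the trigger port

    def outbound(self, lan_ip: str, dst_port: int) -> Optional[str]:
        """A LAN host sends to dst_port. If that is a trigger port, record the host
        and return the rule name; a later host simply replaces the earlier one."""
        for rule in self.rules:
            if rule.trigger_start <= dst_port <= rule.trigger_end:
                self.holder[rule.name] = lan_ip
                return rule.name
        return None

    def inbound(self, dst_port: int) -> Optional[str]:
        """A WAN packet arrives on dst_port. Return the LAN IP it is forwarded to,
        or None (dropped) when no host has opened the matching trigger."""
        for rule in self.rules:
            if rule.incoming_start <= dst_port <= rule.incoming_end:
                return self.holder.get(rule.name)
        return None


# The manual's Figure 41 rule: trigger on 7070, accept replies on 6970-7170.
REALAUDIO = TriggerRule("Real Audio", 7070, 7070, 6970, 7170)
```

Because the incoming range stays open to any WAN source once triggered, a wide incoming range is effectively a temporary port forward to whichever host triggered last; keep ranges as narrow as the application allows.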
Chapter 9 Static Route screens
This chapter shows you how to configure static routes for your Business Secure Router.

Static Route overview
Each remote node specifies only the network to which the gateway is directly connected, and the Business Secure Router has no knowledge of the networks beyond. For instance, the Business Secure Router knows about network N2 in Figure 43 through remote node Router 1.

Figure 43 Example of Static Routing topology

Configuring IP Static Route
Click STATIC ROUTE to open the Route Entry screen.
Note: The first static route entry is for the default WAN route. You cannot modify or delete this static default route.
Figure 44 Static Route screen
Table 33 describes the fields in Figure 43.
Table 33 IP Static Route summary
#: Number of an individual static route.
Name: Name that describes or identifies this route.
Active: This field shows whether this static route is active (Yes) or not (No).
Destination: This parameter specifies the IP network address of the final destination. Routing is always based on network number.

Configuring Route entry
Select a static route index number and click Edit. The screen is illustrated in Figure 45. Fill in the required information for each static route.
Figure 45 Edit IP Static Route
Table 34 describes the fields in Figure 45.
Table 34 Edit IP Static Route
Route Name: Enter the name of the IP static route. Leave this field blank to delete this static route.
Metric: Metric represents the cost of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. Enter a number that approximates the cost for this link. The number need not be precise, but it must be between 1 and 15. In practice, 2 or 3 is usually a good number.
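The following is an added example, not Nortel's code, that models the static route table described in this chapter: entry 1 is the fixed default WAN route, added entries carry a metric that must lie between 1 and 15, inactive entries are ignored, and among usable routes the lowest metric (cost) wins. Choosing the most specific destination network before comparing metrics is ordinary IP forwarding behaviour assumed here rather than something the manual states; all addresses and route names are constructed sample values.

```python
"""Added example (not Nortel's code): a toy static route table with the
manual's 1..15 metric rule. Networks and gateways are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def metric_is_valid(metric: int) -> bool:
    """The Edit IP Static Route screen accepts metrics from 1 to 15 only."""
    return 1 <= metric <= 15


@dataclass
class StaticRoute:
    name: str
    destination: str       # destination network in CIDR form, e.g. "10.2.0.0/16"
    gateway: str           # next-hop router on a directly connected network
    metric: int
    active: bool = True
    network: ipaddress.IPv4Network = field(init=False, repr=False)

    def __post_init__(self):
        if not metric_is_valid(self.metric):
            raise ValueError(f"metric must be between 1 and 15, got {self.metric}")
        self.network = ipaddress.IPv4Network(self.destination, strict=False)
        ipaddress.IPv4Address(self.gateway)   # rejects a malformed gateway


class RouteTable:
    def __init__(self, wan_gateway: str):
        # Entry 1 is the default WAN route, which the screen does not let you edit.
        self.routes = [StaticRoute("default WAN route", "0.0.0.0/0", wan_gateway, 1)]

    def add(self, route: StaticRoute) -> None:
        self.routes.append(route)

    def lookup(self, dst_ip: str) -> Optional[StaticRoute]:
        """Pick the route for dst_ip: most specific network first (assumed
        standard behaviour), then the lowest metric among equals."""
        addr = ipaddress.IPv4Address(dst_ip)
        matches = [r for r in self.routes if r.active and addr in r.network]
        if not matches:
            return None
        return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))
```

A route that is present but marked inactive never influences the choice, which is why toggling Active is a safer way to stage a change than deleting and re-entering the row.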
Chapter 10 Firewalls This chapter gives some background information on firewalls and introduces the Business Secure Router firewall. Firewall overview Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term firewall is a system or group of systems that enforces an access control policy between two networks. It can also be defined as a mechanism used to protect a trusted network from an untrusted network.
Chapter 10 Firewalls Packet Filtering firewalls Packet filtering firewalls restrict access based on the source or destination computer network address of a packet and the type of application. Application level firewalls Application level firewalls restrict access by serving as proxies for external servers. Because they use programs written for specific Internet services, such as HTTP, FTP and Telnet, they can evaluate network packets for valid application specific data.
Chapter 10 Firewalls 157 Introduction to the Business Secure Router firewall The Business Secure Router firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated (in SMT menu 21.2 or in the WebGUI). The Business Secure Router’s purpose is to allow a private Local Area Network (LAN) to be securely connected to the Internet.
Figure 46 Business Secure Router firewall application
Denial of Service
Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The Business Secure Router is preconfigured to automatically detect and thwart the DoS attacks that were known when its firmware was released.
When computers communicate on the Internet, they use the client/server model, where the server listens on a specific TCP/UDP port for information requests from remote client computers on the network. For example, a Web server typically listens on port 80. Note that, while a computer can be intended for use over a single port, such as Web on port 80, other ports are also active and vulnerable to attack by hackers.
2 Weaknesses in the TCP/IP specification leave it open to SYN Flood and LAND attacks. These attacks are executed during the handshake that initiates a communication session between two applications.
Figure 47 Three-way handshake
Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server.
Figure 48 SYN flood
In a LAND attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.
3 A brute force attack, such as a Smurf attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data.
Figure 49 Smurf attack
• ICMP vulnerability
ICMP is an error reporting protocol that works in concert with IP. The following ICMP types trigger an alert:
Table 35 ICMP types that trigger alerts
5 REDIRECT
13 TIMESTAMP_REQUEST
14 TIMESTAMP_REPLY
17 ADDRESS_MASK_REQUEST
18 ADDRESS_MASK_REPLY
• Illegal Commands (NetBIOS and SMTP)
The only legal NetBIOS commands are shown in Table 36; all others are illegal.
All SMTP commands are illegal except for those displayed in Table 37.
Table 37 Legal SMTP commands
AUTH DATA EHLO ETRN EXPN HELO HELP MAIL NOOP QUIT RCPT RSET SAML SEND SOML TURN VRFY
• Traceroute
Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes, when a packet filter firewall is configured incorrectly, an attacker can traceroute the firewall and gain knowledge of the network topology inside the firewall.
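The checks described in the preceding pages (LAND, Smurf, the alert-worthy ICMP types in Table 35 and the SMTP allow-list in Table 37) can be expressed as a small inspector. The following is an added example and is not the Business Secure Router's code: the packet dictionaries, the protected subnet 192.168.1.0/24 and the sample traffic are constructed for illustration, and the NetBIOS allow-list (Table 36) is omitted because its contents are not on this page.

```python
# Added example, not from the Nortel manual: a small inspector that raises the
# alerts this section describes (LAND, Smurf, alert-worthy ICMP types, illegal
# SMTP commands). Packet dictionaries and the protected network are constructed.
from ipaddress import ip_address, ip_network

ICMP_ALERT_TYPES = {5: "REDIRECT", 13: "TIMESTAMP_REQUEST", 14: "TIMESTAMP_REPLY",
                    17: "ADDRESS_MASK_REQUEST", 18: "ADDRESS_MASK_REPLY"}
LEGAL_SMTP = {"AUTH", "DATA", "EHLO", "ETRN", "EXPN", "HELO", "HELP", "MAIL", "NOOP",
              "QUIT", "RCPT", "RSET", "SAML", "SEND", "SOML", "TURN", "VRFY"}

def inspect(pkt: dict, protected) -> list:
    """Return the list of alert strings this packet triggers (empty if clean)."""
    alerts = []
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    proto = pkt["proto"]

    if proto == "tcp" and "S" in pkt.get("flags", ""):
        # LAND: a SYN whose spoofed source address is the target itself
        if src == dst:
            alerts.append("LAND attack: SYN with source address equal to destination")

    if proto == "icmp":
        if pkt["type"] in ICMP_ALERT_TYPES:
            alerts.append(f"ICMP type {pkt['type']} ({ICMP_ALERT_TYPES[pkt['type']]})")
        # Smurf: echo request aimed at the directed broadcast of a protected subnet
        if pkt["type"] == 8 and dst == protected.broadcast_address:
            alerts.append("Smurf attack: ICMP echo request to directed broadcast address")

    if proto == "tcp" and pkt.get("dport") == 25 and pkt.get("payload"):
        # The SMTP command is the first whitespace-separated token of the line
        verb = pkt["payload"].split()[0].upper()
        if verb not in LEGAL_SMTP:
            alerts.append(f"illegal SMTP command: {verb}")
    return alerts

# Constructed sample traffic against the protected LAN 192.168.1.0/24
LAN = ip_network("192.168.1.0/24")
SAMPLES = {
    "normal_syn": {"proto": "tcp", "src": "203.0.113.9", "dst": "192.168.1.10", "flags": "S", "dport": 80},
    "land":       {"proto": "tcp", "src": "192.168.1.10", "dst": "192.168.1.10", "flags": "S", "dport": 139},
    "redirect":   {"proto": "icmp", "src": "203.0.113.9", "dst": "192.168.1.10", "type": 5},
    "echo_host":  {"proto": "icmp", "src": "203.0.113.9", "dst": "192.168.1.10", "type": 8},
    "smurf":      {"proto": "icmp", "src": "203.0.113.9", "dst": "192.168.1.255", "type": 8},
    "smtp_ok":    {"proto": "tcp", "src": "203.0.113.9", "dst": "192.168.1.25", "flags": "PA", "dport": 25,
                   "payload": "MAIL FROM:<alice@example.com>"},
    "smtp_bad":   {"proto": "tcp", "src": "203.0.113.9", "dst": "192.168.1.25", "flags": "PA", "dport": 25,
                   "payload": "XEXCH50 2 2"},
}

def run_samples() -> dict:
    """Inspect every constructed sample and return its alerts by name."""
    return {name: inspect(pkt, LAN) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, alerts in run_samples().items():
        print(f"{name:12} {alerts or 'ok'}")
```

An echo request to a single host is ordinary ping and is not flagged; only the directed-broadcast destination turns it into a Smurf indicator, which is why the inspector needs to know the protected subnet.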
In summary, stateful inspection:
• Allows all sessions originating from the LAN (local network) to the WAN (Internet).
• Denies all sessions originating from the WAN to the LAN.
Figure 50 Stateful inspection
Figure 50 shows the Business Secure Router's default firewall rules in action, and demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed.
3 The packet is inspected by a firewall rule to determine and record information about the state of the packet's connection. This information is recorded in a new state table entry created for the new connection. If there is not a firewall rule for this packet and it is not an attack, the Action for packets that don't match firewall rules field determines the action for this packet.
• Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
These custom rules work by evaluating the network traffic's Source IP address, Destination IP address, IP protocol type, and comparing these to rules set by the administrator.
Note: The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet.
After the Business Secure Router receives any subsequent packet (from the Internet or from the LAN), its connection information is extracted and checked against the cache. A packet is only allowed to pass through if it corresponds to a valid connection (that is, if it is a response to a connection that originated on the LAN).
UDP/ICMP security
UDP and ICMP do not contain any connection information (such as sequence numbers).
Consider the FTP protocol in active mode. A user on the LAN opens a control connection to a server on the Internet and requests a file. At this point, the remote server opens a data connection from the Internet back to the client. For FTP to work properly, this connection must be allowed to pass through even though a connection from the Internet is normally rejected. In order to achieve the above scenario, the Business Secure Router inspects the application level FTP data (the PORT command, in which the client announces the data port it is listening on) so that it can permit exactly the expected data connection.
Packet filtering vs. firewall
Below are some comparisons between the filtering and firewall functions of the Business Secure Router.
Packet filtering:
• The router filters packets as they pass through the router's interface according to the filter rules you designed.
• Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service.
• Packet filtering only checks the header portion of an IP packet.
• The firewall uses session filtering, or smart rules, that enhance the filtering process and control the network session rather than individual packets in a session.
• The firewall provides e-mail service to notify you of routine reports and when alerts occur.
When to use the firewall
1 To prevent DoS attacks and prevent hackers cracking your network.
Chapter 11 Firewall screens
This chapter shows you how to configure your Business Secure Router firewall.
Access methods
The WebGUI is, by far, the most comprehensive firewall configuration tool your Business Secure Router has to offer. For this reason, Nortel recommends that you configure your firewall using the WebGUI. With SMT screens, you can activate the firewall.
By default, the Business Secure Router's stateful packet inspection blocks packets traveling in the following directions:
• WAN to LAN
• WAN to WAN/Business Secure Router
This prevents computers on the WAN from using the Business Secure Router as a gateway to communicate with other computers on the WAN, or to manage the Business Secure Router, or both. You can define additional rules and sets or modify existing ones, but exercise extreme caution in doing so.
Rule logic overview
Note: Study these points carefully before configuring rules.
Rule checklist
1 State the intent of the rule. For example, "This restricts all IRC access from the LAN to the Internet." Or, "This allows a remote Lotus Notes server to synchronize over the Internet to an inside Notes server."
Once these questions have been answered, adding rules is simply a matter of plugging the information into the correct fields in the WebGUI screens.
Key fields for configuring rules
Action: Set the action to either Block or Forward. Note: Block means the firewall silently discards the packet.
Service: Select the service from the Service scrolling list box. If the service is not listed, it is necessary to first define it.
the LAN interface is an example of traffic destined for the Business Secure Router's LAN interface itself. You can also use LAN to LAN/Business Secure Router rules with IP alias to control routing between two subnets on the LAN. WAN to WAN/Business Secure Router rules apply to packets coming in through the WAN interface that are destined for either the Business Secure Router's WAN interface itself or a different subnet on the WAN.
Figure 52 WAN to LAN traffic
Configuring firewall
Click FIREWALL to open the Summary screen. Enable (or activate) the firewall by selecting the Enable Firewall check box as seen in Figure 53. The Business Secure Router applies the firewall rules in order, starting from the first rule for a packet's direction of travel. When the traffic matches a rule, the Business Secure Router takes the action in the rule and stops checking the firewall rules.
If you list a general rule before a specific rule, traffic that you want to be controlled by the specific rule can get the general rule applied to it instead, because rule checking stops at the first match. Any traffic that does not match any firewall rule matches the default rule for its direction, set in the Action for packets that don't match firewall rules field; by default the Business Secure Router forwards traffic from the LAN to the WAN and blocks traffic from the WAN to the LAN.
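The following added example (not the Business Secure Router's firmware, and not from the Nortel manual) models the behaviour described in Chapter 10 and in the two preceding paragraphs: a state table that passes replies to LAN-originated sessions, an ordered rule list where the first match wins, and per-direction default actions. The Rule and Packet fields, the addresses and the Telnet policy are assumptions chosen to show what goes wrong when a general rule is listed before a specific one.

```python
# Added example (not Nortel's firmware): a first-match rule walker with a
# state table, modelling the behaviour described in this chapter. The rule
# and packet fields below are assumptions chosen for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str   # "LAN_TO_WAN" or "WAN_TO_LAN"
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int

@dataclass
class Rule:
    direction: str
    action: str                  # "Forward" or "Block" (Block discards silently)
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None means any protocol
    dport: Optional[int] = None  # None means any destination port

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))

class StatefulFirewall:
    # Default action per direction when no rule matches (manual: LAN->WAN
    # forwarded, WAN->LAN blocked).
    DEFAULTS = {"LAN_TO_WAN": "Forward", "WAN_TO_LAN": "Block"}

    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()   # 5-tuples of sessions that originated on the LAN

    def decide(self, p: Packet) -> str:
        # 1. A WAN->LAN packet that answers a LAN-originated session is passed
        #    from the state table without consulting the rules.
        if p.direction == "WAN_TO_LAN" and (p.dst, p.dport, p.src, p.sport, p.proto) in self.state:
            return "Forward (state table)"
        # 2. Otherwise walk the rules in order; the first match wins.
        for index, rule in enumerate(self.rules, start=1):
            if rule.matches(p):
                action, origin = rule.action, f"rule {index}"
                break
        else:
            action, origin = self.DEFAULTS[p.direction], "default"
        # 3. A forwarded LAN->WAN packet creates a state entry so replies get back.
        if action == "Forward" and p.direction == "LAN_TO_WAN":
            self.state.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return f"{action} ({origin})"

def scenarios() -> dict:
    """Telnet-from-LAN policy with the rules in both orders, plus default behaviour."""
    telnet = Packet("LAN_TO_WAN", "192.168.1.33", "198.51.100.7", "tcp", 40000, 23)
    web = Packet("LAN_TO_WAN", "192.168.1.33", "198.51.100.7", "tcp", 40001, 80)
    web_reply = Packet("WAN_TO_LAN", "198.51.100.7", "192.168.1.33", "tcp", 80, 40001)
    unsolicited = Packet("WAN_TO_LAN", "198.51.100.7", "192.168.1.33", "tcp", 4444, 22)
    block_telnet = Rule("LAN_TO_WAN", "Block", proto="tcp", dport=23)
    allow_all_out = Rule("LAN_TO_WAN", "Forward")

    specific_first = StatefulFirewall([block_telnet, allow_all_out])
    general_first = StatefulFirewall([allow_all_out, block_telnet])
    return {
        "telnet, specific rule first": specific_first.decide(telnet),
        "telnet, general rule first": general_first.decide(telnet),   # Block rule never reached
        "web out": specific_first.decide(web),
        "web reply": specific_first.decide(web_reply),
        "unsolicited WAN->LAN": specific_first.decide(unsolicited),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:28} -> {verdict}")
```

With the general Forward rule listed first, the Telnet Block rule is never reached; the same two rules in the other order give the intended result. The unsolicited WAN-to-LAN SYN is dropped by the default action because no state entry and no rule exist for it.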
Figure 53 Enabling the firewall
Table 38 describes the fields in Figure 53.
Table 38 Firewall rules summary: First screen
Enable Firewall: Select this check box to activate the firewall. The Business Secure Router performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated. The firewall allows traffic to go through your VPN tunnels.
Bypass Triangle Route: Select this check box to have the Business Secure Router permit the use of asymmetrical route topology on the network (not reset the connection). Enable this only when the network really does route asymmetrically: with it selected, the firewall passes return traffic for sessions whose outbound half it never saw, so the stateful check is weaker.
Firewall Rules Storage Space in Use: This read-only bar shows how much of the Business Secure Router's memory for recording firewall rules is currently being used. The bar turns from green to red when the maximum is approached.
Insert: Type the index number for where you want to put a rule. For example, if you type "6", your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7. Click Insert to display the screen where you configure a firewall rule.
Move: Select a rule's Index option button and type a number for where you want to put that rule. Click Move to move the rule to the number that you typed.
Figure 54 Creating and editing a firewall rule
Table 39 describes the fields in Figure 54.
Table 39 Creating and editing a firewall rule
Active: Check the Active check box to have the Business Secure Router use this rule. Leave it unchecked if you do not want the Business Secure Router to use the rule after you apply it.
Packet Direction: Use the drop-down list to select the direction of packet travel to which you want to apply this firewall rule.
Source Address: Click SrcAdd to add a new address, SrcEdit to edit an existing one or SrcDelete to delete one. The source address can be a particular (single) IP, a range of IP addresses (for example, 192.168.1.10 to 192.168.1.50), a subnet or any IP address. See the next section for more information about adding and editing source addresses.
Configuring source and destination addresses
To add a new source or destination address, click SrcAdd or DestAdd from the previous screen. To edit an existing source or destination address, select it from the box and click SrcEdit or DestEdit from the previous screen. Either action displays the screen shown in Figure 55.
Figure 55 Adding or editing source and destination addresses
Table 40 describes the fields in Figure 55.
Configuring custom ports
You can also configure customized ports for services not predefined by the Business Secure Router (see "Predefined services" on page 188 for a list of predefined services). For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Numbers Authority) Web site. Click the Add button under Custom Port while editing a firewall rule to configure a custom port. This displays the screen illustrated in Figure 56.
Example firewall rule
The following Internet firewall rule example allows a hypothetical My Service connection from the Internet.
1 Click the Firewall link and then the Summary tab.
2 In the Summary screen, type the index number for where you want to put the rule. For example, if you type "6", your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
3 Click Insert to display the firewall rule configuration screen.
6 Configure the Firewall Rule Edit IP screen as follows and click Apply.
Figure 58 Firewall rule edit IP example
7 In the firewall rule configuration screen, click Add under Custom Port to open the Edit Custom Port screen. Configure it as shown in Figure 59 and click Apply.
Figure 59 Edit custom port example
8 The firewall rule configuration screen displays. Use the arrows between Available Services and Selected Services to configure it as shown in Figure 60.
Figure 60 MyService rule configuration example
After completing the configuration procedure for this Internet firewall rule, the Rule Summary screen will look like the one illustrated in Figure 61. Rule 1: Allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN. Remember to click Apply after you finish configuring your rules to save your settings to the Business Secure Router.
Figure 61 My Service example rule summary
Predefined services
The Available Services list box in the Edit Rule screen (see Figure 54) displays all predefined services that the Business Secure Router already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the IP port number that defines the service.
type. For example, look at the default configuration labeled "DNS(UDP/TCP:53)": UDP/TCP:53 means UDP port 53 and TCP port 53. Custom services can also be configured using the Custom Ports function, which is discussed in "Configuring custom ports" on page 184.
Table 42 Predefined services
AIM/New-ICQ(TCP:5190): AOL Internet Messenger service, used as a listening port by ICQ.
AUTH(TCP:113): Authentication protocol used by some servers.
NEW-ICQ(TCP:5190): An Internet chat program.
NEWS(TCP:144): A protocol for news groups.
NFS(UDP:2049): Network File System (NFS) is a client/server distributed file service that provides transparent file sharing for network environments.
NNTP(TCP:119): Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service.
SIP-V2(UDP:5060): The Session Initiation Protocol (SIP) is an application layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol.
SSH(TCP/UDP:22): Secure Shell Remote Logon Program.
STRM WORKS(UDP:1558): Stream Works Protocol.
Configuring attack alert
Attack alerts are the first defense against DoS attacks. In the Attack Alert screen (Figure 62) you can choose to generate an alert whenever an attack is detected. For DoS attacks, the Business Secure Router uses thresholds to determine when to drop sessions that do not become fully established. These thresholds apply globally to all sessions.
The Business Secure Router measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute. After the number of existing half-open sessions rises above a threshold (max-incomplete high), the Business Secure Router starts deleting half-open sessions as required to accommodate new connection requests.
The Business Secure Router also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections. Click the Attack Alert tab to bring up the screen shown in Figure 62.
Figure 62 Attack alert
Table 43 describes the fields in Figure 62.
Table 43 Attack alert
Generate alert when: A detected attack automatically generates a log entry.
One Minute High: This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the Business Secure Router deletes half-open sessions, as required, to accommodate new connection attempts.
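The half-open session accounting described in the Attack Alert pages above can be modelled as follows. This is an added example, not the Business Secure Router's code and not from the Nortel manual: the threshold values, timestamps and the sample flood are constructed, and the per-host action taken when TCP Maximum Incomplete is exceeded (dropping the oldest half-open session to that host) is an assumption, since the page only states that an alert is raised.

```python
# Added example, not from the Nortel manual: a model of the half-open session
# thresholds described in this section. Threshold values, timestamps and the
# sample flood are constructed; the exact per-host action when TCP Maximum
# Incomplete is exceeded (dropping the oldest half-open session to that host)
# is an assumption, as the page only states that an alert is raised.
from collections import OrderedDict, deque

class HalfOpenMonitor:
    def __init__(self, max_high, max_low, one_min_high, one_min_low, tcp_max_incomplete):
        self.max_high, self.max_low = max_high, max_low
        self.one_min_high, self.one_min_low = one_min_high, one_min_low
        self.tcp_max_incomplete = tcp_max_incomplete
        self.sessions = OrderedDict()   # key -> destination; insertion order == age
        self.attempts = deque()         # timestamps of half-open attempts in the last minute
        self.purging = False            # True between crossing a high and falling below a low
        self.alerts = []

    def _rate(self, now):
        while self.attempts and now - self.attempts[0] >= 60:
            self.attempts.popleft()
        return len(self.attempts)

    def new_syn(self, now, key, dst):
        """A SYN without a completed handshake arrives; returns the half-open count."""
        self.attempts.append(now)
        rate = self._rate(now)
        # Per-destination limit (TCP Maximum Incomplete): drop the oldest half-open
        # session to that host so one server cannot soak up the whole table.
        to_host = [k for k, d in self.sessions.items() if d == dst]
        if len(to_host) >= self.tcp_max_incomplete:
            self.alerts.append(f"t={now}: TCP Maximum Incomplete exceeded for {dst}")
            del self.sessions[to_host[0]]
        self.sessions[key] = dst
        # Global limits: the total or the one-minute rate crossing its high
        # threshold starts the purge; it ends once the rate is back below the low.
        if len(self.sessions) > self.max_high or rate > self.one_min_high:
            if not self.purging:
                self.alerts.append(f"t={now}: half-open total={len(self.sessions)} rate={rate}/min, purging oldest")
            self.purging = True
        if self.purging:
            while len(self.sessions) > self.max_low:
                self.sessions.popitem(last=False)   # oldest first, making room for new attempts
            if rate <= self.one_min_low:
                self.purging = False
        return len(self.sessions)

    def established(self, key):
        """Third handshake step seen: the session is no longer half-open."""
        self.sessions.pop(key, None)

def flood_scenario():
    """25 SYNs in 25 s from distinct spoofed sources; the rate crosses One Minute High."""
    m = HalfOpenMonitor(max_high=1000, max_low=5, one_min_high=20, one_min_low=10, tcp_max_incomplete=50)
    counts = [m.new_syn(t, (f"10.9.0.{t}", 1000 + t), "192.168.1.10") for t in range(25)]
    return counts, m.alerts

def per_host_scenario():
    """Five half-open sessions to one server with TCP Maximum Incomplete = 4."""
    m = HalfOpenMonitor(max_high=1000, max_low=500, one_min_high=1000, one_min_low=500, tcp_max_incomplete=4)
    for i in range(5):
        m.new_syn(i, (f"203.0.113.{i}", 5000 + i), "192.168.1.25")
    return len(m.sessions), m.alerts

if __name__ == "__main__":
    print(flood_scenario())
    print(per_host_scenario())
```

In the flood scenario the table grows to 20 entries, the 21st attempt pushes the one-minute rate over the high watermark, the table is cut back to the low watermark and then held there for as long as the rate stays high. Deleting half-open entries cannot lower the rate itself, which is why the purge ends only when attempts slow down.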
Chapter 12 Content filtering
This chapter provides a brief overview of content filtering using the embedded WebGUI.
Introduction to content filtering
With Internet content filtering, you can create and enforce Internet access policies tailored to your needs. Content filtering is the ability to block certain web features or specific URL keywords and is not to be confused with packet filtering via SMT menu 21.1.
Configure Content Filtering
Click Content Filter on the navigation panel to open the screen shown in Figure 63.
Table 44 describes the fields in Figure 63.
Table 44 Content filter
Restrict Web Features: Select the boxes to restrict a feature. When you download a page containing a restricted feature, that part of the web page appears blank or grayed out.
ActiveX: A tool for building dynamic and active Web pages and distributed object applications.
Time of Day to Block: Time of Day to Block allows the administrator to define during which time periods content filtering is enabled. Time of Day to Block restrictions only apply to the keywords (see above). The Restrict Web Features settings (ActiveX, Java, Cookies and Web Proxy) are not affected and remain in force at all times. Enter the time period, in 24-hour format, during which content filtering will be enforced.
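The interaction between the keyword block, the Time of Day window and the always-on feature restrictions is easy to get wrong, particularly for a window that runs past midnight. The following is an added example, not the Business Secure Router's code and not from the Nortel manual; the keyword list, the feature settings, the time windows and the sample requests are constructed.

```python
# Added example, not from the Nortel manual: how a keyword block combined with
# a Time of Day window behaves, including a window that wraps past midnight.
# Keyword list, feature settings and sample requests are constructed.
from datetime import time

def in_window(now: time, start: time, end: time) -> bool:
    """True if now lies in [start, end); a window with end <= start wraps past midnight."""
    if start == end:
        return True                     # degenerate window: whole day
    if start < end:
        return start <= now < end
    return now >= start or now < end    # e.g. 22:00 to 06:00

def decide(url: str, now: time, keywords, window, restrict_features, page_features) -> dict:
    """Return the blocking decision for one request and the features stripped from the page."""
    host_and_path = url.split("://", 1)[-1].lower()
    keyword_hit = next((k for k in keywords if k.lower() in host_and_path), None)
    # Keyword blocking is the only control gated by Time of Day to Block.
    blocked = keyword_hit is not None and in_window(now, *window)
    # Restricted web features (ActiveX, Java, Cookies, Web Proxy) apply at all times.
    stripped = sorted(set(page_features) & set(restrict_features))
    return {"blocked": blocked, "keyword": keyword_hit if blocked else None, "stripped": stripped}

KEYWORDS = ["games", "gambling"]          # constructed keyword list
FEATURES = {"ActiveX", "Java"}            # constructed Restrict Web Features selection
NIGHT_WINDOW = (time(22, 0), time(6, 0))  # wraps past midnight
WORK_WINDOW = (time(9, 0), time(17, 0))

def sample_decisions() -> dict:
    return {
        "games at 23:00, night window": decide("http://games.example.net/play", time(23, 0),
                                               KEYWORDS, NIGHT_WINDOW, FEATURES, {"Java"}),
        "games at 03:00, night window": decide("http://games.example.net/play", time(3, 0),
                                               KEYWORDS, NIGHT_WINDOW, FEATURES, set()),
        "games at 12:00, night window": decide("http://games.example.net/play", time(12, 0),
                                               KEYWORDS, NIGHT_WINDOW, FEATURES, {"ActiveX", "Cookies"}),
        "news at 12:00, work window": decide("https://news.example.org/", time(12, 0),
                                             KEYWORDS, WORK_WINDOW, FEATURES, {"Java"}),
        "GAMBLING upper-case at 12:00, work window": decide("http://WWW.GAMBLING.example/", time(12, 0),
                                                            KEYWORDS, WORK_WINDOW, FEATURES, set()),
    }

if __name__ == "__main__":
    for name, result in sample_decisions().items():
        print(f"{name:42} {result}")
```

Note that a page fetched outside the window is still delivered with ActiveX stripped: the feature restriction is independent of the schedule, exactly as Table 44 states. The keyword comparison is case-insensitive so that upper-case hostnames do not slip through.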
Chapter 13 VPN
This chapter introduces the basics of IPSec VPNs and covers the VPN WebGUI. See Chapter 20, "Logs Screens," on page 371 for information about viewing logs and the appendices for IPSec log descriptions.
VPN
A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines.
or
• As a VPN router that can have encrypted connections to multiple remote VPN routers. With this role, it can also serve as a termination point for encrypted connections from computers using Nortel's Contivity VPN Client 3.0, 5.01, 5.11, 6.01, 6.02, or 7.01 software.
See Table 1 on page 33 for details about the VPN specifications of the Nortel Business Secure Router 222.
VPN screens overview
Table 46 summarizes the main functions of the VPN screens.
Security Association
A Security Association (SA) is a contract between two parties indicating which security parameters, such as keys and algorithms, they use.
Table 46 VPN Screens Overview
Summary: This screen lists all of your VPN rules.
Contivity Client Rule Setup: Use these screens to configure simple VPN rules that have the Nortel Business Secure Router 222 operate as a VPN client.
Data confidentiality: The IPSec sender can encrypt packets before transmitting them across a network.
Data integrity: The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data is not altered during transmission.
Data origin authentication: The IPSec receiver can verify the source of IPSec packets. This service depends on the data integrity service.
Figure 65 IPSec architecture
IPSec algorithms
The ESP (Encapsulating Security Payload) protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard), AES (Advanced Encryption Standard), and Triple DES algorithms.
The Authentication Algorithms, HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404), provide an authentication mechanism for the AH and ESP protocols. A Security Association (SA), the foundation of an IPSec VPN, records which protocol (AH or ESP), which algorithms and which keys the two peers have agreed to use. The primary function of key management (IKE) is to establish and maintain the SA between systems. After the SA is established, the transport of data can commence.
An added feature of the ESP is payload padding, which further protects communications by concealing the size of the packet being transmitted.
Table 47 AH and ESP
Encryption, ESP: DES (default). Data Encryption Standard (DES) is a widely used method of data encryption using a secret key. DES applies a 56-bit key to each 64-bit block of data. A 56-bit key can be recovered by brute force with modest hardware, so prefer AES or Triple DES wherever the peer supports them.
Encryption, AH: none. AH provides integrity and origin authentication only.
Encapsulation
The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode.
Figure 66 Transport and Tunnel mode IPSec encapsulation
Transport mode
Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
Outside header: The outside IP header contains the destination IP address of the VPN switch.
Inside header: The inside IP header contains the destination IP address of the final system behind the VPN switch. The security protocol appears after the outer IP header and before the inside IP header.
IPSec and NAT
Read this section if you are running IPSec on a host computer behind the Business Secure Router. NAT is incompatible with the AH protocol in both Transport and Tunnel mode, because the AH integrity check covers the source and destination addresses of the IP header, which are exactly the fields NAT rewrites.
Tunnel mode ESP with authentication is compatible with NAT because integrity checks are performed over the combination of the original header plus original payload, which is unchanged by a NAT device. Transport mode ESP with authentication is not compatible with NAT: the TCP or UDP checksum inside the encrypted payload covers the original addresses, and the NAT device cannot update a checksum it cannot see. NAT traversal provides a way to use Transport mode ESP when there is a NAT router between the IPSec endpoints (see "NAT Traversal" on page 215 for details).
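The three cases in the IPSec and NAT section (AH, transport-mode ESP and tunnel-mode ESP through a NAT device) are demonstrated below. This is an added example, not from the Nortel manual and not the Business Secure Router's code: the header layouts are reduced to the address fields that matter, an XOR keystream stands in for ESP's cipher so that the payload is opaque to the NAT box, and the key and addresses are constructed. Real implementations use IKE-derived keys and a proper block cipher.

```python
# Added example, not from the Nortel manual: why AH fails behind NAT and why
# only tunnel-mode ESP survives it. The header layouts, the XOR "cipher" that
# stands in for ESP encryption, the key and the addresses are simplifications
# constructed for illustration; real implementations use IKE-derived keys and
# a proper block cipher.
import hashlib
import hmac
from ipaddress import ip_address

KEY = b"example-integrity-key"            # constructed; real SAs derive keys via IKE
HOST, NAT_IP, PEER = "192.168.1.10", "203.0.113.5", "198.51.100.20"

def addr(a: str) -> bytes:
    return ip_address(a).packed

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used by TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_segment(src: str, dst: str, payload: bytes) -> bytes:
    # The TCP checksum covers a pseudo-header that includes both IP addresses.
    pseudo = addr(src) + addr(dst) + b"\x00\x06" + len(payload).to_bytes(2, "big")
    return internet_checksum(pseudo + payload).to_bytes(2, "big") + payload

def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    return tcp_segment(src, dst, segment[2:]) == segment

def toy_xor(data: bytes) -> bytes:
    """Symmetric XOR keystream; only here to make the payload opaque to the NAT box."""
    stream = hashlib.sha256(KEY + b"enc").digest()
    stream = (stream * (len(data) // len(stream) + 1))[:len(data)]
    return bytes(a ^ b for a, b in zip(data, stream))

def ah_packet(src, dst, inner):
    # AH's ICV covers the immutable outer IP header fields (here src and dst) and the payload.
    icv = hmac.new(KEY, addr(src) + addr(dst) + inner, hashlib.sha1).digest()
    return {"src": src, "dst": dst, "inner": inner, "icv": icv}

def ah_verify(p) -> bool:
    expected = hmac.new(KEY, addr(p["src"]) + addr(p["dst"]) + p["inner"], hashlib.sha1).digest()
    return hmac.compare_digest(p["icv"], expected)

def esp_packet(src, dst, inner):
    # ESP's ICV covers only the ESP payload, never the outer IP header.
    enc = toy_xor(inner)
    return {"src": src, "dst": dst, "enc": enc, "icv": hmac.new(KEY, enc, hashlib.sha1).digest()}

def esp_open(p):
    """Return the decrypted payload, or None if the integrity check fails."""
    if not hmac.compare_digest(p["icv"], hmac.new(KEY, p["enc"], hashlib.sha1).digest()):
        return None
    return toy_xor(p["enc"])

def nat(p, new_src):
    q = dict(p)
    q["src"] = new_src        # NAT can rewrite only the outer header it can see
    return q

def nat_compatibility() -> dict:
    segment = tcp_segment(HOST, PEER, b"GET / HTTP/1.0\r\n")
    # AH, transport mode: the rewritten source address breaks the ICV.
    ah_ok = ah_verify(nat(ah_packet(HOST, PEER, segment), NAT_IP))
    # ESP, transport mode: the ICV passes, but the receiver validates the TCP
    # checksum against the translated outer addresses and NAT could not fix
    # the checksum because it was encrypted.
    p = nat(esp_packet(HOST, PEER, segment), NAT_IP)
    inner = esp_open(p)
    esp_transport_ok = inner is not None and tcp_checksum_ok(p["src"], p["dst"], inner)
    # ESP, tunnel mode: the whole original IP packet (inner header + TCP) is the
    # payload, so the inner addresses the checksum depends on are untouched.
    tunnel_payload = addr(HOST) + addr(PEER) + segment
    p = nat(esp_packet(HOST, PEER, tunnel_payload), NAT_IP)
    inner = esp_open(p)
    esp_tunnel_ok = inner is not None and tcp_checksum_ok(
        str(ip_address(inner[:4])), str(ip_address(inner[4:8])), inner[8:])
    return {"ah_transport": ah_ok, "esp_transport": esp_transport_ok, "esp_tunnel": esp_tunnel_ok}

if __name__ == "__main__":
    print(nat_compatibility())
```

Only the tunnel-mode case comes back usable after the source address is rewritten, matching the statement above; NAT traversal (next section) addresses the transport-mode case by wrapping ESP in a UDP header that NAT is able to translate.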
Dynamic Secure Gateway Address
If the remote VPN switch has a dynamic WAN IP address and does not use DDNS, enter 0.0.0.0 as the remote VPN switch's address. In this case, only the remote VPN switch can initiate SAs. This is useful for telecommuters initiating a VPN tunnel to the company network.
Summary screen
Figure 67 helps explain the main fields in the WebGUI.
Figure 67 IPSec summary fields
Click VPN to open the Summary screen.
Figure 68 Summary IP Policies
Table 49 describes the fields in Figure 68.
Table 49 Summary
Contivity VPN Client: The Contivity VPN Client is a simple VPN rule that lets you define and store connection information for accessing your corporate network through a VPN switch. The Contivity VPN Client uses the IPSec protocol to establish a secure end-to-end connection. If you want to set the Contivity Client rule to active, you must set all other VPN rules to inactive.
Edit: Click the radio button next to a VPN index number and then click Edit to edit a specific VPN policy.
Delete: Click the radio button next to a VPN policy number you want to delete and then click Delete. When a VPN policy is deleted, subsequent policies do not move up in the page list.
office rules. See the VPN Branch Office Rule Setup screen (Figure 72 on page 223). Unlike keep alive, any time the Business Secure Router restarts, it also automatically renegotiates any nailed up tunnels. In effect, the IPSec tunnel becomes an "always on" connection after you initiate it. Also different from keep alive, the peer VPN switch does not have to have a Business Secure Router compatible nailed up feature enabled in order for this feature to work.
NAT traversal solves the problem by adding a UDP header to the IPSec packet (UDP port 500 in the implementation described here; the standardized form in RFC 3947 and RFC 3948 moves IKE and the encapsulated ESP to UDP port 4500 once a NAT is detected, so confirm which variant the peer supports). The NAT router translates that outer UDP header as it would any other UDP traffic and leaves the IPSec packet inside it intact. VPN switch B recognizes the UDP encapsulation and responds. VPN switches A and B build a VPN connection.
NAT Traversal configuration
Enable or disable NAT traversal in the VPN Branch Office Rule Setup screen (see Figure 72 on page 223).
Figure 70 VPN Contivity Client rule setup
Table 50 VPN Contivity Client rule setup
Connection Type: Select Branch Office to manually configure a VPN rule. This has the Nortel Business Secure Router 222 operate as a VPN router. Select Contivity Client to use a simple VPN rule that lets you define and store connection information for accessing your corporate network through a VPN switch. This has the Nortel Business Secure Router 222 operate as a VPN client.
Destination: This field specifies the IP address or the domain name (up to 31 case-sensitive characters) of the remote VPN switch. You can use alphanumeric characters, the underscore, dash, period and the @ symbol in a domain name. No spaces are allowed.
User Name: Enter the username exactly as the VPN switch administrator gives it to you.
Password: Enter the password exactly as the VPN switch administrator gives it to you.
Table 51 describes the fields in Figure 71.
Table 51 VPN Contivity Client advanced rule setup
Group Authentication: Enable Group Authentication to have the Business Secure Router send a Group ID and Group Password to the remote VPN switch for initial authentication. After a successful initial authentication, a RADIUS server associated with the remote VPN switch uses the User Name and Password to authenticate the Business Secure Router.
ID Type and content
With aggressive negotiation mode (see "Negotiation Mode" on page 239 for more information), the Business Secure Router identifies incoming SAs by ID type and content, since this identifying information is not encrypted, so that it can distinguish between multiple rules for SAs that connect from remote VPN switches that have dynamic WAN IP addresses.
Table 52 Local ID type and content fields
Local ID type E-mail, Content: Type an e-mail address (up to 31 characters) by which to identify this Business Secure Router. The domain name or e-mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address.
The two Business Secure Routers shown in Table 55 cannot complete their negotiation because Business Secure Router B's Local ID type is IP, but Business Secure Router A's Peer ID type is set to E-mail. An "ID mismatched" message displays in the IPSEC LOG.
Table 55 Mismatching ID Type and Content Configuration Example
Business Secure Router A: Local ID type: IP; Local ID content: 1.1.1.10
Business Secure Router B: Local ID type: IP; Local ID content: 1.1.1.
Figure 72 VPN Branch Office rule setup
Table 56 describes the fields in Figure 72.
Table 56 VPN Branch Office rule setup
Connection Type: Select Branch Office to manually configure a VPN rule. Select Contivity Client to use a simple VPN rule that lets you define and store connection information for accessing your corporate network through a VPN switch. You can only configure one Contivity client rule.
Available/Selected IP Policy: The Available IP Policy table displays network routes. Use the Add, Edit and Delete buttons to configure this list. Move the network routes that you want to use the VPN tunnel down into the Selected IP Policy table. Select a network route's radio button in the Available IP Policy table, then click the down arrows to move it into the Selected IP Policy table.
Local IP Address: This field displays the IP address (or range of IP addresses) of the computers on your Business Secure Router's local network, for which you have configured this IP policy. This field displays the IP policy's virtual IP address (or range of addresses) when you enable branch tunnel NAT address mapping in the IP Policy screen.
Remote IP Address: This field displays the IP addresses of computers on the remote network behind the remote VPN switch. This field displays a single (static) IP address when the IP policy's Remote Address Type field is configured to Single Address in the IP Policy screen.
Certificate: Use the drop-down list to select the certificate to use for this VPN tunnel. You must have certificates already configured in the My Certificates screen. Click My Certificates to go to the My Certificates screen, where you can view the Business Secure Router's list of certificates.
Local ID Type: Select IP to identify this Business Secure Router by its IP address.
Peer Content: When you select IP in the Peer ID Type field, type the IP address of the computer with which you make the VPN connection or leave the field blank to have the Business Secure Router automatically use the address in the Secure Gateway Address field. When you select DNS in the Peer ID Type field, type a domain name (up to 31 characters) by which to identify the remote VPN switch.
ESP: Select ESP if you want to use ESP (Encapsulating Security Payload). The ESP protocol (RFC 2406) provides encryption as well as the services offered by AH. If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described next).
AH: Select AH if you want to use AH (Authentication Header Protocol).
Configuring an IP Policy
Select one of the IP policies in the VPN Branch Office screen and click Add or Edit to configure the policy's settings. The Branch Office – IP Policy setup screen is shown in Figure 73.
Table 57 describes the fields in Figure 73.
Table 57 VPN Branch Office — IP Policy
Protocol: Enter a number to specify what type of traffic is allowed to go through the VPN tunnel that is built using this IP policy. Use 1 for ICMP, 6 for TCP, 17 for UDP, and so on. 0 is the default and signifies any protocol. For example, if you select 1 (ICMP), only ICMP packets can go through the tunnel.
Type: Select one of the following port mapping types.
1. One-to-One: One-to-one mode maps one private IP address to one virtual IP address. Port numbers do not change with one-to-one NAT mapping.
2. Many-to-One: Many-to-One mode maps multiple private IP addresses to one virtual IP address. This is equivalent to SUA (for example, PAT, port address translation), the Business Secure Router's Single User Account feature.
3.
Virtual Ending IP Address: When the Type field is configured to One-to-one or Many-to-One, this field is N/A. When the Type field is configured to Many One-to-one, enter the ending (static) IP address of the range of IP addresses that you want to use for the VPN tunnel.

Local: Local IP addresses must be static and correspond to the remote VPN switch's configured remote IP addresses.
Protocol: Enter a number to specify what type of traffic is allowed to go through the VPN tunnel that is built using this IP policy. Use 1 for ICMP, 6 for TCP, 17 for UDP, and so on. 0 is the default and signifies any protocol. For example, if you enter 1 (ICMP), only ICMP packets can go through the tunnel. If you specify a protocol other than 1 (ICMP) or 0 (any protocol), you cannot use the control ping feature, because its ICMP packets would not be allowed through the tunnel.
Ending IP Address / Subnet Mask: When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address of the range of computers on the LAN behind your Business Secure Router. When the Address Type field is configured to Subnet Address, this is the subnet mask of the subnet on the LAN behind your Business Secure Router.
Figure 74 VPN Branch Office — IP Policy - Port Forwarding Server

Table 58 describes the fields in Figure 74.

Table 58 VPN Branch Office — IP Policy - Port Forwarding Server

Default Server: In addition to the servers for specified services, NAT supports a default server. A default server receives packets sent to ports that are not specified in this screen.
Start Port: Type a port number in this field. To forward only one port, type the port number again in the End Port field. To forward a series of ports, type the start port number here and the end port number in the End Port field.

End Port: Type a port number in this field. To forward only one port, type the port number in the Start Port field above and then type it again in this field.
In Phase 1 you must:
• Choose a negotiation mode.
• Authenticate the connection by entering a preshared key.
• Choose an encryption algorithm.
• Choose an authentication algorithm.
• Choose a Diffie-Hellman public-key cryptography key group (DH1, DH2, or DH5).
• Set the IKE SA lifetime. This field determines how long an IKE SA stays up before it times out. An IKE SA times out when the IKE SA lifetime period expires.
Main Mode ensures the highest level of security when the communicating parties are negotiating authentication (phase 1). It uses six messages in three round trips: SA negotiation, Diffie-Hellman exchange, and an exchange of nonces (a nonce is a random number). This mode features identity protection: the peers' identities are sent only after the exchange is encrypted, so they are not revealed to an eavesdropper.
This can be unnecessary for data that does not require such security, so PFS is disabled (None) by default in the Business Secure Router. Disabling PFS means that every phase 2 encryption and authentication key is derived from the same phase 1 root secret; anyone who later obtains that secret and has recorded the traffic can recover every phase 2 key. It does allow faster SA setup, because the extra Diffie-Hellman key exchange in each phase 2 negotiation is bypassed.
Table 59 describes the fields in Figure 76.

Table 59 VPN Branch Office Advanced Rule Setup

Enable Replay Detection: As VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets, based on their sequence numbers, to protect against replay attacks. Enable replay detection by setting this field to YES.

Phase 1: A phase 1 exchange establishes an IKE SA (Security Association).
Key Group: You must choose a key group for phase 1 IKE setup. DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit MODP group. DH2 refers to Diffie-Hellman Group 2, a 1024-bit MODP group. DH5 refers to Diffie-Hellman Group 5, a 1536-bit MODP group. Larger groups are stronger but slower to compute; the 768-bit and 1024-bit groups are no longer considered adequate, so choose DH5 where the remote peer supports it.

Phase 2: A phase 2 exchange uses the IKE SA established in phase 1 to negotiate the SA for IPSec.
SA Life Time: Define the length of time before an IKE SA automatically renegotiates in this field. It can range from 60 to 3,000,000 seconds (almost 35 days). A short SA life time increases security by forcing the two VPN switches to update the encryption and authentication keys more often. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This screen displays active VPN connections. Use Refresh to display active VPN connections. This screen is read-only. Table 60 describes the fields in this tab.

Note: When there is outbound traffic but no inbound traffic, the SA times out automatically after two minutes. A tunnel with no outbound or inbound traffic is idle and does not time out until the SA lifetime period expires.
Table 60 VPN SA Monitor

Encapsulation: This field displays Tunnel or Transport mode.

IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase Business Secure Router processing requirements and communications latency (delay).

Refresh: Click Refresh to display the current active VPN connections. This button is available when you have active VPN connections.
Figure 78 VPN Global Setting

Table 61 describes the fields in Figure 78.

Table 61 VPN Global Setting

Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) over TCP/IP uses TCP and UDP packets (ports 137 to 139) that let a computer find and communicate with other computers on a LAN. It is sometimes necessary to allow NetBIOS packets to pass through VPN tunnels so that local computers can find computers on the remote network and vice versa.
Contivity Client Fail-Over: The Contivity Client fail-over feature allows a Contivity client to establish a VPN connection to a backup VPN switch when the default remote VPN switch (specified in the Destination field) is not accessible. The VPN fail-over feature must also be set up in the remote VPN switch.

First Gateway, Second Gateway, Third Gateway: These read-only fields display the IP addresses of the backup VPN switches.
Figure 79 VPN Client Termination
Table 62 describes the fields in Figure 79.

Table 62 VPN Client Termination

Enable Client Termination: Turn on the client termination feature if you want the Business Secure Router to support VPN connections from computers using Contivity VPN Client software.

Local User Database: Select this option to have the Business Secure Router use its internal list of users to authenticate the Contivity VPN clients.
Encryption: Select the combinations of protocol, encryption algorithm and authentication algorithm that the Business Secure Router is to use for the phase 2 VPN connections (VPN tunnels) with Contivity VPN clients. The ESP (Encapsulating Security Payload) protocol (RFC 2406) provides encryption as well as the services offered by AH.
IP Address Pool: Have the Business Secure Router assign IP addresses to the Contivity VPN clients from a pool of IP addresses that you define. Select the pool to use. Click Configure IP Address Pool to define the ranges of IP addresses that you can select from.

Enable Perfect Forward Secrecy: Perfect Forward Secrecy (PFS) is disabled by default for the phase 2 IPSec SA setup. This makes IPSec setup faster, but it means every phase 2 key depends on the phase 1 secret, so a later compromise of that secret exposes recorded traffic. Enable PFS where the clients support it.
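To make the PFS trade-off described for the branch office rules and for client termination concrete, here is an added Python example (not code from the manual or from the router) that mirrors the IKEv1 quick mode key derivation of RFC 2409 section 5.5 with and without a fresh Diffie-Hellman exchange. Assumptions: the Diffie-Hellman group is a toy 127-bit prime standing in for DH1/DH2/DH5, the prf is HMAC-SHA-256, SPIs and nonces are constructed, and the phase 1 derivation is collapsed into a single prf call. What it demonstrates is which traffic keys an attacker can recompute after obtaining the phase 1 secret SKEYID_d and having recorded the exchange.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only: a 127-bit Mersenne prime
# stands in for the 768/1024/1536-bit MODP groups (DH1/DH2/DH5). Never use
# a group this small for real traffic.
P = 2**127 - 1
G = 5


def prf(key, data):
    """IKEv1 prf: HMAC with the negotiated hash (SHA-256 here, an assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(x, peer_public):
    return pow(peer_public, x, P).to_bytes(16, "big")


def phase1_skeyid_d(ni, nr):
    """Phase 1: both peers run DH and derive SKEYID_d, the secret from which
    all non-PFS phase 2 keys are derived (simplified: real IKEv1 derives
    SKEYID_d via SKEYID and the peers' public values)."""
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    shared = dh_shared(xi, gr)
    assert shared == dh_shared(xr, gi)
    return prf(shared, ni + nr)


def phase2_keymat(skeyid_d, spi, ni, nr, pfs_shared=None):
    """Quick mode KEYMAT (RFC 2409 section 5.5).
    Without PFS: prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    With PFS the fresh quick mode DH secret g(qm)^xy is prepended."""
    protocol = b"\x03"  # ESP
    data = protocol + spi + ni + nr
    if pfs_shared is not None:
        data = pfs_shared + data
    return prf(skeyid_d, data)


def run_quick_mode(skeyid_d, spi, pfs):
    """One phase 2 negotiation. Returns the KEYMAT and what an eavesdropper
    sees on the wire: SPI, nonces and (with PFS) the public DH values."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    if not pfs:
        return phase2_keymat(skeyid_d, spi, ni, nr), (spi, ni, nr, None, None)
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    keymat = phase2_keymat(skeyid_d, spi, ni, nr, dh_shared(xi, gr))
    return keymat, (spi, ni, nr, gi, gr)


def attacker_recovers(skeyid_d, wire):
    """An attacker who later obtains SKEYID_d and holds the recorded exchange.
    Returns the KEYMAT if it can be recomputed from that, else None."""
    spi, ni, nr, gi, gr = wire
    if gi is None:
        return phase2_keymat(skeyid_d, spi, ni, nr)
    # With PFS the attacker would also need an ephemeral exponent (xi or xr),
    # which was never sent and was discarded after the exchange.
    return None


def demo(pfs):
    """Phase 1 plus two phase 2 SAs; report per SA whether a later SKEYID_d
    compromise exposes its traffic keys."""
    skeyid_d = phase1_skeyid_d(secrets.token_bytes(16), secrets.token_bytes(16))
    exposed = []
    for spi in (b"\x00\x00\x10\x01", b"\x00\x00\x10\x02"):  # constructed SPIs
        keymat, wire = run_quick_mode(skeyid_d, spi, pfs)
        exposed.append(attacker_recovers(skeyid_d, wire) == keymat)
    return exposed


if __name__ == "__main__":
    print("PFS disabled, SA keys recoverable by attacker:", demo(pfs=False))
    print("PFS enabled,  SA keys recoverable by attacker:", demo(pfs=True))
```

Without PFS both SA keys fall out of the recorded exchange once SKEYID_d is known; with PFS neither does, which is the property the Enable Perfect Forward Secrecy setting buys at the cost of one extra Diffie-Hellman computation per rekey.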
Figure 80 VPN Client Termination IP pool summary

Table 63 describes the fields in Figure 80.

Table 63 VPN Client Termination IP pool summary

Return to ->Client Termination Page: Click this link to return to the screen used to configure the general settings for use with all of the Contivity VPN Client tunnels.

#: These numbers are an incremental value. The position of the IP address pool in the list does not matter.
VPN Client Termination IP pool edit

In the WebGUI, click VPN on the navigation panel and the Client Termination tab to open the VPN Client Termination screen. Then click the Configure IP Address Pool link to open the VPN Client Termination IP Pool Summary screen. Click the radio button next to an IP address pool entry and click Edit to open the following screen, where you can configure the entry's settings.
Table 64 VPN Client Termination IP pool edit

Pool Size: Specify how many IP addresses the Business Secure Router is to give out from the pool created by the starting address and subnet mask. 256 is the maximum.

Apply: Click Apply to save your changes to the Business Secure Router.

Cancel: Click Cancel to return to the IP Pool Summary screen without saving your changes.
Figure 82 VPN Client Termination advanced
Table 65 describes the fields in Figure 82.

Table 65 VPN Client Termination advanced

NAT Traversal: Select Enabled to use NAT traversal when there is a NAT router between the Business Secure Router and the Contivity VPN clients. The Contivity VPN clients must also have NAT traversal enabled. You also need to specify the UDP port that is used to carry the encapsulated VPN traffic.
Accept ISAKMP Initial Contact Payload: The Business Secure Router can accept INITIAL-CONTACT status messages that inform it that the Contivity VPN client is establishing its first SA. The Business Secure Router then deletes the existing SAs for that client, because it assumes the client has restarted and no longer has access to any of the existing SAs.
Password Management: You can have the Business Secure Router enforce some password requirements to enhance security.

Alpha-Numeric Password Required: Use this to have the Business Secure Router require the Contivity VPN client passwords to contain both numbers and letters.

Maximum Password Age: Enter the maximum number of days that a Contivity VPN client can use a password before it has to be changed.
Chapter 14 Certificates

This chapter gives background information about public-key certificates and explains how to use them.

Certificates overview

The Business Secure Router can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner's identity and public key. Certificates provide a way to exchange public keys for use in authentication.
The Business Secure Router uses certificates based on public-key cryptography to authenticate users attempting to establish a connection, not to encrypt the data that is sent after the connection is established. The method used to secure the data that is sent through an established connection depends on the type of connection. For example, a VPN tunnel can use the Triple DES encryption algorithm. The certification authority uses its private key to sign certificates; anyone holding the certification authority's public key can verify that signature.
Configuration summary

This section summarizes how to manage certificates on the Business Secure Router.

Figure 83 Certificate configuration overview

Use the My Certificate screens to generate and export self-signed certificates or certification requests and to import the Business Secure Router's CA-signed certificates. Use the Trusted CA screens to save CA certificates to the Business Secure Router. Use the Trusted Remote Hosts screens to import self-signed certificates.
Figure 84 My Certificates
Table 66 describes the labels in Figure 84.

Table 66 My Certificates

PKI Storage Space in Use: This bar displays the percentage of the Business Secure Router's PKI storage space that is currently in use. The bar turns from green to red when the maximum is being approached. When the bar is red, consider deleting expired or unnecessary certificates before adding more certificates.
Modify: Click the details icon to open a screen with an in-depth list of information about the certificate. Click the delete icon to remove the certificate. A window displays, asking you to confirm that you want to delete the certificate. You cannot delete a certificate that one or more features are configured to use. Do the following to delete a certificate that shows *SELF in the Type field.
1.
• Binary PKCS#7: This standard defines the general syntax for cryptographically protected data (including digital signatures). The Business Secure Router currently allows the import of a PKCS#7 file that contains a single certificate.
• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses an alphabet of 64 ASCII characters to convert a binary PKCS#7 certificate into a printable form.
Figure 85 My Certificate Import

Table 67 describes the labels in Figure 85.

Table 67 My Certificate Import

File Path: Type in the location of the file you want to upload in this field or click Browse to find it.

Browse: Click Browse to find the certificate file you want to upload.

Apply: Click Apply to save the certificate to the Business Secure Router.

Cancel: Click Cancel to quit and return to the My Certificates screen.
Creating a certificate

Click CERTIFICATES, My Certificates and then Create to open the My Certificate Create screen. Use this screen to have the Business Secure Router create a self-signed certificate, enroll a certificate with a certification authority, or generate a certification request. For more information, see Figure 86.
Table 68 describes the labels in Figure 86.

Table 68 My Certificate create

Certificate Name: Type up to 31 ASCII characters (not including spaces) to identify this certificate.

Subject Information: Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although the Common Name is mandatory.
Create a certification request and save it locally for later manual enrollment: Select this option to have the Business Secure Router generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority.
Apply: Click Apply to begin certificate or certification request generation.

Cancel: Click Cancel to quit and return to the My Certificates screen.

After you click Apply in the My Certificate Create screen, you see a screen that tells you the Business Secure Router is generating the self-signed certificate or certification request.
Figure 87 My Certificate details
Table 69 describes the labels in Figure 87.

Table 69 My Certificate details

Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You can use any character (not including spaces).

Property: Default self-signed certificate that signs the imported remote host certificates. Select this check box to make this certificate the one the Business Secure Router uses to sign the trusted remote host certificates that you import.
Issuer: This field displays identifying information about the certificate's issuing certification authority, such as Common Name, Organizational Unit, Organization or Country. With self-signed certificates, this is the same as the Subject Name field.

Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate.
Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses an alphabet of 64 ASCII characters to convert the binary certificate into a printable form.
Figure 88 Trusted CAs

Table 70 describes the labels in Figure 88.

Table 70 Trusted CAs

PKI Storage Space in Use: This bar displays the percentage of the Business Secure Router's PKI storage space that is currently in use. The bar turns from green to red when the maximum is approached. When the bar is red, consider deleting expired or unnecessary certificates before adding more certificates.

#: This field displays the certificate index number.
Issuer: This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company, and country. With self-signed certificates, this is the same information as in the Subject field.

Valid From: This field displays the date that the certificate becomes applicable.
Importing a Trusted CA's certificate

Click CERTIFICATES, Trusted CAs to open the Trusted CAs screen and then click Import to open the Trusted CA Import screen, shown in Figure 89. Follow the instructions in this screen to save a trusted certification authority's certificate to the Business Secure Router.

Note: You must remove any spaces from the certificate's filename before you can import the certificate.

Figure 89 Trusted CA import

Table 71 describes the labels in Figure 89.
Table 71 Trusted CA import

Apply: Click Apply to save the certificate on the Business Secure Router.

Cancel: Click Cancel to quit and return to the Trusted CAs screen.

Trusted CA Certificate details

Click CERTIFICATES, Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CA Details screen, shown in Figure 90.
Figure 90 Trusted CA details
Table 72 describes the labels in Figure 90.

Table 72 Trusted CA details

Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You can use any character (not including spaces).
Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (an RSA signature over a SHA-1 hash of the certificate). Other certification authorities can use rsa-pkcs1-md5 (an RSA signature over an MD5 hash). MD5 is no longer considered safe for signatures because practical collision attacks exist, and SHA-1 has since been deprecated for the same reason; where you have a choice, prefer a certification authority that signs with a SHA-2 hash.
Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses an alphabet of 64 ASCII characters to convert the binary certificate into a printable form.
Figure 91 Trusted remote hosts

Table 73 describes the labels in Figure 91.

Table 73 Trusted Remote Hosts

PKI Storage Space in Use: This bar displays the percentage of the Business Secure Router's PKI storage space that is currently in use. The bar turns from green to red when the maximum is approached. When the bar is red, consider deleting expired or unnecessary certificates before adding more certificates.
Subject: This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company), or C (Country). Nortel recommends that each certificate have unique subject information.

Valid From: This field displays the date that the certificate becomes applicable.
Figure 92 Remote host certificates

3 Double-click the certificate's icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.

Figure 93 Certificate details

Verify (over the phone, for example) that the remote host has the same information in the Thumbprint Algorithm and Thumbprint fields. Compare the whole thumbprint rather than its first few characters, and use a channel other than the network over which you received the certificate file.
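Decoding the PEM and binary forms listed for certificate import, and checking a remote host's thumbprint against the value read out of band, as an added Python example that is neither from the manual nor the router's own code. The DER blob is a constructed placeholder SEQUENCE rather than a real X.509 certificate; the PEM wrapping, the length check and the thumbprint (a hash over the DER bytes) work identically for a real one. All function names are the example's own.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a certificate: a DER SEQUENCE holding an INTEGER
# and an OCTET STRING. Not a real X.509 structure; only the DER framing and
# the hash over it matter here.
CONSTRUCTED_DER = b"\x30\x0b" + b"\x02\x01\x01" + b"\x04\x06hello!"


def der_to_pem(der, label="CERTIFICATE"):
    """PEM is Base-64 of the DER bytes, wrapped at 64 columns between
    BEGIN/END lines (the 64-character alphabet the manual refers to)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_to_der(pem):
    """Extract the first PEM block and decode it. Tolerates CRLF line endings
    and surrounding text, which browser and CA exports often carry."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(2).split()), validate=True)


def der_is_well_formed(der):
    """Check that the blob is one complete DER SEQUENCE (tag 0x30) whose
    encoded length matches the bytes supplied, so a truncated or padded
    import file is rejected before anything trusts it."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def thumbprint(der, algorithm="sha1"):
    """Thumbprint as the Windows Certificate dialog shows it: a hash of the
    DER bytes as colon-separated upper-case hex. SHA-1 matches that dialog;
    SHA-256 is the value to compare today."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text):
    """Treat 'AB:CD', 'ab cd' and 'abcd' as the same fingerprint."""
    return re.sub(r"[^0-9a-f]", "", text.lower())


def fingerprints_match(shown, read_out_of_band):
    """Compare the locally computed thumbprint with the one the remote
    administrator read over the phone, in constant time."""
    return hmac.compare_digest(normalize_fingerprint(shown),
                               normalize_fingerprint(read_out_of_band))


if __name__ == "__main__":
    pem = der_to_pem(CONSTRUCTED_DER)
    der = pem_to_der(pem)
    print(pem)
    print("well-formed DER:", der_is_well_formed(der))
    print("SHA-1 thumbprint  :", thumbprint(der))
    print("SHA-256 thumbprint:", thumbprint(der, "sha256"))
```

Run the same functions over an exported `.cer` file (read in binary mode, or through `pem_to_der` for a Base-64 export) and read the printed thumbprint back to the remote administrator; `fingerprints_match` absorbs the usual differences in case and separators.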
Importing a certificate of a trusted remote host

Click CERTIFICATES, Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen. Follow the instructions in this screen to save a trusted host's certificate to the Business Secure Router (see Figure 94).

Note: The trusted remote host certificate must be a self-signed certificate, and you must remove any spaces from its file name before you can import it.
Table 74 describes the labels in Figure 94.

Table 74 Trusted remote host import

File Path: Type in the location of the file you want to upload in this field or click Browse to find it.

Browse: Click Browse to find the certificate file you want to upload.

Apply: Click Apply to save the certificate on the Business Secure Router.

Cancel: Click Cancel to quit and return to the Trusted Remote Hosts screen.
Figure 95 Trusted remote host details
Table 75 describes the labels in Figure 95.

Table 75 Trusted remote host details

Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You can use any character (not including spaces).
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.

Key Algorithm: This field displays the type of algorithm that was used to generate the certificate's key pair (the Business Secure Router uses RSA) and the length of the key in bits (1024 bits, for example).
Apply: Click Apply to save your changes to the Business Secure Router. You can only change the name of the certificate.

Cancel: Click Cancel to quit configuring this screen and return to the Trusted Remote Hosts screen.

Directory servers

Click CERTIFICATES, Directory Servers to open the Directory Servers screen (Figure 96).
Table 76 describes the labels in Figure 96.

Table 76 Directory Servers

PKI Storage Space in Use: This bar displays the percentage of the Business Secure Router's PKI storage space that is currently in use. The bar turns from green to red when the maximum is approached. When the bar is red, consider deleting expired or unnecessary certificates before adding more certificates.

#: The index number of the directory server.
Figure 97 Directory server add

Table 77 describes the labels in Figure 97.

Table 77 Directory server add

Directory Service Setting

Name: Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server.

Access Protocol: Use the drop-down list to select the access protocol used by the directory server.
Server Port: This field displays the default server port number of the protocol that you select in the Access Protocol field. You can change the server port number if needed; however, you must use the same server port number that the directory server uses. The default server port number for LDAP is 389.

Login Setting

Login: The Business Secure Router must authenticate itself in order to access the directory server.
Chapter 15 Bandwidth management

This chapter describes the functions and configuration of bandwidth management.

Bandwidth management overview

With bandwidth management, you can allocate an interface's outgoing capacity to specific types of traffic. It can also help you make sure that the Business Secure Router forwards certain types of traffic (especially real-time applications) with minimum delay.
Bandwidth classes and filters

Use bandwidth subclasses to allocate specific amounts of bandwidth capacity (bandwidth budgets). Configure a bandwidth filter to define a bandwidth subclass based on a specific application or subnet. Use the Class Setup tab (see "Bandwidth Manager Class Configuration" on page 303) to set up a bandwidth class name, bandwidth allotment, and filter specifics.
Figure 98 Subnet based bandwidth management example

Application and subnet based bandwidth management

You can also create bandwidth classes based on a combination of a subnet and an application. Table 78 shows bandwidth allocations for application specific traffic from separate LAN subnets.

Table 78 Application and Subnet based Bandwidth Management Example

Traffic Type | From Subnet A | From Subnet B
FTP | 64 Kb/s | 64 Kb/s
H.
Configuring summary

Click BW MGMT to open the Summary screen. Enable bandwidth management on an interface and set the maximum allowed bandwidth for that interface.

Figure 99 Bandwidth Manager: Summary

Table 79 describes the labels in Figure 99.

Table 79 Bandwidth Manager: Summary

WAN, LAN: These read-only labels represent the physical interfaces. Select an interface's check box to enable bandwidth management on that interface.
Speed (kbps): Enter the amount of bandwidth for this interface that you want to allocate using bandwidth management. This appears as the bandwidth budget of the interface's root class (see "Configuring class setup" on page 301). Nortel recommends that you set this speed to match what the device connected to the port can handle.
Figure 100 Bandwidth Manager: Class setup

Table 80 describes the labels in Figure 100.

Table 80 Bandwidth Manager: Class Setup

Interface: Select an interface from the drop-down list for which you wish to set up classes.

Bandwidth Management: This field displays whether bandwidth management on the interface you selected in the field above is enabled (Active) or not (Inactive).

Add Sub-class: Click Add Sub-class to add a subclass.
#: This is the number of a filter entry. The ordering of your filters is important, as they are applied in turn. Use the Move button to reorder your filters.

Filter Name: This is the Class Name that you configured in the Edit Class screen.

Service: If you selected a predefined application (FTP, H.323 or SIP), it displays here.
Figure 101 Bandwidth Manager: Edit class

Table 81 describes the labels in Figure 101.

Table 81 Bandwidth Manager: Edit class

Class Configuration

Class Name: Use the autogenerated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces.

Bandwidth Budget (kbps): Specify the maximum bandwidth allowed for the class in kb/s.
Filter Configuration

Enable Bandwidth Filter: Select Enable Bandwidth Filter to have the Business Secure Router use this bandwidth filter when it performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields, which are only available when you enter the destination or source IP address).
Source IP Address: Enter the source IP address.

Source Subnet Mask: Enter the source subnet mask. This field is N/A if you do not specify a Source IP Address.

Source Port: Enter the port number of the source. See Table 82 for some common services and port numbers.

Protocol ID: Enter the protocol ID (service type) number, for example 1 for ICMP, 6 for TCP or 17 for UDP.
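An added Python example (not from the manual, and not the router's implementation) that models the Edit Class filter fields above and the in-order, first-match evaluation that Table 80 says makes filter ordering important. It also checks for a filter that an earlier, broader filter makes unreachable, which is the usual way a class ends up with no traffic. Class names, subnets, ports and the sample packet are constructed; how the router treats traffic that matches no filter is not modelled (the classifier returns None).

```python
import ipaddress

# Constructed model of a bandwidth filter: destination/source address plus
# subnet mask (one network), optional ports, optional protocol ID. A field
# left blank matches anything, as in the Edit Class screen.


class BandwidthFilter:
    def __init__(self, name, budget_kbps, src=None, dst=None,
                 sport=None, dport=None, proto=None):
        self.name = name
        self.budget_kbps = budget_kbps
        self.src = ipaddress.ip_network(src) if src else None
        self.dst = ipaddress.ip_network(dst) if dst else None
        self.sport, self.dport, self.proto = sport, dport, proto

    def matches(self, pkt):
        """Every filled-in field must match; blank fields match anything."""
        if self.src and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dst and ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        for field in ("sport", "dport", "proto"):
            want = getattr(self, field)
            if want is not None and pkt.get(field) != want:
                return False
        return True


def classify(filters, pkt):
    """Filters are tried in list order and the first match wins, so a broad
    filter placed above a specific one silently absorbs its traffic."""
    for f in filters:
        if f.matches(pkt):
            return f.name
    return None


def shadows(earlier, later):
    """True if `earlier` matches everything `later` could match, so `later`
    can never be selected: every field set on `earlier` must be blank-or-wider
    than the corresponding field on `later`."""
    for a, b in ((earlier.src, later.src), (earlier.dst, later.dst)):
        if a is not None and (b is None or not b.subnet_of(a)):
            return False
    for field in ("sport", "dport", "proto"):
        a, b = getattr(earlier, field), getattr(later, field)
        if a is not None and a != b:
            return False
    return True


def shadowed_filters(filters):
    """Names of filters that some earlier filter makes unreachable."""
    return [later.name for i, later in enumerate(filters)
            if any(shadows(earlier, later) for earlier in filters[:i])]


# Constructed classes in the spirit of Table 78: FTP from subnet A gets its
# own budget; everything else from subnet A shares a second budget.
FTP_FROM_A = BandwidthFilter("ftp-subnet-A", 64, src="192.168.1.0/24", dport=21, proto=6)
ALL_FROM_A = BandwidthFilter("all-subnet-A", 128, src="192.168.1.0/24")
FTP_PACKET = {"src": "192.168.1.20", "dst": "203.0.113.10",
              "sport": 50123, "dport": 21, "proto": 6}

if __name__ == "__main__":
    specific_first = [FTP_FROM_A, ALL_FROM_A]
    broad_first = [ALL_FROM_A, FTP_FROM_A]
    print("specific first:", classify(specific_first, FTP_PACKET),
          "shadowed:", shadowed_filters(specific_first))
    print("broad first   :", classify(broad_first, FTP_PACKET),
          "shadowed:", shadowed_filters(broad_first))
```

With the broad subnet filter moved above the FTP filter, the FTP packet lands in the 128 kb/s class and the 64 kb/s FTP class can never match; `shadowed_filters` reports that before the order is applied.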
Figure 102 Bandwidth management statistics

Table 83 describes the labels in Figure 102.

Table 83 Bandwidth management statistics

Class Name: This field displays the name of the class the statistics page is showing.

Budget (kbps): This field displays the amount of bandwidth allocated to the class.

Tx Packets: This field displays the total number of packets transmitted.

Tx Bytes: This field displays the total number of bytes transmitted.
Monitor

To view the device's bandwidth usage and allotments, click BW MGMT, then the Monitor tab. The screen appears as shown in Figure 103.

Figure 103 Bandwidth manager monitor

Table 84 describes the labels in Figure 103.

Table 84 Bandwidth manager monitor

Interface: Select an interface from the drop-down list to view the bandwidth usage of its bandwidth classes.

Class: This field displays the name of the class.
Chapter 16 IEEE 802.1x

IEEE 802.1x overview

The IEEE 802.1x standard outlines enhanced security methods for both the authentication of users and encryption key management. Authentication can be done using the local user database internal to the Business Secure Router (up to 32 users) or an external RADIUS server for an unlimited number of users.
• Access-Request: Sent by the Business Secure Router requesting authentication.
• Access-Reject: Sent by a RADIUS server rejecting access.
• Access-Accept: Sent by a RADIUS server allowing access.
• Access-Challenge: Sent by a RADIUS server requesting more information in order to allow access. The Business Secure Router obtains the requested response from the user and sends it in another Access-Request message.
Your Business Secure Router supports EAP-MD5 (Message-Digest Algorithm 5) with the local user database. Figure 104 shows an overview of authentication when you specify a RADIUS server on your Business Secure Router.

Figure 104 EAP Authentication

The steps below provide a general description of how IEEE 802.1x EAP authentication works.
1 The user sends a start message to the Business Secure Router.
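The EAP-MD5 challenge/response that the router runs against its local user database, as an added Python example showing both the supplicant and the authenticator side; this is not code from the manual or from the router. The user table, the EAP identifier and the challenge are constructed, and the router's real local database is a firmware table rather than a dict. The response value is MD5(Identifier | password | Challenge) as in CHAP (RFC 1994), which is what EAP-MD5 (RFC 3748 section 5.4) specifies. The last function shows why this method is weak: the hash is unsalted and the exchange derives no keys, so anyone who captures one exchange on the LAN can test password guesses offline.

```python
import hashlib
import secrets
import struct

# Constructed stand-in for the router's local user database.
LOCAL_USERS = {"alice": "winter2006", "bob": "s3cret!"}

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5_CHALLENGE = 4


def eap_packet(code, identifier, payload=b""):
    """EAP header (RFC 3748 section 4): Code, Identifier, Length, then Type-Data."""
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def md5_challenge_request(identifier, challenge, name=b"bsr222"):
    """Authenticator -> supplicant: Type 4, Value-Size, Value (challenge), Name."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge + name
    return eap_packet(EAP_REQUEST, identifier, body)


def md5_response_value(identifier, password, challenge):
    """MD5(Identifier | password | Challenge), exactly as CHAP computes it."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def parse_md5_challenge(packet):
    """Return (code, identifier, value, name) from an EAP-MD5-Challenge packet."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP-MD5-Challenge packet")
    size = packet[5]
    return code, identifier, packet[6:6 + size], packet[6 + size:]


def supplicant_reply(request, username, password):
    """The client: hash the received challenge with its password and send
    the 16-byte value plus its user name."""
    _, identifier, challenge, _ = parse_md5_challenge(request)
    value = md5_response_value(identifier, password, challenge)
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + username.encode()
    return eap_packet(EAP_RESPONSE, identifier, body)


def authenticator_verify(challenge, response, users=LOCAL_USERS):
    """The router: look the user up in the local database, recompute the
    expected value for the challenge it issued, and answer Success or Failure."""
    code, identifier, value, name = parse_md5_challenge(response)
    password = users.get(name.decode(errors="replace"))
    ok = (code == EAP_RESPONSE and password is not None
          and secrets.compare_digest(value, md5_response_value(identifier, password, challenge)))
    return eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, identifier)


def run_exchange(username, password, identifier=0x2A):
    """One complete exchange; returns the two packets an eavesdropper would
    see and whether the router accepted the user."""
    challenge = secrets.token_bytes(16)
    request = md5_challenge_request(identifier, challenge)
    response = supplicant_reply(request, username, password)
    result = authenticator_verify(challenge, response)
    return request, response, result[0] == EAP_SUCCESS


def offline_guess(request, response, wordlist):
    """What a LAN eavesdropper can do with one captured request/response pair:
    with no salt and no key agreement, each candidate is a single MD5."""
    _, identifier, challenge, _ = parse_md5_challenge(request)
    _, _, value, _ = parse_md5_challenge(response)
    for candidate in wordlist:
        if md5_response_value(identifier, candidate, challenge) == value:
            return candidate
    return None


if __name__ == "__main__":
    req, resp, accepted = run_exchange("alice", "winter2006")
    print("router accepted alice:", accepted)
    print("password recovered offline:", offline_guess(req, resp, ["letmein", "winter2006"]))
```

Because the recovered secret is the user's actual password, a weak EAP-MD5 password compromises both the 802.1X logon and any IPSec logon the same local account is enabled for; enforce strong passwords or move to a RADIUS method that protects the credential exchange.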
Figure 105 802.1X

Table 85 describes the labels in Figure 105.

Table 85 802.1X

Authentication Type: Select Authentication Required, No Access or No Authentication Required from the drop-down list. Select Authentication Required to authenticate all users before they can access the network. Select No Authentication Required to allow all users to access your network without authentication.
Chapter 16 IEEE 802.1x 313 Table 85 802.1X Label Description Authentication Databases The authentication database contains user login information. The local user database is the built-in database on the Business Secure Router. The RADIUS is an external server. Use this drop-down list to select the first database the Business Secure Router will use to authenticate a user. Before you specify the priority, make sure you have set up the corresponding database correctly first.
Chapter 16 IEEE 802.
Chapter 17 Authentication server

The Business Secure Router can use either the local user database internal to the Business Secure Router or an external RADIUS server for an unlimited number of users.

Introduction to Local User database

By storing user profiles locally on the Business Secure Router, your Business Secure Router is able to authenticate users without interacting with a network RADIUS server. However, there is a limit on the number of users you can authenticate in this way.

Figure 106 Local User database

Table 86 describes the labels in Figure 106.

Table 86 Local User database
Label: Description
User ID: This field displays the logon name for the user account.
Active: This field displays Yes if the user account is enabled or No if it is disabled.
User type: This field displays whether the user account can be used for an IEEE 802.1X or IPSec logon (or both).
Last Name: This field displays the user's last name.
Status: This field displays the status of IPSec user accounts. A dash appears for all other accounts. Valid displays if an IPSec user can use the account to log on. Expired displays if an IPSec user can no longer use the account to log on.

Figure 107 Local User database edit

Table 87 describes the labels in Figure 107.

Table 87 Local User database edit
Label: Description
Active: Select this check box to turn on the user account. Clear this check box to turn off the user account.
User Type: Select 802.1X to set this user account to be used for an IEEE 802.1X logon. Select IPSec to set this user account to be used for an IPSec logon. Select 802.1X/IPSec to set this user account to be used for both IEEE 802.1X and IPSec logons.
Split Tunnel Networks: This field applies when you select Enabled in the Split Tunneling field. Select the network for which you force traffic to be encrypted and go through the VPN tunnel.
Inverse Split: This field applies when you select Enabled - Inverse or Enabled - Inverse Tunnel (locally connected) in the Split Tunneling field.

Table 88 describes the labels in Figure 108.

Table 88 Current split networks
Label: Description
Return to Local User Database -> User Edit Page: Click this link to return to the screen where you configure a local user database entry.
Current Split Networks: This is the list of names of split or inverse split networks.
Add: Click Add to open another screen where you can specify split or inverse split networks.

Figure 109 Current split networks edit

Table 89 describes the labels in Figure 109.

Table 89 Current split networks edit
Label: Description
Network Name: Enter a name to identify the split network.
IP Address: Enter the IP address for the split network in dotted decimal notation.
Netmask: Enter the netmask for the split network in dotted decimal notation.
Current Subnets for Network: This box displays the subnets that belong to this split network.
Add: Click Add to save your split network configuration.
Delete: Select a network subset and click Delete to remove it.
Clear: Click Clear to remove all of the configuration field and subnet settings.
Apply: Click Apply to save your changes to the Business Secure Router.

Figure 110 RADIUS

Table 90 describes the labels in Figure 110.

Table 90 RADIUS
Label: Description
Authentication Server
Active: Select the check box to enable user authentication through an external authentication server. Clear the check box to enable user authentication using the local user profile on the Business Secure Router.
Server IP Address: Enter the IP address of the external authentication server in dotted decimal notation.
Port Number: The default port of the RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so with additional information.
Key: Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the Business Secure Router.
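The Access-Request / Access-Accept exchange of Chapter 16 and the shared Key of Table 90, worked through as an added example (not Nortel code, not from this manual): the Business Secure Router side builds an RFC 2865 Access-Request whose User-Password is hidden with MD5 of the Key and the Request Authenticator, and checks the Response Authenticator on the reply so that a reply forged without the Key is rejected. The shared key, user name, password and NAS address are constructed values.

```python
"""RADIUS Access-Request / Access-Accept exchange between the Business Secure Router
(RADIUS client) and an external RADIUS server, framed as in RFC 2865.
Added example, not Nortel code; shared key, user and password are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute; the length octet counts the two-octet header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 octets, XOR block i with MD5(secret + previous block);
    the 'previous block' for the first block is the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """What the server does with the attribute; inverse of hide_password."""
    if len(hidden) % 16:
        raise ValueError("User-Password must be a multiple of 16 octets")
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def build_access_request(ident, user, password, secret, nas_ip, request_auth=None):
    """The Access-Request (code 1) the router sends; request_auth is random per request."""
    if request_auth is None:
        request_auth = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, user)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list after the header; rejects truncated or zero-length TLVs."""
    attrs, pos = {}, HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_response(code, request, secret, attrs=b""):
    """Server reply (Accept/Reject/Challenge). Response Authenticator =
    MD5(code + id + length + RequestAuth + attributes + secret)."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request, secret) -> bool:
    """Client-side check that the reply answers this request (same identifier) and
    came from a server holding the shared key; a forged Access-Accept fails here."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    key = b"constructed-shared-key"  # the Key field, up to 31 characters
    req = build_access_request(1, b"alice", b"s3cret", key, "192.168.1.1")
    reply = build_response(ACCESS_ACCEPT, req, key)
    print("Access-Accept authentic:", verify_response(reply, req, key))
```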
Chapter 18 Remote management screens

This chapter provides information on the Remote Management screens.

Remote management overview

Remote management allows you to determine which services and protocols can access which Business Secure Router interface (if any) from which computers.

Note: When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.

1 A filter in SMT menu 3.1 (LAN) or in menu 11.1.4 (WAN) is applied to block a Telnet, FTP, or Web service.
2 A service is disabled in one of the remote management screens.
3 The IP address in the Secured Client IP field does not match the client IP address. If it does not match, the Business Secure Router disconnects the session immediately.
4 An SMT console session is running.

Introduction to HTTPS

HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts Web pages. Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party), and data integrity (you know if data has been changed).

Figure 111 HTTPS implementation

Note: If you disable HTTP Server Access (Disable) in the REMOTE MGMT WWW screen, the Business Secure Router blocks all HTTP connection attempts.

Configuring WWW

To change your Business Secure Router's Web settings, click REMOTE MGMT to open the WWW screen.

Figure 112 WWW

Table 91 describes the labels in Figure 112.

Table 91 WWW
Label: Description
HTTPS Server Certificate: Select the Server Certificate that the Business Secure Router uses to identify itself. The Business Secure Router is the SSL server and must always authenticate itself to the SSL client (the computer that requests the HTTPS connection with the Business Secure Router).
Server Port: The HTTPS proxy server listens on port 443 by default. If you change the HTTPS proxy server port to a different number on the Business Secure Router, for example, 8443, you must notify people who need to access the Business Secure Router WebGUI to use https://<Business Secure Router IP Address>:8443 as the URL.

Internet Explorer warning messages

When you attempt to access the Business Secure Router HTTPS server, a Windows dialog box appears, asking if you trust the server certificate. Click View Certificate if you want to verify that the certificate is from the Business Secure Router. The Security Alert screen shown in Figure 113 appears in Internet Explorer. Select Yes to proceed to the WebGUI logon screen; if you select No, then WebGUI access is blocked.

Select Accept this certificate permanently to import the Business Secure Router's certificate into the SSL client.

Figure 115 Security Certificate 2 (Netscape)

Avoiding the browser warning messages

The following section describes the main reasons that your browser displays warnings about the Business Secure Router's HTTPS server certificate and what you can do to avoid seeing the warnings.

• The issuing certificate authority of the Business Secure Router's HTTPS server certificate is not one of the browser's trusted certificate authorities.

a Click REMOTE MGMT. Write down the name of the certificate displayed in the Server Certificate field.
b Click CERTIFICATES. Find the certificate that was displayed in the Server Certificate field and check its Subject column. CN stands for the certificate's common name (see Figure 119 on page 340 for an example).

Use this procedure to have the Business Secure Router use a certificate with a common name that matches the Business Secure Router's actual IP address.

Figure 116 Logon screen (Internet Explorer)

Figure 117 Login screen (Netscape)

Click Login to proceed. The screen shown in Figure 118 appears. The factory default certificate is a common default certificate for all Business Secure Router models.

Figure 118 Replace certificate

Click Apply in the Replace Certificate screen to create a certificate using your Business Secure Router's MAC address that is specific to this device. Click CERTIFICATES to open the My Certificates screen. You see information similar to that shown in Figure 119.

Figure 119 Device-specific certificate

Click Ignore in the Replace Certificate screen to use the common Business Secure Router certificate. The My Certificates screen appears (Figure 120).

Figure 120 Common Business Secure Router certificate

SSH overview

Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.

Figure 121 SSH Communication Example

How SSH works

Figure 122 summarizes how a secure connection is established between two remote hosts.

Figure 122 How SSH Works

1 Host Identification. The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result to the server. The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer.
2 Encryption Method. Once the identification is verified, both the client and server must agree on the type of encryption method to use.

Figure 123 SSH

Table 92 describes the labels in Figure 123.

Table 92 SSH
Label: Description
Server Host Key: Select the certificate whose corresponding private key is to be used to identify the Business Secure Router for SSH connections. You must have certificates already configured in the My Certificates screen (click My Certificates and see Chapter 14, "Certificates," on page 261 for details).

Note: Nortel recommends that you disable Telnet and FTP when you configure SSH for secure connections.

Secure Telnet using SSH examples

This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the Business Secure Router. The configuration and connection steps are similar for most SSH client programs. For more information about SSH client programs, refer to your SSH client program user's guide.

Example 2: Linux

This section describes how to access the Business Secure Router using the OpenSSH client program that comes with most Linux distributions.

1 Test whether the SSH service is available on the Business Secure Router. Enter "telnet 192.168.1.1 22" at a terminal prompt and press [ENTER]. The computer attempts to connect to port 22 on the Business Secure Router (using the default IP address of 192.168.1.1).

Figure 126 SSH Example 2: Log on

$ ssh -1 192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
Administrator@192.168.1.1's password:

3 The SMT main menu displays.

Figure 127 Secure FTP: Firmware Upload Example

$ sftp -1 192.168.1.1
Connecting to 192.168.1.1...
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
Administrator@192.168.1.1's password:
sftp> put firmware.bin ras
Uploading firmware.
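The host identification step under "How SSH works" and the "continue connecting (yes/no)?" prompt in Figures 126 and 127 are the same mechanism: the client stores the server's public key on first contact and compares it on every later connection. The following added example (not Nortel or OpenSSH code) implements that check; it assumes the modern known_hosts line format "host key-type base64-key", and the key blobs are constructed placeholders, not a real Business Secure Router key.

```python
"""Trust-on-first-use host key check behind the OpenSSH prompt shown in Figures 126
and 127.  Added example, not Nortel or OpenSSH code; key blobs are constructed and
the known_hosts format assumed is the modern 'host key-type base64-key' line."""
import base64
import hashlib
import hmac


def md5_fingerprint(key_blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the format older OpenSSH clients print."""
    digest = hashlib.md5(key_blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_known_hosts(text: str) -> dict:
    """Map (host, key type) to the decoded key blob; comments and blank lines skipped."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed known_hosts line: " + line)
        hosts, key_type, b64 = fields[0], fields[1], fields[2]
        for host in hosts.split(","):  # one line may name several aliases
            known[(host, key_type)] = base64.b64decode(b64)
    return known


def check_host_key(known: dict, host: str, key_type: str, presented: bytes,
                   accept_new: bool):
    """Return (verdict, fingerprint).
    NEW:      no saved key; stored now because the operator answered 'yes'
    REFUSED:  no saved key and the operator declined
    OK:       presented key equals the saved key
    MISMATCH: saved key differs; do not connect, the peer may not be the router"""
    fp = md5_fingerprint(presented)
    saved = known.get((host, key_type))
    if saved is None:
        if accept_new:
            known[(host, key_type)] = presented
            return "NEW", fp
        return "REFUSED", fp
    if hmac.compare_digest(saved, presented):
        return "OK", fp
    return "MISMATCH", fp


def format_known_hosts_line(host: str, key_type: str, key_blob: bytes) -> str:
    """The line the client appends after 'Permanently added ... to the list of known hosts'."""
    return f"{host} {key_type} {base64.b64encode(key_blob).decode()}"


# Constructed sample blobs: not real Business Secure Router keys.
ROUTER_KEY = b"constructed-router-host-key-blob"
OTHER_KEY = b"constructed-different-host-key-blob"

if __name__ == "__main__":
    known_hosts = {}
    print(check_host_key(known_hosts, "192.168.1.1", "ssh-rsa", ROUTER_KEY, True))
    print(check_host_key(known_hosts, "192.168.1.1", "ssh-rsa", ROUTER_KEY, False))
    print(check_host_key(known_hosts, "192.168.1.1", "ssh-rsa", OTHER_KEY, True))
```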
Configuring TELNET

Click REMOTE MANAGEMENT to open the TELNET screen.

Figure 129 Telnet

Table 93 describes the fields in Figure 129.

Table 93 Telnet
Label: Description
Server Port: You can change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Access: Select the interfaces (if any) through which a computer can access the Business Secure Router using this service.

Configuring FTP

You can upload and download the Business Secure Router's firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. To change your Business Secure Router's FTP settings, click REMOTE MANAGEMENT, and then the FTP tab. The screen appears as shown in Figure 130.

Figure 130 FTP

Table 94 describes the fields in Figure 130.

Table 94 FTP
Label: Description
Secured Client IP Address: A secured client is a trusted computer that is allowed to communicate with the Business Secure Router using this service. Select All to allow any computer to access the Business Secure Router using this service. Choose Selected to allow only the computer with the IP address that you specify to access the Business Secure Router using this service.

Figure 131 SNMP Management Model

An SNMP-managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the Business Secure Router). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions.

• Get: Allows the manager to retrieve an object variable from the agent.
• GetNext: Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
• Set: Allows the manager to set values for object variables within an agent.

REMOTE MANAGEMENT: SNMP

To change your Business Secure Router's SNMP settings, click REMOTE MANAGEMENT, and then the SNMP tab. The screen appears as shown in Figure 132.

Figure 132 SNMP

Table 96 describes the fields in Figure 132.

Table 96 SNMP
Label: Description
SNMP Configuration
Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is "PlsChgMe!RO".
Trusted Host: If you enter a trusted host, your Business Secure Router only responds to SNMP messages from this address. In the field, 0.0.0.0 (default) means your Business Secure Router responds to all SNMP messages it receives, regardless of source.
Trap Community: Type the trap community, which is the password sent with each trap to the SNMP manager. The default is public and allows all requests.

Figure 133 DNS

Table 97 describes the fields in Figure 133.

Table 97 DNS
Label: Description
Server Port: The DNS service port number is 53 and cannot be changed here.
Server Access: Select the interfaces (if any) through which a computer can send DNS queries to the Business Secure Router.
Secured Client IP Address: A secured client is a trusted computer that is allowed to send DNS queries to the Business Secure Router.

If an outside user attempts to probe an unsupported port on your Business Secure Router, an ICMP response packet is automatically returned. This allows the outside user to know the Business Secure Router exists. The Business Secure Router series supports antiprobing, which prevents the ICMP response packet from being sent. This keeps outsiders from discovering your Business Secure Router when unsupported ports are probed.

Table 98 Security
Label: Description
Do not respond to requests for unauthorized services: Select this option to prevent hackers from finding the Business Secure Router by probing for unused ports. If you select this option, the Business Secure Router does not send ICMP response packets to port requests for unused ports, thus leaving the unused ports and the Business Secure Router unseen.
Chapter 19 UPnP

This chapter introduces the Universal Plug and Play feature.

Universal Plug and Play overview

Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities, and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use.

Windows Messenger is an example of an application that supports NAT traversal and UPnP.

Cautions with UPnP

The automated nature of NAT traversal applications in establishing their own services and opening firewall ports can present network security issues. Network information and configuration can also be obtained and modified by users in some network environments. All UPnP-enabled devices can communicate freely with each other without additional configuration.

Figure 135 Configuring UPnP

Table 99 describes the fields in Figure 135.

Table 99 Configuring UPnP
Label: Description
Device Name: This identifies the device in UPnP applications.
Enable the Universal Plug and Play (UPnP) feature: Select this check box to activate UPnP. Be aware that anyone can use a UPnP application to open the WebGUI's logon screen without entering the Business Secure Router's IP address (although you must still enter the password to access the WebGUI).

Displaying UPnP port mapping

Click UPnP and then Ports to display the screen as shown in Figure 136. Use this screen to view the NAT port mapping rules that UPnP creates on the Business Secure Router.

Figure 136 UPnP Ports

Table 100 describes the labels in Figure 136.

Table 100 UPnP Ports
Label: Description
Retain UPnP port forwarding: Select this check box to have the Business Secure Router retain UPnP created NAT rules even after restarting.
External Port: This field displays the port number that the Business Secure Router listens on (on the WAN port) for connection requests destined for the NAT rule's Internal Port and Internal Client. The Business Secure Router forwards incoming packets (from the WAN) with this port number to the Internal Client on the Internal Port (on the LAN).

Figure 137 Add/Remove programs: Windows setup

3 In the Communications window, select the Universal Plug and Play check box in the Components selection box.
4 Click OK to return to the Add/Remove Programs Properties window and click Next.
5 Restart the computer when prompted.

Figure 138 Communications

Installing UPnP in Windows XP

Follow the steps below to install UPnP in Windows XP.

1 Click Start and Control Panel.
2 Double-click Network Connections.
3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components .... The Windows Optional Networking Components Wizard window appears.

Figure 139 Network connections

4 Select Networking Service in the Components selection box and click Details.
5 In the Networking Services window, select the Universal Plug and Play check box.

Figure 141 Windows XP networking services

6 Click OK to return to the Windows Optional Networking Component Wizard window and click Next.

Using UPnP in Windows XP example

This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the device. Make sure the computer is connected to a LAN port of the device.

2 Right-click the icon and select Properties.

Figure 142 Internet gateway icon

3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.
4 You can edit or delete the port mappings or click Add to manually add port mappings.

Figure 144 Internet connection properties advanced setup

Figure 145 Service settings

Note: When the UPnP-enabled device is disconnected from your computer, all port mappings are deleted automatically.

5 Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray.

Figure 146 Internet connection icon

6 Double-click the icon to display your current Internet connection status.

Figure 147 Internet connection status

WebGUI easy access

With UPnP, you can access the WebGUI without first finding out its IP address. This is helpful if you do not know the IP address of your Business Secure Router.

3 Select My Network Places under Other Places.

Figure 148 Network connections

4 An icon with the description for each UPnP-enabled device displays under Local Network.
5 Right-click the icon for your Business Secure Router and select Invoke. The WebGUI logon screen displays.
Chapter 20 Logs Screens

This chapter contains information about configuring general log settings and viewing the Business Secure Router's logs. Refer to Appendix B, "Log Descriptions," on page 423 for example log message explanations.

Configuring View Log

With the WebGUI, you can look at all of the Business Secure Router's logs in one location. Click LOGS to open the View Log screen.

Figure 150 View Log

Table 101 describes the fields in Figure 150.

Table 101 View Log
Label: Description
Display: The categories that you select in the Log Settings page display in the drop-down list. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
Time: This field displays the time the log was recorded.
Refresh: Click Refresh to renew the log screen.
Clear Log: Click Clear Log to delete all the logs.

Configuring Log settings

To change your Business Secure Router's log settings, click Logs, then the Log Settings tab. The screen appears as shown in Figure 151.

Figure 151 Log settings

Table 102 describes the fields in Figure 151.

Table 102 Log settings
Label: Description
Address Info
Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages are not sent via e-mail.
Mail Subject: Type a title that you want to be in the subject line of the log e-mail message that the Business Secure Router sends.
Log: Select the categories of the logs that you want to record. Logs include alerts.
Send Immediate Alert: Select the categories of alerts for which you want the Business Secure Router to instantly e-mail alerts to the e-mail address specified in the Send Alerts To field.
Log Consolidation
Active: Some logs (such as the Attacks logs) can be so numerous that it becomes easy to ignore other important log messages.

• How much traffic has been sent to and from the LAN IP addresses to and from which the most traffic has been sent

Note: The Web site hit count may not be 100% accurate, because when an individual Web page loads it can contain references to other Web sites that also get counted as hits. The Business Secure Router records Web site hits by counting the HTTP GET packets.

Table 103 describes the fields in Figure 152.

Table 103 Reports
Label: Description
Collect Statistics: Select the check box and click Apply to have the Business Secure Router record report data.
Send Raw Traffic Statistics to Syslog Server for Analysis: Select the check box and click Apply to have the Business Secure Router send unprocessed traffic statistics to a syslog server for analysis. You must have the syslog server already configured in the Log Settings screen.

Figure 153 Web site hits report example

Table 104 describes the fields in Figure 153.

Table 104 Web site hits report
Label: Description
Web Site: This column lists the domain names of the Web sites visited most often from computers on the LAN. The names are ranked by the number of visits to each Web site and listed in descending order with the most visited Web site listed first. The Business Secure Router counts each page viewed in a Web site as another hit on the Web site.

Viewing Protocol/Port

In the Reports screen, select Protocol/Port from the Report Type drop-down list to have the Business Secure Router record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports.

Table 105 describes the fields in Figure 154.

Table 105 Protocol/Port Report
Label: Description
Protocol/Port: This column lists the protocols or service ports for which the most traffic has gone through the Business Secure Router. The protocols or service ports are listed in descending order with the most used protocol or service port listed first.
Direction: This column lists the direction of travel of the traffic belonging to each protocol or service port listed.

Figure 155 LAN IP address report example

Table 106 describes the fields in Figure 155.

Table 106 LAN IP Address Report
Label: Description
IP Address: This column lists the LAN IP addresses to and from which the most traffic has been sent. The LAN IP addresses are listed in descending order with the LAN IP address to and from which the most traffic was sent listed first.

Reports specifications

Table 107 lists detailed specifications on the reports feature.

Table 107 Report Specifications
Label: Description
Number of Web sites/protocols or ports/IP addresses listed: 20
Hit count limit: Up to 2^32 hits can be counted per Web site. The count starts over at 0 if it passes four billion.
Bytes count limit: Up to 2^64 bytes can be counted per protocol/port or LAN IP address. The count starts over at 0 if it passes 2^64 bytes.
Chapter 21 Call scheduling screens

With call scheduling (applicable for PPPoA or PPPoE encapsulation only), you can dictate when a remote node is to be called and for how long.

Call scheduling introduction

Using the call scheduling feature, the Business Secure Router can manage a remote node and dictate when a remote node is to be called and for how long. This feature is similar to the scheduler in a video cassette recorder (you can specify a time period for the VCR to record).

Figure 156 Call schedule summary

Table 108 describes the fields in Figure 156.

Table 108 Call Schedule Summary
Label: Description
#: This is the call schedule set number.
Name: This field displays the name of the call schedule set.
Active: This field shows whether the call schedule set is turned on (Yes) or off (No).
Start Date: This is the date (in year-month-day format) that the call schedule set takes effect.
Start Time: This is the time (in hour-minute format) when the schedule set takes effect.
Duration Time: This is the maximum length of time (in hour-minute format) that the schedule set applies the action displayed in the Action field.
Action: Forced On means that the connection is maintained whether or not there is a demand call on the line and persists for the time period specified in the Duration field.

If a connection has already been established, your Business Secure Router will not drop it. After the connection is dropped manually or it times out, that remote node cannot be triggered again until the end of the Duration.

Table 109 Call schedule edit
Label: Description
Schedule Name: Enter a name (up to 16 characters) for the call schedule set. You can use numbers, the letters A-Z (upper or lower case) and the underscore (_) and @ symbols.

Applying Schedule Sets to a remote node

Once your schedule sets are configured, you must then apply them to the remote node. You can apply schedule sets when the Business Secure Router is set to use PPPoE or PPTP encapsulation (refer to "Configuring WAN ISP" on page 107). Click WAN, WAN IP to display the WAN IP screen as shown in Figure 158. Use the screen to apply up to four schedule sets.

Figure 158 Applying Schedule Sets to a remote node
Chapter 22 Maintenance This chapter displays system information such as firmware, port IP addresses, and port traffic statistics. Maintenance overview The maintenance screens can help you view system information, upload new firmware, manage configuration, and restart your Business Secure Router. Status screen Click MAINTENANCE to open the Status screen, where you can monitor your Business Secure Router. Note that these fields are READ-ONLY and only used for diagnostic purposes.
Chapter 22 Maintenance Figure 159 System Status Table 110 describes the fields in Figure 159. Table 110 System Status Label Description System Name This is the System Name you chose in the first Internet Access Wizard screen. It is for identification purposes Model Name The model name identifies your device type. The model name is also on a sticker on your device. If you are uploading firmware, be sure to upload firmware for this exact model name.
Chapter 22 Maintenance 393 Table 110 System Status Label Description LAN Port IP Address This is the LAN port IP address. IP Subnet Mask This is the LAN port subnet mask. DHCP This is the LAN port DHCP role–Server or None. System statistics Read-only information here includes port status and packet specific statistics. Also provided are system up time and poll intervals. The Poll Interval(s) field is configurable.
Table 111 System Status: Show statistics
Label: Description
Tx B/s: This displays the transmission speed, in bytes per second, on this port.
Rx B/s: This displays the reception speed, in bytes per second, on this port.
Up Time: This is the total amount of time the line has been up.
System Up Time: This is the total time the Business Secure Router has been on.
Poll Interval(s): Enter the time interval for refreshing statistics in this field.
Figure 161 DHCP Table

Table 112 describes the fields in Figure 161.

Table 112 DHCP Table
Label: Description
#: This is the index number of the host computer.
IP Address: This field displays the IP address relative to the # field listed above.
Host Name: This field displays the computer host name.
MAC Address: This field shows the MAC address of the computer with the name in the Host Name field. Every Ethernet device has a unique MAC (Media Access Control) address.
Click MAINTENANCE, and then the F/W UPLOAD tab. Follow the instructions to upload firmware to your Business Secure Router.

Figure 162 Firmware upload

Table 113 describes the fields in Figure 162.

Table 113 Firmware Upload
Label: Description
File Path: Type in the location of the file you want to upload in this field or click Browse... to find it.
Browse...: Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.ZIP) files before you can upload them.
Figure 163 Firmware Upload In Process

The device automatically restarts during the upload, causing a temporary network disconnect. In some operating systems, you see the icon shown in Figure 164 on your desktop.

Figure 164 Network Temporarily Disconnected

After two minutes, log on again and check your new firmware version in the System Status screen. If the upload was not successful, the screen shown in Figure 165 appears.
Configuration screen
Click MAINTENANCE, and then the Configuration tab. Information related to factory defaults, backup configuration and restoring configuration appears as shown in Figure 166.

Figure 166 Configuration

Back to Factory Defaults
Pressing the Reset button in this section clears all user-entered configuration information and returns the Business Secure Router to its factory defaults. The warning screen appears (see Figure 167).
Figure 167 Reset warning message

You can also press the RESET button on the rear panel to return your Business Secure Router to its factory defaults. The Business Secure Router's LAN IP address changes back to 192.168.1.1 and the password reverts to "PlsChgMe!". Because this default password is published, change it as soon as you log on again after a reset.

Backup configuration
With backup configuration, you can back up and save the device's current configuration to a 104 KB file on your computer.
Restore configuration
With restore configuration, you can upload a new or previously saved configuration file from your computer to your Business Secure Router.

Table 114 Restore configuration
Label: Description
File Path: Type in the location of the file you want to upload in this field or click Browse... to find it.
Browse...: Click Browse... to find the file you want to upload. Remember that you must decompress compressed (.ZIP) files before you can upload them.
Figure 169 Network Temporarily Disconnected

If you uploaded the default configuration file, you need to change the IP address of your computer to be in the same subnet as the default device IP address (192.168.1.1). See the Nortel Business Secure Router 222 — Fundamentals (NN47922-301) guide for details about how to set up your computer's IP address. If the upload was not successful, click Return to return to the Configuration screen.
Figure 170 Restart screen
Appendix A Troubleshooting

This appendix covers potential problems and the corresponding remedies.

Problems Starting Up the Business Secure Router

Table 115 Troubleshooting the Start-Up of your Business Secure Router
Problem: Corrective Action
None of the LEDs turn on when I turn on the Business Secure Router: Make sure that the Business Secure Router's power adapter is connected to the Business Secure Router and plugged in to an appropriate power source.
Problems with the LAN LED

Table 116 Troubleshooting the LAN LED
Problem: Corrective Action
The LAN LEDs do not turn on: Check your Ethernet cable connections. Check for faulty Ethernet cables. Make sure your computer's Ethernet card is working properly.

Problems with the LAN interface

Table 117 Troubleshooting the LAN Interface
Problem: Corrective Action
I cannot access the Business Secure Router from the LAN: Check your Ethernet cable type and connections.
Problems with the WAN interface

Table 118 Troubleshooting the WAN Interface
Problem: Corrective Action
Cannot get WAN IP address from the ISP: Refer to the Nortel Business Secure Router 222 — Fundamentals (NN47922-301) guide for initial set up of the Business Secure Router. The ISP provides the WAN IP address after authentication. Authentication can be through the username and password, the MAC address, or the host name.
Problems accessing an Internet Web site

Table 120 Troubleshooting Web Site Internet Access
Problem: Corrective Action
Cannot connect to a Web site on the Internet: Disable content filtering and clear your browser cache. Try connecting to the Web site again. If you can now connect to this site, the content filter blocked the original access. Check your content filter settings if this was not your intention.
Problems with the WebGUI

Table 122 Troubleshooting the WebGUI
Problem: Corrective Action
I cannot access the WebGUI: Make sure that there is not an SMT console session running. Check that you have enabled Web service access. If you have configured a remote management secured client IP address, your computer's IP address must match it. For WAN access, you must configure remote management to allow server access from the WAN (or all).
Allowing Pop-up Windows, JavaScript and Java Permissions

In order to use the WebGUI, you must allow:
• Web browser pop-up windows from your device
• JavaScript
• Java permissions

Internet Explorer Pop-up Blockers

Note: Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions vary.

Disable pop-up blocking to log on to your device, if necessary.
1 In Internet Explorer, select Tools, Internet Options, Privacy.
2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen.

Figure 172 Internet Options

3 Click Apply to save this setting.

Enabling Pop-up Blockers with Exceptions

Alternatively, if you only want to allow pop-up windows from your device, follow these steps.
1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab.
2 Select Settings… to open the Pop-up Blocker Settings screen.

Figure 173 Internet options

3 Type the IP address of your device (the Web page that you do not want to have blocked) with the prefix "http://". For example, http://192.168.1.1.
4 Click Add to move the IP address to the list of Allowed sites.

Figure 174 Pop-up Blocker settings

5 Click Close to return to the Internet Options screen.
6 Click Apply to save this setting.

Internet Explorer JavaScript

If pages of the WebGUI do not display properly in Internet Explorer, check that JavaScript and Java permissions are enabled.
1 In Internet Explorer, click Tools, Internet Options, and then the Security tab.

Figure 175 Internet options

2 Click the Custom Level... button.
3 Scroll down to Scripting.
4 Under Active scripting make sure that Enable is selected (the default).
5 Under Scripting of Java applets make sure that Enable is selected (the default).
6 Click OK to close the window.

Figure 176 Security Settings - Java Scripting

Internet Explorer Java Permissions
1 From Internet Explorer, click Tools, Internet Options, and then the Security tab.
2 Click the Custom Level... button.
3 Scroll down to Microsoft VM.
4 Under Java permissions make sure that a safety level is selected.
5 Click OK to close the window.

Figure 177 Security Settings - Java

JAVA (Sun)
1 From Internet Explorer, click Tools, Internet Options, and then the Advanced tab.
2 Make sure that Use Java 2 for
4 Close your existing browser session and open a new browser.

Figure 178 Java (Sun)

Netscape Pop-up Blockers

Note: Netscape 7.2 screens are used here. Screens for other Netscape versions vary.

Either disable the blocking of unrequested pop-up windows (enabled by default in Netscape) or allow pop-ups from Web sites by creating an exception for your device's IP address.
Allowing Pop-ups
1 In Netscape, click Tools, Popup Manager and then select Allow Popups From This Site.

Figure 179 Allow Popups from this site

2 In the Netscape search toolbar, you can enable and disable pop-up blockers for Web sites.

Figure 180 Netscape Search Toolbar

You can also check whether pop-up blocking is disabled in the Popup Windows screen in the Privacy & Security directory.
1 In Netscape, click Edit and then Preferences.
3 Clear the Block unrequested popup windows check box.

Figure 181 Popup Windows

4 Click OK to save this setting.

Enable Pop-up Blockers with Exceptions
Alternatively, if you only want to allow pop-up windows from your device, follow these steps:
1 In Netscape, click Edit, and then Preferences.
2 In the Privacy & Security directory, select Popup Windows.
3 Make sure the Block unrequested popup windows check box is selected.
4 Click the Allowed Sites... button.

Figure 182 Popup Windows

5 Type the IP address of your device (the Web page that you do not want to have blocked) with the prefix http://. For example, http://192.168.1.1.
6 Click Add to move the IP address to the Site list.

Figure 183 Allowed Sites

7 Click OK to return to the Popup Windows screen.
8 Click OK to save this setting.

Netscape Java Permissions and JavaScript
If pages of the WebGUI do not display properly in Netscape, check that JavaScript and Java permissions are enabled.
1 In Netscape, click Edit and then Preferences.
2 Click the Advanced directory.
4 Click OK to close the window.

Figure 184 Advanced

5 Click the Advanced directory and then select Scripts & Plug-ins.
6 Make sure the Navigator check box is selected in the Enable JavaScript section.
7 Click OK to close the window.
Appendix B Log Descriptions

This appendix provides descriptions of example log messages.

Table 124 System Error Logs
Log Message: Description
%s exceeds the max. number of session per host!: This attempt to create a SUA/NAT session exceeds the maximum number of SUA/NAT session table entries allowed to be created per host.

Table 125 System Maintenance Logs
Log Message: Description
Time calibration is successful: The router has adjusted its time based on information from the time server.
Table 125 System Maintenance Logs (continued)
Log Message: Description
TELNET Login Fail: Someone has failed to log on to the router via Telnet.
FTP Login Successfully: Someone has logged on to the router via FTP.
FTP Login Fail: Someone has failed to log on to the router via FTP.
NAT Session Table is Full!: The maximum number of SUA/NAT session table entries has been exceeded and the table is full.
Table 128 Attack Logs
Log Message: Description
attack ESP: The firewall detected an ESP attack.
attack GRE: The firewall detected a GRE attack.
attack OSPF: The firewall detected an OSPF attack.
attack ICMP (type:%d, code:%d): The firewall detected an ICMP attack; see the section about ICMP messages for type and code details.
land TCP: The firewall detected a TCP land attack.
land UDP: The firewall detected a UDP land attack.
Table 128 Attack Logs (continued)
Log Message: Description
teardrop ICMP (type:%d, code:%d): The firewall detected an ICMP teardrop attack.
illegal command TCP: The firewall detected a TCP illegal command attack.
NetBIOS TCP: The firewall detected a TCP NetBIOS attack.
ip spoofing - no routing entry TCP: The firewall detected a TCP IP spoofing attack while the Business Secure Router did not have a default route.
Table 129 Access Logs
Log Message: Description
Firewall default policy: ICMP (set:%d, type:%d, code:%d): ICMP access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the ACL set's configuration.
Firewall default policy: IGMP (set:%d): IGMP access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the ACL set's configuration.
Table 129 Access Logs (continued)
Log Message: Description
Firewall rule match: (set:%d, rule:%d): Access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the rule's configuration.
Firewall rule NOT match: TCP (set:%d, rule:%d): TCP access did not match the listed firewall rule and the Business Secure Router logged it.
Table 129 Access Logs (continued)
Log Message: Description
Filter default policy DROP!: Access matched a default filter policy (denied LAN IP) and the Business Secure Router dropped the packet to block access.
Filter default policy FORWARD!: TCP access matched a default filter policy. Access was allowed and the router forwarded the packet.
Filter default policy FORWARD!: UDP access matched a default filter policy. Access was allowed and the router forwarded the packet.
Table 129 Access Logs (continued)
Log Message: Description
(set:%d): With firewall messages, this is the number of the ACL policy set and denotes the packet's direction (see Table 130). With filter messages, this is the number of the filter set.
(rule:%d): With firewall messages, the firewall rule number denotes the number of a firewall rule within an ACL policy set. With filter messages, this is the number of an individual filter rule.
For type and code details, see Table 131.

Table 130 ACL Setting Notes
ACL Set Number, Direction: Description
1, LAN to WAN: ACL set 1 for packets traveling from the LAN to the WAN.
2, WAN to LAN: ACL set 2 for packets traveling from the WAN to the LAN.
7, LAN to LAN/Business Secure Router: ACL set 7 for packets traveling from the LAN to the LAN or the Business Secure Router.
Table 131 ICMP Notes
Message, Type, Code: Description
Redirect (continued), 5, 3: Redirect datagrams for the Type of service and host
Echo, 8, 0: Echo message
Time exceeded, 11, 0: Time to live exceeded in transit
Time exceeded, 11, 1: Fragment reassembly time exceeded
Parameter problem, 12, 0: Pointer indicates the error
Timestamp, 13, 0: Timestamp request message
Timestamp reply, 14, 0: Timestamp reply message
Information request, 15, 0: Information request message
Information reply, 16, 0: Information reply message

Table 132 Sys
Figure 186 Example VPN Initiator IPSec Log
Index: Date/Time: Log:
------------------------------------------------------------
001 01 Jan 08:02:22 Send Main Mode request to <192.168.100.
Figure 187 Example VPN Responder IPSec Log
Index: Date/Time: Log:
------------------------------------------------------------
001 01 Jan 08:08:07 Recv Main Mode request from <192.168.100.
Table 133 Sample IKE Key Exchange Logs
Log Message: Description
Send Main Mode request to <IP> / Send Aggressive Mode request to <IP>: The Business Secure Router started negotiation with the peer.
Recv Main Mode request from <IP> / Recv Aggressive Mode request from <IP>: The Business Secure Router received an IKE negotiation request from the peer.
Recv: <payload type>: IKE uses the ISAKMP protocol (refer to RFC 2408, ISAKMP) to transmit data.
Table 133 Sample IKE Key Exchange Logs (continued)
Log Message: Description
!! Remote IP <range start>/<range end> conflicts: If the security gateway is "0.0.0.0", the Business Secure Router uses the peer's "Local Addr" as its "Remote Addr". If a peer's "Local Addr" range conflicts with other connections, the Business Secure Router does not accept VPN connection requests from this peer.
Table 133 Sample IKE Key Exchange Logs (continued)
Log Message: Description
Send: <payload type>: The router sent a payload type of IKE packet.
Error ID Info: The parameters configured for Phase 1 ID content do not match, or the parameters configured for the Phase 2 ID (IP address of single, range, or subnet) do not match. Check all protocols and settings for these phases.

Table 134 shows sample log messages during packet transmission.
Table 135 shows RFC 2408 ISAKMP payload types that the log displays. Refer to the RFC for detailed information about each type.
Table 136 PKI Logs
Log Message: Description
Failed to resolve <CA server address>: The CMP online certificate enrollment failed because the certification authority server's IP address cannot be resolved.
Rcvd ca cert: <subject name>: The router received a certification authority certificate, with subject name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.
Table 137 Certificate Path Verification Failure Reason Codes
Code: Description
1: Algorithm mismatch between the certificate and the search constraints.
2: Key usage mismatch between the certificate and the search constraints.
3: Certificate was not valid in the time interval.
4: (Not used)
5: Certificate is not valid.
6: Certificate signature was not verified correctly.
7: Certificate was revoked by a CRL.
8: Certificate was not added to the cache.
Table 138 IEEE 802.1X Logs
Log Message: Description
Local User Database accepts user.: A user was authenticated by the local user database.
Local User Database reports user credential error.: A user was not authenticated by the local user database because of an incorrect user password.
Local User Database does not find user's credential.: A user was not authenticated by the local user database because the user is not listed in the local user database.
Table 138 IEEE 802.1X Logs (continued)
Log Message: Description
No Server to authenticate user.: There is no authentication server to authenticate a user.

Log Commands
Go to the command interpreter interface (the Command Interpreter Appendix explains how to access and use the commands).
Table 139 Log categories and available settings
Log Categories: Available Parameters
urlforward: 0, 1

Use 0 to record no logs for a selected category, 1 to record only logs for a selected category, 2 to record only alerts for a selected category, and 3 to record both logs and alerts for a selected category. Use the sys logs save command to store the settings in the Business Secure Router (you must do this in order to record logs).
Log Command Example
This example shows how to set the Business Secure Router to record the access logs and alerts and then view the results.

ras> sys logs load
ras> sys logs category access 3
ras> sys logs save
ras> sys logs display access
# .time source message
0|11/11/2002 15:10:12 |172.22.3.80:137 BLOCK Firewall default policy: UDP(set:8)
1|11/11/2002 15:10:12 |172.21.4.17:138 BLOCK Firewall default policy: UDP(set:8)
2|11/11/2002 15:10:11 |172.17.2.
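The following Python script is an added example and is not Nortel code or part of this manual. It ties together the Log Command Example above, the access log messages of Table 129, the ACL set directions of Table 130 and the 0-3 category values described for Table 139: it parses lines in the layout the example shows (index|date time |source ACTION message), decodes the set:%d and rule:%d fields, and counts blocked source addresses per traffic direction. The sample output is constructed; only its first two lines mirror the manual's example. Because Table 130 on this page lists only sets 1, 2 and 7, set 8 (which appears in the manual's own sample) is reported as "unknown" rather than guessed.

```python
"""Parse 'sys logs display access' output from the BSR222 and summarise firewall decisions.

Added example; this is not Nortel code. It assumes the line layout shown in the
manual's Log Command Example (index|date time |source ACTION message) and the
message texts of Table 129. Table 130 on this page lists only ACL sets 1, 2 and 7,
so any other set number (such as set 8 in the manual's own sample output) is
reported as 'unknown' rather than guessed.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Direction of each ACL policy set, from Table 130 (only the sets printed on this page).
ACL_SET_DIRECTION = {
    1: "LAN to WAN",
    2: "WAN to LAN",
    7: "LAN to LAN/Business Secure Router",
}

# 'sys logs category <cat> <n>' values from Table 139: bit 0 records logs, bit 1 records alerts.
LOGS, ALERTS = 1, 2


def category_setting(logs: bool, alerts: bool) -> int:
    """Return the 0-3 parameter for a log category (0 = nothing, 3 = logs and alerts)."""
    return (LOGS if logs else 0) | (ALERTS if alerts else 0)


def category_commands(category: str, logs: bool, alerts: bool) -> list[str]:
    """Commands to set one category; 'sys logs save' is required before anything is recorded."""
    return [f"sys logs category {category} {category_setting(logs, alerts)}", "sys logs save"]


# One record: '0|11/11/2002 15:10:12 |172.22.3.80:137 BLOCK Firewall default policy: UDP(set:8)'
LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+)\|(?P<time>[^|]+?)\s*\|(?P<src>\S+)\s+"
    r"(?P<action>BLOCK|FORWARD)\s+(?P<msg>.*?)\s*$"
)
# Message forms from Table 129; the protocol and the rule/type/code parts are optional.
MSG_RE = re.compile(
    r"^(?P<kind>Firewall default policy|Firewall rule match|Firewall rule NOT match):\s*"
    r"(?P<proto>[A-Z]+)?\s*\(set:(?P<set>\d+)"
    r"(?:,\s*rule:(?P<rule>\d+))?"
    r"(?:,\s*type:(?P<type>\d+),\s*code:(?P<code>\d+))?\)$"
)


def parse_line(line: str) -> dict | None:
    """Split one display line into fields; return None for the header or unparsable lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = {
        "index": int(m["idx"]),
        "time": m["time"].strip(),
        "source": m["src"],
        "action": m["action"],
        "message": m["msg"],
        "kind": None, "proto": None, "set": None, "rule": None,
        "icmp_type": None, "icmp_code": None, "direction": None,
    }
    mm = MSG_RE.match(rec["message"])
    if mm is not None:
        rec["kind"] = mm["kind"]
        rec["proto"] = mm["proto"]
        rec["set"] = int(mm["set"])
        rec["rule"] = int(mm["rule"]) if mm["rule"] else None
        rec["icmp_type"] = int(mm["type"]) if mm["type"] else None
        rec["icmp_code"] = int(mm["code"]) if mm["code"] else None
        # Sets not in Table 130 on this page stay 'unknown' instead of being guessed.
        rec["direction"] = ACL_SET_DIRECTION.get(rec["set"], "unknown")
    return rec


def summarize(lines) -> tuple[int, dict]:
    """Count BLOCKed source IPs per direction; returns (records parsed, {direction: Counter})."""
    blocked: dict[str, Counter] = defaultdict(Counter)
    parsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        if rec["action"] == "BLOCK":
            src_ip = rec["source"].rsplit(":", 1)[0]  # drop the port, keep the host
            blocked[rec["direction"] or "unparsed message"][src_ip] += 1
    return parsed, dict(blocked)


# Constructed sample output in the manual's layout; the first two lines mirror its example.
SAMPLE_OUTPUT = """\
# .time source message
0|11/11/2002 15:10:12 |172.22.3.80:137 BLOCK Firewall default policy: UDP(set:8)
1|11/11/2002 15:10:12 |172.21.4.17:138 BLOCK Firewall default policy: UDP(set:8)
2|11/11/2002 15:10:11 |203.0.113.9:51234 BLOCK Firewall rule match: TCP(set:2, rule:3)
3|11/11/2002 15:10:10 |192.168.1.20 FORWARD Firewall default policy: ICMP(set:1, type:8, code:0)
4|11/11/2002 15:10:09 |203.0.113.9:51235 BLOCK Firewall rule match: TCP(set:2, rule:3)
"""

if __name__ == "__main__":
    print("\n".join(category_commands("access", logs=True, alerts=True)))
    count, blocked = summarize(SAMPLE_OUTPUT.splitlines())
    print(f"{count} records parsed")
    for direction, hits in blocked.items():
        for ip, n in hits.most_common():
            print(f"{direction:<36}{ip:<18}{n} blocked")
```

Paste the captured output of sys logs display access into SAMPLE_OUTPUT, or feed a saved capture to summarize() line by line. A source that is blocked repeatedly in the WAN to LAN direction is the usual starting point for a review of WAN to LAN rules, while a repeated block in an "unknown" set means the ACL_SET_DIRECTION mapping needs the rows of Table 130 that are not reproduced on this page.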
Index

Numbers
10/100 Mb/s Ethernet WAN 34
3DES 207
4-Port Switch 34

A
Action 179
Action for Matched Packets 182
ActiveX 199
Address Assignment 58, 60
Administrator Inactivity Timer 79
AES 207
AH 206
AH Protocol 206
Alert 179
Allocated Budget 126
Allow Through IPSec Tunnel 247
Allow Trigger Dial 118
Always On 126
Ans
Authentication databases 313
Authentication Header 206
Authentication Type 124
Autonegotiating 10/100 Mb/s Ethernet LAN 34
Autosensing 10/100 Mb/s Ethernet LAN 34
Auxiliary 35

B

C
Call Control 129
Call Scheduling 37, 385
  Maximum Number of Schedule Sets 385
  Precedence 385
  Precedence Example 385
Called ID 129
Calling Line Identification 129
Central Network Management 38
CHAP 124
Check WAN IP Address 122
CLID 129
Client IKE Source Port Switching 257
Client Minimum Version 258
Client Termination 248, 255
Client Termination IP Pool 254
Configuration 394
Connection ID/Name 112
Content Filtering 37, 197
  Days an

D
Default Server IP Address 139
Denial of Service 157, 158, 192, 193

E
Encapsulating Security Payload 206
ESP 206
ESP Protocol 206
Ethernet 52, 53, 56
Ethernet Encapsulation 107

F
Factory LAN Defaults 94
Fail Tolerance 122
Failover Tuning 257
Features 33
Finger 138
Firewall 36
  Access Methods 171
  Address Type 183
  Alerts 191
  Connection Direction 174
  Creating/Ed

G
General Setup 51, 78
Global 132
Global End IP 142, 145
Global Start IP 142, 144
Group Authentication 219
Group ID 219, 250
Group Password 219, 250

H
Half-Open Sessions 192
Hardware Setup 42

I
Internet Control Message Protocol (ICMP) 161
Internet Group Multicast Protocol 95, 117
IP Address 58, 59, 137, 394
IP Alias 38, 101
IP Multicast 38
  Internet Group Management Protocol (IGMP) 38
IP Pool Setup 93
IP Ports 159
IP Spoofing 159, 163
IP Static Route 150
IPSec VPN Capability 35, 36
ISAKMP Initial Contact Payload 258

J
Java 199

K
Key Fields For Conf

M
MAIN MENU 48
Management Information Base (MIB) 352
Many One-to-One 143, 144
Many to Many No Overload 135
Many to Many Overload 135

N
NNTP 138
Nortel Firmware Version 392
Number of Retransmissions 257

O
Off Line 83
On Demand Client Tunnel 219
One Minute High 195
One Minute Low 194
One to One 135
One-Minute High 193
One-to-One 144
Outside 132

P
Packet Dire
Predefined NTP Time Server List 85
Preshared Key 216, 240
Priority 124
Primary Phone Number 124
Private 116, 153
Private IP Address 58
Proportional Bandwidth Allocation 298
Protocol/Port 378, 380
publications
  hard copy 30
  related 30

Q
Quick Start Guide 43

R
RIP-2B 95, 117, 125
RIP-2M 95, 117, 125
Roadrunner Manager 113
RoadRunner Support 40
RoadRunner Toshiba 113
Root Class 301
Routing Information Protocol 94
RR- Service Type 112
RR-Telstra 113
Rule Summary 187
Rules 171, 175
  Checklist 173
  Creating Custom 171
  Key Fields 174
  LAN to WAN 175
  Logic 173
  Predefine

S
SMTP 138
Smurf 161, 162
SNMP 39, 138, 351
  Get 353
  Manager 352
  MIBs 353
  Trap 353
SNMP (Simple Network Management Protocol) 39
Source & Destination Addresses 183
Source Address 174, 182

T
TCP Security 166
TCP/IP 158, 159, 160, 348
Teardrop 159
technical publications 30
Telnet 348
Telnet Configuration 348
text conventions 29
TFTP Restrictions 327
Third DNS Server 80
Threshold Values 192
Time and Date 35
Time Setting 86
Time Warner 113
Traceroute 163
Traci

V
VPN 110
VPN Client Termination 248

W
WAN MAC 118
WAN Setup 60
WAN to LAN Rules 175
Web Proxy 199
Web Site Hits 378
WebGUI 43, 47, 157, 168, 174
Windows Networking 117, 247
Wizard Setup 51, 52, 58
WWW 330