Nortel Business Secure Router 252 — Fundamentals BSR252 Business Secure Router Document Number: NN47923-301 Document Version: 1.
Copyright © Nortel 2005–2006 All rights reserved. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. The information in this document is proprietary to Nortel. Trademarks Nortel, Nortel (Logo), the Globemark, and This is the way, This is Nortel (Design mark) are trademarks of Nortel.
Contents
Preface
Before you begin
Text conventions
Acronyms
4.3 Test your internet connection
Chapter 5 User Notes
General Notes
General
Firewall
Table 1 Internet Account Information Worksheet
Table 2 Front panel details
Table 3 Rear panel details
Preface
This Quick Start Guide provides instructions for installing and configuring your Nortel Business Secure Router 252 as an Office Gateway for your network. After completing this guide, you can access the Internet securely through your Nortel Business Secure Router 252.
Before you begin
This guide is intended for network managers who are installing the Nortel Business Secure Router 252 for the first time.
ENET     Ethernet
IP       Internet Protocol
ISP      Internet Service Provider
LAN      local area network
LLC      logical link control
PPPoA    Point-to-Point Protocol over ADSL
PPPoE    Point-to-Point Protocol over Ethernet
RFC      request for comment
SUA      single user account
TCP/IP   Transmission Control Protocol/Internet Protocol
VC       virtual channel
VCI      virtual channel identifier
VPI      virtual path identifier
WAN      wide area network
Related publications
For more information about using the Nortel Busines
How to get help
If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance. If you purchased a Nortel service program, contact Nortel Technical Support. To obtain contact information online, go to www.nortel.com/cgi-bin/comments/comments.cgi, then click on Technical Support.
Chapter 1 Introducing the Business Secure Router
The Nortel Business Secure Router 252 is the ideal secure gateway for all data passing between the Internet and the LAN. By integrating Network Address Translation (NAT), firewall and Virtual Private Network (VPN) capability, the Nortel Business Secure Router 252 is a complete security solution that protects your Intranet and efficiently manages data traffic on your network.
Chapter 2 Hardware installation
Caution: To keep the Business Secure Router operating at optimal internal temperature, keep the bottom, sides, and rear clear of obstructions and away from the exhaust of other equipment.
Caution: AC Power Adapter Specifications
Only use the approved Phihong Model PSA21R-180 power supply with this device.
NOTE: Attach the appropriate plug to the power supply first before inserting it into the power outlet.
2.1 Front panel
Table 2 Front panel details
LABEL         DESCRIPTION
Step 1: 1-4   Connect a computer to one of these ports with an Ethernet cable. These ports are auto-negotiating (can connect at 10 or 100Mb/s) and auto-sensing (automatically adjusts to the type of Ethernet cable you use, straight-through or crossover).
Step 2        Connect this port to an ADSL-enabled telephone jack (or DSL splitter).
2.2 Rear panel
Table 3 Rear panel details
LABEL            DESCRIPTION
Step 3 18V DC    Connect the included power adaptor (use only this adapter) to this power socket.
After you have made the connections, connect the power cable to a power supply and look at the front panel LEDs. The power LED blinks while performing system testing and then stays on if the testing is successful. The Ethernet port LEDs turn on if the ports are properly connected.
Chapter 3 Setting up your computer IP address
The Business Secure Router is already set up to assign your computer an IP address. Use this section to set up your computer to receive an IP address or assign it a static IP address in the 192.168.1.2 to 192.168.1.127 range with a subnet mask of 255.255.255.0. This is necessary to ensure that your computer can communicate with your Business Secure Router.
Nortel recommends that you do not use a static IP address in the same range as the Business Secure Router DHCP server address pool (192.168.1.2 to 192.168.1.127 by default).
6 Click Advanced. Remove any previously installed gateways in the IP Settings tab and click OK to go back to the Internet Protocol TCP/IP Properties screen.
7 Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
a If you know your DNS server IP addresses, click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
b If you have more than two DNS servers, click Advanced, select the DNS tab and then configure the two DNS servers using the Add button.
Chapter 4 Configuring your Business Secure Router
Choose one of these methods to access and configure the Business Secure Router. This guide shows you how to use the WebGUI wizard only. See Nortel Business Secure Router 252 Configuration — Basics (NN47923-500) and Nortel Business Secure Router 252 Configuration — Advanced (NN47923-501) for background information about all Business Secure Router features and SMT configuration.
3 Nortel recommends you change the default password! Enter a new password, retype it to confirm it and click Apply. Alternatively, click Ignore to proceed to the main menu if you do not want to change the password now.
4 Click Apply in the Replace Factory Default Certificate screen to create a certificate using your Business Secure Router MAC address, which will be specific to this device.
5 The WebGUI MAIN MENU screen appears.
• Select WIZARD if you want help configuring your Business Secure Router for the first time.
• Select a link under MAIN MENU in the navigation panel to configure a Business Secure Router feature.
4.2 Using the wizard to configure for internet access
1 Select WIZARD to display the first wizard screen.
From the Mode drop-down list box, select Routing (default) if your ISP allows multiple computers to share an Internet account. Otherwise select Bridge. Select the encapsulation type your ISP uses from the Encapsulation drop-down list box. Choices vary depending on what you select in the Mode field. Select the multiplexing method used by your ISP from the Multiplex drop-down list box.
Internet Connection with PPPoE
If your ISP provides the name of your PPPoE service provider, enter it in the Service Name field. Enter the user name and password exactly as your ISP gave them to you. Select Obtain an IP Address Automatically if you have a dynamic WAN IP address; otherwise select Static IP Address and type your ISP-assigned WAN IP address in the text box below.
Internet Connection with ENET ENCAP
Select Obtain an IP Address Automatically if you have a dynamic WAN IP address; otherwise select Static IP Address and type your ISP-assigned WAN IP address and the subnet mask in the fields provided. In the ENET ENCAP Gateway field, enter the gateway IP address given by your ISP. From the Network Address Translation drop-down list box, select SUA Only, Full Feature or None.
Internet Connection with PPPoA
Refer to “Internet Connection with PPPoE” for field descriptions.
3 Verify the settings in the screen shown next. This screen varies depending on what mode and encapsulation type you use. To change the LAN information on the Business Secure Router, click Change LAN Configurations. Otherwise click Save Settings to save the configuration and skip to step 5.
If you want to change your Business Secure Router LAN settings, click Change LAN Configuration to display the screen as shown next.
4 Enter the IP address of your Business Secure Router in dotted decimal notation in the LAN IP Address field. For example, 192.168.1.1 (factory default).
Note: If you change the Business Secure Router's LAN IP address, you must use the new IP address if you want to access the WebGUI again.
Enter a subnet mask in dotted decimal notation in the LAN Subnet Mask field.
Specify the first of the contiguous addresses in the IP address pool in the Client IP Pool Starting Address field. Specify the size or count of the IP address pool in the Size of Client IP Pool field.
When DHCP relay is used, set the following: Type the IP address of the DHCP server in dotted decimal notation (like 192.168.1.5) in the DHCP Server Address field.
4.3 Test your internet connection
Launch your web browser and go to www.nortel.com. You do not need a dial-up program such as Dial-Up Networking. Internet access is just the beginning. Refer to the Nortel Business Secure Router 252 Configuration — Basics (NN47923-500) and Nortel Business Secure Router 252 Configuration — Advanced (NN47923-501) for more detailed information about the complete range of Nortel Business Secure Router 252 features.
Chapter 5 User Notes
General Notes
Some router functions, although performing as expected, might cause some confusion. These are summarized below.
General
1 Default Address Mapping Rules When NAT Full Feature Is First Enabled
When NAT Full Feature is first enabled, two address mapping rules are added to the address mapping table. This is done to facilitate programming, and matches the default SUA rule. The rules can be deleted.
5 Clicking Sound
The Business Secure Router will click once every two minutes until an ADSL line is connected.
Firewall
1 Address Range Validation
In the firewall rules, when given an address range, the router does not confirm that the second address is higher than the first. If this type of address range is entered, the range is ignored.
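Because the router accepts such a range without complaint and then ignores it, a rule can appear in the configuration while protecting nothing. The following pre-entry check is an added example, not part of the Nortel guide or the router software; the rule names, the sample addresses, and the treatment of a range whose two addresses are equal are assumptions of this example.

```python
import ipaddress

# Constructed sample rules (names and addresses are illustrative only).
SAMPLE_RULES = [
    {"name": "allow-office", "start": "192.168.1.10", "end": "192.168.1.50"},
    {"name": "block-guests", "start": "192.168.1.200", "end": "192.168.1.100"},
    {"name": "single-host", "start": "192.168.1.5", "end": "192.168.1.5"},
    {"name": "typo", "start": "192.168.1.300", "end": "192.168.1.20"},
]


def check_range(start, end):
    """Classify one address range before it is typed into a firewall rule.

    Returns (status, detail) where status is one of:
      "ok"       - the second address is higher than the first
      "reversed" - the second address is lower; per the user note the
                   router takes the entry but ignores the range
      "equal"    - both addresses match; the note does not describe this
                   case, so it is flagged for review (assumption)
      "invalid"  - one of the values is not a valid IPv4 address
    """
    try:
        lo = ipaddress.IPv4Address(start)
        hi = ipaddress.IPv4Address(end)
    except ipaddress.AddressValueError as exc:
        return "invalid", str(exc)
    if hi > lo:
        return "ok", f"{int(hi) - int(lo) + 1} addresses"
    if hi == lo:
        return "equal", "start and end are the same address"
    return "reversed", f"swap to {end} - {start}"


def audit_rules(rules):
    """Return (name, status, detail) for every rule that needs attention."""
    findings = []
    for rule in rules:
        status, detail = check_range(rule["start"], rule["end"])
        if status != "ok":
            findings.append((rule["name"], status, detail))
    return findings


if __name__ == "__main__":
    for name, status, detail in audit_rules(SAMPLE_RULES):
        print(f"{name}: {status} ({detail})")
```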
If a VPN Client user account is de-activated, deleted, or changed, and that user is currently connected, the connection is not automatically dropped. To drop the connection, the administrator needs to disconnect the user using the 'Disconnect' function in the VPN/SA Monitor GUI. This is consistent with other Nortel Contivity products.
2 User Name Restrictions
User names are limited to a maximum length of 63 characters.
When defining a Client Termination account for another Business Secure Router that will connect using Contivity Client Emulation, the following configuration is required:
• Encryption must be Triple DES with SHA1 integrity, or Triple DES with MD5 integrity.
• IKE Encryption must be Triple DES with Diffie-Hellman Group 2.
• Perfect Forward Secrecy (PFS) must be enabled.
Both RIP-1 and RIP-2
Advanced Router Configuration
The following notes are intended to help with advanced router configuration.
Setting up the router when the system has a server
1 If you are using a Full-Feature NAT configuration, first, do the following...
a In SUA/NAT / Address Mapping, add a 'Server' rule, specifying the 'Public' IP address of the server.
2 For both SUA-Only and Full-Feature NAT configurations, do the following...
2 Repeat these steps at the other end of the branch.
Note: If VPN Client Termination is used on these sites, the client termination address range will need to be included in the tunnel policies in order for the VPN clients to see the other site.
2 Create a tunnel between the sites, as described above.
3 Create an H.323 trunk between the BCM50s, as per the BCM50 User Guide.
Configuring the router to act as a Nortel VPN Server (Client Termination)
1 2 Under VPN / Client Termination,
a Enable Client Termination.
b Select authentication type and the encryption algorithms supported.
c If the clients are assigned IP addresses from a pool, define the pool, and enable it.
Note: In DHCP Server mode, the BCM50 IP address will be the lowest address in the pool.
2 Create the appropriate Firewall rules to add BCM50 access.
1 Determine your actual WAN up-stream bandwidth by connecting to a web site such as http://myvoipspeed.visualware.com/.
2 On BANDWIDTH MANAGEMENT / Summary, activate WAN bandwidth management, and fill in your actual uplink speed in the WAN Speed field.
3 On BANDWIDTH MANAGEMENT / Class Setup, add a WAN subclass, and reserve sufficient bandwidth based on the number of telephones, for Protocol ID 17 (UDP Traffic).
Inter-Operability With Third-Party Routers
VPN Connections With Cisco Routers
When establishing a VPN Client tunnel or Branch Office Tunnel between the Business Secure Router and a Cisco router, the following configuration rules should be followed:
1 Ensure that the WAN IP of the BSR222/252 router and the Cisco router are not in the same subnet.
2 Configure the connection to use DES Encryption and MD5 Authentication.
Chapter 6 Troubleshooting
Problem: None of the LEDs turn on when you turn on the Business Secure Router
Make sure that you have the correct power adapter connected to the Business Secure Router and that it is plugged in to an appropriate power source. Check all cable connections. If the LEDs still do not turn on, you may have a hardware problem. In this case, contact your local vendor.
Problem: You cannot get a WAN IP address from the ISP
The ISP provides the WAN IP address after authenticating the username and password, the MAC address, or the host name. Find out the verification method used by your ISP. You need a username and password if you are using PPPoE or PPPoA encapsulation. Make sure that you have entered the correct service type, username, and password (the username and password are case-sensitive).