Prestige 334 Broadband Router with Firewall User’s Guide Version 3.
Copyright
Copyright © 2004 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation.

Federal Communications Commission (FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operations.
This equipment has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules.

ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase.

Customer Support
Please have the following information ready when you contact customer support.
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.
Contact methods listed per location (WORLDWIDE, NORTH AMERICA, GERMANY, DENMARK, NORWAY, SWEDEN, FINLAND): support e-mail, telephone (a), web site, sales e-mail, fax and FTP site.
Support e-mail: support@zyxel.com.tw. Telephone (a): +886-3-578-3942. Web site: www.zyxel.
a. "+" is the (prefix) number you enter to make an international telephone call.
Table of Contents
Copyright 2
Federal Communications Commission (FCC) Interference Statement 3
ZyXEL Limited Warranty 4
Customer Support 6
Preface
1.2.2.17 Port Forwarding 35
1.2.2.18 DHCP (Dynamic Host Configuration Protocol) 35
1.2.2.19 Full Network Management 35
1.2.2.20 RoadRunner Support 35
1.2.2.21 Logging and Tracing
4.5 Configuring Password 60
4.6 Configuring Time Setting 60
Chapter 5 LAN Screens 64
5.1 LAN Overview
7.3.1 Default Server IP Address 91
7.3.2 Port Forwarding: Services and Port Numbers 91
7.3.3 Configuring Servers Behind SUA (Example) 92
7.4 Configuring SUA Server 93
7.5 Configuring Address Mapping
Chapter 11 Firewall 126
11.1 Introduction 126
11.1.1 What is a Firewall? 126
11.1.2 Stateful Inspection Firewall 126
14.1.3.1 Encryption 150
14.1.3.2 Data Confidentiality 151
14.1.3.3 Data Integrity 151
14.1.3.4 Data Origin Authentication 151
14.1.4 VPN Applications
15.17.2 Telecommuters Using Unique VPN Rules Example 181
15.18 VPN and Remote Management 182
Chapter 16 Centralized Logs 184
16.1 View Log 184
16.2 Log Settings
Chapter 21 Menu 3 LAN Setup 212
21.1 LAN Setup 212
21.1.1 General Ethernet Setup 212
21.2 Protocol Dependent Ethernet Setup 213
25.5 General NAT Examples 244
25.5.1 Example 1: Internet Access Only 245
25.5.2 Example 2: Internet Access with an Inside Server 245
25.5.3 Example 3: Multiple Public IP Addresses With Inside Servers 246
25.5.4 Example 4: NAT Unfriendly Application Programs 250
29.3.1.1 CDR 279
29.3.1.2 Packet triggered 279
29.3.1.3 Filter log 280
29.3.1.4 PPP log 280
29.3.1.5 Firewall log
Chapter 32 Remote Management 306
32.1 Remote Management 306
32.1.1 Remote Management Limitations 307
Chapter 33 Call Scheduling 310
Appendix H TMSS 356
Appendix I Triangle Route

List of Figures
Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem 36
Figure 2 VPN Application 37
Figure 3 Change Password Screen 39
Figure 4 The MAIN MENU Screen of the Web Configurator
Figure 37 Static Route: Edit 104
Figure 38 Configuring UPnP 108
Figure 39 Service Settings 117
Figure 40 Virus Protection
Figure 80 Network Temporarily Disconnected 195
Figure 81 Maintenance Configuration 196
Figure 82 Configuration Restore Successful 197
Figure 83 Temporarily Disconnected
Figure 123 Menu 15.2.1 Specifying an Inside Server 246
Figure 124 NAT Example 3 247
Figure 125 NAT Example 3: Menu 11.3 248
Figure 126 Example 3: Menu 15.1.1.1
Figure 166 Valid Commands 299
Figure 167 Menu 24.9 System Maintenance: Call Control 299
Figure 168 Budget Management 300
Figure 169 Menu 24.9.2 - Call History

List of Tables
Table 1 Screens Summary 41
Table 2 Wizard 2: Ethernet Encapsulation 46
Table 3 Wizard 2: PPPoE Encapsulation 48
Table 4 Wizard 2: PPTP Encapsulation
Table 37 Content Filter 135
Table 38 Remote Management: WWW 140
Table 39 Remote Management: Telnet 141
Table 40 Remote Management: FTP
Table 80 Applying NAT in Menus 4 & 11.3 238
Table 81 SUA Address Mapping Rules 240
Table 82 Menu 15.1.1 First Set 242
Table 83 Menu 15.1.1.1 Editing/Configuring an Individual Rule in a Set 243
Preface
Congratulations on your purchase of the Prestige 334 Broadband Router with Firewall. This manual is designed to guide you through the configuration of your Prestige for its various applications.
Note: Use the web configurator, System Management Terminal (SMT) or command interpreter interface to configure your Prestige. Not all features can be configured through all interfaces.
This manual may refer to the Prestige 334 or Broadband Router with Firewall as the Prestige.

User Guide Feedback
Help us help you! E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you!

Syntax Conventions
• "Enter" means for you to type one or more characters.
• "Select" or "Choose" means for you to use one of the predefined choices.
CHAPTER 1 Getting to Know Your Prestige
This chapter introduces the main features and applications of the Prestige.
1.1 Prestige Internet Security Gateway Overview
The Prestige is the ideal secure gateway for all data passing between the Internet and LANs. By integrating NAT, firewall, media bandwidth management and VPN capability, ZyXEL's Prestige is a complete security solution that protects your Intranet and efficiently manages data traffic on your network.
1.2.1.5 Reset Button
The Prestige reset button is built into the rear panel. Use this button to restore the factory defaults: password 1234, IP address 192.168.1.1, subnet mask 255.255.255.0, and the DHCP server enabled with a pool of 32 IP addresses starting at 192.168.1.33.
1.2.2 Non-Physical Features
1.2.2.7 Universal Plug and Play (UPnP)
Using the standard TCP/IP protocol, the Prestige and other UPnP enabled devices can dynamically join a network, obtain an IP address and convey their capabilities to other devices on the network.
1.2.2.8 Call Scheduling
Configure call time periods to restrict and allow access for users on remote nodes.
1.2.2.14 SNMP
SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Prestige supports SNMP agent functionality, which allows a manager station to manage and monitor the Prestige through the network. The Prestige supports SNMP version one (SNMPv1) and version two (SNMPv2).
• Unix syslog facility support.
• Firewall logs.
• Content filtering logs.
1.2.2.22 Upgrade Prestige Firmware via LAN
The firmware of the Prestige can be upgraded via the LAN (refer to the Maintenance F/W Upload screen).
1.2.2.23 Embedded FTP and TFTP Servers
The Prestige's embedded FTP and TFTP servers enable fast firmware upgrades as well as configuration file backups and restoration.
1.3 Applications for the Prestige
Here are some examples of what you can do with your Prestige.
Figure 2 VPN Application
CHAPTER 2 Introducing the Web Configurator
This chapter describes how to access the Prestige web configurator and provides an overview of its screens.
2.1 Web Configurator Overview
The embedded web configurator allows you to manage the Prestige from anywhere through a browser such as Microsoft Internet Explorer or Netscape Navigator. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions with JavaScript enabled.
Figure 3 Change Password Screen
You should now see the MAIN MENU screen.
Note: The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the Prestige if this happens to you.
• Click the language icon to view the web configurator in the language of your choice.
• Click LOGOUT at any time to exit the web configurator.
• Click MAINTENANCE to view information about your Prestige or upgrade configuration/firmware files. Maintenance includes Status (Statistics), DHCP Table, F/W (firmware) Upload, Configuration (Backup, Restore, Defaults) and Restart.
Figure 4 The MAIN MENU Screen of the Web Configurator
The following table describes the sub-menus.
Table 1 Screens Summary (LINK / TAB / FUNCTION)
WIZARD SETUP: Use these screens for initial configuration including general setup, ISP parameters for Internet Access and WAN IP/DNS Server/MAC address assignment.
SYSTEM / General: This screen contains administrative and system-related information.
SYSTEM / DDNS: Use this screen to set up dynamic DNS.
SYSTEM / Password: Use this screen to change your password.
Table 1 Screens Summary (continued)
REMOTE MGMT / TELNET: Use this screen to configure through which interface(s) and from which IP address(es) users can use Telnet to manage the Prestige.
REMOTE MGMT / FTP: Use this screen to configure through which interface(s) and from which IP address(es) users can use FTP to access the Prestige.
REMOTE MGMT / WWW: Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTP to manage the Prestige.
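The REMOTE MGMT screens above express one policy per service: the interface(s) it may be reached on and the client address(es) allowed to use it. The following is an added example written for this guide, not ZyXEL code, that models such a policy and evaluates an incoming management session against it; the dictionary layout, the "All" convention for the permitted client, and the interface names LAN/WAN are assumptions made for the example.

```python
import ipaddress

# Constructed policy in the shape of the Prestige REMOTE MGMT screens (Table 1):
# for each service, the interface(s) it may be reached on and the client
# address allowed to use it, either "All" or one IP address. The key names and
# the "All" convention are assumptions made for this example.
POLICY = {
    "WWW":    {"interfaces": {"LAN"}, "secured_client": "All"},
    "TELNET": {"interfaces": {"LAN"}, "secured_client": "192.168.1.10"},
    "FTP":    {"interfaces": set(),   "secured_client": "All"},  # no interface: disabled
}


def is_management_allowed(service, interface, src_ip, policy=POLICY):
    """Return True only if a session for `service` arriving on `interface`
    from `src_ip` is permitted. Unknown services, interfaces the service is
    not enabled on, and malformed client addresses are all denied."""
    entry = policy.get(service.upper())
    if entry is None or interface not in entry["interfaces"]:
        return False
    allowed = entry["secured_client"]
    if allowed == "All":
        return True
    try:
        return ipaddress.ip_address(src_ip) == ipaddress.ip_address(allowed)
    except ValueError:
        return False


def wan_exposed_services(policy=POLICY):
    """List services reachable on the WAN interface from any client: the
    combination worth reviewing before enabling remote management."""
    return sorted(name for name, entry in policy.items()
                  if "WAN" in entry["interfaces"]
                  and entry["secured_client"] == "All")


if __name__ == "__main__":
    print(is_management_allowed("TELNET", "LAN", "192.168.1.10"))  # True
    print(is_management_allowed("TELNET", "WAN", "192.168.1.10"))  # False
    print(wan_exposed_services())                                  # []
```

The default-deny shape matters: a service with no interface selected is unreachable, and a client address that fails to parse is treated as no match rather than as "All".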
CHAPTER 3 Wizard Setup
This chapter provides information on the Wizard Setup screens in the web configurator.
3.1 Wizard Setup Overview
The web configurator's setup wizard helps you configure your device to access the Internet. The second screen has three variations depending on what encapsulation type you use. Refer to your ISP checklist in the Quick Start Guide to know what to enter in each field. Leave a field blank if you don't have that information.
Figure 5 Wizard 1: General Setup
3.3 Wizard Setup: Screen 2
The Prestige offers three choices of encapsulation: Ethernet, PPP over Ethernet or PPTP.
3.3.1 Ethernet
Choose Ethernet when the WAN port is used as a regular Ethernet.
Figure 6 Wizard 2: Ethernet Encapsulation
The following table describes the labels in this screen.
Table 2 Wizard 2: Ethernet Encapsulation (LABEL / DESCRIPTION)
ISP Parameters for Internet Access
Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPP over Ethernet or PPTP for a dial-up connection.
3.3.2 PPPoE Encapsulation
Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) draft standard specifying how a host personal computer interacts with a broadband modem (for example DSL, cable or wireless) to achieve access to high-speed data networks. For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for instance, RADIUS).
Figure 7 Wizard 2: PPPoE Encapsulation
The following table describes the labels in this screen.
Table 3 Wizard 2: PPPoE Encapsulation (LABEL / DESCRIPTION)
ISP Parameters for Internet Access
Encapsulation: Choose PPP over Ethernet from the pull-down list box. PPPoE forms a dial-up connection.
Service Name: Type the name of your service provider.
User Name: Type the user name given to you by your ISP.
Password: Type the password associated with the user name above.
Refer to the appendix for more information on PPTP.
Note: The Prestige supports one PPTP server connection at any given time.
Figure 8 Wizard 2: PPTP Encapsulation
The following table describes the fields in this screen.
Table 4 Wizard 2: PPTP Encapsulation (LABEL / DESCRIPTION)
ISP Parameters for Internet Access
Encapsulation: Select PPTP from the drop-down list box.
User Name: Type the user name given to you by your ISP.
Connection ID/Name: Enter the connection ID or connection name in this field. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your ISP.
Back: Click Back to return to the previous screen.
Next: Click Next to continue.
Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established.
You can configure the WAN port's MAC address by either using the factory default or cloning the MAC address from a computer on your LAN. Once it is successfully configured, the address will be copied to the "rom" file (ZyNOS configuration file). It will not change unless you change the setting or upload a different "rom" file.
Table 6 Example of Network Properties for LAN Servers with Fixed IP Addresses
Choose an IP address: 192.168.1.2-192.168.1.32; 192.168.1.65-192.168.1.254.
Table 7 Wizard 3: WAN Setup (LABEL / DESCRIPTION)
Gateway IP Address: Type the IP address of the gateway. The gateway is an immediate neighbour of your Prestige that will forward the packet to the destination. The gateway must be a router on the same segment as your Prestige's LAN or WAN port.
System DNS Server Address Assignment (if applicable): DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa.
Figure 10 Wizard Finish
Well done! You have successfully set up your Prestige to operate on your network and access the Internet.
CHAPTER 4 System Screens
This chapter provides information on the System screens.
4.1 System Overview
See the Wizard Setup chapter for more information on the next few screens.
4.2 Configuring General Setup
Click SYSTEM to open the General screen.
Figure 11 System General Setup
The following table describes the labels in this screen.
Table 8 System General Setup (LABEL / DESCRIPTION)
System Name: Choose a descriptive name for identification purposes. It is recommended you enter your computer's "Computer name" in this field (see the Wizard Setup chapter for how to find your computer's name). This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted.
Apply: Click Apply to save your changes back to the Prestige.
Reset: Click Reset to begin configuring this screen afresh.
4.3 Dynamic DNS
Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.
Figure 12 DDNS
The following table describes the labels in this screen.
Table 9 DDNS (LABEL / DESCRIPTION)
Active: Select this check box to use dynamic DNS.
Service Provider: Select the name of your Dynamic DNS service provider.
DDNS Type: Select the type of service that you are registered for from your Dynamic DNS service provider.
Host Names 1~3: Enter the host names in the three fields provided. You can specify up to two host names in each field separated by a comma (",").
Apply: Click Apply to save your changes back to the Prestige.
Reset: Click Reset to begin configuring this screen afresh.
4.5 Configuring Password
To change your Prestige's password (recommended), click SYSTEM, then the Password tab. The screen appears as shown. This screen allows you to change the Prestige's password.
Figure 13 Password
The following table describes the labels in this screen.
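Three of the fields described so far carry explicit format rules: the PPTP Connection ID/Name ("c:id" or "n:name", Table 4), the System Name (up to 30 alphanumeric characters plus "-" and "_", no spaces, Table 8) and the DDNS host name fields (at most two names per field, comma-separated, Table 9). The following added example, written for this guide rather than taken from ZyXEL firmware, validates input against those rules before it would be sent to the device; the host-name label rules (1 to 63 characters per label, 253 overall) come from general DNS conventions and are an assumption beyond what the manual states.

```python
import re

SYSTEM_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,30}")
HOST_LABEL_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def valid_system_name(name):
    """System Name (Table 8): up to 30 alphanumeric characters, dashes and
    underscores allowed, no spaces."""
    return SYSTEM_NAME_RE.fullmatch(name) is not None


def parse_connection_id(value):
    """PPTP Connection ID/Name (Table 4): optional; "c:id" or "n:name".
    Returns None for an empty field, ("id", "12") for C:12, ("name", "My ISP")
    for N:My ISP, and raises ValueError for anything else."""
    if value is None or not value.strip():
        return None
    match = re.fullmatch(r"\s*([cCnN]):(.+)", value)
    if match is None:
        raise ValueError(f"expected c:<id> or n:<name>, got {value!r}")
    kind, rest = match.group(1).lower(), match.group(2).strip()
    if not rest:
        raise ValueError("empty value after the prefix")
    if kind == "c":
        if not rest.isdigit():
            raise ValueError(f"connection id must be numeric, got {rest!r}")
        return ("id", rest)
    return ("name", rest)


def valid_hostname(host):
    """DNS host name (assumed general rule): dot-separated labels of 1..63
    characters, no leading or trailing hyphen, at most 253 characters."""
    if not host or len(host) > 253:
        return False
    return all(HOST_LABEL_RE.fullmatch(label) for label in host.split("."))


def parse_ddns_hosts(field):
    """DDNS Host Names 1~3 (Table 9): one field holds up to two host names
    separated by a comma. Returns the list of names or raises ValueError."""
    names = [part.strip() for part in field.split(",")]
    names = [n for n in names if n]
    if len(names) > 2:
        raise ValueError("at most two host names per field")
    bad = [n for n in names if not valid_hostname(n)]
    if bad:
        raise ValueError(f"invalid host name(s): {bad}")
    return names


def check_field(parser, value):
    """True if `parser` accepts `value` without raising ValueError."""
    try:
        parser(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_connection_id("N:My ISP"))   # ('name', 'My ISP')
    print(valid_system_name("my router"))     # False (space not allowed)
```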
Figure 14 Time Setting
The following table describes the labels in this screen.
Table 11 Time Setting (LABEL / DESCRIPTION)
Use Time Server when Bootup: Select the time service protocol that your time server sends when you turn on the Prestige. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main difference between them is the format.
New Date: This field displays the last updated date from the time server. When you select None in the Time Protocol field, enter the new date in this field and then click Apply.
Time Zone: Choose the Time Zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT).
Daylight Savings: Select this option if you use daylight savings time.
CHAPTER 5 LAN Screens
This chapter describes how to configure LAN settings.
5.1 LAN Overview
A Local Area Network (LAN) is a shared communication system to which many computers are attached. The LAN screens can help you configure a LAN DHCP server, manage IP addresses, and partition your physical network into logical networks.
• IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits)
• DHCP server enabled with 32 client IP addresses starting from 192.168.1.33.
These parameters should work for the majority of installations. If your ISP gives you explicit DNS server address(es), read the embedded web configurator help regarding what fields need to be configured.
5.3.2 IP Address and Subnet Mask
Refer to the IP Address and Subnet Mask section in the Wizard Setup chapter for this information.
224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group. The Prestige supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2).
Figure 15 LAN IP
The following table describes the labels in this screen.
Table 12 LAN IP (LABEL / DESCRIPTION)
DHCP Server: DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (computers) to obtain TCP/IP configuration at startup from a server. Leave the DHCP Server check box selected unless your ISP instructs you to do otherwise. Clear it to disable the Prestige acting as a DHCP server.
First DNS Server / Second DNS Server / Third DNS Server: Select From ISP if your ISP dynamically assigns DNS server information (and the Prestige's WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns. Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose User-Defined, but leave the IP address set to 0.0.0.
Table 12 LAN IP (continued)
Allow between LAN and WAN: Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you also need to enable the default WAN to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN.
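The Allow between LAN and WAN setting interacts with the firewall's default WAN-to-LAN policy in a way that is easy to get wrong: ticking the box is not enough for inbound NetBIOS if the firewall still blocks WAN-to-LAN traffic by default. The following added example, not part of the ZyXEL manual, encodes that decision and runs it over a few constructed packets. The NetBIOS port numbers (137/udp name service, 138/udp datagram service, 139/tcp session service) come from general protocol knowledge, not from this manual, and the parameter names are the example's own.

```python
from collections import Counter

# NetBIOS over TCP/IP well-known ports (IANA): name service 137/udp, datagram
# service 138/udp, session service 139/tcp. Taken from general protocol
# knowledge; the Prestige manual does not list them.
NETBIOS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139)}


def is_netbios(proto, dst_port):
    return (proto.lower(), dst_port) in NETBIOS_PORTS


def netbios_verdict(direction, proto, dst_port, allow_between_lan_wan,
                    firewall_enabled=True, block_wan_to_lan_by_default=True,
                    netbios_wan_to_lan_rule_enabled=False):
    """Apply the Table 12 rule. `direction` is "LAN->WAN" or "WAN->LAN".

    Returns "not-netbios" for traffic this setting does not govern, "drop"
    when the check box is cleared or the firewall's default WAN-to-LAN policy
    still blocks the packet, and "forward" otherwise.
    """
    if direction not in ("LAN->WAN", "WAN->LAN"):
        raise ValueError(f"unknown direction {direction!r}")
    if not is_netbios(proto, dst_port):
        return "not-netbios"
    if not allow_between_lan_wan:
        return "drop"
    if (direction == "WAN->LAN" and firewall_enabled
            and block_wan_to_lan_by_default
            and not netbios_wan_to_lan_rule_enabled):
        return "drop"
    return "forward"


# Constructed sample traffic: (direction, protocol, destination port).
SAMPLE_PACKETS = [
    ("LAN->WAN", "udp", 137),
    ("LAN->WAN", "tcp", 139),
    ("WAN->LAN", "udp", 138),
    ("WAN->LAN", "tcp", 139),
    ("LAN->WAN", "tcp", 80),
    ("WAN->LAN", "udp", 53),
]


def tally(packets, **settings):
    """Count verdicts for a packet list under one combination of settings."""
    counts = Counter(netbios_verdict(d, p, port, **settings)
                     for d, p, port in packets)
    return dict(counts)


if __name__ == "__main__":
    # Box ticked but firewall still blocking WAN->LAN by default:
    print(tally(SAMPLE_PACKETS, allow_between_lan_wan=True))
    # {'forward': 2, 'drop': 2, 'not-netbios': 2}
```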
Figure 16 Static DHCP
The following table describes the labels in this screen.
Table 13 Static DHCP (LABEL / DESCRIPTION)
#: This is the index number of the Static IP table entry (row).
MAC Address: Type the MAC address (with colons) of a computer on your LAN.
IP Address: This field specifies the size, or count of the IP address pool.
Apply: Click Apply to save your changes back to the Prestige.
Reset: Click Reset to begin configuring this screen afresh.
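The LAN defaults quoted in the reset-button and LAN overview sections (router 192.168.1.1/24, a DHCP pool of 32 addresses from 192.168.1.33), the fixed-address ranges of Table 6, the DHCP Server setting of Table 12 and the Static DHCP entries of Table 13 all describe one address plan. The following added example, written for this guide and not ZyXEL's implementation, models that plan: it derives the pool and the fixed-address ranges, validates colon-separated MAC addresses, and hands out reservations before pool addresses. The class and method names are the example's own assumptions.

```python
import ipaddress


def normalize_mac(mac):
    """Accept a MAC written with colons, as the Static DHCP screen requires
    (Table 13), and return it lower-cased; raise ValueError otherwise."""
    parts = mac.strip().lower().split(":")
    hexdigits = set("0123456789abcdef")
    if len(parts) != 6 or not all(len(p) == 2 and set(p) <= hexdigits for p in parts):
        raise ValueError(f"MAC must be six colon-separated hex octets: {mac!r}")
    return ":".join(parts)


def valid_mac(mac):
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


class LanDhcp:
    """Model of the Prestige LAN DHCP server using the factory defaults:
    router 192.168.1.1/24 and a pool of 32 addresses starting at
    192.168.1.33. Names here are this example's own, not the device's."""

    def __init__(self, router_ip="192.168.1.1", prefixlen=24,
                 pool_start="192.168.1.33", size=32):
        self.router = ipaddress.ip_address(router_ip)
        self.network = ipaddress.ip_network(f"{router_ip}/{prefixlen}", strict=False)
        start = ipaddress.ip_address(pool_start)
        self.pool = [start + i for i in range(size)]
        if any(a not in self.network or a == self.router for a in self.pool):
            raise ValueError("DHCP pool must lie inside the LAN subnet and exclude the router")
        self.reservations = {}   # mac -> IPv4Address (Static DHCP entries)
        self.leases = {}         # mac -> IPv4Address handed out from the pool

    def pool_range(self):
        return str(self.pool[0]), str(self.pool[-1])

    def fixed_address_ranges(self):
        """Host addresses that are neither the router nor in the pool: the
        ranges a server with a fixed IP address can use (compare Table 6)."""
        pool, ranges, run = set(self.pool), [], []
        for host in self.network.hosts():
            if host == self.router or host in pool:
                if run:
                    ranges.append((str(run[0]), str(run[-1])))
                    run = []
            else:
                run.append(host)
        if run:
            ranges.append((str(run[0]), str(run[-1])))
        return ranges

    def reserve(self, mac, ip):
        """Add a Static DHCP entry binding `mac` to `ip`."""
        mac, addr = normalize_mac(mac), ipaddress.ip_address(ip)
        if addr not in self.network or addr == self.router:
            raise ValueError(f"{ip} is not a usable LAN host address")
        if addr in self.reservations.values() or addr in self.leases.values():
            raise ValueError(f"{ip} is already assigned")
        self.reservations[mac] = addr

    def lease(self, mac):
        """Return the address a client gets: its reservation, its existing
        lease, or the next free pool address; None when the pool is exhausted."""
        mac = normalize_mac(mac)
        if mac in self.reservations:
            return str(self.reservations[mac])
        if mac in self.leases:
            return str(self.leases[mac])
        taken = set(self.leases.values()) | set(self.reservations.values())
        for addr in self.pool:
            if addr not in taken:
                self.leases[mac] = addr
                return str(addr)
        return None


if __name__ == "__main__":
    lan = LanDhcp()
    print(lan.pool_range())             # ('192.168.1.33', '192.168.1.64')
    print(lan.fixed_address_ranges())   # [('192.168.1.2', '192.168.1.32'), ('192.168.1.65', '192.168.1.254')]
```

With the defaults the computed fixed-address ranges reproduce Table 6 exactly, which is a quick way to confirm that a server's static address cannot collide with a dynamic lease.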
Figure 17 IP Alias
The following table describes the labels in this screen.
Table 14 IP Alias (LABEL / DESCRIPTION)
IP Alias 1,2: Select the check box to configure another LAN network for the Prestige.
IP Address: Enter the IP address of your Prestige in dotted decimal notation.
IP Subnet Mask: Your Prestige will automatically calculate the subnet mask based on the IP address that you assign.
CHAPTER 6 WAN Screens
This chapter describes how to configure WAN settings.
6.1 WAN Overview
See the Wizard Setup chapter for more information on the fields in the WAN screens.
6.2 TCP/IP Priority (Metric)
The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1" for directly connected networks.
Figure 18 WAN: Route
The following table describes the labels in this screen.
Table 15 WAN: Route (LABEL / DESCRIPTION)
WAN / Traffic Redirect: The default WAN connection is "1" as your broadband connection via the WAN port should always be your preferred method of accessing the WAN. The default priority of the routes is WAN and then Traffic Redirect.
Apply: Click Apply to save your changes back to the Prestige.
Reset: Click Reset to begin configuring this screen afresh.
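Section 6.2 and Table 15 together say that the lowest metric wins, that a directly connected network can never cost less than 1, and that the WAN route (metric "1") is preferred over Traffic Redirect. The following added example, not taken from the ZyXEL manual, implements that selection and replays a WAN outage so the failover to Traffic Redirect and the return to WAN are visible; the Route class and the event list are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Route:
    """One candidate path. `metric` is the RIP-style hop count (cost); a
    directly connected network costs 1 and nothing may cost less."""
    name: str
    metric: int
    up: bool = True

    def __post_init__(self):
        if self.metric < 1:
            raise ValueError(f"metric for {self.name} must be at least 1")


def default_routes():
    """Constructed route table in the order the Prestige prefers: the WAN
    connection first (default metric "1"), then Traffic Redirect."""
    return [Route("WAN", 1), Route("Traffic Redirect", 2)]


def choose_route(routes):
    """Return the lowest-cost route that is up. Ties keep list order, so with
    equal metrics WAN still wins over Traffic Redirect. None if nothing is up."""
    candidates = [r for r in routes if r.up]
    if not candidates:
        return None
    return min(candidates, key=lambda r: r.metric)  # min keeps the first of equals


def failover_sequence(routes, wan_events):
    """Replay a list of WAN link states (True = up) and report which route
    carries traffic after each event."""
    chosen = []
    for wan_up in wan_events:
        for r in routes:
            if r.name == "WAN":
                r.up = wan_up
        selected = choose_route(routes)
        chosen.append(selected.name if selected else None)
    return chosen


if __name__ == "__main__":
    print(failover_sequence(default_routes(), [True, False, True]))
    # ['WAN', 'Traffic Redirect', 'WAN']
```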
Figure 19 Ethernet Encapsulation
The following table describes the labels in this screen.
Table 16 Ethernet Encapsulation (LABEL / DESCRIPTION)
Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
Service Type: Choose from Standard, Telstra (RoadRunner Telstra authentication method), RR-Manager (RoadRunner Manager authentication method), RR-Toshiba (RoadRunner Toshiba authentication method) or Telia Login.
For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for example RADIUS). PPPoE provides a login and authentication method that the existing Microsoft Dial-Up Networking software can activate, and therefore requires no new learning or procedures for Windows users. One of the benefits of PPPoE is the ability to let you access one of multiple network services, a function known as dynamic service selection.
Figure 20 PPPoE Encapsulation
The following table describes the labels in this screen.
Table 17 PPPoE Encapsulation (LABEL / DESCRIPTION)
ISP Parameters for Internet Access
Encapsulation: The PPP over Ethernet choice is for a dial-up connection using PPPoE. The Prestige supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (i.e. xDSL, cable, wireless, etc.
6.4.3 PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. The screen shown next is for PPTP encapsulation.
Table 18 PPTP Encapsulation (LABEL / DESCRIPTION)
Retype to Confirm: Type your password again to make sure that you have entered it correctly.
Nailed-up Connection: Select Nailed-Up Connection if you do not want the connection to time out.
Idle Timeout: This value specifies the time in seconds that elapses before the Prestige automatically disconnects from the PPTP server.
PPTP Configuration
My IP Address: Type the (static) IP address assigned to you by your ISP.
Figure 22 WAN: IP
The following table describes the labels in this screen.
Table 19 WAN: IP (LABEL / DESCRIPTION)
WAN IP Address Assignment
Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Use fixed IP address: Select this option if the ISP assigned a fixed IP address.
My WAN IP Address: Enter your WAN IP address in this field if you selected Use Fixed IP Address.
Network Address Translation: Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Choose None to disable NAT. Choose SUA Only if you have a single public IP address.
Multicast: Choose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use.
Otherwise, click Spoof this computer's MAC address - IP Address and enter the IP address of the computer on the LAN whose MAC you are cloning. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file). It will not change unless you change the setting or upload a different ROM file. It is recommended that you clone the MAC address prior to hooking up the WAN Port.
Figure 25 Traffic Redirect LAN Setup
6.8 Configuring Traffic Redirect
To change your Prestige's Traffic Redirect settings, click WAN, then the Traffic Redirect tab. The screen appears as shown.
Figure 26 WAN: Traffic Redirect
The following table describes the labels in this screen.
Table 20 Traffic Redirect (LABEL / DESCRIPTION)
Active: Select this check box to have the Prestige use traffic redirect if the normal WAN connection goes down.
Prestige 334 User’s Guide Table 20 Traffic Redirect LABEL DESCRIPTION Metric This field sets this route's priority among the routes the Prestige uses. The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1" for directly connected networks. The number must be between "1" and "15"; a number greater than "15" means the link is down.
CHAPTER 7 Network Address Translation (NAT) Screens
This chapter discusses how to configure NAT on the Prestige.
7.1 NAT Overview
NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network, is changed to a different IP address known within another network.
7.1.1 NAT Definitions
Inside/outside denotes where a host is located relative to the Prestige.

Note: NAT never changes the IP address (either local or global) of an outside host.
7.1.2 What NAT Does
In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side.

Figure 27 How NAT Works
7.1.4 NAT Application
The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the Prestige can communicate with three distinct WAN networks. More examples follow at the end of this chapter.

Figure 28 NAT Application With IP Alias
7.1.5 NAT Mapping Types
NAT supports five types of IP/port mapping. They are:
• One to One: In One-to-One mode, the Prestige maps one local IP address to one global IP address.
• Many to One: In Many-to-One mode, the Prestige maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL’s Single User Account feature (the SUA Only option).

The following table summarizes these types.
Table 22 NAT Mapping Types (TYPE: IP MAPPING; SMT ABBREVIATION)
One-to-One: ILA1 <-> IGA1; 1-1
Many-to-One (SUA/PAT): ILA1 <-> IGA1, ILA2 <-> IGA1, …; M-1
Many-to-Many Overload: ILA1 <-> IGA1, ILA2 <-> IGA2, ILA3 <-> IGA1, ILA4 <-> IGA2, …; M-M Ov
Many One-to-One: ILA1 <-> IGA1, ILA2 <-> IGA2, ILA3 <-> IGA3, …; M-1-1
Server: Server 1 IP <-> IGA1, Server 2 IP <-> IGA1, Server 3 IP <-> IGA1; Server

You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21. In some cases, such as for unknown services or where one server can support more than one service (for example both FTP and web service), it might be better to specify a range of port numbers.

The most often used port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers. Please also refer to the Supporting CD for more examples and details on SUA/NAT.

Figure 29 Multiple Servers Behind NAT Example
7.4 Configuring SUA Server
Note: If you do not assign a Default Server IP Address, the Prestige discards all packets received for ports that are not specified in this screen or remote management.
Click SUA/NAT to open the SUA Server screen. Refer to Table 23 for port numbers commonly used for particular services.

Figure 30 SUA/NAT Setup
The following table describes the labels in this screen.
Table 24 SUA/NAT Setup
Default Server: In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a Default Server IP Address, the Prestige discards all packets received for ports that are not specified in this screen or remote management.
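The forwarding decision that Table 24 describes, as an added example in Python that is not part of this guide or of ZyXEL firmware: port ranges map to one LAN server each, a Default Server catches what is not listed, and without a Default Server the packet is discarded unless it belongs to a remote-management service the Prestige answers itself. The port numbers, the LAN addresses and the assumption that Telnet remote management is enabled on the WAN are constructed for the example.

```python
# Added example, not ZyXEL code: a model of the SUA Server forwarding
# decision described in Table 24. Port ranges map to one LAN server each,
# a Default Server catches everything not listed, and with no default
# server the packet is discarded unless it is for a remote-management
# service the Prestige answers itself.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ForwardRule:
    start_port: int   # first port of the range, inclusive
    end_port: int     # last port of the range, inclusive
    server_ip: str    # LAN host that receives matching traffic


class SuaServer:
    def __init__(self, rules: Iterable[ForwardRule],
                 default_server: Optional[str] = None,
                 remote_mgmt_ports: Iterable[int] = ()):
        self.rules: List[ForwardRule] = []
        for r in rules:
            if not 1 <= r.start_port <= r.end_port <= 65535:
                raise ValueError(f"invalid port range {r.start_port}-{r.end_port}")
            self.rules.append(r)
        self.default_server = default_server
        self.remote_mgmt_ports = set(remote_mgmt_ports)

    def route(self, dst_port: int) -> Optional[str]:
        """Where an inbound WAN packet for dst_port goes: a LAN IP, the
        string 'prestige' when the router handles it itself, or None
        when it is discarded (no rule and no Default Server)."""
        for r in self.rules:                      # first listed match wins
            if r.start_port <= dst_port <= r.end_port:
                return r.server_ip
        if dst_port in self.remote_mgmt_ports:
            return "prestige"
        return self.default_server

    def overlapping_rules(self) -> List[Tuple[ForwardRule, ForwardRule]]:
        """Pairs of rules whose ranges overlap but name different servers;
        only the first of each pair can ever receive traffic."""
        found = []
        for i, a in enumerate(self.rules):
            for b in self.rules[i + 1:]:
                if a.server_ip != b.server_ip and \
                        a.start_port <= b.end_port and b.start_port <= a.end_port:
                    found.append((a, b))
        return found


# Constructed sample configuration; addresses are private / documentation ranges.
SAMPLE = SuaServer(
    rules=[ForwardRule(80, 80, "192.168.1.33"),        # web server
           ForwardRule(21, 21, "192.168.1.34"),        # FTP server
           ForwardRule(6000, 6100, "192.168.1.35"),    # range for a multi-service host
           ForwardRule(6050, 6050, "192.168.1.36")],   # shadowed by the range above
    default_server=None,
    remote_mgmt_ports=(23,),  # assumption: Telnet remote management enabled on the WAN
)

if __name__ == "__main__":
    for port in (80, 6050, 23, 443):
        print(port, "->", SAMPLE.route(port))
    print("shadowed:", SAMPLE.overlapping_rules())
```

The overlapping_rules check is the review step worth running after editing this screen: a single-port entry placed after a range that already covers it never receives traffic, and a Default Server turns every unlisted port into an open path to one LAN host, so leave it unset unless that host is meant to be exposed.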
7.5 Configuring Address Mapping
Ordering your rules is important because the Prestige applies the rules in the order that you specify. When a rule matches the current packet, the Prestige takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your newly configured rule, your configured rule will be moved up by that number of empty rules.

Table 25 Address Mapping
Type: 1. One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-One NAT mapping type. 2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only.

Figure 32 Address Mapping Edit
The following table describes the labels in this screen.
Table 26 Address Mapping Edit
Type: Choose the port mapping type from one of the following. 1. One-to-One: One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-One NAT mapping type. 2. Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e.
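The ordered rule evaluation of Section 7.5 and the five mapping types of Tables 22, 25 and 26, as an added Python example that is not ZyXEL code. The address ranges, the PAT port numbering that starts at 1024 and the handling of a Many One-to-One rule with fewer global than local addresses are the example's own assumptions.

```python
# Added example, not ZyXEL code: an ordered address-mapping table with the
# five mapping types of Table 22 (SMT abbreviations 1-1, M-1, M-M Ov,
# M-1-1, Server) applied first-match-wins to outbound packets (Section 7.5).
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def ip2int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int2ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


@dataclass(frozen=True)
class MappingRule:
    kind: str            # "1-1", "M-1", "M-M Ov", "M-1-1" or "Server"
    local_start: str     # inside local address range (ILA)
    local_end: str
    global_start: str    # inside global address range (IGA)
    global_end: str


class AddressMapper:
    def __init__(self, slots: List[Optional[MappingRule]]):
        # Empty slots (None) are skipped, so a rule behind them is moved
        # up by that many positions, as Section 7.5 describes.
        self.rules = [r for r in slots if r is not None]
        self._pat: Dict[Tuple[str, int], int] = {}
        self._next_port = 1024   # assumption: PAT ports handed out from 1024 upward

    def _pat_port(self, src_ip: str, src_port: int) -> int:
        key = (src_ip, src_port)
        if key not in self._pat:
            self._pat[key] = self._next_port
            self._next_port += 1
        return self._pat[key]

    def translate_outbound(self, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        """Return (global ip, global port) for a LAN packet, or None when
        no rule covers the source address (the packet is not translated)."""
        s = ip2int(src_ip)
        for r in self.rules:
            if r.kind == "Server":
                continue                     # Server rules only steer inbound traffic
            lo, hi = ip2int(r.local_start), ip2int(r.local_end)
            if not lo <= s <= hi:
                continue
            g_lo, g_hi = ip2int(r.global_start), ip2int(r.global_end)
            offset = s - lo
            if r.kind == "1-1":              # one ILA to one IGA, ports unchanged
                return int2ip(g_lo), src_port
            if r.kind == "M-1":              # SUA/PAT: everyone shares one IGA
                return int2ip(g_lo), self._pat_port(src_ip, src_port)
            if r.kind == "M-M Ov":           # round-robin over the IGA pool, with PAT
                pool = g_hi - g_lo + 1
                return int2ip(g_lo + offset % pool), self._pat_port(src_ip, src_port)
            if r.kind == "M-1-1":            # ILAn to IGAn, ports unchanged
                if g_lo + offset > g_hi:
                    return None              # assumption: excess hosts are left untranslated
                return int2ip(g_lo + offset), src_port
            raise ValueError(f"unknown mapping type {r.kind!r}")
        return None


# Constructed sample: slot 1 is empty, so the remaining rules move up.
# The M-1 catch-all is deliberately last; placed first it would shadow the others.
SAMPLE = AddressMapper([
    None,
    MappingRule("1-1", "192.168.1.10", "192.168.1.10", "203.0.113.10", "203.0.113.10"),
    MappingRule("M-M Ov", "192.168.1.20", "192.168.1.23", "203.0.113.20", "203.0.113.21"),
    MappingRule("Server", "192.168.1.50", "192.168.1.50", "203.0.113.50", "203.0.113.50"),
    MappingRule("M-1", "192.168.1.0", "192.168.1.255", "203.0.113.1", "203.0.113.1"),
])

if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.1.22", "192.168.1.100", "192.168.1.50"):
        print(ip, "->", SAMPLE.translate_outbound(ip, 40000))
```

Moving the M-1 rule to the top of the sample is the usual misconfiguration: every LAN address then matches it, the One-to-One and Overload rules are never reached, and hosts that were meant to keep a dedicated global address silently share the PAT address instead.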
7.6 Trigger Port Forwarding
Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address.

7.6.2 Two Points To Remember About Trigger Ports
1 Trigger events only happen on data that is coming from inside the Prestige and going to the outside.
2 If an application needs a continuous data stream, that port (range) will be tied up so that another computer on the LAN can’t trigger it.
7.7 Configuring Trigger Port Forwarding
To change your Prestige’s trigger port settings, click SUA/NAT and the Trigger Port tab. The screen appears as shown.

Table 27 Trigger Port
Incoming: Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The Prestige forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service.
Start Port: Type a port number or the starting port number in a range of port numbers.
End Port: Type a port number or the ending port number in a range of port numbers.
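The trigger-port behaviour of Sections 7.6, 7.6.2 and Table 27 as an added Python example (not ZyXEL code): an outbound LAN packet to the trigger range arms the entry for that LAN host, inbound WAN traffic in the incoming range is then forwarded to that host, and while the entry is held no other LAN host can trigger it. The entry name and port numbers are constructed for the example.

```python
# Added example, not ZyXEL code: the trigger-port state machine of
# Sections 7.6 and 7.6.2. An outbound LAN packet to a trigger port
# "arms" the entry for that LAN host; inbound WAN traffic in the
# incoming range is then forwarded to that host; while the entry is held,
# no other LAN host can trigger it.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class TriggerEntry:
    name: str
    trigger: Tuple[int, int]       # outbound port range that arms the entry
    incoming: Tuple[int, int]      # inbound port range the server replies on
    holder: Optional[str] = None   # LAN IP currently holding the entry


class TriggerPortTable:
    def __init__(self, entries):
        self.entries: Dict[str, TriggerEntry] = {e.name: e for e in entries}

    def outbound(self, direction: str, src_lan_ip: str, dst_port: int) -> Optional[str]:
        """Called for every packet the Prestige forwards. Only LAN-to-WAN
        traffic can trigger (point 1); returns the name of the entry that
        was armed, or None when nothing was triggered."""
        if direction != "LAN->WAN":
            return None
        for e in self.entries.values():
            lo, hi = e.trigger
            if lo <= dst_port <= hi:
                if e.holder is None or e.holder == src_lan_ip:
                    e.holder = src_lan_ip
                    return e.name
                return None          # tied up by another LAN host (point 2)
        return None

    def inbound(self, dst_port: int) -> Optional[str]:
        """LAN IP that inbound WAN traffic on dst_port is forwarded to,
        or None if no armed entry covers the port."""
        for e in self.entries.values():
            lo, hi = e.incoming
            if e.holder is not None and lo <= dst_port <= hi:
                return e.holder
        return None

    def release(self, name: str) -> None:
        """Free the entry, for example when the stream's session ends."""
        self.entries[name].holder = None


# Constructed sample entry; the port numbers are illustrative only.
SAMPLE = TriggerPortTable([
    TriggerEntry("media-stream", trigger=(7070, 7070), incoming=(6970, 7170)),
])
```

Until an entry is armed, inbound packets in the incoming range are dropped like any other unsolicited WAN traffic; while it is armed, the whole incoming range is open to that one host, which is why the guide notes that a continuous stream keeps the entry tied up for everyone else.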
CHAPTER 8 Static Route Screens
This chapter shows you how to configure static routes for your Prestige.
8.1 Static Route Overview
Each remote node specifies only the network to which the gateway is directly connected, and the Prestige has no knowledge of the networks beyond. For instance, the Prestige knows about network N2 in the following figure through remote node router R1.

Figure 36 Static Route
The following table describes the labels in this screen.
Table 28 Static Route
#: Number of an individual static route.
Name: Name that describes or identifies this route.
Active: This field shows whether this static route is active (Yes) or not (No).
Destination: This parameter specifies the IP network address of the final destination. Routing is always based on network number.
Gateway: This is the IP address of the gateway.

Figure 37 Static Route: Edit
The following table describes the labels in this screen.
Table 29 Static Route: Edit
Route Name: Enter the name of the IP static route. Leave this field blank to delete this static route.
Active: This field allows you to activate/deactivate this static route.
Destination IP Address: This parameter specifies the IP network address of the final destination. Routing is always based on network number.
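A static route table with the fields of Tables 28 and 29 and a lookup on it, as an added Python example that is not ZyXEL code. Routing is by network number only, as the tables state; the choice of the longest-matching active route with the lowest metric as tie-breaker is standard IP forwarding behaviour assumed by the example, not something the guide spells out. The sample routes and addresses are constructed.

```python
# Added example, not ZyXEL code: a static route table with the fields of
# Tables 28 and 29 (name, active flag, destination network, gateway,
# metric) and a forwarding lookup on it. Routing is by network number
# only (Section 8), so the host part of the destination is ignored;
# the longest-matching active route wins and ties go to the lowest
# metric (assumed standard IP forwarding behaviour, not stated by the guide).
from dataclasses import dataclass
from typing import List, Optional


def ip2int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def mask_bits(mask: str) -> int:
    """Prefix length of a dotted mask; rejects non-contiguous masks."""
    m = ip2int(mask)
    bits = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask {mask}")
    return bits


@dataclass(frozen=True)
class StaticRoute:
    name: str
    destination: str   # IP network address
    mask: str          # dotted subnet mask
    gateway: str       # next-hop IP address
    metric: int = 1    # 1..15 as in Table 20; higher means costlier
    active: bool = True


def lookup(routes: List[StaticRoute], dst_ip: str) -> Optional[StaticRoute]:
    best: Optional[StaticRoute] = None
    best_len = -1
    d = ip2int(dst_ip)
    for r in routes:
        if not r.active:
            continue
        bits = mask_bits(r.mask)
        m = ip2int(r.mask)
        if (d & m) != (ip2int(r.destination) & m):
            continue
        if bits > best_len or (bits == best_len and r.metric < best.metric):
            best, best_len = r, bits
    return best


# Constructed sample table: a default route to the ISP, a summary route
# to a branch network and a more specific route for one of its subnets.
SAMPLE = [
    StaticRoute("default", "0.0.0.0", "0.0.0.0", "203.0.113.1"),
    StaticRoute("branch", "10.2.0.0", "255.255.0.0", "192.168.1.254", metric=2),
    StaticRoute("branch-lab", "10.2.5.0", "255.255.255.0", "192.168.1.253"),
    StaticRoute("old-lab", "10.2.5.0", "255.255.255.0", "192.168.1.252", active=False),
]

if __name__ == "__main__":
    for ip in ("10.2.5.7", "10.2.9.1", "198.51.100.9"):
        r = lookup(SAMPLE, ip)
        print(ip, "->", r.name, "via", r.gateway)
```

The deactivated "old-lab" route shows why the Active flag matters when reviewing the screen: an inactive entry is ignored entirely, so traffic for 10.2.5.0/24 goes to the active, more specific route and never to 192.168.1.252.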
CHAPTER 9 UPnP
This chapter introduces the Universal Plug and Play feature.
9.1 Universal Plug and Play Overview
Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network.

All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention.
9.2 UPnP and ZyXEL
ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum's UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device). At the time of writing ZyXEL's UPnP implementation supports Windows Messenger 4.6 and 4.7 while Windows Messenger 5.

Figure 38 Configuring UPnP
The following table describes the labels in this screen.
Table 30 Configuring UPnP
Enable the Universal Plug and Play (UPnP) feature: Select this check box to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the Prestige's IP address (although you must still enter the password to access the web configurator).

9.4.1 Installing UPnP in Windows Me
Follow the steps below to install UPnP in Windows Me.
1 Click Start and Control Panel. Double-click Add/Remove Programs.
2 Click on the Windows Setup tab and select Communication in the Components selection box. Click Details.
3 In the Communications window, select the Universal Plug and Play check box in the Components selection box.
4 Click OK to go back to the Add/Remove Programs Properties window and click Next.

9.4.2 Installing UPnP in Windows XP
Follow the steps below to install UPnP in Windows XP.
1 Click Start and Control Panel.
2 Double-click Network Connections.
3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components ….
4 The Windows Optional Networking Components Wizard window displays.
5 Select Networking Service in the Components selection box and click Details.

9.5 Using UPnP in Windows XP Example
This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL device. Make sure the computer is connected to a LAN port of the ZyXEL device. Turn on your computer and the ZyXEL device.

9.5.1 Auto-discover Your UPnP-enabled Network Device
1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
2 Right-click the icon and select Properties.
3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.
4 You may edit or delete the port mappings or click Add to manually add port mappings.

5 Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray.
6 Double-click the icon to display your current Internet connection status.
9.5.2 Web Configurator Easy Access
With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first. This is helpful if you do not know the IP address of the ZyXEL device.

1 Click Start and then Control Panel.
2 Double-click Network Connections.
3 Select My Network Places under Other Places.
4 An icon with the description for each UPnP-enabled device displays under Local Network.
5 Right-click the icon for your ZyXEL device and select Invoke. The web configurator login screen displays.
6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
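The port mappings that Section 9.5.1 shows being created automatically, modelled as an added Python example that is not ZyXEL code, together with the review an administrator would run over them. A UPnP IGD accepts AddPortMapping from any LAN host without credentials, which is the reason Section 9.1 advises disabling UPnP when that is not intended. The set of sensitive ports (those of the remote-management services in Chapter 13) and the sample mappings are the example's own assumptions.

```python
# Added example, not ZyXEL code: a minimal model of the IGD port-mapping
# table that UPnP applications fill in automatically (Section 9.5.1), and
# an audit of it from the router administrator's side. AddPortMapping on
# a UPnP IGD is not authenticated: any LAN host may add an entry, which is
# why the guide advises disabling UPnP when that is not intended.
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: ports of services the Prestige itself can expose for remote
# management (Chapter 13); a UPnP mapping that forwards one of them to a
# LAN host deserves a second look.
SENSITIVE_PORTS = {21, 23, 80, 161}


@dataclass(frozen=True)
class PortMapping:
    external_port: int
    protocol: str          # "TCP" or "UDP"
    internal_client: str   # LAN host that receives the traffic
    internal_port: int
    description: str
    requester: str         # LAN host that sent the UPnP request


class InternetGateway:
    def __init__(self, upnp_enabled: bool):
        self.upnp_enabled = upnp_enabled
        self.mappings: List[PortMapping] = []

    def add_port_mapping(self, requester: str, external_port: int, protocol: str,
                         internal_client: str, internal_port: int, description: str) -> bool:
        """Emulates IGD AddPortMapping: no credentials are checked; the only
        gate is whether UPnP is enabled at all."""
        if not self.upnp_enabled:
            return False
        if any(m.external_port == external_port and m.protocol == protocol
               for m in self.mappings):
            return False                       # external port already taken
        self.mappings.append(PortMapping(external_port, protocol, internal_client,
                                         internal_port, description, requester))
        return True

    def delete_port_mapping(self, external_port: int, protocol: str) -> bool:
        before = len(self.mappings)
        self.mappings = [m for m in self.mappings
                         if not (m.external_port == external_port and m.protocol == protocol)]
        return len(self.mappings) != before

    def audit(self) -> List[Tuple[str, int]]:
        """Findings as (code, external_port): 'sensitive-service' when a
        management-type port is exposed, 'third-party' when a host mapped
        a port to a different LAN host than itself."""
        findings = []
        for m in self.mappings:
            if m.internal_port in SENSITIVE_PORTS:
                findings.append(("sensitive-service", m.external_port))
            if m.internal_client != m.requester:
                findings.append(("third-party", m.external_port))
        return findings


def build_sample() -> InternetGateway:
    """Constructed sample: a messenger client maps a port for itself, and a
    second host maps Telnet on a third machine."""
    gw = InternetGateway(upnp_enabled=True)
    gw.add_port_mapping("192.168.1.10", 5000, "TCP", "192.168.1.10", 5000, "messenger")
    gw.add_port_mapping("192.168.1.11", 2323, "TCP", "192.168.1.12", 23, "remote shell")
    return gw
```

The Settings button in step 3 of Section 9.5.1 is the place to compare against such a list; the only entries that should be there are the ones the applications on that LAN genuinely need, and anything else is deleted with step 4 or, if the feature is not wanted at all, by clearing the check box in Table 30.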
CHAPTER 10 Trend Micro Security Services
This chapter contains information about configuring Trend Micro Security Services settings, virus protection, parental controls and customization.
10.1 Trend Micro Security Service Overview
Trend Micro Security Services (TMSS) are a range of services including virus protection and parental controls designed to address the security needs of computers on a network that access the Internet via broadband routers.

Figure 39 Service Settings
The following table describes the labels in this screen.
Table 31 Service Settings
Enable Trend Micro Security Services: Select the check box to enable Trend Micro Security Services on your Prestige. Note: Make sure that you have not restricted access to ActiveX, Cookies or Web Proxy features in the Advanced Filter screen. If you restrict Web access to these features you will not be able to use TMSS.

Table 31 Service Settings (continued)
Exception List: You can specify on which computer(s) the TMSS Web page will not be displayed. The default setting is to have all computers display the Web page.
Computer(s) that will display Trend Micro Home Network Security Services: This box displays the IP addresses of the computers that are enabled with TMSS on your network.

Figure 40 Virus Protection
The following table describes the labels in this screen.
Table 32 Virus Protection
Check for Trend Micro Internet Security
Automatically check for update components: Select the check box to have the Prestige download the latest scan engine version and virus pattern version from the Trend Micro website.
Check for update components every: Choose when to automatically check the Trend Micro Active Update server for updated components.

Table 32 Virus Protection (continued)
Computer Name: This field displays the name of a client computer.
Antivirus Software: This field displays the current antivirus software on a client computer.
Virus Pattern: This field displays the current version number of the pattern file on a client computer.
Scan Engine: This field displays the current virus scan program of the client computer.

Figure 41 Parental Controls License Status
If you have registered with TMSS and your license is valid, you can configure the Parental Controls configuration screen.

Figure 42 Parental Controls
The following table describes the labels in this screen.
Table 33 Parental Controls
Enable Parental Controls: Select the check box to enable this feature on your Prestige. Note: The Prestige automatically checks the status of your Trend Micro license. If the license becomes invalid, Parental Controls is disabled and Figure 41 is shown.

Table 33 Parental Controls (continued)
Time of Day to Block (24-Hour Format): Select the time of day you want web page blocking to take effect. Configure blocking to take effect all day by selecting the All Day check box. You can also configure specific times by entering the start time in the Start (hr) and Start (min) fields and the end time in the End (hr) and End (min) fields. Enter times in 24-hour format; for example, "3:00pm" should be entered as "15:00".

Table 33 Parental Controls (continued)
Exclude specified address ranges from the Parental Control enforcement: Select the radio button to apply Parental Controls to all of the computers in the network except those displayed in the Selected IP Addresses box.
Available IP Addresses: This box displays the IP addresses of all computers in the network. Note: A maximum of 10 client IP addresses are displayed in this box.

Figure 43 Parental Controls Statistics
If a category has been selected in the previous screen, a blocked attempt is displayed. If a category has not been selected in the previous screen, attempts and accesses to Web pages within those categories are displayed. The following table describes the labels in this screen.
CHAPTER 11 Firewall
This chapter gives some background information on firewalls and explains how to get started with the Prestige firewall.
11.1 Introduction
11.1.1 What is a Firewall?
Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term "firewall" is a system or group of systems that enforces an access-control policy between two networks.

The Prestige has one Ethernet WAN port and four Ethernet LAN ports, which are used to physically separate the network into two areas. The WAN (Wide Area Network) port attaches to the broadband (cable or DSL) modem that connects to the Internet. The LAN (Local Area Network) port attaches to a network of computers, which needs security from the outside world. These computers will have access to Internet services such as e-mail, FTP and the World Wide Web.

Figure 44 Firewall: Settings
The following table describes the labels in this screen.
Table 35 Firewall: Settings
Enable Firewall: Select this check box to activate the firewall. The Prestige performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
Bypass Triangle Route: Select this check box to have the Prestige firewall ignore the use of triangle route topology on the network.

11.3 The Firewall, NAT and Remote Management
Figure 45 Firewall Rule Directions
11.3.1 LAN-to-WAN rules
LAN-to-WAN rules are local network to Internet firewall rules. The default is to forward all traffic from your local network to the Internet. How can you block certain LAN-to-WAN traffic? You may choose to block certain LAN-to-WAN traffic in the Services screen (click the Services tab).

• Configuring WAN or LAN & WAN access for services in the Remote Management screens or SMT menus.
When you allow remote management from the WAN, you are actually configuring WAN-to-WAN/Prestige firewall rules. WAN-to-WAN/Prestige firewall rules are Internet to the Prestige WAN interface firewall rules. The default is to block all such traffic. When you decide what WAN-to-LAN packets to log, you are in fact deciding what WAN-to-LAN and WAN-to-WAN/Prestige packets to log.

Figure 46 Firewall: Service
The following table describes the labels in this screen.
Table 36 Firewall: Service
Enable Services Blocking: Select this check box to enable this feature.
Available Service: This is a list of pre-defined services (ports) you may prohibit your LAN computers from using. Select the port you want to block using the drop-down list and click Add to add the port to the Blocked Service field.

Table 36 Firewall: Service (continued)
Clear All: Click Clear All to empty the Blocked Service field.
Day to Block: Select a check box to configure which days of the week (or every day) you want the content filtering to be active.
Time of Day to Block (24-Hour Format): Select the time of day you want service blocking to take effect. Configure blocking to take effect all day by selecting the All Day check box.
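The direction defaults of Section 11.3 (LAN-to-WAN forwarded, WAN-to-LAN and WAN-to-WAN/Prestige blocked) combined with the Services screen's blocked-service list and its day and time-of-day schedule (Table 36), as an added Python example that is not ZyXEL code. The example assumes that an SUA/NAT server rule opens its port from the WAN to the LAN, that a time window may cross midnight, and that packets are described by direction and destination port only; the sample configuration is constructed.

```python
# Added example, not ZyXEL code: the direction defaults of Section 11.3
# (LAN-to-WAN forwarded, WAN-to-LAN and WAN-to-Prestige blocked) combined
# with the Services screen's blocked-service list and its day/time schedule
# (Table 36). Packets are described by direction and destination port only.
from dataclasses import dataclass, field
from datetime import datetime
from typing import Set, Tuple

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


@dataclass
class FirewallConfig:
    enabled: bool = True
    services_blocking: bool = False
    blocked_services: Set[int] = field(default_factory=set)         # Blocked Service ports
    days: Set[str] = field(default_factory=lambda: set(WEEKDAYS))   # Day to Block
    all_day: bool = True
    start: Tuple[int, int] = (0, 0)     # Start (hr), Start (min), 24-hour format
    end: Tuple[int, int] = (0, 0)       # End (hr), End (min)
    forwarded_ports: Set[int] = field(default_factory=set)          # SUA/NAT server ports
    wan_mgmt_ports: Set[int] = field(default_factory=set)           # remote management on WAN


def at(year: int, month: int, day: int, hour: int, minute: int) -> datetime:
    """Small helper so callers need not import datetime themselves."""
    return datetime(year, month, day, hour, minute)


def schedule_active(cfg: FirewallConfig, now: datetime) -> bool:
    if WEEKDAYS[now.weekday()] not in cfg.days:
        return False
    if cfg.all_day:
        return True
    minute = now.hour * 60 + now.minute
    s = cfg.start[0] * 60 + cfg.start[1]
    e = cfg.end[0] * 60 + cfg.end[1]
    if s <= e:
        return s <= minute < e
    return minute >= s or minute < e    # assumption: a window may cross midnight


def decide(cfg: FirewallConfig, direction: str, dst_port: int, now: datetime) -> Tuple[str, str]:
    """Return (action, reason) for a packet. Directions: 'LAN->WAN',
    'WAN->LAN', 'WAN->Prestige'."""
    if not cfg.enabled:
        return "forward", "firewall disabled: no access control"
    if direction == "LAN->WAN":
        if cfg.services_blocking and dst_port in cfg.blocked_services \
                and schedule_active(cfg, now):
            return "block", f"service {dst_port} blocked by schedule"
        return "forward", "LAN-to-WAN default"
    if direction == "WAN->LAN":
        if dst_port in cfg.forwarded_ports:
            return "forward", "SUA/NAT server rule"   # assumption: forwarding opens the port
        return "block", "WAN-to-LAN default"
    if direction == "WAN->Prestige":
        if dst_port in cfg.wan_mgmt_ports:
            return "forward", "remote management allowed from WAN"
        return "block", "WAN-to-Prestige default"
    raise ValueError(f"unknown direction {direction!r}")


# Constructed sample: block Telnet (23) and IRC (6667) from the LAN on
# weekdays 09:00-17:00, forward port 80 to a LAN web server, and leave
# nothing open on the router itself from the WAN.
SAMPLE = FirewallConfig(
    services_blocking=True, blocked_services={23, 6667},
    days={"Mon", "Tue", "Wed", "Thu", "Fri"}, all_day=False,
    start=(9, 0), end=(17, 0), forwarded_ports={80},
)
```

The "firewall disabled" branch is the one to keep in mind when reading Table 35: with the check box cleared, the direction defaults above no longer apply and only NAT's lack of a mapping stands between the WAN and the LAN.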
CHAPTER 12 Content Filtering
This chapter provides a brief overview of content filtering using the embedded WebGUI.
12.1 Introduction to Content Filtering
Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering is the ability to block certain web features or specific URL keywords and should not be confused with packet filtering via SMT menu 21.1.

Figure 47 Content Filter
The following table describes the labels in this screen.
Table 37 Content Filter
Restrict Web Features: Select the box(es) to restrict a feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out.
ActiveX: A tool for building dynamic and active Web pages and distributed object applications.

Table 37 Content Filter (continued)
Keyword: Type a keyword in this field. You may use any character (up to 64 characters). Wildcards are not allowed. You can also enter a numerical IP address.
Keyword List: This list displays the keywords already added.
Add: Click Add after you have typed a keyword. Repeat this procedure to add other keywords. Up to 64 keywords are allowed.
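The URL keyword blocking of Table 37 as an added Python example that is not ZyXEL code: keywords are plain strings of up to 64 characters, at most 64 of them, without wildcard expansion ('*' and '?' stand only for themselves), and a numerical IP address is simply another keyword. That the keyword is matched anywhere in the requested URL and case-insensitively is the example's assumption; the guide does not say where in the URL the Prestige looks. The sample keyword list is constructed.

```python
# Added example, not ZyXEL code: the URL keyword blocking of Table 37.
# Keywords are plain strings of up to 64 characters, at most 64 of them,
# with no wildcard expansion ('*' and '?' match only themselves); a
# numerical IP address is just another keyword. The example matches a
# keyword anywhere in the requested URL, case-insensitively (assumption:
# the guide does not say where in the URL the Prestige looks).
from typing import List, Optional

MAX_KEYWORDS = 64
MAX_KEYWORD_LEN = 64


class KeywordFilter:
    def __init__(self) -> None:
        self.keywords: List[str] = []

    def add(self, keyword: str) -> None:
        if not keyword or len(keyword) > MAX_KEYWORD_LEN:
            raise ValueError("keyword must be 1 to 64 characters")
        if len(self.keywords) >= MAX_KEYWORDS:
            raise ValueError("keyword list is full (64 entries)")
        if keyword.lower() not in (k.lower() for k in self.keywords):
            self.keywords.append(keyword)

    def delete(self, keyword: str) -> None:
        self.keywords = [k for k in self.keywords if k.lower() != keyword.lower()]

    def match(self, url: str) -> Optional[str]:
        """The first keyword found in the URL, or None if the page is allowed."""
        haystack = url.lower()
        for k in self.keywords:
            if k.lower() in haystack:
                return k
        return None


def build_sample() -> KeywordFilter:
    """Constructed sample list: a hostname fragment, a path word and a raw IP."""
    f = KeywordFilter()
    for k in ("badsite", "casino", "192.0.2.55"):
        f.add(k)
    return f
```

Because the match is a plain substring test, short keywords overblock: "casino" in the sample also blocks a shop page whose path happens to contain the word. Entering the numerical address of a site as a keyword covers requests that name the host by IP, which a hostname keyword alone would miss.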
CHAPTER 13 Remote Management Screens
This chapter provides information on the Remote Management screens.
13.1 Remote Management Overview
Remote management allows you to determine which services/protocols can access which Prestige interface (if any) from which computers.
Note: When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.

2 You have disabled that service in one of the remote management screens.
3 The IP address in the Secured Client IP field does not match the client IP address. If it does not match, the Prestige will disconnect the session immediately.
4 There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time.
5 There is a firewall rule that blocks it.

Figure 48 Remote Management: WWW
The following table describes the labels in this screen.
Table 38 Remote Management: WWW
Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Access: Select the interface(s) through which a computer may access the Prestige using this service.

Figure 49 Telnet Configuration on a TCP/IP Network
13.4 Configuring TELNET
Click REMOTE MGMT and the TELNET tab to display the screen as shown.
Figure 50 Remote Management: Telnet
The following table describes the labels in this screen.
Table 39 Remote Management: Telnet
Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.

Table 39 Remote Management: Telnet (continued)
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to begin configuring this screen afresh.
13.5 Configuring FTP
You can upload and download the Prestige’s firmware and configuration files using FTP; please see the chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client.

13.6 SNMP
Simple Network Management Protocol (SNMP) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Prestige supports SNMP agent functionality, which allows a manager station to manage and monitor the Prestige through the network. The Prestige supports SNMP version one (SNMPv1) and version two (SNMPv2). The next figure illustrates an SNMP management operation.

SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:
• Get - Allows the manager to retrieve an object variable from the agent.
• GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent.

Figure 53 Remote Management: SNMP
The following table describes the labels in this screen.
Table 42 Remote Management: SNMP
SNMP Configuration
Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.
Set Community: Enter the Set Community, which is the password for incoming Set requests from the management station.

Table 42 Remote Management: SNMP (continued)
Secured Client IP Address: A secured client is a “trusted” computer that is allowed to communicate with the Prestige using this service. Select All to allow any computer to access the Prestige using this service. Choose Selected to just allow the computer with the IP address that you specify to access the Prestige using this service.
Apply: Click Apply to save your customized settings and exit this screen.

Table 43 Remote Management: DNS
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to begin configuring this screen afresh.
13.8 Configuring Security
To change your Prestige’s security settings, click REMOTE MGMT, then the Security tab. The screen appears as shown. If an outside user attempts to probe an unsupported port on your Prestige, an ICMP response packet is automatically returned.

Table 44 Security
Do not respond to requests for unauthorized services: Select this option to prevent hackers from finding the Prestige by probing for unused ports. If you select this option, the Prestige will not respond to port request(s) for unused ports, thus leaving the unused ports and the Prestige unseen.
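The checks a remote-management request passes through, as an added Python example that is not ZyXEL code: the refusal reasons of Section 13.1 (service disabled, Secured Client IP mismatch, an existing session of equal or higher priority, a blocking firewall rule), the Server Port and Server Access settings of Tables 38 to 42, and the "do not respond to requests for unauthorized services" option of Table 44. The relative priority of the services and the sample configuration are the example's assumptions; the guide only says that a session of equal or higher priority blocks a new one.

```python
# Added example, not ZyXEL code: the checks a remote-management request
# passes through, in the order Section 13.1 lists the reasons a session
# is refused (service disabled, Secured Client IP mismatch, an existing
# session of equal or higher priority, a firewall rule), plus the Server
# Port and Server Access settings of Tables 38 to 42 and the "do not
# respond to requests for unauthorized services" option of Table 44.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumption: relative priority of management services; the guide only
# says a session with equal or higher priority blocks a new one.
PRIORITY = {"console": 3, "telnet": 2, "www": 1, "ftp": 1, "snmp": 0}


@dataclass
class ServiceConfig:
    enabled: bool = True
    port: int = 0
    access: str = "LAN only"        # "LAN only", "WAN only", "LAN & WAN", "Disable"
    secured_client: str = "All"     # "All" or one IP address


@dataclass
class RemoteMgmt:
    services: Dict[str, ServiceConfig] = field(default_factory=dict)
    stealth: bool = False           # do not respond to unauthorized services
    active_session: Optional[str] = None   # name of the running session, if any


def check_request(cfg: RemoteMgmt, service: str, interface: str, dst_port: int,
                  client_ip: str, firewall_allows: bool) -> Tuple[bool, str]:
    svc = cfg.services.get(service)
    if svc is None or not svc.enabled or svc.access == "Disable":
        return False, "service disabled"
    if dst_port != svc.port:
        return False, "wrong server port"
    if svc.access != "LAN & WAN" and not svc.access.startswith(interface):
        return False, f"not allowed from {interface}"
    if svc.secured_client != "All" and svc.secured_client != client_ip:
        return False, "secured client IP mismatch"
    if cfg.active_session is not None and \
            PRIORITY[cfg.active_session] >= PRIORITY[service]:
        return False, "another session running"
    if interface == "WAN" and not firewall_allows:
        return False, "blocked by firewall rule"
    return True, "ok"


def probe_reply(cfg: RemoteMgmt, dst_port: int) -> Optional[str]:
    """What an outside host probing a port gets back: the service itself if
    one listens there, otherwise an ICMP response by default and nothing
    at all when the Table 44 option is set."""
    if any(s.enabled and s.port == dst_port for s in cfg.services.values()):
        return "service"
    return None if cfg.stealth else "icmp-unreachable"


def build_sample() -> RemoteMgmt:
    """Constructed sample: Telnet on 23 from the LAN only, WWW on 8080 from
    LAN & WAN but only from one management host, SNMP disabled."""
    return RemoteMgmt(services={
        "telnet": ServiceConfig(port=23, access="LAN only"),
        "www": ServiceConfig(port=8080, access="LAN & WAN", secured_client="198.51.100.7"),
        "snmp": ServiceConfig(enabled=False, port=161),
    })
```

Two points stand out when the checks are lined up this way: the Secured Client IP setting is the only one that ties WAN access to a particular source address, so a WAN-enabled service with it left at All is reachable from the whole Internet subject only to the firewall rule; and the Table 44 option changes what a probe of an unused port reveals, but not what an enabled service answers.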
CHAPTER 14 Introduction to IPSec
This chapter introduces the basics of IPSec VPNs.
14.1 VPN Overview
A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.

Figure 56 Encryption and Decryption
14.1.3.2 Data Confidentiality
The IPSec sender can encrypt packets before transmitting them across a network.
14.1.3.3 Data Integrity
The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
14.1.3.4 Data Origin Authentication
The IPSec receiver can verify the source of IPSec packets. This service depends on the data integrity service.

Figure 57 IPSec Architecture
14.2.1 IPSec Algorithms
The ESP (Encapsulating Security Payload) protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard) and Triple DES algorithms.

Figure 58 Transport and Tunnel Mode IPSec Encapsulation
14.3.1 Transport Mode
Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP). With ESP, protection is applied only to the upper layer protocols contained in the packet.

NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using the AH protocol, packet contents (the data payload) are not encrypted. A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing.
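Why AH fails behind NAT while ESP does not, as an added Python example that is neither ZyXEL code nor a real packet implementation. AH's integrity check value covers the IP header's immutable fields together with the payload, so a rewritten source address no longer verifies; ESP's integrity check covers only the ESP header and payload, so the outer address may change. The ICV is HMAC-MD5 truncated to 96 bits as in RFC 2403 (MD5 is the AH default in Table 46); the header is a simplified dictionary, the key and addresses are constructed, and encryption of the ESP payload is left out because only the integrity part matters here.

```python
# Added example, not ZyXEL code: why AH breaks behind NAT while ESP does
# not (Section 14.3). AH's integrity check value (ICV) is computed over
# the IP header's immutable fields plus the payload, so rewriting the
# source address invalidates it; ESP's ICV covers only the ESP header and
# payload, so the outer address can change. The ICV is HMAC-MD5 truncated
# to 96 bits as in RFC 2403 (MD5 is the AH default in Table 46); the
# header model is a simplified dictionary, not real packet encoding.
import hashlib
import hmac
import struct

ESP_PROTO = 50
AH_PROTO = 51


def _icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()[:12]   # HMAC-MD5-96


def _ip_immutable(hdr: dict, proto: int) -> bytes:
    # Immutable/predictable IP header fields that AH covers: addresses,
    # protocol and total length. Mutable fields (TTL, checksum) are
    # treated as zero and so are simply left out of this model.
    return struct.pack("!4s4sBH",
                       bytes(map(int, hdr["src"].split("."))),
                       bytes(map(int, hdr["dst"].split("."))),
                       proto, hdr["length"])


def ah_protect(key: bytes, hdr: dict, payload: bytes) -> dict:
    return {"ip": dict(hdr), "proto": AH_PROTO, "payload": payload,
            "icv": _icv(key, _ip_immutable(hdr, AH_PROTO) + payload)}


def ah_verify(key: bytes, pkt: dict) -> bool:
    expected = _icv(key, _ip_immutable(pkt["ip"], AH_PROTO) + pkt["payload"])
    return hmac.compare_digest(expected, pkt["icv"])


def esp_protect(key: bytes, hdr: dict, spi: int, seq: int, payload: bytes) -> dict:
    esp_hdr = struct.pack("!II", spi, seq)
    # Real ESP would also encrypt the payload; only the integrity part matters here.
    return {"ip": dict(hdr), "proto": ESP_PROTO, "esp_hdr": esp_hdr,
            "payload": payload, "icv": _icv(key, esp_hdr + payload)}


def esp_verify(key: bytes, pkt: dict) -> bool:
    return hmac.compare_digest(_icv(key, pkt["esp_hdr"] + pkt["payload"]), pkt["icv"])


def nat_rewrite(pkt: dict, new_src: str) -> dict:
    """A NAT device between the IPSec endpoints replaces the source address."""
    out = dict(pkt)
    out["ip"] = dict(pkt["ip"], src=new_src)
    return out


def demo() -> dict:
    """Constructed scenario: LAN host 192.168.1.5 sends to 198.51.100.20 and
    the NAT router in between rewrites the source to its public 203.0.113.9."""
    key = b"constructed-demo-key"
    hdr = {"src": "192.168.1.5", "dst": "198.51.100.20", "length": 64}
    payload = b"GET /status HTTP/1.0\r\n\r\n"
    ah = ah_protect(key, hdr, payload)
    esp = esp_protect(key, hdr, spi=0x1001, seq=1, payload=payload)
    return {
        "ah_before_nat": ah_verify(key, ah),
        "ah_after_nat": ah_verify(key, nat_rewrite(ah, "203.0.113.9")),
        "esp_after_nat": esp_verify(key, nat_rewrite(esp, "203.0.113.9")),
        "esp_tampered": esp_verify(key, dict(esp, payload=payload + b"x")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verified' if ok else 'rejected'}")
```

The receiver cannot tell a NAT rewrite from deliberate tampering: both simply fail the AH check, which is the behaviour the guide summarises as AH being incompatible with NAT in both modes. ESP survives the rewrite but still rejects a modified payload, as the last result shows.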
Prestige 334 User’s Guide CHAPTER 15 VPN Screens This chapter introduces the VPN Web Configurator. See the Logs chapter for information on viewing logs and the Appendices for IPSec log descriptions. 15.1 VPN/IPSec Overview Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections. 15.2 IPSec Algorithms The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN.
Prestige 334 User’s Guide An added feature of the ESP is payload padding, which further protects communications by concealing the size of the packet being transmitted. Table 46 AH and ESP ESP AH DES (default) MD5 (default) Data Encryption Standard (DES) is a widely used method MD5 (Message Digest 5) produces a 128of data encryption using a secret key. DES applies a 56-bit bit digest to authenticate packet data. key to each 64-bit block of data.
15.4.1 Dynamic Secure Gateway Address

If the remote secure gateway has a dynamic WAN IP address and does not use DDNS, enter 0.0.0.0 as the secure gateway’s address. In this case only the remote secure gateway can initiate SAs. This may be useful for telecommuters initiating a VPN tunnel to the company network.

Note: The Secure Gateway IP Address may be configured as 0.0.0.0 only when using IKE key management and not Manual key management.

Figure 60 VPN: Summary

The following table describes the labels in this screen.

Table 47 VPN: Summary
#: The VPN policy index number.
Active: This field displays whether the VPN policy is active or not. A Y signifies that this VPN policy is active. N signifies that this VPN policy is not active.
Local Addr.: This is the IP address of the computer on your local network behind your Prestige.
Remote Addr.:
15.6 Keep Alive

When you initiate an IPSec tunnel with keep alive enabled, the Prestige automatically renegotiates the tunnel when the IPSec SA lifetime period expires (see the IPSec Algorithms section for more on the IPSec SA lifetime). In effect, the IPSec tunnel becomes an “always on” connection after you initiate it. Both IPSec routers must have a Prestige-compatible keep alive feature enabled in order for this feature to work.

• Enable NAT traversal on both IPSec endpoints.

In order for IPSec router A (see the figure) to receive an initiating IPSec packet from IPSec router B, set the NAT router to forward UDP port 500 to IPSec router A.

15.7.2 Remote DNS Server

In cases where you want to use domain names to access Intranet servers on a remote network that has a DNS server, you must identify that DNS server.

15.8 ID Type and Content

With aggressive negotiation mode (see Section Negotiation Mode), the Prestige identifies incoming SAs by ID type and content since this identifying information is not encrypted. This enables the Prestige to distinguish between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP addresses.

Table 49 Peer ID Type and Content Fields
PEER ID TYPE: CONTENT
E-mail: Type an e-mail address (up to 31 characters) by which to identify the remote IPSec router. The domain name or e-mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address. The domain name also does not have to match the remote router’s IP address or what you configure in the Secure Gateway Address field below.
15.10 Editing VPN Rules

Click Edit on the Summary screen or click the Rule Setup tab to edit VPN rules.

Figure 64 VPN: Rule Setup (Basic)

The following table describes the labels in this screen.

Table 51 VPN: Rule Setup (Basic)
Active: Select this check box to activate this VPN tunnel. This option determines whether a VPN rule is applied before a packet leaves the firewall.
IPSec Keying Mode: Select IKE or Manual from the drop-down list box. IKE provides more protection so it is generally recommended. Manual is a useful option for troubleshooting.
Local Address: The local IP address must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs can have the same local or remote IP address, but not both.
Secure Gateway Address: Type the WAN IP address or the URL (up to 31 characters) of the IPSec router with which you're making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address (the IPSec Keying Mode field must be set to IKE). The remote address fields do not apply when the Secure Gateway Address field is configured to 0.0.0.0.
Authentication Algorithm: Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA1 for maximum security.
Advanced: Click Advanced to configure more detailed settings of your IKE key management.
• Choose an encryption algorithm.
• Choose an authentication algorithm.
• Choose whether to enable Perfect Forward Secrecy (PFS) using Diffie-Hellman public-key cryptography (see Section Perfect Forward Secrecy (PFS)). Select None (the default) to disable PFS.
• Choose Tunnel mode or Transport mode.
• Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA should stay up before it times out.

This may be unnecessary for data that does not require such security, so PFS is disabled (None) by default in the Prestige. Disabling PFS means new authentication and encryption keys are derived from the same root secret (which may have security implications in the long run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).

15.12 Configuring Advanced IKE Settings

Select Advanced at the bottom of the Rule Setup IKE screen.
Figure 66 VPN IKE: Advanced
The following table describes the labels in this screen.

Table 52 VPN IKE: Advanced
Active: Select this check box to activate this VPN policy.
Keep Alive: Select this check box to turn on the Keep Alive feature for this SA. Turn on Keep Alive to have the Prestige automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this feature to work.
Remote Address End/Mask: When the remote IP address is a single address, type it a second time here. When the remote IP address is a range, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router. When the remote IP address is a subnet address, enter a subnet mask on the network behind the remote IPSec router.
Remote Port Start: 0 is the default and signifies any port.
Peer Content: The configuration of the peer content depends on the peer ID type.
• For IP, type the IP address of the computer with which you will make the VPN connection. If you configure this field to 0.0.0.0 or leave it blank, the Prestige will use the address in the Secure Gateway Address field (refer to the Secure Gateway Address field description).
IPSec Protocol: Select ESP or AH from the drop-down list box. The Prestige's IPSec Protocol should be identical to the secure remote gateway's. The ESP (Encapsulating Security Payload) protocol (RFC 2406) provides encryption as well as the authentication offered by AH. If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described below).
15.13.1 Security Parameter Index (SPI)

An SPI is used to distinguish different SAs terminating at the same destination and using the same IPSec protocol. This data allows for the multiplexing of SAs to a single gateway. The SPI (Security Parameter Index) along with a destination IP address uniquely identify a particular Security Association (SA). The SPI is transmitted from the remote VPN gateway to the local VPN gateway.
Figure 67 Setup: Manual

The following table describes the labels in this screen.

Table 53 Rule Setup: Manual
Active: Select this check box to activate this VPN policy.
IPSec Keying Mode: Select IKE or Manual from the drop-down list box. Manual is a useful option for troubleshooting if you have problems using IKE key management.
Protocol Number: Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.
Local Port End: Type a port number in this field to define a port range. This port number must be greater than that specified in the previous field. If Local Port Start is left at 0, Local Port End will also remain at 0.
Remote Address Start: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses.
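A checker for the constraints the Rule Setup tables state (a 0.0.0.0 Secure Gateway Address only with IKE keying, the Local Port Start/End rules, and no two active SAs sharing both the local and the remote address), written as an added example rather than the router's own logic; the VpnRule fields and the sample rules are a constructed representation of the screen's fields.

```python
from dataclasses import dataclass

@dataclass
class VpnRule:
    """Constructed representation of the fields a Prestige VPN rule screen shows."""
    name: str
    active: bool
    keying_mode: str           # "IKE" or "Manual"
    local_addr: str            # Local Address (start)
    remote_addr: str           # Remote Address (start)
    secure_gateway: str        # Secure Gateway Address; 0.0.0.0 = remote has a dynamic WAN IP
    local_port_start: int = 0  # 0 signifies any port
    local_port_end: int = 0

def check_rule(rule):
    """Problems found in one rule (empty list = OK)."""
    problems = []
    if rule.keying_mode not in ("IKE", "Manual"):
        problems.append(f"{rule.name}: IPSec Keying Mode must be IKE or Manual")
    # 0.0.0.0 as Secure Gateway Address is only allowed with IKE key management
    if rule.secure_gateway == "0.0.0.0" and rule.keying_mode != "IKE":
        problems.append(f"{rule.name}: Secure Gateway Address 0.0.0.0 requires IKE")
    start, end = rule.local_port_start, rule.local_port_end
    # Local Port Start 0 (any port) forces Local Port End to stay 0
    if start == 0 and end != 0:
        problems.append(f"{rule.name}: Local Port End must be 0 when Local Port Start is 0")
    # A port range's end must be greater than its start
    if start != 0 and end != 0 and end <= start:
        problems.append(f"{rule.name}: Local Port End must be greater than Local Port Start")
    return problems

def check_rule_set(rules):
    """Per-rule checks plus the cross-rule constraint: two active SAs may share
    the local address or the remote address, but not both."""
    problems = [p for r in rules for p in check_rule(r)]
    active = [r for r in rules if r.active]
    for i, a in enumerate(active):
        for b in active[i + 1:]:
            if a.local_addr == b.local_addr and a.remote_addr == b.remote_addr:
                problems.append(f"{a.name}/{b.name}: active rules share both local and remote address")
    return problems

def sample_rules():
    """Constructed sample: headquarters-side rules for telecommuters with dynamic WAN IPs."""
    return [
        VpnRule("tc1", True, "IKE", "192.168.1.0", "10.1.1.0", "0.0.0.0"),
        VpnRule("tc2", True, "Manual", "192.168.1.0", "10.1.2.0", "0.0.0.0"),          # Manual + 0.0.0.0
        VpnRule("tc3", True, "IKE", "192.168.1.0", "10.1.1.0", "203.0.113.5", 20, 21),  # same pair as tc1
        VpnRule("tc4", False, "IKE", "192.168.1.0", "10.1.1.0", "203.0.113.6", 0, 25),  # end set, start 0
    ]

if __name__ == "__main__":
    for problem in check_rule_set(sample_rules()):
        print(problem)
```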
Table 53 Rule Setup: Manual (continued)
Encryption Algorithm: Select DES or 3DES from the drop-down list box. The Prestige's encryption algorithm should be identical to the secure remote gateway's. When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key.

Figure 68 SA Monitor

The following table describes the labels in this screen.

Table 54 SA Monitor
#: This is the security association index number.
Name: This field displays the identification name for this VPN policy.
Encapsulation: This field displays Tunnel or Transport mode.
IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase Prestige processing requirements and communications latency (delay).

Figure 69 VPN: Global Setting

The following table describes the labels in this screen.

Table 55 VPN: Global Setting
Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to find other computers. It may sometimes be necessary to allow NetBIOS packets to pass through VPN tunnels in order to allow local computers to find computers on the remote network and vice versa.
Having everyone use the same pre-shared key may create a vulnerability. If the pre-shared key is compromised, all of the VPN connections using that VPN rule are at risk. A recommended alternative is to use a different VPN rule for each telecommuter and identify them by unique IDs (see the Telecommuters Using Unique VPN Rules Example section).

Table 56 Telecommuter and Headquarters Configuration Example
TELECOMMUTER / HEADQUARTERS
My IP Address: 0.0.0.

See the following graphic for an example where three telecommuters each use a different VPN rule to initiate a VPN connection to a Prestige located at headquarters. The Prestige at headquarters identifies each by its secure gateway address (a dynamic domain name) and uses the appropriate VPN rule to establish the VPN connection.

Figure 71 Telecommuters Using Unique VPN Rules Example
CHAPTER 16 Centralized Logs

This chapter contains information about configuring general log settings and viewing the Prestige’s logs. Refer to the appendices for example log message explanations.

16.1 View Log

The web configurator allows you to look at all of the Prestige’s logs in one location. Click LOGS in the navigation panel to open the View Log screen.

Figure 72 View Logs

The following table describes the labels in this screen.

Table 57 View Logs
Display: The categories that you select in the Log Settings page (see the Log Settings section) display in the drop-down list box. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
Time: This field displays the time the log was recorded.

16.2 Log Settings

You can configure the Prestige’s general log settings in one location. Click LOGS in the navigation panel and then the Log Settings tab to open the Log Settings screen. Use the Log Settings screen to configure where the Prestige is to send logs, the schedule for when the Prestige is to send the logs, and which logs and/or immediate alerts the Prestige is to send. An alert is a type of log that warrants more serious attention.

Figure 73 Log Settings

The following table describes the labels in this screen.

Table 58 Log Settings
Address Info, Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.
Mail Subject: Type a title that you want to be in the subject line of the log e-mail message that the Prestige sends. Not all Prestige models have this field.
Send Log To: The Prestige sends logs to the e-mail address specified in this field. If this field is left blank, the Prestige does not send logs via e-mail.
CHAPTER 17 Maintenance

This chapter displays system information such as ZyNOS firmware, port IP addresses and port traffic statistics.

17.1 Maintenance Overview

The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your Prestige.

17.2 Status Screen

Click MAINTENANCE to open the Status screen, which you can use to monitor your Prestige. Note that these fields are READ-ONLY and only for diagnostic purposes.

Figure 74 Maintenance Status

The following table describes the labels in this screen.

Table 59 Maintenance Status
System Name: This is the System Name you chose in the first Internet Access Wizard screen. It is for identification purposes.
Model Name: The model name identifies your device type. The model name should also be on a sticker on your Prestige. If you are uploading firmware, be sure to upload firmware for this exact model name.

17.2.1 System Statistics

Read-only information here includes port status and packet specific statistics. Also provided are "system up time" and "poll interval(s)". The Poll Interval(s) field is configurable.

Figure 75 Maintenance System Statistics

The following table describes the labels in this screen.

Table 60 Maintenance System Statistics
Port: This is the WAN or LAN port.

Click MAINTENANCE, and then the DHCP Table tab. Read-only information here relates to your DHCP status. The DHCP table shows current DHCP client information (including IP Address, Host Name and MAC Address) of all network clients using the DHCP server.

Figure 76 Maintenance DHCP Table

The following table describes the labels in this screen.

Table 61 Maintenance DHCP Table
#: This is the index number of the host computer.
Use the upgrade tool file with a "*.exe" extension found in the ZIP file and follow the steps to begin the firmware upgrade.

17.4.1 Preparing your Prestige for Firmware Upload

1 Change the login password of the Prestige to the factory default password of “1234”.
2 Change the IP address of the Prestige to the factory default IP address of “192.168.1.1” and make sure that your computer can connect to the Prestige.

Figure 78 Upgrade Tool

Click Upgrade to start uploading the new firmware file.

Note: Do not turn off the Prestige while firmware upload is in progress!

If you log into your Prestige before the upgrade is complete, the following screen is displayed.

Figure 79 Upload Warning

6 The Prestige automatically restarts at this time, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.

• Change your Prestige password and IP address back to your preferred setting.
8 Log in again and check your new firmware version in the System Status screen.

17.5 Configuration Screen

See the Firmware and Configuration File Maintenance chapter for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE, and then the Configuration tab. Information related to factory defaults, backup configuration, and restoring configuration appears as shown next.
Click Backup to save the Prestige’s current configuration to your computer.

17.5.2 Restore Configuration

Restore configuration allows you to upload a new or previously saved configuration file from your computer to your Prestige.

Table 62 Maintenance Restore Configuration
File Path: Type in the location of the file you want to upload in this field or click Browse... to find it.
Browse...: Click Browse... to find the file you want to upload.

If the upload was not successful, the following screen will appear. Click Return to go back to the Configuration screen.

Figure 84 Configuration Restore Error

17.5.3 Back to Factory Defaults

Pressing the Reset button in this section clears all user-entered configuration information and returns the Prestige to its factory defaults as shown on the screen. The following warning screen will appear.
Figure 86 System Restart
CHAPTER 18 Introducing the SMT

This chapter explains how to access and navigate the System Management Terminal and gives an overview of its menus.

18.1 SMT Introduction

The Prestige’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection.

Figure 87 Login Screen

    Enter Password : ****

18.1.3 Prestige SMT Menu Overview

The following figure gives you an overview of the various SMT menu screens of your Prestige.

Figure 88 SMT Menu Overview

18.2 Navigating the SMT Interface

The SMT (System Management Terminal) is the interface that you use to configure your Prestige. Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below.

Table 63 Main Menu Commands
OPERATION / KEYSTROKE / DESCRIPTION
Move down to another menu / [ENTER] / To move forward to a submenu, type in the number of the desired submenu and press [ENTER].
Move up to a previous menu / [ESC] / Press [ESC] to move back to the previous menu.
Move to a “hidden” menu / [SPACE BAR] / Press [SPACE BAR] to change No to Yes then press [ENTER].

Figure 89 SMT Main Menu

    Copyright (c) 1994 - 2004 ZyXEL Communications Corp.

                        Prestige 334 Main Menu

    Getting Started                    Advanced Management
      1. General Setup                   21. Filter and Firewall Setup
      2. WAN Setup                       22. SNMP Configuration
      3. LAN Setup                       23. System Password
      4. Internet Access Setup           24. System Maintenance
                                         26. Schedule Setup
    Advanced Applications                27. VPN/IPSec Setup
     11. Remote Node Setup
     12. Static Routing Setup
     15. NAT Setup                       99. Exit

    Enter Menu Selection Number:

18.3 Changing the System Password

Change the Prestige default password by following the steps shown next.

1 Enter 23.1 in the main menu to display Menu 23.1 - System Security - Change Password.
2 Type your existing system password in the Old Password field, for example “1234”, and press [ENTER].

Figure 90 Menu 23 System Password
CHAPTER 19 Menu 1 General Setup

Menu 1 - General Setup contains administrative and system-related information.

19.1 General Setup

Menu 1 - General Setup contains administrative and system-related information (shown next). The System Name field is for identification purposes. However, because some ISPs check this name you should enter your computer's "Computer Name". In Windows 95/98 click Start, Settings, Control Panel, Network.

Figure 91 Menu 1 General Setup

    Menu 1 - General Setup

    System Name=
    Domain Name= zyxel.com.tw
    First System DNS Server= From ISP
      IP Address= N/A
    Second System DNS Server= From ISP
      IP Address= N/A
    Third System DNS Server= From ISP
      IP Address= N/A

    Edit Dynamic DNS= No

    Press ENTER to Confirm or ESC to Cancel:

2 Fill in the required fields. Refer to the table shown next for more information about these fields.

19.2.1 Procedure to Configure Dynamic DNS

Note: If you have a private WAN IP address, then you cannot use Dynamic DNS.

To configure Dynamic DNS, go to Menu 1 - General Setup and select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 - Configure Dynamic DNS as shown next.

Figure 92 Menu 1.1 Configure Dynamic DNS

    Menu 1.1 - Configure Dynamic DNS

    Service Provider= WWW.DynDNS.

Table 66 Menu 1.1 Configure Dynamic DNS
Offline: This field is only available when CustomDNS is selected in the DDNS Type field. Press [SPACE BAR] and then [ENTER] to select Yes. When Yes is selected, http://www.dyndns.org/ traffic is redirected to a URL that you have previously specified (see www.dyndns.org for details).
CHAPTER 20 Menu 2 WAN Setup

This chapter describes how to configure the WAN using menu 2.

20.1 Introduction to WAN

This chapter explains how to configure settings for your WAN port.

20.2 WAN Setup

From the main menu, enter 2 to open menu 2.

Figure 93 Menu 2 WAN Setup

    Menu 2 - WAN Setup

    MAC Address:
      Assigned By= Factory default
      IP Address= N/A

    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.
CHAPTER 21 Menu 3 LAN Setup

This chapter covers how to configure your wired Local Area Network (LAN) settings.

21.1 LAN Setup

This section describes how to configure the Ethernet using Menu 3 - LAN Setup. From the main menu, enter 3 to display menu 3.

Figure 94 Menu 3 LAN Setup

    Menu 3 - LAN Setup

    1. LAN Port Filter Setup
    2. TCP/IP and DHCP Setup

    Enter Menu Selection Number:

21.2 Protocol Dependent Ethernet Setup

Depending on the protocols for your applications, you need to configure the respective Ethernet Setup, as outlined below.
• For TCP/IP Ethernet setup refer to the Internet Access Application chapter.
• For bridging Ethernet setup refer to the Bridging Setup chapter.

21.3 TCP/IP Ethernet Setup and DHCP

Use menu 3.2 to configure your Prestige for TCP/IP. To edit menu 3.2, enter 3 from the main menu to display Menu 3 - LAN Setup.

Table 68 DHCP Ethernet Setup Fields
Size of Client IP Pool: This field specifies the size, or count, of the IP address pool.
The Prestige passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients.
Second DNS Server: Select From ISP if your ISP dynamically assigns DNS server information (and the Prestige's WAN IP address).

21.3.1 IP Alias Setup

IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The Prestige supports three logical LAN interfaces via its single physical Ethernet interface with the Prestige itself as the gateway for each LAN network.

Figure 97 Physical Network & Partitioned Logical Networks

You must use menu 3.2 to configure the first network.

Table 70 Menu 3.2.1: IP Alias Setup
IP Subnet Mask: Your Prestige will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the Prestige.
RIP Direction: Press [SPACE BAR] and then [ENTER] to select the RIP direction. Options are Both, In Only, Out Only or None.
Version: Press [SPACE BAR] and then [ENTER] to select the RIP version.
CHAPTER 22 Internet Access

This chapter shows you how to configure your Prestige for Internet access.

22.1 Introduction to Internet Access Setup

Use information from your ISP along with the instructions in this chapter to set up your Prestige to access the Internet. There are three different menu 4 screens depending on whether you chose Ethernet, PPTP or PPPoE Encapsulation. Contact your ISP to determine what encapsulation type you should use.

Figure 99 Menu 4 Internet Access Setup

    Menu 4 - Internet Access Setup

    ISP's Name= MyISP
    Encapsulation= Ethernet
      Service Type= Standard
      My Login= N/A
      My Password= N/A
      Retype to Confirm= N/A
      Login Server= N/A
      Relogin Every (min)= N/A
    IP Address Assignment= Dynamic
      IP Address= N/A
      IP Subnet Mask= N/A
      Gateway IP Address= N/A
    Network Address Translation= SUA Only

    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.

Table 71 Internet Access Setup (Ethernet)
Gateway IP Address: Enter the gateway IP address associated with your static IP.
Network Address Translation: Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Choose None to disable NAT.

Figure 100 Internet Access Setup (PPTP)

    Menu 4 - Internet Access Setup

    ISP's Name= MyISP
    Encapsulation= PPTP
      Service Type= N/A
      My Login=
      My Password= ********
      Retype to Confirm= ********
      Idle Timeout= 100
    IP Address Assignment= Dynamic
      IP Address= N/A
      IP Subnet Mask= N/A
      Gateway IP Address= N/A
    Network Address Translation= SUA Only

    Press ENTER to Confirm or ESC to Cancel:

The following table contains instructions about the new fields when you choose PPTP in the Encapsulation field.

Figure 101 Internet Access Setup (PPPoE)

    Menu 4 - Internet Access Setup

    ISP's Name= MyISP
    Encapsulation= PPPoE
      Service Type= N/A
      My Login=
      My Password= ********
      Retype to Confirm= ********
      Idle Timeout= 100
    IP Address Assignment= Dynamic
      IP Address= N/A
      IP Subnet Mask= N/A
      Gateway IP Address= N/A
    Network Address Translation= SUA Only

    Press ENTER to Confirm or ESC to Cancel:

The following table contains instructions about the new fields when you choose PPPoE in the Encapsulation field.
CHAPTER 23 Remote Node Configuration

This chapter covers remote node configuration.

23.1 Introduction to Remote Node Setup

A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use menu 4 to set up Internet access, you are actually configuring a remote node. The following describes how to configure Menu 11.1 Remote Node Profile, Menu 11.

Figure 102 Menu 11.1 Remote Node Profile for Ethernet Encapsulation

    Menu 11.1 - Remote Node Profile

    Rem Node Name= MyISP
    Active= Yes

    Encapsulation= Ethernet
    Service Type= Standard
    Service Name= N/A
    Outgoing:
      My Login= N/A
      My Password= N/A
      Retype to Confirm= N/A
      Server= N/A
      Relogin Every (min)= N/A

    Route= IP
    Edit IP= No

    Session Options:
      Edit Filter Sets= No
      Edit Traffic Redirect= No

    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.

Table 74 Menu 11.1 Remote Node Profile for Ethernet Encapsulation
Edit IP: This field leads to a “hidden” menu. Press [SPACE BAR] to select Yes and press [ENTER] to go to Menu 11.3 - Remote Node Network Layer Options.
Session Options, Edit Filter Sets: This field leads to another “hidden” menu. Use [SPACE BAR] to select Yes and press [ENTER] to open menu 11.5 to edit the filter sets. See the Remote Node Filter section for more details.

23.2.2.2 Nailed-Up Connection

A nailed-up connection is a dial-up line where the connection is always up regardless of traffic demand. The Prestige does two things when you specify a nailed-up connection. The first is that idle timeout is disabled. The second is that the Prestige will try to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be very expensive for obvious reasons.
Figure 104 Menu 11.1 Remote Node Profile for PPTP Encapsulation

    Menu 11.

Figure 105 Menu 11.3 Remote Node Network Layer Options for Ethernet Encapsulation

    Menu 11.

Table 77 Remote Node Network Layer Options
Metric: Enter a number from 1 to 15 to set this route’s priority among the Prestige’s routes (see the Metric section in the WAN and Dial Backup Setup chapter). The smaller the number, the higher priority the route has.
Private: This field is valid only for PPTP/PPPoE encapsulation. This parameter determines if the Prestige will include the route to this remote node in its RIP broadcasts.

Figure 106 Menu 11.5: Remote Node Filter (Ethernet Encapsulation)

    Menu 11.5 - Remote Node Filter

    Input Filter Sets:
      protocol filters=
      device filters=
    Output Filter Sets:
      protocol filters=
      device filters=

    Enter here to CONFIRM or ESC to CANCEL:

Figure 107 Menu 11.5: Remote Node Filter (PPPoE or PPTP Encapsulation)

    Menu 11.

Figure 108 Menu 11.6: Traffic Redirect Setup

    Menu 11.6 - Traffic Redirect Setup

    Active= Yes
    Configuration:
      Backup Gateway IP Address= 0.0.0.0
      Metric= 15
      Check WAN IP Address= 0.0.0.0
      Fail Tolerance= 2
      Period(sec)= 5
      Timeout(sec)= 3

    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this screen.

Table 78 Menu 11.
CHAPTER 24 Static Route Setup

This chapter shows how to set up IP static routes.

24.1 IP Static Route Setup

To configure an IP static route, use Menu 12 - Static Routing Setup (shown next).

Figure 109 Menu 12 IP Static Route Setup

    Menu 12 - IP Static Route Setup

    1. ________
    2. ________
    3. ________
    4. ________
    5. ________
    6. ________
    7. ________
    8. ________

    Enter selection number:

Now, type the route number of a static route you want to configure.

Figure 110 Menu 12.1 Edit IP Static Route

    Menu 12.1 - Edit IP Static Route

    Route #: 1
    Route Name= ?
    Active= No
    Destination IP Address= ?
    IP Subnet Mask= ?
    Gateway IP Address= ?
    Metric= 2
    Private= No

    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields for Menu 12.1 - Edit IP Static Route Setup.

Table 79 Menu 12.1 Edit IP Static Route
Route #: This is the index number of the static route that you chose in menu 12.1.

CHAPTER 25 Network Address Translation (NAT)

This chapter discusses how to configure NAT on the Prestige.

25.1 Using NAT

Note: You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the Prestige.

25.1.1 SUA (Single User Account) Versus NAT

SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
Prestige 334 User’s Guide Figure 111 Menu 4 Applying NAT for Internet Access Menu 4 - Internet Access Setup ISP's Name= MyISP Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A Relogin Every (min)= N/A IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network Address Translation= SUA Only Press ENTER to Confirm or ESC to Cancel: The following figure shows how you apply NAT to the remote node in menu
Figure 112 Menu 11.3 Applying NAT to the Remote Node

    Menu 11.3 - Remote Node Network Layer Options
      IP Address Assignment= Dynamic
      IP Address= N/A
      IP Subnet Mask= N/A
      Gateway IP Addr= N/A
      Network Address Translation= SUA Only
      Metric= 1
      Private= N/A
      RIP Direction= None
      Version= N/A
      Multicast= None
    Enter here to CONFIRM or ESC to CANCEL:

The following table describes the options for Network Address Translation.

Table 80 Applying NAT in Menus 4 & 11.
Figure 113 Menu 15 NAT Setup

    Menu 15 - NAT Setup
      1. Address Mapping Sets
      2. Port Forwarding Setup
      3. Trigger Port Setup
    Enter Menu Selection Number:

25.3.1 Address Mapping Sets

Enter 1 to bring up Menu 15.1 – Address Mapping Sets.

Figure 114 Menu 15.1 Address Mapping Sets

    Menu 15.1 - Address Mapping Sets
      1. NAT_SET
      255. SUA (read only)
    Enter Menu Selection Number:

Enter 255 to display the next screen (see the SUA (Single User Account) Versus NAT section).
Figure 115 Menu 15.1.255 SUA Address Mapping Rules

    Menu 15.1.255 - Address Mapping Rules
      Set Name= SUA
      Idx  Local Start IP   Local End IP      Global Start IP  Global End IP    Type
      ---  ---------------  ----------------  ---------------  ---------------  ------
       1.  0.0.0.0          255.255.255.255   0.0.0.0                           M-1
       2.                                     0.0.0.0                           Server
       3.
       4.
       5.
       6.
       7.
       8.
       9.
      10.
    Press ENTER to Confirm or ESC to Cancel:

The following table explains the fields in this menu.
Figure 116 Menu 15.1.1 First Set

    Menu 15.1.1 - Address Mapping Rules
      Set Name= NAT_SET
      Idx  Local Start IP   Local End IP     Global Start IP  Global End IP    Type
      ---  ---------------  ---------------  ---------------  ---------------  ------
       1.
       2.
       3.
       4.
       5.
       6.
       7.
       8.
       9.
      10.
      Action= Edit      Select Rule=
    Press ENTER to Confirm or ESC to Cancel:

Note: If the Set Name field is left blank, the entire set will be deleted.

Note: The Type, Local and Global Start/End IPs are configured in menu 15.1.1.
Now if you delete rule 4, rules 5 to 7 are pushed up by one rule, so old rule 5 becomes rule 4, old rule 6 becomes rule 5 and old rule 7 becomes rule 6.

Table 82 Menu 15.1.1 First Set
FIELD     DESCRIPTION
Set Name  Enter a name for this set of rules. This is a required field. If this field is left blank, the entire set will be deleted.
Action    The default is Edit. Edit means you want to edit a selected rule (see the following field).
Figure 117 Menu 15.1.1.1 Editing/Configuring an Individual Rule in a Set

    Menu 15.1.1.1 Address Mapping Rule
      Type= One-to-One
      Local IP:
        Start= 0.0.0.0
        End  = N/A
      Global IP:
        Start= 0.0.0.0
        End  = N/A
    Press ENTER to Confirm or ESC to Cancel:

The following table explains the fields in this menu.

Table 83 Menu 15.1.1.1 Editing/Configuring an Individual Rule in a Set
FIELD  DESCRIPTION
Type   Press [SPACE BAR] and then [ENTER] to select from a total of five types.
Figure 118 Menu 15.2.1 NAT Server Setup

    Menu 15.2 - NAT Server Setup
      Rule  Start Port No.  End Port No.  IP Address
      --------------------------------------------------
       1.   Default         Default       0.0.0.0
       2.   21              25            192.168.1.33
       3.   0               0             0.0.0.0
       4.   0               0             0.0.0.0
       5.   0               0             0.0.0.0
       6.   0               0             0.0.0.0
       7.   0               0             0.0.0.0
       8.   0               0             0.0.0.0
       9.   0               0             0.0.0.0
      10.   0               0             0.0.0.0
      11.   0               0             0.0.0.0
      12.   0               0             0.0.0.0
    Press ENTER to Confirm or ESC to Cancel:

3 Enter a port number in an unused Start Port No field.
25.5.1 Example 1: Internet Access Only

In the following Internet access example, you need only one rule, where the ILAs (Inside Local Addresses) of computers A through D map to one dynamic IGA (Inside Global Address) assigned by your ISP.
Figure 122 NAT Example 2

In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2 to specify the Inside Server behind the NAT, as shown in the next figure.

Figure 123 Menu 15.2.1 Specifying an Inside Server

    Menu 15.2.1 - NAT Server Setup
      Rule  Start Port No.  End Port No.  IP Address
      --------------------------------------------------
       1.   Default         Default       192.168.1.10
       2.   0               0             0.0.0.0
       3.   0               0             0.0.0.0
       4.   0               0             0.0.0.0
       5.   0               0             0.0.0.0
       6.
4 You also map your third IGA to the web server and mail server on the LAN. Type Server allows you to specify multiple servers, of different types, to other computers behind NAT on the LAN.

The example situation looks somewhat like this:

Figure 124 NAT Example 3

1 In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.
Figure 125 NAT Example 3: Menu 11.3

    Menu 11.3 - Remote Node Network Layer Options
      IP Address Assignment= Dynamic
      IP Address= N/A
      IP Subnet Mask= N/A
      Gateway IP Addr= N/A
      Network Address Translation = Full Feature
      Metric= 1
      Private= N/A
      RIP Direction= None
      Version= N/A
      Multicast= None
    Enter here to CONFIRM or ESC to CANCEL:

The following figures show how to configure the first rule.
Figure 126 Example 3: Menu 15.1.1.1

    Menu 15.1.1.1 Address Mapping Rule
      Type= One-to-One
      Local IP:
        Start= 192.168.1.10
        End  = N/A
      Global IP:
        Start= 10.132.50.1
        End  = N/A
    Press ENTER to Confirm or ESC to Cancel:
    Press Space Bar to Toggle.

Figure 127 Example 3: Final Menu 15.1.1

    Menu 15.1.1 - Address Mapping Rules
      Set Name= NAT_SET
      Idx  Local Start IP
      ---  ---------------
       1.  192.168.1.10
       2.  192.168.1.11
       3.  0.0.0.
Figure 128 Example 3: Menu 15.2

    Menu 15.2 - NAT Server Setup
      Rule  Start Port No.  End Port No.  IP Address
      --------------------------------------------------
       1.   Default         Default       0.0.0.0
       2.   80              80            192.168.1.21
       3.   25              25            192.168.1.20
       4.   0               0             0.0.0.0
       5.   0               0             0.0.0.0
       6.   0               0             0.0.0.0
       7.   0               0             0.0.0.0
       8.   0               0             0.0.0.0
       9.   0               0             0.0.0.0
      10.   0               0             0.0.0.0
      11.   0               0             0.0.0.0
      12.   0               0             0.0.0.0
    Press ENTER to Confirm or ESC to Cancel:

Common server ports: HTTP:80, FTP:21, Telnet:23, SMTP:25, POP3:110, PPTP:1723

25.5.
Figure 129 NAT Example 4

Note: Other applications, such as some gaming programs, are NAT unfriendly because they embed addressing information in the data stream. These applications won’t work through NAT even when using the One-to-One and Many-to-Many No Overload mapping types.

Follow the steps outlined in example 3 to configure these two menus as follows.

Figure 130 Example 4: Menu 15.1.1.1 Address Mapping Rule

    Menu 15.1.1.
Figure 131 Example 4: Menu 15.1.1 Address Mapping Rules

    Menu 15.1.1 - Address Mapping Rules
      Set Name= Example4
      Idx  Local Start IP   Local End IP     Global Start IP  Global End IP    Type
      ---  ---------------  ---------------  ---------------  ---------------  --------
       1.  192.168.1.10     192.168.1.12     10.132.50.1      10.132.50.3      M:M NO OV
       2.
       3.
       4.
       5.
       6.
       7.
       8.
       9.
      10.
      Action= Edit      Select Rule=
    Press ENTER to Confirm or ESC to Cancel:

25.
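As an added example (not ZyXEL's code), the Python below models the two NAT lookups the examples above walk through: picking the IGA for an outbound LAN host from an address mapping set (the read-only SUA set, Example 3's One-to-One rule and Example 4's M:M NO OV rule), and picking the inside server for an inbound packet from the Menu 15.2 port-forwarding table (Examples 2 and 3). The first-matching-rule order, the positional local-to-global pairing for Many-to-Many No Overload, and reading a Global Start IP of 0.0.0.0 as the ISP-assigned WAN address are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def _to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def _to_str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


@dataclass
class MappingRule:
    """One row of Menu 15.1.x - Address Mapping Rules."""
    rtype: str                 # "One-to-One", "Many-to-One", "Many-to-Many No Overload", "Server"
    local_start: str = ""
    local_end: str = ""        # blank for a single-address rule
    global_start: str = ""     # assumption: 0.0.0.0 = the dynamic WAN address from the ISP
    global_end: str = ""


def outbound_iga(rules: List[MappingRule], ila: str, wan_ip: str) -> Optional[str]:
    """Pick the IGA for a LAN host (ILA). Assumption: rules are tried in index order and
    the first one whose local range covers the ILA wins; Server rules never apply outbound."""
    host = _to_int(ila)
    for r in rules:
        if r.rtype == "Server" or not r.local_start:
            continue
        lo = _to_int(r.local_start)
        hi = _to_int(r.local_end) if r.local_end else lo
        if not lo <= host <= hi:
            continue
        g_start = wan_ip if r.global_start == "0.0.0.0" else r.global_start
        if r.rtype in ("One-to-One", "Many-to-One"):
            return g_start
        if r.rtype == "Many-to-Many No Overload":
            # Assumption: positional pairing, local_start+k -> global_start+k,
            # so a local range wider than the global range leaves hosts unmapped.
            g = _to_int(g_start) + (host - lo)
            return _to_str(g) if g <= _to_int(r.global_end) else None
        raise ValueError(f"unsupported mapping type {r.rtype!r}")
    return None


@dataclass
class ServerRule:
    """One row of Menu 15.2 - NAT Server Setup; start_port None marks the Default row."""
    start_port: Optional[int]
    end_port: Optional[int]
    ip: str


def inbound_server(rules: List[ServerRule], dst_port: int) -> Optional[str]:
    """Menu 15.2 lookup for a packet arriving on the IGA: an explicit port range wins,
    otherwise the Default server applies; an IP of 0.0.0.0 means no server is set."""
    default = None
    for r in rules:
        if r.start_port is None:
            default = r.ip if r.ip != "0.0.0.0" else None
        elif r.ip != "0.0.0.0" and r.start_port <= dst_port <= r.end_port:
            return r.ip
    return default


# The read-only SUA set of Menu 15.1.255 (rule 2 carries only a global address).
SUA_SET = [
    MappingRule("Many-to-One", "0.0.0.0", "255.255.255.255", "0.0.0.0"),
    MappingRule("Server", global_start="0.0.0.0"),
]
# Example 3, first rule of Menu 15.1.1: One-to-One 192.168.1.10 -> 10.132.50.1
EXAMPLE3_SET = [MappingRule("One-to-One", "192.168.1.10", "", "10.132.50.1")]
# Example 4, set "Example4": M:M NO OV 192.168.1.10-12 -> 10.132.50.1-3
EXAMPLE4_SET = [
    MappingRule("Many-to-Many No Overload", "192.168.1.10", "192.168.1.12",
                "10.132.50.1", "10.132.50.3"),
]
# Example 3's Menu 15.2: web server on 192.168.1.21, mail server on 192.168.1.20, no default
EXAMPLE3_SERVERS = [
    ServerRule(None, None, "0.0.0.0"),
    ServerRule(80, 80, "192.168.1.21"),
    ServerRule(25, 25, "192.168.1.20"),
]
```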
Figure 132 Menu 15.3 Trigger Port Setup

    Menu 15.3 - Trigger Port Setup
                          Incoming                Trigger
      Rule  Name          Start Port  End Port    Start Port  End Port
      ----------------------------------------------------------------------
       1.   Real Audio    6970        7170        7070        7070
       2.                 0           0           0           0
       3.                 0           0           0           0
       4.                 0           0           0           0
       5.                 0           0           0           0
       6.                 0           0           0           0
       7.                 0           0           0           0
       8.                 0           0           0           0
       9.                 0           0           0           0
      10.                 0           0           0           0
      11.                 0           0           0           0
      12.                 0           0           0           0
    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this screen.

Table 84 Menu 15.
CHAPTER 26 Enabling the Firewall

This chapter shows you how to get started with the Prestige firewall.

26.1 Remote Management and the Firewall

When SMT menu 24.11 is configured to allow management (see the Remote Management chapter) and the firewall is enabled:
• The firewall blocks remote management from the WAN unless you configure a firewall rule to allow it.
• The firewall allows remote management from the LAN.

26.
Figure 133 Menu 21.2 Firewall Setup

    Menu 21.2 - Firewall Setup
      The firewall protects against Denial of Service (DoS) attacks when it is active.
      Your network is vulnerable to attacks when the firewall is turned off.
      Refer to the User's Guide for details about the firewall default policies.
      You may define additional Policy rules or modify existing ones but please
      exercise extreme caution in doing so.
      Active: No
      You can use the Web Configurator to configure the firewall.
CHAPTER 27 Filter Configuration

This chapter shows you how to create and apply filters.

27.1 Introduction to Filters

Your Prestige uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later. Data filtering screens the data to determine if the packet should be allowed to pass.
27.1.1 The Filter Structure of the Prestige

A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The Prestige allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You cannot mix device filter rules and protocol filter rules within the same set.
Figure 135 Filter Rule Process

You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.

27.2 Configuring a Filter Set

The Prestige includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below.

1 Enter 21 in the main menu to open menu 21.
Figure 136 Menu 21: Filter and Firewall Setup

    Menu 21 - Filter and Firewall Setup
      1. Filter Setup
      2. Firewall Setup
    Enter Menu Selection Number:

2 Enter 1 to bring up the following menu.

Figure 137 Menu 21.1: Filter Set Configuration

    Menu 21.
Table 85 Abbreviations Used in the Filter Rules Summary Menu
FIELD  DESCRIPTION
m      Action Matched. “F” means to forward the packet immediately and skip checking the remaining rules. “D” means to drop the packet. “N” means to check the next rule.
n      Action Not Matched. “F” means to forward the packet immediately and skip checking the remaining rules. “D” means to drop the packet. “N” means to check the next rule.
To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.1.1 - TCP/IP Filter Rule, as shown next.

Figure 138 Menu 21.1.1.1 TCP/IP Filter Rule

    Menu 21.1.1.1 - TCP/IP Filter Rule
      Filter #: 1,1
      Filter Type= TCP/IP Filter Rule
      Active= Yes
      IP Protocol= 0    IP Source Route= No
      Destination: IP Addr= 0.0.0.0
                   IP Mask= 0.0.0.0
                   Port #= 137
                   Port # Comp= Equal
      Source:      IP Addr= 0.0.0.0
                   IP Mask= 0.0.0.
Table 87 TCP/IP Filter Rule
FIELD              DESCRIPTION                                                                                            OPTIONS
Source IP Address  Enter the source IP address of the packet you wish to filter. This field is ignored if it is 0.0.0.0.   0.0.0.0
IP Mask            Enter the IP mask to apply to the Source: IP Addr.                                                     0.0.0.0
Port #             Enter the source port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is 0.
Figure 139 Executing an IP Filter

27.2.3 Configuring a Generic Filter Rule

This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the Prestige treats a packet as a byte stream rather than as an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes.
Figure 140 Menu 21.1.4.1 Generic Filter Rule

    Menu 21.1.4.1 - Generic Filter Rule
      Filter #: 4,1
      Filter Type= Generic Filter Rule
      Active= No
      Offset= 0
      Length= 0
      Mask= N/A
      Value= N/A
      More= No    Log= None
      Action Matched= Check Next Rule
      Action Not Matched= Check Next Rule
    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in the Generic Filter Rule menu.
Table 88 Generic Filter Rule Menu Fields
FIELD               DESCRIPTION                                            OPTIONS
Action Matched      Select the action for a packet matching the rule.      Check Next Rule / Forward / Drop
Action Not Matched  Select the action for a packet not matching the rule.  Check Next Rule / Forward / Drop

Once you have completed filling in Menu 21.4.1.1 - Generic Filter Rule, press [ENTER] at the message “Press ENTER to Confirm” to save your configuration, or press [ESC] to cancel.
Figure 142 Example Filter: Menu 21.1.3.1

    Menu 21.1.3.1 - TCP/IP Filter Rule
      Filter #: 3,1
      Filter Type= TCP/IP Filter Rule
      Active= Yes
      IP Protocol= 6    IP Source Route= No
      Destination: IP Addr= 0.0.0.0
                   IP Mask= 0.0.0.0
                   Port #= 23
                   Port # Comp= Equal
      Source:      IP Addr= 0.0.0.0
                   IP Mask= 0.0.0.0
                   Port #= 0
                   Port # Comp= None
      TCP Estab= No
      More= No    Log= None
      Action Matched= Drop
      Action Not Matched= Forward
    Press ENTER to Confirm or ESC to Cancel:
    Press Space Bar to Toggle.
Figure 143 Example Filter Rules Summary: Menu 21.1.3

    Menu 21.1.3 - Filter Rules Summary
      #  A  Type  Filter Rules                                    M  m  n
      -  -  ----  ----------------------------------------------  -  -  -
      1  Y  IP    Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23             N  D  F
      2  N
      3  N
      4  N
      5  N
      6  N
    Enter Filter Rule Number (1-6) to Configure:

This shows that you have configured and activated (A = Y) a TCP/IP filter rule (Type = IP, Pr = 6) for destination telnet ports (DP = 23).
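The following Python is an added model (not ZyXEL's code) of how a filter set is walked: each active rule yields its Action Matched or Action Not Matched, Forward and Drop end the evaluation, Check Next Rule moves on; TCP/IP rules use the "0.0.0.0 and port 0 are ignored" semantics of Table 87, and generic rules compare the Length bytes at Offset, ANDed with Mask, against Value. The fall-through verdict (forward), the first-verdict-wins order across the up-to-four sets on a port, the extra port comparators beyond Equal/None, and the byte-level Mask/Value semantics are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Actions as they appear in menus 21.1.x.1
FORWARD, DROP, NEXT = "Forward", "Drop", "Check Next Rule"


@dataclass
class Packet:
    """Decoded IP fields for TCP/IP rules plus the raw frame for generic rules."""
    protocol: int          # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    raw: bytes = b""


def _addr_matches(addr: str, rule_ip: str, rule_mask: str) -> bool:
    # Per Table 87 an address field of 0.0.0.0 is ignored (matches anything).
    if rule_ip == "0.0.0.0":
        return True
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_ip))
    m = int(ipaddress.IPv4Address(rule_mask))
    return (a & m) == (r & m)


def _port_matches(port: int, rule_port: int, comp: str) -> bool:
    # Port # = 0 or Port # Comp = None means the port is not checked.
    # Equal/None are on the page; Not Equal/Less/Greater are assumed comparators.
    if rule_port == 0 or comp == "None":
        return True
    return {"Equal": port == rule_port, "Not Equal": port != rule_port,
            "Less": port < rule_port, "Greater": port > rule_port}[comp]


@dataclass
class TcpIpRule:
    """Menu 21.1.x.1 - TCP/IP Filter Rule (the fields this model uses)."""
    active: bool = True
    ip_protocol: int = 0      # 0 = any protocol
    dst_ip: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dst_port: int = 0
    dst_comp: str = "None"
    src_ip: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    src_port: int = 0
    src_comp: str = "None"
    action_matched: str = NEXT
    action_not_matched: str = NEXT

    def matches(self, p: Packet) -> bool:
        return ((self.ip_protocol == 0 or p.protocol == self.ip_protocol)
                and _addr_matches(p.dst, self.dst_ip, self.dst_mask)
                and _port_matches(p.dport, self.dst_port, self.dst_comp)
                and _addr_matches(p.src, self.src_ip, self.src_mask)
                and _port_matches(p.sport, self.src_port, self.src_comp))


@dataclass
class GenericRule:
    """Menu 21.1.x.1 - Generic Filter Rule: the packet is treated as a byte stream."""
    active: bool = True
    offset: int = 0
    length: int = 0
    mask: bytes = b""
    value: bytes = b""
    action_matched: str = NEXT
    action_not_matched: str = NEXT

    def matches(self, p: Packet) -> bool:
        # Assumption: the Length bytes at Offset are ANDed with Mask and compared to Value.
        window = p.raw[self.offset:self.offset + self.length]
        if len(window) < self.length or len(self.mask) != self.length:
            return False
        return bytes(b & m for b, m in zip(window, self.mask)) == self.value


def evaluate_set(rules: list, p: Packet) -> Optional[str]:
    """Walk one filter set: F or D is a verdict; N (or an inactive rule) moves on."""
    for rule in rules:
        if not rule.active:
            continue
        action = rule.action_matched if rule.matches(p) else rule.action_not_matched
        if action in (FORWARD, DROP):
            return action
    return None  # no verdict: the set fell through


def evaluate_port(filter_sets: List[list], p: Packet) -> str:
    """Up to four sets apply to a port. Assumption: the first explicit F or D decides,
    and a packet that falls through every set is forwarded."""
    for rules in filter_sets:
        verdict = evaluate_set(rules, p)
        if verdict is not None:
            return verdict
    return FORWARD
```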
Figure 144 Protocol and Device Filter Sets

27.5 Firewall Versus Filters

Firewall configuration is discussed in the firewall chapters of this manual. Further comparisons are also made between filtering, NAT and the firewall.

27.6 Applying a Filter

This section shows you where to apply the filter(s) after you design it (them). The Prestige already has filters to prevent NetBIOS traffic from triggering calls, and to block incoming telnet, FTP and HTTP connections.
Figure 145 Filtering LAN Traffic

    Menu 3.1 - LAN Port Filter Setup
      Input Filter Sets:
        protocol filters=
        device filters=
      Output Filter Sets:
        protocol filters=
        device filters=
    Press ENTER to Confirm or ESC to Cancel:

27.6.2 Applying Remote Node Filters

Go to menu 11.5 (shown below; note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate.
CHAPTER 28 SNMP Configuration

This chapter explains SNMP Configuration menu 22.

28.1 About SNMP

Simple Network Management Protocol is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Prestige supports SNMP agent functionality, which allows a manager station to manage and monitor the Prestige through the network. The Prestige supports SNMP version one (SNMPv1) and version two c (SNMPv2c).
The managed devices contain object variables/managed objects that define each piece of information to be collected about a device. Examples of variables include the number of packets received, node port status, etc. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects. SNMP itself is a simple request/response protocol based on the manager/agent model.
Figure 148 Menu 22 SNMP Configuration

    Menu 22 - SNMP Configuration
      SNMP:
        Get Community= public
        Set Community= public
        Trusted Host= 0.0.0.0
      Trap:
        Community= public
        Destination= 0.0.0.0
    Press ENTER to Confirm or ESC to Cancel:

The following table describes the SNMP configuration parameters.

Table 89 Menu 22 SNMP Configuration
FIELD                DESCRIPTION
SNMP: Get Community  Type the Get Community, which is the password for the incoming Get- and GetNext requests from the management station.
Table 90 SNMP Traps
TRAP #  TRAP NAME                                   DESCRIPTION
4       linkUp (defined in RFC-1215)                A trap is sent with the port number.
5       authenticationFailure (defined in RFC-1215)  A trap is sent to the manager when any SNMP get or set request is received with the wrong community (password).
6       whyReboot (defined in ZYXEL-MIB)            A trap is sent with the reason for the restart before rebooting when the system is going to restart (warm start).
CHAPTER 29 System Information and Diagnosis

This chapter covers the information and diagnostic tools in SMT menus 24.1 to 24.4. These tools include updates on system status, port status, log and trace capabilities and upgrades for the system software. This chapter describes how to use these tools in detail.

Type 24 in the main menu to open Menu 24 – System Maintenance, as shown in the following figure.

Figure 149 Menu 24 System Maintenance

    Menu 24 - System Maintenance
      1.
      2.
      3.
      4.
Figure 150 Menu 24.1 System Maintenance : Status

    Menu 24.1 - System Maintenance - Status            00:49:12 Sat. Jan. 01, 2000
      Port  Status     TxPkts  RxPkts  Cols  Tx B/s  Rx B/s  Up Time
      WAN   Down       0       0       0     0       0       0:00:00
      LAN   100M/Full  0       0       0     0       0       0:49:10

      Port  Ethernet Address   IP Address   IP Mask        DHCP
      WAN   00:A0:C5:01:23:46  0.0.0.0      0.0.0.0        Client
      LAN   00:A0:C5:01:23:45  192.168.1.1  255.255.255.0  Server

      System up Time: 0:49:15
      Name: P334
      Routing: IP
      ZyNOS F/W Version: V3.60(JJ.
Table 92 System Maintenance: Status Menu Fields
FIELD              DESCRIPTION
ZyNOS F/W Version  The ZyNOS firmware version and the date created.

You may enter 1 to drop the WAN connection, 9 to reset the counters or [ESC] to return to menu 24.

29.2 System Information

To get to the System Information:

1 Enter 24 to display Menu 24 — System Information and Console Port Speed.
2 Enter 2 to display Menu 24.2 — System Information.
Figure 152 Menu 24.2.1 System Maintenance : Information

    Menu 24.2.1 - System Maintenance - Information
      Name: P334
      Routing: IP
      ZyNOS F/W Version: V3.60(JJ.3)b1 | 08/20/2004
      LAN
        Ethernet Address: 00:A0:C5:01:23:45
        IP Address: 192.168.1.1
        IP Mask: 255.255.255.0
        DHCP: Server
    Press ESC or RETURN to Exit:

The following table describes the fields in this menu.

Table 93 Menu 24.2.1 System Maintenance : Information
FIELD  DESCRIPTION
Name   Displays the system name of your Prestige.
Figure 153 Menu 24.2.2 System Maintenance : Change Console Port Speed

    Menu 24.2.2 – System Maintenance – Change Console Port Speed
      Console Port Speed: 9600
    Press ENTER to Confirm or ESC to Cancel:

29.3 Log and Trace

There are two logging facilities in the Prestige. The first is the error logs and trace records that are stored locally. The second is the syslog facility for message logging.

29.3.
29.3.1.1 CDR

CDR Message Format

    SdcmdSyslogSend ( SYSLOG_CDR, SYSLOG_INFO, String);
    String = board xx line xx channel xx, call xx, str
    board   = the hardware board ID
    line    = the WAN ID in a board
    Channel = channel ID within the WAN
    call    = the call reference number, which starts from 1 and increments by 1 for each new call
    str     = C01 Outgoing Call dev xx ch xx (dev:device No. ch:channel No.
29.3.1.3 Filter log

Filter log Message Format

    SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String );
    String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD

IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m), drop (D).

    Src:  Source Address
    Dst:  Destination Address
    prot: Protocol (“TCP”, ”UDP”, ”ICMP”)
    spo:  Source port
    dpo:  Destination port

    Mar 03 10:39:43 202.132.155.
29.3.1.5 Firewall log

Firewall Log Message Format

    SdcmdSyslogSend(SYSLOG_FIREWALL, SYSLOG_NOTICE, buf);
    buf = IP[Src=xx.xx.xx.xx : spo=xxxx Dst=xx.xx.xx.xx : dpo=xxxx | prot | rule | action]

    Src:    Source Address
    spo:    Source port (empty means no source port information)
    Dst:    Destination Address
    dpo:    Destination port (empty means no destination port information)
    prot:   Protocol (“TCP”, ”UDP”, ”ICMP”, ”IGMP”, ”GRE”, ”ESP”)
    rule:   where a means "set" number; b means "rule" number.
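As an added example (not from the ZyXEL guide), here is a Python parser for the two syslog message bodies defined above, the filter log `IP[Src=... Dst=... prot spo=... dpo=...] SxxRxx<m><A>` and the firewall log `IP[Src=... : spo=... Dst=... : dpo=... | prot | rule | action]`, with a small drop counter per source address for a defender reviewing what the router rejected. The sample lines are constructed; decoding `n` as "not matched" and `F`/`N` as forward/check-next follows the Filter Rules Summary abbreviations (Table 85) and is an assumption, as is the `a,b` form of the firewall `rule` field.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Filter log body (29.3.1.3): IP[Src=a.b.c.d Dst=a.b.c.d prot spo=xxxx dpo=xxxx] Sxx>Rxx<m><A>
FILTER_RE = re.compile(
    r"IP\[Src=(?P<src>\d+\.\d+\.\d+\.\d+) Dst=(?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"(?P<prot>[A-Z]+) spo=(?P<spo>\d+) dpo=(?P<dpo>\d+)\] "
    r"S(?P<set>\d+)>R(?P<rule>\d+)(?P<matched>[mn])(?P<action>[FDN])"
)

# Firewall log body (29.3.1.5): IP[Src=a.b.c.d : spo=xxxx Dst=a.b.c.d : dpo=xxxx | prot | rule | action]
FIREWALL_RE = re.compile(
    r"IP\[Src=(?P<src>\d+\.\d+\.\d+\.\d+) : spo=(?P<spo>\d*) "
    r"Dst=(?P<dst>\d+\.\d+\.\d+\.\d+) : dpo=(?P<dpo>\d*) \| "
    r"(?P<prot>[A-Z]+) \| (?P<rule>[^|\]]*?) \| (?P<action>[^\]]*?)\]"
)

# Letter codes of the S04>R01mD suffix: 'm' and 'D' are explained on the page;
# 'n', 'F' and 'N' are assumed to follow the Table 85 abbreviations.
MATCH_CODES = {"m": "matched", "n": "not matched"}
ACTION_CODES = {"F": "forward", "D": "drop", "N": "check next rule"}


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one syslog line; the syslog prefix (timestamp, router IP) is not interpreted."""
    m = FILTER_RE.search(line)
    if m:
        return {
            "kind": "filter",
            "src": m["src"], "dst": m["dst"], "prot": m["prot"],
            "spo": int(m["spo"]), "dpo": int(m["dpo"]),
            "set": int(m["set"]), "rule": int(m["rule"]),
            "matched": MATCH_CODES[m["matched"]],
            "action": ACTION_CODES[m["action"]],
        }
    m = FIREWALL_RE.search(line)
    if m:
        # An empty spo/dpo means the packet carried no port information (e.g. ICMP).
        return {
            "kind": "firewall",
            "src": m["src"], "dst": m["dst"], "prot": m["prot"],
            "spo": int(m["spo"]) if m["spo"] else None,
            "dpo": int(m["dpo"]) if m["dpo"] else None,
            "rule": m["rule"].strip(),
            "action": m["action"].strip().lower(),
        }
    return None


def drops_by_source(lines: List[str]) -> Dict[str, int]:
    """Count dropped packets per source address across both log formats."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "drop":
            counts[rec["src"]] += 1
    return dict(counts)


# Constructed sample lines in the two formats above (not real router output).
SAMPLE_LINES = [
    "Mar 03 10:39:43 192.168.1.1 IP[Src=203.0.113.9 Dst=192.168.1.1 TCP spo=4421 dpo=23] S03>R01mD",
    "Mar 03 10:39:44 192.168.1.1 IP[Src=203.0.113.9 Dst=192.168.1.1 TCP spo=4422 dpo=80] S03>R01nF",
    "Mar 03 10:40:02 192.168.1.1 IP[Src=198.51.100.4 : spo=5100 Dst=192.168.1.1 : dpo=21 | TCP | 1,2 | drop]",
    "Mar 03 10:40:05 192.168.1.1 IP[Src=198.51.100.4 : spo= Dst=192.168.1.1 : dpo= | ICMP | 1,1 | drop]",
    "Mar 03 10:40:09 192.168.1.1 some unrelated message",
]
```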
Figure 155 Call-Triggering Packet Example

    IP Frame: ENET0-RECV    Size: 44/ 44    Time: 17:02:44.
    Frame Type:
    IP Header:
      IP Version, Header Length, Type of Service, Total Length, Identification,
      Flags, Fragment Offset, Time to Live, Protocol, Header Checksum,
      Source IP, Destination IP
    TCP Header:
      Source Port, Destination Port, Sequence Number, Ack Number, Header Length,
      Flags, Window Size, Checksum, Urgent Ptr
      Options   0000: 02 04 02 00
    RAW DATA:
      0000: 45 00 00 02
      0010: 00
      0020: 60
    Press any key to
Figure 156 Menu 24.4 System Maintenance : Diagnostic

    Menu 24.4 - System Maintenance - Diagnostic
      TCP/IP
        1. Ping Host
        2. WAN DHCP Release
        3. WAN DHCP Renewal
        4. Internet Setup Test
      System
        11. Reboot System
    Enter Menu Selection Number:
      Host IP Address= N/A

29.4.1 WAN DHCP

DHCP functionality can be enabled on the LAN or WAN as shown in LAN & WAN DHCP. LAN DHCP has already been discussed.
Table 95 System Maintenance Menu Diagnostic
FIELD               DESCRIPTION
WAN DHCP Renewal    Enter 3 to renew your WAN DHCP settings.
Internet Setup Test Enter 4 to test the Internet setup. You can also test the Internet setup in Menu 4 - Internet Access. Please refer to the Internet Access chapter for more details. This feature is only available for dial-up connections using PPPoE or PPTP encapsulation.
Reboot System       Enter 11 to reboot the Prestige.
CHAPTER 30 Firmware and Configuration File Maintenance

This chapter tells you how to back up and restore your configuration file as well as upload new firmware and configuration files.

30.1 Filename Conventions

The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc. It arrives from ZyXEL with a “rom” filename extension.
The following table is a summary. Please note that the internal filename refers to the filename on the Prestige and the external filename refers to the filename not on the Prestige, that is, on your computer, local network or FTP site, and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS F/W Version field in Menu 24.2.1 – System Maintenance – Information to confirm that you have uploaded the correct firmware version.
Figure 158 Telnet in Menu 24.5

    Menu 24.5 - System Maintenance - Backup Configuration
      To transfer the configuration file to your workstation, follow the procedure below:
      1. Launch the FTP client on your workstation.
      2. Type "open" and the IP address of your Prestige. Then type "root" and SMT password as requested.
      3. Locate the 'rom-0' file.
      4. Type 'get rom-0' to back up the current Prestige configuration to your workstation.
30.2.3 Example of FTP Commands from the Command Line

Figure 159 FTP Session Example

    331 Enter PASS command
    Password:
    230 Logged in
    ftp> bin
    200 Type I OK
    ftp> get rom-0 zyxel.rom
    200 Port command okay
    150 Opening data connection for STOR ras
    226 File received OK
    ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
    ftp> quit

30.2.4 GUI-based FTP Clients

The following table describes some of the commands that you may see in GUI-based FTP clients.
30.2.6 Backup Configuration Using TFTP

The Prestige supports uploading and downloading the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over the LAN. Although TFTP should work over the WAN as well, it is not recommended. To use TFTP, your computer must have both telnet and TFTP clients. To back up the configuration file, follow the procedure shown next.

1 Use telnet from your computer to connect to the Prestige and log in.
30.2.8 GUI-based TFTP Clients

The following table describes some of the fields that you may see in GUI-based TFTP clients.

Table 98 General Commands for GUI-based TFTP Clients
COMMAND     DESCRIPTION
Host        Enter the IP address of the Prestige. 192.168.1.1 is the Prestige’s default IP address when shipped.
Send/Fetch  Use “Send” to upload the file to the Prestige and “Fetch” to back up the file on your computer.
Local File  Enter the path and name of the firmware file (*.
Figure 160 Telnet into Menu 24.6

    Menu 24.6 -- System Maintenance - Restore Configuration
      To transfer the firmware and configuration file to your workstation, follow the procedure below:
      1. Launch the FTP client on your workstation.
      2. Type "open" and the IP address of your Prestige. Then type "root" and SMT password as requested.
      3.
30.3.2 Restore Using FTP Session Example

Figure 161 Restore Using FTP Session Example

    ftp> put config.rom rom-0
    200 Port command okay
    150 Opening data connection for STOR rom-0
    226 File received OK
    221 Goodbye for writing flash
    ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
    ftp>quit

30.4 Uploading Firmware and Configuration Files

This section shows you how to upload firmware and configuration files.
Figure 162 Telnet Into Menu 24.7.1 Upload System Firmware

    Menu 24.7.1 - System Maintenance - Upload System Firmware
      To upload the system firmware, follow the procedure below:
      1. Launch the FTP client on your workstation.
      2. Type "open" and the IP address of your system. Then type "root" and SMT password as requested.
      3.
4 Enter your password as requested (the default is “1234”).
5 Enter “bin” to set the transfer mode to binary.
6 Use “put” to transfer files from the computer to the Prestige. For example, “put firmware.bin ras” transfers the firmware on your computer (firmware.bin) to the Prestige and renames it “ras”. Similarly, “put config.rom rom-0” transfers the configuration file on your computer (config.rom) to the Prestige and renames it “rom-0”. Likewise “get rom-0 config.
3 Enter the command “sys stdio 0” to disable the console timeout, so the TFTP transfer will not be interrupted. Enter the command “sys stdio 5” to restore the five-minute console timeout (default) when the file transfer is complete.
4 Launch the TFTP client on your computer and connect to the Prestige. Set the transfer mode to binary before starting the data transfer.
5 Use the TFTP client (see the example below) to transfer files between the Prestige and the computer.
CHAPTER 31 System Maintenance

This chapter leads you through SMT menus 24.8 to 24.10.

31.1 Command Interpreter Mode

The Command Interpreter (CI) is a part of the main system firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions. Enter the CI from the SMT by selecting menu 24.8. See the included disk or the zyxel.com web site for more detailed information on CI commands.
31.1.2 Command Usage

A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished.

Figure 166 Valid Commands

    Copyright (c) 1994 - 2004 ZyXEL Communications Corp.
    P334> ?
    Valid commands are:
    sys       exit      device    ether
    poe       pptp      config    ip
    ipsec     ppp
    P334>

31.2 Call Control Support

The Prestige provides two call control functions: budget management and call history.
Figure 168 Budget Management

    Menu 24.9.1 - Budget Management
      Remote Node   Connection Time/Total Budget   Elapsed Time/Total Period
      1.MyISP       No Budget                      No Budget

The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked. After each period, the total budget is reset.
Figure 169 Menu 24.9.2 - Call History

    Menu 24.9.2 - Call History
      Phone Number   Dir   Rate   #call   Max   Min   Total
      1.
      2.
      3.
      4.
      5.
      6.
      7.
      8.
      9.
      10.
    Enter Entry to Delete(0 to exit):

The following table describes the fields in this menu.

Table 100 Call History Fields
FIELD         DESCRIPTION
Phone Number  The PPPoE service names are shown here.
Dir           This shows whether the call was incoming or outgoing.
Rate          This is the transfer rate of the call.
Figure 170 Menu 24: System Maintenance

    Menu 24 - System Maintenance
      1. System Status
      2. System Information and Console Port Speed
      3. Log and Trace
      4. Diagnostic
      5. Backup Configuration
      6. Restore Configuration
      7. Upload Firmware
      8. Command Interpreter Mode
      9. Call Control
      10. Time and Date Setting
      11. Remote Management Setup
    Enter Menu Selection Number:

Enter 10 to go to Menu 24.
Figure 171 Menu 24.10 System Maintenance: Time and Date Setting

    Menu 24.10 - System Maintenance - Time and Date Setting
      Time Protocol= NTP (RFC-1305)
      Time Server Address= time-b.nist.
Table 101 Time and Date Setting Fields
FIELD     DESCRIPTION
End Date  Enter the month and day that your daylight-savings time ends on if you selected Yes in the Daylight Saving field.

Once you have filled in this menu, press [ENTER] at the message “Press ENTER to Confirm or ESC to Cancel“ to save your configuration, or press [ESC] to cancel.

31.3.1 Resetting the Time

The Prestige resets the time in three instances:

1 On leaving menu 24.10 after making changes.
CHAPTER 32 Remote Management

This chapter covers remote management (SMT menu 24.11).

32.1 Remote Management

Remote management allows you to determine which services/protocols can access which Prestige interface (if any) from which computers. You may manage your Prestige from a remote location via:
• Internet (WAN only)
• ALL (LAN and WAN)
• LAN only
• Neither (Disable).
Figure 172 Menu 24.11 – Remote Management Control

    Menu 24.11 - Remote Management Control
      TELNET Server:  Port = 23   Access = ALL       Secure Client IP = 0.0.0.0
      FTP Server:     Port = 21   Access = ALL       Secure Client IP = 0.0.0.0
      Web Server:     Port = 80   Access = ALL       Secure Client IP = 0.0.0.0
      SNMP Service:   Port = 161  Access = LAN only  Secure Client IP = 0.0.0.0
      DNS Service:    Port = 53   Access = LAN only  Secure Client IP = 0.0.0.
3 The IP address in the Secure Client IP field (menu 24.11) does not match the client IP address. If it does not match, the Prestige will disconnect the session immediately.
4 There is an SMT console session running.
5 There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time.
6 There is a firewall rule that blocks it.
CHAPTER 33 Call Scheduling

Call scheduling (applicable for PPPoA or PPPoE encapsulation only) allows you to dictate when a remote node should be called and for how long.

33.1 Introduction to Call Scheduling

The call scheduling feature allows the Prestige to manage a remote node and dictate when a remote node should be called and for how long. This feature is similar to the scheduler in a videocassette recorder (you can specify a time period for the VCR to record).
You can design up to 12 schedule sets, but you can only apply up to four schedule sets to a remote node.

Note: To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] (or delete) in the Edit Name field.

To set up a schedule set, select the schedule set you want to set up from menu 26 (1-12) and press [ENTER] to see Menu 26.1 — Schedule Set Setup, as shown next.

Figure 174 Menu 26.1 Schedule Set Setup

    Menu 26.
Table 103 Menu 26.1 Schedule Set Setup

FIELD       DESCRIPTION
Start Time  Enter the start time when you wish the schedule set to take effect in hour-minute format.
Duration    Enter the maximum length of time this connection is allowed in hour-minute format.
Action      Forced On means that the connection is maintained whether or not there is a demand call on the line and will persist for the time period specified in the Duration field.
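A schedule set is only meaningful once you can say, for a given clock time, which set applies and what its Action is, including the case where Start Time plus Duration runs past midnight. The following is an added example, not ZyXEL code, that evaluates schedule sets defined with the Start Time, Duration and Action fields of Table 103; the set limits are the ones stated in this chapter, the set name and the overnight schedule are constructed, and Forced On is the only Action value used because it is the one described here.

```python
from datetime import datetime, time, timedelta

MAX_SCHEDULE_SETS = 12         # sets you can define (section 33.1 above)
MAX_SETS_PER_REMOTE_NODE = 4   # sets you can apply to one remote node


def parse_hm(text):
    """Parse the hour-minute format of Start Time and Duration, e.g. '22:30'.
    Hours above 23 are accepted for Duration so a connection can span days."""
    hours, minutes = (int(part) for part in text.split(":"))
    if hours < 0 or not 0 <= minutes <= 59:
        raise ValueError(f"bad hour-minute value {text!r}")
    return timedelta(hours=hours, minutes=minutes)


def schedule_window(schedule_set, day):
    """Return (start, end) of the set's window that begins on `day`.
    A Duration that runs past midnight simply ends on the following day."""
    start = datetime.combine(day, time(0)) + parse_hm(schedule_set["start"])
    if start.date() != day:
        raise ValueError("Start Time must lie within the day (00:00 to 23:59)")
    return start, start + parse_hm(schedule_set["duration"])


def active_action(applied_sets, now):
    """Return the Action of the first applied set whose window covers `now`,
    or None when no set applies.  Sets are checked in the order they are
    applied to the remote node; both today's and yesterday's windows are
    tested so a set that started before midnight is still honoured after it."""
    if len(applied_sets) > MAX_SETS_PER_REMOTE_NODE:
        raise ValueError(f"a remote node may use at most {MAX_SETS_PER_REMOTE_NODE} schedule sets")
    for schedule_set in applied_sets:
        for day in (now.date(), now.date() - timedelta(days=1)):
            start, end = schedule_window(schedule_set, day)
            if start <= now < end:
                return schedule_set["action"]
    return None


# Constructed schedule: keep the link up from 22:00 for four hours
# (Forced On is the Action described in Table 103; the set name is made up).
NIGHT_BATCH = [{"name": "night", "start": "22:00", "duration": "04:00", "action": "Forced On"}]
```

Checking yesterday's window as well as today's is what makes 01:30 fall inside a set that started at 22:00 the evening before; without it an overnight Forced On set would silently end at midnight.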
CHAPTER 34 VPN/IPSec Setup

This chapter introduces the VPN SMT menus.

34.1 VPN/IPSec Overview

The VPN/IPSec main SMT menu has these main submenus:
1 Define VPN policies in menu 27.1 submenus, including security policies, endpoint IP addresses, peer IPSec router IP address and key management.
2 Menu 27.2 - SA Monitor allows you to manage (refresh or disconnect) your SA connections.

This is an overview of the VPN menu tree.
Figure 177 Menu 27 VPN/IPSec Setup

    Menu 27 - VPN/IPSec Setup

    1. IPSec Summary
    2. SA Monitor

    Enter Menu Selection Number:

34.2 IPSec Summary Screen

Type 1 in menu 27 and then press [ENTER] to display Menu 27.1 IPSec Summary. This is a summary read-only menu of your IPSec rules (tunnels). Edit or create an IPSec rule by selecting an index number and then configuring the associated submenus.

Figure 178 Menu 27 Menu 27.
Table 104 Menu 27.1 IPSec Summary

FIELD             DESCRIPTION
Local Addr Start  When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is a static IP address on the LAN behind your Prestige. When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Range, this is the beginning (static) IP address, in a range of computers on the LAN behind your Prestige. When the Addr Type field in Menu 27.1.
Table 104 Menu 27.1 IPSec Summary

FIELD            DESCRIPTION
Remote Addr End  When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is the same (static) IP address as in the Remote Addr Start field. When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Range, this is the end (static) IP address, in a range of computers on the network behind the remote IPSec router. When the Addr Type field in Menu 27.1.
Figure 179 Menu 27.1.1 IPSec Setup

    Menu 27.1.1 – IPSec Setup

    Index= 1                    Name= Taiwan
    Active= Yes                 Keep Alive= No          Nat Traversal= No
    Local ID type               Content=
    My IP Addr= 0.0.0.0
    Peer ID type= IP            Content=
    Secure Gateway Address= zw50test.zyxel.com.tw
    Protocol= 0
    DNS Server= 0.0.0.0
    Local:                                  Remote:
      Addr Type= SINGLE                       Addr Type= SUBNET
      Local IP Addr= 1.1.1.1                  IP Addr Start= 4.4.4.4
        Port Start= 0                           Port Start= 0
        End= N/A                                End/Subnet Mask= 255.255.0.
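The Local and Remote blocks of this menu are traffic selectors: a packet is only allowed to bring the tunnel up when its addresses fall inside both endpoints and its ports satisfy the Port Start/End rule of Table 105. The following is an added example, not ZyXEL code, that applies the three Addr Type values (SINGLE, RANGE, SUBNET) and the port rule to a flow. The rule dictionary is a constructed copy of Figure 179; the remote subnet mask is assumed to be 255.255.0.0 because the figure shows it truncated.

```python
from ipaddress import ip_address, ip_network


def endpoint_matches(endpoint, addr, port):
    """Does (addr, port) fall inside one Local or Remote endpoint definition?

    Addr Type SINGLE matches one address, RANGE an inclusive range and SUBNET
    the network given by IP Addr Start and the subnet mask.  Port Start 0
    means any port; a non-zero Port Start with End N/A (None) means exactly
    that port; Port Start and End together define an inclusive range.
    """
    ip = ip_address(addr)
    kind = endpoint["addr_type"]
    if kind == "SINGLE":
        in_addr = ip == ip_address(endpoint["ip_start"])
    elif kind == "RANGE":
        in_addr = ip_address(endpoint["ip_start"]) <= ip <= ip_address(endpoint["ip_end"])
    elif kind == "SUBNET":
        # strict=False lets a host address such as 4.4.4.4 stand for its network.
        network = ip_network(f"{endpoint['ip_start']}/{endpoint['subnet_mask']}", strict=False)
        in_addr = ip in network
    else:
        raise ValueError(f"unknown Addr Type {kind!r}")
    if not in_addr:
        return False

    port_start = endpoint.get("port_start", 0)
    port_end = endpoint.get("port_end")
    if port_start == 0:            # 0 is the default and signifies any port
        return True
    if port_end is None:           # End = N/A: a single port
        return port == port_start
    return port_start <= port <= port_end


def policy_matches(policy, local_ip, local_port, remote_ip, remote_port):
    """True when a flow satisfies both endpoints of a Menu 27.1.1 rule; traffic
    that does not match cannot bring the tunnel up, as Table 105 notes."""
    return (endpoint_matches(policy["local"], local_ip, local_port)
            and endpoint_matches(policy["remote"], remote_ip, remote_port))


# Constructed rule mirroring Figure 179 (remote mask assumed to be 255.255.0.0).
TAIWAN_RULE = {
    "name": "Taiwan",
    "local": {"addr_type": "SINGLE", "ip_start": "1.1.1.1",
              "port_start": 0, "port_end": None},
    "remote": {"addr_type": "SUBNET", "ip_start": "4.4.4.4", "subnet_mask": "255.255.0.0",
               "port_start": 0, "port_end": None},
}
```

The example goes slightly beyond Figure 179 by handling RANGE endpoints and port ranges too, since those are the other forms Tables 104 and 105 describe.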
Table 105 Menu 27.1.1 IPSec Setup

FIELD    DESCRIPTION
Content  When you select IP in the Local ID Type field, type the IP address of your computer or leave the field blank to have the Prestige automatically use its own IP address. When you select DNS in the Local ID Type field, type a domain name (up to 31 characters) by which to identify this Prestige.
Table 105 Menu 27.1.1 IPSec Setup

FIELD       DESCRIPTION
Port Start  0 is the default and signifies any port. Type a port number from 0 to 65535. You cannot create a VPN tunnel if you try to connect using a port number that does not match this port number or range of port numbers. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3
End         Enter a port number in this field to define a port range.
Table 105 Menu 27.1.1 IPSec Setup

FIELD                    DESCRIPTION
Enable Replay Detection  As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Enable replay detection by setting this field to Yes. Press [SPACE BAR] to select Yes or No. Choose Yes and press [ENTER] to enable replay detection.
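Replay detection of the kind this field enables is normally implemented with a sliding window over the ESP/AH sequence number: anything below the window is "old", anything already marked inside it is a "duplicate", and a higher number slides the window forward. The following is an added example, not Prestige firmware, of the window scheme described in RFC 4303 Appendix A; the default window size of 64 is an assumption, and the example takes the packet's integrity check as already passed, since a real receiver updates the window only after that check.

```python
class ReplayWindow:
    """Sliding anti-replay window of the kind an IPSec receiver keeps per SA.

    `last` is the highest sequence number accepted so far and bit i of
    `bitmap` records whether sequence number (last - i) has been seen.
    A real receiver only updates the window after the packet's integrity
    check has passed; that check is assumed to have happened here.
    """

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.last = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return (accepted, reason) for a received sequence number and update
        the window when the packet is accepted."""
        if seq <= 0:
            return False, "sequence numbers start at 1; 0 is never valid"
        mask = (1 << self.size) - 1
        if seq > self.last:
            # New highest number: slide the window right by the gap.
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.last = seq
            return True, "new highest sequence number, window advanced"
        offset = self.last - seq
        if offset >= self.size:
            return False, "too old: sequence number fell off the left edge of the window"
        if self.bitmap & (1 << offset):
            return False, "duplicate: sequence number already received"
        self.bitmap |= 1 << offset
        return True, "accepted: inside the window and not seen before"


def filter_sequence(seqs, size=64):
    """Run a list of received sequence numbers through one window and return
    the accepted ones; handy for seeing the behaviour on a constructed stream."""
    window = ReplayWindow(size)
    return [s for s in seqs if window.check_and_update(s)[0]]
```

The window tolerates reordering (3 arriving after 5 is still accepted) while rejecting both a replayed 3 and a packet that is more than 64 numbers behind the newest one, which is exactly the "old or duplicate" distinction the table describes.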
Figure 180 Menu 27.1.1.1 IKE Setup

    Menu 27.1.1.1 - IKE Setup

    Phase 1
      Negotiation Mode= Main
      Pre-Shared Key= ?
      Encryption Algorithm= DES
      Authentication Algorithm= MD5
      SA Life Time (Seconds)= 28800
      Key Group= DH1

    Phase 2
      Active Protocol= ESP
      Encryption Algorithm= DES
      Authentication Algorithm= SHA1
      SA Life Time (Seconds)= 28800
      Encapsulation= Tunnel
      Perfect Forward Secrecy (PFS)= None

    Press ENTER to Confirm or ESC to Cancel:
    Press Space Bar to Toggle.
Table 106 Menu 27.1.1.1 IKE Setup

FIELD                     DESCRIPTION
Authentication Algorithm  MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slightly slower. Press [SPACE BAR] to choose from SHA1 or MD5 and then press [ENTER].
SA Life Time (Seconds)    Define the length of time before an IKE Security Association automatically renegotiates in this field.
34.4.0.1 Active Protocol

This field is a combination of mode and security protocols used for the VPN. See the Web Configurator part on VPN for more information on these parameters.

Table 107 Active Protocol: Encapsulation and Security Protocol

MODE       SECURITY PROTOCOL
Tunnel     ESP
Transport  AH

34.4.0.2 Security Parameter Index (SPI)

To edit this menu, move the cursor to the Edit Manual Setup field in Menu 27.1.
Table 108 Menu 27.1.1.2 Manual Setup

FIELD                 DESCRIPTION
Encryption Algorithm  Press [SPACE BAR] to choose from NULL, 3DES or DES and then press [ENTER]. Fill in the Key1 field below when you choose DES and fill in fields Key1 to Key3 when you choose 3DES. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter any encryption keys.
Key1                  Enter a unique eight-character key.
CHAPTER 35 SA Monitor

This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27.2.

35.1 SA Monitor Overview

A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This menu (shown next) displays active VPN connections.

Note: When there is outbound traffic but no inbound traffic, the SA times out automatically after two minutes.
Figure 182 Menu 27.2 SA Monitor

    Menu 27.2 - SA Monitor

    #    Name                              Encap.    IPSec ALgorithm
    ---  --------------------------------  --------  ----------------
    001  Taiwan : 3.3.3.1 – 3.3.3.3.100    Tunnel    ESP DES MD5
    002
    003
    004
    005
    006
    007
    008
    009
    010

    Select Command= Refresh
    Select Connection= N/A

    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.

Table 109 Menu 27.2 SA Monitor

FIELD  DESCRIPTION
#      This is the security association index number.
Appendix A Troubleshooting

This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our included disk for further information.

Table 110 Troubleshooting

PROBLEM: None of the LEDs turn on when you turn on the Prestige.
CORRECTIVE ACTION:
Table 110 Troubleshooting

PROBLEM: Access to a web page with a URL containing a forbidden keyword is not blocked.
CORRECTIVE ACTION: Make sure that you select the Keyword Blocking check box in the Content Filtering screen. Make sure that the keywords that you type are listed in the Keyword List.

PROBLEM: Parental Control is configured correctly, but I can still access restricted web pages.
CORRECTIVE ACTION: Restart the device to clear the cache.
Appendix B PPPoE

PPPoE in Action

An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your computer to an ATM PVC (Permanent Virtual Circuit) which connects to a DSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP.
Figure 183 Single-Computer per Router Hardware Configuration

How PPPoE Works

The PPPoE driver makes the Ethernet appear as a serial link to the computer and the computer runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP. The L2TP tunnel is capable of carrying multiple PPP sessions.
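When you capture the Ethernet side of this exchange, every PPPoE frame starts with the six-byte header defined in RFC 2516 (version/type, code, session id, length) followed, in the discovery stage, by a list of tags. The following is an added example, not ZyXEL or RFC code, that parses that header and tag list with bounds checks so a malformed frame is rejected rather than read past its end; the PADI builder exists only to construct sample input.

```python
import struct

PPPOE_VER_TYPE = 0x11   # VER = 1, TYPE = 1 in the first header byte (RFC 2516)
PPPOE_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR",
               0x65: "PADS", 0xA7: "PADT", 0x00: "SESSION"}
PPPOE_TAGS = {0x0000: "End-Of-List", 0x0101: "Service-Name", 0x0102: "AC-Name",
              0x0103: "Host-Uniq", 0x0104: "AC-Cookie", 0x0105: "Vendor-Specific",
              0x0110: "Relay-Session-Id", 0x0201: "Service-Name-Error",
              0x0202: "AC-System-Error", 0x0203: "Generic-Error"}


def parse_pppoe(payload):
    """Parse the six-byte PPPoE header and, for discovery packets, the TAG list.

    Every length is checked against the captured bytes so a malformed frame
    raises ValueError instead of being read past its end.
    """
    if len(payload) < 6:
        raise ValueError("truncated PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", payload[:6])
    if ver_type != PPPOE_VER_TYPE:
        raise ValueError(f"unsupported VER/TYPE byte 0x{ver_type:02x}")
    if code not in PPPOE_CODES:
        raise ValueError(f"unknown CODE 0x{code:02x}")
    body = payload[6:6 + length]
    if len(body) != length:
        raise ValueError("LENGTH field exceeds captured payload")

    packet = {"code": PPPOE_CODES[code], "session_id": session_id, "tags": []}
    if code == 0x00:                       # session stage: a PPP frame follows
        packet["ppp_payload"] = body
        return packet

    offset = 0                             # discovery stage: TLV tags
    while offset < length:
        if offset + 4 > length:
            raise ValueError("truncated TAG header")
        tag_type, tag_len = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + tag_len]
        if len(value) != tag_len:
            raise ValueError("TAG_LENGTH exceeds payload")
        packet["tags"].append((PPPOE_TAGS.get(tag_type, f"0x{tag_type:04x}"), value))
        offset += 4 + tag_len
        if tag_type == 0x0000:
            break
    return packet


def build_padi(service_name=b"", host_uniq=b""):
    """Build the PADI a client broadcasts to find an access concentrator;
    used here only to construct sample input for parse_pppoe."""
    tags = struct.pack("!HH", 0x0101, len(service_name)) + service_name
    if host_uniq:
        tags += struct.pack("!HH", 0x0103, len(host_uniq)) + host_uniq
    return struct.pack("!BBHH", PPPOE_VER_TYPE, 0x09, 0, len(tags)) + tags
```

Discovery frames carry session id 0 until the PADS assigns one; from then on the session id in every frame is what ties a PPP packet to its session, which is why the parser keeps it for both stages.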
Appendix C PPTP

What is PPTP?

PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a computer to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Network Termination) where PPTP is used only over the short haul between the computer and the modem over Ethernet.
PPTP Protocol Overview

PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user. The PNS is the box that hosts both the PPP and the PPTP stacks and forms one end of the PPTP tunnel. The PAC is the box that dials/answers the phone calls and relays the PPP frames to the PNS.
Figure 187 Example Message Exchange between Computer and an ANT

PPP Data Connection

The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
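The GRE variant PPTP uses is the "enhanced GRE" of RFC 2637 section 4: the key field carries the payload length and the Call ID, and sequence and acknowledgment numbers follow only when the S and A flags are set. The following is an added example, not ZyXEL code, that parses that header and groups the PPP payloads of one tunnel by Call ID, which is how a monitoring tool tells the calls inside a tunnel apart; the packet builder exists only to construct sample input.

```python
import struct
from collections import defaultdict

GRE_PROTO_PPP = 0x880B   # protocol type for PPP in enhanced GRE (RFC 2637 section 4)


def parse_pptp_gre(packet):
    """Parse an enhanced GRE header and return its fields, including the Call ID.

    RFC 2637 fixes the flag bits: K (key present) must be 1, C, R and s must
    be 0, the version must be 1 and the protocol type 0x880B.  The key field
    carries the payload length and the Call ID; sequence and acknowledgment
    numbers are present only when S and A are set.
    """
    if len(packet) < 8:
        raise ValueError("truncated enhanced GRE header")
    b0, b1, proto = struct.unpack("!BBH", packet[:4])
    flags = {"C": bool(b0 & 0x80), "R": bool(b0 & 0x40), "K": bool(b0 & 0x20),
             "S": bool(b0 & 0x10), "s": bool(b0 & 0x08), "A": bool(b1 & 0x80)}
    version = b1 & 0x07
    if proto != GRE_PROTO_PPP or version != 1:
        raise ValueError("not enhanced GRE carrying PPP")
    if not flags["K"] or flags["C"] or flags["R"] or flags["s"]:
        raise ValueError("flag bits violate RFC 2637")
    payload_len, call_id = struct.unpack("!HH", packet[4:8])
    offset = 8
    seq = ack = None
    if flags["S"]:
        if len(packet) < offset + 4:
            raise ValueError("truncated sequence number")
        seq = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags["A"]:
        if len(packet) < offset + 4:
            raise ValueError("truncated acknowledgment number")
        ack = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    payload = packet[offset:offset + payload_len]
    if len(payload) != payload_len:
        raise ValueError("payload length exceeds captured bytes")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


def calls_by_id(packets):
    """Group captured GRE packets of one tunnel by Call ID, as the PNS and PAC
    do to tell the PPP sessions inside a single tunnel apart."""
    calls = defaultdict(list)
    for packet in packets:
        parsed = parse_pptp_gre(packet)
        calls[parsed["call_id"]].append(parsed["payload"])
    return dict(calls)


def build_gre(call_id, payload, seq=None, ack=None):
    """Build an enhanced GRE packet; used here only to construct sample input."""
    b0 = 0x20 | (0x10 if seq is not None else 0)     # K set, S if a sequence number follows
    b1 = 0x01 | (0x80 if ack is not None else 0)     # version 1, A if an ack number follows
    header = struct.pack("!BBHHH", b0, b1, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        header += struct.pack("!I", seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + payload
```

Rejecting packets whose flag bits do not match RFC 2637 is deliberate: a parser that silently accepts a checksum or routing field it does not expect would compute the wrong offset for the payload.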
Appendix D NetBIOS Filter Commands

The following describes the NetBIOS packet filter commands.

Introduction

NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.
The filter types and their default settings are as follows.

Table 113 NetBIOS Filter Default Settings

NAME: Between LAN and WAN
DESCRIPTION: This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN.
EXAMPLE: Block

NAME: IPSec Packets
DESCRIPTION: This field displays whether NetBIOS packets sent through a VPN connection are blocked or forwarded.
EXAMPLE:

NAME: Trigger dial
DESCRIPTION: This field displays whether NetBIOS packets are allowed to initiate calls.
EXAMPLE: Disabled
Appendix E Log Descriptions

Configure centralized logs using the embedded web configurator; see online help for details. This appendix provides descriptions of example log messages.

Table 114 System Error logs

LOG MESSAGE                                      DESCRIPTION
%s exceeds the max. number of session per host!  This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.
Table 116 UPnP Logs

LOG MESSAGE                 DESCRIPTION
UPnP pass through Firewall  UPnP packets can pass through the firewall.
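Once these logs are sent to a central syslog host they can be matched mechanically. The following is an added example, not ZyXEL code, that runs the two message templates above over a few constructed log lines, counts per-host NAT session-limit events and lists hosts that hit the limit repeatedly; the syslog prefix (timestamp and hostname) and the alert threshold are assumptions of the example, while the message texts are the ones in Tables 114 and 116.

```python
import re
from collections import Counter

# Message templates from Tables 114 and 116; %s in the first is the host's IP address.
SESSION_LIMIT_RE = re.compile(
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}) exceeds the max\. number of session per host!")
UPNP_PASS_RE = re.compile(r"UPnP pass through Firewall")

# Constructed sample log: the timestamp/hostname prefix is an assumed syslog
# layout; the message texts are the ones from the tables above.
SAMPLE_LOG = """\
Jun 12 10:05:01 prestige: 192.168.1.33 exceeds the max. number of session per host!
Jun 12 10:05:02 prestige: UPnP pass through Firewall
Jun 12 10:05:03 prestige: 192.168.1.33 exceeds the max. number of session per host!
Jun 12 10:05:09 prestige: 192.168.1.40 exceeds the max. number of session per host!
Jun 12 10:05:15 prestige: 192.168.1.33 exceeds the max. number of session per host!
"""


def summarize_logs(log_text):
    """Count session-limit hits per host and UPnP pass-through events;
    lines matching neither template are returned unchanged for review."""
    per_host = Counter()
    upnp = 0
    unmatched = []
    for line in log_text.splitlines():
        m = SESSION_LIMIT_RE.search(line)
        if m:
            per_host[m["host"]] += 1
        elif UPNP_PASS_RE.search(line):
            upnp += 1
        else:
            unmatched.append(line)
    return {"session_limit_by_host": dict(per_host),
            "upnp_passthrough": upnp,
            "unmatched": unmatched}


def hosts_over_threshold(summary, threshold=3):
    """Hosts that hit the per-host NAT session limit at least `threshold`
    times; the threshold is an arbitrary example value."""
    return sorted(host for host, count in summary["session_limit_by_host"].items()
                  if count >= threshold)
```

A LAN host that keeps exhausting its NAT session allowance is worth a look, since the limit exists to keep one machine from consuming the whole session table; the unmatched list is kept so messages outside the two templates are not silently dropped.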
Appendix F Setting up Your Computer’s IP Address

All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package.
Figure 188 Windows 95/98/Me: Network: Configuration

Installing Components

The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.

If you need the adapter:
1 In the Network window, click Add.
2 Select Adapter and then click Add.
3 Select the manufacturer and model of your network adapter and then click OK.

If you need TCP/IP:
1 In the Network window, click Add.
3 Select Microsoft from the list of manufacturers.
4 Select Client for Microsoft Networks from the list of network clients and then click OK.
5 Restart your computer so the changes you made take effect.

Configuring

1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties.
2 Click the IP Address tab.
• If your IP address is dynamic, select Obtain an IP address automatically.
Figure 190 Windows 95/98/Me: TCP/IP Properties: DNS Configuration

4 Click the Gateway tab.
• If you do not know your gateway’s IP address, remove previously installed gateways.
• If you have a gateway IP address, type it in the New gateway field and click Add.
5 Click OK to save and close the TCP/IP Properties window.
6 Click OK to close the Network window. Insert the Windows CD if prompted.
7 Turn on your Prestige and restart your computer when prompted.
Figure 191 Windows XP: Start Menu

2 For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections.

Figure 192 Windows XP: Control Panel

3 Right-click Local Area Connection and then click Properties.
Figure 193 Windows XP: Control Panel: Network Connections: Properties

4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties.

Figure 194 Windows XP: Local Area Connection Properties

5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
• If you have a dynamic IP address click Obtain an IP address automatically.
• If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. Click Advanced.

Figure 195 Windows XP: Advanced TCP/IP Settings

6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses:
• In the IP Settings tab, in IP addresses, click Add.
7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP):
• Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
• If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields. If you have previously configured DNS servers, click Advanced and then the DNS tab to order them.
Macintosh OS 8/9

1 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel.

Figure 197 Macintosh OS 8/9: Apple Menu

2 Select Ethernet built-in from the Connect via list.
Figure 198 Macintosh OS 8/9: TCP/IP

3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.
4 For statically assigned settings, do the following:
• From the Configure box, select Manually.
• Type your IP address in the IP Address box.
• Type your subnet mask in the Subnet mask box.
• Type the IP address of your Prestige in the Router address box.
5 Close the TCP/IP Control Panel.
6 Click Save if prompted, to save changes to your configuration.
• Select Built-in Ethernet from the Show list.
• Click the TCP/IP tab.
3 For dynamically assigned settings, select Using DHCP from the Configure list.

Figure 200 Macintosh OS X: Network

4 For statically assigned settings, do the following:
• From the Configure box, select Manually.
• Type your IP address in the IP Address box.
• Type your subnet mask in the Subnet mask box.
• Type the IP address of your Prestige in the Router address box.
Appendix G Brute-Force Password Guessing Protection

The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password.

Table 118 Brute-Force Password Guessing Protection Commands

COMMAND         DESCRIPTION
sys pwderrtm    This command displays the brute-force guessing password protection settings.
sys pwderrtm 0  This command turns off the password’s protection from brute-force guessing.
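The protection these commands control is a timed lockout: after a run of wrong passwords the device refuses logins for a configured number of minutes, and `sys pwderrtm 0` switches that off. The following is an added example, not ZyXEL code, of such a lockout with the clock passed in so it can be exercised deterministically. The failure threshold of three and the device-wide (rather than per-user) scope are assumptions of the example, not facts stated on this page.

```python
from datetime import datetime, timedelta


class PasswordGuard:
    """Lockout in the spirit of the `sys pwderrtm` setting above.

    After `max_failures` consecutive wrong passwords every login attempt,
    correct or not, is refused for `lock_minutes`; `lock_minutes = 0` turns
    the protection off, as `sys pwderrtm 0` does.  The threshold of three and
    the device-wide scope are assumptions of this example.
    """

    def __init__(self, lock_minutes, max_failures=3):
        self.max_failures = max_failures
        self.failures = 0
        self.locked_until = None
        self.set_pwderrtm(lock_minutes)

    def set_pwderrtm(self, minutes):
        """Configure the lockout time in minutes; 0 disables the mechanism."""
        if minutes < 0:
            raise ValueError("lockout minutes must be 0 or positive")
        self.lock_minutes = minutes
        if minutes == 0:
            self.locked_until = None

    def attempt(self, password_ok, now):
        """Return 'ok', 'denied' or 'locked' for one login attempt at time `now`."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"          # the window is still open: refuse regardless of password
        self.locked_until = None
        if password_ok:
            self.failures = 0        # a successful login resets the failure count
            return "ok"
        self.failures += 1
        if self.lock_minutes > 0 and self.failures >= self.max_failures:
            self.locked_until = now + timedelta(minutes=self.lock_minutes)
            self.failures = 0
            return "locked"
        return "denied"
```

Because the lockout is device-wide, the window also keeps the legitimate administrator out while it runs; a short window slows guessing enough while keeping that side effect small, which is the trade-off the minutes value expresses.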
Appendix H TMSS

This appendix discusses Trend Micro Security Services setup and access. Please see your TMSS user guide for more information.

Note: Make sure that you have not restricted access to ActiveX, Cookies or Web Proxy features in the Advanced Firewall Filter screen. If you restrict Web access to these features you will not be able to use TMSS.

To view the TMSS dashboard, follow the steps below.
1 Click TMSS under ADVANCED in the web configurator.
Figure 202 TMSS Welcome Screen

7 Click Continue>> to proceed to download the ActiveX control.

Figure 203 Download ActiveX Control

8 Select Yes to install and run the ActiveX control.
9 Once the installation is complete the Home Network Security Services dashboard appears. From this screen you can take advantage of all TMSS features.
Figure 204 Home Network Security Services Dashboard

10 See the Trend Micro User’s Guide for information on TMSS.
Appendix I Triangle Route

The Ideal Setup

When the firewall is on, your Prestige acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the Prestige to protect your LAN against attacks.

Figure 205 Ideal Setup

The “Triangle Route” Problem

A traffic route is a path for sending or receiving data packets between two Ethernet devices.
Figure 206 “Triangle Route” Problem

The “Triangle Route” Solutions

This section presents two solutions to the “triangle route” problem.

IP Aliasing

IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your Prestige supports up to three logical LAN interfaces with the Prestige being the gateway for each logical network.
Figure 207 IP Alias

Gateways on the WAN Side

A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side as the following figure shows. This ensures that all incoming network traffic passes through your Prestige to your LAN. Therefore your LAN is protected.

Figure 208 Gateways on the WAN Side

How To Configure Triangle Route

1 From the SMT main menu, enter 24.
2 Enter “8” in menu 24 to enter CI command mode.
Index

A
Active 225
ActiveX 135
Allocated Budget 227
AT command 287
Authen 227
Authentication Protocol 226

B
Backup 196, 287
Budget Management 299, 300

C
Call Control 299
Call History 300
Call Scheduling 310
Maximum Number of Schedule

D
Default 198
Denial of Service 254
DHCP 58, 64, 65, 67, 192, 193, 277
DNS 146
DNS Server For VPN Host 161
Domain Name 92
Dynamic DNS 58, 207
DYNDNS Wildcard 58

E
ECHO 92
Edit IP 226
Encapsulation 225, 228
Ethernet Encapsulation 91, 224, 225
FTP 58, 64, 90, 91, 92, 138, 142, 307
FTP File Transfer 293
FTP Restrictions 138, 289, 307
FTP Server 247

G
Gateway 235
Gateway IP Addr 229
Gateway IP Address 220
General Setup 56
Global 86

H
Hidden Menus 202
Hop Count 235
Host 60
HTTP 92, 320

L
LAN Setup 64, 72
LAN TCP/IP 64
Local 86
Log Facility 278
Login Name 219

M
MAC Address 210
Management Information Base (MIB) 143, 271
Many to Many No Overload 89
Many to Many Overload 89
Many to One 89
Message Logging 278
Metric 72, 104
O
One to One 89
Outside 86

P
Password 60, 200, 204, 219, 271
Period(hr) 227
Ping 283
Point-to-Point Tunneling Protocol 77, 92
POP3 92
Port Numbers 92
PPPoE 332
PPPoE Encapsulation 222, 224, 227
PPTP 92
Private 104, 230, 235

R
RAS 277
Related Documentation 30
Rem Node Name 225
Remote Management Firewall 254
Remote Management and NAT 139
Remote Management Limitations 138, 307
Remote Node Filter 230
Required fields 202
Resetting the Time 304
Restore 197
Restore Configuration 291
Re
Trace Records 278
Traffic Redirect 82, 83
Trigger Port Forwarding 252
  Process 98

U
Universal Plug and Play (UPnP) 106
UNIX Syslog 278
Upload Firmware 293
URL Keyword Blocking 135
Use Server Detected IP 209
User Name 59, 208
User Specified IP Addr 209

V
VPN 77

W
WAN DHCP 283, 284
WAN Setup 210
Web 139
Web Configurator 255
Web Proxy 135
www.dyndns.