
LANCOM 821+ LANCOM 1711 VPN LANCOM 1721


Contents

1. Chapter 8: Security settings

Your LANCOM Router has numerous security functions. This chapter contains all the information you need for optimal protection.

The security settings wizard

Access to the configuration of a device not only allows critical information such as the WEP key or Internet password to be read out. The entire settings of the security functions (e.g. the firewall) can also be altered. Unauthorized configuration access therefore endangers not only a single device but the entire network.

Your LANCOM Router has password protection for configuration access. This protection is already activated during the basic configuration by entering a password.

The device locks access to its configuration for a specified period of time after a certain number of failed log-in attempts. Both the number of failed attempts and the duration of the lock can be set as needed. By default, access is locked for a period of five minutes after the fifth failed log-in attempt.

Wizard for LANconfig

Mark your LANCOM Router in the selection window. Select from the command bar Extras > Setup Wizard.

[Screenshot: Setup Wizard for LANCOM 1811 Wireless DSL. "This wizard lets you configure your device for specific applications quickly and easily. What do you want to do?"] Set up Inteme
2. off no logic connection green flashing Establishing first connection green inverse flashing Establishing further connection green constantly on Connection s established green flickering Data traffic send or receive Data traffic via the DSL connection off no physical connection green constantly on physical connection to network device operational green flickering Data traffic send or receive 25 LANCOM 821 LANCOM 1711 VPN LANCOM 1721 VPN E Chapter 2 Installation ISDN status O ISDNdata ETH 1 to ETH 4 LANCOM 821 and LANCOM 1721 VPN LAN 1 to LAN 4 LANCOM 1711 VPN 26 Status of ISDN Sq connection off Not connected or no Sp voltage no error message green blinking Initializing D channel establishing contact with the connec tion point green constantly on D channel ready for use red blinking Error CRC error framing error etc red constantly on Activation of D channel failed an Sg bus error Many ISDN connections and PBXs put the Sq bus into a power save mode after a certain time The Sq bus is automatically reactivated as required and the ISDN status LED will once again light up green If the ISDN status LED goes out automatically this does not indicate Separate status display for both ISDN B channels off No connection established green blinking Dialling green flashing Establishing first connection green flashing
3. With LANCAPI by LANCOM it is possible to send faxes comfortably from your workstation PC without having connected a fax device To do so you need to install several components m the LANCAPI client It provides the connection between your worksta tion PC and the LANCAPI server m the LANCOM VPN This tool simulates a fax device on your workstation PC m the MS Windows fax service This is the interface between the fax appli cations and the virtual fax The installation of the LANCAPI client is described in the reference manual This chapter shows the installation of LANCOM LANCOM VPN and MS Win dows fax service LANCOM 821 LANCOM 1711 VPN LANCOM 1721 VPN E Chapter 7 Sending faxes with LANCAPI 7 1 Installation of the LANCOM LANCOM VPN Select the entry Install LANCOM software in the setup program of your LANCOM CD Highlight the option LANCOM VPN click Next and follow the instruc tions of the installation routine LANCOM Software Setup Software Components Specify which software components you want to be installed during setup o A LANconfig E A LANmonitor Og LANCAPI B LANCAPI Dial Up Networking Support m 61 LANCOM 821 LANCOM 1711 VPN LANCOM 1721 VPN E Chapter 7 Sending faxes with LANCAPI When the installation was successful the LANCOM LANCOM VPN is entered into the Phone and Modem Options of the control panel amp Control Panel File Edit View Favori
4. In the following Security settings window, specify a password for configuration access. Note that the password is case-sensitive and ensure that it is sufficiently long (at least 6 characters).

You may specify whether the device may only be configured from the local network, or whether remote configuration via the WAN (i.e. a remote network) is also permissible. Please note that enabling this will also permit remote configuration via the Internet. You should always make sure that the configuration access is suitably protected, e.g. with a password.

In the next window, select your DSL provider from the list that is displayed. Confirm your choice with Apply. If you select "My provider is not listed here", you must enter the transfer protocol used by your DSL provider manually in the next window. Confirm your choice with Apply.

Connect charge protection can limit the cost of DSL connections to a predetermined amount if desired. Confirm your choice with Apply.

The basic setup wizard reports that all the necessary information has been provided. You can end the wizard with Go on.

3.4 TCP/IP settings to workstation PCs

The correct addressing of all devices within a LAN is extremely important for TCP/IP networks. In addition, all computers must know the IP addresses of two central points in the LAN: Default gateway
5. receives all packets that are not addressed to computers within the local network.

- DNS server: translates network names (www.lancom.de) or names of computers (www.lancom.de) to actual IP addresses.

The LANCOM Router can perform the functions of both a default gateway and a DNS server. In addition, as a DHCP server it can also automatically assign valid IP addresses to all of the computers in the LAN. The correct TCP/IP configuration of the PCs in the LAN depends on the method used to assign IP addresses within the LAN:

- IP address assignment via the LANCOM Router (default): In this operating mode the LANCOM Router not only assigns IP addresses to the PCs in the LAN, it also uses DHCP to specify its own IP address as that of the default gateway and DNS server. The PCs must therefore be configured so that they automatically obtain their own IP address and the IP addresses of the standard gateway and DNS server (via DHCP).
- IP address assignment via a separate DHCP server: The workstation PCs must be configured so that they automatically obtain their own IP address and the IP addresses of the standard gateway and DNS server (via DHCP). The IP address of the LANCOM Router must be stored on the DHCP server so that the DHCP server transmits it to the PCs in the LAN as the standard gateway. In addition, the DHCP server should also specify the LANCOM Router as a DNS server.

Entering the password in the web browser

When you a
6. Security tab. It is particularly required to assign a password to the configuration if you want to allow remote configuration.

- Have you permitted remote configuration?
  If you do not require remote configuration, then deactivate it. If you require remote configuration, then be sure to assign password protection for the configuration (see previous section). The field for deactivating the remote configuration is also contained in LANconfig in the Management configuration area on the Security tab. Select here under "Access rights of remote networks" for all types of configuration the option "not allowed".
- Have you provided the SNMP configuration with a password?
  Also protect the SNMP configuration with a password. The field for protection of the SNMP configuration with a password is also contained in LANconfig in the Management configuration area on the Security tab.
- Have you activated the Firewall?
  The Stateful Inspection Firewall of the LANCOM ensures that your local network cannot be attacked from the outside. The Firewall can be enabled in LANconfig under Firewall/QoS on the register card General.
- Do you make use of a Deny All Firewall strategy?
  For maximum security and control, you prevent at first any data transfer through the Firewall. Only those connections which are explicitly desired then have to be allowed by a dedicated Firewall rule. Thus Trojans and cert
7. tools and contact the device directly with this IP address Use LANconfig Connect a PC with a terminal program via the serial configuration interface to the device Starting the wizards in WEBconfig Start your web browser e g Internet Explorer Netscape Navigator Opera and call the LANCOM Router there http lt IP address of the LANCOM gt or with a name as discribed above If you cannot access an unconfigured LANCOM Router the problem may be due to the netmask of the LAN with less than 254 possible hosts netmask gt 255 255 255 0 please ensure that the IP address X X X 254 is located in your own subnet LANCOM 821 LANCOM 1711 VPN LANCOM 1721 VPN E Chapter 3 Basic configuration The WEBconfig main menu will be displayed The setup wizards are tailored precisely to the functionality of the spe cific LANCOM Router As a result your device may offer different wiz ards than those shown here If you have chosen automatic TCP IP configuration please continue with Step If you would like to configure the TCP IP settings manually assign an available address from a suitable address range to the LANCOM Router Also set whether or not it is to operate as a DHCP server Confirm your entry with Apply Enter the wireless parameters Select a network name SSID and a radio channel Turn on if necessary the function for closed network Confirm your choice with Next
8. whether a DHCP server is already active in the LAN. Dependent on the situation, the device is able to switch on its own DHCP server or, alternatively, to activate its DHCP client mode. In this second operating mode the device itself can obtain an IP address from a DHCP server already existing in the LAN.

Network without DHCP server

In a network without DHCP server, unconfigured LANCOM devices activate their own DHCP server service after starting and assign appropriate IP addresses and gateway information to the other workstations within the LAN, provided that the workstations are set to obtain their IP address automatically (auto-DHCP). In this constellation the device can be accessed with any web browser from each PC with activated auto-DHCP function through the name LANCOM or by its IP address 172.23.56.254.

[Screenshot: LANCOM 1811 Wireless DSL - Microsoft Internet Explorer]

If the configuration PC does not obtain its IP address from the LANCOM DHCP server, figure out the current IP address of this PC (with Start > Execute > cmd and command ipconfig at the prompt under Windows 2000 or Windows XP, with Start > Execute > cmd and the command winipcfg at the prompt under Wi
10. Be sure to give the two devices different names.

- The name of the remote station is needed for its identification.
- Enter the subscriber number of the remote station in the ISDN subscriber number field. The complete subscriber number including all necessary area and country codes is required.

The stated ISDN caller ID is used to identify and authenticate callers. When a LANCOM Router receives a call, it compares the ISDN caller ID entered for the remote station with the actual caller ID transferred via the D channel. An ISDN caller ID generally consists of an area code and an MSN.

The password for the ISDN connection is an alternative to the use of the ISDN caller ID. It is always used to authenticate callers that do not send an ISDN caller ID. The exact same password must be entered on both sides. It is used for calls in both directions.

The Shared Secret is the central password for security within the VPN. The exact same password has to be entered on both sides.

Data compression increases the transfer speed of the connection at no additional cost. This is completely unlike the bundling of two ISDN channels with MLPPP (Multi Link PPP): the transfer rate will be doubled, but there will also be additional telephone costs for two connections.

Settings for the TCP/IP router

In TCP/IP networks, addressing has a special significance. Please not
11. connected via a serial port or in the network (Device > Find).

If you cannot access an unconfigured LANCOM Router, the problem may be due to the netmask of the LAN: with less than 254 possible hosts (netmask > 255.255.255.0), please ensure that the IP address x.x.x.254 is located in your own subnet.

If you have chosen automatic TCP/IP configuration, please continue with Step

If you would like to configure the TCP/IP settings manually, assign an available address from a suitable address range to the LANCOM Router. Confirm your choice with Next.

Specify whether or not the router should act as a DHCP server. Make your selection and confirm with Next.

In the following window, specify the password for configuration access. Note that the password is case-sensitive and ensure that it is sufficiently long (at least 6 characters).

In addition, you may specify whether the device may only be configured from the local network, or whether remote configuration via the WAN (i.e. a remote network) is also permissible. Please note that enabling this will also permit remote configuration via the Internet. You should always make sure that the configuration access is protected with a password.

In the next window, select your DSL provider from the list that is displayed. If you select "My provider is not listed here", you must
12. moden Subscriber The LANCOM Router can also utilize other broadband connections e g cable modem that offer a 10 100Base Tx Ethernet connector over PPPoE PPTP or plain Ethernet with or without DHCP ADSL over ISDN or ADSL over POTS ADSL can operate over modern ISDN telephone service as well as conven tional analog service POTS Plain Old Telephone Service There are however different technical specifications for the two telephone systems For this reason devices in the LANCOM Router series are offered in two different versions A version for ADSL over POTS and a version for ADSL over ISDN 11 LANCOM 821 LANCOM 1711 VPN LANCOM 1721 VPN E Chapter 1 Introduction 1 2 For LANCOM 1711 VPN and LANCOM 1721 VPN You can determine which telephone system a device supports by looking at the model description on the bottom of the device The label containing the device name also contains an additional code which stands for the telephone system the device supports Annex A ADSL over POTS Annex B ADSL over ISDN An Annex A type LANCOM Router can only be used with ADSL over POTS service Similarly an Annex B device can only be used with ADSL over ISDN service Retrofitting a device to function with a different telephone system is not possible ADSL over ISDN connections also exist that do not operate in conjunction with ISDN but which use a conventional analog telephone connectio
13. not stack the devices and do not expose them to direct insolation 2 5 Software installation This section covers the installation of the included system software LANtools for Windows You may skip this section if you use your LANCOM Router exclusively G with computers running operating systems other than Windows 2 5 1 Starting LANCOM setup Place the LANCOM CD in your CD drive The LANCOM setup program will start automatically If the setup program does not start automatically run AUTORUN EXE G in the root folder of the LANCOM CD 30 LANCOM 821 LANCOM 1711 VPN LANCOM 1721 VPN E Chapter 2 Installation In Setup select Install LANCOM Software The following selection menus will appear on the screen LANCOM Software Setup x Software Components Specify which software components you want to be installed during setup Place a checkmark beside each software component you want to install or remove the checkmark to exclude it from installation Ka LANconfig v f LANmonitor amp LANCAPI EF LANCAPI Dial Up Networking Support gh CAPI Faxmodem 9 LANCOM Advanced VPN Client xl Enables you to configure your LANCOM device in ease from your computer lt Back Cancel 2 5 2 Which software should you install m LANconfig is the configuration program for all LANCOM routers and Wireless LAN access points WEBconfig can be used alternatively or in addi
14. selecting it from the address range reserved for private use, e.g. 10.0.0.1 with the netmask 255.255.255.0. At the same time you will set the address range that the DHCP server uses for the other devices in the network (provided that the DHCP server is switched on).

- You have previously used IP addresses for the computers in your LAN.

Information required for manual TCP/IP configuration

During manual TCP/IP configuration, the setup wizard will prompt you for the following information:

- IP address and netmask for the LANCOM Router: Assign a free IP address from the address range of your LAN to the LANCOM Router and specify the netmask.
- Enable DHCP server: Disable the DHCP server function in the LANCOM Router if you would like to have a different DHCP server assign the IP addresses in your LAN.

Configuration protection

The password for configuration access to the LANCOM Router protects the configuration against unauthorized access. The configuration of the router contains a considerable amount of sensitive information such as your Internet access information. We therefore strongly recommend protecting it with a password.

The setup wizard for the basic configuration automatically disables remote configuration access via ISDN, thus protecting your configuration against tampering. ISDN remote configura
15. this rule and what actions will be executed when the rule will apply to a data packet. You finally give a name to the new rule, activate it and define whether further rules should be observed when the rule will apply to a data packet. The wizard will inform you as soon as the entries are complete. Complete the configuration with Finish.

Configuration under WEBconfig

Under WEBconfig it is possible to check and modify all parameters related to the protection of the Internet access under Configuration > Firewall/QoS > Rules > Rule Table.

The security checklist

The following checklist provides a comprehensive overview of all security settings for professionals. Most of the points on this checklist are of no concern in simple configurations, since generally adequate security settings are already implemented during basic configuration and by the security wizard.

Detailed information on the security settings listed here can be found in the reference manual.

- Have you assigned a password for the configuration?
  The simplest option for the protection of the configuration is the establishment of a password. As long as a password hasn't been set, anyone can change the configuration of the device. The field for entering the password is contained in LANconfig in the Management configuration area on the
16. Chapter 6: Providing dial-up access

Your LANCOM Router supports dial-up connections to permit individual computers full access to your network. This service is also known as RAS (Remote Access Service). In principle, RAS access can be realized in two different ways:

- VPN: For RAS access via VPN, the connection between the LAN and the dial-in PC is established over a specially secured connection through the public Internet. The router in the LAN requires VPN support; the dial-in PC requires access to the Internet and the LANCOM VPN Client.
- ISDN: For RAS access via ISDN, a direct connection between the LAN and the dial-in PC is established over an ISDN dial-up connection. The router in the LAN requires an ISDN interface; the dial-up PC requires an ISDN adapter or an ISDN modem. The data transfer protocol is PPP. Therefore the support of all usual devices and operating systems is ensured.

A setup wizard handles the configuration of the dial-up connection in the usual convenient manner.

Security aspects

You must of course protect your LAN against unauthorized access. A LANCOM Router therefore offers a whole range of security mechanisms that can provide an outstanding level of protection:

- VPN: Network couplings via VPN transmit data by IPSec. The data are encrypted by AES, 3-DES, Blowfish or CAST encryption algorithms.
- ISDN: For network couplings via ISDN the c
18. DSL Reset DC12V ETH4 ETH3 Voltage switch Connection for the included power adapter Switch with four 10 100Base Tx connections USB connection Serial configuration port ISDN Sp port ADSL port Reset switch 27 LANCOM 821 LANCOM 1711 VPN LANCOM 1721 VPN E Chapter 2 Installation LANCOM 1711 VPN 28 2 4 poze pog AC12V ISDN Sp Config COM Res ans Lim g bbee Voltage switch Connection for the included power adapter Switch with four 10 100Base Tx connections WAN port ISDN Sp port Serial configuration port Reset switch The reset switch has two different functions depending on the length of time that it is pressed Restarting the device soft reset push the button for less than five seconds The device will restart Resetting the configuration hard reset push the button for more than five seconds All the device s LEDs will light up green and stay on As soon as the reset switch is released the device will restart with factory default settings Hardware installation The installation of the LANCOM Router base station takes place in the follow ing steps LAN connect the LANCOM Router to your LAN or to an individual PC For that purpose plug the included network cable green plugs into the LAN connector of the device and the other end into a free network connecting socket o
19. Establishing further connection green constantly on Connection established via B channel green flickering Data traffic send or receive Status of the four LAN ports in the integrated switch off No network device connected green constantly on Connection to network device operational no data traffic Data traffic green flickering red flickering Collision of packets Security only LANCOM 1711 VPN VPN only LANCOM 1721 VPN and LANCOM 1711 vN 2 3 2 LANCOM 821 and LANCOM 1721 VPN LANCOM 821 LANCOM 1711 VPN LANCOM 1721 VPN E Chapter 2 Installation sStatus of the firewall Indicates the status of the security settings and averted attacks to the protected network green constantly on Security settings ok Packet filter rules are set red blinking Insecure configuration green red flickering Security alert data packet filtered by firewall rules Status of a VPN connection Only active with LANCOM VPN Option installed Ex off No VPN tunnel established green blinking Negotiating VPN connection green flashing Establishing first connection green inverse flashing Establishing further connection green constantly on VPN connection established The back of the unit The connections and switches of the router are located on the back panel not available on LANCOM 821 ml i i oO o ETH2 ETH1 O USB Config COM ISDN Sg A
20. LANCOM 821 LANCOM 1711 VPN LANCOM 1721 VPN 2006 LANCOM Systems GmbH Wuerselen Germany All rights reserved While the information in this manual has been compiled with great care it may not be deemed an assurance of product characteristics LANCOM Systems shall be liable only to the degree specified in the terms of sale and delivery The reproduction and distribution of the documentation and software included with this product is subject to written per mission by LANCOM Systems We reserve the right to make any alterations that arise as the result of technical develop ment All explanations and documents for registration of the products you find in the appendix of this documentation if they were present at the time of printing Trademarks Windows Windows XP and Microsoft are registered trademarks of Microsoft Corp The LANCOM Systems logo LCOS and the name LANCOM are registered trademarks of LANCOM Systems GmbH All other names mentioned may be trademarks or registered trademarks of their respective owners This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http www openssl org Subject to change without notice No liability for technical errors or omissions LANCOM Systems GmbH Adenauerstr 20 B2 52146 Wuerselen Germany www lancom de Wuerselen May 2006 110443 0506 LANCOM 821 LANCOM 1711 VPN LANCOM 1721 VPN E Preface Preface Thank you for placi
21. LANconfig and WEBconfig Thanks to the information that you have collected in advance the basic configuration is quick and effortless At the end of this chapter we will show you the settings that are needed for the LAN s workstations to ensure trouble free access to the router TCP IP settings to workstation PCs on page 40 Which information is necessary The basic configuration wizard will take care of the basic TCP IP configuration of the router protect the device with a configuration password and will set up the ISDN connection if required The following descriptions of the informa tion required by the wizard are grouped in these three configuration sections m TCP IP settings protection of the configuration information on DSL connection information on ISDN connection configuring connect charge protection TCP IP settings The TCP IP configuration can be realized in two ways either as a fully auto matic configuration or manually No user input is required for the fully auto matic TCP IP configuration All parameters are set automatically by the setup wizard During manual TCP IP configuration the wizard will prompt you for the usual TCP IP parameters IP address netmask etc more on these topics later Fully automatic TCP IP configuration is only possible in certain network envi ronments The setup wizard therefore analyses the connected LAN to deter mine whether it supports fully automatic configuration LANCO
22. Linking two networks VPN IP network address of the remote network 10 0 2 0 10 0 1 0 VPN Netmask of the remote network 255 255 255 0 255 255 255 0 VPN Domain name of the remote network head branch VPN Hide local stations for access to remote net yes no yes no work Extranet VPN ISDN TCP IP routing for access to remote network yes no yes no ISDN IPX routing for access to remote network yes no yes no VPN ISDN NetBIOS routing for access to remote net yes no yes no work VPN ISDN Name of remote workgroup NetBIOS only workgroup1 workgroup2 ISDN Data compression on off gt on off ISDN Channel bundling on off gt on off Incase your device has an ISDN connection the wizard asks whether the remote site has ISDN as well The type of IP address must be stated for both sides for VPN connections via the Internet There are two types of IP addresses static and dynamic An explanation of the two IP address types can be found in the reference manual Thanks to Dynamic VPN connections can be enabled not only between gateways with fixed static IP addresses but even between gate ways with dynamic IP addresses The active initiation of VPN connec tions towards remote sites with dynamic IP addresses requires ISDN m If you haven t already named your LANCOM Router the wizard will ask you for a new unique device name With this entry you will rename your LANCOM Router
23. M 1721 VPN E Chapter 6 Providing dial up access m Additional TCP IP settings Assignment of IP address and name server address enabled IP header compression disabled These settings will permit a PC to dial into a remote LAN via ISDN and access its resources in the usual manner 6 3 Instructions for LANconfig Launch the Provide Dial In access RAS wizard Follow the wizard s instructions and enter the required information amp Setup Wizard for LANCOM 1811 Wireless DSL Setup Wizard for LANCOM 1811 Wireless DSL This wizard lets you configure your device for specific applications quickly and easily What do you want to do A Check security settings A Set up Intenet access ts Provide remote acces also VPN 3 Connect two local area networks also VPN A Configure firewall 4 Configure Dynamic DNS Back Cancel The wizard will return a message to indicate that it has all the information it needs Close the wizard with Finish Configure Dial Up Networking access on the dial in PC as described Next test the connection see box Ping quick testing for TCP IP con nections on page 52 6 4 Instructions for WEBconfig RAS access via VPN cannot be configured using the wizard under WEBconfig yet It can only be set up in the expert configuration For details please refer to the reference manual From the main menu launch the Connect two local networks w
24. Chapter 3: Basic configuration

New LAN: fully automatic configuration possible

If all connected network devices are still unconfigured, the setup wizard will suggest fully automatic TCP/IP configuration. This may be the case in the following situations:

- a single PC is connected to the router
- setup of a new network

Fully automatic TCP/IP configuration will not be available when integrating the LANCOM Router in an existing TCP/IP LAN. In this case continue with the section "Information required for manual TCP/IP configuration" on page 33.

The result of the fully automatic TCP/IP configuration: the router will be assigned the IP address 172.23.56.1 (netmask 255.255.255.0). In addition, the integrated DHCP server will be enabled so that the LANCOM Router can automatically assign IP addresses to the devices in the LAN.

Configure manually nevertheless?

The fully automatic TCP/IP configuration is optional. You may also select manual configuration instead. Make your selection after the following considerations:

- Choose automatic configuration if you are not familiar with networks and IP addresses.
- Select manual TCP/IP configuration if you are familiar with networks and IP addresses and one of the following conditions is applicable:
  - You have not yet used IP addresses in your network but would like to do so now. You would like to specify the IP address for your router
25. P 9.4 Cable testing; 10 Appendix; 10.1 Performance data and specifications; 10.2 Contact assignment; 10.2.1 ADSL interface; 10.2.2 Ethernet WAN interface (LANCOM 1711 VPN); 10.2.3 ISDN S0 interface; 10.2.4 Ethernet interfaces 10/100Base-T; 10.2.5 Configuration interface (Outband); 10.3 CE declaration of conformity. 1 Introduction: The models LANCOM 821, LANCOM 1721 VPN and LANCOM 1711 VPN are fully featured routers that can therefore also be used, in combination with the integrated firewall, for providing secure Internet access to a complete local network (LAN). The VPN option, which is either integrated already or can be activated subsequently, enables the LANCOM 1721 VPN and LANCOM 1711 VPN to act as powerful Dynamic VPN gateways for external offices or mobile users. The LANCOM Router models each offer a DSL or ADSL connector and also an ISDN connector. The ISDN line can be used as back-up for the DSL connection, for remote management of the router, as basis for the office communication via LANCAPI, or for establishing VPN connections to remote sites with dynamic IP addresses. By using the Voice over IP function, these devices can transfer voice data over broadband Internet connections as well. How does ADSL work? Since the late 1980s scientists
26. PN LANCOM 1721 VPN E Contents: 4 Setting up Internet access; 4.1 Instructions for LANconfig; 4.2 Instructions for WEBconfig; 5 Linking two networks; 5.1 What information is necessary; 5.1.1 General information; 5.1.2 Settings for the TCP/IP router; 5.1.3 Settings for the IPX router; 5.1.4 Settings for NetBIOS routing; 5.2 Instructions for LANconfig; 5.3 Instructions for WEBconfig; 6 Providing dial-up access; 6.1 Which information is required; 6.1.1 General information; 6.1.2 Settings for TCP/IP; 6.1.3 Settings for IPX; 6.1.4 Settings for NetBIOS routing; 6.2 Settings for the dial-in computer; 6.2.1 Dial-up via VPN; 6.2.2 Dial-up via ISDN; 6.3 Instructions for LANconfig; 6.4 Instructions for WEBconfig; 7 Sending faxes with LANCAPI; 7.1 Installation of the LANCOM LANCOM VPN; 7.2 Installation of the MS Windows fax service; 7.3 Sending a fax; 7.3.1 Send a fax with any given office application; 7.3.2 Send a fax with the MS Windows fax service; 8 Security settings; 8.1 The security settings wizard; 8.1.1 Wizard for LANconfig; 8.1.2 Wizard for WEBconfig; 8.2 The firewall wizard; 8.2.1 Wizard for LANconfig; 8.2.2 Configuration under WEBconfig; 8.3 The security checklist; 9 Troubleshooting; 9.1 No WAN connection is established; 9.2 DSL data transfer is slow; 9.3 Unwanted connections under Windows X
27. TS RTS RxD RI TxD DSR DCD DTR GND. 10.3 CE declaration of conformity: The CE declarations of conformity for LANCOM routers are available for download on the LANCOM web site www.lancom.de.
28. ain Email viruses lose their communication way back. The firewall rules are summarized in LANconfig under "Firewall/QoS" on the register card "Rules". Have you activated the IP masquerading? IP masquerading is the hiding place for all local computers for connection to the Internet. Only the router module of the unit and its IP address are visible on the Internet. The IP address can be fixed or assigned dynamically by the provider. The computers in the LAN then use the router as a gateway so that they themselves cannot be detected. The router separates Internet and intranet, as if by a wall. The use of IP masquerading is set individually for each route in the routing table. The routing table can be found in LANconfig in the "IP router" configuration section on the "Routing" tab. Have you excluded certain stations from access to the router? Access to the internal functions of the devices can be restricted using a special filter list. Internal functions in this case are configuration sessions via LANconfig, WEBconfig, Telnet or TFTP. This table is empty by default, so access to the router can be obtained by TCP/IP using Telnet or TFTP from computers with any IP address. The filter is activated when the first IP address with its associated network mask is entered, and from that point on only those IP addresses contained in this i
29. at up to 8 Mbps (downstream) and upload at up to 800 Kbps (upstream). These maximum rates can be reduced as required by the ADSL provider. A typical access plan might specify, for example, from 1 up to 3 Mbps download and from 128 up to 384 Mbps upload speed. All services via a single cable thanks to the splitter: With ADSL, all traditional telephony applications (telephone, fax, answering machine, PBX) can still be used without restrictions. So-called splitters make this possible. Splitters are devices that separate the telephone line's voice frequencies from the data frequencies and ensure that the signals are forwarded to the appropriate networks. Voice signals are passed on to the existing telephone network, while data signals are forwarded to their destinations (i.e. Internet providers) via high-bandwidth network connections. A splitter is also used at the subscriber end to permit ADSL modems, routers and conventional telephone equipment to be used at the same time. The router is connected to a separate ADSL modem; the ADSL modem is connected to the splitter. [Figure labels: Telephone, Router, Subscriber] In some models, like in the picture below, the ADSL modem is integrated directly in the router; a separate ADSL modem is not required. Figure labels: Telephone, DSL access multiplexer, ADSL provider, Router with integrated ADSL
30. ble virtually everywhere and typically has low access costs. Significant savings can thus be achieved in relation to switched or dedicated connections, especially over long distances. The physical connection no longer exists directly between two participants; instead, the participants rely on their connection to the Internet. The access technology used is not relevant in this case; ideally, broadband technologies such as DSL (Digital Subscriber Line) are used. But a conventional ISDN line can also be used. The technologies of the individual participants do not have to be compatible with one another, as would be the case for conventional direct connections. A single Internet access can be used to establish multiple simultaneous logical connections to a variety of remote stations. The resulting savings and high flexibility make the Internet (or any other IP network) an outstanding backbone for a corporate network. 1.3 Firewall: The integrated Stateful Inspection Firewall ensures an effective protection against undesired intrusion in your network by permitting only incoming data traffic as reaction to outgoing data traffic. The router's IP masquerading function hides all workstations of the LAN behind a single public IP address. The actual identities (IP addresses) of the individual workstations remain concealed. Firewall filters of the router permit speci
32. e Y Y Y; LANCOM CD: Y Y Y; Printed documentation: Y Y Y. If anything is missing, please contact your retailer or the address stated on the delivery slip of the unit. System preconditions: Computers that connect to a LANCOM Router must meet the following minimum requirements: Operating system that supports TCP/IP, e.g. Windows XP, Windows Millennium Edition (Me), Windows 2000, Windows 98, Windows 95, Windows NT, Linux, BSD Unix, Apple Mac OS, OS/2, BeOS. Access to the LAN via the TCP/IP protocol. The LANtools and the LANCAPI functions also require a Windows operating system. A web browser is required for access to WEBconfig. 2.3 Introducing LANCOM Router: This section introduces your device. We will give you an overview of all status displays, connections and switches. While the information in this section is useful for the installation of the device, it is not absolutely essential. You may therefore skip this section for the time being and go straight forward to "Hardware installation" on page 28. 2.3.1 Status displays: The front and the rear panels of the unit feature a series The various LANCOM Router models have different numbers of indicators on the front panel depending on their functionality. Front side: The various LANCOM Router models have diff
33. e network interconnection VPN tunnel via the Internet VPN gateways. Conventional via ISDN: Without VPN, a LAN-to-LAN interconnection can alternatively be realized via ISDN. In this case, intelligent line management and sophisticated filter mechanisms keep connection costs low. Remote access to the company network via VPN or ISDN: The work of many office workers in modern organizations is less and less dependent on any definite location; the most important factor here is unimpaired access to shared and freely available information. Remote Access Service (RAS) is the magic word here. Employees working from home or field staff can dial into the company network via VPN or ISDN. When working with remote access via ISDN, the router protects the company network: the call-back function only grants access to known and registered users. 1.5 Voice over IP: Using Voice over IP offers considerable potential savings in the costs of corporate communication. LANCOM routers with VoIP support enable voice data to be transferred in parallel over existing data connections. LANCOM Systems supports not only networking with new VoIP installations; it also enables the integration of existing telephony equipment. LANCOM VoIP solutions offer several advantages: Secured transfer of VoIP voice data with IPSec VPN. Intelligent call routing to SIP providers, proprietary VoIP servers or into the plain old telephone syste
34. e that two interconnected networks are logically separate from one another. Each must therefore have its own network number (in our example, 10.0.1.x and 10.0.2.x). These network numbers may not be identical. [Figure labels: 10.0.1.100, 0123 123456; LAN of head office: IP 10.0.1.0, netmask 255.255.255.0, domain head.company; pc1.branch.company; VPN or ISDN connection; 10.0.2.10; server.head.company; 10.0.2.100, 0789 654321; LAN of branch office: IP 10.0.2.0, netmask 255.255.255.0, domain branch.company] Unlike when accessing the Internet, all of the IP addresses in the involved networks are visible on the remote side when coupling networks, not just those of the router. The computer with the IP address 10.0.2.10 in the branch office LAN sees the server 10.0.1.2 in the headquarters and can access it (assuming it has the appropriate rights), and vice versa. DNS access to the remote LAN: Thanks to DNS, it is not only possible to access remote computers in a TCP/IP network via their IP address, but also by using freely defined names. For example, the computer with the name pc1.branch.company (IP 10.0.2.10) will not only be able to access the server of the head office via its IP address, but also via its name server.head.company. The only precondition: the domain of the remote netwo
35. e the reference manual. Perform the configuration on both routers, one at a time. From the main menu, launch the "Connect two local area networks" wizard. Follow the wizard's instructions and enter the required information. The wizard will return a message to indicate that it has all the information it needs. Close the wizard with Terminate. After finishing the configuration of both routers, you can test the network connection. Try to contact a computer in the remote LAN (e.g. with a ping). The LANCOM Router should automatically set up a connection to the remote station and contact the required computer. Ping: quick testing for TCP/IP connections. To test a TCP/IP connection, simply send a ping from your computer to a computer in the remote network. For more information on the ping command, please see the documentation of your operating system. IPX and NetBIOS connections can be tested by searching for a remote Novell server or a computer in the remote Windows workgroup from your computer. [Screenshot: ping command output] Only LANCOM 1721 VPN and LANCOM 1711 VPN 6 1 LAN
36. egister devices. Sending a fax: After installing all required components, you have several possibilities to send a fax from your workstation PC. If you already have an existing data file, you can send it directly from your respective application. If you only want to send a short message, select the MS Windows fax service. You can of course use any other fax software alternatively. Send a fax with any given office application: Open a document in your office application as usual and select the menu item File > Print. Adjust the fax device as printer. [Screenshot: Print dialog, "Select Printer"] Click on OK. A wizard appears that will guide you through the remaining sending process. Send a fax with the MS Windows fax service: Open the window "Printers and Faxes" from the control panel. Double-click with the left mouse button the icon of the fax device. The fax client console will open. Select the menu item "Send a Fax". A wizard will assist you through the remaining sending process. [Screenshot: Fax Console, Send a Fax, Recipient Information: "Enter the name and number of the person you want to send the fax to, or click Address Book to select a fax recipient"]
37. enter the transfer protocol used by your DSL provider manually. Confirm your choice with Next. Enter the ISDN subscriber numbers as MSNs (i.e. without area code) on which the router will accept calls. Multiple numbers are separated by semicolons. If you do not specify any MSNs, the router will answer all incoming calls on the ISDN connection. In addition, you can enter a trunk code for dialling into ISDN. Finally, you should specify whether or not the tariff information is to be transmitted at your ISDN connection. Confirm your choice with Next. Connect charge protection can limit the cost of DSL and ISDN connections to a predetermined amount if desired. Confirm your choice with Next. Complete the configuration with Finish. Section "TCP/IP settings to workstation PCs" on page 40 will describe the settings required for the individual workstations in the LAN. Instructions for WEBconfig: To configure the router with WEBconfig, you must know how to address it in the LAN. The reaction of the devices, as well as their accessibility for configuration via web browser, is dependent on whether a DHCP server and a DNS server are already active in the LAN, and whether these two server processes exchange the assignment of IP addresses to symbolic names within the LAN between each other. After being powered on, unconfigured LANCOM devices check first
38. erent numbers of indicators on the front panel depending on their functionality. [Figure: front panel; labels: LANCOM Systems, LANCOM 1721 VPN, 1711 VPN] Top panel: The two LEDs on the top panel provide a convenient overview of the most important status information, especially when the device is installed vertically. [Figure labels: Power, Online] Meanings of the LEDs: In the following sections we will use different terms to describe the behaviour of the LEDs. Blinking means that the LED is switched on or off at regular intervals in the respective indicated colour. Flashing means that the LED lights up very briefly in the respective colour and then stays switched off clearly longer (approximately 10x longer). Inverse flashing means the opposite: the LED lights permanently in the respective colour and is only briefly interrupted. Flickering means that the LED is switched on and off in irregular intervals. Power: This LED indicates that the device is operational. After the device has been switched on, it will flash green for the duration of the self-test. After the self-test, either an error is output by a flashing red light code, or the device starts and the LED remains lit green. off: Device off. green, blinking: Self-test when powering up. green, constantly on: Device ready for use. red, blinking alternately: Device i
39. ers are being used on both sides. A network interconnection may also be realized with routers from other manufacturers. A mixed setup usually requires more extensive configuration measures for both devices, however. Please refer to the reference manual for more information in this regard. A setup wizard handles the configuration of the connection in the usual convenient manner. Security aspects: You must of course protect your LAN against unauthorized access. A LANCOM Router therefore offers a whole range of security mechanisms that can provide an outstanding level of protection. VPN: Network couplings via VPN transmit data by IPSec. The data are encrypted by AES, 3-DES, Blowfish or CAST encryption algorithms. ISDN: For network couplings via ISDN, the connection password, the checking of the ISDN number and the callback function ensure the security of the connection. The ISDN call-back function cannot be configured using the wizard. It can only be set up in the expert configuration. For details, please see the reference manual. 5.1 What information is necessary? The wizard will prompt you for the necessary information on a step-by-step basis. If possible, however, you should have it available before launching the wizard. To explain the significance of the information requested by the wizard, we will be using a typ
40. es is not terminated with the correct impedance at the other end 73 LANCOM 821 LANCOM 1711 VPN LANCOM 1721 VPN E Chapter 10 Appendix 10 Appendix 10 1 Performance data and specifications Connections Ethernet LAN 4x 10 100Base TX auto sensing switch with node hub auto sensing WAN ADSL Annex A devices ADSL over POTS as per ITU 10 100Base TX auto G 992 1 Annex A ANSI 71 413 ITU G 992 2 sensing G Lite G 994 1 G hs Annex B devices ADSL over ISDN as per ITU G 992 1 Annex B as well as proprietary ADSL over ISDN Texas Instruments ADI Alcatel ETSI TS 101 388 ISDN ISDN SO bus Outband Power supply serial V 24 V 28 port 8 pol mini DIN in combination with LANCOM modem adapter kit suited for connection of external analogue or GSM modems 12V over external power adapter Housing 210 x 143 x 45 mm W x H x D rugged plastic case connectors on the rear side stackable provision for wall mounting Standards EU CE certification EN 55022 EN 55024 EN 60950 Environment Temperature range 0 C to 40 C at 80 max Temperature range temperature humidity non condensing 0 C to 55 C at 80 range max humidity non condensing Options LANCOM Leased Line Option Art No 00789 SIP Gateway option from LCOS 6 0 Accessories LANCOM VPN Option 25 channels hardware accelerated max 25 simultaneous connec tions 50 connections co
41. f the devices does not show any discernible errors. You can test the cabling with the built-in cable tester of your LANCOM. Under WEBconfig, change to the menu item Expert configuration > Status > LAN statistics > Cable test. Enter here the name of the interface to be tested (e.g. "DSL1" or "LAN 1"). Pay attention to the correct spelling of the interfaces. Start the test for the specified interface by clicking on Execute. [Screenshot: Expert Configuration, Status, LAN statistics, Cable Test: "Enter here any additional arguments for the command you are about to execute", Arguments field] Then change to the menu item Expert configuration > Status > LAN statistics > Cable test results. The results of the cable test for the individual interfaces are shown in a list. [Screenshot: Expert Configuration, Status, LAN statistics, Cable Test Results. Columns: Port, Rx Status, Rx Distance, Tx Status, Tx Distance. DSL1: open, 0m, open, 0m. LAN 1 to LAN 4: unknown, unknown.] The following results can occur: OK: Cable plugged in correctly, line ok. open with distance "0m": No cable plugged in, or interruption within less than 10 meters distance. open with indication of distance: Cable is plugged in, but defective (short-circuited) at the indicated distance. Impedance error: The pair of cabl
42. f your local network into a free socket of a hub/switch or into the network socket of an individual PC. The LAN connector identifies automatically the transfer rate (10/100 Mbps) of the connected network device (autosensing). A parallel connection of devices with different speeds and types is possible. You should never have more than one unconfigured LANCOM Router in a network segment at any given time. All unconfigured LANCOM Router devices use the same IP address (with the final digits "254"), which would result in an address conflict. To avoid problems, always configure multiple LANCOM Router devices one at a time, immediately assigning each device a unique IP address (one that does not end with "254"). ADSL (821/1621 only): connect the ADSL interface to the splitter using the supplied ADSL connector cable (transparent plugs). DSL (1711 only): connect the WAN interface to the DSL modem socket using the supplied DSL connector cable (dark blue plugs). ISDN: to connect the LANCOM Router to the ISDN, plug one end of the supplied ISDN connector cable (light blue plugs) in the ISDN S0 port of the router and the other end into an ISDN S0 (multi-device mode or point-to-point mode) connection. Configuration port: you may optionally connect the router directly to
43. fic IP addresses, protocols and ports to be blocked. With MAC address filters it is also possible to specifically monitor the access of workstations in the LAN to the IP routing function of the device. [Figure labels: Firewall, LANCOM] Further important features of the Firewall are: Intrusion Detection: Break-in attempts into the local network or on the central Firewall are recognized, repelled and logged by the Intrusion Detection system (IDS) of the LANCOM DSL. You can choose between logging within the device, email notification, SNMP trap or SYSLOG alarms. Denial of Service Protection: Attacks from the Internet can be break-in attempts as well as attacks with the aim of blocking the accessibility and functionality of individual services. Therefore a LANCOM DSL is equipped with appropriate protective mechanisms, which recognize well-known hacker attacks and which guarantee the functionality. 1.4 Quality of Service / Traffic management: The generic term Quality of Service (in brief: QoS) summarizes the functions of the LANCOM which guarantee certain service qualities. The advantage is that the QoS functions can take place by means of the existing powerful classification methods of the Firewall (e.g. limitation of subnetworks, single workstations or certain services). Guaranteed minimum bandwidths give priority to enterprise-critical applicati
44. fused with the private LAN IP address, default gateway and DNS server. These values can be received automatically from providers that support DHCP. User name and password. ISDN dial-in number. User name and password. Additional connection options: You may also enable or disable further options in the wizard, depending on whether or not they are supported by your Internet provider. Time-based billing or flat rate: select the accounting model used by your Internet provider. When using time-based billing, you can set the LANCOM Router to automatically close existing connections if no data has been transferred within a specified time (the so-called idle time). In addition, you can activate a line monitor that identifies inactive remote stations faster and can therefore close the connection before the idle time has elapsed. Active line monitoring can also be used with flat rate billing to continuously check the function of the remote station. You also have the option of keeping flat rate connections alive if required. Dropped connections are then automatically re-established. Dynamic channel bundling (ISDN only): if required, the second ISDN B channel will automatically be bundled to the connection. This doubles the available bandwidth; it may also double your connect charges as well, however. What's more, your ISDN connection will be busy in this case, with all o
45. have been working on the idea of using conventional telephone lines for video and multimedia applications. High speed via standard telephone lines: Their approach was based on the use of telephone lines only for the distance between the subscriber and the next local exchange. From the switching center, the data is then transferred via high-speed connections to the desired destination or target network, i.e. the Internet. This minimization of the telephone line distance used permits considerably higher transfer rates than would be possible when relying solely on the telephone network. [Figure labels: ADSL connection via telephone line; Local exchange (central office)] All DSL technologies, of which ADSL is the most common, are based on this concept. Thanks to their high transfer speeds, DSL connections are well suited for Internet access. Ideal for Internet surfers: The ADSL version of DSL was designed for applications in which the user receives high volumes of data but only transmits relatively small volumes. A typical example for this would be access to the world wide web (www). Only a few commands (mouse clicks) are required to initiate the download of very large volumes of data such as graphics, texts, audio or video files. The user typically only sends very small amounts of data across the Internet connection. With an ADSL connection a user can download
46. ical deployment as an example: setting up a link between a branch office and its headquarters. The routers involved are named "HEAD_OFFICE" and "BRANCH". Please refer to the following tables for the entries to be made for each of the routers. Arrows mark the dependencies between the entries. General information: The following details are required for the installation of LAN-to-LAN couplings. The first column indicates whether the information is required for network couplings over VPN (standard method using preshared keys) and/or ISDN. Further details on network couplings via VPN using enhanced methods (e.g. digital certificates) can be found in the LCOS reference manual. Table entries (first value: head office router, second value: branch router): VPN ISDN connection available: yes/no, yes/no. VPN Type of the local IP address: static/dynamic, static/dynamic. VPN Type of the remote IP address: static/dynamic, static/dynamic. VPN ISDN Name of the local device: HEAD, BRANCH. VPN ISDN Name of the remote station: BRANCH, HEAD. VPN ISDN Remote ISDN calling number: 0123 123456, 0789 654321. VPN ISDN Remote ISDN caller ID: 0789 654321, 0123 123456. VPN ISDN Password for secure transmission of the IP address: Password, Password. VPN Shared secret for encryption: Secret, Secret. VPN IP address of remote station: 10.0.2.100, 10.0.1.100.
47. ing two typical IPX networks to form a WAN requires three IPX network numbers: for the LAN of the head office, for the LAN of the branch office, and for the higher-level WAN. The IPX network numbers in the head and branch offices are specified to the respective remote sides. [Figure labels: IPX internal net 00020002; WAN IPX network no. 00000009; VPN or ISDN connection; 0123 123456; 0789 654321; LAN of the head office: IPX network no. 00000001, binding Ethernet_II; LAN of the branch office: IPX network no. 00000002, binding Ethernet_II] The three required network numbers are designated as "External Network Numbers" by the IPX conventions. Like IP network addresses, they apply to an entire LAN segment. On the other hand, internal IPX numbers are used to address specific Novell servers in the LAN. All three specified network numbers must be distinct from one another and from all used internal IPX network numbers. In addition, it may be necessary to enter the frame type (binding). Specifying the IPX network number and binding used is not necessary if the remote network also contains a Novell server. It is only necessary to enter the network number for the WAN manually in this case. Settings for NetBIOS routing: NetBIOS routing can be set up quickly. All that is required in addition to the i
48. its users can access the Web and send and receive e-mail. All connections to the outside world are based on dedicated lines, i.e. switched or leased lines. Dedicated lines are very reliable and secure. On the other hand, they involve high costs. In general, the costs for dedicated lines are dependent on the distance. Especially in the case of long-distance connections, keeping an eye out for cost-effective alternatives can be worthwhile. The appropriate hardware must be available in the headquarters for every type of required connection (analog dial-up, ISDN, leased lines). In addition to the original investment costs, ongoing costs are also incurred for the administration and maintenance of this equipment. Networking via the Internet: The following structure results when using the Internet instead of direct connections. [Figure: networking via the Internet] All participants have fixed or dial-up connections to the Internet. Expensive dedicated lines are no longer needed. All that is required is the Internet connection of the LAN in the headquarters. Special switching devices or routers for dedicated lines to individual participants are superfluous. The subsidiary also has its own connection to the Internet. The RAS PCs connect to the headquarters LAN via the Internet. The Internet is availa
49. izard. Follow the wizard's instructions and enter the required information. Configure Dial-Up Networking access on the dial-in PC as described. Next, test the connection (see box "Ping quick testing for TCP/IP connections" on page 52).

7 Sending faxes with LANCAPI

LANCAPI from LANCOM Systems is a special version of the popular CAPI interface. CAPI (Common ISDN Application Programming Interface) establishes the connection between ISDN adapters and communications programs. For their part, these programs provide the computers with office communications functions such as a fax machine or answering machine.

The main advantages of using LANCAPI are economic. LANCAPI provides all Windows workstations integrated in the LAN (local area network) with unlimited access to office communications functions such as fax machines, answering machines, online banking and eurofile transfer. All functions are supplied via the network without the necessity of additional hardware at each individual workstation, thus eliminating the costs of equipping the workstations with ISDN adapters or modems. All you need do is install the office communications software on the individual workstations. PCs with fax software fax ISDN adapter
50. lues

- User name and password: Users authenticate themselves with this information when dialling in.
- Incoming number: The LANCOM Router uses the optional ISDN caller ID as an additional user authentication. This security function should not be used when users dial in from differing locations.

Please refer to chapter "Linking two networks" on page 45 for advice about the other values required for the installation of a RAS access.

The ISDN calling line identity (CLI)

The ISDN caller ID, also known as CLI (Calling Line Identity), is the telephone number of the caller, which is transmitted to the participant receiving the call. As a rule it consists of the country and area codes and an MSN. The CLI is well suited for authentication purposes for two reasons: it is very difficult to manipulate, and the number is transferred free of charge via the ISDN control channel (D channel).

6.1.2 Settings for TCP/IP

Each active RAS user must be assigned an IP address when using the TCP/IP protocol.

[Figure: LAN of the head office (IP 10.0.1.0) and remote workstation (IP 10.0.1.101, user SAMPLE, ISDN adapter), linked by a VPN or ISDN connection; telephone numbers 0123 123456 and 0123 777888]

This IP address can be permanently assigned when setting up a user. However, it is simpler to let the LANCOM Router automatically assign free IP add
51. m Migration from existing ISDN analog telephones and PBXs to VoIP High availability VoIP site coupling with backup Comprehensive QoS functions with integrated broadband management 18 LANCOM 821 LANCOM 1711 VPN LANCOM 1721 VPN E Chapter 1 Introduction 1 6 What can your LANCOM Router do The following table contains a direct comparison of the properties and func tions of your devices with other models Applications Internet access Y Y Y LAN to LAN coupling via VPN Y Y LAN to LAN coupling via ISDN va Y oY RAS server via VPN Y Y RAS server via ISDN Y Y Y IP router Y Y Y IPX router via ISDN e g for coupling of Novell networks or dialling into Y Y Y Novell networks NetBIOS proxy for coupling of Microsoft peer to peer networks via ISDN Y Y Y DHCP and DNS server for LAN and WAN Y Y Y N N mapping for coupling networks using the same IP address ranges Y Y Y Bridge function for coupling networks via ISDN connection Y Y Y Port Mapping to set up LAN ports as additional WAN ports Y Y Policy based routing for policy based selection of target routes Y Y Load balancing for bundling of multiple DSL channels 2 channels 4 channels 4 channels LANCAPI server for the operating with office applications as fax or Y Y answering machine via ISDN interface WAN connection Connection for DSL or cable modem Y Y Y Integrated ADSL modem ADSL2 ready Y Y ISDN Sg bus i
52. n. A prominent example would be Deutsche Telekom's T-DSL service.

Which use does VPN offer?

A VPN (Virtual Private Network) can be used to set up cost-effective public IP networks, for example via the ultimate network, the Internet.

The models LANCOM 1721 VPN and LANCOM 1711 VPN are equipped with 5 channels by default. The additional LANCOM VPN Option can extend VPN support to 25 active tunnels. The VPN 25 Option also activates the VPN hardware accelerator in the LANCOM 1721 VPN.

While this may sound unspectacular at first, in practice it has profound effects. To illustrate this, let's first look at a typical corporate network without VPN technology. In the second step, we will see how this network can be optimized by the deployment of VPN.

Conventional network infrastructure

First, let's have a look at a typical network structure that can be found in this form or similar forms in many companies:

[Figure: workstation in remote access (e.g. homework), subsidiary]

The corporate network is based on the internal network (LAN) in the headquarters. This LAN is connected to the outside world in three ways:

- A subsidiary is connected to the LAN, typically using a leased line.
- PCs dial into the central network via modem or ISDN connections (Remote Access Service, RAS).
- The central LAN has a connection to the Internet so that
53. n multi device mode or in point to point mode with auto Y Y Y matic D channel protocol identification Supports static and dynamic channel bundling per MLPPP and BACP as well as Stac data compression Hi fn Port for external modem analogue or GSM requires LANCOM modem Y Y Y adapter kit from LCOS 5 0 19 LANCOM 821 LANCOM 1711 VPN LANCOM 1721 VPN E Chapter 1 Introduction LAN connection 4 individual Fast Ethernet LAN ports switchable separately e g as LAN switch or separate DMZ ports auto crossover S USB 2 0 Host Port for future extensions S Security functions IPSec encryption in external software VPN client S 5 integrated VPN tunnels for protection of network connections IPSec encryption in hardware optional activation via the VPN 25 Option IP masquerading NAT PAT to hide all workstations of the LAN behind one common public IP address Stateful Inspection Firewall Firewall filters for a selective locking of IP addresses protocols and ports MAC address filter control e g the access of LAN workstations to IP routing functions Configuration protection to block brute force attacks Y NINIS U NNN N SINIS Y NSIN N NSIS Configuration Configuration with LANconfig or with web browser additionally terminal mode for Telnet or other terminal programs SNMP interface and TFTP server function Remote configuration via ISDN with ISDN PPP connec
54. n on the toolbar.

4.2 Instructions for WEBconfig

In the main menu, select Setup Internet access. In the following window, select your country and your Internet provider if possible, and enter your access information for your Internet connection. Depending on their availability, the wizard will display additional options. The wizard will inform you as soon as the entered information is complete. Complete the configuration with Apply.

Only LANCOM 1721 VPN and LANCOM 1711 VPN

Linking two networks

With the network interconnection (also known as LAN to LAN coupling) of the LANCOM Router, two local networks are linked. The LAN to LAN coupling can be realized in principle in two different ways:

- VPN: For coupling via VPN, the connection between both LANs is established over a specially secured connection through the public Internet. A router with VPN support is required in both LANs.
- ISDN: For coupling via ISDN, a direct connection between both LANs is established over an ISDN connection. A router with ISDN interface is required in both LANs.

Always configure both sides

Both routers involved in the network interconnection must be configured. Care must be taken to ensure that the configuration information provided matches. The following instructions will assume that LANCOM Router rout
55. ndows Me and Windows 9x, or with the command ifconfig on the console under Linux. In this case the LANCOM is reachable under the IP address x.x.x.254 (x stands for the first three blocks in the IP address of the configuration PC).

Network with DHCP server

If a DHCP server is active in the LAN to assign IP addresses, an unconfigured LANCOM device will turn off its own DHCP server. It will change into DHCP client mode and will obtain an IP address from the DHCP server of the LAN. This IP address is not known at first. The accessibility of the device depends on the name resolution:

- If there is a DNS server for name resolution in the LAN which interchanges the assignment of IP addresses to names with the DHCP server, then the device can be accessed by the name LANCOM-<MAC address>, e.g. LANCOM-00a057xxxxxx. The MAC address can be found on a label at the bottom of the device.

[Screenshot: web browser with the device name entered in the address bar]

- If there is no DNS server in the LAN, or it is not linked to the DHCP server, then the device cannot be reached by the name. The following options remain in this case: Figure out the DHCP assigned IP address of the LANCOM by suitable
56. nfigurable for VPN in WAN Art no 60083 LANCOM Modem Adapter Kit for connecting modems analogue or GSM to the serial configuration interface Art no 110288 LANCOM Rack Mount Option Art no 61501 74 LANCOM Advanced VPN Client Art no 61600 LANCOM Advanced VPN Client 10 bulk Art no 61601 LANCOM Advanced VPN Client 25 bulk Art no 61602 LANCOM 821 LANCOM 1711 VPN LANCOM 1721 VPN E Chapter 10 Appendix 10 2 Contact assignment 10 2 1 ADSL interface 6 pin RJ45 socket 2 3 4 b 5 6 10 2 2 Ethernet WAN interface LANCOM 1711 VPN 6 pin RJ45 socket ojo ja juw N l LANCOM 821 LANCOM 1711 VPN LANCOM 1721 VPN E Chapter 10 Appendix 76 10 2 3 ISDN So interface 8 pin RJ45 socket corresponding to ISO 8877 EN 60603 7 1 lt mM z 12345678 3 T 2a 4 R 1a 5 R 1b 6 T 2b 7 p 8 10 2 4 Ethernet interfaces 10 100Base T 8 pin RJ45 socket corresponding to ISO 8877 EN 60603 7 1 T 2 T 3 R 4 5 gt 6 R 7 8 LANCOM 821 LANCOM 1711 VPN LANCOM 1721 VPN E Chapter 10 Appendix 10 2 5 Configuration interface Outband 8 pin mini DIN socket C
57. nformation for the TCP/IP protocol used is the name of a Windows workgroup from the router's own LAN. Remote Windows workgroups do not appear in the Windows Network Neighbourhood, but can only be contacted directly (e.g. via Find Computers).

5.2 Instructions for LANconfig

Perform the configuration on both routers, one at a time. Launch the "Connect two local area networks" wizard. Follow the wizard's instructions and enter the required information.

[Screenshot: Setup Wizard, selection "What do you want to do?"]

The wizard will return a message to indicate that it has all the information it needs. Close the wizard with Finish. After finishing the configuration of both routers, you can test the network connection. Try to contact a computer in the remote LAN (e.g. with a ping). The LANCOM Router should automatically set up a connection to the remote station and contact the required computer.

5.3 Instructions for WEBconfig

Under WEBconfig, the coupling of networks via VPN cannot be configured using the wizard. It can only be set up in the expert configuration. For details please se
58. ng your trust in this LANCOM Systems product. With the LANCOM Router you have chosen a powerful router that possesses integrated DSL, respectively ADSL, and ISDN interfaces by default, as well as an integrated 4-port switch. With this router you can simply and comfortably connect individual PCs or whole local networks to the high-speed Internet.

Security settings

For carefree use of your device, we recommend carrying out all security settings (e.g. firewall, encryption, access protection, charge lock) which are not already activated at the time of purchase of your device. The LANconfig wizard "Check Security Settings" will support you in accomplishing this. Further information regarding this topic can be found in chapter "Security settings".

We additionally ask you to inform yourself about technical developments and current hints for your product on our Web page www.lancom.de, and to download new software versions if necessary.

User manual and reference manual

The documentation of your device consists of two parts: the user manual and the reference manual. You are now reading the user manual. It contains all information you need to start your LANCOM Router. It also contains the most important technical specifications for the device. The reference manual can be found on the CD as an Acrobat (PDF) document. It is designed as a supplement to the user manual and goes into detail on topics that apply to a variety of devices. These include f
59. nitial entry will be permitted to use the internal functions. The circle of authorized users can be expanded by inputting further entries. The filter entries can describe both individual computers and whole networks. The access list can be found in LANconfig in the TCP/IP configuration section on the General tab.

Have you closed critical ports with filters?

The firewall filters of the LANCOM Router devices offer filter functions for individual computers or entire networks. Source and target filters can be set for individual ports or for ranges of ports. In addition, individual protocols or any combinations of protocols (TCP/UDP/ICMP) can be filtered. It is particularly easy to set up the filters with LANconfig. The Rules tab under Firewall/QoS can assist you to define and change the filter rules.

Is your saved LANCOM Router configuration stored in a safe place?

Protect the saved configurations against unauthorized access in a safe place. A saved configuration could otherwise be loaded in another device by an unauthorized person, enabling, for example, the use of your Internet connections at your expense.

Have you activated the mechanism that protects your WAN lines if the device is stolen?

After being stolen, the device can theoretically be operated at another location by unauthorized persons. Password-protected device configurations offer no protection from the operation of the RAS access, LAN coupling or VPN connec
60. nsecure configuration password not assigned green red blinking Time or connect charge reached

Flashing Power LED but no connection?

The power LED flashes red/green in alternation until a configuration password has been specified. Without a configuration password, the configuration data of the LANCOM is insecure. Under normal circumstances, you would assign a configuration password during the basic configuration (see instructions in the following chapter). For information about a later assignment of the configuration password, see the section "Security settings" on page 65.

There's no need to worry if the Power LED blinks red and you can no longer connect to the WAN. This simply indicates that a preset time or connect charge limit has been reached.

Signal for reached time or connect charge limit

There are three methods available for unlocking:

- Reset connect charge protection.
- Increase the limit that has been reached.
- Completely deactivate the lock that has been triggered (set limit to 0).

If a time or connect charge limit has been reached, you will be notified in LANmonitor. To reset the connect charge protection, select Reset Charge and Time Limits in the context menu (right mouse click). You can configure the connect charge settings in LANconfig under Management > Costs you will only be able to access this config
61. onnection password, the checking of the ISDN number and the callback function ensure the security of the connection. The ISDN callback function cannot be configured using the wizard. It can only be set up in the expert configuration. For details please see the reference manual.

Which information is required?

The wizard will set up dial-up access for only one user. Please run the wizard again for each additional user.

6.1.1 General information

The following entries are required to set up a RAS connection. The first column indicates whether the information is required for a connection via VPN (standard method using preshared keys) and/or ISDN. Further details to RAS connections via VPN using enhanced methods (e.g. digital certificates) can be found in the LCOS reference manual.

Required for   Entry
VPN, ISDN      User name
VPN, ISDN      Password
VPN            Shared secret for encryption
VPN            Hide local stations for access to remote network (Extranet VPN)
ISDN           Incoming number of remote station
ISDN           TCP/IP routing for access to remote network
ISDN           IPX routing for access to remote network
VPN, ISDN      IP addresses for the dial-up PCs: static or dynamic by address range (IP address pool)
VPN, ISDN      NetBIOS routing for access to remote network
VPN, ISDN      Name of remote workgroup (NetBIOS only)

Notes to the individual va
62. ons VoIP PBX installations or certain user groups. More details about the function of the Stateful Inspection Firewall of your LANCOM Router can be found in the reference manual on the LANCOM CD.

What does a router do?

The following sections describe the functionality of routers in general. The functions supported by your device are listed in the table "What can your LANCOM Router do?" on page 19.

Routers connect LANs at different locations and individual PCs to form a Wide Area Network (WAN). With the appropriate rights, any computer in this WAN can access other computers and services of the complete WAN (as with PC 1 accessing Server A in the remote LAN in the diagram).

[Figure: PC 1 accessing Server A in the remote LAN]

Connecting a LAN to the Internet does not technically differ from coupling two LANs. The only difference is that it is not just a handful of computers behind the Internet provider's router. Instead it is the net of the networks, the public Internet.

1.4.1 Bridgehead to the WAN

All routers have at least two connections: at least one for the LAN, at least one for WAN connections. In addition to LAN connectivity (10/100 Mbps Ethernet), several models also offer an integrated switch. For connecting to the WAN, the routers use ISDN, xDSL, cable or ADSL connectors. Several devices additionally contain a wireless network card and can thus integra
63. ons that go beyond a previously set amount, protecting you from unexpectedly high connection costs. In LANCOM Router there are three independent budgets: For DSL access you can set a maximum connection time in minutes. In addition to this time budget, there is also a budget for limiting ISDN connection charges. In order for the limitations according to connect charge rates to function properly, it is necessary to enter the information for connect charge rates through ISDN.

Any budget can be deactivated by entering the value 0. It is possible to completely turn off connect charge protection.

Instructions for LANconfig

Start up LANconfig by clicking Start > Programs > LANCOM > LANconfig. LANconfig automatically detects the new LANCOM Router in the TCP/IP network. Then the setup wizard starts, which will help you make the basic settings of the device or will even do all the work for you, provided a suitable network environment exists.

[Screenshot: Setup Wizard, "Basic settings"]

If the setup wizard does not start automatically, start a manual search for new devices on all ports if the LANCOM Router is
64. or example:

- Systems design of the LCOS operating system
- Configuration
- Management
- Diagnosis
- Security
- Routing and WAN functions
- Firewall
- Quality of Service (QoS)
- Virtual Private Networks (VPN)
- Virtual Local Networks (VLAN)
- Backup Solutions
- LANCAPI
- Further server services (DHCP, DNS, charge management)

Model variants

This user manual applies to the following models of the LANCOM Router series:

- LANCOM 821
- LANCOM 1721 VPN
- LANCOM 1711 VPN

Model restriction: The sections of the documentation that refer only to a range of models are marked either in the corresponding text itself or with appropriate comments placed beside the text. In the other parts of the documentation, all described models have been classified under the general term LANCOM Router.

This documentation was compiled by several members of our staff from a variety of departments in order to ensure you the best possible support when using your LANCOM product. In case you encounter any errors, or just want to offer criticism or suggest enhancements, please do not hesitate to send an email directly to info@lancom.de.

Our online services (www.lancom.de) are available to you around the clock should you have any queries regarding the topics discussed in this manual or require any further support. In addition, support from LANCOM Systems is also available to you. Telephone numbe
65. ote access RAS

[Screenshot of the wizard dialog, which reads: This wizard will help you to set up a remote access (RAS). For example, an employee can use it to dial into the company network from outside. Except for direct ISDN access, this remote access will be secured using VPN (Virtual Private Network). This will ensure that no third party will be able to read your data, even when the transmission takes place over the Internet. There are different precautions to take depending on the route of remote access. Which kind of remote access do you want? Options shown: VPN connection over Wireless LAN (IPSec over WLAN); Direct ISDN connection without using VPN.]

The wizard then asks for the values that have been defined during the installation of the RAS access in the LANCOM Router.

6.2.2 Dial-up via ISDN

A number of settings must be configured on the dial-in computer. These are briefly listed here based on a Windows computer:

- Dial-Up Networking (or another PPP client) must be correctly configured
- Network protocol (TCP/IP, IPX) installed and bound to the dial-up adapter
- New connection in Dial-Up Networking with the call number of the router
- Terminal adapter or ISDN card set to PPPHDLC
- PPP selected as the Dial-Up server type
- "Enable software compression" and "Require data encryption" unchecked
- Select desired network protocols (TCP/IP, IPX)
66. r the connection can't be established, the Online LED will light up red. The reason for this is usually one of the following:

Problems with the cabling?

Only the cable provided with your device should be used to connect to the WAN. This cable must be connected to the Ethernet port of your broadband access device. The WAN link LED must light green, indicating the physical connection.

Has the correct transfer protocol been selected?

The transfer protocol is set along with the basic settings. The basic setup wizard will enter the correct settings for numerous DSL providers automatically. Only if your DSL provider is not listed will you have to enter the protocol being used manually. In any case, the protocol that your DSL provider supplies you with should definitely work. You can monitor and correct the protocol settings under:

LANconfig: Management > Interfaces > Interface settings > WAN Interface
WEBconfig: Expert Configuration > Setup > Interfaces > WAN Interface

DSL data transfer is slow

The data transfer rate of a broadband (Internet DSL) connection is dependent upon numerous factors, most of which are outside of one's own sphere of influence. Important factors, aside from the bandwidth of one's own Internet connection, are the Internet connection and current load of the desired target. Nume
67. re prompted for a user name and password by your web browser when accessing the device in the future, enter your personal values to the corresponding fields. Please note that the password is case-sensitive. If you are using the common configuration account, enter the corresponding password only. Leave the user name field blank.

[Screenshot: login dialog with User name and Password fields; caption: Entering the configuration password]

Manual IP address assignment

If the IP addresses in the network are assigned statically, then for each PC the IP address of the LANCOM Router must be set in the TCP/IP configuration as the standard gateway and as a DNS server. For further information and help on the TCP/IP settings of your LANCOM Router, please see the reference manual. For more information on the network configuration of the workstation computers, please refer to the documentation of your operating system.

4 Setting up Internet access

All computers in the LAN can take advantage of the central Internet access of the LANCOM Router. The connection to the Internet provider can be established via any WAN connection. Internet access via ISDN can be used as a backup connection for DSL, for example. DSL or ISDN connection LANCOM Router rou
68. resses to users when they dial in. In this case you only need to specify the IP address range that the LANCOM Router should use for RAS users. During both manual and automatic IP address assignment, please ensure that only free addresses from the address range of your local network are used. In our example, the IP address 10.0.1.101 will be assigned to the PC when connecting. This IP address makes the computer a fully fledged member of the LAN: with the appropriate rights, it can access all of the other devices in the LAN. The same applies in the other direction as well: computers in the LAN will also be able to access the remote machine.

6.1.3 Settings for IPX

Two IPX network numbers must be provided for remote access to an IPX network:

- the IPX network number of the head office
- an additional IPX network number for the higher-level WAN

[Figure: LAN of the head office (IPX network no. 00000001, binding Ethernet_II) and remote workstation (user SAMPLE, ISDN adapter), linked by a VPN or ISDN connection; WAN IPX network no. 00000009; IPX internal net 00020002; telephone numbers 0123 123456 and 0123 777888]

The required network numbers are designated as "External Network Numbers". Like IP network addresses, they apply to an entire LAN segment. On the other hand, internal IPX numbers are used to address specific Novell se
69. rk in the wizard must be specified. The domain can only be specified in the LANconfig wizard. In WEBconfig, enter the appropriate information later in the expert configuration. For more information see the LANCOM Router reference manual.

Extranet VPN

Finally, one can decide whether access to local stations is permitted. In this "Extranet VPN" operating mode, the IP stations do not expose their IP address to the remote LAN; rather, they are hidden behind the VPN gateway's IP address. Therefore the stations within the remote LAN cannot access IP stations in the other LAN directly. For example, if a headquarters LAN in Extranet VPN mode is hidden behind its gateway's address 10.10.2.100, and one of its IP stations (e.g. 10.10.2.13) accesses the IP station 10.10.1.2 of the branch office, then the branch office's IP station appears to be accessed by 10.10.2.100. The true IP address of the accessor (10.10.2.13) is hidden.

If two LANs are to be coupled in Extranet mode, make sure to enter the outbound Extranet IP address of the remote site, not its Intranet address. In the example, this is 10.10.2.100. The appropriate netmask for the Extranet IP address is then 255.255.255.255.

Settings for the IPX router

The coupling of IPX networks via VPN cannot be configured using the wizard. It can only be set up in the expert configuration. For details please see the reference manual. Coupl
70. rous other factors involving the Internet itself can also influence the transfer rate.

Increasing the TCP/IP window size under Windows

If the actual transfer rate of a DSL connection is significantly below the fastest rate listed by the provider, there are only a few possible causes, apart from the above-mentioned external factors, which may involve one's own equipment. One common problem occurs when large amounts of data are sent and received simultaneously with a Windows PC using an asynchronous connection. This can cause a severe decrease in download speed. The cause of this problem is what is known as the TCP/IP receive window size of the Windows operating system, which is set to a value too small for asynchronous connections. Instructions on how to increase the window size can be found in the Knowledge Base of the support section of the LANCOM web site www.lancom.de.

Unwanted connections under Windows XP

Windows XP computers attempt to compare their clocks with a timeserver on the Internet at start-up. This is why, when a Windows XP computer in the WLAN is started, a connection to the Internet is established by the LANCOM. To resolve this issue, you can turn off the automatic time synchronization on the Windows XP computers under Right mouse click on the time of day > Properties > Internet time.

Cable testing

A cabling defect might have occurred if no data is transmitted over LAN or WAN connection although the configuration o
71. rs and contact information for LANCOM Systems support can be found on a separate insert or at the LANCOM Systems website.

Symbols used in this manual:

- Very important instructions. If not followed, damage may result.
- Important instruction that should be followed.
- Additional instructions which can be helpful but are not required.

Contents

1 Introduction
1.1 How does ADSL work?
1.2 Which use does VPN offer?
1.3 Firewall
1.4 What does a router do?
1.4.1 Bridgehead to the WAN
1.4.2 Areas of deployment for routers
1.5 Voice over IP
1.6 What can your LANCOM Router do?

2 Installation
2.1 Package contents
2.2 System preconditions
2.3 Introducing LANCOM Router
2.3.1 Status displays
2.3.2 The back of the unit
2.4 Hardware installation
2.5 Software installation
2.5.1 Starting LANCOM setup
2.5.2 Which software should you install?

3 Basic configuration
3.1 Which information is necessary?
3.1.1 TCP/IP settings
3.1.2 Configuration protection
3.1.3 Settings for the DSL connection
3.1.4 Settings for the ISDN connection
3.1.5 Connect charge protection
3.2 Instructions for LANconfig
3.3 Instructions for WEBconfig
3.4 TCP/IP settings to workstation PCs
72. rvers in the LAN. All three specified network numbers must be distinct from one another and from all used internal IPX network numbers. In addition, it may be necessary to enter the frame type (binding). Specifying the IPX network number and binding used is not necessary if the remote network also contains a Novell server. A network number for the WAN must also be entered manually in this case, however.

Settings for NetBIOS routing

All that is required to use NetBIOS is the name of a Windows workgroup from the router's own LAN. The connection is not established automatically. The RAS user must manually establish a connection to the LANCOM Router via Dial-Up Networking first. When connected, they can search for and access computers in the remote network via Find > Computers (not through the Network Neighbourhood).

6.2 Settings for the dial-in computer

6.2.1 Dial-up via VPN

For dialing into a network via VPN, a workstation requires:

- an Internet access
- a VPN client

ELSA offers a 30 days trial version of the LANCOM Advanced VPN Client on the LANCOM CD. A detailed description of the LANCOM Advanced VPN Client and a description of its installation can also be found on the CD.

For configuring a new profile, select the option "LANCOM Advanced VPN Client" in the configuration wizard s Setup Wizard for PN_NHAMEL x Provide rem
73. t access; Provide remote access (RAS, also VPN); Connect two local area networks (also VPN); Configure firewall; Configure Dynamic DNS. In the selection menu, select the setup wizard Control Security Settings and confirm your choice with Next. Enter your password in the following windows and select the allowed protocols for the configuration access from local and remote networks. Additionally, enter the MSN for remote configuration via ISDN. In a next step, parameters of the configuration lock, like the number of failed log-in attempts and the duration of the lock, can be adjusted. Now activate Stateful Inspection, ping blocking and Stealth mode in the firewall configuration. The wizard will inform you when entries are complete. Complete the configuration with Finish. 8.1.2 Wizard for WEBconfig: Under WEBconfig you have the possibility to run the wizard Security settings to control and change the settings. The following values are handled: password for the device; allowed protocols for the configuration access of local and remote networks; the MSN for remote configuration via ISDN; parameters of configuration lock (number of failed log-in attempts and duration of the lock). 8.2 The firewall wizard: The LANCOM Router incorporates an effective protection of your LAN and WLAN when accessing the In
74. te also stations of WLANs (Wireless LANs) into the routing. The router's task is to transfer data from the local network to the target network via a suitable WAN connection. Data is also transferred from the WAN to the desired recipients in the LAN. Areas of deployment for routers: Routers are mainly used for the following applications. Internet access for a LAN (e.g. via DSL or ISDN): The Internet consists of countless large and small networks that are interconnected into the world's largest WAN via routers. The router links all the workstation computers on your local area network to the global Internet. Security functions such as IP masquerading protect your LAN against unauthorized access from outside. LAN to LAN coupling (via VPN or ISDN): LAN to LAN coupling links individual LANs to form one large network, even if this means crossing continents. A typical example: A branch office is to be connected to the LAN of the headquarters. In principle you can connect LANs in two ways. High-speed coupling via VPN: The fastest and most economical LAN to LAN links are possible with VPN (Virtual Private Network) technology, as VPN uses the Internet as the basis for its communications. The fast xDSL connection of the router comes into its own here. The precondition: a VPN gateway with access to the Internet is required on either side of th
75. ter in the LAN of the Internet provider. Does the setup wizard know your Internet provider? A convenient wizard is available to help you set up Internet access. The wizard knows the access information of major Internet providers and will offer you a list of providers to choose from. If you find your Internet service provider on this list, you normally will not have to enter any further transfer parameters to configure your Internet access. Only the authentication data that are supplied by your provider are required. Additional information for unknown Internet providers: If the setup wizard does not know your Internet provider, it will prompt you for all of the required information step by step. Your provider will supply this information. ADSL: Protocol: PPP, PPPoA, PPPoE, Plain IP (IPoA) or Plain Ethernet; ATM parameter: VPI (Virtual Path Identifier) and VCI (Virtual Circuit Identifier); VC or LLC based multiplexing. Additionally for Plain IP (IPoA) and Plain Ethernet: a dedicated public IP address with netmask (not to be confused with the private LAN IP address), default gateway and DNS server. These values can be received automatically from providers that support DHCP. DSL: Protocol: PPPoE, PPTP or Plain Ethernet (IPoE). Additionally for Plain Ethernet: own public IP address with netmask, not to be con
76. ternet by its Stateful Inspection firewall and its firewall filters. The basic idea of the Stateful Inspection firewall is that only self-initiated data transfer is considered allowable. All unrequested access attempts that were not initiated from the local network are inadmissible. The firewall wizard assists you to create new firewall rules quickly and comfortably. Please find further information about the firewall of your LANCOM Router and about its configuration in the reference manual. Wizard for LANconfig: The firewall wizard assists you to create new firewall rules quickly and comfortably. Mark your LANCOM Router in the selection window. Select from the command bar Extras > Setup Wizard. (Screenshot: Setup Wizard for LANCOM 1811 Wireless DSL, offering Check security settings, Set up Internet access, Provide remote access (RAS, also VPN), Connect two local area networks (also VPN), Configure Dynamic DNS.) In the selection menu, select the setup wizard Configuring Firewall and confirm your choice with Next. In the following windows, select the services/protocols the rule should be related to. Then you define the source and destination stations for
77. (Screenshot: Windows Control Panel with the Modems dialog listing the installed modems, including LANCOM CAPI Faxmodem.) 7.2 Installation of the MS Windows fax service: Select the option Printers and Faxes from the control panel. Select the option Set up faxing from the window Printers and Faxes. Follow, if necessary, the instructions of the installation tool. An icon for the newly installed fax printer will appear in the window. (Screenshot: Printers and Faxes window showing the Fax printer.) For checking the installation, click with the right mouse button on the fax icon and select Properties. The LANCOM LANCOM VPN should now be entered into r
78. the serial port (RS-232, V.24) of a PC. Use the cable supplied for this purpose. Connect the configuration port of the LANCOM (LANCOM 821 and LANCOM 1721 VPN, or LANCOM 1711 VPN) with a free serial port of the PC. Alternatively, you may connect an external modem (analogue or GSM) to the serial port using the LANCOM modem adapter kit, if you would like to make use of an additional WAN line for remote maintenance, backup connections or dynamic VPN. Connect to power: Connect socket of the unit to a power supply using the included power adapter. Use the supplied power supply unit only. Using an unsuitable power supply unit may cause damage or injury. Operational? After a short device self-test, the Power LED will be permanently lit. Green LAN LEDs indicate the LAN sockets that have functioning connections. Example configuration for LANCOM 1711 VPN: modem adapter kit with external modem; PC for configuration with serial interface. The models LANCOM 821 and LANCOM 1721 VPN can be connected to the splitter directly using the integrated ADSL modem. (Figure labels: ADSL modem, splitter, phone line.) Devices with integrated ADSL modem could become quite warm during their operation. Concerning these models, please pay attention to the ambient air temperature range of max. 35 °C. Make sure that the ventilation is sufficient. Do
79. ther incoming and outgoing calls being rejected. Data compression: this permits an additional increase in data throughput. 4.1 Instructions for LANconfig: Highlight the LANCOM Router in the selection window. From the menu bar, select Tools > Setup Wizard. (Screenshot: Setup Wizard for LANCOM 1811 Wireless DSL, offering Check security settings, Provide remote access (RAS, also VPN), Connect two local area networks (also VPN), Configure firewall, Configure Dynamic DNS.) From the menu, select the Setup Internet access wizard and click Next. In the following window, select your country and your Internet provider if possible, and enter your access information. Depending on their availability, the wizard will display additional options for your Internet connection. The wizard will inform you as soon as the entered information is complete. Complete the configuration with Finish. LANconfig: Quick access to the setup wizards. Under LANconfig, the fastest way to launch the setup wizards is via the butto
80. tion access can be enabled at any time using the security wizard (see "Have you permitted remote configuration?" on page 68). Settings for the DSL connection: For the WAN connection, it may be necessary to enter the transfer protocol being used. The wizard will, for example, automatically enter the correct settings for major DSL providers. You only need to enter the protocol used by your access provider if the wizard does not list your provider. Settings for the ISDN connection: Set up the basic configuration of your ISDN connection if required. You will need the following data: One or more ISDN MSNs on which the router will accept calls. MSNs are ISDN subscriber numbers that are assigned to you by your telephone provider. They are normally entered without an area code. These numbers are only relevant for the router functions LAN to LAN coupling and RAS, not for remote configuration and LANCOM VPN Option. A dialing prefix for access to the public telephone network. This is normally required only when using an ISDN PBX. "0" is the usual prefix. It is used for all outgoing calls. Finally, you should know whether your telephone provider transmits an ISDN connect charge pulse. This signal can be used by the LANCOM Router for connect charge budgets and the accounting function. 3.1.5 Connect charge protection: Connect charge protection blocks connecti
81. tion via a web browser. LANmonitor lets you monitor, on a Windows PC, all LANCOM routers and Wireless LAN access points. LANCAPI is a special form of the CAPI 2.0 interface that all workstations of the LAN need to get access to office communication functions such as fax or EuroFile transfer. With LANCAPI Dial-Up Networking Support, single workstations can realize dial-up connections to an Internet provider via LANCAPI. The CAPI fax modem provides you with a first-class fax driver. The LANCOM VPN Client enables the setup of VPN connections from a remote workstation via Internet to a router with LANCOM VPN Option. With LANCOM Online Documentation, you can copy the documentation files on your PC. Select the appropriate software options and confirm your choice with Next. The software is automatically installed. 3 Basic configuration: The basic configuration can be performed on a step-by-step basis using a convenient setup wizard to guide you through the setup process and prompt you for the required information. First, this chapter will inform you which information is required for the basic configuration. Use this section to assemble the information you will need before launching the wizard. Next, enter the data in the setup wizard. Launching the wizard and the process itself are described step by step, with separate sections for
82. tions, e.g. via Windows network and dial-up connections; Serial configuration interface; Callback function with PPP authentication mechanisms for restriction to fixed ISDN telephone numbers; FirmSafe with firmware versions for absolutely secure software upgrades. Optional software extensions: SIP Gateway and Proxy functionality (from LCOS 6.0); ISDN leased line option; LANCOM VPN Option with 25 active tunnels for protection of network couplings. Optional hardware extensions: LANCOM Modem Adapter Kit for connection of analog or GSM modems to the serial interface. 2 Installation: This chapter will assist you to quickly install hardware and software. First, check the package contents and system requirements. The device can be installed and configured quickly and easily if all prerequisites are fulfilled. 2.1 Package contents: Please check the package contents for completeness before starting the installation. In addition to the device itself, the package should contain the following accessories: Power adapter; LAN connector cable (green plugs); WAN connector cable (dark blue plugs); ADSL connector cable (transparent plugs); ISDN connector cable (light blue plugs); Connector cable for the configuration interfac
83. tions that are set up in the device, a thief could gain access to a protected network. The device's operation can be protected by various means; for example, it will cease to function if there is an interruption to the power supply, or if the device is switched on in another location. With the ISDN site verification, the device can only be operated at one particular ISDN connection. After being switched on, the device calls itself at the corresponding telephone number to check that it is still connected to the proper ISDN connection. The scripting function can store the entire configuration in RAM only, so that restarting the device will cause the configuration to be deleted. The configuration is not written to the non-volatile flash memory. A loss of power because the device has been relocated will cause the entire configuration to be deleted. Further information can be found in the reference manual. 9 Troubleshooting: In this chapter, you will find suggestions and assistance for a few common difficulties. 9.1 No WAN connection is established: After start-up, the router automatically attempts to connect to the access provider. During this process, the Online LED will blink green. If successful, the LED will switch over to steady green. If howeve
84. uration if "Complete configuration display" is selected under View > Options. You will find the connect charge protection reset in WEBconfig and all parameters under Expert Configuration > Setup > Charges module. Online: The Online LED indicates the overall status of all WAN ports. off: no active connection; green flashing: establishing first connection; green inverse flashing: establishing further connection; green constantly on: at least one connection established; red constantly on: error establishing the previous connection. ADSL Status (only LANCOM 821 and LANCOM 1721 VPN): Connection status of the ADSL link. off: not connected; green blinking: initialisation; green constantly on: synchronisation successful; red flickering: error (CRC error, framing error etc.); red constantly on: synchronisation failed; red blinking: hardware error; orange. WAN Status (only LANCOM 1711 VPN): Connection status of the WAN connection. off: no logic connection; green flashing: establishing first connection; green inverse flashing: establishing further connection; green constantly on: at least one connection established; red constantly on: error during connection. WAN Data (only LANCOM 1711 VPN). ADSL Data (only LANCOM 821 and LANCOM 1721 VPN): Data traffic via the ADSL link
