ZyXEL P-661H-D User's Manual

Contents
1. IKE is more secure than manual key, because IKE negotiation can generate new keys and SPIs randomly for the VPN connection.

13. What is the Phase 1 ID for?

In IKE phase 1 negotiation, the IP address of the remote peer is treated as an indicator to decide which VPN rule must be used to serve the incoming request. However, in some applications the remote VPN box or client software is using an IP address dynamically assigned by the ISP, so the P-661H-D needs additional information to make the decision. Such additional information is what we call the phase 1 ID. In the IKE payload, there are local and peer ID fields to achieve this.

All contents copyright 2006 ZyXEL Communications Corporation. ZyXEL P-661H-D Series Support Notes.

14. What is FQDN?

FQDN (Fully Qualified Domain Name): the IKE standard takes it as one type of Phase 1 ID.

As we mentioned, the Phase 1 ID is an identification for each VPN peer. The type of Phase 1 ID may be IP, FQDN (DNS) or User FQDN (E-mail). The content of the Phase 1 ID depends on the Phase 1 ID type. The following is an example of how to configure the phase 1 ID:

ID type | Content
IP      | 202.132.154.1
DNS     | www.zyxel.com
E-mail  | support@zyxel.com.tw

Please note that on the Prestige, if the DNS or E-mail type is chosen, you can still use a random string as the content, such as "this_is_Prestige". It is not necessary to follow the format exactly.

By default, the device takes IP as the phase 1 ID type for itself and its remote peer. But if its remo
2. [CLI output residue of "wan atm vchunt disp": a table with columns Configure Buffer, RemoteNode (Read Only), VPI/VCI, EN and User setting]

3. Delete items from the auto-hunting preconfigured table by using the command:

wan atm vchunt remove <remote node> <vpi> <vci>

[CLI output residue of "wan atm vchunt remove" followed by "wan atm vchunt display": the same table with columns Configure Buffer, RemoteNode (Read Only), VPI/VCI and EN]

• Using Zero Configuration

You can enable/disable Zero Configuration in Network > WAN > Advanced Setup.

[Screenshot residue: ATM QoS fields (ATM QoS Type CBR, cell/sec rates, Sustain Cell Rate 0 cell/sec, Maximum Burst Size in cells), the Zero Configuration option and an Apply button]

1. After configuring the auto-hunting preconfigured table, you just need a PC connected to the device's LAN Ethernet port with the DSL synced up.

2. Open your web browser to access a web site. It should prompt and request the username/password of your ISP account (if your ISP provides PPPoE or PPPoA service).

3. After keying in the correct info, it will then test the connection. If it is successful, it will then close the browser and you can open a new browser to surf the Internet. If the connection test fails, it will go back to the page asking for the user name and password.
3. 2. What is the expected throughput?

In our test, we can get about 1.6Mbps data rate on 15Kft using the 26AWG loop. The shorter the loop, the better the throughput is.

3. What is the microfilter used for?

Generally, the voice band uses the lower frequency range from 0 to 4KHz, while ADSL data transmission uses the higher frequencies. The microfilter acts as a low-pass filter for your telephone set to ensure that ADSL transmissions do not interfere with your voice transmissions. For details about how to connect the microfilter, please refer to the user's manual.

4. How do I know the ADSL line is up?

You can see that the DSL LED (green) on the P-661H-D's front panel is on when the ADSL physical layer is up.

5. How does the P-661H-D work on a noisy ADSL line?

Depending on the line quality, the P-661H-D uses "Fall Back" and "Fall Forward" to automatically adjust the data rate.

6. Does VC-based multiplexing perform better than LLC-based multiplexing?

Though LLC-based multiplexing can carry multiple protocols over a single VC, it requires extra header information to identify the protocol being carried on the virtual circuit (VC). VC-based multiplexing needs a separate VC for carrying each protocol, but it does not need the extra headers. Therefore, VC-based multiplexing is more efficient.

7. How do I know the details
4. [Screenshot residue: HyperTerminal "Connect To" dialog: Country/region China (86), area code, phone number, Connect using TCP/IP (Winsock), host address 192.168.1.1, port 23, with the options "Use country/region code and area code" and "Redial on busy"]

Step 3: So that after you invoke the relevant commands, you could save the logs you've captured.

[Screenshot residue: HyperTerminal Transfer menu (Send File, Receive File, Capture Text, Send Text File, Capture to Printer) over a captured packet trace: MPOA00 and ENET1 channel entries, an ARP Request for 172.x.x.x, Ethernet packets, and UDP 172.25.21.51:137 > 172.25.21.255:137 lines]
5. We have tested the P-661H-D successfully with the following third-party VPN gateways:

• Cisco 1720 Router, IOS 12.2(2)XH, IP/ADSL/FW/IDS PLUS IPSEC 3DES
• NetScreen 5, ScreenOS 2.6.0r6
• SonicWALL SOHO 2
• WatchGuard Firebox II
• Avaya VPN
• Netopia VPN
• III VPN

8. What VPN software has been tested with the P-661H-D successfully?

We have tested the P-661H-D successfully with the following third-party VPN software:

• SafeNet Soft-PK (3DES edition)
• Checkpoint Software
• SSH Sentinel 1.4
• SecGo IPSec for Windows
• F-Secure IPSec for Windows
• KAME IPSec for UNIX
• Nortel IPSec for UNIX
• Intel VPN v6.90
• FreeS/WAN for Linux
• SSH Remote ISAKMP Testing Page (http://isakmp-test.ssh.fi/cgi-bin/nph-isakmp-test)
• Windows 2000 IPSec

9. What is the difference between "My IP Address" and "Secure Gateway IP Address" in the VPN Setup web page?

"My IP Address" is the Internet IP address of the local P-661H-D. The "Secure Gateway IP Address" is the Internet IP address of the remote IPSec gateway.

10. Is a host behind NAT allowed to use IPSec?

NAT situation                  | Supported IPSec mode
VPN Gateway embedded NAT       | AH tunnel mode, ESP tunnel mode
VPN client/gateway behind NAT  | ESP tunnel mode
NAT in Transport mode          | None

The NAT router must support IPSec pass-through. For example, for P-661H-D SUA/NAT routers
6. [Screenshot residue: Windows TCP/IP Properties dialog (tabs Bindings, Advanced, NetBIOS, DNS Configuration, Gateway, WINS Configuration, IP Address): "An IP address can be automatically assigned to this computer. If your network does not automatically assign IP addresses, ask your network administrator for an address, and then type it in the space below." with the option "Specify an IP address"]

Set up your P-661H-D under routing mode

The following procedure shows you how to configure your P-661H-D in Routing mode for routing traffic. We will use the Web Configurator to guide you through the related menus.

1. Configure the P-661H-D in routing mode and configure the Internet setup parameters in Web Configurator, Advanced Setup, Network > WAN > Internet Connection.

Key Settings:

Option                | Description
Encapsulation         | Select the correct Encapsulation type that your ISP supports. For example, RFC 1483.
Multiplexing          | Select the correct Multiplexing type that your ISP supports. For example, LLC.
VPI & VCI number      | Specify a VPI (Virtual Path Identifier) and a VCI (Virtual Channel Identifier) given to you by your ISP.
IP Address Assignment | Set to Dynamic if the ISP provides the IP for the P-661H-D dynamically. Otherwise, set to Static and enter the IP in the IP Address field.

2. Configure a LAN IP for the P-661H-D and the DHCP settings in Web Configurator, Advanced Set
7. [Screenshot residue: Dynamic DNS setup page: Dynamic DNS Type, Enable Wildcard Option, Enable off line option (only applies to custom DNS), IP Address Update Policy: Use WAN IP Address / Dynamic DNS server auto detect IP Address / Use specified IP Address 0.0.0.0]

Key Settings:

Option           | Description
Active           | Toggle to Yes.
Service Provider | Enter the DDNS server in this field. Currently, we support WWW.DYNDNS.ORG.
Host Name        | Enter the hostname you subscribe from the above DDNS server. For example, zyxel.com.tw.
User Name        | Enter the user name that the DDNS server gives to you.
Password         | Enter the password that the DDNS server gives to you.
Enable Wildcard  | Enter the hostname for the wildcard function that WWW.DYNDNS.ORG supports. Note that the Wildcard option is available only when the provider is http://www.dyndns.org.

7. Network Management Using SNMP

• ZyXEL SNMP Implementation

ZyXEL currently includes SNMP support in some P-661H-D routers. It is implemented based on SNMPv1, so it will be able to communicate with SNMPv1 NMSs. Further, users can also add ZyXEL's private MIB in the NMS to monitor and control additional system variables. ZyXEL's private MIB tree is shown in figure 3. For SNMPv1 operation, ZyXEL permits one community string, so the router can belong to only one community and allows trap messages to be sent to only one NM
8. In this case, we use bridge mode, which works as an ADSL modem to connect to the ISP. The ISP will generally give one Internet account and limit only one computer to access the Internet.

Most Internet users having multiple computers want to share an Internet account for Internet access, so they have to add another Internet sharing device, like a router. In this case, we use the router mode, which works as a general router plus an ADSL modem.

7. How do I know I am using PPPoE?

PPPoE requires a user account to log in to the provider's server. If you need to configure a user name and password on your computer to connect to the ISP, you are probably using PPPoE. If you are simply connected to the Internet when you turn on your computer, you probably are not. You can also check with your ISP or the information sheet given by the ISP. Please choose PPPoE as the encapsulation type in the P-661H-D if the ISP uses PPPoE.

8. Why does my provider use PPPoE?

PPPoE emulates a familiar dial-up connection. It allows your ISP to provide services using their existing network configuration over the broadband connections. Besides, PPPoE supports a broad range of existing applications and services, including authentication, accounting, secure access and configuration management.

9. What is DDNS?

The Dynamic DNS service allows you to alias a dynamic IP address to a static hostname, allowing your computer to be more easily accessed from various locations on the Interne
9. P-661H-D's single user account. See the figure below.

[Figure residue: LAN1 192.168.1.0/24, LAN2 192.168.2.0/24 and LAN3 192.168.3.0/24 connected through the Prestige to the ISP. Caption: The Prestige's IP Alias connects three local networks to the Internet.]

The P-661H-D supports three virtual LAN interfaces via its single physical Ethernet interface. The first network can be configured in Web Configurator, Advanced Setup, Network > LAN > DHCP Setup. The second and third networks, which we call "IP Alias 1" and "IP Alias 2", can be configured in Network > LAN > IP Alias.

There are three internal virtual LAN interfaces for the P-661H-D to route the packets from/to the three networks correctly. They are enif0 for the major network, enif0:0 for IP alias 1 and enif0:1 for IP alias 2. Therefore, three routes are created in the P-661H-D, as shown below, when the three networks are configured. If the P-661H-D's DHCP is also enabled, the IP pool for the clients can be any of the three networks.

[Telnet screenshot residue (telnet 192.168.1.1): a routing table with Device, Gateway, Metric, Stat and Timer columns listing 192.168.1.1, 192.168.2.1 and 192.168.3.1 on the Ethernet interface, followed by interface output for enif0: mtu, inet 192.168.1.1, netmask, broadcast 192.168.1.255, RIP None, and counters (InOctets, InUnicast, InMulticast, InDiscards, InErrors, InUnknownProtos, OutOctets)]
10. Users can benefit from such an application when the number of branch offices is very large, because no additional VPN tunnels between branch offices are needed. In this support note, we skip the detailed configuration steps for Internet access and presume that you are familiar with basic ZyNOS VPN configuration.

As the figure below shows, each branch office has a VPN tunnel to headquarters, so PCs in branch offices can access systems in headquarters via the tunnel. Through VPN routing, the Prestige series now provides a solution to let PCs in branch offices talk to each other through the existing VPN tunnels concentrated on headquarters.

[Figure residue: PC 1 in Branch A and PC 2 in Branch B, each connected by a tunnel to headquarters]

The IP addresses we use in this example are as shown below:

Branch A:     WAN 202.3.1.1, LAN 192.168.3.1, subnet 192.168.3.0/24
Headquarters: WAN 202.1.1.1, LAN 192.168.1.1, subnet 192.168.1.0/24
Branch B:     WAN 202.2.1.1, LAN 192.168.2.1, subnet 192.168.2.0/24

Step 1: Set up VPN in branch office A

VPN routing enables branch offices to talk to each other via tunnels concentrated on headquarters. In this step, we configure an IPSec rule in Prestige "Branch_A" for PCs behind branch office A to access both LAN segments of headquarters and branch office B. Because the LAN segments of headquarters and branch office B are contiguous, we merge them into one single rule by including these two segments in Remote 
11. system logs are migrated to centralized logs. So you can view firewall logs in Centralized logs: Web Configurator, Advanced Setup, Maintenance > Logs > View Log.

The log keeps 128 entries; new entries will overwrite the old entries when the log has more than 128 entries.

Before you can view firewall logs, there are two steps you need to do:

1. Enable the log function in Centralized logs setup via either one of the following methods:

• Web configuration: Advanced Setup, Maintenance > Logs > Log Settings; check the Access Control and Attacks options depending on your real situation.
• CI command: sys logs category access attack

2. Enable the log function in the firewall default policy or in firewall rules.

After the above two steps, you can view firewall logs via:
• Web Configurator, Advanced Setup, Maintenance > Logs > View Log
• the CI command: sys logs disp

You can also receive Centralized logs via mail or syslog; please configure the mail server or Unix syslog server in Web configuration, Advanced Setup, Maintenance > Logs > Log Settings.

4. When does the P-661H-D generate the firewall alert?

The P-661H-D generates the alert when an attack is detected by the firewall and sends it via email. So, to send the alert, you must configure the mail server and email address using Web Configurator, Advanced Set
12. the default port and the client IP have to be specified in Web Configurator, Network > NAT > SUA Server Setup.

11. How do I configure the P-661H-D with NAT for internal servers?

Generally, without IPSec, to configure an internal server for outside access we need to configure the server's private IP and its service port in the SUA/NAT Server Table.

However, if both NAT and IPSec are enabled in the P-661H-D, editing the table is necessary only if the connection is a non-secure connection. For secure connections, no SUA server settings are required, since the private IP is reachable in the VPN case.

12. I am planning my P-661H-D behind a NAT router. What do I need to know?

Suppose: host - P-661H-D - NAT Router - Internet - Secure host

Some tips for the configuration:

1. The NAT router must support pass-through of the IPSec protocol. Only ESP tunnel mode can work in the NAT case. The default port (UDP port 500) and the P-661H-D's WAN IP must be configured in the NAT router's SUA/NAT Server Table.

2. On the Secure host side, the WAN IP of the NAT router is the tunneling endpoint for this case, not the WAN IP of the P-661H-D. For example:

On the P-661H-D: My IP Address = P-661H-D's WAN IP; Secure Gateway IP Address = Secure host's IP
On the Secure host: My IP Address = Secure host's IP; Secure Gateway IP Address = NAT Router's WAN IP

13. How can I keep a tunnel alive?

To keep a tunnel alive, you can check the "keep alive" option when configuring your VPN tunnel. W
13. [Trace output residue: brief trace lines of the form "<index> <timer> ENET0-R[<length>]" and "ENET0-T[<length>]" for the LAN channel, preceded by the commands "sys trcp sw on" and "sys trcd brief"]

2. Trace WAN packet

[Trace output residue: TCP packets 192.168.1.33:1829 > 192.168.1.1:23 and 192.168.1.1:23 > 192.168.1.33:1829, repeated in both directions]
14. [Screenshot residue: Edit Address Mapping Rule 2: Type One-to-One, Local Start IP, Local End IP, Global Start IP, Global End IP N/A, Server Mapping Set N/A]

Rule 3 Setup: Select Many-to-One type to map the other clients to IGA3 (200.0.0.3).

[Screenshot residue: Edit Address Mapping Rule 3: Type Many-to-One, Local Start IP 0.0.0.0, Local End IP 255.255.255.255, Global Start IP 200.0.0.3, Global End IP N/A, Server Mapping Set N/A, Edit Details]

Rule 4 Setup: Select Server type to map our web server and mail server with ILA3 (192.168.1.20) to IGA3.

[Screenshot residue: Edit Address Mapping Rule 4: Type Server, Local Start IP, Global Start IP 200.0.0.3, Server Mapping Set 2, Edit Details, Cancel]

Menu Network > NAT > Address Mapping should look as follows now:

Address Mapping Rules (General / Port Forwarding / Address Mapping)

Rule | Local Start IP | Local End IP    | Global Start IP | Global End IP | Type
1    | 192.168.1.10   |                 | 200.0.0.1       |               | One-to-One
2    | 192.168.1.11   |                 | 200.0.0.2       |               | One-to-One
3    | 0.0.0.0        | 255.255.255.255 | 200.0.0.3       |               | Many-to-One
4    |                |                 | 200.0.0.3       |               | Server
5-10 | (empty)

Step 3: Now we configure all other incoming traffic to go to our web server and mail server from Web Configurator, Advanced Setup, Network > NAT > Port
15. Type as IP, and Content as 0.0.0.0 in the example. Peer ID Type as IP, and Content as 0.0.0.1 in the example.

[Screenshot residue: Address Information: Local ID Type IP, Content 0.0.0.0, My IP Address; Peer ID Type IP, Content, Secure Gateway Address]

Note: Make sure the ID Type and content are consistent between the two VPN secure gateways. As in the example, we've finished this field on Prestige A; then, when we configure Prestige B, we should make it fit the following table:

                       | Prestige A  | Prestige B
Local ID Type/Content  | IP 0.0.0.0  | IP 0.0.0.1
Peer ID Type/Content   | IP 0.0.0.1  | IP 0.0.0.0

7. Fill in VPN Protocol, Pre-Shared Key, Encryption Algorithm and Authentication Algorithm in the Security Protocol field.

Select one VPN Protocol from the pull-down menu (ESP in the example). Input a proper Pre-Shared Key in the right table (01234567 in the example). Select Encryption Algorithm DES and Authentication Algorithm SHA1.

[Screenshot residue: Security Protocol: VPN Protocol ESP, Pre-Shared Key 01234567, Encryption Algorithm DES, Authentication Algorithm SHA1, Apply button]

Note: If there is a NAT router between the two VPN Secure Gateways, we should only choose the "ESP" VPN Protocol. The minimum length of the Pre-Shared Key is 8.

8. A common VPN rule has been completed; you can click "Apply" to save it. But if you want to make more spe
16. as they become available.

2. What's the Multilingual Embedded Web Configurator?

Multilingual Embedded Web Configurator means that it can display in 3 kinds of languages: English, French and German. By factory default it displays in English, and you can change it in the Web GUI.

3. How do I access the P-661H-D Command Line Interface (CLI)?

The Command Line Interface is for Administrator use only, and it can be accessed via a telnet session. Note: It is protected by the super password, "1234" by factory default.

4. How do I update the firmware and configuration file?

You can do this if you access the P-661H-D as Administrator. You can upload the firmware and configuration file to the Prestige from the Web Configurator, or using FTP or TFTP client software. You CANNOT upload the firmware and configuration file via Telnet, because the Telnet connection will be dropped while the firmware is uploading. Please do not power off the router right after the FTP or TFTP upload is finished; the router writes the firmware to its flash at this moment.

Note: There may be firmware that cannot be upgraded from the Web Configurator. In this case, ZyXEL will prepare special Upload Software for you. Please read the firmware release note carefully when you want to upload new firmware.

5. How do I upgrade/backup the ZyNOS firmware by using a TFTP client program via LAN?

The P-661H-D allows you to transfer the firmware to the P-661H-D using a TFTP program via LA
17. end of the Prestige. It is also very helpful for diagnostics if you have compatibility problems with your ISP, or if you want to know the details of a packet for configuring a filter rule.

The format of the display is as follows:

Packet  <index>  <timer (second)>  <channel receive/transmit>[<length>]  <protocol>  <source IP:port>  >  <dest IP:port>
Example: 0  42.10.62.396  ENET0-R[0054]  TCP  192.168.1.33:1829 > 192.168.1.1:23

There are two ways to dump the trace:
• Online Trace: display the trace in real time on screen
• Offline Trace: capture the trace first and display it later

The details for capturing the trace in the CLI are as follows.

First of all, you need to telnet to the P-661H-D. The password is the Administrator password ("admin" by default).

• Online Trace

1. Trace LAN packet

• Disable capturing the WAN packet by entering: sys trcp channel mpoa00 none
• Enable capturing the LAN packet by entering: sys trcp channel enet0 bothway
• Enable the trace log by entering: sys trcp sw on & sys trcl sw on
• Display the brief trace online by entering: sys trcd brief
• Display the detailed trace online by entering: sys trcd parse

Example:

[CLI output residue: "sys trcp channel mpoa00 none", "sys trcp channel enet0 bothway", followed by numbered brief trace lines]
18. [Table of contents residue: the Firewall FAQ section]

1. What is a network firewall? ..... 20
2. What makes the P-661H-D secure? ..... 20
3. What are the basic types of firewalls? ..... 20
4. What kind of firewall is the P-661H-D? ..... 21
5. Why do you need a firewall when your router has packet filtering and NAT built-in? ..... 21
6. What is a Denial of Service (DoS) attack? ..... 21
7. What is a Ping of Death attack? ..... 22
8. What is a Teardrop attack? ..... 22
9. What is a SYN Flood attack? ..... 22
10. What is a LAND attack? ..... 22
11. What is a Brute force attack? ..... 23
12. What is an IP Spoofing attack? ..... 23
13. What are the default ACL firewall rules in the P-661H-D? ..... 23
Configuration ..... 23
1. How do I configure the firewall? ..... 23
2. How do I prevent others from configuring my firewall? ..... 23
3. Why can't I configure my P-661H-D using Web Configurator/Telnet over WAN? .....
19. of my ADSL line statistics?

• You can use the following CI commands to check the ADSL line statistics:
CI> wan adsl perfdata
CI> wan adsl status
CI> wan adsl linedata far
CI> wan adsl linedata near
• You can also do it in Web Configurator, Advanced Setup, Maintenance > Diagnostic > DSL Line > DSL Status.

[Screenshot residue: DSL Line diagnostic page: SAR Driver Counters Display (inPkts, inDiscards, outPkts, outDiscards, inF4Pkts, outF4Pkts, inF5Pkts, outF5Pkts, closeChan, rxRate (bps) shown as hex counters), DSL Line Status (noise margin upstream 0 db, output power downstream 0 db, attenuation upstream 0 db, and a per-tone table for tones 0-31, 32-63 and 64-95), with buttons ATM Status, ATM Loopback Test, DSL Line Status, Reset ADSL Line and Capture All Logs]

8. What are the signaling pins of the ADSL connector?

The signaling pins on the P-661H-D's ADSL connector are pin 3 and pin 4, the middle two pins of an RJ11 cable.

9. What is triple play?

More and more Telcos/ISPs are providing three kinds of services (VoIP, Video and Internet) over one existing ADSL connec
20. parameters you set in this menu match all the parameters of the corresponding VPN rule in headquarters. We don't make any advanced setup in the example.

• The corresponding rule for Branch_B_2 in headquarters:

1. Local Address Type is Range Address; IP Address Start is 192.168.3.0 and IP Address End is 192.168.3.255. This section covers the LAN segment of branch office A.

Remote Address Type is Range Address; IP Address Start is 192.168.2.0 and IP Address End is 192.168.2.255. This section covers the LAN segment of branch office B.

2. My IP Address is the IP address of headquarters (202.1.1.1 in the example). Secure Gateway Address is the WAN IP of the Prestige in Branch_B (202.2.1.1 in the example).

3. Suppose the pre-shared key is 01234567; we should configure the same key in the corresponding rule in the headquarters VPN gateway.

4. You can set up the IKE phase 1 and phase 2 parameters by pressing the Advanced button. Please make sure that the parameters you set in this menu match all the parameters of the corresponding VPN rule in headquarters. We don't make any advanced setup in the example.

Support Tool

1. LAN/WAN Packet Trace

The Prestige packet trace records and analyzes packets running on the LAN and WAN interfaces. It is designed for users with technical backgrounds who are interested in the details of the packet flow on the LAN or WAN
21. the LAN interface of the P-661H-D, you can access the Web Configurator via http://192.168.1.1. Note: Don't forget to type in the Administrator password.

2. How do I prevent others from configuring my firewall?

There are several ways to prevent others from touching the settings of your firewall:

1. Change the default Administrator password, since it is required when setting up the firewall.

2. Limit who can access your P-661H-D's Web Configurator or CLI. You can enter the IP address of the secured LAN host in Web Configurator, Advanced Setup, Advanced > Remote MGNT > <Service> > Secured Client IP to allow special access to your P-661H-D.

[Screenshot residue: Remote Management service page with columns Port, Access Status (LAN & WAN) and Secured Client IP (All / Selected 0.0.0.0). Note: 1. For UPnP to function normally, the HTTP service must be available for LAN computers using UPnP. 2. You may also need to create a Firewall rule.]

The default value in this field is 0.0.0.0, which means you do not care which host is trying to telnet your P-661H-D or access the Web Configurator of

3. Why can't I configure my P-661H-D using Web Configurator/Telnet over WAN?

There are four reasons that WWW/Telnet from the WAN is blocked:

1. When the firewall is turned on, all connections from WAN to LAN are blocked by the default ACL rule. To enable Telnet f
22. the protocol ID as 6 (TCP) for the rule.

ip policyrouting set criteria serviceType 0
  Set the criteria type of service as don't care for this rule.
ip policyrouting set criteria precedence 8
  Set the precedence as don't care for this rule.
ip policyrouting set criteria packetlength 0
  Set the packet length as 0 for the rule.
ip policyrouting set criteria srcip 192.168.1.2 192.168.1.20
  Set the source IP address for the rule (start 192.168.1.2, end 192.168.1.20).
ip policyrouting set criteria srcport 0
  Set the source port for the rule (start 0).
ip policyrouting set criteria destip 0.0.0.0
  Set the destination IP address for the rule (start 0.0.0.0).
ip policyrouting set criteria destport 80 80
  Set the destination port for the rule (start 80, end 80).
ip policyrouting set action actmatched
  Set the action for the rule (matched).
ip policyrouting set action gatewaytype 0
  Set the gateway type for the rule (gateway address).
ip policyrouting set action gatewayaddr 192.168.1.254
  Set the gateway address for the rule (192.168.1.254).
ip policyrouting set criteria serviceType 0
  Set the action type of service as don't care for this rule.
ip policyrouting set criteria precedence 8
  Set the action precedence as don't care for this rule.
ip policyrouting set action log no
  Set the log option for the rule (no log).
ip policyrouting set save
  Save the rule.

Step 3: Apply the IP policy routing. There are two interfaces to apply the policy set; they are t
23. [Screenshot residue: TFTP client status bar, "Press F1 for Help 16:44:18"]

The 192.168.1.1 is the IP address of the Prestige. The local file is the source file of the ZyNOS firmware that is available on your hard disk. The remote file is the file name that will be saved in the Prestige. Check the port number 69 and 512-octet blocks for TFTP. Check "Binary" mode for file transferring.

2. Using TFTP to upload/download SMT configurations via LAN
Step 1: TELNET to your Prestige first before running the TFTP software.
Step 2: Type the command "sys stdio 0" to disable the console idle timeout in the Command Line Interface (CLI).
Step 3: Run the TFTP client software.
Step 4: To download the P-661H-D configuration, please get the remote file "rom-0" from the Prestige.
Step 5: To upload the P-661H-D configuration, please save the remote file as "rom-0" in the Prestige.

An example:

[Screenshot: TFTP32 client. Host 192.168.1.1, Port 69, Block Size 512, Local File "prestige.rom", Remote File "rom-0", Binary checked; Send / Fetch buttons. Status bar: "Press F1 for Help 16:46:06"]

• The 192.168.1.1 is the IP address of the Prestige.
• The local file is the source file of your configuration file that is available on your hard disk.
• The remote file is the file name that will be saved in the Prestige.
• Check the port number 69 and 512-Oc
24. 192.168.1.11) to IGA2 (200.0.0.2).
• Rule 3 (Many-to-One type) to map the other clients to IGA3 (200.0.0.3).
• Rule 4 (Server type) to map a web server and mail server with ILA3 (192.168.1.20) to IGA3. The Server type allows us to specify multiple servers, of different types, to other machines behind NAT on the LAN.

Step 1: In this case, we need to map ILA to more than one IGA, therefore we must choose the Full Feature option from the NAT field in the currently active remote node, and assign IGA3 to the P-661H-D's WAN IP Address.

[Screenshot: WAN IP Address settings: Obtain an IP Address Automatically / Static IP Address, Default Gateway, Gateway Subnet Mask, RIP Direction, Version, Multicast, NAT]

Step 2: Go to Web Configurator, Advanced Setup, Network > NAT > Address Mapping to begin configuring Address Mapping Set 1. We can see there are 10 blank rule table entries that can be configured. See the following setup for the four rules in our case.

Rule 1 Setup: Select the One-to-One type to map FTP Server 1 with ILA1 (192.168.1.10) to IGA1 (200.0.0.1).

[Screenshot: Edit Address Mapping Rule 1: Local Start IP, Local End IP, Global Start IP 200.0.0.1, Global End IP N/A, Server Mapping Set N/A, Edit Details; Apply / Cancel]

Rule 2 Setup: Select the One-to-One type to map FTP Server 2 with ILA2 (192.168.1.11) to IGA2 (200.0.0.2).
25. 2.1.1.1

Key Settings

CI Command / Description:

ip nat addrmap map <map set> [set name]
   Select the NAT address mapping set and set the mapping set name; the set name is optional.
   Example: > ip nat addrmap map 2 Test

ip nat addrmap rule <rule> <insert|edit> <type> <local start IP> <local end IP> <global start IP> <global end IP> [server set]
   Set a NAT address mapping rule. Type is 0-4: one-to-one, many-to-one, many-to-many overload, many-to-many non-overload, server. If the <type> is not "inside server", then the [server set] field will still need a dummy value like "0".
   Example: > ip nat addrmap rule 1 edit 3 192.168.1.10 192.168.1.20 172.1.1.1 172.1.1.1

[command not readable in this excerpt]
   Save the NAT server set buffer into flash.

ip nat server clear <set>
   Clear the server set <set>. You must use the "save" command to let it save into flash.

ip nat server edit <rule> active
   Activate the rule <rule>. The rule number is 1 to 24; numbers 25-36 are for the UPnP application.

ip nat server edit <rule> svrport <start port> <end port>
   Configure the port range from <start port> to <end port>.

ip nat server edit <rule> remotehost
   Configure the IP address range of the remote host. Leave it at the default value if you don't need this command.

ip nat server edit <rule> leasetime
   Configure the lease t
26. [Output fragment of the brief trace listing, not readable in this excerpt]

• Disable the capture of LAN packets by entering: sys trcp channel enet0 none
• Enable the capture of WAN packets by entering: sys trcp channel mpoa00 bothway
• Enable the trace log by entering: sys trcp sw on & sys trcl sw on
• Display the brief trace online by entering: sys trcp brief
• Display the detailed trace online by entering: sys trcp parse

Example:

[Example output of the commands above, not fully readable in this excerpt: a captured MPOA frame of 66 bytes, Frame Type Ethernet Packet, parsed as Ethernet Header (Destination MAC Addr, Source MAC Addr, Network Type), IP Header (IP Version 4, Header Length, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol TCP, Header Checksum, Source IP, Destination IP) and TCP Header (Source Port, Destination Port, Sequence Number, Ack Number, Header Length, Flags, Window Size, Checksum, Urgent Ptr)]
27. [Tail of the parsed frame output, not readable in this excerpt: TCP Header fields, TCP Data (Length 6, Captured 6) and RAW DATA]

• Disable the capture of WAN packets by entering: sys trcp channel mpoa00 none
• Enable the capture of LAN packets by entering: sys trcp channel enet0 bothway
• Enable the trace log by entering: sys trcp sw on & sys trcl sw on
• Wait for packets to pass through the Prestige over the LAN.
• Disable the trace log by entering: sys trcp sw off & sys trcl sw off
• Display the trace briefly by entering: sys trcp brief
• Display specific packets by using: sys trcp parse <from_index> <to_index>

• Capture the detailed logs with HyperTerminal

Step 1: Initiate a HyperTerminal connection from your PC. Suppose you are connected to the LAN port of the P-661H-D.

[Screenshot: HyperTerminal "New Connection" window (File, Edit, View, Call, Transfer, Help; status: Disconnected, Auto detect)]

Step 2: Click "Properties" to configure the parameters to telnet to the P-661H-D.

[Screenshot: HyperTerminal window with the File menu open and "Properties" highlighted]
28. In most cases, static IP addresses are used for VPN tunnelling endpoints. But for SOHO users, generally, it is a dynamic case. In this case, this IP will not be available to be predefined in the VPN box. There are some tips when configuring the Prestige in any dynamic case.

• Prestige static WAN IP vs. peer side dynamic IP

We need to note:
1) In the VPN settings of the Prestige, please specify the IP address of the Secure Gateway as 0.0.0.0.
2) The VPN connection can ONLY be initiated from the dynamic side to the static side, in order to update its dynamic IP to the static side.
3) On the peer side, are you using the Win2K built-in IPSec? In this case, W2K won't capture the dynamic IP address automatically for you. You have to obtain your dynamic IP address and then go back to the IPSec configuration to set up your current IP address.

• Prestige dynamic WAN IP vs. peer side static IP

We need to note:
1) In the VPN settings of the Prestige, please specify the IP address of My IP as 0.0.0.0. The Prestige will automatically bind its current WAN IP address to IPSec.
2) The IPSec tunnel in this case can ONLY be initiated from the Prestige.
3) On the peer side, are you using SonicWALL/NetScreen? SonicWALL requires you to enter an ID, in FQDN format, to identify the Prestige.

• Prestige dynamic WAN IP vs. peer side dynamic IP

In this case, we need to use DDNS (Dynamic Domain Name Service). Th
29. CI: Specify a VPI (Virtual Path Identifier) and a VCI (Virtual Channel Identifier) number given to you by your ISP.

2) Turn off the DHCP Server and configure a LAN IP for the P-661H-D in Web Configurator, Advanced Setup, Network > LAN. We use 192.168.1.1 as the LAN IP for the P-661H-D in this case.
Step 1: Deactivate the DHCP Server and apply it.
Step 2: Assign an IP to the LAN Interface of the P-661H-D, e.g. 192.168.1.1.

2. Internet Access Using P-661H-D under Routing mode

Most Internet users who have multiple computers and want to share an Internet account for Internet access have to install an Internet sharing device, like a router. In this case, we use the P-661H-D, which works as a general Router plus an ADSL Modem.

Set up your workstation
1) Ethernet connection
Connect the LAN ports of all computers to the LAN Interface of the P-661H-D using Ethernet cable.
2) TCP/IP configuration
Since the P-661H-D is set as a DHCP server by default, you only need to configure the workstations as DHCP clients in the networking settings. In this case, the IP address of the computer is assigned by the P-661H-D. The P-661H-D can also provide the DNS to the clients via DHCP if it is available. For this setup in Windows, we check the option "Obtain an IP address automatically" in its TCP/IP setup. Please see the example shown below.
30. FTP to Upload the Firmware and Configuration Files

In addition to uploading the firmware and configuration file via the console port and a TFTP client, you can also upload the firmware and configuration files to the Prestige using FTP.

To use this feature, your workstation must have FTP client software. See the example shown below.

• Using FTP client software

Note: The remote file name for the firmware is "ras" and for the configuration file it is "rom-0".

Step 1: Use the FTP client from your workstation to connect to the Prestige by entering the IP address of the Prestige.
Step 2: Press the "Enter" key to ignore the username, because the Prestige does not check the username.
Step 3: Enter the CLI password as the FTP login password; the default is "admin".
Step 4: Enter the command "bin" to set the transfer type to binary.
Step 5: Use the "put" command to transfer the file to the Prestige.

Example:

Step 1: Connect to the Prestige by entering the Prestige's IP and Administrator password in the FTP software. Set the transfer type to "Auto Detect" or "Binary".

[Screenshot: FTP client "Edit Host" dialog, General tab: Site Label "Prestige", Host Type "Auto Detect", Host Address 192.168.1.1, User ID, Password, Remote Directory, Remote Directory Filter, Login type, Transfer type, Initial Local Directory, Local Filtering]
31. Select the service name as "PPTP", fill in the Server IP Address, then press the "Add" button.

[Screenshot: Port Forwarding: Default Server Setup, Default Server 192.168.1.34; Port Forwarding: Service Name PPTP, Server IP Address 192.168.1.10; table columns Active / Service Name / Start Port / End Port / Server IP Address / Modify]

When you have finished the above settings, you can ping the remote Win9x client from WinNT. This ping command is used to demonstrate that the remote Win9x can be reached across the Internet. If the Internet connection between the two LANs is achievable, you can place a VPN call from the remote Win9x client.

For example: C:\> ping 203.66.113.2

When a dial-up connection to the ISP is established, a default gateway is assigned to route traffic through that connection. Therefore, the output below shows the default gateway of the Win9x client after the dial-up connection has been established.

Before making a VPN connection from the Win9x client to the NT server, you need to know the exact Internet IP address that the ISP assigns to the P-661H-D router in SUA mode and enter this IP address in the VPN dial-up dialog box. You can check this Internet IP address from PNC Monitor or the Web Configurator, Status > WAN Information. If the Internet IP address is a fixed IP address provided by the ISP in SUA mode, then you can always use this IP address for reaching the VPN
32. N. The procedure for uploading ZyNOS via TFTP is as follows:
a. Use the TELNET client program on your PC to log in to your P-661H-D.
b. Enter the CI command "sys stdio 0" to disable the Stdio idle timeout.
c. To upgrade the firmware, use the TFTP client program to put the firmware in the file "ras" on the Prestige. After the data transfer is finished, the P-661H-D will program the upgraded firmware into FLASH ROM and reboot itself.
d. To back up your firmware, use the TFTP client program to get the file "ras" from the Prestige.

6. How do I restore P-661H-D configurations by using a TFTP client program via LAN?
a. Use the TELNET client program on your PC to log in to your P-661H-D.
b. Enter the CI command "sys stdio 0" to disable the Stdio idle timeout.
c. To back up the P-661H-D configurations, use the TFTP client program to get the file "rom-0" from the P-661H-D.
d. To restore the P-661H-D configurations, use the TFTP client program to put your configuration in the file "rom-0" on the P-661H-D.

7. What should I do if I forget the system password?
In case you forget the system password, you can erase the current configuration and restore factory defaults this way:
Use the RESET button on the rear panel of the P-661H-D to reset the router. After the router is reset, the LAN IP address will be reset to 192.168.1.1, the common user password will be reset to "user", and the Administrator pass
33. N node:
wan node index <node>
   Usage: node = 1-8, corresponding to remote node 1-8.
wan node filter <incoming|outgoing> <tcpip|generic> <set1> <set2> <set3> <set4>
   Usage: You can apply at most four filter sets to one remote node.
wan node save

• Apply to LAN Interface:
lan index <index>
   Usage: index = 1 main LAN, 2 IP Alias 1, 3 IP Alias 2.
lan filter <incoming|outgoing> <tcpip|generic> <set1> <set2> <set3> <set4>
   Usage: You can apply at most four filter sets to the LAN Interface.
lan save

3) If you are a very advanced user, you could edit a filter set with the following commands:
sys filter set <set> <rule>
   Usage: Set up a filter set index to edit a set. set = 1-12, rule = 1-6.
sys filter set type <typeID>
   Usage: typeID = tcpip or generic. Note: In one filter set, you should configure all the rules in one type, either tcpip or generic.
sys filter set enable
   Usage: Enable (activate) the rule.
sys filter set ...
   You could configure a filter rule on demand; the newest commands are available in the release note.
sys filter set save
   Usage: Don't forget to save the rule every time you've configured it.

Reference Commands:
sys filter set index <set> <rule>
   Set the index of the filter set rule. You must apply this command first before you begin to configure t
34. [Fragment of the SUA application/port table; application names are not readable in this excerpt. Recoverable cells: "None (one client only)"; 6901 client IP; "None for Chat, File transfer, Video and Voice"; 1723 client IP, Default client IP; 6701 client IP; 7648 client IP, Default client IP; 1720 client IP, 1503 client IP, Default client IP; 5631 client IP, 5632 client IP; 22 client IP; Default Client]

Network Time Protocol (NTP) | None | 123 server IP
Win2k Terminal Server | None | 3389 server IP
Remote Anything | None | 3996-4000 client IP
Virtual Network Computing (VNC) | None | 5500 client IP, 5800 client IP, 5900 client IP
AIM (AOL Instant Messenger) | None for Chat and IM | None for Chat and IM
eDonkey | None | 4661-4662 client IP
[name not readable] Conferencing | None | Default client IP
IVISTA 4.1 | None | 80 server IP
Microsoft Xbox Live | None | N/A

• Since SUA enables your LAN to appear as a single computer to the Internet, it is not possible to configure similar servers on the same LAN behind SUA.
• Because White Pine Cu-SeeMe uses dedicated ports (port 7648 & port 24032) to transmit and receive data, only one local Cu-SeeMe is allowed within the same LAN.
• In SUA mode, only one local NetMeeting user is allowed because the outsiders cannot distinguish between local users using the same inte
35. [Screenshot residue: FTP client transfer-type options (Normal, ASCII, Binary, Auto Detect, Anonymous, Double), Local Directory Filter]

Step 3: To upload the firmware file, we transfer the local "ras" file to overwrite the remote "ras" file. To upload the configuration file, we transfer the local "rom-0" to overwrite the remote "rom-0" file.

[Screenshot: CuteFTP 3.0 session with the Prestige at 192.168.1.1: LIST command, "150 Opening data connection for LIST", STATUS "Received 135 bytes OK"; the remote directory listing shows "ras" (907 KB) and "rom-0" (16 KB)]

Step 4: The Prestige reboots automatically after the uploading is finished. Please do not power off the router at this moment.

CI Command Reference

Command Syntax and General User Interface

CI has the following command syntax:
command <iface|device> subcommand [param]
command subcommand [param]
command ? | help
command subcommand ? | help

General user interface:
1. ? Shows the following commands and all majo
36. [continuation of an earlier table of contents entry, not readable] ............ 37
General Application Notes ............ 37
1. Internet Access Using P-661H-D under Bridge mode ............ 37
2. Internet Access Using P-661H-D under Routing mode ............ 39
3. Setup the P-661H-D as a DHCP Relay ............ 41
4. [title not readable in this excerpt] ............ 42
5. [title not readable in this excerpt] ............ 51
6. Using the Dynamic DNS (DDNS) ............ 63
7. Network Management Using SNMP ............ 65
8. [title not readable in this excerpt] ............ 68
9. Using IP Alias ............ 68
10. Using IP Policy Routing ............ 70
11. Using Call Scheduling ............ 74
12. [title not readable in this excerpt] ............ 76
13. Using Bandwidth Management ............ 77
14. Using Zero Configuration ............ 80
15. How could I configure triple play on P-661H-D ............ 83
16. How to configure packet filter on P-661H-D ............ 83
IPSec VPN Application Notes ............ 87
1. How to use P-661H-D to build VPN Tunnel with another VPN Gateway [remainder not readable] ............ 87
2. How to build a VPN between Secure Gateway with Dynamic WAN IP Address
37. P-661H-D Series
ADSL2+ 4-port Security Gateway
Support Notes
Version 3.40, Mar. 2006

ZyXEL - Unleash Networking Power

ZyXEL P-661H-D Series Support Notes

FAQ ............ 5
[section title not readable in this excerpt] ............ 5
1. What is ZyNOS? ............ 5
2. What's Multilingual Embedded Web Configurator? ............ 5
3. How do I access the P-661H-D Command Line Interface (CLI)? ............ 5
4. How do I update the firmware and configuration file? ............ 5
5. How do I upgrade/backup the ZyNOS firmware by using TFTP client program via LAN? ............ 5
6. How do I restore P-661H-D configurations by using TFTP client program via LAN? ............ 6
7. What should I do if I forget the system password? ............ 6
8. How to use the Reset button ............ 6
9. What is SUA? When should I use SUA? ............ 6
10. What is the difference between SUA and Full Feature NAT? ............ 7
11. Is it possible to access a server running behind SUA from the outside Internet? How can I [remainder not readable] ............ 7
12. When do I need to select Full Feature NAT? ............ 8
13. What IP/Port mapping does Multi-NAT support? ............ 8
14. H
38. Port: Enter the source port number of the traffic.
Protocol ID: Enter the protocol number for the traffic: 1 for ICMP, 6 for TCP or 17 for UDP.

After configuring BWM, you can check the current bandwidth of the configured traffic in Web Configurator, Advanced Setup, Advanced > Bandwidth MGMT > Monitor.

14. Using Zero Configuration

• Zero Configuration and VC auto hunting

The Zero Configuration feature can help customers reduce the burden of setup effort. Whenever the system's ADSL link comes up, the system sends out some probing patterns, analyzes the packets returned from the ISP, and decides which services the ISP may provide. Because ADSL is based on an ATM network, the system has to pre-configure a VPI/VCI hunting pool before the Auto Configure function begins to work.

The Zero Configuration feature can hunt the encapsulation and VPI/VCI value, and the system will automatically configure itself if the hunting result is successful. This feature has two constraints:
1) It supports an ISP that provides one kind of service (PPPoE, PPPoA, etc.) only; otherwise the hunting will get confused and fail.
2) VC auto hunting only supports dynamic WAN IP addresses. If the router is set to a static WAN IP address, the VC auto hunting function will be disabled.

The entry of the hunting pool must also contain the VPI, VCI, and which kinds of hunting patterns you wish to send. Whenever the system sends out all the probing patterns with a specific VPI/VCI, the system will wait for 5-10 s
39. S manager.

Some traps are sent to the SNMP manager when any one of the following events happens:
1. coldStart (defined in RFC 1215): If the machine coldstarts, the trap will be sent after booting.
2. warmStart (defined in RFC 1215): If the machine warmstarts, the trap will be sent after booting.
3. linkDown (defined in RFC 1215): If any link of IDSL or WAN is down, the trap will be sent with the port number. The port number is its interface index under the interface group.
4. linkUp (defined in RFC 1215): If any link of IDSL or WAN is up, the trap will be sent with the port number. The port number is its interface index under the interface group.
5. authenticationFailure (defined in RFC 1215): When receiving any SNMP get or set request with a wrong community, this trap is sent to the manager.
6. whyReboot (defined in ZYXEL-MIB): When the system is going to restart (warmstart), the trap will be sent with the reason for the restart before rebooting.
   1) For intentional reboot: In some cases (downloading new files, the CI command "sys reboot", ...), the reboot is done intentionally, and traps with the message "System reboot by user!" will be sent.
   2) For fatal error: the system has to reboot for some fatal errors, and traps with the message of the fatal code will be sent.

[Table residue, not readable in this excerpt: Products / Variables Group / ... Variabl]
40. Web Configurator, Advanced Setup, Network > NAT > Port Forwarding. The following table explains the fields in the above screen.

Field / Description / Option / Example:
Set: This is the sequence number for Address Mapping Sets. Example: 255 for SUA.
Local Start IP: This is the starting local IP address (ILA). Example: 0.0.0.0 for the Many-to-One type.
Local End IP: This is the ending local IP address (ILA). If the rule is for all local IPs, then the Start IP is 0.0.0.0 and the End IP is 255.255.255.255. Example: 255.255.255.255.
Global Start IP: This is the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global Start IP. Example: 0.0.0.0.
Global End IP: This is the ending global IP address (IGA). Example: N/A.
Type: This is the NAT mapping type. Example: Many-to-One and Server.

Here we'll guide you to configure Address Mapping Sets from the Web Configurator and the CLI. In the Web Configurator we can only edit the rules for Address Mapping Set 1; the other Address Mapping Sets 2-8 can only be configured in the CLI.

• Now let's begin with the Web Configurator.

First, let's go to Web Configurator, Advanced Setup, Network > NAT > Address Mapping.

[Screenshot: Address Mapping Rules table with columns Local Start IP, Local End IP, Global Start IP, Global End IP, Type, and ten empty rule rows (1-10)]

This menu is for Addre
41. [Screenshot residue: VPN SUMMARY table, rows 1-2]

3) On the SUMMARY menu, select a policy to edit by clicking Edit. On the P-661H-D, we can build at most 2 VPN Tunnels. Just click the "Edit" button in the table and we can begin to configure the VPN rule.

4) In the IPSec Setup field, toggle the Active check box and give a name ("Test" in the example) to this policy. Select IPSec Key Mode as IKE, Negotiation Mode as Main, and Encapsulation Mode as Tunnel, just the same as we will configure on Prestige B.

[Screenshot: IPSec Setup: Active, Keep Alive, NAT Traversal; IPSec Key Mode IKE; Negotiation Mode Main; Encapsulation Mode Tunnel; DNS Server (for IPSec VPN)]

5) Fill in the Local and Remote secure hosts' information in the Local and Remote fields.
Local Address Type is Single and IP Address Start is PC 1's IP, 192.168.1.33 in the example.
Remote Address Type is Single and IP Address Start is PC 2's IP, 192.168.2.33 in the example.

[Screenshot: Local: Local Address Type Single, IP Address Start 192.168.1.33, End, Subnet Mask; Remote: Remote Address Type Single, IP Address Start 192.168.2.33, End, Subnet Mask]

6) Fill in the VPN Gateway information in the Address Information field.
My IP Address is the WAN IP of Prestige A, 202.132.154.1 in the example.
Secure Gateway Address is the remote secure gateway's (Prestige B's) WAN IP, 168.10.10.66 in the example.
Local ID
42. as yourhost.dyndns.org. This feature is useful when there are multiple servers inside and you want users to be able to use names such as www.yourhost.dyndns.org and still reach your hostname.

Yes, the P-661H-D supports the DDNS wildcard that http://www.dyndns.org supports. When using the wildcard, you simply enter yourhost.dyndns.org in the Host field in Menu 1.1 Configure Dynamic DNS.

12. Can the P-661H-D's SUA handle IPSec packets sent by the IPSec gateway?

Yes, the P-661H-D's SUA can handle IPSec ESP Tunneling mode. We know that when packets go through SUA, SUA changes the source IP address and source port for the host. To pass IPSec packets, SUA must understand the ESP packet with protocol number 50 and replace the source IP address of the IPSec gateway with the router's WAN IP address. However, SUA should not change the source port of the UDP packets which are used for key management: because the remote gateway checks this source port during connections, the port is not allowed to be changed.

13. How do I set up my P-661H-D for routing IPSec packets over SUA?

For outgoing IPSec tunnels, no extra setting is required.

For forwarding the inbound IPSec ESP tunnel, a Default Server set is required. You could configure it in Web Configurator, Advanced Setup, Network > NAT > Port Forwarding > Default Server Setup.

Port Forward
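The SUA behaviour described in questions 12 and 13 above, as an added toy model in Python (example code, not ZyXEL's implementation): ESP (protocol 50) has no ports, so only its source IP is rewritten; the key-management UDP packets keep their source port; an inbound packet with no matching entry goes to the Default Server. It assumes IKE on UDP/500 as the key-management traffic (the standard port, not named in the text) and uses constructed addresses and a constructed WAN port pool.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Added example (not ZyXEL code): a toy model of the SUA behaviour described above for
# IPSec traffic. ESP (protocol 50) has no ports, so only its source IP is rewritten;
# the key-management UDP packets keep their source port. IKE on UDP/500 is the
# standard key-management port (assumed; the text does not name it).

ESP = 50
UDP = 17
TCP = 6
IKE_PORT = 500


@dataclass
class Pkt:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: int = 0      # 0 for ESP, which carries no transport port
    dst_port: int = 0


@dataclass
class SUA:
    wan_ip: str
    default_server: Optional[str] = None   # NAT > Port Forwarding > Default Server Setup
    next_port: int = 10000                 # constructed start of the dynamic WAN port pool
    # (proto, WAN port, remote IP) -> (inside IP, inside port)
    table: Dict[Tuple[int, int, str], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, p: Pkt) -> Pkt:
        """Translate a LAN->WAN packet and return it as it appears on the WAN."""
        if p.proto == ESP:
            wan_port = 0                   # no port to translate: source IP only
        elif p.proto == UDP and p.src_port == IKE_PORT:
            wan_port = p.src_port          # key-management source port is preserved
        else:
            wan_port = self.next_port      # ordinary flows get a fresh WAN port
            self.next_port += 1
        self.table[(p.proto, wan_port, p.dst_ip)] = (p.src_ip, p.src_port)
        return Pkt(p.proto, self.wan_ip, p.dst_ip, wan_port, p.dst_port)

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        """Translate a WAN->LAN packet; None means it has nowhere to go and is dropped."""
        hit = self.table.get((p.proto, p.dst_port, p.src_ip))
        if hit is not None:                # reply to a flow that started inside
            inside_ip, inside_port = hit
            return Pkt(p.proto, p.src_ip, inside_ip, p.src_port, inside_port)
        if self.default_server is not None:
            # No matching entry, e.g. an ESP tunnel initiated from outside: the text says
            # a Default Server entry is what lets it reach the LAN IPSec gateway.
            return Pkt(p.proto, p.src_ip, self.default_server, p.src_port, p.dst_port)
        return None


if __name__ == "__main__":
    sua = SUA(wan_ip="203.0.113.5", default_server="192.168.1.20")   # constructed addresses
    ike = sua.outbound(Pkt(UDP, "192.168.1.20", "198.51.100.7", IKE_PORT, IKE_PORT))
    print(ike)                                                      # source port stays 500
    esp = sua.outbound(Pkt(ESP, "192.168.1.20", "198.51.100.7"))
    print(sua.inbound(Pkt(ESP, "198.51.100.7", "203.0.113.5")))    # back to 192.168.1.20
```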
43. ased routing to direct traffic from different users through different connections.

Quality of Service (QoS): Organizations can differentiate traffic by setting the precedence or TOS (Type of Service) values in the IP header at the periphery of the network to enable the backbone to prioritize traffic.

Cost Savings: IPPR allows organizations to distribute interactive traffic on a high-bandwidth, high-cost path while using a low path for batch traffic.

Load Sharing: Network administrators can use IPPR to distribute traffic among multiple paths.

• How does IPPR work?

A policy defines the matching criteria and the action to take when a packet meets the criteria. The action is taken only when all the criteria are met. The criteria include the source address and port, IP protocol (ICMP, UDP, TCP, etc.), destination address and port, TOS and precedence (fields in the IP header), and length. The inclusion of the length criterion is to differentiate between interactive and bulk traffic: interactive applications (e.g. Telnet) tend to have short packets, while bulk traffic (e.g. file transfer) tends to have large packets.

The actions that can be taken include routing the packet to a different gateway (and hence the outgoing interface) and setting the TOS and precedence fields in the IP header. IPPR follows the existing packet filtering facility of ZyNOS in styl
44. The packet filter function on the P-661H-D is the same as before, except that you can only configure the filter sets and apply them by command in the CLI. It's very complex for common users to do it, so here's the recommendation:

1) Usually, if you want to block special packets, you could edit a firewall rule in the Web Configurator.
2) By factory default, ZyXEL has preconfigured many filter sets for your reference. You can check them with the commands:
sys filter set index <set> <rule>
   Usage: set = 1-12, rule = 1-6. Commonly the preconfigured filter sets are as follows: <set 2, rule 1-6>, <set 3, rule 1>, <set 4, rule 1>.
sys filter set display

For example:

ras> sys filter set index 2 1
ras> sys filter set display
Set: 2 Rule: 1
Filter Type: TCP/IP
IP Protocol: 6    IP Source Route: No
Destination:
  IP Address: 0.0.0.0
  IP Mask: 0.0.0.0
  Port: 137
  Port Compare: <0 None|1 Equal|2 NotEqual|3 Less|4 Greater> 1
Source:
  IP Address: 0.0.0.0
  IP Mask: 0.0.0.0
  Port: 0
  Port Compare: <0 None|1 Equal|2 NotEqual|3 Less|4 Greater> 0
TCP Establish: No
Action Matched: <1 Check Next|2 Forward|3 Drop> 3
Action Not Matched: <1 Check Next|2 Forward|3 Drop> 1
ras>

This could satisfy most requirements. You could select any of them to apply to the WAN node or LAN Interface on demand. The command is as follows:

• Apply to WA
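An added evaluator for TCP/IP filter rules that uses the Port Compare and Action codes exactly as printed by "sys filter set display" above, so that a reader can see what Set 2 Rule 1 lets through and drops (example code, not ZyNOS). It assumes that IP Protocol 0 means any protocol, that "TCP Establish: Yes" matches only established TCP connections, and that a packet reaching the end of a set without a Forward/Drop decision is forwarded; the second rule in the set is constructed to show chaining.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Added example (not ZyNOS code): an evaluator for TCP/IP filter rules using the codes
# shown in the "sys filter set display" output above. Assumptions: IP Protocol 0 means
# any protocol, "TCP Establish: Yes" matches only packets of established TCP connections,
# and a packet that reaches the end of a set without a Forward/Drop decision is forwarded.

CMP_NONE, CMP_EQUAL, CMP_NOT_EQUAL, CMP_LESS, CMP_GREATER = 0, 1, 2, 3, 4   # Port Compare
ACT_CHECK_NEXT, ACT_FORWARD, ACT_DROP = 1, 2, 3                            # Action codes


@dataclass
class FilterRule:
    ip_protocol: int
    dst_ip: str
    dst_mask: str
    dst_port: int
    dst_port_compare: int
    src_ip: str
    src_mask: str
    src_port: int
    src_port_compare: int
    tcp_establish: bool
    action_matched: int
    action_not_matched: int


@dataclass
class Packet:
    ip_protocol: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    tcp_established: bool = False


def _ip_ok(addr: str, rule_ip: str, mask: str) -> bool:
    """Masked compare; IP Mask 0.0.0.0 matches every address."""
    m = int(ipaddress.IPv4Address(mask))
    return int(ipaddress.IPv4Address(addr)) & m == int(ipaddress.IPv4Address(rule_ip)) & m


def _port_ok(port: int, rule_port: int, compare: int) -> bool:
    if compare == CMP_NONE:
        return True
    if compare == CMP_EQUAL:
        return port == rule_port
    if compare == CMP_NOT_EQUAL:
        return port != rule_port
    if compare == CMP_LESS:
        return port < rule_port
    return port > rule_port


def rule_matches(r: FilterRule, p: Packet) -> bool:
    if r.ip_protocol and p.ip_protocol != r.ip_protocol:
        return False
    if r.tcp_establish and not p.tcp_established:
        return False
    return (_ip_ok(p.dst_ip, r.dst_ip, r.dst_mask)
            and _port_ok(p.dst_port, r.dst_port, r.dst_port_compare)
            and _ip_ok(p.src_ip, r.src_ip, r.src_mask)
            and _port_ok(p.src_port, r.src_port, r.src_port_compare))


def apply_filter_set(rules: List[FilterRule], p: Packet) -> str:
    """Walk the rules in order: Check Next continues, Forward/Drop decides."""
    for r in rules:
        action = r.action_matched if rule_matches(r, p) else r.action_not_matched
        if action == ACT_FORWARD:
            return "forward"
        if action == ACT_DROP:
            return "drop"
    return "forward"


# Set 2, Rule 1 exactly as displayed above: TCP to destination port 137 (NetBIOS name
# service) from anywhere to anywhere is dropped; anything else goes to the next rule.
SET2_RULE1 = FilterRule(6, "0.0.0.0", "0.0.0.0", 137, CMP_EQUAL,
                        "0.0.0.0", "0.0.0.0", 0, CMP_NONE, False, ACT_DROP, ACT_CHECK_NEXT)

# Constructed second rule (not from the page) to show chaining and the Less compare:
# drop UDP with a destination port below 1024 coming from the 192.168.1.0/24 LAN.
CONSTRUCTED_RULE2 = FilterRule(17, "0.0.0.0", "0.0.0.0", 1024, CMP_LESS,
                               "192.168.1.0", "255.255.255.0", 0, CMP_NONE,
                               False, ACT_DROP, ACT_CHECK_NEXT)

SET2 = [SET2_RULE1, CONSTRUCTED_RULE2]
```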
45. [Screenshot: Port Forwarding page. Default Server Setup: Default Server 0.0.0.0. Port Forwarding: Service Name, Server IP Address 0.0.0.0; rule table with columns Active, Service Name, Start Port, End Port, Server IP Address, Modify, containing an entry for 192.168.1.20.]

4. Support Non-NAT-Friendly Applications

Some servers providing Internet applications, such as some mIRC servers, do not allow users to log in using the same IP address. In this case it is better to use the Many-to-Many No Overload or One-to-One NAT mapping types, so that each user logs in to the server using a unique global IP address. The following figure illustrates this.

[Figure: User 1 (ILA1, 192.168.1.10), User 2 (ILA2, 192.168.1.11) and User 3 (ILA3, 192.168.1.12) behind the Prestige.]

One rule configured for the Many-to-Many No Overload mapping type is shown below.

[Screenshot: Edit Address Mapping Rule. Type: Many-to-Many No Overload; Local Start IP 192.168.1.10; Local End IP 192.168.1.12; Global Start IP and Global End IP fields; Server Mapping Set: Edit Details.]

We can also do this by configuring three One-to-One mapping type rules.

6. Using the Dynamic DNS (DDNS)

• What is DDNS?

The DDNS service, an IP Registry, provides a public central database where information such as email addresses, hostnames, IPs etc. can be stored and retrieved. This solves the problems if your DNS server u
46. ...cial configuration, you can click "Advanced" to continue.

[Screenshot: VPN > IKE > Advanced Setup. Protocol 0; Enable Replay Detection No; Local Start Port 0, End 0; Remote Start Port 0, End 0. Phase 1: Negotiation Mode Main, Pre-Shared Key 01234567, Encryption Algorithm DES, Authentication Algorithm MD5, SA Life Time (Seconds). Phase 2: Active Protocol, Encryption Algorithm, Authentication Algorithm, SA Life Time (Seconds), Encapsulation, Perfect Forward Secrecy (PFS).]

Note: If you make any change in the advanced setup, you need to configure the same on Prestige B.

We don't do any advanced setup in the example. With this we have finished the configuration on Prestige A.

Step 2: Set up Prestige B

Prestige B is configured in the same way as Prestige A, except that:

1. Local Address Type is Single and IP Address Start is PC 2's IP (192.168.2.33 in the example). Remote Address Type is Single and IP Address Start is PC 1's IP (192.168.1.33 in the example).

2. My IP Address is the WAN IP of Prestige B (168.10.10.66 in the example). Secure Gateway Address is the remote secure gateway, i.e. Prestige A's WAN IP (202.132.154.1 in the example).

3. Local ID Type/Content should be the same as Prestige A's Peer ID Type/Content (IP 0.0.0.1 in the example). Peer ID Type/Content should be the same as Pr
47. [Packet trace output: repeated "Ethernet Packet" and "ARP Request 172..." entries and source > destination address pairs in the 172.25.21.x range, including a NetBIOS (port 137) packet to 192.168.1.255; not reproduced.]

Creates a file of all incoming text.

2. Firmware/Configuration Uploading and Downloading using TFTP

• Using TFTP client software
• Upload/download ZyNOS via LAN
• Upload/download Prestige configurations via LAN

1. Using TFTP to upload/download ZyNOS via LAN

Step 1: TELNET to your Prestige first before running the TFTP software.
Step 2: Type the CI command "sys stdio 0" in the Command Line Interface (CLI) to disable the console idle timeout.
Step 3: Run the TFTP client software.
Step 4: Enter the IP address of the Prestige.
Step 5: To upload the firmware, save the remote file as "ras" on the Prestige. After the transfer is complete, the Prestige will program the upgraded firmware into FLASH ROM and reboot itself.

An example:

[Screenshot: TFTP32 client. Host 192.168.1.1, Port 69, Block Size 512, Local File prestige.bin, Remote File ras, Binary mode; Send/Fetch/Abort buttons.]

Press F1
48. ...d call on the line at 12:00 a.m. on 2005/12/27. The maximum length of time this connection is allowed is 16 hours.

To implement this, we need to invoke the following commands one by one:

wan callsch index 1
  Set call schedule index = 1. You must apply this command first before you begin to configure the call schedule.
wan callsch name Test
  Set the schedule name as Test.
wan callsch active Yes
  Enable the schedule.
wan callsch startdate 2005/12/27
  Set the schedule start date as 2005/12/27.
wan callsch oncedate 2005/12/27
  Set the schedule to be used just once; it works on 2005/12/27.
wan callsch starttime 12:00
  Set the schedule start time as 12:00.
wan callsch duration 16:00
  Set the schedule duration as 16 hours.
wan callsch action 2
  Set the action as dial on demand.
wan callsch save
  Save the current call schedule set.

Key Settings:

Start Date: Start date of this schedule rule. It need not match the weekday setting. For example, Start Date can be 2000/10/02 (a Monday) while the Monday setting in the weekday list is No.
Forced On: The node will always be kept up during the set period. This is equivalent to disabling the idle timeout.
Forced Down: The node will always be kept down during the set period. The connected remote node will be dropped.
Enable Dial On Demand: The remote node accepts dial on demand during this period.
The
49. ...e, Many-to-Many Overload, Many-to-Many No Overload and Server. The details of the mapping between ILA and IGA are described below. Here we define the local IP addresses as the Internal Local Addresses (ILA) and the global IP addresses as the Inside Global Addresses (IGA).

• One-to-One: In One-to-One mode, the P-661H-D maps one ILA to one IGA.
• Many-to-One: In Many-to-One mode, the P-661H-D maps multiple ILAs to one IGA. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyNOS routers supported (SUA is optional in today's Prestige routers).
• Many-to-Many Overload: In Many-to-Many Overload mode, the P-661H-D maps multiple ILAs to shared IGAs.
• Many One-to-One: In Many One-to-One mode, the P-661H-D maps each ILA to a unique IGA.
• Server: In Server mode, the P-661H-D maps multiple inside servers to one global IP address. This allows us to specify multiple servers of different types behind the NAT for outside access. Note: if you want to map each server to one unique IGA, use the One-to-One mode.

The following table summarizes the five types:

NAT Type                 IP Mapping
One-to-One               ILA1 <-> IGA1
Many-to-One (SUA/PAT)    ILA1 <-> IGA1, ILA2 <-> IGA1
Many-to-Many Overload    ILA1 <-> IGA1, ILA2 <-> IGA2, ILA3 <-> IGA1, ILA4 <-> IGA2
Many One-to-One          ILA1 <-> IGA1, ...
Ma
50. ...e and in implementation. The policies are divided into sets, where related policies are grouped together. A user defines the policies before applying them to an interface or a remote node, in the same fashion as the filters. There are 12 policy sets with 6 policies in each set.

• Setup the IP Policy Routing

Step 1: Set the index of the IP routing policy set and rule with the command "ip policyrouting set index <set> <rule>". Suppose set = 1 and rule = 1 in this example.

Step 2: Suppose we would like to edit the rule like this:

Policy Set Name: Test
Active: Yes
Criteria:
  IP Protocol: 6
  Type of Service: Don't Care      Packet length: 0
  Precedence: Don't Care          Len Comp: N/A
  Source: addr start = 192.168.1.2, end = 192.168.1.20; port start = 0, end = N/A
  Destination: addr start = 0.0.0.0, end = N/A; port start = 80, end = 80
Action (Matched):
  Gateway addr: 192.168.1.254      Log: No
  Type of Service: No Change
  Precedence: No Change

This policy example forces the Web packets originating from the clients with IP addresses 192.168.1.2 to 192.168.1.20 to be routed to the remote LAN via the gateway 192.168.1.254.

To implement this, we need to invoke the following commands one by one:

ip policyrouting set name Test
  Set the name of the IP routing policy rule as Test.
ip policyrouting set active yes
  Enable the rule.
ip policyrouting set criteria protocol 6
  Set
51. ...e A.

2. My IP Address is the IP address of Headquarter (202.1.1.1 in the example). Secure Gateway Address is the WAN IP of the Prestige in Branch_A (202.3.1.1 in the example).

3. Suppose the pre-shared key is 01234567; we should configure the same key in the corresponding rule in the Headquarter VPN gateway.

4. You can set up IKE phase 1 and phase 2 parameters by pressing the Advanced button. Please make sure that the parameters you set in this menu match all the parameters of the corresponding VPN rule in headquarter. We don't make any advanced setup in the example.

• The corresponding rule for Branch_B_1 in headquarter:

1. Local Address Type is Range Address and IP Address Start is 192.168.1.0, IP Address End is 192.168.1.255. This section covers the LAN segment of the Headquarter office. Remote Address Type is Range Address and IP Address Start is 192.168.2.0, IP Address End is 192.168.2.255. This section covers the LAN segment of branch office B.

2. My IP Address is the IP address of Headquarter (202.1.1.1 in the example). Secure Gateway Address is the WAN IP of the Prestige in Branch_B (202.2.1.1 in the example).

3. Suppose the pre-shared key is 01234567; we should configure the same key in the corresponding rule in the Headquarter VPN gateway.

4. You can set up IKE phase 1 and phase 2 parameters by pressing the Advanced button. Please make sure that
52. • Action Matched: Drop
• Action Not Matched: Forward

Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask.

For the output data filters:

• Deny bounce-back packets
• Allow packets that originate from us

Filter rule setup:

• Filter Type: TCP/IP Filter Rule
• Active: Yes
• Destination IP Addr: a.b.c.d
• Destination IP Mask: w.x.y.z
• Action Matched: Drop
• Action Not Matched: Forward

Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask.

Product FAQ

1. How can I manage the P-661H-D?

• Multilingual embedded Web GUI for local and remote management
• CLI (command line interface)
• Telnet support (administrator password protected) for remote configuration change and status monitoring
• FTP/TFTP server; firmware upgrade and configuration backup and restore are supported (administrator password protected)

2. What is the default password for the Web Configurator?

There are two different accounts for the P-661H-D Web Configurator: the Common User Account and the Administrator Account. By factory default the passwords for the two accounts are:

• Common User Account: user
• Administrator Account: 1234

You can change the password after you log in to the Web Configurator. Please record your new password whenever you change it. The system will lock you out if you have forgotten your pas
53. ...e according to the line rate; for example, a 2.3 Mbps line rate will result in a PCR of 5424 cells/sec.

17. What do the ATM QoS Types (CBR, UBR, VBR-nRT, VBR-RT) mean?

Constant bit rate (CBR): An ATM bandwidth allocation service that requires the user to determine a fixed bandwidth requirement at the time the connection is set up so that the data can be sent in a steady stream. CBR service is often used when transmitting fixed-rate uncompressed video.

Unspecified bit rate (UBR): An ATM bandwidth allocation service that does not guarantee any throughput levels and uses only available bandwidth. UBR is often used when transmitting data that can tolerate delays, such as e-mail.

Variable bit rate (VBR): An ATM bandwidth allocation service that allows users to specify a throughput capacity (i.e., a peak rate) and a sustained rate, but data is not sent evenly. You can select VBR for bursty traffic and bandwidth sharing with other applications. It contains two subclasses: Variable bit rate non-real time (VBR-nRT) and Variable bit rate real time (VBR-RT).

18. What is content filter?

Internet Content Filter allows you to create and enforce Internet access policies tailored to your needs. Content Filter gives you the ability to block web sites that contain key words (that you specify) in the URL. You can set a schedule for when the P-661H-D performs content
54. ...e is for branch office B to access branch office A.

1. Local Address Type is Range Address and IP Address Start is 192.168.2.0, IP Address End is 192.168.2.255. This section covers the LAN segment of branch office B. Remote Address Type is Range Address and IP Address Start is 192.168.3.0, IP Address End is 192.168.3.255. This section covers the LAN segment of branch office A.

2. My IP Address is the WAN IP of the Prestige in Branch_B (202.2.1.1 in the example). Secure Gateway Address is the IP address of Headquarter (202.1.1.1 in the example).

3. Suppose the pre-shared key is 01234567; we should configure the same key in the corresponding rule in the Headquarter VPN gateway.

4. You can set up IKE phase 1 and phase 2 parameters by pressing the Advanced button. Please make sure that the parameters you set in this menu match all the parameters of the corresponding VPN rule in headquarter. We don't make any advanced setup in the example.

Step 3: Set up VPN in Headquarter

• The corresponding rule for Branch_A in headquarter:

1. Local Address Type is Range Address and IP Address Start is 192.168.1.0, IP Address End is 192.168.1.255. This section covers the LAN segment of the Headquarter office. Remote Address Type is Range Address and IP Address Start is 192.168.3.0, IP Address End is 192.168.3.255. This section covers the LAN segment of branch offic
55. ...e principle used to allocate bandwidth on this interface. Priority-Based allocates bandwidth by priority; Fairness-Based allocates bandwidth by ratio.

Check this box if you would like to give the residual bandwidth of the interface to the classes that need more bandwidth than their configured amount. Do not select it if you want to reserve bandwidth for traffic that does not match a bandwidth class, or if you want to limit the bandwidth of each class to the configured value. (Please note that to meet the second condition you should also disable Use All Managed Bandwidth in the BWM rule.)

Step 2: Go to Web Configurator, Advanced Setup, Advanced > Bandwidth MGMT > Rule Setup; select the interface, Service, Priority and Allocated Bandwidth for this rule, then click the "Add" button to apply this rule.

[Screenshot: Rule Setup page for the LAN interface, with a rule table (Active, Rule Name, Destination Port, Priority, Bandwidth (kbps), Modify) and Apply/Cancel buttons.]

Step 3: You can modify the rule by clicking the "Edit" button on the rule.

[Screenshot: Rule Configuration page with Active, Rule Name, BW Budget, Priority (High), Use All Managed Bandwidth, and a Filter Configuration section with Service: User defined, Destination Addr, Destination Subnet Net
56. ...e the following figure.

[Figure: Client 1 (ILA1), Client 2 (ILA2), Client 3 (ILA3) and Client 4 (ILA4) behind the Prestige, with the IGA assigned by the ISP.]

2. Internet Access with an Internal Server

[Figure: Client 1 (ILA1), Client 2 (ILA2), Client 3 (ILA3) and an FTP Server (ILA4) behind the Prestige, with the IGA assigned by the ISP.]

In this case we do exactly as in the figure: use the convenient pre-configured SUA Only set, and also go to Web Configurator, Advanced Setup, Network > NAT > Port Forwarding to specify the Internet server behind the NAT as below.

[Screenshot: Port Forwarding page. Default Server Setup: Default Server 0.0.0.0; Port Forwarding entry 1: FTP.]

3. Using Multiple Global IP Addresses for Clients and Servers

One-to-One, Many-to-One and Server Set mapping types are used.

[Figure: General Server 192.168.1.20, Other Clients 192.168.1.X, FTP Server 1 192.168.1.10 and FTP Server 2 192.168.1.11 behind the Prestige, with 3 IGAs assigned by the ISP. Caption: Mapping Multiple IGAs for clients and servers.]

In this case we have 3 IGAs from the ISP. We have two very busy internal FTP servers and also an internal general server for web and mail. We want to assign the 3 IGAs in the following way using 4 NAT rules:

• Rule 1 (One-to-One type) maps FTP Server 1 with ILA1 (192.168.1.10) to IGA1 (200.0.0.1).
• Rule 2 (One-to-One type) maps FTP Server 2 with ILA2 (
57. ...econds and gets the response from the ISP; the response patterns decide which kinds of ADSL services the line provides. After that, the system saves the correct VPI/VCI and the service (encapsulation) type into the profile of the WAN interface.

• Configure the VC auto-hunting preconfigured table

1. Display the auto-hunting preconfigured table with the CLI command:

   wan atm vchunt disp

[Terminal screenshot: output of "wan atm vchunt disp" showing a Configure Buffer (RN, VPI, VCI) and a Read Only table (RN, VPI, VCI, setting).]

2. Add items to the auto-hunting preconfigured table with the commands:

   wan atm vchunt add <remoteNodeIndex> <vpi> <vci> <service (bit, hex)>
   wan atm vchunt save

Note:
<remote node>: the remote node index (1-8)
<vpi>: VPI value
<vci>: VCI value
<service>: a hex value. bit0: PPPoE VC (1); bit1: PPPoE LLC (2); bit2: PPPoA VC (4); bit3: PPPoA LLC (8); bit4: Enet VC (16); bit5: Enet LLC (32).

For example:
1. If you need the services PPPoE LLC and Enet LLC, the service bits are 2 + 32 = 34 (decimal) = 22 (hex); you must input 22.
2. If you want to enable all services for VC hunting, the service bits are 1 + 2 + 4 + 8 + 16 + 32 = 63 (decimal) = 3f (hex); you must input 3f.

You need to save afterwards with the command "wan atm vchunt save".

[Terminal screenshot: "wan atm vchunt add ..." followed by "wan atm vchunt sav
58. [Table of contents fragment]
3. Configure NAT for internal servers ... 95
4. VPN Routing between Branch Office through Headquarter ... 96
Support Tool ... 101
1. LAN/WAN Packet Trace ... 101
   (illegible entry) ... 101
   (illegible entry) ... 103
   Capture the detailed logs by Hyper Terminal ... 104
2. Firmware/Configurations Uploading and Downloading using TFTP ... 106
   • Using TFTP client software ... 106
   • Using TFTP command on Windows NT ... 108
   • Using TFTP command on UNIX ... 108
3. Using FTP to Upload the Firmware and Configuration Files ... 109
CI Command Reference ... 112

FAQ

ZyNOS FAQ

1. What is ZyNOS?

ZyNOS is ZyXEL's proprietary Network Operating System. It is the platform on all Prestige routers that delivers network services and applications. It is designed in a modular fashion so it is easy for developers to add new features. New ZyNOS software upgrades can be easily downloaded from our FTP sites
59. [Table of contents fragment]
15. Why do we perform traffic shaping in the P-661H-D? ... 14
16. What do the parameters (PCR, SCR, MBS) mean? ... 15
17. What do the ATM QoS Types (CBR, UBR, VBR-nRT, VBR-RT) mean? ... 15
18. What is content filter? ... 15
ADSL FAQ ... 17
1. How does ADSL compare to Cable modems? ... 17
2. What is the expected throughput? ... 17
3. What is the microfilter used for? ... 17
4. How do I know the ADSL line is up? ... 17
5. How does the P-661H-D work on a noisy ADSL? ... 17
6. Does the VC-based multiplexing perform better than the LLC-based multiplexing? ... 18
7. How do I know the details of my ADSL line statistics? ... 18
8. What are the signaling pins of the ADSL connector? ... 18
   (illegible entry) ... 18
Firewall FAQ
60. ...ere are many different solutions for it.

1. Prestige vs. Prestige

[Figure: PC 1 on LAN 1 behind Prestige A and PC 2 on LAN 2 behind Prestige B, with an IPSec tunnel between Prestige A and Prestige B.]

Solution 1:

Step 1: On Prestige A, register a DDNS account from http://www.dyndns.org or http://dynupdate.no-ip.com.
Step 2: Enable the DynDNS function on Prestige A via Web Configurator, Advanced > Dynamic DNS. In the VPN settings on Prestige A, specify My IP as 0.0.0.0 and Secure Gateway as 0.0.0.0. (Here we take the P-661H-D Web Configurator as the example.)
Step 3: On Prestige B, specify My IP as 0.0.0.0 and Secure Gateway as the domain name you registered for Prestige A.
Step 4: Always initiate the VPN tunnel from Prestige B, the side on which Secure Gateway is configured as the dynamic domain name.

Solution 2:

Step 1: Register a DynDNS account from http://www.dyndns.org or http://dynupdate.no-ip.com for both Prestige A and Prestige B.
Step 2: On Prestige A, configure My IP as 0.0.0.0 and Secure Gateway as the dynamic domain name of Prestige B.
Step 3: On Prestige B, configure My IP as 0.0.0.0 and Secure Gateway as the dynamic domain name of Prestige A.
Step 4: With this solution you can initiate the VPN tunnel from either Prestige A or Prestige B.

2. Prestige vs. 3rd Party

This is highly dependent on which kind of 3rd-party device you use. Generally, s
61. ...es. There is no restriction that the IPSec hosts and the security gateway must be separate machines. Both IPSec protocols, AH and ESP, can operate in either transport mode or tunnel mode.

9. What is SA?

A Security Association (SA) is a contract between two parties indicating what security parameters, such as keys and algorithms, they will use.

10. What is IKE?

IKE is short for Internet Key Exchange. Key Management allows you to determine whether to use IKE (ISAKMP) or manual key configuration to set up a VPN.

There are two phases in every IKE negotiation: phase 1 (Authentication) and phase 2 (Key Exchange). Phase 1 establishes an IKE SA and phase 2 uses that SA to negotiate SAs for IPSec.

11. What is a Pre-Shared Key?

A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with the other party before you can communicate with them over a secure connection.

12. What are the differences between IKE and manual key VPN?

The only difference between IKE and manual key is how the encryption keys and SPIs are determined.

• For IKE VPN, the keys and SPIs are negotiated from one VPN gateway to the other. Afterwards, the two VPN gateways use these negotiated keys and SPIs to send packets between the two networks.
• For manual key VPN, the encryption key, authentication key (if needed) and SPIs are predetermined by the administrator when configuring the security association
62. ...es, select Packet Direction WAN to LAN, and create a firewall rule that forwards IKE (UDP 500).

16. Can the P-661H-D behave as a NAT router supporting IPSec passthrough and as an IPSec gateway simultaneously?

No, the P-661H-D can't support both simultaneously; you need to choose one. If the P-661H-D is to support IPSec passthrough, you have to disable the VPN function on it. To disable it, you can either deactivate each VPN rule or issue the CI command "ipsec switch off" from the CLI.

Application Notes

General Application Notes

1. Internet Access Using the P-661H-D under Bridge Mode

• Set up your workstation
• Set up your P-661H-D under bridge mode

If the ISP limits Internet access to some specific computers, only the traffic to/from these computers will be forwarded and the rest will be filtered. In this case, we use the P-661H-D as an ADSL bridge modem to connect to the ISP. The ISP will generally give one Internet account and allow only one computer to access the Internet.

Set up your workstation

1. Ethernet connection

To connect your computer to the P-661H-D's LAN port, the computer must have an Ethernet adapter card installed. For connecting a single computer to the P-661H-D, we use an Ethernet cable.

2. TCP/IP configuration

In most cases, the IP address of the computer is assigned by the ISP dynamically, so y
63. [Figure 3: ZyXEL Private MIB Tree, listing variable groups (including pIPxVariables Group, pAPTVariables Group, pRemoteNodeVariables Group and pRemoteUserVariables Group) and Zyxel Traps.]

Downloading ZyXEL's private MIB

• Configure the P-661H-D for SNMP

The SNMP-related settings of the P-661H-D are configured in Web Configurator, Advanced Setup, Advanced > Remote MGNT > SNMP. The following steps describe a simple setup procedure for configuring all SNMP settings.

[Screenshot: SNMP page. Access Status: LAN/WAN; Secured Client IP: All / Selected 192.168.1.33. SNMP Configuration: Get Community public, Set Community public, Trap Community public, Trap Destination 192.168.1.33. Note: You may also need to create a firewall rule.]

Key Settings:

Option          Description
Get Community   Enter the correct Get Community. This Get Community must match the "Get" and "GetNext" community requested by the NMS. The default is "public".
Set Community   Enter the correct Set Community. This Set Community must match the "Set" community requested by the NMS. The default is "public".
Trusted Host    Enter the IP address of the NMS. The P-661H-D will only respond to SNMP messages coming from this IP address. If 0.0.0.0 is entered, the P-661H-D will respond to all NMS managers.
Tra
64. ...ess control or caching that some proxies support.

4. What kind of firewall is the P-661H-D?

1. The P-661H-D's firewall inspects packet contents and IP headers. It is applicable to all protocols and understands that data in the packet is intended for other layers, from the network layer up to the application layer.
2. The P-661H-D's firewall performs stateful inspection. It takes into account the state of the connections it handles so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in. Conversely, an incoming packet masquerading as a response to a nonexistent outbound request can be blocked.
3. The P-661H-D's firewall uses session filtering, i.e. smart rules that enhance the filtering process and control the network session rather than individual packets in a session.
4. The P-661H-D's firewall is fast. It uses a hashing function to search the matched session cache instead of going through every individual rule for a packet.
5. The P-661H-D's firewall provides an email service to notify you with routine reports and when alerts occur.

5. Why do you need a firewall when your router has packet filtering and NAT built in?

With the spectacular growth of the Internet and online access, companies that do business on the Internet face greater security threats. Although packet filters and NAT restrict access to particular computers and networks, for other companies this sec
65. ...estige A's Local ID Type/Content (IP 0.0.0.0 in the example).

Step 3: Verify that the VPN tunnel has been established successfully

If the connection between PC 1 and PC 2 is OK, we know the tunnel works. Try to ping from PC 1 to PC 2 (or PC 2 to PC 1). If PC 1 and PC 2 can ping each other (ping 192.168.2.33 or 192.168.1.33 in the example), the IPSec tunnel has been established successfully. If the ping fails, there are two methods to troubleshoot IPSec on the Prestige.

1. Check the VPN Monitor

In the P-661H-D Web Configurator, Security > VPN > Monitor, you can check every active IPSec connection. The VPN Name, Encapsulation and IPSec Algorithm are shown in the Monitor table. If you can't see the name of your IPSec rule, the SA establishment has failed; you need to go to the VPN Setup page to check your settings.

[Screenshot: VPN Monitor table with an Encapsulation column and a Refresh button.]

• Use the CI command "ipsec debug on"

If the Monitor shows that the VPN tunnel has been established successfully but PC 1 and PC 2 can't reach each other, we can invoke the command "ipsec debug 1" in the CLI for troubleshooting. Lots of detailed messages are printed out to show how the negotiations take place. If the IPSec connection fails, dump the output of "ipsec debug 1" and send it to a Support Engineer for a solution. The following shows an example of dumped messages. (You can refer to Support Tool > 1. WAN/LAN Packet Trace > Capt
66. ...et (like the source/destination addresses), but ESP does not.

ESP can provide authentication, integrity, replay protection and confidentiality of the data (it secures everything in the packet that follows the header). Replay protection requires authentication and integrity (these two always go together). Confidentiality (encryption) can be used with or without authentication/integrity. Similarly, one could use authentication/integrity with or without confidentiality.

5. I am planning my P-661H-D VPN configuration. What do I need to know?

You can find the VPN options in Web Configurator, Advanced Setup, Security > VPN. For configuring a "box-to-box VPN", there are some tips:

1. If there is a NAT router running in front of the P-661H-D, make sure the NAT router supports IPSec passthrough.
2. In the NAT case, only IPSec tunnel mode is supported. Here is a brief summary for IPSec and NAT:

NAT Condition                Supported IPSec Protocol
VPN Gateway embedded NAT     AH Tunnel mode, ESP Tunnel mode
VPN Gateway behind NAT       ESP Tunnel mode
NAT in Transport mode        None

3. Source IP / Destination IP: Do not number the LANs (local and remote) using the same range of private IP addresses. This makes the VPN destination addresses and the local LAN addresses indistinguishable, and the VPN will not work.

4. Secure Gateway IP Addre
...etworks in Network > LAN > IP Alias by configuring the P-661H-D's second and third LAN IP addresses.

Key Settings
IP Alias 1: activate it and enter the second LAN IP address for the P-661H-D. This creates the second route on the enif0:0 interface.
IP Alias 2: activate it and enter the third LAN IP address for the P-661H-D. This creates the third route on the enif0:1 interface.

10. Using IP Policy Routing

What is IP Policy Routing (IPPR)?
Traditionally, routing is based on the destination address only, and the router takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter packet forwarding based on a policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per-interface basis, prior to normal routing. Network administrators can use IPPR to distribute traffic among multiple paths. For example, if a network has both Internet and remote node connections, we can route Web packets to the Internet using one policy and route FTP packets to the remote LAN using another. See the figure below.

[figure: Prestige with two paths, one to the Internet and one to a Remote LAN router; caption "Use IPPR to distribute traffic among multiple paths"]

Benefits
Source-based routing: network administrators can use policy-b...
...filtering. You can also specify trusted IP addresses on the LAN for which the P-661H-D will not perform content filtering. You can configure the details in the Web Configurator, Advanced Setup, Security > Content Filter.

ADSL FAQ

1. How does ADSL compare to cable modems?
ADSL provides a dedicated service over a single telephone line; cable modems offer a dedicated service over a shared medium. While cable modems have greater downstream bandwidth capabilities (up to 30 Mbps), that bandwidth is shared among all users on a line and will therefore vary, perhaps dramatically, as more users in a neighborhood get online at the same time. Cable modem upstream traffic will in many cases be slower than ADSL, either because the particular cable modem is inherently slower or because of rate reductions caused by contention for upstream bandwidth slots. The big difference between ADSL and cable modems, however, is the number of lines available to each. There are no more than 12 million homes passed today that can support two-way cable modem transmission, and while that figure grows steadily, it will not catch up with telephone lines for many years. Additionally, many of the older cable networks are not capable of offering a return channel; consequently, such networks will need significant upgrading before they can offer high-bandwidth services...
...g IP standard (IPv4) and also the upcoming one (IPv6). In addition, IPSec can protect any protocol that runs on top of IP, for instance TCP, UDP and ICMP. IPSec provides cryptographic security services. These services allow for authentication, integrity, access control and confidentiality. IPSec allows the information exchanged between remote sites to be encrypted and verified. You can create encrypted tunnels (VPNs) or just encrypt traffic between computers. Since you have so many options, IPSec is truly the most extensible and complete network security solution.

7. What secure protocols does IPSec support?
IPSec provides two protocols: AH (Authentication Header, IP protocol number 51) and ESP (Encapsulating Security Payload, IP protocol number 50).

8. What are the differences between "Transport mode" and "Tunnel mode"?
The IPSec protocols (AH and ESP) can be used to protect either an entire IP packet or only the upper-layer protocols of an IP payload. Transport mode is mainly for an IP host to protect the data it generates locally, while tunnel mode is for a security gateway to provide IPSec service to other machines that lack IPSec capability.

In other words, transport mode protects only the upper-layer protocols of the IP payload (user data), keeping the original IP header in front of the AH/ESP header. Tunnel mode protects the entire original IP packet, header included, and prepends a new outer IP header addressed to the security gateway.
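To make the transport/tunnel distinction above and the NAT table in the VPN planning tips concrete, here is an added example (not ZyXEL code and not taken from these notes). It builds minimal IPv4/TCP packets, applies a toy AH integrity check (HMAC-SHA256 truncated to 96 bits over the header with its mutable fields zeroed) and a toy ESP wrapper (an XOR keystream standing in for the cipher, plus the same HMAC over the ESP body), then lets a NAT router rewrite the outer source address and checks what the receiving peer can still verify. Addresses 192.168.1.33, 192.168.2.33, 202.1.1.1 and 202.2.1.1 come from the notes; the gateway's private WAN address 10.0.0.2, the key and the payload are constructed for the example.

```python
"""Why AH and ESP transport mode break behind NAT while ESP tunnel mode survives."""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"      # assumption: shared key of the toy SA
ICV_LEN = 12                        # 96-bit truncated HMAC, as IPSec does
HOST_A = bytes([192, 168, 1, 33])   # PC 1 (LAN behind gateway A)
HOST_B = bytes([192, 168, 2, 33])   # PC 2 (LAN behind gateway B)
GW_A = bytes([10, 0, 0, 2])         # assumption: gateway A's WAN address, private because a NAT router is in front
GW_B = bytes([202, 2, 1, 1])        # gateway B, public
NAT_IP = bytes([202, 1, 1, 1])      # what the NAT router writes as source
PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"  # constructed application data


def csum16(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (data zero-padded to 16 bits)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", csum16(hdr)) + hdr[12:]


def tcp_segment(src: bytes, dst: bytes, payload: bytes) -> bytes:
    """Minimal TCP header; its checksum covers the pseudo-header, i.e. the IP addresses."""
    hdr = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(hdr) + len(payload))
    chk = csum16(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", chk) + hdr[18:] + payload


def tcp_checksum_ok(src: bytes, dst: bytes, seg: bytes) -> bool:
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))
    return csum16(pseudo + seg) == 0


def ah_icv(ip_hdr: bytes, rest: bytes) -> bytes:
    """AH covers the IP header (TTL and checksum zeroed as mutable) plus everything after it."""
    immutable = ip_hdr[:8] + b"\x00" + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:]
    return hmac.new(KEY, immutable + rest, hashlib.sha256).digest()[:ICV_LEN]


def toy_xor(data: bytes) -> bytes:
    """Stand-in for ESP's cipher (XOR with a SHA-256 keystream). Not real cryptography."""
    stream = b"".join(hashlib.sha256(KEY + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_wrap(plain: bytes) -> bytes:
    """ESP's ICV covers only the ESP body; the outer IP header is never part of it."""
    ct = toy_xor(plain)
    return ct + hmac.new(KEY, ct, hashlib.sha256).digest()[:ICV_LEN]


def esp_unwrap(esp: bytes):
    ct, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(KEY, ct, hashlib.sha256).digest()[:ICV_LEN]):
        return None
    return toy_xor(ct)


def nat_rewrite_src(ip_hdr: bytes, new_src: bytes) -> bytes:
    """What the NAT router does to the outer header: new source, checksum recomputed."""
    hdr = ip_hdr[:10] + b"\x00\x00" + new_src + ip_hdr[16:]
    return hdr[:10] + struct.pack("!H", csum16(hdr)) + hdr[12:]


def ah_through_nat():
    """AH (tunnel mode here, transport is no different): NAT changes a field the ICV covers."""
    inner = ipv4_header(HOST_A, HOST_B, 6, 40 + len(PAYLOAD)) + tcp_segment(HOST_A, HOST_B, PAYLOAD)
    outer = ipv4_header(GW_A, GW_B, 51, 20 + ICV_LEN + len(inner))
    icv = ah_icv(outer, inner)
    ok_before = hmac.compare_digest(icv, ah_icv(outer, inner))
    ok_after = hmac.compare_digest(icv, ah_icv(nat_rewrite_src(outer, NAT_IP), inner))
    return ok_before, ok_after


def esp_transport_through_nat() -> bool:
    """ESP transport (host A itself behind NAT): ICV verifies, but the TCP checksum was built over HOST_A."""
    esp = esp_wrap(tcp_segment(HOST_A, HOST_B, PAYLOAD))
    outer = nat_rewrite_src(ipv4_header(HOST_A, HOST_B, 50, 20 + len(esp)), NAT_IP)
    seg = esp_unwrap(esp)
    if seg is None:
        return False
    # The receiver can only rebuild the pseudo-header from the addresses it sees on the wire.
    return tcp_checksum_ok(outer[12:16], outer[16:20], seg)


def esp_tunnel_through_nat() -> bool:
    """ESP tunnel: the inner header, and so the TCP pseudo-header, rides untouched inside ESP."""
    inner = ipv4_header(HOST_A, HOST_B, 6, 40 + len(PAYLOAD)) + tcp_segment(HOST_A, HOST_B, PAYLOAD)
    esp = esp_wrap(inner)
    nat_rewrite_src(ipv4_header(GW_A, GW_B, 50, 20 + len(esp)), NAT_IP)  # outer changes; nothing inside depends on it
    plain = esp_unwrap(esp)
    if plain is None:
        return False
    return tcp_checksum_ok(plain[12:16], plain[16:20], plain[20:])
```

Calling the three functions gives (True, False), False and True respectively, which is exactly the "VPN gateway behind NAT: ESP tunnel mode only" row of the table. The real protocols add sequence numbers, padding and SPIs, but the property that decides NAT compatibility is only which bytes the integrity check and the inner checksum cover, and that is what the toy reproduces.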
...gments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang or reboot.

9. What is a SYN flood attack?
A SYN attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues all outstanding SYN-ACK responses on what is known as the backlog queue. SYN-ACKs are removed from the queue only when an ACK comes back or when an internal timer (set to a relatively long interval) terminates the TCP three-way handshake. Once the queue is full, the system ignores all incoming SYN requests, making it unavailable to legitimate users.

10. What is a LAND attack?
In a LAND attack, the attacker floods the network with SYN packets whose spoofed source IP address (and port) is that of the targeted system itself. This makes it appear as if the host sent the packets to itself, making the system unavailable while it tries to respond to itself.

11. What is a brute force attack?
A brute force attack, such as the "Smurf" attack, targets a feature in the IP specification known as directed or subnet broadcasting to quickly flood the target network with useless data. A Smurf attacker floods a ... destination IP address of each packet is the broadcast address of the ne...
...he filter rules.

sys filter set name <set name>: set the name of the filter set
sys filter set type <tcpip|generic>: set the type of filter rule
sys filter set destport <port> <compare>: set the destination port and compare type; compare type is 0 none, 1 equal, 2 notequal, 3 less, 4 greater
sys filter set srcip <address> <subnet mask>: set the source IP address and subnet mask
sys filter set srcport <port> <compare>: set the source port and compare type; compare type is 0 none, 1 equal, 2 notequal, 3 less, 4 greater
sys filter set tcpEstab <yes|no>: set the TCP established option
sys filter set more <yes|no>: set the "more" option
sys filter set log <type 0-3>: set the log type; 0 none, 1 match, 2 notmatch, 3 both
sys filter set actmatch <type 0-2>: set the action for match; 0 checknext, 1 forward, 2 drop
sys filter set actnomatch <type 0-2>: set the action for not match; 0 checknext, 1 forward, 2 drop
sys filter set offset <offset>: set the offset for a generic rule
sys filter set length <length>: set the length for a generic rule
sys filter set mask <mask>: set the mask for a generic rule
sys filter set value <value, in hex, length as set above>: set the value for a generic rule
sys filter set c...
...he LAN interface or the WAN interface; it depends on where the gateway specified in the policy rule is located. If the gateway you specified is on the local LAN, apply the policy set to the LAN interface. If the gateway you specified is at the remote WAN site, apply the policy set to the WAN interface.

Apply to the WAN interface (suppose we apply it to remote node 1 in the example):
wan node index 1
wan node ippolicy 1

11. Using Call Scheduling

What is Call Scheduling?
Call scheduling lets the P-661H-D bring up the remote node connection according to a pre-defined schedule. The feature is like the scheduler in a video recorder, which records a program at the specified time. Users can apply at most 4 schedule sets to a remote node. The remote node configured with a schedule set can be "Forced On", "Forced Down", "Enable Dial On Demand" or "Disable Dial On Demand" on the specified date and time.

How to configure Call Scheduling
You can configure call scheduling in the CLI. Suppose we want to edit a call schedule set like this:

Call Schedule Set #1
Set name: Test
Active: Yes
Start Date (yyyy-mm-dd): 2005-12-27
How Often: Once
Once: Date (yyyy-mm-dd): 2005-12-27
Start Time (hh:mm): 12:00
Duration (hh:mm): 16:00
Action: Enable Dial on demand

This schedule example permits a deman...
...ime. Leave it at the default value if you don't want this command. (<seconds>)
ip nat server edit <rule> rulename <string>: configure the name of the rule. Leave it at the default value if you don't want this command.
ip nat server edit <rule> forwardip <IP address>: configure the LAN IP address to forward to.
ip nat server edit <rule> protocol <TCP|UDP|ALL>: configure the protocol to be used, TCP, UDP or ALL (must be capitals).

NAT Server Sets
The NAT Server Set is a list of LAN-side servers mapped to external ports (similar to the old SUA menu). If you wish, you can make inside servers for different services (e.g. Web or FTP) visible to outside users, even though NAT makes your network appear as a single machine to the outside world. A server is identified by its port number; e.g. the Web service is on port 80 and FTP on port 21.

As an example (see the figure below), if you have a Web server at 192.168.1.36 and an FTP server at 192.168.1.33, you specify for port 80 (Web) the server at IP address 192.168.1.36 and for port 21 (FTP) the server at IP address 192.168.1.33.

[figure: FTP Server 192.168.1.33 and Web Server 192.168.1.36 on the LAN behind the P-661H-D, which holds the global IP assigned by the ISP]

Please note that a server can support more than one service; e.g. a server can provide both FTP and mail...
...ind SUA

[figure: remote client on the Internet, the Prestige, and a Web server on the LAN]

Introduction
If you wish, you can make internal servers (e.g. a Web, FTP or mail server) accessible to outside users, even though SUA makes your LAN appear as a single machine to the outside world. A service is identified by its port number. Also, since you need to specify the IP address of a server behind the P-661H-D, the server must have a fixed IP address and not be a DHCP client whose IP address could change each time the P-661H-D is powered on.

In addition to servers for specific services, SUA supports a default server. A service request that has no explicitly designated server is forwarded to the default server. If no default server is defined, the request is simply discarded. Note that a default server therefore receives every unsolicited inbound connection on every port, so only use it for a host that is meant to be fully exposed.

Configuration
To make a server visible to the outside world, specify the port number of the service and the inside address of the server in the Web Configurator, Advanced Setup, Network > NAT > Port Forwarding. Outside users then reach the server through the P-661H-D's WAN IP address, which can be read from Web Configurator, Status > WAN Information.

For example, configuring an internal Web server for outside access. Suppose the server IP address is 192.168.1.10.

1. Fill in the service name and server IP address and press the "Add" button. Po...
...ind branch office A and headquarters, we have to specify these two segments in the Remote section. However, if we include both segments in one rule, the LAN segment of branch office B is also covered by that single rule, which means that traffic inside branch office B would be sent into the VPN tunnel. To avoid this, we need two separate rules, one covering the LAN segment of branch office A and one covering headquarters.

The first rule in Branch_B (Branch_B_1). This rule is for branch office B to access headquarters.
1. Local Address Type is Range Address; IP Address Start is 192.168.2.0 and IP Address End is 192.168.2.255. This covers the LAN segment of branch office B. Remote Address Type is Range Address; IP Address Start is 192.168.1.0 and IP Address End is 192.168.1.255. This covers the LAN segment of the headquarters office.
2. My IP Address is the WAN IP of the Prestige in Branch_B (202.2.1.1 in the example). Secure Gateway Address is the IP address of headquarters (202.1.1.1 in the example).
3. Suppose the pre-shared key is 01234567 (a placeholder for the example; use a long random key in a real deployment). We must configure the same key in the corresponding rule on the headquarters VPN gateway.
4. You can set the IKE phase 1 and phase 2 parameters by pressing the Advanced button. Make sure the parameters you set in this menu match all the parameters of the corresponding VPN rule at headquarters. We do not make any advanced setup in the example.

The second rule in Branch_B (Branch_B_2). This rul...
...ing

[screenshot: Network > NAT > Port Forwarding with Default Server 0.0.0.0 and a rule table with columns Service Name, Start Port, Server IP Address, Modify]

This is because SUA makes your LAN appear as a single machine to the outside world; LAN hosts are invisible to outside users. So, to make an internal server reachable from outside, we must specify the service port and the LAN IP of that server in the Web Configurator. SUA is then able to forward incoming packets to the requested service behind SUA, and outside users reach the server through the P-661H-D's WAN IP address. This is why we have to configure the internal IPSec client as the default server (no specific service port) when it acts as a server/gateway: ESP (IP protocol 50) carries no port number, so no port-forwarding rule can match it.

14. What is Traffic Shaping?
Traffic shaping allocates WAN bandwidth dynamically and aims to use the bandwidth efficiently. If there are several VCs on the P-661H-D but only one VC is active at a time, the P-661H-D allocates all the bandwidth to that VC, which then gets the full bandwidth. If other VCs become active later, bandwidth is yielded to them.

15. Why do we perform traffic shaping in the P-661H-D?
The P-661H-D must manage traffic fairly and allocate bandwidth among different kinds of applications, such as voice, video and data. Every application has its own natural bit rate; large data transactions have a fluctuating natural bit rate. The P-661H-D is able to support variable traffic amo...
...internal server or client applications can be accessed by using the P-661H-D's WAN IP address.

SUA Supporting Table
The following are the Web Configurator settings (Advanced Setup, Network > NAT > Port Forwarding) required for various applications running in SUA mode. Rows after SMTP only survived with their outgoing-connection column; entries marked "(not recovered)" were lost from the page.

ZyXEL SUA Supporting Table

    Application                               Outgoing connection                                                      Incoming connection
    HTTP                                      None                                                                     80 / client IP
    FTP                                       None                                                                     21 / client IP
    TELNET                                    None                                                                     23 / client IP (and enable the Telnet service from WAN)
    POP3                                      None                                                                     110 / client IP
    SMTP                                      None                                                                     25 / client IP
    mIRC                                      None for chat; for DCC, please set Default/Client IP                     (not recovered)
    Windows PPTP                              None                                                                     (not recovered)
    ICQ 99a                                   None for chat; for DCC, set ICQ > Preferences > Connections > Firewall   (not recovered)
                                              and set the firewall time-out to 80 seconds
    ICQ 2000b                                 None for chat                                                            (not recovered)
    ICQ Phone 2000b                           None                                                                     (not recovered)
    Cornell 1.1 Cu-SeeMe                      None                                                                     (not recovered)
    White Pine 3.1.2 Cu-SeeMe                 7648 / client IP and 24032 / client IP                                   (not recovered)
    White Pine 4.0 Cu-SeeMe                   7648 / client IP and 24032 / client IP                                   (not recovered)
    Microsoft NetMeeting 2.1 & 3.01           None                                                                     (not recovered)
    Cisco IP/TV 2.0.0                         None                                                                     (not recovered)
    RealPlayer G2                             None                                                                     (not recovered)
    VDOLive                                   None                                                                     (not recovered)
    Quake 1.06                                None                                                                     (not recovered)
    Quake II 2.30                             None                                                                     (not recovered)
    Quake III 1.05 beta                       None                                                                     (not recovered)
    StarCraft                                 6112 / client IP                                                         (not recovered)
    QuickTime 4.0                             None                                                                     (not recovered)
    pcAnywhere 8.0                            None                                                                     (not recovered)
    IPsec (ESP tunneling mode)                (not recovered)                                                          (not recovered)
    Microsoft Messenger Service 3.0           (not recovered)                                                          (not recovered)
    Microsoft Messenger Service 4.6/4.7/5.0   none (UPnP)                                                              (not recovered)
    Net2Phone                                 (not recovered)                                                          (not recovered)
...ith this option, whenever the phase 2 SA lifetime expires, IKE negotiation is invoked automatically, even without traffic, to keep the connection up. But to limit the consumption of system resources, if a VPN tunnel is disconnected (manually, by the idle timer, or by a power cycle), a triggering packet is still needed to bring the tunnel up again.

14. Single, Range, Subnet: which types of IP address does the P-661H-D support in VPN/IPSec?
The P-661H-D supports all of them. In other words, you can specify a single PC, a range of PCs or a whole network of PCs to use the VPN/IPSec service.

15. Can the P-661H-D support VPN passthrough?
Yes. The P-661H-D supports VPN (IPSec, PPTP) passthrough: the P-661H-D series is not only an IPSec VPN gateway, it can also act as a NAT router that passes VPN (IPSec, PPTP) traffic through.
If the VPN connection is initiated from the security gateway behind the P-661H-D, no NAT or Firewall configuration is necessary.
If the VPN connection is initiated from a security gateway outside the P-661H-D, NAT port forwarding and Firewall forwarding are necessary.
To configure NAT port forwarding, go to Web Configurator, Network > NAT > Port Forwarding and put the inside secure gateway's IP address in Default Server. (A Default Server entry is needed rather than a port rule because ESP, IP protocol 50, has no port number; only IKE on UDP 500 does.)
To configure Firewall forwarding, go to Web Configurator, Security > Firewall > Rul...
...lear: clear the current filter set
sys filter set save: save the filter set parameters
sys filter set display [set] [rule]: display filter set information; without parameters it displays the whole set
sys filter set freememory: discard changes

IPSEC VPN Application Notes

1. How to use the P-661H-D to build a VPN tunnel with another VPN gateway or VPN software

This page guides you through setting up a VPN connection between two Prestige routers. Besides Prestige-to-Prestige, the Prestige can also talk to other VPN hardware and software. The tested VPN hardware is:
- Cisco 1720 Router (IOS 12.2(2)XH, IP/ADSL/FW/IDS PLUS IPSEC 3DES)
- NetScreen-5 (ScreenOS 2.6.0r6)
- SonicWALL SOHO 2
- WatchGuard Firebox II
- ZyXEL VPN solution
- Avaya VPN
- Netopia VPN
- III VPN

The tested VPN software is:
- Check Point VPN software
- Win2K VPN software
- Soft-PK VPN software
- Linux FreeS/WAN VPN
- SSH Sentinel
- Intel VPN client software

Let's focus on how to configure a VPN tunnel on the Prestige now.

Prestige-to-Prestige tunnel
As shown in the figure below, the tunnel between Prestige 1 and Prestige 2 keeps the packets flowing between PC 1 and PC 2 secure, because packets that go through the IPSec tunnel are encrypted. To build this VPN tunnel, the settings required on each Prestige are explained in the follo...
...mask

[screenshot: bandwidth management class edit page with fields Destination Subnet Mask, Destination Port, Source Address, Source Subnet Netmask]

Key Settings
Rule Name: give this rule a name, for example "WWW".
BW Budget: configure the bandwidth you would like to allocate to this rule.
Priority: enter a number between 0 and 7 to set the priority of this class. The higher the number, the higher the priority. The default is 3.
Use All Managed Bandwidth: check this box if you want this class to borrow bandwidth from its parents when the required bandwidth is higher than the configured amount. Leave it unchecked if you want to cap the class at the configured value; note that you must also disable "Maximize Bandwidth Usage" on the interface for the cap to hold.
Service: select User defined, SIP, FTP or H.323 to specify the traffic type.
Destination IP Address: enter the destination IP address that this class matches.
Destination Subnet Mask: enter the destination subnet mask.
Destination Port: enter the destination port number of the traffic.
Source IP Address: enter the source IP address that this class matches. Note that for traffic from LAN to WAN, since BWM runs before NAT, you should use the address before NAT processing.
Source Subnet Mask: enter the source subnet mask.
Source ...
...nd SUA. The port number of PPTP (TCP 1723) has to be entered in the Web Configurator, Advanced Setup, Network > NAT > Port Forwarding, on the P-661H-D to forward to the private IP address of the Windows NT server; the GRE tunnel (IP protocol 47) that carries the PPP frames has no port and is handled by the P-661H-D's PPTP passthrough.

[figure: PPTP client on the Internet, the Prestige, and the PPTP server on the LAN]

Example
The following example shows how to dial to an ISP via the P-661H-D and then establish a tunnel to a private network. There are three items to set up for the PPTP application: the PPTP server (WinNT), the PPTP client (Win9x) and the P-661H-D.

1. PPTP server setup (WinNT)
- Add the VPN service from Control Panel > Network.
- Add a user account for the PPTP user.
- Enable the RAS port.
- Select the network protocols for RAS, such as IPX, TCP/IP and NetBEUI.
- Set the Internet gateway to the P-661H-D.

2. PPTP client setup (Win9x)
- Add a VPN connection in Dial-Up Networking, entering the correct username and password and the P-661H-D's Internet IP address, to log on to the NT RAS server.
- Set the Internet gateway to the router that connects to the ISP.

3. P-661H-D setup
- Before making a VPN connection from Win9x to the WinNT server, connect the P-661H-D to your ISP first.
- Enter the IP address of the PPTP server (the WinNT server) and the port number for PPTP as shown below.

Note that PPTP with MS-CHAP/MPPE is a legacy design whose authentication and key derivation are considered broken; where both ends support it, use the IPSec VPN described elsewhere in these notes instead.
...nd so allows you to configure 8 NAT Address Mapping Sets. You must specify which NAT Address Mapping Set (1-8) to use in the remote node when you select Full Feature NAT.

You can edit 10 rules in each Address Mapping Set. The rules of Address Mapping Set 1 can be edited in the Web Configurator; the other Address Mapping Sets (2-8) can only be configured in the CLI (command line interface).

The NAT Server Set is a list of LAN-side servers mapped to external ports. It is configured in the Web Configurator, Advanced Setup, Network > NAT > Port Forwarding. To use the NAT server sets you have configured, a Server rule must exist inside the NAT Address Mapping Set. See NAT Server Sets for how to apply it.

When you select SUA Only, the P-661H-D uses a default SUA Address Mapping Set. It has two rules, Many-to-One and Server. You can see it in the CLI with the command "ip nat lookup 255":

[CLI screenshot, Telnet to 192.168.1.1: "ip nat lookup 255" prints "NAT Lookup Information on set 255" followed by the two rules of the set (rule 1: internal 0.0.0.0 to 255.255.255.255 mapped Many-to-One; rule 2: Server), each with cone type "Port Restricted Cone", and the reference count for active rules]

Please note that the fields in this menu are read-only. However, the settings of rule set 2 can be modified in...
...ng different virtual connections. Certain traffic may be discarded if the virtual connection experiences congestion. Traffic shaping defines a set of actions the P-661H-D takes to avoid congestion; it adapts to unpredictable fluctuations in traffic flows and other problems among virtual connections.

16. What do the parameters PCR, SCR and MBS mean?
The traffic shaping parameters (PCR, SCR, MBS) can be set in Web Configurator, Advanced Setup, Network > Remote Node > Edit > ATM Setup.

Peak Cell Rate (PCR): the maximum bandwidth allocated to this connection. The VC's throughput is capped at PCR.
Sustainable Cell Rate (SCR): the guaranteed minimum bandwidth of a VC. When there are multiple VCs on the same line, each VC's throughput is guaranteed down to its SCR.
Maximum Burst Size (MBS): the number of cells this VC may transmit at the Peak Cell Rate before yielding to other VCs. The whole line bandwidth is dedicated to a single VC when it is the only VC on the line; once other VCs ask for bandwidth, MBS bounds how many cells this VC may still send at PCR before it must yield.

The P-661H-D holds these parameters for shaping the traffic among its virtual channels. If you do not need traffic shaping, set SCR = 0, MBS = 0 and PCR to the maximum valu...
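The interaction of the three parameters is easier to see on a cell stream than in prose. The following is an added example (not ZyXEL code, and not a description of the P-661H-D's internal shaper); it assumes the device enforces PCR, SCR and MBS the way the ATM Forum's Generic Cell Rate Algorithm does, with one leaky bucket for PCR and a second for SCR whose burst tolerance is derived from MBS. Cell arrival times are constructed and kept as exact fractions so the boundary cases are reproducible.

```python
"""PCR/SCR/MBS as a dual leaky bucket (GCRA): which cells of a stream conform."""
from fractions import Fraction


class Gcra:
    """A cell conforms if it arrives no more than `limit` seconds before its
    theoretical arrival time (TAT); accepting a cell pushes TAT on by `increment`."""

    def __init__(self, increment: Fraction, limit: Fraction):
        self.increment = increment   # 1 / rate, seconds per cell
        self.limit = limit           # tolerance in seconds
        self.tat = Fraction(0)

    def conforms(self, t: Fraction) -> bool:
        return t >= self.tat - self.limit

    def accept(self, t: Fraction) -> None:
        self.tat = max(t, self.tat) + self.increment


def shape(arrivals, pcr: int, scr: int, mbs: int):
    """One bool per cell: True if it may go out at once, False if it violates the
    contract. scr == 0 / mbs == 0 means no sustained-rate limit, which is what
    the notes tell you to configure when shaping is not wanted."""
    buckets = [Gcra(Fraction(1, pcr), Fraction(0))]            # PCR bucket, no tolerance
    if scr:
        burst_tolerance = (mbs - 1) * (Fraction(1, scr) - Fraction(1, pcr))
        buckets.append(Gcra(Fraction(1, scr), burst_tolerance))  # SCR bucket, MBS worth of slack
    verdicts = []
    for t in arrivals:
        ok = all(b.conforms(t) for b in buckets)   # a cell must pass every bucket
        if ok:
            for b in buckets:
                b.accept(t)
        verdicts.append(ok)
    return verdicts


def cells_at_rate(rate: int, count: int):
    """Constructed input: `count` cells evenly spaced at `rate` cells per second."""
    return [Fraction(i, rate) for i in range(count)]


def demo():
    # PCR 10 cells/s, SCR 5 cells/s, MBS 4: a burst of 4 cells passes at PCR,
    # after which only every second slot conforms, i.e. the stream is held to SCR.
    at_pcr = shape(cells_at_rate(10, 10), pcr=10, scr=5, mbs=4)
    # Same contract, source sending at twice PCR: the PCR bucket alone rejects
    # every other cell before the SCR bucket has anything to say.
    above_pcr = shape(cells_at_rate(20, 8), pcr=10, scr=5, mbs=4)
    # Shaping switched off (SCR = 0, MBS = 0): only PCR bounds the stream.
    unshaped = shape(cells_at_rate(10, 10), pcr=10, scr=0, mbs=0)
    return at_pcr, above_pcr, unshaped
```

Whether a non-conforming cell is delayed or discarded is the shaper's choice; the notes only say that traffic "may be discarded" under congestion, so the model reports conformance and leaves that decision out.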
...ny: ILA2 <-> IGA2, ILA3 <-> IGA3
One-to-One: ILA4 <-> IGA4
Server: Server 1 IP <-> IGA1, Server 2 IP <-> IGA1

14. How many network users can SUA/NAT support?
The Prestige does not limit the number of users but the number of sessions. The P-661H-D supports 1024 sessions; you can use the "ip nat session" command in the CLI to see them. You can also use "ip nat hashTable wanif0" to view the currently active NAT sessions.

15. What are Device filters and Protocol filters?
In ZyNOS, filters are separated into two groups: the "device filter group" and the "protocol filter group". Generic filters belong to the device filter group; TCP/IP and IPX filters belong to the protocol filter group. You configure filter rules in the CLI. Note: in ZyNOS, you cannot mix the two filter groups in the same filter set.

16. How can I protect against IP spoofing attacks?
The P-661H-D's filter sets provide a means to protect against IP spoofing attacks. The basic scheme is as follows.

For the input data filter:
- Deny packets from outside that claim to come from the inside.
- Allow everything that is not spoofing us.

Filter rule setup:
- Filter type: TCP/IP Filter Rule
- Active: Yes
- Source IP Addr: a.b.c.d
- Source IP Mask: w.x.y.z
...
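To show how the anti-spoofing set above is evaluated (and what the actmatch/actnomatch/log codes from the "sys filter set" CLI table earlier do in practice), here is an added example written for these notes; it is not ZyNOS code. The rule fields mirror the CLI parameters and use the same numeric codes. Two behaviours are assumptions about ZyNOS rather than statements from the notes: a rule with mask 0.0.0.0 matches every address, and a packet that reaches the end of the set with every rule answering "check next" is forwarded. The placeholders a.b.c.d / w.x.y.z are filled with the LAN used throughout the notes, 192.168.1.0/24, and the sample packets are constructed.

```python
"""Model of a ZyNOS TCP/IP filter set applied as the WAN input filter."""
import ipaddress
from dataclasses import dataclass

CHECKNEXT, FORWARD, DROP = 0, 1, 2                        # actmatch / actnomatch codes
LOG_NONE, LOG_MATCH, LOG_NOTMATCH, LOG_BOTH = 0, 1, 2, 3   # log codes


@dataclass
class TcpIpRule:
    name: str
    srcip: str = "0.0.0.0"
    srcmask: str = "0.0.0.0"      # assumption: 0.0.0.0 mask matches any source
    actmatch: int = CHECKNEXT
    actnomatch: int = CHECKNEXT
    log: int = LOG_NONE

    def matches(self, src: str) -> bool:
        """Source address compared under the mask, as the srcip/mask rule does."""
        mask = int(ipaddress.IPv4Address(self.srcmask))
        want = int(ipaddress.IPv4Address(self.srcip)) & mask
        return (int(ipaddress.IPv4Address(src)) & mask) == want


def apply_filter_set(rules, src: str, log: list) -> int:
    """Walk the set in order; the first rule that says forward or drop decides."""
    for rule in rules:
        hit = rule.matches(src)
        if (hit and rule.log in (LOG_MATCH, LOG_BOTH)) or (not hit and rule.log in (LOG_NOTMATCH, LOG_BOTH)):
            log.append(f"{rule.name}: {'match' if hit else 'notmatch'} src={src}")
        action = rule.actmatch if hit else rule.actnomatch
        if action != CHECKNEXT:
            return action
    return FORWARD   # assumption: nothing decided, so the packet passes


LAN_NET, LAN_MASK = "192.168.1.0", "255.255.255.0"
ANTI_SPOOF_SET = [
    # Rule 1: a packet arriving from the WAN with a LAN source address is a forgery; drop and log it.
    TcpIpRule("deny-spoofed-lan", LAN_NET, LAN_MASK, actmatch=DROP, actnomatch=CHECKNEXT, log=LOG_MATCH),
    # Rule 2: everything that is not spoofing us goes through.
    TcpIpRule("allow-rest", "0.0.0.0", "0.0.0.0", actmatch=FORWARD),
]

# Constructed WAN-side arrivals: (description, source address). Note that the
# notes' scheme only blocks our own range; other private ranges still pass rule 2.
SAMPLE_PACKETS = [
    ("spoofed LAN source", "192.168.1.33"),
    ("genuine Internet host", "202.1.1.1"),
    ("private but not our LAN", "192.168.2.5"),
]


def run_demo():
    """Returns the verdict per sample packet and the log lines the set produced."""
    log = []
    verdicts = {desc: apply_filter_set(ANTI_SPOOF_SET, src, log) for desc, src in SAMPLE_PACKETS}
    return verdicts, log
```

The same walker serves any ordering of checknext/forward/drop rules, so it can be used to sanity-check a longer set (for example one that also drops 127.0.0.0/8 or the other RFC 1918 ranges on the WAN side) before typing it into the CLI.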
13. What is Phase 1 ID for? ... 30
14. What is FQDN? ... 31
15. When should I use FQDN? ... 31
... FAQ ... 31
1. How do I configure VPN? ... 31
2. What kind of VPN protocols are supported on P-661H-D? ... 32
3. What types of encryption does P-661H-D VPN support? ... 32
4. What types of authentication does P-661H-D VPN support? ... 32
5. I am planning my P-661H-D VPN configuration. What do I need to know? ... 32
6. Does P-661H-D support dynamic secure gateway IP? ... 33
7. What VPN gateway has been tested with P-661H-D successfully? ... 33
8. What VPN software has been tested with P-661H-D successfully? ... 34
11. How do I configure P-661H-D with NAT for internal servers? ... 35
12. I am planning my P-661H-D behind a NAT router. What do I need to know? ... 35
13. How can I keep a tunnel alive? ... 35
14. Single, Range, Subnet, which types of IP address do P-661H-D support in VPN IPSec? ... 36
15. Can P-661H-D support VPN passthrough? ... 36
16. Can P-661H-D behave as a NAT router supporting IPSec passthrough and an IPSec gateway simultaneously? ... 36
Applicati...
...ommunity name in each trap sent to the NMS. This Trap Community must match what the NMS expects. The default is "public"; change it, since SNMPv1/v2c sends the community string in clear text and "public" is the first value anyone will try.
Trap Destination: enter the IP address of the NMS that you wish to send traps to. If 0.0.0.0 is entered, the P-661H-D will not send traps to any NMS manager.
Note: you may need to edit a firewall rule to permit SNMP packets.

8. Using syslog

[screenshot: Syslog Logging settings with fields Active, Syslog Server IP Address (server name or IP address), Log Facility, Active Log and Alert]

You can configure it in Web Configurator, Advanced Setup, Maintenance > Logs > Log Settings > Syslog Logging.

Key Settings
Active: select it to activate UNIX syslog.
Syslog IP Address: enter the IP address of the UNIX server to which the syslog messages are sent.
Log Facility: select one of the 7 local options. The log facility lets you route the messages to different files on the server; refer to your UNIX manual.

9. Using IP Alias

What is IP Alias?
In a typical environment, a LAN router is required to connect two local networks. The P-661H-D can connect three local networks to the ISP or a remote node; we call this function "IP Alias". In this case, an internal router is not required. For example, the network manager can divide the local network into three networks and connect them to the Internet using...
...ote office.

2. Reducing the number of access lines
Many companies pay monthly charges for two types of access lines: (1) high-speed links for their Internet access and (2) frame relay, ISDN Primary Rate Interface or T1 lines to carry data. A VPN may allow a company to carry the data traffic over its Internet access lines, reducing the need for some of the installed lines.

3. What are the most common VPN protocols?
There are currently three major tunneling protocols for VPNs: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPSec).

4. What is PPTP?
PPTP is a tunneling protocol defined by the PPTP Forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself. PPTP is already supported in Windows NT and Windows 98. Windows 95 needs the Dial-Up Networking 1.2 upgrade.

5. What is L2TP?
Layer Two Tunneling Protocol (L2TP) is the IETF-standardized successor to PPTP (it merges PPTP with Cisco's L2F), used by Internet service providers (ISPs) to run a virtual private network (VPN) over the Internet. L2TP itself only tunnels PPP and provides no encryption, which is why it is normally run over IPSec.

6. What is IPSec?
IPSec is a set of IP extensions developed by the IETF (Internet Engineering Task Force) to provide security services compatible with the existin...
...ou have to configure the computer as a DHCP client, which obtains its IP address from the ISP using DHCP. The ISP may also provide the gateway and DNS via DHCP if available. Otherwise, enter the static IP addresses the ISP gave you in the network TCP/IP settings. For Windows, check the option "Obtain an IP address automatically" in the TCP/IP setup; see the example shown below.

[screenshot: Windows TCP/IP Properties dialog]

Set up your P-661H-D in bridge mode

The following procedure shows how to configure your P-661H-D in bridge mode. We will use the Web Configurator to guide you through the related menus.

1. Configure the P-661H-D as bridge mode and configure the Internet setup parameters in Web Configurator, Advanced Setup, Network > WAN > Internet Connection.

[screenshot: Internet Access Setup page with General settings, Mode, Encapsulation (RFC 1483), Multiplexing, VPI/VCI, IP Address and an Advanced Setup link]

Key Settings
Option: Description
Encapsulation: select the encapsulation type your ISP supports, for example RFC 1483.
Multiplexing: select the multiplexing type your ISP supports, for example LLC.
VPI & V...
89. ow many network users can the SUA/NAT support ........ 9
15. What are Device filters and Protocol filters ........ 9
16. How can I protect against IP spoofing attacks ........ 9

Product FAQ ........ 11
1. How can I manage the P-661H-D ........ 11
2. What is the default password for the Web Configurator ........ 11
3. What's the difference between "Common User Account" and "Administrator Account" ........ 11
4. How do I know the P-661H-D's WAN IP address assigned by the ISP ........ 11
5. What is the micro filter or splitter used for ........ 11
6. The P-661H-D supports Bridge and Router mode; what's the difference between them ........ 12
7. How do I know I am using PPPoE ........ 12
8. Why does my provider use PPPoE ........ 12
9. What is DDNS ........ 12
10. When do I need DDNS service ........ 13
11. What is DDNS wildcard? Does the P-661H-D support DDNS wildcard ........ 13
12. Can the P-661H-D's SUA handle IPSec packets sent by the IPSec gateway ........ 13
13. How do I set up my P-661H-D for routing IPSec packets over SUA ........ 13
14. What is "Traffic Shaping"
90. peaking, this 3rd-party VPN solution must support either of the two items:

• Support DDNS for updating its dynamic WAN IP (if the Prestige is to be the VPN initiator)
• Support a Secure Gateway that can be configured by Domain Name (if the Prestige is to be the VPN responder)

3. Configure NAT for internal servers

Some tips for this application:

Generally, without IPSec, to configure an internal server for outside access we need to configure the server's private IP and its service port in the SUA/NAT Server Table. The NAT router will then forward the incoming connections to the internal server according to the service port and private IP entered in the SUA/NAT Server Table.

However, if both NAT and IPSec are enabled in the Prestige, editing the table is necessary only if the connection is a non-secure connection. For secure connections, no SUA server settings are required, since the private IP is reachable in the VPN case. Remember, IPSec tunnel mode is an IP-in-IP encapsulation: the inner IP header is not translated by NAT.

[Figure: Internal Server - Prestige (NAT/IPSec) - ADSL Modem - Internet - Remote Network]

4. VPN routing between branch offices through the headquarters

This page guides us through setting up VPN routing between branch offices through the headquarters, so that whenever branch office A wants to talk to branch office B, the headquarters acts as a VPN relay
91. private LAN are invisible to the Internet.

3. What are the basic types of firewalls?

Conceptually, there are three types of firewalls:

1. Packet Filtering Firewall
2. Application-level Firewall
3. Stateful Inspection Firewall

Packet Filtering Firewalls generally make their decisions based on the header information in individual packets. This header information includes the source and destination addresses and ports of the packets. Because each packet is judged on its own, such a firewall cannot tell a legitimate reply from an unsolicited packet that merely carries a reply-looking header.

Application-level Firewalls generally are hosts running proxy servers, which permit no traffic directly between networks and which perform logging and auditing of traffic passing through them. A proxy server is an application gateway or circuit-level gateway that runs on top of a general-purpose operating system such as UNIX or Windows NT. It hides valuable data by requiring users to communicate with secure systems by means of a proxy. A key drawback of this type of device is performance.

Stateful Inspection Firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also "inspect" the session data to assure the integrity of the connection and to adapt to dynamic protocols. The flexible nature of Stateful Inspection firewalls generally provides the best speed and transparency; however, they may lack the granular application-level acc
92. r subcommands
2. exit    Exit subcommand

To get the latest CI Command list:

The latest CI Command list is available in the release note of every ZyXEL firmware release. Please go to the ZyXEL public web site, http://www.zyxel.com/support/download_index.php, to download the firmware package (.zip); unzip the package to get the release note in PDF format.
93. remote node denies any demand dial during the period. For the existing connected nodes, the connection will be dropped after the idle timeout and will not be triggered up again.

Disable Dial On Demand
Start Time    Start time of this schedule
Duration      Duration of this schedule

• Apply the schedule to the remote node

Multiple scheduling rules can be programmed in a remote node, and they have priority. For example, if we program the sets as 1, 2, 3, 4 in a remote node, then set 1 will override sets 2, 3 and 4; set 2 will override 3 and 4; and so on.

We can apply the schedule to the remote node in the CLI with the commands:

wan node index <index>
wan node callsch <index>
wan node save

For example, if we want to apply call schedule set 1 to remote node 1, we could use the commands:

wan node index 1
wan node callsch 1
wan node save

• Time Service in the P-661H-D

There is no RTC (Real Time Clock) chip, so the P-661H-D has to use a mechanism to get the current time and date from an external server at boot time. Time service is implemented with the Daytime protocol (RFC 867), the Time protocol (RFC 868) and the NTP protocol (RFC 1305). You have to assign the IP address of a time server, and then the P-661H-D will get the date, time and time zone information from this server. None of these three protocols authenticates the time source, so the timestamps in the firewall log are only as trustworthy as the configured server. You can configure it in Web Configurator, Advanced Setup, Maintenance -> System -> Time Setting.

Time Setting

Curren
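The NTP exchange the P-661H-D performs at boot, as an added Python example that is not ZyXEL code: it builds the client request, parses a server reply constructed here (so it runs offline), checks that the reply actually answers our request, and computes the RFC 1305 clock offset. The header layout and the offset formula are from the RFC; the clock values are constructed.

```python
import struct

# Added example, not ZyXEL code: the NTP (RFC 1305) request/reply exchange, built and
# parsed offline. The server reply is constructed below, not received from a network.

NTP_EPOCH_DELTA = 2208988800      # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)
NTP_FORMAT = "!BBBb11I"           # 48-byte header: LI/VN/Mode, stratum, poll, precision,
                                  # root delay, root dispersion, reference ID, then four
                                  # 64-bit timestamps as (seconds, fraction) pairs
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp(unix_ts):
    """Unix seconds (float) -> NTP timestamp as (seconds, 32-bit fraction)."""
    whole = int(unix_ts)
    return whole + NTP_EPOCH_DELTA, int((unix_ts - whole) * 2**32)


def from_ntp(secs, frac):
    """NTP (seconds, fraction) -> Unix seconds (float)."""
    return secs - NTP_EPOCH_DELTA + frac / 2**32


def build_request(t1_unix):
    """Client request: version 3, mode 3; T1 travels in the Transmit Timestamp."""
    li_vn_mode = (0 << 6) | (3 << 3) | MODE_CLIENT
    xmit = to_ntp(t1_unix)
    return struct.pack(NTP_FORMAT, li_vn_mode, 0, 0, 0,   # stratum/poll/precision unused here
                       0, 0, 0,                            # root delay, root dispersion, ref ID
                       0, 0, 0, 0, 0, 0,                   # reference, originate, receive stamps
                       *xmit)


def build_reply(request, t2_unix, t3_unix, stratum=2):
    """What a server sends back: echoes the client's Transmit Timestamp as Originate,
    stamps Receive (T2) and Transmit (T3). Constructed here so the example runs offline."""
    f = struct.unpack(NTP_FORMAT, request)
    li_vn_mode = (0 << 6) | (3 << 3) | MODE_SERVER
    orig, recv, xmit = (f[13], f[14]), to_ntp(t2_unix), to_ntp(t3_unix)
    return struct.pack(NTP_FORMAT, li_vn_mode, stratum, 6, -20, 0, 0, 0,
                       *recv, *orig, *recv, *xmit)


def parse_reply(data):
    if len(data) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(NTP_FORMAT, data[:48])
    return {"mode": f[0] & 0x07, "stratum": f[1],
            "orig": (f[9], f[10]),            # kept raw for an exact comparison with T1
            "t2": from_ntp(f[11], f[12]),
            "t3": from_ntp(f[13], f[14])}


def clock_offset(reply, t1_unix, t4_unix):
    """RFC 1305 offset = ((T2 - T1) + (T3 - T4)) / 2: seconds the local clock is behind.
    Rejects replies that are not server mode, are stratum 0 (unsynchronised or
    kiss-o'-death), or whose Originate Timestamp does not echo our T1, which is the
    only freshness check an unauthenticated NTP client has."""
    r = parse_reply(reply)
    if r["mode"] != MODE_SERVER or r["stratum"] == 0:
        raise ValueError("not a usable server reply")
    if r["orig"] != to_ntp(t1_unix):
        raise ValueError("originate timestamp does not match our request")
    return ((r["t2"] - t1_unix) + (r["t3"] - t4_unix)) / 2


if __name__ == "__main__":
    t1 = 1000.0                                      # constructed clock values, not real time
    req = build_request(t1)
    rep = build_reply(req, t2_unix=1010.25, t3_unix=1010.75)
    print("offset %.3f s" % clock_offset(rep, t1, t4_unix=1001.0))
```

The originate-timestamp check is what stops a stale or unsolicited reply from setting the clock; it does not stop an on-path attacker, which is why the time server should sit on a network you trust.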
94. rface in this example.

Enter the total speed for this interface that you want to allocate using bandwidth management. This appears as the bandwidth budget of the interface's root class.

Select how you want the bandwidth to be allocated. Priority Based means bandwidth is allocated by priority, so the traffic with the highest priority is served first, then the second priority is served, and so on. If Fairness Based is chosen, then the bandwidth is allocated by ratio, which means that if class A needs 300 kbps and class B needs 600 kbps, then the ratio of A's and B's actual bandwidth is 1:2. So if we get 450 kbps in total, then A would get 150 kbps and B would get 300 kbps. We select Priority Based in this example.

Summary

[Screenshot: Bandwidth Manager Summary. BW Manager manages the bandwidth of traffic flowing out of the router on the specific interface; BW Manager can be switched on/off independently for each interface.]

Key Settings:

Fields: Active, Speed, Scheduler, Maximize Bandwidth Usage

Active     Check the box to enable BWM on the interface. Note that if you would like to manage traffic from WAN to LAN, you should apply BWM on the LAN interface. If you would like to manage traffic from WAN to DMZ, please apply BWM on the DMZ interface.
Speed      Enter the total speed to manage on this interface. This value is the budget of the class tree's root.
Scheduler  Choose th
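How the two schedulers split an interface's budget among classes, as an added Python example that is not ZyXEL code. The class tuples and the convention that a lower priority number is served first are assumptions of this model; the 300/600 kbps classes and the 450 kbps budget are the figures from the text.

```python
# Added example, not ZyXEL code: the Priority Based and Fairness Based schedulers
# described above, applied to constructed traffic classes.

def allocate(budget_kbps, classes, scheduler):
    """classes: list of (name, priority, need_kbps); lower priority number is served
    first (an assumption for this model). Returns {name: granted_kbps}."""
    if budget_kbps < 0 or any(need < 0 for _, _, need in classes):
        raise ValueError("bandwidth must be non-negative")
    if scheduler == "priority":
        # Serve classes strictly in priority order until the budget is exhausted;
        # a low-priority class can be starved completely.
        grants, left = {}, budget_kbps
        for name, _, need in sorted(classes, key=lambda c: c[1]):
            grants[name] = min(need, left)
            left -= grants[name]
        return grants
    if scheduler == "fairness":
        # Scale every class by the same ratio when demand exceeds the budget, so
        # A:B stays 300:600 = 1:2 however little bandwidth is available.
        total_need = sum(need for _, _, need in classes)
        scale = 1.0 if total_need <= budget_kbps else budget_kbps / total_need
        return {name: need * scale for name, _, need in classes}
    raise ValueError("scheduler must be 'priority' or 'fairness'")


if __name__ == "__main__":
    classes = [("A", 1, 300), ("B", 2, 600)]
    print(allocate(450, classes, "fairness"))   # A 150, B 300: the ratio from the text
    print(allocate(450, classes, "priority"))   # A 300, B 150: B gets the leftovers
```

The priority result is what the text's choice of Priority Based buys: class A always gets its full 300 kbps, and whatever is left goes to B.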
95. rnet IP.

Certain Quake servers do not allow multiple users to log in using the same unique IP, so only one Quake user will be allowed in this case. Moreover, when a Quake server is configured behind SUA, the P-661H-D will not be able to provide information about that server on the Internet.

5. Quake II has the same limitations as Quake I.

• The P-661H-D supports MSN Messenger 4.6, 4.7 and 5.0 (video/voice) pass-through over NAT. In addition, for Windows versions that support UPnP (Universal Plug and Play), such as Windows XP and Windows ME, the UPnP support in the P-661H-D is an alternative solution for passing MSN Messenger video/voice traffic through. For more detail, please refer to the UPnP application note. Note that UPnP lets any program on the LAN open inbound WAN ports on the router without authentication, so enable it only where every LAN host is trusted.

• The P-661H-D supports Microsoft Xbox Live with the factory default configuration.

Configurations

For example, if the workstation running CU-SeeMe has an IP of 192.168.1.34, then the default SUA server must be set to 192.168.1.34. The peer CU-SeeMe user can reach this workstation by using the P-661H-D's WAN IP address, which can be obtained from Web Configurator, Status -> WAN Information. Keep in mind that the default server receives every inbound packet that matches no port forwarding rule, so it is exposed on all ports.

[Screenshot: Port Forwarding / Address Mapping; Default Server Setup, Default Server 192.168.1.34; Port Forwarding, Service Name WWW, Server IP Address 0.0.0.0; rule table with Active, Service Name, Start Port, End Port, Server IP Address, Modify]

Configure an Internal Server beh
96. rom WAN, you must turn the firewall off or create a firewall rule to allow WWW/Telnet connections from WAN. The WAN-to-LAN ACL summary will look like the one shown below.

WWW (for accessing the Web Configurator):
Source IP: remote trusted host
Destination IP: router's WAN IP
Service: TCP 80
Action: Forward

TELNET (for accessing the Command Line Interface):
Source IP: Telnet client host
Destination IP: router's WAN IP
Service: TCP 23
Action: Forward

Prefer the rule restricted to the trusted source address over turning the firewall off: both HTTP and Telnet carry the administrator password in clear text, so the source restriction is the only thing limiting who can attempt a login from the Internet.

2. You have disabled the WWW/Telnet service in Web Configurator, Advanced Setup, Advanced -> Remote MGNT.

[Screenshot: Remote MGNT, Telnet: Port, Access Status, Secured Client IP (All / Selected 0.0.0.0). Note: You may also need to create a firewall rule.]

3. The WWW/Telnet service is enabled but your host IP is not the secured host entered in Web Configurator, Advanced Setup, Advanced -> Remote MGNT.

[Screenshot: Remote MGNT, Telnet: Access Status LAN/WAN, Secured Client IP 0.0.0.0. Note: You may also need to create a firewall rule.]

4. A filter set which blocks WWW/Telnet from WAN is applied to the WAN node. You can check with the commands:

wan node index <index>
wan node display

4. Why can't I upload the firmware and configuration file using FTP over WAN?

1. When the firewall is turned on, all connections from WAN to LAN are blocked by the default ACL rule. To enable FTP from WAN, you mu
97. rom the outside Internet. How can I do it?

Yes, it is possible, because the P-661H-D delivers the packet to the local server by looking it up in the SUA server table. Therefore, to make a local server accessible to outside users, the port number and the inside IP address of the server must be configured. You can configure it in Web Configurator, Advanced Setup, Network -> NAT -> Port Forwarding.

12. When do I need to select Full Feature NAT?

• Make multiple local servers on the LAN accessible from outside with multiple global IP addresses

With SUA, "visible" servers had to be mapped to different ports, since the servers share only one global IP. But when you select Full Feature, you can make multiple local servers (mapping the same port or not) on the LAN accessible from outside with multiple global IP addresses.

• Support non-NAT-friendly applications

Some servers providing Internet applications, such as some mIRC servers, do not allow users to log in using the same IP address. Thus, users on the same network cannot log in to the same server simultaneously. In this case it is better to use the Many-to-Many No Overload or One-to-One NAT mapping types, so that each user logs in to the server using a unique global IP address.

13. What IP/port mapping does Multi-NAT support?

Multi-NAT supports five types of IP/port mapping: One-to-One, Many-to-On
98. rt Forwarding

[Screenshot: Port Forwarding; Default Server Setup, Default Server 192.168.1.34; Port Forwarding, Service Name, Server IP Address 192.168.1.10, Add; rule table with Active, Service Name, Start Port, End Port, Server IP Address, Modify; Apply]

2. If it is added successfully, the Web Configurator will display the message "Configuration updated successfully" at the bottom. You can see the port forwarding rule on the same page; the default port for the Web Server is 80.

[Screenshot: Port Forwarding page showing the new WWW rule for 192.168.1.10]

3. If you want to change the port for the Web Server, you can press the "Modify" button on the corresponding rule, then modify and apply it.

Default port numbers for some services

Service                   Port Number
FTP                       21
Telnet                    23
SMTP                      25
DNS (Domain Name Server)  53
WWW/HTTP (Web)            80

Configure a PPTP server behind SUA

Introduction

PPTP is a tunneling protocol defined by the PPTP Forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself.

In order to run the Windows 9x PPTP client, you must be able to establish an IP connection with a tunnel server such as the Windows NT Server 4.0 Remote Access Server.

Windows Dial-Up Networking u
99. s 1862338

[CLI interface display, OCR-damaged; the recoverable fields: the IP Alias 1 interface has mtu 1568, inet 192.168.2.1, netmask 0xffffff00, broadcast 192.168.2.255, RIP RX None / TX None; the IP Alias 2 interface has mtu 1568, inet 192.168.3.1, netmask 0xffffff00, broadcast 192.168.3.255, RIP RX None / TX None; packet counters omitted]

You can edit a filter rule to accept or deny LAN packets from/to IP Alias 1/2 going through the P-661H-D with these CLI commands:

lan index <index number>
    Usage: index number 1 = main LAN, 2 = IP Alias 1, 3 = IP Alias 2
lan filter <incoming|outgoing> <tcpip|generic> <set>
    Usage: set = the corresponding filter set number you have configured
lan save

• IP Alias Setup

1. Edit the first network in Web Configurator, Advanced Setup, Network -> LAN -> IP/DHCP Setup, by configuring the P-661H-D's first LAN IP address.

Key Settings:

DHCP Setup    If the P-661H-D's DHCP server is enabled, the IP pool for the clients can be any of the three networks.
TCP/IP Setup  Enter the first LAN IP address for the P-661H-D. This will create the first route in the enif0 interface.

2. Edit the second and third n
100. 4. Basically, zero configuration only works on VCs that were preconfigured in the auto-hunting preconfigured table.

15. How can I configure triple play on the P-661H-D?

The common triple play scenario is as follows:

[Figure: CPE (ATU-R) - IP DSLAM - VLAN Switch - Access Network]

Triple Play is a port-based policy to forward packets from different LAN ports to different PVCs, so that we can assign different parameters to each PVC (CBR, UBR, VBR-RT, VBR-nRT) to guarantee different applications.

We can configure triple play on the P-661H-D via the CLI. The command is:

sys tripleplay set <EportID> <PVCID>

For example:

sys tripleplay set 1 1
sys tripleplay set 2 2
sys tripleplay set 3 3

The traffic from Ethernet port 1 must be forwarded to PVC1, and vice versa. The traffic from Ethernet port 2 must be forwarded to PVC2, and vice versa. The traffic from Ethernet port 3 must be forwarded to PVC3, and vice versa.

16. How do I configure a packet filter on the P-661H-D?

The P-661H-D allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
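A model of the filter-set limits just described (twelve sets of six rules, at most four sets per port) and of how a chain of rules decides a packet, as an added Python example that is not ZyNOS code. The rule fields and the matched / not-matched actions ("forward", "drop", "next") are assumptions modelled on the ZyNOS filter editor, not a copy of it; the addresses are constructed.

```python
import ipaddress

# Added example, not ZyNOS code: filter sets with the limits from the text and a
# rule chain with matched / not-matched actions (an assumed model of the editor).

MAX_SETS, RULES_PER_SET, SETS_PER_PORT = 12, 6, 4
ACTIONS = {"forward", "drop", "next"}


class Rule:
    def __init__(self, proto, src, dst, dport=None, matched="drop", not_matched="next"):
        if matched not in ACTIONS or not_matched not in ACTIONS:
            raise ValueError("action must be one of %s" % sorted(ACTIONS))
        self.proto = proto                          # "tcp", "udp", "icmp" or "any"
        self.src = ipaddress.ip_network(src)        # CIDR; "0.0.0.0/0" means any
        self.dst = ipaddress.ip_network(dst)
        self.dport = dport                          # None means any port
        self.matched, self.not_matched = matched, not_matched

    def matches(self, pkt):
        return ((self.proto == "any" or pkt["proto"] == self.proto)
                and ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and (self.dport is None or pkt.get("dport") == self.dport))


class FilterTable:
    def __init__(self):
        self.sets = {}                              # set number -> list of Rule

    def add_rule(self, set_no, rule):
        if not 1 <= set_no <= MAX_SETS:
            raise ValueError("filter set number must be 1..%d" % MAX_SETS)
        rules = self.sets.setdefault(set_no, [])
        if len(rules) >= RULES_PER_SET:
            raise ValueError("set %d already holds %d rules" % (set_no, RULES_PER_SET))
        rules.append(rule)

    def evaluate(self, applied_sets, pkt):
        """Apply the sets bound to one port, in order, to one packet. "next" falls
        through to the following rule and then the following set. A packet that no
        rule decides is forwarded, so a filter meant to block must end in a drop."""
        if len(applied_sets) > SETS_PER_PORT:
            raise ValueError("a port takes at most %d filter sets" % SETS_PER_PORT)
        for set_no in applied_sets:
            for rule in self.sets.get(set_no, []):
                action = rule.matched if rule.matches(pkt) else rule.not_matched
                if action != "next":
                    return action
        return "forward"


def telnet_from_trusted_host_only(trusted_host):
    """Set 1: allow Telnet (TCP 23) from one host, drop it from everyone else."""
    table = FilterTable()
    table.add_rule(1, Rule("tcp", trusted_host + "/32", "0.0.0.0/0", 23,
                           matched="forward", not_matched="next"))
    table.add_rule(1, Rule("tcp", "0.0.0.0/0", "0.0.0.0/0", 23,
                           matched="drop", not_matched="next"))
    return table


if __name__ == "__main__":
    table = telnet_from_trusted_host_only("203.0.113.7")     # constructed addresses
    pkt = {"proto": "tcp", "src": "198.51.100.9", "dst": "192.168.1.1", "dport": 23}
    print(table.evaluate([1], pkt))                           # drop
    print(table.evaluate([1], dict(pkt, src="203.0.113.7")))  # forward
```

The order of the two rules matters: with the drop rule first, the trusted host would never reach the rule that admits it.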
101. s now moving in the opposite direction), the checksums are recomputed, and the packet is delivered to its true destination. This is because SUA keeps a table of the IP addresses and port numbers of the local systems currently using it.

10. What is the difference between SUA and Full Feature NAT?

When you edit a remote node in Web Configurator, Advanced Setup, Network -> Remote Node -> Edit, there are three options for you:

• None
• SUA Only
• Full Feature

SUA (Single User Account), in previous ZyNOS versions, is a NAT set with 2 rules: Many-to-One and Server. With SUA, "visible" servers had to be mapped to different ports, since the servers share only one global IP.

The P-661H-D now has Full Feature NAT, which supports five types of IP/port mapping: One-to-One, Many-to-One, Many-to-Many Overload, Many-to-Many No Overload and Server. You can build special applications when you select Full Feature NAT. For example, with multiple global IP addresses, multiple servers using the same port (e.g. FTP servers using ports 21/20) are allowed on the LAN for outside access.

The P-661H-D supports NAT sets on a remote-node basis. They are reusable, but only one set is allowed for each remote node. The P-661H-D supports 8 sets, since there are 8 remote nodes.

By factory default, NAT is set to SUA in Web Configurator, Advanced Setup, Network -> NAT -> General -> NAT Setup.

11. Is it possible to access a server running behind SUA f
102. section. If by any chance the two segments are not contiguous, we strongly recommend that you set up different rules for these segments.

Create a VPN rule with the name Branch_A. The configuration is the same as for a Prestige-to-Prestige tunnel; just the IP addresses are a little different.

1. Local Address Type is Range Address, IP Address Start is 192.168.3.0 and IP Address End is 192.168.3.255. This section covers the LAN segment of branch office A.

Remote Address Type is Range Address, IP Address Start is 192.168.1.0 and IP Address End is 192.168.2.255. This section covers the LAN segments of both the headquarters and branch office B.

2. My IP Address is the WAN IP of the Prestige in Branch_A (202.3.1.1 in the example). Secure Gateway Address is the IP address of the headquarters (202.1.1.1 in the example).

3. Suppose the pre-shared key is 01234567; we should configure the same key in the corresponding rule in the headquarters VPN gateway. A key this short is only for illustration; use a long random pre-shared key in practice.

4. You can set up the IKE phase 1 and phase 2 parameters by pressing the Advanced button. Please make sure that the parameters you set in this menu match all the parameters of the corresponding VPN rule in the headquarters. We don't make any advanced setup in the example.

Step 2. Set up VPN in branch office B

Be very careful about the remote IP address in branch office B, because systems behind branch office B want to access systems beh
103. ........ 24
4. Why can't I upload the firmware and configuration file using FTP over WAN ........ 25

Log and Alert ........ 26
1. When does the P-661H-D generate the firewall log ........ 26
2. What does the log show to us ........ 26
3. How do I view the firewall log ........ 26
4. When does the P-661H-D generate the firewall alert ........ 27
5. What is the difference between the log and alert ........ 27

VPN FAQ ........ 28

[heading unreadable] ........ 28
1. What is VPN ........ 28
2. Why do I need VPN ........ 28
3. What are the most common VPN protocols ........ 28
4. What is PPTP ........ 28
5. What is L2TP ........ 29
6. What is IPSec ........ 29
7. What secure protocols does IPSec support ........ 29
8. What are the differences between "Transport mode" and "Tunnel mode" ........ 29
9. What is SA ........ 30
10. What is IKE ........ 30
11. What is Pre-Shared Key ........ 30
12. What are the differences between IKE and manual key VPN ........ 30
t
104. server.

In the following example, the IP address 140.113.1.225 is dynamically assigned by the ISP. You must enter this IP address in the "VPN Server" dialog box to reach the PPTP server. After the VPN link is established, you can start the network protocol application, such as IP, IPX and NetBEUI.

[Screenshot: Windows "Connect To" dialog; User name, Password, VPN server 140.113.1.225]

5. Using Full Feature NAT

When the P-661H-D is in Routing mode, you can select the NAT Option as Full Feature in Network -> Remote Node -> Edit.

[Screenshot: Network Address Translation options: None, SUA Only, Full Feature]

Key Settings:

Field: Network Address Translation

Full Feature  When you select this option you can select Address Mapping Set Number 1-8 in the pull-down menu on the right.
None          NAT is disabled when you select this option.
SUA Only      When you select this option, this remote node will use the default SUA Address Mapping Set. You can see it in the CLI with the command "ip nat lookup 255". It is a read-only set with two rules: Many-to-One and Server mapping. Select Full Feature when you require other mapping types.

Address Mapping Sets and NAT Server Sets

The P-661H-D has 8 remote nodes a
105. service, while another provides only Web service.

The following procedures show how to configure a server behind NAT:

Step 1. Log in to Web Configurator, Advanced Setup, Network -> NAT -> Port Forwarding.

Step 2. Select the service name from the pull-down menu, fill in the server address in "Server IP Address", then click the "Add" button to save it.

[Screenshot: Port Forwarding; Default Server Setup, Default Server 0.0.0.0; Port Forwarding, Service Name, Server IP Address 0.0.0.0]

Step 3. You can click the "Edit" button on the rule to modify the Service Name, Server IP Address and Start/End Port.

The most often used port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers. Note that PPTP carries its data in GRE (IP protocol 47) as well as on TCP 1723; see "Configure a PPTP server behind SUA" for how the P-661H-D forwards it.

Service                                   Port Number
FTP                                       21
Telnet                                    23
SMTP                                      25
DNS (Domain Name Server)                  53
WWW/HTTP (Web)                            80
PPTP (Point-to-Point Tunneling Protocol)  1723

• Examples

• Internet Access Only
• Internet Access with an Internal Server
• Using Multiple Global IP addresses for clients and servers
• Support non-NAT-friendly applications

1. Internet Access Only

In our Internet Access example, we only need one rule where all our ILAs map to one IGA assigned by the ISP. You can just use the default SUA/NAT, or you can select Full Feature NAT and select an Address Mapping Set with a Many-to-One rule. Se
106. ses an IP associated with dynamic IPs.

Without DDNS, we always tell the users to use the WAN IP of the P-661H-D to access the internal server. It is inconvenient for the users if this IP is dynamic. With DDNS supported by the P-661H-D, you apply for a DNS name (e.g. www.zyxel.com.tw) for your server (e.g. a Web server) from a DDNS server. The outside users can then always access the web server using www.zyxel.com.tw regardless of the WAN IP of the P-661H-D.

When the ISP assigns the P-661H-D a new IP, the P-661H-D must inform the DDNS server of the change so that the server can update the IP in its DNS entry. Once the IP-to-DNS table in the DDNS server is updated, the DNS name for your web server (i.e. www.zyxel.com.tw) is still usable.

The DDNS server the P-661H-D currently supports is WWW.DYNDNS.ORG, where you apply for the DNS name and update the WAN IP.

• Set up the DDNS

1. Before configuring the DDNS settings in the P-661H-D, you must first register an account with the DDNS server, such as WWW.DYNDNS.ORG. After the registration, you have a hostname for your internal server and a password used to update the IP at the DDNS server. This password is stored on the router and authenticates anyone who can repoint your hostname, so keep it distinct from the router's administrator password.

2. Log in to Web Configurator, Advanced Setup, Advanced -> Dynamic DNS. Select the "Active Dynamic DNS" option.

[Screenshot: Dynamic DNS Setup; Active Dynamic DNS; Service Provider WWW.DynDNS.ORG]
107. ses the Internet standard Point-to-Point Protocol (PPP) to provide a secure, optimized multiple-protocol network connection over dial-up telephone lines. All data sent over this connection can be encrypted and compressed, and multiple network-level protocols (TCP/IP, NetBEUI and IPX) can be run correctly. Windows NT Domain Login level security is preserved even across the Internet. Note that PPTP's encryption (MPPE) derives its keys from the MS-CHAP password exchange, and both are considered weak by today's standards.

[Figure: Windows 98 PPTP Client - Internet - NT RAS Server protocol stack]

PPTP appears as a new modem type (Virtual Private Networking Adapter) that can be selected when setting up a connection in the Dial-Up Networking folder. The VPN Adapter type does not appear elsewhere in the system. Since PPTP encapsulates its data stream in the PPP protocol, the VPN requires a second dial-up adapter. This second dial-up adapter for VPN is added during the installation phase of the upgrade, in addition to the first dial-up adapter that provides PPP support for the analog or ISDN modem.

PPTP is already supported in Windows NT and Windows 98. For Windows 95, it needs to be upgraded with the Dial-Up Networking 1.2 upgrade.

Configuration

This application note explains how to establish a PPTP connection with a remote private network in the P-661H-D SUA case. In ZyNOS, all PPTP packets can be forwarded to the internal PPTP server (WinNT server) behi
108. ss. It is usually a static IP, so that we can pre-configure it in the P-661H-D for making VPN connections. If it is a dynamic IP given by the ISP, you can still configure this IP address after the remote P-661H-D is online and its WAN IP is available from the ISP. Or you can use DDNS as below.

6. Does the P-661H-D support a dynamic secure gateway IP?

Yes. If the remote VPN gateway uses a dynamic IP, we enter 0.0.0.0 as the Secure Gateway IP Address in the P-661H-D. In this case, the VPN connection can only be initiated from the dynamic side to the fixed side, in order to update its dynamic IP to the fixed side. A 0.0.0.0 secure gateway also means the fixed side will answer IKE from any address, so the pre-shared key and the Phase 1 ID are then all that identifies the peer; choose them accordingly.

If both gateways use dynamic IP addresses, we can use DDNS on one side. For example:

• Both sides have dynamic IP addresses

[Figure: Router A (DDNS enabled) - Internet (IPSec Tunnel Mode) - Router B (Secure GW = DNS name Prestige.dyndns.org)]
Router A: My IP = 0.0.0.0, Secure GW = 0.0.0.0, with DDNS enabled
Router B: My IP = 0.0.0.0, Secure GW = Prestige.dyndns.org

With DDNS support, although Router A's WAN IP changes from time to time, the DNS name of Router A is still valid. Router B can establish VPN tunnels with Router A by specifying the Secure GW as Router A's DNS name, even if Router B itself has a dynamic IP address too. Note: in the example, the VPN connection can only be initiated from Router B.

7. What VPN gateways have been tested with the P-661H-D successfully?
109. ss Mapping Set #1, you can edit 10 Address Mapping Rules for Set #1. You can edit or remove a rule by clicking the two buttons on the rule table.

Click the "Edit" button on rule #1; you then enter the window in which you can edit an individual rule and configure the Mapping Type and the Local and Global Start/End IPs.

[Screenshot: Edit Address Mapping Rule 1: Type, Local Start IP, Local End IP, Global Start IP, Global End IP, Server Mapping Set, Cancel]

The following table describes the fields in this screen:

Type
    You can select one of the five mapping types from the pull-down menu.
    Options: 1. One-to-One; 2. Many-to-One; 3. Many-to-Many Overload; 4. Many-to-Many No Overload; 5. Server

Local Start IP
    This is the starting local IP address (ILA).
    Example: 0.0.0.0

Local End IP
    This is the ending local IP address (ILA). If the rule is for all local IPs, then put the Start IP as 0.0.0.0 and the End IP as 255.255.255.255. This field is N/A for the One-to-One type.
    Example: 255.255.255.255

Global Start IP
    This is the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global Start IP.
    Example: 0.0.0.0

Global End IP
    This is the ending global IP address (IGA). This field is N/A for the One-to-One, Many-to-One and Server types.
    Example: 200.1.1.64

Note: For all Local and Global IPs, the End IP address must begin after the IP Star
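A model of the five Multi-NAT mapping types, serving "What is the difference between SUA and Full Feature NAT", "When do I need select Full Feature NAT", "Configure a server behind NAT" and the address mapping rule fields above, as an added Python example that is not ZyXEL or ZyNOS code. Rule order, the port-allocation scheme and the way the Server mapping is stored are assumptions of this model; the addresses and ports are constructed, with 200.1.1.64 taken from the table.

```python
import ipaddress

# Added example, not ZyNOS code: outbound and inbound translation for the five
# mapping types, with the read-only SUA set (Many-to-One + Server) built on top.

KINDS = ("one-to-one", "many-to-one", "many-to-many-overload",
         "many-to-many-no-overload", "server")


def _ip(s):
    return ipaddress.ip_address(s)


class NatSet:
    def __init__(self):
        self.rules = []        # (kind, local_start, local_end, global_start, global_end)
        self.servers = {}      # Server rule: global port -> private IP (the NAT Server Set)
        self.sessions = {}     # (local ip, local port) -> (global ip, global port)
        self.reverse = {}      # (global ip, global port) -> (local ip, local port)
        self.host_iga = {}     # No Overload: local ip -> the IGA it owns
        self.next_port = 1024  # simple PAT port allocator (assumption)

    def add_rule(self, kind, local_start=None, local_end=None,
                 global_start=None, global_end=None):
        if kind not in KINDS:
            raise ValueError("unknown mapping type %r" % kind)
        if kind != "server" and local_start is None:
            raise ValueError("local range required")
        ls = _ip(local_start) if local_start else None
        le = _ip(local_end) if local_end else ls
        gs = _ip(global_start) if global_start else None
        ge = _ip(global_end) if global_end else gs
        if (ls is not None and le < ls) or (gs is not None and ge < gs):
            raise ValueError("End IP must not precede Start IP")
        self.rules.append((kind, ls, le, gs, ge))

    def add_server(self, port, private_ip):
        self.servers[port] = _ip(private_ip)

    def _alloc_port(self):
        self.next_port += 1
        return self.next_port

    def outbound(self, local_ip, local_port):
        """LAN -> Internet: the first rule whose local range holds the source wins."""
        key = (_ip(local_ip), local_port)
        if key in self.sessions:
            return self.sessions[key]
        for kind, ls, le, gs, ge in self.rules:
            if kind == "server" or not ls <= key[0] <= le:
                continue
            if kind == "one-to-one":
                mapped = (gs, local_port)                       # fixed pair, port unchanged
            elif kind == "many-to-one":
                mapped = (gs, self._alloc_port())               # one IGA; ports tell hosts apart
            elif kind == "many-to-many-overload":
                pool = int(ge) - int(gs) + 1                    # hosts spread over the IGA
                mapped = (gs + int(key[0]) % pool, self._alloc_port())  # pool, still with PAT
            else:                                               # many-to-many-no-overload
                if key[0] not in self.host_iga:                 # one IGA per host and no PAT,
                    pool = [gs + i for i in range(int(ge) - int(gs) + 1)]  # so a server sees
                    free = [g for g in pool if g not in self.host_iga.values()]  # unique IPs
                    if not free:
                        raise RuntimeError("global IP pool exhausted")
                    self.host_iga[key[0]] = free[0]
                mapped = (self.host_iga[key[0]], local_port)
            self.sessions[key] = mapped
            self.reverse[mapped] = key
            return mapped
        raise RuntimeError("no mapping rule covers %s" % local_ip)

    def inbound(self, global_ip, global_port):
        """Internet -> LAN: an existing session first, then the Server rule; anything
        else is unsolicited and dropped (None)."""
        key = (_ip(global_ip), global_port)
        if key in self.reverse:
            return self.reverse[key]
        if any(r[0] == "server" for r in self.rules) and global_port in self.servers:
            return (self.servers[global_port], global_port)
        return None


def sua_set(iga):
    """The read-only SUA set: Many-to-One for every local host plus a Server rule."""
    s = NatSet()
    s.add_rule("many-to-one", "0.0.0.0", "255.255.255.255", iga)
    s.add_rule("server", global_start=iga)
    return s
```

With the SUA set, two LAN hosts leave with the same global address and different ports, and only ports in the Server Set are reachable from outside; with a Many-to-Many No Overload rule each host keeps its own global address and its own source port, which is the case the mIRC remark above is about.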
110. st turn the firewall off or create a firewall rule to allow FTP connections from WAN. The WAN-to-LAN ACL summary will look like the one shown below. Because FTP sends the administrator password in clear text, restrict the rule's Source IP to the specific host rather than leaving it open.

Source IP: FTP host
Destination IP: P-661H-D's WAN IP
Service: FTP (TCP 21, TCP 20)
Action: Forward

2. You have disabled the FTP service in Web Configurator, Advanced Setup, Advanced -> Remote MGNT.

3. The FTP service is enabled but your host IP is not the secured host entered in Web Configurator, Advanced Setup, Advanced -> Remote MGNT.

4. A filter set which blocks FTP from WAN is applied to the WAN node. You can check with the commands:

wan node index <index>
wan node display

Log and Alert

1. When does the P-661H-D generate the firewall log?

The P-661H-D generates a firewall log entry immediately when a packet matches a firewall rule. The log for the Default Firewall Policy (LAN to WAN, WAN to LAN, WAN to WAN) is generated automatically with the factory default setting, but you can change it in the Web Configurator.

2. What does the log show to us?

The log supports up to 128 entries. There are 5 columns for each entry; please see the example shown below.

Time              Message                                Source IP           Destination IP        Note
12/13/2005 ...    Firewall default policy: TCP (L to W)  192.168.1.33:3466   207.69.188.186:5000   ACCESS PERMIT

3. How do I view the firewall log?

All logs generated in the P-661H-D, including firewall logs, IPSec logs
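A stateful-inspection model of the behaviour described in "What are the basic types of firewalls", in the WAN-to-LAN ACL rules for remote management (WWW, Telnet and FTP above) and in "Log and Alert", as an added Python example that is not ZyNOS code. The direction names, rule fields and exact message wording are assumptions; the five log columns, the 128-entry limit, the default policy (WAN to LAN blocked) and the sample addresses follow the text, and the packets are constructed.

```python
import ipaddress
from collections import deque

# Added example, not ZyNOS code: sessions opened from the LAN admit their replies,
# everything else is judged by the ACL and then the default policy, and each
# decision produces a five-column log entry as in the text.

LOG_LIMIT = 128
DEFAULT_POLICY = {"L to W": "forward", "W to L": "block", "W to W": "block"}


class Rule:
    def __init__(self, direction, src, dst, proto, dport, action):
        self.direction = direction
        self.src = ipaddress.ip_network(src)         # CIDR; a trusted host is a /32
        self.dst = ipaddress.ip_network(dst)
        self.proto, self.dport, self.action = proto, dport, action

    def matches(self, pkt):
        return (pkt["dir"] == self.direction and pkt["proto"] == self.proto
                and pkt["dport"] == self.dport
                and ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst)


class Firewall:
    def __init__(self, rules=(), policy=DEFAULT_POLICY):
        self.rules = list(rules)
        self.policy = dict(policy)
        self.sessions = set()                        # (proto, lan ip, lan port, wan ip, wan port)
        self.log = deque(maxlen=LOG_LIMIT)           # oldest entry is discarded past 128

    def _flow(self, pkt):
        # Normalise the 5-tuple so a WAN reply matches the session its LAN request created
        if pkt["dir"] == "L to W":
            return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        return (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

    def _decide(self, pkt, action, message):
        note = "ACCESS PERMIT" if action == "forward" else "ACCESS BLOCK"
        self.log.append((pkt["time"], message,
                         "%s:%d" % (pkt["src"], pkt["sport"]),
                         "%s:%d" % (pkt["dst"], pkt["dport"]), note))
        if action == "forward" and pkt["dir"] == "L to W":
            self.sessions.add(self._flow(pkt))       # remember what the LAN opened
        return action

    def inspect(self, pkt):
        """A packet belonging to a session opened from the LAN passes without any rule;
        a pure packet filter would have to open WAN->LAN for every reply port instead."""
        if pkt["dir"] == "W to L" and self._flow(pkt) in self.sessions:
            return "forward"
        for rule in self.rules:
            if rule.matches(pkt):
                return self._decide(pkt, rule.action,
                                    "Firewall rule match: %s (%s)" % (rule.proto.upper(), pkt["dir"]))
        return self._decide(pkt, self.policy[pkt["dir"]],
                            "Firewall default policy: %s (%s)" % (pkt["proto"].upper(), pkt["dir"]))


def management_acl(trusted_host, wan_ip):
    """The WAN-to-LAN rules from the text: WWW, Telnet and FTP only from one host."""
    return [Rule("W to L", trusted_host + "/32", wan_ip + "/32", "tcp", port, "forward")
            for port in (80, 23, 21, 20)]


if __name__ == "__main__":
    fw = Firewall(management_acl("203.0.113.7", "200.1.1.1"))    # constructed addresses
    out = {"time": "12/13/2005 10:00:00", "dir": "L to W", "proto": "tcp",
           "src": "192.168.1.33", "sport": 3466, "dst": "207.69.188.186", "dport": 5000}
    fw.inspect(out)
    reply = dict(out, dir="W to L", src="207.69.188.186", sport=5000, dst="192.168.1.33", dport=3466)
    print(fw.inspect(reply), fw.inspect(dict(reply, src="198.51.100.9")))   # forward block
    for entry in fw.log:
        print(entry)
```

The untrusted probe to 192.168.1.33:3466 is blocked even though it copies the reply's port numbers, because it does not match the recorded 5-tuple; a management attempt from any host other than 203.0.113.7 falls through to the WAN-to-LAN default policy and is logged as blocked.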
111. sword.

3. What's the difference between "Common User Account" and "Administrator Account"?

A Common User Account can only access the status monitor of the P-661H-D and check the current system status.

An Administrator Account, besides accessing the status monitor of the P-661H-D, can also access the Wizard setup and Advanced setup of the P-661H-D.

Moreover, only with the Administrator Password can you manage the P-661H-D via FTP/TFTP or Telnet.

4. How do I know the P-661H-D's WAN IP address assigned by the ISP?

You can view "My WAN IP <from ISP> x.x.x.x" shown in Web Configurator (Status > Device Information > WAN Information) to check this IP address.

5. What is the micro filter or splitter used for?

Generally, the voice band uses the lower frequencies, ranging from 0 to 4 kHz, while ADSL data transmission uses the higher frequencies. The micro filter acts as a low-pass filter for your telephone set to ensure that ADSL transmissions do not interfere with your voice transmissions. For the details about how to connect the micro filter, please refer to the user's manual.

6. The P-661H-D supports Bridge and Router mode; what's the difference between them?

When the ISP limits some specific computers to access the Internet, that means only the traffic to/from these computers will be forwarded and the other will be filtered
112. t. To use the service, you must first apply for an account from one of several free Web servers such as http://www.dyndns.org.

Without DDNS, we always tell the users to use the WAN IP of the P-661H-D to reach our internal server. It is inconvenient for the users if this IP is dynamic. With DDNS supported by the P-661H-D, you apply for a DNS name (e.g. www.zyxel.com.tw) for your server (e.g. a Web server) from a DDNS server. The outside users can always access the web server using www.zyxel.com.tw regardless of the WAN IP of the P-661H-D.

When the ISP assigns the P-661H-D a new IP, the P-661H-D updates this IP to the DDNS server so that the server can update its IP-to-DNS entry. Once the IP-to-DNS table in the DDNS server is updated, the DNS name for your web server (i.e. www.zyxel.com.tw) is still usable.

10. When do I need the DDNS service?

When you want your internal server to be accessed by using a DNS name rather than the dynamic IP address, you can use the DDNS service. The DDNS server allows you to alias a dynamic IP address to a static hostname. Whenever the ISP assigns you a new IP, the P-661H-D sends this IP to the DDNS server for its update.

11. What is DDNS wildcard? Does the P-661H-D support DDNS wildcard?

Some DDNS servers support the wildcard feature, which allows the hostname *.yourhost.dyndns.org to be aliased to the same IP address
113. t Time and Date

[Screenshot: Time and Date screen. Current Time 11:08:14, Current Date 2005/12/27. Time and Date Setup: Manual (New Time hh:mm:ss, New Date yyyy/mm/dd) or Get from Time Server (Time Protocol: Daytime; Time Server Address). Time Zone Setup: Time Zone (GMT) Greenwich Mean Time: Dublin, Edinburgh, Lisbon, London; Enable Daylight Savings, Start Date 2005/01/02 at 0 o'clock, End Date 2005/01/02 at 0 o'clock]

12. Using IP Multicast

• What is IP Multicast?

Traditionally, IP packets are transmitted in two ways: unicast or broadcast. Multicast is a third way to deliver IP packets to a group of hosts. Host groups are identified by class D IP addresses, i.e. those with "1110" as their higher-order bits. In dotted decimal notation, host group addresses range from 224.0.0.0 to 239.255.255.255. Among them, 224.0.0.1 is assigned to the permanent IP hosts group, and 224.0.0.2 is assigned to the multicast routers group.

IGMP (Internet Group Management Protocol) is the protocol used to support multicast groups. The latest version is version 2 (see RFC 2236). IP hosts use IGMP to report their multicast group membership to any immediately neighboring multicast routers so the multicast routers can decide if a multicast packet needs to be forwarded. At start-up, the P-661H-D queries all directly connec
114. t address, i.e. you cannot have an End IP address beginning before the Start IP address.

• Configure Address Mapping Sets in CLI

Step 1. Telnet to the P-661H-D. We suppose the LAN IP address of the P-661H-D is 192.168.1.1.

Step 2. Select one Address Mapping Set (1-8) with the command "ip nat addrmap map <map#> [set name]" (the set name is optional). Suppose we configure set 2 in the example.

Step 3. Set a NAT address mapping rule for the Address Mapping Set you just configured (Set 2 in this example) with the command "ip nat addrmap rule <rule#> <insert|edit> <type> <local start IP> <local end IP> <global start IP> <global end IP> <server set#>". Suppose we set a Many-to-One rule for set 2 with the command:
ip nat addrmap rule 1 edit 1 192.168.1.10 192.168.1.20 172.1.1.1 172.1.1.1

Step 4. Save the configuration with the command "ip nat addrmap save". You can apply Address Mapping Set 2 to remote nodes in Web Configurator when you select Full Feature NAT. See the entire process as follows:

ras> ip nat addrmap map 2 Test
ras> ip nat addrmap rule 1 edit 1 192.168.1.10 192.168.1.20 172.1.1.1 172.1.1.1
CONFIG NAT Address MAP set:2 rule:1
ras> ip nat addrmap save
ip nat addrmap save ok

Step 5. You can look up the successfully configured Address Mapping Sets with the command "ip nat addrmap disp".

ras> ip nat addrmap disp
[CLI screenshot: output of ip nat addrmap disp for set 2, truncated]
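The field table for address mapping rules and the note that an End IP may not begin before its Start IP describe a set of consistency checks an operator applies by eye. The following is an added example, not ZyXEL code, that encodes those checks in Python: the five mapping types as numbered in the pull-down menu, the N/A End IP fields per type (accepted only when they repeat the Start IP, as the CLI example "172.1.1.1 172.1.1.1" does), the Start/End ordering rule, and the 0.0.0.0 conventions for "all local IPs" and a dynamic global address. The MappingRule class and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Mapping types, numbered as in the Web Configurator pull-down menu.
MAPPING_TYPES = {
    1: "One-to-One",
    2: "Many-to-One",
    3: "Many-to-Many Overload",
    4: "Many-to-Many No Overload",
    5: "Server",
}

# Types for which the field table marks the End IP as N/A.
LOCAL_END_NA = {1}           # One-to-One: a single local address
GLOBAL_END_NA = {1, 2, 5}    # One-to-One, Many-to-One, Server: a single global address

ALL_ZEROS = ipaddress.IPv4Address("0.0.0.0")
ALL_ONES = ipaddress.IPv4Address("255.255.255.255")


@dataclass(frozen=True)
class MappingRule:
    """One address mapping rule as entered in the Edit Address Mapping Rule screen or the CLI (example type)."""
    mapping_type: int
    local_start: str
    local_end: Optional[str] = None
    global_start: str = "0.0.0.0"
    global_end: Optional[str] = None


def validate_rule(rule: MappingRule) -> List[str]:
    """Return the problems found; an empty list means the rule respects the field table."""
    if rule.mapping_type not in MAPPING_TYPES:
        return [f"unknown mapping type {rule.mapping_type}"]
    name = MAPPING_TYPES[rule.mapping_type]
    try:
        ls = ipaddress.IPv4Address(rule.local_start)
        gs = ipaddress.IPv4Address(rule.global_start)
        le = ipaddress.IPv4Address(rule.local_end) if rule.local_end else None
        ge = ipaddress.IPv4Address(rule.global_end) if rule.global_end else None
    except ipaddress.AddressValueError as exc:
        return [f"malformed address: {exc}"]

    problems = []
    # The note under the table: an End IP may not begin before its Start IP.
    if le is not None and le < ls:
        problems.append(f"Local End IP {le} is before Local Start IP {ls}")
    if ge is not None and ge < gs:
        problems.append(f"Global End IP {ge} is before Global Start IP {gs}")

    # N/A fields: the CLI still takes a value, so accept it only when it repeats the Start IP.
    if rule.mapping_type in LOCAL_END_NA and le is not None and le != ls:
        problems.append(f"Local End IP is N/A for {name}")
    if rule.mapping_type in GLOBAL_END_NA and ge is not None and ge != gs:
        problems.append(f"Global End IP is N/A for {name}")

    # Range types need both ends of the range they map.
    if rule.mapping_type not in LOCAL_END_NA and le is None:
        problems.append(f"Local End IP is required for {name}")
    if rule.mapping_type not in GLOBAL_END_NA and ge is None:
        problems.append(f"Global End IP is required for {name}")
    return problems


def covers_all_local(rule: MappingRule) -> bool:
    """True when the rule uses the 0.0.0.0 to 255.255.255.255 convention for 'all local IPs'."""
    return (ipaddress.IPv4Address(rule.local_start) == ALL_ZEROS
            and rule.local_end is not None
            and ipaddress.IPv4Address(rule.local_end) == ALL_ONES)


def uses_dynamic_global(rule: MappingRule) -> bool:
    """True when Global Start IP is 0.0.0.0, the convention for a dynamically assigned WAN address."""
    return ipaddress.IPv4Address(rule.global_start) == ALL_ZEROS


if __name__ == "__main__":
    # The Many-to-One rule from the CLI walk-through above, then the same rule with the local range reversed.
    good = MappingRule(2, "192.168.1.10", "192.168.1.20", "172.1.1.1", "172.1.1.1")
    bad = MappingRule(2, "192.168.1.20", "192.168.1.10", "172.1.1.1", "172.1.1.1")
    print(validate_rule(good))
    print(validate_rule(bad))
```

Running the block validates the Many-to-One rule from Step 3 (no problems) and then the same rule with its local range reversed, which is exactly the case the note under the table forbids.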
115. te peer is using DNS or E-mail, you have to adjust the settings to pass phase 1 ID checking.

15. When should I use FQDN?

If your VPN connection is Prestige to Prestige, both of them have static IP addresses, and there is no NAT router in between, you can ignore this option. Just leave the Local/Peer ID type as IP.

If either VPN tunnel end point is using a dynamic IP address, you may need to configure an ID for the one with the dynamic IP address. In this case, Aggressive mode is recommended for the phase 1 negotiation.

Advanced FAQ

1. How do I configure VPN?

You can configure VPN via Web Configurator (Advanced Setup, Security > VPN > Summary).

2. What kind of VPN protocols are supported on the P-661H-D?

All P-661H-D series support IPSec VPN; in other words, we can build an IPSec VPN on the P-661H-D.

Also note that the P-661H-D supports VPN (IPSec, PPTP) passthrough through its NAT.

3. What types of encryption does the P-661H-D VPN support?

The P-661H-D supports DES/3DES/AES encryption.

4. What types of authentication does the P-661H-D VPN support?

VPN vendors support a number of different authentication methods. The P-661H-D VPN supports both SHA1 and MD5.

AH provides authentication, integrity, and replay protection (but not confidentiality). Its main difference from ESP is that AH also secures parts of the IP header of the pack
116. ted networks to gather group membership.

After that, the P-661H-D updates the information by periodic queries. The P-661H-D implementation of IGMP is also compatible with version 1. The multicast setting can be turned on or off on the Ethernet and remote nodes.

• IP Multicast Setup

1. Enable IGMP on the P-661H-D's LAN in Web Configurator (Advanced Setup, Network > LAN > IP > Advanced Setup).

2. Enable IGMP on the P-661H-D's remote node in Web Configurator (Advanced Setup, Network > Remote Node > Edit > Multicast).

Key Settings: Multicast: IGMP-v1 for IGMP version 1, IGMP-v2 for IGMP version 2.

13. Using Bandwidth Management

• Why Bandwidth Management (BWM)?

Nowadays, we have many different traffic types for Internet applications. Some traffic may consume high bandwidth, such as FTP (File Transfer Protocol); other traffic may not require high bandwidth but does require a stable supply of bandwidth, such as VoIP traffic. The VoIP quality would not be good if all of the outgoing bandwidth were occupied by FTP. Additionally, chances are that you would like to grant higher bandwidth to somebody in particular who is using a specific IP address in your network. All of these are reasons why we need bandwidth management.

• Using BWM

Step 1. Go to Web Configurator (Advanced Setup, Advanced > Bandwidth MGMT > Summary) and activate bandwidth management on the interface you would like to manage. We enable the BWM function on the WAN inte
117. tet blocks for TFTP.

Check "Binary" mode for file transferring.

• Using the TFTP command on Windows NT

Step 1. TELNET to your Prestige first before using the TFTP command.
Step 2. Type the CI command "sys stdio 0" to disable the console idle timeout in the Command Line Interface (CLI).
Step 3. Download ZyNOS via LAN: c:\> tftp -i <PrestigeIP> get ras <localfile>
Step 4. Upload P-661H-D configurations via LAN: c:\> tftp -i <PrestigeIP> put <localfile> rom-0
Step 5. Download P-661H-D configurations via LAN: c:\> tftp -i <PrestigeIP> get rom-0 <localfile>

• Using the TFTP command on UNIX

Before you begin:
1. TELNET to your Prestige first before using the TFTP command.
2. Type the CI command "sys stdio 0" to disable the console idle timeout in the Command Line Interface (CLI).

Example:

[cppwu@faelinux cppwu]$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
Password:
ras> sys stdio 0

(Open a new window)

[cppwu@faelinux cppwu]$ tftp -i 192.168.1.1 get rom-0 [local-rom]    <- change to binary mode, download configurations
[cppwu@faelinux cppwu]$ tftp -i 192.168.1.1 put [local-rom] rom-0    <- upload configurations
[cppwu@faelinux cppwu]$ tftp -i 192.168.1.1 get ras [local-ras]      <- download firmware
[cppwu@faelinux cppwu]$ tftp -i 192.168.1.1 put [local-ras] ras      <- upload firmware

3. Using
118. tion.

• The different services, such as video, VoIP and Internet access, require different Quality of Service.
• The high priority is Voice (VoIP) data.
• The medium priority is Video (IPTV) data.
• The low priority is Internet access such as FTP etc.

[Figure: Triple Play service mapping, including "Other Service"]

Triple Play is a port-based policy to forward packets from different LAN ports to different PVCs; thus you can configure each PVC separately to assign different QoS to different applications.

Firewall FAQ

General

1. What is a network firewall?

A firewall is a system or group of systems that enforces an access control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. The firewall can be thought of as two mechanisms: one to block traffic, and the other to permit traffic.

2. What makes the P-661H-D secure?

The P-661H-D is pre-configured to automatically detect and thwart Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND attack, IP Spoofing, etc. It also uses stateful packet inspection to determine if an inbound connection is allowed through the firewall to the private LAN. The P-661H-D supports Network Address Translation (NAT), which translates the private local addresses to one or multiple public addresses. This adds a level of security since the clients on the
119. twork, the router will broadcast the ICMP echo request packet to all hosts on the network. If there are numerous hosts, this will create a large amount of ICMP echo request packets; the resulting ICMP traffic will not only clog up the "intermediary" network, but will also congest the network of the spoofed source IP address, known as the "victim" network. This flood of broadcast traffic consumes all available bandwidth, making communications impossible.

12. What is an IP Spoofing attack?

Many DoS attacks also use IP Spoofing as part of their attack. IP Spoofing may be used to break into systems, to hide the hacker's identity, or to magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network. To engage in IP Spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall.

13. What are the default ACL firewall rules in the P-661H-D?

There are two default ACLs pre-configured in the P-661H-D: one allows all connections from LAN to WAN and the other blocks all connections from WAN to LAN except for DHCP packets.

Configuration

1. How do I configure the firewall?

You can use the Web Configurator to configure the firewall for the P-661H-D. By factory default, if you connect your PC to
120. up, Maintenance > Logs > Log Settings). You can also specify there how frequently you want to receive the alert.

5. What is the difference between the log and the alert?

A log entry is just added to the log inside the P-661H-D and e-mailed together with all other log entries at the scheduled time as configured. An alert is e-mailed immediately after an attack is detected.

VPN FAQ

General FAQ

1. What is VPN?

A VPN gives users a secure link to access a corporate network over the Internet or other public or private networks without the expense of leased lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.

2. Why do I need VPN?

There are several reasons to use a VPN. The most common reasons are security and cost.

Security:
1. Authentication: With authentication, the VPN receiver can verify the source of packets and guarantee the data integrity.
2. Encryption: With encryption, the VPN guarantees the confidentiality of the original user data.

Cost:
1. Cut long-distance phone charges: Because users typically dial their local ISP for VPN, the long-distance phone charge is reduced compared to making a long direct connection to the rem
121. up, Network > LAN).

3. Set up the P-661H-D as a DHCP Relay

• What is DHCP Relay?

DHCP stands for Dynamic Host Configuration Protocol. In addition to the DHCP server feature, the P-661H-D supports the DHCP relay function. When it is configured as a DHCP server, it assigns the IP addresses to the LAN clients. When it is configured as a DHCP relay, it is responsible for forwarding the requests and responses negotiated between the DHCP clients and the server. See figure 1.

[Figure 1: Prestige as a DHCP Relay, between a DHCP Server and a DHCP Client]

• Set up the P-661H-D as a DHCP Relay

We can set the P-661H-D as a DHCP Relay with the following commands in the CLI:
ip dhcp enif0 mode relay
ip dhcp enif0 relay server <Server IP Address>

4. SUA Notes

Tested SUA/NAT Applications (e.g. Cu-SeeMe, ICQ, NetMeeting)

[Figure: Prestige between Cu-SeeMe Player hosts]

Introduction

Generally, SUA makes your LAN appear as a single machine to the outside world. LAN users are invisible to outside users. However, some applications such as Cu-SeeMe and ICQ will need to connect to the local user behind the P-661H-D. In such a case, a SUA server must be configured to forward the incoming packets to the true destination behind SUA. After the required servers are configured in Web Configurator (Advanced Setup, Network > NAT > Port Forwarding), the
122. ure the detailed logs with HyperTerminal to do it.

Prestige> ipsec debug 1
IPSEC debug level 1
Prestige> catcher
recv pkt numPkt<1>
get_hdr nxt_payload<1> exchMode<2> m_id<0> len<80>
f76af206 b187aae3 00000000 00000000 01100200 00000000 00000050 00000034
00000001 00000001 00000028 01010001 00000020 01010000 80010001 80020001
80040001 80030001 800b0001 800c0e10
In isadb_get_entry, nxt_pyld 1, exch 2
New SA

2. View IPSec Log

We can also view the log for IPSec and IKE connections for troubleshooting. On the P-661H-D, we can check the logs via Web Configurator or CLI. The log menu is also useful for troubleshooting; please capture it for us if necessary. For example, select IPSec and IKE in Web Configurator (Maintenance > Logs > Log Settings).

[Screenshot: Active Log and Alert settings. Log checkboxes: System Maintenance, System Errors, Access Control, UPnP, Forward Web Sites, Blocked Web Sites, Attacks, Any IP, IPSec, IKE. Send Immediate Alert checkboxes: System Errors, Access Control, Blocked Web Sites, Attacks]

Then, after a successful or failed VPN connection, we can view the relevant information from Web Configurator (Maintenance > Logs > View Log).

[Screenshot: View Log screen, with Email Log Now and Clear Log buttons]

2. How to build a VPN between Secure Gateways with Dynamic WAN IP Address
123. urity may be insufficient, because packet filters typically cannot maintain session state. Thus, for greater security, a firewall is considered.

6. What is a Denial of Service (DoS) attack?

Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.

There are four types of DoS attacks:

1. Those that exploit bugs in a TCP/IP implementation, such as Ping of Death and Teardrop.
2. Those that exploit weaknesses in the TCP/IP specification, such as SYN Flood and LAND attacks.
3. Brute-force attacks that flood a network with useless data, such as the Smurf attack.
4. IP Spoofing.

7. What is a Ping of Death attack?

Ping of Death uses a "PING" utility to create an IP packet that exceeds the maximum 65535 bytes of data allowed by the IP specification. The oversize packet is then sent to an unsuspecting system. Systems may crash, hang, or reboot.

8. What is a Teardrop attack?

The Teardrop attack exploits a weakness in the reassembly of IP packet fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks. Each fragment looks like the original packet except that it contains an offset field. The Teardrop program creates a series of IP fra
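Ping of Death and Teardrop are both reassembly problems: one datagram whose fragments add up to more than the IP specification allows, and fragments whose offsets overlap what has already been received. The following is an added example, not ZyXEL code, of the per-datagram sanity checks a stateful inspector applies before reassembling: it takes fragment descriptors (offset in 8-byte units, payload length, MF flag) and reports oversize and overlapping fragments, plus non-final fragments that are not a multiple of 8 bytes. The Fragment type, the function names and the three sample fragment sets are constructed for this example and are not captures from the device; a 20-byte IPv4 header without options is assumed.

```python
from dataclasses import dataclass
from typing import List

IP_MAX_TOTAL_LENGTH = 65535   # 16-bit Total Length field: header plus payload
IP_HEADER_LENGTH = 20         # minimal IPv4 header, assumed (no options)


@dataclass(frozen=True)
class Fragment:
    """One fragment of an IP datagram (example type); offset is in 8-byte units, as in the IP header."""
    offset: int
    length: int            # payload bytes carried in this fragment
    more_fragments: bool   # the MF flag; False marks the last fragment


def inspect_fragments(frags: List[Fragment]) -> List[str]:
    """Return the reassembly anomalies an inspector would flag for one datagram's fragments."""
    findings = []
    ordered = sorted(frags, key=lambda f: f.offset)

    # Ping of Death: the reassembled datagram would exceed what a 16-bit Total Length can hold.
    for f in ordered:
        end = f.offset * 8 + f.length
        if IP_HEADER_LENGTH + end > IP_MAX_TOTAL_LENGTH:
            findings.append(f"oversize datagram: fragment at byte {f.offset * 8} ends at payload byte {end}")

    # Teardrop: a fragment starts inside a fragment that has already been received.
    prev_end = 0
    for f in ordered:
        start = f.offset * 8
        if start < prev_end:
            findings.append(f"overlapping fragment: starts at {start}, previous ended at {prev_end}")
        prev_end = max(prev_end, start + f.length)

    # Non-final fragments must carry a multiple of 8 bytes or later offsets cannot line up.
    for f in ordered:
        if f.more_fragments and f.length % 8:
            findings.append(f"non-final fragment of {f.length} bytes is not a multiple of 8")

    # Gaps (missing fragments) are not flagged: they mean "incomplete", not "malformed".
    return findings


def is_suspicious(frags: List[Fragment]) -> bool:
    """Convenience wrapper: True when any anomaly was found."""
    return bool(inspect_fragments(frags))


# Constructed sample fragment sets (not captures from the device).
NORMAL_PING = [Fragment(0, 1480, True), Fragment(185, 1480, True), Fragment(370, 1480, False)]
TEARDROP_LIKE = [Fragment(0, 40, True), Fragment(3, 16, False)]            # second starts at byte 24, inside the first
PING_OF_DEATH_LIKE = [Fragment(0, 1480, True), Fragment(8189, 28, False)]  # last fragment ends at payload byte 65540

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL_PING), ("teardrop-like", TEARDROP_LIKE), ("ping-of-death-like", PING_OF_DEATH_LIKE)):
        print(name, inspect_fragments(frags) or "clean")
```

The oversize check counts the header because the 65535 limit in the IP specification is the Total Length, header included; a fragment whose payload alone ends below 65535 can still push the whole datagram over the limit.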
124. wing sections.

[Figure: LAN 1 - Prestige A - IPSec Tunnel - Prestige B - LAN 2]

The IP addresses we use in this example are as below:

Prestige A: LAN 192.168.1.1, WAN 202.132.154.1
Prestige B: LAN 192.168.2.1, WAN 168.10.10.66

Note: The following configurations suppose that both VPN gateways have fixed IP addresses. If one of the VPN gateways uses a dynamic IP, we enter 0.0.0.0 as the secure gateway IP address. In this case, the VPN connection can only be initiated from the dynamic side to the fixed side, to update its dynamic IP to the fixed side. If both VPN gateways use dynamic IPs, we need the DDNS service to implement it.

You can finish the configuration via Web Configurator on the Prestige.

Step 1. Set up Prestige A.

1. Using a web browser, log in to the Prestige Web Configurator by giving the LAN IP address of the Prestige in the URL field. The default LAN IP is 192.168.1.1; the default password to log in to the web configurator is 1234.

Note: For the P-661H-D, you need to log in to the Multilingual Web Configurator using the Administrator account; the default password is admin.

2. Go to the VPN Setup page to edit a VPN Rule. On the P-661H-D, you could begin with Security > VPN > Summary.

[Screenshot: VPN Setup > Summary table with the columns No., Active, Name, Local Address, Remote Address, Encap]
125. word will be reset to "1234".

8. How to use the Reset button?

a. Turn your P-661H-D on. Make sure the POWER LED is on (not blinking).
b. Press the RESET button for longer than one second and shorter than five seconds and release it. If the POWER LED begins to blink, the P-661H-D's wireless auto security function OTIST has been enabled.
c. Press the RESET button for six seconds and release it. If the POWER LED begins to blink, the default configuration has been restored and the P-661H-D restarts.

9. What is SUA? When should I use SUA?

SUA (Single User Account) is a unique feature supported by the Prestige router which allows multiple people to access the Internet concurrently for the cost of a single user account.

When the Prestige acting as SUA receives a packet from a local client destined for the outside Internet, it replaces the source address in the IP packet header with its own address and the source port in the TCP or UDP header with another value chosen out of a local pool. It then recomputes the appropriate header checksums and forwards the packet to the Internet as if it originated from the Prestige using the IP address assigned by the ISP. When reply packets from the external Internet are received by the Prestige, the original IP source address and TCP/UDP source port numbers are written into the destination fields of the packet (since it i
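The SUA description above is a single-address NAPT: outbound packets get the WAN address and a pooled source port, the header checksum is recomputed, and replies are mapped back through the same table. The following is an added example, not ZyXEL code, that models exactly that in Python: a translation table keyed by protocol and port, the reverse lookup that restores the original client on a reply, the drop of any inbound packet with no mapping (which is why LAN hosts are invisible from outside), and the RFC 1071 ones'-complement checksum used for the IPv4 header. The WAN address 203.0.113.5 and the port pool are constructed; the client 192.168.1.33:3466 and server 207.69.188.186:5000 are the addresses from the firewall log example earlier on this page. The Packet and SuaTranslator names are this example's own.

```python
from dataclasses import dataclass, replace
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The addressing fields SUA rewrites (example type); payload and other headers are left out."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words over a header whose checksum field is zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


class SuaTranslator:
    """Single-address NAPT modelled on the SUA description: one public IP, source ports drawn from a pool."""

    def __init__(self, wan_ip: str, port_pool: Iterable[int]):
        self.wan_ip = wan_ip
        self._free_ports = list(port_pool)
        self._outbound: Dict[Tuple[str, str, int], int] = {}        # (proto, lan ip, lan port) -> wan port
        self._inbound: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (proto, wan port) -> (lan ip, lan port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN client's packet so it appears to originate from the WAN address; one mapping per flow."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        wan_port = self._outbound.get(key)
        if wan_port is None:
            if not self._free_ports:
                raise RuntimeError("SUA port pool exhausted")
            wan_port = self._free_ports.pop(0)
            self._outbound[key] = wan_port
            self._inbound[(pkt.proto, wan_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.wan_ip, src_port=wan_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Restore the original client on a reply; a packet with no mapping is dropped (returns None)."""
        if pkt.dst_ip != self.wan_ip:
            return None
        local = self._inbound.get((pkt.proto, pkt.dst_port))
        if local is None:
            return None
        return replace(pkt, dst_ip=local[0], dst_port=local[1])

    def active_mappings(self) -> int:
        """Number of flows currently holding a pooled port."""
        return len(self._outbound)


if __name__ == "__main__":
    nat = SuaTranslator("203.0.113.5", range(40000, 40010))
    out = nat.translate_outbound(Packet("192.168.1.33", 3466, "207.69.188.186", 5000))
    print("outbound:", out)
    print("reply:", nat.translate_inbound(Packet("207.69.188.186", 5000, "203.0.113.5", out.src_port)))
    print("unsolicited:", nat.translate_inbound(Packet("198.51.100.9", 80, "203.0.113.5", 40009)))
    # Checksum of a 20-byte IPv4 header with its checksum field zeroed (constructed sample).
    print(hex(ipv4_checksum(bytes.fromhex("450000730000400040110000c0a80001c0a800c7"))))
```

Because the table is keyed on the WAN port, an inbound packet to a port that no LAN client has opened has nowhere to go and is dropped, which is the behaviour the SUA notes rely on when they say LAN users are invisible to outside users; the port-forwarding (SUA server) entries described in the SUA Notes are the explicit exceptions to that rule.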
    