
Symantec Firewall/VPN 200R


Contents

Config Password 3-11
  To configure a password 3-11
Advanced Configuration
  Advanced PPPoE 4-1
  Dynamic DNS Services 4-4
    Optional Dynamic DNS settings 4-6
  Routing 4-6
    Routing table data 4-8
    Other routers on the local LAN 4-8
  Host IP and Group 4-10
  Access Filters 4-12
    Security Groups 4-13
  Special Applications 4-14
  Virtual Servers 4-17
    Types of Virtual Servers 4-17
    Virtual Servers example: IP Address seen by Internet users 4-19
    Custom Virtual Server 4-20
    Existing Custom Virtual Servers 4-21
  Exposed Host (DMZ) 4-22
  Expert Level 4-24
    Expert Level Connection fields 4-26
      Load Balance 4-26
      SMTP Bind 4-26
      Idle Renew DHCP 4-26
      MTU LAN PC 4-26
      Echo Request Timeout
Customer service

Visit Symantec Customer Service online at http://service.symantec.com for assistance with non-technical questions and for information on how to do the following:
- Subscribe to the Symantec Support Solution of your choice
- Obtain product literature or trialware
- Locate resellers and consultants in your area
- Replace missing or defective CD-ROMs, disks, manuals, and so on
- Update your product registration with address or name changes
- Get order, return, or rebate status information
- Access customer service FAQs
- Post a question to a Customer Service representative

For upgrade orders, visit the online upgrade center at http://www.symantec.com/upgrades or call the Customer Service Order Desk at 800-568-9501.

Worldwide service and support

Technical support and customer service solutions vary by country. For information on Symantec and International Partner locations outside of the United States, please contact one of the service and support offices listed below, or connect to http://www.symantec.com, select the country you want information about, and click Go.

Service and support offices

North America: Symantec Corporation, 175 W. Broadway, Eugene, OR 97401, U.S.A. (Automated Fax Retrieval)
Argentina and Uruguay: Symantec Region Sur, Cerrito 1054, Piso 9, 1010 Buenos Aires, Argentina
Asia/Pacific Rim: Symantec Australia Pty. Ltd., 408 Victoria Road, Glades
Brazil
[Figure 7-4: VPN Dynamic tunnel diagram (Symantec Firewall/VPN 200 to SEVPN)]

Symantec Firewall/VPN Dynamic tunnel configuration

On the Symantec Firewall/VPN appliance, select the VPN Dynamic option from the configuration page. You should be presented with a screen similar to Figure 7-5 on page 7-6. Initially the screen you see should be blank, with a few of the defaults entered. In order to properly configure a dynamic tunnel you will need the following information from the SEVPN:
- Gateway IP address of the SEVPN
- Shared Secret
- Destination network protected by the SEVPN
- Netmask of the destination network protected by the SEVPN
- Encryption parameters on the SEVPN (DES, 3DES, SHA, etc.)
- Perfect Forward Secrecy setting

[Figure 7-5: VPN Dynamic Key screen, IPSec Security Association section. Fields shown: Select Security Association (200_to_sevpn; select only if updating or deleting an existing configuration), Update Fields Below (select an SA above first unless adding), Name (200_to_sevpn), Enable/Disable, WAN Port (WAN 1; you must bind the VPN tunnel to a WAN port), PPPoE Session (Session 1; select the PPPoE session to bind the VPN tunnel to), Phase 1 Negotiation (Main Mode / Aggressive Mode), Encryption and Authentication Method (ESP 3DES SHA1), SA Lifetime (minutes), Data Volume Limit (KBytes), Inactivity Timeout (minutes), Perfect Forward Secrecy (Enable/Disable), ID Type (IP Address)]
Static tunnel example (continued)

The two columns are the two ends of the tunnel as shown in the example; note that each side's Incoming SPI is the other side's Outgoing SPI.

Field                                  Endpoint 1                           Endpoint 2
Incoming SPI                           257                                  300
Outgoing SPI                           300                                  257
Encryption and Authentication Method   ESP DES MD5                          ESP DES MD5
Encryption Key                         0x1234567890123456                   0x1234567890123456
Authentication Key                     0x12345678901234567890123456789012   0x12345678901234567890123456789012
Remote Security Gateway Address        2.2.2.2                              1.1.1.1
NetBIOS Broadcast                      Disable                              Disable
Global Tunnel                          Disable                              Disable
Remote Subnet 1 IP                     192.168.0.0                          192.168.100.0
Remote Subnet 1 Mask                   255.255.255.0                        255.255.255.0

To configure a VPN with Dynamic Key

[Figure: VPN Dynamic Key screen, IPSec Security Association section. Fields shown: Select Security Association (select only if updating or deleting an existing configuration), Update Fields Below (select an SA above first unless adding), Name, Enable/Disable, WAN Port (WAN 1; you must bind the VPN tunnel to a WAN port), PPPoE Session (Session 1; select the PPPoE session to bind the VPN tunnel to), Phase 1 Negotiation, Encryption and Authentication Method (AH MD5), SA Lifetime (minutes), Data Volume Limit (KBytes), Inactivity Timeout (minutes), Perfect Forward Secrecy (Enable/Disable), ID Type (IP Address), Phase 1 ID, Gateway Address (enter 0.0.0.0 for a Client-to-Gateway tunnel), ID Type (IP Address; select Distinguished Name for Client-to-Gateway tunnels; leave Phase 1 ID and Shared Secret blank for a Phase 1 Client SA; the Remote Client ID must match a User in the Client List), Pre-Shared Key (for Gateway ...)]
1. In the Host Name field, enter the same host name from your computer. You must enter the host name retrieved from the computer connected to the Internet service.
   Note: The host and domain names are case sensitive.
2. In the Domain Name field, enter the same domain name from the computer that was previously connected to the Internet. @Home customers should enter their full @Home e-mail address in the Domain Name field to access their e-mail server.
3. Enter your Network Adapter Address (MAC) in the Network Adapter Address (MAC) fields. Some ISPs authenticate on the adapter (MAC) address of your Ethernet card to confirm who you are. The Symantec Firewall/VPN might have to mimic your computer's adapter address to connect to your ISP. You must enter the MAC address retrieved from the computer connected to the Internet service.
4. Click Save after entering all information.

To configure for cable modem using DHCP

You may already be connected. The Connection Status is at the top of the Main Setup screen. If it displays Connected, you should be able to browse the Web. If you have a cable modem account and the Connection Status displays Disconnected:
1. Click Main Setup.
2. Go to the Optional Network Settings section of the screen.
3. Enter your network adapter MAC or ISP-supplied host name or domain name.
4. Enter the MAC (see below) or Host/Domain Name in the appropriate fields.
   Note: The host and domain names are case sensitive.
The Symantec Enterprise VPN Client software enables a remote personal computer (PC) to safely send information in a secure tunnel through the Internet to a private network that is protected by the Symantec Firewall/VPN 200R. Symantec Enterprise VPN Client connects the PC to the Symantec Firewall/VPN, which provides secure access to the private network.

To create a secure tunnel, you must configure both ends of the tunnel. One end is the Symantec Firewall/VPN 200R and the other end is the Symantec Enterprise VPN Client. The following sections describe how to configure both end points of the Symantec Enterprise VPN Client to Symantec Firewall/VPN 200R secure tunnel.

Symantec Enterprise VPN Client can also be configured behind the Symantec Firewall/VPN 200R. In a behind-the-Symantec Firewall/VPN configuration, the Symantec Enterprise VPN Client can enable secure tunnels that pass through the Symantec Firewall/VPN 200R to remote gateways. By default, the Symantec Firewall/VPN can multiplex several IPSec pass-through connections over a single IP address.

Note: You cannot connect through an IPSec pass-through connection to a VPN Gateway that has been defined in a VPN tunnel locally.

[Figure 8-1: Symantec Enterprise VPN Client configurations (Symantec Enterprise VPN Client, Symantec Firewall/VPN 200R, Symantec Enterprise VPN Client computer)]

To ensure the safe transmission of data in the tunnels, Symantec Enterprise VPN Client uses a suite o
To configure a password
1. Enter the password.
2. Re-enter the password to verify.
3. Click Save.

If you forget your password, you will have to perform a manual reset (see Chapter 9, Trouble Shooting) or reset the unit through the serial console. Re-flashing the firmware will not reset the password.

Advanced Configuration

Advanced PPPoE

Most users will not need to access this page, since the default settings of the Symantec Firewall/VPN are optimal for most situations and will make PPPoE accounts behave transparently.

[Figure 4-1: Advanced PPPoE screen. Fields shown: WAN Port & Session (WAN Port: WAN 1; PPPoE Session: Session 1; note: leave on Session 1 unless you have a multi-session PPPoE account), Update Fields Below, Connect on Demand (Enable), Idle Time Out (minutes), Static IP Address (only for static ISP accounts), Choose Service (only for ISPs that have additional PPPoE services: Query Services, Select Service), Authentication (User Name, Password, Verify), Save All, Cancel, Clear Log, Manually Connect or Disconnect Your PPPoE Account (Connect, Disconnect)]

To configure Advanced PPPoE

Note: You must be DISCONNECTED in order to use this feature.
1. Select the WAN Port from the WAN Port drop-down list.
2. If you have a multi-session PPPoE account, select the appropriate session from the PPPoE Session drop-down list. Repeat the following steps for each PPPoE session. If you
6. In the Incoming Protocol field, choose either TCP or UDP as the protocol type for receiving (consult the application's support).
7. In the Incoming Port Range fields, enter the Start and Finish ports used by your application when it is receiving data. If one port is used, enter the same number in both fields.
8. Click Add to add a new entry. Click Delete to delete the entry shown and free up Symantec Firewall/VPN memory. Click Update if you have changed the entry shown. Click Clear Form before adding a new entry.

Virtual Servers

Virtual Servers allow you to host any type of standard server (Web, FTP, DNS, Whois, POP3, Finger, SMTP, VPN, News, Gopher, and Telnet) using the Symantec Firewall/VPN. This lets you set up a Web server behind the firewall. External users connect to a domain assigned by the Dynamic DNS feature, or to the modem port IP address, to access a virtual server. The Symantec Firewall/VPN automatically routes the traffic to the appropriate Host IP on the LAN.

Types of Virtual Servers

The Symantec Firewall/VPN supports two types of Virtual Servers:
- Pre-defined: Standard server types. The only data required is the IP Address of the server on your LAN.
- Custom-defined: Non-standard servers. You must provide additional information about the server (TCP or UDP port numbers). This can be done in the Custom Virtual Server screen.

[Figure: Virtual Servers screen (rows for WEB Server, FTP, and other predefined server types, each with a LAN IP address field)]
Address: 192.168.0.1 (the Symantec Firewall/VPN's IP Address)

For Router B's Default Route:
Destination IP Address: 0.0.0.0
Subnet Mask: 0.0.0.0
Gateway IP Address: 192.168.1.30 (the Symantec Firewall/VPN's local router)

Host IP and Group

This screen lets you assign Static IPs, define the access group (see Access Filters), and bind multiple PPPoE sessions to individual hosts on the LAN. Static IPs (reservations in the Symantec Firewall/VPN's DHCP table) should be assigned for all Virtual Servers, laptops (to avoid IP conflicts when their cards sleep), and printers connected directly to the LAN.

On the Symantec Firewall/VPN Model 200s you can bind a Host to a specific WAN port. This prevents the Host from using both WAN ports when dual Broadband connection binding is in effect. This is useful for servers or applications that must always be on a specific IP. The default is Disabled.

Select Host

If you have previously made an entry to this screen and you want to Update or Delete it, you must first select it from the drop-down list and then click Update Fields Below to access its settings. Otherwise, if adding a new entry, do not select from the menu, or click Clear Form before adding a new entry.

[Figure: Host IP & Group screen. Fields shown: Host Network Identity (Select Host: select only if updating or deleting; Update Fields Below: select host above first unless adding; Host Name; Network; MAC Address), Host Settings (check, then enter IP bel...)]
[Figure 1-5: Example of the user interface for Symantec Firewall/VPN 100 (items shown: Domain Name, Backup Analog/ISDN, Network Adapter MAC Address, Log Settings, Expert Level; note: don't change unless needed by your ISP; Save, Cancel, Refresh)]

Installation Prerequisites

The Symantec Firewall/VPN package contains the following:
- The Symantec Firewall/VPN unit
- A 2 m (6.5 ft) CAT5 grade Ethernet cable
- CD with User Manual, utilities, and Symantec Enterprise VPN Client (200R only)
- 9v DC, 1000 mA power adapter
- Quick Start Card

Network requirements

You will need the following to use the Symantec Firewall/VPN:
- A cable or DSL Internet account, or other network connection
- A cable or DSL modem, or other network device with an RJ45 Ethernet 10BaseT compatible connection. This is usually available from your ISP upon request.
- An Ethernet 10BaseT or 100BaseT compatible network card on the computer(s) you want to connect to the Firewall/VPN
- A standard Web Browser
- TCP/IP Network Protocol. This is usually already installed in your computer and is a part of all modern operating systems.
- UTP CAT5 grade cabling with RJ45 connectors to connect computers to the Symantec Firewall/VPN (1 cable included)

Cautions and warnings

- Follow all warnings, notes, and instructions marked on the Symantec Firewall/VPN.
- To protect the unit from overheating, make sure it is not blocked or covered.
- Do not use or store the Symantec Fi
Firewall/VPN 200R for a dynamic tunnel to Symantec Enterprise VPN Client
1. From the Symantec Firewall/VPN 200R Main Menu, select Client Identity.

[Figure 8-3: Client Identity screen. Fields shown: User Identity (Select User: select only if updating or deleting current users; Update Fields Below: select user above first unless adding; Enable; User Name: must match the Client ID offered by the remote VPN client; Pre-Shared Key); buttons Add, Delete, Update Entry, Clear Form, Cancel; table columns Name, Enable, Pre-Shared Key]

2. Under User Identity, click Enable.
3. In the User Name field, enter a user name.
4. In the Pre-Shared Key field, enter your pre-shared key.
5. The pre-shared key must be between 20 and 64 characters.
6. Click Add.
7. From the Symantec Firewall/VPN 200R Main Menu, select VPN Dynamic Key.
8. Under IPSec Security Association, in the Name field, enter a descriptive name.
9. Click the Enable radio button to enable the security association.
10. In the Phase 1 Negotiation field, click the Aggressive Mode radio button.
11. In the Encryption and Authentication Method list, select a method. This method must match the encryption and authentication method you use when configuring the Symantec Enterprise VPN Client end of the tunnel.

[Figure: VPN Dynamic Key screen, IPSec Security Association section (Select Security Association: select only if updating or deleting an existing configuration; Update Fields Below: sele...)]
Symantec Enterprise VPN Client, as entered on the Symantec Enterprise VPN Client VPN Policy Timeouts tab.
In the Inactivity Timeout field, enter the inactivity timeout in minutes. The Inactivity Timeout value should match that of the Symantec Enterprise VPN Client, as entered on the Symantec Enterprise VPN Client VPN Policy Timeouts tab.
In the Perfect Forward Secrecy field, click the Enable radio button.
Under Remote Security Gateway, in the Gateway Address field, enter 0.0.0.0.
In the ID Type field, select Distinguishing Name. You do not need to enter a Phase 1 ID, because the Symantec Firewall/VPN automatically searches its database for a matching user ID.
Click Add. The Symantec Firewall/VPN 200R endpoint of the tunnel is now configured.

Configure Symantec Enterprise VPN Client for a Dynamic tunnel to Symantec Firewall/VPN 200R

The following table outlines the steps required to configure Symantec Enterprise VPN Client for a Dynamic Tunnel to the Symantec Firewall/VPN 200R. See the Symantec Enterprise VPN Client Administrator's Guide for more information.

Table 8-1: Symantec Enterprise VPN Client configuration

Symantec Enterprise VPN Client Configuration Steps | Configuration Guide Chapter/Section | Subsection
1. Launch Symantec Enterprise VPN Client | Getting Started |
2. Create a new Gateway | Managing Gateways | Adding a Gateway
3. Enter the Outside Address or the ... | Managing Gateways | Addin
THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC OR ITS LICENSORS BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT, OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE, EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO CASE SHALL SYMANTEC'S OR ITS LICENSORS' LIABILITY EXCEED THE PURCHASE PRICE FOR THE APPLIANCE. The disclaimers and limitations set forth above will apply regardless of whether you accept the Software or the Appliance.

5. U.S. Government Restricted Rights

RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are "Commercial Items," as that term is defined in 48 C.F.R. section 2.101, consisting of "Commercial Computer Software" and "Commercial Computer Software Documentation," as such terms are defined in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. section 227.7202, as applicable. Consistent with 48 C.F.R. section 12.212, 48 C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 through 227.7202-4, 48 C.F.R. section 52.227-14, and other relevant sections of the Code of Federal Regulations, as applicable, Sym
  Expert Level Advanced Features section fields 4-27
    Allow IDENT Port 4-27
    NAT Function 4-27
    RIP V2 4-27
    Log Level 4-27
    IPSEC Type 4-27
    Language 4-27
  Expert Level SNMP Trap Receiver section fields 4-28
  Expert Level Remote Access IP Range section fields 4-28
  Allow Remote Upgrade 4-28
Configuring Virtual Private Networks (VPN)
  To configure a VPN using Static Key 5-3
  To update a VPN configuration using Static Key 5-5
  To delete a VPN configuration using Static Key 5-5
  Static tunnel example 5-6
  To configure a VPN with Dynamic Key 5-8
  To update a VPN configuration using Dynamic Key 5-11
  To delete a VPN configuration using Dynamic Key 5-11
  Dynamic tunnel example 5-12
  VPN Client Identity 5-14
Utilities
  Backup Analog/ISDN 6-1
  Serial configuration console
correctly. Please refer to the software manufacturer's web site for information about using their application with firewalls. If you still have a problem, you can use the Exposed Host function. This should work with almost every application, but it is a security risk, since the firewall is disabled for the exposed PC. Only one (1) PC can use this feature. When the Exposed Host feature is being used, the Special Applications and Virtual Server features should be disabled.

Problem 4: PPPoE will not authenticate

Solution: PPPoE needs to be set up properly, or you may need to upgrade your firmware. Below are some known issues:
- Please remember to click Save after entering all your options in the PPPoE setup screen.
- User name and Password need to be exactly as your provider requires (Upper Case / Lower Case).
- A service name suffix may be needed to connect. Check with your provider to make sure that you are using the correct username and password along with any suffixes that may be required. You can try using your user name plus the @ sign and the domain extension of your service provider. Example: John@sympatico.ca. If your provider supports services, the Get Services button on the Advanced PPPoE screen will provide the same effect without the need for the suffix.

Firmware Upgrades

The Symantec Firewall/VPN does its job by following a set of instructions that are coded into its permanent memory. These instructions are c
determine whether that WAN connection is functioning or not, even if traffic is idle on the WAN (needed for backup activation). Every 20 seconds the unit pings the ISP's gateway or DNS to see if it is connected. Normally this is fine, except that some ISPs prevent pings to their gateways. Enter a www or IP address into this field for an additional ping test if the gateway does not respond (do not use the http:// prefix). Test by pinging manually first. Not used for PPPoE.

To configure Backup Analog/ISDN
1. Under Backup, check the Enable check box. When enabled, the Symantec Firewall/VPN connects automatically when broadband disconnects.
2. Under Connection, in the Internet Access fields, check the Normal, or ISDN or Analog Only (no Broadband), check boxes to identify your connection type.
3. Click Hang Up or Dial to manually disconnect from or connect to your ISP analog account.
   Note: Always click Save after altering settings.
4. Under ISP Account Information, enter your Analog/ISDN ISP account information:
   a. In the User Name field, enter your Analog/ISDN ISP account user name.
   b. In the Password field, enter your Analog/ISDN ISP account password.
   c. In the Verify field, re-enter your Analog/ISDN ISP account password.
   d. In the IP Address field, enter your IP Address. Consult your ISP for the IP address.
   e. In the Dial-up Telephone 1 field, enter your ISP's dial-up number as a continuous string without any spaces or dashes. You can enter up to 3 phone
for standard dynamic Internet accounts, or accounts where a DHCP server gives out the information. You can override and enter your own settings for any Internet account.
5. Click Save after entering all information.

DNS Gateway section

The DNS Gateway is an optional DNS Server providing local and remote name resolution over VPNs. All DNS requests will be forwarded to the IP address you enter in the DNS Gateway IP field. If the internal DNS server is down, the unit can be configured to forward all DNS requests to the ISP's DNS servers.

Status

The Status screen displays the current status and configuration of the Firewall/VPN.

[Figure 3-3: Status screen. Sections shown: WAN 1 External Port (Connection Status, Network Mask, IP Address, Physical Address, Gateway, DHCP Client, DNS IP Address(es)); WAN 2 External Port (same fields); LAN Internal Ports (IP Address, Physical Address, Network Mask, DHCP Server); Firmware Version; Exposed Computer; Network Address Translation; Special Applications; Virtual Servers; Hardware ID; Refresh Screen]

Physical Address is the MAC address of the Firewall/VPN (both LAN and WAN). If you have trouble accessing the Internet, confirm that you have a WAN IP address. If you do, there might be a DNS or other problem at your ISP. In any case, have this screen handy when calling Symantec Support.

LAN
information. The Symantec Firewall/VPN always assigns an IP address for the DNS server (192.168.0.1 by default) unless static DNSs are set. This is normal, as the Symantec Firewall/VPN will take care of DNS requests sent to the ISP.

You can disable the DHCP server in the Firewall/VPN. This is useful if you already have a DHCP server on your network, or if the computers on your LAN have Static IPs entered into their network properties. For example, if you have a web server on your site, you will want to assign it a static address.

The DHCP Range shows the range of IP addresses you want given out by the DHCP server. The DHCP Table lists all the hosts in the Firewall/VPN's DHCP server and their properties. If you make any changes, click Save after entering all information.

Config Password

This password protects the Symantec Firewall/VPN's Web interface by asking for authentication when accessing the unit. It is recommended that you set a password when working in an office environment to prevent possible reconfiguration. You should always have a password when enabling remote configuration (see the Expert Level screen). In addition, Symantec recommends that the unit be externally (remotely) managed only through a VPN Tunnel.

[Figure 3-5: Config Password screen. Fields shown: Interface Authentication (User Name is always admin; Password; Verify); Save, Cancel]

Note: The User Name is always admin when logging into the Firewall/VPN.
  ... not authenticate 9-2
Firmware Upgrades
  To upgrade firmware 10-2
Index

Product Overview

The Symantec Firewall/VPN appliance family of products addresses the complete set of needs for a small office, remote office, branch office, or small business to easily and securely get networked and connected to an Internet Service Provider or central office.

The Symantec Firewall/VPN appliance protects your computers from intrusion. The Firewall feature makes your network invisible from the outside, and it turns away all unauthorized external requests for information from your network.

The Symantec Firewall/VPN also offers a complete Turnkey VPN solution. You can enable your company to communicate securely using the Internet as your own private corporate network. This allows telecommuters, remote offices, trusted partners, and vendors to access your servers while maintaining the security you and your users require. The Symantec Firewall/VPN is designed for small or remote offices connected by DSL, T1 lines, or cable modems.

The Symantec Firewall/VPN also allows you to share your high-speed broadband Internet connection with more than one computer. You can use it to network all of your office's PCs, printers, and servers quickly and easily to create a local area network. Unlike other similar home office products, this family of products provides advanced capabilities needed by busi
numbers to dial if the first are busy.
5. Under Modem Settings, enter your modem information:
   a. From the Modem drop-down menu, select your modem type. Consult your modem's user manual for the best settings. Several modems are predefined. If your modem isn't listed, you'll need to select Others and enter an initialization string for your modem. If you do not know what to enter for an initialization string, consult your modem company.
   b. From the Line Speed drop-down menu, select your ISP connection's line speed. If you have trouble connecting, lower the line speed.
   c. From the Line Type drop-down menu, select your line type. Line type is usually Dial Up, but select Leased Line if this is your setup.
   d. Dial Type and Strings: Do not change these settings unless you do not have tone dial. Consult your modem manual if you want to change dial strings.
   e. In the Idle Time Out field, enter the inactivity time in minutes if you wish to automatically disconnect from your Analog/ISDN account after a period of inactivity. Enter 0 to leave the modem always on.

Analog Status provides information useful for technical support should there be a problem with your PPP Analog/ISDN connection.

Serial configuration console

The Symantec Firewall/VPN can be configured or reset through the Serial port, using the included Null Modem Cable connected to the COM port of a computer. This configuration console is very useful for installing the Symantec Firewal
trouble connecting to your ISP.

Dynamic DNS Service

Dynamic DNS Service is a way for people outside to connect to your computers using a domain name, even when you have a dynamic IP account from your ISP (your IP address changes from time to time). If you set up a Virtual Web Server, people will always be able to access it by entering your domain name (for example, www.mydyndns.com).

[Figure 4-2: Dynamic DNS Service screen. Fields shown: Account Information (Enable; WAN Port: WAN 1; User Name; Password; Verify; Server; Host Name), Optional Settings (Wildcards; Backup MX; Mail Exchanger; Force DNS Update: Update; note: do not use unless required, the service will be automatically updated only when needed), Save, Cancel]

The Symantec Firewall/VPN contacts a Dynamic DNS service every time your IP changes and updates it automatically. The Dynamic DNS service then updates DNS servers throughout the world. Dynamic DNS services are available for pay and for free. The Dynamic DNS client in the Symantec Firewall/VPN is compatible with most standard services.

To configure Dynamic DNS

The information for the client fields in the following process should be obtained from your ISP.
1. Click Enable.
2. Select your WAN Port from the WAN Port drop-down list.
3. Enter your Basic Settings. This is your account information. Enter it exactly as given to you by the service.
4. Click Save.

Optional Dynamic DNS settin
useful if you already have a NAT device on your network and are using the Symantec Firewall/VPN as a PPPoE dial-up device only. You must have routing entries made in the routing table, or be using RIP2, for proper communication with NAT disabled.

RIP V2: Lets you enable RIP2 functionality of the unit. RIP2 is a dynamic routing protocol used to direct traffic over routed networks.

Log Level: Choosing Debug will give more detailed information in the status log that is useful for Symantec support. It also throws all WAN-side packets into the LAN for easy port scanning. Keep this setting at user level unless needed, as Debug mode can cause collisions under heavy traffic loads.

IPsec Type: IPsec pass-through is implemented automatically by the Symantec Firewall/VPN. Keep at 2 SPI unless instructed by Symantec support. None lets you use your VPN client in Exposed Host (DMZ) mode if you are having problems connecting from behind the Symantec Firewall/VPN.

Language: You can choose one of the available languages for the user interface by checking the check box next to the language.

Expert Level SNMP Trap Receiver section fields

Sets the IPs to receive the trap alerts from the unit.

Expert Level Remote Access IP Range section fields

The Symantec Firewall/VPN's web interface can be accessed remotely from a range of IP addresses. For security reasons, Symantec recommends that all external remote management be done through a VPN tunnel. When usin
value is 1.

Other routers on the local LAN

Other routers on the local network must use the Symantec Firewall VPN's local router as the default route. The entries will be the same as the Symantec Firewall VPN's local router, with the exception of the Gateway IP Address. For a router with a direct connection to the Symantec Firewall VPN's local router, the Gateway IP Address is the address of the Symantec Firewall VPN's local router. For routers that must forward packets to another router before reaching the Symantec Firewall VPN's local router, the Gateway IP Address is the address of the intermediate router.

Figure 4 4 Routes example (Firewall VPN 192.168.0.1 on Segment 0, 192.168.0.XX; Router A 192.168.0.100 / 192.168.1.30 to Segment 1, 192.168.1.XX, with a computer at 192.168.1.90; a second router 192.168.1.240 / 192.168.2.248 to Segment 2, 192.168.2.XX, with a computer at 192.168.2.70)

For the LAN shown above, with two routers and three LAN segments, the Symantec Firewall VPN's Routing Table requires two entries, as follows:

Entry 1 (Segment 1)
Destination IP Address 192.168.1.0
Subnet Mask 255.255.255.0
Gateway IP Address 192.168.0.100
Metric 1

Entry 2 (Segment 2)
Destination IP Address 192.168.2.0
Subnet Mask 255.255.255.0
Gateway IP Address 192.168.0.100
Metric 2

For Router A's Default Route
Destination IP Address 0.0.0.0
Subnet Mask 0.0.0.0
Gateway IP
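The routing table from the Routes example above, worked through as an added example (not code from the manual or the unit). It loads the two entries the manual lists, adds the unit's own LAN and a WAN default route (both assumptions made so the table is complete), and shows which gateway the unit picks for hosts on each segment. The lookup rule used, most specific mask first and then lowest metric, is the standard one and is not something the manual spells out.

```python
"""Longest-prefix-match lookup over the manual's Routes example table.

Added example, not the unit's code. Entries 1 and 2 are the manual's; the
directly connected LAN route and the WAN default route are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str   # network address, e.g. "192.168.1.0"
    mask: str          # dotted subnet mask, e.g. "255.255.255.0"
    gateway: str       # next hop on the unit's LAN ("WAN" = out the WAN port)
    metric: int        # hop count to the destination

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.destination}/{self.mask}")


UNIT_LAN_IP = "192.168.0.1"
ROUTING_TABLE: List[Route] = [
    Route("192.168.1.0", "255.255.255.0", "192.168.0.100", 1),  # Entry 1, Segment 1
    Route("192.168.2.0", "255.255.255.0", "192.168.0.100", 2),  # Entry 2, Segment 2
    Route("192.168.0.0", "255.255.255.0", UNIT_LAN_IP, 0),      # Segment 0, directly connected (assumed)
    Route("0.0.0.0", "0.0.0.0", "WAN", 1),                      # default route (assumed)
]


def lookup(dst_ip: str, table: List[Route] = ROUTING_TABLE) -> Optional[Route]:
    """Best matching route for dst_ip, or None if nothing matches.

    Longest prefix wins; among equal prefix lengths the lowest metric wins.
    """
    addr = ipaddress.IPv4Address(dst_ip)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hop(dst_ip: str, table: List[Route] = ROUTING_TABLE) -> str:
    """Gateway the unit forwards dst_ip to, or "unreachable"."""
    route = lookup(dst_ip, table)
    return route.gateway if route else "unreachable"


if __name__ == "__main__":
    for host in ("192.168.1.90", "192.168.2.70", "192.168.0.100", "10.0.0.5"):
        print(host, "->", next_hop(host))
```

Note that both Segment 1 and Segment 2 traffic leaves the unit via Router A (192.168.0.100); Router A, not the unit, is what forwards Segment 2 packets on to the second router, which is why the unit's Entry 2 carries the higher metric.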
0 3500 externally.
6. Click Add to add a new entry, or one of the following: Click Delete to delete the entry shown and free up Symantec Firewall VPN memory. Click Update if you have changed the entry shown. Click Clear Form before adding a new entry.

Exposed Host DMZ

This screen lets you define a custom server accessible from the outside by the Symantec Firewall VPN's external WAN IP address. The unit redirects all requests not explicitly allowed by a virtual server rule to the exposed host, that is, to the internal local IP address you enter on this screen. You should first check the Virtual Servers screen to make sure your server is not already predefined. For security reasons, make sure the exposed machine is locked down to prevent illegal access and compromise of the system.

Caution: This feature allows one (1) computer to have unrestricted 2 way communication with Internet servers or users. This is useful for hosting games or special server applications. Because of the security risk, this feature should be activated only when required.

Figure 4 11 Exposed Host DMZ (fields: LAN IP Address, WAN Port, PPPoE Session, DHCP Client Enable/Disable; Note: reserve the IP in Host IP & Group if used often; buttons: Save, Cancel)

To configure an Exposed Host
1. Enter the LAN IP address of the host PC you want to Expose.
2. Select the WAN Port from t
... 6 4
Manual reset 6 6
Configuration backup 6 7
View Log 6 8
Log Settings 6 8
Configuring the Symantec Firewall VPN to the Symantec Enterprise VPN
Static tunnel 7 2
Symantec Firewall VPN Static tunnel configuration 7 3
SEVPN Static tunnel configuration 7 6
Dynamic tunnel 7 7
Symantec Firewall VPN Dynamic tunnel configuration 7 7
SEVPN Dynamic tunnel configuration 7 10
Connecting to Symantec Enterprise VPN Client
Configuring Symantec Enterprise VPN Client with Symantec Firewall VPN 200R 8 2
Configure Symantec Firewall VPN 200R for a dynamic tunnel to Symantec Enterprise VPN Client 8 3
Configure Symantec Enterprise VPN Client for a Dynamic tunnel to Symantec Firewall VPN 200R 8 7
Trouble Shooting
Problem 1 Can not connect to the Symantec Firewall VPN to configure it 9 1
Problem 2 When I enter a URL or IP address I get a time out error 9 1
Problem 3 Some applications do not run properly when using the Firewall VPN 9 2
Problem 4 PPPoE will
IP and DHCP

Caution: DO NOT change these settings unless needed by your network. If you do, you may lose connectivity with the Firewall VPN, requiring a manual reset to defaults.

Figure 3 4 LAN IP and DHCP screen (UNIT LAN IP: IP Address, Network Mask; DHCP Server: Enable/Disable, Range Start IP, Range End IP; buttons Save, Cancel; DHCP Table: Host Name, IP Address, Physical Address, Status)

UNIT LAN IP

The Unit LAN IP is the IP Address of the Symantec Firewall VPN on your LAN; your hosts see it as their default Gateway.

Caution: If you change this and click Save, YOU WILL NOT BE ABLE TO ACCESS THE SYMANTEC FIREWALL VPN UNLESS YOU REBOOT (release and renew your host IP), because the unit's IP address, network mask and default gateway have just changed.

The combination of the IP address and network mask determines the destination subnet for the packets. This information is required for properly routing packets through an IP network. Custom ISP accounts might require a change; otherwise leave it at its default of 255.255.255.0 (Class C network).

DHCP

The DHCP server in the Firewall VPN, enabled by default, serves IP addresses and DNS information to up to 253 computers connected to it. For this to work your computers must be set to Obtain IP Automatically or Obtain from DHCP Server in the control panel (see Configuring your computer on page 2 5 for more
Off if not connected.

Figure 3 1 Firewall VPN 200 Symantec Main Setup screen (Obtain IP & DNS Automatically: Enabled, unless Static IP is set; Note for DHCP connections: Alive Indicator Site IP or URL; PPPoE: Enabled, only for use with PPPoE connections, User Name, Password, Verify Password; Optional Network Settings: Host Name, Domain Name, Network Adapter MAC Address)

The Main Setup screen is the first screen you see when you browse to the Symantec Firewall VPN. It contains the basic settings fields needed to get you up and running on the Internet. This screen is used to configure both WAN Port 1 and WAN Port 2.

The Connection Status section at the top of the screen indicates whether you are Connected, Connecting (when dialing PPPoE), or Disconnected.

To configure using the Symantec Firewall VPN 200 Main Setup screen

1. If the Main Setup screen is not displayed, click Main Setup on the Main Menu. The Main Menu is always displayed on the left side of the User Interface.
2. Do one of the following:
- If you are using an ISP account whose IP address is provided automatically by a DHCP server, click the Enable radio button in the Obtain IP & DNS Automatically section. This radio button is enabled by default and applies to most Cable accounts. It should connect you immediately (Connection Status mode Normal) if you have such an account. If it does not, click the
Reset button on the Firewall VPN. If you still do not connect, you may need to change the Network Adapter MAC address. For more information, see Required by Optional Network Settings section on page 3 5.
- If you have a Static IP Internet account, or are using the Symantec Firewall VPN internally or on another network, leave this setting Enabled. Then enter the Static IP information using the Static IP & DNS screen, as described in Static IP and DNS on page 3 7.
- If you have a PPPoE Internet Account, click the Enable radio button in the PPPoE section. You are likely to be using PPPoE if you previously used dial up software on your computer with a username and password to establish your connection through a DSL modem. The Symantec Firewall VPN will dial for you, so you should disable or uninstall the dial up software. You must also:
a. Enter the user name given to you by the ISP.
b. Enter and verify the password given to you by the ISP.
You should connect in a moment. You might have to reboot your computer to update its IP information to access the Internet. If you have trouble, verify that your PPPoE user name and password are correct.

Required by Optional Network Settings section

Some ISPs require additional information for authentication. If you have trouble connecting, you can enter that information in the Required by Some Service Providers section of the Main Setup screen.

To configure the Optional Network Settings fields
1
Figure 7 3 VPN Static configuration screen (fields include Remote Subnet 2 to 5, each with a Mask; buttons: Add, Delete, Update Entry, Clear Form, Cancel)

Initially the screen you see should be blank, with a few of the defaults entered. In order to properly configure a static tunnel you will need the following information from the SEVPN:
- Gateway IP address of the SEVPN
- Destination network protected by the SEVPN
- Netmask of the destination network protected by the SEVPN
- Local SPI
- Remote SPI
- Encryption parameters on the SEVPN (DES, 3DES, SHA1, etc.)
- Privacy Algorithm Key
- Integrity Algorithm Key

To configure the tunnel
1. In the Name field, enter a new name for this tunnel.
2. Check Enable.
3. Select the WAN Port you want to bind the VPN tunnel to.
4. Select the PPPoE Session you want to bind the tunnel to.
5. Set the Incoming SPI to match the Remote SPI from the SEVPN.
6. Set the Outgoing SPI to match the Local SPI from the SEVPN.
7. Select the Encryption and Authentication Method to match the parameters from the SEVPN.
8. Set the Encryption Key to match the Privacy Algorithm Key from the SEVPN. If you are using 3DES, you will need to append together the three keys from the SEVPN to form one key.
9. Set the Authentication Key to match the Integrity Algorithm Key on the SEVPN.
10. Set the Gateway Address to be the Gateway Address of the SEVPN.
11. Check Disable for NetBIOS Broadc
Symantec Firewall VPN 100 200 200R Models Installation and Configuration Guide
October 2001
Symantec

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Copyright Notice
Copyright 1998 2001 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation.

NO WARRANTY. The technical documentation is being delivered to you AS IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd, Cupertino, CA 95014.

Trademarks
Microsoft, MS DOS, Windows and Windows NT are registered trademarks of Microsoft Corporation. IBM, OS 2 and OS 2 Warp are registered trademarks of International Business Machines Corporation. Novell and NetWare are registered trademarks of Novell Corporation. 3Com and EtherLink are registered trademarks of 3Com Corporation. Compaq is a registered trademark of Compaq Corporation. Zip and Ja
VPN.
2. Flip DIP switches 1 and 2 to the ON position (DOWN).
3. Put the power plug back into the Symantec Firewall VPN.
4. Open up a DOS prompt by clicking Start, then Run. Type command and click OK.
5. CD to your temp folder with the firmware and the nxtftp command.
6. Type nxtftp 192.168.0.1 PUT <firmware name> and press Enter.
7. After a few moments you should see a success message. If not, reboot your computer and try again.
8. Return the DIP switches to their normal positions.

Index

A
Access Filters 4 12
Advanced PPPoE 4 1
Aggressive Mode 5 9, 5 10
Alive Indicator 6 3
Analog ISDN 6 3
Authentication Key 5 4
Automatic Backup 6 1

B
Backup Analog ISDN 6 1
Backup Active LED 1 6
Backup Analog ISDN 6 3

C
Configuration Back Up 6 7
Configuration Interface 1 7
Custom Virtual Server 4 20

D
DHCP 1 2
DHCP server 3 11
Dial Up Back Up 1 2
DIP Switch 1 7
Disconnect on hang up 8 3
DNS Gateway 3 8
DNS Server 3 8
Dynamic DHCP 6 3
Dynamic DNS 4 4
Dynamic DNS Service 4 4
Dynamic IP DHCP Internet Account 2 3

E
Echo Request Timeout 4 26
Encryption Key 5 4
Encryption Method 5 4
Error Indicator LED 1 6
Ethernet cable 2 1
Expert Level 4 24
Exposed Host 4 23

F
firmware upgrade 10 1
Full Duplex 1 6

G
Gateway, adding 8 7
Gateway, downloading from 8 3

H
High Availability 1 2
Host IP and Group 4 11

I
IDENT Port 4 27
Idle Renew DHCP 4 26
Inactivity timeout 8 3
Incoming SPI 5 4
International Symbols 1
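What the PUT in the firmware upgrade procedure actually puts on the wire, as an added example that is not the nxtftp utility and not code from the manual. It builds the TFTP (RFC 1350) write request in octet mode, which is the "binary option" the manual tells non Windows users to set, splits a firmware image into 512 byte DATA blocks and checks the ACKs. The image bytes are constructed; sending the packets over UDP port 69 is left to the caller. TFTP has no authentication at all: the DIP switch position is the only thing gating a firmware write, so this must only ever be done from the directly connected LAN.

```python
"""TFTP (RFC 1350) framing for a binary-mode firmware PUT.

Added example, not the nxtftp tool or the unit's code. Sample image bytes
below are constructed for the example.
"""
import struct
from typing import Iterator, Tuple

OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5
BLOCK_SIZE = 512


def build_wrq(filename: str, mode: str = "octet") -> bytes:
    """WRQ packet: opcode 2, filename, NUL, mode, NUL. 'octet' is binary mode."""
    if mode not in ("octet", "netascii"):
        raise ValueError("mode must be octet or netascii")
    return (struct.pack("!H", OP_WRQ) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")


def data_blocks(image: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (block_number, DATA packet) for the image. Block numbers start at 1.

    The receiver treats a block shorter than 512 bytes as the end of the file,
    so an image whose size is an exact multiple of 512 needs a final empty
    block; otherwise the unit would wait for more data forever.
    """
    n = 0
    for off in range(0, len(image), BLOCK_SIZE):
        n += 1
        yield n, struct.pack("!HH", OP_DATA, n & 0xFFFF) + image[off:off + BLOCK_SIZE]
    if len(image) % BLOCK_SIZE == 0:
        n += 1
        yield n, struct.pack("!HH", OP_DATA, n & 0xFFFF)


def parse_ack(packet: bytes, expected_block: int) -> bool:
    """True if packet is the ACK for expected_block; raise on a TFTP ERROR packet."""
    if len(packet) < 4:
        return False
    opcode, block = struct.unpack("!HH", packet[:4])
    if opcode == OP_ERROR:
        msg = packet[4:].split(b"\0", 1)[0].decode("ascii", "replace")
        raise RuntimeError(f"TFTP error {block}: {msg}")
    return opcode == OP_ACK and block == (expected_block & 0xFFFF)


def block_count(image: bytes) -> int:
    """Number of DATA packets a PUT of image needs, including the empty final one."""
    return sum(1 for _ in data_blocks(image))


if __name__ == "__main__":
    image = b"\x7fFW" + bytes(range(256)) * 4       # constructed 1027-byte "firmware"
    print(build_wrq("firmware.bin"))
    print(block_count(image), "DATA blocks")        # 3: 512 + 512 + 3 bytes
    last_block, last_pkt = list(data_blocks(image))[-1]
    print("final block", last_block, "carries", len(last_pkt) - 4, "bytes")
```

A client loop sends the WRQ, waits for ACK block 0, then sends each DATA block and waits for the matching ACK before the next; the sequence check in parse_ack is what stops a late or duplicated ACK from advancing the transfer.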
You can obtain this information from your ISP.

Connecting the cables

It is strongly recommended that you install your Symantec Firewall VPN with only one computer directly connected to it at first. This will greatly simplify any troubleshooting during installation. After the install is successful with a single computer, you can then add additional computers and/or hubs to the Symantec Firewall VPN. The following installation assumes this simple network setup.

Figure 2 1 Symantec Firewall VPN 200 front panel (Modem WAN ports, LAN ports, LAN Link LEDs, 10BaseT ports)

Figure 2 2 Symantec Firewall VPN 200 back panel (9v DC power input, power switch)

To connect the cables
1. Insert the 9v DC 1000 mA power adapter that was included with the Symantec Firewall VPN and plug it into an electrical outlet. Make sure to ONLY use the adapter that came with the unit.
2. Remove the cable that came with your modem from your computer (if applicable) and insert the free end into the modem WAN port of the Symantec Firewall VPN. You should see the WAN link light illuminate green. If not, check that you are using the same cable that came with the modem. For the Symantec Firewall VPN 200, repeat this step for each additional modem port with a separate modem or connection; you can mix cable, DSL or routed connections on the two modem ports.
You should see a green link light on the corresponding LAN LED. If not, confirm that your compu
able for NetBIOS Broadcast.
12. Check Disable for Global Tunnel.
13. Set Destination Network 1 Network to the destination network protected by the SEVPN.
14. Set Mask to the netmask of the destination network protected by the SEVPN.
15. Click the ADD button to add the new tunnel to the system.

The tunnel should now be operational on both ends. You should verify this by opening up a DOS command line and pinging a running machine on the remote network. There will be a small delay and the initial ping response will time out; this period of time is when the keys are being exchanged between both ends of the tunnel.

SEVPN Dynamic tunnel configuration

The following table is a brief list of the steps to configure the SEVPN.

Table 7 2 SEVPN Dynamic tunnel configuration steps

Configuration Step | Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration Guide Chapter
Create a Security Gateway for the SEVPN | Defining Security Gateways
Create a Subnet for the Local Network | Defining Subnet Entities
Create a Security Gateway for the Symantec Firewall VPN appliance | Defining Security Gateways
Create a Subnet for the remote network | Defining Subnet Entities
Create a Secure Tunnel, making sure to select one of the static policies, configure the keys and set the SPIs | Configuring Secure Tunnels and Configuring an IPsec Static VPN Policy

Connecting to Symantec Enterprise VPN Client
called Firmware. The Firmware contains all of the features and functionality of the Firewall VPN. Firmware upgrades are available from Symantec's home page. Your current firmware version number is available from the Status interface screen. If it is older than the firmware on the website, you can download that firmware to update your Symantec Firewall VPN.

The following procedure assumes you have the unit on its default IP of 192.168.0.1. Replace the IP in the instructions below if you have changed this.

Performing a firmware upgrade might erase your configuration settings. This is usually not the case, but certain firmwares could have this effect. Please take note of your settings before upgrading the firmware. You should not use a configuration backup file from an older firmware to restore your settings.

To upgrade you will need the firmware you downloaded from Symantec's website and the nxtftp utility, which is available on the CD in the Utilities folder (there is both a Windows and a DOS command there; we will use the DOS command here). Put both the new firmware and the nxtftp utility into a temp folder on your hard drive.

Note: If you have a computer other than Windows, you can use that computer's TFTP command (set to the binary option) to perform this same procedure. TFTP is fairly universal and is available on Macintosh, Unix, Linux, etc.

To upgrade firmware
1. Power off the unit by pulling the adapter plug from the back of the Firewall
antec Firewall VPN. The Main Menu of the Management Configuration is located on the left side of the screen at all times. The Symantec Firewall VPN 100 and 200 have slightly different interfaces because the 200 has two WAN modem ports and each WAN port can have different configurations. The 100 has one WAN modem port.

To start the User interface
1. Start your browser. If you have proxy settings on your browser, clear them now. If you do not know how to clear proxy settings, see the instructions that follow.
2. Type http://192.168.0.1 into the address bar of your browser.
3. Press the Enter key on your keyboard. The Symantec Firewall VPN Main Setup screen displays, as shown in Figure 3 1 on page 3 3.

To clear Proxy settings on your Internet Explorer Browser
1. Choose Tools > Internet Options.
2. Click the Connections tab.
3. Click LAN Settings.
4. Remove all checks from all the boxes and click OK.
5. Click Never Dial a Connection.
6. Click OK.

To clear Proxy settings on your Netscape Browser
1. Choose Edit > Preferences.
2. Click Advanced.
3. Click Proxies.
4. Click Direct Connection to the Internet.

Basic configuration

The following sections provide an overview of the basic tasks for configuring your Symantec Firewall VPN. Each screen in the user interface has a separate section that describes its functions. Use the Main Setup screen to set your initial connection or modify your connection parameters at an
38. antec s computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users according to the terms and conditions contained in this license agreement Manufacturer is Symantec Corporation 20330 Stevens Creek Blvd Cupertino CA 95014 6 Export Regulation You agree to comply strictly with all applicable export control laws including the US Export Administration Act and its associated regulations and acknowledge Your responsibility to obtain licenses as required to export re export or import the Appliance Export or re export of the Appliance to Cuba North Korea Iran Iraq Libya Syria or Sudan is prohibited 7 General If You are located in North America or Latin America this Agreement will be governed by the laws of the State of California United States of America Otherwise this Agreement will be governed by the laws of England This Agreement and any related License Module is the entire agreement between You and Symantec relating to the Appliance and i supersedes all prior or contemporaneous oral or written communications proposals and representations with respect to its subject matter and ii prevails over any conflicting or additional terms of any quote order acknowledgment or similar communications between the parties This Agreement may only be modified by a License Module or by a written document which has been signed by both You and S
ared key. The pre shared key must be between 20 and 64 characters.
5. Click Add.

Utilities

Backup Analog ISDN

This screen lets you set up the Automatic Backup or Analog ISDN connection information. You must connect an external modem (analog or ISDN) to the Symantec Firewall VPN's serial port in order to use this feature. In backup mode the Symantec Firewall VPN will automatically dial when broadband drops. It will also automatically re engage broadband when it comes back online. You can also manually engage the Analog ISDN connection.

Figure 6 1 Backup Analog ISDN screen (Backup: Enable; Connection: Internet Access Normal, ISDN or Analog Only (no Broadband), Hang Up, Dial; buttons Save, Cancel, Refresh; ISP Account Information: User Name, Password, Verify, IP Address (Provided by ISP), Dial up Telephone 1 (only digits, example 2123335555), Dial up Telephone 2, Dial up Telephone 3; Modem Settings: Model, Initialization string (for Others only) AT&F, Line Speed 4800, Line Type Dial Up Line, Dial Type tone, Dial String ATDT, Redial String ATDL, Idle Time Out 2 Minutes; Analog Status: Port Status, Physical Link, PPP Link, PPP IP Address, Phone Line Speed)

If your Internet connection type is Dynamic DHCP or Static IP, the Alive Indicator must be set. The Alive Indicator is used by the Symantec Firewall VPN to
ast.
12. Check Disable for Global Tunnel.
13. Set Remote Subnet to the destination network protected by the SEVPN.
14. Set Mask to the netmask of the destination network protected by the SEVPN.
15. Click the ADD button to add the new tunnel to the system.

The tunnel should now be operational on both ends. You should verify this by opening up a DOS command line and pinging a running machine on the remote network.

SEVPN Static tunnel configuration

The following table contains a brief list of the steps to configure the SEVPN.

Table 7 1 SEVPN configuration steps

Configuration Step | Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration Guide Chapter
1. Create a Security Gateway for the SEVPN | Defining Security Gateways
2. Create a Subnet for the Local Network | Defining Subnet Entities
3. Create a Security Gateway for the Symantec Firewall VPN appliance | Defining Security Gateways
4. Create a Subnet for the remote network | Defining Subnet Entities
5. Create a Secure Tunnel, making sure to select one of the static policies, configure the keys and set the SPIs | Configuring Secure Tunnels and Configuring an IPsec Static VPN Policy

Dynamic tunnel

Dynamic tunnels differ from static tunnels in that both ends of the tunnel exchange the encryption keys dynamically. You do not have to configure these ahead of time.

Figure (dynamic tunnel example; addresses shown: 10.10.10.2, 192.168.40.1, 192.168.0.2, 192.168.0.1)
ber. Use 0X as a prefix for hex numbers.
8. From the Encryption Method drop down list, select an Encryption Method.
9. In the Encryption Key field, enter your Encryption Key. The Encryption Key is a minimum of 8 characters or 16 hex numbers for DES, and 24 characters or 48 hex numbers for 3DES.
10. In the Authentication Key field, enter your Authentication Key. The Authentication Key is a minimum of 16 characters or 32 hex numbers for MD5, and 20 characters or 40 hex numbers for SHA1.
11. In the Gateway Address field, enter the Gateway Address of the Destination Network. The format for the Gateway Address is a minimum of seven digits (x.x.x.x) and a maximum of fifteen digits (xxx.xxx.xxx.xxx). For the VPN client, set it to 0.0.0.0. You can also use a DNS name in the Gateway Address field.
12. Click the Enable NetBIOS Broadcast radio button to forward NetBIOS broadcast packets. Set to Enable to support Network Neighborhood on Windows through a VPN tunnel.
13. In the Remote Subnet 1 field, enter the IP address of your Destination Network.
14. In the Mask field, enter the Subnet Mask of your Destination Network. The format for the Destination Network Mask field is a minimum of seven digits (x.x.x.x) and a maximum of fifteen digits (xxx.xxx.xxx.xxx). If you have more than one Remote Network, repeat the previous two steps for each additional Destination Network.
15. Click Add to save your VPN Static Key information and create you
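A pre flight check for the Static Key screen, covering both the key size rules just listed and the earlier static tunnel procedure's instruction to append the three SEVPN 3DES keys into one. This is an added example, not code from the manual or the unit. The minimum sizes (DES 8 characters or 16 hex digits, 3DES 24 or 48, MD5 16 or 32, SHA1 20 or 40) are the manual's; the 0X hex prefix is the manual's convention for the SPI fields, and applying it to the key fields as well is an assumption. Function names and the sample key values are this example's own. DES and MD5 are obsolete by today's standards; the check only enforces what the unit accepts.

```python
"""Assemble and length-check VPN static-key fields before typing them in.

Added example, not the unit's code. Sizes come from the manual; treating
the 0X hex prefix as valid for keys (not only SPIs) is an assumption.
"""
import re

# (minimum ASCII characters, minimum hex digits) per algorithm, from the manual
MIN_KEY_LEN = {
    "DES": (8, 16),
    "3DES": (24, 48),
    "MD5": (16, 32),
    "SHA1": (20, 40),
}

_HEX = re.compile(r"^0[xX][0-9a-fA-F]+$")


def is_hex_key(value: str) -> bool:
    """True if the field is entered in 0X-prefixed hex rather than as characters."""
    return bool(_HEX.match(value))


def key_bytes(value: str) -> bytes:
    """Raw key material: decode 0X hex, otherwise the characters themselves."""
    if is_hex_key(value):
        digits = value[2:]
        if len(digits) % 2:
            raise ValueError("hex key must have an even number of digits")
        return bytes.fromhex(digits)
    return value.encode("ascii")


def check_key(algorithm: str, value: str) -> bytes:
    """Return the key bytes, or raise ValueError if shorter than the unit accepts."""
    min_chars, min_hex = MIN_KEY_LEN[algorithm]
    if is_hex_key(value):
        if len(value) - 2 < min_hex:
            raise ValueError(f"{algorithm}: need at least {min_hex} hex digits")
    elif len(value) < min_chars:
        raise ValueError(f"{algorithm}: need at least {min_chars} characters")
    return key_bytes(value)


def rejects(algorithm: str, value: str) -> bool:
    """True if check_key would refuse this value."""
    try:
        check_key(algorithm, value)
    except ValueError:
        return True
    return False


def join_3des_keys(k1: str, k2: str, k3: str) -> str:
    """Concatenate the three SEVPN 3DES keys into the single value the unit wants.

    All three must be in the same form; hex keys keep one 0X prefix.
    """
    forms = {is_hex_key(k) for k in (k1, k2, k3)}
    if len(forms) != 1:
        raise ValueError("mix of hex and character keys")
    if is_hex_key(k1):
        return "0X" + "".join(k[2:] for k in (k1, k2, k3))
    return k1 + k2 + k3


def static_tunnel_fields(incoming_spi: str, outgoing_spi: str, enc: str,
                         enc_key: str, auth: str, auth_key: str) -> dict:
    """Validate a whole Static Key entry; keys are returned as hex for comparison."""
    for spi in (incoming_spi, outgoing_spi):
        if not is_hex_key(spi) and not spi.isdigit():
            raise ValueError(f"SPI {spi!r} must be decimal or 0X-prefixed hex")
    return {
        "Incoming SPI": incoming_spi,
        "Outgoing SPI": outgoing_spi,
        "Encryption Method": enc,
        "Encryption Key": check_key(enc, enc_key).hex(),
        "Authentication Method": auth,
        "Authentication Key": check_key(auth, auth_key).hex(),
    }


if __name__ == "__main__":
    # Constructed sample keys, not real SEVPN output.
    k = join_3des_keys("0X0123456789abcdef", "0Xfedcba9876543210", "0X0011223344556677")
    print(static_tunnel_fields("0X100", "256", "3DES", k, "MD5", "0123456789abcdef"))
```

Because the same mistake on either side silently produces a tunnel that never passes traffic (the manual's "initial ping response will time out" never recovers), checking sizes and the 3DES concatenation before entry saves a round of debugging against the SEVPN.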
Figure 4 10 Custom Virtual Servers screen (columns: Name, Enabled, IP Address, Protocol, Internal Start Port, Internal End Port, External Start Port, External End Port)

Existing Custom Virtual Servers

If you have previously made an entry to this screen and you want to update or delete it, you must first select it from the Select Entry drop down list and then click Update Fields Below to access its settings. If you are adding a new entry, do not select from the main menu, or click Clear Form before adding the new entry.

To configure a Custom Virtual Server
1. Under Virtual Server Configuration, in the Name field, enter any short descriptive name for your Custom Virtual Server.
2. Check or uncheck the Enable box to enable or disable your server. Remember to click Update Entry if working with an existing virtual server.
3. Enter your server's LAN IP. Virtual Servers need a local host with a static IP address to operate effectively. Set up a static local IP for your server using the Host IP & Group screen or on the server itself, and enter that IP here.
4. Choose either TCP or UDP as the server protocol type.
5. In the Port Ranges fields, enter the Start and Finish ports used by your server, for both Internal and External. If only one port is used, enter the same number in both Start and Finish fields. Usually Internal and External should be the same, but you can translate ports if different values are entered; for example 2000-2500 internally can be translated to 300
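The inbound decision the Custom Virtual Server steps above and the earlier Exposed Host DMZ section describe, as an added example that is not code from the manual or the unit: an enabled virtual server rule that matches the protocol and external port wins and gets port translation when its internal and external ranges differ; anything not explicitly allowed goes to the exposed host if one is set, and is dropped otherwise. The rule table, LAN addresses and function names are constructed for the example; the only manual values in it are the 2000-2500 to 3000-3500 translation.

```python
"""Inbound dispatch: virtual server rules first, exposed host for the rest.

Added example, not the unit's code. Table below is constructed; the game
entry uses the manual's port translation example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class VirtualServer:
    name: str
    enabled: bool
    lan_ip: str
    protocol: str        # "TCP" or "UDP"
    ext_start: int       # external range, as seen by Internet users
    ext_end: int
    int_start: int       # internal range on the LAN host
    int_end: int

    def translate(self, protocol: str, ext_port: int) -> Optional[Tuple[str, int]]:
        """Map an external (protocol, port) to (lan_ip, internal port), or None."""
        if not self.enabled or protocol != self.protocol:
            return None
        if not self.ext_start <= ext_port <= self.ext_end:
            return None
        # One-to-one translation needs ranges of equal size.
        if self.ext_end - self.ext_start != self.int_end - self.int_start:
            raise ValueError(f"{self.name}: internal and external ranges differ in size")
        return self.lan_ip, self.int_start + (ext_port - self.ext_start)


def dispatch(protocol: str, ext_port: int, servers: List[VirtualServer],
             exposed_host: Optional[str]) -> Optional[Tuple[str, int]]:
    """Where the unit forwards a packet arriving on the WAN IP; None means dropped."""
    for srv in servers:
        hit = srv.translate(protocol, ext_port)
        if hit:
            return hit
    if exposed_host:
        return exposed_host, ext_port   # everything not explicitly allowed
    return None


def exposed_ports(servers: List[VirtualServer], protocol: str,
                  exposed_host: Optional[str], upto: int = 1024) -> List[int]:
    """Ports below 'upto' that reach some LAN host; with an exposed host that is all of them."""
    return [p for p in range(1, upto + 1)
            if dispatch(protocol, p, servers, exposed_host) is not None]


# Constructed sample table. LAN IPs are assumptions.
SERVERS = [
    VirtualServer("game", True, "192.168.0.20", "TCP", 3000, 3500, 2000, 2500),
    VirtualServer("web", True, "192.168.0.10", "TCP", 80, 80, 80, 80),
    VirtualServer("old-ftp", False, "192.168.0.11", "TCP", 21, 21, 21, 21),
]

if __name__ == "__main__":
    print(dispatch("TCP", 3000, SERVERS, None))               # game host, port 2000
    print(dispatch("TCP", 21, SERVERS, None))                 # disabled rule: dropped
    print(len(exposed_ports(SERVERS, "TCP", None)))           # 1 (just 80)
    print(len(exposed_ports(SERVERS, "TCP", "192.168.0.50"))) # 1024: the DMZ caution
```

The last two lines are the manual's caution in numbers: without an exposed host only the explicitly listed ports reach the LAN; with one, every unlisted port on every protocol reaches that machine, which is why it has to be locked down and the feature switched off when not needed.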
... 2 1
Network requirements 2 1
Cautions and Warnings 2 2
Internet account information 2 3
Connecting the cables 2 3
To connect the cables 2 4
Configuring your computer 2 5
Configuration Management
Configuration interface 3 1
To start the User interface 3 1
Basic configuration 3 2
Language Selection screen 3 2
Main Setup Screen 3 3
To configure using the Symantec Firewall VPN 200 Main Setup screen 3 4
Required by Optional Network Settings section 3 5
To configure for cable modem using DHCP 3 5
To configure for DSL or cable modem using PPPoE 3 6
Static IP and DNS 3 7
DNS Gateway section 3 8
Status 3 9
LAN IP and DHCP 3 9
UNIT LAN IP 3 10
DHCP ec
Figure 4 7 Special Applications screen (Outgoing and Incoming: Protocol, Start Port, End Port)

To configure Special Applications
1. Under Existing Special Apps, select an entry from the drop down list. Some predefined Special Application entries are available from this menu (since they are all disabled by default, you must select Enable and update the entry), plus any that you have added yourself. If you have previously made an entry to this screen and you want to update or delete it, you must first select it from the drop down list and then click Update Fields Below to access its settings. This is also how you enable the predefined Special Applications. If you are adding a new entry, do not select from the menu, or click Clear Form before adding the new entry.
2. Under Special Application Data, enter the name of the special application in the Name field. Give your Special App any short descriptive name.
3. Check or uncheck Enable to enable or disable your special application; disabling will close the ports defined below. Remember to click Update if working with an existing special application.
4. From the Outgoing Protocol drop down list, choose either TCP or UDP as the protocol type for sending data (consult the application's support).
5. In the Outgoing Port Range fields, enter the start and finish ports used by your application when it is sending data. If only one port is used, enter the same number in both fields.
Figure 8 4 VPN Dynamic Key screen (Name vpnclient; Enable/Disable; PPPoE Session (select the PPPoE session to bind the VPN tunnel to); Main Mode / Aggressive Mode; Encryption and Authentication Method ESP DES MD5; SA Lifetime 480 Minutes; Data Volume Limit (KBytes); Inactivity Timeout 0 Minutes; Perfect Forward Secrecy Enable/Disable; ID Type IP Address; Phase 1 ID; Remote Security Gateway: Gateway Address 0.0.0.0 (enter 0.0.0.0 for a Client to Gateway tunnel), ID Type Distinguished Name (select Distinguished Name for Client to Gateway tunnels; leave Phase 1 ID and Shared Secret blank for a Client SA; the Remote Client ID must match a User in the Client List), Pre Shared Key (for Gateway to Gateway tunnels); NetBIOS Broadcast Enable/Disable; Global Tunnel Enable/Disable; Remote Subnet 1, Mask)

18. In the SA Lifetime field, enter the number of minutes the security association will last before rekeying. The SA Lifetime (number of minutes) should match the Time expiration of the Symantec Enterprise VPN Client as entered on the Symantec Enterprise VPN Client VPN Policy screen. See Table 8 1 Symantec Enterprise VPN Client configuration on page 8 8.
19. In the Data Volume Limit field, enter the number of Kbytes that can pass through the tunnel before the security association rekeys. The Data Volume Limit (number of Kbytes) should match the
46. ction at the end of this agreement the Excluded Software the software the Software which accompanies the appliance you have purchased the Appliance is the property of Symantec or its licensors and is protected by copyright law While Symantec continues to own the Software you will have certain rights to use the Software after your acceptance of this license This license governs any releases revisions or enhancements to the Software that the Licensor may furnish to you as well as the copy of the Software provided to you on a CD ROM or other media in connection with the Appliance the Restore Software Except as may be modified by a Symantec license certificate license coupon or license key each a License Module which accompanies precedes or follows this license your rights and obligations with respect to the use of this Software are as follows You may A use the Software solely as part of the Appliance for no more than the number of users as have been licensed to you by Symantec under a License Module B use the Restore Software solely to restore the Appliance to its original factory functionality in the event the Software preloaded on the Appliance is corrupted or becomes unusable C make copies of the printed documentation which accompanies the Appliance as necessary to support your authorized use of the Appliance and D after written notice to Symantec in connection with a transfer of the Appliance transf
data integrity, and data confidentiality through encryption. Data integrity ensures that the data has not been modified in transfer; it guarantees the receiver that the data it receives is exactly what was sent by the sender. Data confidentiality ensures that sensitive data cannot be read by a third party: clear text is scrambled with an encryption key (or multiple encryption keys) and can only be unscrambled with the agreed upon secret key. In addition to these basic services, IPsec includes a variety of mechanisms that provide authentication, protection from replay attacks and protection from denial of service attacks. Together all these services provide the infrastructure that allows a company to use an insecure medium such as the Internet to safely transfer sensitive information.

The Symantec Firewall VPN supports two types of VPN models: gateway to gateway and client to gateway (200R only). Gateway to gateway tunnels protect entire subnets. For example, they can be used to connect branch offices to the central office over the Internet, thus eliminating costly leased lines. Using the Symantec Firewall VPN 200R, client to gateway VPN tunnels allow telecommuters or remote users to safely connect over the Internet to the office. This model minimizes costs associated with modem pools and costly 800 dial up charges, as employees can use ISPs with local dial up numbers to transparently connect to the office. The Symantec Firewall VPN offers the foll
48. dress
[Figure 7-5: VPN Dynamic configuration screen. Fields shown: Gateway Address (enter 0.0.0.0 for a Client-to-Gateway tunnel); ID Type (IP Address; select Distinguished Name for Client-to-Gateway tunnels); Phase ID and Pre-Shared Key (leave Phase ID and Shared Secret blank for a Client SA; the Remote Client ID must match a User in the Client List); For Gateway to Gateway Tunnels: NetBIOS Broadcast Enable/Disable, Global Tunnel Enable/Disable, Remote Subnet 1 through 5 with IP and Mask; buttons Add, Delete, Update Entry, Clear Form, Cancel; Security Association List with columns Status, Name, Security Gateway, Remote Subnet, Encryption Method.]
To configure the tunnel:
1. In the Name field, enter a new name for this tunnel.
2. Check Enable.
3. Select the WAN Port you want to bind the VPN tunnel to.
4. Select the PPPoE Session you want to bind the tunnel to.
5. Check Main Mode for Phase I Negotiation.
6. Select the Encryption and Authentication Method to match the parameters from the SEVPN.
7. Check the option for Perfect Forward Secrecy to match the SEVPN configuration.
8. Under the Remote Security Gateway, set the Gateway Address to be the Gateway Address of the SEVPN.
9. Set ID Type to IP Address.
10. Set Pre-Shared Key to be the Shared Secret from the SEVPN.
11. Check Dis
49. e
5. Click Save. The Symantec Firewall/VPN restarts and attempts to connect to the Internet.
6. Wait a moment, then click Back to the Main Setup page.
7. Click Refresh in your browser. The Symantec Firewall/VPN should display Connected in the Connection Status field. If it doesn't, try refreshing again in a moment, or consult Chapter 9, Troubleshooting.
To configure for DSL or cable modem using PPPoE: You will need your User Name and Password in order to proceed.
1. Open the Main Setup screen.
2. Click the Enabled radio button below the PPPoE header.
3. In the User Name field, enter your PPPoE Dial-Up user name exactly as given by your ISP. Note: Some ISPs use the domain in the username when logging on (for example, john@gte.net) and some just use the userID (for example, john).
4. In the Password field, re-enter your PPPoE password.
5. In the Verify field, enter your PPPoE password again. This makes sure there are no typos, because the password is hidden.
6. Click Save.
7. Wait a moment, then click Back to the Main Setup.
8. Refresh your browser. You should see Connected or Connecting in the Connection Status field. If you do not, try refreshing again in a moment, or consult Chapter 9, Troubleshooting.
Static IP and DNS: If you have a Static IP account from your ISP, or are using the Symantec Firewall/VPN behind another gateway device, enter the network information on the Static IP and DNS screen. This screen is simi
50. e of the remote gateway. 0.0.0.0 is reserved for client-to-gateway configurations.
15. In the Pre-Shared Key field, enter your Pre-Shared Key. The Pre-Shared Key is a pre-defined key used by the two end points of a VPN tunnel to identify each other. The Pre-Shared Key is a minimum of 20 characters and a maximum of 64 characters.
16. Under For Gateway to Gateway Tunnels, click the Enable NetBIOS Broadcast radio button to forward NetBIOS broadcast packets.
17. Click the Global Tunnel Enable or Disable radio button. Enabling the Global Tunnel for a VPN tunnel forces all outbound Internet traffic to go through the VPN tunnel. This is useful for security policies that call for all internal traffic to pass through a centralized gateway.
18. In the Remote Subnet 1 IP field, enter the IP address of your Destination Network. The format for the Gateway Address is a minimum of seven digits (x.x.x.x) and a maximum of fifteen digits (xxx.xxx.xxx.xxx).
19. In the Remote Subnet 1 Mask field, enter the Subnet Mask of your Remote Subnet.
20. If you have more than one Remote Subnet, repeat the previous two steps for each additional Remote Subnet.
21. Click Add to save your VPN Dynamic Key information and create your VPN.
To update a VPN configuration using Dynamic Key:
1. From the Main Menu, select VPN Dynamic Key.
2. From the Security Association drop-down list, select a Security Association Name to view information about that Security Association.
3. Clic
51. ed personal firewall feature.
Symantec Firewall/VPN international symbols. Table 1-1 (Symbol / Meaning) lists the symbols printed on the unit; the symbol images are not reproduced here. Meanings: Power Indicator LED; Error Indicator LED; LAN/WAN 1 Transmit/Receive LED; Backup Active LED; Modem/WAN Link LED; WAN Port; LAN Ports; Full Duplex; Power Supply; Reset; On/Off; DIP Switch; Serial Port.
Management/Configuration interface: The Symantec Firewall/VPN has a web browser based user interface that provides screens for creating configurations, viewing status, and accessing logs. The Symantec Firewall/VPN 200 user interface has duplicate Setup fields for both WAN ports on the Main Setup screen as well as on other interface screens. This management interface can be secured using the available VPN feature.
[Figure residue: Symantec Firewall/VPN Main Setup screen. Menu: General (Main Setup, Static IP & DNS); Status (Connection Status, View Log); VPN (Static Key, Dynamic Key, Client Identity); Advanced (Host IP & Group, Access Filters, Special Applications, Virtual Servers, Advanced PPPoE, Dynamic DNS, Routing). Fields: Obtain IP & DNS Automatically (unless Static IP is set; note for DHCP connections); PPPoE (enable only for use with PPPoE connections): Enabled, Password, Verify; Optional Network Settings: Host Name.]
52. elow (select SA above first unless Adding).
[Figure 5-1: VPN Static Key screen. Fields: Name, Enable/Disable, PPPoE Session (Session 1; select the PPPoE session to bind the VPN tunnel), Incoming SPI, Outgoing SPI, Encryption and Authentication Method (AH MD5), Encryption Key, Authentication Key; To Remote Security Gateway: Gateway Address, NetBIOS Broadcast Enable/Disable, Global Tunnel Enable/Disable, Remote Subnet 1 through 5 with IP and Mask; buttons Add, Delete, Update Entry, Clear Form, Cancel.]
1. From the Main Menu, select VPN Static Key.
2. In the Name field, enter a descriptive name for the Security Association. The Security Association Name must be between 1 and 15 characters long.
3. Click the Enable radio button.
4. From the WAN drop-down list, select a WAN port.
5. From the PPPoE Session drop-down list, select the Session number. Use Session 1 if you only have one session available from your ISP.
6. In the Incoming SPI field, enter your Incoming Security Parameter Index (SPI). The Security Parameter Index (SPI) is a hexadecimal number (0-9, a-f, A-F) or a decimal number. Use 0X as a prefix for hex numbers.
7. In the Outgoing SPI field, enter your Outgoing Security Parameter Index (SPI). The Security Parameter Index (SPI) is a hexadecimal number (0-9, a-f, A-F) or a decimal num
53. er field holds a maximum of 39 characters.
4. In the Email Receiver field, enter the receiver of the Email. The Email Receiver field holds a maximum of 39 characters. If you want more than one receiver, separate them using a comma.
5. Under Log Type, check the boxes for the types of messages you want to log.
6. Under Time, in the Alternate NTP Server field, enter the IP address of the alternate NTP Server. If you are using a proxy or are behind a firewall that requires an NTP gateway, enter its IP address here. Otherwise, standard NTP servers will be used to obtain the time for log entries.
7. Click Save.
Configuring the Symantec Firewall/VPN to the Symantec Enterprise VPN: The Symantec Firewall/VPN offers the ability to create tunnels between itself and a Symantec Enterprise VPN Server (SEVPN). This tunnel can be created either statically or dynamically using IKE. This chapter outlines the steps necessary to create both static and dynamic tunnels. Note: This chapter focuses on the steps needed on the Symantec Firewall/VPN only. This chapter assumes that the SEVPN is already configured and that information on that configuration is available. Refer to the applicable sections in the Symantec Enterprise Firewall and Symantec Enterprise VPN Installation Guide and the Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration Guide if you need help configuring the SEVPN.
[Figure residue: Symantec Firewall/VPN 200. Figure 7-1: Syma
54. er the Software on a permanent basis to another person or entity, provided that you retain no copies of the Software, Symantec consents to the transfer, and the transferee agrees in writing to the terms of this agreement. You may not: (A) sublicense, rent, or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software; (B) use the Restore Software for any purpose other than to restore the Appliance to the original factory functionality; (C) use, if you received the Software distributed on an Appliance containing multiple Symantec products, any Symantec software on the Appliance for which you have not received a permission in a License Module; or (D) use the Software in any manner not authorized by this license. 2. Content Updates. Certain Symantec software products utilize content that is updated from time to time (antivirus products utilize updated virus definitions; content filtering products utilize updated URL lists; firewall products utilize updated firewall rules; vulnerability assessment products utilize updated vulnerability data; etc.; collectively, these are referred to as "Content Updates"). You may obtain Content Updates for any period for which you have purchased a subscription for Content Updates for the product or otherwise separately acquired the right to obtain Content Updates. This license does no
55. essible using an encrypted management link. The level of logging is configurable.
Remote Accessibility: The Secure Remote Management feature ensures that an ISP or a central office can manage these devices from a remote location. The Symantec Firewall/VPN can also be monitored via SNMPv1 tools. These tools are available for download and range in price from free to very expensive. Logs can be generated by these tools for a complete picture of network performance.
IPSec VPN Pass-Through: In addition to creating VPN tunnels using the Symantec Firewall/VPN as an end point, the Symantec Firewall/VPN automatically recognizes IPSec VPN sessions and allows them to pass through the firewall, enabling VPN sessions from internal clients to remote servers if you desire.
Other Networking Features: The Symantec Firewall/VPN provides many other advanced networking features designed to ensure it can grow with your needs.
Features. Symantec Firewall/VPN 100: The Symantec Firewall/VPN 100 model features include: Four LAN ports with 10/100 autosense switch; One 10 Mbps WAN port; No hard user limit, but recommended for offices with up to 15 users; All the features previously listed in the Product Overview except for Load Balancing and remote VPN clients; Power supplies; Traffic, connectivity, and error lights; Serial port for auto modem backup; DIP Switches, used for disabling the DHCP Server, resetting the unit, acti
56. et connection you have in order to proceed with the installation. For the purposes of this manual, it should be one of three different types:
PPPoE Internet account: Most large DSL ISPs have adopted this method. If you have Dial-Up software on your computer to access your account, then you most likely have a PPPoE account. You will need your User Name and Password before installing the Firewall/VPN. Disable or uninstall the PPPoE Dial-Up software.
Dynamic IP (DHCP) Internet account: Most Cable ISPs, some DSL. Sometimes no information is required; just connecting the Symantec Firewall/VPN and rebooting your computer will get you connected. The MAC (Network Adapter) address of your Ethernet card might be needed if used by your ISP. See below for instructions on how to obtain it. The Host Name or Domain Name on your computer might be needed if it is a coded name given to you by your ISP.
Static IP Internet account or network connection: You will need your IP Address, Network Mask, Gateway, and DNS.
Some ISPs (usually cable) have abbreviated names for your e-mail servers and Web home page. This is the case if your Internet home page is a very short name like www or web rather than www.symantec.com, or your e-mail server's name is something like pop3 or mail instead of mail.symantec.com. You MUST obtain the actual server names (Internet names) in order to access the Web and e-mail when using the Symantec Firewall/VPN.
57. f standardized security protocols, including the Internet Security Association and Key Management Protocol (ISAKMP), the Internet Key Exchange (IKE) policy, and the IP Security (IPSec) protocol. Access to Symantec Enterprise VPN Client is password protected to prevent others from creating tunnels into the Symantec Firewall/VPN 200R, even if your computer is stolen. For added security, Symantec Enterprise VPN Client includes a personal firewall which restricts the ports through which data packets can be received.
Configuring Symantec Enterprise VPN Client with Symantec Firewall/VPN 200R: Security gateways must be configured both at the Symantec Firewall/VPN and in Symantec Enterprise VPN Client. Every gateway can accommodate multiple tunnels. Therefore, when you add or remove a security gateway from the Symantec Enterprise VPN Client database, you are also adding or removing all of the tunnels that are associated with the security gateway.
[Figure 8-2: Symantec Enterprise VPN Client Remote Tunnel Configuration. Diagram labels: Symantec Enterprise VPN Client, Symantec Enterprise Firewall/VPN, Computer 192.168.0.3, 192.158.0.1 (as printed), 237.0.130.143.]
Tunnels must be connected each time you reboot your PC. After the gateways and tunnels are connected, they remain connected until you disconnect them, an inactivity timeout occurs, a dial-up connection is lost, you exit Windows, or you shut down Symantec Enterprise VPN Client. Configure Symantec
58. ferent domain. You can choose WAN1 or WAN2; None (no binding) is the default.
Idle Renew DHCP: If you are experiencing disconnects from a DHCP type Internet account after periods of inactivity, enter a value into this field (in minutes) after which the Symantec Firewall/VPN will try to automatically renew the connection. You must experiment to find the best value; the higher the better. You can also Force Renew by clicking the button.
MTU LAN PC: The Symantec Firewall/VPN negotiates the MTU size from your ISP. You should leave this value unless for some reason the ISP is providing an MTU that's not optimal. MTU problems are evidenced by problems seeing certain websites, sending long e-mails, or extremely decreased performance. MTU can be set for each WAN port.
Echo Request Timeout: You should leave this setting unless told to change it by Symantec support.
Expert Level Advanced Features section fields. Allow IDENT Port (Port 113): IDENT normally contains the Host Name/Company Name information. By default, the Symantec Firewall/VPN has all ports stealth. This makes your computer(s) invisible to those outside. Some servers, like certain E-Mail or mIRC servers, use the IDENT port of the system accessing them. Enabling this setting makes Port 113 Closed (not Stealth); it is NOT Open. Only enable it if you are having problems accessing a server.
NAT Function: Disabling NAT turns the Symantec Firewall/VPN into a bridge or pure router. This is
59. g a Gateway: DNS Name of the Symantec Firewall/VPN 200R.
4. Uncheck Symantec Firewall PowerVPN (Managing Gateways, Adding a Gateway).
5. Enter Shared Secret (Managing Gateways, Adding a Gateway).
6. Enter Client ID (Managing Gateways, Adding a Gateway).
7. Create a new IKE policy with a unique name, or use one of the predefined policies (Managing Gateways, Adding a Gateway; Defining an IKE Policy).
8. Create a new tunnel (Managing Tunnels, Adding a Tunnel).
9. Enter the inside subnet of the Symantec Firewall/VPN 200R (Managing Tunnels, Adding a Tunnel).
10. Create a new VPN policy or use a predefined policy (Managing Tunnels, Adding a Tunnel; Defining a VPN Policy).
11. Connect tunnel (Managing Tunnels, Connecting a Tunnel).
Troubleshooting. Problem 1: Cannot connect to the Symantec Firewall/VPN to configure it. Solution: Check the following. The Symantec Firewall/VPN is properly installed, network connections are OK, and the Symantec Firewall/VPN is powered ON. Ensure that your PC and the Symantec Firewall/VPN are on the same network segment. If you are installing the Symantec Firewall/VPN for the first time, ensure that your PC is using an IP Address within the range 192.168.0.2 to 192.168.0.255, thus compatible with the Firewall/VPN's default IP Address of 192.168.0.1. Verify that the Subnet Mask is set to 255.255.255.0 in order to reach the Firewall/VPN. In Windows, you can check these settings by using Control Pane
60. g a VPN tunnel, simply point your browser to the internal IP address of the Symantec Firewall/VPN. To remotely configure the unit, enter the start and end IP range (enter the same value for both if it's a single IP). You can then access the unit from an external web browser by entering the WAN port IP followed by port 8088. For example, type http://207.158.227.235:8088 into your external browser if 207.158.227.235 was the address obtained from your ISP by the Symantec Firewall/VPN. You must be accessing from the IP range specified. Also, you should set the Configuration Password for security.
Allow Remote Upgrade: You can Enable Allow Remote Upgrade if you wish to remotely perform TFTP upgrades to the unit's firmware from the above IP range. The default is Disabled.
Configuring Virtual Private Networks (VPN): This chapter describes the procedures for configuring VPN tunnels using the VPN Static Key, VPN Dynamic Key, and VPN Client Identity features of the Symantec Firewall/VPN User Interface. It also provides a brief overview of VPNs, encryption, and authentication. Virtual Private Networks allow companies to safely use unsecure communication channels to transport sensitive data. The most widely used VPN technology in the industry is based on the IPSec (IP Security) standards. IPSec is a suite of standards approved by the IETF (Internet Engineering Task Force) organization. The IPSec suite introduces security protocols that provide
61. gs. These settings are not necessary for use, but are used for e-mail forwarding using your new domain and alternate domain names. The Force DNS Update button is there only for special circumstances. Normally, Dynamic DNS services do not like you manually updating your information unless your IP changes. To configure Optional settings:
1. Click on Wildcards.
2. Click on Backup MX.
3. Enter Mail Exchanger.
4. Click Save after entering all information.
Routing: When there is more than one router on a network, you must add routing settings on the Firewall/VPN to tell it what traffic goes to which router. The unit supports static routes or the RIP2 dynamic routing protocol. When you specify routing, the Symantec Firewall/VPN can automatically forward the packet to the correct router.
[Figure 4-3: Routing screen. Note: Entries not needed if using the RIP2 dynamic routing protocol. Fields: Entries in Routing Table (Select Entry; select if Updating or Deleting); Update Fields Below (select entry above first unless Adding); Destination IP, Network Mask, Gateway, Interface (Internal LAN), Metric; buttons Add, Delete, Update Entry, Clear Form, Cancel; Routing Table List with columns Destination, Mask, Gateway, Interface, Metric.]
If RIP2 is not being used on the network, you must make entries in the static routing table through the Routing interface screen. Use the static routing table only when needed. If you make i
62. have a single session PPPoE account, leave the PPPoE session at Session 1.
3. Click Update Fields.
4. Use the Connections section to specify whether you connect or disconnect your PPPoE account manually or automatically.
a. Connect on Demand is enabled by default, which means the Symantec Firewall/VPN will connect automatically when an Internet request is made (like browsing a web site). If you want to connect manually, disable the check box and connect by clicking Connect.
b. In the Idle Time Out field, enter the number of minutes of inactivity after which you want the Symantec Firewall/VPN to disconnect the PPPoE connection.
c. Enter 0 to keep the connection always on and to prevent the Symantec Firewall/VPN from ever hanging up. If the value is more than 0, enable Connect on Demand to redial automatically when needed.
d. If you have a Static IP PPPoE Internet account, enter the IP address in the Static IP Address field; otherwise, leave the value at zero. Note: This is for PPPoE only.
5. If your ISP has different services available for your PPPoE account, use the Choose Services section to access them.
a. Click Query Services.
b. Select the service from the drop-down list, then connect as normal.
6. Enter your User Name.
7. Enter your Password.
8. Verify your Password.
9. Click Save All to process the screen.
The log file, located in the View Log screen, provides useful information about your PPPoE connection if you have any
63. he WAN Port drop-down list.
3. Select the session from the Session drop-down list.
4. Click the Enable radio button.
5. Click Save.
Expert Level: This screen provides advanced settings for the Symantec Firewall/VPN. Most users can safely ignore these settings because the defaults are optimal and the most secure. The Symantec Firewall/VPN 200 features broadband connection binding with its dual Modem Ports. You can mix connection types on the ports; in fact, for backup reasons this is recommended. So you can bind a cable Internet connection and a DSL connection, or Static IP and SDSL, or PPPoE and DHCP. The Symantec Firewall/VPN 200 will bind the bandwidth on your two connections by sending network packets to both WAN ports. If you want, you can bind hosts to a single WAN port. Any single download on the network will not be able to exceed the maximum bandwidth available on a single WAN, but the overall effect of this binding is that the entire network experiences vastly improved performance. The more computers you have, the greater the performance increase you'll notice over a single Internet connection. If you make any changes to the Expert Level screen, click Save. Clicking Restore Defaults returns the Symantec Firewall/VPN to factory settings.
[Figure residue: Expert Level screen, Connection section. Load Balance (WAN 1 / WAN 2, %); SMTP Bind (None); Idle Renew DHCP (Minutes; Force Renew); MTU LAN PC (WAN1 / WAN2); Echo Request Timeout (sec); Re
64. ion after using the Console.
Manual reset: Sometimes making an incorrect setting in the LAN IP & DHCP screen, or forgetting your configuration password, will prevent you from accessing the unit. Pressing the Reset switch on the unit will not restore these default IP settings or erase the password. You must follow the steps below to regain connectivity with the Firewall/VPN. This procedure does the following: Restores the unit's IP address to the default 192.168.0.1; Restores the unit's network mask to the default 255.255.255.0; Clears the interface password; Enables the DHCP Server.
To manually reset the Symantec Firewall/VPN. Note: Read these steps completely before starting to reset the Firewall/VPN. Note: You'll need a paper clip for this procedure.
1. Turn off power to the Symantec Firewall/VPN by pulling the power plug from the back of the unit.
2. Set DIP switch 1 to ON (down).
3. Insert the power plug back into the unit and WAIT 4 SECONDS.
4. Immediately, using the paper clip, flip DIP switch 1 OFF (UP).
5. Flip DIP switch 1 ON (DOWN) again.
6. Flip DIP switch 1 OFF (UP). This re-boot sequence should be completed within 10 seconds of plugging in the power to the Firewall/VPN.
7. When you see the LAN Link LEDs flash and the Reset Sequence begins again, the unit is now reset.
8. Remove the power plug.
9. Wait for a moment and re-insert the power plug. It is important that you do not wiggle
65. k All Internet Access; Use Packet Filters Below.
[Figure 4-6: Access Filters (Security Groups) screen. Quick Filters (check the protocols you want to Allow; click above FIRST): Telnet, TFTP, FTP, Mail, News, Conf Port, HTTP, Gopher, DNS, Archie, SNMP, Real Audio. Custom Filters (enter the ports you want to Allow): TCP Packets, UDP Packets, Name.]
By default, all computers are part of the Everyone group and have no restrictions on Internet use. To define filters, first select the group, specify the use of packet filters, and then enter the filters for that group using this screen. To modify an entry you made previously, select it from the drop-down menu and then click Update Fields Below to access its settings. Note: You must BIND local hosts to the group they are in by using the Host IP & Group screen, as described in Host IP and Group on page 4-10.
To configure Access Filters. Note: Always click Save after each group setting.
1. Select a Security Group from the Select Group drop-down list. Associate hosts with Security Groups using the Host IP & Group screen.
2. Click Update Fields Below.
3. In the Group Filter Setting section, click the Use Packet Filters Below radio button. This section defines the overall setting that applies to the selected group. You MUST choose Use Packet Filters Below in order to select filters.
4. In the Quick Filters section, check the items you want to b
66. k Update Fields Below.
4. Enter all new or changed information.
5. Click Update Entry to save your changes and update the VPN.
To delete a VPN configuration using Dynamic Key:
1. From the Main Menu, select VPN Dynamic Key.
2. From the Security Association drop-down list, select a Security Association Name to view information about that Security Association.
3. Click Delete to delete the VPN.
Dynamic tunnel example: The following example consists of a network diagram of a gateway-to-gateway dynamic tunnel and a table (Table 5-3 on page 5-13) that shows all of the entries required to configure both endpoints of this dynamic tunnel.
[Figure 5-5: Dynamic tunnel example. Diagram labels: 192.168.100.3, 192.158.0.1 (as printed), 192.168.100.1, Symantec Firewall/VPN 200, Symantec Firewall/VPN 100, 192.168.100.4, 192.168.0.4.]
Table 5-3: Dynamic tunnel network example settings (VPN Dynamic Key screen field: Symantec FW/VPN 100 setting / Symantec FW/VPN 200 setting)
IPSec Security Association Method:
Name: dynamicIKE 100 to 200 / dynamicIKE 200 to 100
Enable/Disable: Enable / Enable
WAN Port: WAN1 / WAN2
PPPoE Session: Session 1 / Session 1
Phase 1 Negotiation: Main Mode / Main Mode
Encryption and Authentication: ESP DES MD5 / ESP DES MD5
SA Lifetime: 0 (0 means no limit) / 0 (0 means no limit)
Data Volume Limit: 0 (0 means no limit) / 0 (0 means no limit)
Inactivity Timeout: 0 (0 means n
67. k as the Symantec Firewall/VPN. If this is for a virtual server, ensure that the IP address matches the IP address you entered using the Virtual Server screen (see Virtual Servers on page 4-17).
5. Select this host's group from the Access Group drop-down list. The access groups are defined on the Access Filters screen.
6. In the Bind with PPPoE Session drop-down list, select the session to bind to this host. Use this only when multiple PPPoE sessions are defined. It requires a special ISP PPPoE account.
7. Click Add to add the new entry, or click Delete to delete the entry shown and free up Symantec Firewall/VPN memory. Click Update if you have changed the entry shown. Click Clear Form before adding a new entry.
Access Filters: Access Filters control the types of information allowed out of your LAN. For example, to allow the use of Real Audio on the LAN, you can select its protocol here, or select No Restrictions. Most standard protocols are predefined, or you can define custom filters. There are five security groups that you can define, so you can have different levels of access for different computers.
[Figure residue: Access Filters (Security Groups) screen. Associate Hosts with Security Groups under Host IP & Group. Settings: Select Group (Everyone); Update Fields Below (click after selecting above); Clear Fields Below (clear settings for the group above). Group Filter Settings (must set before using filters): No Restrictions; Bloc
68. l, Network to check the Properties for the TCP/IP protocol in use by your network card. Check and make sure you do not have any proxy settings in your browser. If you have a computer directly connected to the Symantec Firewall/VPN, make sure you are using a Straight-Thru Cable (provided with the unit, or bought at your local network supply store). Make sure your NIC card is 10/100BaseT compatible.
Problem 2: When I enter a URL or IP address, I get a time-out error. Solution: Try the following troubleshooting steps. Check if other computers work with the same URL. If they do, ensure that your computer's IP settings are correct (IP address, Subnet Mask, Default gateway, and DNS). Make sure you have used an IP range that is not in use by any service provider (192.168.X.X or 10.X.X.X). If the other computers cannot connect as well, make sure you have properly connected the Symantec Firewall/VPN as shown in Installation. If the Symantec Firewall/VPN is configured correctly, check your Internet connection (xDSL, Cable modem, etc.) directly with your computer to ensure that it is working correctly.
Problem 3: Some applications do not run properly when using the Firewall/VPN. Solution: Use the Special Applications screen to allow the use of special Internet applications. The Symantec Firewall/VPN processes the data passing through it, so it is not transparent. The application may require the release of TCP and UDP ports that would otherwise not function
69. l/VPN into an existing network. This prevents the Symantec Firewall/VPN from interfering with the network when it is connected. With the Serial Configuration console you can: Change the LAN IP address from the default of 192.168.0.1; Change the LAN Network Mask; Disable/Enable the DHCP Server (enabled by default); Change the Start and Finish IP range for the DHCP server.
To use the Serial console:
1. Connect the Null Modem cable from your computer's COM port to the Serial port on the Firewall/VPN.
2. Set DIP Switch 3 to the ON (Down) position on the Firewall/VPN.
3. Start up a terminal program (HyperTerminal is included with Windows).
4. Set it to connect directly to your COM port (usually COM1 or COM2).
5. You must set the communications settings as follows to connect to the Firewall/VPN: Baud 9600 Bits per Second; Data Bits 8; Parity None; Stop Bits 1; Flow Control None.
6. Once your terminal is connected with the above settings, press the Reset switch on the Firewall/VPN. You should see the console terminal screen appear.
[Figure 6-2: Console terminal screen. Shows: Local IP Address 192.168.0.1; Local Network Mask; DHCP Server (1 Enable / 2 Disable); Start IP Address 192.168.0.2; Finish IP Address 192.168.0.51; a return-to-default option; Save; Select.]
7. Make your selections and remember to select SAVE (7) after you are done.
8. Set DIP Switch 3 to the OFF (up) posit
70. l subscription ends, you must renew your subscription before you can update your virus, firewall, or web content protection. Without these updates, your vulnerability to attack increases. Renewal subscriptions are available for a nominal charge. Every effort has been made to ensure the accuracy of this information. However, the information contained herein is subject to change without notice. Symantec Corporation reserves the right for such change without prior notice.
Product Overview
  Firewall (Stateful Inspection) 1-1
  Networking 1-2
  Virtual Private Networking (VPN) 1-2
  High Availability/Load Balancing 1-2
  Automatic Dial-Up Back-Up 1-2
  IP Address Sharing 1-2
  Logging (Onboard Logging) 1-3
  Remote Accessibility 1-3
  IPSec VPN Pass-Through 1-3
  Other Networking Features 1-3
  Features 1-3
  Symantec Firewall/VPN 100 1-3
  Symantec Firewall/VPN 200 1-5
  Symantec Firewall/VPN 200R 1-5
  Symantec Firewall/VPN international symbols 1-6
  Management/Configuration interface 1-7
Installation
  Prerequisites
71. lar to a computer's Network Properties screen.
[Figure 3-2: Symantec Firewall/VPN 200 Static IP & DNS screen. WAN 1 IP (not for use with PPPoE or dynamic IP accounts): IP Address (note: Status will always show connected if non-zero), Network Mask, Default Gateway. WAN 2 IP (not for use with PPPoE or dynamic IP accounts): IP Address, Network Mask, Default Gateway. Local DNS Enable/Disable (when enabled, if the VPN or Local DNS Gateway is down, DNS requests are forwarded to the ISP or Static DNS IPs); Use ISP or Static DNS as Backup; buttons Cancel, Restore Defaults.]
To configure Static IP & DNS: Complete the information on the Static IP & DNS screen as follows.
1. Under the WAN IP section, in the IP Address field, enter the IP address of the external (WAN) side of the Firewall/VPN.
2. In the Network Mask field, enter the network mask. This mask determines where packets are sent (internal or external). Custom ISP accounts might require a change; otherwise, leave it at its default of 255.255.255.0 (Class C network).
3. In the Default Gateway field, enter the default gateway. The Symantec Firewall/VPN sends any packet it does not know how to route to the default gateway.
4. In the Domain Name Servers field, enter up to three Domain Name Servers. Domain Name Servers are needed for Static accounts. Entries are not needed
lock.
5 In the Custom Filters section, provide a short name and the Start and Finish ports used by the protocol. You must know the packet type (TCP or UDP) and the ports used by the protocol you wish to block. If one port is used, enter the same number in both fields. Multiple protocols and ranges can be defined for very flexible access filters for each group.
6 Click Save after entering all information for a group.

Special Applications
Certain applications with two-way communication need ports opened in the firewall in order to function. This is true of most games and video teleconferencing software. Some popular titles are already predefined but are disabled by default. You can enable them here or add new entries. To find out what ports and protocols your application needs in order to operate, consult the application's support section and search for "Firewall" or "NAT" usage. Some applications might need more than one entry defined and enabled, for example when they have multiple port ranges in use.

Special Applications screen fields: Existing Special Apps (Select Entry, select if updating or deleting; Update Fields Below, select an entry above first unless adding); Special Application Data (Name; Enable; Outgoing Protocol TCP/UDP with Start and Finish ports; Incoming Protocol TCP/UDP with Start and Finish ports); Add, Delete, Update Entry, Clear Form, Cancel; Special Application List (Outgoing and Incoming columns).
ncorrect entries, you may lose your connection to the unit and have to perform a manual reset.

Existing entries
If you have previously made an entry on this screen and you want to update or delete it, you must first select it using Select Entry and then click Update Fields Below to access its settings. If you are adding a new entry, click Clear Form to start with a blank form.

Routing table data
An entry in the routing table is required for each LAN segment on your network so that any other segment attached to this device can share data back and forth. The data in the Routing Table is as follows:

Table 4-1 Routing data
Destination IP Address: The network address of the remote network segment. For standard Class C networks, the network address is the first three fields of the Destination IP Address; the fourth (last) field can be left at 0.
Subnet Mask: The Subnet Mask used on the remote network segment. For Class C networks the standard Subnet Mask is 255.255.255.0.
Gateway IP Address: The IP address of the router on the network segment to which this device is attached, NOT the router on the remote network segment. Normally referred to as the next hop in the network.
Interface: Select the appropriate interface (Internal LAN or External WAN) from the drop-down list. Model 200 users have two External interfaces to choose from.
Metric: The number of routers that must be traversed to reach the remote LAN segment. The default
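The following is an added example and not part of the Symantec manual: a small model of the Routing screen's table as described in Table 4-1. It enforces the rule the table stresses, that the Gateway IP must be a next hop on a segment this device is attached to and not the router on the remote segment, and then resolves destinations by longest-prefix match. The interface addresses and routes are constructed sample data (the LAN address 192.168.0.1 and the WAN address 207.158.227.235 are the ones the manual's own figures use; the rest is assumed).

```python
"""Added example, not from the Symantec manual: a model of the Routing
screen's table (Table 4-1) with the gateway-on-local-segment check and a
longest-prefix-match lookup. Addresses are constructed sample data."""
import ipaddress

# Constructed: the appliance's own interface addresses, one per drop-down choice.
INTERFACES = {
    "Internal LAN": ipaddress.ip_interface("192.168.0.1/24"),
    "External WAN 1": ipaddress.ip_interface("207.158.227.235/24"),
}


def validate_route(dest, mask, gateway, interface):
    """Return a problem description, or None if the Table 4-1 rules are met."""
    try:
        # strict=True rejects a Destination with host bits set (e.g. .5 instead of .0)
        ipaddress.ip_network(f"{dest}/{mask}", strict=True)
    except ValueError as exc:
        return f"destination/mask invalid: {exc}"
    if interface not in INTERFACES:
        return f"unknown interface {interface!r}"
    gw = ipaddress.ip_address(gateway)
    if gw not in INTERFACES[interface].network:
        # the manual's rule: the gateway is the next hop on the attached segment,
        # never the router sitting on the remote segment
        return (f"gateway {gateway} is not on the {interface} segment "
                f"{INTERFACES[interface].network}; enter the next hop, not the remote router")
    return None


def build_table(rows):
    """Validate every (dest, mask, gateway, interface, metric) row and build the table."""
    table = []
    for dest, mask, gateway, interface, metric in rows:
        problem = validate_route(dest, mask, gateway, interface)
        if problem:
            raise ValueError(f"{dest}/{mask}: {problem}")
        table.append((ipaddress.ip_network(f"{dest}/{mask}"), gateway, interface, metric))
    return table


def lookup(table, destination):
    """Longest-prefix match (lowest metric breaks ties); returns (gateway, interface) or None."""
    ip = ipaddress.ip_address(destination)
    best = None
    for network, gateway, interface, metric in table:
        if ip in network:
            rank = (network.prefixlen, -metric)
            if best is None or rank > best[0]:
                best = (rank, gateway, interface)
    return None if best is None else (best[1], best[2])


# Constructed routes: a second LAN segment behind a router at 192.168.0.254,
# and a default route out of WAN 1 via an assumed ISP gateway.
ROUTES = [
    ("192.168.100.0", "255.255.255.0", "192.168.0.254", "Internal LAN", 1),
    ("0.0.0.0", "0.0.0.0", "207.158.227.1", "External WAN 1", 1),
]

if __name__ == "__main__":
    table = build_table(ROUTES)
    print(lookup(table, "192.168.100.7"))   # ('192.168.0.254', 'Internal LAN')
    # a route whose gateway is the remote router is rejected:
    print(validate_route("10.10.10.0", "255.255.255.0", "10.10.10.4", "Internal LAN"))
```

The validation is what to run before clicking Save: a gateway that is not on the attached segment is exactly the kind of incorrect entry that, as the text above warns, can cost you the connection to the unit.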
nesses, such as integrated high availability, automatic dial-up backup, and virtual private networking (VPN).

Firewall (Stateful Inspection)
Stateful Inspection provides protection against hackers while enabling high-speed access to the Internet. It also supports advanced functions that enable more flexible configuration. The Symantec Firewall/VPN works with and complements our enterprise firewalls, such as the Symantec Enterprise Firewall or VelociRaptor. It is not a replacement for enterprise firewalls, but is designed to provide the right suite of features at the right price.

Networking
The Symantec Firewall/VPN also enables a local area network (LAN). This allows all the connected computers to share files, printers, and other network devices. The multiport 10/100 switch, working with the built-in DHCP server, enables multiple users to connect to a shared network with nothing more than a standard Ethernet cable. The DHCP server leases IP addresses to computers as they connect to the local network. This combination ensures quick and easy network setup for even the most inexperienced PC users. Also included is PPPoE support and features such as NAT and PAT.

Virtual Private Networking (VPN)
The VPN feature of the Symantec Firewall/VPN enables secure and inexpensive tunneling between the local site and other sites, such as the central office or ISP. All of the Symantec Firewall/VPN models act as VPN gateways (VPN end points) for gateway-to-gateway VPN
ntec Firewall/VPN connecting to Symantec Enterprise VPN

Static tunnel
Static tunnels are configured by specifying all of the key information for the tunnel on both ends. Each end must match identically for the tunnel to work properly. Static tunnels can use either DES or 3DES strength for encapsulation.

Symantec Firewall/VPN Static tunnel configuration
Figure 7-2 VPN Static tunnel diagram: a Symantec Firewall/VPN 200 with LAN hosts 192.168.0.1 and 192.168.0.2 on one side, and a Symantec Enterprise VPN 6.5.x security gateway at 192.168.40.1 with the remote subnet 10.10.10.0/24 (host 10.10.10.4) on the other.

On the Symantec Firewall/VPN appliance, select the VPN Static option from the configuration page. You should be presented with a screen similar to Figure 7-3 on page 7-4.

Figure 7-3 VPN Static Key screen, IPSec Security Association, as filled in for this example:
Select Security Association: select only if updating or deleting an existing configuration; Update Fields Below: select an SA above first unless adding
Name: 200_to_SEVPN
Enable/Disable: Enable
WAN Port: WAN 1 (you must bind the VPN tunnel to a WAN port)
PPPoE Session: Session 1 (select the PPPoE session to bind the VPN tunnel to)
Incoming SPI: 257
Outgoing SPI: 257
Encryption and Authentication Method: ESP DES MD5
Encryption Key: 0x1234567890123456
Authentication Key: 0x12345678901234567890123456789012
Remote Security Gateway, Gateway Address: 192.168.40.1
NetBIOS Broadcast: Enable/Disable
Global Tunnel: Enable/Disable
Remote Subnet 1: 10.10.10.0, Mask 255.255.255.0
The keys shown are placeholder values for the example; for a real tunnel generate your own random keys of the full length the chosen method requires, and prefer a 3DES method over single DES.
Remote
o limit (0/0 means no limit)
Perfect Forward Secrecy: Enable / Enable
Local Security Gateway ID Type: IP Address / IP Address
Phase 1 ID: blank / blank
Remote Security Gateway, Gateway Address: 2.2.2.2 / 1.1.1.1
ID Type: IP Address / IP Address
Phase 1 ID: blank / blank
Pre-Shared Key: everygoodboydoesfine / everygoodboydoesfine
For Gateway-to-Gateway Tunnels:
NetBIOS Broadcast: disable / disable
Global Tunnel: disable / disable
Remote Subnet 1 IP: 192.168.0.0 / 192.168.100.0
Remote Subnet 1 Mask: 255.255.255.0 / 255.255.255.0
(Each row gives the VPN Dynamic Key screen field, then the Symantec FW/VPN 100 setting and the Symantec FW/VPN 200 setting.) The pre-shared key in this example is a memorable phrase chosen for illustration; because it is the only thing that authenticates the peer, use a long random value in production.

VPN Client Identity
Figure 5-6 VPN Client Identity screen. Fields: User Identity (Select User, select only if updating or deleting current users; Update Fields Below, select a user above first unless adding); Enable; User Name (must match the Client ID offered by the remote VPN client); Pre-Shared Key; Add, Delete, Update Entry, Clear Form, Cancel; list columns Name, Enable, Pre-Shared Key.
The VPN Client Identity screen identifies and enables VPN Client users. It also defines Pre-Shared Keys.

To add a new VPN Client user
1 From the Symantec Firewall/VPN 200R Main Menu, select Client Identity.
2 Under User Identity, click Enable.
3 In the User Name field, enter the user name.
4 In the Pre-Shared Key field, enter the pre-sh
operly packaged, freight and insurance prepaid, with the RMA number prominently displayed on the exterior of the shipment packaging and with the Appliance. Symantec will have no obligation to accept any Appliance which is returned without an RMA number. Upon completion of repair, or if Symantec decides in accordance with the warranty to replace a defective Appliance, Symantec will return such repaired or replacement Appliance to You, freight and insurance prepaid. In the event that Symantec, in its sole discretion, determines that it is unable to replace or repair the Hardware, Symantec will refund to You the F.O.B. price paid by You for the defective Appliance. Defective Appliances returned to Symantec will become the property of Symantec.

Symantec does not warrant that the Appliance will meet your requirements, or that operation of the Appliance will be uninterrupted, or that the Appliance will be error-free. THE ABOVE WARRANTIES ARE EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE.

4. Disclaimer of Damages
SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO
oppy for safe keeping.
9 You can now return DIP switches 1 & 2 to OFF.

View Log
The Symantec Firewall/VPN View Log screen displays a record of system events.
Figure 6-3 View Log screen (columns: UTC Time, Message, Source, Destination, Note)

Log Settings
This screen lets you set the type of log entries recorded and set the log forwarding parameters. Logs generated on the Symantec Firewall/VPN are buffered in a limited memory space. When the log is full, new entries overwrite the oldest ones, so it is best to have the log forwarded. Standard syslog forwarding is neither authenticated nor encrypted, so point it at a host on the trusted LAN side.

Figure 6-4 Log Settings screen. Fields: Forwarding, Syslog Server (enter the IP or domain of a host running a standard Syslog utility); Email Settings (SMTP Server, Email Sender, Email Receiver, Email Log); Log entries recorded: System (system activity, connection status), Debug (debug information), Blocked (packets blocked by an access filter), Dropped (packets dropped by a firewall rule), Attack (detected attack); Alternate NTP Server (if using an NTP proxy enter it here, otherwise standard NTP servers are used); Save, Cancel, Clear Log.

To configure Log Settings
1 Under Forwarding, in the Syslog Server field, enter the IP address of a host running a standard Syslog utility to receive the log.
2 Under Email Settings, in the SMTP Server field, enter the IP address or URL of the SMTP server you want to receive the log.
3 In the Email Sender field, enter the email address of the sender of the email. The Email Send
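The following is an added example and not part of the Symantec manual: a minimal collector for the host you name in the Syslog Server field. It parses the standard syslog PRI header (facility times 8 plus severity), tags each message with one of the five categories the Log Settings screen records (System, Debug, Blocked, Dropped, Attack) and keeps counts, so nothing is lost when the unit's own log buffer wraps. The message bodies are constructed samples; the page does not show the unit's exact wording, so the category is found by keyword, which is an assumption about the message format.

```python
"""Added example, not from the Symantec manual: a syslog receiver and parser
for the Log Settings forwarding target. Sample datagrams are constructed."""
import re
import socket
from collections import Counter

# The five entry types the Log Settings screen can record, most urgent first.
CATEGORIES = ("Attack", "Dropped", "Blocked", "Debug", "System")
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_syslog(datagram: bytes) -> dict:
    """Split one syslog datagram into facility, severity, category and text."""
    text = datagram.decode("ascii", errors="replace")
    m = PRI_RE.match(text)
    if not m:
        raise ValueError("no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:                       # facilities 0-23, severities 0-7
        raise ValueError("PRI out of range")
    body = m.group(2).strip()
    lowered = body.lower()
    # assumption: the unit names the entry type in the message text
    category = next((c for c in CATEGORIES if c.lower() in lowered), "Other")
    return {"facility": pri // 8, "severity": pri % 8,
            "category": category, "text": body}


def summarize(datagrams) -> Counter:
    """Count messages per category; Attack and Dropped are the ones worth alerting on."""
    return Counter(parse_syslog(d)["category"] for d in datagrams)


def serve(bind="0.0.0.0", port=514, handler=print):
    """Blocking UDP listener for the LAN-side host named in the Syslog Server field."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, (src, _) = sock.recvfrom(2048)
        handler(src, parse_syslog(data))


# Constructed sample datagrams, not captured from a real unit.
# PRI 14 is user.info, 12 is user.warning, 10 is user.critical.
SAMPLES = [
    b"<14>Jan  1 00:00:01 firewall System: WAN 1 connection status up",
    b"<12>Jan  1 00:00:05 firewall Dropped: 203.0.113.9:4444 -> 198.51.100.2:23 TCP",
    b"<10>Jan  1 00:00:09 firewall Attack: port scan from 203.0.113.9",
]

if __name__ == "__main__":
    print(summarize(SAMPLES))   # Counter({'System': 1, 'Dropped': 1, 'Attack': 1})
```

Run serve() as a privileged user (port 514) on the host entered in the Syslog Server field; the parsed records can then be written to disk or fed to whatever alerting you already use, which is what the on-board buffer cannot do.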
ot depend on the IP address of the two devices, and is therefore often used for VPN tunnels where the IP addresses are not known ahead of time. For example, telecommuters typically get a dynamic IP address from their ISPs, so the IP address cannot be used to identify the requestor. Typically, in client-to-gateway configurations, a user ID is the form of identification. Because Aggressive Mode sends the identities and the authentication hash before the exchange is encrypted, a pre-shared key used with it can be guessed offline by anyone who captures the exchange; use a long random pre-shared key.
7 From the Encryption Method drop-down list, select an Encryption Method.
8 In the SA Lifetime field, enter the lifetime in minutes that the Security Association will stay active before automatically rekeying.
9 In the SA Data Volume Limit field, enter the amount of data in Kbytes that can pass through the VPN before the Security Association automatically rekeys.
10 In the Inactivity Timeout (Seconds) field, enter the inactivity time in seconds before the VPN will automatically close down.
11 Click the Perfect Forward Secrecy Enable or Disable radio button to set Perfect Forward Secrecy (PFS), a fresh Diffie-Hellman exchange in IKE phase 2 so that compromise of the phase 1 keys does not expose earlier phase 2 keys.
12 Under Local Security Gateway, from the ID Type drop-down list, select the IKE Phase 1 negotiation ID type (IP Address or Distinguished Name).
13 In the Phase 1 ID field, enter the value or name for the Phase 1 ID. The default is the IP address of the gateway when IP Address is selected.
14 Under Remote Security Gateway, in the Gateway Address field, enter the Gateway Address of the destination network. The Gateway Address can be an IP address or the DNS nam
ow); Reserved in Access Group: Everyone; Bind with WAN Port: Disabled/Enabled, WAN 1; Bind with PPPoE Session: Session 1 (leave on Session 1 unless you have a multi-session PPPoE account); Add, Delete, Update Entry, Clear Form, Cancel; list columns: Name, Adapter Address, Reserved IP, Security Group, PPPoE Session.
Figure 4-5 Host IP and Group screen

To configure Host IP and Group
1 In the Host Network Identity section, enter a Host Name. Give the host a short descriptive name; this can be the same as the Host Name in the computer's network properties if you want.
2 Enter the Network Adapter Address. The Symantec Firewall/VPN identifies the host by the adapter address of its Network Interface Card (NIC), usually an Ethernet card. You must enter the address of the host's NIC in this field. Note that an adapter address is easy to change on most operating systems, so a security group membership keyed on it keeps honest hosts apart but does not stop a deliberate impersonator on the LAN.
3 In the Host Settings section, check the Reserve Entry In DHCP Table check box to assign a static local IP to the computer via the DHCP server on the Firewall/VPN. This means that the Symantec Firewall/VPN will reserve the IP address below specifically for this host and will give this IP only to this host whenever it boots. You can leave the computer's network properties set to Obtain IP Address Automatically, since the Symantec Firewall/VPN will ensure its IP always stays the same.
4 In the Reserved IP field, enter the IP address you want for this computer. It must be on the same class network
owing IPsec encryption types:
Table 5-1 IPSec Encryption types
AH MD5
AH SHA1
ESP DES
ESP DES MD5
ESP DES SHA1
ESP 3DES
ESP 3DES MD5
ESP 3DES SHA1
ESP MD5
ESP SHA1
ESP DES and ESP 3DES encrypt packets without authenticating them, and ESP MD5 and ESP SHA1 authenticate without encrypting; choose a combined method such as ESP 3DES SHA1 if you need both.

The Symantec Firewall/VPN offers two types of VPN tunnels: Static Key and Dynamic Key.

VPN Static Key tunnel
A user manually enters an authentication key (a long string of numbers and letters) as well as an encryption key (another string, used for the encryption algorithm if encryption is used). The keys must match on both sides of the VPN. Also, an SPI (Security Parameter Index) is manually entered and included with every packet transmitted between gateways. The SPI is a unique identifier that tells the gateway which set of keys belongs to which packet.

VPN Dynamic Key tunnel
IKE (Internet Key Exchange) automatically generates the authentication and encryption keys. Typically, a long password called a shared secret is entered. The gateway needs to recognize this password for authentication to succeed. If the shared secret matches, then the SPIs, authentication keys, and encryption keys are automatically generated and the tunnel is created. The gateway usually re-keys (generates a new key) automatically at set intervals to limit how much traffic any one key protects.

To configure a VPN using Static Key
VPN Static Key screen, IPSec Security Association: Select Security Association (select only if updating or deleting an existing configuration); Update Fields B
r Static VPN tunnel.

To update a VPN configuration using Static Key
1 From the Main Menu, select VPN Static Key.
2 From the Security Association drop-down list, select a Security Association name to view information about that Security Association.
3 Click Update Fields Below.
4 Enter all new or changed information.
5 Click the Update Entry button to save your changes and update the VPN.

To delete a VPN configuration using Static Key
1 From the Main Menu, select VPN Static Key.
2 From the Security Association drop-down list, select a Security Association name to view information about that Security Association.
3 Click Delete to delete the VPN.

Static tunnel example
The following example consists of a network diagram of a gateway-to-gateway static tunnel and a table (Table 5-2 on page 5-7) that shows all of the entries required to configure both endpoints of this static tunnel.

Figure 5-2 Static tunnel network diagram: a Symantec Firewall/VPN 200 and a Symantec Firewall/VPN 100 joined by a static tunnel, one with LAN hosts 192.168.100.1, 192.168.100.3 and 192.168.100.4, the other with LAN hosts 192.168.0.1 and 192.168.0.4.

Table 5-2 Static tunnel network example settings (each row gives the VPN Static Key screen field, then the Symantec FW/VPN 100 setting and the Symantec FW/VPN 200 setting)
IPSec Security Association Name: static 100 to 200 / static 200 to 100
Enable/Disable: Enable / Enable
WAN Port: WAN 1 / WAN 2
PPPoE Session: Session 1 / Session 1
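The following is an added example and not part of the Symantec manual: a consistency check for a Static Key tunnel of the kind shown in the static tunnel examples (the ESP DES MD5 SA on the VPN Static Key screen and the two-sided Table 5-2). It takes one side's screen values, derives what the other end must be given, and checks the rule that each end must match identically: the peer's Incoming SPI equals this side's Outgoing SPI and vice versa, both keys are byte-for-byte equal, and every key has the length its method needs (DES 8 bytes, 3DES 24, HMAC-MD5 16, HMAC-SHA1 20, which are the standard sizes and not stated on the page). SPIs 0 through 255 are reserved by the IPsec RFCs, which is why the example starts at 257. The key values are the placeholders from the example, not usable keys.

```python
"""Added example, not from the Symantec manual: validate one end of a
Static Key IPsec SA, derive the matching peer entry, and check the pair.
Key lengths are the standard DES/3DES/HMAC sizes; keys are placeholders."""

# (encryption key bytes, authentication key bytes) for each Table 5-1 method
METHOD_KEY_LEN = {
    "ESP DES": (8, 0), "ESP DES MD5": (8, 16), "ESP DES SHA1": (8, 20),
    "ESP 3DES": (24, 0), "ESP 3DES MD5": (24, 16), "ESP 3DES SHA1": (24, 20),
    "ESP MD5": (0, 16), "ESP SHA1": (0, 20), "AH MD5": (0, 16), "AH SHA1": (0, 20),
}


def key_bytes(key: str) -> int:
    """Number of bytes in a 0x... key field (an empty field is 0 bytes)."""
    body = key[2:] if key.lower().startswith("0x") else key
    if len(body) % 2 or any(c not in "0123456789abcdefABCDEF" for c in body):
        raise ValueError(f"key {key!r} is not an even-length hex string")
    return len(body) // 2


def check_side(sa: dict) -> list:
    """Problems with one end's Static Key SA; an empty list means it is acceptable."""
    problems = []
    enc_len, auth_len = METHOD_KEY_LEN[sa["method"]]
    if key_bytes(sa["enc_key"]) != enc_len:
        problems.append(f"{sa['name']}: encryption key must be {enc_len} bytes for {sa['method']}")
    if key_bytes(sa["auth_key"]) != auth_len:
        problems.append(f"{sa['name']}: authentication key must be {auth_len} bytes for {sa['method']}")
    for label in ("in_spi", "out_spi"):
        if not 256 <= sa[label] <= 0xFFFFFFFF:   # 0-255 are reserved SPI values
            problems.append(f"{sa['name']}: {label} {sa[label]} is outside 256..4294967295")
    return problems


def weak_settings(sa: dict) -> list:
    """Warnings that do not stop the tunnel from coming up but should be fixed."""
    warnings = []
    if "DES" in sa["method"] and "3DES" not in sa["method"]:
        warnings.append(f"{sa['name']}: single DES (56-bit) is weak; prefer a 3DES method")
    if METHOD_KEY_LEN[sa["method"]][1] == 0:
        warnings.append(f"{sa['name']}: {sa['method']} has no authentication; packets can be altered undetected")
    return warnings


def mirror(sa: dict, name: str, wan_port: str) -> dict:
    """Derive the peer's SA: SPIs are swapped, method and keys are copied unchanged."""
    return dict(sa, name=name, wan_port=wan_port, in_spi=sa["out_spi"], out_spi=sa["in_spi"])


def check_pair(a: dict, b: dict) -> list:
    """Problems with a pair of SAs meant to form one tunnel."""
    problems = check_side(a) + check_side(b)
    if a["in_spi"] != b["out_spi"] or a["out_spi"] != b["in_spi"]:
        problems.append("SPIs do not cross-match between the two ends")
    for field in ("method", "enc_key", "auth_key"):
        if a[field].lower() != b[field].lower():
            problems.append(f"{field} differs between the two ends")
    return problems


# The manual's example SA (placeholder keys; generate random ones for real use).
SIDE_200 = {
    "name": "200_to_SEVPN", "wan_port": "WAN 1", "method": "ESP DES MD5",
    "in_spi": 257, "out_spi": 257,
    "enc_key": "0x1234567890123456",
    "auth_key": "0x12345678901234567890123456789012",
}

if __name__ == "__main__":
    peer = mirror(SIDE_200, "SEVPN_to_200", "WAN 1")
    print(check_pair(SIDE_200, peer))      # []
    print(weak_settings(SIDE_200))         # one warning about single DES
```

Because a static tunnel never re-keys on its own, the two keys above protect all traffic for as long as the entry exists; treat them like the configuration backup file and rotate them by updating both ends together.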
ranty period, or refund the money you paid for the Appliance.

The warranties contained in this agreement will not apply to any Software or Hardware which (A) has been altered, supplemented, upgraded or modified in any way, or (B) has been repaired except by Symantec or its designee. Additionally, the warranties contained in this agreement do not apply to repair or replacement caused or necessitated by: (i) events occurring after risk of loss passes to You, such as loss or damage during shipment; (ii) acts of God, including without limitation natural acts such as fire, flood, wind, earthquake, lightning, or similar disaster; (iii) improper use, environment, installation or electrical supply, improper maintenance, or any other misuse, abuse or mishandling; (iv) governmental actions or inactions; (v) strikes or work stoppages; (vi) Your failure to follow applicable use or operations instructions or manuals; or (vii) such other events outside Symantec's reasonable control.

Upon discovery of any failure of the Hardware or component thereof to conform to the applicable warranty during the applicable warranty period, You are required to contact us within ten (10) days after such failure and seek a return material authorization (RMA) number. Symantec will promptly issue the requested RMA as long as we determine that you meet the conditions for warranty service. The allegedly defective Appliance or component thereof shall be returned to Symantec securely and pr
rewall/VPN in an environment that exceeds temperature and humidity specifications.
- Do not place the Symantec Firewall/VPN near a radiator or heat register, or in a built-in installation unless adequate ventilation is provided.
- Before cleaning the Symantec Firewall/VPN, unplug it from the wall outlet. Do not use liquid cleaners or aerosol cleaners. Use a damp cloth for cleaning.
- Do not place cords or cables where they may be walked on or tripped over.
- Be sure to comply with any applicable local safety standards or regulations.
- General purpose cables are provided with the Symantec Firewall/VPN. Any cables or other requirements mandated by local authority are your responsibility.
- Cables that are attached to devices in different locations that have different power sources and grounding may have hazardous voltage potentials. Consult a qualified electrical consultant before installing the Symantec Firewall/VPN to see if this phenomenon exists and, if necessary, take corrective action.
- Never touch uninsulated telephone wires or terminals unless the line has been disconnected.
- Avoid using telephone equipment or installing the Symantec Firewall/VPN during an electrical storm.
- Never install telephone jacks, lines, network cables, the Symantec Firewall/VPN, or power connections in wet locations.
- Never spill liquid of any kind on the Symantec Firewall/VPN.

Internet account information
You must determine what type of Internet
t otherwise permit you to obtain and use Content Updates.

3. Limited Warranty
Symantec warrants that the media on which the Restore Software is distributed will be free from defects for a period of thirty (30) days from the date of purchase of the Appliance. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money you paid for the Restore Software. Symantec warrants that the Software will perform on the Appliance in substantial compliance with the written documentation accompanying the Appliance for a period of thirty (30) days from the date of purchase of the Appliance. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, repair or replace any defective Software returned to Symantec within the warranty period or refund the money you paid for the Appliance. Symantec warrants that the hardware component of the Appliance (the "Hardware") shall be free from defects in material and workmanship under normal use and service and substantially conform to the written documentation accompanying the Appliance for a period of three hundred sixty-five (365) days from the date of purchase of the Appliance. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, repair or replace any defective Hardware returned to Symantec within the war
ter is powered on and your Ethernet card is functioning properly. This is true for every connection you make to the Symantec Firewall/VPN: always check for a corresponding green link LED.

Configuring your computer
Configuring your computer involves setting it up to automatically accept IP addressing from the Symantec Firewall/VPN's DHCP server. This forms an internal network (LAN), separate from the outside, with its own private IP addressing scheme. Configuration procedures may vary depending on the operating system of your computer. The following is for Windows NT only. Follow the procedure below for each additional computer you connect to the Symantec Firewall/VPN.
1 Click Start > Settings > Control Panel.
2 Open Network, then select TCP/IP. If there is more than one TCP/IP entry, pick the one bound to your Ethernet card.
3 Click Properties.
4 Verify that Obtain an IP address automatically is selected.
5 Click the Gateway tab. Confirm that there are no entries.
6 Click the DNS Configuration tab. Confirm that Disable DNS is selected. If there are entries under any of these tabs, make a note of them before clearing them, as they may have to be entered into the Symantec Firewall/VPN.
7 Reboot your computer.

Configuration
Management/Configuration interface
The Symantec Firewall/VPN has a Web-based configuration interface. Use any standard web browser running on your computer to configure settings on the Sym
that uses the Internet, you can try this feature to troubleshoot. Creating a Special Application (see Special Applications on page 4-14) or a Virtual Server (see Custom Virtual Server on page 4-20) may be a safer way to solve the problem. You must choose a WAN port on which to expose the host.

Figure 4-9 Virtual Server network diagram example: the Firewall/VPN has internal LAN port 192.168.0.1 and external WAN port 207.158.227.235; a WEB server and an FTP server sit on the LAN at 192.168.0.10 and 192.168.0.20; remote PCs reach the FTP server at ftp://207.158.227.235 and the WEB server at http://207.158.227.235.

Custom Virtual Server
This function defines a custom server accessible from the outside by the Firewall/VPN's external WAN IP address. The Symantec Firewall/VPN then redirects the request to an internal local IP address for the virtual server. You should first check the Virtual Server screen to make sure your server is not already predefined.

Custom Virtual Servers screen fields: Existing Custom Virtual Servers (Select Entry, select if updating or deleting; Update Fields Below, select an entry above first unless adding); Virtual Server Configuration (Name; Enable; internal IP address, with the note to make a DHCP table reservation in Host IP & Group; Protocol TCP/UDP; Internal Port Range Start and Finish; External Port Range Start and Finish); Add, Delete, Update Entry, Clear Form, Cancel; Virtual Server List (Name, Ena
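The following is an added example and not part of the Symantec manual: a model of the Virtual Servers and Custom Virtual Servers tables together with the Exposed Host (DMZ) setting described above. Inbound packets arrive at the single external WAN address and the table decides which LAN host and port they are redirected to. It performs the checks a practitioner wants before enabling an entry: the internal and external port ranges must be the same size (an assumption, since the page does not say how unequal ranges are handled), two enabled entries must not claim the same external protocol/port, and an Exposed Host takes everything no virtual server matched (also an assumption about precedence). The WAN and LAN addresses are the ones in Figure 4-9; the port ranges and the third host are constructed.

```python
"""Added example, not from the Symantec manual: virtual server table
validation and inbound redirection, including the Exposed Host fallback.
Table rows are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VirtualServer:
    name: str
    enabled: bool
    protocol: str        # "TCP" or "UDP"
    internal_ip: str     # LAN host, which should hold a DHCP reservation
    internal_start: int
    internal_end: int
    external_start: int
    external_end: int


def validate(entries):
    """Return problems found in the table; an empty list means it is consistent."""
    problems = []
    claimed = {}  # (protocol, external port) -> name of the entry that owns it
    for e in entries:
        # assumption: the redirect is 1:1, so both ranges must be the same size
        if (e.internal_end - e.internal_start) != (e.external_end - e.external_start):
            problems.append(f"{e.name}: internal and external ranges differ in size")
        if not e.enabled:
            continue
        for port in range(e.external_start, e.external_end + 1):
            owner = claimed.setdefault((e.protocol, port), e.name)
            if owner != e.name:
                problems.append(f"{e.name}: {e.protocol}/{port} already used by {owner}")
    return problems


def redirect(entries, exposed_host, protocol, external_port):
    """Map an inbound (protocol, external port) to (LAN host, LAN port), or None if dropped."""
    for e in entries:
        if (e.enabled and e.protocol == protocol
                and e.external_start <= external_port <= e.external_end):
            return e.internal_ip, e.internal_start + (external_port - e.external_start)
    if exposed_host:           # DMZ: every unmatched port reaches this host unchanged
        return exposed_host, external_port
    return None                # no entry matched; the firewall drops it


# Constructed table for the Figure 4-9 network (WAN 207.158.227.235, LAN 192.168.0.0/24).
TABLE = [
    VirtualServer("WEB", True, "TCP", "192.168.0.10", 80, 80, 80, 80),
    VirtualServer("FTP", True, "TCP", "192.168.0.20", 21, 21, 21, 21),
    # custom entry: external TCP 8000-8009 forwarded to 3000-3009 on a third host
    VirtualServer("custom-app", True, "TCP", "192.168.0.30", 3000, 3009, 8000, 8009),
]

if __name__ == "__main__":
    print(validate(TABLE))                              # []
    print(redirect(TABLE, None, "TCP", 8003))           # ('192.168.0.30', 3003)
    print(redirect(TABLE, None, "TCP", 22))             # None
    print(redirect(TABLE, "192.168.0.40", "TCP", 22))   # ('192.168.0.40', 22)
```

The last two calls show why the text says to keep Exposed Host disabled until needed: with no exposed host an unmatched port is dropped, but once one is set every port you did not explicitly forward reaches that machine.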
the switch too quickly. Use slow, smooth movements. Practice Step 4 with the power off before trying it for the first time. The unit should now have its IP address and network mask back at their defaults and its password cleared.

Configuration back up
The Symantec Firewall/VPN lets you back up the configuration settings you made through the user interface, should something happen to the unit. This procedure results in a small file that can be put on a floppy and into a firesafe box or other safe place. The file holds every setting you entered, including the unit password and the VPN keys, so protect it as you would those secrets. To perform these steps you will need to use the nxtftpw utility. There are two versions of the nxtftpw utility: a Windows (Win95/98/ME/NT and 2000) version and a DOS version. Both are available on the CD in the Utilities directory. The following procedure uses the Windows version.

To retrieve the backup file
1 Power off the unit by pulling the power plug from the back of the Firewall/VPN.
2 Flip DIP switches 1 and 2 to the ON position (DOWN).
3 Put the power plug back into the Firewall/VPN.
4 Copy the nxtftpw utility from the CD to a folder on your hard drive.
5 Double-click the nxtftpw icon.
6 Enter the IP address of the Symantec Firewall/VPN into the Server IP field (it should be 192.168.0.1 unless you changed it).
7 Enter any filename for the backup file into Local File ("config" works).
8 Press the Get button. After a moment a file named config will appear in the same folder that the nxtftpw application is in. Do this from a machine on the LAN side and return the DIP switches to OFF as soon as the file is retrieved. You can now take this file and copy it to a fl
Figure 4-8 Virtual Servers screen: predefined entries, each with an Enable check box and a local IP address field, for IPsec, PPTP, Mail (SMTP), Mail, News, Telnet, Gopher, Whois and Finger; Save, Cancel.

To configure a Virtual Server
1 Using the Host IP & Group screen, set up a static local IP for your server (or set it on the server itself). Virtual Servers need a local host with a static IP address to operate effectively.
2 Check the Enable box next to the server type and enter that local host's LAN IP address to activate a predefined virtual server. You can have different virtual servers directed to the same host.
3 Click Save.

Virtual Servers example: IP Address seen by Internet users
The following diagram (Figure 4-9 on page 4-20) shows an example network where two Internet users are connecting to the same IP address but are using different protocols or port numbers. To Internet users, all virtual servers on your network have the same IP address: the External WAN Port IP address displayed on your Status screen. The previous Virtual Servers screen (Figure 4-8 on page 4-18) shows the configuration for this example.

Exposed Host (DMZ)
Exposed Host, or DMZ, is available for a single computer on the LAN. It exposes all ports on the specified host to the outside. For security, you should always keep this disabled until you need to use it. If you are having trouble with an application
to-Gateway Tunnels
Figure 5-3 VPN Dynamic Key screen (part 1)
Figure 5-4 VPN Dynamic Key screen (part 2). Fields: Main Mode / Aggressive Mode; For Gateway-to-Gateway Tunnels: NetBIOS Broadcast Enable/Disable, Global Tunnel Enable/Disable, Remote Subnet 1 through Remote Subnet 5 (IP and Mask); Add, Delete, Update Entry, Clear Form, Cancel; Security Association List (Status, Name, Security Gateway, Remote Subnet, Encryption Method).

1 From the Main Menu, select VPN Dynamic Key.
2 In the Name field, enter a descriptive name for the Security Association.
3 Click the Enable radio button.
4 From the WAN drop-down list, select a WAN port.
5 From the PPPoE Session drop-down list, select the session number. Use Session 1 if you only have one session available from your ISP.
6 Click the Main Mode or Aggressive Mode radio button to set the Phase 1 negotiation mode. Main Mode uses an exchange of six messages to validate the identity of the initiator and the responder. By default, Main Mode uses IP addresses to identify the VPN gateways; however, this may be overridden with a string label if the address of the gateway is NATted on the network. Main Mode provides the most protection from encryption-based denial of service attacks. Aggressive Mode uses three message exchanges between the initiator and the responder during key negotiation. It does n
tp://service.symantec.com, then select your product and version. This gives you access to product knowledge bases, an interactive troubleshooter, Frequently Asked Questions (FAQ), and more.
- PriorityCare, GoldCare, and PlatinumCare support: Fee-based telephone support services are available to all registered customers. For complete information, please call our automated fax retrieval service at (800) 554-4403 and request document 933000. For telephone support information, connect to http://service.symantec.com, select your product and version, and then click Go. On the Service & Support page for your product, click Contact Options.
- Automated fax retrieval: Use your fax machine to receive general product information, fact sheets, and product upgrade order forms by calling (800) 554-4403. For technical application notes, call (541) 984-2490.

Support for old and discontinued versions
When a new version of this software is released, registered users will receive upgrade information in the mail. Telephone support will be provided for the old version for six months after the release of the new version. Technical information may still be available through the Service & Support Web site (http://service.symantec.com). When Symantec announces that a product will no longer be marketed or sold, telephone support will be discontinued 60 days later. Support will be available for discontinued products from the Service & Support Web site only.
Figure 4-12 Expert Level screen. Fields (Entry, Explanation): Allow IDENT Port, Enable/Disable (note: makes port 113 appear closed rather than stealth); NAT Function, Enable/Disable; RIP v2, Enable/Disable; Log Level, User Level / Debug Level; IPsec Type, 1 SPI / 2 SPI / Others / None; Language, English / French / German / Spanish; SNMP Trap Receiver, IP Address 1, IP Address 2, IP Address 3; Remote Access IP Range, Start IP Address and End IP Address; Allow Remote Upgrade, Enable/Disable; Restore Defaults, Save, Cancel. Because the last two settings govern who may reach the unit's management interface remotely, keep the Remote Access IP Range limited to the addresses you manage from and leave Allow Remote Upgrade disabled except while you are performing an upgrade.

Expert Level Connection fields
Load Balance
On the Symantec Firewall/VPN 200 or 200R you have the option of manually setting the Load Balance to use with the Broadband Connection Binding feature. This setting determines what percentage of packets is sent to each WAN port. For slower connections, use a lower value on that WAN port for best performance. You only enter the WAN port 1 percentage; WAN port 2's percentage is calculated from that value.

SMTP Bind
If you have Internet accounts from two separate ISPs connected simultaneously, you might have to make sure that your e-mail (SMTP protocol) only transmits on the WAN connection associated with your e-mail server. Otherwise the server might reject e-mail being sent from a dif
tunnels and remote client VPN-to-gateway tunnels (model 200R).

High Availability/Load Balancing
The Symantec Firewall/VPN 200 and 200R models include two WAN-side ports that can load share across the two ports, and even across two service providers using different Internet connection technologies (for example, DSL and cable).

Automatic Dial-Up Back-Up
Models 100, 200 and 200R include the ability to interface with an analog modem for auto dial-up backup. The Dial-Up Back-Up automatically engages a dial-up connection to the Internet using the serial port if the primary Internet connection fails. This ensures some level of connectivity even if your main Internet connection fails. It will automatically disengage when the primary connection returns. The serial port is used for analog or ISDN connections, as well as for pre-configuring or resetting the unit via a terminal console. The serial port can be used in Back-Up mode or as the sole Internet connection of the unit until broadband is available in your area.

IP Address Sharing
The IP Address Sharing feature allows one or two external IP addresses to be shared across an entire office. This sharing creates many unique internal IP addresses from one or two external IP addresses and enables cost-efficient use of Internet connectivity.

Logging (Onboard Logging)
The Symantec Firewall/VPN creates a local log, or record, of configuration changes and security-related events. These logs are remotely acc
vating the Serial Console Interface and to configure the Symantec Firewall/VPN for firmware upgrades.
- LAN Link LEDs: 100BaseT, 10BaseT and Duplex LED link indicators for the LAN port(s).
- Power Indicator LED: Lights when the power switch is on and power is supplied to the unit.
- Error LED indicator.
- LAN/WAN Transmit/Receive: Lights when data is transferred between the WAN and LAN.
- Backup Active LED: Lights when the ISDN/Analog backup feature is in progress (when broadband has dropped).
Figure 1-1 Symantec Firewall/VPN 100 front panel
Figure 1-2 Symantec Firewall/VPN 100 back panel

Symantec Firewall/VPN 200
The Symantec Firewall/VPN 200 model features include:
- Eight LAN ports
- Two WAN ports
- No hard user limit, but recommended for offices with up to 30 users
- All the features previously listed in the Product Overview
- Power Indicator LED: Lights when power is supplied to the unit.
- Error LED indicator.
- LAN/WAN Transmit/Receive: Lights when data is transferred between the WAN and LAN.
- Backup Active LED: Lights when the ISDN/Analog backup feature is in progress (when broadband has dropped).
Figure 1-3 Symantec Firewall/VPN 200 front panel
Figure 1-4 Symantec Firewall/VPN 200 back panel

Symantec Firewall/VPN 200R
The Symantec Firewall/VPN 200R has all the features of the 200 model and also comes with the Symantec Enterprise VPN Client software with integrat
95. ville NSW 2111 Australia Symantec Brasil Market Place Tower Av Dr Chucri Zaidan 920 12 andar Sao Paulo SP CEP 04583 904 Brasil SA http www symantec com Fax 541 984 8020 800 554 4403 541 984 2490 http www service symantec com mx 54 11 5382 3802 Fax 54 11 5382 3888 http www symantec com region reg ap 61 2 9850 1000 Fax 61 2 9817 4550 http www service symantec com br 55 11 5189 6300 Fax 55 11 5189 6210 Europe Middle East and Africa Symantec Customer Service Center http www symantec com region reg eu P O Box 5689 353 1 811 8032 Dublin 15 Fax 353 1 811 8033 Ireland Automated Fax Retrieval 31 71 408 3782 Mexico Symantec Mexico http www service symantec com mx Blvd Adolfo Ruiz Cortines 52 5 481 2600 No 3642 Piso 14 Fax 52 5 481 2626 Col Jardines del Pedregal Ciudad de México D F C P 01900 México Other Latin America Symantec Corporation http www service symantec com mx 9100 South Dadeland Blvd Suite 1810 Miami FL 33156 U S A

Subscription policy: If your Symantec product includes virus, firewall or web content protection, you might be entitled to receive protection updates via LiveUpdate. The length of the subscription could vary by Symantec product. When you near the end of your subscription, you will be prompted to subscribe when you start LiveUpdate. Simply follow the instructions on the screen. After your initia
96. y time.

Language Selection screen: The first screen displayed after installation is the Language Selection screen. It is only displayed once. You can choose one of the available languages for the user interface by checking the check box next to the language. If you want to change languages later, go to the Expert Level screen, where these language options are also available.

3.2 Main Setup Screen

[Figure: Main Setup screen of the Symantec Firewall/VPN (with Nexland technology). Menu: General (Main Setup, Static IP & DNS, Status, View Log, LAN IP & DHCP, Config Password); VPN (Static Key, Dynamic Key, Client Identity); Advanced (Host IP & Group, Access Filters, Special Applications, Virtual Servers, Custom Virtual Servers, Exposed Host/DMZ, Advanced PPPoE, Dynamic DNS, Routing, Backup Analog/ISDN, Log Settings, Expert Level). Fields: WAN/Modem Port 1 and Port 2 Connection Status; Mode (Normal / Off / Backup; note: set to Off if not connected); Obtain IP & DNS Automatically (unless Static IP is set); Alive Site IP or URL (for DHCP connections); PPPoE (enable only for PPPoE connections; Name, Password); Optional Network Settings (Host Name, Network Address); Save / Cancel / Refresh.]
97. ymantec. This Agreement shall terminate upon Your breach of any term contained herein, and You shall cease use of and destroy all copies of the Software and shall return the Appliance to Symantec. The disclaimers of warranties and damages and limitations on liability shall survive termination. Should you have any questions concerning this Agreement, or if you desire to contact Symantec for any reason, please write (i) Symantec Customer Service, 175 W Broadway, Eugene, OR 97401, USA, or (ii) Symantec Customer Service Center, PO BOX 5689, Dublin 15, Ireland.

8. Excluded Software. The Excluded Software consists of the open source code software known as Linux included with the Appliance. All Excluded Software is licensed under the GNU General Public License, Version 2, June 1991, a copy of which is included with the user documentation for the Appliance. The license entitles You to receive a copy of the source code for Linux only upon request at a nominal charge. If you are interested in obtaining a copy of such source code, please contact Symantec Customer Service at one of the above addresses for further information.

Service and support solutions: Service and support information is available from the Help system of your Symantec product. Click the Service and Support topic in the Help index.

Technical support: Symantec offers several technical support options.
- StandardCare support: Connect to the Symantec Service & Support Web site at ht
98. z are registered trademarks of Iomega Corporation SuperDisk is a trademark of Imation Enterprises Corporation Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged Printed in the United States of America 109 8 765 43 2 1 SYMANTEC APPLIANCE LICENSE AND WARRANTY AGREEMENT SYMANTEC CORPORATION AND OR ITS SUBSIDIARIES SYMANTEC IS WILLING TO LICENSE THE SOFTWARE INCLUDED WITH THE APPLIANCE YOU HAVE PURCHASED TO YOU AS AN INDIVIDUAL THE COMPANY OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE REFERENCED BELOW AS YOU OR YOUR AND TO PROVIDE WARRANTIES ON THE APPLIANCE ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AND WARRANTY AGREEMENT READ THE TERMS AND CONDITIONS OF THIS LICENSE AND WARRANTY AGREEMENT CAREFULLY BEFORE USING THE APPLIANCE THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND SYMANTEC BY OPENING THIS PACKAGE BREAKING THE SEAL CLICKING ON THE AGREE OR YES BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY REQUESTING A LICENSE KEY OR USING THE SOFTWARE AND THE APPLIANCE YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS CLICK ON THE I DO NOT AGREE OR NO BUTTON IF APPLICABLE AND DO NOT USE THE SOFTWARE AND THE APPLIANCE 1 Software License Except for the software if any described in the Excluded Software se