ZyXEL Communications 652 Network Router User Manual
Contents
1. eene 24 5 Figure 25 1 VPN SMT Menu Tree m eiie e e HR PR ias 25 1 Figure 25 2 Menu 27 VPN IPSec Setup 25 2 Figure 25 3 IPSec summary Pell ond enano CP Ra deer end ER DE Qd atid tes 25 3 Figure 25 4 Telecommuter s Prestige Confgeuraton eren 25 5 Figure 25 5 Headquarters Prestige Configuration eese enne nere nre 25 5 Figure 25 6 Menu 27 1 IPSec Summa eee nne teen no none cnn trennt tntn nenne teen nenne 25 6 Fig re 25 7 Menu Eet eeben pO E E c pi e ek deus 25 9 Figure 25 8 Two Phases to set up the IPSec SA 25 13 Figure 25 9 Menu 27 1 1 1 IKE Setup eta Enero eterni od Tert Ronan esp tero bees 25 15 Figure 25 10 Menu 27 1 1 2 Manual Semi 25 18 Figure 26 1 Menu 27 2 SA Monitor EEN 26 1 Figure 27 1 Example VPN Initiator IPSec Log 27 1 Figure 27 2 Example VPN Responder IPSec Log 27 2 Figure 28 1 Configuration Text File Format Column Descriptions oconoconncnononocconccnnononncnncnncnnnonanonnnnonos 28 2 Figure 28 2 Invalid Parameter Entered Command Line Example eene 28 3 Figure 28 3 Valid Parameter Entered Command Line Example eee 28 3 Figure 28 4 Internal SPTGEN FTP Download Example esee nennen 28 3 Figure 28 5 Internal SPTGEN FTP Upload sample 28 4 Diagram 1 Single PC per Router Hardware Configuration eese A Diagram 2 Prestige as PPPOE Client de dE NEE B Diagram 3 Virtual Circuit Topology esee eene enne enne trennen nre n rne C Diasr2. xDSL Lines 10 100MB Figure 6 3 Sample IP Addresses for a TCP IP LAN to LAN Connection To configure the TCP IP parameters of a remote node first configure fields in Menu 11 1 Remote Node Profile as shown in the following table For more details on the IP Option fields refer to Internet Access Table 6 1 TCP IP Related Fields in Menu 11 1 Remote Node Profile FIELD DESCRIPTION EXAMPLE Route Make sure IP is among the protocols in the Route field in Menu 11 1 IP Remote Node Profile Edit Press SPACE BAR to select Yes and press ENTER to display menu Yes IP Bridge Remote Node TCP IP Configuration 6 3 Prestige 652 ADSL Security Router The following table Menu 11 3 Remote Node Network Layer Options Bridge Options Ethernet Addr Timeout min 0 IP Options IP Address Assignment Static Rem IP Addr 0 0 0 0 Rem Subnet Mask 0 0 0 0 My WAN Addr 0 0 0 0 NAT Full Feature Address Mapping Set 2 Metric 2 Private No RIP Direction Both Version RIP 2B Multicast IGMP v2 IP Policies Press ENTER to Confirm or ESC to Cancel Figure 6 4 Remote Node Network Layer Options Table 6 2 TCP IP Remote Node Configuration shows the fields in Menu 11 3 Remote Node Network Layer Options FIELD DESCRIPTION EXAMPLE IP Address Press SPACE BAR and then ENTER to select Dynamic if the remote Static Assignment node is using a dynamica
3. 11 9 IP Spooning se easet 9 4 9 7 Maximum Incomplete Low 11 9 IP Static Route sss 6 7 Max incomplete Hehe 11 7 IP Static Route Setup 6 8 Max incomplete Low 11 7 11 10 IPSec standard 1 2 MB ita See Maximum Burst Size Index GG Prestige 652 ADSL Security Router Media Access Control 7 1 Message Logong 18 5 Metric nit 5 8 6 6 6 10 Multicast aiii 5 8 6 6 Multiplexing n EE 4 11 V C based 3 nie tede 4 11 Multiplexing 1 5 4 11 4 16 5 2 Multiprotocol Encapsulation 4 12 My WAN Address 5 7 6 5 N Nailed Up Connection ssssss 5 3 E EE 16 16 Application ooooononiocnonnnonnconcconccnnocnncn nono nconnos 8 3 Applying NAT in the SMT Mens 8 6 COMPU at 8 8 Definitions oett 8 1 Examples E E EET 8 20 How NAT Works ossessi 8 2 Mapping Types sse 8 4 Non NAT Friendly Application Programs 8 28 8 29 Ordering Rules sss 8 13 What NAT does x etes 8 2 NetBIOS commands eese 9 6 Network Address Translation NAT 8 1 21 1 Network Management 1 5 O One Minute High cia 11 9 One Minute Low ooooconccccnncocinonnnnnincnnoncnncnninoso 11 9 One Minute Hehe 11 7 P Packet Et OE cheer tue ds 18 2 A er ee 18 3 A eese 18 3 Packet Filtering sse 9 13 Packet Filtering Firewalls 9 1 Packet Information
4. Active Protocol Press SPACE BAR to choose from ESP Tunnel ESP Transport AH Tunnel or AH Transport and then press ENTER Choosing an ESP combination causes the AH Setup fields to be non applicable N A ESP Tunnel ESP Setup The ESP Setup fields are N A if you chose an AH Active Protocol SPI Decimal The SPI must be unique and from one to four integers 0 to 9 1234 Encryption Algorithm Press SPACE BAR to choose from NULL 3DES or DES and then press ENTER Fill in the Key1 field below when you choose DES and fill in fields Key1 to Key3 when you choose 3DES Select NULL to set up a tunnel without encryption When you select NULL you do not enter any encryption keys DES Key1 Enter a unique eight character key Any character may be used including spaces but trailing spaces are truncated Fill in the Key1 field when you choose DES and fill in fields Key1 to Key3 when you choose 3DES 89abcde Key2 Enter a unique eight character key It can be comprised of any character including spaces but trailing spaces are truncated Key3 Enter a unique eight character key It can be comprised of any character including spaces but trailing spaces are truncated 25 18 VPN IPSec Setup Prestige 652 ADSL Security Router Table 25 7 Menu 27 1 1 2 Manual Setup FIELD DESCRIPTION EXAMPLE Authentication Algorithm Press SPACE BAR to c
5. Protocol Support DHCP Support DHCP Dynamic Host Configuration Protocol allows the individual clients computers to obtain the TCP IP configuration at start up from a centralized DHCP server The Prestige has built in DHCP server capability enabled by default It can assign IP addresses an IP default gateway and DNS servers to DHCP clients The Prestige can also act as a surrogate DHCP server DHCP Relay where 1t relays IP address assignments from the actual DHCP server to the clients IP Alias IP Alias allows you to partition a physical network into logical networks over the same Ethernet interface The Prestige supports three logical LAN interfaces via its single physical Ethernet interface with the Prestige itself as the gateway for each LAN network IP Policy Routing IPPR Traditionally routing is based on the destination address only and the router takes the shortest path to forward a packet IP Policy Routing IPPR provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator PPP Point to Point Protocol link layer protocol Transparent bridging for unsupported network layer protocols RIP I RIP II IGMP Proxy Getting To Know Your Prestige 1 3 Prestige 652 ADSL Security Router ICMP support IP QoS support MIB I support RFC 1213 Networking Compatibility Your Prestige is compatible with the major ADSL
6. Service NM Normal MD Minimum Delay MT Maximum Throughput MR Maximum Reliability MC Minimum Cost IP Policy Routing 22 3 Prestige 652 ADSL Security Router Type a number from 1 to 6 to display Menu 25 1 1 IP Routing Policy see the next figure This menu allows you to configure a policy rule Menu 25 1 1 IP Routing Policy Policy Set Name test Active Yes Criteria IP Protocol 6 Type of Service Normal Packet length 40 Precedence 0 Len Comp N A Source addr start 1 1 1 1 end 1 1 1 1 port start 20 end 20 Destination addr start 2 2 2 2 end 2 2 2 2 port start 20 end 20 Action Matched Gateway addr 92 168 1 1 Log No 1 Type of Service Max Thruput Precedence 0 Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Figure 22 3 IP Routing Policy Table 22 2 IP Routing Policy FIELD DESCRIPTION Policy Set Name This is the policy set name assigned in Menu 25 IP Routing Policy Setup Active Press SPACE BAR and then ENTER to select Yes to activate the policy Criteria IP Protocol IP layer 4 protocol for example UDP TCP ICMP etc Type of Service Prioritize incoming network traffic by choosing from Don t Care Normal Min Delay Max Thruput Min Cost or Max Reliable Precedence Precedence value of the incoming packet Press SPACE BAR and then ENTER to select a value fr
7. 19 2 1 Backup Configuration Follow the instructions as shown in the next screen Menu 24 5 System Maintenance Backup Configuration To transfer the configuration file to your workstation follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your router Then type root and SMT password as requested 3 Locate the rom 0 file 4 Type get rom 0 to back up the current router configuration to your workstation For details on FTP commands please consult the documentation of your FTP client program For details on backup using TFTP note that you must remain in this menu to back up using TFTP please see your router manual Press ENTER to Exit Figure 19 1 Telnet in Menu 24 5 19 2 2 Using the FTP Command from the Command Line Step 1 Launch the FTP client on your computer Step 2 Enter open followed by a space and the IP address of your Prestige Step 3 Press ENTER when prompted for a username Step 4 Enter your password as requested the default is 1234 Step 5 Enter bin to set transfer mode to binary Step 6 Use get to transfer files from the Prestige to the computer for example get rom 0 config rom transfers the configuration file on the Prestige to your computer and renames it config rom See earlier in this chapter for more information on filename conventions Step 7 Enter quit to exit th
8. I MENU 12 1 5 IP STATIC ROUTE SETUP SMT MENU 12 1 5 FIN FN PVA INPUT 120105001 IP Static Route set 5 Name lt Str gt 120105002 IP Static Route set 5 Active lt 0 No 1 Yes gt 120105003 IP Static Route set 5 Destination IP 0 0 0 0 address 120105004 IP Static Route set 5 Destination IP 0 subnetmask Example Internal SPTGEN Screens Prestige 652 ADSL Security Router 120105005 IP Static Route set 5 Gateway 0 0 0 0 120105006 IP Static Route set 5 Metric 120105007 IP Static Route set 5 Private lt 0 No 1 Yes gt I MENU 12 1 6 IP STATIC ROUTE SETUP SMT MENU 12 1 6 FIN FN PVA INPUT 120106001 IP Static Route set 6 Name lt Str gt 120106002 IP Static Route set 6 Active lt 0 No 1 Yes gt 120106003 IP Static Route set 6 Destination IP 0 0 0 0 address 120106004 IP Static Route set 6 Destination IP 0 subnetmask 120106005 IP Static Route set 6 Gateway 0 0 0 0 120106006 IP Static Route set 6 Metric 120106007 IP Static Route set 6 Private lt 0 No 1 Yes gt I MENU 12 1 7 IP STATIC ROUTE SETUP SMT MENU 12 1 7 FIN FN PVA INPUT 120107001 IP Static Route set 7 Name lt Str gt 120107002 IP Static Route set 7 Active lt 0 No 1 Yes gt 120107003 IP Static Route set 7 Destination IP 0 0 0 0 address 120107004 IP Static Route set 7 D
9. sss 11 7 IP Address Assignment ce 4 12 Hidden Menus esses 2 11 ENET ENCAP LLL 4 12 hop count ee eee 6 6 PPPoA or PP 4 12 FF Index Prestige 652 ADSL Security Router REC VAS deni E 4 12 ET KC 2 6 IP Alias Set p ida 4 6 K IP o UE 16 13 Key Fields For Configuring Rules 12 2 Logic Flow A 16 12 L Trama anat 16 11 LAN S deiecti tutae ot eqietstume 18 3 IP network number 4 2 LAN to WAN Rules eeeeee 12 3 TP Packet aider geeiert eegen Greet 16 14 LAN Diada iae 9 4 9 6 IP Policies coin 22 5 Link type niece eet tenete dess 18 2 IP Policy Routing IPPR 1 4 4 5 LLC based Muloplexmng ee eeeseeeeeeeenees 6 2 Applying an IP Policy ss 22 5 Local Network Ethernet IP Poltetes 22 5 Rule Summary sse 12 4 CIate Way leet EEN eee eet ide 22 5 Log and Trace siete 18 5 IP3POOL 28 is ee 4 4 Log acht 18 7 See 25 11 25 12 Log SCIGell iu iie TEO 14 1 IP Prot col 4e set toe tee s 22 4 Logging Oeton 16 11 16 15 IP Routing Polen 22 4 ENT EE 5 5 IP Routing Policy OUPPRT oo 22 1 Loge ien tenete ne hen 14 1 Benet o o oat Eee 22 1 M CRA 22 1 MAC address 7 3 Criteria oa 22 1 Malena 11 4 Load Sharng sss 22 1 Main Menu eee deed 2 11 SUD sia 22 2 Management Information Base MIB 17 2 IP Routing Policy Setup 22 3 Maximum Incomplete High
10. Chapter 17 SNMP Configuration This chapter explains SNMP Configuration menu 22 SNMP is only available if TCP IP is configured 17 1 About SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices SNMP is a member of the TCP IP protocol suite Your Prestige supports SNMP agent functionality which allows a manager station to manage and monitor the Prestige through the network The Prestige supports SNMP version one SNMPv1 The next figure illustrates an SNMP management operation SNMP is only available if TCP IP is configured MANAGER AGENT Managed Device Managed Device Managed Device Figure 17 1 SNMP Management Model SNMP Configuration 17 1 Prestige 652 ADSL Security Router An SNMP managed network consists of two main components agents and a manager An agent is a management software module that resides in a managed device the Prestige An agent translates the local management information from the managed device into a form compatible with SNMP The manager is the console through which network administrators perform network management functions It executes applications that control and monitor managed devices The managed devices contain object variables managed objects that define each piece of information to be collected about a device Examples of variables include such as number of packets
11. Content Fitter Destination IP Address 888 Firewall Any E VPN Remote Management DestAdd DestEdit DestDelete Service Available Services Maintenance d Serv C syslog UDP 514 Logout This is your Syslog custom port This is the address range of the syslog servers Forward J None y Click Apply when finished Apply Cancel Delete Figure 13 5 Syslog Rule Configuration Customized Services 13 7 Prestige 652 ADSL Security Router Step 6 On completing the configuration procedure for these Internet firewall rules the Rule Summary screen should look like the following Don t forget to click Apply when you have finished configuring your rule s to save your settings back to the Prestige ZyXEL TOTAL INTERNET ACCESS SOLUTION Firewall WAN to LAN Rule Summary Wizard Setup The default action for packets not matching following rules Block D M Default Permit Log Advanced Setup Password No Source IP Destination IP Service Action Log i E d 10 0 0 10 10 0 015 Any amp SystesUDP 514 hd Forward Mone Dynamic DNS j M E E Time Zone IR EI Content Filter E E Firewall x z YPN Remote Management E E Maintenance E i Logout E E Rules Reorder Move rule number Y to rule number 1 7 Mo
12. Using the Prestige Web Configurator 11 7 Prestige 652 ADSL Security Router 2 Ifthe Blocking Time timeout is greater than 0 then the Prestige blocks all new connection requests to the host giving the server time to handle the present connections The Prestige continues to block all new connection requests until the Blocking Time expires The Prestige also sends alerts whenever TCP Maximum Incomplete is exceeded The global values specified for the threshold and timeout apply to all TCP connections Click Advanced Setup Firewall and Alert to bring up the next screen ZyXEL TOTAL INTERNET ACCESS SOLUTION Firewall Configuration Alert Wizard Setup The firewall is set by default to prevent attacks on your network Any detected attacks will automatically generate a log entry You can also choose to generate an alert whenever such an attack is detected Advanced Setup Generate alert when attack detected Password E d Denial of Service Thresholds NAT One Minute Low a0 Dynamic DNS One Minute High 100 Time Zone P PINE Maximum Incomplete Low a0 e Firewall Maximum Incomplete High 100 ESPN TCP Maximum Incomplete fio EE FT Blocking Time fio minute Maintenance Logout Back Apply Reset Figure 11 4 Attack Alert 11 8 Using the Prestige Web Configurator Prestige 652 ADSL Security Router The following table describes the fields in this screen
13. When computers communicate on the Internet they are using the client server model where the server listens on a specific TCP UDP port for information requests from remote client computers on the network For example a Web server typically listens on port 80 Please note that while a computer may be intended for use over a single port such as Web on port 80 other ports are also active Ifthe person configuring or managing the computer is not careful a hacker could attack it over an unprotected port Some of the most common IP ports are Firewalls 9 3 Prestige 652 ADSL Security Router Table 9 1 Common IP Ports 21 FTP 53 DNS 23 Telnet 80 HTTP 25 SMTP 110 POP3 9 4 2 Types of DoS Attacks There are four types of DoS attacks 1 To dE 2 Those that exploit bugs in a TCP IP implementation Those that exploit weaknesses in the TCP IP specification Brute force attacks that flood a network with useless data IP Spoofing Ping of Death and Teardrop attacks exploit bugs in the TCP IP implementations of various computer and host systems l a Ping of Death uses a ping utility to create an IP packet that exceeds the maximum 65 536 bytes of data allowed by the IP specification The oversize packet is then sent to an unsuspecting system Systems may crash hang or reboot 1 b Teardrop attack exploits weaknesses in the re assembly of IP packet fragments As data is transmitted
14. 0 is the default and signifies any port Type a port number from 0 to 65535 Some of the most common IP ports are 21 FTP 53 DNS 23 Telnet 80 HTTP 25 SMTP 110 POP3 25 10 VPN IPSec Setup Prestige 652 ADSL Security Router Table 25 4 Menu 27 1 1 IPSec Setup FIELD DESCRIPTION EXAMPLE End Enter a port number in this field to define a port range This port number must be greater than that specified in the previous field This field is N A when 0 is configured in the Port Start field N A Remote Remote IP addresses must be static and correspond to the remote IPSec router s configured local IP addresses The remote fields are N A when the Secure Gateway Addr field is configured to 0 0 0 0 Two active SAs cannot have the local and remote IP address es both the same Two active SAs can have the same local or remote IP address but not both You can configure multiple SAs between the same local and remote IP addresses as long as only one is active at any time Addr Type Press SPACE BAR to choose SINGLE RANGE or SUBNET and press ENTER Select SINGLE with a single IP address Use RANGE for a specific range of IP addresses Use SUBNET to specify IP addresses on a network by their subnet mask SUBNET IP Addr Start When the Addr Type field is configured to Single enter a static IP address on the network behind the remote IPSec router When the Addr Type field i
15. 4 11 3 PPPoA Please refer to RFC 2364 for more information on PPP over ATM Adaptation Layer 5 AALS Refer to RFC 1661 for more information on PPP 4 11 4 RFC 1483 RFC 1483 describes two methods for Multiprotocol Encapsulation over ATM Adaptation Layer 5 AALS The first method allows multiplexing of multiple protocols over a single ATM virtual circuit LLC based multiplexing and the second method assumes that each protocol is carried over a separate ATM virtual circuit VC based multiplexing Please refer to the RFC for more detailed information 4 12 IP Address Assignment A static IP is a fixed IP that your ISP gives you A dynamic IP is not fixed the ISP assigns you a different one each time The Single User Account feature can be enabled or disabled if you have either a dynamic or static IP However the encapsulation method assigned influences your choices for IP Address and ENET ENCAP Gateway 4 12 1 Using PPPoA or PPPoE Encapsulation If you have a dynamic IP then the IP Address and ENET ENCAP Gateway fields are not applicable N A If you have a static IP then you only need to fill in the IP Address field and not the ENET ENCAP Gateway field 4 12 2 Using RFC 1483 Encapsulation In this case the IP Address Assignment must be static with the same requirements for the IP Address and ENET ENCAP Gateway fields as stated above 4 12 3 Using ENET ENCAP Encapsulation In this case you can have either a static or dynamic IP F
16. IP Filter Set 1 Rule 6 Dest Port Comp O none 1 equal 2 1 not equal 3 less 4 great er gt 210106008 IP Filter Set 1 Rule 6 Src IP address 0 0 0 0 210106009 IP Filter Set 1 Rule 6 Src Subnet Mask 210106010 IP Filter Set 1 Rule 6 Src Port 0 210106011 IP Filter Set 1 Rule 6 Src Port Comp O none 1 equal 2 0 not equal 3 less 4 great er gt 210106013 IP Filter Set 1 Rule 6 Act Match lt 1 check 3 next 2 forward 3 dr op gt 210106014 IP Filter Set 1 Rule 6 Act Not Match lt 1 check 2 next 2 forward 3 dr op gt Z Example Internal SPTGEN Screens Prestige 652 ADSL Security Router MENU 24 11 REMOTE MANAGEMENT CONTROL SMT MENU 24 11 FIN FN PVA 241100001 TELNET Server Port These values 241100002 TELNET Server Access O all 1 none 2 Lan must be 3 Wan gt between 0 65535 241100003 TELNET Server Secured IP address 241100004 FTP Server Port 241100005 FTP Server Access O all 1 none 2 Lan 3 Wan gt 241100006 FTP Server Secured IP address This a value 241100007 WEB Server Port mut fe 241100008 WEB Server Access O all 1 none 2 Lan npe 3 Wan gt i 241100009 WEB Server Secured IP address Example Internal SPTGEN Screens AA Prestige 652 ADSL Security Router Index A Brute force Attack 9 6 Action for Matched Packets 12 11 Budget Mana
17. This field displays Tunnel mode or Transport mode See earlier for a discussion of these You need to finish configuring the VPN policy in menu 27 1 1 1 or 27 1 1 2 if 22 is displayed Tunnel IPSec Algorithm This field displays the security protocols used for an SA ESP provides confidentiality and integrity of data by encrypting the data and encapsulating it into IP packets Encryption methods include 56 bit DES and 168 bit 3DES NULL denotes a tunnel without encryption AH Authentication Header provides strong integrity and authentication by adding authentication information to IP packets This authentication information is calculated using header and payload data in the IP packet This provides an additional level of security AH choices are MD5 default 128 bits and SHA 1 160 bits Both AH and ESP increase the Prestige s processing requirements and communications latency delay You need to finish configuring the VPN policy in menu 27 1 1 1 or 27 1 1 2 if is displayed ESP DES MD5 Key Mgt This field displays the SA s type of key management IKE or Manual IKE Remote Addr Start When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to Single this is a static IP address on the network behind the remote IPSec router When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to Range this is the beginning static IP address in a range of computers on the netwo
18. 28 1 1 Internal SPTGEN File Modification Important Points to Remember e Each parameter you enter must be preceded by one ID sign and one space e Some parameters are dependent on others For example if you disable the Configured field in menu 1 see Figure 28 1 then you disable every field in this menu e Ifyou enter a parameter that is invalid in the Input column the Prestige will not save the configuration and the command line will display the Field Identification Number Figure 28 2 shown next is an example of what the Prestige displays if you enter a value other than 0 or 1 in the Input column of Field Identification Number 1000000 refer to Figure 28 1 28 2 Internal SPTGEN Prestige 652 ADSL Security Router field value is not legal error 1 ROM t is not saved error Line ID 10000000 reboot to get the original configuration Bootbase Version V2 02 2 22 2001 13 33 11 RAM Size 8192 Kbytes FLASH Intel 8M 2 Figure 28 2 Invalid Parameter Entered Command Line Example The Prestige will display the following if you enter parameter s that are valid Please wait for the system to write SPT text file ROM UY sacs Bootbase Version V2 02 2 22 2001 13 33 11 RAM Size 8192 Kbytes FLASH Intel 8M 2 Figure 28 3 Valid Parameter Entered Command Line Example 28 2 Internal SPTGEN FTP Download Example 1 Launch your FTP application 2 Enter bin e ftp 192 168 1 1
19. ATHE to view all available Prestige boot module commands Some are shown in the next screen Most commands aid in advanced troubleshooting and should only be used by qualified engineers Boot Module Commands Prestige 652 ADSL Security Router Debug ATHE ATBAx ATENx y ATSE ATTI h m s ATDA y m d ATDS ATDT ATDUx y ATRBx ATRWx ATRLx ATGO x ATGR ATGT ATRTw x y Z ATSH ATDOx y ATTD ATUR ATLC ATXSx ATSS Command Listing just answer OK print help change baudrate 1 38 4k 2 19 2k 3 9 6k 4 57 6k 5 115 2k set BootExtension Debug Flag y password show the seed of password generator change system time to hour min sec or show current time change system date to year month day or show current date dump RAS stack dump Boot Module Common Area dump memory contents from address x for length y display the 8 bit value of address x display the 16 bit value of address x display the 32 bit value of address x run program at addr x or boot router boot router run Hardware Test Program RAM test level w from address x to y z iterations dump manufacturer related data in ROM download from address x for length y to PC via XMODEM download router configuration to PC via XMODEM upload router firmware to flash ROM upload router configuration file to flash ROM xmodem select x 0 CRC mode default x 1 checksum mode display system registers Diagram 5 Boot Module Command
20. NG eS Figure 16 2 Filter Rule Process 16 2 Filter Configuration Prestige 652 ADSL Security Router You can apply up to four filter sets to a particular port to block various types of packets Because each filter set can have up to six rules you can have a maximum of 24 rules active for a single port For incoming packets your Prestige applies data filters only Packets are processed depending on whether a match is found The following sections describe how to configure filter sets The Filter Structure of the Prestige A filter set consists of one or more filter rules Usually you would group related rules for example all the rules for NetBIOS into a single set and give it a descriptive name You can configure up to twelve filter sets with six rules in each set for a total of 72 filter rules in the system 16 2 Configuring a Filter Set To configure a filter set follow the steps shown next Step 1 Enter 21 in the main menu to open menu 21 Menu 21 Filter and Firewall Setup Filter Setup Firewall Setup View Firewall Log Enter Menu Selection Number Figure 16 4 Menu 21 Filter and Firewall Setup Step 2 Enter 1 to bring up the following menu Filter Configuration 16 3 Prestige 652 ADSL Security Router Menu 21 1 Filter Set Configuration Filter Filter Set Comments Set Comments 1 7 2 NetBIOS WAN 8 TO 3 NetBIOS_LAN E AE A 4 PPPoE 10 Ss 5 TEL FTP WEB SNM MEL rs 6 12
21. Packet into IP Filter Filter Active No Yes Y Apply SrcAddrMask to Sre Addr ate Sie eg Matched aly P Addr Matched Y Apply DestAddrMask to Dest Addr E Not Matched DATE Matched Check LA IP Protocol Not Matched gt Matched ETIN Matched Ee Matched ege More Yes REGES Y No Action Not Matched Y Action Matched Check Next Rule Check Next Rule Drop Forward Drop Forward fi Drop Packet gt Check Next Rule Si C Accept Packet D S EM 2 Gs Figure 16 11 Executing an IP Filter Filter Configuration 16 11 Prestige 652 ADSL Security Router 16 3 2 Generic Filter Rule This section shows you how to configure a generic filter rule The purpose of generic rules is to allow you to filter non IP packets For IP it is generally easier to use the IP rules directly For generic rules the Prestige treats a packet as a byte stream as opposed to an IP packet You specify the portion of the packet to check with the Offset from 0 and the Length fields both in bytes The Prestige applies the Mask bit wise ANDing to the data portion before comparing the result against the Value to determine a match The Mask and Value fields are specified in hexadecimal numbers Note that 1t takes two hexadecimal digits to represent a byte so if the length is 4 the value in either field will take 8 digits
22. Table 11 3 Attack Alert FIELD DESCRIPTION DEFAULT VALUES attack detected Generate alert when A detected attack automatically generates a log entry Check this box to generate an alert as well as a log whenever an attack is detected See the Logs Chapter for more information on logs and alerts Denial of Service Thres holds One Minute Low This is the rate of new half open sessions that causes the firewall to stop deleting half open sessions The Prestige continues to delete half open sessions as necessary until the rate of new connection attempts drops below this number 80 existing half open sessions One Minute High This is the rate of new half open sessions that causes the firewall to start deleting half open sessions When the rate of new connection attempts rises above this number the Prestige deletes half open sessions as required to accommodate new connection attempts 100 half open sessions per minute The above numbers cause the Prestige to start deleting half open sessions when more than 100 session establishment attempts have been detected in the last minute and to stop deleting half open sessions when fewer than 80 session establishment attempts have been detected in the last minute Maximum Incomplete Low This is the number of existing half open sessions that causes the firewall to stop deleting half open sessions The Prestige continues to delete half open re
23. There are two logging facilities in the Prestige The first is the error logs and trace records that are stored locally The second is the UNIX syslog facility for message logging 18 3 1 Viewing Error Log The first place you should look for clues when something goes wrong is the error log Follow the procedures to view the local error trace log Step 1 Type 24 in the main menu to display Menu 24 System Maintenance Step 2 From menu 24 type 3 to display Menu 24 3 System Maintenance Log and Trace Menu 24 3 System Maintenance Log and Trace 1 View Error Log 2 UNIX Syslog Please enter selection Figure 18 6 Menu 24 3 System Maintenance Log and Trace Step 3 Enter 1 from Menu 24 3 System Maintenance Log and Trace to display the error log in the system System Information and Diagnosis 18 5 Prestige 652 ADSL Security Router After the Prestige finishes displaying the error log you will have the option to clear it Samples of typical error and information messages are presented in the next figure 59 Thu Jan 01 00 00 03 1970 PPOf INFO LAN promiscuous mode lt 0 gt 60 Thu Jan 01 00 00 03 1970 PPOO WARN SNMP TRAP 0 cold start 61 Thu Jan 01 00 00 03 1970 PPOO INFO main init completed 62 Thu Jan 01 00 00 19 1970 PPOO INFO SMT Session Begin 63 Thu Jan 01 00 00 24 1970 PPO0a WARN MPOA Link Down Clear Error Log y n Figure 18 7 Sample Error and Information Messages 1
24. example of a log sent by e mail Table 10 1 View Firewall Log FIELD DESCRIPTION EXAMPLES This is the index number of the firewall log 128 entries 23 are available numbered from 0 to 127 Once they are all used the log wraps around and the old logs are lost Time This is the time the log was recorded in this format mm dd yy e g Jan 1 00 You must configure menu 24 10 for real time ase gsc aa eae aes REO otherwise the clock will start at 2000 01 01 00 00 00 Ph mm ss e g 00 00 00 the last time the Prestige was reset Packet This field lists packet information such as protocol and From and To IP addresses Information src dest port numbers TCP UDP or protocol type rn and code ICMP Protocol and port numbers Reason This field states the reason for the log Le was the not match rule matched did not match or was there an attack 1 01 dest IP The set and rule coordinates X Y gt where X 1 2 S Y 00 10 follow with a simple explanation There are This means this packet does two policy sets set 1 X 1 is for LAN to WAN rules not match the destination IP and set 2 X 2 for WAN to LAN rules Y represents address in set 1 rule 1 Other the rule in the set You can configure up to 10 rules in reasons instead of dest IP any set Y 01 to 10 Rule number 00 is the default are src IP dest port src port rule and protocol This is a log for a DoS attack attack land ip spoofing ic
25. telecommuter can initiate the IPSec tunnel 25 4 VPN IPSec Setup Prestige 652 ADSL Security Router Prestige Prestige Telecommuter My IP Address Public Dynamic IP address Corporate Secure Gateway IP Address Headqua rters Public Static IP address Figure 25 4 Telecommuter s Prestige Configuration Prestige Prestige VPN Tunnel Telecommuter My IP Address Public Static IP address Secure Gateway IP Address Corporate Public Dynamic IP address Headq uarters 0 0 0 0 Figure 25 5 Headquarters Prestige Configuration The Secure Gateway IP Address may be configured as 0 0 0 0 only when using IKE key management and not Manual key management A Prestige with Secure Gateway Address set to 0 0 0 0 can receive multiple VPN connection requests using the same VPN rule at the same time VPN IPSec Setup 25 5 Prestige 652 ADSL Security Router Key Mgt Name Taiwan zwb50 China Menu 27 1 IPSec Summary Local Addr Start Local Addr End Remote Addr Start Remote Addr End 192 168 1438 IKE O Zo 172 16 2 46 adis 1 1 1 1 IKE 4 4 205 2909 0 0 192 168 1 42 IKE N A Select Command None Press ENTER to Confirm or ESC to Cancel Figure 25 6 Menu 27 1 IPSec Summary Table 25 3 Menu 27 1 IPSec Summary IPSec Algorithm Secure Gw Addr ESP DES MD5 193811372 AH SHA1 zw50test zyxel ESP DES MD5 0 0
26. use the default VPI Enter your Virtual Path Identifier here VCI Enter your Virtual Channel Identifier here My Login Enter the login name assigned by your ISP for PPP PPPoE only My Password Enter the password associated with your ISP assigned My Login for PPPoA PPPoE only Idle Timeout Enter the time lapse in seconds before you PPPoE or PPP automatically disconnect from the PPPoE or PPP server IP Address Enter if your IP address if it is not dynamically assigned Network Address Full Feature SUA Only or None Translation Internet Access 4 13 Prestige 652 ADSL Security Router FIELD DESCRIPTION YOUR INFO DNS Server Primary DNS server Address Secondary DNS server Assignment Enter when using RFC 1483 Encapsulation or a static IP address ENET ENCAP IP Address Gateway Gateway IP Address Enter when using ENET ENCAP Encapsulation 4 13 1 Traffic Shaping Traffic Shaping is an agreement between the carrier and the subscriber to regulate the average rate and burstiness or fluctuation of data transmission over an ATM network This agreement helps eliminate congestion which is important for transmission of real time data such as audio and video connections Peak Cell Rate PCR is the maximum rate at which the sender can send cells This parameter may be lower but not higher than the maximum line speed 1 ATM cell is 53 bytes 424 bits so a maximum s
27. 0 Rem Subnet Mask 0 0 0 0 My WAN Addr 0 0 0 0 NAT Full Feature Address Mapping Set 2 Metric 2 Private No RIP Direction Both Version RIP 2B Multicast IGMP v2 IP Policies Press ENTER to Confirm or ESC to Cancel Figure 7 1 Menu 11 3 Remote Node Bridging Options Table 7 1 Remote Node Bridge Options FIELD DESCRIPTION Bridge menu 11 1 Make sure this field is set to Yes Edit IP Bridge menu Press SPACE BAR to select Yes and press ENTER to display menu 11 3 11 1 Ethernet Addr Timeout Type the time in minutes for the Prestige to retain the Ethernet Address min menu 11 3 information in its internal tables while the line is down If this information is retained your Prestige will not have to recompile the tables when the line comes back up When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the previous screen 7 2 2 Bridge Static Route Setup Similar to network layer static routes a bridging static route tells the Prestige the route to a node before a connection is established You configure bridge static routes in menu 12 3 1 go to menu 12 choose option 3 then choose a static route to edit as shown next 7 2 Bridging Setup Prestige 652 ADSL Security Router Menu 12 3 1 Edit Bridge Static Route Route 1 Route Name Active
28. 0 0 Select Rule N A FIELD DESCRIPTION EXAMPLE This is the VPN policy index number 001 Name This field displays the unique identification name for this VPN rule The Taiwan name may be up to 32 characters long but only 10 characters will be displayed here A Y signifies that this VPN rule is active Y Local Addr When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to 192 168 1 35 Start Single this is a static IP address on the LAN behind your Prestige When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to Range this is the beginning static IP address in a range of computers on the LAN behind your Prestige When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to SUBNET this is a static IP address on the LAN behind your Prestige Local Addr When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to 192 168 1 38 End Single this is the same static IP address as in the Local Addr Start 25 6 VPN IPSec Setup Prestige 652 ADSL Security Router Table 25 3 Menu 27 1 IPSec Summary FIELD DESCRIPTION EXAMPLE field When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to Range this is the end static IP address in a range of computers on the LAN behind your Prestige When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to SUBNET this is a subnet mask on the LAN behind your Prestige Encap
29. 192 168 1 64 Sa art end N A Destination addr start end N A port start end 80 Action Matched Gateway addr 192 168 1 1 Log No Type of Service No Change Precedence No Change Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Figure 22 7 IP Routing Policy Example Step 3 Check Menu 25 1 IP Routing Policy Setup to see if the rule is added correctly Step 4 Create another policy set in menu 25 Step 5 Create a rule in menu 25 1 for this set to route packets from any host IP 0 0 0 0 means any host with protocol TCP and port FTP access through another gateway 192 168 1 100 22 8 IP Policy Routing Prestige 652 ADSL Security Router Menu 25 1 1 IP Routing Policy Policy Set Name Active Yes Criteria IP Protocol 6 Type of Service Don t Care Packet length 10 Precedence Don t Care Len Comp N A Source addr start 0 0 0 0 end N A port start 0 end N A Destination addr start 0 0 0 0 end N A port start 20 end 21 Gateway addr 192 168 1 100 Log No Type o ervice No Change Precedence No Change Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Figure 22 8 IP Routing Policy Step 6 Check Menu 25 1 IP Routing Policy Setup to see if the rule is added correctly Step 7 Apply both policy sets in menu 3 2 as shown next Menu 3 2 TCP IP and DHCP Ethernet Setup DHCP Setup DHCP Server Client IP Pool Starting Address 192 168 1
30. 2 3 determines the action for this packet 9 8 Firewalls Prestige 652 ADSL Security Router 4 Based on the obtained state information a firewall rule creates a temporary access list entry that is inserted at the beginning of the WAN interface s inbound extended access list This temporary access list entry is designed to permit inbound packets of the same connection as the outbound packet just inspected 5 The outbound packet is forwarded out through the interface 6 Later an inbound packet reaches the interface This packet is part of the connection previously established with the outbound packet The inbound packet is evaluated against the inbound access list and is permitted because of the temporary access list entry previously created 7 The packet is inspected by a firewall rule and the connection s state table entry is updated as necessary Based on the updated state information the inbound extended access list temporary entries might be modified in order to permit only packets that are valid for the current state of the connection 8 Any additional inbound or outbound packets that belong to the connection are inspected to update the state table entry and to modify the temporary inbound access list entries as required and are forwarded through the interface 9 When the connection terminates or times out the connection s state table entry is deleted and the connection s temporary inbound access list entries are del
31. 220 PPP FTP version 1 0 ready at Sat Jan 1 03 22 12 2000 The command bin sets the User 192 168 1 1 none transfer mode to binary 331 Enter PASS command 3 Get rom t file The command get transfers files Password 230 Logged in ftp gt bin 200 Type I OK ftp gt get rom t from the Prestige to your computer The name rom t is the configuration filename on the Prestige edit the rom t text file by a text editor and save it 4 Edit the rom t file using a text editor do not use a word processor You must leave this FTP screen to edit Figure 28 4 Internal SPTGEN FTP Download Example Internal SPTGEN 28 3 Prestige 652 ADSL Security Router You can rename your rom t file when you save it to your computer but it must be named rom t when you upload it to your Prestige 28 3 Internal SPTGEN FTP Upload Example 2 e ftp 192 168 1 1 1 Launch Ju FTP application 220 PPP FTP version 1 0 ready at Sat Jan 1 03 22 12 2000 User 192 168 1 1 none 6 331 Enter PASS command 2 Enter bin The command bin Password sets the transfer mode to binary 230 Logged in ftp gt bin 200 Type I OK ftp put rom t 3 Upload your rom t file from Etpebye your computer to the Prestige using the put command computer to the Prestige 4 Exit this FTP application Figure 28 5 Internal SPTGEN FTP Upload Example 28 4 Internal SPTGE
32. 3 Menu 27 1 IPSec tree Eeer cds 25 6 Table 25 4 Menu 27 1 1 IPSec Set iinne nennen enne ener 25 9 Table 25 5 Menu 27 1 1 1 IKE Sepp 25 15 Table 25 6 Active Protocol Encapsulation and Security Protocol sss 25 17 Table 25 7 Menu 27 1 1 2 Manual Setup ete RR TOR ERES Uie rts 25 18 Table 26 1 Menu 27 2 SA Moni ER I ere rete er I re oe Ero ee raro ER rro ee E Eie eden 26 1 Table 27 1 Sample IKE Key Exchange Logs enne enne nennen enne nennen 27 2 Table 27 2 Sample IPSec Logs During Packet Transmission sse 27 4 Table 27 3 RFC 2408 ISAKMP Payload Tvpes nono ncnno crono nono nronn ener nennen 27 4 Table 29 1 Troubleshooting the LAN LEID 29 1 Table 29 2 Troubleshooting the DSL LED ooooconocccocononononcnononononnnonnnonnnnnncnn nono cono nn nn corr enne nnne nennen 29 2 Table 29 3 Troubleshooting the LAN Interface ccceccesecsseesseeseeeseeeeceeceecnsecsecsecsaecsaecaeecaeeeneeeneeaeeenes 29 2 Table 29 4 Troubleshooting the WAN Interface 29 2 Table 29 5 Troubleshooting Internet Access 29 3 Table 29 6 Troubleshooting the Password sse eene nennen 29 3 Table 29 7 Troubleshooting the Web Configurator sess 29 4 Table 29 8 Troubleshooting Remote Management 29 4 xxii List of Tables Prestige 652 ADSL Security Router Preface Congratulations on your purchase of the Prestige 652 ADSL Router with VPN and Firewall There are two Prestige 652 models one for ADSL over P
33. 4 21 3 SUM dedo ein o rne 12 4 ria ad 5 1 18 2 Timeout ii 12 13 Remote Node Proble 5 4 2 EE ees 5 1 5 2 SA Monitor enne 26 1 REES Decet 18 2 Sample IP Addresses sss 6 3 Remote Node Tiaffes c ce 16 22 saving the Materias 9 7 Required fields 2 11 SSES RESET Button LLL 2 3 Duration rien eh nina 23 2 ER Seen ase es See Sustain Cell Rate Index II Prestige 652 ADSL Security Router Security Association 26 1 Static Route Setup 6 6 Security In General 9 12 Static Routing Topology sss 6 7 Security Ramifications esses 12 2 SUA Single User Account See NAT Server8 5 8 9 8 12 8 15 8 16 8 17 8 18 8 22 Subnet Mask 4 2 4 10 5 7 6 5 6 9 12 12 18 4 SE Support Disk XXIV A O v 12 2 Sapp online EE xxiv Service Type coooooconocononoconconnconcconconcconccnnnonnnnos 13 3 SYN Flood LLL 9 4 9 5 ee ee e 9 5 A A rd Syntax Convention XXVI ERU UR IA Ge dii T E 13 4 18 6 PTE ERIE os Ee Syslog IP Address oooocoonccnncnnononononononnnonnonnnnnos 18 7 QUITE cti a 9 6 Beete ZE 18 6 ene System Community sese 17 3 Canwhand Taterpreter Modeucsssnenanst 18 9 Configuration essere 17 2 Condole Port il cce ceci 18 5 A aie sarin wee 17 2 Ee EEN 18 8 LEE 17 2 EE 18 5 MIBS cornada 17 2 NE RE NON 18 6 Trap 17 2 o cssaccosccncoisccncerenarsnies 18 3 OS repaso ge System Status 18 1 notior Destinato Ee E System
34. Alert Apply Cancel Delete Figure 12 4 Creating Editing A Firewall Rule Table 12 3 Creating Editing A Firewall Rule FIELD DESCRIPTION OPTIONS Source Address Click SrcAdd to add a new address SrcEdit to edit SrcAdd 12 10 Creating Custom Rules Prestige 652 ADSL Security Router Table 12 3 Creating Editing A Firewall Rule rule generates an alert when the rule is matched FIELD DESCRIPTION OPTIONS an existing one or SrcDelete to delete one Please SrcEdit see the next section for more information on adding and editing source addresses SrcDelete Destination Address Click DestAdd to add a new address DestEdit to DestAdd edit an existing one or DestDelete to delete one DestEdit Please see the following section on adding and esto editing destination addresses DestDelete Services Please see Table 12 2 for more information on gt gt Available Selected services available Highlight a service from the uU Sie SIRI Available Services box on the left then click gt gt to SES add it to the Selected Services box on the right To remove a service highlight it in the Selected Services box on the right then click lt lt Edit Available Service Click this button to go to the list of available custom services Action for Matched Should packets that match this rule be blocked or Block Packets forwarded Make your choice from the drop down F d list box No
35. EHE ivan eer IR ee iD E E Ee eoe 9 1 92 Typesof Firewalls nee tette tdci 9 1 9 3 Introduction to ZyXEL s Firewall cccccecccsseesseesceesceeeeeeeceeceseeesecaeceeecseecaeeeaeeeeeeeeeeeeesereerees 9 2 9 4 Denial of ServiCe ui 9 3 9 5 dstatetul Inspection 2 uoo eR iq he tee et eerte tette 9 7 9 6 Guidelines For Enhancing Security With Your Firewall esse 9 11 975 Packet Filterinig Vs Firewall ene eR een eei 9 12 Chapter 10 Introducing the Prestige Firewall 4 eaae eee eese esee eene eee tn notes tn setas tn sts snan 10 1 10 1 Remote Management and the Firewall sss 10 1 10 2 Access Methods ci decr HR re eoe EE 10 1 10 3 Using Prestige SMT Menus eee eee Ree D ede ee n ra e CS E E C d dam ee de 10 1 Chapter 11 Using the Prestige Web Configurator eeeeeeee retener eene en nete nete neta sets sse ta neto ossia ato 11 1 11 1 Web Configurator Login and Main Menu Screens cccccesceeseessceeeceseceseceseceecaeecseeeneeneeenes 11 1 11 2 Enabling the Firewall eode oe eee e ate Sech E MERE ete eee det dd 11 2 19 3 Etat BEE eege 11 2 11 4 Attacke Alt a ee 11 6 Chapter 12 Creating Custom Rules i 5 cccusssssencocessonescencsseosesensesunssosessonesseeansevsesensessoscesesdesensestessonssoseesse 12 1 ENEE 12 1 12 2 Rule Logic OM dansa iia 12 1 12 3 Connection Direction cn ee aa none innen enne a nA anna trennen etre trenes 12 3 12 4 Rule Summary 5 A impetus
36. Enter Filter Set Number to Configure 0 Edit Comments N A Press ENTER to Confirm or ESC to Cancel Figure 16 5 Menu 21 1 Filter Set Configuration Step 3 Select the filter set you wish to configure 1 12 and press ENTER Step 4 Enter a descriptive name or comment in the Edit Comments field and press ENTER Step 5 Press ENTER at the message Press ENTER to confirm to open Menu 21 1 1 Filter Rules Summary 16 4 Filter Configuration Prestige 652 ADSL Security Router Menu 21 1 2 Filter Rules Summary A Type Filter Rules Mmn 1 Y SA 0 0 0 0 DA 0 0 0 0 DP 137 NDN 2 0X IP Pr 6 SA 0 0 0 0 DA 0 0 0 0 DP 138 NDN 3 X LE Pr 6 SA 0 0 0 0 DA 0 0 0 0 DP 139 NDN 4 Y IP Pr 17 SA 0 0 0 0 DA 0 0 0 0 DP 137 NDN 5 Y LP Pr 17 SA 0 0 0 0 DA 0 0 0 0 DP 138 NDN 6 Y IP Pr 17 SA 0 0 0 0 DA 0 0 0 0 DP 139 NDF Enter Filter Rule Number 1 6 to Configure Figure 16 6 NetBIOS WAN Filter Rules Summary Menu 21 1 3 Filter Rules Summary Filter Rules Pr 17 SA 0 0 0 0 SP 137 DA 0 0 0 0 CODE 0h ND I FH Enter Filter Rule Number 1 6 to Configure Figure 16 7 NetBIOS _LAN Filter Rules Summary Filter Configuration 16 5 Prestige 652 ADSL Security Router Menu 21 1 4 Filter Rules Summary Filter Rules Off 12 Len 2 Mask ffff Value 8863 Off 12 Len 2 Mask ffff Value 8864 1 2 3 4 5 6 Enter Filter Rule Number 1 6 to Configure Figure 16 8 PPPoE F
37. IP Src 192 168 102 20 Dst 202 132 154 1 UDP spo 05d4 dpo 0035 S03 ROlmF 4 PPP Log SdemdSyslogSend SYSLOG PPPLOG SYSLOG NOTICE String String ppp Proto Starting ppp Proto Opening ppp Proto Closing ppp Proto Shutdown Proto LCP ATCP BACP BCP CBCP CCP CHAP PAP IPCP IPXCP Jul 19 11 42 44 192 168 102 2 ZYXEL ppp LCP Closing Jul 19 11 42 49 192 168 102 2 ZYXEL ppp IPCP Closing Jul 19 11 42 54 192 168 102 2 ZYXEL ppp CCP Closing 18 4 Diagnostic The diagnostic facility allows you to test the different aspects of your Prestige to determine if it is working properly Menu 24 4 allows you to choose among various types of diagnostic tests to evaluate your system as shown in the following figure Menu 24 4 System Maintenance Diagnostic xDSL System 1 Reset xDSL 21 Reboot System 22 Command Mode TCP IP 12 Ping Host Enter Menu Selection Number Host IP Address N A Figure 18 9 Menu 24 4 System Maintenance Diagnostic Follow the procedure next to get to Diagnostic Step 1 From the main menu type 24 to open Menu 24 System Maintenance Step 2 From this menu type 4 Diagnostic to open Menu 24 4 System Maintenance Diagnostic 18 8 System Information and Diagnosis Prestige 652 ADSL Security Router The following table describes the diagnostic tests available in menu 24 4 for and the connections Table 18
38. IP Alias Setup nnne enne ener nnne nnne nnns 4 7 Figure 4 6 Menu 1 General Setup ANEREN 4 8 Figure 4 7 Menu 3 2 TCP IP and DHCP Ethernet Sep 4 9 List of Figures xii Prestige 652 ADSL Security Router Figure 4 8 Example of Traffic Shaping a etna th ot tate tea a a 4 15 Figure 4 9 Internet Access Pis 4 15 Figure 5 1 Menu 11 Remote Node Setup 5 2 Figure 5 2 Menu 11 1 Remote Node Proble 5 4 Figure 5 3 Remote Node Network Layer Options nennen ener nenne 5 7 Figure 5 4 Menu 11 5 Remote N de Filt r rninn ni enei ieit conca na rettet rennen theta tnnc 5 9 Figure 5 5 Menu 11 5 Remote Node Filter PPPoE or PPPoA Encapsulation esses 5 9 Figure 6 1 Menu 11 6 for RFC 1483 or ENET ENCAP with VC based Muloplexmg 6 2 Figure 6 2 Menu 11 6 for LLC based Multiplexing or PPPoA or PPPoE Encapsulation 6 2 Figure 6 3 Sample IP Addresses for a TCP IP LAN to LAN Connecton een 6 3 Figure 6 4 Remote Node Network Layer Options ener 6 5 Figure 6 5 Sample Static Routing Topology sse neret nnne 6 7 Figure 6 6 Menu 12 Static Route Setup 6 8 Figure 6 7 Menu 12 1 IP Static Route Sep 6 8 Figure 6 8 Edit IP Static Rued e DI RO Bee redactae ps 6 9 Figure 7 1 Menu 11 3 Remote Node Bridging Options sss eee 7 2 Figure 7 2 Menu 12 3 1 Edit Bridge Static Route 7 3 Fig re 8 1 How NAT Works hinterher niece ada e Fe nen 8 3 Figure 8 2
39. IPSec Log This chapter interprets common IPSec log messages 27 1 IPSec Logs To view the IPSec and IKE connection log type 3 in menu 27 and press ENTER to display the IPSec log as shown next The following figure shows a typical log from the initiator of a VPN connection Index Date Time Main Mode request to lt 192 168 100 101 gt lt SA gt lt SA gt lt KE gt lt NONCE gt lt KE gt lt NONCE gt lt ID gt lt HASH gt lt ID gt lt HASH gt Phase 1 IKE SA process done Start Phase 2 Quick Mode Send lt HASH gt lt SA gt lt NONCE gt lt ID gt lt ID gt 011 Recv lt HASH gt lt SA gt lt NONCE gt lt ID gt lt ID gt 012 01 Jan 02 Send HASH Clear IPSec Log y n 0 0 0 0 0 0 0 0 0 0 0 Figure 27 1 Example VPN Initiator IPSec Log IPSec Log 27 1 Prestige 652 ADSL Security Router The following figure shows a typical log from the VPN connection peer Index Date Time Main Mode request from lt 192 168 100 100 gt lt SA gt lt SA gt lt KE gt lt NONCE gt lt KE gt lt NONCE gt lt ID gt lt HASH gt lt ID gt lt HASH gt 1 IKE SA process done HASH gt lt SA gt lt NONCE gt lt ID gt lt ID gt Phase 2 Quick Mode DEI HASH gt lt SA gt lt NONCE gt lt ID gt lt ID gt 012 0 06 lt HASH gt Clear IPSec Log 0 0 0 0 0 0 0 0 0 0 0 Figure 27 2 Example VPN Responder IPSec Log This menu is useful for troub
40. Incoming protocol filters 256 Set 4 30201023 IP Alias 2 Outgoing protocol filters 256 Set 1 30201024 IP Alias 2 Outgoing protocol filters 256 Set 2 30201025 IP Alias 2 Outgoing protocol filters 256 Set 3 30201026 IP Alias 2 Outgoing protocol filters 256 Set 4 Example Internal SPTGEN Screens Prestige 652 ADSL Security Router MENU 4 INTERNET ACCESS SETUP SMT MENU 4 FIN FN PVA INPUT 40000000 Configured lt 0 No 1 Yes gt 1 40000001 ISP lt 0 No 1 Yes gt 1 40000002 Active lt 0 No 1 Yes gt 1 40000003 ISP s Name ChangeMe 40000004 Encapsulation 2 PPPOE 3 RFC 2 1483 4 PPPoA 5 ENET ENCAP gt 40000005 Multiplexing lt 1 LLC based 2 VC based This value 40000006 VPI must be between 40000007 VCI 0 32 40000008 Service Name Str _ F This value 40000009 My Login lt Str gt ECOS 40000010 My Password lt Str gt between 0 655355 40000011 Single User Account lt 0 No 1 Yes gt 40000012 IP Address Assignment O Static 1 Dynamic 1 gt 40000013 IP Address 0 0 0 0 40000014 Remote IP address 0 0 0 0 40000015 Remote IP subnet mask Go between 0 32 40000016 ISP incoming protocol filter set 1 40000017 ISP incoming protocol filter set 2 256 40000018 ISP incoming protocol filter set 3 256 40000
41. Information for Canadian Users The Industry Canada label identifies certified equipment This certification means that the equipment meets certain telecommunications network protective operation and safety requirements The Industry Canada label does not guarantee that the equipment will operate to a user s satisfaction Before installing this equipment users should ensure that 1t is permissible to be connected to the facilities of the local telecommunications company The equipment must also be installed using an acceptable method of connection In some cases the company s inside wiring associated with a single line individual service may be extended by means of a certified connector assembly The customer should be aware that compliance with the above conditions may not prevent degradation of service in some situations Repairs to certified equipment should be made by an authorized Canadian maintenance facility designated by the supplier Any repairs or alterations made by the user to this equipment or equipment malfunctions may give the telecommunications company cause to request the user to disconnect the equipment For their own protection users should ensure that the electrical ground connections of the power utility telephone lines and internal metallic water pipe system if present are connected together This precaution may be particularly important in rural areas Caution Users should not attempt to make such connections themsel
42. NAT Application With IP Alias eese enne ener nennen ene tnntr rennen ennt 8 4 Figure 8 3 Menu 4 Applying NAT for Internet Access 8 7 Figure 8 4 Menu 11 3 Applying NAT to the Remote Node 8 8 Figure 8 5 Menu 15 NAT Seng EENS ta 8 9 Figure 8 6 Menu 15 1 Address Mapping Sets eere 8 9 Figure 8 7 Menu 15 1 255 SUA Address Mapping Rules nono nncnnnos 8 11 Figure 8 S Me u 15 1 1 First Set sere en aede e a eI Ou deeds 8 12 Figure 8 9 Menu 15 1 1 1 Editing Configuring an Individual Rule in a Set 8 15 Figure 8 10 Menu 15 2 NAT Server Setup 8 18 xiii List of Figures Prestige 652 ADSL Security Router Figure 8 11 Menu 15 2 1 NAT Server Setup roires neant an a E i 8 18 Figure 8 12 Multiple Servers Behind NAT Esample con nonnon enne 8 19 Figure 8 13 NAT Example a 8 20 Figure 8 14 Menu 4 Internet Access amp NAT sample 8 21 Figure 3 15 NAT Example 2 aiii 8 22 Figure 8 16 Menu 15 2 1 Specifying an Inside Server sse 8 23 Figure 3 17 NAT Example iia ast entere E dee cp gts 8 25 Figure 8 18 Example 3 Men ll Buin itinere etr tei ee Ee rH dere Ree eee fe Ee 8 26 Figure 8 19 Example 3 Menta io e dette 8 26 Figure 8 20 Example 3 Final Menu SI 8 27 isure 8 2 NATD Example E 8 29 Figure 8 22 Example 4 Menu 15 1 1 1 Address Mapping Rule 8 29 Figure 8 23 Example 4 Menu 15 1 1 Address Mapping Rule 8 30 Figure 9 1 Prestige Firewall Application ennemi nre
43. RFC 2403 and HMAC SHA 1 RFC 2404 provide an authentication mechanism for the AH and ESP protocols Please see section 25 2 for more information 24 2 2 Key Management Key Management allows you to determine whether to use IKE ISAKMP or manual key configuration in order to set up a VPN Please see sections 25 5 and 25 6 for more information 24 4 Introduction to IPSec Prestige 652 ADSL Security Router 24 3 Encapsulation The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode Original IP TCP Data IP Packet Header Header Transport Mode IP IPSec TCP Data Protected Packet Header Header Header Tunnel Mode IP IPSec IP TCP Data Protected Packet Header Header Header Header Figure 24 4 Transport and Tunnel Mode IPSec Encapsulation 24 3 1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet In Transport mode the IP packet contains the security protocol AH or ESP located after the original IP header and options but before any upper layer protocols contained in the packet such as TCP and UDP With ESP protection is applied only to the upper layer protocols contained in the packet The IP header information and options are not used in the authentication process Therefore the originating IP address cannot be verified for integrity against the data With the use of AH as the security protocol protection is extended forward into the IP header to ve
44. RIP 1 Multicast None IP addresses IP Policies of the DNS Edit IP Alias No servers Press ENTER to Confirm or ESC to Cancel This is the IP address of the Press Space Bar to Toggle Prestige Figure 4 7 Menu 3 2 TCP IP and DHCP Ethernet Setup Follow the instructions in the following table on how to configure the DHCP fields Table 4 2 DHCP Ethernet Setup Menu Fields FIELD DESCRIPTION EXAMPLE DHCP Setup DHCP If set to Server your Prestige can assign IP addresses an IP default gateway and DNS servers to Windows 95 Windows NT and other systems that support the DHCP client If set to None the DHCP server will be disabled If set to Relay the Prestige acts as a surrogate DHCP server and relays DHCP requests and responses between the remote server and the clients Enter the IP address of the actual remote DHCP server in the Remote DHCP Server in this case Server default When DHCP is used the following items need to be set Client IP Pool Starting This field specifies the first of the contiguous addresses in the IP 192 168 1 33 Address address pool Size of Client IP Pool This field specifies the size or count of the IP address pool 32 Internet Access 4 9 Prestige 652 ADSL Security Router FIELD DESCRIPTION EXAMPLE Primary DNS Server Enter the IP addresses of the DNS servers The DNS servers Secondary DNS Server are passed to th
45. Table 25 5 Menu 27 1 1 1 IKE Setup FIELD DESCRIPTION EXAMPLE Press SPACE BAR to choose from 3DES or DES and then press ENTER Authentication Algorithm MD5 Message Digest 5 and SHA1 Secure Hash Algorithm are hash algorithms used to authenticate packet data The SHA1 algorithm is generally considered stronger than MD5 but is slightly slower Press SPACE BAR to choose from SHA1 or MD5 and then press ENTER MD5 SA Life Time Seconds Define the length of time before an IKE Security Association automatically renegotiates in this field It may range from 60 to 3 000 000 seconds almost 35 days A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys However every time the VPN tunnel renegotiates all users accessing remote resources are temporarily disconnected 28800 default Key Group You must choose a key group for phase 1 IKE setup DH1 default refers to Diffie Hellman Group 1 a 768 bit random number DH2 refers to Diffie Hellman Group 2 a 1024 bit 1Kb random number DH1 Phase 2 Active Protocol Press SPACE BAR to choose from ESP or AH and then press ENTER See earlier for a discussion of these protocols ESP Encryption Algorithm Press SPACE BAR to choose from NULL 3DES or DES and then press ENTER Select NULL to set up a tunnel without encryption DES Authentication Al
46. Under NAT usado a t EE D se teas 21 1 Table of Contents ix Prestige 652 ADSL Security Router 21 3 Telnet Capabi TE 21 1 PAR Miu 21 2 PALME Cr ON 21 2 216 Remote Mana meda iecore ans user ie be EE 21 2 21 7 Remote Management and NAT sse nennen eren ener eren nennen enne 21 4 21 8 Systen LinleoUte ele Eengel 21 4 Chapter 22 IP Policy Rotting eoe eres int eorr oet sonuassoseeseasesonvesuaseasessosaassosssensnssbeaeceseanessosesesesasdswnes gt 22 1 22 l Intfoduction ss inte eoe et e aede 22 1 22 2 A eo tiet cet a idee ed den e E ese tete tos 22 1 22 3 Routing Poliy sere tse eet eter t deg T GR IS PST 22 1 22 4 IP Routing Policy Setup 22 2 22 5 Applying an IP Policy cnet he eee te deed eed 22 5 22 6 IP Policy Routing Example esset ne ede eene edes 22 7 CALL SCHEDULING VPN IPSEC AND INTERNAL SPTGEN esee V Chapter 23 Call Scheduling eee eee eee eee eese eese ressesie een stus tn eo tns tn sense tasa tas tosta nor cono anao 23 1 23 Introduction cente hte te be RO EE e eec tege eda Hepat edd 23 1 Chapter 24 Introduction to IPSec 4 eee eee eee ee esee esee eene oeps iots sesks sese tasto sese ens tone seta sea 24 1 SNE ET le 24 1 24 2 IPS c Architecture iii ee emet ete tenes 24 3 24 3 Encapsulati nh onte i eto de i a i ede teet 24 5 24 4 IPS c and NAT ote So RIO Waa dA REL TIE esa Tee Be EGRE e roc oe ee 24 5 Chapter 25 VPN IPS c Setup ooo erroe nee e
47. action is dictated by this rule Block Forward or None Click Back to return to the previous screen Click Previous Page or Next Page to view other pages in your log Click Refresh to renew the log screen or Clear to clear all the logs Click the Help icon for field descriptions 14 2 Logs Prestige 652 ADSL Security Router Chapter 15 Content Filtering This chapter provides a brief overview of content filtering using the web embedded configurator Internet content filtering allows schools and businesses to create and enforce Internet access policies tailored to their needs Content filtering is the ability to block certain web features or specific URLs and should not be confused with packet filtering via SMT menu 21 1 To access these functions from the Main Menu click Advanced then Content Filter to display the Content Filter menus Use the help icon for more detailed information on the fields in each screen 15 1 Keyword Configure the Prestige to block Web sites that use certain keywords in their URL 15 2 Schedule The Prestige allows the administrator to define time periods and days during which content filtering should be enabled 15 3 Trusted Configure this screen to exclude a computer or a range of computers from content filtering 15 4 Logs This screen displays the results of your content filter policies Content Filtering 15 1 Advanced Management Part IV AD
48. be used to break into systems to hide the hacker s identity or to magnify the effect of the DoS attack IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network To engage in IP spoofing a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall The Prestige blocks all IP Spoofing attempts 9 5 Stateful Inspection With stateful inspection fields of the packets are compared to packets that are already known to be trusted For example if you access some outside service the proxy server remembers things about your original request like the port number and source and destination addresses This remembering is called saving the state When the outside system responds to your request the firewall compares the received packets with the saved state to determine if they are allowed in The Prestige uses stateful packet inspection to protect the private LAN from hackers and vandals on the Internet By default the Prestige s stateful inspection allows all communications to the Internet that originate from the LAN and blocks all traffic to the LAN that originates from the Internet In summary stateful inspection a Allows all sessions originating from the LAN local network to the WAN Internet Firewalls 9 7
49. cancel and go back to the previous screen 5 3 Remote Node Filter Move the cursor to the Edit Filter Sets field in menu 11 1 then press SPACE BAR to select Yes Press ENTER to display Menu 11 5 Remote Node Filter Use Menu 11 5 Remote Node Filter to specify the filter set s to apply to the incoming and outgoing traffic between this remote node and the Prestige and also to prevent certain packets from triggering calls You can specify up to 4 filter sets separated by comma for example 1 5 9 12 in each filter field Note that spaces are accepted in this field The Prestige has a prepackaged filter set NetBIOS WAN that blocks NetBIOS packets Include this in the call filter sets call protocol filter 1 when using PPPoE if you want to prevent NetBIOS packets from triggering calls to a remote node Remote Node Configuration 5 7 Prestige 652 ADSL Security Router Menu 11 5 Remote Node Filter Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Enter here to CONFIRM or ESC to CANCEL Figure 5 4 Menu 11 5 Remote Node Filter Menu 11 5 Remote Node Filter Input Filter Sets protocol filters Device filters Output Filter Sets protocol filters device filters Call Filter Sets protocol filters Device filters Enter here to CONFIRM or ESC to CANCEL Figure 5 5 Menu 11 5 Remote Node Filter PPPoE or PPP Encapsula
50. connection already but the IKE key exchange has not finished yet Duplicate requests with the same cookie The Prestige has received multiple requests from the same peer but it is still processing the first IKE packet from that peer No proposal chosen The parameters configured for Phase 1 or Phase 2 negotiations don t match Please check all protocols and settings for these phases For example one party may be using 3DES encryption but the other party is using DES encryption so the connection will fail Verifying Local ID failed Verifying Remote ID failed During IKE Phase 2 negotiation both parties exchange policy details including local and remote IP address ranges If these ranges differ then the connection fails Local remote IPs of incoming request conflict with rule fd If the security gateway is 0 0 0 0 the Prestige will use the peer s Local Addr as its Remote Addr If this IP range conflicts with a previously configured rule then the connection is not allowed Invalid IP IP start gt lt IP end The peer s Local IP Addr range is invalid Remote IP IP start IP end conflicts If the security gateway is 0 0 0 0 the Prestige will use the peer s Local Addr as its Remote Addr If a peer s Local Addr range conflicts with other connections then the Prestige will not accept VPN connection requests from this peer A
51. current system firmware Do You Wish To Proceed Y N Figure 19 16 Menu 24 7 1 as seen using the Console Port Step 2 After the Starting Xmodem upload message appears activate the Xmodem protocol on your computer Follow the procedure as shown previously for the HyperTerminal program The procedure for other serial communications programs should be similar 19 4 9 Example Xmodem Firmware Upload Using HyperTerminal Click Transfer then Send File to display the following screen Send File iix Type the firmware file s Folder C Product location or click Browse to look for it Filename CAProductifirmware but Browse Protocol modern m Choose the Xmodem protocol Then click Send Figure 19 17 Example Xmodem Upload After the firmware upload process has completed the Prestige will automatically restart 19 14 Firmware and Configuration File Maintenance Prestige 652 ADSL Security Router 19 4 10 Uploading Configuration File Via Console Port Step 1 Select 2 from Menu 24 7 System Maintenance Upload Firmware to display Menu 24 7 2 System Maintenance Upload System Configuration File Follow the instructions as shown in the next screen Menu 24 7 2 System Maintenance Upload System Configuration File To upload system configuration file 1 Enter y at the prompt below to go into debug mode 2 Enter atlc after Enter Debug Mode message 3 Wait for Starting XMODEM upload
52. e 4 12 Filter Rules Summary Error Logo suani dt ee e Et 18 5 Sariple i sse RR Rae rede 16 19 Error Information Messages Filter Set Sample A eee 18 6 Class 16 9 Ethernet Encapsulation oooooonocnnnnincniccnonnnnnnnos 8 16 Filtering essssseeeeere 16 1 16 9 Ethernet Traffic 16 20 Filtering Process Example Internal SPTGEN Screens L Outgoing Packets 16 2 F Firewall SE EE 111 Access Method 10 1 Filename Copnventtons esses 19 1 Activating iege RUE 10 2 Filter sans eee RORIS 3 5 Address Tawpe 12 12 Applying Filters sess 16 19 Alerts EE 11 2 Ethernet Graffe 16 20 Connection Directon eee 12 3 Ethernet Traffic 16 20 Creating Editing Rules ooooonnnnnnnnnninno 12 9 Filter Rules adapta tods 16 7 Custom Ports See Custom Ports Filter Structure 16 4 Bema esses 11 2 Generic Filter Rule 16 14 Enabling ees 11 2 Remote Node sees 5 8 Firewall Vs Eltere 9 12 Remote Node Fier 5 8 Guidelines For Enhancing Security 9 11 Remote Node Filters A 16 20 Introduction sese 9 2 Sample eise 16 18 LAN to WAN Rules ooooooooioccooniocnconccononnos 12 3 SUA cis Re CHEERS 16 16 Logs Renee ees 10 2 TCP IP Filter Rule 16 9 Log TIMET eeececeeeseesseeeceeseeeseeeeeeeeenseenees 11 4 Index EE Prestige 652 ADSL Security Router LO alo dapes 11 3 Hop HE csi steet ant 5 8 6 10 Policies ai RR URGES
53. eon eo voe vant oer ii eve se iN aT eve ee EESTE ESNS d dv 25 1 25 1 VPN IPSec Setup x seemed EE t re dente catre iie RIP 25 1 252 IPSec Algorithms itte ae OR OE ee ede i iu ee aes 25 2 25 3 Sec Summary ee ette e ottenere eet eo E EN ER ha etg added 25 3 DAT MEM NITIDE 25 8 25 IKE Setupii3 oes ete ERR a re RE ELE isa 25 12 25 6 M nual Setup ec aad vae cete eR SEENEN tes 25 17 W I OO WEIEN TU ON 26 1 Weds lte e 26 1 Chapter 27 IPSec TEE 27 1 DTN A A NN 27 1 Chapter 28 Internal SPTGEN ocooccocnoonoonnonnocnocnnoonaconnoonnonnnonnnoanconnconnconocanoco nooo nconncon coco non nor coco sens senses canos 28 1 28 1 The Configuration Text File Format 28 1 28 2 Internal SPTGEN FTP Download Example sse 28 3 28 3 Internal SPTGEN FTP Upload sample 28 4 ADDITIONAL INFORMATION AAA VI Chapter ERT UL TEE 29 1 29 1 Problems Starting Up the Prestige sess 29 1 29 2 Problems with the LAN LED 29 1 29 3 Problems with the DSL LED Au 29 2 X Table of Contents Prestige 652 ADSL Security Router 29 4 29 5 29 6 29 7 29 8 29 9 Problems with the LAN Interface 29 2 Problems with the WAN Interface 29 2 Problems with Internet ACCESS nennen eene nenne nnne enne conan nr nc entes enne ten en 29 3 Problems with the Password 5e deitate 29 3 Problems with the Web Confeurator enne 29 4 Problems with Remote Management 29 4 Table of Contents xi Prestige 652 ADSL Security Router List of Figure
54. for Sending Click which day of the week you want to send the alert Sunday through Alerts from the drop down list box Saturday Time for Sending Alerts Click the up or down arrows to the right of the list box to choose a time to send the alerts Click Back to return to the previous screen Click Apply to save your customized settings and exit this screen Click Reset to return to the previous configuration Use the Help icon to find field descriptions 11 4 Using the Prestige Web Configurator Prestige 652 ADSL Security Router 11 3 3 SMTP Error Messages If there are difficulties in sending e mail the following error messages appear Please see the Support Notes on the included disk for information on other types of error messages E mail error messages appear in SMT menu 24 3 1 as SMTP action request failed ret The 22 are described in the following table Table 11 2 SMTP Error Messages 1 means Prestige out of socket 2 means tcp SYN fail 3 means smtp server OK fail 4 means HELO fail 5 means MAIL FROM fail 6 means RCPT TO fail 7 means DATA fail 8 means mail data send fail 11 3 4 Example E mail Log An End of Log message displays for each mail in which a complete log has been sent The following is an example of a log sent by e mail Using the Prestige Web Configurator 11 5 Prestige 652 ADSL Security Router q
55. for example FFFFFFFF To configure a generic rule select an empty filter set in menu 21 1 for example 8 Select Generic Filter Rule in the Filter Type field and press ENTER to open Menu 21 1 5 1 Generic Filter Rule as shown in the following figure Menu 21 1 8 1 Generic Filter Rule Filter 4 5 1 Filter Type Generic Filter Rule Active No Offset 0 Length 0 Mask N A Value N A More No Log None Action Matched Check Next Rule Action Not Matched Check Next Rule Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Figure 16 12 Menu 21 1 5 1 Generic Filter Rule The next table describes the fields in the Generic Filter Rule menu 16 12 Filter Configuration Prestige 652 ADSL Security Router Table 16 4 Generic Filter Rule Menu Fields FIELD DESCRIPTION EXAMPLE Filter This is the filter set filter rule coordinates for instance 2 3 refers to the 8 1 second filter set and the third rule of that set Filter Type Press SPACE BAR and then ENTER to select a type of rule Generic Filter Parameters displayed below each type will be different Choices are Rule Generic Filter Rule or TCP IP Filter Rule Active Select Yes to turn on or No to turn off the filter rule No default Offset Type the starting byte of the data portion in the packet that you want to 0 compare The range for this field is from O to 255 default L
56. for example UDP and TCP headers To configure TCP IP rules select TCP IP Filter Rule in the Filter Type field and press ENTER to open Menu 21 1 7 1 TCP IP Filter Rule as shown next Menu 21 1 7 1 TCP IP Filter Rule Filter 4 1 Filter Type TCP IP Filter Rule Active Yes IP Protocol 6 IP Source Route No Destination IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 137 Port Comp Equal Source IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 0 Port Comp None TCP Estab No More No Log None Action Matched Check Next Rule Action Not Matched Check Next Rule Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Figure 16 10 Menu 21 1 7 1 TCP IP Filter Rule The following table describes how to configure your TCP IP filter rule 16 8 Filter Configuration Prestige 652 ADSL Security Router Table 16 3 TCP IP Filter Rule Menu Fields FIELD DESCRIPTION EXAMPLE Filter This is the filter set filter rule coordinates for instance 2 3 refers to 7 1 the second filter set and the third filter rule of that set Filter Type Use SPACE BAR and then ENTER to choose a rule Parameters TCP IP Filter displayed for each type will be different Choices are TCP IP Filter Rule Rule or Generic Filter Rule Active Use SPACE BAR and then ENTER to select Yes to activate or No No to deactivate the filter rule default IP Protocol This i
57. if the remote Static Assignment node is using a dynamically assigned IP address or Static if it is using a static fixed IP address You will only be able to configure this in the ISP node also the one you configure in menu 4 all other nodes are set to Static Rem IP Addr This is the IP address you entered in the previous menu Rem Subnet Type the subnet mask assigned to the remote node Mask My WAN Addr Some implementations especially UNIX derivatives require separate IP network numbers for the WAN and LAN links and each end to have a unique address within the WAN network number In that case type the IP address assigned to the WAN port of your Prestige NOTE Refers to local Prestige address not the remote router address NAT Press SPACE BAR and then ENTER to select Full Feature if you SUA Network have multiple public WAN IP addresses for your Prestige Select SUA Only Address Only if you have just one public WAN IP address for your Prestige The Translation SMT uses Address Mapping Set 255 menu 15 1 see section 8 3 7 Select None to disable NAT Address When Full Feature is selected in the NAT field configure address 2 5 6 Remote Node Configuration Prestige 652 ADSL Security Router FIELD DESCRIPTION EXAMPLE Mapping Set mapping sets in menu 15 1 Select one of the NAT server sets 2 10 in menu 15 2 see the NAT chapter for details and type that number here When SUA Only is selected in the NAT field the
58. log when a policy is executed When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the previous screen 22 5 Applying an IP Policy This section shows you where to apply the IP policies after you design them 22 5 1 Ethernet IP Policies From Menu 3 Ethernet Setup type 2 to go to Menu 3 2 TCP IP and DHCP Ethernet Setup You can choose up to four IP policy sets from 12 by typing their numbers separated by commas for example 2 4 7 9 IP Policy Routing 22 5 Prestige 652 ADSL Security Router Menu 3 2 TCP IP and DHCP Ethernet Setup DHCP Setup DHCP None Client IP Pool Starting Address N A Size of Client IP Pool N A Primary DNS Server N A Secondary DNS Server N A Remote DHCP Server N A TCP IP Setup IP See 192 168 1 1 Type IP IP Subnet Mask 255 255 255 0 Policy sets RIP Direction Both here Version RIP 2B Multicast IGMP v2 IP Policies 2 4 7 9 Edit IP Alias No Press ENTER to Confirm or ESC to Cancel Figure 22 4 Menu 3 2 TCP IP and DHCP Ethernet Setup Go to menu 11 3 shown next and type the number s of the IP Routing Policy set s as appropriate You can cascade up to four policy sets by typing their numbers separated by commas Menu 11 3 Remote Node Network Layer Options IP Options Bridge Options IP Address Assignment Static Ether
59. message before activating Xmodem upload on your terminal 4 After successful firmware upload enter atgo to restart the system Warning 1 Proceeding with the upload will erase the current configuration file 2 The system s console port speed Menu 24 2 2 may change when it is restarted please adjust your terminal s speed accordingly The password may change menu 23 also 3 When uploading the DEFAULT configuration file the console port speed will be reset to 9600 bps and the password to WE MR Do You Wish To Proceed Y N Figure 19 18 Menu 24 7 2 as seen using the Console Port Step 2 After the Starting Xmodem upload message appears activate the Xmodem protocol on your computer Follow the procedure as shown previously for the HyperTerminal program The procedure for other serial communications programs should be similar Step 3 Enter atgo to restart the Prestige 19 4 11 Example Xmodem Configuration Upload Using HyperTerminal Click Transfer then Send File to display the following screen Firmware and Configuration File Maintenance 19 15 Prestige 652 ADSL Security Router Send File zl C Product config rom Figure 19 19 Example Xmodem Upload After the configuration upload process has completed restart the Prestige by entering atgo 19 16 Firmware and Configuration File Maintenance Prestige 652 ADSL Security Router Chapter 20 System Maintenance and Informatio
60. negotiated protocol is different from that in the user profile even when the negotiated protocol is stronger than specified If the peer disconnects right after a successful authentication make sure that you specify the correct authentication protocol when connecting to such an implementation 5 2 Remote Node Setup For the TCP IP parameters perform the following steps to edit Menu 11 3 Remote Node Network Layer Options as shown next Step 1 In menu 11 1 make sure IP is among the protocols in the Route field Step 2 Move the cursor to the Edit IP Bridge field press SPACE BAR to select Yes then press ENTER to display Menu 11 3 Remote Node Network Layer Options Remote Node Configuration 5 5 Prestige 652 ADSL Security Router Menu 11 3 Remote Node Network Layer Options Bridge Options Ethernet Addr Timeout min 0 IP Options IP Address Assignment Static Rem IP Addr 0 0 0 0 Rem Subnet Mask 0 0 0 0 My WAN Addr 0 0 0 0 NAT SUA Only Address Mapping Set 2 Metric 2 Private No RIP Direction None Version RIP 1 Multicast None IP Policies 3 4 5 6 Press ENTER to Confirm or ESC to Cancel Figure 5 3 Remote Node Network Layer Options The next table explains fields in Menu 11 3 Remote Node Network Layer Options Table 5 2 Remote Node Network Layer Options FIELD DESCRIPTION EXAMPLE IP Address Press SPACE BAR and then ENTER to select Dynamic
61. of files including large files that may not be possible by e mail H 323 TCP 1720 Net Meeting uses this protocol HTTP TCP 80 Hyper Text Transfer Protocol a client server protocol for the world wide b we HTTPS HTTPS is a secured http session often used in e commerce ICQ UDP 4000 This is a popular Internet chat program IKE UDP 500 The Internet Key Exchange algorithm is used for key distribution and management IPSEC TUNNEL ESP 0 The IPSEC ESP Encapsulation Security Protocol tunneling protocol uses this service IRC TCP UDP 6667 This is another popular Internet chat program MSN Messenger TCP 1863 Microsoft Networks messenger service uses this protocol MULTICAST IGMP 0 Internet Group Multicast Protocol is used when sending packets to a specific group of hosts NEWS TCP 144 A protocol for news groups NFS UDP 2049 Network File System NFS is a client server distributed file service that provides transparent file sharing for network environments Creating Custom Rules 12 7 Prestige 652 ADSL Security Router Table 12 2 Predefined Services SERVICE DESCRIPTION NNTP TCP 119 Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service PING ICMP 0 Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable POP3 TCP 110 Post Office Protocol version 3 lets a client computer get e mail from a POP3 server throu
62. on how to transfer the configuration file to your Prestige using the SMT menus b Use the RESET button on the rear panel of the Prestige see the next section Use this method for cases when the password or IP address of the Prestige is not known c Use the web configurator to restore defaults see the web configurator HTML help 2 8 Hardware Installation and Initial Setup Prestige 652 ADSL Security Router 2 8 2 Procedure To Use The Reset Button Make sure the SYS led is on not blinking before you begin this procedure 1 Press the RESET button for ten seconds then release it If the SYS LED begins to blink the defaults have been restored and the Prestige restarts Otherwise go to step 2 2 Turn the Prestige off 3 While pressing the RESET button turn the Prestige on 4 Continue to hold the RESET button The SYS LED will begin to blink and flicker very quickly after about 10 or 15 seconds This indicates that the defaults have been restored and the Prestige is now restarting Release the RESET button and wait for the Prestige to finish restarting Hardware Installation and Initial Setup 2 9 Prestige 652 ADSL Security Router 2 8 3 Prestige 652 SMT Menu Overview The following figure gives you an overview of the various SMT menu screens of your Prestige Menu 1 Menu 3 Menu 4 Menu 11 Menu 12 General Setup LAN Setup Intemet Access Setup Remote Node Setup Static Routing Setup Menu 1 1 Menu 31 onfig
63. please see sections 4 and 5 of RFC 2236 The class D IP address is used to identify host groups and can be in the range 224 0 0 0 to 239 255 255 255 The address 224 0 0 0 is not assigned to any group and is used by IP multicast computers The address 224 0 0 1 is used for query messages and is assigned to the permanent group of all IP hosts including gateways All hosts must join the 224 0 0 1 group in order to participate in IGMP The address 224 0 0 2 is assigned to the multicast routers group The Prestige supports both IGMP version 1 IGMP v1 and version 2 IGMP v2 At start up the Prestige queries all directly connected networks to gather group membership After that the Prestige periodically updates this information IP Multicasting can be enabled disabled on the Prestige LAN and or WAN interfaces using menus 3 2 LAN and 11 3 WAN Select None to disable IP Multicasting on these interfaces 4 5 IP Policies Traditionally routing is based on the destination address only and the router takes the shortest path to forward a packet IP Policy Routing IPPR provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator Policy based routing is applied to incoming packets on a per interface basis prior to the normal routing Create policies using SMT menu 25 see P Policy Routing and apply them on the Prestige LAN and or WAN interfaces using menus 3 2
64. press ESC at any time to cancel If all your settings are correct your Prestige should connect automatically to the Internet If the connection fails note the error message that you receive on the screen and take the appropriate troubleshooting steps Internet Access 4 17 Advanced Applications Part II ADVANCED APPLICATIONS Prestige 652 ADSL Security Router Chapter 5 Remote Node Configuration This chapter covers the parameters that are protocol independent Protocol dependent configuration TCP IP and Bridging is covered in the following chapters A remote node is required for placing calls to a remote gateway A remote node represents both the remote gateway and the network behind it across a WAN connection When you use menu 4 to set up Internet access you are configuring one of the remote nodes 5 1 Remote Node Setup This section describes the protocol independent parameters for a remote node 5 1 1 Remote Node Profile To configure a remote node follow these steps Step 1 From the main menu enter 11 to display Menu 11 Remote Node Setup Step 2 When menu 11 appears as shown in the following figure enter the number of the remote node that you want to configure Menu 11 Remote Node Setup ChangeMe ISP SUA c0 AO GA Enter Node to Edit Figure 5 1 Menu 11 Remote Node Setup Remote Node Configuration 5 1 Prestige 652 ADSL Security Route
65. protect by configuring rules to block packets for the services at specific interfaces 6 Protect against IP spoofing by making sure the firewall is active 7 Keep the firewall in a secured locked room Firewalls 9 11 Prestige 652 ADSL Security Router 9 6 1 Security In General You can never be too careful Factors outside your firewall filtering or NAT can cause security breaches Below are some generalizations about what you can do to minimize them 1 11 Encourage your company or organization to develop a comprehensive security plan Good network administration takes into account what hackers can do and prepares against attacks The best defense against hackers and crackers is information Educate all employees about the importance of security and how to minimize risk Produce lists like this one DSL or cable modem connections are always on connections and are particularly vulnerable because they provide more opportunities for hackers to crack your system Turn your computer off when not in use Never give out a password or any sensitive information to an unsolicited telephone call or e mail Never e mail sensitive information such as passwords credit card information etc without encrypting the information first Never submit sensitive information via a web page unless the web site uses secure connections You can identify a secure connection by looking for a small key icon on the bottom of your br
66. protects against Denial of Service DOS attacks when it is active The default Policy sets 1 allow all sessions originating from the LAN to the WAN and 2 deny all sessions originating from the WAN to the LAN You may define additional Policy rules or modify existing ones but please exercise extreme caution in doing so SE Name ACL Default Set WAN to LAN Set Name ACL Default Set Please configure the Firewall function through Web Configurator Press ENTER to Confirm or ESC to Cancel Figure 10 2 Menu 21 2 Firewall Setup Configure the firewall rules using the web configurator or CLI commands 10 3 2 Viewing the Firewall Log In menu 21 enter 3 to view the firewall log An example of a firewall log is shown next Time Packet Information Reason Action O Jan 1 00 From 192 168 17 1 To 192 168 17 255 default policy block 15 l Jan 15 2 Jan 15 Clear Firewall Log y n 43 19 UDP src port 00520 dest port 00520 lt 2 00 gt T 00 ExXom 172 20 1179 TO 2172 21 1 66 default policy block 43 20 UDP src port 03571 dest port 00161 2 00 1 00 From 172 21 1 148 To 172 21 255 255 default policy block 43 20 UDP src port 00137 dest port 00137 lt 2 00 gt Figure 10 3 Example Firewall Log 10 2 Introducing the Prestige Firewall Prestige 652 ADSL Security Router An End of Log message displays for each mail in which a complete log has been sent The following is an
67. received node port status etc A Management Information Base MIB is a collection of managed objects SNMP allows a manager and agents to communicate for the purpose of accessing these objects SNMP itself is a simple request response protocol based on the manager agent model The manager issues a request and the agent returns responses using the following protocol operations e Get Allows the manager to retrieve an object variable from the agent e GetNext Allows the manager to retrieve the next object variable from a table or list within an agent In SNMPvI when a manager wants to retrieve all elements of a table from an agent it initiates a Get operation followed by a series of GetNext operations e Set Allows the manager to set values for object variables within an agent e Trap Used by the agent to inform the manager of some events 17 2 Supported MIBs The Prestige supports RFC 1215 and MIB II as defined in RFC 1213 The focus of the MIBs is to let administrators collect statistic data and monitor status and performance 17 3 SNMP Configuration To configure SNMP select option 22 from the main menu to open Menu 22 SNMP Configuration as shown next The community for Get Set and Trap fields is SNMP terminology for password 17 2 SNMP Configuration Prestige 652 ADSL Security Router Menu 22 SNMP Configuration SNMP Get Community public Set Community public Trusted Hgst 0 0 0 0 Trap Co
68. sec 0 Apply your schedule sets here Figure 23 3 Applying Schedule Set s to a Remote Node PPPoE You can apply up to 4 schedule sets separated by commas for one remote node Change the schedule set numbers to your preference s 23 4 Call Scheduling Prestige 652 ADSL Security Router Chapter 24 Introduction to IPSec This chapter introduces the basics of IP Sec VPNs 24 1 Introduction 24 1 1 VPN A VPN Virtual Private Network provides secure communications between sites without the expense of leased site to site lines A secure VPN is a combination of tunneling encryption authentication access control and auditing technologies services used to transport traffic over the Internet or any insecure network that uses the TCP IP protocol suite for communication 24 1 2 IPSec Internet Protocol Security IPSec is a standards based VPN that offers flexible solutions for secure data communications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authentication at the IP layer 24 1 3 Security Association A Security Association SA is a contract between two parties indicating what security parameters such as keys and algorithms they will use 24 1 4 Other Terminology gt Encryption Encryption is a mathematical operation that transforms data from plaintext readable to ciphertext scrambled
69. section 12 5 for more information on predefined services 12 2 Creating Custom Rules Prestige 652 ADSL Security Router Source Address What is the connection s source address is it on the LAN or WAN Is it a single IP a range of IPs or a subnet Destination Address What is the connection s destination address is it on the LAN or WAN Is it a single IP a range of IPs or a subnet 12 3 Connection Direction This section talks about configuring firewall rules for connections going from LAN to WAN and WAN to LAN in your firewall 12 3 1 LAN to WAN Rules The default rule for LAN to WAN traffic is that all users on the LAN are allowed non restricted access to the WAN When you configure Policy gt LAN to WAN gt Rules you in essence want to limit some or all users from accessing certain services on the WAN See the following figure Prestige By default all outgoing connections LAN to WAN are allowed unless you create rules blocking certain LAN users Figure 12 1 LAN to WAN Traffic Creating Custom Rules 12 3 Prestige 652 ADSL Security Router 12 3 2 WAN to LAN Rules The default rule for WAN to LAN traffic blocks all incoming connections WAN to LAN If you wish to allow certain WAN users to have access to your LAN you will need to create custom rules to allow it See the following figure By default NO incoming connections WAN to LAN are allowed unless you create rules allowing certai
70. sese 14 2 Packet Triggered sss 18 7 Packets A E 18 2 PAP La ak eer 5 5 Password 2 7 2 13 5 5 17 2 PO cit 18 9 Ping of Death 9 4 PoOmt 10 POME icons xxvii policy based routing sss 22 1 IN RE 9 3 9 4 Port Configuration sese 13 4 IR UE 2 4 POTS Splitter in ates 2 5 PPP aii 5 2 PPPoA Encapsulapon 6 2 PPP D0g e eege ee 18 7 18 8 HH Index Prestige 652 ADSL Security Router PPPoE Encapsulation seseeeeeseeeeseeees eee 5 3 5 9 Restore Confteurapon sess 19 7 Precedentes 22 1 22 4 Return address oocoooccnnnoncconononcconanacononnnnrnnnnss 11 4 Prestige Firewall Application 9 3 REC a da 5 2 Prestige Web Confteurator 11 1 RFC 2364 ciclista 5 2 5 4 Privates e 2s ho bettie 5 8 6 6 6 10 RIP 4 10 5 8 6 6 See Routing Information luni 16 10 Protocol Protocol Filter rules sss 16 16 Ee Ka o Dit Ct Ons i nie cree Ere ce iore 4 3 Guil dO SUN BR ree ur cursar 24 Mersin enu orden ates 4 3 R Routing Policy sss 22 1 pa PONE bed 18 4 22 2 eenegen EC AM Rate A eee 12 1 12 4 ERE C rq cur et ce 18 2 E E E 12 1 Transmission esses 18 2 x E p EE EEGEN Key Fields ione buds 12 2 Remote DHCP Server 4 10 EE Gem EEN 2122 te seed Rhein e ie a 12 1 E EAEE E IE TE E 10 1 a NSN MICO qose stra ae tus Remote Management and NAT 21 4 A EE PM Renate ManagementiLumitatongens 19
71. source address on the WAN For incoming packets the ILA is the destination address on the LAN and the IGA is the destination address on the WAN NAT maps private local IP addresses to globally unique ones required for communication with hosts on other networks It replaces the original IP source address and TCP or UDP source port numbers for Many to One and Many to Many Overload NAT mapping in each packet and then forwards it to the Internet The Prestige keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored The following figure illustrates this 8 2 NAT Prestige 652 ADSL Security Router NAT Table Inside Local Inside Global IP Address IP Address LAN 192 168 1 10 IGA 1 WAN 192 168 1 11 IGA 2 192 168 1 12 IGA 3 Computer IP 192 168 1 13 IGA4 192 168 1 13 Computer IP 192 168 1 12 Computer IP 192 168 1 11 Inside Global Addresses IGA Inside Local Addresses ILA Computer IP 192 168 1 10 Figure 8 1 How NAT Works 8 1 4 NAT Application The following figure illustrates a possible NAT application where three inside LANs logical LANs using IP Alias behind the Prestige can communicate with three distinct WAN networks More examples follow at the end of this chapter NAT 8 3 Prestige 652 ADSL Security Router LAN1 192 168 1 X Network Server Server in Admin 192 168 1 1 Admin Network PC2 PC3 IP 1 IGA 1
72. their numbers separated by commas Edit IP Alias The Prestige supports three logical LAN interfaces via its single No physical Ethernet interface with the Prestige itself as the gateway for default each LAN network Press SPACE BAR to change No to Yes and press ENTER to for menu 3 2 1 your configuration or When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save press ESC at any time to cancel 4 10 Internet Access Prestige 652 ADSL Security Router 4 9 VPI and VCI Be sure to use the correct Virtual Path Identifier VPI and Virtual Channel Identifier VCI numbers supplied by your telephone company The valid range for the VPI is 0 to 255 and for the VCI is 32 to 65535 0 to 31 is reserved for local management of ATM traffic Please see the Appendices for more information 4 10 Multiplexing There are two conventions to identify what protocols the virtual circuit VC is carrying Be sure to use the multiplexing method required by your ISP 4 10 1 VC based Multiplexing In this case by prior mutual agreement each protocol is assigned to a specific virtual circuit for example VCI carries IP etc VC based multiplexing may be dominant in environments where dynamic creation of large numbers of ATM VCs is fast and economical 4 10 2 LLC based Multiplexing In this case one VC carries multiple protocols with protocol identifying information being cont
73. through a network IP packets are often broken up into smaller chunks Each fragment looks like the original IP packet except that it contains an offset field that says for instance This fragment is carrying bytes 200 through 400 of the original non fragmented IP packet The Teardrop program creates a series of IP fragments with overlapping offset fields When these fragments are reassembled at the destination some systems will crash hang or reboot Weaknesses in the TCP IP specification leave it open to SYN Flood and LAND attacks These attacks are executed during the handshake that initiates a communication session between two applications Firewalls Prestige 652 ADSL Security Router Client Server SYN E Figure 9 2 Three Way Handshake Under normal circumstances the application that initiates a session sends a SYN synchronize packet to the receiving server The receiver sends back an ACK acknowledgment packet and its own SYN and then the initiator responds with an ACK acknowledgment After this handshake a connection is established 2 a SYN Attack floods a targeted system with a series of SYN packets Each packet causes the targeted system to issue a SYN ACK response While the targeted system waits for the ACK that follows the SYN ACK it queues up all outstanding SYN ACK responses on what is known as a backlog queue SYN ACKs are moved off the queue only when an ACK comes back or when an i
74. type traffic Type the SCR it must be less than the PCR Maximum Burst Size MBS 0 Refers to the maximum number of cells that can be sent at the peak rate Type the MBS The MBS must be less than 65535 My Login Configure the My Login and My Password fields for PPP and PPPoE encapsulation only Enter the login name that your ISP gives you If you are using PPPoE encapsulation then this field must be of the form user domain where domain identifies your PPPoE service name N A My Password Enter the password associated with the login name above N A ENET ENCAP Gateway Enter the gateway IP address supplied by your ISP when you are using ENET ENCAP encapsulation N A IP Address Assignment Press SPACE BAR to select Static or Dynamic address assignment Static IP Address Enter the IP address supplied by your ISP if applicable 0 0 0 0 4 16 Internet Access Prestige 652 ADSL Security Router FIELD DESCRIPTION EXAMPLE Network Address Press SPACE BAR to select None SUA Only or Full SUA Only Translation Feature Please see the NAT Chapter for more details on the SUA Single User Account feature N A Address Mapping Set Type the numbers of mapping sets 1 8 to use with NAT See the NAT chapter for details When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or
75. use Many to Many No Overload mapping as port numbers do not change for Many to Many No Overload and One to One NAT mapping types The following figure illustrates this Game Player 1 192 168 1 10 Mapping Rules 1 Game Players 1 to 3 lt gt IGAs 1 to 3 Type Many to Many No Overload Game Player 2 192 168 1 1 Prestige 3 IGAs 10 132 50 1 2 IGA 1 10 132 50 2 IGA 2 10 132 50 3 IGA 3 Game Player 3 192 168 1 12 Figure 8 21 NAT Example 4 NAT 8 23 Prestige 652 ADSL Security Router Other applications such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream These applications won t work through NAT even when using One to One and Many to Many No Overload mapping types Follow the steps outlined in example 3 to configure these two menus as follows Menu 15 1 1 1 Address Mapping Rule Type Many to Many No Overload Local IP Start 192 168 1 10 End 192 168 1 12 Global IP Start 10 132 50 1 End 10 132 50 3 Server Mapping Set N A Press ENTER to Confirm or ESC to Cancel Figure 8 22 Example 4 Menu 15 1 1 1 Address Mapping Rule After you ve configured your rule you should be able to check the settings in menu 15 1 1 as shown next 8 24 NAT Prestige 652 ADSL Security Router Menu 15 1 1 Address Mapping Rules Set Name Example4 Idx Local Start IP Local End IP Global Start IP Global End IP 192 168
76. you must register with the Dynamic DNS service provider The Dynamic DNS service provider will give you a password or key The Prestige supports www dyndns org You can apply to this service provider for Dynamic DNS service 3 2 1 DYNDNS Wildcard Enabling the wildcard feature for your host causes yourhost dyndns org to be aliased to the same IP address as yourhost dyndns org This feature is useful if you want to be able to use for example www yourhost dyndns org and still reach your hostname 3 3 General Setup To enter menu and fill in the required information follow these steps Step 1 Enter 1 in main menu to display Menu 1 General Setup Step 2 The Menu 1 General Setup screen appears as shown next Fill in the fields as explained in the following table Menu 1 General Setup System Name Location Contact Person s Name Domain Name Edit Dynamic DNS No Route IP Yes Bridge No Press ENTER to Confirm or ESC to Cancel Figure 3 1 Menu 1 General Setup Table 3 1 General Setup Menu Fields FIELD DESCRIPTION EXAMPLE System Name Choose a descriptive name for identification purposes This name can P652 required be up to 30 alphanumeric characters long Spaces are not allowed but dashes and underscores _ are accepted Location optional Enter the geographic location up to 31 characters of your Prestige MyHouse Contact Person s Enter the name up t
77. 019 ISP incoming protocol filter set 4 256 40000020 ISP outgoing protocol filter set 1 256 40000021 ISP outgoing protocol filter set 2 256 40000022 ISP outgoing protocol filter set 3 256 Example Internal SPTGEN Screens Prestige 652 ADSL Security Router 40000023 ISP outgoing protocol filter set 4 256 40000024 ISP PPPoE idle timeout 40000025 Route IP lt 0 No 1 Yes gt 1 40000026 Bridge lt 0 No 1 Yes gt 0 40000027 ATM QoS Type lt 0 CBR 1 UBR gt 1 40000028 Peak Cell Rate PCR 0 40000029 Sustain Cell Rate SCR 0 40000030 Maximum Burst Size MBS 0 I MENU 12 1 1 IP STATIC ROUTE SETUP SMT MENU 12 1 1 FIN FN PVA INPUT 120101001 IP Static Route set 1 Name lt Str gt 120101002 IP Static Route set 1 Active lt 0 No 1 Yes gt 120101003 IP Static Route set 1 Destination IP 0 0 0 0 address 120101004 IP Static Route set 1 Destination IP 0 subnetmask 120101005 IP Static Route set 1 Gateway 0 0 0 0 120101006 IP Static Route set 1 Metric 120101007 IP Static Route set 1 Private lt 0 No 1 Yes gt I MENU 12 1 2 IP STATIC ROUTE SETUP SMT MENU 12 1 2 FIN FN PVA INPUT 120102001 IP Static Route set 2 Name 120102002 IP Static Route set 2 Active lt 0 No 1 Yes gt 120102003 IP Static Route set 2 De
78. 02 IP Filter Set 1 Rule 1 Active You may 210101003 IP Filter Set 1 Rule 1 Protocol EN aa A ge c e 210101004 IP Filter Set 1 Rule 1 Dest IP address 0 0 0 0 SMT 210101005 IP Filter Set 1 Rule 1 Dest Subnet s 210101006 IP Filter Set 1 Rule 1 Dest Port between 0 65535 137 Example Internal SPTGEN Screens Prestige 652 ADSL Security Router 210101007 IP Filter Set 1 Rule 1 Dest Port Comp O none 1 equal 2 1 not equal 3 less 4 greater gt 210101008 IP Filter Set 1 Rule 1 Src IP address 0 0 0 0 210101009 IP Filter Set 1 Rule 1 Src Subnet Mask 210101010 IP Filter Set 1 Rule 1 Src Port 0 210101011 IP Filter Set 1 Rule 1 Src Port Comp O none 1 equal 2 0 not equal 3 less 4 great er 210101013 IP Filter Set 1 Rule 1 Act Match lt 1 check 3 next 2 forward 3 dr op gt 210101014 IP Filter Set 1 Rule 1 Act Not Match lt 1 check 1 next 2 forward 3 dr op gt I MENU 21 1 2 SET 1 RULE 2 SMT MENU 21 1 2 FIN FN PVA INPUT 210102001 IP Filter Set 1 Rule 2 Type 2 TCP IP 210102002 IP Filter Set 1 Rule 2 Active lt 0 No 1 Yes gt 1 210102003 IP Filter Set 1 Rule 2 Protocol 210102004 IP Filter Set 1 Rule 2 Dest IP address 0 0 0 0 210102005 IP Filter Set 1 Rule 2 Dest Subnet Mask 210102006 IP Filter Set 1 Rule 2 Dest Port 138 210102007 IP Filter Set 1 Rule 2 Dest Port Comp O no
79. 1 1 1 or menu 27 1 1 2 to fully configure and use a VPN Table 25 4 Menu 27 1 1 IPSec Setup FIELD DESCRIPTION EXAMPLE Index This is the VPN rule index number you selected in the previous menu 1 Name Enter a unique identification name for this VPN rule The name may be up Taiwan to 32 characters long but only 10 characters will be displayed in Menu 27 1 IPSec Summary Active Press SPACE BAR to choose either Yes or No Choose Yes and press Yes ENTER to activate the VPN tunnel This field determines whether a VPN rule is applied before a packet leaves the firewall My IP Addr Enter the WAN IP address of your Prestige The Prestige uses its current 0 0 0 0 WAN IP address static or dynamic in setting up the VPN tunnel if you leave this field as 0 0 0 0 VPN IPSec Setup 25 9 Prestige 652 ADSL Security Router Table 25 4 Menu 27 1 1 IPSec Setup FIELD DESCRIPTION EXAMPLE The VPN tunnel has to be rebuilt if this IP address changes Secure Gateway Addr Type the WAN IP address or the domain name up to 31 characters of the IPSec router with which you re making the VPN connection Set this field to 0 0 0 0 if the remote IPSec router has a dynamic WAN IP address the Key Management field must be set to IKE see later See the Secure Gateway Address section for more details ZwbOtest com tw Protocol Enter 1 for ICMP 6 for TCP 17 for UDP etc 0 is the de
80. 1 10 192 168 1 12 10 132 50 1 1 2 3 4 5 6 T 8 9 0 10 Action Edit Select Rule Press ENTER to Confirm or ESC to Cancel Figure 8 23 Example 4 Menu 15 1 1 Address Mapping Rules NAT 8 25 Firewall and Content Filters Part III Firewall and Content Filters Part III introduces firewalls in general and the Prestige firewall It also explains customized services and logs and gives example firewall rules and an overview of content filtering Prestige 652 ADSL Security Router Chapter 9 Firewalls This chapter gives some background information on firewalls and explains how to get started with the Prestige firewall 9 1 What ls a Firewall Originally the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another The networking term firewall is a system or group of systems that enforces an access control policy between two networks It may also be defined as a mechanism used to protect a trusted network from an untrusted network Of course firewalls cannot solve every security problem A firewall is one of the mechanisms used to establish a network security perimeter in support of a network security policy It should never be the on1y mechanism or method employed For a firewall to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security
81. 1 Reset Counters ESC Exit Figure 18 2 Menu 24 1 System Maintenance Status The following table describes the fields present in Menu 24 1 System Maintenance Status Table 18 1 System Maintenance Status Menu Fields FIELD DESCRIPTION Node Lnk This is the node index number and link type Link types are PPPoA ENET 1483 Status Shows the status of the remote node TxPkts The number of transmitted packets to this remote node RxPkts The number of received packets from this remote node Errors The number of error packets on this connection Tx B s Shows the transmission rate in bytes per second Rx B s Shows the receiving rate in bytes per second Up Time Time this channel has been connected to the current remote node My WAN IP The IP address of the ISP remote node from ISP Ethernet Shows statistics for the LAN 18 2 System Information and Diagnosis Prestige 652 ADSL Security Router FIELD DESCRIPTION Status Shows the current status of the LAN Tx Pkts The number of transmitted packets to the LAN Rx Pkts The number of received packets from the LAN Collision Number of collisions WAN Shows statistics for the WAN Line Status Shows the current status of the xDSL line which can be Up or Down Upstream Speed Shows the transfer rate of traffic going out from the Prestige to the WAN Downstream Shows the transfer rate of traffic
82. 12 1 HTML Helps eR See Remote Management 10 1 HTTP 8 17 9 1 9 3 9 4 25 11 25 12 Rule Checklist ies 12 1 HyperTerminal program 19 6 19 9 Rule Lopera 12 1 I Rule Precedence ooooonoocccconocccoconcccnnonncnnonoss 12 4 TAN Ayora Res 4 2 4 3 Rule Security Ramifications s sse0000 12 2 ICMP 6echo eener ia 9 6 VIC da 12 6 IA ncn hit 5 3 SIMD Meng e e rere trt rentes 10 1 IGMP support 5 8 6 6 TyYpeSzosondti tamsan en eras 9 1 IAS eeir isise eessiiseisii eresie 2 7 When To USE vito 9 13 Interactive Appliceattons 22 1 Frame Relay cocinas iii n 1 6 Internal SPTGEN sss 1 2 28 1 Front Panel FTP Download Example 28 3 Illustration sese 2 1 FTP Upload Example 28 4 ELP ansam ROBES 19 4 21 2 21 3 Points to Remember oooonocccccnnoncccconancconnnnos 28 2 FTP Fil Transfer inte 19 10 Text File cte denne 28 1 FTP Restrictions ooooocononcccnononcnonananonnnns 19 4 21 3 Internal SPTGEN Screens sess L NEE 8 25 Internet dccess haetini asie ai 4 1 F ll Rate nenna Ze eege eds 2 4 Internet Access xxiv l 1 1 6 1 7 2 12 3 5 4 1 G 4 13 4 15 4 16 Gateway e e E e EEEE E elelececsiens 6 9 KEE E Gateway Node sss 7 3 ENEE General Setup ss oes Se ROO RAS 3 1 EE Ee H IP Address 4 10 6 5 6 9 7 3 16 11 18 4 18 9 22 3 Half Open Sessions
83. 12 Firewalls Prestige 652 ADSL Security Router 9 7 1 Packet Filtering a a The router filters packets as they pass through the router s interface according to the filter rules you designed Packet filtering is a powerful tool yet can be complex to configure and maintain especially if you need a chain of rules to filter a service Packet filtering only checks the header portion of an IP packet When To Use Filtering To block allow LAN packets by their MAC addresses To block allow special IP packets which are neither TCP nor UDP nor ICMP packets To block allow both inbound WAN to LAN and outbound LAN to WAN traffic between the specific inside host network A and outside host network B If the filter blocks the traffic from A to B it also blocks the traffic from B to A Filters can not distinguish traffic originating from an inside host or an outside host by IP address To block allow IP trace route 9 7 2 Firewall a a a The firewall inspects packet contents as well as their source and destination addresses Firewalls of this type employ an inspection module applicable to all protocols that understands data in the packet is intended for other layers from the network layer IP headers up to the application layer The firewall performs stateful inspection It takes into account the state of connections it handles so that for example a legitimate incoming packet can be matched with the outbound
84. 33 Size of Client IP Pool 64 Primary DNS Server 0 0 0 0 Secondary DNS Server 0 0 0 0 Remote DHCP Server N A TCP IP Setup IP Address 192 168 1 1 IP Subnet Mask 255 255 255 0 RIP Direction Both Version RIP 1 Multicast None P Policies 1 2 G A Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Figure 22 9 Applying IP Policies IP Policy Routing 22 9 Call Scheduling VPN IPSec and Internal SPTGEN Part V Call Scheduling VPN IPSec and Internal SPTGEN A EELER a UE CE EE eee AN CR ee meas EE Prestige 652 ADSL Security Router Chapter 23 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long 23 1 Introduction The call scheduling feature allows the Prestige to manage a remote node and dictate when a remote node should be called and for how long This feature is similar to the scheduler in a video cassette recorder that lets you specify times to record programs You can apply up to 4 schedule sets in Menu 11 1 Remote Node Profile From the main menu enter 26 to access Menu 26 Schedule Setup as shown next Menu 26 Schedule Setup Schedule Schedule Set Name Set Name T AlwaysOn 7 2 8 3 9 4 10 5 11 6 12 Enter Schedule Set Number to Configure Edit Name Press ENTER to Confirm or ESC to Cancel Figure 23 1 Menu 26 Schedule Setup Lower numbered sets take preceden
85. 4 System Maintenance Menu Diagnostic FIELD DESCRIPTION Reset xDSL Re initialize the xDSL link to the telephone company Ping Host Ping the host to see if the links and TCP IP protocol on both systems are working Reboot System Reboot the Prestige Command Mod e Type the mode to test and diagnose your Prestige using specified commands Host IP Address If you typed 12 to Ping Host now type the address of the computer you want to ping 18 5 Com mand Interpreter Mode This option allows you to enter the command interpreter mode A list of valid commands can be found by typing help or at the command prompt Copyright c 1994 2002 ZYXEL ras gt Valid commands are sys exit device wan poe config ipsec ppp bridge Figure 18 10 Command Mode System Information and Diagnosis 18 9 Prestige 652 ADSL Security Router Chapter 19 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file 19 1 Filename Conventions The configuration file often called the romfile or rom 0 contains the factory default settings in the menus such as password DHCP Setup TCP IP Setup etc It arrives from ZyXEL with a rom filename extension Once you have customized the Prestige s settings they can be saved back to your computer under a filename of your choosing ZyNO
86. 52 ADSL Security Router SERVICES PORT NUMBER HTTP Hyper Text Transfer protocol or WWW Web 80 POP3 Post Office Protocol 110 NNTP Network News Transport Protocol 119 SNMP Simple Network Management Protocol 161 SNMP trap 162 PPTP Point to Point Tunneling Protocol 1723 8 4 1 Configuring a Server behind NAT Follow these steps to configure a server behind NAT Step 1 Enter 15 in the main menu to go to Menu 15 NAT Setup Step 2 Enter 2 to display Menu 15 2 NAT Server Sets as shown next Menu 15 2 NAT Server Sets Server Set 1 Used for SUA Only Server Set 2 Server Set 3 Server Set 4 Server Set 5 Server Set 6 e Server Set 7 Server Set 8 Server Set 9 Server Set 1 1 2 3 4 5 6 7 8 9 0 1 0 Enter Set Number to Edit Figure 8 10 Menu 15 2 NAT Server Setup Step 3 Enter 1 to go to Menu 15 2 1 NAT Server Setup as follows 8 14 NAT Prestige 652 ADSL Security Router Menu 15 2 1 NAT Server Setup Used for SUA Only Rule Start Port No End Port No Address Default Default 0 0 oooooooooooo oooooooooooo oooooooooooo oooooooooooo 0 0 0 0 0 0 0 0 0 0 oooooooooo Press ENTER to Confirm or ESC to Cancel Figure 8 11 Menu 15 2 1 NAT Server Setup Step 4 Enter a port number in an unused Start Port No field To forward only one port enter it again in the End Port No field To specify a range of ports en
87. 652 ADSL Security Router Menu 24 11 Remote Management Control TELNET Server Server Port 23 Server Access LAN only Secured Client IP FTP Server Server Port 21 Server Access LAN only Secured Client IP Web Server Server Port 80 Server Access LAN only Secured Client IP Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Figure 21 2 Menu 24 11 Remote Management Control Table 21 1 Menu 24 11 Remote Management Control FIELD DESCRIPTION EXAMPLE TELNET Server Each of these read only labels denotes a service that you may use to FTP Server remotely manage the Prestige Web Server Server Port This field shows the port number for the remote management service You may change the port number for a service if needed but you must use the same port number to use that service for remote management Server Access Select the access interface if any by pressing SPACE BAR then LAN Only ENTER to choose from LAN only WAN only ALL or Disable default Secured Client IP The default 0 0 0 0 allows any client to use this service to remotely 0 0 0 0 manage the Prestige Enter an IP address to restrict access to a client default with a matching IP address This field is N A when the Server Access field is set to Disable Once you have filled in this menu press ENTER at the message Press ENTER to Confirm or ESC to Cancel to save your configuration or press ESC to can
88. 8 3 2 Syslog and Accounting The Prestige uses the UNIX syslog facility to log the CDR Call Detail Record and system messages to a syslog server Syslog and accounting can be configured in Menu 24 3 2 System Maintenance UNIX Syslog as shown next Menu 24 3 2 System Maintenance UNIX Syslog UNIX Syslog Active No Syslog IP Address Log Facility Local 1 Types CDR No Packet triggered No Filter Log No PPP Log No Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Figure 18 8 Menu 24 3 2 System Maintenance Syslog and Accounting You need to configure the UNIX syslog parameters described in the following table to activate syslog then choose what you want to log 18 6 System Information and Diagnosis Prestige 652 ADSL Security Router Table 18 3 System Maintenance Menu Syslog Parameters PARAMETER DESCRIPTION UNIX Syslog Active Use SPACE BAR and then ENTER to turn syslog on or off Syslog IP Address Type the IP address of your syslog server Log Facility Use SPACE BAR and then ENTER to select one of seven different local options The log facility lets you log the message in different server files Refer to your UNIX manual Types CDR Call Detail Record CDR logs all data phone line activity if set to Yes Packet Triggered The first 48 bytes or octets and protocol type of the triggering packet is sent to the UNIX syslog server whe
89. AN The WAN IP is provided after the ISP verifies the MAC address host name or user ID IP address from Find out the verification method used by your ISP and configure the corresponding the ISP fields 29 2 Troubleshooting Prestige 652 ADSL Security Router 29 6 Problems with Internet Access Table 29 5 Troubleshooting Internet Access PROBLEM CORRECTIVE ACTION cannot access the Internet Make sure the Prestige is turned on and connected to the network If the DSL LED is off refer to the Problems with the DSL LED section Verify your settings in SMT menus 3 2 and 4 Make sure you use correct casing when typing entries Internet connection disconnects Check the schedule rules in SMT menu 26 If you use PPPoA or PPPoE encapsulation check the idle time out setting in SMT menu 11 1 Contact your ISP 29 7 Problems with the Password Table 29 6 Troubleshooting the Password PROBLEM CORRECTIVE ACTION cannot access the Prestige The default password is 1234 The Password field is case sensitive If you have changed the password and have now forgotten it you will need to upload the default configuration file Refer to the Resetting the Prestige section This restores all of the factory defaults including the password Troubleshooting 29 3 Prestige 652 ADSL Security Router 29 8 Problems with the Web Configurator Table 29 7 Troublesho
90. AT Server Sets Enter Menu Selection Number Figure 8 5 Menu 15 NAT Setup 8 3 1 Address Mapping Sets Enter 1 to bring up Menu 15 1 Address Mapping Sets Menu 15 1 Address Mapping Sets LD oO JO YN N a SUA read only Enter Menu Selection Number Enter Menu Selection Number Figure 8 6 Menu 15 1 Address Mapping Sets SUA Address Mapping Set Enter 255 to display the next screen see also section 8 2 1 The fields in this menu cannot be changed 8 8 NAT Prestige 652 ADSL Security Router Set Name SUA Idx Local Start IP 2s EN 4 5 6 hs 8 9 0 mm Menu 15 1 255 Address Mapping Rules Local End IP Global Start IP Global End IP Press ENTER to Confirm or ESC to Cancel Server Figure 8 7 Menu 15 1 255 SUA Address Mapping Rules The following table explains the fields in this screen Menu 15 1 255 is read only Table 8 4 SUA Address Mapping Rules FIELD DESCRIPTION EXAMPLE Set Name This is the name of the set you selected in menu SUA 15 1 or enter the name of a new set you want to default create default ldx This is the index or rule number 1 Local Start IP Local Start IP is the starting local IP address ILA 0 0 0 0 see Figure 8 1 Local End IP Local End IP is the ending local IP address ILA 255 255 255 255 If the rule is for all local IPs then the Start IP is 0 0 0 0 and the End IP is 255 255 255 255 Global Start IP
91. AT for Internet access in menu 4 Enter 4 from the main menu to go to Menu 4 Internet Access Setup Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation RFC 1483 Multiplexing LLC based VPI 0 VCI 35 ATM QoS Type CBR Peak Cell Rate PCR 0 Sustain Cell Rate SCR 0 Maximum Burst Size MBS 0 My Login N A My Password N A ENET ENCAP Gateway N A IP Address Assignment Static IP Address 0 0 0 0 Network Address Translation SUA Only L e M d N A Figure 8 3 Menu 4 Applying NAT for Internet Access The following figure shows how you apply NAT to the remote node in menu 11 1 Step 1 Enter 11 from the main menu Step 2 Move the cursor to the Edit IP field press SPACE BAR to select Yes and then press ENTER to bring up Menu 11 3 Remote Node Network Layer Options 8 6 NAT Prestige 652 ADSL Security Router Menu 11 3 Remote Node Network Layer Options IP Options IP Address Assignment Static Rem IP Addr 0 0 0 0 Rem Subnet Mask 0 0 0 0 NAT Full Feature reee Ma ppins Metric 2 Private No RIP Direction Both Version RIP 2B Multicast IGMP v2 IP Policies Bridge Options Ethernet Addr Timeout min 0 Press ENTER to Confirm or ESC to Cancel Figure 8 4 Menu 11 3 Applying NAT to the Remote Node The following table describes the options for Network Address Translation Table 8 3 Applying NAT in Menus 4 amp 11 3 Transl
92. Corporation A PC3 PC2 NT Server 192 168 1 1 Corporation B PC2 Server in Sales Network IP 2 IGA 2 LAN2 192 168 2 X Mr S25 Network Server Sales 192 168 2 1 NT Server 192 168 2 1 PC PC Serverin R amp D Network N IP 3 IGA 3 LAN3 192 168 3 X 192 168 3 1 Network Server R amp D 192 168 3 1 WAN Addresses LAN Addresses Default IPs gt 192 1682 1 192 168 3 1 Figure 8 2 NAT Application With IP Alias 8 1 5 NAT Mapping Types NAT supports five types of IP port mapping They are One to One In One to One mode the Prestige maps one local IP address to one global IP address 2 Many to One In Many to One mode the Prestige maps multiple local IP addresses to one global IP address This is equivalent to SUA for instance PAT port address translation ZyXEL s Single User Account feature that previous ZyXEL routers supported the SUA Only option in today s routers 3 Many to Many Overload In Many to Many Overload mode the Prestige maps the multiple local IP addresses to shared global IP addresses 4 Many to Many No Overload In Many to Many No Overload mode the Prestige maps each local IP address to a unique global IP address 5 Server This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world 8 4 NAT Prestige 652 ADSL Security Router Port numbers do not change for One to One and Many to
93. DESCRIPTION 1 coldStart defined in RFC 1215 A trap is sent after booting power on 2 warmsStart defined in RFC 1215 A trap is sent after booting software reboot 3 linkUp defined in RFC 1215 A trap is sent with the port number 4 authenticationFailure defined in A trap is sent to the manager when receiving any SNMP RFC 1215 get or set requirements with wrong community password 6 linkDown defined in RFC 1215 A trap is sent with the port number when any of the links are down See the following table The port number is its interface index under the interface group Table 17 3 Ports and Permanent Virtual Circuits PORT PVC PERMANENT VIRTUAL CIRCUIT 1 Ethernet LAN 2 1 3 2 13 12 14 xDSL 17 4 SNMP Configuration Prestige 652 ADSL Security Router Chapter 18 System Information and Diagnosis This chapter covers the information and diagnostic tools in SMT menus 24 1 to 24 4 These tools include updates on system status port status log and trace capabilities and upgrades for the system software This chapter describes how to use these tools in detail Type 24 in the main menu to open Menu 24 System Maintenance as shown in the following figure Menu 24 System Maintenance System Status System Information and Console Port Speed Log and Trace Diagnostic Backup Configuration Restore Configuration Upload Firmware Command Interpreter Mode Call Control Tim
94. DSLAM Digital Subscriber Line Access Multiplexer providers making configuration as simple as possible for you e Multiplexing The Prestige supports VC based and LLC based multiplexing Encapsulation The Prestige supports PPPoA RFC 2364 PPP over ATM Adaptation Layer 5 RFC 1483 encapsulation over ATM MAC encapsulated routing as well as PPP over Ethernet RFC 2516 Network Management Menu driven SMT System Management Terminal management Embedded Web Configurator CLI Command Line Interpreter Remote SMT session via Telnet SNMP manageable Local SMT session via console port DHCP Server Client Built in Diagnostic Tools Syslog Telnet Support Password protected telnet access to internal configuration manager TFTP FTP server firmware upgrade and configuration backup support supported Supports OAM F4 F5 loop back AIS and RDI OAM cells O Other PPPoE Features PPPoE idle time out PPPoE Dial on Demand Getting To Know Your Prestige Prestige 652 ADSL Security Router e Diagnostics Capabilities The Prestige can perform self diagnostic tests These tests check the integrity of the following circuitry FLASH memory ADSL circuitry RAM LAN port Ease of Installation Your Prestige is designed for quick intuitive and easy installation Housing Your Prestige s all new compact and ventilated housing minimizes space requirements making it easy to position anywhere
95. E 1 1 1 3 Applications for the Prestige 652 ener enne nennen nennen 1 6 Chapter 2 Hardware Installation and Initial Setup Lecce eee eee eres seen seen nete neta stu na ena 2 1 2 1 Front Panel LEDs of the P652 00 2 isses eee hide efie ie RIP 2 1 2 2 Rear Panel and Connections ENEE a 2 2 2 3 Additional Installation Requirements essere 2 3 2 45 P652 With POTS eee Hr K ERE HIPH E UE UR ODER CH Pedes 2 4 2 5 P652 ln EC E EE 2 6 2 6 Turning On Your Prestige iia id 2 7 2 7 Configuring Your Prestige For Internet Access sese 2 7 2 8 Resetting the Prestige ssi ete EENS dee i PVC E Re Pee Ted ee Enden 2 8 SCH Navigating the SMU Interface e ds 2 10 2 10 Changing the System Password ener nennen enne 2 13 Chapter REID OC TINTTIT TU R X oe ssis riro tS 3 1 ac System Name T HM 3 1 32 Dynamic DNS eerie EN ee E S EDEN rg ee 3 1 3 37 General Setup E 3 2 34o LAN Pi se 3 4 3 5 Protocol Dependent Ethernet SUPL ia 3 5 Chapter 4 Tinternet uo e ehose Sno 4 1 4 1 Factory Ethernet Defaults intem e RR RE eT EN OS EU irr Dee ef 4 1 42 ANS and WAN Sita 4 1 43 IC EE EE 4 2 GE e LO EE 4 5 AD A otto eese Deb iip Reale E 4 5 Aloe IRA MS enee ee Sabe bos ee ee unto cet os sh 4 5 Z7 Route IP Set pz ion nteetsec Dp UD meet qais aestivis edito Ie co dd ere Uds 4 8 4 8 TCP IP Ethernet Se
96. ER to Confirm or ESC to Cancel Figure 8 18 Example 3 Menu 11 3 The following figure shows how to configure the first rule Menu 15 1 1 1 Address Mapping Rule m one to one Local IP Start 192 168 1 10 End Global IP Start End MA Server Mapping Set N A Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Figure 8 19 Example 3 Menu 15 1 1 1 NAT 8 21 Prestige 652 ADSL Security Router Menu 15 1 1 Address Mapping Rules Global End IP 192 168 L 0 1921681 11 0 0 0 0 255 255 255 255 Action Edit Select Rule Press ENTER to Confirm or ESC to Cancel Figure 8 20 Example 3 Final Menu 15 1 1 Now configure the IGA3 to map to our web server and mail server on the LAN Step 8 Enter 15 from the main menu Step 9 Enter 2 in Menu 15 NAT Setup Step 10 Enter 1 in Menu 15 2 NAT Server Sets to see the following menu Configure it as shown 8 22 NAT Prestige 652 ADSL Security Router Menu 15 2 1 NAT Server Setup Used for SUA Only Start Port No End Port No IP Address Default Default 80 80 25 oooooooo 00 000 0 Y 0 0 0 0 0 0 0 0 0 oOooooococoocsococ oooooooodcj Oooocoooocoocoo Press ENTER to Confirm or ESC to Cancel Example 3 Menu 15 2 1 8 5 4 Example 4 NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation In this case it is better to
97. ERNAL NAME DESCRIPTION Configuration Rom 0 This is the configuration filename on the rom File Prestige Uploading the rom 0 file replaces the entire ROM file system including your Prestige configurations system related data including the default password the error log and the trace log Firmware Ras This is the generic name for the ZyNOS bin firmware on the Prestige 19 2 Backup Configuration The Prestige displays different messages explaining different ways to backup restore and upload files in menus 24 5 24 6 24 7 1 and 24 7 2 depending on whether you use the console port or Telnet Option 5 from Menu 24 System Maintenance allows you to backup the current Prestige configuration to your computer Backup is highly recommended once your Prestige is functioning properly FTP is the preferred method for backing up your current configuration to your computer since it is faster You can also perform backup and restore using menu 24 through the console port Any serial communications program should work fine however you must use Xmodem protocol to perform the download upload and you don t have to rename the files Please note that terms download and upload are relative to the computer Download means to transfer from the Prestige to the computer while upload means from your computer to the Prestige 19 2 Firmware and Configuration File Maintenance Prestige 652 ADSL Security Router
98. IP Policies Set 4 1 12 256 I MENU 3 2 1 IP ALIAS SETUP SMT MENU 3 2 1 FIN FN PVA INPUT 30201001 IP Alias 1 lt 0 No 1 Yes gt 30201002 IP Address 0 0 0 0 30201003 IP Subnet Mask 30201004 RIP Direction lt 0 None 1 Both a 2 In Only 3 Out Maso Only between 30201005 Version lt 0 Rip 1 1 Rip 2B 0 ioo 2 Rip 2M gt 30201006 IP Alias 1 Incoming protocol filters 256 Set 1 30201007 IP Alias 1 Incoming protocol filters 256 Set 2 30201008 IP Alias 1 Incoming protocol filters 256 Set 3 30201009 IP Alias 1 Incoming protocol filters 256 Set 4 Example Internal SPTGEN Screens Prestige 652 ADSL Security Router 30201010 IP Alias 1 Outgoing protocol filters 256 Set 1 30201011 IP Alias 1 Outgoing protocol filters 256 Set 2 30201012 IP Alias 1 Outgoing protocol filters 256 Set 3 30201013 IP Alias 1 Outgoing protocol filters 256 Set 4 30201014 IP Alias 2 lt 0 No 1 Yes gt 30201015 IP Address 0 0 0 0 30201016 IP Subnet Mask 30201017 RIP Direction lt 0 None 1 Both 2 In Only 3 Out Only gt 30201018 Version O Rip 1 1 Rip 2B 0 2 Rip 2M gt 30201019 IP Alias 2 Incoming protocol filters 256 Set 1 30201020 IP Alias 2 Incoming protocol filters 256 Set 2 30201021 IP Alias 2 Incoming protocol filters 256 Set 3 30201022 IP Alias 2
99. Information sese 18 3 Source Address oooooocconoccconooncnocnnanononnn 12 3 12 10 Seto Informati Dino ass 18 1 Source Based Routing sss 22 1 System Maintenance 18 1 18 3 19 2 19 5 19 SPIES iin ited ann tende 2 4 13 19 14 20 1 20 2 20 4 SPTGEN Screens sese L System Management Terminal 2 10 Stateful Inspection 1 2 9 1 9 2 9 7 9 8 System Parameter Table Generator 28 1 Prestige iiie tren imer niea 9 9 System Status cei teretes 18 2 toeerst eege 9 8 System Timeout essere 21 4 JJ Index Prestige 652 ADSL Security Router T TCP Maximum Incomplete 11 7 11 8 11 10 TCP Secutity ss attese 9 10 ERR e 6 1 9 3 9 4 16 16 18 9 21 1 TCP IP Options iino ise s 6 1 TCP IP Parameters 2 42 54 esee 4 2 Kee E 9 4 Telephone Micerofblters esses 2 5 Telnet ete eo A 21 1 Telnet Configuration sss 21 1 Telnet Under NAT sees 2 1 Text File Forma buin 28 1 TFTP and FTP Over WAN 19 4 21 3 TETP File Transfer 19 12 TFTP Restrictions ocooccconononcnonancconnnnss 19 4 21 3 Three Way Handshake sssss 9 5 Threshold Values sss 11 6 Time and Date Seng 20 4 20 5 Time Zone ui ona ie pop D PRAES 20 5 Time Ud ita 12 13 12 14 To avoid damage to the Prestige 2 3 TOS Type of Se
100. KE SA setup to establish session keys 768 bit Group 1 DH1 and 1024 bit Group 2 DH2 Diffie Hellman groups are supported Upon completion of the Diffie Hellman exchange the two peers have a shared secret but the IKE SA is not authenticated For authentication use pre shared keys 25 5 5 Perfect Forward Secrecy PFS Enabling PFS means that the key is transient The key is thrown away and replaced by a brand new key using a new Diffie Hellman exchange for each new IPSec SA setup With PFS enabled if one key is compromised previous and subsequent keys are not compromised because subsequent keys are not derived from previous keys The time consuming Diffie Hellman exchange is the trade off for this extra security This may be unnecessary for data that does not require such security so DES is disabled None by default in the Prestige Disabling PFS means new authentication and encryption keys are derived from the same root secret which may have security implications in the long run but allows faster SA setup by bypassing the Diffie Hellman key exchange 25 14 VPN IPSec Setup Prestige 652 ADSL Security Router Menu 27 1 1 1 IKE Setup Phase 1 Negotiation Mode Main Pre Shared Key Encryption Algorithm DES Authentication Algorithm MD5 SA Life Time Seconds 28800 ey Group DH1 Phase 2 Active Protocol ESP Encryption Algorithm DES Authentication Algorithm SHA1 SA Life Time Seconds 28800 Encapsu
101. LAN and 11 3 WAN 4 6 IP Alias IP Alias allows you to partition a physical network into different logical networks over the same Ethernet interface The Prestige supports three logical LAN interfaces via its single physical Ethernet interface with the Prestige itself as the gateway for each LAN network Internet Access 4 5 Prestige 652 ADSL Security Router Prestige LAN 1 1P Address Menu 3 2 Ethernet Interface LAN 2 IP Alias 1 Menu 3 2 1 LAN 3 IP alias 2 Menu 3 2 1 Figure 4 2 Physical Network Figure 4 3 Partitioned Logical Networks Use menu 3 2 1 to configure IP Alias on your Prestige 4 6 1 IP Alias Setup Use menu 3 2 to configure the first network Move the cursor to Edit IP Alias field and press SPACEBAR to choose Yes and press ENTER to configure the second and third network Menu 3 2 TCP IP and DHCP Ethernet Setup DHCP Setup DHCP Server Client IP Pool Starting Addres 192 168 1 33 Size of Client IP Pool 32 Primary DNS Server 0 0 0 0 Secondary DNS Server 0 0 0 0 Remote DHCP Server N A TCP IP Setup IP Address 192 168 1 1 IP Subnet Mask 255 255 255 0 RIP Direction None Version N A Multicast None IP Policies el No Press ENTER to confirm or ESC to Cancel Press Space Bar to Toggle Figure 4 4 Menu 3 2 TCP IP and DHCP Ethernet Setup 4 6 Internet Access Prestige 652 ADSL Security Router Pressing ENTER displays Menu 3 2 1 IP Alias Set
102. MAGE YOUR PRESTIGE WHEN THE RESTORE CONFIGURATION PROCESS IS COMPLETE THE PRESTIGE WILL AUTOMATICALLY RESTART 19 3 1 Restore Using FTP For details about backup using T FTP please refer to earlier sections on FTP and TFTP file upload in this chapter Menu 24 6 System Maintenance Restore Configuration To transfer the firmware and configuration file to your workstation follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your router Then type root and SMT password as requested 3 Type put backupfilename rom 0 where backupfilename is the name of your backup configuration file on your workstation and rom 0 is the remote file name on the router This restores the configuration to your router 4 The system reboots automatically after a successful file transfer For details on FTP commands please consult the documentation of your FTP client program For details on backup using TFTP note that you must remain in this menu to back up using TFTP please see your router manual Press ENTER to Exit Figure 19 7 Telnet into Menu 24 6 Step 1 Launch the FTP client on your computer Step 2 Enter open followed by a space and the IP address of your Prestige Step 3 Press ENTER when prompted for a username Step 4 Enter your password as requested the default is 1234 Step 5 Enter bin to set transfer mode to binary Step 6 F
103. Many No Overload NAT mapping types The following table summarizes these types Table 8 2 NAT Mapping Types TYPE IP MAPPING SMT ABBREVIATION One to One ILA1E gt IGA1 1 1 Many to One SUA PAT ILA1E gt IGA1 M 1 ILA2 lt gt IGA1 Many to Many Overload ILA1 lt gt 5 IGA1 M M Ov ILA2 IGA2 ILA3 gt IGA1 ILA4 IGA2 Many to Many No Overload ILA1 IGA1 M M No OV ILA2 IGA2 ILA3 IGA3 Server Server 1 IP IGA1 Server Server 2 IP IGA1 Server 3 IP IGA1 8 2 Using NAT In addition to setting up SUA NAT you must create a firewall rule to allow traffic from the WAN to be forwarded through the Prestige 8 2 1 SUA Single User Account Versus NAT SUA Single User Account is a ZyNOS implementation of a subset of NAT that supports two types of mapping Many to One and Server See section 8 3 for a detailed description of the NAT set for SUA NAT 8 5 Prestige 652 ADSL Security Router The Prestige also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types as outlined in Table 8 2 1 Choose SUA Only if you have just one public WAN IP address for your Prestige 2 Choose Full Feature if you have multiple public WAN IP addresses for your Prestige 8 2 2 Applying NAT You apply NAT via menus 4 or 11 3 as displayed next The next figure shows you how to apply N
104. Menu 12 1 IP Static Route Setup o AU bs AH Enter selection number Figure 6 7 Menu 12 1 IP Static Route Setup Step 3 Now type the route number of a static route you want to configure Menu 12 1 1 Edit IP Static Route Route 1 Route Name Active No Destination IP Address IP Subnet Mask Gateway IP Address Metric 2 Private No Press ENTER to Confirm or ESC to Cancel Figure 6 8 Edit IP Static Route Remote Node TCP IP Configuration 6 7 Prestige 652 ADSL Security Router The following table describes the fields for Menu 12 1 1 Edit IP Static Route Setup Table 6 3 Edit IP Static Route Menu Fields FIELD DESCRIPTION Route This is the index number of the static route that you chose in menu 12 1 Route Name Type a descriptive name for this route This is for identification purpose only Active This field allows you to activate deactivate this static route Destination IP Address This parameter specifies the IP network address of the final destination Routing is always based on network number If you need to specify a route to a single host use a subnet mask of 255 255 255 255 in the subnet mask field to force the network number to be identical to the host ID IP Subnet Mask Type the subnet mask for this destination Follow the discussion on P Subnet Mask in this manual Gateway IP Address Type the IP address of the gateway The gateway i
105. My Login Type the login name assigned by your ISP when the Prestige calls this remote node My Password Type the password assigned by your ISP when the Prestige calls this remote node Authen This field sets the authentication protocol used for outgoing calls Options for this field are CHAP PAP Your Prestige will accept either CHAP or PAP when requested by this remote node CHAP accept CHAP Challenge Handshake Authentication Protocol only PAP accept PAP Password Authentication Protocol only PAP Route This field determines the protocol used in routing Options are IP and None Bridge When bridging is enabled your Prestige will forward any packet that it does not route to this remote node otherwise the packets are discarded Select Yes to enable and No to disable No Edit IP Bridge Press SPACE BAR to select Yes and press ENTER to display Menu 11 3 Remote Node Network Layer Options No Edit ATM Options Press SPACE BAR to select Yes and press ENTER to display Menu 11 6 Remote Node ATM Layer Options No Telco Option Allocated Budget min This sets a ceiling for outgoing call time for this remote node The default for this field is O meaning no budget control 0 default Period hr This field is the time period that the budget should be reset For example if we are allowed to call this remote node for a maximum of 10 minutes e
106. N Additional Information Part VI ADDITIONAL INFORMATION VI Prestige 652 ADSL Security Router Chapter 29 Troubleshooting This chapter covers potential problems and the corresponding remedies 29 1 Problems Starting Up the Prestige Table 16 1 Troubleshooting the Start Up of Your Prestige PROBLEM CORRECTIVE ACTION None of the the Prestige Make sure that the Prestige s power adapter is connected to the Prestige and plugged in to LEDs turn on an appropriate power source Check that the Prestige and the power source are both turned when turn on on Turn the Prestige off and on If the error persists you may have a hardware problem In this case you should contact your vendor cannot 1 Make sure the Prestige is connected to your computer s serial port access the Prestige via the console port 2 Make sure the communications program is configured correctly The communications software should be configured as follows VT100 terminal emulation 9600 bps is the default speed on leaving the factory Try other speeds in case the speed has been changed No parity 8 data bits 1 stop bit data flow set to none 29 2 Problems with the LAN LED Table 29 1 Troubleshooting the LAN LED PROBLEM CORRECTIVE ACTION The LAN LEDs d turn on o not Check your Ethernet cable connections and type crossover when connecting to a comp
107. NOTICE String String Packet trigger Protocol xx Data XXXXXXXXXX X Protocol 1 1P 2 1PX 3 IPXHC 4 BPDU 5 ATALK 6 IPNG Data We will send forty eight Hex characters to the server Jul 19 11 28 39 192 168 102 2 ZYXEL Packet Trigger Protocol 1 Data 4500003c100100001f 010004c0a86614ca849a7008004a5c020001006162636465666768696a6b6c6d6e6 70717273 74 System Information and Diagnosis 18 7 Prestige 652 ADSL Security Router Jul 19 11 28 56 192 168 102 2 ZYXEL Packet Trigger Protocol 1 Data 4500002c1b0140001f06b50ec0a86614ca849a7b0427001700195b3e00000000600220008cd40000020405b4 Jul 19 11 29 06 192 168 102 2 ZYXEL Packet Trigger Protocol 1 Data 45000028240140001f06ac12c0a86614ca849a7b0427001700195b451d1430135004000077600000 3 Filter Log SdemdSyslogSend SYSLOG FILLOG SYSLOG NOTICE String String IP Src xx xx xx xx Dst xx XX XX XX prot spo xxxx dpo xxxx S04 gt R01mD IP is the packet header and S04 gt R01mD means filter set 4 S and rule 1 R match m drop D Src Source Address Dst Destination Address prot Protocol TCP UDP ICMP Spo Source port dpo Destination port Jul 19 14 43 55 192 168 102 2 ZYXEL IP Src 202 132 154 123 Dst 255 255 255 255 UDP spo 0208 dpo 0208 S03 gt RO1mF Jul 19 14 44 00 192 168 102 2 ZYXEL IP Src 192 168 102 20 Dst 202 132 154 1 UDP spo 05d4 dpo 0035 S03 gt RO1mF Jul 19 14 44 04 192 168 102 2 ZYXEL
108. NTER to Confirm or ESC to Cancel Figure 16 17 Filtering Ethernet Traffic 16 6 2 Remote Node Filters Go to menu 11 5 shown next and type the number s of the filter set s as appropriate You can cascade up to four filter sets by typing their numbers separated by commas For PPPoE encapsulation you have the option of specifying remote node call filter sets Insert the factory default filter set NetBIOS WAN in the protocol filters field under Call Filter Sets in menu 11 5 to block local NetBIOS traffic from triggering calls to the ISP 16 18 Filter Configuration Prestige 652 ADSL Security Router Menu 11 5 Remote Node Filter Apply filter 3 to Input Filter Sets block Tel FTP protocol filters and Web traffic device filters from the WAN Output Filter Sets protocol filters device filters Apply filter 1 to block NETBIOS traffic to the Enter here to CONFIRM or ESC to CANCEL WAN Figure 16 18 Filtering Remote Node Traffic Menu 11 5 Remote Node Filter Input Filter Sets protocol filters 3 Device filters Output Filter Sets protocol filters 1 Apply filter 1 to Device filters Call Filter Sets eng block NETBIOS protocol filters 1 traffic from device filters triggering calls Enter here to CONFIRM or ESC to CANCEL Figure 16 19 Filtering Remote Node Traffic with PPPoE Filter Configuration 16 19 Prestige 652 ADSL Security Router
109. No Ether Address IP Address Gateway Node 1 Press ENTER to Confirm or ESC to Cancel Figure 7 2 Menu 12 3 1 Edit Bridge Static Route The following table describes the Edit Bridge Static Route menu Table 7 2 Edit Bridge Static Route Menu Fields FIELD DESCRIPTION Route This is the route index number you typed in Menu 12 3 Bridge Static Route Setup Route Name Type a name for the bridge static route for identification purposes Active Indicates whether the static route is active Yes or not No Ether Address Type the MAC address of the destination computer that you want to bridge the packets to IP Address If available type the IP address of the destination computer that you want to bridge the packets to Gateway Node Press SPACE BAR and then ENTER to select the number of the remote node one to eight that is the gateway of this static route When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the previous screen Bridging Setup 7 3 Prestige 652 ADSL Security Router Chapter Network Address Translation NAT This chapter discusses how to configure NAT on the Prestige 8 1 Introduction NAT Network Address Translation NAT RFC 1631 is the translation of the IP address of a host in a packet for example the source address
110. ONS Active Press SPACE BAR to toggle between Yes and No Choose Yes and Yes No press ENTER to activate the schedule set Start Date Enter the start date when you wish the set to take effect in year month date format Valid dates are from the present to 2036 February 5 How Often Should this schedule set recur weekly or be used just once only Press Once Weekly SPACE BAR to toggle between Once and Weekly Both these options are mutually exclusive If Once is selected then all weekday settings are N A When Once is selected the schedule rule deletes automatically after the scheduled time elapses Once If you selected Once in the How Often field above then enter the date Date the set should activate here in year month date format Weekday If you selected Weekly in the How Often field above then select the Yes D day s when the set should activate and recur by going to that day s No ay and pressing SPACE BAR to select Yes then press ENTER N A 23 2 Call Scheduling Prestige 652 ADSL Security Router Table 23 1 Schedule Set Setup Fields FIELD DESCRIPTION OPTIONS Start Time Enter the start time when you wish the schedule set to take effect in hour minute format Duration Enter the maximum length of time this connection is allowed in hour minute format Action Forced On means that the connection is maintained whether or not there is a demand call on the line and will p
111. ONS Address Info Mail Server Enter the IP address of your mail server in dotted decimal notation Your Internet Service Provider ISP should be able to provide this information If this field is left blank log and alert messages will not be sent via e mail Mail Subject Enter a subject that you want to appear in the subject field of your e mail here see Figure 11 3 If you leave this field blank then the default Firewall Alert From Prestige displays as your e mail subject E mail Alerts To Enter the e mail address username mydomain com of whoever is responsible for maintaining the firewall e g your system administrator If this field is left blank alert messages will not be sent via e mail Return address Enter an e mail address to identify the Prestige as the sender of the e mail messages i e a return to sender address for backup purposes Log Timer Log Schedule This pop up menu is used to configure the frequency of log messages being sent as e mail daily weekly hourly When Log is Full only when the log is full or none If the Weekly or the Hourly Daily option is selected specify a time of day when the e Daily mail should be sent If the Weekly option is selected then also specify which day of the week the e mail should Weekly be sent If the When Log is Full option is selected an None alert is sent when the log fills up If you select None no log messages are e mailed Day
112. OTS Plain Old Telephone System and one for ADSL over ISDN Integrated Synchronous Digital System Both models are discussed together in this guide The Prestige 652 is an ADSL router used for Internet LAN access via an ADSL line The P652 can run maximum upstream transmission rates of up to 832Kbps and maximum downstream transmission rates of 8Mbps The actual rate depends on the copper category of your telephone wire distance from the central office and the type of ADSL service subscribed to See the What is DSL section for more background information on DSL and ADSL The P652 s 10 100M auto negotiating LAN interface enables fast data transfer of either 10Mbps or 100Mbps in either half duplex or full duplex mode depending on your Ethernet network Your Prestige is easy to install and configure All functions of the Prestige are software configurable via the SMT System Management Terminal and web configurator Advanced users may configure the Prestige using CLI Command Line Interface commands Register your Prestige online at www zyxel com for free future product updates and information About This User s Guide This User s Guide covers all aspects of the Prestige 652 operations and shows you how to use the SMT to get the best out of its multiple advanced features It is designed to guide you through the correct configuration of your Prestige 652 for various applications Related Documentation gt Supporting Disk More detai
113. P Routing Policy Setup To setup a routing policy perform the following procedures Step 1 Type 25 in the main menu to open Menu 25 IP Routing Policy Setup Step 2 Type the index of the policy set that you want to configure to open Menu 25 1 IP Routing Policy Setup Menu 25 1 shows the summary of a policy set including the criteria and the action of a single policy and whether a policy is active or not Each policy contains two lines The former part is the criteria of the incoming packet and the latter is the action Between these two parts separator means the action is taken on criteria matched and separator means the action is taken on criteria not matched 22 2 IP Policy Routing Prestige 652 ADSL Security Router Menu 25 1 IP Routing Policy Setup Criteria Action SA 1 1 1 1 1 1 1 1 DA 2 2 2 2 2 2 2 5 SP 20 25 DP 20 25 P 6 T NM PR 0 GW 192 168 1 1 T MT PR 0 Enter Policy Rule Number 1 6 to Configure Figure 22 2 Menu 25 1 Sample IP Routing Policy Setup Table 22 1 IP Routing Policy Setup ABBREVIATION MEANING Criterion SA Source IP Address SP Source Port DA Destination IP Address DP Destination Port IP layer 4 protocol number TCP 6 UDP 17 Type of service of incoming packet PR Precedence of incoming packet Action GW Gateway IP address Outgoing Type of service Outgoing Precedence
114. Prestige 652 ADSL Security Router User s Guide Version 3 40 August 2002 ZyXEL TOTAL INTERNET ACCESS SOLUTION Prestige 652 ADSL Security Router Copyright Copyright O 2002 by ZyXEL Communications Corporation The contents of this publication may not be reproduced in any part or as a whole transcribed stored in a retrieval system translated into any language or transmitted in any form or by any means electronic mechanical magnetic optical chemical photocopying manual or otherwise without the prior written permission of ZyXEL Communications Corporation Published by ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it convey any license under its patent rights nor the patent rights of others ZyXEL further reserves the right to make changes in any products described herein without notice This publication is subject to change without notice Trademarks ZyNOS ZyXEL Network Operating System is a registered trademark of ZyXEL Communications Inc Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners ii Copyright Prestige 652 ADSL Security Router Federal Communications Commission FCC Interference Statement This device complies with Part 15 of FCC rules Operation is su
115. Prestige 652 ADSL Security Router a Denies all sessions originating from the WAN to the LAN User A initiates a Telnet session Return traffic for User A s Telnet session is permitted Other Telnet traffic is blocked WAN Figure 9 5 Stateful Inspection The previous figure shows the Prestige s default firewall rules in action as well as demonstrates how stateful inspection works User A can initiate a Telnet session from within the LAN and responses to this request are allowed However other Telnet traffic initiated from the WAN is blocked 9 5 1 Stateful Inspection Process In this example the following sequence of events occurs when a TCP packet leaves the LAN network through the firewall s WAN interface The TCP packet is the first in a session and the packet s application layer protocol is configured for a firewall rule inspection The packet travels from the firewall s LAN to the WAN 2 The packet is evaluated against the interface s existing outbound access list and the packet is permitted a denied packet would simply be dropped at this point 3 The packet is inspected by a firewall rule to determine and record information about the state of the packet s connection This information is recorded in a new state table entry created for the new connection If there is not a firewall rule for this packet and it is not an attack then The default action for packets not matching following rules field see Figure
116. RAN 16 8 Table 16 3 TCP IP Filter Rule Menu Fields A 16 10 Table 16 4 Generic Filter Rule Menu Fields cuen iii een 16 15 Tabl 16 5 Filters ets Tale sra es Mors ls o io 16 20 Table 17 1 SNMP Configuration Menu Helde 17 3 EIERE SCHO LENK EE 17 4 Table 17 3 Ports and Permanent Virtual Circuits eese enne ener nre nennen 17 4 Table 18 1 System Maintenance Status Menu Fields 18 2 Table 18 2 Fields in System Maintenance sse nere ener ER nennen nnns 18 4 Table 18 3 System Maintenance Menu Syslog Parameters 18 7 Table 18 4 System Maintenance Menu Diagnostic essssesssssesseseeeee ener nnne 18 9 Table 19 1 Eilename Conyventlohs netiis EAR DUI er le eO E Uere tne 19 2 Table 19 2 General Commands for GUI based FTP Clients 19 4 List of Diagrams xxi Prestige 652 ADSL Security Router Table 19 3 General Commands for GUI based TFTP Clients eese 19 6 Table 20 1 Budget Management 20 3 Table 20 2 Time and Date Setting Fields sse eee 20 5 Table 21 1 Menu 24 11 Remote Management Control 21 3 Table 22 1 IP Routing Policy Setup 22 3 Table 22 2 IP Routing Poli levet tue aU 22 4 Table 23 1 Schedule Set Setup Fields eee ie nece diese 23 2 Table 242 T VPNi nd NAT 3 egt eite dte e ete do e ERR 24 6 Table 252 LAH and ESP aie tans A d es 25 3 Table 25 2 Telecommuter and Headquarters Configuration Example sse 25 4 Table 25
117. Router NAT never changes the IP address either local or global of an outside host 8 1 2 What NAT Does In the simplest form NAT changes the source IP address in a packet received from a subscriber the inside local address to another the inside global address before forwarding the packet to the WAN side When the response comes back NAT translates the destination address the inside global address back to the inside local address before forwarding it to the original inside host Note that the IP address either local or global of an outside host is never changed The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP In addition you can designate servers for example a web server and a telnet server on your local network and make them accessible to the outside world If you do not define any servers for Many to One and Many to Many Overload mapping see Table 2 NAT offers the additional benefit of firewall protection With no servers defined your Prestige filters out all incoming inquiries thus preventing intruders from probing your network For more information on IP address translation refer to RFC 1631 The IP Network Address Translator NAT 8 1 3 How NAT Works Each packet has two addresses a source address and a destination address For outgoing packets the ILA Inside Local Address is the source address on the LAN and the IGA Inside Global Address is the
118. S ZyXEL Network Operating System sometimes referred to as the ras file is the system firmware and has a bin filename extension With many FTP and TFTP clients the filenames are similar to those seen next ftp gt put firmware bin ras This is a sample FTP session showing the transfer of the computer file firmware bin to the Prestige ftp gt get rom 0 config cfg This is a sample FTP session saving the current configuration to the computer file config cfg If your T FTP client does not allow you to have a destination filename different than the source you will need to rename them as the Prestige only recognizes rom 0 and ras Be sure you keep unaltered copies of both files for later use The following table is a summary Please note that the internal filename refers to the filename on the Prestige and the external filename refers to the filename not on the Prestige that is on your computer local network or FTP site and so the name but not the extension may vary After uploading new firmware see the ZyNOS F W Version field in Menu 24 2 1 System Maintenance Information to confirm that you have uploaded the correct firmware version The AT command is the command you enter after you press y when prompted in the SMT menu to go into debug mode Firmware and Configuration File Maintenance 19 1 Prestige 652 ADSL Security Router Table 19 1 Filename Conventions FILE TYPE INTERNAL NAME EXT
119. SC to Cancel to save your configuration or press ESC to cancel 20 3 1 Resetting the Time The Prestige resets the time in three instances i On leaving menu 24 10 after making changes ii When the Prestige starts up if there is a time server configured in menu 24 10 iii 24 hour intervals after starting System Maintenance and Information 20 5 Prestige 652 ADSL Security Router Chapter 21 Remote Management This chapter covers remote management found in SMT menu 24 11 21 1 About Telnet Configuration Before the Prestige is properly setup for TCP IP the only option for configuring it is through the console port Once your Prestige is configured you can use Telnet to configure it remotely as shown below User telnets into the LAN via the Prestige Figure 21 1 Telnet Configuration on a TCP IP Network 21 2 Telnet Under NAT When Network Address Translation NAT is enabled and an inside server is specified telnet connections from the outside will be forwarded to the inside server So to configure the Prestige via telnet from the outside you must first telnet to the inside server and then telnet from the server to the Prestige using its inside LAN IP address If no inside server is specified telnetting to the NAT s IP address will connect to the Prestige directly 21 3 Telnet Capabilities 21 3 1 Single Administrator To prevent confusion and discrepancy on the configuration your Prestige only allow
120. SE 12 4 EE TE KEE 12 6 12 6 Mi uisus a A lA 12 13 Chapter 13 Customized Services oocoomosssssmmsmsms e 13 1 viii Table of Contents Prestige 652 ADSL Security Router ER O E OO OS 13 1 13 2 Creating Editing A Customized Service ccccccccsseesseescesseeseeeeeeescesseeseenseceseeaeenaecaecaeeeaeeeaes 13 3 13 3 Example DHCP Negotiation and Syslog Connection from the Internet s 13 4 Chapter A O O AT 14 1 14 1 A NEE 14 1 Chapter 15 Content Filtering oomooooonoonmosoosioconsnaocanccnnconnccnnonn nono nonn cono conoconncnnncanocnnconnconocn nooo nooo coca nora sna 15 1 E TEE 15 1 AS A tenete t teen exte itte e e Ee 15 1 15 3 A eee t pente t ee ts 15 1 15 47 088 o eese Mea tee lade tet Pere A eter e tute e 15 1 Advanced Management IV Chapter 16 Filter Configuration ooooommmmsmsmsmsmssss 16 1 16 1 About EE 16 1 16 2 Configuring Filter Set iniecit WI E Rede ete ee erts 16 4 16 3 Configuring Filter Rule ettet a nei eed Deeds 16 9 16 4 Filter Types and NA Ti ree it ee HU E A e dece SEN 16 16 16 5 Example Filtet eiie ee see RE ER CH Pe he ie ced 16 16 16 6 Applying Filters and Factory Defaults 0 0 0 0 cc ccceeceesceseceesceseeeecesecesecaecaecseecaeeeaeeeeeeeeeeereees 16 19 Chapter 17 SNMP Configuration ccscssscssssssssssccssesssesssessssesensssssessessscsssesssesessscsssnsesssesssssscesesesees 17 1 17 1 oneri D A iii 17 1 172 Supported MIBS ee Seth
121. SMT uses NAT server set 1 in menu 15 2 see the NAT chapter for details Metric The metric represents the cost of transmission for routing purposes 2 IP routing uses hop count as the cost measurement with a minimum of 1 for directly connected networks Type a number that approximates the cost for this link The number need not be precise but it must be between 1 and 15 In practice 2 or 3 is usually a good number Private This determines if the Prestige will include the route to this remote node No in its RIP broadcasts If set to Yes this route is kept private and not included in RIP broadcast If No the route to this remote node will be propagated to other hosts through RIP broadcasts RIP Direction Press SPACE BAR and then ENTER to select the RIP Direction None Options are Both In Only Out Only or None Version Press SPACE BAR and then ENTER to select the RIP version RIP 1 Options are RIP 1 RIP 2B or RIP 2M Multicast IGMP v1 sets IGMP to version 1 IGMP v2 sets IGMP to version 2 and None None disables IGMP IP Policies You can apply up to four IP Policy sets from 12 by typing in their 3 4 5 6 numbers separated by commas Configure the filter sets in menu 25 first see the P Policy Routing chapter and then apply them here When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to
122. Subject You may edit the Firewall Alert From Prestige a subject title E The date format her zomr is Day Month Year user zyxel com To user zyxel com 192 168 1 1 To 192 168 1 255 default polic E Y The date format here src port 00520 dest port 00520 1 00 is Month Day Year 192 168 1 131 To 192 168 1 255 default policy The time format is Hour Minute Second Src port 00520 dest port 00520 1 00 192 168 1 6 To 10 10 10 10 match forward src port 03516 dest port 00053 lt 1 01 gt 126 192 168 1 1 To 192 168 1 255 forward 10 05 src port 00520 dest port 00520 127 Apr 7 192 168 1 131 To 192 168 1 255 End of Log message Ee hows that a complet 10 05 sre port 00520 dest port 00520 SLATES NEW COM 128 Apr 7 192 168 1 92 j log has been sent forward 0 05 30 007 port 00520 End of Firewall Figure 11 3 E mail Log 11 4 Attack Alert Attack alerts are the first defense against DoS attacks In the Attack Alert screen shown later you may choose to generate an alert whenever an attack is detected For DoS attacks the Prestige uses thresholds to determine when to drop sessions that do not become fully established These thresholds apply globally to all sessions You can use the default threshold values or you can change them to values more suitable to your security requirements 11 4 1 Threshold Values Tune these parameters when something is not working and after you have
123. This is the starting global IP address IGA If you 0 0 0 0 have a dynamic IP enter 0 0 0 0 as the Global Start IP Global End IP This is the ending global IP address IGA NAT 8 9 Prestige 652 ADSL Security Router FIELD DESCRIPTION EXAMPLE Type These are the mapping types discussed above Server see Table 8 2 Server allows us to specify multiple servers of different types behind NAT to this machine See later for some examples Once you have finished configuring a rule in this menu press ENTER at the message Press ENTER to Confirm to save your configuration or press ESC to cancel User Defined Address Mapping Sets Now let s look at option 1 in menu 15 1 Enter 1 to bring up this menu We ll just look at the differences from the previous menu Note the extra Action and Select Rule fields mean you can configure rules in this screen Note also that the in the Set Name field means that this is a required field and you must enter a name for the set If the Set Name field is left blank the entire set will be deleted Menu 15 1 1 Address Mapping Rules Set Name NAT_SET Global Start IP Global End IP 2 Se 4 5 6 7 8 CR 0 n Actions Edit Select Rule Press ENTER to Confirm or ESC to Cancel Figure 8 8 Menu 15 1 1 First Set The Type Local and Global Start End IPs are configured in menu 15 1 1 1 described later and the v
124. UBR Peak Cell Rate PCR 5500 Sustained Cell Rate SCR 0 Maximum Burst Size MBS 0 My Login N A My Password N A ENET ENCAP Gateway N A IP Address Assignment Static IP Address 0 0 0 0 etwork Address Translation SUA Only at Manning Figure 8 14 Menu 4 Internet Access amp NAT Example NAT 8 17 Prestige 652 ADSL Security Router From menu 4 choose the SUA Only option from the Network Address Translation field This is the Many to One mapping discussed in section 8 5 The SUA Only read only option from the Network Address Translation field in menus 4 and 11 3 is specifically pre configured to handle this case 8 5 2 Example 2 Internet Access with an Inside Server Prestige Inside Local One Dynamic PC 3 e Addresses ILA Inside Global Addresses IGA Assigned by ISP Inside Server IP 192 168 1 10 Figure 8 15 NAT Example 2 In this case you do exactly as above use the convenient pre configured SUA Only set and also go to menu 15 2 to specify the Inside Server behind the NAT as shown in the next figure 8 18 NAT Prestige 652 ADSL Security Router Menu 15 2 1 NAT Server Setup Used for SUA Only Rule Start_Po oooooooooode O OO ER E E EE E El bai CO OO OO OO OO CH 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Press ENTER to Confirm or ESC to Cancel Figure 8 16 Menu 15 2 1 Specifying an Inside Server 8 5 3 Example 3 Multiple Pu
125. VANCED MANAGEMENT This part discusses Filtering SNMP System Information and Diagnosis Firmware and i Configuration File Maintenance System Maintenance and Information Remote Management and IP Policy Routing Prestige 652 ADSL Security Router Chapter 16 Filter Configuration This chapter shows you how to create and apply filters 16 1 About Filtering Y our Prestige uses filters to decide whether or not to allow passage of a data packet and or to make a call There are two types of filter applications data filtering and call filtering Filters are subdivided into device and protocol filters which are discussed later Data filtering screens data to determine if the packet should be allowed to pass Data filters are divided into incoming and outgoing filters depending on the direction of the packet relative to a port Data filtering can be applied on either the WAN side or the Ethernet side Call filtering is used to determine if a packet should be allowed to trigger a call Outgoing packets must undergo data filtering before they encounter call filtering Call filters are divided into two groups the built in call filters and user defined call filters Your Prestige has built in call filters that prevent administrative for example RIP packets from triggering calls These filters are always enabled and not accessible to you Your Prestige applies the built in filters first and then the user defined call filters if app
126. access instructions gt SMT System Management Terminal Access the SMT via o LAN or WAN using Telnet o Console port using terminal emulation software The remainder of this User s Guide shows you how to configure the Prestige using SMT screens 2 7 1 Initial Screen When you turn on your Prestige it performs several internal tests as well as line initialization After the initialization the Prestige asks you to press ENTER to continue as shown Copyright c 1994 2002 ZyXEL Communications Corp initialize ch 0 ethernet address 00 a0 c5 01 23 45 Wan Channel init done Loading ADSL modem F W Press ENTER to continue Figure 2 6 Power On Display 2 7 2 Entering Password The login screen appears after you press ENTER prompting you to enter the password as shown next For your first login enter the default password 1234 As you type the password the screen displays an X for each character you type Please note that if there is no activity for longer than five minutes after you log in your Prestige automatically logs you out and displays a blank screen If you see a blank screen press ENTER to display the login screen again Hardware Installation and Initial Setup 2 7 Prestige 652 ADSL Security Router Enter Password XXXX Figure 2 7 Login Screen 2 8 Resetting the Prestige If you forget your password or cannot access the Prestige you will need to reload
127. ail account specified by 11 2 Using the Prestige Web Configurator Prestige 652 ADSL Security Router you Enter the complete e mail address to which alert messages will be sent in the E mail Alerts To field and schedule times for sending alerts in the Log Timer fields in the E mail screen following screen 11 3 2 Logs A log is a detailed record that you create for packets that either match a rule don t match a rule or both when you are creating editing a firewall rule see Figure 12 4 You can also choose not to create a log for a rule in this screen An attack automatically generates a log Click Advanced Setup Firewall and then E mail to bring up the following screen ZyXEL TOTAL INTERNET ACCESS SOLUTION Firewall Email Wizard Setup Address Info Mail Server 0 0 0 0 Subject Password EXE E mail Alerts To Email NAT Return Address Email Advanced Setup Dynamic DNS Time Zone Log Timer S Log Schedule when Log is Full z Content Filter Frowal Day for Sending Alerts y VPN Time for Sending Alerts jo noun 0 minute Remote Management PA Bock Apply _Reset Logout Figure 11 2 E mail Screen Using the Prestige Web Configurator 11 3 Prestige 652 ADSL Security Router The following table describes the fields in this screen Table 11 1 E mail FIELD DESCRIPTION OPTI
128. ained in each packet header Despite the extra bandwidth and processing overhead this method may be advantageous if it is not practical to have a separate VC for each carried protocol for example if charging heavily depends on the number of simultaneous VCs 4 11 Encapsulation Be sure to use the encapsulation method required by your ISP The Prestige supports the following methods 4 11 1 ENET ENCAP The MAC Encapsulated Routing Link Protocol ENET ENCAP is only implemented with the IP network protocol IP packets are routed between the Ethernet interface and the WAN interface and then formatted so that they can be understood in a bridged environment for instance it encapsulates routed Ethernet frames into bridged ATM cells ENET ENCAP requires that you specify a gateway IP address in the Ethernet Encapsulation Gateway field in menu 4 and in the Rem IP Addr field in menu 11 1 You can get this information from your ISP Internet Access 4 11 Prestige 652 ADSL Security Router 4 11 2 PPP over Ethernet PPPoE provides access control and billing functionality in a manner similar to dial up services using PPP The Prestige bridges a PPP session over Ethernet PPP over Ethernet RFC 2516 from your computer to an ATM PVC Permanent Virtual Circuit which connects to a xDSL Access Concentrator where the PPP session terminates One PVC can support any number of PPP sessions from your LAN For more information on PPPoE see the Appendices
129. aition and Syslog Connection from Console Pott 2 eet 18 3 O ei SH Content Filtering sees 15 1 SE i Da eae eet eh 15 1 Diagnostic sisse ines 18 8 E RM PN a ote 15 1 Diagnostic Tools 18 1 Log Records tati 15 1 EE EE E E eee 15 1 Re 4 10 Copyright uie rs eee ardeo il PO AS a Cost OF Sn add 5 8 6 6 6 10 Domain Name Swvstem sss 4 4 Countty Code iaa 18 4 Dos OU Load MONROE NR a A 18 3 B sic Sicuti tete eo erar tees 9 3 Custom Ports Types aces siet e ai 9 4 Crean Ed i SANA 13 3 EE e Tntr d ctio EE 13 1 DA O LANG ieee m Eed vi DSL what isit nenene nannt nnti xxvii Customized Services 13 2 RER GER D Dynamic DNS oerte 3 1 Data Filtering see 16 1 Dynamic Host Configuration Protocol 4 4 Dos DYNDNS Wildcard 111e 32 Configuration ccccesccesecsseeseeeseeeseeseeeeees 3 3 E Default Policy Log 12 5 E mail VE KEE Log Example eee 11 5 DetnaLobserviges Mail Seet n doe eoa ier aatis 11 4 Thresholds et 11 9 Mail Subject 11 4 ee e EE 113 EE e Sch E nini Kleer aseene 11 4 DD Index Prestige 652 ADSL Security Router Encapsulation seseeeseeseseeee 1 5 4 11 4 16 5 2 Filtet E0g honim 18 7 18 8 ENEBT ENCAD 43 iiccssssesstescntasternsiens 4 11 Filter Rule eR 16 10 PPP 4 12 Filter Rule Process 16 3 PPP over Ethernet sess 4 12 Filter Rule Setup iens 16 9 REC 1483 A
130. all may be referred to as the P652 or the Prestige in this User s Guide The following section offers some background information on DSL Skip it if you wish to begin working with your router right away Xxiv Preface Prestige 652 ADSL Security Router What is DSL DSL Digital Subscriber Line technology enhances the data capacity of the existing twisted pair wire that runs between the local telephone company switching offices and most homes and offices While the wire itself can handle higher frequencies the telephone switching equipment is designed to cut off signals above 4 000 Hz to filter noise off the voice line but now everybody is searching for ways to get more bandwidth to improve access to the Web hence DSL technologies There are actually seven types of DSL service ranging in speeds from 16 Kbits sec to 52 Mbits sec The services are elther symmetrical traffic flows at the same speed in both directions or asymmetrical the downstream capacity is higher than the upstream capacity Asymmetrical services ADSL are suitable for Internet users because more information is usually downloaded than uploaded For example a simple button click in a web browser can start an extended download that includes graphics and text As data rates increase the carrying distance decreases That means that users who are beyond a certain distance from the telephone company s central office may not be able to obtain the higher speed
131. alues are displayed here Ordering Your Rules Ordering your rules is important because the Prestige applies the rules in the order that you specify When a rule matches the current packet the Prestige takes the corresponding action and the remaining rules are 8 10 NAT Prestige 652 ADSL Security Router ignored If there are any empty rules before your new configured rule your configured rule will be pushed up by that number of empty rules For example if you have already configured rules to 6 in your current set and now you configure rule number 9 In the set summary screen the new rule will be rule 7 not 9 Now if you delete rule 4 rules 5 to 7 will be pushed up by 1 rule so as old rule 5 becomes rule 4 old rule 6 becomes rule 5 and old rule 7 becomes rule 6 Table 8 5 Fields in Menu 15 1 1 FIELD DESCRIPTION EXAMPLE Set Name Enter a name for this set of rules This is a required field If this field NAT_SET is left blank the entire set will be deleted Action The default is Edit Edit means you want to edit a selected rule see Edit following field Insert Before means to insert a rule before the rule selected The rules after the selected rule will then be moved down by one rule Delete means to delete the selected rule and then all the rules after the selected one will be advanced one rule None disables the Select Rule item Select Rule When you choose Edit Insert Before or Delete in the previous
132. am 4 Opton to Enter Debug Modesto D List of Figures xviii Prestige 652 ADSL Security Router Diagram 5 Boot Module Commande alicia D teile ete E xix List of Figures Prestige 652 ADSL Security Router List of Tables Table 2 1 Front Panel LED Deserppon eene ener nnne erinnern 2 1 Table 2 2 Mam Menu Commands di iii ONERE Ee te oats 2 11 Table 2 3 Main Menu SUMMA te A A A iaa 2 12 Table 3 1 General Setup Menu Fields ccoo aiii 3 2 Table 3 2 Configure Dynamic DNS Menu Pelds essere 3 4 Table 4 1 IP Alias Setup Menu Fields 4 7 Table 4 2 DHCP Ethernet Setup Menu Fields 4 9 Table 4 3 TCP IP Ethernet Setup Menu Fields oooooniccnocnnocnconocononnconnconocnnconnconncnn nono non rro n ran n rn nn rra rn nrnn nano 4 10 Table 4 4 Internet Account Intormanon cono ennemi eren E E ATAS 4 13 Table 4 5 Internet Access Setup Menu Fields ccccccesccsseesseesseeseeeseeeceeeeeseceeeceseeeaecaecaaeeaeceaecaeceeeaeeenes 4 16 Table 5 1 Remote Node Profile Menu Fields 5 4 Table 5 2 Remote Node Network Layer Oppons nono nono nnonnronnonn ron nronnrnn nono ronnnnnnns 5 7 Table 6 1 TCP IP Related Fields in Menu 11 1 Remote Node Proble 6 3 Table 6 2 TCP IP Remote Node Configuration essere ener 6 5 Table 6 3 Edit IP Static Route Menu Fields 6 9 Table 7 1 Remote Node Bridge Options ener nennen nnne 7 2 Table 7 2 Edit Bridge Static Route Menu Fields 7 3 Table 8 EiNAT Definitions er HR t ee Rd e n
133. ance System Maintenance Menu 15 NAT Setup Menu 15 1x Address Mapping Rules Menu 15 2 Menu 15 2 x NAT Server Sets NAT Server Setup Menu 15 1 x Address Mapping Rules Menu 21 Fitter Set Configuration Menu 21 x1 Menu 21 x TCPAP Filter Rule Filter Rules Summary Menu 2422 Menu 21 31 System Maintenance Generic Filter Rule Change Console Port Speed Menu 2432 System Maintenance UNIX Syslog 2 10 Hardware Installation and Initial Setup Prestige 652 ADSL Security Router Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below Table 2 2 Main Menu Commands previous menu OPERATION KEYSTROKE DESCRIPTION Move down to ENTER To move forward to a submenu type in the number of the desired another menu submenu and press ENTER Move up to a ESC Press ESC to move back to the previous menu menu Move to a hidden Press SPACE BAR to change No to Yes then press ENTER Fields beginning with Edit lead to hidden menus and have a default setting of No Press SPACE BAR once to change No to Yes then press ENTER to go to the hidden menu Move the cursor ENTER or Within a menu press ENTER to move to the next field You can UP DOWN arrow also use the UP DOWN arrow keys to move to the previous keys and the next field respectively Entering Typ
134. are initiation packets All packets that do not have this flag structure are called subsequent packets since they represent data that occurs later in the TCP stream If an initiation packet originates on the WAN this means that someone is trying to make a connection from the Internet into the LAN Except in a few special cases see Upper Layer Protocols shown next these packets are dropped and logged If an initiation packet originates on the LAN this means that someone is trying to make a connection from the LAN to the Internet Assuming that this is an acceptable part of the security policy as is the case with the default policy the connection will be allowed A cache entry is added which includes connection information such as IP addresses TCP ports sequence numbers etc When the Prestige receives any subsequent packet from the Internet or from the LAN its connection information is extracted and checked against the cache A packet is only allowed to pass through if it corresponds to a valid connection that is if it is a response to a connection which originated on the LAN 9 5 4 UDP ICMP Security UDP and ICMP do not themselves contain any connection information such as sequence numbers However at the very minimum they contain an IP address pair source and destination UDP also contains port pairs and ICMP has type and code information All of this data can be analyzed in order to build virtual connections in the ca
135. at the receiving end will verify the integrity of the incoming packet by computing its own hash value and complain that the hash value appended to the received packet doesn t match The VPN device at the receiving end doesn t know about the NAT in the middle so it assumes that the data has been maliciously altered IPSec using ESP in Tunnel mode encapsulates the entire original packet including headers in a new IP packet The new IP packet s source address is the outbound address of the sending VPN gateway and its destination address is the inbound address of the VPN device at the receiving end When using ESP protocol with authentication the packet contents in this case the entire original packet are encrypted The encrypted contents but not the new headers are signed with a hash value appended to the packet Tunnel mode ESP with authentication is compatible with NAT because integrity checks are performed over the combination of the original header plus original payload which is unchanged by a NAT device Transport mode ESP with authentication is not compatible with NAT Table 24 1 VPN and NAT SECURITY PROTOCOL MODE NAT AH Transport N AH Tunnel N ESP Transport N ESP Tunnel Y 24 6 Introduction to IPSec Prestige 652 ADSL Security Router Chapter 25 VPN IPSec Setup This chapter introduces the VPN SMT menus 25 1 VPN IPSec Setup The VPN IPSec main SMT menu has three main submenus 1 Defi
136. ation FIELD DESCRIPTION OPTIONS NAT Press SPACE BAR and then ENTER to select Full Feature if you Full Feature Network have multiple public WAN IP addresses for your Prestige The SMT Address uses the address mapping set that you configure and enter in the Address Mapping Set field menu 15 1 see section 8 3 1 Select None to disable NAT None When you select SUA Only the SMT uses Address Mapping Set 255 SUA Only menu 15 1 see section 8 3 1 Choose SUA Only if you have just one public WAN IP address for your Prestige 8 3 NAT Setup Use the Address Mapping Sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN You can see two NAT Address Mapping sets in menu 15 1 You can only configure Set 1 Set 255 is used for SUA When you select Full Feature in menu 4 or 11 3 the SMT will use Set 1 which supports all mapping types as outlined in Table 8 2 When you select SUA Only the SMT will use the pre configured Set 255 read only The Server Set is a list of LAN side servers mapped to external ports To use this set one set for the Prestige a server rule must be set up inside the NAT Address Mapping set Please see section 8 4 for NAT 8 7 Prestige 652 ADSL Security Router further information on these menus To configure NAT enter 15 from the main menu to bring up the following screen Menu 15 NAT Setup Address Mapping Sets N
137. ation Mode you select determines how the Security Association SA will be established for each connection through IKE negotiations gt Main Mode ensures the highest level of security when the communicating parties are negotiating authentication phase 1 It uses 6 messages in three round trips SA negotiation Diffie Hellman exchange and an exchange of nonces a nonce is a random number This mode features identity protection your identity is not revealed in the negotiation VPN IPSec Setup 25 13 Prestige 652 ADSL Security Router gt Aggressive Mode is quicker than Main Mode because it eliminates several steps when the communicating parties are negotiating authentication phase 1 However the trade off is that faster speed limits its negotiating power and it also does not provide identity protection It is useful in remote access situations where the address of the initiator is not know by the responder and both parties want to use pre shared key authentication 25 5 3 Pre Shared Key A pre shared key identifies a communicating party during a phase 1 IKE negotiation It is called pre shared because you have to share it with another party before you can communicate with them over a secure connection 25 5 4 Diffie Hellman DH Key Groups Diffie Hellman DH is a public key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel Diffie Hellman is used within I
138. be blocked After each period the total budget is reset The default for the total budget is 0 minutes and the period is 0 hours meaning no budget control You can reset the accumulated connection time in this menu by entering the index of a remote node Enter 0 to update the screen The budget and the reset period can be configured in menu 11 1 for the remote node when PPPoE encapsulation is selected Table 20 1 Budget Management FIELD DESCRIPTION EXAMPLE Remote Node Enter the index number of the remote node you want to reset just one in this case 1 Connection Time Total Budget This is the total connection time that has gone by within the allocated budget that you set in menu 11 1 5 10 means that 5 minutes out of a total allocation of 10 minutes have lapsed Elapsed Time Total Period The period is the time cycle in hours that the allocation budget is reset see menu 11 1 The elapsed time is the time used up within this period 0 5 1 means that 30 minutes out of the 1 hour time period has lapsed Enter 0 to update the screen or press ESC to return to the previous screen System Maintenance and Information 20 3 Prestige 652 ADSL Security Router 20 3 Time and Date Setting The Prestige keeps track of the time and date There is also a software mechanism to set the time manually or get the current time and date from an external server when you turn on y
139. bject to the following two conditions e This device may not cause harmful interference e This device must accept any interference received including interference that may cause undesired operations This equipment has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules These limits are designed to provide reasonable protection against harmful interference in a commercial environment This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instructions may cause harmful interference to radio communications If this equipment does cause harmful interference to radio television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one or more of the following measures 1 Reorient or relocate the receiving antenna 2 Increase the separation between the equipment and the receiver 3 Connect the equipment into an outlet on a circuit different from that to which the receiver is connected 4 Consult the dealer or an experienced radio TV technician for help Notice 1 Changes or modifications not expressly approved by the party responsible for compliance could void the user s authority to operate the equipment Certifications Refer to the product page at www zyxel com FCC Statement iii Prestige 652 ADSL Security Router
140. blic IP Addresses With Inside Servers In this example there are 3 IGAs from our ISP There are many departments but two have their own FTP servers All departments share the same router The example will reserve one IGA for each department with an FTP server and all departments use the other IGA Map the FTP servers to the first two IGAs and the other LAN traffic to the remaining IGA Map the third IGA to an inside web server and mail server Four rules need to be configured two bi directional and two unidirectional as follows Rule 1 Map the first IGA to the first inside FTP server for FTP traffic in both directions 1 1 mapping giving both local and global IP addresses Rule 2 Map the second IGA to our second inside FTP server for FTP traffic in both directions 1 1 mapping giving both local and global IP addresses Rule 3 Map the other outgoing LAN traffic to IGA3 Many 1 mapping Rule 4 You also map your third IGA to the web server and mail server on the LAN Type Server allows you to specify multiple servers of different types to other computers behind NAT on the LAN The example situation looks somewhat like this NAT 8 19 Prestige 652 ADSL Security Router Other Computers on the LAN Web Server 192 168 1 21 Mapping Rules 1 FTP 1 lt gt IGA 1 Type 1 1 2 FTP 2 lt gt IGA 2 Type 1 1 3 Other LAN traffic gt IGA 3 Type M 1 Outgoing Traffic e gt Internal web server and ma
141. ce over higher numbered sets thereby avoiding scheduling conflicts For example if sets 1 2 3 and 4 are applied in the remote node then set 1 will take precedence over set 2 3 and 4 as the Prestige by default applies the lowest numbered set first Set 2 will take precedence over set 3 and 4 and so on You can configure up to twelve schedule sets and apply up to four schedule sets for a remote node To delete a schedule set enter the set number and press SPACE BAR or DELETE in the Edit Name field Call Scheduling 23 1 Prestige 652 ADSL Security Router To set up a schedule set select the schedule set you want to setup from menu 26 1 12 and press ENTER to see Menu 26 1 Schedule Set Setup as shown next Menu 26 1 Schedule Set Setup Active Yes Start Date yyyy mm dd 2000 01 01 How Often Once Once Date yyyy mm dd 2000 01 01 Weekdays Sunday N A Monday N A Tuesday N A Wednesday N A Thursday N A Friday N A Saturday N A Start Time hh mm 00 00 Duration hh mm 00 00 Action Forced On Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Figure 23 2 Schedule Set Setup If a connection has already been established your Prestige will not drop it Once the connection is dropped manually or it times out then that remote node can t be triggered up until the end of the Duration Table 23 1 Schedule Set Setup Fields FIELD DESCRIPTION OPTI
142. cel 21 6 1 Remote Management Limitations Remote management from the LAN or WAN will not work when Remote Management 21 3 Prestige 652 ADSL Security Router 1 A filter in menu 3 1 LAN or in menu 11 5 WAN is applied to block a Telnet FTP or Web service 2 You have disabled that service in menu 24 11 3 The IP address in the Secured Client IP field menu 24 11 does not match the client IP address If 1t does not match the Prestige will disconnect the session immediately 4 There is an SMT console session running 5 There is already another remote management session of the same type web FTP or Telnet running You may only have one remote management session of the same type running at one time 6 There is a web remote management session running with a Telnet session A Telnet session will be disconnected if you begin a web session it will not begin if there is already a web session 7 When enabled the firewall allows remote management from the LAN but blocks remote management from the WAN unless you configure a firewall rule to allow it 21 7 Remote Management and NAT When NAT is enabled gt Use the Prestige s WAN IP address when configuring from the WAN gt Use the Prestige s LAN IP address when configuring from the LAN 21 8 System Timeout There is a system timeout of five minutes three hundred seconds for either the console port or telnet web FTP connections Your Prestige will automaticall
143. che For instance any UDP packet that originates on the LAN will create a cache entry Its IP address and port pairs will be stored For a short period of time UDP packets from the WAN that have matching IP and UDP information will be allowed back in through the firewall A similar situation exists for ICMP except that the Prestige is even more restrictive Specifically only outgoing echoes will allow incoming echo replies outgoing address mask requests will allow incoming address mask replies and outgoing timestamp requests will allow incoming timestamp replies No other ICMP packets are allowed in through the firewall simply because they are too dangerous and contain too 9 10 Firewalls Prestige 652 ADSL Security Router little tracking information For instance ICMP redirect packets are never allowed in since they could be used to reroute traffic through attacking machines 9 5 5 Upper Layer Protocols Some higher layer protocols such as FTP and RealAudio utilize multiple network connections simultaneously In general terms they usually have a control connection which is used for sending commands between endpoints and then data connections which are used for transmitting bulk information Consider the FTP protocol A user on the LAN opens a control connection to a server on the Internet and requests a file At this point the remote server will open a data connection from the Internet For FTP to work properly this con
144. checked the firewall counters These default values should work fine for normal small offices with ADSL bandwidth Factors influencing choices for threshold values are 1 The maximum number of opened sessions 11 6 Using the Prestige Web Configurator Prestige 652 ADSL Security Router 2 The minimum capacity of server backlog in your LAN network 3 The CPU power of servers in your LAN network 4 Network bandwidth 5 Type of traffic for certain servers If your network is slower than average for any of these factors especially if you have servers that are slow or handle many tasks and are often busy then the default values should be reduced You should make any changes to the threshold values before you continue configuring firewall rules 11 4 2 Half Open Sessions An unusually high number of half open sessions either an absolute number or measured as the arrival rate could indicate that a Denial of Service attack is occurring For TCP half open means that the session has not reached the established state the TCP three way handshake has not yet been completed see Figure 9 2 For UDP half open means that the firewall has detected no return traffic The Prestige measures both the total number of existing half open sessions and the rate of session establishment attempts Both TCP and UDP half open sessions are counted in the total number and rate measurements Measurements are made once a minute When the number of exi
145. ckup Confirmation Screen eese nennen 19 7 Figure 19 7 Telnet into Menu 24 06 ENEE deed 19 8 Figure 19 8 Restore Using FTP Session Example eee eene nennen 19 9 Figure 19 9 System Maintenance Restore Configuration essent 19 9 Figure 19 10 System Maintenance Starting Xmodem Download Sereen sss 19 9 Figure 19 11 Restore Configuration Example sse eene eren enne nnn nnne 19 10 Figure 19 12 Successful Restoration Confirmation Screen ccooooccnoccconocanononncononncononononannnonnonnonnc eene 19 10 Figure 19 13 Telnet Into Menu 24 7 1 Upload System Firmware esses 19 11 List of Figures xvi Prestige 652 ADSL Security Router Figure 19 14 Telnet Into Menu 24 7 2 System Maintenance eese 19 11 Figure 19 15 FTP Session Example of Firmware File Upload 19 12 Figure 19 16 Menu 24 7 1 as seen using the Console Port 19 14 Figure 19 17 Example Xmodem Upload 19 14 Figure 19 18 Menu 24 7 2 as seen using the Console Pot 19 15 Figure 19 19 Example Xmodem Upload 19 16 Figure 20 1 Command Mode in Menu 24 seen teen nennen nennen trennen nennen enne 20 1 Figure 20 2 Valid Commands aedem e eedem PUE efe ee hs 20 2 Figure 20 3 Call Control ee ee CE e ete d 20 2 Figure 20 4 B dget Management EE 20 3 Figure 20 5 Menu 24 System Maintenance essere enne eene rennen enne innen enne 20 4 Figure 20 6 Men
146. coming into the Prestige from the WAN Speed CPU Load Specifies the percentage of CPU utilization 18 2 System Information and Console Port Speed This section describes your system and allows you to choose different console port speeds To get to the System Information and Console Port Speed Step 1 Step 2 Step 3 Enter 24 to go to Menu 24 System Maintenance Enter 2 to open Menu 24 2 System Information and Console Port Speed From this menu you have two choices as shown in the next figure Menu 24 2 System Information and Console Port Speed 1 System Information 2 Console Port Speed Please enter selection Figure 18 3 Menu 24 2 System Information and Console Port Speed 18 2 1 System Information Enter 1 in menu 24 2 to display the screen shown next System Information and Diagnosis 18 3 Prestige 652 ADSL Security Router Menu 24 2 1 System Maintenance Information Name Routing IP ZyNOS F W Version V3 40 FN 0 b13 4 22 2002 ADSL Chipset Vendor Alcatel Version 3 8 163 Standard Multi Mode LAN Ethernet Address 00 a0 c5 01 23 45 IP Address 192 168 1 1 IP Mask 255 255 255 0 DHCP Server Press ESC or RETURN to Exit Figure 18 4 Menu 24 2 1 System Maintenance Information Table 18 2 Fields in System Maintenance FIELD DESCRIPTION Name Displays the system name of your Prestige This information can be changed in Menu 1 General Setu
147. ctive connection allowed exceeded The Prestige limits the number of simultaneous Phase 2 SA negotiations The IKE key exchange process fails if this limit is exceeded IKE Packet Retransmit The Prestige did not receive a response from the peer and so retransmits the last packet sent Failed to send IKE Packet The Prestige cannot send IKE packets due to a network error Too many errors Deleting SA The Prestige deletes an SA when too many errors occur IPSec Log 27 3 Prestige 652 ADSL Security Router The following table shows sample log messages during packet transmission Table 27 2 Sample IPSec Logs During Packet Transmission LOG MESSAGE DESCRIPTION WAN IP changed to IP If the Prestige s WAN IP changes all configured My IP Addr are changed to b 0 0 0 0 If this field is configured as 0 0 0 0 then the Prestige will use the current Prestige WAN IP address static or dynamic to set up the VPN tunnel Cannot find Phase 2 SA The Prestige cannot find a phase 2 SA that corresponds with the SPI of an inbound packet from the peer the packet is dropped Discard REPLAY packet If the Prestige receives a packet with the wrong sequence number it will discard it Inbound packet decryption The decryption configuration settings are incorrect Please check failed them Inbound packet The authentication configuration settings are incorrect Please authent
148. d press ENTER Step 4 Enter a descriptive name or comment in the Edit Comments field and press ENTER Step 5 Press ENTER at the message Press ENTER to confirm to open Menu 21 1 9 Filter Rules Summary Step 6 Enter 1 to configure the first filter rule the only filter rule of this set Make the entries in this menu as shown in the following figure Filter Configuration 16 15 Prestige 652 ADSL Security Router Menu 21 1 9 1 TCP IP Filter Rule Filter 9 1 Filter Type TCP IP Filter Rule Active Yes IP Protocol 6 Destination P Source Route No Press SPACE BAR to choose this filter rule type The first filter rule type determines all subsequent filter types within a set Select Yes to make the rule active Source IP Addr 0 0 0 0 Port Port Comp TCP Estab No 6 is the TCP protocol The port number for the telnet service TCP protocol is 23 There are no See RFC 1060 for port more rules to Select Equal numbers of well known check here as we are services looking for packets going to Select Drop here so that port 23 only the packet will be dropped if its destination is the telnet port Select Forward here so that the packet will be forwarded if its destination is not the telnet port and there are no more rules in this filter set to check Select Next if there are more rules to check Figure 16 15 Sample Filter Menu 21 1 9 1 Step 5 Type 1 to configure the first f
149. data passing between the Internet and the LAN The Prestige has one ADSL port and one Ethernet LAN port which physically separate the network into two areas Q The ADSL port connects to the Internet Q The LAN Local Area Network port attaches to a network of computers which needs security from the outside world These computers will have access to Internet services such as e mail FTP and the World Wide Web However inbound access will not be allowed unless you configure remote management or create a firewall rule to allow a remote host to use a specific service 9 2 Firewalls Prestige 652 ADSL Security Router Denial of Service Attacks WAN Figure 9 1 Prestige Firewall Application 9 4 Denial of Service Denials of Service DoS attacks are aimed at devices and networks with a connection to the Internet Their goal is not to steal information but to disable a device or network so users no longer have access to network resources The Prestige is pre configured to automatically detect and thwart all known DoS attacks 9 4 1 Basics Computers share information over the Internet using a common language called TCP IP TCP IP in turn is a set of application protocols that perform specific functions An extension number called the TCP port or UDP port identifies these protocols such as HTTP Web FTP File Transfer Protocol POP3 E mail etc For example Web traffic by default uses TCP port 80
150. dule Setup 99 Exit Enter Menu Selection Number Figure 2 9 SMT Main Menu 2 9 1 System Management Terminal Interface Summary Table 2 3 Main Menu Summary MENU TITLE DESCRIPTION 1 General Setup Use this menu to set up your general information LAN Setup Use this menu to set up your LAN connection 4 Internet Access Setup A quick and easy way to set up an Internet connection 11 Remote Node Setup Use this menu to set up the Remote Node for LAN to LAN connection including Internet connection 12 Static Routing Setup Use this menu to set up static routes 15 NAT Setup Use this menu to specify inside servers when NAT is enabled 21 Filter and Firewall Setup Use this menu to configure filters activate deactivate the firewall and view the firewall log 22 SNMP Configuration Use this menu to set up SNMP related parameters 23 System Password Use this menu to change your password 24 System Maintenance This menu provides system status diagnostics software upload etc 25 IP Routing Policy Setup Use this menu to configure your IP routing policy 2 12 Hardware Installation and Initial Setup Prestige 652 ADSL Security Router MENU TITLE DESCRIPTION 26 Schedule Setup Use this menu to schedule outgoing calls 27 VPN IPSec Setup Use this menu to configure VPN connections 99 Exit Use this to exit from SMT and return to a blank screen 2 10 C
151. e Port Number Enter a single port number or the range of port numbers that define your customized service Click Back to return to the previous screen When you have finished click Apply to save your customized settings and exit this screen Reset to return to the previously saved settings Delete to remove this customized service Click the Help icon for field descriptions 13 3 Example DHCP Negotiation and Syslog Connection from the Internet The following are some Internet firewall rule examples that allow DHCP negotiation between the ISP and the Prestige and allow a syslog connection from the Internet Follow the procedure shown next to first configure a custom port Step 1 Step 2 Step 3 Step 4 Click Rule Summary under Internet to Local Network Set Click a rule number to open the edit rule screen Click Any in the Source Address box and then click SerDelete Click SerAdd to open the Rule IP Config screen Configure it as follows and click Apply 13 4 Customized Services Prestige 652 ADSL Security Router ZyXEL TOTAL INTERNET ACCESS SOLUTION Firewall WAN to LAN Rule IP Config Wizard Setup Address Type Range Address A EE Start IP Address 10 0 010 Password End IP Address fi 0 0 0 15 LAN eae m Subnet Mask 0 0 0 0 Dynamic DNS H Time Zone Firewall e P YPN H Remote Management Maintenance Log
152. e Step 3 Enter command sys stdio 0 to disable the SMT timeout so the TFTP transfer will not be interrupted Enter command sys stdio 5 to restore the five minute SMT timeout default when the file transfer is complete Step 4 Launch the TFTP client on your computer and connect to the Prestige Set the transfer mode to binary before starting data transfer Step 5 Use the TFTP client see the example below to transfer files between the Prestige and the computer The file name for the configuration file is rom 0 rom zero not capital o Note that the telnet connection must be active and the SMT in CI mode before and during the TFTP transfer For details on TFTP commands see following example please consult the documentation of your TFTP client program For UNIX use get to transfer from the Prestige to the computer and binary to set binary transfer mode 19 2 7 TFTP Command Example The following is an example TFTP command tftp i host get rom 0 config rom Firmware and Configuration File Maintenance 19 5 Prestige 652 ADSL Security Router where i specifies binary image transfer mode use this mode when transferring binary files host is the Prestige IP address get transfers the file source on the Prestige rom 0 name of the configuration file on the Prestige to the file destination on the computer and renames it config rom 19 2 8 GUI based TFTP Clients The following
153. e Splitters also eliminate the destructive interference conditions caused by telephone sets The purchase of a POTS splitter is optional Noise generated from a telephone in the same frequency range as the ADSL signal can be disruptive to the ADSL signal In addition the impedance of a telephone when off hook may be so low that it shunts the strength of the ADSL signal When a POTS splitter is installed at the entry point where the line comes into the home it will filter the telephone signals before combining the ADSL and telephone signals transmitted and received The issues of noise and impedance are eliminated with a single POTS splitter installation A telephone splitter is easy to install as shown in the following figure 2 4 Hardware Installation and Initial Setup Prestige 652 ADSL Security Router Wall Jack POTS Splitter Figure 2 3 Connecting a POTS Splitter Step 1 Connect the side labeled Phone to your telephone Step 2 Connect the side labeled Modem to your Prestige Step 3 Connect the side labeled Line to the telephone wall jack 2 4 2 Telephone Microfilters Telephone voice transmissions take place in the lower frequency range 0 4K Hz while ADSL transmissions take place in the higher bandwidth range above 4KHz A microfilter acts as a low pass filter for your telephone to ensure that ADSL transmissions do not interfere with your telephone voice transmissions The purchase of a telep
154. e DHCP clients along with the IP address and the subnet mask Remote DHCP Server If Relay is selected in the DHCP field above then enter the IP address of the actual remote DHCP server here Follow the instructions in the following table to configure TCP IP parameters for the Ethernet port Table 4 3 TCP IP Ethernet Setup Menu Fields IP Subnet Mask FIELD DESCRIPTION EXAMPLE TCP IP Setup IP Address Enter the LAN IP address of your Prestige in dotted decimal 192 168 1 1 notation Your Prestige will automatically calculate the subnet mask based on the IP address that you assign Unless you are implementing subnetting use the subnet mask computed by the Prestige 255 255 255 0 RIP Direction Press SPACE BAR to select the RIP direction Choices are Both Both In Only Out Only or None default Version Press SPACE BAR to select the RIP version Choices are RIP 1 RIP 1 RIP 2B or RIP 2M default Multicast GMP Internet Group Multicast Protocol is a session layer protocol None used to establish membership in a Multicast group The Prestige default supports both IGMP version 1 IGMP v1 and version 2 IGMP v2 Press the SPACE BAR to enable IP Multicasting or select None to disable it IP Policies Create policies using SMT menu 25 see the P Policy Routing 2 4 7 9 chapter and apply them on the Prestige LAN interface here You can apply up to four IP Policy sets from twelve by entering
155. e and Date Setting Remote Management oo AO bs AH FO Figure 18 1 Menu 24 System Maintenance 18 1 System Status The first selection System Status gives you information on the status and statistics of the ports as shown next System Status is a tool that can be used to monitor your Prestige Specifically it gives you information on your G SHDSL telephone line status number of packets sent and received To get to System Status type 24 to go to Menu 24 System Maintenance From this menu type 1 System Status There are two commands in Menu 24 1 System Maintenance Status Typing 1 resets the counters ESC takes you back to the previous screen The following table describes the fields present in Menu 24 1 System Maintenance Status which are READ ONLY and meant for diagnostic purposes System Information and Diagnosis 18 1 Prestige 652 ADSL Security Router Menu 24 1 System Maintenance Status hh mm ss Sat Jan 01 2000 Node Lnk Status TxPkts RxPkts Errors Tx B s Rx B s Up Time 1 ENET Up 211 0 0 0 0 0 26 20 2 N A 0 0 0 0 0 0 00 00 3 N A 0 0 0 0 0 0 00 00 4 N A 0 0 0 0 0 0 00 00 5 N A 0 0 0 0 0 0 00 00 6 N A 0 0 0 0 0 0 00 00 d N A 0 0 0 0 0 0 00 00 8 N A 0 0 0 0 0 0 00 00 My WAN IP from ISP Ethernet WAN Status 10M Half Duplex Tx Pkts 53 Line Status Up Collisions 0 Rx Pkts 36 Upstream Speed 0 kbps CPU Load 3 8 Downstream Speed 0 kbps Press Command COMMANDS
156. e ftp prompt 19 2 3 Example of FTP Commands from the Command Line Firmware and Configuration File Maintenance 19 3 Prestige 652 ADSL Security Router 331 Enter PASS command Password 230 Logged in ftp bin 200 Type I OK ftp get rom 0 zyxel rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp 16384 bytes sent in 1 10Seconds 297 89Kbytes sec ftp quit Figure 19 2 FTP Session Example 19 2 4 GUI based FTP Clients The following table describes some of the commands that you may see in GUI based FTP clients Table 19 2 General Commands for GUI based FTP Clients COMMAND DESCRIPTION Host Address Enter the address of the host server Login Type Anonymous This is when a user I D and password is automatically supplied to the server for anonymous access Anonymous logins will work only if your ISP or service administrator has enabled this option Normal The server requires a unique User ID and Password to login Transfer Type Transfer files in either ASCII plain text format or in binary mode Initial Remote Specify the default remote directory path Directory Initial Local Directory Specify the default local directory path 19 2 5 Remote Management Limitations TFTP FTP and Telnet from the LAN or WAN will not work when 1 A filter in menu 3 1 LAN or in menu 11 5 WAN is applied to block a Telnet FTP or Web se
157. e in or press You need to fill in two types of fields The first requires you to type information SPACE BAR then in the appropriate information The second allows you to cycle press ENTER through the available choices by pressing SPACE BAR Required fields lt gt All fields with the symbol lt gt must be filled in order to be able to save the new configuration N A fields lt N A gt Some of the fields in the SMT will show a lt N A gt This symbol refers to an option that is Not Applicable Save your ENTER Save your configuration by pressing ENTER at the message configuration Press ENTER to confirm or ESC to cancel Saving the data on the screen will take you in most cases to the previous menu Exit the SMT Type 99 then press Type 99 at the main menu prompt and press ENTER to exit the ENTER SMT interface After you enter the password the SMT displays the main menu as shown next Hardware Installation and Initial Setup 2 11 Prestige 652 ADSL Security Router Copyright Getting Started 1 General Setup 3 LAN Setup Advanced Applications 15 NAT Setup 4 Internet Access Setup 23 11 Remote Node Setup 26 12 Static Routing Setup 27 VPN IPSec Setup c 1994 2002 ZyXEL Communications Corp Prestige 652 Main Menu Advanced Management 21 Filter and Firewall Setup 22 SNMP Configuration System Password 24 System Maintenance 25 IP Routing Policy Setup Sche
158. e previous field This field is N A when 0 is configured in the Port Start field Enable Replay As a VPN setup is processing intensive the system is vulnerable to Denial No Detection of Service DoS attacks The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks Enable replay detection by setting this field to Yes Press SPACE BAR to select Yes or No Choose Yes and press ENTER to enable replay detection Key Press SPACE BAR to choose either IKE or Manual and then press IKE Management ENTER Manual is useful for troubleshooting if you have problems using IKE key management Edit Key Press SPACE BAR to change the default No to Yes and then press No Management ENTER to go to a key management menu for configuring your key Setup management setup described later If you set the Key Management field When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel 25 5 IKE Setup To edit this menu the Key Management field Menu 27 1 1 IPSec Setup must be set to IKE Move the cursor to the Edit Key Management Setup field in Menu 27 1 1 IPSec Setup press SPACE BAR to select Yes and then press ENTER to display Menu 27 1 1 1 IKE Setup 25 5 1 IKE Phases There are two phases to every IKE Internet Key Exchange negotiation phase Authentication and phase 2 Key E
159. e problem and the steps you took to solve it METHOD E MAIL TELEPHONE FAX WEB SITE FTP SITE REGULAR MAIL SUPPORT SALES LOCATION WORLDWIDE support zyxel com tw 886 3 578 3942 www zyxel com ZyXEL Communications Corp 6 Innovation Road Il www europe zyxel com Science Based Industrial Park Hsinchu Taiwan 300 sales zyxel com tw 886 3 578 2439 ftp europe zyxel com R O C NORTH AMERICA support zyxel com 1 714 632 0882 www zyxel com ZyXEL Communications Inc 800 255 4101 1650 Miraloma Avenue Placentia CA 92870 U S A sales zyxel com 1 714 632 0858 ftp zyxel com SCANDINAVIA support zyxel dk 45 3955 0700 www zyxel dk ZyXEL Communications A S Columbusvej 5 2860 sales zyxel dk 45 3955 0707 ftp zyxel dk Soeborg Denmark GERMANY support zyxel de 49 2405 6909 0 www zyxel de ZyXEL Deutschland GmbH Adenauerstr 20 A4 D 52146 sales zyxel de 49 2405 6909 99 Wuerselen Germany MALAYSIA support zyxel com my 603 795 44 688 www zyxel com my Lot B2 06 PJ Industrial Park Section 13 Jalan Kemajuan sales zyxel com my 603 795 34 407 46200 Petaling Jaya Selangor Darul Ehasn Malaysia vi Customer Support Prestige 652 ADSL Security Router Table of Contents GEETING STARTED So EE I Chapter 1 Getting To Know Your Prestige ssssccsscssssscssccesseecssecescessssscsscessssccescesssseescessscsseseeseeees 1 1 1 1 Prestige 652 ADSL Security Router essen enne enne nnne nenne nennen nennen 1 1 1X
160. ecords the IP address of the telnet client and accepts TFTP requests only from this address Step 2 Put the SMT in command interpreter CI mode by entering 8 in Menu 24 System Maintenance Step 3 Enter the command sys stdio 0 to disable the console timeout so the TFTP transfer will not be interrupted Enter command sys stdio 5 to restore the five minute console timeout default when the file transfer is complete Step 4 Launch the TFTP client on your computer and connect to the Prestige Set the transfer mode to binary before starting data transfer Step 5 Use the TFTP client see the example below to transfer files between the Prestige and the computer The file name for the firmware is ras Note that the telnet connection must be active and the Prestige in CI mode before and during the TFTP transfer For details on TFTP commands see following example please consult the documentation of your TFTP client program For UNIX use get to transfer from the Prestige to the computer put the other way around and binary to set binary transfer mode 19 4 6 TFTP Upload Command Example The following is an example TFTP command tftp i host put firmware bin ras 11327 where i specifies binary image transfer mode use this mode when transferring binary files host is the Prestige s IP address and put transfers the file source on the computer firmware bin name of the fir
161. ecurity Router You can configure most features of the Prestige via SMT but we recommend you configure the firewall and content filters using the Prestige Web Configurator e Content Filtering The Prestige can block specific URLs by using the keyword blocking feature e Internal SPTGEN Internal SPTGEN System Parameter Table Generator lets you configure save and upload multiple menus at the same time using just one configuration text file eliminating the need to navigate and configure individual SMT menus for each Prestige e Dynamic DNS Support With Dynamic DNS support you can have a static hostname alias for a dynamic IP address allowing the host to be more easily accessible from various locations on the Internet You must register for this service with a Dynamic DNS client to use this service e Packet Filtering The Packet Filtering mechanism blocks unwanted traffic from entering leaving your network PPPoE Support RFC2516 PPPoE Point to Point Protocol over Ethernet emulates a dial up connection It allows your ISP to use their existing network configuration with newer broadband technologies such as ADSL The PPPoE driver on the Prestige is transparent to the computers on the LAN which see only Ethernet and are not aware of PPPoE thus saving you from having to manage PPPoE clients on individual computers Network Address Translation NAT NAT Network Address Translation NAT RFC 1631 allows the translation o
162. ed Starting XMODEM download CRC mode CCCCCCCCC Figure 19 10 System Maintenance Starting Xmodem Download Screen Step 3 Run the HyperTerminal program by clicking Transfer then Send File as shown in the following screen Firmware and Configuration File Maintenance 19 9 Prestige 652 ADSL Security Router Send File Type the configuration file s location or click Browse to Folder C Product search for it Filename C Product contig rom Protocol Choose the Xmodem protocol modem Send Ese tar ret Then click Send Figure 19 11 Restore Configuration Example Step 4 After a successful restoration you will see the following screen Press any key to restart the Prestige and return to the SMT menu Save to ROM Hit any key to start system reboot Figure 19 12 Successful Restoration Confirmation Screen 19 4 Uploading Firmware and Configuration Files This section shows you how to upload firmware and configuration files You can upload configuration files by following the procedure in the previous Restore Configuration section or by following the instructions in Menu 24 7 2 System Maintenance Upload System Configuration File for console port WARNING DO NOT INTERUPT THE FILE TRANSFER PROCESS AS THIS MAY PERMANENTLY DAMAGE YOUR PRESTIGE 19 4 1 Firmware File Upload FTP is the preferred method for uploading the firmware and configuration To use this feature you
163. el to save your configuration or press ESC to cancel and go back to the previous screen 6 1 2 IP Static Route Setup Static routes tell the Prestige routing information that it cannot learn automatically through other means This can arise in cases where RIP is disabled on the LAN or a remote network is beyond the one that is directly connected to a remote node Each remote node specifies only the network to which the gateway is directly connected and the Prestige has no knowledge of the networks beyond For instance the Prestige knows about network N2 in the following figure through remote node Router 1 However the Prestige is unable to route a packet to Remote Node TCP IP Configuration 6 5 Prestige 652 ADSL Security Router network N3 because it does not know that there is a route through remote node Router 1 via Router 2 The static routes allow you to tell the Prestige about the networks beyond the remote nodes Ni N2 N3 PRESTIGE Figure 6 5 Sample Static Routing Topology Configuration Step 1 To configure an IP static route use Menu 12 Static Route Setup shown next 6 6 Remote Node TCP IP Configuration Prestige 652 ADSL Security Router Menu 12 Static Route Setup 1 IP Static Route 3 Bridge Static Route Please enter selection Figure 6 6 Menu 12 Static Route Setup Step 2 From menu 12 select 1 to open Menu 12 1 IP Static Route Setup shown next
164. emote Node Traffic sss ener nnne 16 22 Figure 16 19 Filtering Remote Node Traffic with PPPOE AAA 16 22 Figure 17 1 SNMP Management Model 17 1 Figure 17 2 Menu 22 SNMP Configuration esses eene eene nennen enne ener enne nen 17 3 Figure 18 1 Menu 24 System Maintenance essere re ennt trennen innen 18 1 Figure 18 2 Menu 24 1 System Maintenance Status essent 18 2 Figure 18 3 Menu 24 2 System Information and Console Port Speed 18 3 Figure 18 4 Menu 24 2 1 System Maintenance Information esee 18 4 Figure 18 5 Menu 24 2 2 System Maintenance Change Console Port Speed 18 5 Figure 18 6 Menu 24 3 System Maintenance Log and Trace sese 18 5 Figure 18 7 Sample Error and Information Messages 18 6 Figure 18 8 Menu 24 3 2 System Maintenance Syslog and Accounting sess 18 6 Figure 18 9 Menu 24 4 System Maintenance Diagnostic essere 18 8 Figure 18 10 Command Mode 5 4 5 5 poene eU td 18 9 Figure 1921 Telnet Meni 24 5 cox e eh 19 3 Figure 19 2 ETP Session Example cionado Gu ope e Eeer ctr teen eode 19 4 Figure 19 3 System Maintenance Backup Configuration eese eere 19 6 Figure 19 4 System Maintenance Starting Xmodem Download Screen esses 19 7 Figure 19 5 Backup Configuration Example esee nee nennen nre nennen tnn 19 7 Figure 19 6 Successful Ba
165. en discussed earlier Table 25 6 Active Protocol Encapsulation and Security Protocol MODE SECURITY PROTOCOL Tunnel ESP Transport 25 6 2 Security Parameter Index SPI An SPI is used to distinguish different SAs terminating at the same destination and using the same IPSec protocol This data allows for the multiplexing of SAs to a single gateway The SPI Security Parameter Index along with a destination IP address uniquely identify a particular Security Association SA The SPI Is transmitted from the remote VPN gateway to the local VPN gateway The local VPN gateway then uses the network encryption and key values that the administrator associated with the SPI to establish the tunnel Current ZyXEL implementation assumes identical outgoing and incoming SPls To edit this menu move the cursor to the Edit Manual Setup field in Menu 27 1 1 IPSec Setup press SPACE BAR to select Yes and then press ENTER to go to Menu 27 1 1 2 Manual Setup VPN IPSec Setup 25 17 Prestige 652 ADSL Security Router Menu 27 1 1 2 Manual Setup Active Protocol ESP Tunnel ESP Setup SPI Decimal Encryption Algorithm DES Keyl Key2 N A Key3 N A Authentication Algorithm Key AH Setup SPI Decimal N A Authentication Algorithm N A Key Press ENTER to Confirm or ESC to Cancel Figure 25 10 Menu 27 1 1 2 Manual Setup Table 25 7 Menu 27 1 1 2 Manual Setup FIELD DESCRIPTION EXAMPLE
166. ength Type the byte count of the data portion in the packet that you want to 0 compare The range for this field is O to 8 default Mask Type the mask in Hexadecimal to apply to the data portion before comparison Value Type the value in Hexadecimal to compare with the data portion More If Yes a matching packet is passed to the next filter rule before an action No is taken or else the packet is disposed of according to the action fields default If More is Yes then Action Matched and Action Not Matched will be N A Log Select the logging option from the following None No packets will be logged None Action Matched Only matching packets and rules will be logged Action Not Matched Only packets that do not match the rule parameters will be logged Both All packets will be logged Action Select the action for a matching packet Choices are Check Next Rule Check Next Matched Forward or Drop Rule default Action Not Select the action for a packet not matching the rule Choices are Check Check Next Matched Next Rule Forward or Drop Rule default When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the previous screen Filter Configuration 16 13 Prestige 652 ADSL Security Router 16 4 Filter Types and NAT There are two classes of filter rules Generic Filter Device rules and Prot
167. er Blinking The Prestige is performing a self test Off The Prestige is not receiving power SYS Green On The Prestige is functioning properly Blinking The Prestige is rebooting Off The Prestige is not ready or has malfunctioned Red On The Prestige is not receiving enough power PPPoE Green On The Prestige is connected to the PPPoE server Off There is no connection to the PPPoE server Hardware Installation and Initial Setup 2 1 Prestige 652 ADSL Security Router LED COLOR STATUS DESCRIPTION LAN 10M Green On The Prestige has a successful 10Mb Ethernet connection Blinking The Prestige is sending receiving data Off The Prestige does not have a 10Mb Ethernet connection LAN 100M Orange On The Prestige has a successful 100Mb Ethernet connection Blinking The Prestige is sending receiving data Off The Prestige does not have a 100Mb Ethernet connection AUX This LED is reserved for a feature to be available in the future xDSL Green On The Prestige is linked successfully to a DSLAM Blinking The Prestige is initializing or sending receiving data Off The DSL link is down ACT Green On The Prestige has a successful Ethernet connection Blinking The Prestige is sending receiving data Off The system is not ready or has malfunctioned 2 2 Rear Panel and Connections The following figure shows the rea
168. er IP address Bridging allows the Prestige to transport packets of network layer protocols that it does not route for example SNA from one network to another The caveat is that compared to routing bridging generates more traffic for the same network layer protocol and it also demands more CPU cycles and memory For efficiency reasons do not turn on bridging unless you need to support protocols other than IP on your network For IP enable the routing if you need it do not bridge what the Prestige can route 7 2 Bridge Ethernet Setup Basically all non local packets are bridged to the WAN Your Prestige does not support IPX 7 2 1 Remote Node Bridging Setup Follow the procedure in another section to configure the protocol independent parameters in Menu 11 1 Remote Node Profile For bridging related parameters you need to configure Menu 11 3 Remote Node Network Layer Options To setup Menu 11 3 Remote Node Network Layer Options shown in the next figure follow these steps Step 1 In menu 11 1 make sure the Bridge field is set to Yes Step 2 Move the cursor to the Edit IP Bridge field then press SPACE BAR to set the value to Yes and press ENTER to edit Menu 11 3 Remote Node Network Layer Options Bridging Setup 7 1 Prestige 652 ADSL Security Router Menu 11 3 Remote Node Network Layer Options IP Options Bridge Options IP Address Assignment Static Ethernet Addr Timeout min 0 Rem IP Addr 0 0 0
169. ers Set 1 1 12 Type 7 256 if you 30100006 Input device filters Set 2 do OW 30100007 Input device filters Set 3 ud ai a 30100008 Input device filters Set 4 30100009 Output protocol filters Set 1 256 30100010 Output protocol filters Set 2 256 30100011 Output protocol filters Set 3 256 30100012 Output protocol filters Set 4 256 30100013 Output device filters Set 1 256 30100014 Output device filters Set 2 256 30100015 Output device filters Set 3 256 30100016 Output device filters Set 4 256 I MENU 3 2 TCP IP AND DHCP ETHERNET SETUP SMT MENU 3 2 FIN FN PVA 30200001 DHCP lt 0 None 1 Server This E Se 30200002 Client IP Pool Starting Address ees 30200003 Size of Client IP Pool 30200004 Primary DNS Server 30200005 Secondary DNS Server 30200006 Remote DHCP Server Example Internal SPTGEN Screens Prestige 652 ADSL Security Router 30200008 IP Address 172 21 2 200 30200009 IP Subnet Mask This 30200010 RIP Direction lt 0 None 1 Both value 2 In Only 3 Out must be Only gt between 0 32 30200011 Version O Rip 1 1 Rip 2B 2 Rip 2M gt 30200012 Multicast lt 0 IGMP v2 2 1 IGMP v1 2 None gt 30200013 IP Policies Set 1 1 12 256 30200014 IP Policies Set 2 1 12 256 30200015 IP Policies Set 3 1 12 256 30200016
170. ersist for the time period Forced On specified in the Duration field Forced Down means that the connection is blocked whether or not Forced Down there is a demand call on the line Enable Dial On Demand means that this schedule permits a demand Enable Dial call on the line On Demand Disable Dial On Demand means that this schedule prevents a Disable Dial demand call on the line On Demand When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel Once your schedule sets are configured you must then apply them to the desired remote node s Enter 11 from the Main Menu and then enter the target remote node index Using SPACE BAR select PPPoE in the Encapsulation field to make the schedule sets field available as shown next Call Scheduling 23 3 Prestige 652 ADSL Security Router Menu Rem Node Name ChangeMe Active Yes Encapsulation PPPoE Multiplexing LLC based Service Name Incoming Rem Login Rem Password Outgoing My Login My Password Authen CHAP PAP Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle 11 1 Remote Node Profile Route IP Bridge No Edit IP Bridge No Edit ATM Options No Telco Option Allocated Budget min 0 Period hr 0 Schedule Sets 2 4 6 8 Nailed Up Connection Session Options Edit Filter Sets No Idle Timeout
171. erver sends when you turn on the Prestige Not all time servers support all protocols so you may have to check with your ISP network administrator or use trial and error to find a protocol that works The main differences between them are the format Daytime RFC 867 format is day month year time zone of the server Time RFC 868 format displays a 4 byte integer giving the total number of seconds since 1970 1 1 at 0 0 0 NTP RFC 1305 is similar to Time RFC 868 None The default enter the time manually Time Server Address Enter the IP address or domain name of your time server Check with your ISP network administrator if you are unsure of this information Current Time New Time This field displays an updated time only when you reenter this menu Enter the new time in hour minute and second format Current Date New Date This field displays an updated date only when you re enter this menu Enter the new date in year month and day format Time Zone Press SPACE BAR and then ENTER to set the time difference between your time zone and Greenwich Mean Time GMT Daylight Saving Start Date End Date If you use daylight savings time then choose Yes If using daylight savings time enter the month and day that it starts on If using daylight savings time enter the month and day that it ends on Once you have filled in this menu press ENTER at the message Press ENTER to Confirm or E
172. es gt 1 Example Internal SPTGEN Screens Prestige 652 ADSL Security Router 210105003 IP Filter Set 1 Rule 5 Protocol 17 210105004 IP Filter Set 1 Rule 5 Dest IP address 0 0 0 0 210105005 IP Filter Set 1 Rule 5 Dest Subnet Mask 210105006 IP Filter Set 1 Rule 5 Dest Port 138 210105007 IP Filter Set 1 Rule 5 Dest Port Comp O none 1 equal 2 1 not equal 3 less 4 great er gt 210105008 IP Filter Set 1 Rule 5 Src IP Address 0 0 0 0 210105009 IP Filter Set 1 Rule 5 Src Subnet Mask 210105010 IP Filter Set 1 Rule 5 Src Port 0 210105011 IP Filter Set 1 Rule 5 Src Port Comp O none 1 equal 2 0 not equal 3 less 4 great er gt 210105013 IP Filter Set 1 Rule 5 Act Match lt 1 check 3 next 2 forward 3 dr op gt 210105014 IP Filter Set 1 Rule 5 Act Not Match lt 1 Check Next 1 2 Forward 3 Drop gt I MENU 21 1 6 SET 1 RULE 6 SMT MENU 21 1 6 FIN FN PVA INPUT 210106001 IP Filter Set 1 Rule 6 Type 2 TCP IP 210106002 IP Filter Set 1 Rule 6 Active lt 0 No 1 Yes gt 1 210106003 IP Filter Set 1 Rule 6 Protocol 17 210106004 IP Filter Set 1 Rule 6 Dest IP address 0 0 0 0 210106005 IP Filter Set 1 Rule 6 Dest Subnet Mask 210106006 IP Filter Set 1 Rule 6 Dest Port 139 Example Internal SPTGEN Screens Prestige 652 ADSL Security Router 210106007
173. ess ENTER You must select a rule in the next field when you choose the Edit Delete or Go To commands Select None and then press ENTER to go to the Press ENTER to Confirm prompt Use Edit to create or edit a rule Use Delete to remove a rule To edit or delete a rule first make sure you are on the correct page When a VPN rule is deleted subsequent rules do not move up in the page list None Select Rule Type the VPN rule index number you wish to edit or delete and then press ENTER When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel 25 4 IPSec Setup Select Edit in the Select Command field type the index number of a rule in the Select Rule field and press ENTER to edit the VPN using the menu shown next 25 8 VPN IPSec Setup Prestige 652 ADSL Security Router Menu 27 1 1 IPSec Setup Index 1 Name Taiwan Active Yes My IP Addr 0 0 0 0 Secure Gateway Addr zw50test zyxel com tw Protocol 0 Local Addr Type SINGLE IP Addr Start 1 1 1 1 End N A Port Start 0 End N A Remote Addr Type SUBNET IP Addr Start 4 4 4 4 End 255 255 0 0 Port Start 0 End N A Enable Replay Detection No ey Management IKE Edit Key Management Setup No Press ENTER to Confirm or ESC to Cancel Figure 25 7 Menu 27 1 1 IPSec Setup You must also configure menu 27
174. estart your computer if prompted Verifying TCP IP Properties Check your TCP IP properties in the TCP IP Control Panel TCP IP Prestige 652 ADSL Security Router Appendix F Example Internal SPTGEN Screens Abbreviations Used in the Example Internal SPTGEN Screens Table This appendix covers Prestige Internal SPTGEN screens ABBREVIATION MEANING FIN Field Identification Number not seen in SMT screens FN Field Name PVA Parameter Values Allowed INPUT This is an example of what you may enter The following are Internal SPTGEN screens associated with the SMT screens of your Prestige Example Internal SPTGEN Screens Table I MENU 1 GENERAL SETUP SMT MENU 1 FIN FN PVA INPUT 10000000 Configured lt 0 No 1 Yes gt 0 10000001 System Name lt Str gt Prestige 10000002 Location lt Str gt 10000003 Contact Person s Name lt Str gt 10000004 Route IP lt 0 No 1 Yes gt 1 10000006 Bridge lt 0 No 1 Yes gt 0 Example Internal SPTGEN Screens Prestige 652 ADSL Security Router MENU 3 1 GENERAL ETHERNET SETUP SMT MENU 3 1 FIN FN PVA 30100001 Input Protocol filters Set 1 30100002 Input Protocol filters Set 2 30100003 Input Protocol filters Set 3 The valid 30100004 Input Protocol filters Set 4 parameters for a set are 30100005 Input device filt
175. estination IP 0 subnetmask 120107005 IP Static Route set 7 Gateway 0 0 0 0 120107006 IP Static Route set 7 Metric 120107007 IP Static Route set 7 Private lt 0 No 1 Yes gt I MENU 12 1 8 IP STATIC ROUTE SETUP SMT MENU 12 1 8 FIN FN PVA INPUT 120108001 IP Static Route set 8 Name lt Str gt 120108002 IP Static Route set 8 Active lt 0 No 1 Yes gt 0 Example Internal SPTGEN Screens Prestige 652 ADSL Security Router 120108003 IP Static Route set 8 Destination IP 0 0 0 0 address 120108004 IP Static Route set 8 Destination IP 0 subnetmask 120108005 IP Static Route set 8 Gateway 0 0 0 0 120108006 IP Static Route set 8 Metric 120108007 IP Static Route set 8 Private lt 0 No 1 Yes gt I MENU 15 SUA SERVER SETUP SMT MENU 15 FIN FN PVA INPUT 150000001 SUA Server IP address for default 0 0 0 0 port 150000002 SUA Server 2 Port Start 150000003 SUA Server 2 Port End 150000004 SUA Server 2 Local IP Address 0 0 0 0 150000005 SUA Server 3 Port Start 150000006 SUA Server 3 Port End 150000007 SUA Server 3 Local IP address 0 0 0 0 150000008 SUA Server 4 Port Start 150000009 SUA Server 4 Port End 150000010 SUA Server 4 Local IP address 0 0 0 0 150000011 SUA Server 5 Port Start 150000012 SUA Server 5 Port End 150000013 SUA Serve
176. et will be affected The more specific the better For example if traffic is being allowed from the Internet to the LAN it 1s better to allow only certain machines on the Internet to access the LAN 12 2 2 Security Ramifications Once the logic of the rule has been defined it is critical to consider the security ramifications created by the rule 1 Does this rule stop LAN users from accessing critical resources on the Internet For example if IRC is blocked are there users that require this service 2 Is it possible to modify the rule to be more specific For example if IRC is blocked for all users will a rule that blocks just certain users be more effective 3 Does a rule that allows Internet users access to resources on the LAN create a security vulnerability For example if FTP ports TCP 20 21 are allowed from the Internet to the LAN Internet users may be able to connect to computers with running FTP servers 4 Does this rule conflict with any existing rules Once these questions have been answered adding rules is simply a matter of plugging the information into the correct fields in the Rules screen in the web configurator 12 2 3 Key Fields For Configuring Rules Action Should the action be to Block or Forward Block means the firewall silently discards the packet Service Select the service from the Service scrolling list box If the service is not listed it is necessary to first define it See
177. eted 9 5 2 Stateful Inspection and the Prestige Additional rules may be defined to extend or override the default rules For example a rule may be created which will 1 Block all traffic of a certain type such as IRC Internet Relay Chat from the LAN to the Internet ii Allow certain types of traffic from the Internet to specific hosts on the LAN ii Allow access to a Web server to everyone but competitors iv Restrict use of certain protocols such as Telnet to authorized users on the LAN These custom rules work by evaluating the network traffic s Source IP address Destination IP address IP protocol type and comparing these to rules set by the administrator Firewalls 9 9 Prestige 652 ADSL Security Router The ability to define firewall rules is a very powerful tool Using custom rules it is possible to disable all firewall protection or block all access to the Internet Use extreme caution when creating or deleting firewall rules Test changes after creating them to make sure they work correctly Below is a brief technical description of how these connections are tracked Connections may either be defined by the upper protocols for instance TCP or by the Prestige itself as with the virtual connections created for UDP and ICMP 9 5 3 TCP Security The Prestige uses state information embedded in TCP packets The first packet of any new connection has its SYN flag set and its ACK flag cleared these
178. f multiple IP addresses used within one network to different IP addresses known within another network This feature allows multiple user Internet access for the cost of a single IP account NAT supports popular Internet applications such as MS traceroute CuSeeMe IRC RealPlayer VDOLive Quake and PPTP No configuration is needed to support these applications 10 100M Auto negotiation Ethernet Fast Ethernet Interface This auto negotiation feature allows the Prestige to detect the speed of incoming transmissions and adjust appropriately without manual intervention It allows data transfer of either 10 Mbps or 100 Mbps in either half duplex or full duplex mode depending on your Ethernet network Multiple PVC Permanent Virtual Circuits Support Your Prestige supports up to 8 PVCs 1 2 Getting To Know Your Prestige Prestige 652 ADSL Security Router e ADSL Transmission Rate Standards Full Rate ANSI T1 413 Issue 2 G dmt G 992 1 with line rate support of up to 8 Mbps downstream and 832 Kbps upstream G lite G 992 2 with line rate support of up to 1 5Mbps downstream and 512Kbps upstream Supports Multi Mode standard ANSI T1 413 Issue 2 G dmt G 992 1 G lite G992 2 TCP IP Transmission Control Protocol Internet Protocol network layer protocol ATM Forum UNI 3 1 PVC Supports up to 8 PVCs UBR CBR Multiple Protocol over AALS RFC 1483 PPP over AALS RFC 2364 PPP over Ethernet over AALS RFC 2516
179. fault and signifies any protocol Local Local IP addresses must be static and correspond to the remote IPSec router s configured remote IP addresses Two active SAs cannot have the local and remote IP address es both the same Two active SAs can have the same local or remote IP address but not both You can configure multiple SAs between the same local and remote IP addresses as long as only one is active at any time Addr Type Press SPACE BAR to choose SINGLE RANGE or SUBNET and press ENTER Select SINGLE with a single IP address Select RANGE for a specific range of IP addresses Select SUBNET to specify IP addresses on a network by their subnet mask SINGLE IP Addr Start When the Addr Type field is configured to Single enter a static IP address on the LAN behind your Prestige When the Addr Type field is configured to Range enter the beginning static IP address in a range of computers on your LAN behind your Prestige When the Addr Type is configured to SUBNET this is a static IP address on the LAN behind your Prestige 192 168 1 35 End When the Addr Type field is configured to Single this field is N A When the Addr Type field is configured to Range enter the end static IP address in a range of computers on the LAN behind your Prestige When the Addr Type field is configured to SUBNET this is a subnet mask on the LAN behind your Prestige 192 168 1 38 Port Start
180. field 1 the cursor jumps to this field to allow you to select the rule to apply the action in question You must press ENTER at the bottom of the screen to save the whole set You must do this again if you make any changes to the set including deleting a rule No changes to the set take place until this action is taken Selecting Edit in the Action field and then selecting a rule brings up the following menu Menu 15 1 1 1 Address Mapping Rule in which you can edit an individual rule and configure the Type Local and Global Start End IPs An End IP address must be numerically greater than its corresponding IP Start address NAT 8 11 Prestige 652 ADSL Security Router Menu 15 1 1 1 Address Mapping Rule Type One to One Local IP Start End N A Global IP Start End N A Server Mapping Set N A Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Figure 8 9 Menu 15 1 1 1 Editing Configuring an Individual Rule in a Set Table 8 6 Menu 15 1 1 1 Editing Configuring an Individual Rule in a Set FIELD DESCRIPTION EXAMPLE Type Press SPACE BAR and then ENTER to select from a total of five types These are the mapping types discussed in Table 8 2 Server allows you to specify multiple servers of different types behind NAT to this computer See section 8 5 3 for an example One to One Local IP Only local IP fields are N A for server Globa
181. firm or ESC to Cancel Figure 6 1 Menu 11 6 for RFC 1483 or ENET ENCAP with VC based Multiplexing Remote Node TCP IP Configuration 6 1 Prestige 652 ADSL Security Router LLC based Multiplexing or PPPoA or PPPoE Encapsulation For LLC based multiplexing or PPP or PPPoE encapsulation one VC carries multiple protocols with protocol identifying information being contained in each packet header Menu 11 6 Remote Node ATM Layer Options VPI VCI LLC Multiplexing or PPP Encapsulation Only one set of VPI and VCI numbers needs to vil Rate PCR 5400 be specified Sustain Cell Rate SCR 0 Maximum Burst Size MBS 0 ENTER here to CONFIRM or ESC to CANCEL Figure 6 2 Menu 11 6 for LLC based Multiplexing or PPPoA or PPPoE Encapsulation In this case only one set of VPI and VCI numbers need be specified for all protocols The valid range for the VPI is 0 to 255 and for the VCI is 32 to 65535 1 to 31 is reserved for local management of ATM traffic The following figure uses sample IP addresses to help you understand the field of My Wan Addr in menu 11 3 Refer to the previous figure LAN and WAN IPs for a brief review of what a WAN IP is My WAN Addr indicates the local Prestige WAN IP while Rem IP Addr indicates the peer WAN IP 6 2 Remote Node TCP IP Configuration Prestige 652 ADSL Security Router Remote Network Local Network 192 168 1 0 192 168 1 1 172 16 0 2 RI
182. gement 20 2 20 3 ADSL Over ISDN EE 2 6 C ADSL what ie xxvii Call e EE 20 2 Alert Schedule ees 11 4 Call Filtering eene 16 1 Application level Firewalls 9 1 Call Filters AT command use eR OI 19 1 Bulli vatican waa ens 16 1 Attack User Defined A 16 1 A tete etie 14 2 Call Schedulmg 23 1 Attack Alert 11 6 11 8 Maximum Number of Schedule Sets 23 1 Attack Types eieiei att ettet 9 6 PPPOE murcia een 23 3 UE 10 3 Precedence sie scienter cie 23 1 Authentication nseni 5 5 5 6 Precedence Example See Precedence auto negotiation sessssseeeessesesstsressesersreseeseesee 1 3 CDR iniciada 18 7 B CDR Call Detail Record 18 6 Back Panel CHAP EE 5 5 Connections Descrpton 2 3 ColliSIOn eoi ni it EA 18 3 BackUD eiii eem 19 2 Command Interpreter Mode 20 1 Blocking Time 11 7 11 8 11 10 Command Mode 18 9 Bridging cai 3 5 COMMUNILY 5 cepere ien ens 17 2 Ether Address ree eese 7 3 Connecting a POTS Spltter eee 2 4 Ethernet esee eere 7 1 Connecting the Prestige ssssssss 2 3 Ethernet Addr Timeout 7 2 Connections Remote Nod ese eed 7 1 Additional Rooumrements 2 3 Static Route Setup 7 2 ADSL Le ct een teet 2 3 Index CC Prestige 652 ADSL Security Router Power Adapter 2 3 DHGCDB3 eno diuisione edo ds 1 4 18 4 Rear Panel cin 2 2 DHCP Negot
183. gh a temporary connection TCP IP or other PPTP TCP 1723 Point to Point Tunneling Protocol enables secure transfer of data over public networks This is the control channel PPTP TUNNEL GRE 0 Point to Point Tunneling Protocol enables secure transfer of data over public networks This is the data channel RCMD TCP 512 Remote Command Service REAL AUDIO TCP 7070 A streaming audio service that enables real time sound over the web REXEC TCP 514 Remote Execution Daemon RLOGIN TCP 513 Remote Login RTELNET TCP 107 Remote Telnet RTSP TCP UDP 554 The Real Time Streaming media control Protocol RTSP is a remote control for multimedia on the Internet SFTP TCP 115 Simple File Transfer Protocol SMTP TCP 25 Simple Mail Transfer Protocol is the message exchange standard for the Internet SMTP enables you to move messages from one e mail server to another SNMP TCP UDP 161 Simple Network Management Program SNMP Traps for use with the SNMP RFC 1215 TRAPS TCP UDP 162 SQL NET TCP 1521 Structured Query Language is an interface to access data on many different types of database systems including mainframes midrange systems UNIX systems and network servers SSH TCP UDP 22 Secure Shell Remote Login Program STRM WORKS UDP 1558 Stream Works Protocol 12 8 Creating Custom Rules Prestige 652 ADSL Security Router Table 12 2 Predefined Services SERVICE DESCRIPTION TACACS UDP 49 Login Host Protoco
184. gorithm Press SPACE BAR to choose from SHA1 or MD5 and then press ENTER SHA1 SA Life Time Seconds Define the length of time before an IKE Security Association automatically renegotiates in this field It may range from 60 to 3 000 000 seconds almost 35 days 28800 default Encapsulation Press SPACE BAR to choose from Tunnel mode or Transport mode and then press ENTER See earlier for a discussion of these Tunnel Perfect Forward Secrecy PFS Perfect Forward Secrecy PFS is disabled None by default in phase 2 IPSec SA setup This allows faster IPSec setup but is not so secure Press SPACE BAR and choose from DH1 or DH2 to enable PFS DH1 refers to Diffie Hellman Group 1 a 768 bit random number DH2 refers to Diffie Hellman Group 2 a 1024 bit 1Kb random number more secure yet slower None When you have completed this menu press ENTER at the prompt Press ENTER to Confirm your configuration or press ESC at any time to cancel to save 25 16 VPN IPSec Setup Prestige 652 ADSL Security Router 25 6 Manual Setup You only configure Menu 27 1 1 2 Manual Setup when you select Manual in the Key Management field in Menu 27 1 1 IPSec Setup Manual key management is useful if you have problems with IKE key management 25 6 1 Active Protocol This field is a combination of mode and security protocols used for the VPN These parameters have be
185. hanging the System Password Change the Prestige default password by following the steps shown next Step 1 Enter 23 in the main menu to display Menu 23 System Password as shown next Step 2 Type your existing system password in the Old Password field for example 1234 and press ENTER Menu 23 System Password Old Password New Password Retype to confirm Enter here to CONFIRM or ESC to CANCEL Figure 2 10 Menu 23 System Password Step 3 Type your new system password in the New Password field up to 30 characters and press ENTER Step 4 Re type your new system password in the Retype to confirm field for confirmation and press ENTER Note that as you type a password the screen displays an X for each character you type Hardware Installation and Initial Setup 2 13 Prestige 652 ADSL Security Router Chapter 3 General Setup Menu 1 General Setup contains administrative and system related information 3 1 System Name System Name is for identification purposes ZyXEL recommends you enter your computer s Computer name e In Windows 95 98 click Start gt Settings gt Control Panel and then double click Network Click the Identification tab note the entry for the Computer name field and enter it as the Prestige System Name e In Windows 2000 click Start gt Settings gt Control Panel and then double click System Click the Network Identification tab and t
186. he protocol dependent filter rules abbreviation are listed as follows Table 16 2 Rule Abbreviations Used FILTER TYPE DESCRIPTION IP Pr Protocol SA Source Address SP Source Port Number DA Destination Address DP Destination Port Number GEN Off Offset Len Length Filter Configuration 16 7 Prestige 652 ADSL Security Router 16 3 Configuring a Filter Rule To configure a filter rule type its number in Menu 21 1 1 Filter Rules Summary and press ENTER to open menu 21 1 1 1 for the rule There are two types of filter rules TCP IP and Generic Depending on the type of rule the parameters for each type will be different Use SPACE BAR to select the type of rule that you want to create in the Filter Type field and press ENTER to open the respective menu To speed up filtering all rules in a filter set must be of the same class for instance protocol filters or generic filters The class of a filter set is determined by the first rule that you create When applying the filter sets to a port separate menu fields are provided for protocol and device filter sets If you include a protocol filter set in a device filters field or vice versa the Prestige will warn you and will not allow you to save 16 3 1 TCP IP Filter Rule This section shows you how to configure a TCP IP filter rule TCP IP rules allow you to base the rule on the fields in the IP and the upper layer protocol
187. hen the Properties button Note the entry for the Computer name field and enter it as the Prestige System Name e In Windows XP click start gt My Computer gt View system information and then click the Computer Name tab Note the entry in the Full computer name field and enter it as the Prestige System Name The Domain Name entry is what is propagated to the DHCP clients on the LAN If you leave this field blank the domain name obtained by DHCP from the ISP is used While you must enter the host name System Name on each individual computer the domain name can be assigned from the Prestige via DHCP 3 2 Dynamic DNS Dynamic DNS Domain Name System allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you in NetMeeting CU SeeMe or other services Y ou can also access your FTP server or Web site on your own computer using a DNS like address for example myhost dhs org where myhost is a name of your choice that will never change instead of using an IP address that changes each time you reconnect Your friends or relatives will always be able to call you even if they don t know your IP address First of all you need to have registered a dynamic DNS account with www dyndns org This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a DNS name General Setup 3 1 Prestige 652 ADSL Security Router To use this service
188. hone microfilter is optional Step 1 Connect a phone cable from the wall jack to the single jack end of the Y Connector Step 2 Connect a cable from the double jack end of the Y Connector to the wall side of the microfilter Step 3 Connect another cable from the double jack end of the Y Connector to the Prestige Step 4 Connect the phone side of the microfilter to your telephone as shown in the following figure Hardware Installation and Initial Setup 2 5 Prestige 652 ADSL Security Router Wall Jack Y connector Microfilter Wall Side Phone Side Figure 2 4 Connecting a Microfilter 2 5 P652 with ISDN This section relates to people who use their P652 with ADSL over ISDN digital telephone service only The following is an example installation for the P652 with ISDN ISDN NT Ethernet Prestige Figure 2 5 P652 with ISDN 2 6 Hardware Installation and Initial Setup Prestige 652 ADSL Security Router 2 6 Turning On Your Prestige At this point you should have connected the DSL LAN 10 100M console and power ports to the appropriate devices Make sure the power adapter is plugged into an appropriate power source and the power button located on the back of your Prestige is on pushed in 2 7 Configuring Your Prestige For Internet Access Configure your Prestige for Internet access using gt Web configurator refer to the Read Me First for
189. hoose from MD5 or SHA and then press ENTER SHA1 Key Enter the authentication key to be used by IPSec if applicable The key must be unique Enter 16 characters for MD5 authentication and 20 characters for SHA 1 authentication Any character may be used including spaces but trailing spaces are truncated 123456789abcde AH Setup The AH Setup fields are N A if you chose an ESP Active Protocol SPI Decimal The SPI must be from one to four unique decimal characters 0 to 9 long N A Authentication Algorithm Press SPACE BAR to choose from MD5 or SHA1 and then press ENTER N A Key Enter the authentication key to be used by IPSec if applicable The key must be unique Enter 16 characters for MD5 authentication and 20 characters for SHA 1 authentication Any character may be used including spaces but trailing spaces are truncated N A When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel VPN IPSec Setup 25 19 Prestige 652 ADSL Security Router Chapter 26 SA Monitor This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27 2 1 1 Introduction A Security Association SA is the group of security settings related to a specific VPN tunnel This menu shown next displays active VPN connections An SA times out au
190. hoose if the next session should be allowed or blocked If you check Blocking Time any new sessions will be blocked for the length of time you specify in the next field min and all old incomplete sessions will be cleared during this period If you want strong security it is better to block the traffic for a short time as it will give the server some time to digest the loading minutes default min Enter the length of Blocking Time in minutes Click Back to return to the previous screen Click Apply to save your customized settings and exit this screen Click Reset to return to the previous configuration Use the Help icon to view field descriptions 11 10 Using the Prestige Web Configurator Prestige 652 ADSL Security Router Chapter 12 Creating Custom Rules This chapter contains instructions for defining both Local Network and Internet rules 12 1 Rules Overview Firewall rules are subdivided into Local Network and Internet By default the Prestige s stateful packet inspection allows all communications to the Internet that originate from the local network and blocks all traffic to the LAN that originates from the Internet You may define additional rules and sets or modify existing ones but please exercise extreme caution in doing so You might inadvertently introduce security risks to the firewall and to the protected network if you try to configure rules without a good u
191. ication 1 6 Getting To Know Your Prestige Prestige 652 ADSL Security Router 1 3 3 LAN to LAN Application You can use the Prestige to connect two geographically dispersed networks over the ADSL line A typical LAN to LAN application for your Prestige 1s shown as follows 10 100M Ethernet Home Office Home Office LAN LAN 10 100M Ethernet Prestige Prestige Figure 1 3 LAN to LAN Application 1 3 4 VPN Application The Prestige s VPN feature makes it an ideal cost effective way to connect branch offices and business partners over the Internet without the need and expense for leased lines between sites VPN ensures the privacy and integrity of your data transmissions Getting To Know Your Prestige 1 7 Prestige 652 ADSL Security Router Head Office Private LAN Firewall Prestige BES e e mmm VPN Firewall Prestige Telecommuter Remote Private Network Figure 1 4 VPN Application 1 8 Getting To Know Your Prestige Prestige 652 ADSL Security Router Chapter 2 Hardware Installation and Initial Setup This chapter describes the physical features of the Prestige and how to make cable connections 2 1 Front Panel LEDs of the P652 The LEDs on the front panel indicate the operational status of your Prestige Figure 2 1 Front Panel Table 2 1 Front Panel LED Description LED COLOR STATUS DESCRIPTION PWR Green On The Prestige is receiving pow
192. ication failed check them Rule lt d gt idle time out If an SA has no packets transmitted for a period of time disconnect configurable via Cl command the Prestige drops the connection The following table shows RFC 2408 ISAKMP payload types that the log displays Please refer to the RFC for detailed information on each type Table 27 3 RFC 2408 ISAKMP Payload Types LOG DISPLAY PAYLOAD TYPE SA Security Association PROP Proposal TRANS Transform KE Key Exchange ID Identification CER Certificate CER REQ Certificate Request HASH Hash SIG Signature 27 4 IPSec Log Prestige 652 ADSL Security Router Table 27 3 RFC 2408 ISAKMP Payload Types LOG DISPLAY PAYLOAD TYPE NONCE Nonce NOTFY Notification DEL Delete VID Vendor ID IPSec Log 27 5 Prestige 652 ADSL Security Router Chapter 28 Internal SPTGEN Internal SPTGEN System Parameter Table Generator is a configuration text file useful for efficient configuration of multiple Prestiges Internal SPTGEN lets you configure save and upload multiple menus at the same time using just one configuration text file eliminating the need to navigate and configure individual SMT menus for each Prestige 28 1 The Configuration Text File Format All Internal SPTGEN text files conform to the following format lt field identification number field name parameter values allo
193. il server Incoming Traffic Mail Server 3 IGAS 192 168 1 20 PS 10 132 50 1 IGA 1 10 132 50 2 2 IGA 2 10 132 50 3 IGA 3 FTP Server 1 192 168 1 10 FTP Server 2 192 168 1 11 Figure 8 17 NAT Example 3 Step 1 In this case you need to configure Address Mapping Set 1 from Menu 15 1 Address Mapping Sets Therefore you must choose the Full Feature option from the Network Address Translation field in menu 4 or menu 11 3 in Figure 8 18 Step 2 Then enter 15 from the main menu Step 3 Enter 1 to configure the Address Mapping Sets Step 4 Enter 1 to begin configuring this new set Enter a Set Name choose the Edit Action and then enter 1 for the Select Rule field Press ENTER to confirm Step 5 Select Type as One to One direct mapping for packets going both ways and enter the local Start IP as 192 168 1 10 the IP address of FTP Server 1 the global Start IP as 10 132 50 1 our first IGA See Figure 8 19 Step 6 Repeat the previous step for rules 2 to 4 as outlined above Step 7 When finished menu 15 1 1 should look like as shown in Figure 8 20 8 20 NAT Prestige 652 ADSL Security Router Menu 11 3 Remote Node Network Layer Options IP Options IP Address Assignment Static Rem IP Addr 0 0 0 0 Rem Subnet Mask 0 0 0 0 My WAN Addr 0 0 0 0 Metric 2 Private No RIP Direction Both Version RIP 2B Multicast IGMP v2 IP Policies Bridge Options Ethernet Addr Timeout min 0 Press ENT
194. ilter Rules Summary Menu 21 1 5 Filter Rules Summary Filter Rules NOB WHE I 3k Enter Filter Rule Number 1 6 to Configure Figure 16 9 TEL_FTP_WEB_SNM Filter Rules Summary 16 2 1 Filter Rules Summary Menus The following tables briefly describe the abbreviations used in the previous menus 16 6 Filter Configuration Prestige 652 ADSL Security Router Table 16 1 Filter Rules Summary Menu Abbreviations FIELD DESCRIPTION The filter rule number 1 to 6 A Active Y means the rule is active N means the rule is inactive Type The type of filter rule GEN for Generic IP for TCP IP Filter Rules These parameters are displayed here M More Y means there are more rules to check which form a rule chain with the present rule An action cannot be taken until the rule chain is complete N means there are no more rules to check You can specify an action to be taken for instance forward the packet drop the packet or check the next rule For the latter the next rule is independent of the rule just checked m Action Matched F means to forward the packet immediately and skip checking the remaining rules D means to drop the packet N means to check the next rule n Action Not Matched F means to forward the packet immediately and skip checking the remaining rules D means to drop the packet N means to check the next rule T
195. ilter Set 1 Rule 3 Act Match lt 1 check 3 next 2 forward 3 dr op Example Internal SPTGEN Screens Prestige 652 ADSL Security Router 210103014 IP Filter Set 1 Rule 3 Act Not Match lt 1 check 1 next 2 forward 3 dr op I MENU 21 1 4 SET 1 RULE 4 SMT MENU 21 1 4 FIN FN PVA INPUT 210104001 IP Filter Set 1 Rule 4 Type 2 TCP IP 210104002 IP Filter Set 1 Rule 4 Active lt 0 No 1 Yes gt 1 210104003 IP Filter Set 1 Rule 4 Protocol 17 210104004 IP Filter Set 1 Rule 4 Dest IP address 0 0 0 0 210104005 IP Filter Set 1 Rule 4 Dest Subnet Mask 210104006 IP Filter Set 1 Rule 4 Dest Port 137 210104007 IP Filter Set 1 Rule 4 Dest Port Comp O none 1 equal 2 1 not equal 3 less 4 great er gt 210104008 IP Filter Set 1 Rule 4 Src IP address 0 0 0 0 210104009 IP Filter Set 1 Rule 4 Src Subnet Mask 210104010 IP Filter Set 1 Rule 4 Src Port 0 210104011 IP Filter Set 1 Rule 4 Src Port Comp O none 1 equal 2 0 not equal 3 less 4 great er 210104013 IP Filter Set 1 Rule 4 Act Match lt 1 check next 2 3 forward 3 drop 210104014 IP Filter Set 1 Rule 4 Act Not Match lt 1 check 1 next 2 forward 3 dr op I MENU 21 1 5 SET 1 RULE 5 SMT MENU 21 1 5 FIN FN PVA INPUT 210105001 IP Filter Set 1 Rule 5 Type 2 TCP IP 210105002 IP Filter Set 1 Rule 5 Active lt 0 No 1 Y
196. ilter rule Make the entries in this menu as shown next When you press ENTER to confirm the following screen appears Note that there is only one filter rule in this set 16 16 Filter Configuration Prestige 652 ADSL Security Router Menu 21 1 9 Filter Rules Summary Filter Rules J SA 0 0 0 0 DA 0 0 0 0 Enter Filter B le Number 1 6 to Configure 1 This shows you that you have M N means an action can be taken configured and activated A immediately The action is to drop the Y a TCP IP filter rule Type packet m D if the action is matched and IP Pr 6 for destination to forward the packet immediately n F if telnet ports DP 23 the action is not matched no matter whether there are more rules to be checked there aren t in this example Figure 16 16 Sample Filter Rules Summary Menu 21 1 9 After you have created the filter set you must apply it Step 1 Type 11 in the main menu to go to menu 11 and type the remote node number to edit Step 2 Go to the Edit Filter Sets field press SPACE BAR to choose Yes and press ENTER Step 3 This brings you to menu 11 5 Apply the example filter set for example filter set 3 in this menu as shown in the next section 16 6 Applying Filters and Factory Defaults This section shows you where to apply the filter s after you design it them Sets of factory default filter rules have been configured in menu 21 but have not been applied to fil
197. in DHCP Setup are not specified for instance left as 0 0 0 0 the Prestige tells the DHCP clients that it itself is the DNS server When a computer sends a DNS query to the Prestige the Prestige forwards the query to the real DNS server learned through IPCP and relays the response back to the computer Please note that DNS proxy works only when the ISP uses the IPCP DNS server extensions It does not mean you can leave the DNS servers out of the DHCP setup under all circumstances If your ISP gives you explicit DNS servers make sure that you enter their IP addresses in the DHCP Setup menu This way the Prestige can pass the DNS servers to the computers and the computers can query the DNS server directly without the Prestige s intervention 4 4 Internet Access Prestige 652 ADSL Security Router 44 IP Multicast Traditionally IP packets are transmitted in one of either two ways Unicast 1 sender 1 recipient or Broadcast 1 sender everybody on the network Multicast is a third way to deliver IP packets to a group of hosts on the network not everybody IGMP Internet Group Multicast Protocol is a session layer protocol used to establish membership in a multicast group it is not used to carry user data IGMP version 2 RFC 2236 is an improvement over version 1 RFC 1112 but IGMP version 1 is still in wide use If you would like to read more detailed information about interoperability between IGMP version 2 and version 1
198. in your busy office 1 3 Applications for the Prestige 652 1 3 1 Internet Access The Prestige 1s the ideal high speed Internet access solution Your Prestige supports the TCP IP protocol which the Internet uses exclusively It is compatible with all major ADSL DSLAM Digital Subscriber Line Access Multiplexer providers A DSLAM is a rack of ADSL line cards with data multiplexed into a backbone network interface connection for example T1 OCH DS3 ATM or Frame Relay Think of it as the equivalent of a modem rack for ADSL A typical Internet Access application is shown below Getting To Know Your Prestige 1 5 Prestige 652 ADSL Security Router 10 100M Ethernet INTERNET EB gt Prestige ISP Figure 1 1 Internet Access Application Internet Single User Account For a SOHO Small Office Home Office environment your Prestige offers the Network Address Translation NAT feature that allows multiple users on the LAN Local Area Network to access the Internet concurrently for the cost of a single IP address 1 3 2 Firewall for Secure Broadband Internet Access The Prestige provides protection from attacks by Internet hackers By default the firewall blocks all incoming traffic from the WAN The firewall supports TCP UDP inspection and DoS Denial of Services detection and prevention as well as real time alerts reports and logs Private LAN Firewall Prestige Figure 1 2 Firewall Appl
199. ind the rom file on your computer that you want to restore to your Prestige 19 8 Firmware and Configuration File Maintenance Prestige 652 ADSL Security Router Step 7 Use put to transfer files from the Prestige to the computer for example put config rom rom 0 transfers the configuration file config rom on your computer to the Prestige See earlier in this chapter for more information on filename conventions Step 8 Enter quit to exit the ftp prompt The Prestige will automatically restart after a successful restore process 19 3 2 Restore Using FTP Session Example ftp gt put config rom rom 0 200 Port command okay 150 Opening data connection for STOR rom 0 226 File received OK 221 Goodbye for writing flash ftp 16384 bytes sent in 0 06Seconds 273 07Kbytes sec ftp gt quit Figure 19 8 Restore Using FTP Session Example Refer to section 19 2 5 to read about configurations that disallow TFTP and FTP from the WAN 19 3 3 Restore Via Console Port Restore configuration via console port by following the HyperTerminal procedure shown next Procedures using other serial communications programs should be similar Step 1 Display menu 24 6 and enter y at the following screen Ready to restore Configuration via Xmodem Do you want to continue y n Figure 19 9 System Maintenance Restore Configuration Step 2 The following screen indicates that the Xmodem download has start
200. ing policies are used as part of the overall IPPR process A policy defines the matching criteria and the action to take when a packet meets the criteria The action is taken only when all the criteria are met The criteria includes the source address and port IP protocol ICMP UDP TCP etc destination address and port TOS and precedence fields in the IP header and length The inclusion of length criterion 1s to differentiate between interactive and bulk traffic Interactive applications for example telnet tend to have short packets while bulk traffic for example file transfer tends to have large packets The actions that can be taken include e routing the packet to a different gateway and hence the outgoing interface e setting the TOS and precedence fields in the IP header IP Policy Routing 22 1 Prestige 652 ADSL Security Router IPPR follows the existing packet filtering facility of RAS in style and in implementation The policies are divided into sets where related policies are grouped together A user defines the policies before applying them to an interface or a remote node in the same fashion as the filters There are 12 policy sets with six policies in each set 22 4 IP Routing Policy Setup Menu 25 lists all the policies that are defined Menu 25 IP Routing Policy Setup Policy Policy Enter Policy Set Number to Configure 0 Edit Name N A Press ENTER to Confirm or ESC to Cancel Figure 22 1 I
201. ion and VC based multiplexing Nailed Up Connection PPPoA A nailed up connection is a dial up line where the connection is always up regardless of traffic demand The Prestige does two things when you specify a nailed up connection The first is that idle timeout is disabled The second is that the Prestige will try to bring up the connection when tured on and whenever the connection is down A nailed up connection can be very expensive Do not specify a nailed up connection unless your telephone company offers flat rate service or you need a constant connection and the cost is of no concern 5 2 Remote Node Configuration Prestige 652 ADSL Security Router Menu 11 1 Remote Node Profile Rem Node Name ChangeMe Active Yes Encapsulation PPP Multiplexing LLC based Service Name N A Incoming Rem Login Rem Password Outgoing My Login My Password x x Authen CHAP PAP Route IP Bridge No Edit IP Bridge No Edit ATM Options No Telco Option Allocated Budget min 0 Period hr 0 Schedule Sets N A Nailed Up Connection N A Session Options Edit Filter Sets No Idle Timeout sec 0 Press ENTER to Confirm or ESC to Cancel Figure 5 2 Menu 11 1 Remote Node Profile In Menu 11 1 Remote Node Profile fill in the fields as described in the following table Table 5 1 Remote Node Profile Menu Fields FIELD DESCRIPTION EXAMPLE node Rem Node Name Type a un
202. ique descriptive name of up to eight characters for this ChangeMe minus sign Active Press SPACE BAR and then ENTER to select Yes to activate or Yes No to deactivate this node Inactive nodes are displayed with a Encapsulation Layer 5 RFC 1483 is the default configuration press SPACE BAR and PPPoA then ENTER to select either PPPoE PPPoA RFC 2364 PPP Encapsulation over ATM Adaptation Layer 5 or ENET ENCAP PPPOA refers to RFC 2364 PPP Encapsulation over ATM Adaptation PPPoE refers to RFC 2364 Point to Point Protocol over Ethernet If RFC 1483 Multiprotocol Encapsulation over ATM Adaptation Layer 5 or ENET ENCAP is selected then the Rem Login Rem Password My Login My Password Telco Options and Idle Timeout fields are not applicable N A Multiplexing Press SPACE BAR and then ENTER to select the method of multiplexing that your ISP uses either VC based or LLC based LLC based Remote Node Configuration 5 3 Prestige 652 ADSL Security Router FIELD DESCRIPTION EXAMPLE Service Name When using PPPoE encapsulation type the name of your PPPoE service here N A Incoming Rem Login Type the login name that this remote node will use to call your Prestige The login name and the Rem Password will be used to authenticate this node Rem Password Type the password used when this remote node calls your Prestige Outgoing
203. it Timeout 60 sec Idle Timeout 3600 sec UDP Idle Timeout 60 sec ICMP Timeout 60 sec Back Apply Reset Figure 12 6 Timeout Screen Creating Custom Rules 12 13 Prestige 652 ADSL Security Router Table 12 5 Timeout Menu FIELD DESCRIPTION DEFAULT VALUE TCP Timeout Values Connection Timeout This is the length of time the Prestige waits for a TCP 30 seconds session to reach the established state before dropping the session FIN Wait Timeout This is the length of time a TCP session remains open 60 seconds after the firewall detects a FIN exchange indicating the end of the TCP session Idle Timeout This is the length of time of inactivity a TCP connection 3600 seconds remains open before the Prestige considers the 1 hour connection closed UDP Idle Timeout This is the length of time of inactivity a UDP connection 60 seconds remains open before the Prestige considers the connection closed ICMP Timeout This is the length of time an ICMP session waits for the 60 seconds ICMP response Click Back to return to the previous screen Click Apply to save your customized settings and exit this screen Click Reset to return to the previous configuration Use the Help icon to view field descriptions 12 14 Creating Custom Rules Prestige 652 ADSL Security Router Chapter 13 Customized Services This chapter covers creating viewing and editing custom
204. king Ni jii Prestige d I d ISP 1 Access Concentrator Diagram 1 Single PC per Router Hardware Configuration PPPoE A Prestige 652 ADSL Security Router How PPPoE Works The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it while the modem bridges the Ethernet frames to the Access Concentrator AC Between the AC and an ISP the AC is acting as a L2TP Layer 2 Tunneling Protocol LAC L2TP Access Concentrator and tunnels the PPP frames to the ISP The L2TP tunnel is capable of carrying multiple PPP sessions With PPPoE the VC Virtual Circuit is equivalent to the dial up connection and is between the modem and the AC as opposed to all the way to the ISP However the PPP negotiation is between the PC and the ISP Prestige as a PPPoE Client When using the Prestige as a PPPoE client the PCs on the LAN see only Ethernet and are not aware of PPPoE This alleviates the administrator from having to manage the PPPoE clients on the individual PCs ISP 2 Prestige Access Concentrator Ethernet Diagram 2 Prestige as a PPPoE Client B PPPoE Prestige 652 ADSL Security Router Appendix B Virtual Circuit Topology ATM is a connection oriented technology meaning that it sets up virtual circuits over which end systems communicate The terminology for virtual circuits is as follows e Virtual Channel Logical connections between ATM switches e Vir
205. l IP fields MUST be set for Server Start This is the starting local IP address ILA End This is the ending local IP address ILA If the rule is for all local IPs then put the Start IP as 0 0 0 0 and the End IP as 255 255 255 255 This field is N A for One to One and Server types 0 0 0 0 N A Global IP Start This is the starting global IP address IGA If you have a dynamic IP enter 0 0 0 0 as the Global IP Start Note that Global IP Start can be set to 0 0 0 0 only if the types are Many to One or Server End This is the ending global IP address IGA This field is N A for One to One Many to One and Server types 0 0 0 0 N A Server Only available when Type is set to Server Type a number Mapping from 1 to 10 to choose a server set from menu 15 2 8 12 NAT Prestige 652 ADSL Security Router FIELD DESCRIPTION EXAMPLE Set Once you have finished configuring a rule in this menu press ENTER at the message Press ENTER to Confirm to save your configuration or press ESC to cancel 8 4 NAT Server Sets Port Forwarding A NAT server set is a list of inside behind NAT on the LAN servers for example web or FTP that you can make visible to the outside world even though NAT makes your whole inside network appear as a single machine to the outside world Use Menu 15 NAT Setup to forward incoming service requests to the server s on
206. l used for Terminal Access Controller Access Control System TELNET TCP 23 Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments It operates over TCP IP networks lts primary function is to allow users to log into remote host systems TFTP UDP 69 Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP but uses the UDP User Datagram Protocol rather than TCP Transmission Control Protocol VDOLIVE TCP 7000 Another videoconferencing solution 12 5 1 Creating Editing Firewall Rules To create a new rule click a number No in the last screen shown to display the following screen Creating Custom Rules 12 9 Prestige 652 ADSL Security Router ZyXEL TOTAL INTERNET ACCESS SOLUTION Wizard Setup Advanced Setup Password LAN NAT Dynamic DNS Time Zone Content Filter Firewall YPN Remote Management Maintenance Logout Firewall LAN to WAN Edit Rule 1 Source Address PERSE Source IP Address 44444 Any SrcAdd SrcEdit SrcDelete Destination Address Destination IP Address 4444 Any DestAdd DestEdit DestDelete Service Available Services Selected Services Syslog UDP 51 4 AIM TCP 5190 BGP TCP 179 BOOTP_CLIENT UDP 68 BOOTP_SERYER UDP 67 ble Serv Action for Matched Packets Forward Log None y
207. l x to terminate operation any time Starting XMODEM download Figure 19 4 System Maintenance Starting Xmodem Download Screen Step 3 Run the HyperTerminal program by clicking Transfer then Receive File as shown in the following screen Receive File Type a location for storing the configuration file or click Place received file in the followwe EE c Product Use receiving protocol Choose the Xmodem protocol Xmodem he Receiv Then click Receive Figure 19 5 Backup Configuration Example Step 4 After a successful backup you will see the following screen Press any key to return to the SMT menu Backup Configuration completed OK Hit any key to continue Figure 19 6 Successful Backup Confirmation Screen 19 3 Restore Configuration This section shows you how to restore a previously saved configuration Note that this function erases the current configuration before restoring a previous back up configuration please do not attempt to restore unless you have a backup configuration file stored on disk FTP is the preferred method for restoring a previously saved configuration to your Prestige since FTP is faster Please note that you must wait for the system to automatically restart after the file transfer is complete Firmware and Configuration File Maintenance 19 7 Prestige 652 ADSL Security Router WARNING DO NOT INTERUPT THE FILE TRANSFER PROCESS AS THIS MAY PERMANENTLY DA
208. lation Tunnel Perfect Forward Secrecy PFS None Press ENTER to Confirm or ESC to Cancel Figure 25 9 Menu 27 1 1 1 IKE Setup Table 25 5 Menu 27 1 1 1 IKE Setup FIELD DESCRIPTION EXAMPLE Phase 1 Negotiation Mode Press SPACE BAR to choose from Main or Aggressive and then press ENTER See earlier for a discussion of these modes Multiple SAs connecting through a secure gateway must have the same negotiation mode Main Pre Shared Key Prestige gateways authenticate an IKE VPN session by matching pre shared keys Pre shared keys are best for small networks with fewer than ten nodes Enter your pre shared key here Enter up to 31 characters Any character may be used including spaces but trailing spaces are truncated Multiple SAs connecting through a secure gateway must have the same pre shared key Encryption Algorithm When DES is used for data communications both sender and receiver must know the same secret key which can be used to encrypt and decrypt the message or to generate and verify a message authentication code Prestige DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is more secure than DES It also requires more processing power resulting in slightly increased latency and decreased throughput DES VPN IPSec Setup 25 15 Prestige 652 ADSL Security Router
209. led information and examples can be found in our included disk as well as on the zyxel com web site This disk contains information on configuring your Prestige for Internet Access general and advanced FAQs Application Notes Troubleshooting a reference for CI Commands and bundled software gt Read Me First Our Read Me First is designed to help you get up and running right away It contains a detailed easy to follow connection diagram default settings handy checklists and information on setting up your network and configuring for Internet access gt ZyXEL Web Site and Glossary Preface xxiii Prestige 652 ADSL Security Router Please refer to www zyxel com for an online glossary of networking terms and additional support documentation Syntax Conventions e Enter means for you to type one or more characters and press the carriage return Select or Choose means for you to select one from the predefined choices e The SMT menu titles and labels are in Bold Times New Roman font Predefined field choices are in Bold Arial font Command and arrow keys are enclosed in square brackets ENTER means the Enter or carriage return key ESC means the Escape key and SPACE BAR means the Space Bar e For brevity s sake we will use e g as a shorthand for for instance and i e for that is or in other words throughout this manual e The Prestige 652 ADSL Router with VPN and Firew
210. leshooting A log index number the date and time the log was created and a log message are displayed Double exclamation marks denote an error or warning message The following table shows sample log messages during IKE key exchange Table 27 1 Sample IKE Key Exchange Logs LOG MESSAGE DESCRIPTION Cannot find outbound SA for rule lt d gt The packet matches the rule index number d but Phase 1 or Phase 2 negotiation for outbound from the VPN initiator traffic is not finished yet Send Main Mode request to lt IP gt The Prestige has started negotiation with the peer Send Aggressive Mode request to lt IP gt Recv Main Mode request from lt IP gt The Prestige has received an IKE negotiation request l from the peer Recv Aggressive Mode request from lt IP gt H Send lt Symbol gt lt Symbol gt IKE uses the ISAKMP protocol refer to RFC2408 ISAKMP to transmit data Each ISAKMP packet contains payloads of different types that show in the log see Table 27 3 Recv lt Symbol gt lt Symbol gt Phase 1 IKE SA process done Phase 1 negotiation is finished 27 2 IPSec Log Prestige 652 ADSL Security Router Table 27 1 Sample IKE Key Exchange Logs LOG MESSAGE DESCRIPTION Start Phase 2 Quick Mode Phase 2 negotiation is beginning using Quick Mode IKE Negotiation is in process The Prestige has begun negotiation with the peer for the
211. licable as shown next Send packet Call Filtering A ee i d No i Active Data No i m match 1 i Built in User defined TH Outgoing Data match default Call Filters Initiate call Packet Filtering Call Filters if applicable if line not up I y and reset Match Match Match Idle Timer Drop Drop packet Drop packet packet if line not up if line not up Or Or Send packet Send packet but do not reset but do not reset Idle Timer Idle Timer Figure 16 1 Outgoing Packet Filtering Process Filter Configuration 16 1 Prestige 652 ADSL Security Router Two sets of factory filter rules have been configured in menu 21 to prevent NetBIOS traffic from triggering calls A summary of their filter rules is shown in the figures that follow The following figure illustrates the logic flow when executing a filter rule Start Es A Packet intoFilter L Fetch First r Filter Set Filter Set i Al A Fetch Next Fetch First Filter Set i Filter Rule Fetch Next Filter Rule Yes Yes A Yes Next filter de e nus No Available Yes D Execute N Filter Rule Check Next Rule MEC coU Forward voy Drop i N FK UN d Drop Packet Saul Mid
212. lly assigned IP address or Static if it is using a static fixed IP address You will only be able to configure this in the ISP node the first node all other nodes are set to Static Rem IP Addr This is the IP address of the remote gateway Type the remote 0 0 0 0 Prestige s WAN IP address here 172 16 02 in the example Figure 6 3 default shown previously If the remote Prestige s WAN IP address is 0 0 0 0 then type 192 168 1 1 its LAN IP address here Rem Subnet Type the subnet mask assigned to the remote node 0 0 0 0 Mask default My WAN Addr Some implementations especially UNIX derivatives require separate IP network numbers for the WAN and LAN links and each end to have a unique address within the WAN network number In that case type the IP address assigned to the WAN port of your Prestige NOTE Refers to local Prestige address not the remote router address NAT Press SPACE BAR and then ENTER to select Full Feature if you Full have multiple public WAN IP addresses for your Prestige Feature Remote Node TCP IP Configuration Prestige 652 ADSL Security Router FIELD DESCRIPTION EXAMPLE Network Select SUA Only if you have just one public WAN IP address for your Address Prestige The SMT uses Address Mapping Set 255 menu 15 1 see Translation section 8 3 f Select None to disable NAT Address When Full Feature is selected in the NAT field configure address 2 Map
213. lood of broadcast traffic consumes all available bandwidth making communications impossible Ping Responses Every host on the packets with a spoofed source Intermediary network Attacker broadcasts ping responds by sending responses to every host on the victim network Figure 9 4 Smurf Attack address to every host on the intermediary network Q ICMP Vulnerability ICMP is an error reporting protocol that works in concert with IP The following ICMP types trigger an alert Table 9 2 ICMP Commands That Trigger Alerts REDIRECT TIMESTAMP_REQUEST TIMESTAMP_REPLY ADDRESS_MASK_REQUEST ADDRESS_MASK_REPLY a Illegal Commands NetBIOS and SMTP The only legal NetBIOS commands are the following all others are illegal 9 6 Firewalls Prestige 652 ADSL Security Router Table 9 3 Legal NetBIOS Commands MESSAGE REQUEST POSITIVE NEGATIVE RETARGET KEEPALIVE All SMTP commands are illegal except for those displayed in the following tables Table 9 4 Legal SMTP Commands jour Jeer mer sam Jee sow Jas vary a Traceroute Traceroute is a utility used to determine the path a packet takes between two endpoints Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute the firewall gaining knowledge of the network topology inside the firewall 4 Often many DoS attacks also employ a technique known as IP Spoofing as part of their attack IP Spoofing may
214. mation that it receives 2 In Only the Prestige will not send any RIP packets but will accept all RIP packets received 3 Out Only the Prestige will send out RIP packets but will not accept any RIP packets received 4 None the Prestige will not send any RIP packets and will ignore any RIP packets received The Version field controls the format and the broadcasting method of the RIP packets that the Prestige sends it recognizes both formats when receiving RIP 1 is universally supported but RIP 2 carries more information RIP 1 is probably adequate for most networks unless you have an unusual network topology Both RIP 2B and RIP 2M sends the routing data in RIP 2 format the difference being that RIP 2B uses subnet broadcasting while RIP 2M uses multicasting Internet Access 4 3 Prestige 652 ADSL Security Router 4 3 4 DHCP Configuration DHCP Dynamic Host Configuration Protocol allows the individual clients computers to obtain the TCP IP configuration at start up from a centralized DHCP server The Prestige has built in DHCP server capability enabled by default which means it can assign IP addresses an IP default gateway and DNS servers to Windows 95 Windows NT and other systems that support the DHCP client The Prestige can also act as a surrogate DHCP server where it relays IP address assignment from the actual DHCP server to the clients IP Pool Setup The Prestige is pre configured with a pool of 32 IP addresse
215. mber you want to move the rule to Move Click Move to move the rule descriptions Click Back to return to the previous screen Click Apply to save your customized settings and exit this screen Click Reset to return to the previous configuration Click the Help icon for field 12 5 Predefined Services The Available Services list box in the Edit Rule screen see Figure 12 4 displays all predefined services that the Prestige already supports Next to the name of the service two fields appear in brackets The first field indicates the IP protocol type TCP UDP or ICMP The second field indicates the IP port number that defines the service Note that there may be more than one IP protocol type For example look at the default configuration labeled DNS UDP TCP 53 means UDP port 53 and TCP port 53 Up to 128 entries are supported Custom services may also be configured using the Custom Ports function discussed later 12 6 Creating Custom Rules Prestige 652 ADSL Security Router Table 12 2 Predefined Services CU SEEME TCP UDP 7648 A popular videoconferencing solution from White Pines Software 24032 DNS UDP TCP 53 Domain Name Server a service that matches web names e g www zyxel com to IP numbers FINGER TCP 79 Finger is a UNIX or Internet related command that can be used to find out if a user is logged on FTP TCP 20 21 File Transfer Program a program to enable fast transfer
216. mbered from 0 to 127 Once they are all used the log will wrap around and the old logs will be lost Time This is the time the log was recorded in this dd mm yy eg Jan 10 format You must configure menu 24 10 for real 77 time otherwise the time shown in these examples Ph mm ss e g 00 00 00 is displayed Packet This field lists packet information such as From and To IP addresses Information A eo a protocol and port numbers Reason This field states the reason for the log i e was not match the rule matched not matched or was there an attack The set and rule coordinates lt X Y gt lt 1 01 gt dest IP where X 1 2 Y 00 10 follow with a simple This means this packet explanation There are two policy sets set 1 X does not match the 1 is for LAN to WAN rules and set 2 X 2 for destination IP address in WAN to LAN rules Y represents the rule in the set 1 rule 1 Other reasons set You can configure up to 10 rules in any set Y instead of dest IP are src 01 to 10 Rule number 00 is the default rule IP dest port src port and protocol This is a log for a DoS attack attack land ip spoofing icmp echo icmp vulnerability NetBIOS smtp illegal command traceroute teardrop or syn flood Chapter 9 has more detailed discussion of what these attacks mean Action This field displays whether the packet was blocked i e silently discarded forwarded or neither Block Forward or None None means that no
217. merchantability or fitness for a particular use or purpose ZyXEL shall in no event be held liable for indirect or consequential damages of any kind of character to the purchaser To obtain the services of this warranty contact ZyXEL s Service Center for your Return Material Authorization number RMA Products must be returned Postage Prepaid It is recommended that the unit be insured when shipped Any returned products without proof of purchase or those with an out dated warranty will be repaired or replaced at the discretion of ZyXEL and the customer will be billed for parts and labor All repaired or replaced products will be shipped by ZyXEL to the corresponding return address Postage Paid This warranty gives you specific legal rights and you may also have other rights that vary from country to country Safety Warnings 1 To reduce the risk of fire use only No 26 AWG or larger telephone wire 2 Do not use this product near water for example in a wet basement or near a swimming pool 3 Avoid using this product during an electrical storm There may be a remote risk of electric shock from lightening ZyXEL Limited Waranty V Prestige 652 ADSL Security Router Customer Support Please have the following information ready when you contact customer support Product model and serial number Information in Menu 24 2 1 System Information Warranty Information Date that you received your device Brief description of th
218. mmunity public Destination 0 0 0 0 Press ENTER to Confirm or ESC to Cancel Figure 17 2 Menu 22 SNMP Configuration The following table describes the SNMP configuration parameters Table 17 1 SNMP Configuration Menu Fields FIELD DESCRIPTION EXAMPLE SNMP Get Community Type the Get Community which is the password for the incoming public Get and GetNext requests from the management station Set Community Type the Set community which is the password for incoming Set public requests from the management station Trusted Host If you enter a trusted host your Prestige will only respond to SNMP 0 0 0 0 messages from this address A blank default field means your Prestige will respond to all SNMP messages it receives regardless of source Trap Community Destination public Type the trap community which is the password sent with each trap to the SNMP manager Type the IP address of the station to send your SNMP traps to 0 0 0 0 When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the previous screen SNMP Configuration 17 3 Prestige 652 ADSL Security Router 17 4 SNMP Traps The Prestige will send traps to the SNMP manager when any one of the following events occurs Table 17 2 SNMP Traps TRAP TRAP NAME
219. mp echo icmp vulnerability NetBIOS smtp illegal command traceroute teardrop or syn flood Action This field displays whether the packet was blocked or block forward forwarded None means that no action is dictated by this rule SE After viewing the firewall log ENTER y to clear the log or n to retain it With either option you will be returned to Menu 21 Filter and Firewall Setup Introducing the Prestige Firewall 10 3 Prestige 652 ADSL Security Router Chapter 11 Using the Prestige Web Configurator This chapter shows you how to configure your firewall with the web configurator 11 1 Web Configurator Login and Main Menu Screens Use the Prestige web configurator to configure your firewall To get started follow the steps shown next Step 1 Launch your web browser and enter 192 168 1 1 as the URL Step 2 Enter admin as the user name and 1234 default as the password and click Login Step 3 The Site Map screen displays Use the help icon located in the upper right portion of most screens for explanations of fields and choices If you forget your password refer to the Resetting the Prestige section to see how to reset the default configuration file Using the Prestige Web Configurator Prestige 652 ADSL Security Router 11 2 Enabling the Firewall Click Advanced Setup Firewall and then Config to display the following screen Click the Firewall Enabled check box to enable or acti
220. mware on the computer to the file destination on the remote host ras name of the firmware on the Prestige Commands that you may see in GUI based TFTP clients are listed earlier in this chapter 19 4 7 Uploading Via Console Port FTP or TFTP are the preferred methods for uploading firmware to your Prestige However in the event of your network being down uploading files is only possible with a direct connection to your Prestige via the console port Uploading files via the console port under normal conditions is not recommended since FTP or TFTP is faster Any serial communications program should work fine however you must use the Xmodem protocol to perform the download upload Firmware and Configuration File Maintenance 19 13 Prestige 652 ADSL Security Router 19 4 8 Uploading Firmware File Via Console Port Step 1 Select 1 from Menu 24 7 System Maintenance Upload Firmware to display Menu 24 7 1 System Maintenance Upload System Firmware then follow the instructions as shown in the following screen Menu 24 7 1 System Maintenance Upload System Firmware To upload system firmware 1 Enter y at the prompt below to go into debug mode 2 Enter atur after Enter Debug Mode message 3 Wait for Starting XMODEM upload message before activating Xmodem upload on your terminal 4 After successful firmware upload enter atgo to restart the router Warning Proceeding with the upload will erase the
221. n This chapter leads you through SMT menus 24 8 to 24 10 20 1 Command Interpreter Mode The Command Interpreter CI is a part of the main system firmware The CI provides much of the same functionality as the SMT while adding some low level setup and diagnostic functions Enter the CI from the SMT by selecting menu 24 8 Access can be by Telnet or by a serial connection to the console port although some commands are only available with a serial connection See the included disk or the zyxel com web site for more detailed information on CI commands Enter 8 from Menu 24 System Maintenance A list of valid commands can be found by typing help or at the command prompt Type exit to return to the SMT main menu when finished Menu 24 System Maintenance System Status System Information and Console Port Speed 1 2 3 Log and Trace 4 Diagnostic 5 Backup Configuration 6 Restore Configuration 7 8 9 1 1 Fipmuaco yes s ommand Interpreter Mode Call Time and Date Setting 0 1 Remote Management Enter Menu Selection Number Figure 20 1 Command Mode in Menu 24 System Maintenance and Information 20 1 Prestige 652 ADSL Security Router Copyright c 1994 2002 ZyXEL Communications Corp ras gt Valid commands are sys exit device ether wan poe config ip ipsec ppp bridge hdap ras gt Figure 20 2 Valid Commands 20 2 Call Control Support The Prestige provides two call contr
222. n IPSec This field displays the security protocols used for an SA ESP provides ESP DES MD5 ALgorithm confidentiality and integrity of data by encrypting the data and encapsulating it into IP packets Encryption methods include 56 bit DES and 168 bit 3DES NULL denotes a tunnel without encryption An incoming SA may have an AH in addition to ESP The Authentication Header provides strong integrity and authentication by adding authentication information to IP packets This authentication information is calculated using header and payload data in the IP packet This provides an additional level of security AH choices are MD5 default 128 bits and SHA 1 160 bits Both AH and ESP increase Prestige processing requirements and communications latency delay Select Press SPACE BAR to choose from Refresh Disconnect or None and Refresh Command then press ENTER You must select a connection in the next field when you choose the Disconnect command Refresh displays current active VPN connections None allows you to jump to the Press ENTER to Confirm prompt Select Type the VPN connection index number that you want to disconnect and 1 Connection then press ENTER When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel 26 2 SA Monitor Prestige 652 ADSL Security Router Chapter 27
223. n The Prestige 652 combines an ADSL router with a robust firewall and VPN capability The web browser based Graphical User Interface provides easy management and is totally independent of the operating system platform you use 1 2 Features Y our Prestige is packed with a number of features that give it the flexibility to provide a complete networking solution for almost any user e High Speed Internet Access Y our Prestige can support downstream transmission rates of up to 8Mbps and upstream transmission rates of 832 Kbps Your Prestige also supports rate management rate management allows ADSL subscribers to select an Internet access speed that best suits their needs and budgets e IPSec VPN Capability Establish a Virtual Private Network VPN to connect with business partners and branch offices using data encryption and the Internet to provide secure communications without the expense of leased site to site lines The Prestige s VPN is based on the IPSec standard and is fully interoperable with other IPSec based VPN products eo Firewall The Prestige is a stateful inspection firewall with DoS Denial of Service protection By default when the firewall is activated all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN The Prestige firewall supports TCP UDP inspection DoS detection and prevention real time alerts reports and logs Getting To Know Your Prestige 1 1 Prestige 652 ADSL S
224. n click another link to exit Click Back to return to the previous screen 13 2 Customized Services Prestige 652 ADSL Security Router 13 2 Creating Editing A Customized Service Click a rule number in the previous screen to create a new custom port or edit an existing one This action displays the following screen ZyXEL TOTAL INTERNET ACCESS SOLUTION Wizard Setup Advanced Setup Password LAN NAT Dynamic DNS Time Zone Content Filter Firewall YPN Remote Management Maintenance Logout Firewall Customized Services Config Service Name Service Type TCP UDP Port Configuration Type Single Range Port Number fo x fo Back Apply Reset Delete Figure 13 2 Creating Editing A Customized Service The next table describes the fields in this screen Table 13 2 Creating Editing A Custom Port FIELD DESCRIPTION OPTIONS Service Name Enter a unique name for your custom port Service Type Choose the IP port TCP UDP or TCP UDP that TCP defines your customized port from the drop down UDP list box TCP UDP Customized Services Prestige 652 ADSL Security Router Table 13 2 Creating Editing A Custom Port FIELD DESCRIPTION OPTIONS Port Configuration Type Click Single to specify one port only or Range to Single specify a span of ports that define your customized service Rang
225. n WAN users services access to your LAN o WAN Prestige Figure 12 2 WAN to LAN Traffic 12 4 Rule Summary The fields in the Rule Summary screens are the same for Local Network and Internet so the discussion below refers to both Click on Firewall then Local Network to bring up the following screen This screen is a summary of the existing rules Note the order in which the rules are listed The ordering of your rules is very important as rules are applied in turn 12 4 Creating Custom Rules Prestige 652 ADSL Security Router ZyXEL TOTAL INTERNET ACCESS SOLUTION Wizard Setup Advanced Setup Password Firewall LAN to WAN Rule Summary The default action for packets not matching following rules Forward J M Default Permit Log TUS No Source IP Destination IP Service Action Log ai s s Dynamic DNS ml i IR Time Zone 3 E EI EI Content Fitter E E s Firewall E E E sum Management AS E H Maintenance 9 3 EI E s s E Logot RE E E Rules Reorder Move rule number 1 D to rule number 1 Move Back Apply Reset Figure 12 3 Firewall Rules Summary First Screen The following table describes the fields in this screen Table 12 1 Firewall Rules Summary First Screen FIELD DESCRIPTION OPTIONS The default action for Should packets that d
226. n this field is set to Yes Filter Log No filters are logged when this field is set to No Filters with the individual filter Log Filter field set to Yes are logged when this field is set to Yes PPP Log PPP events are logged when this field is set to Yes The following are examples of the four types of syslog messages sent by the Prestige 1 CDR SdcmdSyslogSend SYSLOG CDR SYSLOG INFO String String board xx line xx channel xx call xx str board the hardware board ID line the WAN ID in a board Channel channel ID within the WAN call the call reference number which starts from 1 and increments by 1 for each new call str C01 Outgoing Call dev xx ch xx dev device No ch channel No C01 Incoming Call xxxxBps xxxxx L2TP xxxxx Remote Call ID C01 Incoming Call xxxx connected speed xxxxx Remote Call ID L02 Tunnel Connected L2TP C02 OutCall Connected xxxx connected speed xxxxx Remote Call ID C02 CLID call refused L02 Call Terminated C02 Call Terminated Jul 19 11 19 27 192 168 102 2 ZYXEL board 0 line 0 channel 0 call 1 C01 Outgoing Call dev 2 ch 0 40002 Jul 19 11 19 32 192 168 102 2 ZYXEL board 0 line 0 channel 0 call 1 C02 OutCall Connected 64000 40002 Jul 19 11 20 06 192 168 102 2 ZYXEL board 0 line 0 channel 0 call 1 C02 Call Terminated 2 Packet Triggered SdemdSyslogSend SYSLOG PKTTRI SYSLOG
227. nd direct it to a number of specific systems The router need only allow application traffic destined for the application gateway and reject the rest 9 2 3 Stateful Inspection Firewalls Stateful inspection firewalls restrict access by screening data packets against defined access rules They make access control decisions based on IP address and protocol They also inspect the session data to assure the integrity of the connection and to adapt to dynamic protocols These firewalls generally provide the best speed and transparency however they may lack the granular application level access control or caching that some proxies support See section 9 5 for more information on Stateful Inspection Firewalls of one type or another have become an integral part of standard security solutions for enterprises 9 3 Introduction to ZyXEL s Firewall The Prestige firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated in SMT menu 21 2 or in the web configurator The Prestige s purpose is to allow a private Local Area Network LAN to be securely connected to the Internet The Prestige can be used to prevent theft destruction and modification of data as well as log events which may be important to the security of your network The Prestige also has packet filtering capabilities The Prestige is installed between the LAN and the Internet This allows it to act as a secure gateway for all
228. nderstanding of how rules work Make sure you test your rules after you configure them For example you may create rules to Block certain types of traffic such as IRC Internet Relay Chat from the LAN to the Internet Allow certain types of traffic such as Lotus Notes database synchronization from specific hosts on the Internet to specific hosts on the LAN Allow everyone except your competitors to access a Web server Restrict use of certain protocols such as Telnet to authorized users on the LAN These custom rules work by comparing network traffic s Source IP address Destination IP address IP protocol type to rules set by the administrator Your customized rules take precedence and may override the Prestige s default rules 12 2 Rule Logic Overview Study these points carefully before configuring rules 12 2 1 Rule Checklist 1 State the intent of the rule For example This restricts all IRC access from the LAN to the Internet Or This allows a remote Lotus Notes server to synchronize over the Internet to an inside Notes server 2 Is the intent of the rule to forward or block traffic Creating Custom Rules 12 1 Prestige 652 ADSL Security Router What is the direction connection from the LAN to the Internet or from the Internet to the LAN What IP services will be affected What computers on the LAN are to be affected if any Six VEN coU What computers on the Intern
229. ne 1 equal 2 1 not equal 3 less 4 great er gt 210102008 IP Filter Set 1 Rule 2 Src IP address 0 0 0 0 210102009 IP Filter Set 1 Rule 2 Src Subnet Mask 210102010 IP Filter Set 1 Rule 2 Src Port 0 Example Internal SPTGEN Screens Prestige 652 ADSL Security Router 210102011 IP Filter Set 1 Rule 2 Src Port Comp O none 1 equal 2 0 not equal 3 less 4 great er gt 210102013 IP Filter Set 1 Rule 2 Act Match lt 1 check 3 next 2 forward 3 dr op gt 210102014 IP Filter Set 1 Rule 2 Act Not Match lt 1 check 1 next 2 forward 3 dr op gt I MENU 21 1 3 SET 1 RULE 3 SMT MENU 21 1 3 FIN FN PVA INPUT 210103001 IP Filter Set 1 Rule 3 Type 2 TCP IP 210103002 IP Filter Set 1 Rule 3 Active lt 0 No 1 Yes gt 1 210103003 IP Filter Set 1 Rule 3 Protocol 210103004 IP Filter Set 1 Rule 3 Dest IP address 0 0 0 0 210103005 IP Filter Set 1 Rule 3 Dest Subnet Mask 210103006 IP Filter Set 1 Rule 3 Dest Port 139 210103007 IP Filter Set 1 Rule 3 Dest Port Comp lt O none 1 equal 2 1 not equal 3 less 4 great er gt 210103008 IP Filter Set 1 Rule 3 Src IP address 0 0 0 0 210103009 IP Filter Set 1 Rule 3 Src Subnet Mask 210103010 IP Filter Set 1 Rule 3 Src Port 0 210103011 IP Filter Set 1 Rule 3 Src Port Comp O none 1 equal 2 0 not equal 3 less 4 great er gt 210103013 IP F
230. ne VPN policies in menu 27 1 submenus including security policies endpoint IP addresses peer IPSec router IP address and key management 2 Menu 27 2 SA Monitor allows you to manage refresh or disconnect your SA connections 3 View the IPSec connection log in menu 27 4 This menu is also useful for troubleshooting This is an overview of the VPN menu tree Main Menu Menu 27 VPN PSec IPSec Configuration Algorithms i Menu 27 1 1 1 IKE Setup Menu 27 1 1 Menu 27 1 IPSec Summary IPSec Setup Menu 27 1 1 2 Manual Setup Ma nag e Menu 27 2 Key VPN SAs Mete Management Log Menu 27 3 VP N SAS View IPSec Log Figure 25 1 VPN SMT Menu Tree From the main menu enter 27 to display the first VPN menu shown next VPN IPSec Setup 25 1 Prestige 652 ADSL Security Router Menu 27 VPN IPSec Setup 1 IPSec Summary 2 SA Monitor 3 View IPSec Log Enter Menu Selection Number Figure 25 2 Menu 27 VPN IPSec Setup 25 2 IPSec Algorithms The ESP and AH protocols are necessary to create a Security Association SA the foundation of an IPSec VPN An SA is built from the authentication provided by the AH and ESP protocols The primary function of key management is to establish and maintain the SA between systems Once the SA is established the transport of data may commence 25 2 1 AH Authentication Header Protocol AH protocol RFC 2402 was designed for integrity authentication sequence integ
231. nection must be allowed to pass through even though a connection from the Internet would normally be rejected In order to achieve this the Prestige inspects the application level FTP data Specifically 1t searches for outgoing PORT commands and when it sees these it adds a cache entry for the anticipated data connection This can be done safely since the PORT command contains address and port information which can be used to uniquely identify the connection Any protocol that operates in this way must be supported on a case by case basis You can use the web configurator s Custom Ports feature to do this 9 6 Guidelines For Enhancing Security With Your Firewall 1 Change the default password via SMT or web configurator 2 Think about access control before you connect a console port to the network in any way including attaching a modem to the port Be aware that a break on the console port might give unauthorized individuals total control of the firewall even with access control configured 3 Limit who can telnet into your router 4 Don t enable any local service such as SNMP or NTP that you don t use Any enabled service could present a potential security risk A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network 5 For local services that are enabled protect against misuse Protect by configuring the services to communicate only with specific peers and
232. net Addr Timeout min 0 Rem IP Addr 0 0 0 0 Rem Subnet Mask 0 0 0 0 My WAN Addr 0 0 0 0 NAT Full Feature Address Mapping Set 2 Metric 2 Private No RIP Direction Both Version RIP 2B Type IP Multicast IGMP v2 M HE Policy sets IP Policies 2 4 7 9 here Press ENTER to Confirm or ESC to Cancel Figure 22 5 Menu 11 3 Remote Node Network Layer Options 22 6 IP Policy Routing Prestige 652 ADSL Security Router 22 6 IP Policy Routing Example If a network has both Internet and remote node connections you can route Web packets to the Internet using one policy and route FTP packets to a remote network using another policy See the next figure Web Prestige 192 168 1 1 LAN Remote Network a ef WAN Router 192 168 1 100 Default IP Route Configured IP Route Figure 22 6 Example of IP Policy Routing To force Web packets coming from clients with IP addresses of 192 168 1 33 to 192 168 1 64 to be routed to the Internet via the WAN port of the Prestige follow the steps as shown next IP Policy Routing 22 7 Prestige 652 ADSL Security Router Step 1 Create a routing policy set in menu 25 Step 2 Create a rule for this set in Menu 25 1 1 IP Routing Policy as shown next Menu 25 1 1 IP Routing Policy Policy Set Name setl Active Yes Criteria IP Protocol 6 Type of Service Don t Care Packet length 10 Don t Care Len Comp N A addr start 192 168 1 2 end
233. ng traffic between this node and the Prestige When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel Internet Access 4 7 Prestige 652 ADSL Security Router 4 7 Route IP Setup The first step is to enable the IP routing in Menu 1 General Setup To edit menu 1 type in 1 in the main menu and press ENTER Set the Route IP field to Yes by pressing SPACE BAR Menu 1 General Setup System Name Location Contact Person s Name Domain Name Edit Dynamic DNS No Route IP Yes Bridge No Press ENTER to Confirm or ESC to Cancel Figure 4 6 Menu 1 General Setup 4 8 TCP IP Ethernet Setup and DHCP Use menu 3 2 to configure your Prestige for TCP IP To edit menu 3 2 enter 3 from the main menu to display Menu 3 Ethernet Setup When menu 3 appears enter 2 to display Menu 3 2 TCP IP and DHCP Ethernet Setup as shown next 4 8 Internet Access Prestige 652 ADSL Security Router Menu 3 2 TCP IP and DHCP Ethernet Setup DHCP Setup First address DHCP Server in the IP Pool Client IP Pool Starting Address 192 168 1 33 Size of Client IP Pool 32 Primary DNS Server Secondary DNS Server 0 0 0 0 Remote DHCP Server N A Size of the IP TCP IP Setup IP Address 192 168 1 1 Pool IP Subnet Mask 255 2 RIP Direction Both Version
234. nternal timer which is set at relatively long intervals terminates the three way handshake Once the queue is full the system will ignore all incoming SYN requests making the system unavailable for legitimate users Client Server SYN ACK SYN ACK SS Figure 9 3 SYN Flood Firewalls 9 5 Prestige 652 ADSL Security Router 2 b In a LAND Attack hackers flood SYN packets into the network with a spoofed source IP address of the targeted system This makes it appear as if the host computer sent the packets to itself making the system unavailable while the target system tries to respond to itself 3 A brute force attack such as a Smurf attack targets a feature in the IP specification known as directed or subnet broadcasting to quickly flood the target network with useless data A Smurf hacker floods a router with Internet Control Message Protocol ICMP echo request packets pings Since the destination IP address of each packet is the broadcast address of the network the router will broadcast the ICMP echo request packet to all hosts on the network If there are numerous hosts this will create a large amount of ICMP echo request and response traffic If a hacker chooses to spoof the source IP address of the ICMP echo request packet the resulting ICMP traffic will not only clog up the intermediary network but will also congest the network of the spoofed source IP address known as the victim network This f
235. o 30 characters of the person in charge of this JohnDoe Name optional Prestige 3 2 General Setup Prestige 652 ADSL Security Router Domain Name Enter your domain name here if you have one If you leave this field blank the ISP may assign a domain name via DHCP You can go to menu 24 8 and type sys domain name to see the current domain name used by your router If you want to clear this field just press SPACE BAR and then ENTER The domain name entered by you is given priority over the ISP assigned domain name zyxel com tw Edit Dynamic DNS Press SPACE BAR and then ENTER to select Yes or No default No Select Yes to configure Menu 1 1 Configure Dynamic DNS default discussed next Route IP Set this field to Yes to enable or No to disable IP routing You must Yes enable IP routing for Internet access Bridge Turn on off bridging for protocols not supported for example SNA or No not turned on in the previous Route IP field Select Yes to turn bridging on select No to turn bridging off 3 3 1 Configuring Dynamic DNS To configure Dynamic DNS go to Menu 1 General Setup and press SPACE BAR to select Yes in the Edit Dynamic DNS field Press ENTER to display Menu 1 1 Configure Dynamic DNS shown next Menu 1 1 Configure Dynamic DNS Service Provider WWW DynDNS ORG Active Yes Host EMAIL USER Password kckckckckckck k Enable Wildcard No Pre
236. o TR e a a e de 8 1 Table 8 2 NAT Mapping Types cccccessessscsseceecesecnecseecaeeeseeeneeaeeseesseenseceseceaecnaecnaecaeecaeeeaeeeseseeeseeeeeresetens 8 5 Table 8 3 Applying NAT in Menus 4 amp II 8 8 Table 8 4 SUA Address Mapping Rules esses 8 11 Table 8 3 Fields in Menu lili ad A edet 8 13 Table 8 6 Menu 15 1 1 1 Editing Configuring an Individual Rule in a Set 8 15 Tabl 8 7 Services Ur 8 16 Table 9 1 Common IP Botte 9 4 Table 9 2 ICMP Commands That Trigger Alerts esessseseeeeeeeeeeeenen enne nnne 9 6 XX List of Tables Prestige 652 ADSL Security Router Table 9 3 Legal NetBIOS Commands cte eet eter e a lee ti da 9 7 Table 9 4 Legal SMTP Commandes 9 7 Table 10 1 View Firewall Log 4 eee iii 10 3 NC O ee EE EA 11 4 Table 11 2 SMTP Error Messages 11 5 Table 11 3 TE EE 11 9 Table 12 1 Firewall Rules Summary First Sereen nennen enne 12 5 Table 12 2 Predefined Services oed ete RERO Es 12 7 Table 12 3 Creating Editing A Firewall Rule 12 10 Table 12 4 Adding Editing Source and Destination Adresses 12 12 Table 12 5 Timeout Menu idee dd Ide e T ER ces 12 14 Table 13 1 Customized Services on iet oem dete mee eo ee etes 13 2 Table 13 2 Creating Editing A Custom Port 13 3 Table 14 Log Seteen a ono Saee RE Eee ta elas whine idein 14 2 Table 16 1 Filter Rules Summary Menu Abbreviations nennen enne 16 8 Table 16 2 Rule Abbreviations Used nerenin nerie aa ERE EAEAN E
237. o apply to packets with a particular Single Address single IP address a range of IP addresses e g 192 168 1 10 R Add to 192 169 1 50 a subnet or any IP address Select an option ange reS from the drop down list box Subnet Address Any Address Start IP Address Enter the single IP address or the starting IP address in a range here End IP Address Enter the ending IP address in a range here Subnet Mask Enter the subnet mask here if applicable Click Apply to save your customized settings and exit this screen Click Reset to return to the previous configuration Use the Help icon to view field descriptions 12 12 Creating Custom Rules Prestige 652 ADSL Security Router 12 6 Timeout The fields in the Timeout screens are the same for Local and Internet networks so the discussion below refers to both 12 6 1 Factors Influencing Choices for Timeout Values The factors influencing choices for timeout values are the same as the factors influencing choices for threshold values see section 11 4 1 Click Timeout for either Local Network or Internet ZyXEL TOTAL INTERNET ACCESS SOLUTION Wizard Setup Advanced Setup Password LAN A Dynamic DNS Time Zone Content Filter Firewall VPN Remote Management Maintenance Logout EH Firewall LAN to WAN Timeout TCP Timeout Values Connection Timeout 0 sec FIN Wa
238. o not match the following rules be Block packets not matching blocked or forwarded Make your choice from the drop Forward following rules down list box Note that block means the firewall silently discards the packet Default Permit Log Click this check box to log all matched rules in the ACL Creating Custom Rules 12 5 Prestige 652 ADSL Security Router Table 12 1 Firewall Rules Summary First Screen FIELD DESCRIPTION OPTIONS default set The following fields summarize the rules you have created Note that these fields are read only Click the tab at the top of the box to order the rules according to that tab No This is your firewall rule number The ordering of your rules is important as rules are applied in turn The Move field below allows you to reorder your rules Click a rule s number to edit the rule Source IP This is the source address of the packet Destination IP This is the destination address of the packet clicking on the rule you want to move The ordering of your rules is important as rules are applied in turn Service This is the service to which the rule applies See Table 12 2 for more information Action This is the specified action for that rule Note that Block Block means the firewall silently discards the packet Forward Move Rule You may reorder your rules using this function Select by To Rule Number Select the nu
239. oan tete EL ee Resse 17 2 17 37 SNMP Configuration s ix orti ete rh Hawi ent la E Aen 17 2 IR SNMP Traps ne iere o ette A ces hot Rte Perse re codes 17 4 Chapter 18 System Information and Diagnosis eerie esee eene eee eee eese nennen natns tn seta setas etna ann 18 1 18 1 Systemi Staus iin eiecti eter rete tetro eee te e eei eee hebes vo ets AE E 18 1 18 2 System Information and Console Port Speed 18 3 IER Ee AR e ote tee Node i Ie ERI RR EE e Ie detta 18 5 18 4 DiagnostiQus suae ee HERE S e co tpe e e e e e hae RU T OR C RET Gs 18 8 18 5 Command Interpreter Mode 18 9 Chapter 19 Firmware and Configuration File Maintenance eese eee eee eene eene tenete natns tna n 19 1 19 1 Filename Conventions sos tert er toe ee A eR tar tee und 19 1 19 2 Backup Configuration Re d tee eR eR NO e dete e ER RR Ne eee agde det 19 2 19 3 Restore Configuration isis A Aen woes 19 7 19 4 Uploading Firmware and Configuration Files 19 10 Chapter 20 System Maintenance and Information scccssssscsccecessscsccesscscesceesscscescesessesccceseseseeees 20 1 20 1 Command Interpreter Mode 20 1 20 2 Call Control Support 20 2 20 3 Time and Date Setting eene 20 4 Chapter 21 Remote Management eeeeee esee eee seen eere etn seta setas tons setas toss setas stone setas stone setas etos setas seno 21 1 21 1 About Telnet Configuration esses ener enne nnne eren enne 21 1 21 2 Telnet
240. ocol Filter TCP IP rules Generic Filter rules act on the raw data from to LAN and WAN Protocol Filter rules act on IP packets When NAT Network Address Translation is enabled the inside IP address and port number are replaced on a connection by connection basis which makes it impossible to know the exact address and port on the wire Therefore the Prestige applies the protocol filters to the native IP address and port number before NAT for outgoing packets and after NAT for incoming packets On the other hand the generic or device filters are applied to the raw packets that appear on the wire They are applied at the point where the Prestige is receiving and sending the packets for instance the interface The interface can be an Ethernet or any other hardware port The following figure illustrates this Figure 16 13 Protocol and Device Filter Sets 16 5 Example Filter Let s look at an example to block outside users from telnetting into the Prestige See the included disk for example filters 16 14 Filter Configuration Prestige 652 ADSL Security Router Your LAN Prestige User trying to telnet lt into the Prestige Incoming Traffic Filter Figure 16 14 Sample Telnet Filter Step 1 Enter 21 from the main menu to open Menu 21 Filter and Firewall Setup Step 2 Enter 1 to open Menu 21 1 Filter Set Configuration Step 3 Enter the index of the filter set you wish to configure say 4 an
241. of an outgoing packet used within one network to a different IP address known within another network 8 1 1 NAT Definitions Inside outside denotes where a host is located relative to the Prestige for example the computers of your subscribers are the inside hosts while the web servers on the Internet are the outside hosts Global local denotes the IP address of a host in a packet as the packet traverses a router for example the local address refers to the IP address of a host when the packet is in the local network while the global address refers to the IP address of the host when the same packet is travelling in the WAN side Note that inside outside refers to the location of a host while global local refers to the IP address of a host used in a packet Thus an inside local address ILA is the IP address of an inside host in a packet when the packet is still in the local network while an inside global address IGA is the IP address of the same inside host when the packet is on the WAN side The following table summarizes this information Table 8 1 NAT Definitions TERM DESCRIPTION Inside This refers to the host on the LAN Outside This refers to the host on the WAN Local This refers to the packet address source or destination as the packet travels on the LAN Global This refers to the packet address source or destination as the packet travels on the WAN NAT 8 1 Prestige 652 ADSL Security
242. ol functions budget management and call history Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11 1 The budget management function allows you to set a limit on the total outgoing call time of the Prestige within certain times When the total outgoing call time exceeds the limit the current call will be dropped and any future outgoing calls will be blocked Call history chronicles preceding incoming and outgoing calls To access the call control menu select option 9 in menu 24 to go to Menu 24 9 System Maintenance Call Control as shown in the next table Menu 24 9 System Maintenance Call Control 1 Budget Management Enter Menu Selection Number Figure 20 3 Call Control 20 2 1 Budget Management Menu 24 9 1 shows the budget management statistics for outgoing calls Enter 1 from Menu 24 9 System Maintenance Call Control to bring up the following menu 20 2 System Maintenance and Information Prestige 652 ADSL Security Router Remote Node 1 ChangeMe Menu 24 9 1 Budget Management Connection Time Total Budget No Budget Reset Node 0 to update screen Elapsed Time Total Period No Budget Figure 20 4 Budget Management The total budget is the time limit on the accumulated time for outgoing calls to a remote node When this limit is reached the call will be dropped and further outgoing calls to that remote node will
243. om 0 to 7 or Don t Care Packet Length Type the length of incoming packets in bytes The operators in the Len Comp next field apply to packets of this length Len Comp Press SPACE BAR and then ENTER to choose from Equal Not Equal Less Greater Less or Equal or Greater or Equal 22 4 IP Policy Routing Prestige 652 ADSL Security Router FIELD DESCRIPTION Source addr start end Source IP address range from start to end port start end Source port number range from start to end applicable only for TCP UDP Destination addr start end Destination IP address range from start to end port start end Destination port number range from start to end applicable only for TCP UDP Action Specifies whether action should be taken on criteria Matched or Not Matched Gateway addr Defines the outgoing gateway address The gateway must be on the same subnet as the Prestige if itis on the LAN otherwise the gateway must be the IP address of a remote node The default gateway is specified as 0 0 0 0 Type of Service Set the new TOS value of the outgoing packet Prioritize incoming network traffic by choosing No Change Normal Min Delay Max Thruput Max Reliable or Min Cost Precedence Set the new outgoing packet precedence value Values are 0 to 7 or No Change Log Press SPACE BAR and then ENTER to select Yes to make an entry in the system
244. operties window opens If your IP address is dynamic click Obtain an IP address automatically If you have a static IP address click Use the following IP Address and fill in the IP address Subnet mask and Default gateway fields 4 In the Internet Protocol TCP IP Properties window Click Obtain DNS server automatically if you do not know your DNS server IP address es If you know your DNS server IP address es type them in the Preferred DNS server and Alternate DNS server fields If you have previously configured DNS servers click Advanced and then the DNS tab to order them 5 Click Advanced If you do not know your gateway s IP address remove any previously installed gateways in the IP Settings tab and click OK 6 Click OK to save and close the Internet Protocol TCP IP Properties window 7 Click OK to close the Local Area Connection Properties window 8 Turn on your Prestige and restart your computer 1f prompted Verifying TCP IP Properties Click Start Programs Accessories and then Command Prompt In the Command Prompt window type ipconfig and then press ENTER The window will display information about your connection specific DNS suffix IP Address Subnet Mask and Default Gateway Setting up Your Windows XP Computer Configuring TCP IP 1 Click start Control Panel Network and Internet Connections and then Network Connections 2 Right click the network connection you want to configure and then click Prope
245. or a static IP you must fill in all the IP Address and ENET ENCAP Gateway fields as supplied by your ISP However for a dynamic IP the Prestige acts as a 4 12 Internet Access Prestige 652 ADSL Security Router DHCP client on the WAN port and so the IP Address and ENET ENCAP Gateway fields are not applicable N A as they are assigned to the Prestige by the DHCP server 4 13 Internet Access Configuration Menu 4 allows you to enter the Internet Access information in one screen Menu 4 is actually a simplified setup for one of the remote nodes that you can access in menu 11 Before you configure your Prestige for Internet access you need to collect your Internet account information from your ISP and telephone company Use the following table to record your Internet Account Information Note that if you are using PPPoA or PPPoE encapsulation then the only ISP information you need is a login name and password You only need to know the Ethernet Encapsulation Gateway IP address if you are using ENET ENCAP encapsulation Table 4 4 Internet Account Information FIELD DESCRIPTION YOUR INFO System Name Name of the Prestige optional Service Name Enter the PPPoE service name if the ISP supplies one PPPoE Enter any 1f the ISP does not assign you one Encapsulation Encapsulation PPPoE RFC1483 PPPoA or ENET ENCAP Multiplexing LLC based or VC based If this information is not given
246. oting the Web Configurator PROBLEM CORRECTIVE ACTION cannot access the web configurator Type admin in the User Name field The default password is 1234 Both fields are case sensitive If you have changed the password and have now forgotten it you will need to upload the default configuration file Refer to the Resetting the Prestige section This restores all of the factory defaults including the password Make sure that there is not an SMT console session running Check that you have enabled web service access in SMT Menu 24 11 Remote Management Control If you have configured an IP address in the Secured Client IP field your computer s IP address must match it For WAN access you must configure the Server Access field to WAN only or ALL Otherwise the firewall when activated blocks all WAN to LAN traffic by default Your computer s and the Prestige s IP addresses must be on the same subnet for LAN access If you changed the Prestige s LAN IP address then enter the new one as the URL Remove any filters in menu 3 1 LAN or menu 11 5 WAN that block web service 29 9 Problems with Remote Management Table 29 8 Troubleshooting Remote Management PROBLEM CORRECTIVE ACTION cannot remotely Refer to the Remote Management Limitations section for scenarios when remote manage the management may not be possible Prestige from the LNS NAN When NAT is enabled gt Use the Pres
247. our Prestige Menu 24 10 allows you to update the time and date settings of your Prestige The real time is then displayed in the Prestige error logs and firewall logs Select menu 24 in the main menu to open Menu 24 System Maintenance as shown next Menu 24 System Maintenance System Status System Information and Console Port Speed Log and Trace Diagnostic Backup Configuration Restore Configuration Upload Firmware Command Interpreter Mode ontro je jo o 300 na Enter Menu Selection Number Figure 20 5 Menu 24 System Maintenance Then enter 10 to go to Menu 24 10 System Maintenance Time and Date Setting to update the time and date settings of your Prestige as shown in the following screen Menu 24 10 System Maintenance Time and Date Setting Use Time Server when Bootup None Time Server Address N A Current Time 00 3 x00 3 New Time hh mm ss l4 3 22 30 Current Date 2000 01 New Date yyyy mm dd 2001 03 Time Zone GMT Daylight Saving No Start Date mm dd 01 00 End Date mm dd 01 00 Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Figure 20 6 Menu 24 10 System Maintenance Time and Date Setting 20 4 System Maintenance and Information Prestige 652 ADSL Security Router Table 20 2 Time and Date Setting Fields FIELD DESCRIPTION Use Time Server when Bootup Enter the time service protocol that your time s
248. out Figure 13 3 Configure Source IP Customized Services 13 5 Prestige 652 ADSL Security Router Step 5 Click Edit Available Service in the edit rule screen and then click a rule number to bring up the Firewall Customized Services Config screen Configure as follows ZyXEL TOTAL INTERNET ACCESS SOLUTION Firewall Customized Services Config Wizard Setup Service Name Syslog n Service Type UDP y Password LAN Port Configuration NAT Type Single C Range Dynamic DNS Port Number 514 P Time Zone Content Filter Firewall Back Reset Delete VPN Remote Management Maintenance Logout Figure 13 4 Customized Service for Syslog Customized services show up with an before their names in the Services list box and the Rule Summary list box Click Apply after you ve created your customized service 13 6 Customized Services Prestige 652 ADSL Security Router Step 5 Follow the procedures outlined earlier in this chapter to configure all your rules Configure the rule configuration screen like the one below and apply it ZyXEL TOTAL INTERNET ACCESS SOLUTION Firewall WAN to LAN Edit Rule 1 Wizard Setup Source Address HERR Source P address feti 10 0 0 10 10 0 0 15 Advanced Setup Password LAN thle SrcEdit SroDelete Dynamic DNS Time Zone Desfination Address
249. outer Menu 3 Ethernet Setup 1 LAN Port Filter Setup 2 TCP IP and DHCP Setup Enter Menu Selection Number Figure 3 3 Menu 3 Ethernet Setup 3 4 1 LAN Port Filter Setup This menu allows you to specify filter set s that you wish to apply to the Ethernet traffic You seldom need to filter Ethernet traffic however the filter sets may be useful to block certain packets reduce traffic and prevent security breaches Menu 3 1 LAN Port Filter Setup Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Press ENTER to Confirm or ESC to Cancel Figure 3 4 Menu 3 1 LAN Port Filter Setup If you need to define filters please read the Filter Set Configuration chapter first then return to this menu to define the filter sets 3 5 Protocol Dependent Ethernet Setup Depending on the protocols for your applications you need to configure the respective Ethernet Setup as outlined next O For TCP IP Ethernet setup refer to Internet Access Application For bridging Ethernet setup refer to Bridging Setup General Setup 3 5 Prestige 652 ADSL Security Router Chapter 4 Internet Access This chapter shows you how to configure the LAN and WAN of your Prestige for Internet access 4 1 Factory Ethernet Defaults The Ethernet parameters of the Prestige are preset in the factory with the following values 1 IP address of 192 168 1 1 with
250. ow to get started with the Prestige firewall 10 1 Remote Management and the Firewall When SMT menu 24 11 is configured to allow management see the Remote Management chapter and the firewall is enabled e The firewall blocks remote management from the WAN unless you configure a firewall rule to allow it e The firewall allows remote management from the LAN 10 2 Access Methods The web configurator is by far the most comprehensive firewall configuration tool your Prestige has to offer For this reason it is recommended that you configure your firewall using the web configurator see the following chapters for instructions SMT screens allow you to activate the firewall and view firewall logs 10 3 Using Prestige SMT Menus From the main menu enter 21 to go to Menu 21 Filter Set and Firewall Configuration to display the screen shown next Menu 21 Filter and Firewall Setup l Eee ee Firewall Setup S irewall Log Figure 10 1 Menu 21 Filter and Firewall Setup Introducing the Prestige Firewall 10 1 Prestige 652 ADSL Security Router 10 3 1 Activating the Firewall Enter option 2 in this menu to bring up the following screen Press SPACE BAR and then ENTER to select Yes in the Active field to activate the firewall The firewall must be active to protect against Denial of Service DoS attacks Additional rules may be configured using the web configurator Menu 21 2 Firewall Setup The firewall
251. owser Internet Explorer 3 02 or better or Netscape 3 0 or better If a web site uses a secure connection it is safe to submit information Secure web transactions are quite difficult to crack Never reveal your IP address or other system networking information to people outside your company Be careful of files e mailed to you from strangers One common way of getting BackOrifice on a system is to include it as a Trojan horse with other files Change your passwords regularly Also use passwords that are not easy to figure out The most difficult passwords to crack are those with upper and lower case letters numbers and a symbol such as or f Upgrade your software regularly Many older versions of software especially web browsers have well known security deficiencies When you upgrade to the latest versions you get the latest patches and fixes If you use chat rooms or IRC sessions be careful with any information you reveal to strangers If your system starts exhibiting odd behavior contact your ISP Some hackers will set off hacks that cause your system to slowly become unstable or unusable Always shred confidential information particularly about your computer before throwing it away Some hackers dig through the trash of companies or individuals for information that might help them in an attack 9 7 Packet Filtering Vs Firewall Below are some comparisons between the Prestige s filtering and firewall functions 9
252. p Routing Refers to the routing protocol used ZyNOS F W Version Refers to the ZyNOS ZyXEL Network Operating System system firmware version ZyNOS is a registered trademark of ZyXEL Communications Corporation ADSL Chipset Vendor Displays the vendor of the ADSL chipset and DSL version Standard This refers to the operational protocol the Prestige and the DSLAM Digital Subscriber Line Access Multiplexer are using LAN Ethernet Address Refers to the Ethernet MAC Media Access Control of your Prestige IP Address This is the IP address of the Prestige in dotted decimal notation IP Mask This shows the subnet mask of the Prestige DHCP This field shows the DHCP setting None Relay or Server of the Prestige 18 4 System Information and Diagnosis Prestige 652 ADSL Security Router 18 2 2 Console Port Speed You can set up different port speeds for the console port through Menu 24 2 2 System Maintenance Console Port Speed Your Prestige supports 9600 default 19200 38400 57600 and 115200bps Use SPACE BAR and then ENTER to select the desired speed in menu 24 2 2 as shown in the following figure Menu 24 2 2 System Maintenance Change Console Port Speed Console Port Speed 9600 Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Figure 18 5 Menu 24 2 2 System Maintenance Change Console Port Speed 18 3 Log and Trace
253. peed of 832 Kbps gives a maximum PCR of 1962 cells sec This rate is not guaranteed because it is dependent on the line speed Sustained Cell Rate SCR is the mean cell rate of a bursty on off traffic source that can be sent at the peak rate and a parameter for burst type traffic SCR may not be greater than the PCR the system default is 0 cells sec Maximum Burst Size MBS is the maximum number of cells that can be sent at the PCR After MBS is reached cell rates fall below SCR until cell rate averages to the SCR again At this time more cells up to the MBS can be sent at the PCR again If the PCR SCR or MBS is set to the default of 0 the system will assign a maximum value that correlates to your upstream line rate The following figure illustrates the relationship between PCR SCR and MBS 4 14 Internet Access Prestige 652 ADSL Security Router g oO a Y O PCR SCR i R lt gt Time MBS MBS Figure 4 8 Example of Traffic Shaping From the main menu enter 4 to display Menu 4 Internet Access Setup shown next Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation RFC 1483 Multiplexing VC based VPI 8 VCI 35 ATM QoS Typ CBR Peak Cell Rate PCR 0 Sustain Cell Rate SCR 0 Maximum Burst Size MBS 0 My Login N A My Password N A ENET ENCAP Gateway N A IP Address Assignment Static IP Address 0 0 0 0 Network Address Translation SUA Only Addre
254. ping Set mapping sets in menu 15 1 Select one of the NAT server sets 2 10 in menu 15 2 see the NAT chapter for details and type that number here When SUA Only is selected in the NAT field the SMT uses NAT server set 1 in menu 15 2 see the NAT chapter for details Metric The metric represents the cost of transmission for routing purposes 2 IP routing uses hop count as the cost measurement with a minimum of 1 for directly connected networks Type a number that approximates the cost for this link The number need not be precise but it must be between 1 and 15 In practice 2 or 3 is usually a good number Private This determines if the Prestige will include the route to this remote node Yes in its RIP broadcasts If set to Yes this route is kept private and not included in RIP broadcast If No the route to this remote node will be propagated to other hosts through RIP broadcasts RIP Direction Press SPACE BAR and then ENTER to select the RIP Direction Both Options are Both In Only Out Only or None Version Press SPACE BAR and then ENTER to select the RIP version RIP 2B Options are RIP 1 RIP 2B or RIP 2M Multicast IGMP v1 sets IGMP to version 1 IGMP v2 sets IGMP to version 2 and IGMP v2 None disables IGMP IP Policies You can apply up to four IP Policy sets from 12 by typing in their 3 4 5 6 numbers separated by commas When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to canc
255. policy In addition specific policies must be implemented within the firewall itself 9 2 Types of Firewalls There are three main types of firewalls 1 Packet Filtering Firewalls 2 Application level Firewalls 3 Stateful Inspection Firewalls 9 2 1 Packet Filtering Firewalls Packet filtering firewalls restrict access based on the source destination computer network address of a packet and the type of application 9 2 2 Application level Firewalls Application level firewalls restrict access by serving as proxies for external servers Since they use programs written for specific Internet services such as HTTP FTP and telnet they can evaluate network packets for valid application specific data Application level gateways have a number of general advantages over the default mode of permitting application traffic directly to internal hosts Firewalls 9 1 Prestige 652 ADSL Security Router i Information hiding prevents the names of internal systems from being made known via DNS to outside systems since the application gateway is the only host whose name must be made known to outside systems ii Robust authentication and logging pre authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging Filtering rules at the packet filtering router can be less complex than they would be if the router needed to filter application traffic a
256. pplies a 56 bit key to each 64 bit block of data 3DES SHA1 Triple DES 3DES is a variant of DES which iterates SHA1 Secure Hash Algorithm produces a three times with three separate keys 3 x 56 168 bits 160 bit digest to authenticate packet data effectively doubling the strength of DES 25 3 IPSec Summary Type 1 in menu 27 and then press ENTER to display Menu 27 1 IPSec Summary This is a summary read only menu of your IPSec rules tunnels Edit or create an IPSec rule by selecting an index number and then configuring the associated submenus The following figure helps explain the main fields in menu 27 1 Local Network Remote Network Local IP Addresses Remote IP Addresses Prestige Prestige VPN Tunnel Secure Gateway IP Address Figure 25 3 IPSec Summary Fields Local and remote IP addresses must be static The VPN initiator local IP address range should be identical to the peer remote IP address range Similarly the VPN initiator remote IP address range should be identical to the peer local IP address range If they are not the connection will fail and this will display in the IPSec log as a local or remote ID failure My IP Address VPN IPSec Setup 25 3 Prestige 652 ADSL Security Router 25 3 1 My IP Address My IP A ddr is the WAN IP address of the Prestige If this field is configured as 0 0 0 0 then the Prestige will use the current Prestige WAN IP address
257. quests as necessary until the number of existing half open sessions drops below this number 80 existing half open sessions Maximum Incomplete High This is the number of existing half open sessions that causes the firewall to start deleting half open sessions When the number of existing half open sessions rises above this number the Prestige 100 half open sessions per minute The above values causes the Prestige to start deleting half open sessions when the number of existing Using the Prestige Web Configurator Prestige 652 ADSL Security Router Table 11 3 Attack Alert FIELD DESCRIPTION DEFAULT VALUES deletes half open sessions as required to half open sessions rises above accommodate new connection requests 100 and to stop deleting half Do not set Maximum Incomplete High to open sessions with the number lower than the current Maximum of existing half open sessions Incomplete Low number drops below 80 TCP Maximum This is the number of existing half open 10 existing half open TCP Incomplete TCP sessions with the same destination sessions host IP address that causes the firewall to start dropping half open sessions to that same destination host IP address Enter a number between 1 and 250 As a general rule you should choose a smaller number for a smaller network a slower system or limited bandwidth Blocking Time When TCP Maximum Incomplete is 10 reached you can c
258. r 5 1 2 Encapsulation and Multiplexing Scenarios For Internet access you should use the encapsulation and multiplexing methods used by your ISP Consult your telephone company for information on encapsulation and multiplexing methods for LAN to LAN applications for example between a branch office and corporate headquarters There must be prior agreement on encapsulation and multiplexing methods because they cannot be automatically determined What method s you use also depends on how many VCs you have and how many different network protocols you need The extra overhead that ENET ENCAP encapsulation entails makes it a poor choice in a LAN to LAN application Here are some examples of more suitable combinations in such an application Scenario 1 One VC Multiple Protocols PPPoA RFC 2364 encapsulation with VC based multiplexing is the best combination because no extra protocol identifying headers are needed The PPP protocol already contains this information Scenario 2 One VC One Protocol IP Selecting RFC 1483 encapsulation with VC based multiplexing requires the least amount of overhead 0 octets However if there is a potential need for multiple protocol support in the future it may be safer to select PPPoA encapsulation instead of RFC 1483 so you do not need to reconfigure either computer later Scenario 3 Multiple VCs If you have an equal number or more of VCs than the number of protocols then select RFC 1483 encapsulat
259. r 5 Local IP address 0 0 0 0 150000014 SUA Server 6 Port Start 150000015 SUA Server 6 Port End 150000016 SUA Server 6 Local IP address 0 0 0 0 150000017 SUA Server 7 Port Start 150000018 SUA Server 7 Port End 150000019 SUA Server 7 Local IP address 0 0 0 0 Example Internal SPTGEN Screens Prestige 652 ADSL Security Router 150000020 SUA Server 8 Port Start 150000021 SUA Server 8 Port End 150000022 SUA Server 8 Local IP address 0 0 0 0 150000023 SUA Server 9 Port Start 150000024 SUA Server 9 Port End 150000025 SUA Server 9 Local IP address 0 0 0 0 150000026 SUA Server 10 Port Start 150000027 SUA Server 10 Port End 150000028 SUA Server 10 Local IP address 0 0 0 0 150000029 SUA Server 11 Port Start 150000030 SUA Server 11 Port End 150000031 SUA Server 11 Local IP address 0 0 0 0 150000032 SUA Server 12 Port Start 150000033 SUA Server 12 Port End 150000034 SUA Server 12 Local IP address 0 0 0 0 MENU 21 FILTER SET 1 SMT MENU 21 FIN FN PVA You may 210100001 Filter Set 1 Name lt Str gt e filter sets with SMT MENU 21 1 1 FILTER SET 1 RULE 1 SMT MENU 21 1 1 Ee FIN FN PVA INPUT EN 210101001 IP Filter Set 1 Rule 1 Type lt 2 TCP IP gt gt 2101010
260. r computer must have an FTP client When you telnet into the Prestige you will see the following screens for uploading firmware and the configuration file using FTP 19 10 Firmware and Configuration File Maintenance Prestige 652 ADSL Security Router Menu 24 7 1 System Maintenance Upload System Firmware To upload the system firmware follow the procedure below Launch the FTP client on your workstation Type open and the IP address of your system Then type root and SMT password as requested Type put firmwarefilename ras where firmwarefilename is the name of your firmware upgrade file on your workstation and ras is the remote file name on the system The system reboots automatically after a successful firmware upload For details on FTP commands please consult the documentation of your FTP client program For details on uploading system firmware using TFTP note that you must remain on this menu to upload system firmware using TFTP please see your manual Press ENTER to Exit Figure 19 13 Telnet Into Menu 24 7 1 Upload System Firmware 19 4 2 Configuration File Upload You see the following screen when you telnet into menu 24 7 2 Menu 24 7 2 System Maintenance Upload System Configuration File To upload the system configuration file follow the procedure below Launch the FTP client on your workstation Type open and the IP address of your system Then type root and SMT password as
261. r panel of your Prestige ON Jm OF POWER p LAN 70 100M RESET CONSOLE A UPLINK Sem am am Figure 2 2 Rear Panel 2 2 Hardware Installation and Initial Setup Prestige 652 ADSL Security Router 2 2 1 xDSL Port Connect the Prestige directly to the wall jack using a DSL cable telephone wire Connect a microfilter s between the wall jack and your telephone s A microfilter acts as low pass filter voice transmission takes place in the 0 to 4KHz bandwidth and is an optional purchase 2 2 2 Console Port Use terminal emulator software on a computer for configuring your Prestige via console port Connect the 9 pin end of the console cable to the console port of the Prestige and the other end choice of 9 pin or 25 pin depending on your computer end to a serial port COM1 COM2 or other COM port of your computer You can use an extension RS 232 cable if the enclosed one is too short After the initial setup you can modify the configuration remotely through telnet connections 2 2 3 LAN 10 100M Port For a single computer connect the 10 100M LAN port on the Prestige to the Network Adapter on the computer using a crossover Ethernet cable with the UPLINK button off out Use a straight through cable if the UPLINK button is on in If you have more than one computer then you must use an external hub Connect the 10 100M LAN port on the Prestige to a port on the hub using a straight through Ethe
262. re you obtain your network number depends on your particular situation If the ISP or your network administrator assigns you a block of registered IP addresses follow their instructions in selecting the IP addresses and the subnet mask If the ISP did not explicitly give you an IP network number then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established If this is the case it is recommended that you select a network number from 192 168 0 0 to 192 168 255 0 ignoring the trailing zero and you must enable the Single User Account feature of the Prestige The Internet Assigned Number Authority LANA reserved this block of addresses specifically for private use please do not use any other number unless you are told otherwise Let s say you select 192 168 1 0 as the network number which covers 254 individual addresses from 192 168 1 1 to 192 168 1 254 zero and 255 are reserved In other words the first three numbers specify the network number while the last number identifies an individual computer on that network The subnet mask specifies the network number portion of an IP address Your Prestige will compute the subnet mask automatically based on the IP address that you entered You don t need to change the subnet mask computed by the Prestige unless you are instructed to do otherwise 4 2 Internet Access Prestige 652 ADSL Security Router 4 3 2 Private IP Addresse
263. request for that packet and allowed in Conversely an incoming packet masquerading as a response to a nonexistent outbound request can be blocked The firewall uses session filtering 1 e smart rules that enhance the filtering process and control the network session rather than control individual packets in a session The firewall provides e mail service to notify you of routine reports and when alerts occur When To Use The Firewall l 2 To prevent DoS attacks and prevent hackers cracking your network A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule making the firewall a better choice when complex rules are required Firewalls 9 13 Prestige 652 ADSL Security Router 3 To selectively block allow inbound or outbound traffic between inside host networks and outside host networks Remember that filters can not distinguish traffic originating from an inside host or an outside host by IP address 4 The firewall performs better than filtering if you need to check many rules 5 Use the firewall if you need routine e mail reports about your system or need to be alerted when attacks occur 6 The firewall can block specific URL traffic that might occur in the future The URL can be saved in an Access Control List ACL database 9 14 Firewalls Prestige 652 ADSL Security Router Chapter 10 Introducing the Prestige Firewall This chapter shows you h
264. requested Type put configurationfilename rom 0 where configurationfilename is the name of your system configuration file on your workstation which will be transferred to the rom 0 file on the system The system reboots automatically after the upload system configuration file process is complete For details on FTP commands please consult the documentation of your FTP client program For details on uploading system firmware using TFTP note that you must remain on this menu to upload system firmware using TFTP please see your manual Press ENTER to Exit Figure 19 14 Telnet Into Menu 24 7 2 System Maintenance Firmware and Configuration File Maintenance 19 11 Prestige 652 ADSL Security Router To upload the firmware and the configuration file follow these examples 19 4 3 FTP File Upload Command from the DOS Prompt Example Step 1 Launch the FTP client on your computer Step 2 Enter open followed by a space and the IP address of your Prestige Step 3 Press ENTER when prompted for a username Step 4 Enter your password as requested the default is 1234 Step 5 Enter bin to set transfer mode to binary Step 6 Use put to transfer files from the computer to the Prestige for example put firmware bin ras transfers the firmware on your computer firmware bin to the Prestige and renames it ras Similarly put config rom rom 0 transfers the configuration file on yo
265. rify the integrity of the entire packet by use of portions of the original IP header in the hashing process 24 3 2 Tunnel Mode Tunnel mode encapsulates the entire IP packet to transmit it securely A Tunnel mode is required for gateway services to provide access to internal systems Tunnel mode is fundamentally an IP tunnel with authentication and encryption This is the most common mode of operation Tunnel mode is required for gateway to gateway and host to gateway communications Tunnel mode communications have two sets of IP headers gt Outside header The outside IP header contains the destination IP address of the VPN gateway gt Inside header The inside IP header contains the destination IP address of the final system behind the VPN gateway The security protocol appears after the outer IP header and before the inside IP header 24 4 IPSec and NAT Read this section if you are running IPSec on a host computer behind the Prestige NAT is incompatible with the AH protocol in both Transport and Tunnel mode An IPSec VPN using the AH protocol digitally signs the outbound packet both data payload and headers with a hash value appended to the packet When using AH protocol packet contents the data payload are not encrypted Introduction to IPSec 24 5 Prestige 652 ADSL Security Router A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing The VPN device
266. rity replay resistance and non repudiation but not for confidentiality for which the ESP was designed In applications where confidentiality is not required or not sanctioned by government encryption restrictions an AH can be employed to ensure integrity This type of implementation does not protect the information from dissemination but will allow for verification of the integrity of the information and authentication of the originator 25 2 2 ESP Encapsulating Security Payload Protocol The ESP protocol RFC 2406 provides encryption as well as some of the services offered by AH ESP authenticating properties are limited compared to the AH due to the non inclusion of the IP header information during the authentication process However ESP is sufficient if only the upper layer protocols need to be authenticated An added feature of the ESP is payload padding which further protects communications by concealing the size of the packet being transmitted 25 2 VPN IPSec Setup Prestige 652 ADSL Security Router Table 25 1 AH and ESP ESP AH Select DES for minimal security and 3DES for maximum Select MD5 for minimal security and SHA 1 for Select NULL to set up a tunnel without encryption maximum security DES default MD5 default Data Encryption Standard DES is a widely used method MD5 Message Digest 5 produces a 128 bit of data encryption using a private secret key DES digest to authenticate packet data a
267. rk behind the remote IPSec router When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to SUBNET this is a static IP address on the network behind the remote IPSec router This field displays N A when you configure the Secure Gateway Addr field in SMT 27 1 1 to 0 0 0 0 172 16 2 40 VPN IPSec Setup 25 7 Prestige 652 ADSL Security Router Table 25 3 Menu 27 1 IPSec Summary FIELD DESCRIPTION EXAMPLE Remote Addr End When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to Single this is the same static IP address as in the Remote Addr Start field When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to Range this is the end static IP address in a range of computers on the network behind the remote IPSec router When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to SUBNET this is a subnet mask on the network behind the remote IPSec router This field displays N A when you configure the Secure Gateway Addr field in SMT 27 1 1 to 0 0 0 0 172 16 2 46 Secure GW Addr This is the WAN IP address or the domain name up to the first 15 characters are displayed of the IPSec router with which you are making the VPN connection This field displays 0 0 0 0 when you configure the Secure Gateway Addr field in SMT 27 1 1 to 0 0 0 0 193 81 13 2 Select Command Press SPACE BAR to choose from None Edit or Delete and then pr
268. rnet cable and make sure the Uplink button is on The corresponding LAN LED on the front panel turns on when the Prestige is on and properly connected to a computer or hub 2 2 4 Power Port Connect the power adapter to the port labeled POWER on the rear panel of your Prestige Make sure you use the correct power adapter to avoid damage to the Prestige Refer to the Power Adapter Specification Appendix for this information 2 2 5 Reset Button Refer to section 2 8 for information on the RESET button 2 3 Additional Installation Requirements A computer with an Ethernet 10Base T 100Base T NIC Network Interface Card Hardware Installation and Initial Setup 2 3 Prestige 652 ADSL Security Router A computer equipped with communications software for example Hyper Terminal in Windows 95 configured to the following parameters gt VT100 terminal emulation gt 9600 baud rate gt Parity set to none 8 data bits 1 stop bit gt Flow control set to none After the Prestige has been successfully connected to your network you can make future changes to the configuration via Telnet 2 4 P652 with POTS 2 4 1 Connecting a POTS Splitter One major difference between Full Rate G dmt ADSL and dial up modems is the optional telephone splitter This device keeps the telephone and ADSL signals separated giving them the capability to provide simultaneous Internet access and telephone service on the same lin
269. rties 3 Under the General tab select Internet Protocol TCP IP you may need to scroll down and click Properties 4 The Internet Protocol TCP IP Properties window opens If you have a dynamic IP address click Obtain an IP address automatically TCP IP Prestige 652 ADSL Security Router If you have a static IP address click Use the following IP Address and fill in the IP address Subnet mask and Default gateway fields To configure advanced static address settings for a local area connection click Advanced and do one or more of the following to configure additional IP addresses In the IP Settings tab in IP addresses click Add In TCP IP Address type an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways In TCP IP Gateway Address type the IP address of the default gateway in Gateway To manually configure a default metric the number of transmission hops clear the Automatic metric check box and type a metric in Metric Click Add Repeat the previous three steps for each default gateway you want to add Click OK when finished 5 In the Internet Protocol TCP IP Properties window s General tab Click Obtain DNS server address automatically if you do not know your DNS server IP address es If you know your DNS ser
270. rvice 2 You have disabled that service in menu 24 11 19 4 Firmware and Configuration File Maintenance Prestige 652 ADSL Security Router 3 The IP address in the Secured Client IP field menu 24 11 does not match the client IP address If 1t does not match the Prestige will disconnect the session immediately 4 There is an SMT console session running 5 There is already another remote management session of the same type web FTP or Telnet running You may only have one remote management session of the same type running at one time 6 There is a web remote management session running with a Telnet session A Telnet session will be disconnected if you begin a web session it will not begin if there is already a web session 19 2 6 Backup Configuration Using TFTP The Prestige supports the up downloading of the firmware and the configuration file using TFTP Trivial File Transfer Protocol over LAN Although TFTP should work over WAN as well it is not recommended To use TFTP your computer must have both telnet and TFTP clients To backup the configuration file follow the procedure shown next Step 1 Use telnet from your computer to connect to the Prestige and log in Because TFTP does not have any security checks the Prestige records the IP address of the telnet client and accepts TFTP requests only from this address Step 2 Put the SMT in command interpreter CI mode by entering 8 in Menu 24 System Maintenanc
271. rvice 22 1 Trace Records i oe ERR RR Rep 18 5 beni ER 9 7 Transfer Rate 18 3 Transmission Rate xxiv 1 1 Type of Service 22 1 22 3 22 4 22 5 U UDP ICMP Security cocooocoonocconnciononnnonononnnnnnono 9 10 UNIX Syslog AA 18 5 18 7 UNIX syslog parameterg seee 18 6 Upload Firmware sse 19 10 Upper Layer Protocols 9 10 9 11 V VC based Multiplexing 5 2 6 1 Virtual Private Network esses 1 1 NPT SON Chis ien nme 4 11 W WAN to LAN Rules eee 12 4 Webs tease tu geo tss 212 Web Configurator 9 2 9 11 10 2 11 1 12 2 DOglfo asd e aee e ee ee Rs 11 1 EAS tette 11 1 X SMODEM protocol 19 2 XMODEM upload esssssesss 2 8 Z LY NOS eine un RE 19 1 19 2 ZyNOS F W Version 19 1 ZyXEL Limited Warranty RU M V ZyXEL s Firewall A ecient erie 9 2 Index KK
272. s Boot Module Commands Prestige 652 ADSL Security Router Appendix D Power Adapter Specifications NORTH AMERICAN PLUG STANDARDS AC Power Adapter Model DV 1215A Input Power AC120Volts 60Hz 30W Output Power AC12Volts 1 25A Power Consumption 11W Safety Standards UL CUL CSA UL 1310 CSA C22 2 No 223 NORTH AMERICAN PLUG STANDARDS AC Power Adapter Model AA 121A25 Input Power AC120Volts 60Hz 19W Output Power AC12Volts 1 25A Power Consumption 11W Safety Standards UL CUL UL 1310 CSA C22 2 No 223 EUROPEAN PLUG STANDARDS AC Power Adapter Model AA 121A3BN Input Power AC230Volts 50Hz 140mA Output Power AC12Volts 1 3A Power Consumption 11W Safety Standards TUV CE EN 60950 Power Adapter Specifications Prestige 652 ADSL Security Router Appendix E TCP IP All computers must have a 10M or 100M Ethernet adapter card and TCP IP installed Windows 95 98 Me NT 2000 XP Macintosh OS 7 and later operating systems and all versions of UNIX LINUX include the software components you need to install and use TCP IP on your computer Windows 3 1 requires the purchase of a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the appropriate TCP IP components are installed configure the TCP IP settings in order to communica
273. s A DSL connection is a point to point dedicated circuit meaning that the link is always up and there is no dialing required What is ADSL It is an asymmetrical technology meaning that the downstream data rate is much higher than the upstream data rate As mentioned this works well for a typical Internet session in which more information is downloaded for example from Web servers than is uploaded ADSL operates in a frequency range that is above the frequency range of voice services so the two systems can operate over the same cable What is DSL XXV Getting Started Part I GETTING STARTED This part is structured as a step by step guide to help you connect install and set up your Prestige to operate on your network and to access the Internet Described are Key Features and Applications Hardware Installation Initial Setup and Internet Access i Prestige 652 ADSL Security Router Chapter 1 Getting To Know Your Prestige This chapter describes the key features and applications of your Prestige 1 1 Prestige 652 ADSL Security Router Y our Prestige integrates a high speed 10 100Mbps auto negotiating LAN interface and a high speed ADSL port into a single package The Prestige is ideal for high speed Internet browsing and making LAN to LAN connections to remote networks The Prestige provides not only ease of installation and high speed Internet access but also a complete security solutio
274. s Every machine on the Internet must have a unique address If your networks are isolated from the Internet for example only between your two branch offices you can assign any IP addresses to the hosts without problems However the Internet Assigned Numbers Authority IANA has reserved the following three blocks of IP addresses specifically for private networks 10 0 0 0 10 255 255 255 172 16 0 0 ILL LIO 259 192 168 0 0 192 168 255 255 You can obtain your IP address from the IANA from an ISP or it can be assigned from a private network If you belong to a small organization and your Internet access is through an ISP the ISP can provide you with the Internet addresses for your local networks On the other hand if you are part of a much larger organization you should consult your network administrator for the appropriate IP addresses Note Regardless of your particular situation do not create an arbitrary IP address always follow the guidelines above For more information on address assignment please refer to RFC 1597 Address Allocation for Private Internets and RFC 1466 Guidelines for Management of IP Address Space 4 3 3 RIP Setup RIP Routing Information Protocol allows a router to exchange routing information with other routers The RIP Direction field controls the sending and receiving of RIP packets When set to 1 Both the Prestige will broadcast its routing table periodically and incorporate the RIP infor
275. s Figure 1 1 Internet Access Appltcaton nennen eren emere enne nennen nennen nns 1 7 Eigure 1 2 Firewall Application site A e ti eo 1 8 Figure 1 3 LAN to LAN Appltceaton enne enne ener ener nennen nennen 1 8 Figure 1 4 VPN Application sess s t Rte rete ie e YR ees 1 9 Figure 2 1 Front Panel ence ERU UR E E UTR E e ER EE oe 2 1 Figure 2 2 Rear P nel AEE iieio o eU git 2 2 Figure 2 3 Connecting POTS Splitter icine eka eh ak te ea eb aee de 2 5 Figure 2 4 Connecting a Mictofilter u ente ende e ri 2 6 Figute 2 5 P652 with ISDN eneen thee ra hte e hie i hie ee di 2 6 Figure 2 6 Power On Display 5 csset rete fee e sede ree eee eee hie ede dne 2 7 Eiguie 2 7 Log SCIeell i ee tte o ct t ee 2 8 Figure 2 8 SM D Meri OVerVIeWiasno diis bct ande mau e de Eeer 2 10 Figure 2 9 SMT Matti MEU gu e deti iu 2 12 Figure 2 10 Menu 23 System Password ooooococnnocnonocanononnonanananccnonnecononnonarnnanacne nara no nete teen enne tn tnnt nn tnn nens 2 13 Figure 3 1 Menu 1 General Setup ANEREN 3 2 Figure 3 2 Contfigure Dynamic DNS ia AA ee 3 3 Figure 3 3 Menu 3 Ethemet Set p nne ce Teen iei AAE Portus 3 5 Figure 3 4 Menu 3 1 LAN Port Filter Semi 3 5 Figute 4 1 LAN amp WAN IPs eee teen inter haee e ee de Ue eerte 4 2 Figure 4 2 Physical Network rr e e eds 4 6 Figure 4 3 Partitioned Logical Networks A 4 6 Figure 4 4 Menu 3 2 TCP IP and DHCP Ethernet Setup 4 6 Figure 4 5 Menu 3 2 1
276. s an immediate neighbor of your Prestige that will forward the packet to the destination On the LAN the gateway must be a router on the same segment as your Prestige over WAN the gateway must be the IP address of one of the remote nodes Metric Metric represents the cost of transmission for routing purposes IP routing uses hop count as the measurement of cost with a minimum of 1 for directly connected networks Type a number that approximates the cost for this link The number need not be precise but it must be between 1 and 15 In practice 2 or 3 is usually a good number Private This parameter determines if the Prestige will include the route to this remote node in its RIP broadcasts If set to Yes this route is kept private and is not included in RIP broadcasts If No the route to this remote node will be propagated to other hosts through RIP broadcasts When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the previous screen 6 8 Remote Node TCP IP Configuration Prestige 652 ADSL Security Router Chapter 7 Bridging Setup This chapter shows you how to configure the bridging parameters of your Prestige 7 1 Bridging in General Bridging bases the forwarding decision on the MAC Media Access Control or hardware address while routing does it on the network lay
277. s configured to Range enter the beginning static IP address in a range of computers on the network behind the remote IPSec router When the Addr Type field is configured to SUBNET enter a static IP address on the network behind the remote IPSec router This field displays N A when you configure the Secure Gateway Addr field to 0 0 0 0 4 4 4 4 End When the Addr Type field is configured to Single this field is N A When the Addr Type field is configured to Range enter the end static IP address in a range of computers on the network behind the remote IPSec router When the Addr Type field is configured to SUBNET enter a subnet mask on the network behind the remote IPSec router This field displays N A when you configure the Secure Gateway Addr field to 0 0 0 0 255 255 0 0 Port Start 0 is the default and signifies any port Type a port number from 0 to 65535 Some of the most common IP ports are 21 FTP 53 DNS 23 Telnet 80 HTTP 25 SMTP 110 POPS VPN IPSec Setup 25 11 Prestige 652 ADSL Security Router Table 25 4 Menu 27 1 1 IPSec Setup to IKE this will take you to Menu 27 1 1 1 IKE Setup If you set the Key Management field to Manual this will take you to Menu 27 1 1 2 Manual Setup FIELD DESCRIPTION EXAMPLE End Enter a port number in this field to define a port range This port number must be greater than that specified in th
278. s one administrator to log in at any time Your Prestige also gives priority to the console port over telnet If you have already connected to your Prestige via telnet you will be logged out if another user logs in to the Prestige via the console port Remote Management 21 1 Prestige 652 ADSL Security Router 21 4 FTP You can upload and download the Prestige s firmware and configuration files using FTP please see the Firmware and Configuration File Maintenance chapter for details To use this feature your computer must have an FTP client 21 5 Web You can use the Prestige s embedded web configurator for configuration and file management See the Using the Prestige Web Configurator chapter for an introduction to the web configurator 21 6 Remote Management Remote management control is for managing Telnet Web and FTP services You can customize the service port access interface and the secured client IP address to enhance security and flexibility You may manage your Prestige from a remote location via gt Internet WAN only gt ALL LAN and WAN gt LAN only gt Neither Disable Choosing WAN only or ALL LAN 8 WAN automatically creates a hole in the firewall for the server type specified To disable remote management of a service select Disable in the corresponding Server Access field Enter 11 from menu 24 to bring up Menu 24 11 Remote Management Control 21 2 Remote Management Prestige
279. s starting from 192 168 1 33 to 192 168 1 64 for the client machines This leaves 31 IP addresses 192 168 1 2 to 192 168 1 32 excluding the Prestige itself which has a default IP of 192 168 1 1 for other server machines for example server for mail FTP telnet web etc that you may have DNS Server Address DNS Domain Name System is for mapping a domain name to its corresponding IP address and vice versa for example the IP address of www zyxel com 1s 204 217 0 2 The DNS server is extremely important because without it you must know the IP address of a machine before you can access it The DNS server addresses that you enter in the DHCP setup are passed to the client machines along with the assigned IP address and subnet mask There are two ways that an ISP disseminates the DNS server addresses The first is for an ISP to tell a customer the DNS server addresses usually in the form of an information sheet when s he signs up If your ISP does give you the DNS server addresses enter them in the DNS Server fields in DHCP Setup otherwise leave them blank Some ISP s choose to pass the DNS servers using the DNS server extensions of PPP IPCP IP Control Protocol after the connection is up If your ISP did not give you explicit DNS servers chances are the DNS servers are conveyed through IPCP negotiation The Prestige supports the IPCP DNS server extensions through the DNS proxy feature If the Primary and Secondary DNS Server fields
280. s the upper layer protocol for example TCP is 6 UDP is 17 0 to 255 and ICMP is 1 The value must be between 0 and 255 A value of O matches ANY protocol IP Source IP Source Route is an optional header that dictates the route an IP No Route packet takes from its source to its destination If Yes the rule default applies to any packet with an IP source route The majority of IP packets do not have source route Destination Type the destination IP address of the packet you want to filter This IP address IP Addr field is ignored if it is 0 0 0 0 IP Mask Type the IP mask to apply to the Destination IP Addr field IP mask Port Type the destination port of the packets you want to filter The field 0 to 65535 range is 0 to 65535 A 0 field is ignored Port Comp Select the comparison to apply to the destination port in the packet None against the value given in Destination Port Choices are None Less Greater Equal or Not Equal Source Type the source IP Address of the packet you want to filter A IP address IP Addr 0 0 0 0 field is ignored IP Mask Type the IP mask to apply to the Source IP Addr field IP mask Port Type the source port of the packets you want to filter The range of 0 to 65535 this field is 0 to 65535 A 0 field is ignored Port Comp Select the comparison to apply to the source port in the packet None against the value given in Source Port field Choices are None Less Greater Equal or Not Equal TCP E
281. services 13 1 Introduction Configure customized services and port numbers not predefined by the Prestige see Figure 12 4 Fora comprehensive list of port numbers and services visit the ANA Internet Assigned Number Authority website For further information on these services please read section 12 5 To configure a custom service click Edit Available Service in an edit rule screen to bring up the following screen ZyXEL TOTAL INTERNET ACCESS SOLUTION Firewall Customized Services Wizard Setup No Name Protocol Port Advanced Setup Password LAN NAT 1 Dynamic DNS Time Zone Content Filter Firewall VPN 0 Remote Management Maintenance Back Logout een Figure 13 1 Customized Services The next table describes the fields in this screen Customized Services 13 1 Prestige 652 ADSL Security Router Table 13 1 Customized Services FIELD DESCRIPTION Customized Services No This is the number of your customized port Click a rule s number to edit the rule Name This is the name of your customized port Protocol This shows the IP protocol TCP UDP or Both that defines your customized port Port This is the port number or range that defines your customized port Use the Help icon for field descriptions When you have finished viewing this scree
282. ss ENTER to confirm or ESC to cancel Figure 3 2 Configure Dynamic DNS General Setup 3 3 Prestige 652 ADSL Security Router Follow the instructions in the next table to configure Dynamic DNS parameters Table 3 2 Configure Dynamic DNS Menu Fields FIELD DESCRIPTION EXAMPLE Service Provider This is the name of your Dynamic DNS service provider WWW DynDNS ORG default Active Press SPACE BAR to select Yes and then press ENTER to Yes enable dynamic DNS Host Enter the domain name assigned to your Prestige by your me dyndns org Dynamic DNS provider EMAIL Enter your e mail address mail mailserver USER Enter your user name Password Enter the password assigned to you Enable Wildcard Your Prestige supports DYNDNS Wildcard Press SPACE BAR No and then ENTER to select Yes or No This field is N A when you choose DDNS client as your service provider When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel The IP address will be updated when you reconfigure menu 1 or perform DHCP client renewal If you have a private WAN IP address then you cannot use Dynamic DNS 3 4 LAN Setup This section describes how to configure the Ethernet using Menu 3 LAN Setup From the main menu enter 3 to display menu 3 3 4 General Setup Prestige 652 ADSL Security R
283. ss Mapping Set N A Press ENTER to Confirm or ESC to Cancel Figure 4 9 Internet Access Setup The following table contains instructions on how to configure your Prestige for Internet access Internet Access 4 15 Prestige 652 ADSL Security Router Table 4 5 Internet Access Setup Menu Fields FIELD DESCRIPTION EXAMPLE ISP s Name Enter the name of your Internet Service Provider This information is for identification purposes only ChangeMe Encapsulation Press SPACE BAR to select the method of encapsulation used by your ISP Choices are PPPoE PPPoA RFC 1483 or ENET ENCAP RFC 1483 Multiplexing Press SPACE BAR to select the method of multiplexing used by your ISP Choices are VC based or LLC based VC based VPI Enter the Virtual Path Identifier VPI that the telephone company gives you VCI Enter the Virtual Channel Identifier VCI that the telephone company gives you 35 ATM QoS Type Press SPACE BAR and select CBR Continuous Bit Rate to specify fixed always on bandwidth Select UBR Unspecified Bit Rate for applications that are non time sensitive such as e mail UBR Peak Cell Rate PCR This is the maximum rate at which the sender can send cells Type the PCR Sustain Cell Rate SCR 0 Sustained Cell Rate is the mean cell rate of a bursty on off traffic source that can be sent at the peak rate and a parameter for burst
284. stab This applies only when the IP Protocol field is 6 TCP If Yes the No rule matches packets that want to establish TCP connection s default SYN 1 and ACK 0 else it is ignored Filter Configuration 16 9 Prestige 652 ADSL Security Router FIELD DESCRIPTION EXAMPLE More If Yes a matching packet is passed to the next filter rule before an No action is taken or else the packet is disposed of according to the default action fields If More is Yes then Action Matched and Action Not Matched will be N A Log Select the logging option from the following None No packets will be logged None Action Matched Only packets that match the rule parameters will be logged Action Not Matched Only packets that do not match the rule parameters will be logged Both All packets will be logged Action Select the action for a matching packet Choices are Check Next Check Next Matched Rule Forward or Drop Rule default Action Not Select the action for a packet not matching the rule Choices are Check Next Matched Check Next Rule Forward or Drop Rule default When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the previous screen The following figure illustrates the logic flow of an IP filter 16 10 Filter Configuration Prestige 652 ADSL Security Router
285. static or dynamic to set up the VPN tunnel If the My IP Addr changes after setup then the VPN tunnel will have to be rebuilt 25 3 2 Secure Gateway Address Secure Gateway Addr is the WAN IP address or domain name of the remote IPSec router secure gateway If the remote secure gateway has a static public IP address enter it in the Secure Gateway Addr field You may alternatively enter the remote secure gateway s domain name in the Secure Gateway Addr field This also works when the remote secure gateway uses DDNS This way your Prestige can find the remote secure gateway even if it has a dynamic WAN IP address If the remote secure gateway has a dynamic WAN IP address and does not use DDNS enter 0 0 0 0 in the Secure Gateway Addr field In this case only the remote secure gateway can initiate SAs This may be useful for telecommuters initiating a VPN tunnel to the company network See the following table for an example configuration You can configure multiple SAs to simultaneously connect through the same secure gateway In this case you must configure the SAs to have the same Negotiation Mode and Pre Shared Key Menu 27 1 1 1 IKE Setup Table 25 2 Telecommuter and Headquarters Configuration Example TELECOMMUTER HEADQUARTERS My IP 0 0 0 0 dynamic IP address Public static IP address address assigned by the ISP Secure Public static IP address or 0 0 0 0 E domain name With this IP address only the Address d ur
286. stination IP 0 0 0 0 address This NR value 120102004 IP Static Route set 2 Destination IP must be 7 subnetmask een d 120102005 IP Static Route set 2 Gateway Es must be between 120102006 IP Static Route set 2 Metric 0 32 120102007 IP Static Route set 2 Private lt 0 No 1 Yes gt Example Internal SPTGEN Screens Prestige 652 ADSL Security Router MENU 12 1 3 IP STATIC ROUTE SETUP SMT MENU 12 1 3 FIN FN PVA INPUT 120103001 IP Static Route set 3 Name lt Str gt 120103002 IP Static Route set 3 Active lt 0 No 1 Yes gt 120103003 IP Static Route set 3 Destination IP 0 0 0 0 address 120103004 IP Static Route set 3 Destination IP 0 subnetmask 120103005 IP Static Route set 3 Gateway 0 0 0 0 120103006 IP Static Route set 3 Metric 120103007 IP Static Route set 3 Private lt 0 No 1 Yes gt I MENU 12 1 4 IP STATIC ROUTE SETUP SMT MENU 12 1 4 FIN FN PVA INPUT 120104001 IP Static Route set 4 Name lt Str gt 120104002 IP Static Route set 4 Active lt 0 No 1 Yes gt 120104003 IP Static Route set 4 Destination IP 0 0 0 0 address 120104004 IP Static Route set 4 Destination IP 0 subnetmask 120104005 IP Static Route set 4 Gateway 0 0 0 0 120104006 IP Static Route set 4 Metric 120104007 IP Static Route set 4 Private lt 0 No 1 Yes gt
287. sting half open sessions rises above a threshold max incomplete high the Prestige starts deleting half open sessions as required to accommodate new connection requests The Prestige continues to delete half open requests as necessary until the number of existing half open sessions drops below another threshold max incomplete low When the rate of new connection attempts rises above a threshold one minute high the Prestige starts deleting half open sessions as required to accommodate new connection requests The Prestige continues to delete half open sessions as necessary until the rate of new connection attempts drops below another threshold one minute low The rate is the number of new attempts detected in the last one minute sample period TCP Maximum Incomplete and Blocking Time An unusually high number of half open sessions with the same destination host address could indicate that a Denial of Service attack is being launched against the host Whenever the number of half open sessions with the same destination host address rises above a threshold TCP Maximum Incomplete the Prestige starts deleting half open sessions according to one of the following methods 1 Ifthe Blocking Time timeout is 0 the default then the Prestige deletes the oldest existing half open session for the host for every new connection request to the host This ensures that the number of half open sessions to a given host will never exceed the threshold
288. subnet mask of 255 255 255 0 24 bits 2 DHCP server enabled with 32 client IP addresses starting from 192 168 1 33 These parameters should work for the majority of installations Ifthe parameters are satisfactory you can skip to TCP IP Ethernet Setup and DHCP to enter the DNS server address es if your ISP gives you explicit DNS server address es Please read on if you wish to change the factory defaults or to learn more about TCP IP 4 2 LANs and WANs A LAN Local Area Network is a computer network limited to the immediate area usually the same building or floor of a building A WAN Wide Area Network on the other hand is an outside connection to another network or the Internet 4 2 1 LANs WANs and the Prestige The actual physical connection determines whether the Prestige ports are LAN or WAN ports There are two separate IP networks one inside the LAN network the other outside the WAN network as shown next Internet Access 4 1 Prestige 652 ADSL Security Router N P IS pc The interface to e LAN is Ethernet blog adii ird tu WAN Internet Prestige The interfaca to the Internet or a remote no A de is the ADSL port 7 Figure 4 1 LAN amp WAN IPs MX 4 3 TCP IP Parameters 4 3 1 IP Address and Subnet Mask Like houses on a street that share a common street name the computers on a LAN share one common network number Whe
289. table describes some of the fields that you may see in GUI based TFTP clients Table 19 3 General Commands for GUI based TFTP Clients COMMAND DESCRIPTION Host Enter the IP address of the Prestige 192 168 1 1 is the Prestige s default IP address when shipped Send Fetch Use Send to upload the file to the Prestige and Fetch to back up the file on your computer Local File Enter the path and name of the firmware file bin extension or configuration file rom extension on your computer Remote This is the filename on the Prestige The filename for the firmware is ras and File for the configuration file is rom 0 Binary Transfer the file in binary mode Abort Stop transfer of the file Refer to section 19 2 5 to read about configurations that disallow TFTP and FTP from the WAN 19 2 9 Backup Via Console Port Back up configuration via console port by following the HyperTerminal procedure shown next Procedures using other serial communications programs should be similar ee 99 Step 1 Display menu 24 5 and enter y at the following screen Ready to backup Configuration via Xmodem Do you want to continue y n Figure 19 3 System Maintenance Backup Configuration 19 6 Firmware and Configuration File Maintenance Prestige 652 ADSL Security Router Step 2 The following screen indicates that the Xmodem download has started You can enter ctr
290. te with your network If you manually assign IP information instead of using dynamic assignment make sure that your computers have IP addresses that place them in the same subnet as the Prestige s LAN port Setting up Your Windows 95 98 Me Computer Installing TCP IP Components 1 Click Start Settings Control Panel and double click the Network icon The Network window Configuration tab displays a list of installed components You need a network adapter the TCP IP protocol and Client for Microsoft Networks If you need the adapter a In the Network window click Add b Select Adapter and then click Add c Select the manufacturer and model of your network adapter and then click OK If you need TCP IP a In the Network window click Add b Select Protocol and then click Add c Select Microsoft from the list of manufacturers d Select TCP IP from the list of network protocols and then click OK If you need Client for Microsoft Networks a Click Add TCP IP G Prestige 652 ADSL Security Router b Select Client and then click Add c Select Microsoft from the list of manufacturers d Select Client for Microsoft Networks from the list of network clients and then click OK e Restart your computer so the changes you made take effect Configuring TCP IP 1 In the Network window Configuration tab select your network adapter s TCP IP entry and click Properties 2 Click the IP Address tab If your IP address is d
291. te that Block means the firewall silently orwar discards the packet Log This field determines if a log is created for packets Match that match the rule don t match the rule both or no Not Match log is created SES Both None Alert Check the Alert check box to determine that this descriptions Click Back to return to the previous screen Click Apply to save your customized settings and exit this screen Click Cancel to exit this screen without saving Use the Help icon to view field 12 5 2 Source and Destination Addresses To add a new source or destination address click SrcAdd or DestAdd from the previous screen To edit an existing source or destination address select it from the box and click SrcEdit or DestEdit from the previous screen Either action displays the following screen Creating Custom Rules 12 11 Prestige 652 ADSL Security Router ZyXEL TOTAL INTERNET ACCESS SOLUTION Firewall LAN to WAN Rule IP Config Wizard Setup Address Type Subnet Address y lacio A Start IP Address 0 0 0 0 P d SENE End IP Address 0 0 0 0 LAN mE Subnet Mask 0 0 0 0 Dynamic DNS Time Zone Content Filter Apply Reset Firewall E VPN Remote Management Maintenance Logout E Figure 12 5 Adding Editing Source and Destination Addresses Table 12 4 Adding Editing Source and Destination Addresses FIELD DESCRIPTION OPTIONS Address Type Do you want your rule t
292. teens ennn trennen 9 3 Fieure 9 2 Three Way Handshlake 55 20 RECEN ner he req dh Nee Ee 9 5 Figure 9 3 CR EE 9 5 Figure 9 4 Smurf Attack oec ede en hero ee e eri e eene be eda 9 6 Figure 9 5 Stateful Inspection iier eiie eed aii 9 8 Figure 10 1 Menu 21 Filter and Firewall Sep 10 1 Figure 10 2 Menu 21 2 Firewall Setup siete Rte or e ie e p eren 10 2 Figure 10 3 Example Firewall Log inire teet ade 10 2 Figure 11 1 Enabling the Firewall essei teer EEE dete heus 11 2 Figure 11 2 E mall Scroll o ets 11 3 Figure 113 EM E e oR Ri e e I e o 11 6 Figure 11 24 Attack Al ft iusso nee ER deren diel a ee Rea dent 11 8 Figure 12 I LAN to WAN Traffic eicere i 12 3 Figure 12 2 WAN to LAN Traffic eee eec eee Hee e e e Teide eee 12 4 List of Figures xiv Prestige 652 ADSL Security Router Figure 12 3 Firewall Rules Summary First Screen cooonccnccnonoccnononncnncnncononononcnn conan conc cono nn none nn non nonncnnannons 12 5 Figure 12 4 Creating Editing A Firewall Rule 12 10 Figure 12 5 Adding Editing Source and Destination Addresses sene 12 12 Figure 12 6 Timeout rc A eer rae 12 13 Figure 1321 Customized Services zi eno aerem Ee PO HE E e ped eer pt tones n a 13 1 Figure 13 2 Creating Editing A Customized Service 13 3 Figure 13 3 Configure Source TP onec ce e eene ee eine eed tide curs 13 5 Figure 13 4 Customized Service for Svslog ener 13 6 Figure 13 5 Syslog Rule Config
293. ter the last port to be forwarded in the End Port No field Step 5 Enter the inside IP address of the server in the IP Address field In the following figure you have a computer acting as an FTP Telnet and SMTP server ports 21 23 and 25 at 192 168 1 33 Step 6 Press ENTER at the Press ENTER to confirm prompt to save your configuration after you define all the servers or press ESC at any time to cancel NAT 8 15 Prestige 652 ADSL Security Router The NAT network appears as a single host on the Internet 192 168 1 1 FTP TELNET SMTP server IP Address 192 168 1 33 Prestige Computer IP Address A 192 168 1 34 Computer IP Address 192 168 1 35 Priavte network IP addresses assigned by user Computer IP Address IP ADDRESS ASSIGNED 192 168 1 36 BY ISP Figure 8 12 Multiple Servers Behind NAT Example 8 16 NAT Prestige 652 ADSL Security Router 8 5 General NAT Examples 8 5 1 Example 1 Internet Access Only In the following Internet access example you only need one rule where your ILAs Inside Local addresses all map to one dynamic IGA Inside Global Address assigned by your ISP Inside Local One Dynamic PC3 El o Addresses ILA Inside Global Addresses IGA Assigned by ISP Figure 8 13 NAT Example 1 Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation RFC 1483 Multiplexing LLC based VPI 1 VCI 1 ATM QoS Type
294. ter traffic Filter Configuration 16 17 Prestige 652 ADSL Security Router Table 16 5 Filter Sets Table FILTER SETS DESCRIPTION Input Filter Sets Apply filters for incoming traffic You may apply protocol or device filter rules See earlier in this chapter for information on filters Output Filter Sets Apply filters for traffic leaving the Prestige You may apply filter rules for protocol or device filters See earlier in this section for information on types of filters Call Filter Sets Apply filters to decide if a packet should be allowed to trigger a call 16 6 1 Ethernet Traffic You seldom need to filter Ethernet traffic however the filter sets may be useful to block certain packets reduce traffic and prevent security breaches Go to menu 3 1 shown next and type the number s of the filter set s that you want to apply as appropriate You can choose up to four filter sets from twelve by typing their numbers separated by commas for example 3 4 6 11 The factory default filter set NetBIOS_LAN is inserted in the protocol filters field under Input Filter Sets in menu 3 1 in order to prevent local NetBIOS messages from triggering calls to the DNS server Menu 3 1 LAN Port Filter Setup Apply filter 2 to Input Filter Sets EM eege block NETBIOS protocol filters 2 traffic from the device filters LAN Output Filter Sets protocol filters device filters Press E
295. text using a key The key and clear text are processed by the encryption operation which leads to the data scrambling that makes encryption secure Decryption is the opposite of encryption it is a mathematical operation that transforms ciphertext to plaintext Decryption also requires a key Introduction to IPSec 24 1 Prestige 652 ADSL Security Router Plaintext Encryption Ciphertex Key Ciphertext Decryption Plintext Key Figure 24 1 Encryption and Decryption gt Data Confidentiality The IPSec sender can encrypt packets before transmitting them across a network gt Data Integrity The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission gt Data Origin Authentication The IPSec receiver can verify the source of IPSec packets This service depends on the data integrity service 24 1 5 VPN Applications The Prestige supports two active Security Associations SAs at a time Linking Two or More Private Networks Together Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased lines between sites gt Accessing Network Resources When NAT Is Enabled When NAT is enabled remote users are not able to access hosts on the LAN unless the host is designated a public LAN server for that specific protocol Since the VPN tunnel terminates inside the LAN remote
296. the factory default configuration file Uploading this configuration file replaces the current configuration file with the factory default configuration file This means that you will lose all configurations that you had previously and the speed of the console port will be reset to the default of 9600bps with 8 data bit no parity one stop bit and flow control set to none The password will be reset to 1234 and the LAN IP address to 192 168 1 1also To obtain the default configuration file download it from the ZyXEL FTP site unzip it and save it in a folder Turn the Prestige off and then on to begin a session When you turn on the Prestige again you will see the initial screen When you see the message Press any key to enter Debug Mode within 3 seconds press any key to enter debug mode To upload the configuration file do the following 1 Typeatlcafterthe Enter Debug Mode message 2 Wait forthe Starting XMODEM upload message before activating XMODEM upload on your terminal 3 After a successful firmware upload type atgo to restart the Prestige The Prestige is now reinitialized with a default configuration file including the default password of 1234 2 8 1 Methods of Restoring Factory Defaults You can erase the current configuration and restore factory defaults in three ways a Upload the default configuration file via the console port as described above See later in this User s Guide for more information
297. tige s WAN IP address when configuring from the WAN gt Use the Prestige s LAN IP address when configuring from the LAN Refer to the Problems with the LAN Interface section for instructions on checking your LAN connection Refer to the Problems with the WAN Interface section for instructions on checking your WAN connection 29 4 Troubleshooting Prestige 652 ADSL Security Router Appendix A PPPoE PPPOE in Action An ADSL modem bridges a PPP session over Ethernet PPP over Ethernet RFC 2516 from your PC to an ATM PVC Permanent Virtual Circuit which connects to a xDSL Access Concentrator where the PPP session terminates see the next figure One PVC can support any number of PPP sessions from your LAN PPPoE provides access control and billing functionality in a manner similar to dial up services using PPP Benefits of PPPoE PPPoE offers the following benefits 1 It provides you with a familiar dial up networking DUN user interface 2 It lessens the burden on the carriers of provisioning virtual circuits all the way to the ISP on multiple switches for thousands of users For GSTN PSTN and ISDN the switching fabric is already in place 3 It allows the ISP to use the existing dial up model to authenticate and optionally to provide differentiated services Traditional Dial up Scenario The following diagram depicts a typical hardware configuration where the PCs use traditional dial up networ
298. tion 5 8 Remote Node Configuration Prestige 652 ADSL Security Router Chapter 6 Remote Node TCP IP Configuration This chapter shows a sample LAN to LAN application and how to configure TCP IP remote node 6 1 TCP IP Configuration The following sections describe how to configure the TCP IP parameters of a remote node 6 1 1 Editing TCP IP Options Follow the steps shown next to edit Menu 11 6 Remote Node ATM Layer Options In menu 11 1 move the cursor to the Edit ATM Options field and then press SPACE BAR to select Yes Press ENTER to display Menu 11 6 Remote Node ATM Layer Options There are two versions of menu 11 6 for the Prestige depending on which encapsulation type you use and whether you chose VC based or LLC based multiplexing in menu 11 1 VC based Multiplexing For RFC 1483 or ENET ENCAP encapsulation with VC based multiplexing by prior agreement a protocol is assigned a specific virtual circuit for example VC1 will carry IP Separate VPI and VCI numbers must be specified for each protocol Menu 11 6 Remote Node ATM Layer Options VPI VCI VC Multiplexing VC i or IP VC for Bridge Ger 4 8 Oe sy Separate VPI and VCI 35 VCI 35 VCI numbers G UBR ype 0 must be specified Peak Cell Rate PCR 0 Peak Cell Rate PCR 0 Sustain Cell Rate SCR 0 Sustain Cell Rate SCR 0 for each protocol Maximum Burst Size MBS 0 Maximum Burst Size MBR 0 Press ENTER to Con
299. tomatically after one minute if there is no traffic 1 Use the Refresh function to display active VPN connections 2 Use the Disconnect function to cut off active connections Type 2 in Menu 27 VPN IPSec Setup and then press ENTER to go to Menu 27 2 SA Monitor Menu 27 2 SA Monitor Encap IPSec ALgorithm Taiwan 3 3 3 1 3 3 3 3 100 Tunnel ESP DES MD5 1 2 3 4 5 6 d 8 9 1 Select Command Refresh Select Connection N A Press ENTER to Confirm or ESC to Cancel Figure 26 1 Menu 27 2 SA Monitor Table 26 1 Menu 27 2 SA Monitor FIELD DESCRIPTION EXAMPLE This is the security association index number 1 Name This field displays the identification name for this VPN policy This name is Taiwan unique for each connection where the secure gateway IP address is a SA Monitor 26 1 Prestige 652 ADSL Security Router Table 26 1 Menu 27 2 SA Monitor FIELD DESCRIPTION EXAMPLE public static IP address When the secure gateway IP address is 0 0 0 0 as discussed in the last chapter there may be different connections using this same VPN rule In this case the name is followed by the remote IP address as configured in Menu 27 1 1 IPSec Setup Individual connections using the same VPN rule may be terminated without affecting other connections using the same rule Encap This field displays Tunnel mode or Transport mode See previous for Tunnel discussio
300. tual Path A bundle of virtual channels e Virtual Circuit A series of virtual paths between circuit end points virtual circuit Diagram 3 Virtual Circuit Topology Think of a virtual path as a cable that contains a bundle of wires The cable connects two points and wires within the cable provide individual circuits between the two points In an ATM cell header a VPI Virtual Path Identifier identifies a link formed by a virtual path a VCI Virtual Channel Identifier identifies a channel within a virtual path The VPI and VCI identify a virtual path that is termination points between ATM switches A series of virtual paths make up a virtual circuit Y our service provider should supply you with VPI VCI numbers Virtual Circuit Topology C Prestige 652 ADSL Security Router Appendix C Boot Module Commands When you reboot your Prestige you will be given a choice to go into debug mode by pressing a key at the prompt shown in the following screen In debug mode you have access to a series of boot module commands for example ATUR for uploading firmware and ATLC for uploading the configuration file already discussed in a previous section Bootbase Version V1 02 10 11 2001 13 36 19 RAM Size 8192 Kbytes DRAM POST Testing 8192K OR FLASH Intel 16M 1 ZyNOS Version V3 40 ES 0 b8 12 4 2001 12 54 08 Press any key to enter debug mode within 3 seconds Diagram 4 Option to Enter Debug Mode Type
301. tup and DCH 4 8 4 05 VPLDarnd VCI s A d te teres qe ple er eges 4 11 AMO Mu ltiplexing eerte erect tee dederis s nire GRE 4 11 SN DS EE EE 4 11 4 12 NI A 4 12 4 13 Internet Access Confgeuraton nooo eere en rennen enne 4 13 Advanced Applications A rate t o tse E C LO PR RUN Ed deL II Table of Contents vii Prestige 652 ADSL Security Router Chapter 5 Remote Node Configuration ooomooooooncoonnnoonncnonacoonncnonaconnncoon seios isopor sses sooo sesso ases teens sena 5 1 Sch Remote Node Setup s suits em ete leede e ebe dla delta dis 5 1 52 Remote Node Setups titles 5 6 5 35 Remote Node A EE 5 8 Chapter 6 Remote Node TCP IP Configuration eee ee eene eese e eene eren eee n netta netus ets seen sse ns stans tnu 6 1 ls TOPP Configuration d e ace epe t eO EE UI e EROS 6 1 Chapter 7 Bridging Setup iier ORTA 7 1 LTL qB udgmg n Generale eee eee dea a ear Se RS 7 1 72 Bridge Etherhet Setup it ld ates hate 7 1 Chapter 8 Network Address Translation NAT scssscssssscsssssssescssscssssecssesescescsecesscessccesesssscseeessseeees 8 1 Bil O sees egal deele ee 8 1 82 Using NAT one A A A A o t ES 8 6 83 NATLSetJup Rue reme ee dei nene 8 8 8 4 NAT Server Sets Port Forwarding esee ener 8 16 8 amp 5 General NAT Examples atado deter d 8 20 FIREWALL AND CONTENT FILTERS use ENEE ENEE ENEE ENEE ENEE ENEE III Chapter 9 e 9 1 91 What Isa Firewall oii erem e ER die
302. u 24 10 System Maintenance Time and Date Setting 20 4 Figure 21 1 Telnet Configuration on a TCP IP Network sess 21 1 Figure 21 2 Menu 24 11 Remote Management Control HES Figure 22 1 IP Routing Policy Setup eese cnn n cnn n nn nn corn corr en rennen ener enne 22 2 Figure 22 2 Menu 25 1 Sample IP Routing Policy Setup 22 3 Figure 22 3 IP Routing Policy iii SEENEN NENNEN edes 22 4 Figure 22 4 Menu 3 2 TCP IP and DHCP Ethernet Setup 22 6 Figure 22 5 Menu 11 3 Remote Node Network Layer Options 0ooooooocnocnooncoonconnconconnconncnnnonnnonnonnnonnnonnos 22 6 Figure 22 6 Example of IP Policy Routing cooonoccocnnonononocononononononnnonnnnonono nono crono nn corno emere enne enne nns 22 7 Figute 22 7 IP Routing Policy Example ec E Date AE E ee 22 8 Figure 22 8 IP Routing Policy esee uenti aia 22 9 Figure 22 9 Applying IP Policies iei e dE UR re edt eoe eb pet re E ARS 22 9 Figure23 1 Menu 26 Schedule Setup sepan Pepe nd MR kee bete d 23 1 Figure 23 2 Schedule Set Setup iiu ue aesti eco e EE deteriore 23 2 Figure 23 3 Applying Schedule Set s to a Remote Node PPPOoE eee 23 4 Figure 24 1 Encryption and DecryptiOM sse enne eren ener enne nnn nennen 24 2 xvii List of Figures Prestige 652 ADSL Security Router Figure 24 2 VPN A pplication a da utens 24 3 Figure 24 3 IPSec Architecture ibn 24 4 Figure 24 4 Transport and Tunnel Mode IPSec Encapsulation
303. up as shown next Menu 3 2 1 IP Alias Setup IP Alias 1 No P Address N A P Subnet Mask N A RIP Direction N A Version N A ncoming protocol filters N A Outgoing protocol filters N A Alias 2 No P Address N A P Subnet Mask N A RIP Direction N A Version N A ncoming protocol filters N A Outgoing protocol filters N A IP Enter here to CONFIRM or ESC to CANCEL Press Space Bar to Toggle Figure 4 5 Menu 3 2 1 IP Alias Setup Follow the instructions in the following table to configure IP Alias parameters Table 4 1 IP Alias Setup Menu Fields Protocol Filters between this node and the Prestige FIELD DESCRIPTION EXAMPLE IP Alias 1 or 2 Choose Yes to configure the LAN network for the Prestige Yes IP Address Enter the IP address of your Prestige in dotted decimal notation 192 168 2 1 IP Subnet Mask Your Prestige will automatically calculate the subnet mask based on 255 255 255 0 the IP address that you assign Unless you are implementing subnetting use the subnet mask computed by the Prestige RIP Direction Press SPACE BAR to select the RIP direction Choices are None None Both In Only or Out Only Version Press SPACE BAR to select the RIP version Choices are RIP 1 RIP 1 RIP 2B or RIP 2M Incoming Enter the filter set s you wish to apply to the incoming traffic Outgoing Protocol Filters Enter the filter set s you wish to apply to the outgoi
304. ur computer config rom to the Prestige and renames it rom 0 Likewise get rom 0 config rom transfers the configuration file on the Prestige to your computer and renames it config rom See earlier in this chapter for more information on filename conventions Step 7 Enter quit to exit the ftp prompt 19 4 4 FTP Session Example of Firmware File Upload 331 Enter PASS command Password 230 Logged in ftp bin 200 Type I OK ftp put firmware bin ras 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp 1103936 bytes sent in 1 10Seconds 297 89Kbytes sec ftp quit Figure 19 15 FTP Session Example of Firmware File Upload More commands found in GUI based FTP clients are listed earlier in this chapter Refer to section 19 2 5 to read about configurations that disallow TFTP and FTP over WAN 19 4 5 TFTP File Upload The Prestige also supports the uploading of firmware files using TFTP Trivial File Transfer Protocol over LAN Although TFTP should work over WAN as well it is not recommended 19 12 Firmware and Configuration File Maintenance Prestige 652 ADSL Security Router To use TFTP your computer must have both telnet and TFTP clients To transfer the firmware and the configuration file follow the procedure shown next Step 1 Use telnet from your computer to connect to the Prestige and log in Because TFTP does not have any security checks the Prestige r
305. uration sese enne nennen ener enne nre trennen 13 7 Figure 13 6 Example Rule Summat ainnean aaar e tn ea terne nhan trennen nenne trenes 13 8 Figure T4 I E og Scteeti 5 dte etu taeda mr vate nested m atta etin e ates 14 1 Figure 16 1 Outgoing Packet Filtering Process oononccnnnncnoccnonononononncnnonnconononononnnonon nennen nennen nennen 16 2 Figure 16 2 Filter Rule Process oen eR eo ORE HR TELE OR RP HEP ER ERROR Ee dea 16 3 Figure 16 4 Menu 21 Filter and Firewall Setup 16 4 Figure 16 5 Menu 21 1 Filter Set Configuration essere 16 5 Figure 16 6 NetBIOS_WAN Filter Rules Summary eese eene nennen 16 6 Figure 16 7 NetBIOS LAN Filter Rules Summary eese eene enne ennt 16 6 Figure 16 8 PPPoE Filter Rules Summary eese nennen enne nn non enne tnen rennen enne 16 7 Figure 16 9 TEL FTP WEB SNM Filter Rules Summary eese eere 16 7 Figure 16 10 Menu 21 1 7 1 TCP IP Filter Rule 16 10 Figure 16 11 Executing an IP Filter sebas 16 13 Figure 16 12 Menu 21 1 5 1 Generic Filter Rule 16 14 Figure 16 13 Protocol and Device Filter Setz 16 16 Figure 16 14 Sample Telnet Elter 16 17 Figure 16 15 Sample Filter Menu 21 1 9 1 1 nennen nono nono enne nrenne teens 16 18 Figure 16 16 Sample Filter Rules Summary Menu 21 1 9 sess 16 19 Figure 16 17 Filtering Ethernet Traffic 16 20 XV List of Figures Prestige 652 ADSL Security Router Figure 16 18 Filtering R
306. ure Dynamic DNS General Ethernet Setup Menu 321 Menu 32 IP Alias Setup TCP IP and DHCP Bhemet Setup Menu 11 6 Remote Node AT M Layer Options Menu 26 Schedule Setup Menu 26 1 Schedule Set Setup Menu 2411 Menu 243 1 Remote Management Budget Management Menu 24 10 Menu 249 Time and Date Gall Control Setting Menu 24 7 2 Menu 24 71 System Maintenance System Maintenance Upload System Firmware Upload System Configuration File Menu 11 1 Menu 12 1 Menu 121 1 Menu 15 1 Remote Node Profile IP Static Route Setup Edit IP Static Route Address Mapping Sets Menu 113 Remote Node Network Layer Options Menu 115 Remote Node Filter Menu 25 IP Routing Policy Setup Menu 25 1 IP Routing Policy Setup Menu 251 1 IP Routing Policy Menu 24 8 Command Interpreter Mode Menu 247 System Maintenance Upload Firmware Menu 24 6 System Maintenance Restore Configurati Menu 12 3 Bridge Static Route Setup Menu 24 Menu 23 Menu 22 System Maintenance System Password SNMP Configuration Menu 241 System Maintenance Status Menu 242 System Information and Console Port Speed Menu 243 System Maintenance Log and Trace Menu 24 4 System Maintenance Diagnostic Menu 245 System Maintenance Backup Configuration Figure 2 8 SMT Menu Overview 2 9 Navigating the SMT Interface The SMT System Management Terminal is the interface that you use to configure your Prestige System Mainten
307. users will be able to access all computers that use private IP addresses on the LAN gt Unsupported IP Applications A VPN tunnel may be created to add support for unsupported emerging IP applications 24 2 Introduction to IPSec Prestige 652 ADSL Security Router VPN client VPN client for for secure L remote access remote management Private r al R LAN Prestige mmmmmmmm VPN Remote IPSec Router Remote Private Network ES Figure 24 2 VPN Application 24 2 IPSec Architecture The overall IPSec architecture is shown as follows Introduction to IPSec 24 3 Prestige 652 ADSL Security Router IPSec Algorithms N Pd S Ba SH ESP Protocol AH Protocol RFC 2406 RFC 2402 Pe ed PS Ges Encryption Authentication RFC 2403 3DES mid Algorithm peace s IPSec IKE M gt Key RSR Management Manual gt Figure 24 3 IPSec Architecture 24 2 1 IPSec Algorithms The ESP Encapsulating Security Payload Protocol RFC 2406 and AH Authentication Header protocol RFC 2402 describe the packet formats and the default standards for packet structure including implementation algorithms The Encryption Algorithm describes the use of encryption techniques such as DES Data Encryption Standard and Triple DES algorithms The Authentication Algorithms HMAC MD5
308. uter or straight through when connecting to a hub Check for faulty Ethernet cables Make sure your computer NIC Network Interface Card is working properly Troubleshooting 29 1 Prestige 652 ADSL Security Router 29 3 Problems with the DSL LED Table 29 2 Troubleshooting the DSL LED PROBLEM CORRECTIVE ACTION The xDSL LED is off Check the telephone wire and connections between the Prestige DSL port and the wall jack Make sure that the telephone company has checked your phoneline and set it up for DSL service Reset your xDSL line in SMT menu 24 4 to reinitialize your link to the DSLAM 29 4 Problems with the LAN Interface Table 29 3 Troubleshooting the LAN Interface PROBLEM CORRECTIVE ACTION cannot access the Prestige from the LAN If the 10M 100M LEDs on the front panel are both off refer to the Problems with the LAN LED section Make sure that the IP address and the subnet mask of the Prestige and your computer s are on the same subnet cannot ping any computer on the LAN If the 10M 100M LEDs on the front panel are both off refer to the Problems with the LAN LED section Make sure that the IP address and the subnet mask of the Prestige and the computers are on the same subnet 29 5 Problems with the WAN Interface Table 29 4 Troubleshooting the WAN Interface PROBLEM CORRECTIVE ACTION I cannot get a W
309. vate the firewall ZyXEL TOTAL INTERNET ACCESS SOLUTION Firewall Configuration Config E T Firewall Enabled Advanced Setup The firewall protects against Denial of Service DOS attacks when itis active The default Policy sets Password 1 allow all sessions originating from theLocal Network to the Internet and TAN 2 deny all sessions originating from the Internet to the Local Network NAT You may define addtional Policy rules or modify existing ones but please exercise extreme caution in Dynamic DNS doing so wn 1 Local Network to Internet Set Ne 2 Internet to Local Network Set Content Filter Firewall CAUTION If Firewall Enabled is not checked all the existing firewall security policies and firewall EU UE functions will be disabled osa s Remote Management Bock App _Reset Maintenance Logout Figure 11 1 Enabling the Firewall 11 3 E mail The E mail screen allows you to specify your mail server where e mail alerts should be sent as well as when and how often they should be sent 11 3 1 Alerts Alerts are reports on events such as attacks that you may want to know about right away You can choose to generate an alert when an attack is detected in the Attack Alert screen Figure 11 4 check the Generate alert when attack detected checkbox or when a rule is matched in the Rule Config screen see Figure 12 4 When an event generates an alert a message is immediately sent to an e m
310. ve Back Apply Reset This rule allows a syslog connection from the WAN Click Apply to save your settings back to the Prestige Figure 13 6 Example Rule Summary 13 8 Customized Services Prestige 652 ADSL Security Router Chapter 14 Logs This chapter contains information about using the log screen to view the results of the rules you have configured 14 1 Log Screen When you configure a new rule you also have the option to log events that match don t match or both this rule see Figure 12 4 Click Logs to bring up the next screen Firewall logs may also be viewed in SMT Menu 21 3 see section 10 3 or via syslog SMT Menu 24 3 2 System Maintenance UNIX Syslog Syslog is an industry standard protocol used for capturing log information for devices on a network 128 entries are available numbered from 0 to 127 Once they are all used the log wraps around and the old logs are lost ZyXEL TOTAL INTERNET ACCESS SOLUTION Firewall Log Wizard Setup Page 0 0 Advanced Setup Password LAN NAT Dynamic DNS Time Zone Content Filter Firewall VPN Remote Management q Maintenance Logout Back Previous Page Refresh Clear Next Page Figure 14 1 Log Screen Logs 14 1 Prestige 652 ADSL Security Router Table 14 1 Log Screen FIELD DESCRIPTION EXAMPLES No This is the index number of the firewall log 128 entries are available nu
311. ver IP address es click Use the following DNS server addresses type them in the Preferred DNS server and Alternate DNS server fields If you have previously configured DNS servers click Advanced and then the DNS tab to order them 6 Click OK to close the Internet Protocol TCP IP Properties window 7 Click OK to close the Local Area Connection Properties window 8 Turnon your Prestige and restart your computer if prompted Verifying TCP IP Properties 1 Click Start All Programs Accessories and then Command Prompt 2 Inthe Command Prompt window type ipconfig and then press ENTER You can also open Network Connections right click a network connection click Status and then click the Support tab Setting up Your Macintosh Computer Configuring TCP IP Properties Click the Apple menu Control Panel and double click TCP IP to open the TCP IP Control Panel 2 Select Ethernet from the Connect via list J TCP IP Prestige 652 ADSL Security Router 5 6 7 For dynamically assigned settings select Using DHCP Server from the Configure list For statically assigned settings do the following From the Configure box select Manually Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your Prestige in the Router address box Close the TCP IP Control Panel Click Save if prompted to save changes to your configuration Turn on your Prestige and r
312. very hour then the Allocated Budget is 10 minutes and the Period hr is 1 hour 0 default 5 4 Remote Node Configuration Prestige 652 ADSL Security Router FIELD DESCRIPTION EXAMPLE Schedule Sets You can apply up to four schedule sets here For more details please refer to the Call Schedule Setup chapter Nailed up This field specifies if you want to make the connection to this Connection remote node a nailed up connection More details are given earlier in this section Session Options Use SPACE BAR to choose Yes and press ENTER to open No Edit Filter Set menu 11 5 to edit the filter sets See the Remote Node Filter default REMOS section for more details Idle Timeout sec Type the number of seconds 0 9999 that can elapse when the 0 Prestige is idle there is no traffic going to the remote node before default the Prestige automatically disconnects the remote node 0 means that the session will not timeout When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the previous screen 5 1 3 Outgoing Authentication Protocol For obvious reasons you should employ the strongest authentication protocol possible However some vendors implementation includes specific authentication protocol in the user profile It will disconnect if the
313. ves but should contact the appropriate electrical inspection authority or electrician as appropriate Note This digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus set out in the radio interference regulations of Industry Canada iv Information for Canadian Users Prestige 652 ADSL Security Router ZyXEL Limited Warranty ZyXEL warrants to the original end user purchaser that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase During the warranty period and upon proof of purchase should the product have indications of failure due to faulty workmanship and or materials ZyXEL will at its discretion repair or replace the defective products or components without charge for either parts or labor and to whatever extent it shall deem necessary to restore the product or components to proper operating condition Any replacement will consist of a new or re manufactured functionally equivalent product of equal value and will be solely at the discretion of ZyXEL This warranty shall not apply if the product is modified misused tampered with damaged by an act of God or subjected to abnormal working conditions Note Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of
314. wed input gt where lt input gt is your input conforming to lt parameter values allowed gt The figure shown next is an example of an Internal SPTGEN text file Internal SPTGEN 28 1 Prestige 652 ADSL Security Router This is the name of the menu 10000000 10000001 10000002 10000003 10000004 10000005 10000006 This is the Field Identification Number This is the Field Name column This is the name of the field as seen in the corresponding SMT screen Example Configured Configured System Name Location Contact Person s Name Route IP Route IPX Bridge This is the Parameter Values Allowed column column This column numerically identifies the Field Name column entries Example 10000000 This column defines acceptable parameters Parameters are usually numbers but can sometimes be strings lt Str gt indicates a string All parameters should be entered in the Input column Example lt 0 No 1 Yes gt One sign followed by one space must precede everything you input 1 Prestige The Input column Input values to the right of the sign Make sure one equal sign followed by one space precedes your input Figure 28 1 Configuration Text File Format Column Descriptions DO NOT alter or delete any field except parameters in the Input column For more text file examples refer to the Example Internal SPTGEN Screens Appendix
315. xchange A phase exchange establishes an IKE SA and the second one uses that SA to negotiate SAs for IPSec 25 12 VPN IPSec Setup Prestige 652 ADSL Security Router C Phase 2 IKE SA Figure 25 8 Two Phases to set up the IPSec SA In phase 1 you must VVVVVV Choose a negotiation mode Authenticate the connection by entering a pre shared key Choose an encryption algorithm Choose an authentication algorithm Choose a Diffie Hellman public key cryptography key group DH1 or DH2 Set the IKE SA lifetime This field allows you to determine how long IKE SA negotiation should proceed before it times out A value of 0 means IKE SA negotiation never times out If IKE SA negotiation times out then both IKE SA and IPSec SA must be renegotiated In phase 2 you must VV VVVWV Choose which protocol to use ESP or AH for the IKE key exchange Choose an encryption algorithm Choose an authentication algorithm Choose whether to enable Perfect Forward Secrecy PFS using Diffie Hellman public key cryptography see section 25 5 5 Select None the default to disable PFS Choose Tunnel mode or Transport mode Set the IPSec SA lifetime This field allows you to determine how long IPSec SA setup should proceed before it times out A value of 0 means IPSec SA never times out If IPSec SA negotiation times out then the IPSec SA must be renegotiated but not the IKE SA 25 5 2 Negotiation Mode The phase 1 Negoti
316. y log you out if you do nothing in this timeout period except when it is continuously updating the status in menu 24 1 or when sys stdio has been changed on the command line 21 4 Remote Management Prestige 652 ADSL Security Router Chapter 22 IP Policy Routing This chapter covers setting and applying policies used for IP routing 22 1 Introduction Traditionally routing is based on the destination address only and the Prestige takes the shortest path to forward a packet IP Routing Policy IPPR provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator Policy based routing is applied to incoming packets on a per interface basis prior to the normal routing 22 2 Benefits e Source Based Routing Network administrators can use policy based routing to direct traffic from different users through different connections e Quality of Service QoS Organizations can differentiate traffic by setting the precedence or TOS Type of Service values in the IP header at the periphery of the network to enable the backbone to prioritize traffic e Cost Savings IPPR allows organizations to distribute interactive traffic on high bandwidth high cost paths while using low cost paths for batch traffic e Load Sharing Network administrators can use IPPR to distribute traffic among multiple paths 22 3 Routing Policy Individual rout
317. ynamic select Obtain an IP address automatically If you have a static IP address select Specify an IP address and type your information into the IP Address and Subnet Mask fields 3 Click the DNS Configuration tab If you do not know your DNS information select Disable DNS If you know your DNS information select Enable DNS and type the information in the fields below you may not need to fill them all in 4 Click the Gateway tab If you do not know your gateway s IP address remove previously installed gateways If you have a gateway IP address type it in the New gateway field and click Add 5 Click OK to save and close the TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your Prestige and restart your computer when prompted Verifying TCP IP Properties 1 Click Start and then Run 2 Inthe Run window type winipcfg and then click OK to open the IP Configuration window 3 Select your network adapter You should see your computer s IP address subnet mask and default gateway Setting up Your Windows NT 2000 Computer Configuring TCP IP H TCP IP Prestige 652 ADSL Security Router 1 Click Start Settings Network and Dial up Connections and right click Local Area Connection or the connection you want to configure and click Properties 2 Select Internet Protocol TCP IP you may need to scroll down and click Properties 3 The Internet Protocol TCP IP Pr
318. your local network You may enter a single port number or a range of port numbers to be forwarded and the local IP address of the desired server The port number identifies a service for example web service is on port 80 and FTP on port 21 In some cases such as for unknown services or where one server can support more than one service for example both FTP and web service 1t might be better to specify a range of port numbers In addition to the servers for specified services NAT supports a default server A service request that does not have a server explicitly designated for it is forwarded to the default server If the default is not defined the service request is simply discarded Many residential broadband ISP accounts do not allow you to run any server processes such as a Web or FTP server from your location Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location If you are unsure refer to your ISP The most often used port numbers are shown in the following table Please refer to RFC 1700 for further information about port numbers Please also refer to the included disk for more examples and details on NAT Table 8 7 Services amp Port Numbers SERVICES PORT NUMBER ECHO 7 FTP File Transfer Protocol 21 Telnet 23 SMTP Simple Mail Transfer Protocol 25 DNS Domain Name System 53 Finger 79 NAT 8 13 Prestige 6
Download Pdf Manuals
Related Search