ZyXEL Communications 200 Series Network Router User Manual
Contents
1. Press ENTER to Confirm or ESC to Cancel 3 The Menu 26 1 Schedule Set Setup is as follows Menu 26 1 Schedule Set Setup Active Yes Start Date yyyy mm dd 2004 01 01 How Often Once Once Date yyyy mm dd 2004 01 01 Weekdays Sunday N A Monday N A Tuesday N A Wednesday N A Thursday N A Friday N A Saturday N A Start Time hh mm 12 00 Duration hh mm 16 00 Action Enable Dial on demand Press ENTER to Confirm or ESC to Cancel Key Settings All contents copyright c 2005 ZyXEL Communications Corporation 79 ZyXEL Prestige 2602H 6xC Support Notes Start date of this schedule rule It can be unmatched with weekday setting For Start Date example if Start Date is 2004 10 02 Monday but Monday setting in weekday can be No If once is selected all weekday settings will ne marked as N A After the rule is How Often ate completely it will be deleted automatically The node will always keep up during the setting period It is equivalent to diable the Forced On idel timeout The node will always keep doen during the setting period The connected remote node Forced Down will be dropped Enable The remote node accepts Dial on demand during this period Dial On Demand Disable The remote node denies any demand dial during the period For the existing connected Dial On Demand nodes it will be dropped after idle timeout and no triggered up Start Time f f Start Time
2. Enter the SIP server's listening port for SIP in this field. Leave this field set to the default if your VoIP service provider did not give you a local port number for SIP.

   A SIP register server maintains a database of SIP identity-to-IP address (or domain name) mapping. The register server checks your user name and password when you register. Enter the SIP register server's address in this field. If you were not given a register server address, then enter the address from the SIP Server Address field again here.

   Enter the SIP register server's listening port for SIP in this field. If you were not given a register server port, then enter the port from the SIP Server Port field again here.

   A SIP service domain is the domain name that comes after the @ symbol in a full SIP URI. Enter the SIP service domain name in this field. You can use up to 127 ASCII Extended set characters.

   This is the user name for registering this SIP account with the SIP register server. Type the user name exactly as it was given to you. Use ASCII characters.

   Type the password associated with the user name above. Use ASCII Extended set characters.

   Select this check box to not show identification information when you make VoIP calls. Clear this check box to show identification information when you make VoIP calls.

   Phone 1 and Phone 2 correspond to the Prestige's physical PHONE 1 and 2 ports respectively. Select whether you want to receive calls for this
3. 0x4D713D8A 1299266954 20 OSR ART 0x00C8C015 13156373 All contents copyright c 2005 ZyXEL Communications Corporation 145 ZyXEL Prestige 2602H 6xC Support Notes Window Size 0x2238 8760 Checksum 0xAB57 43863 Urgent Ptr 0x0000 0 TCP Data Length 193 Captured 42 0000 48 54 54 50 2F 31 2E 31 20 33 30 34 20 4E 6F 74 HTTP 1 1 304 Not 0010 20 4D 6F 64 69 66 69 65 64 OD OA 44 61 74 65 3A Modified Date 0020 20 57 65 64 2C 20 30 37 20 4A Wed 07 J RAW DATA 0000 00 AO C5 92 13 12 00 A0 C5 59 12 84 08 00 45 00 ene E 0010 00 E5 E9 3B 40 00 FO 06 6E 15 CC D9 00 02 CA 84 5 n 0020 9B 61 00 50 28 26 4D 71 3D 8A 00 C8 CO 15 50 18 a P amp Mg Py 0030 22 38 AB 57 00 00 48 54 54 50 2F 31 2E 31 20 33 8 W HTTP 1 1 3 0040 30 34 20 4E 6F 74 20 4D 6F 64 69 66 69 65 64 OD 04 Not Modified 0050 OA 44 61 74 65 3A 20 57 65 64 2C 20 30 37 20 4A Date Wed 07 J lt 0004 gt LAN Frame ENET1 XMIT Size 411 96 Time 12865 130 sec Frame Type TCP 202 132 155 97 10278 gt 204 217 0 2 80 T Ethernet Header Destination MAC Addr 00A0C5591284 Source MAC Addr 00A0C5921312 Network Type 0x0800 TCP IP IP Header IP Version 4 Header Length A ype ol SCrVICC 0x00 0 Total Length 0x018D 397 Idetification OxF20C 61964 Flags 0x02 Fragment Offset 0x00 Time to Live Ox7F 127 Pro
4. SIP account on Phone 1, Phone 2 or both. If you select both, you will not know which SIP account a call is coming in on.

   Advanced Settings: Click Settings to open a screen where you can configure the Prestige's advanced VoIP settings like SIP server settings, the RTP port range and the coding type.
   Apply: Click Apply to save your changes back to the Prestige.
   Reset: Click Reset to begin configuring this screen afresh.

   Phone port settings

   The Prestige allows you to configure the volume and echo cancellation setting for each individual phone port.

   [Screenshot: Voice > Phone > Phone Port Settings, with Voice Volume Control (Speaking Volume, Listening Volume), Outgoing Call use (SIP1, SIP2), Echo Cancellation (G.168 Active), Voice Active Detector (VAD Support) and Dialing Interval]

   To configure the phone port setting, please follow the steps below.

   Step 1: Open the web browser on your workstation and connect to the Prestige by entering the Management IP address of the Prestige. The default management IP of the Prestige is 192.168.1.1.
   Step 2: Enter the administrator password on the login page and click on Login. The default is 1234.
   Step 3: On the left column click on Voice to bring
5. Drop Packet
   Figure: Filter Rule Process

   • Filter Types and SUA

   Conceptually, there are two categories of filter rules: device and protocol. The Generic filter rules belong to the device category; they act on the raw data from/to LAN and WAN. The IP and IPX filter rules belong to the protocol category; they act on the IP and IPX packets.

   In order to allow users to specify the local network IP address and port number in the filter rules with SUA connections, the TCP/IP filter function has to be executed before SUA for WAN outgoing packets and after the SUA for WAN incoming IP packets. But at the same time, the Generic filter rules must be applied at the point when the Prestige is receiving and sending the packets, i.e. the ISDN interface. So, the execution sequence has to be changed. The logic flow of the filter is shown in Figure 1 and the sequence of the logic flow for the packet from LAN to WAN is:

   • LAN device and protocol input filter sets.
   • WAN protocol call and output filter sets.
   • If SUA is enabled, SUA converts the source IP address from 192.168.1.33 to 203.205.115.6 and port number from 1023 to 4034.
   • WAN device output and call filter sets.

   The sequence of the logic flow for the packet from WAN to LAN is:

   • WAN device input filter sets.
   • If SUA is enabled, SUA converts the destination IP address from 203.2
6. Enter Filter Set Number to Configure= 1
   Edit Comments=
   Press ENTER to Confirm or ESC to Cancel:

   Configure the first filter set 'NetBIOS_WAN' by selecting the Filter Set number 1.

   • Rule 1: Destination port number 137 with protocol number 6 (TCP)

     Menu 21.1.1 - TCP/IP Filter Rule
       Filter #: 1,1
       Filter Type= TCP/IP Filter Rule
       Active= Yes
       IP Protocol= 6
       IP Source Route= No
       Destination: IP Addr= 0.0.0.0
                    IP Mask= 0.0.0.0
                    Port #= 137
                    Port # Comp= Equal
       Source:      IP Addr= 0.0.0.0
                    IP Mask= 0.0.0.0
                    Port #= 0
                    Port # Comp= None
       TCP Estab= No
       More= No
       Log= None
       Action Matched= Drop
       Action Not Matched= Check Next Rule
       Press ENTER to Confirm or ESC to Cancel:

   • Rule 2: Destination port number 137 with protocol number 17 (UDP)

     Menu 21.1.2 - TCP/IP Filter Rule
       Filter #: 1,2
       Filter Type= TCP/IP Filter Rule
       Active= Yes
       IP Protocol= 17
       IP Source Route= No
       Destination: IP Addr= 0.0.0.0
                    IP Mask= 0.0.0.0
                    Port #= 137
                    Port # Comp= Equal
       Source:      IP Addr= 0.0.0.0
                    IP Mask= 0.0.0.0
                    Port #= 0
                    Port # Comp= None
       TCP Estab= N/A
       More= No
       Log= None
       Action Matched= Drop
       Action Not Matched= Check Next Rule
       Press ENTER to Confirm or ESC to Cancel:

   • Rule 3: Destination port number 138 with protocol number 6 (TCP)

     Menu 21.1.3 - TCP/IP Filter Rule
       Filter #: 1,3
       Filter Type= TCP/IP Filter Rule
       Active= Yes
7. Ethe rnet Version II Address 00 80 C8 4C EA 63 Source MAC gt 00 A0 C5 23 45 Destination MAC Ethernet I Protocol Type IP 51 All contents copyright c 2005 ZyXEL Communications Corporation ZyXEL Prestige 2602H 6xC Support Notes Internet Protocol Version MSB 4 bits 4 Header length LSB 4 bits 5 Service type Precd Routine Delay Normal Thrput Normal Reli Normal Total length 60 Octets Fragment ID 60172 Flags May be fragmented Last fragment Offset 0 0x00 Time to live 32 seconds hops IP protocol type ICMP 0x01 Checksum OxE3EA IP address 202 132 155 93 Source IP address gt 202 132 155 99 Destination IP address No option Internet Control Message Protocol Type 8 Echo Request Code 0 Checksum 0x455C Identifier 768 Sequence Number 1280 Optional Data 32 bytes Configurations From the above first trace we know a client 1s trying to ping request the Prestige router And from the second trace we know the Prestige router will send a reply to the client accordingly The following sample filter will utilize the Generic Filter Rule to block the MAC address 00 80 c8 4c ea 63 1 First from the incoming LAN packet we know the uninteresting source MAC address starts at the 7th Octet TIME 37c060 enetQ RECV len 74 call 0 0000 45 00 80 c8 4c ea 63 08 00 45 00 0010 00 3c eb Oc 00 00 20 O01 e3 ea ca 84 9b 5d ca 84 0020 9b 63 08 0
8. Action Matched: Enter the action you want if the masked packet matches the Value. In this case, we will drop it.
   Action Not Matched: Enter the action you want if the masked packet does not match the Value. In this case, we will forward it.

   If you want to configure more rules, please select 'Check Next Rule' to start configuring the next new rule. However, please note that the Filter Type must also be 'Generic Filter Rule' and not any other type, because the Generic and TCP/IP (IPX) filter rules must be in different filter sets.

     Menu 21.1.2 - Generic Filter Rule
       Filter #: 1,2
       Filter Type= Generic Filter Rule
       Active= Yes
       Offset= 6
       Length= 6
       Mask= ffffffffffff
       Value= 0080c810234a
       More= No
       Log= None
       Action Matched= Drop
       Action Not Matched= Forward

   You can now apply it to the General Ethernet Setup in Menu 3.1. Please note that the Generic Filter can only be applied to the 'Device Filter', but not the 'Protocol Filter' that is used for configuring the TCP/IP and IPX filters.

     Menu 3.1 - General Ethernet Setup
       Input Filter Sets:
         protocol filters=
         device filters=
       Output Filter Sets:
         protocol filters=
         device filters=

   A filter for blocking the NetBIOS packets

   • Introduction

   The NETBIOS protocol is u
9. How do I set up my Prestige for routing IPsec packets over SUA?

   For outgoing IPsec tunnels, no extra setting is required. For forwarding the inbound IPsec ESP tunnel, a 'Default' server set in menu 15 is required. It is because SUA makes your LAN appear as a single machine to the outside world. LAN users are invisible to outside users. So, to make an internal server available for outside access, we must specify the service port and the LAN IP of this server in Menu 15. Thus SUA is able to forward the incoming packets to the requested service behind SUA, and the outside users access the server using the Prestige's WAN IP address. So, we have to configure the internal IPsec as a default server (unspecified service port) in menu 15 when it acts as a server gateway.

   VoIP FAQ

   What is Voice over IP?

   Voice over IP is an emerging technology based on open standards of IEEE, fundamentally the Internet Protocol, that allows voice data to travel across the Internet. There are many methods of using this technology; the most common and well known are SIP and H.323.

   How does Voice over IP work?

   Basically, VoIP is a technique to send voice information in digital form in discrete packets over a digital network rather than by using the traditional circuit-switched PSTN. To do so, we will need an analog-to-digital converter on the sender side to translate the voice analog signal to digital, then transmit it a
10. Bootbase Version V1 10 12 02 2004 14 00 00 RAM Size 16384 Kbytes FLASH Intel 16M 1 ZyNOS Version V3 40 RE 0 01 27 2005 15 00 00 Enter Debug Mode atgo Compressed Version RAS P2602R start bfc58030 Length 3DB3EC Checksum 9AA9 Compressed Length 12AC58 Checksum DC06 Copyright e 1994 2004 ZyXI EL Comm
11. Press ENTER to Confirm or ESC to Cancel Key Settings DHCP Setup three networks If the Prestige s DHCP server is enabled the IP pool for the clients can be any of the Enter the first LAN IP address for the Prestige This will create the first route in the TCP IP Setup bo enifO interface 76 All contents copyright c 2005 ZyXEL Communications Corporation ZyXEL Prestige 2602H 6xC Support Notes Edit IP Alias Toggle to Yes to enter menu 3 2 1 for setting up the second and third networks 2 Edit the second and third networks in menu 3 2 1 by configuring the Prestige s second and third LAN IP addresses Menu 3 2 1 IP Alias Setup IP Alias l Yes IP Address 192 168 2 1 IP Subnet Mask 255 255 255 0 RIP Direction None Version RIP 1 Incoming protocol filters Outgoing protocol filters IP Alias 2 Yes IP Address 192 163 3 1 IP Subnet Mask 255 255 255 0 RIP Direction None Version RIP 1 Incoming protocol filters Outgoing protocol filters Enter here to CONFIRM or ESC to CANCEL Key Settings IP Alias 1 Toggle to Yes and enter the second LAN IP address for the Prestige This will create the ias second route in the enif0 0 interface Toggle to Yes and enter the third LAN IP address for the Prestige This will create the IP Alias 2 third route in the enif0 1 interface Using Call Scheduling 1 What is Call Scheduling 77 All contents copyright c 2005 ZyXEL Commun
12. Press ENTER to Confirm or ESC to Cancel:

    • Port numbers for some services

      Service                     Port Number
      FTP                         21
      Telnet                      23
      SMTP                        25
      DNS (Domain Name Server)    53
      www-http (Web)              80

    Configure a PPTP server behind SUA

    • Introduction

    PPTP is a tunneling protocol defined by the PPTP forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself.

    In order to run the Windows 9x PPTP client, you must be able to establish an IP connection with a tunnel server such as the Windows NT Server 4.0 Remote Access Server.

    Windows Dial-Up Networking uses the Internet standard Point-to-Point (PPP) to provide a secure, optimized multiple-protocol network connection over dial-up telephone lines. All data sent over this connection can be encrypted and compressed, and multiple network level protocols (TCP/IP, NetBEUI and IPX) can be run correctly. Windows NT Domain Login level security is preserved even across the Internet.

    [Figure: Window98 PPTP Client, Internet, NT RAS Server; Protocol Stack]

    PPTP appears as a new modem type (Virtual Private Networking Adapter) that can be selected when setting up a connection in the Dial-Up Networking folder. The VPN Adapter type does not appear elsewhere in the system. Since PPTP e
13. etc. It also uses stateful packet inspection to determine if an inbound connection is allowed through the firewall to the private LAN. The Prestige supports Network Address Translation (NAT), which translates the private local addresses to one or multiple public addresses. This adds a level of security since the clients on the private LAN are invisible to the Internet.

    What are the basic types of firewalls?

    Conceptually, there are three types of firewalls:

    1. Packet Filtering Firewall
    2. Application-level Firewall
    3. Stateful Inspection Firewall

    Packet Filtering Firewalls generally make their decisions based on the header information in individual packets. This header information includes the source and destination addresses and ports of the packets.

    Application-level Firewalls generally are hosts running proxy servers, which permit no traffic directly between networks, and which perform logging and auditing of traffic passing through them. A proxy server is an application gateway or circuit-level gateway that runs on top of a general operating system such as UNIX or Windows NT. It hides valuable data by requiring users to communicate with secure systems by means of a proxy. A key drawback of this device is performance.

    Stateful Inspection Firewalls restrict access by screening data packets against defined access rules. They make ac
14. the Messages that have been sent and received Block Font 8 Emoticons Send Last message received on 10 22 2002 at 8 04 PM a 5 Finally your video conversation is achieved All contents copyright c 2005 ZyXEL Communications Corporation ZyXEL Prestige 2602H 6xC Support Notes Pe evalee hotmail com Conversation File Edit view Actions Help Stop Camera CR EVOIPRE AY UTALO Nos GLE pte YUU request to have a video and voice conversation A 48 The video and voice conversation with evalee hotmail com has ended 48 You have asked to have a video and voice conversation with evalee hotmail com Please wait for a response or Cancel Alt Q the pending invitation Speakers 4 Microphone i want to Invite Someone to this Conversation 48 evalee hotmail com has accepted your request to have a video and voice conversation WW WI Block A Font 8 Emoticons gt gt More Connection established VoIP Application Notes Setup SIP Account VoIP is the sending of voice signals over the Internet Protocol This allows you to make phone calls and send faxes over the Internet at a fraction of the cost of using the traditional circuit switched telephone network The Session Initiation Protocol SIP is an application layer control signaling protocol that handles the setting up altering and tearing down of voice and multimedia
15. will appear on the Telnet screen.

    c. The default filter rule 3 (Telnet_FTP_WAN) is applied in the Input Protocol field in menu 11.5.

    What should I do if I forget the system password?

    In case you forget the system password, you can reset the unit back to factory default. You can reset the unit by using a sharp pointed object such as a pen to press and hold down the reset button for 5 seconds, or until the power LED starts to blink, then release. The unit is then reset back to factory default. The reset button is located near the power jack on the unit's back panel.

    Note: By resetting the unit back to factory default, you will lose all your previous settings.

    What is SUA? When should I use SUA?

    SUA (Single User Account) is a unique feature supported by the Prestige router which allows multiple people to access the Internet concurrently for the cost of a single user account.

    When the Prestige acting as SUA receives a packet from a local client destined for the outside Internet, it replaces the source address in the IP packet header with its own address and the source port in the TCP or UDP header with another value chosen out of a local pool. It then recomputes the appropriate header checksums and forwards the packet to the Internet as if it originated from the Prestige, using the IP address assigned by the ISP. When reply packets from the external Interne
16. 0x002C 44 Idetification 0x5 1F3 22515 Flags 0x02 Fragment Offset 0x00 Mme to Live 0xXED 237 Protocol 0x06 TCP Header Checksum OxAC8C 44172 Source IP OxCOUR0782 192731 7130 All contents copyright c 2005 ZyXEL Communications Corporation ZyXEL Prestige 2602H 6xC Support Notes Destination IP 0xC0A80102 192 168 1 2 CE Header Source Pori 0x0050 80 Destination Port 0x045C 1116 Sequence Number Ox4ADIB57F 1255257471 Ack Number Ox00BD15A8 12391848 Header Length 24 Flags O aC Aeon Window Size OxFAFO 64240 Checksum OxF877 63607 Uncent Pir 0x0000 0 Options 0000 02 04 05 B4 RAW DATA 0000 00 80 C8 4C EA 63 00 AO C5 92 13 11 08 00 45 00 L c E 0010 00 2C 57 F3 40 00 ED 06 AC 8C CO IF 07 82 CO A8 W 0020 01 02 00 50 04 5C 4A D1 B5 7F 00 BD 15 A8 60 12 P J p 0030 FA FO F8 77 00 00 02 04 05 B4 N S lt 0002 gt LAN Frame FNETO RECV Size 60 60 Time 12090 210 sec Frame Type TCP 192 168 1 2 1116 gt 192 31 7 130 80 Ethernet Header Destination MAC Addr 00A0C5921311 Source MAC Addr 0080C84CEA63 Network Type 0x0800 TCP IP IP Header IP Version 4 Header Length Type of Service 0x00 0 Total Length 0x0028 40 Idetification 0x3 508 1579 All contents copyright c 2005 ZyXEL Communications Corporation ZyXEL Prestige 2
17. 1 ILAI 192 168 1 10 Prestige User 2 ILA2 192 168 1 11 User 3 ILA3 192 168 1 12 3 ILAs lt gt 3 IGAS 3 ILAs map to 3 IGAs using Many to Many No Overload or One to One One rule configured for using Many to Many No Overload mapping type is shown below Menu 15 1 1 1 Rule 1 Type Many to Many No Overload Local IP Start 192 168 1 10 End 102 10 L12 Global IP Start Enter IGAL End Enter IGA3 Press ENTER to Confirm or ESC to Cancel The three rules configured for using One to One mapping type is shown below Menu 15 1 1 1 Rule 1 Type One to One 37 All contents copyright c 2005 ZyXEL Communications Corporation ZyXEL Prestige 2602H 6xC Support Notes Local IP Start 192 168 1 10 End N A Global IP Start Enter IGAL End N A Press ENTER to Confirm or ESC to Cancel Menu sale Rule 2 Type One to One Eocall Ps Start 192 108 1 1 End N A Global IP Start Enter IGA2 End N A Press ENTER to Confirm or ESC to Cancel Menus Salle kile 3 Type One to One Local IP Start 192 168 0012 End N A Global IP Start Enter IGA3 End N A 38 All contents copyright c 2005 ZyXEL Communications Corporation ZyXEL Prestige 2602H 6xC Support Notes Press ENTER to Confirm or ESC to Cancel Prestige supports multiple type of NAT mapping rules Prestige ISP ILA Inside Local Addresses ILA IGA TIGA Inside Global Addresses Figure1
18. 137 Destination port number 53 with protocol number 6 TCP Menu 21 22 TCR IP Filter Rule Filter 2 1 Filter Type TCP IP Filter Rule Active Yes IP Protocol 6 IP Source Route No Destination IP Addr 0 0 0 0 IP Mask 0 0 0 0 Ront G55 Port Comp Equal source IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 137 Port Comp Equal TCP Estab No More No Log None Action Matched Drop Action Not Matched Check Next Rule Press ENTER to Confirm or ESC to Cancel e Rule 2 Source port number 137 Destination port number 53 with protocol number 17 UDP Menu 22 2 TCP IP Filter Rule Filter 2 2 Filter Type P P Filter Rule Active Yes 61 All contents copyright c 2005 ZyXEL Communications Corporation ZyXEL Prestige 2602H 6xC Support Notes IP Protocol 17 IP Source Route No Destination IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 53 Port Comp Equal Source IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 137 Port Comp Equal TCP Estab N A More No Log None Action Matched Drop Action Not Matched Forward Press ENTER to Confirm or ESC to Cancel 1 After the first filter set is finished you will get the complete rules summary as below Menu 21 2 Filter Rules Summary A Type Filter Rules Mmn SC Weiter SSO 0 OO Sieve IDSC 0 0 BPs IN 1D In 2 YOR Pri SA 0 00 Ose SP 13i 6 DA 080C000 DP 53 aN Dar 1 Apply the filter set NetBIOS_LAN in the Input protocol filters in the Menu 3 for blocking th
19. Label: Description

    Redirect Active: Select this check box to have the Prestige use traffic redirect if the normal WAN connection goes down. If you activate traffic redirect, you must configure at least one Check WAN IP Address.
    Metric: This field sets this route's priority among the routes the Prestige uses. The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. The number must be between 1 and 15; a number greater than 15 means the link is down. The smaller the number, the lower the "cost".
    Backup Gateway: Type the IP address of your backup gateway in dotted decimal notation. The Prestige automatically forwards traffic to this IP address if the Prestige's Internet connection terminates.
    Back: Click Back to return to the previous screen.
    Apply: Click Apply to save the changes.
    Cancel: Click Cancel to begin configuring this screen afresh.

    You can also configure traffic redirect via web configuration. The configuration page is in WAN > WAN Backup.

    [Screenshot: WAN > WAN Backup Setup, with Backup Type DSL Link, Check WAN IP Address 1 to 3 (0.0.0.0), Fail Tolerance 5, Recovery Interval 60 sec, Timeout 3 sec, Traffic Redirect Active, Metric 15, Backup
20. [Figure: Control Point and Devices]

    UPnP Operations

    • Addressing: UPnPv1 devices MAY support IPv4, IPv6, or both. For IPv4, each device should have a DHCP client; when the device gets connected to the network, it will discover the DHCP server on the network to get an IP address. If not, then the Auto-IP mechanism should be supported so that the device can give itself an IP address (169.254.0.0/16).
    • Discovery: Whenever a device is added on the network, it will advertise its services over the network. A control point can also discover services provided by devices.
    • Description: Control points can get more detailed service information from the device's description in XML format. The description may include product name, model name, serial number, vendor ID, embedded services, etc.
    • Control: Devices can be manipulated by control points through Control messages.
    • Eventing: Devices can send event messages to notify control points if there is any update on services provided.
    • Presentation: Each device can provide its own control interface by URL link, so that users can go to the device's presentation web page by the URL to control this device.

    • 2. Using UPnP in ZyXEL devices

    In this example, we will introduce how to enable the UPnP function in ZyXEL devices. Currently Microsoft MSN
21. Gateway 192.168.1.150 Back Cancel

    Using Universal Plug n Play (UPnP)

    • 1. What is UPnP

    UPnP (Universal Plug and Play) makes connecting PCs of all form factors, intelligent appliances, and wireless devices in the home, office, and everywhere in between easier and even automatic by leveraging TCP/IP and Web technologies. UPnP can be supported on essentially any operating system and works with essentially any type of physical networking media, wired or wireless.

    UPnP also supports NAT Traversal, which can automatically solve many NAT-unfriendly problems. With UPnP, applications assign the dynamic port mappings to the Internet gateway and delete the mappings when the connections are complete.

    The key components in UPnP are devices, services, and control points.

    • Devices: Network devices, such as networking gateways, TVs, refrigerators, printers, etc., which provide services.
    • Services: Services are provided by devices, such as time services provided by alarm clocks. In UPnP, services are described in XML format. Control points can set/get services information from devices.
    • Control points: Control points can manipulate network devices. When you add a new control point (in this case, a laptop) to a network, the device may ask the network to find UPnP-enabled devices. These devices respond with their URLs and device descriptions.
22. Serial > Secure Gateway Address

    If I have a NAT router between two VPN gateways and I would like to use IP type as the Phase 1 ID, what should I know?

    We presume your environment may look like this:

    [Figure: IPSec tunnel; VPN client 10.1.33.33; NAT router WAN IP 202.132.154.2; Prestige WAN 202.132.154.3]

    Since the VPN client is behind a NAT router, it must have a private IP address in most cases. This may cause the VPN client to send its private IP address as the content of its phase 1 ID. So you have to configure the Prestige's secure gateway's phase ID as the private IP address of the VPN client.

    How can I keep a tunnel alive?

    To keep a tunnel alive, you can check the "keep alive" option when configuring your VPN tunnel. With this option, whenever the phase 2 SA lifetime is due, the IKE negotiation procedure will be invoked automatically, even without traffic, to make the connection stay. But to reduce the consumption of system resources, if VPN tunnels get disconnected, either manually, by idle timer, or because of power cycle, packet triggering is still necessary to bring the tunnel up.

    Single, Range, Subnet: which types of IP address do Prestige 10, 1011, 10W, 50, 100 support in VPN/IPSec?

    The mentioned Prestige series support all of the types. In other words, you can specify a single PC, a range of PC
23. VPN connections does Prestige support?

    Prestige 1 supports 1 VPN connection. Prestige 10 supports 10 VPN connections. Prestige 50 supports 50 tunnels. Prestige 100 supports 100 tunnels.

    What VPN protocols are supported by Prestige?

    All Prestige series support ESP (protocol number 50) and AH (protocol number 51).

    What types of encryption does Prestige VPN support?

    Prestige supports 56-bit DES, 168-bit 3DES and AES.

    What types of authentication does Prestige VPN support?

    VPN vendors support a number of different authentication methods. Prestige VPN supports both SHA1 and MD5. AH provides authentication, integrity, and replay protection, but not confidentiality. Its main difference from ESP is that AH also secures parts of the IP header of the packet (like the source/destination addresses), but ESP does not. ESP can provide authentication, integrity, replay protection, and confidentiality of the data (it secures everything in the packet that follows the header). Replay protection requires authentication and integrity (these two always go together). Confidentiality (encryption) can be used with or without authentication/integrity. Similarly, one could use authentication/integrity with or without confidentiality.

    I am planning my Prestige-to-Prestige VPN configuration. What do I need to know?

    First of all, both Prestiges must have VPN capabilities. Please check the firmware version; V3.50 or later has the VPN capability.
24. What is a Brute-force attack?

    A Brute-force attack, such as a 'Smurf' attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data. A Smurf hacker flood a destination IP address of each packet is the broadcast address of the network, the router will broadcast the ICMP echo request packet to all hosts on the network. If there are numerous hosts, this will create a large amount of ICMP echo request packet, the resulting ICMP traffic will not only clog up the 'intermediary' network, but will also congest the network of the spoofed source IP address, known as the 'victim' network. This flood of broadcast traffic consumes all available bandwidth, making communications impossible.

    What is an IP Spoofing attack?

    Many DoS attacks also use IP Spoofing as part of their attack. IP Spoofing may be used to break into systems, to hide the hacker's identity, or to magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network. To engage in IP Spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall.

    What are the default ACL firewall rules in Prestige?

    There are two default ACLs pre-configured in the Prestige, one allo
25. devices. NMSs read variables that are maintained by the devices. 7. Writes: Write is used to control the managed devices. NMSs write variables that are stored in the managed devices. 8. Traversal operations: NMSs use these operations to determine which variables a managed device supports and to sequentially gather information from variable tables (such as the IP routing table) in managed devices. 9. Traps: The managed devices use traps to asynchronously report certain events to NMSs. Figure 1: SNMP Management Model (User Interface, managed devices). 2. SNMPv1 Operations: SNMP itself is a simple request/response protocol. 4 SNMPv1 operations are defined as below. Get: Allows the NMS to retrieve an object variable from the agent. GetNext: Allows the NMS to retrieve the next object variable from a table or list within an agent. In SNMPv1, when an NMS wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations. Set: Allows the NMS to set values for object variables within an agent. Trap: Used by the agent to inform the NMS of some events. The SNMPv1 messages contain two parts. The first part contains a version and a community name. The second part contains the actual SNMP protocol data unit (PDU) specifying th
26. distance phone charge is reduced compared with making a long direct connection to the remote office. 2. Reducing number of access lines: Many companies pay monthly charges for two types of access lines: (1) high-speed links for their Internet access and (2) frame relay, ISDN Primary Rate Interface or T1 lines to carry data. A VPN may allow a company to carry the data traffic over its Internet access lines, thus reducing the need for some installed lines. What are most common VPN protocols? There are currently three major tunneling protocols for VPNs. They are Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPSec). What is PPTP? PPTP is a tunneling protocol defined by the PPTP forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself. The PPTP is supported in Windows NT and Windows 98 already. For Windows 95, it needs to be upgraded by the Dial-Up Networking 1.2 upgrade. What is L2TP? Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used by an Internet service provider (ISP) to enable the operation of a virtual private network (VPN) over the Internet. What is IPSec? IPSec is a set of IP extensions developed by IETF (Internet Engin
27. example, to reset a node, a counter variable named "time to reset" could be set to a value, causing the node to reset after the time had elapsed. SNMP variables are defined using the OSI Abstract Syntax Notation One (ASN.1). ASN.1 specifies how a variable is encoded in a transmitted data frame; it is very powerful because the encoded data is self-defining. For example, the encoding of a text string includes an indication that the data unit is a string, along with its length and value. ASN.1 is a flexible way of defining protocols, especially for network management protocols where nodes may support different sets of manageable variables. The set of variables that each node supports is called the Management Information Base (MIB). The MIB is made up of several parts, including the Standard MIB, specified as part of SNMP, and Enterprise Specific MIB, which are defined by different manufacturers for hardware-specific management. The current Internet standard MIB, MIB-II, is defined in RFC 1213 and contains 171 objects. These objects are grouped by protocol (including TCP, IP, UDP and SNMP) and other categories (including "system" and "interface"). The Internet Management Model is as shown in figure 1. Interactions between the NMS and managed devices can be any of four different types of commands: 6. Reads: Read is used to monitor the managed
28. none Prestige gt sys trcp channel enetO bothway Prestige gt sys trcp sw on Prestige gt sys trcl sw on Prestige gt sys trep sw off Prestige gt sys trol sw off Prestige gt sys trcp brief 0 10855 790 ENETO T 0141 TCP 192 31 7 130 80 gt 192 168 1 2 1102 10855 800 ENETO R 0060 TCP 192 168 1 2 1102 gt 192 31 7 130 80 2 10855 810 ENETO R 0062 TCP 192 168 1 2 1103 gt 192 31 7 130 80 10855 840 ENETO R 0062 TCP 192 168 1 2 1104 gt 192 31 7 130 80 4 10856 020 ENETO T 0054 TCP 192 31 7 130 80 gt 192 168 1 2 1102 05 tti 142 All contents copyright c 2005 ZyXEL Communications Corporation ZyXEL Prestige 2602H 6xC Support Notes 5 10856 030 ENETO T 0058 TCP 192 31 7 130 80 gt 192 168 1 2 1103 6 10856 040 ENETO R 0060 TCP 192 168 1 2 1103 gt 192 31 7 130 80 Prestige gt sys trcp parse 5 5 lt 0005 gt LAN Frame ENETO XMIT Size 58 58 Time 10856 030 sec Frame Type TCP 192 31 7 130 80 gt 192 168 1 2 1103 Ethernet Header Destination MAC Addr 0080C84CEA63 Source MAC Addr 00A0C5921311 Network Type 0x0800 TCP IP IE Header IP Version 4 Header Length A hype Ol Service 0x00 0 Total Length 0x002C 44 Idetification 0x7F02 32514 Flags 0x02 Fragment Offset 0x00 Time to Live OxED 237 Protocol 0x06 TCP Header Checksum 0x857D 34173 Source IP 0xC01F0782 192 31 7 13
29. oS amp amp SoS 2 eS ae 0 Press ENTER to Confirm or ESC to Cancel i eal ea 168 1 36 0 0 The most often used port numbers are shown in the following table Please refer RFC 1700 for further information about port numbers Service FTP Telnet SMTP DNS Domain Name Server www http Web PPTP Protocol Point to Point 1 Internet Access Only Tunneling 1723 Port Number 21 23 25 53 80 In our Internet Access example we only need one rule where all our ILAs map to one IGA assigned by the ISP See the following figure All contents copyright c 2005 ZyXEL Communications Corporation 29 ZyXEL Prestige 2602H 6xC Support Notes Client 1 ILA1 Client 2 ILA2 Prestige Client 3 ILA3 N IGA Assigned by ISP Client 4 ILA4 Internet Access Using NAT Many to One Mappin Menu 4 Internet Access Setup ISP s Name MyISP Encapsulation PPPoE Multiplexing LLC based VPI 0 Om mse ATM QoS Type UBR Peak Cell Rate PCR 0 Sustain Cell Rate SCR 0 Maximum Burst Size MBS 0 My Login cso zyxel My Password Idle Timeout sec 0 IP Address Assignment Dynamic IP Address N A Network Address Translation SUA Only Address Mapping Set 1 Press ENTER to Confirm or ESC to Cancel All contents copyright c 2005 ZyXEL Communications Corporation 30 ZyXEL Prestige 2602H 6xC Support Notes From Menu 4 shown above simply choose the SUA Only option from
30. over WAN as well, it is not recommended because of the potential data corruption problems. How fast can the data go? The speed of the ADSL is only one part of the equation. There are a combination of factors, starting with how fast your PC can handle IP traffic, then how fast your PC-to-cable-modem interface is, then how fast the cable modem system runs and how much congestion there is on the cable network, then how big a pipe there is at the head end to the rest of the Internet. Different models of PCs and Macs are able to handle IP traffic at varying speeds. Very few can handle it at 30 Mbps. Ethernet 10baseT is the most popular cable modem interface standard for the PC. This automatically limits the speed of the connection to under 10 Mbps, even if the cable modem can receive at 30 Mbps. Most Local Area Networks use 10baseT Ethernet, and although they are 10 Mbps networks, it takes a LOT longer than one second to transmit 10 megabits (or 1.25 megabytes) of data from one terminal to another. Cable modems on the same node share bandwidth, which means that congestion is created when too many people are on simultaneously. One user downloading large graphic or video files can use a significant portion of shared bandwidth, slowing down access for other users in the same neighborhood. Most independent Internet Service Providers today connect to the Internet using a single 1.5 Mbps T1 telephone line. All of their subscribers share that 1.5 Mbps pipe
31. packet header and SO04 gt RO1mD means filter set 4 S and rule 1 R match m drop D Src Source Address Dst Destination Address 73 All contents copyright c 2005 ZyXEL Communications Corporation ZyXEL Prestige 2602H 6xC Support Notes A S CPESTIEE COV EEESOXN Support NOTES _ prot Protocol TCP UDP ICMP spo Source port dpo Destination port Example Jul 19 14 44 09 192 168 1 1 ZyXEL Communications Corp spo 0035 dpo 05d4 S03 gt RO1mF Jul 19 14 44 13 192 168 1 1 ZyXEL Communications Corp ICMP SO3 gt RO1mF e PPP Log Format TP Sre 202 1822 IBA Dst 192 6s le 33 UDP IP Src 192 168 1 33 Dst 202 132 154 1 sdemdSyslogSend SYSLOG_PPPLOG SYSLOG_NOTICE String String ppp Proto Starting ppp Proto Opening ppp Proto Closing ppp Proto Shutdown Proto LCP ATCP BACP BCP CBCP CCP CHAP PAP IPCP IPXCP Example Jul 19 11 43 25 192 168 1 1 ZyXEL Communications Corp Jul 19 11 43 29 192 168 1 1 ZyXEL Communications Corp Jul 19 11 43 34 192 168 1 1 ZyXEL Communications Corp Jul 19 11 43 38 192 168 1 1 ZyXEL Communications Corp Jul 19 11 43 43 192 168 1 1 ZyXEL Communications Corp Jul 19 11 43 51 192 168 1 1 ZyXEL Communications Corp Jul 19 11 43 55 192 168 1 1 ZyXEL Communications Corp Jul 19 11 44 00 192 168 1 1 ZyXEL Communications Corp Jul 19 11 44 05 192 168 1 1 ZyXEL Communications Corp Jul 19 11 44 09 192 168 1 1 ZyXEL Communications Corp Jul 19 11
32. server to one unique IGA, please use the One-to-One mode. The following table summarizes these types (NAT Type: IP Mapping; Mapping Direction). One-to-One: ILA1 <--> IGA1; Both. Many-to-One (SUA/PAT): ILA1 --> IGA1, ILA2 --> IGA1; Outgoing. Many-to-Many Overload: ILA1 --> IGA1, ILA2 --> IGA2, ILA3 --> IGA1, ILA4 --> IGA2; Outgoing. Many-to-Many No Overload (Allocate by Connections): ILA1 --> IGA1, ILA2 --> IGA3, ILA3 --> IGA2, ILA4 --> IGA4; Outgoing. Server: Server 1 IP <-- IGA1, Server 2 IP <-- IGA1; Incoming. SUA Versus NAT: SUA (Single User Account), in previous ZyNOS versions, is a NAT set with 2 rules: Many-to-One and Server. The Prestige now has Full Feature NAT support to map global IP addresses to local IP addresses of clients or servers. With multiple global IP addresses, multiple servers of the same type (e.g., FTP servers) are allowed on the LAN for outside access. In previous ZyNOS versions that supported SUA, visible servers had to be of different types. The Prestige supports NAT sets on a remote node basis. They are reusable, but only one set is allowed for each remote node. The Prestige 2602HW supports 8 sets since there are 8 remote nodes. The default SUA (Read Only) Set in menu 15.1 is a convenient, pre-configured, read-only, Many-to-One mapping set, sufficient for most purposes an
33. sw on Prestige gt sys trel sw on Prestige gt sys tred brief 0 12367 680 ENET1 R 0070 UDP 202 132 155 95 520 gt 202 132 155 255 520 1 12370 980 ENET1 T 0062 TCP 202 132 155 97 10261 gt 192 31 7 130 80 2 12373 940 ENET1 T 0062 TCP 202 132 155 97 10261 gt 192 31 7 130 80 3 12374 930 FNET1 R 0064 TCP 192 31 7 130 80 gt 202 132 155 97 10261 4 12374 940 FNET1 T 0054 TCP 202 132 155 97 10261 gt 192 31 7 130 80 5 12374 940 ENET1 T 0438 TCP 202 132 155 97 10261 gt 192 31 7 130 80 6 12375 320 ENET1 R 0064 TCP 192 31 7 130 80 gt 202 132 155 97 10261 7 12375 360 ENET1 R 0090 UDP 202 132 155 95 520 gt 202 132 155 255 520 Prestige gt sys trcd parse lt 0000 gt LAN Frame ENET1 RECV Size 1181 96 Time 12387 260 sec Frame Type TCP 192 31 7 130 80 gt 202 132 155 97 10270 Ethernet Header Destination MAC Addr 00A0C5921312 Source MAC Addr 00A0C5012345 Network Type 0x0800 TCP IP IPiHeader IP Version 4 Header Length 20 Type of Service 0x00 0 Total Length 0x048B 1163 Idetification 0xB139 45369 Flags 0x02 Fragment Offset 0x00 Time to Live OxEE 238 Protocol 0x06 TCP Header Checksum OxA9AB 43435 All contents copyright c 2005 ZyXEL Communications Corporation ZyXEL Prestige 2602H 6xC Support Notes Source IP OXCO
34. the Prestige menu 1. The DDNS server the Prestige currently supports is WWW.DYNDNS.ORG, where you apply for the DNS name and update the WAN IP to. Setup the DDNS: Before configuring the DDNS settings in the Prestige, you must first register an account with the DDNS server, such as WWW.DYNDNS.ORG. After the registration, you have a hostname for your internal server and a password used to update the IP to the DDNS server. Toggle the Configure Dynamic DNS option to Yes and press ENTER to configure the settings of the DDNS in menu 1.1. Menu 1 - General Setup: System Name: Prestige; Location; Contact Person's Name; Domain Name; Edit Dynamic DNS: Yes; Route IP: Yes; Bridge: No. Menu 1.1 - Configure Dynamic DNS: Service Provider: WWW.DynDNS.ORG; Active: Yes; EMAIL; USER; Password; Enable Wildcard: No; Host: the local server's host name. Key Settings for using DDNS function (Option: Description). Service Provider: Enter the DDNS server in this field. Currently, we support WWW.DYNDNS.ORG. Active: Toggle to Yes. Host: Enter the hostname you subscribe from the above DDNS server, for example, zyxel.com.tw. EMAIL: Enter the email address you give to the DDNS server. User: Enter the user name that
35. the entries from the speed dial phonebook. What is ZyNOS? ZyNOS is ZyXEL's proprietary Network Operating System. It is the platform on all Prestige routers that delivers network services and applications. It is designed in a modular fashion, so it is easy for developers to add new features. New ZyNOS software upgrades can be easily downloaded from our FTP sites and public Web download site as they become available. How do I access the embedded web configurator? The Web configurator is a user-friendly configuration interface accessed through the user's web browser by typing in the LAN IP address of the Prestige. To access the Prestige's web configurator via web browser, the configuration PC must be in the same IP segment as the Prestige, and the Prestige must be reachable from the configuration station. By default, the Prestige LAN IP is 192.168.1.1. What is the default LAN IP address and Password? Moreover, how do I change it? The default LAN IP address is 192.168.1.1, and you can change the LAN IP in the web configuration menu under LAN > LAN TCP/IP. The default password is 1234. You can change the password once you enter the web configuration menu under SYSTEM and press the Password tab. At the password screen, type in the old password and the new password, retype to confirm, then press the Apply button to save the c
36. the format exactly. By default, Prestige takes IP as the phase 1 ID type for itself and its remote peer. But if its remote peer is using DNS or E-mail, you have to adjust the settings to pass phase ID checking. When should I use FQDN? If your VPN connection is Prestige to Prestige, both of them have static IP addresses, and there is no NAT router in between, you can ignore this option. Just leave the Local/Peer ID type as IP, then skip this option. If either side of the VPN tunneling end point is using a dynamic IP address, you may need to configure ID for the one with the dynamic IP address. And in this case, Aggressive mode is recommended to be applied in phase 1 negotiation. Is my Prestige ready for IPSec VPN? IPSec VPN is available for Prestige since ZyNOS V3.50. It is a free upgrade; no registration is needed. By upgrading the firmware and also the configuration romfile to ZyNOS V3.50, the IPSec VPN capability is ready in your Prestige. You can then configure VPN via the web configurator. Please download the firmware from our web site. NOTE: For updating from ZyNOS V3.2x to V3.5x, please use console or TFTP update. This is because of the memory allocation difference between these two versions. How do I configure Prestige VPN? You can configure Prestige for VPN using SMT or Web configurator. Prestige 1 supports Web only. How many
37. you to the voice function menu. While in the Voice menu, click on Phone to enter the phone port configuration page. Step 4: Using the phone port selector located on the upper right of the phone port configuration page, select the phone port you wish to configure. Step 5: Change the phone port parameters as desired and click Apply when you are finished to save the settings and let them take effect. To configure the 2nd phone port, use the phone port selector to select phone2 and follow steps 1 to 5 to complete the 2nd phone port setup. Each field's detailed description is listed below (Phone Port Settings, Speaking Volume, Listening Volume, Outgoing Call use, G.168 Active, VAD Support). Phone Port Settings: Use this field to select the phone port that you want to configure. Speaking Volume: Use this field to set the loudness that the Prestige uses for the speech signal that it sends to the peer device. -1 is the quietest, and 1 is the loudest. Listening Volume: Use this field to set the loudness that the Prestige uses for the speech signal that it receives from the peer device and sends to your phone. -1 is the quietest, and 1 is the loudest. Outgoing Call use: SIP 1 and SIP 2 correspond to the Prestige's SIP accounts. Select whether you want the phone(s) attached to this phone port to use SIP account 1, 2 or both when you make a call. If you select both SIP accounts, the Prestige will first try to use SIP account 2 and then SIP account 1 when you make a call. G.168 Active: Select this check box to cancel the echo caus
38. 0 Destination IP: 0xC0A80102 (192.168.1.2). TCP Header: Source Port: 0x0050 (80); Destination Port: 0x044F (1103); Sequence Number: 0xD91B1826 (3642431526); Ack Number: 0x00AA405F (11157599); Header Length: 24; Flags: 0x12 (A, S); Window Size: 0xFAF0 (64240); Checksum: 0xDCEF (56559); Urgent Ptr: 0x0000 (0); Options: 0000: 02 04 05 B4. RAW DATA: 0000: 00 80 C8 4C EA 63 00 A0 C5 92 13 11 08 00 45 00; 0010: 00 2C 7F 02 40 00 ED 06 85 7D C0 1F 07 82 C0 A8; 0020: 01 02 00 50 04 4F D9 1B 18 26 00 AA 40 5F 60 12; 0030: FA F0 DC EF 00 00 02 04 05 B4. Prestige> 2. Trace WAN packet. 1.1 Disable capture of the LAN packet by entering: sys trcp channel enet0 none. 1.2 Enable capture of the WAN packet by entering: sys trcp channel enet1 bothway. 1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on. 1.4 Wait for packets passing through the Prestige over WAN. 1.5 Disable the trace log by entering: sys trcp sw off & sys trcl sw off. 1.6 Display the trace briefly by entering: sys trcp brief. 1.7 Display specific packets by using: sys trcp parse <from_index> <to_index>. Example: Prestige> sys trcp channel enet0 none Prestige> sys trcp channel enet1 bothway Prestige> sys trcl sw on Prestige> sys trcp sw on Prestige>
39. 0 45 5c 03 00 05 00 61 62 63 64 65 66 0030: 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 0040: 77 61 62 63 64 65 66 67 68 69. 2. We are now ready to configure the Generic Filter Rule as below. Menu 2102 - Generic Filter Rule: Filter #: 1,1; Filter Type: Generic Filter Rule; Active: Yes; Offset: 6; Length: 6; Mask: ffffffffffff; Value: 0080c84cea63; More: No; Log: None; Action Matched: Drop; Action Not Matched: Forward. Key Settings. Generic Filter Rule: Set the Filter Type to Generic Filter Rule. Active: Turn Active to Yes. Offset (in bytes): Set to 6; since the source MAC address starts at the 7th octet, we need to skip the first octets of the destination MAC address. Length (in bytes): Set to 6, since a MAC address has 6 octets. Mask (in hexadecimal): Specify the value with which the Prestige will logically qualify (logical AND) the data in the packet. Since the Length is set to 6 octets, the Mask for it should be 12 hexadecimal numbers. In this case, we intend to set it to ffffffffffff to mask the incoming source MAC address, 00:80:c8:4c:ea:63. Value (in hexadecimal): Specify the MAC address 00:80:c8:4c:ea:63 that the Prestige should use to compare with the masked packet. If the result from the masked packet matches the Value, then the packet is considered matched.
40. 05.115.6 to 192.168.1.33 and port number from 4034 to 1023. WAN protocol input filter sets. LAN device and protocol output filter sets. Figure 1: Packet Logic Flow in ZyNOS (Protocol Filter Sets, Device Filter Sets, LAN Filter Sets). Generic and TCP/IP (and IPX) filter rules are in different filter sets. The SMT will detect and prevent the mixing of different category rules within any filter set in Menu 21. In the following example, you will receive an error message "Protocol and device filter rules cannot be active together" if you try to activate a TCP/IP (or IPX) filter rule in a filter set that already has one or more active Generic filter rules. You will receive the same error if you try to activate a Generic filter rule in a filter set that already has one or more active TCP/IP (or IPX) filter rules. Menu 21.1.1 and Menu 21.1.2: Menu 21.1.1 - Generic Filter Rule: Filter #: 1,1; Filter Type: Generic Filter Rule; Active: Yes; Offset: 0; Length: 0; Mask: N/A; Value: N/A; More: No; Log: None; Action Matched: Check Next Rule; Action Not Matched: Check Next Rule. Menu 21.1.2 - TCP/IP Filter Rule: Filter #: 1,2; Filter Type: TCP/IP Filter Rule; Active: Yes; IP Protocol: 0; IP Source Route: No; Destination IP Addr: 0.0.0.0; IP Ma
41. 1 As an example see the following figure if you have a Web server at 192 168 1 36 and a FIP server at 192 168 1 33 then you need to specify for port 80 Web the server at IP address 192 168 1 36 and for port 21 FTP another at IP address 192 168 1 33 FTP Server 192 168 1 33 Web Server Prestige 192 168 1 36 Global IP assigned by the ISP Figure Configure Multiple Servers behind NAT Please note that a server can support more than one service e g a server can provide both FTP and Mail service while another provides only Web service The following procedures show how to configure a server behind NAT Step 1 Enter 15 in the Main Menu to go to Menu 15 NAT Setup Step 2 Enter 2 to go to Menu 15 2 1 NAT Server Setup Step 3 Enter the service port number in the Port field and the inside IP address of the server in the IP Address field Step 4 Press SPACEBAR at the Press ENTER to confirm prompt to save your configuration after you define all the servers or press ESC at any time to cancel Menu 15 2 NAT Server Setup Used for SUA Only Rule Start Port No End Port No IP Address ile Defaul Default 0 0 0 0 28 All contents copyright c 2005 ZyXEL Communications Corporation XEL Oo 00 nN HD OH FP W WH e e EI H o N O m e SSS aS S 0 ao N O e SSeS aS as SS 0 Zy Prestige 2602H 6xC Support Notes 192 192 o SS O O O O O O O aes Ss Ss ono e ae SS Ss
42. Is it possible to access a server running behind SUA from the outside Internet? If possible, how? What DHCP capability does the Prestige support? How do I use the reset button? Moreover, what field of parameter will be reset by reset button? What network interface does the new Prestige series support? How does the Prestige support TFTP? Can the Prestige support TFTP over WAN? How fast can the data go? What is Multi-NAT? When do I need Multi-NAT? What IP/Port mapping does Multi-NAT support? What is the difference between SUA and Multi-NAT? What is BOOTP/DHCP? What is DDNS? When do I need DDNS service? What DDNS servers does the Prestige support? What is DDNS wildcard?
43. Does the Prestige support DDNS wildcard? Can the Prestige SUA handle IPsec packets sent by the VPN gateway behind Prestige? How do I setup my Prestige for routing IPsec packets over SUA? VoIP FAQ. What is Voice over IP? How does Voice over IP work? Why use VoIP? What is the relationship between codec and VoIP? What advantage does Voice over IP can provide? What is the difference between H.323 and SIP? Can H.323 and SIP interoperate with one another? What is voice quality? How are voice quality normally rated? What is codec? What is the relation of codec and VoIP? What codec does Prestige support? Which codec should I choose? What do I need in order to use SIP? Unable to register with the SIP server
44. 1F0782 192 317 130 Destination IP 0xCA849B61 202 132 155 97 TOP Header Source Port 0x0050 80 Destination Port Ox281E 10270 Sequence Number 0xD3E95985 3555285381 Ack Number 0x00C18F63 12685155 Header Length 20 Flags OII ARE Window Size OxFAFO 64240 Checksum 0x57 35 TABS Urgent Ptr 0x0000 0 TCP Data Length 1127 Captured 42 0000 DF 33 AF 62 58 37 52 3D 79 99 A5 3C 2B 59 E2 78 3 bX7R y lt Y x 0010 A7 98 8F 3F A9 09 E4 OF 26 14 9C 58 3E 95 3E E7 amp X gt gt 0020 FC 2A 4C 2F FB BE 2F FE EF DO Ble linear ee L RAW DATA 0000 00 AO C5 92 13 12 00 A0 C5 01 23 45 08 00 45 00 E E 0010 04 8B Bl 39 40 00 EE 06 A9 AB CO IF 07 82 CA 84 9 0020 98160110050128 1E D3 E9 59185 00 CIF 63 50 19 Maleate ance 0030 FA FO 37 55 00700 DE 33 AF 62 58 37 532 3D 79 99 755 3 BXIREY 0040 A5 3C 2B 59 E2 78 A7 98 8F 3F A9 09 E4 OF 26 14 lt Y x amp 0050 9C 58 3E 95 3E E7 FC 2A 4C 2F FB BE 2F FE EF DO X gt gt L lt 0001 gt LAN Frame ENET1 XMIT Size 54 54 Time 12387 490 sec Frame Type TCP 202 132 155 97 10270 gt 192 31 7 130 80 Me Ethernet Header Destination MAC Addr 00A0C5012345 Source MAC Addr 00A0C5921312 Network Type 0x0800 TCP IP All contents copyright c 2005 ZyXEL Communications Corporation ZyXEL Prestige 2602H 6xC Su
45. 2090 020 sec All contents copyright c 2005 ZyXEL Communications Corporation 153 ZyXEL Prestige 2602H 6xC Support Notes Frame Type TCP 192 31 7 130 80 gt 192 168 1 2 1116 Ethernet Header Destination MAC Addr 0080C84CEA63 Source MAC Addr 00A0C5921311 Network Type 0x0800 TCP IP IP Header IP Version 4 Header Length 20 Type of Service 0x00 0 Total Length 0x002C 44 Idetification OxS7F3 22515 Flags 0x02 Fragment Offset 0x00 Time to Live 0XED 237 Protocol 0x06 TCP Header Checksum OxAC8C 44172 Source IP OxCO1FO782 192 31 7 130 Destination IP 0xC0A80102 192 168 1 2 TCP Header Source Port 0x0050 80 Destination Port 0x045C 1116 Sequence Number Ox4ADIBS7F 1255257471 Ack Number 0x00BD15A8 12391848 Header Length 24 Flags OKD oer Se Window Size OxFAFO 2602HW40 Checksum OxF877 63607 Uncen Rin 0x0000 0 Options 0000 02 04 05 B4 RAW DATA 154 All contents copyright c 2005 ZyXEL Communications Corporation ZyXEL 0000 0010 0020 0030 lt 0002 gt LAN Frame ENETO RECV Ethernet Header Destination MAC Addr Source MAC Addr Network Type IP Header IP Version Header Length Type of Service Total Length Idetification Flags Fragment Offset Time to Live Protocol Header Checksum Source IP Destination IP TGR Header Source Port Destination Port Sequence Number Ack Number Hea
46. 4 1 Current Time: 00:11:38; New Time (hh:mm:ss): 00:11:36; Current Date: 2004-01-01; New Date (yyyy-mm-dd): 2004-01-01; Time Zone: GMT 0800; Daylight Saving: No; Start Date (mm-dd): 01-00; End Date (mm-dd): 01-00. Press ENTER to Confirm or ESC to Cancel. Using IP Multicast. What is IP Multicast? Traditionally, IP packets are transmitted in two ways: unicast or broadcast. Multicast is a third way to deliver IP packets to a group of hosts. Host groups are identified by class D IP addresses, i.e., those with "1110" as their higher-order bits. In dotted decimal notation, host group addresses range from 224.0.0.0 to 239.255.255.255. Among them, 224.0.0.1 is assigned to the permanent IP hosts group, and 224.0.0.2 is assigned to the multicast routers group. IGMP (Internet Group Management Protocol) is the protocol used to support multicast groups. The latest version is version 2 (see RFC2236). IP hosts use IGMP to report their multicast group membership to any immediate-neighbor multicast routers, so the multicast routers can decide if a multicast packet needs to be forwarded. At start-up, the Prestige queries all directly connected networks to gather group membership. After that, the Prestige updates the information by periodic queries. The Prestige implementation of IGMP is also compatible with version 1. The mult
47. 44:14 192.168.1.1 ZyXEL Communications Corp. Messages, in order: ppp:LCP Starting, ppp:IPCP Starting, ppp:CCP Starting, ppp:BACP Starting, ppp:IPCP Opening, ppp:CCP Opening, ppp:BACP Opening, ppp:LCP Closing, ppp:IPCP Closing, ppp:CCP Closing, ppp:BACP Closing. Using IP Alias. What is IP Alias? In a typical environment, a LAN router is required to connect two local networks. The Prestige can connect three local networks to the ISP or a remote node; we call this function IP Alias. In this case, an internal router is not required. For example, the network manager can divide the local network into three networks and connect them to the Internet using the Prestige's single user account. See the figure below. Figure: LAN1 192.168.1.0/24, LAN2 192.168.2.0/24, LAN3 192.168.3.0/24, ISP. The Prestige's IP Alias connects three local networks to the Internet. The Prestige supports three virtual LAN interfaces via its single physical Ethernet interface. The first network can be configured in menu 3.2 as usual. The second and third networks, which we call IP Alias 1 and IP Alias 2, can be configured in menu 3.2.1 - IP Alias Setup. There are three internal virtual LAN interfaces for the Prestige to route the packets from/to the three ne
48. 1. Trace LAN packet. 1.1 Disable capture of the WAN packet by entering: sys trcp channel mpoa00 none. 1.2 Enable capture of the LAN packet by entering: sys trcp channel enet0 bothway. 1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on. 1.4 Display the brief trace online by entering: sys trcd brief, or 1.5 Display the detailed trace online by entering: sys trcd parse. Example: ras> sys trcp channel mpoa00 none ras> sys trcp channel enet0 bothway ras> sys trcp sw on ras> sys trcl sw on ras> sys trcd brief 0 11880.160 ENET0 R 0062 TCP 192.168.1.2:1108 -> 192.31.7.130:80 1 11883.100 ENET0 R 0062 TCP 192.168.1.2:1108 -> 192.31.7.130:80 2 11883.330 ENET0 T 0058 TCP 192.31.7.130:80 -> 192.168.1.2:1108 3 11883.340 ENET0 R 0060 TCP 192.168.1.2:1108 -> 192.31.7.130:80 4 11883.340 ENET0 R 0339 TCP 192.168.1.2:1108 -> 192.31.7.130:80 5 11883.610 ENET0 T 0054 TCP 192.31.7.130:80 -> 192.168.1.2:1108 6 11883.620 ENET0 T 0102 TCP 192.31.7.130:80 -> 192.168.1.2:1108 7 11883.630 ENET0 T 0054 TCP 192.31.7.130:80 -> 192.168.1.2:1108 8 11883.630 ENET0 R 0060 TCP 192.168.1.2:1108 -> 192.31.7.130:80 9 11883 2602HW ENET0 R 0060 TCP 192.168.1.2:1108 -> 192.31.7.130:80 10 11883 2602HW ENET0 R 0062 TCP 192.168.1.2:1109 -> 192.31.7.130:80 ras> sys trcd parse l
49. This configuration example shows you how to use a Generic Filter to block a specific MAC address of the LAN.

Before you Begin

Before you configure the filter, you need to know the MAC address of the client first. The MAC address can be provided by the NICs. If there is the LAN packet passing through the Prestige, you can identify the uninteresting MAC address from the Prestige's LAN packet trace. Please have a look at the following example to know the trace of the LAN packets.

ras> sys trcp channel enet0 bothway
ras> sys trcp sw on
Now a client on the LAN is trying to ping Prestige
ras> sys trcp sw off
ras> sys trcp disp
TIME 37c060 enet0 RECV len 74 call 0
0000: 00 a0 c5 01 23 45 00 80 c8 4c ea 63 08 00 45 00
0010: 00 3c eb 0c 00 00 20 01 e3 ea ca 84 9b 5d ca 84
0020: 9b 63 08 00 45 5c 03 00 05 00 61 62 63 64 65 66
0030: 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76
0040: 77 61 62 63 64 65 66 67 68 69
TIME 37c060 enet0 XMIT len 74 call 0
0000: 00 80 c8 4c ea 63 00 a0 c5 01 23 45 08 00 45 00
0010: 00 3c 00 07 00 00 fe 01 f0 ef ca 84 9b 63 ca 84
0020: 9b 5d 00 00 4d 5c 03 00 05 00 61 62 63 64 65 66
0030: 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76
0040: 77 61 62 63 64 65 66 67 68 69

The detailed format of the Ethernet Version I
50. Flags = 0x02
Fragment Offset = 0x00
Time to Live = 0x80 (128)
Protocol = 0x06 (TCP)
Header Checksum = 0x3C79 (15481)
Source IP = 0xC0A80102 (192.168.1.2)
Destination IP = 0xC01F0782 (192.31.7.130)
TCP Header:
Source Port = 0x045C (1116)
Destination Port = 0x0050 (80)
Sequence Number = 0x00BD15A8 (12391848)
Ack Number = 0x4AD1B580 (1255257472)
Header Length = 20
Flags = 0x10 (.A....)
Window Size = 0x2238 (8760)
Checksum = 0xE8ED (59629)
Urgent Ptr = 0x0000 (0)
TCP Data: (Length=6, Captured=6)
0000: 20 20 20 20 20 20
RAW DATA:
0000: 00 A0 C5 92 13 11 00 80 C8 4C EA 63 08 00 45 00
0010: 00 28 35 0B 40 00 80 06 3C 79 C0 A8 01 02 C0 1F
0020: 07 82 04 5C 00 50 00 BD 15 A8 4A D1 B5 80 50 10
0030: 22 38 E8 ED 00 00 20 20 20 20 20 20

2. Trace WAN packet
1.1 Disable the capture of the LAN packet by entering: sys trcp channel enet0 none
1.2 Enable the capture of the WAN packet by entering: sys trcp channel enet1 bothway
1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on
1.4 Display the brief trace online by entering: sys trcd brief, or
1.5 Display the detailed trace online by entering: sys trcd parse

Example:
Prestige> sys trcp channel enet0 none
Prestige> sys trcp channel enet1 bothway
Prestige> sys trcp
51. 8 ZyXEL Prestige 2602H 6xC Support Notes putPoeHdr ver 1 type 1 code x09 sess id 0 len 12 x000C bdcastSendInit ll pktTx failed pch poeO ch enet0 poePutiSrvcName len 0 host unig 31303030 len 4 putPoeHdr ver 1 type 1 code x09 sess id 0 len 12 x000C Hit any key to continue SSS DIALING dev 6 ch 0 poel C ver 1 type 1 code x07 sessId x0000 len 274 x0112 poeCtrlI C pkt len 274 poeGetTags service name service name telstra service name bpa service name iprimus service name pacificinternet service name integrationisp service name bpa dev service name bpa sif service name telstrarna service name gpmsystems service name cmux service name launceston broadband service name vivanet service name n1234567k00 service name bigpond service name n7 061992k service name n3068223k service name n2155202k service name n7061995k AC name vetl exhibition bsn 1 host unig 31303030 len 4 PADO recv d chann enetl procPADO for poe chann poe0 Chann poe0 sending request poePutiSrvcName len 0 host unig 31303030 len 4 putPoeHdr ver 1 type 1 code x19 sess id 0 len 12 x000C 149 All contents copyright c 2005 ZyXEL Communications Corporation ZyXEL Undefined Address Undefined Data Ox Ox56FF54FF r0O OxE3F045C4 E3F045C4 rl 0x0001FFCO Prestige 2602H 6xC Support Notes r2 0x000000 ES
52. Connected (xxxx means connected speed, xxxxx means Remote Call ID)
C02 CLID call refused
L02 Call Terminated
C02 Call Terminated

Example:
Feb 14 16:57:17 192.168.1.1 ZyXEL Communications Corp.: board 0 line 0 channel 0, call 18, C01 Incoming Call OK
Feb 14 17:07:18 192.168.1.1 ZyXEL Communications Corp.: board 0 line 0 channel 0, call 18, C02 Call Terminated

Packet triggered log

Format: sdcmdSyslogSend(SYSLOG_PKTTRI, SYSLOG_NOTICE, String);
String = Packet trigger: Protocol=xx Data=xxxxxxxxxx
Protocol: (1:IP 2:IPX 3:IPXHC 4:BPDU 5:ATALK 6:IPNG)
Data: We will send forty-eight Hex characters to the server

Example:
Jul 19 11:28:39 192.168.102.2 ZyXEL Communications Corp.: Packet Trigger: Protocol=1, Data=4500003c100100001 010004c0a86614ca849a7b08004a5c020001006162636465666768696a6b6c6d6e6 7071 727374
Jul 19 11:28:56 192.168.102.2 ZyXEL Communications Corp.: Packet Trigger: Protocol=1, Data=4500002c1b0140001 f06b50ec0a86614ca849a7b0427001 700195b3e00000000600220008cd40000020405b4

Filter log

This message is available when the 'Log' is enabled in the filter rule setting. The message consists of the packet header and the log of the filter rules.

Format: sdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String);
String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD
IP is the
53. LA4<->IGA2
Many to Many No Overload: ILA1<->IGA1, ILA2<->IGA2, ILA3<->IGA3, ILA4<->IGA4
Server: Server 1 IP<->IGA1, Server 2 IP<->IGA1

What is the difference between SUA and Multi-NAT?

SUA (Single User Account) in previous ZyNOS versions is a NAT set with 2 rules: Many-to-One and Server. The Prestige now has Full Feature NAT support to map global IP addresses to local IP addresses of clients or servers. With multiple global IP addresses, multiple servers of the same type (e.g., FTP servers) are allowed on the LAN for outside access. In previous ZyNOS versions that supported SUA, 'visible' servers had to be of different types. The Prestige supports NAT sets on a remote node basis. They are reusable, but only one set is allowed for each remote node. The Prestige supports 2 sets since there is only one remote node. The default SUA (Read Only) Set in menu 15.1 is a convenient, pre-configured, read-only, Many-to-One mapping set, sufficient for most purposes and helpful to people already familiar with SUA in previous ZyNOS versions.

What is BOOTP/DHCP?

BOOTP stands for Bootstrap Protocol. DHCP stands for Dynamic Host Configuration Protocol. Both are mechanisms to dynamically assign an IP address for a TCP/IP client by the server. In this case, the Prestige Internet Access Sharing Router is a BOOTP/DHCP server. Win95 and WinNT clients use DHCP to request an internal IP address, while WFW and Wi
54. Local/Global IP Addresses
- SUA
- One to One
- Many to One
- Many to Many Overload
- Many One to One
- Server

The following table summarizes these types.

NAT Type: IP Mapping
One to One: ILA1<->IGA1
Many to One (SUA/PAT): ILA1<->IGA1, ILA2<->IGA1
Many to Many Overload: ILA1<->IGA1, ILA2<->IGA2, ILA3<->IGA1, ILA4<->IGA2
Many to Many No Overload: ILA1<->IGA1, ILA2<->IGA2, ILA3<->IGA3, ILA4<->IGA4
Server: Server 1 IP<->IGA1, Server 2 IP<->IGA1

About Filter & Filter Examples

How does ZyXEL filter work?

Filter Structure

The Prestige allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. The following diagram illustrates the logic flow when executing a filter rule.

[Figure: filter logic flow, with the steps Fetch Next Filter Set, Execute Filter Rule, Forward/Accept Packet and Drop Packet]
55. MIRC, PPTP, ICQ, CU-SeeMe, NetMeeting, IP TV, RealPlayer, VDOLive, Quake, QuakeII, QuakeIII, StarCraft & Quick Time.

How can I configure the Prestige?

a. Telnet remote management: menu-driven user interface for easy remote management.
b. Web browser: web server embedded for easy configurations.

What network interface does the Prestige support?

The Prestige supports 10/100M Ethernet to connect to the LAN computer or hub/switch and 10/100M ADSL interface to the ISP.

What can we do with Prestige?

Browse the World Wide Web (WWW), send and receive individual e-mail, and download software. These are just a few of many benefits you can enjoy when you put the whole office on-line with the Prestige Internet Access Sharing Router.

Does Prestige support dynamic IP addressing?

The Prestige supports either a static or dynamic IP address from ISP.

What is the difference between the internal IP and the real IP from my ISP?

Internal IPs are sometimes referred to as virtual IPs. They are a group of up to 255 IPs that are used and recognized internally on the local area network. They are not intended to be recognized on the Internet. The real IP from the ISP, instead, can be recognized or pinged by another real IP. The Prestige Internet Access Sharing Router works like an intelligent router that routes between the virtual IP and the real IP.

How d
56. Many to Many Overload, Many to Many No Overload and Server. The details of the mapping between ILA and IGA are described as below. Here we define the local IP addresses as the Internal Local Addresses (ILA) and the global IP addresses as the Inside Global Address (IGA).

1. One to One: In One-to-One mode, the Prestige maps one ILA to one IGA.
2. Many to One: In Many-to-One mode, the Prestige maps multiple ILA to one IGA. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyNOS routers supported (the SUA only option in today's routers).
3. Many to Many Overload: In Many-to-Many Overload mode, the Prestige maps the multiple ILA to shared IGA.
4. Many to Many No Overload: In Many-to-Many No Overload mode, the Prestige maps each ILA to unique IGA.
5. Server: In Server mode, the Prestige maps multiple inside servers to one global IP address. This allows us to specify multiple servers of different types behind the NAT for outside access. Note: if you want to map each server to one unique IGA, please use the One-to-One mode.

The following table summarizes these types.

NAT Type: IP Mapping
One to One: ILA1<->IGA1
Many to One (SUA/PAT): ILA1<->IGA1, ILA2<->IGA1
Many to Many Overload: ILA1<->IGA1, ILA2<->IGA2, ILA3<->IGA1, I
57. P Address for the workstation you want to block. See the procedure for configuring this filter below.

o Create a filter set in Menu 21, e.g., set 1
o Create three filter rules in Menu 21.1.1, Menu 21.1.2, Menu 21.1.3
  Rule 1: block the HTTP packet, TCP (06) protocol with port number 80
  Rule 2: block the DNS packet, TCP (06) protocol with port number 53
  Rule 3: block the DNS packet, UDP (17) protocol with port number 53
o Apply the filter set in menu 4

1. Create a filter set in Menu 21

Menu 21 - Filter Set Configuration
Filter Set # / Comments: 1 Web Request; 2 to 12 empty
Enter Filter Set Number to Configure= 1
Edit Comments=
Press ENTER to Confirm or ESC to Cancel

2. Rule one for (a) http packet, TCP(06)/Port number 80

Menu 21.1.1 - TCP/IP Filter Rule
Filter #: 1,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6
IP Source Route= No
Destination: IP Addr= 0.0.0.0, IP Mask= 0.0.0.0, Port #= 80, Port # Comp= Equal
Source: IP Addr= 0.0.0.0, IP Mask= 0.0.0.0, Port #= , Port # Comp= None
TCP Estab= No
More= No
Log= None
Action Matched= Drop
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel

3. Rule 2 for (b) DNS request, TCP(06)/Port number 53

Menu 21.1.2 - TCP/IP Filter Rule
Filter #: 1,2
Filter Typ
58. Prestige 2602H-6xC ADSL VoIP IAD Support Notes, Version 3.40, March 2005

INDEX
Application Notes
General Application Notes
Internet Connection
Setup the Prestige as a DHCP Relay
Configure an Internal Server Behind SUA
Configure a PPTP server Behind SUA
Using NAT / Multi-NAT
About Filter & Filter Examples
Using the Dynamic DNS (DDNS)
Network Management Using SNMP
Using SYSLOG
Using IP Alias
Using Call Scheduling
Using IP Multicast
Using Prestige traffic redirect
Using Universal Plug n Play (UPnP)
59. Sets: protocol filters, device filters.

SMT will also prevent you from entering a protocol filter set configured in Menu 21 to the device filters field in Menu 3.1, 11.5, or entering a device filter set to the protocol filters field. Even though SMT will prevent the inconsistency from being entered in ZyNOS, it is unable to resolve the intermixing problems existing in the filter sets that were configured before. Instead, when ZyNOS translates the old configuration into the new format, it will verify the filter rules and log the inconsistencies. Please check the system log (Menu 24.3.1) before putting your device into use. In order to avoid operational problems later, the Prestige will disable its routing/bridging functions if there is an inconsistency among its filter rules.

Filter for blocking the web service

Configuration

Before configuring a filter, you need to know the following information:
1. The outbound packet type (protocol & port number)
2. The source IP address

Generally, the outbound packets for Web service could be as following:
a. HTTP packet, TCP (06) protocol with port number 80
b. DNS packet, TCP (06) protocol with port number 53, or
c. DNS packet, UDP (17) protocol with port number 53

For all workstations on the LAN, the source IP address will be 0.0.0.0. Otherwise, you have to enter an I
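The three-rule web-blocking filter set from these support notes, modelled as an added example (not ZyXEL code) to show how "Action Matched" and "Action Not Matched" chain through a set. The class and function names are hypothetical, and two behaviours are assumptions the excerpts do not state: the last rule forwards on no match, and a packet that no rule decides is forwarded.

```python
import ipaddress
from dataclasses import dataclass

FORWARD, DROP, CHECK_NEXT = "Forward", "Drop", "Check Next Rule"
MAX_RULES_PER_SET = 6  # the notes allow six rules in each filter set


@dataclass(frozen=True)
class Packet:
    """Constructed outbound packet summary (not captured traffic)."""
    src_ip: str
    protocol: int  # 6 = TCP, 17 = UDP
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """Subset of the Menu 21.1.x TCP/IP Filter Rule fields."""
    protocol: int                  # IP Protocol
    dst_port: int                  # Destination Port, Port Comp = Equal
    src_ip: str = "0.0.0.0"        # 0.0.0.0 / 0.0.0.0 matches every source
    src_mask: str = "0.0.0.0"
    matched: str = DROP            # Action Matched
    not_matched: str = CHECK_NEXT  # Action Not Matched


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def rule_matches(rule, pkt):
    mask = _to_int(rule.src_mask)
    same_source = (_to_int(pkt.src_ip) & mask) == (_to_int(rule.src_ip) & mask)
    return (same_source
            and pkt.protocol == rule.protocol
            and pkt.dst_port == rule.dst_port)


def run_filter_set(rules, pkt):
    """Walk the rules in order until one yields Forward or Drop."""
    if len(rules) > MAX_RULES_PER_SET:
        raise ValueError("a filter set holds at most six rules")
    for rule in rules:
        action = rule.matched if rule_matches(rule, pkt) else rule.not_matched
        if action != CHECK_NEXT:
            return action
    return FORWARD  # assumption: an undecided packet is forwarded


def web_block_set(src_ip="0.0.0.0", src_mask="0.0.0.0"):
    """Rules 1-3 of the notes: HTTP on TCP/80, DNS on TCP/53, DNS on UDP/53."""
    return [
        Rule(6, 80, src_ip, src_mask),
        Rule(6, 53, src_ip, src_mask),
        # assumption: the final rule forwards whatever it does not match
        Rule(17, 53, src_ip, src_mask, not_matched=FORWARD),
    ]


if __name__ == "__main__":
    whole_lan = web_block_set()
    for pkt in (Packet("192.168.1.33", 6, 80),    # HTTP
                Packet("192.168.1.33", 17, 53),   # DNS over UDP
                Packet("192.168.1.33", 6, 443)):  # not covered by the set
        print(pkt, "->", run_filter_set(whole_lan, pkt))
```

Running the set against a port the three rules do not name (443 here) shows what the filter leaves open, which is the check to make before relying on it to block web access.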
60. Size = 0xFAF0 (2602HW40)
Checksum = 0x3735 (14133)
Urgent Ptr = 0x0000 (0)
TCP Data: (Length=1127, Captured=42)

Offline Trace
1. Trace LAN packet
2. Trace WAN packet

1. Trace LAN packet
1.1 Disable the capture of the WAN packet by entering: sys trcp channel mpoa00 none
1.2 Enable the capture of the LAN packet by entering: sys trcp channel enet0 bothway
1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on
1.4 Wait for packet passing through the Prestige over LAN
1.5 Disable the trace log by entering: sys trcp sw off & sys trcl sw off
1.6 Display the trace briefly by entering: sys trcp brief
1.7 Display specific packets by using: sys trc
61. The Prestige supports traces when there is a problem connecting to your ISP using the PPPoE protocol. Please follow the procedure below to collect the trace for our troubleshooting.

1. Remove the LAN cable attached on the Prestige.
2. Enter SMT using console port.
3. Enter Menu 24.8, CI command mode.
4. Type the following commands:
   sys trcp sw on (turn on packet trace)
   sys errctl 3 (save crash information and make system enter debug mode after the crash)
   poe debug 1 (turn on pppoe debug)
   dev dial 1 (dial remote node 1)
5. After all, if the Prestige crashes and you can do nothing, please send the above log back to us.
6. If the Prestige crashes and you are able to enter commands, please type 'atds' in debug mode to dump the log and send the log to us.
7. If the Prestige does not crash but just can not dial out, please capture the following further log and send us the log:
   sys trcp sw off (turn off packet trace)
   sys log disp (capture system error log)
   sys trcp parse (parse the trace in detail)

Example: A trace with system crashes

ras> sys trcp sw on
ras> sys errctl 3
ras> poe debug 1
ras> dev dial 1
Start dialing for node <GPMI>
poeNetCmdExe chann poe0 event x420
poeChannDial start session peer <GPMI>
bdcastInit pch poe0
poePut1SrvcName len 0
host uniq 31303030 len 4
62. ack

Teardrop attack exploits weakness in the reassembly of the IP packet fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks. Each fragment looks like the original packet except that it contains an offset field. The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang, or reboot.

What is SYN Flood attack?

SYN attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the TCP three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.

What is LAND attack?

In a LAND attack, hackers flood SYN packets to the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.
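The three attack descriptions above translate directly into detection checks. The following is an added example, not part of the support notes: the packet records are constructed summaries, the function names are hypothetical, and the backlog limit of 4 is an arbitrary value chosen for the sample.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""                    # "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    ip_id: int = 0
    frag_offset: Optional[int] = None  # byte offset; None = not a fragment
    data_len: int = 0                  # bytes of data carried by the fragment


def find_land(pkts):
    """LAND: a SYN whose source address equals its destination address."""
    return [p for p in pkts if p.flags == "S" and p.src == p.dst]


def find_overlapping_fragments(pkts):
    """Teardrop: fragments of one datagram whose byte ranges overlap."""
    groups = defaultdict(list)
    for p in pkts:
        if p.frag_offset is not None:
            groups[(p.src, p.dst, p.ip_id)].append(p)
    flagged = []
    for key, frags in groups.items():
        end = 0
        for f in sorted(frags, key=lambda p: p.frag_offset):
            if f.frag_offset < end:    # starts inside data already covered
                flagged.append(key)
                break
            end = max(end, f.frag_offset + f.data_len)
    return sorted(flagged)


def find_full_backlogs(pkts, backlog_limit):
    """SYN flood: targets whose count of unanswered SYNs fills the backlog."""
    pending = defaultdict(set)
    for p in pkts:
        peer = (p.src, p.sport)
        if p.flags == "S":
            pending[(p.dst, p.dport)].add(peer)      # handshake opened
        elif p.flags == "A":
            pending[(p.dst, p.dport)].discard(peer)  # handshake completed
    return sorted(t for t, peers in pending.items()
                  if len(peers) >= backlog_limit)


# Constructed sample traffic; 203.0.113.0/24 is a documentation range.
SAMPLE = [
    # a normal three-way handshake
    Pkt("192.168.1.2", "192.31.7.130", 1108, 80, "S"),
    Pkt("192.31.7.130", "192.168.1.2", 80, 1108, "SA"),
    Pkt("192.168.1.2", "192.31.7.130", 1108, 80, "A"),
    # four SYNs that are never followed by an ACK
    Pkt("203.0.113.1", "192.168.1.10", 4001, 80, "S"),
    Pkt("203.0.113.2", "192.168.1.10", 4002, 80, "S"),
    Pkt("203.0.113.3", "192.168.1.10", 4003, 80, "S"),
    Pkt("203.0.113.4", "192.168.1.10", 4004, 80, "S"),
    # source address equals destination address
    Pkt("192.168.1.10", "192.168.1.10", 139, 139, "S"),
    # well-formed fragments: the second starts where the first ends
    Pkt("192.168.1.2", "192.31.7.130", ip_id=7, frag_offset=0, data_len=1480),
    Pkt("192.168.1.2", "192.31.7.130", ip_id=7, frag_offset=1480, data_len=520),
    # overlapping fragments: the second starts inside the first
    Pkt("203.0.113.9", "192.168.1.10", ip_id=242, frag_offset=0, data_len=36),
    Pkt("203.0.113.9", "192.168.1.10", ip_id=242, frag_offset=24, data_len=4),
]

if __name__ == "__main__":
    print("LAND:", find_land(SAMPLE))
    print("Overlapping fragments:", find_overlapping_fragments(SAMPLE))
    print("Full backlogs:", find_full_backlogs(SAMPLE, backlog_limit=4))
```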
63. address (IGA). N/A

Type: This is the NAT mapping types. Many-to-One and Server.

Please note that the fields in this menu are read-only. However, the settings of the server set 1 can be modified in menu 15.1.1. Now let's look at Option 1 in Menu 15.1.1. Enter 1 to bring up this menu.

Menu 15.1.1 - Address Mapping Rules
Set Name=
Idx, Local Start IP, Local End IP, Global Start IP, Global End IP, Type
1 to 10: empty
Action= Edit, Select Rule=
Press ENTER to Confirm or ESC to Cancel

We will just look at the differences from the previous menu. Note that this screen is not read only, so we have extra Action and Select Rule fields. Note also that the in the Set Name field means that this is a required field and you must enter a name for the set. The description of the other fields is as described above. The Type, Local and Global Start/End IPs are configured in Menu 15.1.1 (described later) and the values are displayed here.

Field / Description / Option
Set Name: Enter a name for this set of rules. This is a required field. Please note that if this field is left blank, the entire set will be deleted. Option: Rule1
Action: They are 4 actions. The default is Edit. Edit means you want to edit a selected rule (see following field). Insert Before means to insert a new rule before the rule selected. The rule after the selected rule will the
64. I can register but can not establish a call
I can make a call but the voice only goes one way, not bothway
I can receive a call but the voice only goes one way, not bothway
If all the above have been tried but register still fails, what should I do?
I suspect there is a hardware problem with my Prestige, what should I do?
Firewall FAQ
What is a network firewall?
What makes Prestige firewall secure?
What are the basic types of firewalls?
What kind of firewall is the Prestige?
Why do you need a firewall when your router has packet filtering and NAT built in?
What is Denials of Service (DoS) attack?
What is Ping of Death attack?
What is Teardrop attack?
What is SYN Flood attack?
What is LAND attack?
What is Brute force attack
65. ample

Type: One-to-One, Many-to-One, Many-to-Many Overload, Many-to-Many No Overload, Server. Press [SPACEBAR] to toggle through a total of 5 types. These are the mapping types discussed above plus a server type. Some examples follow to clarify these a little more.

This is the starting local IP address (ILA). Example: 0.0.0.0

This is the ending local IP address (ILA). If the rule is for all local IPs, then put the Start IP as 0.0.0.0 and the End IP as 255.255.255.255. This field is N/A for One-to-One type. Example: 255.255.255.255

This is the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global Start IP.

This is the ending global IP address (IGA). This field is N/A for One-to-One, Many-to-One and Server types. Example: 200.1.1.64

Note: For all Local and Global IPs, the End IP address must begin after the IP Start address, i.e., you cannot have an End IP address beginning before the Start IP address.

NAT Server Sets

The NAT Server Set is a list of LAN side servers mapped to external ports (similar to the old SUA menu of before). If you wish, you can make inside servers for different services, e.g., Web or FTP, visible to the outside users, even though NAT makes your network appear as a single machine to the outside world. A server is identified by the port number, e.g., Web service is on port 80 and FTP on port 2
66. and Duration of this schedule.

Apply the schedule to the Remote node

Multiple scheduling rules can be programmed in a Remote node and they have priority. For example, if we program the sets as 1,2,3,4 in remote node, then the set 1 will override set 2,3,4; set 2 will override 3,4, and so on.

Menu 11.1 - Remote Node Profile
Rem Node Name= MyISP
Active= Yes
Encapsulation= PPPoE
Service Type= Standard
Service Name=
Outgoing:
My Login= cso zyxel
My Password=
Retype to Confirm=
Authen= CHAP/PAP
Route= IP
Edit IP= No
Telco Option:
Allocated Budget(min)= 0
Period(hr)= 0
Schedules= 1,2,3,4
Nailed-Up Connection= No
Session Options:
Edit Filter Sets= No
Idle Timeout(sec)= 100
Edit Traffic Redirect= No
Press ENTER to Confirm or ESC to Cancel

Time Service in Prestige

There is no RTC (Real-Time Clock) chip, so the Prestige should launch a mechanism to get current time and date from external server in boot time. Time service is implemented by the Daytime protocol (RFC 867), Time protocol (RFC 868), and NTP protocol (RFC 1305). You have to assign an IP address of a time server, and then the Prestige will get the date, time, and time zone information from this server.

Menu 24.10 - System Maintenance - Time and Date Setting
Use Time Server when Bootup= Daytime (RFC-867)
Time Server IP Address= 202.132.135
67. and IGA3 from the ISP. We have two very busy internal FTP servers and also an internal general server for the web and mail. In this case, we want to assign the 3 IGAs by the following way using 4 NAT rules.

Rule 1 (One-to-One type) to map the FTP Server 1 with ILA1 (192.168.1.10) to IGA1.
Rule 2 (One-to-One type) to map the FTP Server 2 with ILA2 (192.168.1.11) to IGA2.
Rule 3 (Many-to-One type) to map the other clients to IGA3.
Rule 4 (Server type) to map a web server and mail server with ILA3 (192.168.1.20) to IGA3. Type Server allows us to specify multiple servers, of different types, to other machines behind NAT on the LAN.

Step 1: In this case, we need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore we must choose the Full Feature option from the NAT field in menu 4 or menu 11.3, and assign IGA3 to Prestige's WAN IP Address.

Menu 4 - Internet Access Setup
ISP's Name= MyISP
Encapsulation= PPPoE
Service Type= N/A
My Login= cso zyxel
My Password=
Retype to Confirm=
Idle Timeout= 100
IP Address Assignment= Static
IP Address= IGA3
IP Subnet Mask= N/A
Gateway IP Address= N/A
Network Address Translation= Full Feature
Press ENTER to Confirm or ESC to Cancel

Step 2: Go to menu 15.1 and choose 1 (not 255, SUA this time) to begin configuring this new set. E
68. ay cause many unexpected problems. If you have a NAT router before it, we suggest using a VoIP ATA (VoIP Analog Telephone Adapter) such as the Prestige ATA series.

I can register but can not establish a call

If you can register to the server but can not make a call, very likely there is a NAT router or firewall before it which is blocking it. We do not suggest having a NAT router before it, as it may cause many unexpected problems. If you have a NAT router before it, we suggest using a VoIP ATA (VoIP Analog Telephone Adapter) such as the Prestige ATA series. If the problem is a firewall before it, please check with the firewall manager to make sure the SIP protocol is allowed to pass through the firewall and the range of RTP ports is allowed through the firewall.

I can make a call but the voice only goes one way, not bothway

If you can register to the server and can make a call (signal establishment) but the voice only goes one way, it is very likely there is a NAT router or firewall before it; please see the NAT/firewall related question above.

I can receive a call but the voice only goes one way, not bothway

If you can register to the server but can only make outgoing calls and can not receive incoming calls, or the incoming call signal establishment can be made but voice only goes one way, very likely there is a NAT/firewall router before it; please see the NAT/firewall related question above for tips to troubleshoot.
69. can someone still sniff the SSID?
What are Insertion Attacks?
What is Wireless Sniffer?
What is the difference between Open System and Shared Key of Authentication Type?
What is 802.1X?
What is the difference between No authentication required, No access allowed and Authentication required?
What is AAA?
What is RADIUS?
What is WPA?
What is WPA-PSK?
Trouble Shooting
Using Embedded Packet Traces
Debug PPPoE Connection
CLI Command List

Application Notes

General Application Notes

Internet Connection

A typical Internet access application of the Prestige is shown below. For a small office, there are some components that need to be checked before accessing the Internet. B
70. cess control decisions based on IP address and protocol. They also 'inspect' the session data to assure the integrity of the connection and to adapt to dynamic protocols. The flexible nature of Stateful Inspection firewalls generally provides the best speed and transparency; however, they may lack the granular application level access control or caching that some proxies support.

What kind of firewall is the Prestige?

1. The Prestige's firewall inspects packet contents and IP headers. It is applicable to all protocols, and understands that data in the packet is intended for other layers, from the network layer up to the application layer.
2. The Prestige's firewall performs stateful inspection. It takes into account the state of connections it handles so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in. Conversely, an incoming packet masquerading as a response to a nonexistent outbound request can be blocked.
3. The Prestige's firewall uses session filtering, i.e., smart rules that enhance the filtering process and control the network session rather than control individual packets in a session.
4. The Prestige's firewall is fast. It uses a hashing function to search the matched session cache instead of going through every individual rule for a packet.
5. The Prestige's firewall provides email service to notify you of routine reports and when alerts occur.
71. d helpful to people already familiar with SUA in previous ZyNOS versions.

SMT Menus

1. Applying NAT in the SMT Menus

You apply NAT via menus 4 and 11.3 as displayed next. The next figure shows how you apply NAT for Internet access in menu 4. Enter 4 from the Main Menu to go to Menu 4 - Internet Access Setup.

Menu 4 - Internet Access Setup
ISP's Name= MyISP
Encapsulation= PPPoE
Multiplexing= LLC-based
VPI #= 0
VCI #=
ATM QoS Type= UBR
Peak Cell Rate (PCR)= 0
Sustain Cell Rate (SCR)= 0
Maximum Burst Size (MBS)= 0
My Login= cso zyxel
My Password= ********
Idle Timeout (sec)= 0
IP Address Assignment= Dynamic
IP Address= N/A
Network Address Translation= Full Feature
Address Mapping Set= 1
Press ENTER to Confirm or ESC to Cancel

The following table describes the options for Network Address Translation.

Field: Network Address Translation
Full Feature: When you select this option the SMT will use Address Mapping Set 1 (Menu 15.1 - see later for further discussion).
None: NAT is disabled when you select this option.
SUA Only: When you select this option the SMT will use Address Mapping Set 255 (Menu 15.1 - see later for further discussion). This option use basically Many to One
72. ddress of the Prestige router in the URL location to retrieve the web screen from the Prestige. The default LAN IP of the Prestige is 192.168.1.1. See the example below. Note that you can either use http://192.168.1.1

2. Login first. The default password is the default SMT password, '1234'.

[Screenshot: Prestige 2602HW-61 login page. Enter Password and click Login.]

3. Configure Prestige for Internet access by using WIZARD SETUP. The Web screen shown below takes PPPoE as the example.

[Screenshot: Wizard Setup - ISP Parameters for Internet Access. Mode: Routing; Encapsulation: PPPoE; Multiplex: LLC; Virtual Circuit ID: VPI 0, VCI 33]

Select Dynamic if the ISP provides the IP dynamically, otherwise select Use Fixed IP address and enter the static IP given by ISP in the box following MY WAN IP Address field.

[Screenshot: Wizard Setup - ISP Parameters for Internet Access. Service Name: Any; User Name: test zyxel; Password; IP Address: Obtain an IP Address Automatically or Static IP Address; Connection: Connect on Demand with Max Idle Timeout 0 sec, or Nailed-Up Connection; Network Address Translation: SUA Only]

Setup the Prestige a
73. der Length Flags Window Size
  00 80 C8 4C EA 63 00 A0 C5 92 13 11 08 00 45 00
  00 2C 57 F3 40 00 ED 06 AC 8C C0 1F 07 82 C0 A8
  01 02 00 50 04 5C 4A D1 B5 7F 00 BD 15 A8 60 12
  FA F0 F8 77 00 00 02 04 05 B4
Size: 60/60 Time: 12090.210 sec
Frame Type: TCP 192.168.1.2:1116 -> 192.31.7.130:80
Ethernet Header
  Destination MAC Addr: 00A0C5921311
  Source MAC Addr: 0080C84CEA63
  Network Type: 0x0800 (TCP/IP)
IP Header
  IP Version: 4
  Type of Service: 0x00 (0)
  Total Length: 0x0028 (40)
  Identification: 0x350B (13579)
  Flags: 0x02
  Fragment Offset: 0x00
  Time to Live: 0x80 (128)
  Protocol: 0x06 (TCP)
  Header Checksum: 0x3C79 (15481)
  Source IP: 0xC0A80102 (192.168.1.2)
  Destination IP: 0xC01F0782 (192.31.7.130)
TCP Header
  Source Port: 0x045C (1116)
  Destination Port: 0x0050 (80)
  Sequence Number: 0x00BD15A8 (12391848)
  Ack Number: 0x4AD1B580 (1255257472)
  Header Length: 20
  Flags: 0x10 (.A....)
  Window Size: 0x2238 (8760)
  Checksum: 0xE8ED (59629)
  Urgent Ptr: 0x0000 (0)
TCP Data (Length=6, Captured=6)
  0000: 20 20 20 20 20 20
RAW DATA
  0000: 00 A0 C5 92 13 11 00 80 C8 4C EA 63 08 00 45 00
  0010: 00 28 35 0B 40 00 80 06 3C 79 C0 A8 01 02 C0 1F
  0020: 07 82 04 5C 00 50 00 BD 15 A8 4A D1 B5 80 50 10
  0030: 22 38 E8 ED 00 00 20 20 20 20 20 20
2. Trace WAN packet
1.1 Disable the capture of the LAN packet by entering: sys trcp channel enet0 none
1.2 Enable the capture of the WAN packet by entering: sys trcp channel mpoa00 bothway
1.3 Enable the trace log by entering: sys trcp sw on a
74. dress in Prestige. In this case, the VPN connection can only be initiated from the dynamic side to the fixed side in order to update its dynamic IP to the fixed side. However, if both gateways use dynamic IP addresses, there is no way to establish a VPN connection at all.
What VPN gateway that has been tested with Prestige successfully?
We have tested Prestige successfully with the following third-party VPN gateways:
- Cisco 1720 Router, IOS 12.2(2)XH, IP/ADSL/FW/IDS PLUS IPSEC 3DES
- NetScreen 5, ScreenOS 2.6.0r6
- SonicWALL SOHO 2
- WatchGuard Firebox II
- ZyXEL Prestige 100
- Avaya VPN
- Netopia VPN
- Il VPN
What VPN software that has been tested with Prestige successfully?
We have tested Prestige successfully with the following third-party VPN software:
- SafeNet Soft-PK 3DES edition
- Checkpoint Software
- SSH Sentinel 1.4
- SecGo IPSec for Windows
- F-Secure IPSec for Windows
- KAME IPSec for UNIX
- Nortel IPSec for UNIX
- Intel VPN v. 6.90
- FreeS/WAN for Linux
- SSH Remote ISAKMP Testing Page, http://isakmp-test.ssh.fi/cgi-bin/nph-isakmp-test
- Windows 2000, Windows XP IPSec
Will ZyXEL support Secure Remote Management?
Yes, we will support it and we are working on it currently.
Does Prestige VPN support NetBIOS broadcast?
The current 3.50 firmware release does not support it, but it is in our wish list.
Is th
75. e TCP/IP Filter Rule
  Active: Yes
  IP Protocol: 6
  IP Source Route: No
  Destination IP Addr: 0.0.0.0
  IP Mask: 0.0.0.0
  Port: 53
  Port Comp: Equal
  Source IP Addr: 0.0.0.0
  IP Mask: 0.0.0.0
  Port:
  Port Comp: None
  TCP Estab: No
  More: No
  Log: None
  Action Matched: Drop
  Action Not Matched: Check Next Rule
  Press ENTER to Confirm or ESC to Cancel
4. Rule 3 for (c) DNS packet: UDP (17), port number 53
Menu 21.1.2 - TCP/IP Filter Rule
  Filter #: 1,2
  Filter Type: TCP/IP Filter Rule
  Active: Yes
  IP Protocol: 17
  IP Source Route: No
  Destination IP Addr: 0.0.0.0
  IP Mask: 0.0.0.0
  Port: 53
  Port Comp: Equal
  Source IP Addr: 0.0.0.0
  IP Mask: 0.0.0.0
  Port:
  Port Comp: None
  TCP Estab: No
  More: No
  Log: None
  Action Matched: Drop
  Action Not Matched: Forward
  Press ENTER to Confirm or ESC to Cancel
5. After the three rules are completed, you will see the rule summary in Menu 21.
Menu 21.1 - Filter Rules Summary
  #  A  Type  Filter Rules                               M m n
  1  Y  IP    Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=80        N D N
  2  Y  IP    Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=53        N D N
  3  Y  IP    Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=53       N D F
6. Apply the filter set to the Output Protocol Filter Set in the remote node setup.
A filter for blocking a specific cli
76. e VPN
How many VPN connections does Prestige support?
What VPN protocols are supported by Prestige?
What types of encryption does Prestige VPN support?
What types of authentication does Prestige VPN support?
I am planning my Prestige to Prestige VPN configuration. What do I need to know?
Does Prestige support dynamic secure gateway IP?
What VPN gateway that has been tested with Prestige successfully?
What VPN software that has been tested with Prestige successfully?
Will ZyXEL support Secure Remote Management?
Does Prestige VPN support NetBIOS broadcast?
Is the host behind NAT allowed to use IPSec?
Why does VPN throughput decrease when staying in SMT menu 24.1?
Where can I configure Phase 1 ID in Prestige?
If I have NAT router between two VPN gateways and I would like to use IP type as Phase 1 ID, what should I know?
How can I keep a tunnel alive
77. e current circuit switching PSTN can not.
What is the difference between H.323 and SIP?
H.323 and SIP are proposed by different groups. Session Initiation Protocol (SIP) is a standard introduced by the Internet Engineering Task Force in 1999 to carry voice over IP. Since it was created by the IETF, it approaches voice and multimedia from the Internet, or IP, perspective. H.323, on the other hand, emerged around 1996 and, as an International Telecommunication Union standard, was designed from a telecommunications perspective. Both standards have the same objective: to enable voice and multimedia convergence with IP protocols.
Can H.323 and SIP interoperate with one another?
In interoperability between the two, the industry is making slow but sure progress. Interoperability must first happen between vendor implementations of the same protocol (SIP to SIP and H.323 to H.323) and then between protocols. Currently, in order for a SIP client to talk to an H.323 client, the ITSP must have a trunking gateway act as a translator between the two protocols; without the trunking gateway, the two protocols are not able to communicate with one another.
What is voice quality?
Voice quality is how well a person can hear the voice on the opposite end.
How is voice quality normally rated?
Voice quality is most commonly rated through a voice quality metric called the Mean Opinion Score (MOS), which is a recommendation by ITU-T. The MOS is a 5-point scale where 5 represent excel
78. e host behind NAT allowed to use IPSec?
  VPN Gateway embedded NAT: AH tunnel mode, ESP tunnel mode
  VPN client/gateway behind NAT: ESP tunnel mode
  NAT in Transport mode: None
The NAT router must support IPSec pass-through. For example, for Prestige SUA/NAT routers, IPSec pass-through is supported since ZyNOS 3.21. The default port and the client IP have to be specified in menu 15, SUA Server Setup.
Why does VPN throughput decrease when staying in SMT menu 24.1?
If Prestige stays in menu 24.1, 24.8 and 27.3, a certain amount of memory is allocated to generate the required statistics. So we do not suggest staying in menu 24.1, 27.3 and 24.8 when VPN is in use.
Where can I configure Phase 1 ID in Prestige?
Phase 1 ID can be configured in the VPN setup menu as follows. Note that you can make such configuration in either the web configurator or the SMT menu.
  IPSec Key Mode: IKE
  Negotiation Mode: Aggressive
  Encapsulation Mode: Tunnel
  DNS Server (for IPSec VPN): 0.0.0.0
  Local
    Local Address Type: Subnet
    IP Address Start: <Prestige LAN>
    End / Subnet Mask: 255.255.255.0
  Remote
    Remote Address Type: Subnet
    IP Address Start: <PeerLAN>
    End / Subnet Mask: 255.255.255.0
  Address Information
    Local ID Type: IP
    Content:
    My IP Address:
    Peer ID Type: E-mail
    Content: <Sonicwall
79. e of Service: 0x00 (0)
  Total Length: 0x0030 (48)
  Identification: 0x330B (13067)
  Flags: 0x02
  Fragment Offset: 0x00
  Time to Live: 0x80 (128)
  Protocol: 0x06 (TCP)
  Header Checksum: 0x3E71 (15985)
  Source IP: 0xC0A80102 (192.168.1.2)
  Destination IP: 0xC01F0782 (192.31.7.130)
TCP Header
  Source Port: 0x045C (1116)
  Destination Port: 0x0050 (80)
  Sequence Number: 0x00BD15A7 (12391847)
  Ack Number: 0x00000000 (0)
  Header Length: 28
  Flags: 0x02 (....S.)
  Window Size: 0x2000 (8192)
  Checksum: 0xBEC3 (48835)
  Urgent Ptr: 0x0000 (0)
  Options
    0000: 02 04 05 B4 01 01 04 02
RAW DATA
  0000: 00 A0 C5 92 13 11 00 80 C8 4C EA 63 08 00 45 00
  0010: 00 30 33 0B 40 00 80 06 3E 71 C0 A8 01 02 C0 1F
  0020: 07 82 04 5C 00 50 00 BD 15 A7 00 00 00 00 70 02
  0030: 20 00 BE C3 00 00 02 04 05 B4 01 01 04 02
<0001> LAN Frame: ENET0-XMIT Size: 58/58 Time: 12090.020 sec
Frame Type: TCP 192.31.7.130:80 -> 192.168.1.2:1116
Ethernet Header
  Destination MAC Addr: 0080C84CEA63
  Source MAC Addr: 00A0C5921311
  Network Type: 0x0800 (TCP/IP)
IP Header
  IP Version: 4
  Header Length: 20
  Type of Service: 0x00 (0)
  Total Length
80. e operation to be performed (Get, Set, and so on) and the object values involved in the operation. The following figure shows the SNMPv1 message format.
Figure 2: SNMPv1 Message Format
The SNMP PDU contains the following fields:
- PDU type: Specifies the type of PDU.
- Request ID: Associates requests with responses.
- Error status: Indicates an error and an error type.
- Error index: Associates the error with a particular object variable.
- Variable bindings: Associates particular objects with their values.
3. ZyXEL SNMP Implementation
ZyXEL currently includes SNMP support in some Prestige routers. It is implemented based on SNMPv1, so it will be able to communicate with SNMPv1 NMSs. For SNMPv1 operation, ZyXEL permits one community string, so that the router can belong to only one community, and allows trap messages to be sent to only one NMS manager.
Some traps are sent to the SNMP manager when any one of the following events happens:
- coldStart (defined in RFC 1215): If the machine coldstarts, the trap will be sent after booting.
- warmStart (defined in RFC 1215): If the machine warmstarts, the tra
81. e packets from LAN.
Menu 3.1 - General Ethernet Setup
  Input Filter Sets: protocol filters: 2; device filters:
  Output Filter Sets: protocol filters: ; device filters:
Using the Dynamic DNS (DDNS)
1. What is DDNS?
The DDNS service, an IP Registry, provides a public central database where information such as email addresses, hostnames, IPs, etc. can be stored and retrieved. This solves the problems if your DNS server uses an IP associated with dynamic IPs.
Without DDNS, we always tell the users to use the WAN IP of the Prestige to access the internal server. It is inconvenient for the users if this IP is dynamic. With DDNS supported by the Prestige, you apply a DNS name (e.g., www.zyxel.com.tw) for your server (e.g., Web server) from a DDNS server. The outside users can always access the web server using www.zyxel.com.tw regardless of the WAN IP of the Prestige.
When the ISP assigns the Prestige a new IP, the Prestige must inform the DDNS server of the change of this IP so that the server can update its IP-to-DNS entry. Once the IP-to-DNS table in the DDNS server is updated, the DNS name for your web server (i.e., www.zyxel.com.tw) is still usable.
The DDNS server stores password-protected email addresses with IPs and hostnames and accepts queries based on email addresses. So, there must be an email entry in
82. VoIP Application Note
Tei oe l eara LeO Ei 1 aie ce os ee Gall soca
PHONE port setting
Phone book Speed dial
Y O PEE E T T E
DEV INNS FAQs
What is ZyNOS?
How do I access the embedded web configurator?
What is the default LAN IP address and Password? Moreover, how do I oE S1 cs S
How do I upload the ZyNOS firmware code via embeded web configurator?
How do I upgrade/backup the ZyNOS firmware by using FTP client program via LAN?
How do I upload or backup ROMFILE via web configurator?
How do I backup/restore configurations by using FTP client program via LAN?
Why can't I make Telnet to Prestige from WAN?
What should I do if I forget the system password?
What is SUA? When should I use SUA?
What is the difference between NAT and SUA?
How many network users can the SUA/NAT support?
What are Device filters and Protoc
83. ed: Check Next Rule
  Press ENTER to Confirm or ESC to Cancel
- Rule 6: Destination port number 139 with protocol number 17 (UDP)
Menu 21.1.6 - TCP/IP Filter Rule
  Filter #: 1,6
  Filter Type: TCP/IP Filter Rule
  Active: Yes
  IP Protocol: 17
  IP Source Route: No
  Destination IP Addr: 0.0.0.0
  IP Mask: 0.0.0.0
  Port: 139
  Port Comp: Equal
  Source IP Addr: 0.0.0.0
  IP Mask: 0.0.0.0
  Port: 0
  Port Comp: None
  TCP Estab: N/A
  More: No
  Log: None
  Action Matched: Drop
  Action Not Matched: Forward
  Press ENTER to Confirm or ESC to Cancel
- After the first filter set is finished, you will get the complete rules summary as below.
Menu 21.2 - Filter Rules Summary
  #  A  Type  Filter Rules                               M m n
  1  Y  IP    Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=137       N D N
  2  Y  IP    Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=137      N D N
  3  Y  IP    Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=138       N D N
  4  Y  IP    Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=138      N D N
  5  Y  IP    Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=139       N D N
  6  Y  IP    Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=139      N D F
- Apply the first filter set, NetBIOS_WAN, to the Output Protocol Filter in the remote node setup.
Configure the second filter set, NetBIOS_LAN, by selecting Filter Set number 2.
- Rule 1: Source port number
84. ed by the sound of your voice reverberating in the telephone receiver while you talk.
Select this check box to use Voice Activity Detection (VAD) to reduce the bandwidth that a call uses. The Prestige will generate and send comfort noise when you are not talking.
Dialing Interval: When you are dialing a telephone number, the Prestige waits this long after you stop pressing the buttons before initiating the call. Select how many seconds you want the Prestige to wait after the last input on the telephone's keypad before dialing (making a call).
Apply: Click Apply to save your changes back to the Prestige.
Reset: Click Reset to begin configuring this screen afresh.
Phone book Speed dial
Prestige allows you to configure up to 10 SIP numbers in the phone book for speed dial.
[Screen: Voice - Speed Dial. Add New Entry: Speed Dial, SIP Number, Name, Type (Use Proxy / Non-Proxy (Use IP or URL)). Speed Dial Phone Book: Speed Dial, SIP Number, Name, Destination]
To configure the phone book for speed dial, please follow the steps below.
Step 1: Open the web browser from your workstation to connect to the Prestige by entering the management IP address of the Prestige. The default management IP of the Prestige is 192.168.1.1.
85. eering Task Force to provide security services compatible with the existing IP standard (IPv4) and also the upcoming one (IPv6). In addition, IPSec can protect any protocol that runs on top of IP, for instance TCP, UDP, and ICMP. IPSec provides cryptographic security services. These services allow for authentication, integrity, access control, and confidentiality. IPSec allows for the information exchanged between remote sites to be encrypted and verified. You can create encrypted tunnels (VPNs), or just do encryption between computers. Since you have so many options, IPSec is truly the most extensible and complete network security solution.
What secure protocols does IPSec support?
There are two protocols provided by IPSec: AH (Authentication Header, protocol number 51) and ESP (Encapsulated Security Payload, protocol number 50).
What are the differences between Transport mode and Tunnel mode?
The IPSec protocols (AH and ESP) can be used to protect either an entire IP payload or only the upper-layer protocols of an IP payload. Transport mode is mainly for an IP host to protect the data generated locally, while tunnel mode is for a security gateway to provide IPSec service for other machines lacking IPSec capability. In this case, Transport mode only protects the upper-layer protocols of the IP payload (user data). Tunneling mode protects the entire IP payload, including user data. There is no restriction that the IPSec host
86. efore you begin
- Setting up the Windows
- Setting up the Prestige router
- Troubleshooting
Figure: Internet Access (SOHO Network - Prestige - Internet)
Before you begin
The Prestige is shipped with the following factory default:
1. IP address = 192.168.1.1, subnet mask = 255.255.255.0 (24 bits)
2. DHCP server enabled with IP pool starting from 192.168.1.33
3. Default SMT menu password = 1234
Setting up the PC (Windows OS)
1. Ethernet connection
All PCs must have an Ethernet adapter card installed.
- If you only have one PC, connect the PC's Ethernet adapter to the Prestige's LAN port with a crossover (red one) Ethernet cable.
- If you have more than one PC, both the PC's Ethernet adapters and the Prestige's LAN port must be connected to an external hub with straight Ethernet cable.
2. TCP/IP Installation
You must first install TCP/IP software on each PC before you can use it for Internet access. If you have already installed TCP/IP, go to the next section to configure it; otherwise, follow these steps to install:
- In the Control Panel/Network window, click the Add button.
- In the Select Network Component Type window, select Protocol and click Add.
- In the Select Network Protocol window, select Microsoft from the manufacturers, then select TCP/IP from the Network Protocols and click OK.
3. TCP/IP Configuration
Foll
87. ent
Configuration
1. Create a filter set in Menu 21, e.g., set 1.
Menu 21 - Filter Set Configuration
  Filter Set Comments: Block a client
  Enter Filter Set Number to Configure: 0
  Edit Comments:
  Press ENTER to Confirm or ESC to Cancel
2. One rule for blocking all packets from this client.
Menu 21.1.1 - TCP/IP Filter Rule
  Filter #: 1,1
  Filter Type: TCP/IP Filter Rule
  Active: Yes
  IP Protocol: 0
  IP Source Route: No
  Destination IP Addr: 0.0.0.0
  IP Mask: 0.0.0.0
  Port:
  Port Comp: None
  Source IP Addr: 192.168.1.5
  IP Mask: 255.255.255.255
  Port:
  Port Comp: None
  TCP Estab: N/A
  More: No
  Log: None
  Action Matched: Drop
  Action Not Matched: Forward
  Press ENTER to Confirm or ESC to Cancel
Key Settings:
- Source IP Addr: Enter the client IP in this field.
- IP Mask: Here the IP mask is used to mask the bits of the IP address given in the Source IP Addr field; for one workstation it is 255.255.255.255.
- Action Matched: Set to Drop to drop all the packets from this client.
- Action Not Matched: Set to Forward to allow the packets from other clients.
3. Apply filter set number 1 to the Output Protocol Filter Set field in the remote node setup.
A filter for blocking a specific MAC address
88. ernet LAN port, 1 ADSL WAN port. It is the most simple and affordable solution for multiple and instant broadband Internet access router. Virtually all popular applications over the Internet, such as Web, E-Mail, FTP, Telnet and Gopher, are supported. Prestige is designed for SOHO, branch offices, workgroups and educational users.
Will the Prestige work with my Internet connection?
The Prestige is designed to be compatible with major ISPs that utilize ADSL as a broadband service. The Prestige IAD offers an Ethernet port to connect to your computer, so the Prestige is placed in the line between the computer and your ISP. If your ISP supports PPPoE/PPPoA, you can also use the Prestige, because PPPoE/PPPoA is supported in the Prestige.
What do I need to use the Prestige?
You need an ADSL modem/router to use with an ADSL line. Prestige is an ideal device for such an application. The Prestige has one Ethernet port (LAN port) and one ADSL WAN port. You should connect the computer to the LAN port and connect the ADSL line to the WAN port. If the ISP uses PPPoE or PPPoA, you need the user account to enter in the Prestige.
What is PPPoE?
PPPoE stands for Point to Point Protocol over Ethernet, an IETF draft standard specifying how a computer interacts with a broadband modem (i.e., xDSL, cable, wireless, etc.) to achieve access to the high-speed data networks
89. estige support?
The Prestige supports DHCP client (Ethernet encap) on the WAN port and DHCP server on the LAN port. The Prestige's DHCP client allows it to get the Internet IP address from the ISP automatically if your ISP uses DHCP as a method to assign IP addresses. The Prestige's internal DHCP server allows it to automatically assign IP and DNS addresses to the clients on the local LAN.
How do I use the reset button? Moreover, what parameters will be reset by the reset button?
You can use a sharp pointed object and insert it into the little reset hole beside the power connector. Press down the reset button and hold it down for approx. 5 seconds; the unit will be reset. When the reset button is pressed, all the device's parameters will be reset back to factory default, including password and IP address. The default IP address is 192.168.1.1, Password 1234.
What network interface does the new Prestige series support?
The new Prestige series supports an auto MDI/MDIX 10/100M Ethernet LAN port to connect to the computer or switch on the LAN, and an ADSL port on the WAN.
How does the Prestige support TFTP?
In addition to the direct console port connection, the Prestige supports the upload/download of the firmware and configuration file using TFTP (Trivial File Transfer Protocol) over LAN.
Can the Prestige support TFTP over WAN?
Although TFTP should work
90. et: 0x00
  Time to Live: 0x7F (127)
  Protocol: 0x06 (TCP)
  Header Checksum: 0x533C (21308)
  Source IP: 0xCA849B61 (202.132.155.97)
  Destination IP: 0xC01F0782 (192.31.7.130)
TCP Header
  Source Port: 0x281E (10270)
  Destination Port: 0x0050 (80)
  Sequence Number: 0x00C18F63 (12685155)
  Ack Number: 0xD3E95DE9 (3555286505)
  Header Length: 20
  Flags: 0x11 (.A...F)
  Window Size: 0x1DD5 (7637)
  Checksum: 0x7A11 (31249)
  Urgent Ptr: 0x0000 (0)
RAW DATA
  0000: 00 A0 C5 01 23 45 00 A0 C5 92 13 12 08 00 45 00
  0010: 00 28 7B 0C 40 00 7F 06 53 3C CA 84 9B 61 C0 1F
  0020: 07 82 28 1E 00 50 00 C1 8F 63 D3 E9 5D E9 50 11
  0030: 1D D5 7A 11 00 00
Prestige>
Offline Trace
1. Trace LAN packet
2. Trace WAN packet
1. Trace LAN packet
1.1 Disable the capture of the WAN packet by entering: sys trcp channel enet1 none
1.2 Enable the capture of the LAN packet by entering: sys trcp channel enet0 bothway
1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on
1.4 Wait for packets passing through the Prestige over LAN
1.5 Disable the trace log by entering: sys trcp sw off & sys trcl sw off
1.6 Display the trace briefly by entering: sys trcp brief
1.7 Display specific packets by using: sys trcp parse <from_index> <to_index>
Prestige> sys trcp channel enet
91. etwork is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and "unmaps" the global IP addresses on incoming packets back into local IP addresses. The IP addresses for the NAT can be either fixed or dynamically assigned by the ISP. In addition, you can designate servers, e.g., a web server and a telnet server, on your local network and make them accessible to the outside world. If you do not define any servers, NAT offers the additional benefit of firewall protection. In such a case, all incoming connections to your network will be filtered out by the Prestige, thus preventing intruders from probing your network.
The SUA feature that the Prestige supported previously operates by mapping the private IP addresses to a global IP address. It is only one subset of NAT. The Prestige with ZyNOS V3.40 supports most of the features of NAT based on RFC 1631, and we call this feature Multi-NAT. For more information on IP address translation, please refer to RFC 1631, The IP Network Address Translator (NAT).
- How NAT works
If we define the local IP addresses as the Internal Local Addresses (ILA) and the global IP addresses as the Inside Global Address (IGA), see the following figure. The term "inside" refers to the set of networks that are subject to translation. NAT operates by mapping the ILA to the IGA required for communication with
92. ftp or mail server accessible for outside users, even though SUA makes your LAN appear as a single machine to the outside world. A service is identified by the port number. Also, since you need to specify the IP address of a server in the Prestige, a server must have a fixed IP address and not be a DHCP client whose IP address potentially changes each time it is powered on.
In addition to the servers for specific services, SUA supports a default server. A service request that does not have a server explicitly designated for it is forwarded to the default server. If the default server is not defined, the service request is simply discarded.
- Configuration
To make a server visible to the outside world, specify the port number of the service and the inside address of the server in Menu 15.2.1, Multiple Server Configuration. The outside users can access the local server using the Prestige's WAN IP address, which can be obtained from menu 24.1.
- For example: Configuring an internal Web server for outside access
Menu 15.2 - NAT Server Setup
  Rule  Start Port No.  End Port No.  IP Address
  1.    Default         Default       0.0.0.0
93. hange
How do I upload the ZyNOS firmware code via embeded web configurator?
The procedure for uploading ZyNOS via the embedded web configurator is as follows:
a. Log on to the web configurator.
b. Press MAINTENANCE from the left menu.
c. Press the F/W Upload tab.
d. Press the browse button and point to the directory where the firmware you want to upload is kept, and press the Upload button.
e. It will prompt you that the firmware upload is successful, and the Prestige will reboot.
How do I upgrade/backup the ZyNOS firmware by using FTP client program via LAN?
The Prestige allows you to transfer the firmware from/to the Prestige by using an FTP program via LAN. The procedure for uploading ZyNOS via FTP is as follows:
a. To upgrade firmware, use the FTP client program to put the firmware in file "ras" in the Prestige. After the data transfer is finished, the Prestige will program the upgraded firmware into FLASH ROM and reboot itself.
Note: Do not power off the unit after uploading the file via FTP until the system LED has become steadily lit. Failing to do so may result in update failure and require RMA.
b. To back up your firmware, use the FTP client program to get file "ras" from the Prestige.
How do I upload or backup ROMFILE via web configurator?
In some situations, you may need to upload the ROMFILE, restore to previous saved configuration or the need of rese
94. hen a dial-up connection to the ISP is established, a default gateway is assigned to route traffic through that connection. Therefore, the output below shows the default gateway of the Win9x client after the dial-up connection has been established.
Before making a VPN connection from the Win9x client to the NT server, you need to know the exact Internet IP address that the ISP assigns to the Prestige router in SUA mode and enter this IP address in the VPN dial-up dialog box. You can check this Internet IP address from PNC Monitor or SMT Menu 24.1. If the Internet IP address is a fixed IP address provided by the ISP in SUA mode, then you can always use this IP address for reaching the VPN server.
In the following example, the IP address 140.113.1.225 is dynamically assigned by the ISP. You must enter this IP address in the VPN Server dialog box for reaching the PPTP server. After the VPN link is established, you can start the network protocol application, such as IP, IPX and NetBEUI.
[Screen: Connect To. User name: prtp; Password: ********; VPN server: 140.113.1.225]
Using NAT / Multi-NAT
- What is Multi-NAT?
NAT (Network Address Translation, RFC 1631) is the translation of an Internet Protocol address used within one network to a different IP address known within another network. One n
95. hosts on other networks. It replaces the original IP source address (and TCP or UDP source port numbers) and then forwards each packet to the Internet ISP, thus making them appear as if they had come from the NAT system itself (e.g., the Prestige router). The Prestige keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored.
Figure 1: Local/Global IP Addresses (Prestige, ISP; ILA = Inside Local Addresses, IGA = Inside Global Addresses)
NAT Mapping Types
NAT supports five types of IP/port mapping. They are:
1. One to One: In One-to-One mode, the Prestige maps one ILA to one IGA.
2. Many to One: In Many-to-One mode, the Prestige maps multiple ILA to one IGA. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyNOS routers supported (the SUA only option in today's routers).
3. Many to Many Overload: In Many-to-Many Overload mode, the Prestige maps the multiple ILA to shared IGA.
4. Many to Many No Overload: In Many-to-Many No Overload mode, the Prestige maps each ILA to unique IGA.
5. Server: In Server mode, the Prestige maps multiple inside servers to one global IP address. This allows us to specify multiple servers of different types behind the NAT for outside access. Note, if you want to map each
96. icast setting can be turned on or off on Ethernet and remote nodes.
- IP Multicast Setup
Enable IGMP in the Prestige's LAN in menu 3.2.
Menu 3.2 - TCP/IP and DHCP Setup
  DHCP Setup
    DHCP: Server
    Client IP Pool Starting Address: 192.168.1.33
    Size of Client IP Pool: 32
    Primary DNS Server: 0.0.0.0
    Secondary DNS Server: 0.0.0.0
    Remote DHCP Server: N/A
  TCP/IP Setup
    IP Address: 192.168.1.1
    IP Subnet Mask: 255.255.255.0
    RIP Direction: Both
    Version: RIP-2B
    Multicast: IGMP-v2
    IP Policies:
    Edit IP Alias: No
  Press ENTER to Confirm or ESC to Cancel
Enable IGMP in the Prestige's remote node in menu 11.3.
Menu 11.3 - Remote Node Network Layer Options
  IP Options
    IP Address Assignment: Dynamic
    Rem IP Addr: 0.0.0.0
    Rem Subnet Mask: 0.0.0.0
    My WAN Addr: N/A
    NAT: SUA Only
    Address Mapping Set: N/A
    Metric: 2
    Private: No
    RIP Direction: None
    Version: RIP-2B
    Multicast: IGMP-v2
    IP Policies:
  Bridge Options
    Ethernet Addr Timeout (min): N/A
  Enter here to CONFIRM or ESC to CANCEL
Key Settings:
- Multicast: IGMP-v1 for IGMP version 1, IGMP-v2 for IGMP version 2.
Using Prestige traffic redirect
- What is Traffic Redirect?
Traffic redirect forwards WAN traffic to a backup gateway when the Prestige cannot connect to the In
97. Call scheduling enables the mechanism for the Prestige to run the remote node connection according to the pre-defined schedule. This feature is just like the scheduler in a video recorder, which records the program according to the specified time. Users can apply at most 4 schedule sets in Menu 11 - Remote Node Setup, and configure each schedule in Menu 26 - Schedule Setup. The remote node configured with the schedule set could be Forced On, Forced Down, Enable Dial-On-Demand, or Disable Dial-On-Demand on the specified date and time. SMT Menu for Call Scheduling: 1. Edit the Schedule sets in menu 26. Prestige 2602HW-61 Main Menu. Getting Started: 1. General Setup; 2. WAN Backup Setup; 3. LAN Setup; 4. Internet Access Setup. Advanced Applications: 11. Remote Node Setup; 12. Static Routing Setup; 15. NAT Setup. Advanced Management: 21. Filter and Firewall Setup; 22. SNMP Configuration; 23. System Password; 24. System Maintenance; 25. IP Routing Policy Setup; 26. Schedule Setup. 99. Exit. Enter Menu Selection Number: 2. Select a Schedule Set number and give it a name. Menu 26 - Schedule Setup. Schedule Set # / Name: 1 ZyXEL; 2; 3; 4; 5; 6; 7; 8; 9; 10; 11; 12. Enter Schedule Set Number to Configure= 1. Edit Name= ZyXEL
98. is the most popular application exploiting UPnP, so we take the Microsoft MSN application as an example in this support note. You can learn how MSN benefits from the NAT traversal feature in UPnP in this application note. In the diagram, suppose PC1 and PC2 both sign in to the MSN server and they would like to establish a video conference. PC1 is behind a PPPoE dial-up router which supports UPnP. Since the router supports UPnP, we don't need to set up NAT mapping for PC1. As long as we enable the UPnP function on the router, PC1 will assign the mapping to the router dynamically. Note that since PC1 must support UPnP, we presume that its OS is Microsoft WinME or WinXP. [Figure: UPnP Enabled Dynamic NAT port Mapping. Device: Prestige Router. Service: NAT function provided by Prestige Router. Control Point: PC1.] 1. Enable the UPnP function in the ZyXEL device. Go to Advanced > UPnP and check two boxes: Enable UPnP service, and Allow users to make configuration changes through UPnP. The first check box enables the UPnP function in this device. The second check box allows users' applications to change configuration in this device. For instance, if you enable this item, then the user's MSN application can assign dynamic port mapping to the router, so that the network administrator doesn't need to set up SUA port mapping in the router.
99. itional benefit of firewall protection. In such case, all incoming connections to your network will be filtered out by the Prestige, thus preventing intruders from probing your network. The SUA feature that the Prestige supported previously operates by mapping the private IP addresses to a global IP address. It is only one subset of the NAT. The Prestige with ZyNOS V3.00 supports most of the features of the NAT based on RFC 1631, and we call this feature Multi-NAT. For more information on IP address translation, please refer to RFC 1631, The IP Network Address Translator (NAT). When do I need Multi-NAT? Make local server accessible from outside Internet: When NAT is enabled, the local computers are not accessible from outside. You can use Multi-NAT to make an internal server accessible from outside. Support Non-NAT Friendly Applications: Some servers providing Internet applications, such as some mIRC servers, do not allow users to log in using the same IP address. Thus, users on the same network cannot log in to the same server simultaneously. In this case it is better to use Many-to-Many No Overload or One-to-One NAT mapping types, so that each user logs in to the server using a unique global IP address. What IP/Port mapping does Multi-NAT support? NAT supports five types of IP/port mapping. They are: One to One, Many to One
100. ke to configure the 2nd SIP account, please select SIP2 by using the SIP account selector, then follow steps 1 to 8 to complete the 2nd account setup. Note: If both SIP numbers are associated with both phone ports, you will not be able to identify which account is being called for the incoming call. Each field's detailed description on this page is listed below. SIP Account: You can configure the Prestige to use multiple SIP accounts. Select one to configure its settings on the Prestige. SIP Number: A SIP account's Uniform Resource Identifier (URI) identifies the SIP account in a way similar to the way an e-mail address identifies an e-mail account. It is also known as a SIP identity or address. The format of a SIP identity is SIP-Number@SIP-Service-Domain. A SIP number is the part of the SIP URI that comes before the "@" symbol. Enter your SIP number in this field. You can use up to 31 ASCII characters. The remaining fields are: SIP Local Port, SIP Server Address, SIP Server Port, REGISTER Server Address, REGISTER Server Port, SIP Service Domain, Authentication User ID, Authentication Password, Block Caller ID, Apply to. SIP Local Port: Use this field to configure the Prestige's listening port for SIP. Leave this field set to the default if you were not given a local port number for SIP. SIP Server Address: Type the IP address of the SIP server in this field
101. IP Protocol= 6; IP Source Route= No. Destination: IP Addr= 0.0.0.0, IP Mask= 0.0.0.0, Port= 138, Port Comp= Equal. Source: IP Addr= 0.0.0.0, IP Mask= 0.0.0.0, Port= 0, Port Comp= None. TCP Estab= No; More= No; Log= None; Action Matched= Drop; Action Not Matched= Check Next Rule. Press ENTER to Confirm or ESC to Cancel. Rule 4: Destination port number 138 with protocol number 17 (UDP). Menu 21.1.4 - TCP/IP Filter Rule. Filter: 1,4; Filter Type= TCP/IP Filter Rule; Active= Yes; IP Protocol= 17; IP Source Route= No. Destination: IP Addr= 0.0.0.0, IP Mask= 0.0.0.0, Port= 138, Port Comp= Equal. Source: IP Addr= 0.0.0.0, IP Mask= 0.0.0.0, Port= 0, Port Comp= None. TCP Estab= N/A; More= No; Log= None; Action Matched= Drop; Action Not Matched= Check Next Rule. Press ENTER to Confirm or ESC to Cancel. Rule 5: Destination port number 139 with protocol number 6 (TCP). Menu 21.1.5 - TCP/IP Filter Rule. Filter: 1,5; Filter Type= TCP/IP Filter Rule; Active= Yes; IP Protocol= 6; IP Source Route= No. Destination: IP Addr= 0.0.0.0, IP Mask= 0.0.0.0, Port= 139, Port Comp= Equal. Source: IP Addr= 0.0.0.0, IP Mask= 0.0.0.0, Port= 0, Port Comp= None. TCP Estab= No; More= No; Log= None; Action Matched= Drop; Action Not Match
102. ld to test your Prestige's WAN accessibility. Type the IP address of a reliable nearby computer (for example, your ISP's DNS server address). If you select ICMP in the Backup Type field, you must configure at least one IP address here. When using a WAN backup connection, the Prestige periodically pings the addresses configured here and uses the other WAN backup connection (if configured) if there is no response. Type the number of times (2 recommended) that your Prestige may ping the IP addresses configured in the Check WAN IP Address fields without getting a response before switching to a WAN backup connection (or a different WAN backup connection). When the Prestige is using a lower priority connection (usually a WAN backup connection), it periodically checks whether or not it can use a higher priority connection. Type the number of seconds (80 recommended) for the Prestige to wait between checks. Allow more time if your destination IP address handles lots of traffic. Type the number of seconds (3 recommended) for your Prestige to wait for a ping response from one of the IP addresses in the Check WAN IP Address fields before timing out the request. The WAN connection is considered down after the Prestige times out the number of times specified in the Fail Tolerance field. Use a higher value in this field if your network is busy or congested.
103. lent voice quality and 1 represents bad voice quality. What is codec? A codec is an algorithm which converts an analog signal into a digital signal and vice versa. There are three main types: waveform codec, source codec and hybrid codec. Each consumes a different amount of bandwidth and provides a different voice quality level. What is the relation of codec and VoIP? VoIP is a general term for sending voice information in digital form, in discrete packets, over a digital network. This digital network is a public network, so there may be other packets, such as data packets, using the network at the same time. The choice of codec determines how much bandwidth the voice packets will consume. In terms of bandwidth, the smaller the amount of bandwidth used the better. But in terms of voice, the higher the quality the better. What codec does Prestige support? Prestige supports the following commonly used codecs: G.729 voice codec; G.711 u-law voice codec; G.711 a-law voice codec. Note: G.711 u-law or G.711 a-law is country specific, thus the ZyXEL device is shipped preconfigured to use u-law or a-law according to the specific country. If for a special reason this setting needs to be changed, it can be modified through a device CI command through telnet. For the command, please refer to the CI command list in the firmware release note. Which codec should I choose? As which codec choose i
104. line. Cable head ends connecting to the Internet backbone using a T1 limit their subscribers to an absolute maximum of 1.5 Mbps. To create the appearance of faster network access, service companies plan to store or "cache" frequently requested web sites and Usenet newsgroups on a server at their head end. Storing data locally will remove some of the bottleneck at the backbone connection. How fast can they go? In a perfect world (or lab) they can receive data at speeds up to 30 Mbps. In the real world, with cost-conscious cable companies running the systems, the speed will probably fall to about 1.5 Mbps. What is Multi-NAT? NAT (Network Address Translation - NAT, RFC 1631) is the translation of an Internet Protocol address used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and "unmaps" the global IP addresses on incoming packets back into local IP addresses. The IP addresses for the NAT can be either fixed or dynamically assigned by the ISP. In addition, you can designate servers, e.g. a web server and a telnet server, on your local network and make them accessible to the outside world. If you do not define any servers, NAT offers the add
105. sys trcl sw on. 1.4 Display the brief trace online by entering: sys trcd brief, or 1.5 Display the detailed trace online by entering: sys trcd parse. Example: ras> sys trcp channel enet0 none; ras> sys trcp channel mpoa00 bothway; ras> sys trcp sw on; ras> sys trcl sw on; ras> sys trcd brief; 0 12367.680 MPOA00-R[0070] UDP 202.132.155.95:520->202.132.155.255:520; 1 12370.980 MPOA00-T[0062] TCP 202.132.155.97:10261->192.31.7.130:80; ras> sys trcd parse; <0000> LAN Frame: MPOA00-RECV Size: 1181/96 Time: 12387.260 sec; Frame Type: TCP 192.31.7.130:80->202.132.155.97:10270. Ethernet Header: Destination MAC Addr = 00A0C5921312; Source MAC Addr = 00A0C5012345; Network Type = 0x0800 (TCP/IP). IP Header: IP Version = 4; Header Length = 20; Type of Service = 0x00 (0); Total Length = 0x048B (1163); Identification = 0xB139 (45369); Flags = 0x02; Fragment Offset = 0x00; Time to Live = 0xEE (238); Protocol = 0x06 (TCP); Header Checksum = 0xA9AB (43435); Source IP = 0xC01F0782 (192.31.7.130); Destination IP = 0xCA849B61 (202.132.155.97). TCP Header: Source Port = 0x0050 (80); Destination Port = 0x281E (10270); Sequence Number = 0xD3E95985 (3555285381); Ack Number = 0x00C18F63 (12685155); Header Length 720 Flags TOII CARTE Window
106. Password: Enter the password that the DDNS server gives to you. Enable Wildcard: Enter the hostname for the wildcard function that WWW.DYNDNS.ORG supports. Note that the Wildcard option is available only when the provider is WWW.DYNDNS.ORG. Network Management Using SNMP. 1. SNMP Overview: The Simple Network Management Protocol (SNMP) is an application layer protocol used to exchange management information between network devices (e.g. routers). By using SNMP, network administrators can more easily manage network performance and find and solve network problems. SNMP is a member of the TCP/IP protocol suite; it uses UDP to exchange messages between a management Client and an Agent residing in a network node. There are two versions of SNMP: Version 1 and Version 2. ZyXEL supports SNMPv1. Most of the changes introduced in Version 2 increase SNMP's security capabilities. SNMP encompasses three main areas: 1. A small set of management operations. 2. Definitions of management variables. 3. Data representation. The operations allowed are: Get, GetNext, Set, and Trap. These functions operate on variables that exist in network nodes. Examples of variables include statistic counters, node port status, and so on. All of the SNMP management functions are carried out through these simple operations. No action operations are available, but these can be simulated by the setting of flag variables. For
107. n be moved down by one rule (Insert Before, in the Action field). Delete means to delete the selected rule, and then all the rules after the selected one will be advanced one rule. Save Set means to save the whole set (note: when you choose this action, the Select Rule item will be disabled). Select Rule: When you choose Edit, Insert Before or Save Set in the previous field, the cursor jumps to this field to allow you to select the rule to apply the action in question (example value: 1). Note: Save Set in the Action field means to save the whole set. You must do this if you make any changes to the set, including deleting a rule. No changes to the set take place until this action is taken. Be careful when ordering your rules, as each rule is executed in turn, beginning from the first rule. Selecting Edit in the Action field and then selecting a rule brings up the following menu, Menu 15.1.1.1 - Address Mapping Rule, in which you can edit an individual rule and configure the Type, Local and Global Start/End IPs displayed in Menu 15.1.1. Menu 15.1.1.1 - Rule 1. Type: One-to-One. Local IP: Start= 0.0.0.0, End= N/A. Global IP: Start= 0.0.0.0, End= N/A. Press ENTER to Confirm or ESC to Cancel. The following table describes the fields in this screen. Field: Type; Local IP Start, End; Global IP Start, End. Description Option Ex
108. What is IP Spoofing attack?; What are the default ACL firewall rules in Prestige?; How can I protect against IP spoofing attacks?; Content Filter FAQ; IPSec FAQ; What is VPN?; Why do I need VPN?; What are most common VPN protocols?; What is L2TP?; What is IPSec?; What secure protocols does IPSec support?; What are the differences between Transport mode and Tunnel mode?; What is SA?; What is IKE?; What is Pre-Shared Key?; What are the differences between IKE and manual key VPN?; What is Phase 1 ID for?; What are Local ID and Peer ID?; When should I use FQDN?; Is my Prestige ready for IPSec VPN?; How do I configure Prestig
109. nSock clients use BOOTP. TCP/IP clients may specify their own IP or utilize BOOTP/DHCP to request an IP address. What is DDNS? The Dynamic DNS service allows you to alias a dynamic IP address to a static hostname, allowing your computer to be more easily accessed from various locations on the Internet. To use the service, you must first apply for an account from several free Web servers such as WWW.DYNDNS.ORG. Without DDNS, we always tell the users to use the WAN IP of the 312 to reach our internal server. It is inconvenient for the users if this IP is dynamic. With DDNS supported by the Prestige, you apply for a DNS name (e.g. www.zyxel.com.tw) for your server (e.g. Web server) from a DDNS server. The outside users can always access the web server using www.zyxel.com.tw regardless of the WAN IP of the 312. When the ISP assigns the Prestige a new IP, the Prestige updates this IP to the DDNS server so that the server can update its IP-to-DNS entry. Once the IP-to-DNS table in the DDNS server is updated, the DNS name for your web server (i.e. www.zyxel.com.tw) is still usable. When do I need DDNS service? When you want your internal server to be accessed by using a DNS name rather than the dynamic IP address, you can use the DDNS service. The DDNS server allows you to alias a dynamic IP address to a static hostname. Whenever the ISP assign
110. ncapsulates its data stream in the PPP protocol, the VPN requires a second dial-up adapter. This second dial-up adapter for VPN is added during the installation phase of the Upgrade, in addition to the first dial-up adapter that provides PPP support for the analog or ISDN modem. PPTP is supported in Windows NT and Windows 98 already. Windows 95 needs to be upgraded with the Dial-Up Networking 1.2 upgrade. Configuration: This application note explains how to establish a PPTP connection with a remote private network in the Prestige SUA case. In ZyNOS, all PPTP packets can be forwarded to the internal PPTP Server (WinNT server) behind SUA. The port number of PPTP has to be entered in the SMT Menu 15 for the Prestige to forward to the appropriate private IP address of the Windows NT server. [Figure: PPTP Client, Prestige, PPTP Server.] Example: The following example shows how to dial to an ISP via the Prestige and then establish a tunnel to a private network. There are three items that you need to set up for the PPTP application: the PPTP server (WinNT), the PPTP client (Win9x) and the Prestige. PPTP server setup (WinNT): Add the VPN service from Control Panel > Network. Add a user account for the PPTP logged-on user. Enable RAS port. Select the network protocols from RAS, such as IPX, TCP/IP, NetBEUI. Set the Internet ga
111. nd on the receiver end it will also need an analog to digital converter to convert the digital signal back to analog so the person being called can hear the voice. Why use VoIP? Traditionally, telephony carriers use circuit switching for carrying voice traffic. Circuit switching is designed to carry voice and it does it very well. Then why use IP for voice? As broadband booms and technology evolves, people now want to communicate in various ways, not just voice, such as email, instant messaging, video and so on. Traditional telephony cannot evolve as quickly as the demand, and developing new features on circuit switching takes much time and money. IP is an already existing standard and many types of service already run on IP. By using IP as a platform, integrated service is now possible at low cost, where traditional circuits may take a long time to achieve it. What is the relationship between codec and VoIP? In order to transfer a voice analog signal over IP, it first needs to be digitized. Codec is a technique to digitize an analog signal to digital and vice versa. There are various speech codecs available that can be used with VoIP, each with its advantages and disadvantages. What advantage can Voice over IP provide? The advantage of VoIP is that it can provide advanced services, such as joining e-mail, instant messaging, video and voice mail all together. Wher
112. nistrator when configuring the security association. IKE is more secure than manual key, because IKE negotiation can generate new keys and SPIs randomly for the VPN connection. What is Phase 1 ID for? In IKE phase 1 negotiation, the IP address of the remote peer is treated as an indicator to decide which VPN rule must be used to serve the incoming request. However, in some applications, the remote VPN box or client software is using an IP address dynamically assigned by the ISP, so the Prestige needs additional information to make the decision. Such additional information is what we call phase 1 ID. In the IKE payload, there are local and peer ID fields to achieve this. What are Local ID and Peer ID? Local ID and Peer ID are used in IKE phase 1 negotiation. It's in FQDN (Fully Qualified Domain Name) format; the IKE standard takes it as one type of Phase 1 ID. Phase 1 ID is an identification for each VPN peer. The type of Phase 1 ID may be IP, FQDN (DNS), or User FQDN (E-mail). The content of Phase 1 ID depends on the Phase 1 ID type. The following is an example of how to configure phase 1 ID. ID type / Content: IP / 202.132.154.1; DNS / www.zyxel.com; E-mail / support@zyxel.com.tw. Please note that in Prestige, if the DNS or E-mail type is chosen, you can still use a random string as the content, such as this_is_Prestige. It's not necessary to follow
113. nter a Set Name, choose the Edit Action and then select 1 from the Select Rule field. Press ENTER to confirm. See the following setup for the four rules in our case. Rule 1 Setup: Select One-to-One type to map the FTP Server 1 with ILA1 (192.168.1.10) to IGA1. Menu 15.1.1.1 - Rule 1. Type: One-to-One. Local IP: Start= 192.168.1.10, End= N/A. Global IP: Start= [Enter IGA1], End= N/A. Press ENTER to Confirm or ESC to Cancel. Rule 2 Setup: Select One-to-One type to map the FTP Server 2 with ILA2 (192.168.1.11) to IGA2. Menu 15.1.1.2 - Rule 2. Type: One-to-One. Local IP: Start= 192.168.1.11, End= N/A. Global IP: Start= [Enter IGA2], End= N/A. Press ENTER to Confirm or ESC to Cancel. Rule 3 Setup: Select Many-to-One type to map the other clients to IGA3. Menu 15.1.1.3 - Rule 3. Type: Many-to-One. Local IP: Start= 0.0.0.0, End= 255.255.255.255. Global IP: Start= [Enter IGA3], End= N/A. Press ENTER to Confirm or ESC to Cancel. Rule 4 Setup: Select Server type to map our web server and mail server with ILA3 (192.168.1.20) to IGA3. Menu 15.1.1.4 - Rule 4. Type: Server. Local IP: Start= N/A, End= N/A. Global IP: Start= [Enter IGA3], End= N/A. Press ENTER to Confirm or ESC to Cancel. When we ha
114. Single, Range, Subnet: which types of IP address do Prestige 10 100 10W 50 100 support in VPN/IPSec?; Can Prestige support IPSec passthrough?; Can Prestige behave as a NAT router supporting IPSec passthrough and an IPSec gateway simultaneously?; Wireless FAQ; What is a Wireless LAN?; What are the advantages of Wireless LANs?; What are the disadvantages of Wireless LANs?; Where can you find wireless 802.11 networks?; What is an Access Point?; What is IEEE 802.11?; What is 802.11b?; How fast is 802.11b?; What is 802.11a?; What is 802.11g?; Is it possible to use products from a variety of vendors?; What is Wi-Fi?; What types of devices use the 2.4GHz Band?; Does the 802.11 interfere with Bluetooth devices?; Can radio signals pass through walls?; What a
115. oes e-mail work through the Prestige? It depends on what kind of IP you have: Static or Dynamic. If your company has a domain name, it means that you have a static IP address. Suppose your company's e-mail address is xxx@mycompany.com. Joe and Debbie will be able to send e-mail through the Prestige Internet Access Device using jane@mycompany.com and debbie@mycompany.com respectively as their e-mail addresses. They will be able to retrieve their individual private and secure e-mail if they have been assigned the proper access right. If your company does not have a domain name, it means that your ISP provides you with a dynamic IP address. Suppose your company's e-mail address is mycompany@ispname.com. Jane and John will be able to send e-mail through the Prestige Internet Access Sharing Router using jane <mycompany@ispname.com> and john <mycompany@ispname.com> respectively as their e-mail addresses. Again, they will be able to retrieve their individual private and secured e-mail if they have been assigned the proper access right. Is it possible to access a server running behind SUA from the outside Internet? If possible, how? Yes, it is possible, because the Prestige delivers the packet to the local server by looking it up in a SUA server table. Therefore, to make a local server accessible to outside users, the port number and the inside IP address of the server must be configured in Menu 15 - SUA Server Setup. What DHCP capability does the Pr
116. og: Active= Yes; Syslog IP Address= 192.168.1.33; Log Facility= Local 1. Configuration: 1. Active: use the space bar to turn on the syslog option. 2. Syslog IP Address: enter the IP address of the UNIX server that you wish to send the syslog to. 3. Log Facility: use the space bar to toggle between the 7 different local options. UNIX Setup: 1. Make sure that your syslogd starts with the -r argument. -r: this option will enable the facility to receive messages from the network using an Internet domain socket with the syslog services. The default setting is not enabled. 2. Edit the file /etc/syslog.conf by adding the following line at the end of the /etc/syslog.conf file: local1.* /var/log/zyxel.log, where /var/log/zyxel.log is the full path of the log file. 3. Restart syslogd. CDR log (call messages). Format: sdcmdSyslogSend(SYSLOG_CDR, SYSLOG_INFO, String); String = board xx line xx channel xx, call xx, str. board = the hardware board ID; line = the WAN ID in a board; channel = channel ID within the WAN; call = the call reference number, which starts from 1 and increments by 1 for each new call; str = C01 Outgoing Call dev xx ch xx (dev: device No.; ch: channel No.), C01 Incoming Call xxxxBps xxxxx (L2TP; xxxxx means Remote Call ID), C01 Incoming Call xxxx (means connected speed) xxxxx (means Remote Call ID), L02 Tunnel Connected (L2TP), C02 OutCall
117. ol filters; Why can't I configure device filters or protocol filters?; Product FAQ; What is the Prestige Integrated Access Device?; Will the Prestige work with my Internet connection?; What do I need to use the Prestige?; What is PPPoE?; Does the Prestige support PPPoE?; How do I know I am using PPPoE?; Why does my provider use PPPoE?; Which Internet Applications can I use with the Prestige?; How can I configure the Prestige?; What network interface does the Prestige support?; What can we do with Prestige?; Does Prestige support dynamic IP addressing?; What is the difference between the internal IP and the real IP from my ISP?; How does e-mail work through the Prestige?
118. [Screenshot: UPnP configuration page with the check boxes "Enable the Universal Plug and Play (UPnP) Service", "Allow users to make configuration changes through UPnP" and "Allow UPnP to pass through Firewall".] 2. After getting an IP address, open the MSN application on the PC and sign in to the MSN server. [Screenshot: Windows Messenger contact list and contact menu.] 3. Start a video conversation with one online user. 4. On the opposite side, your partner selects Accept to accept your conversation request. [Screenshot: Windows Messenger conversation window showing the video and voice conversation invitation, with Accept (Alt+T) and Decline (Alt+D).]
119. on or basic troubleshooting, please refer to the device user's guide. Using Embedded Packet Trace. Embedded Packet Trace: The Prestige packet trace records and analyzes packets running on the LAN and WAN interfaces. It is designed for users with technical backgrounds who are interested in the details of the packet flow on the LAN or WAN end of the Prestige. It is also very helpful for diagnostics if you have compatibility problems with your ISP or if you want to know the details of a packet for configuring a filter rule. The format of the display is as follows. Packet: 0 11880.160 ENET0-R[0062] TCP 192.168.1.2:1108->192.31.7.130:80, that is, [index] [timer/second] [channel-receive/transmit] [length] [protocol] [sourceIP/port] [destIP/port]. There are two ways to dump the trace: 1. Online Trace: display the trace in real time on screen. 2. Offline Trace: capture the trace first and display it later. The details for capturing the trace in SMT menu 24.8 are as follows. Online Trace: 1. Trace LAN packet. 2. Trace WAN packet. 1. Trace LAN packet: 1.1 Disable capturing of the WAN packet by entering: sys trcp channel enet1 none. 1.2 Enable capturing of the LAN packet by entering: sys trcp channel enet0 bothway. 1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on. 1.4 Display the brief trace online by entering: sys trcd brief, or 1.5 Dis
120. on your local network and w.x.y.z is your netmask. Content Filter FAQ. What types of content filter does Prestige provide? Can I have different policies in effect for different times of the day or week? Yes, but only one blocking period of time is currently supported on the ZyXEL appliance. Can I override (block or allow) certain URLs by wording? Yes, you can use keyword blocking to achieve this. How many URL keywords does Prestige support? 64 keywords are supported. IPSec FAQ. What is VPN? A VPN gives users a secure link to access the corporate network over the Internet or other public or private networks without the expense of leased lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication. Why do I need VPN? There are some reasons to use a VPN. The most common reasons are security and cost. Security: 1. Authentication: With authentication, the VPN receiver can verify the source of packets and guarantee the data integrity. 2. Encryption: With encryption, VPN guarantees the confidentiality of the original user data. Cost: 1. Cut long distance phone charges: Because users typically dial their local ISP for VPN, thus long
121. or go directly to the callee's VoIP phone (IP to IP). Enter the SIP server's or the party's IP address or domain name (up to 127 ASCII Extended set characters). Click this button to save the entry in the speed dial phone book. The speed dial entry displays in the Speed Dial Phone Book section of the screen. Speed Dial Phone Book (columns: Speed Dial, Name, SIP Number, Type, Delete, Edit, Clear): This section of the screen displays the currently saved speed dial entries. You can configure up to 10 entries and use them to make calls. FAQ. ZyNOS FAQ. Speed Dial: This is the entry's speed dial key combination. Press this key combination on a telephone attached to the Prestige in order to call the party named in this entry. Name: This is the descriptive name of the party that you will use this speed dial entry to call. SIP Number: This is the SIP number of the party that you will call. Type: This field displays Use Proxy if calls to this party use one of your SIP accounts. This field displays the SIP server's or the party's IP address or domain name if calls to this party do not use one of your SIP accounts. Delete: Click this button to remove an entry from the speed dial phonebook. Edit: Click this button to change the speed dial entry. The speed dial entry displays in the Add New Entry section of the screen, where you can edit it. Clear: Click this button to remove all of
122. Overload mapping. Select Full Feature when you require other mapping types. It is a convenient, pre-configured, read-only Many-to-One mapping set, sufficient for most purposes and helpful to people already familiar with SUA in previous ZyNOS versions. Note that there is also a Server type whose IGA is 0.0.0.0 in this set. Table: Applying NAT in Menu 4 and Menu 11.3. 2. Configuring NAT: To configure NAT, enter 15 from the Main Menu to bring up the following screen. Menu 15 - NAT Setup: 1. Address Mapping Sets; 2. NAT Server Sets. 3. Address Mapping Sets and NAT Server Sets: Use the Address Mapping Sets menus and submenus to create the mapping table used to assign global addresses to LAN clients. Each remote node must specify which NAT Address Mapping Set to use. The P2602HW has 8 remote nodes and so allows you to configure 8 NAT Address Mapping Sets. You can see nine NAT Address Mapping Sets in Menu 15.1. You can only configure from Set 1 to Set 8. Set 255 is used for SUA. When you select Full Feature in menu 4 or 11.3 When you select SUA Only the SMT will use Set 15 2 The NAT Server Set is a list of LAN-side servers mapped to external ports. To use this set (one set for the Prestige), a server rule must be set up inside the NAT Address Mapping Set. Please see NAT Server Sets for further information on these menus. Enter 1 to bring up Menu 15.1 - Address Mapping Sets.
123. ow these steps to configure Windows TCP/IP: • In the Control Panel/Network window, click the TCP/IP entry to select it and click the Properties button. • In the TCP/IP Properties window, select "obtain an IP address automatically". Note: Do not assign arbitrary IP addresses and subnet masks to your PCs, otherwise you will not be able to access the Internet. • Click the WINS configuration tab and select Disable WINS Resolution. • Click the Gateway tab. Highlight any installed gateways and click the Remove button until there are none listed. • Click the DNS Configuration tab and select Disable DNS. • Click OK to save and close the TCP/IP properties window. • Click OK to close the Network window. You will be prompted to insert your Windows CD or disk. When the drivers are updated, you will be asked if you want to restart the PC. Make sure your Prestige is powered on before answering Yes to the prompt. Repeat the above steps for each Windows PC on your network. • Setting up the Prestige router: The following procedure is for the most typical usage of the Prestige, where you have a single-user account (SUA). The Prestige supports an embedded web server that allows you to use a Web browser to configure it. Before configuring the router using a browser, please be sure there is no Telnet or Console login. 1. Retrieve Prestige Web: Please enter the LAN IP a
124. p parse <from_index> <to_index>
    2. Trace WAN packet
    1.1 Disable the capture of the LAN packet by entering: sys trcp channel enet0 none
    1.2 Enable the capture of the WAN packet by entering: sys trcp channel mpoa00 bothway
    1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on
    1.4 Wait for packets passing through the Prestige over WAN
    1.5 Disable the trace log by entering: sys trcp sw off & sys trcl sw off
    1.6 Display the trace briefly by entering: sys trcp brief
    1.7 Display specific packets by using: sys trcp parse <from_index> <to_index>
    CLI Command List: The latest CI command list is available in the release notes of every ZyXEL firmware release. Please go to the ZyXEL public WEB site http://www.zyxel.com/support/download.php to download the firmware package (zip); you should unzip the package to get the release note in PDF format.
125. p will be sent after booting. • linkDown (defined in RFC 1215): If any link of IDSL or WAN is down, the trap will be sent with the port number. The port number is its interface index under the interface group. • linkUp (defined in RFC 1215): If any link of IDSL or WAN is up, the trap will be sent with the port number. The port number is its interface index under the interface group. • authenticationFailure (defined in RFC 1215): When receiving any SNMP get or set request with the wrong community, this trap is sent to the manager. • whyReboot (defined in ZYXEL-MIB): When the system is going to restart (warmstart), the trap will be sent with the reason of restart before rebooting. i. For intentional reboot: In some cases (download new files, CI command "sys reboot"), reboot is done intentionally, and traps with the message "System reboot by user" will be sent. ii. For fatal error: The system has to reboot for some fatal errors, and traps with the message of the fatal code will be sent. [Figure 3: ZyXEL Private MIB Tree. Nodes shown: Products, pSysVariables Group, pBRIVariables Group, pIPXVariables Group, pAPTVariables Group, pBR6Variable Group, pDialInVariables Group, pRemoteNodeVariables Group, pRemoteUserVariables Group, ZyXEL Traps.] 4. Configure the Prestige for SNMP: The SNMP related settings in Pres
126. play the detailed trace online by entering: sys trcp parse
    Example:
    Prestige> sys trcp channel enet1 none
    Prestige> sys trcp channel enet0 bothway
    Prestige> sys trcp sw on
    Prestige> sys trcl sw on
    Prestige> sys trcp brief
    0 11880.160 ENET0 R 0062 TCP 192.168.1.2:1108 > 192.31.7.130:80
    1 11883.100 ENET0 R 0062 TCP 192.168.1.2:1108 > 192.31.7.130:80
    2 11883.330 ENET0 T 0058 TCP 192.31.7.130:80 > 192.168.1.2:1108
    3 11883.340 ENET0 R 0060 TCP 192.168.1.2:1108 > 192.31.7.130:80
    4 11883.340 ENET0 R 0339 TCP 192.168.1.2:1108 > 192.31
    5 11883.610 ENET0 T 0054 TCP 192.31.7.130:80 > 192.168
    6 11883.620 ENET0 T 0102 TCP 192.31.7.130:80 > 192.168
    7 11883.630 ENET0 T 0054 TCP 192.31.7.130:80 > 192.168
    8 11883.630 ENET0 R 0060 TCP 192.168.1.2:1108 > 192.31
    9 11883.650 ENET0 R 0060 TCP 192.168.1.2:1108 > 192.31
    10 11883.650 ENET0 R 0062 TCP 192.168.1.2:1109 > 192.31
    Prestige> sys trcp parse
    <0000>
    LAN Frame: ENET0 RECV Size: 62/62 Time: 12089.790 sec
    Frame Type: TCP 192.168.1.2:1116 > 192.31.7.130:80
    Ethernet Header: Destination MAC Addr = 00A0C5921311; Source MAC Addr = 0080C84CEA63; Network Type = 0x0800 (TCP/IP)
    IP Header: IP Version = 4; Header Length 2 Typ
127. Menu 15.1 - Address Mapping Sets: 255. SUA (read only). Enter Set Number to Edit: Let's first look at Option 255. Option 255 is equivalent to SUA in previous ZyXEL routers. The fields in this menu cannot be changed. Entering 255 brings up this screen: Menu 15.1.1 - Address Mapping Rules. Set Name= SUA. Columns: Idx, Local Start IP, Local End IP, Global Start IP, Global End IP, Type. Rule 1: Local Start IP 0.0.0.0, Local End IP 255.255.255.255, Global Start IP 0.0.0.0, Type M-1. Rule 2: Global Start IP 0.0.0.0, Type Server. Rules 3 to 10 are empty. Press ENTER to Confirm or ESC to Cancel. The following table explains the fields in this screen. Please note that the fields in this menu are read-only. Field / Description / Option-Example: This is the name of the set you selected in Menu 15.1 or enter Set Name SUA the name of a new set you want to create Idx This is the index or rule number 1 0.0.0.0 for the Many to One type This is the starting local IP address ILA If the rule is for all Local End IP local IPs then the Start IP is 0.0.0.0 and the End IP is 255.255.255.255 255.255.255.255 Global Start This is the starting global IP address IGA If you have a Local Start IP This is the starting local IP address ILA 0.0.0.0 IP dynamic IP enter 0.0.0.0 as the Global Start IP Global End IP This is the ending global IP
128. IP Header: IP Version = 4; Header Length = 20; Type of Service = 0x00 (0); Total Length = 0x0028 (40); Idetification = 0x7A0C (31244); Flags = 0x02; Fragment Offset = 0x00; Time to Live = 0x7F (127); Protocol = 0x06 (TCP); Header Checksum = 0x543C (21564); Source IP = 0xCA849B61 (202.132.155.97); Destination IP = 0xC01F0782 (192.31.7.130)
    TCP Header: Source Port = 0x281E (10270); Destination Port = 0x0050 (80); Sequence Number = 0x00C18F63 (12685155); Ack Number = 0xD3E95DE9 (3555286505); Header Length = 20; Flags = 0x10; Window Size = 0x1DD5 (7637); Checksum = 0x7A12 (31250); Urgent Ptr = 0x0000 (0)
    RAW DATA:
    0000: 00 A0 C5 01 23 45 00 A0 C5 92 13 12 08 00 45 00
    0010: 00 28 7A 0C 40 00 7F 06 54 3C CA 84 9B 61 C0 1F
    0020: 07 82 28 1E 00 50 00 C1 8F 63 D3 E9 5D E9 50 10
    0030: 1D D5 7A 12 00 00
    <0002>
    LAN Frame: ENET1 XMIT Size: 54/54 Time: 12387.490 sec
    Frame Type: TCP 202.132.155.97:10270 > 192.31.7.130:80
    Ethernet Header: Destination MAC Addr = 00A0C5012345; Source MAC Addr = 00A0C5921312; Network Type = 0x0800 (TCP/IP)
    IP Header: IP Version = 4; Header Length; Type of Service = 0x00 (0); Total Length = 0x0028 (40); Idetification = 0x7B0C (31500); Flags = 0x02; Fragment Offs
129. Step 2: Enter the administrator password on the login page that appears and click on login. The default is 1234. Step 3: On the left column, click on Speed Dial to go to the speed dial configuration page. Step 4: Select the entry number you wish to add to the phone book with the entry selector located under the Add New Entry category, in the Speed Dial field. Step 5: Fill in the SIP number of the remote party and a descriptive name, and click on the radio button to select either to use the proxy or to enter the static IP or URL of the remote peer. Step 6: Click on the Add button when you are finished to add the entry to the phone book. A detailed description of each field on the page is listed below. Add New Entry (fields: Speed Dial, SIP Number, Name, Type, Add): Use this section of the screen to edit and save new or existing speed dial phone book entries. Speed Dial: Select a speed dial key combination from the drop-down list box. SIP Number: Enter the SIP number of the party that you will call (use the number or text that comes before the @ symbol in a full SIP URI). You can use up to 127 ASCII characters. Name: Enter a descriptive name to identify the party that you will use this entry to call. You can use up to 127 ASCII characters. Type: Select Use Proxy if calls to this party use your SIP account configured in the VoIP screen. Select Non-Proxy (Use IP or URL) if calls to this party use a different SIP server
130. re potential factors that may cause interference among WLAN products? What's the difference between a WLAN and a WWAN? What is Ad Hoc mode? What is Infrastructure mode? How many Access Points are required in a given area? What is Direct Sequence Spread Spectrum Technology (DSSS)? What is Frequency-hopping Spread Spectrum Technology (FHSS)? Do I need the same kind of antenna on both sides of a link? Why the 2.4 GHz frequency range? What is Server Set ID (SSID)? What is an BESSID? How do I secure the data across an Access Point's radio link? What's WEP? What is the difference between 40-bit and 64-bit WEP? What is a WEP key? A WEP key is a user-defined string of characters used to encrypt and decrypt data. Can the SSID be encrypted? By turning off the broadcast of SSID
131. Why do you need a firewall when your router has packet filtering and NAT built in? With the spectacular growth of the Internet and online access, companies that do business on the Internet face greater security threats. Although packet filtering and NAT restrict access to particular computers and networks, for other companies this security may be insufficient, because packet filters typically cannot maintain session state. Thus, for greater security, a firewall is considered. What is a Denial of Service (DoS) attack? Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. There are four types of DoS attacks: 1. Those that exploit bugs in a TCP/IP implementation, such as Ping of Death and Teardrop. 2. Those that exploit weaknesses in the TCP/IP specification, such as SYN Flood and LAND attacks. 3. Brute-force attacks that flood a network with useless data, such as the Smurf attack. 4. IP Spoofing. What is a Ping of Death attack? Ping of Death uses a PING utility to create an IP packet that exceeds the maximum 65535 bytes of data allowed by the IP specification. The oversize packet is then sent to an unsuspecting system. Systems may crash, hang or reboot. What is Teardrop att
132. If all of the above have been tried but registration still fails, what should I do? In such a case, please contact your local vendor for support. If they can't solve the problem, they will escalate your problem to the ZyXEL tech center. To report a problem, please prepare the info below: 1. Serial number of the device. 2. SIP call server type and vendor. 3. Your device firmware version and romfile with password. 4. Detailed information on what you have tried to resolve the problem. I suspect there is a hardware problem with my Prestige, what should I do? Please follow the troubleshooting section in the user's guide for brief hardware troubleshooting and diagnostic tips. If you are sure there is a hardware problem after following the hardware diagnostic tips in the user's guide, please contact your local ZyXEL vendor to send the device in for RMA service. Firewall FAQ. What is a network firewall? A firewall is a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. The firewall can be thought of as two mechanisms: one to block traffic, and the other to permit traffic. What makes the Prestige firewall secure? The Prestige firewall is pre-configured to automatically detect and thwart Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND attack, IP Spoofing
133. s a DHCP Relay. • What is DHCP Relay? DHCP stands for Dynamic Host Configuration Protocol. In addition to the DHCP server feature, the P2602 supports the DHCP relay function. When it is configured as a DHCP server, it assigns the IP addresses to the LAN clients. When it is configured as a DHCP relay, it is responsible for forwarding the requests and responses negotiated between the DHCP clients and the server. See figure 1. [Figure 1: Prestige as a DHCP Relay (DHCP Server, Prestige, DHCP Client)] • Setup the Prestige as a DHCP Client: 1. Toggle the DHCP to Relay in menu 3.2 and enter the IP address of the DHCP server in the Relay Server Address field. Menu 3.2 - TCP/IP and DHCP Setup. DHCP Setup: DHCP= Relay; Client IP Pool Starting Address= N/A; Size of Client IP Pool= N/A; Primary DNS Server= N/A; Secondary DNS Server= N/A; Remote DHCP Server= 192.168.1.2. TCP/IP Setup: IP Address= 192.168.1.1; IP Subnet Mask= 255.255.255.0; RIP Direction= None; Version= N/A; Multicast= None; IP Policies=; Edit IP Alias= No. Press ENTER to Confirm or ESC to Cancel. Configure an Internal Server Behind SUA. [Figure: Prestige, Remote client, Web Server] • Introduction: If you wish, you can make internal servers (e.g. Web
134. s and the security gateway must be separate machines. Both IPSec protocols, AH and ESP, can operate in either transport mode or tunnel mode. What is SA? A Security Association (SA) is a contract between two parties indicating what security parameters, such as keys and algorithms, they will use. What is IKE? IKE is short for Internet Key Exchange. Key Management allows you to determine whether to use IKE (ISAKMP) or manual key configuration to set up a VPN. There are two phases in every IKE negotiation: phase 1 (Authentication) and phase 2 (Key Exchange). Phase 1 establishes an IKE SA and phase 2 uses that SA to negotiate SAs for IPSec. What is Pre-Shared Key? A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "Pre-shared" because you have to share it with another party before you can communicate with them over a secure connection. What are the differences between IKE and manual key VPN? The only difference between IKE and manual key is how the encryption keys and SPIs are determined. • For IKE VPN, the key and SPIs are negotiated from one VPN gateway to the other. Afterward, the two VPN gateways use these negotiated keys and SPIs to send packets between the two networks. • For manual key VPN, the encryption key, authentication key (if needed) and SPIs are predetermined by the admi
135. If your Prestige is capable of VPN, you can find the VPN options in the Advanced > VPN tab. For configuring a box-to-box VPN, there are some tips: 1. If there is a NAT router running in front of the Prestige, please make sure the NAT router supports IPSec pass-through. In the NAT case (whether NAT runs on the front-end router or in the Prestige VPN box), only IPSec ESP tunneling mode is supported, since NAT conflicts with AH mode. Source IP/Destination IP: Please do not number the LANs (local and remote) using the same exact range of private IP addresses. This will make the VPN destination addresses and the local LAN addresses indistinguishable, and VPN will not work. Secure Gateway IP Address: This must be a public, routable IP address; a private IP is not allowed. That means it cannot be in the 10.x.x.x subnet, the 192.168.x.x subnet, nor in the range 172.16.0.0 - 172.31.255.255 (these address ranges are reserved by internet standard for private LAN numberings behind NAT devices). It is usually a static IP so that we can pre-configure it in the Prestige for making VPN connections. If it is a dynamic IP given by the ISP, you can still configure this IP address after the remote Prestige is on-line and its WAN IP is available from the ISP. Does Prestige support dynamic secure gateway IP? If the remote VPN gateway uses a dynamic IP, we enter 0.0.0.0 as the Secure Gateway IP Ad
136. s depending on what codec is supported on both ends of the VoIP host. Generally, a codec with low bandwidth consumption and high voice quality is a good codec. What do I need in order to use SIP? The minimum required to use VoIP is as follows: 1. A high speed Internet connection. This can be a cable modem or a high speed network service such as ISDN, DSL or a T-1 link. The bandwidth required will depend on the amount of telephone traffic in your network. 2. A PC with VoIP software installed, or a hardware VoIP box such as an ATA or a device like the Prestige 2602 VoIP station router. 3. An account with a VoIP provider such as an ITSP. The account can be configured to recognize your calls automatically, or you can require the users to enter their unique account numbers issued. Unable to register with the SIP server? If you are unable to register with the SIP server: 1. Make sure the Internet is reachable and the SIP register server is reachable. If your register server uses a domain name, make sure the DNS name can be resolved. If you are using a static WAN IP, make sure the DNS server is configured correctly on your Prestige. 2. Make sure the SIP account is correct and the password is keyed in correctly. 3. Check if there is a NAT router before it. Prestige is a VoIP station gateway. We do not suggest having a NAT router before it, as it m
137. s or even a network of PCs to utilize the VPN/IPSec service. Can Prestige support IPSec passthrough? Yes, Prestige can support IPSec passthrough. The Prestige series doesn't only support IPSec VPN gateway; it can also be a NAT router supporting IPSec passthrough. If the VPN connection is initiated from the security gateway behind the Prestige, no configuration is necessary for NAT or Firewall. If the VPN connection is initiated from the security gateway outside of the Prestige, NAT port forwarding and Firewall forwarding are necessary. To configure NAT port forwarding, please go to the WEB interface (Setup, SUA/NAT) and put the secure gateway's IP address in the default server. To configure Firewall forwarding, please go to the WEB interface (Setup, Firewall), set Packet Direction to WAN to LAN, and create a firewall rule that forwards IKE (UDP:500). Can Prestige behave as a NAT router supporting IPSec passthrough and an IPSec gateway simultaneously? No, Prestige can't support them simultaneously. You need to choose one or the other. If the Prestige is to support IPSec passthrough, you have to disable the VPN function on the Prestige. To disable it, you can either deactivate each VPN rule or issue the CI command "ipsec switch off" from SMT menu 24.8. You can get into the SMT menu via either a telnet or a console connection. Trouble Shooting. For general device installati
138. s you a new IP, the Prestige sends this IP to the DDNS server for its updates. What DDNS servers does the Prestige support? The DDNS server the Prestige currently supports is WWW.DYNDNS.ORG, where you apply for the DNS and update the WAN IP to. What is DDNS wildcard? Some DDNS servers support the wildcard feature, which allows the hostname *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful when there are multiple servers inside and you want users to be able to use things such as www.yourhost.dyndns.org and still reach your hostname. Does the Prestige support DDNS wildcard? Yes, the Prestige supports the DDNS wildcard that WWW.DynDNS.ORG supports. When using wildcard, you simply enter yourhost.dyndns.org in the Host field in Menu 1.1. Can the Prestige SUA handle IPsec packets sent by the VPN gateway behind the Prestige? Yes, the Prestige's SUA can handle IPsec ESP tunneling mode. We know that when packets go through SUA, SUA will change the source IP address and source port for the host. To pass IPsec packets, SUA must understand the ESP packet with protocol number 50, and replace the source IP address of the IPsec gateway with the router's WAN IP address. However, SUA should not change the source port of the UDP packets which are used for key management. Because the remote gateway checks this source port during connections, the port is not allowed to be changed.
139. sed to share a Microsoft computer of a workgroup. For security reasons, the NetBIOS connection to an outside host is blocked by the Prestige router as a factory default. Users can remove the filter sets applied to menu 3.1 and menu 4.1 to activate the NetBIOS services. The details of the filter settings are described as follows. • Configuration: The packets that need to be blocked are as follows. Please configure two filter sets with 4 and 2 rules respectively, based on the following packets, in SMT menu 21. Filter Set 1: Rule 1: Destination port number 137 with protocol number 6 (TCP). Rule 2: Destination port number 137 with protocol number 17 (UDP). Rule 3: Destination port number 138 with protocol number 6 (TCP). Rule 4: Destination port number 138 with protocol number 17 (UDP). Rule 5: Destination port number 139 with protocol number 6 (TCP). Rule 6: Destination port number 139 with protocol number 17 (UDP). Filter Set 2: Rule 1: Source port number 137, destination port number 53, with protocol number 6 (TCP). Rule 2: Source port number 137, destination port number 53, with protocol number 17 (UDP). Before starting to set the filter rules, please enter a name for each filter set in the Comments field first. Menu 21 - Filter Set Configuration: NetBIOS_WAN 7 NetBIOS_LAN 8 9 10 11 12
140. sessions over the Internet. SIP signaling is separate from the media for which it handles sessions. The media that is exchanged during the session can use a different path from that of the signaling. SIP handles telephone calls and can interface with traditional circuit-switched telephone networks. The Prestige can hold up to two SIP accounts simultaneously; please follow the instructions below to configure the SIP account properly. Note: You should have a voice account already set up and have VoIP information from your VoIP service provider prior to configuring a SIP account on the unit. [Screenshot: Voice - SIP Settings page. SIP Account: SIP1. SIP Settings: Active SIP; SIP Number: ChangeMe; SIP Local Port: 5060; SIP Server Address: server.sip.net; SIP Server Port: 5060; REGISTER Server Address: server.sip.net; REGISTER Server Port: 5060 (1-65535); SIP Service Domain: server.sip.net. Authentication: User ID: ChangeMe; Password (masked). Caller ID: Send Caller ID. Incoming Call apply to: Phone1, Phone2. Advanced Settings.] With the account information your ITSP provided, you may now start. Step 1: Open the web browser from your workstation to connect to the Prestige by entering the management IP address of the Prestige (LAN IP address). The defaul
141. single IP address to represent the multiple hosts inside. It does more than IP address translation, so that multiple hosts on the LAN can access the Internet at the same time. How many network users can the SUA/NAT support? The Prestige does not limit the number of users, but the number of sessions. The Prestige supports 1024 sessions; you can use the "ip nat iface enif0 disp" command in menu 24.8 to view the current active sessions. What are Device filters and Protocol filters? In ZyNOS, the filters have been separated into two groups. One group is called the device filter group, and the other is called the protocol filter group. Generic filters belong to the device filter group; TCP/IP and IPX filters belong to the protocol filter group. Why can't I configure device filters or protocol filters? In ZyNOS, you cannot mix different filter groups in the same filter set. Product FAQ. What is the Prestige Integrated Access Device? The Prestige series fulfills a range of application environments, from small and medium businesses, SOHO or telecommuters to home users or education applications. The Prestige's design helps users to save expenses, minimize maintenance and simultaneously provide a high-quality networking environment. The Prestige series is a robust solution, complete with everything needed for providing Internet access to multiple workstations through ADSL. The IAD is equipped with 1 auto MDI/MDIX 10/100Mbps Eth
142. sk= 0.0.0.0; Port= 0; Port Comp= None. Source: IP Addr= 0.0.0.0; IP Mask= 0.0.0.0; Port= 0; Port Comp= None. TCP Estab= N/A; More= No; Log= None; Action Matched= Check Next Rule; Action Not Matched= Check Next Rule. Press ENTER to Confirm or ESC to Cancel. Saving to ROM. Please wait. Protocol and device rule cannot be active together. To separate the device and protocol filter categories, two new menus, Menu 11.5 and Menu 13.1, have been added, as well as some changes made to Menu 3.1, Menu 11.1 and Menu 13. The new fields are shown below. Menu 3.1 - General Ethernet Setup: Input Filter Sets: protocol filters=, device filters=; Output Filter Sets: protocol filters=, device filters=. Menu 11.1 - Remote Node Profile: Rem Node Name= LAN; Active= Yes; Encapsulation= PPP; Incoming: Rem Login= test, Rem Password=; Outgoing: My Login= testt, My Password=, Authen= CHAP/PAP; Route= IP; Bridge= No; Edit PPP Options= No; Rem IP Addr=; Edit IP/IPX/Bridge= No; Session Options: Edit Filter Sets= Yes. Press ENTER to Confirm or ESC to Cancel. Menu 11.5 - Remote Node Filter: Input Filter Sets: protocol filters=, device filters=; Output Filter
143. sys trcl sw off
    Prestige> sys trcp sw off
    Prestige> sys trcp brief
    0 12864.800 ENET1 T 0411 TCP 202.132.155.97:10278 > 204.217.0.2:80
    1 12864.890 ENET1 R 0247 TCP 204.217.0.2:80 > 202.132.155.97:10282
    2 12864.900 ENET1 T 0416 TCP 202.132.155.97:10282 > 204.217.0.2:80
    3 12865.120 ENET1 R 0247 TCP 204.217.0.2:80 > 202.132.155.97:10278
    4 12865.130 ENET1 T 0411 TCP 202.132.155.97:10278 > 204.217.0.2:80
    5 12865.220 ENET1 R 0247 TCP 204.217.0.2:80 > 202.132.155.97:10282
    Prestige> sys trcp parse 3 4
    <0003>
    LAN Frame: ENET1 RECV Size: 247/96 Time: 12865.120 sec
    Frame Type: TCP 204.217.0.2:80 > 202.132.155.97:10278
    Ethernet Header: Destination MAC Addr = 00A0C5921312; Source MAC Addr = 00A0C5591284; Network Type = 0x0800 (TCP/IP)
    IP Header: IP Version = 4; Header Length = 20; Type of Service = 0x00 (0); Total Length = 0x00E5 (229); Idetification = 0xE93B (59707); Flags = 0x02; Fragment Offset = 0x00; Time to Live = 0xF0 (240); Protocol = 0x06 (TCP); Header Checksum = 0x6E15 (28181); Source IP = 0xCCD90002 (204.217.0.2); Destination IP = 0xCA849B61 (202.132.155.97)
    TCP Header: Source Port = 0x0050 (80); Destination Port = 0x2826 (10278); Sequence Number; Ack Number; Header Length; Flags
144. <0000>
    LAN Frame: ENET0 RECV Size: 62/62 Time: 12089.790 sec
    Frame Type: TCP 192.168.1.2:1116 > 192.31.7.130:80
    Ethernet Header: Destination MAC Addr = 00A0C5921311; Source MAC Addr = 0080C84CEA63; Network Type = 0x0800 (TCP/IP)
    IP Header: IP Version = 4; Header Length = 20; Type of Service = 0x00 (0); Total Length = 0x0030 (48); Idetification = 0x330B (13067); Flags = 0x02; Fragment Offset = 0x00; Time to Live = 0x80 (128); Protocol = 0x06 (TCP); Header Checksum = 0x3E71 (15985); Source IP = 0xC0A80102 (192.168.1.2); Destination IP = 0xC01F0782 (192.31.7.130)
    TCP Header: Source Port = 0x045C (1116); Destination Port = 0x0050 (80); Sequence Number = 0x00BD15A7 (12391847); Ack Number = 0x00000000 (0); Header Length = 28; Flags = 0x02; Window Size = 0x2000 (8192); Checksum = 0xBEC3 (48835); Urgent Ptr = 0x0000 (0); Options = 0000: 02 04 05 B4 01 01 04 02
    RAW DATA:
    0000: 00 A0 C5 92 13 11 00 80 C8 4C EA 63 08 00 45 00
    0010: 00 30 33 0B 40 00 80 06 3E 71 C0 A8 01 02 C0 1F
    0020: 07 82 04 5C 00 50 00 BD 15 A7 00 00 00 00 70 02
    0030: 20 00 BE C3 00 00 02 04 05 B4 01 01 04 02
    <0001>
    LAN Frame: ENET0 XMIT
145. t are received by Prestige, the original IP source address and TCP/UDP source port numbers are written into the destination fields of the packet (since it is now moving in the opposite direction), the checksums are recomputed, and the packet is delivered to its true destination. This is because SUA keeps a table of the IP addresses and port numbers of the local systems currently using it. What is the difference between NAT and SUA? NAT is a generic name defined in RFC 1631, "The IP Network Address Translator (NAT)". SUA (Internet Single User Account) is ZyXEL's implementation and trade name for functioning PAT, which is a specific type of NAT. SUA (or PAT for NAT) translates address into port mapping. The primary motivation for RFC 1631 is that there are not enough IP addresses to go around. In addition, many corporations simply did not bother to obtain legal (globally unique) IP addresses for their networks and now find themselves unable to connect to the Internet. Basically, NAT is a process of translating one address to another. A NAT implementation can be as simple as substituting an IP address with another. This allows a network to rectify the illegal address problem mentioned above without going through each and every host. The design goal of ZyXEL's SUA is to minimize the Internet access cost in a small office environment by using a
146. t management IP of Prestige is 192.168.1.1. Step 2: Enter the administrator password on the login page and click Login. The default is 1234. Step 3: In the left column, click Voice to open the Voice configuration menu, then click SIP Settings. On the SIP Settings page, use the account selector at the upper right of the page to select the SIP account you would like to configure. Step 4: Check the "active SIP" box if you would like to use this account, and fill in the account information your ITSP provided in the SIP Setting category. This will normally include your SIP number, SIP local port, SIP server address, SIP server port, Register server port, Register server address and SIP service domain. Step 5: In the Authentication category, fill in the User ID and authentication password your ITSP provided to you. Step 6: If you wish to send caller ID, check the check box in the Caller ID category; if you do not wish to send caller ID, leave the check box unchecked. Step 7: Check phone port 1 or phone port 2, whichever you would like to associate with this account for incoming calls. Prestige allows you to associate either one or both phone ports with a single SIP account, so you can designate which phone rings, or have both ring, when a call is received on a specific SIP account. Step 8: Click Apply to save the settings and have them take effect. If you would li
147. ternet through its normal gateway. Thus the backup gateway acts as an auxiliary backup of your WAN connection. Once Prestige detects that its WAN connectivity is broken, Prestige will try to forward outgoing traffic to the backup gateway that users specify in the traffic redirect configuration menu.
How to deploy backup gateway? You can deploy the backup gateway on the LAN of Prestige.
[Figure: Prestige and backup gateway, Traffic Redirect on LAN port]
Traffic Redirect Setup: Configure the parameters that determine when Prestige will forward WAN traffic to the backup gateway using SMT Menu 2 - WAN Backup Setup.
Menu 2 - Wan Backup Setup
  Check Mechanism = DSL Link
  Check WAN IP Address1 = 0.0.0.0
  Check WAN IP Address2 = 0.0.0.0
  Check WAN IP Address3 = 0.0.0.0
  KeepAlive Fail Tolerance = 5
  Recovery Interval(sec) = 60
  ICMP Timeout(sec) = 0
  Traffic Redirect = Yes
Key Settings labels: Backup Type; Check WAN IP Address1-3; Fail Tolerance; Recovery Interval; Timeout; Traffic
Description: Select the method that the Prestige uses to check the DSL connection. Select DSL Link to have the Prestige check if the connection to the DSLAM is up. Select ICMP to have the Prestige periodically ping the IP addresses configured in the Check WAN IP Address fields. Configure this fie
148. teway to Prestige.
PPTP client setup (Win9x): Add one VPN connection from Dial-Up Networking by entering the correct username and password and the Prestige's Internet IP address for logging in to the NT RAS server. Set the Internet gateway to the router that is connecting to the ISP.
Prestige router setup: Before making a VPN connection from Win9x to the WinNT server, you need to connect the Prestige router to your ISP first. Enter the IP address of the PPTP server (WinNT server) and the port number for PPTP as shown below.
Menu 15.2 - NAT Server Setup (Used for SUA Only)
Rule   Start Port No.   End Port No.   IP Address
1.     Default          Default        0.0.0.0
2.     1723             1723           192.168.1.10
3.     0                0              0.0.0.0
4.     0                0              0.0.0.0
5.     0                0              0.0.0.0
6.     0                0              0.0.0.0
7.     0                0              0.0.0.0
8.     0                0              0.0.0.0
9.     0                0              0.0.0.0
10.    0                0              0.0.0.0
11.    0                0              0.0.0.0
12.    0                0              0.0.0.0
Press ENTER to Confirm or ESC to Cancel
When you have finished the above settings, you can ping the remote Win9x client from WinNT. This ping command is used to demonstrate that the remote Win9x can be reached across the Internet. If the Internet connection between the two LANs is achieved, you can place a VPN call from the remote Win9x client. For example: C:\> ping 203.66.113.2 W
149. the NAT field. This is the Many-to-One mapping discussed earlier. The SUA (read only) option from the NAT field in menus 4 and 11.3 is specifically pre-configured to handle this case.
2. Internet Access with an Internal Server
[Figure: Internet Access using NAT, Many-to-One plus a Server Set. Client 1 (ILA1), Client 2 (ILA2), Client 3 (ILA3) and FTP Server (ILA4) behind the Prestige; one IGA assigned by ISP]
In this case we do exactly as above (use the convenient pre-configured SUA Only set) and also go to Menu 15.2 - NAT Server Setup (Used for SUA Only) to specify the Internet server behind the NAT, as shown below.
Menu 15.2 - NAT Server Setup (Used for SUA Only)
Rule   Start Port No.   End Port No.   IP Address
1.     Default          Default        0.0.0.0
2.     21               21             192.168.1.33
3.     0                0              0.0.0.0
4.     0                0              0.0.0.0
5.     0                0              0.0.0.0
6.     0                0              0.0.0.0
7.     0                0              0.0.0.0
8.     0                0              0.0.0.0
9.     0                0              0.0.0.0
10.    0                0              0.0.0.0
11.    0                0              0.0.0.0
12.    0                0              0.0.0.0
Press ENTER to Confirm or ESC to Cancel
3. Using Multiple Global IP addresses for clients and servers (One-to-One, Many-to-One and Server Set mapping types are used)
[Figure: Mapping Multiple IGAs for clients and servers. General Server 192.168.1.20, Other Clients 192.168.1.X, FTP Server 1 192.168.1.10 and FTP Server 2 192.168.1.11 behind the Prestige; 3 IGAs assigned by ISP]
In this case we have 3 IGAs: IGA1, IGA2
150. tige are configured in menu 22 - SNMP Configuration. The following steps describe a simple setup procedure for configuring all SNMP settings.
Menu 22 - SNMP Configuration
  SNMP:
    Get Community = public
    Set Community = public
    Trusted Host = 192.168.1.33
    Trap:
      Community = public
      Destination = 192.168.1.33
Press ENTER to Confirm or ESC to Cancel
Key Settings:
Option             Description
Get Community      Enter the correct Get Community. This Get Community must match the Get and GetNext community requested from the NMS. The default is "public".
Set Community      Enter the correct Set Community. This Set Community must match the Set community requested from the NMS. The default is "public".
Trusted Host       Enter the IP address of the NMS. The Prestige will only respond to SNMP messages coming from this IP address. If 0.0.0.0 is entered, the Prestige will respond to all NMS managers.
Trap Community     Enter the community name in each trap sent to the NMS. This Trap Community must match what the NMS is expecting. The default is "public".
Trap Destination   Enter the IP address of the NMS that you wish to send the traps to. If 0.0.0.0 is entered, the Prestige will not send traps to any NMS manager.
Using syslog
Prestige Setup: Menu 24.3.2 - System Maintenance - UNIX Syslog and Accounting UNIX Sysl
151. tocol 0x06 TCP 146 All contents copyright c 2005 ZyXEL Communications Corporation ZyXEL Header Checksum Source IP Destination IP TCP Header Source Port Destination Port Sequence Number Ack Number Header Length Flags Window Size Checksum Urgent Ptr 0xD59C 54684 Prestige 2602H 6xC Support Notes OxCA849B61 202 132 155 97 OxCCD90002 204 217 0 2 0x2826 10278 0x0050 80 0x00C8C015 13156373 20 TOKS Glee og 0x1E87 7815 0x4374 17268 0x0000 0 TCP Data Length 357 Captured 42 0000 47 45 54 20 2F 70 69 63 74 75 72 65 7 3 0010 67 61 7A 69 6E 65 SF 6C 6F 67 OF 2F 62 0020 6F 66 74 69 6D 65 73 2E 67 69 RAW DATA 0000 00 AO C5 59 12 84 00 A0 C5 92 13 12 08 0010 01 8D F2 0C 40 00 7F 06 D5 9C CA 84 9 0020 00 02 28 26 00 50 00 C8 CO 15 4 0030 1E 87 43 74 00 00 47 45 54 20 2 0040 72 65 73 2F 6D 61 67 61 7A 69 6E 65 5F 0050 6F 2F 62 65 73 74 6F 66 74 69 6 Prestige gt Dees 70 6 gs B R DG 9 Ox4D713E47 1299267143 2F 6D 61 65 73 74 00 45 00 61 CC D9 47 50 18 63 74 75 D 65 7 Debug PPPoE Connection Debug PPPoE Connection All contents copyright c 2005 ZyXEL Communications Corporation au 3 6C 6F 67 2E 67 69 GET pictures ma gazine_logo best oftimes gi Toe ee eee E fate cies cant aloes Dal cane gees MOPE C GET piciu res magazine_log o bestoftimes gi 147 Zy
152. tting SMT to factory default.
The procedure for uploading ROMFILE via the web configurator is as follows:
a. Log on to the web configurator.
b. Press MAINTENANCE from the left menu.
c. Press the Configuration tab.
d. Press the Restore tab and press the Browse button; point to the directory where the romfile you want to upload is stored.
e. Press the Upload button.
The procedure for backing up ROMFILE via the web configurator is as follows:
a. Log on to the web configurator.
b. Press MAINTENANCE from the left menu.
c. Press the Configuration tab.
d. Press the Backup button; a pop-up window will ask you where to store the backup romfile.
e. Press Save file and browse to where you want the file to be saved.
f. Press the Save button.
How do I backup/restore configurations by using an FTP client program via LAN?
Use an FTP client program on your PC, such as cuteftp or wsftp, to log in to your Prestige. To back up the configurations, use the FTP client program to get the file "rom-0" from the Prestige. To restore the configurations, use the FTP client program to put your configuration in the file "rom-0" on the Prestige.
Why can't I Telnet to the Prestige from the WAN?
There are three possible reasons that Telnet from the WAN is blocked.
a. You have not enabled Telnet service on the WAN interface in Menu 24.11.
b. Telnet service is enabled but your host IP is not the secured host entered in Menu 24.11. In this case the error message "Client IP is not allowed
153. tworks correctly They are enifO for the major network enif0 0 for the IP alias 1 and enif0 1 for the IP alias 2 Therefore three routes are created in the Prestige as shown below when the three networks are configured If the Prestige s DHCP is also enabled the IP pool for the clients can be any of the three networks Copyright c 1994 2004 ZyXEL Communications Corp ras gt ip ro st Dest FF Len Interface Gateway Metric stat Timer Use 192 168 3 0 00 24 enif0 1 192 168 31 1 041b 0 0 192 168 2 0 00 24 enif0 0 LTOS i 041b 0 0 192 168 1 0 00 24 enifO 192 168 1 1 l 041b 0 0 ras gt 75 All contents copyright c 2005 ZyXEL Communications Corporation ZyXEL Prestige 2602H 6xC Support Notes Two new protocol filter interfaces in menu 3 2 1 allow you to accept or deny LAN packets from to the IP alias 1 and IP alias 2 go through the Prestige The filter set in menu 3 1 is used for main network configured in menu 3 2 IP Alias Setup 1 Edit the first network in menu 3 2 by configuring the Prestige s first LAN IP address Menu 3 2 TCP IP and DHCP Se DHCP up Server Client IP Pool Starting Size ot Client IP Pool y DNS Server 0 0 Secondary DNS Server 0 Remote DHCP Server N A TGP IE Set IP Address 192 168 1 1 IP Subnet Mask 255 255 RIP Direction None Version N A Primar Multicast None PP aPolierves Edit IP Alias Yes DHCP Setup Address 192 168 1 33 32 1020 0 0 0 emt
154. unications Corp
r3 0x56FF54FF r7 0x60000093 fp 0x00000000 pc 0x00013954
initialize ch = 0, ethernet address: 00:a0:c5:d1:78:e9
Wan Channel init ... done
vc5402 Init OK
Press ENTER to continue...
Enter Password : XXXX
LAN/WAN Packet Trace
The Prestige packet trace records and analyzes packets running on the LAN and WAN interfaces. It is designed for users with technical backgrounds who are interested in the details of the packet flow on the LAN or WAN end of the Prestige. It is also very helpful for diagnostics if you have compatibility problems with your ISP or if you want to know the details of a packet for configuring a filter rule.
The format of the display is as follows:
Packet: 0 11880.160 ENET0-R[0062] TCP 192.168.1.2:1108->192.31.7.130:80
[index] [timer/second] [channel-receive/transmit] [length] [protocol] [sourceIP/port] [destIP/port]
There are two ways to dump the trace:
1. Online Trace: display the trace in real time on screen.
2. Offline Trace: capture the trace first and display it later.
The details for capturing the trace in SMT menu 24.8 are as follows.
Online Trace
1. Trace LAN packet
2. Trace WAN packet
155. ve configured all four rules, Menu 15.1.1 should look as follows.
Menu 15.1.1 - Address Mapping Rules, Set Name = Example3
[Table of address mapping rules (columns: Idx, Local Start IP, Local End IP, Global Start IP, Global End IP, Type) not recoverable from the extraction]
Press ESC or RETURN to Exit
Step 3: Now we configure all other incoming traffic to go to our web server and mail server from Menu 15.2 - NAT Server Setup (not Set 1; Set 1 is used for the SUA Only case).
Menu 15.2 - NAT Server Setup
Rule   Start Port No.   End Port No.   IP Address
1.     Default          Default        0.0.0.0
2.     80               80             192.168.1.20
3.     25               25             192.168.1.20
4.     0                0              0.0.0.0
5.     0                0              0.0.0.0
6.     0                0              0.0.0.0
7.     0                0              0.0.0.0
8.     0                0              0.0.0.0
9.     0                0              0.0.0.0
10.    0                0              0.0.0.0
11.    0                0              0.0.0.0
12.    0                0              0.0.0.0
Press ENTER to Confirm or ESC to Cancel
4. Support Non NAT Friendly Applications
Some servers providing Internet applications, such as some mIRC servers, do not allow users to log in using the same IP address. In this case it is better to use the Many-to-Many No Overload or One-to-One NAT mapping types, so that each user logs in to the server using a unique global IP address. The following figure illustrates this. User
156. via a familiar PPP dialer such as the Dial-Up Networking user interface. PPPoE supports a broad range of existing applications and services, including authentication, accounting, secure access and configuration management. Some service providers are running PPPoE today. Before configuring PPPoE in the Prestige, please make sure your ISP supports PPPoE.
Does the Prestige support PPPoE?
Yes. The Prestige supports PPPoE since ZyNOS 2.50.
How do I know I am using PPPoE?
PPPoE requires a user account to log in to the provider's server. If you need to configure a user name and password on your computer to connect to the ISP, you are probably using PPPoE. If you are simply connected to the Internet when you turn on your computer, you probably are not. You can also check with your ISP or the information sheet given by the ISP. Please choose PPPoE as the encapsulation type in the Prestige if the ISP uses PPPoE.
Why does my provider use PPPoE?
PPPoE emulates a familiar Dial-Up connection. It allows your ISP to provide services using their existing network configuration over broadband connections. Besides, PPPoE supports a broad range of existing applications and services, including authentication, accounting, secure access and configuration management.
Which Internet applications can I use with the Prestige?
Most common applications include
157. ws all connections from LAN to WAN and the other blocks all connections from WAN to LAN, except for DHCP packets.
[Figure: Default ACLs. The Prestige forwards LAN-to-WAN connections and blocks WAN-to-LAN connections from the Internet]
How can I protect against IP spoofing attacks?
The Prestige's firewall will automatically detect IP spoofing and drop it if the firewall is turned on. If the firewall is not turned on, we can configure a filter set to block IP spoofing attacks. The basic scheme is as follows.
For the input data filter:
- Deny packets from the outside that claim to be from the inside
- Allow everything that is not spoofing us
Filter rule setup:
- Filter Type = TCP/IP Filter Rule
- Active = Yes
- Source IP Addr = a.b.c.d
- Source IP Mask = w.x.y.z
- Action Matched = Drop
- Action Not Matched = Forward
Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask.
For the output data filters:
- Deny bounceback packets
- Allow packets that originate from us
Filter rule setup:
- Filter Type = TCP/IP Filter Rule
- Active = Yes
- Destination IP Addr = a.b.c.d
- Destination IP Mask = w.x.y.z
- Action Matched = Drop
- Action Not Matched = Forward
Where a.b.c.d is an IP address