ZyXEL Communications 1600 Network Router User Manual
Contents
1. [Screen: Wireless LAN MAC Filter, with Active (No), Action (Allow Association), a table of MAC Address entries, and Apply and Cancel buttons] Figure 15 Wireless LAN MAC Address Filter. The following table describes the fields in this screen. Table 4 Wireless LAN MAC Address Filter. LABEL: DESCRIPTION. Active: Select Yes from the drop-down list box to enable MAC address filtering. Action: Define the filter action for the list of MAC addresses in the MAC Address table. Select Deny Association to block access to the router; MAC addresses not listed will be allowed to access the router. Select Allow Association to permit access to the router; MAC addresses not listed will be denied access to the router. M
2. The domain name or e-mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address. The domain name also does not have to match the remote router's IP address or what you configure in the Secure Gateway IP Address field below. Secure Gateway IP Address: Type the WAN IP address or the URL (up to 31 characters) of the IPSec router with which you're making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address (the Key Management field must be set to IKE). Encapsulation Mode: Select Tunnel mode or Transport mode from the drop-down list box. VPN Protocol: Select ESP if you want to use ESP (Encapsulation Security Payload). The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH. If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described below). Select AH if you want to use AH (Authentication Header Protocol). The AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance), and non-repudiation, but not for confidentiality, for which the ESP was designed. If you select AH here, you must select options from the Authentication Algorithm field (described below). Pre-shared Key: Type your pre-shared key in this field. A pre-shared key identifies a communic
3. policy is active. No signifies that this VPN policy is not active. Local Address: This is the IP address(es) of computer(s) on your local network behind your Prestige. The same (static) IP address is displayed twice when the Local Address Type field in the Configure IKE (or Manual) screen is configured to Single Address. The beginning and ending (static) IP addresses, in a range of computers, are displayed when the Local Address Type field in the Configure IKE (or Manual) screen is configured to Range Address. A (static) IP address and a subnet mask are displayed when the Local Address Type field in the Configure IKE (or Manual) screen is configured to Subnet Address. (Table 9 VPN Summary, LABEL: DESCRIPTION) Remote Address: This is the IP address(es) of computer(s) on the remote network behind the remote IPSec router. This field displays N/A when the Secure Gateway IP Address field displays 0.0.0.0. In this case only the remote IPSec router can initiate the VPN. The same (static) IP address is displayed twice when the Remote Address Type field in the Configure IKE (or Manual) screen is configured to Single Address. The beginning and ending (static) IP addresses, in a range of computers, are displayed when the Remote Address Type field in the Configure IKE (or Manual) screen is configured to Range Address. A (static) IP address and a subnet mask are displayed when the Remote Addres
4. on when you turn on the Prestige: Make sure that you have the correct power adapter connected to the Prestige and plugged in to an appropriate power source. Check all cable connections. If the LEDs still do not turn on, you may have a hardware problem. In this case, you should contact your local vendor. Cannot access the Prestige from the LAN: Check the cable connection between the Prestige and your computer or hub. Refer to the Rear Panel Connections section for details. Ping the Prestige from a LAN computer. Make sure your computer Ethernet adapter is installed and functioning properly. Cannot ping any computer on the LAN: If the LAN LEDs are all off, check the cable connections between the Prestige and your LAN computers. Verify that the IP address and subnet mask of the Prestige and the LAN computers are in the same IP address range. Cannot ping any computer on the WLAN: Make sure the wireless card is properly inserted in the Prestige and the WLAN LED is on. Make sure the wireless card on the wireless client is working properly. Check that both the Prestige and wireless client(s) are using the same ESSID, channel and WEP keys (if WEP encryption is activated). Cannot get a WAN IP address from the ISP: Check your Encapsulation, Multiplex and VPI/VCI settings (refer to section 4.3). You need a user name and password if you're using PPPoE or PPPoA encapsulation. Make sure that you have entered the corre
5. CTS handshake. Fragmentation Threshold: Fragmentation Threshold is the maximum data fragment size that can be sent. WEP Encryption: WEP (Wired Equivalent Privacy) encrypts data frames before transmitting them over the wireless network. Select Disable to allow all wireless computers to communicate with the access points without any data encryption. Select 64-bit WEP or 128-bit WEP and then configure the keys in the fields provided to activate data encryption. Key 1 to Key 4: The WEP keys are used to encrypt data. Both the Prestige and the wireless clients must use the same WEP key for data transmission. If you chose 64-bit WEP, then enter any 5 characters (ASCII string) or 10 hexadecimal characters ("0-9", "A-F"). If you chose 128-bit WEP, then enter 13 characters (ASCII string) or 26 hexadecimal characters ("0-9", "A-F"). Select only one key to be activated at any one time. The wireless clients and Prestige must use the same ESSID, channel ID and WEP encryption key (if WEP is enabled) for wireless communication. 5.2 Wireless LAN Security Setup. For added security, set your Prestige to check the MAC address of the wireless client device against a list of allowed or denied MAC addresses. To set up the MAC address list for wireless LAN, click Advanced Setup in the navigation panel, Wireless and then click the MAC Filter link.
6. Configurations. Otherwise click Save Settings to save the configuration and skip to step 5. [Screen: Wizard Setup - ISP Parameters for Internet Access. WAN Information: Mode: Routing; Encapsulation: PPPoE; Multiplexing: LLC; VPI/VCI: 8/35; Service Name; User Name; Password; IP Address: Obtain an IP Address Automatically; NAT: SUA Only; Connect on Demand: Max Idle Timeout 1500 Secs. LAN Information: IP Address: 192.168.1.1; IP Mask: 255.255.255.0; DHCP: ON; Client IP Pool Starting Address: 192.168.1.33; Size of Client IP Pool: 32. Buttons: Change LAN Configuration, Save Settings] Figure 11 Wizard Screen 3. Step 4. If you want to change your Prestige LAN settings, click Change LAN Configuration to display the screen as shown next. Enter the IP address of your Prestige in dotted decimal notation in the LAN IP Address field. For example, 192.168.1.1 (factory default). [Screen: Wizard Setup - ISP Parameters for Internet Access, with LAN IP Address (192.168.1.1), LAN Subnet Mask, DHCP, Size of Client IP Pool, Primary DNS Server and Secondary DNS Server fields] If you change the Prestige's LAN IP address, you must use the new IP address if you want to access the web configurator again. Enter a subnet mask in dotted decimal notation in the LAN Subnet Mask field. From the DHCP Server drop-down list box, select On to allow your Prestige to assign IP addresses an IP defa
7. [Browser window with 192.168.1.1 entered in the Address field] Step 2. An Enter Network Password window displays. Enter the user name ("admin" is the default), password ("1234" is the default) and click OK. [Dialog: Enter Network Password. Please type your user name and password. Site: 192.168.1.1; Realm: Prestige 652HW 31; User Name: admin (default user name); Password; Save this password in your password list] Figure 4 Web Configurator Password Screen. Step 3. You should now see the web configurator SITE MAP screen. Click Wizard Setup to begin a series of screens to configure your Prestige for the first time. Click a link under Advanced Setup to configure advanced Prestige features. Click a link under Maintenance to see Prestige performance statistics, upload firmware and back up, restore or upload a configuration file. Click Logout in the navigation panel when you have finished a Prestige management session. [Screen: SITE MAP with Wizard Setup, Advanced Setup and Maintenance headings, a navigation panel, and links including Password, System Status, LAN, DHCP Table, Wireless LAN, WAN, Diagnostic, NAT, Firmware, Dynamic DNS, Firewall, Content Filter, VPN, Remote Management, UPnP, Logs and Logout] Figure 5 Web Configurator SITE MAP Screen. The Prestige automatically logs you out if it i
8. Prestige. Refer to your User's Guide for detailed IP address configuration for other Windows and Macintosh computer operating systems. 3.3 Testing the Connection to the Prestige. 1. Click Start, (All) Programs, Accessories and then Command Prompt. 2. In the Command Prompt window, type "ping" followed by a space and the IP address of the Prestige (192.168.1.1 is the default). 3. Press ENTER and the following screen displays.

    C:\>ping 192.168.1.1
    Pinging 192.168.1.1 with 32 bytes of data:
    Reply from 192.168.1.1: bytes=32 time=10ms TTL=254
    Reply from 192.168.1.1: bytes=32 time<10ms TTL=254
    Reply from 192.168.1.1: bytes=32 time<10ms TTL=254
    Reply from 192.168.1.1: bytes=32 time<10ms TTL=254
    Ping statistics for 192.168.1.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 10ms, Average = 2ms

Your computer can now communicate with the Prestige using the LAN port. 4 Configuring Your Prestige. This Compact Guide shows you how to use the web configurator only. See your User's Guide for background information on all Prestige features and SMT (System Management Terminal) configuration. 4.1 Accessing Your Prestige Via Web Configurator. Step 1. Launch your web browser. Enter "192.168.1.1" as the web site address. [Figure callout: Web site address] Figure 3 Entering Prestige LAN IP Address in Internet Explorer
9. converter with the console cable to connect the CON/AUX port to your modem or TA. You only need to use this button if you've forgotten the Prestige's password. It returns the Prestige to the factory defaults (password is 1234, LAN IP address 192.168.1.1 etc.; see your User's Guide for details). 2.2 Inserting a PCMCIA Wireless LAN Card. Use a ZyAIR series wireless LAN PCMCIA card to add optional wireless LAN capabilities. Step 1. Turn off the Prestige. Never insert or remove a wireless LAN card when the Prestige is turned on. Step 2. Locate the slot labeled Wireless LAN on the Prestige. Step 3. With its pin connector facing the slot and the LED side facing upwards, slide the ZyAIR wireless LAN card into the slot. Never force, bend or twist the wireless LAN card into the slot. Step 4. Turn on the Prestige. The WLAN LED should turn on. 2.3 The Front Panel LEDs. Figure 2 Prestige Front Panel. Refer to the following table for more detailed LED descriptions. Table 2 Front Panel LED Description. LED, COLOR, STATUS: DESCRIPTION. PWR, Green, On: The Prestige is receiving power. Off: The Prestige is not receiving power. SYS, Green, On: The Prestige is functioning properly. Blinking: The Prestige is restarting. Off: The system is not ready or has malfunctioned. Red, On: Power to the Prestige is too low. LAN, Green, On: The Prestige has a successful 10Mb Ethe
10. 5.12 Viewing SA Monitor. A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This screen displays active VPN connections. Use Refresh to display active VPN connections. This screen is read-only. From the main screen, click Advanced Setup and Monitor to view Security Associations. When there is outbound traffic but no inbound traffic, the SA times out automatically after two minutes. A tunnel with no outbound or inbound traffic is "idle" and does not time out until the SA lifetime period expires. 5.13 UPnP Overview. Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use. All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention. Windows ME and Windows XP support UPnP. See the Microsoft website for information about other Microsoft operating systems. Make sure you apply Microsoft's UPnP security patch before enabling the UPnP feature. Refer to the Microsoft website. 5.14 Configuring UPnP. Click Advanced Setup and then UPnP to open the UPnP screen.
11. AC Address: Enter the list of MAC addresses in this table. 5.3 Network Address Translation Overview. NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network, is changed to a different IP address known within another network. If you have a single public IP address, then select SUA Only in the NAT Mode screen (see Figure 16). If you have multiple public IP addresses, then you may use full feature mapping types (see the User's Guide for more details). NAT supports five types of IP/port mapping. They are: 1. One to One: One-to-one mode maps one local IP address to one global IP address. Note that port numbers do not change for One-to-one NAT mapping type. 2. Many to One: Many-to-One mode maps multiple local IP addresses to one global IP address. 3. Many to Many Overload: Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses. 4. Many to Many No Overload: Many-to-Many No Overload mode maps each local IP address to unique global IP addresses. 5. Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world. 5.4 Configuring SUA Server. An SUA server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though SUA makes your wh
12. [Table of contents, final entry] 6 Troubleshooting. 1 Introducing the Prestige. The Prestige 652H HW ADSL router is the ideal all-in-one device for small networks connecting to the Internet via ADSL. Key features of the Prestige include firewall, VPN, wireless LAN, NAT, Remote Management and UPnP. See your User's Guide for more details on all Prestige features. You should have an Internet account already set up and have been given most of the following information. INTERNET ACCOUNT INFORMATION: Your device's WAN IP Address (if given); DNS Server IP Address (if given): Primary, Secondary; Virtual Path Identifier (VPI); Virtual Channel Identifier (VCI); Multiplexing (VC-based or LLC-based): VC or LLC; Encapsulation: RFC 1483; ENET ENCAP: Ethernet Encapsulation Gateway IP Address; PPPoA: User Name, Password; PPPoE: Service Name, User Name, Password. 2 Hardware. 2.1 Rear Panel Connections. [Figure labels: wall phone jack, wall outlet, TA/modem, computers, with numbered callouts] Figure 1 Prestige Hardware Connections. Table 1 Prestige Rear Panel Description. LABEL: DESCRIPTION. 1. DSL: Connect to a telephone jack using the included phone wire. 2. LAN: Connect to a compute
13. Enabled. The firewall protects against Denial of Service (DOS) attacks when it is active. The default Policy sets 1. allow all sessions originating from the Local Network to the Internet and 2. deny all sessions originating from the Internet to the Local Network. You may define additional Policy rules or modify existing ones but please exercise extreme caution in doing so. 1. Local Network to Internet Set. 2. Internet to Local Network Set. CAUTION: If Firewall Enabled is not checked, all the existing firewall security policies and firewall functions will be disabled. [Buttons: Back, Cancel] Figure 19 Enabling the Firewall. 5.7 Procedure for Configuring Firewall Rules. From the main screen, click Advanced Setup, Firewall and then Rule Summary for either local network to Internet rules or Internet to local network rules to open the Summary screen. The following table describes the fields in this screen. [Screen: Firewall - LAN to WAN - Rule Summary. The default action for packets not matching following rules: Forward; Default Permit Log; rule table with columns No., Source IP, Destination IP, Service, Action and Log, rows 1 to 10; Rules Reorder: Move rule number ... to rule number ...; buttons Move, Back, Apply, Cancel] Table 6 Summary Screen. LABEL: DESCRIP
14. Enter the inside IP address of the server here. 5.5 Firewall Overview. The Prestige firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated. The Prestige's purpose is to allow a private Local Area Network (LAN) to be securely connected to the Internet. The Prestige can be used to prevent theft, destruction and modification of data, as well as log events, which may be important to the security of your network. The Prestige also has packet filtering capabilities. When activated, the firewall allows all traffic to the Internet that originates from the LAN, and blocks all traffic to the LAN that originates from the Internet. In other words, the Prestige will: Allow all sessions originating from the LAN to the WAN. Deny all sessions originating from the WAN to the LAN. LAN-to-WAN rules are local network to Internet firewall rules. The default is to forward all traffic from your local network to the Internet. The following figure illustrates a Prestige firewall application. [Figure labels: Denial of Service Attacks, WAN] Figure 18 Prestige Firewall Application. 5.6 Enabling the Firewall. From the main screen, click Advanced Setup, Firewall and then Config to open the Configuration screen. Enable (or activate) the firewall by selecting the Enable Firewall check box as seen in the following screen. [Screen: Firewall - Configuration - Config, with a check box labeled] Firewall
15. I and VCI fields. These fields may already be configured. Click Next. Figure 6 Wizard Screen 1. Step 2. The second wizard screen varies depending on what mode and encapsulation type you use. All screens shown are with routing mode. Configure the fields and click Next to continue. [Screen: Wizard Setup - ISP Parameters for Internet Access, with Service Name, User Name, Password, IP Address (Obtain an IP Address Automatically or Static IP Address), Connection (Connect on Demand with Max Idle Timeout in Secs, or Nailed-Up Connection), Network Address Translation (SUA Only) and a Next button] If your ISP provides the name of your PPPoE service provider, enter it in the Service Name field. Enter the user name and password exactly as your ISP assigned them. Select Obtain an IP Address Automatically if you have a dynamic IP address; otherwise select Static IP Address and type your ISP assigned IP address in the text box below. Select Connect on Demand when you don't want the connection up all the time and specify an idle time-out period (in seconds) in the Max Idle Timeout field. Select Nailed-Up Connection when you want your connection up all the time. The Prestige will try to bring up the connection automatically if it is disconnected. Figure 7 Internet Connection with PPPoE. From the Network Address Translation drop-down list box, select SUA Only, Full Feature or None. Re
16. Prestige 652H HW ADSL Security / Wireless LAN Router. Compact Guide. May 2003. ZyXEL Unleash Networking Power. Table of Contents: 1 Introducing the Prestige; 2 Hardware; 2.1 Rear Panel Connections; 2.2 Inserting a PCMCIA Wireless LAN Card; 2.3 The Front Panel LEDs; 3 Setting Up Your Computer's IP Address; 3.1 Windows 2000/NT/XP; 3.2 Checking/Updating Your Computer's IP Address; 3.3 Testing the Connection to the Prestige; 4 Configuring Your Prestige; 4.1 Accessing Your Prestige Via Web Configurator; 4.2 Common Screen Command Buttons
17. RIPTION. Active: Select this check box to activate this VPN tunnel. This option determines whether a VPN rule is applied before a packet leaves the firewall. Keep Alive: Select either Yes or No from the drop-down list box. Select Yes to have the Prestige automatically re-initiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this feature to work. Name: Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the Prestige drops trailing spaces. IPSec Key Mode: Select IKE or Manual from the drop-down list box. IKE provides more protection so it is generally recommended. Manual is a useful option for troubleshooting. Negotiation Mode: Select Main or Aggressive from the drop-down list box. Multiple SAs connecting through a secure gateway must have the same negotiation mode. Local: Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time. Local Address Type: Use the drop-down menu to choose Single, Range or Subnet. Select Single for a single IP address. Select Range for a specific range of IP addresses. Select Subnet to specif
18. TH (TCP 113), Any (TCP), BGP (TCP 179), BOOTP_CLIENT (UDP 68), BOOTP_SERVER (UDP 67); Edit Available Service; Action for Matched Packets: Forward; Log: None; Alert; buttons Apply, Cancel, Delete. Figure 20 Creating/Editing A Firewall Rule. The following table describes the fields in this screen. Table 7 Creating/Editing A Firewall Rule. LABEL: DESCRIPTION. Source Address: Click SrcAdd to add a new address, SrcEdit to edit an existing one or SrcDelete to delete one. Please see the next section for more information on adding and editing source addresses. Destination Address: Click DestAdd to add a new address, DestEdit to edit an existing one or DestDelete to delete one. Please see the following section on adding and editing destination addresses. Services (Available/Selected Services): Highlight a service from the Available Services box on the left, then click >> to add it to the Selected Services box on the right. To remove a service, highlight it in the Selected Services box on the right, then click <<. Edit Available Service: Click this button to go to the list of available custom services. Action for Matched Packets: Should packets that match this rule be blocked or forwarded? Make your choice from the drop-down list box. Note that Block means the firewall silently discards th
19. TION. The default action for packets not matching following rules: Should packets that do not match the following rules be blocked or forwarded? Make your choice from the drop-down list box. Note that "block" means the firewall silently discards the packet. Default Permit Log: Click this check box to log all matched rules in the ACL default set. The following read-only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction. The firewall rules that you configure (summarized below) take priority over the general firewall action settings above. No.: This is your firewall rule number. The ordering of your rules is important as rules are applied in turn. The Move field below allows you to reorder your rules. (Table 6 Summary Screen, LABEL: DESCRIPTION) Source IP: This drop-down list box displays the source addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any. Destination IP: This drop-down list box displays the destination addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any. Service: This drop-down list box displays the services to which this firewall rule applies. Please note that a blank service type is equivalent to Any. Action
20. This is the specified action for that rule, either Block or Forward. Note that Block means the firewall silently discards the packet. Log: This field shows you if a log is created for packets that match the rule (Match), don't match the rule (Not Match), both (Both) or no log is created (None). Rules Reorder: You may reorder your rules using this function. Select the rule you want to move. The ordering of your rules is important as rules are applied in turn. To Rule Number: Select the number you want to move the rule to. Move: Click Move to move the rule. Follow these directions to create a new rule. Step 1. In the Summary screen, click a rule's index number. The Edit Rule screen opens. Step 2. In the Available Services text box, select the services you want. Configure customized ports for services not predefined by the Prestige by clicking the Add or Edit buttons under Custom Port. For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) web site. Step 3. Configure the Source Address and Destination Address for the rule. Screen: Firewall - LAN to WAN - Edit Rule 1. Source Address: Source IP Address: Any; buttons SrcAdd, SrcEdit, SrcDelete. Destination Address: Destination IP Address: Any; buttons DestAdd, DestEdit, DestDelete. Service: Available Services and Selected Services boxes, listing AIM/NEW ICQ (TCP 5190), Any (UDP), AU
21. [Screen: UPnP, with check boxes Enable the Universal Plug and Play (UPnP) Service, Allow users to make configuration changes through UPnP, and Allow UPnP to pass through Firewall; buttons Apply, Cancel] Figure 25 UPnP. The following table describes the fields in this screen. Table 11 UPnP. FIELD: DESCRIPTION. Enable the Universal Plug and Play (UPnP) Service: Select this checkbox to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the Prestige's IP address (although you must still enter the password to access the web configurator). Allow users to make configuration changes through UPnP: Select this check box to allow UPnP-enabled applications to automatically configure the Prestige so that they can communicate through the Prestige, for example by using NAT Traversal. UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP-enabled device; this eliminates the need to manually configure port forwarding for the UPnP-enabled application. Allow UPnP to pass through Firewall: Select this check box to allow traffic from UPnP-enabled applications to bypass the firewall. Clear this check box to have the firewall block all UPnP application packets (for example, MSN packets). 6 Troubleshooting. Table 12 Troubleshooting. PROBLEM: CORRECTIVE ACTION. None of the LEDs turn
22. ating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection. Multiple SAs connecting through a secure gateway must have the same pre-shared key. VPN Setup. Select DES, 3DES or NULL from the drop-down list box. When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key. (Table 10 VPN IKE, LABEL: DESCRIPTION) Authentication Algorithm: Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security. Advanced: Click Advanced to configure more detailed settings of your IKE key management. Delete: Click Delete to remove this rule.
23. ct Service Name (PPPoE encapsulation only), User Name and Password (the username and password are case sensitive). Refer to section 4.3 for more information. Cannot access the Internet: Verify the Internet connection settings in the WAN screen. Make sure you entered the correct user name and password. For wireless clients, check that both the Prestige and wireless client(s) are using the same ESSID, channel and WEP keys (if WEP encryption is activated).
24. ddress: Enter the ending IP address in a range here. Subnet Mask: Enter the subnet mask here, if applicable. 5.9 VPN Overview. A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication. The following figure provides an example of a VPN application. [Figure labels: VPN, Broadband, IPSec Router] Figure 22 VPN Application. 5.10 Summary Screen. Local and remote IP addresses must be static. From the main screen, click Advanced Setup, VPN and Setup to open the Summary screen. This is a read-only menu of your IPSec rules (tunnels). [Screen: VPN - Summary, a table with columns including No., Name, Active, Local Address, Encap., Algorithm and Gateway IP, and a Back button] Figure 23 VPN Summary. The following table describes the fields in this screen. Table 9 VPN Summary. LABEL: DESCRIPTION. No.: The VPN policy index number. Name: This field displays the identification name for this VPN policy. Active: This field displays whether the VPN policy is active or not. A Yes signifies that this VPN
25. ded Service Set IDentity. The ESSID is a unique name to identify the Prestige in the wireless LAN. Wireless clients associating to an Access Point (the Prestige) must have the same ESSID. Enter a descriptive name up to 32 printable 7-bit ASCII characters. Hide ESSID: Select Yes to hide the ESSID so a wireless client cannot obtain the ESSID through passive scanning. Select No to make the ESSID visible so a wireless client can obtain the ESSID through passive scanning. Channel ID: The range of radio frequencies used by IEEE 802.11b wireless devices is called a channel. Set the operating frequency/channel depending on your particular region. Select a channel from the drop-down list box. Adjacent APs with overlapping coverage areas should use different channels to reduce crosstalk. Crosstalk occurs when the radio signals from access points overlap and interfere with one another, degrading performance. (Table 3 Wireless LAN: Wireless, LABEL: DESCRIPTION) RTS/CTS Threshold: Select this option to enable the RTS (Request To Send)/CTS (Clear To Send) threshold to minimize collisions. Enter a value between 0 and 2432. The default is 2432. Request To Send is the threshold number of bytes for enabling the RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC Service Data Unit) size turns off the RTS
26. e packet.
Log: This field determines if a log is created for packets that match the rule, don't match the rule, both or no log is created.
Alert: Check the Alert check box to determine that this rule generates an alert when the rule is matched.
Delete: Click Delete to remove this rule.
5.8 Configuring Source and Destination Addresses
To add a new source or destination address, click SrcAdd or DestAdd from the previous screen. To edit an existing source or destination address, select it from the box and click SrcEdit or DestEdit from the previous screen. Either action displays the following screen.
[Figure 21: Adding/Editing Source and Destination Addresses]
The following table describes the fields in this screen.
Table 8: Adding/Editing Source and Destination Addresses
Address Type: Do you want your rule to apply to packets with a particular (single) IP address, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an option from the drop-down list box.
Start IP Address: Enter the single IP address or the starting IP address in a range here.
End IP A
27. fer to the Network Address Translation section for more information.
Enter the IP address given by your ISP in the IP Address field. The IP Address field is not available for bridge mode. Refer to Figure 7 for description of the Network Address Translation field.
[Figure 8: Internet Connection with RFC 1483]
In the ENET ENCAP Gateway field, enter the gateway IP address given by your ISP. Refer to Figure 7 for other field descriptions.
[Figure 9: Internet Connection with ENET ENCAP]
Refer to Figure 7 for field descriptions. The IP Address and Network Address Translation fields are not available for bridge mode.
[Figure 10: Internet Connection with PPPoA]
Step 3: Verify the settings in the screen shown next. To change the LAN information on the Prestige, click Change LAN
28. in name (up to 31 characters) by which to identify this Prestige. When you select E-mail in the Local ID Type field, type an e-mail address (up to 31 characters) by which to identify this Prestige. The domain name or e-mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address.
My IP Address: Enter the WAN IP address of your Prestige. The Prestige uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. The VPN tunnel has to be rebuilt if this IP address changes.
Peer ID Type: Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail address.
Content: When you select IP in the Peer ID Type field, type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the Prestige automatically use the address in the Secure Gateway IP Address field. When you select DNS in the Peer ID Type field, type a domain name (up to 31 characters) by which to identify the remote IPSec router. When you select E-mail in the Peer ID Type field, type an e-mail address (up to 31 characters) by which to identify the remote IPSec router.
29. 4.3 Wizard Internet Access Configuration
4.4 Test Your Internet Connection
5 Advanced Configuration
5.1 Wireless LAN Setup
5.2 Wireless LAN Security Setup
5.3 Network Address Translation Overview
5.4 Configuring SUA
5.5 Firewall Overview
5.6 Enabling the Firewall
5.7 Procedure for Configuring Firewall Rules
5.8 Configuring Source and Destination Addresses
5.9 VPN Overview
5.10 Summary Screen
5.11 Configuring VPN Policies
5.12 Viewing SA Monitor
30. ole inside network appear as a single computer to the outside world.
Step 1: From the main screen, click Advanced Setup and then NAT to open the NAT Mode screen. Select SUA Only.
[Figure 16: NAT Mode]
Step 2: Click Edit Details.
[Figure 17: SUA/NAT Server]
The following table describes the fields in this screen.
Table 5: SUA/NAT Server
Start Port No: Type a port number in this field. To forward only one port, type the port number again in the End Port field. To forward a series of ports, type the start port number here and the end port number in the End Port field.
End Port No: Type a port number in this field. To forward only one port, type the port number in the Start Port field above and then type it again in this field. To forward a series of ports, type the last port number in a series that begins with the port number in the Start Port field above.
IP Address
31. onfirm that the Internet settings you configured in the Wizard Setup are correct.
5 Advanced Configuration
This section shows how to configure some of the advanced features of the Prestige.
5.1 Wireless LAN Setup
A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (the Internet, email, printer services, etc.) on the wired network without additional expensive network cabling infrastructure. In effect, a wireless LAN environment provides you the freedom to stay connected to the wired network while moving in the coverage area.
The WLAN screens are only available when a WLAN card is installed.
To configure wireless settings, click Advanced Setup, Wireless and then click Wireless.
[Figure 14: Wireless LAN Wireless. Screen fields: ESSID, Hide ESSID, Channel ID, RTS/CTS Threshold (0 to 2432), Fragmentation Threshold (256 to 2432), WEP Encryption, Key1 to Key4.]
64-bit WEP: Enter 5 characters or 10 hexadecimal digits ("0-9", "A-F") preceded by 0x for each Key (1-4).
128-bit WEP: Enter 13 characters or 26 hexadecimal digits ("0-9", "A-F") preceded by 0x for each Key (1-4).
The following table describes the fields in this screen.
Table 3: Wireless LAN Wireless
ESSID Exten
32. or most new computers. The Prestige is already set up to assign your computer an IP address. Use this section to set up your computer to receive an IP address or assign it a static IP address in the 192.168.1.2 to 192.168.1.254 range with a subnet mask of 255.255.255.0. This is necessary to ensure that your computer can communicate with your Prestige.
Your computer must have an Ethernet card and TCP/IP installed. TCP/IP should already be installed on computers using Windows NT/2000/XP, Macintosh OS 7 and later operating systems.
3.1 Windows 2000/NT/XP
1. In Windows XP, click start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel.
2. In Windows XP, click Network Connections. In Windows 2000/NT, click Network and Dial-up Connections.
3. Right-click Local Area Connection and then click Properties.
4. Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties.
5. The Internet Protocol TCP/IP Properties screen opens (the General tab in Windows XP).
To have your computer assigned a dynamic IP address, click Obtain an IP address automatically. If you know your DNS server IP address(es), type them in the Preferred DNS ser
33. pe: Use the drop-down menu to choose Single, Range, or Subnet. Select Single with a single IP address. Select Range for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
IP Address Start: When the Address Type field is configured to Single, enter a static IP address on the network behind the remote IPSec router. When the Address Type field is configured to Range, enter the beginning (static) IP address in a range of computers on the network behind the remote IPSec router. When the Address Type field is configured to Subnet, enter a static IP address on the network behind the remote IPSec router.
End/Subnet Mask: When the Address Type field is configured to Single, this field is N/A. When the Address Type field is configured to Range, enter the end (static) IP address in a range of computers on the network behind the remote IPSec router. When the Address Type field is configured to Subnet, enter a subnet mask on the network behind the remote IPSec router.
Local ID Type: Select IP to identify this Prestige by its IP address. Select DNS to identify this Prestige by a domain name. Select E-mail to identify this Prestige by an e-mail address.
Content: When you select IP in the Local ID Type field, type the IP address of your computer or leave the field blank to have the Prestige automatically use its own IP address. When you select DNS in the Local ID Type field, type a doma
34. r external hub using an Ethernet cable Connect the DMZ port to servers 1 DMZ 4 that you want visible to the outside world 3 POWER Connect to a power source using the power adaptor for your region see your User s Guide After you ve made the connections connect the power adaptor to a power supply and push in the power button to turn on the Prestige The PWR LED turns on The SYS LED blinks while performing system testing and then turns steady on if the testing is successful A LAN LED turns on if a LAN port is properly connected Prestige 652H HW Table 1 Prestige Rear Panel Description LABEL DESCRIPTION CON AUX Only connect this port if you want to configure the Prestige using the SMT via console port or switch set up a backup WAN connection see your User s Guide for details CON AUX port Ba i Set this switch to the CON side to use the CON AUX port as a console port for local device configuration and management Connect the 9 pin male end of the console cable to the console port of the Prestige and the other end to a serial port COM1 COM2 or other COM port on your computer Your computer should have a terminal emulation communications program such as HyperTerminal set to VT100 terminal emulation no parity 8 data bits 1 stop bit no flow control and 9600 bps port speed Set this switch to the AUX side to use the CON AUX port as an auxiliary dial up WAN connection Use the included CON AUX
35. rnet connection.
Blinking: The Prestige is sending/receiving data.
Off: The Prestige does not have 10Mb Ethernet connection.
Orange, On: The Prestige has a successful 100Mb Ethernet connection.
Orange, Blinking: The Prestige is sending/receiving data.
Orange, Off: The Prestige does not have 100Mb Ethernet connection.
WLAN, Green, On: Wireless link is ready.
WLAN, Green, Off: Wireless link is not ready or has failed.
WLAN, Green, Blinking: The Prestige is sending/receiving data through the WLAN.
WLAN, Red, On: There has been an error with the wireless LAN PCMCIA card.
AUX, Orange, On: The CON/AUX port has a dial-up connection.
AUX, Orange, Off: The CON/AUX port does not have a dial-up connection.
AUX, Green, On: The CON/AUX port has a console connection.
AUX, Green, Off: The CON/AUX port does not have a console connection.
DSL, Green, On: The Prestige is linked successfully to a DSLAM.
DSL, Green, Blinking: The Prestige is initializing the DSL line.
DSL, Off: The DSL link is down.
ACT PPP, Orange, On: The Prestige has a PPP (PPPoA or PPPoE) connection.
ACT PPP, Orange, Blinking: The Prestige is sending/receiving PPPoA or PPPoE traffic.
ACT PPP, Off: The system is ready, but is not sending/receiving data.
ACT PPP, Green, Blinking: The Prestige is sending/receiving non-PPP traffic.
3 Setting Up Your Computer's IP Address
Skip this section if your computer is already set up to accept a dynamic IP address. This is the default f
36. s Type field in the Configure IKE or Manual screen is configured to Subnet Address
Encap: This field displays Tunnel or Transport mode (Tunnel is the default selection).
IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase Prestige processing requirements and communications latency (delay).
Secure Gateway IP: This is the static WAN IP address or URL of the remote IPSec router. This field displays 0.0.0.0 when you configure the Secure Gateway IP Address field in the Configure IKE screen to 0.0.0.0.
5.11 Configuring VPN Policies
Click an IPSec rule's index number to open the VPN IKE screen where you can configure the IPSec rule.
[Figure 24: VPN IKE]
The following table describes the fields in this screen.
Table 10: VPN IKE
LABEL DESC
37. s left idle for five minutes, press ENTER to log back in again.
4.2 Common Screen Command Buttons
The following table shows common command buttons found on many web configurator screens.
Back: Click Back to return to the previous screen.
Apply: Click Apply to save your changes back to the Prestige.
Reset/Cancel: Click Reset or Cancel to begin configuring this screen afresh.
4.3 Wizard Internet Access Configuration
Use the Wizard Setup screens to configure your system for Internet access settings and fill in the fields with the information in the Internet Account Information table. Your ISP may have already configured some of the fields in the wizard screens for you.
Step 1: In the SITE MAP screen, click Wizard Setup to display the first wizard screen.
From the Mode drop-down list box, select Routing (default) if your ISP allows multiple computers to share an Internet account. Otherwise select Bridge.
Select the encapsulation type your ISP uses from the Encapsulation drop-down list box. Choices vary depending on what you select in the Mode field.
Select the multiplexing method used by your ISP from the Multiplex drop-down list box.
Enter the correct Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) numbers supplied by your ISP in the VP
38. ult gateway and DNS servers to computer systems that support the DHCP client. Select Off to disable DHCP server.
[Figure 12: Wizard LAN Configuration]
When DHCP server is used, set the following items:
Specify the first of the contiguous addresses in the IP address pool in the Client IP Pool Starting Address field.
Specify the size or count of the IP address pool in the Size of Client IP Pool field.
Enter the IP address(es) of the DNS server(s) in the Primary DNS Server and/or Secondary DNS Server fields.
Step 5: The Prestige automatically tests the connection to the computer(s) connected to the LAN ports. To test the connection from the Prestige to the ISP, click Start Diagnose. Otherwise click Return to Main Menu to go back to the Site Map screen.
[Figure 13: Wizard Screen 4. The screen lists LAN connections (Test your Ethernet Connection) and WAN connections (Test ADSL synchronization, Test ADSL (ATM OAM) loopback test, Test PPP/PPPoE server connection, Ping default gateway).]
4.4 Test Your Internet Connection
Launch your web browser and navigate to www.zyxel.com. Internet access is just the beginning. Refer to the User's Guide for more detailed information on the complete range of Prestige features. If you cannot access the Internet, open the web configurator again to c
39. ver and/or Alternate DNS server fields.
To configure a static IP address, click Use the following IP Address and fill in the IP address (choose one from 192.168.1.2 to 192.168.1.254), Subnet mask (255.255.255.0), and Default gateway (192.168.1.1) fields. Then enter your DNS server IP address(es) in the Preferred DNS server and/or Alternate DNS server fields. If you have more than two DNS servers, click Advanced, the DNS tab and then configure them using Add.
6. Click Advanced. Remove any previously installed gateways in the IP Settings tab and click OK to go back to the Internet Protocol TCP/IP Properties screen.
7. Click OK to close the Internet Protocol (TCP/IP) Properties window.
8. Click OK to close the Local Area Connection Properties window.
3.2 Checking/Updating Your Computer's IP Address
1. In the computer, click Start, (All) Programs, Accessories and then Command Prompt.
2. In the Command Prompt window, type "ipconfig" and then press ENTER to verify that your computer's IP address is in the correct range (192.168.1.2 to 192.168.1.254) with subnet mask 255.255.255.0. This is necessary in order to communicate with the
40. y IP addresses on a network by their subnet mask.
IP Address Start: When the Address Type field is configured to Single, enter a static IP address on the LAN behind your Prestige. When the Address Type field is configured to Range, enter the beginning (static) IP address in a range of computers on your LAN behind your Prestige. When the Address Type field is configured to Subnet, this is a static IP address on the LAN behind your Prestige.
End/Subnet Mask: When the Address Type field is configured to Single, this field is N/A. When the Address Type field is configured to Range, enter the end (static) IP address in a range of computers on the LAN behind your Prestige. When the Address Type field is configured to Subnet, this is a subnet mask on the LAN behind your Prestige.
Remote: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. The remote fields do not apply when the Secure Gateway IP Address field is configured to 0.0.0.0. In this case only the remote IPSec router can initiate the VPN. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Remote Address Ty