
Configuring Through a Secure Web-Based GUI

Nokia IP71 User Guide

39

Figure 9 Wizard Summary

4. Click Back to modify settings.

5. Click Submit for all the configuration settings to take effect.

6. Click Cancel to nullify the Wizard configuration. The IP71 Status page appears.

7. Click Finish. The IP71 is configured to be up and running.

Summary of Contents for IP71

Page 1: ...IP71 User Guide version 2 0 N450794001 Rev A October 2002 ...

Page 2: ...ity and fitness for a particular purpose are disclaimed In no event shall Nokia or its affiliates subsidiaries or suppliers be liable for any direct indirect incidental special exemplary or consequential damages including but not limited to procurement of substitute goods or services loss of use data or profits or business interruption however caused and on any theory of liability whether in contr...

Page 3: ... Nokia House Summit Avenue Southwood Farnborough Hampshire GU14 ONG UK Tel 00800 5543 1816 or 1 44 0 8700 555 777 email ipsecurity emea nokia com Asia Pacific Tel 358 9 692 7156 email ipsecurity apac nokia com Web Site https support nokia com Email tac support nokia com Americas Europe Voice 1 888 361 5030 or 1 613 271 6721 Voice 44 0 125 286 8900 Fax 1 613 271 8782 Fax 44 0 125 286 5666 Asia Paci...

Page 4: ...iv Nokia IP71 User Guide ...

Page 5: ...Features 12 IP71 Package Contents 12 IP71 Externals 13 Restoring Factory Defaults 15 Before You Begin 15 Upgrading 16 Using Nokia Horizon Manager 17 Using GUI 17 Upgrading Using CLI 17 Managing the IP71 19 Secure web based GUI 19 Command line Interface 22 Console 23 SSH Client 23 SNMP Manager 23 Nokia Horizon Manager 24 Check Point Management Server 24 ...

Page 6: ...tion 32 Logging In 33 Logging Off 34 3 Configuring IP71 35 Configuring Through a Secure Web Based GUI 36 Using the Quick Setup Wizard 37 Configuring Using the GUI 40 System 40 Interface 41 Interface Options 43 Date and Time 44 Admin 44 Manage 45 Configuring Through SSH 45 Configuring Through SNMP Manager 51 Accessing CLI Through the GUI 51 Generating Security Certificates 52 Managing Through Nokia...

Page 7: ...ring Through Console 72 Configuring Static NAT 77 Configuring Network Objects 79 Configuring Security Policy 79 Configuring NAT Rules 80 Configuring Routing and ARP Entries 81 Installing the Security Policy 81 Configuring Anti Spoofing 82 4 Configuring a VPN 85 Defining Network Objects 86 Defining IP71 Platforms 86 Setting the Network 90 Building VPN Groups 91 Installing Policies 92 ...

Page 8: ... 105 Default Settings 106 Software Specifications 106 Routing 106 Management Features 107 Diagnostics 107 Hardware Specifications 107 Processor 107 Clock 107 Copyrights 108 C Compliance Information 109 Declaration of Conformity 109 Compliance Statement 110 FCC Notice US 111 D Warranty and Software License 113 Index 119 ...

Page 9: ...etwork security platform NSP including instructions for configuring the Check Point NG Firewall The Nokia IP71 version 2 0 can be remotely managed using Nokia Horizon Manager v1 2 Service Pack 1 Document Organization This guide is organized into the following chapters n Chapter 1 Overview provides basic information about IP71 and things that you need before you install the IP71 n Chapter 2 Install...

Page 10: ...pliance and regulatory information n Appendix D Warranty and Software License describes the Nokia warranty terms and conditions Document Conventions The following sections provide document conventions including notices menu items and IP address notation conventions used throughout this guide Cautionary Icons Warning Warnings advise the user that bodily injury might occur because of a physical haza...

Page 11: ...ace such as a DSL router a T1 router or a DSL modem The IP71 incorporates the Check Point NG SMB Firewall 1 that enables the IP71 to function as a security firewall and as a VPN gateway thus protecting a small office LAN from unauthorized access The IP71 Small Office license is installed on the IP71 and is managed by a Check Point management server Security policies are created at the management s...

Page 12: ...configuration n Firmware Upgrading n ARP Static NAT n Diagnostics n Managing Through Nokia Horizon Manager IP71 Package Contents The IP71 shipping box includes the following items n IP71 device n A universal power supply n A country specific power cord for the universal power supply n An Ethernet straight through cable n An Ethernet crossover cable labeled Crossover n An RS 232 console serial cabl...

Page 13: ...e IP71 hardware Figure 1 shows the front view of the IP71 Figure 1 IP71 Front View Note The WAN port operates at 10 mbps and must be set to the appropriate duplex setting with the IP71 command line interface The LAN port auto senses the appropriate speed 10 100 mbps and duplex setting SECURED BY CHECK POINT Power Status Link Tx WAN Rx 1 2 10M Amber 100M Green 10 100 Ethernet Switch 3 4 Power Statu...

Page 14: ...ic port If your computer has a 10BaseT network card connected to the Ethernet line the LED for that port is amber If your computer has a 100BaseT network card attached to the line the LED is green When there is no data activity on the Ethernet line the associated LED glows steady When there is data activity the LED blinks If the light is turned off there is no connection to the associated port WAN...

Page 15: ...es over 2 minutes to restore defaults After the defaults are restored and the IP71 has rebooted you will be able to connect only through the console Before You Begin For simplicity this guide assumes you are using a DSL ISP account The IP71 also works with any Internet access device that supports an Ethernet interface such as routers that use analog cable ISDN or T1 lines To set up the IP71 to con...

Page 16: ...tages Nokia recommends that you use your IP71 using version 2 0 firmware Ensure that you have both the firmwares version 1 6 and version 2 0 are with you before you proceed with the upgrade You can upgrade your IP71 with any of the following methods n Command line interface CLI n Graphic user interface GUI n Nokia Horizon Manager When you upgrade the IP71 to firmware v2 0 you need to replace your ...

Page 17: ...upgraded through both the stages Nokia recommends that you use your IP71 with v2 0 firmware To upgrade your IP71 using NHM select the devices the you want to upgrade Perform an OS Install action Select the firmware and click Start Using GUI You can upgrade your IP71 with the latest version of firmware through the GUI The procedures to upgrade using the GUI are described in Chapter 3 Upgrading To a...

Page 18: ...de Use this command to set the upgrade values like file name server address etc Syntax set upgrade file file 0 250 ipaddress ip_address protocol SCP TFTP user user 0 250 password password 0 250 command start Options File File name of the binary IP address IP address of the TFTP or SCP server Protocol TFTP or SCP User Username of SCP server If you select SCP Password Password of the SCP server for ...

Page 19: ...gure the IP71 You can configure the IP71 in two ways Figure 4 shows the main components of the GUI Using Quick Setup Wizard Configure the most common settings required for the IP71 to be up and running Using Advanced GUI Configure the various advanced features provided in the IP71 No Component Description 1 Navigation Bar Access various feature sets in the IP71 2 Tabs Bar Access and configure all ...

Page 20: ...on Bar and their features Table 1 Navigation Bar Main Tab Secondary Tabs Description System Status displays details of all current configuration Interface configure the LAN and WAN interfaces Interface Options configure advanced interface information Date Time set the device date and time Admin configure the Session Timeout HTTPS Encryption type and to change the access password ...

Page 21: ...ck Point License configure and activate Check Point NG firewall Advanced DHCP Server configure the DHCP server Routing configure routes ARP configure ARP entries Upgrade upgrade the IP71 to the latest firmware Import Export export Backup and import Restore configuration Diagnostics Tools access to Diagnostics tools Ping Trace Route and NS Look up Utilization displays utlization information of the ...

Page 22: ...s in the IP71 appears You can now configure the IP71 Enter Help or in the CLI prompt for help on IP71 CLI Console The IP71 has a console port that allows an RS 232 serial cable to connect to a computer and can be managed by a VT100 terminal emulation program on the computer This is a direct connection to the IP71 and is secure You can access the IP71 even before the bootup process is complete Howe...

Page 23: ...r You can view and configure the IP71through an SNMP manager This is not a secure method of configuration and is disabled by default To use an SNMP manager Nokia recommends that you first configure the IP71 by one of the previously explained methods Create a VPN tunnel and manage the IP71 with the SNMP manager through the VPN tunnel Security concerns require that the system running the SNMP manage...

Page 24: ... are configured through the management server The Check Point management server is on the WAN side to manage a single IP71 or multiple IP71 devices from a central location or on the LAN side to locally manage an IP71 Using a Check Point management server you can manage multiple IP71 devices in remote offices and push a single security policy to all devices or multiple security policies to multiple...

Page 25: ...your IP71 you need to plan the placement of the IP71 as well as that of the Check Point management server The management server configures and pushes a Check Point NG policy to your IP71 A Check Point NG policy is said to be pushed when it is actively applied to the IP71 Planning for your IP71 The IP71 functions as a firewall between the WAN and the LAN at a given office site As part of the networ...

Page 26: ... licenses with IP71 in two scenarios Choose the scenario that matches your requirements best and determine the IP addresses for all the components in that scenario Central Management Managing the IP71 from Check Point management server on the WAN side from a central location In this scenario a Check Point management server manages a remote IP71 from the WAN interface This is the Central option use...

Page 27: ...r in the same network as the IP71 This is the Local option used to generate the Check Point NG license from Check Point user center You need the following to manage IP71 in this scenario n A Check Point NG management server n A SmallOffice Certificate Key n A public IP address for the IP71 n An IP71 WAN LAN LAN WAN 192 168 1 2 209 221 75 213 86 78 58 24 10 10 1 1 10 10 1 2 192 168 1 1 Dynamic IP E...

Page 28: ... ways n Using Console From Hyperterminal to access the CLI n Using Ethernet From abrowser to access the web based GUI Using Console Connection Connect the IP71 to your computer using the console cable provided Figure 7 Connecting the IP71 192 168 1 1 192 168 1 2 209 221 75 213 Dynamic IP SmallOffice management server IP71 LAN WAN Internet Computer Power Supply IP71 ...

Page 29: ...3 Connect the receptacle end of the power supply cord to the 12 VDC power socket on the IP71 Connect the other end of the power supply cord to an existing power source You are now ready to link your computer to the IP71 Using Hyperterminal With the IP71 physically installed the next task is to link your computer to the IP71 The following example uses Windows HypterTerminal To link your computer to...

Page 30: ...connection name in the Name field and click on the twin phone icon at the far left of the Icon bar Click OK 3 The Connect To screen appears In the Connect using menu select COM1 Direct to Com1 or COM2 Direct to Com2 to connect the console cable to the COM1 or COM2 port respectively on the computer Click OK ...

Page 31: ...1 The COM1 or COM2 Properties screen appears 4 Enter the following values in the appropriate fields n Bits per second 9600 n Data bits 8 n Parity None n Stop bits 1 n Flow Control None 5 Click OK The COM Properties screen disappears Press Enter ...

Page 32: ...onnect to the IP71 from your computer using a browser 1 Connect one of the LAN port of IP71 to the network port Ensure your computer is using an ethernet cable Copyright c Nokia Corporation 2001 IP71 V 1 0 2 07 11 2001 A S R 80 96 24 133 1 8 WB LAN MAC address 00 a0 2a 03 4a 34 WAN MAC address 00 a0 2a 03 4a 35 Enter SPACE key to invoke Nokia software upgrade 0 1 2 3 4 Image valid 1 2 3 4 5 6 7 8 ...

Page 33: ... access by default Enter https for secure access Note Nokia recommends that you access the IP71 from the LAN interface the first time When you attempt to access the IP71 from the WAN Interface using https the server running in the IP71 issues a self signed certificate using SSL to the browser that the browser cannot recognize This is to ensure a secure first time access of the IP71 4 Enter the def...

Page 34: ...ss Enter A pop up security alert screen appears The security certificate was issued by a company you have not chosen to trust View the certificate to determine whether you want to trust the certifying authority The security certificate is valid The name on the security certificate does not match the name of the site 3 Click Yes to access the IP71 GUI Click View Certificate to check certificate det...

Page 35: ...71 Configuring Through SNMP Manager Using an SNMP Manager to configure the IP71 Configuring Through the CLI Using a Console connection Managing through Nokia Horizon Manager For managing remotely This chapter also describes the following features and functions in the IP71 n SSH n SNMP n Secured access to GUI using security certificates n Event logging n Check Point Firewall configuration n DHCP se...

Page 36: ...onfiguration Note Before configuring the IP71 obtain a Check Point NG SmallOffice license On successful login the Quick Setup Wizard appears as shown in Figure 8 1 Click OK to use Setup Wizard 2 Click Cancel to go directly to the Status page Figure 8 Quick Setup Wizard Note Check Do not start with Quick Setup Wizard the next time to go directly to the Status page when you log in next time ...

Page 37: ...want to set and confirm the new password Enter the default password password Enter the new password you want to set and confirm the new password Date and Time Sync Date Time GMT Offset Click Sync to synchronize with the date and time of the browser Enter Date in the Month Date Year order Enter Time in Hours Minutes order If you are in America select to adjust the clock for Daylight savings Select ...

Page 38: ...confirm the key This is a one time password used to authenticate between IP71 and the management server Enter Activation Key whether you choose Local License or Automatic Fetch DAIP Select Enable to enable Automatic Fetch DAIP If you know the IP address of the Management server select Pull Certificate and enter the IP address of the management server If you do not know the IP address of the manage...

Page 39: ...e 39 Figure 9 Wizard Summary 4 Click Back to modify settings 5 Click Submit for all the configuration settings to take effect 6 Click Cancel to nullify the Wizard configuration The IP71 Status page appears 7 Click Finish The IP71 is configured to be up and running ...

Page 40: ...hrough the navigation tabs n System n Manage n Logging n Check Point n Advanced Features n Diagnostics System The default Status page that appears displays the existing configuration of your IP71 If you have used Quick Setup Wizard to perform an initial setup configuration the configuration settings will be displayed on this page Figure 10 Device Status ...

Page 41: ...ddress and the corresponding subnet mask of the LAN Interface 3 The interface information is based on the external WAN mode a To set the manual WAN mode Enter the WAN IP Address and the corresponding Subnet Mask of your IP71 This is given by your service provider Enter the Gateway IP Address Click Submit for the settings to take effect b To set the DHCP WAN mode The IP address assigned by the ISP ...

Page 42: ...effect after you have entered the Interface information Note Dynamic WAN Status is a Read Only field and displays information c To set the PPPoE WAN mode Enter the Username and Password for the PPPoE server This information is provided by your service provider Enter the External WAN IP You need this information to configure the static WAN interface of IP71 and ensure that every time you connect th...

Page 43: ...ice MAC address PPPoE Settings Server Name Enter the name of the specific PPPoE server that the PPPoE client should connect to Always On Always On is enabled by default It allows the IP71 to be always connected to Internet If you unselect Always On you need to restart the PPPoE Client each time the PPPoE connection terminates Retry Timeout Enter the Retry Timeout If the PPPoE connection terminates...

Page 44: ...isco select GMT 08 00 Pacific Standard Time 5 Click Submit for the settings to take effect 6 Click Reset to display the previous settings Admin You can configure the following n Session Timeout Enter the GUI Session Timeout time If the browser is idle for the specified time the GUI session will time out You need to relogin to access the GUI once a session times out n HTTPS Encryption Type Select t...

Page 45: ...nter the Old Password n Enter the New Password Enter the New Password to confirm n Click Submit Note Nokia recommends that you change the default password password to avoid unauthorized access to the IP71 Manage This section covers the following methods by which to manage your IP71 n Configuring Through SSH n Configuring Through SNMP Manager n Accessing CLI Through the GUI n Generating Security Ce...

Page 46: ...ou need the following to configure using SSH n LAN and WAN IP addresses are defined using the Wizard setup n The IP71 has an active connection to the computer with the SSH client Note SSH is enabled by default from the LAN and WAN SSH Authentication To connect to the IP71 from a remote computer using SSH first authenticate the SSH connection You can authenticate an SSH connection using n Password ...

Page 47: ... Modify To delete a user select the user in the User Table and click Delete c Click Submit Initiate a SSH session from the SSH client to access the IP71 You can also use the IP71 as an SSH server and initiate an SSH connection with a remote SSH client To initiate an SSH connection d In the SSH Host Table enter the Fingerprint and IP Address of the SSH Host in the SSH Host Table e Click Add to add ...

Page 48: ...71 fingerprint enter show ssh in the CLI If the two fingerprints match it is safe to accept the connection Key Based Authentication To connect to the IP71 using SSH more securely use Key Based Authentication This requires you to generate a public key on the SSH client The key must have the following attributes to work with the IP71 The key must be exchanged with the IP71 to authenticate The key is...

Page 49: ...Enter the SSH fingerprint For example type set ssh usertable index 1 comment JohnsPC fingerprint Type or paste the fingerprint This pastes your fingerprint after the equals character Add status active after this and press Enter The entire command should look something like the following set ssh usertable index 1 comment John PC1 fingerprint 23 23 34 85 61 47 53 49 74 status active 9 To test the SS...

Page 50: ...nnections Set SSH SSH configuration of the IP71 involves two parameters and two subcommands Show SSH You can type show ssh at any time to view the current SSH configuration Table 4 SSH Authentication Command Description Parameters sshauthmethod authentication method used by SSH Any Password and key based connections are accepted Default Password Only password based connections are accepted Publick...

Page 51: ...You can specify the fingerprint as well as additional information with this command Index Allows you to specify the client connection to configure in the IP71 Comment Make a comment that identifies the client system Fingerprint Enter the fingerprint generated by the fpgen exe tool Status Allow or remove specific client connections hosttable specify host systems such as SCP servers with which the I...

Page 52: ...12 Configuring Through SNMP Accessing CLI Through the GUI To access the CLI from the GUI click Manage CLI A secure Web based GUI also allows you to execute CLI commands within the GUI The CLI screen appears as in Figure 13 Figure 13 Using CLI in the GUI ...

Page 53: ... Point NG Firewall might not produce an output Generating Security Certificates To access the Certificate Tool feature click Manage Certificate Tool You can create a Secure Socket Layer SSL certificate to set up a secure Web access HTTPS to your device To do this first generate a certificate using the Certificate Tool Figure 14 Generating Security Certificate You can generate a certificate in two ...

Page 54: ...the following information n Country Name n State Province Name n Locality Town Name n Organization Name n Organizational Unit n Common Name FQDN or the IP address of the IP71 n Email 3 Click Submit You will be prompted to close the browser and open after a few minutes 4 Click Reset to reset A certificate is automatically generated and stored in the device To Generate Certificate Signing Request fr...

Page 55: ...he RSA Private Key generated by the Certificate Tool in the Private Key text field 8 Enter Passphrase the same as what you enter in the Certificate Tool below 9 Click Submit Managing Through Nokia Horizon Manager You can access and manage the IP71 remotely using Nokia Horizon Manager NHM NHM identifies a device with the help of the IP address However the IP71 uses dynamic WAN IP where an IP addres...

Page 56: ...ed for NHM by default 3 Enter the Retry Timeout Make sure you have configured the Host ID in the IP71 Interface Options Logging The IP71 supports a standard system logging feature syslog that allows system event logging locally on the IP71 and to a remote server n Log n Syslog Log To access Log click Logging You can configure various parameters for logging A log filter allows you to display critic...

Page 57: ...Syslog You can enable or disable logging on your IP71 using the Syslog To access Syslog click Logging Syslog Figure 17 Syslog To configure Syslog 1 Select Enable or Disable 2 Select the logging type All or Critical 3 Enter the Syslog server IP address 4 Click Submit ...

Page 58: ...agement server To access the Check Point click Check Point Figure 18 Check Point Details You can configure the Check Point enforcement module in two ways n Non DAIP using Local License n DAIP using Central License Non DAIP You can configure the IP71 using a Local license To do this disable Automatic Fetch and use the Check Point License settings Automatic Fetch is disabled by default ...

Page 59: ...y fetches a security policy from the management server and updates the security policy on the IP71 The DAIP module can be set to periodically fetch the security policy The duration of the fetch can be configured on the management server To configure Check Point 1 Select Enable to enable the Check Point Firewall The Check Point firewall is Enabled by default 2 If you choose to use a local license e...

Page 60: ...Password 4 In the DAIP Configuration enter the following information n Select to enable Automatic Periodic Fetch It is enabled by default n Select to Pull Certificate if you wish n Enter the IP address of the Management Server n Enter the name of the Network Object that you have defined for your IP71 5 Click Submit Note Check Point settings can take several minutes to complete Advanced The Advance...

Page 61: ...upports the following mechanisms for IP address allocation n DHCP assigns an IP address dynamically defined in the range table to a host for a limited period of time on lease n The network administrator can reserve an IP address for a host The DHCP server is used to convey the assigned address to the host n If the DHCP server detects another DHCP server on the LAN it disables itself to avoid confl...

Page 62: ...Enter the Domain name of your IP71 This is usually the Domain Name assigned to the computer within the network c Set the Expiry Time for IP Address lease 3 DNS Settings for DHCP a Choose the DNS Configuration as Manual or Dynamic Dynamic is selected by default b If you have chosen Manual enter the IP Addresses of DNS Servers c If you have chosen Dynamic the IP addresses of the DNS Servers are auto...

Page 63: ...dress ranges 6 If the DHCP Server is used to assign a specific IP Address to a specific host computer do the following a Enter the MAC Address of the computer b Enter the IP Address that you want to assign to the computer This IP address should not be in the IP address ranges configured c Click Add to add the entry to the table 7 Click Submit Routing To access Routing click Advanced Routing The Ro...

Page 64: ...sting Route Entry select the entry in the Routing Table Click Delete ARP To access ARP click Advanced ARP ARP Static NAT enables your LAN to use a set of private IP addresses for internal traffic and a second set of public IP addresses for external traffic ARP allows the IP71 to maintain a public IP address mapped to a private IP address when communicating with computers or devices outside your LA...

Page 65: ...able and Click Modify or Delete 5 Click Submit Upgrading To access Upgrade click Advanced Upgrade The Upgrade feature enables you to upgrade your IP71 with new firmware It displays the current firmware information Figure 22 Firmware Upgrade To upgrade 1 Select the Mode TFTP or SCP to use to upgrade the firmware Nokia recommends SCP Secure Copy Protocol for a secure upgrade 2 Enter the filename of ...

Page 66: ...he IP71 configuration to your computer will help reconfigure the device later You can export backup the IP71 configuration using the Export function The backed up configuration can be restored with the Import function Note If you export the existing configuration from IP71 v1 5 or earlier and try to import the same configuration into an IP71 upgraded to v2 0 all the device configuration is restore...

Page 67: ...ou want to use TFTP SCP or HTTP 3 Browse and select the configuration file 4 Enter the IP address of the computer where you want to backup or restore the configuration file 5 Enter the username and password of the computer only for SCP 6 Click Submit Note When you import a configuration file the existing configuration on the IP71 is overwritten with the new configuration ...

Page 68: ...tics Tools provide you the following information n Ping checks for reachability of a device installed in a remote location If you select Ping as in Figure 24 n Enter the number of times you want to ping n Enter the IP Address of the of the device you are trying to reach n Trace Route gives the number of hops required to reach a remote host or network If you select Trace Route n Enter the Interface...

Page 69: ...ation click Diagnostics Utilization Figure 25 Diagnostics Utilization The Utilization page displays the performance statistics of the IP71 The following statistics are displayed n LAN Interface Statistics Receive n LAN Interface Statistics Transmit n WAN Interface Statistics Receive n WAN Interface Statistics Transmit n Memory Information n CPU Statistics n Process Statistics n Interrupt Statistic...

Page 70: ... to the factory settings n Quick Setup Wizard Click the Quick Setup Wizard to go to Wizard configuration n Restart Device Click Restart Device to restart your IP71 n Technical Support Dump Click Technical Support Dump to save the complete configuration details of your IP71 as well as the log of all actions performed on the device Save the dump file to send it to Customer Support when you report a ...

Page 71: ...e following options are supported in IP71 Console To access Console click Diagnostics Console The Console feature allows you to establish an SSH Session to your IP71 installed in a remote location d Dump the application layer data when displaying packets D Run Snort in daemon mode e Display log the Ethernet packet headers i interface l log dir n packet count q quiet operation v be verbose V Show t...

Page 72: ...SSH connection 1 Select Console A pop up window prompts you for your Username and Password same as your device username and password 2 Enter your Username and Password Click OK You can now configure the IP71 using CLI commands from the Console Note Enter Exit or the SSH session remains open ...

Page 73: ...pears Select the File you want to modify The details of the selected file are displayed in the File Details 2 Make the changes to the configuration information in the file 3 Click Modify for the configuration changes to take effect Warning Editing or Deleting configuration files could affect the functioning performance and configuration of the device On deleting a configuration file reconfigure th...

Page 74: ...erminal Table 5 gives the list of available configuration commands in the IP71 CLI Table 5 CLI Commands The following example shows an example CLI configuration CLI Commands Purpose set Configure the IP71 show Display existing configuration wizard Enable quick setup of IP71 password Enable quick setup of IP71 ping Ping diagnostic test fw firewall commands arp arp commands mesg verbose mdoe selecti...

Page 75: ...71 prompt appears and you can begin the system configuration set ipinterface table This command is used to set the IP Address of the LAN WAN port of IP71 Syntax set ipinterface table index LAN WAN ipaddress ip_address mask ip_address mtu n 0 1500 status up down Options index LAN WAN ipaddress IP Address of the LAN WAN port mask Netmask of the LAN WAN port Status down up mtu To set the mtu value of...

Page 76: ... is shown in a pair of brackets To maintain the current value press the Enter key without entering new data Although quotes are required for any other values that contain spaces in the CLI values that contain spaces in the wizard do not require quotes Copyright c Nokia Corporation 2001 IP71 V 1 0 2 07 11 2001 A S R 80 96 24 133 1 8 WB LAN MAC address 00 a0 2a 03 4a 34 WAN MAC address 00 a0 2a 03 4...

Page 77: ...ment server Enter Activation Key and confirm the Activation Key IP71 set checkpoint set checkpoint state Disable Enable expdate expdate 1 12 hostid hostid 1 250 features features 1 250 signature signature 1 250 command none PutLicense DelLicense ReStart PullCert Configure the license parameters and set command to PutLicense to install license After installing license set command to restart to acti...

Page 78: ... Point or Do you wish to restart Check Point Press the Y key and then press Enter to accept When the license processes the Adding Check Point License message appears It takes a minute to add a Check Point License Similarly you can execute all the actions explained in the GUI using respective CLI commands Configuring Static NAT Network Address Translation NAT is as much a part of the security polic...

Page 79: ...all Perform the following tasks to configure Static NAT n Configuring Network Objects n Configuring Security Policy n Configuring NAT Rules n Configuring Routing and ARP Entries n Installing the Security Policy n Configuring Anti Spoofing Table 6 Static NAT Configuration Network IP Address Internal Network RFC 1918 network 192 168 1 class C External Network 204 32 38 0 Default Route 204 32 38 254 ...

Page 80: ...e 7 Network Objects Object Name Description Internal_ Network The 192 168 1 1 0 24 network Internal_ Network_ Range A range object that covers all IP addresses from 192 168 1 2 to 192 168 1 254 www_server The real IP address 192 168 1 10 of the WWW server WWW_Server_ External The legal IP address 204 32 38 10 of the WWW server IP71 The workstation object for the IP71 defined as an internal gateway...

Page 81: ...f how the firewall will detect the traffic before NAT is applied Therefore you must create an external version of the WWW server object and use it in the rulebase Configuring NAT Rules The NAT Rules would look in the GUI Figure 34 NAT Rules The rules perform the following functions 1 If a connection is initiated to the WWW server s legal IP address e g 204 32 38 10 it will be translated to the ser...

Page 82: ...nfiguring Routing and ARP Entries. Configure the routing and ARP entries in your IP71. To configure routing and ARP entries: 1. Set up a proxy ARP for the legal IP address. This ensures that, at the data link level, the traffic arrives at the firewall. 2. Set up a route on the firewall itself for the static address translation. This ensures that the traffic is eventually delivered from the correct interface...

Page 83: ...es even if you currently do not use the anti-spoofing configuration. This aids in debugging, particularly if you configure it later. Before NAT was set up, anti-spoofing was configured as shown in Table 8. However, this setup is not sufficient when using NAT to devices on your internal network. Include those legal IP addresses that are statically translated to your internal network; in this case it means addin...

Page 84: ...alid addresses for eth1 (the internal interface) to eth1_valid. Now install your firewall security policy on the IP71.
Table 9  Configuring Valid Addresses
    Interface  IP Address   Valid Address Setting
    eth0       204.32.38.1  Others
    eth1       192.168.1.1  Specific: eth1_valid
...
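The static NAT procedure on Pages 79 through 84 has three easily forgotten pieces for every legal-to-real mapping: a proxy ARP entry for the legal address on the external interface, a route for the legal address, and the legal address in the internal interface's anti-spoofing valid set (Table 9's eth1_valid). The following added example, which is not code from the guide, from Nokia or from Check Point, models the guide's topology (Tables 6, 7 and 9) and reports what a candidate configuration is missing. It also implements the two NAT rules of Figure 34 and the anti-spoofing semantics of Table 9 (eth1 "Specific", eth0 "Others" = anything not claimed by eth1). The FirewallConfig layout, and the choice to model the route as a host route via eth1, are assumptions of the example; the guide only says a route for the translation must exist.

```python
"""Consistency check for the guide's static NAT example (constructed model).

Not Nokia or Check Point code. The addresses are the guide's; the config
layout and the host-route modelling are assumptions of this example.
"""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Topology from Table 6 and Table 9 of the guide
EXT_IF, EXT_IP = "eth0", IPv4("204.32.38.1")
INT_IF, INT_IP = "eth1", IPv4("192.168.1.1")
INTERNAL_NET = Net("192.168.1.0/24")

# Table 7: www_server (real) <-> WWW_Server_External (legal), legal -> real
STATIC_NAT = {IPv4("204.32.38.10"): IPv4("192.168.1.10")}
REAL_TO_LEGAL = {real: legal for legal, real in STATIC_NAT.items()}


@dataclass
class FirewallConfig:
    """Assumed layout for this example; the IP71 keeps these in its own tables."""
    proxy_arp: dict = field(default_factory=dict)        # legal IP -> interface answering ARP
    routes: dict = field(default_factory=dict)           # destination network -> egress interface
    valid_addresses: dict = field(default_factory=dict)  # interface -> set of networks ("eth1_valid")


def translate(direction, src, dst):
    """The two NAT rules of Figure 34: inbound dst legal->real, outbound src real->legal."""
    if direction == "inbound" and dst in STATIC_NAT:
        return src, STATIC_NAT[dst]
    if direction == "outbound" and src in REAL_TO_LEGAL:
        return REAL_TO_LEGAL[src], dst
    return src, dst


def source_allowed(iface, src, cfg):
    """Anti-spoofing check per Table 9: eth1 is 'Specific' (only its valid set),
    eth0 is 'Others' (anything not in another interface's valid set)."""
    internal_valid = cfg.valid_addresses.get(INT_IF, set())
    in_internal = any(src in net for net in internal_valid)
    return in_internal if iface == INT_IF else not in_internal


def missing_entries(cfg):
    """Report what the procedure on Pages 82-84 requires but cfg lacks."""
    problems = []
    for legal, real in STATIC_NAT.items():
        host_route = Net(f"{legal}/32")
        if cfg.proxy_arp.get(legal) != EXT_IF:
            problems.append(f"no proxy ARP for {legal} on {EXT_IF}")
        if cfg.routes.get(host_route) != INT_IF:
            problems.append(f"no route for {legal} via {INT_IF}")
        if not source_allowed(INT_IF, legal, cfg):
            problems.append(f"{legal} missing from {INT_IF} valid addresses")
        if not source_allowed(INT_IF, real, cfg):
            problems.append(f"{real} missing from {INT_IF} valid addresses")
    return problems


def table8_config():
    """Anti-spoofing as it stood before NAT (Table 8): only the RFC 1918 network."""
    return FirewallConfig(valid_addresses={INT_IF: {INTERNAL_NET}})


def table9_config():
    """After the procedure: Table 9's eth1_valid plus the proxy ARP and route entries."""
    return FirewallConfig(
        proxy_arp={IPv4("204.32.38.10"): EXT_IF},
        routes={Net("204.32.38.10/32"): INT_IF},
        valid_addresses={INT_IF: {INTERNAL_NET, Net("204.32.38.10/32")}},
    )


if __name__ == "__main__":
    for name, cfg in (("Table 8", table8_config()), ("Table 9", table9_config())):
        print(name, missing_entries(cfg) or "complete")
```

Run as-is, the Table 8 configuration is reported as missing the proxy ARP entry, the route and the legal address in eth1's valid set, while the Table 9 configuration is complete. The source_allowed function also shows the side effect the guide wants: once 204.32.38.10 is in eth1_valid, a packet arriving on eth0 that claims that source is treated as spoofed, because "Others" excludes everything eth1 claims.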

Page 85: ...1 or any other VPN gateway. In this guide, a VPN refers to secure communication between an IP71 with a SmallOffice Check Point NG license and another similarly configured element, such as another IP71 or a Check Point VPN gateway. Figure 35 VPN Configuration (diagram: Enterprise management server; IP71 and Network A; IP71 and Network B; addresses shown 10.10.1.1, 10.10.1.10, 200.20.1.1, 200.20.1.50, 10.10.4.1, 10.10.4.10; VPN Tunnel; Inte...)

Page 86: ...ctions describe defining one gateway and one network. Defining Network Objects: you need to define network objects to configure a VPN connection between two gateways. Defining IP71 Platforms: use the following procedure to define your network objects. This example assumes that two IP71 devices, IP71A and IP71B, are configured on two different networks. However, two connecting units can be on the same or di...

Page 87: ... address of the IP71. Select Dynamic Address if DAIP is enabled. 5. Select the Check Point products information: Version: select NG FP2; select either VPN-1 Pro or VPN-1 Net (on selecting VPN-1 Pro, FireWall-1 is selected by default); click Secure Internal Communication. The Communication window appears...

Page 88: ... you on the IP71. b. Click Initialize. The Trust State changes to Established once both objects are configured. 6. Click Topology. The Topology screen appears. 7. If you have established trust, click Get Topology; otherwise click Add. The Interface Properties window appears. You have defined the first network object in your VPN...

Page 89: ...bove steps 1 through 9. Once you have defined both network objects, you need to configure the encryption and authentication methods to use on the VPN. 8. On the Topology page, select the VPN Domain. 9. Click VPN in General Properties. a. Select IKE and click Edit. The IKE Properties appear. b. Select the Key Exchange encryption...

Page 90: ...ck OK. The IKE Properties page appears. i. Click OK. Setting the Network: once you have defined the two IP71 platforms as network objects that will act as gateways for their respective networks, you need to set the networks. To configure the network behind which one of the IP71s is located: 1. On the Check Point Policy Editor, choose Manage and select Network Objects. The Network Objects window appears. 2. Clic...

Page 91: ...d. Select Hide Behind the Interface of the Install on Gateway. Select the gateway that you want to hide the network behind. 6. You have set the first network. Perform steps 3 through 5 for the second network. Building VPN Groups: you can build a VPN group with two or more VPNs you have configured. This simplifies the VPN configuration. To build a VPN group: 1. On the Check Point Policy Editor, choose Mana...

Page 92: ... members. The available options are the entries you made in step 1. Click OK. Installing Policies: you have now configured a VPN. The rule base appears. You must apply values (policies) to the various column entries in the rule base; a sample of a completed rule base is shown in Figure 36. Figure 36 Rule Base. To initiate policy installation: 1. Choose the Install policies icon, or click Policy > Install. The inst...

Page 93: ...ets. 3. Select the Installation Mode. 4. Click OK. The Install Policy status display runs. When the policy is installed, click OK. To confirm that the configured VPN works, ping from a computer behind one IP71 to a computer behind the other. You can view the status of the VPN in the log viewer (Figure 37 Log Viewer)...

Page 94: ...4 Configuring a VPN 94 Nokia IP71 User Guide ...

Page 95: ...in a Check Point NG FireWall License. You can obtain the license with the help of the certificate key given to you when you purchase the device and the Check Point license. To obtain a Check Point license, open a Web browser (either Internet Explorer or Netscape Navigator) and enter https://usercenter.checkpoint.com. You should see the screen as shown...

Page 96: ...ress and confirm the e-mail address. Enter the password and confirm the password. Click Create. Enter the required information; items marked with an asterisk are required fields. On successfully creating a User Account, log on using your e-mail ID and the password you used to create your account. The Products List page appears. There are no products shown in your User Account...

Page 97: ... the Check Point reseller. Based on the certificate key, the product is identified. Click Continue. The key entered will be added to your User Account. Click the Products List on the top right corner of the screen shown in the figure. The product for which you want the license is displayed...

Page 98: ...A Obtaining a Check Point License. Check the product displayed. Click the product link (CPMPEVAL BANK NG) to enter the product details...

Page 99: ...Click License. Select the licensing scheme (central or local licensing). Click Continue with Software Details...

Page 100: ...cense is created. Note: The management server IP address can be the same as the VPN-1/FireWall-1 module IP address; in this case you can simply leave the management host information empty. If the management host information is supplied, two licenses will be generated: one for the management console and one for the enforcement point. In cases where the SmallOffice enforcement point is managed by an Enterprise...

Page 101: ...Click Download these Licenses. The License Download Notice appears. Click Download License. Copy the screen output text or e-mail text to a text file and save it for reference...

Page 102: ...A Obtaining a Check Point License 102 Nokia IP71 User Guide ...

Page 103: ...ntal
Table 10  Physical Dimensions
    Dimension  US       Metric
    Height     1.4 in   3.5 cm
    Width      10.0 in  25.4 cm
    Depth      7.0 in   17.5 cm
    Weight     1.82 lb  830 g
Table 11  Environmental Specifications
    System       Dimension       Range
    Temperature  Operating       40 F to 105 F (0 C to 40 C)
    Humidity     Non-Condensing  10 to 90...

Page 104: ... 11 Environmental Specifications (continued)
Table 12  Default Settings
    LAN IP address          192.168.1.1
    LAN Subnet Mask         255.255.255.0
    WAN IP Address          192.168.2.1
    WAN Subnet Mask         255.255.255.0
    Gateway IP address      0.0.0.0
    WAN Duplex              Half
    GMT Offset              8:00
    Daylight Savings        Disabled
    Login                   Admin
    DHCP Server             Enabled
    DHCP server range       192.168.1.2-254
    DHCP server lease time  10 minutes
...

Page 105: ... Minutes
    SSH Fingerprint               Enabled
    SSH Auth Method               Any
    Log Type                      All
    Log Server IP                 0.0.0.0
    Log View                      10 events
    SNMP Read                     public
    SNMP Write                    public
    SNMP Trap 1                   0.0.0.0
    SNMP Trap 2                   0.0.0.0
    SNMP Access                   Deny
    Password                      password
    WAN Mode                      Manual
    Check Point Automatic Fetch   Disabled
    Check Point default policy    Default filter (allows HTTPS and SSH to the IP71)
Table 12 Default Settings (continued). Note that these factory defaults include SNMP read and write communities of public and a login password of password, and the default filter admits HTTPS and SSH to the IP71; change the password and the communities before the device is reachable from an untrusted network...

Page 106: ... sharing through Ethernet LAN; TCP/IP; static routing on both LAN and WAN. Management Features: HTTPS-based GUI; command line interface (CLI); SNMP management features; export and import configuration; firmware upgrade; reset to factory defaults. Diagnostics: ping test; trace route; NS lookup...

Page 107: ...1998, 1999 The Internet Software Consortium. All rights reserved. Copyright 1996-2000 Matthias L. Jugel and Marcus Meißner. Copyright 1989, 1991 Free Software Foundation, Inc. Copyright 1989 Carnegie Mellon University. All rights reserved. Copyright 2000 The Apache Software Foundation. All rights reserved. Copyright 1998-2001 The OpenSSL Project. All rights reserved. Copyright 1995-1998 Eric Young. All rights re...

Page 108: ...B Technical Specifications 108 ...

Page 109: ... Fairchild Drive, Mountain View, CA 94043-2215, USA, declares that the product (Product name: IP71; Model number: IP71; Product options: All; Serial number: 6CYYWK5N; Date first applied: 2000) conforms to the following standards. Safety: EN60950 1992 A1, A2 1993, A3 1995, A4 1997, A11 1998 with Japanese National Deviations. EMC: EN50024, EN55022A 1998 (CISPR 22 Class B 1985), EN61000-3-2, EN61000-3-3...

Page 110: ...ct Greg Shortell, Nokia Telecommunications, 2 Heathrow Blvd, 284 Bath Road, Heathrow, Middlesex UB7 0DQ, England. Compliance Statement: this hardware complies with the following standards. Emissions: FCC Part 15 Subpart B Class B (US and Canada); EN55022A CISPR 22 Class B (European Community CE); EN6100-3-2 (European Community CE); EN6100-3-3 (European Community CE). Immunity: EN50024 (European Community CE); EN61000-4-2 E...

Page 111: ... uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this device does cause harmful interference to radio or television reception, the user is encouraged to try to correct the interference by on...

Page 112: ...C Compliance Information. Caution: Any changes or modifications not expressly approved by the grantee of this device could void the user's authority to operate the equipment...

Page 113: ... BE BOUND BY THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, PLEASE IMMEDIATELY RETURN THE SOFTWARE IN THE PRODUCT PACKAGE TO THE PLACE YOU PURCHASED IT FOR A FULL REFUND. 1. SOFTWARE LICENSE. Unless Customer is an approved Managed Service Provider, Nokia grants to Customer a personal, nonexclusive and nontransferable license to use the Software in object code form solely a...

Page 114: ...OPRIETARY RIGHTS. All right, title and interest in and to the Software and documentation, and any copies thereof provided by Nokia or which may be made by Customer, are and shall remain the exclusive property of Nokia or Nokia's licensors (Nokia and its licensors are collectively referred to as Software Owners). Each Software Owner shall have the right to enforce this Agreement against the Customer as to...

Page 115: ...mer will be able to operate it without problems or service interruptions. d. DISCLAIMER. THE WARRANTY ABOVE IS IN LIEU OF, AND NOKIA DISCLAIMS, ALL OTHER WARRANTIES AND CONDITIONS, EXPRESSED OR IMPLIED, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, QUALITY, NON-INFRINGEMENT, NON-INTERRUPTION OF USE, FREEDOM FROM BUGS OR OTHERWISE. NO DEALER OR RESELLER IS AUTHORIZED TO MAKE ANY MODIFICA...

Page 116: ...not to export or allow the export or re-export of any goods in violation of any such restrictions, laws or regulations. Customer will indemnify and hold harmless Nokia for any violation or alleged violation by Customer of such laws, rules, policies, procedures, restrictions or regulations. 6. CONFIDENTIAL INFORMATION. Customer agrees that aspects of the Software and documentation, including the specific desi...

Page 117: ...State of California and the United States, without regard to conflicts of laws provisions thereof and without regard to the United Nations Convention on Contracts for the International Sale of Goods. To the extent permitted by law, the parties waive any and all rights, privileges and obligations which may derive from any codification of the body of law generally referred to as the Uniform Commercial C...

Page 118: ...nsistent with the Federal Acquisition Guidelines and related laws, any use, modification, reproduction, release, performance, display or disclosure of such commercial software or commercial software documentation by the US Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement...

Page 119: ...ument conventions, 10; cautions and warnings, 10. E: emissions, 116; Encryption Type, 44; Externals, 13. F: Factory Defaults, 15; FCC Notice, 117; Features, 12. H: hardware specifications, 113; height, 111; Hyperterminal, 29. I: immunity, 116. N: Network Planning, 25. P: Package Contents, 12; Password Authentication, 49; Planning Your Network, 25. S: safety, 117; Session Timeout, 44; Setting the Network, 90; SNMP v2, 23; Snort, 70; software spec...

Page 120: ...Nokia IP71 Version 2.0. width, 111; safety, 117; SSH Authentication, 46; SSH Client, 23; Static NAT Configuration, 77. U: Upgrade, 64; Upgrading, 16. V: VPN: defining IP71 platforms, 86; installing policies, 92. W: warning, 10; width, 111...