Nortel BSR252, Configuration - Basics

Page 1: ...BSR252 Business Secure Router Document Number NN47923 500 Document Version 1 1 Date March 2007 Nortel Business Secure Router 252 Configuration Basics ...

Page 2: ...o be accurate and reliable but are presented without express or implied warranty The information in this document is proprietary to Nortel Trademarks Nortel Nortel Logo the Globemark and This is the way This is Nortel Design mark are trademarks of Nortel Microsoft MS MS DOS Windows and Windows NT are registered trademarks of Microsoft Corporation All other trademarks and registered trademarks are ...

Page 3: ...ialist by using an Express Routing Code 32 Getting Help through a Nortel distributor or reseller 32 Chapter 1 Getting to know your Business Secure Router 33 Introducing the Business Secure Router 33 Features 34 Physical features 34 High speed Internet access 34 ADSL standards 34 Networking compatibility 35 Multiplexing 35 Encapsulation 35 Four Port switch 35 Autonegotiating 10 100 Mb s Ethernet LA...

Page 4: ...lias 39 Central Network Management 39 SNMP 39 Network Address Translation NAT 40 Traffic Redirect 40 Port Forwarding 40 DHCP Dynamic Host Configuration Protocol 40 Full network management 40 Logging and tracing 41 Upgrade Business Secure Router Firmware 41 Embedded FTP and TFTP Servers 41 Applications for the Business Secure Router 41 Secure broadband internet access and VPN 41 Hardware Setup 42 C...

Page 5: ...ultiplexing 55 VPI and VCI 55 Wizard setup configuration first screen 55 IP address and subnet mask 57 IP address assignment 57 IP assignment with PPPoA or PPPoE encapsulation 58 IP assignment with RFC 1483 encapsulation 58 IP assignment with ENET ENCAP encapsulation 58 Private IP addresses 58 Nailed up connection only with PPP 59 NAT 59 Wizard setup configuration second screen 59 DHCP setup 65 IP...

Page 6: ...VPN Server Client Emulation 77 Allowing remote management of a LAN connected BCM50 77 Setting up the router for guest access 78 Preventing heavy data traffic from impacting telephone calls 79 Setting Up a Remote Office with a UNIStim IP Telephone 79 Inter operability With Third Party Routers 80 VPN Connections With Cisco Routers 80 Chapter 5 System screens 81 System overview 81 DNS overview 81 Pri...

Page 7: ...ing IP Alias 105 Chapter 7 WAN screens 107 WAN overview 107 TCP IP Priority metric 107 Configuring Route 108 PPPoE encapsulation 109 Configuring WAN ISP 110 Configuring WAN IP 113 Traffic redirect 117 Configuring Traffic Redirect 118 Configuring Dial Backup 119 Advanced Modem Setup 124 AT Command Strings 124 DTR Signal 124 Response Strings 124 Configuring Advanced Modem Setup 125 Chapter 8 Network...

Page 8: ... Mapping 139 Trigger Port Forwarding 143 Trigger Port Forwarding example 143 Two points to remember about Trigger Ports 144 Configuring Trigger Port Forwarding 145 Chapter 9 Static Route screens 147 Static Route overview 147 Configuring IP Static Route 148 Configuring Route entry 150 Chapter 10 Firewalls 153 Firewall overview 153 Types of firewalls 153 Packet filtering firewalls 154 Application le...

Page 9: ...ng 167 Firewall 167 When to use the firewall 167 Chapter 11 Firewall screens 169 Access methods 169 Firewall policies overview 169 Rule logic overview 171 Rule checklist 171 Security ramifications 171 Key fields for configuring rules 172 Action 172 Service 172 Source address 172 Destination address 172 Connection direction examples 172 LAN to WAN rules 173 WAN to LAN rules 173 Configuring firewall...

Page 10: ...PN 199 VPN 199 IPSec 199 Business Secure Router VPN functions 199 VPN screens overview 200 Other terminology 201 Encryption 201 Data confidentiality 202 Data integrity 202 Data origin authentication 202 VPN applications 202 IPSec architecture 202 IPSec algorithms 203 AH Authentication Header protocol 204 ESP Encapsulating Security Payload protocol 204 Key management 205 Encapsulation 206 Transport...

Page 11: ...ng an IP Policy 230 Port forwarding server 236 Configuring a port forwarding server 236 IKE phases 238 Negotiation Mode 240 Preshared key 240 Diffie Hellman DH Key Groups 241 Perfect Forward Secrecy PFS 241 Configuring advanced Branch office setup 241 SA Monitor 245 Global settings 247 VPN Client Termination 248 VPN Client Termination IP pool summary 252 VPN Client Termination IP pool edit 254 VPN...

Page 12: ...e details 290 Directory servers 294 Add or edit a directory server 295 Chapter 15 Bandwidth management 299 Bandwidth management overview 299 Bandwidth classes and filters 300 Proportional bandwidth allocation 300 Application based bandwidth management 300 Subnet based bandwidth management 300 Application and subnet based bandwidth management 301 Reserving bandwidth for nonbandwidth class traffic 3...

Page 13: ...e management overview 329 Remote management limitations 329 Remote management and NAT 330 System timeout 330 Introduction to HTTPS 331 Configuring WWW 332 HTTPS example 334 Internet Explorer warning messages 335 Netscape Navigator warning messages 335 Avoiding the browser warning messages 337 Logon screen 338 SSH overview 343 How SSH works 344 SSH implementation on the Business Secure Router 345 R...

Page 14: ...th UPnP 362 UPnP implementation 362 Configuring UPnP 362 Displaying UPnP port mapping 364 Installing UPnP in Windows example 365 Installing UPnP in Windows Me 365 Installing UPnP in Windows XP 366 Using UPnP in Windows XP example 368 Autodiscover Your UPnP enabled Network Device 368 WebGUI easy access 371 Chapter 20 Logs Screens 373 Configuring View Log 373 Configuring Log settings 375 Configuring...

Page 15: ...iguration screen 405 Back to Factory Defaults 405 Backup configuration 406 Restore configuration 407 Restart screen 408 Appendix A Troubleshooting 411 Problems Starting Up the Business Secure Router 411 Problems with the LAN LED 412 Problems with the LAN interface 412 Problems with the WAN interface 413 Problems with Internet access 413 Problems accessing an Internet Web site 414 Problems with the...

Page 16: ...2 Netscape Pop up Blockers 423 Allowing Pop ups 424 Enable Pop up Blockers with Exceptions 425 Netscape Java Permissions and JavaScript 427 Appendix B Log Descriptions 431 VPN IPSec Logs 440 VPN Responder IPSec Log 441 Log Commands 450 Configuring what you want the Business Secure Router to log 450 Displaying Logs 451 Log Command Example 452 Index 453 ...

Page 17: ...et connection with RFC 1483 61 Figure 11 Internet connection with ENET ENCAP 62 Figure 12 Internet connection with PPPoE 63 Figure 13 Wizard Screen 3 66 Figure 14 Wizard LAN configuration 67 Figure 15 Wizard Screen 4 69 Figure 16 Private DNS server example 82 Figure 17 System general setup 83 Figure 18 DDNS 86 Figure 19 Password 88 Figure 20 Time and Date 91 Figure 21 ALG 94 Figure 22 LAN IP 100 F...

Page 18: ...ess Secure Router firewall application 156 Figure 46 Three way handshake 158 Figure 47 SYN flood 159 Figure 48 Smurf attack 160 Figure 49 Stateful inspection 162 Figure 50 LAN to WAN traffic 173 Figure 51 WAN to LAN traffic 174 Figure 52 Enabling the firewall 176 Figure 53 Creating and editing a firewall rule 179 Figure 54 Adding or editing source and destination addresses 181 Figure 55 Creating o...

Page 19: ... VPN Client Termination 249 Figure 79 VPN Client Termination IP pool summary 253 Figure 80 VPN Client Termination IP pool edit 254 Figure 81 VPN Client Termination advanced 256 Figure 82 Certificate configuration overview 263 Figure 83 My Certificates 264 Figure 84 My Certificate Import 268 Figure 85 My Certificate create 270 Figure 86 My Certificate details 274 Figure 87 Trusted CAs 278 Figure 88...

Page 20: ...cape 336 Figure 114 Security Certificate 2 Netscape 337 Figure 115 Logon screen Internet Explorer 339 Figure 116 Login screen Netscape 340 Figure 117 Replace certificate 341 Figure 118 Device specific certificate 342 Figure 119 Common Business Secure Router certificate 343 Figure 120 SSH Communication Example 344 Figure 121 How SSH Works 344 Figure 122 SSH 346 Figure 123 SSH Example 1 Store Host K...

Page 21: ...8 My Network Places Local network 372 Figure 149 View Log 374 Figure 150 Log settings 376 Figure 151 Reports 379 Figure 152 Web site hits report example 381 Figure 153 Protocol Port report example 382 Figure 154 LAN IP address report example 384 Figure 155 Call schedule summary 388 Figure 156 Call schedule edit 389 Figure 157 Applying Schedule Sets to a remote node 392 Figure 158 System Status 396...

Page 22: ...re 176 Security Settings Java Scripting 421 Figure 177 Security Settings Java 422 Figure 178 Java Sun 423 Figure 179 Allow Popups from this site 424 Figure 180 Netscape Search Toolbar 424 Figure 181 Popup Windows 425 Figure 182 Popup Windows 426 Figure 183 Allowed Sites 427 Figure 184 Advanced 428 Figure 185 Scripts Plug ins 429 Figure 186 Example VPN Initiator IPSec Log 441 Figure 187 Example VPN...

Page 23: ...l setup 83 Table 9 DDNS 86 Table 10 Password 88 Table 11 Default Time Servers 90 Table 12 Time and Date 92 Table 13 ALG 95 Table 14 LAN IP 101 Table 15 Static DHCP 104 Table 16 IP Alias 106 Table 17 WAN Route 109 Table 18 WAN WAN ISP 112 Table 19 WAN IP 115 Table 20 Traffic Redirect 119 Table 21 Dial Backup Setup 121 Table 22 Advanced Setup 126 Table 23 NAT definitions 130 Table 24 NAT mapping typ...

Page 24: ... 46 VPN and NAT 208 Table 47 Summary 211 Table 48 VPN Contivity Client rule setup 215 Table 49 VPN Contivity Client advanced rule setup 217 Table 50 Local ID type and content fields 219 Table 51 Peer ID type and content fields 219 Table 52 Matching ID type and content configuration example 220 Table 53 Mismatching ID Type and Content Configuration Example 220 Table 54 VPN Branch Office rule setup ...

Page 25: ...h Management Example 301 Table 77 Bandwidth Manager Summary 302 Table 78 Bandwidth Manager Class Setup 304 Table 79 Bandwidth Manager Edit class 306 Table 80 Services and port numbers 308 Table 81 Bandwidth management statistics 309 Table 82 Bandwidth manager monitor 310 Table 83 802 1X 314 Table 84 Local User database 318 Table 85 Local User database edit 321 Table 86 Current split networks 323 T...

Page 26: ...eshooting the LAN LED 412 Table 116 Troubleshooting the LAN interface 412 Table 117 Troubleshooting the WAN Interface 413 Table 118 Troubleshooting Internet access 413 Table 119 Troubleshooting Web Site Internet Access 414 Table 120 Troubleshooting the password 414 Table 121 Troubleshooting the WebGUI 415 Table 122 Troubleshooting Remote Management 415 Table 123 System Error Logs 431 Table 124 Sys...

Page 27: ...Business Secure Router 252 Configuration Basics Table 135 PKI Logs 446 Table 136 Certificate Path Verification Failure Reason Codes 448 Table 137 IEEE 802 1X Logs 449 Table 138 Log categories and available settings 450 ...

Page 28: ...28 Tables NN47923 500 ...

Page 29: ...he following text conventions Note This guide explains how to use the WebGUI to configure your Business Secure Router See Nortel Business Secure Router 252 Configuration Advanced NN47923 501 for how to use the System Management Terminal SMT or the command interpreter interface to configure your Business Secure Router Not all features can be configured through all interfaces Enter means type one or...

Page 30: ...d release notes free directly from the Internet Go to www nortel com documentation Find the product for which you need documentation Then locate the specific category and model or version for your hardware or software product Use Adobe Reader to open the manuals and release notes search for the sections you need and print them on most standard printers Go to the Adobe Systems Web site at www adobe...

Page 31: ...oftware documentation and product bulletins search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues sign up for automatic notification of new software and documentation for Nortel equipment open and manage technical support cases Getting Help over the phone from a Nortel Solutions Center If you don t find the information you require on the Nortel Technic...

Page 32: ...RC to quickly route your call to a specialist in your Nortel product or service To locate the ERC for your product or service go to www nortel com erc Getting Help through a Nortel distributor or reseller If you purchased a service contract for your Nortel product from a distributor or authorized reseller contact the technical support staff for that distributor or reseller ...

Page 33: ... a high speed Asymmetrical Digital Subscriber Line Plus ADSL2 port into a single package The Business Secure Router is ideal for high speed Internet browsing and making LAN to LAN connections to remote networks By integrating Digital Subscriber Line DSL and Network Address Translation NAT the Business Secure Router provides easy installation and Internet access By integrating firewall and Virtual ...

Page 34: ...of the International Telecommunications Union G 992 1 ADSL2 G dmt bis G 992 3 ADSL2 G 992 5 Table 1 Feature specifications Feature Specification Number of static routes 12 Number of NAT sessions 4096 Number of SUA Single User Account servers 12 Number of address mapping rules 10 Maximum number of VPN IP Policies 60 Maximum number of VPN Tunnels Client and or Branch Office 10 Maximum number of conc...

Page 35: ...t I 610 F4 F5 OAM Networking compatibility Your Business Secure Router is compatible with the major ADSL Digital Subscriber Line Access Multiplexer DSLAM providers making configuration as simple as possible Multiplexing The Business Secure Router supports VC based and LLC based multiplexing Encapsulation The Business Secure Router supports PPPoA RFC 2364 PPP over ATM Adaptation Layer 5 RFC 1483 en...

Page 36: ... can get the current time and date from an external server when you turn on your Business Secure Router You can also set the time manually Reset button The Business Secure Router reset button is built into the rear panel Use this button to restart the Business Secure Router or restore the factory default password to setup IP address to 192 168 1 1 subnet mask to 255 255 255 0 and DHCP server enabl...

Page 37: ...tocol over Secure Socket Layer or HTTP over SSL is a web protocol that encrypts and decrypts web sessions Use HTTPS for secure WebGUI access to the Business Secure Router IEEE 802 1x for network security The Business Secure Router supports the IEEE 802 1x standard for user authentication With the local user profile in the Business Secure Router you can configure up to 32 user profiles without a ne...

Page 38: ...Router can block specific URLs by using the keyword feature The administrator can also define time periods and days during which content filtering is enabled Packet filtering The packet filtering mechanism blocks unwanted traffic from entering or leaving your network Universal Plug and Play UPnP Using the standard TCP IP protocol the Business Secure Router and other UPnP enabled devices can dynami...

Page 39: ... Ethernet interface The Business Secure Router supports three logical LAN interfaces through its single physical Ethernet LAN interface with the Business Secure Router itself as the gateway for each LAN network Central Network Management With Central Network Management CNM an enterprise or service provider network administrator can manage your Business Secure Router The enterprise or service provi...

Page 40: ...tocol With DHCP Dynamic Host Configuration Protocol individual client computers can obtain the TCP IP configuration at start up from a centralized DHCP server The Business Secure Router has built in DHCP server capability enabled by default which means it can assign IP addresses an IP default gateway and DNS servers to all systems that support the DHCP client The Business Secure Router can also ac...

Page 41: ... The embedded FTP and TFTP servers enable fast firmware upgrades as well as configuration file backups and restoration Applications for the Business Secure Router Secure broadband internet access and VPN The Business Secure Router provides broadband Internet access through ADSL The Business Secure Router also provides IP address sharing and a firewall protected local network with traffic managemen...

Page 42: ...ess Secure Router continue with the rest of this guide for configuration instructions Note To keep the Business Secure Router operating at optimal internal temperature keep the bottom sides and rear clear of obstructions and away from the exhaust of other equipment Caution Electro static Discharge can disrupt the router Use appropriate handling precautions to avoid ESD Avoid touching the connector...

Page 43: ...Chapter 1 Getting to know your Business Secure Router 43 Nortel Business Secure Router 252 Configuration Basics Note Please use only No 26 AWG American Wire Gauge or larger telecommunication line cord ...

Page 44: ...44 Chapter 1 Getting to know your Business Secure Router NN47923 500 ...

Page 45: ... resolution is 1 024 by 768 pixels In order to use the WebGUI you need to allow Web browser pop up windows from your device Web pop up blocking is enabled by default in Windows XP SP Service Pack 2 JavaScripts enabled by default Java permissions enabled by default See Allowing Pop up Windows JavaScript and Java Permissions on page 416 if you want to make sure these functions are allowed in Interne...

Page 46: ...lt and the password PlsChgMe is the default and click Login Click Reset to clear any information you have entered in the Username and Password fields Figure 2 Login screen 4 A screen asking you to change your password highly recommended appears and is shown in Figure 3 Type a new password and retype it to confirm and click Apply or click Ignore ...

Page 47: ...ecure Router 252 Configuration Basics Figure 3 Change password screen 5 Click Apply in the Replace Certificate screen to create a certificate using your Business Secure Router MAC address that is specific to this device Figure 4 Replace certificate screen ...

Page 48: ...ith 8 data bit no parity one stop bit and flow control set to none The password will be reset to PlsChgMe also Procedure to use the reset button Press the rear panel RESET button for longer than three seconds to return the Business Secure Router to the factory defaults 6 Reset Button on the Router LineFeed Press the RESET button for longer than three seconds to return the Business Secure Router to...

Page 49: ...tivating Xmodem upload on your terminal Figure 5 is an example of an Xmodem configuration upload using HyperTerminal 6 Click Transfer then Send File to display the screen illustrated in Figure 5 Figure 5 Example Xmodem Upload 7 After the firmware uploads successfully enter atgo to restart the router Navigating the Business Secure Router WebGUI Follow the instructions in the MAIN MENU screen or cli...

Page 50: ...50 Chapter 2 Introducing the WebGUI NN47923 500 Figure 6 MAIN MENU Screen Click the Contact link to display the customer support contact information Figure 7 is a sample of what displays ...

Page 51: ...Chapter 2 Introducing the WebGUI 51 Nortel Business Secure Router 252 Configuration Basics Figure 7 Contact Support ...

Page 52: ...52 Chapter 2 Introducing the WebGUI NN47923 500 ...

Page 53: ...u do not have the required information Encapsulation Be sure to use the encapsulation method required by your ISP The Business Secure Router supports the following methods ENET ENCAP The MAC Encapsulated Routing Link Protocol ENET ENCAP is only implemented with the IP network protocol IP packets are routed between the Ethernet interface and the WAN interface and then formatted so that they can be ...

Page 54: ... functions like a dial up Internet connection The Business Secure Router encapsulates the PPP session based on RFC 1483 and sends it through an ATM PVC Permanent Virtual Circuit to the Internet Service Provider ISP DSLAM Digital Subscriber Line Access Multiplexer For more information about PPPoA refer to RFC 2364 For more information about PPP refer to RFC 1661 RFC 1483 RFC 1483 describes two meth...

Page 55: ...ng information being contained in each packet header Despite the extra bandwidth and processing overhead this method can be advantageous if it is not practical to have a separate VC for each carried protocol for example if charging heavily depends on the number of simultaneous VCs VPI and VCI Be sure to use the correct Virtual Path Identifier VPI and Virtual Channel Identifier VCI numbers assigned...

Page 56: ...If you select Bridge in the Mode field select either PPPoA or RFC 1483 If you select Routing in the Mode field select PPPoA RFC 1483 ENET ENCAP or PPPoE Multiplex Select the multiplexing method used by your ISP from the Multiplex drop down list box either VC based or LLC based Virtual Circuit ID VPI Virtual Path Identifier and VCI Virtual Channel Identifier define a virtual circuit VPI Enter the V...

Page 57: ...ch covers 254 individual addresses from 192 168 1 1 to 192 168 1 254 0 and 255 are reserved In other words the first three numbers specify the network number while the last number identifies an individual computer on that network After you select the network number pick an IP address that is easy to remember for instance 192 168 1 1 for your Business Secure Router Make sure that no other device on...

Page 58: ...r a static IP you must fill in all the IP Address and ENET ENCAP Gateway fields as supplied by your ISP However for a dynamic IP the Business Secure Router acts as a DHCP client on the WAN and so the IP Address and ENET ENCAP Gateway fields are not applicable N A as the DHCP server assigns them to the Business Secure Router Private IP addresses Every machine on the Internet must have a unique addr...

Page 59: ...d whenever the connection is down A nailed up connection can be expensive if you are billed by your Internet connection usage time Do not specify a nailed up connection unless your telephone company offers flat rate service or you need a constant connection and the cost is of no concern NAT Network Address Translation NAT is the translation of the IP address of a host in a packet For example the s...

Page 60: ...s This option is available if you select Routing in the Mode field A static IP address is a fixed IP that your ISP gives you A dynamic IP address is not fixed the ISP assigns you a different one each time you connect to the Internet The Single User Account feature can be used with either a dynamic or static IP address Click Obtain an IP Address Automatically if you have a dynamic IP address otherw...

Page 61: ...er tries to bring up the connection automatically if it is disconnected The schedule rules in SMT menu 26 has priority over your Connection settings Network Address Translation This option is available if you select Routing in the Mode field Select None SUA Only or Full Feature from the drop down list box For more details see Chapter 8 Network Address Translation NAT Screens on page 129 Back Click...

Page 62: ...s A static IP address is a fixed IP that your ISP gives you A dynamic IP address is not fixed the ISP assigns you a different one each time you connect to the Internet The Single User Account feature can be used with either a dynamic or static IP address Select Obtain an IP Address Automatically if you have a dynamic IP address otherwise select Static IP Address and type your ISP assigned IP addre...

Page 63: ...NET ENCAP in the Encapsulation field in the previous screen Network Address Translation Select None SUA Only or Full Feature from the drop down list box For more details see Chapter 8 Network Address Translation NAT Screens on page 129 Back Click Back to go back to the first wizard screen Next Click Next to continue to the next wizard screen Table 5 Internet connection with ENET ENCAP continued La...

Page 64: ... you have a dynamic IP address otherwise select Static IP Address and type your ISP assigned IP address in the IP Address text box below Connection Select Connect on Demand if you do not want the connection up all the time and specify an idle time out in seconds in the Max Idle Timeout field The default setting selects Connection on Demand with 0 as the idle time out which means the Internet sessi...

Page 65: ...u turn DHCP service off you must have another DHCP server on your LAN or else the computer must be manually configured DHCP Dynamic Host Configuration Protocol RFC 2131 and RFC 2132 IP pool setup The Business Secure Router is preconfigured with a pool of IP addresses for the client machines Wizard setup configuration third screen 1 Verify the settings in the following screen To change the LAN info...

Page 66: ...izard Screen 3 2 To change your Business Secure Router LAN settings click Change LAN Configuration to display the following screen Note If you change the Business Secure Router LAN IP address you must use the new IP address to access the WebGUI again ...

Page 67: ...nfiguration Table 7 describes the fields in Figure 14 Table 7 Wizard LAN configuration Label Description LAN IP Address Enter the IP address of your Business Secure Router in dotted decimal notation for example 192 168 1 1 factory default LAN Subnet Mask Enter a subnet mask in dotted decimal notation DHCP ...

Page 68: ...nd DNS Server Third DNS Server Select Obtained From ISP if your ISP dynamically assigns DNS server information and the Business Secure Router WAN IP address The field to the right displays the read only DNS server IP address that the ISP assigns Select UserDefined if you have the IP address of a DNS server Enter the DNS server IP address in the field to the right Select DNS Relay to have the Busin...

Page 69: ...nnected LAN devices click Start Diagnose Otherwise click Finish to go back to the site map screen Figure 15 Wizard Screen 4 Test your Internet connection Launch your Web browser and navigate to www nortel com Internet access is just the beginning For more detailed information on the complete range of features for the Business Secure Router see the rest of this guide If you cannot access the Intern...

Page 70: ...70 Chapter 3 Wizard setup NN47923 500 ...

Page 71: ...he rules can be deleted 2 Response to Invalid User ID or Password When the wrong user ID or password is entered into the router login screen no error message is displayed Instead the login screen is simply displayed again 3 First DHCP Address Reserved for BCM50 The first address of the DHCP Address Pool is reserved for a BCM50 in the subnet and will not be assigned to any other equipment Once assi...

Page 72: ... higher than the first If this type of address range is entered the range is ignored 2 Automatic Firewall Programming Configurations to various areas of the router such as remote management or adding a SUA Server do not automatically add the appropriate rules to the Firewall to enable the traffic to pass through the router These need to be added separately Note Firewall rules do not apply to IPSec...

Page 73: ...or a VPN Client user cannot contain the single or double quote characters 4 IP Pool Address Overlap When defining multiple VPN Client Termination IP pools the router uses the IP Subnet mask and not the pool size to determine if the pools are overlapping The subnet mask of each pool should be appropriate for the size of the VPN Client Termination IP pool 5 VPN Client Termination Failure In Specific...

Page 74: ...hanges Apply must then be clicked on the VPN Client Termination main page Security 1 Exporting or Saving Self Signed Certificate To export or save a self signed certificate click details the icon that looks like a paper note then click Export or copy the PEM text into the clipboard and paste into a file Routing 1 RIP Version Advertisement Control To change the version of generated RIP advertisemen...

Page 75: ...IREWALL add a WAN to LAN rule c If the service is not in the list of available services add it as a Custom Port d Add the rule selecting the service and entering the server IP address as the destination IP address Connecting two sites to establish a virtual private network The recommended method to do this is through a branch to branch IPSec tunnel 1 In VPN Summary add a new tunnel by editing an u...

Page 76: ... as per BCM50 installation guide 3 Create a tunnel to the remote site as described above 4 In the remote site set the S1 and S2 addresses to the IP address of the BCM50 which is identified in the router DHCP table or in the BCM50 This is done with a CLI command TELNET or SSH to the router This needs TELNET or SSH enabled on that router Select menu 24 select menu 8 and enter the commands ip dhcp en...

Page 77: ...P addresses from a pool define the pool and enable it 2 Assuming a Local User Database is used for authentication a Add user name and password to the local user database as an IPSec user and activate it If the hosts will be assigned a static IP address enter the address that will be assigned to the user Configuring the router to connect to a Nortel VPN Server Client Emulation 1 Go to VPN Summary a...

Page 78: ...for guest access The recommended approach to provide guest access is by creating an IP Alias and using static addressing for the corporate equipment to make it a member of the defined Alias subnet Then use firewall rules to restrict access of the guest equipment NOTE if a BCM50 is used it will also need to be assigned a static IP address 1 Go to LAN IP Alias and Enable IP Alias 1 2 Define a subnet...

Page 79: ...l server documentation for calculation details 3 Set up a similar LAN subclass Setting Up a Remote Office with a UNIStim IP Telephone For a remote office with a PC and a UNIStim IP telephone behind a Business Secure Router Client Emulation is the recommended method to connect to the main office 1 At the main office Contivity Client Server establish two user accounts one for the telephone and one f...

Page 80: ...tware and configure it with the PC user account information Inter operability With Third Party Routers VPN Connections With Cisco Routers When establishing a VPN Client tunnel or Branch Office Tunnel between the Business Secure Router and a Cisco router the following configuration rules should be followed 1 Ensure that the WAN IP of the BSR222 252 router and the Cisco router are not in the same su...

Page 81: ...domain names for Business Secure Router system features like VPN DDNS and the time server Use the LAN IP screen to configure the DNS server information that the Business Secure Router sends to the DHCP client devices on the LAN Use the Remote Management DNS screen to configure the Business Secure Router to accept or discard DNS queries Private DNS server In cases where you want to use domain names...

Page 82: ... access computers that use private domain names on the HQ network the Business Secure Router at branch office 1 uses the Intranet DNS server in headquarters Figure 16 Private DNS server example Configuring General Setup Click SYSTEM to open the General screen Note If you do not specify an Intranet DNS server on the remote network then the VPN host must use IP addresses to access the computers on t...

Page 83: ...re If you leave this field blank the ISP assigns a domain name through DHCP The domain name entered by you is given priority over the ISP assigned domain name Administrator Inactivity Timer Type how many minutes a management session either through the WebGUI or SMT can be left idle before the session times out The default is 5 minutes After it times out you have to log in with your password again ...

Page 84: ... can be public or a private address on your local LAN Enter the DNS server s IP address in the field to the right A User Defined entry with the IP address set to 0 0 0 0 changes to None after you click Apply A duplicate User Defined entry changes to None after you click Apply Select None if you do not want to configure DNS servers If you do not configure a system DNS server you must use IP address...

Page 85: ...all you even if they don t know your IP address First of all you must register a dynamic DNS account with for example www dyndns org This is for people with a dynamic IP from their ISP or DHCP server that still wants a domain name The Dynamic DNS service provider gives you a password or key DYNDNS wildcard Enabling the wildcard feature for your host causes yourhost dyndns org to be aliased to the ...

Page 86: ...ynamic DNS Service Provider Select the name of your Dynamic DNS service provider DDNS Type Select the type of service that you are registered for from your Dynamic DNS service provider Host Names 1 3 Enter the host names in the three fields provided You can specify up to two host names in each field separated by a comma User Enter your username up to 31 characters ...

Page 87: ... line IP Address Update Policy DDNS Server Auto Detect IP Address Select this option only when there are one or more NAT routers between the Business Secure Router and the DDNS server This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address Note The DDNS server not be able to detect the proper IP address if there is an HTTP proxy s...

Page 88: ... can access and configure all of the Business Secure Router s features Old Password Type your existing system administrator password PlsChgMe is the default password New Password Type your new system password up to 31 characters Note that as you type a password the screen displays a for each character you type Retype to Confirm Retype your new system password for confirmation ...

Page 89: ...figure the WAN ISP and IP screens Configure the VPN Contivity Client settings except the Advanced screen exclusive use mode for client tunnel and MAC address allowed settings View the SA monitor Configure the VPN Global Setting screen View logs View the Maintenance Status screen Use the Maintenance F W Upload and Restart screens User Name Type a username for the client user up to 31 characters New...

Page 90: ...successful or all the predefined NTP time servers have been tried Configuring Time and Date To change the time and date of your Business Secure Router click SYSTEM and then Time and Date The screen in Figure 20 appears Use this screen to configure the time based on your local time zone Table 11 Default Time Servers a ntp alphazed net ntp1 cs wisc edu ntp1 gbg netnod se ntp2 cs wisc edu tock usno n...

Page 91: ...Chapter 5 System screens 91 Nortel Business Secure Router 252 Configuration Basics Figure 20 Time and Date ...

Page 92: ...s the last updated date from the time server or the last date configured manually After you set Time and Date Setup to Manual enter the new date in this field and then click Apply Get from Time Server Select this radio button to have the Business Secure Router get the time and date from the time server that you specified Time Protocol Select the time service protocol that your time server sends wh...

Page 93: ... Daylight Saving Time at the same moment 1 a m GMT or UTC So in the European Union select Last Sunday March The time you type in the o clock field depends on your time zone In Germany for instance type 2 because Germany s time zone is one hour ahead of GMT or UTC GMT 1 End Date Configure the day and time when Daylight Saving Time ends if you select Enable Daylight Saving The o clock field uses the...

Page 94: ...so configure NAT and firewall rules depending upon the type of access you want to allow Configuring ALG To change the ALG settings of your Business Secure Router click SYSTEM and then ALG The screen appears as shown in Figure 21 Figure 21 ALG Note You must enable the FTP H 323 or SIP ALG in order to use bandwidth management on that application ...

Page 95: ...ending of voice signals over the Internet Protocol The H 323 ALG does not support H 323 Gatekeeper Enable SIP ALG Select this check box to allow SIP Session Initiation Protocol applications to go through the Business Secure Router The Session Initiation Protocol SIP is an application layer control signaling protocol that handles the setting up altering and tearing down of voice and multimedia sess...

Page 96: ...96 Chapter 5 System screens NN47923 500 ...

Page 97: ...P Dynamic Host Configuration Protocol RFC 2131 and RFC 2132 individual clients can obtain TCP IP configuration at start up from a server You can configure the Business Secure Router as a DHCP server or disable it When configured as a server the Business Secure Router provides the TCP IP configuration for the clients If DHCP service is disabled you must have another DHCP server on your LAN or else ...

Page 98: ...es you explicit DNS server addresses read the embedded WebGUI help regarding which fields need to be configured RIP setup RIP Routing Information Protocol RFC 1058 and RFC 1389 allows a router to exchange routing information with other routers RIP Direction controls the sending and receiving of RIP packets When set to Both or Out Only the Business Secure Router broadcasts its routing table periodi...

Page 99: ...s an improvement over version 1 RFC 1112 but IGMP version 1 is still in wide use If you want to read more detailed information about interoperability between IGMP version 2 and version 1 see sections 4 and 5 of Internet Group Management Protocol RFC 2236 The class D IP address is used to identify host groups and can be in the range 224 0 0 0 to 239 255 255 255 The address 224 0 0 0 is not assigned...

Page 100: ...100 Chapter 6 LAN screens NN47923 500 Configuring IP Click LAN to open the IP screen Figure 22 LAN IP ...

Page 101: ...Router from acting as a DHCP server When you select None you must have another DHCP server on your LAN or else the computers must be manually configured IP Pool Starting Address This field specifies the first of the contiguous addresses in the IP address pool The default is 192 168 1 2 Pool Size This field specifies the size or count of the IP address pool The default is 126 DHCP Server Address Ty...

Page 102: ...he three servers Select None if you do not want to configure DNS servers If you do not configure a DNS server you must know the IP address of a machine in order to access it LAN TCP IP IP Address Type the IP address of your Business Secure Router in dotted decimal notation 192 168 1 1 factory default IP Subnet Mask The subnet mask specifies the network number portion of an IP address Your Business...

Page 103: ... on your network must use multicasting also By default RIP direction is set to Both and the Version set to RIP 1 Multicast Select IGMP V 1 or IGMP V 2 or None IGMP Internet Group Multicast Protocol is a network layer protocol used to establish membership in a Multicast group it is not used to carry user data IGMP version 2 RFC 2236 is an improvement over version 1 RFC 1112 but IGMP version 1 is st...

Page 104: ...the fields in Figure 23 Table 15 Static DHCP Label Description This is the index number of the Static IP table entry row MAC Address Type the MAC address with colons of a computer on your LAN IP Address This field specifies the size or count of the IP address pool Apply Click Apply to save your changes to the Business Secure Router Reset Click Reset to begin configuring this screen afresh ...

Page 105: ...ace The Business Secure Router supports three logical LAN interfaces through its single physical Ethernet interface with the Business Secure Router itself as the gateway for each LAN network To change the IP Alias settings of your Business Secure Router click LAN then the IP Alias tab The screen appears as shown in Figure 24 Figure 24 IP Alias Note Make sure that the subnets of the logical network...

Page 106: ... to Both or In Only it incorporates the RIP information that it receives when set to None it does not send any RIP packets and ignores any RIP packets received RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the Business Secure Router sends it recognizes both formats when receiving RIP 1 is universally supported but RIP 2 carries more infor...

Page 107: ...mber greater than 15 means the link is down The smaller the number the lower the cost 1 The metric sets the priority for the routes of the Business Secure Router to the Internet Each route must have a unique metric 2 The priority of the WAN port route must always be higher than the dial backup and traffic redirect route priorities If the WAN port route has a metric of 1 and the traffic redirect ro...

Page 108: ...108 Chapter 7 WAN screens NN47923 500 The dial backup or traffic redirect routes cannot take priority over the WAN routes Configuring Route Click WAN to open the Route screen Figure 25 WAN Route ...

Page 109: ...ervices a function known as dynamic service selection This enables the service provider to easily create and offer new IP services for individuals Operationally PPPoE saves significant effort for both you and the ISP or carrier as it requires no specific configuration of the broadband modem at the customer site Table 17 WAN Route Label Description WAN Traffic Redirect Dial Backup The default WAN c...

Page 110: ...ters on the LAN do not need PPPoE software installed since the Business Secure Router does that part of the task Furthermore with NAT all of the LAN computers will have access Configuring WAN ISP To configure the WAN ISP settings for your Business Secure Router click WAN then the WAN ISP tab The screen differs depending on the encapsulation ...

Page 111: ...Chapter 7 WAN screens 111 Nortel Business Secure Router 252 Configuration Basics Figure 26 WAN WAN ISP ...

Page 112: ...VPI Virtual Path Identifier and VCI Virtual Channel Identifier define a virtual circuit VPI The valid range for the VPI is 0 to 255 Enter the VPI assigned to you VCI The valid range for the VCI is 32 to 65 535 0 to 31 is reserved for local management of ATM traffic Enter the VCI assigned to you Login Information PPPoA and PPPoE encapsulation only Service Name PPPoE only Type the name of your PPPoE...

Page 113: ...through to allow up to ten hosts on the LAN to use PPPoE client software on their computers to connect to the ISP using the Business Secure Router Each host can have a separate account and a public WAN IP address PPPoE pass through is an alternative to NAT for applications where NAT is not appropriate Disable PPPoE pass through if you do not need to allow hosts on the LAN to use PPPoE client softw...

Page 114: ...114 Chapter 7 WAN screens NN47923 500 Figure 27 WAN IP ...

Page 115: ... Account is a subset of NAT that supports two types of mapping Many to One and Server Choose Full Feature if you have multiple public IP addresses Full Feature mapping types include One to One Many to One SUA PAT Many to Many Overload Many One to One and Server After you select Full Feature you must configure at least one address mapping set Metric This field sets this route s priority among the r...

Page 116: ...ulticasting Multicasting can reduce the load on nonrouter machines since they generally do not listen to the RIP multicast address and so do not receive the RIP packets However if one router uses multicasting then all routers on your network must use multicasting also By default the RIP Version field is set to RIP 1 Multicast Choose None default IGMP V1 or IGMP V2 IGMP Internet Group Multicast Pro...

Page 117: ... the LAN to the WAN and from the WAN to the LAN If your firewall is enabled with the default policy set to block WAN to LAN traffic you must also create a WAN to LAN firewall rule that forwards NetBIOS traffic Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN This field does the same as the Allow between LAN and WAN field in the LAN IP scre...

Page 118: ...teway for each LAN network Put the protected LAN in one subnet Subnet 1 in Figure 29 and the backup gateway in another subnet Subnet 2 Configure a LAN to LAN Business Secure Router firewall rule that forwards packets from the protected LAN Subnet 1 to the backup gateway Subnet 2 Figure 29 Traffic Redirect LAN Setup Configuring Traffic Redirect To change the traffic redirect settings click WAN then...

Page 119: ...t Label Description Active Select this check box to have the Business Secure Router use traffic redirect if the normal WAN connection goes down Backup Gateway IP Address Type the IP address of your backup gateway in dotted decimal notation The Business Secure Router automatically forwards traffic to this IP address if the Business Secure Router s Internet connection terminates Apply Click Apply to...

Page 120: ...120 Chapter 7 WAN screens NN47923 500 Figure 31 Dial Backup Setup ...

Page 121: ...sign before the phone number for local calls Include a symbol at the beginning of the phone numbers as required Dial Backup Port Speed Use the drop down list to select the speed of the connection between the Dial Backup port and the external device Available speeds are 9 600 19 200 38 400 57 600 115 200 or 230 400 b s AT Command Initial String Type the AT command string to initialize the WAN devic...

Page 122: ...n one network to a different IP address known within another network SUA Single User Account is a subset of NAT that supports two types of mapping Many to One and Server When you select this option the Business Secure Router uses Address Mapping Set 255 Clear this option to disable NAT Enable RIP Select this check box to turn on RIP Routing Information Protocol which allows a router to exchange ro...

Page 123: ...RFC 2236 Budget Always On Select this check box to have the dial backup connection on all of the time Configure Budget Select this check box to have the dial backup connection on during the time that you select Allocated Budget Type the amount of time in minutes that the dial backup connection can be used during the time configured in the Period field Set an amount that is less than the time perio...

Page 124: ...ng up the current call when the DTR Data Terminal Ready signal is dropped by the DTE If the Drop DTR When Hang Up check box is selected the Business Secure Router uses this hardware signal to force the WAN device to hang up in addition to issuing the drop command ATH Response Strings The response strings tell the Business Secure Router the tags or labels immediately preceding the various call para...

Page 125: ...Basics Configuring Advanced Modem Setup Click the Edit button in the Dial Backup screen to display the Advanced Setup screen shown in Figure 32 Figure 32 Advanced Setup Note Consult the manual of your WAN device connected to your dial backup port for specific AT commands Note ...

Page 126: ...evice CLID is required for CLID authentication NMBR Called ID Type the keyword preceding the dialed number Speed Type the keyword preceding the connection speed CONNECT Call Control Dial Timeout sec Type a number of seconds for the Business Secure Router to try to set up an outgoing call before timing out stopping 60 Retry Count Type a number of times for the Business Secure Router to retry a busy...

Page 127: ...rtel Business Secure Router 252 Configuration Basics Apply Click Apply to save your changes to the Business Secure Router Reset Click Reset to begin configuring this screen afresh Table 22 Advanced Setup Label Description Example ...

Page 128: ...128 Chapter 7 WAN screens NN47923 500 ...

Page 129: ...o a different IP address known within another network NAT definitions Inside outside denotes where a host is located relative to the Business Secure Router For example the computers of your subscribers are the inside hosts while the Web servers on the Internet are the outside hosts Global local denotes the IP address of a host in a packet as the packet traverses a router For example the local addr...

Page 130: ...is never changed The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP In addition you can designate servers for example a web server and a Telnet server on your local network and make them accessible to the outside world You can make designated servers on the LAN accessible to the outside world If you do not define any servers for Many to One and Man...

Page 131: ...ces the original IP source address and TCP or UDP source port numbers for Many to One and Many to Many Overload NAT mapping in each packet and then forwards it to the Internet The Business Secure Router keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored as illustrated in Figure 33 Figure 33 How NAT works Port restricted cone NAT...

Page 132: ... cannot send packets with source IP address e f g h and port 10101 to A because A has not sent a packet to IP address e f g h and port 10101 Figure 34 Port Restricted Cone NAT NAT application Figure 35 illustrates a possible NAT application where three inside LANs logical LANs using IP Alias behind the Business Secure Router can communicate with three distinct WAN networks More examples follow at ...

Page 133: ...l IP address This is equivalent to SUA for example PAT port address translation the Single User Account feature the SUA Only option Many to Many Overload In Many to Many Overload mode the Business Secure Router maps the multiple local IP addresses to shared global IP addresses Many One to One In Many One to One mode the Business Secure Router maps each local IP address to a unique global IP addres...

Page 134: ...resses of clients or servers using mapping types Select either SUA Only or Full Feature in WAN IP Table 24 NAT mapping type Type IP Mapping SMT Abbreviations One to One ILA1ÅÆ IGA1 1 1 Many to One SUA PAT ILA1ÅÆ IGA1 ILA2ÅÆ IGA1 M 1 Many to Many Overload ILA1ÅÆ IGA1 ILA2ÅÆ IGA2 ILA3ÅÆ IGA1 ILA4ÅÆ IGA2 M M Ov Many One to One ILA1ÅÆ IGA1 ILA2ÅÆ IGA2 ILA3ÅÆ IGA3 M 1 1 Server Server 1 IPÅÆ IGA1 Server...

Page 135: ...than one service for example both FTP and web service it is better to specify a range of port numbers You can allocate a server IP address that corresponds to a port or a range of ports With many residential broadband ISP accounts you cannot run any server processes such as a Web or FTP server from your location Your ISP periodically checks for servers and can suspend your account if it discovers ...

Page 136: ...n ports 22 25 to one server port 80 to another and assign a default server IP address of 192 168 1 35 as shown in Figure 36 Table 25 Services and port numbers Services Port Number ECHO 7 FTP File Transfer Protocol 21 SMTP Simple Mail Transfer Protocol 25 DNS Domain Name System 53 Finger 79 HTTP Hyper Text Transfer protocol or WWW Web 80 POP3 Post Office Protocol 110 NNTP Network News Transport Pro...

Page 137: ...figuring SUA Server Click SUA NAT to open the SUA Server screen Refer to Chapter 10 Firewalls on page 153 and Chapter 11 Firewall screens on page 169 for port numbers commonly used for particular services Note If you do not assign a Default Server IP Address then all packets received for ports not specified in this screen are discarded Business Secure Router ...

Page 138: ...el Description Default Server In addition to the servers for specified services NAT supports a default server A default server receives packets from ports that are not specified in this screen If you do not assign a default server IP address then all packets received for ports not specified in this screen are discarded Number of an individual SUA server entry ...

Page 139: ... 9 If you delete rule 4 rules 5 to 7 are pushed up by 1 rule so old rules 5 6 and 7 become new rules 4 5 and 6 To change the NAT address mapping settings click SUA NAT then the Address Mapping tab The screen appears as shown in Figure 38 Active Select this check box to enable the SUA server entry Clear this check box to disallow forwarding of these ports to an inside server without having to delet...

Page 140: ...is is the end Inside Local Address ILA If the rule is for all local IP addresses then this field displays 0 0 0 0 and 255 255 255 255 as the Local End IP address This field is N A for One to One and Server mapping types Global Start IP This refers to the Inside Global IP Address IGA 0 0 0 0 is for a dynamic IP address from your ISP with Many to One and Server mapping types Global End IP This is th...

Page 141: ...one global IP address This is equivalent to SUA that is PAT port address translation the Single User Account feature 3 Many to Many Overload mode maps multiple local IP addresses to shared global IP addresses 4 Many One to One mode maps each local IP address to unique global IP addresses 5 Server permits you to specify inside servers of different services behind the NAT to be accessible to the out...

Page 142: ...ny to Many Overload mode maps multiple local IP addresses to shared global IP addresses 4 Many One to One Many One to one mode maps each local IP address to unique global IP addresses 5 Server With this type you can specify inside servers of different services behind the NAT to be accessible to the outside world Local Start IP This is the starting Inside Local IP Address ILA Local IP addresses are...

Page 143: ...Business Secure Router records the IP address of a LAN computer that sends traffic to the WAN to request a service with a specific port number and protocol a trigger port When the WAN port on the Business Secure Router receives a response with a specific port number and protocol incoming port the Business Secure Router forwards the traffic to the LAN IP address of the computer that sent the reques...

Page 144: ...etween 6970 7170 4 The Business Secure Router forwards the traffic to Jane s computer IP address 5 Only Jane can connect to the Real Audio server until the connection is closed or times out The Business Secure Router times out in three minutes with UDP User Datagram Protocol or two hours with TCP IP Transfer Control Protocol Internet Protocol Two points to remember about Trigger Ports Trigger even...

Page 145: ... Configuration Basics Configuring Trigger Port Forwarding To change trigger port settings of your Business Secure Router click SUA NAT and the Trigger Port tab The screen appears as shown in Figure 41 Figure 41 Trigger Port Note Only one LAN computer can use a trigger port range at a time ...

Page 146: ...the client computer on the LAN that requested the service Start Port Type a port number or the starting port number in a range of port numbers End Port Type a port number or the ending port number in a range of port numbers Trigger The trigger port is a port or a range of ports that causes or triggers the Business Secure Router to record the IP address of the LAN computer that sent the traffic to ...

Page 147: ...nnected and the Business Secure Router has no knowledge of the networks beyond For instance the Business Secure Router knows about network N2 in Figure 42 through remote node Router 1 However the Business Secure Router is unable to route a packet to network N3 because it does not know that there is a route through the same remote node Router 1 through gateway Router 2 The static routes are for you...

Page 148: ...42 Example of Static Routing topology Configuring IP Static Route Click STATIC ROUTE to open the Route Entry screen Note The first static route entry is for the default WAN route You cannot modify or delete this static default route Business Secure Router ...

Page 149: ... field shows whether this static route is active Yes or not No Destination This parameter specifies the IP network address of the final destination Routing is always based on network number Gateway This is the IP address of the gateway The gateway is a router or switch on the same network segment as the Business Secure Router LAN or WAN port The gateway helps forward packets to their destinations ...

Page 150: ...tive This field allows you to activate or deactivate this static route Destination IP Address This parameter specifies the IP network address of the final destination Routing is always based on network number If you need to specify a route to a single host use a subnet mask of 255 255 255 255 in the subnet mask field to force the network number to be identical to the host ID IP Subnet Mask Enter t...

Page 151: ...recise but it must be between 1 and 15 In practice 2 or 3 is usually a good number Private This parameter determines if the Business Secure Router includes this route to a remote node in its RIP broadcasts Select this check box to keep this route private and not included in RIP broadcasts Clear this check box to propagate this route to other hosts through RIP broadcasts Apply Click Apply to save y...

Page 152: ...152 Chapter 9 Static Route screens NN47923 500 ...

Page 153: ...mechanism used to protect a trusted network from an untrusted network Of course firewalls cannot solve every security problem A firewall is one of the mechanisms used to establish a network security perimeter in support of a network security policy It must never be the only mechanism or method employed For a firewall to guard effectively you must design and deploy it appropriately This requires in...

Page 154: ...eauthenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging Filtering rules at the packet filtering router can be less complex than if the router needed to filter application traffic and direct it to a number of specific systems The router need only allow application traffic destined for the appli...

Page 155: ...Router also has packet filtering capabilities The Business Secure Router is installed between the LAN and a broadband modem connecting to the Internet so that it can allow it to act as a secure gateway for all data passing between the Internet and the LAN The Business Secure Router has one ADSL WAN port and four Ethernet LAN ports which are used to physically separate the network into two areas Th...

Page 156: ...to network resources The Business Secure Router is preconfigured to automatically detect and thwart currently known DoS attacks Basics Computers share information over the Internet using a common language called TCP IP TCP IP in turn is a set of application protocols that perform specific functions An extension number called the TCP port or UDP port identifies these protocols such as HTTP Web FTP ...

Page 157: ... of Death and Teardrop attacks exploit bugs in the TCP IP implementations of various computer and host systems Ping of Death uses a ping utility to create an IP packet that exceeds the maximum 65 536 bytes of data allowed by the IP specification The oversize packet is then sent to an unsuspecting system and can cause systems to crash hang or reboot Teardrop attack exploits weaknesses in the reasse...

Page 158: ... the initiator responds with an ACK acknowledgment After this handshake a connection is established SYN Attack floods a targeted system with a series of SYN packets Each packet causes the targeted system to issue a SYN ACK response While the targeted system waits for the ACK that follows the SYN ACK it queues up all outstanding SYN ACK responses on what is known as a backlog queue SYN ACKs are mov...

Page 159: ...work with useless data A Smurf hacker floods a router with Internet Control Message Protocol ICMP echo request packets pings Since the destination IP address of each packet is the broadcast address of the network the router broadcasts the ICMP echo request packet to all hosts on the network If there are numerous hosts this creates a large amount of ICMP echo request and response traffic If a hacke...

Page 160: ...CMP types trigger an alert Illegal Commands NetBIOS and SMTP The only legal NetBIOS commands are shown in Table 34 all others are illegal Table 33 ICMP commands that trigger alerts 5 REDIRECT 13 TIMESTAMP_REQUEST 14 TIMESTAMP_REPLY 17 ADDRESS_MASK_REQUEST 18 ADDRESS_MASK_REPLY Table 34 Legal NetBIOS commands MESSAGE REQUEST POSITIVE NEGATIVE RETARGET KEEPALIVE ...

Page 161: ...hat the packets originate from a trusted host and is allowed through the router or firewall The Business Secure Router blocks all IP Spoofing attempts Stateful inspection With stateful inspection fields of the packets are compared to packets that are already known to be trusted For example if you access an outside service the proxy server remembers things about your original request like the port ...

Page 162: ...owing example the following sequence of events occurs when a TCP packet leaves the LAN network through the firewall s WAN interface The TCP packet is the first in a session and the packet s application layer protocol is configured for a firewall rule inspection 1 The packet travels from the firewall s LAN to the WAN 2 The packet is evaluated against the interface s existing outbound access list an...

Page 163: ...nd the connection s state table entry is updated as necessary You can modify the inbound extended access list temporary entries based on the updated state information in order to permit only packets that are valid for the current state of the connection 8 Any additional inbound or outbound packets that belong to the connection are inspected to update the state table entry and to modify the tempora...

Page 164: ...rnet into the LAN Except in a few special cases see Upper layer protocols on page 165 these packets are dropped and logged If an initiation packet originates on the LAN someone is trying to make a connection from the LAN to the Internet Assuming that this is an acceptable part of the security policy as is the case with the default policy the connection is allowed A cache entry is added which inclu...

Page 165: ...ply because they are too dangerous and contain too little tracking information For instance ICMP redirect packets are never allowed in since they can be used to reroute traffic through attacking machines Upper layer protocols Some higher layer protocols such as FTP and RealAudio utilize multiple network connections simultaneously In general terms they usually have a control connection which is use...

Page 166: ...n find creative ways to misuse the enabled services to access the firewall or the network 5 For local services that are enabled protect against misuse Protect by configuring the services to communicate only with specific peers and protect by configuring rules to block packets for the services at specific interfaces 6 Protect against IP spoofing by making sure the firewall is active 7 Keep the fire...

Page 167: ...work layer IP headers up to the application layer The firewall performs stateful inspection It takes into account the state of the connections it handles so that for example a legitimate incoming packet can be matched with the outbound request for that packet and allowed in Conversely an incoming packet masquerading as a response to a nonexistent outbound request can be blocked The firewall uses s...

Page 168: ... The firewall performs better than filtering if you need to check many rules 5 Use the firewall if you need routine e mail reports about your system or need to be alerted when attacks occur 6 The firewall can block any specific URL traffic that occurs in the future The URL can be saved in an Access Control List ACL database ...

Page 169: ...options and are only recommended for advanced users refer to Nortel Business Secure Router 252 Configuration Advanced NN47923 501 for firewall CLI commands Firewall policies overview Firewall rules are grouped based on the direction of travel of packets to which they apply By default Business Secure Router stateful packet inspection allows packets traveling in the following directions LAN to LAN B...

Page 170: ...at from the LAN to the Internet Allow certain types of traffic such as Lotus Notes database synchronization from specific hosts on the Internet to specific hosts on the LAN Allow everyone except your competitors to access a Web server Restrict use of certain protocols such as Telnet to authorized users on the LAN These custom rules work by comparing the Source IP address Destination IP address and...

Page 171: ...llow only certain machines on the Internet to access the LAN Security ramifications Once the logic of the rule has been defined it is critical to consider the security ramifications created by the rule 1 Does this rule stop LAN users from accessing critical resources on the Internet For example if IRC is blocked are there users that require this service 2 Is it possible to modify the rule to be mo...

Page 172: ...ddress What is the source address of the connection is it on the LAN or WAN Is it a single IP a range of IPs or a subnet Destination address What is the destination address of the connection is it on the LAN or WAN Is it a single IP a range of IPs or a subnet Connection direction examples This section describes examples for firewall rules for connections going from LAN to WAN and from WAN to LAN L...

Page 173: ...ess Secure Router WAN interface itself By default the Business Secure Router stops WAN computers from using the Business Secure Router as a gateway to communicate with other computers on the WAN You can configure one of these rules to allow a WAN computer to manage the Business Secure Router LAN to WAN rules The default rule for LAN to WAN traffic is that all users on the LAN are allowed unrestric...

Page 174: ...he rule and stops checking the firewall rules For example you have one general rule that blocks all LAN to WAN IRC Internet Relay Chat And you have another rule that allows IRC traffic from your company president s LAN IP address to go to the WAN In order for the president s IRC traffic to get through the rule for the president s IP address must come before the rule that blocks all LAN to WAN IRC ...

Page 175: ...s the Business Secure Router LAN IP address return traffic does not go through the Business Secure Router This is called an asymmetrical or triangle route and causes the Business Secure Router to reset the connection as the connection has not been acknowledged Note Allowing asymmetrical routes can let traffic from the WAN go directly to the LAN without passing through the Business Secure Router A ...

Page 176: ...2 Table 36 Firewall rules summary First screen Label Description Enable Firewall Select this check box to activate the firewall The Business Secure Router performs access control and protects against Denial of Service DoS attacks when the firewall is activated The firewall allows traffic to go through your VPN tunnels ...

Page 177: ...ure summarized below take priority over the general firewall action settings above This is your firewall rule number The ordering of your rules is important as rules are applied in turn The Move field allows you to reorder your rules Status This field displays whether a firewall is turned on Active or not Inactive Rules that have not been configured display Empty Source Address This drop down list...

Page 178: ...the screen where you configure a firewall rule Move Select the Index option button of a rule and type a number for where you want to put that rule Click Move to move the rule to the number that you typed The ordering of your rules is important as they are applied in order of their numbering Rule to Rule Number Click a rule s option button and type the number for where you want to put that rule Edi...

Page 179: ...53 Table 37 Creating and editing a firewall rule Label Description Active Check the Active check box to have the Business Secure Router use this rule Leave it unchecked if you do not want the Business Secure Router to use the rule after you apply it Packet Direction Use the drop down list to select the direction of packet travel to which you want to apply this firewall rule ...

Page 180: ...remove a service highlight it in the Selected Services box on the right then click Custom Port Add Click this button to bring up the screen that you use to configure a new custom service that is not in the predefined list of services Edit Select a custom service denoted by an from the Available Services list and click this button to edit the service Delete Select a custom service denoted by an fro...

Page 181: ... Table 38 Adding or editing source and destination addresses Label Description Address Type Select an option from the drop down list that includes Single Address Range Address Subnet Address and Any Address Start IP Address Enter the single IP address or the starting IP address in a range here Use a numerical IP address in dotted decimal notation for example 192 168 1 10 End IP Address Enter the e...

Page 182: ...a custom port Table 39 describes the fields in Figure 55 Table 39 Creating Editing A Custom Port Label Description Service Name Enter a unique name to identify the service a service that is not predefined in the Business Secure Router Service Type Choose the IP port TCP UDP or Both that defines your customized port from the drop down list Port Configuration Type Click Single to specify one port on...

Page 183: ...nk and then the Summary tab 2 In the Summary screen type the index number for where you want to put the rule For example if you type 6 your new rule becomes number 6 and the previous rule 6 if there is one becomes rule 7 3 Click Insert to display the firewall rule configuration screen Figure 56 Firewall edit rule screen example 4 Select WAN to LAN as the Packet Direction 5 Select Any in the Destin...

Page 184: ...Custom Port screen Configure it as shown in Figure 58 and click Apply Figure 58 Edit custom port example 8 The firewall rule configuration screen displays Use the arrows between Available Services and Selected Services to configure it as shown in Figure 59 Click Apply after you are done Note Custom ports show up with an before their names in the Services list box and the Rule Summary list box Clic...

Page 185: ...the configuration procedure for this Internet firewall rule the Rule Summary screen will look like the on illustrated in Figure 60 Rule 1 Allows a My Service connection from the WAN to IP addresses 10 0 0 10 through 10 0 0 15 on the LAN Remember to click Apply after you finish configuring your rules to save your settings to the Business Secure Router ...

Page 186: ...Rule screen see Figure 53 displays all predefined services that the Business Secure Router already supports Next to the name of the service two fields appear in brackets The first field indicates the IP protocol type TCP UDP or ICMP The second field indicates the IP port number that defines the service Note that there can be more than one IP protocol ...

Page 187: ...9 Finger is a UNIX or Internet related command that can be used to find out if a user is logged on FTP TCP 20 21 File Transfer Program is a program to enable fast transfer of files including large files that cannot be sent by e mail H 323 TCP 1720 NetMeeting uses this protocol HTTP TCP 80 Hyper Text Transfer Protocol is a client server protocol for the World Wide Web HTTPS TCP 443 HTTPS is a secur...

Page 188: ... Point to Point Tunneling Protocol enables secure transfer of data over public networks This is the data channel RCMD TCP 512 Remote Command Service REAL_AUDIO TCP 7070 A streaming audio service that enables real time sound over the web REXEC TCP 514 Remote Execution Daemon RLOGIN TCP 513 Remote Logon RTELNET TCP 107 Remote Telnet RTSP TCP UDP 554 The Real Time Streaming media control Protocol RTS...

Page 189: ...n of voice and multimedia sessions over the Internet SIP is used in VoIP Voice over IP the sending of voice signals over the Internet Protocol SSH TCP UDP 22 Secure Shell Remote Logon Program STRM WORKS UDP 1558 Stream Works Protocol SYSLOG UDP 514 Using syslog you can send system logs to a UNIX server TACACS UDP 49 Login Host Protocol used for Terminal Access Controller Access Control System TELN...

Page 190: ...influencing choices for threshold values are The maximum number of opened sessions The minimum capacity of server backlog in your LAN network The CPU power of servers in your LAN network Network bandwidth Type of traffic for certain servers If your network is slower than average for any of these factors especially if you have servers that are slow or handle many tasks and are often busy then the d...

Page 191: ...ons as necessary until the rate of new connection attempts drops below another threshold one minute low The rate is the number of new attempts detected in the last one minute sample period TCP maximum incomplete and blocking period An unusually high number of half open sessions with the same destination host address indicates that a Denial of Service attack is being launched against the host Whene...

Page 192: ... the fields in Figure 61 Table 41 Attack alert Label Description Generate alert when attack detected A detected attack automatically generates a log entry Check this box to generate an alert as well as a log whenever an attack is detected Denial of Service Thresholds One Minute Low This is the rate of new half open sessions that causes the firewall to stop deleting half open sessions The Business ...

Page 193: ...ns as required to accommodate new connection requests Do not set Maximum Incomplete High to lower than the current Maximum Incomplete Low number The above values say 80 in the Maximum Incomplete Low field and 100 in this field cause the Business Secure Router to start deleting half open sessions when the number of existing half open sessions rises above 100 and to stop deleting half open sessions ...

Page 194: ...194 Chapter 11 Firewall screens NN47923 500 ...

Page 195: ...the ability to block certain web features or specific URL keywords and is not to be confused with packet filtering through SMT menu 21 1 To access these functions from the Main Menu click Content Filter to expand the Content Filter menus Restrict web features The Business Secure Router can block web features such as ActiveX controls Java applets and cookies and disable web proxies Days and Times W...

Page 196: ...196 Chapter 12 Content filtering NN47923 500 Configure Content Filtering Click Content Filter on the navigation panel to open the screen show in Figure 62 Figure 62 Content filter ...

Page 197: ...his proxy server Enable URL Keyword Blocking The Business Secure Router can block Web sites with URLs that contain certain keywords in the domain name or IP address For example if the keyword bad was enabled all sites containing this keyword in the domain name or IP address will be blocked for example URL http www website com bad html is blocked Select this check box to enable this feature Keyword...

Page 198: ...ict web server data such as ActiveX Java Cookies and Web Proxy are not affected Enter the time period in 24 hour format during which content filtering will be enforced Select the All Day check box to have content filtering always active on the days selected in Day to Block with time of day limitations not enforced Apply Click Apply to save your changes Reset Click Reset to begin configuring this s...

Page 199: ...services used to transport traffic over the Internet or any insecure network that uses the TCP IP protocol suite for communication Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections IPSec Internet Protocol Security IPSec is a standards based VPN that offers flexible solutions for secure data communications across a public network like the I...

Page 200: ...able 43 VPN Screens overview Screens Description Summary This screen lists all of your VPN rules Contivity Client Rule Setup Use these screens to configure simple VPN rules that have the Business Secure Router operate as a VPN client Branch Office Rule Setup Use these screens to manually configure VPN rules that have the Business Secure Router operate as a VPN router SA Monitor Use this screen to ...

Page 201: ...tion secure Decryption is the opposite of encryption it is a mathematical operation that transforms ciphertext to plaintext Decryption also requires a key Figure 63 Encryption and decryption Table 44 VPN Screens Overview Screens Description Summary This screen lists all of your VPN rules Contivity Client Rule Setup Use these screens to configure simple VPN rules that have the Business Secure Route...

Page 202: ...works Together Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased lines between sites Accessing Network Resources When NAT Is Enabled When NAT is enabled between the WAN and the LAN remote users are not able to access hosts on the LAN unless the host is designated a public LAN server for that specific protoc...

Page 203: ...ty Payload Protocol RFC 2406 and AH Authentication Header protocol RFC 2402 describe the packet formats and the default standards for packet structure including implementation algorithms The Encryption Algorithm describes the use of encryption techniques such as DES Data Encryption Standard AES Advanced Encryption Standard and Triple DES algorithms ...

Page 204: ...ence integrity replay resistance and nonrepudiation but not for confidentiality for which the ESP was designed In applications where confidentiality is not required or not sanctioned by government encryption restrictions an AH can be employed to ensure integrity This type of implementation does not protect the information from dissemination but can be used for verification of the integrity of the ...

Page 205: ...fectively doubling the strength of DES AES Advanced Encryption Standard is a newer method of data encryption that also uses a secret key This implementation of AES applies a 128 bit key to 128 bit blocks of data during phase 1 You can configure the device to use a 128 bit 192 bit or 256 bit key for phase 2 AES is faster than 3DES Select NULL to set up a phase 2 tunnel without encryption Authentica...

Page 206: ... the original IP header and options but before any upper layer protocols contained in the packet such as TCP and UDP With ESP protection is applied only to the upper layer protocols contained in the packet The IP header information and options are not used in the authentication process Therefore the originating IP address cannot be verified for integrity against the data With the use of AH as the ...

Page 207: ...ess Secure Router The security protocol appears after the outer IP header and before the inside IP header IPSec and NAT Read this section if you are running IPSec on a host computer behind the Business Secure Router NAT is incompatible with the AH protocol in both Transport and Tunnel mode An IPSec VPN using the AH protocol digitally signs the outbound packet both data payload and headers with a h...

Page 208: ...ation of the original header plus original payload which is unchanged by a NAT device Transport mode ESP with authentication is not compatible with NAT although NAT traversal provides a way to use Transport mode ESP when there is a NAT router between the IPSec endpoints see NAT Traversal on page 213 for details Secure Gateway Address Secure Gateway Address is the WAN IP address or domain name of t...

Page 209: ...c Secure Gateway Address If the remote secure gateway has a dynamic WAN IP address and does not use DDNS enter 0 0 0 0 as the address of the remote secure gateway In this case only the remote secure gateway can initiate SAs This is useful for telecommuters initiating a VPN tunnel to the company network Summary screen Figure 66 helps explain the main fields in the WebGUI Figure 66 IPSec summary fie...

Page 210: ...210 Chapter 13 VPN NN47923 500 Figure 67 Summary IP Policies ...

Page 211: ... are indicated by the starting and ending IP addresses separated by a dash You configure these IP addresses in the VPN Branch Office IP Policy screen This field is empty if you do not configure the VPN branch office rule to use an IP policy Private IP addresses are IP addresses of computers on your Business Secure Router s local network for which you have configured the IP policy to use NAT for th...

Page 212: ... Business Secure Router because the Business Secure Router does not drop the tunnels that are already connected unless there is outbound traffic with no inbound traffic Nailed up The nailed up feature is similar to the keep alive feature When you initiate an IPSec tunnel with nailed up enabled the Business Secure Router automatically renegotiates the tunnel when the IPSec SA lifetime period expire...

Page 213: ...ss Secure Router does not drop the tunnels that are already connected unless there is outbound traffic with no inbound traffic NAT Traversal NAT traversal allows you to set up a VPN connection when there are NAT routers between the Business Secure Router and the remote IPSec router Figure 68 NAT router between IPSec routers Normally you cannot set up a VPN connection with a NAT router between the ...

Page 214: ...1 on page 222 to receive an initiating IPSec packet from IPSec router B set the NAT router to forward UDP port 500 to IPSec router A Preshared key A preshared key identifies a communicating party during a phase 1 IKE negotiation see IKE phases on page 238 for more information It is called preshared because you have to share it with another party before you can communicate with them over a secure c...

Page 215: ...PN client Active Select this check box to turn on this rule Clear this check box if you do not want to use this rule after you apply it If you want to set the Contivity Client rule to active you must set all other VPN rules to inactive To set a Contivity Client rule to active all of the other VPN rules must be disabled Keep Alive Select this check box to turn on the Keep Alive feature for this SA ...

Page 216: ...ve characters of the remote IPSec router You can use alphanumeric characters the underscore dash period and the symbol in a domain name No spaces are allowed User Name Enter the username exactly as the IPSec router administrator gives it to you Password Enter the password exactly as the IPSec router administrator gives it to you Advanced Click Advanced to configure group authentication and on dema...

Page 217: ... ID and Group Password fields when you enable Group Authentication After Group Authentication is not enabled the remote IPSec router uses the User Name and Password to authenticate the Business Secure Router Group ID Enter the group ID exactly as the IPSec router administrator gives it to you This field only applies when you enable Group Authentication Group Password Enter the group password exact...

Page 218: ... addresses The Business Secure Router can distinguish up to 12 incoming SAs because you can select between two encryption algorithms DES and 3DES two authentication algorithms MD5 and SHA1 and three key groups DH1 DH2 and DH5 when you configure a VPN rule see Configuring advanced Branch office setup on page 241 The ID type and content act as an extra level of identification for incoming SAs Apply ...

Page 219: ...rs by which to identify this Business Secure Router The domain name or e mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e mail address Table 51 Peer ID type and content fields Peer ID type Content IP Type the IP address of the computer with which you make the VPN connection or leave the field blank to have the B...

Page 220: ...he following applies if this field is configured as 0 0 0 0 The Business Secure Router uses the current Business Secure Router WAN IP address static or dynamic to set up the VPN tunnel Table 52 Matching ID type and content configuration example Business Secure Router A Business Secure Router B Local ID type E mail Local ID type IP Local ID content tom yourcompany com Local ID content 1 1 1 2 Peer ...

Page 221: ...the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect See Chapter 7 WAN screens on page 107 for details about dial backup and traffic redirect Configuring Branch Office VPN Rule Setup Select one of the VPN rules in the VPN Summary screen and click Edit to configure the rule The VPN Branch Office Rule Setup screen is shown in Figure 71 ...

Page 222: ...222 Chapter 13 VPN NN47923 500 Figure 71 VPN Branch Office rule setup ...

Page 223: ...iates the SA when it restarts NAT Traversal Select this check box to enable NAT traversal With NAT traversal you can set up a VPN connection when there are NAT routers between the two IPSec routers The remote IPSec router must also have NAT traversal enabled You can use NAT traversal with ESP protocol using Transport or Tunnel mode but not with AH protocol In order for a IPSec router behind a NAT ...

Page 224: ...rivate IP Address This field displays the IP address or a range of IP addresses of the computers on your Business Secure Router s local network for which you have configured this VPN rule For a range of addresses the starting and ending IP addresses are displayed separated by a dash This field applies when you configure the IP policy to use a branch tunnel NAT address mapping rule in the IP Policy...

Page 225: ...esses of a range of computers when the policy s Branch Tunnel NAT Address Mapping Rule Type field is configured to Many One to one in the IP Policy screen This field displays the policy s local IP address or range of addresses when you disable branch tunnel NAT address mapping in the IP Policy screen This field displays a single static IP address when the IP policy s Local Address Type field is co...

Page 226: ...olicy and then click Edit to edit that IP policy Delete Select the radio button next to an IP policy that you want to remove and then click Delete Authentication Method Select the Pre Shared Key radio button to use a preshared secret key to identify the Business Secure Router Select the Certificate radio button to identify the Business Secure Router by a certificate Pre Shared Key Type your presha...

Page 227: ...ield type an IP address or leave the field blank to have the Business Secure Router automatically use its own IP address When you select DNS in the Local ID Type field type a domain name up to 31 characters by which to identify this Business Secure Router When you select E mail in the Local ID Type field type an e mail address up to 31 characters by which to identify this Business Secure Router Th...

Page 228: ...lt if this IP address changes The following applies if this field is configured as 0 0 0 0 the default The Business Secure Router uses the current Business Secure Router WAN IP address static or dynamic to set up the VPN tunnel If the WAN connection goes down the Business Secure Router uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffi...

Page 229: ...e and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is more secure than DES It also requires more processing power resulting in increased latency and decreased throughput You can select a 128 bit 192 bit or 256 bit key with this implementation of AES AES is faster than 3DES Select N...

Page 230: ...13 VPN NN47923 500 Configuring an IP Policy Select one of the IP policies in the VPN Branch Office screen and click Add or Edit to configure the policy The Branch Office IP Policy setup screen is shown in Figure 72 ...

Page 231: ...Chapter 13 VPN 231 Nortel Business Secure Router 252 Configuration Basics Figure 72 VPN Branch Office IP Policy ...

Page 232: ...e Business Secure Router starts the IPSec connection idle timeout timer when it sends the ping packet If there is no traffic from the remote IPSec router by the time the timeout period expires the Business Secure Router disconnects the VPN tunnel Control Ping IP Address If you select Enable Control Ping enter the IP address of a computer at the branch office The computer s IP address must be in th...

Page 233: ...at are to use the VPN tunnel Private Ending IP Address When the Type field is configured to One to one this field is N A When the Type field is configured to Many to One or Many One to one enter the ending static IP address of the range of computers on your Business Secure Router s LAN that are to use the VPN tunnel Virtual Starting IP Address Virtual addresses must be static and correspond to the...

Page 234: ...ith the Secure Gateway Address field set to 0 0 0 0 Address Type Use the drop down menu to choose Single Address Range Address or Subnet Address Select Single Address for a single IP address Select Range Address for a specific range of IP addresses Select Subnet Address to specify IP addresses on a network by their subnet mask Starting IP Address When the Address Type field is configured to Single...

Page 235: ...the Protocol field and 21 FTP in the Port field Remote Remote IP addresses must be static and correspond to the remote IPSec router s configured local IP addresses The remote fields do not apply when the Secure Gateway Address field is configured to 0 0 0 0 In this case only the remote IPSec router can initiate the VPN Two active SAs cannot have the local and remote IP addresses both the same You ...

Page 236: ...e Type select Many to One enter the private and virtual IP addresses and click the Port Forwarding Server button to display the screen shown in Figure 73 Ending IP Address Subnet Mask When the Address Type field is configured to Single Address this field is N A When the Address Type field is configured to Range Address enter the end static IP address in a range of computers on the LAN behind your ...

Page 237: ...er In addition to the servers for specified services NAT supports a default server A default server receives packets from ports that are not specified in this screen If you do not assign a default server IP address all packets received for ports not specified in this screen are discarded Number of an individual port forwarding server entry Active Select this check box to activate the port forwardi...

Page 238: ... Port Type a port number in this field To forward only one port type the port number in the Start Port field above and then type it again in this field To forward a series of ports type the last port number in a series that begins with the port number in the Start Port field above Server IP Address Type your server IP address in this field Apply Click this button to save these settings and return ...

Page 239: ...ield you can determine how long an IKE SA will stay up before it times out An IKE SA times out when the IKE SA lifetime period expires If an IKE SA times out when an IPSec SA is already established the IPSec SA stays connected In Phase 2 you must Choose which protocol to use ESP or AH for the IKE key exchange Choose an encryption algorithm Choose an authentication algorithm Choose whether to enabl...

Page 240: ... communicating parties are negotiating authentication phase 1 It uses six messages in three round trips SA negotiation Diffie Hellman exchange and an exchange of nonces a nonce is a random number This mode features identity protection your identity is not revealed in the negotiation Aggressive Mode is quicker than Main Mode because it eliminates several steps when the communicating parties are neg...

Page 241: ...lman exchange for each new IPSec SA setup With PFS enabled if one key is compromised previous and subsequent keys are not compromised because subsequent keys are not derived from previous keys The time consuming Diffie Hellman exchange is the trade off for this extra security This can be unnecessary for data that does not require such security so PFS is disabled None by default in the Business Sec...

Page 242: ...etup Label Description Enable Replay Detection As a VPN setup is processing intensive the system is vulnerable to Denial of Service DoS attacks The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks Enable replay detection by setting this field to YES Phase 1 A phase 1 exchange establishes an IKE SA Security Association ...

Page 243: ...more secure than DES It also requires more processing power resulting in increased latency and decreased throughput This implementation of AES uses a 128 bit key AES is faster than 3DES Authentication Algorithm Select SHA1 or MD5 from the drop down list The Business Secure Router s authentication algorithm must be identical to the remote IPSec router MD5 Message Digest 5 and SHA1 Secure Hash Algor...

Page 244: ...message or to generate and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is more secure than DES It also requires more processing power resulting in increased latency and decreased throughput You can select a 128 bit 192 bit or 256 bit key with this implementation of AES AES is fast...

Page 245: ...er DH2 refers to Diffie Hellman Group 2 a 1 024 bit 1Kb random number more secure yet slower DH5 refers to Diffie Hellman Group 5 a 1 536 bit random number Apply Click Apply to temporarily save the settings and return to the VPN Branch Office Rule Setup screen The advanced settings are saved to the Business Secure Router if you click Apply in the VPN Branch Office Rule Setup screen Cancel Click Ca...

Page 246: ...ddress in a range of computers on the remote network behind the remote IPSec router Encapsulation This field displays Tunnel or Transport mode IPSec Algorithm This field displays the security protocols used for an SA Both AH and ESP increase Business Secure Router processing requirements and communications latency delay Refresh Click Refresh to display the current active VPN connections This butto...

Page 247: ...Input Output System are TCP or UDP packets that enable a computer to connect to and communicate with a LAN It is sometimes necessary to allow NetBIOS packets to pass through VPN tunnels in order to allow local computers to find computers on the remote network and vice versa Allow Through IPSec Tunnel Select this check box to send NetBIOS packets through the VPN connection Exclusive Use Mode for Cl...

Page 248: ...client to establish a VPN connection to a backup IPSec router when the default remote IPSec router specified in the Destination field is not accessible The VPN fail over feature must also be set up in the remote IPSec router First Gateway Second Gateway Third Gateway These read only fields display the IP addresses of the backup IPSec routers The Business Secure Router automatically gets this infor...

Page 249: ...Chapter 13 VPN 249 Nortel Business Secure Router 252 Configuration Basics Figure 78 VPN Client Termination ...

Page 250: ...iations RADIUS Server Select this option to have the Business Secure Router use an external RADIUS server to identify the Contivity VPN clients during phase 1 IKE negotiations Click Configure RADIUS Server to specify the associated external RADIUS server Group ID The Contivity VPN clients send the group ID and group password to the Business Secure Router for or initial authentication After a succe...

Page 251: ...t You can select a 128 bit key implementation of AES AES is faster than 3DES SHA1 Secure Hash Algorithm and MD5 Message Digest 5 are hash algorithms used to authenticate packet data SHA1 algorithm is generally considered stronger than MD5 but is slower IKE Encryption and Diffie Hellman Group Select the combinations of encryption algorithm and Diffie Hellman key group that the Business Secure Route...

Page 252: ...Enable Perfect Forward Secrecy Perfect Forward Secrecy PFS is disabled by default in phase 2 IPSec SA setup This allows faster IPSec setup but is not so secure Turn on PFS to use the Diffie Hellman exchange to create a new key for each IPSec SA setup Rekey Timeout Set the allowed lifetime for an individual key used for data encryption before negotiating a new key A setting of 00 00 00 disables the...

Page 253: ...This field displays the label that you configure for the IP address pool Active This field displays whether or not the IP address pool is turned on Starting Address This field displays the first IP address in the IP address pool Subnet mask This field displays the subnet mask that you specified to define the IP address pool Pool size This field displays how many IP addresses you set the Business S...

Page 254: ... you can configure the entry Use this screen to configure a range of IP addresses to assign to the Contivity VPN clients Figure 80 VPN Client Termination IP pool edit Table 62 describes the fields in Figure 80 Table 62 VPN Client Termination IP pool edit Label Description Active Turn on the IP pool if you want the Business Secure Router to use it in assigning IP addresses to the Contivity VPN clie...

Page 255: ...en Use this screen to configure detailed settings for use with all of the Contivity VPN Client tunnels Pool Size Specify how many IP addresses the Business Secure Router is to give out from the pool created by the starting address and subnet mask 256 is the maximum Apply Click Apply to save your changes to the Business Secure Router Cancel Click Cancel to return to the IP Pool Summary screen witho...

Page 256: ...256 Chapter 13 VPN NN47923 500 Figure 81 VPN Client Termination advanced ...

Page 257: ...is UDP port to the VPN Contivity client behind the NAT router Fail Over The fail over feature allows a Contivity VPN client to establish a VPN connection to a backup IPSec router when the Business Secure Router is not accessible The VPN fail over feature must also be set up in the Contivity VPN clients First Gateway Second Gateway Third Gateway Enter the IP addresses of the backup IPSec routers Wh...

Page 258: ...ies what the Business Secure Router does when it detects a noncompliant version of Contivity VPN client software Select None to allow the VPN tunnel without displaying any messages to tell the user where to download the required version of the Contivity VPN client software Select Send Message to allow the VPN tunnel but display a message to tell the user where to download the required version of t...

Page 259: ...s to have both numbers and letters Maximum Password Age Enter the maximum number of days that a Contivity VPN client can use a password before it has to be changed 0 means that a password never expires Minimum Password Length Enter the minimum number of characters that can be used for a Contivity VPN client password Apply Click Apply to save your changes to the Business Secure Router Reset Click R...

Page 260: ...260 Chapter 13 VPN NN47923 500 ...

Page 261: ...tion authorities You can use the Business Secure Router to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority In public key encryption and decryption each host has two keys One key is public and can be made openly available the other key is private and must be kept secure Public key encryption i...

Page 262: ...es maintain directory servers with databases of valid and revoked certificates A directory of certificates that have been revoked before the scheduled expiration is called a CRL Certificate Revocation List The Business Secure Router can check a peer s certificate against a list of revoked certificates on a directory server The framework of servers software procedures and policies that handles keys...

Page 263: ...gned certificates Use the Trusted CA screens to save CA certificates to the Business Secure Router Use the Trusted Remote Hosts screens to import self signed certificates Use the Directory Servers screen to configure a list of addresses of directory servers that contain lists of valid and revoked certificates My Certificates Click CERTIFICATES My Certificates to open summary list of certificates a...

Page 264: ...264 Chapter 14 Certificates NN47923 500 Figure 83 My Certificates ...

Page 265: ...nd a certification request to a certification authority which then issues a certificate Use the My Certificate Import screen to import the certificate and replace the request SELF represents a self signed certificate SELF represents the default self signed certificate which the Business Secure Router uses to sign imported trusted remote host certificates CERT represents a certificate issued by a c...

Page 266: ...o other features such as HTTPS VPN or SSH are configured to use the SELF certificate 2 Click the details icon next to another self signed certificate see the description on the Create button if you need to create a self signed certificate 3 Select the Default self signed certificate which signs the imported remote host certificates check box 4 Click Apply to save the changes and return to the My C...

Page 267: ... convert a binary PKCS 7 certificate into a printable form Importing a certificate Click CERTIFICATES My Certificates and then Import to open the My Certificate Import screen Follow the instructions on the screen shown in Figure 84 to save an existing certificate to the Business Secure Router Note 1 You can only import a certificate that matches a corresponding certification request generated by t...

Page 268: ...e Import Label Description File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the certificate file you want to upload Apply Click Apply to save the certificate to the Business Secure Router Cancel Click Cancel to quit and return to the My Certificates screen ...

Page 269: ...cate Click CERTIFICATES My Certificates and then Create to open the My Certificate Create screen Use this screen to have the Business Secure Router create a self signed certificate enroll a certificate with a certification authority or generate a certification request For more information see Figure 85 ...

Page 270: ...270 Chapter 14 Certificates NN47923 500 Figure 85 My Certificate create ...

Page 271: ...and can be any string Organizational Unit Type up to 127 characters to identify the organizational unit or department to which the certificate owner belongs You can use any character including spaces but the Business Secure Router drops trailing spaces Organization Type up to 127 characters to identify the company or group to which the certificate owner belongs You can use any character including ...

Page 272: ...requires it Enrollment Protocol Select the certification authority enrollment protocol from the drop down list Simple Certificate Enrollment Protocol SCEP is a TCP based enrollment protocol that was developed by VeriSign and Cisco Certificate Management Protocol CMP is a TCP based enrollment protocol that was developed by the Public Key Infrastructure X 509 working group of the Internet Engineerin...

Page 273: ...eturn and check your information in the My Certificate Create screen Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the Business Secure Router to enroll a certificate online My Certificate details Click CERTIFICATES and then My Certificates to open the My Certificates screen see Figure 83 Click the details icon to...

Page 274: ...274 Chapter 14 Certificates NN47923 500 Figure 86 My Certificate details ...

Page 275: ...tificate itself If the issuing certification authority is one that you have imported as a trusted certification authority it can be the only certification authority in the list along with the certificate itself If the certificate is a self signed certificate the certificate itself is the only one in the list The Business Secure Router does not trust the certificate and displays Not trusted in this...

Page 276: ...as already expired Key Algorithm This field displays the type of algorithm that was used to generate the key pair the Business Secure Router uses RSA encryption of the certificate and the length of the key set in bits 1 024 bits for example Subject Alternative Name This field displays the certificate owner s IP address IP domain name DNS or e mail address EMAIL Key Usage This field displays for wh...

Page 277: ...copy and paste a certification request into a certification authority Web page an e mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment You can copy and paste a certificate into an e mail to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management ...

Page 278: ...hen the bar is red consider deleting expired or unnecessary certificates before adding more certificates This field displays the certificate index number The certificates are listed in alphabetical order Name This field displays the name used to identify this certificate Subject This field displays identifying information about the owner of the such as CN Common Name OU Organizational Unit or depa...

Page 279: ...cation authority issues Certificate Revocation Lists for the certificates that it has issued and you have selected the Issues certificate revocation lists CRL check box in the certificate details screen to have the Business Secure Router check the CRL before trusting any certificates issued by the certification authority Otherwise the field displays No Modify Click the details icon to open a scree...

Page 280: ... a trusted certification authority certificate to the Business Secure Router Figure 88 Trusted CA import Table 69 describes the labels in Figure 88 Note You must remove any spaces from the certificate filename before you can import the certificate Table 69 Trusted CA import Label Description File Path Type in the location of the file you want to upload in this field or click Browse to find it Brow...

Page 281: ...o view in depth information about the certification authority certificate change the certificate name and set whether or not you want the Business Secure Router to check a certification authority list of revoked certificates before trusting a certificate issued by the certification authority Apply Click Apply to save the certificate on the Business Secure Router Cancel Click Cancel to quit and ret...

Page 282: ...282 Chapter 14 Certificates NN47923 500 Figure 89 Trusted CA details ...

Page 283: ...y certification authority in the list along with the certificate of the end entity The Business Secure Router does not trust the end entity certificate and displays Not trusted in this field if any certificate on the path has expired or been revoked Refresh Click Refresh to display the certification path Certificate Information These read only fields display detailed information about the certific...

Page 284: ...e Key Usage This field displays for what functions the certificate key can be used For example DigitalSignature means that the key can be used to sign certificates and KeyEncipherment means that the key can be used to encrypt text Basic Constraint This field displays general information about the certificate For example Subject Type CA means that this is a certification authority certificate and P...

Page 285: ...ertificate or certification request in Privacy Enhanced Mail PEM format PEM uses 64 ASCII characters to convert the binary certificate into a printable form You can copy and paste the certificate into an e mail to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution through floppy disk for examp...

Page 286: ...fault Self signed Certificate This field displays identifying information about the default self signed certificate on the Business Secure Router that the Business Secure Router uses to sign the trusted remote host certificates This field displays the certificate index number The certificates are listed in alphabetical order Name This field displays the name used to identify this certificate Subje...

Page 287: ...splays the date that the certificate becomes applicable The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable Valid To This field displays the date that the certificate expires The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired Modify Click the details icon to ope...

Page 288: ...st certificates 3 Double click the certificate icon to open the Certificate window Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields Figure 92 Certificate details Verify over the phone for example that the remote host has the same information in the Thumbprint Algorithm and Thumbprint fields ...

Page 289: ... Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen Follow the instructions in this screen to save a trusted host certificate to the Business Secure Router see Figure 93 Figure 93 Trusted remote host import Note The trusted remote host certificate must be a self signed certificate and you must remove any spaces from its file name before you can import it ...

Page 290: ... this screen to view in depth information about the trusted remote host certificate and change the certificate name Table 72 Trusted remote host import Label Description File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the certificate file you want to upload Apply Click Apply to save the certificate on the Business S...

Page 291: ...Chapter 14 Certificates 291 Nortel Business Secure Router 252 Configuration Basics Figure 94 Trusted remote host details ...

Page 292: ...t the certificate Type This field displays general information about the certificate With trusted remote host certificates this field always displays CA signed The Business Secure Router is the Certification Authority that signed the certificate X 509 means that this certificate was created and signed according to the ITU T X 509 recommendation that defines the formats for public key certificates ...

Page 293: ... value to verify that this is the remote host s actual certificate because the Business Secure Router has signed the certificate thus causing this value to be different from that of the remote host s actual certificate See Verifying a certificate of a trusted remote host on page 287 for how to verify a remote host s certificate SHA1 Fingerprint This is the message digest of the certificate that th...

Page 294: ...fication authority s list of revoked certificates the Business Secure Router first checks the servers listed in the CRL Distribution Points field of the incoming certificate If the certificate does not list a server or the listed server is not available the Business Secure Router checks the servers listed here Figure 95 Directory servers Apply Click Apply to save your changes to the Business Secur...

Page 295: ...rtificates The index number of the directory server The servers are listed in alphabetical order Name This field displays the name used to identify this directory server Address This field displays the IP address or domain name of the directory server Port This field displays the port number that the directory server uses Protocol This field displays the protocol that the directory server uses Mod...

Page 296: ...s spaces are not permitted to identify this directory server Access Protocol Use the drop down list to select the access protocol used by the directory server LDAP Lightweight Directory Access Protocol is a protocol over TCP that specifies how clients access directories certificates and lists of revoked certificates 1 Server Address Type the IP address in dotted decimal notation or the domain name...

Page 297: ...r must authenticate itself in order to assess the directory server Type the logon name up to 31 ASCII characters from the entity maintaining the directory server usually a certification authority Password Type the password up to 31 ASCII characters from the entity maintaining the directory server usually a certification authority Apply Click Apply to save your changes to the Business Secure Router...

Page 298: ...298 Chapter 14 Certificates NN47923 500 ...

Page 299: ... use of real time applications such as Voice over IP VoIP increasing the requirement for bandwidth allocation is also increasing Bandwidth management addresses questions such as Who gets how much access to specific applications Which traffic must have guaranteed delivery How much bandwidth is allotted to guarantee delivery With bandwidth management you can configure the allowed output for an inter...

Page 300: ...bclass View your configured bandwidth subclasses for a given interface in the Class Setup tab see Configuring class setup on page 303 for details The total of the configured bandwidth budgets cannot exceed the configured bandwidth budget for the interface as specified in Configuring summary on page 302 Proportional bandwidth allocation With bandwidth management you can define how much bandwidth ea...

Page 301: ...an application Table 76 shows bandwidth allocations for application specific traffic from separate LAN subnets Reserving bandwidth for nonbandwidth class traffic If you want to allow bandwidth for traffic that is not defined in a bandwidth filter leave some of the bandwidth on the interface unbudgeted Table 76 Application and Subnet based Bandwidth Management Example Traffic Type From Subnet A Fro...

Page 302: ...mmary Label Description WAN LAN These read only labels represent the physical interfaces Select the check box next to an interface to enable bandwidth management on that interface Bandwidth management applies to all traffic flowing out of the router through the interface regardless of the traffic source Traffic redirect or IP alias can cause LAN to LAN traffic to pass through the Business Secure R...

Page 303: ...or the root class To add or delete child classes on an interface click BW MGMT then the Class Setup tab The screen appears as shown in Figure 99 Speed kbps Enter the amount of bandwidth for this interface that you want to allocate using bandwidth management This appears as the bandwidth budget of the interface root class see Configuring class setup on page 303 Nortel recommends that you set this s...

Page 304: ...ses Bandwidth Management This field displays whether bandwidth management on the interface you selected in the field above is enabled Active or not Inactive Add Sub Class Click Add Sub Class to add a subclass Edit Click Edit to go to a screen where you can configure the selected subclass You cannot edit the root class Delete Click Delete to remove the selected subclass You cannot delete the root c...

Page 305: ... 0 0 0 0 0 means all Destination Port This field displays the port number of the destination 0 means all ports Source IP Address This field displays the source IP address in dotted decimal notation followed by the subnet mask The IP 0 0 0 0 0 means all Source Port This field displays the port number of the source The 0 means all ports Protocol ID This field displays the protocol ID service type nu...

Page 306: ...se the autogenerated name or enter a descriptive name of up to 20 alphanumeric characters including spaces Bandwidth Budget kbps Specify the maximum bandwidth allowed for the class in kb s The recommendation is a setting between 20 kbps and 20 000 kbps for an individual class The bandwidth you specify cannot cause the total allocated bandwidths of this and all other subclasses to exceed the bandwi...

Page 307: ...ic If you select H 323 make sure you also turn on the H 323 ALG For more information about ALG see ALG on page 94 SIP Session Initiation Protocol is a signaling protocol used in Internet telephony instant messaging events notification and conferencing The Business Secure Router supports SIP traffic pass through Select SIP from the drop down list to configure this bandwidth filter for SIP traffic T...

Page 308: ... See Table 80 for some common services and port numbers Protocol ID Enter the protocol ID service type number for example 1 for ICMP 6 for TCP or 17 for UDP Apply Click Apply to save your changes to the Business Secure Router Cancel Click Cancel to exit this screen without saving Table 80 Services and port numbers Services Port Number ECHO 7 FTP File Transfer Protocol 21 SMTP Simple Mail Transfer ...

Page 309: ...transmitted Dropped Packets This field displays the total number of packets dropped Dropped Bytes This field displays the total number of bytes dropped Bandwidth Statistics for the Past 8 Seconds t 8 to t 1 This field displays the bandwidth statistics in b s for the past one to eight seconds For example t 1 means one second ago Update Period Seconds Enter the time interval in seconds to define how...

Page 310: ...abels in Figure 102 Table 82 Bandwidth manager monitor Label Description Interface Select an interface from the drop down list to view the bandwidth usage of its bandwidth classes Class This field displays the name of the class Budget kbps This field displays the amount of bandwidth allocated to the class Current Usage kbps This field displays the amount of bandwidth that each class is using Refre...

Page 311: ...IUS RADIUS is based on a client sever model that supports authentication and accounting where users are the clients and the server is the RADIUS server The RADIUS server handles the following tasks among others Authentication Determines the identity of the users Accounting Keeps track of the client s network activity RADIUS is a simple package exchange in which your Business Secure Router acts as ...

Page 312: ...ting Response Sent by the RADIUS server to indicate that it has started or stopped accounting In order to ensure network security the Business Secure Router and the RADIUS server use a shared secret key which is a password they both know The key is not sent over the network In addition to the shared key password information exchanged is also encrypted to protect the network from unauthorized acces...

Page 313: ...cription of how IEEE 802 1x EAP authentication works 1 The user sends a start message to the Business Secure Router 2 The Business Secure Router sends a request identity message to the user for identity information 3 The user replies with identity information including username and password 4 The RADIUS server checks the user information against its user profile database and determines whether or ...

Page 314: ...ion Required to allow all users to access your network without authentication Select No Access to deny all users access to your wired network Reauthentication Period Specifies the time interval between the RADIUS server authentication checks of users connected to the network This field is active only when you select Authentication Required in the Authentication Type field Idle Timeout Seconds The ...

Page 315: ...ver for a user s username and password Select Local first then RADIUS to have the Business Secure Router first check the user database on the Business Secure Router for a user s username and password If the username is not found the Business Secure Router then checks the user database on the specified RADIUS server Select RADIUS first then Local to have the Business Secure Router first check the u...

Page 316: ...316 Chapter 16 IEEE 802 1x NN47923 500 ...

Page 317: ...limited number of users Introduction to Local User database By storing user profiles locally on the Business Secure Router your Business Secure Router is able to authenticate users without interacting with a network RADIUS server However there is a limit on the number of users you can authenticate in this way Local User database To see the local user list click AUTH SERVER The Local User Database ...

Page 318: ...ption User ID This field displays the logon name for the user account Active This field displays Yes if the user account is enabled or No if it is disabled User type This field displays whether the user account can be used for a IEEE 802 1X or IPSec logon or both Last Name This field displays the user s last name First Name This field displays the user s first name ...

Page 319: ...ounts A dash appears for all other accounts Valid displays if an IPSec user can use the account to logon Expired displays if an IPSec user can no longer use the account to logon This happens when you have enabled Password Management in the VPN Client Termination Advanced screen and the account password has exceeded the time that you configured as the Maximum Password Age Edit Select a user account...

Page 320: ...320 Chapter 17 Authentication server NN47923 500 Figure 106 Local User database edit ...

Page 321: ... or 802 1X IPSec in the User Type field First Name Enter the user s first name Last Name Enter the user s last name Static IP Address Enter the IP address of the remote user in dotted decimal notation Static Subnet Mask Enter the subnet mask of the remote user Split Tunneling Enable or disable split tunneling or inverse split tunneling Select Disable to force all traffic to be encrypted and go thr...

Page 322: ...This field applies when you select Enabled in the Split Tunneling field Select the network for which you force traffic to be encrypted and go through the VPN tunnel Inverse Split Tunnel Network This field applies when you select Enabled Inverse or Enabled Inverse locally connected in the Split Tunneling field Select the network for which you do not force traffic to be encrypted and go through the ...

Page 323: ...o use with split or inverse split VPN tunnels Table 86 Current split networks Label Description Return to Local User Database User Edit Page Click this link to return to the screen where you configure a local user database entry Current Split Networks This is the list of names of split or inverse split networks Add Click Add to open another screen where you can specify split or inverse split netwo...

Page 324: ...escribes the labels in Figure 108 Table 87 Current split networks edit Label Description Network Name Enter a name to identify the split network IP Address Enter the IP address for the split network in dotted decimal notation Netmask Enter the netmask for the split network in dotted decimal notation ...

Page 325: ...gure 109 Current Subnets for Network This box displays the subnets that belong to this split network Add Click Add to save your split network configuration Delete Select a network subset and click Delete to remove it Clear Click Clear to remove all of the configuration field and subnet settings Apply Click Apply to save your changes to the Business Secure Router Cancel Click Cancel to exit this sc...

Page 326: ...ption Authentication Server Active Select the check box to enable user authentication through an external authentication server Clear the check box to enable user authentication using the local user profile on the Business Secure Router Server IP Address Enter the IP address of the external authentication server in dotted decimal notation ...

Page 327: ...e check box to enable user accounting through an external authentication server Server IP Address Enter the IP address of the external accounting server in dotted decimal notation Port Number The default port of the RADIUS server for accounting is 1813 You need not change this value unless your network administrator instructs you to do so with additional information Key Enter a password up to 31 a...

Page 328: ...328 Chapter 17 Authentication server NN47923 500 ...

Page 329: ...can manage your Business Secure Router from a remote location through Internet WAN only LAN only ALL LAN and WAN Neither Disable To disable remote management of a service select Disable in the corresponding Server Access field Remote management limitations Remote management over LAN or WAN does not work if Note When you configure remote management to allow management from the WAN you still need to...

Page 330: ...n is running with a Telnet session A web session is disconnected if you begin a Telnet session nor does it begin if a Telnet session is already running 7 A firewall rule blocks access to device Remote management and NAT When NAT is enabled Use the Business Secure Router WAN IP address when configuring from the WAN Use the Business Secure Router LAN IP address when configuring from the LAN System t...

Page 331: ...ess the Business Secure Router using the WebGUI The SSL protocol specifies that the SSL server the Business Secure Router must always authenticate itself to the SSL client the computer that requests the HTTPS connection with the Business Secure Router whereas the SSL client only authenticates itself when the SSL server requires it to do so select Authenticate Client Certificates in the REMOTE MGMT...

Page 332: ...TTPS implementation Configuring WWW To change your Business Secure Router Web settings click REMOTE MGMT to open the WWW screen Note If you disable HTTP Server Access Disable in the REMOTE MGMT WWW screen the Business Secure Router blocks all HTTP connection attempts ...

Page 333: ...r and must always authenticate itself to the SSL client the computer that requests the HTTPS connection with the Business Secure Router Authenticate Client Certificates Select Authenticate Client Certificates optional to require the SSL client to authenticate itself to the Business Secure Router by sending the Business Secure Router a certificate To do that the SSL client must have a CA signed cer...

Page 334: ...nt is a trusted computer that is allowed to communicate with the Business Secure Router using this service Select All to allow any computer to access the Business Secure Router using this service Choose Selected to just allow the computer with the IP address that you specify to access the Business Secure Router using this service HTTP Server Port You can change the server port number for a service...

Page 335: ...12 appears in Internet Explorer Select Yes to proceed to the WebGUI logon screen if you select No then WebGUI access is blocked Figure 112 Security Alert dialog box Internet Explorer Netscape Navigator warning messages When you attempt to access the Business Secure Router HTTPS server a Website Certified by an Unknown Authority screen shown in Figure 113 appears asking if you trust the server cert...

Page 336: ...er 18 Remote management screens NN47923 500 Select Accept this certificate permanently to import the Business Secure Router certificate into the SSL client Figure 113 Figure 18 4 Security Certificate 1 Netscape ...

Page 337: ...ctory default certificate is the Business Secure Router itself since the certificate is a self signed certificate For the browser to trust a self signed certificate import the self signed certificate into your operating system as a trusted certificate To have the browser trust the certificates issued by a certificate authority import the certificate authority s certificate into your operating syst...

Page 338: ... use this procedure if you need to access the WAN port and it uses a dynamically assigned IP address a Create a new certificate for the Business Secure Router that uses the IP address of the Business Secure Router port that you are trying to access as the common name of the certificate For example to use HTTPS to access a LAN port with IP address 192 168 1 1 create a certificate that uses 192 168 ...

Page 339: ...Chapter 18 Remote management screens 339 Nortel Business Secure Router 252 Configuration Basics Figure 115 Logon screen Internet Explorer ...

Page 340: ...nagement screens NN47923 500 Figure 116 Login screen Netscape Click Login to proceed The screen shown in Figure 117 appears The factory default certificate is a common default certificate for all Business Secure Router models ...

Page 341: ...sics Figure 117 Replace certificate Click Apply in the Replace Certificate screen to create a certificate using your Business Secure Router MAC address that is specific to this device Click CERTIFICATES to open the My Certificates screen You see information similar to that shown in Figure 118 ...

Page 342: ...ote management screens NN47923 500 Figure 118 Device specific certificate Click Ignore in the Replace Certificate screen to use the common Business Secure Router certificate The My Certificates screen appears Figure 119 ...

Page 343: ...e 119 Common Business Secure Router certificate SSH overview Unlike Telnet or FTP which transmit data in clear text SSH Secure Shell is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network ...

Page 344: ...a secure connection is established between two remote hosts Figure 121 How SSH Works 1 Host Identification The SSH client sends a connection request to the SSH server The server identifies itself with a host key The client encrypts a randomly generated session key with the host key and server key and sends the result to the server ...

Page 345: ...r The client then sends its authentication information username and password to the server to log on to the server SSH implementation on the Business Secure Router Your Business Secure Router supports SSH version 1 5 using RSA authentication and three encryption methods DES 3DES and Blowfish The SSH server is implemented on the Business Secure Router for remote SMT management and file transfer on ...

Page 346: ...owever you must use the same port number in order to use that service for remote management Server Access Select the interfaces If any through which a computer can access the Business Secure Router using this service Secure Client IP Address A secure client is a trusted computer that is allowed to communicate with the Business Secure Router using this service Select All to allow any computer to ac...

Page 347: ...e Example 1 Microsoft Windows This section describes how to access the Business Secure Router using the Secure Shell Client program 1 Launch the SSH client and specify the connection information IP address port number or device name for the Business Secure Router 2 Configure the SSH client to accept connection using SSH version 1 3 A window appears prompting you to store the host key in you comput...

Page 348: ...ult IP address of 192 168 1 1 A message displays indicating the SSH protocol version supported by the Business Secure Router Figure 124 SSH Example 2 Test 2 Enter ssh 1 192 168 1 1 This command forces your computer to connect to the Business Secure Router using SSH version 1 If this is the first time you are connecting to the Business Secure Router using SSH a message appears prompting you to save...

Page 349: ...ecure Router for secure file transfer using SSH version 1 If this is the first time you are connecting to the Business Secure Router using SSH a message displays prompting you to save the host information of the Business Secure Router Type yes and press ENTER 2 Enter the password to log on to the Business Secure Router 3 Use the put command to upload a new firmware to the Business Secure Router ss...

Page 350: ...ing to 192 168 1 1 The authenticity of host 192 168 1 1 192 168 1 1 can t be established RSA1 key fingerprint is 21 6c 07 25 7e f4 75 80 ec af bd d4 3d 80 53 d1 Are you sure you want to continue connecting yes no yes Warning Permanently added 192 168 1 1 RSA1 to the list of known hosts Administrator 192 168 1 1 s password sftp put firmware bin ras Uploading firmware bin to ras Read from remote hos...

Page 351: ...t Server Access Select the interfaces If any through which a computer can access the Business Secure Router using this service Secured Client IP Address A secured client is a trusted computer that is allowed to communicate with the Business Secure Router using this service Select All to allow any computer to access the Business Secure Router using this service Choose Selected to just allow the com...

Page 352: ...ings click REMOTE MANAGEMENT and then the FTP tab The screen appears as shown in Figure 129 Figure 129 FTP Table 92 describes the fields in Figure 129 Table 92 FTP Label Description Server Port You can change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Server Access Select the interfaces If any through ...

Page 353: ...rates an SNMP management operation SNMP is only available if TCP IP is configured The default get and set communities are public Secured Client IP Address A secured client is a trusted computer that is allowed to communicate with the Business Secure Router using this service Select All to allow any computer to access the Business Secure Router using this service Choose Selected to just allow the c...

Page 354: ...etwork management functions It executes applications that control and monitor managed devices The managed devices contain object variables and managed objects that define each piece of information to be collected about a device Examples of variables include number of packets received and node port status A Management Information Base MIB is a collection of managed objects SNMP allows a manager and...

Page 355: ... data and monitor status and performance SNMP Traps The Business Secure Router sends traps to the SNMP manager when any one of the following events occurs Table 93 SNMP traps Trap Trap Name Description 0 coldStart defined in RFC 1215 A trap is sent after booting power on 1 warmStart defined in RFC 1215 A trap is sent after booting software reboot 4 authenticationFailure defined in RFC 1215 A trap ...

Page 356: ... 131 Figure 131 SNMP Table 94 describes the fields in Figure 131 Table 94 SNMP Label Description SNMP Configuration Get Community Enter the Get Community which is the password for the incoming Get and GetNext requests from the management station The default is PlsChgMe RO Set Community Enter the Set community which is the password for incoming Set requests from the management station The default i...

Page 357: ...r The default is public and allows all requests Destination Type the IP address of the station to send your SNMP traps to SNMP Service Port You change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Service Access Select the interfaces If any through which a computer can access the Business Secure Router us...

Page 358: ...ver Access Select the interfaces if any through which a computer can send DNS queries to the Business Secure Router Secured Client IP Address A secured client is a trusted computer that is allowed to send DNS queries to the Business Secure Router Select All to allow any computer to send DNS queries to the Business Secure Router Choose Selected to just allow the computer with the IP address that yo...

Page 359: ...s in Figure 133 Note In order to allow Ping on the WAN you must also configure a WAN to WAN Business Secure Router rule that allows PING ICMP 0 traffic Table 96 Security Label Description ICMP Internet Control Message Protocol is a message control and error reporting protocol between a host server and a gateway to the Internet ICMP uses Internet Protocol IP datagrams but the messages are processed...

Page 360: ...rt requests for unused ports thus leaving the unused ports and the Business Secure Router unseen If the firewall blocks a packet from the WAN the Business Secure Router sends a TCP reset packet Use the sys firewall tcprst rst off command in the command interpreter if you want to stop the Business Secure Router from sending TCP reset packets Apply Click Apply to save your customized settings and ex...

Page 361: ... in use How do I know if I am using UPnP UPnP hardware is identified as an icon in the Network Connections folder Windows XP Each UPnP compatible device installed on your network appears as a separate icon By selecting the icon of a UPnP device you can access the information and properties of that device NAT Traversal UPnP NAT traversal automates the process of allowing an application to operate t...

Page 362: ... enabled devices can communicate freely with each other without additional configuration If this is not your intention disable UPnP UPnP implementation The device has UPnP certification from the Universal Plug and Play Forum Creates UPnP Implementers Corp UIC This UPnP implementation supports IGD 1 0 Internet Gateway Device At the time of writing the UPnP implementation supports Windows Messenger ...

Page 363: ...ugh UPnP Select this check box to allow UPnP enabled applications to automatically configure the Business Secure Router so that they can communicate through the Business Secure Router For example by using NAT traversal UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled device eliminating the need to manually configure port forwarding for...

Page 364: ...fers the Business Secure Router can keep a record when your computer uses UPnP to create a NAT forwarding rule for that service The following read only table displays information about the UPnP created NAT mapping rule entries in the NAT routing table This is the index number of the UPnP created NAT mapping rule entry Remote Host This field displays the source IP address on the WAN of inbound IP p...

Page 365: ...e unmapped to the Internal Client Protocol This field displays the protocol of the NAT mapping rule TCP or UDP Internal Port This field displays the port number on the Internal Client to which the Business Secure Router forwards incoming connection requests Internal Client This field displays the DNS host name or IP address of a client on the LAN Multiple NAT clients can use a single port simultan...

Page 366: ...ow select the Universal Plug and Play check box in the Components selection box 4 Click OK to return to the Add Remove Programs Properties window and click Next 5 Restart the computer when prompted Figure 137 Communications Installing UPnP in Windows XP Follow the steps below to install UPnP in Windows XP ...

Page 367: ...s 3 In the Network Connections window click Advanced in the main menu and select Optional Networking Components The Windows Optional Networking Components Wizard window appears Figure 138 Network connections 4 Select Networking Service in the Components selection box and click Details Figure 139 Windows optional networking components wizard ...

Page 368: ... Using UPnP in Windows XP example This section shows you how to use the UPnP feature in Windows XP You must already have UPnP installed in Windows XP and UPnP activated on the device Make sure the computer is connected to a LAN port of the device Turn on your computer and the Business Secure Router Autodiscover Your UPnP enabled Network Device 1 Click Start and Control Panel Double click Network C...

Page 369: ...nfiguration Basics 2 Right click the icon and select Properties Figure 141 Internet gateway icon 3 In the Internet Connection Properties window click Settings to see the port mappings that were automatically created Figure 142 Internet connection properties ...

Page 370: ...the port mappings or click Add to manually add port mappings Figure 143 Internet connection properties advanced setup Figure 144 Service settings Note When the UPnP enabled device is disconnected from your computer all port mappings are deleted automatically ...

Page 371: ...nection icon 6 Double click the icon to display your current Internet connection status Figure 146 Internet connection status WebGUI easy access With UPnP you can access the WebGUI without first finding out its IP address This is helpful if you do not know the IP address of your Business Secure Router Follow the steps below to access the WebGUI 1 Click Start and then Control Panel 2 Double click N...

Page 372: ...laces Figure 147 Network connections 4 An icon with the description for each UPnP enabled device displays under Local Network 5 Right click the icon for your Business Secure Router and select Invoke The WebGUI logon screen displays Figure 148 My Network Places Local network ...

Page 373: ...on Click LOGS to open the View Log screen Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen see Configuring Log settings on page 375 Options include logs about system maintenance system errors access control allowed or blocked Web sites blocked Web features such as ActiveX controls Java and cookies attacks such as DoS and IPSec Log entries in r...

Page 374: ...og was recorded Refer to Configuring Time and Date on page 90 for information about configuring the time and date Message This field states the reason for the log Source This field lists the source IP address and the port number of the incoming packet Destination This field lists the destination IP address and the port number of the incoming packet Note This field displays additional information a...

Page 375: ...re serious attention including system errors attacks access control and attempted access to blocked Web sites or Web sites with restricted Web features such as cookies or Active X Some categories such as System Errors consist of both logs and alerts You can differentiate between logs and alerts by their color in the View Log screen Alerts display in red and logs display in black Refresh Click Refr...

Page 376: ...376 Chapter 20 Logs Screens NN47923 500 Figure 150 Log settings ...

Page 377: ...nt through e mail Syslog Logging Syslog logging sends a log to an external syslog server used to store logs Active Click Active to enable syslog logging Syslog Server IP Address Enter the server name or IP address of the syslog server that logs the selected categories of logs Log Facility Select a location from the drop down list In the log facility you can log the messages to different files in t...

Page 378: ...Log Enter the time of the day in 24 hour format for example 23 00 equals 11 00 p m to send the logs Log Select the categories of the logs that you want to record Logs include alerts Send Immediate Alert Select the categories of alerts for which you want the Business Secure Router to instantly e mail alerts to the e mail address specified in the Send Alerts To field Log Consolidation Active Some lo...

Page 379: ... HTTP GET packets Many Web sites include HTTP GET references to other Web sites and the Business Secure Router can count these as hits thus the Web hit count is not yet 100 accurate Figure 151 Reports Note The Web site hit count not be 100 accurate because sometimes when an individual Web page loads it can contain references to other Web sites that also get counted as hits Note Enabling the report...

Page 380: ...een Apply Click Apply to save your changes to the Business Secure Router Reset Click Reset to begin configuring this screen afresh Report Type Use the drop down list to select the type of reports to display Web Site Hits displays the Web sites that have been visited the most often from the LAN and how many times they have been visited Protocol Port displays the protocols or service ports that have...

Page 381: ...he domain names of the Web sites visited most often from computers on the LAN The names are ranked by the number of visits to each Web site and listed in descending order with the most visited Web site listed first The Business Secure Router counts each page viewed in a Web site as another hit on the Web site Hits This column lists how many times each Web site has been visited The count starts ove...

Page 382: ...een select Protocol Port from the Report Type drop down list to have the Business Secure Router record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports Figure 153 Protocol Port report example ...

Page 383: ...tocol or service port listed first Direction This column lists the direction of travel of the traffic belonging to each protocol or service port listed Incoming refers to traffic that is coming into the Business Secure Router LAN from the WAN Outgoing refers to traffic that is going out from the Business Secure Router LAN to the WAN Amount This column lists how much traffic has been sent and recei...

Page 384: ... IP addresses are listed in descending order with the LAN IP address to and from which the most traffic was sent listed first Amount This column displays how much traffic has gone to and from the listed LAN IP addresses The measurement unit shown bytes Kilobytes Megabytes or Gigabytes varies with the amount of traffic sent to and from the LAN IP address The count starts over at 0 if the total traf...

Page 385: ...ature Table 105 Report Specifications Label Description Number of Web sites protocols or ports IP addresses listed 20 Hit count limit Up to 232 hits can be counted per Web site The count starts over at 0 if it passes four billion Bytes count limit Up to 264 bytes can be counted per protocol port or LAN IP address The count starts over at 0 if it passes 264 bytes ...

Page 386: ...386 Chapter 20 Logs Screens NN47923 500 ...

Page 387: ...in a video cassette recorder you can specify a time period for the VCR to record Apply schedule sets in the WAN IP screen or the WAN Dial Backup screen Lower numbered sets take precedence over higher numbered sets thereby avoiding scheduling conflicts For example if sets 1 2 3 and 4 are applied in the remote node set 1 takes precedence over set 2 3 and 4 as the Business Secure Router by default ap...

Page 388: ...Description This is the call schedule set number Name This field displays the name of the call schedule set Active This field shows whether the call schedule set is turned on Yes or off No Start Date This is the date in year month day format that the call schedule set takes effect Duration Date This is the date in year month day format that the call schedule set ends ...

Page 389: ...he Action field Action Forced On means that the connection is maintained whether or not there is a demand call on the line and persists for the time period specified in the Duration field Forced Down means that the connection is blocked whether or not there is a demand call on the line Enable Dial On Demand means that this schedule permits a demand call on the line Disable Dial On Demand means tha...

Page 390: ...t will activate in year month day format If you selected Weekly in the How Often field then select the day or days of the week when the set will activate Start Time 24 Hour Format Enter the start time in hour minute format when you want the schedule set to take effect Duration Time 24 Hour Format Enter the maximum length of time in hour minute format that the schedule set is to apply the action co...

Page 391: ...Once your schedule sets are configured you must then apply them Apply schedule sets in the WAN IP screen You can apply schedule sets for the dial backup connection refer to Configuring Dial Backup on page 119 Click WAN Dial Backup to display the Dial Backup screen as shown in Figure 157 Use the screen to apply up to four schedule sets ...

Page 392: ...392 Chapter 21 Call scheduling screens NN47923 500 Figure 157 Applying Schedule Sets to a remote node ...

Page 393: ...Chapter 21 Call scheduling screens 393 Nortel Business Secure Router 252 Configuration Basics ...

Page 394: ...394 Chapter 21 Call scheduling screens NN47923 500 ...

Page 395: ...t traffic statistics Maintenance overview The maintenance screens can help you view system information upload new firmware manage configuration and restart your Business Secure Router Status screen Click MAINTENANCE to open the Status screen where you can monitor your Business Secure Router Note that these fields are READ ONLY and only used for diagnostic purposes ...

Page 396: ...u chose in the first Internet Access Wizard screen It is for identification purposes Nortel Firmware Version The release of firmware currently on the Business Secure Router and the date the release was created DSL FW Version This is the DSL firmware version currently on the Business Secure Router Standard This is the ADSL standard that your Business Secure Router is using WAN Information ...

Page 397: ...rtual Channel Identifier that you entered in the first Wizard screen LAN Information MAC Address This is the MAC Media Access Control or Ethernet address unique to your Business Secure Router IP Address This is the LAN port IP address IP Subnet Mask This is the LAN port IP subnet mask DHCP This is the LAN port DHCP role Server Relay or None DHCP Start IP This is the first of the contiguous address...

Page 398: ...eld specifies the percentage of CPU utilization LAN or WAN Port Statistics This is the WAN or LAN port Link Status This is the status of your WAN link Upstream Speed This is the upstream speed of your Business Secure Router DownstreamSpeed This is the downstream speed of your Business Secure Router Node Link This field displays the remote node index number and link type Link types are PPPoA ENET R...

Page 399: ... duplex setting if you re using Ethernet encapsulation and down line is down idle line ppp idle dial starting to trigger a call and drop dropping a call if you re using PPPoE encapsulation For a LAN port this shows the port speed and duplex setting TxPkts This field displays the number of packets transmitted on this port RxPkts This field displays the number of packets received on this port Errors...

Page 400: ...t name MAC Address This field shows the MAC address of the computer with the name in the Host Name field Every Ethernet device has a unique MAC Media Access Control address The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters for example 00 A0 C5 00 00 02 Reserve Select the check box to have the Business Secure Router always assign the displayed IP address...

Page 401: ...re Router 252 Configuration Basics Figure 161 Diagnostic Table 111 describes the fields in Figure 161 Table 111 Diagnostic Label Description General TCP IP Address Type the IP address of a computer that you want to ping in order to test a connection ...

Page 402: ... this button to reinitialize the ADSL line The large text box above then displays the progress and results of this operation for example Start to reset ADSL Loading ADSL modem F W Reset ADSL Line Successfully ATM Status Click this button to view ATM status ATM Loopback Test Click this button to start the ATM loopback test Make sure you have configured at least one PVC with proper VPIs VCIs before ...

Page 403: ... device again Table 112 Firmware Upload Label Description File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the bin file you want to upload Remember that you must decompress compressed zip files before you can upload them Upload Click Upload to begin the upload process This process can take up to two minutes Note Do n...

Page 404: ...Shown in Figure 164 on your desktop Figure 164 Network Temporarily Disconnected After two minutes log on again and check your new firmware version in the System Status screen If the upload was not successful the screen shown in Figure 165 appears Uploading the wrong firmware file or a corrupted firmware file can cause this error Click Return to return to the F W Upload screen Figure 165 Firmware u...

Page 405: ...ion related to factory defaults backup configuration and restoring configuration appears as shown in Figure 166 Figure 166 Configuration Back to Factory Defaults Pressing the Reset button in this section clears all user entered configuration information and returns the Business Secure Router to its factory defaults The warning screen will appear see Figure 167 ...

Page 406: ... reverts to PlsChgMe Backup configuration With backup configuration you can back up and save the current device configuration to a 104 KB file on your computer After your device is configured and functioning properly Nortel recommends that you back up your configuration file before making configuration changes The backup configuration file is useful in case you need to return to your previous sett...

Page 407: ...one minute before logging on to the device again Figure 168 Configuration Upload Successful The device automatically restarts in this time causing a temporary network disconnect In some operating systems you see the icon shown in Figure 169 on your desktop Table 113 Restore configuration Label Description File Path Type in the location of the file you want to upload in this field or click Browse t...

Page 408: ... Nortel Business Secure Router 252 Fundamentals NN47923 301 guide for details about how to set up your computer IP address If the upload was not successful click Return to return to the Configuration screen Restart screen With system restart you can reboot the Business Secure Router without turning the power off Click MAINTENANCE and then Restart Click Restart to have the Business Secure Router re...

Page 409: ...Chapter 22 Maintenance 409 Nortel Business Secure Router 252 Configuration Basics Figure 170 Restart screen ...

Page 410: ...410 Chapter 22 Maintenance NN47923 500 ...

Page 411: ...te power source Check that the Business Secure Router and the power source are both turned on Turn the Business Secure Router off and on If the error persists you likely have a hardware problem In this case contact your vendor I cannot access the Business Secure Router through the console port 1 Make sure the Business Secure Router is connected to your computer s serial port 2 Make sure the commun...

Page 412: ...e Action I cannot access the Business Secure Router from the LAN Check your Ethernet cable type and connections For LAN connection instructions see Nortel Business Secure Router 252 Fundamentals NN47923 301 Make sure the Ethernet adapter is installed in the computer and functioning properly I cannot ping any computer on the LAN Check the 10M 100M LAN LEDs on the front panel If they are all off che...

Page 413: ...sword if you are using PPPoE or PPPoA encapsulation Make sure that you have entered the correct service type username and password the username and password are case sensitive Use the WAN screens in the WebGUI If your ISP requires host name authentication configure your computer name as the system name of the Business Secure Router use the System General screen to configure the system name Table 1...

Page 414: ...et access settings Your username and password can be case sensitive If device connections and Internet access settings are correct contact your ISP Table 120 Troubleshooting the password Problem Corrective Action I cannot access the Business Secure Router The administrator username is nnadmin The default password is PlsChgMe The Password and Username fields are case sensitive Make sure that you en...

Page 415: ...siness Secure Router must be on the same subnet for LAN access If you changed the Business Secure Router LAN IP address then enter the new one as the URL Remove any filters in SMT menu 3 1 LAN or menu 11 1 4 WAN that block Web service Table 122 Troubleshooting Remote Management Problem Corrective Action I cannot remotely manage the Business Secure Router from the LAN or the WAN Check your remote m...

Page 416: ... necessary Either disable pop up blocking enabled by default in Windows XP SP Service Pack 2 or enable pop up blocking and create an exception for your device IP address Allowing Pop ups 1 In Internet Explorer select Tools Pop up Blocker and then select Turn Off Pop up Blocker Figure 171 Pop up Blocker You can also check if pop up blocking is disabled in the Pop up Blocker section in the Privacy t...

Page 417: ...ear the Block pop ups check box in the Pop up Blocker section of the screen Figure 172 Internet Options 3 Click Apply to save this setting Enabling Pop up Blockers with Exceptions Alternatively if you only want to allow pop up windows from your device see the following steps 1 In Internet Explorer select Tools Internet Options and then the Privacy tab ...

Page 418: ...47923 500 2 Select Settings to open the Pop up Blocker Settings screen Figure 173 Internet options 3 Type the IP address of your device the Web page that you do not want to have blocked with the prefix http For example http 192 168 1 1 ...

Page 419: ... address to the list of Allowed sites Figure 174 Pop up Blocker settings 5 Click Close to return to the Internet Options screen 6 Click Apply to save this setting Internet Explorer JavaScript If pages of the WebGUI do not display properly in Internet Explorer check that JavaScript and Java permissions are enabled ...

Page 420: ...Internet Options and then the Security tab Figure 175 Internet options 2 Click the Custom Level button 3 Scroll down to Scripting 4 Under Active scripting make sure that Enable is selected the default 5 Under Scripting of Java applets make sure that Enable is selected the default ...

Page 421: ...lose the window Figure 176 Security Settings Java Scripting Internet Explorer Java Permissions 1 From Internet Explorer click Tools Internet Options and then the Security tab 2 Click the Custom Level button 3 Scroll down to Microsoft VM 4 Under Java permissions make sure that a safety level is selected ...

Page 422: ...lick OK to close the window Figure 177 Security Settings Java JAVA Sun 1 From Internet Explorer click Tools Internet Options and then the Advanced tab 2 Make sure that Use Java 2 for applet under Java Sun is selected 3 Click OK to close the window ...

Page 423: ...n and open a new browser Figure 178 Java Sun Netscape Pop up Blockers Either disable the blocking of unrequested pop up windows enabled by default in Netscape or allow pop ups from Web sites by creating an exception for your device IP address Note Netscape 7 2 screens are used here Screens for other Netscape versions vary ...

Page 424: ...s from this site 2 In the Netscape search toolbar you can enable and disable pop up blockers for Web sites Figure 180 Netscape Search Toolbar You can also check if pop up blocking is disabled in the Popup Windows screen in the Privacy Security directory 1 In Netscape click Edit and then Preferences 2 Click the Privacy Security directory and then select Popup Windows ...

Page 425: ...1 Popup Windows 4 Click OK to save this setting Enable Pop up Blockers with Exceptions Alternatively if you only want to allow pop up windows from your device follow these steps 1 In Netscape click Edit and then Preferences 2 In the Privacy Security directory select Popup Windows 3 Make sure the Block unrequested popup windows check box is selected ...

Page 426: ...ubleshooting NN47923 500 4 Click the Allowed Sites button Figure 182 Popup Windows 5 Type the IP address of your device the Web page that you do not want to have blocked with the prefix http For example http 192 168 1 1 ...

Page 427: ... to return to the Popup Windows screen 8 Click OK to save this setting Netscape Java Permissions and JavaScript If pages of the WebGUI do not display properly in Netscape check that JavaScript and Java permissions are enabled 1 In Netscape click Edit and then Preferences 2 Click the Advanced directory 3 In the Advanced screen make sure the Enable Java check box is selected ...

Page 428: ...ubleshooting NN47923 500 4 Click OK to close the window Figure 184 Advanced 5 Click the Advanced directory and then select Scripts Plug ins 6 Make sure the Navigator check box is selected in the enable JavaScript section ...

Page 429: ...Appendix A Troubleshooting 429 Nortel Business Secure Router 252 Configuration Basics 7 Click OK to close the window Figure 185 Scripts Plug ins ...

Page 430: ...430 Appendix A Troubleshooting NN47923 500 ...

Page 431: ...n information from the time server Time calibration failed The router failed to get information from the time server DHCP client gets s A DHCP client got a new IP address from the DHCP server DHCP client IP expired A DHCP client s IP address has expired DHCP server assigns s The DHCP server assigned an IP address to a client SMT Login Successfully Someone has logged on to the router s SMT interfac...

Page 432: ...The Business Secure Router allows access to this IP address or domain name and forwarded traffic addressed to the IP address or domain name URLBLK IP Domain Name The Business Secure Router blocked access to this IP address or domain name due to a forbidden keyword All Web traffic is disabled except for trusted domains untrusted domains or the cybernot list JAVBLK IP Domain Name The Business Secure...

Page 433: ...d code details ip spoofing WAN TCP The firewall detected a TCP IP spoofing attack on the WAN port ip spoofing WAN UDP The firewall detected an UDP IP spoofing attack on the WAN port ip spoofing WAN IGMP The firewall detected an IGMP IP spoofing attack on the WAN port ip spoofing WAN ESP The firewall detected an ESP IP spoofing attack on the WAN port ip spoofing WAN GRE The firewall detected a GRE ...

Page 434: ...routing entry GRE The firewall detected a GRE IP spoofing attack while the Business Secure Router did not have a default route ip spoofing no routing entry OSPF The firewall detected an OSPF IP spoofing attack while the Business Secure Router did not have a default route ip spoofing no routing entry ICMP type d code d The firewall detected an ICMP IP spoofing attack while the Business Secure Route...

Page 435: ...uter blocked or forwarded it according to the configuration of the ACL set Firewall rule match TCP set d rule d TCP access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the configuration of the rule Firewall rule match UDP set d rule d UDP access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according ...

Page 436: ...ed firewall rule and the Business Secure Router logged it Firewall rule NOT match GRE set d rule d GRE ac access did not match the listed firewall rule and the Business Secure Router logged it Firewall rule NOT match OSPF set d rule d OSPF access did not match the listed firewall rule and the Business Secure Router logged it Firewall rule NOT match set d rule d Access did not match the listed fire...

Page 437: ...ule d UDP access matched the listed filter rule and the Business Secure Router dropped the packet to block access Filter match DROP set d rule d ICMP access matched the listed filter rule and the Business Secure Router dropped the packet to block access Filter match DROP set d rule d Access matched the listed filter rule and the Business Secure Router dropped the packet to block access Filter matc...

Page 438: ...ent a TCP packets in response Firewall sent TCP reset packets The firewall sent out TCP reset packets Packet without a NAT table entry blocked The router blocked a packet that did not have a corresponding SUA NAT table entry Out of order TCP handshake packet blocked The router blocked a TCP handshake packet that came out of the proper order Drop unsupported out of order ICMP The Business Secure Ro...

Page 439: ...packets traveling from the WAN to the WAN or the Business Secure Router Table 130 ICMP Notes Type Code Description 0 Echo reply 0 Echo reply message 3 Destination unreachable 0 Net unreachable 1 Host unreachable 2 Protocol unreachable 3 Port unreachable 4 A packet that needed fragmentation was dropped because the packet was set to Don t Fragment DF 5 Source route failed 4 Source quench 0 A gateway...

Page 440: ... in transit 1 Fragment reassembly time exceeded 12 Parameter problem 0 Pointer indicates the error 13 Timestamp 0 Timestamp request message 14 Timestamp reply 0 Timestamp reply message 15 Information request 0 Information request message 16 Information reply 0 Information reply message Table 131 Sys log LOG MESSAGE DESCRIPTION Mon dd hr mm ss hostname src srcIP srcPort dst dstIP dstPort msg msg no...

Page 441: ... Main Mode request to 192 168 100 101 002 01 Jan 08 02 22 Send SA 003 01 Jan 08 02 22 Recv SA 004 01 Jan 08 02 24 Send KE NONCE 005 01 Jan 08 02 24 Recv KE NONCE 006 01 Jan 08 02 26 Send ID HASH 007 01 Jan 08 02 26 Recv ID HASH 008 01 Jan 08 02 26 Phase 1 IKE SA process done 009 01 Jan 08 02 26 Start Phase 2 Quick Mode 010 01 Jan 08 02 26 Send HASH SA NONCE ID ID 011 01 Jan 08 02 26 Recv HASH SA N...

Page 442: ...Jan 08 08 07 Recv SA 003 01 Jan 08 08 08 Send SA 004 01 Jan 08 08 08 Recv KE NONCE 005 01 Jan 08 08 10 Send KE NONCE 006 01 Jan 08 08 10 Recv ID HASH 007 01 Jan 08 08 10 Send ID HASH 008 01 Jan 08 08 10 Phase 1 IKE SA process done 009 01 Jan 08 08 10 Recv HASH SA NONCE ID ID 010 01 Jan 08 08 10 Start Phase 2 Quick Mode 011 01 Jan 08 08 10 Send HASH SA NONCE ID ID 012 01 Jan 08 08 10 Recv HASH Clea...

Page 443: ... the connection but the IKE key exchange has not completed Duplicate requests with the same cookie The Business Secure Router received multiple requests from the same peer but is still processing the first IKE packet from that peer No proposal chosen The parameters configured for Phase 1 or Phase 2 negotiations do not match Check all protocols and settings for these phases For example one party us...

Page 444: ...h the local s peer ID type Phase 1 ID content mismatch The ID content of an incoming packet does not match the local s peer ID content No known phase 1 ID type found The ID type of an incoming packet does not match any known ID type Peer ID IP address type IP address The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the loca...

Page 445: ...address static or dynamic to set up the VPN tunnel Cannot find IPSec SA The Business Secure Router cannot find a phase 2 SA that corresponds with the SPI of an inbound packet from the peer the packet is dropped Cannot find outbound SA for rule d The packet matches the rule index number d but Phase 1 or Phase 2 negotiation for outbound from the VPN initiator traffic is not finished yet Discard REPL...

Page 446: ...e certificate enrollment succeeded The Destination field records the certification authority server IP address and port Enrollment failed The SCEP online certificate enrollment failed The Destination field records the certification authority server IP address and port Failed to resolve SCEP CA server url The SCEP online certificate enrollment failed because the certification authority server addre...

Page 447: ...the LDAP server whose address and port are recorded in the Source field Failed to decode the received user cert The router received a corrupted user certificate from the LDAP server whose address and port are recorded in the Source field Failed to decode the received CRL The router received a corrupted CRL Certificate Revocation List from the LDAP server whose address and port are recorded in the ...

Page 448: ...oding failed 10 Certificate was not found anywhere 11 Certificate chain looped did not find trusted root 12 Certificate contains critical extension that was not handled 13 Certificate issuer was not valid CA specific information missing 14 Not used 15 CRL is too old 16 CRL is not valid 17 CRL signature was not verified correctly 18 CRL was not found anywhere 19 CRL was not added to the cache 20 CR...

Page 449: ... to use another authentication method and was not authenticated User logout because of session timeout expired The router logged off a user whose session expired User logout because of user deassociation The router logged off a user who ended the session User logout because of no authentication response from user The router logged off a user from which there was no authentication response User log...

Page 450: ...ategory followed by a log category and a parameter to decide what to record No Server to authenticate user There is no authentication server to authenticate a user Local User Database does not find user s credential A user was not authenticated by the local user database because the user is not listed in the local user database Table 138 Log categories and available settings Log Categories Availab...

Page 451: ...ommand to show the log settings for all of the log categories Use the sys logs display log category command to show the logs in an individual Business Secure Router log category Use the sys logs clear command to erase all of the Business Secure Router logs urlforward 0 1 Use 0 to record no logs for a selected category 1 to record only logs a selected category 2 to record only alerts for a selected...

Page 452: ... 80 137 172 22 255 255 137 ACCESS BLOCK Firewall default policy UDP set 8 1 11 11 2002 15 10 12 172 21 4 17 138 172 21 255 255 138 ACCESS BLOCK Firewall default policy UDP set 8 2 11 11 2002 15 10 11 172 17 2 1 224 0 1 60 ACCESS BLOCK Firewall default policy IGMP set 8 3 11 11 2002 15 10 11 172 22 3 80 137 172 22 255 255 137 ACCESS BLOCK Firewall default policy UDP set 8 4 11 11 2002 15 10 10 192 ...

Page 453: ...ck Alert 190 192 Attack Types 160 Authentication databases 315 Authentication Header 204 Authentication Type 121 Autonegotiating 10 100 Mb s Ethernet LAN 36 Autosensing 10 100 Mb s Ethernet LAN 36 Auxiliary 36 B Backup 406 Bandwidth Class 300 Bandwidth Filter 300 307 Bandwidth Management 299 Bandwidth Management Statistics 308 Bandwidth Manager Class Configuration 305 Bandwidth Manager Class Setup...

Page 454: ... Ports Creating Editing 182 D Data Terminal Ready 124 DDNS Type 86 Default 405 Default Policy Log 177 Default Server 138 Default Server IP Address 137 Denial of Service 155 156 190 191 DES 205 Destination Address 172 180 DHCP 65 85 97 98 399 DHCP Dynamic Host Configuration Protocol 40 DHCP Server 101 diagnostic 400 Dial 126 Dial Backup 119 Dial Backup Port Speed 121 Dial Timeout 126 DNS 81 357 DNS...

Page 455: ...ines For Enhancing Security 166 Introduction 155 LAN to WAN Rules 173 Policies 169 Rule Checklist 171 Rule Logic 171 Rule Security Ramifications 171 Services 186 Types 153 When To Use 167 Firmware Version 396 396 First DNS Server 84 FTP 85 135 136 329 352 FTP Restrictions 329 FTP Server 41 Full Feature 115 Full Network Management 40 G General Setup 82 Global 130 Global End IP 140 143 Global Start ...

Page 456: ...ng 157 161 IP Static Route 148 IPSec VPN Capability 36 37 ISAKMP Initial Contact Payload 258 J Java 197 K Key Fields For Configuring Rules 172 L LAN IP Address 380 383 LAN Setup 97 107 LAN TCP IP 98 LAN to WAN Rules 173 LAND 158 159 Local 130 Local End IP 140 142 Local Start IP 140 142 Log 177 Logging 41 Logs 373 M MAC Addresses 103 MAC Encapsulated Routing Link Protocol 53 MAIN MENU 50 Management...

Page 457: ...nel 217 One Minute High 193 One Minute Low 192 One to One 133 One Minute High 191 One to One 142 Outside 130 P Packet Direction 177 179 Packet Filtering 38 166 Packet Filtering Firewalls 154 PAP 121 Password 46 87 321 327 Password Management 259 PAT 142 Permanent Virtual Circuit 54 Phone Number 121 ping 402 Ping of Death 157 Point to Point Protocol over ATM Adaptation Layer 5 54 Point to Point Pro...

Page 458: ...lass 303 Routing Information Protocol 98 Rule Summary 185 Rules 169 173 Checklist 171 Creating Custom 169 Key Fields 172 LAN to WAN 173 Logic 171 Predefined Services 186 Source and Destination Addresses 181 S SA Monitor 245 Saving the State 161 Schedule Sets Duration 390 Second DNS Server 84 Secondary Phone Number 121 Secure FTP Using SSH Example 349 Secure Telnet Using SSH Example 347 Security Ra...

Page 459: ... 156 157 158 350 Teardrop 157 technical publications 30 Telnet 350 Telnet Configuration 350 text conventions 29 TFTP Restrictions 329 Third DNS Server 84 Threshold Values 190 Time and Date 36 Time Setting 90 Traceroute 161 Tracing 41 trademarks 2 Traffic Redirect 40 117 118 Trigger Port Forwarding Process 143 U UDP ICMP Security 165 Universal Plug and Play 38 Universal Plug and Play UPnP 361 363 U...

Page 460: ...460 Index NN47923 500 VPN Client Termination 248 W WAN to LAN Rules 173 Web Proxy 197 Web Site Hits 380 WebGUI 45 49 155 166 172 Windows Networking 116 247 Wizard Setup 53 WWW 332 X Xmodem Upload 49 ...