Planet Networking & Communication MH-5001, User Manual

Page 1: ...Multi Homing UTM Security Gateway User s Manual I Multi Homing UTM Security Gateway MH 5001 User s Manual ...

Page 2: ...ility for any inaccuracies that may be contained in this User s Manual PLANET makes no commitment to update or keep current the information in this User s Manual and reserves the right to make improvements to this User s Manual and or to the products described in this User s Manual at any time without notice If you find information in this manual that is incorrect misleading or incomplete we would...

Page 3: ...d MAC address Any error messages that displayed when the problem occurred Any software running when the problem occurred Steps you took to resolve the problem on your own Revision User s Manual for PLANET Multi Homing Security Gateway Model MH 5001 Rev 4 0 July 2006 Part No EM MH5Kv4 2081 B90070 000 ...

Page 4: ...w 25 2 1 Typical Example Topology 25 2 2 Changing the LAN1 IP Address 26 2 2 1 From LAN1 to configure MH 5001 LAN1 network settings 26 2 2 2 From CLI command line interface to configure MH 5001 LAN1 network settings 27 2 2 3 Web GUI design principle 27 2 2 4 Rule principle 28 Chapter 3 Basic Setup 31 3 1 Demands 31 3 2 Objectives 31 3 3 Methods 31 3 4 Steps 32 3 4 1 Setup WAN1 IP 32 3 4 2 Setup DM...

Page 5: ... 6 3 6 Exempt Host 58 Chapter 7 NAT 59 7 1 Demands 59 7 2 Objectives 60 7 3 Methods 60 7 4 Steps 61 7 4 1 Setup Many to one NAT rules 61 7 4 2 Setup Virtual Server for the FtpServer1 64 7 5 NAT modes introduction 67 7 5 1 Many to One type 67 7 5 2 Many to Many type 68 7 5 3 One to One type 69 7 5 4 NAT modes types 69 Chapter 8 Routing 71 8 1 Demands 71 8 2 Objectives 72 8 3 Methods 72 8 4 Steps 72...

Page 6: ... VPN 95 12 2 2 IPSec 95 12 2 3 Security Association 95 12 2 4 IPSec Algorithms 95 12 2 5 Key Management 96 12 2 6 Encapsulation 97 12 2 7 IPSec Protocols 97 12 3 Make VPN packets pass through MH 5001 98 Chapter 13 Virtual Private Network IPSec 99 13 1 Demands 99 13 2 Objectives 99 13 3 Methods 99 13 4 Steps 100 DES MD5 IPSec tunnel the IKE way 100 DES MD5 IPSec tunnel the Manual Key way 109 Chapte...

Page 7: ... Add a filter rule from WinXP to MH 5001 148 18 4 5 Add a filter rule from MH 5001 to WinXP 151 18 4 6 Configure a rule for WinXP client to MH 5001 153 18 4 7 Configure a rule for MH 5001 to WinXP client 157 18 4 8 Enable the security settings 159 Chapter 19 Content Filtering Web Filters 160 19 1 Demands 160 19 2 Objectives 161 19 3 Methods 161 19 4 Steps 162 19 5 Setting priorities 167 Chapter 20...

Page 8: ...5 3 Methods 196 25 4 Steps 197 25 4 1 Outbound Load Balancer 197 Chapter 26 High Availability 199 26 1 Demands 199 26 2 Objectives 200 26 3 Methods 200 26 4 Steps 200 26 4 1 Setup High Availability 200 Chapter 27 System Status 202 27 1 Demands 202 27 2 Objectives 202 27 3 Methods 202 27 4 Steps 202 Chapter 28 Log System 205 28 1 Demands 205 28 2 Objectives 205 28 3 Methods 205 28 4 Steps 205 28 4 ...

Page 9: ...211 29 6 Save the current configuration 212 29 7 Steps for Backup Restore Configurations 212 29 8 Steps for Reset password 213 Appendix A Command Line Interface CLI 214 A 1 Enable the port of MH 5001 214 A 2 CLI commands list Normal Mode 214 A 3 CLI commands list Rescue Mode 216 Appendix B Trouble Shooting 219 Appendix C System Log Syntax 225 Appendix D Glossary of Terms 231 ...

Page 10: ...for evidence of intrusion attempts and inappropriate transmission of regulated information The WBI is a versatile configurable monitoring platform For you to understand and use its functionality you must understand the WBI and its capabilities All the examples after Chapter 2 in this manual which instruct you how to configure the Multi Homing Security Gateway are taken from MH 5001 The hardware an...

Page 11: ...dule Address All rules require source and destination addresses You have to add the addresses to each interface while inserting a new firewall rule These addresses must be valid addresses for the network connected to that interface You can also organize related addresses into address groups to make it easier to add rules See Section 9 4 1 for details Service Use service to control the types of com...

Page 12: ... checkbox if you would like to require data encryption Transparent Mode Transparent mode provides the same basic firewall protection as NAT mode Packets received by the MH 5001 are intelligently forwarded or blocked according to the firewall rules The MH 5001 can be inserted into your network without changing your network or any of its components See Section 1 7 2 for details WAN Backup When WAN B...

Page 13: ... Power Cord x 1 5 Rack mount x 1 6 RS 232 cable x 1 1 2 Five steps to configure MH 5001 quickly Let s look at the common network topology without MH 5001 applying like Figure 1 This is a topology which is almost used by all the small medium business or SOHO use as their Internet connectivity Although that your topology is not necessarily the same diagram below but it still can give you a guideline...

Page 14: ...1 5 for more information 2 LAN Configure the LAN1 port of MH 5001 You can refer to section 1 4 for the default network configurations of MH 5001 Note If you were connected from LAN1 port and changed the LAN1 IP address settings of MH 5001 The network will be disconnected since the IP address is different between your pc and MH 5001 LAN1 port 3 WAN Configure the WAN1 port of MH 5001 You can refer t...

Page 15: ...end of the cable to the WAN port on the front panel of the MH 5001 and the other end of the cable to a DSL or Cable modem as in Figure 1 C Computers with an Ethernet adapter can be directly connected to any of the LAN ports using a cross over Ethernet cable as in Figure 1 D Computers that act as servers to provide Internet services should be connected to the DMZ port using an Ethernet Cable as in ...

Page 16: ...bnet Mask ____ ____ ____ ____ Gateway IP ____ ____ ____ ____ Primary DNS ____ ____ ____ ____ Fixed IP Secondary DNS ____ ____ ____ ____ PPPoE Username ____ ____ ____ ____ PPPoE PPPoE Password ____ ____ ____ ____ WAN2 Port 2 DHCP Not initialized IP Address 10 1 1 254 ____ ____ ____ ____ DMZ1 Port 3 IP Subnet Mask 255 255 255 0 ____ ____ ____ ____ IP Address 192 168 1 254 ____ ____ ____ ____ LAN1 Po...

Page 17: ...n IP address and Subnet Mask from the same range as the IP address and Subnet Mask assigned to the MH 5001 in order to be able to make an HTTPS connection using a web browser The MH 5001 is assigned an IP address of 192 168 1 254 with a Subnet Mask of 255 255 255 0 by default The computer that will be used to configure the MH 5001 must be assigned an IP address between 192 168 1 1 and 192 168 1 25...

Page 18: ...in Name followed by clicking the Next BASIC SETUP Wizard Step 4 Operation Mode MH 5001 Multi Homing Security Gateway can operate in NAT Router mode or Transparent mode Choose which operation Mode for this device to use BASIC SETUP Wizard Next NAT Route mode In NAT Route mode you can create NAT mode rules and Route mode rules For the related information please refer to Chapter 7 and Chapter 8 y NAT...

Page 19: ...the PCs under LAN1 LAN2 DMZ interfaces may be blocked 2 If you would like to change the operation mode from NAT Route mode to Transparent mode you have to backup the configuration file and then do the factory reset first Table 1 2 The operation mode Step 5 WAN Connectivity Choose the type of IP Address Assignment provided by your ISP to access the Internet Here we have four types to select This wi...

Page 20: ...t Fixed IP Step 5 c PPPoE client If PPP over Ethernet is selected enter the ISP given User Name Password and the optional Service Name Click Next to proceed BASIC SETUP Wizard Next PPPoE 9 Warning Message Please Note that an alert message box When changing to none fixed ip mode system will delete all ip alias will appear while you change Get IP Automatically DHCP or PPP over Ethernet but not Fixed...

Page 21: ...ntly we introduce WAN1 to DMZ1 Connectivity to explain how the servers under DMZ1 can be accessed by the LAN1 users and other Internet users on the WAN1 side You MUST press Apply to proceed to the next page Once applying any changes the settings are immediately updated into the flash memory 1 6 1 LAN1 to WAN1 Connectivity The LAN Settings page allows you to modify the IP address and Subnet Mask th...

Page 22: ...After completing Step 3 the NAT is automatically configured related rules to let all private IP LAN DMZ to WAN requests to be translated with the public IP assigned by the ISP ADVANCED SETTINGS NAT Status Step 5 Check NAT Rules The MH 5001 has added the NAT rules as the right diagram The rule Basic LAN1 means that when matching the condition requests of LAN DMZ to WAN direction with its source IP ...

Page 23: ...es to let all private IP LAN DMZ to WAN requests to be translated with the public IP assigned by the ISP ADVANCED SETTINGS NAT Status Step 5 Check NAT Rules The MH 5001 has added the NAT rules as the right diagram The rule Basic DMZ1 number 1 means that when matching the condition requests of LAN DMZ to WAN direction with its source IP falling in the range of 10 1 1 254 255 255 255 0 the request w...

Page 24: ... For passive FTP clients the server at DMZ will return them the private IP address 10 1 1 5 and the port number for the clients to connect back for data transmissions Since the FTP clients at the WAN side cannot connect to a private IP ex 10 1 1 5 through the Internet The data connections would be fail After enabling this feature the MH 5001 will translate the private IP port into an IP port of it...

Page 25: ...ckup your configuration first otherwise the original configuration will be deleted inclusive of all rules policies addresses etc After system reboots MH 5001 will return to the factory default In this document we will introduce you how to setup NAT Router Mode firewall in the most examples You can learn the settings of each feature by them For more information of how to choose NAT or Route mode in...

Page 26: ...tly forwarded or blocked according to the firewall rules However some advanced firewall features are only available in NAT Route mode Transparent mode will not support the following features currently 1 WAN PPPoE link 2 Authentication 3 VPN IPSec PPTP L2TP 4 NAT 5 Routing 6 IP MAC Binding 7 DDNS DNS Proxy DHCP Relay 8 Interface change 9 Show IPSec sessions 10 VPN Logs ...

Page 27: ......

Page 28: ...s is a branch office of Organization_1 In this architecture all the users under Organization can access sever reside in the Internet or DMZ region smoothly Besides Organization_1 communicates with Organization_2 with a VPN tunnel established by the two MH 5001 Multi Homing Security Gateways The VPN tunnel secures communications between Organizations more safely We will focus on how to build up the...

Page 29: ...cing Users may want to subscribe multiple WAN links and make their outbound traffic load balanced among the WAN links MH 5001 now supports outbound WAN load balancing Inbound load balancing will be supported in a very near future 8 Chapter 24 Chapter 29 System Maintenance In this part we provide some useful skills to help you to justify MH 5001 more securely and steadily 2 2 Changing the LAN1 IP A...

Page 30: ...1 network settings Step 1 Use Console port to configure MH 5001 Use the supplied console line to connect the PC to the Diagnostic RS 232 socket of the MH 5001 Start a new connection using the HyperTerminal with parameters No Parity 8 Data bits 1 stop bit and baud rate 9600 Enter admin for user name and admin for password to login After logging into MH 5001 enter the commands en to enter the privil...

Page 31: ... configuration is divided into three parts as Figure 2 3 illustrated You just need to enter the necessary information onto each part according to your requirement As for the definitions of the three part configuration please refer to the following description 1 Status Describe the status and name of this rule 2 Condition What kind of characteristics does packet hold And it will be captured by this...

Page 32: ...Before button Figure 2 4 The rules in the page of the rule edition are also divided into three parts Status field Describe the status and name of this rule Condition field What kind of characteristics does packet hold And it will be captured by this rule Action field If the packet is captured by this rule What action will this rule do If you are not satisfied with the current rule sequence the rul...

Page 33: ......

Page 34: ...k settings of the MH 5001 DMZ1 and LAN1 ports 3 We hope to assign another IP address to the same WAN port that we have configured before 4 Ping the public Internet Server IP addresses with a sequence of every specified Timeout to check the connection of the current default WAN link When the specified WAN link is disconnected MH 5001 will try to make the ping action to the first Public Internet Ser...

Page 35: ... information from DHCP Server DNS IP Address Æ manually specify these Primary and Secondary DNS Server information Get DNS Automatically DNS IP Address Get DNS Automatically Routing Protocol Determine to enable the dynamic routing protocol to receive RIP message to send out the RIP message if the RIP message is received or not None RIPv1 In RIPv1 In Out RIPv2 In RIPv2 In Out OSPF None Get IP Autom...

Page 36: ...ble Disable Enabled Service Name ISP vendor Optional text string So Net User Name The user name of PPPoE account text string Hey Password The password of PPPoE account text string G54688 PPP over Ethernet Get DNS Automatically DNS IP Address Get DNS Automatically Æ Get DNS related information from PPPoE ISP DNS IP Address Æ manually specify these Primary and Secondary DNS Server information Get DN...

Page 37: ...me sec Specify DHCP information lease time greater than 0 7200 Routing Protocol Determine to enable the dynamic routing protocol RIP to receive RIP message to send out RIP message if the message is received or not None RIPv1In RIPv1In out RIPv2In RIPv2In out OSPF None OSPF Area ID Specify OSPF area ID number IPv4 format or digit string Max 9 bits N A Table 3 2 Configure DMZ network settings Step 2...

Page 38: ...RIPv2In RIPv2In out OSPF None OSPF Area ID Specify OSPF area ID number IPv4 format or digit string Max 9 bits N A Table 3 3 Configure LAN network settings 3 4 3 Setup WAN1 IP alias Step 1 Add WAN1 IP alias Suppose you apply 8 IP addresses from ISP The range of the ISP given IP address is from 61 2 1 0 to 61 2 1 7 Now you would like to add three WAN1 IP aliases Select WAN1 in the Interface field En...

Page 39: ...t 10 records Table 3 5 IP alias limitation of each port Step 3 See the IP alias setting in the WAN1 IP page After entering the IP alias address it will show the result in the WAN1 IP page Warning If you select Fixed IP Address as your WAN link type and set any IP alias When you try to exchange the WAN link type to other type such as DHCP PPPoE The previous setting IP aliases will disappear after y...

Page 40: ...able WAN Fail Over When enabled the system will ping the specified public server IP addresses through the default route link Enable Disable Enable Check public Internet server IP1 The first Internet public IP address used to check the connection of the current default WAN link IPv4 Format 140 114 69 9 Check public Internet server IP2 The second Internet public IP address used to check the connecti...

Page 41: ......

Page 42: ... ISP links to the MH 5001 4 2 Objectives 1 Configure the general properties such as domain name password system time and connection timeout correctly Besides we can configure the prefered service name as the service name numeric mapping list 2 DDNS By using the DDNS Dynamic DNS the MH 5001 will send the request for modification of the corresponding DNS record to the DDNS server after the IP is cha...

Page 43: ...e possible duplicate DNS lookups As the following Figure 4 2 described WALL 1 redirects the DNS request from PC1_1 to the real DNS server 140 113 1 1 Figure 4 2 DNS Proxy mechanism chart 4 DHCP Relay Activate the DHCP relay mode of MH 5001 so that the MH 5001 will become the relay agent and relay the DHCP broadcast to the configured DHCP server As the following Figure 4 3 described MH 5001 redirec...

Page 44: ... 41 Figure 4 3 DHCP Relay mechanism chart 5 As the following Figure 4 4 demonstrated there is an embedded snmp agent in the MH 5001 So you can use SNMP manager to monitor the MH 5001 system status network status etc from either LAN or Internet ...

Page 45: ...01 interface in the SYSTEM TOOLS Admin Settings Interface in according to our preference and requirement 3 WAN 1 DMZ 1 LAN As the following Figure 4 5 demonstrated there are three ISP connected onto MH 5001 So we must adjust the interface up to 3 WAN ports to fit the current condition Figure 4 5 Adjust MH 5001 interface to fit current condition ...

Page 46: ...ll in the domain name of company planet com tw Table 4 1 System Tools General Setup menu Step 2 Change Password Enter the current password in the Old Password field Enter the new password in the New Password and retype it in the Confirm Password field Click Apply SYSTEM TOOLS Admin Settings Password FIELD DESCRIPTION EXAMPLE Old Password The original password of administrator admin New Password Th...

Page 47: ...IPTION EXAMPLE Time zone the time zone of your area N A NTP time server address Use NTP time server to auto update date time value tock usno navy mil Continuously every 3 min update system clock System will update system date time value every 3 minutes to NTP time sever Enabled Update system clock using the time server at boot time System will update system date time value to the NTP time server a...

Page 48: ...ace Assign which public IP address of interface to the DDNS server WAN1 Service Provide The domain address of DDNS server In the MH 5001 we provide some websites for your choice If you choose WWW ORAY NET as DDNS service provider It would register the source IP address which is connected to the DDNS server It means that the WAN1 IP address must be public address WWW ORAY NET Hostname The registere...

Page 49: ...located And click the Apply button finally Notice the DHCP Server can not be located with the subnet range of Relay Domain SYSTEM TOOLS Admin Settings DHCP Relay FIELD DESCRIPTION EXAMPLE Enable DHCP Relay When the host of the LAN DMZ in the MH 5001 internal network sends a DHCP request MH 5001 will forward it automatically to the specified DHCP server different subnet from the network segment of ...

Page 50: ... and one LAN port existing in the MH 5001 You are not allowed to casually change the interface to the state which has no LAN port or WAN port SYSTEM TOOLS Admin Settings Interface FIELD DESCRIPTION EXAMPLE Enable SNMP Enable the SNMP function or not Enabled System Name The device name of MH 5001 MH 5001 planet com tw System Location The settled location of MH 5001 Office Contact Info The person wh...

Page 51: ...PTION EXAMPLE Port1 Port5 You can specify WAN LAN DMZ for each port by your preference However there must be one WAN and one LAN interface existing in the MH 5001 Port1 WAN Port2 WAN Port3 WAN Port4 DMZ Port5 LAN Table 4 9 Change the MH 5001 interface setting ...

Page 52: ......

Page 53: ...in MH 5001 devices is implemented by hidden Firewall rules 5 2 Methods 1 Only allow management by WAN_PC 140 2 5 1 at the WAN1 side 2 Administrators can use browsers to connect to http 192 168 40 254 8080 for management 3 Allow SNMP monitoring by PC1_1 192 168 40 1 at the LAN1 side 4 Do not respond to ICMP ECHO packets at the WAN1 side Figure 5 1 Some management methods of MH 5001 5 3 Remote Manag...

Page 54: ...ing a digital certificate and passwords are protected by being encrypted SSH uses RSA public key cryptography for both connection and authentication Encryption algorithms include Blowfish DES and IDEA IDEA is the default WWW World Wide Web Two meanings First loosely used the whole constellation of resources that can be accessed using Gopher FTP HTTP telnet USENET WAIS and some other tools Second t...

Page 55: ...WWW Step 1 Setup WWW Check the LAN1 checkbox and enter the new Server Port 8080 that will be accessed by the user s browser http 192 168 40 254 8080 Here we click All for all no IP range limitation of clients And click the Apply button SYSTEM TOOLS Remote Mgt WWW Step 2 Message alert If you select Selected and enter the IP address in the Secure Client IP Address field After you apply the WWW there...

Page 56: ...SNMP Check the LAN1 checkbox In the Secure Client Address field If you prefer indicated specified IP address Just click the Selected and enter the valid IP address for reading the SNMP MIBs at the MH 5001 Finally click the Apply button SYSTEM TOOLS Remote Mgt SNMP 5 4 6 ICMP Step 1 Setup ICMP Uncheck the WAN1 checkbox and make others checked Then click the Apply button For example WAN1 IP is 61 2 ...

Page 57: ... there are two options a to route a service through DMZ interface which is designed for this or b to add a chosen PC IP address to the Exempt Host list For instance i If PCs under LAN interfaces cannot pass the authentication they will not be allowed to access WAN LAN and DMZ resources ii If PCs like servers are located under DMZ the authentication is not necessary iii If you put a server under LA...

Page 58: ... would like to connect to the Internet And then click Login Step 5 Show the time left When you pass the authentication a message box will appear to tell you how long the connection will remain 6 3 2 Pop3 s Setting Step 6 Configure Pop3 s Settings Click Authentication Type as Pop3 s Enter Server IP and Server Port Check the Encryption as SSL if the server port is 995 PoP3s Click Apply to store the ...

Page 59: ...address of the IMAP s server 10 1 1 1 Server Port The port which the data goes into or out of the IMAP s server For instance IMAP service uses port 143 and IMAPs service uses port 993 993 Encryption Encryption is the process of changing data into a form that can be read only by the intended receiver Secured Sockets Layer SSL is a protocol that transmits your communications over the Internet in an ...

Page 60: ...nter the distinguished name Base DN used to look up entries on the LDAP server For example you can use the Base DN like ou people dc yourcompany dc com dc tw where ou is organization unit and dc is domain component Enter the common name identifier in the UID field Note that UID it may be named as cn is the field name in LDAP server Please refer to Table 6 4 for details Basic Setup Authentication A...

Page 61: ...58 6 3 6 Exempt Host Step 10 Configuring the Exempt Host Enter the exempt host IP Address and click Add to add an IP address When enabling authentication the chosen PC IP address will pass the authentication Basic Setup Authentication Exempt Host ...

Page 62: ...c IP hosts are directly exposed to the Internet and have more chances to be cracked by intruders As the Figure 7 1 illustrated you hope all the pcs located at LAN1 and DMZ1 can connect Internet through limited IP address 61 2 1 1 Figure 7 1 All the internal PCs can connect Internet through limited WAN IP address by using NAT technology 2 Internet servers provided by your company may open many port...

Page 63: ...ill forward the packet to the real server So FTPServer1 10 1 1 5 will be accessed by other Internet users 7 3 Methods 1 Assign private IP addresses to the PC1_1 PC1_5 Setup NAT at MH 5001 to map those assigned private hosts under LAN1 to the public IP address WAN_IP at the WAN1 side 2 Assign a private IP address to the FTPServer1 Setup Virtual Server at MH 5001 to redirect any connections towards ...

Page 64: ... the Internet users will just connect the 61 2 1 1 44444 to get ftp service 7 4 Steps 7 4 1 Setup Many to one NAT rules Step 1 Enable NAT Select the Basic from the list of Network Address Translation Mode Click Apply Now the MH 5001 will automatically set the NAT rules for LAN DMZ zones Namely all internal networks can establish connections to the outside world if the WAN settings are correct ADVA...

Page 65: ...chosen public IP address When the WAN interfaces change the IP these rules do not require any manual modifications for the changed public IP addresses The rules will reload the new settings automatically Besides you cannot insert edit any rules under the Basic mode ADVANCED SETTINGS NAT NAT Rules Step 3 Switch the NAT Mode Select the Full Feature from the list of Network Address Translation Mode C...

Page 66: ...c IP address for being translated into You can check the Auto choose IP from WAN ports The MH 5001 will automatically determine which WAN IP is to be translated into ADVANCED SETTINGS NAT NAT Rules Insert FIELD DESCRIPTION Range Format EXAMPLE Activate this rule The NAT rule is enabled or not Enabled Disabled Enabled Status Rule name The NAT rule name text string Max 200 entries Rule Condition Sou...

Page 67: ...from the Type and enter the private public IP address pair in the Source IP and the Translated Source IP fields ADVANCED SETTINGS NAT NAT Rules Insert Step 5 d Insert a One to One Bidirectional Rule The above three modes allow LAN DMZ to WAN sessions establishment but do not allow WAN to LAN DMZ sessions WAN to LAN DMZ sessions are allowed by Virtual Server rules You can make the One to One NAT in...

Page 68: ...d with the public IP assigned by the ISP ADVANCED SETTINGS NAT Status Step 5 Check NAT Rules The MH 5001 has added the NAT rules automatically as right diagram described The rule Basic DMZ1 number 1 means that when matching the condition requests of LAN DMZ to WAN direction with its source IP falling in the range of 10 1 1 254 255 255 255 0 the request will be translated into a public source IP re...

Page 69: ... enabling this feature the MH 5001 will translate the private IP port into an IP port of its own Thus the problem is gracefully solved Click Apply to proceed ADVANCED SETTINGS NAT Virtual Servers Insert FIELD DESCRIPTION Range Format EXAMPLE Activate this rule The Virtual Server rule is enabled or not Enabled Disabled Enabled Status Rule name The Virtual Server rule name text string Max 200 entrie...

Page 70: ...hat the real connected port is the same as the translated destination port 0 65534 21 Table 7 3 Add a Virtual Server rule Step 9 View the Result Now any request towards the MH 5001 s WAN1 IP 61 2 1 1 with port 44444 will be translated into a request towards 10 1 1 5 with port 21 and then be forwarded to the 10 1 1 5 The FTP server listening at port 21 in 10 1 1 5 will pick up the request After add...

Page 71: ...type Figure 7 5 NAT Many to Many type As the above Figure 7 5 illustrated NAT Many to Many type means that many local PCs are translated into multiple public IP addresses when the packets are forwarded out through the MH 5001 Take Connection1 for example Its IP address and port are translated from 192 168 40 1 2933 to 61 2 1 1 2933 Until MH 5001 uses out of all source ports of the public 61 2 1 1 ...

Page 72: ...ddress translation Basic The MH 5001 automatically performs Many to One NAT for all LAN DMZ subnets Full Feature The MH 5001 can be manually configured with Many to One and Many to Many One to One and bidirectional One to One rules to do policy based NAT Table 7 4 NAT modes overview If you choose Full Feature mode of NAT at Table 7 4 you may need to edit the rule by yourself Then you must determin...

Page 73: ...seful when you have multiple public IPs in the WAN ports And you intended to map each local server to a unique public IP on the WAN port If you wish to specify a unique internal IP address to transfer a fixed external IP address You can specify the One to One type One to One bidirectional An internal host is fully mapped to a WAN IP address Notice that you must add a firewall rule to forward WAN t...

Page 74: ...50 0 24 in the Figure 8 1 The financial area is connected with a router which is inside the LAN1 port of MH 5001 So we need to add the configurations for the financial department 2 Refer to the Figure 8 1 description The bandwidth subscribed from ISP1 is insufficient so that some important traffic say the traffic from PCs belonging to the General Manager Room department 192 168 40 192 255 255 255 ...

Page 75: ...r the packets coming from General Manager Room department 192 168 40 192 255 255 255 192 through the ISP2 link 8 4 Steps 8 4 1 Add a static routing entry Step 1 Add a static routing rule Click the Add button to the next process Advanced Settings Routing Static Route Step 2 Fill out the related field Fill in the Destination and the Netmask field with 192 168 50 0 and 255 255 255 0 Assign the next h...

Page 76: ...able 8 1Add a static routing entry Step 3 View the result The static route has been stored After filling data completely view the static routing entries which have been set Advanced Settings Routing Static Route Step 4 View the routing table You can notice there is an extra routing entry in the routing table The indicated routing entry as right diagram is produced by static routing rule Device Sta...

Page 77: ...7 Fill out the related field For the General Manager Room department we need to set an extra policy routing entry for them So in the Status region make sure the Activate this rule is enabled and then fill in GenlManaRoom in the Rule name field In the Condition region we fill 192 168 40 192 in Source IP field Fill 255 255 255 192 in the Netmask field In the Action region fill forward to WAN1 with n...

Page 78: ...o configure source port Enabled Disabled No Type If we decide to configure source port we must choose the port to be single or range Single Range N A Src Port If we select single at above field we just have to fill a port in the first blank space If we select range at above field we need to fill the range of the ports 1 65534 N A Configure dest port Type Dest port If the service is TCP or UDP we c...

Page 79: ... 2 WAN static RIP route Default route Static route that is explicitly configured and entered into the routing table Static routes take precedence over routes chosen by dynamic routing protocols Routing information protocol RIP teaches routers on a wide area network which routers have access to which addresses This information is kept in a routing table on each router As routers communicate with ea...

Page 80: ...dit the firewall rule manually 3 Suppose the MSN policy cannot be used in your company from Monday to Friday 9 00 12 00 13 00 17 30 but user can use it any time after work The administrator needs to create the schedules to meet the policy requirement 9 3 Methods 1 You can configure the function under Basic Setup Books Address to group mutiple IP addresses into the an unigue group 2 You can configu...

Page 81: ...Address name The name of the address object Note that address name should be an alphanumeric value including dash and underscore _ can start with a letter only and please note it is case sensitive Spaces and other special characters are not allowed text string PC1_1 Address Type The address type of the object Subnet Range Host Host 192 168 40 1 Table 9 2 The field of the Address object Step 12 Vie...

Page 82: ...add them to the Members list To remove addresses from address group please select addresses from the Members list and then click left arrow You can add address groups to any interface The address group can only contain addresses from that interface Address group cannot have the same names as individual addresses If an address group is included in a firewall rule it cannot be deleted unless it is f...

Page 83: ...001 User Manual Chapter 9 IP Services grouping 80 Step 15 view the address group result According to our setting as previous steps the address group is shown as right diagram BASIC SETUP Books Address Group ...

Page 84: ...e MH 5001 predefined firewall services are listed as right diagram You can add these services to any firewall rule or you can add a service if you need to create a firewall rule for a service that is not in the predefined service list Select Insert to add a new service BASIC SETUP Books Service Objects ...

Page 85: ...col Type The protocol type of the service object TCP UDP ICMP TCP Configure Source Port Configure the source port if yes Enable Disable Enable Port type The service port type Single Range Single Port number The service port number text sting 1701 Configure Destination port Configure the destination port if any Enable Disable N A Table 9 5 The field of the Service objects Step 18 Add a service grou...

Page 86: ...ct Enter the Schedule name Select the Day you would like to active or inactive a firewall rule and then select the Start Stop time Click Apply to add the schedule object Suppose using MSN is forbidden in your company from 08 30 12 00 13 00 17 30 during Monday to Friday you have to add two schedule ranges 08 30 12 00 and 13 00 17 30 and then group them together in order for your company to make a f...

Page 87: ...es from the available schedules list and click right arrow to copy them to the Members list If you would like to remove the schedules from the members list just select the schedules and then click left arrow to remove them BASIC SETUP Books Schedule Groups Insert FIELD DESCRIPTION Range Format EXAMPLE Group Name The schedule group name Note that group name should be an alphanumeric value including...

Page 88: ...instantly block his traffic towards the Internet 5 A DMZ server was attacked by SYN Flooding attack and requires the MH 5001 to protect it 10 2 Objectives 1 Block the traffic from PC1_1 in LAN1 to the Internet in WAN1 2 Start the SYN Flooding protection Figure 10 1 Setting up the firewall rule 10 3 Methods 1 Add a LAN1 to WAN1 Firewall rule to block PC1_1 2 Start the SYN Flooding protection by det...

Page 89: ...eature will block the fragmented packets by the firewall of MH 5001 Warning Enable this feature will cause problem in some applications Enabled Disabled Disabled BUTTON DESCRIPTION Reset Rules Reset Firewall rules to the default status Apply Apply the settings which have been configured Table 10 1 Configure Firewall status Step 2 Add a Firewall Rule Select LAN1 to WAN1 traffic direction The defaul...

Page 90: ... packets whether Source IP is matched or not All the defined address objects and groups PC1_1 Dest IP Compared with the incoming packets whether Dest IP is matched or not All the defined address objects and groups WAN1_ALL Condition Service Verified the service of incoming packet is belong to each TCP UDP ICMP All the defined service objects and groups ANY Forward Block the matched session If pack...

Page 91: ...e indicated log event is bound for Action The status of indicated firewall log is Block or Forward Rule The log is produced by which firewall rule Default means the default rule of the selected firewall direction RM XXX means the log is produced by remote management function Almost it is the illegal user who wants to use the Non Opened remote management functions Other condition it will be marked ...

Page 92: ...of UDP packets that arrive at the same interface will block the further arriving UDP packets 500 ICMP Flooding The number of ICMP packets that arrive at the same interface will block the further arriving ICMP packets 10 Block all fragmented packets When enabled the firewall will drop any packets that have the fragment bit set in the IP header This will protect the internal network from fragmented ...

Page 93: ......

Page 94: ...ds at the factory and cannot easily be changed b Unregistered user accessing Through the MAC addresses registering administrator can prohibit those unregistered addresses passing through MH 5001 11 2 Objectives Use this mechanism to permit some specified MAC address passing through MH 5001 Other MAC addresses without permission will be blocked by MH 5001 11 3 Methods Binding the specified IP addre...

Page 95: ...erfaces LAN1 Table 11 2 Select the IP MAC Binding configured interface Step 9 Add a new IP MAC binding rule Add an IP MAC binding rule to allow our PC passing through the MH 5001 Otherwise our PC will be blocked by MH 5001 in the further steps Here the IP address 192 168 40 5 is the MAC address of our login PC Advanced Setting IP MAC binding Edit Rules Insert FIELD DESCRIPTION Range Format EXAMPLE...

Page 96: ...ough MH 5001 This rule type is useful for local PC using DHCP feature specially Suppose DHCP IP range of LAN1 interface is 192 168 40 100 to 192 168 40 119 Check Activate this rule checkbox Enter Rule name as LAN1_DHCP Select Allow Range in the Rule Type field and enter the Start IP as 192 168 40 100 and End IP as 192 168 40 119 Click Apply to store this setting Advanced Setting IP MAC binding Edi...

Page 97: ...for allowing passing through MH 5001 In this step we will change the IP MAC binding status to Block to prohibit invalid IP address to pass through MH 5001 Advanced Settings IP MAC Binding Edit Rules Step 13 Show the IP MAC binding rule After finishing the setting you can view the result as the right diagram shown Advanced Setting IP MAC binding Show Rules ...

Page 98: ...ated Terminology Explanation 12 2 1 VPN A VPN Virtual Private Network logically provides secure communications between sites without the expense of leased site to site lines A secure VPN is a combination of encryption tunneling authentication and access control used to transport traffic over the Internet or any insecure TCP IP networks 12 2 2 IPSec Internet Protocol Security IPSec is a standard ba...

Page 99: ... IKE SA Negotiation Mode The phase 1 Negotiation Mode you select determines how the Security Association SA will be established for each connection through IKE negotiations Main Mode ensures the highest level of security when the communicating parties are negotiating authentication phase 1 It uses 6 messages in three round trips SA negotiation Diffie Hellman exchange and an exchange of nonces a no...

Page 100: ...to internal system Tunnel mode is fundamentally an IP tunnel with authentication and encryption This is the most common mode of operation Tunnel mode is required for gateway to gateway and host to gateway communications Tunnel mode communication have two sets of IP headers Outside header The outside IP header contains the destination IP address of the VPN gateway Inside header The inside IP header...

Page 101: ...ec PPTP L2TP connections We need to open up the Firewall blocking port of MH 5001 in advance Here we provide a simple way You can through enable the IPSec PPTP L2TP pass through checkbox on this page Then the VPN connections of IPSec PPTP L2TP will pass through MH 5001 As well as MH 5001 will play the middle forwarding device role ADVANCED SETTINGS VPN Settings Pass Through ...

Page 102: ...d of the expensive private leased lines VPN can provide encryption and authentication to secure the tunnel that connects these two LANs Figure 13 1 Organization_1 LAN_1 is making VPN tunnel with Organization_2 LAN_2 13 2 Objectives 1 Let the users in LAN_1 and LAN_2 share the resources through a secure channel established using the public Internet 13 3 Methods 1 Separately configure WALL 1 and WAL...

Page 103: ... Encryption and Authenticate must be set the same on both MH 5001s However the Outgoing SPI at WALL 1 must equal to Incoming SPI at WALL 2 and the Outgoing SPI at WALL 2 must equal to Incoming SPI at WALL 1 Table 13 1 Compared IKE and Manual Key methods 13 4 Steps In the following we will separately explain the ways to set up a secure DES MD5 tunnel with IKE and Manual key DES MD5 IPSec tunnel the...

Page 104: ...RIPTION EXAMPLE IKE Use the IKE Internet Key Exchange method to negotiate the key used in building IPSec tunnel Selected Manual Key Use the key which you have been designated to build IPSec tunnel in peer VPN device Non selected BUTTON DESCRIPTION Prev Page If there are more than one action pages you can press Prev Page to back to the previous page Next Page If there are more than one action pages...

Page 105: ...d FIELD DESCRIPTION Range Format EXAMPLE Active This field will activate this IPSec policy rule Enable Disable Enabled Status IKE Rule Name The name of this IPSec policy text string Max 256 entries IKErule Local Address Type Determine the method to connect to the remote side of VPN by using the local subnet or the local single host Subnet Address Single Address Subnet Address IP Address The local ...

Page 106: ...y the items of the Encryption and Authentication Algorithms or execute separately We can select below items the Encryption and Authentication Algorithm combination or the below item Authentication Algorithm singly Here Encryption Algorithms include DES 64 bits 3DES 192 bits and AES 128 192 256 bits Authentication Algorithms include MD5 128 bits and SHA1 160 bits Encrypt and Authenticate DES MD5 En...

Page 107: ...nnels ANY TCP UDP TCP Enable Replay Detection Whether is the Replay Detection enabled NO YES NO Phase1 Negotiation Mode View only it is set previously and can not be edited again Can not be edited Main Pre Shared Key View only it is set previously and can not be edited again Can not be edited 1234567890 Encryption Algorithm Choose a type of encryption and authentication algorithm combination Encry...

Page 108: ...e AES MD5 Encrypt and Authenticate AES SHA1 Encrypt only DES Encrypt only 3DES Encrypt only AES Authenticate only MD5 Authenticate only SHA1 Encrypt and Authenticate DES MD5 SA Life Time Set the IPSec SA lifetime A value of 0 means IKE SA negotiation never times out See Chapter 12 for details 0 86400000 sec 0 1440000 min 0 24000 hour 28800 sec Perfect Forward Secrecy PFS Enabling PFS means that th...

Page 109: ...ze the Firewall rule Check the Activate this rule Enter the Rule Name as AllowVPN Source IP as WAN1_VPNA 192 168 88 0 and Dest IP as LAN1_VPNA 192 168 40 0 Click Apply to store this rule ADVANCED SETTINGS Firewall Edit Rules Insert Step 8 View the result Here we have a new rule before the default firewall rule This rule will allow packets from 192 168 88 0 255 255 255 0 pass through MH 5001 And ac...

Page 110: ...Local IP Address 192 168 88 0 255 255 255 0 and the Remote IP Address 192 168 40 0 255 255 255 0 Select the Outgoing interface of this Multi Homing Security Gateway Enter the public IP of the opposite side VPN gateway 61 2 1 1 in the Peer s IP Address Click the ESP Algorithm and select Encrypt and Authenticate DES MD5 Enter the Pre Shared Key as 1234567890 Click the Apply button to store the setti...

Page 111: ...NGS VPN Settings IPSec IKE Add Step 5 Add a Firewall rule Same as at WALL 1 We need to add an extra firewall rule to allow IPSec packets to come from Internet So here we select WAN1 to LAN1 direction and click Insert button ADVANCED SETTINGS Firewall Edit Rules Step 6 Customize the Firewall rule Check the Activate this rule Enter the Rule Name as AllowVPN Source IP as WAN1_VPNB 192 168 40 0 and De...

Page 112: ...les DES MD5 IPSec tunnel the Manual Key way In the previous section we have introduced IKE method Here we will introduce another method using Manual Key way instead of IKE to install WALL 1 At WALL 1 At the first we will use the Manual Key way to install the IPSec properties of WALL 1 Step 1 Enable IPSec Check the Enable IPSec checkbox and click Apply ADVANCED SETTINGS VPN Settings IPSec Step 2 Ad...

Page 113: ... field will activate this IPSec policy rule Enable Disable Enabled Status Manual Key Rule Name The name of this IPSec policy text string Max 2000 entries ManualKeyrule Local Address Type Determine the method to connect to the remote side of VPN by using the local subnet or the local single host Subnet Address Single Address Subnet Address IP Address The local IP address IPv4 format 192 168 40 0 Pr...

Page 114: ...ce You can not select both Encryption and Authentication NULL type Encryption DES 64bits 3DES 192bits AES 128 192 256bits NULL Authentication MD5 128bits SHA1 160bits NULL Input format hex 0 9 a f A F str text string ESP Encryption DES Authentication MD5 Action AH Authentication Use the Authentication method only And enter the key either hex or string form MD5 128bits SHA1 160bits Input format hex...

Page 115: ...PSec Manual Key Add Step 6 Add a Firewall rule Same as that in IKE method Please make sure that the Firewall is enabled Select WAN1 to LAN1 to display the rules of this direction The default action of this direction is Block with Logs We have to allow the VPN traffic from the WAN1 side to enter our LAN1 side So we click the Insert button to add a Firewall rule before the default rule ADVANCED SETT...

Page 116: ...accomplish the VPN tunnel establishment ADVANCED SETTINGS Firewall Edit Rules At WALL 2 Second we will use the Manual Key way to install the IPSec properties of WALL 1 Step 1 Enable IPSec Check the Enable IPSec checkbox and click Apply ADVANCED SETTINGS VPN Settings IPSec Step 2 Add a Manual Key rule Click the Manual Key hyperlink and click Add to add a new IPSec VPN tunnel endpoint ADVANCED SETTI...

Page 117: ... with the Incoming SPI in the Action part Besides set the Peer s IP Address with the WAN1 IP address of WALL 1 ADVANCED SETTINGS VPN Settings IPSec Manual Key Add Step 4 Remind to add a Firewall rule After finishing IPSec rule settings we need to add a firewall rule Here system shows a window message to remind you of adding a firewall rule Just press the OK button to add a firewall rule ADVANCED S...

Page 118: ...l rule before the default rule ADVANCED SETTINGS Firewall Edit Rules Step 6 Customize the Firewall rule Check the Activate this rule Enter the Rule Name as AllowVPN Source IP as WAN1_VPNB 192 168 40 0 and Dest IP as LAN1_VPNB 192 168 88 0 Click Apply to store this rule ADVANCED SETTINGS Firewall Edit Rules Insert Step 7 View the result Now we have inserted a new rule before the default firewall ru...

Page 119: ...ch office subnet LAN_2 through the public Internet instead of the expensive private leased lines VPN can provide encryption and authentication to secure the tunnel that connects these two LANs If the remote VPN peer has a dynamically assigned IP address DHCP or PPPoE like Organization_2 we have to use the Dynamic IPSec for the tunnel connection Figure 14 1 Organization_1 LAN_1 is making dynamic VP...

Page 120: ...P address type At WALL 1 At the first we will install the IPSec properties of WALL 1 For the related explanation please refer to Chapter 12 and Chapter 10 Step 1 Enable IPSec Check the Enable IPSec checkbox and click Apply ADVANCED SETTINGS VPN Settings IPSec Step 2 Add an IKE rule Click the IKE hyperlink and click Add to add a new IPSec VPN tunnel endpoint ADVANCED SETTINGS VPN Settings IPSec IKE...

Page 121: ...ply button to store the settings Note In the Action region It should choose either ESP Algorithm or AH Algorithm or system will show error message If you hope to set the detailed item of IKE parameter Click the Advanced button in this page Otherwise it is ok to just leave the value default Note that Peers Identifier must NOT be IP Address type in the Dynamic IP type So you have to select FQDN doma...

Page 122: ... make sure that the Firewall is enabled Select WAN1 to LAN1 to display the rules of this direction The default action of this direction is Block with Logs We have to allow the VPN traffic from the WAN1 side to enter our LAN1 side So we click the Insert button to add a Firewall rule before the default rule ADVANCED SETTINGS Firewall Edit Rules Step 7 Customize the Firewall rule Check the Activate t...

Page 123: ... ADVANCED SETTINGS Firewall Edit Rules At WALL 2 Here we will install the IPSec properties of WALL 2 Note that the Local Address and Remote address field are opposite to the WALL 1 and so are My IP Address and Peer s IP Address field Step 1 Enable IPSec Check the Enable IPSec checkbox and click Apply ADVANCED SETTINGS VPN Settings IPSec Step 2 Add an IKE rule Click the IKE hyperlink and click Add ...

Page 124: ...1234567890 Select User FQDN mailbox and enter planet com tw in My Identifier field Click the Apply button to store the settings Note in the Action region you should choose either ESP Algorithm or AH Algorithm or system will show error message Note that one of the Peer s IP Addresses is Static IP and the other must be the Dynamic IP while using Dynamic IPSec VPN type to establish the VPN tunnel ADV...

Page 125: ...ze the Firewall rule Check the Activate this rule Enter the Rule Name as AllowVPN Source IP as WAN1_VPNB 192 168 40 0 and Dest IP as LAN1_VPNB 192 168 88 0 Click Apply to store this rule ADVANCED SETTINGS Firewall Edit Rules Insert Step 7 View the result Now we have inserted a new rule before the default firewall rule Any packets from 192 168 40 0 24 to 192 168 88 0 24 will be allowed to pass thro...

Page 126: ...es which communicates using a hub and spoke VPN configuration The main office is the hub where the VPN tunnels terminate while Branch_1 and Branch_2 are the spokes The Main office has a VPN tunnel to each branch office Branch_1 and Branch_2 has its own VPN tunnel to the hub Figure 15 1 The Topology of the VPN Hub Main Office and VPN Spoke Branch offices 15 2 Objectives 1 Using the VPN hub we can c...

Page 127: ...on Status Active Enable Enable Enable Enable IKE Rule Name IKEVpnA IKEVpnB IKEMainVPN IKEMainVPN Condition Local Address Type Subnet Address Subnet Address Subnet Address Subnet Address IP Address 192 168 1 0 192 168 1 0 192 168 40 0 192 168 88 0 PrefixLen Subnet Mask 255 255 255 0 255 255 255 0 255 255 255 0 255 255 255 0 Remote Address Type Subnet Address Subnet Address Subnet Address Subnet Add...

Page 128: ...e sure to add the addresses first Please make sure that the Firewall is enabled Select WAN1 to WAN1 to display the rules of this direction The default action of this direction is Block with Logs We have to allow the VPN traffic from the WAN1 side to enter another WAN1 side So we click the Insert button to add a Firewall rule before the default rule ADVANCED SETTINGS Firewall Edit Rules Step 9 Cust...

Page 129: ...l is the IPSec tunnel which you have finished setting before Please refer the Table 15 1 IPSec tunnel information ADVANCED SETTINGS VPN Settings VPN Hub Add Configuring the VPN Spoke for the Branch_1 Step 12 Add a Firewall rule Suppose Brach_1 Office has already added a VPN tunnel to communicate with the Main Office Now the Branch_1 has to add a firewall rule to allow IPSec packets to come from Ma...

Page 130: ...oke in Branch_1 Select Add to add a VPN Spoke Enter a name in the Spoke Name field Enter the Local IP Address Subnet Mask and Remote Address IP Address Subnet Mask Select the VPN tunnel which is established to connect Branch_1 and Main Office Note the Tunnel of Action is the IPSec tunnel which you have finished setting before Please refer the Table 15 1 IPSec tunnel information ADVANCED SETTINGS V...

Page 131: ...side to enter our LAN1 side So we click the Insert button to add a Firewall rule before the default rule ADVANCED SETTINGS Firewall Edit Rules Step 17 Customize a Firewall rule Enter the Rule Name as AllowVPN Source IP as Hub Spoke1 Hub 192 168 1 0 Spoke_1 192 168 40 0 and Dest IP as Spoke_2 192 168 88 0 Click Apply to store this rule ADVANCED SETTINGS Firewall Edit Rules Insert Step 18 Add a VPN ...

Page 132: ...MH 5001 User Manual Chapter 15 Virtual Private Network Hub and Spoke VPN 129 Step 19 View the added VPN Spoke You can view the added VPN spoke here ADVANCED SETTINGS VPN Settings IPSec IKE Add Advanced ...

Page 133: ......

Page 134: ... inconvenience for the employee to work remotely 2 In our branch office we need to provide PPTP connection methods to connect back to headquater for the internal company employees 16 2 Objectives 1 With PPTP tunneling emulate the mobile employee as a member in LAN1 after he dials in the corporate network Then he can access all computers in LAN_1 just as if he stays in the office covered by LAN1 2 ...

Page 135: ...P of the WALL 1 192 168 40 254 in the Local IP and enter the IP range that will be assigned to the PPTP clients in the Start IP and the End IP fields Enter the Username and Password that will be used by the employees during dial up Click the Apply to finish configurations ADVANCED SETTINGS VPN Settings PPTP FIELD DESCRIPTION EXAMPLE Enable PPTP Server Enable PPTP feature of the MH 5001 Enabled Loc...

Page 136: ... from the Data Encryption and click Apply 4 Select the Properties Networking tab 5 Select PPTP VPN from the VPN Type Make sure the following are selected TCP IP QoS Packet Scheduler 6 Select Apply Step 2 Setup Windows XP 2000 PPTP clients Note that in the MH 5001 release II version both PPTP and L2TP can support MPPE In other words you can choose Require data encryption while a client computer run...

Page 137: ... Enabled Server IP The IP address of PPTP server 61 2 1 1 Username The designed account which allows PPTP client to dial in PptpUsers Password The designed password which allows PPTP client to dial in Dif3wk Assigned IP The allocated IP address when PPTP client connects to the PPTP server 192 168 40 180 Table 16 2 Setup PPTP Client settings ...

Page 138: ...e to work remotely 17 2 Objectives 1 With L2TP tunneling emulate the mobile employee as a member in LAN_1 after he dials in the corporate network Then he can access all computers in LAN_1 just as if he stays in the office covered by LAN_1 Figure 17 1 L2TP method connection 17 3 Methods 1 Setup the L2TP server at WALL 1 the MH 5001 LNS L2TP Network Server After dialing up to MH 5001 MH 5001 will as...

Page 139: ... EXAMPLE Enable L2TP LNS Enable L2TP LNS feature of MH 5001 Enabled Local IP The Local IP is the allocated IP address in the internal network after default gateway of L2TP client dials in the MH 5001 192 168 40 254 Start IP The Start IP is the allocated starting IP address in the internal network after L2TP client dials in the MH 5001 192 168 40 200 End IP The End IP is the allocated ending IP add...

Page 140: ...elease II version both PPTP and L2TP can support MPPE In other words you can choose Require data encryption while a client computer running Windows XP 2000 However this release II version will not support MS CHAP you have to check MS CHAPv2 checkbox if you would like to require data encryption Editing Windows Registry The default Windows 2000 L2TP traffic policy does not allow L2TP traffic without...

Page 141: ...al Chapter 17 Remote Access VPN L2TP 138 Connecting to the L2TP VPN 1 Connect to your ISP 2 Start the dial up connection configured in the previous procedure 3 Enter your L2TP VPN User Name and Password 4 Select Connect ...

Page 142: ...MH 5001 User Manual Chapter 17 Remote Access VPN L2TP 139 ...

Page 143: ...thod to achieve this target In the previous chapter we have introduced the DS 601 client method In this chapter we will provide another method to use Windows client solution 18 3 Methods As the Figure 18 1 illustrated we need to setup the IPSec feature of WALL 1 the MH 5001 at company first On the other hand we have to setup the related IPSec setting in the Windows client at employee s side so tha...

Page 144: ...nt to MH 5001 please refer 18 4 6 description 6 Configure a rule for MH 5001 to WinXP client please refer 18 4 7 description 7 Enable the security settings please refer 18 4 8 description 18 4 Steps 18 4 1 MH 5001 Setup Step 20 Add an IPSec rule At the MH 5001 side we need to add an IPSec policy to establish IPSec tunnel with WinXP client Enter the related IPSec parameter in the suitable field Not...

Page 145: ...TTINGS VPN Settings IPSec IKE Add Advanced Step 22 Warning message Here appears a warning message to remind you to add a firewall rule which can allow IPSec traffic into the MH 5001 because the WAN to LAN traffic of the MH 5001 by default is blocked ADVANCED SETTINGS VPN Settings IPSec IKE Add Apply Step 23 Finish adding an IPSec rule Finally we have added an IPSec rule shown as the right diagram ...

Page 146: ...llow the local area of remote side to pass through the device Please refer 錯誤 找不到參 照來源 for the full description and examples N A 18 4 2 Create a custom MMC console Step 25 Run mmc From Windows desktop go to Start Run and in the Open textbox type mmc click OK Step 26 Add Snap in On the Console window click Add Remove Snap In Step 27 Add a Standalone Snap in In the Add Remove Snap In dialog box clic...

Page 147: ...dd Step 29 Verify the Local Computer is selected Verify that Local Computer default setting is selected and click Finish Step 30 Add Group Policy snap in In the Add Standalone Snap in dialog box click Group Policy and then click Add Step 31 Verify the Local Computer is selected Verify that Local Computer default setting is selected in the Group Policy Object dialog box and then click Finish ...

Page 148: ...ick Add Step 33 Select Computer account In the Certificates snap in dialog box select Computer account and click Next Step 34 Verify the Local Computer is selected Verify that Local Computer default setting is selected and click Finish Step 35 Close the Add Remove Snap in windows Close the Add Standalone Snap in dialog box And then close the Add Remove Snap in dialog box ...

Page 149: ...mponents in the mmc console 18 4 3 Create an IPSec policy Step 37 Run secpol msc From Windows desktop go to Start Run and in the Open textbox type secpol msc And then click OK Step 38 Create IP Security policy Select Action Create IP Security policy to add security policy Step 39 Enter policy name Click Next and type a name for your policy For example WinXP to MH 5001 tunnel ...

Page 150: ...xt Step 41 Finish the IP Security policy creation Keep the Edit properties check box selected and click Finish Step 42 Edit policy properties A dialog window will bring up for you to configure two filter rules for this policy Click General tab and click Advanced button to setup IPSec phase1 parameters Step 43 Key Exchange Settings Click Methods to proceed ...

Page 151: ... Section 18 4 1 therefore we delete the extra 3 items and only remain the item that matches our IPSec settings of the MH 5001 Step 45 Remain the corresponding item For this example we remain the item of DES MD5 and DH1 combinations 18 4 4 Add a filter rule from WinXP to MH 5001 Step 46 Add a new filter rule In the tunnel properties uncheck Use Add Wizard check box and click Add to create a new rul...

Page 152: ...lter list e g WinXP to MH 5001 uncheck Use Add Wizard check box and click Add Step 49 Edit the address of filter properties In the Source address choose A specific IP Address and enter the IP address of WinXP ex 211 54 27 6 In the Destination address choose A specific IP Subnet and enter the IP address and Subnet mask of the local subnet ex 192 168 40 0 255 255 255 0 Uncheck Mirror check box Click...

Page 153: ...k the Protocol tab Leave the protocol type to Any Step 51 Edit the description of filter properties Click the Description tab You can give a name for this filter list The filter name is displayed in the IPSec monitor when the tunnel is active Step 52 Finish the creation of IP filter list Click OK and Close these windows ...

Page 154: ...r list Type a name for the filter list e g MH 5001 to WinXP uncheck Use Add Wizard check box and click Add Step 55 Edit the address of filter properties In the Source address choose A specific IP Subnet and enter the IP address and Subnet mask of the local subnet ex 192 168 40 0 255 255 255 0 In the Destination address choose A specific IP Address and enter the IP address of WinXP ex 211 54 27 6 U...

Page 155: ...ick the Protocol tab Leave the protocol type to Any Step 57 Edit the description of filter properties Click the Description tab You can give a name for this filter list The filter name is displayed in the IPSec monitor when the tunnel is active Step 58 Finish the creation of IP filter list Click OK to close the window ...

Page 156: ...two IP filter lists for the WinXP IPSec use Select the first filter list you have created above from the IP Filter List such as WinXP to MH 5001 Step 60 Tunnel Settings Click Tunnel Setting tab enter the remote endpoint For this filter list the remote IPSec endpoint is MH 5001 61 2 1 1 Step 61 Connection Type Click Connection Type tab and then click All network connections ...

Page 157: ...f Security Methods Leave Negotiate security as checked and uncheck Accept unsecured communication but always respond using IPSec check box You must do this to ensure secure connections Click Add to proceed Step 64 Setting the Security Method Select Custom for expert users if you want to define specific algorithms and session key lifetimes Please make sure the settings match whatever we had configu...

Page 158: ... algorithms and DES encryption algorithm Fill the new key generation rate ex 28800 sec Note that the settings of this page must match the settings of IPSec phase2 at MH 5001 Step 66 New Filter Action Properties Click the General tab Give a name to the filter action For example DES MD5 and click OK Step 67 Filter Action Select the filter action DES MD5 you just created ...

Page 159: ...s tab and then click Add Step 69 Select the authentication methods Select Use this string pre shared key option And enter the string 1234567890 in the text box Step 70 Delete Kerberos method Delete the original Kerberos method Just select the Preshared Key we defined before Click Close to finish the WinXP to MH 5001 Rule settings ...

Page 160: ...onfigure the rule of MH 5001 to WinXP client Click Add to add a new IP filter rule Step 72 Select IP filter list Click the IP Filter List tab Select the filter list you created above from the IP Filter List MH 5001 to WinXP Step 73 Tunnel Settings Click Tunnel Setting tab and then enter the remote endpoint For this filter list the remote IPSec endpoint is WinXP 211 54 27 6 ...

Page 161: ...ection Type tab and then click All network connections Step 75 Filter Action Click Filter Action tab and then select the filter action DES MD5 you just created Step 76 Authentication Methods Click Authentication Methods tab select the Preshared Key we defined before Click OK to finish the rule creation ...

Page 162: ...etely as the figure listing Click Close to finish the settings 18 4 8 Enable the security settings Step 78 Assign the security policy Use the pop up menu to assign the security rule which we have configured Step 79 Finish all the settings of WinXP After the above configurations now you can use WinXP to connect back to the local company behind the MH 5001 device ...

Page 163: ... 1 Use web filter functionality to avoid users browsing the forbidden web site 1 As the above Figure 19 1 illustrates someone PC1_1 is browsing the web pages at the WebServer3 The contents of the web pages may include cookies Java applets Java scripts or ActiveX objects that may contain malicious program of users information So we wish to prohibit the user PC1_1 from downloading the forbidden comp...

Page 164: ...link while degrading the efficiency of normal working hours So we wish to prohibit the user PC1_1 from viewing the page on the forbidden web site 19 2 Objectives 1 Remove the cookies Java applet Java scripts ActiveX objects from the web pages 2 Prevent users from connecting to the forbidden sites 19 3 Methods 1 Setup content filtering for web objects such as cookies and Java applets 2 Setup conten...

Page 165: ...ess control is shift to the Web Filter Namely if you block someone to access the web at the WAN side after enabling the web filter he can resume accessing the web until you set a content filter rule to block it ADVANCED SETTINGS Content Filters Web Filter Web Step 3 Further Customize the local zones You can configure to what range the filters will apply to the local zones By default the web filter...

Page 166: ...N Apply Apply the above selected Exempt Computers radius button Add Add the specified IP range which filled in the above Range From field Reset Clean the filled data and restore the original one Delete Delete the specified IP range which filled in the above Range From field Table 19 2 Web Filter Exempt Zone setting page Step 4 Customize the specified sites Check the Enable Filter List Customizatio...

Page 167: ...rusted Domains Domain Here we can specify the Trusted Domains for the above item using You can enter either domain name or IP address Note if the domain name can not be resolved by the DNS server the domain name entry will be ignored Another issue is that if there are a lot of domain names in Customize area name resolving will take longer time on Web Filter starting up Max 256 entries www planet c...

Page 168: ...e contents about the URL will be block text string Max 256 entries sex BUTTON DESCRIPTION Apply Apply the setting which configured on the checkbox Add Add the Keyword to the list Delete Delete the selected keyword from the list Table 19 4 Web Filter URL Filter setting page Step 6 Customize Categories With the built in URL database MH 5001 can block web sessions towards several pre defined Categori...

Page 169: ...eatures to block the objects Click the Apply button at the bottom of this page Use PC1_1 to browse the web page to see if the objects are blocked If the objects still exist the objects may be cached by the browser Please clear the cache in the web browser close the browser reopen the browser and connect to the web page again ADVANCED SETTINGS Content Filters Web Filter Features FIELD DESCRIPTION E...

Page 170: ...n the pages Limit at 3 matches means that the webpages will be blocked as long as any of the added keywords appear equal or more than three times Enable Disable Integer Enabled 3 matches Keyword Specify the keyword that you want to block test string Max 256 entries sex violence blood BUTTON DESCRIPTION Apply Apply the settings which have been configured Add Add the Keyword to the list Delete Delet...

Page 171: ... choose enforce all computers include specified computers and exclude specified computers LAN 5 Web Filter Customize We can use the Customize domain to indicate the Trusted Forbidden destination There are two items for your choice We can specify which URL domain names are trusted and which ones are forbidden separately Warning Customize will not work on the proxy connections Internet web server 6 ...

Page 172: ...eyword If the web page contains the components included activex java javascript cookie which indicated in Web Filter Web or the keywords indicated in Web Filter Keyword The forbidden components will be taken off from the web page by web filter Web page contents Table 19 8 web filter features priority ...

Page 173: ......

Page 174: ...AN1 towards the mail server in DMZ1 or in WAN1 to block the suspicious attachments like vbs exe etc extension files 2 Setup POP3 filters for incoming emails from a mail server in WAN1 or in DMZ1 to PC_1 in LAN1 to append a bin to all suspicious attachments like vbs exe etc extension files 3 Setup IMAP filters for incoming emails from a mail server in WAN1 or in DMZ1 to PC_1 in LAN1 to append a bin...

Page 175: ... Click the Anti Virus hyperlink Check Enable SMTP POP3 IMAP checkbox and then click Apply button ADVANCED SETTINGS Content Filters Mail Filters Anti Virus Step 2 Message alert After applying Anti Virus there will be a message SMTP Anti Virus enabled Please setup SMTP Relay to do access control of the target mail server to notify you to setup SMTP Relay ADVANCED SETTINGS Content Filters Mail Filter...

Page 176: ...sing built in virus patterns Note that the filename to block cannot contain the marks such as 20 5 Steps for Anti Spam Step 1 Enable Anti Spam Click the Anti Spam hyperlink Check Enable SMTP POP3 IMAP checkbox and then click Apply button ADVANCED SETTINGS Content Filters Mail Filters Anti Spam Step 2 Message alert After applying Anti Spam there will be a message SMTP Anti Spam enabled Please setup...

Page 177: ...zzy intelligence Note that you cannot duplicate the email addresses in the black list or white list For example if you have already added the email sex abc com in the black list you can repeat it neither in the black list nor in the white list 20 6 Steps for SMTP Relay Step 1 SMTP Relay When enabled SMTP Relay function MH 5001 will do relay with the following two steps Step 1 Relaying all emails m...

Page 178: ...nt Filtering Mail Filters 175 Step 2 Apply SMTP Relay When you apply the SMTP Relay the IP addresses of the LAN and DMZ interfaces will be shown on the IP Subnet List automatically ADVANCED SETTINGS Content Filters Mail Filters Anti Spam ...

Page 179: ...download big MP3 files and cause waste of bandwidth 21 2 Objectives 1 Forbid PC1_1 from downloading MP3 files with FTP 21 3 Methods 1 Setup the filename extension of the forbidden types of file that are not allowed to be transmitted using standard FTP port 2 Let PC1_1 download a MP3 file from the FTPServer3 to see if the session is blocked Figure 21 1 Use FTP filter functionality to avoid user dow...

Page 180: ...on Name in the Blocked Type field Click the Add button to apply the change Now users in LANs can never download any mp3 files Note that the filename to block cannot contain the marks such as ADVANCED SETTINGS Content Filters FTP Filter FTP Add FIELD DESCRIPTION Range Format EXAMPLE Name Fill in the file extension or exact filename text string Max 40 entries mp3 Blocked Type Extension Name When the...

Page 181: ...mpt Zone Add a new Exempt Zone record It s IP address range is between 192 168 40 10 to 192 168 40 30 ADVANCED SETTINGS Content Filters FTP Filter FTP Exempt Zone Add FIELD DESCRIPTION Range Format EXAMPLE From Address Exempt zone record IP address from Max 20 entries 192 168 40 10 To Address Exempt zone record IP address to Max 20 entries 192 168 40 30 Table 21 3 FTP Filter add an exempt zone ent...

Page 182: ...r Manual Chapter 21 Content Filtering FTP Filtering 179 Step 5 Show the Exempt Zones Here we can discover that new added Exempt Zone record is appeared ADVANCED SETTINGS Content Filters FTP Filter FTP Exempt Zone ...

Page 183: ...ic Block Yes No Normalized port Block No Yes Figure 22 1 IM Management design principle As Figure 22 1 illustrates L7 Firewall is designed to manage IM P2P Remote Access applications Whatever the TCP protocol or a proxy server such as HTTP SOCKS may be used by a certain application to attempt to deceive administrator it will be recognized by MH 5001 22 3 Methods The L7 firewall can be enabled by c...

Page 184: ...irewall Select Allow Block Allow only at port in the Action field for the applications If you will not manage a certain application please select or leave it as That will make MH 5001 keep its good performance Click Apply button to apply the settings Note the MH 5001 screen displays the manageable applications according to the updatable database frequently ADVANCED SETTINGS L7 Firewall Status ...

Page 185: ...an manage currently IM P2P applications Chat MSN Chat Yahoo Chat ICQ Chat AOL Action The action for MH 5001 to do when user implements the chosen applications If you select it means that MH 5001 will skip the chosen protocol Allow Block Allow only at port Allow only at port 1863 Allow only at port 5050 Allow only at port 5190 Allow only at port 5190 Table 22 1 The IM Users 22 4 1 View L7 Firewall ...

Page 186: ...h as SNMP Web and FTP services in your DMZ 23 2 Objectives 1 Detect any attacks towards your DMZ servers 2 Instantly notify your network administrators what attacks have been detected Figure 23 1 Some crackers in the Internet would try to hack your company 23 3 Methods 1 Specify where to put Web server and let the IPS on the MH 5001 prevent the network from the attacks 2 Setup logs to send mails t...

Page 187: ...cks will only trigger alerts ADVANCED SETTINGS IPS IPS Status Step 3 Consult Signature based IPS You can consult signature based attack shown as right diagram The signature based IPS can be sorted by groups Select DOS to list all DOS category attacks See Table 23 1 for the details ADVANCED SETTINGS IPS Signature Step 4 Consult Anomaly based IPS You can consult anomaly based attacks shown as right ...

Page 188: ...ID systems represent signatures in different ways It uses a database table to store the state of the finite state machines representing possible attacks in progress MH 5001 has a complete attack database to provide you a corporate wide real time protection Anomaly based IPS Anomaly based IPS captures all the headers of the IP packets running towards the network From this it filters out all known a...

Page 189: ...t and explains how to implement it 24 1 Demands Figure 24 1 Use bandwidth management mechanism to shape the data flow on the downlink direction 1 As the above Figure 24 1 illustrated we hope LAN_1 users can watch the Video Stream Server smoothly Besides we hope LAN_1 users can access the web server located at DMZ region more faster ...

Page 190: ...net This occupies the bandwidth of PCs who are watching the video provided by the Video Stream Server 140 113 179 4 causing the video to be blocked and to have poor quality So we hope to guarantee the video quality of the LAN_1 PCs which are accessing Video Stream Server The total bandwidth of ANY to LAN1 direction is 100 Mbps The bandwidth of LAN1 interface is 100 Mbps Here we will make sure that...

Page 191: ... 1000kbps 1 1000kbps Enabled Web from DMZ guaranteed bandwidth At least 50Mbps 50 50Mbps Enabled Table 24 1 Bandwidth management action assignment from ANY to LAN1 2 As the following Table 24 2 listed Partition the outbound bandwidth total 1 544Mbps into two classes the LAN_1 to LAN_2 40 617 kbps and the E commerce 20 308kbps classes Besides set the E Commerce to be able to borrow from other bandw...

Page 192: ...ls such as ICMP TCP ACKs The default class is the default action of non matched packets The default class can be recursively partitioned into more classes The classes are organized as a tree Click Create Sub Class to partition the default class ADVANCED SETTINGS Bandwidth Mgt Edit Actions FIELD DESCRIPTION Range Format EXAMPLE Edit __ to __ classes Select the direction of action which you are goin...

Page 193: ... Mgt Edit Actions Create Sub class FIELD DESCRIPTION Range Format EXAMPLE Activate this class Enable the bandwidth management class for later using Enable Disable Enabled Class name Bandwidth management class name text string web from WAN Bandwidth How many percentage does this class occupy higher class 0 1 Max Value as red text described 0 3 Borrow When the bandwidth of other class is idle it wil...

Page 194: ...AN queue and scheduled out at 300kbps bandwidth Click Apply to store the changes Repeat the same procedure for the video from WAN class ADVANCED SETTINGS Firewall Edit Rules Insert Forward Block the matched session If packet is matched the rule condition Forward or Block this matched packet Forward Block Forward Don t log Log the matched session If packet is matched the rule condition Log or Don t...

Page 195: ...lable bandwidth ADVANCED SETTINGS Firewall Edit Rules Step 8 Add DMZ to LAN1 rule Here we will add another rule web from DMZ Select DMZ1 to LAN1 direction ADVANCED SETTINGS Firewall Edit Rules Step 9 Customize the rule Setup the web from DMZ rule Select the defined Source IP Dest IP It means that if the packets come from DMZ and targeted LAN1 region we do not need to care about its source dest IP ...

Page 196: ...h Management Check the Enable Bandwidth Management checkbox click the Apply ADVANCED SETTINGS Bandwidth Mgt Status Step 2 Setup the WAN1 Link Select ANY to WAN1 to setup traffic that will be transmitted by the WAN1 interface Enter the WAN1 interface bandwidth as 1544kbps Click the Apply button to enforce the WAN1 link bandwidth to be 1544kbps Then click Create Sub Class to partition the default cl...

Page 197: ...agram ADVANCED SETTINGS Bandwidth Mgt Edit Actions Create Sub Class Step 4 Setup LAN1 to WAN1 Rules Select LAN1 to WAN1 to display the rules There is a pre defined rule that matches all traffic into the default class Click Insert to insert a rule before the default rule ADVANCED SETTINGS Firewall Edit Rules Step 5 Customize the Rules Enter a rule name such as outVPN select the defined Source IP as...

Page 198: ... packets into the E Commerce queue 308 kbps outVPN matched packets into the LAN_1 to LAN_2 queue 617 kbps Here we reserve 40 WAN1 bandwidth for the LAN_1 to LAN_2 VPN data to guarantee the data communication between VPN The other traffic will be put into the def_class queue any available bandwidth ADVANCED SETTINGS Firewall Edit Rules ...

Page 199: ...MH 5001 now supports outbound WAN load balancing Inbound load balancing will be supported in a very near future 25 2 Objectives The traffic from LAN_1 and LAN_2 towards the Internet are intelligently outbound load balanced between the WAN links However traffic from DMZ_1 towards the Internet will be decided by the inbound load balancing module 25 3 Methods The outbound WAN load balancer module wil...

Page 200: ... WAN1 and LAN2 to WAN2 rules Otherwise the traffic may be blocked by the firewall rules accidentally due to the load balancing decision ADVANCED SETTINGS Firewall Edit Rules Step 2 Enable outbound WAN load balancer Check the Enable Outbound WAN Load Balancer checkbox click the Apply ADVANCED SETTINGS Load Balancer Outbound Note that the priority among the policy route static route and WAN load bal...

Page 201: ......

Page 202: ...t 26 1 Demands Figure 26 1 Use High Availability mechanism to let network connection continually 1 As the above Figure 22 1 illustrates your company is afraid that the firewall may be crashed someday so it needs a backup system to let the network connection continually High Availability makes it possible to let the network in your company operate smoothly ...

Page 203: ...vices crashed simultaneously the one which reboots faster will action as Active mode and the other will be in Standby mode 26 4 Steps 26 4 1 Setup High Availability Step 1 Enable High Availability Check the Enable High Availability checkbox Select the Action Mode as Active if it is the primary device and Standby for the secondary device And then configure the other HA device Select which interface...

Page 204: ...onfiguration file successfully the device will rebooting now and stay in standby mode ADVANCED SETTINGS High Availability Status Step 3 Show the message in Console When Primary device crashed the messages like the right diagram will appear to tell you that this device will be in Standby mode after rebooting Step 4 Check the Device status You can see the status of the device in Standby mode here ...

Page 205: ...tegrated interface 27 3 Methods 1 Through DEVICE STATUS System Status path we can get the needed information 27 4 Steps Step 1 System Status Here we can see the system information include system name firmware version and the full list of each port settings DEVICE STATUS System Status System Status Step 2 Network Status We can know the port status here whether the port is up or down and view the am...

Page 206: ...tform ex windows After installing JRE properly you will see the CPU Memory graphic as right side DEVICE STATUS System Status CPU Memory Step 4 DHCP Table Through the DHCP Table we can recognize which IP has been allocated by the DHCP server And know which pc MAC address has been leased this IP address DEVICE STATUS System Status DHCP Table Step 5 Routing Table Click the Routing Table to see the ro...

Page 207: ...ns of transmitted bytes amount These front 20 sessions were sorted by the amount of transmitted bytes DEVICE STATUS System Status Top20 Sessions Step 8 IPSec Sessions If we use the IPSec to establish VPN with other device then we can view the IPSec tunnel information in this page DEVICE STATUS System Status IPSec Sessions ...

Page 208: ...port of MH 5001 28 3 Methods 1 Through tracking the system logs you can distinguish which administrated action is valid or not 2 Use the syslog server to receive mail or edit the Mail Logs page of MH 5001 Make the log mailed out automatically every periodic time 28 4 Steps 28 4 1 System Logs Step 1 View System Logs All the system administrated actions will be log in this page For the detailed info...

Page 209: ... Mail Log method Fill in the IP address of the Mail Server and Mail Subject Also fill your E Mail address for receiving logs Select the preferred Log Schedule to mail out logs Click the Apply button to finish the settings Notice If the logs were sent out to the mail server they will be deleted by the MH 5001 DEVICE STATUS Log Config Mail Logs FIELD DESCRIPTION EXAMPLE Enable Mail Logs Enable the M...

Page 210: ...MH 5001 User Manual Chapter 28 Log System 207 Test test the mail logs configuration in this page Table 28 3 Setup the Mail Logs ...

Page 211: ...ne may want to reset the firmware to factory default due to loss of password firmware corrupted configuration corrupted Since MH 5001 does not have a reset button to prevent careless pressing of it factory default has to be set with web GUI or console terminal Of course when you loss the password you have to use CLI only because you can never enter the web GUI with the lost password 3 Anthoer issu...

Page 212: ...55 0 MH 5001 Step 2 Upgrade firmware Enter IP tftp upgrade image 192 168 1 x MH 5001 ver bin After this procedure MH 5001 device will reboot automatically Notice if you want to preserve the previous configuration add the preserve keyword to the end Refer Appendix A for the details MH 5001 ip tftp upgrade image MH 5001 1 602 ALL bin 192 168 1 170 preserve Fetching from 192 168 1 170 for MH 5001 1 6...

Page 213: ... Steps for Database Update from Web GUI Step 1 Update database manually If a new firmware issued we can download it by clicking the Update button Then we will see the database version shown on the left side Step 2 Auto Update We can also update database automatically Fill the database server s IP address in the Update Center field Choose what date time we would like to update the database and then...

Page 214: ...I mode Enter sys resetconf now to reset the firmware to factory default Then the system will reboot automatically NetOS i386 MH 5001 tty00 login admin Password Welcome to MH 5001 Multi Homing Security Gateway MH 5001 en MH 5001 sys resetconf now Resetting Configuration to default DONE System will reboot now syncing disks done rebooting 29 5 3 Steps for EMERGENT factory reset Step 1 Enter the boot ...

Page 215: ... Press the Save button in this page to keep the running configuration SYSTEM TOOLS System Utilities Save Configuration 29 7 Steps for Backup Restore Configurations Step 1 Backup the current configuration Before backup your current configuration make sure you have saved your current configurations as described in Section 29 6 Then select page in the page of System Tools System Utilities Backup Conf...

Page 216: ... 10 25 11 CST 2004 Press TAB to prompt starting in 0 Type boot rescue to load safe mode kernel to 1 rescue corrupted firmware 2 reset password for admin type or help for help Step 2 Get the Initial Key Enter boot I command as right side When screen shows Enter Initial Key you can consult with your local technical supporter to get the Initial Key You will need to tell the local technical supporter ...

Page 217: ...rt Step 1 Enable remote management TELNET Check the selected port located in the telnet function And customize the server port which is listened by telnet service SYSTEM Tools Remote Mgt TELNET Step 2 Enable remote management SSH Check the selected port located in the ssh function And customize the server port which is listened by ssh service SYSTEM Tools Remote Mgt SSH A 2 CLI commands list Norma...

Page 218: ...00 255 255 255 0 Configure the IP address of each port ping ip ping 202 11 22 33 Send ICMP echo request messages tftp upgrade backup ip tftp upgrade image FILENAME 192 168 1 170 Upgrade Backup firmware configuration from to tftp server About the full description please refer to Section A 3 traceroute ip traceroute 202 11 22 33 Trace route to destination address or hostname sys Configure system par...

Page 219: ...s FILENAME Upgrade configuration file image name preserve string preserve this is optional A 3 CLI commands list Rescue Mode If the original firmware was damaged by some accidents you may need to recover it with the factory reset process in the rescue mode Boot the MH 5001 and press tab or space during the 2 second countdown process You may refer Section 29 5 3 for details Non privileged mode Main...

Page 220: ...ww yam com tw ifconfig ip ifconfig INTF1 192 168 1 100 255 255 255 0 Configure the ip address of each port ping ip ping 202 11 22 33 Send ICMP echo request messages tftp ip tftp upgrade image FILENAME 192 168 1 170 Upgrade firmware from tftp server sys Configure system parameters halt sys halt now Shutdown system reboot sys reboot now Reboot system resetconf sys resetconf now Reset system configur...

Page 221: ......

Page 222: ...dress port 1 65535 exists or not If existing any virtual server rule like this type it will make all the connections from WAN1 port outside relay to another server Actually what you have pinged is another server not MH 5001 e Check whether NAT One to One bidirectional rule Translated Src IP WAN1 IP address port 1 65535 exists or not If existing any virtual server rule like this type it will make a...

Page 223: ... LAN policy in the Advanced Settings Firewall to let the IPSec packets pass through the MH 5001 The default value from WAN to LAN is block When you add a Firewall rule the Source IP and Netmask are the IP address PrefixLen Subnet Mask in the pages of the Remote Address Type And the Dest IP and Netmask are the IP Address PrefixLen Subnet Mask in the pages of the Local Address Type ...

Page 224: ...e opposite side WALL_B IPSec and Firewall setting When you configure an IPSec policy please be sure to add a rule to let the packets of the IPSec pass from WAN to LAN For the IP address of firewall rules please refer to the Figure B 2 Figure B 4 Figure B 1 WALL_A Inset a new IPSec policy Figure B 2 WALL_A Insert a new firewall rule in WAN to LAN The Local Address of WALL_B ...

Page 225: ...f System Logs 8 When I ping the Internet host from LAN DMZ I can t always finish the ping successfully Sometimes it is work But sometimes it fails to ping the outside host Ans This may cause there are more than one host in the LAN DMZ pinging the same host at the same time If one host Lan A is pinging Internet host A ex 140 106 100 1 and at the same time Lan B is also pinging 140 106 100 1 Then th...

Page 226: ... as Section 29 5 About restoring configuration procedure please refer to Section 29 7 11 While finishing the Content Filters Web Filter settings if I try to use browser to test why does not the web page result match with the web filter configuration Ans Be sure that you have cleaned all the file cache in the browser and try to connect the Internet web server If the web page result still does not m...

Page 227: ......

Page 228: ... if you apply any button while setting MH 5001 every time an Event will occur immediately And the Event will be displayed in the System log Figure D 1 All the system log descriptions are following the same format as above In the following table we list all the system logs for reference Component type Log ID Log description Example AUTH A01 admin login success 192 168 17 102 443 AUTH A01 admin logi...

Page 229: ... 192 168 17 100 443 EID 13 C11 Disable web filter url matching CONTENT C11 Disable web filter url matching by admin 192 168 17 100 443 EID 14 C12 Updated web filter exempt zone configuration CONTENT C12 Updated web filter exempt zone configuration by admin 192 168 17 100 443 EID 15 C13 Web filter exempt zone added range CONTENT C13 web filter exempt zone added range from 140 126 1 1 to 140 126 100...

Page 230: ...r by admin 192 168 17 100 443 EID 33 C31 SMTP Filter blocking list updated CONTENT C31 SMTP Filter blocking list updated by admin 192 168 17 100 443 EID 34 C32 Enable SMTP AntiVirus CONTENT C32 Enable SMTP AntiVirus by admin 192 168 17 100 443 EID 35 C33 Disable SMTP AntiVirus CONTENT C33 Disable SMTP AntiVirus by admin 192 168 17 100 443 EID 36 C34 AntiVirus module cannot download signatures CONT...

Page 231: ...anging Routing Protocol ROUTING R03 OSPF Area ID ROUTING R3 WAN1 OSPF Area ID 15 EventID 15 Routing Protocol OSPF ROUTING R3 WAN1 Routing Protocol OSPF EventID 15 Routing Protocol RIPv2 In Out ROUTING R3 WAN1 Routing Protocol RIPv2 In Out EventID 15 Routing Protocol RIPv1 In Out ROUTING R3 WAN1 Routing Protocol RIPv1 In Out EventID 15 Routing Protocol RIPv2 In ROTUING R3 WAN1 Routing Protocol RIPv...

Page 232: ...WAN1 by admin 192 168 17 102 443 SYSTEM S12 Disable Dynamic DNS on WAN1 by admin 192 168 17 102 443 S13 Enable Disable DNS Proxy SYSTEM S13 Enable DNS proxy by admin 192 168 17 102 443 SYSTEM S13 Disable DNS proxy by admin 192 168 17 102 443 S14 Enable Disable DHCP Relay SYSTEM S14 Enable DHCP relay by admin 192 168 17 102 443 SYSTEM S14 Disable DHCP relay by admin 192 168 17 102 443 S15 Set Date ...

Page 233: ...ear DNS IP Address SYSTEM S33 WAN1 DNS IP Address 168 95 1 1 SYSTEM S33 WAN1 Get DNS Automatically S34 Syslog Reload SYSTEM S34 Syslogd stop SYSTEM S34 Syslogd start SYSTEM S34 Syslogd restart S35 Enable Disable Ipmon SYSTEM S35 Enable Ipmon SYSTEM S35 Disable Ipmon S36 System Checksum Update SYSTEM S37 Disable Multicast on interface WAN1 SYSTEM S37 Update Multicast on interface WAN1 to xxx S37 Di...

Page 234: ...ity IPSec provides security for transmission of sensitive information over unprotected networks such as the Internet IPSec acts at the network layer protecting and authenticating IP packets between participating IPSec devices peers L2TP Layer 2 Tunneling Protocol Layer Two Tunneling Protocol L2TP is an extension of the Point to Point Tunneling Protocol PPTP used by an Internet Service Provider ISP...

Page 235: ... receiving e mail However since it s limited in its ability to queue messages at the receiving end it s usually used with one of two other protocols POP3 or Internet Message Access Protocol that let the user save messages in a server mailbox and download them periodically from the server VPN Virtual Private Network The key feature of a VPN however is its ability to use public networks like the Int...