
P-661H-D Series Support Notes

 

must be configured. (You can configure it in Web Configurator, Advanced Setup, Network -> NAT -> Port Forwarding.)

12. When do I need to select Full Feature NAT?

   

 

Make multiple local servers on the LAN accessible from outside with multiple global IP addresses

With SUA, 'visible' servers had to be mapped to different ports, since the servers share only one global IP. But when you select Full Feature, you can make multiple local servers (mapping the same port or not) on the LAN accessible from outside with multiple global IP addresses.

 

Support Non-NAT-Friendly Applications

Some servers providing Internet applications, such as some mIRC servers, do not allow users to log in using the same IP address. Thus, users on the same network cannot log in to the same server simultaneously. In this case it is better to use the Many-to-Many No Overload or One-to-One NAT mapping types, so that each user logs in to the server using a unique global IP address.

13. What IP/Port mapping does Multi-NAT support?

Multi-NAT supports five types of IP/port mapping: One to One, Many to One, Many to Many Overload, Many to Many No Overload and Server. The details of the mapping between ILA and IGA are described below. Here we define the local IP addresses as the Internal Local Addresses (ILA) and the global IP addresses as the Inside Global Addresses (IGA).

 

One to One: In One-to-One mode, the P-661H-D maps one ILA to one IGA.

 

Many to One: In Many-to-One mode, the P-661H-D maps multiple ILA to one IGA. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyNOS routers supported (the SUA is optional in today's Prestige routers).

 

Many to Many Overload: In Many-to-Many Overload mode, the P-661H-D maps multiple ILA to a shared pool of IGA.

 

Many One-to-One: In Many One-to-One mode, the P-661H-D maps each ILA to a unique IGA.

 

Server: In Server mode, the P-661H-D maps multiple inside servers to one global IP address. This allows us to specify multiple servers of different types behind the NAT for outside access. Note: if you want to map each server to one unique IGA, please use the One-to-One mode.
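To make the difference between the five mapping types concrete, here is an added simulator that is not ZyXEL's code and does not reproduce ZyNOS internals. It models an ordered rule set in which the first matching rule wins, rewrites source ports for the Many-to-One (SUA/PAT) and Many-to-Many Overload types, hands out one unique IGA per ILA for Many-to-Many No Overload (and drops the session when the pool is exhausted, which is the edge case behind the non-NAT-friendly-applications point in question 12), and answers inbound traffic from the session table, a Server rule, or a One-to-One rule. All addresses, ports and the round-robin/first-match policies are constructed assumptions for illustration.

```python
"""Toy Multi-NAT simulator (added illustration, not ZyXEL/ZyNOS code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

# The five mapping types, named as in the support notes.
ONE_TO_ONE = "One-to-One"
MANY_TO_ONE = "Many-to-One"
MANY_TO_MANY_OVERLOAD = "Many-to-Many Overload"
MANY_TO_MANY_NO_OVERLOAD = "Many-to-Many No Overload"
SERVER = "Server"


def ip_range(start: str, end: str) -> List[str]:
    """Expand an inclusive dotted-decimal range into a list of addresses."""
    lo, hi = int(IPv4Address(start)), int(IPv4Address(end))
    return [str(IPv4Address(i)) for i in range(lo, hi + 1)]


@dataclass
class Rule:
    kind: str
    local: List[str]                                       # ILA range
    glob: List[str]                                        # IGA range
    servers: Dict[int, str] = field(default_factory=dict)  # Server type: port -> ILA


class MultiNat:
    """First matching rule wins (assumed policy, like an ordered rule set)."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.next_port = 1024                                     # PAT port counter (assumed)
        self.rr: Dict[int, int] = {}                              # round-robin index per overload rule
        self.reserved: Dict[Tuple[int, str], str] = {}            # (rule idx, ILA) -> IGA, no-overload
        self.sessions: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (IGA, port) -> (ILA, port)

    def _pat_port(self) -> int:
        self.next_port += 1
        return self.next_port

    def outbound(self, ila: str, sport: int) -> Optional[Tuple[str, int]]:
        """Translate an outgoing (ILA, port). None means no usable rule: packet dropped."""
        for idx, rule in enumerate(self.rules):
            if rule.kind == SERVER or ila not in rule.local:
                continue                                          # Server rules are inbound-only
            if rule.kind == ONE_TO_ONE:
                iga, port = rule.glob[0], sport                   # one ILA -> one IGA, ports kept
            elif rule.kind == MANY_TO_ONE:
                iga, port = rule.glob[0], self._pat_port()        # SUA/PAT: one IGA, ports rewritten
            elif rule.kind == MANY_TO_MANY_OVERLOAD:
                i = self.rr.get(idx, 0)                           # share the IGA pool, rewrite ports
                self.rr[idx] = (i + 1) % len(rule.glob)
                iga, port = rule.glob[i], self._pat_port()
            elif rule.kind == MANY_TO_MANY_NO_OVERLOAD:
                iga = self.reserved.get((idx, ila))
                if iga is None:
                    used = {v for (r, _), v in self.reserved.items() if r == idx}
                    free = [g for g in rule.glob if g not in used]
                    if not free:
                        return None                               # pool exhausted: no unique IGA left
                    iga = free[0]
                    self.reserved[(idx, ila)] = iga
                port = sport                                      # unique IGA per ILA, ports kept
            else:
                raise ValueError(rule.kind)
            self.sessions[(iga, port)] = (ila, sport)
            return iga, port
        return None

    def inbound(self, iga: str, dport: int) -> Optional[Tuple[str, int]]:
        """Translate an incoming (IGA, port): session table, then Server rule, then One-to-One."""
        if (iga, dport) in self.sessions:
            return self.sessions[(iga, dport)]
        for rule in self.rules:
            if rule.kind == SERVER and iga in rule.glob and dport in rule.servers:
                return rule.servers[dport], dport
            if rule.kind == ONE_TO_ONE and iga in rule.glob:
                return rule.local[0], dport
        return None                                               # unsolicited and unmapped: dropped


def demo() -> Dict[str, Optional[Tuple[str, int]]]:
    """Constructed rule set (addresses are illustrative, not from any real deployment)."""
    nat = MultiNat([
        Rule(ONE_TO_ONE, ["192.168.1.10"], ["200.0.0.1"]),
        Rule(MANY_TO_MANY_NO_OVERLOAD, ip_range("192.168.1.30", "192.168.1.32"),
             ip_range("200.0.0.10", "200.0.0.11")),               # three hosts, only two IGA
        Rule(MANY_TO_ONE, ip_range("192.168.1.2", "192.168.1.254"), ["200.0.0.3"]),
        Rule(SERVER, [], ["200.0.0.3"], {80: "192.168.1.20", 25: "192.168.1.20"}),
    ])
    return {
        "ftp_one_to_one": nat.outbound("192.168.1.10", 40000),    # ('200.0.0.1', 40000)
        "client_a": nat.outbound("192.168.1.50", 40000),          # ('200.0.0.3', 1025)
        "client_b": nat.outbound("192.168.1.51", 40000),          # ('200.0.0.3', 1026): same IGA
        "irc_user_1": nat.outbound("192.168.1.30", 6667),         # ('200.0.0.10', 6667)
        "irc_user_2": nat.outbound("192.168.1.31", 6667),         # ('200.0.0.11', 6667)
        "irc_user_3": nat.outbound("192.168.1.32", 6667),         # None: pool exhausted
        "web_in": nat.inbound("200.0.0.3", 80),                   # ('192.168.1.20', 80)
        "ftp_in": nat.inbound("200.0.0.1", 21),                   # ('192.168.1.10', 21)
        "reply_to_client_a": nat.inbound("200.0.0.3", 1025),      # ('192.168.1.50', 40000)
        "unsolicited": nat.inbound("200.0.0.3", 2222),            # None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}")
```

The two Many-to-One clients both leave as 200.0.0.3 and are told apart only by the rewritten port, which is exactly why a server that keys on source IP sees them as one user; the No Overload hosts keep their own IGA and port, and the third host is refused rather than silently sharing an address. Inbound, the Server rule steers ports 80 and 25 on the shared IGA to one internal host, while the One-to-One IGA forwards any port to its single ILA.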


All contents copyright © 2006 ZyXEL Communications Corporation. 

 

Summary of Contents for P-661H-D Series

Page 1: ...P 661H D Series ADSL2 4 port Security Gateway Support Notes Version3 40 Mar 2006 ...

Page 2: ...rt 9 15 What are Device filters and Protocol filters 9 16 How can I protect against IP spoofing attacks 9 Product FAQ 11 1 How can I manage P 661H D 11 2 What is the default password for Web Configurator 11 3 What s the difference between Common User Account and Administrator Account 11 4 How do I know the P 661H D s WAN IP address assigned by the ISP 11 5 What is the micro filter or splitter used...

Page 3: ...ed a firewall when your router has packet filtering and NAT built in 21 6 What is Denials of Service DoS attack 21 7 What is Ping of Death attack 22 8 What is Teardrop attack 22 9 What is SYN Flood attack 22 10 What is LAND attack 22 11 What is Brute force attack 23 12 What is IP Spoofing attack 23 13 What are the default ACL firewall rules in P 661H D 23 Configuration 23 1 How do I configure the ...

Page 4: ...VPN support 32 5 I am planning my P 661H D VPN configuration What do I need to know 32 6 Does P 661H D support dynamic secure gateway IP 33 7 What VPN gateway has been tested with P 661H D successfully 33 8 What VPN software has been tested with P 661H D successfully 34 11 How do I configure P 661H D with NAT for internal servers 35 12 I am planning my P 661H D behind a NAT router What do I need t...

Page 5: ... 1 How to use P 661H D to build VPN Tunnel with another VPN Gateway Software 87 2 How to build a VPN between Secure Gateway with Dynamic WAN IP Address 93 3 Configure NAT for internal servers 95 4 VPN Routing between Branch Office through Headquarter 96 Support Tool 101 1 LAN WAN Packet Trace 101 Online Trace 101 Offline Trace 103 Capture the detailed logs by Hyper Terminal 104 2 Firmware Configur...

Page 6: ...are and configuration file You can do this if you access the P 661H D as Administrator You can upload the firmware and configuration file to Prestige from Web Condigurator or using FTP or TFTP client software You CAN NOT upload the firmware and configuration file via Telnet because the Telnet connection will be dropped during uploading the firmware Please do not power off the router right after th...

Page 7: ...ore factory defaults this way Use the RESET button on the rear panel of P 661H D to reset the router After the router is reset the LAN IP address will be reset to 192 168 1 1 the common user password will be reset to user the Administrator password will be reset to 1234 8 How to use the Reset button a Turn your P 661H D on Make sure the POWER led is on not blinking b Press the RESET button for lon...

Page 8: ...t with 2 rules Many to One and Server With SUA visible servers had to be mapped to different ports since the servers share only one global IP The P 661H D now has Full Feature NAT which supports five types of IP Port mapping One to One Many to One Many to Many Overload Many to Many No Overload and Server You can make special application when you select Full Feature NAT For example With multiple gl...

Page 9: ...T support Multi NAT supports five types of IP port mapping One to One Many to One Many to Many Overload Many to Many No Overload and Server The details of the mapping between ILA and IGA are described as below Here we define the local IP addresses as the Internal Local Addresses ILA and the global IP addresses as the Inside Global Address IGA One to One In One to One mode the P 661H D maps one ILA...

Page 10: ...wanif0 to view the current active NAT sessions 15 What are Device filters and Protocol filters In ZyNOS the filters have been separated into two groups One group is called device filter group and the other is called protocol filter group Generic filters belong to the device filter group TCP IP and IPX filters belong to the protocol filter group You can configure the filter rule in CLI Note In ZyNO...

Page 11: ...dress on your local network and w x y z is your netmask For the output data filters Deny bounce back packet Allow packets that originate from us Filter rule setup Filter Type TCP IP Filter Rule Active Yes Destination IP Addr a b c d Destination IP Mask w x y z Action Matched Drop Action No Matched Forward Where a b c d is an IP address on your local network and w x y z is your netmask 10 All conte...

Page 12: ... out if you have forgotten your password 3 What s the difference between Common User Account and Administrator Account For Common User Account it can only access the status monitor of P 661H D and check the current system status For Administrator Account besides accessing the status monitor of P 661H D it can also access Winzard setup Advanced setup of P 661H D Moreover only with Administrator Pas...

Page 13: ...using PPPoE If you are simply connected to the Internet when you turn on your computer you probably are not You can also check your ISP or the information sheet given by the ISP Please choose PPPoE as the encapsulation type in the P 661H D if the ISP uses PPPoE 8 Why does my provider use PPPoE PPPoE emulates a familiar Dial Up connection It allows your ISP to provide services using their existing ...

Page 14: ...t dyndns org This feature is useful when there are multiple servers inside and you want users to be able to use things such as www yourhost dyndns org and still reach your hostname Yes the P 661H D supports DDNS wildcard that http www dyndns org supports When using wildcard you simply enter yourhost dyndns org in the Host field in Menu 1 1 Configure Dynamic DNS 12 Can the P 661H D s SUA handle IPS...

Page 15: ...and aims at boosting the efficiency of the bandwidth If there are serveral VCs in the P 661H D but only one VC activated at one time the P 661H D allocates all the Bandwidth to the VC and the VC gets full bandwidth If another VCs are activated later the bandwidth is yield to other VCs after ward 15 Why do we perform traffic shaping in the P 661H D The P 661H D must manage traffic fairly and provid...

Page 16: ...t PCR as 5424 cell sec 17 What do the ATM QoS Types CBR UBR VBR nRT VBR RT mean Constant bit rate CBR An ATM bandwidth allocation service that requires the user to determine a fixed bandwidth requirement at the time the connection is set up so that the data can be sent in a steady stream CBR service is often used when transmitting fixed rate uncompressed video Unspecified bit rate UBR An ATM bandw...

Page 17: ...ing You can also specify trusted IP Addresses on LAN for which the P 661H D will not perform content filtering You can configure the details about it in Web Configurator Advanced setup Security Content Filter 16 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 18: ...es for many years Additionally many of the older cable networks are not capable of offering a return channel consequently such networks will need significant upgrading before they can offer high bandwidth services 2 What is the expected throughput In our test we can get about 1 6Mbps data rate on 15Kft using the 26AWG loop The shorter the loop the better the throughput is 3 What is the microfilter...

Page 19: ...fore the VC based multiplexing is more efficient 7 How do I know the details of my ADSL line statistics You can use the following CI commands to check the ADSL line statistics CI wan adsl perfdata CI wan adsl status CI wan adsl linedata far CI wan adsl linedata near You can also do it in Web Configurator Advanced Setup Maintenance Diagnostic DSL Line DSL Status 8 What are the signaling pins of the...

Page 20: ...require different Qulity of Service The high priority is Voice VoIP data The Medium priority is Video IPTV data The low priority is internet access such as ftp etc Triple Play is a port based policy to forward packets from different LAN port to different PVCs thus you can configure each PVC separately to assign different QoS to different application 19 All contents copyright 2006 ZyXEL Communicati...

Page 21: ... LAN are invisible to the Internet 3 What are the basic types of firewalls Conceptually there are three types of firewalls 1 Packet Filtering Firewall 2 Application level Firewall 3 Stateful Inspection Firewall Packet Filtering Firewalls generally make their decisions based on the header information in individual packets These headers information include the source destination addresses and ports ...

Page 22: ... that enhance the filtering process and control the network session rather than control individual packets in a session 4 The P 661H D s firewall is fast It uses a hashing function to search the matched session cache instead of going through every individual rule for a packet 5 The P 661H D s firewall provides email service to notify you for routine reports and when alerts occur 5 Why do you need ...

Page 23: ...IP fragments with overlapping offset fields When these fragments are reassembled at the destination some systems will crash hang or reboot 9 What is SYN Flood attack SYN attack floods a targeted system with a series of SYN packets Each packet causes the targeted system to issue a SYN ACK response While the targeted system waits for the ACK that follows the SYN ACK it queues up all outstanding SYN ...

Page 24: ... magnify the effect of the DoS attack IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network To engage in IP Spoofing a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or ...

Page 25: ...or Telnet over WAN There are four reasons that WWW Telnet from WAN is blocked 1 When the firewall is turned on all connections from WAN to LAN are blocked by the default ACL rule To enable Telnet from WAN you must turn the firewall off or create a firewall rule to allow WWW Telnet connection from WAN The WAN to LAN ACL summary will look like as shown below WWW For accessing Web Configurator Source...

Page 26: ...4 Why can t I upload the firmware and configuration file using FTP over WAN 1 When the firewall is turned on all connections from WAN to LAN are blocked by the default ACL rule To enable FTP from WAN you must turn the firewall off or create a firewall rule to allow FTP connection from WAN The WAN to LAN ACL summary will look like as shown below Source IP FTP host Destination IP P 661H D s WAN IP S...

Page 27: ...nerated automatically with factory default setting but you can change it in Web Configurator 2 What does the log show to us The log supports up to 128 entries There are 5 columns for each entry Please see the example shown below 3 How do I view the firewall log All logs generated in P 661H D including firewall logs IPSec logs system logs are migrated to centralized logs So you can view firewall lo...

Page 28: ...eb configuration Advanced Setup Maintenance Logs Log Settings 4 When does the P 661H D generate the firewall alert The P 661H D generates the alert when an attack is detected by the firewall and sends it via Email So to send the alert you must configure the mail server and Email address using Web Configurator Advanced Setup Maintenance Logs Log Settings You can also specify how frequently you want...

Page 29: ...th encryption VPN guarantees the confidentiality of the original user data Cost 1 Cut long distance phone charges Because users typically dial the their local ISP for VPN thus long distance phone charge is reduced than making a long direct connection to the remote office 2 Reducing number of access lines Many companies pay monthly charges for two types access lines 1 high speed links for their Int...

Page 30: ...ces allow for authentication integrity access control and confidentiality IPSec allows for the information exchanged between remote sites to be encrypted and verified You can create encrypted tunnels VPNs or just do encryption between computers Since you have so many options IPSec is truly the most extensible and complete network security solution 7 What secure protocols does IPSec support There a...

Page 31: ... because you have to share it with another party before you can communicate with them over a secure connection 12 What are the differences between IKE and manual key VPN The only difference between IKE and manual key is how the encryption keys and SPIs are determined For IKE VPN the key and SPIs are negotiated from one VPN gateway to the other Afterward two VPN gateways use this negotiated keys an...

Page 32: ...hoosen you can still use a random string as the content such as this_is_Prestige It s not neccessary to follow the format exactly By default the device takes IP as phase 1 ID type for itself and it s remote peer But if it s remote peer is using DNS or E mail you have to ajust the settings to pass phase 1 ID checking 15 When should I use FQDN If your VPN connection is Preatige to Prestige and both ...

Page 33: ...authentication integrity replay protection and confidentiality of the data it secures everything in the packet that follows the header Replay protection requires authentication and integrity these two go always together Confidentiality encryption can be used with or without authentication integrity Similarly one could use authentication integrity with or without confidentiality 5 I am planning my ...

Page 34: ...the Secure Gateway IP Address in P 661H D In this case the VPN connection can only be initiated from dynamic side to fixed side in order to update its dynamic IP to the fixed side If both gateways use dynamic IP addresses we can use DDNS on one side For example Both sides are dynamic IP address Router A DDNS enabled Router B Secure GW DNS name With DDNS support through the Router A s WAN IP change...

Page 35: ...s F Secure IPSec for Windows KAME IPSec for UNIX Nortel IPSec for UNIX Intel VPN v 6 90 FreeS WAN for Linux SSH Remote ISAKMP Testing Page http isakmp test ssh fi cgi bin nph isakmp test Windows 2000 IPSec 9 What is the difference between the My IP Address and Secure Gateway IP Address in VPN Setup Web Page My IP Adderss is the Internet IP address of the local P 661H D The Secure Gateway IP Addres...

Page 36: ...661H D NAT Router Internet Secure host Some tips for the configuration 1 The NAT router must support to pass through IPSec protocol Only ESP tunnel mode is possible to work in NAT case Default port UDP Port 500 and the P 661H D s WAN IP must be configured in NAT Router s SUA NAT Server Table 2 On the Secure host side WAN IP of the NAT router is the tunneling endpoint for this case not the WAN IP o...

Page 37: ...r NAT Firewall If the VPN connection is initiated from the security gateway outside of P 661H D NAT port forwarding and Firewall forwarding are necessary To configure NAT port forwarding please go to Web Configurator Network NAT Port Forwarding put the secure gateway s IP address in default server To configure Firewall forwarding please go to Web Configurator Security Firewall Rules select Packet ...

Page 38: ...nnection To connect your computer to the P 661H D s LAN port the computer must have an Ethernet adapter card installed For connecting a single computer to the P 661H D we use a Ethernet cable 2 TCP IP configuration In most cases the IP address of the computer is assigned by the ISP dynamically so you have to configure the computer as a DHCP client which obtains the IP from the ISP using DHCP proto...

Page 39: ...u how to configure your P 661H D as bridge mode We will use Web Configurator to guide you through the related menu 1 Configure P 661H D as bridge mode and configure Internet setup parameters in Web Configurator Advanced Setup Network WAN 38 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 40: ...P 661H D in Web Configurator Advanced Setup Network LAN We use 192 168 1 1 as the LAN IP for P 661H D in this case Step 1 Disactive DHCP Server and apply it Step 2 Assign an IP to the LAN Interface of P 661H D e g 192 168 1 1 2 Internet Access Using P 661H D under Routing mode For most Internet users having multiple computers want to share an Internet account for Internet access they have to insta...

Page 41: ... the clients via DHCP if it is available For this setup in Windows we check the option Obtain an IP address automatically in its TCP IP setup Please see the example shown below Set up your P 661H D under routing mode The following procedure shows you how to configure your P 661H D as Routing mode for routing traffic We will use Web Configurator to guide you through the related menu 1 Configure P 6...

Page 42: ...nd the DHCP settings in Web Configurator Advanced Setup Network LAN 3 Setup the P 661H D as a DHCP Relay What is DHCP Relay DHCP stands for Dynamic Host Configuration Protocol In addition to the DHCP server feature the P 661H D supports the DHCP relay function When it is configured as DHCP server it assigns the IP addresses to the LAN clients When it is configured as DHCP relay it is responsible f...

Page 43: ...r are configured in Web Configurator Advanced Setup Network NAT Port Forwarding the internal server or client applications can be accessed by using the P 661H D s WAN IP Address SUA Supporting Table The following are the required Web Configurator Advanced Setup Network NAT Port Forwarding for the various applications running SUA mode ZyXEL SUA Supporting Table1 Required Settings in Port Forwarding...

Page 44: ...032 client IP Default client IP Microsoft NetMeeting 2 1 3 013 None 1720 client IP 1503 client IP Cisco IP TV 2 0 0 None RealPlayer G2 None VDOLive None Quake1 064 None Default client IP QuakeII2 305 None Default client IP QuakeIII1 05 beta None StartCraft 6112 client IP Quick Time 4 0 None pcAnywhere 8 0 None 5631 client IP 5632 client IP 22 client IP IPsec ESP tunneling mode None one client only...

Page 45: ...et IP 4 Certain Quake servers do not allow multiple users to login using the same unique IP so only one Quake user will be allowed in this case Moreover when a Quake server is configured behind SUA P 661H D will not be able to provide information of that server on the internet 5 Quake II has the same limitations as that of Quake I 6 P 661H D supports MSN Messenger 4 6 4 7 5 0 video voice pass thro...

Page 46: ...fixed IP address and not be a DHCP client whose IP address potentially changes each time P 661H D is powered on In addition to the servers for specific services SUA supports a default server A service request that does not have a server explicitly designated for is forwarded to the default server If the default server is not defined the service request is simply discarded Configuration To make a s...

Page 47: ... 10 1 Fill in the service name and server IP Address press button Add 2 If add successfully the Web Configurator will display message Configuration updated successfully at the bottom You can see the port forwarding rule on the same page the default port for Web Server is 80 3 If you want to change the port for Web Server you could press button Modify on corresponding rule then modify and apply it ...

Page 48: ...ent you must be able to establish an IP connection with a tunnel server such as the Windows NT Server 4 0 Remote Access Server Windows Dial Up Networking uses the Internet standard Point to Point PPP to provide a secure optimized multiple protocol network connection over dial up telephone lines All data sent over this connection can be encrypted and compressed and multiple network level protocols ...

Page 49: ... the first dial up adapter that provides PPP support for the analog or ISDN modem The PPTP is supported in Windows NT and Windows 98 already For Windows 95 it needs to be upgraded by the Dial Up Networking 1 2 upgrade Configuration This application note explains how to establish a PPTP connection with a remote private network in the P 661H D SUA case In ZyNOS all PPTP packets can be forwarded to t...

Page 50: ...k protocols from RAS such as IPX TCP IP NetBEUI Set the Internet gateway to P 661H D 2 PPTP client setup Win9x Add one VPN connection from Dial Up Networking by entering the correct username password and the IP address of the P 661H D s Internet IP address for logging to NT RAS server Set the Internet gateway to the router that is connecting to ISP 3 P 661H D setup Before making a VPN connection f...

Page 51: ...ial up connection has been established Before making a VPN connection from the Win9x client to the NT server you need to know the exact Internet IP address that the ISP assigns to P 661H D router in SUA mode and enter this IP address in the VPN dial up dialog box You can check this Internet IP address from PNC Monitor or S Web Configurator Status WAN Information If the Internet IP address is a fix...

Page 52: ...ll down menu on the right None NAT is disabled when you select this option Network Address Translation SUA Only When you select this option this remote node will use default SUA Address Mapping Set You can see it in CLI by command ip nat lookup 255 It s a read only sets with two rules Many to One and server mapping Select Full Feature when you require other mapping types Configuring NAT Address Ma...

Page 53: ...pply it When you select SUA Only the P 661H D will use a default SUA Address Mapping set for it It has two rules Many to One and Server You can see it in CLI by command ip nat lookup 255 Please note that the fields in this menu are read only However the settings of the rule set 2 can be modified in Web Configurator Advanced Setup Network NAT Port Forwarding The following table explains the fields ...

Page 54: ... 8 can only be configured in CLI Now let s begin with Web Configurator Firstly let s come to Web Configurator Advanced Setup Network NAT Address Mapping This menu is for Address Mapping Set 1 you can edit 10 Address Mapping Rules for Set 1 You can edit or remove a rule by clicking the two buttons on the rule table Click the Edit Button on the rule 1 then you can enter the window in which you can e...

Page 55: ...rt This is the starting global IP address IGA If you have a dynamic IP enter 0 0 0 0 as the Global Start IP 0 0 0 0 Global IP End This is the ending global IP address IGA This field is N A for One to One Many to One and Server types 200 1 1 64 Note For all Local and Global IPs the End IP address must begin after the IP Start address i e you cannot have an End IP address beginning before the Start ...

Page 56: ...ect NAT address mapping set and set mapping set name but set name is optional Example ip nat addrmap map 2 Test ip nat addrmap rule rule insert edit type local start IP local end IP global start IP global end IP server set Set NAT address mapping rule If the type is not inside server then the type field will still need a dummy value like 0 Type is 0 4 one to one many to one many to many overload m...

Page 57: ...ave it to be default value if you don t want this command ip nat server edit rule forwardip IP address Configure the LAN IP address to be forwarded ip nat server edit rule protocol TCP UDP ALL Configure the protocol to be used TCP UDP or ALL it must be capital NAT Server Sets The NAT Server Set is a list of LAN side servers mapped to external ports similar to the old SUA menu of before If you wish...

Page 58: ...on Add to save it Step 3 You could click the button Edit on the rule to modify the Service name Server IP Address Start End Port The most often used port numbers are shown in the following table Please refer RFC 1700 for further information about port numbers Service Port Number FTP 21 Telnet 23 SMTP 25 DNS Domain Name Server 53 www http Web 80 PPTP Point to Point Tunneling Protocol 1723 Examples ...

Page 59: ...e NAT and select an Address Mapping Set with a Many to One Rule See the following figure 2 Internet Access with an Internal Server In this case we do exactly as the figure use the convenient pre configured SUA Only set and also go to Web Configurator Advanced Setup Network NAT Port Forwarding to specify the Internet Server behind the NAT as 58 All contents copyright 2006 ZyXEL Communications Corpo...

Page 60: ...y the following way using 4 NAT rules Rule 1 One to One type to map the FTP Server 1 with ILA1 192 168 1 10 to IGA1 200 0 0 1 Rule 2 One to One type to map the FTP Server 2 with ILA2 192 168 1 11 to IGA2 200 0 0 2 Rule 3 Many to One type to map the other clients to IGA3 200 0 0 3 Rule 4 Server type to map a web server and mail server with ILA3 192 168 1 20 to IGA3 Type Server allows us to specify ...

Page 61: ...nced Setup Network NAT Address Mapping to begin configuring Address Mapping Set 1 We can see there are 10 blank rule table that could be configured See the following setup for the four rules in our case Rule 1 Setup Select One to One type to map the FTP Server 1 with ILA1 192 168 1 10 to IGA1 200 0 0 1 Rule 2 Setup Selecting One to One type to map the FTP Server 2 with ILA2 192 168 1 11 to IGA2 20...

Page 62: ... to map the other clients to IGA3 200 0 0 3 Rule 4 Setup Select Server type to map our web server and mail server with ILA3 192 168 1 20 to IGA3 Menu Network NAT Address Mapping should look as follows now 61 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 63: ...Friendly Applications Some servers providing Internet applications such as some mIRC servers do not allow users to login using the same IP address In this case it is better to use Many to Many No Overload or One to One NAT mapping types thus each user login to the server using a unique global IP address The following figure illustrates this 62 All contents copyright 2006 ZyXEL Communications Corpo...

Page 64: ... and retrieved This solves the problems if your DNS server uses an IP associated with dynamic IPs Without DDNS we always tell the users to use the WAN IP of the P 661H D to access the internal server It is inconvenient for the users if this IP is dynamic With DDNS supported by the P 661H D you apply a DNS name e g www zyxel com tw for your server e g Web server from a DDNS server The outside users...

Page 65: ...Before configuring the DDNS settings in the P 661H D you must register an account from the DDNS server such as WWW DYNDNS ORG first After the registration you have a hostname for your internal server and a password using to update the IP to the DDNS server 2 Login Web Configurator Advanced Setup Advanced Dynamic DNS Select Active Dynamic DNS option Key Settings Option Description Service Provider ...

Page 66: ...gure 3 For SNMPv1 operation ZyXEL permits one community string so that the router can belong to only one community and allows trap messages to be sent to only one NMS manager Some traps are sent to the SNMP manager when anyone of the following events happens 1 coldStart defined in RFC 1215 If the machine coldstarts the trap will be sent after booting 2 warmStart defined in RFC 1215 If the machine ...

Page 67: ...n of restart before rebooting 1 For intentional reboot In some cases download new files CI command sys reboot reboot is done intentionally And traps with the message System reboot by user will be sent 2 For fatal error System has to reboot for some fatal errors And traps with the message of the fatal code will be sent Downloading ZyXEL s private MIB Configure the P 661H D for SNMP 66 All contents ...

Page 68: ...rom the NMS The default is public Set Community Enter the correct Set Community This Set Community must match the Set community requested from the NMS The default is public Trusted Host Enter the IP address of the NMS The P 661H DHW DX will only respond to SNMP messages coming from this IP address If 0 0 0 0 is entered the P 661H DHW DX will respond to all NMS managers Trap Community Enter the com...

Page 69: ...t you wish to send the syslog Log Facility Select from the 7 different local options The log facility lets you log the message in different server files Refer to your UNIX manual 9 Using IP Alias What is IP Alias In a typical environment a LAN router is required to connect two local networks The P 661H D can connect three local networks to the ISP or a remote node we call this function as IP Alias...

Page 70: ... Network LAN IP Alias There are three internal virtual LAN interfaces for the P 661H D to route the packets from to the three networks correctly They are enif0 for the major network enif0 0 for the IP alias 1 and enif0 1 for the IP alias 2 Therefore three routes are created in the P 661H D as shown below when the three networks are configured If the P 661H D s DHCP is also enabled the IP pool for ...

Page 71: ... IP Alias by configuring the P 661H D s second and third LAN IP addresses Key Settings IP Alias 1 Active it and enter the second LAN IP address for the P 661H D This will create the second route in the enif0 0 interface IP Alias 2 Active it and enter the third LAN IP address for the P 661H D This will create the third route in the enif0 1 interface 10 Using IP Policy Routing What is IP Policy Rout...

Page 72: ...PR allows organizations to distribute interactive traffic on high bandwidth high cost path while using low path for batch traffic Load Sharing Network administrators can use IPPR to distribute traffic among multiple paths How does the IPPR work A policy defines the matching criteria and the action to take when a packet meets the criteria The action is taken only when all the criteria are met The c...

Page 73: ...mple Step 2 Suppose we d like to edit the rule like this Policy Set Name Test Active Yes Criteria IP Protocol 6 Type of Service Don t Care Packet length 0 Precedence Don t Care Len Comp N A Source addr start 192 168 1 2 end 192 168 1 20 port start 0 end N A Destination addr start 0 0 0 0 end N A port start 80 end 80 Action Matched Gateway addr 192 168 1 254 Log No Type of Service No Change Precede...

Page 74: ...action gatewaytype 0 (set the gateway type for the rule: Gateway Address). ip policyrouting set action gatewayaddr 192.168.1.254 (set the gateway address for the rule to 192.168.1.254). ip policyrouting set criteria serviceType 0 (set the type-of-service criterion to don't care for this rule). ip policyrouting set criteria precedence 8 (set the precedence criterion to don't care for this rule). ip policyrouting set action...
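As an added illustration (not code from the ZyXEL note), the following Python models how the IPPR rule above is evaluated: every criterion must hold before the gateway action is taken, and a packet that fails any single criterion follows the normal routing table instead. The Packet and PolicyRule classes, the use of protocol 0 for "don't care" and of 255.255.255.255 for an "N/A" end address are modelling assumptions of this example, not router syntax.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List


@dataclass(frozen=True)
class Packet:
    proto: int      # IP protocol number (6 = TCP, 17 = UDP)
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class PolicyRule:
    """One IPPR rule: every criterion must hold before the action applies."""
    name: str
    proto: int                  # 0 models "don't care" (assumption of this example)
    src_start: str
    src_end: str
    dst_start: str
    dst_end: str                # an "N/A" end on the router is modelled as 255.255.255.255
    dport_start: int
    dport_end: int
    gateway: str                # action "Matched": gateway address

    def matches(self, p: Packet) -> bool:
        criteria = (
            self.proto == 0 or p.proto == self.proto,
            IPv4Address(self.src_start) <= IPv4Address(p.src) <= IPv4Address(self.src_end),
            IPv4Address(self.dst_start) <= IPv4Address(p.dst) <= IPv4Address(self.dst_end),
            self.dport_start <= p.dport <= self.dport_end,
        )
        return all(criteria)    # the action is taken only when ALL criteria are met


# The rule from the support note: TCP from 192.168.1.2-192.168.1.20 to any host,
# destination port 80, next hop 192.168.1.254.
RULES: List[PolicyRule] = [
    PolicyRule("Test", 6, "192.168.1.2", "192.168.1.20",
               "0.0.0.0", "255.255.255.255", 80, 80, "192.168.1.254"),
]


def next_hop(p: Packet, rules: List[PolicyRule] = RULES,
             default: str = "routing-table") -> str:
    """First matching rule wins; with no match the packet follows the routing table."""
    for rule in rules:
        if rule.matches(p):
            return rule.gateway
    return default


if __name__ == "__main__":
    web = Packet(6, "192.168.1.10", "203.0.113.5", 40000, 80)   # constructed sample packet
    print(next_hop(web))
```

A UDP packet to port 80, or TCP to port 443, or TCP from 192.168.1.50 all fall outside one criterion and so are routed normally; only a packet that satisfies all four is sent to 192.168.1.254.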

Page 75: ...ppose we want to edit a call schedule set like this. Call Schedule Set 1: Set name = Test; Active = Yes; Start Date (yyyy-mm-dd) = 2005-12-27; How Often = Once; Once Date (yyyy-mm-dd) = 2005-12-27; Start Time (hh:mm) = 12:00; Duration (hh:mm) = 16:00; Action = Enable Dial on demand. This schedule example permits a demand call on the line at 12:00 a.m. on 2005-12-27. The maximum length of time this connection is allowed is 16 hours. To i...

Page 76: ...remote node will be dropped. Enable Dial On Demand: the remote node accepts dial on demand during this period. Disable Dial On Demand: the remote node denies any demand dial during the period; existing connections to the node are dropped after the idle timeout and are not triggered up again. Start Time / Duration: the start time and duration of this schedule. Apply the schedule to the remote node. Multiple scheduling ru...

Page 77: ...packets are transmitted in two ways, unicast or broadcast. Multicast is a third way to deliver IP packets to a group of hosts. Host groups are identified by class D IP addresses, i.e. those with 1110 as their high-order bits. In dotted decimal notation, host group addresses range from 224.0.0.0 to 239.255.255.255. Among them, 224.0.0.1 is assigned to the permanent IP hosts group and 224.0.0.2 is assigne...

Page 78: ...me other traffic may not require high bandwidth but does require a stable supply of bandwidth, such as VoIP traffic. VoIP quality would not be good if all of the outgoing bandwidth were occupied by FTP. Additionally, chances are that you would like to grant higher bandwidth to somebody in particular, e.g. a user with a specific IP address in your network. All of these are reasons why we need bandwidth manageme...

Page 79: ...e's root. Scheduler: choose the principle used to allocate bandwidth on this interface. Priority Based allocates bandwidth by priority; Fairness Based allocates bandwidth by ratio. Maximize Bandwidth Usage: check this box if you would like to give residual bandwidth from the interface to the classes that need more bandwidth than their configured amount. Do not select this if you want to reserve bandwidth for traffic t...

Page 80: ...l Managed Bandwidth: check this box if you would like to let this class borrow bandwidth from its parents when the required bandwidth is higher than the configured amount. Do not check this if you want to limit the bandwidth of this class to the configured value. Please note that you should also disable Maximize Bandwidth Usage on the interface for that limit to take effect. Service: select User defined, SI...

Page 81: ...ut some probing patterns; the system will analyze the packets returned from the ISP and decide which services the ISP may provide. Because ADSL is based on an ATM network, the system has to pre-configure a VPI/VCI hunting pool before the Auto Configure function begins to work. The Zero Configuration feature can hunt the encapsulation and VPI/VCI value, and the system will automatically configure itself if the hunting...

Page 82: ...vpi vci service-bit(hex); wan atm vchunt save. Note: remote node: input the remote node index (1-8); vpi: the VPI value; vci: the VCI value; service: a hex value, bit0 = PPPoE VC (1), bit1 = PPPoE LLC (2), bit2 = PPPoA VC (4), bit3 = PPPoA LLC (8), bit4 = Enet VC (16), bit5 = Enet LLC (32). For example: 1. If you need the services PPPoE LLC and Enet LLC, then the service bits will be 2 + 32 = 34 decimal = 22 hex, so you must input 22. 2. If you want to enable al...
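The service-bit arithmetic above is easy to get wrong when typing hex by hand. The following Python, added here and not part of the ZyXEL note, encodes a set of encapsulations into the hex value the hunting pool expects and decodes such a value back into service names; it also covers the general case of every bit set (3f). The function names are mine, and the 0-255 VPI and 32-65535 VCI checks are assumptions taken from the ATM UNI ranges, not from the note.

```python
# Service-bit encoding used by the P-661H-D VPI/VCI hunting pool (from the note).
SERVICE_BITS = {
    "PPPoE VC": 0x01, "PPPoE LLC": 0x02,
    "PPPoA VC": 0x04, "PPPoA LLC": 0x08,
    "Enet VC":  0x10, "Enet LLC":  0x20,
}
ALL_SERVICES = sum(SERVICE_BITS.values())   # 0x3f: every encapsulation in the hunt


def service_mask(*names: str) -> int:
    """OR together the bits of the named services; unknown names are an error."""
    mask = 0
    for name in names:
        try:
            mask |= SERVICE_BITS[name]
        except KeyError:
            raise ValueError(f"unknown service {name!r}; choose from {list(SERVICE_BITS)}") from None
    if mask == 0:
        raise ValueError("at least one service is required")
    return mask


def service_hex(*names: str) -> str:
    """The value typed on the command line: hex digits, no 0x prefix."""
    return format(service_mask(*names), "x")


def decode_service(hex_value: str) -> list:
    """Inverse: which services does a hex value (as typed on the CLI) enable?"""
    value = int(hex_value, 16)
    if value == 0 or value & ~ALL_SERVICES:
        raise ValueError(f"{hex_value!r} is not a valid service bit value (1..3f)")
    return [name for name, bit in SERVICE_BITS.items() if value & bit]


def check_pool_entry(node: int, vpi: int, vci: int, hex_value: str) -> dict:
    """Validate one hunting-pool entry before it is typed in.
    Node index 1-8 is from the note; VPI 0-255 and VCI 32-65535 are the ATM UNI
    ranges and are an assumption about what the router accepts."""
    if not 1 <= node <= 8:
        raise ValueError("remote node index must be 1-8")
    if not 0 <= vpi <= 255:
        raise ValueError("VPI must be 0-255")
    if not 32 <= vci <= 65535:
        raise ValueError("VCI must be 32-65535 (0-31 are reserved)")
    return {"node": node, "vpi": vpi, "vci": vci, "services": decode_service(hex_value)}


if __name__ == "__main__":
    print(service_hex("PPPoE LLC", "Enet LLC"))     # the note's example: 22
    print(service_hex(*SERVICE_BITS))               # all services: 3f
    print(check_pool_entry(1, 0, 33, "22"))
```

The decoder rejects values with bits above bit5 set, which is the usual symptom of a mistyped decimal (e.g. entering 34 instead of 22).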

Page 83: ...the device LAN Ethernet port with the DSL synced up. 2. Open your web browser to access a Web site. It should prompt you for the username/password of your ISP account if your ISP provides PPPoE or PPPoA service. 3. After you key in the correct info it will then test the connection. If it is successful it will then close the browser and you can open a new browser to surf the Internet. If the connection...

Page 84: ...ernet port 1 must be forwarded to PVC1 and vice versa. The traffic from Ethernet port 2 must be forwarded to PVC2 and vice versa. The traffic from Ethernet port 3 must be forwarded to PVC3 and vice versa. 16. How to configure packet filter on P-661H-D. The P-661H-D allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You can apply up to four filter...

Page 85: ...hem by the command sys filter set index <set> <rule> (usage: set = 1-12, rule = 1-6). Commonly the preconfigured filter sets are as follows: set 2, rules 1-6; set 3, rule 1; set 4, rule 1 (sys filter set display, for example). These could satisfy most requirements; you can select any of them to apply to the WAN node or LAN interface on demand. The command is as follows. Apply to WAN node: wan node index <node> (usage: node = 1-8, cor...

Page 86: ...ys filter set. You can configure a filter rule on demand; the newest command list is available in the release note. sys filter set save: don't forget to save the rule every time you've configured it. Reference commands: sys filter set index <set> <rule>: set the index of the filter set/rule; you must apply this command first, before you begin to configure the filter rules. sys filter set name <set> <name>: set the name of...

Page 87: ...log <type 0-3: none|match|notmatch|both>: set the log type; it can be 0-3 (none, match, not match, both). sys filter set actmatch <type 0-2: checknext|forward|drop>: set the action on match. sys filter set actnomatch <type 0-2: checknext|forward|drop>: set the action on no match. sys filter set offset: set the offset for a generic rule. sys filter set length: set the length for a generic rule. sys filter set mask: set the...
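Added example, not from the ZyXEL note: a Python model of how a filter set is walked, using the actmatch/actnomatch values (checknext/forward/drop) and log types (none/match/notmatch/both) listed above, together with the 12-set, 6-rule and four-applied-set limits from this section. It shows the ordering pitfall a practitioner checks for: an early rule whose no-match action is forward ends the walk, so later drop rules never run. The rule names, the match predicates, the constructed sample packets and the assumption that a set which reaches its last rule with only checknext decisions forwards the packet are mine, not ZyNOS behaviour documented on the page.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, List, Tuple


class Action(IntEnum):          # sys filter set actmatch / actnomatch <type 0-2>
    CHECKNEXT = 0
    FORWARD = 1
    DROP = 2


class LogType(IntEnum):         # sys filter set log <type 0-3>
    NONE = 0
    MATCH = 1
    NOTMATCH = 2
    BOTH = 3


MAX_SETS, MAX_RULES, MAX_APPLIED = 12, 6, 4


@dataclass(frozen=True)
class Packet:
    proto: int
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    actmatch: Action
    actnomatch: Action
    log: LogType = LogType.NONE


def tcp_to_port(port: int) -> Callable[[Packet], bool]:
    return lambda p: p.proto == 6 and p.dport == port


def apply_filter_set(rules: List[Rule], pkt: Packet) -> Tuple[str, List[str]]:
    """Walk the rules in order. Each rule yields its match action or its no-match
    action; forward/drop end the walk, checknext continues. Returns the verdict
    plus the log lines the rules' log types would have produced."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"a filter set holds at most {MAX_RULES} rules")
    log: List[str] = []
    for rule in rules:
        hit = rule.match(pkt)
        if hit and rule.log in (LogType.MATCH, LogType.BOTH):
            log.append(f"{rule.name}: match")
        if not hit and rule.log in (LogType.NOTMATCH, LogType.BOTH):
            log.append(f"{rule.name}: notmatch")
        action = rule.actmatch if hit else rule.actnomatch
        if action == Action.FORWARD:
            return "forward", log
        if action == Action.DROP:
            return "drop", log
    # Assumption of this example: a packet that reaches the end of a set with only
    # checknext decisions is forwarded (the set expressed no verdict on it).
    return "forward", log


def validate_applied_sets(indexes: List[int]) -> List[int]:
    """Sets applied to a WAN node or LAN interface: at most four, each 1-12."""
    if len(indexes) > MAX_APPLIED:
        raise ValueError(f"at most {MAX_APPLIED} filter sets can be applied")
    for i in indexes:
        if not 1 <= i <= MAX_SETS:
            raise ValueError(f"filter set index {i} is out of range 1-{MAX_SETS}")
    return indexes


# Both sets intend to block inbound telnet (tcp/23) and HTTP (tcp/80) to the router.
GOOD_SET = [
    Rule("block telnet", tcp_to_port(23), Action.DROP, Action.CHECKNEXT, LogType.MATCH),
    Rule("block http", tcp_to_port(80), Action.DROP, Action.CHECKNEXT, LogType.MATCH),
]
# Same rules, but rule 1's no-match action is FORWARD: anything that is not telnet
# is forwarded immediately and the HTTP rule is never consulted.
BAD_SET = [
    Rule("block telnet", tcp_to_port(23), Action.DROP, Action.FORWARD, LogType.MATCH),
    Rule("block http", tcp_to_port(80), Action.DROP, Action.CHECKNEXT, LogType.MATCH),
]

if __name__ == "__main__":
    http = Packet(6, "192.168.1.1", 80)     # constructed sample packet
    print(apply_filter_set(GOOD_SET, http))  # dropped by rule 2
    print(apply_filter_set(BAD_SET, http))   # forwarded by rule 1's no-match action
```

When reviewing a set on the router, read actnomatch on every rule except the last: in a deny-list style set it should be checknext, otherwise the rules after it are dead.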

Page 88: ...box. II. ZyXEL VPN solution; Avaya VPN; Netopia VPN. III. VPN. The tested VPN software is shown below: Checkpoint VPN software; WIN2K VPN software; Soft-PK VPN software; Linux FreeS/WAN VPN; SSH Sentinel; Intel VPN client software. Let's focus on how to configure a VPN tunnel on the Prestige now. Prestige to Prestige Tunnel: as the figure below shows, the tunnel between Prestige 1 and Prestige 2 ensures the packet...

Page 89: ...update its dynamic IP to the fixed side. If both VPN gateways use dynamic IPs, we need a DDNS service to implement it. You can finish the configuration via the Web Configurator on the Prestige. Step 1: Set up Prestige A. 1. Using a web browser, log in to the Prestige Web Configurator by giving the LAN IP address of the Prestige in the URL field. The default LAN IP is 192.168.1.1 and the default password to log in to the web configurator is 1234 (change it after first login). Not...

Page 90: ...t in the example, to this policy. Set IPSec Key Mode to IKE, Negotiation Mode to Main and Encapsulation Mode to Tunnel, just the same as we will configure on Prestige B. 5. Fill in the local and remote secure hosts' information in the Local and Remote fields. Local Address Type is Single and IP Address Start is PC 1's IP, 192.168.1.33 in the example. Remote Address Type is Single and IP Address Start is P...

Page 91: ...VPN secure gateways. As in the example, we've finished this field on Prestige A; then, when we configure Prestige B, we should make it fit the following table. Local ID Type: Prestige A = IP, Prestige B = IP. Local ID Content: Prestige A = 0.0.0.0, Prestige B = 0.0.0.1. Peer ID Type: Prestige A = IP, Prestige B = IP. Peer ID Content: Prestige A = 0.0.0.1, Prestige B = 0.0.0.0. 7. Fill in VPN Protocol, Pre-Shared Key, Encryption Algorithm and Authentication Algorithm in the Security Protocol field. Select one VPN Protoc...

Page 92: ...you need to configure the same on Prestige B. We don't do any advanced setup in the example. Then we have finished the configuration on Prestige A. Step 2: Set up Prestige B. Similar to the settings for Prestige A, Prestige B is configured in the same way except that: 1. Local Address Type is Single and IP Address Start is PC 2's IP, 192.168.2.33 in the example. Remote Address Type is Single and IP Address S...

Page 93: ...Monitor. On the P-661H-D Web Configurator, Security -> VPN -> Monitor, you can check every active IPSec connection. The VPN Name, Encapsulation and IPSec Algorithm will be shown in the Monitor table. If you can't see the name of your IPSec rule, it means that the SA establishment failed; you need to go to the VPN Setup page to check your settings, or use the CI command ipsec debug on. If the Monitor shows that the VPN tunne...

Page 94: ...w IPSec Log. We can also view the log for IPSec and IKE connections for troubleshooting. On the P-661H-D we can check the logs via the Web Configurator or the CLI. The log menu is also useful for troubleshooting; please capture it for us if necessary. For example, select IPSec and IKE in Web Configurator, Maintenance -> Logs -> Log Settings. Then, after a successful or failed VPN connection, we can view the relevant informati...

Page 95: ...case W2K won't capture the dynamic IP address automatically for you. You have to obtain your dynamic IP address and then go back to the IPSec configuration to set up your current IP address. Prestige dynamic WAN IP vs. peer-side static IP. We need to note: 1. In the VPN settings of the Prestige, please specify the IP address of My IP as 0.0.0.0; the Prestige will automatically bind its current WAN IP address to IPSec. 2. ...

Page 96: ...igeA, configure My IP as 0.0.0.0 and Secure Gateway as the dynamic domain name of PrestigeB. Step 3: In PrestigeB, configure My IP as 0.0.0.0 and Secure Gateway as the dynamic domain name of PrestigeA. Step 4: You can initiate the VPN tunnel from PrestigeA or PrestigeB with this solution. 2. Prestige vs. 3rd Party. This is highly dependent on which kind of 3rd party you use. Generally speaking, this 3rd party VPN...

Page 97: ...between branch offices through headquarters, so that whenever branch office A wants to talk to branch office B, headquarters acts as a VPN relay. Users benefit from such an application when the number of branch offices is very large, because no additional VPN tunnels between branch offices are needed. In this support note we skip the detailed configuration steps for Internet access and presume that...

Page 98: ...with the name Branch_A. The configuration is the same as the Prestige to Prestige Tunnel; just the IP addresses are a little different. 1. Local Address Type is Range Address, IP Address Start is 192.168.3.0 and IP Address End is 192.168.3.255. This section covers the LAN segment of branch office A. Remote Address Type is Range Address, IP Address Start is 192.168.1.0 and IP Address End is 192.168.2.255. This section...

Page 99: ...ess End is 192.168.1.255. This section covers the LAN segment of the headquarters office. 2. My IP Address is the WAN IP of the Prestige in Branch_B, 202.2.1.1 in the example. Secure Gateway Address is the IP address of Headquarter, 202.1.1.1 in the example. 3. Suppose the pre-shared key is 01234567 (an example value only; use a long random key in production); we should configure the same key in the corresponding rule on the Headquarter VPN gateway. 4. You can set up IKE phase 1 and ph...

Page 100: ...Headquarter office. Remote Address Type is Range Address, IP Address Start is 192.168.3.0 and IP Address End is 192.168.3.255. This section covers the LAN segment of branch office A. 2. My IP Address is the IP address of Headquarter, 202.1.1.1 in the example. Secure Gateway Address is the WAN IP of the Prestige in Branch_A, 202.3.1.1 in the example. 3. Suppose the pre-shared key is 01234567; we should configure the...

Page 101: ...for Branch_B_2 in headquarters. 1. Local Address Type is Range Address, IP Address Start is 192.168.3.0 and IP Address End is 192.168.3.255. This section covers the LAN segment of branch office A. Remote Address Type is Range Address, IP Address Start is 192.168.2.0 and IP Address End is 192.168.2.255. This section covers the LAN segment of branch office B. 2. My IP Address is the IP address of Headquarter...
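To check a hub-and-spoke configuration like the one above before bringing the tunnels up, the following Python (added here; not the note's own material) holds the rule tables of the three gateways, verifies that every rule has an exact mirror image on its peer (swapped My IP / Secure Gateway, swapped local/remote range) and traces which rule carries a packet at each hop, so the relay through headquarters becomes visible. Ranges the note prints are used as-is; the Branch_B rules, headquarters' Branch_A local range and the Branch_B_2 rule on the Branch B gateway are assumptions derived from the mirror requirement, and the function names are mine.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

Range = Tuple[str, str]     # (IP Address Start, IP Address End) as typed in the rule


@dataclass(frozen=True)
class VpnRule:
    name: str
    my_ip: str      # "My IP Address": this gateway's WAN IP
    peer: str       # "Secure Gateway Address"
    local: Range    # Local Address Type = Range Address
    remote: Range   # Remote Address Type = Range Address


def in_range(ip: str, rng: Range) -> bool:
    return IPv4Address(rng[0]) <= IPv4Address(ip) <= IPv4Address(rng[1])


# LAN segment behind each gateway and its WAN IP (from the note's example).
LANS: Dict[str, Range] = {
    "Branch_A": ("192.168.3.0", "192.168.3.255"),
    "Branch_B": ("192.168.2.0", "192.168.2.255"),
    "Headquarter": ("192.168.1.0", "192.168.1.255"),
}
WAN: Dict[str, str] = {"Branch_A": "202.3.1.1", "Branch_B": "202.2.1.1", "Headquarter": "202.1.1.1"}

# Rules per gateway. Lines marked "assumed" fill in ranges the note does not print;
# they are the mirror images the note's configuration implies.
RULES: Dict[str, List[VpnRule]] = {
    "Branch_A": [
        VpnRule("Branch_A", "202.3.1.1", "202.1.1.1",
                ("192.168.3.0", "192.168.3.255"), ("192.168.1.0", "192.168.2.255")),
    ],
    "Branch_B": [
        VpnRule("Branch_B", "202.2.1.1", "202.1.1.1",            # local range assumed
                ("192.168.2.0", "192.168.2.255"), ("192.168.1.0", "192.168.1.255")),
        VpnRule("Branch_B_2", "202.2.1.1", "202.1.1.1",          # assumed: mirror of HQ's Branch_B_2
                ("192.168.2.0", "192.168.2.255"), ("192.168.3.0", "192.168.3.255")),
    ],
    "Headquarter": [
        VpnRule("Branch_A", "202.1.1.1", "202.3.1.1",            # local range assumed
                ("192.168.1.0", "192.168.2.255"), ("192.168.3.0", "192.168.3.255")),
        VpnRule("Branch_B", "202.1.1.1", "202.2.1.1",            # assumed: mirror of Branch_B's rule
                ("192.168.1.0", "192.168.1.255"), ("192.168.2.0", "192.168.2.255")),
        VpnRule("Branch_B_2", "202.1.1.1", "202.2.1.1",
                ("192.168.3.0", "192.168.3.255"), ("192.168.2.0", "192.168.2.255")),
    ],
}


def gateway_of(ip: str) -> str:
    """Gateway whose LAN contains ip."""
    for name, rng in LANS.items():
        if in_range(ip, rng):
            return name
    raise LookupError(f"{ip} is not on any known LAN")


def gateway_by_wan(wan_ip: str) -> str:
    for name, ip in WAN.items():
        if ip == wan_ip:
            return name
    raise LookupError(f"no gateway has WAN IP {wan_ip}")


def select_rule(gateway: str, src: str, dst: str) -> Optional[VpnRule]:
    """The rule whose local range holds src and remote range holds dst, if any."""
    for rule in RULES[gateway]:
        if in_range(src, rule.local) and in_range(dst, rule.remote):
            return rule
    return None


def mirror_of(rule: VpnRule) -> Optional[VpnRule]:
    """The peer's rule with swapped gateways and swapped local/remote selectors.
    Without it the two sides propose different phase 2 selectors and no SA is built."""
    for cand in RULES[gateway_by_wan(rule.peer)]:
        if cand.peer == rule.my_ip and cand.local == rule.remote and cand.remote == rule.local:
            return cand
    return None


def trace_path(src: str, dst: str) -> List[str]:
    """gateway:rule chosen at each hop from src's gateway until dst's LAN is reached."""
    hops: List[str] = []
    gw = gateway_of(src)
    while not in_range(dst, LANS[gw]):
        rule = select_rule(gw, src, dst)
        if rule is None:
            raise LookupError(f"{gw}: no VPN rule covers {src} -> {dst}")
        if mirror_of(rule) is None:
            raise LookupError(f"{gw}: rule {rule.name} has no mirror image on its peer")
        hops.append(f"{gw}:{rule.name}")
        gw = gateway_by_wan(rule.peer)
        if len(hops) > len(RULES):
            raise RuntimeError("relay loop between gateways")
    return hops


if __name__ == "__main__":
    print(trace_path("192.168.3.10", "192.168.2.20"))   # branch A -> HQ -> branch B
```

Branch A gets by with one rule because headquarters (192.168.1.0/24) and branch B (192.168.2.0/24) form the contiguous range 192.168.1.0-192.168.2.255; branch B's own LAN sits between the other two, so it needs a rule per destination, and headquarters needs the matching mirrors for each.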

Page 102: ...ceIP:port, destIP:port. There are two ways to dump the trace. Online Trace: display the trace in real time on screen. Offline Trace: capture the trace first and display it later. The details for capturing the trace in the CLI are as follows. First of all you need to telnet to the P-661H-D. The password is the Administrator password, admin by default. Online Trace: 1. Trace LAN packets. Disable capture of WAN packets b...

Page 103: ...nable capture of WAN packets by entering sys trcp channel mpoa00 bothway. Enable the trace log by entering sys trcp sw on and sys trcl sw on. Display the brief trace online by entering sys trcd brief. Display the detailed trace online by entering sys trcd parse. Example. All contents copyright 2006 ZyXEL Communications Corporation...

Page 104: ...nel enet0 bothway. Enable the trace log by entering sys trcp sw on and sys trcl sw on. Wait for packets to pass through the Prestige over the LAN. Disable the trace log by entering sys trcp sw off and sys trcl sw off. Display the trace briefly by entering sys trcp brief. Display specific packets by using sys trcp parse <from_index> <to_index>...

Page 105: ...per Terminal. Step 1: Initiate a HyperTerminal connection from your PC; suppose you are connected to the LAN port of the P-661H-D. Step 2: Click Properties to configure the parameters to telnet to the P-661H-D...

Page 106: ...Step 3: So that after you invoke the relevant commands you can save the logs you've captured...

Page 107: ...t before running the TFTP software. Step 2: Type the CI command sys stdio 0 to disable the console idle timeout in the Command Line Interface (CLI). Step 3: Run the TFTP client software. Step 4: Enter the IP address of the Prestige. Step 5: To upload the firmware, please save the remote file as ras to the Prestige. After the transfer is complete, the Prestige will program the upgraded firmware into FLASH ROM and reboot it...

Page 108: ...2. Using TFTP to upload/download SMT configurations via LAN. Step 1: TELNET to your Prestige first, before running the TFTP software. Step 2: Type the command sys stdio 0 to disable the console idle timeout in the Command Line Interface (CLI). Step 3: Run the TFTP client software. Step 4: To download the P-661H-D configuration, please get the remote file rom-0 from the Prestige. Step 5: To upload the P-661H-D configurat...

Page 109: ...igurations via LAN: c:\> tftp -i PrestigeIP put localfile rom-0. Step 5: Download P-661H-D configurations via LAN: c:\> tftp -i PrestigeIP get rom-0 localfile. Using the TFTP command on UNIX. Before you begin: 1. TELNET to your Prestige first, before using the TFTP command. 2. Type the CI command sys stdio 0 to disable the console idle timeout in the Command Line Interface (CLI). Example: [cppwu@faelinux cppwu]$ telnet 192.168.1.1 Trying...

Page 110: ...me for the firmware is ras and the configuration file is rom-0. Step 1: Use an FTP client from your workstation to connect to the Prestige by entering the IP address of the Prestige. Step 2: Press the Enter key to skip the username, because the Prestige does not check the username. Step 3: Enter the CLI password as the FTP login password; the default is admin. Step 4: Enter the command bin to set the transfer type to...

Page 111: ...rname prompt. Step 3: To upload the firmware file, we transfer the local ras file to overwrite the remote ras file. To upload the configuration file, we transfer the local rom-0 to overwrite the remote rom-0 file...

Page 112: ...Step 4: The Prestige reboots automatically after the upload is finished. Please do not power off the router at this moment...

Page 113: ...ce. 1. Shows the following commands and all major sub-commands. 2. exit: exit the subcommand. To get the latest CI command list: the latest CI command list is available in the release note of every ZyXEL firmware release. Please go to the ZyXEL public web site http://www.zyxel.com/support/download_index.php to download the firmware package (zip); you should unzip the package to get the release note in PDF format...
