background image

                                         

P-661HW-D Series Support Notes

 

 

Configure an Internal Server behind SUA   

 

Introduction  

If you wish, you can make internal servers (e.g., Web, ftp or mail server) 
accessible for outside users, even though SUA makes your LAN appear as a 
single machine to the outside world. A service is identified by the port number. 
Also, since you need to specify the IP address of a server behind the 
P-661HW-D, a server must have a fixed IP address and not be a DHCP client 
whose IP address potentially changes each time P-661HW-D is powered on.   

In addition to the servers for specific services, SUA supports a default server. 
A service request that does not have a server explicitly designated for is 
forwarded to the default server. If the default server is not defined, the service 
request is simply discarded.   

Configuration  

To make a server visible to the outside world, specify the port number of the 
service and the inside address of the server in Web Configurator, Advanced 

                                     

55 

All contents copyright © 2006 ZyXEL Communications Corporation. 

 

Summary of Contents for P-661HW-D Series

Page 1: ...P 661HW D Series 802 11g Wireless ADSL2 4 port Security Gateway Support Notes Version3 40 Mar 2006 ...

Page 2: ... 11 15 What are Device filters and Protocol filters 11 16 How can I protect against IP spoofing attacks 11 Product FAQ 13 1 How can I manage P 661HW D 13 2 What is the default password for Web Configurator 13 3 What s the difference between Common User Account and Administrator Account 13 4 How do I know the P 661HW D s WAN IP address assigned by the ISP 13 5 What is the micro filter or splitter u...

Page 3: ...ed a firewall when your router has packet filtering and NAT built in 23 6 What is Denials of Service DoS attack 23 7 What is Ping of Death attack 24 8 What is Teardrop attack 24 9 What is SYN Flood attack 24 10 What is LAND attack 24 11 What is Brute force attack 25 12 What is IP Spoofing attack 25 13 What are the default ACL firewall rules in P 661HW D 25 Configuration 25 1 How do I configure the...

Page 4: ...VPN support 34 4 What types of authentication does P 661HW D VPN support 34 5 I am planning my P 661HW D VPN configuration What do I need to know 34 6 Does P 661HW D support dynamic secure gateway IP 35 7 What VPN gateway has been tested with P 661HW D successfully 35 8 What VPN software has been tested with P 661HW D successfully 36 11 How do I configure P 661HW D with NAT for internal servers 37...

Page 5: ...curity mode does P 661HW D support 42 16 What Wireless standard does P 661HW D support 42 17 Does P 661HW D support MAC filtering 42 18 Does P 661HW D support auto rate adaption 42 Advanced FAQ 42 1 What is Ad Hoc mode 42 2 What is Infrastructure mode 42 3 How many Access Points are required in a given area 42 4 What is Direct Sequence Spread Spectrum Technology DSSS 43 5 What is Frequency hopping...

Page 6: ... 15 How could I configure triple play on P 661HW D 93 16 How to configure packet filter on P 661HW D 93 IPSEC VPN Application Notes 97 1 How to use P 661HW D to build VPN Tunnel with another VPN Gateway Software 97 2 How to build a VPN between Secure Gateway with Dynamic WAN IP Address 103 3 Configure NAT for internal servers 105 4 VPN Routing between Branch Office through Headquarter106 Wireless ...

Page 7: ... Notes Using TFTP command on Windows NT 141 Using TFTP command on UNIX 141 3 Using FTP to Upload the Firmware and Configuration Files 142 CI Command Reference 145 6 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 8: ...efault 4 How do I update the firmware and configuration file You can do this if you access the P 661HW D as Administrator You can upload the firmware and configuration file to Prestige from Web Condigurator or using FTP or TFTP client software You CAN NOT upload the firmware and configuration file via Telnet because the Telnet connection will be dropped during uploading the firmware Please do not ...

Page 9: ... forget the system password In case you forget the system password you can erase the current configuration and restore factory defaults this way Use the RESET button on the rear panel of P 661HW D to reset the router After the router is reset the LAN IP address will be reset to 192 168 1 1 the common user password will be reset to user the Administrator password will be reset to 1234 8 How to use ...

Page 10: ... will be three options for you None SUA Only Full Feature SUA Single User Account in previous ZyNOS versions is a NAT set with 2 rules Many to One and Server With SUA visible servers had to be mapped to different ports since the servers share only one global IP The P 661HW D now has Full Feature NAT which supports five types of IP Port mapping One to One Many to One Many to Many Overload Many to M...

Page 11: ...ress 13 What IP Port mapping does Multi NAT support Multi NAT supports five types of IP port mapping One to One Many to One Many to Many Overload Many to Many No Overload and Server The details of the mapping between ILA and IGA are described as below Here we define the local IP addresses as the Internal Local Addresses ILA and the global IP addresses as the Inside Global Address IGA One to One In...

Page 12: ...wanif0 to view the current active NAT sessions 15 What are Device filters and Protocol filters In ZyNOS the filters have been separated into two groups One group is called device filter group and the other is called protocol filter group Generic filters belong to the device filter group TCP IP and IPX filters belong to the protocol filter group You can configure the filter rule in CLI Note In ZyNO...

Page 13: ...dress on your local network and w x y z is your netmask For the output data filters Deny bounce back packet Allow packets that originate from us Filter rule setup Filter Type TCP IP Filter Rule Active Yes Destination IP Addr a b c d Destination IP Mask w x y z Action Matched Drop Action No Matched Forward Where a b c d is an IP address on your local network and w x y z is your netmask 12 All conte...

Page 14: ...you change it The system will lock you out if you have forgotten your password 3 What s the difference between Common User Account and Administrator Account For Common User Account it can only access the status monitor of P 661HW D and check the current system status For Administrator Account besides accessing the status monitor of P 661HW D it can also access Winzard setup Advanced setup of P 661...

Page 15: ...me and password on your computer to connect to the ISP you are probably using PPPoE If you are simply connected to the Internet when you turn on your computer you probably are not You can also check your ISP or the information sheet given by the ISP Please choose PPPoE as the encapsulation type in the P 661HW D if the ISP uses PPPoE 8 Why does my provider use PPPoE PPPoE emulates a familiar Dial U...

Page 16: ...d to the same IP address as yourhost dyndns org This feature is useful when there are multiple servers inside and you want users to be able to use things such as www yourhost dyndns org and still reach your hostname Yes the P 661HW D supports DDNS wildcard that http www dyndns org supports When using wildcard you simply enter yourhost dyndns org in the Host field in Menu 1 1 Configure Dynamic DNS ...

Page 17: ...d aims at boosting the efficiency of the bandwidth If there are serveral VCs in the P 661HW D but only one VC activated at one time the P 661HW D allocates all the Bandwidth to the VC and the VC gets full bandwidth If another VCs are activated later the bandwidth is yield to other VCs after ward 15 Why do we perform traffic shaping in the P 661HW D The P 661HW D must manage traffic fairly and prov...

Page 18: ...lt PCR as 5424 cell sec 17 What do the ATM QoS Types CBR UBR VBR nRT VBR RT mean Constant bit rate CBR An ATM bandwidth allocation service that requires the user to determine a fixed bandwidth requirement at the time the connection is set up so that the data can be sent in a steady stream CBR service is often used when transmitting fixed rate uncompressed video Unspecified bit rate UBR An ATM band...

Page 19: ...ring You can also specify trusted IP Addresses on LAN for which the P 661HW D will not perform content filtering You can configure the details about it in Web Configurator Advanced setup Security Content Filter 18 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 20: ...s for many years Additionally many of the older cable networks are not capable of offering a return channel consequently such networks will need significant upgrading before they can offer high bandwidth services 2 What is the expected throughput In our test we can get about 1 6Mbps data rate on 15Kft using the 26AWG loop The shorter the loop the better the throughput is 3 What is the microfilter ...

Page 21: ...fore the VC based multiplexing is more efficient 7 How do I know the details of my ADSL line statistics You can use the following CI commands to check the ADSL line statistics CI wan adsl perfdata CI wan adsl status CI wan adsl linedata far CI wan adsl linedata near You can also do it in Web Configurator Advanced Setup Maintenance Diagnostic DSL Line DSL Status 8 What are the signaling pins of the...

Page 22: ...require different Qulity of Service The high priority is Voice VoIP data The Medium priority is Video IPTV data The low priority is internet access such as ftp etc Triple Play is a port based policy to forward packets from different LAN port to different PVCs thus you can configure each PVC separately to assign different QoS to different application 21 All contents copyright 2006 ZyXEL Communicati...

Page 23: ...te LAN are invisible to the Internet 3 What are the basic types of firewalls Conceptually there are three types of firewalls 1 Packet Filtering Firewall 2 Application level Firewall 3 Stateful Inspection Firewall Packet Filtering Firewalls generally make their decisions based on the header information in individual packets These headers information include the source destination addresses and port...

Page 24: ...es that enhance the filtering process and control the network session rather than control individual packets in a session 4 The P 661HW D s firewall is fast It uses a hashing function to search the matched session cache instead of going through every individual rule for a packet 5 The P 661HW D s firewall provides email service to notify you for routine reports and when alerts occur 5 Why do you n...

Page 25: ... IP fragments with overlapping offset fields When these fragments are reassembled at the destination some systems will crash hang or reboot 9 What is SYN Flood attack SYN attack floods a targeted system with a series of SYN packets Each packet causes the targeted system to issue a SYN ACK response While the targeted system waits for the ACK that follows the SYN ACK it queues up all outstanding SYN...

Page 26: ...magnify the effect of the DoS attack IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network To engage in IP Spoofing a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or f...

Page 27: ...rator Telnet over WAN There are four reasons that WWW Telnet from WAN is blocked 1 When the firewall is turned on all connections from WAN to LAN are blocked by the default ACL rule To enable Telnet from WAN you must turn the firewall off or create a firewall rule to allow WWW Telnet connection from WAN The WAN to LAN ACL summary will look like as shown below WWW For accessing Web Configurator Sou...

Page 28: ...4 Why can t I upload the firmware and configuration file using FTP over WAN 1 When the firewall is turned on all connections from WAN to LAN are blocked by the default ACL rule To enable FTP from WAN you must turn the firewall off or create a firewall rule to allow FTP connection from WAN The WAN to LAN ACL summary will look like as shown below Source IP FTP host Destination IP P 661HW D s WAN IP ...

Page 29: ...enerated automatically with factory default setting but you can change it in Web Configurator 2 What does the log show to us The log supports up to 128 entries There are 5 columns for each entry Please see the example shown below 3 How do I view the firewall log All logs generated in P 661HW D including firewall logs IPSec logs system logs are migrated to centralized logs So you can view firewall ...

Page 30: ...b configuration Advanced Setup Maintenance Logs Log Settings 4 When does the P 661HW D generate the firewall alert The P 661HW D generates the alert when an attack is detected by the firewall and sends it via Email So to send the alert you must configure the mail server and Email address using Web Configurator Advanced Setup Maintenance Logs Log Settings You can also specify how frequently you wan...

Page 31: ...th encryption VPN guarantees the confidentiality of the original user data Cost 1 Cut long distance phone charges Because users typically dial the their local ISP for VPN thus long distance phone charge is reduced than making a long direct connection to the remote office 2 Reducing number of access lines Many companies pay monthly charges for two types access lines 1 high speed links for their Int...

Page 32: ...ces allow for authentication integrity access control and confidentiality IPSec allows for the information exchanged between remote sites to be encrypted and verified You can create encrypted tunnels VPNs or just do encryption between computers Since you have so many options IPSec is truly the most extensible and complete network security solution 7 What secure protocols does IPSec support There a...

Page 33: ...d because you have to share it with another party before you can communicate with them over a secure connection 12 What are the differences between IKE and manual key VPN The only difference between IKE and manual key is how the encryption keys and SPIs are determined For IKE VPN the key and SPIs are negotiated from one VPN gateway to the other Afterward two VPN gateways use this negotiated keys a...

Page 34: ...choosen you can still use a random string as the content such as this_is_Prestige It s not neccessary to follow the format exactly By default the device takes IP as phase 1 ID type for itself and it s remote peer But if it s remote peer is using DNS or E mail you have to ajust the settings to pass phase 1 ID checking 15 When should I use FQDN If your VPN connection is Preatige to Prestige and both...

Page 35: ...de authentication integrity replay protection and confidentiality of the data it secures everything in the packet that follows the header Replay protection requires authentication and integrity these two go always together Confidentiality encryption can be used with or without authentication integrity Similarly one could use authentication integrity with or without confidentiality 5 I am planning ...

Page 36: ... the Secure Gateway IP Address in P 661HW D In this case the VPN connection can only be initiated from dynamic side to fixed side in order to update its dynamic IP to the fixed side If both gateways use dynamic IP addresses we can use DDNS on one side For example Both sides are dynamic IP address Router A DDNS enabled Router B Secure GW DNS name With DDNS support through the Router A s WAN IP chan...

Page 37: ... SecGo IPSec for Windows F Secure IPSec for Windows KAME IPSec for UNIX Nortel IPSec for UNIX Intel VPN v 6 90 FreeS WAN for Linux SSH Remote ISAKMP Testing Page http isakmp test ssh fi cgi bin nph isakmp test Windows 2000 IPSec 9 What is the difference between the My IP Address and Secure Gateway IP Address in VPN Setup Web Page My IP Adderss is the Internet IP address of the local P 661HW D The ...

Page 38: ... know Suppose host P 661HW D NAT Router Internet Secure host Some tips for the configuration 1 The NAT router must support to pass through IPSec protocol Only ESP tunnel mode is possible to work in NAT case Default port UDP Port 500 and the P 661HW D s WAN IP must be configured in NAT Router s SUA NAT Server Table 2 On the Secure host side WAN IP of the NAT router is the tunneling endpoint for thi...

Page 39: ...or NAT Firewall If the VPN connection is initiated from the security gateway outside of P 661HW D NAT port forwarding and Firewall forwarding are necessary To configure NAT port forwarding please go to Web Configurator Network NAT Port Forwarding put the secure gateway s IP address in default server To configure Firewall forwarding please go to Web Configurator Security Firewall Rules select Packe...

Page 40: ... and can eliminate the need to pull cable through walls and ceilings Installation Flexibility Wireless technology allows the network to go where wire cannot go Reduced Cost of Ownership While the initial investment required for wireless LAN hardware can be higher than the cost of wired LAN hardware overall installation expenses and life cycle costs can be significantly lower Long term cost benefit...

Page 41: ...sh Time Frequency Band GHZ Data Rate Mbps Compatibility IEEE802 11a 1999 UNII Band 5 15 5 825 6 9 12 18 24 36 48 54 Only work with 802 11a devices IEEE802 11b 1999 ISM Band 2 4 2 4835 1 2 5 5 11 IEEE802 11g 2001 ISM Band 2 4 2 4835 6 9 12 18 24 36 48 54 Backward compatible with 802 11b devices 7 Is it possible to use wireless products from a variety of vendors Yes As long as the products comply to...

Page 42: ...ll Transmitting through a wall is possible depending upon the material used in its construction In general metals and substances with a high water content do not allow radio waves to pass through Metals reflect radio waves and concrete attenuates radio waves The amount of attenuation suffered in passing through concrete will be a function of its thickness and amount of metal re enforcement used 12...

Page 43: ...ate adaption Yes it means that the AP on P 661HW D will automatically decelerate when devices move beyond the optimal range or other interference is present If the device moves back within the range of a higher speed transmission the connection will automatically speed up again Rate shifting is a physical layer mechanism transparent to the user and the upper layers of the protocol stack Advanced F...

Page 44: ...11 may use FHSS or DSSS 6 Do I need the same kind of antenna on both sides of a link No Provided the antenna is optimally designed for 2 4GHz or 5GHz operation WLAN NICs often include an internal antenna which may provide sufficient reception 7 Why the 2 4 GHZ Frequency range This frequency range has been set aside by the FCC and is generally labeled the ISM band A few years ago Apple and several ...

Page 45: ...A is a subset of the IEEE 802 11i security specification draft Key differences between WAP and WEP are user authentication and improved data encryption WAP applies IEEE 802 1x Extensible Authentication Protocol EAP to authenticate wireless clients using an external RADIUS database You can not use the P 661HW D s local user database for WPA authentication purpose since the local user database uses ...

Page 46: ...ing 802 11 wireless traffic 8 By turning off the broadcast of SSID can someone still sniff the SSID Many APs by default have broadcasting the SSID turned on Sniffers typically will find the SSID in the broadcast beacon packets Turning off the broadcast of SSID in the beacon message a common practice does not prevent getting the SSID since the SSID is sent in the clear in the probe message when a c...

Page 47: ...rity mode automatically with just one touch at the reset button on rear panel To use this function on P 661HW D you could press the reset button on P 661HW D for 1 5 seconds the OTIST is actived The P 661HW D will enhance the Wireless Security Level to WPA PSK automatically if no WLAN security has been set The default setup key for OTIST is 01234567 46 All contents copyright 2006 ZyXEL Communicati...

Page 48: ...onnection To connect your computer to the P 661HW D s LAN port the computer must have an Ethernet adapter card installed For connecting a single computer to the P 661HW D we use a Ethernet cable 2 TCP IP configuration In most cases the IP address of the computer is assigned by the ISP dynamically so you have to configure the computer as a DHCP client which obtains the IP from the ISP using DHCP pr...

Page 49: ...u how to configure your P 661HW D as bridge mode We will use Web Configurator to guide you through the related menu 1 Configure P 661HW D as bridge mode and configure Internet setup parameters in Web Configurator Advanced Setup Network WAN 48 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 50: ...661HW D in Web Configurator Advanced Setup Network LAN We use 192 168 1 1 as the LAN IP for P 661HW D in this case Step 1 Disactive DHCP Server and apply it Step 2 Assign an IP to the LAN Interface of P 661HW D e g 192 168 1 1 2 Internet Access Using P 661HW D under Routing mode For most Internet users having multiple computers want to share an Internet account for Internet access they have to ins...

Page 51: ...o the clients via DHCP if it is available For this setup in Windows we check the option Obtain an IP address automatically in its TCP IP setup Please see the example shown below Set up your P 661HW D under routing mode The following procedure shows you how to configure your P 661HW D as Routing mode for routing traffic We will use Web Configurator to guide you through the related menu 1 Configure ...

Page 52: ...d the DHCP settings in Web Configurator Advanced Setup Network LAN 3 Setup the P 661HW D as a DHCP Relay What is DHCP Relay DHCP stands for Dynamic Host Configuration Protocol In addition to the DHCP server feature the P 661HW D supports the DHCP relay function When it is configured as DHCP server it assigns the IP addresses to the LAN clients When it is configured as DHCP relay it is responsible ...

Page 53: ...er are configured in Web Configurator Advanced Setup Network NAT Port Forwarding the internal server or client applications can be accessed by using the P 661HW D s WAN IP Address SUA Supporting Table The following are the required Web Configurator Advanced Setup Network NAT Port Forwarding for the various applications running SUA mode ZyXEL SUA Supporting Table1 Required Settings in Port Forwardi...

Page 54: ...4032 client IP Default client IP Microsoft NetMeeting 2 1 3 013 None 1720 client IP 1503 client IP Cisco IP TV 2 0 0 None RealPlayer G2 None VDOLive None Quake1 064 None Default client IP QuakeII2 305 None Default client IP QuakeIII1 05 beta None StartCraft 6112 client IP Quick Time 4 0 None pcAnywhere 8 0 None 5631 client IP 5632 client IP 22 client IP IPsec ESP tunneling mode None one client onl...

Page 55: ... IP 4 Certain Quake servers do not allow multiple users to login using the same unique IP so only one Quake user will be allowed in this case Moreover when a Quake server is configured behind SUA P 661HW D will not be able to provide information of that server on the internet 5 Quake II has the same limitations as that of Quake I 6 P 661HW D supports MSN Messenger 4 6 4 7 5 0 video voice pass thro...

Page 56: ... fixed IP address and not be a DHCP client whose IP address potentially changes each time P 661HW D is powered on In addition to the servers for specific services SUA supports a default server A service request that does not have a server explicitly designated for is forwarded to the default server If the default server is not defined the service request is simply discarded Configuration To make a...

Page 57: ...1 10 1 Fill in the service name and server IP Address press button Add 2 If add successfully the Web Configurator will display message Configuration updated successfully at the bottom You can see the port forwarding rule on the same page the default port for Web Server is 80 3 If you want to change the port for Web Server you could press button Modify on corresponding rule then modify and apply it...

Page 58: ...ent you must be able to establish an IP connection with a tunnel server such as the Windows NT Server 4 0 Remote Access Server Windows Dial Up Networking uses the Internet standard Point to Point PPP to provide a secure optimized multiple protocol network connection over dial up telephone lines All data sent over this connection can be encrypted and compressed and multiple network level protocols ...

Page 59: ... the first dial up adapter that provides PPP support for the analog or ISDN modem The PPTP is supported in Windows NT and Windows 98 already For Windows 95 it needs to be upgraded by the Dial Up Networking 1 2 upgrade Configuration This application note explains how to establish a PPTP connection with a remote private network in the P 661HW D SUA case In ZyNOS all PPTP packets can be forwarded to ...

Page 60: ... protocols from RAS such as IPX TCP IP NetBEUI Set the Internet gateway to P 661HW D 2 PPTP client setup Win9x Add one VPN connection from Dial Up Networking by entering the correct username password and the IP address of the P 661HW D s Internet IP address for logging to NT RAS server Set the Internet gateway to the router that is connecting to ISP 3 P 661HW D setup Before making a VPN connection...

Page 61: ...ial up connection has been established Before making a VPN connection from the Win9x client to the NT server you need to know the exact Internet IP address that the ISP assigns to P 661HW D router in SUA mode and enter this IP address in the VPN dial up dialog box You can check this Internet IP address from PNC Monitor or S Web Configurator Status WAN Information If the Internet IP address is a fi...

Page 62: ...ull down menu on the right None NAT is disabled when you select this option Network Address Translation SUA Only When you select this option this remote node will use default SUA Address Mapping Set You can see it in CLI by command ip nat lookup 255 It s a read only sets with two rules Many to One and server mapping Select Full Feature when you require other mapping types Configuring NAT Address M...

Page 63: ...apply it When you select SUA Only the P 661HW D will use a default SUA Address Mapping set for it It has two rules Many to One and Server You can see it in CLI by command ip nat lookup 255 Please note that the fields in this menu are read only However the settings of the rule set 2 can be modified in Web Configurator Advanced Setup Network NAT Port Forwarding The following table explains the field...

Page 64: ...2 8 can only be configured in CLI Now let s begin with Web Configurator Firstly let s come to Web Configurator Advanced Setup Network NAT Address Mapping This menu is for Address Mapping Set 1 you can edit 10 Address Mapping Rules for Set 1 You can edit or remove a rule by clicking the two buttons on the rule table Click the Edit Button on the rule 1 then you can enter the window in which you can ...

Page 65: ...rt This is the starting global IP address IGA If you have a dynamic IP enter 0 0 0 0 as the Global Start IP 0 0 0 0 Global IP End This is the ending global IP address IGA This field is N A for One to One Many to One and Server types 200 1 1 64 Note For all Local and Global IPs the End IP address must begin after the IP Start address i e you cannot have an End IP address beginning before the Start ...

Page 66: ...ect NAT address mapping set and set mapping set name but set name is optional Example ip nat addrmap map 2 Test ip nat addrmap rule rule insert edit type local start IP local end IP global start IP global end IP server set Set NAT address mapping rule If the type is not inside server then the type field will still need a dummy value like 0 Type is 0 4 one to one many to one many to many overload m...

Page 67: ...eave it to be default value if you don t want this command ip nat server edit rule forwardip IP address Configure the LAN IP address to be forwarded ip nat server edit rule protocol TCP UDP ALL Configure the protocol to be used TCP UDP or ALL it must be capital NAT Server Sets The NAT Server Set is a list of LAN side servers mapped to external ports similar to the old SUA menu of before If you wis...

Page 68: ...ton Add to save it Step 3 You could click the button Edit on the rule to modify the Service name Server IP Address Start End Port The most often used port numbers are shown in the following table Please refer RFC 1700 for further information about port numbers Service Port Number FTP 21 Telnet 23 SMTP 25 DNS Domain Name Server 53 www http Web 80 PPTP Point to Point Tunneling Protocol 1723 Examples...

Page 69: ...re NAT and select an Address Mapping Set with a Many to One Rule See the following figure 2 Internet Access with an Internal Server In this case we do exactly as the figure use the convenient pre configured SUA Only set and also go to Web Configurator Advanced Setup Network NAT Port Forwarding to specify the Internet Server behind the NAT as 68 All contents copyright 2006 ZyXEL Communications Corp...

Page 70: ...by the following way using 4 NAT rules Rule 1 One to One type to map the FTP Server 1 with ILA1 192 168 1 10 to IGA1 200 0 0 1 Rule 2 One to One type to map the FTP Server 2 with ILA2 192 168 1 11 to IGA2 200 0 0 2 Rule 3 Many to One type to map the other clients to IGA3 200 0 0 3 Rule 4 Server type to map a web server and mail server with ILA3 192 168 1 20 to IGA3 Type Server allows us to specify...

Page 71: ...anced Setup Network NAT Address Mapping to begin configuring Address Mapping Set 1 We can see there are 10 blank rule table that could be configured See the following setup for the four rules in our case Rule 1 Setup Select One to One type to map the FTP Server 1 with ILA1 192 168 1 10 to IGA1 200 0 0 1 Rule 2 Setup Selecting One to One type to map the FTP Server 2 with ILA2 192 168 1 11 to IGA2 2...

Page 72: ... to map the other clients to IGA3 200 0 0 3 Rule 4 Setup Select Server type to map our web server and mail server with ILA3 192 168 1 20 to IGA3 Menu Network NAT Address Mapping should look as follows now 71 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 73: ...Friendly Applications Some servers providing Internet applications such as some mIRC servers do not allow users to login using the same IP address In this case it is better to use Many to Many No Overload or One to One NAT mapping types thus each user login to the server using a unique global IP address The following figure illustrates this 72 All contents copyright 2006 ZyXEL Communications Corpo...

Page 74: ...and retrieved This solves the problems if your DNS server uses an IP associated with dynamic IPs Without DDNS we always tell the users to use the WAN IP of the P 661HW D to access the internal server It is inconvenient for the users if this IP is dynamic With DDNS supported by the P 661HW D you apply a DNS name e g www zyxel com tw for your server e g Web server from a DDNS server The outside user...

Page 75: ...up the DDNS 1 Before configuring the DDNS settings in the P 661HW D you must register an account from the DDNS server such as WWW DYNDNS ORG first After the registration you have a hostname for your internal server and a password using to update the IP to the DDNS server 2 Login Web Configurator Advanced Setup Advanced Dynamic DNS Select Active Dynamic DNS option Key Settings Option Description Se...

Page 76: ...is shown in figure 3 For SNMPv1 operation ZyXEL permits one community string so that the router can belong to only one community and allows trap messages to be sent to only one NMS manager Some traps are sent to the SNMP manager when anyone of the following events happens 1 coldStart defined in RFC 1215 If the machine coldstarts the trap will be sent after booting 2 warmStart defined in RFC 1215 I...

Page 77: ...n of restart before rebooting 1 For intentional reboot In some cases download new files CI command sys reboot reboot is done intentionally And traps with the message System reboot by user will be sent 2 For fatal error System has to reboot for some fatal errors And traps with the message of the fatal code will be sent Downloading ZyXEL s private MIB Configure the P 661HW D for SNMP 76 All contents...

Page 78: ...rom the NMS The default is public Set Community Enter the correct Set Community This Set Community must match the Set community requested from the NMS The default is public Trusted Host Enter the IP address of the NMS The P 661HW DHW DX will only respond to SNMP messages coming from this IP address If 0 0 0 0 is entered the P 661HW DHW DX will respond to all NMS managers Trap Community Enter the c...

Page 79: ...t you wish to send the syslog Log Facility Select from the 7 different local options The log facility lets you log the message in different server files Refer to your UNIX manual 9 Using IP Alias What is IP Alias In a typical environment a LAN router is required to connect two local networks The P 661HW D can connect three local networks to the ISP or a remote node we call this function as IP Alia...

Page 80: ... Network LAN IP Alias There are three internal virtual LAN interfaces for the P 661HW D to route the packets from to the three networks correctly They are enif0 for the major network enif0 0 for the IP alias 1 and enif0 1 for the IP alias 2 Therefore three routes are created in the P 661HW D as shown below when the three networks are configured If the P 661HW D s DHCP is also enabled the IP pool f...

Page 81: ...econd and third networks in Network LAN IP Alias by configuring the P 661HW D s second and third LAN IP addresses Key Settings IP Alias 1 Active it and enter the second LAN IP address for the P 661HW D This will create the second route in the enif0 0 interface IP Alias 2 Active it and enter the third LAN IP address for the P 661HW D This will create the third route in the enif0 1 interface 10 Usin...

Page 82: ...e to prioritize traffic Cost Savings IPPR allows organizations to distribute interactive traffic on high bandwidth high cost path while using low path for batch traffic Load Sharing Network administrators can use IPPR to distribute traffic among multiple paths How does the IPPR work A policy defines the matching criteria and the action to take when a packet meets the criteria The action is taken o...

Page 83: ...ample Step 2 Suppose we d like to edit the rule like this Policy Set Name Test Active Yes Criteria IP Protocol 6 Type of Service Don t Care Packet length 0 Precedence Don t Care Len Comp N A Source addr start 192 168 1 2 end 192 168 1 20 port start 0 end N A Destination addr start 0 0 0 0 end N A port start 80 end 80 Action Matched Gateway addr 192 168 1 254 Log No Type of Service No Change Preced...

Page 84: ...t action gatewaytype 0 Set gateway type for the rule Gateway Address ip policyrouting set action gatewayaddr 192 168 1 254 Set the gateway address for the rule 192 168 1 254 ip policyrouting set criteria serviceType 0 Set the action type of service as don t care for this rule ip policyrouting set criteria precedence 8 Set the action precedence as don t care for this rule ip policyrouting set actio...

Page 85: ...uppose we want to edit a call schedule set like this Call Schedule Set 1 Set name Test Active Yes Start Date yyyy mm dd 2005 12 27 How Often Once Once Date yyyy mm dd 2005 12 27 Start Time hh mm 12 00 Duration hh mm 16 00 Action Enable Dial on demand This schedule example permits a demand call on the line on 12 00 a m 2005 12 27 The maximum length of time this connection is allowed is 16 hours To ...

Page 86: ... remote node will be dropped Enable Dial On Demand The remote node accepts Dial on demand during this period Disable Dial On Demand The remote node denies any demand dial during the period For the existing connected nodes it will be dropped after idle timeout and no triggered up Start Time Duration Start Time and Duration of this schedule Apply the schedule to the Remote node Multiple scheduling r...

Page 87: ...IP packets are transmitted in two ways unicast or broadcast Multicast is a third way to deliver IP packets to a group of hosts Host groups are identified by class D IP addresses i e those with 1110 as their higher order bits In dotted decimal notation host group addresses range from 224 0 0 0 to 239 255 255 255 Among them 224 0 0 1 is assigned to the permanent IP hosts group and 224 0 0 2 is assig...

Page 88: ... Some other traffic may not require high bandwidth but they require stable supply of bandwidth such as VoIP traffic The VoIP quality would not be good if all of the outgoing bandwidth is occupied via FTP Additionally chances are that you would like to grant higher bandwidth for some body specially who is using specific IP address in your network All of these are reasons why we need bandwidth manag...

Page 89: ...e s root Scheduler Choose the principle to allocate bandwidth on this interface Priority Based allocates bandwidth via priority Fairness Based allocates bandwidth by ratio Maximize Bandwidth Usage Check this box if you would like to give residuary bandwidth from Interface to the classes who need more bandwidth than configured amount Do not select this if you want to reserve bandwidth for traffic t...

Page 90: ...l Managed Bandwidth Check this box if you would like to let this class to borrow bandwidth from it s parents when the required bandwidth is higher than the configured amount Do not check this if you want to limit the bandwidth of this class at the configured value Please note that you should also disable Maximize Bandwidth Usage on the interface to meet the condition Service Select User defined SI...

Page 91: ...ut some probing patterns system will analyze the packets returned from ISP and decide which services the ISP may provide Because ADSL is based on a ATM network so system have to pre configured a VPI VCI hunting pool before Auto Configure function begins to work The Zero Configuration feature can hunt the encapsulation and VPI VCI value and system will automatically configure itself if the hunting ...

Page 92: ... vpi vci service bit hex wan atm vchunt save Note remote node input the remote node index 1 8 vpi vpi value vci vci value service it s a hex value bit0 PPPoE VC 1 bit1 PPPoE LLC 2 bit2 PPPoA VC 4 bit3 PPPoA LLC 8 bit4 Enet VC 16 bit5 Enet LLC 32 For example 1 If you need service PPPoE LLC and Enet LLC then the service bits will be 2 32 34 decimal 22 hex you must input 22 2 If you want to enable al...

Page 93: ...o the device LAN Ethernet port with the DSL sync up 2 Open your web browser to access a Web site It should prompt and request for your username password of your ISP account if your ISP provide PPPoE or PPPoA service 3 After key in the correct info it will than test the connection If it is successful it will than close the browser and you can open a new browser to surf the Internet If the connectio...

Page 94: ...hernet port 1 must be forwarded to PVC1 vice versa The traffic from Ethernet port 2 must be forwarded to PVC2 vice versa The traffic from Ethernet Port3 must be forwarded to PVC3 vice versa 16 How to configure packet filter on P 661HW D The P 661HW D allows you to configure up to twelve filter sets with six rules in each set for a total of 72 filter rules in the system You can apply up to four fil...

Page 95: ...them by command sys filter set index set rule Usage set 1 12 rule 1 6 Commonly the preconfigured filter sets are as follows set 2 rule 1 6 set 3 rule 1 set 4 rule 1 sys filter set display For example This could satisfy mostly requirement You could select any of them to apply to the WAN node or LAN Interface on demand The command is as follows Apply to WAN node wan node index node Usage node 1 8 co...

Page 96: ...ys filter set You could configure a filter rule on demand the newest command is available on release note sys filter set save Usage Don t forget to save the rule everytime you ve configured it Reference Commands sys filter set index set rule Set the index of filter set rule you must apply this command first before you begin to configure the filter rules sys filter set name set name Set the name of...

Page 97: ... log type 0 3 none match notmatch both Set the log type it could be 0 3 none match not match both sys filter set actmatch type 0 2 checknext forward drop Set the action for match sys filter set actnomatch type 0 2 checknext forward drop Set the action for not match sys filter set offset Set offset for the generic rule sys filter set length Set the length for generic rule sys filter set mask Set th...

Page 98: ...ebox II ZyXEL VPN solution Avaya VPN Netopia VPN III VPN The tested VPN softwares are shown below Checkpoint VPN software WIN2K VPN software Soft PK VPN software Linux FreeS WAN VPN SSH Sentinel Intel VPN client software Let s focus on the how to configure VPN tunnel on Prestige now Prestige to Prestige Tunnel As the figure shown below the tunnel between Prestige 1 and Prestige 2 ensures the packe...

Page 99: ...update its dynamic IP to the fixed side If both of VPN gateways use dynamic IP we need DDNS service to implement it You can finish the configuration via Web Configurator on Prestige Step 1 Set up Prestige A 1 Using a web browser login Prestige Web Configurator by giving the LAN IP address of Prestige in URL field Default LAN IP is 192 168 1 1 default password to login web configurator is 1234 Note...

Page 100: ...st in the example to this policy Select IPSec Key Mode to IKE Negotiation Mode to Main and Encapsulation Mode to Tunnel just the same as we will configure in Prestige B 5 Fill in the Local and Remote secure hosts information in the Local and Remote field Local Address Type is Single and IP Address Start is PC 1 s IP 192 168 1 33 in the example Remote Address Type is Single and IP Address Start is ...

Page 101: ... VPN secure gateways As in the example we ve finished this field on Prestige A then when we configure Prestige B we should make it fit the following table Prestgie A Prestige B Local ID Type IP IP Content 0 0 0 0 0 0 0 1 Peer ID Type IP IP Content 0 0 0 1 0 0 0 0 7 Fill in VPN Protocol Pre Shared Key Encryption Algorithm Authentication Algorithm in the Security Protocol field Select one VPN Protoc...

Page 102: ...you need to configure the same on Prestige B We don t do any anvanced setup in the example Then we have finished the configuration on Preatige A Step 2 Setup Prestige B Similar to the settings for Prestige A Prestige B is configured in the same way except that 1 Local Address Type is Single and IP Address Start is PC 2 s IP 192 168 2 33 in the example Remote Address Type is Single and IP Address S...

Page 103: ...Monitor On P 661HW D Web Configurator Security VPN Monitor you can check every active IPSec connections The VPN Name Encapsulation and IPSec Algorithm will be shown in the Monitor Table If you can t see the name of your IPSec rule it means that the SA establishment fails You need to go to the VPN Setup Page to check your settings Use CI command ipsec debug on If the Monitor shows that the VPN tunn...

Page 104: ... IPSec Log We can also view the log for IPSec and IKE connections for trouble shooting On P 661HW D we can check the logs via Web Configurator or CLI The log menu is also useful for troubleshooting please capture to us if necessary For example Select IPSec and IKE in Web Configurator Maintenance Logs Log Settings Then after a successful or failed VPN connection we could view the relevant informati...

Page 105: ...case W2K won t capture the dynamic IP address automatically for you You have to obtain your dynamic IP address and then go back to IPSec configuration to setup your current IP address Prestige dynamic WAN IP v s peer side static IP We need to note 1 In VPN settings of Prestige please specify the IP address of My IP as 0 0 0 0 Prestige will automatically bind it s current WAN IP address to IPSec 2 ...

Page 106: ...tigeA configure My IP as 0 0 0 0 and Secure Gateway as the dynamic domain name of PrestigeB Step 3 In PrestigeB configure My IP as 0 0 0 0 and Secure Gateway as the dynamic domain name of PrestigeA Step 4 You can initiate VPN tunnel from PrestigeA or PrestigeB by this solution 2 Prestige v s 3rd Party This is highly dependent on which kind of 3rd party you use Generally speaking this 3rd party VPN...

Page 107: ...between branch offices through headquarter So that whenever branch office A wants to talk to branch office B headquarter plays as a VPN relay Users can gain benefit from such application when the scale of branch offices is very large because no additional VPN tunnels between branch offices are needed In this support note we skip the detailed configuration steps for Internet access and presume that...

Page 108: ...with name Branch_A The configuration is the same as Prestige to Prestige Tunnel just the IP Address is a little different 1 Local Address Type is Range Address and IP Address Start is 192 168 3 0 IP Address End is 192 168 3 255 This section covers the LAN segment of branch office A Remote Address Type is Range Address and IP Address Start is 192 168 1 0 IP Address End is 192 168 2 255 This section...

Page 109: ...ess End is 192 168 1 255 This section covers the LAN segment of headquarter office 2 My IP Address is the WAN IP of Prestige in Branch_B 202 2 1 1 in the example Secure Gateway Address is IP address of Headquarter 202 1 1 1 in the example 3 Suppose the pre shared key is 01234567 we should configure the same key in the corresponding rule in Headquarter VPN Gateway 4 You can setup IKE phase 1 and ph...

Page 110: ...Headquarter office Remote Address Type is Range Address and IP Address Start is 192 168 3 0 IP Address End is 192 168 3 255 This section covers the LAN segment of branch office A 2 My IP Address is the IP Address of Headquarter 202 1 1 1 in the example Secure Gateway Address is WAN IP of Prestige in Branch_A 202 3 1 1 in the example 3 Suppose the pre shared key is 01234567 we should configure the ...

Page 111: ...for Branch_B_2 in headquarter 1 Local Address Type is Range Address and IP Address Start is 192 168 3 0 IP Address End is 192 168 3 255 This section covers the LAN segment of branch office A Remote Address Type is Range Address and IP Address Start is 192 168 2 0 IP Address End is 192 168 2 255 This section covers the LAN segment of branch office B 2 My IP Address is the IP Address of Headquarter ...

Page 112: ...cting 2 host together via a NIC card for direct connection when configured in Ad hoc mode without an access point being present Ad hoc operation is ideal for small networks of no more than 2 4 computers Larger networks would require the use of one or perhaps several access points Configuration for Wireless Station A To configure Ad hoc mode on your ZyAIR B 100 B 200 B 300 wireless NIC card please ...

Page 113: ...lect a channel you want to use than press OK to apply Step 4 Since there is no DHCP server to give the host IP you must first designate a static IP for your station From Windows Start select Control Panel Network Connection Wireless Network Connection 112 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 114: ... finish Configuration for Wireless Station B To configure Ad hoc mode on your ZyAIR B 100 B 200 B 300 wireless NIC card please follow the following step Step1 Double click on the utility icon in your windows task bar the utility will pop up on your windows screen Step 2 Select configuration tab 113 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 115: ...lect a channel you want to use than press OK to apply Step 4 Since there is no DHCP server to give the host IP you must first designate a static IP for your station From Windows Start select Control Panel Network Connection Wireless Network Connection 114 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 116: ...on B 2 Configuring Infrastructure mode Infrastructure Introduction For Infrastructure WLANs multiple Access Points APs like the WLAN to the wired network and allow users to efficiently share network resources The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood 115 All contents copyright 2006 ZyXEL Communica...

Page 117: ...re mode of your P 661HW D wireless AP please follow the steps below Step 1 Login Web Configurator Advanced Setup Network Wireless LAN General Configure the basic parameters for Wireless LAN Step 2 You could click the button Advanced Setup for more detailed configuration 116 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 118: ...astructure mode on your ZyAIR G 200 Wireless Network Adapter please follow the following steps Step 1 Double click on the utility icon in your windows task bar the utility will pop up on your windows screen Step 2 Select configuration tab 117 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 119: ... an SSID or leave it as any if you wish to connect to any AP than press Apply Change to take effect Step 4 Click on Site Survey tab and press search all the available AP will be listed Step 5 Double click on the AP you want to associated with 118 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 120: ... Filter MAC Filter Overview Users can use MAC Filter as a method to restrict unauthorized stations from accessing the APs ZyXEL s APs provide the capability for checking MAC address of the station before allowing it to connect to the network This provides an additional layer of control layer in that only stations with registered MAC addresses can connect This approach requires that the list of MAC...

Page 121: ...configure the MAC filter you need to know the MAC address of the client first If not knowing what your MAC address is please enter a command ipconfig all after DOS prompt to get the MAC physical address of your wireless client Step 1 Login Web Configurator Advanced Setup Network Wireless LAN MAC Filter active MAC Filter Step 2 Enter the MAC Addresses of wireless cards in the filter set to allow or...

Page 122: ...obile station e g a laptop with a wireless Ethernet card and an access point i e a base station The secret key is used to encrypt packets before they are transmitted and an integrity check is used to ensure that packages are not modified during the transition The standard does not discuss how the shared key is established In practice most installations use a single key that is shared between all m...

Page 123: ... 10 hexadecimal digits o 128 bit WEP key secret key with 13 characters o 128 bit WEP key secret key with 26 hexadecimal digits o 256 bit WEP key secret key with 29 characters o 256 bit WEP key secret key with 58 hexadecimal digits There are two ways you can configure the WEP Key 1 You can put in a special WEP key in the WEP Key menu directly 122 All contents copyright 2006 ZyXEL Communications Cor...

Page 124: ...sphrase and then press button Generate to let the P 661HW D generate WEP Key for you Setting up the Station Step 1 Double click on the utility icon in your windows task bar or right click the utility icon then select Show Config Utility 123 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 125: ...f the utility icon doesn t exist in your task bar click Start Programs to start the utility Step 2 Select the Configuration tab Select Set Security to configure encryption type and parameters correspond with access point 124 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 126: ... the P 661HW D is supposed to use Key 1 by default Key settings The WEP Encryption type of station has to equal to the access point Check ASCII field for characters WEP key or uncheck ASCII field for Hexadecimal digits WEP key 125 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 127: ...ps to complete a simple site survey with simple tools 1 First you will need to obtain a facility diagram such as blueprints This is for you to mark and take record on 2 Visually inspect the facility walk through the facility to verify the accuracy of the diagram and mark down any large obstacle you see that may effect the RF signal such as metal shelf metal desk etc on the diagram 3 Identify user ...

Page 128: ...sociated rate link quality signal strength and etc information as shown in utility below Step 4 It s always a good idea to start with putting the access point at the corner of the room and walk away from the access point in a systematic manner Record down the changes at point where transfer rate drop and the link quality and signal strength information on the diagram as you go alone 127 All conten...

Page 129: ... corner of the room Step 6 Repeat step 1 5 and now you should be able to mark an RF coverage area as illustrated in above picutre Step 7 You may need more than one access point is the RF coverage area have not cover all the wireless service area you needed Step 8 Repeat step 1 6 of survey on site as necessary upon completion you will have an diagram and information of site survey As illustrated be...

Page 130: ...t of the IEEE 802 11i security specification draft Key differences between WAP and WEP are user authentication and improved data encryption WAP applies IEEE 802 1x Extensible Authentication Protocol EAP to authenticate wireless clients using an external RADIUS database You can not use the P 661HW D s local user database for WPA authentication purpose since the local user database uses MD5 EAP whic...

Page 131: ...ch a client will be granted access to a WLAN Here comes WPA PSK Application example for your reference Configuration for Access point The IEEE 802 1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management Authentication can be done using local user database internal to the P 661HW D authenticate up to 32 users or an external RADIU...

Page 132: ... your wireless utility icon in your windows task bar the utility will pop up on your windows screen Step 2 Select the configuration tab type in the SSID Service Set Identifier select the operating Mode as Infrastructure and select proper channel 131 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 133: ...Notes Step 3 Click Set Security to configure the security parameters Step 4 Click OK for finish and begin to Site survey Connect to the AP as you have configured 132 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 134: ... Series Support Notes Step 5 Click Link Info tab if the PC associated and authenticated with AP successfully we will see the following information 133 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 135: ...ceIP port destIP port There are two ways to dump the trace Online Trace display the trace real time on screen Offline Trace capture the trace first and display later The details for capturing the trace in CLI as follows First of all you need to telnet to the P 661HW D firstly The password is Administrator passwords admin by default Online Trace 1 Trace LAN packet Disable to capture the WAN packet ...

Page 136: ...nable to capture the WAN packet by entering sys trcp channel mpoa00 bothway Enable the trace log by entering sys trcp sw on sys trcl sw on Display the brief trace online by entering sys trcd brief Display the detailed trace online by entering sys trcd parse Example 135 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 137: ...nel enet0 bothway Enable the trace log by entering sys trcp sw on sys trcl sw on Wait for packet passing through the Prestige over LAN Disable the trace log by entering sys trcp sw off sys trcl sw off Display the trace briefly by entering sys trcp brief Display specific packets by using sys trcp parse from_index to_index 136 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 138: ...per Terminal Step 1 Initiate a hyper terminal connection from your PC suppose you connected to the LAN port of P 661HW D Step 2 Click the properties to configure parameters to telnet to the P 661HW D 137 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 139: ...P 661HW D Series Support Notes Step 3 So that after you invoke the relevant commands you could save the logs you ve captured 138 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 140: ...st before running the TFTP software Step 2 Type the CI command sys stdio 0 to disable console idle timeout in Command Line Interface CLI Step 3 Run the TFTP client software Step 4 Enter the IP address of the Prestige Step 5 To upload the firmware please save the remote file as ras to Prestige After the transfer is complete the Prestige will program the upgraded firmware into FLASH ROM and reboot i...

Page 141: ... Using TFTP to upload download SMT configurations via LAN Step 1 TELNET to your Prestige first before running the TFTP software Step 2 Type the command sys stdio 0 to disable console idle timeout in Command Line Interface CLI Step 3 Run the TFTP client software Step 4 To download the P 661HW D configuration please get the remote file rom 0 from the Prestige Step 5 To upload the P 661HW D configura...

Page 142: ...figurations via LAN c tftp i PrestigeIP put localfile rom 0 Step 5 Download P 661HW D configurations via LAN c tftp i PrestigeIP get rom 0 localfile Using TFTP command on UNIX Before you begin 1 TELNET to your Prestige first before using TFTP command 2 Type the CI command sys stdio 0 to disable console idle timeout in Command Line Interface CLI Example cppwu faelinux cppwu telnet 192 168 1 1 Tryin...

Page 143: ...ame for the firmware is ras and the configuration file is rom 0 Step 1 Use FTP client from your workstation to connect to the Prestige by entering the IP address of the Prestige Step2 Press Enter key to ignore the username because the Prestige does not check the username Step 3 Enter the CLI password as the FTP login password the default is admin Step 4 Enter command bin to set the transfer type t...

Page 144: ...rname prompt Step 3 To upload the firmware file we transfer the local ras file to overwrite the remote ras file To upload the configuration file we transfer the local rom 0 to overwrite the remote rom 0 file 143 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 145: ... Series Support Notes Step 4 The Prestige reboots automatically after the uploading is finished Please do not power off the router at this moment 144 All contents copyright 2006 ZyXEL Communications Corporation ...

Page 146: ...ace 1 Shows the following commands and all major sub commands 2 exit Exit Subcommand To get the latest CI Command list The latest CI Command list is available in release note of every ZyXEL firmware release Please goto ZyXEL public WEB site http www zyxel com support download_index php to download firmware package zip you should unzip the package to get the release note in PDF format 145 All conte...

Reviews: