ZyXEL Communications Prestige 652H series, User Manual

Page 1: ...Prestige 652H HW Series ADSL Security Wireless LAN Router User s Guide Version 3 40 March 2004 ...

Page 2: ...d by ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it convey any license under its patent rights nor the patent rights of others ZyXEL further reserves the right to make changes in any products described herein without notice This publication is subj...

Page 3: ... instructions may cause harmful interference to radio communications If this equipment does cause harmful interference to radio television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one or more of the following measures 1 Reorient or relocate the receiving antenna 2 Increase the separation between the equipment...

Page 4: ...f the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose ZyXEL shall in no event be held liable for indirect or consequential damages of any kind of character to the purchaser To obtain the services of this warranty contact ZyXEL s Service Center for your Return Material Authoriz...

Page 5: ...sales zyxel com 1 714 632 0858 ftp us zyxel com ZyXEL Communications Inc 1130 N Miller St Anaheim CA 92806 2001 U S A support zyxel de 49 2405 6909 0 www zyxel de GERMANY sales zyxel de 49 2405 6909 99 ZyXEL Deutschland GmbH Adenauerstr 20 A2 D 52146 Wuerselen Germany 33 0 4 72 52 97 97 FRANCE info zyxel fr 33 0 4 72 52 19 20 www zyxel fr ZyXEL France 1 rue des Vergers Bat 1 C 69760 Limonest Franc...

Page 6: ...AIL FAX1 FTP SITE REGULAR MAIL support zyxel se 46 31 744 7700 www zyxel se SWEDEN sales zyxel se 46 31 744 7701 ZyXEL Communications A S Sjöporten 4 41764 Göteborg Sweden support zyxel fi 358 9 4780 8411 www zyxel fi FINLAND sales zyxel fi 358 9 4780 8448 ZyXEL Communications Oy Malminkaari 10 00700 Helsinki Finland ...

Page 7: ...w 2 1 2 2 Accessing the Prestige Web Configurator 2 1 2 3 Resetting the Prestige 2 2 2 4 Navigating the Prestige Web Configurator 2 4 Chapter 3 Wizard Setup 3 1 3 1 Wizard Setup Introduction 3 1 3 2 Encapsulation 3 1 3 3 Multiplexing 3 2 3 4 VPI and VCI 3 2 3 5 Wizard Setup Configuration First Screen 3 2 3 6 IP Address and Subnet Mask 3 4 3 7 IP Address Assignment 3 4 3 8 Nailed Up Connection PPP ...

Page 8: ... 8 Introduction to WPA 7 11 7 9 WPA PSK Application Example 7 12 7 10 WPA with RADIUS Application Example 7 13 7 11 Security Parameters Summary 7 14 7 12 Wireless Client WPA Supplicants 7 15 7 13 Configuring 802 1x and WPA 7 15 7 14 Configuring Local User Authentication 7 22 7 15 Configuring RADIUS 7 24 7 16 Configuring Roaming 7 25 Chapter 8 WAN Setup 8 1 8 1 WAN Overview 8 1 8 2 Metric 8 1 8 3 P...

Page 9: ... 1 12 3 Introduction to ZyXEL s Firewall 12 2 12 4 Denial of Service 12 3 12 5 Stateful Inspection 12 7 12 6 Guidelines For Enhancing Security With Your Firewall 12 11 12 7 Packet Filtering Vs Firewall 12 12 Chapter 13 Firewall Screens 13 1 13 1 Access Methods 13 1 13 2 Firewall Policies Overview 13 1 13 3 Rule Logic Overview 13 2 13 4 Connection Direction Examples 13 4 13 5 Configuring Firewall 1...

Page 10: ...16 15 Viewing SA Monitor 16 26 16 16 Configuring Global Setting 16 28 16 17 Telecommuter VPN IPSec Examples 16 29 16 18 VPN and Remote Management 16 32 Remote Management UPnP and Logs VI Chapter 17 Remote Management Configuration 17 1 17 1 Remote Management Overview 17 1 17 2 Telnet 17 2 17 3 FTP 17 3 17 4 Web 17 3 17 5 Configuring Remote Management 17 3 Chapter 18 Universal Plug and Play UPnP 18 ...

Page 11: ...7 21 5 Diagnostic Screens 21 9 21 6 Firmware Screen 21 11 21 7 Configuration Screen 21 13 SMT General Configuration IX Chapter 22 Introducing the SMT 22 1 22 1 SMT Introduction 22 1 22 2 Navigating the SMT Interface 22 4 22 3 Changing the System Password 22 6 Chapter 23 Menu 1 General Setup 23 1 23 1 General Setup 23 1 23 2 Procedure To Configure Menu 1 23 1 Chapter 24 Menu 2 WAN Backup Setup 24 1...

Page 12: ... 28 DMZ Setup 28 1 28 1 Configuring DMZ Setup 28 1 28 2 DMZ Port Filter Setup 28 1 28 3 TCP IP Setup 28 2 Chapter 29 Remote Node Configuration 29 1 29 1 Remote Node Setup Overview 29 1 29 2 Remote Node Setup 29 1 29 3 Remote Node Network Layer Options 29 6 29 4 Remote Node Filter 29 8 29 5 Editing ATM Layer Options 29 9 Chapter 30 Static Route Setup 30 1 30 1 IP Static Route Overview 30 1 30 2 Con...

Page 13: ...ser Accounts on the Prestige 36 6 Chapter 37 System Information and Diagnosis 37 1 37 1 System Status 37 1 37 2 System Information 37 3 37 3 Log and Trace 37 5 37 4 Diagnostic 37 8 Chapter 38 Firmware and Configuration File Maintenance 38 1 38 1 Filename Conventions 38 1 38 2 Backup Configuration 38 2 38 3 Restore Configuration 38 7 38 4 Uploading Firmware and Configuration Files 38 10 Chapter 39 ...

Page 14: ...g SA Monitor 44 1 Chapter 45 Internal SPTGEN 45 1 45 1 Internal SPTGEN Overview 45 1 45 2 The Configuration Text File Format 45 1 45 3 Internal SPTGEN FTP Download Example 45 3 45 4 Internal SPTGEN FTP Upload Example 45 4 Appendices and Index XII Appendix A Troubleshooting A 1 Appendix B IP Subnetting B 1 Appendix C Wireless LAN and IEEE 802 11 C 1 Appendix D PPPoE D 1 Appendix E Virtual Circuit T...

Page 15: ...izard Screen 4 3 14 Figure 4 1 Password 4 1 Figure 5 1 LAN and WAN IP Addresses 5 1 Figure 5 2 LAN 5 4 Figure 6 1 DMZ 6 8 Figure 7 1 RTS CTS 7 2 Figure 7 2 Prestige Wireless Security Levels 7 3 Figure 7 3 Wireless 7 5 Figure 7 4 MAC Address Filter 7 8 Figure 7 5 EAP Authentication 7 11 Figure 7 6 WPA PSK Authentication 7 13 Figure 7 7 WPA with RADIUS Application Example 7 14 Figure 7 8 Wireless LA...

Page 16: ...AN Traffic 13 5 Figure 13 3 Default Policy 13 6 Figure 13 4 Rule Summary 13 8 Figure 13 5 Insert Append A Firewall Rule 13 11 Figure 13 6 Add Edit A Custom Port 13 14 Figure 13 7 Rule Summary 13 15 Figure 13 8 Rule Edit Example 13 16 Figure 13 9 Edit Custom Port Example 13 17 Figure 13 10 My Service Rule Configuration 13 18 Figure 13 11 My Service Example Rule Summary 13 19 Figure 13 12 Anti Probi...

Page 17: ...agnostic General 21 9 Figure 21 7 Diagnostic DSL Line 21 10 Figure 21 8 Firmware Upgrade 21 12 Figure 21 9 Network Temporarily Disconnected 21 12 Figure 21 10 Error Message 21 13 Figure 21 11 Backup Configuration 21 14 Figure 21 12 Restore Configuration 21 14 Figure 21 13 Configuration Upload Successful 21 15 Figure 21 14 Network Temporarily Disconnected 21 15 Figure 21 15 Configuration Upload Err...

Page 18: ...nu 4 Internet Access Setup 27 5 Figure 28 1 Menu 5 DMZ Setup 28 1 Figure 28 2 Menu 5 1 DMZ Port Filter Setup 28 1 Figure 28 3 Menu 5 DMZ Setup 28 2 Figure 28 4 Menu 5 2 TCP IP Setup 28 2 Figure 29 1 Menu 11 Remote Node Setup 29 2 Figure 29 2 Menu 11 1 Remote Node Profile 29 3 Figure 29 3 Menu 11 3 Remote Node Network Layer Options 29 6 Figure 29 4 Sample IP Addresses for a TCP IP LAN to LAN Connec...

Page 19: ...32 20 Example 4 Menu 15 1 1 1 Address Mapping Rule 32 18 Figure 32 21 Example 4 Menu 15 1 1 Address Mapping Rules 32 18 Figure 33 1 Menu 21 2 Firewall Setup 33 2 Figure 34 1 Outgoing Packet Filtering Process 34 2 Figure 34 2 Filter Rule Process 34 3 Figure 34 3 Menu 21 Filter Set Configuration 34 4 Figure 34 4 NetBIOS_WAN Filter Rules Summary 34 5 Figure 34 5 NetBIOS_LAN Filter Rules Summary 34 5 ...

Page 20: ...7 Figure 38 6 Successful Backup Confirmation Screen 38 7 Figure 38 7 Telnet into Menu 24 6 38 8 Figure 38 8 Restore Using FTP Session Example 38 9 Figure 38 9 System Maintenance Restore Configuration 38 9 Figure 38 10 System Maintenance Starting Xmodem Download Screen 38 9 Figure 38 11 Restore Configuration Example 38 10 Figure 38 12 Successful Restoration Confirmation Screen 38 10 Figure 38 13 Te...

Page 21: ...edule Set Setup 42 2 Figure 42 3 Applying Schedule Set s to a Remote Node PPPoE 42 4 Figure 43 1 VPN SMT Menu Tree 43 1 Figure 43 2 Menu 27 VPN IPSec Setup 43 2 Figure 43 3 Menu 27 1 IPSec Summary 43 2 Figure 43 4 Menu 27 1 1 IPSec Setup 43 6 Figure 43 5 Menu 27 1 1 1 IKE Setup 43 11 Figure 43 6 Menu 27 1 1 2 Manual Setup 43 14 Figure 44 1 Menu 27 2 SA Monitor 44 1 Figure 45 1 Configuration Text F...

Page 22: ...r 802 1x Protocol 7 17 Table 7 6 Wireless LAN 802 1x WPA for WPA Protocol 7 19 Table 7 7 Wireless LAN 802 1x WPA for WPA PSK Protocol 7 21 Table 7 8 Local User Database 7 24 Table 7 9 RADIUS 7 25 Table 7 10 Roaming 7 28 Table 8 1 WAN Setup 8 5 Table 8 2 WAN Backup 8 10 Table 8 3 Advanced WAN Backup 8 13 Table 8 4 Advanced Modem Setup 8 17 Table 9 1 NAT Definitions 9 1 Table 9 2 NAT Mapping Types 9...

Page 23: ...0 SA Monitor 16 28 Table 16 11 Global Setting 16 29 Table 16 12 Telecommuters Sharing One VPN Rule Example 16 30 Table 16 13 Telecommuters Using Unique VPN Rules Example 16 31 Table 17 1 Remote Management 17 3 Table 18 1 Configuring UPnP 18 2 Table 19 1 Log Settings 19 3 Table 19 2 View Logs 19 5 Table 19 3 SMTP Error Messages 19 5 Table 20 1 Application based Bandwidth Management Example 20 2 Tab...

Page 24: ...ble 24 1 Menu 2 WAN Backup Setup 24 2 Table 24 2 Menu 2 1Traffic Redirect Setup 24 4 Table 24 3 Menu 2 2 Dial Backup Setup 24 5 Table 24 4 Menu 2 2 1 Advanced Dial Backup Setup AT Commands Fields 24 6 Table 24 5 Menu 2 2 1 Advanced Dial Backup Setup Call Control Parameters 24 7 Table 24 6 Menu 11 1 Remote Node Profile Backup ISP 24 8 Table 24 7 Menu 11 3 Remote Node Network Layer Options 24 11 Tab...

Page 25: ... 1 Menu 24 1 System Maintenance Status 37 2 Table 37 2 Menu 24 2 1 System Maintenance Information 37 4 Table 37 3 Menu 24 3 2 System Maintenance Syslog and Accounting 37 7 Table 37 4 Menu 24 4 System Maintenance Menu Diagnostic 37 8 Table 38 1 Filename Conventions 38 2 Table 38 2 General Commands for GUI based FTP Clients 38 4 Table 38 3 General Commands for GUI based TFTP Clients 38 6 Table 39 1 ...

Page 26: ...sses B 1 Chart B 2 Allowed IP Address Range By Class B 2 Chart B 3 Natural Masks B 2 Chart B 4 Alternative Subnet Mask Notation B 3 Chart B 5 Subnet 1 B 4 Chart B 6 Subnet 2 B 4 Chart B 7 Subnet 1 B 5 Chart B 8 Subnet 2 B 5 Chart B 9 Subnet 3 B 5 Chart B 10 Subnet 4 B 6 Chart B 11 Eight Subnets B 6 Chart B 12 Class C Subnet Planning B 7 Chart B 13 Class B Subnet Planning B 7 Chart K 1 System Maint...

Page 27: ...s applications The web configurator parts of this guide contain background information on features configurable by web configurator The SMT parts of this guide contain background information solely on features not configurable by web configurator Use the web configurator System Management Terminal SMT or command interpreter interface to configure your Prestige Not all features can be configured th...

Page 28: ...w Roman font Predefined field choices are in Bold Arial font Command and arrow keys are enclosed in square brackets ENTER means the Enter or carriage return key ESC means the Escape key and SPACE BAR means the Space Bar Mouse action sequences are denoted using a comma For example click the Apple icon Control Panels and then Modem means first click the Apple icon then point your mouse pointer to Co...

Page 29: ...ey Prestige Computer Notebook computer Server Modem Firewall Telephone Switch Router DSLAM Wireless Access Point Wireless Signal The following section offers some background information on DSL Skip to Chapter 1 if you wish to begin working with your router right away ...

Page 30: ...pstream capacity Asymmetrical services ADSL are suitable for Internet users because more information is usually downloaded than uploaded For example a simple button click in a web browser can start an extended download that includes graphics and text As data rates increase the carrying distance decreases That means that users who are beyond a certain distance from the telephone company s central o...

Page 31: ... I Getting Started This part is structured as a step by step guide to help you access your Prestige It covers key features and applications accessing the web configurator and configuring the wizard screens for initial setup ...

Page 32: ......

Page 33: ...e coverage area The web browser based Graphical User Interface provides easy management 1 2 Features of the Prestige Your Prestige is packed with a number of features that give it the flexibility to provide a complete networking solution for almost any user High Speed Internet Access Your Prestige ADSL router can support downstream transmission rates of up to 8Mbps and upstream transmission rates ...

Page 34: ...o the local area network without any wiring efforts and enjoy reliable high speed connectivity 802 11b Data Rate Mbps Modulation 1 DBPSK Differential Binary Phase Shift Keyed 2 DQPSK Differential Quadrature Phase Shift Keying 5 5 11 CCK Complementary Code Keying The Prestige may be prone to RF Radio Frequency interference from other 2 4 GHz devices such as microwave ovens wireless phones Bluetooth...

Page 35: ...etwork PPPoE Support RFC2516 PPPoE Point to Point Protocol over Ethernet emulates a dial up connection It allows your ISP to use their existing network configuration with newer broadband technologies such as ADSL The PPPoE driver on the Prestige is transparent to the computers on the LAN which see only Ethernet and are not aware of PPPoE thus saving you from having to manage PPPoE clients on indiv...

Page 36: ... Internet You must register for this service with a Dynamic DNS service provider Multiple PVC Permanent Virtual Circuits Support Your Prestige supports up to 8 PVC s ADSL Transmission Rate Standards Full Rate ANSI T1 413 Issue 2 G dmt G 992 1 with line rate support of up to 8 Mbps downstream and 832 Kbps upstream G lite G 992 2 with line rate support of up to 1 5Mbps downstream and 512Kbps upstrea...

Page 37: ...raditionally routing is based on the destination address only and the router takes the shortest path to forward a packet IP Policy Routing IPPR provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator PPP Point to Point Protocol link layer protocol Transparent bridging for unsupported network layer protoc...

Page 38: ... back AIS and RDI OAM cells Other PPPoE Features PPPoE idle time out PPPoE Dial on Demand Diagnostics Capabilities The Prestige can perform self diagnostic tests These tests check the integrity of the following circuitry FLASH memory ADSL circuitry RAM LAN port Packet Filters The Prestige s packet filtering functions allows added network security and management Ease of Installation Your Prestige i...

Page 39: ...ion for the Prestige 652H HW you can insert an optional wireless PCMICA card into the Prestige and allow wireless clients access to your network resources A typical Internet access application is shown below Figure 1 1 Prestige Internet Access Application Internet Single User Account For a SOHO Small Office Home Office environment your Prestige offers the Single User Account SUA feature that allow...

Page 40: ...l Application 1 3 3 VPN Application The Prestige s VPN feature makes it an ideal cost effective way to connect branch offices and business partners over the Internet without the need and expense for leased lines between sites VPN ensures the privacy and integrity of your data transmissions ...

Page 41: ... To Know Your Prestige 1 9 Figure 1 3 VPN Application 1 3 4 LAN to LAN Application You can use the Prestige to connect two geographically dispersed networks over the ADSL line A typical LAN to LAN application for your Prestige is shown as follows ...

Page 42: ...Prestige 652H HW Series User s Guide 1 10 Getting To Know Your Prestige Figure 1 4 Prestige LAN to LAN Application ...

Page 43: ...ter or Netscape Navigator 7 0 and later versions with JavaScript enabled It is recommended that you set your screen resolution to 1024 by 768 pixels 2 2 Accessing the Prestige Web Configurator Step 1 Make sure your Prestige hardware is properly connected refer to the Compact Guide Step 2 Prepare your computer computer network to connect to the Prestige refer to the Compact Guide Step 3 Launch your...

Page 44: ... and flow control set to none The password will be reset to 1234 also 2 3 1 Using The Reset Button Step 1 Make sure the SYS LED is on not blinking Step 2 Press the RESET button for ten seconds and then release it When the SYS LED begins to blink the defaults have been restored and the Prestige restarts 2 3 2 Uploading a Configuration File Via Console Port Download the default configuration file fr...

Page 45: ...ng the Web Configurator 2 3 Figure 2 2 Example Xmodem Upload Step 5 After successful firmware upload enter atgo to restart the router Type the configuration file s location or click Browse to search for it Choose the Xmodem protocol Then click Send ...

Page 46: ...ns to configure your Prestige for the first time Click a link under Advanced Setup to configure advanced Prestige features Click a link under Maintenance to see Prestige performance statistics upload firmware and back up restore or upload a configuration file Click Site Map to go to the Site Map screen Click Logout in the navigation panel when you have finished a Prestige management session Figure...

Page 47: ...estige RADIUS Configure this screen to use an external server to authenticate wireless and or VPN users Roaming Use this screen to enable roaming on your Prestige WAN WAN Setup Use this screen to change the Prestige s WAN remote node settings WAN Backup Use this screen to configure your traffic redirect properties and WAN backup settings NAT SUA Only Use this screen to configure servers behind the...

Page 48: ... manage the Prestige UPnP Use this screen to enable UPnP on the Prestige Logs Log Settings Use this screen to change your Prestige s log settings View Log Use this screen to view the logs for the categories that you selected BW Manager Summary Use this screen to enable bandwidth management on an interface Class Setup Use this screen to set up the bandwidth classes Monitor Use this screen to view t...

Page 49: ... FUNCTION DSL Line These screens display information to help you identify problems with the DSL line Firmware Use this screen to upload firmware to your Prestige Configuration Use this screen to backup and restore the configuration or reset the factory defaults to your Prestige LOGOUT Click this label to exit the web configurator ...

Page 50: ......

Page 51: ...uted Ethernet frames into bridged ATM cells ENET ENCAP requires that you specify a gateway IP address in the ENET ENCAP Gateway field in the second wizard screen You can get this information from your ISP 3 2 2 PPP over Ethernet PPPoE provides access control and billing functionality in a manner similar to dial up services using PPP The Prestige bridges a PPP session over Ethernet PPP over Etherne...

Page 52: ...e VC1 carries IP etc VC based multiplexing may be dominant in environments where dynamic creation of large numbers of ATM VCs is fast and economical 3 3 2 LLC based Multiplexing In this case one VC carries multiple protocols with protocol identifying information being contained in each packet header Despite the extra bandwidth and processing overhead this method may be advantageous if it is not pr...

Page 53: ...ox Choices vary depending on what you select in the Mode field If you select Bridge in the Mode field select either PPPoA or RFC 1483 If you select Routing in the Mode field select PPPoA RFC 1483 ENET ENCAP or PPPoE Multiplex Select the multiplexing method used by your ISP from the Multiplex drop down list box either VC based or LLC based Virtual Circuit ID VPI Virtual Path Identifier and VCI Virt...

Page 54: ... Assigned Number Authority IANA reserved this block of addresses specifically for private use please do not use any other number unless you are told otherwise Let s say you select 192 168 1 0 as the network number which covers 254 individual addresses from 192 168 1 1 to 192 168 1 254 zero and 255 are reserved In other words the first three numbers specify the network number while the last number ...

Page 55: ...te IP Addresses Every machine on the Internet must have a unique address If your networks are isolated from the Internet for example only between your two branch offices you can assign any IP addresses to the hosts without problems However the Internet Assigned Numbers Authority IANA has reserved the following three blocks of IP addresses specifically for private networks 10 0 0 0 10 255 255 255 1...

Page 56: ...us reasons Do not specify a nailed up connection unless your telephone company offers flat rate service or you need a constant connection and the cost is of no concern 3 9 NAT NAT Network Address Translation NAT RFC 1631 is the translation of the IP address of a host in a packet for example the source address of an outgoing packet used within one network to a different IP address known within anot...

Page 57: ...ect Obtain an IP Address Automatically if you have a dynamic IP address otherwise select Static IP Address and type your ISP assigned IP address in the IP Address text box below Connection Select Connect on Demand when you don t want the connection up all the time and specify an idle time out in seconds in the Max Idle Timeout field The default setting selects Connection on Demand with 0 as the id...

Page 58: ...RFC 1483 LABEL DESCRIPTION IP Address This field is available if you select Routing in the Mode field Type your ISP assigned IP address in this field Network Address Translation Select None SUA Only or Full Feature from the drop sown list box Refer to the NAT chapter for more details Back Click Back to go back to the first wizard screen Next Click Next to continue to the next wizard screen ...

Page 59: ...a dynamic or static IP address Select Obtain an IP Address Automatically if you have a dynamic IP address otherwise select Static IP Address and type your ISP assigned IP address in the IP Address text box below Subnet Mask Enter a subnet mask in dotted decimal notation Refer to the IP Subnetting appendix to calculate a subnet mask If you are implementing subnetting ENET ENCAP Gateway You must spe...

Page 60: ... Back Click Back to go back to the first wizard screen Next Click Next to continue to the next wizard screen Figure 3 5 Internet Connection with PPPoA The following table describes the fields in this screen Table 3 5 Internet Connection with PPPoA LABEL DESCRIPTION User Name Enter the login name that your ISP gives you ...

Page 61: ...ction on Demand with 0 as the idle time out which means the Internet session will not timeout Select Nailed Up Connection when you want your connection up all the time The Prestige will try to bring up the connection automatically if it is disconnected The schedule rule s in SMT menu 26 has priority over your Connection settings Network Address Translation This option is available if you select Ro...

Page 62: ...of 192 168 1 1 for other server machines for example server for mail FTP telnet web etc that you may have 3 12 Wizard Setup Configuration Third Screen Step 1 Verify the settings in the screen shown next To change the LAN information on the Prestige click Change LAN Configurations Otherwise click Save Settings to save the configuration and skip to the section 3 13 Figure 3 6 Wizard Screen 3 Step 2 ...

Page 63: ... 168 1 1 factory default If you changed the Prestige s LAN IP address you must use the new IP address if you want to access the web configurator again LAN Subnet Mask Enter a subnet mask in dotted decimal notation DHCP DHCP Server From the DHCP Server drop down list box select On to allow your Prestige to assign IP addresses an IP default gateway and DNS servers to computer systems that support th...

Page 64: ...rs The DNS servers are passed to the DHCP clients along with the IP address and the subnet mask Secondary DNS Server As above Back Click Back to go back to the previous screen Finish Click Finish to save the settings and proceed to the next wizard screen 3 13 Wizard Setup Configuration Connection Tests The Prestige automatically tests the connection to the computer s connected to the LAN ports To ...

Page 65: ...igate to www zyxel com Internet access is just the beginning Refer to the rest of this User s Guide for more detailed information on the complete range of Prestige features If you cannot access the Internet open the web configurator again to confirm that the Internet settings you configured in the Wizard Setup are correct ...

Page 66: ......

Page 67: ...Password LAN DMZ Wireless LAN and WAN II Part II Password LAN DMZ Wireless LAN and WAN This part covers the password LAN Local Area Network DMZ wireless LAN and WAN setup ...

Page 68: ......

Page 69: ...rd for accessing the Prestige 4 2 Configuring Password To change your Prestige s password recommended click Password The screen appears as shown Figure 4 1 Password The following table describes the fields in this screen Table 4 1 Password LABEL DESCRIPTION Old Password Type the default password or the existing password you use to access the system in this field New Password Type the new password ...

Page 70: ...e 4 2 Password Setup Table 4 1 Password LABEL DESCRIPTION Retype to Confirm Type the new password again in this field Apply Click Apply to save your changes back to the Prestige Cancel Click Cancel to begin configuring this screen afresh ...

Page 71: ...d the Prestige The actual physical connection determines whether the Prestige ports are LAN or WAN ports There are two separate IP networks one inside the LAN network and the other outside the WAN network as shown next Figure 5 1 LAN and WAN IP Addresses 5 2 DNS Server Address DNS Domain Name System is for mapping a domain name to its corresponding IP address and vice versa The DNS server is extre...

Page 72: ...n leave the DNS servers out of the DHCP setup under all circumstances If your ISP gives you explicit DNS servers make sure that you enter their IP addresses in the LAN Setup screen This way the Prestige can pass the DNS servers to the computers and the computers can query the DNS server directly without the Prestige s intervention 5 3 DNS Server Address Assignment Use DNS Domain Name System to map...

Page 73: ...2B uses subnet broadcasting while RIP 2M uses multicasting 5 4 4 Multicast Traditionally IP packets are transmitted in one of either two ways Unicast 1 sender 1 recipient or Broadcast 1 sender everybody on the network Multicast delivers IP packets to a group of hosts on the network not everybody and not just 1 IGMP Internet Group Multicast Protocol is a network layer protocol used to establish mem...

Page 74: ... IP addresses an IP default gateway and DNS servers to Windows 95 Windows NT and other systems that support the DHCP client If set to None the DHCP server will be disabled If set to Relay the Prestige acts as a surrogate DHCP server and relays DHCP requests and responses between the remote server and the clients Enter the IP address of the actual remote DHCP server in the Remote DHCP Server field ...

Page 75: ...hen enter the IP address of the actual remote DHCP server here TCP IP IP Address Enter the IP address of your Prestige in dotted decimal notation for example 192 168 1 1 factory default IP Subnet Mask Type the subnet mask assigned to you by your ISP if given RIP Direction Select the RIP direction from None Both In Only and Out Only RIP Version Select the RIP version from RIP 1 RIP 2B and RIP 2M Mu...

Page 76: ......

Page 77: ...et users can have access to host servers on the DMZ but no access to the LAN unless special filter rules allowing access were configured by the administrator or the user is an authorized remote user It is highly recommended that you connect all of your public servers to the DMZ port If you have more than one public server connect a hub to the DMZ port It is also highly recommended that you keep al...

Page 78: ... your Prestige s DMZ port in dotted decimal notation Make sure the IP address is on a separate subnet from the LAN port IP Subnet Mask The subnet mask specifies the network number portion of an IP address Your Prestige will automatically calculate the subnet mask based on the IP address that you assign Unless you are implementing subnetting use the subnet mask computed by the Prestige 255 255 255 ...

Page 79: ...eive the RIP packets However if one router uses multicasting then all routers on your network must use multicasting also By default RIP direction is set to Both and the Version set to RIP 1 Multicast Select IGMP V 1 or IGMP V 2 or None IGMP Internet Group Multicast Protocol is a network layer protocol used to establish membership in a Multicast group it is not used to carry user data IGMP version ...

Page 80: ......

Page 81: ...al network RADIUS server for remote user authentication and accounting 7 1 2 Channel A channel is the radio frequency ies used by IEEE 802 11b wireless devices Channels available depend on your geographical area You may have a choice of channels for your region so you should use a different channel than an adjacent AP access point to reduce interference Interference occurs when radio signals from ...

Page 82: ... can send before an RTS Request To Send CTS Clear to Send handshake is invoked When a data frame exceeds the RTS CTS value you set between 0 to 2432 bytes the station that wants to transmit this frame must first send an RTS Request To Send message to the AP for permission to send it The AP then responds with a CTS Clear to Send message to all other stations within its range to notify them to defer...

Page 83: ... RTS CTS value see previously you set then the RTS Request To Send CTS Clear to Send handshake will never occur as data frames will be fragmented before they reach RTS CTS size 7 2 Levels of Security Wireless security is vital to your network to protect wireless communication between wireless stations access points and the wired network The figure below shows the possible wireless security levels ...

Page 84: ...eless LAN and Wireless to the display the Wireless screen 7 4 Inserting a PCMCIA Wireless LAN Card Use a ZyAIR series wireless LAN PCMCIA card to add optional wireless LAN capabilities Step 1 Turn off the Prestige Never insert or remove a wireless LAN card when the Prestige is turned on Step 2 Locate the slot labeled Wireless LAN on the Prestige Step 3 With its pin connector facing the slot and th...

Page 85: ... enable the wireless LAN you should configure some security by setting MAC filters and or 802 1x security otherwise your wireless LAN will be vulnerable upon enabling it Select the check box to enable the wireless LAN ESSID The ESSID Extended Service Set Identification is a unique name to identify the Prestige in the wireless LAN Wireless stations associating to the Prestige must have the same ESS...

Page 86: ...entation Threshold The threshold number of bytes for the fragmentation boundary for directed messages It is the maximum data fragment size that can be sent Enter a value between 256 and 2432 WEP Encryption WEP Wired Equivalent Privacy encrypts data frames before transmitting over the wireless network Select Disable to allow all wireless computers to communicate with the access points without any d...

Page 87: ...Allow Association or exclude up to 32 devices from accessing the Prestige Deny Association Every Ethernet device has a unique MAC Media Access Control address The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters for example 00 A0 C5 00 00 02 You need to know the MAC address of the devices to configure this screen To change your Prestige s MAC filter settin...

Page 88: ...Prestige 652H HW Series User s Guide 7 8 Wireless LAN Setup Figure 7 4 MAC Address Filter The following table describes the fields in this menu ...

Page 89: ...cel Click Cancel to begin configuring this screen afresh 7 7 Network Authentication You can set the Prestige and your network to authenticate a wireless station before the wireless station can communicate with the Prestige and the wired network to which the Prestige is connected 7 7 1 EAP EAP is an authentication protocol designed originally to run over PPP Point to Point Protocol frame in order t...

Page 90: ...roper response from the user and then sends another Access Request message The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting Accounting Request Sent by the access point requesting accounting Accounting Response Sent by the RADIUS server to indicate that it has started or stopped accounting In order to ensure network security the...

Page 91: ...on and improved data encryption 7 8 1 User Authentication WPA applies IEEE 802 1x and Extensible Authentication Protocol EAP to authenticate wireless clients using an external RADIUS database You can t use the Prestige s Local User Database for WPA authentication purposes since the Local User Database uses EAP MD5 which cannot be used to generate keys See later in this chapter and the appendices f...

Page 92: ...y data packet and by creating an integrity checking mechanism MIC TKIP makes it much more difficult to decode data on a Wi Fi network than WEP making it difficult for an intruder to break into the network The encryption mechanisms used for WPA and WPA PSK are the same The only difference between the two is that WPA PSK uses a simple common password instead of user specific credentials The common p...

Page 93: ... distribution system Step 1 The AP passes the wireless client s authentication request to the RADIUS server Step 2 The RADIUS server then checks the user s identification against its database and grants or denies network access accordingly Step 3 The RADIUS server distributes a Pairwise Master Key PMK key to the AP that then sets up a key hierarchy and management system using the pair wise key to ...

Page 94: ...what other security parameters you should configure for each Authentication Method key management protocol type You enter manual keys by first selecting 64 bit WEP or 128 bit WEP from the WEP Encryption field and then typing the keys in ASCII or hexadecimal format in the key text boxes MAC address filters are not dependent on how you configure these security features ...

Page 95: ...ng system instructing the wireless client how to use WPA At the time of writing the most widely available supplicants are the WPA patch for Windows XP Funk Software s Odyssey client and Meetinghouse Data Communications AEGIS client The Windows XP patch is a free download that adds WPA capability to Windows XP s built in Zero Configuration wireless client However you must run Windows XP to use it 7...

Page 96: ...uired allows all wireless stations access to the wired network without entering usernames and passwords This is the default setting Authentication Required means that all wireless stations have to enter usernames and passwords before access to the wired network is allowed Select Authentication Required to configure Key Management Protocol and other related fields Back Click Back to go to the main ...

Page 97: ...ons have to reenter usernames and passwords in order to stay connected This field is activated only when you select Authentication Required in the Wireless Port Control field Enter a time interval between 10 and 9999 seconds The default time interval is 1800 seconds 30 minutes If wireless station authentication is done using a RADIUS server the reauthentication timer on the RADIUS server has prior...

Page 98: ... station Before you specify the priority make sure you have set up the corresponding database correctly first Select Local User Database Only to have the Prestige just check the built in user database on the Prestige for a wireless station s username and password Select RADIUS Only to have the Prestige just check the user database on the specified RADIUS server for a wireless station s username an...

Page 99: ...ion Authentication Required WPA Select Authentication Required in the Wireless Port Control field and WPA in the Key Management Protocol field to display the next screen Figure 7 10 Wireless LAN 802 1x WPA for WPA Protocol The following table describes the labels not previously discussed Table 7 6 Wireless LAN 802 1x WPA for WPA Protocol LABEL DESCRIPTION Key Management Protocol Choose WPA in this...

Page 100: ...ly encrypted by TKIP when WPA or WPA PSK Key Management Protocol is selected WPA Group Key Update Timer The WPA Group Key Update Timer is the rate at which the AP if using WPA PSK key management or RADIUS server if using WPA key management sends a new group key out to all clients The re keying process is the WPA equivalent of automatically changing the WEP key for an AP and all stations in a WLAN ...

Page 101: ...sed for WPA and WPA PSK are the same The only difference between the two is that WPA PSK uses a simple common password instead of user specific credentials Type a pre shared key from 8 to 63 case sensitive ASCII characters including spaces and symbols WPA Mixed Mode The Prestige can operate in WPA Mixed Mode which supports both clients running WPA and clients running dynamic WEP key exchange with ...

Page 102: ...A Mixed Mode All unicast traffic is automatically encrypted by TKIP when WPA or WPA PSK Key Management Protocol is selected Authentication Databases This field is only visible when WPA Mixed Mode is enabled 7 14 Configuring Local User Authentication By storing user profiles locally your Prestige is able to authenticate wireless users without interacting with a network RADIUS server However there i...

Page 103: ...Prestige 652H HW Series User s Guide Wireless LAN Setup 7 23 Figure 7 12 Local User Database The following table describes the fields in this screen ...

Page 104: ... 31 characters long for this user profile Back Click Back to go to the main wireless LAN setup screen Apply Click Apply to save these settings back to the Prestige Cancel Click Cancel to begin configuring this screen again 7 15 Configuring RADIUS Once you enable the EAP authentication you need to specify the external sever for remote user authentication and accounting To set up your Prestige s RAD...

Page 105: ... Active Select Yes from the drop down list box to enable user authentication through an external accounting server Server IP Address Enter the IP address of the external accounting server in dotted decimal notation Port Number The default port of the RADIUS server for accounting is 1813 You need not change this value unless your network administrator instructs you to do so with additional informat...

Page 106: ...t scans and uses the channel of a new access point which then informs the access points on the LAN about the change The new information is then propagated to the other access points on the LAN An example is shown in Figure 7 14 With roaming a wireless LAN mobile user enjoys a continuous connection to the wired network through an access point while moving around the wireless LAN Enable roaming to e...

Page 107: ...nts must be met in order for wireless stations to roam between the coverage areas 1 All the access points must be on the same subnet and configured with the same ESSID 2 If IEEE 802 1x user authentication is enabled and to be done locally on the access point the new access point must have the user profile for the wireless station 3 The adjacent access points should use different radio channels whe...

Page 108: ...et and the wireless stations must have the same ESSID to allow roaming Port Enter the port number to communicate roaming information between access points The port number must be the same on all access points Make sure this port is not used by other services Back Click Back to go to the main wireless LAN setup screen Apply Click Apply to save these settings back to the Prestige Cancel Click Cancel...

Page 109: ...edirect route see section 8 6 3 WAN backup route also called dial backup see section 8 6 For example if the normal route has a metric of 1 and the traffic redirect route has a metric of 2 and dial backup route has a metric of 3 then the normal route acts as the primary default route If the normal route fails to connect to the Internet the Prestige tries the traffic redirect route next In the same ...

Page 110: ... Traffic Shaping is an agreement between the carrier and the subscriber to regulate the average rate and fluctuations of data transmission over an ATM network This agreement helps eliminate congestion which is important for transmission of real time data such as audio and video connections Peak Cell Rate PCR is the maximum rate at which the sender can send cells This parameter may be lower but not...

Page 111: ...H HW Series User s Guide WAN Setup 8 3 Figure 8 1 Example of Traffic Shaping 8 5 Configuring WAN Setup To change your Prestige s WAN remote node settings click WAN WAN Setup The screen differs by the encapsulation ...

Page 112: ...Prestige 652H HW Series User s Guide 8 4 WAN Setup Figure 8 2 WAN Setup The following table describes the fields in this screen ...

Page 113: ...cuit Refer to the appendix for more information VPI The valid range for the VPI is 0 to 255 Enter the VPI assigned to you VCI The valid range for the VCI is 32 to 65535 0 to 31 is reserved for local management of ATM traffic Enter the VCI assigned to you ATM QoS Type Select CBR Continuous Bit Rate to specify fixed always on bandwidth for voice or data traffic Select UBR Unspecified Bit Rate for ap...

Page 114: ...h time you connect to the Internet The Single User Account feature can be used with either a dynamic or static IP address Select Obtain an IP Address Automatically if you have a dynamic IP address otherwise select Static IP Address and type your ISP assigned IP address in the IP Address field below Connection PPPoA and PPPoE encapsulation only The schedule rule s in SMT menu 26 have priority over ...

Page 115: ...d decimal notation Refer to the Subnetting appendix on how to calculate a subnet mask If you are implementing subnetting ENET ENCAP Gateway ENET ENCAP encapsulation only You must specify a gateway IP address supplied by your ISP when you select ENET ENCAP in the Encapsulation field Back Click Back to return to the previous screen Apply Click Apply to save the changes Cancel Click Cancel to begin c...

Page 116: ...r three logical networks with the Prestige itself as the gateway for each LAN network Put the protected LAN in one subnet Subnet 1 in the following figure and the backup gateway in another subnet Subnet 2 Configure filters that allow packets from the protected LAN Subnet 1 to the backup gateway Subnet 2 Figure 8 4 Traffic Redirect LAN Setup 8 8 Configuring WAN Backup To change your Prestige s WAN ...

Page 117: ...Prestige 652H HW Series User s Guide WAN Setup 8 9 Figure 8 5 WAN Backup The following table describes the fields in this screen ...

Page 118: ...gher priority connection Type the number of seconds 30 recommended for the Prestige to wait between checks Allow more time if your destination IP address handles lots of traffic Timeout Type the number of seconds 3 recommended for your Prestige to wait for a ping response from one of the IP addresses in the Check WAN IP Address fields before timing out the request The WAN connection is considered ...

Page 119: ... external device Available speeds are 9600 19200 38400 57600 115200 or 230400 bps User Name Type the login name assigned by your ISP Password Type the password assigned by your ISP Pri Phone Type the first primary phone number from the ISP for this remote node Some areas require dialing the pound sign before the phone number for local calls Include a symbol at the beginning of the phone numbers as...

Page 120: ...Prestige 652H HW Series User s Guide 8 12 WAN Setup Figure 8 6 Advanced WAN Backup ...

Page 121: ...s require dialing the pound sign before the phone number for local calls Include a symbol at the beginning of the phone numbers as required Dial Backup Port Speed Use the drop down list box to select the speed of the connection between the dial backup port and the external device Available speeds are 9600 19200 38400 57600 115200 or 230400 bps AT Command Initial String Type the AT command string t...

Page 122: ... 2 format the difference being that RIP 2B uses subnet broadcasting while RIP 2M uses multicasting Multicasting can reduce the load on non router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets However if one router uses multicasting then all routers on your network must use multicasting also RIP Direction RIP Routing Information Pro...

Page 123: ...ackup connection can be used during the time configured in the Period field Set an amount that is less than the time period configured in the Period field If you set the Allocated Budget to 0 you will not be able to use the dial backup connection Period Type the time period in hours for how often the budget should be reset For example to allow calls to this remote node for a maximum of 10 minutes ...

Page 124: ...onse strings tell the Prestige the tags or labels immediately preceding the various call parameters sent from the WAN device The response strings have not been standardized please consult the documentation of your WAN device to find the correct tags 8 13 Configuring Advanced Modem Setup To configure settings for your backup WAN modem click WAN WAN Backup and then the Advanced Setup button The Adva...

Page 125: ...l Type the AT Command string to make a call Example atdt Drop Type the AT Command string to drop a call represents a one second wait for example ath can be used if your modem has a slow response time Answer Type the AT Command string to answer a call Example ata Drop DTR When Hang Up Select this check box to have the Prestige drop the DTR Data Terminal Ready signal after the AT Command String Drop...

Page 126: ...mber of times for the Prestige to retry a busy or no answer phone number before blacklisting the number Example 0 Retry Interval Type a number of seconds for the Prestige to wait before trying another call after a call has failed This applies before a phone number is blacklisted Example 10 Drop Timeout Type the number of seconds for the Prestige to wait before dropping the DTR signal if it does no...

Page 127: ...NAT Dynamic DNS and Time and Date III Part III NAT Dynamic DNS and Time and Date This part covers NAT Network Address Translation dynamic DNS Domain Name Sever and Time and Date setup ...

Page 128: ......

Page 129: ... local address refers to the IP address of a host when the packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side Note that inside outside refers to the location of a host while global local refers to the IP address of a host used in a packet Thus an inside local address ILA is the IP address of an inside host ...

Page 130: ... not define any servers for Many to One and Many to Many Overload mapping see Table 9 2 NAT offers the additional benefit of firewall protection With no servers defined your Prestige filters out all incoming inquiries thus preventing intruders from probing your network For more information on IP address translation refer to RFC 1631 The IP Network Address Translator NAT 9 1 3 How NAT Works Each pa...

Page 131: ...Figure 9 2 NAT Application With IP Alias 9 1 5 NAT Mapping Types NAT supports five types of IP port mapping They are 1 One to One In One to One mode the Prestige maps one local IP address to one global IP address 2 Many to One In Many to One mode the Prestige maps multiple local IP addresses to one global IP address This is equivalent to SUA for instance PAT port address translation ZyXEL s Single...

Page 132: ...ead Port numbers do not change for One to One and Many to Many No Overload NAT mapping types The following table summarizes these types Table 9 2 NAT Mapping Types TYPE IP MAPPING SMT ABBREVIATION One to One ILA1ÅÆ IGA1 1 1 Many to One SUA PAT ILA1ÅÆ IGA1 ILA2ÅÆ IGA1 M 1 Many to Many Overload ILA1ÅÆ IGA1 ILA2ÅÆ IGA2 ILA3ÅÆ IGA1 ILA4ÅÆ IGA2 M M Ov Many to Many No Overload ILA1ÅÆ IGA1 ILA2ÅÆ IGA2 IL...

Page 133: ... better to specify a range of port numbers You can allocate a server IP address that corresponds to a port or a range of ports Many residential broadband ISP accounts do not allow you to run any server processes such as a Web or FTP server from your location Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location If you are unsu...

Page 134: ...Point to Point Tunneling Protocol 1723 9 3 2 Configuring Servers Behind SUA Example Let s say you want to assign ports 21 25 to one FTP Telnet and SMTP server A in the example port 80 to another B in the example and assign a default server IP address of 192 168 1 35 to a third C in the example You assign the LAN IP addresses and the ISP assigns the WAN IP address The NAT network appears as a singl...

Page 135: ...e LABEL DESCRIPTION None Select this radio button to disable NAT SUA Only Select this radio button if you have just one public WAN IP address for your Prestige The Prestige uses Address Mapping Set 1 in the NAT Edit SUA NAT Server Set screen Edit Details Click this link to go to the NAT Edit SUA NAT Server Set screen Full Feature Select this radio button if you have multiple public WAN IP addresse...

Page 136: ...ige discards all packets received for ports that are not specified here or in the remote management setup Click NAT select SUA Only and click Edit Details to open the following screen Refer to Table 9 3 for port numbers commonly used for particular services Figure 9 5 Edit SUA NAT Server Set The following table describes the fields in this screen ...

Page 137: ... Save to save your changes back to the Prestige Cancel Click Cancel to return to the previous configuration 9 6 Configuring Address Mapping Ordering your rules is important because the Prestige applies the rules in the order that you specify When a rule matches the current packet the Prestige takes the corresponding action and the remaining rules are ignored If there are any empty rules before you...

Page 138: ...al IP Address ILA If your rule is for all local IP addresses then enter 0 0 0 0 as the Local Start IP address and 255 255 255 255 as the Local End IP address This field is N A for One to one and Server mapping types Global Start IP This is the starting Inside Global IP Address IGA Enter 0 0 0 0 here if you have a dynamic IP address from your ISP You can only do this for Many to One and Server mapp...

Page 139: ...rted only M M Ov Overload Many to Many Overload mode maps multiple local IP addresses to shared global IP addresses MM No No Overload Many to Many No Overload mode maps each local IP address to unique global IP addresses Server This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world Back Click Back to return to the NAT Mode screen 9...

Page 140: ...al Start IP This is the starting local IP address ILA Local IP addresses are N A for Server port mapping Local End IP This is the end local IP address ILA If your rule is for all local IP addresses then enter 0 0 0 0 as the Local Start IP address and 255 255 255 255 as the Local End IP address This field is N A for One to One and Server mapping types Global Start IP This is the starting global IP ...

Page 141: ...ends or relatives will always be able to call you even if they don t know your IP address First of all you need to have registered a dynamic DNS account with www dyndns org This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name The Dynamic DNS service provider will give you a password or key 10 1 1 DYNDNS Wildcard Enabling the wildcard featur...

Page 142: ... This is the name of your Dynamic DNS service provider Host Names Type the domain name assigned to your Prestige by your Dynamic DNS provider E mail Address Type your e mail address User Type your user name Password Type the password assigned to you Enable Wildcard Select the check box to enable DYNDNS Wildcard Apply Click Apply to save your changes back to the Prestige Cancel Click Cancel to begi...

Page 143: ...ble on all models Use this screen to configure the Prestige s time and date settings 11 1 Configuring Time and Date To change your Prestige s time and date click Time And Date The screen appears as shown Use this screen to configure the Prestige s time based on your local time zone Figure 11 1 Time and Date ...

Page 144: ...the time zone of your location This will set the time difference between your time zone and Greenwich Mean Time GMT Daylight Savings Select this option if you use daylight savings time Daylight saving is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening Start Date Enter the month and day tha...

Page 145: ...and then click Apply Time Current Time This field displays the time of your Prestige Each time you reload this page the Prestige synchronizes the time with the time server New Time This field displays the last updated time from the time server When you select None in the Use Protocol when Bootup field enter the new time in this field and then click Apply Apply Click Apply to save your changes back...

Page 146: ......

Page 147: ...ers IV Part IV Firewalls and Content Filters This part introduces firewalls in general and the Prestige firewall It also explains customized services and logs and gives example firewall rules and an overview of content filtering ...

Page 148: ......

Page 149: ...irewall to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security policy In addition specific policies must be implemented within the firewall itself 12 2 Types of Firewalls There are three main types of firewalls 1 Packet Filtering Firewalls 2 Application level Firewalls 3 Stateful Inspection Firewalls 12 2 1 Packet F...

Page 150: ...caching that some proxies support See section 12 5 for more information on Stateful Inspection Firewalls of one type or another have become an integral part of standard security solutions for enterprises 12 3 Introduction to ZyXEL s Firewall The Prestige firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated in SMT menu 21 2 or in the...

Page 151: ... perform specific functions An extension number called the TCP port or UDP port identifies these protocols such as HTTP Web FTP File Transfer Protocol POP3 E mail etc For example Web traffic by default uses TCP port 80 When computers communicate on the Internet they are using the client server model where the server listens on a specific TCP UDP port for information requests from remote client com...

Page 152: ...ket is then sent to an unsuspecting system Systems may crash hang or reboot 1 b Teardrop attack exploits weaknesses in the re assembly of IP packet fragments As data is transmitted through a network IP packets are often broken up into smaller chunks Each fragment looks like the original IP packet except that it contains an offset field that says for instance This fragment is carrying bytes 200 thr...

Page 153: ...YN Attack floods a targeted system with a series of SYN packets Each packet causes the targeted system to issue a SYN ACK response While the targeted system waits for the ACK that follows the SYN ACK it queues up all outstanding SYN ACK responses on what is known as a backlog queue SYN ACKs are moved off the queue only when an ACK comes back or when an internal timer which is set at relatively lon...

Page 154: ...oadcast the ICMP echo request packet to all hosts on the network If there are numerous hosts this will create a large amount of ICMP echo request and response traffic If a hacker chooses to spoof the source IP address of the ICMP echo request packet the resulting ICMP traffic will not only clog up the intermediary network but will also congest the network of the spoofed source IP address known as ...

Page 155: ...oming from within the trusted network To engage in IP spoofing a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall The Prestige blocks all IP Spoofing attempts 12 5 Stateful Inspection With stateful inspection fields of the packets are compared to packets that are already known to be trusted ...

Page 156: ...l rule inspection 1 The packet travels from the firewall s LAN to the WAN 2 The packet is evaluated against the interface s existing outbound access list and the packet is permitted a denied packet would simply be dropped at this point 3 The firewall inspects packets to determine and record information about the state of the packet s connection This information is recorded in a new state table ent...

Page 157: ...s temporary inbound access list entries are deleted 12 5 2 Stateful Inspection and the Prestige Additional rules may be defined to extend or override the default rules For example a rule may be created which will i Block all traffic of a certain type such as IRC Internet Relay Chat from the LAN to the Internet ii Allow certain types of traffic from the Internet to specific hosts on the LAN iii All...

Page 158: ... sequence numbers However at the very minimum they contain an IP address pair source and destination UDP also contains port pairs and ICMP has type and code information All of this data can be analyzed in order to build virtual connections in the cache For instance any UDP packet that originates on the LAN will create a cache entry Its IP address and port pairs will be stored For a short period of...

Page 159: ...y local service such as SNMP or NTP that you don t use Any enabled service could present a potential security risk A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network 5 For local services that are enabled protect against misuse Protect by configuring the services to communicate only with specific peers and protect by configur...

Page 160: ... such as or 8 Upgrade your software regularly Many older versions of software especially web browsers have well known security deficiencies When you upgrade to the latest versions you get the latest patches and fixes 9 If you use chat rooms or IRC sessions be careful with any information you reveal to strangers 10 If your system starts exhibiting odd behavior contact your ISP Some hackers will set...

Page 161: ...ket masquerading as a response to a nonexistent outbound request can be blocked The firewall uses session filtering i e smart rules that enhance the filtering process and control the network session rather than control individual packets in a session The firewall provides e mail service to notify you of routine reports and when alerts occur When To Use The Firewall 1 To prevent DoS attacks and pre...

Page 162: ......

Page 163: ... Firewall rules are grouped based on the direction of travel of packets to which they apply LAN to LAN Router WAN to LAN DMZ to LAN LAN to WAN WAN to WAN Router DMZ to WAN LAN to DMZ WAN to DMZ DMZ to DMZ Router By default the Prestige s stateful packet inspection allows packets traveling in the following directions LAN to LAN Router This allows computers on the LAN to manage the Prestige and comm...

Page 164: ...from specific hosts on the Internet to specific hosts on the LAN Allow everyone except your competitors to access a Web server Restrict use of certain protocols such as Telnet to authorized users on the LAN These custom rules work by comparing the Source IP address Destination IP address and IP protocol type of network traffic to rules set by the administrator Your customized rules take precedence...

Page 165: ...more effective 3 Does a rule that allows Internet users access to resources on the LAN create a security vulnerability For example if FTP ports TCP 20 21 are allowed from the Internet to the LAN Internet users may be able to connect to computers with running FTP servers 4 Does this rule conflict with any existing rules Once these questions have been answered adding rules is simply a matter of plug...

Page 166: ... associated interface LAN WAN or DMZ respectively LAN to LAN Router means policies for LAN to Prestige the policies for managing the Prestige through the LAN interface and policies for LAN to LAN the policies that control routing between two subnets on the LAN Similarly WAN to WAN Router and DMZ to DMZ Router polices apply in the same way to the WAN and DMZ ports 13 4 1 LAN to WAN Rules The defaul...

Page 167: ... wish to allow certain WAN users to have access to your LAN you will need to create custom rules to allow it See the following figure Figure 13 2 WAN to LAN Traffic By default NO incoming connections WAN to LAN are allowed unless you create rules allowing certain WAN users services access to your LAN 13 5 Configuring Firewall Click Firewall to open the Default Policy screen Enable or activate the ...

Page 168: ...CRIPTION Firewall Enabled Select this check box to activate the firewall The Prestige performs access control and protects against Denial of Service DoS attacks when the firewall is activated Allow Asymmetrical Route Select this check box to have the Prestige firewall permit the use of triangle route topology on the network See the appendix for more on triangle route topology ...

Page 169: ...the drop down list box to select the traffic direction to which you want to apply this firewall rule Default Action Use the radio buttons to select whether to Block silently discard or Forward allow the passage of packets that are traveling in the selected direction Log Select the check box to create a log when the above action is taken for packets that are traveling in the selected direction and ...

Page 170: ...mory for recording firewall rules it is currently using Packet Direction Use the drop down list box to select a direction of travel of packets LAN to LAN Router LAN to WAN LAN to DMZ WAN to WAN Router WAN to LAN WAN to DMZ DMZ to DMZ Router DMZ to LAN or DMZ to WAN for which you want to configure firewall rules Default Policy This field displays the default action and log policy you selected in th...

Page 171: ...ist box displays the services to which this firewall rule applies Please note that a blank service type is equivalent to Any See Table 13 5 for more information Action This is the specified action for that rule either Block or Forward Note that Block means the firewall silently discards the packet Schedule This field tells you whether a schedule is specified Yes or not No Log This field shows you ...

Page 172: ...his screen afresh 13 5 2 Configuring Firewall Rules Follow these directions to create a new rule Step 1 In the Rule Summary screen type the index number for where you want to put the rule For example if you type 6 your new rule becomes number 6 and the previous rule 6 if there is one becomes rule 7 Step 2 Click Insert to display this screen and refer to the following table for information on the l...

Page 173: ...Prestige 652H HW Series User s Guide Firewall Screens 13 11 Figure 13 5 Insert Append A Firewall Rule ...

Page 174: ...et Mask Type the subnet mask here if applicable Add Click Add to add a new address to the Source or Destination Address box You can add multiple addresses ranges of addresses and or subnets Edit To edit an existing source or destination address select it from the box and click Edit Delete Highlight an existing source or destination address from the Source or Destination Address box above and click...

Page 175: ...se logs Alert Send Alert Message to Administrator When Matched Select this check box to have the Prestige generate an alert when the rule is matched Back Click Back to return the Rule Summary screen Apply Click Apply to save your customized settings and exit this screen Cancel Click Cancel to exit this screen without saving Delete Click Delete to remove this rule 13 5 3 Configuring Custom Ports Co...

Page 176: ... box Port Configuration Type Select Single to specify one port only or Range to specify a span of ports that define your customized service Port Number Enter a single port number or the range of port numbers that define your customized service Back Click Back to return to the Firewall Edit Rule screen Apply Click Apply to save your customized settings and exit this screen Cancel Click Cancel to ex...

Page 177: ... for where you want to put the rule For example if you type 6 your new rule becomes number 6 and the previous rule 6 if there is one becomes rule 7 Step 3 Click Insert to display the firewall rule configuration screen Step 4 Select Any in the Destination Address box and then click Delete Step 5 Configure the source address screen as follows and click Add Select WAN to LAN from the drop down list b...

Page 178: ...Prestige 652H HW Series User s Guide 13 16 Firewall Screens Figure 13 8 Rule Edit Example ...

Page 179: ... follows and click Apply Figure 13 9 Edit Custom Port Example Step 8 The Rule Summary screen displays use the arrows between Available Services and Selected Services to configure it as follows Click Apply when you are done Custom ports show up with an before their names in the Services list box and the Rule Summary list box Click Apply after you ve created your custom port ...

Page 180: ...e 652H HW Series User s Guide 13 18 Firewall Screens Figure 13 10 My Service Rule Configuration This is the address range of the My Service servers This is your My Service custom port Click Apply when finished ...

Page 181: ...e Prestige already supports Next to the name of the service two fields appear in brackets The first field indicates the IP protocol type TCP UDP or ICMP The second field indicates the IP port number that defines the service Note that there may be more than one IP protocol type For example look at the default configuration labeled DNS UDP TCP 53 means UDP port 53 and TCP port 53 Custom services may...

Page 182: ...transfer of files including large files that may not be possible by e mail H 323 TCP 1720 NetMeeting uses this protocol HTTP TCP 80 Hyper Text Transfer Protocol a client server protocol for the world wide web HTTPS TCP 443 HTTPS is a secured http session often used in e commerce ICQ UDP 4000 This is a popular Internet chat program IKE UDP 500 The Internet Key Exchange algorithm is used for key dis...

Page 183: ...TP_TUNNEL GRE 0 Point to Point Tunneling Protocol enables secure transfer of data over public networks This is the data channel RCMD TCP 512 Remote Command Service REAL_AUDIO TCP 7070 A streaming audio service that enables real time sound over the web REXEC TCP 514 Remote Execution Daemon RLOGIN TCP 513 Remote Login RTELNET TCP 107 Remote Telnet RTSP TCP UDP 554 The Real Time Streaming media contr...

Page 184: ...ost systems TFTP UDP 69 Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP but uses the UDP User Datagram Protocol rather than TCP Transmission Control Protocol VDOLIVE TCP 7000 Another videoconferencing solution 13 8 Anti Probing If an outside user attempts to probe an unsupported port on your Prestige an ICMP response packet is automatically returned This allows ...

Page 185: ... for unused ports thus leaving the unused ports and the Prestige unseen By default this option is not selected and the Prestige will reply with an ICMP Port Unreachable packet for a port probe on its unused UDP ports and a TCP Reset packet for a port probe on its unused TCP ports Note that the probing packets must first traverse the Prestige s firewall mechanism before reaching this anti probing m...

Page 186: ... parameters when something is not working and after you have checked the firewall counters These default values should work fine for normal small offices with ADSL bandwidth Factors influencing choices for threshold values are 1 The maximum number of opened sessions 2 The minimum capacity of server backlog in your LAN network 3 The CPU power of servers in your LAN network 4 Network bandwidth 5 Typ...

Page 187: ...ed in the last one minute sample period TCP Maximum Incomplete and Blocking Time An unusually high number of half open sessions with the same destination host address could indicate that a Denial of Service attack is being launched against the host Whenever the number of half open sessions with the same destination host address rises above a threshold TCP Maximum Incomplete the Prestige starts del...

Page 188: ...Firewall Threshold LABEL DESCRIPTION DEFAULT VALUES Denial of Service Thresholds One Minute Low This is the rate of new half open sessions that causes the firewall to stop deleting half open sessions The Prestige continues to delete half open sessions as necessary until the rate of new connection attempts drops below this number 80 existing half open sessions ...

Page 189: ... below this number 80 existing half open sessions Maximum Incomplete High This is the number of existing half open sessions that causes the firewall to start deleting half open sessions When the number of existing half open sessions rises above this number the Prestige deletes half open sessions as required to accommodate new connection requests Do not set Maximum Incomplete High to lower than the...

Page 190: ...sion when a new connection request comes Deny New Connection Request for Select this radio button and specify for how long the Prestige should block new connection requests when TCP Maximum Incomplete is reached Enter the length of blocking time in minutes between 1 and 256 Back Click Back to return to the Firewall Functions screen Apply Click Apply to save your changes back to the Prestige Cancel...

Page 191: ... set a schedule for when the Prestige performs content filtering You can also specify trusted IP addresses on the LAN for which the Prestige will not perform content filtering 14 2 Configuring Keyword Blocking Use this screen to block sites containing certain keywords in the URL For example if you enable the keyword bad the Prestige blocks all sites containing this keyword including the URL http w...

Page 192: ...t this check box to enable this feature Block Websites that contain these keywords in the URL This box contains the list of all the keywords that you have configured the Prestige to block Delete Highlight a keyword in the box and click Delete to remove it Clear All Click Clear All to remove all of the keywords from the list Keyword Type a keyword in this field You may use any character up to 64 ch...

Page 193: ...will get a message telling you that the content filter is blocking this request Back Click Back to return to the previous screen Apply Click Apply to save your changes back to the Prestige Cancel Click Cancel to return to the previously saved settings 14 3 Configuring the Schedule To set the days and times for the Prestige to perform content filtering click Content Filter and Schedule The screen a...

Page 194: ...o the previous screen Apply Click Apply to save your changes Cancel Click Cancel to return to the previously saved settings 14 4 Configuring Trusted Computers To exclude a range of users on the LAN from content filtering on your Prestige click CONTENT FILTER and Trusted The screen appears as shown Figure 14 3 Content Filter Trusted The following table describes the fields in this screen Table 14 3...

Page 195: ...ddress of a specific range of users on your LAN that you want to exclude from content filtering Leave this field blank if you want to exclude an individual computer Back Click Back to return to the previous screen Apply Click Apply to save your changes back to the Prestige Cancel Click Cancel to return to the previously saved settings ...

Page 196: ......

Page 197: ...VPN IPSec V Part V VPN IPSec This part provides information about configuring VPN IPSec for secure communications ...

Page 198: ......

Page 199: ...tions for secure data communications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authentication at the IP layer 15 1 2 Security Association A Security Association SA is a contract between two parties indicating what security parameters such as keys and algorithms they will use 15 1 3...

Page 200: ...plications Linking Two or More Private Networks Together Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased lines between sites Accessing Network Resources When NAT Is Enabled When NAT is enabled remote users are not able to access hosts on the LAN unless the host is designated a public LAN server for that s...

Page 201: ...ding implementation algorithms The Encryption Algorithm describes the use of encryption techniques such as DES Data Encryption Standard and Triple DES algorithms The Authentication Algorithms HMAC MD5 RFC 2403 and HMAC SHA 1 RFC 2404 provide an authentication mechanism for the AH and ESP protocols Please see section 16 2 for more information 15 2 2 Key Management Key management allows you to deter...

Page 202: ...ernal systems Tunnel mode is fundamentally an IP tunnel with authentication and encryption This is the most common mode of operation Tunnel mode is required for gateway to gateway and host to gateway communications Tunnel mode communications have two sets of IP headers Outside header The outside IP header contains the destination IP address of the VPN gateway Inside header The inside IP header con...

Page 203: ... with authentication the packet contents in this case the entire original packet are encrypted The encrypted contents but not the new headers are signed with a hash value appended to the packet Tunnel mode ESP with authentication is compatible with NAT because integrity checks are performed over the combination of the original header plus original payload which is unchanged by a NAT device Transpo...

Page 204: ......

Page 205: ...rity authentication sequence integrity replay resistance and non repudiation but not for confidentiality for which the ESP was designed In applications where confidentiality is not required or not sanctioned by government encryption restrictions an AH can be employed to ensure integrity This type of implementation does not protect the information from dissemination but will allow for verification ...

Page 206: ...or maximum security 16 3 My IP Address My IP Address is the WAN IP address of the Prestige The Prestige has to rebuild the VPN tunnel if the My IP Address changes after setup The following applies if this field is configured as 0 0 0 0 The Prestige uses the current Prestige WAN IP address static or dynamic to set up the VPN tunnel If the WAN connection goes down the Prestige uses the dial backup I...

Page 207: ...This may be useful for telecommuters initiating a VPN tunnel to the company network See section 16 17 for configuration examples The Secure Gateway IP Address may be configured as 0 0 0 0 only when using IKE key management and not Manual key management 16 5 VPN Summary Screen The following figure helps explain the main fields in the web configurator Figure 16 1 IPSec Summary Fields Local and remot...

Page 208: ... 16 2 VPN Summary LABEL DESCRIPTION No This is the VPN policy index number Click a number to edit VPN policies Name This field displays the identification name for this VPN policy Active This field displays whether the VPN policy is active or not A Yes signifies that this VPN policy is active No signifies that this VPN policy is not active ...

Page 209: ...d to Single The beginning and ending static IP addresses in a range of computers are displayed when the Remote Address Type field in the VPN IKE or VPN Manual Key screen is configured to Range A static IP address and a subnet mask are displayed when the Remote Address Type field in the VPN IKE or VPN Manual Key screen is configured to Subnet Encap This field displays Tunnel or Transport mode Tunne...

Page 210: ...the two IPSec routers because the NAT router changes the header of the IPSec packet In the previous figure IPSec router A sends an IPSec packet in an attempt to initiate a VPN The NAT router changes the IPSec packet s header so it does not match the header for which IPSec router B is checking Therefore IPSec router B does not respond and the VPN connection cannot be built NAT traversal solves the ...

Page 211: ... office 1 uses the Intranet DNS server in headquarters The DNS server feature for VPN does not work with Windows 2000 or Windows XP Figure 16 4 VPN Host using Intranet DNS Server Example If you do not specify an Intranet DNS server on the remote network then the VPN host must use IP addresses to access the computers on the remote network 16 8 ID Type and Content With aggressive negotiation mode se...

Page 212: ...k to have the Prestige automatically use its own IP address DNS Type a domain name up to 31 characters by which to identify this Prestige E mail Type an e mail address up to 31 characters by which to identify this Prestige The domain name or e mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e mail address Table 1...

Page 213: ...s IP but Prestige A s Peer ID type is set to E mail An ID mismatched message displays in the IPSEC LOG Table 16 6 Mismatching ID Type and Content Configuration Example PRESTIGE A PRESTIGE B Local ID type IP Local ID type IP Local ID content 1 1 1 10 Local ID content 1 1 1 10 Peer ID type E mail Peer ID type IP Peer ID content aa yahoo com Peer ID content N A 16 9 Pre Shared Key A pre shared key id...

Page 214: ...Prestige 652H HW Series User s Guide 16 10 VPN Screens Figure 16 5 VPN IKE ...

Page 215: ...ement In order for an IPSec router behind a NAT router to receive an initiating IPSec packet set the NAT router to forward UDP port 500 to the IPSec router behind the NAT router Name Type up to 32 characters to identify this VPN policy You may use any character including spaces but the Prestige drops trailing spaces IPSec Key Mode Select IKE or Manual from the drop down list box IKE provides more ...

Page 216: ...e Local Address Type field is configured to Range enter the beginning static IP address in a range of computers on your LAN behind your Prestige When the Local Address Type field is configured to Subnet this is a static IP address on the LAN behind your Prestige End Subnet Mask When the Local Address Type field is configured to Single this field is N A When the Local Address Type field is configur...

Page 217: ...identify this Prestige by its IP address Select DNS to identify this Prestige by a domain name Select E mail to identify this Prestige by an e mail address Content When you select IP in the Local ID Type field type the IP address of your computer in the local Content field The Prestige automatically uses the IP address in the My IP Address field refer to the My IP Address field description if you ...

Page 218: ...te IPSec router by an e mail address Content The configuration of the peer content depends on the peer ID type For IP type the IP address of the computer with which you will make the VPN connection If you configure this field to 0 0 0 0 or leave it blank the Prestige will use the address in the Secure Gateway Address field refer to the Secure Gateway Address field description For DNS or E mail typ...

Page 219: ... Encapsulation Security Payload The ESP protocol RFC 2406 provides encryption as well as some of the services offered by AH If you select ESP here you must select options from the Encryption Algorithm and Authentication Algorithm fields described below Pre Shared Key Type your pre shared key in this field A pre shared key identifies a communicating party during a phase 1 IKE negotiation It is call...

Page 220: ... NULL to set up a tunnel without encryption When you select NULL you do not enter an encryption key Authentication Algorithm Select SHA1 or MD5 from the drop down list box MD5 Message Digest 5 and SHA1 Secure Hash Algorithm are hash algorithms used to authenticate packet data The SHA1 algorithm is generally considered stronger than MD5 but is slower Select MD5 for minimal security and SHA 1 for ma...

Page 221: ...ryption algorithm Choose an authentication algorithm Choose whether to enable Perfect Forward Secrecy PFS using Diffie Hellman public key cryptography see section 16 11 3 Select None the default to disable PFS Choose Tunnel mode or Transport mode Set the IPSec SA lifetime This field allows you to determine how long the IPSec SA should stay up before it times out The Prestige automatically renegoti...

Page 222: ...Diffie Hellman is used within IKE SA setup to establish session keys 768 bit Group 1 DH1 and 1024 bit Group 2 DH2 Diffie Hellman groups are supported Upon completion of the Diffie Hellman exchange the two peers have a shared secret but the IKE SA is not authenticated For authentication use pre shared keys 16 11 3 Perfect Forward Secrecy PFS Enabling PFS means that the key is transient The key is t...

Page 223: ...16 19 Figure 16 7 VPN IKE Advanced Setup The following table describes the fields in this screen Table 16 8 VPN IKE Advanced Setup LABEL DESCRIPTION VPN IKE Protocol Enter 1 for ICMP 6 for TCP 17 for UDP etc 0 is the default and signifies any protocol ...

Page 224: ...25 SMTP 110 POP3 End Enter a port number in this field to define a port range This port number must be greater than that specified in the previous field If Remote Start Port is left at 0 End will also remain at 0 Phase 1 Negotiation Mode Select Main or Aggressive from the drop down list box Multiple SAs connecting through a secure gateway must have the same negotiation mode Pre Shared Key Type you...

Page 225: ...ange from 60 to 3 000 000 seconds almost 35 days A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys However every time the VPN tunnel renegotiates all users accessing remote resources are temporarily disconnected Key Group You must choose a key group for phase 1 IKE setup DH1 default refers to Diffie Hellman Group 1 a 768 bit ra...

Page 226: ... from the drop down list box to enable PFS DH1 refers to Diffie Hellman Group 1 a 768 bit random number DH2 refers to Diffie Hellman Group 2 a 1024 bit 1Kb random number more secure yet slower Apply Click Apply to save your changes back to the Prestige and return to the VPN IKE screen Cancel Click Cancel to return to the VPN IKE screen without saving your changes 16 13Manual Key Setup Manual key m...

Page 227: ...Prestige 652H HW Series User s Guide VPN Screens 16 23 Figure 16 8 Manual Setup ...

Page 228: ...he remote IPSec router s configured remote IP addresses Two active SAs cannot have the local and remote IP address es both the same Two active SAs can have the same local or remote IP address but not both You can configure multiple SAs between the same local and remote IP addresses as long as only one is active at any time Local Address Type Use the drop down menu to choose Single Range or Subnet ...

Page 229: ...mote IPSec router When the Remote Address Type field is configured to Subnet enter a static IP address on the network behind the remote IPSec router End Subnet Mask When the Remote Address Type field is configured to Single this field is N A When the Remote Address Type field is configured to Range enter the end static IP address in a range of computers on the network behind the remote IPSec route...

Page 230: ...ith 3DES type a unique key 24 characters long Any characters may be used including spaces but trailing spaces are truncated Authentication Algorithm Select SHA1 or MD5 from the drop down list box MD5 Message Digest 5 and SHA1 Secure Hash Algorithm are hash algorithms used to authenticate packet data The SHA1 algorithm is generally considered stronger than MD5 but is slower Select MD5 for minimal s...

Page 231: ...e SA times out automatically after two minutes A tunnel with no outbound or inbound traffic is idle and does not timeout until the SA lifetime period expires See section 16 6 on keep alive to have the Prestige renegotiate an IPSec SA when the SA lifetime expires even if there is no traffic Figure 16 9 SA Monitor ...

Page 232: ... Both AH and ESP increase Prestige processing requirements and communications latency delay Disconnect Select Disconnect next to a security association and then click Apply to stop that security association Back Click Back to return to the previous screen Apply Click Apply to save your changes back to the Prestige Refresh Click Refresh to display the current active VPN connection s 16 16Configurin...

Page 233: ...lick Cancel to begin configuring this screen afresh 16 17Telecommuter VPN IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single Prestige at headquarters The telecommuters use IPSec routers with dynamic WAN IP addresses The Prestige at headquarters has a static public IP address 16 17 1 Telecommuters Sharing One VPN Rule Example See the following...

Page 234: ...e negotiation mode see section 16 11 1 the Prestige can use the ID types and contents to distinguish between VPN rules Telecommuters can each use a separate VPN rule to simultaneously access a Prestige at headquarters They can use different IPSec parameters The local IP addresses or ranges of addresses of the rules configured on the Prestige at headquarters can overlap The local IP addresses of th...

Page 235: ...e IP Address 192 168 1 10 Local ID Type E mail Peer ID Type E mail Local ID Content bob bigcompanyhq com Peer ID Content bob bigcompanyhq com Telecommuter A telecommutera dydns org Headquarters Prestige Rule 1 Local ID Type IP Peer ID Type IP Local ID Content 192 168 2 12 Peer ID Content 192 168 2 12 Local IP Address 192 168 2 12 Secure Gateway Address telecommuter1 com Remote Address 192 168 2 12...

Page 236: ...Telecommuter C telecommuterc dydns org Headquarters Prestige Rule 3 Local ID Type E mail Peer ID Type E mail Local ID Content myVPN myplace com Peer ID Content myVPN myplace com Local IP Address 192 168 4 15 Secure Gateway Address telecommuterc com Remote Address 192 168 4 15 16 18VPN and Remote Management If a VPN tunnel uses Telnet FTP WWW then you should configure remote management Remote Manag...

Page 237: ... UPnP and Logs VI Part VI Remote Management UPnP and Logs This part contains information on how to configure the Prestige for remote management setting up Universal Plug and Play UPnP and setting up and displaying logs ...

Page 238: ......

Page 239: ...location via Internet WAN only ALL LAN and WAN LAN only Neither Disable When you Choose WAN only or ALL LAN WAN you still need to configure a firewall rule to allow access To disable remote management of a service select Disable in the corresponding Server Access field You may only have one remote management session running at a time The Prestige automatically disconnects a remote management sessi...

Page 240: ...time 5 There is a firewall rule that blocks it 17 1 2 Remote Management and NAT When NAT is enabled Use the Prestige s WAN IP address when configuring from the WAN Use the Prestige s LAN IP address when configuring from the LAN 17 1 3 System Timeout There is a default system management idle timeout of five minutes three hundred seconds The Prestige automatically logs you out if the management sess...

Page 241: ...nt Click Remote Management to open the following screen Figure 17 2 Remote Management The following table describes the fields in this screen Table 17 1 Remote Management LABEL DESCRIPTION Server Type Each of these labels denotes a service that you may use to remotely manage the Prestige Access Status Select the access interface Choices are All LAN Only WAN Only and Disable Port This field shows t...

Page 242: ...CRIPTION Secured Client IP The default 0 0 0 0 allows any client to use this service to remotely manage the Prestige Type an IP address to restrict access to a client with a matching IP address Apply Click Apply to save your settings back to the Prestige Cancel Click Cancel to begin configuring this screen afresh ...

Page 243: ...lecting the icon of a UPnP device will allow you to access the information and properties of that device 18 1 2 NAT Traversal UPnP NAT traversal automates the process of allowing an application to operate through NAT UPnP network devices can automatically configure network addressing announce their presence in the network to other UPnP devices and enable exchange of simple product and service desc...

Page 244: ...g tested UPnP broadcasts are only allowed on the LAN See later sections for examples of installing UPnP in Windows XP and Windows Me as well as an example of using UPnP in Windows 18 2 1 Configuring UPnP From the Site Map in the main menu click UPnP under Advanced Setup to display the screen shown next Figure 18 1 Configuring UPnP The following table describes the fields in this screen Table 18 1 ...

Page 245: ... application Allow UPnP to pass through Firewall Select this check box to allow traffic from UPnP enabled applications to bypass the firewall Clear this check box to have the firewall block all UPnP application packets for example MSN packets Apply Click Apply to save the setting to the Prestige Cancel Click Cancel to return to the previously saved settings 18 3 Installing UPnP in Windows Example ...

Page 246: ...tart the computer when prompted Installing UPnP in Windows XP Follow the steps below to install the UPnP in Windows XP Step 1 Click Start and Control Panel Step 2 Double click Network Connections Step 3 In the Network Connections window click Advanced in the main menu and select Optional Networking Components The Windows Optional Networking Components Wizard window displays Step 4 Select Networkin...

Page 247: ...ample This section shows you how to use the UPnP feature in Windows XP You must already have UPnP installed in Windows XP and UPnP activated on the Prestige Make sure the computer is connected to a LAN port of the Prestige Turn on your computer and the Prestige Auto discover Your UPnP enabled Network Device Step 1 Click Start and Control Panel Double click Network Connections An icon displays unde...

Page 248: ... were automatically created Step 4 You may edit or delete the port mappings or click Add to manually add port mappings When the UPnP enabled device is disconnected from your computer all port mappings will be deleted automatically Step 5 Select Show icon in notification area when connected option and click OK An icon displays in the system tray ...

Page 249: ...you can access the web based configurator on the Prestige without finding out the IP address of the Prestige first This comes helpful if you do not know the IP address of the Prestige Follow the steps below to access the web configurator Step 1 Click Start and then Control Panel Step 2 Double click Network Connections Step 3 Select My Network Places under Other Places ...

Page 250: ...P enabled device displays under Local Network Step 5 Right click on the icon for your Prestige and select Invoke The web configurator login screen displays Step 6 Right click on the icon for your Prestige and select Properties A properties window displays with basic information about the Prestige ...

Page 251: ... attacks access control and attempted access to blocked web sites Some categories such as System Errors consist of both logs and alerts You may differentiate them by their color in the View Log screen Alerts display in red and logs display in black 19 2 Configuring Log Settings Use the Log Settings screen to configure to where the Prestige is to send logs the schedule for when the Prestige is to s...

Page 252: ...Prestige 652H HW Series User s Guide 19 2 Logs Screens Figure 19 1 Log Settings The following table describes the fields in this screen ...

Page 253: ... to enable UNIX syslog Syslog IP Address Enter the server name or IP address of the syslog server that will log the selected categories of logs Log Facility Select a location from the drop down list box The log facility allows you to log the messages to different files in the syslog server Refer to your UNIX manual for more information Send Log Log Schedule This drop down menu is used to configure...

Page 254: ...ck Apply to save your customized settings and exit this screen Cancel Click Cancel to return to the previously saved settings 19 3 Displaying the Logs Click Logs and then View Log to open the View Logs screen Use the View Logs screen to see the logs for the categories that you selected in the Log Settings screen see section 19 2 Log entries in red indicate alerts The log wraps around and deletes t...

Page 255: ... IP address and the port number of the incoming packet Notes This field displays additional information about the log entry Back Click Back to return to the previous screen Email Log Now Click Email Log Now to send the log screen to the e mail address specified in the Log Settings page make sure that you have first filled in the Address Info fields in Log Settings see section 19 2 Refresh Click Re...

Page 256: ...8 1 131 To 192 168 1 255 default policy forward 09 54 17 UDP src port 00520 dest port 00520 1 00 3 Apr 7 00 From 192 168 1 6 To 10 10 10 10 match forward 09 54 19 UDP src port 03516 dest port 00053 1 01 snip snip 126 Apr 7 00 From 192 168 1 1 To 192 168 1 255 match forward 10 05 00 UDP src port 00520 dest port 00520 1 02 127 Apr 7 00 From 192 168 1 131 To 192 168 1 255 match forward 10 05 17 UDP s...

Page 257: ...Bandwidth Management VII Part VII Bandwidth Management This part provides information on the functions and configuration of Bandwidth Management ...

Page 258: ......

Page 259: ... dropped packets at the next routing device For example you can set the WAN interface speed to 1000kbps if the ADSL connection has an upstream speed of 1000kbps All configuration screens display measurements in kbps kilobits per second but this User s Guide also uses Mbps megabits per second for brevity s sake 20 2 Bandwidth Classes and Filters Use bandwidth classes and child classes to allocate s...

Page 260: ...al available bandwidth 20 4 Bandwidth Management Usage Examples These examples show bandwidth management allotments on a WAN interface that is configured for 640Kbps 20 4 1 Application based Bandwidth Management Example The bandwidth classes in the following example are based solely on application Each bandwidth class VoIP Web FTP E mail and Video is allotted 128kbps Table 20 1 Application based B...

Page 261: ...uses bandwidth classes based on LAN subnets and applications specific applications in each subnet are allotted bandwidth Table 20 3 Application and Subnet based Bandwidth Management Example TRAFFIC TYPE FROM SUBNET A FROM SUBNET B VoIP 64 kbps 64 kbps Web 64 kbps 64 kbps FTP 64 kbps 64 kbps E mail 64 kbps 64 kbps Video 64 kbps 64 kbps Table 20 4 Application and Subnet based Bandwidth Management Ex...

Page 262: ...g among the bandwidth classes that require more bandwidth When you enable maximize bandwidth usage the Prestige first makes sure that each bandwidth class gets up to its bandwidth allotment Next the Prestige divides up an interface s available bandwidth bandwidth that is unbudgeted or unused by the classes depending on how many bandwidth classes require more bandwidth and on their priority levels ...

Page 263: ...eted 2 Mbps the Prestige also divides the remaining 1 Mbps among the classes that require more bandwidth Therefore the Prestige divides a total of 3 Mbps total of unbudgeted and unused bandwidth among the classes that require more bandwidth In this case suppose that all of the classes except for the administration class need more bandwidth Each class gets up to its budgeted bandwidth The administr...

Page 264: ...dth A parent class s unused bandwidth is given to the highest priority child class first The child class can also borrow bandwidth from a higher parent class grandparent class if the child class s parent class is also configured to borrow bandwidth from its parent class This can go on for as many levels as are configured to borrow bandwidth from their parent class see section 20 7 1 The total of t...

Page 265: ...width Borrowing Example The Bill class can borrow unused bandwidth from the Sales USA class because the Bill class has bandwidth borrowing enabled The Bill class can also borrow unused bandwidth from the Sales class because the Sales USA class also has bandwidth borrowing enabled ...

Page 266: ...ng on individual child classes the Prestige functions as follows 1 The Prestige sends traffic according to each bandwidth class s bandwidth budget 2 The Prestige assigns a parent class s unused bandwidth to its child classes that have more traffic than their budgets and have bandwidth borrowing enabled The Prestige gives priority to bandwidth child classes of higher priority and treats bandwidth c...

Page 267: ...ace regardless of the traffic s source Traffic redirect or IP alias may cause LAN to LAN traffic to pass through the Prestige and be managed by bandwidth management Active Select an interface s check box to enable bandwidth management on that interface Speed kbps Enter the amount of bandwidth for this interface that you want to allocate using bandwidth management This appears as the bandwidth budg...

Page 268: ...flow guarantee To fine tune the levels of services on the priority of the traffic flow using QoS places a heavy burden on the network infrastructure DiffServ is a class of service CoS model that marks packets so that they receive specific per hop treatment at DiffServ compliant network devices along the route based on the application types and traffic flow Packets are marked with DiffServ Code Poi...

Page 269: ...B CLASS 2 AF21 AF22 AF23 SUB CLASS 1 AF11 AF12 AF13 20 10Configuring Class Setup The class setup screen displays the configured bandwidth classes by individual interface Select an interface and click the buttons to perform the actions described next Click to expand the class tree or click to collapse the class tree Each interface has a permanent root class The bandwidth budget of the root class is...

Page 270: ...t an interface from the drop down list box for which you wish to set up classes Back Click Back to go to the main BW Manager screen Add Child Class Click Add Child class to add a sub class Edit Click Edit to configure the selected class You cannot edit the root class Delete Click Delete to delete the class and all its child classes You cannot delete the root class Statistics Click Statistics to di...

Page 271: ... in the Class Configuration screen You must use the Bandwidth Manager Summary screen to enable bandwidth management on an interface before you can configure classes for that interface To add a child class click BW Manager then Class Setup Click the Add Child Class button to open the following screen Table 20 14 Bandwidth Manager Class Configuration ...

Page 272: ...ts bandwidth budget Bandwidth borrowing is governed by the priority of the child classes That is a child class with the highest priority 7 is the first to borrow bandwidth from its parent class Do not select this for the classes directly below the root class if you want to leave bandwidth available for other traffic types see 20 6 1 or you want to set the interface s speed to match what the next d...

Page 273: ...ndix for more information on IP subnetting Destination Port Enter the port number of the destination A blank destination port means any destination port Source IP Address Enter the source IP address A blank source IP address means any source IP address Source Subnet Mask Enter the source subnet mask This field is N A if you do not specify a Source IP Address Refer to the appendix for more informat...

Page 274: ...ple Mail Transfer Protocol 25 DNS Domain Name System 53 Finger 79 HTTP Hyper Text Transfer protocol or WWW Web 80 POP3 Post Office Protocol 110 NNTP Network News Transport Protocol 119 SNMP Simple Network Management Protocol 161 SNMP trap 162 PPTP Point to Point Tunneling Protocol 1723 20 10 2 Bandwidth Management Statistics Use the Bandwidth Management Statistics screen to view network performanc...

Page 275: ...isplays the total number of bytes transmitted Dropped Packets This field displays the total number of packets dropped Dropped Bytes This field displays the total number of bytes dropped Bandwidth Statistics for the Past 8 Seconds t 8 to t 1 This field displays the bandwidth statistics in bps for the past one to eight seconds For example t 1 means one second ago Update Period seconds Enter the time...

Page 276: ... Bandwidth Manager Monitor The following table describes the labels in this screen Table 20 20 Bandwidth Manager Monitor LABEL DESCRIPTION Interface Select an interface from the drop down list box to view the bandwidth usage of its bandwidth classes Class Name This field displays the name of the class Budget kbps This field displays the amount of bandwidth allocated to the class Current Usage kbps...

Page 277: ...Maintenance VIII Part VIII Maintenance This part covers the maintenance screens ...

Page 278: ......

Page 279: ...port traffic statistics 21 1 Maintenance Overview The maintenance screens can help you view system information upload new firmware manage configuration and restart your Prestige 21 2 System Status Screen Click System Status to open the following screen where you can use to monitor your Prestige Note that these fields are READ ONLY and only for diagnostic purposes ...

Page 280: ...Prestige 652H HW Series User s Guide 21 2 Maintenance Figure 21 1 System Status The following table describes the fields in this screen ...

Page 281: ...t IP address IP Subnet Mask This is the WAN port IP subnet mask Default Gateway This is the IP address of the default gateway if applicable VPI VCI This is the Virtual Path Identifier and Virtual Channel Identifier that you entered in the first Wizard screen LAN Information MAC Address This is the MAC Media Access Control or Ethernet address unique to your Prestige IP Address This is the LAN port ...

Page 282: ...s Click Show Statistics to see the performance statistics such as number of packets sent and number of packets received for each port 21 2 1 System Statistics Click Show Statistics in the System Status screen to open the following screen Read only information here includes port status and packet specific statistics Also provided are system up time and poll interval s The Poll Interval s field is c...

Page 283: ... this displays the port speed and duplex setting if you re using Ethernet encapsulation and down line is down idle line ppp idle dial starting to trigger a call and drop dropping a call if you re using PPPoE encapsulation For a LAN port this shows the port speed and duplex setting TxPkts This field displays the number of packets transmitted on this port RxPkts This field displays the number of pac...

Page 284: ...it When configured as a server the Prestige provides the TCP IP configuration for the clients If set to None DHCP service will be disabled and you must have another DHCP server on your LAN or else the computer must be manually configured Click Maintenance and then DHCP Table Read only information here relates to your DHCP status The DHCP table shows current DHCP Client information including IP Add...

Page 285: ... address es of the wireless stations that are currently logged in to the network Click Wireless LAN under Maintenance and then Association List to open the screen shown next Figure 21 4 Association List The following table describes the fields in this screen Table 21 4 Association List LABEL DESCRIPTION This is the index number of an associated wireless station MAC Address This field displays the ...

Page 286: ...e table 21 4 2 Channel Usage Table This screen displays the state of the channels within the Prestige s transmission range Click Wireless LAN under Maintenance and then Channel Usage Table to open the screen shown next Figure 21 5 Channel Usage Table The following table describes the fields in this screen Table 21 5 Channel Usage Table LABEL DESCRIPTION Channel This is the index number of the chan...

Page 287: ...ithin the Prestige s transmission range Back Click Back to return to the previous screen Refresh Click Refresh to renew the information in the table 21 5 Diagnostic Screens These read only screens display information to help you identify problems with the Prestige 21 5 1 Diagnostic General Screen Click Diagnostic and then General to open the screen shown next Figure 21 6 Diagnostic General ...

Page 288: ...test a connection Ping Click this button to ping the IP address that you entered Reset System Click this button to reboot the Prestige A warning dialog box is then displayed asking you if you re sure you want to reboot the system Click OK to proceed Back Click this button to go back to the main Diagnostic screen 21 5 2 Diagnostic DSL Line Screen Click Diagnostic and then DSL Line to open the scree...

Page 289: ... is useful for troubleshooting problems with the DSLAM and ATM network Upstream Noise Margin Click this button to display the upstream noise margin Downstream Noise Margin Click this button to display the downstream noise margin Back Click this button to go back to the main Diagnostic screen 21 6 Firmware Screen Find firmware at www zyxel com in a file that usually uses the system model name with ...

Page 290: ...p files before you can upload them Upload Click Upload to begin the upload process This process may take up to two minutes Do not turn off the Prestige while firmware upload is in progress After you see the Firmware Upload in Process screen wait two minutes before logging into the Prestige again The Prestige automatically restarts in this time causing a temporary network disconnect In some operati...

Page 291: ...t The following screens are not available on all models 21 7 1 Backup Configuration Backup configuration allows you to back up save the Prestige s current configuration to a file on your computer Once your Prestige is configured and functioning properly it is highly recommended that you back up your configuration file before making configuration changes The backup configuration file will be useful...

Page 292: ... extension e g prestige rom The system reboots automatically after the file transfer is complete and uses the configured values in the file WARNING Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR Prestige When the Restore Configuration process is complete the Prestige will automatically restart Click Configuration and then Restore to display the screen shown next Fig...

Page 293: ...ige while configuration file upload is in progress After you see a configuration upload successful screen you must then wait one minute before logging into the Prestige again Figure 21 13 Configuration Upload Successful The Prestige automatically restarts in this time causing a temporary network disconnect In some operating systems you may see the following icon on your desktop Figure 21 14 Networ...

Page 294: ...d Error 21 7 3 Back to Factory Defaults Clicking the Reset button in this section clears all user entered configuration information and returns the Prestige to its factory defaults as shown on the screen This will erase all configurations that you have applied Click Configuration and then Default to display the screen shown next Figure 21 16 Back to Factory Default The following warning screen wil...

Page 295: ...Maintenance 21 17 Figure 21 17 Reset Warning Message You can also press the RESET button on the side panel to reset the factory defaults of your Prestige Refer to the Resetting the Prestige section for more information on the RESET button ...

Page 296: ......

Page 297: ... Management Terminal configuration for general setup WAN backup LAN setup wireless LAN setup Internet access remote node static route NAT and enabling the firewall See the web configurator parts of this guide for background information on features configurable by web configurator and SMT ...

Page 298: ......

Page 299: ...parity 8 data bits 1 stop bit data flow set to none 9600 bps port speed Press ENTER to display the SMT password screen The default password is 1234 22 1 2 Procedure for SMT Configuration via Telnet The following procedure details how to telnet into your Prestige Step 1 In Windows click Start usually in the bottom left corner Run and then type telnet 192 168 1 1 the default IP address and click OK ...

Page 300: ...log in your Prestige will automatically log you out Figure 22 1 Login Screen 22 1 4 Prestige SMT Menu Overview We use the Prestige 652H HW 31 SMT menus in this guide as an example The SMT menus vary slightly for different Prestige models The following figure gives you an overview of the various SMT menu screens of your Prestige Enter Password ...

Page 301: ... and Console port Speed Menu 24 10 Time and Date Setting Menu 26 Schedule Setup Menu 26 x Schedule Set Setup Menu 24 9 Call Control Menu 24 9 1 Budget Management Menu 24 11 Remote Management Menu 3 5 Wireless LAN Setup Menu 3 5 1 WLAN MAC Address Filter Menu 2 WAN Backup Setup Menu 3 2 1 IP Alias Setup Menu 23 1 Change Password Menu 23 2 RADIUS Server Menu 23 4 IEEE802 1X Menu 1 1 Configure Dynami...

Page 302: ... to the next field You can also use the UP DOWN arrow keys to move to the previous and the next field respectively Entering information Type in or press SPACE BAR then press ENTER You need to fill in two types of fields The first requires you to type in the appropriate information The second allows you to cycle through the available choices by pressing SPACE BAR Required fields or ChangeMe All fie...

Page 303: ...tic Routing Setup Use this menu to set up static routes 14 Dial in User Setup Use this menu to set up local user profiles on the Prestige 15 NAT Setup Use this menu to specify inside servers when NAT is enabled 21 Filter and Firewall Setup Use this menu to configure filters activate deactivate the firewall and view the firewall log 22 SNMP Configuration Use this menu to set up SNMP related paramet...

Page 304: ...sword Change the Prestige default password by following the steps shown next Step 1 Enter 23 in the main menu to display Menu 23 System Security Step 2 Enter 1 to display Menu 23 1 System Security Change Password as shown next Step 3 Type your existing system password in the Old Password field for example 1234 and press ENTER Figure 22 4 Menu 23 1 Change Password Step 4 Type your new system passwo...

Page 305: ...s 2000 click Start Settings Control Panel and then double click System Click the Network Identification tab and then the Properties button Note the entry for the Computer name field and enter it as the Prestige System Name In Windows XP click start My Computer View system information and then click the Computer Name tab Note the entry in the Full computer name field and enter it as the Prestige Sy...

Page 306: ...ave this field blank the ISP may assign a domain name via DHCP You can go to menu 24 8 and type sys domainname to see the current domain name used by your gateway If you want to clear this field just press the SPACE BAR The domain name entered by you is given priority over the ISP assigned domain name zyxel com tw Edit Dynamic DNS Press the SPACE BAR to select Yes or No default Select Yes to confi...

Page 307: ...lt Active Press SPACE BAR to select Yes and then press ENTER to make dynamic DNS active Yes Host Enter the domain name assigned to your Prestige by your Dynamic DNS provider me dyndns org EMAIL Enter your e mail address mail mailserver USER Enter your user name Password Enter the password assigned to you Enable Wildcard Your Prestige supports DYNDNS Wildcard Press SPACE BAR and then ENTER to selec...

Page 308: ......

Page 309: ...s 24 2 Dial Backup To set up the auxiliary port for use in the event that the regular WAN connection is dropped first make sure you have set up the port connection and the CON AUX switch to AUX on the Prestige and then configure 1 Menu 2 WAN Backup Setup 2 Menu 2 2 Dial Backup Setup 3 Menu 2 2 1 Advanced Dial Backup Setup 4 Menu 11 1 Remote Node Profile Backup ISP Refer also to the traffic redirec...

Page 310: ...address of a reliable nearby computer for example your ISP s DNS server address When using a WAN backup connection the Prestige periodically pings the addresses configured here and uses the other WAN backup connection if configured if there is no response KeepAlive Fail Tolerance Type the number of times 2 recommended that your Prestige may ping the IP addresses configured in the Check WAN IP Addr...

Page 311: ... press ENTER to configure Menu 2 1 Traffic Redirect Setup Select No default if you do not want to configure this feature Dial Backup Press SPACE BAR to select Yes or No Select Yes and press ENTER to configure Menu 2 2 Dial Backup Setup Select No default if you do not want to configure this feature When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your confi...

Page 312: ... Prestige uses The metric represents the cost of transmission A router determines the best route for transmission by choosing a path with the lowest cost RIP routing uses hop count as the measurement of cost with a minimum of 1 for directly connected networks The number must be between 1 and 15 a number greater than 15 means the link is down The smaller the number the lower the cost When you have ...

Page 313: ...Command String Init Enter the AT command string to initialize the WAN device Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands at fs0 0 Edit Advanced Setup To edit the advanced setup for the Dial Backup port move the cursor to this field press the SPACE BAR to select Yes and then press ENTER to go to Menu 2 2 1 Advanced Dial Backup Setup Yes When you...

Page 314: ...rings Dial Enter the AT Command string to make a call atdt Drop Enter the AT Command string to drop a call represents a one second wait e g ath can be used if your modem has a slow response time ath Answer Enter the AT Command string to answer a call ata Drop DTR When Hang Up Press the SPACE BAR to choose either Yes or No When Yes is selected the default the DTR Data Terminal Ready signal is dropp...

Page 315: ...seconds for the Prestige to keep trying to set up an outgoing call before timing out stopping The Prestige times out and stops if it cannot set up an outgoing call within the timeout value 60 seconds Retry Count Enter a number of times for the Prestige to retry a busy or no answer phone number before blacklisting the number 0 to disable the blacklist control Retry Interval sec Enter a number of se...

Page 316: ...n be up to eight characters LAoffice Active Press SPACE BAR and then ENTER to select Yes to enable the remote node or No to disable the remote node Yes Outgoing My Login Enter the login name assigned by your ISP for this remote node jim My Password Enter the password assigned by your ISP for this remote node Menu 11 1 Remote Node Profile Backup ISP Rem Node Name Edit PPP Options No Active Yes Rem ...

Page 317: ...mote Node PPP Options see section 24 7 No default Rem IP Addr Leave the field set to 0 0 0 0 if the remote gateway has a dynamic IP address Enter the remote gateway s IP address here if it is static 0 0 0 0 Edit IP This field leads to a hidden menu Press SPACE BAR to select Yes and press ENTER to go to Menu 11 3 Remote Node Network Layer Options See section 24 8 for more information No default Edi...

Page 318: ...n elapse before the Prestige automatically disconnects the PPP connection This option only applies when the Prestige initiates the call 100 seconds default Once you have configured this menu press ENTER at the message Press ENTER to Confirm to save your configuration or press ESC at any time to cancel 24 7 Editing PPP Options The Prestige s dial back up feature uses PPP To edit the remote node PPP...

Page 319: ...e Node Network Layer Options The following table describes the fields in this menu Table 24 7 Menu 11 3 Remote Node Network Layer Options FIELD DESCRIPTION EXAMPLE Rem IP Address Leave this field set to 0 0 0 0 to have the ISP or other remote router dynamically automatically send its IP address if you do not know it Enter the remote gateway s IP address here if you know it static 0 0 0 0 DEFAULT R...

Page 320: ...E BAR and then ENTER to select the RIP direction from Both None In Only Out Only and None Both default Version Press SPACE BAR and then ENTER to select the RIP version from RIP 1 RIP 2B RIP 2M RIP 1 Multicast IGMP Internet Group Multicast Protocol is a network layer protocol used to establish membership in a Multicast group The Prestige supports both IGMP version 1 IGMP v1 and version 2 IGMP v2 Pr...

Page 321: ... that the ordering of the sets is significant i e starting from set 1 the Prestige will wait until the Expect string is matched before it proceeds to set 2 and so on for the rest of the script When both the Expect and the Send fields of the current set are empty the Prestige will terminate the script processing and start PPP negotiation This implies two things first the sets must be contiguous the...

Page 322: ...s the string in the Send field Set 1 6 Send Enter a string to send out after the Expect string is matched 0 0 0 0 Once you have configured this menu press ENTER at the message Press ENTER to Confirm to save your configuration or press ESC at any time to cancel 24 10Remote Node Filter Move the cursor to the field Edit Filter Sets in Menu 11 1 Remote Node Profile Backup ISP and then press SPACE BAR ...

Page 323: ... to the Filters chapter for more information on defining the filters Figure 24 11 Menu 11 5 Dial Backup Remote Node Filter Menu 11 5 Remote Node Filter Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Enter here to CONFIRM or ESC to CANCEL Menu 11 1 Remote Node Profile Backup ISP Rem Node Name Edit PPP Options No Active Yes Rem IP Addr Edit IP No...

Page 324: ......

Page 325: ...n menu enter 3 to display menu 3 Figure 25 1 Menu 3 LAN Setup 25 1 1 General Ethernet Setup This menu allows you to specify filter set s that you wish to apply to the Ethernet traffic You seldom need to filter Ethernet traffic however the filter sets may be useful to block certain packets reduce traffic and prevent security breaches Menu 3 LAN Setup 1 LAN Port Filter Setup 2 TCP IP and DHCP Setup ...

Page 326: ...ned below For TCP IP Ethernet setup refer to the Internet Access Application chapter For bridging Ethernet setup refer to the Bridging Setup chapter 25 3 TCP IP Ethernet Setup and DHCP Use menu 3 2 to configure your Prestige for TCP IP To edit menu 3 2 enter 3 from the main menu to display Menu 3 LAN Setup When menu 3 appears press 2 and press ENTER to display Menu 3 2 TCP IP and DHCP Ethernet Set...

Page 327: ...ed to be set Server default Client IP Pool Starting Address This field specifies the first of the contiguous addresses in the IP address pool 192 168 1 33 Size of Client IP Pool This field specifies the size or count of the IP address pool 32 Primary DNS Server Secondary DNS Server Enter the IP addresses of the DNS servers The DNS servers are passed to the DHCP clients along with the IP address an...

Page 328: ...M RIP 1 default Multicast IGMP Internet Group Multicast Protocol is a network layer protocol used to establish membership in a Multicast group The Prestige supports both IGMP version 1 IGMP v1 and version 2 IGMP v2 Press the SPACE BAR to enable IP Multicasting or select None to disable it None default IP Policies Create policies using SMT menu 25 see the IP Policy Routing chapter and apply them on...

Page 329: ... Setup To setup port based VLAN enter 3 from the main menu to display Menu 3 LAN Setup When menu 3 appears press 6 and press ENTER to display Menu 3 6 Port Based VLAN Setup as shown next Figure 25 4 Menu 3 6 Port Based VLAN Setup Press SPACE BAR to select Yes and press ENTER to allow the port in the top row to communicate with the corresponding port on the left Otherwise press SPACE BAR to select ...

Page 330: ......

Page 331: ...Never insert or remove a wireless LAN card when the Prestige is turned on Step 2 Locate the slot labeled Wireless LAN on the Prestige Step 3 With its pin connector facing the slot and the LED side facing upwards slide the ZyAIR wireless LAN card into the slot Never force bend or twist the wireless LAN card into the slot Step 4 Turn on the Prestige The WLAN LED should turn on 26 3 Wireless LAN Setu...

Page 332: ...anning No Channel ID Press SPACE BAR to select a channel This allows you to set the operating frequency channel depending on your particular region CH01 2412MHz RTS Threshold RTS Request To Send threshold number of bytes enables RTS CTS handshake Data with its frame size larger than this value will perform the RTS CTS handshake Setting this attribute to be larger than the maximum MSDU MAC Service ...

Page 333: ...receded by 0x for each key 1 4 If you chose 128 bit WEP in the WEP Encryption field then enter 13 characters or 26 hexadecimal characters 0 9 A F preceded by 0x for each key 1 4 There are four data encryption keys to secure your data from eavesdropping by unauthorized wireless users The values for the keys must be set up exactly the same on the access points as they are on the wireless stations Ed...

Page 334: ...owed or denied access to the Prestige in these address fields When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the previous screen Menu 3 5 1 WLAN MAC Address Filter Active No Filter Action Allowed Association 1 00 00 00 00 00 00 13 00 00 00 00 00 00 25 00 00 00 00 00 00 2 00 00 00 0...

Page 335: ...Edit Roaming Configuration field Press SPACE BAR to select Yes and then press ENTER Menu 3 5 2 Roaming Configuration displays as shown next Figure 26 4 Menu 3 5 2 Roaming Configuration The following table describes the fields in this menu Menu 3 5 2 Roaming Configuration Active Yes Port 3517 Press ENTER to Confirm or ESC to Cancel Menu 3 5 Wireless LAN Setup ESSID Wireless Hide ESSID No Channel ID...

Page 336: ...have two or more Prestiges on the same subnet Port Type the port number to communicate roaming information between access points The port number must be the same on all access points Make sure this port is not used by other services When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to th...

Page 337: ...the policy defined by the network administrator Policy based routing is applied to incoming packets on a per interface basis prior to the normal routing Create policies using SMT menu 25 see IP Policy Routing and apply them on the Prestige LAN and or WAN interfaces using menus 3 2 LAN and 11 3 WAN 27 3 IP Alias IP Alias allows you to partition a physical network into different logical networks ove...

Page 338: ...e the second and third network Figure 27 3 Menu 3 2 TCP IP and DHCP Setup Pressing ENTER displays Menu 3 2 1 IP Alias Setup as shown next Menu 3 2 TCP IP and DHCP Setup DHCP Setup DHCP Server Client IP Pool Starting Addres 192 168 1 33 Size of Client IP Pool 32 Primary DNS Server 0 0 0 0 Secondary DNS Server 0 0 0 0 Remote DHCP Server N A TCP IP Setup IP Address 192 168 1 1 IP Subnet Mask 255 255 ...

Page 339: ...ices are None Both In Only or Out Only None Version Press SPACE BAR to select the RIP version Choices are RIP 1 RIP 2B or RIP 2M RIP 1 Incoming Protocol Filters Enter the filter set s you wish to apply to the incoming traffic between this node and the Prestige Outgoing Protocol Filters Enter the filter set s you wish to apply to the outgoing traffic between this node and the Prestige When you have...

Page 340: ...you configure your Prestige for Internet access you need to collect your Internet account information Use the Internet Account Information table in the Compact Guide to record your Internet account information Note that if you are using PPPoA or PPPoE encapsulation then the only ISP information you need is a login name and password You only need to know the Ethernet Encapsulation Gateway IP addres...

Page 341: ...th Identifier VPI assigned to you 8 VCI Enter the Virtual Channel Identifier VCI assigned to you 35 ATM QoS Type Press SPACE BAR and select CBR Continuous Bit Rate to specify fixed always on bandwidth Select UBR Unspecified Bit Rate for applications that are non time sensitive such as e mail Select VBR Variable Bit Rate for bursty traffic and bandwidth sharing with other applications UBR Peak Cell...

Page 342: ... address supplied by your ISP when you are using ENET ENCAP encapsulation N A Idle Timeout This value specifies the number of idle seconds that elapse before the Prestige automatically disconnects the PPPoE session 0 IP Address Assignment Press SPACE BAR to select Static or Dynamic address assignment Dynamic IP Address Enter the IP address supplied by your ISP if applicable N A Network Address Tra...

Page 343: ... Menu 5 DMZ Setup 28 2 DMZ Port Filter Setup This menu allows you to specify the filter sets that you wish to apply to your public server s traffic Figure 28 2 Menu 5 1 DMZ Port Filter Setup Menu 5 DMZ Setup 1 DMZ Port Filter Setup 2 TCP IP Setup Enter Menu Selection Number Menu 5 1 DMZ Port Filter Setup Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device f...

Page 344: ...e 28 4 Menu 5 2 TCP IP Setup The TCP IP setup fields are the same as the ones in Menu 3 2 TCP IP Ethernet Setup Each public server will need a unique IP address Refer to section 25 3 for information on how to configure these fields DMZ and LAN IP addresses must be on separate subnets You must also configure NAT for the DMZ port see the NAT chapter in menus 15 1 and 15 2 Menu 5 DMZ Setup 1 DMZ Port...

Page 345: ...configuring one of the remote nodes You first choose a remote node in Menu 11 Remote Node Setup You can then edit that node s profile in menu 11 1 as well as configure specific settings in three submenus edit IP and bridge options in menu 11 3 edit ATM options in menu 11 6 and edit filter sets in menu 11 5 29 2 Remote Node Setup This section describes the protocol independent parameters for a remo...

Page 346: ...N application Here are some examples of more suitable combinations in such an application Scenario 1 One VC Multiple Protocols PPPoA RFC 2364 encapsulation with VC based multiplexing is the best combination because no extra protocol identifying headers are needed The PPP protocol already contains this information Scenario 2 One VC One Protocol IP Selecting RFC 1483 encapsulation with VC based mult...

Page 347: ...d then the Rem Login Rem Password My Login My Password and Authen fields are not applicable N A ENET ENCAP Multiplexing Press SPACE BAR and then ENTER to select the method of multiplexing that your ISP uses either VC based or LLC based LLC based Service Name When using PPPoE encapsulation type the name of your PPPoE service here N A Incoming Menu 11 1 Remote Node Profile Rem Node Name ChangeMe Rou...

Page 348: ...en requested by this remote node CHAP accept CHAP Challenge Handshake Authentication Protocol only Authen PAP accept PAP Password Authentication Protocol only Route This field determines the protocol used in routing Options are IP and None IP Bridge When bridging is enabled your Prestige will forward any packet that it does not route to this remote node otherwise the packets are discarded Select Y...

Page 349: ...ions Edit Filter Sets Use SPACE BAR to choose Yes and press ENTER to open menu 11 5 to edit the filter sets See the Remote Node Filter section for more details No default Idle Timeout sec Type the number of seconds 0 9999 that can elapse when the Prestige is idle there is no traffic going to the remote node before the Prestige automatically disconnects the remote node 0 means that the session will...

Page 350: ...ons FIELD DESCRIPTION EXAMPLE IP Address Assignment Press SPACE BAR and then ENTER to select Dynamic if the remote node is using a dynamically assigned IP address or Static if it is using a static fixed IP address You will only be able to configure this in the ISP node also the one you configure in menu 4 all other nodes are set to Static Dynamic Rem IP Addr This is the IP address you entered in t...

Page 351: ...eld the SMT uses NAT server set 1 in menu 15 2 see the NAT chapter for details 2 Metric The metric represents the cost of transmission for routing purposes IP routing uses hop count as the cost measurement with a minimum of 1 for directly connected networks Type a number that approximates the cost for this link The number need not be precise but it must be between 1 and 15 In practice 2 or 3 is us...

Page 352: ...P addresses to help you understand the field of My WAN Addr in menu 11 3 Refer to the previous LAN and WAN IP Addresses figure in the web configurator chapter on LAN setup for a brief review of what a WAN IP is My WAN Addr indicates the local Prestige WAN IP 172 16 0 1 in the following figure while Rem IP Addr indicates the peer WAN IP 172 16 0 2 in the following figure Figure 29 4 Sample IP Addre...

Page 353: ... Figure 29 5 Menu 11 5 Remote Node Filter RFC 1483 or ENET Encapsulation Figure 29 6 Menu 11 5 Remote Node Filter PPPoA or PPPoE Encapsulation 29 5 Editing ATM Layer Options Follow the steps shown next to edit Menu 11 6 Remote Node ATM Layer Options In menu 11 1 move the cursor to the Edit ATM Options field and then press SPACE BAR to select Yes Press ENTER to display Menu 11 6 Remote Node ATM Lay...

Page 354: ...rotocols with protocol identifying information being contained in each packet header Figure 29 8 Menu 11 6 for LLC based Multiplexing or PPP Encapsulation Menu 11 6 Remote Node ATM Layer Options VPI VCI VC Multiplexing VC Options for IP VPI 8 VCI 35 ATM QoS Type UBR Peak Cell Rate PCR 0 Sustain Cell Rate SCR 0 Maximum Burst Size MBS 0 VC Options for Bridge VPI 1 VCI 36 ATM QoS Type N A Peak Cell R...

Page 355: ...R to display Menu 11 8 Advance Setup Options Figure 29 10 Menu 11 8 Advance Setup Options The following table describes the fields in this menu Menu 11 8 Advance Setup Options PPPoE PPPoE_Client_PC No Press ENTER to Confirm or ESC to Cancel Menu 11 1 Remote Node Profile Rem Node Name MyISP Route IP Active Yes Bridge No Encapsulation PPPoE Edit IP Bridge No Multiplexing LLC based Edit ATM Options N...

Page 356: ...heir computers to connect to the ISP via the Prestige Each host can have a separate account and a public WAN IP address PPPoE pass through is an alternative to NAT for applications where NAT is not appropriate Press SPACE BAR to select No and press ENTER to disable PPPoE pass through if you do not need to allow hosts on the LAN to use PPPoE client software on their computers to connect to the ISP ...

Page 357: ...t is directly connected to a remote node Each remote node specifies only the network to which the gateway is directly connected and the Prestige has no knowledge of the networks beyond For instance the Prestige knows about network N2 in the following figure through remote node Router 1 However the Prestige is unable to route a packet to network N3 because it does not know that there is a route thr...

Page 358: ...e Setup shown next Figure 30 3 Menu 12 1 IP Static Route Setup Step 3 Now type the route number of a static route you want to configure Menu 12 1 IP Static Route Setup 1 ________ 2 ________ 3 ________ 4 ________ 5 ________ 6 ________ 7 ________ 8 ________ 9 ________ 10 ________ 11 ________ 12 ________ 13 ________ 14 ________ 15 ________ 16 ________ Enter selection number Menu 12 Static Route Setup...

Page 359: ...be identical to the host ID IP Subnet Mask Type the subnet mask for this destination Follow the discussion on IP Subnet Mask in this manual Gateway IP Address Type the IP address of the gateway The gateway is an immediate neighbor of your Prestige that will forward the packet to the destination On the LAN the gateway must be a router on the same segment as your Prestige over WAN the gateway must b...

Page 360: ...o this remote node in its RIP broadcasts If set to Yes this route is kept private and is not included in RIP broadcasts If No the route to this remote node will be propagated to other hosts through RIP broadcasts When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the previous screen ...

Page 361: ...ocol and it also demands more CPU cycles and memory For efficiency reasons do not turn on bridging unless you need to support protocols other than IP on your network For IP enable the routing if you need it do not bridge what the Prestige can route 31 2 Bridge Ethernet Setup Basically all non local packets are bridged to the WAN Your Prestige does not support IPX 31 2 1 Remote Node Bridging Setup ...

Page 362: ...Mask 0 0 0 0 My WAN Addr 0 0 0 0 NAT Full Feature Address Mapping Set 2 Metric 2 Private No RIP Direction Both Version RIP 2B Multicast IGMP v2 IP Policies Press ENTER to Confirm or ESC to Cancel Menu 11 1 Remote Node Profile Rem Node Name Route IP Active Yes Bridge Yes Encapsulation ENET ENCAP Edit IP Bridge No Multiplexing VC based Edit ATM Options No Service Name N A Edit Advance Options N A In...

Page 363: ...R to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the previous screen 31 2 2 Bridge Static Route Setup Similar to network layer static routes a bridging static route tells the Prestige the route to a node before a connection is established You configure bridge static routes in menu 12 3 1 go to menu 12 choose option 3 then choose a static route to edit ...

Page 364: ...puter that you want to bridge the packets to IP Address If available type the IP address of the destination computer that you want to bridge the packets to Gateway Node Press SPACE BAR and then ENTER to select the number of the remote node one to eight that is the gateway of this static route When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to sav...

Page 365: ... mapping Many to One and Server See section 32 3 1 for a detailed description of the NAT set for SUA The Prestige also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types 1 Choose SUA Only if you have just one public WAN IP address for your Prestige 2 Choose Full Feature if you have multiple public WAN IP addr...

Page 366: ...ove the cursor to the Edit IP Bridge field press SPACE BAR to select Yes and then press ENTER to bring up Menu 11 3 Remote Node Network Layer Options Menu 4 Internet Access Setup ISP s Name MyISP Encapsulation RFC 1483 Multiplexing LLC based VPI 8 VCI 35 ATM QoS Type UBR Peak Cell Rate PCR 0 Sustain Cell Rate SCR 0 Maximum Burst Size MBS 0 My Login N A My Password N A ENET ENCAP Gateway N A IP Add...

Page 367: ...SUA Only 32 3 NAT Setup Use the address mapping sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN and the DMZ Set 255 is used for SUA When you select Full Feature in menu 4 or 11 3 the SMT will use Set 1 When you select SUA Only the SMT will use the pre configured Set 255 read only The server set is a list of LAN and DMZ servers mapped to e...

Page 368: ...ets Enter 1 to bring up Menu 15 1 Address Mapping Sets Figure 32 4 Menu 15 1 Address Mapping Sets SUA Address Mapping Set Enter 255 to display the next screen see also section 32 1 1 The fields in this menu cannot be changed Menu 15 1 Address Mapping Sets 1 ACL Default Set 2 3 4 5 6 7 8 255 SUA read only Enter Menu Selection Number Enter Menu Selection Number Menu 15 NAT Setup 1 Address Mapping Se...

Page 369: ...ding local IP address ILA If the rule is for all local IPs then the Start IP is 0 0 0 0 and the End IP is 255 255 255 255 255 255 255 255 Global Start IP This is the starting global IP address IGA If you have a dynamic IP enter 0 0 0 0 as the Global Start IP 0 0 0 0 Global End IP This is the ending global IP address IGA Type These are the mapping types Server allows us to specify multiple servers ...

Page 370: ...e in the Set Name field means that this is a required field and you must enter a name for the set Figure 32 6 Menu 15 1 1 First Set If the Set Name field is left blank the entire set will be deleted The Type Local and Global Start End IPs are configured in menu 15 1 1 1 described later and the values are displayed here Ordering Your Rules Ordering your rules is important because the Prestige appli...

Page 371: ...ing field Insert Before means to insert a rule before the rule selected The rules after the selected rule will then be moved down by one rule Delete means to delete the selected rule and then all the rules after the selected one will be advanced one rule None disables the Select Rule item Edit Select Rule When you choose Edit Insert Before or Delete in the previous field the cursor jumps to this f...

Page 372: ...al IP fields MUST be set for Server Start This is the starting local IP address ILA 0 0 0 0 End This is the ending local IP address ILA If the rule is for all local IPs then put the Start IP as 0 0 0 0 and the End IP as 255 255 255 255 This field is N A for One to One and Server types N A Global IP Start This is the starting inside global IP address IGA If you have a dynamic IP enter 0 0 0 0 as th...

Page 373: ...or press ESC to cancel and go back to the previous screen 32 4 Configuring a Server behind NAT Follow these steps to configure a server behind NAT Step 4 Enter 15 in the main menu to go to Menu 15 NAT Setup Step 5 Enter 2 to display Menu 15 2 NAT Server Sets as shown next Figure 32 8 Menu 15 2 NAT Server Setup Step 6 Enter 1 to go to Menu 15 2 1 NAT Server Setup as follows Menu 15 2 NAT Server Set...

Page 374: ...ld In the following figure you have a computer acting as an FTP Telnet and SMTP server ports 21 23 and 25 at 192 168 1 33 Step 9 Press ENTER at the Press ENTER to confirm prompt to save your configuration after you define all the servers or press ESC at any time to cancel Menu 15 2 1 NAT Server Setup Rule Start Port No End Port No IP Address 1 Default Default 0 0 0 0 2 21 25 192 168 1 33 3 0 0 0 0...

Page 375: ...l NAT Examples The following are some examples of NAT configuration 32 5 1 Example 1 Internet Access Only In the following Internet access example you only need one rule where your ILAs Inside Local addresses all map to one dynamic IGA Inside Global Address assigned by your ISP Figure 32 11 NAT Example 1 ...

Page 376: ... an Inside Server Figure 32 13 NAT Example 2 In this case you do exactly as above use the convenient pre configured SUA Only set and also go to menu 15 2 to specify the Inside Server behind the NAT as shown in the next figure Menu 4 Internet Access Setup ISP s Name MyISP Encapsulation RFC 1483 Multiplexing LLC based VPI 8 VCI 35 ATM QoS Type UBR Peak Cell Rate PCR 0 Sustain Cell Rate SCR 0 Maximum...

Page 377: ...e first inside FTP server for FTP traffic in both directions 1 1 mapping giving both local and global IP addresses Rule 2 Map the second IGA to our second inside FTP server for FTP traffic in both directions 1 1 mapping giving both local and global IP addresses Rule 3 Map the other outgoing LAN traffic to IGA3 Many 1 mapping Rule 4 You also map your third IGA to the web server and mail server on t...

Page 378: ...er 1 to configure the Address Mapping Sets Step 4 Enter 1 to begin configuring this new set Enter a Set Name choose the Edit Action and then enter 1 for the Select Rule field Press ENTER to confirm Step 5 Select Type as One to One direct mapping for packets going both ways and enter the local Start IP as 192 168 1 10 the IP address of FTP Server 1 the global Start IP as 10 132 50 1 our first IGA S...

Page 379: ... Start 10 132 50 1 End N A Server Mapping Set N A Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Menu 11 3 Remote Node Network Layer Options IP Options Bridge Options IP Address Assignment Static Ethernet Addr Timeout min 0 Rem IP Addr 0 0 0 0 Rem Subnet Mask 0 0 0 0 My WAN Addr 0 0 0 0 NAT Full Feature Address Mapping Set 2 Metric 2 Private No RIP Direction Both Version RIP 2B ...

Page 380: ... NAT Setup Step 10 Enter 1 in Menu 15 2 NAT Server Sets to see the following menu Configure it as shown Menu 15 1 1 Address Mapping Rules Set Name Example3 Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 192 168 1 10 10 132 50 1 1 1 2 192 168 1 11 10 132 50 2 1 1 3 0 0 0 0 255 255 255 255 10 132 50 3 M 1 4 10 132 50 3 Server 5 6 7 8 9 10 Action Edit Select Rule Press ENTER to ...

Page 381: ...ing as port numbers do not change for Many to Many No Overload and One to One NAT mapping types The following figure illustrates this Figure 32 19 NAT Example 4 Menu 15 2 1 NAT Server Setup Rule Start Port No End Port No IP Address 1 Default Default 0 0 0 0 2 80 80 192 168 1 21 3 25 25 192 168 1 20 4 0 0 0 0 0 0 5 0 0 0 0 0 0 6 0 0 0 0 0 0 7 0 0 0 0 0 0 8 0 0 0 0 0 0 9 0 0 0 0 0 0 10 0 0 0 0 0 0 1...

Page 382: ...u ve configured your rule you should be able to check the settings in menu 15 1 1 as shown next Figure 32 21 Example 4 Menu 15 1 1 Address Mapping Rules Menu 15 1 1 1 Address Mapping Rule Type Many to Many No Overload Local IP Start 192 168 1 10 End 192 168 1 12 Global IP Start 10 132 50 1 End 10 132 50 3 Server Mapping Set N A Press ENTER to Confirm or ESC to Cancel Menu 15 1 1 Address Mapping Ru...

Page 383: ...r the most comprehensive firewall configuration tool your Prestige has to offer For this reason it is recommended that you configure your firewall using the web configurator see the following chapters for instructions SMT screens allow you to activate the firewall and view firewall logs 33 3 Enabling the Firewall From the main menu enter 21 to go to Menu 21 Filter Set and Firewall Configuration to...

Page 384: ...attacks when it is active The default Policy sets 1 allow all sessions originating from the LAN to the WAN and 2 deny all sessions originating from the WAN to the LAN You may define additional Policy rules or modify existing ones but please exercise extreme caution in doing so Active Yes LAN to WAN Set Name ACL Default Set WAN to LAN Set Name ACL Default Set Please configure the Firewall function ...

Page 385: ...NMP system security system information and diagnosis firmware and configuration file maintenance system maintenance remote management IP Policy Routing and call scheduling See the web configurator parts of this guide for background information on features configurable by web configurator and SMT ...

Page 386: ......

Page 387: ... are divided into incoming and outgoing filters depending on the direction of the packet relative to a port Data filtering can be applied on either the WAN side or the Ethernet side Call filtering is used to determine if a packet should be allowed to trigger a call Outgoing packets must undergo data filtering before they encounter call filtering Call filters are divided into two groups the built i...

Page 388: ...figures that follow The following figure illustrates the logic flow when executing a filter rule Data Outgoing Packet Drop packet Built in default Call Filters User defined Call Filters if applicable Initiate call if line not up Active Data Send packet and reset Idle Timer Or Or Drop packet if line not up Drop packet if line not up Send packet but do not reset Idle Timer Send packet but do not res...

Page 389: ...able Fetch Next Filter Set Next Filter Set Available Accept Packet Drop Packet Yes No Yes No Yes Packet intoFilter Filter Set Forward Drop No Check Next Rule Figure 34 2 Filter Rule Process You can apply up to four filter sets to a particular port to block various types of packets Because each filter set can have up to six rules you can have a maximum of 24 rules active for a single port ...

Page 390: ... Step 1 Enter 21 in the main menu to display Menu 21 Filter and Firewall Setup Step 2 Enter 1 to display Menu 21 1 Filter Set Configuration as shown next Figure 34 3 Menu 21 Filter Set Configuration Step 3 Type the filter set to configure no 1 to 12 and press ENTER Step 4 Type a descriptive name or comment in the Edit Comments field and press ENTER Step 5 Press ENTER at the message Press ENTER to ...

Page 391: ...0 0 0 DA 0 0 0 0 DP 139 N D N 4 Y IP Pr 17 SA 0 0 0 0 DA 0 0 0 0 DP 137 N D N 5 Y IP Pr 17 SA 0 0 0 0 DA 0 0 0 0 DP 138 N D N 6 Y IP Pr 17 SA 0 0 0 0 DA 0 0 0 0 DP 139 N D F Enter Filter Rule Number 1 6 to Configure Menu 21 1 3 Filter Rules Summary A Type Filter Rules M m n 1 Y IP Pr 17 SA 0 0 0 0 SP 137 DA 0 0 0 0 DP 53 N D F 2 N 3 N 4 N 5 N 6 N Enter Filter Rule Number 1 6 to Configure Menu 21 1...

Page 392: ...taken until the rule chain is complete N means there are no more rules to check You can specify an action to be taken for instance forward the packet drop the packet or check the next rule For the latter the next rule is independent of the rule just checked m Action Matched F means to forward the packet immediately and skip checking the remaining rules D means to drop the packet N means to check t...

Page 393: ...To speed up filtering all rules in a filter set must be of the same class for instance protocol filters or generic filters The class of a filter set is determined by the first rule that you create When applying the filter sets to a port separate menu fields are provided for protocol and device filter sets If you include a protocol filter set in a device filters field or vice versa the Prestige wil...

Page 394: ... filter rule No default IP Protocol This is the upper layer protocol for example TCP is 6 UDP is 17 and ICMP is 1 The value must be between 0 and 255 A value of O matches ANY protocol 0 to 255 IP Source Route IP Source Route is an optional header that dictates the route an IP packet takes from its source to its destination If Yes the rule applies to any packet with an IP source route The majority ...

Page 395: ...eld IP mask Port Type the source port of the packets you want to filter The range of this field is 0 to 65535 A 0 field is ignored 0 to 65535 Port Comp Select the comparison to apply to the source port in the packet against the value given in Source Port field Choices are None Less Greater Equal or Not Equal None TCP Estab This applies only when the IP Protocol field is 6 TCP If Yes the rule match...

Page 396: ...rd or Drop Check Next Rule default Action Not Matched Select the action for a packet not matching the rule Choices are Check Next Rule Forward or Drop Check Next Rule default When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the previous screen The following figure illustrates the log...

Page 397: ...ter Active Check IP Protocol Drop Drop Packet Accept Packet Drop Forward Check Next Rule Check Next Rule Check Next Rule Forward Not Matched Yes No Check Src IP Addr Apply SrcAddrMask to Src Addr Matched Check Dest IP Addr Apply DestAddrMask to Dest Addr Not Matched Not Matched Check Src Dest Port Matched Not Matched Figure 34 8 Executing an IP Filter ...

Page 398: ...Mask and Value fields are specified in hexadecimal numbers Note that it takes two hexadecimal digits to represent a byte so if the length is 4 the value in either field will take 8 digits for example FFFFFFFF To configure a generic rule select an empty filter set in menu 21 for example 5 Select Generic Filter Rule in the Filter Type field and press ENTER to open Menu 21 1 5 1 Generic Filter Rule a...

Page 399: ...ly to the data portion before comparison Value Type the value in Hexadecimal to compare with the data portion More If Yes a matching packet is passed to the next filter rule before an action is taken or else the packet is disposed of according to the action fields If More is Yes then Action Matched and Action Not Matched will be N A No default Log Select the logging option from the following None ...

Page 400: ... the exact address and port on the wire Therefore the Prestige applies the protocol filters to the native IP address and port number before NAT for outgoing packets and after NAT for incoming packets On the other hand the generic or device filters are applied to the raw packets that appear on the wire They are applied at the point where the Prestige is receiving and sending the packets for instanc...

Page 401: ...e Telnet Filter Step 1 Enter 1 in the menu 21 to display Menu 21 1 Filter Set Configuration Step 2 Enter the index number of the filter set you want to configure in this case 6 Step 3 Type a descriptive name or comment in the Edit Comments field for example TELNET_WAN and press ENTER ...

Page 402: ... Mask 0 0 0 0 Port Port Comp Equal TCP Estab No More No Log None Action Matched Drop Action Not Matched Forward Press ENTER to Confirm or ESC to Cancel Press SPACE BAR to choose this filter rule type The first filter rule type determines all subsequent filter types within a set Select Yes to make the rule active 6 is the TCP protocol The port number for the telnet service TCP protocol is 23 See RF...

Page 403: ...tion shows you where to apply the filter s after you design it them Sets of factory default filter rules have been configured in menu 21 but have not been applied to filter traffic Menu 21 1 6 Filter Rules Summary A Type Filter Rules M m n 1 Y IP Pr 6 SA 0 0 0 0 DA 0 0 0 0 DP 23 N D F 2 N 3 N 4 N 5 N 6 N Enter Filter Rule Number 1 6 to Configure 1 M N means an action can be taken immediately The a...

Page 404: ...you want to apply as appropriate You can choose up to four filter sets from twelve by typing their numbers separated by commas for example 3 4 6 11 The factory default filter set NetBIOS_LAN is inserted in the protocol filters field under Input Filter Sets in menu 3 1 in order to prevent local NetBIOS messages from triggering calls to the DNS server Figure 34 14 Filtering Ethernet Traffic 34 7 2 R...

Page 405: ... PPPoA or PPPoE encapsulation Menu 11 5 Remote Node Filter Input Filter Sets protocol filters 6 device filters Output Filter Sets protocol filters 2 device filters Call Filter Sets Protocol filters Device filters Enter here to CONFIRM or ESC to CANCEL Apply filter 6 to block Tel FTP and Web traffic from the WAN Apply filter 2 to block NETBIOS traffic to the WAN ...

Page 406: ......

Page 407: ...ces SNMP is a member of the TCP IP protocol suite Your Prestige supports SNMP agent functionality which allows a manager station to manage and monitor the Prestige through the network The Prestige supports SNMP version one SNMPv1 and version two c SNMPv2c The next figure illustrates an SNMP management operation SNMP is only available if TCP IP is configured Figure 35 1 SNMP Management Model An SNM...

Page 408: ...response protocol based on the manager agent model The manager issues a request and the agent returns responses using the following protocol operations Get Allows the manager to retrieve an object variable from the agent GetNext Allows the manager to retrieve the next object variable from a table or list within an agent In SNMPv1 when a manager wants to retrieve all elements of a table from an age...

Page 409: ...ur Prestige will only respond to SNMP messages from this address A blank default field means your Prestige will respond to all SNMP messages it receives regardless of source 0 0 0 0 Trap Community Type the trap community which is the password sent with each trap to the SNMP manager public Destination Type the IP address of the station to send your SNMP traps to 0 0 0 0 When you have completed this...

Page 410: ...fined in RFC 1215 A trap is sent with the port number 5 authenticationFailure defined in RFC 1215 A trap is sent to the manager when receiving any SNMP gets or sets requirements with wrong community password 6 whyReboot defined in ZYXEL MIB A trap is sent with the reason of restart before rebooting when the system is going to restart warm start 6a For intentional reboot A trap is sent with the mes...

Page 411: ... you forget your password you have to restore the default configuration file Refer to the section on changing the system password in the Introducing the SMT chapter and the section on resetting the Prestige in the Introducing the Web Configurator chapter Figure 36 1 Menu 23 System Security 36 1 2 Configuring External RADIUS Server From Menu 23 System Security enter 2 to display Menu 23 2 System Se...

Page 412: ...ministrator instructs you to do so with additional information 1812 Shared Secret Specify a password up to 31 alphanumeric characters as the key to be shared between the external authentication server and the access points The key is not sent over the network This key must be the same on the external authentication server and Prestige Accounting Server Active Press SPACE BAR to select Yes and pres...

Page 413: ...nting server and Prestige When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the previous screen 36 1 3 IEEE802 1x The IEEE802 1x standards outline enhanced security methods for both the authentication of wireless stations and encryption key management The WPA function is not available...

Page 414: ...he wired network The following fields are not available when you select No Authentication Required or No Access Allowed ReAuthentica tion Timer in second Specify how often a client has to re enter username and password to stay connected to the wired network This field is activated only when you select Authentication Required in the Wireless Port Control field Enter a time interval between 10 and 9...

Page 415: ... Key Exchange This field is not available when you set Key Management Protocol to WPA or WPA PSK PSK Type a pre shared key from 8 to 63 case sensitive ASCII characters including spaces and symbols when you select WPA PSK in the Key Management Protocol field WPA Mixed Mode Select Enable to activate WPA mixed mode Otherwise select Disable and configure Group Data Privacy field Data Privacy for Broad...

Page 416: ... the user database on the Prestige for a wireless station s username and password If the user name is not found the Prestige then checks the user database on the specified RADIUS server Select RADIUS first then Local to have the Prestige first check the user database on the specified RADIUS server for a wireless station s username and password If the Prestige cannot reach the RADIUS server the Pre...

Page 417: ...ters long for this user profile When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the previous screen Menu 14 Dial in User Setup 1 ________ 9 ________ 17 ________ 25 ________ 2 ________ 10 ________ 18 ________ 26 ________ 3 ________ 11 ________ 19 ________ 27 ________ 4 ________ 12 __...

Page 418: ......

Page 419: ...em Status is a tool that can be used to monitor your Prestige Specifically it gives you information on your ADSL telephone line status number of packets sent and received To get to System Status type 24 to go to Menu 24 System Maintenance From this menu type 1 System Status There are two commands in Menu 24 1 System Maintenance Status Entering 1 resets the counters ESC takes you back to the previo...

Page 420: ...in bytes per second Rx B s This shows the receiving rate in bytes per second Up Time This is the time this channel has been connected to the current remote node My WAN IP from ISP This is the IP address of the ISP remote node Ethernet This shows statistics for the LAN Status This shows the current status of the LAN Menu 24 1 System Maintenance Status 02 07 37 Sat Jan 01 2000 Node Lnk Status TxPkts...

Page 421: ...his shows the upstream transfer rate in kbps Downstream Speed This shows the downstream transfer rate in kbps CPU Load This specifies the percentage of CPU utilization 37 2 System Information To get to the System Information Step 3 Enter 24 to display Menu 24 System Maintenance Step 4 Enter 2 to display Menu 24 2 System Information Step 5 From this menu you have two choices as shown in the next fi...

Page 422: ... Vendor Displays the vendor of the ADSL chipset and DSL version Standard This refers to the operational protocol the Prestige and the DSLAM Digital Subscriber Line Access Multiplexer are using LAN Ethernet Address Refers to the Ethernet MAC Media Access Control of your Prestige IP Address This is the IP address of the Prestige in dotted decimal notation IP Mask This shows the subnet mask of the Pr...

Page 423: ... to the Prestige 37 3 Log and Trace There are two logging facilities in the Prestige The first is the error logs and trace records that are stored locally The second is the UNIX syslog facility for message logging 37 3 1 Viewing Error Log The first place you should look for clues when something goes wrong is the error log Follow the procedures to view the local error trace log Step 1 Type 24 in th...

Page 424: ...rm or ESC to Cancel Press Space Bar to Toggle 48 Sat Jan 01 00 00 02 2000 PP09 WARN SNMP TRAP 3 link up 49 Sat Jan 01 00 00 02 2000 PP10 WARN Last errorlog repeat 2 Times 50 Sat Jan 01 00 00 02 2000 PP10 INFO LAN promiscuous mode 0 51 Sat Jan 01 00 00 02 2000 PP10 INFO LAN promiscuous mode 1 52 Sat Jan 01 00 00 02 2000 PP10 INFO LAN promiscuous mode 0 53 Sat Jan 01 00 00 02 2000 PP10 INFO Last err...

Page 425: ...nel Connected L2TP C02 OutCall Connected xxxx connected speed xxxxx Remote Call ID C02 CLID call refused L02 Call Terminated C02 Call Terminated Jul 19 11 19 27 192 168 102 2 ZYXEL board 0 line 0 channel 0 call 1 C01 Outgoing Call dev 2 ch 0 40002 Jul 19 11 19 32 192 168 102 2 ZYXEL board 0 line 0 channel 0 call 1 C02 OutCall Connected 64000 40002 Jul 19 11 20 06 192 168 102 2 ZYXEL board 0 line 0...

Page 426: ... ppp IPCP Closing Jul 19 11 42 54 192 168 102 2 ZYXEL ppp CCP Closing 37 4 Diagnostic The diagnostic facility allows you to test the different aspects of your Prestige to determine if it is working properly Menu 24 4 allows you to choose among various types of diagnostic tests to evaluate your system as shown in the following figure Follow the procedure next to get to Diagnostic Step 1 From the ma...

Page 427: ...c FIELD DESCRIPTION Ping Host Ping the host to see if the links and TCP IP protocol on both systems are working Reboot System Reboot the Prestige Command Mode Type the mode to test and diagnose your Prestige using specified commands Host IP Address If you typed 12 to Ping Host now type the address of the computer you want to ping ...

Page 428: ......

Page 429: ...Refer to the label on the bottom of your Prestige ftp put firmware bin ras This is a sample FTP session showing the transfer of the computer file firmware bin to the Prestige ftp get rom 0 config cfg This is a sample FTP session saving the current configuration to the computer file config cfg If your T FTP client does not allow you to have a destination filename different than the source you will ...

Page 430: ...d upload files in menus 24 5 24 6 24 7 1 and 24 7 2 depending on whether you use the console port or Telnet Option 5 from Menu 24 System Maintenance allows you to backup the current Prestige configuration to your computer Backup is highly recommended once your Prestige is functioning properly FTP is the preferred methods for backing up your current configuration to your computer since they are fas...

Page 431: ...ration file on the Prestige to your computer and renames it config rom See earlier in this chapter for more information on filename conventions Step 7 Enter quit to exit the ftp prompt 38 2 3 Example of FTP Commands from the Command Line Menu 24 5 System Maintenance Backup Configuration To transfer the configuration file to your workstation follow the procedure below 1 Launch the FTP client on you...

Page 432: ...res a unique User ID and Password to login Transfer Type Transfer files in either ASCII plain text format or in binary mode Configuration and firmware files should be transferred in binary mode Initial Remote Directory Specify the default remote directory path Initial Local Directory Specify the default local directory path 38 2 5 TFTP and FTP over WAN Management Limitations TFTP FTP and Telnet ov...

Page 433: ...ys stdio 0 to disable the SMT timeout so the TFTP transfer will not be interrupted Enter command sys stdio 5 to restore the five minute SMT timeout default when the file transfer is complete Step 4 Launch the TFTP client on your computer and connect to the Prestige Set the transfer mode to binary before starting data transfer Step 5 Use the TFTP client see the example below to transfer files betwe...

Page 434: ...estige The filename for the firmware is ras and for the configuration file is rom 0 Binary Transfer the file in binary mode Abort Stop transfer of the file Refer to section 38 2 5 to read about configurations that disallow TFTP and FTP over WAN 38 2 9 Backup Via Console Port Back up configuration via console port by following the HyperTerminal procedure shown next Procedures using other serial com...

Page 435: ...o restore a previously saved configuration Note that this function erases the current configuration before restoring a previous back up configuration please do not attempt to restore unless you have a backup configuration file stored on disk FTP is the preferred method for restoring your current computer configuration to your Prestige since FTP is faster Please note that you must wait for the syst...

Page 436: ...n file config rom on your computer to the Prestige See earlier in this chapter for more information on filename conventions Step 8 Enter quit to exit the ftp prompt The Prestige will automatically restart after a successful restore process Menu 24 6 System Maintenance Restore Configuration To transfer the firmware and configuration file to your workstation follow the procedure below 1 Launch the F...

Page 437: ...isplay menu 24 6 and enter y at the following screen Figure 38 9 System Maintenance Restore Configuration Step 2 The following screen indicates that the Xmodem download has started Figure 38 10 System Maintenance Starting Xmodem Download Screen Step 3 Run the HyperTerminal program by clicking Transfer then Send File as shown in the following screen ftp put config rom rom 0 200 Port command okay 15...

Page 438: ... the previous Restore Configuration section or by following the instructions in Menu 24 7 2 System Maintenance Upload System Configuration File for console port WARNING DO NOT INTERRUPT THE FILE TRANSFER PROCESS AS THIS MAY PERMANENTLY DAMAGE YOUR PRESTIGE 38 4 1 Firmware File Upload FTP is the preferred method for uploading the firmware and configuration To use this feature your computer must hav...

Page 439: ...y after the upload system configuration file process is complete For details on FTP commands please consult the documentation of your FTP client program For details on uploading system firmware using TFTP note that you must remain on this menu to upload system firmware using TFTP please see your manual Press ENTER to Exit Menu 24 7 1 System Maintenance Upload System Firmware To upload the system f...

Page 440: ... the configuration file on the Prestige to your computer and renames it config rom See earlier in this chapter for more information on filename conventions Step 7 Enter quit to exit the ftp prompt The Prestige automatically restarts after a successful file upload 38 4 4 FTP Session Example of Firmware File Upload Figure 38 15 FTP Session Example of Firmware File Upload More commands found in GUI b...

Page 441: ...e active and the Prestige in CI mode before and during the TFTP transfer For details on TFTP commands see following example please consult the documentation of your TFTP client program For UNIX use get to transfer from the Prestige to the computer put the other way around and binary to set binary transfer mode 38 4 6 TFTP Upload Command Example The following is an example TFTP command tftp i host ...

Page 442: ...s should be similar 38 4 9 Example Xmodem Firmware Upload Using HyperTerminal Click Transfer then Send File to display the following screen Figure 38 17 Example Xmodem Upload After the configuration upload process has completed restart the Prestige by entering atgo Menu 24 7 1 System Maintenance Upload System Firmware To upload system firmware 1 Enter y at the prompt below to go into debug mode 2 ...

Page 443: ...ige 38 4 11 Example Xmodem Configuration Upload Using HyperTerminal Click Transfer then Send File to display the following screen Menu 24 7 2 System Maintenance Upload System Configuration File To upload system configuration file 1 Enter y at the prompt below to go into debug mode 2 Enter atlc after Enter Debug Mode message 3 Wait for Starting XMODEM upload message before activating Xmodem upload ...

Page 444: ...ration File Maintenance Figure 38 19 Example Xmodem Upload After the configuration upload process has completed restart the Prestige by entering atgo Type the configuration file s location or click Browse to search for it Choose the Xmodem protocol Then click Send ...

Page 445: ...24 8 See the included disk or the zyxel com web site for more detailed information on CI commands Enter 8 from Menu 24 System Maintenance A list of valid commands can be found by typing help or at the command prompt Type exit to return to the SMT main menu when finished Figure 39 1 Command Mode in Menu 24 Menu 24 System Maintenance 1 System Status 2 System Information and Console Port Speed 3 Log ...

Page 446: ... will be blocked To access the call control menu select option 9 in menu 24 to go to Menu 24 9 System Maintenance Call Control as shown in the next table Figure 39 3 Menu 24 9 System Maintenance Call Control 39 2 1 Budget Management Menu 24 9 1 shows the budget management statistics for outgoing calls Enter 1 from Menu 24 9 System Maintenance Call Control to bring up the following menu Menu 24 9 S...

Page 447: ...n is selected Table 39 1 Menu 24 9 1 System Maintenance Budget Management FIELD DESCRIPTION EXAMPLE Remote Node Enter the index number of the remote node you want to reset just one in this case 1 Connection Time Total Budget This is the total connection time that has gone by within the allocated budget that you set in menu 11 1 5 10 means that 5 minutes out of a total allocation of 10 minutes have...

Page 448: ...ance Time and Date Setting to update the time and date settings of your Prestige as shown in the following screen Figure 39 6 Menu 24 10 System Maintenance Time and Date Setting Menu 24 10 System Maintenance Time and Date Setting Use Time Server when Bootup None Time Server Address N A Current Time 00 00 00 New Time hh mm ss 11 23 16 Current Date 2000 01 01 New Date yyyy mm dd 2001 03 01 Time Zone...

Page 449: ...e unsure of this information Current Time This field displays an updated time only when you reenter this menu New Time Enter the new time in hour minute and second format Current Date This field displays an updated date only when you re enter this menu New Date Enter the new date in year month and day format Time Zone Press SPACE BAR and then ENTER to set the time difference between your time zone...

Page 450: ......

Page 451: ...access See the firewall chapters for details on configuring firewall rules 40 2 Remote Management To disable remote management of a service select Disable in the corresponding Server Access field Enter 11 from menu 24 to display Menu 24 11 Remote Management Control 40 2 1 Remote Management Setup You may manage your Prestige from a remote location via the Internet WAN only the LAN only All LAN and ...

Page 452: ...if any by pressing the SPACE BAR Choices are LAN only WAN only All or Disable The default is LAN only LAN only Secured Client IP The default 0 0 0 0 allows any client to use this service or protocol to access the Prestige Enter an IP address to restrict access to a client with a matching IP address 0 0 0 0 Once you have filled in this menu press ENTER at the message Press ENTER to Confirm or ESC t...

Page 453: ...agement session with an equal or higher priority running You may only have one remote management session running at one time 5 There is a firewall rule that blocks it 40 3 Remote Management and NAT When NAT is enabled Use the Prestige s WAN IP address when configuring from the WAN Use the Prestige s LAN IP address when configuring from the LAN 40 4 System Timeout There is a default system manageme...

Page 454: ......

Page 455: ...hery of the network to enable the backbone to prioritize traffic Cost Savings IPPR allows organizations to distribute interactive traffic on high bandwidth high cost paths while using low cost paths for batch traffic Load Sharing Network administrators can use IPPR to distribute traffic among multiple paths 41 3 Routing Policy Individual routing policies are used as part of the overall IPPR proces...

Page 456: ...e the index of the policy set you want to configure to open Menu 25 1 IP Routing Policy Setup Menu 25 1 shows the summary of a policy set including the criteria and the action of a single policy and whether a policy is active or not Each policy contains two lines The former part is the criteria of the incoming packet and the latter is the action Between these two parts separator means the action i...

Page 457: ... 6 T NM PR 0 GW 192 168 1 1 T MT PR 0 2 N __________________________________________________________________________ __________________________________________________________________________ 3 N __________________________________________________________________________ __________________________________________________________________________ 4 N __________________________________________________...

Page 458: ...ER to select Yes to activate or No to deactivate the policy Inactive policies are displayed with a minus sign in SMT menu 25 Criteria IP Protocol IP layer 4 protocol for example UDP TCP ICMP etc Type of Service Prioritize incoming network traffic by choosing from Don t Care Normal Min Delay Max Thruput Min Cost or Max Reliable Menu 25 1 1 IP Routing Policy Policy Set Name test Active Yes Criteria ...

Page 459: ...uld be taken on criteria Matched or Not Matched Gateway addr Defines the outgoing gateway address The gateway must be on the same subnet as the Prestige if it is on the LAN otherwise the gateway must be the IP address of a remote node The default gateway is specified as 0 0 0 0 Type of Service Set the new TOS value of the outgoing packet Prioritize incoming network traffic by choosing No Change No...

Page 460: ...IP Address Assignment Static Ethernet Addr Timeout min 0 Rem IP Addr 0 0 0 0 Rem Subnet Mask 0 0 0 0 My WAN Addr 0 0 0 0 NAT Full Feature Address Mapping Set 2 Metric 2 Private No RIP Direction Both Version RIP 2B Multicast IGMP v2 IP Policies 2 4 7 9 Press ENTER to Confirm or ESC to Cancel Type IP Policy sets here Menu 3 2 TCP IP and DHCP Ethernet Setup DHCP Setup DHCP None Client IP Pool Startin...

Page 461: ... policy See the next figure Route 1 represents the default IP route and route 2 represents the configured IP route Figure 41 6 Example of IP Policy Routing To force Web packets coming from clients with IP addresses of 192 168 1 33 to 192 168 1 64 to be routed to the Internet via the WAN port of the Prestige follow the steps as shown next Step 1 Create a routing policy set in menu 25 Step 2 Create ...

Page 462: ...t with protocol TCP and port FTP access through another gateway 192 168 1 100 Menu 25 1 1 IP Routing Policy Policy Set Name set1 Active Yes Criteria IP Protocol 6 Type of Service Don t Care Packet length 10 Precedence Don t Care Len Comp N A Source addr start 192 168 1 33 end 192 168 1 64 port start 0 end N A Destination addr start 0 0 0 0 end N A port start 80 end 80 Action Matched Gateway addr 1...

Page 463: ...mote DHCP Server N A TCP IP Setup IP Address 192 168 1 1 IP Subnet Mask 255 255 255 0 RIP Direction Both Version RIP 1 Multicast None IP Policies 1 2 Edit IP Alias No Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Menu 25 1 1 IP Routing Policy Policy Set Name set2 Active Yes Criteria IP Protocol 6 Type of Service Don t Care Packet length 10 Precedence Don t Care Len Comp N A Sou...

Page 464: ......

Page 465: ...own next Figure 42 1 Menu 26 Schedule Setup Lower numbered sets take precedence over higher numbered sets thereby avoiding scheduling conflicts For example if sets 1 2 3 and 4 in are applied in the remote node then set 1 will take precedence over set 2 3 and 4 as the Prestige by default applies the lowest numbered set first Set 2 will take precedence over set 3 and 4 and so on You can design up to...

Page 466: ...se Yes and press ENTER to activate the schedule set Yes Start Date Enter the start date when you wish the set to take effect in year month date format Valid dates are from the present to 2036 February 5 2000 01 01 How Often Should this schedule set recur weekly or be used just once only Press the SPACE BAR and then ENTER to select Once or Weekly Both these options are mutually exclusive If Once is...

Page 467: ...t the connection is maintained whether or not there is a demand call on the line and will persist for the time period specified in the Duration field Forced Down means that the connection is blocked whether or not there is a demand call on the line Enable Dial On Demand means that this schedule permits a demand call on the line Disable Dial On Demand means that this schedule prevents a demand call...

Page 468: ... Rem Node Name MyISP Route IP Active Yes Bridge No Encapsulation PPPoE Edit IP Bridge No Multiplexing LLC based Edit ATM Options No Service Name Edit Advance Options No Incoming Telco Option Rem Login Allocated Budget min 0 Rem Password Period hr 0 Outgoing Schedule Sets 1 2 3 4 My Login user isp ch Nailed Up Connection No My Password Session Options Authen CHAP PAP Edit Filter Sets No Idle Timeou...

Page 469: ...PTGEN This part provides information about configuring VPN IPSec for secure communications and Internal SPTGEN for configuration of multiple Prestiges See the web configurator parts of this guide for background information on features configurable by web configurator and SMT ...

Page 470: ......

Page 471: ...hese main submenus 1 Define VPN policies in menu 27 1 submenus including security policies endpoint IP addresses peer IPSec router IP address and key management 2 Menu 27 2 SA Monitor allows you to manage refresh or disconnect your SA connections This is an overview of the VPN menu tree Figure 43 1 VPN SMT Menu Tree From the main menu enter 27 to display the first VPN menu shown next ...

Page 472: ...ary FIELD DESCRIPTION EXAMPLE This is the VPN policy index number 1 Menu 27 VPN IPSec Setup 1 IPSec Summary 2 SA Monitor Enter Menu Selection Number Menu 27 1 IPSec Summary Name A Local Addr Start Addr End Mask Encap IPSec Algorithm Key Mgt Remote Addr Start Addr End Mask Secure GW Addr 001 Taiwan Y 192 168 1 35 192 168 1 38 Tunnel ESP AES MD5 IKE 172 16 2 40 172 16 2 46 193 81 13 2 002 zw50 N 1 1...

Page 473: ... address in a range of computers on the LAN behind your Prestige When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to SUBNET this is a subnet mask on the LAN behind your Prestige 192 168 1 38 Encap This field displays Tunnel mode or Transport mode See earlier for a discussion of these You need to finish configuring the VPN policy in menu 27 1 1 1 or 27 1 1 2 if is displayed Tunnel ...

Page 474: ... Secure Gateway Address field in SMT 27 1 1 to 0 0 0 0 172 16 2 40 Addr End Mask When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to Single this is the same static IP address as in the Remote Addr Start field When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to Range this is the end static IP address in a range of computers on the network behind the remote IPSec ro...

Page 475: ...ge When a VPN rule is deleted subsequent rules do not move up in the page list Use Go To Rule to view the page where your desired rule is listed Select Next Page or Previous Page to view the next or previous page of rules respectively None Select Rule Type the VPN rule index number you wish to edit or delete and then press ENTER 3 When you have completed this menu press ENTER at the prompt Press E...

Page 476: ...ves the firewall Yes Keep Alive Press SPACE BAR to choose either Yes or No Choose Yes and press ENTER to have the Prestige automatically re initiate the SA after the SA lifetime times out even if there is no traffic The remote IPSec router must also have keep alive enabled in order for this feature to work No Menu 27 1 1 IPSec Setup Index 1 Name Taiwan Active Yes Keep Alive No Nat Traversal No Loc...

Page 477: ...an e mail address Content When you select IP in the Local ID Type field type the IP address of your computer or leave the field blank to have the Prestige automatically use its own IP address When you select DNS in the Local ID Type field type a domain name up to 31 characters by which to identify this Prestige When you select E mail in the Local ID Type field type an e mail address up to 31 chara...

Page 478: ...re making the VPN connection Set this field to 0 0 0 0 if the remote IPSec router has a dynamic WAN IP address the Key Management field must be set to IKE see later Zw50test com tw Protocol Enter 1 for ICMP 6 for TCP 17 for UDP etc 0 is the default and signifies any protocol 0 DNS Server If there is a private DNS server that services the VPN type its IP address here The Prestige assigns this addit...

Page 479: ...not create a VPN tunnel if you try to connect using a port number that does not match this port number or range of port numbers Some of the most common IP ports are 21 FTP 53 DNS 23 Telnet 80 HTTP 25 SMTP 110 POP3 0 End Enter a port number in this field to define a port range This port number must be greater than that specified in the previous field This field is N A when 0 is configured in the Po...

Page 480: ...gured to SUBNET enter a subnet mask on the network behind the remote IPSec router This field displays N A when you configure the Secure Gateway Address field to 0 0 0 0 255 255 0 0 Port Start 0 is the default and signifies any port Type a port number from 0 to 65535 Someone behind the remote IPSec router cannot create a VPN tunnel when attempting to connect using a port number that does not match ...

Page 481: ...ou have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel 43 4 IKE Setup To edit this menu the Key Management field in Menu 27 1 1 IPSec Setup must be set to IKE Move the cursor to the Edit Key Management Setup field in Menu 27 1 1 IPSec Setup press SPACE BAR to select Yes and then press ENTER to display Menu 27 1 1 1...

Page 482: ... on DES that uses a 168 bit key As a result 3DES is more secure than DES It also requires more processing power resulting in slightly increased latency and decreased throughput This implementation of AES uses a 128 bit key AES is faster than 3DES Press SPACE BAR to choose from DES 3DES or AES and then press ENTER AES Authentication Algorithm MD5 Message Digest 5 and SHA1 Secure Hash Algorithm are ...

Page 483: ...Tunnel Perfect Forward Secrecy PFS Perfect Forward Secrecy PFS is disabled None by default in phase 2 IPSec SA setup This allows faster IPSec setup but is not so secure Press SPACE BAR and choose from DH1 or DH2 to enable PFS DH1 refers to Diffie Hellman Group 1 a 768 bit random number DH2 refers to Diffie Hellman Group 2 a 1024 bit 1Kb random number more secure yet slower None When you have compl...

Page 484: ...se an AH Active Protocol SPI Decimal The SPI must be unique and from one to four integers 0 to 9 1234 Encryption Algorithm Press SPACE BAR to choose from NULL DES 3DES or AES and then press ENTER Fill in the Key1 field below when you choose DES and fill in fields Key1 to Key3 when you choose 3DES Select NULL to set up a tunnel without encryption When you select NULL you do not enter any encryption...

Page 485: ...ication and 20 characters for SHA 1 authentication Any character may be used including spaces but trailing spaces are truncated 123456789a bcde AH Setup The AH Setup fields are N A if you chose an ESP Active Protocol SPI Decimal The SPI must be from one to four unique decimal characters 0 to 9 long N A Authentication Algorithm Press SPACE BAR to choose from MD5 or SHA1 and then press ENTER N A Key...

Page 486: ......

Page 487: ...ntil the SA lifetime period expires See the Web configurator part on keep alive to have the Prestige renegotiate an IPSec SA when the SA lifetime expires even if there is no traffic 44 2 Using SA Monitor 1 Use the Refresh function to display active VPN connections 2 Use the Disconnect function to cut off active connections Type 2 in Menu 27 VPN IPSec Setup and then press ENTER to go to Menu 27 2 S...

Page 488: ...de 56 bit DES and 168 bit 3DES NULL denotes a tunnel without encryption An incoming SA may have an AH in addition to ESP The Authentication Header provides strong integrity and authentication by adding authentication information to IP packets This authentication information is calculated using header and payload data in the IP packet This provides an additional level of security AH choices are MD5...

Page 489: ...ure save and upload multiple menus at the same time using just one configuration text file eliminating the need to navigate and configure individual SMT menus for each Prestige 45 2 The Configuration Text File Format All Internal SPTGEN text files conform to the following format field identification number field name parameter values allowed input where input is your input conforming to parameter ...

Page 490: ... than 0 or 1 in the Input column of Field Identification Number 1000000 refer to Figure 45 1 Menu 1 General Setup 10000000 Configured 0 No 1 Yes 1 10000001 System Name Str Prestige 10000002 Location Str 10000003 Contact Person s Name Str 10000004 Route IP 0 No 1 Yes 1 10000005 Route IPX 0 No 1 Yes 0 10000006 Bridge 0 No 1 Yes 0 This is the Field Name column This is the name of the field as seen in...

Page 491: ...sion V2 02 2 22 2001 13 33 11 RAM Size 8192 Kbytes FLASH Intel 8M 2 Please wait for the system to write SPT text file ROM t Bootbase Version V2 02 2 22 2001 13 33 11 RAM Size 8192 Kbytes FLASH Intel 8M 2 c ftp 192 168 1 1 220 PPP FTP version 1 0 ready at Sat Jan 1 03 22 12 2000 User 192 168 1 1 none 331 Enter PASS command Password 230 Logged in ftp bin 200 Type I OK ftp get rom t ftp bye c edit ro...

Page 492: ...sion 1 0 ready at Sat Jan 1 03 22 12 2000 User 192 168 1 1 none 331 Enter PASS command Password 230 Logged in ftp bin 200 Type I OK ftp put rom t ftp bye 1 Launch your FTP application 2 Enter bin The command bin sets the transfer mode to binary 3 Upload your rom t file from your computer to the Prestige using the put command computer to the Prestige 4 Exit this FTP application ...

Page 493: ...XII Part XII Appendices and Index This part contains additional background information and an index or key terms ...

Page 494: ......

Page 495: ...em In this case you should contact your vendor 1 Make sure the Prestige is connected to your computer s serial port VT100 terminal emulation 9600 bps is the default speed on leaving the factory Try other speeds in case the speed has been changed I cannot access the Prestige via the console port 2 Make sure the communications program is configured correctly The communications software should be con...

Page 496: ...configurator or the System Information and Diagnosis chapter SMT Problems with the LAN Interface Chart A 4 Troubleshooting the LAN Interface PROBLEM CORRECTIVE ACTION I cannot access the Prestige from the LAN If the 10M 100M LEDs on the front panel are both off refer to Chart A 2 Troubleshooting the LAN LED Make sure that the IP address and the subnet mask of the Prestige and your computer s are o...

Page 497: ...LEM CORRECTIVE ACTION I cannot access the Internet Make sure the Prestige is turned on and connected to the network If the DSL LED is off refer to Chart A 3 Troubleshooting the DSL LED Verify your WAN settings Refer to the WAN Setup chapter web configurator or the Internet Access chapter SMT Make sure you entered the correct user name and password If you use PPPoE pass through P652H HW make sure t...

Page 498: ...onfigurator PROBLEM CORRECTIVE ACTION I cannot access the web configurator Refer to Chart A 7 Troubleshooting the Password Make sure that there is not an SMT console session running Check that you have enabled web service access If you have configured a secured client IP address your computer s IP address must match it Refer to the chapter on remote management for details For WAN access you must c...

Page 499: ...when remote management may not be possible Use the Prestige s WAN IP address when configuring from the WAN Use the Prestige s LAN IP address when configuring from the LAN Refer to Chart A 4 Troubleshooting the LAN Interface for instructions on checking your LAN connection Refer to the Problems with the WAN Interface section for instructions on checking your WAN connection I cannot remotely manage ...

Page 500: ......

Page 501: ...0 in the next left most bit In a class B address the first two octets make up the network number and the two remaining octets make up the host ID Class C addresses begin starting from the left with 1 1 0 In a class C address the first three octets make up the network number and the last octet is the host ID Class D addresses begin with 1 1 1 0 Class D addresses are used for multicasting There is a...

Page 502: ...subnet mask is used to determine which bits are part of the network number and which bits are part of the host ID using a logical AND operation A subnet mask has 32 bits each bit of the mask corresponds to a bit of the IP address If a bit in the subnet mask is a 1 then the corresponding bit in the IP address is part of the network number If a bit in the subnet mask is 0 then the corresponding bit ...

Page 503: ...C address using both notations Chart B 4 Alternative Subnet Mask Notation SUBNET MASK IP ADDRESS SUBNET MASK 1 BITS LAST OCTET BIT VALUE 255 255 255 0 24 0000 0000 255 255 255 128 25 1000 0000 255 255 255 192 26 1100 0000 255 255 255 224 27 1110 0000 255 255 255 240 28 1111 0000 255 255 255 248 29 1111 1000 255 255 255 252 30 1111 1100 The first mask shown is the class C natural mask Normally if n...

Page 504: ... Mask Binary 11111111 11111111 11111111 10000000 Subnet Address 192 168 1 0 Lowest Host ID 192 168 1 1 Broadcast Address 192 168 1 127 Highest Host ID 192 168 1 126 Chart B 6 Subnet 2 NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 128 IP Address Binary 11000000 10101000 00000001 10000000 Subnet Mask 255 255 255 128 Subnet Mask Binary 11111111 11111111 11111111 10000000 Subnet Address 192...

Page 505: ... subnet Chart B 7 Subnet 1 NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 0 IP Address Binary 11000000 10101000 00000001 00000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 0 Lowest Host ID 192 168 1 1 Broadcast Address 192 168 1 63 Highest Host ID 192 168 1 62 Chart B 8 Subnet 2 NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 64 IP Address B...

Page 506: ...cast Address 192 168 1 255 Highest Host ID 192 168 1 254 Example Eight Subnets Similarly use a 27 bit mask to create 8 subnets 001 010 011 100 101 110 The following table shows class C IP address last octet values for each subnet Chart B 11 Eight Subnets SUBNET SUBNET ADDRESS FIRST ADDRESS LAST ADDRESS BROADCAST ADDRESS 1 0 1 30 31 2 32 33 62 63 3 64 65 94 95 4 96 97 126 127 5 128 129 158 159 6 16...

Page 507: ...etermines which bits are part of the network number and which are part of the host ID A class B address has two host ID octets available for subnetting and a class A address has three host ID octets see Chart B 1 available for subnetting The following table is a summary for class B subnet planning Chart B 13 Class B Subnet Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 1...

Page 508: ...lass B Subnet Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 25 10 255 255 255 192 26 1024 62 11 255 255 255 224 27 2048 30 12 255 255 255 240 28 4096 14 13 255 255 255 248 29 8192 6 14 255 255 255 252 30 16384 2 15 255 255 255 254 31 32768 1 ...

Page 509: ...ove from meeting to meeting accessing up to date information that facilitates the ability to communicate decisions on the fly 5 It provides campus wide networking coverage allowing enterprises the roaming capability to set up easy to use wireless networks that transparently covers an entire campus IEEE 802 11 The 1997 completion of the IEEE 802 11 standard for wireless LANs WLANs was a first impor...

Page 510: ...ommunication in an Ad hoc Network Infrastructure Wireless LAN Configuration For Infrastructure WLANs multiple access points APs link the WLAN to the wired network and allow users to efficiently share network resources The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood Multiple access points can provide wir...

Page 511: ...Prestige 652H HW Series User s Guide Wireless LAN and IEEE 802 11 C 3 Diagram C 2 ESS Provides Campus Wide Coverage ...

Page 512: ......

Page 513: ...ices using PPP Benefits of PPPoE PPPoE offers the following benefits 1 It provides you with a familiar dial up networking DUN user interface 2 It lessens the burden on the carriers of provisioning virtual circuits all the way to the ISP on multiple switches for thousands of users For GSTN PSTN and ISDN the switching fabric is already in place 3 It allows the ISP to use the existing dial up model t...

Page 514: ...he PPP frames to the ISP The L2TP tunnel is capable of carrying multiple PPP sessions With PPPoE the VC Virtual Circuit is equivalent to the dial up connection and is between the modem and the AC as opposed to all the way to the ISP However the PPP negotiation is between the PC and the ISP Prestige as a PPPoE Client When using the Prestige as a PPPoE client the PCs on the LAN see only Ethernet and...

Page 515: ... between circuit end points Diagram E 1 Virtual Circuit Topology Think of a virtual path as a cable that contains a bundle of wires The cable connects two points and wires within the cable provide individual circuits between the two points In an ATM cell header a VPI Virtual Path Identifier identifies a link formed by a virtual path a VCI Virtual Channel Identifier identifies a channel within a vi...

Page 516: ......

Page 517: ...ta packets between two Ethernet devices Some companies have more than one alternate route to one or more ISPs If the LAN and ISP s are in the same subnet the triangle route problem may occur The steps below describe the triangle route problem Step 1 A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN Step 2 The Prestige reroutes the SYN packet ...

Page 518: ...to three logical LAN interfaces with the Prestige being the gateway for each logical network By putting your LAN and Gateway B in different subnets all returning network traffic must pass through the Prestige to your LAN The following steps describe such a scenario Step 1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN Step 2 The Prestige rerou...

Page 519: ...N Side A second solution to the triangle route problem is to put all of your network gateways on the WAN side as the following figure shows This ensures that all incoming network traffic passes through your Prestige to your LAN Therefore your LAN is protected Diagram F 4 Gateways on the WAN Side ...

Page 520: ......

Page 521: ... 1 25A Power Consumption 11 W Safety Standards UL CUL CSA UL 1310 CSA C22 2 No 223 NORTH AMERICAN PLUG STANDARDS AC Power Adapter Model AA 121A25 Input Power AC120Volts 60Hz 19W Output Power AC 12Volts 1 25A Power Consumption 11W Safety Standards UL CUL UL 1310 CSA C22 2 No 223 EUROPEAN PLUG STANDARDS AC Power Adapter Model AA 121A3BN Input Power AC230Volts 50Hz 140mA Output Power AC12Volts 1 3A P...

Page 522: ...G STANDARDS AC Power Adapter Model AA 121A25 Input Power AC120Volts 60Hz 19W Output Power AC 12Volts 1 25A Power Consumption 14W Safety Standards UL CUL UL 1310 CSA C22 2 No 223 EUROPEAN PLUG STANDARDS AC Power Adapter Model AA 121A3BN Input Power AC230Volts 50Hz 140mA Output Power AC12Volts 1 3A Power Consumption 14W Safety Standards ITS GS CE EN 60950 UNITED KINGDOM PLUG STANDARDS AC Power Adapt...

Page 523: ...ot seen in SMT screens FN Field Name PVA Parameter Values Allowed INPUT An example of what you may enter Applies to the P652H HW The following are Internal SPTGEN screens associated with the SMT screens of your Prestige Example Internal SPTGEN Screens Table MENU 1 GENERAL SETUP SMT MENU 1 FIN FN PVA INPUT 10000000 Configured 0 No 1 Yes 0 10000001 System Name Str Prestige 10000002 Location Str 1000...

Page 524: ...10 Output protocol filters Set 2 256 30100011 Output protocol filters Set 3 256 30100012 Output protocol filters Set 4 256 30100013 Output device filters Set 1 256 30100014 Output device filters Set 2 256 30100015 Output device filters Set 3 256 30100016 Output device filters Set 4 256 MENU 3 2 TCP IP AND DHCP ETHERNET SETUP SMT MENU 3 2 FIN FN PVA INPUT 30200001 DHCP 0 None 1 Server 2 Relay 0 302...

Page 525: ...3 1 12 256 30200016 IP Policies Set 4 1 12 256 MENU 3 2 1 IP ALIAS SETUP SMT MENU 3 2 1 FIN FN PVA INPUT 30201001 IP Alias 1 0 No 1 Yes 0 30201002 IP Address 0 0 0 0 30201003 IP Subnet Mask 0 30201004 RIP Direction 0 None 1 Both 2 In Only 3 Out Only 0 30201005 Version 0 Rip 1 1 Rip 2B 2 Rip 2M 0 30201006 IP Alias 1 Incoming protocol filters Set 1 256 30201007 IP Alias 1 Incoming protocol filters S...

Page 526: ...ection 0 None 1 Both 2 In Only 3 Out Only 0 30201018 Version 0 Rip 1 1 Rip 2B 2 Rip 2M 0 30201019 IP Alias 2 Incoming protocol filters Set 1 256 30201020 IP Alias 2 Incoming protocol filters Set 2 256 30201021 IP Alias 2 Incoming protocol filters Set 3 256 30201022 IP Alias 2 Incoming protocol filters Set 4 256 30201023 IP Alias 2 Outgoing protocol filters Set 1 256 30201024 IP Alias 2 Outgoing pr...

Page 527: ...10 WEP Key3 30500011 WEP Key4 MENU 3 5 1 WLAN MAC ADDRESS FILTER SMT MENU 3 5 1 30501001 Mac Filter Active 0 No 1 Yes 0 30501002 Filter Action 0 Allow 1 Deny 0 30501003 Address 1 00 00 00 00 00 00 30501004 Address 2 00 00 00 00 00 00 30501005 Address 3 00 00 00 00 00 00 Continued 30501034 Address 32 00 00 00 00 00 00 MENU 4 INTERNET ACCESS SETUP SMT MENU 4 FIN FN PVA INPUT 40000000 Configured 0 No...

Page 528: ... set 1 6 40000017 ISP incoming protocol filter set 2 256 40000018 ISP incoming protocol filter set 3 256 40000019 ISP incoming protocol filter set 4 256 40000020 ISP outgoing protocol filter set 1 256 40000021 ISP outgoing protocol filter set 2 256 40000022 ISP outgoing protocol filter set 3 256 40000023 ISP outgoing protocol filter set 4 256 40000024 ISP PPPoE idle timeout 0 40000025 Route IP 0 N...

Page 529: ... Static Route set 1 Gateway 0 0 0 0 120101006 IP Static Route set 1 Metric 0 120101007 IP Static Route set 1 Private 0 No 1 Yes 0 MENU 12 1 2 IP STATIC ROUTE SETUP SMT MENU 12 1 2 FIN FN PVA INPUT 120102001 IP Static Route set 2 Name 120102002 IP Static Route set 2 Active 0 No 1 Yes 0 120102003 IP Static Route set 2 Destination IP address 0 0 0 0 120102004 IP Static Route set 2 Destination IP subn...

Page 530: ...oute set 4 Active 0 No 1 Yes 0 120104003 IP Static Route set 4 Destination IP address 0 0 0 0 120104004 IP Static Route set 4 Destination IP subnetmask 0 120104005 IP Static Route set 4 Gateway 0 0 0 0 120104006 IP Static Route set 4 Metric 0 120104007 IP Static Route set 4 Private 0 No 1 Yes 0 MENU 12 1 5 IP STATIC ROUTE SETUP SMT MENU 12 1 5 FIN FN PVA INPUT 120105001 IP Static Route set 5 Name ...

Page 531: ... 12 1 7 IP STATIC ROUTE SETUP SMT MENU 12 1 7 FIN FN PVA INPUT 120107001 IP Static Route set 7 Name Str 120107002 IP Static Route set 7 Active 0 No 1 Yes 0 120107003 IP Static Route set 7 Destination IP address 0 0 0 0 120107004 IP Static Route set 7 Destination IP subnetmask 0 120107005 IP Static Route set 7 Gateway 0 0 0 0 120107006 IP Static Route set 7 Metric 0 120107007 IP Static Route set 7 ...

Page 532: ...20109006 IP Static Route set 9 Metric 0 120109007 IP Static Route set 9 Private 0 No 1 Yes 0 MENU 12 1 10 IP STATIC ROUTE SETUP SMT MENU 12 1 10 FIN FN PVA INPUT 120110001 IP Static Route set 10 Name 120110002 IP Static Route set 10 Active 0 No 1 Yes 0 120110003 IP Static Route set 10 Destination IP address 0 0 0 0 120110004 IP Static Route set 10 Destination IP subnetmask 0 120110005 IP Static Ro...

Page 533: ...te set 12 Destination IP address 0 0 0 0 120112004 IP Static Route set 12 Destination IP subnetmask 0 120112005 IP Static Route set 12 Gateway 0 0 0 0 120112006 IP Static Route set 12 Metric 0 120112007 IP Static Route set 12 Private 0 No 1 Yes 0 MENU 12 1 13 IP STATIC ROUTE SETUP SMT MENU 12 1 13 FIN FN PVA INPUT 120113001 IP Static Route set 13 Name Str 120113002 IP Static Route set 13 Active 0 ...

Page 534: ...N PVA INPUT 120115001 IP Static Route set 15 Name Str 120115002 IP Static Route set 15 Active 0 No 1 Yes 0 120115003 IP Static Route set 15 Destination IP address 0 0 0 0 120115004 IP Static Route set 15 Destination IP subnetmask 0 120115005 IP Static Route set 15 Gateway 0 0 0 0 120115006 IP Static Route set 15 Metric 0 120115007 IP Static Route set 15 Private 0 No 1 Yes 0 MENU 12 1 16 IP STATIC ...

Page 535: ... 0 150000006 SUA Server 2 Local IP address 0 0 0 0 150000007 SUA Server 3 Active 0 No 1 Yes 0 150000008 SUA Server 3 Protocol 0 All 6 TCP 17 U DP 0 150000009 SUA Server 3 Port Start 0 150000010 SUA Server 3 Port End 0 150000011 SUA Server 3 Local IP address 0 0 0 0 150000012 SUA Server 4 Active 0 No 1 Yes 0 150000013 SUA Server 4 Protocol 0 All 6 TCP 17 U DP 0 150000014 SUA Server 4 Port Start 0 1...

Page 536: ...50000030 SUA Server 7 Port End 0 150000031 SUA Server 7 Local IP address 0 0 0 0 150000032 SUA Server 8 Active 0 No 1 Yes 0 150000033 SUA Server 8 Protocol 0 All 6 TCP 17 U DP 0 150000034 SUA Server 8 Port Start 0 150000035 SUA Server 8 Port End 0 150000036 SUA Server 8 Local IP address 0 0 0 0 150000037 SUA Server 9 Active 0 No 1 Yes 0 150000038 SUA Server 9 Protocol 0 All 6 TCP 17 U DP 0 1500000...

Page 537: ...SET 1 SMT MENU 21 FIN FN PVA INPUT 210100001 Filter Set 1 Name Str MENU 21 1 1 1 FILTER SET 1 RULE 1 SMT MENU 21 1 1 1 FIN FN PVA INPUT 210101001 IP Filter Set 1 Rule 1 Type 2 TCP IP 2 210101002 IP Filter Set 1 Rule 1 Active 0 No 1 Yes 1 210101003 IP Filter Set 1 Rule 1 Protocol 6 210101004 IP Filter Set 1 Rule 1 Dest IP address 0 0 0 0 210101005 IP Filter Set 1 Rule 1 Dest Subnet Mask 0 210101006...

Page 538: ...1 2 FIN FN PVA INPUT 210102001 IP Filter Set 1 Rule 2 Type 2 TCP IP 2 210102002 IP Filter Set 1 Rule 2 Active 0 No 1 Yes 1 210102003 IP Filter Set 1 Rule 2 Protocol 6 210102004 IP Filter Set 1 Rule 2 Dest IP address 0 0 0 0 210102005 IP Filter Set 1 Rule 2 Dest Subnet Mask 0 210102006 IP Filter Set 1 Rule 2 Dest Port 138 210102007 IP Filter Set 1 Rule 2 Dest Port Comp 0 none 1 equal 2 not equal 3 ...

Page 539: ...le 3 Dest IP address 0 0 0 0 210103005 IP Filter Set 1 Rule 3 Dest Subnet Mask 0 210103006 IP Filter Set 1 Rule 3 Dest Port 139 210103007 IP Filter Set 1 Rule 3 Dest Port Comp 0 none 1 equal 2 not equal 3 less 4 great er 1 210103008 IP Filter Set 1 Rule 3 Src IP address 0 0 0 0 210103009 IP Filter Set 1 Rule 3 Src Subnet Mask 0 210103010 IP Filter Set 1 Rule 3 Src Port 0 210103011 IP Filter Set 1 ...

Page 540: ...Filter Set 1 Rule 4 Src IP address 0 0 0 0 210104009 IP Filter Set 1 Rule 4 Src Subnet Mask 0 210104010 IP Filter Set 1 Rule 4 Src Port 0 210104011 IP Filter Set 1 Rule 4 Src Port Comp 0 none 1 equal 2 not equal 3 less 4 great er 0 210104013 IP Filter Set 1 Rule 4 Act Match 1 check next 2 forward 3 drop 3 210104014 IP Filter Set 1 Rule 4 Act Not Match 1 check next 2 forward 3 dr op 1 MENU 21 1 1 5...

Page 541: ...e 5 Act Match 1 check next 2 forward 3 dr op 3 210105014 IP Filter Set 1 Rule 5 Act Not Match 1 Check Next 2 Forward 3 Drop 1 MENU 21 1 1 6 SET 1 RULE 6 SMT MENU 21 1 1 6 FIN FN PVA INPUT 210106001 IP Filter Set 1 Rule 6 Type 2 TCP IP 2 210106002 IP Filter Set 1 Rule 6 Active 0 No 1 Yes 1 210106003 IP Filter Set 1 Rule 6 Protocol 17 210106004 IP Filter Set 1 Rule 6 Dest IP address 0 0 0 0 21010600...

Page 542: ...2 Nam Str NetBIOS_WAN MENU 21 1 2 1 FILTER SET 2 RULE 1 SMT MENU 21 1 2 1 FIN FN PVA INPUT 210201001 IP Filter Set 2 Rule 1 Type 0 none 2 TCP IP 2 210201002 IP Filter Set 2 Rule 1 Active 0 No 1 Yes 1 210201003 IP Filter Set 2 Rule 1 Protocol 6 210201004 IP Filter Set 2 Rule 1 Dest IP address 0 0 0 0 210201005 IP Filter Set 2 Rule 1 Dest Subnet Mask 0 210201006 IP Filter Set 2 Rule 1 Dest Port 137 ...

Page 543: ... IP Filter Set 2 Rule 2 Active 0 No 1 Yes 1 210202003 IP Filter Set 2 Rule 2 Protocol 6 210202004 IP Filter Set 2 Rule 2 Dest IP address 0 0 0 0 210202005 IP Filter Set 2 Rule 2 Dest Subnet Mask 0 210202006 IP Filter Set 2 Rule 2 Dest Port 138 210202007 IP Filter Set 2 Rule 2 Dest Port Comp 0 none 1 equal 2 not equal 3 less 4 great er 1 210202008 IP Filter Set 2 Rule 2 Src IP address 0 0 0 0 21020...

Page 544: ...et Mask 0 210203006 IP Filter Set 2 Rule 3 Dest Port 139 210203007 IP Filter Set 2 Rule 3 Dest Port Comp 0 none 1 equal 2 not equal 3 less 4 great er 1 210203008 IP Filter Set 2 Rule 3 Src IP address 0 0 0 0 210203009 IP Filter Set 2 Rule 3 Src Subnet Mask 0 210203010 IP Filter Set 2 Rule 3 Src Port 0 210203011 IP Filter Set 2 Rule 3 Src Port Comp 0 none 1 equal 2 not equal 3 less 4 great er 0 210...

Page 545: ...0 210204009 IP Filter Set 2 Rule 4 Src Subnet Mask 0 210204010 IP Filter Set 2 Rule 4 Src Port 0 210204011 IP Filter Set 2 Rule 4 Src Port Comp 0 none 1 equal 2 not equal 3 less 4 great er 0 210204013 IP Filter Set 2 Rule 4 Act Match 1 check next 2 forward 3 dr op 3 210204014 IP Filter Set 2 Rule 4 Act Not Match 1 check next 2 forward 3 dr op 1 MENU 21 1 2 5 FILTER SET 2 RULE 5 SMT MENU 21 1 2 5 F...

Page 546: ...P Filter Set 2 Rule 5 Act Match 1 check next 2 forward 3 dr op 3 210205014 IP Filter Set 2 Rule 5 Act Not Match 1 check next 2 forward 3 dr op 1 MENU 21 1 2 6 FILTER SET 2 RULE 6 SMT MENU 21 1 2 5 FIN FN PVA INPUT 210206001 IP Filter Set 2 Rule 6 Type 0 none 2 TCP IP 2 210206002 IP Filter Set 2 Rule 6 Active 0 No 1 Yes 1 210206003 IP Filter Set 2 Rule 6 Protocol 17 210206004 IP Filter Set 2 Rule 6...

Page 547: ...234 MENU 23 2 SYSTEM SECURITY RADIUS SERVER SMT MENU 23 2 FIN FN PVA INPUT 230200001 Authentication Server Configured 0 No 1 Yes 1 230200002 Authentication Server Active 0 No 1 Yes 1 230200003 Authentication Server IP Address 192 168 1 32 230200004 Authentication Server Port 1822 230200005 Authentication Server Shared Secret 111111111111111 1111111111111111 230200006 Accounting Server Configured 0...

Page 548: ...41100005 FTP Server Access 0 all 1 none 2 Lan 3 Wan 0 241100006 FTP Server Secured IP address 0 0 0 0 241100007 WEB Server Port 80 241100008 WEB Server Access 0 all 1 none 2 Lan 3 Wan 0 241100009 WEB Server Secured IP address 0 0 0 0 Command Examples The following are example Internal SPTGEN screens associated with the Prestige s command interpreter commands CI COMMAND FOR ANNEX A WAN ADSL OPENCMD...

Page 549: ...1 requires the purchase of a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the appropriate TCP IP components are installed configure the TCP IP settings in order to communicate with your network If you manually assign IP information instead of using dynamic assignment make sure that y...

Page 550: ...click OK If you need TCP IP a In the Network window click Add b Select Protocol and then click Add c Select Microsoft from the list of manufacturers d Select TCP IP from the list of network protocols and then click OK If you need Client for Microsoft Networks a Click Add b Select Client and then click Add c Select Microsoft from the list of manufacturers d Select Client for Microsoft Networks from...

Page 551: ...tomatically If you have a static IP address select Specify an IP address and type your information into the IP Address and Subnet Mask fields 3 Click the DNS Configuration tab If you do not know your DNS information select Disable DNS If you know your DNS information select Enable DNS and type the information in the fields below you may not need to fill them all in ...

Page 552: ...ld and click Add 5 Click OK to save and close the TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your Prestige and restart your computer when prompted Verifying Settings 1 Click Start and then Run 2 In the Run window type winipcfg and then click OK to open the IP Configuration window 3 Select your network adapter You should see your comp...

Page 553: ... Windows 2000 NT XP 1 For Windows XP click start Control Panel In Windows 2000 NT click Start Settings Control Panel 2 For Windows XP click Network Connections For Windows 2000 NT click Network and Dial up Connections 3 Right click Local Area Connection and then click Properties ...

Page 554: ...in Win XP and click Properties 5 The Internet Protocol TCP IP Properties window opens the General tab in Windows XP If you have a dynamic IP address click Obtain an IP address automatically If you have a static IP address click Use the following IP Address and fill in the IP address Subnet mask and Default gateway fields Click Advanced ...

Page 555: ... IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways In TCP IP Gateway Address type the IP address of the default gateway in Gateway To manually configure a default metric the number of transmission hops clear the A...

Page 556: ... and Alternate DNS server fields If you have previously configured DNS servers click Advanced and then the DNS tab to order them 8 Click OK to close the Internet Protocol TCP IP Properties window 9 Click OK to close the Local Area Connection Properties window 10 Turn on your Prestige and restart your computer if prompted Verifying Settings 1 Click Start All Programs Accessories and then Command Pr...

Page 557: ...ies User s Guide Setting up Your Computer s IP Address I 9 Macintosh OS 8 9 1 Click the Apple menu Control Panel and double click TCP IP to open the TCP IP Control Panel 2 Select Ethernet built in from the Connect via list ...

Page 558: ...s in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your Prestige in the Router address box 5 Close the TCP IP Control Panel 6 Click Save if prompted to save changes to your configuration 7 Turn on your Prestige and restart your computer if prompted Verifying Settings Check your TCP IP properties in the TCP IP Control Panel window Macintosh OS X 1 Click the ...

Page 559: ...select Using DHCP from the Configure list 4 For statically assigned settings do the following From the Configure box select Manually Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your Prestige in the Router address box 5 Click Apply Now and close the window 6 Turn on your Prestige and restart your computer if prompted Verifying Setti...

Page 560: ......

Page 561: ...e point where the telephone line enters your residence as shown in the following figure Diagram J 1 Connecting a POTS Splitter Step 1 Connect the side labeled Phone to your telephone Step 2 Connect the side labeled Modem to your Prestige Step 3 Connect the side labeled Line to the telephone wall jack Telephone Microfilters Telephone voice transmissions take place in the lower frequency range 0 4KH...

Page 562: ...double jack end of the Y Connector to the Prestige Step 4 Connect the phone side of the microfilter to your telephone as shown in the following figure Diagram J 2 Connecting a Microfilter Prestige With ISDN This section relates to people who use their Prestige with ADSL over ISDN digital telephone service only The following is an example installation for the Prestige with ISDN Diagram J 3 Prestige...

Page 563: ... The DHCP server assigned an IP address to a client SMT Login Successfully Someone has logged on to the router s SMT interface SMT Login Fail Someone has failed to log on to the router s SMT interface WEB Login Successfully Someone has logged on to the router s web configurator interface WEB Login Fail Someone has failed to log on to the router s web configurator interface TELNET Login Successfull...

Page 564: ...forbid ActiveX Destination Contains Java applet Web Block The Prestige blocked access to an IP address or domain name that contains a Java applet because the content filter is set to forbid Java applets Destination Contains cookie Web Block The Prestige blocked access to an IP address or domain name that contains a cookie because the content filter is set to forbid cookies Destination Proxy mode d...

Page 565: ...l detected a TCP SMTP illegal command attack NetBIOS TCP The firewall detected a TCP NetBIOS attack ip spoofing no routing entry Protocol The firewall detected an IP spoofing attack while the Prestige did not have a default route The log may also display the protocol for example TCP or UDP vulnerability ICMP type d code d The firewall detected an ICMP vulnerability attack see the section on ICMP m...

Page 566: ...st IP Protocol Direction Access did not match a firewall rule s destination IP address and the Prestige logged it src IP Protocol Direction Access did not match a firewall rule s source IP address and the Prestige logged it protocol Protocol Direction Access did not match a firewall rule s protocol and the Prestige logged it Triangle route packet forwarded Protocol The firewall allowed a triangle ...

Page 567: ...upport the ICMP packet s protocol 2 The ICMP packet is an echo reply for which there was no corresponding echo request Router reply ICMP packet The router sent an ICMP response packet This packet automatically bypasses the firewall Remote access denied The router blocked a remote access attempt Chart K 6 TCP Reset Logs LOG MESSAGE DESCRIPTION Firewall sent TCP reset packets The firewall sent out T...

Page 568: ... network on the route to the destination network 5 Redirect 0 Redirect datagrams for the Network 1 Redirect datagrams for the Host 2 Redirect datagrams for the Type of Service and Network 3 Redirect datagrams for the Type of Service and Host 8 Echo 0 Echo message 11 Time Exceeded 0 Time to live exceeded in transit 1 Fragment reassembly time exceeded 12 Parameter Problem 0 Pointer indicates the err...

Page 569: ...ponder IPSec Log The following figure shows a typical log from the VPN connection peer Index Date Time Log 001 01 Jan 08 02 22 Send Main Mode request to 192 168 100 101 002 01 Jan 08 02 22 Send SA 003 01 Jan 08 02 22 Recv SA 004 01 Jan 08 02 24 Send KE NONCE 005 01 Jan 08 02 24 Recv KE NONCE 006 01 Jan 08 02 26 Send ID HASH 007 01 Jan 08 02 26 Recv ID HASH 008 01 Jan 08 02 26 Phase 1 IKE SA proces...

Page 570: ...he Prestige has received an IKE negotiation request from the peer Recv Symbol IKE uses the ISAKMP protocol refer to RFC2408 ISAKMP to transmit data Each ISAKMP packet contains payloads of different types that show in the log see Chart J 10 Phase 1 IKE SA process done Phase 1 negotiation is finished Index Date Time Log 001 01 Jan 08 08 07 Recv Main Mode request from 192 168 100 100 002 01 Jan 08 08...

Page 571: ...ties exchange policy details including local and remote IP address ranges If these ranges differ then the connection fails Local remote IPs of incoming request conflict with rule d If the security gateway is 0 0 0 0 the Prestige will use the peer s Local Addr as its Remote Addr If this IP range conflicts with a previously configured rule then the connection is not allowed Invalid IP IP start IP en...

Page 572: ...he incoming packet did not match vs My Local IP address The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router The log displays this router s configured local IP address type or IP address that the incoming packet did not match symbol The router sent a payload type of IKE packet The following table shows sample l...

Page 573: ...tion settings are incorrect Please check them Rule d idle time out disconnect If an SA has no packets transmitted for a period of time configurable via CI command the Prestige drops the connection The following table shows RFC 2408 ISAKMP payload types that the log displays Please refer to the RFC for detailed information on each type Chart K 10 RFC 2408 ISAKMP Payload Types LOG DISPLAY PAYLOAD TY...

Page 574: ......

Page 575: ...ndwidth Filter 20 1 20 14 Bandwidth Management 1 3 Bandwidth Management 20 1 Bandwidth Management Statistics 20 16 Bandwidth Manager Class Configuration 20 13 Bandwidth Manager Class Setup 20 11 Bandwidth Manager Monitor 20 18 Bandwidth Manager Summary 20 8 Basic Service Set C 2 Blocking Time 13 25 13 28 Borrow bandwidth from parent class 20 14 Bridging 25 2 31 1 Ether Address 31 4 Ethernet 31 1 E...

Page 576: ...ation Address 13 4 Device Filter rules 34 14 DH 16 18 DHCP 1 5 3 11 5 2 10 1 21 6 37 4 Diagnostic Tools 37 1 Dial Backup 24 1 dial timeout 24 7 Diffie Hellman Key Groups 16 18 Digital Subscriber Line Access Multiplexer 1 7 Direct Sequence Spread Spectrum C 1 Distribution System C 2 DMZ 6 7 And the Firewall 6 7 Port Filter Setup 28 1 Setup 28 1 28 2 TCP IP Setup See TCP IP DMZ Setup 6 7 28 1 DNS 25...

Page 577: ...Rule 34 7 Filter Log 37 7 Filter Rule 34 8 Filter Rule Process 34 3 Filter Rule Setup 34 7 Filter Rules Summary Sample 34 17 Filter Set Class 34 7 Filter Set Configuration 34 4 Filtering 34 1 34 7 Filtering Process Outgoing Packets 34 2 Finger 9 6 Firewall 1 1 12 1 Access Methods 13 1 33 1 Address Type 13 12 Alerts 13 24 Connection Direction 13 4 Creating Editing Rules 13 10 Custom Ports See Custo...

Page 578: ...ternal SPTGEN Screens H 1 Internet access 27 1 Internet Access 1 1 1 7 25 2 27 1 27 4 27 5 Internet Access Setup A 3 32 1 Internet Assigned Numbers Authority See IANA Internet Control Message Protocol 13 22 Internet Control Message Protocol ICMP 12 6 Internet Key Exchange 16 16 Internet Protocol Security 15 1 IP address 24 9 24 11 IP Address3 4 5 3 9 5 9 8 21 6 25 4 30 3 31 4 34 9 37 4 37 9 41 3 R...

Page 579: ...Burst Size 8 2 Maximum Incomplete High 13 27 Maximum Incomplete Low 13 27 Max incomplete High 13 25 Max incomplete Low 13 25 13 27 MBS See Maximum Burst Size Media Access Control 31 1 Message Logging 37 5 Metric 8 1 24 12 29 7 30 3 Multicast 5 3 24 12 29 7 Multiplexing LLC based 3 2 VC based 3 2 Multiplexing 1 5 3 2 27 5 29 2 Multiprotocol Encapsulation 3 2 My IP Address 16 2 My Login 24 8 My Pass...

Page 580: ...re Shared Key 16 9 Prestige Firewall Application 12 3 Priority 20 14 Priority based Scheduler 20 4 Private 24 12 29 7 30 4 Proportional Bandwidth Allocation 20 2 Protocol 34 8 Protocol Filter Rules 34 14 Public Servers 6 7 Q Quality of Service 41 1 R RADIUS 7 9 Shared Secret Key 7 10 RADIUS Message Types 7 10 RAS 37 4 41 2 Rate Receiving 37 2 Transmission 37 2 Read Me First xxvii Related Documenta...

Page 581: ...l 12 11 Security Parameter Index 16 22 Security Parameters 7 14 Security Ramifications 13 3 Server 9 4 32 3 32 4 32 5 32 8 32 9 32 10 32 12 32 13 39 5 Service iv 13 3 Service Type A 3 13 14 Services 9 5 9 6 setup a schedule 42 2 Sever 32 9 Simple Network Management Protocol 35 1 SMT 22 1 SMT Menu Overview 22 2 SMTP 9 6 SMTP Error Messages 19 5 Smurf 12 6 SNMP 9 6 35 1 Community 35 3 Configuration ...

Page 582: ...0 3 Restrictions 40 3 TFTP and FTP over WAN Will Not Work When 38 4 TFTP and FTP Over WAN 17 1 TFTP File Transfer 38 12 TFTP Restrictions 17 1 38 4 Three Way Handshake 12 5 Threshold Values 13 24 Time and Date 11 1 Time and Date Setting 39 4 39 5 Time Zone 39 5 Timeout 24 3 24 10 TOS Type of Service 41 1 Trace Records 37 5 Traceroute 12 7 Traffic Redirect 1 3 Traffic Redirect 8 7 8 8 Setup 24 3 Tr...

Page 583: ...6 3 Wide Area Network 8 1 Wireless Client WPA Supplicants 7 15 Wireless LAN C 1 7 1 26 1 Benefits C 1 Wireless LAN MAC Address Filtering 1 2 Wireless LAN Setup 26 1 wireless station 7 25 Wizard Setup 3 1 WLAN See Wireless LAN WPA 7 11 WPA with RADIUS Application 7 13 WPA PSK Application 7 12 X XMODEM protocol 38 2 Z ZyNOS 38 1 38 2 ZyNOS F W Version 38 1 ZyXEL Limited Warranty Note iv ZyXEL s Fire...