Manuals / Motorola / Computer Equipment / Network Router

Motorola 7.7.4 manual Remote Access Control, Password Protection, Network Address Translation NAT

Models: 7.7.4

1 351

Download 351 pages 50.78 Kb

Page 18

Security

Remote Access Control

You can determine whether or not an administrator or other authorized person has access to conﬁguring your Gateway. This access (either time-restricted or unlimited until the router is rebooted) can be turned on or off in the Web interface. Additionally, permanent remote access can be conﬁgured in the CLI.

Password Protection

Access to your Motorola Netopia® device can be controlled through two access control accounts, Admin or User.

•The Admin, or administrative user, performs all conﬁguration, management or mainte- nance operations on the Gateway.

•The User account provides monitor capability only.

A user may NOT change the conﬁguration, perform upgrades or invoke maintenance functions.

Network Address Translation (NAT)

The Motorola Netopia® Gateway Network Address Translation (NAT) security feature lets you conceal the topology of a hard-wired Ethernet or wireless network connected to its LAN interface from Gateways on networks connected to its WAN interface. In other words, the end computer stations on your LAN are invisible from the Internet.

Only a single WAN IP address is required to provide this security support for your entire LAN.

LAN sites that communicate through an Internet Service Provider typically enable NAT, since they usually purchase only one IP address from the ISP.

•When NAT is ON, the Motorola Netopia® Gateway “proxies” for the end computer sta- tions on your network by pretending to be the originating host for network communica- tions from non-originating networks. The WAN interface address is the only IP address exposed.

18

Image 18

Motorola 7.7.4 manual Remote Access Control, Password Protection, Network Address Translation NAT

Contents

Administrator’s Handbook Copyright Table of Contents Advanced Setup Index Table of Contents Introduction Organization Documentation Conventions Bold terminal type User-entered text face Overview of Major Capabilities PPPoE/PPPoA Point-to-Point Protocol over Ethernet/ATM Instant-On PPPWide Area Network Termination Dhcp Dynamic Host Conﬁguration Protocol Server DNS ProxyUPnP Diagnostics Embedded Web ServerManagement Remote Access Control Password ProtectionNetwork Address Translation NAT NAT Motorola Netopia GatewayInternal Servers Motorola Netopia Advanced Features for NATDefault Server Combination NAT Bypass ConﬁgurationIP-Passthrough VPN IPSec Pass ThroughVPN IPSec Tunnel Termination Dynamic DNS Stateful Inspection Firewall Page Basic Mode Setup Important Safety Instructions Set up the Motorola Netopia Gateway Microsoft Windows Set up the Motorola Netopia Gateway Macintosh MacOS 9 or higher or Mac OS Conﬁgure the Motorola Netopia Gateway Page Configure the Motorola Netopia Gateway Motorola Netopia Gateway Status Indicator Lights Accessing the Web User Interface Links Bar Home Home Page InformationHome Page Links Enable Wireless Wireless ID SsidPrivacy Operating Mode Advanced Conﬁguration Options optionalDefault Channel About Closed System Mode and Wireless Encryption Privacy Radius Server authentication Page WPA-PSK WEP-Manual Examples Enable Multiple Wireless IDs Home Page WiFi Multimedia Page Wireless MAC Authorization optional Page Home Link Gaming Supported Games and Software Http Deﬁne Custom Service Page Static NAT Page Link Advanced Setup Link Status ATM LAN Wireless supported models only User List Link Diagnostics Link Help Advanced Setup Open the Web ConnectionPage Home Page Advanced Setup Summary Information Advanced Setup Conﬁgure Link Conﬁgure Link Connection Select the IP Type Links Bar Link Dhcp Server Additional IP Subnets Page Link IP Passthrough Click Enable Link NAT Page Supported Games and Software Nntp Deﬁne Custom Service Page Static NAT Link IPSec IPSec VPNConﬁguring an IPSec VPN Tunnel Parameter Motorola Netopia Peer Gateway Tunnel Conﬁguration page appears Click the Submit button Links Bar 100 Parameter Descriptions101 PAT Address102 Soft MBytes103 Link Router Password 104Link Time Zone 105Overview 106Ethernet Switching/Policy Setup 107108 109 110 111 112 Multiple Wireless IDs on 113114 115 116 117 118 Example119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 Link Status 144Ethernet 145Wireless 146Logs 147User List 148149 150 Result MeaningLink Remote Access 151From a Server 152Link Reset Router 153Link Restart Router 154155 Help 156Basic Troubleshooting 157Status Indicator Lights 158LED Function Summary Matrix 159160 Thicker than the standard telephone cableRear View 161162 Command Line Interface 163164 Overview 165166 Config Commands 167Logging 168Saving Settings Ending a CLI Session169 Shell Command Shortcuts Shell Prompt170 Common Commands Download serveraddress ﬁlename conﬁrm 172License key Loglevel level173 Netstat Netstat -r174 Reset cdmode Reset arpReset atm Reset crashReset log Reset heartbeatReset ipmap Reset security-logShow all-info Show backupRestart seconds Show bridge interfacesShow enet all Show diffservShow dslf device-association 178Show group-mgmt Show featuresShow etheroam ah Show ip arpShow ip ipsec Show ip igmpShow ip interfaces Show ip ﬁrewallShow pppoe Show logShow memory all Show rtspShow vlan 182183 Show wireless all Show wireless clients MACaddress184 View conﬁg WAN CommandsUpload serveraddress ﬁlename conﬁrm WhoReset dsl Reset dhcp client release vcc-idReset dhcp client renew vcc-id Reset ppp vccnShow ppp stats lcp ipcp Config Mode PromptNavigating the Config Hierarchy Start ppp vccnEntering Commands in Config Mode Set ip ethernet a ipaddress188 Step Mode a CLI Conﬁguration Technique Guidelines Config CommandsDisplaying Current Gateway Settings 189Validating Your Conﬁguration 190Remote ATA Conﬁguration Commands Set ata proﬁle 0.. ata-static-wan-subnet-mask subnetmask Set ata proﬁle 0.. ata-dhcpc-vid stringSet ata proﬁle 0.. ata-static-wan-ip ipaddr Set ata proﬁle 0.. ata-static-wan-gateway ipaddrSet ata proﬁle 0.. ata-auth-id value Set ata proﬁle 0.. ata-user-password stringSet ata proﬁle 0.. ata-outproxy-port port Set ata proﬁle 0.. ata-user-name stringSet atm option on off DSL CommandsSet atm vcc n qos service-class cbr ubr vbr Set atm vcc n option on offSet atm vcc n vpi 0 Set atm vcc n qos sustained-cell-rate 1 ...nSet atm vcc n qos max-burst-size 1 ...n Set atm vcc n vci 0Set bridge sys-bridge on off Bridging SettingsSet atm vccn pppoe-sessions 1 Set bridge concurrent-bridging-routing on offSet bridge dsl vccn option on off Set bridge table-timeout 30Set bridge ethernet option on off 197Dhcp Settings Set dhcp range 2.. start-address ipaddress Set dhcp default-option-group nameSet dhcp server-address ipaddress Set dhcp range 2.. end-address ipaddressSet dhcp gen-option name name Set dhcp gen-option option 1200 201 Option Data Format Data Size Can Bytes Conﬁgure202 Set dhcp gen-option data-type ascii hex dotted-decimal Set dhcp gen-option data data203 Set dhcp ﬁlterset name string rule n dhcp-option 0 Set dhcp ﬁlterset name string rule n absent-action204 Set dhcp ﬁlterset name string rule n match-pool ipaddress Pass discard continueSet dhcp ﬁlterset name string rule n match-str matchstring Set dhcp ﬁlterset name string rule n absent-pool ipaddressSet dhcp assigned-ﬁlterset string 206Set dmt wiringMode auto tipring AA1 DMT SettingsSet dmt dmt dying-gasp default off on Set dmt dsl-annex-support off onSet dns proxy-enable Set dmt metallic-termination auto disabled alwaysonDomain Name System Settings Set dns domain-name domain-nameSet dns secondary-address ipaddress Set dns conﬁgured-dns-priority 0209 210 Igmp Settings 211212 Set igmp query-intvl value Set igmp snooping off onSet igmp robustness value Set igmp query-response-intvl valueSet igmp version 1 2 Set igmp wireless-m2u on offSet igmp log-enable on off Set igmp last-member-query-intvl valueSet ip option on off IP SettingsSet ip arp-timeout 60 Set ip dsl vccn address ipaddressSet ip dsl vccn netmask netmask Set ip dsl vccn restrictions admin-disabled noneSet ip dsl vccn broadcast broadcastaddress Set ip dsl vccn addr-mapping on offSet ip dsl vccn unnumbered on off Set ip dsl vccn mcast-fwd on offSet ip dsl vccn igmp-null-source-addr on off Set ip dsl vccn rip-send off v1 v2 v1-compat v2-MD5Set ip ethernet a address ipaddress Set ip dsl vccn rip-receive Off v1 v2 v1-compat v2-MD5Set ip ethernet a option on off Set ip ethernet a broadcast broadcastaddressSet ip ethernet a rip-send Off v1 v2 v1-compat v2-MD5 Set ip ethernet a restrictions none admin-disabledSet ip ethernet a netmask netmask 219Set ip ethernet a subnet n address ipaddress Set ip ethernet a rip-receive off v1 v2 v1-compat v2-MD5Set ip ethernet a subnet 2 .. option on off Set ip ethernet a subnet n netmask netmaskSet ip ip-ppp vccn peer-address ipaddress Set ip ip-ppp vccn option on offSet ip ip-ppp vccn address ipaddress 221Set ip ip-ppp vccn auto-sensing off dhcp/pppoe pppoe/pppoa Set ip ip-ppp vccn restrictions admin-disabled noneSet ip ip-ppp vccn addr-mapping on off Set ip ip-ppp vccn rip-send off v1 v2 v1-compat v2-MD5Set ip ip-ppp vccn mcast-fwd on off Set ip ip-ppp vccn rip-receive off v1 v2 v1-compat v2-MD5Set ip ip-ppp vccn igmp-null-source-addr on off Set ip ip-ppp vccn unnumbered on offSet ip ip-ppp vccn dns acquired-dns-priority 0 224Set ip ipsec-passthrough off on Set ip static-arp ip-addressipaddressSet ip igmp-forwarding off on 225Set ip prioritize off on 226Set diffserv option off on Set diffserv lohi-ratio 60 100 percent227 Qos off assure expedite network-control 228Set diffserv qos dscp-map default custom 229By default, the following settings are used in custom mode 230Queue Conﬁguration 231232 Set queue name wfq weight-type bps 233234 Set queue name priorityqueuename default-inputqueuename 235Rate-limiting weighted fair queue to 100Kbps 236Set ip static-routes destination-networknetaddress Set ip sip-passthrough on offSet ip ethernet B rtsp-passthrough off on 237238 Set ip-maps name name internal-ip ip address IPMaps SettingsDelete ip static-routes destination-network netaddress Set ip-maps name name external-ip ip addressNetwork Address Translation NAT Default Settings Network Address Translation NAT Pinhole SettingsSet pinhole name name external-port-start 0 Set pinhole name nameSet pinhole name name protocol-select tcp udp Set pinhole name name external-port-end 0PPPoE /PPPoA Settings Set ppp module vccn echo-period integer Set ppp module vccn protocol-compression on offSet ppp module vccn lcp-echo-requests on off Set ppp module vccn lost-echoes-max integerSet ppp module vccn connection-type instant-on always-on Set ppp module vccn restart-timer integerSet ppp module vccn terminate-max integer Set ppp module vccn time-out integerSet ppp module vccn port-authentication username username Set ppp module vccn port-authentication password password245 Set wan-over-ether pppoe-with-ipoe on off PPPoE with IPoE SettingsSet wan-over-ether pppoe on off Set wan-over-ether ipoe-sessions 1Set atm vcc n encap pppoe-llc 247Set ip ip-ppp vcc1 igmp-null-source-addr off on Ethernet Port SettingsSet ip ip-ppp vcc1 mcast-fwd on off 248Set ethernet oam ah option off on 802.3ah Ethernet OAM SettingsSet ethernet oam ah mode active passive Set ethernet oam ah pass-through off onEtheroam ah ping Set ethernet oam ah discovery-timer 1Set ethernet oam ah keepalive-timer 5 250Set preference more lines Command Line Interface Preference SettingsSet preference verbose on off 251Set servers telnet-tcp 1 Port Renumbering SettingsSet servers web-http 1 252Security Settings 253254 Application Select this Level Other Considerations255 Port Session Type Port StateSet security ipsec option off on off 256Set security ipsec tunnels name 123 tun-enable on on off Set security ipsec tunnels name257 Set security ipsec tunnels name 123 IKE-mode DH-group 1 1 2 258Set security ipsec tunnels name 123 nat-enable on off Set security ipsec tunnels name 123 xauth enable off onSet security ipsec tunnels name 123 xauth password password Set security ipsec tunnels name 123 xauth username usernameSet security ipsec tunnels name 123 local-id idvalue Set security ipsec tunnels name 123 remote-id idvalue260 261 Set security state-insp tcp-timeout 30 262Set security state-insp xposed-addr exposed-address# n Set security state-insp udp-timeout 30Set security state-insp dos-detect off on Set security state-insp xposed-addrExposed-address# n protocol tcp udp both any 264Snmp Settings Set snmp v3 enable off on Set snmp notify type v1-trap v2-trap inform266 Set snmp v3 ro-account security-name string Set snmp v3 ro-account auth-passwordSet snmp v3 ro-account priv-password Set snmp v3 ro-account security-model none auth auth+privSet snmp v3 rw-account security-name string Set snmp v3 rw-account auth-passwordSet snmp v3 rw-account priv-password Set snmp v3 rw-account security-model none auth auth+privSet system name name System SettingsShow snmp v3 engine-id 269270 Set system ftp-server option off on Set system idle-timeout telnet 1...120 http 1Set system username administrator name user name Set system log-size 10240Set system password admin user Sleep Contact-email string@domainname location string272 Set system zerotouch option on off Set system zerotouch redirect-url redirection-URL273 Syslog Default syslog installation procedure 275Type save 276Wireless Settings supported models Set wireless mode both-b-and-g b-only g-only Set wireless multi-ssid option on off278 279 Set wireless no-bridging off on Set wireless tx-power full medium fair low minimal280 Set wireless wmm option off on 281282 283 Set wireless network-id privacy pre-shared-key string Set wireless network-id privacy default-keyid284 Set wireless mac-auth option on off 285286 Set radius alt-radius-name servernamestring Set radius radius-name servernamestringSet radius radius-secret sharedsecret Set radius alt-radius-secret sharedsecretVlan Settings Set vlan name name ports port promote off on Set vlan name name ports port tag off onSet vlan name name ports port priority off on Set vlan name name ports port port-pbits 0290 Assign an IP interfaceAn example of a Triple-Play setup 291292 Set vlan name PPPoE11 id293 Set voip phone 0 1 sip-proxy-server servername ipaddress VoIP settingsSet voip phone 0 1 sip-option off on Set voip phone 0 1 sip-proxy-server-domain domainnameSet voip phone 0 1 sip-out-proxy-server Set voip phone 0 1 sip-registrar-setting sip-expires-time 0Set voip phone 0 1 sip-user-password password Set voip phone 0 1 sip-user-display-name nameSet voip phone 0 1 codec G72616 priority 1 2 3 4 5 6 7 none 3 4 5 6 7 noneSet voip phone 0 1 codec G729A priority 1 2 3 4 5 6 7 none Set voip phone 0 1 codec G72624 priority 1 2 3 4 5 6 7 none297 Set voip phone 0 1 sip-advanced-setting dsp-settings 298Echo-max-attenuation 0 299300 Set upnp log off on UPnP settingsSet upnp option on off Set upnp read-only off onDSL Forum settings Set dslf-lanmgmt option off on302 303 Set backup failure-timeout 1 Backup IP Gateway SettingsSet backup option disabled manual automatic Set backup ping-host 1 2 name addressSet ip backup-gateway option on off Set backup auto-recovery off onSet backup recovery-timeout 1 Set ip backup-gateway interface ip-addressVdsl Settings 306Vdsl Parameter Defaults 307308 Vdsl Parameters Accepted Values309 Parameter310 Etsi M2 CAB311 312 313 314 Glossary 315316 317 318 319 320 Ethernet crossover cable. See crossover cable 321322 323 324 325 326 327 328 329 330 331 332 Description 333334 Software and protocolsAgency approvals 335Manufacturer’s Declaration of Conformance 336337 Declaration for Canadian usersImportant Safety Instructions 338CFR Part 68 Information 339Electrical Safety Advisory 340Copyright Acknowledgments 341342 343 344 Index DSL 66 248 NTP VPI/VCI 350