Manuals / Brands / Computer Equipment / Network Card / ZyXEL Communications / Computer Equipment / Network Card

ZyXEL Communications 202H Figure 1-4Secure Internet Access and VPN Application

1 309

Download 309 pages, 4.93 Mb

35

Prestige 202H User’s Guide

Figure 1-4 Secure Internet Access and VPN Application

Getting to Know Your Prestige

1-7

Contents

ISDN Router User’s Guide Copyright Copyright © 2003 by ZyXEL Communications Corporation Disclaimer Trademarks Notice Certifications Information for Canadian Users Caution Note ZyXEL Limited Warranty NOTE Customer Support Table of Contents Chapter 6 Ethernet Setup Chapter 7 Internet Access Setup Page Chapter 14 Configuring Firewall with the Web Configurator Chapter 15 Creating Custom Rules Chapter 18 Filter Configuration Page Chapter 24 Remote Management Chapter 25 Introduction to VPN/IPSec Chapter 26 VPN/IPSec Setup Page List of Figures Page Page Page Page Page Page List of Tables Page Page Page Preface About This User's Manual Related Documentation User Guide Feedback Syntax Conventions Control Panels Modem Part I: Getting Started Page Getting to Know Your Prestige 1.1Introducing the Prestige 202H 1.2Features IPSec VPN Capability Firewall Auto-negotiating10/100 Mbps Ethernet LAN Auto-crossover10/100 Mbps Ethernet LAN Call Scheduling Network Address Translation (NAT) SNMP (Simple Network Management Protocol – Versions 1 and 2) Outgoing Data Call Bumping Support CLID Callback Support For Dial-InUsers TCP/IP and PPP Support Dial-on-Demand PPP Multilink 1.3Internet Access With the Prestige 1.3.1 Internet Access Internet Single User Account 1.3.2 LAN-to-LANConnection 1.3.3 Remote Access Server 1.3.4 Secure Broadband Internet Access and VPN Figure 1-4Secure Internet Access and VPN Application Page Hardware Installation 2.1Front Panel 2.2Rear Panel and Connections 2.2.1 Connecting the ISDN Line 2.2.2 Connecting the Console Port 2.2.3 Connecting a Computer to the Router 2.2.4 Connecting the Power Adaptor to your Router 2.3Turn On Your Router Page Introducing the SMT 3.1Introduction to the SMT 3.2Accessing the Prestige via the Console Port 3.3Initial Screen 3.3.1 Entering the Password 3.4Navigating the SMT Interface 3.4.1 System Management Terminal Interface Summary 3.5SMT Menu Overview 3.6Changing the System Password 3.7Resetting the Prestige 3.7.1 Uploading a Configuration File Via Console Port Transfer Send File Figure 3-6Example Xmodem Upload SMT Menu 1 General Setup 4.1General Setup Overview 4.1.1 General Setup and System Name 4.2Configuring General Setup 4.3Dynamic DNS 4.3.1 DYNDNS Wildcard 4.4Configuring Dynamic DNS Page ISDN Setup 5.1ISDN Setup Overview 5.1.1 IDSN Setup 5.2ISDN Advanced Setup Menus Switch Type Calling Line Indication PABX Outside Line Prefix PABX Number (with S/T Bus Number) for Loopback Outgoing Calling Party Number Data Link Connection 5.2.1 Configuring Advanced Setup 5.3NetCAPI 5.3.1 Overview CAPI ISDN-DCP 5.3.2 Configuring the Prestige as a NetCAPI Server 5.3.3 RVS-COM Example of Installing CAPI driver and Communication Software 5.3.4 Configuring NetCAPI Page Ethernet Setup 6.1Ethernet Setup 6.1.1 General Ethernet Setup 6.2Ethernet TCP/IP and DHCP Server 6.2.1 Factory Ethernet Defaults 6.2.2 IP Address and Subnet Mask 6.2.3 Private IP Addresses 6.2.4 RIP Setup 6.2.5 DHCP Configuration IP Pool Setup DNS Server Address 6.3Configuring TCP/IP Ethernet and DHCP 6.4IP Alias 6.5IP Alias Setup Table 6-4IP Menu 3.2.1 – IP Alias Setup Internet Access Setup 7.1Internet Access Overview 7.2Internet Access Setup Idle Timeout only applies when the router initiates the call Part II: Advanced Applications Remote Node Configuration 8.1Remote Node Overview 8.1.1 Minimum Toll Period 8.2Remote Node Setup Figure 8-1Menu 11 Remote Node Setup Remote Node Profile Figure 8-2Menu 11.1 Remote Node Profile Table 8-1Menu 11.1 Remote Node Profile Page Page 8.3Outgoing Authentication Protocol 8.4PPP Multilink 8.5Bandwidth on Demand 8.6Editing PPP Options Figure 8-3Menu 11.2 Remote Node PPP Options Table 8-3Menu 11.2 Remote Node PPP Options 8.7LAN-to-LANApplication LAN 1 Setup Figure 8-5LAN 1 Setup LAN 2 Setup Figure 8-6LAN 2 Setup 8.8Configuring Network Layer Options Table 8-5Remote Node Network Layer Options Table 8-6Remote Node Network Layer Options My Wan Addr 8.9Configuring Filter Figure 8-8Menu 11.5 Remote Node Filter Page Static Route Setup 9.1Static Route Overview IP Static Route Setup Figure 9-2Menu 12 IP Static Route Setup Edit IP Static Route Figure 9-3Menu 12.1 Edit IP Static Route Table 9-1Menu 12.1 Edit IP Static Route Page Page Dial-inSetup 10.1 Dial-inUsers Overview 10.2 Default Dial-inUser Setup 10.2.1 CLID Callback Support For Dial-InUsers 10.3 Setting Up Default Dial-in Page 10.3.1 Default Dial-inFilter 10.4 Callback Overview 10.5 Dial-InUser Setup Figure 10-3Menu 14 Dial-inUser Setup Edit User Figure 10-4Menu 14.1 Edit Dial-inUser Table 10-3Edit Dial-inUser 10.6 Telecommuting Application With Windows Example Figure 10-5Example of Telecommuting Configuring Menu 13: Figure 10-6Configuring Menu 13 for Remote Access Configuring Menu Figure 10-7Edit Dial-in-User callback 10.7 LAN-to-LANServer Application Example 10.7.1 Configuring Callback in LAN-to-LANApplication Figure 10-9LAN 1 LAN-to-LANApplication Figure 10-10LAN 2 LAN-to-LANApplication 10.7.2 Configuring With CLID in LAN-to-LANApplication Prestige on LAN Figure 10-12Callback With CLID Configuration Menu Figure 10-13Configuring CLID With Callback Rem CLID Figure 10-14Callback and CLID Connection Test Network Address Translation (NAT) 11.1 NAT Overview 11.1.1 NAT Definitions 11.1.2 What NAT Does 11.1.3 How NAT Works 11.1.4 NAT Application 11.1.5 NAT Mapping Types 11.1.6 SUA (Single User Account) Versus NAT 11.2 Applying NAT 11.3 NAT Setup 11.3.1 Address Mapping Sets SUA Address Mapping Set 11.3.2 User-DefinedAddress Mapping Sets 11.3.3 Ordering Your Rules No changes to the set take place until this action is taken Menu 15.1.1.1 - Address Mapping Rule Local Global Start/End IPs An End IP address must be numerically greater than its corresponding IP Start 11.4 NAT Server Sets – Port Forwarding 11.4.1 Configuring a Server behind NAT Menu 15.2 - NAT Server Sets Figure 11-10Menu 15.2 NAT Server Sets Menu 15.2 NAT Server Setup Figure 11-11Menu 15.2 NAT Server Setup Start Port No 11.5 General NAT Examples 11.5.1 Example 1: Internet Access Only Figure 11-13NAT Example Figure 11-14Menu 4 Internet Access & NAT Example NAT Network Address Translation 11.5.2 Example 2: Internet Access with an Inside Server 11.5.3 Example 3: Multiple Public IP Addresses With Inside Servers Figure 11-17NAT Example Menu 15.1 - Address Mapping Sets Edit Action One-to-One Start IP Figure 11-18Example 3: Menu Figure 11-19Example 3: Menu Figure 11-20Example 3: Final Menu Step 9. Enter 2 in Menu 15 - NAT Setup Example 3: Menu 11.5.4 Example 4: NAT Unfriendly Application Programs Figure 11-22Example 4: Menu 15.1.1.1 Address Mapping Rule Figure 11-23Example 4: Menu 15.1.1 Address Mapping Rules Part III: Firewall Firewalls 12.1 Firewall Overview 12.2 Types of Firewalls 12.2.1 Packet Filtering Firewalls 12.2.2 Application-levelFirewalls 12.3 Introduction to ZyXEL’s Firewall 12.4 Denial of Service 12.4.1 Basics 12.4.2 Types of DoS Attacks Figure 12-2 Three-WayHandshake SYN Attack Figure 12-3SYN Flood LAND Attack brute-force Figure 12-4Smurf Attack Table 12-2ICMP Commands That Trigger Alerts 12.5 Stateful Inspection 12.5.1 Stateful Inspection Process 12.5.2 Stateful Inspection and the Prestige 12.5.3 TCP Security 12.5.4 UDP/ICMP Security 12.5.5 Upper Layer Protocols 12.6 Guidelines For Enhancing Security With Your Firewall 12.6.1 Security In General 12.7 Packet Filtering Vs Firewall 12.7.1 Packet Filtering: When To Use Filtering 12.7.2 Firewall When To Use The Firewall Page Introducing the Prestige Firewall 13.1 Access Methods 13.2 Using Prestige SMT Menus 13.2.1 Activating the Firewall 13.2.2 Viewing the Firewall Log Table 13-1View Firewall Log Page Chapter 14 Configuring Firewall with the Web Configurator 14.1 Web Configurator Login and Main Menu Screens Figure 14-2Firewall Functions Table 14-1Predefined Services 14.2 Enabling the Firewall 14.3 E-mail 14.3.1 Alerts Table 14-2 E-mail 14.3.2 SMTP Error Messages 14.3.3 Example E-mailLog 14.4 Attack Alert 14.4.1 Threshold Values 14.4.2 Half-OpenSessions TCP Maximum Incomplete and Blocking Time Alert Figure 14-6Attack Alert Table 14-4Attack Alert Page Page Page Creating Custom Rules 15.1 Rules Overview 15.2 Rule Logic Overview 15.2.1 Rule Checklist 15.2.2 Security Ramifications 15.2.3Key Fields For Configuring Rules Action Service Source Address 15.3 Connection Direction 15.3.1 LAN to WAN Rules 15.3.2 WAN to LAN Rules 15.4 Rule Summary Figure 15-3Firewall Rules Summary: First Screen Table 15-1Firewall Rules Summary: First Screen 15.5 Predefined Services Table 15-2Predefined Services Page 15.5.1 Creating/Editing Firewall Rules Figure 15-4Creating/Editing A Firewall Rule 15.5.2 Source and Destination Addresses 15.6 Timeout 15.6.1 Configuring Timeout Values Page Customized Services 16.1 Customized Services Overview 16.2 Creating/Editing A Customized Service 16.3 Example Firewall Rule Figure 16-3Configure Source IP Firewall Customized Services Config Figure 16-4Customized Service for MyService Customized services show up with an “*” before their names in the Services list box and the Rule Summary list box. Click Apply after you’ve created your Figure 16-5MyService Rule Configuration Rule Summary Figure 16-6Example Rule Summary Firewall Logs 17.1 Log Screen Table 17-1Log Screen Part IV: Advanced Management Page Filter Configuration 18.1 Filtering Overview Figure 18-1Outgoing Packet Filtering Process Execute Filter Rule 18.2 Configuring a Filter Set Figure 18-4Menu 21.1 Filter Set Configuration Edit Comments Menu 21.1.x- Filter Rules Summary Figure 18-5NetBIOS_WAN Filter Rules Summary Figure 18-6NetBIOS _LAN Filter Rules Summary 18.2.1 Filter Rules Summary Menus Table 18-2Rule Abbreviations Used 18.3 Configuring a Filter Rule 18.3.1 TCP/IP Filter Rule Figure 18-9Menu 21.1.7.1 TCP/IP Filter Rule Table 18-3Menu 21.1.7.1 TCP/IP Filter Rule Page Page Figure 18-10Executing an IP Filter 18.3.2 Generic Filter Rule Check Next 18.4 Filter Types and NAT 18.5 Example Filter Figure 18-13Sample Telnet Filter Menu 21 - Filter and Firewall Setup Menu 21.1 - Filter Set Configuration Menu 21.1.9 - Filter Rules Summary Figure 18-14Sample Filter Menu 18.6 Applying Filters and Factory Defaults 18.6.1 Ethernet Traffic 18.6.2 Remote Node Filters Figure 18-17Filtering Remote Node Traffic Page SNMP Configuration 19.1 SNMP Overview 19.2 Supported MIBs 19.3 SNMP Configuration 19.4 SNMP Traps Table 19-2SNMP Traps Table 19-3Ports and Permanent Virtual Circuits System Information and Diagnosis 20.1 System Status Overview 20.2 System Status Figure 20-2Menu 24.1 System Maintenance Status Table 20-1Menu 24.1 System Maintenance Status 20.3 System Information and Console Port Speed 20.3.1 System Information 20.3.2 Console Port Speed 20.4 Log and Trace 20.4.1 Viewing Error Log 20.4.2 Unix Syslog Figure 20-8Menu 24.3.2 System Maintenance Unix Syslog Table 20-3Menu 24.3.2 System Maintenance Unix Syslog Page 20.5 Accounting Server 20.6 Call Triggering Packet 20.7 Diagnostic Figure 20-11Menu 24.4 System Maintenance Diagnostic Menu 24 – System Maintenance Diagnostic Table 20-4System Maintenance Menu Diagnostic Manual Call Figure 20-12Display for a Successful Manual Call Page 21.1 Filename Conventions 21.2 Backup Configuration 21.2.1 Backup Configuration 21.2.2 Using the FTP Command from the Command Line 21.2.3 Example of FTP Commands from the Command Line 21.2.4 GUI-basedFTP Clients 21.2.5 Remote Management Limitations 21.2.6 Backup Configuration Using TFTP 21.2.7 TFTP Command Example 21.2.8 GUI-basedTFTP Clients 21.2.9 Backup Via Console Port 21.3 Restore Configuration 21.3.1 Restore Using FTP 21.3.2 Restore Using FTP Session Example 21.3.3 Restore Via Console Port 21.4 Uploading Firmware and Configuration Files 21.4.1 Firmware File Upload 21.4.2 Configuration File Upload 21.4.3 FTP File Upload Command from the DOS Prompt Example 21.4.4 FTP Session Example of Firmware File Upload 21.4.5 TFTP File Upload 21.4.6 TFTP Upload Command Example 21.4.7 Uploading Via Console Port 21.4.8 Uploading Firmware File Via Console Port 21.4.9 Example Xmodem Firmware Upload Using HyperTerminal 21.4.10Uploading Configuration File Via Console Port 21.4.11Example Xmodem Configuration Upload Using HyperTerminal Figure 21-20Example Xmodem Upload Page SMT Menus 24.8 to 22.1 Command Interpreter Mode 22.2 Call Control Support 22.2.1 Call Control Parameters 22.2.2 Black List 22.2.3 Budget Management 22.2.4 Call History 22.3 Time and Date Daytime (RFC 867) Time (RFC-868) NTP (RFC-1305) the default, is similar to Time (RFC-868) 22.3.1 Resetting the Time Call Scheduling 23.1 Call Scheduling Overview 23.2 Configuring Call Scheduling To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] or [DEL] in the Edit Name field Menu 26.1 - Schedule Set Setup Figure 23-2Menu 26.1 Schedule Set Setup Table 23-1Menu 26.1 Schedule Set Setup 23.3 Applying Schedule Sets Figure 23-3Applying Schedule Set(s) Remote Management 24.1 Remote Management Overview 24.1.1 Remote Management Limitations 24.1.2 Remote Management and NAT 24.1.3 System Timeout 24.2 Telnet 24.3 FTP 24.4 Web 24.5 Configuring Remote Management Figure 24-2Remote Management Table 24-1Remote Management Page Introduction to VPN/IPSec 25.1 VPN Overview 25.1.1 IPSec 25.1.2 Security Association 25.1.3 Other Terminology 25.1.4 VPN Applications 25.2 IPSec Architecture 25.2.1 IPSec Algorithms 25.2.2 Key Management 25.3 Encapsulation 25.3.1 Transport Mode 25.3.2 Tunnel Mode 25.4 IPSec and NAT VPN/IPSec Setup 26.1 VPN/IPSec Overview 26.1.1 VPN/IPSec SMT Menus 26.2 IPSec Algorithms 26.2.1 AH (Authentication Header) Protocol 26.2.2 ESP (Encapsulating Security Payload) Protocol 26.3 My IP Address 26.4 Secure Gateway Address 26.4.1 Dynamic Secure Gateway Address 26.5 IPSec Summary Figure 26-4Menu 27.1 IPSec Summary Table 26-2Menu 27.1 IPSec Summary Page Page 26.6 Keep Alive 26.7 ID Type and Content 26.7.1 ID Type and Content Examples 26.8 Pre-SharedKey 26.9 IPSec Setup Figure 26-5Menu 27.1.1 IPSec Setup Table 26-7Menu 27.1.1 IPSec Setup Page Page 26.10 IKE Phases Figure 26-6Two Phases to Set Up the IPSec SA 26.10.1Negotiation Mode 26.10.2Diffie-Hellman(DH) Key Groups 26.10.3Perfect Forward Secrecy (PFS) 26.11 Configuring IKE Settings Page 26.12 Manual Key Setup 26.12.1Active Protocol 26.12.2Security Parameter Index (SPI) Figure 26-8Menu 27.1.1.2 Manual Setup Table 26-10Menu 27.1.1.2 Manual Setup 26.13 Telecommuter VPN/IPSec Examples 26.13.1Telecommuters Sharing One VPN Rule Example Table 26-11Telecommuter and Headquarters Configuration Example Figure 26-9Telecommuters Sharing One VPN Rule Example 26.13.2Telecommuters Using Unique VPN Rules Example SA Monitor 27.1 SA Monitor Overview Table 27-1Menu 27.2 SA Monitor IPSec Log 28.1 IPSec Logs Figure 28-2Example VPN Responder IPSec Log Double exclamation marks (!!) denote an error or warning message Table 28-1Sample IKE Key Exchange Logs Page Table 28-2Sample IPSec Logs During Packet Transmission Table 28-3 RFC-2408ISAKMP Payload Types Page Part V: Appendices and Index Page Appendix A Troubleshooting Problems Starting Up the Prestige Problems With the ISDN Line Problems With a LAN Interface Problems Connecting to a Remote Node or ISP Remote User Dial-inProblems Problems With the Password Problems With Remote Management Appendix B Power Adapter Specifications Page Index