ZyXEL Communications
202H
Figure 1-4 Secure Internet Access and VPN Application
309 pages, 4.93 Mb
Prestige 202H User’s Guide
Figure 1-4 Secure Internet Access and VPN Application
Getting to Know Your Prestige
1-7
Contents
ISDN Router
User’s Guide
Copyright
Copyright © 2003 by ZyXEL Communications Corporation
Disclaimer
Trademarks
Notice
Certifications
Information for Canadian Users
Caution
Note
ZyXEL Limited Warranty
NOTE
Customer Support
Table of Contents
Chapter 6 Ethernet Setup
Chapter 7 Internet Access Setup
Chapter 14 Configuring Firewall with the Web Configurator
Chapter 15 Creating Custom Rules
Chapter 18 Filter Configuration
Chapter 24 Remote Management
Chapter 25 Introduction to VPN/IPSec
Chapter 26 VPN/IPSec Setup
List of Figures
List of Tables
Preface
About This User's Manual
Related Documentation
User Guide Feedback
Syntax Conventions
Control Panels
Modem
Part I:
Getting Started
Getting to Know Your Prestige
1.1 Introducing the Prestige 202H
1.2 Features
IPSec VPN Capability
Firewall
Auto-negotiating 10/100 Mbps Ethernet LAN
Auto-crossover 10/100 Mbps Ethernet LAN
Call Scheduling
Network Address Translation (NAT)
SNMP (Simple Network Management Protocol – Versions 1 and 2)
Outgoing Data Call Bumping Support
CLID Callback Support For Dial-In Users
TCP/IP and PPP Support
Dial-on-Demand
PPP Multilink
1.3 Internet Access With the Prestige
1.3.1 Internet Access
Internet Single User Account
1.3.2 LAN-to-LAN Connection
1.3.3 Remote Access Server
1.3.4 Secure Broadband Internet Access and VPN
Figure 1-4 Secure Internet Access and VPN Application
Hardware Installation
2.1 Front Panel
2.2 Rear Panel and Connections
2.2.1 Connecting the ISDN Line
2.2.2 Connecting the Console Port
2.2.3 Connecting a Computer to the Router
2.2.4 Connecting the Power Adaptor to your Router
2.3 Turn On Your Router
Introducing the SMT
3.1 Introduction to the SMT
3.2 Accessing the Prestige via the Console Port
3.3 Initial Screen
3.3.1 Entering the Password
3.4 Navigating the SMT Interface
3.4.1 System Management Terminal Interface Summary
3.5 SMT Menu Overview
3.6 Changing the System Password
3.7 Resetting the Prestige
3.7.1 Uploading a Configuration File Via Console Port
Transfer
Send File
Figure 3-6 Example Xmodem Upload
SMT Menu 1 General Setup
4.1 General Setup Overview
4.1.1 General Setup and System Name
4.2 Configuring General Setup
4.3 Dynamic DNS
4.3.1 DYNDNS Wildcard
4.4 Configuring Dynamic DNS
ISDN Setup
5.1 ISDN Setup Overview
5.1.1 ISDN Setup
5.2 ISDN Advanced Setup Menus
Switch Type
Calling Line Indication
PABX Outside Line Prefix
PABX Number (with S/T Bus Number) for Loopback
Outgoing Calling Party Number
Data Link Connection
5.2.1 Configuring Advanced Setup
5.3 NetCAPI
5.3.1 Overview
CAPI
ISDN-DCP
5.3.2 Configuring the Prestige as a NetCAPI Server
5.3.3 RVS-COM
Example of Installing CAPI driver and Communication Software
5.3.4 Configuring NetCAPI
Ethernet Setup
6.1 Ethernet Setup
6.1.1 General Ethernet Setup
6.2 Ethernet TCP/IP and DHCP Server
6.2.1 Factory Ethernet Defaults
6.2.2 IP Address and Subnet Mask
6.2.3 Private IP Addresses
6.2.4 RIP Setup
6.2.5 DHCP Configuration
IP Pool Setup
DNS Server Address
6.3 Configuring TCP/IP Ethernet and DHCP
6.4 IP Alias
6.5 IP Alias Setup
Table 6-4 IP Menu 3.2.1 – IP Alias Setup
Internet Access Setup
7.1 Internet Access Overview
7.2 Internet Access Setup
Idle Timeout only applies when the router initiates the call
Part II:
Advanced Applications
Remote Node Configuration
8.1 Remote Node Overview
8.1.1 Minimum Toll Period
8.2 Remote Node Setup
Figure 8-1 Menu 11 Remote Node Setup
Remote Node Profile
Figure 8-2 Menu 11.1 Remote Node Profile
Table 8-1 Menu 11.1 Remote Node Profile
8.3 Outgoing Authentication Protocol
8.4 PPP Multilink
8.5 Bandwidth on Demand
8.6 Editing PPP Options
Figure 8-3 Menu 11.2 Remote Node PPP Options
Table 8-3 Menu 11.2 Remote Node PPP Options
8.7 LAN-to-LAN Application
LAN 1 Setup
Figure 8-5 LAN 1 Setup
LAN 2 Setup
Figure 8-6 LAN 2 Setup
8.8 Configuring Network Layer Options
Table 8-5 Remote Node Network Layer Options
Table 8-6 Remote Node Network Layer Options
My Wan Addr
8.9 Configuring Filter
Figure 8-8 Menu 11.5 Remote Node Filter
Static Route Setup
9.1 Static Route Overview
IP Static Route Setup
Figure 9-2 Menu 12 IP Static Route Setup
Edit IP Static Route
Figure 9-3 Menu 12.1 Edit IP Static Route
Table 9-1 Menu 12.1 Edit IP Static Route
Dial-in Setup
10.1 Dial-in Users Overview
10.2 Default Dial-in User Setup
10.2.1 CLID Callback Support For Dial-In Users
10.3 Setting Up Default Dial-in
10.3.1 Default Dial-in Filter
10.4 Callback Overview
10.5 Dial-In User Setup
Figure 10-3 Menu 14 Dial-in User Setup
Edit
User
Figure 10-4 Menu 14.1 Edit Dial-in User
Table 10-3 Edit Dial-in User
10.6 Telecommuting Application With Windows Example
Figure 10-5 Example of Telecommuting
Configuring Menu 13:
Figure 10-6 Configuring Menu 13 for Remote Access Configuring Menu
Figure 10-7 Edit Dial-in-User
callback
10.7 LAN-to-LAN Server Application Example
10.7.1 Configuring Callback in LAN-to-LAN Application
Figure 10-9 LAN 1 LAN-to-LAN Application
Figure 10-10 LAN 2 LAN-to-LAN Application
10.7.2 Configuring With CLID in LAN-to-LAN Application
Prestige on LAN
Figure 10-12 Callback With CLID Configuration
Menu
Figure 10-13 Configuring CLID With Callback
Rem CLID
Figure 10-14 Callback and CLID Connection Test
Network Address Translation (NAT)
11.1 NAT Overview
11.1.1 NAT Definitions
11.1.2 What NAT Does
11.1.3 How NAT Works
11.1.4 NAT Application
11.1.5 NAT Mapping Types
11.1.6 SUA (Single User Account) Versus NAT
11.2 Applying NAT
11.3 NAT Setup
11.3.1 Address Mapping Sets
SUA Address Mapping Set
11.3.2 User-Defined Address Mapping Sets
11.3.3 Ordering Your Rules
No changes to the set take place until this action is taken
Menu 15.1.1.1 - Address Mapping Rule
Local
Global Start/End IPs
An End IP address must be numerically greater than its corresponding IP Start
11.4 NAT Server Sets – Port Forwarding
11.4.1 Configuring a Server behind NAT
Menu 15.2 - NAT Server Sets
Figure 11-10 Menu 15.2 NAT Server Sets
Menu 15.2 NAT Server Setup
Figure 11-11 Menu 15.2 NAT Server Setup
Start Port No
11.5 General NAT Examples
11.5.1 Example 1: Internet Access Only
Figure 11-13 NAT Example
Figure 11-14 Menu 4 Internet Access & NAT Example
NAT
Network Address Translation
11.5.2 Example 2: Internet Access with an Inside Server
11.5.3 Example 3: Multiple Public IP Addresses With Inside Servers
Figure 11-17 NAT Example
Menu 15.1 - Address Mapping Sets
Edit Action
One-to-One
Start IP
Figure 11-18 Example 3: Menu
Figure 11-19 Example 3: Menu
Figure 11-20 Example 3: Final Menu
Step 9. Enter 2 in Menu 15 - NAT Setup
Example 3: Menu
11.5.4 Example 4: NAT Unfriendly Application Programs
Figure 11-22 Example 4: Menu 15.1.1.1 Address Mapping Rule
Figure 11-23 Example 4: Menu 15.1.1 Address Mapping Rules
Part III:
Firewall
Firewalls
12.1 Firewall Overview
12.2 Types of Firewalls
12.2.1 Packet Filtering Firewalls
12.2.2 Application-level Firewalls
12.3 Introduction to ZyXEL’s Firewall
12.4 Denial of Service
12.4.1 Basics
12.4.2 Types of DoS Attacks
Figure 12-2 Three-Way Handshake
SYN Attack
Figure 12-3 SYN Flood
LAND Attack
brute-force
Figure 12-4 Smurf Attack
Table 12-2 ICMP Commands That Trigger Alerts
12.5 Stateful Inspection
12.5.1 Stateful Inspection Process
12.5.2 Stateful Inspection and the Prestige
12.5.3 TCP Security
12.5.4 UDP/ICMP Security
12.5.5 Upper Layer Protocols
12.6 Guidelines For Enhancing Security With Your Firewall
12.6.1 Security In General
12.7 Packet Filtering Vs Firewall
12.7.1 Packet Filtering:
When To Use Filtering
12.7.2 Firewall
When To Use The Firewall
Introducing the Prestige Firewall
13.1 Access Methods
13.2 Using Prestige SMT Menus
13.2.1 Activating the Firewall
13.2.2 Viewing the Firewall Log
Table 13-1 View Firewall Log
Chapter 14 Configuring Firewall with the Web Configurator
14.1 Web Configurator Login and Main Menu Screens
Figure 14-2 Firewall Functions
Table 14-1 Predefined Services
14.2 Enabling the Firewall
14.3 E-mail
14.3.1 Alerts
Table 14-2 E-mail
14.3.2 SMTP Error Messages
14.3.3 Example E-mail Log
14.4 Attack Alert
14.4.1 Threshold Values
14.4.2 Half-Open Sessions
TCP Maximum Incomplete and Blocking Time
Alert
Figure 14-6 Attack Alert
Table 14-4 Attack Alert
Creating Custom Rules
15.1 Rules Overview
15.2 Rule Logic Overview
15.2.1 Rule Checklist
15.2.2 Security Ramifications
15.2.3 Key Fields For Configuring Rules
Action
Service
Source Address
15.3 Connection Direction
15.3.1 LAN to WAN Rules
15.3.2 WAN to LAN Rules
15.4 Rule Summary
Figure 15-3 Firewall Rules Summary: First Screen
Table 15-1 Firewall Rules Summary: First Screen
15.5 Predefined Services
Table 15-2 Predefined Services
15.5.1 Creating/Editing Firewall Rules
Figure 15-4 Creating/Editing A Firewall Rule
15.5.2 Source and Destination Addresses
15.6 Timeout
15.6.1 Configuring Timeout Values
Customized Services
16.1 Customized Services Overview
16.2 Creating/Editing A Customized Service
16.3 Example Firewall Rule
Figure 16-3 Configure Source IP
Firewall Customized Services Config
Figure 16-4 Customized Service for MyService
Customized services show up with an “*” before their names in the Services list
box and the Rule Summary list box. Click Apply after you’ve created your
Figure 16-5 MyService Rule Configuration
Rule Summary
Figure 16-6 Example Rule Summary
Firewall Logs
17.1 Log Screen
Table 17-1 Log Screen
Part IV:
Advanced Management
Filter Configuration
18.1 Filtering Overview
Figure 18-1 Outgoing Packet Filtering Process
Execute
Filter Rule
18.2 Configuring a Filter Set
Figure 18-4 Menu 21.1 Filter Set Configuration
Edit Comments
Menu 21.1.x - Filter Rules Summary
Figure 18-5 NetBIOS_WAN Filter Rules Summary
Figure 18-6 NetBIOS_LAN Filter Rules Summary
18.2.1 Filter Rules Summary Menus
Table 18-2 Rule Abbreviations Used
18.3 Configuring a Filter Rule
18.3.1 TCP/IP Filter Rule
Figure 18-9 Menu 21.1.7.1 TCP/IP Filter Rule
Table 18-3 Menu 21.1.7.1 TCP/IP Filter Rule
Figure 18-10 Executing an IP Filter
18.3.2 Generic Filter Rule
Check Next
18.4 Filter Types and NAT
18.5 Example Filter
Figure 18-13 Sample Telnet Filter
Menu 21 - Filter and Firewall Setup
Menu 21.1 - Filter Set Configuration
Menu 21.1.9 - Filter Rules
Summary
Figure 18-14 Sample Filter Menu
18.6 Applying Filters and Factory Defaults
18.6.1 Ethernet Traffic
18.6.2 Remote Node Filters
Figure 18-17 Filtering Remote Node Traffic
SNMP Configuration
19.1 SNMP Overview
19.2 Supported MIBs
19.3 SNMP Configuration
19.4 SNMP Traps
Table 19-2 SNMP Traps
Table 19-3 Ports and Permanent Virtual Circuits
System Information and Diagnosis
20.1 System Status Overview
20.2 System Status
Figure 20-2 Menu 24.1 System Maintenance Status
Table 20-1 Menu 24.1 System Maintenance Status
20.3 System Information and Console Port Speed
20.3.1 System Information
20.3.2 Console Port Speed
20.4 Log and Trace
20.4.1 Viewing Error Log
20.4.2 Unix Syslog
Figure 20-8 Menu 24.3.2 System Maintenance Unix Syslog
Table 20-3 Menu 24.3.2 System Maintenance Unix Syslog
20.5 Accounting Server
20.6 Call Triggering Packet
20.7 Diagnostic
Figure 20-11 Menu 24.4 System Maintenance Diagnostic
Menu 24 – System Maintenance
Diagnostic
Table 20-4 System Maintenance Menu Diagnostic
Manual Call
Figure 20-12 Display for a Successful Manual Call
21.1 Filename Conventions
21.2 Backup Configuration
21.2.1 Backup Configuration
21.2.2 Using the FTP Command from the Command Line
21.2.3 Example of FTP Commands from the Command Line
21.2.4 GUI-based FTP Clients
21.2.5 Remote Management Limitations
21.2.6 Backup Configuration Using TFTP
21.2.7 TFTP Command Example
21.2.8 GUI-based TFTP Clients
21.2.9 Backup Via Console Port
21.3 Restore Configuration
21.3.1 Restore Using FTP
21.3.2 Restore Using FTP Session Example
21.3.3 Restore Via Console Port
21.4 Uploading Firmware and Configuration Files
21.4.1 Firmware File Upload
21.4.2 Configuration File Upload
21.4.3 FTP File Upload Command from the DOS Prompt Example
21.4.4 FTP Session Example of Firmware File Upload
21.4.5 TFTP File Upload
21.4.6 TFTP Upload Command Example
21.4.7 Uploading Via Console Port
21.4.8 Uploading Firmware File Via Console Port
21.4.9 Example Xmodem Firmware Upload Using HyperTerminal
21.4.10 Uploading Configuration File Via Console Port
21.4.11 Example Xmodem Configuration Upload Using HyperTerminal
Figure 21-20 Example Xmodem Upload
SMT Menus 24.8 to
22.1 Command Interpreter Mode
22.2 Call Control Support
22.2.1 Call Control Parameters
22.2.2 Black List
22.2.3 Budget Management
22.2.4 Call History
22.3 Time and Date
Daytime (RFC 867)
Time (RFC-868)
NTP (RFC-1305), the default, is similar to Time (RFC-868)
22.3.1 Resetting the Time
Call Scheduling
23.1 Call Scheduling Overview
23.2 Configuring Call Scheduling
To delete a schedule set, enter the set number and press [SPACE BAR] and then
[ENTER] or [DEL] in the Edit Name field
Menu 26.1 - Schedule Set Setup
Figure 23-2 Menu 26.1 Schedule Set Setup
Table 23-1 Menu 26.1 Schedule Set Setup
23.3 Applying Schedule Sets
Figure 23-3 Applying Schedule Set(s)
Remote Management
24.1 Remote Management Overview
24.1.1 Remote Management Limitations
24.1.2 Remote Management and NAT
24.1.3 System Timeout
24.2 Telnet
24.3 FTP
24.4 Web
24.5 Configuring Remote Management
Figure 24-2 Remote Management
Table 24-1 Remote Management
Introduction to VPN/IPSec
25.1 VPN Overview
25.1.1 IPSec
25.1.2 Security Association
25.1.3 Other Terminology
25.1.4 VPN Applications
25.2 IPSec Architecture
25.2.1 IPSec Algorithms
25.2.2 Key Management
25.3 Encapsulation
25.3.1 Transport Mode
25.3.2 Tunnel Mode
25.4 IPSec and NAT
VPN/IPSec Setup
26.1 VPN/IPSec Overview
26.1.1 VPN/IPSec SMT Menus
26.2 IPSec Algorithms
26.2.1 AH (Authentication Header) Protocol
26.2.2 ESP (Encapsulating Security Payload) Protocol
26.3 My IP Address
26.4 Secure Gateway Address
26.4.1 Dynamic Secure Gateway Address
26.5 IPSec Summary
Figure 26-4 Menu 27.1 IPSec Summary
Table 26-2 Menu 27.1 IPSec Summary
26.6 Keep Alive
26.7 ID Type and Content
26.7.1 ID Type and Content Examples
26.8 Pre-Shared Key
26.9 IPSec Setup
Figure 26-5 Menu 27.1.1 IPSec Setup
Table 26-7 Menu 27.1.1 IPSec Setup
26.10 IKE Phases
Figure 26-6 Two Phases to Set Up the IPSec SA
26.10.1 Negotiation Mode
26.10.2 Diffie-Hellman (DH) Key Groups
26.10.3 Perfect Forward Secrecy (PFS)
26.11 Configuring IKE Settings
26.12 Manual Key Setup
26.12.1 Active Protocol
26.12.2 Security Parameter Index (SPI)
Figure 26-8 Menu 27.1.1.2 Manual Setup
Table 26-10 Menu 27.1.1.2 Manual Setup
26.13 Telecommuter VPN/IPSec Examples
26.13.1 Telecommuters Sharing One VPN Rule Example
Table 26-11 Telecommuter and Headquarters Configuration Example
Figure 26-9 Telecommuters Sharing One VPN Rule Example
26.13.2 Telecommuters Using Unique VPN Rules Example
SA Monitor
27.1 SA Monitor Overview
Table 27-1 Menu 27.2 SA Monitor
IPSec Log
28.1 IPSec Logs
Figure 28-2 Example VPN Responder IPSec Log
Double exclamation marks (!!) denote an error or warning message
Table 28-1 Sample IKE Key Exchange Logs
Table 28-2 Sample IPSec Logs During Packet Transmission
Table 28-3 RFC-2408 ISAKMP Payload Types
Part V:
Appendices and Index
Appendix A
Troubleshooting
Problems Starting Up the Prestige
Problems With the ISDN Line
Problems With a LAN Interface
Problems Connecting to a Remote Node or ISP
Remote User Dial-in Problems
Problems With the Password
Problems With Remote Management
Appendix B
Power Adapter Specifications
Index