ZyXEL Communications P-312 6.3 NAT Server Sets

P312 Broadband Security Gateway

NAT 6-11

Field Description Option/Example

examples. and Server

Local IP Only local IP fields are N/A for server;

Global IP fields MUST be set for

Server.

Start This is the starting local IP address (ILA). 0.0.0.0

End This is the ending local IP address (ILA). If

the rule is for all local IPs, then put the Start

IP as 0.0.0.0 and the End IP as

255.255.255.255. This field is N/A for One-

to-One and Server types.

255.255.255.255

Global IP Start This is the starting global IP address (IGA).

If you have a dynamic IP, enter 0.0.0.0 as

the Global IP Start. Note that Global IP

Start can be set to 0.0.0.0 only if the types

are Many-to-One or Server.

0.0.0.0

End This is the ending global IP address (IGA).

This field is N/A for One-to-One, Many-to-

One and Server types.

172.16.23.55

Note: For all Local and Global IPs, the End IP address must begin after the IP Start

address, i.e., you cannot have an End IP address beginning before the Start IP

address.

6.3 NAT Server Sets

A NAT server set is a list of inside servers (behind NAT on the LAN) that you can make visible to the

outside world. Menu 15.2 – NAT Server Sets is used to configure these servers. If you’re using Ethernet

Encapsulation with either RR-Manager or RR-Toshiba Service Type port 12 set to 1025 (non-editable)

as displayed in Figure 6-11.

6.3.1 Multiple Servers behind NAT

If you wish, you can make inside servers for different services, e.g., web or FTP, visible to the outside

users, even though NAT makes your whole inside network appear as a single machine to the outside world.

A service is identified by the port number, e.g., web service is on port 80 and FTP on port 21.

As an example (see the following figure), if you have a web server at 192.168.1.36 and an FTP server

192.168.1.33, then you need to specify for port 80 (web) the server at IP address 192.168.1.36 and for port

21 (FTP) another at IP address 192.168.1.33.

Please note that a server can support more than one service, e.g., a server can provide both FTP and DNS

service, while another provides only web service.

Contents

Main Prestige 312 Broadband Security Gateway P312 Broadband Security Gateway FCC Statement iii Federal Communications Commission (FCC) Interference Statement iv Canadian Users Information for Canadian Users Declaration of Conformity Prestige 312 Standard Standard Item Versi on Page Page viii Customer Support Customer Support Table of Contents Page Page Page Page Page Page List of Figures Page Page Page Page Page Page List Of Tables Page Page Page Preface Page Page Page Chapter 1 Getting to Know Your Prestige 1.1 The Prestige 312 Broadband Security Gateway 1.2 Features of The Prestige 312 Page 1.3 Applications for Prestige 312 1.3.1 Broadband Internet Access via Cable or xDSL Modem Page Chapter 2 Hardware Installation & Initial Setup 2.1 Front Panel LEDs and Back Panel Ports 2.1.1 Front Panel LEDs 2.2 Prestige 312 Rear Panel and Connections 2.3 Additional Installation Requirements 2.4 Housing 2.5 Power Up Your Prestige P312 Broadband Security Gateway Hardware Installation & Initial Setup 2-5 Figure 2-4 Password Screen 2.6 Navigating the SMT Interface 2-6 Hardware Installation & Initial Setup 2.6.1 Main Menu After you enter the password, the SMT displays the Prestige 312 Main Menu, as shown below. Figure 2-5 Prestige 312 Main Menu 2.6.2 System Management Terminal Interface Summary Table 2-3 Main Menu Summary 2.7 Changing the S ystem Password 2.7.1 Resetting the Prestige 2.8 General Setup 2.8.1 Dynamic DNS 2.8.2 Configuring Dynamic DNS 2.9 WAN Setup 2.10 LAN Setup 2.10.1 LAN Port Filter Setup Chapter 3 Internet Access 3.1 TCP/IP and DHCP for LAN 3.1.1 Factory LAN Defaults 3.1.2 IP Address and Subnet Mask 3.1.3 Private IP Addresses 3.1.4 RIP Setup 3.1.5 DHCP Configuration 3.1.6 IP Multicast 3.1.7 IP Alias 3.2 TCP/IP and DHCP Ethernet Setup Page 3-6 Internet Access P312 Broadband Security Gateway Internet Access 3-7 3.2.1 IP Alias Setup 3.3 Internet Access Setup 3.3.1 Ethernet Encapsulation 3.3.2 PPTP Encapsulation 3.3.3 Configuring the PPTP Client 3.3.4 PPPoE Encapsulation Page 3.4 Basic Setup Complete Page Chapter 4 Remote Node Setup 4.1 Remote Node Profile 4.1.1 Ethernet Encapsulation 4-2 Remote Node Setup Table 4-1 Fields in Menu 11.1 4.1.2 PPPoE Encapsulation 4-4 Remote Node Setup Table 4-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific) 4.1.3 PPTP Encapsulation Remote Node Setup 4-5 4-6 Remote Node Setup 4.2 Editing TCP/IP Options (with Ethernet Encapsulation) 4.2.1 Editing TCP/IP Options (with PPTP Encapsulation) 4-8 Remote Node Setup 4.2.2 Editing TCP/IP Options (with PPPoE Encapsulation) 4.3 Remote Node Filter Page Page 5.1 IP Static Route Setup IP Static Route Setup 5-3 Table 5-1 IP Static Route Menu Fields Page Chapter 6 Network Address Translation (NAT) 6.1 Introduction 6.1.1 NAT Definitions 6.1.2 What NAT Does 6.1.3 How NAT works 6.1.4 NAT Mapping Types 6.1.5 SUA (Single User Account) Versus NAT 6.1.6 NAT Application 6.2 SMT Menus 6.2.1 Applying NAT in the SMT Menus Page 6.2.2 Configuring NAT 6.2.3 Address Mapping Sets and NAT Server Sets: Page Page Page Page 6.3 NAT Server Sets 6.3.1 Multiple Servers behind NAT 6.3.2 Configuring a Server behind NAT 6.4 Examples 6.4.1 Internet Access Only Page 6.4.2 Example 2 Internet Access with an Inside Server 6.4.3 Example 3 General Case Page Page Page 6.4.4 Example 4 NAT Unfriendly Application Programs 6-20 NAT Figure 6-23 Example 4 - Menu 15.1.1 - Address Mapping Rules Page Page Chapter 7 Filter Configuration 7.1 About Filtering 7.1.1 The Filter Structure of the Prestige Filters 7-3 Execute Filter Rule Filter Set Forward Drop Check Next Rule 7.2 Configuring a Filter Set Filters 7-5 Figure 7-6 NetBIOS_WAN Filter Rules Summary Figure 7-7 NetBIOS _LAN Filter Rules Summary Figure 7-8 TEL_FTP_WEB_WAN Filter Rules Summary 7-6 Filters 7.2.1 Filter Rules Summary Menu 7.2.2 Configuring a Filter Rule 7.2.3 TCP/IP Filter Rule 7-8 Filters Filters 7-9 Page Filters 7-11 Figure 7-10 Executing an IP Filter 7.2.4 Generic Filter Rule Filters 7-13 7.3 Example Filter Page 7.4 Filter Types and NAT 7.5 Firewall 7.6 Applying a Filter and Factory Defaults 7.6.1 LAN traffic 7.6.2 Remote Node Filters Chapter 8 SNMP Configuration 8.1 About SNMP 8.2 Configuring SNMP Page Chapter 9 System Information & Diagnosis 9.1 System Status System Information & Diagnosis 9-3 9.2 System Information and Console Port Speed 9.2.1 System Information 9.2.2 Console Port Speed 9.3 Log and Trace 9.3.1 Viewing Error Log 9.3.2 UNIX Syslog Page 9-8 System Information & Diagnosis 1. CDR 2. Packet triggered 3. Filter log System Information & Diagnosis 9-9 4. PPP log 5. Firewall log 9.3.3 Call-Triggering Packet 9.4 Diagnostic 9.4.1 WAN DHCP Page Chapter 10 Transferring Files 10.1 Filename conventions 10.1.1 Firmware Development 10.2 Backup Configuration 10.3 Restore Configuration 10.4 Upload Firmware 10.4.1 Uploading the Router Firmware 10.4.2 Uploading Router Configuration File 10.5 TFTP File Transfer 10.5.1 Example TFTP Command 10.6 FTP File Transfer 10.6.1 Using the FTP command from the DOS Prompt Page Page Chapter 11 System Maintenance & Information 11.1 Command Interpreter Mode 11.2 Call Control Support 11.2.1 Budget Management 11.2.2 Call History 11.3 Time and Date Setting 11.3.1 How often does the Prestige update the time? System Maintenance & Information 11-5 Figure 11-6 System Maintenance Time and Date Setting Table 11-3 Time and Date Setting Fields 11.4 Remote Management Setup 11.5 Boot Commands 11-8 System Maintenance & Information Figure 11-9 Boot Module Commands Chapter 12 Telnet Configuration and Capabilities 12.1 About Telnet Configuration 12.2 Telnet Under NAT 12.3 Telnet Capabilities 12.3.1 Single Administrator 12.4 Telnet Under the Firewall Page Chapter 13 What is a Firewall 13.1 Types of Firewalls 13.1.1 Packet Filtering Firewalls 13.1.2 Application-level Firewalls 13.1.3 Stateful Inspection firewalls 13.2 Introduction to ZyXELs Firewall 13.3 Denial of Service 13.3.1 Basics 13.3.2 Types of DoS attacks Page 13.4 Stateful Inspection 13.4.1 Stateful Inspection Process 13.4.2 Stateful Inspection & the Prestige 13.4.3 TCP Security 13.4.4 UDP/ICMP Security 13.4.5 Upper Layer Protocols 13.5 Guidelines For Enhancing Securit y With Your Firewall 13.5.1 Security In General Page Page Chapter 14 Introducing the Prestige Firewall 14.1 SMT Menus 14.1.1 View Firewall Log 14.1.2 Attack Types Page Page Introducing the Prestige Firewall 14-5 Table 14-4 View Firewall Log 14.2 The Big Picture Filtering, Firewall and NAT 14.3 Packet Filtering Vs Firewall 14.3.1 Packet Filtering: 14.3.2 Firewall: Page Chapter 15 Introducing the Prestige Web Configurator 15.1 Web Configurator Login and Welcome Screens Page 15.3 E-Mail 15.3.1 What are Alerts? 15.3.2 What are Logs? Introducing the Prestige Web Configurator 15-5 Table 15-1 E-Mail 15.3.3 SMTP Error Messages 15.3.4 Example E-Mail Log 15.4 Attack Alert 15.4.1 Threshold Values: 15.4.2 Half-Open Sessions Page P312 Broadband Security Gateway 15-10 Introducing the Prestige Web Configurator Table 15-3 Attack Alert Introducing the Prestige Web Configurator 15-11 Page Chapter 16 Creating Custom Rules 16.1 Rules Overview 16.2 Rule Logic Overview 16.2.1 Rule Checklist 16.2.2 Security Ramifications 16.2.3 Key Fields For Configuring Rules 16.3 Connection Direction 16.4 Services Supported Creating Custom Rules 16-5 Table 16-1 Services Supported 16.5 Rule Summary Creating Custom Rules 16-7 Table 16-2 Firewall Rules Summary First Screen Table 16-1 16.5.1 Creating/Editing Firewall Rules Page P312 Broadband Security Gateway 16-10 Creating Custom Rules 16.5.2 Source & Destination Addresses Page 16.6 Timeout 16.6.1 Factors Influencing Choices for Timeout Values: Page P312 Broadband Security Gateway 16-14 Creating Custom Rules Table 16-5 Timeout Menu Page 17.2 Creating/Editing A Custom Port Page P312 Broadband Security Gateway 17-4 Custom Ports Table 17-2 Creating/Editing A Custom Port Page P312 Broadband Security Gateway 18-2 Logs Table 18-1 Log Screen Page Page Chapter 19 Example Firewall Rules 19.1 Examples 19.1.1 Example 1 - Firewall Rule To Allow Web Service From The Internet Page Page Page Page 19.1.2 Example 2 Small Office With Mail, FTP and Web Servers Page Page Page Page 19.1.3 Example 3: DHCP Negotiation and Syslog Connection from the Internet Page Page Page Chapter 20 Content Filtering 20.1 Restrict Web Features 20.1.1 ActiveX 20.1.2 Java 20.1.3 Cookies 20.2 Blocking URLs 20.3 Content Filteri ng Using the Web Configurator Page Page Page Chapter 21 Troubleshooting 21.1 Problems Starting Up the Prestige 21-2 Troubleshooting 21.2 Problems with the LAN Interface Table 21-2 Troubleshooting the LAN Interface 21.3 Problems with the WAN interface Table 21-3 Troubleshooting the WAN interface Troubleshooting 21-3 21.4 Problems with Internet Access Table 21-4 Troubleshooting Internet Access 21.5 Problems with the Firewall Page Appendix A PPPoE Page Appendix B PPTP Page Hardware Specifications I Appendix C Hardware Specifications Pin1 Pin 6 Pin 9 Appendix D Important Safety Instructions CLI Commands K Appendix E Firewall CLI Commands LCLI Commands CLI Commands M NCLI Commands CLI Commands O P Power Adapter Specifications Appendix F Power Adapter Specs Power Adapter Specifications Q RGlossary Glossary of Terms Glossary S TGlossary Glossary U VGlossary Glossary W XGlossary Glossary Y ZGlossary Glossary AA Page Index CC Index A B C D F G H I J L M N O P S T U V W X Z