advertisement
▼
Scroll to page 2
of 349
Nortel Business Secure Router 222 Configuration — Advanced BSR222 Business Secure Router Document Number: NN47922-501 Document Version: 1.3 Date: March 2007 2 Copyright © Nortel 2005–2006 All rights reserved. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. The information in this document is proprietary to Nortel. Trademarks Nortel, Nortel (Logo), the Globemark, and This is the way, This is Nortel (Design mark) are trademarks of Nortel. Microsoft, MS, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. All other trademarks and registered trademarks are the property of their respective owners. NN47922-501 3 Contents Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Text conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Hard-copy technical manuals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 How to get help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 USA and Canada Authorized Distributors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Technical Support - GNTS/GNPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Presales Support (CSAN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 EMEA (Europe, Middle East, Africa) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Technical Support - CTAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 CALA (Caribbean & Latin America) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Technical Support - CTAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 APAC (Asia Pacific) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Technical Support - GNTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Chapter 1 Getting to know your Nortel Business Secure Router 222 . . . . . . . . . . . . 31 Introducing the Nortel Business Secure Router 222 . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Physical features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 4-Port switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Autonegotiating 10/100 Mb/s Ethernet LAN . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Autosensing 10/100 Mb/s Ethernet LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Autonegotiating 10/100 Mb/s Ethernet WAN . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Auxiliary port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Time and date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Reset button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Nortel Business Secure Router 222 Configuration — Advanced 4 Contents Nonphysical features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 IPSec VPN capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Nortel Contivity Client Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 IEEE 802.1x for network security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Brute force password guessing protection . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Content filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Packet filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Universal Plug and Play (UPnP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Call scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 PPTP Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Dynamic DNS support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 IP Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 IP Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Central Network Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Traffic Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Port Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 DHCP (Dynamic Host Configuration Protocol) . . . . . . . . . . . . . . . . . . . . . . . . 37 Full network management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Road Runner support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Logging and tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Upgrade Business Secure Router Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Embedded FTP and TFTP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Applications for the Nortel Business Secure Router 222 . . . . . . . . . . . . . . . . . . . . . . . 39 Secure broadband internet access and VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Hardware Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 NN47922-501 Contents 5 Chapter 2 Introducing the SMT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Introduction to the SMT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Accessing the SMT via the console port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Initial screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Logging on to the SMT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Navigating the SMT interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Main menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Changing the system password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 SMT menus at a glance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 SMT menu 1 - general setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Introduction to general setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Configuring general setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Configuring dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 Chapter 3 WAN and Dial Backup Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Introduction to WAN and dial backup setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 WAN setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Dial backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Configuring dial backup in menu 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Advanced WAN setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Remote node profile (Backup ISP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 Editing PPP options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Editing TCP/IP options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Editing logon script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Remote node filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Chapter 4 LAN setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 Introduction to LAN setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 Accessing the LAN menus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 LAN port filter setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 TCP/IP and DHCP ethernet setup menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Nortel Business Secure Router 222 Configuration — Advanced 6 Contents IP Alias Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Chapter 5 Internet access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Introduction to internet access setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Ethernet encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Configuring the PPTP client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 Configuring the PPPoE client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 Basic setup complete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Chapter 6 Remote Node setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Introduction to Remote Node setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Remote Node setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Remote Node profile setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 Ethernet Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 PPPoE Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 Outgoing Authentication Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 Nailed-Up Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 PPTP Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 Edit IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 Remote Node filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Traffic Redirect setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Chapter 7 IP Static Route Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 IP Static Route Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 Chapter 8 Dial-in User Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Dial-in User Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Chapter 9 Network Address Translation (NAT). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 Using NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 NN47922-501 Contents 7 SUA (Single User Account) Versus NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 Applying NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 NAT setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 Address Mapping Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 SUA Address Mapping Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 User-Defined Address Mapping Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 Ordering Your Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Configuring a server behind NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 General NAT examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 Internet access only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 Example 2: Internet access with an inside server . . . . . . . . . . . . . . . . . . . . . . . . 123 Example 3: Multiple public IP addresses with inside servers . . . . . . . . . . . . . . . 124 Configuring Trigger Port forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 Chapter 10 Introducing the firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 Using SMT menus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 Activating the firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 Chapter 11 Filter configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Introduction to filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Filter Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 Configuring a Filter Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 Configuring a Filter Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Configuring a TCP/IP Filter Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Configuring a Generic Filter Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 Example Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 Filter Types and NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Firewall Versus Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Applying a Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Applying LAN Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Applying Remote Node Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 Nortel Business Secure Router 222 Configuration — Advanced 8 Contents Chapter 12 SNMP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 SNMP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 Chapter 13 System security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 System security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 System password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Configuring external RADIUS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 IEEE 802.1x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 Chapter 14 System information and diagnosis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 Introduction to System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 System information and console port speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 Console port speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 Log and trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 Syslog logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 CDR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172 Packet triggered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Filter log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 PPP log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 Firewall log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 Call-Triggering packet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 WAN DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 Chapter 15 Firmware and configuration file maintenance . . . . . . . . . . . . . . . . . . . . . 179 Filename conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179 Backup configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 Backup configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181 Using the FTP command from the command line . . . . . . . . . . . . . . . . . . . . . . . . 181 NN47922-501 Contents 9 Example of FTP commands from the command line . . . . . . . . . . . . . . . . . . . . . . 182 GUI-based FTP clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 TFTP and FTP over WAN Management Limitations . . . . . . . . . . . . . . . . . . . . . . 183 Backup configuration using TFTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 TFTP command example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 GUI-based TFTP clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 Back up via console port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 Restore configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 Restore Using FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Restore using FTP session example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 Restore via console port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 Uploading Firmware and Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 Firmware file upload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 Configuration file upload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 FTP file upload command from the DOS prompt example . . . . . . . . . . . . . . . . . 191 FTP Session Example of Firmware File Upload . . . . . . . . . . . . . . . . . . . . . . . . . 192 TFTP file upload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 TFTP upload command example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Uploading via console port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 Uploading Firmware File Via Console Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 Uploading Xmodem firmware using HyperTerminal . . . . . . . . . . . . . . . . . . . . . . 195 Uploading configuration file via console port . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Uploading Xmodem configuration file using HyperTerminal . . . . . . . . . . . . . . . . 197 Chapter 16 System Maintenance menus 8 to 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Command Interpreter mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Command syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 Command usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 Call control support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202 Budget management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202 Call History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 Time and Date setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 Resetting the Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208 Nortel Business Secure Router 222 Configuration — Advanced 10 Contents Chapter 17 Remote Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209 Remote Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209 Remote Management Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 Chapter 18 Call scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 Appendix A Setting up your computer IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Windows 95/98/Me . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Installing components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218 Configuring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219 Verifying Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220 Windows 2000/NT/XP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 Verifying Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225 Macintosh OS 8/9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225 Verifying Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226 Macintosh OS X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227 Verifying settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 Appendix B Triangle Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 The Ideal Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 The Triangle Route Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 The Triangle Route Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230 IP aliasing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230 Appendix C Importing certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 Import Business Secure Router certificates into Netscape Navigator . . . . . . . . . . . . 233 Importing the Business Secure Router Certificate into Internet Explorer . . . . . . . . . . 234 Enrolling and Importing SSL Client Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239 Using a certificate when accessing the Business Secure Router example . . . . . . . . 247 NN47922-501 Contents 11 Appendix D PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 PPPoE in action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 Benefits of PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 Traditional dial-up scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 How PPPoE works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250 Business Secure Router as a PPPoE client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250 Appendix E PPTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253 What is PPTP? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253 How can we transport PPP frames from a PC to a broadband modem over Ethernet? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253 PPTP and the Business Secure Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254 PPTP protocol overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254 Control and PPP connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255 Call connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255 PPP data connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256 Appendix F Hardware specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257 Cable pin assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257 AC Power Adapter Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259 Appendix G IP subnetting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261 IP addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261 IP classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261 Subnet masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263 Subnetting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263 Example: two subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264 Example: four subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266 Example: eight subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267 Subnetting with Class A and Class B networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 Nortel Business Secure Router 222 Configuration — Advanced 12 Contents Appendix H Command Interpreter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Command Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Command usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Sys commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272 Exit Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280 Ethernet Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280 IP commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281 IPSec commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288 Sys firewall commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 Bandwidth management commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298 Certificates commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301 IEEE 802.1X commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307 RADIUS commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307 Appendix I NetBIOS filter commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309 Display NetBIOS filter settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310 NetBIOS filter configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310 Example commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311 Appendix J Boot Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313 Appendix K Log descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315 VPN/IPSec logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 VPN responder IPSec log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325 Log commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332 Configuring what you want the Business Secure Router to log . . . . . . . . . . . . . . 333 Displaying logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333 Log command example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334 Appendix L NN47922-501 Contents 13 Brute force password guessing protection. . . . . . . . . . . . . . . . . . . . . . . . 335 Appendix M SIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337 SIP Identities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337 SIP Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337 SIP Service Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338 SIP Call Progression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338 SIP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339 SIP User Agent Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339 SIP Proxy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339 SIP Redirect Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340 SIP Register Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341 RTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345 Nortel Business Secure Router 222 Configuration — Advanced 14 Contents NN47922-501 15 Figures Figure 1 Secure Internet Access and VPN Application . . . . . . . . . . . . . . . . . . . . . 39 Figure 2 Initial screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Figure 3 SMT Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Figure 4 Main menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Figure 5 Menu 23.1 System Security: Change Password . . . . . . . . . . . . . . . . . . . 45 Figure 6 SMT overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Figure 7 menu 1: general setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Figure 8 Configure dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Figure 9 Menu 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 Figure 10 Menu 2: dial backup setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 Figure 11 Menu 2.1 advanced WAN setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Figure 12 Menu 11.2 remote node profile (Backup ISP) . . . . . . . . . . . . . . . . . . . . . . 60 Figure 13 Menu 11.2.1: Remote node PPP options . . . . . . . . . . . . . . . . . . . . . . . . . 63 Figure 14 Menu 11.2.2: remote node network layer options . . . . . . . . . . . . . . . . . . . 64 Figure 15 Menu 11.2.3: remote node setup script . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Figure 16 Menu 11.2.4: dial backup remote node filter . . . . . . . . . . . . . . . . . . . . . . . 69 Figure 17 Menu 3: LAN setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 Figure 18 Menu 3.1: LAN port filter setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Figure 19 Menu 3: TCP/IP and DHCP setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Figure 20 Figure 21-4 menu 3.2: TCP/IP and DHCP Ethernet setup . . . . . . . . . . . . 73 Figure 21 Menu 3.2.1: IP Alias setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 Figure 22 Menu 4: internet access setup (Ethernet) . . . . . . . . . . . . . . . . . . . . . . . . 80 Figure 23 Internet access setup (PPTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 Figure 24 Internet access setup (PPPoE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 Figure 25 Menu 11 Remote Node Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 Figure 26 Menu 11.1: Remote Node profile for Ethernet Encapsulation . . . . . . . . . . 87 Figure 27 Menu 11.1: Remote Node profile for PPPoE Encapsulation . . . . . . . . . . . 89 Figure 28 Menu 11.1: Remote Node Profile for PPTP Encapsulation . . . . . . . . . . . 91 Nortel Business Secure Router 222 Configuration — Advanced 16 Figures Figure 29 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation 93 Figure 30 Menu 11.1.4: Remote Node filter (Ethernet Encapsulation) . . . . . . . . . . . 96 Figure 31 Menu 11.1.4: Remote Node filter (PPPoE or PPTP Encapsulation) . . . . . 96 Figure 32 Menu 11.1: Remote Node Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 Figure 33 Menu 11.1.5: Traffic Redirect setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Figure 34 Menu 12: IP Static Route Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 Figure 35 Menu 12. 1: Edit IP Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 Figure 36 Menu 14- Dial-in User Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Figure 37 Menu 14.1- Edit Dial-in User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 Figure 38 Menu 4: Applying NAT for Internet Access . . . . . . . . . . . . . . . . . . . . . . . 108 Figure 39 Menu 11.1.2: Applying NAT to the Remote Node . . . . . . . . . . . . . . . . . . 109 Figure 40 Menu 15: NAT Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 Figure 41 Menu 15.1: Address Mapping Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 Figure 42 Menu 15.1.255: SUA Address Mapping Rules . . . . . . . . . . . . . . . . . . . . 112 Figure 43 Menu 15.1.1: First Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Figure 44 Menu 15.1.1.1: Editing or configuring an individual rule in a set . . . . . . 116 Figure 45 Menu 15.2: NAT Server Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 Figure 46 15.2.1: NAT Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 Figure 47 Menu 15.2: NAT Server Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 Figure 48 Multiple servers behind NAT example . . . . . . . . . . . . . . . . . . . . . . . . . . 121 Figure 49 NAT Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 Figure 50 Menu 4: Internet access & NAT example . . . . . . . . . . . . . . . . . . . . . . . . 122 Figure 51 NAT Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 Figure 52 Menu 15.2: Specifying an inside server . . . . . . . . . . . . . . . . . . . . . . . . . 124 Figure 53 NAT example 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125 Figure 54 Example 3: Menu 11.1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 Figure 55 Example 3: Menu 15.1.1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 Figure 56 Example 3: Final Menu 15.1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 Figure 57 Example 3: Menu 15.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 Figure 58 Menu 15.3: Trigger Port Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130 Figure 59 Menu 21: Filter and Firewall Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 Figure 60 Menu 21.2: Firewall Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134 Figure 61 Outgoing packet filtering process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 Figure 62 Filter rule process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 NN47922-501 Figures 17 Figure 63 Menu 21: Filter and Firewall Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 Figure 64 Menu 21.1: Filter Set Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Figure 65 Menu 21.1.1.1: TCP/IP Filter Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 Figure 66 Executing an IP filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145 Figure 67 Menu 21.1.1.1: Generic Filter Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 Figure 68 Telnet filter Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 Figure 69 Example Filter: Menu 21.1.3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 Figure 70 Example Filter Rules Summary: Menu 21.1.3 . . . . . . . . . . . . . . . . . . . . 150 Figure 71 Protocol and Device Filter Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Figure 72 Filtering LAN Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Figure 73 Filtering Remote Node Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 Figure 74 Menu 22: SNMP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Figure 75 Menu 23 System security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Figure 76 Menu 23 system security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 Figure 77 Menu 23.2 System Security: RADIUS server . . . . . . . . . . . . . . . . . . . . . 160 Figure 78 Menu 23 System Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 Figure 79 Menu 23.4 System Security: IEEE802.1x . . . . . . . . . . . . . . . . . . . . . . . . 162 Figure 80 Menu 24: System Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Figure 81 Menu 24.1: System Maintenance: Status Figure 82 Menu 24.1 — System Maintenance — Status . . . . . . . . . . . . . . . . . . . . 167 Figure 83 System Information and Console Port Speed . . . . . . . . . . . . . . . . . . . . . 169 Figure 84 Menu 24.2.1: System Maintenance Information Figure 85 Menu 24.2.2: System Maintenance: Change Console Port Speed . . . . 171 Figure 86 Menu 24.3: System Maintenance: Log and Trace . . . . . . . . . . . . . . . . . 171 Figure 87 Menu 24.3.2: System Maintenance: Syslog Logging . . . . . . . . . . . . . . . 172 . . . . . . . . . . . . . . . . . . . . . . . 167 . . . . . . . . . . . . . . . . . . 170 Figure 88 Call-Triggering packet example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 Figure 89 Menu 24.4: System Maintenance: Diagnostic . . . . . . . . . . . . . . . . . . . . 177 Figure 90 WAN & LAN DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Figure 91 Menu 24.5 - System Maintenance - Backup Configuration . . . . . . . . . . 181 Figure 92 FTP Session Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 Figure 93 Menu 24.5 System Maintenance: Backup Configuration . . . . . . . . . . . . 185 Figure 94 Menu 24.5 System Maintenance: Starting Xmodem Download Screen . 185 Figure 95 Backup Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 Figure 96 Successful Backup Confirmation Screen . . . . . . . . . . . . . . . . . . . . . . . . 186 Figure 97 Telnet into Menu 24.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Nortel Business Secure Router 222 Configuration — Advanced 18 Figures Figure 98 Restore using FTP session example . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 Figure 99 System Maintenance: Restore Configuration . . . . . . . . . . . . . . . . . . . . . 188 Figure 100 System Maintenance: Starting Xmodem Download Screen . . . . . . . . . . 189 Figure 101 Successful Restoration Confirmation Screen . . . . . . . . . . . . . . . . . . . . . 189 Figure 102 Telnet Into Menu 24.7.1 Upload System Firmware . . . . . . . . . . . . . . . . 190 Figure 103 Telnet Into Menu 24.7.2 System Maintenance . . . . . . . . . . . . . . . . . . . 191 Figure 104 FTP Session Example of Firmware File Upload . . . . . . . . . . . . . . . . . . . 192 Figure 105 Menu 24.7.1 as seen using the Console Port . . . . . . . . . . . . . . . . . . . . . 194 Figure 106 Example Xmodem Upload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Figure 107 Menu 24.7.2 as seen using the Console Port . . . . . . . . . . . . . . . . . . . . 196 Figure 108 Example Xmodem Upload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 Figure 109 Command mode in Menu 24 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 Figure 110 Valid commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 Figure 111 Call Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202 Figure 112 Budget Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 Figure 113 Call History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 Figure 114 Menu 24: System Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 Figure 115 Menu 24.10 System Maintenance: Time and Date Setting . . . . . . . . . . 206 Figure 116 Menu 24.11 – Remote Management Control . . . . . . . . . . . . . . . . . . . . . 210 Figure 117 Menu 26 Schedule Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 Figure 118 Menu 26.1 Schedule Set Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214 Figure 119 Applying Schedule Sets to a Remote Node (PPPoE) . . . . . . . . . . . . . . . 216 Figure 120 WIndows 95/98/Me: network: configuration . . . . . . . . . . . . . . . . . . . . . . 218 Figure 121 Windows 95/98/Me: TCP/IP properties: IP address . . . . . . . . . . . . . . . . 219 Figure 122 Windows 95/98/Me: TCP/IP Properties: DNS configuration . . . . . . . . . . 220 Figure 123 Windows XP: Start menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 Figure 124 Windows XP: Control Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 Figure 125 Windows XP: Control Panel: Network Connections: Properties . . . . . . . 222 Figure 126 Windows XP: Local Area Connection Properties . . . . . . . . . . . . . . . . . . 222 Figure 127 Windows XP: Advanced TCP/IP settings . . . . . . . . . . . . . . . . . . . . . . . . 223 Figure 128 Windows XP: Internet Protocol (TCP/IP) properties . . . . . . . . . . . . . . . . 224 Figure 129 Macintosh OS 8/9: Apple Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225 Figure 130 Macintosh OS 8/9: TCP/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226 Figure 131 Macintosh OS X: Apple menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227 Figure 132 Macintosh OS X: Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227 NN47922-501 Figures 19 Figure 133 Ideal Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 Figure 134 Triangle Route Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230 Figure 135 IP Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231 Figure 136 Security Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 Figure 137 Login Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 Figure 138 Certificate General Information before Import . . . . . . . . . . . . . . . . . . . . 235 Figure 139 Certificate Import Wizard 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236 Figure 140 Certificate Import Wizard 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237 Figure 141 Certificate Import Wizard 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238 Figure 142 Root Certificate Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238 Figure 143 Certificate General Information after Import . . . . . . . . . . . . . . . . . . . . . . 239 Figure 144 Business Secure Router Trusted CA screen . . . . . . . . . . . . . . . . . . . . . 240 Figure 145 CA certificate example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 Figure 146 Personal certificate import wizard 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242 Figure 147 Personal certificate import wizard 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243 Figure 148 Personal certificate import wizard 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244 Figure 149 Personal certificate import wizard 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245 Figure 150 Personal certificate import wizard 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 Figure 151 Personal certificate import wizard 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 Figure 152 Access the Business Secure Router via HTTPS . . . . . . . . . . . . . . . . . . 247 Figure 153 SSL client authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247 Figure 154 Business Secure Router secure login screen . . . . . . . . . . . . . . . . . . . . . 248 Figure 155 Single-PC per Router Hardware Configuration . . . . . . . . . . . . . . . . . . . . 250 Figure 156 Business Secure Router as a PPPoE Client . . . . . . . . . . . . . . . . . . . . . 251 Figure 157 Transport PPP frames over Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . 253 Figure 158 Business Secure Router as a PPTP client . . . . . . . . . . . . . . . . . . . . . . . 254 Figure 159 PPTP protocol overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255 Figure 160 Example message exchange between PC and an ANT . . . . . . . . . . . . . 256 Figure 161 Console or dial backup port pin layouts . . . . . . . . . . . . . . . . . . . . . . . . . 258 Figure 162 Ethernet cable pin assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259 Figure 163 NetBIOS Display Filter Settings Command Example . . . . . . . . . . . . . . . 310 Figure 164 Option to Enter Debug Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313 Figure 165 Boot Module Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314 Figure 166 Example VPN initiator IPSec log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324 Figure 167 Example VPN responder IPSec log . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325 Nortel Business Secure Router 222 Configuration — Advanced 20 Figures Figure 168 SIP User Agent Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339 Figure 169 SIP Proxy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340 Figure 170 SIP Redirect Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341 Figure 171 Business Secure Router SIP ALG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343 NN47922-501 21 Tables Table 1 Feature Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Table 2 Main menu commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Table 3 Main menu summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Table 4 General setup menu fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 Table 5 Configure dynamic DNS menu fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Table 6 MAC address cloning in WAN setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 Table 7 Menu 2: dial backup setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 Table 8 Advanced WAN port setup: AT commands fields . . . . . . . . . . . . . . . . . . . 58 Table 9 Fields in menu 11.2 remote node profile (Backup ISP) . . . . . . . . . . . . . . 60 Table 10 Remote node PPP options menu fields . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Table 11 Remote node network layer options menu fields . . . . . . . . . . . . . . . . . . . 64 Table 12 Menu 11.2.3: remote node script menu fields . . . . . . . . . . . . . . . . . . . . . . 68 Table 13 DHCP Ethernet setup menu fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Table 14 LAN TCP/IP setup menu fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Table 15 IP Alias setup menu field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 Table 16 Menu 4: internet access setup menu fields . . . . . . . . . . . . . . . . . . . . . . . 80 Table 17 New fields in menu 4 (PPTP) Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 Table 18 New fields in menu 4 (PPPoE) screen . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 Table 19 Fields in menu 11.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Table 20 Fields in Menu 11.1 (PPPoE Encapsulation Specific) . . . . . . . . . . . . . . . . 90 Table 21 Fields in Menu 11.1 (PPTP Encapsulation) . . . . . . . . . . . . . . . . . . . . . . . 91 Table 22 Remote Node Network Layer Options Menu Fields . . . . . . . . . . . . . . . . . 93 Table 23 Menu 11.1: Remote Node profile (Traffic Redirect Field) . . . . . . . . . . . . . 97 Table 24 Menu 11.1.5: Traffic Redirect setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Table 25 IP Static Route Menu Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 Table 26 Menu 14.1- Edit Dial-in User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 Table 27 Applying NAT in Menus 4 & 11.1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 Table 28 SUA Address Mapping Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 Table 29 Fields in menu 15.1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 Nortel Business Secure Router 222 Configuration — Advanced 22 Tables Table 30 Menu 15.1.1.1: Editing or configuring an individual rule in a set . . . . . . 116 Table 31 15.2.1: NAT Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 Table 32 Menu 15.3: Trigger Port setup description . . . . . . . . . . . . . . . . . . . . . . . 130 Table 33 Abbreviations used in the Filter Rules Summary Menu . . . . . . . . . . . . . 140 Table 34 Rule abbreviations used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 Table 35 TCP/IP Filter Rule Menu fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 Table 36 Generic Filter Rule Menu fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 Table 37 SNMP Configuration Menu Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 Table 38 SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 Table 39 Menu 23.2 System Security: RADIUS Server . . . . . . . . . . . . . . . . . . . . . 161 Table 40 Menu 23.4 System Security: IEEE802.1x . . . . . . . . . . . . . . . . . . . . . . . . 163 Table 41 System Maintenance: Status Menu Fields . . . . . . . . . . . . . . . . . . . . . . . 167 Table 42 Fields in System Maintenance: Information . . . . . . . . . . . . . . . . . . . . . . 170 Table 43 System Maintenance Menu Syslog Parameters . . . . . . . . . . . . . . . . . . . 172 Table 44 System Maintenance menu diagnostic . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Table 45 Filename Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 Table 46 General commands for GUI-based FTP clients . . . . . . . . . . . . . . . . . . . 182 Table 47 General commands for GUI-based TFTP clients . . . . . . . . . . . . . . . . . . 184 Table 48 Valid commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 Table 49 Budget management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 Table 50 Call History Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 Table 51 Time and Date Setting Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 Table 52 Menu 24.11 – Remote Management control . . . . . . . . . . . . . . . . . . . . . . 210 Table 53 Menu 26.1 Schedule Set Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215 Table 54 General specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257 Table 55 Console or dial backup port pin assignments . . . . . . . . . . . . . . . . . . . . . 258 Table 57 Allowed IP address range By class . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262 Table 56 Classes of IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262 Table 58 Natural Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263 Table 59 Alternative Subnet Mask Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264 Table 60 Subnet 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 Table 61 Subnet 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 Table 62 Subnet 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266 Table 63 Subnet 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266 Table 66 Eight subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267 NN47922-501 Tables 23 Table 64 Subnet 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267 Table 65 Subnet 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267 Table 67 Class C subnet planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 Table 68 Class B subnet planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 Table 69 Sys commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272 Table 70 Exit Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280 Table 71 Ether Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280 Table 72 IP commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281 Table 73 IPSec commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288 Table 74 Sys firewall commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 Table 75 Bandwidth management commands . . . . . . . . . . . . . . . . . . . . . . . . . . . 298 Table 76 Certificates commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301 Table 77 IEEE 802.1X commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307 Table 78 RADIUS commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307 Table 79 NetBIOS filter default settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310 Table 80 System error logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315 Table 81 System maintenance logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315 Table 82 UPnP logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316 Table 83 Content filtering logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316 Table 84 Attack logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317 Table 85 Access logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319 Table 86 ACL setting notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322 Table 87 ICMP notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322 Table 88 Sys log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 Table 89 Sample IKE key exchange logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326 Table 90 Sample IPSec logs during packet transmission . . . . . . . . . . . . . . . . . . . 328 Table 91 RFC-2408 ISAKMP payload types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328 Table 92 PKI logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329 Table 93 Certificate path verification failure reason codes . . . . . . . . . . . . . . . . . . 330 Table 94 IEEE 802.1X logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331 Table 95 Log categories and available settings . . . . . . . . . . . . . . . . . . . . . . . . . . 333 Table 96 Brute force password guessing protection commands . . . . . . . . . . . . . . 335 Table 97 SIP Call Progression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338 Nortel Business Secure Router 222 Configuration — Advanced 24 Tables NN47922-501 25 Preface Before you begin This guide is designed to assist you with advanced configuration of your Business Secure Router for its various applications. Note: This guide explains how to use the System Management Terminal (SMT) or the command interpreter interface to configure your Business Secure Router. See the basic manual for how to use the WebGUI to configure your Business Secure Router. Not all features can be configured through all interfaces. The SMT parts of this manual contain background information solely on features not configurable by the WebGUI. The WebGUI parts of the basic manual contain background information on features configurable by the WebGUI and the SMT. Text conventions This guide uses the following text conventions: Enter means for you to type one or more characters and press the [ENTER] key. Select or Choose means for you to use one of the predefined choices. The SMT menu titles and labels are written in Bold Times New Roman font. Menu choices are written in Bold Arial font. Nortel Business Secure Router 222 Configuration — Advanced 26 Preface A single keystroke is written in Arial font and enclosed in square brackets, for instance, [ENTER] means the Enter key; [ESC] means the escape key and [SPACE BAR] means the space bar. [UP] and [DOWN] are the up and down arrow keys. Mouse action sequences are denoted using a comma. For example, “click the Apple icon, Control Panels and then Modem” means first click the Apple icon, then point your mouse pointer to Control Panels and then click Modem. Related publications For more information about using the Business Secure Router VPN Switch, refer to the following publications: • Nortel Business Secure Router 222 — Fundamentals (NN47922-301) The Fundamentals guide is designed to help you get up and running right away. It contains connection information and instructions on getting started. • Nortel Business Secure Router 222 Configuration — Basics (NN47922-500) The basic manual covers how to use the WebGUI to configure your Business Secure Router. • WebGUI Online Help Embedded WebGUI help for descriptions of individual screens and supplementary information Hard-copy technical manuals You can print selected technical manuals and release notes free, directly from the Internet. Go to www.nortel.com/documentation. Find the product for which you need documentation. Then locate the specific category and model or version for your hardware or software product. Use Adobe Reader to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to Adobe Systems at www.adobe.com to download a free copy of the Adobe Reader. NN47922-501 Preface 27 How to get help If you do not see an appropriate number in this list, go to www.nortel.com/cs. USA and Canada Authorized Distributors Technical Support - GNTS/GNPS Telephone: 1-800-4NORTEL (1-800-466-7835) If you already have a PIN Code, you can enter Express Routing Code (ERC) 196#. If you do not yet have a PIN Code, or for general questions and first line support, you can enter ERC 338#. Web Site: www.nortel.com/cs Presales Support (CSAN) Telephone: 1-800-4NORTEL (1-800-466-7835) Use Express Routing Code (ERC) 1063# EMEA (Europe, Middle East, Africa) Technical Support - CTAS Telephone: *European Free phone 00800 800 89009 European Alternative: United Kingdom +44 (0)870-907-9009 Africa +27-11-808-4000 Israel 800-945-9779 Calls are not free from all countries in Europe, Middle East, or Africa. Nortel Business Secure Router 222 Configuration — Advanced 28 Preface Fax: 44-191-555-7980 E-mail: [email protected] CALA (Caribbean & Latin America) Technical Support - CTAS Telephone: 1-954-858-7777 E-mail: [email protected] APAC (Asia Pacific) Service Business Centre & Pre-Sales Help Desk: +61-2-8870-5511 (Sydney) Technical Support - GNTS Telephone: +612 8870 8800 Fax: +612 8870 5569 E-mail: [email protected] Australia 1-800-NORTEL (1-800-667-835) China 010-6510-7770 India 011-5154-2210 Indonesia 0018-036-1004 Japan 0120-332-533 Malaysia 1800-805-380 New Zealand 0800-449-716 NN47922-501 Preface Philippines 1800-1611-0063 Singapore 800-616-2004 South Korea 0079-8611-2001 Taiwan 0800-810-500 Thailand 001-800-611-3007 Service Business Centre & Pre-Sales Help Desk +61-2-8870-5511 29 Nortel Business Secure Router 222 Configuration — Advanced 30 Preface NN47922-501 31 Chapter 1 Getting to know your Nortel Business Secure Router 222 This chapter introduces the main features and applications of the Business Secure Router. Introducing the Nortel Business Secure Router 222 The Nortel Business Secure Router 222 is an ideal secure gateway for all data passing between the Internet and the Local Area Network (LAN). By integrating Network Address Translation (NAT), firewall and Virtual Private Network (VPN) capability, the Business Secure Router is a complete security solution that protects your Intranet and efficiently manages data traffic on your network. The embedded WebGUI assists in easy setup and management of the Business Secure Router via an Internet browser. Features This section lists the key features of the Business Secure Router. Table 1 Feature Specifications Feature Specification Number of static routes 12 Number of NAT sessions 4096 Number of SUA servers 12 Nortel Business Secure Router 222 Configuration — Advanced 32 Chapter 1 Getting to know your Nortel Business Secure Router 222 Table 1 Feature Specifications Feature Specification Number of address mapping rules 10 Maximum number of VPN IP Policies 60 Maximum number of concurrent VPN IPSec Connections 60 Number of IP pools can be used to assign IP addresses to remote users 3 for VPN client termination Number of configurable split networks for VPN client termination 16 Number of configurable inverse split networks for VPN client termination 16 Number of configurable subnets per split network for VPN client termination 64 Physical features 4-Port switch A combination of switch and router makes your Nortel Business Secure Router 222 a cost effective and viable network solution. You can connect up to four computers or phones to the Business Secure Router without the cost of a switch. Use a switch to add more than four computers or phones to your LAN. Autonegotiating 10/100 Mb/s Ethernet LAN The LAN interfaces automatically detect if they are on a 10 or a 100 Mb/s Ethernet. Autosensing 10/100 Mb/s Ethernet LAN The LAN interfaces automatically adjust to either a crossover or straight through Ethernet cable. Autonegotiating 10/100 Mb/s Ethernet WAN The 10/100 Mb/s Ethernet WAN port attaches to the Internet via broadband modem or router and automatically detects if it is on a 10 or a 100 Mb/s Ethernet. NN47922-501 Chapter 1 Getting to know your Nortel Business Secure Router 222 33 Auxiliary port The Business Secure Router uses the same port for console management and for an auxiliary WAN backup. The AUX port can be used in reserve as a traditional dial-up connection when or if ever the broadband connection to the WAN port fails. Time and date Using the Business Secure Router, you can get the current time and date from an external server when you turn on your Business Secure Router. You can also set the time manually. Reset button The Business Secure Router reset button is built into the rear panel. Use this button to restart the Business Secure Router or restore the factory default password to PlsChgMe!, IP address to 192.168.1.1, subnet mask to 255.255.255.0, and DHCP server enabled with a pool of 126 IP addresses starting at 192.168.1.2. Nonphysical features IPSec VPN capability Establish Virtual Private Network (VPN) tunnels to connect home or office computers to your company network using data encryption and the Internet; thus providing secure communications without the expense of leased site-to-site lines. VPN is based on the IPSec standard and is fully interoperable with other IPSec-based VPN products. Nortel Contivity Client Termination The Business Secure Router supports VPN connections from computers using Nortel Contivity VPN Client 3.0, 5.01, 5.11, 6.01, 6.02, or 7.01 software. Nortel Business Secure Router 222 Configuration — Advanced 34 Chapter 1 Getting to know your Nortel Business Secure Router 222 Certificates The Business Secure Router can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication. SSH The Business Secure Router uses the SSH (Secure Shell) secure communication protocol to provide secure encrypted communication between two hosts over an unsecured network. HTTPS HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL is a web protocol that encrypts and decrypts web sessions. Use HTTPS for secure WebGUI access to the Business Secure Router. IEEE 802.1x for network security The Business Secure Router supports the IEEE 802.1x standard for user authentication. With the local user profile in the Business Secure Router, you can configure up 32 user profiles without a network authentication server. In addition, centralized user and accounting management is possible on an optional network authentication server. Firewall The Business Secure Router has a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN. The Business Secure Router firewall supports TCP/UDP inspection, DoS detection and protection, real time alerts, reports and logs. NN47922-501 Chapter 1 Getting to know your Nortel Business Secure Router 222 35 Brute force password guessing protection The Business Secure Router has a special protection mechanism to discourage brute force password guessing attacks on the Business Secure Router’s management interfaces. You can specify a wait time that must expire before you can enter a fourth password after entering three incorrect passwords. Content filtering The Business Secure Router can block web features such as ActiveX controls, Java applets, and cookies, as well as disable web proxies. The Business Secure Router can block specific URLs by using the keyword feature. The administrator can also define time periods and days during which content filtering is enabled. Packet filtering The packet filtering mechanism blocks unwanted traffic from entering or leaving your network. Universal Plug and Play (UPnP) Using the standard TCP/IP protocol, the Business Secure Router and other UPnP-enabled devices can dynamically join a network, obtain an IP address, and convey its capabilities to other devices on the network. Call scheduling Configure call time periods to restrict and allow access for users on remote nodes. PPPoE PPPoE facilitates the interaction of a host with an Internet modem to achieve access to high-speed data networks via a familiar dial-up networking user interface. Nortel Business Secure Router 222 Configuration — Advanced 36 Chapter 1 Getting to know your Nortel Business Secure Router 222 PPTP Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using a TCP/IP-based network. PPTP supports on-demand, multiprotocol, and virtual private networking over public networks, such as the Internet. The Business Secure Router supports one PPTP server connection at any given time. Dynamic DNS support With Dynamic DNS (Domain Name System) support, you can have a static host name alias for a dynamic IP address, so the host is more easily accessible from various locations on the Internet. You must register for this service with a Dynamic DNS service provider. IP Multicast The Business Secure Router can use IP multicast to deliver IP packets to a specific group of hosts. IGMP (Internet Group Management Protocol) is the protocol used to support multicast groups. The Business Secure Router supports versions 1 and 2. IP Alias Using IP Alias, you can partition a physical network into logical networks over the same Ethernet interface. The Business Secure Router supports three logical LAN interfaces via its single physical Ethernet LAN interface with the Business Secure Router itself as the gateway for each LAN network. Central Network Management With Central Network Management (CNM), an enterprise or service provider network administrator can manage your Business Secure Router. The enterprise or service provider network administrator can configure your Business Secure Router, perform firmware upgrades, and do troubleshooting for you. NN47922-501 Chapter 1 Getting to know your Nortel Business Secure Router 222 37 SNMP SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Business Secure Router supports SNMP agent functionality, which means that a manager station can manage and monitor the Business Secure Router through the network. The Business Secure Router supports SNMP versions 1 and 2 (SNMPv1 and SNMPv2). Network Address Translation (NAT) NAT (Network Address Translation — NAT, RFC 1631) translate multiple IP addresses used within one network to different IP addresses known within another network. Traffic Redirect Traffic Redirect forwards WAN traffic to a backup gateway when the Business Secure Router cannot connect to the Internet, thus acting as an auxiliary backup when your regular WAN connection fails. Port Forwarding Use this feature to forward incoming service requests to a server on your local network. You can enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. DHCP (Dynamic Host Configuration Protocol) With DHCP (Dynamic Host Configuration Protocol), individual client computers can obtain the TCP/IP configuration at start-up from a centralized DHCP server. The Business Secure Router has built in DHCP server capability, enabled by default, which means it can assign IP addresses, an IP default gateway, and DNS servers to all systems that support the DHCP client. The Business Secure Router can also act as a surrogate DHCP server, where it relays IP address assignment from another DHCP server to the clients. Nortel Business Secure Router 222 Configuration — Advanced 38 Chapter 1 Getting to know your Nortel Business Secure Router 222 Full network management The embedded web configurator is an all platform, web based utility that you can use to easily manage and configure the Business Secure Router. Most functions of the Business Secure Router are also software configurable via the SMT (System Management Terminal) interface. The SMT is a menu driven interface that you can access from a terminal emulator through the console port or over a Telnet connection. Road Runner support In addition to standard cable modem services, the Business Secure Router supports Time Warner’s Road Runner Service. Logging and tracing The Business Secure Router supports the following logging and tracing functions to help with management: • • Built in message logging and packet tracing Unix syslog facility support Upgrade Business Secure Router Firmware The firmware of the Business Secure Router can be upgraded via the console port or the LAN. Embedded FTP and TFTP Servers The Business Secure Router’s embedded FTP and TFTP Servers enable fast firmware upgrades, as well as configuration file backups and restoration. NN47922-501 Chapter 1 Getting to know your Nortel Business Secure Router 222 39 Applications for the Nortel Business Secure Router 222 Secure broadband internet access and VPN You can connect a cable, DSL, or other modem to the Nortel Business Secure Router 222 via Ethernet WAN port for broadband Internet access. The Business Secure Router also provides IP address sharing and a firewall protected local network with traffic management. VPN is an ideal, cost effective way to connect branch offices and business partners over the Internet without the need (and expense) of leased lines between sites. The LAN computers can share the VPN tunnels for secure connections to remote computers. Figure 1 Secure Internet Access and VPN Application Business Secure Router Nortel Business Secure Router 222 Configuration — Advanced 40 Chapter 1 Getting to know your Nortel Business Secure Router 222 Hardware Setup Refer to Nortel Business Secure Router 222 — Fundamentals (NN47922-301) for hardware connection instructions. Note: To keep the Business Secure Router operating at optimal internal temperature, keep the bottom, sides, and rear clear of obstructions and away from the exhaust of other equipment. After installing your Nortel Business Secure Router 222, continue with the rest of this guide for configuration instructions. NN47922-501 41 Chapter 2 Introducing the SMT This chapter explains how to access the System Management Terminal and gives an overview of its menus. Introduction to the SMT The Business Secure Router SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a Telnet connection. This chapter shows you how to access the SMT (System Management Terminal) menus via the console port, how to navigate the SMT, and how to configure SMT menus. Accessing the SMT via the console port Make sure you have the physical connection properly set up as described in the hardware installation chapter. When configuring using the console port, you need a computer equipped with communications software configured to the following parameters: • • • VT100 terminal emulation 9 600 baud No parity, 8 data bits, 1 stop bit, flow control set to none Initial screen When you turn on your Business Secure Router, it performs several internal tests as well as line initialization. Nortel Business Secure Router 222 Configuration — Advanced 42 Chapter 2 Introducing the SMT After the tests, the Business Secure Router asks you to press [ENTER] to continue, as shown in Figure 2. Figure 2 Initial screen initialize ch =0, ethernet address: 00:A0:C5:22:1A:03 initialize ch =1, ethernet address: 00:A0:C5:22:1A:04 Press ENTER to continue... Logging on to the SMT The logon screen appears after you press [ENTER], prompting you to enter the username, as shown in Figure 3. Type the username (nnadmin is the default) and press [ENTER]. The logon screen prompts you to enter the password. Figure 3 SMT Login Enter Username : XXXX Enter Password : XXXX Type the password (PlsChgMe! is the default) and press [ENTER]. As you type the password, the screen displays an X for each character you type. Note that if there is no activity for longer than five minutes after you log on, your Business Secure Router will automatically log you off and display a blank screen. If you see a blank screen, press [ENTER] to bring up the logon screen again. Navigating the SMT interface The SMT is an interface that you use to configure your Business Secure Router. NN47922-501 Chapter 2 Introducing the SMT 43 Table 2 lists several operations you must be familiar with before attempting to modify the configuration. Table 2 Main menu commands Operations Keystrokes Descriptions Move down to another menu [ENTER] To move forward to a submenu, type in the number of the desired submenu and press [ENTER]. Move up to a previous menu [ESC] Press the [ESC] key to move back to the previous menu. Move to a “hidden” menu Press [SPACE BAR] Fields beginning with “Edit” lead to hidden to change No to Yes menus and have a default setting of No. Press then press [ENTER]. [SPACE BAR] to change No to Yes, and then press [ENTER] to go to a “hidden” menu. Move the cursor [ENTER] or [UP] or [DOWN] arrow keys Within a menu, press [ENTER] to move to the next field. You can also use the [UP] or [DOWN] arrow keys to move to the previous or the next fields, respectively. When you are at the top of a menu, press the [UP] arrow key to move to the bottom of a menu. Entering information Fill in, or press [SPACE BAR], then press [ENTER] to select from choices. There are two types of fields. The first requires you to type in the appropriate information. The second allows you to cycle through the available choices by pressing [SPACE BAR]. Required fields <? > All fields with the symbol <?> must be filled in order be able to save the new configuration. N/A fields <N/A> Some of the fields in the SMT will show a <N/A>. This symbol refers to an option that is Not Applicable. Save your configuration [ENTER] Save your configuration by pressing [ENTER] at the message “Press ENTER to confirm or ESC to cancel”. Saving the data on the screen will take you, in most cases, to the previous menu. Make sure you save your settings in each screen that you configure. Exit the SMT Type 99, then press [ENTER]. Type 99 at the main menu prompt and press [ENTER] to exit the SMT interface. Main menu After you enter the password, the SMT displays the Business Secure Router Main Menu, as shown in Figure 4. Not all models have all the features shown. Nortel Business Secure Router 222 Configuration — Advanced 44 Chapter 2 Introducing the SMT Figure 4 Main menu Business Secure Router Main Menu Getting Started 1. 2. 3. 4. Advanced Management General Setup WAN Setup LAN Setup Internet Access Setup Advanced Applications 11. Remote Node Setup 12. Static Routing Setup 14. Dial-in User Setup 15. NAT Setup 21. 22. 23. 24. 26. Filter and Firewall Setup SNMP Configuration System Security System Maintenance Schedule Setup 99.Exit Enter Menu Selection Number: Table 3 describes the fields in Figure 4. Table 3 Main menu summary NN47922-501 No. Menu Title Function 1 General Setup Use this menu to set up dynamic DNS and administrative information. 2 WAN Setup Use this menu to clone a MAC address from a computer on your LAN and configure the backup WAN dial-up connection. 3 LAN Setup Use this menu to apply LAN filters, configure LAN DHCP and TCP/IP settings. 4 Internet Access Setup Configure your Internet Access setup (Internet address, gateway IP address, and logon) with this menu. 11 Remote Node Setup Use this menu to configure detailed remote node settings (your ISP is also a remote node) as well as apply WAN filters. 12 Static Routing Setup Configure IP static routes in this menu. 14 Dial-in User Setup Use this menu to configure the Dial-in User information 15 NAT Setup Use this menu to configure Network Address Translation. 21 Filter and Firewall Setup Configure filters, activate or deactivate the firewall, and view the firewall log. Chapter 2 Introducing the SMT 45 Table 3 Main menu summary No. Menu Title Function 22 SNMP Configuration Use this menu to configure SNMP-related parameters. 23 System Security Use this menu to change your password and enable network user authentication. 24 System Maintenance From displaying system status to uploading firmware, this menu provides comprehensive system maintenance. 26 Schedule Setup Use this menu to schedule outgoing calls. 99 Exit Use this menu to exit (necessary for remote configuration). Changing the system password To change the Business Secure Router administrator password:. 1 From the main menu, enter 23 to display Menu 23 – System Security. 2 Enter 1 to display Menu 23.1 – System Security – Change Password. Figure 5 Menu 23.1 System Security: Change Password Menu 23.1 – System Security – Change Password Old Password= **** New Password= ? Retype to confirm= ? Enter here to CONFIRM or ESC to CANCEL: 3 Type your existing system password in the Old Password field, and press [ENTER]. 4 Type your new system password in the New Password field (up to 30 characters), and press [ENTER]. 5 Retype your new system password in the Retype to confirm field for confirmation and press [ENTER]. Note that as you type a password, the screen displays an asterisk * for each character you type. Nortel Business Secure Router 222 Configuration — Advanced 46 Chapter 2 Introducing the SMT SMT menus at a glance Figure 6 SMT overview NN47922-501 47 SMT menu 1 - general setup Introduction to general setup Menu 1 - general setup contains administrative and system-related information. Configuring general setup Enter 1 in the main menu to open Menu 1: general setup. The Menu 1 - General Setup screen appears, as shown in Figure 7. Fill in the required fields. Figure 7 menu 1: general setup Menu 1 - General Setup System Name= Business Secure Router Domain Name= www.nortel.com First System DNS Server= From ISP IP Address= N/A Second System DNS Server= From ISP IP Address= N/A Third System DNS Server= From ISP IP Address= N/A Edit Dynamic DNS= No Press ENTER to confirm or ESC to cancel: Nortel Business Secure Router 222 Configuration — Advanced 48 Chapter 2 SMT menu 1 - general setup Table 4 describes the fields in Figure 7. Table 4 General setup menu fields NN47922-501 Field Description Example System name Choose a descriptive name for identification purposes. Business Nortel recommends you enter your computer name in Secure Router this field. This name can be up to 30 alphanumeric characters long. Spaces, dashes - and underscores _ are accepted. Domain name Enter the domain name (if you know it) here. If you nortel.com leave this field blank, the ISP assigns a domain name via DHCP. You can go to menu 24.8 and type sys domain name to see the current domain name used by your router. The domain name entered by you is given priority over the ISP-assigned domain name. If you want to clear this field just press [SPACE BAR] and then [ENTER]. Chapter 2 SMT menu 1 - general setup 49 Table 4 General setup menu fields Field Description Example First system DNS server DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because Second system without it, you must know the IP address of a machine before you can access it. The Business Secure Router DNS server uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and Third system the time server. DNS server Press [SPACE BAR] and then [ENTER] to select an option. Select From ISP if your ISP dynamically assigns DNS server information (and the Business Secure Router's WAN IP address). The IP Address field below displays the (read-only) DNS server IP address that the ISP assigns. If you chose From ISP, but the Business Secure Router has a fixed WAN IP address, From ISP changes to None after you save your changes. If you select From ISP for the second or third DNS server, but the ISP does not provide a second or third IP address, From ISP changes to None after you save your changes. Select User-Defined if you have the IP address of a DNS server. The IP address can be public or a private address on your local LAN. Enter the DNS server's IP address in the field to the right. A User-Defined entry with the IP address set to 0.0.0.0 changes to None after you save your changes. A duplicate User-Defined entry changes to None after you save your changes. Select None if you do not want to configure DNS servers. If you do not configure a system DNS server, you must use IP addresses when configuring VPN, DDNS and the time server. Select Private DNS if the DNS server has a private IP address and is located behind a VPN peer. Enter the DNS server IP address in the field to the right. With a private DNS server, you must also configure the first DNS server entry in SMT menu 3.1 to use DNS Relay. Nortel Business Secure Router 222 Configuration — Advanced 50 Chapter 2 SMT menu 1 - general setup Table 4 General setup menu fields Field Description Example You must also configure a VPN branch office rule since the Business Secure Router uses a VPN tunnel when it relays DNS queries to the private DNS server. One of the rule’s IP policies must include the LAN IP address of the Business Secure Router as a local IP address and the IP address of the DNS server as a remote IP address. A Private DNS entry with the IP address set to 0.0.0.0 changes to None after you click Apply. A duplicate Private DNS entry changes to None after you save your changes. Edit dynamic DNS Press [SPACE BAR] and then [ENTER] to select Yes or No (default). Select Yes to configure Menu 1.1: Configure Dynamic DNS, discussed next. No (default) After you complete this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. Configuring dynamic DNS To configure Dynamic DNS, go to Menu 1: General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1— Configure Dynamic DNS (Figure 8). Not all models have every field shown. NN47922-501 Chapter 2 SMT menu 1 - general setup 51 Figure 8 Configure dynamic DNS Menu 1.1 - Configure Dynamic DNS Service Provider= WWW.DynDNS.ORG Active= No DDNS Type= DynamicDNS Host Name 1= Host Name 2= Host Name 3= Username= Password= ******** Enable Wildcard Option= No Enable Off Line Option= N/A IP Address Update Policy: DDNS Server Auto Detect IP Address= No Use Specified IP Address= No Use IP Address= N/A Press ENTER to confirm or ESC to cancel: Follow the instructions in Table 5 to configure Dynamic DNS parameters. Table 5 Configure dynamic DNS menu fields Field Description Example Service Provider This is the name of your Dynamic DNS service provider. www.dyndns.org (default) Active Press [SPACE BAR] to select Yes and then press [ENTER] to make dynamic DNS active. Yes DDNS Type Press [SPACE BAR] and then [ENTER] to select DynamicDNS DynamicDNS if you have a dynamic IP address. (default) Select StaticDNS if you have a static IP address. Select CustomDNS to have dyns.org provide DNS service for a domain name that you already have from a source other than dyndns.org. Host1-3 Enter your host names in the fields provided. You can specify up to two host names separated by a comma in each field. me.dyndns.org EMAIL Enter your e-mail address. mail@mailserver User Enter your username. Password Enter the password assigned to you. Enable Wildcard Your Business Secure Router supports DYNDNS Wildcard. Press [SPACE BAR] and then [ENTER] to select Yes or No This field is N/A when you choose DDNS client as your service provider. Nortel Business Secure Router 222 Configuration — Advanced 52 Chapter 2 SMT menu 1 - general setup Table 5 Configure dynamic DNS menu fields Field Description Offline This field is only available when CustomDNS is selected in the DDNS Type field. Press [SPACE BAR] and then [ENTER] to select Yes. When Yes is selected, http://www.dyndns.org/ Example traffic is redirected to a URL that you have previously specified (see www.dyndns.org for details). IP Address Update Policy: You can select Yes in either the DDNS Server Auto Detect IP Address field (recommended) or the Use Specified IP Address field, but not both. With the DDNS Server Auto Detect IP Address and Use Specified IP Address fields both set to No, the DDNS server automatically updates the IP address of the host names with the Business Secure Router’s WAN IP address. DDNS does not work with a private IP address. When both fields are set to No, the Business Secure Router must have a public WAN IP address in order for DDNS to work. DDNS Server Auto Detect IP Address Press [SPACE BAR] to select Yes and then press Yes [ENTER] to have the DDNS server automatically update the IP address of the host names with the public IP address that the Business Secure Router uses or is behind. You can set this field to Yes whether the IP address is public or private, static or dynamic. Use Specified IP Address Press [SPACE BAR] to select Yes and then press [ENTER] to update the IP address of the host names to the IP address specified below. Only select Yes if the Business Secure Router uses or is behind a static public IP address. Use IP Address Enter the static public IP address if you select Yes N/A in the Use Specified IP Address field. No After you complete this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. The IP address updates when you reconfigure menu 1 or perform DHCP client renewal. NN47922-501 53 Chapter 3 WAN and Dial Backup Setup This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1. Introduction to WAN and dial backup setup This chapter explains how to configure settings for your WAN port and how to configure the Business Secure Router for a dial backup connection. WAN setup From the main menu, enter 2 to open menu 2 Nortel Business Secure Router 222 Configuration — Advanced 54 Chapter 3 WAN and Dial Backup Setup Figure 9 Menu 2 Menu 2 - WAN Setup MAC Address: Assigned By= Factory default IP Address= N/A Dial-Backup: Active= No Port Speed= 115200 AT Command String: Init= at&fs0=0 Edit Advanced Setup= No Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. Table 6 describes the MAC address fields in Figure 9. See Table 7 for descriptions of the dial-backup fields. Table 6 MAC address cloning in WAN setup Field Description Example MAC Address Assigned By Press [SPACE BAR] and then [ENTER] to choose one IP address of two methods to assign a MAC Address. Choose attached on Factory Default to select the factory-assigned default LAN MAC Address. Choose IP address attached on LAN to use the MAC Address of that workstation whose IP you give in the following field. IP Address This field is applicable only if you choose the IP address attached on LAN method in the Assigned By field. Enter the IP address of the computer on the LAN whose MAC you are cloning. After you complete this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. NN47922-501 192.168.1.35 Chapter 3 WAN and Dial Backup Setup 55 Dial backup The Dial Backup port or CON/AUX port can be used in reserve as a traditional dial-up connection if the broadband connection to the WAN port fail. This feature is not available on all models. To set up the auxiliary port (Dial Backup or CON/ AUX) for use in the event that the regular WAN connection is dropped, first make sure you have set up the switch and port connection (see the Hardware Installation chapter), then configure: • • • Menu 2 - WAN Setup Menu 2.1 - Advanced WAN Setup Menu 11.1 - Remote Node Profile (Backup ISP), as shown in Figure 26 on page 87 Refer also to the traffic redirect section for information on an alternate backup WAN connection. Configuring dial backup in menu 2 From the main menu, enter 2 to open menu 2. Nortel Business Secure Router 222 Configuration — Advanced 56 Chapter 3 WAN and Dial Backup Setup Figure 10 Menu 2: dial backup setup Menu 2 - WAN Setup MAC Address: Assigned By= Factory default IP Address= N/A Dial-Backup: Active= No Port Speed= 115200 AT Command String: Init= at&fs0=0 Edit Advanced Setup= No Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. Table 7 describes the fields in Figure 10. Table 7 Menu 2: dial backup setup Field Description Example Active Use this field to turn the dial-backup feature on (Yes) or off (No). No Port Speed Press [SPACE BAR] and then press [ENTER] to select the speed of the connection between the Dial Backup port and the external device. Available speeds are: 9 600, 19 200, 38 400, 57 600, 115 200 or 230 400 b/ s. 115200 Enter the AT command string to initialize the WAN device. Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands. at&fs0=0 Dial-Backup: AT Command String: Init NN47922-501 Chapter 3 WAN and Dial Backup Setup 57 Table 7 Menu 2: dial backup setup Field Description Example Edit Advanced Setup To edit the advanced setup for the Dial Backup port, move the cursor to this field; press the [SPACE BAR] to select Yes and then press [ENTER] to go to Menu 2.1: Advanced Setup. Yes After you complete this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. Advanced WAN setup Note: Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands To edit the advanced setup for the Dial Backup port, move the cursor to the Edit Advanced Setup field in Menu 2 - WAN Setup, press the [SPACE BAR] to select Yes, and then press [ENTER]. Nortel Business Secure Router 222 Configuration — Advanced 58 Chapter 3 WAN and Dial Backup Setup Figure 11 Menu 2.1 advanced WAN setup Menu 2.1 - Advanced WAN Setup AT Command Strings: Call Control: Dial= atdt Dial Timeout(sec)= 60 Drop= ~~+++~~ath Retry Count= 0 Answer= ata Retry Interval(sec)= N/A Drop Timeout(sec)= 20 Drop DTR When Hang Up= Yes Call Back Delay(sec)= 15 AT Response Strings: CLID= NMBR = Called Id= Speed= CONNECT Press ENTER to Confirm or ESC to Cancel: Table 8 describes the fields in Figure 11. Table 8 Advanced WAN port setup: AT commands fields Field Description Default Dial Enter the AT Command string to make a call. atdt Drop Enter the AT Command string to drop a call. ~ +++ath represents a one second wait. For example, ~~~+++~~ath can be used if your modem has a slow response time. Answer Enter the AT Command string to answer a call. Drop DTR When Hang Up Press the [SPACE BAR] to choose either Yes or No. When Yes is selected (the default), the DTR (Data Yes Terminal Ready) signal is dropped after the “AT Command String: Drop” is sent out. AT Command Strings: ata AT Response String: NN47922-501 CLID (Calling Line Identification) Enter the keyword that precedes the CLID (Calling NMBR = Line Identification) in the AT response string. This lets the Business Secure Router capture the CLID in the AT response string that comes from the WAN device. CLID is required for CLID authentication. Called Id Enter the keyword preceding the dialed number. TO Chapter 3 WAN and Dial Backup Setup 59 Table 8 Advanced WAN port setup: AT commands fields Field Description Default Speed Enter the keyword preceding the connection speed. CONNECT Dial Timeout (sec) Enter a number of seconds for the Business Secure Router to keep trying to set up an outgoing call before timing out (stopping). The Business Secure Router times out and stops if it cannot set up an outgoing call within the timeout value. 60 seconds Retry Count Enter a number of times for the Business Secure Router to retry a busy or no-answer phone number before blacklisting the number. 0 to disable the blacklist control Retry Interval (sec) Enter a number of seconds for the Business Secure Router to wait before trying another call after a call has failed. This applies before a phone number is blacklisted. Drop Timeout (sec) Enter a number of seconds for the Business Secure Router to wait before dropping the DTR signal if it does not receive a positive disconnect confirmation. 20 seconds Call Back Delay (sec) Enter a number of seconds for the Business Secure Router to wait between dropping a callback request call and dialing the corresponding callback call. 15 seconds Call Control Remote node profile (Backup ISP) Enter 2 in Menu 11 Remote Node Setup to open Menu 11.2 Remote Node Profile (Backup ISP) (Figure 12) and configure the setup for your Dial Backup port connection. This feature is not available on all models. Nortel Business Secure Router 222 Configuration — Advanced 60 Chapter 3 WAN and Dial Backup Setup Figure 12 Menu 11.2 remote node profile (Backup ISP) Menu 11.2 - Remote Node Profile (Backup ISP) Rem Node Name= GUI Active= No Outgoing: My Login= My Password= ******** Retype to Confirm= ******** Authen= CHAP/PAP Pri Phone #= ? Sec Phone #= Edit PPP Options= No Rem IP Addr= 0.0.0.0 Edit IP= No Edit Script Options= No Telco Option: Allocated Budget(min)= 0 Period(hr)= 0 Schedules= Nailed-Up Connection= No Session Options: Edit Filter Sets= No Idle Timeout(sec)= 100 Press ENTER to Confirm or ESC to Cancel: Press ENTER to Confirm or ESC to Cancel: Table 10 describes the fields in Figure 12. Table 9 Fields in menu 11.2 remote node profile (Backup ISP) Field Description Example Rem Node Name Enter a descriptive name for the remote node. This field LAoffice can be up to eight characters. Active Press [SPACE BAR] and then [ENTER] to select Yes to Yes enable the remote node or No to disable the remote node. Outgoing NN47922-501 My Login Enter the login name assigned by your ISP for this remote node. jim My Password Enter the password assigned by your ISP for this remote ***** node. Retype to Confirm Type the password again to make sure you have it correct. ***** Chapter 3 WAN and Dial Backup Setup 61 Table 9 Fields in menu 11.2 remote node profile (Backup ISP) Field Description Example Authen This field sets the authentication protocol used for outgoing calls. Options for this field are: CHAP/PAP - Your Business Secure Router will accept either CHAP or PAP when requested by this remote node. CHAP - accept CHAP only. PAP - accept PAP only. CHAP/PAP Pri Phone # Sec Phone # Enter the first (primary) phone number from the ISP for this remote node. If the Primary Phone number is busy or does not answer, your Business Secure Router dials the Secondary Phone number, if available. Some areas require dialing the pound sign # before the phone number for local calls. Include a # symbol at the beginning of the phone numbers as required. Edit PPP Options Move the cursor to this field and use the space bar to No select [Yes] and press [Enter] to edit the PPP options for (default) this remote node. This brings you to Menu 11.2.1 Remote Node PPP Options (See “Editing PPP options” on page 62). Rem IP Addr Leave the field set to 0.0.0.0 (default) if the remote gateway has a dynamic IP address. Enter the remote gateway’s IP address here if it is static. Edit IP This field leads to a “hidden” menu. Press [SPACE BAR] No to select Yes and press [ENTER] to go to Menu 11.2.2 - (default) Remote Node Network Layer Options. See “Editing TCP/IP options” on page 63 for more information. Edit Script Options Press [SPACE BAR] to select Yes and press [ENTER] to No edit the AT script for the dial backup remote node (Menu (default) 11.2.3 - Remote Node Script). See “Editing logon script” on page 66 for more information. 0.0.0.0 (default) Telco Option Allocated Budget Enter the maximum number of minutes that this remote 0 node can be called within the time period configured in (default) the Period field. The default for this field is 0, meaning there is no budget control and no time limit for accessing this remote node. Period(hr) Enter the time period (in hours) for how often the budget 0 should be reset. For example, to allow calls to this (default) remote node for a maximum of 10 minutes every hour, set the Allocated Budget to 10 (minutes) and the Period to 1 (hour). Nortel Business Secure Router 222 Configuration — Advanced 62 Chapter 3 WAN and Dial Backup Setup Table 9 Fields in menu 11.2 remote node profile (Backup ISP) Field Description Example Schedules You can apply up to four schedule sets here. For more details, refer to Chapter 18, “Call scheduling,” on page 213. 1,3,5 Nailed-Up Connection Press [SPACE BAR] to select Yes to set this connection No to always be on, regardless of whether or not there is (default) any traffic. Select No to have this connection act as a dial-up connection. Session Options Edit Filter sets This field leads to another “hidden” menu. Use No [SPACE BAR] to select Yes and press [ENTER] to open (default) menu 11.2.4 to edit the filter sets. See “Remote node filter” on page 69 for more details. Idle Timeout Enter the number of seconds of idle time (when there is 100 no traffic from the Business Secure Router to the remote seconds node) that can elapse before the Business Secure (default) Router automatically disconnects the PPP connection. This option only applies when the Business Secure Router initiates the call. After you configure this menu, press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel. Editing PPP options The Business Secure Router dial back-up feature uses PPP. To edit the remote node PPP options, move the cursor to the [Edit PPP Options] field in Menu 11.2 - Remote Node Profile, and use the space bar to select [Yes]. Press [Enter] to open Menu 11.2.1 as shown in Figure 13. NN47922-501 Chapter 3 WAN and Dial Backup Setup 63 Figure 13 Menu 11.2.1: Remote node PPP options Menu 11.2.1 - Remote Node PPP Options Encapsulation= Standard PPP Compression= No Enter here to CONFIRM or ESC to CANCEL: Press Space Bar to Toggle. Table 10 describes the Remote Node PPP Options Menu, and contains instructions about how to configure the PPP options fields. Table 10 Remote node PPP options menu fields FIELD DESCRIPTION EXAMPLE Encapsulation Press [SPACE BAR] and then [ENTER] to select Standard PPP CISCO PPP if your Dial Backup WAN device uses (default) Cisco PPP encapsulation, otherwise select Standard PPP. Compression Press [SPACE BAR] and then [ENTER] to select Yes to enable or No to disable Stac compression. No (default) Editing TCP/IP options Move the cursor to the Edit IP field in menu 11.2, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.2.2 - Network Layer Options. Nortel Business Secure Router 222 Configuration — Advanced 64 Chapter 3 WAN and Dial Backup Setup Figure 14 Menu 11.2.2: remote node network layer options Menu 11.2.2 - Remote Node Network Layer Options IP Address Assignment= Dynamic Rem IP Addr= 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0 Network Address Translation= None Metric= 15 Private= No RIP Direction= Both Version= RIP-2B Multicast= None Enter here to CONFIRM or ESC to CANCEL: Table 11 describes the fields in Figure 14. Table 11 Remote node network layer options menu fields Field Description IP Address Assignment If your ISP did not assign you an explicit IP address, press Dynamic [SPACE BAR] and then [ENTER] to select Dynamic; (default) otherwise select Static and enter the IP address & subnet mask in the following fields. Rem IP Address Leave this field set to 0.0.0.0 to have the ISP or other remote router dynamically (automatically) send its IP address if you do not know it. Enter the remote gateway’s IP address here if you know it (static). Rem Subnet Mask Leave this field set to 0.0.0.0 to have the ISP or other 0.0.0.0 remote router dynamically send its subnet mask if you do (default) not know it. Enter the remote gateway’s subnet mask here if you know it (static). My WAN Addr Leave the field set to 0.0.0.0 to have the ISP or other remote router dynamically (automatically) assign your WAN IP address if you do not know it. Enter your WAN IP address here if you know it (static). This is the address assigned to your local Business Secure Router, not the remote router. NN47922-501 Example 0.0.0.0 (default) 0.0.0.0 (default) Chapter 3 WAN and Dial Backup Setup 65 Table 11 Remote node network layer options menu fields Field Description Example Network Address Translation With Network Address Translation (NAT), you can None translate an Internet protocol address used within one (default) network (for example a private IP address used in a local network) to a different IP address known within another network (for example, a public IP address used on the Internet). Press [SPACE BAR] and then [ENTER] to select either Full Feature, None or SUA Only. Choose None to disable NAT. Choose SUA Only if you have a single public IP address. SUA (Single User Account) is a subset of NAT that supports two types of mapping: Many-to-One and Server. Choose Full Feature if you have multiple public IP addresses. Full Feature mapping types include: One-to-One, Many-to-One (SUA/PAT), Many-to-Many Overload, Many- One-to-One and Server. When you select Full Feature you must configure at least one address mapping set! See Chapter 9, “Network Address Translation (NAT),” on page 107 for a full discussion on this feature. Metric Enter a number from 1 to 15 to set this route’s priority. The 15 smaller the number, the higher priority the route has. (default) Private This parameter determines if the Business Secure Router No includes the route to this remote node in its RIP (default) broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts. If No, the route to this remote node is propagated to other hosts through RIP broadcasts. RIP Direction Press [SPACE BAR] and then [ENTER] to select the RIP direction from Both/ None/In Only/Out Only and None. Both (default) Version Press [SPACE BAR] and then [ENTER] to select the RIP version from RIP-1/RIP-2B/RIP-2M. RIP-1 Multicast IGMP (Internet Group Multicast Protocol) is a None network-layer protocol used to establish membership in a (default) Multicast group. The Business Secure Router supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2). Press the [SPACE BAR] to enable IP Multicasting or select None to disable it. See Chapter 4, “LAN setup,” on page 71 for more information on this feature. Once you have completed filling in Menu 11.2.2 Remote Node Network Layer Options, press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration and return to menu 11.2, or press [ESC] at any time to cancel. Nortel Business Secure Router 222 Configuration — Advanced 66 Chapter 3 WAN and Dial Backup Setup Editing logon script For some remote gateways, text logon is required before PPP negotiation is started. The Business Secure Router provides a script facility for this purpose. The script has six programmable sets; each set is composed of an Expect string and a ‘Send’ string. After matching a message from the server to the ‘Expect’ field, the Business Secure Router returns the set’s Send string to the server. For instance, a typical logon sequence starts with the server printing a banner, a logon prompt for you to enter the username and a password prompt to enter the password: Welcome to Acme, Inc. Login: myLogin Password: To handle the first prompt, you specify ogin: as the Expect string and myLogin as the Send string in set 1. The reason for leaving out the leading L is to avoid having to know exactly whether it is upper or lower case. Similarly, you specify word: as the Expect string and your password as the Send string for the second prompt in set 2. You can use two variables, $USERNAME and $PASSWORD (all upper case), to represent the actual username and password in the script, so they do not show in clear text. They are replaced with the outgoing login name and password in the remote node when the Business Secure Router sees them in a ‘Send’ string. Note that both variables must be entered exactly as shown. No other characters can appear before or after, either, i.e., they must be used alone in response to logon and password prompts. Note that the ordering of the sets is significant, i.e., starting from set 1, the Business Secure Router waits until the ‘Expect’ string is matched before it proceeds to set 2, and so on for the rest of the script. When both the ‘Expect’ and the ‘Send’ fields of the current set are empty, the Business Secure Router terminates the script processing and start PPP negotiation. This implies two things: first, the sets must be contiguous; the sets after an empty one are ignored. Second, the last set must match the final message sent by the server. For instance, if the server prints: NN47922-501 Chapter 3 WAN and Dial Backup Setup 67 login successful. Starting PPP... after you enter the password, then you must create a third set to match the final “PPP...” but without a “Send” string. Otherwise, the Business Secure Router starts PPP prematurely right after sending your password to the server. If there are errors in the script and it gets stuck at a set for longer than the “Dial Timeout” in menu 2 (default 60 seconds), the Business Secure Router times out and drops the line. To debug a script, go to Menu 24.4 to initiate a manual call and watch the trace display to see if the sequence of messages and prompts from the server differs from what you expect. Nortel Business Secure Router 222 Configuration — Advanced 68 Chapter 3 WAN and Dial Backup Setup Figure 15 Menu 11.2.3: remote node setup script Menu 11.2.3 - Remote Node Script Active= No Set 1: Set 5: Expect= Expect= Send= Send= Set 2: Set 6: Expect= Expect= Send= Send= Set 3: Expect= Send= Set 4: Expect= Send= Enter here to CONFIRM or ESC to CANCEL: Press Space Bar to Toggle. Table 12 describes the fields in Figure 15. Table 12 Menu 11.2.3: remote node script menu fields Field Description Active Press [SPACE BAR] and then [ENTER] to select either No Yes to enable the AT strings or No to disable them. (default) Set 1-6: Expect Enter an Expect string to match. After matching the Expect string, the Business Secure Router returns the string in the Send field. Set 1-6: Send Enter a string to send out after the Expect string is matched. NN47922-501 Example 0.0.0.0 Chapter 3 WAN and Dial Backup Setup 69 Remote node filter Move the cursor to the field Edit Filter Sets in menu 11.2, and then press [SPACE BAR] to set the value to Yes. Press [ENTER] to open Menu 11.2.4 Remote Node Filter. Use menu 11.2.4 to specify the filter sets to apply to the incoming and outgoing traffic between this remote node and the Business Secure Router to prevent certain packets from triggering calls. You can specify up to four filter sets separated by commas, for example, 1, 5, 9, 12, in each filter field. Note that spaces are accepted in this field. Refer to Chapter 11, “Filter configuration,” on page 135 for more information about defining the filters. Figure 16 Menu 11.2.4: dial backup remote node filter Menu 11.2.4 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL: Nortel Business Secure Router 222 Configuration — Advanced 70 Chapter 3 WAN and Dial Backup Setup NN47922-501 71 Chapter 4 LAN setup This chapter describes how to configure the LAN using Menu 3: LAN Setup. Introduction to LAN setup This section describes how to configure the Business Secure Router for LAN connections. Accessing the LAN menus From the main menu, enter 3 to open Menu 3 – LAN setup Figure 17 Menu 3: LAN setup. Menu 3 - LAN Setup 1. LAN Port Filter Setup 2. TCP/IP and DHCP Setup Enter Menu Selection Number: LAN port filter setup With Menu 3, you can specify the filter sets that you wish to apply to the LAN traffic. You seldom need to filter the LAN traffic, however, the filter sets are useful to block certain packets, reduce traffic, and prevent security breaches. Nortel Business Secure Router 222 Configuration — Advanced 72 Chapter 4 LAN setup Figure 18 Menu 3.1: LAN port filter setup Menu 3.1 – LAN Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: TCP/IP and DHCP ethernet setup menu From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup. Figure 19 Menu 3: TCP/IP and DHCP setup Menu 3 - LAN Setup 1. LAN Port Filter Setup 2. TCP/IP and DHCP Setup Enter Menu Selection Number: From menu 3, select the submenu option TCP/IP and DHCP Setup and press [ENTER]. The screen now displays Menu 3.2: TCP/IP and DHCP Ethernet Setup, as shown in Figure 20. NN47922-501 Chapter 4 LAN setup 73 Figure 20 Figure 21-4 menu 3.2: TCP/IP and DHCP Ethernet setup Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP= Server TCP/IP Setup: Client IP Pool: Starting Address= 192.168.1.2 IP Address= 192.168.1.1 Size of Client IP Pool= 126 IP Subnet Mask= 255.255.255.0 First DNS Server= From ISP RIP Direction= None IP Address= N/A Version= N/A Second DNS Server= From ISP Multicast= None IP Address= N/A Edit IP Alias= No Third DNS Server= From ISP IP Address= N/A DHCP Server Address= N/A Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. Follow the instructions in Table 13 to configure the DHCP fields. Table 13 DHCP Ethernet setup menu fields Field Description Example DHCP This field enables and disables the DHCP server. If set to Server, your Business Secure Router will act as a DHCP server. If set to None, the DHCP server will be disabled. Server This field specifies the first of the contiguous addresses in the IP address pool. 192.168.1.2 Configuration: Client IP Pool Starting Address Nortel Business Secure Router 222 Configuration — Advanced 74 Chapter 4 LAN setup Table 13 DHCP Ethernet setup menu fields NN47922-501 Field Description Example Size of Client IP Pool This field specifies the size or count of the IP address pool. 126 First DNS Server Second DNS Server Third DNS Server The Business Secure Router passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. Select From ISP if your ISP dynamically assigns DNS server information (and the Business Secure Router's WAN IP address). The IP Address field below displays the (read-only) DNS server IP address that the ISP assigns. If you chose From ISP, but the Business Secure Router has a fixed WAN IP address, From ISP changes to None after you save your changes. If you chose From ISP for the second or third DNS server, but the ISP does not provide a second or third IP address, From ISP changes to None after you save your changes. Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the IP Address field below. If you chose User-Defined, but leave the IP address set to 0.0.0.0, User-Defined changes to None after you save your changes. If you set a second choice to User-Defined, and enter the same IP address, the second User-Defined changes to None after you save your changes. Select DNS Relay to have the Business Secure Router act as a DNS proxy. The Business Secure Router's LAN IP address displays in the IP Address field below (read-only). The Business Secure Router tells the DHCP clients on the LAN that the Business Secure Router itself is the DNS server. When a computer on the LAN sends a DNS query to the Business Secure Router, the Business Secure Router forwards the query to the Business Secure Router's system DNS server (configured in the SYSTEM General screen) and relays the response back to the computer. You can only select DNS Relay for one of the three servers; if you select DNS Relay for a second or third DNS server, that choice changes to None after you save your changes. Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it. Chapter 4 LAN setup 75 Use the instructions in Table 14 to configure TCP/IP parameters for the LAN port. Table 14 LAN TCP/IP setup menu fields Field Description Example IP Address Enter the IP address of your Business Secure Router in dotted decimal notation. 192.168.1.1 (default) IP Subnet Mask Your Business Secure Router automatically calculates the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the Business Secure Router. 255.255.255.0 RIP Direction Press [SPACE BAR] and then [ENTER] to select Both the RIP direction. Options are: Both, In Only, (default) Out Only or None. Version Press [SPACE BAR] and then [ENTER] to select RIP-1 the RIP version. Options are: (default) RIP-1, RIP-2B or RIP-2M. Multicast IGMP (Internet Group Multicast Protocol) is a None network-layer protocol used to establish membership in a Multicast group. The Business Secure Router supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2). Press [SPACE BAR] and then [ENTER] to enable IP Multicasting or select None (default) to disable it. Edit IP Alias The Business Secure Router supports three logical LAN interfaces via its single physical Ethernet interface with the Business Secure Router itself as the gateway for each LAN network. Press [SPACE BAR] to select Yes and then press [ENTER] to display menu 3.2.1. TCP/IP Setup: Yes IP Alias Setup You must use menu 3.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and third network. Press [ENTER] to open Menu 3.2.1 - IP Alias Setup, as shown in Figure 21. Nortel Business Secure Router 222 Configuration — Advanced 76 Chapter 4 LAN setup Figure 21 Menu 3.2.1: IP Alias setup Menu 3.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Incoming protocol filters= N/A Outgoing protocol filters= N/A IP Alias 2= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Incoming protocol filters= N/A Outgoing protocol filters= N/A Enter here to CONFIRM or ESC to CANCEL: Press Space Bar to Toggle. Use the instructions in Table 15 to configure IP Alias parameters.s Table 15 IP Alias setup menu field NN47922-501 Field Description Example IP Alias Choose Yes to configure the LAN network for the Business Secure Router. Yes IP Address Enter the IP address of your Business Secure Router in dotted decimal notation. 192.168.1.1 IP Subnet Mask Your Business Secure Router automatically calculates the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the Business Secure Router. 255.255.255.0 Chapter 4 LAN setup 77 Table 15 IP Alias setup menu field Field Description Example RIP Direction Press [SPACE BAR] and then [ENTER] to select the RIP direction. Options are Both, In Only, Out Only or None. None Version Press [SPACE BAR] and then [ENTER] to select the RIP version. Options are RIP-1, RIP-2B or RIP-2M. RIP-1 Incoming Protocol Filters Enter the filter sets you wish to apply to the incoming traffic between this node and the Business Secure Router. 1 Outgoing Protocol Filters Enter the filter sets you wish to apply to the outgoing traffic between this node and the Business Secure Router. 2 Nortel Business Secure Router 222 Configuration — Advanced 78 Chapter 4 LAN setup NN47922-501 79 Chapter 5 Internet access This chapter shows you how to configure your Business Secure Router for Internet access. Introduction to internet access setup Use the information from your ISP along with the instructions in this chapter to set up your Business Secure Router to access the Internet. There are three different menu 4 screens, depending on whether you chose Ethernet, PPTP or PPPoE Encapsulation. Contact your ISP to determine which encapsulation type you should use. Ethernet encapsulation If you choose Ethernet in menu 4 you will see Figure 22. Nortel Business Secure Router 222 Configuration — Advanced 80 Chapter 5 Internet access Figure 22 Menu 4: internet access setup (Ethernet) Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server IP= N/A IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network Address Translation= SUA Only Press ENTER to Confirm or ESC to Cancel: Table 16 describes the fields in Figure 22. Table 16 Menu 4: internet access setup menu fields Field Description ISP’s Name Enter the name of your Internet Service Provider, e.g., myISP. This information is for identification purposes only. Encapsulation Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field. Service Type Press [SPACE BAR] and then [ENTER] to select Standard, RR-Toshiba (Road Runner Toshiba authentication method), RR-Manager (Road Runner Manager authentication method) or RR-Telstra. Choose a Road Runner flavor if your ISP is Time Warner's Road Runner; otherwise choose Standard. DSL users must choose the Standard option only. The My Login, My Password and Login Server fields are not applicable in this case. NN47922-501 My Login Enter the logon name given to you by your ISP. My Password Enter the password associated with the login name above. Chapter 5 Internet access 81 Table 16 Menu 4: internet access setup menu fields Field Description Retype to Confirm Enter the password again to make sure that you have entered it correctly. Login Server The Business Secure Router finds the Road Runner Server IP if this field is left blank. If it does not, then you must enter the authentication server IP address. IP Address Assignment If your ISP did not assign you a fixed IP address, press [SPACE BAR] and then [ENTER] to select Dynamic, otherwise select Static and enter the IP address and subnet mask in the following fields. IP Address Enter the (fixed) IP address assigned to you by your ISP (static IP address Assignment is selected in the previous field). IP Subnet Mask Enter the subnet mask associated with your static IP. Gateway IP Address Enter the gateway IP address associated with your static IP. Network Address Translation With the NAT, you can translate an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Choose None to disable NAT. Choose SUA Only if you have a single public IP address. SUA (Single User Account) is a subset of NAT that supports two types of mapping: Many-to-One and Server. Choose Full Feature if you have multiple public IP addresses. Full Feature mapping types include: One-to-One, Many-to-One (SUA/PAT), Many-to-Many Overload, ManyOne-to-One and Server. When you select Full Feature you must configure at least one address mapping set! See Chapter 9, “Network Address Translation (NAT),” on page 107 for a more detailed discussion on the Network Address Translation feature. Configuring the PPTP client Note: The Business Secure Router supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. Nortel Business Secure Router 222 Configuration — Advanced 82 Chapter 5 Internet access After configuring My Login and Password for PPP connection, press [SPACE BAR] and then [ENTER] in the Encapsulation field in Menu 4 -Internet Access Setup to choose PPTP as your encapsulation option. This brings up the screen show in Figure 23. Figure 23 Internet access setup (PPTP) Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= PPTP Service Type= N/A My Login= username My Password= ****** Retype to Confirm= ****** Idle Timeout= 100 IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address=N/A Network Address Translation= SUA Only Press ENTER to Confirm or ESC to Cancel: Table 17 contains instructions about the new fields when you choose PPTP in the Encapsulation field in menu 4. Table 17 New fields in menu 4 (PPTP) Screen Field Description Example Encapsulation Press [SPACE BAR] and then press [ENTER] to choose PPTP. The encapsulation method influences your choices for the IP Address field. PPTP Idle Timeout This value specifies the time, in seconds, that elapses 100 before the Business Secure Router automatically (default) disconnects from the PPTP server. Configuring the PPPoE client If you enable PPPoE in menu 4, you will see the screen in figure 24. For more information about PPPoE, see Appendix E, “PPPoE,” on page 253. NN47922-501 Chapter 5 Internet access 83 Figure 24 Internet access setup (PPPoE) Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= PPPoE Service Type= N/A My Login= My Password= ******** Retype to Confirm= ****** Idle Timeout= 100 IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network Address Translation= Full Feature Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. Table 18 describes the fields in Figure 24. Table 18 New fields in menu 4 (PPPoE) screen Field Description Example Encapsulation Press [SPACE BAR] and then press [ENTER] to choose PPPoE. The encapsulation method influences your choices in the IP Address field. PPPoE Idle Timeout This value specifies the time in seconds that elapses before the Business Secure Router automatically disconnects from the PPPoE server. 100 (default) If you need a PPPoE service name to identify and reach the PPPoE server, go to menu 11 and enter the PPPoE service name provided to you in the Service Name field. Nortel Business Secure Router 222 Configuration — Advanced 84 Chapter 5 Internet access Basic setup complete Well done! You have successfully connected, installed and set up your Business Secure Router to operate on your network, as well as access the Internet. Note: When the firewall is activated, the default policy can communicate to the Internet if the communication originates from the LAN, and blocks all traffic to the LAN that originates from the Internet. You can deactivate the firewall in menu 21.2 or via the Business Secure Router embedded WebGUI. You can also define additional firewall rules or modify existing ones, but exercise extreme caution in doing so. See the chapters on firewalls in Nortel Business Secure Router 222 Configuration — Basics (NN47922-500) for more information on the firewall. NN47922-501 85 Chapter 6 Remote Node setup This chapter shows you how to configure a remote node. Introduction to Remote Node setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use menu 4 to set up Internet access, you are actually configuring a remote node. The following describes how to configure Menu 11.1 Remote Node Profile, Menu 11.1.2 - Remote Node Network Layer Options and Menu 11.1.4 - Remote Node Filter. Remote Node setup From the main menu, select menu option 11 to open Menu 11 Remote Node Setup (Figure 25). Enter 1 to open Menu 11.1 Remote Node Profile and configure the setup for your regular ISP. Enter 2 to open Menu 11.1 Remote Node Profile (Backup ISP) and configure the setup for your Dial Backup port connection. Nortel Business Secure Router 222 Configuration — Advanced 86 Chapter 6 Remote Node setup Figure 25 Menu 11 Remote Node Setup Menu 11 - Remote Node Setup 1. ChangeMe (ISP, SUA) 2. -GUI (BACKUP_ISP, SUA) Enter Node # to Edit: Remote Node profile setup This section explains how to configure the remote node profile menu. Ethernet Encapsulation There are two variations of menu 11.1 depending on whether you choose Ethernet Encapsulation or PPPoE Encapsulation. You must choose the Ethernet option when the WAN port is used as a regular Ethernet. The first menu 11.1 screen you see is for Ethernet encapsulation shown in Figure 26. NN47922-501 Chapter 6 Remote Node setup 87 Figure 26 Menu 11.1: Remote Node profile for Ethernet Encapsulation Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Active= Yes Route= IP Encapsulation= Ethernet Service Type= Standard Service Name= N/A Outgoing: My Login= N/A My Password= N/A Retype to Confirm= N/A Server= N/A Edit IP= No Session Options: Edit Filter Sets= No Edit Traffic Redirect= No Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. Table 19 describes the fields in Figure 26. Table 19 Fields in menu 11.1 Field Description Example Rem Node Name Enter a descriptive name for the remote node. This field can be up to eight characters. LAoffice Active Press [SPACE BAR] and then [ENTER] to select Yes (activate remote node) or No (deactivate remote node). Yes Encapsulation Ethernet is the default encapsulation. Press Ethernet [SPACE BAR] and then [ENTER] to change to PPPoE or PPTP encapsulation. Service Type Press [SPACE BAR] and then [ENTER] to select from Standard Standard, RR-Toshiba (Road Runner Toshiba authentication method) or RR-Manager (Road Runner Manager authentication method). Choose one of the Road Runner methods if your ISP is Time Warner's Road Runner; otherwise choose Standard. Nortel Business Secure Router 222 Configuration — Advanced 88 Chapter 6 Remote Node setup Table 19 Fields in menu 11.1 Field Description Example Service Name If you are using PPPoE encapsulation, then type the name of your PPPoE service here. Only valid with PPPoE encapsulation. poellc Outgoing My Login This field is applicable for PPPoE encapsulation only. Enter the logon name assigned by your ISP when the Business Secure Router calls this remote node. Some ISPs append this field to the Service Name field above (e.g., jim@poellc) to access the PPPoE server. jim My Password Enter the password assigned by your ISP when the Business Secure Router calls this remote node. Valid for PPPoE encapsulation only. ***** Retype to Confirm Type your password again to make sure that you have entered it correctly. ***** Server IP This field is valid only when Road Runner is selected in the Service Type field. The Business Secure Router finds the Road Runner Server IP automatically if this field is left blank. If it does not, then you must enter the authentication server IP address here. Route This field refers to the protocol that is routed by your Business Secure Router. IP Edit IP This field leads to a “hidden” menu. Press [SPACE BAR] to select Yes and press [ENTER] to go to Menu 11.1.2 Remote Node Network Layer Options. No (default) Session Options Edit Filter sets This field leads to another “hidden” menu. Use [SPACE BAR] to select Yes and press [ENTER] to open menu 11.1.4 to edit the filter sets. See “Remote Node filter” on page 95 for more details. No (default) After you configure this menu, press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel. PPPoE Encapsulation The Business Secure Router supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you are using the Business Secure Router with a DSL modem as the WAN device. If you change the Encapsulation to PPPoE, you then see Figure 27. Please see Appendix E, “PPPoE,” on page 253 for more information about PPPoE. NN47922-501 Chapter 6 Remote Node setup 89 Figure 27 Menu 11.1: Remote Node profile for PPPoE Encapsulation Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Active= Yes Route= IP Encapsulation= PPPoE Service Type= Standard Service Name= Outgoing: My Login= My Password= ******** Retype to Confirm= ******** Authen= CHAP/PAP Edit IP= No Telco Option: Allocated Budget(min)= 0 Period(hr)= 0 Schedules= Nailed-Up Connection= No Session Options: Edit Filter Sets= No Idle Timeout(sec)= 100 Edit Traffic Redirect= No Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. Outgoing Authentication Protocol Generally speaking, you must employ the strongest authentication protocol possible. However, some vendors’ implementation includes a specific authentication protocol in the user profile. It disconnects if the negotiated protocol is different from that in the user profile, even when the negotiated protocol is stronger than specified. If you encounter a case where the peer disconnects right after a successful authentication, make sure that you specify the correct authentication protocol when connecting to such an implementation. Nortel Business Secure Router 222 Configuration — Advanced 90 Chapter 6 Remote Node setup Nailed-Up Connection A nailed-up connection is a dial-up line where the connection is always up, regardless of traffic demand. The Business Secure Router does two things when you specify a nailed-up connection. The first is that idle timeout is disabled. The second is that the Business Secure Router tries to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be very expensive. Do not specify a nailed-up connection unless your telephone company offers flat-rate service or you need a constant connection and the cost is of no concern. Table 20 describes the fields specific to PPPoE encapsulation. Table 20 Fields in Menu 11.1 (PPPoE Encapsulation Specific) Field Description Example Authen This field sets the authentication protocol used for CHAP/PAP outgoing calls. Options for this field are: CHAP/PAP - Your Business Secure Router accepts either CHAP or PAP when requested by this remote node. CHAP - accept CHAP only. PAP - accept PAP only. Telco Option NN47922-501 Allocated Budget The field sets a ceiling for outgoing call time for this remote 0 node. The default for this field is 0, meaning no budget (default) control. Period(hr) This field is the time period in which the budget is reset. 0 For example, if we are allowed to call this remote node for (default) a maximum of 10 minutes every hour, then the Allocated Budget is (10 minutes) and the Period(hr) is 1 (hour). Schedules You can apply up to four call schedule sets here. Nailed-Up Connection This field specifies if you want to make the connection to this remote node a nailed-up connection. More details are given earlier in this section. Session Options Idle Timeout Type the length of idle time (when there is no traffic from 100 the Business Secure Router to the remote node) in seconds seconds that can elapse before the Business Secure (default) Router automatically disconnects the PPPoE connection. This option only applies when the Business Secure Router initiates the call. No (default) Chapter 6 Remote Node setup 91 PPTP Encapsulation If you change the Encapsulation to PPTP in menu 11.1, then you will see the next screen. See Appendix F, “PPTP,” on page 257 for information about PPTP. Figure 28 Menu 11.1: Remote Node Profile for PPTP Encapsulation Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Active= Yes Encapsulation= PPTP Service Type= Standard Service Name= N/A Outgoing: My Login= My Password= ******** Retype to Confirm= ******** Authen= CHAP/PAP PPTP: My IP Addr= My IP Mask= Server IP Addr= Connection ID/Name= Route= IP Edit IP= No Telco Option: Allocated Budget(min)= 0 Period(hr)= 0 Schedules= Nailed-Up Connection= No Session Options: Edit Filter Sets= No Idle Timeout(sec)= 100 Edit Traffic Redirect= No Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. Table 21 shows how to configure fields in menu 11.1 not previously discussed. Table 21 Fields in Menu 11.1 (PPTP Encapsulation) Field Description Example Encapsulation Press [SPACE BAR] and then [ENTER] to select PPTP. You must also go to menu 11.1.2 to check the IP Address setting after you select the encapsulation method. PPTP My IP Addr Enter the IP address of the WAN Ethernet port. 10.0.0.140 My IP Mask Enter the subnet mask of the WAN Ethernet port. 255.255.255.0 My Server IP Addr Enter the IP address of the ANT modem. 10.0.0.138 Nortel Business Secure Router 222 Configuration — Advanced 92 Chapter 6 Remote Node setup Table 21 Fields in Menu 11.1 (PPTP Encapsulation) Field Description Example Connection ID/ Name Enter the connection ID or connection name in the N:My ISP ANT. It must follow the “c:id” and “n:name” format. This field is optional and depends on the requirements of your DSL modem. Schedules You can apply up to four call schedule sets here. Nailed-Up Connections Press [SPACE BAR] and then [ENTER] to select Yes if you want to make the connection to this remote node a nailed-up connection. No Edit IP Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.1.2 - Network Layer Options. NN47922-501 Chapter 6 Remote Node setup 93 Figure 29 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation Menu 11.1.2 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= SUA Only Metric= N/A Private= N/A RIP Direction= None Version= N/A Multicast= None Enter here to CONFIRM or ESC to CANCEL: Press Space Bar to Toggle. This menu displays the My WAN Addr field for PPPoE and PPTP encapsulations and Gateway IP Addr field for Ethernet encapsulation. Table 22 describes the fields in Figure 29. Table 22 Remote Node Network Layer Options Menu Fields Field Description Example IP Address Assignment If your ISP did not assign you an explicit IP address, press Dynamic [SPACE BAR] and then [ENTER] to select Dynamic; (default) otherwise select Static and enter the IP address & subnet mask in the following fields. (Rem) IP Address If you have a Static IP Assignment, enter the IP address assigned to you by your ISP. (Rem) IP Subnet Mask If you have a Static IP Assignment, enter the subnet mask assigned to you. Nortel Business Secure Router 222 Configuration — Advanced 94 Chapter 6 Remote Node setup Table 22 Remote Node Network Layer Options Menu Fields NN47922-501 Field Description Example Gateway IP Addr This field is applicable to Ethernet encapsulation only. Enter the gateway IP address assigned to you if you are using a static IP address. My WAN Addr This field is applicable to PPPoE and PPTP encapsulations only. Some implementations, especially the UNIX derivatives, require the WAN link to have a separate IP network number from the LAN and each end must have a unique address within the WAN network number. If this is the case, enter the IP address assigned to the WAN port of your Business Secure Router. Note that this is the address assigned to your local Business Secure Router, not the remote router. Network Address Translation With Network Address Translation (NAT), the device can SUA Only translate an Internet protocol address used within one (default) network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Choose None to disable NAT. Choose SUA Only if you have a single public IP address. SUA (Single User Account) is a subset of NAT that supports two types of mapping: Many-to-One and Server. Choose Full Feature if you have multiple public IP addresses. Full Feature mapping types include: One-to-One, Many-to-One (SUA/PAT), Many-to-Many Overload, Many- One-to-One and Server. When you select Full Feature you must configure at least one address mapping set! See Chapter 9, “Network Address Translation (NAT) for a full discussion on this feature. Metric Enter a number from 1 to 15 to set this route’s priority among the Business Secure Router routes. The smaller the number, the higher priority the route has. Private This field is valid only for PPTP/PPPoE encapsulation. No This parameter determines if the Business Secure Router includes the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast. If No, the route to this remote node is propagated to other hosts through RIP broadcasts. RIP Direction Press [SPACE BAR] and then [ENTER] to select the RIP None direction from Both/ None/In Only/Out Only. The default (default) for RIP on the WAN side is None. Nortel recommends that you do not change this setting. 1 Chapter 6 Remote Node setup 95 Table 22 Remote Node Network Layer Options Menu Fields Field Description Example Version Press [SPACE BAR] and then [ENTER] to select the RIP version from RIP-1/RIP-2B/RIP-2M or None. N/A Multicast IGMP (Internet Group Multicast Protocol) is a None network-layer protocol used to establish membership in a (default) Multicast group. The Business Secure Router supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2). Press [SPACE BAR] to enable IP Multicasting or select None to disable it. After you complete filling in Menu 11.1.2 Remote Node Network Layer Options, press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration and return to menu 11.1, or press [ESC] at any time to cancel. Remote Node filter Move the cursor to the field Edit Filter Sets in menu 11.1, and then press [SPACE BAR] to set the value to Yes. Press [ENTER] to open Menu 11.1.4Remote Node Filter. Use menu 11.1.4 to specify the filter sets to apply to the incoming and outgoing traffic between this remote node and the Business Secure Router to prevent certain packets from triggering calls. You can specify up to 4 filter sets separated by commas, for example, 1, 5, 9, 12, in each filter field. Note that spaces are accepted in this field. For more information about defining the filters, refer to Chapter 11, “Filter configuration,” on page 135. For PPPoE or PPTP encapsulation, you have the additional option of specifying remote node call filter sets. Nortel Business Secure Router 222 Configuration — Advanced 96 Chapter 6 Remote Node setup Figure 30 Menu 11.1.4: Remote Node filter (Ethernet Encapsulation) Menu 11.1.4 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL: Figure 31 Menu 11.1.4: Remote Node filter (PPPoE or PPTP Encapsulation) Menu 11.1.4 - Remote Node Filter Input Filter Sets: protocol filters= Device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= Device filters= Enter here to CONFIRM or ESC to CANCEL: To configure the parameters for traffic redirect, enter 11 from the main menu to display Menu 11.1—Remote Node Profile as shown in Figure 32. NN47922-501 Chapter 6 Remote Node setup 97 Figure 32 Menu 11.1: Remote Node Profile Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Active= Yes Route= IP Encapsulation= Ethernet Service Type= Standard Service Name= N/A Outgoing: My Login= N/A My Password= N/A Retype to Confirm= N/A Server= N/A Edit IP= No Session Options: Edit Filter Sets= No Edit Traffic Redirect= No Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. To configure traffic redirect properties, press [SPACE BAR] to select Yes in the Edit Traffic Redirect field and then press [ENTER]. Table 23 Menu 11.1: Remote Node profile (Traffic Redirect Field) Field Description Edit Traffic Redirect Press [SPACE BAR] to select Yes or No. Select No (default) if you do not want to configure this feature. Select Yes and press [ENTER] to configure Menu 11.1.5 — Traffic Redirect Setup. Example Yes Press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel. Nortel Business Secure Router 222 Configuration — Advanced 98 Chapter 6 Remote Node setup Traffic Redirect setup Configure parameters that determine when the Business Secure Router forwards WAN traffic to the backup gateway using Menu 11.1.5 — Traffic Redirect Setup. Figure 33 Menu 11.1.5: Traffic Redirect setup Menu 11.1.5 - Traffic Redirect Setup Active= Yes Configuration: Backup Gateway IP Address= 0.0.0.0 Metric= 15 Check WAN IP Address= 0.0.0.0 Fail Tolerance= 3 Period (sec)= 5 Timeout (sec)= 3 Press ENTER to Confirm or ESC to Cancel: Table 24 describes the fields in Figure 33. Table 24 Menu 11.1.5: Traffic Redirect setup Field Description Example Active Press [SPACE BAR] and select Yes (to enable) or No (to disable) traffic redirect setup. The default is No. Yes Configuration: NN47922-501 Backup Gateway IP Address Enter the IP address of your backup gateway in dotted 0.0.0.0 decimal notation. The Business Secure Router automatically forwards traffic to this IP address if the Business Secure Router Internet connection terminates. Metric Enter a number from 1 to 15 to set this route’s priority among the Business Secure Router routes. The smaller the number, the higher priority the route has. 15 (default) Chapter 6 Remote Node setup 99 Table 24 Menu 11.1.5: Traffic Redirect setup Field Description Example Check WAN IP Address Enter the IP address of a reliable nearby computer (for example, your ISP’s DNS server address) to test your Business Secure Router’s WAN accessibility. The Business Secure Router uses the default gateway IP address if you do not enter an IP address here. If you are using PPTP or PPPoE Encapsulation, enter 0.0.0.0 to configure the Business Secure Router to check the PVC (Permanent Virtual Circuit) or PPTP tunnel. 0.0.0.0 Fail Tolerance Enter the number of times your Business Secure Router 3 can attempt and fail to connect to the Internet before traffic is forwarded to the backup gateway. A good number is 2 to 5 seconds. Period (sec) Enter the time interval (in seconds) between WAN connection checks. A good number is 5 to 60 seconds. Timeout (sec) Enter the number of seconds the Business Secure Router waits for a ping response from the IP Address in the Check 3 WAN IP Address field before it times out. The number in this field should be less than the number in the Period field. A good number is 3 to 50 seconds. The WAN connection is considered “down” after the Business Secure Router times out the number of times specified in the Fail Tolerance field. 5 After you complete this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen. Nortel Business Secure Router 222 Configuration — Advanced 100 Chapter 6 Remote Node setup NN47922-501 101 Chapter 7 IP Static Route Setup This chapter shows you how to configure static routes with your Business Secure Router. IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown in Figure 34 to configure IP static routes in menu 12. 1. Note: The “Reserved” static route entry is for the default WAN route. You cannot modify or delete a static default route. Figure 34 Menu 12: IP Static Route Setup Menu 12 - IP Static Route Setup 1. Reserved 2. ________ 3. ________ 4. ________ 5. ________ 6. ________ 7. ________ 8. ________ 9. ________ 10. ________ 11. ________ Nortel Business Secure Router 222 Configuration — Advanced 102 Chapter 7 IP Static Route Setup 12. ________ Enter selection number: Now, enter the index number of the static route that you want to configure. Figure 35 Menu 12. 1: Edit IP Static Route Menu 12.1 - Edit IP Static Route Route #: 2 Route Name= ? Active= No Destination IP Address= ? IP Subnet Mask= ? Gateway IP Address= ? Metric= 2 Private= No Press ENTER to CONFIRM or ESC to CANCEL: Table 25 describes the IP Static Route Menu fields. Table 25 IP Static Route Menu Fields NN47922-501 Field Description Route # This is the index number of the static route that you chose in menu 12. Route Name Enter a descriptive name for this route. This is for identification purposes only. Active This field allows you to activate or deactivate this static route. Destination IP Address This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the network number to be identical to the host ID. IP Subnet Mask Enter the IP subnet mask for this destination. Gateway IP Address Enter the IP address of the gateway. The gateway is an immediate neighbor of your Business Secure Router that forwards the packet to the destination. On the LAN, the gateway must be a router on the same segment as your Business Secure Router; over the WAN, the gateway must be the IP address of one of the remote nodes. Chapter 7 IP Static Route Setup 103 Table 25 IP Static Route Menu Fields Field Description Metric Enter a number from 1 to 15 to set the priority for the route among the Business Secure Router routes. The smaller the number, the higher priority the route has. Private This parameter determines if the Business Secure Router includes the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast. If No, the route to this remote node is propagated to other hosts through RIP broadcasts. After you complete filling in this menu, press [ENTER] at the message “Press ENTER to Confirm…” to save your configuration, or press [ESC] to cancel. Nortel Business Secure Router 222 Configuration — Advanced 104 Chapter 7 IP Static Route Setup NN47922-501 105 Chapter 8 Dial-in User Setup This chapter shows you how to create user accounts on the Business Secure Router. Dial-in User Setup By storing user profiles locally, your Business Secure Router can authenticate users without interacting with a network RADIUS server. Follow the steps below to set up user profiles on your Business Secure Router. From the main menu, enter 14 to display Menu 14 - Dial-in User Setup. Figure 36 Menu 14- Dial-in User Setup Menu 14 - Dial-in User Setup 1. 2. 3. 4. 5. 6. 7. 8. ________ ________ ________ ________ ________ ________ ________ ________ 9. 10. 11. 12. 13. 14. 15. 16. ________ ________ ________ ________ ________ ________ ________ ________ 17. 18. 19. 20. 21. 22. 23. 24. ________ ________ ________ ________ ________ ________ ________ ________ 25. 26. 27. 28. 29. 30. 31. 32. ________ ________ ________ ________ ________ ________ ________ ________ Enter Menu Selection Number: Type a number and press [ENTER] to edit the user profile. Nortel Business Secure Router 222 Configuration — Advanced 106 Chapter 8 Dial-in User Setup Figure 37 Menu 14.1- Edit Dial-in User Menu 14.1 - Edit Dial-in User User Name= test Active= Yes Password= ******** Press ENTER to Confirm or ESC to Cancel: Leave name field blank to delete profile Table 26 describes the fields in Figure 37. Table 26 Menu 14.1- Edit Dial-in User Field Description User Name Enter a username up to 31 alphanumeric characters long for this user profile. This field is case sensitive. Active Press [SPACE BAR] to select Yes and press [ENTER] to enable the user profile. Password Enter a password up to 31 characters long for this user profile. After you complete this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen. NN47922-501 107 Chapter 9 Network Address Translation (NAT) This chapter discusses how to configure NAT on the Business Secure Router. Using NAT Note: You must create a firewall rule in addition to setting up SUA/ NAT, to allow traffic from the WAN to be forwarded through the Business Secure Router. SUA (Single User Account) Versus NAT SUA (Single User Account) is an implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. For a detailed description of NAT set for SUA, see“Address Mapping Sets” on page 110. The Business Secure Router also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types. Note: Choose SUA Only if you have just one public WAN IP address for your Business Secure Router. Choose Full Feature if you have multiple public WAN IP addresses for your Business Secure Router. Applying NAT You apply NAT via menus 4 or 11.1.2 (Figure 39 on page 109). Figure 38 shows you how to apply NAT for Internet access in menu 4. Enter 4 from the main menu to go to Menu 4 - Internet Access Setup. Nortel Business Secure Router 222 Configuration — Advanced 108 Chapter 9 Network Address Translation (NAT) Figure 38 Menu 4: Applying NAT for Internet Access Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network Address Translation= SUA Only Press ENTER to Confirm or ESC to Cancel: Press ENTER to Confirm or ESC to Cancel: Figure 39 shows how you apply NAT to the remote node in menu 11.1. Enter 11 from the main menu. Move the cursor to the Edit IP field, press [SPACE BAR] to select Yes and then press [ENTER] to bring up Menu 11.1.2 - Remote Node Network Layer Options. NN47922-501 Chapter 9 Network Address Translation (NAT) 109 Figure 39 Menu 11.1.2: Applying NAT to the Remote Node Menu 11.1.2 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= Full Feature Metric= N/A Private= N/A RIP Direction= None Version= N/A Multicast= None Enter here to CONFIRM or ESC to CANCEL: Table 27 describes the fields in Figure 39. Table 27 Applying NAT in Menus 4 & 11.1.2 Field Description Options Network Address Translation When you select this option the SMT uses Address Mapping Set 1 (menu 15.1 - “Address Mapping Sets” on page 110 for further discussion). Choose Full Feature if you have multiple public WAN IP addresses for your Business Secure Router. When you select Full Feature you must configure at least one address mapping set! Full Feature NAT is disabled when you select this option. None When you select this option the SMT uses Address Mapping Set 255 (menu 15.1 - “Address Mapping Sets” on page 110). Choose SUA Only if you have just one public WAN IP address for your Business Secure Router. SUA Only Nortel Business Secure Router 222 Configuration — Advanced 110 Chapter 9 Network Address Translation (NAT) NAT setup Use the address mapping sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN. You can see two NAT address mapping sets in menu 15.1. You can only configure Set 1. Set 255 is used for SUA. When you select Full Feature in menu 4 or 11.1.2, the SMT uses Set 1. When you select SUA Only, the SMT uses the pre-configured Set 255 (read only). The server set is a list of LAN servers mapped to external ports. To use this set, a server rule must be set up inside the NAT address mapping set. To configure NAT, enter 15 from the main menu to bring up the screen shown in Figure 40. Figure 40 Menu 15: NAT Setup Menu 15 — NAT Setup 1. Address Mapping Sets 2. Port Forwarding Setup 3. Trigger Port Setup Enter Menu Selection Number: Note: Configure LAN IP addresses in NAT menus 15.1 and 15.2. Address Mapping Sets Enter 1 to bring up Menu 15.1—Address Mapping Sets. NN47922-501 Chapter 9 Network Address Translation (NAT) 111 Figure 41 Menu 15.1: Address Mapping Sets Menu 15.1 — Address Mapping Sets 1. NAT_SET 255. SUA (read only) Enter Menu Selection Number: SUA Address Mapping Set Enter 255 to display the screen shown in Figure 42 (see “SUA (Single User Account) Versus NAT” on page 107). The fields in this menu cannot be changed. Nortel Business Secure Router 222 Configuration — Advanced 112 Chapter 9 Network Address Translation (NAT) Figure 42 Menu 15.1.255: SUA Address Mapping Rules Menu 15.1.255 - Address Mapping Rules Set Name= SUA Idx Local Start IP Local End IP --- --------------- --------------- 0.0.0.0 255.255.255.255 1. 2. Global Start IP --------------- Global End IP Type --------------- ------ 0.0.0.0 M-1 0.0.0.0 Server 3. 4. 5. 6. 7. 8. 9. 10. Press ENTER to Confirm or ESC to Cancel: Table 28 explains the fields in Figure 42. Note: Menu 15.1.255 is read-only. Table 28 SUA Address Mapping Rules NN47922-501 Field Description Example Set Name This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to create. SUA Idx This is the index or rule number. 1 Local Start IP Local Start IP is the starting local IP address (ILA). 0.0.0.0 Chapter 9 Network Address Translation (NAT) 113 Table 28 SUA Address Mapping Rules Field Description Example Local End IP Local End IP is the ending local IP address (ILA). If 255.255.255.255 the rule is for all local IPs, then the start IP is 0.0.0.0 and the end IP is 255.255.255.255. Global Start IP This is the starting global IP address (IGA). If you 0.0.0.0 have a dynamic IP, enter 0.0.0.0 as the Global Start IP. Global End IP This is the ending global IP address (IGA). Type These are the mapping types discussed above. With Server Server, you can specify multiple servers of different types behind NAT to this machine. Examples is found in the section “General NAT examples” on page 121. After you configure a rule in this menu, press [ENTER] at the message “Press ENTER to Confirm…” to save your configuration, or press [ESC] to cancel. User-Defined Address Mapping Sets Go to menu 15.1. Enter 1 to bring up the menu shown in figure below. Look at the differences from the previous menu. Note the extra Action and Select Rule fields means you can configure rules in this screen. Note also that the [?] in the Set Name field means that this is a required field and you must enter a name for the set. Note: The entire set is deleted if you leave the Set Name field blank and press [ENTER] at the bottom of the screen. Nortel Business Secure Router 222 Configuration — Advanced 114 Chapter 9 Network Address Translation (NAT) Figure 43 Menu 15.1.1: First Set Menu 15.1.1 - Address Mapping Rules Set Name= NAT_SET Idx Local Start IP Local End IP --- --------------- --------------- Global Start IP --------------- Global End IP Type --------------- ------ 1. 2 3. 4. 5. 6. 7. 8. 9. 10. Action= Edit Select Rule= Press ENTER to Confirm or ESC to Cancel: Note: The Type, Local and Global Start/End IPs are configured in menu 15.1.1.1 (described later) and the values are displayed on the screen shown in Figure 44. Ordering Your Rules Ordering your rules is important because the Business Secure Router applies the rules in the order that you specify. When a rule matches the current packet, the Business Secure Router takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your new configured rule, your configured rule is pushed up by that number of empty rules. For example, if you NN47922-501 Chapter 9 Network Address Translation (NAT) 115 have already configured rules 1 to 6 in your current set and now you configure rule number 9. In the set summary screen, the new rule will be rule 7, not 9. If you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so as old rule 5 becomes rule 4, old rule 6 becomes rule 5 and old rule 7 becomes rule 6. Table 29 Fields in menu 15.1.1 Field Description Example Set Name Enter a name for this set of rules. This is a required field. If this field is left blank, the entire set is deleted. NAT_SET Action The default is Edit. Edit means you want to edit a selected Edit rule (see following field). Insert Before means to insert a rule before the rule selected. The rules after the selected rule are then moved down by one rule. Delete means to delete the selected rule and all the rules after the selected one advance one rule. None disables the Select Rule item. Select Rule When you choose Edit, Insert Before or Delete in the 1 previous field, the cursor jumps to this field so you can select the rule to apply the action in question. Note: You must press [ENTER] at the bottom of the screen to save the whole set. You must do this again if you make any changes to the set – including deleting a rule. No changes to the set take place until this action is taken. Selecting Edit in the Action field and then selecting a rule brings up the menu shown in Figure 44, Menu 15.1.1.1 - Address Mapping Rule in which you can edit an individual rule and configure the Type, Local and Global Start/End IPs. Note: An IP End address must be numerically greater than its corresponding IP Start address. Nortel Business Secure Router 222 Configuration — Advanced 116 Chapter 9 Network Address Translation (NAT) Figure 44 Menu 15.1.1.1: Editing or configuring an individual rule in a set Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= End = N/A Global IP: Start= End = N/A Press ENTER to Confirm or ESC to Cancel: Table 30 describes the fields in Figure 44. Table 30 Menu 15.1.1.1: Editing or configuring an individual rule in a set Field Description Example Type Press [SPACE BAR] and then [ENTER] to select from a total of five types. If you choose Server, you can specify multiple servers of different types behind NAT to this computer. See “Example 3: Multiple public IP addresses with inside servers” on page 124 for an example. One-to-On e Local IP Only local IP fields are N/A for server; Global IP fields must be set for Server. Enter the starting local IP address (ILA). 0.0.0.0 Start End NN47922-501 Enter the ending local IP address (ILA). If the rule is for all N/A local IPs, then put the Start IP as 0.0.0.0 and the End IP as 255.255.255.255. This field is N/A for One-to-One and Server types. Chapter 9 Network Address Translation (NAT) 117 Table 30 Menu 15.1.1.1: Editing or configuring an individual rule in a set Field Global IP Start End Description Example Enter the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global IP Start. Note that Global IP Start can be set to 0.0.0.0 only if the types are Many-to-One or Server. 0.0.0.0 Enter the ending global IP address (IGA). This field is N/A for N/A One-to-One, Many-to-One and Server types. After you finish configuring a rule in this menu, press [ENTER] at the message “Press ENTER to Confirm…” to save your configuration, or press [ESC] to cancel. Configuring a server behind NAT Note: If you do not assign a Default Server IP address, the Business Secure Router discards all packets received for ports that are not specified here or in the remote management setup. Follow these steps to configure a server behind NAT: 1 Enter 15 in the main menu to go to Menu 15 - NAT Setup. 2 Enter 2 to go to Menu 15.2 - NAT Server Setup. Nortel Business Secure Router 222 Configuration — Advanced 118 Chapter 9 Network Address Translation (NAT) Figure 45 Menu 15.2: NAT Server Sets Menu 15.2 - NAT Server Setup Default Server: 0.0.0.0 Rule Act. Start Port End Port IP Address -----------------------------------------------------001 No 0 0 0.0.0.0 002 No 0 0 0.0.0.0 003 No 0 0 0.0.0.0 004 No 0 0 0.0.0.0 005 No 0 0 0.0.0.0 006 No 0 0 0.0.0.0 007 No 0 0 0.0.0.0 008 No 0 0 0.0.0.0 009 No 0 0 0.0.0.0 010 No 0 0 0.0.0.0 Select Command= None Select Rule= N/A Press ENTER to Confirm or ESC to Cancel: 3 NN47922-501 Select Edit Rule in the Select Command field; type the index number of the NAT server you want to configure in the Select Rule field and press [ENTER] to open Menu 15.2.1 - NAT Server Configuration (see the next figure). Chapter 9 Network Address Translation (NAT) 119 Figure 46 15.2.1: NAT Server Configuration 15.2.1 - NAT Server Configuration Index= 1 ----------------------------------------------------------------Name= Active= No Start port= 0 End port= 0 IP Address= 0.0.0.0 Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this screen. Table 31 15.2.1: NAT Server Configuration Field Description Index This is the index number of an individual port forwarding server entry. Name Enter a name to identify this port-forwarding rule. Active Press [SPACE BAR] and then [ENTER] to select Yes to enable the NAT server entry. Start Port End Port Enter a port number in the Start Port field. To forward only one port, enter it again in the End Port field. To specify a range of ports, enter the last port to be forwarded in the End Port field. IP Address Enter the inside IP address of the server. When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. 4 Enter a port number in the Start Port field. To forward only one port, enter it again in the End Port field. To specify a range of ports, enter the last port to be forwarded in the End Port field. Nortel Business Secure Router 222 Configuration — Advanced 120 Chapter 9 Network Address Translation (NAT) 5 Enter the inside IP address of the server in the IP Address field. In the following figure, you have a computer acting as an FTP, Telnet and SMTP server (ports 21, 23 and 25) at 192.168.1.33. 6 Press [ENTER] at the “Press ENTER to confirm …” prompt to save your configuration after you define all the servers or press [ESC] at any time to cancel. Figure 47 Menu 15.2: NAT Server Setup Menu 15.2 - NAT Server Setup Default Server: 0.0.0.0 Rule Act. Start Port End Port IP Address -----------------------------------------------------001 No 0 0 0.0.0.0 002 Yes 21 25 192.168.1.33 003 No 0 0 0.0.0.0 004 No 0 0 0.0.0.0 005 No 0 0 0.0.0.0 006 No 0 0 0.0.0.0 007 No 0 0 0.0.0.0 008 No 0 0 0.0.0.0 009 No 0 0 0.0.0.0 010 No 0 0 0.0.0.0 Select Command= None Select Rule= N/A Press ENTER to Confirm or ESC to Cancel: You assign the private network IP addresses. The NAT network appears as a single host on the Internet. A is the FTP/Telnet/SMTP server. NN47922-501 Chapter 9 Network Address Translation (NAT) 121 Figure 48 Multiple servers behind NAT example Business Secure Router General NAT examples The following are some examples of NAT configuration. Internet access only In the Internet access example shown in Figure 49, you only need one rule where all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP. Figure 49 NAT Example 1 Business Secure Router Nortel Business Secure Router 222 Configuration — Advanced 122 Chapter 9 Network Address Translation (NAT) Figure 50 Menu 4: Internet access & NAT example Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Login Server IP= N/A IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network Address Translation= SUA Only Press ENTER to Confirm or ESC to Cancel: From menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section “General NAT examples” on page 121. The SUA Only read-only option from the Network Address Translation field in menus 4 and 11.1.2 is specifically preconfigured to handle this case. NN47922-501 Chapter 9 Network Address Translation (NAT) 123 Example 2: Internet access with an inside server Figure 51 NAT Example 2 Business Secure Router In this case, you do exactly as shown in Figure 51 (use the convenient pre-configured SUA Only set), and also go to menu 15.2 to specify the Inside Server behind the NAT as shown in Figure 52. Nortel Business Secure Router 222 Configuration — Advanced 124 Chapter 9 Network Address Translation (NAT) Figure 52 Menu 15.2: Specifying an inside server Menu 15.2 - NAT Server Setup Default Server: 192.168.1.10 Rule Act. Start Port End Port IP Address -----------------------------------------------------001 No 0 0 0.0.0.0 002 No 0 0 0.0.0.0 003 No 0 0 0.0.0.0 004 No 0 0 0.0.0.0 005 No 0 0 0.0.0.0 006 No 0 0 0.0.0.0 007 No 0 0 0.0.0.0 008 No 0 0 0.0.0.0 009 No 0 0 0.0.0.0 010 No 0 0 0.0.0.0 Select Command= None Select Rule= N/A Press ENTER to Confirm or ESC to Cancel: Example 3: Multiple public IP addresses with inside servers In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server. All departments share the same router. The example reserves one IGA for each department with an FTP server and all departments use the other IGA. Map the FTP servers to the first two IGAs and the other LAN traffic to the remaining IGA. Map the third IGA to an inside web server and mail server. Four rules need to be configured, two bi-directional and two uni-directional, as follows. NN47922-501 1 Map the first IGA to the first inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses). 2 Map the second IGA to the second internal FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses). 3 Map the other outgoing LAN traffic to IGA3 (Many : 1 mapping). 4 You also map your third IGA to the web server and mail server on the LAN. If you choose type Server, you can specify multiple servers, of different types, to other computers behind NAT on the LAN. Chapter 9 Network Address Translation (NAT) 125 The example situation looks like this: Figure 53 NAT example 3 Business Secure Router 1 In this case you must configure Address Mapping Set 1 from Menu 15.1 Address Mapping Sets. Therefore, you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.1.2) (see Figure 54). 2 Enter 15 from the main menu. 3 Enter 1 to configure the Address Mapping Sets. 4 Enter 1 to begin configuring this new set. Enter a Set Name, choose the Edit Action and then enter 1 for the Select Rule field. Press [ENTER] to confirm. 5 Select Type as One-to-One (direct mapping for packets going both ways), and enter the local Start IP as 192.168.1.10 (the IP address of FTP Server 1), the global Start IP as 10.132.50.1 (our first IGA). (see Figure 55). 6 Repeat the previous step for rules 2 to 4 as outlined above. 7 When finished, menu 15.1.1 looks like as shown in Figure 56. Nortel Business Secure Router 222 Configuration — Advanced 126 Chapter 9 Network Address Translation (NAT) Figure 54 Example 3: Menu 11.1.2 Menu 11.1.2 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= Full Feature Metric= N/A Private= N/A RIP Direction= None Version= N/A Enter here to CONFIRM or ESC to CANCEL: Figure 55 shows how to configure the first rule. NN47922-501 Chapter 9 Network Address Translation (NAT) 127 Figure 55 Example 3: Menu 15.1.1.1 Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= 192.168.1.10 End = N/A Global IP: Start= 10.132.50.1 End = N/A Press ENTER to Confirm or ESC to Cancel: Nortel Business Secure Router 222 Configuration — Advanced 128 Chapter 9 Network Address Translation (NAT) Figure 56 Example 3: Final Menu 15.1.1 Menu 15.1.1 - Address Mapping Rules Set Name= Example3 Idx Local Start IP Local End IP --- --------------- --------------- Global Start IP --------------- Global End IP Type --------------- ------ 1. 192.168.1.10 10.132.50.1 1-1 2 10.132.50.2 1-1 10.132.50.3 M-1 192.168.1.11 3. 0.0.0.0 255.255.255.255 4. 10.132.50.3 Server 5. 6. 7. 8. 9. 10. Action= Edit Select Rule= Now configure the IGA3 to map to our web server and mail server on the LAN. NN47922-501 8 Enter 15 from the main menu. 9 Now enter 2 from this menu and configure it as shown in Example 3: Menu 15.2. Chapter 9 Network Address Translation (NAT) 129 Figure 57 Example 3: Menu 15.2 Menu 15.2 - NAT Server Setup Default Server: 0.0.0.0 Rule Act. Start Port End Port IP Address -----------------------------------------------------001 Yes 80 80 192.168.1.21 002 Yes 25 25 192.168.1.20 003 No 0 0 0.0.0.0 004 No 0 0 0.0.0.0 005 No 0 0 0.0.0.0 006 No 0 0 0.0.0.0 007 No 0 0 0.0.0.0 008 No 0 0 0.0.0.0 009 No 0 0 0.0.0.0 010 No 0 0 0.0.0.0 Select Command= None Select Rule= N/A Press ENTER to Confirm or ESC to Cancel: Configuring Trigger Port forwarding Note: Only one LAN computer can use a trigger port (range) at a time. Enter 3 in menu 15 to display Menu 15.3 — Trigger Port Setup, shown in Figure 58. Nortel Business Secure Router 222 Configuration — Advanced 130 Chapter 9 Network Address Translation (NAT) Figure 58 Menu 15.3: Trigger Port Setup Menu 15.3 - Trigger Port Setup Incoming Rule Name Start Port Trigger End Port Start Port End Port ---------------------------------------------------------------------1. Real Audio 6970 7170 7070 7070 2. 0 0 0 0 3. 0 0 0 0 4. 0 0 0 0 5. 0 0 0 0 6. 0 0 0 0 7. 0 0 0 0 8. 0 0 0 0 9. 0 0 0 0 10. 0 0 0 0 11. 0 0 0 0 12. 0 0 0 0 Press ENTER to Confirm or ESC to Cancel: Table 32 describes the fields in Figure 58. Table 32 Menu 15.3: Trigger Port setup description NN47922-501 Field Description Example Rule This is the rule index number. 1 Name Enter a unique name for identification purposes. You can enter up to 15 characters in this field. All characters are permitted including spaces. Real Audio Incoming Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The Business Secure Router forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service. Start Port Enter a port number or the starting port number in a range of port numbers. 6970 Chapter 9 Network Address Translation (NAT) 131 Table 32 Menu 15.3: Trigger Port setup description Field Description Example End Port Enter a port number or the ending port number in a range of port 7170 numbers. Trigger The trigger port is a port (or a range of ports) that causes (or triggers) the Business Secure Router to record the IP address of the LAN computer that sent the traffic to a server on the WAN. Start Port Enter a port number or the starting port number in a range of port numbers. End Port Enter a port number or the ending port number in a range of port 7070 numbers. 7070 Press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel. Nortel Business Secure Router 222 Configuration — Advanced 132 Chapter 9 Network Address Translation (NAT) NN47922-501 133 Chapter 10 Introducing the firewall This chapter shows you how to get started with the firewall. Using SMT menus From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown in Figure 59. Figure 59 Menu 21: Filter and Firewall Setup Menu 21 - Filter and Firewall Setup 1. Filter Setup 2. Firewall Setup Enter Menu Selection Number: Activating the firewall Enter option 2 in this menu to bring up the screen shown in Figure 60. Press [SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks. Use the WebGUI to configure firewall rules. Nortel Business Secure Router 222 Configuration — Advanced 134 Chapter 10 Introducing the firewall Figure 60 Menu 21.2: Firewall Setup Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off. Refer to the User’s Guide for details about the firewall default policies. You may define additional Policy rules or modify existing ones but please exercise extreme caution in doing so. Active: Yes You can use the WebGUI to configure the firewall. Press ENTER to Confirm or ESC to Cancel: Note: Configure the firewall rules using the WebGUI or CLI commands. NN47922-501 135 Chapter 11 Filter configuration This chapter shows you how to create and apply filters. Introduction to filters Your Business Secure Router uses filters to decide whether to allow passage of a data packet, make a call, or both. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters. Data filtering screens the data to determine if the packet is allowed to pass. Data filters are divided into incoming and outgoing filters, depending on the direction of the packet relative to a port. Data filtering can be applied on either the WAN side or the LAN side. Call filtering is used to determine if a packet is allowed to trigger a call. Remote node call filtering is only applicable when using PPPoE encapsulation. Outgoing packets must undergo data filtering before they encounter call filtering as shown in Figure 61. Nortel Business Secure Router 222 Configuration — Advanced 136 Chapter 11 Filter configuration Figure 61 Outgoing packet filtering process C all Filtering A ctiveD ata O utgoing P acket D ata Filtering N o m atch M atch D rop packet B uilt-in default C all Filters N o m atch U ser-defined C all Filters (if applicable) M atch D roppacket if linenot up N o m atch Initiatecall if linenot up S endpacket andreset IdleTim er M atch D roppacket if linenot up O r O r S endpacket but donot reset IdleTim er S endpacket but donot reset IdleTim er For incoming packets, your Business Secure Router applies data filters only. Packets are processed depending upon whether a match is found. The following sections describe how to configure filter sets. Filter Structure A filter set consists of one or more filter rules. Usually, you group related rules, for example, all the rules for NetBIOS, into a single set and give it a descriptive name. With the Business Secure Router, you can configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You cannot mix device filter rules and protocol filter rules within the same set. You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. Sets of factory default filter rules are configured in menu 21 to prevent NetBIOS traffic from triggering calls and to prevent incoming Telnet sessions. A summary of their filter rules is shown in the figures that follow. Figure 62 illustrates the logic flow when executing a filter rule. Also see Figure 66 for the logic flow when executing an IP filter. NN47922-501 Chapter 11 Filter configuration 137 Figure 62 Filter rule process Start Packet into filter Fetch First Filter Set Filter Set Fetch Next Filter Set Fetch First Filter Rule Fetch Next Filter Rule Yes Yes Next Filter Set Available? No Next filter Rule Available? No Active? Yes No Check Next Rule Execute Filter Rule Forward Drop Drop Packet Accept Packet You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. Nortel Business Secure Router 222 Configuration — Advanced 138 Chapter 11 Filter configuration Configuring a Filter Set The Business Secure Router includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. 1 Enter 21 in the main menu to open menu 21. Figure 63 Menu 21: Filter and Firewall Setup Menu 21 - Filter and Firewall Setup 1. Filter Setup 2. Firewall Setup Enter Menu Selection Number: NN47922-501 Chapter 11 Filter configuration 139 2 Enter 1 to bring up the menu 21.1. Figure 64 Menu 21.1: Filter Set Configuration Menu 21.1 - Filter Set Configuration Filter Filter Set # Comments Set # Comments ------ ----------------- ------ ----------------- 1 _______________ 7 _______________ 2 _______________ 8 _______________ 3 _______________ 9 _______________ 4 _______________ 10 _______________ 5 _______________ 11 _______________ 6 _______________ 12 _______________ Enter Filter Set Number to Configure= 0 Edit Comments= N/A Press ENTER to Confirm or ESC to Cancel: 3 Select the filter set you wish to configure (1-12) and press [ENTER]. 4 Enter a descriptive name or comment in the Edit Comments field and press [ENTER]. 5 Press [ENTER] at the message “Press ENTER to confirm” to open Menu 21.1.1 - Filter Rules Summary. The screen shown in Figure 65 shows the summary of the existing rules in the filter set. Table 33 and Table 34 contain a brief description of the abbreviations used in the previous menus. Nortel Business Secure Router 222 Configuration — Advanced 140 Chapter 11 Filter configuration Table 33 Abbreviations used in the Filter Rules Summary Menu Field Description # The filter rule number: 1 to 6. A Active: “Y” means the rule is active. “N” means the rule is inactive. Type The type of filter rule: “GEN” for Generic, “IP” for TCP/IP. Filter Rules These parameters are displayed here. M More: “Y” means there are more rules to check which form a rule chain with the present rule. An action cannot be taken until the rule chain is complete. “N” means there are no more rules to check. You can specify an action to be taken for example, forward the packet, drop the packet or check the next rule. For the latter, the next rule is independent of the rule just checked. m Action Matched: “F” means to forward the packet immediately and skip checking the remaining rules. “D” means to drop the packet. “N“ means to check the next rule. n Action Not Matched: “F” means to forward the packet immediately and skip checking the remaining rules. “D” means to drop the packet. “N” means to check the next rule. Table 34 Rule abbreviations used Abbreviation Description IP Pr Protocol SA Source Address SP Source Port number DA Destination Address DP Destination Port number GEN Off Offset Len Length The next section provides information on configuring the filter rules. NN47922-501 Chapter 11 Filter configuration 141 Configuring a Filter Rule To configure a filter rule, type its number in Menu 21.1.1 - Filter Rules Summary and press [ENTER] to open menu 21.1.1.1 for the rule. To speed up filtering, all rules in a filter set must be of the same class, for example, protocol filters or generic filters. The class of a filter set is determined by the first rule that you create. When applying the filter sets to a port, separate menu fields are provided for protocol and device filter sets. If you include a protocol filter set in a device filter field or vice versa, the Business Secure Router warns you and prevents you from saving. Configuring a TCP/IP Filter Rule This section shows you how to configure a TCP/IP filter rule. Using TCP/IP rules, you can base the rule on the fields in the IP and the upper layer protocol, for example, UDP and TCP headers. To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.1.1 - TCP/IP Filter Rule, as shown in Figure 65. Nortel Business Secure Router 222 Configuration — Advanced 142 Chapter 11 Filter configuration Figure 65 Menu 21.1.1.1: TCP/IP Filter Rule Menu 21.1.1.2 - TCP/IP Filter Rule Filter #: 1,2 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 0 IP Source Route= No Destination: IP Addr= IP Mask= Port #= Port # Comp= None Source: IP Addr= IP Mask= Port #= Port # Comp= None TCP Estab= N/A More= No Log= None Action Matched= Check Next Rule Action Not Matched= Check Next Rule Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. Table 35 describes how to configure your TCP/IP filter rule. Table 35 TCP/IP Filter Rule Menu fields Field Description Active Press [SPACE BAR] and then [ENTER] to select Yes Yes to activate the filter rule or No to deactivate it. No IP Protocol Protocol refers to the upper layer protocol, for 0-255 example, TCP is 6, UDP is 17 and ICMP is 1. Type a value between 0 and 255. A value of 0 matches ANY protocol. IP Source Route Press [SPACE BAR] and then [ENTER] to select Yes Yes to apply the rule to packets with an IP source route No option. Otherwise the packets must not have a source route option. The majority of IP packets do not have source route. Destination NN47922-501 Options Chapter 11 Filter configuration 143 Table 35 TCP/IP Filter Rule Menu fields Field Description Options IP Address Enter the destination IP Address of the packet you wish to filter. This field is ignored if it is 0.0.0.0. 0.0.0.0 IP Mask Enter the IP mask to apply to the Destination: IP Addr. 0.0.0.0 Port # Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65 535. This field is ignored if it is 0. 0-65535 Port # Comp Press [SPACE BAR] and then [ENTER] to select the comparison to apply to the destination port in the packet against the value given in Destination: Port #. None Less Greater Equal Not Equal IP Address Enter the source IP Address of the packet you wish to filter. This field is ignored if it is 0.0.0.0. 0.0.0.0 IP Mask Enter the IP mask to apply to the Source: IP Addr. 0.0.0.0 Port # Enter the source port of the packets that you wish to 0-65535 filter. The range of this field is 0 to 65 535. This field is ignored if it is 0. Port # Comp Press [SPACE BAR] and then [ENTER] to select the None comparison to apply to the source port in the packet Less against the value given in Source: Port #. Greater Equal Not Equal TCP Estab This field is applicable only when the IP Protocol field Yes is 6, TCP. Press [SPACE BAR] and then [ENTER] to No select Yes to have the rule match packets that want to establish a TCP connection (SYN=1 and ACK=0); if No, it is ignored. More Press [SPACE BAR] and then [ENTER] to select Yes Yes or No. If Yes, a matching packet is passed to the No next filter rule before an action is taken; if No, the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched will be N/A. Source Nortel Business Secure Router 222 Configuration — Advanced 144 Chapter 11 Filter configuration Table 35 TCP/IP Filter Rule Menu fields Field Description Options Log Press [SPACE BAR] and then [ENTER] to select a logging option from the following: None – No packets are logged. Action Matched - Only packets that match the rule parameters are logged. Action Not Matched - Only packets that do not match the rule parameters are logged. Both – All packets are logged. None Action Matched Action Not Matched Both Action Matched Press [SPACE BAR] and then [ENTER] to select the Check Next action for a matching packet. Rule Forward Drop Action Not Matched Press [SPACE BAR] and then [ENTER] to select the Check Next action for a packet not matching the rule. Rule Forward Drop After you configure Menu 21.1.1.1 - TCP/IP Filter Rule, press [ENTER] at the message “Press ENTER to Confirm” to save your configuration, or press [ESC] to cancel. This data is displayed on Menu 21.1.1 - Filter Rules Summary. Figure 66 illustrates the logic flow of an IP filter. NN47922-501 Chapter 11 Filter configuration 145 Figure 66 Executing an IP filter Packet into IP Filter Filter Active? No Yes Apply SrcAddrMask to Src Addr Check Src IP Addr Not Matched Matched Apply DestAddrMask to Dest Addr Check Dest IP Addr Not Matched Matched Check IP Protocol Not Matched Matched Check Src & Dest Port Not Matched Matched More? Yes No Action Matched Drop Drop Packet Action Not Matched Check Next Rule Check Next Rule Drop Forward Forward Check Next Rule Accept Packet Nortel Business Secure Router 222 Configuration — Advanced 146 Chapter 11 Filter configuration Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. With generic rules you can filter non-IP packets. For IP packets, it is generally easier to use the IP rules directly. For generic rules, the Business Secure Router treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes. The Business Secure Router applies the Mask (using the bit-wise-AND action) to the data portion before comparing the result against the Value to determine a match. The Mask and Value are specified in hexadecimal numbers. Note that it takes two hexadecimal digits to represent a byte, so if the length is 4, the value in either field will take 8 digits, for example, FFFFFFFF. To configure a generic rule, select Generic Filter Rule in the Filter Type field in menu 21.1.4.1 and press [ENTER] to open Generic Filter Rule, as shown in Figure 67. Figure 67 Menu 21.1.1.1: Generic Filter Rule Menu 21.1.1.1 - Generic Filter Rule Filter #: 1,1 Filter Type= Generic Filter Rule Active= No Offset= 0 Length= 0 Mask= N/A Value= N/A More= No Log= None Action Matched= Check Next Rule Action Not Matched= Check Next Rule Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. NN47922-501 Chapter 11 Filter configuration 147 Table 36 describes the fields in the Generic Filter Rule menu. Table 36 Generic Filter Rule Menu fields Field Description Options Filter # This is the filter set, filter rule coordinates, for example, 2,3 refers to the second filter set and the third rule of that set. Filter Type Use [SPACE BAR] and then [ENTER] to select a rule type. Parameters displayed below each type will be different. TCP/ IP filter rules are used to filter IP packets while generic filter rules allow filtering of non-IP packets. Generic Filter Rule TCP/IP Filter Rule Active Select Yes to turn on the filter rule or No to turn it off. Yes / No Offset Enter the starting byte of the data portion in the packet that you wish to compare. The range for this field is from 0 to 255. 0-255 Length Enter the byte count of the data portion in the packet that you 0-8 wish to compare. The range for this field is 0 to 8. Mask Enter the mask (in Hexadecimal notation) to apply to the data portion before comparison. Value Enter the value (in Hexadecimal notation) to compare with the data portion. More If Yes, a matching packet is passed to the next filter rule Yes before an action is taken; or the packet is disposed of No according to the action fields. If More is Yes, then Action Matched and Action Not Matched are No. Log Select the logging option from the following: None - No packets are logged. Action Matched - Only packets that match the rule parameters are logged. Action Not Matched - Only packets that do not match the rule parameters are logged. Both – All packets are logged. None Action Matched Action Not Matched Both Action Matched Select the action for a packet matching the rule. Check Next Rule Forward Drop Nortel Business Secure Router 222 Configuration — Advanced 148 Chapter 11 Filter configuration Table 36 Generic Filter Rule Menu fields Field Description Options Action Not Matched Select the action for a packet not matching the rule. Check Next Rule Forward Drop After you complete filling in Menu 21.1.1.1 - Generic Filter Rule, press [ENTER] at the message “Press ENTER to Confirm” to save your configuration, or press [ESC] to cancel. This data is now be displayed on Menu 21.1.1 Filter Rules Summary. Example Filter The example shown in Figure 68 is set to block outside users from accessing the Business Secure Router via Telnet. See the included disk for more Filter Rules example. Figure 68 Telnet filter Example Business Secure Router NN47922-501 1 Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup. 2 Enter 1 to open Menu 21.1 - Filter Set Configuration. Chapter 11 Filter configuration 149 3 Enter the index of the filter set you wish to configure (for example 3) and press [ENTER]. 4 Enter a descriptive name or comment in the Edit Comments field and press [ENTER]. 5 Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.3 - Filter Rules Summary. 6 Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in Figure 69. Figure 69 Example Filter: Menu 21.1.3.1 Menu 21.1.3.1 - TCP/IP Filter Rule Filter #: 3,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 23 Port # Comp= Equal Source: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 0 Port # Comp= None TCP Estab= No More= No Log= None Action Matched= Drop Action Not Matched= Forward Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. When you press [ENTER] to confirm, the screen shown in Figure 70 is displayed. Note that there is only one filter rule in this set. The screen shows you that you have configured and activated (A = Y) a TCP/IP filter rule (Type = IP, Pr = 6) for destination Telnet ports (DP = 23). M = N means an action can be taken immediately. The action is to drop the packet (m = D) if the action is matched and to forward the packet immediately (n = F) if the action is not matched, whether or not there are more rules to be checked (there are none in this example). Nortel Business Secure Router 222 Configuration — Advanced 150 Chapter 11 Filter configuration Figure 70 Example Filter Rules Summary: Menu 21.1.3 Menu 21.1.3 - Filter Rules Summary # A Type Filter Rules M m n - - ---- --------------------------------------------------------------- - 1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 N D F 2 N 3 N 4 N 5 N 6 N Enter Filter Rule Number (1-6) to Configure: 1 After you have created the filter set, you must apply it. NN47922-501 1 Enter 11 from the main menu to go to menu 11. 2 Then enter 1 to open Menu 11.1 Remote Node Profile. 3 Go to the Edit Filter Sets field, press [SPACE BAR] to select Yes and press [ENTER]. 4 This brings you to menu 11.1.4. Apply a filter set (our example is filter set 3) as shown in Figure 73. 5 After you enter the set numbers, press [ENTER] to confirm and leave menu 11.1.4. Chapter 11 Filter configuration 151 Filter Types and NAT There are two classes of filter rules, Generic Filter (Device) rules and protocol filter (TCP/IP) rules. Generic filter rules act on the raw data that’s going through between LAN and WAN. Protocol filter rules act on the IP packets. Generic and TCP/IP filter rules are discussed in more detail in the next section. When NAT (Network Address Translation) is enabled, the inside IP address and port number are replaced on a connection-by-connection basis, which makes it impossible to know the exact address and port on the wire. Therefore, the Business Secure Router applies the protocol filters to the native IP address and port number before NAT for outgoing packets and after NAT for incoming packets. On the other hand, the generic, or device filters are applied to the raw packets that appear on the wire. They are applied at the point when the Business Secure Router is receiving and sending the packets; for example. the interface. The interface can be an Ethernet port or any other hardware port, as illustrated in Figure 71. Figure 71 Protocol and Device Filter Sets Firewall Versus Filters Firewall configuration is discussed in Chapter 10, “Introducing the firewall,” on page 133 chapters of this manual. Further comparisons are also made between filtering, NAT and the firewall. Nortel Business Secure Router 222 Configuration — Advanced 152 Chapter 11 Filter configuration Applying a Filter This section shows you where to apply the filters after you design them. The Business Secure Router already has filters to prevent NetBIOS traffic from triggering calls, and block incoming Telnet, FTP and HTTP connections. Note: Nortel recommends that you apply filters if you do not activate the firewall. Applying LAN Filters LAN traffic filter sets are useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and enter the numbers of the filter sets that you want to apply, as appropriate. You can choose up to four filter sets (from twelve) by entering their numbers separated by commas, for example., 3, 4, 6, 11. Input filter sets filter incoming traffic to the Business Secure Router and output filter sets filter outgoing traffic from the Business Secure Router. For PPPoE or PPTP encapsulation, you have the additional option of specifying remote node call filter sets. Figure 72 Filtering LAN Traffic Menu 3.1 – LAN Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Ethernet Interface= 10BaseT Input Filter Sets= Output Filter Sets= Press ENTER to Confirm or ESC to Cancel: NN47922-501 Chapter 11 Filter configuration 153 Applying Remote Node Filters Go to menu 11.1.4 (shown in Figure 73 – note that call filter sets are only present for PPPoE encapsulation) and enter the numbers of the filter sets, as appropriate. You can cascade up to four filter sets by entering their numbers separated by commas. The Business Secure Router already has filters to prevent NetBIOS traffic from triggering calls, and to block incoming Telnet, FTP and HTTP connections. Figure 73 Filtering Remote Node Traffic Menu 11.1.4 – Remote Node Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: Nortel Business Secure Router 222 Configuration — Advanced 154 Chapter 11 Filter configuration NN47922-501 155 Chapter 12 SNMP Configuration This chapter explains SNMP configuration menu 22. Note: SNMP is only available if TCP/IP is configured. SNMP Configuration To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The community for Get, Set and Trap fields is SNMP terminology for password. Figure 74 Menu 22: SNMP Configuration Menu 22 - SNMP Configuration SNMP: Get Community= PlsChgMe!RO Set Community= PlsChgMe!RW Trusted Host= 0.0.0.0 Trap: Community= Destination= 0.0.0.0 Press ENTER to Confirm or ESC to Cancel: Nortel Business Secure Router 222 Configuration — Advanced 156 Chapter 12 SNMP Configuration Table 37 describes the SNMP configuration parameters. Table 37 SNMP Configuration Menu Fields Field Description Example Get Community Type the Get community, which is the password for the incoming Get- and GetNext requests from the management station. Public (default) Set Community Type the Set community, which is the password for incoming Set requests from the management station. Public (default) Trusted Host If you enter a trusted host, your Business Secure Router will only respond to SNMP messages from this address. A blank (default) field means your Business Secure Router will respond to all SNMP messages it receives, regardless of source. 0.0.0.0 Trap Community Type the Trap community, which is the password sent with each trap to the SNMP manager. Public Destination Type the IP address of the station to send your SNMP traps to. 0.0.0.0 After you complete this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen. SNMP Traps The Business Secure Router will sends traps to the SNMP manager when any one of the following events occurs: Table 38 SNMP Traps NN47922-501 Trap # Trap Name Description 0 coldStart (defined in RFC-1215) A trap is sent after booting (power on). 1 warmStart (defined in RFC-1215) A trap is sent after booting (software reboot). 4 authenticationFailure (defined A trap is sent to the manager when receiving in RFC-1215) any SNMP get or set requirements with the wrong community (password). Chapter 12 SNMP Configuration 157 Table 38 SNMP Traps Trap # Trap Name Description 6 whyReboot (defined in MIB) A trap is sent with the reason of restart before rebooting when the system is going to restart (warm start). 6a For intentional reboot: A trap is sent with the message "System reboot by user!" if reboot is done intentionally, (for example, download new files, CI command "sys reboot", and others). 6b For fatal error: A trap is sent with the message of the fatal code if the system reboots because of fatal errors. Nortel Business Secure Router 222 Configuration — Advanced 158 Chapter 12 SNMP Configuration NN47922-501 159 Chapter 13 System security This chapter describes how to configure the system security on the Business Secure Router. System security You can configure the system password, an external RADIUS server and 802.1x in this menu. System password Figure 75 Menu 23 System security Menu 23 - System Security 1. Change Password 2. RADIUS Server 4. IEEE802.1x Enter Menu Selection Number: Nortel recommends you change the default password. If you forget your password, you have to restore the default configuration file. For more information, see “Restoring the factory-default configuration settings” in Nortel Business Secure Router 222 Configuration — Basics (NN47922-500). Nortel Business Secure Router 222 Configuration — Advanced 160 Chapter 13 System security Configuring external RADIUS server Enter 23 in the main menu to display Menu 23 – System security. Figure 76 Menu 23 system security Menu 23 - System Security 1. Change Password 2. RADIUS Server 4. IEEE802.1x Enter Menu Selection Number: From Menu 23- System Security, enter 2 to display Menu 23.2 – System Security – RADIUS Server, as shown in Figure 77. Figure 77 Menu 23.2 System Security: RADIUS server Menu 23.2 - System Security - RADIUS Server Authentication Server: Active= No Server Address= 0.0.0.0 Port #= 1812 Shared Secret= ******** Accounting Server: Active= No Server Address= 0.0.0.0 Port #= 1813 Shared Secret= ******** Press ENTER to Confirm or ESC to Cancel: NN47922-501 Chapter 13 System security 161 Table 39 describes the fields in Figure 77. Table 39 Menu 23.2 System Security: RADIUS Server Field Description Authentication Server Active Press [SPACE BAR] to select Yes and press [ENTER] to enable user authentication through an external authentication server. Server Address Enter the IP address of the external authentication server in dotted decimal notation. Port # The default port of the RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so with additional information. Shared Secret Specify a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the Business Secure Router. The key is not sent over the network. This key must be the same on the external authentication server and Business Secure Router. Accounting Server Active Press [SPACE BAR] to select Yes and press [ENTER] to enable user authentication through an external accounting server. Server Address Enter the IP address of the external accounting server in dotted decimal notation. Port # The default port of the RADIUS server for accounting is 1813. You need not change this value unless your network administrator instructs you to do so with additional information. Shared Secret Specify a password (up to 31 alphanumeric characters) as the key to be shared between the external accounting server and the Business Secure Router. The key is not sent over the network. This key must be the same on the external accounting server and Business Secure Router. After you complete this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen. Nortel Business Secure Router 222 Configuration — Advanced 162 Chapter 13 System security IEEE 802.1x The IEEE 802.1x standards outline enhanced security methods for both the authentication of users and encryption key management. Follow the steps below to enable EAP authentication on your Business Secure Router. 1 From the main menu, enter 23 to display Menu23 – System Security. Figure 78 Menu 23 System Security Menu 23 - System Security 1. Change Password 2. RADIUS Server 4. IEEE802.1x Enter Menu Selection Number: 2 Enter 4 to display Menu 23.4 – System Security – IEEE802.1x. Figure 79 Menu 23.4 System Security: IEEE802.1x Menu 23.4 - System Security - IEEE802.1x Port Control= Authentication Required ReAuthentication Timer (in second)= 1800 Idle Timeout (in second)= 3600 Authentication Databases= Local User Database Only Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. NN47922-501 Chapter 13 System security 163 Table 40 describes the fields in Figure 79. Table 40 Menu 23.4 System Security: IEEE802.1x Field Description Port Control Press [SPACE BAR] and select a security mode. Select No Authentication Required to allow any computer access to your network without entering usernames and passwords. This is the default setting. Selecting Authentication Required means computers have to enter usernames and passwords before access to the network is allowed. Select No Access Allowed to block all computers from accessing the network. The following fields are not available when you select No Authentication Required or No Access Allowed. ReAuthentication Timer (in second) Specify how often a client has to reenter the username and password to stay connected to the network. This field is activated only when you select Authentication Required in the Port Control field. Enter a time interval between 10 and 9 999 (in seconds). The default time interval is 1 800 seconds (or 30 minutes). Idle Timeout (in second) The Business Secure Router automatically disconnects a client from the network after a period of inactivity. The client needs to enter the username and password again before access to the network is allowed. This field is activated only when you select Authentication Required in the Port Control field. The default time interval is 3 600 seconds (or 1 hour). Nortel Business Secure Router 222 Configuration — Advanced 164 Chapter 13 System security Table 40 Menu 23.4 System Security: IEEE802.1x Field Description Authentication Databases The authentication database contains user login information. The local user database is the built-in database on the Business Secure Router. The RADIUS is an external server. Use this field to decide which database the Business Secure Router should use (first) to authenticate a user. Before you specify the priority, make sure you have set up the corresponding database correctly first. Select Local User Database Only to have the Business Secure Router just check the built-in user database on the Business Secure Router for a user's username and password. Select RADIUS Only to have the Business Secure Router just check the user database on the specified RADIUS server for a user's username and password. Select Local first, then RADIUS to have the Business Secure Router first check the user database on the Business Secure Router for a user's username and password. If the user name is not found, the Business Secure Router then checks the user database on the specified RADIUS server. Select RADIUS first, then Local to have the Business Secure Router first check the user database on the specified RADIUS server for a user's username and password. If the Business Secure Router cannot reach the RADIUS server, the Business Secure Router then checks the local user database on the Business Secure Router. If the username is not found or the password does not match in the RADIUS server, the Business Secure Router does not check the local user database and the authentication fails. After you complete this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen. After you enable user authentication, you need to specify an external RADIUS server or create local user accounts on the Business Secure Router for authentication. NN47922-501 165 Chapter 14 System information and diagnosis This chapter covers SMT menus 24.1 to 24.4. Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your Business Secure Router. These tools include updates on system status, port status and log and trace capabilities. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown in Figure 80. Nortel Business Secure Router 222 Configuration — Advanced 166 Chapter 14 System information and diagnosis Figure 80 Menu 24: System Maintenance Menu 24 - System Maintenance 1. System Status 2. System Information and Console Port Speed 3. Log and Trace 4. Diagnostic 5. Backup Configuration 6. Restore Configuration 7. Upload Firmware 8. Command Interpreter Mode 9. Call Control 10. Time and Date Setting 11. Remote Management Setup Enter Menu Selection Number: System Status The first selection, System Status, gives you information on the version of your system firmware and the status and statistics of the ports, as shown in the next figure. System Status is a tool that can be used to monitor your Business Secure Router. Specifically, it gives you information on your system firmware version, number of packets sent, and number of packets received. To get to the System Status: NN47922-501 1 Enter number 24 to go to Menu 24 - System Maintenance. 2 In this menu, enter 1 to open System Maintenance - Status. 3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 drops the WAN connection, 9 resets the counters and [ESC] takes you back to the previous screen. Chapter 14 System information and diagnosis 167 Figure 81 Menu 24.1: System Maintenance: Status Figure 82 Menu 24.1 — System Maintenance — Status Port WAN LAN Port WAN LAN Status Down 100M/Full Menu 24.1 - System Maintenance - Status 00:02:07 Thu. Jan. 01, 2004 TxPkts 0 12 Rx B/s 0 64 Ethernet Address 00:13:49:00:00:02 00:13:49:00:00:01 System up Time: RxPkts 0 7 Cols 0 0 IP Address 0.0.0.0 192.168.1.1 Tx B/s 0 0 IP Mask 0.0.0.0 255.255.255.0 Up Time 0:00:00 0:00:10 DHCP Client Server 0:00:15 Name: Routing: IP RAS F/W Version: VBSR222_2.6.0.0.003b1 | 07/19/2006 Press Command: COMMANDS: 1-Drop WAN 9-Reset Counters ESC-Exit Table 41 describes the fields present in Menu 24.1 - System Maintenance Status. These fields are read-only and meant for diagnostic purposes. The upper right corner of the screen shows the time and date according to the format you set in menu 24.10. Table 41 System Maintenance: Status Menu Fields Field Description Port Identifies a port (WAN, or LAN) on the Business Secure Router. Status Shows the port speed and duplex setting if you are using Ethernet Encapsulation and Down (line is down), idle (line (ppp) idle), dial (starting to trigger a call) or drop (dropping a call) if you are using PPPoE Encapsulation. TxPkts The number of transmitted packets on this port. RxPkts The number of received packets on this port. Cols The number of collisions on this port. Tx B/s Shows the transmission speed in Bytes per second on this port. Nortel Business Secure Router 222 Configuration — Advanced 168 Chapter 14 System information and diagnosis Table 41 System Maintenance: Status Menu Fields Field Description Rx B/s Shows the reception speed in Bytes per second on this port. Up Time Total amount of time the line has been up. Ethernet Address The Ethernet address of the port listed on the left. IP Address The IP address of the port listed on the left. IP Mask The IP mask of the port listed on the left. DHCP The DHCP setting of the port listed on the left. System up Time The total time the Business Secure Router has been on. RAS F/W Version The release of firmware currently on the Business Secure Router and the date the release was created. Name This is the Business Secure Router system name + domain name assigned in menu 1. For example, System Name= xxx; Domain Name= baboo.mickey.com Name= xxx.baboo.mickey.com Routing Refers to the routing protocol used. Enter 1 to drop the WAN connection, 9 to reset the counters or [ESC] to return to menu 24 System information and console port speed With your system you can choose different console port speeds. To get to the System Information and Console Port Speed. NN47922-501 1 Enter 24 to go to Menu 24 – System Maintenance. 2 Enter 2 to open Menu 24.2 - System Information and Console Port Speed. 3 From this menu you have two choices, as shown in Figure 83: Chapter 14 System information and diagnosis 169 Figure 83 System Information and Console Port Speed Menu 24.2 - System Information and Console Port Speed 1. System Information 2. Console Port Speed Please enter selection: System Information System Information gives you information about your system, as shown in Figure 84. More specifically, it gives you information on your routing protocol, Ethernet address and IP address. Nortel Business Secure Router 222 Configuration — Advanced 170 Chapter 14 System information and diagnosis Figure 84 Menu 24.2.1: System Maintenance Information Menu 24.2.1 - System Maintenance - Information Name: Routing: IP RAS F/W Version: VBSR222_2.6.0.0.003b1 | 07/19/2006 Country Code: 255 LAN Ethernet Address: 00:13:49:00:00:01 IP Address: 192.168.1.1 IP Mask: 255.255.255.0 DHCP: Server Press ESC or RETURN to Exit: Table 42 Fields in System Maintenance: Information Field Description Name This is the Business Secure Router system name + domain name assigned in menu 1. For example, System Name= xxx; Domain Name= baboo.mickey.com Name= xxx.baboo.mickey.com Routing Refers to the routing protocol used. RAS F/W Version The release of firmware currently on the Business Secure Router and the date the release was created. Ethernet Address Refers to the Ethernet MAC (Media Access Control) address of your Business Secure Router. IP Address This is the IP address of the Business Secure Router in dotted decimal notation. IP Mask This shows the IP mask of the Business Secure Router. DHCP This field shows the DHCP setting of the Business Secure Router. When finished viewing, press [ESC] or [ENTER] to exit. NN47922-501 Chapter 14 System information and diagnosis 171 Console port speed You can change the speed of the console port through Menu 24.2.2 – Console Port Speed. Your Business Secure Router supports 9 600 (default), 19 200, 38 400, 57 600, and 115 200 b/s for the console port. Press [SPACE BAR] and then [ENTER] to select the desired speed in menu 24.2.2, as shown in Figure 85. Figure 85 Menu 24.2.2: System Maintenance: Change Console Port Speed Menu 24.2.2 – System Maintenance – Change Console Port Speed Console Port Speed: 115200 Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. Log and trace The Business Secure Router has a syslog facility for message logging, and a trace function for viewing call-triggering packets. Figure 86 Menu 24.3: System Maintenance: Log and Trace Menu 24.3 - System Maintenance - Log and Trace 2. Syslog Logging 4. Call-Triggering Packet Press ENTER to Confirm or ESC to Cancel Syslog logging The Business Secure Router uses the syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog and accounting can be configured in Menu 24.3.2 - System Maintenance - Syslog Logging, as shown in Figure 87. Nortel Business Secure Router 222 Configuration — Advanced 172 Chapter 14 System information and diagnosis Figure 87 Menu 24.3.2: System Maintenance: Syslog Logging Menu 24.3.2 - System Maintenance - Syslog Logging Syslog: Active= No Syslog Server IP Address= ? Log Facility= Local 1 Press ENTER to Confirm or ESC to Cancel Configure the syslog parameters described in Table 43 to activate syslog, and then choose what you want to log. Table 43 System Maintenance Menu Syslog Parameters Parameter Description Syslog: Active Press [SPACE BAR] and then [ENTER] to turn syslog on or off. Syslog Server IP Address Enter the IP Address of the server that logs the CDR (Call Detail Record) and system messages. For example, the syslog server. Log Facility Press [SPACE BAR] and then [ENTER] to select a Local option. Using the log facility, you can log the message to different files in the server. Refer to the documentation of your syslog program for more details. After you finish configuring this screen, press [ENTER] to confirm or [ESC] to cancel. Your Business Secure Router sends five types of syslog messages. Some examples of these syslog messages with their message formats are shown next: CDR CDR Message Format SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String ); String = board xx line xx channel xx, call xx, str NN47922-501 Chapter 14 System information and diagnosis 173 board = the hardware board ID line = the WAN ID in a board Channel = channel ID within the WAN call = the call reference number which starts from 1 and increments by 1 for each new call str = C01 Outgoing Call dev xx ch xx (dev:device No. ch:channel No.) L02 Tunnel Connected(L2TP) C02 OutCall Connected xxxx (means connected speed) xxxxx (means Remote Call Number) L02 Call Terminated C02 Call Terminated Jul 19 11:19:27 192.168.102.2 RAS: board 0 line 0 channel 0, call 1, C01 Outgoing Call dev=2 ch=0 40002 Jul 19 11:19:32 192.168.102.2 RAS: board 0 line 0 channel 0, call 1, C02 OutCall Connected 64000 40002 Jul 19 11:20:06 192.168.102.2 RAS: board 0 line 0 channel 0, call 1, C02 Call Terminated Packet triggered Packet triggered Message Format SdcmdSyslogSend( SYSLOG_PKTTRI, SYSLOG_NOTICE, String ); String = Packet trigger: Protocol=xx Data=xxxxxxxxxx…..x Protocol: (1:IP 2:IPX 3:IPXHC 4:BPDU 5:ATALK 6:IPNG) Data: We will send forty-eight Hex characters to the server Jul 19 11:28:39 192.168.102.2 RAS: Packet Trigger: Protocol=1, Data=4500003c100100001f010004c0a86614ca849a7b08004a5c0200010061626364656 66768696a6b6c6d6e6f7071727374 Jul 19 11:28:56 192.168.102.2 RAS: Packet Trigger: Protocol=1, Data=4500002c1b0140001f06b50ec0a86614ca849a7b0427001700195b3e00000000600 220008cd40000020405b4 Jul 19 11:29:06 192.168.102.2 RAS: Packet Trigger: Protocol=1, Data=45000028240140001f06ac12c0a86614ca849a7b0427001700195b451d143013500 4000077600000 Filter log Filter log Message Format SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String ); String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD Nortel Business Secure Router 222 Configuration — Advanced 174 Chapter 14 System information and diagnosis IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D). Src: Source Address Dst: Destination Address prot: Protocol (“TCP”,”UDP”,”ICMP”) spo: Source port dpo: Destination port Mar 03 10:39:43 202.132.155.97 RAS: GEN[fffffffffffnordff0080] }S05>R01mF Mar 03 10:41:29 202.132.155.97 RAS: GEN[00a0c5f502fnord010080] }S05>R01mF Mar 03 10:41:34 202.132.155.97 RAS: IP[Src=192.168.1.33 Dst=202.132.155.93 ICMP]}S04>R01mF Mar 03 11:59:20 202.132.155.97 RAS: GEN[00a0c5f502fnord010080] }S05>R01mF Mar 03 12:00:52 202.132.155.97 RAS: GEN[ffffffffffff0080] }S05>R01mF Mar 03 12:00:57 202.132.155.97 RAS: GEN[00a0c5f502010080] }S05>R01mF Mar 03 12:01:06 202.132.155.97 RAS: IP[Src=192.168.1.33 Dst=202.132.155.93 TCP spo=01170 dpo=00021]}S04>R01mF PPP log PPP Log Message Format SdcmdSyslogSend( SYSLOG_PPPLOG, SYSLOG_NOTICE, String ); String = ppp:Proto Starting / ppp:Proto Opening / ppp:Proto Closing / ppp:Proto Shutdown Proto = LCP / ATCP / BACP / BCP / CBCP / CCP / CHAP/ PAP / IPCP / IPXCP Jul 19 11:42:44 192.168.102.2 RAS: ppp:LCP Closing Jul 19 11:42:49 192.168.102.2 RAS: ppp:IPCP Closing Jul 19 11:42:54 192.168.102.2 RAS: ppp:CCP Closing NN47922-501 Chapter 14 System information and diagnosis 175 Firewall log Firewall Log Message Format SdcmdSyslogSend(SYSLOG_FIREWALL, SYSLOG_NOTICE, buf); buf = IP[Src=xx.xx.xx.xx : spo=xxxx Dst=xx.xx.xx.xx : dpo=xxxx | prot | rule | action] Src: Source Address spo: Source port (empty means no source port information) Dst: Destination Address dpo: Destination port (empty means no destination port information) prot: Protocol (“TCP”,”UDP”,”ICMP”, ”IGMP”, ”GRE”, ”ESP”) rule: <a,b> where a means "set" number; b means "rule" number. Action: nothing(N) block (B) forward (F) 08-01-2000 11:48:41 Local1.Notice 192.168.10.10 RAS: FW ->172.21.1.80 :137 |UDP|default permit:<2,0>|B 08-01-2000 11:48:41 Local1.Notice 192.168.10.10 RAS: FW :520 ->192.168.77.88 :520 |UDP|default permit:<2,0>|B 08-01-2000 11:48:39 Local1.Notice 192.168.10.10 RAS: FW ->172.21.1.50 |IGMP<2>|default permit:<2,0>|B 08-01-2000 11:48:39 Local1.Notice 192.168.10.10 RAS: FW ->172.21.1.25 |IGMP<2>|default permit:<2,0>|B 172.21.1.80 :137 192.168.77.88 172.21.1.50 172.21.1.25 Call-Triggering packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easily readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown in Figure 88. Figure 88 Call-Triggering packet example IP Frame: ENET0-RECV Size: 44/ 44 Time: 17:02:44.262 Frame Type: IP Header: IP Version = 4 Header Length = 20 Type of Service = 0x00 (0) Total Length = 0x002C (44) Identification = 0x0002 (2) Nortel Business Secure Router 222 Configuration — Advanced 176 Chapter 14 System information and diagnosis Flags = 0x00 Fragment Offset = 0x00 Time to Live = 0xFE (254) Protocol = 0x06 (TCP) Header Checksum = 0xFB20 (64288) Source IP = 0xC0A80101 (192.168.1.1) Destination IP = 0x00000000 (0.0.0.0) TCP Header: Source Port = 0x0401 (1025) Destination Port = 0x000D (13) Sequence Number = 0x05B8D000 (95997952) Ack Number = 0x00000000 (0) Header Length = 24 Flags = 0x02 (....S.) Window Size = 0x2000 (8192) Checksum = 0xE06A (57450) Urgent Ptr = 0x0000 (0) Options = 0000: 02 04 02 00 RAW DATA: 0000: 45 00 00 2C 00 02 00 00-FE 06 FB 20 C0 A8 01 01 E......... .... 0010: 00 00 00 00 04 01 00 0D-05 B8 D0 00 00 00 00 00 ................ 0020: 60 02 20 00 E0 6A 00 00-02 04 02 00 Press any key to continue... With the diagnostic facility, you can test the different aspects of your Business Secure Router to determine if it is working properly. In Menu 24.4, you can choose among various types of diagnostic tests to evaluate your system, as shown in Figure 89. NN47922-501 Chapter 14 System information and diagnosis 177 Follow the procedure below to get to Menu 24.4 - System Maintenance – Diagnostic. 1 From the main menu, select option 24 to open Menu 24 - System Maintenance. 2 From this menu, select option 4. Diagnostic. This opens Menu 24.4 - System Maintenance - Diagnostic. Figure 89 Menu 24.4: System Maintenance: Diagnostic Menu 24.4 - System Maintenance - Diagnostic TCP/IP 1. Ping Host 2. WAN DHCP Release 3. WAN DHCP Renewal 4. PPPoE/PPTP Setup Test System 11. Reboot System Enter Menu Selection Number: Host IP Address= N/A WAN DHCP DHCP functionality can be enabled on the LAN or WAN as shown in WAN & LAN DHCP. LAN DHCP is discussed in Nortel Business Secure Router 222 Configuration — Basics (NN47922-500). The Business Secure Router can act either as a WAN DHCP client (IP Address Assignment field in menu 4 or menu 11.1.2 is Dynamic and the Encapsulation field in menu 4 or menu 11 is Ethernet) or None, (when you have a static IP). Using the WAN Release and Renewal fields in menu 24.4, you can release or renew the assigned WAN IP address, subnet mask and default gateway, or do both. This is similar to using the file winipcfg. Nortel Business Secure Router 222 Configuration — Advanced 178 Chapter 14 System information and diagnosis Figure 90 WAN & LAN DHCP Business Secure Router Table 44 describes the diagnostic tests available in menu 24.4 for your Business Secure Router and associated connections. Table 44 System Maintenance menu diagnostic Field Description Ping Host Enter 1 to ping any machine (with an IP address) on your LAN or WAN. Enter its IP address in the Host IP Address field below. WAN DHCP Release Enter 2 to release your WAN DHCP settings. WAN DHCP Renewal Enter 3 to renew your WAN DHCP settings. Internet Setup Test This feature is only available for dial-up connections using PPPoE or PPTP encapsulation. Enter 4 to test the Internet setup. You can also test the Internet setup in Menu 4 Internet Access. Refer to Chapter 5, “Internet access,” on page 79 for more details. Reboot System Enter 11 to reboot the Business Secure Router. Host IP Address= If you entered 1 in Ping Host, enter the IP address of the computer you want to ping in this field. Enter the number of the selection you want to perform or press [ESC] to cancel. NN47922-501 179 Chapter 15 Firmware and configuration file maintenance This chapter tells you how to backup and restore your configuration file, as well as upload new firmware and configuration files. Filename conventions The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup and TCP/IP Setup. It comes with a rom filename extension. Once you have customized the Business Secure Router settings, they can be saved back to your computer under a filename of your choosing. The system firmware (sometimes referred to as the ras file) has a bin filename extension. With many FTP and TFTP clients, the filenames are similar to those seen next. Note: Only use firmware for your Business Secure Router specific model. Refer to the label on the bottom of your Business Secure Router. ftp> put firmware.bin ras This is a sample FTP session showing the transfer of the computer file firmware.bin to the Business Secure Router. ftp> get rom-0 config.cfg This is a sample FTP session saving the current configuration to the computer file config.cfg. Nortel Business Secure Router 222 Configuration — Advanced 180 Chapter 15 Firmware and configuration file maintenance If your (T)FTP client does not allow you to have a destination filename different than the source, you must rename the firmware and config file names as the Business Secure Router only recognizes rom-0 and ras. Be sure you keep unaltered copies of both files for later use. Table 45 is a summary. Note that the internal filename refers to the filename on the Business Secure Router and the external filename refers to the filename not on the Business Secure Router, that is, on your computer, local network or FTP site and so the name (but not the extension) can vary. After uploading new firmware, see the F/W version field in Menu 24.2.1 – System Maintenance – Information to confirm that you have uploaded the correct firmware version. The AT command is the command you enter after you press y when prompted in the SMT menu to go into debug mode. Table 45 Filename Conventions File Type Internal Name External Name Description Configuration Rom-0 File This is the configuration filename on the Business Secure Router. Uploading the rom-0 file replaces the entire ROM file system, including your Business Secure Router configurations, system-related data (including the default password), the error log and the trace log. *.rom Firmware This is the name for the firmware on the Contivity. *.bin Ras Backup configuration Note: The Business Secure Router displays different messages explaining different ways to backup, restore and upload files in menus 24.5, 24.6, 24. 7.1 and 24.7.2; depending on whether you use the console port or Telnet. Using Option 5 from Menu 24 – System Maintenance, you can back up the current Business Secure Router configuration to your computer. Backup is highly recommended once your Business Secure Router is functioning properly. FTP is the preferred method for backing up your current configuration to your computer NN47922-501 Chapter 15 Firmware and configuration file maintenance 181 since it is faster. You can also perform backup and restore using menu 24 through the console port. Any serial communications program should work fine; however, you must use Xmodem protocol to perform the download or upload and you do not have to rename the files. Note that terms download and upload are relative to the computer. Download means to transfer from the Business Secure Router to the computer, while upload is a transfer from your computer to the Business Secure Router. Backup configuration Follow the instructions as shown in Menu 24.5 (Figure 91). Figure 91 Menu 24.5 - System Maintenance - Backup Configuration Menu 24.5 - System Maintenance - Backup Configuration To transfer the configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your Business Secure Router. Then type "nnadmin" and SMT password as requested. 3. Locate the 'rom-0' file. 4. Type 'get rom-0' to back up the current Business Secure Router configuration to your workstation. For details on FTP commands, please consult the documentation of your FTP client program. For details on backup using TFTP (note that you must remain in this menu to back up using TFTP), please see your Business Secure Router manual. Press ENTER to Exit: Using the FTP command from the command line 1 Launch the FTP client on your computer. 2 Enter open, followed by a space and the IP address of your Business Secure Router. 3 Press [ENTER] when prompted for a username. 4 Enter your password as requested (the default password is PlsChgMe!). Nortel Business Secure Router 222 Configuration — Advanced 182 Chapter 15 Firmware and configuration file maintenance 5 Enter bin to set transfer mode to binary. 6 Use get to transfer files from the Business Secure Router to the computer, for example, get rom-0 config.rom transfers the configuration file on the Business Secure Router to your computer and renames it config.rom. See earlier in this chapter for more information on filename conventions. 7 Enter quit to exit the ftp prompt. Example of FTP commands from the command line Figure 92 FTP Session Example 331 Enter PASS command Password: 230 Logged in ftp> bin 200 Type I OK ftp> get rom-0 config.rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec. ftp> quit GUI-based FTP clients Table 46 describes some of the commands that you can see in GUI-based FTP clients. Table 46 General commands for GUI-based FTP clients NN47922-501 Command Description Host Address Enter the address of the host server. Logon Type Anonymous. This is when a user ID and password is automatically supplied to the server for anonymous access. Anonymous logons will work only if your ISP or service administrator has enabled this option. Normal. The server requires a unique User ID and Password to log on. Transfer Type Transfer files in either ASCII (plain text format) or in binary mode. Chapter 15 Firmware and configuration file maintenance 183 Table 46 General commands for GUI-based FTP clients Command Description Initial Remote Directory Specify the default remote directory (path). Initial Local Directory Specify the default local directory (path). TFTP and FTP over WAN Management Limitations TFTP, FTP and Telnet over WAN do not work when: • • • • You disable Telnet service in menu 24.11. You apply a filter in menu 3.1 (LAN) or in menu 11.1.4 (WAN) to block Telnet service. The IP address in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the Business Secure Router disconnects the Telnet session immediately. You are running an SMT console session. Backup configuration using TFTP The Business Secure Router supports the uploading and downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over LAN. Nortel does not recommend using TFTP over WAN, although it can work. To use TFTP, your computer must have both Telnet and TFTP clients. To back up the configuration file, follow the procedure shown next. 1 Use Telnet from your computer to connect to the Business Secure Router and log on. Because TFTP does not have any security checks, the Business Secure Router records the IP address of the Telnet client and accepts TFTP requests only from this address. 2 Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 – System Maintenance. 3 Enter command “sys stdio 0” to disable the SMT timeout, so the TFTP transfer is not interrupted. Enter command “sys stdio 5” to restore the five-minute SMT timeout (default) after the file transfer is complete. Nortel Business Secure Router 222 Configuration — Advanced 184 Chapter 15 Firmware and configuration file maintenance 4 Launch the TFTP client on your computer and connect to the Business Secure Router. Set the transfer mode to binary before starting data transfer. 5 Use the TFTP client (see the example below) to transfer files between the Business Secure Router and the computer. The file name for the configuration file is “rom-0” (rom-zero, not capital o). Note: Telnet connection must be active and the SMT must be in CI mode before and during the TFTP transfer. For details on TFTP commands (see “TFTP command example” on page 184), consult the documentation of your TFTP client program. For UNIX, use “get” to transfer from the Business Secure Router to the computer and “binary” to set binary transfer mode. TFTP command example The following is an example TFTP command: tftp [-i] host get rom-0 config.rom where “i” specifies binary image transfer mode (use this mode when transferring binary files), “host” is the Business Secure Router IP address, “get” transfers the file source on the Business Secure Router (rom-0, name of the configuration file on the Business Secure Router) to the file destination on the computer and renames it config.rom. GUI-based TFTP clients Table 47 describes some of the fields that appear in GUI-based TFTP clients. Table 47 General commands for GUI-based TFTP clients NN47922-501 Command Description Host Enter the IP address of the Business Secure Router. 192.168.1.1 is the Business Secure Router’s default IP address when shipped. Send/Fetch Use Send to upload the file to the Business Secure Router and Fetch to back up the file on your computer. Local File Enter the path and name of the firmware file (*.bin extension) or configuration file (*.rom extension) on your computer. Chapter 15 Firmware and configuration file maintenance 185 Table 47 General commands for GUI-based TFTP clients Command Description Remote File This is the filename on the Business Secure Router. The filename for the firmware is “ras” and for the configuration file, is “rom-0”. Binary Transfer the file in binary mode. Abort Stop transfer of the file. Refer to Chapter 17, “Remote Management,” on page 209 for information about configurations that disallow TFTP and FTP over WAN. Back up via console port Back up configuration via the console port by following the HyperTerminal procedure. Procedures using other serial communications programs are similar. Display menu 24.5 and enter “y” at the screen shown in Figure 93. Figure 93 Menu 24.5 System Maintenance: Backup Configuration Ready to backup Configuration via Xmodem. Do you want to continue (y/n): Figure 94 shows the screen which indicates that the Xmodem download has started. Figure 94 Menu 24.5 System Maintenance: Starting Xmodem Download Screen You can enter ctrl-x to terminate operation any time. Starting XMODEM download... Run the HyperTerminal program by clicking Transfer, then Receive File as shown in Figure 95. Nortel Business Secure Router 222 Configuration — Advanced 186 Chapter 15 Firmware and configuration file maintenance Figure 95 Backup Configuration Example Type a location for storing the configuration file or click Browse to look for one. Choose the Xmodem protocol. Click Receive. After a successful backup, the screen shown in Figure 96 appears. Press any key to return to the SMT menu. Figure 96 Successful Backup Confirmation Screen ** Backup Configuration completed. OK. ### Hit any key to continue.### Restore configuration This section shows you how to restore a previously saved configuration. Note that this function erases the current configuration before restoring a previous back up configuration; do not attempt to restore unless you have a backup configuration file stored on disk. FTP is the preferred method for restoring your current computer configuration to your Business Secure Router since FTP is faster. note that you must wait for the system to automatically restart after the file transfer is complete. Warning: Do not interrupt the file transfer process as this can permanently damage your Business Secure Router. NN47922-501 Chapter 15 Firmware and configuration file maintenance 187 Restore Using FTP For details about back up using FTP and TFTP, refer to “Backup configuration” on page 180. Figure 97 Telnet into Menu 24.6 Menu 24.6 -- System Maintenance - Restore Configuration To transfer the firmware and configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your Business Secure Router. Then type "nnadmin" and SMT password as requested. 3. Type "put backupfilename rom-0" where backupfilename is the name of your backup configuration file on your workstation and rom-0 is the remote file name on the Business Secure Router. This restores the configuration to your Business Secure Router. 4. The system reboots automatically after a successful file transfer For details on FTP commands, please consult the documentation of your FTP client program. For details on backup using TFTP (note that you must remain in this menu to back up using TFTP), please see your Business Secure Router manual. Press ENTER to Exit: 1 Launch the FTP client on your computer. 2 Enter open, followed by a space and the IP address of your Business Secure Router. 3 Press [ENTER] when prompted for a username. 4 Enter your password as requested (the default is “PlsChgMe!”). 5 Enter bin to set transfer mode to binary. 6 Find the rom file (on your computer) that you want to restore to your Business Secure Router. 7 Use put to transfer files from the Business Secure Router to the computer, for example, “put config.rom rom-0” transfers the configuration file config.rom on your computer to the Business Secure Router. See “Filename conventions” on page 179 for more information about filename conventions. Nortel Business Secure Router 222 Configuration — Advanced 188 Chapter 15 Firmware and configuration file maintenance 8 Enter quit to exit the ftp prompt. The Business Secure Router automatically restarts after a successful restore process. Restore using FTP session example Figure 98 Restore using FTP session example ftp> put config.rom rom-0 200 Port command okay 150 Opening data connection for STOR rom-0 226 File received OK 221 Goodbye for writing flash ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec. ftp>quit Refer to Chapter 17, “Remote Management,” on page 209 to read about configurations that disallow TFTP and FTP over WAN. Restore via console port Restore configuration via console port by following the HyperTerminal procedure. Procedures using other serial communications programs are similar. Display menu 24.6 and enter y at the prompt. Figure 99 System Maintenance: Restore Configuration Ready to restore Configuration via Xmodem. Do you want to continue (y/n): Figure 100 indicates that the Xmodem download has started. NN47922-501 Chapter 15 Firmware and configuration file maintenance 189 Figure 100 System Maintenance: Starting Xmodem Download Screen Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Click Send. Run the HyperTerminal program by clicking Transfer, then Send File. Starting XMODEM download (CRC mode) ... CCCCCCCCC After a successful restoration, the screen shown in Figure 101 appears. Press any key to restart the Business Secure Router and return to the SMT menu. Figure 101 Successful Restoration Confirmation Screen Save to ROM Hit any key to start system reboot. Uploading Firmware and Configuration Files This section shows you how to upload firmware and configuration files. You can upload configuration files by following the procedure “Restore configuration” on page 186, or by following the instructions in Menu 24.7.2 – System Maintenance – Upload System Configuration File. Warning: Do not interrupt the file transfer process as this can permanently damage your Business Secure Router. Nortel Business Secure Router 222 Configuration — Advanced 190 Chapter 15 Firmware and configuration file maintenance Firmware file upload FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client. When you use Telnet to access the Business Secure Router, the screens for uploading firmware and the configuration file using FTP appear. Figure 102 Telnet Into Menu 24.7.1 Upload System Firmware Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your system. Then type "nnadmin" and SMT password as requested. 3. Type "put firmwarefilename ras" where "firmwarefilename" is the name of your firmware upgrade file on your workstation and "ras" is the remote file name on the system. 4. The system reboots automatically after a successful firmware upload. For details on FTP commands, please consult the documentation of your FTP client program. For details on uploading system firmware using TFTP (note that you must remain on this menu to upload system firmware using TFTP), please see your manual. Press ENTER to Exit: NN47922-501 Chapter 15 Firmware and configuration file maintenance 191 Configuration file upload The screen shown in Figure 103 appears when you access menu 24.7.2 via Telnet. Figure 103 Telnet Into Menu 24.7.2 System Maintenance Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload the system configuration file, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your system. Then type "nnadmin" and SMT password as requested. 3. Type "put configurationfilename rom-0" where "configurationfilename" is the name of your system configuration file on your workstation, which will be transferred to the "rom-0" file on the system. 4. The system reboots automatically after the upload system configuration file process is complete. For details on FTP commands, please consult the documentation of your FTP client program. For details on uploading system firmware using TFTP (note that you must remain on this menu to upload system firmware using TFTP), please see your manual. Press ENTER to Exit: To upload the firmware and the configuration files, follow the examples in the rest of this chapter: FTP file upload command from the DOS prompt example 1 Launch the FTP client on your computer. 2 Enter “open”, followed by a space and the IP address of your Business Secure Router. 3 Press [ENTER] when prompted for a username. 4 Enter your password as requested (the default is “PlsChgMe!”). 5 Enter “bin” to set transfer mode to binary. 6 Use “put” to transfer files from the computer to the Business Secure Router, for example, “put firmware.bin ras” transfers the firmware on your computer (firmware.bin) to the Business Secure Router and renames it “ras”. Similarly, “put config.rom rom-0” transfers the configuration file on your computer Nortel Business Secure Router 222 Configuration — Advanced 192 Chapter 15 Firmware and configuration file maintenance (config.rom) to the Business Secure Router and renames it rom-0. Likewise get rom-0 config.rom transfers the configuration file on the Business Secure Router to your computer and renames it “config.rom.” See “Filename conventions” on page 179 for more information about filename conventions. 7 Enter “quit” to exit the ftp prompt. Note: The Business Secure Router automatically restarts after a successful file upload. FTP Session Example of Firmware File Upload Figure 104 FTP Session Example of Firmware File Upload 331 Enter PASS command Password: 230 Logged in ftp> bin 200 Type I OK ftp> put firmware.bin ras 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp: 1103936 bytes sent in 1.10Seconds 297.89Kbytes/sec. ftp> quit More commands (found in GUI-based FTP clients) are listed earlier in this chapter. Refer to the “Remote Management” on page 209 section to read about configurations that disallow TFTP and FTP over WAN. TFTP file upload The Business Secure Router also supports the uploading of firmware files using TFTP (Trivial File Transfer Protocol) over LAN. Although TFTP also works over WAN, Nortel does not recommend doing this. 1 NN47922-501 To use TFTP, your computer must have both Telnet and TFTP clients. To transfer the firmware and the configuration file, follow the procedure shown next. Chapter 15 Firmware and configuration file maintenance 193 2 Use Telnet from your computer to connect to the Business Secure Router and log on. Because TFTP does not have any security checks, the Business Secure Router records the IP address of the Telnet client and accepts TFTP requests only from this address. 3 Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 – System Maintenance. 4 Enter the command sys stdio 0 to disable the management timeout, so the TFTP transfer is not interrupted. Enter command sys stdio 5 to restore the five-minute management timeout (default) when the file transfer is complete. 5 Launch the TFTP client on your computer and connect to the Business Secure Router. Set the transfer mode to binary before starting data transfer. 6 Use the TFTP client (see the example below) to transfer files between the Business Secure Router and the computer. The file name for the firmware is ras. Note that the telnet connection must be active and the Business Secure Router must be in CI mode before and during the TFTP transfer. For details about TFTP commands (see “TFTP upload command example” on page 193), consult the documentation of your TFTP client program. For UNIX, use get to transfer from the Business Secure Router to the computer, put to transfer from the computer to the Business Secure Router, and binary to set binary transfer mode. TFTP upload command example The following is an example TFTP command: tftp [-i] host put firmware.bin ras where “i” specifies binary image transfer mode (use this mode when transferring binary files), “host” is the Business Secure Router’s IP address and “put” transfers the file source on the computer (firmware.bin – name of the firmware on the computer) to the file destination on the remote host (ras - name of the firmware on the Business Secure Router). Commands that appear in GUI-based TFTP clients are listed earlier in this chapter. Nortel Business Secure Router 222 Configuration — Advanced 194 Chapter 15 Firmware and configuration file maintenance Uploading via console port FTP or TFTP are the preferred methods for uploading firmware to your Business Secure Router. However, in the event of your network being down, uploading files is only possible with a direct connection to your Business Secure Router via the console port. Under normal conditions, Nortel does not recommend uploading files via the console port, as FTP or TFTP are faster. Any serial communications program should work fine; however, you must use the Xmodem protocol to perform the download or upload. Uploading Firmware File Via Console Port Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.1 – System Maintenance – Upload System Firmware, then follow the instructions as shown in Figure 105. Figure 105 Menu 24.7.1 as seen using the Console Port Menu 24.7.1 - System Maintenance - Upload System Firmware To 1. 2. 3. upload system firmware: Enter "y" at the prompt below to go into debug mode. Enter "atur" after "Enter Debug Mode" message. Wait for "Starting XMODEM upload" message before activating Xmodem upload on your terminal. 4. After successful firmware upload, enter "atgo" to restart the Business Secure Router. Warning: Proceeding with the upload will erase the current system firmware. Do You Wish To Proceed:(Y/N) After the "Starting Xmodem upload" message appears, activate the Xmodem protocol on your computer. Follow the procedure as shown previously for the HyperTerminal program. The procedure for other serial communications programs is similar. NN47922-501 Chapter 15 Firmware and configuration file maintenance 195 Uploading Xmodem firmware using HyperTerminal 1 Click Transfer, and then Send File to display the screen in Figure 106. Figure 106 Example Xmodem Upload Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol Click Send. 2 After the configuration upload process is complete, restart the Business Secure Router by entering atgo. Uploading configuration file via console port 1 Select 2 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.2 – System Maintenance – Upload System Configuration File. Follow the instructions as shown in Figure 107. Nortel Business Secure Router 222 Configuration — Advanced 196 Chapter 15 Firmware and configuration file maintenance Figure 107 Menu 24.7.2 as seen using the Console Port Menu 24.7.2 - System Maintenance - Upload System Configuration File To 1. 2. 3. upload system configuration file: Enter "y" at the prompt below to go into debug mode. Enter "atlc" after "Enter Debug Mode" message. Wait for "Starting XMODEM upload" message before activating Xmodem upload on your terminal. 4. After successful firmware upload, enter "atgo" to restart the system. Warning: 1. Proceeding with the upload will erase the current configuration file. 2. The system’s console port speed (Menu 24.2.2) may change when it is restarted; please adjust your terminal's speed accordingly. The password may change (menu 23), also. 3. When uploading the DEFAULT configuration file, the console port speed will be reset to 9600 bps and the password to "setup". Do You Wish To Proceed:(Y/N) NN47922-501 2 After the "Starting Xmodem upload" message appears, activate the Xmodem protocol on your computer. Follow the procedure in “Uploading Xmodem firmware using HyperTerminal” on page 195. The procedure for other serial communications programs is similar. 3 Enter atgo to restart the Business Secure Router. Chapter 15 Firmware and configuration file maintenance 197 Uploading Xmodem configuration file using HyperTerminal 1 Click Transfer, then Send File to display the screen shown in Figure 108. Figure 108 Example Xmodem Upload Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Click Send. 2 After the configuration upload process is complete, restart the Business Secure Router by entering atgo. Nortel Business Secure Router 222 Configuration — Advanced 198 Chapter 15 Firmware and configuration file maintenance NN47922-501 199 Chapter 16 System Maintenance menus 8 to 10 This chapter leads you through SMT menus 24.8 to 24.10. Command Interpreter mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions. Enter the CI from the SMT by selecting menu 24.8. Access can be by Telnet or by a serial connection to the console port, although some commands are only available with a serial connection. See the included disk or www.nortel.com for more detailed information about CI commands. Enter 8 from Menu 24 - System Maintenance. Note: Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable. Nortel Business Secure Router 222 Configuration — Advanced 200 Chapter 16 System Maintenance menus 8 to 10 Figure 109 Command mode in Menu 24 Menu 24 - System Maintenance 1. System Status 2. System Information and Console Port Speed 3. Log and Trace 4. Diagnostic 5. Backup Configuration 6. Restore Configuration 7. Firmware Update 8. Command Interpreter Mode 9. Call Control 10. Time and Date Setting 11. Remote Management Setup Enter Menu Selection Number: Command syntax The command keywords are in Courier New font. Enter the command keywords exactly as shown, do not abbreviate. The required fields in a command are enclosed in angle brackets <>. The optional fields in a command are enclosed in square brackets []. The | symbol means “or”. For example, sys filter netbios config <type> <on|off> NN47922-501 Chapter 16 System Maintenance menus 8 to 10 201 means that you must specify the type of netbios filter and whether to turn it on or off. Command usage A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished. Figure 110 Valid commands ras> ? Valid commands are: sys ipsec 8021x exit bm ether certificates ip radius Table 48 Valid commands Command Description sys The system commands display device information and configure device settings. exit This command returns you to the SMT main menu. ether This commands display Ethernet information and configure Ethernet settings. ip This commands display IP information and configure IP settings. ipsec This commands display IPSec information and configure IPSec settings. bm This commands display bandwidth management information and configure bandwidth management settings. certificates This commands display certificate information and configure certificate settings. radius This commands display RADIUS information. 8021x This commands display IEEE 802.1x information. Nortel Business Secure Router 222 Configuration — Advanced 202 Chapter 16 System Maintenance menus 8 to 10 Call control support The Business Secure Router provides two call control functions: budget management and call history. Note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1. With the budget management function, you can set a limit on the total outgoing call time of the Business Secure Router within certain times. When the total outgoing call time exceeds the limit, the current call is dropped and any future outgoing calls are blocked. Call history chronicles preceding incoming and outgoing calls. To access the call control menu, select option 9 in menu 24 to go to Menu 24.9 System Maintenance - Call Control, as shown in Figure 111. Figure 111 Call Control Menu 24.9 - System Maintenance - Call Control 1.Budget Management 2.Call History Enter Menu Selection Number: Budget management Menu 24.9.1 shows the budget management statistics for outgoing calls. Enter 1 from Menu 24.9 - System Maintenance - Call Control to bring up the Budget Management menu (Figure 112). NN47922-501 Chapter 16 System Maintenance menus 8 to 10 203 Figure 112 Budget Management Menu 24.9.1 - Budget Management Remote Node 1.ChangeMe Connection Time/Total Budget No Budget Elapsed Time/Total Period No Budget 2.GUI No Budget No Budget Reset Node (0 to update screen): The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call is dropped and further outgoing calls to that remote node is blocked. After each period, the total budget is reset. The default for the total budget is 0 minutes and the period is 0 hours, meaning no budget control. You can reset the accumulated connection time in this menu by entering the index of a remote node. Enter 0 to update the screen. The budget and the reset period can be configured in menu 11.1 for the remote node. Table 49 Budget management Field Description Example Remote Node Enter the index number of the remote 1 node you want to reset (just one in this case) Connection Time/ Total Budget This is the total connection time that has gone by (within the allocated budget that you set in menu 11.1). 5/10 means that 5 minutes out of a total allocation of 10 minutes have lapsed. Elapsed Time/Total Period The period is the time cycle in hours that the allocation budget is reset (see menu 11.1.) The elapsed time is the time used up within this period. 0.5/1 means that 30 minutes out of the 1-hour time period has lapsed. Enter “0” to update the screen or press [ESC] to return to the previous screen. Nortel Business Secure Router 222 Configuration — Advanced 204 Chapter 16 System Maintenance menus 8 to 10 Call History This is the second option in Menu 24.9 - System Maintenance - Call Control. It displays information about past incoming and outgoing calls. Enter 2 from Menu 24.9 - System Maintenance - Call Control. Figure 113 Call History Menu 24.9.2 - Call History Phone Number 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Dir Rate #call Max Min Total Enter Entry to Delete(0 to exit): Table 50 describes the fields in Figure 113. Table 50 Call History Fields Field Description Phone Number The PPPoE service names are shown here. Dir This shows whether the call is incoming or outgoing. Rate This is the transfer rate of the call. #call This is the number of calls made to or received from that telephone number. Max This is the length of time of the longest telephone call. Min This is the length of time of the shortest telephone call. Total This is the total length of time of all the telephone calls to and from that telephone number. Enter an entry number to delete it or 0 to exit. NN47922-501 Chapter 16 System Maintenance menus 8 to 10 205 Time and Date setting There is a software mechanism to set the time manually or get the current time and date from an external server when you turn on your Business Secure Router. With Menu 24.10, you can update the time and date settings of your Business Secure Router. The real time is then displayed in the Business Secure Router error logs and firewall logs. Select menu 24 in the main menu to open Menu 24 - System Maintenancet. Figure 114 Menu 24: System Maintenance Menu 24 - System Maintenance 1. System Status 2. System Information and Console Port Speed 3. Log and Trace 4. Diagnostic 5. Backup Configuration 6. Restore Configuration 7. Upload Firmware 8. Command Interpreter Mode 9. Call Control 10. Time and Date Setting 11. Remote Management Setup Enter Menu Selection Number: Enter 10 to go to Menu 24.10 - System Maintenance - Time and Date Setting to update the time and date settings of your Business Secure Router, as shown in Figure 115. Nortel Business Secure Router 222 Configuration — Advanced 206 Chapter 16 System Maintenance menus 8 to 10 Figure 115 Menu 24.10 System Maintenance: Time and Date Setting Menu 24.10 - System Maintenance - Time and Date Setting Time Protocol= NTP (RFC-1305) Time Server Address= a.ntp.alphazed.net Current Time: New Time (hh:mm:ss): 01 : 07 : 41 N/A N/A N/A Current Date: New Date (yyyy-mm-dd): 2000 - 01 - 01 N/A N/A N/A Time Zone= GMT Daylight Saving= No Start Date (mm-nth-week-hr): End Date (mm-nth-week-hr): Jan. - 1st Jan. - 1st - Sat. - Sat. - 00 00 Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. Table 51 describes the fields in Figure 115. Table 51 Time and Date Setting Fields NN47922-501 Field Description Time Protocol Enter the time service protocol that your time server uses. Not all time servers support all protocols, so check with your ISP or network administrator or use trial and error to find a protocol that works. The main differences between the time protocols are the format. Daytime (RFC 867) format is the day/month/year/time zone of the server. Time (RFC-868) format displays a 4-byte integer giving the total number of seconds since 1970/1/1 at 0:0:0. The default, NTP (RFC-1305), is similar to Time (RFC-868). Select Manual to enter the new time and new date manually. Time Server Address Enter the IP address or domain name of your timeserver. Check with your ISP or network administrator if you are unsure of this information. The default is a.ntp.alphazed.net. Current Time This field displays an updated time only when you reenter this menu. New Time Enter the new time in hour, minute and second format. This field is available when you select Manual in the Time Protocol field. Chapter 16 System Maintenance menus 8 to 10 207 Table 51 Time and Date Setting Fields Field Description Current Date This field displays an updated date only when you reenter this menu. New Date Enter the new date in year, month and day format. This field is available when you select Manual in the Time Protocol field. Time Zone Press [SPACE BAR] and then [ENTER] to set the time difference between your time zone and Greenwich Mean Time (GMT). Daylight Saving Time Daylight Saving Time is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daylight time in the evenings. If you use daylight savings time, then choose Yes. Start Date Configure the day and time when Daylight Saving Time starts if you (mm-nth-week-hr) select Yes in the Daylight Saving field. The hr field uses the 24-hour format. Here are a couple of examples: Daylight Saving Time starts in most parts of the United States on the first Sunday of April. Each time zone in the United States starts using Daylight Saving Time at 2 a.m. local time. So, in the United States, select Apr., 1st, Sun. and type 02 in the hr field. Daylight Saving Time starts in the European Union on the last Sunday of March. All of the time zones in the European Union start using Daylight Saving Time at the same moment (1 a.m. GMT or UTC). So, in the European Union, select Mar., Last, Sun. The time you type in the hr field depends on your time zone. In Germany, for instance, type 02 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). End Date Configure the day and time when Daylight Saving Time ends if you (mm-nth-week-hr) select Yes in the Daylight Saving field. The hr field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time ends in the United States on the last Sunday of October. Each time zone in the United States stops using Daylight Saving Time at 2 a.m. local time. So, in the United States, select Oct., Last, Sun. and type 02 in the hr field. Daylight Saving Time ends in the European Union on the last Sunday of October. All of the time zones in the European Union stop using Daylight Saving Time at the same moment (1 a.m. GMT or UTC). So, in the European Union, select Oct., Last, Sun. The time you type in the hr field depends on your time zone. In Germany, for instance, type 02 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). After you fill in this menu, press [ENTER] at the message “Press ENTER to Confirm or ESC to Cancel“ to save your configuration, or press [ESC] to cancel. Nortel Business Secure Router 222 Configuration — Advanced 208 Chapter 16 System Maintenance menus 8 to 10 Resetting the Time The Business Secure Router resets the time in three instances: • • • NN47922-501 After you make changes to and leave menu 24.10 After starting up the Business Secure Router starts up, if a time server configured in menu 24.10 After starting the Business Secure Router, in 24-hour intervals 209 Chapter 17 Remote Management This chapter covers remote management found in SMT menu 24.11. Remote Management With remote management, you can determine which services and protocols can access which Business Secure Router interface (if any) from which computers. You can manage your Business Secure Router from a remote location via: • • • • Internet (WAN only) ALL (LAN and WAN) LAN only Neither (Disable) Note: When you Choose WAN only or ALL (LAN & WAN), you still need to configure a firewall rule to allow access. To disable remote management of a service, select Disable in the corresponding Server Access field. Enter 11 from menu 24 to bring up Menu 24.11 – Remote Management Control. Nortel Business Secure Router 222 Configuration — Advanced 210 Chapter 17 Remote Management Figure 116 Menu 24.11 – Remote Management Control Menu 24.11 - Remote Management Control TELNET Server: FTP Server: SSH Server: HTTPS Server: HTTP Server: SNMP Service: DNS Service: Port = 23 Access = Disable Secure Client IP = 0.0.0.0 Port = 21 Access = Disable Secure Client IP = 0.0.0.0 Certificate = auto_generated_self_signed_cert Port = 22 Access = Disable Secure Client IP = 0.0.0.0 Certificate = auto_generated_self_signed_cert Authenticate Client Certificates = No Port = 443 Access = Disable Secure Client IP = 0.0.0.0 Port = 80 Access = LAN only Secure Client IP = 0.0.0.0 Port = 161 Access = Disable Secure Client IP = 0.0.0.0 Port = 53 Access = LAN only Secure Client IP = 0.0.0.0 Press ENTER to Confirm or ESC to Cancel: Table 52 describes the fields in Figure 116. Table 52 Menu 24.11 – Remote Management control NN47922-501 Field Description Telnet Server FTP Server SSH Server HTTPS Server HTTP Server SNMP Service DNS Service Each of these read-only labels denotes a service that you can use to remotely manage the Business Secure Router. Port This field shows the port number for the service or protocol. You can change the port number if needed, but you must use the same port number to access the Business Secure Router. Access Select the access interface (if any) by pressing [SPACE BAR], then [ENTER] to choose from: LAN only, WAN only, ALL or Disable. Secure Client IP The default 0.0.0.0 allows any client to use this service to remotely manage the Business Secure Router. Enter an IP address to restrict access to a client with a matching IP address. Chapter 17 Remote Management 211 Table 52 Menu 24.11 – Remote Management control Field Description Certificate Press [SPACE BAR] and then [ENTER] to select the certificate that the Business Secure Router uses to identify itself. The Business Secure Router is the SSL server and must always authenticate itself to the SSL client (the computer that requests the HTTPS connection with the Business Secure Router). Authenticate Client Certificates Select Yes by pressing [SPACE BAR], then [ENTER] to require the SSL client to authenticate itself to the Business Secure Router by sending the Business Secure Router a certificate. To do that, the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the Business Secure Router (see Appendix C, “Importing certificates,” on page 233 for details). After you fill this menu, press [ENTER] at the message "Press ENTER to Confirm or ESC to Cancel" to save your configuration, or press [ESC] to cancel. Remote Management Limitations Remote management over LAN or WAN does not work when: 1 A filter in menu 3.1 (LAN) or in menu 11.1.4 (WAN) is applied to block a Telnet, FTP, or Web service. 2 You disable that service in menu 24.11. 3 The IP address in the Secured Client IP field (menu 24.11) does not match the client IP address. If it does not match, the Business Secure Router disconnects the session immediately. 4 There is an SMT console session running. 5 There is already another remote management session of the same type (web, FTP or Telnet) running. Only one remote management session of the same type can run at one time. 6 There is a web remote management session running with a Telnet session. A Telnet session is disconnected if you begin a web session; it does not begin if a Web session is already running. 7 There is a firewall rule that blocks remote management. Nortel Business Secure Router 222 Configuration — Advanced 212 Chapter 17 Remote Management NN47922-501 213 Chapter 18 Call scheduling Using call scheduling (applicable only for PPPoA or PPPoE encapsulation), you can dictate when a remote node is called and for how long. Introduction Using the call scheduling feature, the Business Secure Router can manage a remote node and dictate when a remote node is called and for how long. This feature is similar to the scheduler in a video cassette recorder (you can specify a time period for the VCR to record). You can apply up to 4 schedule sets in Menu 11.1 — Remote Node Profile. From the main menu, enter 26 to access Menu 26 — Schedule Setup as shown in Figure 117. Figure 117 Menu 26 Schedule Setup Menu 26 - Schedule Setup Schedule Set # Name ------ ----------------1 AlwaysOn 2 _______________ 3 _______________ 4 _______________ 5 _______________ 6 _______________ Schedule Set # Name ------ ----------------7 _______________ 8 _______________ 9 _______________ 10 _______________ 11 _______________ 12 _______________ Enter Schedule Set Number to Configure= 0 Edit Name= N/A Press ENTER to Confirm or ESC to Cancel: Nortel Business Secure Router 222 Configuration — Advanced 214 Chapter 18 Call scheduling Lower numbered sets take precedence over higher numbered sets, thereby avoiding scheduling conflicts. For example, if sets 1, 2, 3, and 4 are applied in the remote node then set 1 takes precedence over sets 2, 3, and 4 as the Business Secure Router, by default, applies the lowest numbered set first. Set 2 takes precedence over sets 3 and 4, and so on. You can design up to 12 schedule sets, but you can only apply up to four schedule sets for a remote node. Note: To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] (or delete) in the Edit Name field. To set up a schedule set, select the schedule set you want to setup from menu 26 (1-12) and press [ENTER] to see Menu 26.1 — Schedule Set Setup as shown in Figure 118. Figure 118 Menu 26.1 Schedule Set Setup Menu 26.1 - Schedule Set Setup Active= Yes Start Date(yyyy/mm/dd) = 2000 – 01 - 01 How Often= Once Once: Date(yyyy/mm/dd)= 2000 – 01 - 01 Weekdays: Sunday= N/A Monday= N/A Tuesday= N/A Wednesday= N/A Thursday= N/A Friday= N/A Saturday= N/A Start Time (hh:mm)= 00 : 00 Duration (hh:mm)= 00 : 00 Action= Forced On Press ENTER to Confirm or ESC to Cancel NN47922-501 Chapter 18 Call scheduling 215 If a connection is already established, your Business Secure Router does not drop it. After the connection is dropped manually or it times out, then that remote node cannot be triggered until the end of the Duration. Table 53 Menu 26.1 Schedule Set Setup Field Description Example Active Press [SPACE BAR] to select Yes or No. Choose Yes and press [ENTER] to activate the schedule set. Yes Start Date Enter the start date when you wish the set to take effect in 2000-01-01 year-month-date format. Valid dates are from the present to 2036-February-5. How Often Press the [SPACE BAR] and then [ENTER] to select Once Once or Weekly. Both these options are mutually exclusive. If Once is selected, then all weekday settings are N/A. After Once is selected, the schedule rule deletes automatically after the scheduled time elapses. Once: Date If you selected Once in the How Often field above, enter the date the set should activate here in year-month-date format. Weekday: Day If you selected Weekly in the How Often field above, select Yes the days when the set should activate (and recur) by going No to that days and pressing [SPACE BAR] to select Yes. After N/A you complete this menu, press [ENTER] to exit. Start Time Enter the start time when you wish the schedule set to take 09:00 effect in hour-minute format. Duration Enter the maximum length of time this connection is allowed, in hour-minute format. Action Forced On means that the connection is maintained Forced On whether or not there is a demand call on the line and persists for the time period specified in the Duration field. Forced Down means that the connection is blocked whether or not there is a demand call on the line. Enable Dial-On-Demand means that this schedule permits a demand call on the line. Disable Dial-On-Demand means that this schedule prevents a demand call on the line. 2000-01-01 08:00 After you complete this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. Nortel Business Secure Router 222 Configuration — Advanced 216 Chapter 18 Call scheduling After you configure your schedule sets, you must apply them to the desired remote nodes. Enter 11 from the Main Menu and then enter the target remote node index. Using [SPACE BAR], select PPPoE or PPPoA in the Encapsulation field and then press [ENTER] to make the schedule sets field available, as shown in Figure 119. Figure 119 Applying Schedule Sets to a Remote Node (PPPoE) Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Active= Yes Route= IP Encapsulation= Ethernet Service Type= Standard Service Name= N/A Outgoing: My Login= N/A My Password= N/A Retype to Confirm= N/A Server= N/A Edit IP= No Session Options: Edit Filter Sets= No Edit Traffic Redirect= No Press ENTER to Confirm or ESC to Cancel: Press ENTER to Confirm or ESC to Cancel: You can apply up to four schedule sets, separated by commas, for one remote node. Change the schedule set numbers to your preferences. NN47922-501 217 Appendix A Setting up your computer IP address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, and Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package. TCP/IP is already installed on computers using Windows NT/2000/XP, or Macintosh OS 7 and later operating systems. After the appropriate TCP/IP components are installed, configure the TCP/IP settings in order to communicate with your network. If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the Business Secure Router LAN port. Windows 95/98/Me Click Start, Settings, Control Panel and double-click the Network icon to open the Network window Nortel Business Secure Router 222 Configuration — Advanced 218 Appendix A Setting up your computer IP address Figure 120 WIndows 95/98/Me: network: configuration Installing components The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: a In the Network window, click Add. b Select Adapter and click Add. c Select the manufacturer and model of your network adapter and click OK. If you need TCP/IP: a In the Network window, click Add. b Select Protocol and click Add. c Select Microsoft from the list of manufacturers. d Select TCP/IP from the list of network protocols and click OK. If you need Client for Microsoft Networks: NN47922-501 Appendix A Setting up your computer IP address 219 a Click Add. b Select Client and click Add. c Select Microsoft from the list of manufacturers. d Select Client for Microsoft Networks from the list of network clients and click OK. e Restart your computer so your changes take effect. Configuring 1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties 2 Click the IP Address tab. — If your IP address is dynamic, select Obtain an IP address automatically. — If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields. Figure 121 Windows 95/98/Me: TCP/IP properties: IP address 3 Click the DNS Configuration tab. — If you do not know your DNS information, select Disable DNS. Nortel Business Secure Router 222 Configuration — Advanced 220 Appendix A Setting up your computer IP address — If you know your DNS information, select Enable DNS and type the information in the fields below (you do not need to fill them all in). Figure 122 Windows 95/98/Me: TCP/IP Properties: DNS configuration 4 Click the Gateway tab. — If you do not know your gateway’s IP address, remove previously installed gateways. — If you have a gateway IP address, type it in the New gateway field and click Add. 5 Click OK to save and close the TCP/IP Properties window. 6 Click OK to close the Network window. Insert the Windows CD if prompted. 7 Turn on your Business Secure Router and restart your computer when prompted. Verifying Settings NN47922-501 1 Click Start and then Run. 2 In the Run window, type winipcfg and click OK to open the IP Configuration window. 3 Select your network adapter. Your computer IP address, subnet mask, and default gateway will be displayed. Appendix A Setting up your computer IP address 221 Windows 2000/NT/XP 1 For Windows XP, click Start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. Figure 123 Windows XP: Start menu 2 For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. Figure 124 Windows XP: Control Panel Nortel Business Secure Router 222 Configuration — Advanced 222 Appendix A Setting up your computer IP address 3 Right-click Local Area Connection and then click Properties. Figure 125 Windows XP: Control Panel: Network Connections: Properties 4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties. Figure 126 Windows XP: Local Area Connection Properties NN47922-501 Appendix A Setting up your computer IP address 223 5 The Internet Protocol TCP/IP Properties window appears (the General tab in Windows XP). — If you have a dynamic IP address, click Obtain an IP address automatically. — If you have a static IP address, click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. Click Advanced. Figure 127 Windows XP: Advanced TCP/IP settings 6 If you do not know your gateway IP address, remove any previously installed gateways in the IP Settings tab and click OK. Ë Do one or more of the following if you want to configure additional IP addresses: — In the IP Settings tab, in IP addresses, click Add. — In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet mask, and then click Add. — Repeat the above two steps for each IP address you want to add. — Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways. Nortel Business Secure Router 222 Configuration — Advanced 224 Appendix A Setting up your computer IP address — In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway. To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric. — Click Add. — Repeat the previous three steps for each default gateway you want to add. — Click OK when finished. 7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): — Click Obtain DNS server address automatically if you do not know your DNS server IP addresses. — If you know your DNS server IP addresses, click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields. If you have previously configured DNS servers, click Advanced and then the DNS tab to order them. Figure 128 Windows XP: Internet Protocol (TCP/IP) properties NN47922-501 8 Click OK to close the Internet Protocol (TCP/IP) Properties window. 9 Click OK to close the Local Area Connection Properties window. Appendix A Setting up your computer IP address 225 10 Turn on your Business Secure Router and restart your computer (if prompted). Verifying Settings 1 Click Start, All Programs, Accessories and then Command Prompt. 2 In the Command Prompt window, type ipconfig and press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab. Macintosh OS 8/9 1 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Figure 129 Macintosh OS 8/9: Apple Menu Nortel Business Secure Router 222 Configuration — Advanced 226 Appendix A Setting up your computer IP address 2 Select Ethernet built-in from the Connect via list. Figure 130 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list. 4 For statically assigned settings, do the following: — — — — From the Configure box, select Manually. Type your IP address in the IP Address box. Type your subnet mask in the Subnet mask box. Type the IP address of your Business Secure Router in the Router address box. 5 Close the TCP/IP Control Panel. 6 Click Save if prompted, to save changes to your configuration. 7 Turn on your Business Secure Router and restart your computer (if prompted). Verifying Settings Check your TCP/IP properties in the TCP/IP Control Panel window. NN47922-501 Appendix A Setting up your computer IP address 227 Macintosh OS X 1 Click the Apple menu, and click System Preferences to open the System Preferences window. Figure 131 Macintosh OS X: Apple menu 2 Click Network in the icon bar. — Select Automatic from the Location list. — Select Built-in Ethernet from the Show list. — Click the TCP/IP tab. 3 For dynamically assigned settings, select Using DHCP from the Configure list. Figure 132 Macintosh OS X: Network Nortel Business Secure Router 222 Configuration — Advanced 228 Appendix A Setting up your computer IP address 4 For statically assigned settings, do the following: — — — — From the Configure box, select Manually. Type your IP address in the IP Address box. Type your subnet mask in the Subnet mask box. Type the IP address of your Business Secure Router in the Router address box. 5 Click Apply Now and close the window. 6 Turn on your Business Secure Router and restart your computer (if prompted). Verifying settings Check your TCP/IP properties in the Network window. NN47922-501 229 Appendix B Triangle Route The Ideal Setup When the firewall is on, your Business Secure Router acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the Business Secure Router to protect your LAN against attacks. Figure 133 Ideal Setup Business Secure Router The Triangle Route Problem You can have more than one connection to the Internet (through one or more ISPs). If an alternate gateway is on the LAN (and its IP address is in the same subnet as the Business Secure Router LAN IP address), the triangle route (also called asymmetrical route) problem can occur. The steps below describe the triangle route problem. A traffic route is a path for sending or receiving data packets between two Ethernet devices. Some companies have more than one alternate route to one or more ISPs. If the LAN and ISP are in the same subnet, the triangle route problem can occur. The steps below describe the triangle route problem. Nortel Business Secure Router 222 Configuration — Advanced 230 Appendix B Triangle Route 1 A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN. 2 The Business Secure Router reroutes the SYN packet through Gateway B on the LAN to the WAN. 3 The reply from the WAN goes directly to the computer on the LAN without going through the Business Secure Router. As a result, the Business Secure Router resets the connection, as the connection is not acknowledged. Figure 134 Triangle Route Problem Business Secure Router The Triangle Route Solutions IP aliasing Using IP alias, you can partition your network into logical sections over the same Ethernet interface. Your Business Secure Router supports up to three logical LAN interfaces with the Business Secure Router being the gateway for each logical network. By putting your LAN and Gateway B in different subnets, all returning network traffic must pass through the Business Secure Router to your LAN. The following steps describe such a scenario. 1 NN47922-501 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN. Appendix B Triangle Route 231 2 The Business Secure Router reroutes the packet to Gateway B, which is in Subnet 2. 3 The reply from WAN goes to the Business Secure Router. 4 The Business Secure Router ends the response to the computer in Subnet 1. Figure 135 IP Alias WAN Business Secure Router Nortel Business Secure Router 222 Configuration — Advanced 232 Appendix B Triangle Route NN47922-501 233 Appendix C Importing certificates This appendix shows examples for importing certificates. Import Business Secure Router certificates into Netscape Navigator In Netscape Navigator, you can permanently trust the Business Secure Router server certificate by importing it into your operating system as a trusted certification authority. Select Accept This Certificate Permanently in Figure 136 to do this. Figure 136 Security Certificate Nortel Business Secure Router 222 Configuration — Advanced 234 Appendix C Importing certificates Importing the Business Secure Router Certificate into Internet Explorer For Internet Explorer to trust a self-signed certificate from the Business Secure Router, simply import the self-signed certificate into your operating system as a trusted certification authority. To have Internet Explorer trust a Business Secure Router certificate issued by a certificate authority, import the certificate authority’s certificate into your operating system as a trusted certification authority. The following example procedure shows how to import the Business Secure Router’s (self-signed) server certificate into your operating system as a trusted certification authority. 1 In Internet Explorer, double click the lock shown in Figure 137. Figure 137 Login Screen NN47922-501 Appendix C Importing certificates 235 2 Click Install Certificate to open the Install Certificate wizard. Figure 138 Certificate General Information before Import Nortel Business Secure Router 222 Configuration — Advanced 236 Appendix C Importing certificates 3 Click Next to begin the Install Certificate wizard. Figure 139 Certificate Import Wizard 1 NN47922-501 Appendix C Importing certificates 237 4 Select where you want to store the certificate and click Next. Figure 140 Certificate Import Wizard 2 Nortel Business Secure Router 222 Configuration — Advanced 238 Appendix C Importing certificates 5 Click Finish to complete the Import Certificate wizard. Figure 141 Certificate Import Wizard 3 6 Click Yes to add the Business Secure Router certificate to the root store. Figure 142 Root Certificate Store NN47922-501 Appendix C Importing certificates 239 Figure 143 Certificate General Information after Import Enrolling and Importing SSL Client Certificates The SSL client needs a certificate if Authenticate Client Certificates is selected on the Business Secure Router. You must have imported at least one trusted CA to the Business Secure Router in order for the Authenticate Client Certificates to be active (see “Certificates” in Nortel Business Secure Router 222 Configuration — Basics (NN47922-500) for details). Apply for a certificate from a Certification Authority (CA) that is trusted by the Business Secure Router (see the Business Secure Router’s Trusted CA WebGUI screen—Figure 144). Nortel Business Secure Router 222 Configuration — Advanced 240 Appendix C Importing certificates Figure 144 Business Secure Router Trusted CA screen The CA sends you a package containing the CA’s trusted certificate, your personal certificates and a password to install the personal certificates. NN47922-501 Appendix C Importing certificates 241 Installing the CA’s certificate 1 Double click the CA’s trusted certificate to produce a screen similar to the one shown in Figure 145. Figure 145 CA certificate example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix. Installing your personal certificates You need a password in advance. The CA can issue the password or you can specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to Figure 146 Nortel Business Secure Router 222 Configuration — Advanced 242 Appendix C Importing certificates 1 Click Next to begin the wizard. Figure 146 Personal certificate import wizard 1 NN47922-501 Appendix C Importing certificates 243 2 The file name and path of the certificate you double-clicked automatically appears in the File name text box. Click Browse if you wish to import a different certificate. Figure 147 Personal certificate import wizard 2 Nortel Business Secure Router 222 Configuration — Advanced 244 Appendix C Importing certificates 3 Enter the password given to you by the CA. Figure 148 Personal certificate import wizard 3 NN47922-501 Appendix C Importing certificates 245 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 149 Personal certificate import wizard 4 Nortel Business Secure Router 222 Configuration — Advanced 246 Appendix C Importing certificates 5 Click Finish to complete the wizard and begin the import process. Figure 150 Personal certificate import wizard 5 6 Figure 151 shows the screen that appears when the certificate is correctly installed on your computer. Figure 151 Personal certificate import wizard 6 NN47922-501 Appendix C Importing certificates 247 Using a certificate when accessing the Business Secure Router example Use the following procedure to access the Business Secure Router via HTTPS. 1 Enter https://Business Secure Router IP Address/ in your browser’s web address field. Figure 152 Access the Business Secure Router via HTTPS 2 When Authenticate Client Certificates is selected on the Business Secure Router, you are asked to select a personal certificate to send to the Business Secure Router. This screen displays even if you only have a single certificate, as shown in Figure 153. Figure 153 SSL client authentication Nortel Business Secure Router 222 Configuration — Advanced 248 Appendix C Importing certificates 3 The Business Secure Router login screen appears. Figure 154 Business Secure Router secure login screen NN47922-501 249 Appendix D PPPoE PPPoE in action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects to a DSL Access Concentrator where the PPP session terminates (see Figure 155). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP. Benefits of PPPoE PPPoE offers the following benefits: • • • It provides you with a familiar dial-up networking (DUN) user interface. It lessens the burden on the carriers of provisioning virtual circuits all the way to the ISP on multiple switches for thousands of users. For GSTN (PSTN and ISDN), the switching fabric is already in place. It allows the ISP to use the existing dial-up model to authenticate and (optionally) to provide differentiated services. Traditional dial-up scenario Figure 155 depicts a typical hardware configuration where the PCs use traditional dial-up networking. Nortel Business Secure Router 222 Configuration — Advanced 250 Appendix D PPPoE Figure 155 Single-PC per Router Hardware Configuration Business Secure Router How PPPoE works The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC acts as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP. The L2TP tunnel is capable of carrying multiple PPP sessions. With PPPoE, the VC (Virtual Circuit) is equivalent to the dial-up connection and is between the modem and the AC, as opposed to all the way to the ISP. However, the PPP negotiation is between the PC and the ISP. Business Secure Router as a PPPoE client When using the Business Secure Router as a PPPoE client, the PCs on the LAN see only Ethernet and are not aware of PPPoE. This alleviates the administrator from having to manage the PPPoE clients on the individual PCs. NN47922-501 Appendix D PPPoE 251 Figure 156 Business Secure Router as a PPPoE Client Business Secure Router Nortel Business Secure Router 222 Configuration — Advanced 252 Appendix D PPPoE NN47922-501 253 Appendix E PPTP What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Network Termination) where PPTP is used only over the short haul between the PC and the modem over Ethernet. For the rest of the connection, the PPP frames are transported with PPP over AAL5 (RFC 2364) The PPP connection, however, is still between the PC and the ISP. The various connections in this setup are depicted in the following diagram. The drawback of this solution is that it requires one separate ATM VC per destination. Figure 157 Transport PPP frames over Ethernet Nortel Business Secure Router 222 Configuration — Advanced 254 Appendix E PPTP PPTP and the Business Secure Router When the Business Secure Router is deployed in such a setup, it appears as a PC to the ANT. In Windows VPN or PPTP Pass-Through feature, the PPTP tunneling is created from Windows 95, 98, and NT clients to an NT server in a remote location. Using the pass-through feature, users on the network can access a different remote server using the Business Secure Router's Internet connection. In SUA/NAT mode, the Business Secure Router is able to pass the PPTP packets to the internal PPTP server (for example, NT server) behind the NAT. You must configure port forwarding for port 1723 to have the Business Secure Router forward PPTP packets to the server. In the case above as the remote PPTP Client initializes the PPTP connection, the user must configure the PPTP clients. The Business Secure Router initializes the PPTP connection hence; there is no need to configure the remote PPTP clients. Figure 158 Business Secure Router as a PPTP client Business Secure Router PPTP protocol overview PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user. The PNS is the box that hosts both the PPP and the PPTP stacks and forms one end of the PPTP tunnel. The PAC is the box that dials or answers the phone calls and relays the PPP frames to the PNS. The PPTP user is not necessarily a PPP client, it can also be a PPP server. Both the PNS and the NN47922-501 Appendix E PPTP 255 PAC must have IP connectivity; however, the PAC must also have dial-up capability. The phone call is between the user and the PAC and the PAC tunnels the PPP frames to the PNS. The PPTP user is unaware of the tunnel between the PAC and the PNS. Figure 159 PPTP protocol overview Microsoft includes PPTP as a part of the Windows OS. In Microsoft’s implementation, the PC, and hence the Business Secure Router, is the PNS that requests the PAC (the ANT) to place an outgoing call over AAL5 to an RFC 2364 server. Control and PPP connections Each PPTP session has distinct control connection and PPP data connection. Call connection The control connection runs over TCP. Similar to L2TP, a tunnel control connection is first established before call control messages can be exchanged. Note that a tunnel control connection supports multiple call sessions. Figure 160 depicts the message exchange of a successful call setup between a PC and an ANT. Nortel Business Secure Router 222 Configuration — Advanced 256 Appendix E PPTP Figure 160 Example message exchange between PC and an ANT PPP data connection The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header. NN47922-501 257 Appendix F Hardware specifications Cable pin assignments Table 54 General specifications Power Specification I/P AC 120V / 60Hz; O/P DC 12V 1200 mA MTBF 416 107 hrs (Mean Time Between Failures) Operation Temperature 0º C ~ 40º C Ethernet Specification for WAN 10/100Mb/s Half / Full autonegotiation Ethernet Specification for LAN/ VPN Ports 10/100Mb/s Half / Full autonegotiation, autosensing In a serial communications connection, generally a computer is DTE (DataTerminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment). The Business Secure Router is DCE when you connect a computer to the console port. The Business Secure Router is DTE when you connect a modem to the dial backup port. Nortel Business Secure Router 222 Configuration — Advanced 258 Appendix F Hardware specifications Figure 161 Console or dial backup port pin layouts 1 P i n 5 P i n 1 P i n 9 P i n 6 Table 55 Console or dial backup port pin assignments 1 CONSOLE Port RS – 232 (Female) DB-9F DIAL BACKUP RS – 232 (Male) DB-9M Pin 1 = NON Pin 1 = NON Pin 2 = DCE-TXD Pin 2 = DTE-RXD Pin 3 = DCE –RXD Pin 3 = DTE-TXD Pin 4 = DCE –DSR Pin 4 = DTE-DTR Pin 5 = GND Pin 5 = GND Pin 6 = DCE –DTR Pin 6 = DTE-DSR Pin 7 = DCE –CTS Pin 7 = DTE-RTS Pin 8 = DCE –RTS Pin 8 = DTE-CTS PIN 9 = NON PIN 9 = NON. The CON/AUX port also has these pin assignments. The CON/AUX switch changes the setting in the firmware only and does not change the CON/AUX port’s pin assignments. Business Secure Routers with a CON/AUX port also have a 9-pin adapter for the console cable with these pin assignments on the male end. Products without flow control only use pins 2, 3, and 5. NN47922-501 Appendix F Hardware specifications 259 Figure 162 Ethernet cable pin assignments WAN/LAN Ethernet Cable Pin Layout: Straight-Through Crossover (Switch) 1 IRD + (Adapter) 1 OTD + (Switch) 1 IRD + 2 IRD - 2 OTD - 2 IRD - 2 3 OTD + 3 IRD + 3 OTD + 3 OTD + 6 OTD - 6 IRD - 6 OTD - 6 OTD - (Switch) 1 IRD + IRD - AC Power Adapter Specifications Use only power supplies listed in the user instructions. Phihong, Model PSA21R-180 Note: Not to remove the plug and plug into a wall outlet by itself; always attach the plug to the power supply first before insert into the wall. Leader, Model MU18-2180100-XX (XX can be A1, A2, A3, B2 or C5 for the different plugs used) Nortel Business Secure Router 222 Configuration — Advanced 260 Appendix F Hardware specifications NN47922-501 261 Appendix G IP subnetting IP addressing Routers route based on the network number. The router that delivers the data packet to the correct destination host uses the host ID. IP classes An IP address is made up of four octets (eight bits), written in dotted decimal notation, for example, 192.168.1.1. IP addresses are categorized into different classes. The class of an address depends on the value of its first octet. • • • • Class A addresses have a 0 in the left-most bit. In a class A address, the first octet is the network number and the remaining three octets make up the host ID. Class B addresses have a 1 in the left-most bit and a 0 in the next left most bit. In a class B address, the first two octets make up the network number and the two remaining octets make up the host ID. Class C addresses begin (starting from the left) with 1 1 0. In a class C address, the first three octets make up the network number and the last octet is the host ID. Class D addresses begin with 1 1 1 0. Class D addresses are used for multicasting. (There is also a class “E” address, which is reserved for future use.) Nortel Business Secure Router 222 Configuration — Advanced 262 Appendix G IP subnetting Table 56 Classes of IP addresses IP Address: Octet 1 Octet 2 Octet 3 Octet 4 Class A 0 Network number Host ID Host ID Host ID Class B 10 Network number Network number Host ID Host ID Class C 110 Network number Network number Network number Host ID Note: Host IDs of all zeros or all ones are not allowed. Therefore: A class C network (8 host bits) can have 28 –2 or 254 hosts. A class B address (16 host bits) can have 216 –2 or 65 534 hosts. A class A address (24 host bits) can have 224 –2 hosts (approximately 16 million hosts). Since the first octet of a class A IP address must contain a 0, the first octet of a class A address can have a value of 0 to 127. Similarly the first octet of a class B must begin with 10, therefore the first octet of a class B address has a valid range of 128 to 191. The first octet of a class C address begins with 110, and therefore has a range of 192 to 223. Table 57 Allowed IP address range By class Class Allowed Range of First Octet (Binary) Allowed Range of First Octet (decimal) Class A 00000000 to 01111111 0 to 127 Class B 10000000 to 10111111 128 to 191 Class C 11000000 to 11011111 192 to 223 Class D 11100000 to 11101111 224 to 239 NN47922-501 Appendix G IP subnetting 263 Subnet masks A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation). A subnet mask contains 32 bits. If there is a 1 in the bit, then the corresponding bit of the IP address is part of the network number. If a bit in the subnet mask is 0 then the corresponding bit in the IP address is part of the host ID. Subnet masks are expressed in dotted decimal notation just as IP addresses are. The natural masks for class A, B, and C IP addresses are as follows. Table 58 Natural Masks Class Natural mask A 255.0.0.0 B 255.255.0.0 C 255.255.255.0 Subnetting With subnetting, the class arrangement of an IP address is ignored. For example, a class C address no longer has to have 24 bits of network number and 8 bits of host ID. With subnetting, some of the host ID bits are converted into network number bits. By convention, subnet masks always consist of a continuous sequence of ones beginning from the left most bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits. Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32-bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a / followed by the number of bits in the mask after the address. For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with mask 255.255.255.128. Nortel Business Secure Router 222 Configuration — Advanced 264 Appendix G IP subnetting Table 59 shows all possible subnet masks for a class C address using both notations. Table 59 Alternative Subnet Mask Notation Subnet mask IP address Subnet mask 1 Bits Last octet bit value 255.255.255.0 /24 0000 0000 255.255.255.128 /25 1000 0000 255.255.255.192 /26 1100 0000 255.255.255.224 /27 1110 0000 255.255.255.240 /28 1111 0000 255.255.255.248 /29 1111 1000 255.255.255.252 /30 1111 1100 The first mask shown is the class C natural mask. Normally, if no mask is specified, it is understood that the natural mask is being used. Example: two subnets As an example, you have a class C address 192.168.1.0 with subnet mask of 255.255.255.0. Network number Host ID IP Address 192.168.1. 0 IP Address (Binary) 11000000.10101000.00000001. 00000000 Subnet Mask 255.255.255. 0 Subnet Mask (Binary) 11111111.11111111.11111111. 00000000 The first three octets of the address make up the network number (class C). You want to have two separate networks. NN47922-501 Appendix G IP subnetting 265 Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit. The borrowed host ID bit can be either 0 or 1, thus giving two subnets; 192.168.1.0 with mask 255.255.255.128 and 192.168.1.128 with mask 255.255.255.128. Note: In the following charts, shaded or bolded last-octet bit values indicate host ID bits borrowed to form network ID bits. The number of borrowed host ID bits determines the number of subnets you can have. The remaining number of host ID bits (after borrowing) determines the number of hosts you can have on each subnet. Table 60 Subnet 1 Network number Last Octet bit value IP Address 192.168.1. 0 IP Address (Binary) 11000000.10101000.00000001. 00000000 Subnet Mask 255.255.255. 128 Subnet Mask (Binary) 11111111.11111111.11111111. 10000000 Subnet Address: 192.168.1.0 Lowest Host ID: 192.168.1.1 Broadcast Address: 192.168.1.127 Highest Host ID: 192.168.1.126 Table 61 Subnet 2 Network number Last octet bit value IP Address 192.168.1. 128 IP Address (Binary) 11000000.10101000.00000001. 10000000 Subnet Mask 255.255.255. 128 Subnet Mask (Binary) 11111111.11111111.11111111. 10000000 Subnet Address: 192.168.1.128 Lowest Host ID: 192.168.1.129 Broadcast Address: 192.168.1.255 Highest Host ID: 192.168.1.254 The remaining 7 bits determine the number of hosts each subnet can have. Host IDs of all zeros represent the subnet itself and host IDs of all ones are the broadcast address for that subnet, so the actual number of hosts available on each subnet in the example above is 27 – 2 or 126 hosts for each subnet. Nortel Business Secure Router 222 Configuration — Advanced 266 Appendix G IP subnetting 192.168.1.0 with mask 255.255.255.128 is the subnet itself, and 192.168.1.127 with mask 255.255.255.128 is the directed broadcast address for the first subnet. Therefore, the lowest IP address that can be assigned to an actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254. Example: four subnets The above example illustrated using a 25-bit subnet mask to divide a class C address space into two subnets. Similarly to divide a class C address into four subnets, you need to borrow two host ID bits to give four possible combinations of 00, 01, 10 and 11. The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192. Each subnet contains 6 host ID bits, giving 26-2 or 62 hosts for each subnet (all 0s is the subnet itself, all 1s is the broadcast address on the subnet). Table 62 Subnet 1 Network number Last octet bit value IP Address 192.168.1. 0 IP Address (Binary) 11000000.10101000.00000001. 00000000 Subnet Mask (Binary) 11111111.11111111.11111111. 11000000 Subnet Address: 192.168.1.0 Lowest Host ID: 192.168.1.1 Broadcast Address: 192.168.1.63 Highest Host ID: 192.168.1.62 Table 63 Subnet 2 Network number Last octet bit value IP Address 192.168.1. 64 IP Address (Binary) 11000000.10101000.00000001. 01000000 Subnet Mask (Binary) 11111111.11111111.11111111. 11000000 Subnet Address: 192.168.1.64 Lowest Host ID: 192.168.1.65 Broadcast Address: 192.168.1.127 Highest Host ID: 192.168.1.126 NN47922-501 Appendix G IP subnetting 267 Table 64 Subnet 3 Network number Last Octet Bit Value IP Address 192.168.1. 128 IP Address (Binary) 11000000.10101000.00000001. 10000000 Subnet Mask (Binary) 11111111.11111111.11111111. 11000000 Subnet Address: 192.168.1.128 Lowest Host ID: 192.168.1.129 Broadcast Address: 192.168.1.191 Highest Host ID: 192.168.1.190 Table 65 Subnet 4 Network number Last Octet Bit Value IP Address 192.168.1. 192 IP Address (Binary) 11000000.10101000.00000001. 11000000 Subnet Mask (Binary) 11111111.11111111.11111111. 11000000 Subnet Address: 192.168.1.192 Lowest Host ID: 192.168.1.193 Broadcast Address: 192.168.1.255 Highest Host ID: 192.168.1.254 Example: eight subnets Similarly, use a 27-bit mask to create 8 subnets (001, 010, 011, 100, 101, 110). Table 66 shows class C IP address last-octet values for each subnet. Table 66 Eight subnets Subnet Subnet Address First Address Last Address Broadcast Address 1 0 1 30 31 2 32 33 62 63 3 64 65 94 95 4 96 97 126 127 5 128 129 158 159 6 160 161 190 191 Nortel Business Secure Router 222 Configuration — Advanced 268 Appendix G IP subnetting Table 66 Eight subnets Subnet Subnet Address First Address Last Address Broadcast Address 7 192 193 222 223 8 224 225 254 255 Table 67 is a summary for class C subnet planning. Table 67 Class C subnet planning No. Borrowed Host Bits Subnet Mask No. Subnets No. Hosts per Subnet 1 255.255.255.128 (/25) 2 126 2 255.255.255.192 (/26) 4 62 3 255.255.255.224 (/27) 8 30 4 255.255.255.240 (/28) 16 14 5 255.255.255.248 (/29) 32 6 6 255.255.255.252 (/30) 64 2 7 255.255.255.254 (/31) 128 1 Subnetting with Class A and Class B networks. For class A and class B addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID. A class B address has two host ID octets available for subnetting and a class A address has three host ID octets (see Table 56) available for subnetting. Table 68 is a summary for class B subnet planning. Table 68 Class B subnet planning No. “Borrowed” Host Bits Subnet Mask No. Subnets No. Hosts per Subnet 1 255.255.128.0 (/17) 2 32 766 2 255.255.192.0 (/18) 4 16 382 3 255.255.224.0 (/19) 8 8 190 4 255.255.240.0 (/20) 16 4 094 NN47922-501 Appendix G IP subnetting 269 Table 68 Class B subnet planning No. “Borrowed” Host Bits Subnet Mask No. Subnets No. Hosts per Subnet 5 255.255.248.0 (/21) 32 2 046 6 255.255.252.0 (/22) 64 1 022 7 255.255.254.0 (/23) 128 510 8 255.255.255.0 (/24) 256 254 9 255.255.255.128 (/25) 512 126 10 255.255.255.192 (/26) 1 024 62 11 255.255.255.224 (/27) 2 048 30 12 255.255.255.240 (/28) 4 096 14 13 255.255.255.248 (/29) 8 192 6 14 255.255.255.252 (/30) 16 384 2 15 255.255.255.254 (/31) 32 768 1 Nortel Business Secure Router 222 Configuration — Advanced 270 Appendix G IP subnetting NN47922-501 271 Appendix H Command Interpreter The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 Command Interpreter Mode. See the included disk or www.nortel.com for more detailed information on these commands. Note: Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable. Command Syntax • • • • • The command keywords are in Courier New font. Enter the command keywords exactly as shown. Do not abbreviate. The required fields in a command are enclosed in angle brackets <>. The optional fields in a command are enclosed in square brackets []. The |symbol means or. For example, sys filter netbios config <type> <on|off> means that you must specify the type of netbios filter and whether to turn it on or off. Command usage A list of valid commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when you are finished. Nortel Business Secure Router 222 Configuration — Advanced 272 Appendix H Command Interpreter Sys commands Table 69 lists and describes the system commands. Each of these commands must be preceded by sys. For example, type sys stdio 60 to set the management session inactivity timeout to 60 minutes. Table 69 Sys commands Command Description atsh Displays the MRD field. callhist Displays the call history. display remove <index> Removes an entry from the call history. name [name] Sets or displays the client logon name. password [password] Sets or displays the client logon password. [countrycode] Sets or displays the country code. date [year month date] Sets or displays the system’s current date. time [hour [min [sec]]] Sets or displays the system time. period [day] Sets how often the Business Secure Router gets the date and time from the time server. client countrycode datetime Gets the date and time from the time server. sync Displays the domain name that the device sends to the LAN DHCP clients. domainname edit <filename> Maintains extra phone numbers for outgoing (dial backup) calls. extraphnum add <set 1-3> <1st phone num> [2nd phone num] node Adds extra phone numbers. Displays the extra phone numbers. display NN47922-501 Edits the system preset text files such as autoexec.net. <num> Sets all extra phone numbers to remote node <num>. Appendix H Command Interpreter 273 Table 69 Sys commands Command Description remove <set 1-3> Removes extra phone numbers. Resets node and mask. reset feature Displays a list of the device’s major features. firmware Displays the ISDN firmware type. firewall See “Sys firewall commands” on page 297 for information about the system firewall commands. hostname [hostname] Sets or displays the system name. 8021x Records logs for IEEE 802.1X. access [0:none/1:log/ 2:alert/3:both] Records, sends alerts, or both for access control logs. attack [0:none/1:log/ 2:alert/3:both] Records, sends alerts, or both for firewall attack logs. cdr [0:none/1:log] Records Call Detail Record logs. display Displays the category settings. error [0:none/1:log/ 2:alert/3:both] Records, sends alerts, or both for system error logs. icmp [0:none/1:log] Records ICMP logs. ike [0:none/1:log/2:alert/ 3:both] Records, sends alerts or both for access control logs. ipsec [0:none/1:log/ 2:alert/3:both] Records the access control logs javablocked [0:none/1:log] Records the java blocked logs. mten [0:none/1:log] Records the system maintenance logs. packetfilter [0:none/ 1:log] Records the packet filter logs. ppp [0:none/1:log] Records the PPP logs. remote [0:none/1:log] Records the remote management logs. tcpreset [0:none/1:log] Records the TCP reset logs. upnp [0:none/1:log] Records the UPnP logs. logs category Nortel Business Secure Router 222 Configuration — Advanced 274 Appendix H Command Interpreter Table 69 Sys commands Command Description urlblocked [0:none/1:log/ 2:alert/3:both] Records and/or sends alerts for web access blocked logs. urlforward [0:none/1:log] Records web access forward logs. Clears the log. clear display [access|attack|error|ike|i psec|javablocked|mten|pack etfilter|pki| tcpreset|tls|upnp|urlblock ed|urlforward] Displays all logs or specifies a category of logs. clear Clears the error log. disp Displays the error log. online Turns the error log online display on or off. errlog Loads the log settings buffer. Use this command before you configure the log settings. Use sys logs save after you configure the log settings. load mail alertAddr [mail address] Sends alerts to this e-mail address. clearLog [0:no/1:yes] Enables the switch to clear the log after sending logs via e-mail. display Displays the logs and alerts mail settings. logAddr [mail address] Sends logs to this e-mail address. schedule display Displays the mail schedule. schedule hour [0-23] Sets the hour to send logs. schedule minute [0-59] Sets the minute to send the logs. schedule policy [0:full/ 1:hourly/2:daily/3:weekly/ 4:none] Sets the mail schedule policy. schedule week [0:sun/1:mon/ Sets the day of the week to send 2:tue/3:wed/4:thu/5:fri/ weekly logs. 6:sat] server [domainName/IP] NN47922-501 Sets the domain name or IP address of the mail server to which the logs are sent. Appendix H Command Interpreter 275 Table 69 Sys commands Command Description subject [mail subject] Sets the log e-mail’s subject. auth Enables or disables SMTP authentication. user Sets the SMTP authentication username. passwd Sets the SMTP authentication password. Saves the log settings from the buffer. save syslog active [0:no/1:yes] Enables or disables syslog logging. display Displays the syslog settings. facility [Local ID(1-7)] Specifies the file to which the device logs the syslog messages. server [domainName/IP] Specifies the IP address of the syslog server the syslogs are sent. switch <0:on|1:off> Turns log consolidation on or off. period Sets the consolidation period (in seconds). msglist Displays the consolidated messages. <minute> Sets how often to resolve the mail and syslog server domain name to an IP address. bmlog <0:no|1:yes> Turns the broadcast or multicast log on or off. display Displays switch settings. trilog <0:no|1:yes> Turns triangle route logging on or off. [0:cold boot/1: immediate reboot/2: bootModule debug mode] Restarts the device. load <entry no.> Loads remote node information. disp <entry no.>(0:working buffer) Displays remote node information. consolidate updateSvrIP switch reboot rn Nortel Business Secure Router 222 Configuration — Advanced 276 Appendix H Command Interpreter Table 69 Sys commands Command Description nat <none|sua|full_feature> Configures remote node NAT. nailup <no|yes> Configures a remote node connection to be nailed up (always on). mtu <value> Sets the remote node Maximum Transmission Unit. Blocks access to a remote node. accessblock save stdio [entry no.] Saves remote node information. [minute] Sets or displays the management terminal idle timeout value. tos display Shows all runtime Temporarily Open Sessions. debug Turns TOS debug message on or off. listPerHost Displays all hosts session counts. sessPerHost Sets the session per host limit. timeout NN47922-501 display Displays all TOS (Temporarily Open Session) timeout information. icmp Sets the ICMP session idle timeout value. igmp Sets the IGMP session idle timeout value. tcpsyn Sets the SYN TCP session idle timeout value. tcp Sets the TCP session idle timeout value. tcpfin Sets the TCP FIN session idle timeout value. udp Sets the UDP-session idle-timeout value. gre Sets the GRE-session idle-timeout value. esp Sets the ESP-session idle-timeout value. ah Sets the AH-session idle-timeout value. Appendix H Command Interpreter 277 Table 69 Sys commands Command Description others Sets the idle-timeout value for other sessions. parse, brief, disp Sets the level of detail that should be displayed. “parse” displays the most detail and “disp” displays the least. switch [on|off] Enables or disables the system trace log or displays the current setting. online [on|off] Enables or disables the trace log onscreen display (for example, in the Telnet management window). level [level] Sets the level (1-10) of trace logs (1 shows the least) to display. type <bitmap> Uses hexadecimal characters to set the type of trace logs to record. trcdisp trclog disp Shows the trace log. clear Erases the trace log. call Shows call events. encapmask [mask] Shows which type of encapsulation the trace log records, or sets the encapsulation if you specify the encapsulation’s hexadecimal character. Uses trace packets to capture parts of packets in order to see the packet flow from one interface to another. trcpacket create <entry> <size> Removes the packet trace buffer. destroy channel Creates a packet trace buffer. <name> [none|incoming| outgoing|bothway] Sets the packet trace direction for a given channel. string [on|off] Enables or disables the sending of a log to the trace packet buffer when configuration changes are made or displays the current setting if neither on/off is specified. switch [on|off] Enables or disables packet trace or displays the current setting if neither on nor off is specified. disp Displays the trace packets. Nortel Business Secure Router 222 Configuration — Advanced 278 Appendix H Command Interpreter Table 69 Sys commands Command Description Sends the trace packets to another system using UDP. udp udp switch [on|off] Enables or disables the sending of the trace packets to another system using UDP or displays the current setting. udp addr <addr> Sets the target IP address for sending trace packets using UDP. udp port <port> Sets the UDP port (should match that of the target IP address) for sending trace packets using UDP. parse [[start_idx], end_idx] Displays detailed packet details of the packet range specified. Displays a brief listing of packet contents. brief Displays the RAS code and driver versions. version <filename> Displays the specified text file. switch [on|off] Turns the watchdog firmware protection feature on or off. cnt [value] Sets (0-34 463) or displays the current watchdog count (in 1.6 sec units). view wdog Restores the factory default configuration file. romreset Use these commands to configure remote server management. server NN47922-501 access <telnet|ftp|web|icmp|snmp| dns> <value> Sets the server access type. load Loads server information. disp Displays server information. port <telnet|ftp|web|snmp> <port> Sets the server port. save Saves server information. secureip <telnet|ftp| web|icmp|snmp|dns> <ip> Sets server secure IP address. Appendix H Command Interpreter 279 Table 69 Sys commands Command Description [minute] Sets or displays the password error blocking timeout value. active [0:no/1:yes] Activates or deactivates the saved UPnP settings. config [0:deny/1:permit] Allows users to make configuration changes through UPnP. pwderrtm upnp Displays UPnP information display firewall [0:deny/1:pass] Saves UPnP information. load reserve Allows UPnP to pass through the firewall. [0:deny/1:permit] Saves UPnP information. save Displays the system socket’s ID #, type, control block address (PCB), IP address and port number of peer device connected to the socket (Remote Socket) and task control block (Owner). socket filter netbios disp Displays the current NetBIOS filter modes. config <0:Between LAN and Sets NetBIOS filters. WAN/ 3: IPSec Pass through/ 4: Trigger Dial> <on|off> roadrunner debug <level> Enables or disables Road Runner service. 0: disable (default)1: enable display <iface name> Displays Road Runner information iface-name: enif0, wanif0 restart <iface name> Restarts Road Runner. debug <level> Enables or disables DDNS service. display <iface name> Displays DDNS information. ddns Nortel Business Secure Router 222 Configuration — Advanced 280 Appendix H Command Interpreter Table 69 Sys commands Command Description restart Restarts DDNS. logout This command has no effect. display Displays the CPU utilization. cpu Exit Command Table 70 Exit Command Command Description exit Ends the command interpreter session. Ethernet Commands Table 71 lists and describes the Ethernet commands. Each of these commands must be preceded by ether. For example, type ether config to display information on the LAN configuration. Table 71 Ether Commands Command Description config Displays LAN configuration information. driver cnt status disp <name> Displays the Ethernet driver counters. <ch_name> Shows the LAN status. Displays the Ethernet device type. version edit load mtu NN47922-501 <1:LAN> <value> Loads Ethernet (1:LAN) data from the System Parameters Table. Sets the Ethernet data Maximum Transmission Unit. Appendix H Command Interpreter 281 Table 71 Ether Commands Command Description accessblock <0:disable 1:enable> Blocks Internet access. speed <auto|10/half|10/ full|100/half|100/ full> Sets the Ethernet data speed and duplex. save Saves Ethernet data to the System Parameters Table. dump Displays the relationship between physical port and channel. dynamic Port set <port> <type> Sets physical port to a specific channel. Displays channel setting stored in SPT. spt IP commands Table 72 lists and describes the IP commands. Each of these commands must be preceded by ip. For example, type ip address to display the host IP address. Table 72 IP commands Command Description address [addr] Displays the host IP address. alias <iface> Sets an alias for the specified interface. aliasdis <0|1> Disables or enables the alias for the specified interface. status <iface> Displays an interface’s IP Address Resolution Protocol status. attpret <on|off> Allows or disallows the device to receive ARP from a different network or not. force <on|off> Enables or disables the ARP timeout function. arp dhcp <iface> client release Releases the DHCP client IP address. Nortel Business Secure Router 222 Configuration — Advanced 282 Appendix H Command Interpreter Table 72 IP commands Command Description renew Renews the DHCP client IP address. status [option] Displays the DHCP status. query address <ip address> Displays the domain name of an IP address. name <host name> Displays the IP address of a domain name. dns Configures the system DNS server settings. system lan httpd display Shows the system DNS server settings. edit <0: first|1: second|2: third> <0:from ISP|1:usr-def|2:n one> [IP addr ess if choosing 1] Configures the system DNS server settings. edit <0: first|1: second|2: third> <0:from ISP|1:usr-def|2:D NS Relay|3: n one> [IP address if choosing 1] Configures the LAN DNS server settings. display Shows the LAN DNS server settings. debug [on|off] Enables or disables the HTTP debug flag. This command currently does not work. icmp Displays the ICMP statistics counter. status <iface> [on|off] Sets the ICMP router discovery flag. ifconfig [iface] [ipaddr] [broadcast <addr> |mtu <value>|dynamic] Configures a network interface. ping <hostid> Pings a remote host. [if] Displays the routing table. discovery route status NN47922-501 Appendix H Command Interpreter 283 Table 72 IP commands Command Description add <dest_addr|defaul t>[/<bits>] <gateway> [<metric>] Adds a route. addiface <dest_addr|defaul t>[/<bits>] <gateway> [<metric>] Adds an entry to the routing table for the specified interface. addprivate <dest_addr|defaul t>[/<bits>] <gateway> [<metric>] Adds a private route. drop <host addr> [/ <bits>] Drops a route. Displays IP statistic counters. status udp Displays the UDP status. status These are the Routing Information Protocol commands. rip accept <gateway> Drops an entry from the RIP refuse list. Enables RIP. activate merge [on|off] Sets the RIP merge flag. refuse <gateway> Adds an entry to the RIP refuse list. request <addr> [port] Sends a RIP request to the specified address and port. reverse [on|off] RIP Poisoned Reverse. status Displays RIP statistic counters. trace Enables the RIP debug trace. mode dialin_user tcp status <iface> in [mode] Sets the Business Secure Router to use the RIP information it receives. <iface> out [mode] Sets the Business Secure Router to broadcast its routing table. [show|in|out|both |none] Shows the dial-in user RIP direction. Displays the TCP statistic counters. Nortel Business Secure Router 222 Configuration — Advanced 284 Appendix H Command Interpreter Table 72 IP commands Command Description telnet <host> [port] Creates a Telnet connection to the specified host. tftp support Displays whether or not TFTP is supported. stats Displays the TFTP statistics. <host> [ttl] [wait] [queries] Sends ICMP packets to trace the route of a remote host. join <iface1> [<iface2>] Add iface2 to the iface1’s group. break <iface> Remove the specified interface from the ipxparent group. enable [0:no/1:yes] Enables or disables content filtering. display Displays content filtering exempt zone information. actionFlags [type(1-3)][enabl e/disable] Enables or disables content filtering exempt zone action flags that determine to which IP addresses content filtering applies. add [ip1] [ip2] Sets a range of IP addresses to be in the exempt zone. delete [ip1] [ip2] Removes a range of IP addresses from the exempt zone. reset Returns the exempt zone settings to the previous configuration. traceroute xparent urlfilter exemptZone Uses the customize commands to configure content filtering for trusted Web sites, forbidden Web sites and keyword blocking. customize NN47922-501 display Displays the content filtering customize action flags. actionFlags [act(1-7)] [enable/disable] Sets the content filtering customize action flags. logFlags [type(1-3)][enabl e/disable] Sets the content filtering customize log flags. Appendix H Command Interpreter 285 Table 72 IP commands Command Description add [string] [trust/untrust/ keyword] Adds a trusted Web site, forbidden Web site or keyword blocking string. delete [string] [trust/untrust/ keyword] Deletes a trusted Web site, forbidden Web site or keyword blocking string. reset Returns to the default configuration. failcount <count> Sets the number of times that the device can ping the target without a response before forwarding traffic to the backup gateway. partner <ipaddr> Sets the traffic redirect backup gateway IP address. target <ipaddr> Sets the IP address that the device uses to test WAN accessibility. timeout <timeout> Sets the number of seconds the device waits for a response from the target. checktime <period> Sets the number of seconds the device waits between attempts to connect to the target. active <on|off> Enables or disables traffic redirect. tredir save Saves traffic redirect configuration. disp Displays the traffic redirect configuration. debug <value> Sets the traffic redirect debug value. active [1:yes|0:no] Enables or disables the reports. rpt start Starts recording reports data. stop Stops recording reports data. url Records the most visited Web sites. ip Records the LAN IP addresses that sent and received the most traffic. srv Records the most heavily used protocols or service ports. stroute display [rule # | buf] Displays the list of static routes or detailed information on a specified rule. Nortel Business Secure Router 222 Configuration — Advanced 286 Appendix H Command Interpreter Table 72 IP commands Command Description load <rule #> Loads the specified static route rule into the buffer. Saves a rule from the buffer to the System Parameters Table. save config name <site name> Sets the name for a static route. destination <dest addr>[/<bits>] <gateway> [<metric>] Sets a static route’s destination IP address and gateway. mask <IP subnet mask> Sets a static route’s subnet mask. gateway <IP address> Sets a static route’s gateway IP address. metric <metric #> Sets a static route’s metric number. private <yes|no> Turns private mode on or off. active <yes|no> Enables or disables a static route rule. [0|1] Sets whether or not the device allows ICMP fragment packets. debug [level] Sets IGMP debug level. forwardall [on|off] Activates or deactivates IGMP forwarding to all interfaces flag. querier [on|off] Turns on or off IGMP stop query flag. <iface> grouptm <timeout> Sets IGMP group timeout for the specified interface. <iface> interval <interval> Sets IGMP query interval for the specified interface. <iface> join <group> Adds an interface to a group. <iface> leave <group> Removes an interface from a group. <iface> query Sends an IGMP query on the specified interface. dropIcmp igmp iface NN47922-501 Appendix H Command Interpreter 287 Table 72 IP commands Command Description robustness <iface> rsptime [time] Sets the IGMP response time. <iface> start Turns on IGMP on the specified interface. <iface> stop Turns off IGMP on the specified interface. <iface> ttl <threshold> Sets the IGMP Time To Live threshold. <iface> v1compat [on|off] Turns on or off IGMP version 1 compatibility on the specified interface. <num> Sets the IGMP robustness variable. status Displays the IGMP status. display Shows whether the Application Layer Gateway is enabled or disabled. alg siptimeout <timeout in second> or 0 for no timeout Sets the SIP timeout period. enable <ALG_FTP|ALG_H323 |ALG_SIP> Turns on the ALG. disable <ALG_FTP|ALG_H323 |ALG_SIP> Turns off the ALG. Nortel Business Secure Router 222 Configuration — Advanced 288 Appendix H Command Interpreter IPSec commands Table 73 lists and describes the IP Sec commands. Each of these commands must be preceded by ipsec. For example, type ipsec display 3 to display the third IPSec rule, if you have it configured. Table 73 IPSec commands Command debug switch Description type <0:Disable | 1:Original on|off | 2:IKE on|off | 3: IPSec [SPI]|on|off | 4:XAUTHon|off | 5:CERT on|off | 6: All> Turns the trace for IPsec debug information on or off. level <0:None | 1:User | 2:Low | 3:High> Sets the debug level. The higher the number, the more detailed. display Shows debugging information, including type and level. <on|off> As long as there is one active IPSec rule, all packets go into the IPSec process to check against the SPD. When this switch is turned on, packets are not be put through the IPSec process, even if there are active IPSec rules. timer NN47922-501 chk_conn. <0~255> Sets the idle timeout for IPSec connections. The system disconnects an IPSec connection with no traffic for the timeout period. The interval is in minutes (2 default) and 0 means the connection never times out. dpdTime <minutes> Sets the idle timeout for IPSec connections where the Business Secure Router is waiting for a response from the peer. update_peer <0~255> Sets the autotimer for updating IPSec rules that use a domain name as the secure gateway IP address. The interval is in minutes (30 default) and 0 means it never updates. Appendix H Command Interpreter 289 Table 73 IPSec commands Command Description chk_input show_runtime <0~255> Adjusts autotimer to check if any inbound IPsec traffic has passed during the specified period. If not, the Business Secure Router disconnects the tunnel. sa Displays runtime phase 1 and phase 2 SA information. spd When a dynamic rule accepts a request and a tunnel is established, a runtime SPD is created according to the peer’s local IP address. This command displays these runtime SPDs. Forces the system to immediately update IPSec rules that use a domain name as the secure gateway IP address. updatePeerIp display <rule index> Displays the specified IPSec rule. policyDisplay <rule index> Displays the specified IPSec rule’s IP policies. dial <rule index> <policy index> Triggers the specified phase two connection. route lan <on|off> After IPSec processes a packet and sends it to the LAN side, this switch controls whether or not IPSec can be applied to the packet again. wan <on|off> After IPSec processes a packet and sends it to the WAN side, this switch controls whether or not IPSec can be applied to the packet again. load Edit an IPSec branch office rule with the specified rule number. <rule index> save Saves the IPSec branch office rule. config Uses these commands to configure the IPSec rule. name <name> Sets the name of the rule. active <Yes|No> Turns the rule on or off. negotiationMode <0:Main | 1:Aggressive> Sets the negotiation mode. natTraversal <Yes|No> Turns NAT traversal on or off. p1MultiPro <Yes|No> Turns phase 1 multiple proposal on or off. Nortel Business Secure Router 222 Configuration — Advanced 290 Appendix H Command Interpreter Table 73 IPSec commands Command NN47922-501 Description lcIdType <0:IP | 1:DNS | 2:Email> Sets the local ID type. lcIdContent <content> Sets the local ID content. myIpAddr <IP address> Sets the My IP Address. peerIdType <0:IP | 1:DNS | 2:Email> Sets the peer ID type. peerIdContent <content> Sets the peer ID content. secureGwAddr <IP address | Domain name> Sets the secure gateway address. authMethod <0:PreSharedKey |1: RSASignature> Sets the authentication method. certificate <certificate name> Specifies the certificate to use for authentication. preShareKey <ASCII | 0xHEX> Types 8 to 32 case-sensitive ASCII characters or 16 to 62 hexadecimal (0-9, A-F) characters (preceded by 0x (zero x), which is not counted as part of the 16 to 62 characters). p1EncryAlgo <0:DES | 1:3DES | 2:AES> Sets the phase 1 encryption algorithm. p1AuthAlgo <0:MD5 | 1:SHA1> Sets the phase 1 authentication algorithm. p1SaLifeTime <seconds> Sets the phase 1 SA lifetime. keyGroup <0:DH1 | 1:DH2> Sets the key group for phase 1 IKE setup. nailUp <Yes|No> Turns nailed up feature on or off. activeProtocol <0:AH | 1:ESP> Sets the protocol. p2MultiPro <Yes|No> Turns phase 2 multiple proposal on or off. p2EncryAlgo <0:Null | 1:DES | 2:3DES | 3:AES> Sets the phase 2 encryption algorithm. p2EncryKeyLen <0:128 | 1:192 | 2:256> Sets the phase 2 encryption key length (with AES encryption). p2AuthAlgo <0:MD5 | 1:SHA1> Sets the phase 2 authentication algorithm. p2SaLifeTime <seconds> Sets the phase 2 SA lifetime. Appendix H Command Interpreter 291 Table 73 IPSec commands Command ikeList Description encap <0:Tunnel | 1:Transport> Sets the encapsulation mode. pfs <0:None | 1:DH1 | 2:DH2> Sets Perfect Forward Secrecy. antiReplay <Yes | No> Turns replay detection on or off. connType <0:Branch Office | 1:Contivity Client> Specifies whether the rule is for a branch office or Contivity Client VPN connection. authOptions <0:Username Password | 1:Group ID & Password Sets the Business Secure Router to either send just the username and password to the remote Contivity VPN switch, or a group ID and password as well. onDemand <on | off> Sets whether or not outgoing packets can automatically trigger a VPN connection to the remote Contivity VPN switch. ODService [netbios] [ntp] [none]... Sets which specific services can automatically trigger a VPN connection to the remote Contivity VPN switch. groupID <group ID> Sets the Contivity Client tunnel’s user’s group ID. groupPasswd <group password> Sets the Contivity Client tunnel’s user’s group password. username <name> Sets the Contivity Client tunnel’s user’s username. password <password> Sets the Contivity Client tunnel’s user’s password. exUseMode [enable|disable ] Turns the exclusive use mode for the Contivity Client tunnel on or off. exUseMac [MAC address] Specifies which MAC address is allowed to use the Contivity Client tunnel with exclusive use mode. clientFailOver <IP address> <IP address> <IP address> Sets the Contivity Client fail over IP addresses (of back up remote Contivity VPN switches). keepAlive <Yes|No> Turns the Keep Alive feature on or off. Displays a summary of the IKE (phase 1) rules. Nortel Business Secure Router 222 Configuration — Advanced 292 Appendix H Command Interpreter Table 73 IPSec commands Command Description ikeDelete <rule index> Deletes the specified IPSec rule. policyEdit <rule index> Edits the specified IP policy. policySave Saves the IP policy. ipsecList Displays a summary of the IPSec (phase 2) rules. policyList Displays the IP policies. policyDelete Deletes the specified IP policy. <rule index> Uses these commands to configure an IP policy for an IPSec office tunnel rule. policyConfig NN47922-501 saIndex <rule index> Binds the IP policy to an IPSec rule. active <Yes|No> Turns the IP policy on or off. lcAddrStart <IP> Sets the local starting IP address. protocol <1:ICMP | 6:TCP | 17:UDP> Sets the IP policy’s protocol. controlPing <Yes|No> Turns control ping on or off. controlPingAddr <IP> Sets the control ping IP address. lcAddrType <0:single | 1:range | 2:subnet> Sets the local address type. lcAddrEndMask <IP> Sets the local ending IP address or subnet mask. lcPortStart <port> Sets the local starting port number. lcPortEnd <port> Sets the local ending port number. rmAddrType <0:single | 1:range | 2:subnet> Sets the remote address type. rmAddrStart <IP> Sets the remote starting IP address. rmAddrEndMask <IP> Sets the remote ending IP address or subnet mask. rmPortStart <port> Sets the remote starting port number. rmPortEnd <port> Sets the remote ending port number. btNatActive <Yes | No> Turns branch tunnel NAT address mapping on or off. Appendix H Command Interpreter 293 Table 73 IPSec commands Command Description btNatType <0:single | 1:range | 2:all> Sets the type of NAT address mapping. btNatAddrStart <IP address> Sets the branch tunnel NAT starting IP address. btNatArEnd <IP address> Sets the branch tunnel NAT ending IP address or subnet mask. swSkipOverlapIP <on|off> Turn this option on to have the device allow rules with overlapping source and destination IP addresses. adjTcpMss <off|auto|user defined value> Sets the adjust TCP Maximum Segment Size. contivityDial Initiates the Contivity Client VPN connection. contivityDrop Ends the Contivity Client VPN connection. contivityState Displays information about the Contivity Client VPN connection. contivitySplit contivityTimecnt Sets the Contivity Client keep-alive interval (in seconds). <0~65535> Uses the exemptHost commands to configure specific IP addresses that are not to be part of a VPN tunnel. exemptHost display Displays the exempt host settings. load <index> Loads an exempt host. active <Yes|No> Enables or disables an exempt host. sourceStart Sets the exempt host’s source start IP address. sourceEnd Sets the exempt host’s source end IP address. destStart <IP address> Sets the exempt host’s destination start IP address. destEnd <IP address> Sets the exempt host’s destination end IP address. save btNatList Saves an exempt host. Displays the branch tunnel NAT entries. Nortel Business Secure Router 222 Configuration — Advanced 294 Appendix H Command Interpreter Table 73 IPSec commands Command Description clientTerm Loads client termination configuration from ROM to working buffer, you must execute this command before configuring client termination. load active <yes | no> Enables or disables client termination. display [user | cfg] Displays configuration and/or remote user logon status of client termination, unless a parameter is specified, displays all. Saves any client termination configuration changes to ROM. save local <on | off> Enables or disables Local User Database authentication method. local psk <on | off> Enables or disables the Pre-Shared Key authentication method for the Local User Database. radius <on | off> Enables or disables the RADIUS Server authentication method. radius groupId Configures Group ID fields for RADIUS Server authentication method. radius groupPwd Configures Group Password fields for RADIUS Server authentication method. radius psk <on | off> Enables or disables Pre-Shared Key authentication type for RADIUS Server. encr <128AES_SHA1 | 3DES_SHA1 | 3DES_MD5 | DES_SHA1 | DES_MD5 | AH_SHA1 | AH_MD5> <on | off> Enables or disables the specified encryption algorithm. DHG <DES_DH1 | 3DES_DH2 | 128AES_DH5 > <on | off> Enables or disables the specified Diffie-Hellman encryption level. aci static <on | off> Enables or disables the Use Static Address option. auth NN47922-501 Appendix H Command Interpreter 295 Table 73 IPSec commands Command Description ipPool natt ipPool <index> Select which IP pool, index is based on 1, and inactive IP pool cannot be selected. load <index> Before you configure an IP pool for client termination, you must load the specified IP pool. Currently 3 IP pools are supported, so the valid index is: 1~3 save After changing the IP pool configuration, use the save command to save the modification to the ROM. active Enables or disables the loaded IP pool. poolName Sets the IP pool’s name. startAddr Sets the IP pool’s starting IP address. subnet Sets the IP pool’s subnet. size Sets the number of IP addresses in the IP pool. status Displays the current runtime IP pool status of Client Termination. active <yes | no> Enables or disables NAT Traversal. portSwitch <enable | disable> Enables or disables Client IKE Source Port Switching. portNum Sets the NAT Traversal UDP port, valid UDP port: 1025 ~ 65535. failover <1 | 2 | 3> <IP> Sets the client failover IP address. keepalive active <yes | no> Enables or disables client failover tuning (keep-alive). interval <hh:mm:ss> Sets the keep-alive interval, valid interval 00:00:10 ~ 23:59:59. maxRetrans Sets the keep-alive max retransmissions, valid range 0~255 pfs <enable | disable> Enables or disables Perfect Forward Secrecy. idleTo <hh:mm:ss> Sets the Idle Timeout, the valid value is: 00:00:00~23:59:59, 00:00:00 means no idle timeout. aicp <on | off> Enable or disables Accept Initial Contact Payload. Nortel Business Secure Router 222 Configuration — Advanced 296 Appendix H Command Interpreter Table 73 IPSec commands Command Description rekeyTo NN47922-501 <hh:mm:ss> Sets the lifetime of a single key used for data encryption. rekeyDc Sets how much data you expect to transmit via the tunnel with a single key. A setting of 0 kb disables the Rekey Data Count, rekey data count must be more than 5. domain Sets the domain name for client termination. dns <primary | secondary> <IP> Sets primary or secondary DNS server IP addresses to be assigned to remote users. wins <primary | secondary> <IP> Sets primary or secondary WINS server IP addresses to be assigned to remote users. banner <on | off> [banner text] Sets whether or not the banner appears when a remote user logs on to the gateway. Also sets the banner text if specified (up to 256 characters). password clientStorage <on | off> Sets whether or not the Contivity VPN clients can save their logon passwords instead of always having to manually enter them. manage <on | off> Enables or disables the password management facilities, including maximum password age, minimum password length, and allow alpha-numeric passwords only. anpr <on | off> Enables or disables the requirement of a alpha-numeric password. age <days> Sets the maximum password age after which the login password expires, valid value: 0~180 days, and 0 means no expiration. minLen Sets the minimum password length. Appendix H Command Interpreter 297 Sys firewall commands Table 74 lists and describes the system firewall commands. Each of these commands must be preceded by sys firewall. For example, type sys firewall active yes to turn on the firewall. Table 74 Sys firewall commands Command Description acl active disp Displays ACLs or a specific ACL set # and rule #. <yes|no> Activates or deactivates firewall Enables or disables the firewall. disp Displays the firewall log type and count. clear Clears the firewall log count. display Displays the firewall’s dynamic rules. rst Turns TCP reset sending on or off. rst113 Turns TCP reset sending for port 113 on or off. display Displays the TCP reset sending settings. smtp Enables or disables the SMTP DoS defender. display Displays the SMTP DoS defender setting. ignore Sets if the firewall ignores DoS attacks on the LAN or WAN. dos Sets if the firewall ignores DoS attacks on the LAN or WAN. logBroadcast Displays the status of the broadcast log. triangle Sets if the firewall ignores triangle route packets on the LAN or WAN. cnt dynamicrule tcprst dos ignore Nortel Business Secure Router 222 Configuration — Advanced 298 Appendix H Command Interpreter Bandwidth management commands Table 75 lists and describes the bandwidth management commands. Each of these commands must be preceded by bm. For example, type bm show lan to display the LAN port’s bandwidth management settings. Table 75 Bandwidth management commands Command interface Description lan enable <bandwidth xxx> Enables bandwidth management (BWM) for traffic going out the LAN interface. You can also specify the b/s of bandwidth. <wrr|prr> Sets the queueing mechanism to fairness-based (WRR) or priority-based (PRR). <efficient> Turns on the work-conserving feature. Disables bandwidth management for traffic going out the LAN interface. disable wan enable <bandwidth xxx> Enables bandwidth management for traffic going out the WAN interface. You can also specify the b/s of bandwidth. <wrr|prr> Sets the queueing mechanism to fairness-based (WRR) or priority-based (PRR). <efficient> Turns on the work-conserving feature. Disables bandwidth management for traffic going out the WAN interface. disable class lan NN47922-501 add # bandwidth xxx <name xxx> Adds a class with bandwidth xxx b/s in LAN. The name is for your information. <priority x> Sets the class priority. The range is between 0 (the lowest) to 7 (the highest). Appendix H Command Interpreter 299 Table 75 Bandwidth management commands Command Description <borrow on|off> Deletes the class # and its filter and all its children classes and their filters in LAN. del # mod # wan add # <bandwidth xxx> Modifies the parameters of the class in the LAN. A bandwidth value is optional. <name xxx> Sets the class name. <priority x> Sets the class priority. The range is between 0 (the lowest) to 7 (the highest). The priority is unchanged if you do not set a new value. <borrow on|off> The class can borrow bandwidth from its parent class when borrowing is turned on, and vice versa. bandwidth xxx <name xxx> Adds a class with bandwidth xxx b/s in WAN. The name is for your information. <priority x> Sets the class priority. The range is between 0 (the lowest) to 7 (the highest). <borrow on|off> The class can borrow bandwidth from its parent class when borrowing is turned on, and vice versa. Deletes the class # and its filter and all its children class and their filters in WAN. del # mod # The class can borrow bandwidth from its parent class when borrowing is turned on, and vice versa. <bandwidth xxx> Modifies the parameters of the class in the WAN. A bandwidth value is optional. <name xxx> Sets the class name. <priority x> Sets the class priority. The range is between 0 (the lowest) to 7 (the highest). Nortel Business Secure Router 222 Configuration — Advanced 300 Appendix H Command Interpreter Table 75 Bandwidth management commands Command filter Description lan add # <borrow on|off> The class can borrow bandwidth from its parent class when borrowing is turned on, and vice versa. Daddr <mask Dmask> Dport Saddr <mask Smask> Sport protocol Adds a filter for class # in LAN. The filter contains destination address (netmask), destination port, source address (netmask), source port and protocol. Use 0 for items that you do not want the filter to include. Deletes the LAN filter that belongs to the specified LAN class. del # wan show interface class filter statistics NN47922-501 add # Daddr <mask Dmask> Dport Saddr <mask Smask> Sport protocol Adds a filter for class # in WAN. The filter contains destination address (netmask), destination port, source address (netmask), source port and protocol. Use 0 for items that you do not want the filter to include. del # Deletes the LAN filter that belongs to the specified WAN class. lan Displays the LAN interface settings. wan Displays the WAN interface settings. lan Displays the LAN classes. wan Displays the WAN classes. lan Displays the LAN filter settings. wan Displays the WAN filter settings. lan Displays the statistics of the LAN classes. wan Displays the statistics of the LAN classes. Appendix H Command Interpreter 301 Table 75 Bandwidth management commands Command Description lan <#> Displays the bandwidth usage of the specified LAN class (or all of the LAN classes if you do not specify one). The first time you use the command turns it on; the second time turns it off, and so on. wan <#> Displays the bandwidth usage of the specified WAN class (or all of the WAN classes if you do not specify one). The first time you use the command turns it on; the second time turns it off, and so on. moveFilter < channName> <from> config save Saves the BWM configuration. load Loads the BWM configuration. clear Clears the BWM configuration. monitor Changes the filter order. <channName>: LAN, WAN <from>: filter index number <to>: filter index number <to> Certificates commands Table 76 describes the certificate commands. Each of these commands must be preceded by certificates (or cert for short). For example, type cert my_cert list to display all of your certificate names and basic information. All of these commands start with certificates. Table 76 Certificates commands Command Description my_cert create Nortel Business Secure Router 222 Configuration — Advanced 302 Appendix H Command Interpreter Table 76 Certificates commands Command NN47922-501 Description create selfsigned <name> <subject> [key size] Creates a self-signed local host certificate. <name> specifies a descriptive name for the generated certificate. <subject> specifies a subject name (required) and alternative name (required). The format is “subject-name-dn;{ip,dns,email}=value". If the name contains spaces, put it in quotes. [key size] specifies the key size. It has to be an integer from 512 to 2 048. The default is 1 024 bits. create request <name> <subject> [key size] Creates a certificate request and saves it to the router for later manual enrollment. <name> specifies a descriptive name for the generated certification request. <subject> specifies a subject name (required) and alternative name (required). The format is "subject-name-dn;{ip,dns,email}=value". If the name contains spaces, put it in quotes. [key size] specifies the key size. It has to be an integer from 512 to 2 048. The default is 1 024 bits. create scep_enroll <name> <CA addr> <CA cert> <auth key> <subject> [key size] Creates a certificate request and enrolls for a certificate immediately online using SCEP protocol. <name> specifies a descriptive name for the enrolled certificate. <CA addr> specifies the CA server address. <CA cert> specifies the name of the CA certificate. <auth key> specifies the key used for user authentication. If the key contains spaces, put it in quotes. To leave it blank, type "". <subject> specifies a subject name (required) and alternative name (required). The format is "subject-name-dn;{ip,dns,email}=value". If the name contains spaces, put it in quotes. [key size] specifies the key size. It has to be an integer from 512 to 2 048. The default is 1 024 bits. Appendix H Command Interpreter 303 Table 76 Certificates commands Command Description create cmp_enroll <name> <CA addr> <CA cert> <auth key> <subject> [key size] Creates a certificate request and enrolls for a certificate immediately online using CMP protocol. <name> specifies a descriptive name for the enrolled certificate. <CA addr> specifies the CA server address. <CA cert> specifies the name of the CA certificate. <auth key> specifies the id and key used for user authentication. The format is "id:key". To leave the id and key blank, type ":". <subject> specifies a subject name (required) and alternative name (required). The format is "subject-name-dn;{ip,dns,email}=value". If the name contains spaces, put it in quotes. [key size] specifies the key size. It has to be an integer from 512 to 2 048. The default is 1 024 bits. import [name] Imports the PEM-encoded certificate from stdin. [name] specifies the descriptive name (optional) the imported certificate is saved as. For my certificate importation to be successful, a certification request corresponding to the imported certificate must already exist on Business Secure Router. After the importation, the certification request is automatically deleted. If a descriptive name is not specified for the imported certificate, the certificate adopts the descriptive name of the certification request. export <name> Exports the PEM-encoded certificate to stdout for theuser to copy and paste. <name> specifies the name of the certificate to be exported. view <name> Views the information of the specified local host certificate. <name> specifies the name of the certificate to be viewed. verify <name> [timeout] Verifies the certification path of the specified local host certificate. <name> specifies the name of the certificate to be verified. [timeout] specifies the timeout value in seconds (optional). The default timeout value is 20 seconds. delete <name> Deletes the specified local host certificate. <name> specifies the name of the certificate to be deleted. list Lists all my certificate names and basic information. Nortel Business Secure Router 222 Configuration — Advanced 304 Appendix H Command Interpreter Table 76 Certificates commands Command Description rename <old name> <new name> Renames the specified certificate. <old name> specifies the name of the certificate to be renamed. <new name> specifies the new name the certificate is saved as. def_self_sign ed [name] Sets the specified self-signed certificate as the default self-signed certificate. [name] specifies the name of the certificate to be set as the default self-signed certificate. If [name] is not specified, the name of the current self-signed certificate is displayed. Creates a certificate using your device MAC address that is specific to this device. The factory default certificate is a common default certificate for all Business Secure Router models. replace_facto ry ca_trusted import <name> Imports the PEM-encoded certificate from stdin. <name> specifies the name the imported CA certificate is saved as. export <name> Exports the PEM-encoded certificate to stdout for the user to copy and paste. <name> specifies the name of the certificate to be exported. view <name> Views the information of the specified trusted CA certificate. <name> specifies the name of the certificate to be viewed. verify <name> [timeout] Verifies the certification path of the specified trusted CA certificate. <name> specifies the name of the certificate to be verified. [timeout] specifies the timeout value in seconds (optional). The default timeout value is 20 seconds. delete <name> Deletes the specified trusted CA certificate. <name> specifies the name of the certificate to be deleted. Lists all trusted CA certificate names and basic information. list rename NN47922-501 <old name> <new name> Renames the specified trusted CA certificate. <old name> specifies the name of the certificate to be renamed. <new name> specifies the new name the certificate is saved as. Appendix H Command Interpreter 305 Table 76 Certificates commands Command Description crl_issuer <name> [on|off] Specifies whether or not the specified CA issues CRL. <name> specifies the name of the CA certificate. [on|off] specifies whether or not the CA issues CRL. If [on|off] is not specified, the current crl_issuer status of the CA is used. import <name> Imports the PEM-encoded certificate from stdin. <name> specifies the name the imported remote host certificate is saved as. export <name> Exports the PEM-encoded certificate to stdout for the user to copy and paste. <name> specifies the name of the certificate to be exported. view <name> Views the information of the specified trusted remote host certificate. <name> specifies the name of the certificate to be viewed. verify <name> [timeout] Verifies the certification path of the specified trusted remote host certificate. <name> specifies the name of the certificate to be verified. [timeout] specifies the timeout value in seconds (optional). The default timeout value is 20 seconds. delete <name> Deletes the specified trusted remote host certificate. <name> specifies the name of the certificate to be deleted. remote_trusted Lists all trusted remote host certificate names and basic information. list rename <old name> <new name> Renames the specified trusted remote host certificate. <old name> specifies the name of the certificate to be renamed. <new name> specifies the new name the certificate is saved as. dir_server Nortel Business Secure Router 222 Configuration — Advanced 306 Appendix H Command Interpreter Table 76 Certificates commands Command Description add <name> <addr[:port]> [login:pswd] Adds a new directory service. <name> specifies a descriptive name for the directory server. <addr[:port]> specifies the server address (required) and port (optional). The format is "server-address[:port]". The default port is 389. [login:pswd] specifies the logon name and password, if required. The format is "[login:password]". delete <name> Deletes the specified directory service. <name> specifies the name of the directory server to be deleted. view <name> Views the specified directory service. <name> specifies the name of the directory server to be viewed. Lists all directory service names and basic information. list NN47922-501 rename <old name> <new name> Renames the specified directory service. <old name> specifies the name of the directory server to be renamed. <new name> specifies the new name the directory server is saved as. edit <name> <addr[:port]> [login:pswd] Edits the specified directory service. <name> specifies the name of the directory server to be edited. <addr[:port]> specifies the server address (required) and port (optional). The format is "server-address[:port]". The default port is 389. [login:pswd] specifies the logon name and password, if required. The format is "[login:password]". Appendix H Command Interpreter 307 IEEE 802.1X commands Table 77 lists and describes the IEEE 802.1x commands. Each of these commands must be preceded by 8021x. For example, type 8021x debug level 1 to set the IEEE 802.1X debug messages to the first level. Table 77 IEEE 802.1X commands Command Description debug level <level> Sets the IEEE 802.1x debug message level trace Displays all supplicants information in the supplicant table. user <user> Displays all supplicants information related to the username. RADIUS commands Table 78 lists and describes the RADIUS commands. Each of these commands must be preceded by radius. For example, type radius auth to display the authentication server settings. Table 78 RADIUS commands Command Description auth Displays the current RADIUS authentication server configuration. acct Displays the current RADIUS accounting server configuration. checkRadID Checks the RADIUS ID pool. debug Enables radius debug messages. Nortel Business Secure Router 222 Configuration — Advanced 308 Appendix H Command Interpreter NN47922-501 309 Appendix I NetBIOS filter commands The following describes the NetBIOS packet filter commands. Introduction NetBIOS (Network Basic Input/Output System) are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. For some dial-up services, such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. You can configure NetBIOS filters to do the following: • • • Allow or disallow the sending of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. Allow or disallow the sending of NetBIOS packets through VPN connections. Allow or disallow NetBIOS packets to initiate calls. Nortel Business Secure Router 222 Configuration — Advanced 310 Appendix I NetBIOS filter commands Display NetBIOS filter settings Figure 163 NetBIOS Display Filter Settings Command Example ============== NetBIOS Filter Status =============== Between LAN and WAN: Block IPSec Packets: Forward Trigger Dial: Disabled Syntax: sys filter netbios disp This command gives a read-only list of the current NetBIOS filter modes. The filter types and their default settings are as follows: Table 79 NetBIOS filter default settings Name Description Example Between LAN and WAN This field displays whether NetBIOS packets are blocked or forwarded from the LAN to the WAN or from the WAN to the LAN. Forward IPSec Packets This field displays whether NetBIOS packets sent through a VPN connection are blocked or forwarded. Forward Trigger dial This field displays whether NetBIOS packets are allowed to initiate calls. Disabled means that NetBIOS packets are blocked from initiating calls. Disabled NetBIOS filter configuration Syntax: sys filter netbios config <type> <on|off> where <type> identifies which NetBIOS filter (numbered 0-3) to configure. NN47922-501 Appendix I NetBIOS filter commands 311 • • • 0 = LAN to WAN and WAN to LAN 3 = IPSec packet pass through 4 = Trigger Dial <on|off> is a switch to enable or disable the filter. • • • For type 0, use on to enable the filter and block NetBIOS packets. Use off to disable the filter and forward NetBIOS packets. For type 3, use on to block NetBIOS packets from being sent through a VPN connection. Use off to allow NetBIOS packets to be sent through a VPN connection. For type 4, use on to allow NetBIOS packets to initiate dial backup calls. Use off to block NetBIOS packets from initiating dial backup calls. Example commands Command: sys filter netbios config 0 on This command blocks LAN to WAN and WAN to LAN NetBIOS packets Command: sys filter netbios config 1 off This command forwards WAN to LAN and WAN to LAN NetBIOS packets Command: sys filter netbios config 3 on This command blocks IPSec NetBIOS packets Command: sys filter netbios config 4 off This command stops NetBIOS commands from initiating calls. Nortel Business Secure Router 222 Configuration — Advanced 312 Appendix I NetBIOS filter commands NN47922-501 313 Appendix J Boot Commands The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware is started. After you start up your Business Secure Router, you are given a choice to go into debug mode by pressing a key at the prompt shown in screen shown in Figure 164. In debug mode you have access to a series of boot module commands, for example ATUR (for uploading firmware) and ATLC (for uploading the configuration file). These are already discussed in Chapter 15, “Firmware and configuration file maintenance” on page 179. Figure 164 Option to Enter Debug Mode Bootbase Version: V1.02 | 08/08/2001 15:40:50 RAM: Size = 16384 Kbytes DRAM Post: Testing: 16384K OK FLASH: Intel 16M RAS Version: V3.50(WB.0)b3 | 08/08/2001 16:21:27 Press any key to enter debug mode within 3 seconds. ................................................. Enter ATHE to view all available Business Secure Router boot module commands, as shown in Figure 165. With ATBAx, you can change the console port speed. The x denotes the number preceding the colon to give the console port speed following the colon in the list of numbers that follows; for example ATBA3 will give a console port speed of 9.6 Kb/s. ATSE displays the seed that is used to generate a password to turn on the debug flag in the firmware. The ATSH Nortel Business Secure Router 222 Configuration — Advanced 314 Appendix J Boot Commands command shows product related information such as boot module version, vendor name, product model, RAS code revision, and more. With ATGO, you can continue booting the system. Most other commands aid in advanced troubleshooting and must only be used by qualified engineers. Figure 165 Boot Module Commands AT just answer OK ATHE print help ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k ATENx,(y) set BootExtension Debug Flag (y=password) ATSE show the seed of password generator ATTI(h,m,s) change system time to hour:min:sec or show current time ATDA(y,m,d) change system date to year/month/day or show current date ATDS dump RAS stack ATDT dump Boot Module Common Area ATDUx,y dump memory contents from address x for length y ATRBx display the ATRWx display the 16-bit value of address x ATRLx display the 32-bit value of address x ATGO(x) run program at addr x or boot router ATGR boot router ATGT run Hardware Test Program 8-bit value of address x ATRTw,x,y(,z) RAM test level w, from address x to y (z iterations) ATSH dump manufacturer related data in ROM ATDOx,y download from address x for length y to PC via XMODEM ATTD download router configuration to PC via XMODEM ATUR upload router firmware to flash ROM ATLC upload router configuration file to flash ROM ATXSx xmodem select: x=0: CRC mode(default); x=1: checksum mode ATSR system reboot NN47922-501 315 Appendix K Log descriptions This appendix provides descriptions of log messages. Table 80 System error logs Log Message Description %s exceeds the max. number of session per host! This attempt to create a SUA/NAT session exceeds the maximum number of SUA/NAT session table entries allowed to be created per host. Table 81 System maintenance logs Log Message Description Time calibration is successful The router has adjusted its time based on information from the time server. Time calibration failed The router failed to get information from the time server. DHCP client gets %s A DHCP client got a new IP address from the DHCP server. DHCP client IP expired A DHCP client's IP address has expired. DHCP server assigns %s The DHCP server assigned an IP address to a client. SMT Login Successfully Someone has logged on to the router's SMT interface. SMT Login Fail Someone has failed to log on to the router's SMT interface. WEB Login Successfully Someone has logged on to the router's WebGUI interface. WEB Login Fail Someone has failed to log on to the router's WebGUI interface. TELNET Login Successfully Someone has logged on to the router via Telnet. Nortel Business Secure Router 222 Configuration — Advanced 316 Appendix K Log descriptions Table 81 System maintenance logs Log Message Description TELNET Login Fail Someone has failed to log on to the router via Telnet. FTP Login Successfully Someone has logged on to the router via FTP. FTP Login Fail Someone has failed to log on to the router via FTP. NAT Session Table is Full! The maximum number of SUA/NAT session table entries has been exceeded and the table is full. Table 82 UPnP logs Log Message Description UPnP pass through Firewall UPnP packets can pass through the firewall. Table 83 Content filtering logs NN47922-501 Category Log Message Description URLFOR IP/Domain Name The Business Secure Router allows access to this IP address or domain name and forwards traffic to the IP address or domain name. URLBLK IP/Domain Name The Business Secure Router blocked access to this IP address or domain name due to a forbidden keyword. All web traffic is disabled except for trusted domains, untrusted domains, or the cybernot list. JAVBLK IP/Domain Name The Business Secure Router blocked access to this IP address or domain name because of a forbidden service, such as: ActiveX, a Java applet, a cookie, or a proxy. Appendix K Log descriptions 317 Table 84 Attack logs Log Message Description attack TCP The firewall detected a TCP attack. attack UDP The firewall detected an UDP attack. attack IGMP The firewall detected an IGMP attack. attack ESP The firewall detected an ESP attack. attack GRE The firewall detected a GRE attack. attack OSPF The firewall detected an OSPF attack. attack ICMP (type:%d, code:%d) The firewall detected an ICMP attack; see the section on ICMP messages for type and code details. land TCP The firewall detected a TCP land attack. land UDP The firewall detected an UDP land attack. land IGMP The firewall detected an IGMP land attack. land ESP The firewall detected an ESP land attack. land GRE The firewall detected a GRE land attack. land OSPF The firewall detected an OSPF land attack. land ICMP (type:%d, code:%d) The firewall detected an ICMP land attack; see the section on ICMP messages for type and code details. ip spoofing - WAN TCP The firewall detected a TCP IP spoofing attack on the WAN port. ip spoofing - WAN UDP The firewall detected an UDP IP spoofing attack on the WAN port. ip spoofing - WAN IGMP The firewall detected an IGMP IP spoofing attack on the WAN port. ip spoofing - WAN ESP The firewall detected an ESP IP spoofing attack on the WAN port. ip spoofing - WAN GRE The firewall detected a GRE IP spoofing attack on the WAN port. ip spoofing - WAN OSPF The firewall detected an OSPF IP spoofing attack on the WAN port. ip spoofing - WAN ICMP (type:%d, code:%d) The firewall detected an ICMP IP spoofing attack on the WAN port. icmp echo ICMP (type:%d, code:%d) The firewall detected an ICMP echo attack. syn flood TCP The firewall detected a TCP syn flood attack. ports scan TCP The firewall detected a TCP port scan attack. Nortel Business Secure Router 222 Configuration — Advanced 318 Appendix K Log descriptions Table 84 Attack logs Log Message Description teardrop TCP The firewall detected a TCP teardrop attack. teardrop UDP The firewall detected an UDP teardrop attack. teardrop ICMP (type:%d, code:%d) The firewall detected an ICMP teardrop attack. illegal command TCP The firewall detected a TCP illegal command attack. NetBIOS TCP The firewall detected a TCP NetBIOS attack. ip spoofing - no routing entry TCP The firewall detected a TCP IP spoofing attack while the Business Secure Router did not have a default route. ip spoofing - no routing entry UDP The firewall detected an UDP IP spoofing attack while the Business Secure Router did not have a default route. ip spoofing - no routing entry IGMP The firewall detected an IGMP IP spoofing attack while the Business Secure Router did not have a default route. ip spoofing - no routing entry ESP The firewall detected an ESP IP spoofing attack while the Business Secure Router did not have a default route. ip spoofing - no routing entry GRE The firewall detected a GRE IP spoofing attack while the Business Secure Router did not have a default route. ip spoofing - no routing entry OSPF The firewall detected an OSPF IP spoofing attack while the Business Secure Router did not have a default route. ip spoofing - no routing entry ICMP (type:%d, code:%d) The firewall detected an ICMP IP spoofing attack while the Business Secure Router did not have a default route. vulnerability ICMP (type:%d, code:%d) The firewall detected an ICMP vulnerability attack. traceroute ICMP (type:%d, code:%d) The firewall detected an ICMP traceroute attack. See Table 87 for type and code details. NN47922-501 Appendix K Log descriptions 319 Table 85 Access logs Log Message Description Firewall default policy: TCP (set:%d) TCP access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the ACL set’s configuration. Firewall default policy: UDP (set:%d) UDP access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the ACL set’s configuration. Firewall default policy: ICMP (set:%d, type:%d, code:%d) ICMP access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the ACL set’s configuration. Firewall default policy: IGMP (set:%d) IGMP access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the ACL set’s configuration. Firewall default policy: ESP (set:%d) ESP access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the ACL set’s configuration. Firewall default policy: GRE (set:%d) GRE access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the ACL set’s configuration. Firewall default policy: OSPF (set:%d) OSPF access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the ACL set’s configuration. Firewall default policy: (set:%d) Access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the ACL set’s configuration. Firewall rule match: TCP (set:%d, rule:%d) TCP access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the rule’s configuration. Firewall rule match: UDP (set:%d, rule:%d) UDP access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the rule’s configuration. Firewall rule match: ICMP (set:%d, rule:%d, type:%d, code:%d) ICMP access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the rule’s configuration. Firewall rule match: IGMP (set:%d, rule:%d) IGMP access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the rule’s configuration. Firewall rule match: ESP (set:%d, rule:%d) ESP access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the rule’s configuration. Nortel Business Secure Router 222 Configuration — Advanced 320 Appendix K Log descriptions Table 85 Access logs NN47922-501 Log Message Description Firewall rule match: GRE (set:%d, rule:%d) GRE access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the rule’s configuration. Firewall rule match: OSPF (set:%d, rule:%d) OSPF access matched the listed a firewall rule and the Business Secure Router blocked or forwarded it according to the rule’s configuration. Firewall rule match: (set:%d, rule:%d) Access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the rule’s configuration. Firewall rule NOT match: TCP (set:%d, rule:%d) TCP access did not match the listed firewall rule and the Business Secure Router logged it. Firewall rule NOT match: UDP (set:%d, rule:%d) UDP access did not match the listed firewall rule and the Business Secure Router logged it. Firewall rule NOT match: ICMP (set:%d, rule:%d, type:%d, code:%d) ICMP access did not match the listed firewall rule and the Business Secure Router logged it. Firewall rule NOT match: IGMP (set:%d, rule:%d) IGMP access did not match the listed firewall rule and the Business Secure Router logged it. Firewall rule NOT match: ESP (set:%d, rule:%d) ESP access did not match the listed firewall rule and the Business Secure Router logged it. Firewall rule NOT match: GRE (set:%d, rule:%d) GRE ac access did not match the listed firewall rule and the Business Secure Router logged it. Firewall rule NOT match: OSPF (set:%d, rule:%d) OSPF access did not match the listed firewall rule and the Business Secure Router logged it. Firewall rule NOT match: (set:%d, rule:%d) Access did not match the listed firewall rule and the Business Secure Router logged it. Filter default policy DROP! IP address or protocol matched a default filter policy and the Business Secure Router dropped the packet to block access. Filter default policy FORWARD! IP address or protocol matched a default filter policy. Access was allowed and the router forwarded the packet. Filter match DROP <set %d/rule %d> IP address or protocol matched the listed filter rule and the Business Secure Router dropped the packet to block access. Filter match FORWARD <set %d/rule %d> IP address or protocol matched the listed filter rule. Access was allowed and the router forwarded the packet. Appendix K Log descriptions 321 Table 85 Access logs Log Message Description (set:%d) With firewall messages, this is the number of the ACL policy set and denotes the packet's direction (see Table 86). With filter messages, this is the number of the filter set. (rule:%d) With firewall messages, the firewall rule number denotes the number of a firewall rule within an ACL policy set.With filter messages, this is the number of an individual filter rule. Router sent blocked web site message Triangle route packet forwarded The firewall allowed a triangle route session to pass through. Firewall sent TCP packet in response to DoS attack The firewall detected a DoS attack and sent a TCP packet in response. Firewall sent TCP reset packets The firewall sent out TCP reset packets. Packet without a NAT table entry blocked The router blocked a packet that did not have a corresponding SUA/NAT table entry. Out of order TCP handshake packet blocked The router blocked a TCP handshake packet that came out of the proper order. Drop unsupported/ out-of-order ICMP The Business Secure Router generates this log after it drops an ICMP packet due to one of the following two reasons: 1. The Business Secure Router does not support the ICMP packet's protocol. 2. The ICMP packet is an echo reply for which there was no corresponding echo request. Router sent ICMP response packet (type:%d, code:%d) The router sent an ICMP response packet. This packet automatically bypasses the firewall. See Table 87 for type and code details. Nortel Business Secure Router 222 Configuration — Advanced 322 Appendix K Log descriptions Table 86 ACL setting notes ACL Set Number Direction Description 1 LAN to WAN ACL set 1 for packets traveling from the LAN to the WAN. 2 WAN to LAN ACL set 2 for packets traveling from the WAN to the LAN. 7 LAN to LAN/Business Secure Router ACL set 7 for packets traveling from the LAN to the LAN or the Business Secure Router. 8 WAN to WAN/Business Secure Router ACL set 8 for packets traveling from the WAN to the WAN or the Business Secure Router. Table 87 ICMP notes Type Code Echo Reply 0 0 0 Net unreachable 1 Host unreachable 2 Protocol unreachable 3 Port unreachable 4 A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF) 5 Source route failed Source Quench 4 0 A gateway can discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network. Redirect 5 NN47922-501 Echo reply message Destination Unreachable 3 8 Description 0 Redirect datagrams for the Network 1 Redirect datagrams for the Host 2 Redirect datagrams for the Type of Service and Network 3 Redirect datagrams for the Type of Service and Host Echo Appendix K Log descriptions 323 Table 87 ICMP notes Type Code Description 0 Echo message Time Exceeded 11 0 Time to live exceeded in transit 1 Fragment reassembly time exceeded Parameter Problem 12 0 Pointer indicates the error Timestamp 13 0 Timestamp request message Timestamp Reply 14 0 Timestamp reply message Information Request 15 0 Information request message Information Reply 16 0 Information reply message Table 88 Sys log LOG MESSAGE DESCRIPTION Mon dd hr:mm:ss hostname This message is sent by the "RAS" when this syslog is src="<srcIP:srcPort>" generated. The messages and notes are defined in this dst="<dstIP:dstPort>" appendix’s other charts. msg="<msg>" note="<note> VPN/IPSec logs To view the IPSec and IKE connection log, type 3 in menu 27 and press [ENTER] to display the IPSec log as shown next. Figure 166 shows a typical log from the initiator of a VPN connection. Nortel Business Secure Router 222 Configuration — Advanced 324 Appendix K Log descriptions Figure 166 Example VPN initiator IPSec log Index: Date/Time: Log: -----------------------------------------------------------001 01 Jan 08:02:22 Send Main Mode request to <192.168.100.101> 002 01 Jan 08:02:22 Send:<SA> 003 01 Jan 08:02:22 Recv:<SA> 004 01 Jan 08:02:24 Send:<KE><NONCE> 005 01 Jan 08:02:24 Recv:<KE><NONCE> 006 01 Jan 08:02:26 Send:<ID><HASH> 007 01 Jan 08:02:26 Recv:<ID><HASH> 008 01 Jan 08:02:26 Phase 1 IKE SA process done 009 01 Jan 08:02:26 Start Phase 2: Quick Mode 010 01 Jan 08:02:26 Send:<HASH><SA><NONCE><ID><ID> 011 01 Jan 08:02:26 Recv:<HASH><SA><NONCE><ID><ID> 012 01 Jan 08:02:26 Send:<HASH> Clear IPSec Log (y/n): NN47922-501 Appendix K Log descriptions 325 VPN responder IPSec log Figure 167 shows a typical log from the VPN connection peer. Figure 167 Example VPN responder IPSec log Index: Date/Time: Log: -----------------------------------------------------------001 01 Jan 08:08:07 Recv Main Mode request from <192.168.100.100> 002 01 Jan 08:08:07 Recv:<SA> 003 01 Jan 08:08:08 Send:<SA> 004 01 Jan 08:08:08 Recv:<KE><NONCE> 005 01 Jan 08:08:10 Send:<KE><NONCE> 006 01 Jan 08:08:10 Recv:<ID><HASH> 007 01 Jan 08:08:10 Send:<ID><HASH> 008 01 Jan 08:08:10 Phase 1 IKE SA process done 009 01 Jan 08:08:10 Recv:<HASH><SA><NONCE><ID><ID> 010 01 Jan 08:08:10 Start Phase 2: Quick Mode 011 01 Jan 08:08:10 Send:<HASH><SA><NONCE><ID><ID> 012 01 Jan 08:08:10 Recv:<HASH> Clear IPSec Log (y/n): This menu is useful for troubleshooting. A log index number, the date and time the log was created, and a log message are displayed. Note: Double exclamation marks (!!) denote an error or warning message. Table 89 shows sample log messages during IKE key exchange. Note: A PYLD_MALFORMED packet usually means that the two ends of the VPN tunnel are not using the same pre-shared key. Nortel Business Secure Router 222 Configuration — Advanced 326 Appendix K Log descriptions Table 89 Sample IKE key exchange logs NN47922-501 Log Message Description Send <Symbol> Mode request to <IP>Send <Symbol> Mode request to <IP> The Business Secure Router has started negotiation with the peer. Recv <Symbol> Mode request from <IP>Recv <Symbol> Mode request from <IP> The Business Secure Router has received an IKE negotiation request from the peer. Recv:<Symbol> IKE uses the ISAKMP protocol (refer to RFC2408 – ISAKMP) to transmit data. Each ISAKMP packet contains payloads of different types that show in the log (see Table 91). Phase 1 IKE SA process done Phase 1 negotiation is finished. Start Phase 2: Quick Mode Phase 2 negotiation is beginning using Quick Mode. !! IKE Negotiation is in process The Business Secure Router has begun negotiation with the peer for the connection already, but the IKE key exchange is not finished yet. !! Duplicate requests with the same cookie The Business Secure Router has received multiple requests from the same peer but it is still processing the first IKE packet from that peer. !! No proposal chosen The parameters configured for Phase 1 or Phase 2 negotiations do not match. Check all protocols and settings for these phases. For example, one party is using 3DES encryption, but the other party is using DES encryption, so the connection fails. !! Verifying Local ID failed!! Verifying Remote ID failed During IKE Phase 2 negotiation, both parties exchange policy details, including local and remote IP address ranges. If these ranges differ, the connection fails. !! Local / remote IPs of incoming request conflict with rule <#d> If the security gateway is 0.0.0.0, the Business Secure Router uses the peer Local Addr as its Remote Addr. If this IP (range) conflicts with a previously configured rule then the connection is not allowed. !! Invalid IP <IP start>/<IP end> The Local IP Addr range for the peer is invalid. !! Remote IP <IP start> / <IP end> conflicts If the security gateway is 0.0.0.0, the Business Secure Router uses Local Addr for the peer as its Remote Addr. If a peer Local Addr range conflicts with other connections, the Business Secure Router does not accept VPN connection requests from this peer. Appendix K Log descriptions 327 Table 89 Sample IKE key exchange logs Log Message Description !! Active connection allowed exceeded The Business Secure Router limits the number of simultaneous Phase 2 SA negotiations. The IKE key exchange process fails if this limit is exceeded. !! IKE Packet Retransmit The Business Secure Router did not receive a response from the peer and so retransmits the last packet sent. !! Failed to send IKE Packet The Business Secure Router cannot send IKE packets due to a network error. !! Too many errors! Deleting SA The Business Secure Router deletes an SA when too many errors occur. !! Phase 1 ID type mismatch The ID type of an incoming packet does not match the local's peer ID type. !! Phase 1 ID content mismatch The ID content of an incoming packet does not match the local's peer ID content. !! No known phase 1 ID type found The ID type of an incoming packet does not match any known ID type. Peer ID: IP address type <IP address> The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router. The log displays the IP address type and IP address of the incoming packet. vs. My Remote <IP address> The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router. The log displays this router’s configured remote IP address type or IP address that the incoming packet did not match. vs. My Local <IP address> The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router. The log displays the configured local IP address type of the router or IP address that the incoming packet did not match. -> <symbol> Error ID Info The router sent a payload type of IKE packet. The parameters configured for Phase 1 ID content do not match or the parameters configured for the Phase 2 ID (IP address of single, range or subnet) do not match. Check all protocols and settings for these phases. Nortel Business Secure Router 222 Configuration — Advanced 328 Appendix K Log descriptions Table 90 shows sample log messages during packet transmission. Table 90 Sample IPSec logs during packet transmission LOG MESSAGE DESCRIPTION !! WAN IP changed to <IP> If the Business Secure Router’s WAN IP changes, all configured “My IP Addr” are changed to “0.0.0.0”. If this field is configured as 0.0.0.0, the Business Secure Router uses the current Business Secure Router WAN IP address (static or dynamic) to set up the VPN tunnel. !! Cannot find IPSec SA The Business Secure Router cannot find a phase 2 SA that corresponds with the SPI of an inbound packet (from the peer); the packet is dropped. !! Cannot find outbound SA for rule <%d> The packet matches the rule index number (#d), but Phase 1 or Phase 2 negotiation for outbound (from the VPN initiator) traffic is not finished yet. !! Discard REPLAY packet If the Business Secure Router receives a packet with the wrong sequence number it discards it. !! Inbound packet authentication failed The authentication configuration settings are incorrect. Check them. !! Inbound packet decryption failed The decryption configuration settings are incorrect. Check them. Rule <#d> idle time out, disconnect If an SA has no packets transmitted for a period of time (configurable via CI command), the Business Secure Router drops the connection. Table 91 shows RFC-2408 ISAKMP payload types that the log displays. Refer to the RFC for detailed information on each type. Table 91 RFC-2408 ISAKMP payload types NN47922-501 Log Display Payload Type SA Security Association PROP Proposal TRANS Transform KE Key Exchange ID Identification CER Certificate Appendix K Log descriptions 329 Table 91 RFC-2408 ISAKMP payload types CER_REQ Certificate Request HASH Hash SIG Signature NONCE Nonce NOTFY Notification DEL Delete VID Vendor ID Table 92 PKI logs Log Message Description Enrollment successful The SCEP online certificate enrollment was successful. The Destination field records the certification authority server IP address and port. Enrollment failed The SCEP online certificate enrollment failed. The Destination field records the certification authority server’s IP address and port. Failed to resolve <SCEP CA server url> The SCEP online certificate enrollment failed because the certification authority server’s address cannot be resolved. Enrollment successful The CMP online certificate enrollment was successful. The Destination field records the certification authority server’s IP address and port. Enrollment failed The CMP online certificate enrollment failed. The Destination field records the certification authority server’s IP address and port. Failed to resolve <CMP CA server url> The CMP online certificate enrollment failed because the certification authority server’s IP address cannot be resolved. Rcvd ca cert: <subject name> The router received a certification authority certificate, with subject name as recorded, from the LDAP server whose IP address and port are recorded in the Source field. Rcvd user cert: <subject name> The router received a user certificate, with subject name as recorded, from the LDAP server whose IP address and port are recorded in the Source field. Rcvd CRL <size>: <issuer name> The router received a CRL (Certificate Revocation List), with size and issuer name as recorded, from the LDAP server whose IP address and port are recorded in the Source field. Rcvd ARL <size>: <issuer name> The router received an ARL (Authority Revocation List), with size and issuer name as recorded, from the LDAP server whose address and port are recorded in the Source field. Nortel Business Secure Router 222 Configuration — Advanced 330 Appendix K Log descriptions Table 92 PKI logs Log Message Description Failed to decode the received ca cert The router received a corrupted certification authority certificate from the LDAP server whose address and port are recorded in the Source field. Failed to decode the received user cert The router received a corrupted user certificate from the LDAP server whose address and port are recorded in the Source field. Failed to decode the received CRL The router received a corrupted CRL (Certificate Revocation List) from the LDAP server whose address and port are recorded in the Source field. Failed to decode the received ARL The router received a corrupted ARL (Authority Revocation List) from the LDAP server whose address and port are recorded in the Source field. Rcvd data <size> too large! Max size allowed: <max size> The router received directory data that was too large (the size is listed) from the LDAP server whose address and port are recorded in the Source field. The maximum size of directory data that the router allows is also recorded. Cert trusted: <subject name> The router has verified the path of the certificate with the listed subject name. Due to <reason codes>, cert not trusted: <subject name> Due to the reasons listed, the certificate with the listed subject name has not passed the path verification. The recorded reason codes are only approximate reasons for not trusting the certificate. See Table 93 for the corresponding descriptions of the codes. Table 93 Certificate path verification failure reason codes NN47922-501 Code Description 1 Algorithm mismatch between the certificate and the search constraints. 2 Key usage mismatch between the certificate and the search constraints. 3 Certificate was not valid in the time interval. 4 (Not used) 5 Certificate is not valid. 6 Certificate signature was not verified correctly. 7 Certificate was revoked by a CRL. 8 Certificate was not added to the cache. 9 Certificate decoding failed. 10 Certificate was not found (anywhere). Appendix K Log descriptions 331 Table 93 Certificate path verification failure reason codes Code Description 11 Certificate chain looped (did not find trusted root). 12 Certificate contains critical extension that was not handled. 13 Certificate issuer was not valid (CA specific information missing). 14 (Not used) 15 CRL is too old. 16 CRL is not valid. 17 CRL signature was not verified correctly. 18 CRL was not found (anywhere). 19 CRL was not added to the cache. 20 CRL decoding failed. 21 CRL is not currently valid, but in the future. 22 CRL contains duplicate serial numbers. 23 Time interval is not continuous. 24 Time information not available. 25 Database method failed due to timeout. 26 Database method failed. 27 Path was not verified. 28 Maximum path length reached. Table 94 IEEE 802.1X logs Log Message Description Local User Database accepts user. A user was authenticated by the local user database. Local User Database reports user credential error. A user was not authenticated by the local user database because of an incorrect user password. Local User Database does not find user`s credential. A user was not authenticated by the local user database because the user is not listed in the local user database. RADIUS accepts user. A user was authenticated by the RADIUS Server. RADIUS rejects user. Pls check RADIUS Server. A user was not authenticated by the RADIUS Server. Check the RADIUS Server. Nortel Business Secure Router 222 Configuration — Advanced 332 Appendix K Log descriptions Table 94 IEEE 802.1X logs Log Message Description Local User Database does not support authentication method. The local user database only supports the EAP-MD5 method. A user tried to use another authentication method and was not authenticated. User logout because of session timeout expired. The router logged off a user whose session expired. User logout because of user deassociation. The router logged off a user who ended the session. User logout because of no authentication response from user. The router logged off a user from which there was no authentication response. User logout because of idle timeout expired. The router logged off a user whose idle timeout period expired. User logout because of user request. A user logged off. Local User Database does not support authentication mothed. A user tried to use an authentication method that the local user database does not support (it only supports EAP-MD5). No response from RADIUS. Pls check RADIUS Server. There is no response message from the RADIUS server, check the RADIUS server. Use Local User Database to authenticate user. The local user database is operating as the authentication server. Use RADIUS to authenticate user. The RADIUS server is operating as the authentication server. No Server to authenticate user. There is no authentication server to authenticate a user. Local User Database does not find user`s credential. A user was not authenticated by the local user database because the user is not listed in the local user database. Log commands Go to the command interpreter interface (see Appendix H, “Command Interpreter” on page 271 for information on how to access and use the commands). NN47922-501 Appendix K Log descriptions 333 Configuring what you want the Business Secure Router to log Use the sys logs load command to load the log setting buffer that is used to configure which logs the Business Secure Router is to record. Use sys logs category followed by a log category and a parameter to decide what to record. Table 95 Log categories and available settings Log Categories Available Parameters access 0, 1, 2, 3 attack 0, 1, 2, 3 error 0, 1, 2, 3 ike 0, 1, 2, 3 ipsec 0, 1, 2, 3 javablocked 0, 1, 2, 3 mten 0, 1 upnp 0, 1 urlblocked 0, 1, 2, 3 urlforward 0, 1 Use 0 to not record logs for that category, 1 to record only logs for that category, 2 to record only alerts for that category, and 3 to record both logs and alerts for that category. Use the sys logs save command to store the settings in the Business Secure Router (you must do this in order to record logs). Displaying logs Use the sys logs display command to show all of the logs in the Business Secure Router’s log. Use the sys logs category display command to show the log settings for all of the log categories. Nortel Business Secure Router 222 Configuration — Advanced 334 Appendix K Log descriptions Use the sys logs display [log category] command to show the logs in an individual Business Secure Router log category. Use the sys logs clear command to erase all of the Business Secure Router’s logs. Log command example This example shows how to set the Business Secure Router to record the access logs and alerts and then view the results. ras> ras> ras> ras> # sys sys sys sys logs logs logs logs load category access 3 save display access .time source message 0|11/11/2002 15:10:12 |172.22.3.80:137 Firewall default policy: UDP(set:8) 1|11/11/2002 15:10:12 |172.21.4.17:138 Firewall default policy: UDP(set:8) 2|11/11/2002 15:10:11 |172.17.2.1 Firewall default policy: IGMP(set:8) 3|11/11/2002 15:10:11 |172.22.3.80:137 Firewall default policy: UDP(set:8) 4|11/11/2002 15:10:10 |192.168.10.1:520 Firewall default policy: UDP(set:8) 5|11/11/2002 15:10:10 |172.21.4.67:137 NN47922-501 destination notes |172.22.255.255:137 |ACCESS BLOCK |172.21.255.255:138 |ACCESS BLOCK |224.0.1.60 |ACCESS BLOCK |172.22.255.255:137 |ACCESS BLOCK |192.168.10.255:520 |ACCESS BLOCK |172.21.255.255:137 |ACCESS BLOCK 335 Appendix L Brute force password guessing protection Table 96 describes the commands for enabling, disabling and configuring the brute force password guessing protection mechanism for the password. Table 96 Brute force password guessing protection commands Command Description sys pwderrtm This command displays the brute-force guessing password protection settings. sys pwderrtm 0 This command turns off the password’s protection from brute-force guessing. The brute-force password guessing protection is turned off by default. sys pwderrtm N This command sets the password protection to block all access attempts for N (a number from 1 to 60) minutes after the third time an incorrect password is entered. Example sys pwderrtm 5 This command sets the password protection to block all access attempts for five minutes after the third time an incorrect password is entered. Nortel Business Secure Router 222 Configuration — Advanced 336 Appendix L Brute force password guessing protection NN47922-501 337 Appendix M SIP The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering, and tearing down of voice and multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol. SIP signaling is separate from the media for which it handles sessions. The media that is exchanged during the session can use a different path from that of the signaling. SIP handles telephone calls and can interface with traditional circuit-switched telephone networks. SIP Identities A SIP account uses an identity (sometimes referred to as a SIP address). A complete SIP identity is called a SIP URI (Uniform Resource Identifier). The URI of a SIP account identifies the SIP account in a way similar to the way an e-mail address identifies an e-mail account. The format of a SIP identity is SIP-Number@SIP-Service-Domain. SIP Number The SIP number is the part of the SIP URI that comes before the @ symbol. A SIP number can use letters like in an e-mail address ([email protected], for example) or numbers like a telephone number ([email protected], for example). Nortel Business Secure Router 222 Configuration — Advanced 338 Appendix M SIP SIP Service Domain The SIP service domain of the VoIP service provider is the domain name in a SIP URI. For example, if the SIP address is [email protected], then VoIP-provider.com is the SIP service domain. SIP Call Progression Table 97 displays the basic steps in the setup and tear down of a SIP call. A calls B. Table 97 SIP Call Progression A B 1. INVITE 2. Ringing 3. OK 4. ACK 5.Dialogue (voice traffic) 6. BYE 7. OK NN47922-501 1 A sends a SIP INVITE request to B. This message is an invitation for B to participate in a SIP telephone call. 2 B sends a response indicating that the telephone is ringing. 3 B sends an OK response after the call is answered. 4 A then sends an ACK message to acknowledge that B has answered the call. 5 Now A and B exchange voice media (talk). 6 After talking, A hangs up and sends a BYE request. 7 B replies with an OK response confirming receipt of the BYE request and the call is terminated. Appendix M SIP 339 SIP Servers SIP is a client-server protocol. A SIP client is an application program or device that sends SIP requests. A SIP server responds to the SIP requests. When you use SIP to make a VoIP call, it originates at a client and terminates at a server. A SIP client could be a computer or a SIP phone. One device can act as both a SIP client and a SIP server. SIP User Agent Server A SIP user agent server can make and receive VoIP telephone calls. This means that SIP can be used for peer-to-peer communications even though it is a client-server protocol. In Figure 168, either A or B can act as a SIP user agent client to initiate a call. A and B can also both act as a SIP user agent server to receive the call. Figure 168 SIP User Agent Server SIP Proxy Server A SIP proxy server receives requests from clients and forwards them to another server. In the following example, client device A calls someone who is using client device C. 1 The client device (A in the figure) sends a call invitation to the SIP proxy server (B). 2 The SIP proxy server forwards the call invitation to C. Nortel Business Secure Router 222 Configuration — Advanced 340 Appendix M SIP Figure 169 SIP Proxy Server SIP Redirect Server A SIP redirect server accepts SIP requests, translates the destination address to an IP address and sends the translated IP address back to the device that sent the request. Then the client device that originally sent the request can send requests to the IP address that it received back from the redirect server. Redirect servers do not initiate SIP requests. In the following example, client device A calls someone who is using client device C. NN47922-501 1 Client device A sends a call invitation for C to the SIP redirect server (B). 2 The SIP redirect server sends the invitation back to A with C’s IP address (or domain name). 3 Client device A then sends the call invitation to client device C. Appendix M SIP 341 Figure 170 SIP Redirect Server SIP Register Server A SIP register server maintains a database of SIP identity-to-IP address (or domain name) mapping. The register server checks your username and password when you register. RTP When you make a VoIP call using SIP, the RTP (Real time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP. Nortel Business Secure Router 222 Configuration — Advanced 342 Appendix M SIP SIP ALG Some NAT routers can include a SIP Application Layer Gateway (ALG). A SIP ALG allows VoIP calls to pass through NAT by examining and translating IP addresses embedded in the data stream. When a VoIP device (SIP client) behind the SIP ALG registers with the SIP register server, the SIP ALG translates the device’s private IP address inside the SIP data stream to a public IP address. You do not need to use STUN if your VoIP device is behind the SIP ALG. STUN Using STUN (Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators), the VoIP device can the presence and types of NAT routers, firewalls, or both between it and the public Internet. With STUN, the VoIP device can also find the public IP address that NAT assigned, so the VoIP device can embed it in the SIP data stream. See “STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)” (RFC 3489) for details on STUN. Business Secure Router SIP ALG • • • • NN47922-501 SIP clients must be connected to the LAN. A SIP server must be on the WAN. You can make and receive calls between the LAN and the WAN. You cannot make a call between the LAN and the LAN. The SIP ALG forwards UDP packets with a port 5060 destination to pass through. The Business Secure Router forwards SIP audio connections. Appendix M SIP 343 Figure 171 Business Secure Router SIP ALG Signaling session over UDP port 5060 Audio session using RTP SIP ALG and NAT The Business Secure Router dynamically creates an implicit port forwarding rule for SIP traffic from the WAN to the LAN. The SIP ALG on the Business Secure Router supports all NAT mapping types, including One to One, Many to One, Many to Many Overload and Many One to One. SIP ALG and firewall The Business Secure Router creates an implicit temporary firewall rule for the dynamic RTP port on the WAN to the SIP client device on the LAN. The firewall rule is created for both directions to allow voice packets. The firewall rule is deleted when the call is terminated. SIP ALG and Multiple WAN When the Business Secure Router has two WAN ports and uses the second highest priority WAN port as a back up, it drops SIP connections when the primary WAN port connection fails. The Business Secure Router does not automatically change the SIP connection to the secondary WAN port. Nortel Business Secure Router 222 Configuration — Advanced 344 Appendix M SIP If the primary WAN connection fails, the SIP client needs to re-register with the SIP server through the secondary WAN port to have the SIP connection go through the secondary WAN port. When the Business Secure Router uses both of the WAN ports at the same time, you can configure a routing policy to have the voice traffic from any IP address with UDP port 5060 and the RTP ports go over a specified WAN port. Enabling or disabling the SIP ALG The Business Secure Router SIP ALG is turned off by default to avoid retranslating the IP address of an existing SIP device that is using STUN. If you want to use a SIP client device (a SIP phone or IP phone for example) behind the Business Secure Router without STUN, use the ip alg enable ALG_SIP command to activate the SIP ALG. Signaling session timeout Most SIP clients have an expire mechanism indicating the lifetime of signaling sessions. The SIP UA sends registration packets to the SIP server periodically and keeps the session alive in the Business Secure Router. If the SIP client does not have this mechanism and makes no call during the Business Secure Router SIP timeout default (60 minutes), the Business Secure Router SIP ALG drops any incoming calls after the timeout period. You can use the ip alg siptimeout command to change the timeout value. Audio session timeout If no voice packets go through the SIP ALG before the timeout period default (5 minutes) expires, the SIP ALG does not drop the call but blocks all voice traffic and deletes the audio session. You cannot hear anything and you must make a new call to continue your conversation. NN47922-501 345 Index Numbers Call Control 202 Call History 204 10/100 Mb/s Ethernet WAN 32 ACK Message 338 Call Scheduling 35, 213 Maximum Number of Schedule Sets 213 PPPoE 216 Precedence 214 Precedence Example 214 Active 60, 63, 87 Call-Triggering Packet 175 ALG 342 Central Network Management 36 Allocated Budget 61, 90 CHAP 61, 90 Alternative Subnet Mask Notation 264 Client-server Protocol 339 Application Layer Gateway 342 Command Interpreter Mode 199 Applications 39 Community 155 AT command 56, 58, 180 Conditions that prevent TFTP and FTP from working over WAN 183 4-Port Switch 32 A Authen 61, 90 Connection ID/Name 92 Authentication 61, 89, 90 Console Port 168, 169, 171, 258 Authentication Protocol 89 Autonegotiating 10/100 Mb/s Ethernet LAN 32 Autosensing 10/100 Mb/s Ethernet LAN 32 Content Filtering 35 Contivity VPN Client Software 33 conventions, text 25 Auxiliary 33 copyright 2 B D Backup 180 Brute Force Password Guessing Protection 35 Budget Management 202 BYE Request 338 DDNS Configuration 50 DDNS Type 51 Denial of Service 133 C DHCP 73 Call Back Delay 59 DHCP Ethernet Setup 72 DHCP (Dynamic Host Configuration Protocol) 37 Nortel Business Secure Router 222 Configuration — Advanced 346 Index Diagnostic 176 DIAL BACKUP 258 Dial Timeout 59 Filters Executing a Filter Rule 136 IP Filter Logic Flow 144 DoS (Denial of Service) 34 Firewall 34 Activating 133 SMT Menus 133 Drop Timeout 59 Flow Control 41 DSL Modem 39, 88 FTP 211 DTR 58 FTP File Transfer 190 Dynamic DNS Support 36 FTP Restrictions 183, 211 Domain Name 168, 170 E FTP Server 38, 125 Full Network Management 38 Edit IP 61, 88 EMAIL 51 G E-mail Address 51 Gateway IP Addr 94 Enable Wildcard 51 Gateway IP Address 81, 102 Encapsulation 80, 87, 91 General Setup 47 Entering Information 43 Ethernet Encapsulation 79, 86, 87, 91, 96 H Ethernet Specification for WAN 257 Hardware Setup 40 F Hidden Menus 43 Host 51 F/W Version 180 Host IDs 262 Factory Default 54 HTTPS 34 Fail Tolerance 99 HyperTerminal program 185, 188 Features 31 Filename Conventions 179 I Filter 69, 95 Applying 152 Configuration 135 Configuring 138 Example 148 Generic Filter Rule 146 Generic Rule 147 NAT 151 Remote Node 153 Structure 136 TCP/IP Rule 142 Idle Timeout 62, 90 NN47922-501 IEEE 802.1x 34 Incoming Protocol Filters 77 Initial Screen 41 Internet Access 79 ISP's Name 80 Internet Access Setup 79, 80, 108 Introduction to Filters 135 IP Address 61, 64, 75, 76, 81, 93 Index 347 Multicast 65, 75, 95 Remote 64 IP Address Assignment 64, 81, 93 Multimedia 337 IP Addressing 261 My IP Addr 91 IP Alias 36, 76 My Login 60, 88 IP Alias Setup 75, 76 My Login Name 80 IP Classes 261 My Password 60, 80, 81, 88 IP Multicast 36 Internet Group Management Protocol (IGMP) 36 My Server IP Addr 91 IP Pool 73, 74 N IP Static Route 101, 102 Active 102 Destination IP Address 102 IP Subnet Mask 102 Name 102 Route Number 102 My WAN Address 64 Nailed-Up Connection 62, 90 Nailed-up Connection 90 Nailed-Up Connections 92 IPSec VPN Capability 33, 34 NAT 65, 94, 151 Applying NAT in the SMT Menus 107 Configuring 110 Examples 121 Ordering Rules 114 ISP’s Name 80 NAT Routers 342 IP Subnet Mask 64, 76 Remote 64 Network Address Translation 81 L Network Address Translation (NAT) 37, 107 LAN Port Filter Setup 71 Network Address Translators 342 LAN Setup 71, 72 Log 171 O Log Facility 172 Offline 52 Logging 38 OK Response 338 Logging In to the SMT 42 Operation Temperature 257 Login Name 80 Outgoing Protocol Filters 77 Login Screen 42 P M Packet Filtering 35 MAC Address 54 PAP 61, 90 Main Menu 43 Password 42, 45, 80, 81, 155 Mean Time Between Failures 257 Period(hr) 61, 90 Metric 65, 90, 94, 103 Ping 178 MTBF 257 Port Forwarding 37 Nortel Business Secure Router 222 Configuration — Advanced 348 Index PPP 62 RoadRunner Support 38 PPPoE 35, 249 Route 88 PPPoE Encapsulation 79, 83, 86, 88, 90, 96 RTP 341 PPTP 253 Client 81, 82 Configuring a Client 81, 82 S PPTP Encapsulation 36, 91 Schedule Sets Duration 215 Private 65, 94, 103 Schedules 90, 92 Protocol Filters 77 Incoming 77 Outgoing 77 Server 80, 81, 88, 110, 113, 116, 117, 123, 124, 206 publications hard copy 26 related 26 Service Name 88 Server IP 88 Service Type 80, 87 Session Initiation Protocol 337 R setup a schedule 214 RAS F/W Version 170 SIP Account 337 Real time Transport Protocol 341 SIP ALG 342 regulatory information 2 SIP Application Layer Gateway 342 Rem IP Address 64 SIP Client 339 Rem Node Name 60, 63, 87 SIP INVITE Request 338 Remote Management 209 SIP Redirect Server 340 Remote Management Limitations 211 SIP Register Server 341 Remote Node 85 Profile (Traffic Redirect Field) 97 SIP Servers 339 Remote Node Filter 69, 95 SIP User Agent Server 339 Required fields 43 SMT 42 Reset Button 33 SNMP 37 Community 156 Configuration 155 Trusted Host 156 Resetting the Time 208 Restore Configuration 186 retry count 59 SIP URI 337 retry interval 59 SNMP (Simple Network Management Protocol) 37 RFC 1889 341 SSH 34 RFC 3489 342 Stateful Inspection 34 RIP 65, 75, 77, 94 Direction 77 Version 77, 95 SUA (Single User Account) 107 NN47922-501 Subnet Mask 64, 75, 81, 93, 102 Index 349 U Subnet Masks 263 Subnetting 263 Uniform Resource Identifier 337 Syslog 171, 172 Universal Plug and Play 35 Syslog IP Address 172 Upgradeable Firmware 38 System Information 165, 168, 169 Upload Firmware 189 System Maintenance 165, 166, 167, 168, 170, 171, 172, 177, 178, 180, 183, 193, 194, 199, 202, 204, 206 UPnP 35 User Name 51 System Management Terminal 42 User Profiles 105 System Name 48 Username 42 System Status 166 V T VT100 41 TCP/IP 63, 72, 75, 92, 141, 142, 144, 147, 151 Setup 75 W TCP/IP and DHCP Setup 72 WAN DHCP 177, 178 TCP/IP filter rule 141 WAN Setup 53, 54 technical publications 26 WebGUI 134 Terminal Emulation 41 www.dyndns.org 52 text conventions 25 TFTP File Transfer 192 X TFTP Restrictions 183, 211 XMODEM protocol 181 Time and Date 33 Time and Date Setting 205, 206 Time Zone 207 Timeout 62, 82, 83, 90 Trace 171 Tracing 38 trademarks 2 Traffic Redirect 37 Setup 98 Triangle 229 Triangle Route Solutions 230 Trigger Port Forwarding 129 Nortel Business Secure Router 222 Configuration — Advanced
advertisement
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Related manuals
advertisement