1. Networking
  2. Routers
  3. Nortel
  4. BSR222

Nortel 222 User manual


Add to my manuals
349 Pages

advertisement

Nortel 222 User manual | Manualzz 
Nortel Business Secure Router 222 Configuration —
Advanced
BSR222
Business Secure Router
Document Number: NN47922-501
Document Version: 1.3
Date: March 2007
2
Copyright © Nortel 2005–2006
All rights reserved.
The information in this document is subject to change without notice. The statements, configurations, technical data, and
recommendations in this document are believed to be accurate and reliable, but are presented without express or implied
warranty. The information in this document is proprietary to Nortel.
Trademarks
Nortel, Nortel (Logo), the Globemark, and This is the way, This is Nortel (Design mark) are trademarks of Nortel.
Microsoft, MS, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation.
All other trademarks and registered trademarks are the property of their respective owners.
NN47922-501
3
Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Text conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Hard-copy technical manuals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
How to get help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
USA and Canada Authorized Distributors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Technical Support - GNTS/GNPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Presales Support (CSAN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
EMEA (Europe, Middle East, Africa) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Technical Support - CTAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
CALA (Caribbean & Latin America) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Technical Support - CTAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
APAC (Asia Pacific) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Technical Support - GNTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Chapter 1
Getting to know your Nortel Business Secure Router 222 . . . . . . . . . . . . 31
Introducing the Nortel Business Secure Router 222 . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Physical features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
4-Port switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Autonegotiating 10/100 Mb/s Ethernet LAN . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Autosensing 10/100 Mb/s Ethernet LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Autonegotiating 10/100 Mb/s Ethernet WAN . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Auxiliary port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Time and date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Reset button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Nortel Business Secure Router 222 Configuration — Advanced
4 Contents
Nonphysical features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
IPSec VPN capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Nortel Contivity Client Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
IEEE 802.1x for network security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Brute force password guessing protection . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Content filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Packet filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Universal Plug and Play (UPnP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Call scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
PPTP Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Dynamic DNS support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
IP Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
IP Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Central Network Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Traffic Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Port Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
DHCP (Dynamic Host Configuration Protocol) . . . . . . . . . . . . . . . . . . . . . . . . 37
Full network management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Road Runner support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Logging and tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Upgrade Business Secure Router Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Embedded FTP and TFTP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Applications for the Nortel Business Secure Router 222 . . . . . . . . . . . . . . . . . . . . . . . 39
Secure broadband internet access and VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Hardware Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
NN47922-501
Contents 5
Chapter 2
Introducing the SMT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Introduction to the SMT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Accessing the SMT via the console port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Initial screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Logging on to the SMT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Navigating the SMT interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Main menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Changing the system password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
SMT menus at a glance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
SMT menu 1 - general setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Introduction to general setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Configuring general setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Configuring dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Chapter 3
WAN and Dial Backup Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Introduction to WAN and dial backup setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
WAN setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Dial backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Configuring dial backup in menu 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Advanced WAN setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Remote node profile (Backup ISP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Editing PPP options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Editing TCP/IP options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Editing logon script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Remote node filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Chapter 4
LAN setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Introduction to LAN setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Accessing the LAN menus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
LAN port filter setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
TCP/IP and DHCP ethernet setup menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Nortel Business Secure Router 222 Configuration — Advanced
6 Contents
IP Alias Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Chapter 5
Internet access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Introduction to internet access setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Ethernet encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Configuring the PPTP client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Configuring the PPPoE client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Basic setup complete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Chapter 6
Remote Node setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Introduction to Remote Node setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Remote Node setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Remote Node profile setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Ethernet Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
PPPoE Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Outgoing Authentication Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Nailed-Up Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
PPTP Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Edit IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Remote Node filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Traffic Redirect setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Chapter 7
IP Static Route Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
IP Static Route Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Chapter 8
Dial-in User Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Dial-in User Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Chapter 9
Network Address Translation (NAT). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Using NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
NN47922-501
Contents 7
SUA (Single User Account) Versus NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Applying NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
NAT setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Address Mapping Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
SUA Address Mapping Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
User-Defined Address Mapping Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Ordering Your Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Configuring a server behind NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
General NAT examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Internet access only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Example 2: Internet access with an inside server . . . . . . . . . . . . . . . . . . . . . . . . 123
Example 3: Multiple public IP addresses with inside servers . . . . . . . . . . . . . . . 124
Configuring Trigger Port forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Chapter 10
Introducing the firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Using SMT menus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Activating the firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Chapter 11
Filter configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Introduction to filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Filter Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Configuring a Filter Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Configuring a Filter Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Configuring a TCP/IP Filter Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Configuring a Generic Filter Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Example Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Filter Types and NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Firewall Versus Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Applying a Filter
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Applying LAN Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Applying Remote Node Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Nortel Business Secure Router 222 Configuration — Advanced
8 Contents
Chapter 12
SNMP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
SNMP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Chapter 13
System security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
System security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
System password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Configuring external RADIUS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
IEEE 802.1x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Chapter 14
System information and diagnosis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Introduction to System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
System information and console port speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Console port speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Log and trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Syslog logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
CDR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Packet triggered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Filter log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
PPP log
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Firewall log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Call-Triggering packet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
WAN DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Chapter 15
Firmware and configuration file maintenance . . . . . . . . . . . . . . . . . . . . . 179
Filename conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Backup configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Backup configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Using the FTP command from the command line . . . . . . . . . . . . . . . . . . . . . . . . 181
NN47922-501
Contents 9
Example of FTP commands from the command line . . . . . . . . . . . . . . . . . . . . . . 182
GUI-based FTP clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
TFTP and FTP over WAN Management Limitations . . . . . . . . . . . . . . . . . . . . . . 183
Backup configuration using TFTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
TFTP command example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
GUI-based TFTP clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Back up via console port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Restore configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Restore Using FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Restore using FTP session example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Restore via console port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Uploading Firmware and Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Firmware file upload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Configuration file upload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
FTP file upload command from the DOS prompt example . . . . . . . . . . . . . . . . . 191
FTP Session Example of Firmware File Upload . . . . . . . . . . . . . . . . . . . . . . . . . 192
TFTP file upload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
TFTP upload command example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Uploading via console port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Uploading Firmware File Via Console Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Uploading Xmodem firmware using HyperTerminal . . . . . . . . . . . . . . . . . . . . . . 195
Uploading configuration file via console port . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Uploading Xmodem configuration file using HyperTerminal . . . . . . . . . . . . . . . . 197
Chapter 16
System Maintenance menus 8 to 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Command Interpreter mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Command syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Command usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Call control support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Budget management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Call History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Time and Date setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Resetting the Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Nortel Business Secure Router 222 Configuration — Advanced
10 Contents
Chapter 17
Remote Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Remote Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Remote Management Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Chapter 18
Call scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Appendix A
Setting up your computer IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Windows 95/98/Me . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Installing components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Configuring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Verifying Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Windows 2000/NT/XP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Verifying Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Macintosh OS 8/9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Verifying Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Macintosh OS X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Verifying settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Appendix B
Triangle Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
The Ideal Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
The Triangle Route Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
The Triangle Route Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
IP aliasing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Appendix C
Importing certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Import Business Secure Router certificates into Netscape Navigator . . . . . . . . . . . . 233
Importing the Business Secure Router Certificate into Internet Explorer . . . . . . . . . . 234
Enrolling and Importing SSL Client Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Using a certificate when accessing the Business Secure Router example . . . . . . . . 247
NN47922-501
Contents 11
Appendix D
PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
PPPoE in action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Benefits of PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Traditional dial-up scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
How PPPoE works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Business Secure Router as a PPPoE client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Appendix E
PPTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
What is PPTP? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
How can we transport PPP frames from a PC to a broadband modem over
Ethernet? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
PPTP and the Business Secure Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
PPTP protocol overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Control and PPP connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Call connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
PPP data connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Appendix F
Hardware specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Cable pin assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
AC Power Adapter Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Appendix G
IP subnetting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
IP addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
IP classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Subnet masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Subnetting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Example: two subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Example: four subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Example: eight subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Subnetting with Class A and Class B networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Nortel Business Secure Router 222 Configuration — Advanced
12 Contents
Appendix H
Command Interpreter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Command Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Command usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Sys commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Exit Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Ethernet Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
IP commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
IPSec commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Sys firewall commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Bandwidth management commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Certificates commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
IEEE 802.1X commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
RADIUS commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Appendix I
NetBIOS filter commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Display NetBIOS filter settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
NetBIOS filter configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Example commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Appendix J
Boot Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Appendix K
Log descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
VPN/IPSec logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
VPN responder IPSec log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Log commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Configuring what you want the Business Secure Router to log . . . . . . . . . . . . . . 333
Displaying logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Log command example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Appendix L
NN47922-501
Contents 13
Brute force password guessing protection. . . . . . . . . . . . . . . . . . . . . . . . 335
Appendix M
SIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
SIP Identities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
SIP Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
SIP Service Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
SIP Call Progression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
SIP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
SIP User Agent Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
SIP Proxy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
SIP Redirect Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
SIP Register Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
RTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Nortel Business Secure Router 222 Configuration — Advanced
14 Contents
NN47922-501
15
Figures
Figure 1
Secure Internet Access and VPN Application . . . . . . . . . . . . . . . . . . . . . 39
Figure 2
Initial screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Figure 3
SMT Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Figure 4
Main menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Figure 5
Menu 23.1 System Security: Change Password . . . . . . . . . . . . . . . . . . . 45
Figure 6
SMT overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Figure 7
menu 1: general setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Figure 8
Configure dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Figure 9
Menu 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Figure 10
Menu 2: dial backup setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Figure 11
Menu 2.1 advanced WAN setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Figure 12
Menu 11.2 remote node profile (Backup ISP) . . . . . . . . . . . . . . . . . . . . . . 60
Figure 13
Menu 11.2.1: Remote node PPP options . . . . . . . . . . . . . . . . . . . . . . . . . 63
Figure 14
Menu 11.2.2: remote node network layer options . . . . . . . . . . . . . . . . . . . 64
Figure 15
Menu 11.2.3: remote node setup script . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Figure 16
Menu 11.2.4: dial backup remote node filter . . . . . . . . . . . . . . . . . . . . . . . 69
Figure 17
Menu 3: LAN setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Figure 18
Menu 3.1: LAN port filter setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Figure 19
Menu 3: TCP/IP and DHCP setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Figure 20
Figure 21-4 menu 3.2: TCP/IP and DHCP Ethernet setup . . . . . . . . . . . . 73
Figure 21
Menu 3.2.1: IP Alias setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Figure 22
Menu 4: internet access setup (Ethernet) . . . . . . . . . . . . . . . . . . . . . . . . 80
Figure 23
Internet access setup (PPTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Figure 24
Internet access setup (PPPoE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Figure 25
Menu 11 Remote Node Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Figure 26
Menu 11.1: Remote Node profile for Ethernet Encapsulation . . . . . . . . . . 87
Figure 27
Menu 11.1: Remote Node profile for PPPoE Encapsulation . . . . . . . . . . . 89
Figure 28
Menu 11.1: Remote Node Profile for PPTP Encapsulation . . . . . . . . . . . 91
Nortel Business Secure Router 222 Configuration — Advanced
16 Figures
Figure 29
Menu 11.1.2: Remote Node Network Layer Options for Ethernet
Encapsulation 93
Figure 30
Menu 11.1.4: Remote Node filter (Ethernet Encapsulation) . . . . . . . . . . . 96
Figure 31
Menu 11.1.4: Remote Node filter (PPPoE or PPTP Encapsulation) . . . . . 96
Figure 32
Menu 11.1: Remote Node Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Figure 33
Menu 11.1.5: Traffic Redirect setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Figure 34
Menu 12: IP Static Route Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Figure 35
Menu 12. 1: Edit IP Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Figure 36
Menu 14- Dial-in User Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Figure 37
Menu 14.1- Edit Dial-in User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Figure 38
Menu 4: Applying NAT for Internet Access . . . . . . . . . . . . . . . . . . . . . . . 108
Figure 39
Menu 11.1.2: Applying NAT to the Remote Node . . . . . . . . . . . . . . . . . . 109
Figure 40
Menu 15: NAT Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Figure 41
Menu 15.1: Address Mapping Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Figure 42
Menu 15.1.255: SUA Address Mapping Rules . . . . . . . . . . . . . . . . . . . . 112
Figure 43
Menu 15.1.1: First Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Figure 44
Menu 15.1.1.1: Editing or configuring an individual rule in a set . . . . . . 116
Figure 45
Menu 15.2: NAT Server Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Figure 46
15.2.1: NAT Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Figure 47
Menu 15.2: NAT Server Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Figure 48
Multiple servers behind NAT example . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Figure 49
NAT Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Figure 50
Menu 4: Internet access & NAT example . . . . . . . . . . . . . . . . . . . . . . . . 122
Figure 51
NAT Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Figure 52
Menu 15.2: Specifying an inside server . . . . . . . . . . . . . . . . . . . . . . . . . 124
Figure 53
NAT example 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Figure 54
Example 3: Menu 11.1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Figure 55
Example 3: Menu 15.1.1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Figure 56
Example 3: Final Menu 15.1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Figure 57
Example 3: Menu 15.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Figure 58
Menu 15.3: Trigger Port Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Figure 59
Menu 21: Filter and Firewall Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Figure 60
Menu 21.2: Firewall Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Figure 61
Outgoing packet filtering process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Figure 62
Filter rule process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
NN47922-501
Figures 17
Figure 63
Menu 21: Filter and Firewall Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Figure 64
Menu 21.1: Filter Set Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Figure 65
Menu 21.1.1.1: TCP/IP Filter Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Figure 66
Executing an IP filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Figure 67
Menu 21.1.1.1: Generic Filter Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Figure 68
Telnet filter Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Figure 69
Example Filter: Menu 21.1.3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Figure 70
Example Filter Rules Summary: Menu 21.1.3 . . . . . . . . . . . . . . . . . . . . 150
Figure 71
Protocol and Device Filter Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Figure 72
Filtering LAN Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Figure 73
Filtering Remote Node Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Figure 74
Menu 22: SNMP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Figure 75
Menu 23 System security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Figure 76
Menu 23 system security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Figure 77
Menu 23.2 System Security: RADIUS server . . . . . . . . . . . . . . . . . . . . . 160
Figure 78
Menu 23 System Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Figure 79
Menu 23.4 System Security: IEEE802.1x . . . . . . . . . . . . . . . . . . . . . . . . 162
Figure 80
Menu 24: System Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Figure 81
Menu 24.1: System Maintenance: Status
Figure 82
Menu 24.1 — System Maintenance — Status . . . . . . . . . . . . . . . . . . . . 167
Figure 83
System Information and Console Port Speed . . . . . . . . . . . . . . . . . . . . . 169
Figure 84
Menu 24.2.1: System Maintenance Information
Figure 85
Menu 24.2.2: System Maintenance: Change Console Port Speed . . . . 171
Figure 86
Menu 24.3: System Maintenance: Log and Trace . . . . . . . . . . . . . . . . . 171
Figure 87
Menu 24.3.2: System Maintenance: Syslog Logging . . . . . . . . . . . . . . . 172
. . . . . . . . . . . . . . . . . . . . . . . 167
. . . . . . . . . . . . . . . . . . 170
Figure 88
Call-Triggering packet example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Figure 89
Menu 24.4: System Maintenance: Diagnostic . . . . . . . . . . . . . . . . . . . . 177
Figure 90
WAN & LAN DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Figure 91
Menu 24.5 - System Maintenance - Backup Configuration . . . . . . . . . . 181
Figure 92
FTP Session Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Figure 93
Menu 24.5 System Maintenance: Backup Configuration . . . . . . . . . . . . 185
Figure 94
Menu 24.5 System Maintenance: Starting Xmodem Download Screen . 185
Figure 95
Backup Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Figure 96
Successful Backup Confirmation Screen . . . . . . . . . . . . . . . . . . . . . . . . 186
Figure 97
Telnet into Menu 24.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Nortel Business Secure Router 222 Configuration — Advanced
18 Figures
Figure 98
Restore using FTP session example . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Figure 99
System Maintenance: Restore Configuration . . . . . . . . . . . . . . . . . . . . . 188
Figure 100 System Maintenance: Starting Xmodem Download Screen . . . . . . . . . . 189
Figure 101 Successful Restoration Confirmation Screen . . . . . . . . . . . . . . . . . . . . . 189
Figure 102 Telnet Into Menu 24.7.1 Upload System Firmware . . . . . . . . . . . . . . . . 190
Figure 103 Telnet Into Menu 24.7.2 System Maintenance
. . . . . . . . . . . . . . . . . . . 191
Figure 104 FTP Session Example of Firmware File Upload . . . . . . . . . . . . . . . . . . . 192
Figure 105 Menu 24.7.1 as seen using the Console Port . . . . . . . . . . . . . . . . . . . . . 194
Figure 106 Example Xmodem Upload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Figure 107 Menu 24.7.2 as seen using the Console Port . . . . . . . . . . . . . . . . . . . . 196
Figure 108 Example Xmodem Upload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Figure 109 Command mode in Menu 24 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Figure 110 Valid commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Figure 111 Call Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Figure 112 Budget Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Figure 113 Call History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Figure 114 Menu 24: System Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Figure 115 Menu 24.10 System Maintenance: Time and Date Setting . . . . . . . . . . 206
Figure 116 Menu 24.11 – Remote Management Control . . . . . . . . . . . . . . . . . . . . . 210
Figure 117 Menu 26 Schedule Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Figure 118 Menu 26.1 Schedule Set Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Figure 119 Applying Schedule Sets to a Remote Node (PPPoE) . . . . . . . . . . . . . . . 216
Figure 120 WIndows 95/98/Me: network: configuration . . . . . . . . . . . . . . . . . . . . . . 218
Figure 121 Windows 95/98/Me: TCP/IP properties: IP address . . . . . . . . . . . . . . . . 219
Figure 122 Windows 95/98/Me: TCP/IP Properties: DNS configuration . . . . . . . . . . 220
Figure 123 Windows XP: Start menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Figure 124 Windows XP: Control Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Figure 125 Windows XP: Control Panel: Network Connections: Properties . . . . . . . 222
Figure 126 Windows XP: Local Area Connection Properties . . . . . . . . . . . . . . . . . . 222
Figure 127 Windows XP: Advanced TCP/IP settings . . . . . . . . . . . . . . . . . . . . . . . . 223
Figure 128 Windows XP: Internet Protocol (TCP/IP) properties . . . . . . . . . . . . . . . . 224
Figure 129 Macintosh OS 8/9: Apple Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Figure 130 Macintosh OS 8/9: TCP/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Figure 131 Macintosh OS X: Apple menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Figure 132 Macintosh OS X: Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
NN47922-501
Figures 19
Figure 133 Ideal Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Figure 134 Triangle Route Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Figure 135 IP Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Figure 136 Security Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Figure 137 Login Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Figure 138 Certificate General Information before Import . . . . . . . . . . . . . . . . . . . . 235
Figure 139 Certificate Import Wizard 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Figure 140 Certificate Import Wizard 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Figure 141 Certificate Import Wizard 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Figure 142 Root Certificate Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Figure 143 Certificate General Information after Import . . . . . . . . . . . . . . . . . . . . . . 239
Figure 144 Business Secure Router Trusted CA screen . . . . . . . . . . . . . . . . . . . . . 240
Figure 145 CA certificate example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Figure 146 Personal certificate import wizard 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Figure 147 Personal certificate import wizard 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Figure 148 Personal certificate import wizard 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Figure 149 Personal certificate import wizard 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Figure 150 Personal certificate import wizard 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Figure 151 Personal certificate import wizard 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Figure 152 Access the Business Secure Router via HTTPS . . . . . . . . . . . . . . . . . . 247
Figure 153 SSL client authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Figure 154 Business Secure Router secure login screen . . . . . . . . . . . . . . . . . . . . . 248
Figure 155 Single-PC per Router Hardware Configuration . . . . . . . . . . . . . . . . . . . . 250
Figure 156 Business Secure Router as a PPPoE Client . . . . . . . . . . . . . . . . . . . . . 251
Figure 157 Transport PPP frames over Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Figure 158 Business Secure Router as a PPTP client . . . . . . . . . . . . . . . . . . . . . . . 254
Figure 159 PPTP protocol overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Figure 160 Example message exchange between PC and an ANT . . . . . . . . . . . . . 256
Figure 161 Console or dial backup port pin layouts . . . . . . . . . . . . . . . . . . . . . . . . . 258
Figure 162 Ethernet cable pin assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Figure 163 NetBIOS Display Filter Settings Command Example . . . . . . . . . . . . . . . 310
Figure 164 Option to Enter Debug Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Figure 165 Boot Module Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Figure 166 Example VPN initiator IPSec log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Figure 167 Example VPN responder IPSec log . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Nortel Business Secure Router 222 Configuration — Advanced
20 Figures
Figure 168 SIP User Agent Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Figure 169 SIP Proxy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Figure 170 SIP Redirect Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Figure 171 Business Secure Router SIP ALG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
NN47922-501
21
Tables
Table 1
Feature Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Table 2
Main menu commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Table 3
Main menu summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Table 4
General setup menu fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Table 5
Configure dynamic DNS menu fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Table 6
MAC address cloning in WAN setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Table 7
Menu 2: dial backup setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Table 8
Advanced WAN port setup: AT commands fields . . . . . . . . . . . . . . . . . . . 58
Table 9
Fields in menu 11.2 remote node profile (Backup ISP) . . . . . . . . . . . . . . 60
Table 10
Remote node PPP options menu fields . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Table 11
Remote node network layer options menu fields . . . . . . . . . . . . . . . . . . . 64
Table 12
Menu 11.2.3: remote node script menu fields . . . . . . . . . . . . . . . . . . . . . . 68
Table 13
DHCP Ethernet setup menu fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Table 14
LAN TCP/IP setup menu fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Table 15
IP Alias setup menu field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Table 16
Menu 4: internet access setup menu fields . . . . . . . . . . . . . . . . . . . . . . . 80
Table 17
New fields in menu 4 (PPTP) Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Table 18
New fields in menu 4 (PPPoE) screen . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Table 19
Fields in menu 11.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Table 20
Fields in Menu 11.1 (PPPoE Encapsulation Specific) . . . . . . . . . . . . . . . . 90
Table 21
Fields in Menu 11.1 (PPTP Encapsulation) . . . . . . . . . . . . . . . . . . . . . . . 91
Table 22
Remote Node Network Layer Options Menu Fields . . . . . . . . . . . . . . . . . 93
Table 23
Menu 11.1: Remote Node profile (Traffic Redirect Field) . . . . . . . . . . . . . 97
Table 24
Menu 11.1.5: Traffic Redirect setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Table 25
IP Static Route Menu Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Table 26
Menu 14.1- Edit Dial-in User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Table 27
Applying NAT in Menus 4 & 11.1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Table 28
SUA Address Mapping Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Table 29
Fields in menu 15.1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Nortel Business Secure Router 222 Configuration — Advanced
22 Tables
Table 30
Menu 15.1.1.1: Editing or configuring an individual rule in a set . . . . . . 116
Table 31
15.2.1: NAT Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Table 32
Menu 15.3: Trigger Port setup description . . . . . . . . . . . . . . . . . . . . . . . 130
Table 33
Abbreviations used in the Filter Rules Summary Menu . . . . . . . . . . . . . 140
Table 34
Rule abbreviations used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Table 35
TCP/IP Filter Rule Menu fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Table 36
Generic Filter Rule Menu fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Table 37
SNMP Configuration Menu Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Table 38
SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Table 39
Menu 23.2 System Security: RADIUS Server . . . . . . . . . . . . . . . . . . . . . 161
Table 40
Menu 23.4 System Security: IEEE802.1x . . . . . . . . . . . . . . . . . . . . . . . . 163
Table 41
System Maintenance: Status Menu Fields . . . . . . . . . . . . . . . . . . . . . . . 167
Table 42
Fields in System Maintenance: Information . . . . . . . . . . . . . . . . . . . . . . 170
Table 43
System Maintenance Menu Syslog Parameters . . . . . . . . . . . . . . . . . . . 172
Table 44
System Maintenance menu diagnostic . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Table 45
Filename Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Table 46
General commands for GUI-based FTP clients . . . . . . . . . . . . . . . . . . . 182
Table 47
General commands for GUI-based TFTP clients . . . . . . . . . . . . . . . . . . 184
Table 48
Valid commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Table 49
Budget management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Table 50
Call History Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Table 51
Time and Date Setting Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Table 52
Menu 24.11 – Remote Management control . . . . . . . . . . . . . . . . . . . . . . 210
Table 53
Menu 26.1 Schedule Set Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Table 54
General specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Table 55
Console or dial backup port pin assignments . . . . . . . . . . . . . . . . . . . . . 258
Table 57
Allowed IP address range By class . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Table 56
Classes of IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Table 58
Natural Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Table 59
Alternative Subnet Mask Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Table 60
Subnet 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Table 61
Subnet 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Table 62
Subnet 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Table 63
Subnet 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Table 66
Eight subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
NN47922-501
Tables 23
Table 64
Subnet 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Table 65
Subnet 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Table 67
Class C subnet planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Table 68
Class B subnet planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Table 69
Sys commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Table 70
Exit Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Table 71
Ether Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Table 72
IP commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Table 73
IPSec commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Table 74
Sys firewall commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Table 75
Bandwidth management commands . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Table 76
Certificates commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Table 77
IEEE 802.1X commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Table 78
RADIUS commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Table 79
NetBIOS filter default settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Table 80
System error logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Table 81
System maintenance logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Table 82
UPnP logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Table 83
Content filtering logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Table 84
Attack logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Table 85
Access logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Table 86
ACL setting notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Table 87
ICMP notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Table 88
Sys log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Table 89
Sample IKE key exchange logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Table 90
Sample IPSec logs during packet transmission . . . . . . . . . . . . . . . . . . . 328
Table 91
RFC-2408 ISAKMP payload types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Table 92
PKI logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Table 93
Certificate path verification failure reason codes . . . . . . . . . . . . . . . . . . 330
Table 94
IEEE 802.1X logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Table 95
Log categories and available settings . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Table 96
Brute force password guessing protection commands . . . . . . . . . . . . . . 335
Table 97
SIP Call Progression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Nortel Business Secure Router 222 Configuration — Advanced
24 Tables
NN47922-501
25
Preface
Before you begin
This guide is designed to assist you with advanced configuration of your Business
Secure Router for its various applications.
Note: This guide explains how to use the System Management Terminal
(SMT) or the command interpreter interface to configure your Business
Secure Router. See the basic manual for how to use the WebGUI to
configure your Business Secure Router. Not all features can be
configured through all interfaces.
The SMT parts of this manual contain background information solely on features
not configurable by the WebGUI. The WebGUI parts of the basic manual contain
background information on features configurable by the WebGUI and the SMT.
Text conventions
This guide uses the following text conventions:
Enter means for you to type one or more characters and press the [ENTER] key.
Select or Choose means for you to use one of the predefined choices.
The SMT menu titles and labels are written in Bold Times New Roman font.
Menu choices are written in Bold Arial font.
Nortel Business Secure Router 222 Configuration — Advanced
26
Preface
A single keystroke is written in Arial font and enclosed in square brackets, for
instance, [ENTER] means the Enter key; [ESC] means the escape key and
[SPACE BAR] means the space bar. [UP] and [DOWN] are the up and down
arrow keys.
Mouse action sequences are denoted using a comma. For example, “click the
Apple icon, Control Panels and then Modem” means first click the Apple icon,
then point your mouse pointer to Control Panels and then click Modem.
Related publications
For more information about using the Business Secure Router VPN Switch, refer
to the following publications:
•
Nortel Business Secure Router 222 — Fundamentals (NN47922-301)
The Fundamentals guide is designed to help you get up and running right
away. It contains connection information and instructions on getting started.
•
Nortel Business Secure Router 222 Configuration — Basics (NN47922-500)
The basic manual covers how to use the WebGUI to configure your Business
Secure Router.
•
WebGUI Online Help
Embedded WebGUI help for descriptions of individual screens and
supplementary information
Hard-copy technical manuals
You can print selected technical manuals and release notes free, directly from the
Internet. Go to www.nortel.com/documentation. Find the product for which you
need documentation. Then locate the specific category and model or version for
your hardware or software product. Use Adobe Reader to open the manuals and
release notes, search for the sections you need, and print them on most standard
printers. Go to Adobe Systems at www.adobe.com to download a free copy of the
Adobe Reader.
NN47922-501
Preface
27
How to get help
If you do not see an appropriate number in this list, go to www.nortel.com/cs.
USA and Canada Authorized Distributors
Technical Support - GNTS/GNPS
Telephone:
1-800-4NORTEL (1-800-466-7835)
If you already have a PIN Code, you can enter Express Routing Code (ERC) 196#. If you
do not yet have a PIN Code, or for general questions and first line support, you can enter
ERC 338#.
Web Site:
www.nortel.com/cs
Presales Support (CSAN)
Telephone:
1-800-4NORTEL (1-800-466-7835)
Use Express Routing Code (ERC) 1063#
EMEA (Europe, Middle East, Africa)
Technical Support - CTAS
Telephone:
*European Free phone 00800 800 89009
European Alternative:
United Kingdom
+44 (0)870-907-9009
Africa
+27-11-808-4000
Israel
800-945-9779
Calls are not free from all countries in Europe, Middle East, or Africa.
Nortel Business Secure Router 222 Configuration — Advanced
28
Preface
Fax:
44-191-555-7980
E-mail:
[email protected]
CALA (Caribbean & Latin America)
Technical Support - CTAS
Telephone:
1-954-858-7777
E-mail:
[email protected]
APAC (Asia Pacific)
Service Business Centre & Pre-Sales Help Desk:
+61-2-8870-5511 (Sydney)
Technical Support - GNTS
Telephone:
+612 8870 8800
Fax:
+612 8870 5569
E-mail:
[email protected]
Australia
1-800-NORTEL (1-800-667-835)
China
010-6510-7770
India
011-5154-2210
Indonesia
0018-036-1004
Japan
0120-332-533
Malaysia
1800-805-380
New Zealand
0800-449-716
NN47922-501
Preface
Philippines
1800-1611-0063
Singapore
800-616-2004
South Korea
0079-8611-2001
Taiwan
0800-810-500
Thailand
001-800-611-3007
Service Business Centre &
Pre-Sales Help Desk
+61-2-8870-5511
29
Nortel Business Secure Router 222 Configuration — Advanced
30
Preface
NN47922-501
31
Chapter 1
Getting to know your Nortel Business Secure
Router 222
This chapter introduces the main features and applications of the Business Secure
Router.
Introducing the Nortel Business Secure Router 222
The Nortel Business Secure Router 222 is an ideal secure gateway for all data
passing between the Internet and the Local Area Network (LAN).
By integrating Network Address Translation (NAT), firewall and Virtual Private
Network (VPN) capability, the Business Secure Router is a complete security
solution that protects your Intranet and efficiently manages data traffic on your
network.
The embedded WebGUI assists in easy setup and management of the Business
Secure Router via an Internet browser.
Features
This section lists the key features of the Business Secure Router.
Table 1 Feature Specifications
Feature
Specification
Number of static routes
12
Number of NAT sessions
4096
Number of SUA servers
12
Nortel Business Secure Router 222 Configuration — Advanced
32 Chapter 1 Getting to know your Nortel Business Secure Router 222
Table 1 Feature Specifications
Feature
Specification
Number of address mapping rules
10
Maximum number of VPN IP Policies
60
Maximum number of concurrent VPN IPSec Connections
60
Number of IP pools can be used to assign IP addresses to remote users 3
for VPN client termination
Number of configurable split networks for VPN client termination
16
Number of configurable inverse split networks for VPN client termination
16
Number of configurable subnets per split network for VPN client
termination
64
Physical features
4-Port switch
A combination of switch and router makes your Nortel Business Secure Router
222 a cost effective and viable network solution. You can connect up to four
computers or phones to the Business Secure Router without the cost of a switch.
Use a switch to add more than four computers or phones to your LAN.
Autonegotiating 10/100 Mb/s Ethernet LAN
The LAN interfaces automatically detect if they are on a 10 or a 100 Mb/s
Ethernet.
Autosensing 10/100 Mb/s Ethernet LAN
The LAN interfaces automatically adjust to either a crossover or straight through
Ethernet cable.
Autonegotiating 10/100 Mb/s Ethernet WAN
The 10/100 Mb/s Ethernet WAN port attaches to the Internet via broadband
modem or router and automatically detects if it is on a 10 or a 100 Mb/s Ethernet.
NN47922-501
Chapter 1 Getting to know your Nortel Business Secure Router 222 33
Auxiliary port
The Business Secure Router uses the same port for console management and for
an auxiliary WAN backup. The AUX port can be used in reserve as a traditional
dial-up connection when or if ever the broadband connection to the WAN port
fails.
Time and date
Using the Business Secure Router, you can get the current time and date from an
external server when you turn on your Business Secure Router. You can also set
the time manually.
Reset button
The Business Secure Router reset button is built into the rear panel. Use this
button to restart the Business Secure Router or restore the factory default
password to PlsChgMe!, IP address to 192.168.1.1, subnet mask to
255.255.255.0, and DHCP server enabled with a pool of 126 IP addresses starting
at 192.168.1.2.
Nonphysical features
IPSec VPN capability
Establish Virtual Private Network (VPN) tunnels to connect home or office
computers to your company network using data encryption and the Internet; thus
providing secure communications without the expense of leased site-to-site lines.
VPN is based on the IPSec standard and is fully interoperable with other
IPSec-based VPN products.
Nortel Contivity Client Termination
The Business Secure Router supports VPN connections from computers using
Nortel Contivity VPN Client 3.0, 5.01, 5.11, 6.01, 6.02, or 7.01 software.
Nortel Business Secure Router 222 Configuration — Advanced
34 Chapter 1 Getting to know your Nortel Business Secure Router 222
Certificates
The Business Secure Router can use certificates (also called digital IDs) to
authenticate users. Certificates are based on public-private key pairs. Certificates
provide a way to exchange public keys for use in authentication.
SSH
The Business Secure Router uses the SSH (Secure Shell) secure communication
protocol to provide secure encrypted communication between two hosts over an
unsecured network.
HTTPS
HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL is a
web protocol that encrypts and decrypts web sessions. Use HTTPS for secure
WebGUI access to the Business Secure Router.
IEEE 802.1x for network security
The Business Secure Router supports the IEEE 802.1x standard for user
authentication. With the local user profile in the Business Secure Router, you can
configure up 32 user profiles without a network authentication server. In addition,
centralized user and accounting management is possible on an optional network
authentication server.
Firewall
The Business Secure Router has a stateful inspection firewall with DoS (Denial of
Service) protection. By default, when the firewall is activated, all incoming traffic
from the WAN to the LAN is blocked unless it is initiated from the LAN. The
Business Secure Router firewall supports TCP/UDP inspection, DoS detection
and protection, real time alerts, reports and logs.
NN47922-501
Chapter 1 Getting to know your Nortel Business Secure Router 222 35
Brute force password guessing protection
The Business Secure Router has a special protection mechanism to discourage
brute force password guessing attacks on the Business Secure Router’s
management interfaces. You can specify a wait time that must expire before you
can enter a fourth password after entering three incorrect passwords.
Content filtering
The Business Secure Router can block web features such as ActiveX controls,
Java applets, and cookies, as well as disable web proxies. The Business Secure
Router can block specific URLs by using the keyword feature. The administrator
can also define time periods and days during which content filtering is enabled.
Packet filtering
The packet filtering mechanism blocks unwanted traffic from entering or leaving
your network.
Universal Plug and Play (UPnP)
Using the standard TCP/IP protocol, the Business Secure Router and other
UPnP-enabled devices can dynamically join a network, obtain an IP address, and
convey its capabilities to other devices on the network.
Call scheduling
Configure call time periods to restrict and allow access for users on remote nodes.
PPPoE
PPPoE facilitates the interaction of a host with an Internet modem to achieve
access to high-speed data networks via a familiar dial-up networking user
interface.
Nortel Business Secure Router 222 Configuration — Advanced
36 Chapter 1 Getting to know your Nortel Business Secure Router 222
PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables
secure transfer of data from a remote client to a private server, creating a Virtual
Private Network (VPN) using a TCP/IP-based network.
PPTP supports on-demand, multiprotocol, and virtual private networking over
public networks, such as the Internet. The Business Secure Router supports one
PPTP server connection at any given time.
Dynamic DNS support
With Dynamic DNS (Domain Name System) support, you can have a static host
name alias for a dynamic IP address, so the host is more easily accessible from
various locations on the Internet. You must register for this service with a
Dynamic DNS service provider.
IP Multicast
The Business Secure Router can use IP multicast to deliver IP packets to a specific
group of hosts. IGMP (Internet Group Management Protocol) is the protocol used
to support multicast groups. The Business Secure Router supports versions 1 and
2.
IP Alias
Using IP Alias, you can partition a physical network into logical networks over
the same Ethernet interface. The Business Secure Router supports three logical
LAN interfaces via its single physical Ethernet LAN interface with the Business
Secure Router itself as the gateway for each LAN network.
Central Network Management
With Central Network Management (CNM), an enterprise or service provider
network administrator can manage your Business Secure Router. The enterprise
or service provider network administrator can configure your Business Secure
Router, perform firmware upgrades, and do troubleshooting for you.
NN47922-501
Chapter 1 Getting to know your Nortel Business Secure Router 222 37
SNMP
SNMP (Simple Network Management Protocol) is a protocol used for exchanging
management information between network devices. SNMP is a member of the
TCP/IP protocol suite. Your Business Secure Router supports SNMP agent
functionality, which means that a manager station can manage and monitor the
Business Secure Router through the network. The Business Secure Router
supports SNMP versions 1 and 2 (SNMPv1 and SNMPv2).
Network Address Translation (NAT)
NAT (Network Address Translation — NAT, RFC 1631) translate multiple IP
addresses used within one network to different IP addresses known within another
network.
Traffic Redirect
Traffic Redirect forwards WAN traffic to a backup gateway when the Business
Secure Router cannot connect to the Internet, thus acting as an auxiliary backup
when your regular WAN connection fails.
Port Forwarding
Use this feature to forward incoming service requests to a server on your local
network. You can enter a single port number or a range of port numbers to be
forwarded, and the local IP address of the desired server.
DHCP (Dynamic Host Configuration Protocol)
With DHCP (Dynamic Host Configuration Protocol), individual client computers
can obtain the TCP/IP configuration at start-up from a centralized DHCP server.
The Business Secure Router has built in DHCP server capability, enabled by
default, which means it can assign IP addresses, an IP default gateway, and DNS
servers to all systems that support the DHCP client. The Business Secure Router
can also act as a surrogate DHCP server, where it relays IP address assignment
from another DHCP server to the clients.
Nortel Business Secure Router 222 Configuration — Advanced
38 Chapter 1 Getting to know your Nortel Business Secure Router 222
Full network management
The embedded web configurator is an all platform, web based utility that you can
use to easily manage and configure the Business Secure Router. Most functions of
the Business Secure Router are also software configurable via the SMT (System
Management Terminal) interface. The SMT is a menu driven interface that you
can access from a terminal emulator through the console port or over a Telnet
connection.
Road Runner support
In addition to standard cable modem services, the Business Secure Router
supports Time Warner’s Road Runner Service.
Logging and tracing
The Business Secure Router supports the following logging and tracing functions
to help with management:
•
•
Built in message logging and packet tracing
Unix syslog facility support
Upgrade Business Secure Router Firmware
The firmware of the Business Secure Router can be upgraded via the console port
or the LAN.
Embedded FTP and TFTP Servers
The Business Secure Router’s embedded FTP and TFTP Servers enable fast
firmware upgrades, as well as configuration file backups and restoration.
NN47922-501
Chapter 1 Getting to know your Nortel Business Secure Router 222 39
Applications for the Nortel Business Secure Router 222
Secure broadband internet access and VPN
You can connect a cable, DSL, or other modem to the Nortel Business Secure
Router 222 via Ethernet WAN port for broadband Internet access. The Business
Secure Router also provides IP address sharing and a firewall protected local
network with traffic management.
VPN is an ideal, cost effective way to connect branch offices and business
partners over the Internet without the need (and expense) of leased lines between
sites. The LAN computers can share the VPN tunnels for secure connections to
remote computers.
Figure 1 Secure Internet Access and VPN Application
Business Secure Router
Nortel Business Secure Router 222 Configuration — Advanced
40 Chapter 1 Getting to know your Nortel Business Secure Router 222
Hardware Setup
Refer to Nortel Business Secure Router 222 — Fundamentals (NN47922-301) for
hardware connection instructions.
Note: To keep the Business Secure Router operating at optimal internal
temperature, keep the bottom, sides, and rear clear of obstructions and
away from the exhaust of other equipment.
After installing your Nortel Business Secure Router 222, continue with the rest of
this guide for configuration instructions.
NN47922-501
41
Chapter 2
Introducing the SMT
This chapter explains how to access the System Management Terminal and gives
an overview of its menus.
Introduction to the SMT
The Business Secure Router SMT (System Management Terminal) is a
menu-driven interface that you can access from a terminal emulator through the
console port or over a Telnet connection. This chapter shows you how to access
the SMT (System Management Terminal) menus via the console port, how to
navigate the SMT, and how to configure SMT menus.
Accessing the SMT via the console port
Make sure you have the physical connection properly set up as described in the
hardware installation chapter.
When configuring using the console port, you need a computer equipped with
communications software configured to the following parameters:
•
•
•
VT100 terminal emulation
9 600 baud
No parity, 8 data bits, 1 stop bit, flow control set to none
Initial screen
When you turn on your Business Secure Router, it performs several internal tests
as well as line initialization.
Nortel Business Secure Router 222 Configuration — Advanced
42 Chapter 2 Introducing the SMT
After the tests, the Business Secure Router asks you to press [ENTER] to continue,
as shown in Figure 2.
Figure 2 Initial screen
initialize ch =0, ethernet address: 00:A0:C5:22:1A:03
initialize ch =1, ethernet address: 00:A0:C5:22:1A:04
Press ENTER to continue...
Logging on to the SMT
The logon screen appears after you press [ENTER], prompting you to enter the
username, as shown in Figure 3.
Type the username (nnadmin is the default) and press [ENTER].
The logon screen prompts you to enter the password.
Figure 3 SMT Login
Enter Username : XXXX
Enter Password : XXXX
Type the password (PlsChgMe! is the default) and press [ENTER]. As you type
the password, the screen displays an X for each character you type.
Note that if there is no activity for longer than five minutes after you log on, your
Business Secure Router will automatically log you off and display a blank screen.
If you see a blank screen, press [ENTER] to bring up the logon screen again.
Navigating the SMT interface
The SMT is an interface that you use to configure your Business Secure Router.
NN47922-501
Chapter 2 Introducing the SMT 43
Table 2 lists several operations you must be familiar with before attempting to
modify the configuration.
Table 2 Main menu commands
Operations
Keystrokes
Descriptions
Move down to
another menu
[ENTER]
To move forward to a submenu, type in the
number of the desired submenu and press
[ENTER].
Move up to a
previous menu
[ESC]
Press the [ESC] key to move back to the
previous menu.
Move to a
“hidden” menu
Press [SPACE BAR] Fields beginning with “Edit” lead to hidden
to change No to Yes menus and have a default setting of No. Press
then press [ENTER]. [SPACE BAR] to change No to Yes, and then
press [ENTER] to go to a “hidden” menu.
Move the
cursor
[ENTER] or [UP] or
[DOWN] arrow keys
Within a menu, press [ENTER] to move to the
next field. You can also use the [UP] or [DOWN]
arrow keys to move to the previous or the next
fields, respectively.
When you are at the top of a menu, press the
[UP] arrow key to move to the bottom of a menu.
Entering
information
Fill in, or press
[SPACE BAR], then
press [ENTER] to
select from choices.
There are two types of fields. The first requires
you to type in the appropriate information. The
second allows you to cycle through the available
choices by pressing [SPACE BAR].
Required fields <? >
All fields with the symbol <?> must be filled in
order be able to save the new configuration.
N/A fields
<N/A>
Some of the fields in the SMT will show a <N/A>.
This symbol refers to an option that is Not
Applicable.
Save your
configuration
[ENTER]
Save your configuration by pressing [ENTER] at
the message “Press ENTER to confirm or ESC to
cancel”. Saving the data on the screen will take
you, in most cases, to the previous menu.
Make sure you save your settings in each screen
that you configure.
Exit the SMT
Type 99, then press
[ENTER].
Type 99 at the main menu prompt and press
[ENTER] to exit the SMT interface.
Main menu
After you enter the password, the SMT displays the Business Secure Router Main
Menu, as shown in Figure 4. Not all models have all the features shown.
Nortel Business Secure Router 222 Configuration — Advanced
44 Chapter 2 Introducing the SMT
Figure 4 Main menu
Business Secure Router Main Menu
Getting Started
1.
2.
3.
4.
Advanced Management
General Setup
WAN Setup
LAN Setup
Internet Access Setup
Advanced Applications
11. Remote Node Setup
12. Static Routing Setup
14. Dial-in User Setup
15. NAT Setup
21.
22.
23.
24.
26.
Filter and Firewall Setup
SNMP Configuration
System Security
System Maintenance
Schedule Setup
99.Exit
Enter Menu Selection Number:
Table 3 describes the fields in Figure 4.
Table 3 Main menu summary
NN47922-501
No.
Menu Title
Function
1
General Setup
Use this menu to set up dynamic DNS and
administrative information.
2
WAN Setup
Use this menu to clone a MAC address from a
computer on your LAN and configure the backup WAN
dial-up connection.
3
LAN Setup
Use this menu to apply LAN filters, configure LAN
DHCP and TCP/IP settings.
4
Internet Access Setup
Configure your Internet Access setup (Internet
address, gateway IP address, and logon) with this
menu.
11
Remote Node Setup
Use this menu to configure detailed remote node
settings (your ISP is also a remote node) as well as
apply WAN filters.
12
Static Routing Setup
Configure IP static routes in this menu.
14
Dial-in User Setup
Use this menu to configure the Dial-in User
information
15
NAT Setup
Use this menu to configure Network Address
Translation.
21
Filter and Firewall Setup
Configure filters, activate or deactivate the firewall,
and view the firewall log.
Chapter 2 Introducing the SMT 45
Table 3 Main menu summary
No.
Menu Title
Function
22
SNMP Configuration
Use this menu to configure SNMP-related parameters.
23
System Security
Use this menu to change your password and enable
network user authentication.
24
System Maintenance
From displaying system status to uploading firmware,
this menu provides comprehensive system
maintenance.
26
Schedule Setup
Use this menu to schedule outgoing calls.
99
Exit
Use this menu to exit (necessary for remote
configuration).
Changing the system password
To change the Business Secure Router administrator password:.
1
From the main menu, enter 23 to display Menu 23 – System Security.
2
Enter 1 to display Menu 23.1 – System Security – Change Password.
Figure 5 Menu 23.1 System Security: Change Password
Menu 23.1 – System Security – Change Password
Old Password= ****
New Password= ?
Retype to confirm= ?
Enter here to CONFIRM or ESC to CANCEL:
3
Type your existing system password in the Old Password field, and press
[ENTER].
4
Type your new system password in the New Password field (up to 30
characters), and press [ENTER].
5
Retype your new system password in the Retype to confirm field for
confirmation and press [ENTER].
Note that as you type a password, the screen displays an asterisk * for each
character you type.
Nortel Business Secure Router 222 Configuration — Advanced
46 Chapter 2 Introducing the SMT
SMT menus at a glance
Figure 6 SMT overview
NN47922-501
47
SMT menu 1 - general setup
Introduction to general setup
Menu 1 - general setup contains administrative and system-related information.
Configuring general setup
Enter 1 in the main menu to open Menu 1: general setup.
The Menu 1 - General Setup screen appears, as shown in Figure 7. Fill in the
required fields.
Figure 7 menu 1: general setup
Menu 1 - General Setup
System Name= Business Secure Router
Domain Name= www.nortel.com
First System DNS Server= From ISP
IP Address= N/A
Second System DNS Server= From ISP
IP Address= N/A
Third System DNS Server= From ISP
IP Address= N/A
Edit Dynamic DNS= No
Press ENTER to confirm or ESC to cancel:
Nortel Business Secure Router 222 Configuration — Advanced
48 Chapter 2 SMT menu 1 - general setup
Table 4 describes the fields in Figure 7.
Table 4 General setup menu fields
NN47922-501
Field
Description
Example
System name
Choose a descriptive name for identification purposes. Business
Nortel recommends you enter your computer name in Secure Router
this field. This name can be up to 30 alphanumeric
characters long. Spaces, dashes - and underscores _
are accepted.
Domain name
Enter the domain name (if you know it) here. If you
nortel.com
leave this field blank, the ISP assigns a domain name
via DHCP. You can go to menu 24.8 and type sys
domain name to see the current domain name used by
your router.
The domain name entered by you is given priority over
the ISP-assigned domain name. If you want to clear
this field just press [SPACE BAR] and then [ENTER].
Chapter 2 SMT menu 1 - general setup 49
Table 4 General setup menu fields
Field
Description
Example
First system
DNS server
DNS (Domain Name System) is for mapping a domain
name to its corresponding IP address and vice versa.
The DNS server is extremely important because
Second system without it, you must know the IP address of a machine
before you can access it. The Business Secure Router
DNS server
uses a system DNS server (in the order you specify
here) to resolve domain names for VPN, DDNS and
Third system
the time server.
DNS server
Press [SPACE BAR] and then [ENTER] to select an
option. Select From ISP if your ISP dynamically
assigns DNS server information (and the Business
Secure Router's WAN IP address). The IP Address
field below displays the (read-only) DNS server IP
address that the ISP assigns. If you chose From ISP,
but the Business Secure Router has a fixed WAN IP
address, From ISP changes to None after you save
your changes. If you select From ISP for the second
or third DNS server, but the ISP does not provide a
second or third IP address, From ISP changes to
None after you save your changes.
Select User-Defined if you have the IP address of a
DNS server. The IP address can be public or a private
address on your local LAN. Enter the DNS server's IP
address in the field to the right.
A User-Defined entry with the IP address set to
0.0.0.0 changes to None after you save your changes.
A duplicate User-Defined entry changes to None after
you save your changes.
Select None if you do not want to configure DNS
servers. If you do not configure a system DNS server,
you must use IP addresses when configuring VPN,
DDNS and the time server.
Select Private DNS if the DNS server has a private IP
address and is located behind a VPN peer. Enter the
DNS server IP address in the field to the right.
With a private DNS server, you must also configure
the first DNS server entry in SMT menu 3.1 to use
DNS Relay.
Nortel Business Secure Router 222 Configuration — Advanced
50 Chapter 2 SMT menu 1 - general setup
Table 4 General setup menu fields
Field
Description
Example
You must also configure a VPN branch office rule
since the Business Secure Router uses a VPN tunnel
when it relays DNS queries to the private DNS server.
One of the rule’s IP policies must include the LAN IP
address of the Business Secure Router as a local IP
address and the IP address of the DNS server as a
remote IP address.
A Private DNS entry with the IP address set to 0.0.0.0
changes to None after you click Apply. A duplicate
Private DNS entry changes to None after you save
your changes.
Edit dynamic
DNS
Press [SPACE BAR] and then [ENTER] to select Yes
or No (default). Select Yes to configure Menu 1.1:
Configure Dynamic DNS, discussed next.
No
(default)
After you complete this menu, press [ENTER] at the
prompt “Press ENTER to Confirm…” to save your
configuration, or press [ESC] at any time to cancel.
Configuring dynamic DNS
To configure Dynamic DNS, go to Menu 1: General Setup and press
[SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to
display Menu 1.1— Configure Dynamic DNS (Figure 8). Not all models have
every field shown.
NN47922-501
Chapter 2 SMT menu 1 - general setup 51
Figure 8 Configure dynamic DNS
Menu 1.1 - Configure Dynamic DNS
Service Provider= WWW.DynDNS.ORG
Active= No
DDNS Type= DynamicDNS
Host Name 1=
Host Name 2=
Host Name 3=
Username=
Password= ********
Enable Wildcard Option= No
Enable Off Line Option= N/A
IP Address Update Policy:
DDNS Server Auto Detect IP Address= No
Use Specified IP Address= No
Use IP Address= N/A
Press ENTER to confirm or ESC to cancel:
Follow the instructions in Table 5 to configure Dynamic DNS parameters.
Table 5 Configure dynamic DNS menu fields
Field
Description
Example
Service Provider
This is the name of your Dynamic DNS service
provider.
www.dyndns.org
(default)
Active
Press [SPACE BAR] to select Yes and then press
[ENTER] to make dynamic DNS active.
Yes
DDNS Type
Press [SPACE BAR] and then [ENTER] to select
DynamicDNS
DynamicDNS if you have a dynamic IP address.
(default)
Select StaticDNS if you have a static IP address.
Select CustomDNS to have dyns.org provide DNS
service for a domain name that you already have
from a source other than dyndns.org.
Host1-3
Enter your host names in the fields provided. You
can specify up to two host names separated by a
comma in each field.
me.dyndns.org
EMAIL
Enter your e-mail address.
mail@mailserver
User
Enter your username.
Password
Enter the password assigned to you.
Enable Wildcard
Your Business Secure Router supports DYNDNS
Wildcard. Press [SPACE BAR] and then [ENTER]
to select Yes or No This field is N/A when you
choose DDNS client as your service provider.
Nortel Business Secure Router 222 Configuration — Advanced
52 Chapter 2 SMT menu 1 - general setup
Table 5 Configure dynamic DNS menu fields
Field
Description
Offline
This field is only available when CustomDNS is
selected in the DDNS Type field. Press
[SPACE BAR] and then [ENTER] to select Yes.
When Yes is selected, http://www.dyndns.org/
Example
traffic is redirected to a URL that you have
previously specified (see www.dyndns.org for
details).
IP Address
Update Policy:
You can select Yes in either the DDNS Server
Auto Detect IP Address field (recommended) or
the Use Specified IP Address field, but not both.
With the DDNS Server Auto Detect IP Address
and Use Specified IP Address fields both set to
No, the DDNS server automatically updates the IP
address of the host names with the Business
Secure Router’s WAN IP address.
DDNS does not work with a private IP address.
When both fields are set to No, the Business
Secure Router must have a public WAN IP
address in order for DDNS to work.
DDNS Server
Auto Detect IP
Address
Press [SPACE BAR] to select Yes and then press Yes
[ENTER] to have the DDNS server automatically
update the IP address of the host names with the
public IP address that the Business Secure Router
uses or is behind.
You can set this field to Yes whether the IP
address is public or private, static or dynamic.
Use Specified IP
Address
Press [SPACE BAR] to select Yes and then press
[ENTER] to update the IP address of the host
names to the IP address specified below.
Only select Yes if the Business Secure Router
uses or is behind a static public IP address.
Use IP Address
Enter the static public IP address if you select Yes N/A
in the Use Specified IP Address field.
No
After you complete this menu, press [ENTER] at
the prompt “Press ENTER to Confirm…” to save
your configuration, or press [ESC] at any time to
cancel.
The IP address updates when you reconfigure menu 1 or perform DHCP client
renewal.
NN47922-501
53
Chapter 3
WAN and Dial Backup Setup
This chapter describes how to configure the WAN using menu 2 and dial-backup
using menus 2.1 and 11.1.
Introduction to WAN and dial backup setup
This chapter explains how to configure settings for your WAN port and how to
configure the Business Secure Router for a dial backup connection.
WAN setup
From the main menu, enter 2 to open menu 2
Nortel Business Secure Router 222 Configuration — Advanced
54 Chapter 3 WAN and Dial Backup Setup
Figure 9 Menu 2
Menu 2 - WAN Setup
MAC Address:
Assigned By= Factory default
IP Address= N/A
Dial-Backup:
Active= No
Port Speed= 115200
AT Command String:
Init= at&fs0=0
Edit Advanced Setup= No
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
Table 6 describes the MAC address fields in Figure 9. See Table 7 for
descriptions of the dial-backup fields.
Table 6 MAC address cloning in WAN setup
Field
Description
Example
MAC Address
Assigned By
Press [SPACE BAR] and then [ENTER] to choose one IP address
of two methods to assign a MAC Address. Choose
attached on
Factory Default to select the factory-assigned default LAN
MAC Address. Choose IP address attached on LAN
to use the MAC Address of that workstation whose IP
you give in the following field.
IP Address
This field is applicable only if you choose the IP
address attached on LAN method in the Assigned
By field. Enter the IP address of the computer on the
LAN whose MAC you are cloning.
After you complete this menu, press [ENTER] at the
prompt “Press ENTER to Confirm…” to save your
configuration, or press [ESC] at any time to cancel.
NN47922-501
192.168.1.35
Chapter 3 WAN and Dial Backup Setup 55
Dial backup
The Dial Backup port or CON/AUX port can be used in reserve as a traditional
dial-up connection if the broadband connection to the WAN port fail. This feature
is not available on all models. To set up the auxiliary port (Dial Backup or CON/
AUX) for use in the event that the regular WAN connection is dropped, first make
sure you have set up the switch and port connection (see the Hardware Installation
chapter), then configure:
•
•
•
Menu 2 - WAN Setup
Menu 2.1 - Advanced WAN Setup
Menu 11.1 - Remote Node Profile (Backup ISP), as shown in Figure 26 on
page 87
Refer also to the traffic redirect section for information on an alternate backup
WAN connection.
Configuring dial backup in menu 2
From the main menu, enter 2 to open menu 2.
Nortel Business Secure Router 222 Configuration — Advanced
56 Chapter 3 WAN and Dial Backup Setup
Figure 10 Menu 2: dial backup setup
Menu 2 - WAN Setup
MAC Address:
Assigned By= Factory default
IP Address= N/A
Dial-Backup:
Active= No
Port Speed= 115200
AT Command String:
Init= at&fs0=0
Edit Advanced Setup= No
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
Table 7 describes the fields in Figure 10.
Table 7 Menu 2: dial backup setup
Field
Description
Example
Active
Use this field to turn the dial-backup feature on (Yes)
or off (No).
No
Port Speed
Press [SPACE BAR] and then press [ENTER] to
select the speed of the connection between the Dial
Backup port and the external device.
Available speeds are:
9 600, 19 200, 38 400, 57 600, 115 200 or 230 400 b/
s.
115200
Enter the AT command string to initialize the WAN
device. Consult the manual of your WAN device
connected to your Dial Backup port for specific AT
commands.
at&fs0=0
Dial-Backup:
AT Command
String:
Init
NN47922-501
Chapter 3 WAN and Dial Backup Setup 57
Table 7 Menu 2: dial backup setup
Field
Description
Example
Edit Advanced
Setup
To edit the advanced setup for the Dial Backup port,
move the cursor to this field; press the [SPACE BAR]
to select Yes and then press [ENTER] to go to Menu
2.1: Advanced Setup.
Yes
After you complete this menu, press [ENTER] at the
prompt “Press ENTER to Confirm…” to save your
configuration, or press [ESC] at any time to cancel.
Advanced WAN setup
Note: Consult the manual of your WAN device connected to your Dial
Backup port for specific AT commands
To edit the advanced setup for the Dial Backup port, move the cursor to the Edit
Advanced Setup field in Menu 2 - WAN Setup, press the [SPACE BAR] to
select Yes, and then press [ENTER].
Nortel Business Secure Router 222 Configuration — Advanced
58 Chapter 3 WAN and Dial Backup Setup
Figure 11 Menu 2.1 advanced WAN setup
Menu 2.1 - Advanced WAN Setup
AT Command Strings:
Call Control:
Dial= atdt
Dial Timeout(sec)= 60
Drop= ~~+++~~ath
Retry Count= 0
Answer= ata
Retry Interval(sec)= N/A
Drop Timeout(sec)= 20
Drop DTR When Hang Up= Yes
Call Back Delay(sec)= 15
AT Response Strings:
CLID= NMBR =
Called Id=
Speed= CONNECT
Press ENTER to Confirm or ESC to Cancel:
Table 8 describes the fields in Figure 11.
Table 8 Advanced WAN port setup: AT commands fields
Field
Description
Default
Dial
Enter the AT Command string to make a call.
atdt
Drop
Enter the AT Command string to drop a call. ~
+++ath
represents a one second wait. For example,
~~~+++~~ath can be used if your modem has a slow
response time.
Answer
Enter the AT Command string to answer a call.
Drop DTR When
Hang Up
Press the [SPACE BAR] to choose either Yes or No.
When Yes is selected (the default), the DTR (Data
Yes
Terminal Ready) signal is dropped after the “AT
Command String: Drop” is sent out.
AT Command Strings:
ata
AT Response String:
NN47922-501
CLID (Calling Line
Identification)
Enter the keyword that precedes the CLID (Calling
NMBR =
Line Identification) in the AT response string. This
lets the Business Secure Router capture the CLID in
the AT response string that comes from the WAN
device. CLID is required for CLID authentication.
Called Id
Enter the keyword preceding the dialed number.
TO
Chapter 3 WAN and Dial Backup Setup 59
Table 8 Advanced WAN port setup: AT commands fields
Field
Description
Default
Speed
Enter the keyword preceding the connection speed.
CONNECT
Dial Timeout (sec)
Enter a number of seconds for the Business Secure
Router to keep trying to set up an outgoing call
before timing out (stopping). The Business Secure
Router times out and stops if it cannot set up an
outgoing call within the timeout value.
60
seconds
Retry Count
Enter a number of times for the Business Secure
Router to retry a busy or no-answer phone number
before blacklisting the number.
0 to
disable
the
blacklist
control
Retry Interval (sec)
Enter a number of seconds for the Business Secure
Router to wait before trying another call after a call
has failed. This applies before a phone number is
blacklisted.
Drop Timeout (sec)
Enter a number of seconds for the Business Secure
Router to wait before dropping the DTR signal if it
does not receive a positive disconnect confirmation.
20
seconds
Call Back Delay (sec)
Enter a number of seconds for the Business Secure
Router to wait between dropping a callback request
call and dialing the corresponding callback call.
15
seconds
Call Control
Remote node profile (Backup ISP)
Enter 2 in Menu 11 Remote Node Setup to open Menu 11.2 Remote Node
Profile (Backup ISP) (Figure 12) and configure the setup for your Dial Backup
port connection. This feature is not available on all models.
Nortel Business Secure Router 222 Configuration — Advanced
60 Chapter 3 WAN and Dial Backup Setup
Figure 12 Menu 11.2 remote node profile (Backup ISP)
Menu 11.2 - Remote Node Profile (Backup ISP)
Rem Node Name= GUI
Active= No
Outgoing:
My Login=
My Password= ********
Retype to Confirm= ********
Authen= CHAP/PAP
Pri Phone #= ?
Sec Phone #=
Edit PPP Options= No
Rem IP Addr= 0.0.0.0
Edit IP= No
Edit Script Options= No
Telco Option:
Allocated Budget(min)= 0
Period(hr)= 0
Schedules=
Nailed-Up Connection= No
Session Options:
Edit Filter Sets= No
Idle Timeout(sec)= 100
Press ENTER to Confirm or ESC to Cancel:
Press ENTER to Confirm or ESC to Cancel:
Table 10 describes the fields in Figure 12.
Table 9 Fields in menu 11.2 remote node profile (Backup ISP)
Field
Description
Example
Rem Node
Name
Enter a descriptive name for the remote node. This field LAoffice
can be up to eight characters.
Active
Press [SPACE BAR] and then [ENTER] to select Yes to Yes
enable the remote node or No to disable the remote
node.
Outgoing
NN47922-501
My Login
Enter the login name assigned by your ISP for this
remote node.
jim
My Password
Enter the password assigned by your ISP for this remote *****
node.
Retype to
Confirm
Type the password again to make sure you have it
correct.
*****
Chapter 3 WAN and Dial Backup Setup 61
Table 9 Fields in menu 11.2 remote node profile (Backup ISP)
Field
Description
Example
Authen
This field sets the authentication protocol used for
outgoing calls.
Options for this field are:
CHAP/PAP - Your Business Secure Router will accept
either CHAP or PAP when requested by this remote
node.
CHAP - accept CHAP only.
PAP - accept PAP only.
CHAP/PAP
Pri Phone #
Sec Phone #
Enter the first (primary) phone number from the ISP for
this remote node. If the Primary Phone number is busy
or does not answer, your Business Secure Router dials
the Secondary Phone number, if available. Some areas
require dialing the pound sign # before the phone
number for local calls. Include a # symbol at the
beginning of the phone numbers as required.
Edit PPP
Options
Move the cursor to this field and use the space bar to
No
select [Yes] and press [Enter] to edit the PPP options for (default)
this remote node. This brings you to Menu 11.2.1 Remote Node PPP Options (See “Editing PPP options”
on page 62).
Rem IP Addr
Leave the field set to 0.0.0.0 (default) if the remote
gateway has a dynamic IP address. Enter the remote
gateway’s IP address here if it is static.
Edit IP
This field leads to a “hidden” menu. Press [SPACE BAR] No
to select Yes and press [ENTER] to go to Menu 11.2.2 - (default)
Remote Node Network Layer Options. See “Editing
TCP/IP options” on page 63 for more information.
Edit Script
Options
Press [SPACE BAR] to select Yes and press [ENTER] to No
edit the AT script for the dial backup remote node (Menu (default)
11.2.3 - Remote Node Script). See “Editing logon
script” on page 66 for more information.
0.0.0.0
(default)
Telco Option
Allocated
Budget
Enter the maximum number of minutes that this remote 0
node can be called within the time period configured in (default)
the Period field. The default for this field is 0, meaning
there is no budget control and no time limit for accessing
this remote node.
Period(hr)
Enter the time period (in hours) for how often the budget 0
should be reset. For example, to allow calls to this
(default)
remote node for a maximum of 10 minutes every hour,
set the Allocated Budget to 10 (minutes) and the
Period to 1 (hour).
Nortel Business Secure Router 222 Configuration — Advanced
62 Chapter 3 WAN and Dial Backup Setup
Table 9 Fields in menu 11.2 remote node profile (Backup ISP)
Field
Description
Example
Schedules
You can apply up to four schedule sets here. For more
details, refer to Chapter 18, “Call scheduling,” on page
213.
1,3,5
Nailed-Up
Connection
Press [SPACE BAR] to select Yes to set this connection No
to always be on, regardless of whether or not there is
(default)
any traffic. Select No to have this connection act as a
dial-up connection.
Session Options
Edit Filter sets
This field leads to another “hidden” menu. Use
No
[SPACE BAR] to select Yes and press [ENTER] to open (default)
menu 11.2.4 to edit the filter sets. See “Remote node
filter” on page 69 for more details.
Idle Timeout
Enter the number of seconds of idle time (when there is 100
no traffic from the Business Secure Router to the remote seconds
node) that can elapse before the Business Secure
(default)
Router automatically disconnects the PPP connection.
This option only applies when the Business Secure
Router initiates the call.
After you configure this menu, press [ENTER] at the
message “Press ENTER to Confirm...” to save your
configuration, or press [ESC] at any time to cancel.
Editing PPP options
The Business Secure Router dial back-up feature uses PPP. To edit the remote
node PPP options, move the cursor to the [Edit PPP Options] field in Menu 11.2
- Remote Node Profile, and use the space bar to select [Yes]. Press [Enter] to
open Menu 11.2.1 as shown in Figure 13.
NN47922-501
Chapter 3 WAN and Dial Backup Setup 63
Figure 13 Menu 11.2.1: Remote node PPP options
Menu 11.2.1 - Remote Node PPP Options
Encapsulation= Standard PPP
Compression= No
Enter here to CONFIRM or ESC to CANCEL:
Press Space Bar to Toggle.
Table 10 describes the Remote Node PPP Options Menu, and contains
instructions about how to configure the PPP options fields.
Table 10 Remote node PPP options menu fields
FIELD
DESCRIPTION
EXAMPLE
Encapsulation
Press [SPACE BAR] and then [ENTER] to select
Standard PPP
CISCO PPP if your Dial Backup WAN device uses (default)
Cisco PPP encapsulation, otherwise select
Standard PPP.
Compression
Press [SPACE BAR] and then [ENTER] to select
Yes to enable or No to disable Stac compression.
No
(default)
Editing TCP/IP options
Move the cursor to the Edit IP field in menu 11.2, then press [SPACE BAR] to
select Yes. Press [ENTER] to open Menu 11.2.2 - Network Layer Options.
Nortel Business Secure Router 222 Configuration — Advanced
64 Chapter 3 WAN and Dial Backup Setup
Figure 14 Menu 11.2.2: remote node network layer options
Menu 11.2.2 - Remote Node Network Layer Options
IP Address Assignment= Dynamic
Rem IP Addr= 0.0.0.0
Rem Subnet Mask= 0.0.0.0
My WAN Addr= 0.0.0.0
Network Address Translation= None
Metric= 15
Private= No
RIP Direction= Both
Version= RIP-2B
Multicast= None
Enter here to CONFIRM or ESC to CANCEL:
Table 11 describes the fields in Figure 14.
Table 11 Remote node network layer options menu fields
Field
Description
IP Address
Assignment
If your ISP did not assign you an explicit IP address, press Dynamic
[SPACE BAR] and then [ENTER] to select Dynamic;
(default)
otherwise select Static and enter the IP address & subnet
mask in the following fields.
Rem IP
Address
Leave this field set to 0.0.0.0 to have the ISP or other
remote router dynamically (automatically) send its IP
address if you do not know it. Enter the remote gateway’s
IP address here if you know it (static).
Rem Subnet
Mask
Leave this field set to 0.0.0.0 to have the ISP or other
0.0.0.0
remote router dynamically send its subnet mask if you do (default)
not know it. Enter the remote gateway’s subnet mask here
if you know it (static).
My WAN Addr Leave the field set to 0.0.0.0 to have the ISP or other
remote router dynamically (automatically) assign your
WAN IP address if you do not know it. Enter your WAN IP
address here if you know it (static).
This is the address assigned to your local Business
Secure Router, not the remote router.
NN47922-501
Example
0.0.0.0
(default)
0.0.0.0
(default)
Chapter 3 WAN and Dial Backup Setup 65
Table 11 Remote node network layer options menu fields
Field
Description
Example
Network
Address
Translation
With Network Address Translation (NAT), you can
None
translate an Internet protocol address used within one
(default)
network (for example a private IP address used in a local
network) to a different IP address known within another
network (for example, a public IP address used on the
Internet).
Press [SPACE BAR] and then [ENTER] to select either
Full Feature, None or SUA Only.
Choose None to disable NAT.
Choose SUA Only if you have a single public IP address.
SUA (Single User Account) is a subset of NAT that
supports two types of mapping: Many-to-One and Server.
Choose Full Feature if you have multiple public IP
addresses. Full Feature mapping types include:
One-to-One, Many-to-One (SUA/PAT), Many-to-Many
Overload, Many- One-to-One and Server. When you
select Full Feature you must configure at least one
address mapping set!
See Chapter 9, “Network Address Translation (NAT),” on
page 107 for a full discussion on this feature.
Metric
Enter a number from 1 to 15 to set this route’s priority. The 15
smaller the number, the higher priority the route has.
(default)
Private
This parameter determines if the Business Secure Router No
includes the route to this remote node in its RIP
(default)
broadcasts. If set to Yes, this route is kept private and not
included in RIP broadcasts. If No, the route to this remote
node is propagated to other hosts through RIP broadcasts.
RIP Direction
Press [SPACE BAR] and then [ENTER] to select the RIP
direction from Both/ None/In Only/Out Only and None.
Both
(default)
Version
Press [SPACE BAR] and then [ENTER] to select the RIP
version from RIP-1/RIP-2B/RIP-2M.
RIP-1
Multicast
IGMP (Internet Group Multicast Protocol) is a
None
network-layer protocol used to establish membership in a (default)
Multicast group. The Business Secure Router supports
both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2).
Press the [SPACE BAR] to enable IP Multicasting or select
None to disable it. See Chapter 4, “LAN setup,” on page
71 for more information on this feature.
Once you have completed filling in Menu 11.2.2 Remote
Node Network Layer Options, press [ENTER] at the
message “Press ENTER to Confirm...” to save your
configuration and return to menu 11.2, or press [ESC] at
any time to cancel.
Nortel Business Secure Router 222 Configuration — Advanced
66 Chapter 3 WAN and Dial Backup Setup
Editing logon script
For some remote gateways, text logon is required before PPP negotiation is
started. The Business Secure Router provides a script facility for this purpose. The
script has six programmable sets; each set is composed of an Expect string and a
‘Send’ string. After matching a message from the server to the ‘Expect’ field, the
Business Secure Router returns the set’s Send string to the server.
For instance, a typical logon sequence starts with the server printing a banner, a
logon prompt for you to enter the username and a password prompt to enter the
password:
Welcome to Acme, Inc.
Login: myLogin
Password:
To handle the first prompt, you specify ogin: as the Expect string and myLogin as
the Send string in set 1. The reason for leaving out the leading L is to avoid having
to know exactly whether it is upper or lower case. Similarly, you specify word: as
the Expect string and your password as the Send string for the second prompt in
set 2.
You can use two variables, $USERNAME and $PASSWORD (all upper case), to
represent the actual username and password in the script, so they do not show in
clear text. They are replaced with the outgoing login name and password in the
remote node when the Business Secure Router sees them in a ‘Send’ string. Note
that both variables must be entered exactly as shown. No other characters can
appear before or after, either, i.e., they must be used alone in response to logon
and password prompts.
Note that the ordering of the sets is significant, i.e., starting from set 1, the
Business Secure Router waits until the ‘Expect’ string is matched before it
proceeds to set 2, and so on for the rest of the script. When both the ‘Expect’ and
the ‘Send’ fields of the current set are empty, the Business Secure Router
terminates the script processing and start PPP negotiation. This implies two
things: first, the sets must be contiguous; the sets after an empty one are ignored.
Second, the last set must match the final message sent by the server. For instance,
if the server prints:
NN47922-501
Chapter 3 WAN and Dial Backup Setup 67
login successful.
Starting PPP...
after you enter the password, then you must create a third set to match the final
“PPP...” but without a “Send” string. Otherwise, the Business Secure Router starts
PPP prematurely right after sending your password to the server.
If there are errors in the script and it gets stuck at a set for longer than the “Dial
Timeout” in menu 2 (default 60 seconds), the Business Secure Router times out
and drops the line. To debug a script, go to Menu 24.4 to initiate a manual call and
watch the trace display to see if the sequence of messages and prompts from the
server differs from what you expect.
Nortel Business Secure Router 222 Configuration — Advanced
68 Chapter 3 WAN and Dial Backup Setup
Figure 15 Menu 11.2.3: remote node setup script
Menu 11.2.3 - Remote Node Script
Active= No
Set 1:
Set 5:
Expect=
Expect=
Send=
Send=
Set 2:
Set 6:
Expect=
Expect=
Send=
Send=
Set 3:
Expect=
Send=
Set 4:
Expect=
Send=
Enter here to CONFIRM or ESC to CANCEL:
Press Space Bar to Toggle.
Table 12 describes the fields in Figure 15.
Table 12 Menu 11.2.3: remote node script menu fields
Field
Description
Active
Press [SPACE BAR] and then [ENTER] to select either No
Yes to enable the AT strings or No to disable them.
(default)
Set 1-6:
Expect
Enter an Expect string to match. After matching the
Expect string, the Business Secure Router returns the
string in the Send field.
Set 1-6: Send Enter a string to send out after the Expect string is
matched.
NN47922-501
Example
0.0.0.0
Chapter 3 WAN and Dial Backup Setup 69
Remote node filter
Move the cursor to the field Edit Filter Sets in menu 11.2, and then press
[SPACE BAR] to set the value to Yes. Press [ENTER] to open Menu 11.2.4 Remote Node Filter.
Use menu 11.2.4 to specify the filter sets to apply to the incoming and outgoing
traffic between this remote node and the Business Secure Router to prevent
certain packets from triggering calls. You can specify up to four filter sets
separated by commas, for example, 1, 5, 9, 12, in each filter field. Note that spaces
are accepted in this field. Refer to Chapter 11, “Filter configuration,” on page 135
for more information about defining the filters.
Figure 16 Menu 11.2.4: dial backup remote node filter
Menu 11.2.4 - Remote Node Filter
Input Filter Sets:
protocol filters=
device filters=
Output Filter Sets:
protocol filters=
device filters=
Call Filter Sets:
protocol filters=
device filters=
Enter here to CONFIRM or ESC to CANCEL:
Nortel Business Secure Router 222 Configuration — Advanced
70 Chapter 3 WAN and Dial Backup Setup
NN47922-501
71
Chapter 4
LAN setup
This chapter describes how to configure the LAN using Menu 3: LAN Setup.
Introduction to LAN setup
This section describes how to configure the Business Secure Router for LAN
connections.
Accessing the LAN menus
From the main menu, enter 3 to open Menu 3 – LAN setup
Figure 17 Menu 3: LAN setup.
Menu 3 - LAN Setup
1. LAN Port Filter Setup
2. TCP/IP and DHCP Setup
Enter Menu Selection Number:
LAN port filter setup
With Menu 3, you can specify the filter sets that you wish to apply to the LAN
traffic. You seldom need to filter the LAN traffic, however, the filter sets are
useful to block certain packets, reduce traffic, and prevent security breaches.
Nortel Business Secure Router 222 Configuration — Advanced
72 Chapter 4 LAN setup
Figure 18 Menu 3.1: LAN port filter setup
Menu 3.1 – LAN Port Filter Setup
Input Filter Sets:
protocol filters=
device filters=
Output Filter Sets:
protocol filters=
device filters=
Press ENTER to Confirm or ESC to Cancel:
TCP/IP and DHCP ethernet setup menu
From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP
(RFC 1155) and DHCP Ethernet setup.
Figure 19 Menu 3: TCP/IP and DHCP setup
Menu 3 - LAN Setup
1. LAN Port Filter Setup
2. TCP/IP and DHCP Setup
Enter Menu Selection Number:
From menu 3, select the submenu option TCP/IP and DHCP Setup and press
[ENTER]. The screen now displays Menu 3.2: TCP/IP and DHCP Ethernet
Setup, as shown in Figure 20.
NN47922-501
Chapter 4 LAN setup 73
Figure 20 Figure 21-4 menu 3.2: TCP/IP and DHCP Ethernet setup
Menu 3.2 - TCP/IP and DHCP Ethernet Setup
DHCP= Server
TCP/IP Setup:
Client IP Pool:
Starting Address= 192.168.1.2
IP Address= 192.168.1.1
Size of Client IP Pool= 126 IP Subnet Mask= 255.255.255.0
First DNS Server= From ISP
RIP Direction= None
IP Address= N/A
Version= N/A
Second DNS Server= From ISP
Multicast= None
IP Address= N/A
Edit IP Alias= No
Third DNS Server= From ISP
IP Address= N/A
DHCP Server Address= N/A
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
Follow the instructions in Table 13 to configure the DHCP fields.
Table 13 DHCP Ethernet setup menu fields
Field
Description
Example
DHCP
This field enables and disables the DHCP server.
If set to Server, your Business Secure Router will
act as a DHCP server.
If set to None, the DHCP server will be disabled.
Server
This field specifies the first of the contiguous
addresses in the IP address pool.
192.168.1.2
Configuration:
Client IP Pool
Starting Address
Nortel Business Secure Router 222 Configuration — Advanced
74 Chapter 4 LAN setup
Table 13 DHCP Ethernet setup menu fields
NN47922-501
Field
Description
Example
Size of Client IP
Pool
This field specifies the size or count of the IP
address pool.
126
First DNS Server
Second DNS
Server
Third DNS Server
The Business Secure Router passes a DNS
(Domain Name System) server IP address (in the
order you specify here) to the DHCP clients.
Select From ISP if your ISP dynamically assigns
DNS server information (and the Business Secure
Router's WAN IP address). The IP Address field
below displays the (read-only) DNS server IP
address that the ISP assigns. If you chose From
ISP, but the Business Secure Router has a fixed
WAN IP address, From ISP changes to None after
you save your changes. If you chose From ISP for
the second or third DNS server, but the ISP does
not provide a second or third IP address, From ISP
changes to None after you save your changes.
Select User-Defined if you have the IP address of a
DNS server. Enter the DNS server's IP address in
the IP Address field below. If you chose
User-Defined, but leave the IP address set to
0.0.0.0, User-Defined changes to None after you
save your changes. If you set a second choice to
User-Defined, and enter the same IP address, the
second User-Defined changes to None after you
save your changes.
Select DNS Relay to have the Business Secure
Router act as a DNS proxy. The Business Secure
Router's LAN IP address displays in the IP Address
field below (read-only). The Business Secure Router
tells the DHCP clients on the LAN that the Business
Secure Router itself is the DNS server. When a
computer on the LAN sends a DNS query to the
Business Secure Router, the Business Secure
Router forwards the query to the Business Secure
Router's system DNS server (configured in the
SYSTEM General screen) and relays the response
back to the computer. You can only select DNS
Relay for one of the three servers; if you select DNS
Relay for a second or third DNS server, that choice
changes to None after you save your changes.
Select None if you do not want to configure DNS
servers. If you do not configure a DNS server, you
must know the IP address of a machine in order to
access it.
Chapter 4 LAN setup 75
Use the instructions in Table 14 to configure TCP/IP parameters for the LAN port.
Table 14 LAN TCP/IP setup menu fields
Field
Description
Example
IP Address
Enter the IP address of your Business Secure
Router in dotted decimal notation.
192.168.1.1
(default)
IP Subnet Mask
Your Business Secure Router automatically
calculates the subnet mask based on the IP
address that you assign. Unless you are
implementing subnetting, use the subnet mask
computed by the Business Secure Router.
255.255.255.0
RIP Direction
Press [SPACE BAR] and then [ENTER] to select Both
the RIP direction. Options are: Both, In Only,
(default)
Out Only or None.
Version
Press [SPACE BAR] and then [ENTER] to select RIP-1
the RIP version. Options are:
(default)
RIP-1, RIP-2B or RIP-2M.
Multicast
IGMP (Internet Group Multicast Protocol) is a
None
network-layer protocol used to establish
membership in a Multicast group. The Business
Secure Router supports both IGMP version 1
(IGMP-v1) and version 2 (IGMP-v2). Press
[SPACE BAR] and then [ENTER] to enable IP
Multicasting or select None (default) to disable it.
Edit IP Alias
The Business Secure Router supports three
logical LAN interfaces via its single physical
Ethernet interface with the Business Secure
Router itself as the gateway for each LAN
network. Press [SPACE BAR] to select Yes and
then press [ENTER] to display menu 3.2.1.
TCP/IP Setup:
Yes
IP Alias Setup
You must use menu 3.2 to configure the first network. Move the cursor to the Edit
IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to
configure the second and third network.
Press [ENTER] to open Menu 3.2.1 - IP Alias Setup, as shown in Figure 21.
Nortel Business Secure Router 222 Configuration — Advanced
76 Chapter 4 LAN setup
Figure 21 Menu 3.2.1: IP Alias setup
Menu 3.2.1 - IP Alias Setup
IP Alias 1= No
IP Address= N/A
IP Subnet Mask= N/A
RIP Direction= N/A
Version= N/A
Incoming protocol filters= N/A
Outgoing protocol filters= N/A
IP Alias 2= No
IP Address= N/A
IP Subnet Mask= N/A
RIP Direction= N/A
Version= N/A
Incoming protocol filters= N/A
Outgoing protocol filters= N/A
Enter here to CONFIRM or ESC to CANCEL:
Press Space Bar to Toggle.
Use the instructions in Table 15 to configure IP Alias parameters.s
Table 15 IP Alias setup menu field
NN47922-501
Field
Description
Example
IP Alias
Choose Yes to configure the LAN network for
the Business Secure Router.
Yes
IP Address
Enter the IP address of your Business Secure
Router in dotted decimal notation.
192.168.1.1
IP Subnet Mask
Your Business Secure Router automatically
calculates the subnet mask based on the IP
address that you assign. Unless you are
implementing subnetting, use the subnet mask
computed by the Business Secure Router.
255.255.255.0
Chapter 4 LAN setup 77
Table 15 IP Alias setup menu field
Field
Description
Example
RIP Direction
Press [SPACE BAR] and then [ENTER] to
select the RIP direction. Options are
Both, In Only, Out Only or None.
None
Version
Press [SPACE BAR] and then [ENTER] to
select the RIP version. Options are
RIP-1, RIP-2B or RIP-2M.
RIP-1
Incoming Protocol
Filters
Enter the filter sets you wish to apply to the
incoming traffic between this node and the
Business Secure Router.
1
Outgoing Protocol
Filters
Enter the filter sets you wish to apply to the
outgoing traffic between this node and the
Business Secure Router.
2
Nortel Business Secure Router 222 Configuration — Advanced
78 Chapter 4 LAN setup
NN47922-501
79
Chapter 5
Internet access
This chapter shows you how to configure your Business Secure Router for
Internet access.
Introduction to internet access setup
Use the information from your ISP along with the instructions in this chapter to
set up your Business Secure Router to access the Internet. There are three
different menu 4 screens, depending on whether you chose Ethernet, PPTP or
PPPoE Encapsulation. Contact your ISP to determine which encapsulation type
you should use.
Ethernet encapsulation
If you choose Ethernet in menu 4 you will see Figure 22.
Nortel Business Secure Router 222 Configuration — Advanced
80 Chapter 5 Internet access
Figure 22 Menu 4: internet access setup (Ethernet)
Menu 4 - Internet Access Setup
ISP's Name= ChangeMe
Encapsulation= Ethernet
Service Type= Standard
My Login= N/A
My Password= N/A
Retype to Confirm= N/A
Login Server IP= N/A
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Address= N/A
Network Address Translation= SUA Only
Press ENTER to Confirm or ESC to Cancel:
Table 16 describes the fields in Figure 22.
Table 16 Menu 4: internet access setup menu fields
Field
Description
ISP’s Name
Enter the name of your Internet Service Provider, e.g., myISP.
This information is for identification purposes only.
Encapsulation
Press [SPACE BAR] and then press [ENTER] to choose
Ethernet. The encapsulation method influences your choices
for the IP Address field.
Service Type
Press [SPACE BAR] and then [ENTER] to select Standard,
RR-Toshiba (Road Runner Toshiba authentication method),
RR-Manager (Road Runner Manager authentication method) or
RR-Telstra. Choose a Road Runner flavor if your ISP is Time
Warner's Road Runner; otherwise choose Standard.
DSL users must choose the Standard option only. The My
Login, My Password and Login Server fields are not
applicable in this case.
NN47922-501
My Login
Enter the logon name given to you by your ISP.
My Password
Enter the password associated with the login name above.
Chapter 5 Internet access 81
Table 16 Menu 4: internet access setup menu fields
Field
Description
Retype to Confirm
Enter the password again to make sure that you have entered it
correctly.
Login Server
The Business Secure Router finds the Road Runner Server IP if
this field is left blank. If it does not, then you must enter the
authentication server IP address.
IP Address
Assignment
If your ISP did not assign you a fixed IP address, press
[SPACE BAR] and then [ENTER] to select Dynamic, otherwise
select Static and enter the IP address and subnet mask in the
following fields.
IP Address
Enter the (fixed) IP address assigned to you by your ISP (static
IP address Assignment is selected in the previous field).
IP Subnet Mask
Enter the subnet mask associated with your static IP.
Gateway IP Address
Enter the gateway IP address associated with your static IP.
Network Address
Translation
With the NAT, you can translate an Internet protocol address
used within one network (for example a private IP address used
in a local network) to a different IP address known within
another network (for example a public IP address used on the
Internet).
Choose None to disable NAT.
Choose SUA Only if you have a single public IP address. SUA
(Single User Account) is a subset of NAT that supports two
types of mapping: Many-to-One and Server.
Choose Full Feature if you have multiple public IP addresses.
Full Feature mapping types include: One-to-One,
Many-to-One (SUA/PAT), Many-to-Many Overload, ManyOne-to-One and Server. When you select Full Feature you
must configure at least one address mapping set!
See Chapter 9, “Network Address Translation (NAT),” on page
107 for a more detailed discussion on the Network Address
Translation feature.
Configuring the PPTP client
Note: The Business Secure Router supports only one PPTP server
connection at any given time.
To configure a PPTP client, you must configure the My Login and Password
fields for a PPP connection and the PPTP parameters for a PPTP connection.
Nortel Business Secure Router 222 Configuration — Advanced
82 Chapter 5 Internet access
After configuring My Login and Password for PPP connection, press
[SPACE BAR] and then [ENTER] in the Encapsulation field in Menu 4
-Internet Access Setup to choose PPTP as your encapsulation option. This
brings up the screen show in Figure 23.
Figure 23 Internet access setup (PPTP)
Menu 4 - Internet Access Setup
ISP's Name= ChangeMe
Encapsulation= PPTP
Service Type= N/A
My Login= username
My Password= ******
Retype to Confirm= ******
Idle Timeout= 100
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Address=N/A
Network Address Translation= SUA Only
Press ENTER to Confirm or ESC to Cancel:
Table 17 contains instructions about the new fields when you choose PPTP in the
Encapsulation field in menu 4.
Table 17 New fields in menu 4 (PPTP) Screen
Field
Description
Example
Encapsulation
Press [SPACE BAR] and then press [ENTER] to
choose PPTP. The encapsulation method influences
your choices for the IP Address field.
PPTP
Idle Timeout
This value specifies the time, in seconds, that elapses 100
before the Business Secure Router automatically
(default)
disconnects from the PPTP server.
Configuring the PPPoE client
If you enable PPPoE in menu 4, you will see the screen in figure 24. For more
information about PPPoE, see Appendix E, “PPPoE,” on page 253.
NN47922-501
Chapter 5 Internet access 83
Figure 24 Internet access setup (PPPoE)
Menu 4 - Internet Access Setup
ISP's Name= ChangeMe
Encapsulation= PPPoE
Service Type= N/A
My Login=
My Password= ********
Retype to Confirm= ******
Idle Timeout= 100
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Address= N/A
Network Address Translation= Full Feature
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
Table 18 describes the fields in Figure 24.
Table 18 New fields in menu 4 (PPPoE) screen
Field
Description
Example
Encapsulation
Press [SPACE BAR] and then press [ENTER] to
choose PPPoE. The encapsulation method
influences your choices in the IP Address field.
PPPoE
Idle Timeout
This value specifies the time in seconds that
elapses before the Business Secure Router
automatically disconnects from the PPPoE server.
100
(default)
If you need a PPPoE service name to identify and reach the PPPoE server, go to
menu 11 and enter the PPPoE service name provided to you in the Service Name
field.
Nortel Business Secure Router 222 Configuration — Advanced
84 Chapter 5 Internet access
Basic setup complete
Well done! You have successfully connected, installed and set up your Business
Secure Router to operate on your network, as well as access the Internet.
Note: When the firewall is activated, the default policy can
communicate to the Internet if the communication originates from the
LAN, and blocks all traffic to the LAN that originates from the Internet.
You can deactivate the firewall in menu 21.2 or via the Business Secure Router
embedded WebGUI. You can also define additional firewall rules or modify
existing ones, but exercise extreme caution in doing so. See the chapters on
firewalls in Nortel Business Secure Router 222 Configuration — Basics
(NN47922-500) for more information on the firewall.
NN47922-501
85
Chapter 6
Remote Node setup
This chapter shows you how to configure a remote node.
Introduction to Remote Node setup
A remote node is required for placing calls to a remote gateway. A remote node
represents both the remote gateway and the network behind it across a WAN
connection. Note that when you use menu 4 to set up Internet access, you are
actually configuring a remote node. The following describes how to configure
Menu 11.1 Remote Node Profile, Menu 11.1.2 - Remote Node Network Layer
Options and Menu 11.1.4 - Remote Node Filter.
Remote Node setup
From the main menu, select menu option 11 to open Menu 11 Remote Node
Setup (Figure 25).
Enter 1 to open Menu 11.1 Remote Node Profile and configure the setup for
your regular ISP. Enter 2 to open Menu 11.1 Remote Node Profile (Backup
ISP) and configure the setup for your Dial Backup port connection.
Nortel Business Secure Router 222 Configuration — Advanced
86 Chapter 6 Remote Node setup
Figure 25 Menu 11 Remote Node Setup
Menu 11 - Remote Node Setup
1. ChangeMe (ISP, SUA)
2. -GUI (BACKUP_ISP, SUA)
Enter Node # to Edit:
Remote Node profile setup
This section explains how to configure the remote node profile menu.
Ethernet Encapsulation
There are two variations of menu 11.1 depending on whether you choose
Ethernet Encapsulation or PPPoE Encapsulation. You must choose the
Ethernet option when the WAN port is used as a regular Ethernet. The first
menu 11.1 screen you see is for Ethernet encapsulation shown in Figure 26.
NN47922-501
Chapter 6 Remote Node setup 87
Figure 26 Menu 11.1: Remote Node profile for Ethernet Encapsulation
Menu 11.1 - Remote Node Profile
Rem Node Name= ChangeMe
Active= Yes
Route= IP
Encapsulation= Ethernet
Service Type= Standard
Service Name= N/A
Outgoing:
My Login= N/A
My Password= N/A
Retype to Confirm= N/A
Server= N/A
Edit IP= No
Session Options:
Edit Filter Sets= No
Edit Traffic Redirect= No
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
Table 19 describes the fields in Figure 26.
Table 19 Fields in menu 11.1
Field
Description
Example
Rem Node Name Enter a descriptive name for the remote node. This field
can be up to eight characters.
LAoffice
Active
Press [SPACE BAR] and then [ENTER] to select Yes
(activate remote node) or No (deactivate remote node).
Yes
Encapsulation
Ethernet is the default encapsulation. Press
Ethernet
[SPACE BAR] and then [ENTER] to change to PPPoE or
PPTP encapsulation.
Service Type
Press [SPACE BAR] and then [ENTER] to select from
Standard
Standard, RR-Toshiba (Road Runner Toshiba
authentication method) or RR-Manager (Road Runner
Manager authentication method). Choose one of the
Road Runner methods if your ISP is Time Warner's Road
Runner; otherwise choose Standard.
Nortel Business Secure Router 222 Configuration — Advanced
88 Chapter 6 Remote Node setup
Table 19 Fields in menu 11.1
Field
Description
Example
Service Name
If you are using PPPoE encapsulation, then type the
name of your PPPoE service here. Only valid with
PPPoE encapsulation.
poellc
Outgoing
My Login
This field is applicable for PPPoE encapsulation only.
Enter the logon name assigned by your ISP when the
Business Secure Router calls this remote node. Some
ISPs append this field to the Service Name field above
(e.g., jim@poellc) to access the PPPoE server.
jim
My Password
Enter the password assigned by your ISP when the
Business Secure Router calls this remote node. Valid for
PPPoE encapsulation only.
*****
Retype to
Confirm
Type your password again to make sure that you have
entered it correctly.
*****
Server IP
This field is valid only when Road Runner is selected in
the Service Type field. The Business Secure Router
finds the Road Runner Server IP automatically if this field
is left blank. If it does not, then you must enter the
authentication server IP address here.
Route
This field refers to the protocol that is routed by your
Business Secure Router.
IP
Edit IP
This field leads to a “hidden” menu. Press [SPACE BAR]
to select Yes and press [ENTER] to go to Menu 11.1.2 Remote Node Network Layer Options.
No
(default)
Session Options
Edit Filter sets
This field leads to another “hidden” menu. Use
[SPACE BAR] to select Yes and press [ENTER] to open
menu 11.1.4 to edit the filter sets. See “Remote Node
filter” on page 95 for more details.
No
(default)
After you configure this menu, press [ENTER] at the
message “Press ENTER to Confirm...” to save your
configuration, or press [ESC] at any time to cancel.
PPPoE Encapsulation
The Business Secure Router supports PPPoE (Point-to-Point Protocol over
Ethernet). You can only use PPPoE encapsulation when you are using the
Business Secure Router with a DSL modem as the WAN device. If you change
the Encapsulation to PPPoE, you then see Figure 27. Please see Appendix E,
“PPPoE,” on page 253 for more information about PPPoE.
NN47922-501
Chapter 6 Remote Node setup 89
Figure 27 Menu 11.1: Remote Node profile for PPPoE Encapsulation
Menu 11.1 - Remote Node Profile
Rem Node Name= ChangeMe
Active= Yes
Route= IP
Encapsulation= PPPoE
Service Type= Standard
Service Name=
Outgoing:
My Login=
My Password= ********
Retype to Confirm= ********
Authen= CHAP/PAP
Edit IP= No
Telco Option:
Allocated Budget(min)= 0
Period(hr)= 0
Schedules=
Nailed-Up Connection= No
Session Options:
Edit Filter Sets= No
Idle Timeout(sec)= 100
Edit Traffic Redirect= No
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
Outgoing Authentication Protocol
Generally speaking, you must employ the strongest authentication protocol
possible. However, some vendors’ implementation includes a specific
authentication protocol in the user profile. It disconnects if the negotiated protocol
is different from that in the user profile, even when the negotiated protocol is
stronger than specified. If you encounter a case where the peer disconnects right
after a successful authentication, make sure that you specify the correct
authentication protocol when connecting to such an implementation.
Nortel Business Secure Router 222 Configuration — Advanced
90 Chapter 6 Remote Node setup
Nailed-Up Connection
A nailed-up connection is a dial-up line where the connection is always up,
regardless of traffic demand. The Business Secure Router does two things when
you specify a nailed-up connection. The first is that idle timeout is disabled. The
second is that the Business Secure Router tries to bring up the connection when
turned on and whenever the connection is down. A nailed-up connection can be
very expensive.
Do not specify a nailed-up connection unless your telephone company offers
flat-rate service or you need a constant connection and the cost is of no concern.
Table 20 describes the fields specific to PPPoE encapsulation.
Table 20 Fields in Menu 11.1 (PPPoE Encapsulation Specific)
Field
Description
Example
Authen
This field sets the authentication protocol used for
CHAP/PAP
outgoing calls.
Options for this field are:
CHAP/PAP - Your Business Secure Router accepts either
CHAP or PAP when requested by this remote node.
CHAP - accept CHAP only.
PAP - accept PAP only.
Telco Option
NN47922-501
Allocated
Budget
The field sets a ceiling for outgoing call time for this remote 0
node. The default for this field is 0, meaning no budget
(default)
control.
Period(hr)
This field is the time period in which the budget is reset.
0
For example, if we are allowed to call this remote node for (default)
a maximum of 10 minutes every hour, then the Allocated
Budget is (10 minutes) and the Period(hr) is 1 (hour).
Schedules
You can apply up to four call schedule sets here.
Nailed-Up
Connection
This field specifies if you want to make the connection to
this remote node a nailed-up connection. More details are
given earlier in this section.
Session
Options
Idle Timeout
Type the length of idle time (when there is no traffic from
100
the Business Secure Router to the remote node) in
seconds
seconds that can elapse before the Business Secure
(default)
Router automatically disconnects the PPPoE connection.
This option only applies when the Business Secure Router
initiates the call.
No
(default)
Chapter 6 Remote Node setup 91
PPTP Encapsulation
If you change the Encapsulation to PPTP in menu 11.1, then you will see the next
screen. See Appendix F, “PPTP,” on page 257 for information about PPTP.
Figure 28 Menu 11.1: Remote Node Profile for PPTP Encapsulation
Menu 11.1 - Remote Node Profile
Rem Node Name= ChangeMe
Active= Yes
Encapsulation= PPTP
Service Type= Standard
Service Name= N/A
Outgoing:
My Login=
My Password= ********
Retype to Confirm= ********
Authen= CHAP/PAP
PPTP:
My IP Addr=
My IP Mask=
Server IP Addr=
Connection ID/Name=
Route= IP
Edit IP= No
Telco Option:
Allocated Budget(min)= 0
Period(hr)= 0
Schedules=
Nailed-Up Connection= No
Session Options:
Edit Filter Sets= No
Idle Timeout(sec)= 100
Edit Traffic Redirect= No
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
Table 21 shows how to configure fields in menu 11.1 not previously discussed.
Table 21 Fields in Menu 11.1 (PPTP Encapsulation)
Field
Description
Example
Encapsulation
Press [SPACE BAR] and then [ENTER] to select
PPTP. You must also go to menu 11.1.2 to check
the IP Address setting after you select the
encapsulation method.
PPTP
My IP Addr
Enter the IP address of the WAN Ethernet port.
10.0.0.140
My IP Mask
Enter the subnet mask of the WAN Ethernet port.
255.255.255.0
My Server IP Addr
Enter the IP address of the ANT modem.
10.0.0.138
Nortel Business Secure Router 222 Configuration — Advanced
92 Chapter 6 Remote Node setup
Table 21 Fields in Menu 11.1 (PPTP Encapsulation)
Field
Description
Example
Connection ID/
Name
Enter the connection ID or connection name in the N:My ISP
ANT. It must follow the “c:id” and “n:name” format.
This field is optional and depends on the
requirements of your DSL modem.
Schedules
You can apply up to four call schedule sets here.
Nailed-Up
Connections
Press [SPACE BAR] and then [ENTER] to select
Yes if you want to make the connection to this
remote node a nailed-up connection.
No
Edit IP
Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to
select Yes. Press [ENTER] to open Menu 11.1.2 - Network Layer Options.
NN47922-501
Chapter 6 Remote Node setup 93
Figure 29 Menu 11.1.2: Remote Node Network Layer Options for Ethernet
Encapsulation
Menu 11.1.2 - Remote Node Network Layer Options
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Addr= N/A
Network Address Translation= SUA Only
Metric= N/A
Private= N/A
RIP Direction= None
Version= N/A
Multicast= None
Enter here to CONFIRM or ESC to CANCEL:
Press Space Bar to Toggle.
This menu displays the My WAN Addr field for PPPoE and PPTP
encapsulations and Gateway IP Addr field for Ethernet encapsulation.
Table 22 describes the fields in Figure 29.
Table 22 Remote Node Network Layer Options Menu Fields
Field
Description
Example
IP Address
Assignment
If your ISP did not assign you an explicit IP address, press Dynamic
[SPACE BAR] and then [ENTER] to select Dynamic;
(default)
otherwise select Static and enter the IP address & subnet
mask in the following fields.
(Rem) IP
Address
If you have a Static IP Assignment, enter the IP address
assigned to you by your ISP.
(Rem) IP
Subnet Mask
If you have a Static IP Assignment, enter the subnet mask
assigned to you.
Nortel Business Secure Router 222 Configuration — Advanced
94 Chapter 6 Remote Node setup
Table 22 Remote Node Network Layer Options Menu Fields
NN47922-501
Field
Description
Example
Gateway IP
Addr
This field is applicable to Ethernet encapsulation only.
Enter the gateway IP address assigned to you if you are
using a static IP address.
My WAN Addr
This field is applicable to PPPoE and PPTP
encapsulations only. Some implementations, especially
the UNIX derivatives, require the WAN link to have a
separate IP network number from the LAN and each end
must have a unique address within the WAN network
number. If this is the case, enter the IP address assigned
to the WAN port of your Business Secure Router.
Note that this is the address assigned to your local
Business Secure Router, not the remote router.
Network
Address
Translation
With Network Address Translation (NAT), the device can
SUA Only
translate an Internet protocol address used within one
(default)
network (for example a private IP address used in a local
network) to a different IP address known within another
network (for example a public IP address used on the
Internet).
Choose None to disable NAT.
Choose SUA Only if you have a single public IP address.
SUA (Single User Account) is a subset of NAT that
supports two types of mapping: Many-to-One and Server.
Choose Full Feature if you have multiple public IP
addresses. Full Feature mapping types include:
One-to-One, Many-to-One (SUA/PAT), Many-to-Many
Overload, Many- One-to-One and Server. When you
select Full Feature you must configure at least one
address mapping set!
See Chapter 9, “Network Address Translation (NAT) for a
full discussion on this feature.
Metric
Enter a number from 1 to 15 to set this route’s priority
among the Business Secure Router routes. The smaller
the number, the higher priority the route has.
Private
This field is valid only for PPTP/PPPoE encapsulation.
No
This parameter determines if the Business Secure Router
includes the route to this remote node in its RIP
broadcasts. If set to Yes, this route is kept private and not
included in RIP broadcast. If No, the route to this remote
node is propagated to other hosts through RIP broadcasts.
RIP Direction
Press [SPACE BAR] and then [ENTER] to select the RIP None
direction from Both/ None/In Only/Out Only. The default (default)
for RIP on the WAN side is None. Nortel recommends that
you do not change this setting.
1
Chapter 6 Remote Node setup 95
Table 22 Remote Node Network Layer Options Menu Fields
Field
Description
Example
Version
Press [SPACE BAR] and then [ENTER] to select the RIP
version from RIP-1/RIP-2B/RIP-2M or None.
N/A
Multicast
IGMP (Internet Group Multicast Protocol) is a
None
network-layer protocol used to establish membership in a (default)
Multicast group. The Business Secure Router supports
both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2).
Press [SPACE BAR] to enable IP Multicasting or select
None to disable it.
After you complete filling in Menu 11.1.2 Remote Node
Network Layer Options, press [ENTER] at the message
“Press ENTER to Confirm...” to save your configuration
and return to menu 11.1, or press [ESC] at any time to
cancel.
Remote Node filter
Move the cursor to the field Edit Filter Sets in menu 11.1, and then press
[SPACE BAR] to set the value to Yes. Press [ENTER] to open Menu 11.1.4Remote Node Filter.
Use menu 11.1.4 to specify the filter sets to apply to the incoming and outgoing
traffic between this remote node and the Business Secure Router to prevent
certain packets from triggering calls. You can specify up to 4 filter sets separated
by commas, for example, 1, 5, 9, 12, in each filter field. Note that spaces are
accepted in this field. For more information about defining the filters, refer to
Chapter 11, “Filter configuration,” on page 135. For PPPoE or PPTP
encapsulation, you have the additional option of specifying remote node call filter
sets.
Nortel Business Secure Router 222 Configuration — Advanced
96 Chapter 6 Remote Node setup
Figure 30 Menu 11.1.4: Remote Node filter (Ethernet Encapsulation)
Menu 11.1.4 - Remote Node Filter
Input Filter Sets:
protocol filters=
device filters=
Output Filter Sets:
protocol filters=
device filters=
Enter here to CONFIRM or ESC to CANCEL:
Figure 31 Menu 11.1.4: Remote Node filter (PPPoE or PPTP Encapsulation)
Menu 11.1.4 - Remote Node Filter
Input Filter Sets:
protocol filters=
Device filters=
Output Filter Sets:
protocol filters=
device filters=
Call Filter Sets:
protocol filters=
Device filters=
Enter here to CONFIRM or ESC to CANCEL:
To configure the parameters for traffic redirect, enter 11 from the main menu to
display Menu 11.1—Remote Node Profile as shown in Figure 32.
NN47922-501
Chapter 6 Remote Node setup 97
Figure 32 Menu 11.1: Remote Node Profile
Menu 11.1 - Remote Node Profile
Rem Node Name= ChangeMe
Active= Yes
Route= IP
Encapsulation= Ethernet
Service Type= Standard
Service Name= N/A
Outgoing:
My Login= N/A
My Password= N/A
Retype to Confirm= N/A
Server= N/A
Edit IP= No
Session Options:
Edit Filter Sets= No
Edit Traffic Redirect= No
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
To configure traffic redirect properties, press [SPACE BAR] to select Yes in the
Edit Traffic Redirect field and then press [ENTER].
Table 23 Menu 11.1: Remote Node profile (Traffic Redirect Field)
Field
Description
Edit
Traffic
Redirect
Press [SPACE BAR] to select Yes or No.
Select No (default) if you do not want to configure this feature.
Select Yes and press [ENTER] to configure Menu 11.1.5 —
Traffic Redirect Setup.
Example
Yes
Press [ENTER] at the message “Press ENTER to Confirm...” to
save your configuration, or press [ESC] at any time to cancel.
Nortel Business Secure Router 222 Configuration — Advanced
98 Chapter 6 Remote Node setup
Traffic Redirect setup
Configure parameters that determine when the Business Secure Router forwards
WAN traffic to the backup gateway using Menu 11.1.5 — Traffic Redirect
Setup.
Figure 33 Menu 11.1.5: Traffic Redirect setup
Menu 11.1.5 - Traffic Redirect Setup
Active= Yes
Configuration:
Backup Gateway IP Address= 0.0.0.0
Metric= 15
Check WAN IP Address= 0.0.0.0
Fail Tolerance= 3
Period (sec)= 5
Timeout (sec)= 3
Press ENTER to Confirm or ESC to Cancel:
Table 24 describes the fields in Figure 33.
Table 24 Menu 11.1.5: Traffic Redirect setup
Field
Description
Example
Active
Press [SPACE BAR] and select Yes (to enable) or No (to
disable) traffic redirect setup. The default is No.
Yes
Configuration:
NN47922-501
Backup
Gateway IP
Address
Enter the IP address of your backup gateway in dotted
0.0.0.0
decimal notation.
The Business Secure Router automatically forwards traffic
to this IP address if the Business Secure Router Internet
connection terminates.
Metric
Enter a number from 1 to 15 to set this route’s priority
among the Business Secure Router routes. The smaller
the number, the higher priority the route has.
15
(default)
Chapter 6 Remote Node setup 99
Table 24 Menu 11.1.5: Traffic Redirect setup
Field
Description
Example
Check WAN IP
Address
Enter the IP address of a reliable nearby computer (for
example, your ISP’s DNS server address) to test your
Business Secure Router’s WAN accessibility.
The Business Secure Router uses the default gateway IP
address if you do not enter an IP address here.
If you are using PPTP or PPPoE Encapsulation, enter
0.0.0.0 to configure the Business Secure Router to check
the PVC (Permanent Virtual Circuit) or PPTP tunnel.
0.0.0.0
Fail Tolerance
Enter the number of times your Business Secure Router
3
can attempt and fail to connect to the Internet before traffic
is forwarded to the backup gateway. A good number is 2 to
5 seconds.
Period (sec)
Enter the time interval (in seconds) between WAN
connection checks. A good number is 5 to 60 seconds.
Timeout (sec)
Enter the number of seconds the Business Secure Router
waits for a ping response from the IP Address in the Check
3
WAN IP Address field before it times out. The number in
this field should be less than the number in the Period
field. A good number is 3 to 50 seconds.
The WAN connection is considered “down” after the
Business Secure Router times out the number of times
specified in the Fail Tolerance field.
5
After you complete this menu, press [ENTER] at the
prompt “Press [ENTER] to confirm or [ESC] to cancel” to
save your configuration or press [ESC] to cancel and go
back to the previous screen.
Nortel Business Secure Router 222 Configuration — Advanced
100 Chapter 6 Remote Node setup
NN47922-501
101
Chapter 7
IP Static Route Setup
This chapter shows you how to configure static routes with your Business Secure
Router.
IP Static Route Setup
Enter 12 from the main menu. Select one of the IP static routes as shown in
Figure 34 to configure IP static routes in menu 12. 1.
Note: The “Reserved” static route entry is for the default WAN route.
You cannot modify or delete a static default route.
Figure 34 Menu 12: IP Static Route Setup
Menu 12 - IP Static Route Setup
1. Reserved
2. ________
3. ________
4. ________
5. ________
6. ________
7. ________
8. ________
9. ________
10. ________
11. ________
Nortel Business Secure Router 222 Configuration — Advanced
102 Chapter 7 IP Static Route Setup
12. ________
Enter selection number:
Now, enter the index number of the static route that you want to configure.
Figure 35 Menu 12. 1: Edit IP Static Route
Menu 12.1 - Edit IP Static Route
Route #: 2
Route Name= ?
Active= No
Destination IP Address= ?
IP Subnet Mask= ?
Gateway IP Address= ?
Metric= 2
Private= No
Press ENTER to CONFIRM or ESC to CANCEL:
Table 25 describes the IP Static Route Menu fields.
Table 25 IP Static Route Menu Fields
NN47922-501
Field
Description
Route #
This is the index number of the static route that you chose in menu 12.
Route Name
Enter a descriptive name for this route. This is for identification
purposes only.
Active
This field allows you to activate or deactivate this static route.
Destination IP
Address
This parameter specifies the IP network address of the final
destination. Routing is always based on network number. If you need to
specify a route to a single host, use a subnet mask of 255.255.255.255
in the subnet mask field to force the network number to be identical to
the host ID.
IP Subnet Mask
Enter the IP subnet mask for this destination.
Gateway IP
Address
Enter the IP address of the gateway. The gateway is an immediate
neighbor of your Business Secure Router that forwards the packet to
the destination. On the LAN, the gateway must be a router on the same
segment as your Business Secure Router; over the WAN, the gateway
must be the IP address of one of the remote nodes.
Chapter 7 IP Static Route Setup 103
Table 25 IP Static Route Menu Fields
Field
Description
Metric
Enter a number from 1 to 15 to set the priority for the route among the
Business Secure Router routes. The smaller the number, the higher
priority the route has.
Private
This parameter determines if the Business Secure Router includes the
route to this remote node in its RIP broadcasts. If set to Yes, this route
is kept private and not included in RIP broadcast. If No, the route to this
remote node is propagated to other hosts through RIP broadcasts.
After you complete filling in this menu, press [ENTER] at the message
“Press ENTER to Confirm…” to save your configuration, or press [ESC]
to cancel.
Nortel Business Secure Router 222 Configuration — Advanced
104 Chapter 7 IP Static Route Setup
NN47922-501
105
Chapter 8
Dial-in User Setup
This chapter shows you how to create user accounts on the Business Secure
Router.
Dial-in User Setup
By storing user profiles locally, your Business Secure Router can authenticate
users without interacting with a network RADIUS server.
Follow the steps below to set up user profiles on your Business Secure Router.
From the main menu, enter 14 to display Menu 14 - Dial-in User Setup.
Figure 36 Menu 14- Dial-in User Setup
Menu 14 - Dial-in User Setup
1.
2.
3.
4.
5.
6.
7.
8.
________
________
________
________
________
________
________
________
9.
10.
11.
12.
13.
14.
15.
16.
________
________
________
________
________
________
________
________
17.
18.
19.
20.
21.
22.
23.
24.
________
________
________
________
________
________
________
________
25.
26.
27.
28.
29.
30.
31.
32.
________
________
________
________
________
________
________
________
Enter Menu Selection Number:
Type a number and press [ENTER] to edit the user profile.
Nortel Business Secure Router 222 Configuration — Advanced
106 Chapter 8 Dial-in User Setup
Figure 37 Menu 14.1- Edit Dial-in User
Menu 14.1 - Edit Dial-in User
User Name= test
Active= Yes
Password= ********
Press ENTER to Confirm or ESC to Cancel:
Leave name field blank to delete profile
Table 26 describes the fields in Figure 37.
Table 26 Menu 14.1- Edit Dial-in User
Field
Description
User Name
Enter a username up to 31 alphanumeric characters long for this
user profile.
This field is case sensitive.
Active
Press [SPACE BAR] to select Yes and press [ENTER] to enable the
user profile.
Password
Enter a password up to 31 characters long for this user profile.
After you complete this menu, press [ENTER] at the prompt “Press
ENTER to confirm or ESC to cancel” to save your configuration or
press [ESC] to cancel and go back to the previous screen.
NN47922-501
107
Chapter 9
Network Address Translation (NAT)
This chapter discusses how to configure NAT on the Business Secure Router.
Using NAT
Note: You must create a firewall rule in addition to setting up SUA/
NAT, to allow traffic from the WAN to be forwarded through the
Business Secure Router.
SUA (Single User Account) Versus NAT
SUA (Single User Account) is an implementation of a subset of NAT that
supports two types of mapping, Many-to-One and Server. For a detailed
description of NAT set for SUA, see“Address Mapping Sets” on page 110. The
Business Secure Router also supports Full Feature NAT to map multiple global
IP addresses to multiple private LAN IP addresses of clients or servers using
mapping types.
Note: Choose SUA Only if you have just one public WAN IP address
for your Business Secure Router.
Choose Full Feature if you have multiple public WAN IP addresses for
your Business Secure Router.
Applying NAT
You apply NAT via menus 4 or 11.1.2 (Figure 39 on page 109). Figure 38 shows
you how to apply NAT for Internet access in menu 4. Enter 4 from the main menu
to go to Menu 4 - Internet Access Setup.
Nortel Business Secure Router 222 Configuration — Advanced
108 Chapter 9 Network Address Translation (NAT)
Figure 38 Menu 4: Applying NAT for Internet Access
Menu 4 - Internet Access Setup
ISP's Name= ChangeMe
Encapsulation= Ethernet
Service Type= Standard
My Login= N/A
My Password= N/A
Retype to Confirm= N/A
Login Server= N/A
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Address= N/A
Network Address Translation= SUA Only
Press ENTER to Confirm or ESC to Cancel:
Press ENTER to Confirm or ESC to Cancel:
Figure 39 shows how you apply NAT to the remote node in menu 11.1.
Enter 11 from the main menu.
Move the cursor to the Edit IP field, press [SPACE BAR] to select Yes and then
press [ENTER] to bring up Menu 11.1.2 - Remote Node Network Layer
Options.
NN47922-501
Chapter 9 Network Address Translation (NAT) 109
Figure 39 Menu 11.1.2: Applying NAT to the Remote Node
Menu 11.1.2 - Remote Node Network Layer Options
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Addr= N/A
Network Address Translation= Full Feature
Metric= N/A
Private= N/A
RIP Direction= None
Version= N/A
Multicast= None
Enter here to CONFIRM or ESC to CANCEL:
Table 27 describes the fields in Figure 39.
Table 27 Applying NAT in Menus 4 & 11.1.2
Field
Description
Options
Network
Address
Translation
When you select this option the SMT uses Address
Mapping Set 1 (menu 15.1 - “Address Mapping Sets” on
page 110 for further discussion). Choose Full Feature if
you have multiple public WAN IP addresses for your
Business Secure Router.
When you select Full Feature you must configure at least
one address mapping set!
Full Feature
NAT is disabled when you select this option.
None
When you select this option the SMT uses Address
Mapping Set 255 (menu 15.1 - “Address Mapping Sets” on
page 110). Choose SUA Only if you have just one public
WAN IP address for your Business Secure Router.
SUA Only
Nortel Business Secure Router 222 Configuration — Advanced
110 Chapter 9 Network Address Translation (NAT)
NAT setup
Use the address mapping sets menus and submenus to create the mapping table
used to assign global addresses to computers on the LAN. You can see two NAT
address mapping sets in menu 15.1. You can only configure Set 1. Set 255 is used
for SUA. When you select Full Feature in menu 4 or 11.1.2, the SMT uses Set 1.
When you select SUA Only, the SMT uses the pre-configured Set 255 (read
only).
The server set is a list of LAN servers mapped to external ports. To use this set, a
server rule must be set up inside the NAT address mapping set. To configure
NAT, enter 15 from the main menu to bring up the screen shown in Figure 40.
Figure 40 Menu 15: NAT Setup
Menu 15 — NAT Setup
1. Address Mapping Sets
2. Port Forwarding Setup
3. Trigger Port Setup
Enter Menu Selection Number:
Note: Configure LAN IP addresses in NAT menus 15.1 and 15.2.
Address Mapping Sets
Enter 1 to bring up Menu 15.1—Address Mapping Sets.
NN47922-501
Chapter 9 Network Address Translation (NAT) 111
Figure 41 Menu 15.1: Address Mapping Sets
Menu 15.1 — Address Mapping Sets
1. NAT_SET
255. SUA (read only)
Enter Menu Selection Number:
SUA Address Mapping Set
Enter 255 to display the screen shown in Figure 42 (see “SUA (Single User
Account) Versus NAT” on page 107). The fields in this menu cannot be changed.
Nortel Business Secure Router 222 Configuration — Advanced
112 Chapter 9 Network Address Translation (NAT)
Figure 42 Menu 15.1.255: SUA Address Mapping Rules
Menu 15.1.255 - Address Mapping Rules
Set Name= SUA
Idx
Local Start IP
Local End IP
---
---------------
---------------
0.0.0.0
255.255.255.255
1.
2.
Global Start IP
---------------
Global End IP
Type
---------------
------
0.0.0.0
M-1
0.0.0.0
Server
3.
4.
5.
6.
7.
8.
9.
10.
Press ENTER to Confirm or ESC to Cancel:
Table 28 explains the fields in Figure 42.
Note: Menu 15.1.255 is read-only.
Table 28 SUA Address Mapping Rules
NN47922-501
Field
Description
Example
Set Name
This is the name of the set you selected in menu
15.1 or enter the name of a new set you want to
create.
SUA
Idx
This is the index or rule number.
1
Local Start IP
Local Start IP is the starting local IP address (ILA).
0.0.0.0
Chapter 9 Network Address Translation (NAT) 113
Table 28 SUA Address Mapping Rules
Field
Description
Example
Local End IP
Local End IP is the ending local IP address (ILA). If 255.255.255.255
the rule is for all local IPs, then the start IP is 0.0.0.0
and the end IP is 255.255.255.255.
Global Start IP
This is the starting global IP address (IGA). If you
0.0.0.0
have a dynamic IP, enter 0.0.0.0 as the Global Start
IP.
Global End IP
This is the ending global IP address (IGA).
Type
These are the mapping types discussed above. With Server
Server, you can specify multiple servers of different
types behind NAT to this machine. Examples is
found in the section “General NAT examples” on
page 121.
After you configure a rule in this menu, press
[ENTER] at the message “Press ENTER to
Confirm…” to save your configuration, or press
[ESC] to cancel.
User-Defined Address Mapping Sets
Go to menu 15.1. Enter 1 to bring up the menu shown in figure below. Look at the
differences from the previous menu. Note the extra Action and Select Rule fields
means you can configure rules in this screen. Note also that the [?] in the Set
Name field means that this is a required field and you must enter a name for the
set.
Note: The entire set is deleted if you leave the Set Name field blank and
press [ENTER] at the bottom of the screen.
Nortel Business Secure Router 222 Configuration — Advanced
114 Chapter 9 Network Address Translation (NAT)
Figure 43 Menu 15.1.1: First Set
Menu 15.1.1 - Address Mapping Rules
Set Name= NAT_SET
Idx
Local Start IP
Local End IP
---
---------------
---------------
Global Start IP
---------------
Global End IP
Type
---------------
------
1.
2
3.
4.
5.
6.
7.
8.
9.
10.
Action= Edit
Select Rule=
Press ENTER to Confirm or ESC to Cancel:
Note: The Type, Local and Global Start/End IPs are configured in
menu 15.1.1.1 (described later) and the values are displayed on the
screen shown in Figure 44.
Ordering Your Rules
Ordering your rules is important because the Business Secure Router applies the
rules in the order that you specify. When a rule matches the current packet, the
Business Secure Router takes the corresponding action and the remaining rules
are ignored. If there are any empty rules before your new configured rule, your
configured rule is pushed up by that number of empty rules. For example, if you
NN47922-501
Chapter 9 Network Address Translation (NAT) 115
have already configured rules 1 to 6 in your current set and now you configure
rule number 9. In the set summary screen, the new rule will be rule 7, not 9.
If you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so as old rule 5
becomes rule 4, old rule 6 becomes rule 5 and old rule 7 becomes rule 6.
Table 29 Fields in menu 15.1.1
Field
Description
Example
Set Name
Enter a name for this set of rules. This is a required field. If
this field is left blank, the entire set is deleted.
NAT_SET
Action
The default is Edit. Edit means you want to edit a selected
Edit
rule (see following field). Insert Before means to insert a rule
before the rule selected. The rules after the selected rule are
then moved down by one rule. Delete means to delete the
selected rule and all the rules after the selected one advance
one rule. None disables the Select Rule item.
Select Rule When you choose Edit, Insert Before or Delete in the
1
previous field, the cursor jumps to this field so you can select
the rule to apply the action in question.
Note: You must press [ENTER] at the bottom of the screen to save the
whole set. You must do this again if you make any changes to the set –
including deleting a rule. No changes to the set take place until this
action is taken.
Selecting Edit in the Action field and then selecting a rule brings up the menu
shown in Figure 44, Menu 15.1.1.1 - Address Mapping Rule in which you can
edit an individual rule and configure the Type, Local and Global Start/End IPs.
Note: An IP End address must be numerically greater than its
corresponding IP Start address.
Nortel Business Secure Router 222 Configuration — Advanced
116 Chapter 9 Network Address Translation (NAT)
Figure 44 Menu 15.1.1.1: Editing or configuring an individual rule in a set
Menu 15.1.1.1 Address Mapping Rule
Type= One-to-One
Local IP:
Start=
End
= N/A
Global IP:
Start=
End
= N/A
Press ENTER to Confirm or ESC to Cancel:
Table 30 describes the fields in Figure 44.
Table 30 Menu 15.1.1.1: Editing or configuring an individual rule in a set
Field
Description
Example
Type
Press [SPACE BAR] and then [ENTER] to select from a total
of five types. If you choose Server, you can specify multiple
servers of different types behind NAT to this computer. See
“Example 3: Multiple public IP addresses with inside servers”
on page 124 for an example.
One-to-On
e
Local IP
Only local IP fields are N/A for server; Global IP fields must be
set for Server.
Enter the starting local IP address (ILA).
0.0.0.0
Start
End
NN47922-501
Enter the ending local IP address (ILA). If the rule is for all
N/A
local IPs, then put the Start IP as 0.0.0.0 and the End IP as
255.255.255.255. This field is N/A for One-to-One and Server
types.
Chapter 9 Network Address Translation (NAT) 117
Table 30 Menu 15.1.1.1: Editing or configuring an individual rule in a set
Field
Global IP
Start
End
Description
Example
Enter the starting global IP address (IGA). If you have a
dynamic IP, enter 0.0.0.0 as the Global IP Start. Note that
Global IP Start can be set to 0.0.0.0 only if the types are
Many-to-One or Server.
0.0.0.0
Enter the ending global IP address (IGA). This field is N/A for N/A
One-to-One, Many-to-One and Server types.
After you finish configuring a rule in this menu, press [ENTER]
at the message “Press ENTER to Confirm…” to save your
configuration, or press [ESC] to cancel.
Configuring a server behind NAT
Note: If you do not assign a Default Server IP address, the Business Secure Router
discards all packets received for ports that are not specified here or in the remote
management setup.
Follow these steps to configure a server behind NAT:
1
Enter 15 in the main menu to go to Menu 15 - NAT Setup.
2
Enter 2 to go to Menu 15.2 - NAT Server Setup.
Nortel Business Secure Router 222 Configuration — Advanced
118 Chapter 9 Network Address Translation (NAT)
Figure 45 Menu 15.2: NAT Server Sets
Menu 15.2 - NAT Server Setup
Default Server: 0.0.0.0
Rule Act.
Start Port
End Port
IP Address
-----------------------------------------------------001
No
0
0
0.0.0.0
002
No
0
0
0.0.0.0
003
No
0
0
0.0.0.0
004
No
0
0
0.0.0.0
005
No
0
0
0.0.0.0
006
No
0
0
0.0.0.0
007
No
0
0
0.0.0.0
008
No
0
0
0.0.0.0
009
No
0
0
0.0.0.0
010
No
0
0
0.0.0.0
Select Command= None
Select Rule= N/A
Press ENTER to Confirm or ESC to Cancel:
3
NN47922-501
Select Edit Rule in the Select Command field; type the index number of the
NAT server you want to configure in the Select Rule field and press
[ENTER] to open Menu 15.2.1 - NAT Server Configuration (see the next
figure).
Chapter 9 Network Address Translation (NAT) 119
Figure 46 15.2.1: NAT Server Configuration
15.2.1 - NAT Server Configuration
Index= 1
----------------------------------------------------------------Name=
Active= No
Start port= 0
End port= 0
IP Address= 0.0.0.0
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this screen.
Table 31 15.2.1: NAT Server Configuration
Field
Description
Index
This is the index number of an individual port forwarding server entry.
Name
Enter a name to identify this port-forwarding rule.
Active
Press [SPACE BAR] and then [ENTER] to select Yes to enable the NAT
server entry.
Start Port
End Port
Enter a port number in the Start Port field. To forward only one port,
enter it again in the End Port field. To specify a range of ports, enter the
last port to be forwarded in the End Port field.
IP Address
Enter the inside IP address of the server.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to
Confirm…” to save your configuration, or press [ESC] at any time to cancel.
4
Enter a port number in the Start Port field. To forward only one port, enter it
again in the End Port field. To specify a range of ports, enter the last port to
be forwarded in the End Port field.
Nortel Business Secure Router 222 Configuration — Advanced
120 Chapter 9 Network Address Translation (NAT)
5
Enter the inside IP address of the server in the IP Address field. In the
following figure, you have a computer acting as an FTP, Telnet and SMTP
server (ports 21, 23 and 25) at 192.168.1.33.
6
Press [ENTER] at the “Press ENTER to confirm …” prompt to save your
configuration after you define all the servers or press [ESC] at any time to
cancel.
Figure 47 Menu 15.2: NAT Server Setup
Menu 15.2 - NAT Server Setup
Default Server: 0.0.0.0
Rule Act.
Start Port
End Port
IP Address
-----------------------------------------------------001
No
0
0
0.0.0.0
002
Yes
21
25
192.168.1.33
003
No
0
0
0.0.0.0
004
No
0
0
0.0.0.0
005
No
0
0
0.0.0.0
006
No
0
0
0.0.0.0
007
No
0
0
0.0.0.0
008
No
0
0
0.0.0.0
009
No
0
0
0.0.0.0
010
No
0
0
0.0.0.0
Select Command= None
Select Rule= N/A
Press ENTER to Confirm or ESC to Cancel:
You assign the private network IP addresses. The NAT network appears as a
single host on the Internet. A is the FTP/Telnet/SMTP server.
NN47922-501
Chapter 9 Network Address Translation (NAT) 121
Figure 48 Multiple servers behind NAT example
Business Secure Router
General NAT examples
The following are some examples of NAT configuration.
Internet access only
In the Internet access example shown in Figure 49, you only need one rule where
all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global
Address) assigned by your ISP.
Figure 49 NAT Example 1
Business Secure Router
Nortel Business Secure Router 222 Configuration — Advanced
122 Chapter 9 Network Address Translation (NAT)
Figure 50 Menu 4: Internet access & NAT example
Menu 4 - Internet Access Setup
ISP's Name= ChangeMe
Encapsulation= Ethernet
Service Type= Standard
My Login= N/A
My Password= N/A
Login Server IP= N/A
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Address= N/A
Network Address Translation= SUA Only
Press ENTER to Confirm or ESC to Cancel:
From menu 4 shown above, simply choose the SUA Only option from the
Network Address Translation field. This is the Many-to-One mapping
discussed in section “General NAT examples” on page 121. The SUA Only
read-only option from the Network Address Translation field in menus 4 and
11.1.2 is specifically preconfigured to handle this case.
NN47922-501
Chapter 9 Network Address Translation (NAT) 123
Example 2: Internet access with an inside server
Figure 51 NAT Example 2
Business Secure Router
In this case, you do exactly as shown in Figure 51 (use the convenient
pre-configured SUA Only set), and also go to menu 15.2 to specify the Inside
Server behind the NAT as shown in Figure 52.
Nortel Business Secure Router 222 Configuration — Advanced
124 Chapter 9 Network Address Translation (NAT)
Figure 52 Menu 15.2: Specifying an inside server
Menu 15.2 - NAT Server Setup
Default Server: 192.168.1.10
Rule Act.
Start Port
End Port
IP Address
-----------------------------------------------------001
No
0
0
0.0.0.0
002
No
0
0
0.0.0.0
003
No
0
0
0.0.0.0
004
No
0
0
0.0.0.0
005
No
0
0
0.0.0.0
006
No
0
0
0.0.0.0
007
No
0
0
0.0.0.0
008
No
0
0
0.0.0.0
009
No
0
0
0.0.0.0
010
No
0
0
0.0.0.0
Select Command= None
Select Rule= N/A
Press ENTER to Confirm or ESC to Cancel:
Example 3: Multiple public IP addresses with inside servers
In this example, there are 3 IGAs from our ISP. There are many departments but
two have their own FTP server. All departments share the same router. The
example reserves one IGA for each department with an FTP server and all
departments use the other IGA. Map the FTP servers to the first two IGAs and the
other LAN traffic to the remaining IGA. Map the third IGA to an inside web
server and mail server. Four rules need to be configured, two bi-directional and
two uni-directional, as follows.
NN47922-501
1
Map the first IGA to the first inside FTP server for FTP traffic in both
directions (1 : 1 mapping, giving both local and global IP addresses).
2
Map the second IGA to the second internal FTP server for FTP traffic in both
directions (1 : 1 mapping, giving both local and global IP addresses).
3
Map the other outgoing LAN traffic to IGA3 (Many : 1 mapping).
4
You also map your third IGA to the web server and mail server on the LAN. If
you choose type Server, you can specify multiple servers, of different types,
to other computers behind NAT on the LAN.
Chapter 9 Network Address Translation (NAT) 125
The example situation looks like this:
Figure 53 NAT example 3
Business Secure Router
1
In this case you must configure Address Mapping Set 1 from Menu 15.1 Address Mapping Sets. Therefore, you must choose the Full Feature
option from the Network Address Translation field (in menu 4 or menu
11.1.2) (see Figure 54).
2
Enter 15 from the main menu.
3
Enter 1 to configure the Address Mapping Sets.
4
Enter 1 to begin configuring this new set. Enter a Set Name, choose the Edit
Action and then enter 1 for the Select Rule field. Press [ENTER] to confirm.
5
Select Type as One-to-One (direct mapping for packets going both ways),
and enter the local Start IP as 192.168.1.10 (the IP address of FTP Server 1),
the global Start IP as 10.132.50.1 (our first IGA). (see Figure 55).
6
Repeat the previous step for rules 2 to 4 as outlined above.
7
When finished, menu 15.1.1 looks like as shown in Figure 56.
Nortel Business Secure Router 222 Configuration — Advanced
126 Chapter 9 Network Address Translation (NAT)
Figure 54 Example 3: Menu 11.1.2
Menu 11.1.2 - Remote Node Network Layer Options
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Addr= N/A
Network Address Translation= Full Feature
Metric= N/A
Private= N/A
RIP Direction= None
Version= N/A
Enter here to CONFIRM or ESC to CANCEL:
Figure 55 shows how to configure the first rule.
NN47922-501
Chapter 9 Network Address Translation (NAT) 127
Figure 55 Example 3: Menu 15.1.1.1
Menu 15.1.1.1 Address Mapping Rule
Type= One-to-One
Local IP:
Start= 192.168.1.10
End
= N/A
Global IP:
Start= 10.132.50.1
End
= N/A
Press ENTER to Confirm or ESC to Cancel:
Nortel Business Secure Router 222 Configuration — Advanced
128 Chapter 9 Network Address Translation (NAT)
Figure 56 Example 3: Final Menu 15.1.1
Menu 15.1.1 - Address Mapping Rules
Set Name= Example3
Idx
Local Start IP
Local End IP
---
---------------
---------------
Global Start IP
---------------
Global End IP
Type
---------------
------
1. 192.168.1.10
10.132.50.1
1-1
2
10.132.50.2
1-1
10.132.50.3
M-1
192.168.1.11
3. 0.0.0.0
255.255.255.255
4.
10.132.50.3
Server
5.
6.
7.
8.
9.
10.
Action= Edit
Select Rule=
Now configure the IGA3 to map to our web server and mail server on the LAN.
NN47922-501
8
Enter 15 from the main menu.
9
Now enter 2 from this menu and configure it as shown in Example 3: Menu
15.2.
Chapter 9 Network Address Translation (NAT) 129
Figure 57 Example 3: Menu 15.2
Menu 15.2 - NAT Server Setup
Default Server: 0.0.0.0
Rule Act.
Start Port
End Port
IP Address
-----------------------------------------------------001
Yes
80
80
192.168.1.21
002
Yes
25
25
192.168.1.20
003
No
0
0
0.0.0.0
004
No
0
0
0.0.0.0
005
No
0
0
0.0.0.0
006
No
0
0
0.0.0.0
007
No
0
0
0.0.0.0
008
No
0
0
0.0.0.0
009
No
0
0
0.0.0.0
010
No
0
0
0.0.0.0
Select Command= None
Select Rule= N/A
Press ENTER to Confirm or ESC to Cancel:
Configuring Trigger Port forwarding
Note: Only one LAN computer can use a trigger port (range) at a time.
Enter 3 in menu 15 to display Menu 15.3 — Trigger Port Setup, shown in
Figure 58.
Nortel Business Secure Router 222 Configuration — Advanced
130 Chapter 9 Network Address Translation (NAT)
Figure 58 Menu 15.3: Trigger Port Setup
Menu 15.3 - Trigger Port Setup
Incoming
Rule
Name
Start Port
Trigger
End Port
Start Port
End Port
---------------------------------------------------------------------1. Real Audio
6970
7170
7070
7070
2.
0
0
0
0
3.
0
0
0
0
4.
0
0
0
0
5.
0
0
0
0
6.
0
0
0
0
7.
0
0
0
0
8.
0
0
0
0
9.
0
0
0
0
10.
0
0
0
0
11.
0
0
0
0
12.
0
0
0
0
Press ENTER to Confirm or ESC to Cancel:
Table 32 describes the fields in Figure 58.
Table 32 Menu 15.3: Trigger Port setup description
NN47922-501
Field
Description
Example
Rule
This is the rule index number.
1
Name
Enter a unique name for identification purposes. You can enter
up to 15 characters in this field. All characters are permitted including spaces.
Real
Audio
Incoming
Incoming is a port (or a range of ports) that a server on the WAN uses when
it sends out a particular service. The Business Secure Router forwards the
traffic with this port (or range of ports) to the client computer on the LAN that
requested the service.
Start Port
Enter a port number or the starting port number in a range of
port numbers.
6970
Chapter 9 Network Address Translation (NAT) 131
Table 32 Menu 15.3: Trigger Port setup description
Field
Description
Example
End Port
Enter a port number or the ending port number in a range of port 7170
numbers.
Trigger
The trigger port is a port (or a range of ports) that causes (or
triggers) the Business Secure Router to record the IP address of
the LAN computer that sent the traffic to a server on the WAN.
Start Port
Enter a port number or the starting port number in a range of
port numbers.
End Port
Enter a port number or the ending port number in a range of port 7070
numbers.
7070
Press [ENTER] at the message “Press ENTER to Confirm...” to
save your configuration, or press [ESC] at any time to cancel.
Nortel Business Secure Router 222 Configuration — Advanced
132 Chapter 9 Network Address Translation (NAT)
NN47922-501
133
Chapter 10
Introducing the firewall
This chapter shows you how to get started with the firewall.
Using SMT menus
From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall
Configuration to display the screen shown in Figure 59.
Figure 59 Menu 21: Filter and Firewall Setup
Menu 21 - Filter and Firewall Setup
1. Filter Setup
2. Firewall Setup
Enter Menu Selection Number:
Activating the firewall
Enter option 2 in this menu to bring up the screen shown in Figure 60. Press
[SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the
firewall. The firewall must be active to protect against Denial of Service (DoS)
attacks. Use the WebGUI to configure firewall rules.
Nortel Business Secure Router 222 Configuration — Advanced
134 Chapter 10 Introducing the firewall
Figure 60 Menu 21.2: Firewall Setup
Menu 21.2 - Firewall Setup
The firewall protects against Denial of Service (DoS) attacks when
it is active.
Your network is vulnerable to attacks when the firewall is turned off.
Refer to the User’s Guide for details about the firewall default
policies.
You may define additional Policy rules or modify existing ones but
please exercise extreme caution in doing so.
Active: Yes
You can use the WebGUI to configure the firewall.
Press ENTER to Confirm or ESC to Cancel:
Note: Configure the firewall rules using the WebGUI or CLI
commands.
NN47922-501
135
Chapter 11
Filter configuration
This chapter shows you how to create and apply filters.
Introduction to filters
Your Business Secure Router uses filters to decide whether to allow passage of a
data packet, make a call, or both. There are two types of filter applications: data
filtering and call filtering. Filters are subdivided into device and protocol filters.
Data filtering screens the data to determine if the packet is allowed to pass. Data
filters are divided into incoming and outgoing filters, depending on the direction
of the packet relative to a port. Data filtering can be applied on either the WAN
side or the LAN side. Call filtering is used to determine if a packet is allowed to
trigger a call. Remote node call filtering is only applicable when using PPPoE
encapsulation. Outgoing packets must undergo data filtering before they
encounter call filtering as shown in Figure 61.
Nortel Business Secure Router 222 Configuration — Advanced
136 Chapter 11 Filter configuration
Figure 61 Outgoing packet filtering process
C
all Filtering
A
ctiveD
ata
O
utgoing
P
acket
D
ata
Filtering
N
o
m
atch
M
atch
D
rop
packet
B
uilt-in
default
C
all Filters
N
o
m
atch
U
ser-defined
C
all Filters
(if applicable)
M
atch
D
roppacket
if linenot up
N
o
m
atch
Initiatecall
if linenot up
S
endpacket
andreset
IdleTim
er
M
atch
D
roppacket
if linenot up
O
r
O
r
S
endpacket
but donot reset
IdleTim
er
S
endpacket
but donot reset
IdleTim
er
For incoming packets, your Business Secure Router applies data filters only.
Packets are processed depending upon whether a match is found. The following
sections describe how to configure filter sets.
Filter Structure
A filter set consists of one or more filter rules. Usually, you group related rules,
for example, all the rules for NetBIOS, into a single set and give it a descriptive
name. With the Business Secure Router, you can configure up to twelve filter sets
with six rules in each set, for a total of 72 filter rules in the system. You cannot
mix device filter rules and protocol filter rules within the same set. You can apply
up to four filter sets to a particular port to block multiple types of packets. With
each filter set having up to six rules, you can have a maximum of 24 rules active
for a single port.
Sets of factory default filter rules are configured in menu 21 to prevent NetBIOS
traffic from triggering calls and to prevent incoming Telnet sessions. A summary
of their filter rules is shown in the figures that follow.
Figure 62 illustrates the logic flow when executing a filter rule. Also see
Figure 66 for the logic flow when executing an IP filter.
NN47922-501
Chapter 11 Filter configuration 137
Figure 62 Filter rule process
Start
Packet into
filter
Fetch First
Filter Set
Filter Set
Fetch Next
Filter Set
Fetch First
Filter Rule
Fetch Next
Filter Rule
Yes
Yes
Next Filter Set
Available?
No
Next filter
Rule
Available?
No
Active?
Yes
No
Check
Next
Rule
Execute
Filter Rule
Forward
Drop
Drop Packet
Accept Packet
You can apply up to four filter sets to a particular port to block multiple types of
packets. With each filter set having up to six rules, you can have a maximum of 24
rules active for a single port.
Nortel Business Secure Router 222 Configuration — Advanced
138 Chapter 11 Filter configuration
Configuring a Filter Set
The Business Secure Router includes filtering for NetBIOS over TCP/IP packets
by default. To configure another filter set, follow the procedure below.
1
Enter 21 in the main menu to open menu 21.
Figure 63 Menu 21: Filter and Firewall Setup
Menu 21 - Filter and Firewall Setup
1. Filter Setup
2. Firewall Setup
Enter Menu Selection
Number:
NN47922-501
Chapter 11 Filter configuration 139
2
Enter 1 to bring up the menu 21.1.
Figure 64 Menu 21.1: Filter Set Configuration
Menu 21.1 - Filter Set Configuration
Filter
Filter
Set #
Comments
Set #
Comments
------
-----------------
------
-----------------
1
_______________
7
_______________
2
_______________
8
_______________
3
_______________
9
_______________
4
_______________
10
_______________
5
_______________
11
_______________
6
_______________
12
_______________
Enter Filter Set Number to Configure= 0
Edit Comments= N/A
Press ENTER to Confirm or ESC to Cancel:
3
Select the filter set you wish to configure (1-12) and press [ENTER].
4
Enter a descriptive name or comment in the Edit Comments field and press
[ENTER].
5
Press [ENTER] at the message “Press ENTER to confirm” to open Menu
21.1.1 - Filter Rules Summary.
The screen shown in Figure 65 shows the summary of the existing rules in the
filter set. Table 33 and Table 34 contain a brief description of the abbreviations
used in the previous menus.
Nortel Business Secure Router 222 Configuration — Advanced
140 Chapter 11 Filter configuration
Table 33 Abbreviations used in the Filter Rules Summary Menu
Field
Description
#
The filter rule number: 1 to 6.
A
Active: “Y” means the rule is active. “N” means the rule is inactive.
Type
The type of filter rule: “GEN” for Generic, “IP” for TCP/IP.
Filter Rules These parameters are displayed here.
M
More:
“Y” means there are more rules to check which form a rule chain with the
present rule. An action cannot be taken until the rule chain is complete.
“N” means there are no more rules to check. You can specify an action to be
taken for example, forward the packet, drop the packet or check the next
rule. For the latter, the next rule is independent of the rule just checked.
m
Action Matched:
“F” means to forward the packet immediately and skip checking the
remaining rules.
“D” means to drop the packet.
“N“ means to check the next rule.
n
Action Not Matched:
“F” means to forward the packet immediately and skip checking the
remaining rules.
“D” means to drop the packet.
“N” means to check the next rule.
Table 34 Rule abbreviations used
Abbreviation
Description
IP
Pr Protocol
SA Source Address
SP Source Port number
DA Destination Address
DP Destination Port number
GEN
Off Offset
Len Length
The next section provides information on configuring the filter rules.
NN47922-501
Chapter 11 Filter configuration 141
Configuring a Filter Rule
To configure a filter rule, type its number in Menu 21.1.1 - Filter Rules
Summary and press [ENTER] to open menu 21.1.1.1 for the rule.
To speed up filtering, all rules in a filter set must be of the same class, for
example, protocol filters or generic filters. The class of a filter set is determined
by the first rule that you create. When applying the filter sets to a port, separate
menu fields are provided for protocol and device filter sets. If you include a
protocol filter set in a device filter field or vice versa, the Business Secure Router
warns you and prevents you from saving.
Configuring a TCP/IP Filter Rule
This section shows you how to configure a TCP/IP filter rule. Using TCP/IP rules,
you can base the rule on the fields in the IP and the upper layer protocol, for
example, UDP and TCP headers.
To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field
and press [ENTER] to open Menu 21.1.1.1 - TCP/IP Filter Rule, as shown in
Figure 65.
Nortel Business Secure Router 222 Configuration — Advanced
142 Chapter 11 Filter configuration
Figure 65 Menu 21.1.1.1: TCP/IP Filter Rule
Menu 21.1.1.2 - TCP/IP Filter Rule
Filter #: 1,2
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 0
IP Source Route= No
Destination: IP Addr=
IP Mask=
Port #=
Port # Comp= None
Source: IP Addr=
IP Mask=
Port #=
Port # Comp= None
TCP Estab= N/A
More= No
Log= None
Action Matched= Check Next Rule
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
Table 35 describes how to configure your TCP/IP filter rule.
Table 35 TCP/IP Filter Rule Menu fields
Field
Description
Active
Press [SPACE BAR] and then [ENTER] to select Yes Yes
to activate the filter rule or No to deactivate it.
No
IP Protocol
Protocol refers to the upper layer protocol, for
0-255
example, TCP is 6, UDP is 17 and ICMP is 1. Type a
value between 0 and 255. A value of 0 matches ANY
protocol.
IP Source Route
Press [SPACE BAR] and then [ENTER] to select Yes Yes
to apply the rule to packets with an IP source route
No
option. Otherwise the packets must not have a
source route option. The majority of IP packets do
not have source route.
Destination
NN47922-501
Options
Chapter 11 Filter configuration 143
Table 35 TCP/IP Filter Rule Menu fields
Field
Description
Options
IP Address
Enter the destination IP Address of the packet you
wish to filter. This field is ignored if it is 0.0.0.0.
0.0.0.0
IP Mask
Enter the IP mask to apply to the Destination: IP
Addr.
0.0.0.0
Port #
Enter the destination port of the packets that you
wish to filter. The range of this field is 0 to 65 535.
This field is ignored if it is 0.
0-65535
Port # Comp
Press [SPACE BAR] and then [ENTER] to select the
comparison to apply to the destination port in the
packet against the value given in Destination: Port
#.
None
Less
Greater
Equal
Not Equal
IP Address
Enter the source IP Address of the packet you wish
to filter. This field is ignored if it is 0.0.0.0.
0.0.0.0
IP Mask
Enter the IP mask to apply to the Source: IP Addr.
0.0.0.0
Port #
Enter the source port of the packets that you wish to 0-65535
filter. The range of this field is 0 to 65 535. This field
is ignored if it is 0.
Port # Comp
Press [SPACE BAR] and then [ENTER] to select the None
comparison to apply to the source port in the packet Less
against the value given in Source: Port #.
Greater
Equal
Not Equal
TCP Estab
This field is applicable only when the IP Protocol field Yes
is 6, TCP. Press [SPACE BAR] and then [ENTER] to No
select Yes to have the rule match packets that want
to establish a TCP connection (SYN=1 and ACK=0);
if No, it is ignored.
More
Press [SPACE BAR] and then [ENTER] to select Yes Yes
or No. If Yes, a matching packet is passed to the
No
next filter rule before an action is taken; if No, the
packet is disposed of according to the action fields.
If More is Yes, then Action Matched and Action
Not Matched will be N/A.
Source
Nortel Business Secure Router 222 Configuration — Advanced
144 Chapter 11 Filter configuration
Table 35 TCP/IP Filter Rule Menu fields
Field
Description
Options
Log
Press [SPACE BAR] and then [ENTER] to select a
logging option from the following:
None – No packets are logged.
Action Matched - Only packets that match the rule
parameters are logged.
Action Not Matched - Only packets that do not
match the rule parameters are logged.
Both – All packets are logged.
None
Action
Matched
Action Not
Matched
Both
Action Matched
Press [SPACE BAR] and then [ENTER] to select the Check Next
action for a matching packet.
Rule
Forward
Drop
Action Not Matched
Press [SPACE BAR] and then [ENTER] to select the Check Next
action for a packet not matching the rule.
Rule
Forward
Drop
After you configure Menu 21.1.1.1 - TCP/IP Filter
Rule, press [ENTER] at the message “Press ENTER
to Confirm” to save your configuration, or press
[ESC] to cancel. This data is displayed on Menu
21.1.1 - Filter Rules Summary.
Figure 66 illustrates the logic flow of an IP filter.
NN47922-501
Chapter 11 Filter configuration 145
Figure 66 Executing an IP filter
Packet
into IP Filter
Filter Active?
No
Yes
Apply SrcAddrMask
to Src Addr
Check Src
IP Addr
Not Matched
Matched
Apply DestAddrMask
to Dest Addr
Check Dest
IP Addr
Not Matched
Matched
Check
IP Protocol
Not Matched
Matched
Check Src &
Dest Port
Not Matched
Matched
More?
Yes
No
Action Matched
Drop
Drop Packet
Action Not Matched
Check Next Rule
Check Next Rule
Drop
Forward
Forward
Check Next Rule
Accept Packet
Nortel Business Secure Router 222 Configuration — Advanced
146 Chapter 11 Filter configuration
Configuring a Generic Filter Rule
This section shows you how to configure a generic filter rule. With generic rules
you can filter non-IP packets. For IP packets, it is generally easier to use the IP
rules directly.
For generic rules, the Business Secure Router treats a packet as a byte stream as
opposed to an IP or IPX packet. You specify the portion of the packet to check
with the Offset (from 0) and the Length fields, both in bytes. The Business
Secure Router applies the Mask (using the bit-wise-AND action) to the data
portion before comparing the result against the Value to determine a match. The
Mask and Value are specified in hexadecimal numbers. Note that it takes two
hexadecimal digits to represent a byte, so if the length is 4, the value in either field
will take 8 digits, for example, FFFFFFFF.
To configure a generic rule, select Generic Filter Rule in the Filter Type field
in menu 21.1.4.1 and press [ENTER] to open Generic Filter Rule, as shown in
Figure 67.
Figure 67 Menu 21.1.1.1: Generic Filter Rule
Menu 21.1.1.1 - Generic Filter Rule
Filter #: 1,1
Filter Type= Generic Filter Rule
Active= No
Offset= 0
Length= 0
Mask= N/A
Value= N/A
More= No
Log= None
Action Matched= Check Next Rule
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
NN47922-501
Chapter 11 Filter configuration 147
Table 36 describes the fields in the Generic Filter Rule menu.
Table 36 Generic Filter Rule Menu fields
Field
Description
Options
Filter #
This is the filter set, filter rule coordinates, for example, 2,3
refers to the second filter set and the third rule of that set.
Filter
Type
Use [SPACE BAR] and then [ENTER] to select a rule type.
Parameters displayed below each type will be different. TCP/
IP filter rules are used to filter IP packets while generic filter
rules allow filtering of non-IP packets.
Generic Filter
Rule
TCP/IP Filter
Rule
Active
Select Yes to turn on the filter rule or No to turn it off.
Yes / No
Offset
Enter the starting byte of the data portion in the packet that
you wish to compare. The range for this field is from 0 to
255.
0-255
Length
Enter the byte count of the data portion in the packet that you 0-8
wish to compare. The range for this field is 0 to 8.
Mask
Enter the mask (in Hexadecimal notation) to apply to the
data portion before comparison.
Value
Enter the value (in Hexadecimal notation) to compare with
the data portion.
More
If Yes, a matching packet is passed to the next filter rule
Yes
before an action is taken; or the packet is disposed of
No
according to the action fields.
If More is Yes, then Action Matched and Action Not Matched
are No.
Log
Select the logging option from the following:
None - No packets are logged.
Action Matched - Only packets that match the rule
parameters are logged.
Action Not Matched - Only packets that do not match the
rule parameters are logged.
Both – All packets are logged.
None
Action
Matched
Action Not
Matched
Both
Action
Matched
Select the action for a packet matching the rule.
Check Next
Rule
Forward
Drop
Nortel Business Secure Router 222 Configuration — Advanced
148 Chapter 11 Filter configuration
Table 36 Generic Filter Rule Menu fields
Field
Description
Options
Action
Not
Matched
Select the action for a packet not matching the rule.
Check Next
Rule
Forward
Drop
After you complete filling in Menu 21.1.1.1 - Generic Filter
Rule, press [ENTER] at the message “Press ENTER to
Confirm” to save your configuration, or press [ESC] to
cancel. This data is now be displayed on Menu 21.1.1 Filter Rules Summary.
Example Filter
The example shown in Figure 68 is set to block outside users from accessing the
Business Secure Router via Telnet. See the included disk for more Filter Rules
example.
Figure 68 Telnet filter Example
Business Secure Router
NN47922-501
1
Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup.
2
Enter 1 to open Menu 21.1 - Filter Set Configuration.
Chapter 11 Filter configuration 149
3
Enter the index of the filter set you wish to configure (for example 3) and
press [ENTER].
4
Enter a descriptive name or comment in the Edit Comments field and press
[ENTER].
5
Press [ENTER] at the message [Press ENTER to confirm] to open Menu
21.1.3 - Filter Rules Summary.
6
Enter 1 to configure the first filter rule (the only filter rule of this set). Make
the entries in this menu as shown in Figure 69.
Figure 69 Example Filter: Menu 21.1.3.1
Menu 21.1.3.1 - TCP/IP Filter Rule
Filter #: 3,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6
IP Source Route= No
Destination: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 23
Port # Comp= Equal
Source: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 0
Port # Comp= None
TCP Estab= No
More= No
Log= None
Action Matched= Drop
Action Not Matched= Forward
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
When you press [ENTER] to confirm, the screen shown in Figure 70 is displayed.
Note that there is only one filter rule in this set. The screen shows you that you
have configured and activated (A = Y) a TCP/IP filter rule (Type = IP, Pr = 6) for
destination Telnet ports (DP = 23). M = N means an action can be taken
immediately. The action is to drop the packet (m = D) if the action is matched and
to forward the packet immediately (n = F) if the action is not matched, whether or
not there are more rules to be checked (there are none in this example).
Nortel Business Secure Router 222 Configuration — Advanced
150 Chapter 11 Filter configuration
Figure 70 Example Filter Rules Summary: Menu 21.1.3
Menu 21.1.3 - Filter Rules Summary
# A Type
Filter Rules
M m n
- - ---- --------------------------------------------------------------- - 1 Y IP
Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23
N D F
2 N
3 N
4 N
5 N
6 N
Enter Filter Rule Number (1-6) to Configure: 1
After you have created the filter set, you must apply it.
NN47922-501
1
Enter 11 from the main menu to go to menu 11.
2
Then enter 1 to open Menu 11.1 Remote Node Profile.
3
Go to the Edit Filter Sets field, press [SPACE BAR] to select Yes and press
[ENTER].
4
This brings you to menu 11.1.4. Apply a filter set (our example is filter set 3)
as shown in Figure 73.
5
After you enter the set numbers, press [ENTER] to confirm and leave menu
11.1.4.
Chapter 11 Filter configuration 151
Filter Types and NAT
There are two classes of filter rules, Generic Filter (Device) rules and protocol
filter (TCP/IP) rules. Generic filter rules act on the raw data that’s going through
between LAN and WAN. Protocol filter rules act on the IP packets. Generic and
TCP/IP filter rules are discussed in more detail in the next section. When NAT
(Network Address Translation) is enabled, the inside IP address and port number
are replaced on a connection-by-connection basis, which makes it impossible to
know the exact address and port on the wire. Therefore, the Business Secure
Router applies the protocol filters to the native IP address and port number before
NAT for outgoing packets and after NAT for incoming packets. On the other
hand, the generic, or device filters are applied to the raw packets that appear on
the wire. They are applied at the point when the Business Secure Router is
receiving and sending the packets; for example. the interface. The interface can be
an Ethernet port or any other hardware port, as illustrated in Figure 71.
Figure 71 Protocol and Device Filter Sets
Firewall Versus Filters
Firewall configuration is discussed in Chapter 10, “Introducing the firewall,” on
page 133 chapters of this manual. Further comparisons are also made between
filtering, NAT and the firewall.
Nortel Business Secure Router 222 Configuration — Advanced
152 Chapter 11 Filter configuration
Applying a Filter
This section shows you where to apply the filters after you design them. The
Business Secure Router already has filters to prevent NetBIOS traffic from
triggering calls, and block incoming Telnet, FTP and HTTP connections.
Note: Nortel recommends that you apply filters if you do not activate
the firewall.
Applying LAN Filters
LAN traffic filter sets are useful to block certain packets, reduce traffic and
prevent security breaches. Go to menu 3.1 (shown next) and enter the numbers of
the filter sets that you want to apply, as appropriate. You can choose up to four
filter sets (from twelve) by entering their numbers separated by commas, for
example., 3, 4, 6, 11. Input filter sets filter incoming traffic to the Business Secure
Router and output filter sets filter outgoing traffic from the Business Secure
Router. For PPPoE or PPTP encapsulation, you have the additional option of
specifying remote node call filter sets.
Figure 72 Filtering LAN Traffic
Menu 3.1 – LAN Port Filter Setup
Input Filter Sets:
protocol filters=
device filters=
Output Filter Sets:
protocol filters=
device filters=
Ethernet Interface= 10BaseT
Input Filter Sets=
Output Filter Sets=
Press ENTER to Confirm or ESC to Cancel:
NN47922-501
Chapter 11 Filter configuration 153
Applying Remote Node Filters
Go to menu 11.1.4 (shown in Figure 73 – note that call filter sets are only present
for PPPoE encapsulation) and enter the numbers of the filter sets, as appropriate.
You can cascade up to four filter sets by entering their numbers separated by
commas. The Business Secure Router already has filters to prevent NetBIOS
traffic from triggering calls, and to block incoming Telnet, FTP and HTTP
connections.
Figure 73 Filtering Remote Node Traffic
Menu 11.1.4 – Remote Node Filter Setup
Input Filter Sets:
protocol filters=
device filters=
Output Filter Sets:
protocol filters=
device filters=
Press ENTER to Confirm or ESC to Cancel:
Nortel Business Secure Router 222 Configuration — Advanced
154 Chapter 11 Filter configuration
NN47922-501
155
Chapter 12
SNMP Configuration
This chapter explains SNMP configuration menu 22.
Note: SNMP is only available if TCP/IP is configured.
SNMP Configuration
To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP
Configuration as shown next. The community for Get, Set and Trap fields is
SNMP terminology for password.
Figure 74 Menu 22: SNMP Configuration
Menu 22 - SNMP Configuration
SNMP:
Get Community= PlsChgMe!RO
Set Community= PlsChgMe!RW
Trusted Host= 0.0.0.0
Trap:
Community=
Destination= 0.0.0.0
Press ENTER to Confirm or ESC to Cancel:
Nortel Business Secure Router 222 Configuration — Advanced
156 Chapter 12 SNMP Configuration
Table 37 describes the SNMP configuration parameters.
Table 37 SNMP Configuration Menu Fields
Field
Description
Example
Get Community
Type the Get community, which is the password for
the incoming Get- and GetNext requests from the
management station.
Public
(default)
Set Community
Type the Set community, which is the password for
incoming Set requests from the management
station.
Public
(default)
Trusted Host
If you enter a trusted host, your Business Secure
Router will only respond to SNMP messages from
this address. A blank (default) field means your
Business Secure Router will respond to all SNMP
messages it receives, regardless of source.
0.0.0.0
Trap
Community
Type the Trap community, which is the password
sent with each trap to the SNMP manager.
Public
Destination
Type the IP address of the station to send your
SNMP traps to.
0.0.0.0
After you complete this menu, press [ENTER] at the
prompt “Press [ENTER] to confirm or [ESC] to
cancel” to save your configuration or press [ESC] to
cancel and go back to the previous screen.
SNMP Traps
The Business Secure Router will sends traps to the SNMP manager when any one
of the following events occurs:
Table 38 SNMP Traps
NN47922-501
Trap #
Trap Name
Description
0
coldStart (defined in
RFC-1215)
A trap is sent after booting (power on).
1
warmStart (defined in
RFC-1215)
A trap is sent after booting (software reboot).
4
authenticationFailure (defined A trap is sent to the manager when receiving
in RFC-1215)
any SNMP get or set requirements with the
wrong community (password).
Chapter 12 SNMP Configuration 157
Table 38 SNMP Traps
Trap #
Trap Name
Description
6
whyReboot (defined in MIB)
A trap is sent with the reason of restart
before rebooting when the system is going to
restart (warm start).
6a
For intentional reboot:
A trap is sent with the message "System
reboot by user!" if reboot is done
intentionally, (for example, download new
files, CI command "sys reboot", and others).
6b
For fatal error:
A trap is sent with the message of the fatal
code if the system reboots because of fatal
errors.
Nortel Business Secure Router 222 Configuration — Advanced
158 Chapter 12 SNMP Configuration
NN47922-501
159
Chapter 13
System security
This chapter describes how to configure the system security on the Business
Secure Router.
System security
You can configure the system password, an external RADIUS server and 802.1x
in this menu.
System password
Figure 75 Menu 23 System security
Menu 23 - System Security
1. Change Password
2. RADIUS Server
4. IEEE802.1x
Enter Menu Selection Number:
Nortel recommends you change the default password. If you forget your
password, you have to restore the default configuration file. For more
information, see “Restoring the factory-default configuration settings” in Nortel
Business Secure Router 222 Configuration — Basics (NN47922-500).
Nortel Business Secure Router 222 Configuration — Advanced
160 Chapter 13 System security
Configuring external RADIUS server
Enter 23 in the main menu to display Menu 23 – System security.
Figure 76 Menu 23 system security
Menu 23 - System Security
1. Change Password
2. RADIUS Server
4. IEEE802.1x
Enter Menu Selection Number:
From Menu 23- System Security, enter 2 to display Menu 23.2 – System
Security – RADIUS Server, as shown in Figure 77.
Figure 77 Menu 23.2 System Security: RADIUS server
Menu 23.2 - System Security - RADIUS Server
Authentication Server:
Active= No
Server Address= 0.0.0.0
Port #= 1812
Shared Secret= ********
Accounting Server:
Active= No
Server Address= 0.0.0.0
Port #= 1813
Shared Secret= ********
Press ENTER to Confirm or ESC to Cancel:
NN47922-501
Chapter 13 System security 161
Table 39 describes the fields in Figure 77.
Table 39 Menu 23.2 System Security: RADIUS Server
Field
Description
Authentication
Server
Active
Press [SPACE BAR] to select Yes and press [ENTER] to enable
user authentication through an external authentication server.
Server Address
Enter the IP address of the external authentication server in dotted
decimal notation.
Port #
The default port of the RADIUS server for authentication is 1812.
You need not change this value unless your network administrator
instructs you to do so with additional information.
Shared Secret
Specify a password (up to 31 alphanumeric characters) as the key
to be shared between the external authentication server and the
Business Secure Router.
The key is not sent over the network. This key must be the same on
the external authentication server and Business Secure Router.
Accounting Server
Active
Press [SPACE BAR] to select Yes and press [ENTER] to enable
user authentication through an external accounting server.
Server Address
Enter the IP address of the external accounting server in dotted
decimal notation.
Port #
The default port of the RADIUS server for accounting is 1813.
You need not change this value unless your network administrator
instructs you to do so with additional information.
Shared Secret
Specify a password (up to 31 alphanumeric characters) as the key
to be shared between the external accounting server and the
Business Secure Router.
The key is not sent over the network. This key must be the same on
the external accounting server and Business Secure Router.
After you complete this menu, press [ENTER] at the prompt “Press ENTER to confirm or
ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the
previous screen.
Nortel Business Secure Router 222 Configuration — Advanced
162 Chapter 13 System security
IEEE 802.1x
The IEEE 802.1x standards outline enhanced security methods for both the
authentication of users and encryption key management.
Follow the steps below to enable EAP authentication on your Business Secure
Router.
1
From the main menu, enter 23 to display Menu23 – System Security.
Figure 78 Menu 23 System Security
Menu 23 - System Security
1. Change Password
2. RADIUS Server
4. IEEE802.1x
Enter Menu Selection Number:
2
Enter 4 to display Menu 23.4 – System Security – IEEE802.1x.
Figure 79 Menu 23.4 System Security: IEEE802.1x
Menu 23.4 - System Security - IEEE802.1x
Port Control= Authentication Required
ReAuthentication Timer (in second)= 1800
Idle Timeout (in second)= 3600
Authentication Databases= Local User Database Only
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
NN47922-501
Chapter 13 System security 163
Table 40 describes the fields in Figure 79.
Table 40 Menu 23.4 System Security: IEEE802.1x
Field
Description
Port Control
Press [SPACE BAR] and select a security mode.
Select No Authentication Required to allow any computer access
to your network without entering usernames and passwords. This is
the default setting.
Selecting Authentication Required means computers have to enter
usernames and passwords before access to the network is allowed.
Select No Access Allowed to block all computers from accessing
the network.
The following fields are not available when you select No
Authentication Required or No Access Allowed.
ReAuthentication
Timer (in second)
Specify how often a client has to reenter the username and password
to stay connected to the network.
This field is activated only when you select Authentication
Required in the Port Control field. Enter a time interval between 10
and 9 999 (in seconds). The default time interval is 1 800 seconds (or
30 minutes).
Idle Timeout (in
second)
The Business Secure Router automatically disconnects a client from
the network after a period of inactivity. The client needs to enter the
username and password again before access to the network is
allowed.
This field is activated only when you select Authentication
Required in the Port Control field. The default time interval is 3 600
seconds (or 1 hour).
Nortel Business Secure Router 222 Configuration — Advanced
164 Chapter 13 System security
Table 40 Menu 23.4 System Security: IEEE802.1x
Field
Description
Authentication
Databases
The authentication database contains user login information. The
local user database is the built-in database on the Business Secure
Router. The RADIUS is an external server. Use this field to decide
which database the Business Secure Router should use (first) to
authenticate a user.
Before you specify the priority, make sure you have set up the
corresponding database correctly first.
Select Local User Database Only to have the Business Secure
Router just check the built-in user database on the Business Secure
Router for a user's username and password.
Select RADIUS Only to have the Business Secure Router just check
the user database on the specified RADIUS server for a user's
username and password.
Select Local first, then RADIUS to have the Business Secure
Router first check the user database on the Business Secure Router
for a user's username and password. If the user name is not found,
the Business Secure Router then checks the user database on the
specified RADIUS server.
Select RADIUS first, then Local to have the Business Secure
Router first check the user database on the specified RADIUS server
for a user's username and password. If the Business Secure Router
cannot reach the RADIUS server, the Business Secure Router then
checks the local user database on the Business Secure Router. If the
username is not found or the password does not match in the
RADIUS server, the Business Secure Router does not check the
local user database and the authentication fails.
After you complete this menu, press [ENTER] at the prompt “Press ENTER to confirm or
ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the
previous screen.
After you enable user authentication, you need to specify an external RADIUS
server or create local user accounts on the Business Secure Router for
authentication.
NN47922-501
165
Chapter 14
System information and diagnosis
This chapter covers SMT menus 24.1 to 24.4.
Introduction to System Status
This chapter covers the diagnostic tools that help you to maintain your Business
Secure Router. These tools include updates on system status, port status and log
and trace capabilities.
Select menu 24 in the main menu to open Menu 24 - System Maintenance, as
shown in Figure 80.
Nortel Business Secure Router 222 Configuration — Advanced
166 Chapter 14 System information and diagnosis
Figure 80 Menu 24: System Maintenance
Menu 24 - System Maintenance
1. System Status
2. System Information and Console Port Speed
3. Log and Trace
4. Diagnostic
5. Backup Configuration
6. Restore Configuration
7. Upload Firmware
8. Command Interpreter Mode
9. Call Control
10. Time and Date Setting
11. Remote Management Setup
Enter Menu Selection Number:
System Status
The first selection, System Status, gives you information on the version of your
system firmware and the status and statistics of the ports, as shown in the next
figure. System Status is a tool that can be used to monitor your Business Secure
Router. Specifically, it gives you information on your system firmware version,
number of packets sent, and number of packets received.
To get to the System Status:
NN47922-501
1
Enter number 24 to go to Menu 24 - System Maintenance.
2
In this menu, enter 1 to open System Maintenance - Status.
3
There are three commands in Menu 24.1 - System Maintenance - Status.
Entering 1 drops the WAN connection, 9 resets the counters and [ESC] takes
you back to the previous screen.
Chapter 14 System information and diagnosis 167
Figure 81 Menu 24.1: System Maintenance: Status
Figure 82 Menu 24.1 — System Maintenance — Status
Port
WAN
LAN
Port
WAN
LAN
Status
Down
100M/Full
Menu 24.1 - System Maintenance - Status
00:02:07
Thu. Jan. 01, 2004
TxPkts
0
12
Rx B/s
0
64
Ethernet Address
00:13:49:00:00:02
00:13:49:00:00:01
System up Time:
RxPkts
0
7
Cols
0
0
IP Address
0.0.0.0
192.168.1.1
Tx B/s
0
0
IP Mask
0.0.0.0
255.255.255.0
Up Time
0:00:00
0:00:10
DHCP
Client
Server
0:00:15
Name:
Routing: IP
RAS F/W Version: VBSR222_2.6.0.0.003b1 | 07/19/2006
Press Command:
COMMANDS: 1-Drop WAN 9-Reset Counters
ESC-Exit
Table 41 describes the fields present in Menu 24.1 - System Maintenance Status. These fields are read-only and meant for diagnostic purposes. The upper
right corner of the screen shows the time and date according to the format you set
in menu 24.10.
Table 41 System Maintenance: Status Menu Fields
Field
Description
Port
Identifies a port (WAN, or LAN) on the Business Secure Router.
Status
Shows the port speed and duplex setting if you are using Ethernet
Encapsulation and Down (line is down), idle (line (ppp) idle), dial
(starting to trigger a call) or drop (dropping a call) if you are using
PPPoE Encapsulation.
TxPkts
The number of transmitted packets on this port.
RxPkts
The number of received packets on this port.
Cols
The number of collisions on this port.
Tx B/s
Shows the transmission speed in Bytes per second on this port.
Nortel Business Secure Router 222 Configuration — Advanced
168 Chapter 14 System information and diagnosis
Table 41 System Maintenance: Status Menu Fields
Field
Description
Rx B/s
Shows the reception speed in Bytes per second on this port.
Up Time
Total amount of time the line has been up.
Ethernet Address
The Ethernet address of the port listed on the left.
IP Address
The IP address of the port listed on the left.
IP Mask
The IP mask of the port listed on the left.
DHCP
The DHCP setting of the port listed on the left.
System up Time
The total time the Business Secure Router has been on.
RAS F/W Version
The release of firmware currently on the Business Secure Router
and the date the release was created.
Name
This is the Business Secure Router system name + domain name
assigned in menu 1. For example, System Name= xxx; Domain
Name= baboo.mickey.com
Name= xxx.baboo.mickey.com
Routing
Refers to the routing protocol used.
Enter 1 to drop the WAN connection, 9 to reset the counters or
[ESC] to return to menu 24
System information and console port speed
With your system you can choose different console port speeds. To get to the
System Information and Console Port Speed.
NN47922-501
1
Enter 24 to go to Menu 24 – System Maintenance.
2
Enter 2 to open Menu 24.2 - System Information and Console Port Speed.
3
From this menu you have two choices, as shown in Figure 83:
Chapter 14 System information and diagnosis 169
Figure 83 System Information and Console Port Speed
Menu 24.2 - System Information and Console Port Speed
1. System Information
2. Console Port Speed
Please enter selection:
System Information
System Information gives you information about your system, as shown in
Figure 84. More specifically, it gives you information on your routing protocol,
Ethernet address and IP address.
Nortel Business Secure Router 222 Configuration — Advanced
170 Chapter 14 System information and diagnosis
Figure 84 Menu 24.2.1: System Maintenance Information
Menu 24.2.1 - System Maintenance - Information
Name:
Routing: IP
RAS F/W Version: VBSR222_2.6.0.0.003b1 | 07/19/2006
Country Code: 255
LAN
Ethernet Address: 00:13:49:00:00:01
IP Address: 192.168.1.1
IP Mask: 255.255.255.0
DHCP: Server
Press ESC or RETURN to Exit:
Table 42 Fields in System Maintenance: Information
Field
Description
Name
This is the Business Secure Router system name + domain name
assigned in menu 1. For example, System Name= xxx; Domain
Name= baboo.mickey.com
Name= xxx.baboo.mickey.com
Routing
Refers to the routing protocol used.
RAS F/W Version
The release of firmware currently on the Business Secure Router
and the date the release was created.
Ethernet Address
Refers to the Ethernet MAC (Media Access Control) address of
your Business Secure Router.
IP Address
This is the IP address of the Business Secure Router in dotted
decimal notation.
IP Mask
This shows the IP mask of the Business Secure Router.
DHCP
This field shows the DHCP setting of the Business Secure Router.
When finished viewing, press [ESC] or [ENTER] to exit.
NN47922-501
Chapter 14 System information and diagnosis 171
Console port speed
You can change the speed of the console port through Menu 24.2.2 – Console
Port Speed. Your Business Secure Router supports 9 600 (default), 19 200,
38 400, 57 600, and 115 200 b/s for the console port. Press [SPACE BAR] and
then [ENTER] to select the desired speed in menu 24.2.2, as shown in Figure 85.
Figure 85 Menu 24.2.2: System Maintenance: Change Console Port Speed
Menu 24.2.2 – System Maintenance – Change Console Port Speed
Console Port Speed: 115200
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
Log and trace
The Business Secure Router has a syslog facility for message logging, and a trace
function for viewing call-triggering packets.
Figure 86 Menu 24.3: System Maintenance: Log and Trace
Menu 24.3 - System Maintenance - Log and Trace
2. Syslog Logging
4. Call-Triggering Packet
Press ENTER to Confirm or ESC to Cancel
Syslog logging
The Business Secure Router uses the syslog facility to log the CDR (Call Detail
Record) and system messages to a syslog server. Syslog and accounting can be
configured in Menu 24.3.2 - System Maintenance - Syslog Logging, as shown
in Figure 87.
Nortel Business Secure Router 222 Configuration — Advanced
172 Chapter 14 System information and diagnosis
Figure 87 Menu 24.3.2: System Maintenance: Syslog Logging
Menu 24.3.2 - System Maintenance - Syslog Logging
Syslog:
Active= No
Syslog Server IP Address= ?
Log Facility= Local 1
Press ENTER to Confirm or ESC to Cancel
Configure the syslog parameters described in Table 43 to activate syslog, and then
choose what you want to log.
Table 43 System Maintenance Menu Syslog Parameters
Parameter
Description
Syslog:
Active
Press [SPACE BAR] and then [ENTER] to turn syslog on or off.
Syslog Server IP
Address
Enter the IP Address of the server that logs the CDR (Call Detail
Record) and system messages. For example, the syslog server.
Log Facility
Press [SPACE BAR] and then [ENTER] to select a Local option.
Using the log facility, you can log the message to different files in
the server. Refer to the documentation of your syslog program for
more details.
After you finish configuring this screen, press [ENTER] to confirm or [ESC] to cancel.
Your Business Secure Router sends five types of syslog messages. Some
examples of these syslog messages with their message formats are shown next:
CDR
CDR Message Format
SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String );
String = board xx line xx channel xx, call xx, str
NN47922-501
Chapter 14 System information and diagnosis 173
board = the hardware board ID
line = the WAN ID in a board
Channel = channel ID within the WAN
call = the call reference number which starts from 1 and increments by 1
for each new call
str = C01 Outgoing Call dev xx ch xx (dev:device No. ch:channel No.)
L02 Tunnel Connected(L2TP)
C02 OutCall Connected xxxx (means connected speed) xxxxx (means Remote
Call Number)
L02 Call Terminated
C02 Call Terminated
Jul 19 11:19:27 192.168.102.2 RAS: board 0 line 0 channel 0, call 1, C01 Outgoing Call dev=2 ch=0
40002
Jul 19 11:19:32 192.168.102.2 RAS: board 0 line 0 channel 0, call 1, C02
OutCall Connected 64000 40002
Jul 19 11:20:06 192.168.102.2 RAS: board 0 line 0 channel 0, call 1, C02 Call Terminated
Packet triggered
Packet triggered Message Format
SdcmdSyslogSend( SYSLOG_PKTTRI, SYSLOG_NOTICE, String );
String = Packet trigger: Protocol=xx Data=xxxxxxxxxx…..x
Protocol: (1:IP 2:IPX 3:IPXHC 4:BPDU 5:ATALK 6:IPNG)
Data: We will send forty-eight Hex characters to the server
Jul 19 11:28:39 192.168.102.2 RAS: Packet Trigger: Protocol=1,
Data=4500003c100100001f010004c0a86614ca849a7b08004a5c0200010061626364656
66768696a6b6c6d6e6f7071727374
Jul 19 11:28:56 192.168.102.2 RAS: Packet Trigger: Protocol=1,
Data=4500002c1b0140001f06b50ec0a86614ca849a7b0427001700195b3e00000000600
220008cd40000020405b4
Jul 19 11:29:06 192.168.102.2 RAS: Packet Trigger: Protocol=1,
Data=45000028240140001f06ac12c0a86614ca849a7b0427001700195b451d143013500
4000077600000
Filter log
Filter log Message Format
SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String );
String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx]
S04>R01mD
Nortel Business Secure Router 222 Configuration — Advanced
174 Chapter 14 System information and diagnosis
IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule
1 (R), match (m) drop (D).
Src: Source Address
Dst: Destination Address
prot: Protocol (“TCP”,”UDP”,”ICMP”)
spo: Source port
dpo: Destination port
Mar 03 10:39:43 202.132.155.97 RAS:
GEN[fffffffffffnordff0080] }S05>R01mF
Mar 03 10:41:29 202.132.155.97 RAS:
GEN[00a0c5f502fnord010080] }S05>R01mF
Mar 03 10:41:34 202.132.155.97 RAS:
IP[Src=192.168.1.33 Dst=202.132.155.93 ICMP]}S04>R01mF
Mar 03 11:59:20 202.132.155.97 RAS:
GEN[00a0c5f502fnord010080] }S05>R01mF
Mar 03 12:00:52 202.132.155.97 RAS:
GEN[ffffffffffff0080] }S05>R01mF
Mar 03 12:00:57 202.132.155.97 RAS:
GEN[00a0c5f502010080] }S05>R01mF
Mar 03 12:01:06 202.132.155.97 RAS:
IP[Src=192.168.1.33 Dst=202.132.155.93 TCP spo=01170 dpo=00021]}S04>R01mF
PPP log
PPP Log Message Format
SdcmdSyslogSend( SYSLOG_PPPLOG, SYSLOG_NOTICE, String );
String = ppp:Proto Starting / ppp:Proto Opening / ppp:Proto Closing /
ppp:Proto Shutdown
Proto = LCP / ATCP / BACP / BCP / CBCP / CCP / CHAP/ PAP / IPCP /
IPXCP
Jul 19 11:42:44 192.168.102.2 RAS: ppp:LCP Closing
Jul 19 11:42:49 192.168.102.2 RAS: ppp:IPCP Closing
Jul 19 11:42:54 192.168.102.2 RAS: ppp:CCP Closing
NN47922-501
Chapter 14 System information and diagnosis 175
Firewall log
Firewall Log Message Format
SdcmdSyslogSend(SYSLOG_FIREWALL, SYSLOG_NOTICE, buf);
buf = IP[Src=xx.xx.xx.xx : spo=xxxx Dst=xx.xx.xx.xx : dpo=xxxx | prot |
rule | action]
Src: Source Address
spo: Source port (empty means no source port information)
Dst: Destination Address
dpo: Destination port (empty means no destination port information)
prot: Protocol (“TCP”,”UDP”,”ICMP”, ”IGMP”, ”GRE”, ”ESP”)
rule: <a,b> where a means "set" number; b means "rule" number.
Action: nothing(N) block (B) forward (F)
08-01-2000 11:48:41 Local1.Notice 192.168.10.10 RAS: FW
->172.21.1.80 :137 |UDP|default permit:<2,0>|B
08-01-2000 11:48:41 Local1.Notice 192.168.10.10 RAS: FW
:520 ->192.168.77.88 :520 |UDP|default permit:<2,0>|B
08-01-2000 11:48:39 Local1.Notice 192.168.10.10 RAS: FW
->172.21.1.50 |IGMP<2>|default permit:<2,0>|B
08-01-2000 11:48:39 Local1.Notice 192.168.10.10 RAS: FW
->172.21.1.25 |IGMP<2>|default permit:<2,0>|B
172.21.1.80 :137
192.168.77.88
172.21.1.50
172.21.1.25
Call-Triggering packet
Call-Triggering Packet displays information about the packet that triggered a
dial-out call in an easily readable format. Equivalent information is available in
menu 24.1 in hex format. An example is shown in Figure 88.
Figure 88 Call-Triggering packet example
IP Frame: ENET0-RECV Size: 44/ 44 Time: 17:02:44.262
Frame Type:
IP Header:
IP Version = 4
Header Length = 20
Type of Service = 0x00 (0)
Total Length = 0x002C (44)
Identification = 0x0002 (2)
Nortel Business Secure Router 222 Configuration — Advanced
176 Chapter 14 System information and diagnosis
Flags = 0x00
Fragment Offset = 0x00
Time to Live = 0xFE (254)
Protocol = 0x06 (TCP)
Header Checksum = 0xFB20 (64288)
Source IP = 0xC0A80101 (192.168.1.1)
Destination IP = 0x00000000 (0.0.0.0)
TCP Header:
Source Port = 0x0401 (1025)
Destination Port = 0x000D (13)
Sequence Number = 0x05B8D000 (95997952)
Ack Number = 0x00000000 (0)
Header Length = 24
Flags = 0x02 (....S.)
Window Size = 0x2000 (8192)
Checksum = 0xE06A (57450)
Urgent Ptr = 0x0000 (0)
Options =
0000: 02 04 02 00
RAW DATA:
0000: 45 00 00 2C 00 02 00 00-FE 06 FB 20 C0 A8 01 01 E......... ....
0010: 00 00 00 00 04 01 00 0D-05 B8 D0 00 00 00 00 00 ................
0020: 60 02 20 00 E0 6A 00 00-02 04 02 00
Press any key to continue...
With the diagnostic facility, you can test the different aspects of your Business
Secure Router to determine if it is working properly. In Menu 24.4, you can
choose among various types of diagnostic tests to evaluate your system, as shown
in Figure 89.
NN47922-501
Chapter 14 System information and diagnosis 177
Follow the procedure below to get to Menu 24.4 - System Maintenance –
Diagnostic.
1
From the main menu, select option 24 to open Menu 24 - System
Maintenance.
2
From this menu, select option 4. Diagnostic. This opens Menu 24.4 - System
Maintenance - Diagnostic.
Figure 89 Menu 24.4: System Maintenance: Diagnostic
Menu 24.4 - System Maintenance - Diagnostic
TCP/IP
1. Ping Host
2. WAN DHCP Release
3. WAN DHCP Renewal
4. PPPoE/PPTP Setup Test
System
11. Reboot System
Enter Menu Selection Number:
Host IP Address= N/A
WAN DHCP
DHCP functionality can be enabled on the LAN or WAN as shown in WAN &
LAN DHCP. LAN DHCP is discussed in Nortel Business Secure Router 222
Configuration — Basics (NN47922-500). The Business Secure Router can act
either as a WAN DHCP client (IP Address Assignment field in menu 4 or menu
11.1.2 is Dynamic and the Encapsulation field in menu 4 or menu 11 is Ethernet)
or None, (when you have a static IP). Using the WAN Release and Renewal fields
in menu 24.4, you can release or renew the assigned WAN IP address, subnet
mask and default gateway, or do both. This is similar to using the file winipcfg.
Nortel Business Secure Router 222 Configuration — Advanced
178 Chapter 14 System information and diagnosis
Figure 90 WAN & LAN DHCP
Business Secure Router
Table 44 describes the diagnostic tests available in menu 24.4 for your Business
Secure Router and associated connections.
Table 44 System Maintenance menu diagnostic
Field
Description
Ping Host
Enter 1 to ping any machine (with an IP address) on your
LAN or WAN. Enter its IP address in the Host IP Address
field below.
WAN DHCP Release
Enter 2 to release your WAN DHCP settings.
WAN DHCP Renewal
Enter 3 to renew your WAN DHCP settings.
Internet Setup Test
This feature is only available for dial-up connections using
PPPoE or PPTP encapsulation. Enter 4 to test the Internet
setup. You can also test the Internet setup in Menu 4 Internet Access. Refer to Chapter 5, “Internet access,” on
page 79 for more details.
Reboot System
Enter 11 to reboot the Business Secure Router.
Host IP Address=
If you entered 1 in Ping Host, enter the IP address of the
computer you want to ping in this field.
Enter the number of the selection you want to perform or
press [ESC] to cancel.
NN47922-501
179
Chapter 15
Firmware and configuration file maintenance
This chapter tells you how to backup and restore your configuration file, as well
as upload new firmware and configuration files.
Filename conventions
The configuration file (often called the romfile or rom-0) contains the factory
default settings in the menus such as password, DHCP Setup and TCP/IP Setup. It
comes with a rom filename extension. Once you have customized the Business
Secure Router settings, they can be saved back to your computer under a filename
of your choosing.
The system firmware (sometimes referred to as the ras file) has a bin filename
extension. With many FTP and TFTP clients, the filenames are similar to those
seen next.
Note: Only use firmware for your Business Secure Router specific
model. Refer to the label on the bottom of your Business Secure Router.
ftp> put firmware.bin ras
This is a sample FTP session showing the transfer of the computer file
firmware.bin to the Business Secure Router.
ftp> get rom-0 config.cfg
This is a sample FTP session saving the current configuration to the computer file
config.cfg.
Nortel Business Secure Router 222 Configuration — Advanced
180 Chapter 15 Firmware and configuration file maintenance
If your (T)FTP client does not allow you to have a destination filename different
than the source, you must rename the firmware and config file names as the
Business Secure Router only recognizes rom-0 and ras. Be sure you keep
unaltered copies of both files for later use.
Table 45 is a summary. Note that the internal filename refers to the filename on
the Business Secure Router and the external filename refers to the filename not on
the Business Secure Router, that is, on your computer, local network or FTP site
and so the name (but not the extension) can vary. After uploading new firmware,
see the F/W version field in Menu 24.2.1 – System Maintenance – Information
to confirm that you have uploaded the correct firmware version. The AT
command is the command you enter after you press y when prompted in the SMT
menu to go into debug mode.
Table 45 Filename Conventions
File Type
Internal Name
External Name
Description
Configuration Rom-0
File
This is the configuration filename on
the Business Secure Router.
Uploading the rom-0 file replaces the
entire ROM file system, including your
Business Secure Router
configurations, system-related data
(including the default password), the
error log and the trace log.
*.rom
Firmware
This is the name for the firmware on
the Contivity.
*.bin
Ras
Backup configuration
Note: The Business Secure Router displays different messages
explaining different ways to backup, restore and upload files in menus
24.5, 24.6, 24. 7.1 and 24.7.2; depending on whether you use the console
port or Telnet.
Using Option 5 from Menu 24 – System Maintenance, you can back up the
current Business Secure Router configuration to your computer. Backup is highly
recommended once your Business Secure Router is functioning properly. FTP is
the preferred method for backing up your current configuration to your computer
NN47922-501
Chapter 15 Firmware and configuration file maintenance 181
since it is faster. You can also perform backup and restore using menu 24 through
the console port. Any serial communications program should work fine; however,
you must use Xmodem protocol to perform the download or upload and you do
not have to rename the files.
Note that terms download and upload are relative to the computer. Download
means to transfer from the Business Secure Router to the computer, while upload
is a transfer from your computer to the Business Secure Router.
Backup configuration
Follow the instructions as shown in Menu 24.5 (Figure 91).
Figure 91 Menu 24.5 - System Maintenance - Backup Configuration
Menu 24.5 - System Maintenance - Backup Configuration
To transfer the configuration file to your workstation, follow the
procedure below:
1. Launch the FTP client on your workstation.
2. Type "open" and the IP address of your Business Secure Router. Then type
"nnadmin" and SMT password as requested.
3. Locate the 'rom-0' file.
4. Type 'get rom-0' to back up the current Business Secure Router
configuration to
your workstation.
For details on FTP commands, please consult the documentation of your FTP
client program. For details on backup using TFTP (note that you must remain
in this menu to back up using TFTP), please see your Business Secure Router
manual.
Press ENTER to Exit:
Using the FTP command from the command line
1
Launch the FTP client on your computer.
2
Enter open, followed by a space and the IP address of your Business Secure
Router.
3
Press [ENTER] when prompted for a username.
4
Enter your password as requested (the default password is PlsChgMe!).
Nortel Business Secure Router 222 Configuration — Advanced
182 Chapter 15 Firmware and configuration file maintenance
5
Enter bin to set transfer mode to binary.
6
Use get to transfer files from the Business Secure Router to the computer, for
example, get rom-0 config.rom transfers the configuration file on the
Business Secure Router to your computer and renames it config.rom. See
earlier in this chapter for more information on filename conventions.
7
Enter quit to exit the ftp prompt.
Example of FTP commands from the command line
Figure 92 FTP Session Example
331 Enter PASS command
Password:
230 Logged in
ftp> bin
200 Type I OK
ftp> get rom-0 config.rom
200 Port command okay
150 Opening data connection for STOR ras
226 File received OK
ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
ftp> quit
GUI-based FTP clients
Table 46 describes some of the commands that you can see in GUI-based FTP
clients.
Table 46 General commands for GUI-based FTP clients
NN47922-501
Command
Description
Host Address
Enter the address of the host server.
Logon Type
Anonymous.
This is when a user ID and password is automatically supplied
to the server for anonymous access. Anonymous logons will
work only if your ISP or service administrator has enabled this
option.
Normal.
The server requires a unique User ID and Password to log on.
Transfer Type
Transfer files in either ASCII (plain text format) or in binary
mode.
Chapter 15 Firmware and configuration file maintenance 183
Table 46 General commands for GUI-based FTP clients
Command
Description
Initial Remote Directory
Specify the default remote directory (path).
Initial Local Directory
Specify the default local directory (path).
TFTP and FTP over WAN Management Limitations
TFTP, FTP and Telnet over WAN do not work when:
•
•
•
•
You disable Telnet service in menu 24.11.
You apply a filter in menu 3.1 (LAN) or in menu 11.1.4 (WAN) to block
Telnet service.
The IP address in the Secured Client IP field in menu 24.11 does not match
the client IP. If it does not match, the Business Secure Router disconnects the
Telnet session immediately.
You are running an SMT console session.
Backup configuration using TFTP
The Business Secure Router supports the uploading and downloading of the
firmware and the configuration file using TFTP (Trivial File Transfer Protocol)
over LAN. Nortel does not recommend using TFTP over WAN, although it can
work.
To use TFTP, your computer must have both Telnet and TFTP clients. To back up
the configuration file, follow the procedure shown next.
1
Use Telnet from your computer to connect to the Business Secure Router and
log on. Because TFTP does not have any security checks, the Business Secure
Router records the IP address of the Telnet client and accepts TFTP requests
only from this address.
2
Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 –
System Maintenance.
3
Enter command “sys stdio 0” to disable the SMT timeout, so the TFTP
transfer is not interrupted. Enter command “sys stdio 5” to restore the
five-minute SMT timeout (default) after the file transfer is complete.
Nortel Business Secure Router 222 Configuration — Advanced
184 Chapter 15 Firmware and configuration file maintenance
4
Launch the TFTP client on your computer and connect to the Business Secure
Router. Set the transfer mode to binary before starting data transfer.
5
Use the TFTP client (see the example below) to transfer files between the
Business Secure Router and the computer. The file name for the configuration
file is “rom-0” (rom-zero, not capital o).
Note: Telnet connection must be active and the SMT must be in CI
mode before and during the TFTP transfer. For details on TFTP
commands (see “TFTP command example” on page 184), consult the
documentation of your TFTP client program. For UNIX, use “get” to
transfer from the Business Secure Router to the computer and “binary”
to set binary transfer mode.
TFTP command example
The following is an example TFTP command:
tftp [-i] host get rom-0 config.rom
where “i” specifies binary image transfer mode (use this mode when transferring
binary files), “host” is the Business Secure Router IP address, “get” transfers the
file source on the Business Secure Router (rom-0, name of the configuration file
on the Business Secure Router) to the file destination on the computer and
renames it config.rom.
GUI-based TFTP clients
Table 47 describes some of the fields that appear in GUI-based TFTP clients.
Table 47 General commands for GUI-based TFTP clients
NN47922-501
Command
Description
Host
Enter the IP address of the Business Secure Router. 192.168.1.1 is the
Business Secure Router’s default IP address when shipped.
Send/Fetch
Use Send to upload the file to the Business Secure Router and Fetch to
back up the file on your computer.
Local File
Enter the path and name of the firmware file (*.bin extension) or
configuration file (*.rom extension) on your computer.
Chapter 15 Firmware and configuration file maintenance 185
Table 47 General commands for GUI-based TFTP clients
Command
Description
Remote File
This is the filename on the Business Secure Router. The filename for the
firmware is “ras” and for the configuration file, is “rom-0”.
Binary
Transfer the file in binary mode.
Abort
Stop transfer of the file.
Refer to Chapter 17, “Remote Management,” on page 209 for information about
configurations that disallow TFTP and FTP over WAN.
Back up via console port
Back up configuration via the console port by following the HyperTerminal
procedure. Procedures using other serial communications programs are similar.
Display menu 24.5 and enter “y” at the screen shown in Figure 93.
Figure 93 Menu 24.5 System Maintenance: Backup Configuration
Ready to backup Configuration via Xmodem.
Do you want to continue (y/n):
Figure 94 shows the screen which indicates that the Xmodem download has
started.
Figure 94 Menu 24.5 System Maintenance: Starting Xmodem Download Screen
You can enter ctrl-x to terminate operation any time.
Starting XMODEM download...
Run the HyperTerminal program by clicking Transfer, then Receive File as
shown in Figure 95.
Nortel Business Secure Router 222 Configuration — Advanced
186 Chapter 15 Firmware and configuration file maintenance
Figure 95 Backup Configuration Example
Type a location for
storing the configuration
file or click Browse to
look for one.
Choose the Xmodem
protocol.
Click Receive.
After a successful backup, the screen shown in Figure 96 appears. Press any key
to return to the SMT menu.
Figure 96 Successful Backup Confirmation Screen
** Backup Configuration completed. OK.
### Hit any key to continue.###
Restore configuration
This section shows you how to restore a previously saved configuration. Note that
this function erases the current configuration before restoring a previous back up
configuration; do not attempt to restore unless you have a backup configuration
file stored on disk.
FTP is the preferred method for restoring your current computer configuration to
your Business Secure Router since FTP is faster. note that you must wait for the
system to automatically restart after the file transfer is complete.
Warning: Do not interrupt the file transfer process as this can
permanently damage your Business Secure Router.
NN47922-501
Chapter 15 Firmware and configuration file maintenance 187
Restore Using FTP
For details about back up using FTP and TFTP, refer to “Backup configuration”
on page 180.
Figure 97 Telnet into Menu 24.6
Menu 24.6 -- System Maintenance - Restore Configuration
To transfer the firmware and configuration file to your workstation,
follow the procedure below:
1. Launch the FTP client on your workstation.
2. Type "open" and the IP address of your Business Secure Router. Then type
"nnadmin" and SMT password as requested.
3. Type "put backupfilename rom-0" where backupfilename is the name of
your backup configuration file on your workstation and rom-0 is the
remote file name on the Business Secure Router. This restores the
configuration to your Business Secure Router.
4. The system reboots automatically after a successful file transfer
For details on FTP commands, please consult the documentation of your FTP
client program. For details on backup using TFTP (note that you must remain
in this menu to back up using TFTP), please see your Business Secure Router
manual.
Press ENTER to Exit:
1
Launch the FTP client on your computer.
2
Enter open, followed by a space and the IP address of your Business Secure
Router.
3
Press [ENTER] when prompted for a username.
4
Enter your password as requested (the default is “PlsChgMe!”).
5
Enter bin to set transfer mode to binary.
6
Find the rom file (on your computer) that you want to restore to your Business
Secure Router.
7
Use put to transfer files from the Business Secure Router to the computer, for
example, “put config.rom rom-0” transfers the configuration file config.rom
on your computer to the Business Secure Router. See “Filename conventions”
on page 179 for more information about filename conventions.
Nortel Business Secure Router 222 Configuration — Advanced
188 Chapter 15 Firmware and configuration file maintenance
8
Enter quit to exit the ftp prompt. The Business Secure Router automatically
restarts after a successful restore process.
Restore using FTP session example
Figure 98 Restore using FTP session example
ftp> put config.rom rom-0
200 Port command okay
150 Opening data connection for STOR rom-0
226 File received OK
221 Goodbye for writing flash
ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
ftp>quit
Refer to Chapter 17, “Remote Management,” on page 209 to read about
configurations that disallow TFTP and FTP over WAN.
Restore via console port
Restore configuration via console port by following the HyperTerminal
procedure. Procedures using other serial communications programs are similar.
Display menu 24.6 and enter y at the prompt.
Figure 99 System Maintenance: Restore Configuration
Ready to restore Configuration via Xmodem.
Do you want to continue (y/n):
Figure 100 indicates that the Xmodem download has started.
NN47922-501
Chapter 15 Firmware and configuration file maintenance 189
Figure 100 System Maintenance: Starting Xmodem Download Screen
Type the configuration
file’s location, or click
Browse to search for it.
Choose the Xmodem
protocol.
Click Send.
Run the HyperTerminal program by clicking Transfer, then Send File.
Starting XMODEM download (CRC mode) ...
CCCCCCCCC
After a successful restoration, the screen shown in Figure 101 appears. Press any
key to restart the Business Secure Router and return to the SMT menu.
Figure 101 Successful Restoration Confirmation Screen
Save to ROM
Hit any key to start system reboot.
Uploading Firmware and Configuration Files
This section shows you how to upload firmware and configuration files. You can
upload configuration files by following the procedure “Restore configuration” on
page 186, or by following the instructions in Menu 24.7.2 – System
Maintenance – Upload System Configuration File.
Warning: Do not interrupt the file transfer process as this can
permanently damage your Business Secure Router.
Nortel Business Secure Router 222 Configuration — Advanced
190 Chapter 15 Firmware and configuration file maintenance
Firmware file upload
FTP is the preferred method for uploading the firmware and configuration. To use
this feature, your computer must have an FTP client.
When you use Telnet to access the Business Secure Router, the screens for
uploading firmware and the configuration file using FTP appear.
Figure 102 Telnet Into Menu 24.7.1 Upload System Firmware
Menu 24.7.1 - System Maintenance - Upload System Firmware
To upload the system firmware, follow the procedure below:
1. Launch the FTP client on your workstation.
2. Type "open" and the IP address of your system. Then type "nnadmin" and
SMT password as requested.
3. Type "put firmwarefilename ras" where "firmwarefilename" is the name
of your firmware upgrade file on your workstation and "ras" is the
remote file name on the system.
4. The system reboots automatically after a successful firmware upload.
For details on FTP commands, please consult the documentation of your FTP
client program. For details on uploading system firmware using TFTP (note
that you must remain on this menu to upload system firmware using TFTP),
please see your manual.
Press ENTER to Exit:
NN47922-501
Chapter 15 Firmware and configuration file maintenance 191
Configuration file upload
The screen shown in Figure 103 appears when you access menu 24.7.2 via Telnet.
Figure 103 Telnet Into Menu 24.7.2 System Maintenance
Menu 24.7.2 - System Maintenance - Upload System Configuration File
To upload the system configuration file, follow the procedure below:
1. Launch the FTP client on your workstation.
2. Type "open" and the IP address of your system. Then type "nnadmin" and
SMT password as requested.
3. Type "put configurationfilename rom-0" where "configurationfilename"
is the name of your system configuration file on your workstation,
which
will be transferred to the "rom-0" file on the system.
4. The system reboots automatically after the upload system configuration
file process is complete.
For details on FTP commands, please consult the documentation of your FTP
client program. For details on uploading system firmware using TFTP (note
that you must remain on this menu to upload system firmware using TFTP),
please see your manual.
Press ENTER to Exit:
To upload the firmware and the configuration files, follow the examples in the rest
of this chapter:
FTP file upload command from the DOS prompt example
1
Launch the FTP client on your computer.
2
Enter “open”, followed by a space and the IP address of your Business Secure
Router.
3
Press [ENTER] when prompted for a username.
4
Enter your password as requested (the default is “PlsChgMe!”).
5
Enter “bin” to set transfer mode to binary.
6
Use “put” to transfer files from the computer to the Business Secure Router,
for example, “put firmware.bin ras” transfers the firmware on your computer
(firmware.bin) to the Business Secure Router and renames it “ras”. Similarly,
“put config.rom rom-0” transfers the configuration file on your computer
Nortel Business Secure Router 222 Configuration — Advanced
192 Chapter 15 Firmware and configuration file maintenance
(config.rom) to the Business Secure Router and renames it rom-0. Likewise
get rom-0 config.rom transfers the configuration file on the Business Secure
Router to your computer and renames it “config.rom.” See “Filename
conventions” on page 179 for more information about filename conventions.
7
Enter “quit” to exit the ftp prompt.
Note: The Business Secure Router automatically restarts after a
successful file upload.
FTP Session Example of Firmware File Upload
Figure 104 FTP Session Example of Firmware File Upload
331 Enter PASS command
Password:
230 Logged in
ftp> bin
200 Type I OK
ftp> put firmware.bin ras
200 Port command okay
150 Opening data connection for STOR ras
226 File received OK
ftp: 1103936 bytes sent in 1.10Seconds 297.89Kbytes/sec.
ftp> quit
More commands (found in GUI-based FTP clients) are listed earlier in this
chapter.
Refer to the “Remote Management” on page 209 section to read about
configurations that disallow TFTP and FTP over WAN.
TFTP file upload
The Business Secure Router also supports the uploading of firmware files using
TFTP (Trivial File Transfer Protocol) over LAN. Although TFTP also works over
WAN, Nortel does not recommend doing this.
1
NN47922-501
To use TFTP, your computer must have both Telnet and TFTP clients. To
transfer the firmware and the configuration file, follow the procedure shown
next.
Chapter 15 Firmware and configuration file maintenance 193
2
Use Telnet from your computer to connect to the Business Secure Router and
log on. Because TFTP does not have any security checks, the Business Secure
Router records the IP address of the Telnet client and accepts TFTP requests
only from this address.
3
Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 –
System Maintenance.
4
Enter the command sys stdio 0 to disable the management timeout, so the
TFTP transfer is not interrupted. Enter command sys stdio 5 to restore the
five-minute management timeout (default) when the file transfer is complete.
5
Launch the TFTP client on your computer and connect to the Business Secure
Router. Set the transfer mode to binary before starting data transfer.
6
Use the TFTP client (see the example below) to transfer files between the
Business Secure Router and the computer. The file name for the firmware is
ras.
Note that the telnet connection must be active and the Business Secure Router
must be in CI mode before and during the TFTP transfer. For details about TFTP
commands (see “TFTP upload command example” on page 193), consult the
documentation of your TFTP client program. For UNIX, use get to transfer from
the Business Secure Router to the computer, put to transfer from the computer to
the Business Secure Router, and binary to set binary transfer mode.
TFTP upload command example
The following is an example TFTP command:
tftp [-i] host put firmware.bin ras
where “i” specifies binary image transfer mode (use this mode when transferring
binary files), “host” is the Business Secure Router’s IP address and “put” transfers
the file source on the computer (firmware.bin – name of the firmware on the
computer) to the file destination on the remote host (ras - name of the firmware on
the Business Secure Router).
Commands that appear in GUI-based TFTP clients are listed earlier in this
chapter.
Nortel Business Secure Router 222 Configuration — Advanced
194 Chapter 15 Firmware and configuration file maintenance
Uploading via console port
FTP or TFTP are the preferred methods for uploading firmware to your Business
Secure Router. However, in the event of your network being down, uploading
files is only possible with a direct connection to your Business Secure Router via
the console port. Under normal conditions, Nortel does not recommend uploading
files via the console port, as FTP or TFTP are faster. Any serial communications
program should work fine; however, you must use the Xmodem protocol to
perform the download or upload.
Uploading Firmware File Via Console Port
Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display
Menu 24.7.1 – System Maintenance – Upload System Firmware, then follow
the instructions as shown in Figure 105.
Figure 105 Menu 24.7.1 as seen using the Console Port
Menu 24.7.1 - System Maintenance - Upload System Firmware
To
1.
2.
3.
upload system firmware:
Enter "y" at the prompt below to go into debug mode.
Enter "atur" after "Enter Debug Mode" message.
Wait for "Starting XMODEM upload" message before activating
Xmodem upload on your terminal.
4. After successful firmware upload, enter "atgo" to restart the
Business Secure Router.
Warning: Proceeding with the upload will erase the current system
firmware.
Do You Wish To Proceed:(Y/N)
After the "Starting Xmodem upload" message appears, activate the Xmodem
protocol on your computer. Follow the procedure as shown previously for the
HyperTerminal program. The procedure for other serial communications
programs is similar.
NN47922-501
Chapter 15 Firmware and configuration file maintenance 195
Uploading Xmodem firmware using HyperTerminal
1
Click Transfer, and then Send File to display the screen in Figure 106.
Figure 106 Example Xmodem Upload
Type the configuration
file’s location, or click
Browse to search for it.
Choose the Xmodem
protocol
Click Send.
2
After the configuration upload process is complete, restart the Business
Secure Router by entering atgo.
Uploading configuration file via console port
1
Select 2 from Menu 24.7 – System Maintenance – Upload Firmware to
display Menu 24.7.2 – System Maintenance – Upload System
Configuration File. Follow the instructions as shown in Figure 107.
Nortel Business Secure Router 222 Configuration — Advanced
196 Chapter 15 Firmware and configuration file maintenance
Figure 107 Menu 24.7.2 as seen using the Console Port
Menu 24.7.2 - System Maintenance - Upload System Configuration File
To
1.
2.
3.
upload system configuration file:
Enter "y" at the prompt below to go into debug mode.
Enter "atlc" after "Enter Debug Mode" message.
Wait for "Starting XMODEM upload" message before activating
Xmodem upload on your terminal.
4. After successful firmware upload, enter "atgo" to restart the
system.
Warning:
1. Proceeding with the upload will erase the current
configuration file.
2. The system’s console port speed (Menu 24.2.2) may change
when it is restarted; please adjust your terminal's speed
accordingly. The password may change (menu 23), also.
3. When uploading the DEFAULT configuration file, the console
port speed will be reset to 9600 bps and the password to
"setup".
Do You Wish To Proceed:(Y/N)
NN47922-501
2
After the "Starting Xmodem upload" message appears, activate the Xmodem
protocol on your computer. Follow the procedure in “Uploading Xmodem
firmware using HyperTerminal” on page 195. The procedure for other serial
communications programs is similar.
3
Enter atgo to restart the Business Secure Router.
Chapter 15 Firmware and configuration file maintenance 197
Uploading Xmodem configuration file using HyperTerminal
1
Click Transfer, then Send File to display the screen shown in Figure 108.
Figure 108 Example Xmodem Upload
Type the configuration
file’s location, or click
Browse to search for it.
Choose the Xmodem
protocol.
Click Send.
2
After the configuration upload process is complete, restart the Business
Secure Router by entering atgo.
Nortel Business Secure Router 222 Configuration — Advanced
198 Chapter 15 Firmware and configuration file maintenance
NN47922-501
199
Chapter 16
System Maintenance menus 8 to 10
This chapter leads you through SMT menus 24.8 to 24.10.
Command Interpreter mode
The Command Interpreter (CI) is a part of the main router firmware. The CI
provides much of the same functionality as the SMT, while adding some
low-level setup and diagnostic functions. Enter the CI from the SMT by selecting
menu 24.8. Access can be by Telnet or by a serial connection to the console port,
although some commands are only available with a serial connection. See the
included disk or www.nortel.com for more detailed information about CI
commands. Enter 8 from Menu 24 - System Maintenance.
Note: Use of undocumented commands or misconfiguration can
damage the unit and possibly render it unusable.
Nortel Business Secure Router 222 Configuration — Advanced
200 Chapter 16 System Maintenance menus 8 to 10
Figure 109 Command mode in Menu 24
Menu 24 - System Maintenance
1. System Status
2. System Information and Console Port Speed
3. Log and Trace
4. Diagnostic
5. Backup Configuration
6. Restore Configuration
7. Firmware Update
8. Command Interpreter Mode
9. Call Control
10. Time and Date Setting
11. Remote Management Setup
Enter Menu Selection Number:
Command syntax
The command keywords are in Courier New font.
Enter the command keywords exactly as shown, do not abbreviate.
The required fields in a command are enclosed in angle brackets <>.
The optional fields in a command are enclosed in square brackets [].
The | symbol means “or”.
For example,
sys filter netbios config <type> <on|off>
NN47922-501
Chapter 16 System Maintenance menus 8 to 10 201
means that you must specify the type of netbios filter and whether to turn it on or
off.
Command usage
A list of commands can be found by typing help or ? at the command prompt.
Always type the full command. Type exit to return to the SMT main menu when
finished.
Figure 110 Valid commands
ras> ?
Valid commands are:
sys
ipsec
8021x
exit
bm
ether
certificates
ip
radius
Table 48 Valid commands
Command
Description
sys
The system commands display device information and configure device
settings.
exit
This command returns you to the SMT main menu.
ether
This commands display Ethernet information and configure Ethernet
settings.
ip
This commands display IP information and configure IP settings.
ipsec
This commands display IPSec information and configure IPSec settings.
bm
This commands display bandwidth management information and
configure bandwidth management settings.
certificates
This commands display certificate information and configure certificate
settings.
radius
This commands display RADIUS information.
8021x
This commands display IEEE 802.1x information.
Nortel Business Secure Router 222 Configuration — Advanced
202 Chapter 16 System Maintenance menus 8 to 10
Call control support
The Business Secure Router provides two call control functions: budget
management and call history. Note that this menu is only applicable when
Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1.
With the budget management function, you can set a limit on the total outgoing
call time of the Business Secure Router within certain times. When the total
outgoing call time exceeds the limit, the current call is dropped and any future
outgoing calls are blocked.
Call history chronicles preceding incoming and outgoing calls.
To access the call control menu, select option 9 in menu 24 to go to Menu 24.9 System Maintenance - Call Control, as shown in Figure 111.
Figure 111 Call Control
Menu 24.9 - System Maintenance - Call Control
1.Budget Management
2.Call History
Enter Menu Selection Number:
Budget management
Menu 24.9.1 shows the budget management statistics for outgoing calls. Enter 1
from Menu 24.9 - System Maintenance - Call Control to bring up the Budget
Management menu (Figure 112).
NN47922-501
Chapter 16 System Maintenance menus 8 to 10 203
Figure 112 Budget Management
Menu 24.9.1 - Budget Management
Remote Node
1.ChangeMe
Connection Time/Total Budget
No Budget
Elapsed Time/Total Period
No Budget
2.GUI
No Budget
No Budget
Reset Node (0 to update screen):
The total budget is the time limit on the accumulated time for outgoing calls to a
remote node. When this limit is reached, the call is dropped and further outgoing
calls to that remote node is blocked. After each period, the total budget is reset.
The default for the total budget is 0 minutes and the period is 0 hours, meaning no
budget control. You can reset the accumulated connection time in this menu by
entering the index of a remote node. Enter 0 to update the screen. The budget and
the reset period can be configured in menu 11.1 for the remote node.
Table 49 Budget management
Field
Description
Example
Remote Node
Enter the index number of the remote 1
node you want to reset (just one in this
case)
Connection Time/
Total Budget
This is the total connection time that
has gone by (within the allocated
budget that you set in menu 11.1).
5/10 means that 5
minutes out of a total
allocation of 10 minutes
have lapsed.
Elapsed Time/Total
Period
The period is the time cycle in hours
that the allocation budget is reset (see
menu 11.1.) The elapsed time is the
time used up within this period.
0.5/1 means that 30
minutes out of the
1-hour time period has
lapsed.
Enter “0” to update the screen or press
[ESC] to return to the previous screen.
Nortel Business Secure Router 222 Configuration — Advanced
204 Chapter 16 System Maintenance menus 8 to 10
Call History
This is the second option in Menu 24.9 - System Maintenance - Call Control. It
displays information about past incoming and outgoing calls. Enter 2 from Menu
24.9 - System Maintenance - Call Control.
Figure 113 Call History
Menu 24.9.2 - Call History
Phone Number
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Dir
Rate
#call
Max
Min
Total
Enter Entry to Delete(0 to exit):
Table 50 describes the fields in Figure 113.
Table 50 Call History Fields
Field
Description
Phone Number
The PPPoE service names are shown here.
Dir
This shows whether the call is incoming or outgoing.
Rate
This is the transfer rate of the call.
#call
This is the number of calls made to or received from that telephone
number.
Max
This is the length of time of the longest telephone call.
Min
This is the length of time of the shortest telephone call.
Total
This is the total length of time of all the telephone calls to and from
that telephone number.
Enter an entry number to delete it or 0 to exit.
NN47922-501
Chapter 16 System Maintenance menus 8 to 10 205
Time and Date setting
There is a software mechanism to set the time manually or get the current time
and date from an external server when you turn on your Business Secure Router.
With Menu 24.10, you can update the time and date settings of your Business
Secure Router. The real time is then displayed in the Business Secure Router error
logs and firewall logs.
Select menu 24 in the main menu to open Menu 24 - System Maintenancet.
Figure 114 Menu 24: System Maintenance
Menu 24 - System Maintenance
1. System Status
2. System Information and Console Port Speed
3. Log and Trace
4. Diagnostic
5. Backup Configuration
6. Restore Configuration
7. Upload Firmware
8. Command Interpreter Mode
9. Call Control
10. Time and Date Setting
11. Remote Management Setup
Enter Menu Selection Number:
Enter 10 to go to Menu 24.10 - System Maintenance - Time and Date Setting to
update the time and date settings of your Business Secure Router, as shown in
Figure 115.
Nortel Business Secure Router 222 Configuration — Advanced
206 Chapter 16 System Maintenance menus 8 to 10
Figure 115 Menu 24.10 System Maintenance: Time and Date Setting
Menu 24.10 - System Maintenance - Time and Date Setting
Time Protocol= NTP (RFC-1305)
Time Server Address= a.ntp.alphazed.net
Current Time:
New Time (hh:mm:ss):
01 : 07 : 41
N/A N/A N/A
Current Date:
New Date (yyyy-mm-dd):
2000 - 01 - 01
N/A
N/A N/A
Time Zone= GMT
Daylight Saving= No
Start Date (mm-nth-week-hr):
End Date (mm-nth-week-hr):
Jan. - 1st
Jan. - 1st
- Sat. - Sat. -
00
00
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
Table 51 describes the fields in Figure 115.
Table 51 Time and Date Setting Fields
NN47922-501
Field
Description
Time Protocol
Enter the time service protocol that your time server uses. Not all
time servers support all protocols, so check with your ISP or network
administrator or use trial and error to find a protocol that works. The
main differences between the time protocols are the format.
Daytime (RFC 867) format is the day/month/year/time zone of the
server.
Time (RFC-868) format displays a 4-byte integer giving the total
number of seconds since 1970/1/1 at 0:0:0.
The default, NTP (RFC-1305), is similar to Time (RFC-868).
Select Manual to enter the new time and new date manually.
Time Server
Address
Enter the IP address or domain name of your timeserver. Check with
your ISP or network administrator if you are unsure of this
information. The default is a.ntp.alphazed.net.
Current Time
This field displays an updated time only when you reenter this menu.
New Time
Enter the new time in hour, minute and second format. This field is
available when you select Manual in the Time Protocol field.
Chapter 16 System Maintenance menus 8 to 10 207
Table 51 Time and Date Setting Fields
Field
Description
Current Date
This field displays an updated date only when you reenter this menu.
New Date
Enter the new date in year, month and day format. This field is
available when you select Manual in the Time Protocol field.
Time Zone
Press [SPACE BAR] and then [ENTER] to set the time difference
between your time zone and Greenwich Mean Time (GMT).
Daylight Saving
Time
Daylight Saving Time is a period from late spring to early fall when
many countries set their clocks ahead of normal local time by one
hour to give more daylight time in the evenings. If you use daylight
savings time, then choose Yes.
Start Date
Configure the day and time when Daylight Saving Time starts if you
(mm-nth-week-hr) select Yes in the Daylight Saving field. The hr field uses the
24-hour format. Here are a couple of examples:
Daylight Saving Time starts in most parts of the United States on the
first Sunday of April. Each time zone in the United States starts
using Daylight Saving Time at 2 a.m. local time. So, in the United
States, select Apr., 1st, Sun. and type 02 in the hr field.
Daylight Saving Time starts in the European Union on the last
Sunday of March. All of the time zones in the European Union start
using Daylight Saving Time at the same moment (1 a.m. GMT or
UTC). So, in the European Union, select Mar., Last, Sun. The time
you type in the hr field depends on your time zone. In Germany, for
instance, type 02 because Germany's time zone is one hour ahead
of GMT or UTC (GMT+1).
End Date
Configure the day and time when Daylight Saving Time ends if you
(mm-nth-week-hr) select Yes in the Daylight Saving field. The hr field uses the 24
hour format. Here are a couple of examples:
Daylight Saving Time ends in the United States on the last Sunday
of October. Each time zone in the United States stops using Daylight
Saving Time at 2 a.m. local time. So, in the United States, select
Oct., Last, Sun. and type 02 in the hr field.
Daylight Saving Time ends in the European Union on the last
Sunday of October. All of the time zones in the European Union stop
using Daylight Saving Time at the same moment (1 a.m. GMT or
UTC). So, in the European Union, select Oct., Last, Sun. The time
you type in the hr field depends on your time zone. In Germany, for
instance, type 02 because Germany's time zone is one hour ahead
of GMT or UTC (GMT+1).
After you fill in this menu, press [ENTER] at the message “Press ENTER to Confirm or
ESC to Cancel“ to save your configuration, or press [ESC] to cancel.
Nortel Business Secure Router 222 Configuration — Advanced
208 Chapter 16 System Maintenance menus 8 to 10
Resetting the Time
The Business Secure Router resets the time in three instances:
•
•
•
NN47922-501
After you make changes to and leave menu 24.10
After starting up the Business Secure Router starts up, if a time server
configured in menu 24.10
After starting the Business Secure Router, in 24-hour intervals
209
Chapter 17
Remote Management
This chapter covers remote management found in SMT menu 24.11.
Remote Management
With remote management, you can determine which services and protocols can
access which Business Secure Router interface (if any) from which computers.
You can manage your Business Secure Router from a remote location via:
•
•
•
•
Internet (WAN only)
ALL (LAN and WAN)
LAN only
Neither (Disable)
Note: When you Choose WAN only or ALL (LAN & WAN), you still
need to configure a firewall rule to allow access.
To disable remote management of a service, select Disable in the corresponding
Server Access field.
Enter 11 from menu 24 to bring up Menu 24.11 – Remote Management
Control.
Nortel Business Secure Router 222 Configuration — Advanced
210 Chapter 17 Remote Management
Figure 116 Menu 24.11 – Remote Management Control
Menu 24.11 - Remote Management Control
TELNET Server:
FTP Server:
SSH Server:
HTTPS Server:
HTTP Server:
SNMP Service:
DNS Service:
Port = 23
Access = Disable
Secure Client IP = 0.0.0.0
Port = 21
Access = Disable
Secure Client IP = 0.0.0.0
Certificate = auto_generated_self_signed_cert
Port = 22
Access = Disable
Secure Client IP = 0.0.0.0
Certificate = auto_generated_self_signed_cert
Authenticate Client Certificates = No
Port = 443
Access = Disable
Secure Client IP = 0.0.0.0
Port = 80
Access = LAN only
Secure Client IP = 0.0.0.0
Port = 161
Access = Disable
Secure Client IP = 0.0.0.0
Port = 53
Access = LAN only
Secure Client IP = 0.0.0.0
Press ENTER to Confirm or ESC to Cancel:
Table 52 describes the fields in Figure 116.
Table 52 Menu 24.11 – Remote Management control
NN47922-501
Field
Description
Telnet Server
FTP Server SSH
Server
HTTPS Server
HTTP Server
SNMP Service
DNS Service
Each of these read-only labels denotes a service that you can use
to remotely manage the Business Secure Router.
Port
This field shows the port number for the service or protocol. You
can change the port number if needed, but you must use the same
port number to access the Business Secure Router.
Access
Select the access interface (if any) by pressing [SPACE BAR], then
[ENTER] to choose from: LAN only, WAN only, ALL or Disable.
Secure Client IP
The default 0.0.0.0 allows any client to use this service to remotely
manage the Business Secure Router. Enter an IP address to restrict
access to a client with a matching IP address.
Chapter 17 Remote Management 211
Table 52 Menu 24.11 – Remote Management control
Field
Description
Certificate
Press [SPACE BAR] and then [ENTER] to select the certificate that
the Business Secure Router uses to identify itself. The Business
Secure Router is the SSL server and must always authenticate itself
to the SSL client (the computer that requests the HTTPS connection
with the Business Secure Router).
Authenticate Client
Certificates
Select Yes by pressing [SPACE BAR], then [ENTER] to require the
SSL client to authenticate itself to the Business Secure Router by
sending the Business Secure Router a certificate. To do that, the
SSL client must have a CA-signed certificate from a CA that has
been imported as a trusted CA on the Business Secure Router (see
Appendix C, “Importing certificates,” on page 233 for details).
After you fill this menu, press [ENTER] at the message "Press ENTER to Confirm or ESC
to Cancel" to save your configuration, or press [ESC] to cancel.
Remote Management Limitations
Remote management over LAN or WAN does not work when:
1
A filter in menu 3.1 (LAN) or in menu 11.1.4 (WAN) is applied to block a
Telnet, FTP, or Web service.
2
You disable that service in menu 24.11.
3
The IP address in the Secured Client IP field (menu 24.11) does not match
the client IP address. If it does not match, the Business Secure Router
disconnects the session immediately.
4
There is an SMT console session running.
5
There is already another remote management session of the same type (web,
FTP or Telnet) running. Only one remote management session of the same
type can run at one time.
6
There is a web remote management session running with a Telnet session. A
Telnet session is disconnected if you begin a web session; it does not begin if
a Web session is already running.
7
There is a firewall rule that blocks remote management.
Nortel Business Secure Router 222 Configuration — Advanced
212 Chapter 17 Remote Management
NN47922-501
213
Chapter 18
Call scheduling
Using call scheduling (applicable only for PPPoA or PPPoE encapsulation), you
can dictate when a remote node is called and for how long.
Introduction
Using the call scheduling feature, the Business Secure Router can manage a
remote node and dictate when a remote node is called and for how long. This
feature is similar to the scheduler in a video cassette recorder (you can specify a
time period for the VCR to record). You can apply up to 4 schedule sets in Menu
11.1 — Remote Node Profile. From the main menu, enter 26 to access Menu 26
— Schedule Setup as shown in Figure 117.
Figure 117 Menu 26 Schedule Setup
Menu 26 - Schedule Setup
Schedule
Set #
Name
------ ----------------1
AlwaysOn
2
_______________
3
_______________
4
_______________
5
_______________
6
_______________
Schedule
Set #
Name
------ ----------------7
_______________
8
_______________
9
_______________
10
_______________
11
_______________
12
_______________
Enter Schedule Set Number to Configure= 0
Edit Name= N/A
Press ENTER to Confirm or ESC to Cancel:
Nortel Business Secure Router 222 Configuration — Advanced
214 Chapter 18 Call scheduling
Lower numbered sets take precedence over higher numbered sets, thereby
avoiding scheduling conflicts. For example, if sets 1, 2, 3, and 4 are applied in the
remote node then set 1 takes precedence over sets 2, 3, and 4 as the Business
Secure Router, by default, applies the lowest numbered set first. Set 2 takes
precedence over sets 3 and 4, and so on.
You can design up to 12 schedule sets, but you can only apply up to four schedule
sets for a remote node.
Note: To delete a schedule set, enter the set number and press
[SPACE BAR] and then [ENTER] (or delete) in the Edit Name field.
To set up a schedule set, select the schedule set you want to setup from menu 26
(1-12) and press [ENTER] to see Menu 26.1 — Schedule Set Setup as shown in
Figure 118.
Figure 118 Menu 26.1 Schedule Set Setup
Menu 26.1 - Schedule Set Setup
Active= Yes
Start Date(yyyy/mm/dd) = 2000 – 01 - 01
How Often= Once
Once:
Date(yyyy/mm/dd)= 2000 – 01 - 01
Weekdays:
Sunday= N/A
Monday= N/A
Tuesday= N/A
Wednesday= N/A
Thursday= N/A
Friday= N/A
Saturday= N/A
Start Time (hh:mm)= 00 : 00
Duration (hh:mm)= 00 : 00
Action= Forced On
Press ENTER to Confirm or ESC to Cancel
NN47922-501
Chapter 18 Call scheduling 215
If a connection is already established, your Business Secure Router does not drop
it. After the connection is dropped manually or it times out, then that remote node
cannot be triggered until the end of the Duration.
Table 53 Menu 26.1 Schedule Set Setup
Field
Description
Example
Active
Press [SPACE BAR] to select Yes or No. Choose Yes and
press [ENTER] to activate the schedule set.
Yes
Start Date
Enter the start date when you wish the set to take effect in 2000-01-01
year-month-date format. Valid dates are from the present to
2036-February-5.
How Often
Press the [SPACE BAR] and then [ENTER] to select Once Once
or Weekly. Both these options are mutually exclusive. If
Once is selected, then all weekday settings are N/A. After
Once is selected, the schedule rule deletes automatically
after the scheduled time elapses.
Once:
Date
If you selected Once in the How Often field above, enter
the date the set should activate here in year-month-date
format.
Weekday:
Day
If you selected Weekly in the How Often field above, select Yes
the days when the set should activate (and recur) by going No
to that days and pressing [SPACE BAR] to select Yes. After
N/A
you complete this menu, press [ENTER] to exit.
Start Time
Enter the start time when you wish the schedule set to take 09:00
effect in hour-minute format.
Duration
Enter the maximum length of time this connection is
allowed, in hour-minute format.
Action
Forced On means that the connection is maintained
Forced On
whether or not there is a demand call on the line and
persists for the time period specified in the Duration field.
Forced Down means that the connection is blocked
whether or not there is a demand call on the line.
Enable Dial-On-Demand means that this schedule permits
a demand call on the line. Disable Dial-On-Demand
means that this schedule prevents a demand call on the
line.
2000-01-01
08:00
After you complete this menu, press [ENTER] at the prompt “Press ENTER to Confirm…”
to save your configuration, or press [ESC] at any time to cancel.
Nortel Business Secure Router 222 Configuration — Advanced
216 Chapter 18 Call scheduling
After you configure your schedule sets, you must apply them to the desired
remote nodes. Enter 11 from the Main Menu and then enter the target remote
node index. Using [SPACE BAR], select PPPoE or PPPoA in the
Encapsulation field and then press [ENTER] to make the schedule sets field
available, as shown in Figure 119.
Figure 119 Applying Schedule Sets to a Remote Node (PPPoE)
Menu 11.1 - Remote Node Profile
Rem Node Name= ChangeMe
Active= Yes
Route= IP
Encapsulation= Ethernet
Service Type= Standard
Service Name= N/A
Outgoing:
My Login= N/A
My Password= N/A
Retype to Confirm= N/A
Server= N/A
Edit IP= No
Session Options:
Edit Filter Sets= No
Edit Traffic Redirect= No
Press ENTER to Confirm or ESC to Cancel:
Press ENTER to Confirm or ESC to Cancel:
You can apply up to four schedule sets, separated by commas, for one remote
node. Change the schedule set numbers to your preferences.
NN47922-501
217
Appendix A
Setting up your computer IP address
All computers must have a 10M or 100M Ethernet adapter card and TCP/IP
installed.
Windows 95/98/Me/NT/2000/XP, and Macintosh OS 7 and later operating
systems and all versions of UNIX/LINUX include the software components you
need to install and use TCP/IP on your computer. Windows 3.1 requires the
purchase of a third-party TCP/IP application package.
TCP/IP is already installed on computers using Windows NT/2000/XP, or
Macintosh OS 7 and later operating systems.
After the appropriate TCP/IP components are installed, configure the TCP/IP
settings in order to communicate with your network.
If you manually assign IP information instead of using dynamic assignment, make
sure that your computers have IP addresses that place them in the same subnet as
the Business Secure Router LAN port.
Windows 95/98/Me
Click Start, Settings, Control Panel and double-click the Network icon to open
the Network window
Nortel Business Secure Router 222 Configuration — Advanced
218 Appendix A Setting up your computer IP address
Figure 120 WIndows 95/98/Me: network: configuration
Installing components
The Network window Configuration tab displays a list of installed components.
You need a network adapter, the TCP/IP protocol and Client for Microsoft
Networks.
If you need the adapter:
a
In the Network window, click Add.
b
Select Adapter and click Add.
c
Select the manufacturer and model of your network adapter and click
OK.
If you need TCP/IP:
a
In the Network window, click Add.
b
Select Protocol and click Add.
c
Select Microsoft from the list of manufacturers.
d
Select TCP/IP from the list of network protocols and click OK.
If you need Client for Microsoft Networks:
NN47922-501
Appendix A Setting up your computer IP address 219
a
Click Add.
b
Select Client and click Add.
c
Select Microsoft from the list of manufacturers.
d
Select Client for Microsoft Networks from the list of network clients
and click OK.
e
Restart your computer so your changes take effect.
Configuring
1
In the Network window Configuration tab, select your network adapter's
TCP/IP entry and click Properties
2
Click the IP Address tab.
— If your IP address is dynamic, select Obtain an IP address
automatically.
— If you have a static IP address, select Specify an IP address and type
your information into the IP Address and Subnet Mask fields.
Figure 121 Windows 95/98/Me: TCP/IP properties: IP address
3
Click the DNS Configuration tab.
— If you do not know your DNS information, select Disable DNS.
Nortel Business Secure Router 222 Configuration — Advanced
220 Appendix A Setting up your computer IP address
— If you know your DNS information, select Enable DNS and type the
information in the fields below (you do not need to fill them all in).
Figure 122 Windows 95/98/Me: TCP/IP Properties: DNS configuration
4
Click the Gateway tab.
— If you do not know your gateway’s IP address, remove previously
installed gateways.
— If you have a gateway IP address, type it in the New gateway field and
click Add.
5
Click OK to save and close the TCP/IP Properties window.
6
Click OK to close the Network window. Insert the Windows CD if prompted.
7
Turn on your Business Secure Router and restart your computer when
prompted.
Verifying Settings
NN47922-501
1
Click Start and then Run.
2
In the Run window, type winipcfg and click OK to open the IP
Configuration window.
3
Select your network adapter. Your computer IP address, subnet mask, and
default gateway will be displayed.
Appendix A Setting up your computer IP address 221
Windows 2000/NT/XP
1
For Windows XP, click Start, Control Panel. In Windows 2000/NT, click
Start, Settings, Control Panel.
Figure 123 Windows XP: Start menu
2
For Windows XP, click Network Connections. For Windows 2000/NT, click
Network and Dial-up Connections.
Figure 124 Windows XP: Control Panel
Nortel Business Secure Router 222 Configuration — Advanced
222 Appendix A Setting up your computer IP address
3
Right-click Local Area Connection and then click Properties.
Figure 125 Windows XP: Control Panel: Network Connections: Properties
4
Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and
click Properties.
Figure 126 Windows XP: Local Area Connection Properties
NN47922-501
Appendix A Setting up your computer IP address 223
5
The Internet Protocol TCP/IP Properties window appears (the General tab
in Windows XP).
— If you have a dynamic IP address, click Obtain an IP address
automatically.
— If you have a static IP address, click Use the following IP Address and
fill in the IP address, Subnet mask, and Default gateway fields. Click
Advanced.
Figure 127 Windows XP: Advanced TCP/IP settings
6
If you do not know your gateway IP address, remove any previously installed
gateways in the IP Settings tab and click OK.
Ë Do one or more of the following if you want to configure additional IP
addresses:
— In the IP Settings tab, in IP addresses, click Add.
— In TCP/IP Address, type an IP address in IP address and a subnet mask
in Subnet mask, and then click Add.
— Repeat the above two steps for each IP address you want to add.
— Configure additional default gateways in the IP Settings tab by clicking
Add in Default gateways.
Nortel Business Secure Router 222 Configuration — Advanced
224 Appendix A Setting up your computer IP address
— In TCP/IP Gateway Address, type the IP address of the default gateway
in Gateway. To manually configure a default metric (the number of
transmission hops), clear the Automatic metric check box and type a
metric in Metric.
— Click Add.
— Repeat the previous three steps for each default gateway you want to add.
— Click OK when finished.
7
In the Internet Protocol TCP/IP Properties window (the General tab in
Windows XP):
— Click Obtain DNS server address automatically if you do not know
your DNS server IP addresses.
— If you know your DNS server IP addresses, click Use the following DNS
server addresses, and type them in the Preferred DNS server and
Alternate DNS server fields.
If you have previously configured DNS servers, click Advanced and then
the DNS tab to order them.
Figure 128 Windows XP: Internet Protocol (TCP/IP) properties
NN47922-501
8
Click OK to close the Internet Protocol (TCP/IP) Properties window.
9
Click OK to close the Local Area Connection Properties window.
Appendix A Setting up your computer IP address 225
10 Turn on your Business Secure Router and restart your computer (if
prompted).
Verifying Settings
1
Click Start, All Programs, Accessories and then Command Prompt.
2
In the Command Prompt window, type ipconfig and press [ENTER]. You
can also open Network Connections, right-click a network connection, click
Status and then click the Support tab.
Macintosh OS 8/9
1
Click the Apple menu, Control Panel and double-click TCP/IP to open the
TCP/IP Control Panel.
Figure 129 Macintosh OS 8/9: Apple Menu
Nortel Business Secure Router 222 Configuration — Advanced
226 Appendix A Setting up your computer IP address
2
Select Ethernet built-in from the Connect via list.
Figure 130 Macintosh OS 8/9: TCP/IP
3
For dynamically assigned settings, select Using DHCP Server from the
Configure: list.
4
For statically assigned settings, do the following:
—
—
—
—
From the Configure box, select Manually.
Type your IP address in the IP Address box.
Type your subnet mask in the Subnet mask box.
Type the IP address of your Business Secure Router in the Router
address box.
5
Close the TCP/IP Control Panel.
6
Click Save if prompted, to save changes to your configuration.
7
Turn on your Business Secure Router and restart your computer (if
prompted).
Verifying Settings
Check your TCP/IP properties in the TCP/IP Control Panel window.
NN47922-501
Appendix A Setting up your computer IP address 227
Macintosh OS X
1
Click the Apple menu, and click System Preferences to open the System
Preferences window.
Figure 131 Macintosh OS X: Apple menu
2
Click Network in the icon bar.
— Select Automatic from the Location list.
— Select Built-in Ethernet from the Show list.
— Click the TCP/IP tab.
3
For dynamically assigned settings, select Using DHCP from the Configure
list.
Figure 132 Macintosh OS X: Network
Nortel Business Secure Router 222 Configuration — Advanced
228 Appendix A Setting up your computer IP address
4
For statically assigned settings, do the following:
—
—
—
—
From the Configure box, select Manually.
Type your IP address in the IP Address box.
Type your subnet mask in the Subnet mask box.
Type the IP address of your Business Secure Router in the Router
address box.
5
Click Apply Now and close the window.
6
Turn on your Business Secure Router and restart your computer (if
prompted).
Verifying settings
Check your TCP/IP properties in the Network window.
NN47922-501
229
Appendix B
Triangle Route
The Ideal Setup
When the firewall is on, your Business Secure Router acts as a secure gateway
between your LAN and the Internet. In an ideal network topology, all incoming
and outgoing network traffic passes through the Business Secure Router to protect
your LAN against attacks.
Figure 133 Ideal Setup
Business Secure Router
The Triangle Route Problem
You can have more than one connection to the Internet (through one or more
ISPs). If an alternate gateway is on the LAN (and its IP address is in the same
subnet as the Business Secure Router LAN IP address), the triangle route (also
called asymmetrical route) problem can occur. The steps below describe the
triangle route problem.
A traffic route is a path for sending or receiving data packets between two
Ethernet devices. Some companies have more than one alternate route to one or
more ISPs. If the LAN and ISP are in the same subnet, the triangle route problem
can occur. The steps below describe the triangle route problem.
Nortel Business Secure Router 222 Configuration — Advanced
230 Appendix B Triangle Route
1
A computer on the LAN initiates a connection by sending out a SYN packet
to a receiving server on the WAN.
2
The Business Secure Router reroutes the SYN packet through Gateway B on
the LAN to the WAN.
3
The reply from the WAN goes directly to the computer on the LAN without
going through the Business Secure Router.
As a result, the Business Secure Router resets the connection, as the connection is
not acknowledged.
Figure 134 Triangle Route Problem
Business Secure Router
The Triangle Route Solutions
IP aliasing
Using IP alias, you can partition your network into logical sections over the same
Ethernet interface. Your Business Secure Router supports up to three logical LAN
interfaces with the Business Secure Router being the gateway for each logical
network. By putting your LAN and Gateway B in different subnets, all returning
network traffic must pass through the Business Secure Router to your LAN. The
following steps describe such a scenario.
1
NN47922-501
A computer on the LAN initiates a connection by sending a SYN packet to a
receiving server on the WAN.
Appendix B Triangle Route 231
2
The Business Secure Router reroutes the packet to Gateway B, which is in
Subnet 2.
3
The reply from WAN goes to the Business Secure Router.
4
The Business Secure Router ends the response to the computer in Subnet 1.
Figure 135 IP Alias
WAN
Business Secure Router
Nortel Business Secure Router 222 Configuration — Advanced
232 Appendix B Triangle Route
NN47922-501
233
Appendix C
Importing certificates
This appendix shows examples for importing certificates.
Import Business Secure Router certificates into
Netscape Navigator
In Netscape Navigator, you can permanently trust the Business Secure Router
server certificate by importing it into your operating system as a trusted
certification authority.
Select Accept This Certificate Permanently in Figure 136 to do this.
Figure 136 Security Certificate
Nortel Business Secure Router 222 Configuration — Advanced
234 Appendix C Importing certificates
Importing the Business Secure Router Certificate into
Internet Explorer
For Internet Explorer to trust a self-signed certificate from the Business Secure
Router, simply import the self-signed certificate into your operating system as a
trusted certification authority.
To have Internet Explorer trust a Business Secure Router certificate issued by a
certificate authority, import the certificate authority’s certificate into your
operating system as a trusted certification authority.
The following example procedure shows how to import the Business Secure
Router’s (self-signed) server certificate into your operating system as a trusted
certification authority.
1
In Internet Explorer, double click the lock shown in Figure 137.
Figure 137 Login Screen
NN47922-501
Appendix C Importing certificates 235
2
Click Install Certificate to open the Install Certificate wizard.
Figure 138 Certificate General Information before Import
Nortel Business Secure Router 222 Configuration — Advanced
236 Appendix C Importing certificates
3
Click Next to begin the Install Certificate wizard.
Figure 139 Certificate Import Wizard 1
NN47922-501
Appendix C Importing certificates 237
4
Select where you want to store the certificate and click Next.
Figure 140 Certificate Import Wizard 2
Nortel Business Secure Router 222 Configuration — Advanced
238 Appendix C Importing certificates
5
Click Finish to complete the Import Certificate wizard.
Figure 141 Certificate Import Wizard 3
6
Click Yes to add the Business Secure Router certificate to the root store.
Figure 142 Root Certificate Store
NN47922-501
Appendix C Importing certificates 239
Figure 143 Certificate General Information after Import
Enrolling and Importing SSL Client Certificates
The SSL client needs a certificate if Authenticate Client Certificates is selected
on the Business Secure Router.
You must have imported at least one trusted CA to the Business Secure Router in
order for the Authenticate Client Certificates to be active (see “Certificates” in
Nortel Business Secure Router 222 Configuration — Basics (NN47922-500) for
details).
Apply for a certificate from a Certification Authority (CA) that is trusted by the
Business Secure Router (see the Business Secure Router’s Trusted CA WebGUI
screen—Figure 144).
Nortel Business Secure Router 222 Configuration — Advanced
240 Appendix C Importing certificates
Figure 144 Business Secure Router Trusted CA screen
The CA sends you a package containing the CA’s trusted certificate, your
personal certificates and a password to install the personal certificates.
NN47922-501
Appendix C Importing certificates 241
Installing the CA’s certificate
1
Double click the CA’s trusted certificate to produce a screen similar to the one
shown in Figure 145.
Figure 145 CA certificate example
2
Click Install Certificate and follow the wizard as shown earlier in this
appendix.
Installing your personal certificates
You need a password in advance. The CA can issue the password or you can
specify it during the enrollment. Double-click the personal certificate given to you
by the CA to produce a screen similar to Figure 146
Nortel Business Secure Router 222 Configuration — Advanced
242 Appendix C Importing certificates
1
Click Next to begin the wizard.
Figure 146 Personal certificate import wizard 1
NN47922-501
Appendix C Importing certificates 243
2
The file name and path of the certificate you double-clicked automatically
appears in the File name text box. Click Browse if you wish to import a
different certificate.
Figure 147 Personal certificate import wizard 2
Nortel Business Secure Router 222 Configuration — Advanced
244 Appendix C Importing certificates
3
Enter the password given to you by the CA.
Figure 148 Personal certificate import wizard 3
NN47922-501
Appendix C Importing certificates 245
4
Have the wizard determine where the certificate should be saved on your
computer or select Place all certificates in the following store and choose a
different location.
Figure 149 Personal certificate import wizard 4
Nortel Business Secure Router 222 Configuration — Advanced
246 Appendix C Importing certificates
5
Click Finish to complete the wizard and begin the import process.
Figure 150 Personal certificate import wizard 5
6
Figure 151 shows the screen that appears when the certificate is correctly
installed on your computer.
Figure 151 Personal certificate import wizard 6
NN47922-501
Appendix C Importing certificates 247
Using a certificate when accessing the Business Secure
Router example
Use the following procedure to access the Business Secure Router via HTTPS.
1
Enter https://Business Secure Router IP Address/ in your browser’s web
address field.
Figure 152 Access the Business Secure Router via HTTPS
2
When Authenticate Client Certificates is selected on the Business Secure
Router, you are asked to select a personal certificate to send to the Business
Secure Router. This screen displays even if you only have a single certificate,
as shown in Figure 153.
Figure 153 SSL client authentication
Nortel Business Secure Router 222 Configuration — Advanced
248 Appendix C Importing certificates
3
The Business Secure Router login screen appears.
Figure 154 Business Secure Router secure login screen
NN47922-501
249
Appendix D
PPPoE
PPPoE in action
An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC
2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects
to a DSL Access Concentrator where the PPP session terminates (see Figure 155).
One PVC can support any number of PPP sessions from your LAN. PPPoE
provides access control and billing functionality in a manner similar to dial-up
services using PPP.
Benefits of PPPoE
PPPoE offers the following benefits:
•
•
•
It provides you with a familiar dial-up networking (DUN) user interface.
It lessens the burden on the carriers of provisioning virtual circuits all the way
to the ISP on multiple switches for thousands of users. For GSTN (PSTN and
ISDN), the switching fabric is already in place.
It allows the ISP to use the existing dial-up model to authenticate and
(optionally) to provide differentiated services.
Traditional dial-up scenario
Figure 155 depicts a typical hardware configuration where the PCs use traditional
dial-up networking.
Nortel Business Secure Router 222 Configuration — Advanced
250 Appendix D PPPoE
Figure 155 Single-PC per Router Hardware Configuration
Business Secure Router
How PPPoE works
The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC
runs PPP over it, while the modem bridges the Ethernet frames to the Access
Concentrator (AC). Between the AC and an ISP, the AC acts as an L2TP (Layer 2
Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP
frames to the ISP. The L2TP tunnel is capable of carrying multiple PPP sessions.
With PPPoE, the VC (Virtual Circuit) is equivalent to the dial-up connection and
is between the modem and the AC, as opposed to all the way to the ISP.
However, the PPP negotiation is between the PC and the ISP.
Business Secure Router as a PPPoE client
When using the Business Secure Router as a PPPoE client, the PCs on the LAN
see only Ethernet and are not aware of PPPoE. This alleviates the administrator
from having to manage the PPPoE clients on the individual PCs.
NN47922-501
Appendix D PPPoE 251
Figure 156 Business Secure Router as a PPPoE Client
Business Secure Router
Nortel Business Secure Router 222 Configuration — Advanced
252 Appendix D PPPoE
NN47922-501
253
Appendix E
PPTP
What is PPTP?
PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol
(RFC 2637 for PPTP is informational only) to tunnel PPP frames.
How can we transport PPP frames from a PC to a broadband
modem over Ethernet?
A solution is to build PPTP into the ANT (ADSL Network Termination) where
PPTP is used only over the short haul between the PC and the modem over
Ethernet. For the rest of the connection, the PPP frames are transported with PPP
over AAL5 (RFC 2364) The PPP connection, however, is still between the PC and
the ISP. The various connections in this setup are depicted in the following
diagram. The drawback of this solution is that it requires one separate ATM VC
per destination.
Figure 157 Transport PPP frames over Ethernet
Nortel Business Secure Router 222 Configuration — Advanced
254 Appendix E PPTP
PPTP and the Business Secure Router
When the Business Secure Router is deployed in such a setup, it appears as a PC
to the ANT.
In Windows VPN or PPTP Pass-Through feature, the PPTP tunneling is created
from Windows 95, 98, and NT clients to an NT server in a remote location. Using
the pass-through feature, users on the network can access a different remote server
using the Business Secure Router's Internet connection. In SUA/NAT mode, the
Business Secure Router is able to pass the PPTP packets to the internal PPTP
server (for example, NT server) behind the NAT. You must configure port
forwarding for port 1723 to have the Business Secure Router forward PPTP
packets to the server. In the case above as the remote PPTP Client initializes the
PPTP connection, the user must configure the PPTP clients. The Business Secure
Router initializes the PPTP connection hence; there is no need to configure the
remote PPTP clients.
Figure 158 Business Secure Router as a PPTP client
Business Secure Router
PPTP protocol overview
PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F
(Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP,
namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator)
and the PPTP user. The PNS is the box that hosts both the PPP and the PPTP
stacks and forms one end of the PPTP tunnel. The PAC is the box that dials or
answers the phone calls and relays the PPP frames to the PNS. The PPTP user is
not necessarily a PPP client, it can also be a PPP server. Both the PNS and the
NN47922-501
Appendix E PPTP 255
PAC must have IP connectivity; however, the PAC must also have dial-up
capability. The phone call is between the user and the PAC and the PAC tunnels
the PPP frames to the PNS. The PPTP user is unaware of the tunnel between the
PAC and the PNS.
Figure 159 PPTP protocol overview
Microsoft includes PPTP as a part of the Windows OS. In Microsoft’s
implementation, the PC, and hence the Business Secure Router, is the PNS that
requests the PAC (the ANT) to place an outgoing call over AAL5 to an RFC 2364
server.
Control and PPP connections
Each PPTP session has distinct control connection and PPP data connection.
Call connection
The control connection runs over TCP. Similar to L2TP, a tunnel control
connection is first established before call control messages can be exchanged.
Note that a tunnel control connection supports multiple call sessions.
Figure 160 depicts the message exchange of a successful call setup between a PC
and an ANT.
Nortel Business Secure Router 222 Configuration — Advanced
256 Appendix E PPTP
Figure 160 Example message exchange between PC and an ANT
PPP data connection
The PPP frames are tunneled between the PNS and PAC over GRE (General
Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are
distinguished using the Call ID field in the GRE header.
NN47922-501
257
Appendix F
Hardware specifications
Cable pin assignments
Table 54 General specifications
Power Specification
I/P AC 120V / 60Hz; O/P DC 12V 1200 mA
MTBF
416 107 hrs (Mean Time Between Failures)
Operation Temperature
0º C ~ 40º C
Ethernet Specification for
WAN
10/100Mb/s Half / Full autonegotiation
Ethernet Specification for
LAN/ VPN Ports
10/100Mb/s Half / Full autonegotiation, autosensing
In a serial communications connection, generally a computer is DTE
(DataTerminal Equipment) and a modem is DCE (Data Circuit-terminating
Equipment). The Business Secure Router is DCE when you connect a computer to
the console port. The Business Secure Router is DTE when you connect a modem
to the dial backup port.
Nortel Business Secure Router 222 Configuration — Advanced
258 Appendix F Hardware specifications
Figure 161 Console or dial backup port pin layouts 1
P
i
n
5
P
i
n
1
P
i
n
9
P
i
n
6
Table 55 Console or dial backup port pin assignments
1
CONSOLE Port RS – 232 (Female) DB-9F
DIAL BACKUP RS – 232 (Male)
DB-9M
Pin 1 = NON
Pin 1 = NON
Pin 2 = DCE-TXD
Pin 2 = DTE-RXD
Pin 3 = DCE –RXD
Pin 3 = DTE-TXD
Pin 4 = DCE –DSR
Pin 4 = DTE-DTR
Pin 5 = GND
Pin 5 = GND
Pin 6 = DCE –DTR
Pin 6 = DTE-DSR
Pin 7 = DCE –CTS
Pin 7 = DTE-RTS
Pin 8 = DCE –RTS
Pin 8 = DTE-CTS
PIN 9 = NON
PIN 9 = NON.
The CON/AUX port also has these pin
assignments. The CON/AUX switch changes the
setting in the firmware only and does not change
the CON/AUX port’s pin assignments.
Business Secure Routers with a
CON/AUX port also have a 9-pin
adapter for the console cable with
these pin assignments on the male
end.
Products without flow control only use pins 2, 3, and 5.
NN47922-501
Appendix F Hardware specifications 259
Figure 162 Ethernet cable pin assignments
WAN/LAN Ethernet Cable Pin Layout:
Straight-Through
Crossover
(Switch)
1 IRD +
(Adapter)
1 OTD +
(Switch)
1 IRD +
2
IRD -
2
OTD -
2
IRD -
2
3
OTD +
3
IRD +
3
OTD +
3 OTD +
6
OTD -
6
IRD -
6
OTD -
6 OTD -
(Switch)
1 IRD +
IRD -
AC Power Adapter Specifications
Use only power supplies listed in the user instructions.
Phihong, Model PSA21R-180
Note: Not to remove the plug and plug into a wall outlet by itself; always attach
the plug to the power supply first before insert into the wall.
Leader, Model MU18-2180100-XX (XX can be A1, A2, A3, B2 or C5 for the
different plugs used)
Nortel Business Secure Router 222 Configuration — Advanced
260 Appendix F Hardware specifications
NN47922-501
261
Appendix G
IP subnetting
IP addressing
Routers route based on the network number. The router that delivers the data
packet to the correct destination host uses the host ID.
IP classes
An IP address is made up of four octets (eight bits), written in dotted decimal
notation, for example, 192.168.1.1. IP addresses are categorized into different
classes. The class of an address depends on the value of its first octet.
•
•
•
•
Class A addresses have a 0 in the left-most bit. In a class A address, the first
octet is the network number and the remaining three octets make up the host
ID.
Class B addresses have a 1 in the left-most bit and a 0 in the next left most bit.
In a class B address, the first two octets make up the network number and the
two remaining octets make up the host ID.
Class C addresses begin (starting from the left) with 1 1 0. In a class C
address, the first three octets make up the network number and the last octet is
the host ID.
Class D addresses begin with 1 1 1 0. Class D addresses are used for
multicasting. (There is also a class “E” address, which is reserved for future
use.)
Nortel Business Secure Router 222 Configuration — Advanced
262 Appendix G IP subnetting
Table 56 Classes of IP addresses
IP Address:
Octet 1
Octet 2
Octet 3
Octet 4
Class A
0
Network number
Host ID
Host ID
Host ID
Class B
10
Network number
Network number
Host ID
Host ID
Class C
110
Network number
Network number
Network number
Host ID
Note: Host IDs of all zeros or all ones are not allowed.
Therefore:
A class C network (8 host bits) can have 28 –2 or 254 hosts.
A class B address (16 host bits) can have 216 –2 or 65 534 hosts.
A class A address (24 host bits) can have 224 –2 hosts (approximately 16 million
hosts).
Since the first octet of a class A IP address must contain a 0, the first octet of a
class A address can have a value of 0 to 127.
Similarly the first octet of a class B must begin with 10, therefore the first octet of
a class B address has a valid range of 128 to 191. The first octet of a class C
address begins with 110, and therefore has a range of 192 to 223.
Table 57 Allowed IP address range By class
Class
Allowed Range of First Octet (Binary)
Allowed Range of First Octet (decimal)
Class A
00000000 to 01111111
0 to 127
Class B
10000000 to 10111111
128 to 191
Class C
11000000 to 11011111
192 to 223
Class D
11100000 to 11101111
224 to 239
NN47922-501
Appendix G IP subnetting 263
Subnet masks
A subnet mask is used to determine which bits are part of the network number,
and which bits are part of the host ID (using a logical AND operation). A subnet
mask contains 32 bits. If there is a 1 in the bit, then the corresponding bit of the IP
address is part of the network number. If a bit in the subnet mask is 0 then the
corresponding bit in the IP address is part of the host ID.
Subnet masks are expressed in dotted decimal notation just as IP addresses are.
The natural masks for class A, B, and C IP addresses are as follows.
Table 58
Natural Masks
Class
Natural mask
A
255.0.0.0
B
255.255.0.0
C
255.255.255.0
Subnetting
With subnetting, the class arrangement of an IP address is ignored. For example, a
class C address no longer has to have 24 bits of network number and 8 bits of host
ID. With subnetting, some of the host ID bits are converted into network number
bits. By convention, subnet masks always consist of a continuous sequence of
ones beginning from the left most bit of the mask, followed by a continuous
sequence of zeros, for a total number of 32 bits.
Since the mask is always a continuous number of ones beginning from the left,
followed by a continuous number of zeros for the remainder of the 32-bit mask,
you can simply specify the number of ones instead of writing the value of each
octet. This is usually specified by writing a / followed by the number of bits in the
mask after the address.
For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with mask
255.255.255.128.
Nortel Business Secure Router 222 Configuration — Advanced
264 Appendix G IP subnetting
Table 59 shows all possible subnet masks for a class C address using both
notations.
Table 59 Alternative Subnet Mask Notation
Subnet mask IP address
Subnet mask 1 Bits
Last octet bit value
255.255.255.0
/24
0000 0000
255.255.255.128
/25
1000 0000
255.255.255.192
/26
1100 0000
255.255.255.224
/27
1110 0000
255.255.255.240
/28
1111 0000
255.255.255.248
/29
1111 1000
255.255.255.252
/30
1111 1100
The first mask shown is the class C natural mask. Normally, if no mask is
specified, it is understood that the natural mask is being used.
Example: two subnets
As an example, you have a class C address 192.168.1.0 with subnet mask of
255.255.255.0.
Network number
Host ID
IP Address
192.168.1.
0
IP Address (Binary)
11000000.10101000.00000001.
00000000
Subnet Mask
255.255.255.
0
Subnet Mask (Binary)
11111111.11111111.11111111.
00000000
The first three octets of the address make up the network number (class C). You
want to have two separate networks.
NN47922-501
Appendix G IP subnetting 265
Divide the network 192.168.1.0 into two separate subnets by converting one of
the host ID bits of the IP address to a network number bit. The borrowed host ID
bit can be either 0 or 1, thus giving two subnets; 192.168.1.0 with mask
255.255.255.128 and 192.168.1.128 with mask 255.255.255.128.
Note: In the following charts, shaded or bolded last-octet bit values
indicate host ID bits borrowed to form network ID bits. The number of
borrowed host ID bits determines the number of subnets you can have.
The remaining number of host ID bits (after borrowing) determines the
number of hosts you can have on each subnet.
Table 60 Subnet 1
Network number
Last Octet bit value
IP Address
192.168.1.
0
IP Address (Binary)
11000000.10101000.00000001.
00000000
Subnet Mask
255.255.255.
128
Subnet Mask (Binary)
11111111.11111111.11111111.
10000000
Subnet Address: 192.168.1.0
Lowest Host ID: 192.168.1.1
Broadcast Address:
192.168.1.127
Highest Host ID: 192.168.1.126
Table 61 Subnet 2
Network number
Last octet bit value
IP Address
192.168.1.
128
IP Address (Binary)
11000000.10101000.00000001.
10000000
Subnet Mask
255.255.255.
128
Subnet Mask (Binary)
11111111.11111111.11111111.
10000000
Subnet Address: 192.168.1.128
Lowest Host ID: 192.168.1.129
Broadcast Address:
192.168.1.255
Highest Host ID: 192.168.1.254
The remaining 7 bits determine the number of hosts each subnet can have. Host
IDs of all zeros represent the subnet itself and host IDs of all ones are the
broadcast address for that subnet, so the actual number of hosts available on each
subnet in the example above is 27 – 2 or 126 hosts for each subnet.
Nortel Business Secure Router 222 Configuration — Advanced
266 Appendix G IP subnetting
192.168.1.0 with mask 255.255.255.128 is the subnet itself, and 192.168.1.127
with mask 255.255.255.128 is the directed broadcast address for the first subnet.
Therefore, the lowest IP address that can be assigned to an actual host for the first
subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly the host ID
range for the second subnet is 192.168.1.129 to 192.168.1.254.
Example: four subnets
The above example illustrated using a 25-bit subnet mask to divide a class C
address space into two subnets. Similarly to divide a class C address into four
subnets, you need to borrow two host ID bits to give four possible combinations
of 00, 01, 10 and 11. The subnet mask is 26 bits
(11111111.11111111.11111111.11000000) or 255.255.255.192. Each subnet
contains 6 host ID bits, giving 26-2 or 62 hosts for each subnet (all 0s is the subnet
itself, all 1s is the broadcast address on the subnet).
Table 62 Subnet 1
Network number
Last octet bit value
IP Address
192.168.1.
0
IP Address (Binary)
11000000.10101000.00000001.
00000000
Subnet Mask (Binary)
11111111.11111111.11111111.
11000000
Subnet Address: 192.168.1.0
Lowest Host ID: 192.168.1.1
Broadcast Address: 192.168.1.63
Highest Host ID: 192.168.1.62
Table 63 Subnet 2
Network number
Last octet bit value
IP Address
192.168.1.
64
IP Address (Binary)
11000000.10101000.00000001.
01000000
Subnet Mask (Binary)
11111111.11111111.11111111.
11000000
Subnet Address: 192.168.1.64
Lowest Host ID: 192.168.1.65
Broadcast Address:
192.168.1.127
Highest Host ID: 192.168.1.126
NN47922-501
Appendix G IP subnetting 267
Table 64 Subnet 3
Network number
Last Octet Bit Value
IP Address
192.168.1.
128
IP Address (Binary)
11000000.10101000.00000001.
10000000
Subnet Mask (Binary)
11111111.11111111.11111111.
11000000
Subnet Address: 192.168.1.128
Lowest Host ID: 192.168.1.129
Broadcast Address:
192.168.1.191
Highest Host ID: 192.168.1.190
Table 65 Subnet 4
Network number
Last Octet Bit Value
IP Address
192.168.1.
192
IP Address (Binary)
11000000.10101000.00000001.
11000000
Subnet Mask (Binary)
11111111.11111111.11111111.
11000000
Subnet Address: 192.168.1.192
Lowest Host ID: 192.168.1.193
Broadcast Address: 192.168.1.255 Highest Host ID: 192.168.1.254
Example: eight subnets
Similarly, use a 27-bit mask to create 8 subnets (001, 010, 011, 100, 101, 110).
Table 66 shows class C IP address last-octet values for each subnet.
Table 66 Eight subnets
Subnet
Subnet Address
First Address
Last Address
Broadcast Address
1
0
1
30
31
2
32
33
62
63
3
64
65
94
95
4
96
97
126
127
5
128
129
158
159
6
160
161
190
191
Nortel Business Secure Router 222 Configuration — Advanced
268 Appendix G IP subnetting
Table 66 Eight subnets
Subnet
Subnet Address
First Address
Last Address
Broadcast Address
7
192
193
222
223
8
224
225
254
255
Table 67 is a summary for class C subnet planning.
Table 67 Class C subnet planning
No. Borrowed Host Bits
Subnet Mask
No. Subnets
No. Hosts per Subnet
1
255.255.255.128 (/25)
2
126
2
255.255.255.192 (/26)
4
62
3
255.255.255.224 (/27)
8
30
4
255.255.255.240 (/28)
16
14
5
255.255.255.248 (/29)
32
6
6
255.255.255.252 (/30)
64
2
7
255.255.255.254 (/31)
128
1
Subnetting with Class A and Class B networks.
For class A and class B addresses the subnet mask also determines which bits are
part of the network number and which are part of the host ID.
A class B address has two host ID octets available for subnetting and a class A
address has three host ID octets (see Table 56) available for subnetting.
Table 68 is a summary for class B subnet planning.
Table 68 Class B subnet planning
No. “Borrowed” Host Bits
Subnet Mask
No. Subnets
No. Hosts per Subnet
1
255.255.128.0 (/17)
2
32 766
2
255.255.192.0 (/18)
4
16 382
3
255.255.224.0 (/19)
8
8 190
4
255.255.240.0 (/20)
16
4 094
NN47922-501
Appendix G IP subnetting 269
Table 68 Class B subnet planning
No. “Borrowed” Host Bits
Subnet Mask
No. Subnets
No. Hosts per Subnet
5
255.255.248.0 (/21)
32
2 046
6
255.255.252.0 (/22)
64
1 022
7
255.255.254.0 (/23)
128
510
8
255.255.255.0 (/24)
256
254
9
255.255.255.128 (/25)
512
126
10
255.255.255.192 (/26)
1 024
62
11
255.255.255.224 (/27)
2 048
30
12
255.255.255.240 (/28)
4 096
14
13
255.255.255.248 (/29)
8 192
6
14
255.255.255.252 (/30)
16 384
2
15
255.255.255.254 (/31)
32 768
1
Nortel Business Secure Router 222 Configuration — Advanced
270 Appendix G IP subnetting
NN47922-501
271
Appendix H
Command Interpreter
The following describes how to use the command interpreter. Enter 24 in the main
menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 Command Interpreter Mode. See the included disk or www.nortel.com for
more detailed information on these commands.
Note: Use of undocumented commands or misconfiguration can
damage the unit and possibly render it unusable.
Command Syntax
•
•
•
•
•
The command keywords are in Courier New font.
Enter the command keywords exactly as shown. Do not abbreviate.
The required fields in a command are enclosed in angle brackets <>.
The optional fields in a command are enclosed in square brackets [].
The |symbol means or.
For example,
sys filter netbios config <type> <on|off>
means that you must specify the type of netbios filter and whether to turn it on
or off.
Command usage
A list of valid commands can be found by typing help or ? at the command
prompt. Always type the full command. Type exit to return to the SMT main
menu when you are finished.
Nortel Business Secure Router 222 Configuration — Advanced
272 Appendix H Command Interpreter
Sys commands
Table 69 lists and describes the system commands. Each of these commands must
be preceded by sys. For example, type sys stdio 60 to set the management
session inactivity timeout to 60 minutes.
Table 69 Sys commands
Command
Description
atsh
Displays the MRD field.
callhist
Displays the call history.
display
remove
<index>
Removes an entry from the call history.
name
[name]
Sets or displays the client logon name.
password
[password]
Sets or displays the client logon
password.
[countrycode]
Sets or displays the country code.
date
[year month date]
Sets or displays the system’s current
date.
time
[hour [min [sec]]]
Sets or displays the system time.
period
[day]
Sets how often the Business Secure
Router gets the date and time from the
time server.
client
countrycode
datetime
Gets the date and time from the time
server.
sync
Displays the domain name that the
device sends to the LAN DHCP clients.
domainname
edit
<filename>
Maintains extra phone numbers for
outgoing (dial backup) calls.
extraphnum
add
<set 1-3> <1st phone num>
[2nd phone num]
node
Adds extra phone numbers.
Displays the extra phone numbers.
display
NN47922-501
Edits the system preset text files such
as autoexec.net.
<num>
Sets all extra phone numbers to remote
node <num>.
Appendix H Command Interpreter 273
Table 69 Sys commands
Command
Description
remove
<set 1-3>
Removes extra phone numbers.
Resets node and mask.
reset
feature
Displays a list of the device’s major
features.
firmware
Displays the ISDN firmware type.
firewall
See “Sys firewall commands” on
page 297 for information about the
system firewall commands.
hostname
[hostname]
Sets or displays the system name.
8021x
Records logs for IEEE 802.1X.
access [0:none/1:log/
2:alert/3:both]
Records, sends alerts, or both for
access control logs.
attack [0:none/1:log/
2:alert/3:both]
Records, sends alerts, or both for
firewall attack logs.
cdr [0:none/1:log]
Records Call Detail Record logs.
display
Displays the category settings.
error [0:none/1:log/
2:alert/3:both]
Records, sends alerts, or both for
system error logs.
icmp [0:none/1:log]
Records ICMP logs.
ike [0:none/1:log/2:alert/
3:both]
Records, sends alerts or both for
access control logs.
ipsec [0:none/1:log/
2:alert/3:both]
Records the access control logs
javablocked [0:none/1:log]
Records the java blocked logs.
mten [0:none/1:log]
Records the system maintenance logs.
packetfilter [0:none/
1:log]
Records the packet filter logs.
ppp [0:none/1:log]
Records the PPP logs.
remote [0:none/1:log]
Records the remote management logs.
tcpreset [0:none/1:log]
Records the TCP reset logs.
upnp [0:none/1:log]
Records the UPnP logs.
logs
category
Nortel Business Secure Router 222 Configuration — Advanced
274 Appendix H Command Interpreter
Table 69 Sys commands
Command
Description
urlblocked [0:none/1:log/
2:alert/3:both]
Records and/or sends alerts for web
access blocked logs.
urlforward [0:none/1:log]
Records web access forward logs.
Clears the log.
clear
display
[access|attack|error|ike|i
psec|javablocked|mten|pack
etfilter|pki|
tcpreset|tls|upnp|urlblock
ed|urlforward]
Displays all logs or specifies a category
of logs.
clear
Clears the error log.
disp
Displays the error log.
online
Turns the error log online display on or
off.
errlog
Loads the log settings buffer. Use this
command before you configure the log
settings. Use sys logs save after
you configure the log settings.
load
mail
alertAddr [mail address]
Sends alerts to this e-mail address.
clearLog [0:no/1:yes]
Enables the switch to clear the log after
sending logs via e-mail.
display
Displays the logs and alerts mail
settings.
logAddr [mail address]
Sends logs to this e-mail address.
schedule display
Displays the mail schedule.
schedule hour [0-23]
Sets the hour to send logs.
schedule minute [0-59]
Sets the minute to send the logs.
schedule policy [0:full/
1:hourly/2:daily/3:weekly/
4:none]
Sets the mail schedule policy.
schedule week [0:sun/1:mon/ Sets the day of the week to send
2:tue/3:wed/4:thu/5:fri/
weekly logs.
6:sat]
server [domainName/IP]
NN47922-501
Sets the domain name or IP address of
the mail server to which the logs are
sent.
Appendix H Command Interpreter 275
Table 69 Sys commands
Command
Description
subject [mail subject]
Sets the log e-mail’s subject.
auth
Enables or disables SMTP
authentication.
user
Sets the SMTP authentication
username.
passwd
Sets the SMTP authentication
password.
Saves the log settings from the buffer.
save
syslog
active [0:no/1:yes]
Enables or disables syslog logging.
display
Displays the syslog settings.
facility [Local ID(1-7)]
Specifies the file to which the device
logs the syslog messages.
server [domainName/IP]
Specifies the IP address of the syslog
server the syslogs are sent.
switch <0:on|1:off>
Turns log consolidation on or off.
period
Sets the consolidation period (in
seconds).
msglist
Displays the consolidated messages.
<minute>
Sets how often to resolve the mail and
syslog server domain name to an IP
address.
bmlog <0:no|1:yes>
Turns the broadcast or multicast log on
or off.
display
Displays switch settings.
trilog <0:no|1:yes>
Turns triangle route logging on or off.
[0:cold boot/1: immediate
reboot/2: bootModule debug
mode]
Restarts the device.
load
<entry no.>
Loads remote node information.
disp
<entry no.>(0:working
buffer)
Displays remote node information.
consolidate
updateSvrIP
switch
reboot
rn
Nortel Business Secure Router 222 Configuration — Advanced
276 Appendix H Command Interpreter
Table 69 Sys commands
Command
Description
nat
<none|sua|full_feature>
Configures remote node NAT.
nailup
<no|yes>
Configures a remote node connection
to be nailed up (always on).
mtu
<value>
Sets the remote node Maximum
Transmission Unit.
Blocks access to a remote node.
accessblock
save
stdio
[entry no.]
Saves remote node information.
[minute]
Sets or displays the management
terminal idle timeout value.
tos
display
Shows all runtime Temporarily Open
Sessions.
debug
Turns TOS debug message on or off.
listPerHost
Displays all hosts session counts.
sessPerHost
Sets the session per host limit.
timeout
NN47922-501
display
Displays all TOS (Temporarily Open
Session) timeout information.
icmp
Sets the ICMP session idle timeout
value.
igmp
Sets the IGMP session idle timeout
value.
tcpsyn
Sets the SYN TCP session idle timeout
value.
tcp
Sets the TCP session idle timeout
value.
tcpfin
Sets the TCP FIN session idle timeout
value.
udp
Sets the UDP-session idle-timeout
value.
gre
Sets the GRE-session idle-timeout
value.
esp
Sets the ESP-session idle-timeout
value.
ah
Sets the AH-session idle-timeout value.
Appendix H Command Interpreter 277
Table 69 Sys commands
Command
Description
others
Sets the idle-timeout value for other
sessions.
parse, brief, disp
Sets the level of detail that should be
displayed. “parse” displays the most
detail and “disp” displays the least.
switch
[on|off]
Enables or disables the system trace
log or displays the current setting.
online
[on|off]
Enables or disables the trace log
onscreen display (for example, in the
Telnet management window).
level
[level]
Sets the level (1-10) of trace logs (1
shows the least) to display.
type
<bitmap>
Uses hexadecimal characters to set the
type of trace logs to record.
trcdisp
trclog
disp
Shows the trace log.
clear
Erases the trace log.
call
Shows call events.
encapmask
[mask]
Shows which type of encapsulation the
trace log records, or sets the
encapsulation if you specify the
encapsulation’s hexadecimal character.
Uses trace packets to capture parts of
packets in order to see the packet flow
from one interface to another.
trcpacket
create
<entry> <size>
Removes the packet trace buffer.
destroy
channel
Creates a packet trace buffer.
<name> [none|incoming|
outgoing|bothway]
Sets the packet trace direction for a
given channel.
string
[on|off]
Enables or disables the sending of a
log to the trace packet buffer when
configuration changes are made or
displays the current setting if neither
on/off is specified.
switch
[on|off]
Enables or disables packet trace or
displays the current setting if neither on
nor off is specified.
disp
Displays the trace packets.
Nortel Business Secure Router 222 Configuration — Advanced
278 Appendix H Command Interpreter
Table 69 Sys commands
Command
Description
Sends the trace packets to another
system using UDP.
udp
udp switch
[on|off]
Enables or disables the sending of the
trace packets to another system using
UDP or displays the current setting.
udp addr
<addr>
Sets the target IP address for sending
trace packets using UDP.
udp port
<port>
Sets the UDP port (should match that
of the target IP address) for sending
trace packets using UDP.
parse
[[start_idx], end_idx]
Displays detailed packet details of the
packet range specified.
Displays a brief listing of packet
contents.
brief
Displays the RAS code and driver
versions.
version
<filename>
Displays the specified text file.
switch
[on|off]
Turns the watchdog firmware
protection feature on or off.
cnt
[value]
Sets (0-34 463) or displays the current
watchdog count (in 1.6 sec units).
view
wdog
Restores the factory default
configuration file.
romreset
Use these commands to configure
remote server management.
server
NN47922-501
access
<telnet|ftp|web|icmp|snmp|
dns> <value>
Sets the server access type.
load
Loads server information.
disp
Displays server information.
port <telnet|ftp|web|snmp>
<port>
Sets the server port.
save
Saves server information.
secureip <telnet|ftp|
web|icmp|snmp|dns> <ip>
Sets server secure IP address.
Appendix H Command Interpreter 279
Table 69 Sys commands
Command
Description
[minute]
Sets or displays the password error
blocking timeout value.
active
[0:no/1:yes]
Activates or deactivates the saved
UPnP settings.
config
[0:deny/1:permit]
Allows users to make configuration
changes through UPnP.
pwderrtm
upnp
Displays UPnP information
display
firewall
[0:deny/1:pass]
Saves UPnP information.
load
reserve
Allows UPnP to pass through the
firewall.
[0:deny/1:permit]
Saves UPnP information.
save
Displays the system socket’s ID #,
type, control block address (PCB), IP
address and port number of peer
device connected to the socket
(Remote Socket) and task control block
(Owner).
socket
filter
netbios
disp
Displays the current NetBIOS filter
modes.
config <0:Between LAN and
Sets NetBIOS filters.
WAN/ 3: IPSec Pass through/
4: Trigger Dial> <on|off>
roadrunner
debug
<level>
Enables or disables Road Runner
service.
0: disable (default)1: enable
display
<iface name>
Displays Road Runner information
iface-name: enif0, wanif0
restart
<iface name>
Restarts Road Runner.
debug
<level>
Enables or disables DDNS service.
display
<iface name>
Displays DDNS information.
ddns
Nortel Business Secure Router 222 Configuration — Advanced
280 Appendix H Command Interpreter
Table 69 Sys commands
Command
Description
restart
Restarts DDNS.
logout
This command has no effect.
display
Displays the CPU utilization.
cpu
Exit Command
Table 70 Exit Command
Command
Description
exit
Ends the command interpreter session.
Ethernet Commands
Table 71 lists and describes the Ethernet commands. Each of these commands
must be preceded by ether. For example, type ether config to display
information on the LAN configuration.
Table 71 Ether Commands
Command
Description
config
Displays LAN configuration information.
driver
cnt
status
disp <name>
Displays the Ethernet driver counters.
<ch_name>
Shows the LAN status.
Displays the Ethernet device type.
version
edit
load
mtu
NN47922-501
<1:LAN>
<value>
Loads Ethernet (1:LAN) data from the System
Parameters Table.
Sets the Ethernet data Maximum Transmission
Unit.
Appendix H Command Interpreter 281
Table 71 Ether Commands
Command
Description
accessblock
<0:disable 1:enable>
Blocks Internet access.
speed
<auto|10/half|10/
full|100/half|100/
full>
Sets the Ethernet data speed and duplex.
save
Saves Ethernet data to the System Parameters
Table.
dump
Displays the relationship between physical port
and channel.
dynamic
Port
set
<port> <type>
Sets physical port to a specific channel.
Displays channel setting stored in SPT.
spt
IP commands
Table 72 lists and describes the IP commands. Each of these commands must be
preceded by ip. For example, type ip address to display the host IP address.
Table 72 IP commands
Command
Description
address
[addr]
Displays the host IP address.
alias
<iface>
Sets an alias for the specified interface.
aliasdis
<0|1>
Disables or enables the alias for the specified
interface.
status
<iface>
Displays an interface’s IP Address Resolution
Protocol status.
attpret
<on|off>
Allows or disallows the device to receive ARP
from a different network or not.
force
<on|off>
Enables or disables the ARP timeout function.
arp
dhcp
<iface>
client
release
Releases the DHCP client IP address.
Nortel Business Secure Router 222 Configuration — Advanced
282 Appendix H Command Interpreter
Table 72 IP commands
Command
Description
renew
Renews the DHCP client IP address.
status
[option]
Displays the DHCP status.
query
address <ip
address>
Displays the domain name of an IP address.
name <host name>
Displays the IP address of a domain name.
dns
Configures the system DNS server settings.
system
lan
httpd
display
Shows the system DNS server settings.
edit <0: first|1:
second|2: third>
<0:from
ISP|1:usr-def|2:n
one> [IP addr
ess if choosing
1]
Configures the system DNS server settings.
edit <0: first|1:
second|2: third>
<0:from
ISP|1:usr-def|2:D
NS Relay|3: n
one> [IP address
if choosing 1]
Configures the LAN DNS server settings.
display
Shows the LAN DNS server settings.
debug [on|off]
Enables or disables the HTTP debug flag.
This command currently does not work.
icmp
Displays the ICMP statistics counter.
status
<iface> [on|off]
Sets the ICMP router discovery flag.
ifconfig
[iface] [ipaddr]
[broadcast <addr>
|mtu
<value>|dynamic]
Configures a network interface.
ping
<hostid>
Pings a remote host.
[if]
Displays the routing table.
discovery
route
status
NN47922-501
Appendix H Command Interpreter 283
Table 72 IP commands
Command
Description
add
<dest_addr|defaul
t>[/<bits>]
<gateway>
[<metric>]
Adds a route.
addiface
<dest_addr|defaul
t>[/<bits>]
<gateway>
[<metric>]
Adds an entry to the routing table for the
specified interface.
addprivate
<dest_addr|defaul
t>[/<bits>]
<gateway>
[<metric>]
Adds a private route.
drop
<host addr> [/
<bits>]
Drops a route.
Displays IP statistic counters.
status
udp
Displays the UDP status.
status
These are the Routing Information Protocol
commands.
rip
accept
<gateway>
Drops an entry from the RIP refuse list.
Enables RIP.
activate
merge
[on|off]
Sets the RIP merge flag.
refuse
<gateway>
Adds an entry to the RIP refuse list.
request
<addr> [port]
Sends a RIP request to the specified address
and port.
reverse
[on|off]
RIP Poisoned Reverse.
status
Displays RIP statistic counters.
trace
Enables the RIP debug trace.
mode
dialin_user
tcp
status
<iface> in [mode]
Sets the Business Secure Router to use the
RIP information it receives.
<iface> out
[mode]
Sets the Business Secure Router to broadcast
its routing table.
[show|in|out|both
|none]
Shows the dial-in user RIP direction.
Displays the TCP statistic counters.
Nortel Business Secure Router 222 Configuration — Advanced
284 Appendix H Command Interpreter
Table 72 IP commands
Command
Description
telnet
<host> [port]
Creates a Telnet connection to the specified
host.
tftp
support
Displays whether or not TFTP is supported.
stats
Displays the TFTP statistics.
<host> [ttl]
[wait] [queries]
Sends ICMP packets to trace the route of a
remote host.
join
<iface1>
[<iface2>]
Add iface2 to the iface1’s group.
break
<iface>
Remove the specified interface from the
ipxparent group.
enable
[0:no/1:yes]
Enables or disables content filtering.
display
Displays content filtering exempt zone
information.
actionFlags
[type(1-3)][enabl
e/disable]
Enables or disables content filtering exempt
zone action flags that determine to which IP
addresses content filtering applies.
add [ip1] [ip2]
Sets a range of IP addresses to be in the
exempt zone.
delete [ip1]
[ip2]
Removes a range of IP addresses from the
exempt zone.
reset
Returns the exempt zone settings to the
previous configuration.
traceroute
xparent
urlfilter
exemptZone
Uses the customize commands to configure
content filtering for trusted Web sites,
forbidden Web sites and keyword blocking.
customize
NN47922-501
display
Displays the content filtering customize action
flags.
actionFlags
[act(1-7)]
[enable/disable]
Sets the content filtering customize action
flags.
logFlags
[type(1-3)][enabl
e/disable]
Sets the content filtering customize log flags.
Appendix H Command Interpreter 285
Table 72 IP commands
Command
Description
add [string]
[trust/untrust/
keyword]
Adds a trusted Web site, forbidden Web site
or keyword blocking string.
delete [string]
[trust/untrust/
keyword]
Deletes a trusted Web site, forbidden Web
site or keyword blocking string.
reset
Returns to the default configuration.
failcount
<count>
Sets the number of times that the device can
ping the target without a response before
forwarding traffic to the backup gateway.
partner
<ipaddr>
Sets the traffic redirect backup gateway IP
address.
target
<ipaddr>
Sets the IP address that the device uses to
test WAN accessibility.
timeout
<timeout>
Sets the number of seconds the device waits
for a response from the target.
checktime
<period>
Sets the number of seconds the device waits
between attempts to connect to the target.
active
<on|off>
Enables or disables traffic redirect.
tredir
save
Saves traffic redirect configuration.
disp
Displays the traffic redirect configuration.
debug
<value>
Sets the traffic redirect debug value.
active
[1:yes|0:no]
Enables or disables the reports.
rpt
start
Starts recording reports data.
stop
Stops recording reports data.
url
Records the most visited Web sites.
ip
Records the LAN IP addresses that sent and
received the most traffic.
srv
Records the most heavily used protocols or
service ports.
stroute
display
[rule # | buf]
Displays the list of static routes or detailed
information on a specified rule.
Nortel Business Secure Router 222 Configuration — Advanced
286 Appendix H Command Interpreter
Table 72 IP commands
Command
Description
load
<rule #>
Loads the specified static route rule into the
buffer.
Saves a rule from the buffer to the System
Parameters Table.
save
config
name <site name>
Sets the name for a static route.
destination <dest
addr>[/<bits>]
<gateway>
[<metric>]
Sets a static route’s destination IP address
and gateway.
mask <IP subnet
mask>
Sets a static route’s subnet mask.
gateway <IP
address>
Sets a static route’s gateway IP address.
metric <metric #>
Sets a static route’s metric number.
private <yes|no>
Turns private mode on or off.
active <yes|no>
Enables or disables a static route rule.
[0|1]
Sets whether or not the device allows ICMP
fragment packets.
debug
[level]
Sets IGMP debug level.
forwardall
[on|off]
Activates or deactivates IGMP forwarding to
all interfaces flag.
querier
[on|off]
Turns on or off IGMP stop query flag.
<iface> grouptm
<timeout>
Sets IGMP group timeout for the specified
interface.
<iface> interval
<interval>
Sets IGMP query interval for the specified
interface.
<iface> join
<group>
Adds an interface to a group.
<iface> leave
<group>
Removes an interface from a group.
<iface> query
Sends an IGMP query on the specified
interface.
dropIcmp
igmp
iface
NN47922-501
Appendix H Command Interpreter 287
Table 72 IP commands
Command
Description
robustness
<iface> rsptime
[time]
Sets the IGMP response time.
<iface> start
Turns on IGMP on the specified interface.
<iface> stop
Turns off IGMP on the specified interface.
<iface> ttl
<threshold>
Sets the IGMP Time To Live threshold.
<iface> v1compat
[on|off]
Turns on or off IGMP version 1 compatibility
on the specified interface.
<num>
Sets the IGMP robustness variable.
status
Displays the IGMP status.
display
Shows whether the Application Layer
Gateway is enabled or disabled.
alg
siptimeout
<timeout in
second> or 0 for
no timeout
Sets the SIP timeout period.
enable
<ALG_FTP|ALG_H323
|ALG_SIP>
Turns on the ALG.
disable
<ALG_FTP|ALG_H323
|ALG_SIP>
Turns off the ALG.
Nortel Business Secure Router 222 Configuration — Advanced
288 Appendix H Command Interpreter
IPSec commands
Table 73 lists and describes the IP Sec commands. Each of these commands must
be preceded by ipsec. For example, type ipsec display 3 to display the third
IPSec rule, if you have it configured.
Table 73 IPSec commands
Command
debug
switch
Description
type
<0:Disable |
1:Original
on|off | 2:IKE
on|off | 3:
IPSec
[SPI]|on|off |
4:XAUTHon|off |
5:CERT on|off |
6: All>
Turns the trace for IPsec debug
information on or off.
level
<0:None |
1:User | 2:Low
| 3:High>
Sets the debug level. The higher the
number, the more detailed.
display
Shows debugging information, including
type and level.
<on|off>
As long as there is one active IPSec rule,
all packets go into the IPSec process to
check against the SPD. When this switch
is turned on, packets are not be put
through the IPSec process, even if there
are active IPSec rules.
timer
NN47922-501
chk_conn.
<0~255>
Sets the idle timeout for IPSec
connections. The system disconnects an
IPSec connection with no traffic for the
timeout period. The interval is in minutes
(2 default) and 0 means the connection
never times out.
dpdTime
<minutes>
Sets the idle timeout for IPSec
connections where the Business Secure
Router is waiting for a response from the
peer.
update_peer
<0~255>
Sets the autotimer for updating IPSec
rules that use a domain name as the
secure gateway IP address. The interval
is in minutes (30 default) and 0 means it
never updates.
Appendix H Command Interpreter 289
Table 73 IPSec commands
Command
Description
chk_input
show_runtime
<0~255>
Adjusts autotimer to check if any inbound
IPsec traffic has passed during the
specified period. If not, the Business
Secure Router disconnects the tunnel.
sa
Displays runtime phase 1 and phase 2
SA information.
spd
When a dynamic rule accepts a request
and a tunnel is established, a runtime
SPD is created according to the peer’s
local IP address. This command displays
these runtime SPDs.
Forces the system to immediately update
IPSec rules that use a domain name as
the secure gateway IP address.
updatePeerIp
display
<rule index>
Displays the specified IPSec rule.
policyDisplay
<rule index>
Displays the specified IPSec rule’s IP
policies.
dial
<rule index>
<policy index>
Triggers the specified phase two
connection.
route
lan
<on|off>
After IPSec processes a packet and
sends it to the LAN side, this switch
controls whether or not IPSec can be
applied to the packet again.
wan
<on|off>
After IPSec processes a packet and
sends it to the WAN side, this switch
controls whether or not IPSec can be
applied to the packet again.
load
Edit an IPSec branch office rule with the
specified rule number.
<rule index>
save
Saves the IPSec branch office rule.
config
Uses these commands to configure the
IPSec rule.
name
<name>
Sets the name of the rule.
active
<Yes|No>
Turns the rule on or off.
negotiationMode
<0:Main |
1:Aggressive>
Sets the negotiation mode.
natTraversal
<Yes|No>
Turns NAT traversal on or off.
p1MultiPro
<Yes|No>
Turns phase 1 multiple proposal on or off.
Nortel Business Secure Router 222 Configuration — Advanced
290 Appendix H Command Interpreter
Table 73 IPSec commands
Command
NN47922-501
Description
lcIdType
<0:IP | 1:DNS |
2:Email>
Sets the local ID type.
lcIdContent
<content>
Sets the local ID content.
myIpAddr
<IP address>
Sets the My IP Address.
peerIdType
<0:IP | 1:DNS |
2:Email>
Sets the peer ID type.
peerIdContent
<content>
Sets the peer ID content.
secureGwAddr
<IP address |
Domain name>
Sets the secure gateway address.
authMethod
<0:PreSharedKey
|1:
RSASignature>
Sets the authentication method.
certificate
<certificate
name>
Specifies the certificate to use for
authentication.
preShareKey
<ASCII | 0xHEX>
Types 8 to 32 case-sensitive ASCII
characters or 16 to 62 hexadecimal (0-9,
A-F) characters (preceded by 0x (zero x),
which is not counted as part of the 16 to
62 characters).
p1EncryAlgo
<0:DES | 1:3DES
| 2:AES>
Sets the phase 1 encryption algorithm.
p1AuthAlgo
<0:MD5 |
1:SHA1>
Sets the phase 1 authentication
algorithm.
p1SaLifeTime
<seconds>
Sets the phase 1 SA lifetime.
keyGroup
<0:DH1 | 1:DH2>
Sets the key group for phase 1 IKE setup.
nailUp
<Yes|No>
Turns nailed up feature on or off.
activeProtocol
<0:AH | 1:ESP>
Sets the protocol.
p2MultiPro
<Yes|No>
Turns phase 2 multiple proposal on or off.
p2EncryAlgo
<0:Null | 1:DES
| 2:3DES |
3:AES>
Sets the phase 2 encryption algorithm.
p2EncryKeyLen
<0:128 | 1:192
| 2:256>
Sets the phase 2 encryption key length
(with AES encryption).
p2AuthAlgo
<0:MD5 |
1:SHA1>
Sets the phase 2 authentication
algorithm.
p2SaLifeTime
<seconds>
Sets the phase 2 SA lifetime.
Appendix H Command Interpreter 291
Table 73 IPSec commands
Command
ikeList
Description
encap
<0:Tunnel |
1:Transport>
Sets the encapsulation mode.
pfs
<0:None | 1:DH1
| 2:DH2>
Sets Perfect Forward Secrecy.
antiReplay
<Yes | No>
Turns replay detection on or off.
connType
<0:Branch
Office |
1:Contivity
Client>
Specifies whether the rule is for a branch
office or Contivity Client VPN connection.
authOptions
<0:Username
Password |
1:Group ID &
Password
Sets the Business Secure Router to
either send just the username and
password to the remote Contivity VPN
switch, or a group ID and password as
well.
onDemand
<on | off>
Sets whether or not outgoing packets can
automatically trigger a VPN connection to
the remote Contivity VPN switch.
ODService
[netbios] [ntp]
[none]...
Sets which specific services can
automatically trigger a VPN connection to
the remote Contivity VPN switch.
groupID
<group ID>
Sets the Contivity Client tunnel’s user’s
group ID.
groupPasswd
<group
password>
Sets the Contivity Client tunnel’s user’s
group password.
username
<name>
Sets the Contivity Client tunnel’s user’s
username.
password
<password>
Sets the Contivity Client tunnel’s user’s
password.
exUseMode
[enable|disable
]
Turns the exclusive use mode for the
Contivity Client tunnel on or off.
exUseMac
[MAC address]
Specifies which MAC address is allowed
to use the Contivity Client tunnel with
exclusive use mode.
clientFailOver
<IP address>
<IP address>
<IP address>
Sets the Contivity Client fail over IP
addresses (of back up remote Contivity
VPN switches).
keepAlive
<Yes|No>
Turns the Keep Alive feature on or off.
Displays a summary of the IKE (phase 1)
rules.
Nortel Business Secure Router 222 Configuration — Advanced
292 Appendix H Command Interpreter
Table 73 IPSec commands
Command
Description
ikeDelete
<rule index>
Deletes the specified IPSec rule.
policyEdit
<rule index>
Edits the specified IP policy.
policySave
Saves the IP policy.
ipsecList
Displays a summary of the IPSec (phase
2) rules.
policyList
Displays the IP policies.
policyDelete
Deletes the specified IP policy.
<rule index>
Uses these commands to configure an IP
policy for an IPSec office tunnel rule.
policyConfig
NN47922-501
saIndex
<rule index>
Binds the IP policy to an IPSec rule.
active
<Yes|No>
Turns the IP policy on or off.
lcAddrStart
<IP>
Sets the local starting IP address.
protocol
<1:ICMP | 6:TCP
| 17:UDP>
Sets the IP policy’s protocol.
controlPing
<Yes|No>
Turns control ping on or off.
controlPingAddr
<IP>
Sets the control ping IP address.
lcAddrType
<0:single |
1:range |
2:subnet>
Sets the local address type.
lcAddrEndMask
<IP>
Sets the local ending IP address or
subnet mask.
lcPortStart
<port>
Sets the local starting port number.
lcPortEnd
<port>
Sets the local ending port number.
rmAddrType
<0:single |
1:range |
2:subnet>
Sets the remote address type.
rmAddrStart
<IP>
Sets the remote starting IP address.
rmAddrEndMask
<IP>
Sets the remote ending IP address or
subnet mask.
rmPortStart
<port>
Sets the remote starting port number.
rmPortEnd
<port>
Sets the remote ending port number.
btNatActive
<Yes | No>
Turns branch tunnel NAT address
mapping on or off.
Appendix H Command Interpreter 293
Table 73 IPSec commands
Command
Description
btNatType
<0:single |
1:range |
2:all>
Sets the type of NAT address mapping.
btNatAddrStart
<IP address>
Sets the branch tunnel NAT starting IP
address.
btNatArEnd
<IP address>
Sets the branch tunnel NAT ending IP
address or subnet mask.
swSkipOverlapIP
<on|off>
Turn this option on to have the device
allow rules with overlapping source and
destination IP addresses.
adjTcpMss
<off|auto|user
defined value>
Sets the adjust TCP Maximum Segment
Size.
contivityDial
Initiates the Contivity Client VPN
connection.
contivityDrop
Ends the Contivity Client VPN
connection.
contivityState
Displays information about the Contivity
Client VPN connection.
contivitySplit
contivityTimecnt
Sets the Contivity Client keep-alive
interval (in seconds).
<0~65535>
Uses the exemptHost commands to
configure specific IP addresses that are
not to be part of a VPN tunnel.
exemptHost
display
Displays the exempt host settings.
load <index>
Loads an exempt host.
active <Yes|No>
Enables or disables an exempt host.
sourceStart
Sets the exempt host’s source start IP
address.
sourceEnd
Sets the exempt host’s source end IP
address.
destStart
<IP address>
Sets the exempt host’s destination start
IP address.
destEnd
<IP address>
Sets the exempt host’s destination end IP
address.
save
btNatList
Saves an exempt host.
Displays the branch tunnel NAT entries.
Nortel Business Secure Router 222 Configuration — Advanced
294 Appendix H Command Interpreter
Table 73 IPSec commands
Command
Description
clientTerm
Loads client termination configuration
from ROM to working buffer, you must
execute this command before configuring
client termination.
load
active
<yes | no>
Enables or disables client termination.
display
[user | cfg]
Displays configuration and/or remote
user logon status of client termination,
unless a parameter is specified, displays
all.
Saves any client termination
configuration changes to ROM.
save
local <on |
off>
Enables or disables Local User Database
authentication method.
local psk <on |
off>
Enables or disables the Pre-Shared Key
authentication method for the Local User
Database.
radius <on |
off>
Enables or disables the RADIUS Server
authentication method.
radius groupId
Configures Group ID fields for RADIUS
Server authentication method.
radius groupPwd
Configures Group Password fields for
RADIUS Server authentication method.
radius psk <on
| off>
Enables or disables Pre-Shared Key
authentication type for RADIUS Server.
encr
<128AES_SHA1 |
3DES_SHA1 |
3DES_MD5 |
DES_SHA1 |
DES_MD5 |
AH_SHA1 |
AH_MD5> <on |
off>
Enables or disables the specified
encryption algorithm.
DHG
<DES_DH1 |
3DES_DH2 |
128AES_DH5 >
<on | off>
Enables or disables the specified
Diffie-Hellman encryption level.
aci
static <on |
off>
Enables or disables the Use Static
Address option.
auth
NN47922-501
Appendix H Command Interpreter 295
Table 73 IPSec commands
Command
Description
ipPool
natt
ipPool <index>
Select which IP pool, index is based on 1,
and inactive IP pool cannot be selected.
load <index>
Before you configure an IP pool for client
termination, you must load the specified
IP pool. Currently 3 IP pools are
supported, so the valid index is: 1~3
save
After changing the IP pool configuration,
use the save command to save the
modification to the ROM.
active
Enables or disables the loaded IP pool.
poolName
Sets the IP pool’s name.
startAddr
Sets the IP pool’s starting IP address.
subnet
Sets the IP pool’s subnet.
size
Sets the number of IP addresses in the IP
pool.
status
Displays the current runtime IP pool
status of Client Termination.
active <yes |
no>
Enables or disables NAT Traversal.
portSwitch
<enable |
disable>
Enables or disables Client IKE Source
Port Switching.
portNum
Sets the NAT Traversal UDP port, valid
UDP port: 1025 ~ 65535.
failover
<1 | 2 | 3> <IP> Sets the client failover IP address.
keepalive
active <yes |
no>
Enables or disables client failover tuning
(keep-alive).
interval
<hh:mm:ss>
Sets the keep-alive interval, valid interval
00:00:10 ~ 23:59:59.
maxRetrans
Sets the keep-alive max retransmissions,
valid range 0~255
pfs
<enable |
disable>
Enables or disables Perfect Forward
Secrecy.
idleTo
<hh:mm:ss>
Sets the Idle Timeout, the valid value is:
00:00:00~23:59:59, 00:00:00 means no
idle timeout.
aicp
<on | off>
Enable or disables Accept Initial Contact
Payload.
Nortel Business Secure Router 222 Configuration — Advanced
296 Appendix H Command Interpreter
Table 73 IPSec commands
Command
Description
rekeyTo
NN47922-501
<hh:mm:ss>
Sets the lifetime of a single key used for
data encryption.
rekeyDc
Sets how much data you expect to
transmit via the tunnel with a single key. A
setting of 0 kb disables the Rekey Data
Count, rekey data count must be more
than 5.
domain
Sets the domain name for client
termination.
dns
<primary |
secondary> <IP>
Sets primary or secondary DNS server IP
addresses to be assigned to remote
users.
wins
<primary |
secondary> <IP>
Sets primary or secondary WINS server
IP addresses to be assigned to remote
users.
banner
<on | off>
[banner text]
Sets whether or not the banner appears
when a remote user logs on to the
gateway. Also sets the banner text if
specified (up to 256 characters).
password
clientStorage
<on | off>
Sets whether or not the Contivity VPN
clients can save their logon passwords
instead of always having to manually
enter them.
manage <on |
off>
Enables or disables the password
management facilities, including
maximum password age, minimum
password length, and allow
alpha-numeric passwords only.
anpr <on | off>
Enables or disables the requirement of a
alpha-numeric password.
age <days>
Sets the maximum password age after
which the login password expires, valid
value: 0~180 days, and 0 means no
expiration.
minLen
Sets the minimum password length.
Appendix H Command Interpreter 297
Sys firewall commands
Table 74 lists and describes the system firewall commands. Each of these
commands must be preceded by sys firewall. For example, type sys
firewall active yes to turn on the firewall.
Table 74 Sys firewall commands
Command
Description
acl
active
disp
Displays ACLs or a specific ACL set # and rule #.
<yes|no>
Activates or deactivates firewall
Enables or disables the firewall.
disp
Displays the firewall log type and count.
clear
Clears the firewall log count.
display
Displays the firewall’s dynamic rules.
rst
Turns TCP reset sending on or off.
rst113
Turns TCP reset sending for port 113 on or off.
display
Displays the TCP reset sending settings.
smtp
Enables or disables the SMTP DoS defender.
display
Displays the SMTP DoS defender setting.
ignore
Sets if the firewall ignores DoS attacks on the LAN or WAN.
dos
Sets if the firewall ignores DoS attacks on the LAN or WAN.
logBroadcast
Displays the status of the broadcast log.
triangle
Sets if the firewall ignores triangle route packets on the LAN or WAN.
cnt
dynamicrule
tcprst
dos
ignore
Nortel Business Secure Router 222 Configuration — Advanced
298 Appendix H Command Interpreter
Bandwidth management commands
Table 75 lists and describes the bandwidth management commands. Each of these
commands must be preceded by bm. For example, type bm show lan to display
the LAN port’s bandwidth management settings.
Table 75 Bandwidth management commands
Command
interface
Description
lan
enable
<bandwidth
xxx>
Enables bandwidth
management (BWM) for traffic
going out the LAN interface.
You can also specify the b/s of
bandwidth.
<wrr|prr>
Sets the queueing mechanism
to fairness-based (WRR) or
priority-based (PRR).
<efficient>
Turns on the work-conserving
feature.
Disables bandwidth
management for traffic going
out the LAN interface.
disable
wan
enable
<bandwidth
xxx>
Enables bandwidth
management for traffic going
out the WAN interface. You
can also specify the b/s of
bandwidth.
<wrr|prr>
Sets the queueing mechanism
to fairness-based (WRR) or
priority-based (PRR).
<efficient>
Turns on the work-conserving
feature.
Disables bandwidth
management for traffic going
out the WAN interface.
disable
class
lan
NN47922-501
add #
bandwidth xxx
<name xxx>
Adds a class with bandwidth
xxx b/s in LAN. The name is
for your information.
<priority
x>
Sets the class priority. The
range is between 0 (the
lowest) to 7 (the highest).
Appendix H Command Interpreter 299
Table 75 Bandwidth management commands
Command
Description
<borrow
on|off>
Deletes the class # and its
filter and all its children
classes and their filters in LAN.
del #
mod #
wan
add #
<bandwidth
xxx>
Modifies the parameters of the
class in the LAN. A bandwidth
value is optional.
<name xxx>
Sets the class name.
<priority x>
Sets the class priority. The
range is between 0 (the
lowest) to 7 (the highest). The
priority is unchanged if you do
not set a new value.
<borrow
on|off>
The class can borrow
bandwidth from its parent
class when borrowing is
turned on, and vice versa.
bandwidth xxx
<name xxx>
Adds a class with bandwidth
xxx b/s in WAN. The name is
for your information.
<priority
x>
Sets the class priority. The
range is between 0 (the
lowest) to 7 (the highest).
<borrow
on|off>
The class can borrow
bandwidth from its parent
class when borrowing is
turned on, and vice versa.
Deletes the class # and its
filter and all its children class
and their filters in WAN.
del #
mod #
The class can borrow
bandwidth from its parent
class when borrowing is
turned on, and vice versa.
<bandwidth
xxx>
Modifies the parameters of the
class in the WAN. A bandwidth
value is optional.
<name xxx>
Sets the class name.
<priority x>
Sets the class priority. The
range is between 0 (the
lowest) to 7 (the highest).
Nortel Business Secure Router 222 Configuration — Advanced
300 Appendix H Command Interpreter
Table 75 Bandwidth management commands
Command
filter
Description
lan
add #
<borrow
on|off>
The class can borrow
bandwidth from its parent
class when borrowing is
turned on, and vice versa.
Daddr <mask
Dmask> Dport
Saddr <mask
Smask> Sport
protocol
Adds a filter for class # in LAN.
The filter contains destination
address (netmask),
destination port, source
address (netmask), source
port and protocol. Use 0 for
items that you do not want the
filter to include.
Deletes the LAN filter that
belongs to the specified LAN
class.
del #
wan
show
interface
class
filter
statistics
NN47922-501
add #
Daddr <mask
Dmask> Dport
Saddr <mask
Smask> Sport
protocol
Adds a filter for class # in
WAN. The filter contains
destination address
(netmask), destination port,
source address (netmask),
source port and protocol. Use
0 for items that you do not
want the filter to include.
del #
Deletes the LAN filter that
belongs to the specified WAN
class.
lan
Displays the LAN interface
settings.
wan
Displays the WAN interface
settings.
lan
Displays the LAN classes.
wan
Displays the WAN classes.
lan
Displays the LAN filter
settings.
wan
Displays the WAN filter
settings.
lan
Displays the statistics of the
LAN classes.
wan
Displays the statistics of the
LAN classes.
Appendix H Command Interpreter 301
Table 75 Bandwidth management commands
Command
Description
lan
<#>
Displays the bandwidth usage
of the specified LAN class (or
all of the LAN classes if you do
not specify one). The first time
you use the command turns it
on; the second time turns it off,
and so on.
wan
<#>
Displays the bandwidth usage
of the specified WAN class (or
all of the WAN classes if you
do not specify one). The first
time you use the command
turns it on; the second time
turns it off, and so on.
moveFilter
<
channName>
<from>
config
save
Saves the BWM configuration.
load
Loads the BWM configuration.
clear
Clears the BWM configuration.
monitor
Changes the filter order.
<channName>: LAN, WAN
<from>: filter index number
<to>: filter index number
<to>
Certificates commands
Table 76 describes the certificate commands. Each of these commands must be
preceded by certificates (or cert for short). For example, type cert
my_cert list to display all of your certificate names and basic information.
All of these commands start with certificates.
Table 76 Certificates commands
Command
Description
my_cert
create
Nortel Business Secure Router 222 Configuration — Advanced
302 Appendix H Command Interpreter
Table 76 Certificates commands
Command
NN47922-501
Description
create
selfsigned
<name>
<subject>
[key size]
Creates a self-signed local host certificate.
<name> specifies a descriptive name for the
generated certificate.
<subject> specifies a subject name (required) and
alternative name (required). The format is
“subject-name-dn;{ip,dns,email}=value". If the name
contains spaces, put it in quotes.
[key size] specifies the key size. It has to be an
integer from 512 to 2 048. The default is 1 024 bits.
create
request
<name>
<subject>
[key size]
Creates a certificate request and saves it to the
router for later manual enrollment.
<name> specifies a descriptive name for the
generated certification request.
<subject> specifies a subject name (required) and
alternative name (required). The format is
"subject-name-dn;{ip,dns,email}=value". If the name
contains spaces, put it in quotes.
[key size] specifies the key size. It has to be an
integer from 512 to 2 048. The default is 1 024 bits.
create
scep_enroll
<name> <CA
addr> <CA
cert> <auth
key>
<subject>
[key size]
Creates a certificate request and enrolls for a
certificate immediately online using SCEP protocol.
<name> specifies a descriptive name for the enrolled
certificate.
<CA addr> specifies the CA server address.
<CA cert> specifies the name of the CA certificate.
<auth key> specifies the key used for user
authentication. If the key contains spaces, put it in
quotes. To leave it blank, type "".
<subject> specifies a subject name (required) and
alternative name (required). The format is
"subject-name-dn;{ip,dns,email}=value". If the name
contains spaces, put it in quotes.
[key size] specifies the key size. It has to be an
integer from 512 to 2 048. The default is 1 024 bits.
Appendix H Command Interpreter 303
Table 76 Certificates commands
Command
Description
create
cmp_enroll
<name> <CA
addr> <CA
cert> <auth
key>
<subject>
[key size]
Creates a certificate request and enrolls for a
certificate immediately online using CMP protocol.
<name> specifies a descriptive name for the enrolled
certificate.
<CA addr> specifies the CA server address.
<CA cert> specifies the name of the CA certificate.
<auth key> specifies the id and key used for user
authentication. The format is "id:key". To leave the id
and key blank, type ":".
<subject> specifies a subject name (required) and
alternative name (required). The format is
"subject-name-dn;{ip,dns,email}=value". If the name
contains spaces, put it in quotes.
[key size] specifies the key size. It has to be an
integer from 512 to 2 048. The default is 1 024 bits.
import
[name]
Imports the PEM-encoded certificate from stdin.
[name] specifies the descriptive name (optional) the
imported certificate is saved as. For my certificate
importation to be successful, a certification request
corresponding to the imported certificate must
already exist on Business Secure Router. After the
importation, the certification request is automatically
deleted. If a descriptive name is not specified for the
imported certificate, the certificate adopts the
descriptive name of the certification request.
export
<name>
Exports the PEM-encoded certificate to stdout for
theuser to copy and paste.
<name> specifies the name of the certificate to be
exported.
view
<name>
Views the information of the specified local host
certificate.
<name> specifies the name of the certificate to be
viewed.
verify
<name>
[timeout]
Verifies the certification path of the specified local
host certificate.
<name> specifies the name of the certificate to be
verified.
[timeout] specifies the timeout value in seconds
(optional). The default timeout value is 20 seconds.
delete
<name>
Deletes the specified local host certificate.
<name> specifies the name of the certificate to be
deleted.
list
Lists all my certificate names and basic information.
Nortel Business Secure Router 222 Configuration — Advanced
304 Appendix H Command Interpreter
Table 76 Certificates commands
Command
Description
rename
<old name>
<new name>
Renames the specified certificate.
<old name> specifies the name of the certificate to
be renamed.
<new name> specifies the new name the certificate
is saved as.
def_self_sign
ed
[name]
Sets the specified self-signed certificate as the
default self-signed certificate.
[name] specifies the name of the certificate to be set
as the default self-signed certificate. If [name] is not
specified, the name of the current self-signed
certificate is displayed.
Creates a certificate using your device MAC address
that is specific to this device. The factory default
certificate is a common default certificate for all
Business Secure Router models.
replace_facto
ry
ca_trusted
import
<name>
Imports the PEM-encoded certificate from stdin.
<name> specifies the name the imported CA
certificate is saved as.
export
<name>
Exports the PEM-encoded certificate to stdout for the
user to copy and paste.
<name> specifies the name of the certificate to be
exported.
view
<name>
Views the information of the specified trusted CA
certificate.
<name> specifies the name of the certificate to be
viewed.
verify
<name>
[timeout]
Verifies the certification path of the specified trusted
CA certificate.
<name> specifies the name of the certificate to be
verified.
[timeout] specifies the timeout value in seconds
(optional). The default timeout value is 20 seconds.
delete
<name>
Deletes the specified trusted CA certificate.
<name> specifies the name of the certificate to be
deleted.
Lists all trusted CA certificate names and basic
information.
list
rename
NN47922-501
<old name>
<new name>
Renames the specified trusted CA certificate.
<old name> specifies the name of the certificate to
be renamed.
<new name> specifies the new name the certificate
is saved as.
Appendix H Command Interpreter 305
Table 76 Certificates commands
Command
Description
crl_issuer
<name>
[on|off]
Specifies whether or not the specified CA issues
CRL.
<name> specifies the name of the CA certificate.
[on|off] specifies whether or not the CA issues CRL.
If [on|off] is not specified, the current crl_issuer status
of the CA is used.
import
<name>
Imports the PEM-encoded certificate from stdin.
<name> specifies the name the imported remote
host certificate is saved as.
export
<name>
Exports the PEM-encoded certificate to stdout for the
user to copy and paste.
<name> specifies the name of the certificate to be
exported.
view
<name>
Views the information of the specified trusted remote
host certificate.
<name> specifies the name of the certificate to be
viewed.
verify
<name>
[timeout]
Verifies the certification path of the specified trusted
remote host certificate.
<name> specifies the name of the certificate to be
verified.
[timeout] specifies the timeout value in seconds
(optional). The default timeout value is 20 seconds.
delete
<name>
Deletes the specified trusted remote host certificate.
<name> specifies the name of the certificate to be
deleted.
remote_trusted
Lists all trusted remote host certificate names and
basic information.
list
rename
<old name>
<new name>
Renames the specified trusted remote host
certificate.
<old name> specifies the name of the certificate to
be renamed.
<new name> specifies the new name the certificate
is saved as.
dir_server
Nortel Business Secure Router 222 Configuration — Advanced
306 Appendix H Command Interpreter
Table 76 Certificates commands
Command
Description
add
<name>
<addr[:port]>
[login:pswd]
Adds a new directory service.
<name> specifies a descriptive name for the
directory server.
<addr[:port]> specifies the server address (required)
and port (optional). The format is
"server-address[:port]". The default port is 389.
[login:pswd] specifies the logon name and password,
if required. The format is "[login:password]".
delete
<name>
Deletes the specified directory service.
<name> specifies the name of the directory server to
be deleted.
view
<name>
Views the specified directory service.
<name> specifies the name of the directory server to
be viewed.
Lists all directory service names and basic
information.
list
NN47922-501
rename
<old name>
<new name>
Renames the specified directory service.
<old name> specifies the name of the directory
server to be renamed.
<new name> specifies the new name the directory
server is saved as.
edit
<name>
<addr[:port]>
[login:pswd]
Edits the specified directory service.
<name> specifies the name of the directory server to
be edited.
<addr[:port]> specifies the server address (required)
and port (optional). The format is
"server-address[:port]". The default port is 389.
[login:pswd] specifies the logon name and password,
if required. The format is "[login:password]".
Appendix H Command Interpreter 307
IEEE 802.1X commands
Table 77 lists and describes the IEEE 802.1x commands. Each of these commands
must be preceded by 8021x. For example, type 8021x debug level 1 to set
the IEEE 802.1X debug messages to the first level.
Table 77 IEEE 802.1X commands
Command
Description
debug
level <level>
Sets the IEEE 802.1x debug message level
trace
Displays all supplicants information in the supplicant table.
user <user>
Displays all supplicants information related to the username.
RADIUS commands
Table 78 lists and describes the RADIUS commands. Each of these commands
must be preceded by radius. For example, type radius auth to display the
authentication server settings.
Table 78 RADIUS commands
Command
Description
auth
Displays the current RADIUS authentication server configuration.
acct
Displays the current RADIUS accounting server configuration.
checkRadID
Checks the RADIUS ID pool.
debug
Enables radius debug messages.
Nortel Business Secure Router 222 Configuration — Advanced
308 Appendix H Command Interpreter
NN47922-501
309
Appendix I
NetBIOS filter commands
The following describes the NetBIOS packet filter commands.
Introduction
NetBIOS (Network Basic Input/Output System) are TCP or UDP packets that
enable a computer to connect to and communicate with a LAN.
For some dial-up services, such as PPPoE or PPTP, NetBIOS packets cause
unwanted calls.
You can configure NetBIOS filters to do the following:
•
•
•
Allow or disallow the sending of NetBIOS packets from the LAN to the
WAN and from the WAN to the LAN.
Allow or disallow the sending of NetBIOS packets through VPN connections.
Allow or disallow NetBIOS packets to initiate calls.
Nortel Business Secure Router 222 Configuration — Advanced
310 Appendix I NetBIOS filter commands
Display NetBIOS filter settings
Figure 163 NetBIOS Display Filter Settings Command Example
============== NetBIOS Filter Status ===============
Between LAN and WAN: Block
IPSec Packets: Forward
Trigger Dial: Disabled
Syntax:
sys filter netbios disp
This command gives a read-only list of the current NetBIOS filter modes.
The filter types and their default settings are as follows:
Table 79 NetBIOS filter default settings
Name
Description
Example
Between LAN and
WAN
This field displays whether NetBIOS packets are
blocked or forwarded from the LAN to the WAN or
from the WAN to the LAN.
Forward
IPSec Packets
This field displays whether NetBIOS packets sent
through a VPN connection are blocked or
forwarded.
Forward
Trigger dial
This field displays whether NetBIOS packets are
allowed to initiate calls. Disabled means that
NetBIOS packets are blocked from initiating calls.
Disabled
NetBIOS filter configuration
Syntax:
sys filter netbios config <type> <on|off>
where
<type> identifies which NetBIOS filter (numbered 0-3) to configure.
NN47922-501
Appendix I NetBIOS filter commands 311
•
•
•
0 = LAN to WAN and WAN to LAN
3 = IPSec packet pass through
4 = Trigger Dial
<on|off> is a switch to enable or disable the filter.
•
•
•
For type 0, use on to enable the filter and block NetBIOS packets. Use off
to disable the filter and forward NetBIOS packets.
For type 3, use on to block NetBIOS packets from being sent through a
VPN connection. Use off to allow NetBIOS packets to be sent through a
VPN connection.
For type 4, use on to allow NetBIOS packets to initiate dial backup calls.
Use off to block NetBIOS packets from initiating dial backup calls.
Example commands
Command:
sys filter netbios config 0 on
This command blocks LAN to WAN and WAN to LAN NetBIOS packets
Command:
sys filter netbios config 1 off
This command forwards WAN to LAN and WAN to LAN NetBIOS packets
Command:
sys filter netbios config 3 on
This command blocks IPSec NetBIOS packets
Command:
sys filter netbios config 4 off
This command stops NetBIOS commands from initiating calls.
Nortel Business Secure Router 222 Configuration — Advanced
312 Appendix I NetBIOS filter commands
NN47922-501
313
Appendix J
Boot Commands
The BootModule AT commands execute from within the router’s bootup
software, when debug mode is selected before the main router firmware is started.
After you start up your Business Secure Router, you are given a choice to go into
debug mode by pressing a key at the prompt shown in screen shown in
Figure 164. In debug mode you have access to a series of boot module commands,
for example ATUR (for uploading firmware) and ATLC (for uploading the
configuration file). These are already discussed in Chapter 15, “Firmware and
configuration file maintenance” on page 179.
Figure 164 Option to Enter Debug Mode
Bootbase Version: V1.02 | 08/08/2001 15:40:50
RAM: Size = 16384 Kbytes
DRAM Post: Testing:
16384K OK
FLASH: Intel 16M
RAS Version: V3.50(WB.0)b3 | 08/08/2001 16:21:27
Press any key to enter debug mode within 3 seconds.
.................................................
Enter ATHE to view all available Business Secure Router boot module
commands, as shown in Figure 165. With ATBAx, you can change the console
port speed. The x denotes the number preceding the colon to give the console port
speed following the colon in the list of numbers that follows; for example ATBA3
will give a console port speed of 9.6 Kb/s. ATSE displays the seed that is used to
generate a password to turn on the debug flag in the firmware. The ATSH
Nortel Business Secure Router 222 Configuration — Advanced
314 Appendix J Boot Commands
command shows product related information such as boot module version, vendor
name, product model, RAS code revision, and more. With ATGO, you can
continue booting the system. Most other commands aid in advanced
troubleshooting and must only be used by qualified engineers.
Figure 165 Boot Module Commands
AT
just answer OK
ATHE
print help
ATBAx
change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
ATENx,(y)
set BootExtension Debug Flag (y=password)
ATSE
show the seed of password generator
ATTI(h,m,s)
change system time to hour:min:sec or show current time
ATDA(y,m,d)
change system date to year/month/day or show current date
ATDS
dump RAS stack
ATDT
dump Boot Module Common Area
ATDUx,y
dump memory contents from address x for length y
ATRBx
display the
ATRWx
display the 16-bit value of address x
ATRLx
display the 32-bit value of address x
ATGO(x)
run program at addr x or boot router
ATGR
boot router
ATGT
run Hardware Test Program
8-bit value of address x
ATRTw,x,y(,z) RAM test level w, from address x to y (z iterations)
ATSH
dump manufacturer related data in ROM
ATDOx,y
download from address x for length y to PC via XMODEM
ATTD
download router configuration to PC via XMODEM
ATUR
upload router firmware to flash ROM
ATLC
upload router configuration file to flash ROM
ATXSx
xmodem select: x=0: CRC mode(default); x=1: checksum mode
ATSR
system reboot
NN47922-501
315
Appendix K
Log descriptions
This appendix provides descriptions of log messages.
Table 80 System error logs
Log Message
Description
%s exceeds the max. number of
session per host!
This attempt to create a SUA/NAT session exceeds
the maximum number of SUA/NAT session table
entries allowed to be created per host.
Table 81 System maintenance logs
Log Message
Description
Time calibration is successful The router has adjusted its time based on
information from the time server.
Time calibration failed
The router failed to get information from the time
server.
DHCP client gets %s
A DHCP client got a new IP address from the DHCP
server.
DHCP client IP expired
A DHCP client's IP address has expired.
DHCP server assigns %s
The DHCP server assigned an IP address to a
client.
SMT Login Successfully
Someone has logged on to the router's SMT
interface.
SMT Login Fail
Someone has failed to log on to the router's SMT
interface.
WEB Login Successfully
Someone has logged on to the router's WebGUI
interface.
WEB Login Fail
Someone has failed to log on to the router's
WebGUI interface.
TELNET Login Successfully
Someone has logged on to the router via Telnet.
Nortel Business Secure Router 222 Configuration — Advanced
316 Appendix K Log descriptions
Table 81 System maintenance logs
Log Message
Description
TELNET Login Fail
Someone has failed to log on to the router via
Telnet.
FTP Login Successfully
Someone has logged on to the router via FTP.
FTP Login Fail
Someone has failed to log on to the router via FTP.
NAT Session Table is Full!
The maximum number of SUA/NAT session table
entries has been exceeded and the table is full.
Table 82 UPnP logs
Log Message
Description
UPnP pass through Firewall
UPnP packets can pass through the firewall.
Table 83 Content filtering logs
NN47922-501
Category
Log Message
Description
URLFOR
IP/Domain Name
The Business Secure Router allows
access to this IP address or domain
name and forwards traffic to the IP
address or domain name.
URLBLK
IP/Domain Name
The Business Secure Router blocked
access to this IP address or domain
name due to a forbidden keyword. All
web traffic is disabled except for trusted
domains, untrusted domains, or the
cybernot list.
JAVBLK
IP/Domain Name
The Business Secure Router blocked
access to this IP address or domain
name because of a forbidden service,
such as: ActiveX, a Java applet, a
cookie, or a proxy.
Appendix K Log descriptions 317
Table 84 Attack logs
Log Message
Description
attack TCP
The firewall detected a TCP attack.
attack UDP
The firewall detected an UDP attack.
attack IGMP
The firewall detected an IGMP attack.
attack ESP
The firewall detected an ESP attack.
attack GRE
The firewall detected a GRE attack.
attack OSPF
The firewall detected an OSPF attack.
attack ICMP (type:%d,
code:%d)
The firewall detected an ICMP attack; see the section on
ICMP messages for type and code details.
land TCP
The firewall detected a TCP land attack.
land UDP
The firewall detected an UDP land attack.
land IGMP
The firewall detected an IGMP land attack.
land ESP
The firewall detected an ESP land attack.
land GRE
The firewall detected a GRE land attack.
land OSPF
The firewall detected an OSPF land attack.
land ICMP (type:%d,
code:%d)
The firewall detected an ICMP land attack; see the section
on ICMP messages for type and code details.
ip spoofing - WAN TCP
The firewall detected a TCP IP spoofing attack on the
WAN port.
ip spoofing - WAN UDP
The firewall detected an UDP IP spoofing attack on the
WAN port.
ip spoofing - WAN IGMP
The firewall detected an IGMP IP spoofing attack on the
WAN port.
ip spoofing - WAN ESP
The firewall detected an ESP IP spoofing attack on the
WAN port.
ip spoofing - WAN GRE
The firewall detected a GRE IP spoofing attack on the
WAN port.
ip spoofing - WAN OSPF
The firewall detected an OSPF IP spoofing attack on the
WAN port.
ip spoofing - WAN ICMP
(type:%d, code:%d)
The firewall detected an ICMP IP spoofing attack on the
WAN port.
icmp echo ICMP (type:%d,
code:%d)
The firewall detected an ICMP echo attack.
syn flood TCP
The firewall detected a TCP syn flood attack.
ports scan TCP
The firewall detected a TCP port scan attack.
Nortel Business Secure Router 222 Configuration — Advanced
318 Appendix K Log descriptions
Table 84 Attack logs
Log Message
Description
teardrop TCP
The firewall detected a TCP teardrop attack.
teardrop UDP
The firewall detected an UDP teardrop attack.
teardrop ICMP (type:%d,
code:%d)
The firewall detected an ICMP teardrop attack.
illegal command TCP
The firewall detected a TCP illegal command attack.
NetBIOS TCP
The firewall detected a TCP NetBIOS attack.
ip spoofing - no routing
entry TCP
The firewall detected a TCP IP spoofing attack while the
Business Secure Router did not have a default route.
ip spoofing - no routing
entry UDP
The firewall detected an UDP IP spoofing attack while the
Business Secure Router did not have a default route.
ip spoofing - no routing
entry IGMP
The firewall detected an IGMP IP spoofing attack while the
Business Secure Router did not have a default route.
ip spoofing - no routing
entry ESP
The firewall detected an ESP IP spoofing attack while the
Business Secure Router did not have a default route.
ip spoofing - no routing
entry GRE
The firewall detected a GRE IP spoofing attack while the
Business Secure Router did not have a default route.
ip spoofing - no routing
entry OSPF
The firewall detected an OSPF IP spoofing attack while the
Business Secure Router did not have a default route.
ip spoofing - no routing
entry ICMP (type:%d,
code:%d)
The firewall detected an ICMP IP spoofing attack while the
Business Secure Router did not have a default route.
vulnerability ICMP
(type:%d, code:%d)
The firewall detected an ICMP vulnerability attack.
traceroute ICMP
(type:%d, code:%d)
The firewall detected an ICMP traceroute attack.
See Table 87 for type and code details.
NN47922-501
Appendix K Log descriptions 319
Table 85 Access logs
Log Message
Description
Firewall default
policy: TCP (set:%d)
TCP access matched the default policy of the listed ACL
set and the Business Secure Router blocked or forwarded
it according to the ACL set’s configuration.
Firewall default
policy: UDP (set:%d)
UDP access matched the default policy of the listed ACL
set and the Business Secure Router blocked or forwarded
it according to the ACL set’s configuration.
Firewall default
policy: ICMP (set:%d,
type:%d, code:%d)
ICMP access matched the default policy of the listed ACL
set and the Business Secure Router blocked or forwarded
it according to the ACL set’s configuration.
Firewall default
policy: IGMP (set:%d)
IGMP access matched the default policy of the listed ACL
set and the Business Secure Router blocked or forwarded
it according to the ACL set’s configuration.
Firewall default
policy: ESP (set:%d)
ESP access matched the default policy of the listed ACL
set and the Business Secure Router blocked or forwarded
it according to the ACL set’s configuration.
Firewall default
policy: GRE (set:%d)
GRE access matched the default policy of the listed ACL
set and the Business Secure Router blocked or forwarded
it according to the ACL set’s configuration.
Firewall default
policy: OSPF (set:%d)
OSPF access matched the default policy of the listed ACL
set and the Business Secure Router blocked or forwarded
it according to the ACL set’s configuration.
Firewall default
policy: (set:%d)
Access matched the default policy of the listed ACL set and
the Business Secure Router blocked or forwarded it
according to the ACL set’s configuration.
Firewall rule match: TCP
(set:%d, rule:%d)
TCP access matched the listed firewall rule and the
Business Secure Router blocked or forwarded it according
to the rule’s configuration.
Firewall rule match: UDP
(set:%d, rule:%d)
UDP access matched the listed firewall rule and the
Business Secure Router blocked or forwarded it according
to the rule’s configuration.
Firewall rule match:
ICMP (set:%d, rule:%d,
type:%d, code:%d)
ICMP access matched the listed firewall rule and the
Business Secure Router blocked or forwarded it according
to the rule’s configuration.
Firewall rule match:
IGMP (set:%d, rule:%d)
IGMP access matched the listed firewall rule and the
Business Secure Router blocked or forwarded it according
to the rule’s configuration.
Firewall rule match: ESP
(set:%d, rule:%d)
ESP access matched the listed firewall rule and the
Business Secure Router blocked or forwarded it according
to the rule’s configuration.
Nortel Business Secure Router 222 Configuration — Advanced
320 Appendix K Log descriptions
Table 85 Access logs
NN47922-501
Log Message
Description
Firewall rule match: GRE
(set:%d, rule:%d)
GRE access matched the listed firewall rule and the
Business Secure Router blocked or forwarded it according
to the rule’s configuration.
Firewall rule match:
OSPF (set:%d, rule:%d)
OSPF access matched the listed a firewall rule and the
Business Secure Router blocked or forwarded it according
to the rule’s configuration.
Firewall rule match:
(set:%d, rule:%d)
Access matched the listed firewall rule and the Business
Secure Router blocked or forwarded it according to the
rule’s configuration.
Firewall rule NOT match:
TCP (set:%d, rule:%d)
TCP access did not match the listed firewall rule and the
Business Secure Router logged it.
Firewall rule NOT match:
UDP (set:%d, rule:%d)
UDP access did not match the listed firewall rule and the
Business Secure Router logged it.
Firewall rule NOT match:
ICMP (set:%d, rule:%d,
type:%d, code:%d)
ICMP access did not match the listed firewall rule and the
Business Secure Router logged it.
Firewall rule NOT match:
IGMP (set:%d, rule:%d)
IGMP access did not match the listed firewall rule and the
Business Secure Router logged it.
Firewall rule NOT match:
ESP (set:%d, rule:%d)
ESP access did not match the listed firewall rule and the
Business Secure Router logged it.
Firewall rule NOT match:
GRE (set:%d, rule:%d)
GRE ac access did not match the listed firewall rule and
the Business Secure Router logged it.
Firewall rule NOT match:
OSPF (set:%d, rule:%d)
OSPF access did not match the listed firewall rule and the
Business Secure Router logged it.
Firewall rule NOT match:
(set:%d, rule:%d)
Access did not match the listed firewall rule and the
Business Secure Router logged it.
Filter default policy
DROP!
IP address or protocol matched a default filter policy and
the Business Secure Router dropped the packet to block
access.
Filter default policy
FORWARD!
IP address or protocol matched a default filter policy.
Access was allowed and the router forwarded the packet.
Filter match DROP <set
%d/rule %d>
IP address or protocol matched the listed filter rule and the
Business Secure Router dropped the packet to block
access.
Filter match FORWARD
<set %d/rule %d>
IP address or protocol matched the listed filter rule. Access
was allowed and the router forwarded the packet.
Appendix K Log descriptions 321
Table 85 Access logs
Log Message
Description
(set:%d)
With firewall messages, this is the number of the ACL
policy set and denotes the packet's direction (see
Table 86).
With filter messages, this is the number of the filter set.
(rule:%d)
With firewall messages, the firewall rule number denotes
the number of a firewall rule within an ACL policy set.With
filter messages, this is the number of an individual filter
rule.
Router sent blocked web
site message
Triangle route packet
forwarded
The firewall allowed a triangle route session to pass
through.
Firewall sent TCP packet
in response to DoS
attack
The firewall detected a DoS attack and sent a TCP packet
in response.
Firewall sent TCP reset
packets
The firewall sent out TCP reset packets.
Packet without a NAT
table entry blocked
The router blocked a packet that did not have a
corresponding SUA/NAT table entry.
Out of order TCP
handshake packet
blocked
The router blocked a TCP handshake packet that came out
of the proper order.
Drop unsupported/
out-of-order ICMP
The Business Secure Router generates this log after it
drops an ICMP packet due to one of the following two
reasons:
1. The Business Secure Router does not support the ICMP
packet's protocol.
2. The ICMP packet is an echo reply for which there was
no corresponding echo request.
Router sent ICMP
response packet
(type:%d, code:%d)
The router sent an ICMP response packet. This packet
automatically bypasses the firewall.
See Table 87 for type and code details.
Nortel Business Secure Router 222 Configuration — Advanced
322 Appendix K Log descriptions
Table 86 ACL setting notes
ACL Set
Number
Direction
Description
1
LAN to WAN
ACL set 1 for packets traveling from the
LAN to the WAN.
2
WAN to LAN
ACL set 2 for packets traveling from the
WAN to the LAN.
7
LAN to LAN/Business Secure
Router
ACL set 7 for packets traveling from the
LAN to the LAN or the Business Secure
Router.
8
WAN to WAN/Business Secure
Router
ACL set 8 for packets traveling from the
WAN to the WAN or the Business
Secure Router.
Table 87 ICMP notes
Type
Code
Echo Reply
0
0
0
Net unreachable
1
Host unreachable
2
Protocol unreachable
3
Port unreachable
4
A packet that needed fragmentation was dropped because it was
set to Don't Fragment (DF)
5
Source route failed
Source Quench
4
0
A gateway can discard internet datagrams if it does not have the
buffer space needed to queue the datagrams for output to the
next network on the route to the destination network.
Redirect
5
NN47922-501
Echo reply message
Destination Unreachable
3
8
Description
0
Redirect datagrams for the Network
1
Redirect datagrams for the Host
2
Redirect datagrams for the Type of Service and Network
3
Redirect datagrams for the Type of Service and Host
Echo
Appendix K Log descriptions 323
Table 87 ICMP notes
Type
Code
Description
0
Echo message
Time Exceeded
11
0
Time to live exceeded in transit
1
Fragment reassembly time exceeded
Parameter Problem
12
0
Pointer indicates the error
Timestamp
13
0
Timestamp request message
Timestamp Reply
14
0
Timestamp reply message
Information Request
15
0
Information request message
Information Reply
16
0
Information reply message
Table 88 Sys log
LOG MESSAGE
DESCRIPTION
Mon dd hr:mm:ss hostname This message is sent by the "RAS" when this syslog is
src="<srcIP:srcPort>"
generated. The messages and notes are defined in this
dst="<dstIP:dstPort>"
appendix’s other charts.
msg="<msg>" note="<note>
VPN/IPSec logs
To view the IPSec and IKE connection log, type 3 in menu 27 and press [ENTER]
to display the IPSec log as shown next. Figure 166 shows a typical log from the
initiator of a VPN connection.
Nortel Business Secure Router 222 Configuration — Advanced
324 Appendix K Log descriptions
Figure 166 Example VPN initiator IPSec log
Index:
Date/Time:
Log:
-----------------------------------------------------------001
01 Jan 08:02:22
Send Main Mode request to <192.168.100.101>
002
01 Jan 08:02:22
Send:<SA>
003
01 Jan 08:02:22
Recv:<SA>
004
01 Jan 08:02:24
Send:<KE><NONCE>
005
01 Jan 08:02:24
Recv:<KE><NONCE>
006
01 Jan 08:02:26
Send:<ID><HASH>
007
01 Jan 08:02:26
Recv:<ID><HASH>
008
01 Jan 08:02:26
Phase 1 IKE SA process done
009
01 Jan 08:02:26
Start Phase 2: Quick Mode
010
01 Jan 08:02:26
Send:<HASH><SA><NONCE><ID><ID>
011
01 Jan 08:02:26
Recv:<HASH><SA><NONCE><ID><ID>
012
01 Jan 08:02:26
Send:<HASH>
Clear IPSec Log (y/n):
NN47922-501
Appendix K Log descriptions 325
VPN responder IPSec log
Figure 167 shows a typical log from the VPN connection peer.
Figure 167 Example VPN responder IPSec log
Index:
Date/Time:
Log:
-----------------------------------------------------------001
01 Jan 08:08:07
Recv Main Mode request from <192.168.100.100>
002
01 Jan 08:08:07
Recv:<SA>
003
01 Jan 08:08:08
Send:<SA>
004
01 Jan 08:08:08
Recv:<KE><NONCE>
005
01 Jan 08:08:10
Send:<KE><NONCE>
006
01 Jan 08:08:10
Recv:<ID><HASH>
007
01 Jan 08:08:10
Send:<ID><HASH>
008
01 Jan 08:08:10
Phase 1 IKE SA process done
009
01 Jan 08:08:10
Recv:<HASH><SA><NONCE><ID><ID>
010
01 Jan 08:08:10
Start Phase 2: Quick Mode
011
01 Jan 08:08:10
Send:<HASH><SA><NONCE><ID><ID>
012
01 Jan 08:08:10
Recv:<HASH>
Clear IPSec Log (y/n):
This menu is useful for troubleshooting. A log index number, the date and time
the log was created, and a log message are displayed.
Note: Double exclamation marks (!!) denote an error or warning
message.
Table 89 shows sample log messages during IKE key exchange.
Note: A PYLD_MALFORMED packet usually means that the two ends
of the VPN tunnel are not using the same pre-shared key.
Nortel Business Secure Router 222 Configuration — Advanced
326 Appendix K Log descriptions
Table 89 Sample IKE key exchange logs
NN47922-501
Log Message
Description
Send <Symbol> Mode request to
<IP>Send <Symbol> Mode
request to <IP>
The Business Secure Router has started negotiation
with the peer.
Recv <Symbol> Mode request
from <IP>Recv <Symbol> Mode
request from <IP>
The Business Secure Router has received an IKE
negotiation request from the peer.
Recv:<Symbol>
IKE uses the ISAKMP protocol (refer to RFC2408 –
ISAKMP) to transmit data. Each ISAKMP packet
contains payloads of different types that show in the
log (see Table 91).
Phase 1 IKE SA process done
Phase 1 negotiation is finished.
Start Phase 2: Quick Mode
Phase 2 negotiation is beginning using Quick Mode.
!! IKE Negotiation is in
process
The Business Secure Router has begun negotiation
with the peer for the connection already, but the IKE
key exchange is not finished yet.
!! Duplicate requests with
the same cookie
The Business Secure Router has received multiple
requests from the same peer but it is still processing
the first IKE packet from that peer.
!! No proposal chosen
The parameters configured for Phase 1 or Phase 2
negotiations do not match. Check all protocols and
settings for these phases. For example, one party is
using 3DES encryption, but the other party is using
DES encryption, so the connection fails.
!! Verifying Local ID
failed!! Verifying Remote ID
failed
During IKE Phase 2 negotiation, both parties
exchange policy details, including local and remote
IP address ranges. If these ranges differ, the
connection fails.
!! Local / remote IPs of
incoming request conflict
with rule <#d>
If the security gateway is 0.0.0.0, the Business
Secure Router uses the peer Local Addr as its
Remote Addr. If this IP (range) conflicts with a
previously configured rule then the connection is not
allowed.
!! Invalid IP <IP start>/<IP
end>
The Local IP Addr range for the peer is invalid.
!! Remote IP <IP start> / <IP
end> conflicts
If the security gateway is 0.0.0.0, the Business
Secure Router uses Local Addr for the peer as its
Remote Addr. If a peer Local Addr range conflicts
with other connections, the Business Secure Router
does not accept VPN connection requests from this
peer.
Appendix K Log descriptions 327
Table 89 Sample IKE key exchange logs
Log Message
Description
!! Active connection allowed
exceeded
The Business Secure Router limits the number of
simultaneous Phase 2 SA negotiations. The IKE key
exchange process fails if this limit is exceeded.
!! IKE Packet Retransmit
The Business Secure Router did not receive a
response from the peer and so retransmits the last
packet sent.
!! Failed to send IKE Packet
The Business Secure Router cannot send IKE
packets due to a network error.
!! Too many errors! Deleting
SA
The Business Secure Router deletes an SA when
too many errors occur.
!! Phase 1 ID type mismatch
The ID type of an incoming packet does not match
the local's peer ID type.
!! Phase 1 ID content
mismatch
The ID content of an incoming packet does not
match the local's peer ID content.
!! No known phase 1 ID type
found
The ID type of an incoming packet does not match
any known ID type.
Peer ID: IP address type <IP
address>
The IP address type or IP address of an incoming
packet does not match the peer IP address type or IP
address configured on the local router. The log
displays the IP address type and IP address of the
incoming packet.
vs. My Remote <IP address>
The IP address type or IP address of an incoming
packet does not match the peer IP address type or IP
address configured on the local router. The log
displays this router’s configured remote IP address
type or IP address that the incoming packet did not
match.
vs. My Local <IP address>
The IP address type or IP address of an incoming
packet does not match the peer IP address type or IP
address configured on the local router. The log
displays the configured local IP address type of the
router or IP address that the incoming packet did not
match.
-> <symbol>
Error ID Info
The router sent a payload type of IKE packet.
The parameters configured for Phase 1 ID content
do not match or the parameters configured for the
Phase 2 ID (IP address of single, range or subnet) do
not match. Check all protocols and settings for these
phases.
Nortel Business Secure Router 222 Configuration — Advanced
328 Appendix K Log descriptions
Table 90 shows sample log messages during packet transmission.
Table 90 Sample IPSec logs during packet transmission
LOG MESSAGE
DESCRIPTION
!! WAN IP changed to <IP>
If the Business Secure Router’s WAN IP
changes, all configured “My IP Addr” are
changed to “0.0.0.0”. If this field is configured as
0.0.0.0, the Business Secure Router uses the
current Business Secure Router WAN IP
address (static or dynamic) to set up the VPN
tunnel.
!! Cannot find IPSec SA
The Business Secure Router cannot find a
phase 2 SA that corresponds with the SPI of an
inbound packet (from the peer); the packet is
dropped.
!! Cannot find outbound SA for
rule <%d>
The packet matches the rule index number (#d),
but Phase 1 or Phase 2 negotiation for outbound
(from the VPN initiator) traffic is not finished yet.
!! Discard REPLAY packet
If the Business Secure Router receives a packet
with the wrong sequence number it discards it.
!! Inbound packet authentication
failed
The authentication configuration settings are
incorrect. Check them.
!! Inbound packet decryption
failed
The decryption configuration settings are
incorrect. Check them.
Rule <#d> idle time out,
disconnect
If an SA has no packets transmitted for a period
of time (configurable via CI command), the
Business Secure Router drops the connection.
Table 91 shows RFC-2408 ISAKMP payload types that the log displays. Refer to
the RFC for detailed information on each type.
Table 91 RFC-2408 ISAKMP payload types
NN47922-501
Log Display
Payload Type
SA
Security Association
PROP
Proposal
TRANS
Transform
KE
Key Exchange
ID
Identification
CER
Certificate
Appendix K Log descriptions 329
Table 91 RFC-2408 ISAKMP payload types
CER_REQ
Certificate Request
HASH
Hash
SIG
Signature
NONCE
Nonce
NOTFY
Notification
DEL
Delete
VID
Vendor ID
Table 92 PKI logs
Log Message
Description
Enrollment successful
The SCEP online certificate enrollment was successful. The
Destination field records the certification authority server IP
address and port.
Enrollment failed
The SCEP online certificate enrollment failed. The
Destination field records the certification authority server’s IP
address and port.
Failed to resolve
<SCEP CA server url>
The SCEP online certificate enrollment failed because the
certification authority server’s address cannot be resolved.
Enrollment successful
The CMP online certificate enrollment was successful. The
Destination field records the certification authority server’s IP
address and port.
Enrollment failed
The CMP online certificate enrollment failed. The Destination
field records the certification authority server’s IP address and
port.
Failed to resolve
<CMP CA server url>
The CMP online certificate enrollment failed because the
certification authority server’s IP address cannot be resolved.
Rcvd ca cert:
<subject name>
The router received a certification authority certificate, with
subject name as recorded, from the LDAP server whose IP
address and port are recorded in the Source field.
Rcvd user cert:
<subject name>
The router received a user certificate, with subject name as
recorded, from the LDAP server whose IP address and port
are recorded in the Source field.
Rcvd CRL <size>:
<issuer name>
The router received a CRL (Certificate Revocation List), with
size and issuer name as recorded, from the LDAP server
whose IP address and port are recorded in the Source field.
Rcvd ARL <size>:
<issuer name>
The router received an ARL (Authority Revocation List), with
size and issuer name as recorded, from the LDAP server
whose address and port are recorded in the Source field.
Nortel Business Secure Router 222 Configuration — Advanced
330 Appendix K Log descriptions
Table 92 PKI logs
Log Message
Description
Failed to decode the
received ca cert
The router received a corrupted certification authority
certificate from the LDAP server whose address and port are
recorded in the Source field.
Failed to decode the
received user cert
The router received a corrupted user certificate from the
LDAP server whose address and port are recorded in the
Source field.
Failed to decode the
received CRL
The router received a corrupted CRL (Certificate Revocation
List) from the LDAP server whose address and port are
recorded in the Source field.
Failed to decode the
received ARL
The router received a corrupted ARL (Authority Revocation
List) from the LDAP server whose address and port are
recorded in the Source field.
Rcvd data <size> too
large! Max size
allowed: <max size>
The router received directory data that was too large (the size
is listed) from the LDAP server whose address and port are
recorded in the Source field. The maximum size of directory
data that the router allows is also recorded.
Cert trusted:
<subject name>
The router has verified the path of the certificate with the
listed subject name.
Due to <reason
codes>, cert not
trusted: <subject
name>
Due to the reasons listed, the certificate with the listed subject
name has not passed the path verification. The recorded
reason codes are only approximate reasons for not trusting
the certificate. See Table 93 for the corresponding
descriptions of the codes.
Table 93 Certificate path verification failure reason codes
NN47922-501
Code
Description
1
Algorithm mismatch between the certificate and the search constraints.
2
Key usage mismatch between the certificate and the search constraints.
3
Certificate was not valid in the time interval.
4
(Not used)
5
Certificate is not valid.
6
Certificate signature was not verified correctly.
7
Certificate was revoked by a CRL.
8
Certificate was not added to the cache.
9
Certificate decoding failed.
10
Certificate was not found (anywhere).
Appendix K Log descriptions 331
Table 93 Certificate path verification failure reason codes
Code
Description
11
Certificate chain looped (did not find trusted root).
12
Certificate contains critical extension that was not handled.
13
Certificate issuer was not valid (CA specific information missing).
14
(Not used)
15
CRL is too old.
16
CRL is not valid.
17
CRL signature was not verified correctly.
18
CRL was not found (anywhere).
19
CRL was not added to the cache.
20
CRL decoding failed.
21
CRL is not currently valid, but in the future.
22
CRL contains duplicate serial numbers.
23
Time interval is not continuous.
24
Time information not available.
25
Database method failed due to timeout.
26
Database method failed.
27
Path was not verified.
28
Maximum path length reached.
Table 94 IEEE 802.1X logs
Log Message
Description
Local User Database accepts
user.
A user was authenticated by the local user
database.
Local User Database reports
user credential error.
A user was not authenticated by the local user
database because of an incorrect user password.
Local User Database does not
find user`s credential.
A user was not authenticated by the local user
database because the user is not listed in the
local user database.
RADIUS accepts user.
A user was authenticated by the RADIUS Server.
RADIUS rejects user. Pls check
RADIUS Server.
A user was not authenticated by the RADIUS
Server. Check the RADIUS Server.
Nortel Business Secure Router 222 Configuration — Advanced
332 Appendix K Log descriptions
Table 94 IEEE 802.1X logs
Log Message
Description
Local User Database does not
support authentication method.
The local user database only supports the
EAP-MD5 method. A user tried to use another
authentication method and was not authenticated.
User logout because of session
timeout expired.
The router logged off a user whose session
expired.
User logout because of user
deassociation.
The router logged off a user who ended the
session.
User logout because of no
authentication response from
user.
The router logged off a user from which there was
no authentication response.
User logout because of idle
timeout expired.
The router logged off a user whose idle timeout
period expired.
User logout because of user
request.
A user logged off.
Local User Database does not
support authentication mothed.
A user tried to use an authentication method that
the local user database does not support (it only
supports EAP-MD5).
No response from RADIUS. Pls
check RADIUS Server.
There is no response message from the RADIUS
server, check the RADIUS server.
Use Local User Database to
authenticate user.
The local user database is operating as the
authentication server.
Use RADIUS to authenticate
user.
The RADIUS server is operating as the
authentication server.
No Server to authenticate user. There is no authentication server to authenticate
a user.
Local User Database does not
find user`s credential.
A user was not authenticated by the local user
database because the user is not listed in the
local user database.
Log commands
Go to the command interpreter interface (see Appendix H, “Command
Interpreter” on page 271 for information on how to access and use the
commands).
NN47922-501
Appendix K Log descriptions 333
Configuring what you want the Business Secure Router to
log
Use the sys logs load command to load the log setting buffer that is used to
configure which logs the Business Secure Router is to record.
Use sys logs category followed by a log category and a parameter to decide what
to record.
Table 95 Log categories and available settings
Log Categories
Available Parameters
access
0, 1, 2, 3
attack
0, 1, 2, 3
error
0, 1, 2, 3
ike
0, 1, 2, 3
ipsec
0, 1, 2, 3
javablocked
0, 1, 2, 3
mten
0, 1
upnp
0, 1
urlblocked
0, 1, 2, 3
urlforward
0, 1
Use 0 to not record logs for that category, 1 to record only logs for
that category, 2 to record only alerts for that category, and 3 to
record both logs and alerts for that category.
Use the sys logs save command to store the settings in the Business Secure Router
(you must do this in order to record logs).
Displaying logs
Use the sys logs display command to show all of the logs in the Business Secure
Router’s log.
Use the sys logs category display command to show the log settings for all of the
log categories.
Nortel Business Secure Router 222 Configuration — Advanced
334 Appendix K Log descriptions
Use the sys logs display [log category] command to show the logs in an individual
Business Secure Router log category.
Use the sys logs clear command to erase all of the Business Secure Router’s logs.
Log command example
This example shows how to set the Business Secure Router to record the access
logs and alerts and then view the results.
ras>
ras>
ras>
ras>
#
sys
sys
sys
sys
logs
logs
logs
logs
load
category access 3
save
display access
.time
source
message
0|11/11/2002 15:10:12 |172.22.3.80:137
Firewall default policy: UDP(set:8)
1|11/11/2002 15:10:12 |172.21.4.17:138
Firewall default policy: UDP(set:8)
2|11/11/2002 15:10:11 |172.17.2.1
Firewall default policy: IGMP(set:8)
3|11/11/2002 15:10:11 |172.22.3.80:137
Firewall default policy: UDP(set:8)
4|11/11/2002 15:10:10 |192.168.10.1:520
Firewall default policy: UDP(set:8)
5|11/11/2002 15:10:10 |172.21.4.67:137
NN47922-501
destination
notes
|172.22.255.255:137
|ACCESS BLOCK
|172.21.255.255:138
|ACCESS BLOCK
|224.0.1.60
|ACCESS BLOCK
|172.22.255.255:137
|ACCESS BLOCK
|192.168.10.255:520
|ACCESS BLOCK
|172.21.255.255:137
|ACCESS BLOCK
335
Appendix L
Brute force password guessing protection
Table 96 describes the commands for enabling, disabling and configuring the
brute force password guessing protection mechanism for the password.
Table 96 Brute force password guessing protection commands
Command
Description
sys pwderrtm
This command displays the brute-force guessing password
protection settings.
sys pwderrtm 0
This command turns off the password’s protection from brute-force
guessing. The brute-force password guessing protection is turned
off by default.
sys pwderrtm N
This command sets the password protection to block all access
attempts for N (a number from 1 to 60) minutes after the third time
an incorrect password is entered.
Example
sys pwderrtm 5
This command sets the password protection to block all access attempts for five
minutes after the third time an incorrect password is entered.
Nortel Business Secure Router 222 Configuration — Advanced
336 Appendix L Brute force password guessing protection
NN47922-501
337
Appendix M
SIP
The Session Initiation Protocol (SIP) is an application-layer control (signaling)
protocol that handles the setting up, altering, and tearing down of voice and
multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the
sending of voice signals over the Internet Protocol.
SIP signaling is separate from the media for which it handles sessions. The media
that is exchanged during the session can use a different path from that of the
signaling. SIP handles telephone calls and can interface with traditional
circuit-switched telephone networks.
SIP Identities
A SIP account uses an identity (sometimes referred to as a SIP address). A
complete SIP identity is called a SIP URI (Uniform Resource Identifier). The URI
of a SIP account identifies the SIP account in a way similar to the way an e-mail
address identifies an e-mail account. The format of a SIP identity is
SIP-Number@SIP-Service-Domain.
SIP Number
The SIP number is the part of the SIP URI that comes before the @ symbol. A SIP
number can use letters like in an e-mail address ([email protected], for
example) or numbers like a telephone number ([email protected],
for example).
Nortel Business Secure Router 222 Configuration — Advanced
338 Appendix M SIP
SIP Service Domain
The SIP service domain of the VoIP service provider is the domain name in a SIP
URI. For example, if the SIP address is [email protected], then
VoIP-provider.com is the SIP service domain.
SIP Call Progression
Table 97 displays the basic steps in the setup and tear down of a SIP call. A calls
B.
Table 97 SIP Call Progression
A
B
1. INVITE
2. Ringing
3. OK
4. ACK
5.Dialogue (voice traffic)
6. BYE
7. OK
NN47922-501
1
A sends a SIP INVITE request to B. This message is an invitation for B to
participate in a SIP telephone call.
2
B sends a response indicating that the telephone is ringing.
3
B sends an OK response after the call is answered.
4
A then sends an ACK message to acknowledge that B has answered the call.
5
Now A and B exchange voice media (talk).
6
After talking, A hangs up and sends a BYE request.
7
B replies with an OK response confirming receipt of the BYE request and the
call is terminated.
Appendix M SIP 339
SIP Servers
SIP is a client-server protocol. A SIP client is an application program or device
that sends SIP requests. A SIP server responds to the SIP requests.
When you use SIP to make a VoIP call, it originates at a client and terminates at a
server. A SIP client could be a computer or a SIP phone. One device can act as
both a SIP client and a SIP server.
SIP User Agent Server
A SIP user agent server can make and receive VoIP telephone calls. This means
that SIP can be used for peer-to-peer communications even though it is a
client-server protocol. In Figure 168, either A or B can act as a SIP user agent
client to initiate a call. A and B can also both act as a SIP user agent server to
receive the call.
Figure 168 SIP User Agent Server
SIP Proxy Server
A SIP proxy server receives requests from clients and forwards them to another
server.
In the following example, client device A calls someone who is using client
device C.
1
The client device (A in the figure) sends a call invitation to the SIP proxy
server (B).
2
The SIP proxy server forwards the call invitation to C.
Nortel Business Secure Router 222 Configuration — Advanced
340 Appendix M SIP
Figure 169 SIP Proxy Server
SIP Redirect Server
A SIP redirect server accepts SIP requests, translates the destination address to an
IP address and sends the translated IP address back to the device that sent the
request. Then the client device that originally sent the request can send requests to
the IP address that it received back from the redirect server. Redirect servers do
not initiate SIP requests.
In the following example, client device A calls someone who is using client
device C.
NN47922-501
1
Client device A sends a call invitation for C to the SIP redirect server (B).
2
The SIP redirect server sends the invitation back to A with C’s IP address (or
domain name).
3
Client device A then sends the call invitation to client device C.
Appendix M SIP 341
Figure 170 SIP Redirect Server
SIP Register Server
A SIP register server maintains a database of SIP identity-to-IP address (or
domain name) mapping. The register server checks your username and password
when you register.
RTP
When you make a VoIP call using SIP, the RTP (Real time Transport Protocol) is
used to handle voice data transfer. See RFC 1889 for details on RTP.
Nortel Business Secure Router 222 Configuration — Advanced
342 Appendix M SIP
SIP ALG
Some NAT routers can include a SIP Application Layer Gateway (ALG). A SIP
ALG allows VoIP calls to pass through NAT by examining and translating IP
addresses embedded in the data stream. When a VoIP device (SIP client) behind
the SIP ALG registers with the SIP register server, the SIP ALG translates the
device’s private IP address inside the SIP data stream to a public IP address. You
do not need to use STUN if your VoIP device is behind the SIP ALG.
STUN
Using STUN (Simple Traversal of User Datagram Protocol (UDP) through
Network Address Translators), the VoIP device can the presence and types of
NAT routers, firewalls, or both between it and the public Internet. With STUN,
the VoIP device can also find the public IP address that NAT assigned, so the
VoIP device can embed it in the SIP data stream. See “STUN - Simple Traversal
of User Datagram Protocol (UDP) Through Network Address Translators
(NATs)” (RFC 3489) for details on STUN.
Business Secure Router SIP ALG
•
•
•
•
NN47922-501
SIP clients must be connected to the LAN. A SIP server must be on the WAN.
You can make and receive calls between the LAN and the WAN. You cannot
make a call between the LAN and the LAN.
The SIP ALG forwards UDP packets with a port 5060 destination to pass
through.
The Business Secure Router forwards SIP audio connections.
Appendix M SIP 343
Figure 171 Business Secure Router SIP ALG
Signaling session
over UDP port 5060
Audio session using RTP
SIP ALG and NAT
The Business Secure Router dynamically creates an implicit port forwarding rule
for SIP traffic from the WAN to the LAN.
The SIP ALG on the Business Secure Router supports all NAT mapping types,
including One to One, Many to One, Many to Many Overload and Many One
to One.
SIP ALG and firewall
The Business Secure Router creates an implicit temporary firewall rule for the
dynamic RTP port on the WAN to the SIP client device on the LAN. The firewall
rule is created for both directions to allow voice packets. The firewall rule is
deleted when the call is terminated.
SIP ALG and Multiple WAN
When the Business Secure Router has two WAN ports and uses the second
highest priority WAN port as a back up, it drops SIP connections when the
primary WAN port connection fails. The Business Secure Router does not
automatically change the SIP connection to the secondary WAN port.
Nortel Business Secure Router 222 Configuration — Advanced
344 Appendix M SIP
If the primary WAN connection fails, the SIP client needs to re-register with the
SIP server through the secondary WAN port to have the SIP connection go
through the secondary WAN port.
When the Business Secure Router uses both of the WAN ports at the same time,
you can configure a routing policy to have the voice traffic from any IP address
with UDP port 5060 and the RTP ports go over a specified WAN port.
Enabling or disabling the SIP ALG
The Business Secure Router SIP ALG is turned off by default to avoid
retranslating the IP address of an existing SIP device that is using STUN. If you
want to use a SIP client device (a SIP phone or IP phone for example) behind the
Business Secure Router without STUN, use the ip alg enable ALG_SIP
command to activate the SIP ALG.
Signaling session timeout
Most SIP clients have an expire mechanism indicating the lifetime of signaling
sessions. The SIP UA sends registration packets to the SIP server periodically and
keeps the session alive in the Business Secure Router.
If the SIP client does not have this mechanism and makes no call during the
Business Secure Router SIP timeout default (60 minutes), the Business Secure
Router SIP ALG drops any incoming calls after the timeout period. You can use
the ip alg siptimeout command to change the timeout value.
Audio session timeout
If no voice packets go through the SIP ALG before the timeout period default (5
minutes) expires, the SIP ALG does not drop the call but blocks all voice traffic
and deletes the audio session. You cannot hear anything and you must make a new
call to continue your conversation.
NN47922-501
345
Index
Numbers
Call Control 202
Call History 204
10/100 Mb/s Ethernet WAN 32
ACK Message 338
Call Scheduling 35, 213
Maximum Number of Schedule Sets 213
PPPoE 216
Precedence 214
Precedence Example 214
Active 60, 63, 87
Call-Triggering Packet 175
ALG 342
Central Network Management 36
Allocated Budget 61, 90
CHAP 61, 90
Alternative Subnet Mask Notation 264
Client-server Protocol 339
Application Layer Gateway 342
Command Interpreter Mode 199
Applications 39
Community 155
AT command 56, 58, 180
Conditions that prevent TFTP and FTP from
working over WAN 183
4-Port Switch 32
A
Authen 61, 90
Connection ID/Name 92
Authentication 61, 89, 90
Console Port 168, 169, 171, 258
Authentication Protocol 89
Autonegotiating 10/100 Mb/s Ethernet LAN 32
Autosensing 10/100 Mb/s Ethernet LAN 32
Content Filtering 35
Contivity VPN Client Software 33
conventions, text 25
Auxiliary 33
copyright 2
B
D
Backup 180
Brute Force Password Guessing Protection 35
Budget Management 202
BYE Request 338
DDNS
Configuration 50
DDNS Type 51
Denial of Service 133
C
DHCP 73
Call Back Delay 59
DHCP Ethernet Setup 72
DHCP (Dynamic Host Configuration Protocol) 37
Nortel Business Secure Router 222 Configuration — Advanced
346 Index
Diagnostic 176
DIAL BACKUP 258
Dial Timeout 59
Filters
Executing a Filter Rule 136
IP Filter Logic Flow 144
DoS (Denial of Service) 34
Firewall 34
Activating 133
SMT Menus 133
Drop Timeout 59
Flow Control 41
DSL Modem 39, 88
FTP 211
DTR 58
FTP File Transfer 190
Dynamic DNS Support 36
FTP Restrictions 183, 211
Domain Name 168, 170
E
FTP Server 38, 125
Full Network Management 38
Edit IP 61, 88
EMAIL 51
G
E-mail Address 51
Gateway IP Addr 94
Enable Wildcard 51
Gateway IP Address 81, 102
Encapsulation 80, 87, 91
General Setup 47
Entering Information 43
Ethernet Encapsulation 79, 86, 87, 91, 96
H
Ethernet Specification for WAN 257
Hardware Setup 40
F
Hidden Menus 43
Host 51
F/W Version 180
Host IDs 262
Factory Default 54
HTTPS 34
Fail Tolerance 99
HyperTerminal program 185, 188
Features 31
Filename Conventions 179
I
Filter 69, 95
Applying 152
Configuration 135
Configuring 138
Example 148
Generic Filter Rule 146
Generic Rule 147
NAT 151
Remote Node 153
Structure 136
TCP/IP Rule 142
Idle Timeout 62, 90
NN47922-501
IEEE 802.1x 34
Incoming Protocol Filters 77
Initial Screen 41
Internet Access 79
ISP's Name 80
Internet Access Setup 79, 80, 108
Introduction to Filters 135
IP Address 61, 64, 75, 76, 81, 93
Index 347
Multicast 65, 75, 95
Remote 64
IP Address Assignment 64, 81, 93
Multimedia 337
IP Addressing 261
My IP Addr 91
IP Alias 36, 76
My Login 60, 88
IP Alias Setup 75, 76
My Login Name 80
IP Classes 261
My Password 60, 80, 81, 88
IP Multicast 36
Internet Group Management Protocol
(IGMP) 36
My Server IP Addr 91
IP Pool 73, 74
N
IP Static Route 101, 102
Active 102
Destination IP Address 102
IP Subnet Mask 102
Name 102
Route Number 102
My WAN Address 64
Nailed-Up Connection 62, 90
Nailed-up Connection 90
Nailed-Up Connections 92
IPSec VPN Capability 33, 34
NAT 65, 94, 151
Applying NAT in the SMT Menus 107
Configuring 110
Examples 121
Ordering Rules 114
ISP’s Name 80
NAT Routers 342
IP Subnet Mask 64, 76
Remote 64
Network Address Translation 81
L
Network Address Translation (NAT) 37, 107
LAN Port Filter Setup 71
Network Address Translators 342
LAN Setup 71, 72
Log 171
O
Log Facility 172
Offline 52
Logging 38
OK Response 338
Logging In to the SMT 42
Operation Temperature 257
Login Name 80
Outgoing Protocol Filters 77
Login Screen 42
P
M
Packet Filtering 35
MAC Address 54
PAP 61, 90
Main Menu 43
Password 42, 45, 80, 81, 155
Mean Time Between Failures 257
Period(hr) 61, 90
Metric 65, 90, 94, 103
Ping 178
MTBF 257
Port Forwarding 37
Nortel Business Secure Router 222 Configuration — Advanced
348 Index
PPP 62
RoadRunner Support 38
PPPoE 35, 249
Route 88
PPPoE Encapsulation 79, 83, 86, 88, 90, 96
RTP 341
PPTP 253
Client 81, 82
Configuring a Client 81, 82
S
PPTP Encapsulation 36, 91
Schedule Sets
Duration 215
Private 65, 94, 103
Schedules 90, 92
Protocol Filters 77
Incoming 77
Outgoing 77
Server 80, 81, 88, 110, 113, 116, 117, 123, 124,
206
publications
hard copy 26
related 26
Service Name 88
Server IP 88
Service Type 80, 87
Session Initiation Protocol 337
R
setup a schedule 214
RAS F/W Version 170
SIP Account 337
Real time Transport Protocol 341
SIP ALG 342
regulatory information 2
SIP Application Layer Gateway 342
Rem IP Address 64
SIP Client 339
Rem Node Name 60, 63, 87
SIP INVITE Request 338
Remote Management 209
SIP Redirect Server 340
Remote Management Limitations 211
SIP Register Server 341
Remote Node 85
Profile (Traffic Redirect Field) 97
SIP Servers 339
Remote Node Filter 69, 95
SIP User Agent Server 339
Required fields 43
SMT 42
Reset Button 33
SNMP 37
Community 156
Configuration 155
Trusted Host 156
Resetting the Time 208
Restore Configuration 186
retry count 59
SIP URI 337
retry interval 59
SNMP (Simple Network Management
Protocol) 37
RFC 1889 341
SSH 34
RFC 3489 342
Stateful Inspection 34
RIP 65, 75, 77, 94
Direction 77
Version 77, 95
SUA (Single User Account) 107
NN47922-501
Subnet Mask 64, 75, 81, 93, 102
Index 349
U
Subnet Masks 263
Subnetting 263
Uniform Resource Identifier 337
Syslog 171, 172
Universal Plug and Play 35
Syslog IP Address 172
Upgradeable Firmware 38
System Information 165, 168, 169
Upload Firmware 189
System Maintenance 165, 166, 167, 168, 170, 171,
172, 177, 178, 180, 183, 193, 194, 199, 202, 204,
206
UPnP 35
User Name 51
System Management Terminal 42
User Profiles 105
System Name 48
Username 42
System Status 166
V
T
VT100 41
TCP/IP 63, 72, 75, 92, 141, 142, 144, 147, 151
Setup 75
W
TCP/IP and DHCP Setup 72
WAN DHCP 177, 178
TCP/IP filter rule 141
WAN Setup 53, 54
technical publications 26
WebGUI 134
Terminal Emulation 41
www.dyndns.org 52
text conventions 25
TFTP File Transfer 192
X
TFTP Restrictions 183, 211
XMODEM protocol 181
Time and Date 33
Time and Date Setting 205, 206
Time Zone 207
Timeout 62, 82, 83, 90
Trace 171
Tracing 38
trademarks 2
Traffic Redirect 37
Setup 98
Triangle 229
Triangle Route Solutions 230
Trigger Port Forwarding 129
Nortel Business Secure Router 222 Configuration — Advanced

advertisement

Was this manual useful for you? Yes No
Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Related manuals

Avaya Business Secure Router 222 Configuration - Basics Configuration manual

Avaya

Business Secure Router 222 Configuration - Basics

  • Configuration manual
Nortel Networks Network Router BSR222 User manual

Nortel Networks

Network Router BSR222

  • User manual
Nortel 222 Datasheet

Nortel

NT5S20AAE6

  • Datasheet
Nortel Contivity 221 User manual

Nortel

Contivity 221

  • User manual
Avaya Business Secure Router 222 Release Notes

Avaya

Business Secure Router 222

  • Release Notes
Nortel 252 Configuration

Nortel

252

  • Configuration
Avaya BCM50e Configuration manual

Avaya

BCM50e

  • Configuration manual
Avaya BCM50e Configuration manual

Avaya

BCM50e

  • Configuration manual
Avaya Business Secure Router 252 Configuration - Basics Configuration manual

Avaya

Business Secure Router 252 Configuration - Basics

  • Configuration manual
Epson WorkForce WF-7110 Administrator's Guide

Epson

WorkForce WF-7110

  • Administrator's Guide
ZyXEL ZyWALL 2 Plus User's Guide

ZyXEL

ZyWALL 2 Plus

  • User's Guide
ZyXEL Communications 5 Series Network Router User`s guide

ZyXEL Communications

ZyWALL 5 Series

  • User`s guide

advertisement