Internet Security Router User’s Manual Revision 1.1 Oct.
Copyright Information

No part of this manual, including the products and software described in it, may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means, except documentation kept by the purchaser for backup purposes, without the express written permission of ASUSTeK COMPUTER INC. (“ASUS”).
1 Introduction

Congratulations on becoming the owner of the Internet Security Router. Your LAN (local area network) will now be able to access the Internet using your high-speed broadband connection such as those with ADSL or cable modem. This User Manual will show you how to set up the Internet Security Router, and how to customize its configuration to get the most out of this product. 1.
Note: Provides clarification or non-essential information on the current topic.
Definition: Explains terms or acronyms that may be unfamiliar to many readers. These terms are also included in the Glossary.
Provides messages of high importance, including messages relating to personal safety or system integrity.
2 Getting to Know the Internet Security Router

2.1 Parts List

In addition to this document, your Internet Security Router should come with the following:

• The Internet Security Router
• Power adapter
• Ethernet cable (“straight-through” type)
• Optional console port cable (RJ-45)

2.2 Front Panel

The front panel contains LED indicators that show the status of the unit.

Figure 2.1.
Table 2.2. Rear Panel Labels and LEDs

Label: Function
Switches the unit on and off
POWER: Connects to the supplied power adapter
Reset: Resets the device
CONSOLE: RJ-45 serial port for console management
WAN: Connects to your WAN device, such as ADSL or cable modem.

2.4 2.4.1
• Reverse Static – This is inbound mapping that maps a globally valid Internet address to an internal host address. All packets coming to that external address are relayed to the internal address. This is useful when hosting services in an internal machine.
• Reverse NAPT – Also called inbound mapping, port mapping, and virtual server.
Flooder 2.4.1.
• Alerts sent to the administrator via e-mail.
• Maintains, at a minimum, log details such as the time of packet arrival, a description of the action taken by the firewall and the reason for the action.
• Supports the UNIX Syslog format.
• Sends log report e-mails as scheduled by the network administrator or by default when the log file is full.
• All the messages are sent in the WELF format.
• ICMP logging to show code and type.

2.
• Remote Access VPN – Corporations use VPNs to establish secure, end-to-end private network connections over a public networking infrastructure. VPNs have become the logical solution for remote access connectivity. Deploying a remote access VPN enables corporations to reduce communications expenses by leveraging the local dial-up infrastructure of Internet Service Providers.
3 Quick Start Guide

This Quick Start Guide provides basic instructions for connecting the Internet Security Router to a computer or a LAN and to the Internet.

• Part 1 provides instructions to set up the hardware.
• Part 2 describes how to configure Internet properties on your computer(s).
• Part 3 shows you how to configure basic settings on the Internet Security Router to get your LAN connected to the Internet.
3.1.4 Step 4. Turn on the Internet Security Router, the ADSL or cable modem and power up your computers.

Press the Power switch on the rear panel of the Internet Security Router to the ON position. Turn on your ADSL or cable modem. Turn on and boot up your computer(s) and any LAN devices such as hubs or switches.

Figure 3.1. Overview of Hardware Connections

You should verify that the LEDs are illuminated as indicated in Table 3.1.
If the LEDs illuminate as expected, the Internet Security Router hardware is working properly.

3.2 Part 2 — Configuring Your Computers

Part 2 of the Quick Start Guide provides instructions for configuring the Internet settings on your computers to work with the Internet Security Router.

3.2.1 Before you begin

By default, the Internet Security Router automatically assigns all required Internet settings to your PCs.
You may be prompted to install files from your Windows 2000 installation CD or other media. Follow the instructions to install the files.

7. If prompted, click button to restart your computer with the new settings.

Next, configure the PCs to accept IP addresses assigned by the Internet Security Router:

8. In the Control Panel, double-click the Network and Dial-up Connections icon.
9.
1. In the Windows NT task bar, click the button, point to Settings, and then click Control Panel.
2. In the Control Panel window, double-click the Network icon.
3. In the Network dialog box, click the Protocols tab. The Protocols tab displays a list of currently installed network protocols. If the list includes TCP/IP Protocol, then the protocol has already been enabled. Skip to step 9.
4.
3.3 Part 3 — Quick Configuration of the Internet Security Router

In Part 3, you log into the Configuration Manager on the Internet Security Router and configure basic settings for your Internet connection. Your ISP should provide you with the necessary information to complete this step. Note that because the intent here is to get the Internet Security Router up and running quickly, the instructions are concise.
3. Enter your user name and password, and then click to enter the Configuration Manager. The first time you log into this program, use these defaults:

Default User Name: admin
Default Password: admin

Note: You can change the password at any time (see section 12.2 Change the Login Password on page 124).

The Setup Wizard home page displays each time you log into the Configuration Manager (shown in Figure 3.3 on page 15).

Figure 3.3.
5. Now we are at the System Information setup page; enter the requested information in the spaces provided and click the button to save the changes. Otherwise, proceed to the next configuration page by clicking on the button.

Figure 3.5. Setup Wizard – System Identity Configuration Page

Figure 3.6. Setup Wizard – Date/Time Configuration Page

6.
Figure 3.7. Setup Wizard – LAN IP Configuration Page

Figure 3.8. Setup Wizard – DHCP Server Configuration Page

8. It is recommended that you keep the default settings for the DHCP server until after you have completed the rest of the configuration and confirmed that your Internet connection is working. Click on the button to proceed to the next configuration page.
9.
Figure 3.9. Setup Wizard – WAN PPPoE Configuration Page

Figure 3.10. Setup Wizard – WAN Dynamic IP Configuration Page

a) PPPoE Connection Mode (see Figure 3.9)

• You don’t need to enter primary/secondary DNS IP addresses as PPPoE is able to automatically obtain this information for you from your ISP.
• Host name is optional. You may leave it empty if your ISP did not provide such information.
• Enter the user name and password provided by your ISP.
• Click on button to save the PPPoE settings.

b) Dynamic IP Connection Mode (see Figure 3.10)

• You don’t need to enter primary/secondary DNS IP addresses as DHCP client is able to automatically obtain this information for you from your ISP.
• Enter at least the primary DNS IP address provided by your ISP. Secondary DNS IP address is optional. Enter it in the space provided if you have such information from your ISP.
• Click to save the static IP settings.

You have now completed customizing basic configuration settings. Read the following section to determine if you have access to the Internet.

3.3.
4 Getting Started with the Configuration Manager

The Internet Security Router includes a preinstalled program called the Configuration Manager, which provides an interface to the software installed on the device. It enables you to configure the device settings to meet the needs of your network.
Note: You can change the password at any time (see section 12.2 Change the Login Password on page 124).

The Setup Wizard page displays each time you log into the program (shown in Figure 4.3 on page 23).

4.2 Functional Layout

A typical Configuration Manager page consists of two separate frames. The left frame, as shown in Figure 4.2, contains all the menus available for device configuration.
Button/Icon Function

• Adds the existing configuration to the system, e.g. a static route or a firewall ACL rule.
• Modifies the existing configuration in the system, e.g. a static route or a firewall ACL rule.
• Deletes the selected item, e.g. a static route or a firewall ACL rule.
• Launches the online help for the current topic in a separate browser window.
Figure 4.4.
5 Configuring LAN Settings

This chapter describes how to configure LAN properties for the LAN interface on the Internet Security Router that communicates with your LAN computers. You’ll learn to configure IP address, DHCP and DNS server for your LAN in this chapter.

5.
Figure 5.1. LAN IP Address Configuration Page

2. Enter a LAN IP address and subnet mask for the Internet Security Router in the space provided.
3. Click to save the LAN IP address. If you were using an Ethernet connection for the current session, and changed the IP address, the connection will be terminated.
4.
On a DHCP-enabled network, the IP information is assigned dynamically rather than statically. A DHCP client can be assigned a different address from the pool each time it reconnects to the network.

5.2.2 Why use DHCP?

DHCP allows you to manage and distribute IP addresses throughout your network from the Internet Security Router.
enter the LAN IP or your ISP’s DNS IP in the primary DNS Server IP Address field. Table 5.2 describes the DHCP configuration parameters in detail.

Table 5.2. DHCP Configuration Parameters

IP Address Pool Begin/End: Specify the lowest and highest addresses in the DHCP address pool.
Subnet Mask: Enter the subnet mask to be used for the DHCP address pool.
5.3 DNS

5.3.1 About DNS

Domain Name System (DNS) servers map the user-friendly domain names that users type into their Web browsers (e.g., "yahoo.com") to the equivalent numerical IP addresses that are used for Internet routing. When a PC user types a domain name into a browser, the PC must first send a request to a DNS server to obtain the equivalent IP address.
2. Configure the LAN PCs to use the IP addresses assigned by the DHCP server on the Internet Security Router, or enter the Internet Security Router's LAN IP address as their DNS server address manually for each PC on your LAN.

Note: DNS addresses that are assigned to LAN PCs prior to enabling DNS relay will remain in effect until the PC is rebooted. DNS relay will only take effect when a PC's DNS address is the LAN IP address.

5.
6 Configuring WAN Settings

This chapter describes how to configure WAN settings for the WAN interface on the Internet Security Router that communicates with your ISP. You’ll learn to configure IP address, DHCP and DNS server for your WAN in this chapter.

6.1 WAN Connection Mode

Three modes of WAN connection are supported by the Internet Security Router – PPPoE, dynamic IP and static IP.
Table 6.1. WAN PPPoE Configuration Parameters

Host Name: Host name is optional but may be required by some ISP.
User Name and Password: Enter the username and password you use to log into your ISP. (Note: this is different from the information you used to log into Configuration Manager.
Host Name: Host name is optional but may be required by some ISP.
Primary/Secondary DNS: IP address of the primary and/or secondary DNS are optional as DHCP client will automatically obtain the DNS IP addresses configured at your ISP. However, if there are other DNS servers you would rather use, enter the IP addresses in the spaces provided.
6.4 Static IP

6.4.1 WAN Static IP Configuration Parameters

Table 6.3 describes the configuration parameters available for static IP connection mode.

Table 6.3. WAN Static IP Configuration Parameters

IP Address: WAN IP address provided by your ISP.
Subnet Mask: WAN subnet mask provided by your ISP. Typically, it is set as 255.255.255.0.
Gateway Address: Gateway IP address provided by your ISP.
5. Enter the IP address of the primary DNS server. This information should be provided by your ISP. Secondary DNS server is optional.
6. Click to save the static IP settings when you are done with the configuration. You’ll see a summary of the WAN configuration at the bottom half of the configuration page.

6.5 Viewing WAN Statistics

You can view statistics of your WAN traffic.
7 Configuring Routes

You can use Configuration Manager to define specific routes for your Internet and network data communication. This chapter describes basic routing concepts and provides instructions for creating routes. Note that most users do not need to define routes.

7.
7.2 Dynamic Routing using RIP (Routing Information Protocol)

RIP enables routing information exchange between routers; thus, routes are updated automatically without human intervention. It is recommended that you enable RIP in the System Services Configuration Page as shown in Figure 12.1.

7.2.1 Enabling/Disabling RIP

Follow these instructions to enable or disable RIP:

1.
2. Click to delete the selected route.

WARNING: Do not remove the route for default gateway unless you know what you are doing. Removing the default route will render the Internet unreachable.

7.3.4 Viewing the Static Routing Table

All IP-enabled computers and routers maintain a table of IP addresses that are commonly accessed by their users.
8 Configuring DDNS

Dynamic DNS is a service that allows computers to use the same domain name, even when the IP address changes from time to time (during reboot or when the ISP's DHCP server resets IP leases). The Internet Security Router connects to a Dynamic DNS service whenever the WAN IP address changes. It supports setting up services such as a Web server or FTP server using a domain name instead of the IP address.
Figure 8.2. Network Diagram for HTTP DDNS (diagram labels: Internet; HTTP DDNS Server (DynDNS, TokyoDNS); ISR; DynDNS sl1000.homeunix.com; TokyoDNS sl1000.dns-tokyo.jp)

Whenever the IP address of the configured DDNS interface changes, a DDNS update is sent to the specified DDNS service provider. The Internet Security Router should be configured with the DDNS username and password that are obtained from the DDNS service provider.

8.
HTTP DDNS Specific Settings

DDNS Service [For HTTP DDNS only]
  dyndns: Please visit http://www.dyndns.org for more details.
  zoneedit: Please visit http://www.zoneedit.com for more details.
  dyn-tokyo: Please visit http://www.dns-tokyo.jp for more details.
DDNS Username [For HTTP DDNS only]: Enter the username provided by your DDNS service provider in this field.
4. In the DDNS Configuration page, select “Enable” for the DDNS State and “RFC-2136 DDNS” for the DDNS Type. The RFC-2136 DDNS Configuration page is then displayed as shown in Figure 8.3.
5. Enter the domain name in the DNS Zone Name field.
6. There is no need to change the settings for the primary and secondary DNS servers as they are inherited from the settings in the WAN configuration page.
9 Configuring Firewall/NAT Settings

The Internet Security Router provides built-in firewall/NAT functions, enabling you to protect the system against denial of service (DoS) attacks and other types of malicious accesses to your LAN while providing Internet access sharing at the same time. You can also specify how to monitor attempted attacks, and who should be automatically notified.
9.1.3.2 Tracking Connection State

The stateful inspection engine in the firewall keeps track of the state, or progress, of a network connection. By storing information about each connection in a state table, Internet Security Router is able to quickly determine if a packet passing through the firewall belongs to an already established connection.
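The state-table lookup described above, as an added Python sketch (not the router's firmware and not code from this manual). The TCP flag handling, the 300-second idle timeout and all addresses are assumptions made for the illustration; addresses are shown without NAT for simplicity.

```python
"""Toy TCP state table: only segments that fit a tracked connection pass."""
from dataclasses import dataclass

IDLE_TIMEOUT = 300  # seconds; assumed value for this demo


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags set on the segment
    inbound: bool      # True when the segment arrives on the WAN side


def seg(src, sport, dst, dport, flags, inbound):
    """Build a Segment from a flag string such as 'SYN+ACK'."""
    return Segment(src, sport, dst, dport, frozenset(flags.split("+")), inbound)


class StateTable:
    def __init__(self):
        self.conns = {}  # (lan ip, lan port, wan ip, wan port) -> [state, last_seen]

    @staticmethod
    def key(s):
        # Both directions of one connection normalise to the same key.
        if s.inbound:
            return (s.dst, s.dport, s.src, s.sport)
        return (s.src, s.sport, s.dst, s.dport)

    def inspect(self, s, now):
        # Forget connections that have been idle for too long.
        for k in [k for k, (_, seen) in self.conns.items() if now - seen > IDLE_TIMEOUT]:
            del self.conns[k]
        k = self.key(s)
        entry = self.conns.get(k)
        if entry is None:
            # No state yet: only an outbound connection opener creates an entry.
            if not s.inbound and s.flags == {"SYN"}:
                self.conns[k] = ["SYN_SENT", now]
                return "allow"
            return "drop"
        if "RST" in s.flags:
            del self.conns[k]          # connection torn down
            return "allow"
        if entry[0] == "SYN_SENT":
            if s.inbound and s.flags == {"SYN", "ACK"}:
                entry[:] = ["ESTABLISHED", now]
                return "allow"
            if not s.inbound and s.flags == {"SYN"}:
                entry[1] = now         # retransmitted opener
                return "allow"
            return "drop"
        if "SYN" in s.flags:           # a new opener inside a live connection
            return "drop"
        if "FIN" in s.flags:
            entry[0] = "CLOSING"
        entry[1] = now
        return "allow"


def run_trace():
    """Verdicts for a constructed sample trace (one segment per second)."""
    lan, web, stranger = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    trace = [
        seg(lan, 40000, web, 80, "SYN", False),        # LAN host opens a connection
        seg(web, 80, lan, 40000, "SYN+ACK", True),     # expected reply
        seg(lan, 40000, web, 80, "ACK", False),
        seg(web, 80, lan, 40000, "ACK", True),         # data on the tracked connection
        seg(stranger, 5555, lan, 22, "SYN", True),     # unsolicited inbound opener
        seg(stranger, 5555, lan, 40000, "ACK", True),  # ACK with no matching entry
        seg(web, 80, lan, 40000, "RST", True),         # reset removes the entry
        seg(web, 80, lan, 40000, "ACK", True),         # late segment after teardown
    ]
    table = StateTable()
    return [table.inspect(s, now) for now, s in enumerate(trace)]


if __name__ == "__main__":
    print(run_trace())
```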
Figure 9.1 Static NAT – Mapping Four Private IP Addresses to Four Globally Valid IP Addresses

9.2.2 Dynamic NAT

Dynamic NAT maps an internal host dynamically to a globally valid Internet address (m-to-n). The mapping usually contains a pool of internal IP addresses (m) and a pool of globally valid Internet IP addresses (n) with m usually greater than n.
9.2.3 NAPT (Network Address and Port Translation) or PAT (Port Address Translation)

Also called IP Masquerading, this feature maps many internal hosts to one globally valid Internet address. The mapping contains a pool of network ports to be used for translation. Every packet is translated with the globally valid Internet address and the port number is translated with an unused port from the pool of network ports.
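The NAPT mapping described above, as an added Python sketch (not the router's implementation and not code from this manual). The class and method names, the port pool and all addresses are assumptions chosen for the illustration.

```python
"""Toy NAPT table: many internal hosts share one global address."""
from collections import deque


class PortPoolExhausted(Exception):
    """Raised when every port in the translation pool is in use."""


class Napt:
    def __init__(self, global_ip, pool):
        self.global_ip = global_ip
        # TCP and UDP have separate port spaces, so each gets its own pool.
        self.free = {"tcp": deque(pool), "udp": deque(pool)}
        self.out = {}   # (proto, internal ip, internal port) -> global port
        self.back = {}  # (proto, global port) -> (internal ip, internal port)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of a LAN-to-WAN packet; allocate a port if needed."""
        key = (proto, src_ip, src_port)
        if key not in self.out:
            if not self.free[proto]:
                raise PortPoolExhausted(proto)
            port = self.free[proto].popleft()   # next unused port from the pool
            self.out[key] = port
            self.back[(proto, port)] = (src_ip, src_port)
        return (self.global_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the destination of a WAN-to-LAN packet, or return None.

        None means no mapping exists, so the packet is not relayed to the LAN.
        The lookup alone does not check who the sender is; that is the job of
        the firewall's connection state table.
        """
        target = self.back.get((proto, dst_port)) if dst_ip == self.global_ip else None
        if target is None:
            return None
        return (src_ip, src_port, target[0], target[1])

    def release(self, proto, src_ip, src_port):
        """Return a mapping's port to the pool when its connection ends."""
        port = self.out.pop((proto, src_ip, src_port), None)
        if port is not None:
            del self.back[(proto, port)]
            self.free[proto].append(port)


if __name__ == "__main__":
    # Constructed sample: two PCs using the same source port share one address.
    napt = Napt("203.0.113.1", range(50000, 50002))
    print(napt.outbound("tcp", "192.168.1.10", 5000, "198.51.100.7", 80))
    print(napt.outbound("tcp", "192.168.1.11", 5000, "198.51.100.7", 80))
    print(napt.inbound("tcp", "198.51.100.7", 80, "203.0.113.1", 50001))
    print(napt.inbound("tcp", "198.51.100.7", 80, "203.0.113.1", 50009))
```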
9.2.4 Reverse Static NAT

Reverse static NAT maps a globally valid IP address to an internal host address for the inbound traffic. All packets coming to that globally valid IP address are relayed to the internal address. This is useful when hosting services in an internal machine.

Figure 9.
ID
  Add New: Click on this option to add a new 'basic' Firewall rule.
  Rule Number: Select a rule from the drop-down list, to modify its attributes.
Action
  Allow: Select this button to configure the rule as an allow rule. This rule when bound to the Firewall will allow matching packets to pass through.
  Deny: Select this button to configure the rule as a deny rule.
  IP Address, Subnet, Range and IP Pool: Select any of these options and enter details as described in the Source IP section above.
Source Port: This option allows you to set the source port to which this rule should apply. Use the drop-down list to select one of the following options:
  Any: Select this option if you want this rule to apply to all applications with an arbitrary source port number.
associate with an inbound ACL rule.
Time Ranges: Select a pre-configured time range during which the rule is active. Select “Always” to make the rule active at all times.
Application Filtering: This option allows you to select pre-configured FTP, HTTP, RPC and/or SMTP application filters from the drop-down list.
4. Make changes to any or all of the following fields: source/destination IP, source/destination port, protocol, port mapping, time ranges, application filtering, log, and VPN. Please see Table 9.1 for explanation of these fields.
5. Assign a priority for this rule by selecting a number from the “Move to” drop-down list. Note that the number indicates the priority of the rule with 1 being the highest.
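Why the priority number matters, as an added Python sketch (not the router's rule engine and not code from this manual). It assumes rules are checked in priority order with the first match deciding, and that a packet matching no rule is denied; the rule fields follow Table 9.1, while the function names and all addresses are constructed for the illustration.

```python
"""Toy ACL evaluation: rule order decides which of two overlapping rules wins."""
import ipaddress
from dataclasses import dataclass


def ip_match(spec, ip):
    """spec is 'any', one address, 'address/mask' (subnet) or 'low-high' (range)."""
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if "-" in spec:
        low, high = (ipaddress.ip_address(part) for part in spec.split("-"))
        return low <= addr <= high
    return addr in ipaddress.ip_network(spec, strict=False)


def port_match(spec, port):
    """spec is 'any', a single port number, or a (low, high) range."""
    if spec == "any":
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return port == spec


@dataclass
class Rule:
    priority: int            # 1 is the highest priority
    action: str              # "allow" or "deny"
    protocol: str            # "tcp", "udp", "icmp" or "any"
    src_ip: str = "any"
    src_port: object = "any"
    dst_ip: str = "any"
    dst_port: object = "any"

    def matches(self, pkt):
        return (self.protocol in ("any", pkt["protocol"])
                and ip_match(self.src_ip, pkt["src_ip"])
                and port_match(self.src_port, pkt["src_port"])
                and ip_match(self.dst_ip, pkt["dst_ip"])
                and port_match(self.dst_port, pkt["dst_port"]))


def evaluate(rules, pkt, default="deny"):
    """Return (action, priority of the deciding rule); assumed first-match."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(pkt):
            return rule.action, rule.priority
    return default, None     # assumed behaviour when nothing matches


def move_to(rules, rule, new_priority):
    """Mimic the "Move to" drop-down: place `rule`, then renumber the others."""
    ordered = sorted((r for r in rules if r is not rule), key=lambda r: r.priority)
    ordered.insert(new_priority - 1, rule)
    for number, r in enumerate(ordered, start=1):
        r.priority = number


def build_rules():
    """Constructed inbound rule set with a broad deny above a narrow allow."""
    return [
        Rule(1, "deny", "tcp", dst_port=80),
        Rule(2, "allow", "tcp", src_ip="203.0.113.0/255.255.255.0",
             dst_ip="192.168.1.20", dst_port=80),
        Rule(3, "allow", "tcp", src_ip="198.51.100.10-198.51.100.20",
             dst_ip="192.168.1.20", dst_port=(20, 21)),
    ]


# Constructed sample packet: a partner host reaching the internal web server.
PARTNER_WEB = {"protocol": "tcp", "src_ip": "203.0.113.9", "src_port": 51515,
               "dst_ip": "192.168.1.20", "dst_port": 80}

if __name__ == "__main__":
    rules = build_rules()
    print(evaluate(rules, PARTNER_WEB))   # the broad deny shadows the allow
    move_to(rules, rules[1], 1)
    print(evaluate(rules, PARTNER_WEB))   # the allow now decides
```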
Figure 9.9. Outbound ACL Configuration Page

9.4.1 Outbound ACL Rule Configuration Parameters

Table 9.2 describes the configuration parameters available for firewall outbound ACL rule.

Table 9.2. Outbound ACL Rule Configuration Parameters

ID
  Add New: Click on this option to add a new 'basic' Firewall rule.
  Rule Number: Select a rule from the drop-down list, to modify its attributes.
network.
  IP Address: This option allows you to specify an IP address on which this rule will be applied.
    IP Address: Specify the appropriate network address
  Subnet: This option allows you to include all the computers that are connected in an IP subnet. When this option is selected, the following fields become available for entry:
    Address: Enter the appropriate IP address.
    Mask
  Range
  Single, Range: Select any of these and enter details as described in the Source Port section above.
  Service: This option allows you to select any of the pre-configured services (selectable from the drop-down list) instead of the destination port.
9.4.3 Add an Outbound ACL Rule

To add an outbound ACL rule, follow the instructions below:

1. Open the Outbound ACL Rule Configuration Page (see section 9.4.2 Access Outbound ACL Rule Configuration Page).
2. Select “Add New” from the “ID” drop-down list.
3. Set the desired action (Allow or Deny) from the “Action” drop-down list.
4.
4. Click on the button to modify this ACL rule. The new settings for this ACL rule will then be displayed in the outbound access control list table at the bottom half of the Outbound ACL Configuration page.

9.4.5 Delete Outbound ACL Rules

To delete an outbound ACL rule, just click on the in front of the rule to be deleted or follow the instructions below:

1.
Figure 9.11. URL Filter Configuration Page

9.5.3 Add an URL Filter Rule

To add a URL Filter, follow the instructions below:

1. Open the URL Configuration page (see section 9.5.2 Access URL Filter Configuration Page).
2. Select “Add New” from the “ID” drop-down list.
3. Enter a keyword in the Keyword field.
4. Click on the button to create the URL Filter rule.
proxy web server is used. If you don’t use a proxy server for your browser, this setting will be ignored. Note that you must disable and then enable the firewall for this change to take effect. Please refer to section 12.1 Configure System Services for details on enabling and disabling firewall services.

Figure 9.12. URL Filter Rule Example

9.
Figure 9.13. Self Access Rule Configuration Page
9.6.1.1 Self Access Configuration Parameters
Table 9.4 describes the configuration parameters available in the Self Access configuration page.
Table 9.4. Self Access Configuration Parameters
Field | Description
Protocol | Select protocol from drop-down list - TCP/UDP/ICMP
Port | Enter the Port Number.
Direction | Select the direction from which the traffic will be allowed.
2. Select “Add New” from the Self Access rule drop-down list.
3. Select a protocol from the Protocol drop-down list. If you select TCP or UDP protocol, you will need to enter port number as well.
4. Click on the button to create the new Self Access rule. The new rule will then be displayed in the Self Access Rule list table at the bottom half of the Self Access Rule Configuration page.
Example
Figure 9.
Figure 9.14. Service List Configuration Page (callouts: Service drop-down list, Edit icon)
9.6.2.1 Service List Configuration Parameters
Table 9.5 describes the available configuration parameters for firewall service list.
Table 9.5. Service List configuration parameters
Field | Description
Service Name | Enter the name of the Service to be added. Note that only alphanumeric characters are allowed in a name.
5. Click on the button to create the new service. The new service will then be displayed in the service list table at the bottom half of the Service Configuration page.
9.6.2.4 Modify a Service
To modify a service, follow the instructions below:
1. Open the Service List Configuration Page (see section 9.6.2.2 Access Service List Configuration Page).
2.
Field | Description
to get into a "stuck state" where they cannot accept connections from legitimate users. ("SYN" is short for "SYNchronize"; this is the first step in opening an Internet connection). You can select this box if you wish to protect the network from TCP SYN flooding. By default, SYN Flood protection is enabled.
Winnuke | Check or un-check this option to enable or disable protection against Winnuke attacks.
Field | Description
Minimum IP Fragment Size | Enter the minimum size of IP fragments to be allowed through the Firewall. This limit will not be enforced on the last fragment of the packet. If the Internet traffic is such that it generates many small sized fragments, this value can be decreased.
• NAT Pools – This option allows you to configure NAT Pools that will ensure mapping of the internal IP address to public IP address. Configure NAT Pools here before attaching them to policies.
• Time Ranges – This option allows you to configure time-windows for user-access to the networks across the Internet Security Router.
9.7.
Field | Description
CWD | Allow or deny changing the directory.
LIST | Allow or deny listing of files/directories.
MKD | Allow or deny creating a directory.
NLST | Allow short listing of directory contents.
PASV | Allow initiation of a passive data connection.
PORT | Allow or deny Port Number to participate in an active data connection.
RETR | Allow or deny getting a file from the FTP server.
Figure 9.16. Application Filter Configuration Page
9.7.1.3 Add an Application Filter
The application filter configuration is best explained with a few examples. Note that the configuration for RPC and SMTP is similar to that for FTP and will not be presented here.
9.7.1.3.1 FTP Example: Add a FTP Filter Rule to Block FTP DELETE Command
[Network diagram labels: 10.64.2.0; FTP Server; 10.64.2.254; Outside FW; ISR; Inside FW; Private Network 192.168.
Figure 9.18. FTP Filter Example – Configuring FTP Filter Rule (callouts: Filter Type drop-down list, Filter Rule drop-down list)
2. Select FTP from the Filter Type drop-down list.
3. Select “Add New Filter” from the Filter Rule drop-down list.
4. Enter a name for this rule – in this example, FTPRule1.
5. Change the port number if necessary. However, it is recommended that you keep the “Default” setting.
6.
Figure 9.21. FTP Filter Example – Associate FTP Filter Rule to an ACL Rule (callout: FTP filter drop-down list)
11. Associate the newly added FTP application filter rule to a firewall ACL rule (inbound, outbound or group ACL) by selecting a FTP filter from the FTP filter drop-down list (see Figure 9.21) and then click on or button to save the settings.
9.7.1.3.
7. Check the web application files to block – in this example, Java Applets and Java Archives.
8. Enter additional web application files to block. Enter the file extension in the “Deny Following Files” fields if desired. Figure 9.22 shows that flash files (file extension is *.swf) are to be blocked in addition to Java applet and archive files.
9. Click on button to create this HTTP application filter rule.
10.
Figure 9.24. Modify an Application Filter (callouts: Filter Type drop-down list, Filter Rule drop-down list)
9.7.1.5 Delete an Application Filter
To delete an Application Filter, click on the icon of the filter to be deleted or follow the instructions below:
1. Open the Application Filter Configuration page (see section 9.7.1.2 Access Application Filter Configuration Page – (Firewall → Policy List → Application Filter)).
2.
Field | Description
IP Address | Enter the IP Address.
9.7.2.2 Access IP Pool Configuration Page – (Firewall → Policy List → IP Pool)
Log into Configuration Manager as admin, click the Firewall menu, click the Policy List submenu and then click the IP Pool submenu. The IP Pool Configuration page displays, as shown in Figure 9.25.
2. Click on the icon of the IP pool to be modified in the IP Pool List table or select the IP pool from the IP Pool drop-down list.
3. Make desired changes to any or all of the following fields: Pool name, Pool type and IP address.
4. Click on the button to save the new settings. The new settings for this pool will then be displayed in the IP Pool list table.
9.7.2.
Figure 9.27. IP Pool Example – Add Two IP Pools – MISgroup1 and MISgroup2
2. Associate an IP pool to firewall ACL rules (inbound, outbound or group ACL) by selecting “IP Pool” from the Source IP Type drop-down list and then choosing an IP pool from the IP pool drop-down list. In this example, the IP pool is associated with the source IP; however, it can be associated with the destination IP as well. As shown in Figure 9.
Field | Description
Static | Select this type of NAT to set a one-to-one mapping between the Internal Address and the External Address.
LAN IP range | For the Internal Address
Start IP | Enter the starting IP address.
End IP | Enter the ending IP address.
Internet IP Range | For the External Address
Start IP | Enter the starting IP address.
End IP | Enter the ending IP address.
9.7.3.3 Add a NAT Pool
To add a NAT Pool, follow the instructions below:
1. Open the NAT Pool Configuration page (see section 9.7.3.2 Access NAT Pool Configuration Page – (Firewall → Policy List → NAT Pool)).
2. Select “Add New Pool” from the NAT Pool drop-down list.
3. Enter a pool name into the Name field.
4. Select a pool type from the Type drop-down list.
5.
[Network diagram labels: 10.64.2.0/24; Static NAT Pool 10.64.2.1, 10.64.2.2, 10.64.2.3; WAN Port 10.64.2.254; ISR; LAN Port 192.168.1.1; 192.168.1.11, 192.168.1.12, 192.168.1.13]
Figure 9.30. Network Diagram for NAT Pool Example
1. Create a NAT pool for static NAT – see Figure 9.31.
Figure 9.31. NAT Pool Example – Create a Static NAT Pool
2.
Figure 9.32. NAT Pool Example – Associate a NAT Pool to an ACL Rule (callouts: NAT type drop-down list, NAT pool drop-down list)
9.7.4 Configuring Time Range
With this option you can configure access time range records for eventual association with ACL rules. ACL rules associated with a time range record will be active only during the scheduled period.
9.7.4.2 Access Time Range Configuration Page – (Firewall → Policy List → Time Range)
Log into Configuration Manager as admin, click the Firewall menu, click the Policy List submenu and then click the Time Range submenu. The Time Range Configuration page displays, as shown in Figure 9.33.
5. Click on the button to save the new settings.
9.7.4.5 Delete a Time Range
To delete a Time Range, click on the icon of the Time Range to be deleted.
9.7.4.6 Delete a Schedule in a Time Range
To delete a schedule in a Time Range, follow the instructions below:
1. Open the Time Range Configuration page (see section 9.7.4.2 Access Time Range Configuration Page – (Firewall → Policy List → Time Range)).
2.
9.8 Firewall Statistics – Firewall → Statistics
The Firewall Statistics page displays details regarding the active connections. Figure 9.36 shows sample firewall statistics for active connections. To see updated statistics, click on button.
Figure 9.36.
10 Configuring VPN
This chapter contains instructions for configuring VPN connections using automatic keying and manual keys.
10.1 Default Parameters
The Internet Security Router is pre-configured with a default set of proposals/connections. They cover the most commonly used sets of parameters required for typical deployment scenarios.
Default lifetime
The default lifetime for the pre-configured IKE proposals and IPSec proposals is 3600 seconds (one hour). It is recommended to set the lifetime value greater than 600 seconds for a new IKE proposal or IPSec proposal. This avoids frequent re-keying, which would unnecessarily burden the system.
Limits for key length
The maximum key length for pre-shared key, cipher key and Authentication Key is 50 characters.
Options | Description
VPN Connection Type
Site to site | Click this radio button to add a policy for site-to-site users.
Remote access | Click this radio button to add a policy for remote access users.
User Group (only available for Remote Access mode) | Select a user group from the User Group drop-down list to which this rule should apply.
Options | Description
Xauth (aggressive mode only) | Xauth is a user ID and password based authentication. This option is available only when aggressive mode is selected.
Preshared Key | Enter the shared secret (this should match the secret key at the other end).
IKE Encryption / Authentication | Select the IKE authentication and encryption from the drop-down list.
Options | Description
Pre-shared Key Specific Options
PFS Group | PFS stands for perfect forward secrecy. You may choose to use the same keys (generated when the IKE tunnel is created) for all re-negotiations or you can choose to generate new keys for every re-negotiation. Select “None” to use the same keys for all the re-negotiations. Select a specific DH (Diffie-Hellman) group to generate new keys for every re-negotiation.
10.3.1 Add a Rule for VPN Connection Using Pre-shared Key
The VPN Tunnel Configuration Page, illustrated in Figure 10.1, is used to configure a rule for a VPN connection using a pre-shared key.
To add a rule for a VPN connection, follow the instructions below:
1. Log into Configuration Manager as admin, click the VPN menu, and then click the VPN Tunnel submenu. The VPN Tunnel Configuration page displays, as shown in Figure 10.1.
7. Assign a priority for this rule by selecting a number from the “Move to” drop-down list. Note that the number indicates the priority of the rule, with two being the highest because one is used by the rule allow-ike-io, which is needed by IKE. Higher priority rules are examined by the VPN before lower priority rules.
8. Click on the button to create the new VPN rule.
10.4 Establish VPN Connection Using Manual Keys
This section describes the steps to establish the VPN tunnel using manual keying. Manual keying is a method to achieve security when ease of configuration and maintenance is more important or automatic keying is not feasible due to interoperability issues between IKE implementations on the gateways.
5. Click on “Enable” or “Disable” radio button to enable or disable this rule.
6. Make changes to any or all of the following fields: local/remote secure group, remote gateway, key management type (select Manual Key), pre-shared key for IKE, encryption/authentication algorithm for IKE, lifetime for IKE, encryption/authentication algorithm for IPSec, operation mode for IPSec, PFS group for IPSec and lifetime for IPSec. Please see Table 10.
1. Log into Configuration Manager as admin, click the VPN menu, and then click the VPN Tunnel submenu.
2. The VPN rule table located at the bottom half of the VPN Configuration page shows all the configured VPN rules.
10.5 VPN Statistics
The Statistics option allows you to view the VPN statistics – Global, IKE SAs and IPSec SAs. Table 10.5 describes the VPN statistics parameters.
Table 10.5.
Figure 10.3 shows all the parameters available for VPN connections. To see updated statistics, click on the button.
Figure 10.3. VPN Statistics Page
10.6 VPN Connection Examples
Gateways with integrated VPN and Firewall are useful in scenarios where:
• The traffic between branch offices is protected by VPN and
• Traffic destined for public Internet goes through Firewall/NAT.
10.6.1.1 Configure Rules on Internet Security Router 1 (ISR1)
This section describes the steps to establish the VPN/Firewall for the Internet scenario. Figure 10.4 depicts the typical Intranet connections. Note that ADSL or cable modem is not required if the two networks are connected via Ethernet connections. The setting of each configuration step is illustrated in a figure.
Figure 10.5. Intranet VPN Policy Configuration on ISR1
Step 1: Configure VPN connection rules
Refer to the section 10.3 Establish VPN Connection Using Automatic Keying to configure VPN policies on ISR1 using automatic keying.
Step 2: Configure Firewall rules
1. Configure outbound Firewall rule to allow packets from 192.168.1.0/255.255.255.0 to 192.168.2.0/255.255.255.0 without any NAT
2.
Refer to the section 10.3 Establish VPN Connection Using Automatic Keying to configure VPN policies on ISR2 using automatic keying.
Figure 10.6. Intranet VPN Policy Configuration on ISR2
Step 2: Configure Firewall rules
1. Configure outbound Firewall rule to allow packets from 192.168.2.0/255.255.255.0 to 192.168.1.0/255.255.255.0 without any NAT.
2. Configure inbound Firewall rule to allow packets from 192.168.1.0/255.255.255.0 to 192.
Field | Value
Mask | 255.255.255.0
NAT | None
Action | Allow
VPN | Enable
Note: The outbound Un-translated Firewall rule has to be added the existing rule ID 1001.
Table 10.9. Inbound Un-translated Firewall Rule for VPN Packets on ISR1
Field | Value
Source IP: Type | Subnet
Source IP: Address | 192.168.1.0
Source IP: Mask | 255.255.255.0
Destination IP: Type | Subnet
Destination IP: Address | 192.168.2.0
Destination IP: Mask | 255.255.255.0
NAT | None
Action | Allow
VPN | Enable
10.6.1.
[Network diagram labels: ADSL/Cable Modem; Internet; ADSL/Cable Modem. ISR1: WAN 123.1.1.123, LAN 192.168.1.1, 192.168.1.10, 192.168.1.11, 192.168.1.12, mapped to 192.168.11.0. ISR2: WAN 212.1.1.212, LAN 192.168.1.1, 192.168.1.10, 192.168.1.11, 192.168.1.12, mapped to 192.168.12.0]
Figure 10.7. Typical Extranet Network Diagram
Both networks behind the ISR1 and ISR2 are 192.168.1.0/255.255.255.0.
5. Save the configuration.
10.6.2.2 Configure VPN Rules on ISR1
Step 1: Configure VPN Rule
Refer to the section 10.3 Establish VPN Connection Using Automatic Keying to configure VPN policies on ISR1 using automatic keying with the following addresses:
1. Use 192.168.11.0/255.255.255.0 for the Local Secure Group
2. Use 192.168.12.0/255.255.255.0 for the Remote Secure Group
Figure 10.8.
Figure 10.9. Extranet Example – Outgoing NAT Pool Configuration on ISR1
2. Configure incoming static NAT pool (reverse-static-NAT) for translating addresses in range 192.168.11.1-192.168.11.254 to 192.168.1.1-192.168.1.254
Figure 10.10. Extranet Example – Incoming NAT Pool Configuration on ISR1
Step 3: Configure Extranet access rules
1. Configure outbound Firewall rules to map the source IP address of outbound packets from 192.168.1.
Figure 10.11. Extranet Example – Outbound ACL Rule on ISR1
2. Configure inbound Firewall rules to map the destination IP address of inbound packets from 192.168.11.x range to 192.168.1.x (defined by Incoming_NAT pool) range after the packet is processed by VPN.
Figure 10.12. Extranet Example – Inbound ACL Rule on ISR1
10.6.2.
Refer to the section 10.3 Establish VPN Connection Using Automatic Keying to configure VPN policies on ISR2 using automatic keying with the following addresses:
1. Use 192.168.12.0/255.255.255.0 as Local Secure Group
2. Use 192.168.11.0/255.255.255.0 as Remote Secure Group
Figure 10.13. Extranet Example – VPN Policy Configuration on ISR2
Step 2: Configure Static NAT Pools
1.
2. Configure incoming static NAT pool (reverse-static-NAT) for translating addresses in range 192.168.12.1-192.168.12.254 to 192.168.1.1-192.168.1.254
Figure 10.15. Extranet Example – Incoming NAT Pool Configuration on ISR2
Step 3: Configure Extranet rules
1. Configure outbound Firewall rules to map the source IP address of outbound packets from 192.168.1.x range to 192.168.12.
Figure 10.17. Extranet Example – Inbound ACL Rule on ISR2
10.6.2.4 Establish Tunnel and Verify
• Start a continuous ping from a host on the LAN behind ISR1 to a host on the LAN behind ISR2. The first few pings will fail. After a few seconds, the host on the LAN behind ISR1 should start getting ping responses.
• Ping from a host on the LAN behind ISR2 to a host on the LAN behind ISR1. Ping should be successful.
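The address mapping of the extranet example in section 10.6.2, traced end to end for one packet and its reply. This is an added illustration, not code from the manual or the router firmware; the pool name Outgoing_NAT, ISR1's outgoing range (inferred by symmetry from "Mapped to 192.168.11.0" in Figure 10.7) and all class and function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IPv4 = ipaddress.IPv4Address
Packet = Tuple[str, str]  # (source IP, destination IP)


@dataclass(frozen=True)
class StaticNatPool:
    """Static (one-to-one) NAT between two equally sized address ranges."""
    name: str
    from_start: str
    from_end: str
    to_start: str
    to_end: str

    def __post_init__(self) -> None:
        span_from = int(IPv4(self.from_end)) - int(IPv4(self.from_start))
        span_to = int(IPv4(self.to_end)) - int(IPv4(self.to_start))
        if span_from < 0 or span_from != span_to:
            raise ValueError(f"{self.name}: ranges must be the same size")

    def translate(self, addr: str) -> Optional[str]:
        """Map addr by its offset in the range; None if it is outside the pool."""
        offset = int(IPv4(addr)) - int(IPv4(self.from_start))
        if 0 <= offset <= int(IPv4(self.from_end)) - int(IPv4(self.from_start)):
            return str(IPv4(int(IPv4(self.to_start)) + offset))
        return None


@dataclass(frozen=True)
class Gateway:
    """Hypothetical model of one ISR: a VPN rule plus its two static NAT pools."""
    name: str
    local_group: str    # VPN Local Secure Group (the mapped subnet)
    remote_group: str   # VPN Remote Secure Group (the peer's mapped subnet)
    outgoing_pool: StaticNatPool
    incoming_pool: StaticNatPool

    def _matches_vpn_rule(self, local_ip: str, remote_ip: str) -> bool:
        return (IPv4(local_ip) in ipaddress.ip_network(self.local_group)
                and IPv4(remote_ip) in ipaddress.ip_network(self.remote_group))

    def send(self, src: str, dst: str) -> Optional[Packet]:
        """Outbound ACL rule: NAT the source first, then match the VPN rule."""
        mapped_src = self.outgoing_pool.translate(src)
        if mapped_src is None or not self._matches_vpn_rule(mapped_src, dst):
            return None  # not tunnel traffic
        return (mapped_src, dst)

    def receive(self, src: str, dst: str) -> Optional[Packet]:
        """Inbound ACL rule: after VPN processing, map the destination back."""
        if not self._matches_vpn_rule(dst, src):
            return None
        real_dst = self.incoming_pool.translate(dst)
        return None if real_dst is None else (src, real_dst)


def build_gateway(name: str, mapped: int, peer: int) -> Gateway:
    """Both LANs are 192.168.1.0/24; `mapped` is the third octet a side presents."""
    return Gateway(
        name=name,
        local_group=f"192.168.{mapped}.0/255.255.255.0",
        remote_group=f"192.168.{peer}.0/255.255.255.0",
        outgoing_pool=StaticNatPool("Outgoing_NAT", "192.168.1.1", "192.168.1.254",
                                    f"192.168.{mapped}.1", f"192.168.{mapped}.254"),
        incoming_pool=StaticNatPool("Incoming_NAT", f"192.168.{mapped}.1",
                                    f"192.168.{mapped}.254",
                                    "192.168.1.1", "192.168.1.254"),
    )


ISR1 = build_gateway("ISR1", mapped=11, peer=12)
ISR2 = build_gateway("ISR2", mapped=12, peer=11)


def deliver(sender: Gateway, receiver: Gateway, src: str, dst: str) -> Optional[Packet]:
    """Return the (src, dst) seen by the destination host, or None if dropped."""
    in_tunnel = sender.send(src, dst)
    return None if in_tunnel is None else receiver.receive(*in_tunnel)


if __name__ == "__main__":
    # Host .10 behind ISR1 reaches host .11 behind ISR2 via its mapped address.
    print(deliver(ISR1, ISR2, "192.168.1.10", "192.168.12.11"))
    # The reply travels the reverse path.
    print(deliver(ISR2, ISR1, "192.168.1.11", "192.168.11.10"))
    # Using the peer's real (overlapping) address never matches the VPN rule.
    print(deliver(ISR1, ISR2, "192.168.1.10", "192.168.1.11"))
```

Hosts on either side must address the peer by its mapped 192.168.11.x or 192.168.12.x address; the third call shows that the real, overlapping address does not match the VPN rule.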
11 Configuring Remote Access
11.1 Remote Access
The Internet Security Router firewall allows telecommuters to securely access their corporate network using the Remote Access mechanism based on the notions of groups, users and access policies. Each group is associated with a set of access policies that are activated when a user belonging to that group logs in.
Field | Description
User Name | Enter a unique User name for the user that you would like to add.
User State | Click on the Enable or Disable radio button to enable or disable the user. Disabling the user will force the user to be disconnected. Further login from that specific user will be disabled. Enabling the user will allow the specific user to log in.
Password | Enter the User’s password.
6. If you want to add a user to this newly created group, continue with the following steps; otherwise, jump to step 12 to complete the configuration.
7. Select “Add New User” from the user drop-down list.
8. Enter a unique user name in the User Name field.
9. Click on the “Enable” or “Disable” radio button in the User State field to enable or disable this user.
10. Enter the password in the Password field for this user.
11.
3. Click on the button to delete this user group. Note that a user group cannot be deleted unless all the users belonging to the group are deleted first.
To delete a user, simply click on the icon of the user in the Remote User List table in the User Group Configuration page or follow the instructions below:
1. Open the User Group Configuration page (see section 11.2.
Field | Description
Outbound | Select this if this rule is for outbound traffic.
Group | Select from the group drop-down list to which this rule should apply. Note that to configure a group ACL rule, a user group must be configured first. Please refer to 11.2 for the configuration of user groups.
11.3.
Figure 11.4. Login Console
After a successful login, the screen appears as in Figure 11.5.
Figure 11.5. Login Status Screen
[Network diagram labels: User Name: Richard, Group Name: RoadWarrior; User Name: Gloria, Group Name: RoadWarrior; Internet; WAN Port 61.222.32.38; ISR; LAN Port 192.168.1.1; FTP Server: 192.168.1.200; Private Network 192.168.1.0/24]
Figure 11.6.
11.5 Configure Firewall for Remote Access
Remote Access is usually used to let mobile users of a company access their corporate network without compromising on security. The steps required for configuring the Internet Security Router for remote access are best explained with an example.
2. Create an inbound group ACL rule (see Figure 11.8) to allow remote access users, Richard and Gloria, to access the FTP server in the corporate network.
3. Remote users, Richard and Gloria, can then log into the Internet Security Router to access the FTP server by entering the following URL in the browser: http://61.222.32.38/login
11.
5. An IP address (in the IP Address field) is automatically assigned for the selected user. However, you may change it to any desired value.
6. Click to save the virtual IP settings. Note that a list of existing virtual IP assignments is displayed at the bottom half of the VPN Virtual IP Configuration page.
11.6.
11.7 Configure VPN for Remote Access
Remote Access VPN is used primarily by telecommuters/road-warriors to securely access resources behind the Internet Security Router located at a head-office or a central site. The steps required for configuring the Internet Security Router and the VPN client on a remote user’s machine to provide remote access are explained in the following sections.
Figure 11.12. Main Mode Remote Access Example – Configure the Virtual IP address
3. Create a VPN policy for Richard and Gloria. The settings for this policy are illustrated in Figure 11.13. Note that only one policy is needed for both Richard and Gloria because they belong to the same group, RoadWarrior. If Richard and Gloria belong to different groups, one VPN policy is required for each user.
Figure 11.13.
11.7.2 Aggressive Mode Remote Access
Aggressive Mode remote access with Xauth is a mechanism where the remote access client is prompted for an additional login (the Xauth login). This form of remote access is more secure since an intruder cannot access the corporate resources through a connected laptop that belongs to a valid employee.
3. Create a VPN policy for Richard and Gloria. The settings for this policy are illustrated in Figure 11.16. Note that only one policy is needed for both Richard and Gloria because they belong to the same group, RoadWarrior. If Richard and Gloria belong to different groups, one VPN policy is required for each user.
Figure 11.16.
12 System Management
This chapter describes the following administrative tasks that you can perform using Configuration Manager:
• Configure system services
• Modify password
• Modify system information
• Modify system date and time
• Reset, backup and restore system configuration
• Update firmware
• Logout of Configuration Manager
You can access these tasks from the System Management menu.
12.
12.2 Change the Login Password
The first time you log into the Configuration Manager, you use the default username and password (admin and admin). The system allows two types of users – administrator (username: admin) and guest (username: guest). The administrator has the privilege to modify the system settings, while the guest can only view the system settings. Passwords of both the admin and guest accounts can be changed by the administrator.
Figure 12.3. System Information Configuration Page
12.4 Setup Date and Time
The Internet Security Router keeps a record of the current date and time, which it uses to calculate and report various performance data.
Note: Changing the Internet Security Router date and time does not affect the date and time on your PCs.
Figure 12.4. Date and Time Configuration Page
There is no real time clock inside the Internet Security Router.
address of time servers and the desired update interval. Select your time zone from the “Time Zone” drop-down list, change the IP address of the time servers and the update interval if desired and then click on button to save the changes.
12.4.1 View the System Date and Time
To view the updated system date and time, log into Configuration Manager as admin, click the System Management menu, and then click the Date/Time Setup submenu.
12.
12.5.2 Backup System Configuration
Follow the steps below to back up the system configuration:
1. Log into Configuration Manager as admin, click the System Management menu, click the Configuration submenu and then click the Backup submenu. The Backup Configuration page displays, as shown in Figure 12.6.
2. Click on button to back up the system configuration.
Figure 12.6. Backup System Configuration Page
12.5.
Figure 12.7. Restore System Configuration Page
2. Enter the path and name of the system configuration file that you want to restore in the “Configuration File” text box. Alternatively, you may click on the button to search for the system configuration file on your hard drive. A window similar to the one shown in Figure 12.8 will pop up for you to select the configuration file to restore.
Figure 12.8. Windows File Browser
3.
1. Log into Configuration Manager, click the System Management menu and then click the Firmware Upgrade submenu. The Firmware Upgrade page displays, as shown in Figure 12.9.
Figure 12.9. Firmware Upgrade Page
2. In the Firmware text box, enter the path and name of the firmware image file. Alternatively, you may click on button to search for it on your hard drive.
3. Click on button to update the firmware.
12.8 Logout Configuration Manager
To log out of Configuration Manager, click on the button in the Configuration Manager Logout page. If you are using IE as your browser, a window similar to the one shown in Figure 12.12 will prompt for confirmation before closing your browser.
Figure 12.11. Configuration Manager Logout Page
Figure 12.12. Confirmation for Closing Browser (IE)
13 ALG Configuration
Table 13.1 lists all the supported ALGs (Application Layer Gateway).
Table 13.1. Supported ALG
ALG/Application Name | Protocol and Port | Predefined Service Name | Tested Software Version
PCAnywhere | UDP/22 | PC-ANYWHERE | pcAnywhere 9.0.
ALG/Application Name
Diablo II (BATTLENET-TCP, BATTLENET-UDP)
14 IP Addresses, Network Masks, and Subnets
14.1 IP Addresses
This section pertains only to IP addresses for IPv4 (version 4 of the Internet Protocol). IPv6 addresses are not covered.
Note: This section assumes basic knowledge of binary numbers, bits, and bytes. For details on this subject, see Appendix 13.
Class A networks are the Internet's largest networks, each with room for over 16 million hosts. Up to 126 of these huge networks can exist, for a total of over 2 billion hosts. Because of their huge size, these networks are used for WANs and by organizations at the infrastructure level of the Internet, such as your ISP.
Class B networks are smaller but still quite large, each able to hold over 65,000 hosts.
Class C: 255.255.255.0
These are called default because they are used when a network is initially configured, at which time it has no subnets.
15 Troubleshooting
This appendix suggests solutions for problems you may encounter in installing or using the Internet Security Router, and provides instructions for using several IP utilities to diagnose problems. Contact Customer Support if these suggestions do not resolve the problem.
Problem | Troubleshooting Suggestion
LEDs
Power LED does not illuminate after product is turned on.
Problem | Troubleshooting Suggestion
addresses within a predefined pool
PCs cannot display web pages on the Internet. | Verify that the DNS server specified on the PCs is correct for your ISP, as discussed in the item above. You can use the ping utility, discussed in the following section, to test connectivity with your ISP’s DNS server.
Configuration Manager Program
You forgot/lost your Configuration Manager user ID or password.
Figure 15.1. Using the ping Utility

If the target computer cannot be located, you will receive the message “Request timed out.”

Using the ping command, you can test whether the path to the Internet Security Router is working (using the preconfigured default LAN IP address 192.168.1.1) or another address you assigned. You can also test whether access to the Internet is working by typing an external address, such as that for www.yahoo.
Figure 15.2. Using the nslookup Utility

There may be several addresses associated with an Internet name. This is common for web sites that receive heavy traffic; they use multiple, redundant servers to carry the same information.

To exit from the nslookup utility, type exit and press at the command prompt.
16 Glossary

10BASE-T
A designation for the type of wiring used by Ethernet networks with a data rate of 10 Mbps. Also known as Category 3 (CAT 3) wiring. See also data rate, Ethernet.

100BASE-T
A designation for the type of wiring used by Ethernet networks with a data rate of 100 Mbps. Also known as Category 5 (CAT 5) wiring. See also data rate, Ethernet.
element of URLs, which identify a specific file at a web site, e.g., http://www.asus.com. See also DNS.

download
To transfer data in the downstream direction, i.e., from the Internet to the user.

DSL
Digital Subscriber Line
A technology that allows both digital data and analog voice signals to travel over existing copper telephone lines.

Ethernet
The most commonly installed computer network technology, usually using twisted pair wiring.
from 0 to 255, separated by periods, e.g., 209.191.4.240. An IP address consists of a network ID that identifies the particular network the host belongs to, and a host ID uniquely identifying the host itself on that network. A network mask is used to define the network ID and the host ID. Because IP addresses are difficult to remember, they usually have an associated domain name that can be specified instead. See also domain name, network mask.
between your ISP and your computer. The WAN interface on the Internet Security Router uses two forms of PPP called PPPoA and PPPoE. See also PPPoA, PPPoE.

PPPoE
Point-to-Point Protocol over Ethernet
One of the two types of PPP interfaces you can define for a Virtual Circuit (VC), the other type being PPPoA. You can define one or more PPPoE interfaces per VC.

protocol
A set of rules governing the transmission of data.
twisted pair
The ordinary copper telephone wiring long used by telephone companies. It contains one or more wire pairs twisted together to reduce inductance and noise. Each telephone line uses one pair. In homes, it is most often installed with two pairs. For Ethernet LANs, a higher grade called Category 3 (CAT 3) is used for 10BASE-T networks, and an even higher grade called Category 5 (CAT 5) is used for 100BASE-T networks.