In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the right to make changes to the products described in this document without notice. Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
30 days of purchase to obtain a credit for the full purchase price. “Software” is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies.
(for DoD entities). b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.
Consult the dealer or an experienced radio/TV technician for help. Notice 1 Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. Certifications Refer to the product page at www.nortelnetworks.com. Contivity 221 VPN Switch User’s Guide...
Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. The Industry Canada does not guarantee that the equipment will operate to a user's satisfaction. Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company.
Table of Contents

List of Figures  xvii
List of Tables  xxvii
Preface  xxxiii
Overview  I
Chapter 1 Getting to Know Your Contivity 221  1-1
Introducing the Contivity 221  1-1
Features  1-1
Applications for the Contivity 221  1-6
Hardware Setup  1-7
Getting Started  II
Chapter 2 Introducing the WebGUI  2-1

Configuring General Setup  4-1
Dynamic DNS  4-3
Configuring Dynamic DNS  4-4
Configuring Password  4-5
Configuring Time Setting  4-6
Chapter 5 LAN Screens  5-1
LAN Overview  5-1
DHCP Setup  5-1
LAN TCP/IP  5-1
Configuring IP  5-3
Configuring Static DHCP  5-5
Configuring IP Alias  5-7
Chapter 6 WAN Screens  6-1
WAN Overview  6-1

10.7 Predefined Services  10-16
10.8 Alerts  10-19
10.9 Configuring Attack Alert  10-19
Chapter 11 Content Filtering Screens  11-1
11.1 Introduction to Content Filtering  11-1
11.2 Restrict Web Features  11-1
11.3 Days and Times  11-1
11.4 Configure Content Filtering  11-1
VPN/IPSec  VI
Chapter 12 Introduction to IPSec  12-1

15.4 Installing UPnP in Windows Example  15-4
15.5 Using UPnP in Windows XP Example  15-6
Logs  VIII
Chapter 16 Logs Screens  16-1
16.1 Configuring View Log  16-1
16.2 Configuring Log Settings  16-3
16.3 Configuring Reports  16-6

Accessing the SMT via the Console Port  18-1
18.3 Navigating the SMT Interface  18-2
18.4 Changing the System Password  18-8
18.5 Resetting the Contivity 221  18-8
Chapter 19 SMT Menu 1 - General Setup  19-1
19.1 Introduction to General Setup  19-1
19.2 Configuring General Setup  19-1
Chapter 20 WAN and Dial Backup Setup  20-1

Chapter 24 IP Static Route Setup  24-1
24.1 IP Static Route Setup  24-1
Chapter 25 Network Address Translation (NAT)  25-1
25.1 Using NAT  25-1
25.2 NAT Setup  25-4
25.3 Configuring a Server behind NAT  25-9
25.4 General NAT Examples  25-11
25.5 Configuring Trigger Port Forwarding  25-20
Chapter 26 Introducing the Firewall  26-1
26.1 Using SMT Menus  26-1
Chapter 27 Filter Configuration  27-1
27.1 Introduction to Filters  27-1
27.2 Configuring a Filter Set  27-4
27.3 Example Filter  27-13
27.4 Filter Types and NAT  27-15
27.5 Firewall Versus Filters  27-16

Appendix I Command Interpreter  I-1
Appendix J NetBIOS Filter Commands  J-1
Appendix K Boot Commands  K-1
Appendix L Log Descriptions  L-1
Appendix M Brute-Force Password Guessing Protection  M-1
Index  XVI
Appendix N Index  N-1

List of Figures

Figure 14-7 DNS  14-11
Figure 14-8 Security  14-12
Figure 15-1 Configuring UPnP  15-3
Figure 16-1 View Log  16-2
Figure 16-2 Log Settings  16-4
Figure 16-3 Reports  16-7
Figure 16-4 Web Site Hits Report Example  16-8
Figure 16-5 Protocol/Port Report Example  16-9
Figure 16-6 LAN IP Address Report Example  16-10
Figure 17-1 System Status  17-1
Figure 17-2 System Status: Show Statistics  17-2

Figure 23-4 Menu 11.1: Remote Node Profile for PPTP Encapsulation  23-7
Figure 23-5 Menu 11.3: Remote Node Network Layer Options for Ethernet Encapsulation  23-8
Figure 23-6 Menu 11.5: Remote Node Filter (Ethernet Encapsulation)  23-11
Figure 23-7 Menu 11.5: Remote Node Filter (PPPoE or PPTP Encapsulation)  23-11
Figure 23-8 Menu 11.1: Remote Node Profile  23-12
Figure 23-9 Menu 11.6: Traffic Redirect Setup  23-13
Figure 24-1 Menu 12: IP Static Route Setup  24-1
Figure 24-2 Menu 12.

Figure 29-5 Menu 24.2.2: System Maintenance: Change Console Port Speed  29-5
Figure 29-6 Menu 24.3: System Maintenance: Log and Trace  29-6
Figure 29-7 Menu 24.3.2: System Maintenance: Syslog Logging  29-6
Figure 29-8 Call-Triggering Packet Example  29-10
Figure 29-9 Menu 24.4: System Maintenance: Diagnostic  29-11
Figure 29-10 WAN & LAN DHCP  29-12
Figure 30-1 Telnet into Menu 24.5  30-3
Figure 30-2 FTP Session Example  30-4
Figure 30-3 System Maintenance: Backup Configuration  30-7
Figure 30-4 System Maintenance: Starting Xmodem Download Screen  30-7
Figure 30-5 Backup Configuration Example  30-8
Figure 30-6 Successful Backup Confirmation Screen  30-8
Figure 30-7 Telnet into Menu 24.6  30-9

Figure 32-1 Menu 24.11 – Remote Management Control  32-2
Figure 33-1 Schedule Setup  33-1
Figure 33-2 Schedule Set Setup  33-2
Figure 33-3 Applying Schedule Set(s) to a Remote Node (PPPoE)  33-4
Figure 33-4 Applying Schedule Set(s) to a Remote Node (PPTP)  33-5

List of Tables

Table 7-3 Services and Port Numbers  7-6
Table 7-4 SUA/NAT Setup  7-9
Table 7-5 Address Mapping  7-10
Table 7-6 Address Mapping Edit  7-12
Table 7-7 Trigger Port  7-15
Table 8-1 IP Static Route Summary  8-2
Table 8-2 Edit IP Static Route  8-3
Table 9-1 Common IP Ports  9-4
Table 9-2 ICMP Commands That Trigger Alerts  9-7
Table 9-3 Legal NetBIOS Commands  9-7

Table 16-7 Report Specifications  16-11
Table 17-1 System Status  17-2
Table 17-2 System Status: Show Statistics  17-3
Table 17-3 DHCP Table  17-4
Table 17-4 Restore Configuration  17-9
Table 18-1 Main Menu Commands  18-2
Table 18-2 Main Menu Summary  18-4

Table 19-1 General Setup Menu Field  19-2
Table 19-2 Configure Dynamic DNS Menu Fields  19-3
Table 20-1 MAC Address Cloning in WAN Setup  20-1
Table 20-2 Menu 2: Dial Backup Setup  20-3
Table 20-3 Advanced WAN Port Setup: AT Commands Fields  20-5
Table 20-4 Advanced WAN Port Setup: Call Control Parameters  20-5
Table 20-5 Fields in Menu 11.1 Remote Node Profile (Backup ISP)  20-7
Table 20-6 Remote Node PPP Options Menu Fields  20-9

Table 31-2 Budget Management  31-4
Table 31-3 Call History Fields  31-5
Table 31-4 Time and Date Setting Fields  31-7
Table 32-1 Menu 24.11 – Remote Management Control  32-2
Table 33-1 Schedule Set Setup Fields  33-2
This manual is designed to guide you through the configuration of your Contivity 221 for its various applications. This manual may refer to the Contivity 221 VPN Switch as the Contivity 221. You may use the System Management Terminal (SMT), WebGUI or command interpreter interface to configure your Contivity 221.
“i.e.” for “that is” or “in other words” throughout this manual.

How to get help

If you purchased a service contract for your Nortel Networks product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.
This chapter introduces the main features and applications of the Contivity 221.

Introducing the Contivity 221

The Contivity 221 VPN Switch is an ideal secure gateway for all data passing between the Internet and the LAN. By integrating NAT, firewall and VPN capability, Nortel Networks’ Contivity 221 is a complete security solution that protects your Intranet and efficiently manages data traffic on your network.
Contivity 221. You can also set the time manually.

Reset Button

The Contivity 221 reset button is built into the rear panel. Use this button to restore the factory default password to setup, IP address to 192.168.1.1, subnet mask to 255.255.255.0 and DHCP server enabled with a pool of 32 IP addresses starting at...
The Contivity 221 can block web features such as ActiveX controls, Java applets and cookies, as well as disable web proxies. The Contivity 221 can block specific URLs by using the keyword feature. It also allows the administrator to define time periods and days during which content filtering is enabled.
IP Alias allows you to partition a physical network into logical networks over the same Ethernet interface. The Contivity 221 supports three logical LAN interfaces via its single physical Ethernet LAN interface with the Contivity 221 itself as the gateway for each LAN network.
IP addresses, an IP default gateway and DNS servers to all systems that support the DHCP client. The Contivity 221 can also act as a surrogate DHCP server (DHCP Relay) where it relays IP address assignment from another DHCP server to the clients.
Upgrade Contivity 221 Firmware

The firmware of the Contivity 221 can be upgraded via the console port or the LAN.

Embedded FTP and TFTP Servers

The Contivity 221’s embedded FTP and TFTP Servers enable fast firmware upgrades as well as configuration file backups and restoration.
To keep the Contivity 221 operating at optimal internal temperature, keep the bottom, sides and rear clear of obstructions and away from the exhaust of other equipment. After installing your Contivity 221, continue with the rest of this User’s Guide for configuration instructions.
Part II: Getting Started

This part helps you get to know your Contivity 221, introduces the WebGUI and covers how to configure the Wizard Setup screens.
Chapter 2 Introducing the WebGUI

This chapter describes how to access the Contivity 221 WebGUI and provides an overview of its screens.

WebGUI Overview

The embedded WebGUI allows you to manage the Contivity 221 from anywhere through a browser such as Microsoft Internet Explorer or Netscape Navigator. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions with JavaScript enabled.
If you forget your password or cannot access the SMT menu, you will need to reload the factory-default configuration file or use the RESET button on the back of the Contivity 221. Uploading this configuration file replaces the current configuration file with the factory-default configuration file.
Step 4. Continue to hold the RESET button for about 10 or 15 seconds. The Contivity 221 restarts.
Step 5. Release the RESET button and wait for the Contivity 221 to finish restarting.

2.3.2 Uploading a Configuration File Via Console Port

Step 1.
Internet Access and WAN IP/DNS Server/MAC address assignment. Use submenus to configure Contivity 221 features. Click MAINTENANCE to view information about your Contivity 221 or upgrade configuration/firmware files. Maintenance includes SYSTEM STATUS (Statistics), DHCP TABLE, F/W (firmware) UPGRADE and CONFIGURATION (Backup, Restore Default). Click LOGOUT at any time to exit the WebGUI.
DHCP from the ISP is used. While you must enter the host name (System Name) on each individual computer, the domain name can be assigned from the Contivity 221 via DHCP. Click Next to configure the Contivity 221 for Internet access.
Figure 3-1 Wizard 1

Wizard Setup: Screen 2

The Contivity 221 offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE.

3.3.1 Ethernet

Choose Ethernet when the WAN port is used as a regular Ethernet.
For ISPs (such as Telstra) that send UDP heartbeat packets to verify that the customer is still online, please create a WAN-to-WAN/Contivity 221 firewall rule that allows access for port 1026 (UDP). The following fields are not applicable (N/A) for the Standard service type.
Table 3-1 Ethernet Encapsulation
User Name: Type the user name given to you by your ISP.
Password: Type the password associated with the user name above.
Login Server IP Address: Type the authentication server IP address here if your ISP gave you one.
Next: Click Next to continue.
The Contivity 221 supports one PPTP server connection at any given time.

Figure 3-3 Wizard 2: PPTP Encapsulation

The following table describes the fields in this screen.

Table 3-2 PPTP Encapsulation
ISP Parameters for Internet Access
Encapsulation: Select PPTP from the drop-down list box.
By implementing PPPoE directly on the Contivity 221 (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the Contivity 221 does that part of the task. Furthermore, with NAT, all of the LAN's computers will have Internet access.
User Name: Type the user name given to you by your ISP.
Password: Type the password associated with the user name above.
Nailed Up: Select Nailed Up Connection if you do not want the connection to time out.
Table 3-3 PPPoE Encapsulation
Connection Idle Timeout: Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds.
Next: Click Next to continue.
Back: Click Back to return to the previous screen.
Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.1.1, for your Contivity 221, but make sure that no other device on your network is using that IP address.
LAN even if your ISP does not require MAC address authentication. Your Contivity 221’s WAN Port is set at half-duplex mode as most cable/DSL modems only support half-duplex mode. Make sure your modem is in half-duplex mode. Your Contivity 221 supports full duplex mode on the LAN side.
This field is not available when you select PPPoE encapsulation in the previous wizard screen.
Gateway IP Address: Enter the gateway IP address in this field if you selected Use Fixed IP Address. This field is not available when you select PPPoE encapsulation in
The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The Contivity 221 uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.
Back: Click Back to return to the previous screen.
Finish: Click Finish to complete and save the wizard setup.

Basic Setup Complete

Well done! You have successfully set up your Contivity 221 to operate on your network and access the Internet.
There are three places where you can configure DNS setup on the Contivity 221. 1. Use the System General screen to configure the Contivity 221 to use a DNS server to resolve domain names for Contivity 221 system features like VPN, DDNS and the time server.
A value of "0" means a management session never times out, no matter how long it has been left idle (not recommended).
Apply: Click Apply to save your changes back to the Contivity 221.
Reset: Click Reset to begin configuring this screen afresh.
The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The Contivity 221 uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.
If you have a private WAN IP address, then you cannot use Dynamic DNS.

Configuring Dynamic DNS

To change your Contivity 221’s DDNS, click SYSTEM, then the DDNS tab. The screen appears as shown.

Figure 4-2 DDNS

The following table describes the fields in this screen.
Reset: Click Reset to begin configuring this screen afresh.

Configuring Password

To change your Contivity 221’s password (recommended), click SYSTEM, then the Password tab. The screen appears as shown. This screen allows you to change the Contivity 221’s password.
Configuring Time Setting

To change your Contivity 221’s time and date, click SYSTEM, then the Time Setting tab. The screen appears as shown. Use this screen to configure the Contivity 221’s time based on your local time zone.
Select the time service protocol that your time server sends when you turn on the Contivity 221. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
Current Time: This field displays the time of your Contivity 221. Each time you reload this page, the Contivity 221 synchronizes the time with the time server.
New Time: This field displays the last updated time from the time server.
5.2.2 DNS Servers

Use the LAN IP screen to configure the DNS server information that the Contivity 221 sends to the DHCP client devices on the LAN.

LAN TCP/IP

The Contivity 221 has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.
RIP Direction controls the sending and receiving of RIP packets. When set to Both or Out Only, the Contivity 221 will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received.
224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group. The Contivity 221 supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start up, the Contivity 221 queries all directly connected networks to gather group membership.
DNS Servers Assigned by DHCP Server

The Contivity 221 passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. The Contivity 221 only passes this information to the LAN DHCP clients when you select the DHCP Server check box.
IP Subnet Mask: The subnet mask specifies the network number portion of an IP address. Your Contivity 221 will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the Contivity 221, 255.255.255.0.
Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.

To change your Contivity 221’s Static DHCP settings, click LAN, then the Static DHCP tab. The screen appears as shown.

Figure 5-2 Static DHCP

The following table describes the fields in this screen.
Ethernet interface. The Contivity 221 supports three logical LAN interfaces via its single physical Ethernet interface with the Contivity 221 itself as the gateway for each LAN network. To change your Contivity 221’s IP Alias settings, click LAN, then the IP Alias tab. The screen appears as shown.
The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the Contivity 221 will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives;...
"1" and "15"; a number greater than "15" means the link is down. The smaller the number, the lower the "cost". The metric sets the priority for the Contivity 221’s routes to the Internet. If any two of the default routes have the same metric, the Contivity 221 uses the following pre-defined priorities: 1.
Apply: Click Apply to save your changes back to the Contivity 221.
Reset: Click Reset to begin configuring this screen afresh.

Configuring WAN ISP

To change your Contivity 221’s WAN ISP settings, click WAN, then the WAN ISP tab. The screen differs by the encapsulation.

6.4.1 Ethernet Encapsulation

The screen shown next is for Ethernet encapsulation.
6.4.2 PPPoE Encapsulation

The Contivity 221 supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.) connection. The PPPoE option is for a dial-up connection using PPPoE.
By implementing PPPoE directly on the Contivity 221 (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the Contivity 221 does that part of the task. Furthermore, with NAT, all of the LAN's computers will have access.
This value specifies the time in seconds that elapses before the router automatically disconnects from the PPPoE server.
Apply: Click Apply to save your changes back to the Contivity 221.
Reset: Click Reset to begin configuring this screen afresh.
Internet. The Contivity 221 supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
Table 6-4 PPTP Encapsulation
Idle Timeout: This value specifies the time in seconds that elapses before the Contivity 221 automatically disconnects from the PPTP server.
PPTP Configuration
My IP Address: Type the (static) IP address assigned to you by your ISP.
Password: Enter the password associated with the login name above.
Login Server IP Address: The Contivity 221 will find the Roadrunner Server IP address if this field is left blank. If it does not, then you must enter the authentication server IP address.
Enter your WAN IP address in this field if you selected Use Fixed IP Address.
IP Subnet Mask: Enter the IP subnet mask (if your ISP gave you one) in this field if you selected Use Fixed IP Address.
When set to Both or Out Only, the Contivity 221 will broadcast its routing table periodically. When set to Both or In Only, the Contivity 221 will incorporate RIP information that it receives. When set to None, the Contivity 221 will not send any RIP packets and will ignore any RIP packets received.
Apply: Click Apply to save your changes back to the Contivity 221.
Reset: Click Reset to begin configuring this screen afresh.

Configuring WAN MAC

To change your Contivity 221’s WAN MAC settings, click WAN, then the WAN MAC tab. The screen appears as shown.
ROM file.

Traffic Redirect

Traffic redirect forwards WAN traffic to a backup gateway when the Contivity 221 cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the Contivity 221 still provides firewall protection.
LAN. Use IP alias to configure the LAN into two or three logical networks with the Contivity 221 itself as the gateway for each LAN network. Put the protected LAN in one subnet (Subnet 1 in the following figure) and the backup gateway in another subnet (Subnet 2).
Table 6-7 Traffic Redirect
Active: Select this check box to have the Contivity 221 use traffic redirect if the normal WAN connection goes down.
Backup: Type the IP address of your backup gateway in dotted decimal notation. The Contivity...
Internet before traffic is forwarded to the backup gateway.
Period (sec): Type the number of seconds for the Contivity 221 to wait between checks to see if it can connect to the WAN IP address (Check WAN IP Address field) or default gateway.
Primary Phone Number: Type the first (primary) phone number from the ISP for this remote node. If the Primary Phone number is busy or does not answer, your Contivity 221 dials the Secondary Phone number if available. Some areas require dialing the pound sign # before the phone number for local calls.
Select SUA Only or None. SUA (Single User Account) is a subset of NAT that supports two types of mapping: Many-to-One and Server. When you select this option the Contivity 221 will use Address Mapping Set 255 (see your User's Guide for more information).
RIP packets. Choose Both, In Only or Out Only. When set to Both or Out Only, the Contivity 221 will broadcast its routing table periodically. When set to Both or In Only, the Contivity 221 will incorporate RIP information that it receives.
Ready) signal is dropped by the DTE. When the “Drop DTR When Hang Up” check box is selected, the Contivity 221 uses this hardware signal to force the WAN device to hang up, in addition to issuing the drop command “ATH”.
Answer: Type the AT Command string to answer a call.
Drop DTR When Hang Up: Select this check box to have the Contivity 221 drop the DTR (Data Terminal Ready) signal after the "AT Command String: Drop" is sent out.
CONNECT: Type the keyword preceding the connection speed.
Call Control
Dial Timeout (sec): Type a number of seconds for the Contivity 221 to try to set up an outgoing call before timing out (stopping).
Retry Count: Type a number of times for the Contivity 221 to retry a busy or no-answer phone number before blacklisting the number.
IP address known within another network.

7.1.1 NAT Definitions

Inside/outside denotes where a host is located relative to the Contivity 221. For example, the computers of your subscribers are the inside hosts, while the web servers on the Internet are the outside hosts.
Many-to-Many Overload NAT mapping) in each packet and then forwards it to the Internet. The Contivity 221 keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. The following figure illustrates this.
NAT Mapping Types

NAT supports five types of IP/port mapping. They are:
One to One: In One-to-One mode, the Contivity 221 maps one local IP address to one global IP address.
Many to One: In Many-to-One mode, the Contivity 221 maps multiple local IP addresses to one global IP address.
Many One to One: In Many-One-to-One mode, the Contivity 221 maps each local IP address to a unique global IP address.
Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world.
Port numbers do not change for One-to-One and Many-One-to-One NAT mapping types.
If you do not assign a Default Server IP Address, the Contivity 221 discards all packets received for ports that are not specified here or in the remote management setup.
Let's say you want to assign ports 22-25 to one server, port 80 to another and assign a default server IP address of 192.168.1.35 as shown in the next figure.

Figure 7-3 Multiple Servers Behind NAT Example
Configuring SUA Server

If you do not assign a Default Server IP Address, then all packets received for ports not specified in this screen will be discarded. Click SUA/NAT to open the SUA Server screen. Refer to the firewall chapters for port numbers commonly used for particular services.

Figure 7-4 SUA/NAT Setup

The following table describes the fields in this screen.
Reset: Click Reset to begin configuring this screen afresh.

Configuring Address Mapping

Ordering your rules is important because the Contivity 221 applies the rules in the order that you specify. When a rule matches the current packet, the Contivity 221 takes the corresponding action and the remaining rules are ignored.
Figure 7-5 Address Mapping

The following table describes the fields in this screen.

Table 7-5 Address Mapping
Local Start IP: This refers to the Inside Local Address (ILA), that is the starting local IP address. Local IP addresses are N/A for Server port mapping.
Insert: Click Insert to insert a new mapping rule before an existing one.

Configuring Address Mapping

To edit an Address Mapping rule, click the Edit button to display the screen shown next.

Figure 7-6 Address Mapping Edit

The following table describes the fields in this screen.
This is the ending Inside Global IP Address (IGA). This field is N/A for One-to-One, Many-to-One and Server mapping types.
Apply: Click Apply to save your changes back to the Contivity 221.
Reset: Click Reset to begin configuring this screen afresh.
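The mapping types listed under NAT Mapping Types and the first-match rule ordering described under Configuring Address Mapping, modelled together as an added example that is not code from the Nortel manual or the Contivity 221 itself. The 10.0.0.x global addresses, the 40000+ port pool for Many-to-One translation and the rule layout are constructed for the demonstration; the point it shows is that a broad Many-to-One rule placed before a One-to-One rule silently shadows it.

```python
# Added example, not from the Nortel manual: a small model of ordered NAT address
# mapping rules of the kinds the user's guide lists (One-to-One, Many-to-One,
# Many-One-to-One, Server). The first rule that matches a packet is applied and
# the remaining rules are ignored, so rule order decides the translation.
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple


def span(start: str, end: Optional[str]) -> Tuple[int, int]:
    """Inclusive integer range for a start/end address pair (end defaults to start)."""
    return int(IPv4Address(start)), int(IPv4Address(end or start))


@dataclass(frozen=True)
class MappingRule:
    kind: str                       # "One-to-One", "Many-to-One", "Many-One-to-One", "Server"
    local_start: str = ""           # Inside Local Address range; N/A for Server rules
    local_end: Optional[str] = None
    global_start: str = ""          # Inside Global Address range
    global_end: Optional[str] = None
    server_port: int = 0            # Server rules: WAN port forwarded to server_ip
    server_ip: str = ""

    def covers(self, local_ip: str) -> bool:
        if self.kind == "Server":   # Server rules match inbound ports, not local hosts
            return False
        lo, hi = span(self.local_start, self.local_end)
        return lo <= int(IPv4Address(local_ip)) <= hi


@dataclass
class AddressMapping:
    rules: list
    next_pat_port: int = 40000      # constructed port pool for Many-to-One translation
    pat: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, src_ip: str, src_port: int):
        """Translate a LAN packet; returns (rule index, global ip, global port) or None."""
        for idx, rule in enumerate(self.rules):
            if not rule.covers(src_ip):
                continue
            if rule.kind == "One-to-One":
                return idx, rule.global_start, src_port          # port unchanged
            if rule.kind == "Many-One-to-One":
                # each local address gets its own global address; port unchanged
                offset = int(IPv4Address(src_ip)) - span(rule.local_start, rule.local_end)[0]
                g_lo, g_hi = span(rule.global_start, rule.global_end)
                if g_lo + offset > g_hi:
                    return None                                  # global pool exhausted
                return idx, str(IPv4Address(g_lo + offset)), src_port
            if rule.kind == "Many-to-One":
                # one shared global address: the gateway rewrites the source port and
                # remembers the original so reply packets can be restored
                g_port = self.next_pat_port
                self.next_pat_port += 1
                self.pat[(rule.global_start, g_port)] = (src_ip, src_port)
                return idx, rule.global_start, g_port
        return None                                              # no rule: not translated

    def inbound(self, dst_ip: str, dst_port: int):
        """Map a WAN packet back to a LAN host; None means no server and no session."""
        for rule in self.rules:
            if rule.kind == "Server" and rule.server_port == dst_port:
                return rule.server_ip, dst_port
        return self.pat.get((dst_ip, dst_port))


def ordering_demo():
    """Same rules in two orders; only the second order honours the One-to-One rule."""
    broad = MappingRule("Many-to-One", "192.168.1.1", "192.168.1.254", "10.0.0.1")
    exact = MappingRule("One-to-One", "192.168.1.10", None, "10.0.0.2")
    srv = MappingRule("Server", server_port=80, server_ip="192.168.1.35")
    shadowed = AddressMapping([broad, exact, srv]).outbound("192.168.1.10", 5000)
    good_nat = AddressMapping([exact, broad, srv])
    honoured = good_nat.outbound("192.168.1.10", 5000)
    other = good_nat.outbound("192.168.1.20", 5000)
    reply = good_nat.inbound(other[1], other[2])     # reply to the translated packet
    web = good_nat.inbound("10.0.0.1", 80)           # Server rule wins for port 80
    return shadowed, honoured, other, reply, web
```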
1. Jane (A) requests a file from the Real Audio server (port 7070). 2. Port 7070 is a “trigger” port and causes the Contivity 221 to record Jane’s computer IP address. The Contivity 221 associates Jane's computer IP address with the "incoming" port range of 6970-7170.
LAN can’t trigger it. Configuring Trigger Port Forwarding To change your Contivity 221’s trigger port settings, click SUA/NAT and the Trigger Port tab. The screen appears as shown. Only one LAN computer can use a trigger port (range) at a time.
Type a port number or the ending port number in a range of port numbers. Trigger The trigger port is a port (or a range of ports) that causes (or triggers) the Contivity 221 to record the IP address of the LAN computer that sent the traffic to a server on the WAN.
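The Real Audio sequence above, as an added Python model of a trigger port table; this is not code from the guide or the device. The LAN addresses are constructed. The guide states that only one LAN computer can use a trigger port range at a time; this model assumes the most recent trigger takes over the range, which is an assumption about the device's behaviour rather than something the guide specifies.

```python
class TriggerPortForwarder:
    """Trigger-port forwarding: outbound LAN traffic to a trigger port records the sender,
    and later inbound WAN traffic on the matching incoming range is forwarded to it."""

    def __init__(self, rules):
        self.rules = list(rules)   # each: name, trigger (start, end), incoming (start, end)
        self.holder = {}           # rule name -> LAN IP currently holding the trigger

    @staticmethod
    def _in(port, rng):
        return rng[0] <= port <= rng[1]

    def outbound(self, lan_ip, wan_dport):
        """A LAN computer sends to a WAN server on wan_dport; returns the rules it triggered."""
        triggered = []
        for rule in self.rules:
            if self._in(wan_dport, rule["trigger"]):
                # Assumption: a new trigger replaces the previous holder of this range.
                self.holder[rule["name"]] = lan_ip
                triggered.append(rule["name"])
        return triggered

    def inbound(self, wan_dport):
        """Unsolicited WAN traffic arrives on wan_dport; return the LAN IP to forward to, or None."""
        for rule in self.rules:
            if self._in(wan_dport, rule["incoming"]) and rule["name"] in self.holder:
                return self.holder[rule["name"]]
        return None  # no LAN computer has triggered this range: traffic is not forwarded

    def release(self, name):
        """Forget the holder once the session ends, so another LAN host may trigger the range."""
        self.holder.pop(name, None)


def demo():
    fwd = TriggerPortForwarder([
        {"name": "Real Audio", "trigger": (7070, 7070), "incoming": (6970, 7170)},
    ])
    before = fwd.inbound(7000)            # nothing triggered yet: dropped
    fwd.outbound("192.168.1.10", 7070)    # Jane requests a file from the server
    jane = fwd.inbound(7000)              # server's stream on 7000 goes to Jane
    fwd.outbound("192.168.1.11", 7070)    # Bob triggers the same rule
    bob = fwd.inbound(7100)               # incoming range now goes to Bob, not Jane
    outside = fwd.inbound(8000)           # port outside the incoming range: dropped
    return {"before": before, "jane": jane, "bob": bob, "outside": outside}
```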
Each remote node specifies only the network to which the gateway is directly connected, and the Contivity 221 has no knowledge of the networks beyond. For instance, the Contivity 221 knows about network N2 in the following figure through remote node Router 1. However, the Contivity 221 is unable to route a packet to network N3 because it doesn't know that there is a route through the same remote node Router 1 (via gateway Router 2).
Contivity 221 that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your Contivity 221; over the WAN, the gateway must be the IP address of one of the remote nodes.
1 and 15. In practice, 2 or 3 is usually a good number. Private This parameter determines if the Contivity 221 will include this route to a remote node in its RIP broadcasts. Select this check box to keep this route private and not included in RIP broadcasts.
Part V: Firewall and Content Filters This part introduces firewalls in general and the Contivity 221 firewall. It also explains how to configure the Contivity 221 firewall and content filtering.
Chapter 9 Firewalls This chapter gives some background information on firewalls and introduces the Contivity 221 firewall. Firewall Overview Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term “firewall” is a system or group of systems that enforces an access-control policy between two networks.
Local Area Network (LAN) to be securely connected to the Internet. The Contivity 221 can be used to prevent theft, destruction and modification of data, as well as log events, which may be important to the security of your network. The Contivity 221 also has packet-filtering capabilities.
Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The Contivity 221 is pre-configured to automatically detect and thwart all known DoS attacks.
When computers communicate on the Internet, they are using the client/server model, where the server "listens" on a specific TCP/UDP port for information requests from remote client computers on the network. For example, a Web server typically listens on port 80. Please note that while a computer may be intended for use over a single port, such as Web on port 80, other ports are also active.
ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.
Figure 9-3 SYN Flood In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.
The only legal NetBIOS commands are the following - all others are illegal. Table 9-3 Legal NetBIOS Commands MESSAGE: REQUEST: POSITIVE: NEGATIVE: RETARGET: KEEPALIVE: All SMTP commands are illegal except for those displayed in the following tables.
The Contivity 221 uses stateful packet inspection to protect the private LAN from hackers and vandals on the Internet. By default, the Contivity 221’s stateful inspection allows all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet.
Figure 9-5 Stateful Inspection The previous figure shows the Contivity 221’s default firewall rules in action as well as demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed. However other Telnet traffic initiated from the WAN is blocked.
Below is a brief technical description of how these connections are tracked. Connections may either be defined by the upper protocols (for instance, TCP), or by the Contivity 221 itself (as with the "virtual connections" created for UDP and ICMP).
9.5.3 TCP Security The Contivity 221 uses state information embedded in TCP packets. The first packet of any new connection has its SYN flag set and its ACK flag cleared; these are "initiation" packets. All packets that do not have this flag structure are called "subsequent" packets, since they represent data that occurs later in the TCP stream.
Internet would normally be rejected. In order to achieve this, the Contivity 221 inspects the application-level FTP data. Specifically, it searches for outgoing "PORT" commands, and when it sees these, it adds a cache entry for the anticipated data connection.
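The stateful inspection behaviour described in this section (LAN-initiated connections allowed and remembered, WAN-initiated ones blocked, subsequent packets accepted only for known connections, and the FTP PORT special case) as one added Python model. This is an example written for this page, not code from the guide or the device. The LAN prefix 192.168.1. and all addresses and ports in `demo()` are constructed sample values.

```python
from dataclasses import dataclass, field

LAN_PREFIX = "192.168.1."   # constructed LAN subnet (assumption); other addresses are WAN


def is_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    payload: str = ""


@dataclass
class StatefulFirewall:
    # Connection cache: 4-tuples of connections the firewall expects to see.
    table: set = field(default_factory=set)

    @staticmethod
    def is_initiation(pkt: Packet) -> bool:
        # First packet of a TCP connection: SYN set and ACK cleared.
        return pkt.syn and not pkt.ack

    def inspect(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            # Belongs to a known (or anticipated) connection, in either direction.
            self._learn_ftp_port(pkt)
            return "allow"
        if self.is_initiation(pkt) and is_lan(pkt.src) and not is_lan(pkt.dst):
            # Default policy: LAN-originated connections to the WAN are allowed and remembered.
            self.table.add(fwd)
            return "allow"
        # Anything else: a WAN-originated initiation, or a subsequent packet with no state.
        return "block"

    def _learn_ftp_port(self, pkt: Packet) -> None:
        # Active-mode FTP: an outgoing PORT command on the control channel names the LAN
        # address and port the server will connect back to. Add a cache entry so that the
        # server's inbound data connection (from port 20) is accepted despite the default.
        if pkt.dport != 21 or not is_lan(pkt.src) or not pkt.payload.startswith("PORT "):
            return
        parts = pkt.payload[5:].strip().split(",")
        if len(parts) != 6:
            return
        host = ".".join(parts[:4])
        port = int(parts[4]) * 256 + int(parts[5])
        self.table.add((pkt.dst, 20, host, port))


def demo() -> dict:
    fw = StatefulFirewall()
    r = {}
    # User A on the LAN opens a Telnet session to a WAN host; the reply is allowed back in.
    r["lan_telnet_syn"] = fw.inspect(Packet("192.168.1.10", 40000, "203.0.113.5", 23, syn=True))
    r["telnet_reply"] = fw.inspect(Packet("203.0.113.5", 23, "192.168.1.10", 40000, syn=True, ack=True))
    # A WAN host tries to open its own Telnet session into the LAN: blocked.
    r["wan_telnet_syn"] = fw.inspect(Packet("203.0.113.9", 51000, "192.168.1.10", 23, syn=True))
    # FTP control channel, then a PORT command for 192.168.1.10:40001 (156*256 + 65).
    fw.inspect(Packet("192.168.1.10", 40002, "203.0.113.7", 21, syn=True))
    fw.inspect(Packet("192.168.1.10", 40002, "203.0.113.7", 21, ack=True,
                      payload="PORT 192,168,1,10,156,65"))
    r["ftp_data_syn"] = fw.inspect(Packet("203.0.113.7", 20, "192.168.1.10", 40001, syn=True))
    r["ftp_data_other_server"] = fw.inspect(Packet("203.0.113.8", 20, "192.168.1.10", 40001, syn=True))
    return r
```

The cache entry added from the PORT command is specific to the FTP server that received the command, so a data connection from any other WAN host to the same LAN port is still an unsolicited initiation and is blocked.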
3. To selectively block/allow inbound or outbound traffic between inside host/networks and outside host/networks. Remember that filters cannot distinguish traffic originating from an inside host or an outside host by IP address.
4. The firewall performs better than filtering if you need to check many rules. 5. Use the firewall if you need routine e-mail reports about your system or need to be alerted when attacks occur. 6. The firewall can block specific URL traffic that might occur in the future. The URL can be saved in an Access Control List (ACL) database.
• WAN to WAN/Contivity 221 This prevents computers on the WAN from using the Contivity 221 as a gateway to communicate with other computers on the WAN and/or managing the Contivity 221. You may define additional rules and sets or modify existing ones but please exercise extreme caution in doing so.
These custom rules work by comparing the Source IP address, Destination IP address and IP protocol type of network traffic to rules set by the administrator. Your customized rules take precedence and override the Contivity 221’s default rules. 10.3 Rule Logic Overview...
This section describes examples for firewall rules for connections going from LAN to WAN and from WAN to LAN. LAN to LAN/Contivity 221, WAN and WAN/Contivity 221 rules apply to packets coming in on the associated interface (LAN or WAN respectively). LAN to LAN/Contivity 221 means policies for LAN-to-Contivity 221 (the policies for managing the Contivity 221 through the LAN interface) and policies for LAN-to-LAN (the policies that control routing between two subnets on the LAN).
10.4.1 LAN to WAN Rules The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted access to the WAN. When you configure a LAN to WAN rule, you in essence want to limit some or all users from accessing certain services on the WAN.
The ordering of your rules is very important as rules are applied in turn. Click FIREWALL to open the Summary screen. Enable (or activate) the firewall by selecting the Enable Firewall check box as seen in the following screen.
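The rule logic of this chapter (packet direction, custom rules compared by source, destination and protocol, first matching rule wins and overrides the per-direction default, and the Log setting's Match/Not Match/Both/None options) as an added Python evaluator. This is example code for this page, not the device's rule engine. The LAN subnet, the two constructed rules and the packets in `demo()` are sample values; the default action per direction follows the text of this chapter.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # constructed LAN subnet (assumption)

# Default policy per packet direction, as described in the text.
DEFAULT_ACTION = {
    "LAN to WAN": "forward",
    "LAN to LAN/Contivity 221": "forward",
    "WAN to LAN": "block",
    "WAN to WAN/Contivity 221": "block",
}


def direction(src: str, dst: str) -> str:
    src_lan, dst_lan = ip_address(src) in LAN, ip_address(dst) in LAN
    if src_lan:
        return "LAN to LAN/Contivity 221" if dst_lan else "LAN to WAN"
    return "WAN to LAN" if dst_lan else "WAN to WAN/Contivity 221"


def rule_matches(rule: dict, pkt: dict) -> bool:
    if not rule["active"] or rule["direction"] != pkt["direction"]:
        return False
    for side in ("src", "dst"):
        if rule[side] != "any" and ip_address(pkt[side]) not in ip_network(rule[side]):
            return False
    if rule["protocol"] != "any" and rule["protocol"] != pkt["protocol"]:
        return False
    lo, hi = rule["ports"] if rule["ports"] else (0, 65535)
    return lo <= pkt["dport"] <= hi


def evaluate(rules: list, pkt: dict):
    """Apply the ordered custom rules; first match wins, else the direction's default.
    Returns (action, name of deciding rule, names of rules that logged the packet)."""
    pkt = dict(pkt, direction=direction(pkt["src"], pkt["dst"]))
    logs = []
    for rule in rules:
        if rule_matches(rule, pkt):
            if rule["log"] in ("Match", "Both"):
                logs.append(rule["name"])
            return rule["action"], rule["name"], logs   # remaining rules are ignored
        if (rule["active"] and rule["direction"] == pkt["direction"]
                and rule["log"] in ("Not Match", "Both")):
            logs.append(rule["name"])
    return DEFAULT_ACTION[pkt["direction"]], "default", logs


# Constructed rule set: let one administrator host use Telnet to the WAN, block it for all others.
RULES = [
    {"name": "admin-telnet", "active": True, "direction": "LAN to WAN",
     "src": "192.168.1.20/32", "dst": "any", "protocol": "TCP", "ports": (23, 23),
     "action": "forward", "log": "None"},
    {"name": "no-telnet", "active": True, "direction": "LAN to WAN",
     "src": "any", "dst": "any", "protocol": "TCP", "ports": (23, 23),
     "action": "block", "log": "Match"},
]


def demo():
    admin = {"src": "192.168.1.20", "dst": "203.0.113.5", "protocol": "TCP", "dport": 23}
    user = {"src": "192.168.1.21", "dst": "203.0.113.5", "protocol": "TCP", "dport": 23}
    web = {"src": "192.168.1.21", "dst": "203.0.113.5", "protocol": "TCP", "dport": 80}
    inbound = {"src": "203.0.113.9", "dst": "192.168.1.21", "protocol": "TCP", "dport": 23}
    return {
        "admin": evaluate(RULES, admin),               # specific allow rule matches first
        "user": evaluate(RULES, user),                 # falls through to the block rule, logged
        "web": evaluate(RULES, web),                   # no custom rule: LAN to WAN default
        "inbound": evaluate(RULES, inbound),           # WAN to LAN default: blocked
        "admin_reordered": evaluate(RULES[::-1], admin),  # same rules, reversed order
    }
```

`admin_reordered` is the case the text warns about: with the broad block rule placed first, the administrator's allow rule is never reached and the same packet is blocked.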
Denial of Service (DoS) attacks when the firewall is activated. Bypass Triangle Route Select this check box to have the Contivity 221 firewall ignore the use of triangle route topology on the network. See the Appendices for more on triangle route topology.
Contivity 221 (the combined total available for all packet directions). Packet Direction Use the drop-down list box to select a direction of travel of packets (LAN to LAN/Contivity 221, LAN to WAN, WAN to WAN/Contivity 221 or WAN to LAN) for which you want to configure firewall rules. Block/...
Click Delete to delete an existing firewall rule. Note that subsequent firewall rules move up by one when you take this action. Apply Click Apply to save your changes back to the Contivity 221. Reset Click Reset to begin configuring this screen afresh.
Active Check the Active check box to have the Contivity 221 use this rule. Leave it unchecked if you do not want the Contivity 221 to use the rule after you apply it. Packet Direction Use the drop-down list box to select the direction of packet travel to which you want to apply this firewall rule.
(Not Match), both (Both) or no log is created (None). Go to the Log Settings page and select the Access Control logs category to have the Contivity 221 record these logs. Alert Check the Alert check box to determine that this rule generates an alert when the rule is matched.
10.5.3 Configuring Custom Ports Configure customized ports for services not predefined by the Contivity 221 (see section 10.7 for a list of predefined services). For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) web site.
Figure 10-6 Creating/Editing A Custom Port The following table describes the fields in this screen. Table 10-4 Creating/Editing A Custom Port LABEL DESCRIPTION Service Name Enter a unique name for your custom port. Service Type Choose the IP port (TCP, UDP or Both) that defines your customized port from the drop-down list box.
Step 4. Select Any in the Destination Address box and then click DestDelete. Step 5. Click DestAdd under the Source Address box. Step 6. Configure the Firewall Rule Edit IP screen as follows and click Apply.
Figure 10-8 Firewall Rule Edit IP Example Step 7. In the firewall rule configuration screen, click Add under Custom Port to open the Edit Custom Port screen. Configure it as follows and click Apply. Figure 10-9 Edit Custom Port Example Step 8. The firewall rule configuration screen displays, use the arrows between Available
Rule Summary list box. Click Apply after you’ve created your custom port. Figure 10-10 MyService Rule Configuration This is the address range of the “My Service” servers. This is your “My Service” custom port. Click Apply when finished.
The Available Services list box in the Edit Rule screen (see Figure 10-4) displays all predefined services that the Contivity 221 already supports. Next to the name of the service, two fields appear 317517-A Rev 00...
The Internet Key Exchange algorithm is used for key distribution and management. IPSEC_TUNNEL(AH:0) The IPSEC AH (Authentication Header) tunneling protocol uses this service. IPSEC_TUNNEL(ESP:0) The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service.
Table 10-5 Predefined Services SERVICE DESCRIPTION IRC(TCP/UDP:6667) This is another popular Internet chat program. Messenger(TCP:1863) Microsoft Networks’ messenger service uses this protocol. MULTICAST(IGMP:0) Internet Group Multicast Protocol is used when sending packets to a specific group of hosts. NEW-ICQ(TCP:5190) An Internet chat program.
Attack alerts are the first defense against DoS attacks. In the Attack Alert screen, shown later, you may choose to generate an alert whenever an attack is detected. For DoS attacks, the Contivity 221
9-2). For UDP, "half-open" means that the firewall has detected no return traffic. The Contivity 221 measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements.
(TCP Maximum Incomplete), the Contivity 221 starts deleting half-open sessions according to one of the following methods: 1. If the Blocking Period timeout is 0 (the default), then the Contivity 221 deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.
Figure 10-12 Attack Alert The following table describes the fields in this screen. Table 10-6 Attack Alert LABEL DESCRIPTION DEFAULT VALUES Generate alert when attack detected A detected attack automatically generates a log entry. Check this box to generate an alert (as well as a log) whenever an attack is detected.
When the number of existing half-open sessions rises above this number, the Contivity 221 deletes half-open sessions as required to accommodate new connection requests. Default values: the Contivity 221 is to start deleting half-open sessions when the number of existing half-open sessions rises above 100, and to
(min) Enter the length of Blocking Period in minutes. Apply Click Apply to save your changes back to the Contivity 221. Reset Click Reset to begin configuring this screen afresh.
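The half-open session accounting described above (the TCP Maximum Incomplete limit per host, the Blocking Period 0 behaviour of deleting the oldest half-open session for each new request, and the per-minute rate of establishment attempts), as an added Python model. This is example code for this page, not the device's implementation; the limit of 3, the client addresses and the timestamps in `demo()` are constructed sample values and not the device defaults. The behaviour for a non-zero Blocking Period is not described on this page and is therefore not modelled.

```python
from collections import defaultdict, deque


class HalfOpenTracker:
    """Per-host limit on half-open (SYN received, handshake not completed) TCP sessions."""

    def __init__(self, tcp_max_incomplete: int = 3) -> None:
        self.tcp_max_incomplete = tcp_max_incomplete
        self.half_open = defaultdict(deque)   # host -> half-open session keys, oldest first
        self.attempts = deque()               # timestamps of all connection attempts seen
        self.evicted = []                     # sessions deleted to make room for new ones

    def on_syn(self, client: str, host: str, port: int, now: float) -> None:
        """New connection request to `host` at time `now` (seconds)."""
        self.attempts.append(now)
        q = self.half_open[host]
        if len(q) >= self.tcp_max_incomplete:
            # Blocking Period 0: delete the oldest half-open session for this host so the
            # count never exceeds the threshold.
            self.evicted.append(q.popleft())
        q.append((client, host, port))

    def on_established(self, client: str, host: str, port: int) -> None:
        """Handshake completed: the session is no longer half-open."""
        try:
            self.half_open[host].remove((client, host, port))
        except ValueError:
            pass  # already evicted or never tracked

    def count(self, host: str) -> int:
        return len(self.half_open[host])

    def attempt_rate(self, now: float, window: float = 60.0) -> int:
        """Number of session establishment attempts in the last `window` seconds."""
        while self.attempts and self.attempts[0] <= now - window:
            self.attempts.popleft()
        return len(self.attempts)


def demo() -> dict:
    tracker = HalfOpenTracker(tcp_max_incomplete=3)
    server = "192.168.1.35"
    # Constructed burst: five clients send SYNs one second apart and never complete the handshake.
    for i, n in enumerate(range(1, 6)):
        tracker.on_syn("198.51.100.%d" % n, server, 80, now=float(i))
    after_burst = tracker.count(server)      # capped at the threshold
    evicted = len(tracker.evicted)           # the two oldest half-open sessions were deleted
    tracker.on_established("198.51.100.5", server, 80)
    return {
        "after_burst": after_burst,
        "evicted": evicted,
        "after_ack": tracker.count(server),
        "rate_last_minute": tracker.attempt_rate(now=5.0),
    }
```

The rate counter is kept separately from the per-host queues because, as the text notes, the device measures both the total number of existing half-open sessions and the rate at which new attempts arrive.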
The Contivity 221 can block web features such as ActiveX controls, Java applets, cookies and disable web proxies. 11.3 Days and Times The Contivity 221 also allows you to define time periods and days during which the Contivity 221 performs content filtering. 11.4 Configure Content Filtering Click Content Filter on the navigation panel, to open the following screen.
Figure 11-1 Content Filter Table 11-1 Content Filter LABEL DESCRIPTION Restrict Web Features Select the box(es) to restrict a feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out. A tool for building dynamic and active Web pages and distributed object applications.
Clear All Click this button to remove all of the listed keywords. Day to Block Select check boxes for the days that you want the Contivity 221 to perform content filtering. Select the Everyday check box to have content filtering turned on all days of the week.
"ciphertext" (scrambled text) using a "key". The key and clear text are processed by the encryption operation, which leads to the data scrambling that makes encryption secure. Decryption is the opposite of encryption: it is a mathematical operation that transforms “ciphertext” to plaintext. Decryption also requires a key.
12.1.4 VPN Applications The Contivity 221 supports the following VPN applications. Linking Two or More Private Networks Together Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased lines between sites.
AH and ESP protocols. Please see 13.2 for more information. 12.2.2 Key Management Your Contivity 221 uses IKE (ISAKMP) key management in order to set up a VPN.
12.3 Encapsulation The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. Figure 12-3 Transport and Tunnel Mode IPSec Encapsulation 12.3.1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
12.4 IPSec and NAT Read this section if you are running IPSec on a host computer behind the Contivity 221. NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet.
However, ESP is sufficient if only the upper layer protocols need to be authenticated. An added feature of the ESP is payload padding, which further protects communications by concealing the size of the packet being transmitted.
13.3 My IP Address My IP Address is the WAN IP address of the Contivity 221. If this field is configured as 0.0.0.0, then the Contivity 221 will use the current Contivity 221 WAN IP address (static or dynamic) to set up the VPN tunnel.
Click VPN to open the Summary screen. This is a read-only menu of your IPSec rules (tunnels). Edit or create an IPSec rule by selecting an index number and then clicking Edit to configure the associated submenus.
Figure 13-2 Summary IP Policies The following table describes the fields in this screen. Table 13-2 Summary LABEL DESCRIPTION Contivity VPN Client The Contivity VPN Client is a simple VPN rule that lets you define and store connection information for accessing your corporate network through a Contivity VPN switch. The Contivity VPN Client uses the IPSec protocol to establish a secure end-to-end...
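Why NAT breaks AH but not ESP, shown with keyed hashes in an added Python example (not code from the guide; this is a simplified model, not RFC-conformant AH/ESP processing). AH's integrity value covers the IP header as well as the payload, so rewriting the source address in NAT invalidates it; ESP's authentication covers only the protected payload. The shared key, the addresses and the payload are constructed sample values, and HMAC-SHA256 stands in for the device's MD5/SHA1 options.

```python
import hashlib
import hmac

# Constructed demo key shared by both tunnel endpoints; not an IPsec key derivation.
KEY = b"constructed-demo-key"


def ah_icv(src: str, dst: str, payload: bytes) -> str:
    """AH-style integrity check value: covers the IP header (here src/dst) and the payload."""
    return hmac.new(KEY, src.encode() + dst.encode() + payload, hashlib.sha256).hexdigest()


def esp_icv(payload: bytes) -> str:
    """ESP-style ICV: covers only the ESP-protected payload, not the outer IP header."""
    return hmac.new(KEY, payload, hashlib.sha256).hexdigest()


def nat_outbound(packet: dict, public_ip: str) -> dict:
    """Many-to-One NAT rewrites the private source address on the way out."""
    rewritten = dict(packet)
    rewritten["src"] = public_ip
    return rewritten


def receiver_check(packet: dict):
    """The remote peer recomputes both ICVs over the packet it actually received."""
    ah_ok = hmac.compare_digest(
        packet["ah_icv"], ah_icv(packet["src"], packet["dst"], packet["payload"]))
    esp_ok = hmac.compare_digest(packet["esp_icv"], esp_icv(packet["payload"]))
    return ah_ok, esp_ok


def demo() -> dict:
    payload = b"constructed upper-layer data"
    sent = {"src": "192.168.1.10", "dst": "198.51.100.20", "payload": payload}
    sent["ah_icv"] = ah_icv(sent["src"], sent["dst"], payload)
    sent["esp_icv"] = esp_icv(payload)
    return {
        "direct": receiver_check(sent),                             # no NAT: both verify
        "through_nat": receiver_check(nat_outbound(sent, "203.0.113.1")),  # AH fails
    }
```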
The Private Policy IP Address or Local Policy IP Address field displays the IP address (or range of IP addresses) of the computer (or computers) on your Contivity 221's local network, for which you have configured this VPN rule IP policy.
Table 13-2 Summary LABEL DESCRIPTION The Local Policy IP Address field displays the IP policy's virtual IP address (or range of addresses) when you enable branch tunnel NAT address mapping in the IP Policy screen. The Local Policy IP Address field displays a single (static) IP address when the IP policy's Branch Tunnel NAT Address Mapping Rule Type field is configured to One-to-one or Many-to-One in the IP Policy screen.
Encap policy if ??? is displayed. IPSec Algorithm This field displays the security protocols used for an SA. Both AH and ESP increase Contivity 221 processing requirements and communications latency (delay). Secure Gateway This is the static WAN IP address or URL of the remote VPN switch. This field displays 0.0.0.0 when you configure the Secure Gateway Address field in the VPN Branch...
If the Contivity 221 has its maximum number of simultaneous IPSec tunnels connected to it and they all have keep alive enabled, then no other tunnels can take a turn connecting to the Contivity 221 because the Contivity 221 never drops the tunnels that are already connected.
With main mode (see section 13.13.1), the ID type and content are encrypted to provide identity protection. In this case the Contivity 221 can only distinguish between up to eight different incoming SAs that connect from remote VPN switches that have dynamic WAN IP addresses. The...
LOCAL ID TYPE= CONTENT= Type the IP address of your computer or leave the field blank to have the Contivity 221 automatically use its own IP address. Type a domain name (up to 31 characters) by which to identify this Contivity 221.
The two Contivity 221s in this example cannot complete their negotiation because Contivity 221 B’s Local ID type is IP, but Contivity 221 A’s Peer ID type is set to E-mail. An “ID mismatched” message displays in the IPSEC LOG.
VPN rules to inactive. Select this check box to turn on the Keep Alive feature for this SA. Turn on Keep Alive to have the Contivity 221 automatically reinitiate the SA after the Keep Alive SA lifetime times out, even if there is no traffic. The remote VPN switch must also have keep alive enabled in order for this feature to work.
Table 13-7 VPN Contivity Client Rule Setup LABEL DESCRIPTION Apply Click Apply to save your changes back to the Contivity 221. Cancel Click Cancel to return to the VPN Summary screen without saving your changes. 13.11 Configuring Branch Office VPN Rule Setup...
VPN rule is applied. Select this check box to turn on the Keep Alive feature for this SA. Turn on Keep Alive to have the Contivity 221 automatically reinitiate the SA after the Keep Alive SA lifetime times out, even if there is no traffic. The remote VPN switch must also have keep alive enabled in order for this feature to work.
This field displays the IP address of the computer (or a range of computers) on your Contivity 221's local network, for which you have configured this VPN rule. This field applies when you configure the IP policy to use a branch tunnel NAT address mapping rule in the IP Policy screen.
DESCRIPTION This field displays the IP address (or range of IP addresses) of the computer (or computers) on your Contivity 221's local network, for which you have configured this IP policy. This field displays the IP policy's virtual IP address (or range of addresses) when you enable branch tunnel NAT address mapping in the IP Policy screen.
When you select IP in the Local ID Type field, type an IP address or leave the field blank to have the Contivity 221 automatically use its own IP address. When you select DNS in the Local ID Type field, type a domain name (up to 31 characters) by which to identify this Contivity 221.
Table 13-8 VPN Branch Office Rule Setup LABEL DESCRIPTION My IP Address Enter the WAN IP address of your Contivity 221. The Contivity 221 uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0.
Retype to Confirm Type your pre-shared key again in this field. Apply Click Apply to save your changes back to the Contivity 221. Cancel Click Cancel to return to the VPN Summary screen without saving your changes.
Select one of the IP Policies in the VPN Branch Office screen and click Edit to configure the policy's settings. The Branch Office – IP Policy setup screen is shown next. Figure 13-6 VPN Branch Office - IP Policy The following table describes the fields in this screen.
Branch Tunnel NAT Address Mapping Rule Active Enable this feature to have the Contivity 221 use a different (virtual) IP address for the VPN connection. When you enable branch tunnel NAT address mapping, you do not configure the local section.
Virtual addresses must be static and correspond to the remote VPN switch's configured remote IP addresses. The computers on the Contivity 221's LAN and the remote network can function as if they were on the same subnet when the virtual IP address(es) is on the same subnet as the remote IP address(es).
Ending IP Address / Subnet Mask When the Address Type field is configured to Range Address, enter the end (static) IP address in a range of computers on the LAN behind your Contivity 221. When the Address Type field is configured to Subnet Address, this is a subnet mask on the LAN behind your Contivity 221.
Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA should stay up before it times out. The Contivity 221 automatically renegotiates the IPSec SA if there is traffic when the IPSec SA lifetime period expires. The Contivity 221 also automatically renegotiates the IPSec SA if both VPN switches have keep alive enabled, even if there is no traffic.
This may be unnecessary for data that does not require such security, so PFS is disabled (None) by default in the Contivity 221. Disabling PFS means new authentication and encryption keys are derived from the same root secret (which may have security implications in the long run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).
Enable replay detection by setting this field to YES. IKE Phase 1 A phase 1 exchange establishes an IKE SA (Security Association). Negotiation Mode Select Main or Aggressive from the drop-down list box. The Contivity 221's negotiation mode should be identical to that on the remote VPN switch.
This implementation of AES uses a 128-bit key. AES is faster than 3DES. Authentication Algorithm Select SHA1 or MD5 from the drop-down list box. The Contivity 221's authentication algorithm should be identical to that of the remote VPN switch. MD5 (Message Digest 5) and SHA1...
LABEL DESCRIPTION Select ESP or AH from the drop-down list box. The Contivity 221's IPSec Protocol should be identical to the remote VPN switch. The ESP (Encapsulation Security Payload) protocol (RFC 2406) provides encryption as well as the authentication offered by AH. If you select...
A tunnel with no outbound or inbound traffic is "idle" and does not time out until the SA lifetime period expires. See the section on keep alive to have the Contivity 221 renegotiate an IPSec SA when the SA lifetime expires, even if there is no traffic.
This field displays Tunnel or Transport mode. IPSec Algorithm This field displays the security protocols used for an SA. Both AH and ESP increase Contivity 221 processing requirements and communications latency (delay). Refresh Click Refresh to display the current active VPN connection(s). This button is available when you have active VPN connections.
Allow Through IPSec Tunnel Select this check box to send NetBIOS packets through the VPN connection. Click Apply to save your changes back to the Contivity 221. Click Reset to begin configuring this screen afresh.
Part VII: Remote Management and UPnP This part provides information and configuration instructions for remote management and Universal Plug and Play.
When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access. See the firewall chapters for details on configuring firewall rules. You may manage your Contivity 221 from a remote location via: Internet (WAN), ALL (LAN and WAN)
There is a system timeout of five minutes (three hundred seconds) for either the console port or telnet/web/FTP connections. Your Contivity 221 automatically logs you out if you do nothing in this timeout period, except when it is continuously updating the status in menu 24.1 or when sys stdio has been changed on the command line.
Figure 14-1 Telnet Configuration on a TCP/IP Network 14.3 Configuring TELNET Click REMOTE MANAGEMENT to open the TELNET screen. Figure 14-2 Telnet The following table describes the fields in this screen.
IP Address Contivity 221 using this service. Select All to allow any computer to access the Contivity 221 using this service. Choose Selected to just allow the computer with the IP address that you specify to access the Contivity 221 using this service.
Simple Network Management Protocol is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Contivity 221 supports SNMP agent functionality, which allows a manager station to manage and monitor the...
An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the Contivity 221). An agent translates the local management information from the managed device into a form compatible with SNMP.
Trap - Used by the agent to inform the manager of some events. 14.6.1 Supported MIBs The Contivity 221 supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. 14.6.2...
14.6.3 REMOTE MANAGEMENT: SNMP To change your Contivity 221’s SNMP settings, click REMOTE MANAGEMENT, then the SNMP tab. The screen appears as shown. Figure 14-6 SNMP The following table describes the fields in this screen.
The default is public and allows all requests. Trusted Host If you enter a trusted host, your Contivity 221 will only respond to SNMP messages from this address. 0.0.0.0 (default) means your Contivity 221 will respond to all SNMP messages it receives, regardless of source.
IP Address Contivity 221. Select All to allow any computer to send DNS queries to the Contivity 221. Choose Selected to just allow the computer with the IP address that you specify to send DNS queries to the Contivity 221.
To change your Contivity 221’s Security settings, click REMOTE MANAGEMENT, then the Security tab. The screen appears as shown. If an outside user attempts to probe an unsupported port on your Contivity 221, an ICMP response packet is automatically returned. This allows the outside user to know the Contivity 221 exists.
Contivity 221 unseen. If the firewall blocks a packet from the WAN, the Contivity 221 sends a TCP reset packet. Use the "sys firewall tcprst rst off" command in the command interpreter if you want to stop the Contivity 221 from sending TCP reset packets.
• Dynamic port mapping • Learning public IP addresses • Assigning lease times to mappings Windows Messenger is an example of an application that supports NAT traversal and UPnP. See the SUA/NAT chapter for further information about NAT.
15.1.3 Cautions with UPnP The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. All UPnP-enabled devices may communicate freely with each other without additional configuration.
Universal Plug and Play (UPnP) feature Select this checkbox to activate UPnP. Be aware that anyone could use a UPnP application to open the WebGUI's login screen without entering the Contivity 221's IP address (although you must still enter the password to access the WebGUI). Allow users to make...
FIELD DESCRIPTION Device Name This identifies the device in UPnP applications. Click Apply to save your changes back to the Contivity 221. Click Reset to begin configuring this screen afresh. 15.4 Installing UPnP in Windows Example This section shows how to install UPnP in Windows Me and Windows XP.
Step 1. Click start and Control Panel. Step 2. Double-click Network Connections. Step 3. In the Network Connections window, click Advanced in the main menu and select Optional Networking Components …. The Windows Optional Networking Components Wizard window displays.
This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the device. Make sure the computer is connected to a LAN port of the device. Turn on your computer and the Contivity 221. 317517-A Rev 00...
Page 232
Step 4. In the Internet Connection Properties You may edit or delete the port window, click Settings to see the port mappings or click Add to mappings that were automatically created. manually add port mappings. Contivity 221 VPN Switch User’s Guide...
When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
Step 5. Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray.
Step 6.
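The port mappings Windows shows in Step 4 are created by applications through the standard UPnP Internet Gateway Device (IGD) service, without the administrator being involved, which is the exposure section 15.1.3 warns about. The following added example (not Contivity 221 code, and not tied to how the Contivity 221 implements UPnP) parses the messages a LAN client and an IGD exchange, namely the SSDP discovery reply, the device description and a WANIPConnection GetGenericPortMappingEntry reply, and lists every enabled mapping that is reachable from any remote host. All messages, the gateway address 192.168.1.1, the URLs and the mapping contents are constructed samples.

```python
"""Audit UPnP IGD port mappings from captured protocol messages (added example)."""
import xml.etree.ElementTree as ET

DEVICE_NS = "urn:schemas-upnp-org:device-1-0"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Constructed reply to an SSDP M-SEARCH (sent to 239.255.255.250:1900 with
# ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1). Gateway address assumed.
SSDP_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.168.1.1:80/rootDesc.xml\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "USN: uuid:0000-0001::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "\r\n"
)

# Constructed device description fragment listing the WANIPConnection service.
DEVICE_DESC = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
 <device><deviceList><device><deviceList><device>
  <serviceList><service>
   <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
   <controlURL>/ctl/IPConn</controlURL>
  </service></serviceList>
 </device></deviceList></device></deviceList></device>
</root>"""

def mapping_reply(ext_port, proto, int_port, client, enabled, desc, lease):
    """Build a constructed GetGenericPortMappingEntry SOAP reply as the device would return it."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_NS}">
<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>{lease}</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

# Two constructed mappings: one an instant-messaging client opened, one disabled.
MAPPING_REPLIES = [
    mapping_reply(6891, "TCP", 6891, "192.168.1.33", 1, "msmsgs 6891 TCP", 0),
    mapping_reply(5000, "UDP", 5000, "192.168.1.44", 0, "game (disabled)", 3600),
]

def parse_ssdp_location(reply):
    """Return the LOCATION URL from an SSDP 200 OK reply (header names are case-insensitive)."""
    status, _, headers = reply.partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP 200 OK reply")
    for line in headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    raise ValueError("no LOCATION header")

def find_control_url(desc_xml, service=WANIP_NS):
    """Walk the nested device tree and return the controlURL of the given service, or None."""
    for svc in ET.fromstring(desc_xml).iter(f"{{{DEVICE_NS}}}service"):
        if svc.findtext(f"{{{DEVICE_NS}}}serviceType") == service:
            return svc.findtext(f"{{{DEVICE_NS}}}controlURL")
    return None

def parse_mapping(soap_xml):
    """Extract one port mapping from a GetGenericPortMappingEntry reply."""
    root = ET.fromstring(soap_xml)
    resp = next(root.iter(f"{{{WANIP_NS}}}GetGenericPortMappingEntryResponse"))
    f = {child.tag: (child.text or "") for child in resp}  # argument elements are unqualified
    return {
        "remote_host": f["NewRemoteHost"],
        "external_port": int(f["NewExternalPort"]),
        "protocol": f["NewProtocol"],
        "internal_client": f["NewInternalClient"],
        "internal_port": int(f["NewInternalPort"]),
        "enabled": f["NewEnabled"] == "1",
        "description": f["NewPortMappingDescription"],
        "lease": int(f["NewLeaseDuration"]),
    }

def audit(replies):
    """Return (client, port, proto, external port, permanent) for each enabled mapping
    open to any remote host. A real walk increments NewPortMappingIndex until the
    device answers with SOAP error 713 (SpecifiedArrayIndexInvalid)."""
    findings = []
    for m in map(parse_mapping, replies):
        if m["enabled"] and m["remote_host"] == "":
            findings.append((m["internal_client"], m["internal_port"], m["protocol"],
                             m["external_port"], m["lease"] == 0))
    return findings

if __name__ == "__main__":
    print("description at", parse_ssdp_location(SSDP_REPLY))
    print("control URL", find_control_url(DEVICE_DESC))
    for row in audit(MAPPING_REPLIES):
        print("exposed:", row)
```

A mapping with an empty NewRemoteHost and a lease of 0 is reachable from the whole Internet until something deletes it; that is the case to look for when deciding whether the UPnP checkbox should stay enabled.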
WebGUI Easy Access With UPnP, you can access the web-based configurator without first finding out its IP address. This is helpful if you do not know the IP address of your Contivity 221. Follow the steps below to access the WebGUI.
16.1 Configuring View Log
The WebGUI allows you to look at all of the Contivity 221’s logs in one location. Click LOGS to open the View Log screen. Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen (see section 16.2). Options include logs about system maintenance, system errors, access control, allowed or blocked web sites, blocked web features (such as ActiveX controls, Java and cookies), attacks (such as DoS) and IPSec.
Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
Time: This field displays the time the log was recorded. See the chapter on system maintenance and information to configure the Contivity 221’s time and date.
To change your Contivity 221’s log settings, click Logs, then the Log Settings tab. The screen appears as shown. Use the Log Settings screen to configure where the Contivity 221 sends its logs, the schedule on which it sends them, and which logs and/or immediate alerts it sends.
Use the drop down list box to select which day of the week to send the logs.
Time for Sending Log: Enter the time of the day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs.
The Contivity 221 records web site hits by counting the HTTP GET packets. Many web sites include HTTP GET references to other web sites and the Contivity 221 may count these as hits, thus the web hit count is not (yet) 100% accurate.
IP addresses.
Start Collection/Stop Collection: The button text shows Start Collection when the Contivity 221 is not recording report data and Stop Collection when the Contivity 221 is recording report data.
In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the Contivity 221 record and display which web sites have been visited the most often and how many times they have been visited.
In the Reports screen, select Protocol/Port from the Report Type drop-down list box to have the Contivity 221 record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports.
In the Reports screen, select LAN IP Address from the Report Type drop-down list box to have the Contivity 221 record and display the LAN IP addresses that the most traffic has been sent to and/or from and how much traffic has been sent to and/or from those IP addresses.
The count starts over at 0 if it passes four billion.
Bytes count limit: Up to 2^32 bytes can be counted per protocol/port or LAN IP address. The count starts over at 0 if it passes 2^32 bytes.
17.1 Maintenance Overview
The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your Contivity 221.
17.2 Status Screen
Click MAINTENANCE to open the Status screen, which you can use to monitor your Contivity 221.
Nortel Firmware Version: This is the Nortel Networks Firmware version and the date created.
Routing Protocols: This shows the routing protocol - IP for which the Contivity 221 is configured.
WAN Port IP Address: This is the WAN port IP address.
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the Contivity 221 as a DHCP server or disable it. When configured as a server, the Contivity 221 provides the TCP/IP configuration for the clients.
See the Firmware and Configuration File Maintenance chapter in the SMT User’s Guide for upgrading firmware using FTP/TFTP commands. Click MAINTENANCE, and then the F/W UPLOAD tab. Follow the instructions in this screen to upload firmware to your Contivity 221.
Click Upload to begin the upload process. This process may take up to two minutes. Do not turn off the device while firmware upload is in progress! After you see the Firmware Upload in Process screen, wait two minutes before logging into the device again.
Figure 17-6 Firmware Upload In Process
The device automatically restarts during this time, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
Figure 17-7 Network Temporarily Disconnected
After two minutes, log in again and check your new firmware version in the System Status screen. If the upload was not successful, the following screen will appear.
See the Firmware and Configuration File Maintenance chapter in the SMT User’s Guide for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE, and then the Configuration tab. Information related to factory defaults, backup configuration, and restoring configuration appears as shown next.
17.5.1 Back to Factory Defaults
Pressing the Reset button in this section clears all user-entered configuration information and returns the Contivity 221 to its factory defaults as shown on the screen. The following warning screen will appear.
Figure 17-10 Reset Warning Message
You can also press the RESET button on the rear panel to reset the factory defaults of your Contivity 221. Refer to the Hardware Installation chapter for more information on the RESET button.
17.5.2 Backup Configuration
Backup Configuration allows you to back up (save) the device’s current configuration to a 104KB...
Figure 17-11 Configuration Upload Successful
The device automatically restarts during this time, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
Figure 17-12 Network Temporarily Disconnected
If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default device IP address (192.168.1.1).
SMT General Configuration Part X: SMT General Configuration This part introduces the System Management Terminal and covers the General setup menu, WAN and dial backup setup, LAN, and Internet access. See the WebGUI parts of this guide for background information on features configurable by WebGUI and SMT.
♦ No parity, 8 data bits, 1 stop bit, flow control set to none. 18.2.1 Initial Screen When you turn on your Contivity 221, it performs several internal tests as well as line initialization. After the tests, the Contivity 221 asks you to press to continue, as shown next.
Enter Password : XXXX
18.3 Navigating the SMT Interface
The SMT is an interface that you use to configure your Contivity 221. Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below.
Type 99 at the main menu prompt and press [ENTER] to exit the SMT interface.
18.3.1 Main Menu
After you enter the password, the SMT displays the Contivity 221 Main Menu, as shown next. Not all models have all the features shown.
Figure 18-3 Main Menu
Contivity 221 Main Menu
Getting Started                  Advanced Management
1. General Setup                 21. Filter and Firewall Setup
2. WAN Setup                     22. SNMP Configuration
3. LAN Setup                     23. System Password
4. Internet Access Setup         24.
System Maintenance: From displaying system status to uploading firmware, this menu provides comprehensive system maintenance.
Schedule Setup: Use this menu to schedule outgoing calls.
Exit: Use this menu to exit (necessary for remote configuration).
Step 4. Note that as you type a password, the screen displays an “X” for each character you type.
18.5 Resetting the Contivity 221
See the chapter that introduces the WebGUI for directions on resetting the Contivity 221.
Second System DNS Server= From ISP    IP Address= N/A
Third System DNS Server= From ISP     IP Address= N/A
Edit Dynamic DNS= No
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this screen.
FIELD / DESCRIPTION / EXAMPLE
System Name: Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name” in this field. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes “-” and underscores "_" are accepted. (Example: Contivity 221)
Follow the instructions in the next table to configure Dynamic DNS parameters.
Table 19-2 Configure Dynamic DNS Menu Fields
FIELD / DESCRIPTION / EXAMPLE
Service Provider: This is the name of your Dynamic DNS service provider. (Example: WWW.DynDNS.ORG, the default)
IP address of the host name(s) with the Contivity 221’s WAN IP address. DDNS does not work with a private IP address. When both fields are set to No, the Contivity 221 must have a public WAN IP address in order for DDNS to work.
User Specified IP Address: ... IP address of the host name(s) to the IP address specified below. Only select Yes if the Contivity 221 uses or is behind a static public IP address.
IP Address: Enter the static public IP address if you select Yes in the User Specified IP Addr field.
20.1 Introduction to WAN and Dial Backup Setup
This chapter explains how to configure settings for your WAN port and how to configure the Contivity 221 for a dial backup connection.
20.2 WAN Setup
From the main menu, enter 2 to open menu 2.
Table 20-1 MAC Address Cloning in WAN Setup
FIELD / DESCRIPTION / EXAMPLE
Assigned By: Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address. Choose Factory Default to select the factory assigned default MAC Address. (Example: IP address attached on ...)
9600, 19200, 38400, 57600, 115200 or 230400 bps.
AT Command String: Init: Enter the AT command string to initialize the WAN device. Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands. (Example: at&fs0=0)
Table 20-2 Menu 2: Dial Backup Setup
FIELD / DESCRIPTION / EXAMPLE
Edit Advanced Setup: To edit the advanced setup for the Dial Backup port, move the cursor to this field; press the [SPACE BAR] to select Yes and then press [ENTER] to go to Menu 2.1: Advanced Setup.
221 times out and stops if it cannot set up an outgoing call within the timeout value.
Retry Count: Enter a number of times for the Contivity 221 to retry a busy or no-answer phone number before blacklisting the number. (0 to disable)
Table 20-4 Advanced WAN Port Setup: Call Control Parameters FIELD DESCRIPTION DEFAULT Retry Interval Enter a number of seconds for the Contivity 221 to wait before (sec) trying another call after a call has failed. This applies before a phone number is blacklisted. Drop Timeout...
This field sets the authentication protocol used for outgoing calls. Options for this field are: CHAP/PAP - Your Contivity 221 will accept either CHAP or PAP when requested by this remote node (default). CHAP - accept CHAP only. PAP - accept PAP only. Note that PAP sends the password across the link in cleartext, whereas CHAP answers a challenge with a hash and never transmits the secret itself; select CHAP unless the remote node can only do PAP.
20.7 Editing PPP Options
The Contivity 221’s dial backup feature uses PPP. To edit the remote node PPP Options, move the cursor to the [Edit PPP Options] field in Menu 11.1 - Remote Node Profile, and use the space bar to select [Yes]. Press [Enter] to open Menu 11.2 as shown next.
Select this option if your Dial Backup WAN device uses Cisco PPP encapsulation; otherwise select Standard PPP (default).
Compression: Press [SPACE BAR] and then [ENTER] to select Yes to enable or No (default) to disable Stac compression.
20.8 Editing TCP/IP Options
Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options.
Figure 20-6 Menu 11.3: Remote Node Network Layer Options
Menu 11.3 - Remote Node Network Layer Options
IP Address Assignment= Dynamic
Rem IP Addr= 0.0.0.0...
(automatically) assign your WAN IP address if you do not (default) know it. Enter your WAN IP address here if you know it (static). This is the address assigned to your local Contivity 221, not the remote router. Network...
Please note that the ordering of the sets is significant, i.e., starting from set 1, the Contivity 221 will wait until the ‘Expect’ string is matched before it proceeds to set 2, and so on for the rest of the script.
If there are errors in the script and it gets stuck at a set for longer than the “Dial Timeout” in menu 2 (default 60 seconds), the Contivity 221 will timeout and drop the line. To debug a script, go to Menu 24.4 to initiate a manual call and watch the trace display to see if the sequence of messages...
Use menu 11.5 to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the Contivity 221 to prevent certain packets from triggering calls. You can specify up to four filter sets separated by commas, for example, 1, 5, 9, 12, in each filter field. Note that spaces are accepted in this field.
This chapter describes how to configure the LAN using Menu 3: LAN Setup.
21.1 Introduction to LAN Setup
This chapter describes how to configure the Contivity 221 for LAN connections.
21.2 Accessing the LAN Menus
From the main menu, enter 3 to open Menu 3 – LAN Setup.
Figure 21-2 Menu 3.1: LAN Port Filter Setup
Menu 3.1 – LAN Port Filter Setup
Input Filter Sets:
  protocol filters=
  device filters=
Output Filter Sets:
  protocol filters=
  device filters=
Press ENTER to Confirm or ESC to Cancel:
TCP/IP and DHCP Ethernet Setup Menu
From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup.
This field enables/disables the DHCP server. If set to Server, your Contivity 221 will act as a DHCP server. If set to None, the DHCP server will be disabled. (Example: Server) When set to Server, the following items need to be set:...
Table 21-1 DHCP Ethernet Setup Menu Fields
FIELD / DESCRIPTION / EXAMPLE
The Contivity 221 passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. Select From ISP if your ISP dynamically assigns DNS server information (and the Contivity 221's WAN IP address).
Table 21-2 LAN TCP/IP Setup Menu Fields
FIELD / DESCRIPTION / EXAMPLE
IP Address: Enter the IP address of your Contivity 221 in dotted decimal notation. (Example: 192.168.1.1, the default)
IP Subnet Mask: Your Contivity 221 will automatically calculate the subnet mask ... (Example: 255.255.255.0...)
Table 21-3 IP Alias Setup Menu Fields
FIELD / DESCRIPTION / EXAMPLE
IP Alias: Choose Yes to configure the LAN network for the Contivity 221.
IP Address: Enter the IP address of your Contivity 221 in dotted decimal notation. (Example: 192.168.1.1)
IP Subnet Mask: Your Contivity 221 will automatically calculate the subnet mask ... (Example: 255.255.255.0...)
Enter the filter set(s) you wish to apply to the outgoing traffic Protocol Filters between this node and the Contivity 221. When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [ESC] at any time to cancel.
Chapter 22 Internet Access
This chapter shows you how to configure your Contivity 221 for Internet access.
22.1 Introduction to Internet Access Setup
Use information from your ISP along with the instructions in this chapter to set up your Contivity 221 to access the Internet.
Enter the password again to make sure that you have entered it correctly. Login Server The Contivity 221 will find the RoadRunner Server IP if this field is left blank. If it does not, then you must enter the authentication server IP address.
Configuring the PPTP Client 22.3 The Contivity 221 supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
PPTP encapsulation method influences your choices for the IP Address field.
Idle Timeout: This value specifies the time, in seconds, that elapses before the Contivity 221 automatically disconnects from the PPTP server. (default)
22.4 Configuring the PPPoE Client
If you enable PPPoE in menu 4, you will see the next screen. For more information on PPPoE, please see the Appendix.
22.5 Basic Setup Complete
Well done! You have successfully connected, installed and set up your Contivity 221 to operate on your network as well as access the Internet. When the firewall is activated, the default policy allows all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet.
SMT Advanced Applications Part XI: SMT Advanced Applications This part covers setting up remote nodes, IP static routes and Network Address Translation. It also covers the SMT firewall menu, filters and SNMP. See the WebGUI parts of this guide for background information on features configurable by WebGUI and SMT.
Then enter 1 to open Menu 11.1 Remote Node Profile and configure the setup for your regular ISP. Enter 2 to open Menu 11.1 Remote Node Profile (Backup ISP) and configure the setup for your Dial Backup port connection (see the chapter on WAN).
Figure 23-1 Menu 11 Remote Node Setup
Menu 11 - Remote Node Setup
1. ChangeMe (ISP, SUA)
2. -GUI (BACKUP_ISP, SUA)
Enter Node # to Edit:
23.3 Remote Node Profile Setup
The following explains how to configure the remote node profile menu.
23.3.1 Ethernet Encapsulation
There are two variations of menu 11.1 depending on whether you choose Ethernet...
PPPoE service here. Only valid with PPPoE encapsulation.
Outgoing My Login: This field is applicable for PPPoE encapsulation only. Enter the login name assigned by your ISP when the Contivity 221 calls this remote node. Some ISPs append this field to the Service Name field above (e.g., jim@poellc) to access the PPPoE server.
The Contivity 221 supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you’re using the Contivity 221 with a DSL modem as the WAN device. If you change the Encapsulation to PPPoE, then you will see the next screen. Please see the Appendices for more information on PPPoE.
The Contivity 221 does two things when you specify a nailed-up connection. The first is that idle timeout is disabled. The second is that the Contivity 221 will try to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be very expensive for obvious reasons.
This field sets the authentication protocol used for outgoing calls. Options for this field are: CHAP/PAP - Your Contivity 221 will accept either CHAP or PAP when requested by this remote node (default). CHAP - accept CHAP only. PAP - accept PAP only. Note that PAP sends the password across the link in cleartext, whereas CHAP answers a challenge with a hash and never transmits the secret itself; select CHAP unless the remote node can only do PAP.
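The authentication field in menu 2 (Dial Backup) and in menu 11.1 (Remote Node Profile) offers the same CHAP/PAP, CHAP and PAP choices. The following added example, which is not Contivity 221 code, implements the MD5 CHAP exchange of RFC 1994 and the PAP Authenticate-Request layout of RFC 1334 so the difference is visible on the wire: a sniffer sees the password itself under PAP, but only a one-time hash under CHAP, and a captured CHAP response cannot be replayed against a fresh challenge. The peer name, secrets and challenge bytes are constructed.

```python
"""CHAP versus PAP for PPP link authentication (added example, not Contivity 221 code)."""
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """Peer side. RFC 1994: Response Value = MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("the CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(identifier, secret, challenge, response):
    """Authenticator side: recompute with the stored secret and compare in constant time."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)

def pap_request(peer_id, password):
    """PAP Authenticate-Request data: Peer-ID-Length, Peer-ID, Passwd-Length, Password."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password

def link_captures(secret, password, challenge=None):
    """What a sniffer on the link sees for each method: the CHAP Challenge and
    Response values (a random value and a hash) versus the PAP request (the password)."""
    challenge = os.urandom(16) if challenge is None else challenge
    ident = 1  # Identifier chosen by the authenticator, assumed here
    return {
        "chap_challenge": challenge,
        "chap_response": chap_response(ident, secret, challenge),
        "pap_request": pap_request(b"dialbackup", password),  # peer name assumed
    }

def replay_succeeds(secret, old_response, new_challenge):
    """Replaying a captured CHAP response against a fresh challenge must fail."""
    return chap_verify(1, secret, new_challenge, old_response)

if __name__ == "__main__":
    cap = link_captures(b"s3cret", b"s3cret")
    print("PAP carries the password:", b"s3cret" in cap["pap_request"])
    print("CHAP response is a 16-byte hash:", len(cap["chap_response"]))
```

The shared secret still has to be protected on both ends: CHAP keeps it off the wire, but the authenticator needs the plaintext secret to recompute the hash, and an offline dictionary attack on a captured challenge/response pair is possible if the secret is weak.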
“c:id” and “n:name” format. This field is optional and depends on the requirements of your DSL modem.
Schedules: You can apply up to four schedule sets here. For more details refer to the Call Schedule Setup chapter.
Table 23-3 Fields in Menu 11.1 (PPTP Encapsulation)
FIELD / DESCRIPTION / EXAMPLE
Nailed-Up Connections: Press [SPACE BAR] and then [ENTER] to select Yes if you want to make the connection to this remote node a nailed-up connection.
23.4 Edit IP
Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes.
WAN network number. If this is the case, enter the IP address assigned to the WAN port of your Contivity 221. Note that this is the address assigned to your local Contivity 221, not the remote router. Network...
Use menu 11.5 to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the Contivity 221 to prevent certain packets from triggering calls. You can specify up to 4 filter sets separated by commas, for example, 1, 5, 9, 12, in each filter field. Note that spaces are accepted in this field.
Device filters=
Enter here to CONFIRM or ESC to CANCEL:
To configure the parameters for traffic redirect, enter 11 from the main menu to display Menu 11.1—Remote Node Profile as shown next.
Press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.
23.5.1 Traffic Redirect Setup
Configure parameters that determine when the Contivity 221 will forward WAN traffic to the backup gateway using Menu 11.6 — Traffic Redirect Setup.
IP Address ISP’s DNS server address) to test your Contivity 221’s WAN accessibility. The Contivity 221 uses the default gateway IP address if you do not enter an IP address here. If you are using PPTP or PPPoE Encapsulation, enter “0.0.0.0” to configure the Contivity 221 to check the PVC (Permanent Virtual Circuit) or PPTP tunnel.
Five to 60 is usually a good number. Timeout (sec) Enter the number of seconds the Contivity 221 waits for a ping response from the IP Address in the Check WAN IP Address field before it times out. The number in this field should be less than the number in the Period field.
Chapter 24 IP Static Route Setup
This chapter shows you how to configure static routes with your Contivity 221.
24.1 IP Static Route Setup
Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.
Contivity 221 that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your Contivity 221; over the WAN, the gateway must be the IP address of one of the remote nodes.
DESCRIPTION Private This parameter determines if the Contivity 221 will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.
LAN IP addresses of clients or servers using mapping types as outlined in the WebGUI User’s Guide. 1. Choose SUA Only if you have just one public WAN IP address for your Contivity 221. 2. Choose Full Feature if you have multiple public WAN IP addresses for your Contivity 221.
Figure 25-1 Menu 4: Applying NAT for Internet Access
Menu 4 - Internet Access Setup
ISP's Name= myISP
Encapsulation= Ethernet
Service Type= Standard
My Login= N/A
My Password= N/A
Login Server IP= N/A
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Address= N/A
Network Address Translation= SUA Only...
SUA Only: When you select this option the SMT will use Address Mapping Set 255 (menu 15.1 - see section 25.2.1). Choose SUA Only if you have just one public WAN IP address for your Contivity 221.
25.2 NAT Setup
Use the address mapping sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN. You can see two NAT address mapping sets in menu 15.1. You can only configure Set 1. Set 255 is used for SUA. When you select Full Feature in menu 4 or 11.3, the SMT will use Set 1.
Local Start IP    Local End IP      Global Start IP   Global End IP   Type
---------------   ---------------   ---------------   -------------   ------
0.0.0.0           255.255.255.255   0.0.0.0           0.0.0.0         Server
Press ENTER to Confirm or ESC to Cancel:
The following table explains the fields in this screen.
Menu 15.1.255 is read-only.
Table 25-2 SUA Address Mapping Rules
FIELD / DESCRIPTION / EXAMPLE
Set Name: This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to create.
This is the index or rule number.
(described later) and the values are displayed here. Ordering Your Rules Ordering your rules is important because the Contivity 221 applies the rules in the order that you specify. When a rule matches the current packet, the Contivity 221 takes the corresponding action and the remaining rules are ignored.
Table 25-3 Fields in Menu 15.1.1
FIELD / DESCRIPTION / EXAMPLE
Set Name: Enter a name for this set of rules. This is a required field. If this field is left blank, the entire set will be deleted. (Example: NAT_SET)
Action: The default is Edit.
Enter a port number in an unused Start Port No field. To forward only one port, enter it again in the End Port No field. To specify a range of ports, enter the last port to be forwarded in the End Port No field.
Step 4. Enter the inside IP address of the server in the IP Address field. In the following figure, you have a computer acting as an FTP, Telnet and SMTP server (ports 21, 23 and 25) at 192.168.1.33.
Step 5.
25.4.1 Internet Access Only
In the following Internet access example, you only need one rule where all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP.
Figure 25-10 NAT Example 1
Figure 25-11 Menu 4: Internet Access & NAT Example
Menu 4 - Internet Access Setup
ISP's Name= ChangeMe
Encapsulation= Ethernet
Service Type= Standard
My Login= N/A
My Password= N/A
Login Server IP= N/A
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A...
Start Port No.   End Port No.   IP Address
Default          Default        192.168.1.10
(unused rules)                  0.0.0.0
1026             1026           RR Reserved
Press ENTER to Confirm or ESC to Cancel:
25.4.3 Example 3: Multiple Public IP Addresses With Inside Servers
In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server. All departments share the same router. The example will reserve one IGA for each department with an FTP server and all departments use the other IGA. Map the FTP servers to the first two IGAs and the other LAN traffic to the remaining IGA.
When finished, menu 15.1.1 should look as shown in Figure 25-17.
Step 7.
Figure 25-15 Example 3: Menu 11.3
Menu 11.3 - Remote Node Network Layer Options
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Addr= N/A
Network Address Translation= Full Feature
Metric= N/A
Private= N/A
RIP Direction= None
Version= N/A
Enter here to CONFIRM or ESC to CANCEL:
Start Port No.   End Port No.   IP Address
---------------------------------------------------
Default          Default        0.0.0.0
                                192.168.1.21
                                192.168.1.20
(unused rules)                  0.0.0.0
1026             1026           RR Reserved
Press ENTER to Confirm or ESC to Cancel:
25.4.4 Example 4: NAT Unfriendly Application Programs
Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping as port numbers do not change for Many-One-to-One (and One-to-One) NAT mapping types.
Local Start IP    Local End IP      Global Start IP   Global End IP   Type
---------------   ---------------   ---------------   -------------   ------
192.168.1.10      192.168.1.12      10.132.50.1       10.132.50.3     M-1-1
Action= Edit
Select Rule=
Press ENTER to Confirm or ESC to Cancel:
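Section 25.2 says the rules in a mapping set are applied in the order listed and the first match wins, Example 3 relies on that ordering to give the FTP servers their own IGAs ahead of a catch-all rule, and Example 4 relies on Many-One-to-One leaving port numbers alone. The following added example (not Contivity 221 code) models those four rule types and both directions of translation so the effect of ordering can be checked before it is typed into menu 15.1.1. The addresses follow the examples above, but the exact rule layout, the translated-port pool starting at 1024, the menu 15.2 server entry and the "0.0.0.0 means the WAN IP" convention are assumptions.

```python
"""Address-mapping rule evaluation for the SMT NAT menus (added example, not Contivity 221 code)."""
import ipaddress
from dataclasses import dataclass, field

def ip2int(a): return int(ipaddress.IPv4Address(a))
def int2ip(n): return str(ipaddress.IPv4Address(n))

@dataclass
class Rule:
    local_start: str
    local_end: str
    global_start: str   # 0.0.0.0 is taken to mean "the WAN IP address"
    global_end: str     # N/A or 0.0.0.0 means a single global address
    type: str           # "1-1", "M-1", "M-1-1" or "Server"

@dataclass
class Nat:
    rules: list
    wan_ip: str
    servers: dict = field(default_factory=dict)   # (global ip, port) -> inside ip (menu 15.2)
    sessions: dict = field(default_factory=dict)  # (global ip, global port) -> (local ip, port)
    next_port: int = 1024                          # assumed pool for Many-to-One port rewriting

    def _global_range(self, r):
        start = self.wan_ip if r.global_start == "0.0.0.0" else r.global_start
        end = start if r.global_end in ("0.0.0.0", "N/A") else r.global_end
        return ip2int(start), ip2int(end)

    def translate_out(self, src_ip, src_port):
        """LAN to WAN: the first non-Server rule whose local range covers the source wins."""
        s = ip2int(src_ip)
        for r in self.rules:
            if r.type == "Server" or not ip2int(r.local_start) <= s <= ip2int(r.local_end):
                continue
            gstart, gend = self._global_range(r)
            if r.type in ("1-1", "M-1-1"):
                g = gstart + (s - ip2int(r.local_start))   # same offset into the global range
                if g > gend:
                    continue                                 # local range wider than global range
                return int2ip(g), src_port                   # port untouched
            if r.type == "M-1":
                gport, self.next_port = self.next_port, self.next_port + 1
                self.sessions[(int2ip(gstart), gport)] = (src_ip, src_port)
                return int2ip(gstart), gport                 # port rewritten
        return None

    def translate_in(self, dst_ip, dst_port):
        """WAN to LAN: static rules map back directly, M-1 needs an existing session and
        Server consults the port-forwarding table; anything else is unsolicited and dropped."""
        d = ip2int(dst_ip)
        for r in self.rules:
            gstart, gend = self._global_range(r)
            if not gstart <= d <= gend:
                continue
            if r.type in ("1-1", "M-1-1"):
                return int2ip(ip2int(r.local_start) + (d - gstart)), dst_port
            if r.type == "M-1" and (dst_ip, dst_port) in self.sessions:
                return self.sessions[(dst_ip, dst_port)]
            if r.type == "Server" and (dst_ip, dst_port) in self.servers:
                return self.servers[(dst_ip, dst_port)], dst_port
        return None

def example3():
    """Dedicated IGAs for two FTP servers, shared IGA (with one server entry) for the rest."""
    rules = [
        Rule("192.168.1.10", "192.168.1.10", "10.132.50.1", "N/A", "1-1"),
        Rule("192.168.1.11", "192.168.1.11", "10.132.50.2", "N/A", "1-1"),
        Rule("0.0.0.0", "255.255.255.255", "10.132.50.3", "N/A", "M-1"),
        Rule("0.0.0.0", "0.0.0.0", "10.132.50.3", "N/A", "Server"),
    ]
    return Nat(rules, wan_ip="10.132.50.3", servers={("10.132.50.3", 25): "192.168.1.21"})

def example3_misordered():
    """Same rules with the catch-all first: the FTP servers never reach their own IGA."""
    nat = example3()
    nat.rules = [nat.rules[2]] + nat.rules[:2] + [nat.rules[3]]
    return nat

def example4():
    """Many-One-to-One for NAT-unfriendly applications: addresses change, ports do not."""
    return Nat([Rule("192.168.1.10", "192.168.1.12", "10.132.50.1", "10.132.50.3", "M-1-1")],
               wan_ip="10.132.50.1")

if __name__ == "__main__":
    print("ordered:   ", example3().translate_out("192.168.1.10", 21))
    print("misordered:", example3_misordered().translate_out("192.168.1.10", 21))
```

With the catch-all Many-to-One rule listed first, the FTP server's traffic leaves from the shared IGA with a rewritten source port, and inbound connections to its dedicated IGA find no session and are dropped; that is the failure the ordering note in section 25.2 is about.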
Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The Contivity 221 forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service.
7170
Trigger: The trigger port is a port (or a range of ports) that causes (or triggers) the Contivity 221 to record the IP address of the LAN computer that sent the traffic to a server on the WAN.
Start Port: Enter a port number or the starting port number in a range of port numbers.
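The trigger and incoming port fields describe a small piece of state: outbound traffic to the trigger port records which LAN host asked, and only that host then receives the unsolicited inbound traffic on the incoming ports. The following added example (not Contivity 221 code) models that behaviour, including the case where nothing has triggered the rule yet. The rule name and port numbers (trigger 7070, incoming 6970-7170) are assumptions, as is the choice to let a later trigger from another host replace the recorded address.

```python
"""Trigger-port forwarding state (added example, not Contivity 221 code)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class TriggerRule:
    name: str
    trigger_start: int
    trigger_end: int
    incoming_start: int
    incoming_end: int

class TriggerTable:
    def __init__(self, rules):
        self.rules = list(rules)
        self.opened = {}   # rule name -> LAN address that last hit the trigger port

    def outbound(self, lan_ip, wan_dst_port):
        """LAN-to-WAN traffic: record the sender if the destination port is a trigger.
        Returns the name of the triggered rule, or None."""
        for r in self.rules:
            if r.trigger_start <= wan_dst_port <= r.trigger_end:
                self.opened[r.name] = lan_ip      # assumption: a newer trigger replaces the old host
                return r.name
        return None

    def inbound(self, wan_dst_port):
        """Unsolicited WAN-to-LAN traffic: return the LAN host to forward to, or None when
        no host has triggered a matching rule (the firewall default policy then applies)."""
        for r in self.rules:
            if r.incoming_start <= wan_dst_port <= r.incoming_end and r.name in self.opened:
                return self.opened[r.name]
        return None

    def close(self, name):
        """Forget the recorded host, for example when the application session ends."""
        self.opened.pop(name, None)

def demo_table():
    """One rule with assumed ports: trigger on 7070, accept 6970-7170 back in."""
    return TriggerTable([TriggerRule("Real Audio", 7070, 7070, 6970, 7170)])

if __name__ == "__main__":
    t = demo_table()
    print("before trigger:", t.inbound(7000))
    t.outbound("192.168.1.33", 7070)
    print("after trigger: ", t.inbound(7000))
```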
From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next.
Figure 26-1 Menu 21: Filter and Firewall Setup
Menu 21 - Filter and Firewall Setup
1. Filter Setup
2. Firewall Setup
26.1.1 Activating the Firewall
Enter option 2 in this menu to bring up the following screen. Press [SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks.
27.1 Introduction to Filters
Your Contivity 221 uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later.
A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The Contivity 221 allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system.
Filter rule process (flowchart): fetch the first filter set and its first filter rule; if the rule is active, execute it, with the outcomes Forward (accept packet), Drop (drop packet) or Check Next Rule; when no next rule is available, fetch the next filter set; when no next filter set is available, accept the packet.
24 rules active for a single port.
27.2 Configuring a Filter Set
The Contivity 221 includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below.
Step 1.
“F” means to forward the packet immediately and skip checking the remaining rules. “D” means to drop the packet. “N” means to check the next rule. The protocol dependent filter rule abbreviations are listed as follows:
Enter the destination IP Address of the packet you wish to filter. This field is ignored if it is 0.0.0.0. (Default: 0.0.0.0)
IP Mask: Enter the IP mask to apply to the Destination: IP Addr. (Default: 0.0.0.0)
Table 27-3 TCP/IP Filter Rule Menu Fields
FIELD / DESCRIPTION / OPTIONS
Port #: Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535 (options: 0-65535). This field is ignored if it is
Port # Comp: Press [SPACE BAR] and then [ENTER] to select the ... (options: None...)
ENTER to Confirm” to save your configuration, or press [ESC] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary. The following figure illustrates the logic flow of an IP filter.
Figure 27-7 Executing an IP Filter (flowchart): the packet enters the IP filter; if the filter is active, the source address mask is applied to the source address and the source IP address is checked (matched or not matched); the destination address mask is applied to the destination address and the destination IP address is checked; then the IP protocol is checked (matched or not matched); ...
For IP, it is generally easier to use the IP rules directly. For generic rules, the Contivity 221 treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes.
Table 27-4 Generic Filter Rule Menu Fields
FIELD / DESCRIPTION / OPTIONS
Filter Type: Use [SPACE BAR] and then [ENTER] to select a rule type. Parameters displayed below each type will be different. TCP/IP filter rules are used to filter IP packets while generic filter rules allow filtering of non-IP packets. (Options: Generic Filter Rule ...)
Filter Configuration 27-13 Example Filter 27.3 Let’s look at an example to block outside users from accessing the Contivity 221 via telnet. Please see our included disk for more example filters. Figure 27-9 Telnet Filter Example Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup.
27-14 Filter Configuration Step 6. Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure. Figure 27-10 Example Filter: Menu 21.1.3.1 Press [SPACE BAR] and then Menu 21.1.3.1 - TCP/IP Filter Rule [ENTER] to choose this filter rule Filter #: 3,1...
There are two classes of filter rules, Generic Filter (Device) rules and protocol filter (TCP/IP) rules. Generic filter rules act on the raw data from/to LAN and WAN. Protocol filter rules act on...
On the other hand, the generic, or device filters are applied to the raw packets that appear on the wire. They are applied at the point when the Contivity 221 is receiving and sending the packets; i.e. the interface. The interface can be an Ethernet port or any other hardware port.
3, 4, 6, 11. Input filter sets filter incoming traffic to the Contivity 221 and output filter sets filter outgoing traffic from the Contivity 221. For PPPoE or PPTP encapsulation, you have the additional option of specifying remote node call filter sets.
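The rule semantics described in this chapter can be modelled in a few lines, which is useful for checking a filter set before typing it into Menu 21. The following is an added example written for this page, not code from the Nortel guide or the device firmware. It follows the text where the text is explicit (an address field of 0.0.0.0 is ignored, the port field is ignored when it is 0, “F” forwards at once and skips the remaining rules, “D” drops, “N” goes on to the next rule, generic rules look at the raw bytes at an Offset and Length) and labels everything else as an assumption: a protocol value of 0 meaning “any protocol”, the names of the port comparison operators, a mask/value pair for generic rules, and forwarding a packet that no rule decided on. The telnet example of section 27.3 (drop TCP to destination port 23) is the first rule set it builds; the packets and frame bytes are constructed.

```python
"""Added example (not from the Nortel guide): a model of the Contivity 221
TCP/IP and generic filter rule evaluation described in this chapter."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Union

# Action codes as the guide defines them
FORWARD, DROP, NEXT = "F", "D", "N"


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int          # 6 = TCP, 17 = UDP, 1 = ICMP
    dport: int = 0
    raw: bytes = b""       # raw frame bytes, examined only by generic rules


@dataclass
class TcpIpRule:
    protocol: int = 0                 # assumption: 0 means "any protocol"
    src_addr: str = "0.0.0.0"         # ignored if 0.0.0.0 (as the field table says)
    src_mask: str = "0.0.0.0"
    dst_addr: str = "0.0.0.0"         # ignored if 0.0.0.0
    dst_mask: str = "0.0.0.0"
    port: int = 0                     # destination port, ignored if 0
    port_comp: Optional[str] = None   # assumption: None/equal/not_equal/less/greater
    matched: str = NEXT               # action when the rule matches
    not_matched: str = NEXT           # action when it does not

    @staticmethod
    def _addr_ok(pkt_addr: str, rule_addr: str, mask: str) -> bool:
        if rule_addr == "0.0.0.0":
            return True
        m = int(IPv4Address(mask))
        return int(IPv4Address(pkt_addr)) & m == int(IPv4Address(rule_addr)) & m

    def matches(self, pkt: Packet) -> bool:
        # Same order as Figure 27-7: protocol, source, destination, then port
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if not self._addr_ok(pkt.src, self.src_addr, self.src_mask):
            return False
        if not self._addr_ok(pkt.dst, self.dst_addr, self.dst_mask):
            return False
        if self.port and self.port_comp:
            ops = {"equal": pkt.dport == self.port,
                   "not_equal": pkt.dport != self.port,
                   "less": pkt.dport < self.port,
                   "greater": pkt.dport > self.port}
            return ops[self.port_comp]
        return True


@dataclass
class GenericRule:
    offset: int        # byte offset (from 0) into the raw frame
    length: int        # number of bytes to examine
    mask: bytes        # assumption: ANDed with the bytes before comparison
    value: bytes       # assumption: expected masked value
    matched: str = NEXT
    not_matched: str = NEXT

    def matches(self, pkt: Packet) -> bool:
        chunk = pkt.raw[self.offset:self.offset + self.length]
        if len(chunk) < self.length:
            return False
        return bytes(b & m for b, m in zip(chunk, self.mask)) == self.value


Rule = Union[TcpIpRule, GenericRule]


def run_filter_set(rules: List[Rule], pkt: Packet) -> str:
    """Evaluate one filter set (up to six rules) in order; return F or D."""
    for rule in rules:
        action = rule.matched if rule.matches(pkt) else rule.not_matched
        if action in (FORWARD, DROP):
            return action          # F and D both end evaluation of the set
        # N: fall through to the next rule
    return FORWARD                 # assumption: nothing decided, packet passes


# Section 27.3's example: drop TCP packets to destination port 23 (telnet)
TELNET_BLOCK = [TcpIpRule(protocol=6, port=23, port_comp="equal",
                          matched=DROP, not_matched=NEXT)]

if __name__ == "__main__":
    # constructed sample packets
    print(run_filter_set(TELNET_BLOCK, Packet("203.0.113.9", "192.168.1.1", 6, 23)))
    print(run_filter_set(TELNET_BLOCK, Packet("203.0.113.9", "192.168.1.1", 6, 80)))
```

A generic rule is written the same way as a TCP/IP rule but compares raw bytes; for instance a rule with offset 12 and length 2 examines the EtherType field of an Ethernet frame, which is the kind of non-IP check the text says generic rules exist for.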
Get Community: Type the Get community, which is the password for the incoming Get and GetNext requests from the management station. (default Public)
Set Community: Type the Set community, which is the password for incoming Set requests from the management station. (default Public)
[ESC] to cancel and go back to the previous screen.

28.2 SNMP Traps

The Contivity 221 will send traps to the SNMP manager when any one of the following events occurs:
Table 28-2 SNMP Traps...
Part XII: SMT System Maintenance

This part covers system information and diagnosis, firmware and configuration file maintenance, as well as providing information on the system maintenance and information functions and how to configure remote management. See the WebGUI parts of this guide for background information on features configurable by WebGUI and SMT.

29.1 Introduction to System Status

This chapter covers the diagnostic tools that help you to maintain your Contivity 221. These tools include updates on system status, port status and log and trace capabilities. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown below.
Port: Identifies a port (WAN or LAN) on the Contivity 221.
Status: Shows the port speed and duplex setting if you’re using Ethernet encapsulation, and Down (line is down), idle (PPP line idle), dial (starting to trigger a call) and drop (dropping a call) if you’re using PPPoE encapsulation.
The total time the Contivity 221 has been on.
RAS F/W Version: The Nortel Networks firmware version and the date created.
Name: This is the Contivity 221’s system name + domain name assigned in menu 1. For example, System Name= xxx; Domain Name= baboo.mickey.com; Name= xxx.baboo.mickey.com.
Routing: Refers to the routing protocol used.
Figure 29-3 Menu 24.2: System Information and Console Port Speed
Menu 24.2 - System Information and Console Port Speed
1. System Information
2. Console Port Speed
Please enter selection:

29.3.1 System Information

System Information gives you information about your system as shown below. More specifically, it gives you information on your routing protocol, Ethernet address, IP address, etc.
You can change the speed of the console port through Menu 24.2.2 – Console Port Speed. Your Contivity 221 supports 9600 (default), 19200, 38400, 57600, and 115200 bps for the console port. Press [SPACE BAR] and then [ENTER] to select the desired speed in menu 24.2.2, as shown next.
29.4 Log and Trace

The Contivity 221 has a syslog facility for message logging, and a trace function for viewing call-triggering packets.
Figure 29-6 Menu 24.3: System Maintenance: Log and Trace
Menu 24.3 - System Maintenance - Log and Trace 2.
When finished configuring this screen, press [ENTER] to confirm or [ESC] to cancel. Your Contivity 221 sends five types of syslog messages. Some examples of these syslog messages with their message formats are shown next:
CDR Message Format
SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String );...
Filter log
Filter log Message Format
SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String );
String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD
IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D).
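Once these messages reach a syslog server, the part a defender wants is the set/rule/action suffix, since it tells you which filter rule is doing the work and which source keeps hitting it. The parser below is an added example written for this page, not code from the Nortel guide. It follows the documented layout exactly: the IP[Src=... Dst=... prot spo=... dpo=...] header followed by S<set>>R<rule> and the match/action letters. The text shows “m” for match and “D” for drop; treating “n” as not matched and “F”/“N” as the other action letters is an assumption, and the sample lines (including the syslog timestamp and host prefix) are constructed.

```python
"""Added example (not from the Nortel guide): parse the filter log message
format shown above and summarise drops per filter set, rule and source."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Field layout taken from the documented String = IP[...] S04>R01mD format
FILTER_LOG_RE = re.compile(
    r"IP\[Src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"Dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<prot>\w+) spo=(?P<spo>\d+) dpo=(?P<dpo>\d+)\] "
    r"S(?P<set>\d+)>R(?P<rule>\d+)(?P<match>[mn])(?P<action>[FDN])"
)

# "D" = drop is documented; "F" and "N" are assumed to mirror the rule actions
ACTIONS = {"F": "forward", "D": "drop", "N": "next"}


def parse_filter_log(line: str) -> Optional[Dict[str, object]]:
    """Decode one filter log line; return None for lines in another format."""
    m = FILTER_LOG_RE.search(line)
    if not m:
        return None
    return {
        "src": m["src"], "dst": m["dst"], "prot": m["prot"],
        "spo": int(m["spo"]), "dpo": int(m["dpo"]),
        "set": int(m["set"]), "rule": int(m["rule"]),
        "matched": m["match"] == "m",      # assumption: "n" = not matched
        "action": ACTIONS[m["action"]],
    }


def drops_by_rule(lines: List[str]) -> Counter:
    """Count dropped packets per (set, rule, source) so a noisy source stands out."""
    counts = Counter()
    for line in lines:
        rec = parse_filter_log(line)
        if rec and rec["action"] == "drop":
            counts[(rec["set"], rec["rule"], rec["src"])] += 1
    return counts


# Constructed sample lines in the documented format; the "Jul 19 ... contivity:"
# prefix is what a syslog daemon would typically prepend and is an assumption.
SAMPLE = [
    "Jul 19 11:02:01 contivity: IP[Src=203.0.113.9 Dst=192.168.1.1 TCP spo=40312 dpo=23] S03>R01mD",
    "Jul 19 11:02:03 contivity: IP[Src=203.0.113.9 Dst=192.168.1.1 TCP spo=40313 dpo=23] S03>R01mD",
    "Jul 19 11:02:05 contivity: IP[Src=192.168.1.34 Dst=198.51.100.7 UDP spo=137 dpo=137] S04>R01mD",
    "Jul 19 11:02:07 contivity: IP[Src=192.168.1.34 Dst=198.51.100.8 TCP spo=1051 dpo=80] S03>R01nN",
    "Jul 19 11:02:09 contivity: WEB Login Successfully",   # not a filter log line
]

if __name__ == "__main__":
    for (fset, rule, src), n in drops_by_rule(SAMPLE).most_common():
        print(f"set {fset} rule {rule} dropped {n} packet(s) from {src}")
```

In the constructed sample the telnet-blocking rule of section 27.3 (set 3, rule 1) accounts for two drops from one outside address, and the default NetBIOS filter set (set 4) accounts for one; lines that are not filter logs are skipped rather than raising.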
Call-Triggering Packet
Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easy readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next.
Press any key to continue...

Diagnostic

The diagnostic facility allows you to test the different aspects of your Contivity 221 to determine if it is working properly. Menu 24.4 allows you to choose among various types of diagnostic tests to evaluate your system, as shown next.
Figure 29-10. LAN DHCP has already been discussed. The Contivity 221 can act either as a WAN DHCP client (IP Address Assignment field in menu 4 or menu 11.3 is Dynamic and the Encapsulation field in menu 4 or...
Figure 29-10 WAN & LAN DHCP
The following table describes the diagnostic tests available in menu 24.4 for your Contivity 221 and associated connections.
Table 29-4 System Maintenance Menu Diagnostic
Ping Host: Enter 1 to ping any machine (with an IP address) on your LAN or WAN.
Introduction 30.1 Use the instructions in this chapter to change the Contivity 221’s configuration file or upgrade its firmware. After you configure your Contivity 221, you can backup the configuration file to a computer. That way if you later misconfigure the Contivity 221, you can upload the backed up configuration file to return to your previous settings.
The following table is a summary. Please note that the internal filename refers to the filename on the Contivity 221 and the external filename refers to the filename not on the Contivity 221, that is, on your computer, local network or FTP site and so the name (but not the extension) may vary.
Xmodem protocol to perform the download/upload and you don’t have to rename the files. Please note that terms “download” and “upload” are relative to the computer. Download means to transfer from the Contivity 221 to the computer, while upload means from your computer to the Contivity 221.
rom-0 config.rom” transfers the configuration file on the Contivity 221 to your computer and renames it “config.rom”. See earlier in this chapter for more information on filename conventions. Enter “quit” to exit the ftp prompt.
Step 1. Use telnet from your computer to connect to the Contivity 221 and log in. Because TFTP does not have any security checks, the Contivity 221 records the IP address of the telnet client and accepts TFTP requests only from this address.
Enter the IP address of the Contivity 221. 192.168.1.1 is the Contivity 221’s default IP address when shipped.
Send/Fetch: Use “Send” to upload the file to the Contivity 221 and “Fetch” to back up the file on your computer. 317517-A Rev 00...
Enter the path and name of the firmware file (*.bin extension) or configuration file (*.rom extension) on your computer.
Remote File: This is the filename on the Contivity 221. The filename for the firmware is “ras” and for the configuration file is “rom-0”.
Binary: Transfer the file in binary mode.
Figure 30-5 Backup Configuration Example
Type a location for storing the configuration file or click Browse to look for one. Choose the Xmodem protocol. Then click Receive. After a successful backup you will see the following screen. Press any key to return to Step 4.
Enter your password as requested (the default is “setup”). Enter “bin” to set transfer mode to binary. Step 5. Find the “rom” file (on your computer) that you want to restore to your Contivity 221. Step 6.
Step 7. Use “put” to transfer files from the computer to the Contivity 221, for example, “put config.rom rom-0” transfers the configuration file “config.rom” on your computer to the Contivity 221. See earlier in this chapter for more information on filename conventions.
Then click Send. Step 4. After a successful restoration you will see the following screen. Press any key to restart the Contivity 221 and return to the SMT menu.
Figure 30-12 Successful Restoration Confirmation Screen
Save to ROM
Hit any key to start system reboot.
FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client. When you telnet into the Contivity 221, you will see the following screens for uploading firmware and the configuration file using FTP.
Enter “bin” to set transfer mode to binary. Step 5. Step 6. Use “put” to transfer files from the computer to the Contivity 221, for example, “put firmware.bin ras” transfers the firmware on your computer (firmware.bin) to the Contivity 221...
Use telnet from your computer to connect to the Contivity 221 and log in. Because TFTP does not have any security checks, the Contivity 221 records the IP address of the telnet client and accepts TFTP requests only from this address.
The file name for the firmware is “ras”. Note that the telnet connection must be active and the Contivity 221 in CI mode before and during the TFTP transfer. For details on TFTP commands (see following example), please consult the documentation of your TFTP client program.
30.2.20 Uploading Firmware File Via Console Port

Step 1. Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.1 - System Maintenance - Upload System Firmware, and then follow the instructions as shown in the following screen.
Type the firmware file’s location, or click Browse to look for it. Choose the Xmodem protocol. Then click Send. After the firmware upload process has completed, the Contivity 221 will automatically restart.

30.2.22 Uploading Configuration File Via Console Port

Step 1.
After the "Starting Xmodem upload" message appears, activate the Xmodem protocol on your computer. Follow the procedure as shown previously for the HyperTerminal program. The procedure for other serial communications programs should be similar. Step 3. Enter “atgo” to restart the Contivity 221.

30.2.23 Example Xmodem Configuration Upload Using HyperTerminal

Click Transfer, then Send File to display the following screen.
Figure 30-19 Example Xmodem Upload
Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. After the configuration upload process has completed, restart the Contivity 221 by entering “atgo”.
2. System Information and Console Port Speed
3. Log and Trace
4. Diagnostic
5. Backup Configuration
6. Restore Configuration
7. Firmware Update
8. Command Interpreter Mode
9. Call Control
10. Time and Date Setting
11. Remote Management Setup
Enter Menu Selection Number:
31.1.1 Command Syntax

The command keywords are in courier new font. Enter the command keywords exactly as shown, do not abbreviate. The required fields in a command are enclosed in angle brackets <>. The optional fields in a command are enclosed in square brackets [].
The budget management function allows you to set a limit on the total outgoing call time of the Contivity 221 within certain times. When the total outgoing call time exceeds the limit, the current call will be dropped and any future outgoing calls will be blocked.
Figure 31-4 Budget Management
Menu 24.9.1 - Budget Management
Remote Node    Connection Time/Total Budget    Elapsed Time/Total Period
1.ChangeMe     No Budget                       No Budget
2.GUI          No Budget                       No Budget
Reset Node (0 to update screen):
The total budget is the time limit on the accumulated time for outgoing calls to a remote node.
This is the length of time of the shortest telephone call.
Total: This is the total length of time of all the telephone calls to/from that telephone number.
You may enter an entry number to delete it or “0” to exit.
There is a software mechanism to set the time manually or get the current time and date from an external server when you turn on your Contivity 221. Menu 24.10 allows you to update the time and date settings of your Contivity 221. The real time is then displayed in the Contivity 221 error logs and firewall logs.
when Bootup: Enter the time service protocol that your timeserver sends when you turn on the Contivity 221. Not all timeservers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
Resetting the Time
The Contivity 221 resets the time in three instances:
i. On leaving menu 24.10 after making changes.
ii. When the Contivity 221 starts up, if there is a timeserver configured in menu 24.10.
iii. 24-hour intervals after starting.

32.1 Remote Management

Remote management allows you to determine which services/protocols can access which Contivity 221 interface (if any) from which computers. You may manage your Contivity 221 from a remote location via: Internet (WAN only), ALL (LAN and WAN), LAN only, Neither (Disable).
Secured Client IP: The default 0.0.0.0 allows any client to use this service or protocol to remotely access the Contivity 221. Enter an IP address to restrict access to a client with a matching IP address. (default 0.0.0.0) Once you have filled in this menu, press [ENTER] at the message "Press ENTER to Confirm or ESC to Cancel"...
3. The IP address in the Secured Client IP field (menu 24.11) does not match the client IP address. If it does not match, the Contivity 221 will disconnect the session immediately.
4. There is an SMT console session running.
Part XIII: SMT Advanced Management

This part provides information on how to configure call scheduling. See the WebGUI parts of this guide for background information on features configurable by WebGUI and SMT.
For example, if sets 1, 2, 3 and 4 are applied in the remote node, then set 1 will take precedence over set 2, 3 and 4 as the Contivity 221, by default, applies the lowest numbered set first. Set 2 will take precedence over set 3 and 4, and so on.
Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle
If a connection has been already established, your Contivity 221 will not drop it. Once the connection is dropped manually or it times out, then that remote node can't be triggered up until the end of the Duration.
Enter 11 from the Main Menu and then enter the target remote node index. Press [SPACE BAR] and then [ENTER] to select PPPoE in the Encapsulation field to make the schedule sets field available as shown next.
Figure 33-3 Applying Schedule Set(s) to a Remote Node (PPPoE)
Menu 11.1 - Remote Node Profile
Rem Node Name= ChangeMe
Route= IP
Active= Yes
Encapsulation= PPPoE
Edit IP= No
Service Type= Standard
Telco Option:
Service Name=
Allocated Budget(min)= 0
Outgoing=
Period(hr)= 0
My Login=...
PPTP:
My IP Addr=
Server IP Addr=
Connection ID/Name=
Edit Filter Sets= No
Idle Timeout(sec)= 100
Apply your schedule sets here.
Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle.
General Appendices Part XIV: General Appendices This part provides background information about setting up your computer’s IP address, antennas, triangle route, how functions are related, PPPoE, PPTP, hardware specifications, Universal Plug and Play, IP subnetting and safety warnings.
If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet (192.168.1.2 to 192.168.1.254 range with a subnet mask of 255.255.255.0) as the default Contivity 221’s LAN port IP address (192.168.1.1).
Windows 95/98/Me
1. Click Start, Settings, Control Panel and double-click the Network icon to open the Network window.
2. The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.
- To have your computer assigned a dynamic IP address, select Obtain an IP address automatically.
- To give your computer a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.
Click the DNS Configuration tab.
- If you do not know your DNS information, select Disable DNS.
- If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in).
Click OK to close the Network window. Insert the Windows CD if prompted. Turn on your Contivity 221 and restart your computer when prompted.
Checking/Modifying Your Computer’s IP Address
Click Start and then Run.
Windows 2000/NT/XP
In Windows XP, click start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel.
In Windows XP, click Network Connections. In Windows 2000/NT, click Network and
Right-click Local Area Connection and then click Properties.
Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties.
The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
- To have your computer assigned a dynamic IP address, click Obtain an IP address automatically.
- If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields.
Automatic metric check box and type a metric in Metric.
- Click Add.
- Repeat the previous three steps for each default gateway you want to add.
- Click OK when finished.
IP address is in the correct subnet (192.168.1.2 to 192.168.1.254 if using the default Contivity 221 LAN IP address). Alternatively, to have the Contivity 221 assign your computer a new IP address (from the IP pool), make sure your Contivity 221 is turned on, type "ipconfig/renew" and then press ENTER.
Macintosh OS 8/9
Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Select Ethernet built-in from the Connect via list.
- Type your IP address in the IP Address box.
- Type your subnet mask in the Subnet mask box.
- Type the IP address of your Contivity 221 in the Router address box.
Close the TCP/IP Control Panel. Click Save if prompted, to save changes to your configuration.
- Type your IP address in the IP Address box.
- Type your subnet mask in the Subnet mask box.
- Type the IP address of your Contivity 221 in the Router address box.
Click Apply Now and close the window. Turn on your Contivity 221 and restart your computer (if prompted).

Triangle Route

The Ideal Setup
When the firewall is on, your Contivity 221 acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the Contivity 221 to protect your LAN against attacks.
Contivity 221 being the gateway for each logical network. By putting your LAN and Gateway B in different subnets, all returning network traffic must pass through the Contivity 221 to your LAN. The following steps describe such a scenario.
A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side as the following figure shows. This ensures that all incoming network traffic passes through your Contivity 221 to your LAN. Therefore your LAN is protected.
Diagram B-4 Gateways on the WAN Side...

Appendix C The Big Picture

The following figure gives an overview of how filtering, the firewall, VPN and NAT are related.
Diagram C-1 Big Picture— Filtering, Firewall, VPN and NAT
3. It allows the ISP to use the existing dial-up model to authenticate and (optionally) to provide differentiated services.
Traditional Dial-up Scenario
The following diagram depicts a typical hardware configuration where the PCs use traditional dial-up networking.
Contivity 221 as a PPPoE Client When using the Contivity 221 as a PPPoE client, the PCs on the LAN see only Ethernet and are not aware of PPPoE. This alleviates the administrator from having to manage the PPPoE clients on the individual PCs.
Diagram D-2 Contivity 221 as a PPPoE Client
Diagram E-1 Transport PPP frames over Ethernet
PPTP and the Contivity 221
When the Contivity 221 is deployed in such a setup, it appears as a PC to the ANT. In Windows VPN or PPTP Pass-Through feature, the PPTP tunneling is created from Windows 95, 98 and NT clients to an NT server in a remote location.
Microsoft includes PPTP as a part of the Windows OS. In Microsoft’s implementation, the PC, and hence the Contivity 221, is the PNS that requests the PAC (the ANT) to place an outgoing call over AAL5 to an RFC 2364 server.
The PPP frames are tunneled between the PNS and PAC over GRE (Generic Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
In a serial communications connection, generally a computer is DTE (Data Terminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment). The Contivity 221 is DCE when you connect a computer to the console port. The Contivity 221 is DTE when you connect a modem to the dial backup port.
Plug: European Union standards
Safety standards: TUV, CE (EN 60950)
AC Power Adapter model JAD-121200E
Input power: AC230Volts/50Hz
Output power: DC12Volts/1.2A
Power consumption: 9 W
Plug: European Union standards
Safety standards: TUV, CE (EN 60950)
Chart F-6 UK AC Power Adaptor Specifications
AC Power Adapter model AD-1201200DK
Input power: AC230Volts/50Hz/0.2A
Output power: DC12Volts/1.2A
Power consumption: 10 W
Plug: United Kingdom standards
Safety standards: TUV, CE (EN 60950, BS7002)
Chart F-7 Japan AC Power Adaptor Specifications
AC Power Adapter model JOD-48-1124
Input power: AC100Volts/ 50/60Hz/ 27VA
Output power: DC12Volts/1.2A...
–2 hosts (approximately 16 million hosts). Since the first octet of a class “A” IP address must contain a “0”, the first octet of a class “A” address can have a value of 0 to 127.
Similarly the first octet of a class “B” must begin with “10”, therefore the first octet of a class “B” address has a valid range of 128 to 191. The first octet of a class “C” address begins with “110”, and therefore has a range of 192 to 223.
192.168.1.0 with mask 255.255.255.128 and 192.168.1.128 with mask 255.255.255.128. In the following charts, shaded/bolded last octet bit values indicate host ID bits “borrowed” to form network ID bits. The number of “borrowed” host ID bits determines the number of subnets you can have. The remaining number of host ID bits (after “borrowing”) determines the number of hosts you can have on each subnet.
Chart G-5 Subnet 1
NETWORK NUMBER / LAST OCTET BIT VALUE
IP Address: 192.168.1.
Chart G-9 Subnet 3
NETWORK NUMBER / LAST OCTET BIT VALUE
IP Address: 192.168.1.
IP Address (Binary): 11000000.10101000.00000001. 10000000
Subnet Mask (Binary): 11111111.11111111.11111111. 11000000
Subnet Address: 192.168.1.128
Lowest Host ID: 192.168.1.129
Broadcast Address: 192.168.1.191
Highest Host ID: 192.168.1.190
Chart G-10 Subnet 4
NETWORK NUMBER / LAST OCTET BIT VALUE
IP Address: 192.168.1.
IP Address (Binary): 11000000.10101000.00000001. 11000000
Subnet Mask (Binary): 11111111.11111111.11111111. 11000000
Subnet Address: 192.168.1.192
Lowest Host ID: 192.168.1.193
Broadcast Address: 192.168.1.255
Highest Host ID: 192.168.1.254
Example Eight Subnets
Similarly use a 27-bit mask to create 8 subnets (001, 010, 011, 100, 101, 110).
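The charts above work one subnet at a time by hand; the same arithmetic can be carried out for any number of borrowed bits, which is how you would check a proposed mask before assigning addresses behind the Contivity 221. The following is an added example written for this page, not code from the Nortel guide: address_class() applies the first-octet rule for classes A, B and C given earlier in this appendix, and subnets() borrows host ID bits from a network and lists each resulting subnet’s address, lowest and highest host IDs and broadcast address, reproducing charts G-9 and G-10 for two borrowed bits, the two-subnet split for one borrowed bit, and the eight-subnet case for three. The function names and the use of Python’s ipaddress module are the example’s own choices.

```python
"""Added example (not from the Nortel guide): the IP subnetting arithmetic of
Appendix G worked in code for any number of borrowed host ID bits."""
from ipaddress import IPv4Network
from typing import Dict, List


def address_class(addr: str) -> str:
    """Class from the leading bits of the first octet: 0 -> A, 10 -> B, 110 -> C."""
    first = int(addr.split(".")[0])
    if first < 128:        # first octet 0xxxxxxx, 0 to 127
        return "A"
    if first < 192:        # first octet 10xxxxxx, 128 to 191
        return "B"
    if first < 224:        # first octet 110xxxxx, 192 to 223
        return "C"
    return "D/E"           # multicast and reserved space, outside the charts


def subnets(network: str, borrowed_bits: int) -> List[Dict[str, object]]:
    """Split `network` by borrowing `borrowed_bits` host ID bits for the network ID.

    Number of subnets is 2**borrowed_bits; usable hosts per subnet is
    2**(remaining host bits) - 2, since the all-zeros and all-ones host IDs are
    the subnet address and broadcast address.  Prefixes of /31 and /32 are not
    meaningful for this chart-style listing and are rejected.
    """
    base = IPv4Network(network)
    new_prefix = base.prefixlen + borrowed_bits
    if new_prefix > 30:
        raise ValueError("too many borrowed bits: no host IDs would remain")
    result = []
    for i, sub in enumerate(base.subnets(new_prefix=new_prefix), start=1):
        hosts = list(sub.hosts())
        result.append({
            "subnet": i,
            "mask": str(sub.netmask),
            "subnet_address": str(sub.network_address),
            "lowest_host": str(hosts[0]),
            "highest_host": str(hosts[-1]),
            "broadcast": str(sub.broadcast_address),
            "usable_hosts": len(hosts),
        })
    return result


if __name__ == "__main__":
    # Two borrowed bits on the class C network of the charts: 26-bit mask
    for s in subnets("192.168.1.0/24", 2):
        print(f"Subnet {s['subnet']}: address {s['subnet_address']}, "
              f"hosts {s['lowest_host']} to {s['highest_host']}, "
              f"broadcast {s['broadcast']} ({s['usable_hosts']} hosts)")
```

Running it for two borrowed bits prints subnet 3 as 192.168.1.128 with hosts 192.168.1.129 to 192.168.1.190 and broadcast 192.168.1.191, which is exactly chart G-9; three borrowed bits gives the eight 27-bit subnets with 30 usable hosts each.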
2. The maximum recommended ambient temperature for the Contivity 221 is 40º Celsius (104º Fahrenheit). Care must be taken to allow sufficient air circulation or space between units when the Contivity 221 is installed inside a closed rack assembly. The operating ambient temperature of the rack environment might be greater than room temperature.
Part XV: Command and Log Appendices

This part provides information on the command line interface, firewall and NetBIOS commands, logs and password protection.
A list of valid commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished.
Sys Commands
The following chart lists and describes the sys commands. Each of these commands must be preceded by sys when you use them. For example, type sys stdio 60 to set the management session inactivity timeout to 60 minutes.
Chart I-1 Sys Commands
COMMAND...
[0:none/1:log]: Records the system maintenance logs.
packetfilter [0:none/1:log]: Records the packet filter logs.
ppp [0:none/1:log]: Records the PPP logs.
remote [0:none/1:log]: Records the remote management logs.
tcpreset [0:none/1:log]: Records the TCP reset logs.
Chart I-1 Sys Commands (continued)
upnp [0:none/1:log]: Records the UPnP logs.
urlblocked [0:none/1:log/2:alert/3:both]: Records and/or sends alerts for web access blocked logs.
urlforward [0:none/1:log]: Records web access forward logs.
clear: Clears the log.
display [access|attack|error|ipsec|ike|javablocked|mten|ur...]: Displays all logs or specified categories of logs.
<none|sua|full_feature>: Configure remote node NAT.
nailup <no|yes>: Configure a remote node connection to be nailed up (always on).
<value>: Sets the remote node Maximum Transmission Unit.
save [entry no.]: Save remote node information.
Chart I-1 Sys Commands (continued)
stdio [minute]: Sets or displays the management terminal idle timeout value.
time [hour [min [sec]]]: Sets or displays the system time.
trcdisp parse, brief, disp: Sets the level of detail that should be displayed.
UPnP settings.
config [0:deny/1:permit]: Allow users to make configuration changes through UPnP.
display: Displays UPnP information.
firewall [0:deny/1:pass]: Allow UPnP to pass through Firewall.
load: Saves UPnP information.
reserve [0:deny/1:permit]
save: Saves UPnP information.
Exit Command
Chart I-2 Exit Command
exit: Ends the command interpreter session.
Ethernet Commands
The following chart lists and describes the ether commands. Each of these commands must be preceded by ether when you use them. For example, type ether config to display information on the LAN configuration.
Displays DNS statistics.
httpd debug [on|off]: Enables or disables the HTTP debug flag. This command does not work currently.
icmp status: Displays the ICMP statistics counter.
discovery <iface> [on|off]: Sets the ICMP router discovery flag.
Chart I-4 IP Commands
ifconfig [iface] [ipaddr] [broadcast <addr>|mtu <value>|dynamic]: Configures a network interface.
ping <hostid>: Pings a remote host.
route status [if]: Displays the routing table.
<dest_addr|default>[/<bits>] <gateway> [<metric>]: Adds a route.
addiface <dest_addr|default...: Adds an entry to the routing table for the...
telnet <host>: Telnets to the specified host.
tracerout <host> [ttl] [wait] [queries]: Sends ICMP packets to trace the route of a remote host.
status: Displays the UDP status.
urlfilter enable [0:no/1:yes]: Enables/disables content filtering.
Chart I-4 IP Commands (continued)
dropIcmp <?>
exemptZone Display: Displays content filtering exempt zone information.
actionFlags [type(1-3)][enable/disable]: Enables/disables content filtering exempt zone action flags that determine to which IP addresses to apply content filtering.
add [ip1] [ip2]: Sets a range of IP addresses to be in the exempt zone.
[on|off]
iface <iface> grouptm <timeout>: Sets IGMP group timeout for the specified interface.
<iface> interval <interval>: Sets IGMP query interval for the specified interface.
<iface> join <group>: Adds an interface to a group.
Chart I-4 IP Commands (continued)
<iface> leave <group>: Removes an interface from a group.
<iface> query: Sends an IGMP query on the specified interface.
<iface> rsptime [time]: Sets the IGMP response time.
Turns on IGMP on the specified <iface>...
Removes an IP policy.
display: Displays the IP policies.
internal list: Displays the IP policies.
load <policy index>: Loads an IP policy.
local type <0:single|1:range|2:subnet>: Sets an IP policy’s local address type.
Chart I-5 IPSec Commands
addrStart <IP address>: Sets an IP policy’s starting local IP address.
endMask <IP address>: Sets an IP policy’s ending local IP address or subnet mask.
port <port number>: Sets an IP policy’s local port number.
protocol <0:All|1:ICMP|6:TCP|17...: Sets an IP policy’s protocol number.
Sets the NetBIOS active flag.
group <group index1, group index2…>: Sets the NetBIOS group.
name <string>: Sets a rule’s name.
keepAlive <Yes|No>: Enables/disables keep alive.
lcIdType <0:IP|1:DNS|2:Email>: Sets the local ID type.
Chart I-5 IPSec Commands (continued)
lcIdContent <string>: Sets the local ID content.
myIpAddr <IP address>: Sets the my IP address.
peerIdType <0:IP|1:DNS|2:Email>: Sets the peer ID type.
peerIdContent <string>: Sets the peer ID content.
secureGwAddr <IP address|Domain...: Sets the secure gateway IP address or domain...
Sets if the firewall will ignore DoS attacks on the lan/wan/dmz/wlan.
ignore: Sets if the firewall will ignore DoS attacks on the lan/wan/dmz/wlan.
triangle: Sets if the firewall will ignore triangle route packets on the lan/wan/dmz/wlan.
Between LAN and WAN: Block
IPSec Packets: Forward
Trigger Dial: Disabled
Syntax: sys filter netbios disp
This command gives a read-only list of the current NetBIOS filter modes. The filter types and their default settings are as follows.
Page 482
J-2 NetBIOS Filter Commands Chart J-1 NetBIOS Filter Default Settings NAME DESCRIPTION EXAMPLE Between LAN This field displays whether NetBIOS packets are blocked or forwarded Forward and WAN from the LAN to the WAN or from the WAN to the LAN. IPSec Packets This field displays whether NetBIOS packets sent through a VPN Forward...
Page 483
This command forwards WAN to LAN and WAN to LAN NetBIOS packets sys filter netbios config 3 on Command: This command blocks IPSec NetBIOS packets sys filter netbios config 4 off Command: This command stops NetBIOS commands from initiating calls. Contivity 221 VPN Switch User’s Guide...
When you start up your Contivity 221, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen. In debug mode you...
Page 486
K-2 Boot Commands Diagram K-2 Boot Module Commands just answer OK ATHE print help ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k ATENx,(y) set BootExtension Debug Flag (y=password) ATSE show the seed of password generator ATTI(h,m,s) change system time to hour:min:sec or show current time ATDA(y,m,d) change system date to year/month/day or show current date ATDS...
Someone has failed to log on to the router's SMT interface. SMT Login Fail Someone has logged on to the router's WebGUI interface. WEB Login Successfully Someone has failed to log on to the router's WebGUI interface. WEB Login Fail Contivity 221 VPN Switch User’s Guide...
Page 488
Firewall Chart L-4 Content Filtering Logs CATEGORY LOG MESSAGE DESCRIPTION URLFOR The Contivity 221 allows access to this IP address or IP/Domain domain name and forwarded traffic addressed to the IP Name address or domain name. URLBLK The Contivity 221 blocked access to this IP address or IP/Domain domain name due to a forbidden keyword.
Page 489
- WAN The firewall detected an IGMP IP spoofing attack on the WAN port. ip spoofing - WAN IGMP The firewall detected an ESP IP spoofing attack on the WAN port. ip spoofing - WAN Contivity 221 VPN Switch User’s Guide...
Page 490
The firewall detected a TCP illegal command attack. illegal command TCP The firewall detected a TCP NetBIOS attack. NetBIOS TCP The firewall detected a TCP IP spoofing attack while the Contivity 221 ip spoofing - no did not have a default route. routing entry TCP...
Page 491
LOG MESSAGE DESCRIPTION TCP access matched the default policy of the listed ACL set and the Firewall default Contivity 221 blocked or forwarded it according to the ACL set’s policy: TCP configuration. (set:%d) UDP access matched the default policy of the listed ACL set and the Firewall default Contivity 221 blocked or forwarded it according to the ACL set’s...
Page 492
LOG MESSAGE DESCRIPTION GRE access matched the default policy of the listed ACL set and the Firewall default Contivity 221 blocked or forwarded it according to the ACL set’s policy: GRE configuration. (set:%d) OSPF access matched the default policy of the listed ACL set and the Firewall default Contivity 221 blocked or forwarded it according to the ACL set’s...
Page 493
Access matched the listed firewall rule and the Contivity 221 blocked Firewall rule or forwarded it according to the rule’s configuration. match: (set:%d, rule:%d) TCP access did not match the listed firewall rule and the Contivity 221 Firewall rule NOT logged it. match: TCP (set:%d, rule:%d)
Page 494
L-8 Log Descriptions Chart L-6 Access Logs LOG MESSAGE DESCRIPTION Access did not match the listed firewall rule and the Contivity 221 Firewall rule NOT logged it. match: (set:%d, rule:%d) TCP access matched a default filter policy and the Contivity 221 Filter default dropped the packet to block access.
Page 495
ICMP access matched the listed filter rule and the Contivity 221 Filter match DROP dropped the packet to block access. <set %d/rule %d> Access matched the listed filter rule and the Contivity 221 dropped the Filter match DROP packet to block access. <set %d/rule %d>...
Page 496
The router blocked a TCP handshake packet that came out of the Out of order TCP proper order handshake packet blocked The Contivity 221 generates this log after it drops an ICMP packet Drop due to one of the following two reasons: unsupported/out-of- order ICMP 1.
Page 497
A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network. Redirect Redirect datagrams for the Network Contivity 221 VPN Switch User’s Guide...
Page 498
L-12 Log Descriptions Chart L-8 ICMP Notes TYPE CODE DESCRIPTION Redirect datagrams for the Host Redirect datagrams for the Type of Service and Network Redirect datagrams for the Type of Service and Host Echo Echo message Time Exceeded Time to live exceeded in transit Fragment reassembly time exceeded Parameter Problem Pointer indicates the error...
Page 499
Recv:<ID><HASH> 01 Jan 08:02:26 Phase 1 IKE SA process done 01 Jan 08:02:26 Start Phase 2: Quick Mode 01 Jan 08:02:26 Send:<HASH><SA><NONCE><ID><ID> 01 Jan 08:02:26 Recv:<HASH><SA><NONCE><ID><ID> 01 Jan 08:02:26 Send:<HASH> Clear IPSec Log (y/n): Contivity 221 VPN Switch User’s Guide...
Page 500
Chart L-10 Sample IKE Key Exchange Logs LOG MESSAGE DESCRIPTION Send <Symbol> Mode request to <IP> The Contivity 221 has started negotiation with the peer. Send <Symbol> Mode request to <IP> Recv <Symbol> Mode request from <IP> The Contivity 221 has received an IKE negotiation request from the peer.
Page 501
Start Phase 2: Quick Mode Phase 2 negotiation is beginning using Quick Mode. !! IKE Negotiation is in process The Contivity 221 has begun negotiation with the peer for the connection already, but the IKE key exchange has not finished yet.
Page 502
LOG MESSAGE DESCRIPTION !! IKE Packet Retransmit The Contivity 221 did not receive a response from the peer and so retransmits the last packet sent. The Contivity 221 cannot send IKE packets due to a !! Failed to send IKE Packet network error.
Page 503
DESCRIPTION !! WAN IP changed to <IP> If the Contivity 221’s WAN IP changes, all configured “My IP Addr” are changed to b “0.0.0.0”. If this field is configured as 0.0.0.0, then the Contivity 221 will use the current Contivity 221 WAN IP address (static or dynamic) to set up the VPN tunnel.
Page 504
Configuring What You Want the Contivity 221 to Log Use the sys logs load command to load the log setting buffer that allows you to configure which logs the Contivity 221 is to record. Use sys logs category followed by a log category and a parameter to...
Page 505
Use the sys logs clear command to erase all of the Contivity 221’s logs. Log Command Example This example shows how to set the Contivity 221 to record the access logs and alerts and then view the results. ras> sys logs load ras>...
(a number from 1 to 60) minutes after the third time an incorrect password is entered. Example sys pwderrtm 5 This command sets the password protection to block all access attempts for five minutes after the third time an incorrect password is entered. Contivity 221 VPN Switch User’s Guide...
Page 508
Part XV: Command and Log Appendices

This part provides information on the command line interface, firewall and NetBIOS commands, logs and password protection.
A list of valid commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished.

Sys Commands
The following chart lists and describes the sys commands. Each of these commands must be preceded by sys when you use them. For example, type sys stdio 60 to set the management session inactivity timeout to 60 minutes.

Chart I-1 Sys Commands
COMMAND...
[0:none/1:log]
    Records the system maintenance logs.
packetfilter [0:none/1:log]
    Records the packet filter logs.
ppp [0:none/1:log]
    Records the PPP logs.
remote [0:none/1:log]
    Records the remote management logs.
tcpreset [0:none/1:log]
    Records the TCP reset logs.
Chart I-1 Sys Commands (continued)

upnp [0:none/1:log]
    Records the UPnP logs.
urlblocked [0:none/1:log/2:alert/3:both]
    Records and/or sends alerts for web access blocked logs.
urlforward [0:none/1:log]
    Records web access forward logs.
clear
    Clears the log.
display [access|attack|error|ipsec|ike|javablocked|mten|ur...
    Displays all logs or specified categories of logs.
<none|sua|full_feature>
    Configure remote node NAT.
nailup <no|yes>
    Configure a remote node connection to be nailed up (always on).
<value>
    Sets the remote node Maximum Transmission Unit.
save [entry no.]
    Save remote node information.
Chart I-1 Sys Commands (continued)

stdio [minute]
    Sets or displays the management terminal idle timeout value.
time [hour [min [sec]]]
    Sets or displays the system time.
trcdisp parse, brief, disp
    Sets the level of detail that should be displayed.
...UPnP settings.
config [0:deny/1:permit]
    Allow users to make configuration changes through UPnP.
display
    Displays UPnP information.
firewall [0:deny/1:pass]
    Allow UPnP to pass through Firewall.
load
    Saves UPnP information.
reserve [0:deny/1:permit]
save
    Saves UPnP information.
Exit Command

Chart I-2 Exit Command

exit
    Ends the command interpreter session.

Ethernet Commands

The following chart lists and describes the ether commands. Each of these commands must be preceded by ether when you use them. For example, type ether config to display information on the LAN configuration.
    Displays DNS statistics.
httpd debug [on|off]
    Enables or disables the HTTP debug flag. This command does not work currently.
icmp status
    Displays the ICMP statistics counter.
discovery <iface> [on|off]
    Sets the ICMP router discovery flag.
Chart I-4 IP Commands

ifconfig [iface] [ipaddr] [broadcast <addr> |mtu <value>|dynamic]
    Configures a network interface.
ping <hostid>
    Pings a remote host.
route status [if]
    Displays the routing table.
<dest_addr|default>[/<bits>] <gateway> [<metric>]
    Adds a route.
addiface <dest_addr|default...
    Adds an entry to the routing table for the...
telnet <host>
    Telnets to the specified host.
tracerout <host> [ttl] [wait] [queries]
    Sends ICMP packets to trace the route of a remote host.
status
    Displays the UDP status.
urlfilter enable [0:no/1:yes]
    Enables/disables content filtering.
Chart I-4 IP Commands (continued)

dropIcmp <?>
exemptZone Display
    Displays content filtering exempt zone information.
actionFlags [type(1-3)][enable/disable]
    Enables/disables content filtering exempt zone action flags that determine to which IP addresses to apply content filtering.
add [ip1] [ip2]
    Sets a range of IP addresses to be in the exempt zone.
[on|off]
iface <iface> grouptm <timeout>
    Sets IGMP group timeout for the specified interface.
<iface> interval <interval>
    Sets IGMP query interval for the specified interface.
<iface> join <group>
    Adds an interface to a group.
Chart I-4 IP Commands (continued)

<iface> leave <group>
    Removes an interface from a group.
<iface> query
    Sends an IGMP query on the specified interface.
<iface> rsptime [time]
    Sets the IGMP response time.
    Turns on IGMP on the specified <iface>...
    Removes an IP policy.
display
    Displays the IP policies.
internal list
    Displays the IP policies.
load <policy Index>
    Loads an IP policy.
local type <0:single|1:range|2:subnet>
    Sets an IP policy’s local address type.
Chart I-5 IPSec Commands

addrStart <IP address>
    Sets an IP policy’s starting local IP address.
endMask <IP address>
    Sets an IP policy’s ending local IP address or subnet mask.
port <port number>
    Sets an IP policy’s local port number.
protocol <0:All|1:ICMP|6:TCP|17...
    Sets an IP policy’s protocol number.
    Sets the NetBIOS active flag.
group <group index1, group index2…>
    Sets the NetBIOS group.
name <string>
    Sets a rule’s name.
keepAlive <Yes|No>
    Enables/disables keep alive.
lcIdType <0:IP|1:DNS|2:Email>
    Sets the local ID type.
Chart I-5 IPSec Commands (continued)

lcIdContent <string>
    Sets the local ID content.
myIpAddr <IP address>
    Sets the "My IP" address.
peerIdType <0:IP|1:DNS|2:Email>
    Sets the peer ID type.
peerIdContent <string>
    Sets the peer ID content.
secureGwAddr <IP address | Domain...
    Sets the secure gateway IP address or domain...
    Sets if the firewall will ignore DoS attacks on the lan/wan/dmz/wlan.
ignore
    Sets if the firewall will ignore DoS attacks on the lan/wan/dmz/wlan.
triangle
    Sets if the firewall will ignore triangle route packets on the lan/wan/dmz/wlan.
Between LAN and WAN: Block
IPSec Packets: Forward
Trigger Dial: Disabled

Syntax: sys filter netbios disp

This command gives a read-only list of the current NetBIOS filter modes. The filter types and their default settings are as follows.
Chart J-1 NetBIOS Filter Default Settings

Between LAN and WAN
    This field displays whether NetBIOS packets are blocked or forwarded from the LAN to the WAN or from the WAN to the LAN. Example: Forward
IPSec Packets
    This field displays whether NetBIOS packets sent through a VPN... Example: Forward
    This command forwards WAN to LAN and WAN to LAN NetBIOS packets.

Command: sys filter netbios config 3 on
    This command blocks IPSec NetBIOS packets.

Command: sys filter netbios config 4 off
    This command stops NetBIOS commands from initiating calls.
Boot Commands

When you start up your Contivity 221, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen. In debug mode you...
Diagram K-2 Boot Module Commands

            just answer OK
ATHE        print help
ATBAx       change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
ATENx,(y)   set BootExtension Debug Flag (y=password)
ATSE        show the seed of password generator
ATTI(h,m,s) change system time to hour:min:sec or show current time
ATDA(y,m,d) change system date to year/month/day or show current date
ATDS...
SMT Login Fail
    Someone has failed to log on to the router's SMT interface.
WEB Login Successfully
    Someone has logged on to the router's WebGUI interface.
WEB Login Fail
    Someone has failed to log on to the router's WebGUI interface.
Chart L-4 Content Filtering Logs

URLFOR (IP/Domain Name)
    The Contivity 221 allows access to this IP address or domain name and forwarded traffic addressed to the IP address or domain name.
URLBLK (IP/Domain)
    The Contivity 221 blocked access to this IP address or domain name due to a forbidden keyword.
ip spoofing - WAN IGMP
    The firewall detected an IGMP IP spoofing attack on the WAN port.
ip spoofing - WAN...
    The firewall detected an ESP IP spoofing attack on the WAN port.
illegal command TCP
    The firewall detected a TCP illegal command attack.
NetBIOS TCP
    The firewall detected a TCP NetBIOS attack.
ip spoofing - no routing entry TCP
    The firewall detected a TCP IP spoofing attack while the Contivity 221 did not have a default route.
...
Firewall default policy: TCP (set:%d)
    TCP access matched the default policy of the listed ACL set and the Contivity 221 blocked or forwarded it according to the ACL set’s configuration.
Firewall default...
    UDP access matched the default policy of the listed ACL set and the Contivity 221 blocked or forwarded it according to the ACL set’s...
Firewall default policy: GRE (set:%d)
    GRE access matched the default policy of the listed ACL set and the Contivity 221 blocked or forwarded it according to the ACL set’s configuration.
Firewall default...
    OSPF access matched the default policy of the listed ACL set and the Contivity 221 blocked or forwarded it according to the ACL set’s...
Firewall rule match: (set:%d, rule:%d)
    Access matched the listed firewall rule and the Contivity 221 blocked or forwarded it according to the rule’s configuration.
Firewall rule NOT match: TCP (set:%d, rule:%d)
    TCP access did not match the listed firewall rule and the Contivity 221 logged it.
Chart L-6 Access Logs (continued)

Firewall rule NOT match: (set:%d, rule:%d)
    Access did not match the listed firewall rule and the Contivity 221 logged it.
Filter default...
    TCP access matched a default filter policy and the Contivity 221 dropped the packet to block access.
Filter match DROP <set %d/rule %d>
    ICMP access matched the listed filter rule and the Contivity 221 dropped the packet to block access.
Filter match DROP <set %d/rule %d>
    Access matched the listed filter rule and the Contivity 221 dropped the packet to block access.
...
Out of order TCP handshake packet blocked
    The router blocked a TCP handshake packet that came out of the proper order.
Drop unsupported/out-of-order ICMP
    The Contivity 221 generates this log after it drops an ICMP packet due to one of the following two reasons:
    1. ...
    A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.
Redirect
    Redirect datagrams for the Network
Chart L-8 ICMP Notes (continued)

    Redirect datagrams for the Host
    Redirect datagrams for the Type of Service and Network
    Redirect datagrams for the Type of Service and Host
Echo
    Echo message
Time Exceeded
    Time to live exceeded in transit
    Fragment reassembly time exceeded
Parameter Problem
    Pointer indicates the error...
Recv:<ID><HASH>
01 Jan 08:02:26 Phase 1 IKE SA process done
01 Jan 08:02:26 Start Phase 2: Quick Mode
01 Jan 08:02:26 Send:<HASH><SA><NONCE><ID><ID>
01 Jan 08:02:26 Recv:<HASH><SA><NONCE><ID><ID>
01 Jan 08:02:26 Send:<HASH>
Clear IPSec Log (y/n):
Chart L-10 Sample IKE Key Exchange Logs

Send <Symbol> Mode request to <IP>
    The Contivity 221 has started negotiation with the peer.
Send <Symbol> Mode request to <IP>
Recv <Symbol> Mode request from <IP>
    The Contivity 221 has received an IKE negotiation request from the peer.
Start Phase 2: Quick Mode
    Phase 2 negotiation is beginning using Quick Mode.
!! IKE Negotiation is in process
    The Contivity 221 has already begun negotiation with the peer for the connection, but the IKE key exchange has not finished yet.
!! IKE Packet Retransmit
    The Contivity 221 did not receive a response from the peer and so retransmits the last packet sent.
!! Failed to send IKE Packet
    The Contivity 221 cannot send IKE packets due to a network error.
!! WAN IP changed to <IP>
    If the Contivity 221’s WAN IP changes, all configured “My IP Addr” values are changed to “0.0.0.0”. If this field is configured as 0.0.0.0, then the Contivity 221 will use the current Contivity 221 WAN IP address (static or dynamic) to set up the VPN tunnel.
Configuring What You Want the Contivity 221 to Log

Use the sys logs load command to load the log setting buffer that allows you to configure which logs the Contivity 221 is to record. Use sys logs category followed by a log category and a parameter to...
Use the sys logs clear command to erase all of the Contivity 221’s logs.

Log Command Example

This example shows how to set the Contivity 221 to record the access logs and alerts and then view the results.

ras> sys logs load
ras>...
(a number from 1 to 60) minutes after the third time an incorrect password is entered.

Example

sys pwderrtm 5

This command sets the password protection to block all access attempts for five minutes after the third time an incorrect password is entered.
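As an added example (not from the guide and not the device's own software), the Python below reads log lines in the formats of the login, attack and access-log charts above, counts rule and attack hits, and raises an alert when one management interface reaches the three consecutive failures at which sys pwderrtm locks the device, or logs in successfully right after such a burst. It assumes every line carries the "01 Jan 08:02:26" timestamp prefix shown in the sample IKE log; the sample lines are constructed, not captured from a device.

```python
import re
from collections import Counter

# Timestamp prefix as in the guide's sample IKE log ("01 Jan 08:02:26 ...");
# assumption: the access, attack and login logs carry the same prefix.
LINE_RE = re.compile(r"^(\d{2} \w{3} \d{2}:\d{2}:\d{2}) (.*)$")
# Message shapes from Chart L-6 (access logs); the charts' %d become integers.
DEFAULT_RE = re.compile(r"^Firewall default policy: (\w+) \(set:(\d+)\)$")
RULE_RE = re.compile(r"^Firewall rule (NOT )?match:(?: (\w+))? \(set:(\d+), rule:(\d+)\)$")
FILTER_RE = re.compile(r"^Filter match DROP <set (\d+)/rule (\d+)>$")
LOGIN_RE = re.compile(r"^(SMT|WEB) Login (Fail|Successfully)$")
# Attack messages listed in the attack-log charts, matched verbatim.
ATTACK_MESSAGES = {"ip spoofing - WAN IGMP", "illegal command TCP", "NetBIOS TCP",
                   "ip spoofing - no routing entry TCP", "Out of order TCP handshake packet blocked"}
LOCKOUT_THRESHOLD = 3  # sys pwderrtm blocks access after the third wrong password

def parse_line(line):
    """Classify one log line; None when the line lacks the timestamp prefix."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, msg = m.groups()
    d, r, f, lg = (p.match(msg) for p in (DEFAULT_RE, RULE_RE, FILTER_RE, LOGIN_RE))
    if d:
        return {"ts": ts, "kind": "default_policy", "proto": d[1], "set": int(d[2]), "rule": None}
    if r:
        return {"ts": ts, "kind": "rule_nomatch" if r[1] else "rule_match",
                "proto": r[2] or "ANY", "set": int(r[3]), "rule": int(r[4])}
    if f:
        return {"ts": ts, "kind": "filter_drop", "set": int(f[1]), "rule": int(f[2])}
    if lg:
        return {"ts": ts, "kind": "login", "iface": lg[1], "ok": lg[2] == "Successfully"}
    if msg in ATTACK_MESSAGES:
        return {"ts": ts, "kind": "attack", "attack": msg}
    return {"ts": ts, "kind": "other", "msg": msg}

def summarize(lines):
    """One pass over the log: per-rule hit counts, attack counts, login alerts."""
    summary = {"attacks": Counter(), "rule_hits": Counter(), "alerts": []}
    fails = Counter()  # consecutive failed logins per management interface
    for ev in filter(None, map(parse_line, lines)):
        kind = ev["kind"]
        if kind == "attack":
            summary["attacks"][ev["attack"]] += 1
        elif kind in ("default_policy", "rule_match", "rule_nomatch", "filter_drop"):
            summary["rule_hits"][(kind, ev["set"], ev["rule"])] += 1
        elif kind == "login":
            iface, n = ev["iface"], fails[ev["iface"]]
            if not ev["ok"]:
                fails[iface] = n + 1
                if n + 1 == LOCKOUT_THRESHOLD:
                    summary["alerts"].append(f"{ev['ts']} {iface}: {n + 1} consecutive login failures")
            else:
                if n >= LOCKOUT_THRESHOLD:  # a success right after a lockout-level burst
                    summary["alerts"].append(f"{ev['ts']} {iface}: login succeeded after {n} failures")
                fails[iface] = 0
    return summary

# Constructed sample lines (not captured from a device), in the charts' formats.
SAMPLE_LOG = """\
01 Jan 08:02:26 Firewall default policy: TCP (set:1)
01 Jan 08:02:28 Firewall rule NOT match: TCP (set:1, rule:2)
01 Jan 08:02:29 Filter match DROP <set 2/rule 1>
01 Jan 08:02:30 ip spoofing - WAN IGMP
01 Jan 08:02:40 WEB Login Fail
01 Jan 08:02:45 WEB Login Fail
01 Jan 08:02:50 WEB Login Fail
01 Jan 08:03:10 WEB Login Successfully
01 Jan 08:03:12 SMT Login Fail""".splitlines()
```

Calling summarize(SAMPLE_LOG) yields two alerts for the WEB interface (the third failure, then the success that follows it) and none for the single SMT failure.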