Nortel Contivity 221 User Manual


Contivity 221 VPN Switch
User's Guide
Version 2.00
Part No. 317517-A Rev 00
November 2003
600 Technology Park Drive
Billerica, MA 01821-4130


Summary of Contents for Nortel Contivity 221

  • Page 1 Contivity 221 VPN Switch User’s Guide, Version 2.00, Part No. 317517-A Rev 00, November 2003, 600 Technology Park Drive, Billerica, MA 01821-4130
  • Page 2: Restricted Rights Legend

    In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the right to make changes to the products described in this document without notice. Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
  • Page 3 30 days of purchase to obtain a credit for the full purchase price. “Software” is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies.
  • Page 4 (for DoD entities). b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.
  • Page 5 Consult the dealer or an experienced radio/TV technician for help. Notice 1 Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. Certifications Refer to the product page at www.nortelnetworks.com.
  • Page 6: Information For Canadian Users

    Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. The Industry Canada does not guarantee that the equipment will operate to a user's satisfaction. Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company.
  • Page 7: Table Of Contents

    Table of Contents: List of Figures (xvii); List of Tables (xxvii); Preface (xxxiii); Overview (I); Chapter 1 Getting to Know Your Contivity 221 (1-1); Introducing the Contivity 221 (1-1); Features (1-1); Applications for the Contivity 221 (1-6); Hardware Setup (1-7); Getting Started (II); Chapter 2 Introducing the WebGUI (2-1)...
  • Page 8 Table of Contents (continued): Configuring General Setup (4-1); Dynamic DNS (4-3); Configuring Dynamic DNS (4-4); Configuring Password (4-5); Configuring Time Setting (4-6); Chapter 5 LAN Screens (5-1); LAN Overview (5-1); DHCP Setup (5-1); LAN TCP/IP (5-1); Configuring IP (5-3); Configuring Static DHCP (5-5); Configuring IP Alias (5-7); Chapter 6 WAN Screens (6-1); WAN Overview (6-1)...
  • Page 9 Packet Filtering Vs Firewall (9-12); Chapter 10 Firewall Screens (10-1); 10.1 Access Methods (10-1); 10.2 Firewall Policies Overview (10-1); 10.3 Rule Logic Overview (10-2); 10.4 Connection Direction Examples (10-3); 10.5 Configuring Firewall (10-5); 10.6 Example Firewall Rule (10-12)
  • Page 10 10.7 Predefined Services (10-16); 10.8 Alerts (10-19); 10.9 Configuring Attack Alert (10-19); Chapter 11 Content Filtering Screens (11-1); 11.1 Introduction to Content Filtering (11-1); 11.2 Restrict Web Features (11-1); 11.3 Days and Times (11-1); 11.4 Configure Content Filtering (11-1); VPN/IPSec (VI); Chapter 12 Introduction to IPSec (12-1); 12.1...
  • Page 11 15.4 Installing UPnP in Windows Example (15-4); 15.5 Using UPnP in Windows XP Example (15-6); Logs (VIII); Chapter 16 Logs Screens (16-1); 16.1 Configuring View Log (16-1); 16.2 Configuring Log Settings (16-3); 16.3 Configuring Reports (16-6)
  • Page 12 Accessing the SMT via the Console Port (18-1); 18.3 Navigating the SMT Interface (18-2); 18.4 Changing the System Password (18-8); 18.5 Resetting the Contivity 221 (18-8); Chapter 19 SMT Menu 1 - General Setup (19-1); 19.1 Introduction to General Setup (19-1); 19.2 Configuring General Setup (19-1); Chapter 20 WAN and Dial Backup Setup (20-1)...
  • Page 13 Chapter 24 IP Static Route Setup (24-1); 24.1 IP Static Route Setup (24-1); Chapter 25 Network Address Translation (NAT) (25-1); 25.1 Using NAT (25-1); 25.2 NAT Setup (25-4); 25.3 Configuring a Server behind NAT (25-9); 25.4 General NAT Examples (25-11)
  • Page 14 25.5 Configuring Trigger Port Forwarding (25-20); Chapter 26 Introducing the Firewall (26-1); 26.1 Using SMT Menus (26-1); Chapter 27 Filter Configuration (27-1); 27.1 Introduction to Filters (27-1); 27.2 Configuring a Filter Set (27-4); 27.3 Example Filter (27-13); 27.4 Filter Types and NAT (27-15); 27.5 Firewall Versus Filters (27-16); 27.6...
  • Page 15 Appendix I Command Interpreter (I-1); Appendix J NetBIOS Filter Commands (J-1); Appendix K Boot Commands (K-1); Appendix L Log Descriptions (L-1); Appendix M Brute-Force Password Guessing Protection (M-1); Index (XVI); Appendix N Index (N-1)
  • Page 17: List Of Figures

    Figure 6-2 Ethernet Encapsulation (6-3); Figure 6-3 PPPoE Encapsulation (6-4); Figure 6-4 PPTP Encapsulation (6-6); Figure 6-5 RR Service Type (6-7); Figure 6-6 IP Setup (6-9); Figure 6-7 MAC Setup (6-12); Figure 6-8 Traffic Redirect WAN Setup (6-12)
  • Page 18 Figure 8-1 Example of Static Routing Topology (8-1); Figure 8-2 Static Route Screen (8-2); Figure 8-3 Edit IP Static Route (8-3); Figure 9-1 Contivity 221 Firewall Application (9-3); Figure 9-2 Three-Way Handshake (9-5); Figure 9-3 SYN Flood (9-6); Figure 9-4 Smurf Attack (9-7); Figure 9-5 Stateful Inspection (9-9)...
  • Page 19 Figure 13-10 VPN Global Setting (13-33); Figure 14-1 Telnet Configuration on a TCP/IP Network (14-3); Figure 14-2 Telnet (14-3); Figure 14-3 FTP (14-5); Figure 14-4 WWW (14-6); Figure 14-5 SNMP Management Model (14-7); Figure 14-6 SNMP (14-9)
  • Page 20 Figure 14-7 DNS (14-11); Figure 14-8 Security (14-12); Figure 15-1 Configuring UPnP (15-3); Figure 16-1 View Log (16-2); Figure 16-2 Log Settings (16-4); Figure 16-3 Reports (16-7); Figure 16-4 Web Site Hits Report Example (16-8); Figure 16-5 Protocol/Port Report Example (16-9); Figure 16-6 LAN IP Address Report Example (16-10); Figure 17-1 System Status (17-1); Figure 17-2 System Status: Show Statistics (17-2)...
  • Page 21 Figure 23-4 Menu 11.1: Remote Node Profile for PPTP Encapsulation (23-7); Figure 23-5 Menu 11.3: Remote Node Network Layer Options for Ethernet Encapsulation (23-8); Figure 23-6 Menu 11.5: Remote Node Filter (Ethernet Encapsulation) (23-11)
  • Page 22 Figure 23-7 Menu 11.5: Remote Node Filter (PPPoE or PPTP Encapsulation) (23-11); Figure 23-8 Menu 11.1: Remote Node Profile (23-12); Figure 23-9 Menu 11.6: Traffic Redirect Setup (23-13); Figure 24-1 Menu 12: IP Static Route Setup (24-1); Figure 24-2 Menu 12.
  • Page 23 Figure 29-5 Menu 24.2.2: System Maintenance: Change Console Port Speed (29-5); Figure 29-6 Menu 24.3: System Maintenance: Log and Trace (29-6); Figure 29-7 Menu 24.3.2: System Maintenance: Syslog Logging (29-6); Figure 29-8 Call-Triggering Packet Example (29-10); Figure 29-9 Menu 24.4: System Maintenance: Diagnostic (29-11)
  • Page 24 Figure 29-10 WAN & LAN DHCP (29-12); Figure 30-1 Telnet into Menu 24.5 (30-3); Figure 30-2 FTP Session Example (30-4); Figure 30-3 System Maintenance: Backup Configuration (30-7); Figure 30-4 System Maintenance: Starting Xmodem Download Screen (30-7); Figure 30-5 Backup Configuration Example (30-8); Figure 30-6 Successful Backup Confirmation Screen (30-8); Figure 30-7 Telnet into Menu 24.6 (30-9)...
  • Page 25 Figure 32-1 Menu 24.11 – Remote Management Control (32-2); Figure 33-1 Schedule Setup (33-1); Figure 33-2 Schedule Set Setup (33-2); Figure 33-3 Applying Schedule Set(s) to a Remote Node (PPPoE) (33-4); Figure 33-4 Applying Schedule Set(s) to a Remote Node (PPTP) (33-5)
  • Page 27: List Of Tables

    Table 6-5 RR Service Type (6-8); Table 6-6 IP Setup (6-9); Table 6-7 Traffic Redirect (6-14); Table 6-8 Dial Backup Setup (6-17); Table 6-9 Advanced Setup (6-21); Table 7-1 NAT Definitions (7-1); Table 7-2 NAT Mapping Types (7-5)
  • Page 28 Table 7-3 Services and Port Numbers (7-6); Table 7-4 SUA/NAT Setup (7-9); Table 7-5 Address Mapping (7-10); Table 7-6 Address Mapping Edit (7-12); Table 7-7 Trigger Port (7-15); Table 8-1 IP Static Route Summary (8-2); Table 8-2 Edit IP Static Route (8-3); Table 9-1 Common IP Ports (9-4); Table 9-2 ICMP Commands That Trigger Alerts (9-7); Table 9-3 Legal NetBIOS Commands (9-7)...
  • Page 29 Table 16-7 Report Specifications (16-11); Table 17-1 System Status (17-2); Table 17-2 System Status: Show Statistics (17-3); Table 17-3 DHCP Table (17-4); Table 17-4 Restore Configuration (17-9); Table 18-1 Main Menu Commands (18-2); Table 18-2 Main Menu Summary (18-4)
  • Page 30 Table 19-1 General Setup Menu Field (19-2); Table 19-2 Configure Dynamic DNS Menu Fields (19-3); Table 20-1 MAC Address Cloning in WAN Setup (20-1); Table 20-2 Menu 2: Dial Backup Setup (20-3); Table 20-3 Advanced WAN Port Setup: AT Commands Fields (20-5); Table 20-4 Advanced WAN Port Setup: Call Control Parameters (20-5); Table 20-5 Fields in Menu 11.1 Remote Node Profile (Backup ISP) (20-7); Table 20-6 Remote Node PPP Options Menu Fields (20-9)...
  • Page 31 Table 31-2 Budget Management (31-4); Table 31-3 Call History Fields (31-5); Table 31-4 Time and Date Setting Fields (31-7); Table 32-1 Menu 24.11 – Remote Management Control (32-2); Table 33-1 Schedule Set Setup Fields (33-2)
  • Page 33: Preface

    This manual is designed to guide you through the configuration of your Contivity 221 for its various applications. This manual may refer to the Contivity 221 VPN Switch as the Contivity 221. You may use the System Management Terminal (SMT), WebGUI or command interpreter interface to configure your Contivity 221.
  • Page 34 “i.e.” for “that is” or “in other words” throughout this manual. How to get help If you purchased a service contract for your Nortel Networks product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.
  • Page 35: Overview

    Overview Part I: Overview This part covers Getting to Know Your Contivity 221...
  • Page 37: Introducing The Contivity 221

    This chapter introduces the main features and applications of the Contivity 221. Introducing the Contivity 221 The Contivity 221 VPN Switch is an ideal secure gateway for all data passing between the Internet and the LAN. By integrating NAT, firewall and VPN capability, Nortel Networks’ Contivity 221 is a complete security solution that protects your Intranet and efficiently manages data traffic on your network.
  • Page 38 Contivity 221. You can also set the time manually. Reset Button The Contivity 221 reset button is built into the rear panel. Use this button to restore the factory default password to setup, IP address to 192.168.1.1, subnet mask to 255.255.255.0 and DHCP server enabled with a pool of 32 IP addresses starting at...
  • Page 39 The Contivity 221 can block web features such as ActiveX controls, Java applets and cookies, as well as disable web proxies. The Contivity 221 can block specific URLs by using the keyword feature. It also allows the administrator to define time periods and days during which content filtering is enabled.
  • Page 40 IP Alias allows you to partition a physical network into logical networks over the same Ethernet interface. The Contivity 221 supports three logical LAN interfaces via its single physical Ethernet LAN interface with the Contivity 221 itself as the gateway for each LAN network.
  • Page 41 IP addresses, an IP default gateway and DNS servers to all systems that support the DHCP client. The Contivity 221 can also act as a surrogate DHCP server (DHCP Relay) where it relays IP address assignment from another DHCP server to the clients.
  • Page 42: Applications For The Contivity 221

    Upgrade Contivity 221 Firmware The firmware of the Contivity 221 can be upgraded via the console port or the LAN. Embedded FTP and TFTP Servers The Contivity 221’s embedded FTP and TFTP Servers enable fast firmware upgrades as well as configuration file backups and restoration.
  • Page 43: Hardware Setup

    To keep the Contivity 221 operating at optimal internal temperature, keep the bottom, sides and rear clear of obstructions and away from the exhaust of other equipment. After installing your Contivity 221, continue with the rest of this User’s Guide for configuration instructions.
  • Page 46: Getting Started

    Getting Started Part II: Getting Started This part helps you get to know your Contivity 221, introduces the WebGUI and covers how to configure the Wizard Setup screens.
  • Page 47: Chapter 2 Introducing The Webgui

    Chapter 2 Introducing the WebGUI This chapter describes how to access the Contivity 221 WebGUI and provides an overview of its screens. WebGUI Overview The embedded WebGUI allows you to manage the Contivity 221 from anywhere through a browser such as Microsoft Internet Explorer or Netscape Navigator. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions with JavaScript enabled.
  • Page 48: Figure 2-1 Change Password Screen

    If you forget your password or cannot access the SMT menu, you will need to reload the factory-default configuration file or use the RESET button on the back of the Contivity 221. Uploading this configuration file replaces the current configuration file with the factory-default configuration file.
  • Page 49: Navigating The Contivity 221 Webgui

    Step 4. Continue to hold the RESET button for about 10 or 15 seconds. The Contivity 221 restarts. Step 5. Release the RESET button and wait for the Contivity 221 to finish restarting. 2.3.2 Uploading a Configuration File Via Console Port Step 1.
  • Page 50: Figure 2-3 The Main Menu Screen Of The Webgui

    Internet Access and WAN IP/DNS Server/MAC address assignment. Use submenus to configure Contivity 221 features. Click MAINTENANCE to view information about your Contivity 221 or upgrade configuration/firmware files. Maintenance includes SYSTEM STATUS (Statistics), DHCP TABLE, F/W (firmware) UPGRADE and CONFIGURATION (Backup, Restore Default). Click LOGOUT at any time to exit the...
  • Page 51: Chapter 3 Wizard Setup

    DHCP from the ISP is used. While you must enter the host name (System Name) on each individual computer, the domain name can be assigned from the Contivity 221 via DHCP. Click Next to configure the Contivity 221 for Internet access.
  • Page 52: Wizard Setup: Screen 2

    Figure 3-1 Wizard 1 Wizard Setup: Screen 2 The Contivity 221 offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE. 3.3.1 Ethernet Choose Ethernet when the WAN port is used as a regular Ethernet.
  • Page 53: Figure 3-2 Wizard 2: Ethernet Encapsulation

    For ISPs (such as Telstra) that send UDP heartbeat packets to verify that the customer is still online, please create a WAN-to-WAN/Contivity 221 firewall rule that allows access for port 1026 (UDP). The following fields are not applicable (N/A) for the Standard service type.
  • Page 54 Table 3-1 Ethernet Encapsulation: User Name: Type the user name given to you by your ISP. Password: Type the password associated with the user name above. Login Server IP Address: Type the authentication server IP address here if your ISP gave you one. Next: Click Next to continue.
  • Page 55: Figure 3-3 Wizard 2: Pptp Encapsulation

    The Contivity 221 supports one PPTP server connection at any given time. Figure 3-3 Wizard 2: PPTP Encapsulation. The following table describes the fields in this screen. Table 3-2 PPTP Encapsulation, ISP Parameters for Internet Access: Encapsulation: Select PPTP from the drop-down list box.
  • Page 56 By implementing PPPoE directly on the Contivity 221 (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the Contivity 221 does that part of the task. Furthermore, with NAT, all of the LAN's computers will have Internet access.
  • Page 57: Figure 3-4 Wizard2: Pppoe Encapsulation

    Type the user name given to you by your ISP. Password: Type the password associated with the user name above. Nailed Up Connection: Select Nailed Up Connection if you do not want the connection to time out.
  • Page 58: Table 3-4 Private Ip Address Ranges

    Table 3-3 PPPoE Encapsulation: Connection Idle Timeout: Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds. Next: Click Next to continue. Back: Click Back to return to the previous screen.
  • Page 59 Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.1.1, for your Contivity 221, but make sure that no other device on your network is using that IP address.
  • Page 60: Table 3-5 Example Of Network Properties For Lan Servers With Fixed Ip Addresses

    LAN even if your ISP does not require MAC address authentication. Your Contivity 221’s WAN Port is set at half-duplex mode as most cable/DSL modems only support half-duplex mode. Make sure your modem is in half-duplex mode. Your Contivity 221 supports full duplex mode on the LAN side.
  • Page 61: Table 3-6 Wan Setup

    This field is not available when you select PPPoE encapsulation in the previous wizard screen. Gateway IP Address: Enter the gateway IP address in this field if you selected Use Fixed IP Address. This field is not available when you select PPPoE encapsulation in...
  • Page 62 The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The Contivity 221 uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.
  • Page 63: Basic Setup Complete

    Back: Click Back to return to the previous screen. Finish: Click Finish to complete and save the wizard setup. Basic Setup Complete: Well done! You have successfully set up your Contivity 221 to operate on your network and access the Internet.
  • Page 64: System Lan And Wan

    System LAN and WAN Part III: System LAN and WAN This part covers configuration of the system LAN and WAN screens.
  • Page 65: Chapter 4 System Screens

    There are three places where you can configure DNS setup on the Contivity 221. 1. Use the System General screen to configure the Contivity 221 to use a DNS server to resolve domain names for Contivity 221 system features like VPN, DDNS and the time server.
  • Page 66: Figure 4-1 System General Setup

    A value of "0" means a management session never times out, no matter how long it has been left idle (not recommended). Apply: Click Apply to save your changes back to the Contivity 221. Reset: Click Reset to begin configuring this screen afresh.
  • Page 67: Dynamic Dns

    The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The Contivity 221 uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.
  • Page 68: Configuring Dynamic Dns

    If you have a private WAN IP address, then you cannot use Dynamic DNS. Configuring Dynamic DNS To change your Contivity 221’s DDNS, click SYSTEM, then the DDNS tab. The screen appears as shown. Figure 4-2 DDNS The following table describes the fields in this screen.
  • Page 69: Configuring Password

    Click Reset to begin configuring this screen afresh. Configuring Password To change your Contivity 221’s password (recommended), click SYSTEM, then the Password tab. The screen appears as shown. This screen allows you to change the Contivity 221’s password.
  • Page 70: Configuring Time Setting

    Configuring Time Setting To change your Contivity 221’s time and date, click SYSTEM, then the Time Setting tab. The screen appears as shown. Use this screen to configure the Contivity 221’s time based on your local time zone.
  • Page 71: Figure 4-4 Time Setting

    Select the time service protocol that your time server sends when you turn on the Contivity 221. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
  • Page 72 Current Time: This field displays the time of your Contivity 221. Each time you reload this page, the Contivity 221 synchronizes the time with the time server. New Time: This field displays the last updated time from the time server.
  • Page 73: Chapter 5 Lan Screens

    5.2.2 DNS Servers Use the LAN IP screen to configure the DNS server information that the Contivity 221 sends to the DHCP client devices on the LAN. LAN TCP/IP The Contivity 221 has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.
  • Page 74 RIP Direction controls the sending and receiving of RIP packets. When set to Both or Out Only, the Contivity 221 will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received.
  • Page 75: Configuring Ip

    224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group. The Contivity 221 supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start up, the Contivity 221 queries all directly connected networks to gather group membership.
  • Page 76: Table 5-1 Ip

    DNS Servers Assigned by DHCP Server The Contivity 221 passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. The Contivity 221 only passes this information to the LAN DHCP clients when you select the DHCP Server check box.
  • Page 77: Configuring Static Dhcp

    IP Subnet Mask: The subnet mask specifies the network number portion of an IP address. Your Contivity 221 will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the Contivity 221, 255.255.255.0.
  • Page 78: Figure 5-2 Static Dhcp

    Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. To change your Contivity 221’s Static DHCP settings, click LAN, then the Static DHCP tab. The screen appears as shown. Figure 5-2 Static DHCP The following table describes the fields in this screen.
  • Page 79: Configuring Ip Alias

    Ethernet interface. The Contivity 221 supports three logical LAN interfaces via its single physical Ethernet interface with the Contivity 221 itself as the gateway for each LAN network. To change your Contivity 221’s IP Alias settings, click LAN, then the IP Alias tab. The screen appears as shown.
  • Page 80 The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the Contivity 221 will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives;...
  • Page 81 WAN Screens
  • Page 83: Chapter 6 Wan Screens

    "1" and "15"; a number greater than "15" means the link is down. The smaller the number, the lower the "cost". The metric sets the priority for the Contivity 221’s routes to the Internet. If any two of the default routes have the same metric, the Contivity 221 uses the following pre-defined priorities: 1.
  • Page 84: Configuring Wan Isp

    Click Apply to save your changes back to the Contivity 221. Reset: Click Reset to begin configuring this screen afresh. Configuring WAN ISP To change your Contivity 221’s WAN ISP settings, click WAN, then the WAN ISP tab. The screen differs by the encapsulation. 6.4.1 Ethernet Encapsulation The screen shown next is for Ethernet encapsulation.
  • Page 85: Figure 6-2 Ethernet Encapsulation

    6.4.2 PPPoE Encapsulation The Contivity 221 supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.) connection. The PPPoE option is for a dial-up connection using PPPoE.
  • Page 86: Figure 6-3 Pppoe Encapsulation

    By implementing PPPoE directly on the Contivity 221 (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the Contivity 221 does that part of the task. Furthermore, with NAT, all of the LANs’ computers will have access.
  • Page 87: Table 6-3 Pppoe Encapsulation

    This value specifies the time in seconds that elapses before the router automatically disconnects from the PPPoE server. Apply: Click Apply to save your changes back to the Contivity 221. Reset: Click Reset to begin configuring this screen afresh. 6.4.3...
  • Page 88: Figure 6-4 Pptp Encapsulation

    Internet. The Contivity 221 supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
  • Page 89: Figure 6-5 Rr Service Type

    Table 6-4 PPTP Encapsulation: Idle Timeout: This value specifies the time in seconds that elapses before the Contivity 221 automatically disconnects from the PPTP server. PPTP Configuration, My IP Address: Type the (static) IP address assigned to you by your ISP.
  • Page 90: Configuring Wan Ip

    Enter the password associated with the login name above. Login Server IP Address: The Contivity 221 will find the Roadrunner Server IP address if this field is left blank. If it does not, then you must enter the authentication server IP address.
  • Page 91: Figure 6-6 Ip Setup

    Enter your WAN IP address in this field if you selected Use Fixed IP Address. IP Subnet Mask: Enter the IP subnet mask (if your ISP gave you one) in this field if you selected Use Fixed IP Address.
  • Page 92 When set to Both or Out Only, the Contivity 221 will broadcast its routing table periodically. When set to Both or In Only, the Contivity 221 will incorporate RIP information that it receives. When set to None, the Contivity 221 will not send any RIP packets and will ignore any RIP packets received.
  • Page 93: Configuring Wan Mac

    Click Apply to save your changes back to the Contivity 221. Reset: Click Reset to begin configuring this screen afresh. Configuring WAN MAC To change your Contivity 221’s WAN MAC settings, click WAN, then the WAN MAC tab. The screen appears as shown.
  • Page 94: Traffic Redirect

    ROM file. Traffic Redirect Traffic redirect forwards WAN traffic to a backup gateway when the Contivity 221 cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the Contivity 221 still provides firewall protection.
  • Page 95: Configuring Traffic Redirect

    LAN. Use IP alias to configure the LAN into two or three logical networks with the Contivity 221 itself as the gateway for each LAN network. Put the protected LAN in one subnet (Subnet 1 in the following figure) and the backup gateway in another subnet (Subnet 2).
  • Page 96: Figure 6-10 Traffic Redirect

    Table 6-7 Traffic Redirect LABEL DESCRIPTION Active Select this check box to have the Contivity 221 use traffic redirect if the normal WAN connection goes down. Backup Type the IP address of your backup gateway in dotted decimal notation. The Contivity...
  • Page 97: Configuring Dial Backup

    Internet before traffic is forwarded to the backup gateway. Period (sec) Type the number of seconds for the Contivity 221 to wait between checks to see if it can connect to the WAN IP address (Check WAN IP Address field) or default gateway.
  • Page 98: Figure 6-11 Dial Backup Setup

    Figure 6-11 Dial Backup Setup
  • Page 99: Table 6-8 Dial Backup Setup

    Type the first (primary) phone number from the ISP for this remote node. If the Phone Number Primary Phone number is busy or does not answer, your Contivity 221 dials the Secondary Phone number if available. Some areas require dialing the pound sign # before the phone number for local calls.
  • Page 100 Select SUA Only or None. SUA (Single User Account) is a subset of NAT that supports two types of mapping: Many-to-One and Server. When you select this option the Contivity 221 will use Address Mapping Set 255 (see your User's Guide for more information).
  • Page 101 RIP packets. Choose Both, In Only or Out Only. When set to Both or Out Only, the Contivity 221 will broadcast its routing table periodically. When set to Both or In Only, the Contivity 221 will incorporate RIP information that it receives.
  • Page 102: Advanced Modem Setup

    Ready) signal is dropped by the DTE. When the “Drop DTR When Hang Up” check box is selected, the Contivity 221 uses this hardware signal to force the WAN device to hang up, in addition to issuing the drop command “ATH”.
  • Page 103: Figure 6-12 Advanced Setup

    Answer Type the AT Command string to answer a call. Drop DTR When Select this check box to have the Contivity 221 drop the DTR (Data Hang Up Terminal Ready) signal after the "AT Command String: Drop" is sent out.
  • Page 104 Type the keyword preceding the connection speed. CONNECT Call Control Dial Timeout Type a number of seconds for the Contivity 221 to try to set up an (sec) outgoing call before timing out (stopping). Retry Count Type a number of times for the Contivity 221 to retry a busy or no- answer phone number before blacklisting the number.
  • Page 106: Nat And Static Route

    NAT and Static Route Part IV: NAT and Static Route This part covers Network Address Translation and setting up static routes.
  • Page 107: Chapter 7 Network Address Translation (Nat) Screens

    IP address known within another network. 7.1.1 NAT Definitions Inside/outside denotes where a host is located relative to the Contivity 221. For example, the computers of your subscribers are the inside hosts, while the web servers on the Internet are the outside hosts.
  • Page 108 Many-to-Many Overload NAT mapping) in each packet and then forwards it to the Internet. The Contivity 221 keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. The following figure illustrates this.
  • Page 109: Figure 7-1 How Nat Works

    Figure 7-1 How NAT Works
  • Page 110: Figure 7-2 Nat Application With Ip Alias

    NAT Mapping Types NAT supports five types of IP/port mapping. They are: One to One: In One-to-One mode, the Contivity 221 maps one local IP address to one global IP address. Many to One: In Many-to-One mode, the Contivity 221 maps multiple local IP addresses to one global IP address.
  • Page 111: Using Nat

    Many One to One: in Many-One-to-One mode, the Contivity 221 maps each local IP address to a unique global IP address. Server: this type lets you specify inside servers of different services behind the NAT to be accessible to the outside world. Port numbers do not change for One-to-One and Many-One-to-One NAT mapping types.
  • Page 112: Sua Server

    If you do not assign a Default Server IP Address, the Contivity 221 discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 113: Figure 7-3 Multiple Servers Behind Nat Example

    Let's say you want to assign ports 22-25 to one server, port 80 to another and assign a default server IP address of 192.168.1.35 as shown in the next figure. Figure 7-3 Multiple Servers Behind NAT Example
  • Page 114: Configuring Sua Server

    Configuring SUA Server: if you do not assign a Default Server IP Address, all packets received for ports not specified in this screen are discarded. Click SUA/NAT to open the SUA Server screen. Refer to the firewall chapters for port numbers commonly used for particular services. Figure 7-4 SUA/NAT Setup. The following table describes the fields in this screen.
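    The mapping types of section 7.1 and the SUA Server table above, as an added example (not Nortel code, and not how the Contivity 221 is implemented): a toy translator that applies One-to-One (address swapped, port kept), Many-to-One (one shared global address, source port rewritten and remembered so the reply can have its original values restored) and Server mappings, using the manual's example of ports 22-25 to one host, port 80 to another and 192.168.1.35 as default server. All other addresses, ports and the class and function names are constructed for the example.

```python
"""Added example, not Nortel code: toy SUA/NAT translator for the mapping
types and the SUA Server table described in chapter 7."""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class SuaNat:
    one_to_one: Dict[str, str]            # Inside Local Address -> Inside Global Address
    shared_global: str                    # the single global address used for Many-to-One
    servers: Dict[int, str]               # published port -> inside server (Server mapping)
    default_server: Optional[str] = None  # catch-all for unlisted ports; None = discard
    sessions: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    _ports: count = field(default_factory=lambda: count(1024), repr=False)

    def outbound(self, p: Packet) -> Packet:
        """LAN -> WAN: translate the source address (and port for Many-to-One)."""
        if p.src in self.one_to_one:
            # One-to-One: the address is swapped, the port is left unchanged
            return Packet(self.one_to_one[p.src], p.sport, p.dst, p.dport)
        # Many-to-One: everyone shares one global address, so the source port is
        # rewritten and the original pair is remembered for the reply
        gport = next(self._ports)
        self.sessions[(self.shared_global, gport)] = (p.src, p.sport)
        return Packet(self.shared_global, gport, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """WAN -> LAN: restore original values, or dispatch to a server. None = discarded."""
        session = self.sessions.get((p.dst, p.dport))
        if session is not None:                       # reply to a Many-to-One flow
            laddr, lport = session
            return Packet(p.src, p.sport, laddr, lport)
        for local, glob in self.one_to_one.items():   # traffic for a One-to-One host
            if glob == p.dst:
                return Packet(p.src, p.sport, local, p.dport)
        target = self.servers.get(p.dport, self.default_server)
        if target is None:
            return None                               # no server and no default: discard
        return Packet(p.src, p.sport, target, p.dport)


def example_nat(default_server: Optional[str] = "192.168.1.35") -> SuaNat:
    """The manual's SUA Server example: ports 22-25 to one server, port 80 to another.
    The 192.168.1.33/.34 servers, the One-to-One host and the global addresses are constructed."""
    servers = {port: "192.168.1.33" for port in range(22, 26)}
    servers[80] = "192.168.1.34"
    return SuaNat(one_to_one={"192.168.1.10": "203.0.113.10"},
                  shared_global="203.0.113.1", servers=servers,
                  default_server=default_server)


if __name__ == "__main__":
    nat = example_nat()
    print(nat.outbound(Packet("192.168.1.20", 5000, "198.51.100.5", 80)))   # 203.0.113.1:1024 -> web
    print(nat.inbound(Packet("198.51.100.5", 80, "203.0.113.1", 1024)))     # restored to 192.168.1.20:5000
    print(nat.inbound(Packet("198.51.100.7", 40000, "203.0.113.1", 25)))    # SMTP -> 192.168.1.33
    print(nat.inbound(Packet("198.51.100.7", 40001, "203.0.113.1", 8080)))  # unlisted port -> default server
```

Without a default server the last packet is dropped, which is the safer configuration: a default server receives every probe that hits an unpublished port.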
  • Page 115: Configuring Address Mapping

    Click Reset to begin configuring this screen afresh. Configuring Address Mapping Ordering your rules is important because the Contivity 221 applies the rules in the order that you specify. When a rule matches the current packet, the Contivity 221 takes the corresponding action and the remaining rules are ignored.
  • Page 116: Figure 7-5 Address Mapping

    Figure 7-5 Address Mapping. The following table describes the fields in this screen. Table 7-5 Address Mapping. Local Start IP: this is the Inside Local Address (ILA), that is, the starting local IP address. Local IP addresses are N/A for Server port mapping.
  • Page 117: Figure 7-6 Address Mapping Edit

    Click Insert to insert a new mapping rule before an existing one. Configuring Address Mapping: to edit an Address Mapping rule, click the Edit button to display the screen shown next. Figure 7-6 Address Mapping Edit. The following table describes the fields in this screen.
  • Page 118: Trigger Port Forwarding

    This is the ending Inside Global IP Address (IGA). This field is N/A for One-to-One, Many-to-One and Server mapping types. Apply Click Apply to save your changes back to the Contivity 221. Reset Click Reset to begin configuring this screen afresh.
  • Page 119: Figure 7-7 Trigger Port Forwarding Process: Example

    1. Jane (A) requests a file from the Real Audio server (port 7070). 2. Port 7070 is a “trigger” port and causes the Contivity 221 to record Jane’s computer IP address. The Contivity 221 associates Jane's computer IP address with the "incoming" port range of 6970- 7170.
  • Page 120: Configuring Trigger Port Forwarding

    LAN can’t trigger it. Configuring Trigger Port Forwarding To change your Contivity 221’s trigger port settings, click SUA/NAT and the Trigger Port tab. The screen appears as shown. Only one LAN computer can use a trigger port (range) at a time.
  • Page 121: Table 7-7 Trigger Port

    Type a port number or the ending port number in a range of port numbers. Trigger The trigger port is a port (or a range of ports) that causes (or triggers) the Contivity 221 to record the IP address of the LAN computer that sent the traffic to a server on the WAN.
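    The trigger port process of Figure 7-7 as an added example (not Nortel code): a small state table that records the LAN address that sent traffic to a trigger port and forwards later unsolicited WAN traffic on the incoming range to that address. The Real Audio numbers (trigger port 7070, incoming range 6970-7170) are from the manual; the host addresses, class names and the rule that a second LAN host is refused while the first still holds the range (the page only says one computer can use a trigger at a time) are assumptions.

```python
"""Added example, not Nortel code: trigger port forwarding as a state table."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TriggerRule:
    name: str
    incoming_start: int   # ports the WAN server sends to once triggered (6970-7170)
    incoming_end: int
    trigger_start: int    # outgoing destination ports that arm the rule (7070)
    trigger_end: int


class TriggerPortTable:
    def __init__(self, rules: List[TriggerRule]) -> None:
        self.rules = rules
        self.owner: Dict[str, str] = {}     # rule name -> LAN IP currently holding the range

    def _trigger_rule(self, dport: int) -> Optional[TriggerRule]:
        for r in self.rules:
            if r.trigger_start <= dport <= r.trigger_end:
                return r
        return None

    def outbound(self, lan_ip: str, dport: int) -> bool:
        """A LAN host sends to a WAN server. Returns True if a trigger rule was armed."""
        rule = self._trigger_rule(dport)
        if rule is None:
            return False                             # ordinary traffic: nothing recorded
        holder = self.owner.get(lan_ip and rule.name)
        if holder is not None and holder != lan_ip:
            return False                             # assumption: range busy, second host refused
        self.owner[rule.name] = lan_ip               # step 2: record the sender's IP address
        return True

    def inbound(self, dport: int) -> Optional[str]:
        """Unsolicited WAN traffic. Returns the LAN IP to forward to, or None (discarded)."""
        for r in self.rules:
            if r.incoming_start <= dport <= r.incoming_end and r.name in self.owner:
                return self.owner[r.name]            # steps 3-4: forwarded to the recorded host
        return None                                  # nobody triggered: blocked by default

    def release(self, name: str) -> None:
        """Free the range (e.g. when the session ends) so another host can trigger it."""
        self.owner.pop(name, None)


REAL_AUDIO = TriggerRule("Real Audio", 6970, 7170, 7070, 7070)

if __name__ == "__main__":
    table = TriggerPortTable([REAL_AUDIO])
    print(table.inbound(7000))                       # None: nothing armed yet
    table.outbound("192.168.1.5", 7070)              # Jane requests a file from the server
    print(table.inbound(7000))                       # 192.168.1.5
    print(table.outbound("192.168.1.6", 7070))       # False: only one LAN host at a time
```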
  • Page 123: Chapter 8 Static Route Screens

    Each remote node specifies only the network to which the gateway is directly connected, and the Contivity 221 has no knowledge of the networks beyond. For instance, the Contivity 221 knows about network N2 in the following figure through remote node Router 1. However, the Contivity 221 is unable to route a packet to network N3 because it doesn't know that there is a route through the same remote node Router 1 (via gateway Router 2).
  • Page 124: Figure 8-2 Static Route Screen

    Contivity 221 that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your Contivity 221; over the WAN, the gateway must be the IP address of one of the remote nodes.
  • Page 125: Figure 8-3 Edit Ip Static Route

  • Page 126 1 and 15. In practice, 2 or 3 is usually a good number. Private This parameter determines if the Contivity 221 will include this route to a remote node in its RIP broadcasts. Select this check box to keep this route private and not included in RIP broadcasts.
  • Page 127: Firewall And Content Filters

    Firewall and Content Filters Part V: Firewall and Content Filters This part introduces firewalls in general and the Contivity 221 firewall. It also explains how to configure the Contivity 221 firewall and content filtering.
  • Page 129: Chapter 9 Firewalls

    Chapter 9 Firewalls This chapter gives some background information on firewalls and introduces the Contivity 221 firewall. Firewall Overview Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term “firewall” is a system or group of systems that enforces an access-control policy between two networks.
  • Page 130: Introduction To Nortel Networks Firewall

    Local Area Network (LAN) to be securely connected to the Internet. The Contivity 221 can be used to prevent theft, destruction and modification of data, as well as log events, which may be important to the security of your network. The Contivity 221 also has packet- filtering capabilities.
  • Page 131: Denial Of Service

    Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information but to disable a device or network so that users no longer have access to network resources. The Contivity 221 is pre-configured to detect and thwart the DoS attacks described in this chapter.
  • Page 132: Table 9-1 Common Ip Ports

    When computers communicate on the Internet, they use the client/server model: the server "listens" on a specific TCP/UDP port for requests from remote client computers. For example, a web server typically listens on port 80. Note that although a computer may be intended for use over a single port, such as the web on port 80, other ports may also be open and reachable.
  • Page 133: Figure 9-2 Three-Way Handshake

    ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the three-way handshake. Once the queue is full, the system ignores all incoming SYN requests, making it unavailable to legitimate users.
  • Page 134: Figure 9-3 Syn Flood

    Figure 9-3 SYN Flood. In a LAND attack, the attacker sends SYN packets whose spoofed source IP address (and, in the classic form, source port) is that of the targeted system. This makes it appear as if the host sent the packets to itself, and the system becomes unavailable while it tries to respond to itself.
  • Page 135: Figure 9-4 Smurf Attack

    The only legal NetBIOS commands are the following; all others are illegal. Table 9-3 Legal NetBIOS Commands: MESSAGE, REQUEST, POSITIVE, NEGATIVE, RETARGET, KEEPALIVE (the six session-service message types defined in RFC 1002). All SMTP commands are illegal except for those displayed in the following tables.
  • Page 136: Stateful Inspection

    The Contivity 221 uses stateful packet inspection to protect the private LAN from hackers and vandals on the Internet. By default, the Contivity 221’s stateful inspection allows all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet.
  • Page 137 Firewalls 9-9 Figure 9-5 Stateful Inspection The previous figure shows the Contivity 221’s default firewall rules in action as well as demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed. However other Telnet traffic initiated from the WAN is blocked.
  • Page 138 Below is a brief technical description of how these connections are tracked. Connections may either be defined by the upper protocols (for instance, TCP), or by the Contivity 221 itself (as with the "virtual connections" created for UDP and ICMP).
  • Page 139 Firewalls 9-11 9.5.3 TCP Security The Contivity 221 uses state information embedded in TCP packets. The first packet of any new connection has its SYN flag set and its ACK flag cleared; these are "initiation" packets. All packets that do not have this flag structure are called "subsequent" packets, since they represent data that occurs later in the TCP stream.
  • Page 140: Guidelines For Enhancing Security With Your Firewall

    Internet would normally be rejected. In order to achieve this, the Contivity 221 inspects the application-level FTP data. Specifically, it searches for outgoing "PORT" commands, and when it sees these; it adds a cache entry for the anticipated data connection.
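    The stateful inspection behaviour described in 9.5.3 and the FTP PORT handling above, as an added example (not Nortel code, and not the Contivity 221's implementation): LAN-originated initiation packets (TCP SYN without ACK, or the first UDP packet of an unknown pair, the "virtual connection") create a tracked flow; subsequent packets are allowed only if they belong to a tracked flow in either direction; WAN-originated initiation packets are blocked unless an outgoing FTP PORT command has pre-authorised that exact server-to-client data connection. Addresses, ports and payloads are constructed, and the NAT rewrite of the PORT payload that a real gateway would also perform is left out.

```python
"""Added example, not Nortel code: stateful inspection with FTP PORT pre-authorisation."""
import re
from dataclasses import dataclass
from typing import Set, Tuple

Flow = Tuple[str, str, int, str, int]       # proto, src, sport, dst, dport


@dataclass(frozen=True)
class Pkt:
    iface: str            # interface the packet arrives on: "LAN" or "WAN"
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""


PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class StatefulFirewall:
    def __init__(self) -> None:
        self.flows: Set[Flow] = set()                         # connections the LAN initiated
        self.expected: Set[Tuple[str, str, int]] = set()      # (server, client, client port)

    @staticmethod
    def _key(p: Pkt) -> Flow:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Pkt) -> Flow:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _is_initiation(self, p: Pkt) -> bool:
        if p.proto == "tcp":
            return p.syn and not p.ack                        # SYN set, ACK clear
        # UDP has no flags: the first packet of an unknown pair starts a virtual connection
        return self._key(p) not in self.flows and self._reverse(p) not in self.flows

    def process(self, p: Pkt) -> str:
        if self._is_initiation(p):
            if p.iface == "LAN":
                self.flows.add(self._key(p))                  # default: LAN -> WAN allowed
            elif (p.src, p.dst, p.dport) in self.expected or self._key(p) in self.flows:
                self.expected.discard((p.src, p.dst, p.dport))  # the anticipated FTP data connection
                self.flows.add(self._key(p))
            else:
                return "block"                                # default: WAN-initiated blocked
        elif self._key(p) not in self.flows and self._reverse(p) not in self.flows:
            return "block"                                    # subsequent packet of no known flow
        if p.iface == "LAN" and p.proto == "tcp" and p.dport == 21 and self._key(p) in self.flows:
            self._inspect_ftp(p)                              # application-level FTP inspection
        return "allow"

    def _inspect_ftp(self, p: Pkt) -> None:
        """An outgoing PORT h1,h2,h3,h4,p1,p2 tells the server where to connect back."""
        m = PORT_CMD.search(p.payload)
        if m:
            h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
            self.expected.add((p.dst, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))


if __name__ == "__main__":
    fw = StatefulFirewall()
    print(fw.process(Pkt("LAN", "tcp", "192.168.1.10", 3100, "198.51.100.30", 21, syn=True)))
    print(fw.process(Pkt("LAN", "tcp", "192.168.1.10", 3100, "198.51.100.30", 21, ack=True,
                         payload=b"PORT 192,168,1,10,12,34\r\n")))          # announces port 3106
    print(fw.process(Pkt("WAN", "tcp", "198.51.100.30", 20, "192.168.1.10", 3106, syn=True)))  # allow
    print(fw.process(Pkt("WAN", "tcp", "198.51.100.9", 4444, "192.168.1.10", 23, syn=True)))   # block
```

The cache entry is consumed by the first matching SYN, and it is keyed on the server address as well as the client port, so a third party that observed the PORT command cannot use it to reach the client.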
  • Page 141: Packet Filtering

    3. To selectively block/allow inbound or outbound traffic between inside hosts/networks and outside hosts/networks. Remember that filters cannot tell, from the IP address alone, whether traffic originated from an inside host or an outside host.
  • Page 142 9-14 Firewalls 4. The firewall performs better than filtering if you need to check many rules. 5. Use the firewall if you need routine e-mail reports about your system or need to be alerted when attacks occur. 6. The firewall can block specific URL traffic that might occur in the future. The URL can be saved in an Access Control List (ACL) database.
  • Page 143: Access Methods

    • WAN to WAN/Contivity 221 This prevents computers on the WAN from using the Contivity 221 as a gateway to communicate with other computers on the WAN and/or managing the Contivity 221. You may define additional rules and sets or modify existing ones but please exercise extreme caution in doing so.
  • Page 144: Rule Logic Overview

    These custom rules work by comparing the Source IP address, Destination IP address and IP protocol type of network traffic to rules set by the administrator. Your customized rules take precedence and override the Contivity 221’s default rules. Rule Logic Overview 10.3...
  • Page 145: Connection Direction Examples

    This section describes examples for firewall rules for connections going from LAN to WAN and from WAN to LAN. LAN to LAN/Contivity 221, WAN and WAN/Contivity 221 rules apply to packets coming in on the associated interface (LAN or WAN respectively). LAN to LAN/Contivity 221 means policies for LAN-to-Contivity 221 (the policies for managing the Contivity 221 through the LAN interface) and policies for LAN-to-LAN (the policies that control routing between two subnets on the LAN).
  • Page 146: Figure 10-1 Lan To Wan Traffic

    10.4.1 LAN to WAN Rules. The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted access to the WAN. When you configure a LAN to WAN rule, you in essence want to limit some or all users from accessing certain services on the WAN.
  • Page 147: Configuring Firewall

    The ordering of your rules is very important, as rules are applied in turn. Click FIREWALL to open the Summary screen. Enable (or activate) the firewall by selecting the Enable Firewall check box as seen in the following screen.
  • Page 148: Figure 10-3 Enabling The Firewall

    Denial of Service (DoS) attacks when the firewall is activated. Bypass Triangle Route: select this check box to have the Contivity 221 firewall ignore the use of triangle route topology on the network. See the Appendices for more on triangle route topology.
  • Page 149 Contivity 221 (the combined total available for all packet directions). Packet Direction Use the drop-down list box to select a direction of travel of packets (LAN to LAN/Contivity 221, LAN to WAN, WAN to WAN/Contivity 221 or WAN to LAN for which you want to configure firewall rules. Block/...
  • Page 150 Click Delete to delete an existing firewall rule. Note that subsequent firewall rules move up by one when you take this action. Apply Click Apply to save your changes back to the Contivity 221. Reset Click Reset to begin configuring this screen afresh.
  • Page 151: Figure 10-4 Creating/Editing A Firewall Rule

    Active: check the Active check box to have the Contivity 221 use this rule. Leave it unchecked if you do not want the Contivity 221 to use the rule after you apply it. Packet Direction: use the drop-down list box to select the direction of packet travel to which you want to apply this firewall rule.
  • Page 152 (Not Match), both (Both) or no log is created (None). Go to the Log Settings page and select the Access Control logs category to have the Contivity 221 record these logs. Alert Check the Alert check box to determine that this rule generates an alert when the rule is matched.
  • Page 153: Figure 10-5 Adding/Editing Source And Destination Addresses

    10.5.3 Configuring Custom Ports. Configure customized ports for services not predefined by the Contivity 221 (see section 10.7 for a list of predefined services). For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Numbers Authority) web site.
  • Page 154: Example Firewall Rule

    Figure 10-6 Creating/Editing A Custom Port. The following table describes the fields in this screen. Table 10-4 Creating/Editing A Custom Port. Service Name: enter a unique name for your custom port. Service Type: choose the transport protocol (TCP, UDP or Both) that defines your customized port from the drop-down list box.
  • Page 155: Figure 10-7 Firewall Edit Rule Screen

    Step 4. Select Any in the Destination Address box and then click DestDelete. Step 5. Click DestAdd under the Source Address box. Step 6. Configure the Firewall Rule Edit IP screen as follows and click Apply.
  • Page 156: Figure 10-8 Firewall Rule Edit Ip Example

    Figure 10-8 Firewall Rule Edit IP Example. Step 7. In the firewall rule configuration screen, click Add under Custom Port to open the Edit Custom Port screen. Configure it as follows and click Apply. Figure 10-9 Edit Custom Port Example. Step 8. The firewall rule configuration screen displays; use the arrows between Available...
  • Page 157: Figure 10-10 Myservice Rule Configuration

    Rule Summary list box. Click Apply after you’ve created your custom port. Figure 10-10 MyService Rule Configuration. This is the address range of the “My Service” servers. This is your “My Service” custom port. Click Apply when finished.
  • Page 158: Predefined Services

    The Available Services list box in the Edit Rule screen (see Figure 10-4) displays all predefined services that the Contivity 221 already supports. Next to the name of the service, two fields appear...
  • Page 159: Table 10-5 Predefined Services

    The Internet Key Exchange protocol is used for key distribution and management. IPSEC_TUNNEL(AH:0): the IPSEC AH (Authentication Header) tunneling protocol uses this service. IPSEC_TUNNEL(ESP:0): the IPSEC ESP (Encapsulating Security Payload) tunneling protocol uses this service.
  • Page 160 10-18 Firewall Screens Table 10-5 Predefined Services SERVICE DESCRIPTION IRC(TCP/UDP:6667) This is another popular Internet chat program. Microsoft Networks’ messenger service uses this protocol. Messenger(TCP:1863) MULTICAST(IGMP:0) Internet Group Multicast Protocol is used when sending packets to a specific group of hosts. NEW-ICQ(TCP:5190) An Internet chat program.
  • Page 161: Alerts

    Attack alerts are the first defense against DoS attacks. In the Attack Alert screen, shown later, you may choose to generate an alert whenever an attack is detected. For DoS attacks, the Contivity 221...
  • Page 162: Threshold Values

    9-2). For UDP, "half-open" means that the firewall has detected no return traffic. The Contivity 221 measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements.
  • Page 163 (TCP Maximum Incomplete), the Contivity 221 starts deleting half-open sessions according to one of the following methods: 1. If the Blocking Period timeout is 0 (the default), then the Contivity 221 deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.
  • Page 164: Figure 10-12 Attack Alert

    Figure 10-12 Attack Alert. The following table describes the fields in this screen. Table 10-6 Attack Alert (label, description, default value). Generate alert when attack detected: a detected attack automatically generates a log entry; check this box to generate an alert (as well as a log) whenever an attack is detected.
  • Page 165 When the Contivity 221 to start deleting number of existing half-open sessions rises half-open sessions when the above this number, the Contivity 221 deletes number of existing half-open half-open sessions as required to sessions rises above 100, and to accommodate new connection requests.
  • Page 166 (min) Enter the length of Blocking Period in minutes. Apply Click Apply to save your changes back to the Contivity 221. Reset Click Reset to begin configuring this screen afresh. 317517-A Rev 00...
  • Page 167: Chapter 11 Content Filtering Screens

    The Contivity 221 can block web features such as ActiveX controls, Java applets and cookies, and can disable web proxies. 11.3 Days and Times: the Contivity 221 also lets you define the time periods and days during which it performs content filtering. 11.4 Configure Content Filtering: click Content Filter on the navigation panel to open the following screen.
  • Page 168: Figure 11-1 Content Filter

    Figure 11-1 Content Filter. Table 11-1 Content Filter. Restrict Web Features: select the box(es) to restrict a feature. When you download a page containing a restricted feature, that part of the web page appears blank or grayed out. A tool for building dynamic and active Web pages and distributed object applications.
  • Page 169 Clear All Click this button to remove all of the listed keywords. Select check boxes for the days that you want the Contivity 221 to perform content filtering. Day to Block Select the Everyday check box to have content filtering turned on all days of the week.
  • Page 170: Vpn/Ipsec

    VPN/IPSec Part VI: VPN/IPSec This part provides information on how to configure VPN/IPSec.
  • Page 171: Chapter 12 Introduction To Ipsec

    "ciphertext" (scrambled text) using a "key". The encryption operation combines the key with the cleartext to produce the ciphertext; without the key, the ciphertext reveals nothing useful about the original data. Decryption is the opposite of encryption: it is a mathematical operation that transforms ciphertext back to plaintext. Decryption also requires a key.
  • Page 172: Figure 12-1 Encryption And Decryption

    12.1.4 VPN Applications The Contivity 221 supports the following VPN applications. Linking Two or More Private Networks Together Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased lines between sites.
  • Page 173: Ipsec Architecture

    AH and ESP protocols. See section 13.2 for more information. 12.2.2 Key Management: your Contivity 221 uses IKE (ISAKMP) key management to set up a VPN.
  • Page 174: Encapsulation

    12.3 Encapsulation. The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. Figure 12-3 Transport and Tunnel Mode IPSec Encapsulation. 12.3.1 Transport Mode: Transport mode protects upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet carries the security protocol header (AH or ESP) after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
  • Page 175: Ipsec And Nat

    12.4 IPSec and NAT. Read this section if you are running IPSec on a host computer behind the Contivity 221. NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using AH computes a keyed integrity check value (ICV) over the outbound packet, covering the data payload and the immutable fields of the IP header, including the source and destination addresses, and appends it to the packet. A NAT device that rewrites an address therefore invalidates the ICV and the receiver discards the packet; ESP, whose ICV does not cover the outer IP header, is not affected by the address rewrite.
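    Why NAT breaks AH but not ESP, as an added example (not Nortel code): AH's ICV is a keyed hash over the payload plus the immutable IP header fields, with mutable fields such as TTL treated as zero, so an ordinary router hop still verifies while a NAT rewrite of the source address does not; ESP's ICV covers only the ESP header and payload. The key, addresses and payload are constructed, HMAC-SHA-256 stands in for the SA's integrity algorithm, and ESP encryption is left out because it does not affect the point.

```python
"""Added example, not Nortel code: AH versus ESP integrity checks across a NAT."""
import hashlib
import hmac
from dataclasses import dataclass, replace

SA_KEY = b"constructed-demo-integrity-key"     # a real SA key comes from IKE


@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str
    ttl: int              # mutable in transit: excluded from the AH ICV
    payload: bytes        # for ESP: SPI + sequence number + (encrypted) data
    icv: bytes = b""


def _ah_covered(pkt: IPPacket) -> bytes:
    # immutable header fields (the addresses) plus payload; mutable TTL is hashed as zero
    return f"src={pkt.src};dst={pkt.dst};ttl=0;".encode() + pkt.payload


def ah_protect(pkt: IPPacket, key: bytes = SA_KEY) -> IPPacket:
    return replace(pkt, icv=hmac.new(key, _ah_covered(pkt), hashlib.sha256).digest())


def ah_verify(pkt: IPPacket, key: bytes = SA_KEY) -> bool:
    return hmac.compare_digest(hmac.new(key, _ah_covered(pkt), hashlib.sha256).digest(), pkt.icv)


def esp_protect(pkt: IPPacket, key: bytes = SA_KEY) -> IPPacket:
    # ESP authenticates its own header and payload; the outer IP header is not covered
    return replace(pkt, icv=hmac.new(key, pkt.payload, hashlib.sha256).digest())


def esp_verify(pkt: IPPacket, key: bytes = SA_KEY) -> bool:
    return hmac.compare_digest(hmac.new(key, pkt.payload, hashlib.sha256).digest(), pkt.icv)


def forward_hop(pkt: IPPacket) -> IPPacket:
    """An ordinary router: decrements TTL, leaves the addresses alone."""
    return replace(pkt, ttl=pkt.ttl - 1)


def nat_gateway(pkt: IPPacket, public_ip: str) -> IPPacket:
    """A NAT device: rewrites the source address (and decrements TTL)."""
    return replace(pkt, src=public_ip, ttl=pkt.ttl - 1)


def survives_nat(protect, verify, public_ip: str = "203.0.113.1") -> bool:
    """Does a packet protected by `protect` still pass `verify` after NAT?"""
    pkt = IPPacket("192.168.1.10", "198.51.100.40", 64, b"SPI=0x1000;seq=1;data")
    return verify(nat_gateway(protect(pkt), public_ip))


if __name__ == "__main__":
    print("AH survives NAT:", survives_nat(ah_protect, ah_verify))    # False
    print("ESP survives NAT:", survives_nat(esp_protect, esp_verify))  # True
```

In transport mode ESP still has a second problem under NAT, the TCP/UDP checksum inside the encrypted payload covering the original address, which is what NAT traversal (UDP encapsulation of ESP) was later defined to work around; tunnel-mode ESP, the case for a host behind the Contivity 221 talking to a remote gateway, does not have it.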
  • Page 177: Chapter 13 Vpn Screens

    However, ESP is sufficient if only the upper layer protocols need to be authenticated. An added feature of ESP is payload padding, which partially conceals the size of the packet being transmitted.
  • Page 178: My Ip Address

    13.3 My IP Address. My IP Address is the WAN IP address of the Contivity 221. If this field is configured as 0.0.0.0, the Contivity 221 uses its current WAN IP address (static or dynamic) to set up the VPN tunnel.
  • Page 179: Summary Screen

    Click VPN to open the Summary screen. This is a read-only menu of your IPSec rules (tunnels). Edit or create an IPSec rule by selecting an index number and then clicking Edit to configure the associated submenus.
  • Page 180: Figure 13-2 Summary

    Figure 13-2 Summary IP Policies. The following table describes the fields in this screen. Table 13-2 Summary. Contivity VPN Client: a simple VPN rule that lets you define and store connection information for accessing your corporate network through a Contivity VPN switch. The Contivity VPN Client uses the IPSec protocol to establish a secure end-to-end...
  • Page 181 The Private Policy IP Address or Local Policy IP Address field displays the IP address (or range of IP addresses) of the computer (or computers) on your Contivity 221's local network, for which you have configured this VPN rule IP policy.
  • Page 182 13-6 VPN Screens Table 13-2 Summary LABEL DESCRIPTION The Local Policy IP Address field displays the IP policy's virtual IP address (or range of addresses) when you enable branch tunnel NAT address mapping in the IP Policy screen. The Local Policy IP Address field displays a single (static) IP address when the IP policy's Branch Tunnel NAT Address Mapping Rule Type field is configured to One-to-one or Many-to-One in the IP Policy screen.
  • Page 183 Encap policy if ??? is displayed. This field displays the security protocols used for an SA. IPSec Both AH and ESP increase Contivity 221 processing requirements and communications Algorithm latency (delay). Secure This is the static WAN IP address or URL of the remote VPN switch. This field displays Gateway 0.0.0.0 when you configure the Secure Gateway Address field in the VPN Branch...
  • Page 184: Keep Alive

    If the Contivity 221 has its maximum number of simultaneous IPSec tunnels connected to it and they all have keep alive enabled, then no other tunnels can take a turn connecting to the Contivity 221 because the Contivity 221 never drops the tunnels that are already connected.
  • Page 185: Id Type And Content

    With main mode (see section 13.13.1), the ID type and content are encrypted to provide identity protection. In this case the Contivity 221 can only distinguish between up to eight different incoming SAs that connect from remote VPN switches that have dynamic WAN IP addresses. The...
  • Page 186: Table 13-3 Local Id Type And Content Fields

    Local ID Type and Content. IP: type the IP address of your computer, or leave the field blank to have the Contivity 221 automatically use its own IP address. DNS: type a domain name (up to 31 characters) by which to identify this Contivity 221.
  • Page 187: Pre-Shared Key

    The two Contivity 221s in this example cannot complete their negotiation because Contivity 221 B’s Local ID type is IP, but Contivity 221 A’s Peer ID type is set to E-mail. An “ID mismatched” message displays in the IPSEC LOG.
  • Page 188: Figure 13-4 Vpn Contivity Client Rule Setup

    VPN rules to inactive. Keep Alive: select this check box to turn on the Keep Alive feature for this SA. Turn on Keep Alive to have the Contivity 221 automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The remote VPN switch must also have keep alive enabled for this feature to work.
  • Page 189: Configuring Branch Office Vpn Rule Setup

    Table 13-7 VPN Contivity Client Rule Setup LABEL DESCRIPTION Apply Click Apply to save your changes back to the Contivity 221. Cancel Click Cancel to return to the VPN Summary screen without saving your changes. Configuring Branch Office VPN Rule Setup 13.11...
  • Page 190: Figure 13-5 Vpn Branch Office Rule Setup

    Figure 13-5 VPN Branch Office Rule Setup
  • Page 191: Table 13-8 Vpn Branch Office Rule Setup

    VPN rule is applied. Keep Alive: select this check box to turn on the Keep Alive feature for this SA. Turn on Keep Alive to have the Contivity 221 automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The remote VPN switch must also have keep alive enabled for this feature to work.
  • Page 192 This field displays the IP address of the computer (or a range of computers) on your Contivity 221's local network, for which you have configured this VPN rule. This field applies when you configure the IP policy to use a branch tunnel NAT address mapping rule in the IP Policy screen.
  • Page 193 DESCRIPTION This field displays the IP address (or range of IP addresses) of the computer (or computers) on your Contivity 221's local network, for which you have configured this IP policy. This field displays the IP policy's virtual IP address (or range of addresses) when you enable branch tunnel NAT address mapping in the IP Policy screen.
  • Page 194 When you select IP in the Local ID Type field, type an IP address or leave the field blank to have the Contivity 221 automatically use its own IP address. When you select DNS in the Local ID Type field, type a domain name (up to 31 characters) by which to identify this Contivity 221.
  • Page 195 Table 13-8 VPN Branch Office Rule Setup LABEL DESCRIPTION Enter the WAN IP address of your Contivity 221. The Contivity 221 uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field My IP Address as 0.0.0.0.
  • Page 196 Retype to Confirm Type your pre-shared key again in this field. Apply Click Apply to save your changes back to the Contivity 221 Cancel Click Cancel to return to the VPN Summary screen without saving your changes. 317517-A Rev 00...
  • Page 197: Configuring An Ip Policy

    Select one of the IP Policies in the VPN Branch Office screen and click Edit to configure the policy’s settings. The Branch Office – IP Policy setup screen is shown next. Figure 13-6 VPN Branch Office - IP Policy. The following table describes the fields in this screen.
  • Page 198: Table 13-9 Vpn Branch Office - Ip Policy

    Branch Tunnel NAT Address Mapping Rule Active: enable this feature to have the Contivity 221 use a different (virtual) IP address for the VPN connection. When you enable branch tunnel NAT address mapping, you do not configure the local section.
  • Page 199 Virtual addresses must be static and correspond to the remote VPN switch's configured remote IP addresses. The computers on the Contivity 221's LAN and the remote network can function as if they were on the same subnet when the virtual IP address(es) is on the same subnet as the remote IP address(es).
  • Page 200 Ending IP Address / Subnet Mask: When the Address Type field is configured to Range Address, enter the end (static) IP address in a range of computers on the LAN behind your Contivity 221. When the Address Type field is configured to Subnet Address, this is a subnet mask on the LAN behind your Contivity 221.
  • Page 201: IKE Phases

    Subnet Mask: When the Address Type field is configured to Range Address, enter the end (static) IP address in a range of computers on the LAN behind your Contivity 221. When the Address Type field is configured to Subnet Address, this is a subnet mask on the LAN behind your Contivity 221.
  • Page 202: Negotiation Mode

    Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA should stay up before it times out. The Contivity 221 automatically renegotiates the IPSec SA if there is traffic when the IPSec SA lifetime period expires. The Contivity 221 also automatically renegotiates the IPSec SA if both VPN switches have keep alive enabled, even if there is no traffic.
  • Page 203: Configuring Advanced Branch Office Setup

    This may be unnecessary for data that does not require such security, so PFS is disabled (None) by default in the Contivity 221. Disabling PFS means new authentication and encryption keys are derived from the same root secret (which may have security implications in the long run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).
  • Page 204: Figure 13-8 VPN Branch Office Advanced Rule Setup

    Enable replay detection by setting this field to YES. IKE Phase 1: A phase 1 exchange establishes an IKE SA (Security Association). Negotiation Mode: Select Main or Aggressive from the drop-down list box. The Contivity 221's negotiation mode should be identical to that on the remote VPN switch.
  • Page 205 This implementation of AES uses a 128-bit key. AES is faster than 3DES. Authentication: Select SHA1 or MD5 from the drop-down list box. The Contivity 221's authentication algorithm should be identical to that of the remote VPN switch. MD5 (Message Digest 5) and SHA1...
  • Page 206 IPSec Protocol: Select ESP or AH from the drop-down list box. The Contivity 221's IPSec Protocol should be identical to that of the remote VPN switch. The ESP (Encapsulating Security Payload) protocol (RFC 2406) provides encryption as well as the authentication offered by AH. If you select...
  • Page 207: SA Monitor

    A tunnel with no outbound or inbound traffic is "idle" and does not time out until the SA lifetime period expires. See the section on keep alive to have the Contivity 221 renegotiate an IPSec SA when the SA lifetime expires, even if there is no traffic.
  • Page 208: Global Settings

    This field displays Tunnel or Transport mode. IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase Contivity 221 processing requirements and communications latency (delay). Refresh: Click Refresh to display the current active VPN connection(s). This button is available when you have active VPN connections.
  • Page 209: Figure 13-10 VPN Global Setting

    Allow Through IPSec Tunnel: Select this check box to send NetBIOS packets through the VPN connection. Click Apply to save your changes back to the Contivity 221. Click Reset to begin configuring this screen afresh.
  • Page 210: Remote Management and UPnP

    Part VII: Remote Management and UPnP. This part provides information and configuration instructions for remote management and Universal Plug and Play.
  • Page 212: Chapter 14 Remote Management Screens

    When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access. See the firewall chapters for details on configuring firewall rules. You may manage your Contivity 221 from a remote location via: Internet (WAN), ALL (LAN and WAN)
  • Page 213: Telnet

    There is a system timeout of five minutes (three hundred seconds) for either the console port or telnet/web/FTP connections. Your Contivity 221 automatically logs you out if you do nothing in this timeout period, except when it is continuously updating the status in menu 24.1 or when sys stdio has been changed on the command line.
  • Page 214: Configuring Telnet

    Figure 14-1 Telnet Configuration on a TCP/IP Network. 14.3 Configuring TELNET: Click REMOTE MANAGEMENT to open the TELNET screen. Figure 14-2 Telnet. The following table describes the fields in this screen.
  • Page 215: Configuring FTP

    IP Address: ... Contivity 221 using this service. Select All to allow any computer to access the Contivity 221 using this service. Choose Selected to allow only the computer with the IP address that you specify to access the Contivity 221 using this service.
  • Page 216: Configuring WWW

    IP Address: ... Contivity 221 using this service. Select All to allow any computer to access the Contivity 221 using this service. Choose Selected to allow only the computer with the IP address that you specify to access the Contivity 221 using this service.
  • Page 217: Configuring SNMP

    Simple Network Management Protocol is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Contivity 221 supports SNMP agent functionality, which allows a manager station to manage and monitor the...
  • Page 218: Figure 14-5 SNMP Management Model

    An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the Contivity 221). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 219: Supported MIBs

    Trap - Used by the agent to inform the manager of some events. 14.6.1 Supported MIBs: The Contivity 221 supports MIB II, which is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. 14.6.2...
  • Page 220 14.6.3 REMOTE MANAGEMENT: SNMP. To change your Contivity 221’s SNMP settings, click REMOTE MANAGEMENT, then the SNMP tab. The screen appears as shown. Figure 14-6 SNMP. The following table describes the fields in this screen.
  • Page 221: Configuring DNS

    The default is public and allows all requests. Trusted Host: If you enter a trusted host, your Contivity 221 will only respond to SNMP messages from this address. 0.0.0.0 (default) means your Contivity 221 will respond to all SNMP messages it receives, regardless of source.
  • Page 222: Figure 14-7 DNS

    IP Address: ... Contivity 221. Select All to allow any computer to send DNS queries to the Contivity 221. Choose Selected to allow only the computer with the IP address that you specify to send DNS queries to the Contivity 221.
  • Page 223: Configuring Security

    To change your Contivity 221’s Security settings, click REMOTE MANAGEMENT, then the Security tab. The screen appears as shown. If an outside user attempts to probe an unsupported port on your Contivity 221, an ICMP response packet is automatically returned. This allows the outside user to know the Contivity 221 exists.
  • Page 224 Contivity 221 unseen. If the firewall blocks a packet from the WAN, the Contivity 221 sends a TCP reset packet. Use the "sys firewall tcprst rst off" command in the command interpreter if you want to stop the Contivity 221 from sending TCP reset packets.
  • Page 226: Chapter 15 UPnP

    Dynamic port mapping. Learning public IP addresses. Assigning lease times to mappings. Windows Messenger is an example of an application that supports NAT traversal and UPnP. See the SUA/NAT chapter for further information about NAT.
  • Page 227: UPnP Implementation

    15.1.3 Cautions with UPnP: The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. All UPnP-enabled devices may communicate freely with each other without additional configuration.
  • Page 228: Figure 15-1 Configuring UPnP

    Universal Plug and Play (UPnP) feature: Select this check box to activate UPnP. Be aware that anyone could use a UPnP application to open the WebGUI's login screen without entering the Contivity 221's IP address (although you must still enter the password to access the WebGUI). Allow users to make...
  • Page 229: Installing UPnP in Windows Example

    Device Name: This identifies the device in UPnP applications. Click Apply to save your changes back to the Contivity 221. Click Reset to begin configuring this screen afresh. 15.4 Installing UPnP in Windows Example: This section shows how to install UPnP in Windows Me and Windows XP.
  • Page 230 Click start and Control Panel. Step 2. Double-click Network Connections. Step 3. In the Network Connections window, click Advanced in the main menu and select Optional Networking Components …. The Windows Optional Networking Components Wizard window displays.
  • Page 231: Using UPnP in Windows XP Example

    This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the device. Make sure the computer is connected to a LAN port of the device. Turn on your computer and the Contivity 221.
  • Page 232 Step 4. In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. You may edit or delete the port mappings or click Add to manually add port mappings.
  • Page 233 When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. Step 5. Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray. Step 6.
  • Page 234 WebGUI Easy Access With UPnP, you can access the web-based configurator without first finding out its IP address. This is helpful if you do not know the IP address of your Contivity 221. Follow the steps below to access the WebGUI.
  • Page 235: Logs

    Part VIII: Logs. This part provides information and instructions for the logs and reports.
  • Page 236: Chapter 16 Logs Screens

    16.1 Configuring View Log: The WebGUI allows you to look at all of the Contivity 221’s logs in one location. Click LOGS to open the View Log screen. Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen (see section 16.2). Options include logs about system maintenance, system errors, access control, allowed or blocked web sites, blocked web features (such as ActiveX controls, Java and cookies), attacks (such as DoS) and IPSec.
  • Page 237: Figure 16-1 View Log

    Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page. Time: This field displays the time the log was recorded. See the chapter on system maintenance and information to configure the Contivity 221’s time and date.
  • Page 238: Configuring Log Settings

    To change your Contivity 221’s log settings, click Logs, then the Log Settings tab. The screen appears as shown. Use the Log Settings screen to configure where the Contivity 221 is to send logs, the schedule for when it is to send them, and which logs and/or immediate alerts it is to send.
  • Page 239: Figure 16-2 Log Settings

    Figure 16-2 Log Settings
  • Page 240: Table 16-2 Log Settings Screen

    Use the drop-down list box to select which day of the week to send the logs. Time for Sending Log: Enter the time of the day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs.
  • Page 241: Configuring Reports

    The Contivity 221 records web site hits by counting the HTTP GET packets. Many web sites include HTTP GET references to other web sites and the Contivity 221 may count these as hits, thus the web hit count is not (yet) 100% accurate.
  • Page 242: Figure 16-3 Reports

    IP addresses. Start Collection/Stop Collection: The button text shows Start Collection when the Contivity 221 is not recording report data and Stop Collection when the Contivity 221 is recording report data.
  • Page 243: Figure 16-4 Web Site Hits Report Example

    In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the Contivity 221 record and display which web sites have been visited the most often and how many times they have been visited.
  • Page 244: Figure 16-5 Protocol/Port Report Example

    In the Reports screen, select Protocol/Port from the Report Type drop-down list box to have the Contivity 221 record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports.
  • Page 245: Figure 16-6 LAN IP Address Report Example

    In the Reports screen, select LAN IP Address from the Report Type drop-down list box to have the Contivity 221 record and display the LAN IP addresses that the most traffic has been sent to and/or from and how much traffic has been sent to and/or from those IP addresses.
  • Page 246: Table 16-7 Report Specifications

    The count starts over at 0 if it passes four billion. Bytes count limit: Up to 2 bytes can be counted per protocol/port or LAN IP address. The count starts over at 0 if it passes 2 bytes.
  • Page 247: Maintenance

    Part IX: Maintenance. This part covers the maintenance screens.
  • Page 249: Chapter 17 Maintenance

    17.1 Maintenance Overview: The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your Contivity 221. 17.2 Status Screen: Click MAINTENANCE to open the Status screen, which you can use to monitor your Contivity 221.
  • Page 250: Figure 17-2 System Status: Show Statistics

    Nortel Firmware Version: This is the Nortel Networks firmware version and the date created. Routing Protocols: This shows the routing protocol (IP) for which the Contivity 221 is configured. WAN Port IP Address: This is the WAN port IP address.
  • Page 251: DHCP Table Screen

    DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the Contivity 221 as a DHCP server or disable it. When configured as a server, the Contivity 221 provides the TCP/IP configuration for the clients.
  • Page 252: Figure 17-3 DHCP Table

    See the Firmware and Configuration File Maintenance chapter in the SMT User’s Guide for upgrading firmware using FTP/TFTP commands. Click MAINTENANCE, and then the F/W UPLOAD tab. Follow the instructions in this screen to upload firmware to your Contivity 221.
  • Page 253: Figure 17-4 Firmware Upload

    Click Upload to begin the upload process. This process may take up to two minutes. Do not turn off the device while firmware upload is in progress! After you see the Firmware Upload in Process screen, wait two minutes before logging into the device again.
  • Page 254: F/W Upload Screen

    Figure 17-6 Firmware Upload In Process. The device automatically restarts in this time, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 17-7 Network Temporarily Disconnected. After two minutes, log in again and check your new firmware version in the System Status screen. If the upload was not successful, the following screen will appear.
  • Page 255: Configuration Screen

    See the Firmware and Configuration File Maintenance chapter in the SMT User’s Guide for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE, and then the Configuration tab. Information related to factory defaults, backup configuration, and restoring configuration appears as shown next.
  • Page 256: Figure 17-9 Configuration

    17.5.1 Back to Factory Defaults: Pressing the Reset button in this section clears all user-entered configuration information and returns the Contivity 221 to its factory defaults as shown on the screen. The following warning screen will appear.
  • Page 257: Figure 17-10 Reset Warning Message

    Figure 17-10 Reset Warning Message. You can also press the RESET button on the rear panel to reset the factory defaults of your Contivity 221. Refer to the Hardware Installation chapter for more information on the RESET button. 17.5.2 Backup Configuration: Backup Configuration allows you to back up (save) the device’s current configuration to a 104KB...
  • Page 258: Figure 17-11 Configuration Upload Successful

    Figure 17-11 Configuration Upload Successful. The device automatically restarts in this time, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 17-12 Network Temporarily Disconnected. If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default device IP address (192.168.1.1).
  • Page 259: SMT General Configuration

    Part X: SMT General Configuration. This part introduces the System Management Terminal and covers the General setup menu, WAN and dial backup setup, LAN, and Internet access. See the WebGUI parts of this guide for background information on features configurable by WebGUI and SMT.
  • Page 260: Chapter 18 Introducing the SMT

    ♦ No parity, 8 data bits, 1 stop bit, flow control set to none. 18.2.1 Initial Screen: When you turn on your Contivity 221, it performs several internal tests as well as line initialization. After the tests, the Contivity 221 asks you to press to continue, as shown next.
  • Page 261: Navigating the SMT Interface

    Enter Password : XXXX 18.3 Navigating the SMT Interface: The SMT is an interface that you use to configure your Contivity 221. Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below.
  • Page 262: Main Menu

    Type 99 at the main menu prompt and press [ENTER] to exit the SMT interface. 18.3.1 Main Menu: After you enter the password, the SMT displays the Contivity 221 Main Menu, as shown next. Not all models have all the features shown.
  • Page 263: Figure 18-3 Main Menu

    Figure 18-3 Main Menu. Contivity 221 Main Menu. Getting Started: 1. General Setup, 2. WAN Setup, 3. LAN Setup, 4. Internet Access Setup. Advanced Management: 21. Filter and Firewall Setup, 22. SNMP Configuration, 23. System Password, 24.
  • Page 264 System Maintenance: From displaying system status to uploading firmware, this menu provides comprehensive system maintenance. Schedule Setup: Use this menu to schedule outgoing calls. Exit: Use this menu to exit (necessary for remote configuration).
  • Page 265: Figure 18-4 Getting Started and Advanced Applications SMT Menus

    18.3.2 SMT Menus at a Glance. Figure 18-4 Getting Started and Advanced Applications SMT Menus
  • Page 266: Figure 18-5 Advanced Management SMT Menus

    Figure 18-5 Advanced Management SMT Menus
  • Page 267: Changing the System Password

    Step 4. Note that as you type a password, the screen displays an “X” for each character you type. 18.5 Resetting the Contivity 221: See the chapter that introduces the WebGUI for directions on resetting the Contivity 221.
  • Page 268: Chapter 19 SMT Menu 1 - General Setup

    Second System DNS Server= From ISP IP Address= N/A Third System DNS Server= From ISP IP Address= N/A Edit Dynamic DNS= No Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this screen.
  • Page 269: Table 19-1 General Setup Menu Field

    System Name: Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name” in this field. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes “-” and underscores "_" are accepted. (Example: Contivity 221)
  • Page 270: Figure 19-2 Configure Dynamic DNS

    Follow the instructions in the next table to configure Dynamic DNS parameters. Table 19-2 Configure Dynamic DNS Menu Fields. Service Provider: This is the name of your Dynamic DNS service provider. (Example: WWW.DynDNS.ORG, default)
  • Page 271 IP address of the host name(s) with the Contivity 221’s WAN IP address. DDNS does not work with a private IP address. When both fields are set to No, the Contivity 221 must have a public WAN IP address in order for DDNS to work.
  • Page 272 User Specified IP Address: ... IP address of the host name(s) to the IP address specified below. Only select Yes if the Contivity 221 uses or is behind a static public IP address. IP Address: Enter the static public IP address if you select Yes in the User Specified IP Addr field.
  • Page 274: Chapter 20 WAN and Dial Backup Setup

    20.1 Introduction to WAN and Dial Backup Setup: This chapter explains how to configure settings for your WAN port and how to configure the Contivity 221 for a dial backup connection. 20.2 WAN Setup: From the main menu, enter 2 to open Menu 2.
  • Page 275: Dial Backup

    Table 20-1 MAC Address Cloning in WAN Setup. Assigned By: Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address. Choose Factory Default to select the factory assigned default MAC Address. (Example: IP address attached on ...)
  • Page 276: Figure 20-2 Menu 2: Dial Backup Setup

    9600, 19200, 38400, 57600, 115200 or 230400 bps. AT Command String: Init: Enter the AT command string to initialize the WAN device. Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands. (Example: at&fs0=0)
  • Page 277: Advanced WAN Setup

    Table 20-2 Menu 2: Dial Backup Setup. Edit Advanced Setup: To edit the advanced setup for the Dial Backup port, move the cursor to this field; press the [SPACE BAR] to select Yes and then press [ENTER] to go to Menu 2.1: Advanced Setup.
  • Page 278: Table 20-3 Advanced WAN Port Setup: AT Commands Fields

    ... 221 times out and stops if it cannot set up an outgoing call within the timeout value. Retry Count: Enter the number of times for the Contivity 221 to retry a busy or no-answer phone number before blacklisting the number (0 to disable).
  • Page 279: Remote Node Profile (Backup ISP)

    Table 20-4 Advanced WAN Port Setup: Call Control Parameters. Retry Interval (sec): Enter the number of seconds for the Contivity 221 to wait before trying another call after a call has failed. This applies before a phone number is blacklisted. Drop Timeout...
  • Page 280: Table 20-5 Fields in Menu 11.1 Remote Node Profile (Backup ISP)

    This field sets the authentication protocol used for outgoing calls (CHAP/PAP). Options for this field are: CHAP/PAP - Your Contivity 221 will accept either CHAP or PAP when requested by this remote node. CHAP - accept CHAP only. PAP - accept PAP only.
  • Page 281: Editing PPP Options

    Editing PPP Options 20.7 The Contivity 221’s dial back-up feature uses PPP. To edit the remote node PPP Options, move the cursor to the [Edit PPP Options] field in Menu 11.1 - Remote Node Profile, and use the space bar to select [Yes]. Press [Enter] to open Menu 11.2 as shown next.
  • Page 282: Figure 20-5 Menu 11.2: Remote Node PPP Options

    ... your Dial Backup WAN device uses Cisco PPP encapsulation, otherwise select Standard PPP (default). Compression: Press [SPACE BAR] and then [ENTER] to select Yes to enable or No to disable Stac compression. (default)
  • Page 283: Editing TCP/IP Options

    20.8 Editing TCP/IP Options: Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options. Figure 20-6 Menu 11.3: Remote Node Network Layer Options. Menu 11.3 - Remote Node Network Layer Options IP Address Assignment= Dynamic Rem IP Addr= 0.0.0.0...
  • Page 284 (automatically) assign your WAN IP address if you do not know it (default). Enter your WAN IP address here if you know it (static). This is the address assigned to your local Contivity 221, not the remote router. Network...
  • Page 285: Editing Login Script

    Please note that the ordering of the sets is significant, i.e., starting from set 1, the Contivity 221 will wait until the ‘Expect’ string is matched before it proceeds to set 2, and so on for the rest of the script.
  • Page 286: Figure 20-7 Menu 11.4: Remote Node Setup Script

    If there are errors in the script and it gets stuck at a set for longer than the “Dial Timeout” in menu 2 (default 60 seconds), the Contivity 221 will time out and drop the line. To debug a script, go to Menu 24.4 to initiate a manual call and watch the trace display to see if the sequence of messages...
  • Page 287: Remote Node Filter

    Use menu 11.5 to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the Contivity 221 to prevent certain packets from triggering calls. You can specify up to four filter sets separated by commas, for example, 1, 5, 9, 12, in each filter field. Note that spaces are accepted in this field.
  • Page 288: Chapter 21 LAN Setup

    This chapter describes how to configure the LAN using Menu 3: LAN Setup. 21.1 Introduction to LAN Setup: This chapter describes how to configure the Contivity 221 for LAN connections. 21.2 Accessing the LAN Menus: From the main menu, enter 3 to open Menu 3 – LAN Setup.
  • Page 289: Figure 21-2 Menu 3.1: LAN Port Filter Setup

    Figure 21-2 Menu 3.1: LAN Port Filter Setup. Menu 3.1 – LAN Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: TCP/IP and DHCP Ethernet Setup Menu: From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup.
  • Page 290: Figure 21-4 Menu 3.2: TCP/IP and DHCP Ethernet Setup

    This field enables/disables the DHCP server (example: Server). If set to Server, your Contivity 221 will act as a DHCP server. If set to None, the DHCP server will be disabled. When set to Server, the following items need to be set:...
  • Page 291: Table 21-2 LAN TCP/IP Setup Menu Fields

    Table 21-1 DHCP Ethernet Setup Menu Fields. The Contivity 221 passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. Select From ISP if your ISP dynamically assigns DNS server information (and the Contivity 221's WAN IP address).
  • Page 292 Table 21-2 LAN TCP/IP Setup Menu Fields. IP Address: Enter the IP address of your Contivity 221 in dotted decimal notation (example: 192.168.1.1, default). IP Subnet Mask: Your Contivity 221 will automatically calculate the subnet mask (example: 255.255.255.0)...
  • Page 293: Figure 21-5 Menu 3.2.1: IP Alias Setup

    Table 21-3 IP Alias Setup Menu Fields. IP Alias: Choose Yes to configure the LAN network for the Contivity 221. IP Address: Enter the IP address of your Contivity 221 in dotted decimal notation (example: 192.168.1.1). IP Subnet Mask: Your Contivity 221 will automatically calculate the subnet mask (example: 255.255.255.0)...
  • Page 294 Protocol Filters: Enter the filter set(s) you wish to apply to the outgoing traffic between this node and the Contivity 221. When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [ESC] at any time to cancel.
  • Page 296: Chapter 22 Internet Access

    Chapter 22 Internet Access. This chapter shows you how to configure your Contivity 221 for Internet access. 22.1 Introduction to Internet Access Setup: Use information from your ISP along with the instructions in this chapter to set up your Contivity 221 to access the Internet.
  • Page 297: Table 22-1 Menu 4: Internet Access Setup Menu Fields

    Enter the password again to make sure that you have entered it correctly. Login Server The Contivity 221 will find the RoadRunner Server IP if this field is left blank. If it does not, then you must enter the authentication server IP address.
  • Page 298: Configuring the PPTP Client

    22.3 Configuring the PPTP Client: The Contivity 221 supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
  • Page 299: Configuring the PPPoE Client

    PPTP encapsulation method influences your choices for the IP Address field. Idle Timeout: This value specifies the time, in seconds, that elapses before the Contivity 221 automatically disconnects from the PPTP server. (default) 22.4 Configuring the PPPoE Client: If you enable PPPoE in menu 4, you will see the next screen. For more information on PPPoE, please see the Appendix.
  • Page 300: Basic Setup Complete

    22.5 Basic Setup Complete: Well done! You have successfully connected, installed and set up your Contivity 221 to operate on your network as well as access the Internet. When the firewall is activated, the default policy allows all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet.
  • Page 301: SMT Advanced Applications

    Part XI: SMT Advanced Applications. This part covers setting up remote nodes, IP static routes and Network Address Translation. It also covers the SMT firewall menu, filters and SNMP. See the WebGUI parts of this guide for background information on features configurable by WebGUI and SMT.
  • Page 303: Chapter 23 Remote Node Setup

    Then enter 1 to open Menu 11.1 Remote Node Profile and configure the setup for your regular ISP. Enter 2 to open Menu 11.1 Remote Node Profile (Backup ISP) and configure the setup for your Dial Backup port connection (see the chapter on WAN).
  • Page 304: Remote Node Profile Setup

    Figure 23-1 Menu 11 Remote Node Setup. Menu 11 - Remote Node Setup 1. ChangeMe (ISP, SUA) 2. -GUI (BACKUP_ISP, SUA) Enter Node # to Edit: 23.3 Remote Node Profile Setup: The following explains how to configure the remote node profile menu. 23.3.1 Ethernet Encapsulation: There are two variations of menu 11.1 depending on whether you choose Ethernet...
  • Page 305: Figure 23-2 Menu 11.1: Remote Node Profile For Ethernet Encapsulation

    PPPoE service here. Only valid with PPPoE encapsulation.
    Outgoing / My Login: This field is applicable for PPPoE encapsulation only. Enter the login name assigned by your ISP when the Contivity 221 calls this remote node. Some ISPs append this field to the Service Name field above (e.g., jim@poellc) to access the PPPoE server.
  • Page 306: Figure 23-3 Menu 11.1: Remote Node Profile For Pppoe Encapsulation

    The Contivity 221 supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you’re using the Contivity 221 with a DSL modem as the WAN device. If you change the Encapsulation to PPPoE, then you will see the next screen. Please see the Appendices for more information on PPPoE.
  • Page 307 The Contivity 221 does two things when you specify a nailed-up connection. The first is that idle timeout is disabled. The second is that the Contivity 221 will try to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be very expensive for obvious reasons.
  • Page 308: Table 23-2 Fields In Menu 11.1 (Pppoe Encapsulation Specific)

    Authentication: This field sets the authentication protocol used for outgoing calls (example: CHAP/PAP). Options for this field are: CHAP/PAP - Your Contivity 221 will accept either CHAP or PAP when requested by this remote node. CHAP - accept CHAP only. PAP - accept PAP only. Note that PAP sends the password in clear text over the link; prefer CHAP wherever the ISP supports it.
  • Page 309: Figure 23-4 Menu 11.1: Remote Node Profile For Pptp Encapsulation

    “c:id” and “n:name” format. This field is optional and depends on the requirements of your DSL modem.
    Schedules: You can apply up to four schedule sets here. For more details refer to the Call Schedule Setup chapter.
  • Page 310: Edit Ip

    Table 23-3 Fields in Menu 11.1 (PPTP Encapsulation)
    Nailed-Up Connections: Press [SPACE BAR] and then [ENTER] to select Yes if you want to make the connection to this remote node a nailed-up connection.
    23.4 Edit IP: Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes.
  • Page 311 WAN network number. If this is the case, enter the IP address assigned to the WAN port of your Contivity 221. Note that this is the address assigned to your local Contivity 221, not the remote router. Network...
  • Page 312: Remote Node Filter

    Use menu 11.5 to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the Contivity 221 to prevent certain packets from triggering calls. You can specify up to 4 filter sets separated by commas, for example, 1, 5, 9, 12, in each filter field. Note that spaces are accepted in this field.
  • Page 313: Figure 23-6 Menu 11.5: Remote Node Filter (Ethernet Encapsulation)

    Device filters=
    Enter here to CONFIRM or ESC to CANCEL:
    To configure the parameters for traffic redirect, enter 11 from the main menu to display Menu 11.1 - Remote Node Profile as shown next.
  • Page 314: Figure 23-8 Menu 11.1: Remote Node Profile

    Press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel. 23.5.1 Traffic Redirect Setup: Configure parameters that determine when the Contivity 221 will forward WAN traffic to the backup gateway using Menu 11.6 - Traffic Redirect Setup.
  • Page 315: Figure 23-9 Menu 11.6: Traffic Redirect Setup

    Check WAN IP Address: Enter an IP address (for example, your ISP’s DNS server address) to test your Contivity 221’s WAN accessibility. The Contivity 221 uses the default gateway IP address if you do not enter an IP address here. If you are using PPTP or PPPoE Encapsulation, enter “0.0.0.0” to configure the Contivity 221 to check the PVC (Permanent Virtual Circuit) or PPTP tunnel.
  • Page 316 Five to 60 is usually a good number. Timeout (sec): Enter the number of seconds the Contivity 221 waits for a ping response from the IP Address in the Check WAN IP Address field before it times out. The number in this field should be less than the number in the Period field.
  • Page 317: Figure 24-1 Menu 12: Ip Static Route Setup

    Chapter 24 IP Static Route Setup: This chapter shows you how to configure static routes with your Contivity 221. 24.1 IP Static Route Setup: Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.
  • Page 318: Chapter 24 Ip Static Route Setup

    Contivity 221 that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your Contivity 221; over the WAN, the gateway must be the IP address of one of the remote nodes.
  • Page 319: Ip Static Route Setup

    Private: This parameter determines if the Contivity 221 will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.
  • Page 321: Chapter 25 Network Address Translation (Nat)

    LAN IP addresses of clients or servers using mapping types as outlined in the WebGUI User’s Guide. 1. Choose SUA Only if you have just one public WAN IP address for your Contivity 221. 2. Choose Full Feature if you have multiple public WAN IP addresses for your Contivity 221.
  • Page 322: Figure 25-1 Menu 4: Applying Nat For Internet Access

    Figure 25-1 Menu 4: Applying NAT for Internet Access
    Menu 4 - Internet Access Setup
    ISP's Name= myISP
    Encapsulation= Ethernet
    Service Type= Standard
    My Login= N/A
    My Password= N/A
    Login Server IP= N/A
    IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A
    Gateway IP Address= N/A
    Network Address Translation= SUA Only...
  • Page 323: Figure 25-2 Menu 11.3: Applying Nat To The Remote Node

    SUA Only: When you select this option the SMT will use Address Mapping Set 255 (menu 15.1 - see section 25.2.1). Choose SUA Only if you have just one public WAN IP address for your Contivity 221.
  • Page 324: Nat Setup

    25.2 NAT Setup: Use the address mapping sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN. You can see two NAT address mapping sets in menu 15.1. You can only configure Set 1. Set 255 is used for SUA. When you select Full Feature in menu 4 or 11.3, the SMT will use Set 1.
  • Page 325: Figure 25-4 Menu 15.1: Address Mapping Sets

    Local Start IP | Local End IP | Global Start IP | Global End IP | Type
    0.0.0.0 | 255.255.255.255 | 0.0.0.0 | 0.0.0.0 | Server
    Press ENTER to Confirm or ESC to Cancel:
    The following table explains the fields in this screen.
  • Page 326: Table 25-2 Sua Address Mapping Rules

    Menu 15.1.255 is read-only. Table 25-2 SUA Address Mapping Rules: Set Name: This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to create. Rule index: This is the index or rule number.
  • Page 327: Figure 25-6 Menu 15.1.1: First Set

    (described later) and the values are displayed here. Ordering Your Rules Ordering your rules is important because the Contivity 221 applies the rules in the order that you specify. When a rule matches the current packet, the Contivity 221 takes the corresponding action and the remaining rules are ignored.
  • Page 328: Figure 25-7 Menu 15.1.1.1: Editing/Configuring An Individual Rule In A Set

    Table 25-3 Fields in Menu 15.1.1: Set Name: Enter a name for this set of rules (example: NAT_SET). This is a required field. If this field is left blank, the entire set will be deleted. Action: The default is Edit.
  • Page 329: Configuring A Server Behind Nat

    Enter a port number in an unused Start Port No field. To forward only one port, enter it again in the End Port No field. To specify a range of ports, enter the last port to be forwarded in the End Port No field.
  • Page 330: Figure 25-8 Menu 15.2: Nat Server Setup

    Step 4. Enter the inside IP address of the server in the IP Address field. In the following figure, you have a computer acting as an FTP, Telnet and SMTP server (ports 21, 23 and 25) at 192.168.1.33. Step 5.
  • Page 331: General Nat Examples

    25.4.1 Internet Access Only In the following Internet access example, you only need one rule where all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP.
  • Page 332: Figure 25-11 Menu 4: Internet Access & Nat Example

    Figure 25-10 NAT Example 1
    Figure 25-11 Menu 4: Internet Access & NAT Example
    Menu 4 - Internet Access Setup
    ISP's Name= ChangeMe
    Encapsulation= Ethernet
    Service Type= Standard
    My Login= N/A
    My Password= N/A
    Login Server IP= N/A
    IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A...
  • Page 333: Figure 25-13 Menu 15.2: Specifying An Inside Server

    Figure 25-13 Menu 15.2: Specifying an Inside Server (default server 192.168.1.10; remaining entries 0.0.0.0 unused; last entry 1026 1026 RR Reserved)
    Press ENTER to Confirm or ESC to Cancel:
    25.4.3 Example 3: Multiple Public IP Addresses With Inside Servers
  • Page 334 In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server. All departments share the same router. The example will reserve one IGA for each department with an FTP server and all departments use the other IGA. Map the FTP servers to the first two IGAs and the other LAN traffic to the remaining IGA.
  • Page 335 When finished, menu 15.1.1 should look as shown in Figure 25-17. Step 7.
  • Page 336 Figure 25-15 Example 3: Menu 11.3
    Menu 11.3 - Remote Node Network Layer Options
    IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A
    Gateway IP Addr= N/A
    Network Address Translation= Full Feature
    Metric= N/A
    Private= N/A
    RIP Direction= None
    Version= N/A
    Enter here to CONFIRM or ESC to CANCEL:...
  • Page 337 Menu 15.2 NAT Server Setup for Example 3 (columns: Start Port No., End Port No., IP Address; default server 0.0.0.0; entries for 192.168.1.21 and 192.168.1.20; remaining entries 0.0.0.0; last entry 1026 1026 RR Reserved)
    Press ENTER to Confirm or ESC to Cancel:
  • Page 338 25.4.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping as port numbers do not change for Many-One-to-One (and One-to-One) NAT mapping types.
  • Page 339: Figure 25-20 Example 4: Menu 15.1.1.1: Address Mapping Rule

    Local Start IP | Local End IP | Global Start IP | Global End IP | Type
    192.168.1.10 | 192.168.1.12 | 10.132.50.1 | 10.132.50.3 | M-1-1
    Action= Edit
    Select Rule=
    Press ENTER to Confirm or ESC to Cancel:
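    The following model of the address-mapping lookup is an added example and not Nortel code. It applies the rules of a set in order with the first match winning (the point made in "Ordering Your Rules"), distinguishes the One-to-One, Many-to-One, Many-One-to-One and Server types by whether the port is rewritten, and resolves inbound packets against a NAT server set with a default server. The three global addresses (192.0.2.1-3), the port allocator and the server table are constructed for the manual's Example 3 plus the menu 15.2 example (ports 21, 23 and 25 to 192.168.1.33, default server 192.168.1.10); the device's real port allocation is not documented on the page.

```python
"""Contivity 221 NAT address-mapping lookups (added example, not Nortel code).

Rule types: 1-1 (one local to one global, ports unchanged), M-1 (many locals share
one global, source port rewritten), M-1-1 (equal-sized ranges, ports unchanged),
Server (inbound only: the NAT server set of menu 15.2 picks the inside host).
A global address of 0.0.0.0 stands for the dynamic IGA assigned by the ISP.
"""
import ipaddress
from dataclasses import dataclass, field


def _n(ip):
    return int(ipaddress.IPv4Address(ip))


@dataclass(frozen=True)
class MappingRule:
    local_start: str
    local_end: str
    global_start: str
    global_end: str
    type: str                     # "1-1", "M-1", "M-1-1" or "Server"


@dataclass(frozen=True)
class ServerEntry:                # one row of menu 15.2
    start_port: int
    end_port: int
    inside_ip: str


@dataclass
class NatTable:
    rules: list
    servers: list
    default_server: str = "0.0.0.0"   # 0.0.0.0: no default server
    wan_ip: str = "0.0.0.0"
    next_port: int = 61000            # PAT allocation is illustrative only (assumption)
    pat: dict = field(default_factory=dict)

    def _global(self, ip):
        return self.wan_ip if ip == "0.0.0.0" else ip

    def outbound(self, local_ip, sport):
        """LAN-originated packet -> (global_ip, global_sport, rule_type); first match wins."""
        for r in self.rules:
            if r.type == "Server" or not _n(r.local_start) <= _n(local_ip) <= _n(r.local_end):
                continue
            if r.type in ("1-1", "M-1-1"):          # ports unchanged, address offset kept
                offset = _n(local_ip) - _n(r.local_start)
                gip = ipaddress.IPv4Address(_n(self._global(r.global_start)) + offset)
                return str(gip), sport, r.type
            if r.type == "M-1":                     # one global address, port rewritten
                key = (local_ip, sport)
                if key not in self.pat:
                    self.pat[key] = self.next_port
                    self.next_port += 1
                return self._global(r.global_start), self.pat[key], r.type
        return None                                 # no rule: not translated

    def inbound(self, global_ip, dport):
        """WAN-originated packet -> (inside_ip, dport), or None when nothing accepts it."""
        for r in self.rules:
            gs, ge = _n(self._global(r.global_start)), _n(self._global(r.global_end))
            if not gs <= _n(global_ip) <= ge:
                continue
            if r.type in ("1-1", "M-1-1"):
                return str(ipaddress.IPv4Address(_n(r.local_start) + _n(global_ip) - gs)), dport
            if r.type == "Server":
                for s in self.servers:
                    if s.start_port <= dport <= s.end_port:
                        return s.inside_ip, dport
                # a default server receives every port not listed above: expose one only deliberately
                return (self.default_server, dport) if self.default_server != "0.0.0.0" else None
        return None


# Constructed Example 3: two FTP servers on their own IGAs, everyone else shares the third.
EXAMPLE3 = NatTable(
    rules=[
        MappingRule("192.168.1.20", "192.168.1.20", "192.0.2.1", "192.0.2.1", "1-1"),
        MappingRule("192.168.1.21", "192.168.1.21", "192.0.2.2", "192.0.2.2", "1-1"),
        MappingRule("0.0.0.0", "255.255.255.255", "192.0.2.3", "192.0.2.3", "M-1"),
        MappingRule("0.0.0.0", "0.0.0.0", "192.0.2.3", "192.0.2.3", "Server"),
    ],
    servers=[ServerEntry(21, 21, "192.168.1.33"), ServerEntry(23, 23, "192.168.1.33"),
             ServerEntry(25, 25, "192.168.1.33")],
    default_server="192.168.1.10",
    wan_ip="192.0.2.3",
)

if __name__ == "__main__":
    print(EXAMPLE3.outbound("192.168.1.20", 40000), EXAMPLE3.outbound("192.168.1.50", 40000))
    print(EXAMPLE3.inbound("192.0.2.2", 21), EXAMPLE3.inbound("192.0.2.3", 8080))
```

    Swapping the catch-all M-1 rule ahead of the two 1-1 rules silently sends the FTP servers' own traffic through port translation, which is exactly the mistake the manual's ordering note warns about; and a default server turns every unmapped port on that IGA into an exposed service on the inside host.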
  • Page 340: Configuring Trigger Port Forwarding

    Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The Contivity 221 forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service.
  • Page 341 Trigger: The trigger port is a port (or a range of ports) that causes (or triggers) the Contivity 221 to record the IP address of the LAN computer that sent the traffic to a server on the WAN. Start Port: Enter a port number or the starting port number in a range of port numbers.
  • Page 343: Chapter 26 Introducing The Firewall

    From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next.
    Figure 26-1 Menu 21: Filter and Firewall Setup
    Menu 21 - Filter and Firewall Setup
    1. Filter Setup
    2. Firewall Setup
  • Page 344: Figure 26-2 Menu 21.2: Firewall Setup

    26.1.1 Activating the Firewall Enter option 2 in this menu to bring up the following screen. Press [SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks.
  • Page 345: Chapter 27 Filter Configuration

    Introduction to Filters 27.1 Your Contivity 221 uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later.
  • Page 346: Figure 27-1 Outgoing Packet Filtering Process

    A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The Contivity 221 allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system.
  • Page 347: Figure 27-2 Filter Rule Process

    Figure 27-2 Filter Rule Process (flowchart: fetch the first filter set and its first filter rule; if the rule is active, execute it and either forward the packet, drop the packet, or check the next rule; when no rule remains in the set, fetch the next filter set; when no set remains, accept the packet)
  • Page 348: Configuring A Filter Set

    24 rules active for a single port. Configuring a Filter Set 27.2 The Contivity 221 includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. Step 1.
  • Page 349: Table 27-1 Abbreviations Used In The Filter Rules Summary Menu

    “F” means to forward the packet immediately and skip checking the remaining rules. “D” means to drop the packet. “N” means to check the next rule. The protocol dependent filter rules abbreviation are listed as follows:
  • Page 350: Table 27-2 Rule Abbreviations Used

    If you include a protocol filter set in a device filter field or vice versa, the Contivity 221 will warn you and will not allow you to save.
  • Page 351: Figure 27-6 Menu 21.1.1.1: Tcp/Ip Filter Rule

    Destination IP Addr: Enter the destination IP Address of the packet you wish to filter (0.0.0.0). This field is ignored if it is 0.0.0.0. IP Mask: Enter the IP mask to apply to the Destination IP Addr (0.0.0.0).
  • Page 352 Table 27-3 TCP/IP Filter Rule Menu Fields
    Port #: Enter the destination port of the packets that you wish to filter (0-65535). The range of this field is 0 to 65535. This field is ignored if it is
    Port # Comp (None): Press [SPACE BAR] and then [ENTER] to select the...
  • Page 353 ENTER to Confirm” to save your configuration, or press [ESC] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary. The following figure illustrates the logic flow of an IP filter.
  • Page 354: Figure 27-7 Executing An Ip Filter

    Figure 27-7 Executing an IP Filter (flowchart: packet enters the IP filter; if the filter is active, apply the source address mask to the source address and check the source IP address, apply the destination address mask to the destination address and check the destination IP address, then check the IP protocol; each check either matches or does not match...)
  • Page 355: Figure 27-8 Menu 21.1.1.1: Generic Filter Rule

    For IP, it is generally easier to use the IP rules directly. For generic rules, the Contivity 221 treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes.
  • Page 356 Table 27-4 Generic Filter Rule Menu Fields: Filter Type: Use [SPACE BAR] and then [ENTER] to select a rule type (Generic Filter Rule or TCP/IP Filter Rule). Parameters displayed below each type will be different. TCP/IP filter rules are used to filter IP packets while generic filter rules allow filtering of non-IP packets.
  • Page 357: Example Filter

    Example Filter 27.3 Let’s look at an example to block outside users from accessing the Contivity 221 via telnet. Please see our included disk for more example filters. Figure 27-9 Telnet Filter Example Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup.
  • Page 358: Figure 27-10 Example Filter: Menu 21.1.3.1

    Step 6. Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure. Figure 27-10 Example Filter: Menu 21.1.3.1 - TCP/IP Filter Rule, Filter #: 3,1 (press [SPACE BAR] and then [ENTER] to choose this filter rule type)...
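    To make the rule semantics of this chapter concrete, the following is an added example (not Nortel code) that models how the Contivity 221 walks the filter sets named in an interface's filter field: sets in the listed order, rules in order, each active rule returning Forward, Drop or Check Next, and a packet that nothing decides is accepted. The field names, the port comparison operators and the constructed sample sets (set 1 dropping 10/8 sources on the WAN, set 3 the telnet-blocking rule from Figure 27-10) are assumptions modelled on menu 21.1.1.1; the "n" marker in the returned tag for a not-matched decision is also an assumption, the manual only shows "m".

```python
"""Contivity 221 SMT filter evaluation model (added example, not Nortel code).

Twelve filter sets of six rules each; a filter field names up to four sets, e.g. "1, 3".
Every active rule yields F (forward now, skip the rest), D (drop) or N (check next).
"""
import ipaddress
from dataclasses import dataclass

MAX_SETS, MAX_RULES_PER_SET, MAX_SETS_PER_FIELD = 12, 6, 4   # limits from the manual
TCP, UDP = 6, 17                                              # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int = 0


@dataclass(frozen=True)
class IPRule:
    """One TCP/IP filter rule; 0.0.0.0, protocol 0 and port_comp 'none' mean 'ignore'."""
    active: bool = True
    protocol: int = 0
    src_ip: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    dst_ip: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    port: int = 0
    port_comp: str = "none"        # none | equal | not_equal | less | greater
    action_matched: str = "N"      # F, D or N
    action_not_matched: str = "N"


def parse_filter_field(text):
    """'1, 3' -> [1, 3]; spaces are accepted, at most four sets per field."""
    sets = [int(tok) for tok in text.replace(" ", "").split(",") if tok]
    if len(sets) > MAX_SETS_PER_FIELD or any(not 1 <= n <= MAX_SETS for n in sets):
        raise ValueError("a filter field names at most four sets numbered 1-12")
    return sets


def _addr_matches(pkt_addr, rule_addr, rule_mask):
    """Apply the rule's mask to the packet address and compare (Figure 27-7)."""
    if rule_addr == "0.0.0.0":
        return True                                    # field ignored
    mask = int(ipaddress.IPv4Address(rule_mask))
    return (int(ipaddress.IPv4Address(pkt_addr)) & mask) == (
        int(ipaddress.IPv4Address(rule_addr)) & mask)


_PORT_COMPARATORS = {
    "none": lambda p, r: True, "equal": lambda p, r: p == r, "not_equal": lambda p, r: p != r,
    "less": lambda p, r: p < r, "greater": lambda p, r: p > r,
}


def rule_matches(rule, pkt):
    """Source address, destination address, protocol and port must all match."""
    return (_addr_matches(pkt.src, rule.src_ip, rule.src_mask)
            and _addr_matches(pkt.dst, rule.dst_ip, rule.dst_mask)
            and (rule.protocol == 0 or rule.protocol == pkt.proto)
            and _PORT_COMPARATORS[rule.port_comp](pkt.dport, rule.port))


def apply_filter_sets(filter_sets, applied, pkt):
    """Evaluate the sets named in `applied` (a parsed filter field) against one packet.

    Returns (verdict, tag): 'forward' or 'drop', and a tag shaped like the filter-log
    marker 'S04>R01mD' (set 4, rule 1, matched, drop), or None when no rule decided.
    """
    for set_no in applied:
        rules = filter_sets.get(set_no, [])
        if len(rules) > MAX_RULES_PER_SET:
            raise ValueError("a filter set holds at most six rules")
        for rule_no, rule in enumerate(rules, start=1):
            if not rule.active:
                continue
            matched = rule_matches(rule, pkt)
            action = rule.action_matched if matched else rule.action_not_matched
            if action == "N":
                continue                               # check next rule
            tag = "S%02d>R%02d%s%s" % (set_no, rule_no, "m" if matched else "n", action)
            return ("forward" if action == "F" else "drop", tag)
    return ("forward", None)                           # no rule decided: accept


# Constructed sets for a WAN input protocol-filter field of "1, 3": set 1 drops packets
# whose source claims to be in the private 10/8 block; set 3 is the manual's example
# (Filter #: 3,1) that blocks telnet, TCP port 23, from the outside.
FILTER_SETS = {
    1: [IPRule(src_ip="10.0.0.0", src_mask="255.0.0.0", action_matched="D")],
    3: [IPRule(protocol=TCP, port=23, port_comp="equal", action_matched="D")],
}

if __name__ == "__main__":
    applied = parse_filter_field("1, 3")
    for pkt in (Packet("203.0.113.5", "192.0.2.1", TCP, 23),
                Packet("203.0.113.5", "192.0.2.1", TCP, 80),
                Packet("10.9.8.7", "192.0.2.1", UDP, 53)):
        print(pkt, "->", apply_filter_sets(FILTER_SETS, applied, pkt))
```

    Because the default for an undecided packet is to forward it, a filter field that omits set 3 (for example "1" alone) lets the telnet packet straight through; the sets a rule lives in do nothing until the field on the interface names them.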
  • Page 359: Filter Types And Nat

    There are two classes of filter rules, Generic Filter (Device) rules and protocol filter (TCP/IP) rules. Generic filter rules act on the raw data from/to LAN and WAN. Protocol filter rules act on
  • Page 360: Firewall Versus Filters

    On the other hand, the generic, or device filters are applied to the raw packets that appear on the wire. They are applied at the point when the Contivity 221 is receiving and sending the packets; i.e. the interface. The interface can be an Ethernet port or any other hardware port.
  • Page 361: Figure 27-13 Filtering Lan Traffic

    3, 4, 6, 11. Input filter sets filter incoming traffic to the Contivity 221 and output filter sets filter outgoing traffic from the Contivity 221. For PPPoE or PPTP encapsulation, you have the additional option of specifying remote node call filter sets.
  • Page 362: Figure 27-14 Filtering Remote Node Traffic

    Figure 27-14 Filtering Remote Node Traffic
    Menu 11.5 - Remote Node Filter Setup
    Input Filter Sets:
    protocol filters=
    device filters=
    Output Filter Sets:
    protocol filters=
    device filters=
    Press ENTER to Confirm or ESC to Cancel:
  • Page 363: Chapter 28 Snmp Configuration

    Get Community: Type the Get community, which is the password for the incoming Get and GetNext requests from the management station (default: Public). Set Community: Type the Set community, which is the password for incoming Set requests from the management station (default: Public). Change both defaults before enabling SNMP: community strings are sent in clear text, and the Set community grants write access to the configuration.
  • Page 364: Snmp Traps

    [ESC] to cancel and go back to the previous screen. SNMP Traps 28.2 The Contivity 221 will send traps to the SNMP manager when any one of the following events occurs: Table 28-2 SNMP Traps...
  • Page 365: Smt System Maintenance

    SMT System Maintenance Part XII: SMT System Maintenance This part covers system information and diagnosis; firmware and configuration file maintenance, as well as providing information on the system maintenance and information functions and how to configure remote management. See the WebGUI parts of this guide for background information on features configurable by WebGUI and SMT.
  • Page 366: Chapter 29 System Information & Diagnosis

    Introduction to System Status 29.1 This chapter covers the diagnostic tools that help you to maintain your Contivity 221. These tools include updates on system status, port status and log and trace capabilities. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown below.
  • Page 367: Figure 29-2 Menu 24.1: System Maintenance: Status

    Port: Identifies a port (WAN or LAN) on the Contivity 221. Status: Shows the port speed and duplex setting if you’re using Ethernet Encapsulation, and Down (line is down), idle (line (ppp) idle), dial (starting to trigger a call) or drop (dropping a call) if you’re using PPPoE Encapsulation.
  • Page 368: System Information And Console Port Speed

    The total time the Contivity 221 has been on. RAS F/W Version: The Nortel Networks firmware version and the date created. Name: This is the Contivity 221’s system name + domain name assigned in menu 1. For example, System Name= xxx and Domain Name= baboo.mickey.com give Name= xxx.baboo.mickey.com. Routing: Refers to the routing protocol used.
  • Page 369: Figure 29-3 Menu 24.2: System Information And Console Port Speed

    Figure 29-3 Menu 24.2: System Information and Console Port Speed
    Menu 24.2 - System Information and Console Port Speed
    1. System Information
    2. Console Port Speed
    Please enter selection:
    29.3.1 System Information: System Information gives you information about your system as shown below. More specifically, it gives you information on your routing protocol, Ethernet address, IP address, etc.
  • Page 370: Figure 29-5 Menu 24.2.2: System Maintenance: Change Console Port Speed

    You can change the speed of the console port through Menu 24.2.2 – Console Port Speed. Your Contivity 221 supports 9600 (default), 19200, 38400, 57600, and 115200 bps for the console port. Press [SPACE BAR] and then [ENTER] to select the desired speed in menu 24.2.2, as shown next.
  • Page 371: Log And Trace

    29.4 Log and Trace: The Contivity 221 has a syslog facility for message logging, and a trace function for viewing call-triggering packets.
    Figure 29-6 Menu 24.3: System Maintenance: Log and Trace
    Menu 24.3 - System Maintenance - Log and Trace
  • Page 372: Table 29-3 System Maintenance Menu Syslog Parameters

    When finished configuring this screen, press [ENTER] to confirm or [ESC] to cancel. Your Contivity 221 sends five types of syslog messages. Some examples of these syslog messages with their message formats are shown next: CDR Message Format SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String );...
  • Page 373 Filter log Message Format: SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String ); String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD. IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D).
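    A parser for that filter-log string, as an added example that is not Nortel code: it extracts the packet header and the set/rule/match/action marker so the syslog feed can be summarised (for instance, dropped packets per source). The protocol token (TCP, UDP, ...) and the encoding of the four-character port fields are not spelled out on the page, so the port base is a parameter that defaults to hexadecimal, which is an assumption; the syslog prefix and the sample lines are constructed.

```python
"""Parser for Contivity 221 filter-log syslog strings (added example, not Nortel code).

Format from the manual:
    IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD
S04>R01mD = filter set 4, rule 1, matched (m), dropped (D).
"""
import re
from collections import Counter
from dataclasses import dataclass

FILTER_LOG_RE = re.compile(
    r"IP\[Src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"Dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<prot>\S+)\s+spo=(?P<spo>[0-9A-Fa-f]{1,5})\s+dpo=(?P<dpo>[0-9A-Fa-f]{1,5})\]\s*"
    r"S(?P<set>\d+)>R(?P<rule>\d+)(?P<match>[mn])(?P<action>[FDN])"
)
ACTIONS = {"F": "forward", "D": "drop", "N": "check next"}


@dataclass(frozen=True)
class FilterLogEntry:
    src: str
    dst: str
    prot: str
    sport: int
    dport: int
    filter_set: int
    rule: int
    matched: bool
    action: str


def parse_filter_log(line, port_base=16):
    """Return a FilterLogEntry, or None when the line is not a filter-log message.

    port_base=16 assumes the four-character spo/dpo fields are hexadecimal; pass 10
    if a captured log shows them in decimal.
    """
    m = FILTER_LOG_RE.search(line)
    if m is None:
        return None
    return FilterLogEntry(
        src=m["src"], dst=m["dst"], prot=m["prot"].upper(),
        sport=int(m["spo"], port_base), dport=int(m["dpo"], port_base),
        filter_set=int(m["set"]), rule=int(m["rule"]),
        matched=(m["match"] == "m"), action=ACTIONS[m["action"]],
    )


def drops_by_source(lines, port_base=16):
    """Count dropped packets per source address; unparsable lines are skipped."""
    counts = Counter()
    for line in lines:
        entry = parse_filter_log(line, port_base)
        if entry is not None and entry.action == "drop":
            counts[entry.src] += 1
    return counts


# Constructed sample lines; the "Nov 14 ... RAS:" prefix stands in for a syslog relay header.
SAMPLE_LINES = [
    "Nov 14 10:02:11 contivity RAS: IP[Src=203.0.113.9 Dst=192.0.2.1 TCP spo=0537 dpo=0017] S03>R01mD",
    "Nov 14 10:02:12 contivity RAS: IP[Src=203.0.113.9 Dst=192.0.2.1 TCP spo=0538 dpo=0017] S03>R01mD",
    "Nov 14 10:02:15 contivity RAS: IP[Src=198.51.100.4 Dst=192.0.2.1 TCP spo=0c00 dpo=0050] S03>R01nF",
    "Nov 14 10:02:16 contivity RAS: unrelated message",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_filter_log(line))
    print(drops_by_source(SAMPLE_LINES))
```

    Two drops of telnet (port 0x17 = 23) from the same source within a second is the sort of pattern the per-source counter surfaces; the set and rule numbers in the marker tie each line back to the exact entry in menu 21.1.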
  • Page 374 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easy readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next.
  • Page 375: Figure 29-8 Call-Triggering Packet Example

    Press any key to continue... Diagnostic The diagnostic facility allows you to test the different aspects of your Contivity 221 to determine if it is working properly. Menu 24.4 allows you to choose among various types of diagnostic tests to evaluate your system, as shown next.
  • Page 376: Figure 29-9 Menu 24.4: System Maintenance: Diagnostic

    Figure 29-10. LAN DHCP has already been discussed. The Contivity 221 can act either as a WAN DHCP client (IP Address Assignment field in menu 4 or menu 11.3 is Dynamic and the Encapsulation field in menu 4 or...
  • Page 377: Figure 29-10 Wan & Lan Dhcp

    Figure 29-10 WAN & LAN DHCP. The following table describes the diagnostic tests available in menu 24.4 for your Contivity 221 and associated connections. Table 29-4 System Maintenance Menu Diagnostic: Ping Host: Enter 1 to ping any machine (with an IP address) on your LAN or WAN.
  • Page 378: Chapter 30 Firmware And Configuration File Maintenance

    Introduction 30.1 Use the instructions in this chapter to change the Contivity 221’s configuration file or upgrade its firmware. After you configure your Contivity 221, you can back up the configuration file to a computer. That way if you later misconfigure the Contivity 221, you can upload the backed up configuration file to return to your previous settings.
  • Page 379: 33.1 Backup Configuration

    The following table is a summary. Please note that the internal filename refers to the filename on the Contivity 221 and the external filename refers to the filename not on the Contivity 221, that is, on your computer, local network or FTP site and so the name (but not the extension) may vary.
  • Page 380 Xmodem protocol to perform the download/upload and you don’t have to rename the files. Please note that terms “download” and “upload” are relative to the computer. Download means to transfer from the Contivity 221 to the computer, while upload means from your computer to the Contivity 221.
  • Page 381: Figure 30-2 Ftp Session Example

    “get rom-0 config.rom” transfers the configuration file on the Contivity 221 to your computer and renames it “config.rom”. See earlier in this chapter for more information on filename conventions. Enter “quit” to exit the ftp prompt. Note that FTP sends the password and the file in clear text, and the configuration file holds the device’s credentials; run the backup from a trusted network and protect the copy.
  • Page 382 Step 1. Use telnet from your computer to connect to the Contivity 221 and log in. Because TFTP does not have any security checks, the Contivity 221 records the IP address of the telnet client and accepts TFTP requests only from this address.
  • Page 383: Table 30-3 General Commands For Gui-Based Tftp Clients

    Host: Enter the IP address of the Contivity 221. 192.168.1.1 is the Contivity 221’s default IP address when shipped. Send/Fetch: Use “Send” to upload the file to the Contivity 221 and “Fetch” to back up the file on your computer.
  • Page 384: Figure 30-3 System Maintenance: Backup Configuration

    Enter the path and name of the firmware file (*.bin extension) or configuration file (*.rom extension) on your computer. Remote File: This is the filename on the Contivity 221. The filename for the firmware is “ras” and for the configuration file, is “rom-0”. Binary: Transfer the file in binary mode.
  • Page 385: 33.2 Restore Configuration

    Figure 30-5 Backup Configuration Example Type a location for storing the configuration file or click Browse to look for one. Choose the Xmodem protocol. Then click Receive. After a successful backup you will see the following screen. Press any key to return to Step 4.
  • Page 386 Enter your password as requested (the default is “setup”; change this default before the Contivity 221 is reachable from an untrusted network). Enter “bin” to set transfer mode to binary. Step 5. Find the “rom” file (on your computer) that you want to restore to your Contivity 221. Step 6.
  • Page 387: Figure 30-8 Restore Using Ftp Session Example

    Step 7. Use “put” to transfer files from the computer to the Contivity 221, for example, “put config.rom rom-0” transfers the configuration file “config.rom” on your computer to the Contivity 221. See earlier in this chapter for more information on filename conventions.
  • Page 388: 33.3 Uploading Firmware And Configuration Files

    Then click Send. Step 4. After a successful restoration you will see the following screen. Press any key to restart the Contivity 221 and return to the SMT menu. Figure 30-12 Successful Restoration Confirmation Screen Save to ROM Hit any key to start system reboot.
  • Page 389: Figure 30-13 Telnet Into Menu 24.7.1: Upload System Firmware

    FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client. When you telnet into the Contivity 221, you will see the following screens for uploading firmware and the configuration file using FTP.
  • Page 390: Figure 30-14 Telnet Into Menu 24.7.2: System Maintenance

    Step 5. Enter “bin” to set transfer mode to binary. Step 6. Use “put” to transfer files from the computer to the Contivity 221, for example, “put firmware.bin ras” transfers the firmware on your computer (firmware.bin) to the Contivity 221.
  • Page 391: Figure 30-15 Ftp Session Example Of Firmware File Upload

    Use telnet from your computer to connect to the Contivity 221 and log in. Because TFTP does not have any security checks, the Contivity 221 records the IP address of the telnet client and accepts TFTP requests only from this address.
  • Page 392 The file name for the firmware is “ras”. Note that the telnet connection must be active and the Contivity 221 in CI mode before and during the TFTP transfer. For details on TFTP commands (see following example), please consult the documentation of your TFTP client program.
  • Page 393: Figure 30-16 Menu 24.7.1 As Seen Using The Console Port

    30.2.20 Uploading Firmware File Via Console Port. Step 1. Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.1 - System Maintenance - Upload System Firmware, and then follow the instructions as shown in the following screen.
  • Page 394: Figure 30-17 Example Xmodem Upload

    Type the firmware file’s location, or click Browse to look for it. Choose the Xmodem protocol. Then click Send. After the firmware upload process has completed, the Contivity 221 will automatically restart. 30.2.22 Uploading Configuration File Via Console Port Step 1.
  • Page 395: Figure 30-18 Menu 24.7.2 As Seen Using The Console Port

    After the "Starting Xmodem upload" message appears, activate the Xmodem protocol on your computer. Follow the procedure as shown previously for the HyperTerminal program. The procedure for other serial communications programs should be similar. Step 3. Enter “atgo” to restart the Contivity 221. 30.2.23 Example Xmodem Configuration Upload Using HyperTerminal Click Transfer, then Send File to display the following screen.
  • Page 396: Figure 30-19 Example Xmodem Upload

    Figure 30-19 Example Xmodem Upload Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. After the configuration upload process has completed, restart the Contivity 221 by entering “atgo”.
  • Page 398: Command Interpreter Mode

    Menu 24 - System Maintenance
    1. System Status
    2. System Information and Console Port Speed
    3. Log and Trace
    4. Diagnostic
    5. Backup Configuration
    6. Restore Configuration
    7. Firmware Update
    8. Command Interpreter Mode
    9. Call Control
    10. Time and Date Setting
    11. Remote Management Setup
    Enter Menu Selection Number:
  • Page 399: Figure 31-2 Valid Commands

    31.1.1 Command Syntax The command keywords are in courier new font. Enter the command keywords exactly as shown, do not abbreviate. The required fields in a command are enclosed in angle brackets <>. The optional fields in a command are enclosed in square brackets [].
  • Page 400: Call Control Support

    The budget management function allows you to set a limit on the total outgoing call time of the Contivity 221 within certain times. When the total outgoing call time exceeds the limit, the current call will be dropped and any future outgoing calls will be blocked.
  • Page 401: Figure 31-4 Budget Management

    Figure 31-4 Budget Management
    Menu 24.9.1 - Budget Management
    Remote Node | Connection Time/Total Budget | Elapsed Time/Total Period
    1. ChangeMe | No Budget | No Budget
    2. GUI | No Budget | No Budget
    Reset Node (0 to update screen):
    The total budget is the time limit on the accumulated time for outgoing calls to a remote node.
  • Page 402: Table 31-3 Call History Fields

    This is the length of time of the shortest telephone call. Total: This is the total length of time of all the telephone calls to/from that telephone number. You may enter an entry number to delete it or “0” to exit.
  • Page 403: Time And Date Setting

    There is a software mechanism to set the time manually or get the current time and date from an external server when you turn on your Contivity 221. Menu 24.10 allows you to update the time and date settings of your Contivity 221. The real time is then displayed in the Contivity 221 error logs and firewall logs.
  • Page 404: Figure 31-7 Menu 24.10 System Maintenance: Time And Date Setting

    Enter the time service protocol that your timeserver sends when you turn on the Contivity 221 (the “when Bootup” field). Not all timeservers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
  • Page 405 Resetting the Time. The Contivity 221 resets the time in three instances:
    i. On leaving menu 24.10 after making changes.
    ii. When the Contivity 221 starts up, if there is a timeserver configured in menu 24.10.
    iii. At 24-hour intervals after starting.
  • Page 406: Chapter 32 Remote Management

    32.1 Remote Management. Remote management allows you to determine which services/protocols can access which Contivity 221 interface (if any) from which computers. You may manage your Contivity 221 from a remote location via: Internet (WAN only), ALL (LAN and WAN), LAN only, or Neither (Disable).
  • Page 407: Figure 32-1 Menu 24.11 - Remote Management Control

    The default 0.0.0.0 allows any client to use this service or protocol to remotely access the Contivity 221. Enter an IP address to restrict access to a client with a matching IP address. Once you have filled in this menu, press [ENTER] at the message "Press ENTER to Confirm or ESC to Cancel"...
  • Page 408 3. The IP address in the Secured Client IP field (menu 24.11) does not match the client IP address. If it does not match, the Contivity 221 will disconnect the session immediately. 4. There is an SMT console session running.
  • Page 410: Smt Advanced Management

    Part XIII: SMT Advanced Management. This part provides information on how to configure call scheduling. See the WebGUI parts of this guide for background information on features configurable by WebGUI and SMT.
  • Page 412: Chapter 33 Call Scheduling

    For example, if sets 1, 2, 3 and 4 are applied in the remote node, then set 1 will take precedence over set 2, 3 and 4 as the Contivity 221, by default, applies the lowest numbered set first. Set 2 will take precedence over set 3 and 4, and so on.
  • Page 413: Figure 33-2 Schedule Set Setup

    Press ENTER to Confirm or ESC to Cancel:    Press Space Bar to Toggle
    If a connection has already been established, your Contivity 221 will not drop it. Once the connection is dropped manually or it times out, then that remote node can't be triggered up until the end of the Duration.
  • Page 414 Enter 11 from the Main Menu and then enter the target remote node index. Press [SPACE BAR] and then [ENTER] to select PPPoE in the Encapsulation field to make the schedule sets field available as shown next.
  • Page 415: Figure 33-3 Applying Schedule Set(S) To A Remote Node (Pppoe)

    Figure 33-3 Applying Schedule Set(s) to a Remote Node (PPPoE)
    Menu 11.1 - Remote Node Profile
    Rem Node Name= ChangeMe          Route= IP
    Active= Yes
    Encapsulation= PPPoE             Edit IP= No
    Service Type= Standard           Telco Option:
    Service Name=                    Allocated Budget(min)= 0
    Outgoing=                        Period(hr)= 0
    My Login=...
  • Page 416: Figure 33-4 Applying Schedule Set(S) To A Remote Node (Pptp)

    PPTP :                           Edit Filter Sets= No
    My IP Addr=                      Idle Timeout(sec)= 100
    Server IP Addr=
    Connection ID/Name=
    Apply your schedule sets here.
    Press ENTER to Confirm or ESC to Cancel:    Press Space Bar to Toggle.
  • Page 417: General Appendices

    Part XIV: General Appendices. This part provides background information about setting up your computer’s IP address, antennas, triangle route, how functions are related, PPPoE, PPTP, hardware specifications, Universal Plug and Play, IP subnetting and safety warnings.
  • Page 418: Appendix A Setting Up Your Computer's Ip Address

    If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet (the 192.168.1.2 to 192.168.1.254 range with a subnet mask of 255.255.255.0) as the default Contivity 221 LAN port IP address (192.168.1.1).
  • Page 419 Windows 95/98/Me
    1. Click Start, Settings, Control Panel and double-click the Network icon to open the Network window.
    2. The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.
  • Page 420 - To have your computer assigned a dynamic IP address, select Obtain an IP address automatically.
    - To give your computer a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.
  • Page 421 Click the DNS Configuration tab.
    - If you do not know your DNS information, select Disable DNS.
    - If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in).
  • Page 422 Click OK to close the Network window. Insert the Windows CD if prompted. Turn on your Contivity 221 and restart your computer when prompted.
    Checking/Modifying Your Computer’s IP Address. Click Start and then Run.
  • Page 423 Windows 2000/NT/XP. In Windows XP, click start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. In Windows XP, click Network Connections. In Windows 2000/NT, click Network and Dial-up Connections. Right-click Local Area Connection and then click Properties.
  • Page 424 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties.
  • Page 425 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
    - To have your computer assigned a dynamic IP address, click Obtain an IP address automatically.
    - If you have a static IP address, click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields.
  • Page 426 ... Automatic metric check box and type a metric in Metric.
    - Click Add.
    - Repeat the previous three steps for each default gateway you want to add.
    - Click OK when finished.
  • Page 427 IP address is in the correct subnet (192.168.1.2 to 192.168.1.254 if using the default Contivity 221 LAN IP address). Alternatively, to have the Contivity 221 assign your computer a new IP address (from the IP pool), make sure your Contivity 221 is turned on, type "ipconfig/renew" and then press ENTER.
  • Page 428 Macintosh OS 8/9. Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Select Ethernet built-in from the Connect via list.
  • Page 429 - Type your IP address in the IP Address box.
    - Type your subnet mask in the Subnet mask box.
    - Type the IP address of your Contivity 221 in the Router address box.
    Close the TCP/IP Control Panel. Click Save if prompted, to save changes to your configuration.
  • Page 430 - Type your IP address in the IP Address box.
    - Type your subnet mask in the Subnet mask box.
    - Type the IP address of your Contivity 221 in the Router address box.
    Click Apply Now and close the window. Turn on your Contivity 221 and restart your computer (if prompted).
  • Page 432: Appendix B Triangle Route

    Triangle Route. The Ideal Setup: When the firewall is on, your Contivity 221 acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the Contivity 221 to protect your LAN against attacks.
  • Page 433 Contivity 221 being the gateway for each logical network. By putting your LAN and Gateway B in different subnets, all returning network traffic must pass through the Contivity 221 to your LAN. The following steps describe such a scenario.
  • Page 434 A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side as the following figure shows. This ensures that all incoming network traffic passes through your Contivity 221 to your LAN. Therefore your LAN is protected. Diagram B-4 Gateways on the WAN Side...
  • Page 436: Appendix C The Big Picture

    Appendix C The Big Picture. The following figure gives an overview of how filtering, the firewall, VPN and NAT are related. Diagram C-1 Big Picture: Filtering, Firewall, VPN and NAT
  • Page 438: Appendix D PPPoE

    3. It allows the ISP to use the existing dial-up model to authenticate and (optionally) to provide differentiated services. Traditional Dial-up Scenario: The following diagram depicts a typical hardware configuration where the PCs use traditional dial-up networking.
  • Page 439 Contivity 221 as a PPPoE Client. When using the Contivity 221 as a PPPoE client, the PCs on the LAN see only Ethernet and are not aware of PPPoE. This relieves the administrator of having to manage the PPPoE clients on the individual PCs.
  • Page 440 Diagram D-2 Contivity 221 as a PPPoE Client
  • Page 442: Appendix E PPTP

    Diagram E-1 Transport PPP frames over Ethernet. PPTP and the Contivity 221: When the Contivity 221 is deployed in such a setup, it appears as a PC to the ANT. In the Windows VPN or PPTP Pass-Through feature, the PPTP tunnel is created from Windows 95, 98 and NT clients to an NT server in a remote location.
  • Page 443 Microsoft includes PPTP as a part of the Windows OS. In Microsoft’s implementation, the PC, and hence the Contivity 221, is the PNS that requests the PAC (the ANT) to place an outgoing call over AAL5 to an RFC 2364 server.
  • Page 444 The PPP frames are tunneled between the PNS and PAC over GRE (Generic Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
  • Page 446: Appendix F Hardware Specifications

    In a serial communications connection, generally a computer is DTE (Data Terminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment). The Contivity 221 is DCE when you connect a computer to the console port. The Contivity 221 is DTE when you connect a modem to the dial backup port.
  • Page 447 Chart F-2 Console/Dial Backup Port Pin Assignments
    CONSOLE Port RS-232 (Female) DB-9F    DIAL BACKUP RS-232 (Male) DB-9M
    Pin 1 = NON                           Pin 1 = NON
    Pin 2 = DCE-TXD                       Pin 2 = DTE-RXD
    Pin 3 = DCE-RXD                       Pin 3 = DTE-TXD
    Pin 4 = DCE-DSR...
  • Page 448 Plug: European Union standards. Safety standards: TUV, CE (EN 60950).
    AC Power Adapter model JAD-121200E: Input power: AC230Volts/50Hz; Output power: DC12Volts/1.2A; Power consumption: 9 W; Plug: European Union standards; Safety standards: TUV, CE (EN 60950).
  • Page 449 Chart F-6 UK AC Power Adaptor Specifications: AC Power Adapter model AD-1201200DK; Input power: AC230Volts/50Hz/0.2A; Output power: DC12Volts/1.2A; Power consumption: 10 W; Plug: United Kingdom standards; Safety standards: TUV, CE (EN 60950, BS7002).
    Chart F-7 Japan AC Power Adaptor Specifications: AC Power Adapter model JOD-48-1124; Input power: AC100Volts/50/60Hz/27VA; Output power: DC12Volts/1.2A...
  • Page 450: Appendix G IP Subnetting

    –2 hosts (approximately 16 million hosts). Since the first octet of a class “A” IP address must begin with a “0”, the first octet of a class “A” address can have a value of 0 to 127.
  • Page 451 Similarly, the first octet of a class “B” address must begin with “10”; therefore the first octet of a class “B” address has a valid range of 128 to 191. The first octet of a class “C” address begins with “110”, and therefore has a range of 192 to 223.
  • Page 452 192.168.1.0 with mask 255.255.255.128 and 192.168.1.128 with mask 255.255.255.128. In the following charts, shaded/bolded last octet bit values indicate host ID bits “borrowed” to form network ID bits. The number of “borrowed” host ID bits
  • Page 453 determines the number of subnets you can have. The remaining number of host ID bits (after “borrowing”) determines the number of hosts you can have on each subnet. Chart G-5 Subnet 1 (NETWORK NUMBER, LAST OCTET BIT VALUE): IP Address 192.168.1.
  • Page 454 Chart G-9 Subnet 3 (NETWORK NUMBER, LAST OCTET BIT VALUE)
    IP Address: 192.168.1.
    IP Address (Binary): 11000000.10101000.00000001. 10000000
    Subnet Mask (Binary): 11111111.11111111.11111111. 11000000
    Subnet Address: 192.168.1.128      Lowest Host ID: 192.168.1.129
    Broadcast Address: 192.168.1.191   Highest Host ID: 192.168.1.190
  • Page 455 Chart G-10 Subnet 4 (NETWORK NUMBER, LAST OCTET BIT VALUE)
    IP Address: 192.168.1.
    IP Address (Binary): 11000000.10101000.00000001. 11000000
    Subnet Mask (Binary): 11111111.11111111.11111111. 11000000
    Subnet Address: 192.168.1.192      Lowest Host ID: 192.168.1.193
    Broadcast Address: 192.168.1.255   Highest Host ID: 192.168.1.254
    Example Eight Subnets: Similarly, use a 27-bit mask to create 8 subnets (000, 001, 010, 011, 100, 101, 110, 111).
  • Page 456 Class B subnet planning rows (SUBNET MASK, with the NO. SUBNETS or NO. HOSTS PER SUBNET value where it survived extraction):
    255.255.128.0 (/17): 32766 hosts per subnet
    255.255.192.0 (/18): 16382 hosts per subnet
    255.255.224.0 (/19): 8190 hosts per subnet
    255.255.240.0 (/20): 4094 hosts per subnet
    255.255.248.0 (/21): 2046 hosts per subnet
    255.255.252.0 (/22): 1022 hosts per subnet
    255.255.254.0 (/23)
    255.255.255.0 (/24)
    255.255.255.128 (/25)
    255.255.255.192 (/26): 1024 subnets
    255.255.255.224 (/27): 2048 subnets
  • Page 457 Chart G-13 Class B Subnet Planning (NO. “BORROWED” HOST BITS, SUBNET MASK, NO. SUBNETS, NO. HOSTS PER SUBNET)
    255.255.255.240 (/28): 4096 subnets
    255.255.255.248 (/29): 8192 subnets
    255.255.255.252 (/30): 16384 subnets
    255.255.255.254 (/31): 32768 subnets
  • Page 458: Appendix H Safety Warnings And Instructions

    2. The maximum recommended ambient temperature for the Contivity 221 is 40° Celsius (104° Fahrenheit). Care must be taken to allow sufficient air circulation or space between units when the Contivity 221 is installed inside a closed rack assembly. The operating ambient temperature of the rack environment might be greater than room temperature.
  • Page 459: Command And Log Appendices

    Part XV: Command and Log Appendices. This part provides information on the command line interface, firewall and NetBIOS commands, logs and password protection.
  • Page 461: Appendix I Command Interpreter

    A list of valid commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished.
    Sys Commands
  • Page 462 The following chart lists and describes the sys commands. Each of these commands must be preceded by sys when you use them. For example, type sys stdio 60 to set the management session inactivity timeout to 60 minutes. Chart I-1 Sys Commands COMMAND...
  • Page 463 ... [0:none/1:log]: Records the system maintenance logs.
    packetfilter [0:none/1:log]: Records the packet filter logs.
    ppp [0:none/1:log]: Records the PPP logs.
    remote [0:none/1:log]: Records the remote management logs.
    tcpreset [0:none/1:log]: Records the TCP reset logs.
  • Page 464 Chart I-1 Sys Commands (continued)
    upnp [0:none/1:log]: Records the UPnP logs.
    urlblocked [0:none/1:log/2:alert/3:both]: Records and/or sends alerts for web access blocked logs.
    urlforward [0:none/1:log]: Records web access forward logs.
    clear: Clears the log.
    display [access|attack|error|ipsec|ike|javablocked|mten|ur...]: Displays all logs or specified categories of logs.
  • Page 465 ... <none|sua|full_feature>: Configure remote node NAT.
    nailup <no|yes>: Configure a remote node connection to be nailed up (always on).
    ... <value>: Sets the remote node Maximum Transmission Unit.
    save [entry no.]: Save remote node information.
  • Page 466 Chart I-1 Sys Commands (continued)
    stdio [minute]: Sets or displays the management terminal idle timeout value.
    time [hour [min [sec]]]: Sets or displays the system time.
    trcdisp parse, brief, disp: Sets the level of detail that should be displayed.
  • Page 467 ... UPnP settings.
    config [0:deny/1:permit]: Allow users to make configuration changes through UPnP.
    display: Displays UPnP information.
    firewall [0:deny/1:pass]: Allow UPnP to pass through Firewall.
    load: Saves UPnP information.
    reserve [0:deny/1:permit]
    save: Saves UPnP information.
  • Page 468 Exit Command. Chart I-2 Exit Command: exit: Ends the command interpreter session.
    Ethernet Commands. The following chart lists and describes the ether commands. Each of these commands must be preceded by ether when you use them. For example, type ether config to display information on the LAN configuration.
  • Page 469 ...: Displays DNS statistics.
    httpd debug [on|off]: Enables or disables the HTTP debug flag. This command does not work currently.
    icmp status: Displays the ICMP statistics counter.
    discovery <iface> [on|off]: Sets the ICMP router discovery flag.
  • Page 470 Chart I-4 IP Commands
    ifconfig [iface] [ipaddr] [broadcast <addr>|mtu <value>|dynamic]: Configures a network interface.
    ping <hostid>: Pings a remote host.
    route status [if]: Displays the routing table.
    ... <dest_addr|default>[/<bits>] <gateway> [<metric>]: Adds a route.
    addiface <dest_addr|default...: Adds an entry to the routing table for the...
  • Page 471 telnet <host>: Telnets to the specified host.
    tracerout <host> [ttl] [wait] [queries]: Sends ICMP packets to trace the route of a remote host.
    ... status: Displays the UDP status.
    urlfilter enable [0:no/1:yes]: Enables/disables content filtering.
  • Page 472 Chart I-4 IP Commands (continued)
    dropIcmp <?>
    exemptZone Display: Displays content filtering exempt zone information.
    actionFlags [type(1-3)][enable/disable]: Enables/disables content filtering exempt zone action flags that determine to which IP addresses to apply content filtering.
    add [ip1] [ip2]: Sets a range of IP addresses to be in the exempt zone.
  • Page 473 ... [on|off]
    iface <iface> grouptm <timeout>: Sets IGMP group timeout for the specified interface.
    <iface> interval <interval>: Sets IGMP query interval for the specified interface.
    <iface> join <group>: Adds an interface to a group.
  • Page 474 Chart I-4 IP Commands (continued)
    <iface> leave <group>: Removes an interface from a group.
    <iface> query: Sends an IGMP query on the specified interface.
    <iface> rsptime [time]: Sets the IGMP response time.
    <iface>...: Turns on IGMP on the specified...
  • Page 475 ...: Removes an IP policy.
    display: Displays the IP policies.
    internal list: Displays the IP policies.
    load <policy Index>: Loads an IP policy.
    local type <0:single|1:range|2:subnet>: Sets an IP policy’s local address type.
  • Page 476 Chart I-5 IPSec Commands
    addrStart <IP address>: Sets an IP policy’s starting local IP address.
    endMask <IP address>: Sets an IP policy’s ending local IP address or subnet mask.
    port <port number>: Sets an IP policy’s local port number.
    protocol <0:All|1:ICMP|6:TCP|17...: Sets an IP policy’s protocol number.
  • Page 477 ...: Sets the NetBIOS active flag.
    group <group index1, group index2…>: Sets the NetBIOS group.
    name <string>: Sets a rule’s name.
    keepAlive <Yes|No>: Enables/disables keep alive.
    lcIdType <0:IP|1:DNS|2:Email>: Sets the local ID type.
  • Page 478 Chart I-5 IPSec Commands (continued)
    lcIdContent <string>: Sets the local ID content.
    myIpAddr <IP address>: Sets the my IP address.
    peerIdType <0:IP|1:DNS|2:Email>: Sets the peer ID type.
    peerIdContent <string>: Sets the peer ID content.
    secureGwAddr <IP address|Domain...: Sets the secure gateway IP address or domain...
  • Page 479 ...: Sets whether the firewall will ignore DoS attacks on the lan/wan/dmz/wlan.
    ignore: Sets whether the firewall will ignore DoS attacks on the lan/wan/dmz/wlan.
    triangle: Sets whether the firewall will ignore triangle route packets on the lan/wan/dmz/wlan.
  • Page 481: Appendix J Netbios Filter Commands

    Between LAN and WAN: Block
    IPSec Packets: Forward
    Trigger Dial: Disabled
    Syntax: sys filter netbios disp
    This command gives a read-only list of the current NetBIOS filter modes. The filter types and their default settings are as follows.
  • Page 482 Chart J-1 NetBIOS Filter Default Settings (NAME, DESCRIPTION, EXAMPLE)
    Between LAN and WAN: This field displays whether NetBIOS packets are blocked or forwarded from the LAN to the WAN or from the WAN to the LAN. Example: Forward.
    IPSec Packets: This field displays whether NetBIOS packets sent through a VPN... Example: Forward...
  • Page 483 This command forwards LAN to WAN and WAN to LAN NetBIOS packets.
    Command: sys filter netbios config 3 on. This command blocks IPSec NetBIOS packets.
    Command: sys filter netbios config 4 off. This command stops NetBIOS commands from initiating calls.
  • Page 485: Appendix K Boot Commands

    When you start up your Contivity 221, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen. In debug mode you...
  • Page 486 Diagram K-2 Boot Module Commands
    AT          just answer OK
    ATHE        print help
    ATBAx       change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
    ATENx,(y)   set BootExtension Debug Flag (y=password)
    ATSE        show the seed of password generator
    ATTI(h,m,s) change system time to hour:min:sec or show current time
    ATDA(y,m,d) change system date to year/month/day or show current date
    ATDS...
  • Page 487: Appendix L Log Descriptions

    SMT Login Fail: Someone has failed to log on to the router's SMT interface.
    WEB Login Successfully: Someone has logged on to the router's WebGUI interface.
    WEB Login Fail: Someone has failed to log on to the router's WebGUI interface.
  • Page 488 Chart L-4 Content Filtering Logs (CATEGORY, LOG MESSAGE, DESCRIPTION)
    URLFOR, IP/Domain Name: The Contivity 221 allows access to this IP address or domain name and forwarded traffic addressed to the IP address or domain name.
    URLBLK, IP/Domain Name: The Contivity 221 blocked access to this IP address or domain name due to a forbidden keyword.
  • Page 489 ip spoofing - WAN IGMP: The firewall detected an IGMP IP spoofing attack on the WAN port.
    ip spoofing - WAN ...: The firewall detected an ESP IP spoofing attack on the WAN port.
  • Page 490 illegal command TCP: The firewall detected a TCP illegal command attack.
    NetBIOS TCP: The firewall detected a TCP NetBIOS attack.
    ip spoofing - no routing entry TCP: The firewall detected a TCP IP spoofing attack while the Contivity 221 did not have a default route.
  • Page 491 Firewall default policy: TCP (set:%d): TCP access matched the default policy of the listed ACL set and the Contivity 221 blocked or forwarded it according to the ACL set’s configuration.
    Firewall default policy: UDP ...: UDP access matched the default policy of the listed ACL set and the Contivity 221 blocked or forwarded it according to the ACL set’s...
  • Page 492 Firewall default policy: GRE (set:%d): GRE access matched the default policy of the listed ACL set and the Contivity 221 blocked or forwarded it according to the ACL set’s configuration.
    Firewall default policy: OSPF ...: OSPF access matched the default policy of the listed ACL set and the Contivity 221 blocked or forwarded it according to the ACL set’s...
  • Page 493 Firewall rule match: (set:%d, rule:%d): Access matched the listed firewall rule and the Contivity 221 blocked or forwarded it according to the rule’s configuration.
    Firewall rule NOT match: TCP (set:%d, rule:%d): TCP access did not match the listed firewall rule and the Contivity 221 logged it.
  • Page 494 Chart L-6 Access Logs (LOG MESSAGE, DESCRIPTION)
    Firewall rule NOT match: (set:%d, rule:%d): Access did not match the listed firewall rule and the Contivity 221 logged it.
    Filter default ...: TCP access matched a default filter policy and the Contivity 221 dropped the packet to block access.
  • Page 495 Filter match DROP <set %d/rule %d>: ICMP access matched the listed filter rule and the Contivity 221 dropped the packet to block access.
    Filter match DROP <set %d/rule %d>: Access matched the listed filter rule and the Contivity 221 dropped the packet to block access...
  • Page 496 Out of order TCP handshake packet blocked: The router blocked a TCP handshake packet that came out of the proper order.
    Drop unsupported/out-of-order ICMP: The Contivity 221 generates this log after it drops an ICMP packet due to one of the following two reasons: 1.
  • Page 497 A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.
    Redirect: Redirect datagrams for the Network
  • Page 498 Chart L-8 ICMP Notes (TYPE, CODE, DESCRIPTION)
    Redirect datagrams for the Host
    Redirect datagrams for the Type of Service and Network
    Redirect datagrams for the Type of Service and Host
    Echo: Echo message
    Time Exceeded: Time to live exceeded in transit
    Fragment reassembly time exceeded
    Parameter Problem: Pointer indicates the error...
  • Page 499 Recv:<ID><HASH>
    01 Jan 08:02:26 Phase 1 IKE SA process done
    01 Jan 08:02:26 Start Phase 2: Quick Mode
    01 Jan 08:02:26 Send:<HASH><SA><NONCE><ID><ID>
    01 Jan 08:02:26 Recv:<HASH><SA><NONCE><ID><ID>
    01 Jan 08:02:26 Send:<HASH>
    Clear IPSec Log (y/n):
  • Page 500 Chart L-10 Sample IKE Key Exchange Logs (LOG MESSAGE, DESCRIPTION)
    Send <Symbol> Mode request to <IP>: The Contivity 221 has started negotiation with the peer.
    Recv <Symbol> Mode request from <IP>: The Contivity 221 has received an IKE negotiation request from the peer.
  • Page 501 Start Phase 2: Quick Mode: Phase 2 negotiation is beginning using Quick Mode.
    !! IKE Negotiation is in process: The Contivity 221 has already begun negotiation with the peer for the connection, but the IKE key exchange has not finished yet.
  • Page 502 !! IKE Packet Retransmit: The Contivity 221 did not receive a response from the peer and so retransmits the last packet sent.
    !! Failed to send IKE Packet: The Contivity 221 cannot send IKE packets due to a network error.
  • Page 503 !! WAN IP changed to <IP>: If the Contivity 221’s WAN IP changes, all configured “My IP Addr” are changed to “0.0.0.0”. If this field is configured as 0.0.0.0, then the Contivity 221 will use the current Contivity 221 WAN IP address (static or dynamic) to set up the VPN tunnel.
  • Page 504 Configuring What You Want the Contivity 221 to Log. Use the sys logs load command to load the log setting buffer that allows you to configure which logs the Contivity 221 is to record. Use sys logs category followed by a log category and a parameter to...
  • Page 505 Use the sys logs clear command to erase all of the Contivity 221’s logs.
    Log Command Example. This example shows how to set the Contivity 221 to record the access logs and alerts and then view the results.
    ras> sys logs load
    ras>...
  • Page 506 .time source destination notes message
    0|11/11/2002 15:10:12 |172.22.3.80:137 |172.22.255.255:137 |ACCESS BLOCK Firewall default policy: UDP(set:8)
    1|11/11/2002 15:10:12 |172.21.4.17:138 |172.21.255.255:138 |ACCESS BLOCK Firewall default policy: UDP(set:8)
    2|11/11/2002 15:10:11 |172.17.2.1 |224.0.1.60 |ACCESS BLOCK Firewall default policy: IGMP(set:8)
    3|11/11/2002 15:10:11 |172.22.3.80:137 |172.22.255.255:137 |ACCESS BLOCK Firewall default policy: UDP(set:8)
  • Page 507: Appendix M Brute-Force Password Guessing Protection

    (a number from 1 to 60) minutes after the third time an incorrect password is entered.
    Example: sys pwderrtm 5
    This command sets the password protection to block all access attempts for five minutes after the third time an incorrect password is entered.
  • Page 508 Command and Log Appendices Part XV: Command and Log Appendices This part provides information on the command line interface, firewall and NetBIOS commands, logs and password protection.
  • Page 510: Sys Commands

    A list of valid commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished. Sys Commands Contivity 221 VPN Switch User’s Guide...
  • Page 511: Index

    I-2 Command Interpreter The following chart lists and describes the sys commands. Each of these commands must be preceded by sys when you use them. For example, type sys stdio 60 to set the management session inactivity timeout to 60 minutes. Chart I-1 Sys Commands COMMAND...
  • Page 512 [0:none/1:log] Records the system maintenance logs. Records the packet filter logs. packetfilter [0:none/1:log] ppp [0:none/1:log] Records the PPP logs. Records the remote management remote [0:none/1:log] logs. tcpreset [0:none/1:log] Records the TCP reset logs. Contivity 221 VPN Switch User’s Guide...
  • Page 513 I-4 Command Interpreter Chart I-1 Sys Commands COMMAND DESCRIPTION upnp [0:none/1:log] Records the UPnP logs. urlblocked Records and/or sends alerts for web [0:none/1:log/2:alert/3:b access blocked logs. oth] urlforward [0:none/1:log] Records web access forward logs. clear Clears the log. display [access|attack|error|ipse Displays all logs or specified c|ike|javablocked|mten|ur categories of logs.
  • Page 514 <none|sua|full_feature> Configure remote node NAT. nailup <no|yes> Configure a remote node connection to be nailed up (always on). <value> Sets the remote node Maximum Transmission Unit. save [entry no.] Save remote node information. Contivity 221 VPN Switch User’s Guide...
  • Page 515 I-6 Command Interpreter Chart I-1 Sys Commands COMMAND DESCRIPTION stdio [minute] Sets or displays the management terminal idle timeout value. time [hour [min [sec]]] Sets or displays the system time. trcdisp parse, brief, disp Sets the level of detail that should be displayed.
  • Page 516 UPnP settings. config [0:deny/1:permit] Allow users to make configuration changes through UPnP. display Displays UPnP information. firewall [0:deny/1:pass] Allow UPnP to pass through Firewall. load Saves UPnP information. reserve [0:deny/1:permit] save Saves UPnP information. Contivity 221 VPN Switch User’s Guide...
  • Page 517 I-8 Command Interpreter Exit Command Chart I-2 Exit Command COMMAND DESCRIPTION exit Ends the command interpreter session. Ethernet Commands The following chart lists and describes the ether commands. Each of these commands must be preceded by ether when you use them. For example, type ether config to display information on the LAN configuration.
  • Page 518 (Chart I-4 IP Commands, continued)
    …                             Displays DNS statistics.
    httpd debug [on|off]          Enables or disables the HTTP debug flag. This command does not work currently.
    icmp
      status                      Displays the ICMP statistics counter.
      discovery <iface> [on|off]  Sets the ICMP router discovery flag.
  • Page 519 I-10 Command Interpreter, Chart I-4 IP Commands (COMMAND / DESCRIPTION)
    ifconfig [iface] [ipaddr] [broadcast <addr>|mtu <value>|dynamic]  Configures a network interface.
    ping <hostid>                  Pings a remote host.
    route
      status [if]                  Displays the routing table.
      … <dest_addr|default>[/<bits>] <gateway> [<metric>]  Adds a route.
      addiface <dest_addr|default…  Adds an entry to the routing table for the…
  • Page 520 (Chart I-4 IP Commands, continued)
    telnet <host>                            Telnets to the specified host.
    tracerout <host> [ttl] [wait] [queries]  Sends ICMP packets to trace the route of a remote host.
    udp
      status                                 Displays the UDP status.
    urlfilter enable [0:no/1:yes]            Enables/disables content filtering.
  • Page 521 I-12 Command Interpreter, Chart I-4 IP Commands (COMMAND / DESCRIPTION)
    dropIcmp <?>                  (no description on the page)
    exemptZone
      Display                     Displays content filtering exempt zone information.
      actionFlags [type(1-3)] [enable/disable]  Enables/disables the content filtering exempt zone action flags that determine to which IP addresses content filtering applies.
      add [ip1] [ip2]             Sets a range of IP addresses to be in the exempt zone.
  • Page 522 (Chart I-4 IP Commands, IGMP, continued)
    … [on|off]
    iface
      <iface> grouptm <timeout>    Sets the IGMP group timeout for the specified interface.
      <iface> interval <interval>  Sets the IGMP query interval for the specified interface.
      <iface> join <group>         Adds an interface to a group.
  • Page 523 I-14 Command Interpreter, Chart I-4 IP Commands (COMMAND / DESCRIPTION)
      <iface> leave <group>   Removes an interface from a group.
      <iface> query           Sends an IGMP query on the specified interface.
      <iface> rsptime [time]  Sets the IGMP response time.
      <iface> …               Turns on IGMP on the specified…
  • Page 524 (Chart I-5 IPSec Commands, continued)
    …                     Removes an IP policy.
    display               Displays the IP policies.
    internal list         Displays the IP policies.
    load <policy index>   Loads an IP policy.
    local
      type <0:single|1:range|2:subnet>  Sets an IP policy's local address type.
  • Page 525 I-16 Command Interpreter, Chart I-5 IPSec Commands (COMMAND / DESCRIPTION)
      addrStart <IP address>           Sets an IP policy's starting local IP address.
      endMask <IP address>             Sets an IP policy's ending local IP address or subnet mask.
      port <port number>               Sets an IP policy's local port number.
      protocol <0:All|1:ICMP|6:TCP|17…  Sets an IP policy's protocol number.
  • Page 526 (Chart I-5 IPSec Commands, continued)
    …                                    Sets the NetBIOS active flag.
    group <group index1, group index2…>  Sets the NetBIOS group.
    name <string>                        Sets a rule's name.
    keepAlive <Yes|No>                   Enables/disables keep alive.
    lcIdType <0:IP|1:DNS|2:Email>        Sets the local ID type.
  • Page 527 I-18 Command Interpreter, Chart I-5 IPSec Commands (COMMAND / DESCRIPTION)
    lcIdContent <string>                Sets the local ID content.
    myIpAddr <IP address>               Sets the My IP Address.
    peerIdType <0:IP|1:DNS|2:Email>     Sets the peer ID type.
    peerIdContent <string>              Sets the peer ID content.
    secureGwAddr <IP address | Domain…  Sets the secure gateway IP address or domain…
  • Page 528 (firewall commands, continued)
    ignore    Sets if the firewall will ignore DoS attacks on the lan/wan/dmz/wlan.
    triangle  Sets if the firewall will ignore triangle route packets on the lan/wan/dmz/wlan.
  • Page 530 Syntax: sys filter netbios disp
    This command gives a read-only list of the current NetBIOS filter modes:
      Between LAN and WAN: Block
      IPSec Packets: Forward
      Trigger Dial: Disabled
    The filter types and their default settings are as follows.
  • Page 531 J-2 NetBIOS Filter Commands, Chart J-1 NetBIOS Filter Default Settings (NAME / DESCRIPTION / EXAMPLE)
    Between LAN and WAN  This field displays whether NetBIOS packets are blocked or forwarded from the LAN to the WAN or from the WAN to the LAN.  Forward
    IPSec Packets        This field displays whether NetBIOS packets sent through a VPN…  Forward
  • Page 532
    … This command forwards LAN to WAN and WAN to LAN NetBIOS packets.
    Command: sys filter netbios config 3 on
    This command blocks IPSec NetBIOS packets.
    Command: sys filter netbios config 4 off
    This command stops NetBIOS commands from initiating calls.
  • Page 534 When you start up your Contivity 221, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen. In debug mode you...
  • Page 535 K-2 Boot Commands, Diagram K-2 Boot Module Commands
    …            just answer OK
    ATHE         print help
    ATBAx        change baudrate. 1:38.4k, 2:19.2k, 3:9.6k, 4:57.6k, 5:115.2k
    ATENx,(y)    set BootExtension Debug Flag (y=password)
    ATSE         show the seed of password generator
    ATTI(h,m,s)  change system time to hour:min:sec or show current time
    ATDA(y,m,d)  change system date to year/month/day or show current date
    ATDS…
    These commands are reached from the console by pressing a key while the switch boots, so whoever can reach the console port at power-up can use them; control that access as strictly as an administrator login.
  • Page 536 (login logs, continued; LOG MESSAGE / DESCRIPTION)
    SMT Login Fail          Someone has failed to log on to the router's SMT interface.
    WEB Login Successfully  Someone has logged on to the router's WebGUI interface.
    WEB Login Fail          Someone has failed to log on to the router's WebGUI interface.
  • Page 537 Firewall, Chart L-4 Content Filtering Logs (CATEGORY / LOG MESSAGE / DESCRIPTION)
    URLFOR  IP/Domain Name  The Contivity 221 allows access to this IP address or domain name and forwarded traffic addressed to it.
    URLBLK  IP/Domain Name  The Contivity 221 blocked access to this IP address or domain name due to a forbidden keyword.
  • Page 538 (attack logs, continued; LOG MESSAGE / DESCRIPTION)
    … - WAN
    ip spoofing - WAN IGMP  The firewall detected an IGMP IP spoofing attack on the WAN port.
    ip spoofing - WAN ESP   The firewall detected an ESP IP spoofing attack on the WAN port.
  • Page 539 (attack logs, continued; LOG MESSAGE / DESCRIPTION)
    illegal command TCP                 The firewall detected a TCP illegal command attack.
    NetBIOS TCP                         The firewall detected a TCP NetBIOS attack.
    ip spoofing - no routing entry TCP  The firewall detected a TCP IP spoofing attack while the Contivity 221 did not have a default route.
    …
  • Page 540 (access logs; LOG MESSAGE / DESCRIPTION)
    Firewall default policy: TCP (set:%d)  TCP access matched the default policy of the listed ACL set and the Contivity 221 blocked or forwarded it according to the ACL set's configuration.
    Firewall default policy: UDP (set:%d)  UDP access matched the default policy of the listed ACL set and the Contivity 221 blocked or forwarded it according to the ACL set's…
  • Page 541 (access logs, continued; LOG MESSAGE / DESCRIPTION)
    Firewall default policy: GRE (set:%d)   GRE access matched the default policy of the listed ACL set and the Contivity 221 blocked or forwarded it according to the ACL set's configuration.
    Firewall default policy: OSPF (set:%d)  OSPF access matched the default policy of the listed ACL set and the Contivity 221 blocked or forwarded it according to the ACL set's…
  • Page 542 (access logs, continued; LOG MESSAGE / DESCRIPTION)
    Firewall rule match: (set:%d, rule:%d)          Access matched the listed firewall rule and the Contivity 221 blocked or forwarded it according to the rule's configuration.
    Firewall rule NOT match: TCP (set:%d, rule:%d)  TCP access did not match the listed firewall rule and the Contivity 221 logged it.
  • Page 543 L-8 Log Descriptions, Chart L-6 Access Logs (LOG MESSAGE / DESCRIPTION)
    Firewall rule NOT match: (set:%d, rule:%d)  Access did not match the listed firewall rule and the Contivity 221 logged it.
    Filter default…                             TCP access matched a default filter policy and the Contivity 221 dropped the packet to block access.
  • Page 544 (Chart L-6 Access Logs, continued; LOG MESSAGE / DESCRIPTION)
    Filter match DROP <set %d/rule %d>  ICMP access matched the listed filter rule and the Contivity 221 dropped the packet to block access.
    Filter match DROP <set %d/rule %d>  Access matched the listed filter rule and the Contivity 221 dropped the packet to block access.
  • Page 545 (LOG MESSAGE / DESCRIPTION)
    Out of order TCP handshake packet blocked  The router blocked a TCP handshake packet that came out of the proper order.
    Drop unsupported/out-of-order ICMP         The Contivity 221 generates this log after it drops an ICMP packet due to one of the following two reasons: 1. …
  • Page 546 (Chart L-8 ICMP Notes, continued; TYPE / CODE / DESCRIPTION)
    Source Quench (type 4), code 0  A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.
    Redirect (type 5), code 0       Redirect datagrams for the Network
  • Page 547 L-12 Log Descriptions, Chart L-8 ICMP Notes (TYPE / CODE / DESCRIPTION)
    Redirect (type 5), code 1          Redirect datagrams for the Host
    Redirect (type 5), code 2          Redirect datagrams for the Type of Service and Network
    Redirect (type 5), code 3          Redirect datagrams for the Type of Service and Host
    Echo (type 8), code 0              Echo message
    Time Exceeded (type 11), code 0    Time to live exceeded in transit
    Time Exceeded (type 11), code 1    Fragment reassembly time exceeded
    Parameter Problem (type 12), code 0  Pointer indicates the error
    …
  • Page 548 (sample IPSec log, continued)
    01 Jan 08:02:26 Recv:<ID><HASH>
    01 Jan 08:02:26 Phase 1 IKE SA process done
    01 Jan 08:02:26 Start Phase 2: Quick Mode
    01 Jan 08:02:26 Send:<HASH><SA><NONCE><ID><ID>
    01 Jan 08:02:26 Recv:<HASH><SA><NONCE><ID><ID>
    01 Jan 08:02:26 Send:<HASH>
    Clear IPSec Log (y/n):
  • Page 549 Chart L-10 Sample IKE Key Exchange Logs (LOG MESSAGE / DESCRIPTION)
    Send <Symbol> Mode request to <IP>    The Contivity 221 has started negotiation with the peer.
    Recv <Symbol> Mode request from <IP>  The Contivity 221 has received an IKE negotiation request from the peer.
  • Page 550 (Chart L-10, continued; LOG MESSAGE / DESCRIPTION)
    Start Phase 2: Quick Mode         Phase 2 negotiation is beginning using Quick Mode.
    !! IKE Negotiation is in process  The Contivity 221 has already begun negotiation with the peer for this connection, but the IKE key exchange has not finished yet.
  • Page 551 (Chart L-10, continued; LOG MESSAGE / DESCRIPTION)
    !! IKE Packet Retransmit      The Contivity 221 did not receive a response from the peer and so retransmits the last packet sent.
    !! Failed to send IKE Packet  The Contivity 221 cannot send IKE packets due to a network error.
  • Page 552 (Chart L-10, continued; LOG MESSAGE / DESCRIPTION)
    !! WAN IP changed to <IP>  If the Contivity 221's WAN IP changes, all configured "My IP Addr" values are changed to "0.0.0.0". If this field is configured as 0.0.0.0, the Contivity 221 uses its current WAN IP address (static or dynamic) to set up the VPN tunnel.
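The exchange in the sample IPSec log and the "!!" messages in Chart L-10 are enough to script a first-pass triage of a tunnel that will not come up: did phase 1 complete, did Quick Mode start and finish, and did the device give up on retransmits, hit a send error or lose its WAN address. The Python below is an added example, not code from this guide or from Nortel; it parses log lines in the "DD Mon HH:MM:SS message" layout shown above and reports how far the negotiation got. Both sample logs are constructed for the example. The mode name "Main" standing in for <Symbol>, the peer address 10.0.0.2, the give-up threshold of three retransmits, and treating the bare Send:<HASH> after Quick Mode starts as the end of phase 2 are assumptions, not statements from the guide.

```python
import re
from datetime import datetime

# Constructed sample logs in the format of the IPSec log display shown above.
# The guide writes the mode as <Symbol>; "Main" is assumed here.  The payloads
# before Recv:<ID><HASH> are a plausible main-mode prefix added for the example.
SAMPLE_OK = """\
01 Jan 08:02:22 Send Main Mode request to 10.0.0.2
01 Jan 08:02:22 Send:<SA>
01 Jan 08:02:22 Recv:<SA>
01 Jan 08:02:24 Send:<KE><NONCE>
01 Jan 08:02:24 Recv:<KE><NONCE>
01 Jan 08:02:26 Send:<ID><HASH>
01 Jan 08:02:26 Recv:<ID><HASH>
01 Jan 08:02:26 Phase 1 IKE SA process done
01 Jan 08:02:26 Start Phase 2: Quick Mode
01 Jan 08:02:26 Send:<HASH><SA><NONCE><ID><ID>
01 Jan 08:02:26 Recv:<HASH><SA><NONCE><ID><ID>
01 Jan 08:02:26 Send:<HASH>
Clear IPSec Log (y/n):
"""

# Constructed: the peer stops answering during phase 1, then the WAN address moves.
SAMPLE_STALLED = """\
01 Jan 09:15:01 Send Main Mode request to 10.0.0.2
01 Jan 09:15:01 Send:<SA>
01 Jan 09:15:01 Recv:<SA>
01 Jan 09:15:03 Send:<KE><NONCE>
01 Jan 09:15:13 !! IKE Packet Retransmit
01 Jan 09:15:23 !! IKE Packet Retransmit
01 Jan 09:15:33 !! IKE Packet Retransmit
01 Jan 09:15:40 !! Failed to send IKE Packet
01 Jan 09:15:41 !! WAN IP changed to 203.0.113.7
"""

LINE = re.compile(r"^(\d{2} \w{3} \d{2}:\d{2}:\d{2}) (.*)$")
REQUEST = re.compile(r"^(Send|Recv) (\w+) Mode request (?:to|from) (\S+)$")
WAN_CHANGE = re.compile(r"^!! WAN IP changed to (\S+)$")
MAX_RETRANSMITS = 3  # assumed give-up threshold for the report; the guide states none


def parse_ike_log(text):
    """Return (timestamp, message) pairs; the log has no year, so strptime yields 1900."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skips blank lines and the "Clear IPSec Log (y/n):" prompt
        events.append((datetime.strptime(m.group(1), "%d %b %H:%M:%S"), m.group(2)))
    return events


def summarize_negotiation(text):
    """Walk one negotiation's log lines and report how far the exchange got."""
    s = {"peer": None, "mode": None, "direction": None, "phase1_done": False,
         "phase2_started": False, "phase2_done": False, "retransmits": 0,
         "send_failures": 0, "wan_ip_changes": [], "duration_s": None, "outcome": None}
    events = parse_ike_log(text)
    for _, msg in events:
        m = REQUEST.match(msg)
        if m:
            s["direction"] = "initiator" if m.group(1) == "Send" else "responder"
            s["mode"], s["peer"] = m.group(2), m.group(3)
        elif msg == "Phase 1 IKE SA process done":
            s["phase1_done"] = True
        elif msg == "Start Phase 2: Quick Mode":
            s["phase2_started"] = True
        elif msg == "Send:<HASH>" and s["phase2_started"]:
            s["phase2_done"] = True  # third Quick Mode message; end of phase 2 (assumption)
        elif msg == "!! IKE Packet Retransmit":
            s["retransmits"] += 1
        elif msg == "!! Failed to send IKE Packet":
            s["send_failures"] += 1
        else:
            m = WAN_CHANGE.match(msg)
            if m:
                s["wan_ip_changes"].append(m.group(1))
    if events:
        s["duration_s"] = (events[-1][0] - events[0][0]).total_seconds()
    if s["phase2_done"]:
        s["outcome"] = "established"
    else:
        phase = "phase 2" if s["phase1_done"] else "phase 1"
        gave_up = s["send_failures"] > 0 or s["retransmits"] >= MAX_RETRANSMITS
        s["outcome"] = f"{'failed' if gave_up else 'incomplete'} in {phase}"
    return s


if __name__ == "__main__":
    for name, log in (("ok", SAMPLE_OK), ("stalled", SAMPLE_STALLED)):
        print(name, summarize_negotiation(log))
```

A "failed in phase 1" result with retransmits and no Recv lines points at reachability or a peer that does not recognise the proposal, whereas "failed in phase 2" after a successful phase 1 points at mismatched IPSec policy (local/remote address ranges, protocol or port), which is where the IPSec policy commands on the preceding pages come in. A WAN IP change in the same window explains why "My IP Addr" would have been reset to 0.0.0.0.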
  • Page 553 Configuring What You Want the Contivity 221 to Log
    Use the sys logs load command to load the log setting buffer that allows you to configure which logs the Contivity 221 is to record. Use sys logs category followed by a log category and a parameter to…
  • Page 554 Use the sys logs clear command to erase all of the Contivity 221's logs.
    Log Command Example. This example shows how to set the Contivity 221 to record the access logs and alerts and then view the results.
    ras> sys logs load
    ras> …
  • Page 555 L-20 Log Descriptions
    .time source destination notes message
    0|11/11/2002 15:10:12 |172.22.3.80:137 |172.22.255.255:137 |ACCESS BLOCK Firewall default policy: UDP(set:8)
    1|11/11/2002 15:10:12 |172.21.4.17:138 |172.21.255.255:138 |ACCESS BLOCK Firewall default policy: UDP(set:8)
    2|11/11/2002 15:10:11 |172.17.2.1 |224.0.1.60 |ACCESS BLOCK Firewall default policy: IGMP(set:8)
    3|11/11/2002 15:10:11 |172.22.3.80:137 |172.22.255.255:137 |ACCESS BLOCK Firewall default policy: UDP(set:8)
    Entries 0, 1 and 3 are NetBIOS name service and datagram broadcasts (UDP 137/138 to the subnet broadcast address) and entry 2 is an IGMP message to 224.0.1.60; all four were dropped by the default policy of ACL set 8 rather than by an explicit rule.
  • Page 556 (a number from 1 to 60) minutes after the third time an incorrect password is entered.
    Example: sys pwderrtm 5
    This command sets the password protection to block all access attempts for five minutes after the third time an incorrect password is entered.
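The sys logs display output above is line-oriented and the log charts fix the message formats, so the two together are enough for offline triage without re-typing the entries into a spreadsheet. The Python below is an added example, not code from this guide or from Nortel: it parses the pipe-separated display layout, classifies each message with the formats from the access-log and login-log charts, counts what the default policy, rule matches and filter rules dropped, and flags any source that has failed to log in three times, the same count at which sys pwderrtm starts blocking. Entries 0 to 3 of the sample are the lines shown above; entries 4 to 8 are constructed here to exercise the other message formats. The "ACCESS FORWARD" note, the source and destination columns of the login entries, and the addresses 198.51.100.23 and 172.22.3.1 are assumptions.

```python
import re
from collections import Counter

# Constructed sample of `sys logs display` output.  Entries 0-3 copy the lines
# shown in the guide; entries 4-8 are added to exercise the rule-match, filter
# and login message formats.  "ACCESS FORWARD" and the login-entry columns are
# assumptions, not formats the guide shows.
SAMPLE_DISPLAY = """\
.time source destination notes message
0|11/11/2002 15:10:12 |172.22.3.80:137 |172.22.255.255:137 |ACCESS BLOCK Firewall default policy: UDP(set:8)
1|11/11/2002 15:10:12 |172.21.4.17:138 |172.21.255.255:138 |ACCESS BLOCK Firewall default policy: UDP(set:8)
2|11/11/2002 15:10:11 |172.17.2.1 |224.0.1.60 |ACCESS BLOCK Firewall default policy: IGMP(set:8)
3|11/11/2002 15:10:11 |172.22.3.80:137 |172.22.255.255:137 |ACCESS BLOCK Firewall default policy: UDP(set:8)
4|11/11/2002 15:10:09 |198.51.100.23:4455 |172.22.3.80:23 |ACCESS FORWARD Firewall rule match: TCP (set:2, rule:1)
5|11/11/2002 15:10:08 |198.51.100.23:4456 |172.22.3.80:80 |ACCESS BLOCK Filter match DROP <set 3/rule 2>
6|11/11/2002 15:09:55 |198.51.100.23 |172.22.3.1 |WEB Login Fail
7|11/11/2002 15:09:50 |198.51.100.23 |172.22.3.1 |WEB Login Fail
8|11/11/2002 15:09:45 |198.51.100.23 |172.22.3.1 |WEB Login Fail
"""

ENTRY = re.compile(r"^(\d+)\|([^|]+)\|([^|]+)\|([^|]+)\|(.*)$")
NOTES = re.compile(r"^(ACCESS \w+)\s+(.*)$")
# Message formats taken from the access-log and login-log charts above.
PATTERNS = [
    ("firewall_default", re.compile(r"^Firewall default policy: (\w+) ?\(set:(\d+)\)$")),
    ("firewall_rule", re.compile(r"^Firewall rule (NOT )?match: (?:(\w+) )?\(set:(\d+), rule:(\d+)\)$")),
    ("filter_drop", re.compile(r"^Filter match DROP <set (\d+)/rule (\d+)>$")),
    ("login", re.compile(r"^(SMT|WEB) Login (Successfully|Fail)$")),
]


def classify(message):
    """Map one log message to its chart category plus the fields that format carries."""
    for kind, pat in PATTERNS:
        m = pat.match(message)
        if not m:
            continue
        if kind == "firewall_default":
            return {"kind": kind, "proto": m.group(1), "set": int(m.group(2)), "rule": None}
        if kind == "firewall_rule":
            return {"kind": kind, "matched": m.group(1) is None, "proto": m.group(2),
                    "set": int(m.group(3)), "rule": int(m.group(4))}
        if kind == "filter_drop":
            return {"kind": kind, "set": int(m.group(1)), "rule": int(m.group(2))}
        return {"kind": kind, "interface": m.group(1), "success": m.group(2) == "Successfully"}
    return {"kind": "other"}


def parse_display_output(text):
    """Parse the index|time|source|destination|notes message layout into records."""
    records = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header line, prompts and blanks
        index, time, src, dst, rest = (f.strip() for f in m.groups())
        n = NOTES.match(rest)
        notes, message = (n.group(1), n.group(2)) if n else ("", rest)
        rec = {"index": int(index), "time": time, "src": src, "dst": dst,
               "notes": notes, "message": message}
        rec.update(classify(message))
        records.append(rec)
    return records


def host(addr):
    """Strip the :port suffix the display appends to TCP and UDP endpoints."""
    return addr.split(":")[0]


def report(records, lockout_threshold=3):
    """Aggregate drops by set/rule and count failed logins per source host."""
    rep = {"blocked_by_default_policy": Counter(), "rule_hits": Counter(),
           "filter_drops": Counter(), "login_failures": Counter()}
    for r in records:
        if r["kind"] == "firewall_default" and r["notes"] == "ACCESS BLOCK":
            rep["blocked_by_default_policy"][(r["proto"], r["set"])] += 1
        elif r["kind"] == "firewall_rule" and r["matched"]:
            rep["rule_hits"][(r["set"], r["rule"])] += 1
        elif r["kind"] == "filter_drop":
            rep["filter_drops"][(r["set"], r["rule"])] += 1
        elif r["kind"] == "login" and not r["success"]:
            rep["login_failures"][host(r["src"])] += 1
    rep["lockout_candidates"] = sorted(
        h for h, n in rep["login_failures"].items() if n >= lockout_threshold)
    return rep


if __name__ == "__main__":
    for key, value in report(parse_display_output(SAMPLE_DISPLAY)).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Sources that reach the lockout threshold in the WebGUI or SMT login logs are the ones sys pwderrtm will have blocked; seeing the same source immediately in the filter or rule-match counters tells you whether the firewall was also dropping its traffic or only the login was failing.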
