Version 2.00 Part No. 317516-A Rev 00 December 2003 600 Technology Park Drive Billerica, MA 01821-4130 Contivity 251 VPN Switch User’s Guide...
The software license agreement is included in this document. Trademarks Nortel Networks, the Nortel Networks logo, and Contivity are trademarks of Nortel Networks. Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated. Check Point and Firewall 1 are trademarks of Check Point Software Technologies Ltd.
Networks Inc. reserves the right to make changes to the products described in this document without notice. Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Software and for the installation of, use of, and results obtained from the Software. 1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable.
12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities). b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.
Federal Communications Commission (FCC) interference statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operations.
Any replacement will consist of a new or re-manufactured functionally equivalent product of equal value, and will be solely at the discretion of Nortel Networks. This warranty shall not apply if the product is modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
Charts ............................xxix Preface............................xxxi What is DSL?..........................xxxiii Getting Started..........................I Chapter 1 Getting to Know Your Contivity 251................1-1 Introducing the Contivity 251..................1-1 Features of the Contivity 251 ..................1-1 Applications for the Contivity 251 ................. 1-6 Hardware Setup......................
Configuring IP Static Route ..................8-1 Firewall and Content Filters......................IV Chapter 9 Firewalls........................9-1 Firewall Overview ......................9-1 Types of Firewalls......................9-1 Introduction to Contivity 251’s Firewall .................9-2 Denial of Service......................9-3 Stateful Inspection ......................9-8 Guidelines For Enhancing Security With Your Firewall..........9-13
15.6 Keep Alive ........................15-7 15.7 NAT Traversal ......................15-8 15.8 ID Type and Content ....................15-9 15.9 Pre-Shared Key ......................15-11 15.10 Connection Type ...................... 15-11 15.11 Configuring a Contivity Client VPN Rule ..............15-11
15.12 Configuring a Basic Branch Office VPN Rule............15-13 15.13 Configuring an IP Policy ...................15-21 15.14 IKE Phases .......................15-25 15.15 Configuring Advanced Branch Office Setup .............15-27 15.16 Viewing SA Monitor ....................15-31 15.17 Configuring Global Setting..................15-32 15.18 VPN and Remote Management................15-33 Remote Management, UPnP and Logs ..................VI Chapter 16 Remote Management Configuration ..............16-1 16.1 Remote Management Overview .................16-1...
Chapter 29 Enabling the Firewall....................29-1 29.1 Remote Management and the Firewall ..............29-1 29.2 Access Methods ......................29-1 29.3 Enabling the Firewall ....................29-1 SMT Advanced Management......................IX Chapter 30 Filter Configuration....................30-1
30.1 About Filtering......................30-1 30.2 Configuring a Filter Set for the Contivity 251..............30-4 30.3 Filter Rules Summary Menus ..................30-6 30.4 Configuring a Filter Rule .....................30-8 30.5 Filter Types and NAT....................30-15 30.6 Example Filter......................30-15 30.7 Applying Filters and Factory Defaults...............30-18 Chapter 31 SNMP Configuration ....................31-1...
Appendix F Setting up Your Computer’s IP Address..............F-1 Appendix G Splitters and Microfilters ..................G-1 Appendix H Log Descriptions ....................H-1 CI Commands Index ........................XI Appendix I Command Interpreter ....................I-1 Appendix J Index .......................... J-1
Figure 19-12 Configuration: Restore Successful.................19-15 Figure 19-13 Network Temporarily Disconnected ...............19-15 Figure 20-1 Login Screen ......................20-2 Figure 20-2 Contivity 251 SMT Menu Overview................20-3 Figure 20-3 SMT Main Menu......................20-5 Figure 20-4 Menu 23 System Password ..................20-6 Figure 21-1 Menu 1 General Setup....................21-2 Figure 21-2 Menu 1.1 Configure Dynamic DNS................21-4...
Figure 22-2 Menu 2.1 Traffic Redirect Setup..................22-3 Figure 22-3 Menu 2.2 Dial Backup Setup..................22-5 Figure 22-4 Menu 2.2.1 Advanced Dial Backup Setup..............22-6 Figure 23-1 Menu 3 LAN Setup .....................23-1 Figure 23-2 Menu 3.1 LAN Port Filter Setup .................23-1 Figure 23-3 Menu 3.2 TCP/IP and DHCP Ethernet Setup ............23-2 Figure 24-1 Physical Network......................24-2 Figure 24-2 Partitioned Logical Networks..................24-2 Figure 24-3 Menu 3.2 TCP/IP and DHCP Setup ................24-2...
Figure 30-15 Filtering Remote Node Traffic ................30-20 Figure 31-1 SNMP Management Model..................31-1 Figure 31-2 Menu 22 SNMP Configuration ...................31-3 Figure 32-1 Menu 24 System Maintenance ..................32-1 Figure 32-2 Menu 24.1 System Maintenance: Status ..............32-2
Figure 32-3 Menu 24.2 System Information and Console Port Speed ..........32-4 Figure 32-4 Menu 24.2.1 System Maintenance: Information ............32-4 Figure 32-5 Menu 24.2.2 System Maintenance: Change Console Port Speed......32-5 Figure 32-6 Menu 24.3 System Maintenance: Log and Trace ............32-6 Figure 32-7 Sample Error and Information Messages..............32-7 Figure 32-8 Menu 24.3.2 System Maintenance: UNIX Syslog ............32-7 Figure 32-9 Menu 24.4 System Maintenance: Diagnostic.............32-9...
Figure 36-8 IP Routing Policy Example..................36-9 Figure 36-9 Applying IP Policies Example ..................36-9 Figure 37-1 Menu 26 Schedule Setup...................37-1 Figure 37-2 Menu 26.1 Schedule Set Setup .................37-2 Figure 37-3 Applying Schedule Set(s) to a Remote Node (PPPoE) ..........37-4
Table 32-3 Menu 24.3.2 System Maintenance: UNIX Syslog ............32-7 Table 32-4 Menu 24.4 System Maintenance Menu: Diagnostic ............32-9 Table 33-1 Filename Conventions ....................33-2 Table 33-2 General Commands for GUI-based FTP Clients ............33-4 Table 33-3 General Commands for GUI-based TFTP Clients............33-6
Table 34-1 Menu 24.9.1 System Maintenance: Budget Management...........34-3 Table 34-2 Menu 24.10 System Maintenance: Time and Date Setting .........34-5 Table 35-1 Menu 24.11 Remote Management Control..............35-2 Table 36-1 Menu 25.1 IP Routing Policy Setup ................36-3 Table 36-2 Menu 25.1.1 IP Routing Policy ..................36-5 Table 37-1 Menu 26.1 Schedule Set Setup ...................37-2
Charts Chart A-1 Troubleshooting the Start-Up of Your Contivity 251 ............A-1 Chart A-2 Troubleshooting the LAN LED..................A-1 Chart A-3 Troubleshooting the DSL LED..................A-2 Chart A-4 Troubleshooting the LAN Interface................. A-2 Chart A-5 Troubleshooting the WAN Interface ................A-3 Chart A-6 Troubleshooting Internet Access ..................
This manual is designed to guide you through the configuration of your Contivity 251 for its various applications. This manual may refer to the Contivity 251 VPN Switch as the Contivity 251. You may use the System Management Terminal (SMT), WebGUI or command interpreter interface to configure your Contivity 251.
“i.e.” for “that is” or “in other words” throughout this manual. How to get help If you purchased a service contract for your Nortel Networks product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.
Internet session in which more information is downloaded, for example, from Web servers, than is uploaded. ADSL operates in a frequency range that is above the frequency range of voice services, so the two systems can operate over the same cable.
Getting Started Part I: Getting Started This part is structured as a step-by-step guide to help you access your Contivity 251. It covers key features and applications, accessing the WebGUI and configuring the wizard screens for initial setup.
1.2 Features of the Contivity 251 Your Contivity 251 is packed with a number of features that give it the flexibility to provide a complete networking solution for almost any user. The Contivity 251 has four LAN ports.
• Firewall The Contivity 251 is a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN. The Contivity 251’s firewall supports TCP/UDP inspection, DoS detection and prevention, real...
ISP to use their existing network configuration with newer broadband technologies such as ADSL. The PPPoE driver on the Contivity 251 is transparent to the computers on the LAN, which see only Ethernet and are not aware of PPPoE, thus saving you from having to manage PPPoE clients on individual computers.
It can assign IP addresses, an IP default gateway and DNS servers to DHCP clients. The Contivity 251 can now also act as a surrogate DHCP server (DHCP Relay), where it relays IP address assignments from the actual DHCP server to the clients.
The Contivity 251 supports VC-based and LLC-based multiplexing. • Encapsulation The Contivity 251 supports PPPoA (RFC 2364 - PPP over ATM Adaptation Layer 5), RFC 1483 encapsulation over ATM, MAC encapsulated routing (ENET encapsulation) as well as PPP over Ethernet (RFC 2516).
Your Contivity 251's compact and ventilated housing minimizes space requirements making it easy to position anywhere in your busy office. 1.3 Applications for the Contivity 251 Here are some example uses for which the Contivity 251 is well suited.
1.3.1 Internet Access The Contivity 251 is the ideal high-speed Internet access solution. Your Contivity 251 supports the TCP/IP protocol, which the Internet uses exclusively. It is compatible with all major ADSL DSLAM (Digital Subscriber Line Access Multiplexer) providers.
Figure 1-2 Firewall Application 1.3.3 VPN Application The Contivity 251’s VPN feature makes it an ideal cost-effective way to connect branch offices and business partners over the Internet without the need (and expense) for leased lines between sites. VPN ensures the privacy and integrity of your data transmissions.
1.3.4 LAN to LAN Application You can use the Contivity 251 to connect two geographically dispersed networks over the ADSL line. A typical LAN-to-LAN application for your Contivity 251 is shown as follows.
To keep the Contivity 251 operating at optimal internal temperature, keep the bottom, sides and rear clear of obstructions and away from the exhaust of other equipment. After installing your Contivity 251, continue with the rest of this User’s Guide for configuration instructions.
This chapter describes how to access and navigate the WebGUI. 2.1 WebGUI Overview The embedded WebGUI allows you to manage the Contivity 251 from anywhere through a browser such as Microsoft Internet Explorer or Netscape Navigator. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions with JavaScript enabled.
Figure 2-2 WebGUI: Change Password at Login You should now see the SITE MAP screen. Step 7. The Contivity 251 automatically times out after five minutes of inactivity. Simply log back into the Contivity 251 if this happens to you.
Click Main Menu to go to the Site Map screen. Click Logout in the navigation panel when you have finished a Contivity 251 management session.
If you forget your password or cannot access the WebGUI screens/SMT menus, you will need to reload the factory-default configuration file or use the RESET button on the back of the Contivity 251. Uploading this configuration file replaces the current configuration file with the factory-default configuration file. This means...
Step 1. Turn off the Contivity 251, begin a terminal emulation software session and turn on the Contivity 251 again. When you see the message "Press Any key to enter Debug Mode within 3 seconds", press any key to enter debug mode.
Figure 2-4 Example Xmodem Upload Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. Step 5. After successful firmware upload, enter "atgo" to restart the Contivity 251.
Quick Start Guide. Your ISP may have already configured some of the fields in the wizard screens for you. 3.2 Encapsulation Be sure to use the encapsulation method required by your ISP. The Contivity 251 supports the following methods. 3.2.1 ENET ENCAP The MAC Encapsulated Routing Link Protocol (ENET ENCAP) is only implemented with the IP network protocol.
3.2.3 PPPoA PPPoA stands for Point to Point Protocol over ATM Adaptation Layer 5 (AAL5). A PPPoA connection functions like a dial-up Internet connection. The Contivity 251 encapsulates the PPP session based on RFC1483 and sends it through an ATM PVC (Permanent Virtual Circuit) to the Internet Service Provider’s (ISP) DSLAM (digital access multiplexer).
The following table describes the fields in this screen. Table 3-1 Wizard Screen 1 LABEL DESCRIPTION Mode From the Mode drop-down list box, select Routing (default) if your ISP allows multiple computers to share an Internet account. Otherwise select Bridge.
If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0 and you must enable the Network Address Translation (NAT) feature of the Contivity 251. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use;...
IP Address and ENET ENCAP Gateway fields as supplied by your ISP. However for a dynamic IP, the Contivity 251 acts as a DHCP client on the WAN port and so the IP Address and ENET ENCAP Gateway fields are not applicable (N/A) as the DHCP server assigns them to the Contivity 251.
The first is that idle timeout is disabled. The second is that the Contivity 251 will try to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be very expensive for obvious reasons.
The second wizard screen varies depending on what mode and encapsulation type you use. All screens shown are with routing mode. Configure the fields and click Next to continue. Figure 3-2 Internet Connection with PPPoA The following table describes the fields in this screen.
Table 3-2 Internet Connection with PPPoA LABEL DESCRIPTION User Name Enter the login name that your ISP gives you. Password Enter the password associated with the user name above. This option is available if you select Routing in the Mode field. IP Address A static IP address is a fixed IP that your ISP gives you.
Select None, SUA Only or Full Feature from the drop-down list box. Refer to the NAT Translation chapter for more details. Back Click Back to go back to the first wizard screen. Next Click Next to continue to the next wizard screen.
Figure 3-4 Internet Connection with ENET ENCAP The following table describes the fields in this screen. Table 3-4 Internet Connection with ENET ENCAP LABEL DESCRIPTION IP Address A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed;...
Click Back to go back to the first wizard screen. Next Click Next to continue to the next wizard screen. Figure 3-5 Internet Connection with PPPoE The following table describes the fields in this screen.
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the Contivity 251 as a DHCP server or disable it. When configured as a
DHCP service off, you must have another DHCP server on your LAN, or else the computer must be manually configured. 3.11.1 IP Pool Setup The Contivity 251 is pre-configured with a pool of 32 IP addresses starting from 192.168.1.3 to 192.168.1.34 for the client machines. 3.12 Wizard Setup Configuration: Third Screen Step 1.
Figure 3-6 Wizard Screen 3 Step 2. If you want to change your Contivity 251 LAN settings, click Change LAN Configuration to display the screen as shown next.
Enter a subnet mask in dotted decimal notation. DHCP DHCP Server From the DHCP Server drop-down list box, select On to allow your Contivity 251 to assign IP addresses, an IP default gateway and DNS servers to computer systems that support the DHCP client. Select Off to disable DHCP server.
3.13 Wizard Setup Configuration: Connection Tests The Contivity 251 automatically tests the connection to the computer(s) connected to the LAN ports. To test the connection from the Contivity 251 to the ISP and the connected LAN device(s), click Start Diagnose. Otherwise click Return to Main Menu to go back to the Site Map screen.
Refer to the rest of this User’s Guide for more detailed information on the complete range of Contivity 251 features. If you cannot access the Internet, open the WebGUI again to confirm that the Internet settings you configured in the Wizard Setup are correct.
Site Map screen, click System under Advanced Setup to open the main System screen Figure 4-1 System 4.2 Configuring DNS Servers To configure DNS server settings, click General to display the screen as shown.
Select From DHCP if your DHCP server dynamically assigns DNS server information (and the Contivity 251's Ethernet IP address). The field to the right displays the (read- only) DNS server IP address that the ISP assigns. If you chose From DHCP, but the Contivity has a fixed Ethernet IP address, From DHCP changes to None after you click Apply.
Type the new password again in this field. Back Click Back to return to the previous screen. Apply Click Apply to save your changes back to the Contivity 251. Cancel Click Cancel to begin configuring this screen afresh.
If you have a private WAN IP address, then you cannot use Dynamic DNS. 4.4.2 Configuring Dynamic DNS To change your Contivity 251’s DDNS, click DDNS in the main System screen. The screen appears as shown.
Select this check box to activate DDNS. Service Provider Select the name of your Dynamic DNS service provider. Host Name Type the domain name assigned to your Contivity 251 by your Dynamic DNS provider. E-mail Address Type your e-mail address. User Type your user name provided.
Click Cancel to begin configuring this screen afresh. 4.5 Configuring Time and Date To change your Contivity 251’s time and date, click Time and Date in the main System screen. The screen appears as shown. Use this screen to configure the Contivity 251’s time based on your local time zone.
Use the drop-down list box to select the time service protocol that your time server sends when you turn on the Contivity 251. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
Table 4-4 System: Time and Date LABEL DESCRIPTION Back Click Back to go back to the previous screen. Apply Click Apply to save your changes. Cancel Click Cancel to begin configuring this screen afresh.
LAN DHCP server and manage IP addresses. 5.1.1 LANs, WANs and the Contivity 251 The actual physical connection determines whether the Contivity 251 ports are LAN or WAN ports. There are two separate IP networks, one inside, the LAN network;...
If the DNS server fields in LAN- LAN Setup screen are not specified, for instance, left as 0.0.0.0, the Contivity 251 tells the DHCP clients that it itself is the DNS server. When a computer sends a DNS query to the Contivity 251, the Contivity 251 forwards the query to the real DNS server learned through IPCP and relays the response back to the computer.
1. Both - the Contivity 251 will broadcast its routing table periodically and incorporate the RIP information that it receives.
2. In Only - the Contivity 251 will not send any RIP packets but will accept all RIP packets received.
IGMP. The address 224.0.0.2 is assigned to the multicast routers group. The Contivity 251 supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start up, the Contivity 251 queries all directly connected networks to gather group membership. After that, the Contivity 251 periodically updates this information.
If set to None, the DHCP server will be disabled. DHCP If set to Relay, the Contivity 251 acts as a surrogate DHCP server and relays DHCP requests and responses between the remote server and the clients. Enter the IP address of the actual, remote DHCP server in the Remote DHCP Server field in this case.
Remote DHCP Server Enter the IP address of the remote DHCP server here. TCP/IP IP Address Enter the IP address of your Contivity 251 in dotted decimal notation, for example, 192.168.1.1 (factory default). IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given).
DESCRIPTION IP Alias 1/2 Select the check box(es) to activate and configure logical LAN interface(s). IP Address Enter the IP address of your Contivity 251 in dotted decimal notation, for example, 192.168.1.1 (factory default). IP Subnet Mask Your Contivity 251 will automatically calculate the subnet mask based on the IP address that you assign.
Table 5-2 LAN: IP Alias LABEL DESCRIPTION Back Click Back to go back to the previous screen. Apply Click Apply to save these settings back to the Contivity 251. Cancel Click Cancel to reset the fields in this screen.
The smaller the number, the lower the "cost". The metric sets the priority for the Contivity 251’s routes to the Internet. If any two of the default routes have the same metric, the Contivity 251 uses the following pre-defined priorities: 1.
By implementing PPPoE directly on the Contivity 251 (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the Contivity 251 does that part of the task. Furthermore, with NAT, all of the LANs’ computers will have access.
The following figure illustrates the relationship between PCR, SCR and MBS. Figure 6-1 Example of Traffic Shaping 6.5 Configuring WAN Setup To change your Contivity 251’s WAN remote node settings, click WAN, WAN Setup. The screen differs by the encapsulation.
Figure 6-2 WAN: WAN Setup (Internet Access Setup) The following table describes the labels in this screen. Table 6-1 WAN: WAN Setup LABEL DESCRIPTION Name Enter the name of your Internet Service Provider, e.g., MyISP. This information is for identification purposes only.
Maximum Burst Size Maximum Burst Size (MBS) refers to the maximum number of cells that can be sent at the peak rate. Type the MBS, which is less than 65535. Login Information (PPPoA and PPPoE encapsulation only) Service Name (PPPoE only) Type the name of your PPPoE service here.
PPPoE_Client_PC through to allow up to ten hosts on the LAN to use PPPoE client software on their computers to connect to the ISP via the Contivity 251. Each host can have a separate PPPoE account and a public WAN IP address.
Click Cancel to begin configuring this screen afresh. 6.6 Traffic Redirect on the LAN Traffic redirect forwards LAN traffic to a backup gateway when the Contivity 251 cannot connect to the Internet. An example is shown in the figure below.
LAN. Use IP alias to configure the LAN into two or three logical networks with the Contivity 251 itself as the gateway for each LAN network. Put the protected LAN in one subnet (Subnet 1 in the following figure) and the backup gateway in another subnet (Subnet 2).
DESCRIPTION Backup Type Select the method that the Contivity 251 uses to check the DSL connection. Select DSL Link to have the Contivity 251 check the DSL connection’s physical layer. Select ICMP to have the Contivity 251 periodically ping the IP addresses configured in the Check WAN IP Address fields.
Timeout Type the number of seconds (3 recommended) for your Contivity 251 to wait for a ping response from one of the IP addresses in the Check WAN IP Address field before timing out the request. The WAN connection is considered "down" after the Contivity 251 times out the number of times specified in the Fail Tolerance field.
Select this check box to turn on dial backup. Metric This field sets this route's priority among the three routes the Contivity 251 uses (normal, traffic redirect and dial backup). Type a number (1 to 15) to set the priority of the dial backup route for data transmission. The smaller the number, the higher the priority.
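As an added illustration (not code from the Contivity 251 or Nortel), the following Python model shows how the Backup Type, Timeout and Fail Tolerance fields above decide when the WAN counts as "down", and how the metric of the normal, traffic redirect and dial backup routes then picks the route to use. The probe results, IP addresses and the fail-tolerance value are constructed sample data; the tie-break order for equal metrics is an assumption, because this excerpt does not list the pre-defined priorities.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class WanCheck:
    """Models the traffic-redirect check: DSL Link (physical layer) or ICMP probes."""
    backup_type: str            # "DSL Link" or "ICMP"
    timeout: float = 3.0        # seconds to wait for a ping reply (3 recommended)
    fail_tolerance: int = 3     # consecutive timeouts before WAN is "down" (sample value)
    failures: int = 0
    wan_up: bool = True

    def probe(self, dsl_link_up: bool, ping_rtts: Dict[str, Optional[float]]) -> bool:
        """Feed one monitoring round and return whether the WAN is still considered up.

        ping_rtts maps each Check WAN IP Address to its reply time in seconds,
        or None when no reply arrived at all.
        """
        if self.backup_type == "DSL Link":
            self.wan_up = dsl_link_up
            return self.wan_up
        # ICMP: a reply from any one of the configured addresses within the
        # timeout is enough; otherwise this round counts as one timeout.
        answered = any(rtt is not None and rtt <= self.timeout for rtt in ping_rtts.values())
        if answered:
            self.failures = 0
            self.wan_up = True
        else:
            self.failures += 1
            if self.failures >= self.fail_tolerance:
                self.wan_up = False
        return self.wan_up


@dataclass
class Route:
    name: str          # "normal", "traffic redirect" or "dial backup"
    metric: int        # 1 to 15; the smaller the number, the higher the priority
    enabled: bool = True

    def __post_init__(self) -> None:
        if not 1 <= self.metric <= 15:
            raise ValueError("metric must be between 1 and 15")


def select_route(routes: List[Route], wan_up: bool) -> Optional[Route]:
    """Pick the route for outgoing traffic.

    The normal (DSL) route is only usable while the WAN check says it is up;
    backup routes are usable whenever they are enabled. Among usable routes the
    lowest metric wins. Equal metrics fall back to list order here, which is an
    assumption standing in for the device's pre-defined priorities.
    """
    usable = [r for r in routes if r.enabled and (r.name != "normal" or wan_up)]
    if not usable:
        return None
    return min(usable, key=lambda r: r.metric)   # min keeps the first of equal keys


def failover_demo() -> List[str]:
    """Constructed scenario: two probe addresses, three timeouts, then recovery."""
    check = WanCheck("ICMP", timeout=3.0, fail_tolerance=3)
    routes = [Route("normal", 1), Route("traffic redirect", 2), Route("dial backup", 3)]
    # Sample probe rounds (constructed): None = no reply, 4.5 s = reply after timeout.
    rounds = [
        {"198.51.100.1": None, "198.51.100.2": None},
        {"198.51.100.1": None, "198.51.100.2": 4.5},
        {"198.51.100.1": None, "198.51.100.2": None},
        {"198.51.100.1": 0.02, "198.51.100.2": None},
    ]
    chosen = []
    for rtts in rounds:
        up = check.probe(dsl_link_up=True, ping_rtts=rtts)
        chosen.append(select_route(routes, up).name)
    return chosen
```

With the sample rounds the normal route is kept for the first two rounds, traffic redirect takes over when the third consecutive timeout reaches the fail tolerance, and the normal route returns as soon as one probe answers.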
Phone Number Type the first (primary) phone number from the ISP for this remote node. If the primary phone number is busy or does not answer, your Contivity 251 dials the secondary phone number if available. Some areas require dialing the pound sign # before the phone number for local calls.
The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, In Only or Out Only. When set to Both or Out Only, the Contivity 251 will broadcast its routing table periodically. When set to Both or In Only, the Contivity 251 will incorporate RIP information that it receives.
10 minutes every hour, set the Allocated Budget to 10 (minutes) and the Period to 1 (hour). If you set the Period to 0, there is no budget control and the Contivity 251 uses the Connection settings.
(Data Terminal Ready) signal is dropped by the DTE. When the “Drop DTR When Hang Up” check box is selected, the Contivity 251 uses this hardware signal to force the WAN device to hang up, in addition to issuing the drop command “ATH”.
Type the AT Command string to answer a call. Example: ata Drop DTR When Hang Up Select this check box to have the Contivity 251 drop the DTR (Data Terminal Ready) signal after the "AT Command String: Drop" is sent out.
Type the keyword preceding the connection speed. Example: CONNECT Call Control Dial Timeout Type a number of seconds for the Contivity 251 to try to set up an outgoing call before timing out (stopping). Example: 60 Retry Count Type a number of times for the Contivity 251 to retry a busy or no-answer phone number before blacklisting the number.
IP address known within another network. 7.1.1 NAT Definitions Inside/outside denotes where a host is located relative to the Contivity 251, for example, the computers of your subscribers are the inside hosts, while the web servers on the Internet are the outside hosts.
IP source address (and TCP or UDP source port numbers for Many-to-One and Many-to-Many Overload NAT mapping) in each packet and then forwards it to the Internet. The Contivity 251 keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored.
7.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the Contivity 251 can communicate with three distinct WAN networks. More examples follow at the end of this chapter.
7.1.5 NAT Mapping Types NAT supports five types of IP/port mapping. They are:
One to One: In One-to-One mode, the Contivity 251 maps one local IP address to one global IP address.
Many to One: In Many-to-One mode, the Contivity 251 maps multiple local IP addresses to one global IP address.
IGA1 7.2 SUA (Single User Account) Versus NAT SUA (Single User Account) is the Contivity 251 implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. The Contivity 251 also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types as outlined in Table 7-2.
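The following Python model is an added example (not Contivity 251 code) of the translation behaviour described in 7.1.3 through 7.2: the translator rewrites the source address, and for Many-to-One and Many-to-Many Overload also the source port, keeps a table of the original values, and restores them on the reply; a SUA server set forwards unsolicited inbound connections on a port range to an inside server. The addresses, ports and the port-pool start are constructed sample values; the class and method names are this example's own.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Nat:
    """Toy address/port translator for the mapping types the guide lists."""

    def __init__(self, mode: str, global_ips: List[str], local_ips: List[str] = (),
                 server_set: List[Tuple[int, int, str]] = ()):
        # mode: "one_to_one", "many_to_one" (SUA) or "many_to_many_overload"
        self.mode = mode
        self.global_ips = list(global_ips)
        self.local_ips = list(local_ips)
        # server_set entries are (Start Port No., End Port No., inside server IP)
        self.server_set = list(server_set)
        # Tables that let reply packets get their original values restored.
        self.out_bindings: Dict[Tuple[str, int, str], Tuple[str, int]] = {}  # local -> global
        self.in_bindings: Dict[Tuple[str, int, str], Tuple[str, int]] = {}   # global -> local
        self._ports = itertools.count(1024)   # constructed translated-port pool

    def _bind(self, pkt: Packet) -> Tuple[str, int]:
        """Choose the global (IGA) address and port for a new inside source."""
        if self.mode == "one_to_one":
            # one local IP maps to one global IP; the port is left alone
            return self.global_ips[self.local_ips.index(pkt.src_ip)], pkt.src_port
        if self.mode == "many_to_one":
            # everything shares the single public IP, distinguished by source port
            return self.global_ips[0], next(self._ports)
        if self.mode == "many_to_many_overload":
            # spread bindings over the public IPs (round-robin here), port-translated
            gip = self.global_ips[len(self.out_bindings) % len(self.global_ips)]
            return gip, next(self._ports)
        raise ValueError(f"unknown mode {self.mode}")

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the source, remembering the original."""
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self.out_bindings:
            gip, gport = self._bind(pkt)
            self.out_bindings[key] = (gip, gport)
            self.in_bindings[(gip, gport, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        gip, gport = self.out_bindings[key]
        return replace(pkt, src_ip=gip, src_port=gport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: restore a reply's original destination, or forward to a
        server-set entry; anything else has no mapping and is dropped (None).
        A matching firewall rule is still required on the real device."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.proto)
        if key in self.in_bindings:
            lip, lport = self.in_bindings[key]
            return replace(pkt, dst_ip=lip, dst_port=lport)
        for start, end, inside_ip in self.server_set:
            if start <= pkt.dst_port <= end:
                return replace(pkt, dst_ip=inside_ip)
        return None


def sua_demo() -> Tuple[Packet, Optional[Packet], Optional[Packet], Optional[Packet]]:
    """SUA Only: one public IP, Many-to-One for clients plus a server set (constructed)."""
    nat = Nat("many_to_one", ["203.0.113.5"], server_set=[(80, 80, "192.168.1.10")])
    out = nat.outbound(Packet("192.168.1.3", 40000, "198.51.100.10", 443))
    reply = nat.inbound(Packet("198.51.100.10", 443, out.src_ip, out.src_port))
    web = nat.inbound(Packet("198.51.100.20", 51000, "203.0.113.5", 80))
    stray = nat.inbound(Packet("198.51.100.20", 51000, "203.0.113.5", 2222))
    return out, reply, web, stray
```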
Choose SUA Only if you have just one public WAN IP address for your Contivity 251. Choose Full Feature if you have multiple public WAN IP addresses for your Contivity 251. 7.3 SUA Server A SUA server set is a list of inside (behind NAT on the LAN) servers, for...
7.4 Selecting the NAT Mode You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the Contivity 251. Click NAT to open the following screen.
None Select this radio button to disable NAT. SUA Only Select this radio button if you have just one public WAN IP address for your Contivity 251. The Contivity 251 uses Address Mapping Set 1 in the NAT - Edit SUA/NAT Server Set screen.
Figure 7-5 NAT: Edit SUA/NAT Server Set The following table describes the labels in this screen. Table 7-5 NAT: Edit SUA/NAT Server Set LABEL DESCRIPTION Start Port No. Enter a port number in this field. To forward only one port, enter the port number again in the End Port No.
Click Cancel to return to the previous configuration. 7.6 Configuring Address Mapping Ordering your rules is important because the Contivity 251 applies the rules in the order that you specify. When a rule matches the current packet, the Contivity 251 takes the corresponding action and the remaining rules are ignored.
Figure 7-6 NAT: Address Mapping Rules The following table describes the labels in this screen. Table 7-6 NAT: Address Mapping Rules LABEL DESCRIPTION Local Start IP This is the starting Inside Local IP Address (ILA). Local IP addresses are N/A for Server port mapping.
To edit an address mapping rule, click the rule’s link in the NAT-Address Mapping Rules screen to display the screen shown next. Figure 7-7 NAT: Edit Address Mapping Rule The following table describes the labels in this screen.
Select a number from 1 to 10 from the drop-down menu to choose a server set. Click Edit Details to configure the server set(s). Refer to Section 7.5 for more information.
Apply: Click Apply to save your changes back to the Contivity 251.
Cancel: Click Cancel to return to the previously saved settings.
Delete...
Contivity 251 knows about network N2 in the following figure through remote node Router 1. However, the Contivity 251 is unable to route a packet to network N3 because it doesn't know that there is a route through the same remote node Router 1 (via gateway Router 2).
Contivity 251 that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your Contivity 251; over the WAN, the gateway must be the IP address of one of the remote nodes.
Private: This parameter determines whether the Contivity 251 will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.
Part IV: Firewall and Content Filters
This part introduces firewalls in general and the Contivity 251 firewall. It also explains customized services and logs and gives example firewall rules and an overview of content filtering.
1. Packet Filtering Firewalls
2. Application-level Firewalls
3. Stateful Inspection Firewalls
9.2.1 Packet Filtering Firewalls
Packet filtering firewalls restrict access based on the source/destination computer network address of a packet and the type of application.
Denial of Service attacks when activated (in SMT menu 21.2 or in the WebGUI). The Contivity 251’s purpose is to allow a private Local Area Network (LAN) to be securely connected to the Internet. The Contivity 251 can be...
The Contivity 251 also has packet filtering capabilities. The Contivity 251 is installed between the LAN and the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN.
9-4 Firewalls
device or network so users no longer have access to network resources. The Contivity 251 is pre-configured to automatically detect and thwart all known DoS attacks.
9.4.1 Basics
Computers share information over the Internet using a common language called TCP/IP.
ACK (acknowledgment). After this handshake, a connection is established. SYN Attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response.
While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the three-way handshake.
Table 9-2 ICMP Commands That Trigger Alerts
REDIRECT
TIMESTAMP_REQUEST
TIMESTAMP_REPLY
ADDRESS_MASK_REQUEST
ADDRESS_MASK_REPLY
Illegal Commands (NetBIOS and SMTP)
The only legal NetBIOS commands are the following; all others are illegal.
Table 9-3 Legal NetBIOS Commands
MESSAGE:
REQUEST:
To engage in IP spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall. The Contivity 251 blocks all IP Spoofing attempts.
Denies all sessions originating from the WAN to the LAN.
Figure 9-5 Stateful Inspection
The previous figure shows the Contivity 251’s default firewall rules in action as well as demonstrating how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed.
1. The packet travels from the firewall's LAN to the WAN.
2. The packet is evaluated against the interface's existing outbound access list, and the packet is permitted (a denied packet would simply be dropped at this point).
3.
Below is a brief technical description of how these connections are tracked. Connections may either be defined by the upper protocols (for instance, TCP), or by the Contivity 251 itself (as with the "virtual connections" created for UDP and ICMP).
WAN that have matching IP and UDP information will be allowed back in through the firewall. A similar situation exists for ICMP, except that the Contivity 251 is even more restrictive. Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask requests will allow incoming address mask replies, and outgoing timestamp requests will allow incoming timestamp replies.
Internet would normally be rejected. In order to achieve this, the Contivity 251 inspects the application-level FTP data. Specifically, it searches for outgoing "PORT" commands, and when it sees these, it adds a cache entry for the anticipated data connection.
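The tracking described in this section (UDP "virtual connections", the three ICMP request/reply pairs, and the cache entry created from an outgoing FTP PORT command), as an added Python model. This is example code, not the Contivity 251's own implementation; the addresses, ports and packets are constructed samples.

```python
"""Model of the stateful-inspection tracking described in this chapter:
UDP virtual connections, ICMP request/reply pairing and FTP PORT inspection.
Added example, not the Contivity 251's firmware. Packets are plain dicts."""
from dataclasses import dataclass, field

# ICMP message types (RFC 792): outgoing request -> the only reply admitted back.
ICMP_REPLY_FOR_REQUEST = {
    8: 0,    # Echo request -> Echo reply
    17: 18,  # Address mask request -> Address mask reply
    13: 14,  # Timestamp request -> Timestamp reply
}


def parse_port_command(payload):
    """Parse an FTP 'PORT h1,h2,h3,h4,p1,p2' line (RFC 959); return (ip, port) or None."""
    text = payload.strip()
    if not text.upper().startswith("PORT "):
        return None
    fields = text[5:].split(",")
    if len(fields) != 6 or not all(f.strip().isdigit() for f in fields):
        return None
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


@dataclass
class StateTable:
    """What the firewall remembers about outgoing traffic."""
    udp: set = field(default_factory=set)       # (src_ip, sport, dst_ip, dport) seen outbound
    icmp: set = field(default_factory=set)      # (local_ip, remote_ip, expected_reply_type)
    ftp_data: set = field(default_factory=set)  # (server_ip, client_ip, client_port) from PORT

    def outbound(self, pkt):
        """LAN -> WAN packet: record the state needed to admit its reply."""
        proto = pkt["proto"]
        if proto == "udp":
            self.udp.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        elif proto == "icmp":
            reply = ICMP_REPLY_FOR_REQUEST.get(pkt["type"])
            if reply is not None:            # only requests create state
                self.icmp.add((pkt["src"], pkt["dst"], reply))
        elif proto == "tcp" and pkt["dport"] == 21 and pkt.get("payload"):
            addr = parse_port_command(pkt["payload"])
            if addr:
                # Cache entry for the data connection the server is expected to open.
                self.ftp_data.add((pkt["dst"], addr[0], addr[1]))

    def inbound_allowed(self, pkt):
        """WAN -> LAN packet: admitted only if it matches recorded state."""
        proto = pkt["proto"]
        if proto == "udp":
            # The reply must reverse the exact IP/port tuple of an outgoing datagram.
            return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in self.udp
        if proto == "icmp":
            # Only the reply type matching an outstanding request is admitted.
            return (pkt["dst"], pkt["src"], pkt["type"]) in self.icmp
        if proto == "tcp" and pkt.get("syn"):
            # Active-mode FTP data connection opened by the server from port 20.
            return pkt["sport"] == 20 and (pkt["src"], pkt["dst"], pkt["dport"]) in self.ftp_data
        return False


def demo():
    """Constructed LAN client 192.168.1.33 talking to two WAN hosts (sample addresses)."""
    fw = StateTable()
    fw.outbound({"proto": "udp", "src": "192.168.1.33", "sport": 40000,
                 "dst": "203.0.113.5", "dport": 53})
    fw.outbound({"proto": "icmp", "src": "192.168.1.33", "dst": "203.0.113.5", "type": 8})
    fw.outbound({"proto": "tcp", "src": "192.168.1.33", "sport": 50000,
                 "dst": "203.0.113.7", "dport": 21,
                 "payload": "PORT 192,168,1,33,195,80\r\n"})   # 195*256+80 = 50000
    return fw
```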
9.6.1 Security In General
You can never be too careful! Factors outside your firewall, filtering or NAT can cause security breaches. Below are some generalizations about what you can do to minimize them.
1. Encourage your company or organization to develop a comprehensive security plan.
9.7 Packet Filtering Vs Firewall
Below are some comparisons between the Contivity 251’s filtering and firewall functions.
9.7.1 Packet Filtering
The router filters packets as they pass through the router’s interface according to the filter rules you designed.
9.7.2 Firewall
The firewall inspects packet contents as well as their source and destination addresses. Firewalls of this type employ an inspection module, applicable to all protocols, that understands that data in the packet is intended for other layers, from the network layer (IP headers) up to the application layer.
Chapter 10 Firewall Configuration
This chapter shows you how to enable and configure the Contivity 251 firewall.
10.1 Remote Management and the Firewall
When remote management is configured to allow management (see the Remote Management chapter) and the firewall is enabled: •...
Attack alerts are real-time reports of DoS attacks. In the Attack Alert screen, shown later, you may choose to generate an alert whenever an attack is detected. For DoS attacks, the Contivity 251 uses thresholds to determine when to drop sessions that do not become fully established. These thresholds apply globally to all sessions.
Figure 9-2). For UDP, "half-open" means that the firewall has detected no return traffic. The Contivity 251 measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.
(TCP Maximum Incomplete), the Contivity 251 starts deleting half-open sessions according to one of the following methods: 1. If the Blocking Time timeout is 0 (the default), then the Contivity 251 deletes the oldest existing half-open session for the host for every new connection request to the host.
This is the rate of new half-open sessions that causes the firewall to stop deleting half-open sessions. The Contivity 251 continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below this number. "80" is the default.
This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. The default is "100". When the rate of new connection attempts rises above this number, the Contivity 251 deletes half-open sessions as required to accommodate new connection attempts. The Contivity 251 stops deleting half-open sessions when the number is less than the One Minute Low.
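The threshold behaviour described above (a One Minute High rate of 100 that starts deletion, a One Minute Low rate of 80 at which it stops, measurements once a minute, and the Blocking Time 0 rule that evicts a host's oldest half-open session for each new request once the host is at its TCP Maximum Incomplete), as an added Python model. This is example code, not the Contivity 251's firmware; the traffic scenario is constructed and the TCP Maximum Incomplete value of 10 is an assumed sample setting.

```python
"""Model of the half-open session thresholds described in this chapter.
Added example, not the Contivity 251's own code."""
from collections import deque

ONE_MINUTE_HIGH = 100     # default: rate that starts deleting half-open sessions
ONE_MINUTE_LOW = 80       # default: rate below which deleting stops (hysteresis)
TCP_MAX_INCOMPLETE = 10   # assumed sample value for the per-host limit


class HalfOpenMonitor:
    def __init__(self, high=ONE_MINUTE_HIGH, low=ONE_MINUTE_LOW,
                 max_incomplete=TCP_MAX_INCOMPLETE):
        self.high, self.low, self.max_incomplete = high, low, max_incomplete
        self.deleting = False          # True once the One Minute High rate was exceeded
        self.attempts_this_minute = 0  # new TCP and UDP half-open attempts, counted together
        self.half_open = {}            # dst host -> deque of half-open session ids, oldest first
        self.dropped = []              # session ids deleted, kept for inspection

    def new_attempt(self, host, session_id):
        """A SYN (or first UDP datagram) to `host` whose session is not yet established."""
        self.attempts_this_minute += 1
        queue = self.half_open.setdefault(host, deque())
        if len(queue) >= self.max_incomplete:
            # Per-host rule with Blocking Time 0: the host is at its TCP Maximum
            # Incomplete, so each new request evicts its oldest half-open session.
            self.dropped.append(queue.popleft())
        elif self.deleting and queue:
            # Global rule: above One Minute High, delete an existing half-open
            # session to accommodate each new connection attempt.
            self.dropped.append(queue.popleft())
        queue.append(session_id)

    def established(self, host, session_id):
        """Handshake completed (or UDP return traffic seen): no longer half-open."""
        queue = self.half_open.get(host)
        if queue and session_id in queue:
            queue.remove(session_id)

    def minute_tick(self):
        """Once a minute: compare the attempt rate with the thresholds; returns deleting state."""
        rate = self.attempts_this_minute
        if rate > self.high:
            self.deleting = True
        elif rate < self.low:
            self.deleting = False
        # a rate between Low and High keeps whatever state was already in effect
        self.attempts_this_minute = 0
        return self.deleting

    def total_half_open(self):
        return sum(len(q) for q in self.half_open.values())


HOSTS = [f"192.168.1.{n}" for n in range(10, 30)]   # 20 constructed LAN hosts


def simulate():
    """Constructed scenario: a 120/min burst, then 90/min, then 30/min, then 10 more."""
    mon = HalfOpenMonitor()

    def burst(count, tag):
        for i in range(count):
            mon.new_attempt(HOSTS[i % len(HOSTS)], f"{tag}{i}")

    burst(120, "a"); m1 = mon.minute_tick()   # 120 > High: deleting starts
    burst(90, "b");  m2 = mon.minute_tick()   # 80 <= 90 <= 100: still deleting
    burst(30, "c");  m3 = mon.minute_tick()   # 30 < Low: deleting stops
    burst(10, "d")                            # no longer deleting: table grows again
    return {"m1": m1, "m2": m2, "m3": m3,
            "half_open": mon.total_half_open(), "dropped": len(mon.dropped)}


def per_host_demo():
    """12 SYNs to one host with TCP Maximum Incomplete 10 and Blocking Time 0."""
    mon = HalfOpenMonitor()
    for i in range(12):
        mon.new_attempt("192.168.1.10", f"s{i}")
    mon.established("192.168.1.10", "s5")     # one handshake completes
    return len(mon.half_open["192.168.1.10"]), mon.dropped
```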
These custom rules work by comparing network traffic’s source IP address, destination IP address and IP protocol type to rules set by the administrator. Your customized rules take precedence and may override the Contivity 251’s default rules.
11-2 Creating Custom Rules
11.2 Rule Logic Overview
Study these points carefully before configuring rules.
11.2.1 Rule Checklist
1. State the intent of the rule. For example, “This restricts all IRC access from the LAN to the Internet.” Or, “This allows a remote Lotus Notes server to synchronize over the Internet to an inside Notes server.”...
WAN. When you configure Policy -> LAN to WAN -> Rules, you in essence want to limit some or all users from accessing certain services on the WAN. See the following figure.
Figure 11-1 LAN to WAN Traffic
11.3.2 WAN to LAN Rules
The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it.
Click on Firewall, then Rule Summary to bring up the following screen. This screen is a summary of the existing rules. Note the order in which the rules are listed. The ordering of your rules is very important as rules are applied in turn.
Figure 11-3 Firewall: Rule Summary
The following table describes the labels in this screen.
Table 11-1 Firewall: Rule Summary
The default action for packets not matching following rules: Use the drop-down list box to select whether to Block (silently discard) or Forward (allow the passage of) packets that do not match the following rules.
The Available Services list box in the Edit Rule screen (see Figure 11-4) displays all predefined services that the Contivity 251 already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP).
Table 11-2 Predefined Services
AIM(TCP:5190): AOL’s Internet Messenger service, used as a listening port by ICQ.
BGP(TCP:179): Border Gateway Protocol.
BOOTP_CLIENT(UDP:68): DHCP Client.
BOOTP_SERVER(UDP:67): DHCP Server.
CU-SEEME(TCP/UDP:7648, 24032): A popular videoconferencing solution from White Pines Software.
DNS(UDP/TCP:53): Domain Name Server, a service that matches web names (e.g.
Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers.
SSH(TCP/UDP:22): Secure Shell Remote Login Program.
STRM WORKS(UDP:1558): Stream Works Protocol.
TACACS(UDP:49): Login Host Protocol used for TACACS (Terminal Access Controller Access Control System).
TELNET(TCP:23): Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.
The following table describes the labels in this screen.
Table 11-3 Creating/Editing A Firewall Rule
Source Address: Click SrcAdd to add a new address, SrcEdit to edit an existing one or SrcDelete to delete one.
Alert: Select the Alert check box to have this rule generate an alert when the rule is matched.
Apply: Click Apply to save your changes back to the Contivity 251.
Cancel: Click Cancel to exit this screen without saving.
Delete: Click Delete to remove the current rule.
Type the ending IP address in a range here.
Subnet Mask: Type the Subnet Mask here, if applicable.
Apply: Click Apply to save your changes back to the Contivity 251.
Cancel: Click Cancel to return to the previously saved settings.
11.8 Timeout...
TCP Timeout Values
Connection Timeout: Type the number of seconds (default 30) for the Contivity 251 to wait for a TCP session to reach the established state before dropping the session.
FIN-Wait Timeout: Type the number of seconds (default 60) for a TCP session to remain open after the firewall detects a FIN-exchange (indicating the end of the TCP session).
Type the number of seconds (default 60) for an ICMP session to wait for the ICMP response.
Back: Click Back to return to the previous screen.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to return to the previous configuration.
Section 11.6. To configure a custom service, click Edit Available Service in the Edit Rule screen (see Figure 11-4) to bring up the following screen.
Figure 12-1 Firewall: Customized Services
The next table describes the labels in this screen.
12-2 Customized Services
Table 12-1 Firewall: Customized Services
Customized Services: This is the number of your customized port. Click the number of a customized service to go to the Firewall Customized Services Config screen to configure or edit it.
Step 2. Click a rule number to open the edit rule screen.
Step 3. Click Any in the Source Address box and then click SrcDelete.
Step 4. Click SrcAdd to open the Rule IP Config screen. Configure it as follows and click Apply.
Figure 12-3 Configure Source IP Example
Step 5. Click Edit Available Service in the Edit Rule screen and then click a rule number to bring up the Firewall - Customized Services - Config screen. Configure as follows.
Figure 12-4 Configuring Customized Services for My Service Example
Customized services show up with an “*”...
Configure the rule configuration screen like the one below and apply it.
Figure 12-5 Syslog Rule Configuration Example
This is the IP address range of My Service computers. This is the My Service custom port. Click Apply when finished.
Rule Summary screen should look like the following. Don’t forget to click Apply when you have finished configuring your rule(s) to save your settings back to the Contivity 251. Figure 12-6 Rule Summary Example This rule allows a My Service connection to the WAN.
(that you specify) in the URL. You can set a schedule for when the Contivity 251 performs content filtering. You can also specify trusted IP addresses on the LAN for which the Contivity 251 will not perform content filtering.
Block Websites that contain these keywords in the URL: This box contains the list of all the keywords that you have configured the Contivity 251 to block.
Delete: Highlight a keyword in the box and click Delete to remove it.
Click Cancel to return to the previously saved settings.
13.3 Configuring the Schedule
To set the days and times for the Contivity 251 to perform content filtering, click Content Filter and Schedule. The screen appears as shown.
Figure 13-2 Content Filter: Schedule
The following table describes the labels in this screen.
13-4 Content Filtering Screens
Table 13-2 Content Filter: Schedule
Days to Block: Select a check box to configure which days of the week (or everyday) you want the content filtering to be active.
Time of Day to Block: Use the 24 hour format to configure which time of the day (or select the All day check box) you want the content filtering to be active.
Leave this field blank if you want to exclude an individual computer.
Back: Click Back to return to the previous screen.
Apply: Click Apply to save your changes back to the Contivity 251.
Cancel: Click Cancel to return to the previously saved settings.
Decryption is the opposite of encryption: it is a mathematical operation that transforms “ciphertext” to plaintext. Decryption also requires a key.
14.1.4 VPN Applications
The Contivity 251 supports the following VPN applications.
Linking Two or More Private Networks Together
Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased lines between sites.
Introduction to IPSec 14-3
Refer to sections on Contivity 251 application examples for the diagram on VPN application.
14.2 IPSec Architecture
The overall IPSec architecture is shown as follows.
Figure 14-2 IPSec Architecture
14.2.1 IPSec Algorithms
The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms).
14.2.2 Key Management
Key management allows you to determine whether to use IKE (ISAKMP) key configuration in order to set up a VPN.
14.3 Encapsulation
The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode.
"original header plus original payload," which is unchanged by a NAT device. Transport mode ESP with authentication is not compatible with NAT.
Table 14-1 VPN and NAT (columns SECURITY PROTOCOL and MODE; rows for Transport and Tunnel mode; the compatibility entries are not recoverable here)
AH. ESP authenticating properties are limited compared to the AH due to the non-inclusion of the IP header information during the authentication process. However, ESP is sufficient if only the upper layer protocols need to be authenticated.
15.3 My IP Address
My IP Address is the WAN IP address of the Contivity 251. If this field is configured as 0.0.0.0, then the Contivity 251 will use the current Contivity 251 WAN IP address (static or dynamic) to set up the VPN tunnel. The Contivity 251 has to rebuild the VPN tunnel if the My IP Address changes after setup.
Address field if the remote VPN switch has a dynamic WAN IP address and is using DDNS. The Contivity 251 has to rebuild the VPN tunnel each time the remote VPN switch’s WAN IP address changes (there may be a delay until the DDNS servers are updated with the remote VPN switch’s new WAN IP address).
15-4 VPN Screens
Figure 15-2 VPN: Summary IP Policies
The following table describes the labels in this screen.
Table 15-2 VPN: Summary
The Contivity VPN Client is a simple VPN rule that lets you define and store connection information for accessing your corporate network through a Contivity VPN switch.
The Private Policy IP Address or Local Policy IP Address field displays the IP address (or range of IP addresses) of the computer (or computers) on your Contivity 251's local network, for which you have configured this VPN rule IP policy.
The Local Policy IP Address field displays the IP policy's virtual IP address (or range of addresses) when you enable branch tunnel NAT address mapping in the IP Policy screen. The Local Policy IP Address field displays a single (static) IP address when the IP policy's Branch Tunnel NAT Address Mapping Rule Type field is configured to One-to-one or Many-to-One in the IP Policy screen.
If the Contivity 251 has its maximum number of simultaneous IPSec tunnels connected to it and they all have keep alive enabled, then no other tunnels can take a turn connecting to the Contivity 251 because the Contivity 251 never drops the tunnels that are already connected.
Whether or not keep alive is set, when there is outbound traffic with no inbound traffic, the Contivity 251 automatically drops the tunnel after two minutes.
15.7 NAT Traversal
NAT traversal allows you to set up a VPN connection when there are NAT routers between the two VPN switches.
LOCAL ID TYPE: IP. CONTENT: Type the IP address of your computer or leave the field blank to have the Contivity 251 automatically use its own IP address.
LOCAL ID TYPE: DNS. CONTENT: Type a domain name (up to 31 characters) by which to identify this Contivity 251.
The two Contivity 251s in this example cannot complete their negotiation because Contivity 251 B’s Local ID type is IP, but Contivity 251 A’s Peer ID type is set to E-mail. An “ID mismatched” message displays in the IPSEC LOG.
15.10 Connection Type
The Contivity 251 provides two VPN connection types: Branch Office and Contivity Client. The Branch Office connection type allows you to manually configure a VPN rule. The Contivity Client connection type allows you to use a simple VPN rule that lets you define and store connection information for accessing your corporate network through a VPN device.
Enter the password exactly as the Contivity VPN switch administrator gives it to you.
Destination: This field specifies the IP address of the Contivity VPN switch.
Back: Click Back to return to the previous screen.
Apply: Click Apply to save your changes back to the Contivity 251.
Configuring a Basic Branch Office VPN Rule
To manually create a VPN rule, click a number (No.) on the Summary screen to edit VPN policies. Select Branch Office in the Connection Type field. A screen displays as shown next.
Active: Select this check box to activate this VPN policy.
Keep Alive: Select this check box to turn on the Keep Alive feature for this SA. Turn on Keep Alive to have the Contivity 251 automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic.
This field displays the IP address of the computer (or a range of computers) on your Contivity 251's local network, for which you have configured this VPN rule. This field applies when you configure the IP policy to use a branch tunnel NAT address mapping rule in the IP Policy screen.
This field displays the IP address (or range of IP addresses) of the computer (or computers) on your Contivity 251's local network, for which you have configured this IP policy. This field displays the IP policy's virtual IP address (or range of addresses) when you enable branch tunnel NAT address mapping in the IP Policy screen.
Address Information
Local ID Type: Select IP to identify this Contivity 251 by its IP address. Select DNS to identify this Contivity 251 by a domain name. Select E-mail to identify this Contivity 251 by an e-mail address.
My IP Address: Enter the WAN IP address of your Contivity 251. The Contivity 251 uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0.
Advanced: Click Advanced to configure more detailed settings of your IKE key management.
Back: Click Back to return to the previous screen.
Apply: Click Apply to save your changes back to the Contivity 251.
Cancel: Click Cancel to begin configuring this screen afresh.
Select one of the IP policies in the VPN Branch Office screen and click Edit to configure the policy's settings. The basic Branch Office rule setup screen is shown next.
Figure 15-6 VPN: Policy
Branch Tunnel NAT Address Mapping Rule
Active: Enable this feature to have the Contivity 251 use a different (virtual) IP address for the VPN connection. When you enable branch tunnel NAT address mapping, you do not configure the local section.
Virtual addresses must be static and correspond to the remote VPN switch's configured remote IP addresses. The computers on the Contivity 251's LAN and the remote network can function as if they were on the same subnet when the virtual IP address(es) are on the same subnet as the remote IP address(es).
End / Subnet Mask: When the Address Type field is configured to Single, this field is N/A. When the Address Type field is configured to Range, enter the end (static) IP address in a range of computers on the LAN behind your Contivity 251. When the Address Type field is configured to Subnet, this is a subnet mask on the LAN behind your Contivity 251.
Figure 15-7 Two Phases to Set Up the IPSec SA
In phase 1 you must:
Choose a negotiation mode.
Authenticate the connection by entering a pre-shared key.
Choose an encryption algorithm.
Choose an authentication algorithm.
Choose Tunnel mode or Transport mode.
Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA should stay up before it times out. The Contivity 251 automatically renegotiates the IPSec SA if there is traffic when the IPSec SA lifetime period expires.
This may be unnecessary for data that does not require such security, so PFS is disabled (None) by default in the Contivity 251. Disabling PFS means new authentication and encryption keys are derived from the same root secret (which may have security implications in the long run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).
Figure 15-8 VPN: IKE (Branch Office): Advanced Setup
The following table describes the labels in this screen.
Table 15-10 VPN: IKE (Branch Office): Advanced Setup
VPN - IKE
Enable Replay Protection: As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate...
Algorithm: SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
SA Life Time (Seconds): Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN switches to update the encryption and authentication keys.
Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number (more secure, yet slower).
Apply: Click Apply to save your changes back to the Contivity 251 and return to the VPN - IKE screen.
Refresh: Click Refresh to display the current active VPN connection(s).
15.17 Configuring Global Setting
To change your Contivity 251’s global settings, click VPN and then Global Setting. The screen appears as shown.
Figure 15-10 VPN: Global Setting
VPN and Remote Management
If a VPN tunnel uses a remote management service port (Telnet, FTP, WWW, SNMP, DNS or ICMP) and terminates at the Contivity 251’s LAN or WAN port, configure remote management to allow access for that service.
Part VI: Remote Management, UPnP and Logs
This part contains information on how to configure the Contivity 251 for remote management, set up Universal Plug and Play (UPnP), and set up and display logs.
2. You have disabled that service in one of the remote management screens. 3. The IP address in the Secured Client IP field does not match the client IP address. If it does not match, the Contivity 251 will disconnect the session immediately.
24.1 or when sys stdio has been changed on the command line.
16.2 Telnet
You can configure your Contivity 251 for remote Telnet access as shown next.
You can upload and download Contivity 251 firmware and configuration files using FTP. To use this feature, your computer must have an FTP client.
16.4 Web
You can use the Contivity 251’s embedded WebGUI for configuration and file management. See the online help for details.
16.5 Configuring Remote Management
Click Remote Mgnt to open the following screen.
Table 16-1 Remote Management
Server Type: Each of these labels denotes a service that you may use to remotely manage the Contivity 251.
Access: Select the access interface. Choices are All, LAN Only, WAN Only and Disable.
Status: This field shows the port number for the remote management service.
NAT traversal allows the following:
Dynamic port mapping
Learning public IP addresses
Assigning lease times to mappings
Windows Messenger is an example of an application that supports NAT traversal and UPnP.
17-2 Universal Plug-and-Play (UPnP)
See the Network Address Translation (NAT) chapter for further information about NAT.
17.1.3 Cautions with UPnP
The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.
Universal Plug and Play (UPnP) Service: Select this check box to activate UPnP. Be aware that anyone could use a UPnP application to open the WebGUI's login screen without entering the Contivity 251's IP address (although you must still enter the password to access the WebGUI).
Allow users to make...
Step 1. Click Start and Control Panel. Double-click Add/Remove Programs.
Step 2. Click on the Windows Setup tab and select Communication in the Components selection box. Click Details.
Step 3. In the Communications window, select the Universal Plug and Play check box in the Components selection box.
UPnP installed in Windows XP and UPnP activated on the Contivity 251. Make sure the computer is connected to a LAN port of the Contivity 251. Turn on your computer and the Contivity 251.
Auto-discover Your UPnP-enabled Network Device
Step 1. Click start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
Step 2. Right-click the icon and select Properties.
When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
Step 5. Select the Show icon in notification area when connected option and click OK. An icon displays in the system tray.
WebGUI Easy Access
With UPnP, you can access the WebGUI on the Contivity 251 without first finding out the IP address of the Contivity 251. This is helpful if you do not know the IP address of the Contivity 251.
An icon with the description for each UPnP-enabled device displays under Local Network.
Step 5. Right-click on the icon for your Contivity 251 and select Invoke. The WebGUI login screen displays.
Step 6. Right-click on the icon for your Contivity 251 and select Properties. A properties window displays with basic information about the Contivity 251.
Use the Log Settings screen to configure where the Contivity 251 is to send logs, the schedule for when the Contivity 251 is to send the logs, and which logs and/or immediate alerts the Contivity 251 is to record.
18-2 Logs Screens
Alerts are e-mailed as soon as they happen. Logs may be e-mailed as soon as the log is full (see Log Schedule). Selecting many alert and/or log categories (especially Access Control) may result in many e-mails being sent.
Mail Subject: Type a title that you want to be in the subject line of the log e-mail message that the Contivity 251 sends.
Send log to: Logs are sent to the e-mail address specified in this field. If this field is left blank, logs will not be sent via e-mail.
Select the categories of logs that you want to record. Logs include alerts.
Send Immediate Alert: Select the categories of alerts for which you want the Contivity 251 to instantly e-mail alerts to the e-mail address specified in the Send Alerts To field.
Log Settings page.
Time: This field displays the time the log was recorded. See the chapter on system maintenance and information to configure the Contivity 251’s time and date.
Message: This field states the reason for the log.
A <1,02> "End of Log" message shows that a complete log has been sent. Sample log entry (columns: #, Time, Source/Destination, Notes, Message):
128 | Apr 7 00 10:05:30 | From:192.168.1.1 To:192.168.1.255 UDP src port:00520 dest port:00520 | forward | <1,02> End of Firewall Log
19.2 System Status Screen Click System Status to open the following screen, which you can use to monitor your Contivity 251. Note that these fields are READ-ONLY and are meant to be used for diagnostic purposes.
19-2 Maintenance Figure 19-1 System Status The following table describes the fields in this screen. Table 19-1 System Status LABEL DESCRIPTION System Status 317516-A Rev 00...
LABEL DESCRIPTION System Name This is the name of your Contivity 251. It is for identification purposes. RAS F/W Version This field displays the version number of the firmware. DSL F/W Version This is the DSL firmware version associated with your Contivity 251.
19-4 Maintenance 19.2.1 System Statistics Click Show Statistics in the System Status screen to open the following screen. Read-only information here includes port status and packet specific statistics. Also provided are "system up time" and "poll interval(s)". The Poll Interval(s) field is configurable.
This is the transfer rate in kbps. Upstream Speed This is the upstream speed of your Contivity 251. Downstream Speed This is the downstream speed of your Contivity 251. Node-Link This field displays the remote node index number and link type. Link types are PPPoA, ENET, RFC 1483 and PPPoE.
TCP/IP configuration at start-up from a server. You can configure the Contivity 251 as a DHCP server or disable it. When configured as a server, the Contivity 251 provides the TCP/IP configuration for the clients. If set to None, DHCP service will be disabled and you must have another DHCP server on your LAN, or else the computer must be manually configured.
00:A0:C5:00:00:02. 19.4 Diagnostic Screens These read-only screens display information to help you identify problems with the Contivity 251. 19.4.1 Diagnostic General Screen Click Diagnostic, General to open the screen shown next.
Click this button to ping the IP address that you entered. Reset Click this button to reboot the Contivity 251. A warning dialog box is then displayed asking you if you're sure you want to reboot the system. Click OK to proceed.
Reset ADSL Line: Click this button to reinitialize the ADSL line. The large text box above then displays the progress and results of this operation, for example: "Start to reset ADSL Loading ADSL modem F/W... Reset ADSL Line Successfully!" ATM Status: Click this button to view ATM status.
ATM Loopback Test: Click this button to start the ATM loopback test. Make sure you have configured at least one PVC with proper VPIs/VCIs before you begin this test. The Contivity 251 sends an OAM F5 packet to the DSLAM/ATM switch, which then returns it (loops it back) to the Contivity 251.
The device automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 19-7 Network Temporarily Disconnected
19-12 Maintenance After about two minutes, log in again and check your new firmware version in the System Status screen. If the upload was not successful, the following screen will appear. Click Back to go back to the Firmware screen. Figure 19-8 Error Message 19.6 Configuration Screen See the Firmware and Configuration File Maintenance chapter for transferring...
Backup Configuration Backup Configuration allows you to back up (save) the device’s current configuration to a 104KB file on your computer. Once the Contivity 251 is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file will be useful in case you need to return to your previous settings.
Do not turn off the device while the configuration file upload is in progress. After you see a “Restore Configuration successful” screen, wait about one minute for the Contivity 251 to finish rebooting. You can access the Contivity 251 again when the login screen displays.
IP address. See the appendix for details on how to set up your computer’s IP address. If the upload was not successful, go back to the Restore Configuration screen again.
SMT General Configuration Part VIII: SMT General Configuration This part covers System Management Terminal configuration for general setup, WAN backup, LAN setup, Internet access, remote node, static route, NAT and enabling the firewall. See the WebGUI parts of this guide for background information on features configurable by WebGUI and SMT.
20.1.1 Procedure for SMT Configuration via Console Port Follow the steps below to access your Contivity 251 via the console port. Configure a terminal emulation communications program as follows: VT100 terminal emulation, no parity, 8 data bits, 1 stop bit, data flow set to none, 9600 bps port speed.
“X” for each character you type. Please note that if there is no activity for longer than five minutes after you log in, your Contivity 251 will automatically log you out. Figure 20-1 Login Screen Enter Password : XXXXX 20.1.4...
Introducing the SMT 20-3 Figure 20-2 Contivity 251 SMT Menu Overview 20.2 Navigating the SMT Interface The SMT (System Management Terminal) is the interface that you use to configure your Contivity 251. Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below.
20-4 Introducing the SMT Table 20-1 Main Menu Commands (columns: OPERATION | KEYSTROKE | DESCRIPTION)
Move down to another menu | [ENTER] | To move forward to a submenu, type in the number of the desired submenu and press [ENTER].
Move up to a previous menu | [ESC] | Press [ESC] to move back to the previous menu.
Use this menu to set up SNMP related parameters. System Password Use this menu to change your password. System Maintenance This menu provides system status, diagnostics, software upload, etc. IP Routing Policy Setup Use this menu to configure your IP routing policy.
Use this to exit from SMT and return to a blank screen. 20.3 Changing the System Password Follow the steps below to change the Contivity 251 default system password. Step 1. Enter 23 in the main menu to display Menu 23 – System Password screen as shown next.
If you leave this blank, the domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name) on each individual computer, the domain name can be assigned from the Contivity 251 via DHCP. 21.2 Procedure To Configure Menu 1 Step 1.
Contact Person's Name (optional) | Enter the name (up to 30 characters) of the person in charge of this Contivity 251. | JohnDoe
Domain Name | Enter the domain name (if you know it) here. If you leave this field blank, the ISP may assign a domain name via DHCP. You can go to... | nortelnetworks.com
No to turn bridging off. When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.
WWW.DynDNS.ORG (default)
Active | Press [SPACE BAR] to select Yes and then press [ENTER] to make dynamic DNS active.
Host | Enter the domain name assigned to your Contivity 251 by your Dynamic DNS provider. | me.dyndns.org
EMAIL | Enter your e-mail address. | mail@mailserver
USER | Enter your user name.
Table 21-2 Menu 1.1 Configure Dynamic DNS FIELD DESCRIPTION EXAMPLE When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.
This chapter describes how to configure traffic redirect and dial-backup using menu 2, 2.1, 2.2 and 2.2.1. 22.1 Introduction to WAN Backup Setup This chapter explains how to configure the Contivity 251 for traffic redirect and dial backup connections. 22.2 Dial Backup...
WAN backup connection (if configured) if there is no response.
KeepAlive Fail Tolerance | Type the number of times (2 recommended) that your Contivity 251 may ping the IP addresses configured in the Check WAN IP Address field without getting a response before switching to a WAN backup connection (or a different WAN backup connection).
ICMP Timeout (sec) | Type the number of seconds (3 recommended) for your Contivity 251 to wait for a ping response from one of the IP addresses in the Check WAN IP Address fields before timing out the request. The WAN connection is considered "down" after the Contivity 251 times out the number of times specified in the Fail Tolerance field.
Traffic Redirect Configuration: Backup Gateway IP Address | Enter the IP address of your backup gateway in dotted decimal notation. The Contivity 251 automatically forwards traffic to this IP address if the Contivity 251’s Internet connection terminates.
Metric | This field sets this route's priority among the routes the Contivity 251 uses.
[ENTER] to go to Menu 2.2.1 Advanced Dial Backup Setup. When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.
22-6 Menu 2 WAN Backup Setup 22.5 Advanced Dial Backup Setup Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands. To edit the advanced setup for the dial backup port, move the cursor to the Edit Advanced Setup field in Menu 2.2 Dial Backup Setup, press the [SPACE BAR] to select Yes and then press [ENTER].
Figure 23-2 Menu 3.1 LAN Port Filter Setup Menu 3.1 - LAN Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel:
For bridging Ethernet setup refer to the Bridging Setup chapter. 23.3 TCP/IP Ethernet Setup and DHCP Use menu 3.2 to configure your Contivity 251 for TCP/IP. To edit menu 3.2, enter 3 from the main menu to display Menu 3 — Ethernet Setup.
Table 23-1 DHCP Ethernet Setup Menu Fields (columns: FIELD | DESCRIPTION | EXAMPLE)
DHCP Setup: DHCP | If set to Server, your Contivity 251 can assign IP addresses, an IP default gateway and DNS servers to Windows 95, Windows NT and other systems that support the DHCP client. If set to None, the DHCP server will be disabled. | Server (default)
Table 23-2 TCP/IP Ethernet Setup Menu Fields (columns: FIELD | DESCRIPTION | EXAMPLE)
TCP/IP Setup: IP Address | Enter the (LAN) IP address of your Contivity 251 in dotted decimal notation. | 192.168.1.1
IP Subnet Mask | Your Contivity 251 will automatically calculate the subnet mask based on the IP address that you assign. | 255.255.255.0
Create policies using SMT menu 25 (see the chapter on IP policy routing) and apply them on the Contivity 251 LAN and/or WAN interfaces using menus 3.2 (LAN) and 11.3 (WAN).
24-2 Menu 3 LAN Setup Figure 24-1 Physical Network Figure 24-2 Partitioned Logical Networks Use menu 3.2.1 to configure IP Alias on your Contivity 251. 24.4 IP Alias Setup Use menu 3.2 to configure the first network. Move the cursor to Edit IP Alias field and press [SPACEBAR] to choose Yes and press [ENTER] to configure the second and third network.
IP Address | Enter the IP address of your Contivity 251 in dotted decimal notation. | 192.168.1.1
IP Subnet Mask | Your Contivity 251 will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing... | 255.255.255.0
Menu 4 allows you to enter the Internet Access information in one screen. Menu 4 is actually a simplified setup for one of the remote nodes that you can access in menu 11. Before you configure your Contivity 251 for Internet access, you need to collect your Internet account information.
Network Address Translation= SUA Only Address Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel: The following table contains instructions on how to configure your Contivity 251 for Internet access. Table 24-2 Menu 4 Internet Access Setup FIELD...
[ESC] to cancel and go back to the previous screen. If all your settings are correct your Contivity 251 should connect automatically to the Internet. If the connection fails, note the error message that you receive on the screen and take the appropriate troubleshooting steps.
Step 1. From the main menu, enter 11 to display Menu 11 - Remote Node Setup. Step 2. When menu 11 appears, as shown in the following figure, type the number of the remote node that you want to configure.
25-2 Remote Node Configuration Figure 25-1 Menu 11 Remote Node Setup Menu 11 - Remote Node Setup 1. My ISP (ISP, SUA) 2. ________ 3. ________ 4. ________ 5. ________ 6. ________ 7. ________ 8. ________ Enter Node # to Edit: 25.2.2 Encapsulation and Multiplexing Scenarios For Internet access you should use the encapsulation and multiplexing methods...
Type a unique, descriptive name of up to eight characters for this myISP node. Active Press [SPACE BAR] and then [ENTER] to select Yes to activate or No to deactivate this node. Inactive nodes are displayed with a minus sign “–“ in SMT menu 11.
Incoming: Rem Login Type the login name that this remote node will use to call your Contivity 251. The login name and the Rem Password will be used to authenticate this node. Rem Password Type the password used when this remote node calls your Contivity 251.
Idle Timeout (sec) Type the number of seconds (0-9999) that can elapse when the Contivity 251 is idle (there is no traffic going to the remote node), before the Contivity 251 automatically disconnects the remote node. 0 means that the session will not timeout.
25-6 Remote Node Configuration 25.2.3 Outgoing Authentication Protocol For obvious reasons, you should employ the strongest authentication protocol possible. However, some vendors’ implementations include a specific authentication protocol in the user profile. Such an implementation will disconnect if the negotiated protocol is different from the one in the user profile, even when the negotiated protocol is stronger than the one specified.
WAN IP addresses for your Contivity 251. Select SUA Only if you have just one public WAN IP address for your Contivity 251. The SMT uses Address Mapping Set 255 (menu 15.1 - see Section 28.4). Select None to disable NAT.
My WAN Addr Sample IP Addresses The following figure uses sample IP addresses to help you understand the My WAN Addr field in menu 11.3. My WAN Addr indicates the local Contivity 251 WAN IP while Rem IP Addr indicates the peer WAN IP.
1, 5, 9, 12, in each filter field. Note that spaces are accepted in this field. The Contivity 251 has a prepackaged filter set, NetBIOS_WAN, that blocks NetBIOS packets (call protocol filter = 1).
[SPACE BAR] to select Yes. Press [ENTER] to display Menu 11.6 – Remote Node ATM Layer Options. There are two versions of menu 11.6 for the Contivity 251, depending on whether you chose VC-based/LLC-based multiplexing and PPP encapsulation in menu 11.1.
VCI #= 35
ATM QoS Type= UBR
Peak Cell Rate (PCR)= 0
Sustain Cell Rate (SCR)= 0
Maximum Burst Size (MBS)= 0
ENTER here to CONFIRM or ESC to CANCEL:
(Figure annotation, truncated in this copy: "... needs to be specified.")
25-12 Remote Node Configuration In this case, only one set of VPI and VCI numbers needs to be specified for all protocols. The valid range for the VPI is 0 to 255 and for the VCI is 32 to 65535 (1 to 31 is reserved for local management of ATM traffic). 25.5.3 Advance Setup Options In menu 11.1, select PPPoE in the Encapsulation field.
PPPoE pass through to allow up to ten hosts on the LAN to use PPPoE client software on their computers to connect to the ISP via the Contivity 251. Each host can have a separate account and a public WAN IP address.
Contivity 251 knows about network N2 in the following figure through remote node Router 1. However, the Contivity 251 is unable to route a packet to network N3 because it does not know that there is a route through remote node Router 1 (via Router 2).
FIELD DESCRIPTION Route # This is the index number of the static route that you chose in menu 12.1. Route Name Type a descriptive name for this route. This is for identification purposes only.
Type the IP address of the gateway. The gateway is an immediate neighbor of your Contivity 251 that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your Contivity 251;...
IP on your network. For IP, enable the routing if you need it; do not bridge what the Contivity 251 can route. 27.2 Bridge Ethernet Setup Basically, all non-local packets are bridged to the WAN. Your Contivity 251 does not support IPX. 27.2.1...
27-2 Bridging Setup parameters, you need to configure Menu 11.3 – Remote Node Network Layer Options. To set up Menu 11.3 – Remote Node Network Layer Options shown in the next figure, follow these steps: Step 1. In menu 11.1, make sure the Bridge field is set to Yes.
Press [SPACE BAR] to select Yes and press [ENTER] to display menu 11.3 (menu 11.1).
Ethernet Addr Timeout (min.) (menu 11.3) | Type the time (in minutes) for the Contivity 251 to retain the Ethernet Address information in its internal tables while the line is down. If this information is retained, your Contivity 251 will not have to recompile the tables when the line comes back up.
27-4 Bridging Setup FIELD DESCRIPTION Route Name Type a name for the bridge static route for identification purposes. Active Indicates whether the static route is active (Yes) or not (No). Ether Address Type the MAC address of the destination computer that you want to bridge the packets to.
28.1.1 SUA (Single User Account) Versus NAT SUA (Single User Account) is a Contivity 251 implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. See Section 28.4 for a detailed description of the NAT set for SUA. The Contivity...
Full Feature | Press [SPACE BAR] and then [ENTER] to select Full Feature if you have multiple public WAN IP addresses for your Contivity 251. The SMT uses the address mapping set that you configure and enter in the Address Mapping Set field (menu 15.1 - see section 28.4).
28-4 Network Address Translation (NAT) The server set is a list of LAN servers mapped to external ports. To use this set, a server rule must be set up inside the NAT address mapping set. Please see the section on port forwarding in the chapter on NAT WebGUI screens for further information on these menus.
This is the ending global IP address (IGA). Type | These are the mapping types. Server allows you to specify multiple servers of different types behind NAT to this machine. See later for some examples. | Server
15.1.1.1 (described later) and the values are displayed here. Ordering Your Rules Ordering your rules is important because the Contivity 251 applies the rules in the order that you specify. When a rule matches the current packet, the Contivity 251 takes the corresponding action and the remaining rules are ignored.
Menu 15.1.1.1 - Address Mapping Rule, in which you can edit an individual rule and configure the Type, Local and Global Start/End IPs. An End IP address must be numerically greater than its corresponding IP Start address.
28-8 Network Address Translation (NAT) Figure 28-7 Menu 15.1.1.1 Editing/Configuring an Individual Rule in a Set
Menu 15.1.1.1 Address Mapping Rule
Type= One-to-One
Local IP: Start= End= N/A
Global IP: Start= End= N/A
Server Mapping Set= N/A
Press ENTER to Confirm or ESC to Cancel:
The following table explains the fields in this menu.
7. Server Set 7 8. Server Set 8 9. Server Set 9 10. Server Set 10 Enter Set Number to Edit: Step 3. Enter 1 to go to Menu 15.2.1 NAT Server Setup as follows.
28-10 Network Address Translation (NAT) Figure 28-9 Menu 15.2.1 NAT Server Setup Menu 15.2.1 - NAT Server Setup Rule Start Port No. End Port No. IP Address --------------------------------------------------- Default Default 0.0.0.0 192.168.1.33 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Press ENTER to Confirm or ESC to Cancel:...
In the following Internet access example, you only need one rule where your ILAs (Inside Local addresses) all map to one dynamic IGA (Inside Global Address) assigned by your ISP. Figure 28-11 NAT Example 1
Map the second IGA to your second inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses). Rule 3. Map the other outgoing LAN traffic to IGA3 (Many : 1 mapping).
28-14 Network Address Translation (NAT) Rule 4. You also map your third IGA to the web server and mail server on the LAN. Type Server allows you to specify multiple servers, of different types, on other computers behind NAT on the LAN. The example situation looks somewhat like this: Figure 28-15 NAT Example 3 Step 1.
Figure 28-17 Example 3: Menu 15.1.1.1
Menu 15.1.1.1 Address Mapping Rule
Type= One-to-One
Local IP: Start= 192.168.1.10 End= N/A
Global IP: Start= 10.132.50.1 End= N/A
Server Mapping Set= N/A
Press ENTER to Confirm or ESC to Cancel:
28-16 Network Address Translation (NAT) Figure 28-18 Example 3: Final Menu 15.1.1 Menu 15.1.1 - Address Mapping Rules Set Name= Example3 Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- --------------- ------ 1. 192.168.1.10 10.132.50.1 192.168.1.11 10.132.50.2...
These applications won’t work through NAT even when using One-to-One and Many-to-Many No Overload mapping types. Follow the steps outlined in example 3 to configure these two menus as follows.
28-18 Network Address Translation (NAT) Figure 28-20 Example 4: Menu 15.1.1.1 Address Mapping Rule
Menu 15.1.1.1 Address Mapping Rule
Type= Many-to-Many No Overload
Local IP: Start= 192.168.1.10 End= 192.168.1.12
Global IP: Start= 10.132.50.1 End= 10.132.50.3
Server Mapping Set= N/A
Press ENTER to Confirm or ESC to Cancel:
After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as shown next.
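The two points the address-mapping menus above depend on, rule ordering (the Contivity 251 takes the first matching rule and ignores the rest) and the requirement that an End IP be numerically greater than its Start IP, are easy to get wrong in a set with several rule types. The following Python model is an added example, not code from the guide or the device; it assumes the One-to-One, Many-to-One and Many-to-Many No Overload semantics described in this chapter (a local range mapped position-for-position to a global range of the same size for No Overload), and it leaves the Server mapping type out. The sample rule sets are constructed to mirror Examples 3 and 4: two 1 : 1 rules for the FTP servers and a Many : 1 rule for the rest of the LAN.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Assumed subset of the menu 15.1.1.1 mapping types (Server is omitted here).
ONE_TO_ONE = "One-to-One"
MANY_TO_ONE = "Many-to-One"
NO_OVERLOAD = "Many-to-Many No Overload"


@dataclass(frozen=True)
class MappingRule:
    rule_type: str
    local_start: str
    local_end: Optional[str]    # None stands for the menu's "N/A"
    global_start: str
    global_end: Optional[str]

    def __post_init__(self) -> None:
        ls, le = self.local_range()
        gs = IPv4Address(self.global_start)
        ge = IPv4Address(self.global_end) if self.global_end else gs
        # Menu rule from the guide: an End IP must be greater than its Start IP.
        if self.local_end and le <= ls:
            raise ValueError("Local End IP must be greater than Local Start IP")
        if self.global_end and ge <= gs:
            raise ValueError("Global End IP must be greater than Global Start IP")
        if self.rule_type == ONE_TO_ONE and (self.local_end or self.global_end):
            raise ValueError("One-to-One takes single addresses (End = N/A)")
        if self.rule_type == MANY_TO_ONE and self.global_end:
            raise ValueError("Many-to-One maps to a single IGA (Global End = N/A)")
        if self.rule_type == NO_OVERLOAD and int(le) - int(ls) != int(ge) - int(gs):
            raise ValueError("No Overload needs local and global ranges of equal size")

    def local_range(self) -> Tuple[IPv4Address, IPv4Address]:
        ls = IPv4Address(self.local_start)
        le = IPv4Address(self.local_end) if self.local_end else ls
        return ls, le

    def translate(self, local: IPv4Address) -> Optional[IPv4Address]:
        """IGA for this ILA under this rule, or None when the rule does not match."""
        ls, le = self.local_range()
        if not ls <= local <= le:
            return None
        gs = IPv4Address(self.global_start)
        if self.rule_type == NO_OVERLOAD:
            return gs + (int(local) - int(ls))   # same offset into the global range
        return gs                                # One-to-One / Many-to-One: one IGA


def translate(rules: List[MappingRule], local_ip: str) -> Optional[Tuple[int, str]]:
    """First-match lookup: returns (rule number, IGA) or None, as the set is ordered."""
    local = IPv4Address(local_ip)
    for number, rule in enumerate(rules, start=1):
        iga = rule.translate(local)
        if iga is not None:
            return number, str(iga)
    return None


def rule_is_valid(*fields) -> bool:
    """True when the menu would accept the rule under the checks above."""
    try:
        MappingRule(*fields)
    except ValueError:
        return False
    return True


# Constructed set in the spirit of Example 3: 1 : 1 rules first, Many : 1 last.
EXAMPLE3 = [
    MappingRule(ONE_TO_ONE, "192.168.1.10", None, "10.132.50.1", None),
    MappingRule(ONE_TO_ONE, "192.168.1.11", None, "10.132.50.2", None),
    MappingRule(MANY_TO_ONE, "192.168.1.1", "192.168.1.254", "10.132.50.3", None),
]
# The same rules with the Many : 1 rule moved first: it now shadows both 1 : 1 rules.
SHADOWED = [EXAMPLE3[2], EXAMPLE3[0], EXAMPLE3[1]]
# Constructed set matching Example 4's menu 15.1.1.1 figure.
EXAMPLE4 = [MappingRule(NO_OVERLOAD, "192.168.1.10", "192.168.1.12",
                        "10.132.50.1", "10.132.50.3")]

if __name__ == "__main__":
    for ila in ("192.168.1.10", "192.168.1.11", "192.168.1.20"):
        print(ila, "->", translate(EXAMPLE3, ila), "shadowed:", translate(SHADOWED, ila))
```

Running the block shows why the guide tells you to order the set deliberately: with the Many : 1 rule placed first, 192.168.1.10 resolves to 10.132.50.3 and the dedicated FTP mapping is never consulted.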
29.2 Access Methods The WebGUI is, by far, the most comprehensive firewall configuration tool your Contivity 251 has to offer. For this reason, it is recommended that you configure your firewall using the WebGUI, see the following chapters for instructions. SMT screens allow you to activate the firewall and view firewall logs.
29-2 Enabling the Firewall Figure 29-1 Menu 21.2 Firewall Setup Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. The default Policy sets 1. allow all sessions originating from the LAN to the WAN and 2.
SMT Advanced Management Part IX: SMT Advanced Management This part discusses filtering setup, SNMP, system security, system information and diagnosis, firmware and configuration file maintenance, system maintenance, remote management, IP Policy Routing and call scheduling. See the WebGUI parts of this guide for background information on features configurable by WebGUI and SMT.
This chapter shows you how to create and apply filters. 30.1 About Filtering Your Contivity 251 uses filters to decide whether or not to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering.
30-2 Filter Configuration Figure 30-1 Outgoing Packet Filtering Process (flowchart; labels recovered from the figure: Outgoing Packet → Data Filtering with the active data filters (match / no match) → Call Filtering if the line is not up: built-in default call filters, then user-defined call filters (if applicable) (match / no match) → Initiate call, or Send packet and reset Idle Timer)
(Second flowchart, title not recovered; labels: Fetch First Filter Set → Filter Set Active? → Fetch First Filter Rule → Filter Rule Available? → Execute Filter Rule → Check Next Rule / Fetch Next Filter Rule → Next Filter Set Available? / Fetch Next Filter Set → Forward, Drop Packet or Accept Packet)
Because each filter set can have up to six rules, you can have a maximum of 24 rules active for a single port. For incoming packets, your Contivity 251 applies data filters only. Packets are processed depending on whether a match is found. The following sections describe how to configure filter sets.
Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=137 N D N
5 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=138 N D N
6 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=139 N D F
Enter Filter Rule Number (1-6) to Configure:
30-6 Filter Configuration Figure 30-5 NetBIOS_LAN Filter Rules Summary
Menu 21.1.3 - Filter Rules Summary
# A Type Filter Rules M m n
- - ---- --------------------------------------------------------------- - - -
1 Y IP Pr=17, SA=0.0.0.0, SP=137, DA=0.0.0.0, DP=53 N D F
Enter Filter Rule Number (1-6) to Configure:
Figure 30-6 IGMP Filter Rules Summary Menu 21.1.4 - Filter Rules Summary...
“N” means to check the next rule. The protocol dependent filter rule abbreviations are listed as follows: Table 30-2 Rule Abbreviations Used (columns: FILTER TYPE | DESCRIPTION) IP: Pr = Protocol, SA = Source Address, SP = Source Port Number, DA = Destination Address, DP = Destination Port Number. GEN: Offset, Length.
When applying the filter sets to a port, separate menu fields are provided for protocol and device filter sets. If you include a protocol filter set in a device filters field or vice versa, the Contivity 251 will warn you and will not allow you to save.
The majority of IP packets do not have source route. Destination: IP Addr | Type the destination IP address of the packet you want to filter. This field is ignored if it is 0.0.0.0.
30-10 Filter Configuration Table 30-3 Menu 21.1.x.1 TCP/IP Filter Rule (columns: FIELD | DESCRIPTION | EXAMPLE)
IP Mask | Type the IP mask to apply to the Destination: IP Addr field.
Port # | Type the destination port of the packets you want to filter. The field range is 0 to 65535. | 0 to 65535
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen. The following figure illustrates the logic flow of an IP filter.
30-12 Filter Configuration Figure 30-8 Executing an IP Filter (flowchart; labels recovered from the figure: Packet into IP Filter → Filter Active? → Apply SrcAddrMask to Src Addr, Check Src IP Addr (Matched / Not Matched) → Apply DestAddrMask to Dest Addr, Check Dest IP Addr (Matched / Not Matched) → Check IP Protocol (Matched / Not Matched) → ...)
For IP, it is generally easier to use the IP rules directly. For generic rules, the Contivity 251 treats a packet as a byte stream as opposed to an IP packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes.
30-14 Filter Configuration Table 30-4 Menu 21.1.5.1 Generic Filter Rule FIELD DESCRIPTION EXAMPLE Filter # This is the filter set, filter rule coordinates, for instance, 2, 3 refers to the second filter set and the third rule of that set. Filter Type Press [SPACE BAR] and then [ENTER] to select a type of rule.
On the other hand, the generic (or device) filters are applied to the raw packets that appear on the wire. They are applied at the point where the Contivity 251 is receiving and sending the packets; for instance, the interface. The interface can be an Ethernet, or any other hardware port.
30-16 Filter Configuration Figure 30-11 Sample Telnet Filter Step 1. Enter 1 in menu 21 to display Menu 21.1 — Filter Set Configuration. Step 2. Enter the index number of the filter set you want to configure (in this case 6). Step 3. Type a descriptive name or comment in the Edit Comments field (for
30-18 Filter Configuration Figure 30-13 Menu 21.1.6.1 Sample Filter Rules Summary
Menu 21.1.6 - Filter Rules Summary
# A Type Filter Rules M m n
- - ---- --------------------------------------------------------------- - - -
1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 N D F
Enter Filter Rule Number (1-6) to Configure: 1
This shows you that you have [text truncated in this copy]. M = N means an action can be taken immediately.
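The Filter Rules Summary screens in this chapter (NetBIOS_WAN, NetBIOS_LAN and the sample Telnet filter) pack a rule's conditions and its three action columns into one line, and the meaning of the M, m and n columns is easy to misread. The following Python block is an added example, not code from the guide or the device: it parses summary lines in the layout shown above and walks a constructed packet through a set the way the chapter describes, with F forwarding, D dropping and N checking the next rule, and SA/DA of 0.0.0.0 ignored as the field table states. Two things are assumptions rather than statements from the guide: a rule with M = Y is treated as ANDed with the following rule (the chain takes the last rule's m/n action), and a set that reaches its end without a decision forwards the packet. The sample rule sets and packets are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample lines in the "Filter Rules Summary" layout of this chapter.
NETBIOS_WAN = """\
4 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=137 N D N
5 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=138 N D N
6 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=139 N D F
"""
TELNET_FILTER = "1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 N D F\n"
# Constructed two-rule chain (assumed M = Y semantics): drop Telnet only from one host.
CHAIN = """\
1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 Y N N
2 Y IP Pr=6, SA=192.168.1.99, DA=0.0.0.0 N D F
"""

# "#  A  Type  Filter Rules  M  m  n": number, active, type, conditions, more, match, not-match
RULE_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<active>[YN])\s+(?P<type>IP|GEN)\s+"
    r"(?P<conds>.*?)\s+(?P<more>[YN])\s+(?P<m>[FDN])\s+(?P<n>[FDN])\s*$"
)


@dataclass
class Rule:
    number: int
    active: bool
    conds: Dict[str, str]
    more: bool       # M column
    on_match: str    # m column: F, D or N
    on_miss: str     # n column: F, D or N


def parse_summary(text: str) -> List[Rule]:
    """Parse the rule lines of a Filter Rules Summary screen into Rule objects."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mo = RULE_RE.match(line)
        if mo is None:
            raise ValueError(f"unrecognised rule line: {line!r}")
        conds = {}
        for item in mo.group("conds").split(","):
            key, _, val = item.strip().partition("=")
            conds[key] = val
        rules.append(Rule(int(mo.group("num")), mo.group("active") == "Y", conds,
                          mo.group("more") == "Y", mo.group("m"), mo.group("n")))
    return rules


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """Compare one IP rule's conditions with a packet; 0.0.0.0 addresses are wildcards."""
    checks = {
        "Pr": lambda v: pkt["proto"] == int(v),
        "SA": lambda v: v == "0.0.0.0" or pkt["src"] == v,
        "DA": lambda v: v == "0.0.0.0" or pkt["dst"] == v,
        "SP": lambda v: pkt.get("sport") == int(v),
        "DP": lambda v: pkt.get("dport") == int(v),
    }
    return all(checks[k](v) for k, v in rule.conds.items() if k in checks)


def evaluate(rules: List[Rule], pkt: dict) -> str:
    """Run a packet through an ordered set; returns 'forward' or 'drop'."""
    chain_ok = True
    for rule in rules:
        if not rule.active:
            continue
        matched = rule_matches(rule, pkt) and chain_ok
        if rule.more:
            chain_ok = matched      # assumption: M = Y ANDs this rule with the next
            continue
        action = rule.on_match if matched else rule.on_miss
        chain_ok = True
        if action == "F":
            return "forward"
        if action == "D":
            return "drop"
        # "N": check the next rule
    return "forward"                # assumption: no decision means forward


def pkt(proto: int, src: str, dst: str, sport: int, dport: int) -> dict:
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}


if __name__ == "__main__":
    rules = parse_summary(NETBIOS_WAN)
    print(evaluate(rules, pkt(17, "192.168.1.5", "192.168.1.255", 137, 137)))  # drop
    print(evaluate(rules, pkt(17, "192.168.1.5", "10.0.0.1", 1025, 53)))       # forward
```

Reading the NetBIOS_WAN set with this model makes the N/D/N, N/D/N, N/D/F pattern clear: each rule drops its own NetBIOS port and otherwise passes the decision down, and only the last rule forwards what nothing matched, which is why deleting rule 6 alone would change the fate of every non-NetBIOS packet.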
See earlier in this chapter for information on filters. Output Filter Sets: Apply filters for traffic leaving the Contivity 251. You may apply filter rules for protocol or device filters. See earlier in this section for information on types of filters.
30-20 Filter Configuration in the protocol filters field under Call Filter Sets in menu 11.5 to block local NetBIOS traffic from triggering calls to the ISP. Figure 30-15 Filtering Remote Node Traffic Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets:...
SNMP is a member of the TCP/IP protocol suite. Your Contivity 251 supports SNMP agent functionality, which allows a manager station to manage and monitor the Contivity 251 through the network. The Contivity 251 supports SNMP version one (SNMPv1) and version two c (SNMPv2c).
Trap - Used by the agent to inform the manager of some events. 31.2 Supported MIBs The Contivity 251 supports RFC-1215 and MIB II as defined in RFC-1213. The focus of the MIBs is to let administrators collect statistic data and monitor status and performance.
(default)
Trusted Host | If you enter a trusted host, your Contivity 251 will only respond to SNMP messages from this address. A blank (default) field means your Contivity 251 will respond to all SNMP messages it receives, regardless of source. | 0.0.0.0
31-4 Filter Configuration 31.4 SNMP Traps The Contivity 251 will send traps to the SNMP manager when any one of the following events occurs: Table 31-2 SNMP Traps TRAP # TRAP NAME DESCRIPTION coldStart (defined in RFC-1215) A trap is sent after booting (power on).
Enter Menu Selection Number: 32.1 System Status The first selection, System Status gives you information on the status and statistics of the ports, as shown next. System Status is a tool that can be used to
32-2 System Information and Diagnosis monitor your Contivity 251. Specifically, it gives you information on your ADSL telephone line status, number of packets sent and received. To get to System Status, type 24 to go to Menu 24 — System Maintenance.
Step 1. Enter 24 to display Menu 24 — System Maintenance. Step 2. Enter 2 to display Menu 24.2 — System Information. Step 3. From this menu you have two choices as shown in the next figure:
Refers to the system firmware version. ADSL Chipset Vendor Displays the vendor of the ADSL chipset and DSL version. Standard This refers to the operational protocol the Contivity 251 and the DSLAM (Digital Subscriber Line Access Multiplexer) are using.
Contivity 251. 32.3 Log and Trace There are two logging facilities in the Contivity 251. The first is the error logs and trace records that are stored locally. The second is the UNIX syslog facility for message logging.
Step 3. to display the error log in the system. After the Contivity 251 finishes displaying the error log, you will have the option to clear it. Samples of typical error and information messages are presented in the next figure.
Clear Error Log (y/n): 32.3.2 Syslog Settings The Contivity 251 uses the UNIX syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog and accounting can be configured in Menu 24.3.2 — System Maintenance — UNIX Syslog, as shown next.
The log facility lets you log the message in different server files. Refer to your UNIX manual. The following are examples of the four types of syslog messages sent by the Contivity 251: 1 - CDR SdcmdSyslogSend ( SYSLOG_CDR, SYSLOG_INFO, String);...
Table 32-4 Menu 24.4 System Maintenance Menu: Diagnostic
FIELD / DESCRIPTION
Reset xDSL: Re-initialize the xDSL link to the telephone company.
Ping Host: Ping the host to see if the links and TCP/IP protocol on both systems are working.
Reboot the Contivity 251.
Command Mode: Type the mode to test and diagnose your Contivity 251 using specified commands.
Host IP Address: If you typed 12 to Ping Host, now type the address of the computer you want to ping.
If your (T)FTP client does not allow you to have a destination filename different from the source, you will need to rename the files, as the Contivity 251 only recognizes “rom-0” and “ras”. Be sure you keep unaltered copies of both files for later use.
not on the Contivity 251, that is, on your computer, local network or FTP site, and so the name (but not the extension) may vary. After uploading new firmware, see the F/W version field in Menu 24.2.1 – System Maintenance – Information to confirm that you have uploaded the correct firmware version.
To transfer the configuration file to your workstation, follow the procedure below:
1. Launch the FTP client on your workstation.
2. Type "open" and the IP address of your Contivity 251. Then type "root" and the SMT password as requested.
3. Locate the 'rom-0' file.
33.2.3 Example of FTP Commands from the Command Line
Figure 33-2 FTP Session Example
331 Enter PASS command
Password:
230 Logged in
ftp> bin
200 Type I OK
ftp> get rom-0 config.rom
200 Port command okay
150 Opening data connection for STOR ras
226 File received OK
ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
Telnet service.
3. The IP address in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the Contivity 251 will disconnect the Telnet session immediately.
4. You have an SMT console session running.
Enter the IP address of the Contivity 251. 192.168.1.1 is the Contivity 251’s default IP address when shipped.
Send/Fetch: Use “Send” to upload the file to the Contivity 251 and “Fetch” to back up the file on your computer.
Local File: Enter the path and name of the firmware file (*.bin extension) or configuration file (*.rom...
This section shows you how to restore a previously saved configuration. Note that this function erases the current configuration before restoring a previous backup configuration; please do not attempt to restore unless you have a backup configuration file stored on disk.
FTP is the preferred method for restoring your current computer configuration to your Contivity 251 since FTP is faster. Please note that you must wait for the system to automatically restart after the file transfer is complete.
Step 7. Use “put” to transfer files from the computer to the Contivity 251; for example, “put config.rom rom-0” transfers the configuration file “config.rom” on your computer to the Contivity 251. See earlier in this chapter for more information on filename conventions.
Then click Send. After a successful restoration you will see the following screen.
Step 4. Press any key to restart the Contivity 251 and return to the SMT menu.
Figure 33-12 Successful Restoration Confirmation Screen
Save to ROM
Hit any key to start system reboot.
FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client. When you telnet into the Contivity 251, you will see the following screens for uploading firmware and the configuration file using FTP.
Step 5. Enter “bin” to set transfer mode to binary.
Step 6. Use “put” to transfer files from the computer to the Contivity 251; for example, “put firmware.bin ras” transfers the firmware on your computer (firmware.bin) to the Contivity 251 and renames it “ras”.
Step 1. Use telnet from your computer to connect to the Contivity 251 and log in. Because TFTP does not have any security checks, the Contivity 251 records the IP address of the telnet client and accepts TFTP requests only from this address.
Contivity 251 and the computer. The file name for the firmware is “ras”. Note that the telnet connection must be active and the Contivity 251 in CI mode before and during the TFTP transfer. For details on TFTP commands (see following example), please consult the documentation of your TFTP client program.
Xmodem protocol on your computer. Follow the procedure as shown previously for the HyperTerminal program. The procedure for other serial communications programs should be similar.
33.4.9 Example Xmodem Firmware Upload Using HyperTerminal
Click Transfer, then Send File to display the following screen.
Type the firmware file’s location, or click Browse to look for it. Choose the Xmodem protocol. Then click Send. After the configuration upload process has completed, restart the Contivity 251 by entering “atgo”.
33.4.10 Uploading Configuration File Via Console Port
Step 1.
HyperTerminal program. The procedure for other serial communications programs should be similar.
Step 3. Enter “atgo” to restart the Contivity 251.
33.4.11 Example Xmodem Configuration Upload Using HyperTerminal
Click Transfer, then Send File to display the following screen.
Figure 33-19 Example Xmodem Upload
Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. After the configuration upload process has completed, restart the Contivity 251 by entering “atgo”.
System Status
System Information and Console Port Speed
Log and Trace
Diagnostic
Backup Configuration
Restore Configuration
Upload Firmware
Command Interpreter Mode
Call Control
10. Time and Date Setting
11. Remote Management
Enter Menu Selection Number:
The budget management function allows you to set a limit on the total outgoing call time of the Contivity 251 within certain times. When the total outgoing call time exceeds the limit, the current call will be dropped and any future outgoing calls will be blocked.
The elapsed time is the time used up within this period; in the example shown, 30 minutes out of the 1 hour time period has lapsed. Enter “0” to update the screen or press [ESC] to return to the previous screen.
Enter Menu Selection Number:
Then enter 10 to go to Menu 24.10 - System Maintenance - Time and Date Setting to update the time and date settings of your Contivity 251 as shown in the following screen.
... when Bootup: Enter the time service protocol that your time server sends when you turn on the Contivity 251. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
34.3.1 Resetting the Time
The Contivity 251 resets the time in three instances:
i. On leaving menu 24.10 after making changes.
ii. When the Contivity 251 starts up, if there is a time server configured in menu 24.10.
iii. At 24-hour intervals after starting.
Enter 11 from menu 24 to display Menu 24.11 — Remote Management Control.
35.2.1 Remote Management Setup
You may manage your Contivity 251 from a remote location via: the Internet (WAN only), the LAN only, All (LAN and WAN) or Disable (neither).
FIELD / DESCRIPTION / EXAMPLE
Telnet Server, FTP Server, Web Server, SNMP Service, DNS Service: Each of these read-only labels denotes a service that you may use to remotely manage the Contivity 251.
Port: This field shows the port number for the remote management service.
2. You have disabled that service in menu 24.11.
3. The IP address in the Secured Client IP field (menu 24.11) does not match the client IP address. If it does not match, the Contivity 251 will disconnect the session immediately.
35.4 System Timeout
There is a system timeout of five minutes (300 seconds) for Telnet/web/FTP connections. Your Contivity 251 will automatically log you out if you do nothing in this timeout period, except when it is continuously updating the status in menu 24.1 or when sys stdio has been changed on the command line.
The action is taken only when all the criteria are met. The criteria include the source address and port, IP protocol (ICMP, UDP, TCP, etc.), destination address and port, TOS and precedence (fields in the IP header) and length. The length criterion is included to differentiate between interactive and bulk traffic. Interactive applications, for example telnet, tend to have short packets, while bulk traffic, for example file transfer, tends to have large packets.
Table 36-1 Menu 25.1 IP Routing Policy Setup
ABBREVIATION / MEANING
Criterion: Source IP Address; Source Port; Destination IP Address; Destination Port; IP layer 4 protocol number (TCP=6, UDP=17…); Type of service of incoming packet; Precedence of incoming packet
Action: Gateway IP address; Outgoing Type of service; Outgoing Precedence
Service: Normal; Minimum Delay; Maximum Throughput; Maximum Reliability; Minimum Cost
Type a number from 1 to 6 to display Menu 25.1.1 – IP Routing Policy (see the next figure).
Defines the outgoing gateway address. The gateway must be on the same subnet as the Contivity 251 if it is on the LAN, otherwise, the gateway must be the IP address of a remote node. The default gateway is specified as 0.0.0.0.
Table 36-2 Menu 25.1.1 IP Routing Policy
FIELD / DESCRIPTION
Press [SPACE BAR] and then [ENTER] to select Yes to make an entry in the system log when a policy is executed.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel”...
If a network has both Internet and remote node connections, you can route Web packets to the Internet using one policy and route FTP packets to a remote network using another policy. See the next figure.
Figure 36-6 Example of IP Policy Routing
To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the Contivity 251, follow the steps as shown next.
Create a routing policy set in menu 25.
IP Address= 192.168.1.1
IP Subnet Mask= 255.255.255.0
RIP Direction= Both
Version= RIP-1
Multicast= None
IP Policies= 1,2
Edit IP Alias= No
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
1 will take precedence over sets 2, 3 and 4, as the Contivity 251, by default, applies the lowest numbered set first. Set 2 will take precedence over sets 3 and 4, and so on.
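The policy-routing match described in this chapter (all criteria must be met, lowest numbered set applied first, optional log entry when a set executes), as an added worked example that is not the Contivity 251's own code. The gateway addresses, the policy sets and the packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model (not the Contivity 251's own code) of the IP policy
# routing criteria: source/destination address and port, IP protocol
# number, TOS, precedence and packet length. A criterion left as None
# means "any"; the action (gateway) is taken only when all criteria match.

@dataclass
class Packet:
    src: str
    dst: str
    proto: int            # IP layer 4 protocol number (TCP=6, UDP=17, ICMP=1)
    sport: int = 0
    dport: int = 0
    tos: int = 0          # type of service field of the IP header
    precedence: int = 0
    length: int = 0       # total IP packet length in bytes

@dataclass
class Policy:
    set_no: int
    gateway: str                                 # action: outgoing gateway address
    src_range: Optional[Tuple[str, str]] = None  # inclusive address range, None = any
    dst_net: Optional[str] = None                # CIDR network, None = any
    proto: Optional[int] = None
    sport: Optional[Tuple[int, int]] = None      # inclusive port range
    dport: Optional[Tuple[int, int]] = None
    tos: Optional[int] = None
    precedence: Optional[int] = None
    length: Optional[Tuple[int, int]] = None     # inclusive byte range (bulk vs interactive)
    log: bool = False                            # make a system log entry when executed

def _in_range(value: int, rng: Optional[Tuple[int, int]]) -> bool:
    return rng is None or rng[0] <= value <= rng[1]

def matches(policy: Policy, pkt: Packet) -> bool:
    """True only when every configured criterion of the policy set is met."""
    if policy.src_range is not None:
        lo = int(ipaddress.ip_address(policy.src_range[0]))
        hi = int(ipaddress.ip_address(policy.src_range[1]))
        if not lo <= int(ipaddress.ip_address(pkt.src)) <= hi:
            return False
    if policy.dst_net is not None:
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(policy.dst_net):
            return False
    if policy.proto is not None and pkt.proto != policy.proto:
        return False
    if policy.tos is not None and pkt.tos != policy.tos:
        return False
    if policy.precedence is not None and pkt.precedence != policy.precedence:
        return False
    return (_in_range(pkt.sport, policy.sport)
            and _in_range(pkt.dport, policy.dport)
            and _in_range(pkt.length, policy.length))

def route(policies, pkt: Packet, log: list) -> Optional[str]:
    """Apply the lowest numbered matching set; return its gateway, or None
    when no set matches and normal routing applies."""
    for policy in sorted(policies, key=lambda p: p.set_no):
        if matches(policy, pkt):
            if policy.log:
                log.append(f"policy set {policy.set_no} executed: "
                           f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return policy.gateway
    return None

# Constructed policy sets mirroring the chapter's example: Web (TCP port 80)
# packets from clients 192.168.1.33 to 192.168.1.64 go to the Internet via the
# WAN gateway, FTP (TCP port 21) packets go to a remote node, and a third set
# keys on length alone to catch bulk traffic. Both gateway addresses are assumed.
WAN_GATEWAY = "10.0.0.1"        # assumed WAN-side next hop
REMOTE_NODE = "192.168.1.254"   # assumed remote node address

POLICIES = [
    Policy(set_no=1, gateway=WAN_GATEWAY,
           src_range=("192.168.1.33", "192.168.1.64"), proto=6, dport=(80, 80), log=True),
    Policy(set_no=2, gateway=REMOTE_NODE, proto=6, dport=(21, 21)),
    Policy(set_no=3, gateway=REMOTE_NODE, length=(1000, 65535)),
]
```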
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle
If a connection has already been established, your Contivity 251 will not drop it. Once the connection is dropped manually or times out, that remote node can't be triggered up until the end of the Duration.
Enter 11 from the Main Menu and then enter the target remote node index. Using [SPACE BAR], select PPPoE or PPPoA in the Encapsulation field and then press [ENTER] to make the schedule sets field available as shown next.
PROBLEM / CORRECTIVE ACTION
None of the LEDs turn on when I turn on the Contivity 251: Make sure that the Contivity 251’s power adaptor is connected to the Contivity 251 and plugged in to an appropriate power source. Check that the Contivity 251 and the power source are both turned on.
Troubleshooting the LAN LED.
I cannot ping any ... LAN: Make sure that the IP address and the subnet mask of the Contivity 251 and your computer(s) are on the same subnet. If the 10M/100M LEDs on the front panel are both off, refer to Chart A-2 Troubleshooting the LAN LED.
PROBLEM / CORRECTIVE ACTION
I cannot access the Internet: Make sure the Contivity 251 is turned on and connected to the network. If the DSL LED is off, refer to Chart A-3 Troubleshooting the DSL LED. Verify your WAN settings. Refer to the WAN Setup chapter (WebGUI) or the Internet Access chapter (SMT).
Your computer’s and the Contivity 251’s IP addresses must be on the same subnet for LAN access. If you changed the Contivity 251’s LAN IP address, then enter the new one as the URL. Remove any filters in SMT menu 3.1 (LAN) or menu 11.5 (WAN) that block web service.
... the Contivity 251 from the LAN or the WAN: ... management may not be possible. Use the Contivity 251’s WAN IP address when configuring from the WAN. Use the Contivity 251’s LAN IP address when configuring from the LAN. Refer to Chart A-4 Troubleshooting the LAN Interface for instructions on checking your LAN connection.
CLASS / OCTET 1 / OCTET 2 / OCTET 3 / OCTET 4
Class A: Network number / Host ID / Host ID / Host ID
Class B: Network number / Network number / Host ID / Host ID
Class C: Network number / Network number / Network number / Host ID
Host IDs of all zeros or all ones are not allowed. Therefore:
A class “C” network (8 host bits) can have 2^8 – 2 or 254 hosts.
A class “B” address (16 host bits) can have 2^16 – 2 or 65534 hosts.
A class “A”...
Chart B-4 Alternative Subnet Mask Notation
SUBNET MASK / SUBNET MASK “1” BITS / LAST OCTET BIT VALUE
255.255.255.0 / /24 / 0000 0000
255.255.255.128 / /25 / 1000 0000
255.255.255.192 / /26 / 1100 0000
255.255.255.224 / /27 / 1110 0000
255.255.255.240 / /28 / 1111 0000
255.255.255.248 / /29 / 1111 1000
255.255.255.252 / /30 / 1111 1100
The first mask shown is the class “C” natural mask. Normally, if no mask is specified, it is understood that the natural mask is being used.
Example: Two Subnets
As an example, you have a class “C” address 192.168.1.0 with a subnet mask of 255.255.255.0.
2^6 – 2 or 62 hosts for each subnet (all 0’s is the subnet itself, all 1’s is the broadcast address on the subnet).
Chart B-7 Subnet 1
NETWORK NUMBER / LAST OCTET BIT VALUE
IP Address: 192.168.1.
IP Address (Binary): 11000000.10101000.00000001. / 00000000
Subnet Mask (Binary): 11111111.11111111.11111111. / 11000000
Subnet Address: 192.168.1.0
Lowest Host ID: 192.168.1.1
Broadcast Address: 192.168.1.63
Highest Host ID: 192.168.1.62
Chart B-8 Subnet 2
NETWORK NUMBER / LAST OCTET BIT VALUE
IP Address: 192.168.1.
IP Address (Binary): 11000000.10101000.00000001. / 01000000
Subnet Mask (Binary): 11111111.11111111.11111111. / 11000000
Subnet Address: 192.168.1.64
Lowest Host ID: 192.168.1.65
Broadcast Address: 192.168.1.127...
ID. A class “B” address has two host ID octets available for subnetting and a class “A” address has three host ID octets (see Chart B-1) available for subnetting.
The following table is a summary for class “B” subnet planning.
Chart B-13 Class B Subnet Planning
NO. “BORROWED” HOST BITS / SUBNET MASK / NO. SUBNETS / NO. HOSTS PER SUBNET
1 / 255.255.128.0 (/17) / 2 / 32766
2 / 255.255.192.0 (/18) / 4 / 16382
3 / 255.255.224.0 (/19) / 8 / 8190
4 / 255.255.240.0 (/20) / 16 / 4094...
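The subnet arithmetic of this appendix (the two-subnet split of 192.168.1.0 with mask 255.255.255.192, the "all zeros / all ones" host ID rule, and the class "B" planning chart) carried through in code, as an added example that is not part of the manual. It generalises the appendix's examples to any mask and any number of borrowed bits.

```python
import ipaddress

# Constructed worked example (not from the manual): subnet calculations
# following Appendix B. Host IDs of all zeros (the subnet itself) and all
# ones (the broadcast address) are excluded from the usable host count.

def mask_to_prefix(mask: str) -> int:
    """Count the "1" bits of a dotted mask, e.g. 255.255.255.192 -> 26.
    Rejects masks whose ones are not contiguous (not a valid subnet mask)."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask {mask}")
    return prefix

def subnet_details(address: str, mask: str) -> dict:
    """Subnet address, lowest/highest host ID, broadcast and host count
    for the subnet containing `address` under `mask`."""
    net = ipaddress.ip_network(f"{address}/{mask_to_prefix(mask)}", strict=False)
    if net.prefixlen >= 31:
        # with fewer than 2 host bits there is no usable host ID under this rule
        raise ValueError("no usable host IDs with fewer than 2 host bits")
    return {
        "subnet": str(net.network_address),
        "lowest_host": str(net.network_address + 1),
        "highest_host": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
        "hosts": net.num_addresses - 2,   # 2^host_bits - 2
    }

def split_subnets(network: str, natural_mask: str, borrowed_bits: int) -> list:
    """Borrow `borrowed_bits` host bits from a network and describe every
    resulting subnet, in address order (Charts B-7 and B-8 for 2 bits of a class C)."""
    base = ipaddress.ip_network(f"{network}/{mask_to_prefix(natural_mask)}")
    new_prefix = base.prefixlen + borrowed_bits
    return [subnet_details(str(s.network_address), str(s.netmask))
            for s in base.subnets(new_prefix=new_prefix)]

def class_b_planning(max_borrowed: int = 4) -> list:
    """Rows of Chart B-13: borrowed bits, mask, number of subnets, hosts per subnet.
    The class B natural mask is /16, so borrowing n bits gives a /(16+n) mask."""
    rows = []
    for borrowed in range(1, max_borrowed + 1):
        prefix = 16 + borrowed
        mask = str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)
        rows.append({"borrowed": borrowed,
                     "mask": f"{mask} (/{prefix})",
                     "subnets": 2 ** borrowed,
                     "hosts": 2 ** (16 - borrowed) - 2})
    return rows
```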
3. It allows the ISP to use the existing dial-up model to authenticate and (optionally) to provide differentiated services.
Traditional Dial-up Scenario
The following diagram depicts a typical hardware configuration where the PCs use traditional dial-up networking.
PPP negotiation is between the PC and the ISP.
Contivity 251 as a PPPoE Client
When using the Contivity 251 as a PPPoE client, the PCs on the LAN see only Ethernet and are not aware of PPPoE. This relieves the administrator of having to manage the PPPoE clients on the individual PCs.
Diagram C-2 Contivity 251 as a PPPoE Client
The VPI and VCI identify a virtual path, that is, termination points between ATM switches. A series of virtual paths make up a virtual circuit. Your service provider should supply you with VPI/VCI numbers.
Output Power: AC12Volts/1.3A
Power Consumption:
Safety Standards: ITS-GS, CE (EN 60950)
UNITED KINGDOM PLUG STANDARDS
AC Power Adapter Model: AA-121A3D
Input Power: AC230Volts/50Hz/140mA
Output Power: AC12Volts/1.3A
Power Consumption:
Safety Standards: ITS-GS, CE (EN 60950)
"communicate" with your network. If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the Contivity 251's LAN port.
Windows 95/98/Me
Click Start, Settings, Control Panel and double-click the Network icon to open the Network window.
Installing Components
The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.
- If your IP address is dynamic, select Obtain an IP address automatically.
- If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.
Click the DNS Configuration tab.
- If you do not know your DNS information, select Disable DNS.
- If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in).
Click OK to save and close the TCP/IP Properties window. Click OK to close the Network window. Insert the Windows CD if prompted. Turn on your Contivity 251 and restart your computer when prompted.
Verifying Settings
Click Start and then Run.
For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. Right-click Local Area Connection and then click Properties. Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties.
- If you have a dynamic IP address, click Obtain an IP address automatically.
- If you have a static IP address, click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. Click Advanced.
- If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.
Do one or more of the following if you want to configure additional IP addresses:
- In the IP Settings tab, in IP addresses, click Add.
Click OK to close the Internet Protocol (TCP/IP) Properties window. Click OK to close the Local Area Connection Properties window. Turn on your Contivity 251 and restart your computer (if prompted).
Verifying Settings
Click Start, All Programs, Accessories and then Command Prompt.
Macintosh OS 8/9
Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Select Ethernet built-in from the Connect via list.
- Type your IP address in the IP Address box.
- Type your subnet mask in the Subnet mask box.
- Type the IP address of your Contivity 251 in the Router address box.
Close the TCP/IP Control Panel. Click Save if prompted, to save changes to your configuration.
- Type your IP address in the IP Address box.
- Type your subnet mask in the Subnet mask box.
- Type the IP address of your Contivity 251 in the Router address box.
Click Apply Now and close the window. Turn on your Contivity 251 and restart your computer (if prompted).
Diagram G-1 Connecting a POTS Splitter
Step 1. Connect the side labeled “Phone” to your telephone.
Step 2. Connect the side labeled “Modem” to your Contivity 251.
Step 3. Connect the side labeled “Line” to the telephone wall jack.
Telephone Microfilters
Telephone voice transmissions take place in the lower frequency range, 0 - 4KHz, while ADSL transmissions take place in the higher bandwidth range, above 4KHz.
Diagram G-2 Connecting a Microfilter
Contivity 251 With ISDN
This section relates to people who use their Contivity 251 with ADSL over ISDN (digital telephone service) only. The following is an example installation for the Contivity 251 with ISDN.
Diagram G-3 Contivity 251 with ISDN
TELNET Login Fail: Someone has failed to log on to the router via telnet.
At the time of writing, the Contivity 251 did not support the generation of all of the logs shown here.
Keyword Blocking: The Contivity 251 blocked access to an address or domain (Destination) name that had a forbidden keyword.
Contains Block: The Contivity 251 blocked access to an IP address or domain (Destination) name that contains ActiveX because the content filter is set to forbid ActiveX.
NetBIOS TCP: The firewall detected a TCP NetBIOS attack.
ip spoofing - no routing entry: The firewall detected an IP spoofing attack while the Contivity 251 did not have a default route. The log may also display the protocol (for example TCP or UDP).
Firewall rule match: (Protocol, Direction, Rule): ... forwarded it according to the rule’s configuration.
Firewall rule NOT match: (Protocol, Direction, Rule): Access did not match a firewall rule and the Contivity 251 logged it.
Firewall rule NOT match: dest port: Access did not match a firewall rule’s destination port and the Contivity 251 logged it.
Triangle route packet forwarded (Protocol): The firewall allowed a triangle route session to pass through.
ICMP Source Quench: The Contivity 251 sent or received an ICMP source quench packet to tell a host to slow down data transmission.
ICMP Time Exceed: The Contivity 251 sent or received an ICMP Time Exceed packet because a packet with zero Time To Live (TTL) was dropped.
Chart H-6 TCP Reset Logs
LOG MESSAGE / DESCRIPTION
Firewall sent TCP reset packets: The firewall sent out TCP reset packets.
Chart H-7 ICMP Notes
TYPE / CODE / DESCRIPTION
Echo Reply: Echo reply message
Destination Unreachable: Net unreachable; Host unreachable; Protocol unreachable; Port unreachable; A packet that needed fragmentation was dropped because it was set to Don't...
To view the IPSec and IKE connection log, type 3 in menu 27 and press [ENTER] to display the IPSec log as shown next. The following figure shows a typical log from the initiator of a VPN connection.
Diagram H-1 Example VPN Initiator IPSec Log
Index: Date/Time: Log:
------------------------------------------------------------
01 Jan 08:02:22 Send Main Mode request to <192.168.100.101>
01 Jan 08:02:22 Send:<SA>
01 Jan 08:02:22 Recv:<SA>
01 Jan 08:02:24 Send:<KE><NONCE>
01 Jan 08:02:24 Recv:<KE><NONCE>
01 Jan 08:02:26 Send:<ID><HASH>...
Start Phase 2: Quick Mode: Phase 2 negotiation is beginning using Quick Mode.
!! IKE Negotiation is in process: The Contivity 251 has already begun negotiation with the peer for the connection, but the IKE key exchange has not finished yet.
Phase 2 SA negotiations. The IKE key exchange process fails if this limit is exceeded.
!! IKE Packet Retransmit: The Contivity 251 did not receive a response from the peer and so retransmits the last packet sent.
!! Failed to send IKE Packet: The Contivity 251 cannot send IKE packets due to a network error.
LOG MESSAGE / DESCRIPTION
!! WAN IP changed to <IP>: If the Contivity 251’s WAN IP changes, all configured “My IP Addr” are changed to “0.0.0.0”. If this field is configured as 0.0.0.0, then the Contivity 251 will use the current Contivity 251 WAN IP address (static or dynamic) to set up the VPN tunnel.
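A parser for the IPSec/IKE log format shown in Diagram H-1 and the "!!" messages described above, written as an added example for someone monitoring these logs; it is not the Contivity 251's own code. It tracks how far the Main Mode exchange got, notes the move to Quick Mode, and counts the warning lines. The sample log is constructed, and the sixth Main Mode message (Recv:<ID><HASH>) is an assumed continuation of the figure, which the manual truncates after Send:<ID><HASH>.

```python
import re
from collections import Counter

# Constructed example (not the Contivity 251's own code): summarise an
# initiator's IPSec log in the Appendix H format. Each line is
# "<DD Mon HH:MM:SS> <message>"; warning messages start with "!!".
LINE_RE = re.compile(r"^(?P<ts>\d{2} \w{3} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")

# The six Main Mode messages in order. The manual's figure ends at
# Send:<ID><HASH>, so the final Recv:<ID><HASH> is an assumption.
MAIN_MODE_STEPS = ["Send:<SA>", "Recv:<SA>", "Send:<KE><NONCE>",
                   "Recv:<KE><NONCE>", "Send:<ID><HASH>", "Recv:<ID><HASH>"]

def parse_ipsec_log(text: str) -> dict:
    """Return peer address, Main Mode progress, Phase 2 start, WAN IP
    changes and a count of each '!!' warning seen in the log."""
    summary = {"peer": None, "main_mode_steps": 0, "phase2_started": False,
               "warnings": Counter(), "wan_ip_changes": [], "unparsed": []}
    expected = 0  # index of the next Main Mode message we expect to see
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            # skip the column header and separator of the figure; keep anything else
            if line and not line.startswith(("Index", "---")):
                summary["unparsed"].append(line)
            continue
        msg = m.group("msg")
        peer = re.match(r"Send Main Mode request to <([^>]+)>", msg)
        if peer:
            summary["peer"] = peer.group(1)
            expected = 0  # a new request restarts the exchange
        elif expected < len(MAIN_MODE_STEPS) and msg == MAIN_MODE_STEPS[expected]:
            expected += 1
            summary["main_mode_steps"] = expected
        elif msg.startswith("Start Phase 2: Quick Mode"):
            summary["phase2_started"] = True
        elif msg.startswith("!! WAN IP changed to"):
            # "My IP Addr" entries are reset to 0.0.0.0 when this happens
            summary["wan_ip_changes"].append(msg.split("<")[1].rstrip(">"))
        elif msg.startswith("!!"):
            summary["warnings"][msg[2:].strip()] += 1
    return summary

def phase1_complete(summary: dict) -> bool:
    """True once all six Main Mode messages have been seen in order."""
    return summary["main_mode_steps"] == len(MAIN_MODE_STEPS)

# Constructed sample log in the manual's layout (not a real capture): the
# exchange stalls after Send:<ID><HASH>, with one retransmit along the way.
SAMPLE_LOG = """\
Index: Date/Time: Log:
------------------------------------------------------------
01 Jan 08:02:22 Send Main Mode request to <192.168.100.101>
01 Jan 08:02:22 Send:<SA>
01 Jan 08:02:22 Recv:<SA>
01 Jan 08:02:24 Send:<KE><NONCE>
01 Jan 08:02:26 !! IKE Packet Retransmit
01 Jan 08:02:28 Recv:<KE><NONCE>
01 Jan 08:02:30 Send:<ID><HASH>
01 Jan 08:02:30 !! IKE Negotiation is in process
"""
```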
A list of valid commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished.
Sys Commands
The following chart lists and describes the sys commands. Each of these commands must be preceded by sys when you use them. For example, type sys stdio 60 to set the management session inactivity timeout to 60 minutes.
Chart I-1 Sys Commands
COMMAND...
Record the UPnP logs.
urlblocked [0:none/1:log/2:alert/3:both]: Records and/or sends alerts for web access blocked logs.
urlforward [0:none/1:log]: Records web access forward logs.
clear: Clear the log.
display: Display all logs.
errlog clear: Clears log error.
Chart I-1 Sys Commands (continued)
COMMAND / DESCRIPTION
disp: Displays log error.
online: Turns on/off error log online display.
load: Loads the log settings buffer. Use this command before you configure the log settings. Use sys logs save after you configure the log settings.
Displays the system socket’s ID #, socket type, control block address (PCB), IP address and port number of the peer device connected to the socket (Remote Socket) and task control block (Owner).
filter <set>: Displays a filter rule.
netbios
<iface>: Displays an interface’s IP Address Resolution Protocol status.
dhcp <iface> client release: Releases the DHCP client IP address.
renew: Renews the DHCP client IP address.
status [option]: Displays the DHCP status.
Chart I-4 IP Commands (continued)
COMMAND / DESCRIPTION
query stats clear: Clears DNS statistics.
disp: Displays DNS statistics.
icmp status: Displays the ICMP statistics counter.
discovery <iface> [on|off]: Sets the ICMP router discovery flag.
ifconfig [iface] [ipaddr] [broadcast <addr>...: Configures a network interface.
<dest_addr|default>[/<bits>] <gateway> [<metric>]: Adds an entry to the routing table for the specified interface.
addprivate <dest_addr|default>[/<bits>] <gateway> [<metric>]: Adds a private route.
drop <host addr>[/<bits>]: Drops a route.
status: Displays IP statistic counters.
status [tcp][<interval>]: Displays TCP statistic counters.
Chart I-4 IP Commands (continued)
COMMAND / DESCRIPTION
telnet <host>[port]: Telnets to a remote host.
tracerout <host>[ttl][wait][queries]: Sends packets to trace the route to a remote host.
status: Displays the UDP status.
xparent
IPSec Commands
The following chart lists and describes the ipsec commands. Each of these commands must be preceded by ipsec when you use them.
Removes an IP policy.
display: Displays the IP policies.
internal list: Displays the IP policies.
load <policy Index>: Loads an IP policy.
local type <0:single|1:range|2:subnet>: Sets an IP policy’s local address type.
Chart I-5 IPSec Commands (continued)
COMMAND / DESCRIPTION
addrStart <IP address>: Sets an IP policy’s starting local IP address.
endMask <IP address>: Sets an IP policy’s ending local IP address or subnet mask.
port <port number>: Sets an IP policy’s local port number.
(30 default) and 0 means it never updates.
updatePeerI: Forces the system to immediately update IPSec rules which use a domain name as the secure gateway IP address.
display <rule #>: Displays the specified IPSec rule.
Chart I-5 IPSec Commands (continued)
COMMAND / DESCRIPTION
load <rule #>: Loads an IPSec rule.
save: Saves IPSec rules.
config netbios active <on|off>: Sets the NetBIOS active flag.
group <group index1, group index2…>: Sets the NetBIOS group.
name <string>: Sets a rule’s name.
Displays ACLs or a specific ACL set # and rule #.
active <yes|no>: Enables/disables the firewall (activate or deactivate firewall).
disp: Displays the firewall log type and count.
clear: Clears the firewall log count.
Chart I-6 Sys Firewall Commands (continued)
COMMAND / DESCRIPTION
dynamicrule: Displays the temporary firewall rules that the device dynamically created.
tcprst: Turns TCP reset sending on/off.
rst113: Turns TCP reset sending for port 113 on/off.
display: Displays the TCP reset sending settings.
smtp: Enables/disables the SMTP DoS defender.
Resets ADSL modem (you must reload the modem code again).
selftest long: Performs ADSL long loop test.
selftest short: Performs ADSL short loop test.
ADSL status (ex: up, down or wait status for init).
version: Displays ADSL version information.
Chart I-7 WAN Commands (continued)
COMMAND / DESCRIPTION
vendorid: Displays ADSL vendor information.
utopia: Shows ADSL utopia information.
cellcnt: Shows ADSL cell counter.
rateup display: Shows the counter of rate adaptive mechanism.
rateup shutdown: Shows the real status when rate adaptive mechanism happened.
DSLAM side.
sendes: Send current error second information immediately.
dygasprecover Level [value]: The default is 100. After receiving 100 dying gasp signals, the system will reboot.
dygasprecover Active [on|off]: Turn on/off this mechanism.
Chart I-7 WAN Commands (continued)
COMMAND / DESCRIPTION
rsploss [1|0]: Turn on means to respond to signal loss of CTRLE immediately; default is off.
watchdog [1|0]: Watchdog for DSP.
test [fix|rand|period|oam|loopback]: Generates ATM traffic.
hwsar disp: Displays hwsar packets incoming/outgoing information.
clear: Clears hwsar packets information.
Call Scheduling .......... 37-1
  Maximum Number of Schedule Sets .......... 37-1
  PPPoE .......... 37-3
Default Server IP Address .......... 7-6
Denial of Service .......... 9-2, 10-3, 10-4, 29-1
Denials of Service .......... 9-3
Destination Address .......... 11-3, 11-12
IANA .......... 3-6
ICMP echo .......... 9-6
IGMP .......... 5-4
IGMP support .......... 25-8
Install UPnP
IP Routing Policy Setup .......... 36-3
IP Spoofing .......... 9-4, 9-8
IP Static Route .......... 26-1
IP Static Route Setup .......... 26-2
IPSec standard .......... 1-2
IPSec VPN capability .......... 1-1
ISDN .......... G-2
Key Fields For Configuring Rules .......... 11-3
LAN ..........
Multiprotocol Encapsulation .......... 3-2
My WAN Address .......... 25-7
Nailed-Up Connection .......... 3-6
NAT .......... 3-4, 7-6, 30-15
  Application .......... 7-3
  Applying NAT in the SMT Menus .......... 28-1
  Configuring .......... 28-3
Remote Node Profile .......... 25-3
Remote Node Setup .......... 25-1
Remote Node Index Number .......... 32-2
Remote Node Traffic .......... 30-20
Services .......... 7-6
Services and Port Numbers .......... 7-7
setup a schedule .......... 37-2
SMT Menu Overview .......... 20-2
SMTP .......... 7-7
SMTP Error Messages .......... 18-6
Smurf .......... 9-6, 9-7
SNMP .......... 7-7
  Community .......... 31-3
  Configuration ..........
System Status .......... 32-1
System Information .......... 32-3
System Information & Diagnosis .......... 32-1
System Maintenance .......... 32-1, 32-3, 33-2, 33-5, 33-13, 33-15, 34-1, 34-2, 34-5