ZyXEL Communications Prestige 652 User Manual

ZyXEL ADSL Security Router User's Guide

Prestige 652
ADSL Security Router
User's Guide
Version 3.40
August 2002


Summary of Contents for ZyXEL Communications Prestige 652

  • Page 1 Prestige 652 ADSL Security Router User's Guide Version 3.40 August 2002...
  • Page 2 Trademarks ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
  • Page 3 Notice 1 Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. Certifications Refer to the product page at www.zyxel.com. FCC Statement (FCC) Interference Statement Prestige 652 ADSL Security Router...
  • Page 4 Prestige 652 ADSL Security Router Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective operation and safety requirements. The Industry Canada label does not guarantee that the equipment will operate to a user's satisfaction.
  • Page 5: Zyxel Limited Warranty

    Prestige 652 ADSL Security Router ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and...
  • Page 6: Prestige 652 Adsl Security Router

    Prestige 652 ADSL Security Router Please have the following information ready when you contact customer support. • Product model and serial number. • Information in Menu 24.2.1 – System Information. • Warranty Information. • Date that you received your device.
  • Page 7: Table Of Contents

    GETTING STARTED...I Chapter 1 Getting To Know Your Prestige...1-1 Prestige 652 ADSL Security Router ...1-1 Features ...1-1 Applications for the Prestige 652 ...1-6 Chapter 2 Hardware Installation and Initial Setup ...2-1 Front Panel LEDs of the P652...2-1 Rear Panel and Connections...2-2 Additional Installation Requirements...2-3...
  • Page 8 Chapter 5 Remote Node Configuration ...5-1 Remote Node Setup ...5-1 Remote Node Setup ...5-6 Remote Node Filter...5-8 Chapter 6 Remote Node TCP/IP Configuration...6-1 TCP/IP Configuration ...6-1 Chapter 7 Bridging Setup ...7-1 Bridging in General...7-1 Bridge Ethernet Setup ...7-1 Chapter 8 Network Address Translation (NAT)...8-1 Introduction...8-1 Using NAT...8-6 NAT Setup ...8-8...
  • Page 9 Chapter 20 System Maintenance and Information ...20-1 20.1 Command Interpreter Mode ...20-1 20.2 Call Control Support ...20-2 20.3 Time and Date Setting...20-4 Chapter 21 Remote Management ...21-1 21.1 About Telnet Configuration ...21-1 21.2 Telnet Under NAT ...21-1 Table of Contents Prestige 652 ADSL Security Router...
  • Page 10 21.3 Telnet Capabilities ...21-1 21.4 FTP ...21-2 21.5 Web...21-2 21.6 Remote Management ...21-2 21.7 Remote Management and NAT ...21-4 21.8 System Timeout ...21-4 Chapter 22 IP Policy Routing ...22-1 22.1 Introduction...22-1 22.2 Benefits ...22-1 22.3 Routing Policy ...22-1 22.4 IP Routing Policy Setup...22-2 22.5 Applying an IP Policy...22-5 22.6 IP Policy Routing Example...22-7 CALL SCHEDULING, VPN/IPSEC AND INTERNAL SPTGEN ...
  • Page 11 Prestige 652 ADSL Security Router 29.4 Problems with the LAN Interface ...29-2 29.5 Problems with the WAN Interface ...29-2 29.6 Problems with Internet Access ...29-3 29.7 Problems with the Password ...29-3 29.8 Problems with the Web Configurator...29-4 29.9 Problems with Remote Management ...29-4...
  • Page 12 Prestige 652 ADSL Security Router List of Figures Figure 1-1 Internet Access Application...1-7 Figure 1-2 Firewall Application...1-8 Figure 1-3 LAN-to-LAN Application...1-8 Figure 1-4 VPN Application ...1-9 Figure 2-1 Front Panel ...2-1 Figure 2-2 Rear Panel ...2-2 Figure 2-3 Connecting a POTS Splitter ...2-5 Figure 2-4 Connecting a Microfilter ...2-6...
  • Page 13 Prestige 652 ADSL Security Router Figure 4-8 Example of Traffic Shaping... 4-15 Figure 4-9 Internet Access Setup ... 4-15 Figure 5-1 Menu 11 — Remote Node Setup... 5-2 Figure 5-2 Menu 11.1 — Remote Node Profile ... 5-4 Figure 5-3 Remote Node Network Layer Options ... 5-7 Figure 5-4 Menu 11.5 —...
  • Page 14 Prestige 652 ADSL Security Router Figure 8-11 Menu 15.2.1 — NAT Server Setup ...8-18 Figure 8-12 Multiple Servers Behind NAT Example...8-19 Figure 8-13 NAT Example 1...8-20 Figure 8-14 Menu 4 — Internet Access & NAT Example ...8-21 Figure 8-15 NAT Example 2...8-22 Figure 8-16 Menu 15.2.1 —...
  • Page 15 Prestige 652 ADSL Security Router Figure 12-3 Firewall Rules Summary — First Screen ... 12-5 Figure 12-4 Creating/Editing A Firewall Rule ... 12-10 Figure 12-5 Adding/Editing Source and Destination Addresses ... 12-12 Figure 12-6 Timeout Screen... 12-13 Figure 13-1 Customized Services ... 13-1 Figure 13-2 Creating/Editing A Customized Service ...
  • Page 16 Prestige 652 ADSL Security Router Figure 16-18 Filtering Remote Node Traffic ...16-22 Figure 16-19 Filtering Remote Node Traffic with PPPoE ...16-22 Figure 17-1 SNMP Management Model...17-1 Figure 17-2 Menu 22 — SNMP Configuration ...17-3 Figure 18-1 Menu 24 — System Maintenance ...18-1 Figure 18-2 Menu 24.1 —...
  • Page 17 Prestige 652 ADSL Security Router Figure 19-14 Telnet Into Menu 24.7.2 — System Maintenance ...19-11 Figure 19-15 FTP Session Example of Firmware File Upload ... 19-12 Figure 19-16 Menu 24.7.1 as seen using the Console Port ... 19-14 Figure 19-17 Example Xmodem Upload ... 19-14 Figure 19-18 Menu 24.7.2 as seen using the Console Port ...
  • Page 18 Prestige 652 ADSL Security Router Figure 24-2 VPN Application ...24-3 Figure 24-3 IPSec Architecture...24-4 Figure 24-4 Transport and Tunnel Mode IPSec Encapsulation...24-5 Figure 25-1 VPN SMT Menu Tree ...25-1 Figure 25-2 Menu 27 — VPN/IPSec Setup ...25-2 Figure 25-3 IPSec Summary Fields ...25-3 Figure 25-4 Telecommuter’s Prestige Configuration...25-5...
  • Page 19 Prestige 652 ADSL Security Router Diagram 5 Boot Module Commands ... E List of Figures...
  • Page 20 Prestige 652 ADSL Security Router List of Tables Table 2-1 Front Panel LED Description... 2-1 Table 2-2 Main Menu Commands... 2-11 Table 2-3 Main Menu Summary ... 2-12 Table 3-1 General Setup Menu Fields... 3-2 Table 3-2 Configure Dynamic DNS Menu Fields... 3-4 Table 4-1 IP Alias Setup Menu Fields...
  • Page 21 Prestige 652 ADSL Security Router Table 9-3 Legal NetBIOS Commands...9-7 Table 9-4 Legal SMTP Commands ...9-7 Table 10-1 View Firewall Log...10-3 Table 11-1 E-mail ... 11-4 Table 11-2 SMTP Error Messages... 11-5 Table 11-3 Attack Alert... 11-9 Table 12-1 Firewall Rules Summary — First Screen ...12-5 Table 12-2 Predefined Services ...12-7...
  • Page 22 Prestige 652 ADSL Security Router Table 19-3 General Commands for GUI-based TFTP Clients ... 19-6 Table 20-1 Budget Management ... 20-3 Table 20-2 Time and Date Setting Fields ... 20-5 Table 21-1 Menu 24.11 – Remote Management Control ... 21-3 Table 22-1 IP Routing Policy Setup ...
  • Page 23: Related Documentation

    About This User's Guide This User's Guide covers all aspects of the Prestige 652 operations and shows you how to use the SMT to get the best out of its multiple advanced features. It is designed to guide you through the correct configuration of your Prestige 652 for various applications.
  • Page 24: Syntax Conventions

    • The Prestige 652 ADSL Router with VPN and Firewall may be referred to as the P652 or the Prestige in this User’s Guide. The following section offers some background information on DSL. Skip it if you wish to begin working with your router right away.
  • Page 25 Prestige 652 ADSL Security Router What is DSL? DSL (Digital Subscriber Line) technology enhances the data capacity of the existing twisted-pair wire that runs between the local telephone company switching offices and most homes and offices. While the wire itself can handle higher frequencies, the telephone switching equipment is designed to cut off signals above 4,000 Hz to filter noise off the voice line, but now everybody is searching for ways to get more bandwidth to improve access to the Web - hence DSL technologies.
  • Page 27: Getting Started

    Getting Started GETTING STARTED This part is structured as a step-by-step guide to help you connect, install and set up your Prestige to operate on your network and to access the Internet. Described are Key Features and Applications, Hardware Installation, Initial Setup and Internet Access.
  • Page 29: Chapter 1 Getting To Know Your Prestige

    The Prestige provides not only ease of installation and high-speed Internet access, but also a complete security solution. The Prestige 652 combines an ADSL router with a robust firewall and VPN capability. The web browser-based Graphical User Interface provides easy management and is totally independent of the operating system platform you use.
  • Page 30 Prestige 652 ADSL Security Router You can configure most features of the Prestige via SMT but we recommend you configure the firewall and content filters using the Prestige Web Configurator. • Content Filtering The Prestige can block specific URLs by using the keyword blocking feature.
  • Page 31: Protocol Support

    ♦ PPP (Point-to-Point Protocol) link layer protocol. ♦ Transparent bridging for unsupported network layer protocols. ♦ RIP I/RIP II ♦ IGMP Proxy Getting To Know Your Prestige Prestige 652 ADSL Security Router...
  • Page 32: Networking Compatibility

    Prestige 652 ADSL Security Router ♦ ICMP support ♦ IP QoS support ♦ MIB II support (RFC 1213) Networking Compatibility Your Prestige is compatible with the major ADSL DSLAM (Digital Subscriber Line Access Multiplexer) providers, making configuration as simple as possible for you.
  • Page 33: Applications For The Prestige 652

    Your Prestige's all new compact and ventilated housing minimizes space requirements making it easy to position anywhere in your busy office. Applications for the Prestige 652 1.3.1 Internet Access The Prestige is the ideal high-speed Internet access solution. Your Prestige supports the TCP/IP protocol, which the Internet uses exclusively.
  • Page 34: Figure 1-1 Internet Access Application

    Prestige 652 ADSL Security Router Figure 1-1 Internet Access Application Internet Single User Account For a SOHO (Small Office/Home Office) environment, your Prestige offers the Network Address Translation (NAT) feature that allows multiple users on the LAN (Local Area Network) to access the Internet concurrently for the cost of a single IP address.
  • Page 35: Figure 1-3 Lan-To-Lan Application

    1.3.3 LAN to LAN Application You can use the Prestige to connect two geographically dispersed networks over the ADSL line. A typical LAN-to-LAN application for your Prestige is shown as follows. Figure 1-3 LAN-to-LAN Application 1.3.4 VPN Application...
  • Page 36: Figure 1-4 Vpn Application

    Prestige 652 ADSL Security Router Figure 1-4 VPN Application Getting To Know Your Prestige...
  • Page 37: Chapter 2 Hardware Installation And Initial Setup

    The Prestige is rebooting. The Prestige is not ready or has malfunctioned. The Prestige is not receiving enough power. The Prestige is connected to the PPPoE server. There is no connection to the PPPoE server. Prestige 652 ADSL Security Router Chapter 2 DESCRIPTION...
  • Page 38: Rear Panel And Connections

    Prestige 652 ADSL Security Router COLOR LAN 10M Green LAN 100M Orange This LED is reserved for a feature to be available in the future. xDSL Green Green Rear Panel and Connections The following figure shows the rear panel of your Prestige.
  • Page 39: Additional Installation Requirements

    2.2.1 xDSL Port Connect the Prestige directly to the wall jack using a DSL cable (telephone wire). Connect a microfilter(s) between the wall jack and your telephone(s). A microfilter acts as a low-pass filter (voice transmission takes place in the 0 to 4 kHz bandwidth) and is an optional purchase.
  • Page 40: P652 With Pots

    Prestige 652 ADSL Security Router A computer equipped with communications software (for example, Hyper Terminal in Windows 95) configured to the following parameters: VT100 terminal emulation. 9600 baud rate. Parity set to none, 8 data bits, 1 stop bit. Flow control set to none.
  • Page 41: Figure 2-3 Connecting A Pots Splitter

    Connect another cable from the double jack end of the Y-Connector to the Prestige. Step 4. Connect the “phone side” of the microfilter to your telephone as shown in the following figure. Hardware Installation and Initial Setup Figure 2-3 Connecting a POTS Splitter Prestige 652 ADSL Security Router...
  • Page 42: P652 With Isdn

    Prestige 652 ADSL Security Router Figure 2-4 Connecting a Microfilter P652 with ISDN This section relates to people who use their P652 with ADSL over ISDN (digital telephone service) only. The following is an example installation for the P652 with ISDN.
  • Page 43: Turning On Your Prestige

    When you turn on your Prestige, it performs several internal tests as well as line initialization. After the initialization, the Prestige asks you to press [ENTER] to continue, as shown. Copyright (c) 1994 - 2002 ZyXEL Communications Corp. initialize ch = 0, ethernet address: 00:a0:c5:01:23:45 Wan Channel init ...
  • Page 44: Resetting The Prestige

    Resetting the Prestige If you forget your password or cannot access the Prestige, you will need to reload the factory-default configuration file. Uploading this configuration file replaces the current configuration file with the factory-default configuration file. This means that you will lose all configurations that you had previously and the speed of the console port will be reset to the default of 9600bps with 8 data bits, no parity, one stop bit and flow control set to none.
  • Page 45: Procedure To Use The Reset Button

    10 or 15 seconds. This indicates that the defaults have been restored and the Prestige is now restarting. Release the RESET button and wait for the Prestige to finish restarting. Hardware Installation and Initial Setup Prestige 652 ADSL Security Router...
  • Page 46: Navigating The Smt Interface

    Prestige 652 ADSL Security Router 2.8.3 Prestige 652 SMT Menu Overview The following figure gives you an overview of the various SMT menu screens of your Prestige. Figure 2-8 SMT Menu Overview Navigating the SMT Interface The SMT (System Management Terminal) is the interface that you use to configure your Prestige.
  • Page 47: Table 2-2 Main Menu Commands

    “Press ENTER to confirm or ESC to cancel”. Saving the data on the screen will take you, in most cases, to the previous menu. Type 99 at the main menu prompt and press [ENTER] to exit the SMT interface.
  • Page 48: Figure 2-9 Smt Main Menu

    Prestige 652 ADSL Security Router Copyright (c) 1994 - 2002 ZyXEL Communications Corp. Getting Started 1. General Setup 3. LAN Setup 4. Internet Access Setup Advanced Applications 11. Remote Node Setup 12. Static Routing Setup 15. NAT Setup 2.9.1 System Management Terminal Interface Summary...
  • Page 49: Changing The System Password

    Use this to exit from SMT and return to a blank screen. Menu 23 – System Password Old Password= **** New Password= ? Retype to confirm= ? Enter here to CONFIRM or ESC to CANCEL: Prestige 652 ADSL Security Router DESCRIPTION 2-13...
  • Page 51: Chapter 3 General Setup

    First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a DNS name. General Setup Prestige 652 ADSL Security Router Chapter 3 General Setup...
  • Page 52: General Setup

    Prestige 652 ADSL Security Router To use this service, you must register with the Dynamic DNS service provider. The Dynamic DNS service provider will give you a password or key. The Prestige supports www.dyndns.org. You can apply to this service provider for Dynamic DNS service.
  • Page 53: Figure 3-2 Configure Dynamic Dns

    Service Provider= WWW.DynDNS.ORG Active= Yes Host= EMAIL= USER= Password= ******** Enable Wildcard= No General Setup Menu 1.1 - Configure Dynamic DNS Press ENTER to confirm or ESC to cancel: Figure 3-2 Configure Dynamic DNS Prestige 652 ADSL Security Router zyxel.com.tw (default)
  • Page 54: Lan Setup

    Prestige 652 ADSL Security Router Follow the instructions in the next table to configure Dynamic DNS parameters. Table 3-2 Configure Dynamic DNS Menu Fields FIELD Service Provider This is the name of your Dynamic DNS service provider. Press [SPACE BAR] to select Yes and then press [ENTER] to Active enable dynamic DNS.
  • Page 55: Protocol Dependent Ethernet Setup

    Figure 3-3 Menu 3 — Ethernet Setup Menu 3.1 - LAN Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: Prestige 652 ADSL Security Router...
  • Page 57: Chapter 4 Internet Access

    The actual physical connection determines whether the Prestige ports are LAN or WAN ports. There are two separate IP networks: one inside, the LAN network; the other outside, the WAN network, as shown next.
  • Page 58: Tcp/Ip Parameters

    Prestige 652 ADSL Security Router Figure 4-1 LAN & WAN IPs TCP/IP Parameters 4.3.1 IP Address and Subnet Mask Like houses on a street that share a common street name, the computers on a LAN share one common network number.
  • Page 59: Private Ip Addresses

    RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting.
  • Page 60: Dhcp Configuration

    Prestige 652 ADSL Security Router 4.3.4 DHCP Configuration DHCP (Dynamic Host Configuration Protocol) allows the individual clients (computers) to obtain the TCP/IP configuration at start-up from a centralized DHCP server. The Prestige has built-in DHCP server capability, enabled by default, which means it can assign IP addresses, an IP default gateway and DNS servers to Windows 95, Windows NT and other systems that support the DHCP client.
  • Page 61: Ip Multicast

    IP Alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The Prestige supports three logical LAN interfaces via its single physical Ethernet interface with the Prestige itself as the gateway for each LAN network. Internet Access Prestige 652 ADSL Security Router...
  • Page 62: Figure 4-2 Physical Network

    Prestige 652 ADSL Security Router Figure 4-2 Physical Network Use menu 3.2.1 to configure IP Alias on your Prestige. 4.6.1 IP Alias Setup Use menu 3.2 to configure the first network. Move the cursor to Edit IP Alias field and press [SPACEBAR] to choose Yes and press [ENTER] to configure the second and third network.
  • Page 63: Figure 4-5 Menu 3.2.1 - Ip Alias Setup

    ] to select the RIP direction. Choices are None, to select the RIP version. Choices are RIP-1, ENTER ] at the prompt “Press ENTER to Confirm…” to ] at any time to cancel. Prestige 652 ADSL Security Router EXAMPLE 192.168.2.1 255.255.255.0 None...
  • Page 64: Route Ip Setup

    Prestige 652 ADSL Security Router Route IP Setup The first step is to enable the IP routing in Menu 1 - General Setup. To edit menu 1, type in 1 in the main menu and press [ENTER]. Set the Route IP field to Yes by pressing [SPACE BAR].
  • Page 65: Figure 4-7 Menu 3.2 - Tcp/Ip And Dhcp Ethernet Setup

    This field specifies the first of the contiguous addresses in the IP Address address pool. Size of Client IP Pool This field specifies the size or count of the IP address pool. Internet Access Prestige 652 ADSL Security Router DESCRIPTION First address in the IP Pool Size of the IP...
  • Page 66: Table 4-3 Tcp/Ip Ethernet Setup Menu Fields

    Prestige 652 ADSL Security Router FIELD Primary DNS Server Enter the IP addresses of the DNS servers. The DNS servers are passed to the DHCP clients along with the IP address and Secondary DNS Server the subnet mask. Remote DHCP Server If Relay is selected in the DHCP field above then enter the IP address of the actual remote DHCP server here.
  • Page 67: Vpi And Vci

    Prestige 652 ADSL Security Router VPI and VCI Be sure to use the correct Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) numbers supplied by your telephone company. The valid range for the VPI is 0 to 255 and for the VCI is 32 to 65535 (0 to 31 is reserved for local management of ATM traffic).
  • Page 68: Ip Address Assignment

    4.11.2 PPP over Ethernet PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP. The Prestige bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your computer to an ATM PVC (Permanent Virtual Circuit) which connects to an xDSL Access Concentrator where the PPP session terminates.
  • Page 69: Internet Access Configuration

    PPPoE or PPP server. IP Address Enter your IP address if it is not dynamically assigned. Network Address Translation Full Feature, SUA Only or None. Internet Access Table 4-4 Internet Account Information DESCRIPTION YOUR INFO 4-13...
  • Page 70: Traffic Shaping

    Prestige 652 ADSL Security Router FIELD DNS Server Primary DNS server Address Secondary DNS server Assignment Enter when using RFC 1483 Encapsulation or a static IP address. ENET ENCAP IP Address Gateway Gateway IP Address Enter when using ENET ENCAP Encapsulation.
  • Page 71: Figure 4-8 Example Of Traffic Shaping

    My Password= N/A ENET ENCAP Gateway= N/A IP Address Assignment= Static IP Address= 0.0.0.0 Network Address Translation= SUA Only Address Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel: Figure 4-9 Internet Access Setup Prestige 652 ADSL Security Router 4-15...
  • Page 72: Table 4-5 Internet Access Setup Menu Fields

    Prestige 652 ADSL Security Router Table 4-5 Internet Access Setup Menu Fields FIELD ISP’s Name Enter the name of your Internet Service Provider. This information is for identification purposes only. Encapsulation Press [ used by your ISP. Choices are PPPoE, PPPoA, RFC 1483 or ENET ENCAP.
  • Page 73 Internet Access DESCRIPTION SPACE BAR ] to select None, SUA Only or Full ENTER ] at the prompt “Press ENTER to Confirm…” to save ] at any time to cancel. Prestige 652 ADSL Security Router EXAMPLE SUA Only 4-17...
  • Page 74: Advanced Applications

    Advanced Applications ADVANCED APPLICATIONS This part shows how to configure Remote Nodes, Remote Node TCP/IP and NAT.
  • Page 75: Chapter 5 Remote Node Configuration

    Remote Node Configuration Remote Node Configuration Menu 11 - Remote Node Setup 1. ChangeMe (ISP, SUA) 2. ________ 3. ________ 4. ________ 5. ________ 6. ________ 7. ________ 8. ________ Enter Node # to Edit: Prestige 652 ADSL Security Router Chapter 5...
  • Page 76: Encapsulation And Multiplexing Scenarios

    Prestige 652 ADSL Security Router 5.1.2 Encapsulation and Multiplexing Scenarios For Internet access you should use the encapsulation and multiplexing methods used by your ISP. Consult your telephone company for information on encapsulation and multiplexing methods for LAN-to-LAN applications, for example between a branch office and corporate headquarters. There must be prior agreement on encapsulation and multiplexing methods because they cannot be automatically determined.
  • Page 77: Figure 5-2 Menu 11.1 - Remote Node Profile

    Allocated Budget(min)= 0 Period (hr)= 0 Schedule Sets= N/A Nailed-Up Connection= N/A Session Options: Edit Filter Sets= No Idle Timeout (sec)= 0 Press ENTER to Confirm or ESC to Cancel: DESCRIPTION Prestige 652 ADSL Security Router EXAMPLE ChangeMe PPPoA LLC-based...
  • Page 78 Prestige 652 ADSL Security Router FIELD Service Name When using PPPoE encapsulation, type the name of your PPPoE service here. Incoming: Type the login name that this remote node will use to call your Prestige. The login name and the Rem Password will be used to Rem Login authenticate this node.
  • Page 79: Remote Node Setup

    Step 2. Move the cursor to the Edit IP/Bridge field, press [SPACE BAR] to select Yes, then press [ENTER] to display Menu 11.3 – Remote Node Network Layer Options. Remote Node Configuration Prestige 652 ADSL Security Router DESCRIPTION EXAMPLE (default)
  • Page 80: Figure 5-3 Remote Node Network Layer Options

    Prestige 652 ADSL Security Router IP Options: IP Address Assignment= Static Rem IP Addr: 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0 NAT= SUA Only Address Mapping Set=2 Metric= 2 Private= No RIP Direction= None Version= RIP-1 Multicast= None...
  • Page 81: Remote Node Filter

    NetBIOS packets. Include this in the call filter sets (call protocol filter = 1) when using PPPoE if you want to prevent NetBIOS packets from triggering calls to a remote node. Remote Node Configuration Prestige 652 ADSL Security Router DESCRIPTION EXAMPLE...
  • Page 82: Figure 5-4 Menu 11.5 - Remote Node Filter

    Prestige 652 ADSL Security Router Enter here to CONFIRM or ESC to CANCEL: Figure 5-4 Menu 11.5 — Remote Node Filter Figure 5-5 Menu 11.5 — Remote Node Filter (PPPoE or PPP Encapsulation) Menu 11.5 - Remote Node Filter Input Filter Sets:...
  • Page 83: Chapter 6 Remote Node Tcp/Ip Configuration

    VCI #= 35 ATM QoS Type= 0 Peak Cell Rate (PCR)= 0 Sustain Cell Rate (SCR)= 0 Maximum Burst Size (MBR)= 0 Prestige 652 ADSL Security Router Chapter 6 Separate VPI and VCI numbers must be specified for each protocol.
  • Page 84: Figure 6-2 Menu 11.6 For Llc-Based Multiplexing Or Pppoa Or Pppoe Encapsulation

    Prestige 652 ADSL Security Router LLC-based Multiplexing or PPPoA or PPPoE Encapsulation For LLC-based multiplexing or PPP or PPPoE encapsulation, one VC carries multiple protocols with protocol identifying information being contained in each packet header. Menu 11.6 - Remote Node ATM Layer Options...
  • Page 85: Figure 6-3 Sample Ip Addresses For A Tcp/Ip Lan-To-Lan Connection

    Make sure IP is among the protocols in the Route field in Menu 11.1 – Remote Node Profile. Press [SPACE BAR] to select Yes and press [ENTER] to display menu. Edit IP/Bridge Remote Node TCP/IP Configuration Prestige 652 ADSL Security Router DESCRIPTION EXAMPLE...
  • Page 86: Figure 6-4 Remote Node Network Layer Options

    Prestige 652 ADSL Security Router IP Options: IP Address Assignment= Static Rem IP Addr: 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0 NAT= Full Feature Address Mapping Set=2 Metric= 2 Private= No RIP Direction= Both Version= RIP-2B Multicast= IGMP-v2...
  • Page 87: Ip Static Route Setup

    For instance, the Prestige knows about network N2 in the following figure through remote node Router 1. However, the Prestige is unable to route a packet to Remote Node TCP/IP Configuration Prestige 652 ADSL Security Router DESCRIPTION EXAMPLE...
  • Page 88: Figure 6-5 Sample Static Routing Topology

    Prestige 652 ADSL Security Router network N3 because it does not know that there is a route through remote node Router 1 (via Router 2). The static routes allow you to tell the Prestige about the networks beyond the remote nodes.
  • Page 89: Figure 6-6 Menu 12 - Static Route Setup

    Route Name= ? Active= No Destination IP Address= ? IP Subnet Mask= ? Gateway IP Address= ? Metric= 2 Private= No Press ENTER to Confirm or ESC to Cancel: Figure 6-8 Edit IP Static Route Prestige 652 ADSL Security Router...
  • Page 90: Table 6-3 Edit Ip Static Route Menu Fields

    Prestige 652 ADSL Security Router The following table describes the fields for Menu 12.1.1 – Edit IP Static Route Setup. Table 6-3 Edit IP Static Route Menu Fields FIELD Route # This is the index number of the static route that you chose in menu 12.1.
  • Page 91: Chapter 7 Bridging Setup

    Move the cursor to the Edit IP/Bridge field, then press [SPACE BAR] to set the value to Yes and press [ENTER] to edit Menu 11.3 – Remote Node Network Layer Options. Bridging Setup Prestige 652 ADSL Security Router Chapter 7 Bridging Setup...
  • Page 92: Figure 7-1 Menu 11.3 - Remote Node Bridging Options

    Prestige 652 ADSL Security Router IP Options: IP Address Assignment= Static Rem IP Addr: 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0 NAT= Full Feature Address Mapping Set=2 Metric= 2 Private= No RIP Direction= Both Version= RIP-2B Multicast= IGMP-v2 IP Policies= Figure 7-1 Menu 11.3 —...
  • Page 93: Figure 7-2 Menu 12.3.1 - Edit Bridge Static Route

    [ESC] to cancel and go back to the previous screen. Bridging Setup Menu 12.3.1 - Edit Bridge Static Route Route #: 1 Route Name= Active= No Ether Address= ? IP Address= Gateway Node= 1 Press ENTER to Confirm or ESC to Cancel: DESCRIPTION Prestige 652 ADSL Security Router...
  • Page 95: Chapter 8 Network Address Translation (Nat)

    This refers to the packet address (source or destination) as the packet travels on the LAN. Global This refers to the packet address (source or destination) as the packet travels on the WAN. This chapter discusses how to configure NAT on the Prestige. Table 8-1 NAT Definitions DESCRIPTION Prestige 652 ADSL Security Router Chapter 8...
  • Page 96: What Nat Does

    Prestige 652 ADSL Security Router NAT never changes the IP address (either local or global) of an outside host. 8.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side.
  • Page 97: Figure 8-1 How Nat Works

    Prestige 652 ADSL Security Router Figure 8-1 How NAT Works 8.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the Prestige can communicate with three distinct WAN networks. More examples follow at...
  • Page 98: Figure 8-2 Nat Application With Ip Alias

    Prestige 652 ADSL Security Router 8.1.5 NAT Mapping Types NAT supports five types of IP/port mapping. They are: 1. One to One: In One-to-One mode, the Prestige maps one local IP address to one global IP address. 2. Many to One: In Many-to-One mode, the Prestige maps multiple local IP addresses to one global IP address.
  • Page 99: Using Nat

    IGA1 ILA2 IGA2 ILA3 IGA1 ILA4 IGA2 … ILA1 IGA1 ILA2 IGA2 ILA3 IGA3 … Server 1 IP IGA1 Server 2 IP IGA1 Server 3 IP IGA1 Prestige 652 ADSL Security Router SMT ABBREVIATION M:M Ov M:M No OV Server...
  • Page 100: Figure 8-3 Menu 4 - Applying Nat For Internet Access

    Prestige 652 ADSL Security Router The Prestige also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types as outlined in Table 8-2. 1. Choose SUA Only if you have just one public WAN IP address for your Prestige.
  • Page 101: Nat Setup

    Prestige); a server rule must be set up inside the NAT Address Mapping set. Please see section 8.4 for Menu 11.3 - Remote Node Network Layer Options Bridge Options: Ethernet Addr Timeout (min)= 0 Press ENTER to Confirm or ESC to Cancel: DESCRIPTION Prestige 652 ADSL Security Router OPTIONS Full Feature None SUA Only...
  • Page 102: Figure 8-5 Menu 15 - Nat Setup

    further information on these menus. To configure NAT, enter 15 from the main menu to bring up the following screen.

    8.3.1 Address Mapping Sets

    Enter 1 to bring up Menu 15.1 — Address Mapping Sets.
  • Page 103: Figure 8-7 Menu 15.1.255 - Sua Address Mapping Rules

    Menu 15.1.255 - Address Mapping Rules Local End IP Global Start IP --------------- --------------- 255.255.255.255 0.0.0.0 0.0.0.0 Menu 15.1.255 is read-only. Table 8-4 SUA Address Mapping Rules DESCRIPTION Global End IP Type --------------- ------ Server EXAMPLE (default) 0.0.0.0 255.255.255.255 0.0.0.0...
  • Page 104: Figure 8-8 Menu 15.1.1 - First Set

    FIELD Type These are the mapping types discussed above (see Table 8-2). Server allows us to specify multiple servers of different types behind NAT to this machine. See later for some examples. Once you have finished configuring a rule in this menu, press [ENTER] at the message “Press ENTER to Confirm…”...
  • Page 105 Address Mapping Rule in which you can edit an individual rule and configure the Type, Local and Global Start/End IPs. An End IP address must be numerically greater than its corresponding IP Start address. Table 8-5 Fields in Menu 15.1.1 DESCRIPTION EXAMPLE NAT_SET Edit...
  • Page 106: Figure 8-9 Menu 15.1.1.1 - Editing/Configuring An Individual Rule In A Set

    Type= One-to-One
    Local IP:
    Global IP:
    Server Mapping Set= N/A
    Press Space Bar to Toggle.

    Figure 8-9 Menu 15.1.1.1 — Editing/Configuring an Individual Rule in a Set

    Table 8-6 Menu 15.1.1.1 — Editing/Configuring an Individual Rule in a Set...
  • Page 107: Nat Server Sets - Port Forwarding

    Please also refer to the included disk for more examples and details on NAT.

    Table 8-7 Services & Port Numbers

    SERVICES:
    ECHO
    FTP (File Transfer Protocol)
    Telnet
    SMTP (Simple Mail Transfer Protocol)
    DNS (Domain Name System)
    Finger

    DESCRIPTION EXAMPLE PORT NUMBER...
  • Page 108: Figure 8-10 Menu 15.2 - Nat Server Setup

    HTTP (Hyper Text Transfer protocol or WWW, Web)
    POP3 (Post Office Protocol)
    NNTP (Network News Transport Protocol)
    SNMP (Simple Network Management Protocol)
    SNMP trap
    PPTP (Point-to-Point Tunneling Protocol)

    8.4.1 Configuring a Server behind NAT

    Follow these steps to configure a server behind NAT:

    Step 1.
  • Page 109: Figure 8-11 Menu 15.2.1 - Nat Server Setup

    [ESC] at any time to cancel. Start Port No. End Port No. Default Default Press ENTER to Confirm or ESC to Cancel: IP Address 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0...
  • Page 110: Figure 8-12 Multiple Servers Behind Nat Example

    Figure 8-12 Multiple Servers Behind NAT Example...
  • Page 111: General Nat Examples

    Sustained Cell Rate (SCR)= 0
    Maximum Burst Size (MBS)= 0
    My Login= N/A
    My Password= N/A
    ENET ENCAP Gateway= N/A
    IP Address Assignment= Static
    IP Address= 0.0.0.0
    Network Address Translation= SUA Only
    Address Mapping Set=...
  • Page 112: Figure 8-15 Nat Example 2

    From menu 4, choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section 8.5. The SUA Only read-only option from the Network Address Translation field in menus 4 and 11.3 is specifically pre-configured to handle this case.
  • Page 113: Figure 8-16 Menu 15.2.1 - Specifying An Inside Server

    Menu 15.2.1 - NAT Server Setup (Used for SUA Only) Rule Start Port No. End Port No. --------------------------------------------------- Default Default Press ENTER to Confirm or ESC to Cancel: IP Address 192.168.1.10 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0...
  • Page 114: Figure 8-17 Nat Example 3

    Step 1. In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.3) in Figure 8-18.
  • Page 115: Figure 8-18 Example 3: Menu 11.3

    Press ENTER to Confirm or ESC to Cancel:

    Figure 8-18 Example 3: Menu 11.3

    Menu 15.1.1.1 Address Mapping Rule
    = N/A
    = N/A
    Press ENTER to Confirm or ESC to Cancel:

    Figure 8-19 Example 3: Menu 15.1.1.1...
  • Page 116 Set Name= Example3 Local Start IP --------------- 1. 192.168.1.10 192.168.1.11 3. 0.0.0.0 Now configure the IGA3 to map to our web server and mail server on the LAN. Step 8. Enter 15 from the main menu.
  • Page 117: Figure 8-21 Nat Example 4

    Start Port No. End Port No. Default Default Press ENTER to Confirm or ESC to Cancel: Example 3: Menu 15.2.1 Figure 8-21 NAT Example 4 (Used for SUA Only) IP Address 0.0.0.0 192.168.1.21 192.168.1.20 0.0.0.0 0.0.0.0...
  • Page 118: Figure 8-22 Example 4: Menu 15.1.1.1 - Address Mapping Rule

    Other applications such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream. These applications won’t work through NAT even when using One-to-One and Many-to-Many No Overload

    Follow the steps outlined in example 3 to configure these two menus as follows.
  • Page 119: Figure 8-23 Example 4: Menu 15.1.1 - Address Mapping Rules

    Menu 15.1.1 - Address Mapping Rules
    Local End IP     Global Start IP  Global End IP    Type
    ---------------  ---------------  ---------------  ------
    192.168.1.12     10.132.50.1      10.132.50.3      M:M NO OV
    Action= Edit   Select Rule=
    Press ENTER to Confirm or ESC to Cancel:...
  • Page 120: Firewall And Content Filters

    Firewall and Content Filters

    Part III introduces firewalls in general and the Prestige firewall. It also explains customized services and logs and gives example firewall rules and an overview of content filtering.
  • Page 122: Chapter 9 Firewalls

    Internet services, such as HTTP, FTP and telnet, they can evaluate network packets for valid application-specific data. Application-level gateways have a number of general advantages over the default mode of permitting application traffic directly to internal hosts: Chapter 9 Firewalls the Prestige firewall.
  • Page 123: Introduction To Zyxel's Firewall

    Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging.
  • Page 124: Denial Of Service

    Figure 9-1 Prestige Firewall Application

    Denial of Service

    Denials of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
  • Page 125: Types Of Dos Attacks

    9.4.2 Types of DoS Attacks

    There are four types of DoS attacks:

    1. Those that exploit bugs in a TCP/IP implementation.
    2. Those that exploit weaknesses in the TCP/IP specification.
    3. Brute-force attacks that flood a network with useless data.
    4.
  • Page 126: Figure 9-2 Three-Way Handshake

    (which is set at relatively long intervals) terminates the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users. Figure 9-2 Three-Way Handshake Figure 9-3 SYN Flood...
  • Page 127: Figure 9-4 Smurf Attack

    2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself. 3.
  • Page 128: Stateful Inspection

    Allows all sessions originating from the LAN (local network) to the WAN (Internet).

    Table 9-3 Legal NetBIOS Commands: MESSAGE: REQUEST: POSITIVE: NEGATIVE: RETARGET: KEEPALIVE:

    Table 9-4 Legal SMTP Commands: ETRN EXPN HELO SAML SEND SOML HELP MAIL NOOP TURN VRFY...
  • Page 129: Figure 9-5 Stateful Inspection

    Denies all sessions originating from the WAN to the LAN. The previous figure shows the Prestige’s default firewall rules in action as well as demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed.
  • Page 130: Stateful Inspection And The Prestige

    Restrict use of certain protocols, such as Telnet, to authorized users on the LAN. These custom rules work by evaluating the network traffic’s Source IP address, Destination IP address, IP protocol type, and comparing these to rules set by the administrator...
  • Page 131: Tcp Security

    The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet. Use extreme caution when creating or deleting firewall rules. Test changes after creating them to make sure they work correctly.
  • Page 132: Guidelines For Enhancing Security With Your Firewall

    6. Protect against IP spoofing by making sure the firewall is active.
    7. Keep the firewall in a secured (locked) room...
  • Page 133: Packet Filtering Vs Firewall

    9.6.1 Security In General

    You can never be too careful! Factors outside your firewall, filtering or NAT can cause security breaches. Below are some generalizations about what you can do to minimize them.

    1. Encourage your company or organization to develop a comprehensive security plan. Good network administration takes into account what hackers can do and prepares against attacks.
  • Page 134: Packet Filtering

    1. To prevent DoS attacks and prevent hackers cracking your network.
    2. A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule making the firewall a better choice when complex rules are required...
  • Page 135 3. To selectively block/allow inbound or outbound traffic between inside host/networks and outside host/networks. Remember that filters can not distinguish traffic originating from an inside host or an outside host by IP address. 4. The firewall performs better than filtering if you need to check many rules. 5.
  • Page 136: Chapter 10 Introducing The Prestige Firewall

    Chapter 10 Introducing the Prestige Firewall

    This chapter shows you how to get started with the Prestige firewall.

    Menu 21 - Filter and Firewall Setup
    1. Filter Setup
    2. Firewall Setup
    3. View Firewall Log...
  • Page 137: Figure 10-2 Menu 21.2 - Firewall Setup

    10.3.1 Activating the Firewall

    Enter option 2 in this menu to bring up the following screen. Press [SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks.
  • Page 138: Table 10-1 View Firewall Log

    After viewing the firewall log, ENTER “y” to clear the log or “n” to retain it. With either option you will be returned to Menu 21 - Filter and Firewall Setup.

    Table 10-1 View Firewall Log DESCRIPTION EXAMPLES mm:dd:yy e.g., Jan 1 00 hh:mm:ss e.g., 00:00:00...
  • Page 140: Chapter 11 Using The Prestige Web Configurator

    Use the help icon (located in the upper right portion of most screens) for explanations of fields and choices. If you forget your password, refer to the Resetting the Prestige section to see how to reset the default configuration file...
  • Page 141: Enabling The Firewall

    11.2 Enabling the Firewall

    Click Advanced Setup, Firewall, and then Config to display the following screen. Click the Firewall Enabled check box to enable (or activate) the firewall.

    Figure 11-1 Enabling the Firewall

    11.3 E-mail

    The E-mail screen allows you to specify your mail server, where e-mail alerts should be sent as well as when and how often they should be sent.
  • Page 142: Figure 11-2 E-Mail Screen

    you. Enter the complete e-mail address to which alert messages will be sent in the E-mail Alerts To field and schedule times for sending alerts in the Log Timer fields in the E-mail screen (following screen).
  • Page 143: Table 11-1 E-Mail

    The following table describes the fields in this screen. FIELD Address Info Mail Server Enter the IP address of your mail server in dotted decimal notation. Your Internet Service Provider (ISP) should be able to provide this information. If this field is left blank, log and alert messages will not be sent via e-mail.
  • Page 144: Table 11-2 Smtp Error Messages

    -2 means tcp SYN fail
    -3 means smtp server OK fail
    -4 means HELO fail
    -5 means MAIL FROM fail
    -6 means RCPT TO fail
    -7 means DATA fail
    -8 means mail data send fail...
  • Page 145: Attack Alert

    Subject: Firewall Alert From Prestige
    Date: Fri, 07 Apr 2000 10:05:42
    From: user@zyxel.com user@zyxel.com
    1|Apr 7 00 |From:192.168.1.1 |forward | 09:54:03 |UDP src port:00520 dest port:00520
    2|Apr 7 00 |From:192.168.1.131 |forward | 09:54:17 |UDP src port:00520 dest port:00520
    3|Apr 7 00 |From:192.168.1.6...
  • Page 146: Tcp Maximum Incomplete And Blocking Time

    This ensures that the number of half-open sessions to a given host will never exceed the threshold...
  • Page 147: Figure 11-4 Attack Alert

    2. If the Blocking Time timeout is greater than 0, then the Prestige blocks all new connection requests to the host giving the server time to handle the present connections. The Prestige continues to block all new connection requests until the Blocking Time expires. The Prestige also sends alerts whenever TCP Maximum Incomplete is exceeded.
  • Page 148: Table 11-3 Attack Alert

    When the number of existing half-open sessions rises above this number, the Prestige Table 11-3 Attack Alert DESCRIPTION DEFAULT VALUES 80 existing half-open sessions.
  • Page 149 FIELD deletes half-open sessions as required to accommodate new connection requests. Do not set Maximum Incomplete High to lower than the current Maximum Incomplete Low number. TCP Maximum Incomplete: This is the number of existing half-open TCP sessions with the same destination host IP address that causes the firewall to start dropping half-open sessions to that same destination host IP address.
  • Page 150: Chapter 12 Creating Custom Rules

    “This allows a remote Lotus Notes server to synchronize over the Internet to an inside Notes server.”

    2. Is the intent of the rule to forward or block traffic?...
  • Page 151: Security Ramifications

    3. What is the direction connection: from the LAN to the Internet, or from the Internet to the LAN?
    4. What IP services will be affected?
    5. What computers on the LAN are to be affected (if any)?
    6. What computers on the Internet will be affected? The more specific, the better. For example, if traffic is being allowed from the Internet to the LAN, it is better to allow only certain machines on the Internet to access the LAN.
  • Page 152: Connection Direction

    Source Address: What is the connection’s source address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet?

    Destination Address: What is the connection’s destination address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet?

    12.3 Connection Direction...
  • Page 153: Rule Summary

    12.3.2 WAN to LAN Rules

    The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it.
  • Page 154: Figure 12-3 Firewall Rules Summary - First Screen

    Make your choice from the drop down list box. Note that “block” means the firewall silently discards the packet. Click this check box to log all matched rules in the ACL OPTIONS Block Forward...
  • Page 155: Predefined Services

    Table 12-1 Firewall Rules Summary — First Screen FIELD The following fields summarize the rules you have created. Note that these fields are read only. Click the tab at the top of the box to order the rules according to that tab. Source IP Destination IP Service...
  • Page 156: Table 12-2 Predefined Services

    Internet Group Multicast Protocol is used when sending packets to a specific group of hosts. A protocol for news groups. Network File System - NFS is a client/server distributed file service that provides transparent file-sharing for network environments...
  • Page 157 Table 12-2 Predefined Services SERVICE: NNTP(TCP:119), PING(ICMP:0), POP3(TCP:110), PPTP(TCP:1723), PPTP_TUNNEL(GRE:0), RCMD(TCP:512), REAL_AUDIO(TCP:7070), REXEC(TCP:514), RLOGIN(TCP:513), RTELNET(TCP:107), RTSP(TCP/UDP:554), SFTP(TCP:115), SMTP(TCP:25), SNMP(TCP/UDP:161), SNMP-TRAPS(TCP/UDP:162), SQL-NET(TCP:1521), SSH(TCP/UDP:22), STRM WORKS(UDP:1558). DESCRIPTION: Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service. Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable.
  • Page 158 Its primary function is to allow users to log into remote host systems. Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). Another videoconferencing solution...
  • Page 159: Figure 12-4 Creating/Editing A Firewall Rule

    Figure 12-4 Creating/Editing A Firewall Rule Table 12-3 Creating/Editing A Firewall Rule FIELD DESCRIPTION OPTIONS Source Address Click SrcAdd to add a new address, SrcEdit to edit SrcAdd...
  • Page 160: Source And Destination Addresses

    To add a new source or destination address, click SrcAdd or DestAdd from the previous screen. To edit an existing source or destination address, select it from the box and click SrcEdit or DestEdit from the previous screen. Either action displays the following screen. DESCRIPTION OPTIONS SrcEdit...
  • Page 161: Figure 12-5 Adding/Editing Source And Destination Addresses

    Figure 12-5 Adding/Editing Source and Destination Addresses Table 12-4 Adding/Editing Source and Destination Addresses FIELD Address Type Do you want your rule to apply to packets with a particular (single) IP address, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an option from the drop down list box Start IP Address Enter the single IP address or the starting IP address in a range...
  • Page 162: Timeout

    12.6 Timeout

    The fields in the Timeout screens are the same for Local and Internet networks, so the discussion below refers to both.

    12.6.1 Factors Influencing Choices for Timeout Values

    The factors influencing choices for timeout values are the same as the factors influencing choices for threshold values –...
  • Page 163: Table 12-5 Timeout Menu

    FIELD TCP Timeout Values Connection Timeout FIN-Wait Timeout Idle Timeout UDP Idle Timeout ICMP Timeout Click Back to return to the previous screen. Click Apply to save your customized settings and exit this screen. Click Reset to return to the previous configuration. Use the Help icon to view field descriptions.
  • Page 164: Chapter 13 Customized Services

    Chapter 13 Customized Services

    This chapter covers creating, viewing and editing custom services.

    13.1 Introduction

    Configure customized services and port numbers not predefined by the Prestige (see Figure 12-4). For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) website.
  • Page 165: Table 13-1 Customized Services

    FIELD Customized Services Name Protocol Port Use the Help icon for field descriptions. When you have finished viewing this screen, click another link to exit. Click Back to return to the previous screen. Table 13-1 Customized Services DESCRIPTION This is the number of your customized port. Click a rule’s number to edit the rule.
  • Page 166: Creating/Editing A Customized Service

    Service Type DESCRIPTION Enter a unique name for your custom port. Choose the IP port (TCP, UDP or TCP/UDP) that defines your customized port from the drop down list box. OPTIONS TCP/UDP...
  • Page 167: Example Dhcp Negotiation And Syslog Connection From The Internet

    Table 13-2 Creating/Editing A Custom Port FIELD Port Configuration Type Port Number Click Back to return to the previous screen. When you have finished, click Apply to save your customized settings and exit this screen, Reset to return to the previously saved settings, Delete to remove this customized service.
  • Page 168: Figure 13-3 Configure Source Ip

    Figure 13-3 Configure Source IP...
  • Page 169: Figure 13-4 Customized Service For Syslog

    Step 5. Click Edit Available Service in the edit rule screen and then click a rule number to bring up the Firewall Customized Services Config screen. Configure as follows. Figure 13-4 Customized Service for Syslog Customized services show up with an “*” before their names in the Services list box and the Rule Summary list box.
  • Page 170: Figure 13-5 Syslog Rule Configuration

    This is the address range of the syslog servers. Click Apply when finished. Figure 13-5 Syslog Rule Configuration This is your Syslog custom port...
  • Page 171: Figure 13-6 Example Rule Summary

    Step 6. On completing the configuration procedure for these Internet firewall rules, the Rule Summary screen should look like the following. Don’t forget to click Apply when you have finished configuring your rule(s) to save your settings back to the Prestige.
  • Page 172: Chapter 14 Logs

    Chapter 14 Logs

    This chapter contains information about using the log screen to view the results of the rules you have configured.

    14.1 Log Screen

    When you configure a new rule you also have the option to log events that match, don’t match (or both) this rule (see Figure 12-4).
  • Page 173: Table 14-1 Log Screen

    FIELD This is the index number of the firewall log. 128 entries are available numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost. Time This is the time the log was recorded in this format.
  • Page 174: Chapter 15 Content Filtering

    15.3 Trusted

    Configure this screen to exclude a computer or a range of computers from content filtering.

    15.4 Logs

    This screen displays the results of your content filter policies...
  • Page 175: Advanced Management

    Advanced Management

    This part discusses Filtering, SNMP, System Information and Diagnosis, Firmware and Configuration File Maintenance, System Maintenance and Information, Remote Management and IP Policy Routing.
  • Page 176: Chapter 16 Filter Configuration

    Drop packet Drop packet if line not up if line not up Send packet but do not reset Idle Timer Chapter 16 Active Data match Initiate call Call Filters if line not up Send packet...
  • Page 177: Figure 16-2 Filter Rule Process

    Two sets of factory filter rules have been configured in menu 21 to prevent NetBIOS traffic from triggering calls. A summary of their filter rules is shown in the figures that follow. The following figure illustrates the logic flow when executing a filter rule.
  • Page 178: Configuring A Filter Set

    Menu 21 - Filter and Firewall Setup
    1. Filter Setup
    2. Firewall Setup
    3. View Firewall Log
    Enter Menu Selection Number:

    Figure 16-4 Menu 21 — Filter and Firewall Setup

    Step 2. Enter 1 to bring up the following menu...
  • Page 179: Figure 16-5 Menu 21.1 - Filter Set Configuration

    Filter Set # ------

    Figure 16-5 Menu 21.1 — Filter Set Configuration

    Step 3. Select the filter set you wish to configure (1-12) and press [ENTER].
    Step 4. Enter a descriptive name or comment in the Edit Comments field and press [ENTER].
  • Page 180: Figure 16-6 Netbios_Wan Filter Rules Summary

    Figure 16-7 NetBIOS _LAN Filter Rules Summary Menu 21.1.2 - Filter Rules Summary Filter Rules Menu 21.1.3 - Filter Rules Summary Filter Rules M m n N D N N D N N D N N D N...
  • Page 181: Figure 16-8 Pppoe Filter Rules Summary

    # A Type
    - - ---- --------------------------------------------------------------- - - -
    1 Y Gen Off=12, Len=2, Mask=ffff, Value=8863
    2 Y Gen Off=12, Len=2, Mask=ffff, Value=8864

    # A Type
    - - ---- --------------------------------------------------------------- - - -
    1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23...
  • Page 182: Table 16-1 Filter Rules Summary Menu Abbreviations

    The protocol dependent filter rules abbreviation are listed as follows:

    FILTER TYPE DESCRIPTION

    Table 16-2 Rule Abbreviations Used

    DESCRIPTION: Protocol, Source Address, Source Port Number, Destination Address, Destination Port Number, Offset, Length...
  • Page 183: Configuring A Filter Rule

    16.3 Configuring a Filter Rule

    To configure a filter rule, type its number in Menu 21.1.1 – Filter Rules Summary and press [ENTER] to open menu 21.1.1.1 for the rule. There are two types of filter rules: TCP/IP and Generic. Depending on the type of rule, the parameters for each type will be different.
  • Page 184: Table 16-3 Tcp/Ip Filter Rule Menu Fields

    This applies only when the IP Protocol field is 6, TCP. If Yes, the rule matches packets that want to establish TCP connection(s) (SYN=1 and ACK=0); else it is ignored. DESCRIPTION EXAMPLE TCP/IP Filter...
  • Page 185 FIELD More If Yes, a matching packet is passed to the next filter rule before an action is taken or else the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched will be N/A.
  • Page 186: Figure 16-11 Executing An Ip Filter

    [Figure 16-11 Executing an IP Filter: flowchart; surviving labels are Not Matched, Check Next Rule, Action Not Matched, Drop, Forward, Drop Packet and Accept Packet]...
  • Page 187: Generic Filter Rule

    16.3.2 Generic Filter Rule

    This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.
  • Page 188: Table 16-4 Generic Filter Rule Menu Fields

    When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen. DESCRIPTION EXAMPLE...
  • Page 189: Filter Types And Nat

    16.4 Filter Types and NAT

    There are two classes of filter rules, Generic Filter Device rules and Protocol Filter (TCP/IP) rules. Generic Filter rules act on the raw data from/to LAN and WAN. Protocol Filter rules act on IP packets.
  • Page 190: Figure 16-14 Sample Telnet Filter

    Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure. Figure 16-14 Sample Telnet Filter...
  • Page 191: Figure 16-15 Sample Filter - Menu 21.1.9.1

    Menu 21.1.9.1 - TCP/IP Filter Rule
    Filter #: 9,1
    Filter Type= TCP/IP Filter Rule
    Active= Yes
    IP Protocol= 6
    Destination: IP Addr= 0.0.0.0
    Source: IP Addr= 0.0.0.0
    TCP Estab= No
    More= No
    Action Matched= Drop...
  • Page 192: Applying Filters And Factory Defaults

    (n = F) if the action is not matched no matter whether there are more rules to be checked (there aren’t in this example). M m n N D F...
  • Page 193: Figure 16-17 Filtering Ethernet Traffic

    FILTER SETS Input Filter Sets: Output Filter Sets: Call Filter Sets:

    16.6.1 Ethernet Traffic

    You seldom need to filter Ethernet traffic; however, the filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and type the number(s) of the filter set(s) that you want to apply as appropriate.
  • Page 194: Figure 16-18 Filtering Remote Node Traffic

    Device filters= Call Filter Sets: protocol filters= 1 device filters= Enter here to CONFIRM or ESC to CANCEL: Apply filter 3 to block Tel, FTP and Web traffic from the WAN Apply filter 1 to...
  • Page 196: Chapter 17 Snmp Configuration

    Chapter 17 SNMP Configuration

    This chapter explains SNMP Configuration menu 22. SNMP is only available if TCP/IP is configured.

    17.1 About SNMP

    Simple Network Management Protocol is a protocol used for exchanging management information between network devices.
  • Page 197: Supported Mibs

    An SNMP managed network consists of two main components: agents and a manager. An agent is a management software module that resides in a managed device (the Prestige). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 198: Figure 17-2 Menu 22 - Snmp Configuration

    Menu 22 - SNMP Configuration
    SNMP:
    Get Community= public
    Set Community= public
    Trusted Host= 0.0.0.0
    Trap:
    Community= public
    Destination= 0.0.0.0
    Press ENTER to Confirm or ESC to Cancel:

    DESCRIPTION EXAMPLE public public 0.0.0.0 public 0.0.0.0...
  • Page 199: Snmp Traps

    17.4 SNMP Traps

    The Prestige will send traps to the SNMP manager when any one of the following events occurs:

    TRAP # TRAP NAME
    coldStart (defined in RFC-1215)
    warmStart (defined in RFC-1215)
    linkUp (defined in RFC-1215)...
  • Page 200: Chapter 18 System Information And Diagnosis

    [ESC] takes you back to the previous screen. The following table describes the fields present in Menu 24.1 READ-ONLY and meant for diagnostic purposes. System Information and Diagnosis Prestige 652 ADSL Security Router System Maintenance, as shown in the following figure. – Menu 24 - System Maintenance...
  • Page 201 Prestige 652 ADSL Security Router Node-Lnk Status 1-ENET My WAN IP (from ISP) : Ethernet: Status: 10M/Half Duplex Collisions: 0 CPU Load= 3.8% Figure 18-2 Menu 24.1 The following table describes the fields present in Menu 24.1 Table 18-1 System Maintenance...
  • Page 202: System Information And Console Port Speed

    Enter 1 in menu 24.2 to display the screen shown next. System Information and Diagnosis DESCRIPTION Menu 24.2 - System Information and Console Port Speed 1. System Information 2. Console Port Speed Please enter selection: Prestige 652 ADSL Security Router 18-3...
  • Page 203: Figure 18-4 Menu 24.2.1 - System Maintenance - Information

    Refers to the routing protocol used. ZyNOS F/W Version Refers to the ZyNOS (ZyXEL Network Operating System) system firmware version. ZyNOS is a registered trademark of ZyXEL Communications Corporation. ADSL Chipset Vendor Displays the vendor of the ADSL chipset and DSL version.
  • Page 204: Log And Trace

    System Information and Diagnosis Console Port Speed: 9600 Press ENTER to Confirm or ESC to Cancel: Menu 24.3 - System Maintenance - Log and Trace 1. View Error Log 2. UNIX Syslog Please enter selection Prestige 652 ADSL Security Router 18-5...
  • Page 205: Figure 18-7 Sample Error And Information Messages

    After the Prestige finishes displaying the error log, you will have the option to clear it. Samples of typical error and information messages are presented in the next figure. 59 Thu Jan 01 00:00:03 1970 PP0f...
  • Page 206: Table 18-3 System Maintenance Menu - Syslog Parameters

    Protocol: (1:IP 2:IPX 3:IPXHC 4:BPDU 5:ATALK 6:IPNG) Data: We will send forty-eight Hex characters to the server Jul 19 11:28:39 192.168.102.2 ZYXEL: Packet Trigger: Protocol=1, Data=4500003c100100001f010004c0a86614ca849a7b08004a5c020001006162636465666768696a6b6c6d6e6f70717273 DESCRIPTION 1 - CDR 2 - Packet Triggered...
  • Page 207: Diagnostic

    Jul 19 11:28:56 192.168.102.2 ZYXEL: Packet Trigger: Protocol=1, Data=4500002c1b0140001f06b50ec0a86614ca849a7b0427001700195b3e00000000600220008cd40000020405b4 Jul 19 11:29:06 192.168.102.2 ZYXEL: Packet Trigger: Protocol=1, Data=45000028240140001f06ac12c0a86614ca849a7b0427001700195b451d1430135004000077600000 SdcmdSyslogSend (SYSLOG_FILLOG, SYSLOG_NOTICE, String); String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m), drop (D).
  • Page 208: Command Interpreter Mode

    ? at the command prompt. Copyright (c) 1994 - 2002 ZYXEL ras> ? Valid commands are: ipsec System Information and Diagnosis DESCRIPTION exit device config bridge Figure 18-10 Command Mode Prestige 652 ADSL Security Router ether hdap 18-9...
  • Page 210: Chapter 19 Firmware And Configuration File Maintenance

    Chapter 19 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 19.1 Filename Conventions The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc.
  • Page 211: Backup Configuration

    FILE TYPE INTERNAL NAME Configuration Rom-0 File Firmware 19.2 Backup Configuration The Prestige displays different messages explaining different ways to back up, restore and upload files in menus 24.5, 24.6, 24.7.1 and 24.7.2, depending on whether you use the console port or Telnet.
  • Page 212: Figure 19-1 Telnet In Menu 24.5

    “config.rom”. See earlier in this chapter for more information on filename conventions. Step 7. Enter “quit” to exit the ftp prompt. 19.2.3 Example of FTP Commands from the Command Line Firmware and Configuration File Maintenance Figure 19-1 Telnet in Menu 24.5 Prestige 652 ADSL Security Router 19-3...
  • Page 213: Figure 19-2 Ftp Session Example

    331 Enter PASS command Password: 230 Logged in ftp> bin 200 Type I OK ftp> get rom-0 zyxel.rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
  • Page 214: Backup Configuration Using Tftp

    TFTP client program. For UNIX, use “get” to transfer from the Prestige to the computer and “binary” to set binary transfer mode. 19.2.7 TFTP Command Example The following is an example TFTP command: tftp [-i] host get rom-0 config.rom Firmware and Configuration File Maintenance Prestige 652 ADSL Security Router 19-5...
  • Page 215: Figure 19-3 System Maintenance - Backup Configuration

    where “i” specifies binary image transfer mode (use this mode when transferring binary files), “host” is the Prestige IP address, “get” transfers the file source on the Prestige (rom-0, name of the configuration file on the Prestige) to the file destination on the computer and renames it config.rom.
  • Page 216: Restore Configuration

    Firmware and Configuration File Maintenance ** Backup Configuration completed. OK. ### Hit any key to continue.### Prestige 652 ADSL Security Router Type a location for storing the configuration file or click Browse to look for one. Choose the Xmodem protocol.
  • Page 217: Figure 19-7 Telnet Into Menu 24.6

    DO NOT INTERRUPT THE FILE TRANSFER PROCESS AS THIS MAY PERMANENTLY DAMAGE YOUR PRESTIGE. WHEN THE RESTORE CONFIGURATION PROCESS IS COMPLETE, THE PRESTIGE WILL 19.3.1 Restore Using FTP For details about backup using (T)FTP please refer to earlier sections on FTP and TFTP file upload in this chapter.
  • Page 218: Figure 19-8 Restore Using Ftp Session Example

    Starting XMODEM download (CRC mode) ... CCCCCCCCC Figure 19-10 System Maintenance — Starting Xmodem Download Screen Step 3. Run the HyperTerminal program by clicking Transfer, then Send File as shown in the following screen. Firmware and Configuration File Maintenance Prestige 652 ADSL Security Router 19-9...
  • Page 219: Uploading Firmware And Configuration Files

    Figure 19-11 Restore Configuration Example Step 4. After a successful restoration you will see the following screen. Press any key to restart the Prestige and return to the SMT menu. Figure 19-12 Successful Restoration Confirmation Screen 19.4 Uploading Firmware and Configuration Files...
  • Page 220: Figure 19-13 Telnet Into Menu 24.7.1 - Upload System Firmware

    TFTP), please see your manual. Press ENTER to Exit: Figure 19-14 Telnet Into Menu 24.7.2 — System Maintenance Firmware and Configuration File Maintenance Prestige 652 ADSL Security Router 19-11...
  • Page 221: Figure 19-15 Ftp Session Example Of Firmware File Upload

    To upload the firmware and the configuration file, follow these examples 19.4.3 FTP File Upload Command from the DOS Prompt Example Step 1. Launch the FTP client on your computer. Step 2. Enter “open”, followed by a space and the IP address of your Prestige.
  • Page 222: Tftp Upload Command Example

    Uploading files via the console port under normal conditions is not recommended since FTP or TFTP is faster. Any serial communications program should work fine; however, you must use the Xmodem protocol to perform the download/upload.
  • Page 223: Figure 19-16 Menu 24.7.1 As Seen Using The Console Port

    19.4.8 Uploading Firmware File Via Console Port Step 1. Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.1 - System Maintenance - Upload System Firmware, then follow the instructions as shown in the following screen.
  • Page 224: Figure 19-18 Menu 24.7.2 As Seen Using The Console Port

    Step 3. Enter “atgo” to restart the Prestige. 19.4.11 Example Xmodem Configuration Upload Using HyperTerminal Click Transfer, then Send File to display the following screen. Firmware and Configuration File Maintenance Do You Wish To Proceed:(Y/N) Prestige 652 ADSL Security Router 19-15...
  • Page 225: Figure 19-19 Example Xmodem Upload

    After the configuration upload process has completed, restart the Prestige by entering “atgo”. Figure 19-19 Example Xmodem Upload Type the configuration file’s location, or click Browse to search for it.
  • Page 226: Chapter 20 System Maintenance And Information

    Log and Trace Diagnostic Backup Configuration Restore Configuration Firmware Update Command Interpreter Mode Call Control 10. Time and Date Setting 11. Remote Management Enter Menu Selection Number: Figure 20-1 Command Mode in Menu 24 Prestige 652 ADSL Security Router Chapter 20 20-1...
  • Page 227: Call Control Support

    Copyright (c) 1994 - 2002 ZyXEL Communications Corp. ras> ? Valid commands are: ipsec ras> 20.2 Call Control Support The Prestige provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1.
  • Page 228: Figure 20-4 Budget Management

    11.1. The period is the time cycle in hours that the allocation budget is reset (see menu 11.1.) The elapsed time is the time used up within this period. Prestige 652 ADSL Security Router Elapsed Time/Total Period No Budget EXAMPLE...
  • Page 229: Time And Date Setting

    20.3 Time and Date Setting The Prestige keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server when you turn on your Prestige. Menu 24.10 allows you to update the time and date settings of your Prestige.
  • Page 230: Resetting The Time

    On leaving menu 24.10 after making changes. When the Prestige starts up, if there is a time server configured in menu 24.10. iii. 24-hour intervals after starting. System Maintenance and Information Table 20-2 Time and Date Setting Fields DESCRIPTION Prestige 652 ADSL Security Router 20-5...
  • Page 232: Chapter 21 Remote Management

    Chapter 21 Remote Management This chapter covers remote management found in SMT menu 24.11. 21.1 About Telnet Configuration Before the Prestige is properly set up for TCP/IP, the only option for configuring it is through the console port.
  • Page 233: Ftp

    21.4 FTP You can upload and download the Prestige’s firmware and configuration files using FTP; please see the Firmware and Configuration File Maintenance chapter for details. To use this feature, your computer must have an FTP client.
  • Page 234: Figure 21-2 Menu 24.11 - Remote Management Control

    Menu 24.11 - Remote Management Control Server Access = LAN only Server Access = LAN only Server Access = LAN only Press ENTER to Confirm or ESC to Cancel: DESCRIPTION Prestige 652 ADSL Security Router EXAMPLE LAN Only (default) 0.0.0.0 (default)
  • Page 235: Remote Management And Nat

    1. A filter in menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service. 2. You have disabled that service in menu 24.11. 3. The IP address in the Secured Client IP field (menu 24.11) does not match the client IP address.
  • Page 236: Chapter 22 Ip Policy Routing

    (and hence the outgoing interface). • setting the TOS and precedence fields in the IP header. IP Policy Routing This chapter covers setting and applying policies used for IP routing. Prestige 652 ADSL Security Router Chapter 22 IP Policy Routing 22-1...
  • Page 237: Ip Routing Policy Setup

    IPPR follows the existing packet filtering facility of RAS in style and in implementation. The policies are divided into sets, where related policies are grouped together. A user defines the policies before applying them to an interface or a remote node, in the same fashion as the filters. There are 12 policy sets with six policies in each set.
  • Page 238: Figure 22-2 Menu 25.1 - Sample Ip Routing Policy Setup

    IP layer 4 protocol number (TCP=6, UDP=17…) Type of service of incoming packet Precedence of incoming packet Gateway IP address Outgoing Type of service Outgoing Precedence Normal Minimum Delay Maximum Throughput Maximum Reliability Minimum Cost Prestige 652 ADSL Security Router |GW=192.168.1.1,T=MT,PR=0 22-3...
  • Page 239: Figure 22-3 Ip Routing Policy

    Prestige 652 ADSL Security Router Type a number from 1 to 6 to display Menu 25.1.1 – IP Routing Policy (see the next figure). This menu allows you to configure a policy rule. Policy Set Name= test Active= Yes Criteria:...
  • Page 240: Applying An Ip Policy

    From Menu 3 – Ethernet Setup, type 2 to go to Menu 3.2 – TCP/IP and DHCP Ethernet Setup. You can choose up to four IP policy sets (from 12) by typing their numbers separated by commas, for example, 2, 4, 7, 9. IP Policy Routing Prestige 652 ADSL Security Router DESCRIPTION 22-5...
  • Page 241: Figure 22-4 Menu 3.2 - Tcp/Ip And Dhcp Ethernet Setup

    Prestige 652 ADSL Security Router Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP Setup: DHCP= None Client IP Pool Starting Address= N/A Size of Client IP Pool= N/A Primary DNS Server= N/A Secondary DNS Server= N/A Remote DHCP Server= N/A TCP/IP Setup: IP Address= 192.168.1.1...
  • Page 242: Ip Policy Routing Example

    22.6 IP Policy Routing Example If a network has both Internet and remote node connections, you can route Web packets to the Internet using one policy and route FTP packets to a remote network using another policy. See the next figure.
  • Page 243: Figure 22-7 Ip Routing Policy Example

    Prestige 652 ADSL Security Router Step 1. Create a routing policy set in menu 25. Step 2. Create a rule for this set in Menu 25.1.1 - IP Routing Policy as shown next. Policy Set Name= set1 Active= Yes Criteria:...
  • Page 244: Figure 22-8 Ip Routing Policy

    IP Subnet Mask= 255.255.255.0 RIP Direction= Both Version= RIP-1 Multicast= None IP Policies= 1,2 Edit IP Alias= No Press ENTER to Confirm or ESC to Cancel: Figure 22-9 Applying IP Policies Prestige 652 ADSL Security Router Len Comp= N/A 22-9...
  • Page 245: Call Scheduling, Vpn/Ipsec And Internal Sptgen

    Call Scheduling, VPN/IPSec and Internal SPTGEN Part V: Call Scheduling, VPN/IPSec and Internal SPTGEN Part V provides information about Call Scheduling, VPN/IPSec and Internal SPTGEN.
  • Page 247: Chapter 23 Call Scheduling

    Enter Schedule Set Number to Configure= Edit Name= Press ENTER to Confirm or ESC to Cancel: Figure 23-1 Menu 26 - Schedule Setup [DELETE] in the Edit Name field. Prestige 652 ADSL Security Router Chapter 23 Call Scheduling Name ---------------...
  • Page 248: Figure 23-2 Schedule Set Setup

    To set up a schedule set, select the schedule set you want to set up from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next. Press Space Bar to Toggle If a connection has already been established, your Prestige will not drop it.
  • Page 249 Main Menu and then enter the target remote node index. Using [SPACE BAR], select PPPoE in the Encapsulation field to make the schedule sets field available as shown next. Call Scheduling Table 23-1 Schedule Set Setup Fields DESCRIPTION Prestige 652 ADSL Security Router OPTIONS Forced On Forced Down Enable Dial-...
  • Page 250: Figure 23-3 Applying Schedule Set(S) To A Remote Node (Pppoe)

    Prestige 652 ADSL Security Router Rem Node Name= ChangeMe Active= Yes Encapsulation= PPPoE Multiplexing= LLC-based Service Name= Incoming: Rem Login= Rem Password= ******** Outgoing: My Login= ? My Password= ? Authen= CHAP/PAP Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle.
  • Page 251: Chapter 24 Introduction To Ipsec

    Decryption is the opposite of encryption: it is a mathematical operation that transforms “ciphertext” to plaintext. Decryption also requires a key. Introduction to IPSec This chapter introduces the basics of IPSec VPNs.
  • Page 252: Figure 24-1 Encryption And Decryption

    Data Confidentiality The IPSec sender can encrypt packets before transmitting them across a network. Data Integrity The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission. Data Origin Authentication The IPSec receiver can verify the source of IPSec packets.
  • Page 253: Ipsec Architecture

    Prestige 652 ADSL Security Router Figure 24-2 VPN Application 24.2 IPSec Architecture The overall IPSec architecture is shown as follows. Introduction to IPSec 24-3...
  • Page 254: Figure 24-3 Ipsec Architecture

    Figure 24-3 IPSec Architecture 24.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms).
  • Page 255: Encapsulation

    AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using AH protocol, packet contents (the data payload) are not encrypted.
  • Page 256: Table 24-1 Vpn And Nat

    A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to the received packet doesn't match.
  • Page 257: Chapter 25 Vpn/Ipsec Setup

    This is an overview of the VPN menu tree. From the main menu, enter 27 to display the first VPN menu (shown next). VPN/IPSec Setup VPN/IPSec Setup This chapter introduces the VPN SMT menus. Figure 25-1 VPN SMT Menu Tree Prestige 652 ADSL Security Router Chapter 25 25-1...
  • Page 258: Ipsec Algorithms

    25.2 IPSec Algorithms The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN. An SA is built from the authentication provided by the AH and ESP protocols. The primary function of key management is to establish and maintain the SA between systems. Once the SA is established, the transport of data may commence.
  • Page 259: Ipsec Summary

    MD5 (default) MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data. SHA1 SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data. Figure 25-3 IPSec Summary Fields
  • Page 260: My Ip Address

    25.3.1 My IP Address My IP Addr is the WAN IP address of the Prestige. If this field is configured as 0.0.0.0, then the Prestige will use the current Prestige WAN IP address (static or dynamic) to set up the VPN tunnel. If the My IP Addr changes after setup, then the VPN tunnel will have to be rebuilt.
  • Page 261: Figure 25-4 Telecommuter's Prestige Configuration

    Figure 25-4 Telecommuter’s Prestige Configuration Figure 25-5 Headquarters Prestige Configuration The Secure Gateway IP Address may be configured as 0.0.0.0 only when using IKE key management and not Manual key management. A Prestige with Secure Gateway Address set to 0.0.0.0 can receive multiple VPN connection requests using the same VPN rule at the same time.
  • Page 262: Figure 25-6 Menu 27.1 - Ipsec Summary

    Name Local Addr Start Key Mgt Remote Addr Start ------ ----------------- Taiwan 192.168.1.35 172.16.2.40 zw50 1.1.1.1 4.4.4.4 China 192.168.1.40 Select Command= None FIELD This is the VPN policy index number. Name This field displays the unique identification name for this VPN rule. The name may be up to 32 characters long but only 10 characters will be displayed here.
  • Page 263 SUBNET, this is a (static) IP address on the network behind the remote IPSec router. This field displays N/A when you configure the Secure Gateway Addr field in SMT 27.1.1 to 0.0.0.0. VPN/IPSec Setup Prestige 652 ADSL Security Router DESCRIPTION EXAMPLE Tunnel ESP DES MD5 172.16.2.40...
  • Page 264: Ipsec Setup

    FIELD Remote When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Addr End Single, this is the same (static) IP address as in the Remote Addr Start field. When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Range, this is the end (static) IP address, in a range of computers on the network behind the remote IPSec router.
  • Page 265: Figure 25-7 Menu 27.1.1 — Ipsec Setup

    Port Start= 0 Press ENTER to Confirm or ESC to Cancel: Figure 25-7 Menu 27.1.1 — IPSec Setup a VPN. Table 25-4 Menu 27.1.1 — IPSec Setup DESCRIPTION Prestige 652 ADSL Security Router End= N/A End= N/A End= 255.255.0.0 End= N/A EXAMPLE Taiwan 0.0.0.0...
  • Page 266 FIELD The VPN tunnel has to be rebuilt if this IP address changes. Secure Type the WAN IP address or the domain name (up to 31 characters) of the Gateway Addr IPSec router with which you’re making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address (the Key Management field must be set to IKE, see later).
  • Page 267: Table 25-4 Menu 27.1.1 — Ipsec Setup

    Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3. VPN/IPSec Setup Table 25-4 Menu 27.1.1 — IPSec Setup DESCRIPTION Prestige 652 ADSL Security Router EXAMPLE SUBNET 4.4.4.4 255.255.0.0 25-11...
  • Page 268: Ike Setup

    FIELD End Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field. This field is N/A when 0 is configured in the Port Start field. Enable Replay As a VPN setup is processing intensive, the system is vulnerable to Denial Detection...
  • Page 269: Figure 25-8 Two Phases To Set Up The Ipsec Sa

    (phase 1). It uses 6 messages in three round trips (SA negotiation, Diffie-Hellman exchange and an exchange of nonces (a nonce is a random number)). This mode features identity protection (your identity is not revealed in the negotiation).
  • Page 270 Aggressive Mode is quicker than Main Mode because it eliminates several steps when the communicating parties are negotiating authentication (phase 1). However, the trade-off is that faster speed limits its negotiating power and it also does not provide identity protection. It is useful in remote access situations where the address of the initiator is not known by the responder and both parties want to use pre-shared key authentication.
  • Page 271 Menu 27.1.1.1 - IKE Setup = ESP = DES = SHA1 = Tunnel Press ENTER to Confirm or ESC to Cancel: Figure 25-9 — Menu 27.1.1.1 Table 25-5 — Menu 27.1.1.1 DESCRIPTION Prestige 652 ADSL Security Router IKE Setup IKE Setup EXAMPLE Main 25-15...
  • Page 272 FIELD Press [SPACE BAR] to choose from 3DES or DES and then press [ENTER]. Authentication MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash Algorithm algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slightly slower. Press [SPACE BAR] to choose from SHA1 or MD5 and then press [ENTER].
  • Page 273: Manual Setup

    To edit this menu, move the cursor to the Edit Manual Setup field in Menu 27.1.1 – IPSec Setup press [SPACE BAR] to select Yes and then press [ENTER] to go to Menu 27.1.1.2 – Manual Setup. VPN/IPSec Setup Prestige 652 ADSL Security Router SECURITY PROTOCOL 25-17...
  • Page 274: Figure 25-10 Menu 27.1.1.2 - Manual Setup

    Active Protocol= ESP Tunnel ESP Setup AH Setup Figure 25-10 Menu 27.1.1.2 — Manual Setup FIELD Active Protocol Press [SPACE BAR] to choose from ESP Tunnel, ESP Transport, AH Tunnel or AH Transport and then press [ENTER]. Choosing an ESP combination causes the AH Setup fields to be non-applicable (N/A) The ESP Setup fields are N/A if you chose an AH Active Protocol.
  • Page 275 When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. VPN/IPSec Setup Prestige 652 ADSL Security Router DESCRIPTION EXAMPLE SHA1...
  • Page 277: Chapter 26 Sa Monitor

    --------- Tunnel Select Command= Refresh Select Connection= N/A Figure 26-1 Menu 27.2 — SA Monitor Table 26-1 Menu 27.2 — SA Monitor DESCRIPTION Prestige 652 ADSL Security Router Chapter 26 SA Monitor IPSec ALgorithm ---------------- ESP DES MD5 EXAMPLE Taiwan...
  • Page 278 Prestige 652 ADSL Security Router FIELD public static IP address. When the secure gateway IP address is 0.0.0.0 (as discussed in the last chapter), there may be different connections using this same VPN rule. In this case, the name is followed by the remote IP address as configured in Menu 27.1.1.
  • Page 279: Chapter 27 Ipsec Log

    01 Jan 08:02:26 01 Jan 08:02:26 Clear IPSec Log (y/n): Figure 27-1 Example VPN Initiator IPSec Log IPSec Log Prestige 652 ADSL Security Router This chapter interprets common IPSec log messages. Log: Send Main Mode request to <192.168.100.101> Send:<SA> Recv:<SA>...
  • Page 280: Figure 27-2 Example Vpn Responder Ipsec Log

    Prestige 652 ADSL Security Router The following figure shows a typical log from the VPN connection peer. Index: Date/Time: ------------------------------------------------------------ 01 Jan 08:08:07 01 Jan 08:08:07 01 Jan 08:08:08 01 Jan 08:08:08 01 Jan 08:08:10 01 Jan 08:08:10 01 Jan 08:08:10...
  • Page 281 !! IKE Packet Retransmit !! Failed to send IKE Packet !! Too many errors! Deleting SA IPSec Log Prestige 652 ADSL Security Router DESCRIPTION Phase 2 negotiation is beginning using Quick Mode. The Prestige has begun negotiation with the peer for the connection already, but the IKE key exchange has not finished yet.
  • Page 282: Table 27-2 Sample Ipsec Logs During Packet Transmission

    Prestige 652 ADSL Security Router The following table shows sample log messages during packet transmission. Table 27-2 Sample IPSec Logs During Packet Transmission LOG MESSAGE !! WAN IP changed to <IP> !! Cannot find Phase 2 SA !! Discard REPLAY packet...
  • Page 283 Table 27-3 RFC-2408 ISAKMP Payload Types NONCE NOTFY IPSec Log LOG DISPLAY PAYLOAD TYPE Nonce Notification Delete Vendor ID Prestige 652 ADSL Security Router 27-5...
  • Page 285: Chapter 28 Internal Sptgen

    Chapter 28 Internal SPTGEN Internal SPTGEN (System Parameter Table Generator) is a configuration text file useful for efficient configuration of multiple Prestiges. Internal SPTGEN lets you configure, save and upload multiple menus at the same time using just one configuration text file – eliminating the need to navigate and configure individual SMT menus for each Prestige.
  • Page 286: Figure 28-1 Configuration Text File Format - Column Descriptions

    This is the name of the menu. / Menu 1 General Setup 10000000 = Configured 10000001 = System Name 10000002 = Location 10000003 = Contact Person’s Name 10000004 = Route IP 10000005 = Route IPX 10000006 = Bridge This is the Field Identification Number column.
  • Page 287: Internal Sptgen Ftp Download Example

    4. Edit the "rom-t" file using a text editor (do not use a word processor). You must leave this FTP screen to edit. Figure 28-4 Internal SPTGEN FTP Download Example Internal SPTGEN Prestige 652 ADSL Security Router c:\ftp 192.168.1.1 220 PPP FTP version 1.0 ready at Sat Jan 1 03:22:12 2000 User (192.168.1.1:(none)):...
  • Page 288: Internal Sptgen Ftp Upload Example

    You can rename your “rom-t” file when you save it to your computer but it must be named “rom-t” when you upload it to your Prestige. 28.3 Internal SPTGEN FTP Upload Example 1. Launch your FTP application. 2. Enter "bin". The command “bin” sets the transfer mode to binary.
  • Page 289: Additional Information

    Additional Information ADDITIONAL INFORMATION This part contains Troubleshooting, Appendices and the Index.
  • Page 290: Chapter 29 Troubleshooting

    Check for faulty Ethernet cables. Make sure your computer NIC (Network Interface Card) is working properly. Troubleshooting Prestige 652 ADSL Security Router Troubleshooting CORRECTIVE ACTION VT100 terminal emulation. 9600 bps is the default speed on leaving the factory.
  • Page 291: Problems With The Dsl Led

    29.3 Problems with the DSL LED PROBLEM The xDSL LED is off. Check the telephone wire and connections between the Prestige DSL port and the wall jack. Make sure that the telephone company has checked your phone line and set it up for DSL service.
  • Page 292: Problems With Internet Access

    If you have changed the password and have now forgotten it, you will need to upload the default configuration file (Refer to the Resetting the Prestige section). This restores all of the factory defaults including the password.
  • Page 293: Problems With The Web Configurator

    29.8 Problems with the Web Configurator Table 29-7 Troubleshooting the Web Configurator PROBLEM I cannot access the web configurator. Type “admin” in the User Name field. The default password is “1234”. Both fields are case-sensitive.
  • Page 294: Diagram 1 Single-Pc Per Router Hardware Configuration

    3. It allows the ISP to use the existing dial-up model to authenticate and (optionally) to provide differentiated services. Traditional Dial-up Scenario The following diagram depicts a typical hardware configuration where the PCs use traditional dial-up networking. Diagram 1 Single-PC per Router Hardware Configuration PPPoE Prestige 652 ADSL Security Router Appendix A PPPoE...
  • Page 295: Diagram 2 Prestige As A Pppoe Client

    How PPPoE Works The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP.
  • Page 296: Diagram 3 Virtual Circuit Topology

    Your service provider should supply you with VPI/VCI numbers. Virtual Circuit Topology Virtual Circuit Topology Logical connections between ATM switches A bundle of virtual channels A series of virtual paths between circuit end points Diagram 3 Virtual Circuit Topology Prestige 652 ADSL Security Router Appendix B...
  • Page 297: Diagram 4 Option To Enter Debug Mode

    When you reboot your Prestige, you will be given a choice to go into debug mode by pressing a key at the prompt shown in the following screen. In debug mode you have access to a series of boot module commands, for example ATUR (for uploading firmware) and ATLC (for uploading the configuration file) already discussed in a previous section.
  • Page 298

    ROM
    ATLC  upload router configuration file to flash ROM
    ATXSx  xmodem select: x=0: CRC mode (default); x=1: checksum mode
    ATSS  display system registers
    8-bit value of address x
    Diagram 5 Boot Module Commands...
  • Page 299 AC Power Adapter Model, Input Power, Output Power, Power Consumption, Safety Standards...
  • Page 300 Select Protocol and then click Add. Select Microsoft from the list of manufacturers. d. Select TCP/IP from the list of network protocols and then click OK. If you need Client for Microsoft Networks: Click Add. Appendix E TCP/IP...
  • Page 301 b. Select Client and then click Add. Select Microsoft from the list of manufacturers. d. Select Client for Microsoft Networks from the list of network clients and then click OK. Restart your computer so the changes you made take effect. Configuring TCP/IP 1.
  • Page 302 3. Under the General tab, select Internet Protocol (TCP/IP) (you may need to scroll down) and click Properties. 4. The Internet Protocol TCP/IP Properties window opens. - If you have a dynamic IP address, click Obtain an IP address automatically...
  • Page 303 -If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. To configure advanced static address settings for a local area connection, click Advanced, and do one or more of the following to configure additional IP addresses: -In the IP Settings tab, in IP addresses, click Add.
  • Page 304 6. Click Save if prompted, to save changes to your configuration. 7. Turn on your Prestige and restart your computer (if prompted). Verifying TCP/IP Properties: Check your TCP/IP properties in the TCP/IP Control Panel...
  • Page 305: Example Internal Sptgen Screens

    Example Internal SPTGEN Screens
    Abbreviations Used in the Example Internal SPTGEN Screens Table
    ABBREVIATION
    Field Identification Number (not seen in SMT screens)
    Field Name
    Parameter Values Allowed
    INPUT: This is an example of what you may enter
    The following are Internal SPTGEN screens associated with the SMT screens of your Prestige.
    Example Internal SPTGEN Screens Table
    / MENU 1 GENERAL SETUP (SMT MENU 1)
    10000000 =...
  • Page 306

    Size of Client IP Pool
    30200004 = Primary DNS Server
    30200005 = Secondary DNS Server
    30200006 = Remote DHCP Server
    INPUT = 256 = 256 = 256 = 256 = 256 = 256...
  • Page 307

    30200008 = IP Address
    30200009 = IP Subnet Mask
    30200010 = RIP Direction
    30200011 = Version
    30200012 = Multicast
    30200013 = IP Policies Set 1 (1~12)
    30200014 = IP Policies Set 2 (1~12)
    30200015 = IP Policies Set 3 (1~12)
    30200016 = IP Policies Set 4 (1~12)
    / MENU 3.2.1 IP ALIAS SETUP...
  • Page 308

    IP Alias #2 Outgoing protocol filters Set 3
    30201026 = IP Alias #2 Outgoing protocol filters Set 4
    = 256 = 256 = 256 = 256 = 0.0.0.0 <0(None) | 1(Both) | 2(In Only) | 3(Out Only)>...
  • Page 309

    / MENU 4 INTERNET ACCESS SETUP
    40000000 = Configured
    40000001 =
    40000002 = Active
    40000003 = ISP's Name
    40000004 = Encapsulation
    40000005 = Multiplexing
    40000006 = VPI #
    40000007 = VCI #
    40000008 = Service Name
    40000009 = My Login
    40000010 = My Password
    40000011 =...
  • Page 310

    IP Static Route set #2, Gateway
    120102006 = IP Static Route set #2, Metric
    120102007 = IP Static Route set #2, Private
    <0(No) | 1(Yes)> <0(No) | 1(Yes)> <0(CBR) | 1(UBR)> (SMT MENU 12.1.1) <Str>...
  • Page 311

    / MENU 12.1.3 IP STATIC ROUTE SETUP
    120103001 = IP Static Route set #3, Name
    120103002 = IP Static Route set #3, Active
    120103003 = IP Static Route set #3, Destination IP address
    120103004 = IP Static Route set #3, Destination IP subnetmask
    120103005 = IP Static Route set #3, Gateway...
  • Page 312

    / MENU 12.1.8 IP STATIC ROUTE SETUP (SMT MENU 12.1.8)
    120108001 = IP Static Route set #8, Name
    120108002 = IP Static Route set #8, Active
    = 0.0.0.0 <0(No) | 1(Yes)> INPUT <Str> <0(No) | 1(Yes)>...
  • Page 313

    120108003 = IP Static Route set #8, Destination IP address
    120108004 = IP Static Route set #8, Destination IP subnetmask
    120108005 = IP Static Route set #8, Gateway
    120108006 = IP Static Route set #8, Metric
    120108007 = IP Static Route set #8, Private
    / MENU 15 SUA SERVER SETUP (SMT MENU 15)
    150000001 = SUA Server IP address for default...
  • Page 314

    IP Filter Set 1, Rule 1 Dest IP address
    210101005 = IP Filter Set 1, Rule 1 Dest Subnet Mask
    210101006 = IP Filter Set 1, Rule 1 Dest Port
    = 0.0.0.0 = 0.0.0.0 = 0.0.0.0 = 0.0.0.0 = 0.0.0.0 INPUT <Str>...
  • Page 315

    210101007 = IP Filter Set 1, Rule 1 Dest Port Comp
    210101008 = IP Filter Set 1, Rule 1 Src IP address
    210101009 = IP Filter Set 1, Rule 1 Src Subnet Mask
    210101010 = IP Filter Set 1, Rule 1 Src Port
    210101011 = IP Filter Set 1, Rule 1 Src Port Comp
    210101013 = IP Filter Set 1, Rule 1 Act Match...
  • Page 316

    IP Filter Set 1, Rule 3 Src Port
    210103011 = IP Filter Set 1, Rule 3 Src Port Comp
    210103013 = IP Filter Set 1, Rule 3 Act Match
    <0(none)|1(equal)|2( equal)|3(less)|4(greater)> <1(check next)|2(forward)|3(drop)>...
  • Page 317

    210103014 = IP Filter Set 1, Rule 3 Act Not Match
    / MENU 21.1.4 SET #1, RULE #4 (SMT MENU 21.1.4)
    210104001 = IP Filter Set 1, Rule 4 Type
    210104002 = IP Filter Set 1, Rule 4 Active
    210104003 = IP Filter Set 1, Rule 4 Protocol
    210104004 = IP Filter Set 1, Rule 4 Dest IP address
    210104005 =...
  • Page 318

    IP Filter Set 1, Rule 6 Dest IP address
    210106005 = IP Filter Set 1, Rule 6 Dest Subnet Mask
    210106006 = IP Filter Set 1, Rule 6 Dest Port
    = 17 = 0.0.0.0 = 138 <0(none)|1(equal)|2( equal)|3(less)|4(greater)>...
  • Page 319

    210106007 = IP Filter Set 1, Rule 6 Dest Port Comp
    210106008 = IP Filter Set 1, Rule 6 Src IP address
    210106009 = IP Filter Set 1, Rule 6 Src Subnet Mask
    210106010 = IP Filter Set 1, Rule 6 Src Port
    210106011 = IP Filter Set 1, Rule 6 Src Port Comp
    210106013 = IP Filter Set 1, Rule 6 Act Match...
  • Page 320

    FTP Server Secured IP address
    241100007 = WEB Server Port
    241100008 = WEB Server Access
    241100009 = WEB Server Secured IP address
    INPUT = 23 <0(all)|1(none)|2(Lan)|3(Wan)> = 0.0.0.0 = 21 <0(all)|1(none)|2(Lan)|3(Wan)>...
  • Page 322 Ether Address ... 7-3 Ethernet... 7-1 Ethernet Addr Timeout ... 7-2 Remote Node ... 7-1 Static Route Setup... 7-2 Brute-force Attack, ... 9-6 Budget Management... 20-2, 20-3 Call Control ... 20-2 Call Filtering... 16-1 Call Filters Built-In ...
  • Page 323 Power Adapter... 2-3 Rear Panel ... 2-2 Console Port ... 18-3 Content Filtering... 15-1 Days and Times ... 15-1 Keywords ... 15-1 Log Records ... 15-1 Update List ... 15-1 Copyright ...ii Cost Of Transmission ... 5-8, 6-6, 6-10 Country Code... 18-4 CPU Load ...
  • Page 324 Remote Node Filters ... 16-20 Sample ... 16-18 SUA ... 16-16 TCP/IP Filter Rule ... 16-9 Filter Log ... 18-7, 18-8 Filter Rule ... 16-10 Filter Rule Process... 16-3 Filter Rule Setup ... 16-9 Filter Rules Summary Sample ...
  • Page 325 Logs... 11-3 Policies ... 12-1 Remote Management... 10-1 Rule Checklist ... 12-1 Rule Logic ... 12-1 Rule Precedence ... 12-4 Rule Security Ramifications... 12-2 Services ... 12-6 SMT Menus... 10-1 Types ... 9-1 When To Use... 9-13 Frame Relay... 1-6 Front Panel Illustration ...
  • Page 326 IP Spoofing ...9-4, 9-7 IP Static Route ... 6-7 IP Static Route Setup ... 6-8 IPSec standard... 1-2 ISDN... 2-6 Key Fields For Configuring Rules... 12-2 LAN... 18-3 LAN to WAN Rules ... 12-3 LAND ...
  • Page 327 Media Access Control... 7-1 Message Logging... 18-5 Metric... 5-8, 6-6, 6-10 Multicast ... 5-8, 6-6 Multiplexing LLC-based ... 4-11 VC-based ... 4-11 Multiplexing ...1-5, 4-11, 4-16, 5-2 Multiprotocol Encapsulation... 4-12 My WAN Address ... 5-7, 6-5 Nailed-Up Connection ... 5-3 NAT...
  • Page 328 Remote Node Index Number ... 18-2 Remote Node Traffic ... 16-22 Required fields ... 2-11 RESET Button ... 2-3 Restore Configuration... 19-7 Return address ... 11-4 RFC-1483 ... 5-2 RFC-2364 ... 5-2, 5-4 RIP... 4-10, 5-8, 6-6. See Routing Information Protocol Routing Information Protocol...
  • Page 329 Security Association ... 26-1 Security In General ... 9-12 Security Ramifications... 12-2 Server ... 8-5, 8-9, 8-12, 8-15, 8-16, 8-17, 8-18, 8-22, 8-24, 20-5 Service ... v, 12-2 Service Type ... 13-3 setup a schedule ... 23-2 Single User Account ... 4-17 SMT Menu Overview ...
  • Page 330 Traceroute ... 9-7 Transfer Rate... 18-3 Transmission Rates ... xxiv, 1-1 Type of Service ... 22-1, 22-3, 22-4, 22-5 UDP/ICMP Security ... 9-10 UNIX Syslog ... 18-5, 18-7 UNIX syslog parameters... 18-6 Upload Firmware ... 19-10 Upper Layer Protocols ...
