Page 1 Nortel Business Secure Router 222 Configuration — Advanced BSR222 Business Secure Router Document Number: NN47922-501 Document Version: 1.3 Date: March 2007...
Page 2 The information in this document is proprietary to Nortel. Trademarks Nortel, Nortel (Logo), the Globemark, and This is the way, This is Nortel (Design mark) are trademarks of Nortel. Microsoft, MS, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation.
Page 3: Table Of Contents
Getting to know your Nortel Business Secure Router 222 ... . 31 Introducing the Nortel Business Secure Router 222 ......31 Features .
Page 4 IPSec VPN capability ......... . . 33 Nortel Contivity Client Termination ....... . . 33 Certificates .
Page 5 TCP/IP and DHCP ethernet setup menu ....... . 72 Nortel Business Secure Router 222 Configuration — Advanced...
Page 6 IP Alias Setup ........... . 75 Chapter 5 Internet access.
Page 7 Applying Remote Node Filters ........153 Nortel Business Secure Router 222 Configuration — Advanced...
Page 8 Chapter 12 SNMP Configuration ......... . 155 SNMP Configuration .
Page 9 Resetting the Time ..........208 Nortel Business Secure Router 222 Configuration — Advanced...
Page 10 Importing certificates ......... 233 Import Business Secure Router certificates into Netscape Navigator ... . 233 Importing the Business Secure Router Certificate into Internet Explorer .
Page 11 Business Secure Router as a PPPoE client ....... . 250...
Page 12 Log commands ............332 Configuring what you want the Business Secure Router to log ....333 Displaying logs .
Page 13 Index ............345 Nortel Business Secure Router 222 Configuration — Advanced...
Page 14 14 Contents NN47922-501...
Page 15 Menu 11.1: Remote Node profile for PPPoE Encapsulation ... 89 Figure 28 Menu 11.1: Remote Node Profile for PPTP Encapsulation ... 91 Nortel Business Secure Router 222 Configuration — Advanced...
Page 16 Figure 29 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation 93 Figure 30 Menu 11.1.4: Remote Node filter (Ethernet Encapsulation) ... 96 Figure 31 Menu 11.1.4: Remote Node filter (PPPoE or PPTP Encapsulation) ..96 Figure 32 Menu 11.1: Remote Node Profile .
Page 17 Telnet into Menu 24.6 ........187 Nortel Business Secure Router 222 Configuration — Advanced...
Page 18 Figure 125 Windows XP: Control Panel: Network Connections: Properties ..222 Figure 126 Windows XP: Local Area Connection Properties ....222 Figure 127 Windows XP: Advanced TCP/IP settings .
Page 19 Figure 157 Transport PPP frames over Ethernet ......253 Figure 158 Business Secure Router as a PPTP client ..... . . 254 Figure 159 PPTP protocol overview .
Page 20 Figure 170 SIP Redirect Server ........341 Figure 171 Business Secure Router SIP ALG ......343...
Page 21 Fields in menu 15.1.1 ........115 Nortel Business Secure Router 222 Configuration — Advanced...
Page 22 Table 30 Menu 15.1.1.1: Editing or configuring an individual rule in a set ..116 Table 31 15.2.1: NAT Server Configuration ......119 Table 32 Menu 15.3: Trigger Port setup description .
Page 23 SIP Call Progression ........338 Nortel Business Secure Router 222 Configuration — Advanced...
Page 24 24 Tables NN47922-501...
Page 25: Preface
Select or Choose means for you to use one of the predefined choices. The SMT menu titles and labels are written in Bold Times New Roman font. Menu choices are written in Bold Arial font. Nortel Business Secure Router 222 Configuration — Advanced...
Page 26: Related Publications
The Fundamentals guide is designed to help you get up and running right away. It contains connection information and instructions on getting started. • Nortel Business Secure Router 222 Configuration — Basics (NN47922-500) The basic manual covers how to use the WebGUI to configure your Business Secure Router.
Page 27: How To Get Help
Technical Support - CTAS Telephone: *European Free phone 00800 800 89009 European Alternative: United Kingdom Africa Israel Calls are not free from all countries in Europe, Middle East, or Africa. +44 (0)870-907-9009 +27-11-808-4000 800-945-9779 Nortel Business Secure Router 222 Configuration — Advanced www.nortel.com/cs.
Page 28: Cala (Caribbean & Latin America)
Service Business Centre & Pre-Sales Help Desk: +61-2-8870-5511 (Sydney) Technical Support - GNTS Telephone: +612 8870 8800 Fax: +612 8870 5569 E-mail: asia_support@nortel.com Australia China India Indonesia Japan Malaysia New Zealand NN47922-501 1-800-NORTEL (1-800-667-835) 010-6510-7770 011-5154-2210 0018-036-1004 0120-332-533 1800-805-380 0800-449-716...
Page 29 Philippines Singapore South Korea Taiwan Thailand Service Business Centre & Pre-Sales Help Desk Nortel Business Secure Router 222 Configuration — Advanced 1800-1611-0063 800-616-2004 0079-8611-2001 0800-810-500 001-800-611-3007 +61-2-8870-5511...
Page 30 Preface NN47922-501...
Page 31: Getting To Know Your Nortel Business Secure Router 222
Router. Introducing the Nortel Business Secure Router 222 The Nortel Business Secure Router 222 is an ideal secure gateway for all data passing between the Internet and the Local Area Network (LAN). By integrating Network Address Translation (NAT), firewall and Virtual Private...
Page 32: Physical Features
A combination of switch and router makes your Nortel Business Secure Router 222 a cost effective and viable network solution. You can connect up to four computers or phones to the Business Secure Router without the cost of a switch.
Page 33: Auxiliary Port
Chapter 1 Getting to know your Nortel Business Secure Router 222 33 Auxiliary port The Business Secure Router uses the same port for console management and for an auxiliary WAN backup. The AUX port can be used in reserve as a traditional dial-up connection when or if ever the broadband connection to the WAN port fails.
Page 34: Certificates
34 Chapter 1 Getting to know your Nortel Business Secure Router 222 Certificates The Business Secure Router can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication.
Page 35: Brute Force Password Guessing Protection
Chapter 1 Getting to know your Nortel Business Secure Router 222 35 Brute force password guessing protection The Business Secure Router has a special protection mechanism to discourage brute force password guessing attacks on the Business Secure Router’s management interfaces. You can specify a wait time that must expire before you can enter a fourth password after entering three incorrect passwords.
Page 36: Pptp Encapsulation
36 Chapter 1 Getting to know your Nortel Business Secure Router 222 PPTP Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using a TCP/IP-based network.
Page 37: Snmp
Chapter 1 Getting to know your Nortel Business Secure Router 222 37 SNMP SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Business Secure Router supports SNMP agent functionality, which means that a manager station can manage and monitor the Business Secure Router through the network.
Page 38: Full Network Management
• Unix syslog facility support Upgrade Business Secure Router Firmware The firmware of the Business Secure Router can be upgraded via the console port or the LAN. Embedded FTP and TFTP Servers The Business Secure Router’s embedded FTP and TFTP Servers enable fast firmware upgrades, as well as configuration file backups and restoration.
Page 39: Applications For The Nortel Business Secure Router 222
Applications for the Nortel Business Secure Router 222 Secure broadband internet access and VPN You can connect a cable, DSL, or other modem to the Nortel Business Secure Router 222 via Ethernet WAN port for broadband Internet access. The Business Secure Router also provides IP address sharing and a firewall protected local network with traffic management.
Page 40: Hardware Setup
Note: To keep the Business Secure Router operating at optimal internal temperature, keep the bottom, sides, and rear clear of obstructions and away from the exhaust of other equipment. After installing your Nortel Business Secure Router 222, continue with the rest of this guide for configuration instructions. NN47922-501...
Page 41: Chapter 2 Introducing The Smt
No parity, 8 data bits, 1 stop bit, flow control set to none Initial screen When you turn on your Business Secure Router, it performs several internal tests as well as line initialization. Nortel Business Secure Router 222 Configuration — Advanced...
Page 42: Logging On To The Smt
Business Secure Router will automatically log you off and display a blank screen. If you see a blank screen, press [ENTER] to bring up the logon screen again. Navigating the SMT interface The SMT is an interface that you use to configure your Business Secure Router. NN47922-501 Figure...
Page 43: Main Menu
After you enter the password, the SMT displays the Business Secure Router Main Menu, as shown in Figure Nortel Business Secure Router 222 Configuration — Advanced Descriptions To move forward to a submenu, type in the number of the desired submenu and press [ENTER].
Page 44: Figure 4 Main Menu
Figure 4 Main menu Business Secure Router Main Menu Getting Started 1. General Setup 2. WAN Setup 3. LAN Setup 4. Internet Access Setup Advanced Applications 11. Remote Node Setup 12. Static Routing Setup 14. Dial-in User Setup 15. NAT Setup...
Page 45: Changing The System Password
Use this menu to exit (necessary for remote configuration). Menu 23.1 – System Security – Change Password Old Password= **** New Password= ? Retype to confirm= ? Enter here to CONFIRM or ESC to CANCEL: Nortel Business Secure Router 222 Configuration — Advanced...
Page 46: Smt Menus At A Glance
46 Chapter 2 Introducing the SMT SMT menus at a glance Figure 6 SMT overview NN47922-501...
Page 47: Smt Menu 1 - General Setup
Second System DNS Server= From ISP IP Address= N/A Third System DNS Server= From ISP IP Address= N/A Edit Dynamic DNS= No Press ENTER to confirm or ESC to cancel: Nortel Business Secure Router 222 Configuration — Advanced Figure 7. Fill in the...
Page 48: Table 4 General Setup Menu Fields
NN47922-501 Figure Description Choose a descriptive name for identification purposes. Nortel recommends you enter your computer name in this field. This name can be up to 30 alphanumeric characters long. Spaces, dashes - and underscores _ are accepted. Enter the domain name (if you know it) here. If you leave this field blank, the ISP assigns a domain name via DHCP.
Page 49 DNS server IP address in the field to the right. With a private DNS server, you must also configure the first DNS server entry in SMT menu 3.1 to use DNS Relay. Nortel Business Secure Router 222 Configuration — Advanced Example...
Page 50: Configuring Dynamic Dns
DNS queries to the private DNS server. One of the rule’s IP policies must include the LAN IP address of the Business Secure Router as a local IP address and the IP address of the DNS server as a remote IP address.
Page 51: Figure 8 Configure Dynamic Dns
Wildcard. Press [SPACE BAR] and then [ENTER] to select Yes or No This field is N/A when you choose DDNS client as your service provider. Nortel Business Secure Router 222 Configuration — Advanced to configure Dynamic DNS parameters. Example www.dyndns.org...
Page 52 DDNS does not work with a private IP address. When both fields are set to No, the Business Secure Router must have a public WAN IP address in order for DDNS to work. Press [SPACE BAR] to select Yes and then press...
Page 53: Wan And Dial Backup Setup
This chapter explains how to configure settings for your WAN port and how to configure the Business Secure Router for a dial backup connection. WAN setup From the main menu, enter 2 to open menu 2 Nortel Business Secure Router 222 Configuration — Advanced...
Page 54: Table 6 Mac Address Cloning In Wan Setup
Figure 9 Menu 2 MAC Address: Dial-Backup: Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. Table 6 describes the MAC address fields in descriptions of the dial-backup fields. Table 6 MAC address cloning in WAN setup Field MAC Address Assigned By...
Page 55: Dial Backup
Refer also to the traffic redirect section for information on an alternate backup WAN connection. Configuring dial backup in menu 2 From the main menu, enter 2 to open menu 2. Nortel Business Secure Router 222 Configuration — Advanced Figure 26 on...
Page 56: Figure 10 Menu 2: Dial Backup Setup
Figure 10 Menu 2: dial backup setup MAC Address: Dial-Backup: Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. Table 7 describes the fields in Table 7 Menu 2: dial backup setup Field Dial-Backup: Active Port Speed AT Command String: Init...
Page 57: Advanced Wan Setup
Yes and then press [ENTER] to go to Menu 2.1: Advanced Setup. After you complete this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. Nortel Business Secure Router 222 Configuration — Advanced Example...
Page 58: Figure 11 Menu 2.1 Advanced Wan Setup
Enter the keyword that precedes the CLID (Calling Line Identification) in the AT response string. This lets the Business Secure Router capture the CLID in the AT response string that comes from the WAN device. CLID is required for CLID authentication.
Page 59: Remote Node Profile (Backup Isp)
Router to wait between dropping a callback request call and dialing the corresponding callback call. (Figure 12) and configure the setup for your Dial Backup Nortel Business Secure Router 222 Configuration — Advanced Default CONNECT seconds 0 to...
Page 60: Figure 12 Menu 11.2 Remote Node Profile (Backup Isp)
Figure 12 Menu 11.2 remote node profile (Backup ISP) Rem Node Name= GUI Active= No Outgoing: My Login= My Password= ******** Retype to Confirm= ******** Authen= CHAP/PAP Pri Phone #= ? Sec Phone #= Press ENTER to Confirm or ESC to Cancel: Table 10 describes the fields in Table 9 Fields in menu 11.2 remote node profile (Backup ISP)
Page 61 For example, to allow calls to this remote node for a maximum of 10 minutes every hour, set the Allocated Budget to 10 (minutes) and the Period to 1 (hour). Nortel Business Secure Router 222 Configuration — Advanced “Editing PPP options” “Editing for more information.
Page 62: Editing Ppp Options
Idle Timeout Editing PPP options The Business Secure Router dial back-up feature uses PPP. To edit the remote node PPP options, move the cursor to the [Edit PPP Options] field in Menu 11.2 - Remote Node Profile, and use the space bar to select [Yes]. Press [Enter] to open Menu 11.2.1 as shown in...
Page 63: Editing Tcp/Ip Options
CISCO PPP if your Dial Backup WAN device uses Cisco PPP encapsulation, otherwise select Standard PPP. Press [SPACE BAR] and then [ENTER] to select Yes to enable or No to disable Stac compression. Nortel Business Secure Router 222 Configuration — Advanced EXAMPLE Standard PPP (default) (default)
Page 64: Figure 14 Menu 11.2.2: Remote Node Network Layer Options
IP address here if you know it (static). Leave this field set to 0.0.0.0 to have the ISP or other remote router dynamically send its subnet mask if you do not know it. Enter the remote gateway’s subnet mask here if you know it (static).
Page 65 Node Network Layer Options, press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration and return to menu 11.2, or press [ESC] at any time to cancel. Nortel Business Secure Router 222 Configuration — Advanced Chapter 4, “LAN setup,” on page Example None...
Page 66: Editing Logon Script
They are replaced with the outgoing login name and password in the remote node when the Business Secure Router sees them in a ‘Send’ string. Note that both variables must be entered exactly as shown. No other characters can appear before or after, either, i.e., they must be used alone in response to logon...
Page 67 To debug a script, go to Menu 24.4 to initiate a manual call and watch the trace display to see if the sequence of messages and prompts from the server differs from what you expect. Nortel Business Secure Router 222 Configuration — Advanced...
Page 68: Figure 15 Menu 11.2.3: Remote Node Setup Script
Press [SPACE BAR] and then [ENTER] to select either Yes to enable the AT strings or No to disable them. Enter an Expect string to match. After matching the Expect string, the Business Secure Router returns the string in the Send field. matched.
Page 69: Remote Node Filter
Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL: Chapter 11, “Filter configuration,” on page 135 Nortel Business Secure Router 222 Configuration — Advanced Menu 11.2.4 -...
Page 70 70 Chapter 3 WAN and Dial Backup Setup NN47922-501...
Page 71: Chapter 4 Lan Setup
With Menu 3, you can specify the filter sets that you wish to apply to the LAN traffic. You seldom need to filter the LAN traffic, however, the filter sets are useful to block certain packets, reduce traffic, and prevent security breaches. Enter Menu Selection Number: Nortel Business Secure Router 222 Configuration — Advanced...
Page 72: Tcp/Ip And Dhcp Ethernet Setup Menu
Figure 18 Menu 3.1: LAN port filter setup Menu 3.1 – LAN Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: TCP/IP and DHCP ethernet setup menu From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup.
Page 73: Figure 20 Figure 21-4 Menu 3.2: Tcp/Ip And Dhcp Ethernet Setup
DHCP server. If set to None, the DHCP server will be disabled. This field specifies the first of the contiguous addresses in the IP address pool. Nortel Business Secure Router 222 Configuration — Advanced Example Server 192.168.1.2...
Page 74 (read-only) DNS server IP address that the ISP assigns. If you chose From ISP, but the Business Secure Router has a fixed WAN IP address, From ISP changes to None after you save your changes. If you chose From ISP for...
Page 75: Ip Alias Setup
IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and third network. Press [ENTER] to open Menu 3.2.1 - IP Alias Setup, as shown in Nortel Business Secure Router 222 Configuration — Advanced Table 14 to configure TCP/IP parameters for the LAN port.
Page 76: Figure 21 Menu 3.2.1: Ip Alias Setup
Router in dotted decimal notation. Your Business Secure Router automatically calculates the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the Business Secure Router. Example 192.168.1.1 255.255.255.0...
Page 77 Business Secure Router. Outgoing Protocol Enter the filter sets you wish to apply to the Filters outgoing traffic between this node and the Business Secure Router. Nortel Business Secure Router 222 Configuration — Advanced Example None RIP-1...
Page 78 78 Chapter 4 LAN setup NN47922-501...
Page 79: Chapter 5 Internet Access
4 screens, depending on whether you chose Ethernet, PPTP or PPPoE Encapsulation. Contact your ISP to determine which encapsulation type you should use. Ethernet encapsulation If you choose Ethernet in menu 4 you will see Nortel Business Secure Router 222 Configuration — Advanced Figure...
Page 80: Figure 22 Menu 4: Internet Access Setup (Ethernet)
Figure 22 Menu 4: internet access setup (Ethernet) Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server IP= N/A IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A...
Page 81: Configuring The Pptp Client
One-to-One and Server. When you select Full Feature you must configure at least one address mapping set! Chapter 9, “Network Address Translation (NAT),” on page for a more detailed discussion on the Network Address Translation feature. Nortel Business Secure Router 222 Configuration — Advanced...
Page 82: Configuring The Pppoe Client
Press [SPACE BAR] and then press [ENTER] to choose PPTP. The encapsulation method influences your choices for the IP Address field. This value specifies the time, in seconds, that elapses before the Business Secure Router automatically disconnects from the PPTP server. Appendix E, “PPPoE,” on page Example...
Page 83: Figure 24 Internet Access Setup (Pppoe)
If you need a PPPoE service name to identify and reach the PPPoE server, go to menu 11 and enter the PPPoE service name provided to you in the Service Name field. Nortel Business Secure Router 222 Configuration — Advanced Figure Example...
Page 84: Basic Setup Complete
WebGUI. You can also define additional firewall rules or modify existing ones, but exercise extreme caution in doing so. See the chapters on firewalls in Nortel Business Secure Router 222 Configuration — Basics (NN47922-500) for more information on the firewall.
Page 85: Chapter 6 Remote Node Setup
Enter 1 to open Menu 11.1 Remote Node Profile and configure the setup for your regular ISP. Enter 2 to open Menu 11.1 Remote Node Profile (Backup ISP) and configure the setup for your Dial Backup port connection. 25). Nortel Business Secure Router 222 Configuration — Advanced...
Page 86: Remote Node Profile Setup
Figure 25 Menu 11 Remote Node Setup Menu 11 - Remote Node Setup 1. ChangeMe (ISP, SUA) 2. -GUI (BACKUP_ISP, SUA) Remote Node profile setup This section explains how to configure the remote node profile menu. Ethernet Encapsulation There are two variations of menu 11.1 depending on whether you choose Ethernet Encapsulation or PPPoE Encapsulation.
Page 87: Figure 26 Menu 11.1: Remote Node Profile For Ethernet Encapsulation
Standard, RR-Toshiba (Road Runner Toshiba authentication method) or RR-Manager (Road Runner Manager authentication method). Choose one of the Road Runner methods if your ISP is Time Warner's Road Runner; otherwise choose Standard. Nortel Business Secure Router 222 Configuration — Advanced Example LAoffice Ethernet Standard...
Page 88: Pppoe Encapsulation
The Business Secure Router supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you are using the Business Secure Router with a DSL modem as the WAN device. If you change the Encapsulation to PPPoE, you then see “PPPoE,”...
Page 89: Outgoing Authentication Protocol
Menu 11.1 - Remote Node Profile Route= IP Edit IP= No Telco Option: Allocated Budget(min)= 0 Period(hr)= 0 Schedules= Nailed-Up Connection= No Session Options: Edit Filter Sets= No Idle Timeout(sec)= 100 Edit Traffic Redirect= No Nortel Business Secure Router 222 Configuration — Advanced...
Page 90: Nailed-Up Connection
The first is that idle timeout is disabled. The second is that the Business Secure Router tries to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be very expensive.
Page 91: Pptp Encapsulation
Enter the IP address of the WAN Ethernet port. Enter the subnet mask of the WAN Ethernet port. Enter the IP address of the ANT modem. Nortel Business Secure Router 222 Configuration — Advanced for information about PPTP. Example PPTP 10.0.0.140...
Page 92: Edit Ip
Table 21 Fields in Menu 11.1 (PPTP Encapsulation) Field Connection ID/ Name Schedules Nailed-Up Connections Edit IP Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.1.2 - Network Layer Options. NN47922-501 Description Enter the connection ID or connection name in the...
Page 93: Figure 29 Menu 11.1.2: Remote Node Network Layer Options For Ethernet Encapsulation
If you have a Static IP Assignment, enter the IP address assigned to you by your ISP. If you have a Static IP Assignment, enter the subnet mask assigned to you. Nortel Business Secure Router 222 Configuration — Advanced Example Dynamic (default)
Page 94 RIP broadcasts. Press [SPACE BAR] and then [ENTER] to select the RIP direction from Both/ None/In Only/Out Only. The default for RIP on the WAN side is None. Nortel recommends that you do not change this setting. Example...
Page 95: Remote Node Filter
Network Layer Options, press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration and return to menu 11.1, or press [ESC] at any time to cancel. 135. For PPPoE or PPTP Nortel Business Secure Router 222 Configuration — Advanced Example None (default) Menu 11.1.4-...
Page 96: Figure 30 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation)
Figure 30 Menu 11.1.4: Remote Node filter (Ethernet Encapsulation) Input Filter Sets: protocol filters= Output Filter Sets: protocol filters= Enter here to CONFIRM or ESC to CANCEL: Figure 31 Menu 11.1.4: Remote Node filter (PPPoE or PPTP Encapsulation) Menu 11.1.4 - Remote Node Filter Input Filter Sets: protocol filters= Output Filter Sets:...
Page 97: Figure 32 Menu 11.1: Remote Node Profile
[ESC] at any time to cancel. Menu 11.1 - Remote Node Profile Route= IP Edit IP= No Session Options: Edit Filter Sets= No Edit Traffic Redirect= No Nortel Business Secure Router 222 Configuration — Advanced Example...
Page 98: Traffic Redirect Setup
Traffic Redirect setup Configure parameters that determine when the Business Secure Router forwards WAN traffic to the backup gateway using Menu 11.1.5 — Traffic Redirect Setup. Figure 33 Menu 11.1.5: Traffic Redirect setup Menu 11.1.5 - Traffic Redirect Setup Active= Yes Configuration: Backup Gateway IP Address= 0.0.0.0...
Page 99 After you complete this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen. Nortel Business Secure Router 222 Configuration — Advanced Example 0.0.0.0...
Page 100 100 Chapter 6 Remote Node setup NN47922-501...
Page 101: Ip Static Route Setup
Figure 34 Menu 12: IP Static Route Setup 1. Reserved 2. ________ 3. ________ 4. ________ 5. ________ 6. ________ 7. ________ 8. ________ 9. ________ 10. ________ 11. ________ Menu 12 - IP Static Route Setup Nortel Business Secure Router 222 Configuration — Advanced...
Page 102: Figure 35 Menu 12. 1: Edit Ip Static Route
Enter the IP address of the gateway. The gateway is an immediate neighbor of your Business Secure Router that forwards the packet to the destination. On the LAN, the gateway must be a router on the same segment as your Business Secure Router; over the WAN, the gateway...
Page 103 RIP broadcasts. After you complete filling in this menu, press [ENTER] at the message “Press ENTER to Confirm…” to save your configuration, or press [ESC] to cancel. Nortel Business Secure Router 222 Configuration — Advanced...
Page 104 104 Chapter 7 IP Static Route Setup NN47922-501...
Page 105: Chapter 8 Dial-In User Setup
By storing user profiles locally, your Business Secure Router can authenticate users without interacting with a network RADIUS server. Follow the steps below to set up user profiles on your Business Secure Router. From the main menu, enter 14 to display Menu 14 - Dial-in User Setup.
Page 106: Figure 37 Menu 14.1- Edit Dial-In User
Figure 37 Menu 14.1- Edit Dial-in User Menu 14.1 - Edit Dial-in User User Name= test Active= Yes Password= ******** Press ENTER to Confirm or ESC to Cancel: Leave name field blank to delete profile Table 26 describes the fields in Table 26 Menu 14.1- Edit Dial-in User Field User Name...
Page 107: Network Address Translation (Nat)
NAT for Internet access in menu 4. Enter 4 from the main menu to go to Menu 4 - Internet Access Setup. see“Address Mapping Sets” on page (Figure 39 on page Nortel Business Secure Router 222 Configuration — Advanced 110. The 109). Figure 38...
Page 108: Figure 38 Menu 4: Applying Nat For Internet Access
Figure 38 Menu 4: Applying NAT for Internet Access ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network Address Translation= SUA Only Press ENTER to Confirm or ESC to Cancel:...
Page 109: Figure 39 Menu 11.1.2: Applying Nat To The Remote Node
Figure “Address Mapping Sets” on for further discussion). Choose Full Feature if “Address Mapping Sets” on 110). Choose SUA Only if you have just one public Nortel Business Secure Router 222 Configuration — Advanced Options Full Feature None SUA Only...
Page 110: Nat Setup
NAT setup Use the address mapping sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN. You can see two NAT address mapping sets in menu 15.1. You can only configure Set 1. Set 255 is used for SUA.
Page 111: Sua Address Mapping Set
SUA Address Mapping Set Enter 255 to display the screen shown in Figure 42 (see “SUA (Single User Account) Versus NAT” on page 107). The fields in this menu cannot be changed. Nortel Business Secure Router 222 Configuration — Advanced...
Page 112: Figure 42 Menu 15.1.255: Sua Address Mapping Rules
Figure 42 Menu 15.1.255: SUA Address Mapping Rules Menu 15.1.255 - Address Mapping Rules Set Name= SUA Local Start IP --------------- --------------- 0.0.0.0 Press ENTER to Confirm or ESC to Cancel: Table 28 explains the fields in Note: Menu 15.1.255 is read-only. Table 28 SUA Address Mapping Rules Field Set Name...
Page 113: User-Defined Address Mapping Sets
Name field means that this is a required field and you must enter a name for the set. Note: The entire set is deleted if you leave the Set Name field blank and press [ENTER] at the bottom of the screen. Nortel Business Secure Router 222 Configuration — Advanced “General NAT examples” on Example 255.255.255.255 0.0.0.0...
Page 114: Ordering Your Rules
Ordering Your Rules Ordering your rules is important because the Business Secure Router applies the rules in the order that you specify. When a rule matches the current packet, the Business Secure Router takes the corresponding action and the remaining rules are ignored.
Page 115: Table 29 Fields In Menu 15.1.1
44, Menu 15.1.1.1 - Address Mapping Rule in which you can edit an individual rule and configure the Type, Local and Global Start/End IPs. Note: An IP End address must be numerically greater than its corresponding IP Start address. Nortel Business Secure Router 222 Configuration — Advanced Example NAT_SET Edit...
Page 116: Figure 44 Menu 15.1.1.1: Editing Or Configuring An Individual Rule In A Set
Figure 44 Menu 15.1.1.1: Editing or configuring an individual rule in a set Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= = N/A Global IP: Start= = N/A Press ENTER to Confirm or ESC to Cancel: Table 30 describes the fields in Table 30 Menu 15.1.1.1: Editing or configuring an individual rule in a set Field...
Page 117: Configuring A Server Behind Nat
Global IP Start Configuring a server behind NAT Note: If you do not assign a Default Server IP address, the Business Secure Router discards all packets received for ports that are not specified here or in the remote management setup.
Page 118: Figure 45 Menu 15.2: Nat Server Sets
Figure 45 Menu 15.2: NAT Server Sets Menu 15.2 - NAT Server Setup Default Server: 0.0.0.0 Rule Act. Start Port ------------------------------------------------------ Select Command= None Press ENTER to Confirm or ESC to Cancel: Select Edit Rule in the Select Command field; type the index number of the NAT server you want to configure in the Select Rule field and press [ENTER] to open Menu 15.2.1 - NAT Server Configuration (see the next figure).
Page 119: Figure 46 15.2.1: Nat Server Configuration
Enter a port number in the Start Port field. To forward only one port, enter it again in the End Port field. To specify a range of ports, enter the last port to be forwarded in the End Port field. Nortel Business Secure Router 222 Configuration — Advanced Index= 1 End port= 0...
Page 120: Figure 47 Menu 15.2: Nat Server Setup
Enter the inside IP address of the server in the IP Address field. In the following figure, you have a computer acting as an FTP, Telnet and SMTP server (ports 21, 23 and 25) at 192.168.1.33. Press [ENTER] at the “Press ENTER to confirm …” prompt to save your configuration after you define all the servers or press [ESC] at any time to cancel.
Page 121: General Nat Examples
49, you only need one rule where all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP. Figure 49 NAT Example 1 Business Secure Router Nortel Business Secure Router 222 Configuration — Advanced...
Page 122: Figure 50 Menu 4: Internet Access & Nat Example
Figure 50 Menu 4: Internet access & NAT example Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Login Server IP= N/A IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network Address Translation= SUA Only...
Page 123: Example 2: Internet Access With An Inside Server
In this case, you do exactly as shown in Figure 51 (use the convenient pre-configured SUA Only set), and also go to menu 15.2 to specify the Inside Server behind the NAT as shown in Figure Nortel Business Secure Router 222 Configuration — Advanced...
Page 124: Example 3: Multiple Public Ip Addresses With Inside Servers
In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server. All departments share the same router. The example reserves one IGA for each department with an FTP server and all departments use the other IGA.
Page 125: Figure 53 Nat Example 3
Start IP as 10.132.50.1 (our first IGA). (see Repeat the previous step for rules 2 to 4 as outlined above. When finished, menu 15.1.1 looks like as shown in Nortel Business Secure Router 222 Configuration — Advanced Figure 55).
Page 126: Figure 54 Example 3: Menu 11.1.2
Figure 54 Example 3: Menu 11.1.2 Menu 11.1.2 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= Full Feature Metric= N/A Private= N/A RIP Direction= None Version= N/A Enter here to CONFIRM or ESC to CANCEL: Figure 55...
Page 127: Figure 55 Example 3: Menu 15.1.1.1
Figure 55 Example 3: Menu 15.1.1.1 Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= 192.168.1.10 = N/A Global IP: Start= 10.132.50.1 = N/A Press ENTER to Confirm or ESC to Cancel: Nortel Business Secure Router 222 Configuration — Advanced...
Page 128: Figure 56 Example 3: Final Menu 15.1.1
Figure 56 Example 3: Final Menu 15.1.1 Menu 15.1.1 - Address Mapping Rules Set Name= Example3 Local Start IP --------------- --------------- 1. 192.168.1.10 192.168.1.11 3. 0.0.0.0 Action= Edit Now configure the IGA3 to map to our web server and mail server on the LAN. Enter 15 from the main menu.
Page 129: Configuring Trigger Port Forwarding
Enter 3 in menu 15 to display Menu 15.3 — Trigger Port Setup, shown in Figure Menu 15.2 - NAT Server Setup Start Port End Port Select Rule= N/A Nortel Business Secure Router 222 Configuration — Advanced IP Address 192.168.1.21 192.168.1.20 0.0.0.0 0.0.0.0 0.0.0.0...
Page 130: Figure 58 Menu 15.3: Trigger Port Setup
Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The Business Secure Router forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service.
Page 131 Enter a port number or the ending port number in a range of port numbers. Press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel. Nortel Business Secure Router 222 Configuration — Advanced Example 7170 7070...
Page 132 132 Chapter 9 Network Address Translation (NAT) NN47922-501...
Page 133: Introducing The Firewall
[SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks. Use the WebGUI to configure firewall rules. Enter Menu Selection Number: Nortel Business Secure Router 222 Configuration — Advanced Figure Figure 60. Press...
Page 134: Figure 60 Menu 21.2: Firewall Setup
Figure 60 Menu 21.2: Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off. Refer to the User’s Guide for details about the firewall default policies.
Page 135: Chapter 11 Filter Configuration
This chapter shows you how to create and apply filters. Introduction to filters Your Business Secure Router uses filters to decide whether to allow passage of a data packet, make a call, or both. There are two types of filter applications: data filtering and call filtering.
Page 136: Filter Structure
NetBIOS, into a single set and give it a descriptive name. With the Business Secure Router, you can configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You cannot mix device filter rules and protocol filter rules within the same set.
Page 137: Figure 62 Filter Rule Process
You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. Nortel Business Secure Router 222 Configuration — Advanced Start Packet into...
Page 138: Configuring A Filter Set
Configuring a Filter Set The Business Secure Router includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. Enter 21 in the main menu to open menu 21. Figure 63 Menu 21: Filter and Firewall Setup Menu 21 - Filter and Firewall Setup 1.
Page 139: Figure 64 Menu 21.1: Filter Set Configuration
Press [ENTER] at the message “Press ENTER to confirm” to open Menu 21.1.1 - Filter Rules Summary. The screen shown in filter set. Table 33 used in the previous menus. Nortel Business Secure Router 222 Configuration — Advanced Filter Set # ------ ----------------- _______________...
Page 140: Table 33 Abbreviations Used In The Filter Rules Summary Menu
Table 33 Abbreviations used in the Filter Rules Summary Menu Field Type Filter Rules These parameters are displayed here. Table 34 Rule abbreviations used Abbreviation The next section provides information on configuring the filter rules. NN47922-501 Description The filter rule number: 1 to 6. Active: “Y”...
Page 141: Configuring A Filter Rule
When applying the filter sets to a port, separate menu fields are provided for protocol and device filter sets. If you include a protocol filter set in a device filter field or vice versa, the Business Secure Router warns you and prevents you from saving.
Page 142: Figure 65 Menu 21.1.1.1: Tcp/Ip Filter Rule
Figure 65 Menu 21.1.1.1: TCP/IP Filter Rule Filter #: 1,2 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 0 Destination: IP Addr= TCP Estab= N/A More= No Action Matched= Check Next Rule Action Not Matched= Check Next Rule Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle.
Page 143 No, the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched will be N/A. Nortel Business Secure Router 222 Configuration — Advanced Options 0.0.0.0 0.0.0.0...
Page 144 Table 35 TCP/IP Filter Rule Menu fields Field Action Matched Action Not Matched Figure 66 illustrates the logic flow of an IP filter. NN47922-501 Description Press [SPACE BAR] and then [ENTER] to select a logging option from the following: None – No packets are logged. Action Matched - Only packets that match the rule parameters are logged.
Page 145: Figure 66 Executing An Ip Filter
Matched Check Src & Not Matched Dest Port Matched More? Action Matched Check Next Rule Drop Forward Drop Packet Nortel Business Secure Router 222 Configuration — Advanced Action Not Matched Check Next Rule Drop Check Next Rule Forward Accept Packet...
Page 146: Configuring A Generic Filter Rule
For IP packets, it is generally easier to use the IP rules directly. For generic rules, the Business Secure Router treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes.
Page 147: Table 36 Generic Filter Rule Menu Fields
Action Not Matched - Only packets that do not match the rule parameters are logged. Both – All packets are logged. Action Select the action for a packet matching the rule. Matched Nortel Business Secure Router 222 Configuration — Advanced Options Generic Filter Rule TCP/IP Filter Rule...
Page 148: Example Filter
Filter Rules Summary. Example Filter The example shown in Business Secure Router via Telnet. See the included disk for more Filter Rules example. Figure 68 Telnet filter Example Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup.
Page 149: Figure 9 Menu 2
(n = F) if the action is not matched, whether or not there are more rules to be checked (there are none in this example). Nortel Business Secure Router 222 Configuration — Advanced Figure Log= None Figure 70 is displayed.
Page 150: Figure 70 Example Filter Rules Summary: Menu 21.1.3
Figure 70 Example Filter Rules Summary: Menu 21.1.3 Menu 21.1.3 - Filter Rules Summary # A Type - - ---- --------------------------------------------------------------- - 1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 Enter Filter Rule Number (1-6) to Configure: 1 After you have created the filter set, you must apply it. Enter 11 from the main menu to go to menu 11.
Page 151: Filter Types And Nat
Therefore, the Business Secure Router applies the protocol filters to the native IP address and port number before NAT for outgoing packets and after NAT for incoming packets. On the other hand, the generic, or device filters are applied to the raw packets that appear on the wire.
Page 152: Applying A Filter
This section shows you where to apply the filters after you design them. The Business Secure Router already has filters to prevent NetBIOS traffic from triggering calls, and block incoming Telnet, FTP and HTTP connections. Note: Nortel recommends that you apply filters if you do not activate the firewall. Applying LAN Filters LAN traffic filter sets are useful to block certain packets, reduce traffic and prevent security breaches.
Page 153: Applying Remote Node Filters
Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: Nortel Business Secure Router 222 Configuration — Advanced Figure 73 – note that call filter sets are only present...
Page 154 154 Chapter 11 Filter configuration NN47922-501...
Page 155: Chapter 12 Snmp Configuration
Figure 74 Menu 22: SNMP Configuration SNMP: Get Community= PlsChgMe!RO Set Community= PlsChgMe!RW Trusted Host= 0.0.0.0 Trap: Community= Destination= 0.0.0.0 Press ENTER to Confirm or ESC to Cancel: Menu 22 - SNMP Configuration Nortel Business Secure Router 222 Configuration — Advanced...
Page 156: Snmp Traps
Set Community Trusted Host Trap Community Destination SNMP Traps The Business Secure Router will sends traps to the SNMP manager when any one of the following events occurs: Table 38 SNMP Traps Trap # Trap Name coldStart (defined in RFC-1215)
Page 157 Trap Name whyReboot (defined in MIB) For intentional reboot: For fatal error: Nortel Business Secure Router 222 Configuration — Advanced Description A trap is sent with the reason of restart before rebooting when the system is going to restart (warm start).
Page 158 158 Chapter 12 SNMP Configuration NN47922-501...
Page 159: Chapter 13 System Security
System password Figure 75 Menu 23 System security Nortel recommends you change the default password. If you forget your password, you have to restore the default configuration file. For more information, see “Restoring the factory-default configuration settings” in Nortel Business Secure Router 222 Configuration —...
Page 160: Configuring External Radius Server
Configuring external RADIUS server Enter 23 in the main menu to display Menu 23 – System security. Figure 76 Menu 23 system security From Menu 23- System Security, enter 2 to display Menu 23.2 – System Security – RADIUS Server, as shown in Figure 77 Menu 23.2 System Security: RADIUS server NN47922-501 Menu 23 - System Security...
Page 161: Table 39 Menu 23.2 System Security: Radius Server
After you complete this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen. Nortel Business Secure Router 222 Configuration — Advanced Figure...
Page 162: Ieee 802.1X
The IEEE 802.1x standards outline enhanced security methods for both the authentication of users and encryption key management. Follow the steps below to enable EAP authentication on your Business Secure Router. From the main menu, enter 23 to display Menu23 – System Security. Figure 78 Menu 23 System Security Enter 4 to display Menu 23.4 –...
Page 163: Table 40 Menu 23.4 System Security: Ieee802.1X
This field is activated only when you select Authentication Required in the Port Control field. The default time interval is 3 600 seconds (or 1 hour). Nortel Business Secure Router 222 Configuration — Advanced Figure...
Page 164 ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen. After you enable user authentication, you need to specify an external RADIUS server or create local user accounts on the Business Secure Router for authentication. NN47922-501 Description The authentication database contains user login information.
Page 165: System Information And Diagnosis
Secure Router. These tools include updates on system status, port status and log and trace capabilities. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown in Figure Nortel Business Secure Router 222 Configuration — Advanced...
Page 166: System Status
System Status is a tool that can be used to monitor your Business Secure Router. Specifically, it gives you information on your system firmware version, number of packets sent, and number of packets received.
Page 167: Figure 81 Menu 24.1: System Maintenance: Status
The number of received packets on this port. The number of collisions on this port. Shows the transmission speed in Bytes per second on this port. Nortel Business Secure Router 222 Configuration — Advanced 00:02:07 Thu. Jan. 01, 2004 Rx B/s...
Page 168: System Information And Console Port Speed
The release of firmware currently on the Business Secure Router and the date the release was created. This is the Business Secure Router system name + domain name assigned in menu 1. For example, System Name= xxx; Domain Name= baboo.mickey.com Name= xxx.baboo.mickey.com...
Page 169: System Information
Please enter selection: System Information System Information gives you information about your system, as shown in Figure 84. More specifically, it gives you information on your routing protocol, Ethernet address and IP address. Nortel Business Secure Router 222 Configuration — Advanced...
Page 170: Figure 84 Menu 24.2.1: System Maintenance Information
Refers to the Ethernet MAC (Media Access Control) address of your Business Secure Router. This is the IP address of the Business Secure Router in dotted decimal notation. This shows the IP mask of the Business Secure Router.
Page 171: Console Port Speed
Menu 24.2.2 – System Maintenance – Change Console Port Speed Log and trace The Business Secure Router has a syslog facility for message logging, and a trace function for viewing call-triggering packets. Figure 86 Menu 24.3: System Maintenance: Log and Trace...
Page 172: Cdr
Log Facility After you finish configuring this screen, press [ENTER] to confirm or [ESC] to cancel. Your Business Secure Router sends five types of syslog messages. Some examples of these syslog messages with their message formats are shown next: CDR Message Format SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String );...
Page 173: Packet Triggered
Jul 19 11:28:56 192.168.102.2 RAS: Packet Trigger: Protocol=1, Data=4500002c1b0140001f06b50ec0a86614ca849a7b0427001700195b3e00000000600 220008cd40000020405b4 Jul 19 11:29:06 192.168.102.2 RAS: Packet Trigger: Protocol=1, Data=45000028240140001f06ac12c0a86614ca849a7b0427001700195b451d143013500 4000077600000 Filter log Filter log Message Format SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String ); String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD Nortel Business Secure Router 222 Configuration — Advanced...
Page 174: Ppp Log
IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D). Src: Source Address Dst: Destination Address prot: Protocol (“TCP”,”UDP”,”ICMP”) spo: Source port dpo: Destination port Mar 03 10:39:43 202.132.155.97 RAS: GEN[fffffffffffnordff0080] }S05>R01mF Mar 03 10:41:29 202.132.155.97 RAS: GEN[00a0c5f502fnord010080] }S05>R01mF...
Page 175: Firewall Log
IP Frame: ENET0-RECV Size: 44/ 44 Time: 17:02:44.262 Frame Type: IP Header: IP Version = 4 Header Length = 20 Type of Service = 0x00 (0) Total Length = 0x002C (44) Identification = 0x0002 (2) Nortel Business Secure Router 222 Configuration — Advanced Figure...
Page 176 With the diagnostic facility, you can test the different aspects of your Business Secure Router to determine if it is working properly. In Menu 24.4, you can choose among various types of diagnostic tests to evaluate your system, as shown...
Page 177: Wan Dhcp
WAN DHCP DHCP functionality can be enabled on the LAN or WAN as shown in WAN & LAN DHCP. LAN DHCP is discussed in Nortel Business Secure Router 222 Configuration — Basics (NN47922-500). The Business Secure Router can act either as a WAN DHCP client (IP Address Assignment field in menu 4 or menu 11.1.2 is Dynamic and the Encapsulation field in menu 4 or menu 11 is Ethernet)
Page 178: Figure 90 Wan & Lan Dhcp
Chapter 5, “Internet access,” on page 79 for more details. Enter 11 to reboot the Business Secure Router. If you entered 1 in Ping Host, enter the IP address of the computer you want to ping in this field. Enter the number of the selection you want to perform or...
Page 179: Firmware And Configuration File Maintenance
DHCP Setup and TCP/IP Setup. It comes with a rom filename extension. Once you have customized the Business Secure Router settings, they can be saved back to your computer under a filename of your choosing.
Page 180: Backup Configuration
Note that the internal filename refers to the filename on the Business Secure Router and the external filename refers to the filename not on the Business Secure Router, that is, on your computer, local network or FTP site and so the name (but not the extension) can vary.
Page 181: Backup Configuration
To transfer the configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your Business Secure Router. Then type "nnadmin" and SMT password as requested. 3. Locate the 'rom-0' file.
Page 182: Example Of Ftp Commands From The Command Line
Enter bin to set transfer mode to binary. Use get to transfer files from the Business Secure Router to the computer, for example, get rom-0 config.rom transfers the configuration file on the Business Secure Router to your computer and renames it config.rom. See earlier in this chapter for more information on filename conventions.
Page 183: Tftp And Ftp Over Wan Management Limitations
The Business Secure Router supports the uploading and downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over LAN. Nortel does not recommend using TFTP over WAN, although it can work. To use TFTP, your computer must have both Telnet and TFTP clients. To back up the configuration file, follow the procedure shown next.
Page 184: Tftp Command Example
Enter the IP address of the Business Secure Router. 192.168.1.1 is the Business Secure Router’s default IP address when shipped. Use Send to upload the file to the Business Secure Router and Fetch to back up the file on your computer.
Page 185: Back Up Via Console Port
Figure 94 Menu 24.5 System Maintenance: Starting Xmodem Download Screen You can enter ctrl-x to terminate operation any time. Starting XMODEM download... Run the HyperTerminal program by clicking Transfer, then Receive File as shown in Figure Nortel Business Secure Router 222 Configuration — Advanced for information about Figure...
Page 186: Restore Configuration
FTP is the preferred method for restoring your current computer configuration to your Business Secure Router since FTP is faster. note that you must wait for the system to automatically restart after the file transfer is complete.
Page 187: Restore Using Ftp
1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your Business Secure Router. Then type "nnadmin" and SMT password as requested. 3. Type "put backupfilename rom-0" where backupfilename is the name of your backup configuration file on your workstation and rom-0 is the remote file name on the Business Secure Router.
Page 188: Restore Using Ftp Session Example
Enter quit to exit the ftp prompt. The Business Secure Router automatically restarts after a successful restore process. Restore using FTP session example Figure 98 Restore using FTP session example ftp> put config.rom rom-0 200 Port command okay 150 Opening data connection for STOR rom-0...
Page 189: Uploading Firmware And Configuration Files
Maintenance – Upload System Configuration File. Warning: Do not interrupt the file transfer process as this can permanently damage your Business Secure Router. Nortel Business Secure Router 222 Configuration — Advanced Type the configuration file’s location, or click Browse to search for it.
Page 190: Firmware File Upload
FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client. When you use Telnet to access the Business Secure Router, the screens for uploading firmware and the configuration file using FTP appear.
Page 191: Configuration File Upload
“put firmware.bin ras” transfers the firmware on your computer (firmware.bin) to the Business Secure Router and renames it “ras”. Similarly, “put config.rom rom-0” transfers the configuration file on your computer Nortel Business Secure Router 222 Configuration — Advanced Figure 103 appears when you access menu 24.7.2 via Telnet.
Page 192: Ftp Session Example Of Firmware File Upload
TFTP and FTP over WAN. TFTP file upload The Business Secure Router also supports the uploading of firmware files using TFTP (Trivial File Transfer Protocol) over LAN. Although TFTP also works over WAN, Nortel does not recommend doing this.
Page 193: Tftp Upload Command Example
“TFTP upload command example” on page documentation of your TFTP client program. For UNIX, use get to transfer from the Business Secure Router to the computer, put to transfer from the computer to the Business Secure Router, and binary to set binary transfer mode.
Page 194: Uploading Via Console Port
Secure Router. However, in the event of your network being down, uploading files is only possible with a direct connection to your Business Secure Router via the console port. Under normal conditions, Nortel does not recommend uploading files via the console port, as FTP or TFTP are faster. Any serial communications program should work fine;...
Page 195: Uploading Xmodem Firmware Using Hyperterminal
Select 2 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.2 – System Maintenance – Upload System Configuration File. Follow the instructions as shown in Nortel Business Secure Router 222 Configuration — Advanced Type the configuration file’s location, or click Browse to search for it.
Page 196: Figure 107 Menu 24.7.2 As Seen Using The Console Port
The password may change (menu 23), also. port speed will be reset to 9600 bps and the password to "setup". Do You Wish To Proceed:(Y/N) to restart the Business Secure Router. “Uploading Xmodem 195. The procedure for other serial...
Page 197: Uploading Xmodem Configuration File Using Hyperterminal
Click Transfer, then Send File to display the screen shown in Figure 108 Example Xmodem Upload After the configuration upload process is complete, restart the Business Secure Router by entering Nortel Business Secure Router 222 Configuration — Advanced Type the configuration file’s location, or click Browse to search for it.
Page 198 198 Chapter 15 Firmware and configuration file maintenance NN47922-501...
Page 199: System Maintenance Menus 8 To 10
24.8. Access can be by Telnet or by a serial connection to the console port, although some commands are only available with a serial connection. See the included disk or www.nortel.com for more detailed information about CI commands. Enter 8 from Menu 24 - System Maintenance.
Page 200: Command Syntax
Figure 109 Command mode in Menu 24 Menu 24 - System Maintenance 1. System Status 2. System Information and Console Port Speed 3. Log and Trace 4. Diagnostic 5. Backup Configuration 6. Restore Configuration 7. Firmware Update 8. Command Interpreter Mode 9.
Page 201: Command Usage
This commands display bandwidth management information and configure bandwidth management settings. certificates This commands display certificate information and configure certificate settings. radius This commands display RADIUS information. 8021x This commands display IEEE 802.1x information. Nortel Business Secure Router 222 Configuration — Advanced exit ether certificates radius...
Page 202: Call Control Support
With the budget management function, you can set a limit on the total outgoing call time of the Business Secure Router within certain times. When the total outgoing call time exceeds the limit, the current call is dropped and any future outgoing calls are blocked.
Page 203: Figure 112 Budget Management
11.1.) The elapsed time is the time used up within this period. Enter “0” to update the screen or press [ESC] to return to the previous screen. Nortel Business Secure Router 222 Configuration — Advanced Elapsed Time/Total Period No Budget No Budget...
Page 204: Call History
Call History This is the second option in Menu 24.9 - System Maintenance - Call Control. It displays information about past incoming and outgoing calls. Enter 2 from Menu 24.9 - System Maintenance - Call Control. Figure 113 Call History Menu 24.9.2 - Call History Phone Number Enter Entry to Delete(0 to exit):...
Page 205: Time And Date Setting
There is a software mechanism to set the time manually or get the current time and date from an external server when you turn on your Business Secure Router. With Menu 24.10, you can update the time and date settings of your Business Secure Router.
Page 206: Figure 115 Menu 24.10 System Maintenance: Time And Date Setting
Figure 115 Menu 24.10 System Maintenance: Time and Date Setting Menu 24.10 - System Maintenance - Time and Date Setting Time Protocol= NTP (RFC-1305) Time Server Address= a.ntp.alphazed.net Current Time: New Time (hh:mm:ss): Current Date: New Date (yyyy-mm-dd): Time Zone= GMT Daylight Saving= No Start Date (mm-nth-week-hr): End Date (mm-nth-week-hr):...
Page 207 GMT or UTC (GMT+1). After you fill in this menu, press [ENTER] at the message “Press ENTER to Confirm or ESC to Cancel“ to save your configuration, or press [ESC] to cancel. Nortel Business Secure Router 222 Configuration — Advanced...
Page 208: Resetting The Time
The Business Secure Router resets the time in three instances: • After you make changes to and leave menu 24.10 • After starting up the Business Secure Router starts up, if a time server configured in menu 24.10 • After starting the Business Secure Router, in 24-hour intervals...
Page 209: Chapter 17 Remote Management
To disable remote management of a service, select Disable in the corresponding Server Access field. Enter 11 from menu 24 to bring up Menu 24.11 – Remote Management Control. Nortel Business Secure Router 222 Configuration — Advanced...
Page 210: Figure 116 Menu 24.11 - Remote Management Control
[ENTER] to choose from: LAN only, WAN only, ALL or Disable. The default 0.0.0.0 allows any client to use this service to remotely manage the Business Secure Router. Enter an IP address to restrict access to a client with a matching IP address.
Page 211: Remote Management Limitations
Telnet session is disconnected if you begin a web session; it does not begin if a Web session is already running. There is a firewall rule that blocks remote management. Nortel Business Secure Router 222 Configuration — Advanced for details).
Page 212 212 Chapter 17 Remote Management NN47922-501...
Page 213: Chapter 18 Call Scheduling
_______________ _______________ _______________ _______________ _______________ Enter Schedule Set Number to Configure= 0 Edit Name= N/A Press ENTER to Confirm or ESC to Cancel: Nortel Business Secure Router 222 Configuration — Advanced Schedule Set # Name ------ ----------------- _______________ _______________ _______________...
Page 214: Figure 118 Menu 26.1 Schedule Set Setup
For example, if sets 1, 2, 3, and 4 are applied in the remote node then set 1 takes precedence over sets 2, 3, and 4 as the Business Secure Router, by default, applies the lowest numbered set first. Set 2 takes precedence over sets 3 and 4, and so on.
Page 215: Table 53 Menu 26.1 Schedule Set Setup
After you complete this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. Nortel Business Secure Router 222 Configuration — Advanced Example 2000-01-01 Once...
Page 216: Figure 119 Applying Schedule Sets To A Remote Node (Pppoe)
After you configure your schedule sets, you must apply them to the desired remote nodes. Enter 11 from the Main Menu and then enter the target remote node index. Using [SPACE BAR], select PPPoE or PPPoA in the Encapsulation field and then press [ENTER] to make the schedule sets field available, as shown in Figure 119 Applying Schedule Sets to a Remote Node (PPPoE) Menu 11.1 - Remote Node Profile...
Page 217: Setting Up Your Computer Ip Address
IP addresses that place them in the same subnet as the Business Secure Router LAN port. Windows 95/98/Me Click Start, Settings, Control Panel and double-click the Network icon to open the Network window Nortel Business Secure Router 222 Configuration — Advanced...
Page 218: Installing Components
Figure 120 WIndows 95/98/Me: network: configuration Installing components The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: In the Network window, click Add. b Select Adapter and click Add.
Page 219: Configuring
IP Address and Subnet Mask fields. Figure 121 Windows 95/98/Me: TCP/IP properties: IP address Click the DNS Configuration tab. — If you do not know your DNS information, select Disable DNS. Nortel Business Secure Router 222 Configuration — Advanced...
Page 220: Verifying Settings
Add. Click OK to save and close the TCP/IP Properties window. Click OK to close the Network window. Insert the Windows CD if prompted. Turn on your Business Secure Router and restart your computer when prompted. Verifying Settings Click Start and then Run.
Page 221: Windows 2000/Nt/Xp
For Windows XP, click Start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. Figure 123 Windows XP: Start menu For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. Figure 124 Windows XP: Control Panel Nortel Business Secure Router 222 Configuration — Advanced...
Page 222: Figure 125 Windows Xp: Control Panel: Network Connections: Properties
Right-click Local Area Connection and then click Properties. Figure 125 Windows XP: Control Panel: Network Connections: Properties Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties. Figure 126 Windows XP: Local Area Connection Properties NN47922-501...
Page 223: Figure 127 Windows Xp: Advanced Tcp/Ip Settings
Subnet mask, and then click Add. — Repeat the above two steps for each IP address you want to add. — Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways. Nortel Business Secure Router 222 Configuration — Advanced...
Page 224: Figure 128 Windows Xp: Internet Protocol (Tcp/Ip) Properties
— In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway. To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric. — Click Add. —...
Page 225: Verifying Settings
Status and then click the Support tab. Macintosh OS 8/9 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Figure 129 Macintosh OS 8/9: Apple Menu Nortel Business Secure Router 222 Configuration — Advanced...
Page 226: Verifying Settings
— Type your IP address in the IP Address box. — Type your subnet mask in the Subnet mask box. — Type the IP address of your Business Secure Router in the Router address box. Close the TCP/IP Control Panel.
Page 227: Macintosh Os X
— Select Automatic from the Location list. — Select Built-in Ethernet from the Show list. — Click the TCP/IP tab. For dynamically assigned settings, select Using DHCP from the Configure list. Figure 132 Macintosh OS X: Network Nortel Business Secure Router 222 Configuration — Advanced...
Page 228: Verifying Settings
— Type your IP address in the IP Address box. — Type your subnet mask in the Subnet mask box. — Type the IP address of your Business Secure Router in the Router address box. Click Apply Now and close the window.
Page 229: Appendix B Triangle Route
Triangle Route The Ideal Setup When the firewall is on, your Business Secure Router acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the Business Secure Router to protect your LAN against attacks.
Page 230: The Triangle Route Solutions
The reply from the WAN goes directly to the computer on the LAN without going through the Business Secure Router. As a result, the Business Secure Router resets the connection, as the connection is not acknowledged. Figure 134 Triangle Route Problem...
Page 231: Figure 135 Ip Alias
Subnet 2. The reply from WAN goes to the Business Secure Router. The Business Secure Router ends the response to the computer in Subnet 1. Figure 135 IP Alias Business Secure Router Nortel Business Secure Router 222 Configuration — Advanced...
Page 232 232 Appendix B Triangle Route NN47922-501...
Page 233: Importing Certificates
In Netscape Navigator, you can permanently trust the Business Secure Router server certificate by importing it into your operating system as a trusted certification authority. Select Accept This Certificate Permanently in Figure 136 Security Certificate Nortel Business Secure Router 222 Configuration — Advanced Figure 136 to do this.
Page 234: Importing The Business Secure Router Certificate Into Internet Explorer
Router, simply import the self-signed certificate into your operating system as a trusted certification authority. To have Internet Explorer trust a Business Secure Router certificate issued by a certificate authority, import the certificate authority’s certificate into your operating system as a trusted certification authority.
Page 235: Figure 138 Certificate General Information Before Import
Appendix C Importing certificates 235 Click Install Certificate to open the Install Certificate wizard. Figure 138 Certificate General Information before Import Nortel Business Secure Router 222 Configuration — Advanced...
Page 236: Figure 139 Certificate Import Wizard 1
236 Appendix C Importing certificates Click Next to begin the Install Certificate wizard. Figure 139 Certificate Import Wizard 1 NN47922-501...
Page 237: Figure 140 Certificate Import Wizard 2
Appendix C Importing certificates 237 Select where you want to store the certificate and click Next. Figure 140 Certificate Import Wizard 2 Nortel Business Secure Router 222 Configuration — Advanced...
Page 238: Figure 141 Certificate Import Wizard 3
Click Finish to complete the Import Certificate wizard. Figure 141 Certificate Import Wizard 3 Click Yes to add the Business Secure Router certificate to the root store. Figure 142 Root Certificate Store NN47922-501...
Page 239: Enrolling And Importing Ssl Client Certificates
You must have imported at least one trusted CA to the Business Secure Router in order for the Authenticate Client Certificates to be active (see “Certificates” in Nortel Business Secure Router 222 Configuration — Basics (NN47922-500) for details). Apply for a certificate from a Certification Authority (CA) that is trusted by the Business Secure Router (see the Business Secure Router’s Trusted CA WebGUI...
Page 240: Figure 144 Business Secure Router Trusted Ca Screen
240 Appendix C Importing certificates Figure 144 Business Secure Router Trusted CA screen The CA sends you a package containing the CA’s trusted certificate, your personal certificates and a password to install the personal certificates. NN47922-501...
Page 241: Figure 145 Ca Certificate Example
You need a password in advance. The CA can issue the password or you can specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to Figure 145. Figure 146 Nortel Business Secure Router 222 Configuration — Advanced...
Page 242: Figure 146 Personal Certificate Import Wizard 1
242 Appendix C Importing certificates Click Next to begin the wizard. Figure 146 Personal certificate import wizard 1 NN47922-501...
Page 243: Figure 147 Personal Certificate Import Wizard 2
The file name and path of the certificate you double-clicked automatically appears in the File name text box. Click Browse if you wish to import a different certificate. Figure 147 Personal certificate import wizard 2 Nortel Business Secure Router 222 Configuration — Advanced...
Page 244: Figure 148 Personal Certificate Import Wizard 3
244 Appendix C Importing certificates Enter the password given to you by the CA. Figure 148 Personal certificate import wizard 3 NN47922-501...
Page 245: Figure 149 Personal Certificate Import Wizard 4
Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 149 Personal certificate import wizard 4 Nortel Business Secure Router 222 Configuration — Advanced...
Page 246: Figure 150 Personal Certificate Import Wizard 5
Click Finish to complete the wizard and begin the import process. Figure 150 Personal certificate import wizard 5 Figure 151 installed on your computer. Figure 151 Personal certificate import wizard 6 NN47922-501 shows the screen that appears when the certificate is correctly...
Page 247: Using A Certificate When Accessing The Business Secure Router Example
Figure 152 Access the Business Secure Router via HTTPS When Authenticate Client Certificates is selected on the Business Secure Router, you are asked to select a personal certificate to send to the Business Secure Router. This screen displays even if you only have a single certificate,...
Page 248: Figure 154 Business Secure Router Secure Login Screen
248 Appendix C Importing certificates The Business Secure Router login screen appears. Figure 154 Business Secure Router secure login screen NN47922-501...
Page 249: Appendix Dpppoe
It allows the ISP to use the existing dial-up model to authenticate and (optionally) to provide differentiated services. Traditional dial-up scenario Figure 155 dial-up networking. depicts a typical hardware configuration where the PCs use traditional Nortel Business Secure Router 222 Configuration — Advanced Figure 155).
Page 250: How Pppoe Works
However, the PPP negotiation is between the PC and the ISP. Business Secure Router as a PPPoE client When using the Business Secure Router as a PPPoE client, the PCs on the LAN see only Ethernet and are not aware of PPPoE. This alleviates the administrator from having to manage the PPPoE clients on the individual PCs.
Page 251: Figure 156 Business Secure Router As A Pppoe Client
Appendix D PPPoE 251 Figure 156 Business Secure Router as a PPPoE Client Business Secure Router Nortel Business Secure Router 222 Configuration — Advanced...
Page 252 252 Appendix D PPPoE NN47922-501...
Page 253: Appendix Epptp
ISP. The various connections in this setup are depicted in the following diagram. The drawback of this solution is that it requires one separate ATM VC per destination. Figure 157 Transport PPP frames over Ethernet Nortel Business Secure Router 222 Configuration — Advanced...
Page 254: Pptp And The Business Secure Router
PPTP and the Business Secure Router When the Business Secure Router is deployed in such a setup, it appears as a PC to the ANT. In Windows VPN or PPTP Pass-Through feature, the PPTP tunneling is created from Windows 95, 98, and NT clients to an NT server in a remote location. Using the pass-through feature, users on the network can access a different remote server using the Business Secure Router's Internet connection.
Page 255: Control And Ppp Connections
Note that a tunnel control connection supports multiple call sessions. Figure 160 depicts the message exchange of a successful call setup between a PC and an ANT. Nortel Business Secure Router 222 Configuration — Advanced...
Page 256: Ppp Data Connection
256 Appendix E PPTP Figure 160 Example message exchange between PC and an ANT PPP data connection The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
Page 257: Hardware Specifications
(DataTerminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment). The Business Secure Router is DCE when you connect a computer to the console port. The Business Secure Router is DTE when you connect a modem to the dial backup port.
Page 258: Figure 161 Console Or Dial Backup Port Pin Layouts
Figure 161 Console or dial backup port pin layouts i n 5 i n 9 Table 55 Console or dial backup port pin assignments CONSOLE Port RS – 232 (Female) DB-9F Pin 1 = NON Pin 2 = DCE-TXD Pin 3 = DCE –RXD Pin 4 = DCE –DSR Pin 5 = GND Pin 6 = DCE –DTR...
Page 259: Ac Power Adapter Specifications
Crossover (Adapter) (Switch) OTD + IRD + OTD - IRD - IRD + OTD + IRD - OTD - Nortel Business Secure Router 222 Configuration — Advanced (Switch) IRD + IRD - 3 OTD + 6 OTD -...
Page 260 260 Appendix F Hardware specifications NN47922-501...
Page 261: Appendix Gip Subnetting
ID. • Class D addresses begin with 1 1 1 0. Class D addresses are used for multicasting. (There is also a class “E” address, which is reserved for future use.) Nortel Business Secure Router 222 Configuration — Advanced...
Page 262: Table 57 Allowed Ip Address Range By Class
Table 56 Classes of IP addresses IP Address: Octet 1 Class A Network number Class B Network number Class C Network number Note: Host IDs of all zeros or all ones are not allowed. Therefore: A class C network (8 host bits) can have 2 A class B address (16 host bits) can have 2 A class A address (24 host bits) can have 2 hosts).
Page 263: Subnet Masks
This is usually specified by writing a / followed by the number of bits in the mask after the address. For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with mask 255.255.255.128. Natural mask 255.0.0.0 255.255.0.0 255.255.255.0 Nortel Business Secure Router 222 Configuration — Advanced...
Page 264: Example: Two Subnets
Table 59 shows all possible subnet masks for a class C address using both notations. Table 59 Alternative Subnet Mask Notation Subnet mask IP address 255.255.255.0 255.255.255.128 255.255.255.192 255.255.255.224 255.255.255.240 255.255.255.248 255.255.255.252 The first mask shown is the class C natural mask. Normally, if no mask is specified, it is understood that the natural mask is being used.
Page 265 192.168.1. 11000000.10101000.00000001. 255.255.255. 11111111.11111111.11111111. Lowest Host ID: 192.168.1.129 Highest Host ID: 192.168.1.254 – 2 or 126 hosts for each subnet. Nortel Business Secure Router 222 Configuration — Advanced Last Octet bit value 00000000 10000000 Last octet bit value 10000000 10000000...
Page 266: Example: Four Subnets
192.168.1.0 with mask 255.255.255.128 is the subnet itself, and 192.168.1.127 with mask 255.255.255.128 is the directed broadcast address for the first subnet. Therefore, the lowest IP address that can be assigned to an actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254.
Page 267: Example: Eight Subnets
Lowest Host ID: 192.168.1.129 Highest Host ID: 192.168.1.190 Network number 192.168.1. 11000000.10101000.00000001. 11111111.11111111.11111111. Lowest Host ID: 192.168.1.193 First Address Last Address Nortel Business Secure Router 222 Configuration — Advanced Last Octet Bit Value 10000000 11000000 Last Octet Bit Value 11000000 11000000 Broadcast Address...
Page 268: Subnetting With Class A And Class B Networks
Table 66 Eight subnets Subnet Subnet Address Table 67 is a summary for class C subnet planning. Table 67 Class C subnet planning No. Borrowed Host Bits Subnetting with Class A and Class B networks. For class A and class B addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID.
Page 269 255.255.255.192 (/26) 1 024 255.255.255.224 (/27) 2 048 255.255.255.240 (/28) 4 096 255.255.255.248 (/29) 8 192 255.255.255.252 (/30) 16 384 255.255.255.254 (/31) 32 768 Nortel Business Secure Router 222 Configuration — Advanced No. Hosts per Subnet 2 046 1 022...
Page 270 270 Appendix G IP subnetting NN47922-501...
Page 271: Appendix H Command Interpreter
The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or www.nortel.com for more detailed information on these commands.
Page 272: Sys Commands
Sets or displays the system’s current date. Sets or displays the system time. Sets how often the Business Secure Router gets the date and time from the time server. Gets the date and time from the time server. Displays the domain name that the device sends to the LAN DHCP clients.
Page 273 [0:none/ 1:log] ppp [0:none/1:log] remote [0:none/1:log] tcpreset [0:none/1:log] upnp [0:none/1:log] Nortel Business Secure Router 222 Configuration — Advanced Description Removes extra phone numbers. Resets node and mask. Displays a list of the device’s major features. Displays the ISDN firmware type.
Page 274 Table 69 Sys commands Command clear display errlog load mail NN47922-501 urlblocked [0:none/1:log/ 2:alert/3:both] urlforward [0:none/1:log] [access|attack|error|ike|i psec|javablocked|mten|pack etfilter|pki| tcpreset|tls|upnp|urlblock ed|urlforward] clear disp online alertAddr [mail address] clearLog [0:no/1:yes] display logAddr [mail address] schedule display schedule hour [0-23] schedule minute [0-59] schedule policy [0:full/ 1:hourly/2:daily/3:weekly/ 4:none]...
Page 275 <0:no|1:yes> [0:cold boot/1: immediate reboot/2: bootModule debug mode] <entry no.> <entry no.>(0:working buffer) Nortel Business Secure Router 222 Configuration — Advanced Description Sets the log e-mail’s subject. Enables or disables SMTP authentication. Sets the SMTP authentication username. Sets the SMTP authentication password.
Page 276 Table 69 Sys commands Command nailup accessblock save stdio display debug listPerHost sessPerHost timeout NN47922-501 <none|sua|full_feature> <no|yes> <value> [entry no.] [minute] display icmp igmp tcpsyn tcpfin Description Configures remote node NAT. Configures a remote node connection to be nailed up (always on). Sets the remote node Maximum Transmission Unit.
Page 277 [mask] <entry> <size> <name> [none|incoming| outgoing|bothway] [on|off] [on|off] Nortel Business Secure Router 222 Configuration — Advanced Description Sets the idle-timeout value for other sessions. Sets the level of detail that should be displayed. “parse” displays the most detail and “disp” displays the least.
Page 278 Table 69 Sys commands Command udp switch udp addr udp port parse brief version view wdog switch romreset server NN47922-501 [on|off] <addr> <port> [[start_idx], end_idx] <filename> [on|off] [value] access <telnet|ftp|web|icmp|snmp| dns> <value> load disp port <telnet|ftp|web|snmp> <port> save secureip <telnet|ftp| web|icmp|snmp|dns>...
Page 279 4: Trigger Dial> <on|off> <level> <iface name> <iface name> <level> <iface name> Nortel Business Secure Router 222 Configuration — Advanced Description Sets or displays the password error blocking timeout value. Activates or deactivates the saved UPnP settings. Allows users to make configuration changes through UPnP.
Page 280: Exit Command
Table 69 Sys commands Command restart logout display Exit Command Table 70 Exit Command Command exit Ethernet Commands Table 71 lists and describes the Ethernet commands. Each of these commands must be preceded by information on the LAN configuration. Table 71 Ether Commands Command config driver...
Page 281: Ip Commands
Allows or disallows the device to receive ARP <on|off> from a different network or not. Enables or disables the ARP timeout function. <on|off> <iface> Releases the DHCP client IP address. release Nortel Business Secure Router 222 Configuration — Advanced to display the host IP address.
Page 282 Shows the LAN DNS server settings. display Enables or disables the HTTP debug flag. debug [on|off] This command currently does not work. Displays the ICMP statistics counter. Sets the ICMP router discovery flag. <iface> [on|off] Configures a network interface. [iface] [ipaddr] [broadcast <addr> |mtu <value>|dynamic]...
Page 283 <iface> in [mode] RIP information it receives. Sets the Business Secure Router to broadcast <iface> out its routing table. [mode] Shows the dial-in user RIP direction. [show|in|out|both |none] Displays the TCP statistic counters. Nortel Business Secure Router 222 Configuration — Advanced...
Page 284 Table 72 IP commands Command telnet tftp support stats traceroute xparent join break urlfilter enable exemptZone customize NN47922-501 Description Creates a Telnet connection to the specified <host> [port] host. Displays whether or not TFTP is supported. Displays the TFTP statistics. Sends ICMP packets to trace the route of a <host>...
Page 285 Records the LAN IP addresses that sent and received the most traffic. Records the most heavily used protocols or service ports. Displays the list of static routes or detailed [rule # | buf] information on a specified rule. Nortel Business Secure Router 222 Configuration — Advanced...
Page 286 Table 72 IP commands Command load save config dropIcmp igmp debug forwardall querier iface NN47922-501 Description Loads the specified static route rule into the <rule #> buffer. Saves a rule from the buffer to the System Parameters Table. Sets the name for a static route. name <site name>...
Page 287 Shows whether the Application Layer Gateway is enabled or disabled. Sets the SIP timeout period. <timeout in second> or 0 for no timeout Turns on the ALG. <ALG_FTP|ALG_H323 |ALG_SIP> Turns off the ALG. <ALG_FTP|ALG_H323 |ALG_SIP> Nortel Business Secure Router 222 Configuration — Advanced...
Page 288: Ipsec Commands
(2 default) and 0 means the connection never times out. Sets the idle timeout for IPSec <minutes> connections where the Business Secure Router is waiting for a response from the peer. Sets the autotimer for updating IPSec <0~255> rules that use a domain name as the secure gateway IP address.
Page 289 Sets the name of the rule. <name> Turns the rule on or off. <Yes|No> Sets the negotiation mode. <0:Main | 1:Aggressive> Turns NAT traversal on or off. <Yes|No> Turns phase 1 multiple proposal on or off. <Yes|No> Nortel Business Secure Router 222 Configuration — Advanced...
Page 290 Table 73 IPSec commands Command lcIdType lcIdContent myIpAddr peerIdType peerIdContent secureGwAddr authMethod certificate preShareKey p1EncryAlgo p1AuthAlgo p1SaLifeTime keyGroup nailUp activeProtocol p2MultiPro p2EncryAlgo p2EncryKeyLen p2AuthAlgo p2SaLifeTime NN47922-501 Description Sets the local ID type. <0:IP | 1:DNS | 2:Email> Sets the local ID content. <content>...
Page 291 <IP address> addresses (of back up remote Contivity <IP address> VPN switches). <IP address> Turns the Keep Alive feature on or off. <Yes|No> Displays a summary of the IKE (phase 1) rules. Nortel Business Secure Router 222 Configuration — Advanced...
Page 292 Table 73 IPSec commands Command ikeDelete <rule index> policyEdit <rule index> policySave ipsecList policyList policyDelete <rule index> policyConfig saIndex active lcAddrStart protocol controlPing controlPingAddr lcAddrType lcAddrEndMask lcPortStart lcPortEnd rmAddrType rmAddrStart rmAddrEndMask rmPortStart rmPortEnd btNatActive NN47922-501 Description Deletes the specified IPSec rule. Edits the specified IP policy.
Page 293 Sets the exempt host’s source end IP address. Sets the exempt host’s destination start <IP address> IP address. Sets the exempt host’s destination end IP <IP address> address. Saves an exempt host. Displays the branch tunnel NAT entries. Nortel Business Secure Router 222 Configuration — Advanced...
Page 294 Table 73 IPSec commands Command clientTerm load active display save auth encr NN47922-501 Description Loads client termination configuration from ROM to working buffer, you must execute this command before configuring client termination. Enables or disables client termination. <yes | no> Displays configuration and/or remote [user | cfg] user logon status of client termination,...
Page 295 Enables or disables Perfect Forward <enable | Secrecy. disable> Sets the Idle Timeout, the valid value is: <hh:mm:ss> 00:00:00~23:59:59, 00:00:00 means no idle timeout. Enable or disables Accept Initial Contact <on | off> Payload. Nortel Business Secure Router 222 Configuration — Advanced...
Page 296 Table 73 IPSec commands Command rekeyTo rekeyDc domain wins banner password NN47922-501 Description Sets the lifetime of a single key used for <hh:mm:ss> data encryption. Sets how much data you expect to transmit via the tunnel with a single key. A setting of 0 kb disables the Rekey Data Count, rekey data count must be more than 5.
Page 297: Sys Firewall Commands
Sets if the firewall ignores DoS attacks on the LAN or WAN. Displays the status of the broadcast log. Sets if the firewall ignores triangle route packets on the LAN or WAN. Nortel Business Secure Router 222 Configuration — Advanced . For example, type...
Page 298: Bandwidth Management Commands
Bandwidth management commands Table 75 lists and describes the bandwidth management commands. Each of these commands must be preceded by the LAN port’s bandwidth management settings. Table 75 Bandwidth management commands Command interface enable disable enable disable class add # NN47922-501 .
Page 299 <borrow on|off> <bandwidth xxx> <name xxx> <priority x> Nortel Business Secure Router 222 Configuration — Advanced Description The class can borrow bandwidth from its parent class when borrowing is turned on, and vice versa. Deletes the class # and its filter and all its children classes and their filters in LAN.
Page 300 Table 75 Bandwidth management commands Command filter add # del # add # del # show interface class filter statistics NN47922-501 <borrow on|off> Daddr <mask Dmask> Dport Saddr <mask Smask> Sport protocol Daddr <mask Dmask> Dport Saddr <mask Smask> Sport protocol Description The class can borrow...
Page 301: Certificates Commands
Description Nortel Business Secure Router 222 Configuration — Advanced Description Displays the bandwidth usage of the specified LAN class (or all of the LAN classes if you do not specify one).
Page 302 [key size] specifies the key size. It has to be an integer from 512 to 2 048. The default is 1 024 bits. Creates a certificate request and saves it to the request router for later manual enrollment. <name> <name> specifies a descriptive name for the <subject>...
Page 303 (optional). The default timeout value is 20 seconds. Deletes the specified local host certificate. <name> <name> specifies the name of the certificate to be deleted. Lists all my certificate names and basic information. Nortel Business Secure Router 222 Configuration — Advanced...
Page 304 Creates a certificate using your device MAC address that is specific to this device. The factory default certificate is a common default certificate for all Business Secure Router models. Imports the PEM-encoded certificate from stdin. <name> <name> specifies the name the imported CA certificate is saved as.
Page 305 Renames the specified trusted remote host <old name> certificate. <new name> <old name> specifies the name of the certificate to be renamed. <new name> specifies the new name the certificate is saved as. Nortel Business Secure Router 222 Configuration — Advanced...
Page 306 Table 76 Certificates commands Command delete view list rename edit NN47922-501 Description Adds a new directory service. <name> <name> specifies a descriptive name for the <addr[:port]> directory server. [login:pswd] <addr[:port]> specifies the server address (required) and port (optional). The format is "server-address[:port]".
Page 307: Ieee 802.1X Commands
Displays all supplicants information in the supplicant table. Displays all supplicants information related to the username. . For example, type radius Nortel Business Secure Router 222 Configuration — Advanced to set 8021x debug level 1 to display the radius auth...
Page 308 308 Appendix H Command Interpreter NN47922-501...
Page 309: Netbios Filter Commands
Allow or disallow the sending of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. • Allow or disallow the sending of NetBIOS packets through VPN connections. • Allow or disallow NetBIOS packets to initiate calls. Nortel Business Secure Router 222 Configuration — Advanced...
Page 310: Display Netbios Filter Settings
Display NetBIOS filter settings Figure 163 NetBIOS Display Filter Settings Command Example ============== NetBIOS Filter Status =============== Between LAN and WAN: Block IPSec Packets: Forward Trigger Dial: Disabled Syntax: sys filter netbios disp This command gives a read-only list of the current NetBIOS filter modes. The filter types and their default settings are as follows: Table 79 NetBIOS filter default settings Name...
Page 311: Example Commands
This command forwards WAN to LAN and WAN to LAN NetBIOS packets Command: sys filter netbios config 3 on This command blocks IPSec NetBIOS packets Command: sys filter netbios config 4 off This command stops NetBIOS commands from initiating calls. Nortel Business Secure Router 222 Configuration — Advanced...
Page 312 312 Appendix I NetBIOS filter commands NN47922-501...
Page 313: Appendix J Boot Commands
After you start up your Business Secure Router, you are given a choice to go into debug mode by pressing a key at the prompt shown in screen shown in Figure 164.
Page 314: Figure 165 Boot Module Commands
ATRWx display the 16-bit value of address x ATRLx display the 32-bit value of address x ATGO(x) run program at addr x or boot router ATGR boot router ATGT run Hardware Test Program ATRTw,x,y(,z) RAM test level w, from address x to y (z iterations)
Page 315: Appendix K Log Descriptions
Someone has failed to log on to the router's SMT interface. Someone has logged on to the router's WebGUI interface. Someone has failed to log on to the router's WebGUI interface. Someone has logged on to the router via Telnet. Nortel Business Secure Router 222 Configuration — Advanced...
Page 316: Table 82 Upnp Logs
Someone has failed to log on to the router via Telnet. Someone has logged on to the router via FTP. Someone has failed to log on to the router via FTP. The maximum number of SUA/NAT session table entries has been exceeded and the table is full.
Page 317: Table 84 Attack Logs
The firewall detected an ICMP echo attack. icmp echo ICMP (type:%d, code:%d) The firewall detected a TCP syn flood attack. syn flood TCP The firewall detected a TCP port scan attack. ports scan TCP Nortel Business Secure Router 222 Configuration — Advanced...
Page 318 The firewall detected a TCP NetBIOS attack. The firewall detected a TCP IP spoofing attack while the Business Secure Router did not have a default route. The firewall detected an UDP IP spoofing attack while the Business Secure Router did not have a default route.
Page 319: Table 85 Access Logs
IGMP (set:%d, rule:%d) to the rule’s configuration. ESP access matched the listed firewall rule and the Firewall rule match: ESP Business Secure Router blocked or forwarded it according (set:%d, rule:%d) to the rule’s configuration. Nortel Business Secure Router 222 Configuration — Advanced...
Page 320 Business Secure Router blocked or forwarded it according to the rule’s configuration. Access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the rule’s configuration. TCP access did not match the listed firewall rule and the Business Secure Router logged it.
Page 321 The router sent an ICMP response packet. This packet Router sent ICMP automatically bypasses the firewall. response packet (type:%d, code:%d) Table 87 for type and code details. Nortel Business Secure Router 222 Configuration — Advanced 86).
Page 322: Table 86 Acl Setting Notes
ACL set 2 for packets traveling from the WAN to the LAN. ACL set 7 for packets traveling from the LAN to the LAN or the Business Secure Router. ACL set 8 for packets traveling from the WAN to the WAN or the Business Secure Router.
Page 323: Vpn/Ipsec Logs
DESCRIPTION This message is sent by the "RAS" when this syslog is generated. The messages and notes are defined in this appendix’s other charts. Figure 166 Nortel Business Secure Router 222 Configuration — Advanced shows a typical log from the...
Page 324: Figure 166 Example Vpn Initiator Ipsec Log
Figure 166 Example VPN initiator IPSec log Index: Date/Time: ------------------------------------------------------------ 01 Jan 08:02:22 01 Jan 08:02:22 01 Jan 08:02:22 01 Jan 08:02:24 01 Jan 08:02:24 01 Jan 08:02:26 01 Jan 08:02:26 01 Jan 08:02:26 01 Jan 08:02:26 01 Jan 08:02:26 01 Jan 08:02:26 01 Jan 08:02:26 Clear IPSec Log (y/n):...
Page 325: Vpn Responder Ipsec Log
VPN tunnel are not using the same pre-shared key. Log: Recv Main Mode request from <192.168.100.100> Recv:<SA> Send:<SA> Recv:<KE><NONCE> Send:<KE><NONCE> Recv:<ID><HASH> Send:<ID><HASH> Phase 1 IKE SA process done Recv:<HASH><SA><NONCE><ID><ID> Start Phase 2: Quick Mode Send:<HASH><SA><NONCE><ID><ID> Recv:<HASH> Nortel Business Secure Router 222 Configuration — Advanced...
Page 326: Table 89 Sample Ike Key Exchange Logs
The Local IP Addr range for the peer is invalid. If the security gateway is 0.0.0.0, the Business Secure Router uses Local Addr for the peer as its Remote Addr. If a peer Local Addr range conflicts with other connections, the Business Secure Router does not accept VPN connection requests from this peer.
Page 327 My Remote <IP address> vs. My Local <IP address> -> <symbol> Error ID Info Nortel Business Secure Router 222 Configuration — Advanced Description The Business Secure Router limits the number of simultaneous Phase 2 SA negotiations. The IKE key exchange process fails if this limit is exceeded.
Page 328: Table 90 Sample Ipsec Logs During Packet Transmission
The packet matches the rule index number (#d), but Phase 1 or Phase 2 negotiation for outbound (from the VPN initiator) traffic is not finished yet. If the Business Secure Router receives a packet with the wrong sequence number it discards it. The authentication configuration settings are incorrect.
Page 329: Table 92 Pki Logs
The router received an ARL (Authority Revocation List), with Rcvd ARL <size>: size and issuer name as recorded, from the LDAP server <issuer name> whose address and port are recorded in the Source field. Nortel Business Secure Router 222 Configuration — Advanced...
Page 330: Table 93 Certificate Path Verification Failure Reason Codes
List) from the LDAP server whose address and port are recorded in the Source field. The router received directory data that was too large (the size is listed) from the LDAP server whose address and port are recorded in the Source field. The maximum size of directory data that the router allows is also recorded.
Page 331: Table 94 Ieee 802.1X Logs
RADIUS accepts user. RADIUS rejects user. Pls check RADIUS Server. Nortel Business Secure Router 222 Configuration — Advanced Description A user was authenticated by the local user database. A user was not authenticated by the local user database because of an incorrect user password.
Page 332: Log Commands
The router logged off a user whose session expired. The router logged off a user who ended the session. The router logged off a user from which there was no authentication response. The router logged off a user whose idle timeout period expired.
Page 333: Configuring What You Want The Business Secure Router To Log
Use the sys logs save command to store the settings in the Business Secure Router (you must do this in order to record logs). Displaying logs Use the sys logs display command to show all of the logs in the Business Secure Router’s log.
Page 334: Log Command Example
Use the sys logs display [log category] command to show the logs in an individual Business Secure Router log category. Use the sys logs clear command to erase all of the Business Secure Router’s logs. Log command example This example shows how to set the Business Secure Router to record the access logs and alerts and then view the results.
Page 335: Appendix L
This command sets the password protection to block all access attempts for N (a number from 1 to 60) minutes after the third time an incorrect password is entered. Nortel Business Secure Router 222 Configuration — Advanced...
Page 336 336 Appendix L Brute force password guessing protection NN47922-501...
Page 337: Sip
The SIP number is the part of the SIP URI that comes before the @ symbol. A SIP number can use letters like in an e-mail address (johndoe@your-ITSP.com, for example) or numbers like a telephone number (1122334455@VoIP-provider.com, for example). Nortel Business Secure Router 222 Configuration — Advanced...
Page 338: Sip Service Domain
SIP Service Domain The SIP service domain of the VoIP service provider is the domain name in a SIP URI. For example, if the SIP address is 1122334455@VoIP-provider.com, then VoIP-provider.com is the SIP service domain. SIP Call Progression Table 97 displays the basic steps in the setup and tear down of a SIP call.
Page 339: Sip Servers
The client device (A in the figure) sends a call invitation to the SIP proxy server (B). The SIP proxy server forwards the call invitation to C. Figure 168, either A or B can act as a SIP user agent Nortel Business Secure Router 222 Configuration — Advanced...
Page 340: Sip Redirect Server
Figure 169 SIP Proxy Server SIP Redirect Server A SIP redirect server accepts SIP requests, translates the destination address to an IP address and sends the translated IP address back to the device that sent the request. Then the client device that originally sent the request can send requests to the IP address that it received back from the redirect server.
Page 341: Sip Register Server
The register server checks your username and password when you register. When you make a VoIP call using SIP, the RTP (Real time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP. Nortel Business Secure Router 222 Configuration — Advanced...
Page 342: Sip Alg
You can make and receive calls between the LAN and the WAN. You cannot make a call between the LAN and the LAN. • The SIP ALG forwards UDP packets with a port 5060 destination to pass through. • The Business Secure Router forwards SIP audio connections. NN47922-501...
Page 343: Figure 171 Business Secure Router Sip Alg
WAN port as a back up, it drops SIP connections when the primary WAN port connection fails. The Business Secure Router does not automatically change the SIP connection to the secondary WAN port. Audio session using RTP Nortel Business Secure Router 222 Configuration — Advanced...
Page 344: Signaling Session Timeout
SIP server through the secondary WAN port to have the SIP connection go through the secondary WAN port. When the Business Secure Router uses both of the WAN ports at the same time, you can configure a routing policy to have the voice traffic from any IP address with UDP port 5060 and the RTP ports go over a specified WAN port.
Page 345: Index
Contivity VPN Client Software 33 conventions, text 25 copyright 2 DDNS Configuration 50 DDNS Type 51 Denial of Service 133 DHCP 73 DHCP (Dynamic Host Configuration Protocol) 37 DHCP Ethernet Setup 72 Nortel Business Secure Router 222 Configuration — Advanced...
Page 346 Diagnostic 176 DIAL BACKUP 258 Dial Timeout 59 Domain Name 168, 170 DoS (Denial of Service) 34 Drop Timeout 59 DSL Modem 39, 88 DTR 58 Dynamic DNS Support 36 Edit IP 61, 88 EMAIL 51 E-mail Address 51 Enable Wildcard 51 Encapsulation 80, 87, 91 Entering Information 43 Ethernet Encapsulation 79, 86, 87, 91, 96...
Page 347 Offline 52 OK Response 338 Operation Temperature 257 Outgoing Protocol Filters 77 Packet Filtering 35 PAP 61, 90 Password 42, 45, 80, 81, 155 Period(hr) 61, 90 Ping 178 Port Forwarding 37 Nortel Business Secure Router 222 Configuration — Advanced...
Page 348 PPP 62 PPPoE 35, 249 PPPoE Encapsulation 79, 83, 86, 88, 90, 96 PPTP 253 Client 81, 82 Configuring a Client 81, 82 PPTP Encapsulation 36, 91 Private 65, 94, 103 Protocol Filters 77 Incoming 77 Outgoing 77 publications hard copy 26 related 26 RAS F/W Version 170 Real time Transport Protocol 341...
Page 349 Upgradeable Firmware 38 Upload Firmware 189 UPnP 35 User Name 51 User Profiles 105 Username 42 VT100 41 WAN DHCP 177, 178 WAN Setup 53, 54 WebGUI 134 www.dyndns.org 52 XMODEM protocol 181 Nortel Business Secure Router 222 Configuration — Advanced...

This manual is also suitable for:

Bsr222

Nortel 222 User Manual

Chapter 2 Introducing the SMT

Chapter 4 LAN Setup

Chapter 5 Internet Access

Chapter 6 Remote Node Setup

Chapter 8 Dial-In User Setup

Chapter 11 Filter Configuration

Chapter 12 SNMP Configuration

Chapter 13 System Security

Quick Links

Related Manuals for Nortel 222

Summary of Contents for Nortel 222