Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others.
4. Consult the dealer or an experienced radio/TV technician for help. Notice 1 Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. Certifications Refer to the product page at www.zyxel.com. FCC Statement...
Brief description of the problem and the steps you took to solve it.

Customer support contacts (columns: location; support/sales e-mail; telephone/fax; web site/FTP site; regular mail)
Worldwide: support@zyxel.com.tw, sales@zyxel.com.tw; +886-3-578-3942, +886-3-578-2439; www.zyxel.com, www.europe.zyxel.com, ftp.europe.zyxel.com; ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu 300, Taiwan.
North America: support@zyxel.com, sales@zyxel.com...; +1-800-255-4101; www.us.zyxel.com
Prestige 652 Series User’s Guide

Table of Contents
Copyright
Federal Communications Commission (FCC) Interference Statement
ZyXEL Limited Warranty
Customer Support
List of Figures
List of Tables
List of Charts
Preface
What is DSL?
Chapter 5 LAN Setup
  LAN Overview
  DNS Server Address
  DNS Server Address Assignment
  LAN TCP/IP
  Configuring LAN
Chapter 6 Wireless LAN Setup
  Wireless LAN Overview
  Levels of Security
  Data Encryption with WEP
  Inserting a PCMCIA Wireless LAN Card
  Configuring Wireless LAN
Part IV: Firewall and Content Filters
Chapter 11 Firewalls
  11.1 Firewall Overview
  11.2 Types of Firewalls
  11.3 Introduction to ZyXEL’s Firewall
  11.4 Denial of Service
  11.5 Stateful Inspection
  11.6 Guidelines For Enhancing Security With Your Firewall
  11.7 Packet Filtering Vs Firewall
  18.5 Configuring Remote Management
Chapter 19 Universal Plug-and-Play (UPnP)
  19.1 Introducing Universal Plug and Play
  19.2 UPnP and ZyXEL
  19.3 Installing UPnP in Windows Example
  19.4 Using UPnP in Windows XP Example
Chapter 20 Logs Screens
  20.1 Logs Overview
  21.4 Wireless Screens
  21.5 Diagnostic Screens
  21.6 Firmware Screen
Part VIII: SMT General Configuration
Chapter 22 Introducing the SMT
  22.1 SMT Introduction
  22.2 Navigating the SMT Interface
  22.3 Changing the System Password
Chapter 23 Menu 1 General Setup
  23.1 General Setup
  23.2 Procedure To Configure Menu 1
Part IX: SMT Advanced Management
Chapter 33 Filter Configuration
  33.1 About Filtering
  33.2 Configuring a Filter Set for the Prestige 652H/HW
  33.3 Configuring a Filter Set for the Prestige 652
  33.4 Filter Rules Summary Menus
  33.5 Configuring a Filter Rule
  33.6 Filter Types and NAT
Chapter 37 Firmware and Configuration File Maintenance
  37.1 Filename Conventions
  37.2 Backup Configuration
  37.3 Restore Configuration
  37.4 Uploading Firmware and Configuration Files
Chapter 38 System Maintenance
  38.1 Command Interpreter Mode
  38.2 Call Control Support
  38.3 Time and Date Setting
Chapter 39 Remote Management
  39.1 Remote Management Overview
Appendix C Wireless LAN and IEEE 802.11
Appendix D PPPoE
Appendix E Virtual Circuit Topology
Appendix F Power Adaptor Specifications
Appendix G Example Internal SPTGEN Screens
Appendix H Setting up Your Computer’s IP Address
Appendix I Splitters and Microfilters
Figure 18-1 Telnet Configuration on a TCP/IP Network
Figure 18-2 Remote Management
Figure 19-1 Configuring UPnP
Figure 20-1 Log Settings
Figure 20-2 View Logs
Figure 20-3 E-mail Log Example
Figure 21-1 System Status
Figure 21-2 System Status: Show Statistics
Figure 21-3 DHCP Table
Figure 21-4 Association List
Figure 27-4 Menu 3.2.1 IP Alias Setup
Figure 27-5 Menu 1 General Setup
Figure 27-6 Menu 4 Internet Access Setup
Figure 28-1 Menu 11 Remote Node Setup
Figure 28-2 Menu 11.1 Remote Node Profile
Figure 28-3 Menu 11.3 Remote Node Network Layer Options
Figure 32-1 Menu 21.2 Firewall Setup
Figure 33-1 Outgoing Packet Filtering Process
Figure 33-2 Filter Rule Process
Figure 33-3 Menu 21 Filter Set Configuration (P652H/HW)
Figure 33-4 NetBIOS_WAN Filter Rules Summary (P652H/HW)
Figure 33-5 NetBIOS_LAN Filter Rules Summary (P652H/HW)
Figure 37-5 Backup Configuration Example
Figure 37-6 Successful Backup Confirmation Screen
Figure 37-7 Telnet into Menu 24.6
Figure 37-8 Restore Using FTP Session Example
Figure 37-9 System Maintenance: Restore Configuration
Figure 37-10 System Maintenance: Starting Xmodem Download Screen
Figure 43-1 Configuration Text File Format: Column Descriptions
Figure 43-2 Invalid Parameter Entered: Command Line Example
Figure 43-3 Valid Parameter Entered: Command Line Example
Figure 43-4 Internal SPTGEN FTP Download Example
Figure 43-5 Internal SPTGEN FTP Upload Example
List of Tables
Table 3-1 Wizard Screen 1
Table 3-2 Internet Connection with PPPoE
Table 3-3 Internet Connection with RFC 1483
Table 3-4 Internet Connection with ENET ENCAP
Table 3-5 Internet Connection with PPPoA
Table 3-6 Wizard: LAN Configuration
Table 15-1 Content Filter: Keyword
Table 15-2 Content Filter: Schedule
Table 15-3 Content Filter: Trusted
Table 16-1 VPN and NAT
Table 17-1 AH and ESP
Table 17-2 VPN Summary
Table 17-3 Local ID Type and Content Fields
Table 17-4 Peer ID Type and Content Fields
Table 17-5 Matching ID Type and Content Configuration Example
Table 17-6 Mismatching ID Type and Content Configuration Example
Table 25-1 DHCP Ethernet Setup Menu Fields
Table 25-2 TCP/IP Ethernet Setup Menu Fields
Table 26-1 Menu 3.5 - Wireless LAN Setup
Table 26-2 Menu 3.5.1 WLAN MAC Address Filtering
Table 27-1 Menu 3.2.1 IP Alias Setup
Table 41-2 Menu 27.1.1 IPSec Setup
Table 41-3 Menu 27.1.1.1 IKE Setup
Table 41-4 Active Protocol: Encapsulation and Security Protocol
Table 41-5 Menu 27.1.1.2 Manual Setup
Table 42-1 Menu 27.2 SA Monitor
List of Charts
Chart A-1 Troubleshooting the Start-Up of Your Prestige
Chart A-2 Troubleshooting the LAN LED
Chart A-3 Troubleshooting the DSL LED
Chart A-4 Troubleshooting the LAN Interface
Chart A-5 Troubleshooting the WAN Interface
Chart A-6 Troubleshooting Internet Access
Chart A-7 Troubleshooting the Password
Chart A-8 Troubleshooting the Web Configurator
Preface

Congratulations on your purchase of the Prestige 652 ADSL Security Router or the Prestige 652H or 652HW ADSL Security/Wireless LAN Router. Don’t forget to register your Prestige online at www.zyxel.com for free future product updates and information.
(ADSL over POTS and ADSL over ISDN) unless specifically identified.
• The Prestige models with wireless features will be referred to as the Prestige 652H/HW or simply the Prestige.

The following section offers some background information on DSL. Skip to Chapter 1 if you wish to begin working with your router right away.
What is DSL?

DSL (Digital Subscriber Line) technology enhances the data capacity of the existing twisted-pair wire that runs between the local telephone company switching offices and most homes and offices. While the wire itself can handle higher frequencies, the telephone switching equipment is designed to cut off signals above 4,000 Hz to filter noise off the voice line. Now everybody is searching for ways to get more bandwidth to improve access to the Web, hence DSL technologies.
Part I: Getting Started

This part is structured as a step-by-step guide to help you access your Prestige. It covers key features and applications, accessing the web configurator and configuring the wizard screens for initial setup.
Internet access. The Prestige is also a complete security solution with a robust firewall and VPN capability. What’s more, the Prestige 652H/HW provides optional wireless LAN connectivity, allowing users to enjoy the convenience and mobility of working anywhere within the coverage area.
• Firewall
The Prestige is a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN.
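The default policy described above, modelled as an added Python example (not ZyXEL's firmware code): sessions opened from the LAN are recorded, and a WAN packet is forwarded only when it is the reply to one of them. The 60-second idle timeout, the addresses and the packet trace are constructed for the example, and NAT and TCP flag tracking are left out.

```python
from dataclasses import dataclass

LAN_TO_WAN = "LAN->WAN"
WAN_TO_LAN = "WAN->LAN"


@dataclass(frozen=True)
class Packet:
    direction: str  # LAN_TO_WAN or WAN_TO_LAN
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Tracks sessions opened from the LAN and admits only their replies."""

    def __init__(self, idle_timeout=60.0):
        # idle_timeout is a hypothetical value chosen for this example.
        self.idle_timeout = idle_timeout
        # (proto, lan_ip, lan_port, wan_ip, wan_port) -> time last seen
        self.sessions = {}

    def _expire(self, now):
        """Forget sessions that have been idle longer than the timeout."""
        stale = [key for key, seen in self.sessions.items()
                 if now - seen > self.idle_timeout]
        for key in stale:
            del self.sessions[key]

    def inspect(self, pkt, now):
        """Return "forward" or "block" for a packet seen at time now (seconds)."""
        self._expire(now)
        if pkt.direction == LAN_TO_WAN:
            # Traffic initiated from the LAN opens (or refreshes) a session.
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.sessions[key] = now
            return "forward"
        if pkt.direction != WAN_TO_LAN:
            raise ValueError(f"unknown direction: {pkt.direction!r}")
        # An inbound packet must mirror a tracked session exactly.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            self.sessions[key] = now
            return "forward"
        return "block"


def run_demo():
    """Replay a constructed packet trace and return the verdict for each packet."""
    fw = StatefulFirewall(idle_timeout=60.0)
    client, server, stranger = "192.168.1.33", "203.0.113.10", "198.51.100.7"
    trace = [
        (0.0, Packet(LAN_TO_WAN, "tcp", client, 40000, server, 80)),     # LAN opens session
        (0.2, Packet(WAN_TO_LAN, "tcp", server, 80, client, 40000)),     # reply to it
        (1.0, Packet(WAN_TO_LAN, "tcp", stranger, 4444, client, 23)),    # unsolicited
        (1.5, Packet(WAN_TO_LAN, "tcp", server, 8080, client, 40000)),   # wrong source port
        (2.0, Packet(WAN_TO_LAN, "udp", server, 80, client, 40000)),     # wrong protocol
        (90.0, Packet(WAN_TO_LAN, "tcp", server, 80, client, 40000)),    # session timed out
    ]
    return [fw.inspect(pkt, now) for now, pkt in trace]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```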
PPPoE (Point-to-Point Protocol over Ethernet) emulates a dial-up connection. It allows your ISP to use their existing network configuration with newer broadband technologies such as ADSL. The PPPoE driver on the Prestige is transparent to the computers on the LAN, which see only Ethernet and are not aware of PPPoE, thus saving you from having to manage PPPoE clients on individual computers.
ADSL Transmission Rate Standards
♦ Full-Rate (ANSI T1.413, Issue 2; G.dmt (G.992.1)) with line rate support of up to 8 Mbps downstream and 832 Kbps upstream.
♦ G.lite (G.992.2) with line rate support of up to 1.5 Mbps downstream and 512 Kbps upstream.
♦...
♦ Transparent bridging for unsupported network layer protocols.
♦ RIP I/RIP II
♦ IGMP Proxy
♦ ICMP support
♦ ATM QoS support
♦ MIB II support (RFC 1213)

Networking Compatibility

Your Prestige is compatible with the major ADSL DSLAM (Digital Subscriber Line Access Multiplexer) providers, making configuration as simple as possible for you.
(for example, T1, OC3, DS3, ATM or Frame Relay). Think of it as the equivalent of a modem rack for ADSL. In addition, for the Prestige 652H/HW, you can insert an optional wireless PCMCIA card into the Prestige and allow wireless clients access to your network resources. A typical Internet access application is shown below.
Figure 1-1 Prestige Internet Access Application

Internet Single User Account

For a SOHO (Small Office/Home Office) environment, your Prestige offers the Single User Account (SUA) feature that allows multiple users on the LAN (Local Area Network) to access the Internet concurrently for the cost of a single IP address.
Figure 1-2 Firewall Application

1.3.3 VPN Application

The Prestige’s VPN feature makes it an ideal cost-effective way to connect branch offices and business partners over the Internet without the need (and expense) for leased lines between sites. VPN ensures the privacy and integrity of your data transmissions.
Figure 1-3 VPN Application

1.3.4 LAN to LAN Application

You can use the Prestige to connect two geographically dispersed networks over the ADSL line. A typical LAN-to-LAN application for your Prestige is shown as follows.
Chapter 2 Introducing the Web Configurator

This chapter describes how to access and navigate the web configurator.

Web Configurator Overview

The embedded web configurator allows you to manage the Prestige from anywhere through a browser such as Microsoft Internet Explorer or Netscape Navigator.
Figure 2-1 Password Screen

Step 6. You should now see the SITE MAP screen.

The Prestige automatically times out after five minutes of inactivity. Simply log back into the Prestige if this happens to you.

Navigating the Prestige Web Configurator

The following summarizes how to navigate the web configurator from the SITE MAP screen.
Figure 2-2 Web Configurator SITE MAP Screen (callouts: Wizard Setup, Navigation panel, Logout)

Click the icon (located in the top right corner of most screens) to view embedded help.

Resetting the Prestige

If you forget your password or cannot access the SMT menu, you will need to reload the factory-default configuration file or use the RESET button on the back of the Prestige.
2.4.2 Uploading a Configuration File Via Console Port

Download the default configuration file from the ZyXEL FTP site, unzip it and save it in a folder.

Step 1. Turn off the Prestige, begin a terminal emulation software session and turn on the Prestige again.
Chapter 3 Wizard Setup

This chapter provides information on the Wizard Setup screens in the web configurator.

Wizard Setup Introduction

Use the Wizard Setup screens to configure your system for Internet access settings and fill in the fields with the information in the Internet Account Information table of the Compact Guide or Read Me First.
3.2.4 RFC 1483

RFC 1483 describes two methods for Multiprotocol Encapsulation over ATM Adaptation Layer 5 (AAL5). The first method allows multiplexing of multiple protocols over a single ATM virtual circuit (LLC-based multiplexing) and the second method assumes that each protocol is carried over a separate ATM virtual circuit (VC-based multiplexing).
Figure 3-1 Wizard Screen 1

The following table describes the fields in this screen.

Table 3-1 Wizard Screen 1
Mode: From the Mode drop-down list box, select Routing (default) if your ISP allows multiple computers to share an Internet account.
Table 3-1 Wizard Screen 1
Next: Click this button to go to the next wizard screen. The next wizard screen you see depends on what protocol you chose above. Click on the protocol link to see the next wizard screen for that protocol.
3.7.1 IP Assignment with PPPoA or PPPoE Encapsulation

If you have a dynamic IP, then the IP Address and ENET ENCAP Gateway fields are not applicable (N/A). If you have a static IP, then you only need to fill in the IP Address field and not the ENET ENCAP Gateway field.
Nailed-Up Connection (PPP)

A nailed-up connection is a dial-up line where the connection is always up regardless of traffic demand. The Prestige does two things when you specify a nailed-up connection. The first is that idle timeout is disabled. The second is that the Prestige will try to bring up the connection when turned on and whenever the connection is down.
The following table describes the fields in this screen.

Table 3-2 Internet Connection with PPPoE
Service Name: Type the name of your PPPoE service here.
User Name: Enter the user name exactly as your ISP assigned. If assigned a name in the form user@domain where domain identifies a service name, then enter both components exactly as given.
Figure 3-3 Internet Connection with RFC 1483

The following table describes the fields in this screen.

Table 3-3 Internet Connection with RFC 1483
IP Address: This field is available if you select Routing in the Mode field. Type your ISP assigned IP address in this field.
Figure 3-4 Internet Connection with ENET ENCAP

The following table describes the fields in this screen.

Table 3-4 Internet Connection with ENET ENCAP
IP Address: A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed;...
Table 3-4 Internet Connection with ENET ENCAP
Network Address Translation: Select None, SUA Only or Full Feature from the drop-down list box. Refer to the NAT chapter for more details.
Back: Click Back to go back to the first wizard screen.
Next: Click Next to continue to the next wizard screen.
Table 3-5 Internet Connection with PPPoA
User Name: Enter the login name that your ISP gives you.
Password: Enter the password associated with the user name above.
IP Address: This option is available if you select Routing in the Mode field. A static IP address is a fixed IP that your ISP gives you.
3.11.1 IP Pool Setup

The Prestige is pre-configured with a pool of 32 IP addresses starting from 192.168.1.33 to 192.168.1.64 for the client machines. This leaves 31 IP addresses, 192.168.1.2 to 192.168.1.32 (excluding the Prestige itself which has a default IP of 192.168.1.1) for other server machines, for example, servers for mail, FTP, telnet, web, etc., that you may have.
Figure 3-7 Wizard: LAN Configuration

The following table describes the fields in this screen.

Table 3-6 Wizard: LAN Configuration
LAN IP Address: Enter the IP address of your Prestige in dotted decimal notation, for example, 192.168.1.1 (factory default).
Table 3-6 Wizard: LAN Configuration
Client IP Pool Starting Address: This field specifies the first of the contiguous addresses in the IP address pool.
Size of Client IP Pool: This field specifies the size or count of the IP address pool.
Primary DNS Server: Enter the IP addresses of the DNS servers.
3.14 Test Your Internet Connection

Launch your web browser and navigate to www.zyxel.com. Internet access is just the beginning. Refer to the rest of this User’s Guide for more detailed information on the complete range of Prestige features. If you cannot access the Internet, open the web configurator again to confirm that the Internet settings you configured in the Wizard Setup are correct.
Part II: Password, LAN, Wireless LAN and WAN

This part covers the password, LAN (Local Area Network), wireless LAN and WAN setup.
Chapter 4 Password Setup

This chapter provides information on the Password screen.

Password Overview

It is highly recommended that you change the password for accessing the Prestige.

Configuring Password

To change your Prestige’s password (recommended), click Password. The screen appears as shown.

Figure 4-1 Password

The following table describes the fields in this screen.
Table 4-1 Password
Retype to Confirm: Type the new password again in this field.
Apply: Click Apply to save your changes back to the Prestige.
Cancel: Click Cancel to begin configuring this screen afresh.
DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa, for example, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The DNS server addresses that you enter in the DHCP setup are passed to the client machines along with the assigned IP address and subnet mask.
ISP gives you the DNS server addresses, enter them in the DNS Server fields in DHCP Setup, otherwise, leave them blank. Some ISPs choose to pass the DNS servers using the DNS server extensions of PPP IPCP (IP Control Protocol) after the connection is up.
5.4.2 IP Address and Subnet Mask

Refer to the IP Address and Subnet Mask section in the Wizard Setup chapter for this information.

5.4.3 RIP Setup

RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets.
Configuring LAN

Click LAN to open the following screen.

Figure 5-2 LAN

The following table describes the fields in this screen.

Table 5-1 LAN
DHCP
Table 5-1 LAN
If set to Server, your Prestige can assign IP addresses, an IP default gateway and DNS servers to Windows 95, Windows NT and other systems that support the DHCP client. If set to None, the DHCP server will be disabled.
Table 5-1 LAN
Cancel: Click this button to reset the fields in this screen.
Wireless LAN Setup This chapter discusses how to configure Wireless LAN on the Prestige. This chapter only applies to the Prestige 652H/HW. Wireless LAN Overview This section introduces the wireless LAN and some basic configurations. Wireless LANs can be as simple as...
6.1.4 RTS/CTS

A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they cannot “hear”...
Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy.

6.1.5 Fragmentation Threshold

A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the Prestige will fragment the packet into smaller data frames.
Data Encryption with WEP

WEP encryption scrambles the data transmitted between the wireless stations and the access points to keep network communications private. It encrypts unicast and multicast communications in a network. Both the wireless stations and the access points must use the same WEP key for data encryption and decryption. Your Prestige allows you to configure up to four 64-bit or 128-bit WEP keys but only one key can be enabled at any one time.
Figure 6-3 Wireless

The following table describes the fields in this screen.

Table 6-1 Wireless
ESSID: The ESSID (Extended Service Set Identification) is a unique name to identify the Prestige in the wireless LAN. Wireless stations associating to the Prestige must have the same ESSID. Enter a descriptive name (up to 32 characters).
Table 6-1 Wireless
RTS/CTS Threshold: The RTS (Request To Send) threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake.
To change your Prestige’s MAC filter settings, click Wireless LAN, MAC Filter to open the MAC Filter screen. The screen appears as shown.

Figure 6-4 MAC Address Filter

The following table describes the fields in this menu.
Table 6-2 MAC Address Filter
Active: Select Yes from the drop-down list box to enable MAC address filtering.
Action: Define the filter action for the list of MAC addresses in the MAC address filter table. Select Deny Association to block access to the router; MAC addresses not listed will be allowed to access the router.
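The Active and Action fields above, as an added Python example that is not the Prestige's own code: it normalizes the common ways a MAC address is written before comparing it with the filter table, and applies the Deny Association semantics from the table. The Allow Association action is assumed here as the counterpart of Deny Association, malformed station addresses are refused while the filter is active (an assumption of this example), and all MAC addresses are constructed.

```python
import re

DENY = "Deny Association"    # action named in Table 6-2
ALLOW = "Allow Association"  # assumed counterpart action for this example

# Accepted spellings: 02:00:00:aa:bb:01, 02-00-00-aa-bb-01, 0200.00aa.bb01, 020000aabb01
_MAC_FORMS = (
    re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}"),
    re.compile(r"[0-9a-f]{2}(-[0-9a-f]{2}){5}"),
    re.compile(r"[0-9a-f]{4}(\.[0-9a-f]{4}){2}"),
    re.compile(r"[0-9a-f]{12}"),
)


def normalize_mac(text):
    """Return the address as lower-case colon-separated octets, or raise ValueError."""
    candidate = text.strip().lower()
    if not any(form.fullmatch(candidate) for form in _MAC_FORMS):
        raise ValueError(f"not a MAC address: {text!r}")
    digits = re.sub(r"[^0-9a-f]", "", candidate)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacFilter:
    """Models the Active / Action / address-table settings of the filter screen."""

    def __init__(self, active, action, addresses):
        if action not in (DENY, ALLOW):
            raise ValueError(f"unknown action: {action!r}")
        self.active = active
        self.action = action
        # A malformed table entry is a configuration error and raises here.
        self.table = {normalize_mac(addr) for addr in addresses}

    def may_associate(self, station_mac):
        """True if a station with this MAC address may associate."""
        if not self.active:
            return True  # filtering switched off: every station is accepted
        try:
            listed = normalize_mac(station_mac) in self.table
        except ValueError:
            return False  # unparseable address: refuse while the filter is active
        if self.action == DENY:
            return not listed  # listed stations blocked, all others allowed
        return listed          # assumed Allow semantics: only listed stations


def run_demo():
    """Evaluate four constructed station addresses under three filter settings."""
    table = ["02:00:00:AA:BB:01", "0200.00aa.bb02"]
    stations = ["02-00-00-aa-bb-01", "020000AABB02",
                "02:00:00:aa:bb:03", "02:00:00:aa:bb"]
    filters = {
        "deny": MacFilter(True, DENY, table),
        "allow": MacFilter(True, ALLOW, table),
        "inactive": MacFilter(False, DENY, table),
    }
    return {name: [flt.may_associate(s) for s in stations]
            for name, flt in filters.items()}


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(name, verdicts)
```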
• Accounting
Keeps track of the client’s network activity.

RADIUS is a simple package exchange in which your Prestige acts as a message relay between the wireless station and the network RADIUS server.

Types of RADIUS Messages

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication:
•...
an EAP-compatible RADIUS server, the access point helps a wireless station and a RADIUS server perform authentication.

Figure 6-5 EAP Authentication

The details below provide a general description of how IEEE 802.1x EAP authentication works. For an example list of EAP-MD5 authentication steps, see the IEEE 802.1x appendix.
Table 6-3 802.1x
Wireless Port Control: To control wireless stations’ access to the wired network, select a control method from the drop-down list box. Choose from No Authentication Required, Authentication Required and No Access Allowed. No Authentication Required allows all wireless stations access to the wired network without entering user names and passwords.
Table 6-3 802.1x
This field is activated only when you select Authentication Required in the Wireless Port Control field. The authentication database contains wireless station login information. The local user database is the built-in database on the Prestige. The RADIUS is an external server. Use this drop-down list box to select which database the Prestige should use (first) to authenticate a wireless station.
Table 6-4 Local User Database
This is the index number of a local user account.
Active: Select this check box to enable the user profile.
User Name: Enter the user name of the user profile.
Password: Enter a password up to 31 characters long for this user profile.
The following table describes the fields in this screen.

Table 6-5 RADIUS
Authentication Server
Active: Select Yes from the drop-down list box to enable user authentication through an external authentication server.
Server IP Address: Enter the IP address of the external authentication server in dotted decimal notation.
Chapter 7 WAN Setup

This chapter describes how to configure WAN settings.

WAN Overview

A WAN (Wide Area Network) is an outside connection to another network or the Internet. See the Wizard Setup chapter for more information on the fields in the WAN screens.

Metric

The metric represents the "cost of transmission".
For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for example Radius). PPPoE provides a login and authentication method that the existing Microsoft Dial-Up Networking software can activate, and therefore requires no new learning or procedures for Windows users.
Figure 7-1 Example of Traffic Shaping

Configuring WAN Setup

To change your Prestige’s WAN remote node settings, click WAN, WAN Setup. The screen differs by the encapsulation.
Table 7-1 WAN Setup
Name: Enter the name of your Internet Service Provider, e.g., MyISP. This information is for identification purposes only.
Mode: Select Routing (default) from the drop-down list box if your ISP allows multiple computers to share an Internet account.
Table 7-1 WAN Setup
Maximum Burst Size: Maximum Burst Size (MBS) refers to the maximum number of cells that can be sent at the peak rate. Type the MBS, which is less than 65535.
Login Information (PPPoA and PPPoE encapsulation only)
Service Name...
WAN Backup The CON/AUX port on the Prestige 652H/HW or the Dial Backup port on the Prestige 652 can be used in reserve, as a traditional dial-up connection should the WAN port connection fail. To set up the auxiliary port (AUX) for the Prestige 652H/HW for use in the event that the regular WAN connection is dropped, first make sure you have set up the switch and port connection (see the Compact Guide).
Figure 7-3 Traffic Redirect Setup Example Traffic Redirect on the WAN Traffic redirect forwards WAN traffic to a backup gateway when the Prestige cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the Prestige still provides firewall protection.
Figure 7-5 Traffic Redirect LAN Setup

Configuring WAN Backup

To change your Prestige’s WAN backup settings, click WAN, then WAN Backup. The screen appears as shown.
Figure 7-6 WAN Backup

The following table describes the fields in this screen.

Table 7-2 WAN Backup
Backup Type: Select the method that the Prestige uses to check the DSL connection. Select DSL Link to have the Prestige check the DSL connection’s physical layer. Select ICMP to have the Prestige periodically ping the IP addresses configured in the Check WAN IP Address fields.
Page 97
Prestige 652 Series User’s Guide Table 7-2 WAN Backup LABEL DESCRIPTION Check WAN IP Configure this field to test your Prestige's WAN accessibility. Type the IP address Address1-3 of a reliable nearby computer (for example, your ISP's DNS server address). When using a WAN backup connection, the Prestige periodically pings the addresses configured here and uses the other WAN backup connection (if configured) if there is no response.
Table 7-2 WAN Backup LABEL DESCRIPTION Metric This field sets this route's priority among the three routes the Prestige uses (normal, traffic redirect and dial backup). Type a number (1 to 15) to set the priority of the dial backup route for data transmission.
The following table describes the fields in this screen. Table 7-3 Advanced WAN Backup LABEL DESCRIPTION Basic Login Name Type the login name assigned by your ISP. Password Type the password assigned by your ISP. Retype to Confirm Type your password again to make sure that you have entered it correctly.
Table 7-3 Advanced WAN Backup LABEL DESCRIPTION Enable SUA Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network to a different IP address known within another network. SUA (Single User Account) is a subset of NAT that supports two types of mapping: Many-to-One and Server.
Table 7-3 Advanced WAN Backup LABEL DESCRIPTION Encapsulation Select CISCO PPP from the drop-down list box if your backup WAN device uses Cisco PPP encapsulation; otherwise select Standard PPP. Compression Select this check box to enable stac compression. Connection Nailed-Up Select Nailed-Up Connection when you want your connection up all the time.
7.12 DTR Signal The majority of WAN devices default to hanging up the current call when the DTR (Data Terminal Ready) signal is dropped by the DTE. When the “Drop DTR When Hang Up” check box is selected, the Prestige uses this hardware signal to force the WAN device to hang up, in addition to issuing the drop command “ATH”.
Figure 7-8 Advanced Modem Setup The following table describes the fields in this screen. Table 7-4 Advanced Modem Setup LABEL DESCRIPTION AT Command Strings Dial Type the AT Command string to make a call. Example: atdt Drop Type the AT Command string to drop a call.
Table 7-4 Advanced Modem Setup LABEL DESCRIPTION AT Response Strings CLID Type the keyword that precedes the CLID (Calling Line Identification) in the AT response string. This lets the Prestige capture the CLID in the AT response string that comes from the WAN device.
Part III: NAT, Dynamic DNS and Time Zone This part covers NAT (Network Address Translation), dynamic DNS (Domain Name Server) and Time Zone setup.
Chapter 8 Network Address Translation (NAT) Screens This chapter discusses how to configure NAT on the Prestige. NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, for example, the source address of an outgoing packet, used within one network to a different IP address known within another network.
NAT never changes the IP address (either local or global) of an outside host. 8.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side.
Figure 8-1 How NAT Works 8.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the Prestige can communicate with three distinct WAN networks. More examples follow at the end of this chapter.
2. Many to One: In Many-to-One mode, the Prestige maps multiple local IP addresses to one global IP address. This is equivalent to SUA (for instance, PAT, port address translation), ZyXEL’s Single User Account feature that previous ZyXEL routers supported (the SUA Only option in today’s routers).
5. Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world, although it is highly recommended that you use the DMZ port for these servers instead.
1. Choose SUA Only if you have just one public WAN IP address for your Prestige. 2. Choose Full Feature if you have multiple public WAN IP addresses for your Prestige. SUA Server A SUA server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though SUA makes your whole inside network appear as a single computer to the outside world.
Many residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location.
Figure 8-3 Multiple Servers Behind NAT Example Selecting the NAT Mode You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the Prestige. Click NAT to open the following screen.
Table 8-4 NAT Mode LABEL DESCRIPTION None Select this radio button to disable NAT. SUA Only Select this radio button if you have just one public WAN IP address for your Prestige. The Prestige uses Address Mapping Set 1 in the NAT - Edit SUA NAT Server Set screen. Edit Details Click this link to go to the NAT - Edit SUA NAT Server Set screen.
Figure 8-5 Edit SUA/NAT Server Set The following table describes the fields in this screen. Table 8-5 Edit SUA/NAT Server Set LABEL DESCRIPTION Start Port No. Enter a port number in this field. To forward only one port, enter the port number again in the End Port No. field. To forward a series of ports, enter the start port number here and the end port number in the End Port No.
Table 8-5 Edit SUA/NAT Server Set LABEL DESCRIPTION Server IP Address Enter your server IP address in this field. Save Click Save to save your changes back to the Prestige. Cancel Click Cancel to return to the previous configuration. Configuring Address Mapping Ordering your rules is important because the Prestige applies the rules in the order that you specify.
One-to-one NAT mapping type. M-1: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only.
Note that port numbers do not change for One-to-one NAT mapping type. 2. Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only.
Global Start IP This is the starting global IP address (IGA). Enter 0.0.0.0 here if you have a dynamic IP address from your ISP. Global End IP This is the ending global IP address (IGA). This field is N/A for One-to-One, Many-to-One and Server mapping types.
Chapter 9 Dynamic DNS Setup This chapter discusses how to configure your Prestige to use Dynamic DNS. Dynamic DNS Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.).
Figure 9-1 DDNS The following table describes the fields in this screen. Table 9-1 DDNS LABEL DESCRIPTION Active Select this check box to use dynamic DNS. Service Provider Select the name of your Dynamic DNS service provider. Host Names Type the domain name assigned to your Prestige by your Dynamic DNS provider.
Chapter 10 Time Zone This screen is not available on all models. Use this screen to configure the Prestige’s time and date settings. 10.1 Configuring Time Zone To change your Prestige’s time and date, click Time Zone. The screen appears as shown. Use this screen to configure the Prestige’s time based on your local time zone.
The following table describes the fields in this screen. Table 10-1 Time/Date LABEL DESCRIPTION Time Server Use Time Server when Bootup Select the time service protocol that your time server sends when you turn on the Prestige.
Table 10-1 Time/Date LABEL DESCRIPTION Current Time This field displays the time of your Prestige. Each time you reload this page, the Prestige synchronizes the time with the time server. New Time This field displays the last updated time from the time server. When you select None in the Use Time Server when Bootup field, enter the new time in this field and then click Apply.
Part IV: Firewall and Content Filters This part introduces firewalls in general and the Prestige firewall. It also explains customized services and logs and gives example firewall rules and an overview of content filtering.
Chapter 11 Firewalls This chapter gives some background information on firewalls and introduces the Prestige firewall. 11.1 Firewall Overview Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
See section 11.5 for more information on Stateful Inspection. Firewalls, of one type or another, have become an integral part of standard security solutions for enterprises. 11.3 Introduction to ZyXEL’s Firewall The Prestige firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated (in SMT menu 21.2 or in the web configurator).
Figure 11-1 Prestige Firewall Application 11.4 Denial of Service Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
Table 11-1 Common IP Ports Telnet HTTP SMTP POP3 11.4.2 Types of DoS Attacks There are four types of DoS attacks: 1. Those that exploit bugs in a TCP/IP implementation. 2. Those that exploit weaknesses in the TCP/IP specification. 3.
Figure 11-2 Three-Way Handshake Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment).
2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.
Table 11-3 Legal NetBIOS Commands MESSAGE: REQUEST: POSITIVE: NEGATIVE: RETARGET: KEEPALIVE: All SMTP commands are illegal except for those displayed in the following tables. Table 11-4 Legal SMTP Commands AUTH DATA EHLO ETRN EXPN HELO HELP MAIL NOOP...
Denies all sessions originating from the WAN to the LAN. Figure 11-5 Stateful Inspection The previous figure shows the Prestige’s default firewall rules in action as well as demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed.
access list entry is designed to permit inbound packets of the same connection as the outbound packet just inspected. 5. The outbound packet is forwarded out through the interface. 6. Later, an inbound packet reaches the interface. This packet is part of the connection previously established with the outbound packet.
11.5.3 TCP Security The Prestige uses state information embedded in TCP packets. The first packet of any new connection has its SYN flag set and its ACK flag cleared; these are "initiation" packets. All packets that do not have this flag structure are called "subsequent"...
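The stateful inspection steps and the TCP Security rule above can be modelled in a few lines. This is an added example, not ZyXEL firmware code: the class and function names and all addresses are constructed, and dropping "subsequent" packets that match no recorded connection is an assumption of the model.

```python
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = LAN to WAN, "in" = WAN to LAN
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def is_initiation(pkt):
    """SYN set and ACK cleared: the first packet of a new connection."""
    return bool(pkt.flags & SYN) and not (pkt.flags & ACK)


class StatefulFilter:
    """Default policy from the text: LAN to WAN allowed, WAN to LAN denied."""

    def __init__(self):
        # One entry per connection opened from the LAN:
        # (lan_ip, lan_port, wan_ip, wan_port)
        self.state = set()

    def check(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if is_initiation(pkt):
                # Temporary entry that will permit the replies.
                self.state.add(key)
                return "forward"
            # Assumption: subsequent packets need a recorded connection.
            return "forward" if key in self.state else "drop"
        # Inbound: mirror the tuple so it lines up with the LAN-side entry.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_initiation(pkt):
            return "drop"  # no sessions may originate from the WAN
        return "forward" if key in self.state else "drop"


def run_demo():
    """Constructed traffic: one LAN Telnet session plus two WAN probes."""
    fw = StatefulFilter()
    lan, server, stranger = "192.168.1.33", "203.0.113.5", "198.51.100.9"
    packets = [
        Packet("out", lan, 1025, server, 23, SYN),       # User A opens Telnet
        Packet("in", server, 23, lan, 1025, SYN | ACK),  # reply to User A
        Packet("out", lan, 1025, server, 23, ACK),       # handshake completes
        Packet("in", stranger, 4000, lan, 23, SYN),      # session from the WAN
        Packet("in", stranger, 23, lan, 1025, ACK),      # forged "reply"
    ]
    return [fw.check(p) for p in packets]


if __name__ == "__main__":
    print(run_demo())
```

The forged reply is dropped because its source address does not match the recorded connection, even though its flags look like those of an established session.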
work properly, this connection must be allowed to pass through even though a connection from the Internet would normally be rejected. In order to achieve this, the Prestige inspects the application-level FTP data. Specifically, it searches for outgoing "PORT"...
3. Never give out a password or any sensitive information to an unsolicited telephone call or e-mail. 4. Never e-mail sensitive information such as passwords, credit card information, etc., without encrypting the information first. 5. Never submit sensitive information via a web page unless the web site uses secure connections. You can identify a secure connection by looking for a small “key”...
3. To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A" and outside host/network "B". If the filter blocks the traffic from A to B, it also blocks the traffic from B to A.
Chapter 12 Firewall Configuration This chapter shows you how to enable and configure the Prestige firewall. 12.1 Remote Management and the Firewall When remote management is configured to allow management (see the Remote Management chapter) and the firewall is enabled: •...
12.3 Attack Alert Attack alerts are real-time reports of DoS attacks. In the Attack Alert screen, shown later, you may choose to generate an alert whenever an attack is detected. For DoS attacks, the Prestige uses thresholds to determine when to drop sessions that do not become fully established.
The Prestige measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute. When the number of existing half-open sessions rises above a threshold (max-incomplete high), the Prestige starts deleting half-open sessions as required to accommodate new connection requests.
Figure 12-2 Attack Alert The following table describes the fields in this screen. Table 12-1 Attack Alert LABEL DESCRIPTION Generate alert when attack detected Select this check box to generate an alert whenever an attack is detected. Denial of Services Thresholds One Minute Low...
Table 12-1 Attack Alert LABEL DESCRIPTION Maximum Incomplete Low This is the number of existing half-open sessions (default "80") that causes the firewall to stop deleting half-open sessions. The Prestige continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below this number.
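The high and low "maximum incomplete" thresholds described above form a hysteresis loop, which the following added example simulates. It is a model written for this page, not the Prestige's implementation: the low value of 80 is the default quoted above, while the high value of 100, the oldest-first deletion order and the flood source address are assumptions. The one-minute rate thresholds are not modelled.

```python
from collections import OrderedDict


class HalfOpenTracker:
    """Tracks half-open sessions against max-incomplete high/low."""

    def __init__(self, max_incomplete_high, max_incomplete_low):
        if max_incomplete_low > max_incomplete_high:
            raise ValueError("low threshold must not exceed high threshold")
        self.high = max_incomplete_high
        self.low = max_incomplete_low
        self.half_open = OrderedDict()  # insertion order = age
        self.deleting = False           # True while the firewall is pruning
        self.deleted = 0                # sessions removed by the firewall

    def _update_mode(self):
        count = len(self.half_open)
        if count > self.high:
            self.deleting = True        # rose above max-incomplete high
        elif count < self.low:
            self.deleting = False       # dropped below max-incomplete low
        # Between the two thresholds the previous mode is kept.

    def on_request(self, conn_id):
        """A new connection request arrives (session not yet established)."""
        if self.deleting and self.half_open:
            # Delete "as required to accommodate new connection requests".
            # Assumption: the oldest half-open session goes first.
            self.half_open.popitem(last=False)
            self.deleted += 1
        self.half_open[conn_id] = True
        self._update_mode()

    def on_resolved(self, conn_id):
        """The session became fully established or timed out."""
        self.half_open.pop(conn_id, None)
        self._update_mode()


def simulate_flood(requests=150, high=100, low=80):
    """Constructed scenario: a burst of requests that never complete."""
    tracker = HalfOpenTracker(high, low)
    for i in range(requests):
        tracker.on_request(("198.51.100.1", 1024 + i))
    during = (len(tracker.half_open), tracker.deleted, tracker.deleting)

    # The burst ends; the remaining sessions resolve one at a time.
    resolved = 0
    for conn_id in list(tracker.half_open):
        if not tracker.deleting:
            break
        tracker.on_resolved(conn_id)
        resolved += 1
    after = (len(tracker.half_open), tracker.deleting)
    return during, resolved, after


if __name__ == "__main__":
    print(simulate_flood())
```

With these values the table is held at 101 entries during the burst, and pruning stops only once the count falls to 79, not as soon as it returns to 100.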
Chapter 13 Creating Custom Rules This chapter contains instructions for defining both Local Network and Internet rules. 13.1 Rules Overview Firewall rules are subdivided into “Local Network” and “Internet”. By default, the Prestige’s stateful packet inspection allows all communications to the Internet that originate from the local network, and blocks all traffic to the LAN that originates from the Internet.
3. What is the direction of the connection: from the LAN to the Internet, or from the Internet to the LAN? 4. What IP services will be affected? 5. What computers on the LAN are to be affected (if any)? 6.
Source Address What is the connection’s source address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet? Destination Address What is the connection’s destination address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet? 13.3 Connection Direction This section talks about configuring firewall rules for connections going from LAN to WAN and WAN to...
Figure 13-2 WAN to LAN Traffic 13.4 Logs A log is a detailed record that you create for packets that either match a rule, don’t match a rule or both when you are creating/editing a firewall rule (see Figure 13-4). You can also choose not to create a log for a rule in this screen.
Figure 13-3 Firewall Rules Summary: First Screen The following table describes the fields in this screen. Table 13-1 Firewall Rules Summary: First Screen LABEL DESCRIPTION The default action for packets not matching Use the drop-down list box to select whether to Block (silently discard) or Forward (allow the passage of) packets that do not match the following rules.
Table 13-1 Firewall Rules Summary: First Screen LABEL DESCRIPTION This is your firewall rule number. The ordering of your rules is important as rules are applied in turn. The Move field below allows you to reorder your rules. Click a rule’s number to edit the rule.
24032) DNS(UDP/TCP:53) Domain Name Server, a service that matches web names (e.g. www.zyxel.com) to IP numbers. FINGER(TCP:79) Finger is a UNIX or Internet related command that can be used to find out if a user is logged on. FTP(TCP:20.21) File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
Table 13-2 Predefined Services SERVICE DESCRIPTION NNTP(TCP:119) Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service. PING(ICMP:0) Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable. POP3(TCP:110) Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other).
Table 13-2 Predefined Services SERVICE DESCRIPTION TACACS(UDP:49) Login Host Protocol used for TACACS (Terminal Access Controller Access Control System). TELNET(TCP:23) Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.
Figure 13-4 Creating/Editing A Firewall Rule The following table describes the fields in this screen. Table 13-3 Creating/Editing A Firewall Rule LABEL DESCRIPTION Source Address Click SrcAdd to add a new address, SrcEdit to edit an existing one or SrcDelete to delete one.
Table 13-3 Creating/Editing A Firewall Rule LABEL DESCRIPTION Destination Address Click DestAdd to add a new address, DestEdit to edit an existing one or DestDelete to delete one. Services Select a service in the Available Services box on the left, then click >> to select. The selected service shows up on the Selected Services box on the right.
Figure 13-5 Adding/Editing Source and Destination Addresses The following table describes the fields in this screen. Table 13-4 Adding/Editing Source and Destination Addresses LABEL DESCRIPTION Address Type Do you want your rule to apply to packets with a particular (single) IP address, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an option from the drop-down list box that includes: Single Address, Range Address, Subnet Address and Any Address.
13.8.1 Factors Influencing Choices for Timeout Values The factors influencing choices for timeout values are the same as the factors influencing choices for threshold values – see section 12.3.2. Click Timeout for either Local Network or Internet. Figure 13-6 Timeout The following table describes the fields in this screen.
Table 13-5 Timeout LABEL DESCRIPTION Back Click Back to return to the previous screen. Apply Click Apply to save your customized settings and exit this screen. Cancel Click Cancel to return to the previous configuration.
Chapter 14 Customized Services This chapter covers creating, viewing and editing custom services. 14.1 Introduction to Customized Services Configure customized services and port numbers not predefined by the Prestige (see Figure 13-4). For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) website.
Table 14-1 Customized Services LABEL DESCRIPTION Customized Services This is the number of your customized port. Click a rule’s number of a service to go to the Firewall Customized Services Config screen to configure or edit a customized service.
Table 14-2 Creating/Editing A Customized Service LABEL DESCRIPTION Service Name Type a unique name for your custom port. Service Type Choose the IP port (TCP, UDP or TCP/UDP) that defines your customized port from the drop down list box. Port Configuration Type Click Single to specify one port only or Range to specify a span of ports that define...
Figure 14-3 Configure Source IP Example Step 5. Click Edit Available Service in the Edit rule screen and then click a rule number to bring up the Firewall Customized Services Config screen. Configure as follows. Figure 14-4 Customized Service for MyService Example Customized services show up with an “*”...
Step 6. Follow the procedures outlined earlier in this chapter to configure all your rules. Configure the rule configuration screen like the one below and apply it. This is the address range of the MyService computers. This is your MyService custom port.
Step 7. On completing the configuration procedure for these Internet firewall rules, the Rule Summary screen should look like the following. Don’t forget to click Apply when you have finished configuring your rule(s) to save your settings back to the Prestige. This rule allows a MyService connection from the WAN.
Chapter 15 Content Filtering Screens This chapter covers how to configure content filtering. 15.1 Content Filtering Overview Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering gives you the ability to block web sites that contain key words (that you specify) in the URL.
Figure 15-1 Content Filter: Keyword The following table describes the fields in this screen. Table 15-1 Content Filter: Keyword LABEL DESCRIPTION Enable Keyword Blocking Select this check box to enable this feature. Block Websites that contain these keywords in This box contains the list of all the keywords that you have configured the Prestige to block.
Table 15-1 Content Filter: Keyword LABEL DESCRIPTION Add Keyword Click Add Keyword after you have typed a keyword. Repeat this procedure to add other keywords. Up to 64 keywords are allowed. When you try to access a web page containing a keyword, you will get a message telling you that the content filter is blocking this request.
Table 15-2 Content Filter: Schedule LABEL DESCRIPTION Days to Block: Select a check box to configure which days of the week (or everyday) you want the content filtering to be active. Time of Day to Block: Use the 24 hour format to configure which time of the day (or select the All day check box) you want the content filtering to be active.
Table 15-3 Content Filter: Trusted LABEL DESCRIPTION Type the ending IP address of a specific range of users on your LAN that you want to exclude from content filtering. Leave this field blank if you want to exclude an individual computer.
Chapter 16 Introduction to IPSec This chapter introduces the basics of IPSec VPNs. 16.1 VPN Overview A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
Figure 16-1 Encryption and Decryption Data Confidentiality The IPSec sender can encrypt packets before transmitting them across a network. Data Integrity The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
Figure 16-2 VPN Application 16.2 IPSec Architecture The overall IPSec architecture is shown as follows.
Figure 16-3 IPSec Architecture 16.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard) and Triple DES algorithms.
16.3 Encapsulation The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. Figure 16-4 Transport and Tunnel Mode IPSec Encapsulation 16.3.1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to the received packet doesn't match.
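The hash mismatch described above can be reproduced with a simplified packet model. This is an added example, not code from the Prestige: the key, addresses and payload are constructed, the 20-byte header is a bare IPv4 header without the real AH or ESP headers, and HMAC-SHA1 truncated to 96 bits stands in for the negotiated authentication algorithm. It also shows that an integrity check computed over the ESP payload alone is unaffected by the address rewrite.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"  # constructed shared authentication key


def ip_header(src, dst, proto, payload_len, ttl=64):
    """Bare 20-byte IPv4 header (checksum left at zero for simplicity)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def icv(data):
    """Integrity check value: HMAC-SHA1 truncated to 96 bits."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def immutable_view(header):
    """Zero the fields routers may change in transit before hashing."""
    h = bytearray(header)
    h[1] = 0             # type of service
    h[6:8] = b"\x00\x00"  # flags and fragment offset
    h[8] = 0             # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def ah_icv(header, payload):
    # AH authenticates the payload AND the IP header, addresses included.
    return icv(immutable_view(header) + payload)


def ah_verify(header, payload, received_icv):
    return hmac.compare_digest(ah_icv(header, payload), received_icv)


def esp_verify(header, esp_payload, received_icv):
    # ESP authentication covers only the ESP payload; the IP header that
    # carries it is not part of the hash, so it is ignored here.
    return hmac.compare_digest(icv(esp_payload), received_icv)


def nat_rewrite_source(header, new_src):
    h = bytearray(header)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h)


def decrement_ttl(header):
    h = bytearray(header)
    h[8] -= 1
    return bytes(h)


def demo():
    payload = b"constructed application data"
    sent = ip_header("192.168.1.33", "203.0.113.5", 51, len(payload))
    sent_ah_icv = ah_icv(sent, payload)
    sent_esp_icv = icv(payload)

    routed = decrement_ttl(sent)                       # ordinary router hop
    natted = nat_rewrite_source(sent, "198.51.100.7")  # NAT in the path
    return {
        "ah_after_router_hop": ah_verify(routed, payload, sent_ah_icv),
        "ah_after_nat": ah_verify(natted, payload, sent_ah_icv),
        "esp_after_nat": esp_verify(natted, payload, sent_esp_icv),
    }


if __name__ == "__main__":
    print(demo())
```

A normal router hop leaves the AH check intact because TTL is excluded from the hash, while the NAT rewrite of the source address makes the receiver's computed value differ from the one appended by the sender.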
Chapter 17 VPN Screens This chapter introduces the VPN screens. See the Logs chapter for information on viewing logs and the Reference Guide for IPSec log descriptions. 17.1 VPN/IPSec Overview Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections.
Table 17-1 AH and ESP
Select DES for minimal security and 3DES for maximum. Select NULL to set up a tunnel without encryption.
Select MD5 for minimal security and SHA-1 for maximum security.
DES (default): Data Encryption Standard (DES) is a widely used method...
MD5 (default): MD5 (Message Digest 5) produces a 128-bit...
for telecommuters initiating a VPN tunnel to the company network. See section 17.16 for configuration examples. The Secure Gateway IP Address may be configured as 0.0.0.0 only when using IKE key management and not Manual key management. 17.5 VPN Summary Screen The following figure helps explain the main fields in the web configurator.
Figure 17-2 VPN Summary The following table describes the fields in this screen. Table 17-2 VPN Summary LABEL DESCRIPTION This is the VPN policy index number. Click a number to edit VPN policies. Name This field displays the identification name for this VPN policy. This field displays whether the VPN policy is active or not.
Table 17-2 VPN Summary LABEL DESCRIPTION Secure Gateway This is the IP address of the remote IPSec router. This must be a fixed, public IP address for traffic going through the Internet. Back Click Back to return to the previous screen. 17.6 Keep Alive When you initiate an IPSec tunnel with keep alive enabled, the Prestige automatically renegotiates the tunnel when the IPSec SA lifetime period expires (see section 17.10 for more on the IPSec SA lifetime).
Table 17-3 Local ID Type and Content Fields LOCAL ID TYPE= CONTENT= Type the IP address of your computer or leave the field blank to have the Prestige automatically use its own IP address. Type a domain name (up to 31 characters) by which to identify this Prestige. E-mail Type an e-mail address (up to 31 characters) by which to identify this Prestige.
The two Prestiges in this example cannot complete their negotiation because Prestige B’s Local ID type is IP, but Prestige A’s Peer ID type is set to E-mail. An “ID mismatched” message displays in the IPSEC LOG.
The following table describes the fields in this screen. Table 17-7 VPN IKE LABEL DESCRIPTION IPSec Setup Active Select this check box to activate this VPN policy. Keep Alive Select either Yes or No from the drop-down list box. Select Yes to have the Prestige automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic.
Table 17-7 VPN IKE LABEL DESCRIPTION End / Subnet Mask When the Local Address Type field is configured to Single, enter the IP address in the IP Address Start field again here. When the Local Address Type field is configured to Range, enter the end (static) IP address, in a range of computers on the LAN behind your Prestige.
Table 17-7 VPN IKE LABEL DESCRIPTION When you select IP in the Local ID Type field, type the IP address of your computer or leave the field blank to have the Prestige automatically use its own IP address.
Table 17-7 VPN IKE LABEL DESCRIPTION Security Protocol VPN Protocol Select ESP if you want to use ESP (Encapsulating Security Payload). The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH.
17.10 IKE Phases There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and the second one uses that SA to negotiate SAs for IPSec.
17.10.1 Negotiation Mode The phase 1 Negotiation Mode you select determines how the Security Association (SA) will be established for each connection through IKE negotiations. Main Mode ensures the highest level of security when the communicating parties are negotiating authentication (phase 1).
Figure 17-5 VPN IKE: Advanced The following table describes the fields in this screen. Table 17-8 VPN IKE: Advanced LABEL DESCRIPTION VPN - IKE Protocol Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.
Table 17-8 VPN IKE: Advanced LABEL DESCRIPTION Enable Replay As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks.
Page 201
Prestige 652 Series User’s Guide Table 17-8 VPN IKE: Advanced LABEL DESCRIPTION Select DES or 3DES from the drop-down list box. When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to Encryption Algorithm generate and verify a message authentication code.
Prestige 652 Series User’s Guide Table 17-8 VPN IKE: Advanced LABEL DESCRIPTION Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and Authentication SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet Algorithm data. The SHA1 algorithm is generally considered stronger than MD5, but is slower.
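
The replay check described in the Enable Replay row can be pictured as the sliding-window test from RFC 2401 Appendix C, applied before and after the SHA1 integrity check. This is an added example, not ZyXEL's code or part of the original guide; the key, SPI, window size of 32 and the simplified packet layout are constructed assumptions.

```python
import hashlib
import hmac
import struct

WINDOW_SIZE = 32                    # assumed; 32 is the minimum RFC 2406 requires
AUTH_KEY = b"constructed-demo-key"  # constructed sample key, not a real secret
SPI = 0x1000                        # constructed sample SPI


def icv(key, spi, seq, payload):
    """HMAC-SHA1 truncated to 96 bits over SPI, sequence number and payload."""
    header = struct.pack("!II", spi, seq)
    return hmac.new(key, header + payload, hashlib.sha1).digest()[:12]


class ReplayWindow:
    """Receiver-side anti-replay state for one SA."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0      # highest authenticated sequence number so far
        self.bitmap = 0   # bit i set means sequence (top - i) was accepted

    def check(self, seq):
        """Classify a sequence number without changing any state."""
        if seq == 0:
            return "invalid"          # sequence numbers start at 1
        if seq > self.top:
            return "ok"               # newer than anything seen
        offset = self.top - seq
        if offset >= self.size:
            return "too_old"          # fell off the left edge of the window
        if (self.bitmap >> offset) & 1:
            return "replay"           # already accepted once
        return "ok"                   # late but inside the window

    def update(self, seq):
        """Record a sequence number; call only after the ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive(window, key, spi, seq, payload, tag):
    """Cheap window test first, then the ICV, then advance the window."""
    verdict = window.check(seq)
    if verdict != "ok":
        return verdict                # dropped without any HMAC work
    if not hmac.compare_digest(icv(key, spi, seq, payload), tag):
        return "bad_icv"              # forged packet must not move the window
    window.update(seq)
    return "accepted"


def make_packet(seq, forged=False):
    """Build a constructed sample packet as (seq, payload, tag)."""
    payload = b"data-%d" % seq
    tag = b"\x00" * 12 if forged else icv(AUTH_KEY, SPI, seq, payload)
    return seq, payload, tag


def demo():
    """Run constructed traffic through one window and return the verdicts."""
    window = ReplayWindow()
    traffic = [
        make_packet(1), make_packet(2), make_packet(4),
        make_packet(3),                 # out of order, still inside the window
        make_packet(2),                 # duplicate
        make_packet(500, forged=True),  # high sequence number, wrong ICV
        make_packet(40),                # jump forward, window slides
        make_packet(5),                 # now more than 32 behind
        make_packet(40),                # duplicate of the newest packet
    ]
    return [receive(window, AUTH_KEY, SPI, *pkt) for pkt in traffic]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Updating the window only after the ICV verifies is what keeps a forged packet with a large sequence number from pushing legitimate traffic out of the window.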

Current ZyXEL implementation assumes identical outgoing and incoming SPIs.

17.13 Configuring Manual Key
You only configure VPN Manual Key when you select Manual in the Key Management field on the VPN IKE screen. This is the VPN Manual Key screen as shown next.

Table 17-9 VPN Manual Setup
LABEL: DESCRIPTION
Active: Select this check box to activate this VPN policy.
Name: Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the Prestige drops trailing spaces.
Select IKE or Manual from the drop-down list box.
Remote Address Type: Use the drop-down menu to choose Single, Range, or Subnet. Select Single with a single IP address. Select Range for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
Encapsulation: Select DES, 3DES or NULL from the drop-down list box. When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code.

When there is outbound traffic but no inbound traffic, the SA times out automatically after two minutes. A tunnel with no outbound or inbound traffic is "idle" and does not timeout until the SA lifetime period expires. See section 17.6 on keep alive to have the Prestige renegotiate an IPSec SA when the SA lifetime expires, even if there is no traffic.

Table 17-10 SA Monitor
LABEL: DESCRIPTION
Refresh: Click Refresh to display the current active VPN connection(s).

17.15 Configuring Global Setting
To change your Prestige’s global settings, click VPN and then Global Setting. The screen appears as shown.
Figure 17-8 Global Setting
The following table describes the fields in this screen.

17.16 Telecommuter VPN/IPSec Examples
The following examples show how multiple telecommuters can make VPN connections to a single Prestige at headquarters from remote IPSec routers that use dynamic WAN IP addresses.

17.16.1 Telecommuters Sharing One VPN Rule Example
Multiple telecommuters can use one VPN rule to simultaneously access a Prestige at headquarters.
Figure 17-9 Telecommuters Sharing One VPN Rule Example

17.16.2 Telecommuters Using Unique VPN Rules Example
With aggressive negotiation mode (see section 17.10.1), the Prestige can use the ID types and contents to distinguish between VPN rules. Telecommuters can each use a separate VPN rule to simultaneously access a Prestige at headquarters.
Figure 17-10 Telecommuters Using Unique VPN Rules Example

17.17 VPN and Remote Management
If a VPN tunnel uses a remote management service port (Telnet, FTP, WWW, SNMP, DNS or ICMP) and terminates at the Prestige’s LAN or WAN port, configure remote management to allow access for that service.

Part VI: Remote Management, UPnP and Logs
This part contains information on how to configure the Prestige for remote management, setting up Universal Plug and Play (UPnP) and setting up and displaying logs.

Chapter 18 Remote Management Configuration
This chapter provides information on configuring remote management.

18.1 Remote Management Overview
Remote management allows you to determine which services/protocols can access which Prestige interface (if any) from which computers. When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.

6. There is a web remote management session running with a Telnet session. A Telnet session will be disconnected if you begin a web session; it will not begin if there already is a web session.

18.1.2 Remote Management and NAT
When NAT is enabled: Use the Prestige’s WAN IP address when configuring from the WAN.

18.4 Web
You can use the Prestige’s embedded web configurator for configuration and file management. See the online help for details.

18.5 Configuring Remote Management
Click Remote Management to open the following screen.
Figure 18-2 Remote Management
The following table describes the fields in this screen.

Table 18-1 Remote Management
LABEL: DESCRIPTION
Cancel: Click Cancel to begin configuring this screen afresh.

Chapter 19 Universal Plug-and-Play (UPnP)
This chapter introduces the UPnP feature in the web configurator.

19.1 Introducing Universal Plug and Play
Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.

UPnP if this is not your intention.

19.2 UPnP and ZyXEL
ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device). At the time of writing ZyXEL's UPnP implementation supports Windows Messenger 4.6 and 4.7 while Windows Messenger 5.0 and Xbox are still being tested.

Table 19-1 Configuring UPnP
LABEL: DESCRIPTION
Allow users to make configuration changes through UPnP: Select this check box to allow UPnP-enabled applications to automatically configure the Prestige so that they can communicate through the Prestige, for example by using NAT traversal, UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled device;...

Step 3. In the Communications window, select the Universal Plug and Play check box in the Components selection box.
Step 4. Click OK to go back to the Add/Remove Programs Properties window and click Next.
Step 5.

Step 5. In the Networking Services window, select the Universal Plug and Play check box.
Step 6. Click OK to go back to the Windows Optional Networking Component Wizard window and click Next.

19.4 Using UPnP in Windows XP Example
This section shows you how to use the UPnP feature in Windows XP.

Step 3. In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.
Step 4. You may edit or delete the port mappings or click Add to manually add port mappings.
When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.

Step 6. Double-click on the icon to display your current Internet connection status.

Web Configurator Easy Access
With UPnP, you can access the web-based configurator on the Prestige without finding out the IP address of the Prestige first.

Step 4. An icon with the description for each UPnP-enabled device displays under Local Network.
Step 5. Right-click on the icon for your Prestige and select Invoke. The web configurator login screen displays.
Step 6. Right-click on the icon for your Prestige and select Properties.

Chapter 20 Logs Screens
This chapter contains information about configuring general log settings and viewing the Prestige’s logs. Refer to the appendices for example log message explanations.

20.1 Logs Overview
The web configurator allows you to choose which categories of events and/or alerts to have the Prestige log and then display the logs or have the Prestige send them to an administrator (as e-mail) or to a syslog server.

Table 20-1 Log Settings
LABEL: DESCRIPTION
Address Info
Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.
Select the categories of logs that you want to record. Logs include alerts.
Send Immediate Alert: Select the categories of alerts for which you want the Prestige to instantly e-mail alerts to the e-mail address specified in the Send Alerts To field.

Table 20-2 View Logs
LABEL: DESCRIPTION
Message: This field states the reason for the log.
Source: This field lists the source IP address and the port number of the incoming packet.
Destination: This field lists the destination IP address and the port number of the incoming packet.
Note: This field displays additional information about the log entry.

Subject: Firewall Alert From Prestige
(You may edit the subject title.)
Date: Fri, 07 Apr 2000 10:05:42
(The date format here is Day-Month-Year.)
From: user@zyxel.com
user@zyxel.com
1|Apr 7 00 |From:192.168.1.1 To:192.168.1.255 |default policy |forward
(The date format here is Month-Day-Year.)

Chapter 21 Maintenance
This chapter displays system information such as ZyNOS firmware, port IP addresses and port traffic statistics.

21.1 Maintenance Overview
The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your Prestige.

Figure 21-1 System Status
The following table describes the fields in this screen.

Table 21-1 System Status
LABEL: DESCRIPTION
System Status
System Name: This is the name of your Prestige. It is for identification purposes.
ZyNOS Firmware Version: This is the ZyNOS firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design.
DSL FW Version: This is the DSL firmware version associated with your Prestige.

21.2.1 System Statistics
Click Show Statistics in the System Status screen to open the following screen. Read-only information here includes port status and packet specific statistics. Also provided are "system up time" and "poll interval(s)". The Poll Interval(s) field is configurable.

Table 21-2 System Status: Show Statistics
LABEL: DESCRIPTION
Transfer Rate: This is the transfer rate in kbps.
Upstream Speed: This is the upstream speed of your Prestige.
Downstream Speed: This is the downstream speed of your Prestige.
Node-Link: This field displays the remote node index number and link type.

21.3 DHCP Table Screen
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the Prestige as a DHCP server or disable it.

21.4.1 Association List
This screen displays the MAC address(es) of the wireless clients that are currently logged in to the network. Click Wireless LAN and then Association List to open the screen shown next.
Figure 21-4 Association List
The following table describes the fields in this screen.

Figure 21-5 Channel Usage Table
The following table describes the fields in this screen.

Table 21-5 Channel Usage Table
LABEL: DESCRIPTION
Channel: This is the index number of the channel.
IP Address: This field displays Yes if another AP or Ad-hoc network is using the channel within the Prestige’s transmission range.

Figure 21-6 Diagnostic General
The following table describes the fields in this screen.

Table 21-6 Diagnostic General
LABEL: DESCRIPTION
TCP/IP Address: Type the IP address of a computer that you want to ping in order to test a connection.
Ping: Click this button to ping the IP address that you entered.

21.5.2 Diagnostic DSL Line Screen
Click Diagnostic and then DSL Line to open the screen shown next.
Figure 21-7 Diagnostic DSL Line
The following table describes the fields in this screen.

Table 21-7 Diagnostic DSL Line
LABEL: DESCRIPTION
Reset ADSL...
Click this button to go back to the main Diagnostic screen.

21.6 Firmware Screen
Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a "*.bin" extension, e.g., "Prestige.bin". The upload process uses FTP (File Transfer Protocol) and may take up to two minutes.

Figure 21-8 Firmware Upgrade
The following table describes the fields in this screen.

Table 21-8 Firmware Upgrade
LABEL: DESCRIPTION
File Path: Type in the location of the file you want to upload in this field or click Browse ... to find it.
Browse...

Figure 21-9 Network Temporarily Disconnected
After two minutes, log in again and check your new firmware version in the System Status screen. If the upload was not successful, the following screen will appear. Click Back to go back to the Firmware screen.

Part VIII: SMT General Configuration
This part covers System Management Terminal configuration for general setup, WAN backup, LAN setup, wireless LAN setup, Internet access, remote node, static route, NAT and enabling the firewall. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.

Chapter 22 Introducing the SMT
This chapter explains how to access and navigate the System Management Terminal and gives an overview of its menus.

22.1 SMT Introduction
The Prestige’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection.

Please note that if there is no activity for longer than five minutes after you log in, your Prestige will automatically log you out.

Enter Password : ****

Figure 22-1 Login Screen

22.1.4 Prestige SMT Menu Overview
We use the Prestige 652HW-31 SMT menus in this guide as an example.

[Figure: Prestige 652HW Main Menu tree. Menu 1 General Setup, Menu 2 WAN Backup Setup, Menu 3 LAN Setup, Menu 4 Internet Access Setup, Menu 11 Remote Node Setup, Menu 12 Static Routing Setup, Menu 14 Dial-in User Setup, Menu 15 NAT Setup...]

Table 22-1 Main Menu Commands
OPERATION: KEYSTROKE: DESCRIPTION
Move down to another menu: [ENTER]: To move forward to a submenu, type in the number of the desired submenu and press [ENTER].
Move up to a: [ESC]: Press [ESC] to move back to the previous menu.

Table 22-2 Main Menu Summary
MENU TITLE: DESCRIPTION
Static Routing Setup: Use this menu to set up static routes.
Dial-in User Setup: Use this menu to set up local user profiles on the Prestige 652H/HW.
NAT Setup: Use this menu to specify inside servers when NAT is enabled.
System Security: Use this menu to set up wireless security (Prestige 652H/HW only) and change your password.
System Maintenance: This menu provides system status, diagnostics, software upload, etc.
IP Routing Policy Setup: Use this menu to configure your IP routing policy.

Chapter 23 Menu 1 General Setup
Menu 1 - General Setup contains administrative and system-related information.

23.1 General Setup
Menu 1 - General Setup contains administrative and system-related information (shown next). The System Name field is for identification purposes. However, because some ISPs check this name you should enter your computer's "Computer Name".

Domain Name: Enter the domain name (if you know it) here. If you leave this field blank, the ISP may assign a domain name via DHCP. You can go to menu 24.8 and type "sys domainname" to see the current domain name used by your gateway. (Example: zyxel.com.tw)

23.2.1 Procedure to Configure Dynamic DNS
If you have a private WAN IP address, then you cannot use Dynamic DNS.
Step 1. To configure Dynamic DNS, go to Menu 1 - General Setup and select Yes in the Edit Dynamic DNS field.

24.2 Dial Backup
To set up the auxiliary port (DIAL BACKUP on the Prestige 652 or AUX on the Prestige 652H/HW) for use in the event that the regular WAN connection is dropped, first make sure you have set up the port...

Menu 2 - Wan Backup Setup
Check Mechanism = DSL Link
Check WAN IP Address1 = 0.0.0.0
Check WAN IP Address2 = 0.0.0.0
Check WAN IP Address3 = 0.0.0.0
KeepAlive Fail Tolerance = 0
Recovery Interval(sec) = 0
ICMP Timeout(sec) = 0
Traffic Redirect = No
Dial Backup = No...

Table 24-1 Menu 2 WAN Backup Setup
FIELD: DESCRIPTION
Recovery Interval(sec): When the Prestige is using a lower priority connection (usually a WAN backup connection), it periodically checks whether or not it can use a higher priority connection.

The following table describes the fields in this menu.

Table 24-2 Menu 2.1 Traffic Redirect Setup
FIELD: DESCRIPTION
Active: Press [SPACE BAR] and select Yes (to enable) or No (to disable) traffic redirect setup. The default is No. When the Active field is Yes, you must configure every field in this screen unless you are using PPPoE encapsulation (except Check WAN IP Address and Timeout).

Menu 2.2 - Dial Backup Setup
Dial-Backup:
Active= No
Port Speed= 115200
AT Command String:
Init= at&fs0=0
Edit Advanced Setup= No
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.

Figure 24-3 Menu 2.2 Dial Backup Setup
The following table describes the fields in this menu.

24.5 Advanced Dial Backup Setup
Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands. To edit the advanced setup for the dial backup port, move the cursor to the Edit Advanced Setup field in Menu 2.2 Dial Backup Setup, press the [SPACE BAR] to select Yes and then press [ENTER].

Table 24-4 Menu 2.2.1 Advanced Dial Backup Setup: AT Commands Fields
FIELD: DESCRIPTION: EXAMPLE
Drop DTR When Hang: Press the [SPACE BAR] to choose either Yes or No. When Yes is selected (the default), the DTR (Data Terminal Ready) signal is dropped after the “AT Command String: Drop” ...

24.6 Remote Node Profile (Backup ISP)
Enter 8 in Menu 11 Remote Node Setup to open Menu 11.1 Remote Node Profile (Backup ISP) (shown below) and configure the setup for your dial backup port connection.

Menu 11.1 - Remote Node Profile (Backup ISP)
Rem Node Name= ?              Edit PPP Options= No...

Table 24-6 Menu 11.1 Remote Node Profile (Backup ISP)
FIELD: DESCRIPTION: EXAMPLE
Authen: This field sets the authentication protocol used for outgoing calls. Options for this field are: CHAP/PAP - Your Prestige will accept either CHAP or PAP when requested by this remote node. (Example: CHAP/PAP)
Nailed-Up Connection: Press [SPACE BAR] to select Yes to set this connection to always be on, regardless of whether or not there is any traffic. Select No to have this connection act as a dial-up connection. (Example: (default))

Figure 24-7 Menu 11.2 Remote Node PPP Options
FIELD: DESCRIPTION: EXAMPLE
Encapsulation: Press [SPACE BAR] and then [ENTER] to select CISCO PPP if your Dial Backup WAN device uses Cisco PPP encapsulation, otherwise select Standard PPP. (Example: Standard PPP (default))

Table 24-7 Menu 11.3 Remote Node Network Layer Options
FIELD: DESCRIPTION: EXAMPLE
Rem IP Subnet Mask: Leave this field set to 0.0.0.0 to have the ISP or other remote router dynamically send its subnet mask if you do not know it. Enter the remote gateway’s subnet mask here if you know it (static). (Example: 0.0.0.0 (default))

24.9 Editing Login Script
For some remote gateways, text login is required before PPP negotiation is started. The Prestige provides a script facility for this purpose. The script has six programmable sets; each set is composed of an ‘Expect’ string and a ‘Send’...

Menu 11.4 - Remote Node Script
Active= No
Set 1:                        Set 5:
  Expect=                       Expect=
  Send=                         Send=
Set 2:                        Set 6:
  Expect=                       Expect=
  Send=                         Send=
Set 3:
  Expect=
  Send=
Set 4:
  Expect=
  Send=
Enter here to CONFIRM or ESC to CANCEL:

Figure 24-9 Menu 11.4 Remote Node Setup Script
The following table describes the fields in this menu.

Menu 11.1 - Remote Node Profile (Backup ISP)
Rem Node Name= ?              Edit PPP Options= No
Active= Yes                   Rem IP Addr= ?
                              Edit IP= No
Outgoing:                     Edit Script Options= No
  My Login=
  My Password= ********       Telco Option:
  Authen= CHAP/PAP              Allocated Budget(min)= 0...

Chapter 25 Menu 3 LAN Setup
This chapter covers how to configure your wired Local Area Network (LAN) settings.

25.1 LAN Setup
This section describes how to configure the Ethernet using Menu 3 - LAN Setup. From the main menu, enter 3 to display menu 3.

25.2 Protocol Dependent Ethernet Setup
Depending on the protocols for your applications, you need to configure the respective Ethernet Setup, as outlined below. For TCP/IP Ethernet setup refer to the Internet Access Application chapter. For bridging Ethernet setup refer to the Bridging Setup chapter.

25.3 TCP/IP Ethernet Setup and DHCP
Use menu 3.2 to configure your Prestige for TCP/IP.

Table 25-1 DHCP Ethernet Setup Menu Fields
FIELD: DESCRIPTION: EXAMPLE
DHCP Setup
DHCP: If set to Server, your Prestige can assign IP addresses, an IP default gateway and DNS servers to Windows 95, Windows NT and other systems that support the DHCP client. (Example: Server)

Table 25-2 TCP/IP Ethernet Setup Menu Fields
FIELD: DESCRIPTION: EXAMPLE
Multicast: IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group. The Prestige supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2). Press the [SPACE BAR] to enable IP Multicasting or select None... (Example: None (default))

Wireless LAN Setup
This chapter covers how to configure wireless LAN settings in SMT menu 3.5. This chapter only applies to the Prestige 652H/HW.

26.1 Wireless LAN Overview
Refer to the chapter on the wireless LAN screens for wireless LAN background information.

Menu 3.5- Wireless LAN Setup
ESSID= Wireless
Hide ESSIS = No
Channel ID= CH01 2412MHz
RTS Threshold= 2432
Frag. Threshold= 2432
WEP= Disable
Default Key= N/A
Key1= N/A
Key2= N/A
Key3= N/A
Key4= N/A
Edit MAC Address Filter= No
Press ENTER to Confirm or ESC to Cancel:

Figure 26-1 Menu 3.5 - Wireless LAN Setup
The following table describes the fields in this menu.

Table 26-1 Menu 3.5 - Wireless LAN Setup
FIELD: DESCRIPTION: EXAMPLE
WEP (Wired Equivalent Privacy) provides data encryption to prevent wireless stations from accessing data transmitted over the wireless network. Select Disable to allow wireless stations to communicate with the access points without any data encryption. (Example: Disable)

Chapter 27 Internet Access
This chapter shows you how to configure the LAN and WAN of your Prestige for Internet access.

27.1 Internet Access Overview
Refer to the chapters on the web configurator’s wizard, LAN and WAN screens for more background information on fields in the SMT screens covered in this chapter.

Figure 27-1 Physical Network
Figure 27-2 Partitioned Logical Networks
Use menu 3.2.1 to configure IP Alias on your Prestige.

27.4 IP Alias Setup
Use menu 3.2 to configure the first network. Move the cursor to Edit IP Alias field and press [SPACEBAR] to choose Yes and press [ENTER] to configure the second and third network.

Menu 3.2 - TCP/IP and DHCP Setup
DHCP Setup:
DHCP= Server
Client IP Pool Starting Addres= 192.168.1.33
Size of Client IP Pool= 32
Primary DNS Server= 0.0.0.0
Secondary DNS Server= 0.0.0.0
Remote DHCP Server= N/A
TCP/IP Setup:
IP Address= 192.168.1.1
IP Subnet Mask= 255.255.255.0...

Table 27-1 Menu 3.2.1 IP Alias Setup
FIELD: DESCRIPTION: EXAMPLE
IP Alias: Choose Yes to configure the LAN network for the Prestige.
IP Address: Enter the IP address of your Prestige in dotted decimal notation. (Example: 192.168.2.1)
IP Subnet Mask: Your Prestige will automatically calculate the subnet mask based on... (Example: 255.255.255.0)

27.6 Internet Access Configuration
Menu 4 allows you to enter the Internet Access information in one screen. Menu 4 is actually a simplified setup for one of the remote nodes that you can access in menu 11. Before you configure your Prestige for Internet access, you need to collect your Internet account information.

Table 27-2 Menu 4 Internet Access Setup
FIELD: DESCRIPTION: EXAMPLE
Multiplexing: Press [SPACE BAR] to select the method of multiplexing used by your ISP. Choices are VC-based or LLC-based. (Example: LLC-based)
VPI #: Enter the Virtual Path Identifier (VPI) assigned to you.
VCI #: Enter the Virtual Channel Identifier (VCI) assigned to you.
Network Address Translation: Press [SPACE BAR] to select None, SUA Only or Full Feature. Please see the NAT Chapter for more details on the SUA (Single User Account) feature. (Example: SUA Only)

Chapter 28 Remote Node Configuration
This chapter covers remote node configuration.

28.1 Remote Node Setup Overview
This section describes the protocol-independent parameters for a remote node. A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection.

Menu 11 - Remote Node Setup
1. My ISP (ISP, SUA)
2. ________
3. ________
4. ________
5. ________
6. ________
7. ________
8. ________
Enter Node # to Edit:

Figure 28-1 Menu 11 Remote Node Setup

28.2.2 Encapsulation and Multiplexing Scenarios
For Internet access you should use the encapsulation and multiplexing methods used by your ISP.

Menu 11.1 - Remote Node Profile
Rem Node Name= ChangeMe       Route= IP
Active= Yes                   Bridge= No
Encapsulation= ENET ENCAP     Edit IP/Bridge= No
Multiplexing= LLC-based       Edit ATM Options= No
Service Name= N/A
Incoming:                     Telco Option:...
(Callout: Edit IP/Bridge Options in menu 11.3.)
(Callout: Edit ATM Options in ...)

Table 28-1 Menu 11.1 Remote Node Profile
FIELD: DESCRIPTION: EXAMPLE
Rem Login: Type the login name that this remote node will use to call your Prestige. The login name and the Rem Password will be used to authenticate this node.
(min): default for this field is 0 meaning no budget control.
Period (hr): This field is the time period that the budget should be reset. For example, if we are allowed to call this remote node for a maximum of 10 minutes every hour, then the Allocated Budget is (10 minutes) and the Period (hr) is 1 (hour).

28.3 Remote Node Network Layer Options
For the TCP/IP parameters, perform the following steps to edit Menu 11.3 – Remote Node Network Layer Options as shown next.
Step 1. In menu 11.1, make sure IP is among the protocols in the Route field.
Step 2.

Table 28-2 Menu 11.3 Remote Node Network Layer Options
FIELD: DESCRIPTION: EXAMPLE
My WAN Addr: Some implementations, especially UNIX derivatives, require separate IP network numbers for the WAN and LAN links and each end to have a unique address within the WAN network number.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen.

28.3.1 My WAN Addr Sample IP Addresses
The following figure uses sample IP addresses to help you understand the field of My WAN Addr in menu 11.3.

Use Menu 11.5 – Remote Node Filter to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the Prestige and also to prevent certain packets from triggering calls. You can specify up to 4 filter sets separated by comma, for example, 1, 5, 9, 12, in each filter field.

There are two versions of menu 11.6 for the Prestige, depending on whether you chose VC-based/LLC-based multiplexing and PPP encapsulation in menu 11.1.

28.5.1 VC-based Multiplexing (non-PPP Encapsulation)
For VC-based multiplexing, by prior agreement, a protocol is assigned a specific virtual circuit, for example, VC1 will carry IP.

In this case, only one set of VPI and VCI numbers need be specified for all protocols. The valid range for the VPI is 0 to 255 and for the VCI is 32 to 65535 (1 to 31 is reserved for local management of ATM traffic).

Table 28-3 Menu 11.8 Advance Setup Options
FIELD: DESCRIPTION
PPPoE+ PPPoE_Client_PC: Press [SPACE BAR] to select Yes and press [ENTER] to enable PPPoE pass through. In addition to the Prestige's built-in PPPoE client, you can enable PPPoE pass through to allow up to ten hosts on the LAN to use PPPoE client software on their computers to connect to the ISP via the Prestige.

Chapter 29 Static Route Setup
This chapter shows how to set up IP static routes.

29.1 IP Static Route Overview
Static routes tell the Prestige routing information that it cannot learn automatically through other means. This can arise in cases where RIP is disabled on the LAN or a remote network is beyond the one that is directly connected to a remote node.

29.2 Configuration
Step 1. To configure an IP static route, use Menu 12 – Static Route Setup (shown next).

Menu 12 - Static Route Setup
1. IP Static Route
3. Bridge Static Route
Please enter selection:

Figure 29-2 Menu 12 Static Route Setup
Step 2.

Menu 12.1.1 - Edit IP Static Route
Route #: 1
Route Name= ?
Active= No
Destination IP Address= ?
IP Subnet Mask= ?
Gateway IP Address= ?
Metric= 2
Private= No
Press ENTER to Confirm or ESC to Cancel:

Figure 29-4 Menu 12.1.1 Edit IP Static Route
The following table describes the fields for Menu 12.1.1 –...

Table 29-1 Menu 12.1.1 Edit IP Static Route
FIELD: DESCRIPTION
Private: This parameter determines if the Prestige will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and is not included in RIP broadcasts.
Prestige 652 Series User’s Guide Chapter 30 Bridging Setup This chapter shows you how to configure the bridging parameters of your Prestige. 30.1 Bridging in General Bridging bases the forwarding decision on the MAC (Media Access Control), or hardware address, while routing does it on the network layer (IP) address.
Table 30-1 Remote Node Network Layer Options : Bridge Fields
FIELD: Bridge (menu 11.1)
DESCRIPTION: Make sure this field is set to Yes.
FIELD: Edit IP/Bridge (menu 11.1)
DESCRIPTION: Press [SPACE BAR] to select Yes and press [ENTER] to display menu 11.3.
FIELD: Ethernet Addr Timeout
DESCRIPTION: Type the time (in minutes) for the Prestige to retain the Ethernet Address...
Prestige 652 Series User’s Guide FIELD DESCRIPTION Active Indicates whether the static route is active (Yes) or not (No). Ether Address Type the MAC address of the destination computer that you want to bridge the packets to. IP Address If available, type the IP address of the destination computer that you want to bridge the packets to.
Prestige 652 Series User’s Guide Chapter 31 Network Address Translation (NAT) This chapter discusses how to configure NAT on the Prestige. 31.1 Using NAT You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the Prestige. 31.1.1 SUA (Single User Account) Versus NAT SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
Prestige 652 Series User’s Guide Menu 11.3 - Remote Node Network Layer Options IP Options: Bridge Options: IP Address Assignment = Dynamic Ethernet Addr Timeout(min)= N/A Rem IP Addr = 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= N/A NAT= SUA Only Address Mapping Set= N/A Metric= 2 Private= No...
Prestige 652 Series User’s Guide The server set is a list of LAN and DMZ servers mapped to external ports. To use this set, a server rule must be set up inside the NAT address mapping set. Please see the section on port forwarding in the chapter on NAT web configurator screens for further information on these menus.
Prestige 652 Series User’s Guide Menu 15.1.255 - Address Mapping Rules Set Name= Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- --------------- ------ 0.0.0.0 255.255.255.255 0.0.0.0 0.0.0.0 Server Press ENTER to Confirm or ESC to Cancel: Figure 31-5 Menu 15.1.255 SUA Address Mapping Rules The following table explains the fields in this menu.
Prestige 652 Series User’s Guide Table 31-2 SUA Address Mapping Rules FIELD DESCRIPTION EXAMPLE When you have completed this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen. User-Defined Address Mapping Sets Now let’s look at option 1 in menu 15.1.
up by that number of empty rules. For example, if you have already configured rules 1 to 6 in your current set and now you configure rule number 9, the new rule will be rule 7, not 9, in the set summary screen. Now if you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so that old rule 5 becomes rule 4, old rule 6 becomes rule 5 and old rule 7 becomes rule 6.
Prestige 652 Series User’s Guide Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= = N/A Global IP: Start= = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. Figure 31-7 Menu 15.1.1.1 Editing/Configuring an Individual Rule in a Set The following table explains the fields in this menu.
Table 31-4 Menu 15.1.1.1 Editing/Configuring an Individual Rule in a Set
FIELD: Server Mapping Set
DESCRIPTION: Only available when Type is set to Server. Type a number from 1 to 10 to choose a server set from menu 15.2.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel”...
Prestige 652 Series User’s Guide Menu 15.2.1 - NAT Server Setup Rule Start Port No. End Port No. IP Address --------------------------------------------------- Default Default 0.0.0.0 192.168.1.33 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Press ENTER to Confirm or ESC to Cancel: Figure 31-9 Menu 15.2.1 NAT Server Setup Step 8.
Prestige 652 Series User’s Guide Figure 31-10 Multiple Servers Behind NAT Example 31.5 General NAT Examples The following are some examples of NAT configuration. 31.5.1 Example 1: Internet Access Only In the following Internet access example, you only need one rule where your ILAs (Inside Local addresses) all map to one dynamic IGA (Inside Global Address) assigned by your ISP.
Prestige 652 Series User’s Guide 31.5.2 Example 2: Internet Access with an Inside Server Figure 31-13 NAT Example 2 In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2 to specify the Inside Server behind the NAT as shown in the next figure. Menu 15.2.1 - NAT Server Setup (Used for SUA Only) Rule Start Port No.
Prestige 652 Series User’s Guide 31.5.3 Example 3: Multiple Public IP Addresses With Inside Servers In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server. All departments share the same router. The example will reserve one IGA for each department with an FTP server and all departments use the other IGA.
Prestige 652 Series User’s Guide Step 1. In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.3) in Figure 31-16. Step 2.
Prestige 652 Series User’s Guide Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= 192.168.1.10 = N/A Global IP: Start= 10.132.50.1 = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. Figure 31-17 Example 3: Menu 15.1.1.1 Menu 15.1.1 - Address Mapping Rules Set Name= Example3...
Prestige 652 Series User’s Guide Menu 15.2.1 - NAT Server Setup Rule Start Port No. End Port No. IP Address --------------------------------------------------- Default Default 0.0.0.0 192.168.1.21 192.168.1.20 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Press ENTER to Confirm or ESC to Cancel: Example 3: Menu 15.2.1 31.5.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation.
Prestige 652 Series User’s Guide Other applications such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream. These applications won’t work through NAT even when using One-to-One and Many-to-Many No Overload mapping types. Follow the steps outlined in example 3 to configure these two menus as follows.
Prestige 652 Series User’s Guide Chapter 32 Enabling the Firewall This chapter shows you how to get started with the Prestige firewall. 32.1 Remote Management and the Firewall When SMT menu 24.11 is configured to allow management (see the Remote Management chapter) and the firewall is enabled: •...
Prestige 652 Series User’s Guide Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DOS) attacks when it is active. The default Policy sets 1. allow all sessions originating from the LAN to the WAN and 2. deny all sessions originating from the WAN to the LAN You may define additional Policy rules or modify existing ones but please exercise extreme caution in doing so Active: Yes...
SMT Advanced Management Part IX: SMT Advanced Management This part discusses filtering setup, SNMP, system security, system information and diagnosis, firmware and configuration file maintenance, system maintenance, remote management, IP Policy Routing and call scheduling. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
Prestige 652 Series User’s Guide Chapter 33 Filter Configuration This chapter shows you how to create and apply filters. 33.1 About Filtering Your Prestige uses filters to decide whether or not to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering.
[Figure: outgoing packet filtering process. Stages: active data filters, built-in default call filters, user-defined call filters (if applicable). A match at a stage drops the packet; otherwise the Prestige initiates the call if the line is not up, sends the packet and resets the idle timer...]
[Figure: filter rule process flowchart. Boxes: Start, Packet into Filter; Fetch First Filter Set; Fetch First Filter Rule; Active?; Execute Filter Rule (outcomes: Forward, Drop, Check Next Rule); Next Filter Rule Available?; Fetch Next Filter Rule; Next Filter Set Available?; Fetch Next Filter Set...]
NetBIOS, into a single set and give it a descriptive name. You can configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. 33.2 Configuring a Filter Set for the Prestige 652H/HW To configure a filter set, follow the steps shown next.
Menu 21.1.2 - Filter Rules Summary
# A Type Filter Rules                                                     M m n
- - ---- --------------------------------------------------------------- - - -
1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=137                            N D N
2 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=138                            N D N
3 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=139...
Prestige 652 Series User’s Guide 33.3 Configuring a Filter Set for the Prestige 652 To configure a filter set, follow the steps shown next. Step 1. Enter 21 in the main menu to display Menu 21 – Filter and Firewall Setup. Step 2.
Menu 21.1.4 - Filter Rules Summary
# A Type Filter Rules                                                     M m n
- - ---- --------------------------------------------------------------- - - -
1 Y Gen  Off=12, Len=2, Mask=ffff, Value=8863                            N F N
2 Y Gen  Off=12, Len=2, Mask=ffff, Value=8864                            N F D
Enter Filter Rule Number (1-6) to Configure:
Figure 33-8 PPPoE Filter Rules Summary (P652)
Prestige 652 Series User’s Guide Table 33-1 Abbreviations Used in the Filter Rules Summary Menu FIELD DESCRIPTION More. “Y” means there are more rules to check which form a rule chain with the present rule. An action cannot be taken until the rule chain is complete. “N”...
Prestige 652 Series User’s Guide There are two types of filter rules: TCP/IP and Generic. Depending on the type of rule, the parameters for each type will be different. Use [SPACE BAR] to select the type of rule that you want to create in the Filter Type field and press [ENTER] to open the respective menu.
Table 33-3 Menu 21.1.x.1 TCP/IP Filter Rule
FIELD: Filter #
DESCRIPTION: This is the filter set and filter rule coordinates; for instance, 2, 3 refers to the second filter set and the third filter rule of that set.
Prestige 652 Series User’s Guide Table 33-3 Menu 21.1.x.1 TCP/IP Filter Rule FIELD DESCRIPTION EXAMPLE TCP Estab This applies only when the IP Protocol field is 6, TCP. If Yes, the rule matches packets that want to establish TCP (default) connection(s) (SYN=1 and ACK=0);...
[Figure: IP filter logic flowchart. Steps in order: Packet into IP Filter; Filter Active?; Apply SrcAddrMask to Src Addr; Check Src IP Addr (Matched / Not Matched); Apply DestAddrMask to Dest Addr; Check Dest IP Addr (Matched / Not Matched); Check IP Protocol (Matched / Not Matched); Check Src &...]
Prestige 652 Series User’s Guide 33.5.2 Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the Prestige treats a packet as a byte stream as opposed to an IP packet.
Table 33-4 Menu 21.1.5.1 Generic Filter Rule
FIELD: Filter #
DESCRIPTION: This is the filter set and filter rule coordinates; for instance, 2, 3 refers to the second filter set and the third rule of that set.
FIELD: Filter Type
DESCRIPTION: Press [SPACE BAR] and then [ENTER] to select a type of rule....
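The generic-rule fields (Off, Len, Mask, Value) and the M/m/n columns of the Filter Rules Summary can be exercised off the device. The following Python code is an added example, not ZyXEL code: it parses the two PPPoE summary lines shown in this chapter, treats each frame as a byte stream and walks the rule chain, and it goes one step beyond the manual's case by also evaluating a constructed two-rule chain. It assumes that m and n are the actions on match and on no match (F = forward, D = drop, N = check next rule), that rules joined by M = Y must all match, and that a packet no rule disposes of is forwarded; all function names and sample frames are constructed for the illustration.

```python
import re
from dataclasses import dataclass

FORWARD, DROP, NEXT = "F", "D", "N"

# One "Gen" line of a Filter Rules Summary menu: "# A Type <fields> M m n".
SUMMARY_RE = re.compile(
    r"^\s*(\d+)\s+([YN])\s+Gen\s+Off=(\d+),\s*Len=(\d+),\s*"
    r"Mask=([0-9a-fA-F]+),\s*Value=([0-9a-fA-F]+)\s+([YN])\s+([FDN])\s+([FDN])\s*$"
)


@dataclass(frozen=True)
class GenericRule:
    number: int
    active: bool    # A column
    offset: int     # Off=: byte offset into the packet
    length: int     # Len=: number of bytes compared
    mask: bytes     # Mask=: ANDed with the packet bytes before comparing
    value: bytes    # Value=: expected result after masking
    more: bool      # M column: Y chains this rule to the next one
    on_match: str   # m column (assumed: action when the rule matches)
    on_miss: str    # n column (assumed: action when it does not)

    def matches(self, packet: bytes) -> bool:
        field = packet[self.offset:self.offset + self.length]
        if len(field) != self.length:
            return False  # packet too short to contain the field
        return bytes(b & m for b, m in zip(field, self.mask)) == self.value


def parse_summary_line(line: str) -> GenericRule:
    hit = SUMMARY_RE.match(line)
    if hit is None:
        raise ValueError(f"not a generic filter summary line: {line!r}")
    num, act, off, length, mask, value, more, m, n = hit.groups()
    mask_b, value_b = bytes.fromhex(mask), bytes.fromhex(value)
    if len(mask_b) != int(length) or len(value_b) != int(length):
        raise ValueError("Mask and Value must each be Len bytes long")
    return GenericRule(int(num), act == "Y", int(off), int(length),
                       mask_b, value_b, more == "Y", m, n)


def evaluate(rules, packet: bytes, default: str = FORWARD) -> str:
    """Walk one filter set; return FORWARD or DROP for this packet."""
    chain_matched = True
    for rule in rules:
        if not rule.active:
            continue
        chain_matched = chain_matched and rule.matches(packet)
        if rule.more:
            continue  # chain not complete yet, no action can be taken
        action = rule.on_match if chain_matched else rule.on_miss
        chain_matched = True  # the next rule starts a new chain
        if action != NEXT:
            return action
    return default  # assumed: nothing disposed of the packet, so forward it


def ethernet_frame(ethertype: int, payload: bytes = b"") -> bytes:
    """Constructed frame: zeroed MAC addresses, EtherType, then payload."""
    return bytes(12) + ethertype.to_bytes(2, "big") + payload


def ipv4_header(protocol: int) -> bytes:
    """Constructed 20-byte IPv4 header with only version/IHL and protocol set."""
    header = bytearray(20)
    header[0], header[9] = 0x45, protocol
    return bytes(header)


# Rule lines as shown in the PPPoE Filter Rules Summary (menu 21.1.4).
PPPOE_SET = [parse_summary_line(text) for text in (
    "1 Y Gen Off=12, Len=2, Mask=ffff, Value=8863 N F N",
    "2 Y Gen Off=12, Len=2, Mask=ffff, Value=8864 N F D",
)]

# Constructed chain (not from the manual): drop IPv4 frames that carry TCP.
TCP_CHAIN = [parse_summary_line(text) for text in (
    "1 Y Gen Off=12, Len=2, Mask=ffff, Value=0800 Y N N",
    "2 Y Gen Off=23, Len=1, Mask=ff, Value=06 N D F",
)]

if __name__ == "__main__":
    for name, frame in (("PPPoE discovery", ethernet_frame(0x8863)),
                        ("PPPoE session", ethernet_frame(0x8864)),
                        ("IPv4", ethernet_frame(0x0800, ipv4_header(6)))):
        print(f"{name:16} -> {evaluate(PPPOE_SET, frame)}")
```

With the PPPoE set applied, only frames whose EtherType at offset 12 is 8863 or 8864 are forwarded; every other frame, including one too short to hold the field, falls through to the final n = D and is dropped.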
33.6 Filter Types and NAT
There are two classes of filter rules, Generic Filter (Device) rules and Protocol Filter (TCP/IP) rules. Generic Filter rules act on the raw data from/to LAN and WAN. Protocol Filter rules act on IP packets. When NAT (Network Address Translation) is enabled, the inside IP address and port number are replaced on a connection-by-connection basis, which makes it impossible to know the exact address and port on the wire.
Prestige 652 Series User’s Guide Figure 33-14 Sample Telnet Filter Step 1. Enter 1 in the menu 21 to display Menu 21.1 — Filter Set Configuration. Step 2. Enter the index number of the filter set you want to configure (in this case 6) Step 3.
Step 4. Press [ENTER] at the message “Press [ENTER] to confirm or [ESC] to cancel” to open Menu 21.1.6 — Filter Rules Summary.
Step 5. Type 1 to configure the first filter rule. Make the entries in this menu as shown next. When you press [ENTER] to confirm, the following screen appears.
Menu 21.1.6 - Filter Rules Summary
# A Type Filter Rules                                                     M m n
- - ---- --------------------------------------------------------------- - - -
1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23                             N D F
Enter Filter Rule Number (1-6) to Configure: 1
This shows you that you have
M = N means an action can be taken immediately.
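The Telnet rule in this summary (Pr=6, DP=23, m = D, n = F) can be traced through the checks of the IP filter logic flowchart: apply the address mask, check the source address, check the destination address, check the protocol, check the ports. The Python code below is an added example, not ZyXEL code; it reports which check a packet fails first, which is the quickest way to see why a rule did or did not fire. It assumes an address mask of 0.0.0.0 where the summary shows SA/DA 0.0.0.0, that protocol 0 and port 0 mean "any", and an Equal port comparison; the class names, the subnet-limited variant and all packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

FORWARD, DROP, NEXT = "F", "D", "N"


def _to_int(address: str) -> int:
    return int(ipaddress.IPv4Address(address))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class IpRule:
    protocol: int                # Pr= (assumed: 0 means any protocol)
    dst_port: int                # DP= (assumed: 0 means any port)
    on_match: str                # m column
    on_miss: str                 # n column
    src_addr: str = "0.0.0.0"    # SA=
    src_mask: str = "0.0.0.0"    # assumed; the summary line shows no masks
    dst_addr: str = "0.0.0.0"    # DA=
    dst_mask: str = "0.0.0.0"    # assumed, as above
    src_port: int = 0            # assumed: 0 means any port
    active: bool = True          # A column


def first_failed_check(rule: IpRule, pkt: Packet) -> Optional[str]:
    """Run the flowchart checks in order; None means every check matched."""
    if not rule.active:
        return "Filter Active?"
    # A 0.0.0.0 mask zeroes the packet address, so SA/DA 0.0.0.0 matches any host.
    if (_to_int(pkt.src) & _to_int(rule.src_mask)) != _to_int(rule.src_addr):
        return "Check Src IP Addr"
    if (_to_int(pkt.dst) & _to_int(rule.dst_mask)) != _to_int(rule.dst_addr):
        return "Check Dest IP Addr"
    if rule.protocol not in (0, pkt.protocol):
        return "Check IP Protocol"
    if (rule.src_port not in (0, pkt.src_port)
            or rule.dst_port not in (0, pkt.dst_port)):
        return "Check Src & Dest Port"
    return None


def decide(rule: IpRule, pkt: Packet) -> str:
    """Return the rule's action for this packet: F, D or N (check next rule)."""
    failed = first_failed_check(rule, pkt)
    if failed == "Filter Active?":
        return NEXT  # an inactive rule is skipped
    return rule.on_match if failed is None else rule.on_miss


# The rule from the summary: "1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23  N D F".
TELNET_RULE = IpRule(protocol=6, dst_port=23, on_match=DROP, on_miss=FORWARD)

# Constructed variant: the same rule limited to one source subnet.
SUBNET_RULE = IpRule(protocol=6, dst_port=23, on_match=DROP, on_miss=FORWARD,
                     src_addr="198.51.100.0", src_mask="255.255.255.0")

if __name__ == "__main__":
    samples = [  # constructed packets (documentation address ranges)
        Packet("203.0.113.7", "192.168.1.1", 6, 40000, 23),
        Packet("203.0.113.7", "192.168.1.1", 6, 40000, 80),
        Packet("203.0.113.7", "192.168.1.1", 17, 40000, 23),
    ]
    for pkt in samples:
        print(pkt, decide(TELNET_RULE, pkt), first_failed_check(TELNET_RULE, pkt))
```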
Prestige 652 Series User’s Guide Table 33-5 Filter Sets Table FILTER SETS DESCRIPTION Input Filter Sets: Apply filters for incoming traffic. You may apply protocol or device filter rules. See earlier in this chapter for information on filters. Output Filter Sets: Apply filters for traffic leaving the Prestige.
Prestige 652 Series User’s Guide Chapter 34 SNMP Configuration This chapter explains SNMP Configuration menu 22. 34.1 About SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Prestige supports SNMP agent functionality, which allows a manager station to manage and monitor the Prestige through the network.
Trap - Used by the agent to inform the manager of some events.
34.2 Supported MIBs
The Prestige supports RFC-1215 and MIB II as defined in RFC-1213 as well as ZyXEL private MIBs. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.
Prestige 652 Series User’s Guide Menu 22 - SNMP Configuration SNMP: Get Community= public Set Community= public Trusted Host= 0.0.0.0 Trap: Community= public Destination= 0.0.0.0 Press ENTER to Confirm or ESC to Cancel: Figure 34-2 Menu 22 SNMP Configuration The following table describes the SNMP configuration parameters. Table 34-1 Menu 22 SNMP Configuration FIELD DESCRIPTION...
RFC-1215): A trap is sent to the manager when receiving any SNMP get or set requests with the wrong community (password).
whyReboot (defined in ZYXEL-MIB): A trap is sent with the reason of restart before rebooting when the system is going to restart (warm start).
Prestige 652 Series User’s Guide Chapter 35 System Security This chapter describes how to configure the system security on the Prestige. This chapter only applies to the P652H/HW. 35.1 System Security You can configure the system password, an external RADIUS server and IEEE802.1x in menu 23. 35.1.1 System Password Enter 23 in the main menu to display Menu 23 –...
Prestige 652 Series User’s Guide Menu 23.2 - System Security - RADIUS Server Authentication Server: Active= No Server Address= 10.11.12.13 Port #= 1812 Shared Secret= ******** Accounting Server: Active= No Server Address= 10.11.12.13 Port #= 1813 Shared Secret= ******** Press ENTER to Confirm or ESC to Cancel: Figure 35-3 Menu 23.2 System Security : RADIUS Server The following table describes the fields in this menu.
Table 35-1 Menu 23.2 System Security : RADIUS Server
FIELD: Port (EXAMPLE: 1813)
DESCRIPTION: The default port of the RADIUS server for accounting is 1813. You need not change this value unless your network administrator instructs you to do so with additional information.
FIELD: Shared Secret
DESCRIPTION: Specify a password (up to 31 alphanumeric characters) as the key to be shared between the external accounting server and the...
Prestige 652 Series User’s Guide Menu 23.4 - System Security - IEEE802.1x Wireless Port Control= Authentication Required ReAuthentication Timer (in second)= 1800 Idle Timeout (in second)= 3600 Authentication Databases= Local User Database Only Press ENTER to Confirm or ESC to Cancel: Figure 35-5 Menu 23.4 System Security : IEEE802.1x The following table describes the fields in this menu.
Table 35-2 Menu 23.4 System Security : IEEE802.1x
FIELD: Authentication Databases
DESCRIPTION: This field is activated only when you select Authentication Required in the Wireless Port Control field. The authentication database contains wireless station login information. The local user database is the built-in database on the Prestige....
Prestige 652 Series User’s Guide Chapter 36 System Information and Diagnosis This chapter covers the information and diagnostic tools in SMT menus 24.1 to 24.4. These tools include updates on system status, port status, log and trace capabilities and upgrades for the system software.
Prestige 652 Series User’s Guide Menu 24.1 - System Maintenance – Status hh:mm:ss Sat. Jan. 01, 2000 Up Time Node-Lnk Status TxPkts RxPkts Errors Tx B/s Rx B/s 1-ENET 0:26:20 0:00:00 0:00:00 0:00:00 0:00:00 0:00:00 0:00:00 0:00:00 My WAN IP (from ISP) : Ethernet: WAN: Status: 10M/Half Duplex...
Prestige 652 Series User’s Guide Table 36-1 Menu 24.1 System Maintenance : Status FIELD DESCRIPTION Status This shows the current status of the LAN. Tx Pkts This is the number of transmitted packets to the LAN. Rx Pkts This is the number of received packets from the LAN. Collision This is the number of collisions.
Menu 1 – General Setup. Routing Refers to the routing protocol used. ZyNOS F/W Version Refers to the ZyNOS (ZyXEL Network Operating System) system firmware version. ZyNOS is a registered trademark of ZyXEL Communications Corporation. ADSL Chipset Vendor Displays the vendor of the ADSL chipset and DSL version.
Prestige 652 Series User’s Guide 36.2.2 Console Port Speed You can set up different port speeds for the console port through Menu 24.2.2 – System Maintenance – Console Port Speed. Your Prestige supports 9600 (default), 19200, 38400, 57600 and 115200 bps. Press [SPACE BAR] and then [ENTER] to select the desired speed in menu 24.2.2, as shown in the following figure.
Prestige 652 Series User’s Guide Step 3. Enter 1 from Menu 24.3 — System Maintenance — Log and Trace to display the error log in the system. After the Prestige finishes displaying the error log, you will have the option to clear it. Samples of typical error and information messages are presented in the next figure.
Prestige 652 Series User’s Guide The following table describes the diagnostic tests available in menu 24.4 for and the connections. Table 36-4 Menu 24.4 System Maintenance Menu : Diagnostic FIELD DESCRIPTION Reset xDSL Re-initialize the xDSL link to the telephone company. Ping Host Ping the host to see if the links and TCP/IP protocol on both systems are working.
The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc. It arrives from ZyXEL with a “rom” filename extension. Once you have customized the Prestige's settings, they can be saved back to your computer under a filename of your choosing.
Table 37-1 Filename Conventions
FILE TYPE: Configuration File
INTERNAL NAME: Rom-0
EXTERNAL NAME: *.rom
DESCRIPTION: This is the configuration filename on the Prestige. Uploading the rom-0 file replaces the entire ROM file system, including your Prestige configurations, system-related data (including the default password), the error log and the trace log.
Prestige 652 Series User’s Guide 37.2.1 Backup Configuration Follow the instructions as shown in the next screen. Menu 24.5 - System Maintenance - Backup Configuration To transfer the configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2.
331 Enter PASS command
Password:
230 Logged in
ftp> bin
200 Type I OK
ftp> get rom-0 zyxel.rom
200 Port command okay
150 Opening data connection for STOR ras
226 File received OK
ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec....
Prestige 652 Series User’s Guide 3. The IP address in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the Prestige will disconnect the Telnet session immediately. 4. You have an SMT console session running. 37.2.6 Backup Configuration Using TFTP The Prestige supports the up/downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over LAN.
Prestige 652 Series User’s Guide 37.2.8 GUI-based TFTP Clients The following table describes some of the fields that you may see in GUI-based TFTP clients. Table 37-3 General Commands for GUI-based TFTP Clients COMMAND DESCRIPTION Host Enter the IP address of the Prestige. 192.168.1.1 is the Prestige’s default IP address when shipped.
Prestige 652 Series User’s Guide Step 3. Run the HyperTerminal program by clicking Transfer, then Receive File as shown in the following screen. Type a location for storing the configuration file or click Browse to look for one. Choose the Xmodem protocol. Then click Receive.
Prestige 652 Series User’s Guide WARNING! DO NOT INTERRUPT THE FILE TRANSFER PROCESS AS THIS MAY PERMANENTLY DAMAGE YOUR PRESTIGE. 37.3.1 Restore Using FTP For details about backup using (T)FTP please refer to earlier sections on FTP and TFTP file upload in this chapter.
37.3.2 Restore Using FTP Session Example
ftp> put config.rom rom-0
200 Port command okay
150 Opening data connection for STOR rom-0
226 File received OK
221 Goodbye for writing flash
ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
ftp>quit
Figure 37-8 Restore Using FTP Session Example
Refer to section 37.2.5 to read about configurations that disallow TFTP and FTP over WAN.
Prestige 652 Series User’s Guide Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. Figure 37-11 Restore Configuration Example Step 4. After a successful restoration you will see the following screen. Press any key to restart the Prestige and return to the SMT menu.
Prestige 652 Series User’s Guide Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your system. Then type "root" and SMT password as requested.
Prestige 652 Series User’s Guide 37.4.3 FTP File Upload Command from the DOS Prompt Example Step 1. Launch the FTP client on your computer. Step 2. Enter “open”, followed by a space and the IP address of your Prestige. Step 3. Press [ENTER] when prompted for a username.
Prestige 652 Series User’s Guide To use TFTP, your computer must have both telnet and TFTP clients. To transfer the firmware and the configuration file, follow the procedure shown next. Step 1. Use telnet from your computer to connect to the Prestige and log in. Because TFTP does not have any security checks, the Prestige records the IP address of the telnet client and accepts TFTP requests only from this address.
Prestige 652 Series User’s Guide 37.4.8 Uploading Firmware File Via Console Port Step 1. Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.1 – System Maintenance – Upload System Firmware, then follow the instructions as shown in the following screen.
Prestige 652 Series User’s Guide 37.4.10 Uploading Configuration File Via Console Port Step 1. Select 2 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.2 – System Maintenance – Upload System Configuration File. Follow the instructions as shown in the next screen.
Prestige 652 Series User’s Guide Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. Figure 37-19 Example Xmodem Upload After the configuration upload process has completed, restart the Prestige by entering “atgo”. 37-16 Firmware and Configuration File Maintenance...
SMT, while adding some low-level setup and diagnostic functions. Enter the CI from the SMT by selecting menu 24.8. See the included disk or the zyxel.com web site for more detailed information on CI commands. Enter 8 from Menu 24 — System Maintenance. A list of valid commands can be found by typing help or ? at the command prompt.
Prestige 652 Series User’s Guide Copyright (c) 1994 - 2003 ZyXEL Communications Corp. ras> ? Valid commands are: exit device ether config bridge hdap show ras> Figure 38-2 Valid Commands 38.2 Call Control Support Call Control Support is only applicable when Encapsulation is set to PPPoE in menu 4 or menu 11.1.
Prestige 652 Series User’s Guide Menu 24.9.1 - System Maintenance - Budget Management Remote Node Connection Time/Total Budget Elapsed Time/Total Period 1.ChangeMe No Budget No Budget 2.-------- 3.-------- 4.-------- 5.-------- 6.-------- 7.-------- 8.-------- Reset Node (0 to update screen): Figure 38-4 Menu 24.9.1 System Maintenance : Budget Management The total budget is the time limit on the accumulated time for outgoing calls to a remote node.
Prestige 652 Series User’s Guide 38.3 Time and Date Setting The Prestige keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server when you turn on your Prestige. Menu 24.10 allows you to update the time and date settings of your Prestige.
Table 38-2 Menu 24.10 System Maintenance: Time and Date Setting
FIELD: Use Time Server when Bootup
DESCRIPTION: Enter the time service protocol that your time server sends when you turn on the Prestige. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
Prestige 652 Series User’s Guide Chapter 39 Remote Management This chapter covers remote management (SMT menu 24.11). 39.1 Remote Management Overview Remote management allows you to determine which services/protocols can access which Prestige interface (if any) from which computers. When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.
Prestige 652 Series User’s Guide Enter 11, from menu 24, to display Menu 24.11 — Remote Management Control (shown next). Menu 24.11 - Remote Management Control TELNET Server: Server Port = 23 Server Access = LAN only Secured Client IP = 0.0.0.0 FTP Server: Server Port = 21 Server Access = LAN only...
Prestige 652 Series User’s Guide 1. A filter in menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service. 2. You have disabled that service in menu 24.11. 3. The IP address in the Secured Client IP field (menu 24.11) does not match the client IP address. If it does not match, the Prestige will disconnect the session immediately.
Prestige 652 Series User’s Guide Chapter 40 IP Policy Routing This chapter covers setting and applying policies used for IP routing. 40.1 IP Policy Routing Overview Traditionally, routing is based on the destination address only and the IAD takes the shortest path to forward a packet.
Prestige 652 Series User’s Guide IPPR follows the existing packet filtering facility of RAS in style and in implementation. The policies are divided into sets, where related policies are grouped together. A user defines the policies before applying them to an interface or a remote node, in the same fashion as the filters. There are 12 policy sets with six policies in each set.
Prestige 652 Series User’s Guide Menu 25.1 - IP Routing Policy Setup Criteria/Action - - -------------------------------------------------------------------------- 1 Y SA=1.1.1.1-1.1.1.1,DA=2.2.2.2-2.2.2.5 SP=20-25,DP=20-25,P=6,T=NM,PR=0 |GW=192.168.1.1,T=MT,PR=0 2 N __________________________________________________________________________ __________________________________________________________________________ 3 N __________________________________________________________________________ __________________________________________________________________________ 4 N __________________________________________________________________________ __________________________________________________________________________ 5 N __________________________________________________________________________ __________________________________________________________________________ 6 N __________________________________________________________________________ __________________________________________________________________________ Enter Policy Rule Number (1-6) to Configure: Figure 40-2 Menu 25.1 IP Routing Policy Setup...
Prestige 652 Series User’s Guide Type a number from 1 to 6 to display Menu 25.1.1 – IP Routing Policy (see the next figure). This menu allows you to configure a policy rule. Menu 25.1.1 - IP Routing Policy Policy Set Name= test Active= Yes Criteria: IP Protocol...
Prestige 652 Series User’s Guide Table 40-2 Menu 25.1.1 IP Routing Policy FIELD DESCRIPTION Len Comp Press [SPACE BAR] and then [ENTER] to choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Equal. Source: addr start / end Source IP address range from start to end.
Prestige 652 Series User’s Guide Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP Setup: DHCP= None Client IP Pool Starting Address= N/A Size of Client IP Pool= N/A Primary DNS Server= N/A Secondary DNS Server= N/A Remote DHCP Server= N/A TCP/IP Setup: Type IP IP Address= 192.168.1.1...
Prestige 652 Series User’s Guide 40.6 IP Policy Routing Example If a network has both Internet and remote node connections, you can route Web packets to the Internet using one policy and route FTP packets to a remote network using another policy. See the next figure. Figure 40-6 Example of IP Policy Routing To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the Prestige, follow the steps as shown next.
Prestige 652 Series User’s Guide Step 1. Create a routing policy set in menu 25. Step 2. Create a rule for this set in Menu 25.1.1 — IP Routing Policy as shown next. Menu 25.1.1 - IP Routing Policy Policy Set Name= set1 Active= Yes Criteria: IP Protocol...
Prestige 652 Series User’s Guide Menu 25.1.1 - IP Routing Policy Policy Set Name= set2 Active= Yes Criteria: IP Protocol Type of Service= Don't Care Packet length= 10 Precedence = Don't Care Len Comp= N/A Source: addr start= 0.0.0.0 end= N/A port start= 0 end= N/A Destination:...
Prestige 652 Series User’s Guide Chapter 41 Call Scheduling Call scheduling (applicable for PPPoA or PPPoE encapsulation only) allows you to dictate when a remote node should be called and for how long. 41.1 Introduction The call scheduling feature allows the Prestige to manage a remote node and dictate when a remote node should be called and for how long.
To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] (or delete) in the Edit Name field. To set up a schedule set, select the schedule set you want to set up from menu 26 (1-12) and press [ENTER] to see Menu 26.1 —...
Prestige 652 Series User’s Guide Table 41-1 Menu 26.1 Schedule Set Setup FIELD DESCRIPTION EXAMPLE Should this schedule set recur weekly or be used just once Once Often only? Press the [SPACE BAR] and then [ENTER] to select Once or Weekly. Both these options are mutually exclusive. If Once is selected, then all weekday settings are N/A.
Prestige 652 Series User’s Guide Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Bridge= No Encapsulation= PPPoE Edit IP/Bridge= No Multiplexing=VC-based Edit ATM Options= No Service Name= Telco Option: Incoming Allocated Budget(min)= 0 Rem Login= Period(hr)= 0 Apply your schedule Rem Password= ********...
Part X: SMT VPN/IPSec and Internal SPTGEN
This part provides information about configuring VPN/IPSec for secure communications and Internal SPTGEN for configuration of multiple Prestiges.
See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
Chapter 42 VPN/IPSec Setup
This chapter introduces the VPN SMT menus.
42.1 VPN/IPSec Overview
The VPN/IPSec main SMT menu has these main submenus:
1. Define VPN policies in menu 27.1 submenus, including security policies, endpoint IP addresses, peer IPSec router IP address and key management.
172.16.2.40 172.16.2.46 193.81.13.2
zw50 1.1.1.1 1.1.1.1 Tunnel AH SHA1
4.4.4.4 255.255.0.0 zw50test.zyxel.
China 192.168.1.40 192.168.1.42 Tunnel ESP DES MD5
0.0.0.0
Select Command= None Select Rule= N/A
Press ENTER to Confirm or ESC to Cancel:
Figure 42-3 Menu 27.1 IPSec Summary...
Table 42-1 Menu 27.1 IPSec Summary
FIELD | DESCRIPTION | EXAMPLE
 | This is the VPN policy index number. |
Name | This field displays the unique identification name for this VPN rule. The name may be up to 32 characters long but only 10 characters will be displayed here.... | Taiwan
Table 42-1 Menu 27.1 IPSec Summary
FIELD | DESCRIPTION | EXAMPLE
IPSec Algorithm | This field displays the security protocols used for an SA. ESP provides confidentiality and integrity of data by encrypting the data and encapsulating it into IP packets.... | ESP DES MD5
Table 42-1 Menu 27.1 IPSec Summary
FIELD | DESCRIPTION | EXAMPLE
Remote Addr End | When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is the same (static) IP address as in the Remote Addr Start field.... | 172.16.2.46
Name= Taiwan
Active= Yes
Keep Alive= No
Local ID type Content:
My IP Addr= 0.0.0.0
Peer ID type Content:
Secure Gateway Address= zw50test.zyxel.com.tw
Protocol= 0
Local:
Addr Type= SINGLE
IP Addr Start= 1.1.1.1
End/Subnet Mask= N/A
Port Start= 0 End= N/A...
Table 42-2 Menu 27.1.1 IPSec Setup
FIELD | DESCRIPTION | EXAMPLE
Keep Alive | Press [SPACE BAR] to choose either Yes or No. Choose Yes and press [ENTER] to have the Prestige automatically re-initiate the SA after the SA lifetime times out, even if there is no traffic.... |
Table 42-2 Menu 27.1.1 IPSec Setup
FIELD | DESCRIPTION | EXAMPLE
Content | When you select IP in the Peer ID Type field, type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the Prestige automatically use the address in the Secure Gateway Address field.... |
Table 42-2 Menu 27.1.1 IPSec Setup
FIELD | DESCRIPTION | EXAMPLE
IP Addr Start | When the Addr Type field is configured to Single, enter a static IP address on the LAN behind your Prestige. When the Addr Type field is configured to Range, enter the beginning (static) IP address, in a range of computers on your LAN behind your Prestige.... | 192.168.1.35
Table 42-2 Menu 27.1.1 IPSec Setup
FIELD | DESCRIPTION | EXAMPLE
IP Addr Start | When the Addr Type field is configured to Single, enter a static IP address on the network behind the remote IPSec router. When the Addr Type field is configured to Range, enter the beginning (static) IP address, in a range of computers on the network behind the remote IPSec router.... | 4.4.4.4
Table 42-2 Menu 27.1.1 IPSec Setup
FIELD | DESCRIPTION | EXAMPLE
Management | Press [SPACE BAR] to choose either IKE or Manual and then press [ENTER]. Manual is useful for troubleshooting if you have problems using IKE key management. |
Press [SPACE BAR] to change the default No to Yes and then press Edit Key Management...
The following table describes the fields in this menu.
Table 42-3 Menu 27.1.1.1 IKE Setup
FIELD | DESCRIPTION | EXAMPLE
Phase 1
Negotiation Mode | Press [SPACE BAR] to choose from Main or Aggressive and then press [ENTER].... | Main
Table 42-3 Menu 27.1.1.1 IKE Setup
FIELD | DESCRIPTION | EXAMPLE
Phase 2
Active Protocol | Press [SPACE BAR] to choose from ESP or AH and then press [ENTER]. See earlier for a discussion of these protocols. |
Encryption Algorithm | Press [SPACE BAR] to choose from NULL, 3DES or DES and then press [ENTER].... |
42.5.2 Security Parameter Index (SPI)
To edit this menu, move the cursor to the Edit Manual Setup field in Menu 27.1.1 – IPSec Setup, press [SPACE BAR] to select Yes and then press [ENTER] to go to Menu 27.1.1.2 – Manual Setup.
Menu 27.1.1.2 –...
Table 42-5 Menu 27.1.1.2 Manual Setup
FIELD | DESCRIPTION | EXAMPLE
Key2 | Enter a unique eight-character key. It can be comprised of any character including spaces (but trailing spaces are truncated). |
Key3 | Enter a unique eight-character key. It can be comprised of any character including spaces (but trailing spaces are truncated).... |
Chapter 43 SA Monitor
This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27.2.
43.1 SA Monitor Overview
A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This menu (shown next) displays active VPN connections.
The following table describes the fields in this menu.
Table 43-1 Menu 27.2 SA Monitor
FIELD | DESCRIPTION | EXAMPLE
 | This is the security association index number. |
Name | This field displays the identification name for this VPN policy. This name is unique for each connection where the secure gateway IP address is a public static IP address.... | Taiwan
Chapter 44 Internal SPTGEN
44.1 Internal SPTGEN Overview
Internal SPTGEN (System Parameter Table Generator) is a configuration text file useful for efficient configuration of multiple Prestiges. Internal SPTGEN lets you configure, save and upload multiple menus at the same time using just one configuration text file –...
(Callout) This is the name of the menu.
(Callout) This is the Field Name column. This is the name of the field as seen in the corresponding SMT screen.
(Callout) One “=” sign, followed by one space, must precede everything you input....
field value is not legal error:-1
ROM-t is not saved, error Line ID:10000000
reboot to get the original configuration
Bootbase Version: V2.02 | 2/22/2001 13:33:11
RAM: Size = 8192 Kbytes
FLASH: Intel 8M *2
Figure 44-2 Invalid Parameter Entered: Command Line Example
The Prestige will display the following if you enter parameter(s) that are valid.
You can rename your “rom-t” file when you save it to your computer but it must be named “rom-t” when you upload it to your Prestige.
44.4 Internal SPTGEN FTP Upload Example
c:\ftp 192.168.1.1
220 PPP FTP version 1.0 ready at Sat Jan 1 03:22:12 1...
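A pre-upload check for a "rom-t" file, added here as an example (it is not ZyXEL's code), that catches the kind of entry the Prestige rejects with "field value is not legal" before the file is sent by FTP. It assumes each entry has the form `FIN = FN <PVA> = INPUT` and that menu header lines start with "/" or "*/"; the function names, the sample text and the range table (taken from the "must be between 0-32" callout) are constructed for this illustration.

```python
import re

# Assumed entry layout, based on this guide's SPTGEN screens: FIN = FN <PVA> = INPUT
ENTRY = re.compile(r"^(?P<fin>\d+)\s*=\s*(?P<rest>.*)$")
PVA = re.compile(r"<(?P<pva>[^>]*)>")
CHOICE = re.compile(r"(\d+)\s*\(([^)]*)\)")  # e.g. 0(No), 17(UDP)


def split_entry(rest):
    """Split 'FN <PVA> = INPUT' into (field name, PVA text or None, '= INPUT' tail)."""
    pva = PVA.search(rest)
    if pva:
        return rest[:pva.start()].strip(), pva.group("pva"), rest[pva.end():].strip()
    name, sep, value = rest.partition("=")
    return name.strip(), None, (sep + value).strip()


def lint_romt(text, ranges=None):
    """Return (line number, FIN, message) for every entry that looks illegal."""
    ranges = ranges or {}
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.lstrip("*").startswith("/"):
            continue  # blank line or menu header
        match = ENTRY.match(entry)
        if not match:
            findings.append((lineno, None, "line does not start with a numeric FIN"))
            continue
        fin = match.group("fin")
        if fin in seen:
            findings.append((lineno, fin, "FIN appears more than once"))
        seen.add(fin)
        _name, pva, tail = split_entry(match.group("rest"))
        if tail in ("", "="):
            continue  # no INPUT supplied for this field
        if not tail.startswith("= "):
            findings.append((lineno, fin, "INPUT must be preceded by '=' and one space"))
            continue
        value = tail[2:].strip()
        choices = {int(k): label.strip() for k, label in CHOICE.findall(pva or "")}
        if choices:
            if not value.isdigit() or int(value) not in choices:
                allowed = ", ".join(f"{k}({v})" for k, v in sorted(choices.items()))
                findings.append((lineno, fin, f"'{value}' is not one of: {allowed}"))
        elif fin in ranges:
            low, high = ranges[fin]
            if not value.isdigit() or not low <= int(value) <= high:
                findings.append((lineno, fin, f"'{value}' is outside {low}-{high}"))
    return findings


# Constructed sample; FINs and field names are the ones shown in Appendix G.
SAMPLE_ROMT = """\
/ MENU 3.1 GENERAL ETHERNET SETUP (SMT MENU 3.1)
30100002 = Input Protocol filters Set 2 = 256
30200009 = IP Subnet Mask = 40
30200010 = RIP Direction <0(None) | 1(Both) | 2(In Only) | 3(Out Only)> = 5
30200011 = Version <0(Rip-1) | 1(Rip-2B) |2(Rip-2M)> =1
40000008 = Service Name <Str> = any
40000008 = Service Name <Str> = other
120103002 = IP Static Route set #3, Active <0(No) |1(Yes)> = 1
"""

# Assumption: the 0-32 callout applies to the subnet mask field.
SAMPLE_RANGES = {"30200009": (0, 32)}

if __name__ == "__main__":
    for lineno, fin, message in lint_romt(SAMPLE_ROMT, SAMPLE_RANGES):
        print(f"line {lineno} (FIN {fin}): {message}")
```

Keeping a linted copy of each uploaded file also gives you a record of which filter and remote management values were pushed to which Prestige.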
Appendix A Troubleshooting
This chapter covers potential problems and the corresponding remedies.
Problems Starting Up the Prestige
Chart A-1 Troubleshooting the Start-Up of Your Prestige
PROBLEM | CORRECTIVE ACTION
None of the LEDs turn on | Make sure that the Prestige’s power adaptor is connected to the Prestige and plugged in to an appropriate power source....
Chart A-3 Troubleshooting the DSL LED
PROBLEM | CORRECTIVE ACTION
The DSL LED is off. | Check the telephone wire and connections between the Prestige DSL port and the wall jack. Make sure that the telephone company has checked your phone line and set it up for DSL service....
Problems with the WAN Interface
Chart A-5 Troubleshooting the WAN Interface
PROBLEM | CORRECTIVE ACTION
I cannot get a WAN IP address from the | The ISP provides the WAN IP address after authenticating you. Authentication may be through the user name and password, the MAC address or the host name....
Problems with the Password
Chart A-7 Troubleshooting the Password
PROBLEM | CORRECTIVE ACTION
I cannot access the Prestige. | The username is “admin”. The default password is “1234”. The Password and Username fields are case-sensitive. Make sure that you enter the correct password and username using the proper casing....
Problems with Remote Management
Chart A-9 Troubleshooting Remote Management
PROBLEM | CORRECTIVE ACTION
I cannot remotely manage the Prestige from the | Refer to the Remote Management Limitations section in the Firmware and Configuration File Management chapter (SMT) for scenarios when remote management may not be possible....
Appendix B IP Subnetting
IP Addressing
Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID.
IP Classes
An IP address is made up of four octets (eight bits), written in dotted decimal notation, for example, 192.168.1.1....
A class “A” address (24 host bits) can have 2^24 – 2 hosts (approximately 16 million hosts). Since the first octet of a class “A” IP address must contain a “0”, the first octet of a class “A” address can have a value of 0 to 127....
of ones beginning from the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits. Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32-bit mask, you can simply specify the number of ones instead of writing the value of each octet....
Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit. The “borrowed” host ID bit can be either “0” or “1” thus giving two subnets;...
actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254.
Example: Four Subnets
The above example illustrated using a 25-bit subnet mask to divide a class “C” address space into two subnets....
Chart B-12 Class C Subnet Planning
NO. “BORROWED” HOST BITS | SUBNET MASK | NO. SUBNETS | NO. HOSTS PER SUBNET
 | 255.255.255.128 (/25) | |
 | 255.255.255.192 (/26) | |
 | 255.255.255.224 (/27) | |
 | 255.255.255.240 (/28) | |
 | 255.255.255.248 (/29) | |
 | 255.255.255.252 (/30) | |
 | 255.255.255.254 (/31) | |
Subnetting With Class A and Class B Networks.
For class “A”...
Chart B-13 Class B Subnet Planning
NO. “BORROWED” HOST BITS | SUBNET MASK | NO. SUBNETS | NO. HOSTS PER SUBNET
 | (/25) | |
 | 255.255.255.192 (/26) | 1024 |
 | 255.255.255.224 (/27) | 2048 |
 | 255.255.255.240 (/28) | 4096 |
 | 255.255.255.248 (/29) | 8192 |
 | 255.255.255.252 (/30) | 16384 |
 | 255.255.255.254 (/31) | 32768 |
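The subnet arithmetic described in this appendix, carried through in code as an added example (not part of the original guide). It generalizes the two-subnet case to any number of "borrowed" host bits on a class A, B or C network; the function names and the class B address 172.16.0.0 used in the sample call are chosen for this illustration.

```python
def to_int(dotted):
    """Dotted decimal -> 32-bit integer."""
    a, b, c, d = (int(part) for part in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(value):
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classful_prefix(dotted):
    """Natural mask length of a class A, B or C address, from its first octet."""
    first = int(dotted.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("class D and E addresses are not subnetted")


def plan_subnets(network, borrowed):
    """Subnet a classful network by moving `borrowed` host bits into the network number."""
    base_prefix = classful_prefix(network)
    host_bits = 32 - base_prefix - borrowed
    if borrowed < 1 or host_bits < 1:
        raise ValueError("borrowed bits must leave at least one host bit")
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    class_mask = (0xFFFFFFFF << (32 - base_prefix)) & 0xFFFFFFFF
    base = to_int(network) & class_mask
    size = 1 << host_bits  # addresses per subnet, including all-zeros and all-ones host IDs
    subnets = []
    for index in range(1 << borrowed):
        start = base + index * size
        row = {"subnet": to_dotted(start), "broadcast": to_dotted(start + size - 1)}
        if size > 2:  # host ID all zeros and all ones are not assigned to hosts
            row["first_host"] = to_dotted(start + 1)
            row["last_host"] = to_dotted(start + size - 2)
        subnets.append(row)
    return {
        "mask": to_dotted(mask),
        "prefix": 32 - host_bits,
        "subnet_count": 1 << borrowed,
        "hosts_per_subnet": max(size - 2, 0),
        "subnets": subnets,
    }


if __name__ == "__main__":
    for bits in range(1, 8):  # the /25 to /31 rows of the class C planning chart
        plan = plan_subnets("192.168.1.0", bits)
        print(bits, plan["mask"], f"/{plan['prefix']}",
              plan["subnet_count"], plan["hosts_per_subnet"])
    print(plan_subnets("172.16.0.0", 10)["subnet_count"])  # class B with a /26 mask
```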
Appendix C Wireless LAN and IEEE 802.11
A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without any expensive network cabling infrastructure....
Ad-hoc Wireless LAN Configuration
The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless nodes or stations (STA), which is called a Basic Service Set (BSS). In the most basic form, a wireless LAN connects a set of computers with wireless adapters....
Diagram C-2 ESS Provides Campus-Wide Coverage
Appendix D PPPoE
PPPoE in Action
An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit) which connects to an xDSL Access Concentrator where the PPP session terminates (see the next figure)....
How PPPoE Works
The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP....
Appendix E Virtual Circuit Topology
ATM is a connection-oriented technology, meaning that it sets up virtual circuits over which end systems communicate. The terminology for virtual circuits is as follows:
• Virtual Channel: Logical connections between ATM switches
•...
Appendix F Power Adaptor Specifications
Prestige 652R-11; Prestige 652R-13
NORTH AMERICAN PLUG STANDARDS
AC Power Adapter Model: DV-1215A
Input Power: AC120Volts/60Hz/30W
Output Power: AC12Volts/1.25A
Power Consumption: 11 W
Safety Standards: UL, CUL, CSA (UL 1310, CSA C22.2 No.223)
NORTH AMERICAN PLUG STANDARDS
AC Power Adapter Model: AA-121A25...
Prestige 652H-31/-33/-37; Prestige 652H/HW-31/-33/-37
NORTH AMERICAN PLUG STANDARDS
AC Power Adapter Model: DV-1215A
Input Power: AC120Volts/60Hz/30W
Output Power: AC12Volts/1.25A
Power Consumption: 14 W
Safety Standards: UL, CUL, CSA (UL 1310, CSA C22.2 No.223)
NORTH AMERICAN PLUG STANDARDS...
Appendix G Example Internal SPTGEN Screens
This appendix covers Prestige Internal SPTGEN screens.
Abbreviations Used in the Example Internal SPTGEN Screens Table
ABBREVIATION | MEANING
 | Field Identification Number (not seen in SMT screens)
 | Field Name
 | Parameter Values Allowed
INPUT | An example of what you may enter
 | Applies to the P652H/HW....
/ MENU 3.1 GENERAL ETHERNET SETUP (SMT MENU 3.1)
INPUT
30100001 = Input Protocol filters Set 1
30100002 = Input Protocol filters Set 2 = 256
30100003 = Input Protocol filters Set 3 = 256
30100004 = Input Protocol filters Set 4...
(Callout) The valid
30200008 = IP Address = 172.21.2.200
30200009 = IP Subnet Mask = 16
30200010 = RIP Direction <0(None) | 1(Both) | 2(In Only) | 3(Out Only)>
30200011 = Version <0(Rip-1) | 1(Rip-2B) |2(Rip-2M)>...
(Callout) This value must be between 0-32.
30201010 = IP Alias #1 Outgoing protocol filters Set 1 = 256
30201011 = IP Alias #1 Outgoing protocol filters Set 2 = 256
30201012 = IP Alias #1 Outgoing protocol filters Set 3 = 256
30201013 = IP Alias #1 Outgoing protocol filters = 256...
40000005 = Multiplexing <1(LLC-based) | 2(VC-based)
40000006 = VPI #
40000007 = VCI # = 35
40000008 = Service Name <Str> = any
40000009 = My Login <Str>...
(Callout) This value must be between 0-32.
(Callout) This value
40000031= RIP Direction <0(None) | 1(Both) | 2(In Only) | 3(Out Only)>
40000032= RIP Version <0(Rip-1) | 1(Rip-2B) |2(Rip-2M)>
40000033= Nailed-up Connection <0(No) |1(Yes)>
/ MENU 12.1.1 IP STATIC ROUTE SETUP (SMT MENU 12.1.1)
INPUT
120101001 = IP Static Route set #1, Name <Str>...
120103002 = IP Static Route set #3, Active <0(No) |1(Yes)>
120103003 = IP Static Route set #3, Destination IP address = 0.0.0.0
120103004 = IP Static Route set #3, Destination IP subnetmask
120103005 = IP Static Route set #3, Gateway = 0.0.0.0
120103006 = IP Static Route set #3, Metric...
/ MENU 12.1.6 IP STATIC ROUTE SETUP (SMT MENU 12.1.6)
INPUT
120106001 = IP Static Route set #6, Name <Str>
120106002 = IP Static Route set #6, Active <0(No) |1(Yes)>
120106003 = IP Static Route set #6, Destination IP address = 0.0.0.0
120106004 =...
120108005 = IP Static Route set #8, Gateway = 0.0.0.0
120108006 = IP Static Route set #8, Metric
120108007 = IP Static Route set #8, Private <0(No) |1(Yes)>
*/ MENU 12.1.9 IP STATIC ROUTE SETUP (SMT MENU 12.1.9)
INPUT
120109001 = IP Static Route set #9, Name...
120111003 = IP Static Route set #11, Destination IP address = 0.0.0.0
120111004 = IP Static Route set #11, Destination IP subnetmask
120111005 = IP Static Route set #11, Gateway = 0.0.0.0
120111006 = IP Static Route set #11, Metric
120111007 = IP Static Route set #11, Private <0(No) |1(Yes)>...
INPUT
120114001 = IP Static Route set #14, Name <Str>
120114002 = IP Static Route set #14, Active <0(No) |1(Yes)>
120114003 = IP Static Route set #14, Destination IP address = 0.0.0.0
120114004 = IP Static Route set #14, Destination IP subnetmask
120114005 = IP Static Route set #14, Gateway...
120116006 = IP Static Route set #16, Metric
120116007 = IP Static Route set #16, Private <0(No) |1(Yes)>
/ MENU 15 SUA SERVER SETUP (SMT MENU 15)
INPUT
150000001 = SUA Server IP address for default port = 0.0.0.0
150000002 =...
150000021 = SUA Server #5 Local IP address = 0.0.0.0
150000022 = SUA Server #6 Active <0(No) | 1(Yes)> = 0
150000023 = SUA Server #6 Protocol <0(All)|6(TCP)|17(UDP)>
150000024 = SUA Server #6 Port Start
150000025 = SUA Server #6 Port End
150000026 =...
150000046 = SUA Server #10 Local IP address = 0.0.0.0
150000047 = SUA Server #11 Active <0(No) | 1(Yes)>
150000048 = SUA Server #11 Protocol <0(All)|6(TCP)|17(UDP)>
150000049 = SUA Server #11 Port Start
150000050 = SUA Server #11 Port End
150000051 = SUA Server #11 Local IP address...
210101009 = IP Filter Set 1,Rule 1 Src Subnet Mask
210101010 = IP Filter Set 1,Rule 1 Src Port
210101011 = IP Filter Set 1,Rule 1 Src Port Comp <0(none)|1(equal)|2( equal)|3(less)|4(greater)>
210101013 = IP Filter Set 1,Rule 1 Act Match <1(check next)|2(forward)|3(drop)>...
210102013 = IP Filter Set 1,Rule 2 Act Match <1(check next)|2(forward)|3(drop)>
210102014 = IP Filter Set 1,Rule 2 Act Not Match <1(check next)|2(forward)|3(drop)>
/ MENU 21.1.1.3 SET #1, RULE #3 (SMT MENU 21.1.1.3)
INPUT
210103001 = IP Filter Set 1,Rule 3 Type...
INPUT
210104001 = IP Filter Set 1,Rule 4 Type <2(TCP/IP)>
210104002 = IP Filter Set 1,Rule 4 Active <0(No)|1(Yes)>
210104003 = IP Filter Set 1,Rule 4 Protocol = 17
210104004 = IP Filter Set 1,Rule 4 Dest IP address = 0.0.0.0
210104005 = IP Filter Set 1,Rule 4 Dest Subnet...
210105006 = IP Filter Set 1,Rule 5 Dest Port = 138
210105007 = IP Filter Set 1,Rule 5 Dest Port Comp <0(none)|1(equal)|2( equal)|3(less)|4(greater)>
210105008 = IP Filter Set 1,Rule 5 Src IP Address = 0.0.0.0
210105009 = IP Filter Set 1,Rule 5 Src Subnet Mask...
210106010 = IP Filter Set 1,Rule 6 Src Port
210106011 = IP Filter Set 1,Rule 6 Src Port Comp <0(none)|1(equal)|2( equal)|3(less)|4(greater)>
210106013 = IP Filter Set 1,Rule 6 Act Match <1(check next)|2(forward)|3(drop)>
210106014 = IP Filter Set 1,Rule 6 Act Not Match <1(check next)|2(forward)|3(dr...
210201011 = IP Filter Set 2, Rule 1 Src Port Comp <0(none)|1(equal)|2( equal)|3(less)|4(greater)>
210201013 = IP Filter Set 2, Rule 1 Act Match <1(check next)|2(forward)|3(drop)>
210201014 = IP Filter Set 2, Rule 1 Act Not Match <1(check next)|2(forward)|3(drop)>...
210202014 = IP Filter Set 2, Rule 2 Act Not Match <1(check next)|2(forward)|3(drop)>
/ MENU 21.1.2.3 FILTER SET #2, RULE #3 (SMT MENU 21.1.2.3)
INPUT
210203001 = IP Filter Set 2, Rule 3 Type <0(none)|2(TCP/IP)>...
210204002 = IP Filter Set 2, Rule 4 Active <0(No)|1(Yes)> = 1
210204003 = IP Filter Set 2, Rule 4 Protocol = 17
210204004 = IP Filter Set 2, Rule 4 Dest IP address = 0.0.0.0
210204005 = IP Filter Set 2, Rule 4 Dest Subnet...
210205006 = IP Filter Set 2, Rule 5 Dest Port = 138
210205007 = IP Filter Set 2, Rule 5 Dest Port Comp <0(none)|1(equal)|2( equal)|3(less)|4(greater)>
210205008 = IP Filter Set 2, Rule 5 Src IP address = 0.0.0.0
210205009 = IP Filter Set 2, Rule 5 Src Subnet...
210206009 = IP Filter Set 2, Rule 6 Src Subnet Mask
210206010 = IP Filter Set 2, Rule 6 Src Port
210206011 = IP Filter Set 2, Rule 6 Src Port Comp <0(none)|1(equal)|2( equal)|3(less)|4(greater)>
210206013 = IP Filter Set 2,Rule 6 Act Match <1(check...
230400003 = Idle Timeout (in second) = 999
230400004 = Authentication Databases <0(Local User Database Only) |1(RADIUS Only) |2(Local,RADIUS) |3(RADIUS,Local)>
/ MENU 24.11 REMOTE MANAGEMENT CONTROL (SMT MENU 24.11)
INPUT
241100001 = TELNET Server Port = 23
(Callout) These values must be...
Appendix H Setting up Your Computer’s IP Address
All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed.
Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer....
Installing Components
The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.
If you need the adapter:
In the Network window, click Add.
Select Adapter and then click Add....
Click the IP Address tab.
- If your IP address is dynamic, select Obtain an IP address automatically.
- If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.
Click the DNS Configuration tab....
Click the Gateway tab.
- If you do not know your gateway’s IP address, remove previously installed gateways.
- If you have a gateway IP address, type it in the New gateway field and click Add.
Click OK to save and close the TCP/IP Properties window.
Click OK to close the Network window....
Windows 2000/NT/XP
For Windows XP, click start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel.
For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections.
Right-click Local Area Connection and then click Properties....
Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties.
The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
- If you have a dynamic IP address click Obtain an IP address automatically....
- If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.
Do one or more of the following if you want to configure additional IP addresses:
- In the IP Settings tab, in IP addresses, click Add....
In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP):
- Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
- If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields....
Macintosh OS 8/9
Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel.
Select Ethernet built-in from the Connect via list.
For dynamically assigned settings, select Using DHCP Server from the Configure: list.
For statically assigned settings, do the following:
- From the Configure box, select Manually.
- Type your IP address in the IP Address box.
- Type your subnet mask in the Subnet mask box.
- Type the IP address of your Prestige in the Router address box....
Click Network in the icon bar.
- Select Automatic from the Location list.
- Select Built-in Ethernet from the Show list.
- Click the TCP/IP tab.
For dynamically assigned settings, select Using DHCP from the Configure list.
For statically assigned settings, do the following:
- From the Configure box, select Manually....
Appendix I Splitters and Microfilters
This appendix tells you how to install a POTS splitter or a telephone microfilter.
Connecting a POTS Splitter
When you use the Full Rate (G.dmt) ADSL standard, you can use a POTS (Plain Old Telephone Service) splitter to separate the telephone and ADSL signals....
Step 2. Connect a cable from the double jack end of the Y-Connector to the “wall side” of the microfilter.
Step 3. Connect another cable from the double jack end of the Y-Connector to the Prestige.
Step 4....
Appendix J Log Descriptions
This appendix provides descriptions of example log messages.
Chart J-1 System Maintenance Logs
LOG MESSAGE | DESCRIPTION
Time calibration is | The router has adjusted its time based on information from the time server....
Chart J-2 UPnP Logs
LOG MESSAGE | DESCRIPTION
UPnP pass through Firewall | UPnP packets can pass through the firewall.
For the content filtering logs “(Destination)” means the destination IP address or domain name.
Chart J-3 Content Filtering Logs
MESSAGE | NOTE | DESCRIPTION...
Chart J-4 Attack Logs
LOG MESSAGE | DESCRIPTION
attack (Protocol) | The firewall detected an attack. The log may also display the protocol (for example TCP or UDP).
land (Protocol) | The firewall detected a land attack. The log may also display the protocol (for example TCP or UDP)....
Chart J-5 Access Logs
LOG MESSAGE | DESCRIPTION
Firewall default policy (Protocol, Direction) | Access matched the default policy and the Prestige blocked or forwarded it according to the configuration of the default firewall policy.
Firewall rule match | Access matched a firewall rule and the Prestige blocked or forwarded it according to the rule’s configuration....
Chart J-5 Access Logs
LOG MESSAGE | DESCRIPTION
Out of order TCP handshake packet blocked (Protocol) | The router blocked a TCP handshake packet that came out of the proper order.
Unsupported/out-of-order ICMP (Protocol) | The Prestige generates this log after it drops an ICMP packet due to one of the following two reasons: 1....
Chart J-7 ICMP Notes
TYPE | CODE | DESCRIPTION
 | | A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF)
 | | Source route failed
 | | Source Quench
 | | A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network....
Chart J-7 ICMP Notes
TYPE | CODE | DESCRIPTION
 | | Information reply message
VPN/IPSec logs
To view the IPSec and IKE connection log, type 3 in menu 27 and press [ENTER] to display the IPSec log as shown next. The following figure shows a typical log from the initiator of a VPN connection.
Index: Date/Time: Log:...
Index: Date/Time: Log:
------------------------------------------------------------
01 Jan 08:08:07 Recv Main Mode request from <192.168.100.100>
01 Jan 08:08:07 Recv:<SA>
01 Jan 08:08:08 Send:<SA>
01 Jan 08:08:08 Recv:<KE><NONCE>
01 Jan 08:08:10 Send:<KE><NONCE>
01 Jan 08:08:10 Recv:<ID><HASH>
01 Jan 08:08:10 Send:<ID><HASH>...
Chart J-8 Sample IKE Key Exchange Logs
LOG MESSAGE | DESCRIPTION
Start Phase 2: Quick Mode | Phase 2 negotiation is beginning using Quick Mode.
!! IKE Negotiation is in process | The Prestige has begun negotiation with the peer for the connection already, but the IKE key exchange has not finished yet....
Chart J-8 Sample IKE Key Exchange Logs
LOG MESSAGE | DESCRIPTION
!! Too many errors! Deleting SA | The Prestige deletes an SA when too many errors occur.
!! ID type mismatch | The ID type of an incoming packet does not match the local's peer ID type....
Chart J-9 Sample IPSec Logs During Packet Transmission
LOG MESSAGE | DESCRIPTION
!! Discard REPLAY packet | If the Prestige receives a packet with the wrong sequence number it will discard it.
!! Inbound packet authentication failed | The authentication configuration settings are incorrect. Please check them....
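A triage pass over the IPSec/IKE log, added here as an example (it is not part of the guide or of ZyNOS): it groups log lines into negotiations, checks whether all three Main Mode exchanges were seen in both directions, and classifies the "!!" messages listed in Charts J-8 and J-9. It assumes each line is "DD Mon HH:MM:SS message" with an optional three-digit index in front, and that messages following a "Main Mode request" line belong to that peer; the category names, the peer 192.168.100.200 and the sample log are constructed.

```python
import re
from dataclasses import dataclass, field

LINE = re.compile(r"^(?:\d{3}\s+)?(?P<date>\d{2} [A-Z][a-z]{2}) "
                  r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<msg>.+)$")
START = re.compile(r"^(Recv|Send) Main Mode request (?:from|to) <([^>]+)>$")
PAYLOAD = re.compile(r"^(Recv|Send):((?:<[A-Z]+>)+)$")

# Main Mode is complete once each payload pair has been sent and received.
MAIN_MODE = {(way, payload) for way in ("Recv", "Send")
             for payload in ("<SA>", "<KE><NONCE>", "<ID><HASH>")}

# "!!" messages from Charts J-8 and J-9, mapped to categories invented here.
ALERTS = {
    "IKE Negotiation is in process": "negotiation-busy",
    "Too many errors! Deleting SA": "sa-deleted",
    "ID type mismatch": "id-mismatch",
    "Discard REPLAY packet": "replay",
    "Inbound packet authentication failed": "auth-failure",
}


@dataclass
class Session:
    peer: str
    role: str
    started: str
    exchanges: set = field(default_factory=set)
    phase2: bool = False
    alerts: list = field(default_factory=list)

    @property
    def main_mode_complete(self):
        return MAIN_MODE <= self.exchanges

    @property
    def verdict(self):
        categories = {category for _, category in self.alerts}
        if categories & {"sa-deleted", "id-mismatch"}:
            return "failed"
        if not self.main_mode_complete:
            return "incomplete"
        if categories & {"replay", "auth-failure"}:
            return "alerts"
        return "ok"


def triage(log_text):
    """Return one Session per Main Mode negotiation found in the log text."""
    sessions, current = [], None
    for raw in log_text.splitlines():
        match = LINE.match(raw.strip())
        if not match:
            continue  # column header, ruler or blank line
        msg = match["msg"].strip()
        stamp = f'{match["date"]} {match["time"]}'
        start = START.match(msg)
        if start:
            role = "responder" if start[1] == "Recv" else "initiator"
            current = Session(peer=start[2], role=role, started=stamp)
            sessions.append(current)
        elif current is None:
            continue  # message seen before any negotiation started
        elif PAYLOAD.match(msg):
            way, payload = PAYLOAD.match(msg).groups()
            current.exchanges.add((way, payload))
        elif msg == "Start Phase 2: Quick Mode":
            current.phase2 = True
        elif msg.startswith("!!"):
            current.alerts.append((stamp, ALERTS.get(msg[2:].strip(), "other")))
    return sessions


# Constructed sample in the layout of the responder log shown above.
SAMPLE_LOG = """\
Index: Date/Time: Log:
------------------------------------------------------------
01 Jan 08:08:07 Recv Main Mode request from <192.168.100.100>
01 Jan 08:08:07 Recv:<SA>
01 Jan 08:08:08 Send:<SA>
01 Jan 08:08:08 Recv:<KE><NONCE>
01 Jan 08:08:10 Send:<KE><NONCE>
01 Jan 08:08:10 Recv:<ID><HASH>
01 Jan 08:08:10 Send:<ID><HASH>
01 Jan 08:08:10 Start Phase 2: Quick Mode
01 Jan 08:09:30 !! Discard REPLAY packet
01 Jan 08:09:31 !! Inbound packet authentication failed
01 Jan 08:12:00 Recv Main Mode request from <192.168.100.200>
01 Jan 08:12:00 Recv:<SA>
01 Jan 08:12:01 Send:<SA>
01 Jan 08:12:01 Recv:<KE><NONCE>
01 Jan 08:12:02 Send:<KE><NONCE>
01 Jan 08:12:02 Recv:<ID><HASH>
01 Jan 08:12:02 !! ID type mismatch
01 Jan 08:12:05 !! Too many errors! Deleting SA
"""

if __name__ == "__main__":
    for s in triage(SAMPLE_LOG):
        print(s.started, s.peer, s.role, s.verdict, [c for _, c in s.alerts])
```

Repeated "failed" verdicts from one peer usually point to a policy mismatch between the two IPSec routers, while "replay" and "auth-failure" on an established tunnel deserve a closer look at the traffic itself.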