IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE. This is a Reference Guide for a series of products. Not all products support all firmware features. Screenshots, graphics and commands in this book may differ slightly from your product due to differences in your product firmware or your computer operating system.
About This CLI Reference Guide
Intended Audience
This manual is intended for people who want to configure ZLD-based UAGs via Command Line Interface (CLI). You should have at least a basic knowledge of TCP/IP networking concepts and topology.
Document Conventions
Warnings and Notes
These are how warnings and notes are shown in this guide. Warnings tell you about things that could harm you or your device.
Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
Table of Contents
About This CLI Reference Guide 3
Document Conventions 4
Contents Overview 6
Table of Contents 8
Part I: Introduction 21
Chapter 1 Command Line Interface 23
1.1 Overview 23
1.1.1 The Configuration File 23
1.2 Accessing the CLI 23
1.2.1 Console Port 24
1.2.2 Web Configurator Console 24
1.2.3 Telnet 27
...
1.9 Saving Configuration Changes 35
1.10 Logging Out 35
Chapter 2 User and Privilege Modes 36
2.1 User And Privilege Modes 36
2.1.1 Debug Commands 37
Part II: Reference 40
Chapter 3 Object Reference 42
3.1 Object Reference Commands 42
3.1.1 Object Reference Command Example 43
Chapter 4 Status 44
...
7.3.1 SSID Profile Example 64
7.4 Security Profile Commands 64
7.4.1 Security Profile Example 66
7.5 MAC Filter Profile Commands 66
7.5.1 MAC Filter Profile Example 67
Chapter 8 Interfaces 68
8.1 Interface Overview 68
8.1.1 Types of Interfaces 68
8.1.2 Relationships Between Interfaces 69
8.2 Interface General Commands Summary 70
8.2.1 Basic Interface Properties and IP Address Commands 71
...
Chapter 1 Command Line Interface
This chapter describes how to access and use the CLI (Command Line Interface).
1.1 Overview
If you have problems with your UAG, customer support may request that you issue some of these commands to assist them in troubleshooting. Use of undocumented commands or misconfiguration can damage the UAG and possibly render it unusable.
1.2.1 Console Port
The default settings for the console port are as follows.
Table 1 Managing the UAG: Console Port
SETTING: VALUE
Speed: 115200 bps
Data Bits:
Parity: None
Stop Bit:
Flow Control:
When you turn on your UAG, it performs several internal tests as well as line initialization. You can view the initialization information using the console port.
When you access the CLI using the web console, your computer establishes an SSH (Secure SHell) connection to the UAG. Follow the steps below to access the web console.
Log into the web configurator.
Click the Console icon in the top-right corner of the web configurator screen.
Note: The default login username is admin. It is case-sensitive.
Figure 5 Web Console: Connecting
Then, the Password screen appears.
Figure 6 Web Console: Password
Enter the password for the user name you specified earlier, and click OK. If you enter the password incorrectly, you get an error message, and you may have to close the console window and open it again.
1.2.3 Telnet
Use the following steps to Telnet into your UAG.
If your computer is connected to the UAG over the Internet, skip to the next step. Make sure your computer IP address and the UAG IP address are on the same subnet.
In Windows, click Start (usually in the bottom left corner) and Run.
1.4 How Commands Are Explained
Each chapter explains the commands for one keyword. The chapters are divided into the following sections.
1.4.1 Background Information (Optional)
Note: See the User’s Guide for background information about most features.
This section provides background information about features that you cannot configure in the web configurator.
• range: Enter exactly as it appears, followed by two numbers between 1 and 65535.
1.4.6 Changing the Password
It is highly recommended that you change the password for accessing the UAG. See Section 37.2 on page 201 for the appropriate commands.
1.6 Shortcuts and Help
1.6.1 List of Available Commands
A list of valid commands can be found by typing [TAB] at the command prompt. To view a list of available commands within a command group, enter <command>...
1.6.3 Entering Partial Commands
The CLI does not accept partial or incomplete commands. You may enter a unique part of a command and press [TAB] to have the UAG automatically display the full command. For example, if you enter and press , the full command of automatically...
1.7 Input Values
You can use ? or [TAB] to get more information about the next input value that is required for a command. In some cases, the next input value is a string whose length and allowable characters may not be displayed on the screen.
Table 3 Input-Value Formats for Strings in CLI Commands (continued)
# VALUES: LEGAL VALUES
e-mail: 1-64 characters, alphanumeric or .@_-
encryption key: 16-64 characters, “0x” or “0X” + 16-64 hexadecimal values; or 8-32 characters, alphanumeric or ;|`~!@#$%^&*()_+\{}':,./<>=-
file name: 0-31 characters, alphanumeric or _-
filter extension: ...
Table 3 Input-Value Formats for Strings in CLI Commands (continued)
# VALUES: LEGAL VALUES
phone number: 1-20 characters, numbers or ,+
preshared key: 16-64 characters, “0x” or “0X” + 16-64 hexadecimal values; or alphanumeric or ;|`~!@#$%^&*()_+\{}':,./<>=-
profile name: 0-30 characters, alphanumeric or _-; first character: letters or _-
...
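As an added example (not code from this guide or from ZyXEL), the following Python script checks candidate CLI arguments against the Table 3 string formats above before a change script sends them to the UAG, so a malformed argument is caught locally. The page does not give the length of the ASCII form of a preshared key; the script assumes the same 8-32 range as the encryption key row, and the sample values come from this guide's own examples plus two constructed bad ones.

```python
"""Validate CLI argument strings against the Table 3 input-value formats.

Added example, not ZyXEL code. Encodes the 'LEGAL VALUES' column of Table 3.
Assumption: the ASCII form of a preshared key is 8-32 characters (the page
gives that range only for the encryption key row).
"""
import string

ALNUM = set(string.ascii_letters + string.digits)
HEX = set(string.hexdigits)
# Special characters Table 3 allows in encryption and preshared keys.
KEY_SPECIALS = set(";|`~!@#$%^&*()_+\\{}':,./<>=-")

# kind -> (min length, max length, allowed characters); keys are handled separately
SIMPLE_RULES = {
    "e-mail": (1, 64, ALNUM | set(".@_-")),
    "file name": (0, 31, ALNUM | set("_-")),
    "phone number": (1, 20, set(string.digits + ",+")),
    "profile name": (0, 30, ALNUM | set("_-")),
}
PROFILE_FIRST = set(string.ascii_letters + "_-")


def _hex_key(value):
    """'0x' or '0X' followed by 16-64 hexadecimal digits."""
    if value[:2] not in ("0x", "0X"):
        return False
    body = value[2:]
    return 16 <= len(body) <= 64 and all(c in HEX for c in body)


def validate(kind, value):
    """Return (True, '') if value is a legal string of that kind, else (False, reason)."""
    if kind in ("encryption key", "preshared key"):
        if _hex_key(value):
            return True, ""
        lo, hi = 8, 32  # page value for encryption key; assumed for preshared key
        if not lo <= len(value) <= hi:
            return False, f"{kind}: need 0x + 16-64 hex digits, or {lo}-{hi} characters"
        bad = sorted(set(value) - ALNUM - KEY_SPECIALS)
        return (False, f"{kind}: illegal characters {bad}") if bad else (True, "")
    if kind not in SIMPLE_RULES:
        return False, f"unknown value kind {kind!r}"
    lo, hi, allowed = SIMPLE_RULES[kind]
    if not lo <= len(value) <= hi:
        return False, f"{kind}: length must be {lo}-{hi}"
    bad = sorted(set(value) - allowed)
    if bad:
        return False, f"{kind}: illegal characters {bad}"
    if kind == "profile name" and value and value[0] not in PROFILE_FIRST:
        return False, "profile name: first character must be a letter, _ or -"
    return True, ""


def check_many(items):
    """Validate (kind, value) pairs; return the failures as (value, reason)."""
    failures = []
    for kind, value in items:
        ok, reason = validate(kind, value)
        if not ok:
            failures.append((value, reason))
    return failures


if __name__ == "__main__":
    # Values from this guide's examples, plus two constructed bad ones.
    # Note that "12345678" passes the format check: Table 3 is about syntax,
    # not key strength, so a separate strength policy is still needed.
    sample = [
        ("profile name", "SECURITY01"),
        ("preshared key", "12345678"),
        ("file name", "startup-config"),
        ("e-mail", "admin@example.com"),
        ("profile name", "1bad"),
        ("encryption key", "0x0123"),
    ]
    for value, reason in check_many(sample):
        print(f"REJECT {value!r}: {reason}")
```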
Chapter 2 User and Privilege Modes
This chapter describes how to use these two modes.
2.1 User And Privilege Modes
This is the mode you are in when you first log into the CLI. (Do not confuse ‘user mode’ with types of user accounts the UAG uses.)
Table 4 User (U) and Privilege (P) Mode Commands (continued)
COMMAND, MODE, DESCRIPTION
exit: Goes to a previous mode or logs out.
Goes to htm (hardware test module) mode for testing hardware components. You may need to use the htm commands if your customer support Engineer asks you to during troubleshooting.
Chapter 3 Object Reference
This chapter describes how to use object reference commands.
3.1 Object Reference Commands
The object reference commands are used to see which configuration settings reference a specific object. You can use this table when you want to delete an object because you have to remove references to the object first.
Table 6 show reference Commands (continued)
COMMAND: DESCRIPTION
show reference object-group username [username]: Displays which configuration settings reference the specified user group object.
show reference object-group address [object_name]: Displays which configuration settings reference the specified address group object.
show reference object-group service ...: Displays which configuration settings reference the specified service ...
Chapter 4 Status
This chapter explains some commands you can use to display information about the UAG’s current operational state.
Table 7 Status Show Commands
COMMAND: DESCRIPTION
show boot status: Displays details about the UAG’s startup state.
show comport status: Displays whether the console and auxiliary ports are on or off.
Displays the CPU utilization.
Here are examples of the commands that display the fan speed, MAC address, memory usage, RAM size, and serial number.
Router(config)# show fan-speed
FAN1(F00)(rpm): limit(hi)=8000, limit(lo)=1400, max=6115, min=6115, avg=6115
Router(config)# show mac
MAC address: 00:00:AA:80:05:58-00:00:AA:80:05:5C
Router(config)# show mem status
memory usage: 39%
Router(config)# show ram-size
ram size: 512MB
...
Here are examples of the commands that display the system uptime and model, firmware, and build information.
Router> show system uptime
system uptime: 04:18:00
Router> show version
ZyXEL Communications Corp.
model : UAG715
firmware version: V2.50(AACG.0)
BM version : 1.22
...
Chapter 5 Registration
This chapter introduces myzyxel.com and shows you how to register the UAG for subscription services using commands.
5.1 myZyXEL.com Overview
myZyXEL.com is ZyXEL’s online services center where you can register your UAG and manage subscription services available for the UAG. To use a subscription service, you have to register the UAG and activate the corresponding service at myZyXEL.com.
5.2.2 Maximum Number of Managed APs
The UAG is initially configured to support up to one local AP and 8 remote managed APs (such as the NWA5123-NI). You can increase this by subscribing to additional licenses. As of this writing, each license upgrade allows an additional 8 remote managed APs while the maximum number of remote managed APs a single UAG can support is 16.
5.3.1 Command Examples
The following commands allow you to register your device with an existing account or create a new account and register the device at one time, and activate a trial service subscription.
Router# configure terminal
Router(config)# device-register username alexctsui password 123456
Router(config)# service-register service-type trial service content-filter
The following command displays the account information and whether the device is registered.
5.4.1 Command Examples
The following command displays the service registration status and type and how many days remain before the service expires.
Router# configure terminal
Router(config)# show service-register status all
Service Status Type Count Expiration
===============================================================================
Extension User Licensed standard
External-AP-Control ...
Table 11 Country Codes (continued)
COUNTRY NAME, COUNTRY CODE
Congo, Republic of; Cook Islands; Costa Rica; Cote d'Ivoire; Croatia/Hrvatska; Cyprus; Czech Republic; Denmark; Djibouti; Dominica; Dominican Republic; East Timor; Ecuador; Egypt; El Salvador; Equatorial Guinea; Eritrea; Estonia; ...
Table 11 Country Codes (continued)
COUNTRY NAME, COUNTRY CODE
Maldives; Mali; Malta; Marshall Islands; Martinique; Mauritania; Mauritius; Mayotte; Mexico; Micronesia, Federal State of; Moldova, Republic of; Monaco; Mongolia; Montserrat; Morocco; Mozambique; Namibia; Nauru; Nepal; Netherlands; Netherlands Antilles; ...
Table 11 Country Codes (continued)
COUNTRY NAME, COUNTRY CODE
Trinidad and Tobago; Tunisia; Turkey; Turkmenistan; Turks and Caicos Islands; Tuvalu; US Minor Outlying Islands; Uganda; Ukraine; United Arab Emirates; United Kingdom; United States; Uruguay; Uzbekistan; Vanuatu; ...
Chapter 6 AP Management
This chapter shows you how to configure wireless AP management options on your UAG.
6.1 AP Management Overview
The UAG allows you to remotely manage all of the Access Points (APs) on your network. You can manage a number of APs without having to configure them individually as the UAG automatically handles basic configuration for you.
The following table describes the commands available for AP management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 13 Command Summary: AP Management
COMMAND: DESCRIPTION
Adds the specified AP to the UAG for management.
6.2.1 AP Management Commands Example
The following example shows you how to add an AP to the management list, and then edit it.
Router# show capwap ap wait-list
index: 1
IP: 192.168.1.35, MAC: 00:11:11:11:11:FE
Model: NWA5160N, Description: AP-00:11:11:11:11:FE
index: 2
IP: 192.168.1.36, MAC: 00:19:CB:00:BB:03
Model: NWA5160N, Description: AP-00:19:CB:00:BB:03
...
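Added example, not part of this guide or of ZyXEL's firmware: a Python parser for the show capwap ap wait-list output shown above that reports every waiting AP whose MAC address is not in an approved inventory, so that only known APs are moved from the wait-list into management. The multi-line layout of the sample output and the approved-MAC list are constructed assumptions.

```python
"""Report APs in 'show capwap ap wait-list' output that are not in an approved inventory.

Added example, not ZyXEL code. Sample output is reconstructed from the two
NWA5160N entries shown in this guide; the approved MAC list is a made-up sample.
"""
import re

# Constructed sample: the guide's two wait-list entries, one field pair per line
SAMPLE_WAIT_LIST = """\
index: 1
  IP: 192.168.1.35, MAC: 00:11:11:11:11:FE
  Model: NWA5160N, Description: AP-00:11:11:11:11:FE
index: 2
  IP: 192.168.1.36, MAC: 00:19:CB:00:BB:03
  Model: NWA5160N, Description: AP-00:19:CB:00:BB:03
"""

# Constructed sample inventory: only the first AP is approved (lower case on purpose)
APPROVED_MACS = ["00:11:11:11:11:fe"]

# "Key: value" pairs; a value runs up to the next comma or end of line
_FIELD = re.compile(r"\b(index|IP|MAC|Model|Description):\s*([^,\n]+)")
_MAC = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")


def normalize_mac(mac):
    """Upper-case the MAC so membership does not depend on how it was typed."""
    return mac.strip().upper()


def parse_wait_list(text):
    """Return one dict per 'index:' block holding the index and the fields after it."""
    entries = []
    for key, value in _FIELD.findall(text):
        if key == "index":
            entries.append({"index": int(value)})
        elif entries:  # ignore any field that appears before the first index line
            entries[-1][key] = value.strip()
    return entries


def unapproved_aps(text, approved_macs):
    """Entries whose MAC is missing, malformed, or absent from the approved inventory."""
    approved = {normalize_mac(m) for m in approved_macs}
    flagged = []
    for entry in parse_wait_list(text):
        mac = normalize_mac(entry.get("MAC", ""))
        if not _MAC.match(mac) or mac not in approved:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for ap in unapproved_aps(SAMPLE_WAIT_LIST, APPROVED_MACS):
        print(f"index {ap['index']}: {ap.get('MAC')} ({ap.get('Model')}) "
              f"at {ap.get('IP')} is not in the approved inventory")
```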
Chapter 7 Wireless LAN Profiles
This chapter shows you how to configure wireless LAN profiles on your UAG.
7.1 Wireless LAN Profiles Overview
The managed Access Points designed to work explicitly with your UAG do not have on-board configuration files; you must create “profiles”...
Table 14 Input Values for General Radio and Monitor Profile Commands (continued)
LABEL: DESCRIPTION
wlan_mcs_speed: Sets the HT MCS rate. The available rates are: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15.
Table 15 Command Summary: Radio Profile (continued)
COMMAND: DESCRIPTION
[no] dot11n-disable-coexistence: Fixes the channel bandwidth as 40 MHz. The no command has the AP automatically choose 40 MHz if all the clients support it or 20 MHz if some clients only support 20 MHz.
Table 15 Command Summary: Radio Profile (continued)
COMMAND: DESCRIPTION
[no] amsdu: Activates MPDU frame aggregation for this profile. Use the no parameter to disable it. Mac Service Data Unit (MSDU) aggregation collects Ethernet frames without any of their 802.11n headers and wraps the header-less payload in a single 802.11n MAC header.
Table 15 Command Summary: Radio Profile (continued)
COMMAND: DESCRIPTION
5g-support-speed {disable | wlan_5g_support_speed}: Disables or sets the 5 GHz support rate. The default is 6.0~54.0.
tx-mask chain_mask: Sets the outgoing chain mask rate.
rx-mask chain_mask: Sets the incoming chain mask rate.
Activates HT protection for this profile.
It will also assign the SSID profile labeled ‘default’ in order to create WLAN VAP (wlan-1-1) functionality within the radio profile.
Router(config)# wlan-radio-profile RADIO01
Router(config-profile-radio)# activate
Router(config-profile-radio)# band 2.4G
Router(config-profile-radio)# 2g-channel 6
Router(config-profile-radio)# ch-width 20m
Router(config-profile-radio)# dtim-period 2
Router(config-profile-radio)# beacon-interval 100
Router(config-profile-radio)# ampdu
...
Table 16 Input Values for General SSID Profile Commands (continued)
LABEL: DESCRIPTION
macfilterprofile: Assigns an existing MAC filter profile to the SSID profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
7.3.1 SSID Profile Example
The following example creates an SSID profile with the name ‘ZyXEL’. It makes the assumption that both the security profile (SECURITY01) and the MAC filter profile (MACFILTER01) already exist.
Router(config)# wlan-ssid-profile SSID01
Router(config-ssid-radio)# ssid ZyXEL
Router(config-ssid-radio)# qos wmm
Router(config-ssid-radio)# data-forward localbridge
...
Table 19 Command Summary: Security Profile (continued)
COMMAND: DESCRIPTION
wep <64 | 128> default-key <1..4>: Sets the WEP encryption strength (64 or 128) and the default key value (1 ~ 4). If you select WEP-64 enter 10 hexadecimal digits in the range of “A-F”, “a-f”...
7.4.1 Security Profile Example
The following example creates a security profile with the name ‘SECURITY01’.
Router(config)# wlan-security-profile SECURITY01
Router(config-security-profile)# mode wpa2
Router(config-security-profile)# wpa-encrypt aes
Router(config-security-profile)# wpa-psk 12345678
Router(config-security-profile)# idle 3600
Router(config-security-profile)# reauth 1800
Router(config-security-profile)# group-key 1800
Router(config-security-profile)# exit
Router(config)#
7.5 MAC Filter Profile Commands
...
7.5.1 MAC Filter Profile Example
The following example creates a MAC filter profile with the name ‘MACFILTER01’.
Router(config)# wlan-macfilter-profile MACFILTER01
Router(config-macfilter-profile)# filter-action deny
Router(config-macfilter-profile)# MAC 01:02:03:04:05:06 description MAC01
Router(config-macfilter-profile)# MAC 01:02:03:04:05:07 description MAC02
Router(config-macfilter-profile)# MAC 01:02:03:04:05:08 description MAC03
Router(config-macfilter-profile)# exit
Router(config)#
...
Chapter 8 Interfaces
This chapter shows you how to use interface-related commands.
8.1 Interface Overview
In general, an interface has the following characteristics.
• An interface is a logical entity through which (layer-3) packets pass.
• An interface is bound to a physical port or another interface.
• ...
Port groups and trunks have a lot of characteristics that are specific to each type of interface. These characteristics are listed in the following tables and discussed in more detail farther on.
Table 22 Ethernet, VLAN, Bridge, PPP, and Virtual Interface Characteristics
CHARACTERISTICS, ETHERNET, ETHERNET ...
Table 23 Relationships Between Different Types of Interfaces (continued)
INTERFACE: REQUIRED PORT / INTERFACE
virtual interface (virtual Ethernet interface): Ethernet interface*
virtual interface (virtual VLAN interface): VLAN interface*
virtual interface (virtual bridge interface): bridge interface
trunk: Ethernet interface, VLAN interface, bridge interface, PPPoE/PPTP interface
* - You cannot set up a PPPoE/PPTP interface, virtual Ethernet interface, or virtual VLAN interface if the underlying interface is a member of a bridge.
8.2.1 Basic Interface Properties and IP Address Commands
This table lists basic properties and IP address commands.
Table 25 interface General Commands: Basic Properties and IP Address Assignment
COMMAND: DESCRIPTION
show interface {ethernet | vlan | bridge | ppp | auxiliary} status: Displays the connection status of the specified type of interfaces.
Displays information about the specified interface, specified type of ...
Table 25 interface General Commands: Basic Properties and IP Address Assignment (continued)
COMMAND: DESCRIPTION
traffic-prioritize {tcp-ack|content-filter|dns|ipsec-vpn|ssl-vpn} deactivate: Turns off traffic priority settings for when the interface sends the specified type of traffic.
[no] upstream <0..1048576>: Specifies the upstream bandwidth for the specified interface. ...
This example shows how to modify the name of interface lan2 to “VIP”. First you have to check the interface system name (ge4 in this example) on the UAG. Then change the name and display the result.
Router>...
This example shows how to restart an interface. You can check all interface names on the UAG. Then use either the system name or user-defined name of an interface (ge4 or Customer in this example) to restart it.
Router>...
Table 26 interface Commands: DHCP Settings (continued)
COMMAND: DESCRIPTION
[no] host ip: Specifies the static IP address the UAG should assign. Use this command, along with hardware-address, to create a static DHCP entry.
Note: The IP address must be in the same subnet as the interface to which you plan to bind the DHCP pool.
Table 26 interface Commands: DHCP Settings (continued)
COMMAND: DESCRIPTION
[no] starting-address ip pool-size <1..65535>: Sets the IP start address and maximum pool size of the specified DHCP pool. The final pool size is limited by the subnet mask.
...
8.2.2.1 DHCP Setting Command Examples
The following example uses these commands to configure DHCP pool DHCP_TEST.
Router# configure terminal
Router(config)# ip dhcp pool DHCP_TEST
Router(config-ip-dhcp-pool)# network 192.168.1.0 /24
Router(config-ip-dhcp-pool)# domain-name zyxel.com
Router(config-ip-dhcp-pool)# first-dns-server 10.1.5.1
Router(config-ip-dhcp-pool)# second-dns-server ge1 1st-dns
Router(config-ip-dhcp-pool)# third-dns-server 10.1.5.2
Router(config-ip-dhcp-pool)#
8.2.3 Interface Parameter Command Examples
This table shows an example of each interface type’s sub-commands. The sub-commands vary for different interface types.
Table 27 Examples for Different Interface Parameters
ETHERNET: Router(config)# interface wan1 / Router(config-if-wan1)#
VIRTUAL INTERFACE: Router(config)# interface wan1:1 / Router(config-if-vir)#
PPPOE/PPTP: Router(config)# interface wan1_ppp / ...
Table 28 interface Commands: RIP Settings (continued)
COMMAND: DESCRIPTION
[no] ip rip {send | receive} version <1..2>: Sets the send or receive version to the specified version number. The no command sets the send or received version to the current global ...
Table 29 interface Commands: OSPF Settings (continued)
COMMAND: DESCRIPTION
[no] ip ospf dead-interval <1..65535>: Sets the number of seconds the UAG waits for “hello” messages from peer routers before it assumes the peer router is not available and deletes associated routing information.
8.2.6 Connectivity Check (Ping-check) Commands
Use these commands to have an interface regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the UAG stops routing to the gateway.
8.2.6.1 Connectivity Check Command Example
The following commands show you how to set the WAN1 interface to use a TCP handshake on port 8080 to check the connection to IP address 1.1.1.2.
Router# configure terminal
Router(config)# interface wan1
Router(config-if-wan1)# ping-check 1.1.1.2 method tcp port 8080
Router(config-if-wan1)# exit
Router(config)# show ping-check
...
Table 32 interface Commands: MAC Setting (continued)
COMMAND: DESCRIPTION
type {internal | external | general}: Sets which type of network you will connect this interface to. The UAG automatically adds default route and SNAT settings for traffic it routes from internal interfaces to external interfaces; ...
gateway 4.6.7.8, upstream bandwidth 345, downstream bandwidth 123, and description “I am vir interface”.
Router# configure terminal
Router(config)# interface lan1:1
Router(config-if-vir)# ip address 1.2.3.4 255.255.255.0
Router(config-if-vir)# ip gateway 4.6.7.8
Router(config-if-vir)# upstream 345
Router(config-if-vir)# downstream 123
Router(config-if-vir)# description I am vir interface
Router(config-if-vir)# exit
8.5 PPPoE/PPTP Specific Commands
This section covers commands that are specific to PPPoE/PPTP interfaces.
Table 35 interface Commands: PPPoE/PPTP Interfaces (continued)
COMMAND: DESCRIPTION
[no] mss <536..1452>: Specifies the maximum segment size (MSS) the interface can use. MSS is the largest amount of data, specified in bytes, that the interface can handle in a single, unfragmented piece.
Table 36 USB Storage General Commands (continued)
COMMAND: DESCRIPTION
usb-storage mount: Mounts the connected USB storage device.
usb-storage umount: Unmounts the connected USB storage device.
[no] logging usb-storage: Sets whether the UAG logs information about the connected USB storage device(s) to the system log.
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 37 Input Values for VLAN Interface Commands
LABEL: DESCRIPTION
interface_name: VLAN interface: vlanx, x = 0 - 4094. See Table 24 on page 70 for detailed information about the interface name.
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 39 Input Values for Bridge Interface Commands
LABEL: DESCRIPTION
interface_name: The name of the interface. VLAN interface: vlanx, x = 0 - 4094. Bridge interface: brx, x = 0 - N, where N depends on the number of bridge interfaces your UAG model supports.
Chapter 9 Trunks
This chapter shows you how to configure trunks on your UAG.
9.1 Trunks Overview
You can group multiple interfaces together into trunks to have multiple connections share the traffic load to increase overall network throughput and enhance network reliability. If one interface’s connection goes down, the UAG sends traffic through another member of the trunk.
9.3 Trunk Commands Input Values
The following table explains the values you can input with the interface-group commands.
Table 41 interface-group Command Input Values
LABEL: DESCRIPTION
group-name: A descriptive name for the trunk. The name cannot start with a number. This value is case-sensitive.
The name of an interface; it could be an Ethernet, PPP, VLAN or bridge interface.
Table 42 interface-group Commands Summary (continued)
COMMAND: DESCRIPTION
show system default-snat: Displays whether the UAG enables SNAT or not. The UAG performs SNAT by default for traffic going to or from the WAN interfaces.
show system default-interface-group: Displays the WAN trunk the UAG first attempts to use.
9.5 Trunk Command Examples
The following example creates a weighted round robin trunk for Ethernet interfaces wan1 and ...
9.6 Link Sticking
You can have the UAG send each local computer’s traffic through a single WAN interface for a specified period of time. This is useful when a redirect server forwards a user request for a file and informs the file server that a particular WAN IP address is requesting the file.
mode before you can use these commands. See Table 41 on page 91 for details about the values you can input with these commands.
Table 43 ip load-balancing link-sticking Commands Summary
COMMAND: DESCRIPTION
[no] ip load-balancing link-sticking activate: Turns link sticking on or off.
[no] ip load-balancing link-sticking timeout ...: Sets for how many seconds (30-3600) the UAG sends all of each ...
Chapter 10 IP Drop-In
This chapter explains some commands you can use to set the UAG interfaces to work in drop-in mode.
10.1 Drop-In Mode Overview
When the UAG is in drop-in mode, you can deploy it in your existing network without changing the network architecture and use its multiple WAN feature to connect to more than one ISP.
10.1.1 Drop-In Limitations
• The interfaces in drop-in mode cannot join the port group of the interfaces that are not in drop-in mode. But other interfaces can join a drop-in interface’s port group.
• The interfaces in drop-in mode cannot be part of a bridge interface.
• ...
The following example shows you how to set the drop-in WAN interface and LAN interface, set a WAN host, turn on the drop-in mode and show the settings.
Router> configure terminal
Router(config)# ip drop-in
Router(drop-in)# wan-host 10.1.2.3
Router(drop-in)# wan-interface wan1 lan-interface lan1
Router(drop-in)# activate
Router(drop-in)# exit
...
Chapter 11 Route
This chapter shows you how to configure policies for IP routing and static routes on your UAG.
11.1 Policy Route
Traditionally, routing is based on the destination address only and the UAG takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
The following table describes the commands available for policy route. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 47 Command Summary: Policy Route
COMMAND: DESCRIPTION
[no] bwm activate: Globally enables bandwidth management. You must globally activate bandwidth management to have individual policy routes apply bandwidth management.
Table 47 Command Summary: Policy Route (continued)
COMMAND: DESCRIPTION
exit: Leaves the sub-command mode.
[no] interface interface_name: Sets the interface on which the incoming packets are received. The no command resets the incoming interface to the default, which means all interfaces.
Table 47 Command Summary: Policy Route (continued)
COMMAND: DESCRIPTION
[no] policy controll-virtual-server-rules activate: Gives policy routes priority over NAT virtual server rules (1-1 SNAT). Use the no command to give NAT virtual server rules priority over policy routes.
show bwm activation: Displays whether or not the global setting for bandwidth management on the UAG is enabled.
through the interface wan1 to the next-hop router GW_1. This route uses the IP address of the outgoing interface as the matched packets’ source IP address.
Router(config)# address-object TW_SUBNET 192.168.2.0 255.255.255.0
Router(config)# address-object GW_1 192.168.2.250
Router(config)# policy insert 1
Router(policy-route)# description example
Router(policy-route)# destination any
Router(policy-route)# interface ge1
...
a route through the same gateway R1 (via gateway R2). The static routes are for you to tell the UAG about the networks beyond the network connected to the UAG directly.
Figure 15 Example of Static Routing Topology
11.4 Static Route Commands
The following table describes the commands available for static route.
11.4.1 Static Route Commands Examples
The following command sets a static route with IP address 10.10.10.0 and subnet mask 255.255.255.0 and with the next-hop interface wan1. Then use the show command to display the setting.
Router(config)# ip route 10.10.10.0 255.255.255.0 wan1
Router(config)#
Router(config)# show ip route-settings
Route ...
Chapter 12 Routing Protocol
This chapter describes how to set up RIP and OSPF routing protocols for the UAG.
12.1 Routing Protocol Overview
Routing protocols give the UAG routing information about the network from other routers. The UAG then stores this routing information in the routing table, which it uses when it makes routing decisions.
12.2.1 RIP Commands
This table lists the commands for RIP.
Table 52 router Commands: RIP
COMMAND: DESCRIPTION
router rip: Enters sub-command mode.
[no] network interface_name: Enables RIP on the specified Ethernet interface. The no command disables RIP on the specified interface.
[no] redistribute {static | ospf}: Enables redistribution of routing information learned from the specified source.
12.2.3 OSPF Area Commands
This table lists the commands for OSPF areas.
Table 54 router Commands: OSPF Areas
COMMAND: DESCRIPTION
router ospf: Enters sub-command mode.
[no] network interface area IP: Adds the specified interface to the specified area. The no command removes the specified interface from the specified area.
12.2.5 Learned Routing Information Commands
This table lists the commands to look at learned routing information.
Table 56 ip route Commands: Learned Routing Information
COMMAND: DESCRIPTION
show ip route [kernel | connected | static | ospf | rip | ...: Displays learned routing and other routing information.
Chapter 13 Zones
Set up zones to configure network security and network policies in the UAG.
13.1 Zones Overview
A zone is a group of interfaces and VPN tunnels. The UAG uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote management. Zones cannot overlap: an interface or VPN tunnel belongs to at most one zone.
13.2 Zone Commands Summary
The following table describes the values required for many zone commands. Other values are discussed with the corresponding commands.
Table 57 Input Values for Zone Commands
    profile_name
        The name of a zone, or the name of a VPN tunnel. Use up to 31 characters (a-zA-Z0-9_-).
13.2.1 Zone Command Examples
The following commands add interfaces vlan123 and vlan234 to zone A and block intra-zone traffic.
Router# configure terminal
Router(config)# zone A
Router(zone)# interface vlan123
Router(zone)# interface vlan234
Router(zone)# block
Router(zone)# exit
Router(config)# show zone
No.
Chapter 14 DDNS
This chapter describes how to configure dynamic DNS (DDNS) services for the UAG.
14.1 DDNS Overview
DNS maps a domain name to a corresponding IP address and vice versa. Similarly, dynamic DNS maps a domain name to a dynamic IP address. As a result, anyone can use the domain name to contact you (in NetMeeting, CU-SeeMe, etc.) or to access your FTP server or Web site, regardless of the current IP address.
14.2 DDNS Commands Summary
The following table describes the values required for many DDNS commands. Other values are discussed with the corresponding commands.
Table 60 Input Values for DDNS Commands
    profile_name
        The name of the DDNS profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
Table 61 ip ddns Commands (continued)
    [no] backup-iface interface_name
        Sets the backup WAN interface in the specified DDNS profile. The no command clears it.
    [no] ha-iface interface_name
        Sets the HA interface in the specified DDNS profile. The no command clears it.
Chapter 15 Virtual Servers
This chapter describes how to set up, manage, and remove virtual servers. Virtual server commands configure NAT.
15.1 Virtual Server Overview
Virtual server is also known as port forwarding or port translation. Virtual servers are computers on a private network behind the UAG that you want to make available outside the private network.
The following table lists the virtual server commands.
Table 63 ip virtual-server Commands
    show ip virtual-server [profile_name]
        Displays information about the specified virtual server or about all the virtual servers.
    no ip virtual-server profile_name
        Deletes the specified virtual server.
    ip virtual-server profile_name interface interface_name original-ip ...
        Creates or modifies the specified virtual server and maps the specified original destination IP address, protocol, and service object on the specified interface to the specified mapped destination IP address and service object.
15.2.2 Tutorial - How to Allow Public Access to a Server
This is an example of making an HTTP (web) server in the DMZ zone accessible from the Internet (the WAN zone). You will use a public IP address of 1.1.1.2 on the wan1 interface and map it to the HTTP server's private IP address of 192.168.3.7.
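The following is an added example, not the UAG's NAT code, that models what the virtual server above does to packets: the inbound destination is rewritten from the public address to the private server, the translation is remembered, and the server's reply has its source rewritten back so the client sees the public address and port it contacted. The public and private addresses are the tutorial's; the client address, the ports and the second (port-translating) mapping are assumed.

```python
"""Added example (not the UAG's NAT code): how a virtual server (port
forwarding) rewrites an inbound packet and un-rewrites the server's reply.
1.1.1.2 and 192.168.3.7 follow the tutorial; the client, the ports and the
SSH mapping are constructed for this example."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class VirtualServer:
    name: str
    interface: str      # WAN interface the public address sits on
    original_ip: str    # public (original destination) address
    original_port: int
    mapped_ip: str      # private server the traffic is sent to
    mapped_port: int
    proto: str = "tcp"


class PortForwarder:
    def __init__(self, servers):
        self.servers = list(servers)
        # Active translations: (proto, client, client port, server, server port)
        # -> (public address, public port). Needed to un-translate replies.
        self.sessions = {}

    def inbound(self, pkt, iface):
        """Apply the first virtual server matching a packet arriving on iface."""
        for vs in self.servers:
            if (vs.interface == iface and vs.proto == pkt.proto
                    and pkt.dst == vs.original_ip and pkt.dport == vs.original_port):
                translated = replace(pkt, dst=vs.mapped_ip, dport=vs.mapped_port)
                key = (pkt.proto, pkt.src, pkt.sport, vs.mapped_ip, vs.mapped_port)
                self.sessions[key] = (vs.original_ip, vs.original_port)
                return vs.name, translated
        return None, pkt  # no mapping: the packet is for the UAG itself (or is dropped)

    def outbound(self, pkt):
        """Rewrite a server reply so the client sees the public address it contacted."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.sessions:
            return None, pkt
        public_ip, public_port = self.sessions[key]
        return key, replace(pkt, src=public_ip, sport=public_port)


def demo():
    nat = PortForwarder([
        # Public 1.1.1.2:80 on wan1 -> DMZ web server 192.168.3.7:80 (tutorial values)
        VirtualServer("WAN_to_HTTP", "wan1", "1.1.1.2", 80, "192.168.3.7", 80),
        # Port translation: public 1.1.1.2:2222 -> 192.168.3.7:22 (assumed mapping)
        VirtualServer("WAN_to_SSH", "wan1", "1.1.1.2", 2222, "192.168.3.7", 22),
    ])
    client = "203.0.113.50"  # constructed Internet client
    name, req = nat.inbound(Pkt("tcp", client, 51000, "1.1.1.2", 80), "wan1")
    _, rep = nat.outbound(Pkt("tcp", "192.168.3.7", 80, client, 51000))
    name2, req2 = nat.inbound(Pkt("tcp", client, 51001, "1.1.1.2", 2222), "wan1")
    miss, _ = nat.inbound(Pkt("tcp", client, 51002, "1.1.1.2", 443), "wan1")
    wrong_if, _ = nat.inbound(Pkt("tcp", client, 51003, "1.1.1.2", 80), "lan1")
    return name, req, rep, name2, req2, miss, wrong_if
```

The two misses at the end are the checks a practitioner wants: a port with no virtual server (443) is not forwarded, and a packet for 1.1.1.2:80 that does not arrive on wan1 is not forwarded either, because the mapping is bound to the interface named in the command.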
Chapter 16 VPN 1-1 Mapping
This chapter shows you how to configure VPN 1-1 mapping on your UAG.
16.1 VPN 1-1 Mapping Overview
VPN 1-1 mapping allows an authenticated user in your network to access the Internet or an external server using a public IP address different from the one used by the UAG's WAN interface. With VPN 1-1 mapping, each user that logs into the UAG and matches a pre-configured mapping rule can obtain an individual public IP address.
The following table describes the commands available for VPN 1-1 mapping. You must use the configure terminal command to enter the configuration mode before you can use the configuration commands.
Table 65 Command Summary: vpn-1-1-map
    ...
        Enables VPN 1-1 mapping on the UAG.
16.2.1 vpn-1-1-map pool Sub-commands
The following table describes the sub-commands for the vpn-1-1-map pool command.
Table 66 vpn-1-1-map pool Sub-commands
    address address_object
        Configures the name of the IP address object the profile is set to use. An address object represents the IP address(es) that the UAG can assign to the matched users.
Table 67 vpn-1-1-map rule Sub-commands (continued)
    [no] pool profile_name
        Sets the name of the pool profile used by this rule. You can associate up to four pool profiles with a VPN 1-1 mapping rule. The no command removes the specified pool profile.
Chapter 17 HTTP Redirect
This chapter shows you how to configure HTTP redirection on your UAG.
17.1 HTTP Redirect Overview
HTTP redirect forwards the client's HTTP request (except HTTP traffic destined for the UAG) to a web proxy server.
17.1.1 Web Proxy Server
A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services.
Table 69 Command Summary: HTTP Redirect (continued)
    ip http-redirect deactivate description
        Disables a rule with the specified rule name.
    no ip http-redirect description
        Removes a rule with the specified rule name.
    ip http-redirect flush
        Clears all HTTP redirect rules.
    ...
        Displays HTTP redirect settings.
Chapter 18 SMTP Redirect
This chapter shows you how to configure SMTP redirection on your UAG.
18.1 SMTP Redirect Overview
SMTP redirect forwards the authenticated client's SMTP messages to an SMTP server that handles all outgoing e-mail messages. The UAG forwards SMTP traffic using TCP port 25.
18.1.1 SMTP
Simple Mail Transfer Protocol (SMTP) is the Internet's message transport standard.
The following table describes the commands available for SMTP redirection. You must use the configure terminal command to enter the configuration mode before you can use the configuration commands.
Table 71 Command Summary: SMTP Redirect
    [no] smtp-redirect <1..16> ...
        Enters the smtp-redirect sub-command mode to set an SMTP redirect ...
Chapter 19 ALG
This chapter covers how to use the UAG's ALG feature to allow certain applications to pass through the UAG.
19.1 ALG Introduction
The UAG can function as an Application Layer Gateway (ALG) to allow certain NAT-unfriendly applications (such as SIP) to operate properly through the UAG's NAT. Some applications cannot operate through NAT (are NAT-unfriendly) because they embed IP addresses and port numbers in their packets' ...
19.2 ALG Commands
The following table lists the commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 73 alg Commands
    [no] alg sip [inactivity-timeout | signal-port ...
        Turns on or configures the ALG. Use inactivity-timeout to have the UAG apply SIP media and signaling ...
19.3 ALG Commands Example
The following example turns on pass-through for SIP and turns it off for H.323.
Router# configure terminal
Router(config)# alg sip
Router(config)# no alg h323
UAG CLI Reference Guide
Chapter 20 UPnP
20.1 UPnP and NAT-PMP Overview
The UAG supports both UPnP and NAT-PMP to permit networking devices to discover each other and connect seamlessly. Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
Table 74 ip upnp Commands (continued)
    [no] nat-pmp activate
        Enables NAT-PMP on the UAG. The no command disables NAT-PMP on the UAG.
    [no] upnp-igd activate
        Enables UPnP on the UAG. The no command disables UPnP on the UAG.
    ...
        Removes all or a specific port mapping rule.
The following example displays the UAG's port mapping entries and removes the entry with the specified port number and protocol type.
Router# configure terminal
Router(config)# show ip upnp port-mapping
No: 0
Remote Host: (null)
Client Type: upnp
External Port: 1122
Protocol: tcp
Internal Port: 1122...
Chapter 21 IP/MAC Binding
21.1 IP/MAC Binding Overview
IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The UAG uses DHCP to assign IP addresses and records the MAC address to which it assigned each IP address.
21.3 IP/MAC Binding Commands Example
The following example enables IP/MAC binding on the lan1 interface and displays the interface's IP/MAC binding status.
Router# configure terminal
Router(config)# ip ip-mac-binding lan1 activate
Router(config)# show ip ip-mac-binding lan1
Name: lan1
Status: Enable
Log: No...
Chapter 22 Layer 2 Isolation
22.1 Layer 2 Isolation Overview
Layer-2 isolation prevents connected devices from communicating with each other on the UAG's local network(s) on which layer-2 isolation is enabled, except for the devices in the white list.
Note: Layer-2 isolation does not check the wireless traffic.
22.2 Layer 2 Isolation Commands
The following table lists the l2-isolation commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 76 l2-isolation Commands
    l2-isolation
        Enters the layer 2 isolation sub-command mode to enable Layer-2 isolation ...
22.3 Layer 2 Isolation Commands Example
The following example enables Layer-2 isolation on the UAG and interface lan2. It also creates a rule in the white list to allow access to the device with IP address 172.17.0.66. It then displays the Layer-2 isolation settings.
Chapter 23 IPnP
23.1 IPnP Overview
IP Plug and Play (IPnP) allows a computer to access the Internet without changing the network settings (such as IP address and subnet mask) of the computer, even when the IP addresses of the computer and the UAG are not in the same subnet. When you disable the IPnP feature, only computers with dynamic IP addresses or static IP addresses in the same subnet as the UAG's LAN IP address can connect to the UAG or access the Internet through the UAG.
23.3 IPnP Commands Example
The following example enables IPnP on the UAG and interface lan1. It also displays the IPnP settings.
Router# configure terminal
Router(config)# ip ipnp activate
Router(config)# ip ipnp config
Router(ipnp)# interface lan1
Router(ipnp)# exit
Router(config)# show ip ipnp activation
IPnP Status: yes
Router(config)# show ip ipnp interface...
Chapter 24 Web Authentication
24.1 Web Authentication Overview
Web authentication can intercept network traffic, according to the authentication policies, until the user authenticates his or her connection, usually through a specifically designated login web page. This means all web page requests can initially be redirected to a special web page that requires users to authenticate their sessions.
Table 79 web-auth Commands (continued)
    web-auth policy append
        Creates a new condition for forcing user authentication at the end of the current list and enters sub-command mode. See Table 81 on page 145 for the sub-commands.
    web-auth policy insert <1..1024> ...
        Creates a new condition for forcing user authentication at the specified ...
Table 80 web-auth login setting Sub-commands (continued)
    [no] internal-welcome-url url
        Sets the welcome page's URL when you select to use the default login page built into the UAG; for example, http://IIS server IP Address/welcome.html. You can use up to 255 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%) in quotes.
24.2.2 web-auth policy Sub-commands
The following table describes the sub-commands for several web-auth policy commands. Note that not all rule commands use all the sub-commands listed here.
Table 81 web-auth policy Sub-commands
    [no] activate
        Activates the specified condition. The no command deactivates the specified condition.
24.2.3 web-auth user-agreement Sub-commands
The following table describes the sub-commands for several web-auth user-agreement commands. Note that not all rule commands use all the sub-commands listed here.
Table 82 web-auth user-agreement Sub-commands
    [no] agreement-url url
        Sets the user agreement page's URL; for example, http://IIS server IP Address/logout.html.
• endpoint security object: use "EPS-WinXP" and "EPS-WinVista" for the first and second checking EPS objects
Router# configure terminal
Router(config)# web-auth policy insert 1
Router(config-web-auth-1)# activate
Router(config-web-auth-1)# description EPS-on-LAN
Router(config-web-auth-1)# source LAN1_SUBNET
Router(config-web-auth-1)# destination DMZ_Servers
Router(config-web-auth-1)# authentication force
Router(config-web-auth-1)# no schedule
Router(config-web-auth-1)# eps activate
Router(config-web-auth-1)# eps 1 EPS-WinXP...
Chapter 25 Walled Garden
25.1 Walled Garden Overview
A user must log in before the UAG allows the user's access to the Internet. However, with a walled garden, you can define one or more web site addresses that all users can access without logging in. These can be used for advertisements, for example.
25.2.1 walled-garden rule Sub-commands
The following table describes the sub-commands for several walled-garden rule commands. Note that not all rule commands use all the sub-commands listed here.
Table 84 walled-garden rule Sub-commands
    ...
        Enables this entry. The no command disables the entry.
Chapter 26 Advertisement
26.1 Advertisement Overview
You can set the UAG to display an advertisement web page as the first web page whenever the user connects to the Internet.
26.2 Advertisement Commands
This table lists the advertisement commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Chapter 27 Firewall
This chapter introduces the UAG's firewall and shows you how to configure your UAG's firewall.
27.1 Firewall Overview
The UAG's firewall is a stateful inspection firewall. The UAG restricts access by screening data packets against defined access rules. It also tracks sessions, so the return traffic of a session that a rule allowed is accepted without a rule of its own. For example, traffic from one zone into another is not allowed unless a computer in the other zone initiated the session first.
27.2 Firewall Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 86 Input Values for General Firewall Commands
    address_object
        The name of the IP address (or address group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character ...
Table 87 Command Summary: Firewall (continued)
    firewall profile_name {zone_object|Device} delete <1..5000>
        Removes a direction-specific through-Device rule or to-Device rule. <1..5000>: the index number in a direction-specific firewall rule list.
    firewall profile_name {zone_object|Device} flush
        Removes all direction-specific through-Device rules or to-Device rules.
27.2.1 Firewall Sub-Commands
The following table describes the sub-commands for several firewall commands.
Table 88 firewall Sub-commands
    action {allow|deny|reject}
        Sets the action the UAG takes when packets match this rule.
    [no] activate
        Enables a firewall rule. The no command disables the firewall rule.
The following example shows you how to add an IPv4 firewall rule to allow a MyService connection from the WAN zone to the IP addresses Dest_1 in the LAN zone.
• Enter configuration command mode.
• Create an IP address object.
• ...
The following table describes the session-limit commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 90 Command Summary: Session Limit
    [no] session-limit activate
        Turns the session-limit feature on or off.
    ...
        Sets the default number of concurrent NAT/firewall sessions per host.
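The following is an added example, not the UAG's implementation, that models the behaviour this chapter describes: packets are classified by from-zone (the zone of the arrival interface) and to-zone (the zone of the interface the routing table would send them out of), matched first-match against direction-specific rules with allow/deny/reject actions, admitted replies are accepted by session state rather than by a rule, a zone with block set refuses intra-zone traffic, and a per-host session limit refuses new sessions beyond the configured count. The zone, interface, route and address values are constructed for the example; the default action when no rule matches is assumed to be deny.

```python
"""Added example (not the UAG's implementation): a model of a zone-based
stateful firewall with first-match rules, stateful reply handling, the
intra-zone block from Chapter 13 and the per-host session limit of Table 90.
Zone, interface, route and address values are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    in_iface: str   # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    from_zone: str  # zone name or "any"
    to_zone: str    # zone name or "any"
    dst_net: str    # CIDR or "any" (stands in for the destination address object)
    service: tuple  # (protocol, destination port) or ("any", 0)
    action: str     # "allow", "deny" or "reject"
    active: bool = True


class ZoneFirewall:
    def __init__(self, zones, routes, rules, block_intra=(), session_limit=None):
        self.iface_zone = {}   # zones: {zone: [interface, ...]}; no interface in two zones
        for zone, ifaces in zones.items():
            for iface in ifaces:
                if iface in self.iface_zone:
                    raise ValueError(f"{iface} is in both {self.iface_zone[iface]} and {zone}")
                self.iface_zone[iface] = zone
        # routes: {CIDR: outgoing interface}; longest prefix wins, as in Chapter 11
        self.routes = sorted(((ip_network(n), i) for n, i in routes.items()),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.rules = list(rules)
        self.block_intra = set(block_intra)
        self.session_limit = session_limit
        self.sessions = set()  # 5-tuples of admitted sessions

    def zone_for_dst(self, ip):
        """The to-zone is the zone of the interface the packet would leave through."""
        addr = ip_address(ip)
        for net, iface in self.routes:
            if addr in net:
                return self.iface_zone[iface]
        raise LookupError(f"no route to {ip}")

    def _match(self, rule, pkt, from_zone, to_zone):
        if (not rule.active or rule.from_zone not in ("any", from_zone)
                or rule.to_zone not in ("any", to_zone)):
            return False
        if rule.dst_net != "any" and ip_address(pkt.dst) not in ip_network(rule.dst_net):
            return False
        proto, port = rule.service
        return proto == "any" or (proto == pkt.proto and port == pkt.dport)

    def inspect(self, pkt):
        """Return (action, reason) for one packet, recording admitted sessions."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions or reply in self.sessions:
            return "allow", "existing session"   # stateful: replies need no rule of their own
        from_zone = self.iface_zone[pkt.in_iface]
        to_zone = self.zone_for_dst(pkt.dst)
        if from_zone == to_zone and from_zone in self.block_intra:
            return "deny", f"intra-zone traffic blocked in {from_zone}"
        for n, rule in enumerate(self.rules, 1):
            if self._match(rule, pkt, from_zone, to_zone):
                action, reason = rule.action, f"rule {n}"
                break
        else:
            action, reason = "deny", "no matching rule (default)"
        if action != "allow":
            return action, reason
        if self.session_limit is not None:
            used = sum(1 for s in self.sessions if s[1] == pkt.src)
            if used >= self.session_limit:
                return "deny", f"session limit {self.session_limit} reached for {pkt.src}"
        self.sessions.add(key)
        return "allow", reason


def demo():
    """Constructed topology: wan1 in WAN, lan1 in LAN, dmz in DMZ; LAN blocks intra-zone."""
    fw = ZoneFirewall(
        zones={"WAN": ["wan1"], "LAN": ["lan1"], "DMZ": ["dmz"]},
        routes={"192.168.1.0/24": "lan1", "192.168.3.0/24": "dmz", "0.0.0.0/0": "wan1"},
        rules=[Rule("WAN", "DMZ", "192.168.3.7/32", ("tcp", 80), "allow"),
               Rule("LAN", "any", "any", ("any", 0), "allow")],
        block_intra=["LAN"], session_limit=2)
    return [fw.inspect(p) for p in (
        Packet("203.0.113.9", "192.168.3.7", "tcp", 40001, 80, "wan1"),    # rule 1
        Packet("203.0.113.9", "192.168.3.7", "tcp", 40002, 22, "wan1"),    # no rule: default deny
        Packet("192.168.3.7", "203.0.113.9", "tcp", 80, 40001, "dmz"),     # reply to session 1
        Packet("192.168.1.10", "192.168.1.20", "tcp", 5000, 445, "lan1"),  # intra-zone, blocked
        Packet("192.168.1.10", "198.51.100.5", "udp", 5001, 53, "lan1"),   # rule 2
        Packet("192.168.1.10", "198.51.100.5", "tcp", 5002, 443, "lan1"),  # rule 2
        Packet("192.168.1.10", "198.51.100.5", "tcp", 5003, 443, "lan1"),  # over session limit
    )]
```

The third packet is the point of "stateful": there is no DMZ-to-WAN rule, yet the web server's reply is admitted because it reverses a session that rule 1 admitted. The constructor's duplicate-interface check reflects the non-overlap requirement on zones from Chapter 13.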
Chapter 28 Billing
28.1 Billing Overview
You can use the built-in billing function to set up billing profiles. A billing profile describes how to charge users. This chapter also shows you how to select an accounting method or configure a discount price plan.
28.2 Billing Commands
This table lists the billing commands.
Table 91 billing Commands (continued)
    [no] billing discount unit <2..10> price price
        Creates a new discount level by setting the duration of the billing period that should be reached before the UAG charges users at this level, and the price defining this level's charge per time unit.
28.2.2 Billing Command Example
This example sets the accounting method to time-to-finish and configures the idle timeout that elapses before the UAG disconnects a user.
Router# configure terminal
Router(config)# billing accounting-method time-to-finish
Router(config)# billing accumulation idle-detection timeout 30
Router(config)#
This example enables and creates a custom discount pricing plan.
plan settings, that is, the billing profile settings for button A when it is selected as the button to assign the base charge.
Router# configure terminal
Router(config)# printer-manager button a billing_1hour
Router(config)# show billing discount default rule
Conditions  Unit  Unit price...
Chapter 29 Payment Service
29.1 Payment Service Overview
The online payment service allows users to purchase access time online with a credit card. You must register with the supported credit card service before you can configure the UAG to handle credit card transactions.
29.2 Payment-service Commands
The following table identifies the values required for many of these commands.
Table 94 payment-service Commands (continued)
    [no] payment-service page-customization
        Sets the UAG to use a custom online payment service page. You can customize the online payment service pages that display after an unauthorized user clicks the link in the Web Configurator login screen to purchase access time. The no command sets the UAG to use the default online payment service page built into the device.
29.2.1 Payment-Service Provider Paypal Sub-commands
The following table describes the sub-commands for the payment-service provider paypal command.
Table 95 payment-service provider paypal Sub-commands
    [no] account e-mail
        Sets your PayPal account name. You should already have a PayPal account to receive credit card payments.
Chapter 30 Printer Manager
30.1 Printer Manager Overview
You can create dynamic guest accounts and print guest account information by pressing the button on an external statement printer, such as SP350E. Make sure that the printer is connected to the appropriate power and the UAG, and that there is printing paper in the printer. Refer to the printer's documentation for details.
Table 96 printer-manager Commands (continued)
    show printer-manager printer [<1..10>]
        Displays settings of all or the specified printer that can be managed by the UAG.
    show printer-manager printer-status
        Displays information about the printers that are connected and can be managed by the UAG.
Chapter 31 Free Time
31.1 Free Time Overview
With Free Time, the UAG can create dynamic guest accounts that allow users to browse the Internet free of charge for a specified period of time.
31.2 Free-Time Commands
The following table lists the free-time commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
31.3 Free-Time Commands Example
The following example enables the free time feature and sets the UAG to provide user account information in the web screen and also send account information via SMS text messages. It then displays the free time settings.
Chapter 32 SMS
32.1 SMS Overview
The UAG supports Short Message Service (SMS) to send short text messages to mobile phone devices. At the time of writing, the UAG uses ViaNett as the SMS gateway to help forward SMS messages. You must already have a ViaNett account in order to use the SMS service.
32.2 SMS Commands
The following table lists the sms-service commands.
32.3 SMS Commands Example
The following example enables the SMS service on the UAG and configures the ViaNett account information. It then displays the SMS settings.
Router# configure terminal
Router(config)# sms-service activate
Router(config)# sms-service provider vianett
Router(sms-service-vianett)# username test@example.com
Router(sms-service-vianett)# password 12345
Router(sms-service-vianett)# exit...
Chapter 33 Bandwidth Management
33.1 Bandwidth Management Overview
Bandwidth management provides a convenient way to manage the use of various services on the network. It manages general protocols (for example, HTTP and FTP) and applies traffic prioritization to enhance the performance of delay-sensitive applications like voice and video.
33.1.1 BWM Type
The UAG supports two types of bandwidth management: shared and per-user.
Table 100 bwm Commands (continued)
    bwm move <1..127> to <1..127>
        Moves a policy to the number that you specified.
    show bwm activation
        Displays whether bandwidth management is enabled.
    show bwm all
        Displays all bandwidth management policies.
    ...
        Displays the default bandwidth management policy.
Table 101 bwm Sub-commands (continued)
    [no] incoming-interface {interface interface_name | trunk group_name}
        Sets the source interface of the traffic to which this policy applies. interface_name: The name of the interface. This depends on the UAG model. See Table 24 on page 70 for detailed information about the interface name.
Table 101 bwm Sub-commands (continued)
    [no] service service-object {service_name | any}
        Specifies a service or service group to identify the type of traffic to which this policy applies. any: the policy is effective for every service. The no command resets the service to the default (any).
33.3 Bandwidth Management Commands Example
The following example adds a new bandwidth management policy for trial-users to limit incoming and outgoing bandwidth and sets the traffic priority to 3. It then displays the policy settings.
Router# configure terminal
Router(config)# bwm append
Router(config-bwm append 6)# activate
Router(config-bwm append 6)# description example...
Chapter 34 IPSec VPN
This chapter explains how to set up and maintain IPSec VPNs in the UAG.
34.1 IPSec VPN Overview
A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing.
and remote IPSec router can send data between computers on the local network and remote network. This is illustrated in the following figure.
Figure 21 VPN: IKE SA and IPSec SA
In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks.
Table 102 Input Values for IPSec VPN Commands (continued)
    distinguished_name
        A domain name. You can use up to 511 alphanumeric characters, spaces, or .@=,_- characters.
    sort_order
        Sort the list of currently connected SAs by one of the following classifications: algorithm, encapsulation, ...
Table 103 isakmp Commands: IKE SAs (continued)
    group1 | group2 | group5
        Sets the Diffie-Hellman (DHx) group to the specified group.
    [no] natt
        Enables NAT traversal. The no command disables NAT traversal.
    local-ip {ip {ip | domain_name} | ...
        Sets the local gateway address to the specified IP address, domain name, or interface.
Table 104 crypto Commands: IPSec SAs (continued)
    crypto map rename map_name map_name
        Renames the specified IPSec SA (first map_name) to the specified name (second map_name).
    crypto map map_name activate
    crypto map map_name deactivate
        Activates or deactivates the specified IPSec SA.
    ...
        Sets a specific number of bytes for the Maximum Segment Size ...
Table 104 crypto Commands: IPSec SAs (continued)
    [no] nail-up
        Automatically re-negotiates the SA as needed. The no command does not.
    [no] replay-detection
        Enables replay detection. The no command disables it.
    [no] netbios-broadcast
        Enables NetBIOS broadcasts through the IPSec SA. The no command disables NetBIOS broadcasts through the IPSec SA.
34.2.3 IPSec SA Commands (for Manual Keys)
This table lists the additional commands for IPSec SAs using manual keys (VPN connections using manual keys).
Table 105 crypto map Commands: IPSec SAs (Manual Keys)
    crypto map map_name set session-key {ah <256..4095> ...
        Sets the active protocol, SPI (<256..4095>), authentication key and ...
Table 106 vpn-concentrator Commands: VPN Concentrator (continued)
    [no] crypto map_name
        Adds the specified IPSec SA to the specified VPN concentrator. The no command removes the specified IPSec SA from the specified VPN concentrator.
    vpn-concentrator rename profile_name profile_name
        Renames the specified VPN concentrator (first profile_name) to the specified name (second profile_name).
34.2.6 SA Monitor Commands
This table lists the commands for the SA monitor.
Table 108 sa Commands: SA Monitor
    show sa monitor [{begin ...
        Displays the current IPSec SAs and the status of each one. You can specify a range of SA entries to display.
Chapter 35 SSL VPN
This chapter shows you how to set up secure SSL VPN access for remote user login.
35.1 SSL Access Policy
An SSL access policy allows the UAG to perform the following tasks:
• limit user access to specific applications or files on the network.
• ...
Table 109 Input Values for SSL VPN Commands (continued)
    user_name
        The name of a user (group). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Table 110 SSL VPN Commands
    [no] eps periodical-check <1..1440>
        Sets the number of minutes to have the UAG repeat the endpoint security check at a regular interval. The no command disables this setting.
    [no] network-extension {activate | ...
        Use this to configure a VPN tunnel between the authenticated users and the internal network.
First, configure 10.1.1.254/24 as the IP address of interface wan1, which is the external interface that public SSL VPN clients connect to. Configure 172.16.10.254/24 as the IP address of interface lan2, which is on the internal network.
Router(config)# interface wan1
Router(config-if-ge)# ip address 10.1.1.254 255.255.255.0
Router(config-if-ge)# exit...
Display the SSL VPN rule settings.
Router(config)# show sslvpn policy SSL_VPN_TEST
index: 1
active: yes
name: SSL_VPN_TEST
description:
user: tester
ssl application: none
network extension: yes
ip pool: IP-POOL
dns server 1: DNS1
dns server 2: DNS2
wins server 1: none
wins server 2: none
network: NETWORK1...
Chapter 36 Content Filtering
This chapter covers how to use the content filtering feature to control web access.
36.1 Content Filtering Overview
Content filtering allows you to block certain web features, such as cookies, and/or block access to specific web sites. It can also block access to specific categories of web site content. You can create different content filtering policies for different addresses, schedules, users or groups and content filtering profiles.
36.5 Content Filter Command Input Values
The following table explains the values you can input with the content-filter commands.
Table 111 Content Filter Command Input Values
    policy_number
        The number of the policy <0 - X>, where X depends on the number of content filtering policies the UAG model supports.
Table 111 Content Filter Command Input Values (continued)
    forbid_hosts
        The IP address or domain name of a forbidden web site. Use a host name such as www.bad-site.com in this field. Do not use the complete URL of the site ...
mode to be able to use these commands. See Table 111 on page 190 for details about the values you can input with these commands.
Table 112 content-filter General Commands
    ...
        Turns on content filtering. The no command turns it off.
Table 112 content-filter General Commands (continued)
    [no] ... {ipv4 | ipv4_cidr | ipv4_range | wildcard_domainname | tld}
        Adds or removes a common trusted or forbidden web site entry.
        ipv4: IPv4 address <W.X.Y.Z>
        ipv4_cidr: IPv4 subnet in CIDR format, for example 192.168.1.0/32 <W.X.Y.Z>/<1..32> ...
Table 113 content-filter Filtering Profile Commands Summary (continued)
    content-filter profile filtering_profile custom-list keyword
        Enters the sub-command for configuring the content filtering profile's list of forbidden keywords. This has the content filtering profile block access to Web sites with URLs that contain the specified keyword or IP address in the URL.
Table 113 content-filter Filtering Profile Commands Summary (continued)
    [no] content-filter profile filtering_profile url-server
        Sets a content filtering profile to use the external web filtering service. The no command has the profile not use the external web filtering service.
    [no] content-filter service-timeout service_timeout
        Sets how many seconds the UAG is to wait for a response from the external content filtering server.
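The following is an added example, not the UAG's code, that shows how a requested URL is matched against the list entry types the tables above describe: the trusted/forbidden web site entries of Table 112 (IPv4 address, CIDR subnet, address range, wildcard domain, TLD) and the custom keyword list of Table 113. It also demonstrates the caveat from Table 111 that a forbidden entry must be a host name, not a full URL. Assumptions: trusted entries are checked before forbidden ones and keywords last; a wildcard domain is spelled "*.example.com" and a TLD entry as a bare label such as "xyz"; the page does not show the exact spelling of those two forms.

```python
"""Added example (not the UAG's code): matching a URL against content filter
list entries. Entry formats follow Table 112 and the keyword list of Table 113.
Assumed: precedence trusted > forbidden > keyword; wildcard domains are
written "*.example.com" and TLD entries as a bare label such as "xyz"."""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit


def host_matches(entry, host):
    """True if a host name or IPv4 literal matches one trusted/forbidden entry."""
    host = host.lower().rstrip(".")
    try:
        addr = ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:                     # numeric host: only address entries apply
        try:
            if "/" in entry:                 # ipv4_cidr
                return addr in ip_network(entry, strict=False)
            if "-" in entry:                 # ipv4_range: low-high
                lo, hi = (ip_address(p) for p in entry.split("-", 1))
                return lo <= addr <= hi
            return addr == ip_address(entry) # ipv4
        except ValueError:                   # entry is not an address form
            return False
    entry = entry.lower()
    if entry.startswith("*."):               # wildcard_domainname (assumed spelling)
        return host == entry[2:] or host.endswith(entry[1:])
    if "." not in entry:                     # tld (assumed spelling: bare label)
        return host.rsplit(".", 1)[-1] == entry
    return host == entry                     # plain host name, as Table 111 asks for


def classify(url, trusted=(), forbidden=(), keywords=()):
    """Return (verdict, reason) for a URL from the lists alone, before any category lookup."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if any(host_matches(e, host) for e in trusted):
        return "allow", "trusted list"
    if any(host_matches(e, host) for e in forbidden):
        return "block", "forbidden list"
    for kw in keywords:                      # keyword list: substring of the whole URL
        if kw.lower() in url.lower():
            return "block", f"keyword {kw!r}"
    return "pass", "no list match"           # would continue to the category service


def demo():
    """Constructed inputs for each entry type and for the full-URL pitfall."""
    return {
        "host": classify("http://www.bad-site.com/index.html", forbidden=["www.bad-site.com"]),
        "full_url_entry": classify("http://www.bad-site.com/index.html",
                                   forbidden=["http://www.bad-site.com/index.html"]),
        "wildcard": classify("http://mail.example.net/", trusted=["*.example.net"]),
        "cidr": classify("http://10.0.0.5/admin", forbidden=["10.0.0.0/8"]),
        "range": classify("http://192.168.1.77/", forbidden=["192.168.1.50-192.168.1.100"]),
        "tld": classify("http://www.shop.xyz/", forbidden=["xyz"]),
        "keyword": classify("http://www.example.com/casino/play", keywords=["casino"]),
        "clean": classify("http://www.example.com/"),
    }
```

The "full_url_entry" case is the one to look at: the same site that "www.bad-site.com" blocks is not blocked when the entry is written as a URL, because the comparison is against the host name only.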
Use the configure terminal command to enter the configuration mode to be able to use these commands. See Table 111 on page 190 for details about the values you can input with these commands.
Table 114 content-filter url-cache Commands
    ...
        Sets how long to keep a content filtering URL cache entry ...
36.9.1 Content Filtering Statistics Example
This example shows how to collect and display content filtering statistics.
Router(config)# content-filter statistics collect
Router(config)# show content-filter statistics summary
total web pages inspected
web pages warned by category service : 0
web pages blocked by category service: 0
web pages blocked by custom service
restricted web features...
Use this command to display the settings of the profile.
Router(config)# show content-filter profile sales_CF_PROFILE
commtouch service active : yes
url match unsafe: block: no, warn: yes, log:
url match other : block: yes, warn: no, log:
url unrate : block: no, warn: yes, log:...
Chapter 37 User/Group
This chapter describes how to set up user accounts, user groups, and user settings for the UAG. You can also set up rules that control when users have to log in to the UAG before the UAG routes traffic for them (see Chapter 24 on page 142).
Chapter 37 User/Group
37.2 User/Group Commands Summary
The following table identifies the values required for many username/groupname commands. Other input values are discussed with the corresponding commands.
Table 117 username/groupname Command Input Values
username
    The name of the user (account). You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number.
Table 118 username/groupname Commands Summary: Users (continued)
username username [no] logon-re-auth-time <0..1440>
    Sets the reauthentication time for the specified user. Set it to zero to set unlimited reauthentication time. The no command sets the reauthentication time to thirty minutes (regardless of the current default setting for new users).
37.2.3 User Setting Commands
This table lists the commands for user settings, except for forcing user authentication.
Table 120 username/groupname Commands Summary: Settings
show users default-setting {all | user-type
    Displays the default lease and reauthentication times for the specified type of user accounts.
Table 120 username/groupname Commands Summary: Settings (continued)
[no] users simultaneous-logon {administration | access | billing-account} enforce
    Enables the limit on the number of simultaneous logins by users of the specified account-type. The no command disables the limit, or allows an unlimited number of simultaneous logins.
37.2.4.1 Additional User Command Examples
The following commands display the users that are currently logged in to the UAG and force the logout of all logins from a specific IP address.
Router# configure terminal
Router(config)# show users all
No: 0 Name: admin Type: admin ...
The following commands display the users that are currently locked out and then unlock the user who is displayed.
Router# configure terminal
Router(config)# show lockout-users
Username  Tried From  Lockout Time Remaining
===========================================================================
From  Failed Login Attempt Record  Expired Timer
===========================================================================
1 172.16.1.5
Router(config)# unlock lockout-users 172.16.1.5
...
Chapter 38 Addresses
This chapter describes how to set up addresses and address groups for the UAG.
38.1 Address Overview
Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups. You can create IP address objects based on an interface's IP address, subnet, or gateway.
Chapter 38 Addresses
38.2.1 Address Object Commands
This table lists the commands for address objects.
Table 123 address-object and address6-object Commands
show {address-object | address6-object | service-object | schedule-object} [object_name]
    Displays information about the specified object or all the objects of the specified type.
    Creates the specified IPv4 address object using the specified...
Table 124 object-group Commands: Address Groups (continued)
[no] address-object object_name
    Adds the specified address to the specified address group. The no command removes the specified address from the specified group.
[no] object-group group_name
    Adds the specified address group (second group_name) to the specified address group (first group_name).
Chapter 39 Services
Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features.
39.1 Services Overview
See the appendices in the web configurator's User Guide for a list of commonly-used services.
39.2 Services Commands Summary
The following table describes the values required for many service object and service group commands.
Chapter 39 Services
Table 127 object-group Commands: Service Groups (continued)
[no] description description
    Sets the description to the specified value. The no command removes the description.
    description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
object-group service rename group_name group_name
    Renames the specified service group from the first group_name to the second group_name.
Chapter 40 Schedules
Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, and content filtering.
40.1 Schedule Overview
The UAG supports two types of schedules: one-time and recurring. One-time schedules are effective only once, while recurring schedules usually repeat.
Note: Schedules are based on the current date and time in the UAG.
Chapter 40 Schedules
Table 129 schedule Commands (continued)
schedule-object object_name date time date time
    Creates or updates a one-time schedule.
    date: yyyy-mm-dd date format; yyyy-<01..12>-<01..31>
schedule-object object_name time time [day] [day] [day] [day] [day] [day] [day]
    Creates or updates a recurring schedule.
    day: 3-character day of the week;...
Chapter 41 AAA Server
This chapter introduces and shows you how to configure the UAG to use external authentication servers.
41.1 AAA Server Overview
You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The following lists the types of authentication server the UAG supports.
•...
Chapter 41 AAA Server
Table 130 ad-server Commands (continued)
[no] ad-server binddn binddn
    Sets the user name the UAG uses to log into the default AD server. The no command clears this setting.
[no] ad-server cn-identifier uid
    Sets the unique common name (cn) to identify a record. The no command clears this setting.
41.2.3 radius-server Commands
The following table lists the radius-server commands you use to set the default RADIUS server.
Table 132 radius-server Commands
show radius-server
    Displays the default RADIUS server settings.
[no] radius-server host
    Sets the RADIUS server address and service port number. Enter the IP address (in dotted decimal notation) or the domain name of a RADIUS server.
Table 133 aaa group server ad Commands (continued)
[no] server alternative-cn-
    Sets the second type of identifier that the users can use to log in, if any. For example "name" or "e-mail address". The no command clears this setting.
Table 134 aaa group server ldap Commands (continued)
[no] case-sensitive
    Specifies whether or not the server checks the username case. Set this to be the same as the server's behavior.
[no] server alternative-cn-
    Sets the second type of identifier that the users can use to log in, if any. For example "name"...
Table 135 aaa group server radius Commands (continued)
aaa group server radius group-name
    Enters the sub-command mode.
[no] case-sensitive
    Specifies whether or not the server checks the username case. Set this to be the same as the server's behavior.
    Sets the descriptive information for the RADIUS server group.
Chapter 42 Authentication Objects
This chapter shows you how to select different authentication methods for user authentication using the AAA servers or the internal user database.
42.1 Authentication Objects Overview
After you have created the AAA server objects, you can specify the authentication objects (containing the AAA server information) that the UAG uses to authenticate users (using VPN or managing through HTTP/HTTPS).
Chapter 42 Authentication Objects
Table 136 aaa authentication Commands (continued)
[no] aaa authentication profile-name member1 [member2] [member3] [member4]
    Sets the profile to use the authentication method(s) in the order specified.
    member = group ad, group ldap, group radius, or local.
    Note: You must specify at least one member for each profile.
• Bind-dn: zyxel\engineerABC
• Password: abcdefg
• Login-name-attribute: sAMAccountName
The result shows that the account exists on the AD server. Otherwise, the UAG responds with an error.
Router> test aaa server ad host 172.16.50.1 port 389 base-dn DC=ZyXEL,DC=com bind-dn zyxel\engineerABC password abcdefg login-name-attribute sAMAccountName account userABC
dn:: Q049MTIzNzco546L5aOr56uRKSxPVT1XaXRoTWFpbCxEQz1aeVhFTCxEQz1jb20=
...
Chapter 43 Certificates
This chapter explains how to use certificates.
43.1 Certificates Overview
The UAG can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner's identity and public key. Certificates provide a way to exchange public keys for use in authentication.
Chapter 43 Certificates
Table 138 Certificates Commands Input Values (continued)
organization
    Identifies the company or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Table 139 ca Commands Summary (continued)
ca validation remote_certificate
    Enters the sub-command mode for validation of certificates signed by the specified remote (trusted) certificates.
cdp {activate|deactivate}
    Turns certificate revocation on or off. When it is turned on, the UAG validates a certificate by getting a Certificate Revocation List (CRL) through HTTP or LDAP (can be...
Table 139 ca Commands Summary (continued)
show ca category {local|remote} name certificate_name certpath
    Displays the certification path of the specified local (my certificates) or remote (trusted certificates) certificate.
show ca category {local|remote} [name certificate_name format {text|pem}]
    Displays a summary of the certificates in the specified category (local for my certificates or remote for trusted...
43.5 Certificates Commands Examples
The following example creates a self-signed X.509 certificate with IP address 10.0.0.58 as the common name. It uses the RSA key type with a 512 bit key. Then it displays the list of local certificates.
Chapter 44 ISP Accounts
Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE and PPTP interfaces.
44.1 ISP Accounts Overview
An ISP account is a profile of settings for Internet access using PPPoE or PPTP.
44.1.1 PPPoE and PPTP Account Commands
The following table lists the PPPoE and PPTP ISP account commands.
Chapter 44 ISP Accounts
Table 140 PPPoE and PPTP ISP Account Commands (continued)
[no] server ip
    Sets the PPTP server for the specified PPTP ISP account. The no command clears the server name.
[no] encryption {nomppe | mppe-40
    Sets the encryption for the specified PPTP ISP account. The no command sets the encryption to nomppe.
Chapter 45 SSL Application
This chapter describes how to configure SSL application objects for use in SSL VPN.
45.1 SSL Application Overview
Configure an SSL application object to specify a service and a corresponding IP address of the server on the local network. You can apply one or more SSL application objects in the VPN > SSL VPN screen for a user account/user group.
Chapter 45 SSL Application
Table 141 SSL Application Object Commands
server-type weblink url url
    Sets this to create a link to a web site you specified that you expect the SSL VPN users to commonly use.
    url: Enter the fully qualified domain name (FQDN) or IP address of the application server.
Chapter 46 Endpoint Security
This chapter describes how to configure endpoint security objects for use in authentication policy and SSL VPN.
46.1 Endpoint Security Overview
Use Endpoint Security (EPS), also known as endpoint control, to make sure users' computers comply with defined corporate policies before they can access the network or an SSL VPN tunnel. After a successful user authentication, a user's computer must meet the endpoint security object's Operating System (OS) option and security requirements to gain access.
Chapter 46 Endpoint Security
Requirements
User computers must have Sun's Java (Java Runtime Environment or 'JRE') installed and enabled with a minimum version of 1.4.
46.1.1 Endpoint Security Commands Summary
The following table describes the values required for many endpoint security object commands. Other values are discussed with the corresponding commands.
Table 143 Endpoint Security Object Commands
[no] personal-firewall personal_firewall_software
    Sets a permitted personal firewall. If you want to enter multiple personal firewalls, use this command for each of them. Use the list signature personal-firewall command to view the available personal firewall software package options.
Table 143 Endpoint Security Object Commands (continued)
windows-version {windows-2000 | windows-xp | windows-2003 | windows-2008 | windows-vista | windows-7 | windows-2008r2}
    If you set windows as the operating system (using the os-type command), use this command to set the version of Windows.
...
46.1.3 Endpoint Security Object Command Example
Peter wants to create and display an endpoint security object named EPS-Example. Only the computers that match the following criteria can access the company's SSL VPN:
• Operating system: Windows XP
•...
Then he also needs to check the personal firewall software name defined on the UAG. Copy and paste the name of output item 4 for the setting later.
Router(config)# show eps signature personal-firewall
Name  Detection
===============================================================================
Kaspersky_Internet_Security_v2009
Kaspersky_Internet_Security_v2010
...
Then he leaves the sub-command mode and uses the show command to view the EPS object settings.
Router(eps EPS-Example)# exit
Router(config)# show eps profile
name: EPS-Example
description:
os type: windows
windows version: windows-xp
matching criteria: all
anti-virus activation: yes
anti-virus: 1
name: Kaspersky_Anti-Virus_v2011
...
Chapter 47 Dynamic Guest Accounts
47.1 Dynamic Guest Accounts Overview
Dynamic guest accounts are guest accounts, but are created dynamically and stored in the UAG's local user database. A dynamic guest account has a dynamically-created user name and password. A dynamic guest account user can access the UAG's services only within a given period of time and will become invalid after the expiration date/time.
Chapter 47 Dynamic Guest Accounts
Table 144 dynamic-guest Commands (continued)
[no] dynamic-guest user_name
    Creates a dynamic guest account (billing-user) with the specified user name and enters the dynamic-guest sub-command mode to set the password and timeout settings. See Table 145 on page 241 for the sub-commands.
Chapter 48 System
This chapter provides information on the commands that correspond to what you can configure in the system screens.
48.1 System Overview
Use these commands to configure general UAG information, the system time and the console port connection speed for a terminal emulation program. They also allow you to configure DNS settings and determine which services/protocols can access which UAG zones (if any) from which computers.
Chapter 48 System
Figure 23 Access Page Customization (callouts: Logo; Title Message (color of all text); Note Message (last line of text); Window Background)
You can specify colors in one of the following ways:
• color-rgb: Enter red, green, and blue values in parentheses, separated by commas. For example, use "rgb(0,0,0)"...
Table 146 Command Summary: Customization (continued)
login-page window-color {color-rgb | color-name | color-number}
    Sets the color of the login page's window border.
logo background-color {color-rgb | 
    Sets the color of the logo banner across the top of the login screen and access page.
48.4.1 Date/Time Commands
The following table describes the commands available for date and time setup. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 148 Command Summary: Date/Time
    Sets the new date in year, month and day format...
48.6 DNS Overview
DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.
48.6.1 Domain Zone Forwarder
A domain zone forwarder contains a DNS server's IP address.
Table 151 Command Summary: DNS (continued)
[no] ip dns server zone-forwarder {<1..32>|append|insert <1..32>}
    Sets a domain zone forwarder record that specifies a fully qualified domain name. You can also use a star (*) if all domain zones are served by the specified DNS server(s).
Chapter 49 System Remote Management
This chapter shows you how to determine which services/protocols can access which UAG zones (if any) from which computers.
Note: To access the UAG from a specified computer using a service, make sure no service control rules or to-Device firewall rules block that traffic.
49.1 Remote Management Overview
You may manage your UAG from a remote location via:
•...
Chapter 49 System Remote Management
49.2 Common System Command Input Values
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 152 Input Values for General System Commands
    The name of the IP address (group) object.
Table 153 Command Summary: HTTP/HTTPS (continued)
[no] ip http secure-server cert certificate_name
    Specifies a certificate used by the HTTPS server. The no command resets the certificate used by the HTTPS server to the factory default (default).
    certificate_name: The name of the certificate.
49.3.1 HTTP/HTTPS Command Examples
The following example adds a service control rule that allows an administrator from the computers with IP addresses matching the Marketing address object to access the WAN zone using the HTTP service.
Router# configure terminal
Router(config)# ip http server table admin rule append access-group Marketing zone WAN action accept
...
49.4.3 SSH Commands
The following table describes the commands available for SSH. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 154 Command Summary: SSH
    Allows SSH access to the UAG CLI.
49.5 Telnet
You can configure your UAG for remote Telnet access.
49.6 Telnet Commands
The following table describes the commands available for Telnet. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 155 Command Summary: Telnet
...
49.7 Configuring FTP
You can upload and download the UAG's firmware and configuration files using FTP. To use this feature, your computer must have an FTP client.
49.7.1 FTP Commands
The following table describes the commands available for FTP. You must use the configure terminal command to enter the configuration mode before you can use these commands.
This command displays FTP settings.
Router# configure terminal
Router(config)# show ip ftp server status
active : yes
port : 21
certificate: default : no
service control:
Zone  Address  Action
========================================================================
49.8 SNMP
Simple Network Management Protocol is a protocol used for exchanging management information between network devices.
49.8.3 SNMP Commands
The following table describes the commands available for SNMP. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 158 Command Summary: SNMP
    Allows SNMP access to the UAG.
The following command sets the password (secret) for read-write (rw) access.
Router# configure terminal
Router(config)# snmp-server community secret rw
The following command sets the IP address of the host that receives the SNMP notifications to 172.16.15.84 and the password (sent with each trap) to qwerty.
Chapter 50 File Manager
This chapter covers how to work with the UAG's firmware, certificates, configuration files, packet trace results, shell scripts and temporary files.
50.1 File Directories
The UAG stores files in the following directories.
Table 160 FTP File Transfer Notes
FILE NAME  DIRECTORY  FILE TYPE...
Chapter 50 File Manager
These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below.
Figure 24 Configuration File / Shell Script: Example
# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
# configure wan1
...
Line 3 in the following example exits sub command mode.
interface wan1
ip address dhcp
exit
Lines 1 and 3 in the following example are comments and line 4 exits sub command mode.
interface wan1
# this interface is a DHCP client
Lines 1 and 2 are comments.
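As an added example (not from this guide or from ZyXEL), the following Python script checks a configuration file or shell script in the format just described before it is uploaded: it tracks sub-command mode nesting using the exit rule above and flags credentials typed in clear text, as in the username ... password line of Figure 24. The list of mode-entering commands and the secret keywords are assumptions made for the example; the real firmware has many more commands.

```python
"""Added example (not ZyXEL's code): a small linter for the configuration file /
shell script format described above.  Assumptions, constructed for this example:
'#' starts a comment, commands beginning with a MODE_COMMANDS prefix enter a
sub-command mode that 'exit' leaves, and credentials are spotted by keyword."""
from dataclasses import dataclass

# Hypothetical, partial list of commands that open a sub-command mode; the page
# shows "interface wan1", "packet-capture configure" and "eps ..." doing so.
MODE_COMMANDS = ("interface ", "packet-capture configure", "eps ", "aaa group server ")

# Keywords after which the next token is a secret typed in clear text, as in
# "username admin password 4321 user-type admin" or "snmp-server community secret rw".
SECRET_KEYWORDS = ("password", "community")


@dataclass
class Finding:
    line: int       # 1-based line number in the script
    kind: str       # "cleartext-secret", "stray-exit" or "unclosed-mode"
    detail: str     # human-readable explanation; secrets are masked


def command_lines(text):
    """Yield (line number, command) for every line that is not blank or a comment."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield lineno, line


def redact(command: str) -> str:
    """Mask the token that follows a secret keyword so reports never echo it."""
    words = command.split()
    for i, word in enumerate(words[:-1]):
        if word in SECRET_KEYWORDS:
            words[i + 1] = "***"
    return " ".join(words)


def parse_config(text: str) -> list:
    """Return (line number, depth, command) tuples; depth counts the sub-command
    modes open when the command runs (0 = top level, i.e. configuration mode)."""
    rows, depth = [], 0
    for lineno, line in command_lines(text):
        rows.append((lineno, depth, line))
        if line == "exit":
            depth = max(depth - 1, 0)
        elif line.startswith(MODE_COMMANDS):
            depth += 1
    return rows


def lint_config(text: str) -> list:
    """Check mode nesting and report credentials stored in clear text."""
    findings, open_modes = [], []      # open_modes: stack of (line number, command)
    for lineno, line in command_lines(text):
        if line == "exit":
            if open_modes:
                open_modes.pop()
            else:
                findings.append(Finding(lineno, "stray-exit", "exit with no sub-command mode open"))
            continue
        if any(w in SECRET_KEYWORDS for w in line.split()[:-1]):
            findings.append(Finding(lineno, "cleartext-secret", f"credential in script: {redact(line)}"))
        if line.startswith(MODE_COMMANDS):
            open_modes.append((lineno, line))
    # A missing exit leaves every later command in the wrong mode, so report it.
    for lineno, line in open_modes:
        findings.append(Finding(lineno, "unclosed-mode", f"'{line}' is never followed by exit"))
    return findings


# Constructed sample script modelled on Figure 24; line 10 lacks its closing exit.
SAMPLE_SCRIPT = """\
# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
# configure wan1
interface wan1
ip address dhcp
exit
snmp-server community secret rw
interface lan1
# this interface is a DHCP client
ip address dhcp
"""

if __name__ == "__main__":
    for f in lint_config(SAMPLE_SCRIPT):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```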
• When the UAG reboots, if the startup-config.conf file passes the error check, the UAG keeps a copy of the startup-config.conf file as the lastgood.conf configuration file for you as a backup file. If you upload and apply a configuration file with an error, you can apply lastgood.conf to return to a valid configuration.
50.4 File Manager Commands Summary
The following table lists the commands that you can use for file management.
Table 163 File Manager Commands Summary
apply /conf/file_name.conf [ignore-
    Has the UAG use a specific configuration file. You must still use the write command to save your configuration changes to the flash ("non-...
Table 163 File Manager Commands Summary (continued)
show running-config
    Displays the settings of the configuration file that the system is using.
setenv-startup stop-on-error off
    Has the UAG ignore any errors in the startup-config.conf file and apply all of the valid commands.
The firmware update can take up to five minutes. Do not turn off or reset the UAG while the firmware update is in progress! If you lose power during the firmware upload, you may need to refer to Section 50.8 on page 267 to recover the firmware.
50.6.4 Command Line FTP Configuration File Download Example
The following example gets a configuration file named today.conf from the UAG and saves it on the computer as current.conf.
Figure 26 FTP Configuration File Download Example
C:\>ftp 192.168.1.1
Connected to 192.168.1.1.
...
50.8 Notification of a Damaged Recovery Image or Firmware
The UAG's recovery image and/or firmware could be damaged, for example by the power going off during a firmware upgrade. This section describes how the UAG notifies you of a damaged recovery image or firmware file.
If "Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file" displays on the screen, the firmware file is damaged. Use the procedure in Section 50.10 on page 270 to restore it. If the message does not display, the firmware is OK and you do not need to use the firmware recovery procedure.
Note: You only need to use the atuk or atur command if the recovery image is damaged.
Figure 32 atuk Command for Restoring the Recovery Image
> atuk
This command is for restoring the "recovery image" (xxx.ri).
Use This command only when
1) the console displays "Invalid Recovery Image"
...
Enter atgo. The UAG starts up. If "Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file" displays on the screen, the firmware file is damaged and you need to use the procedure in Section 50.10 on page 270 to recover the firmware.
Enter "quit" to exit the ftp prompt.
Figure 38 FTP Firmware Transfer Complete
200 PORT command successful
150 Opening BINARY mode data connection for 250AACG0C0.bin
226-firmware verifying...
226-firmware updating...
226-Please Wait about 5 minutes!!
226-Do not poweroff or reset,
226-system will reboot automatically after finished updating.
Chapter 51 Logs
This chapter provides information about the UAG's logs.
Note: When the system log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first. See the User's Guide for the maximum number of system log messages in the UAG.
51.1 Log Commands Summary
The following table describes the values required for many log commands.
Chapter 51 Logs
51.1.2 System Log Commands
This table lists the commands for the system log settings.
Table 166 logging Commands: System Log Settings
show logging status system-log
    Displays the current settings for the system log.
logging system-log category module_name
    Specifies what kind of information, if any, is logged in the system log and debugging log for the specified category.
51.1.3 Debug Log Commands
This table lists the commands for the debug log settings.
Table 167 logging Commands: Debug Log Settings
show logging debug status
    Displays the current settings for the debug log.
show logging debug entries [priority pri] [category module_name] [srcip ip] [dstip ip]
    Displays the specified entries in the system log.
    pri: alert | crit | debug | emerg | error | info | notice | warn...
51.1.4 E-mail Profile Commands
This table lists the commands for the e-mail profile settings.
Table 169 logging Commands: E-mail Profile Settings
show logging status mail
    Displays the current settings for the e-mail profiles.
[no] logging mail <1..2>
    Enables the specified e-mail profile. The no command disables...
Chapter 52 Reports and Reboot
This chapter provides information about the report associated commands and how to restart the UAG using commands. It also covers the daily report e-mail feature.
52.1 Report Commands Summary
The following sections list the report, session, and packet size statistics commands.
52.1.1 Report Commands
This table lists the commands for reports.
Chapter 52 Reports and Reboot
52.1.2 Report Command Examples
The following commands start collecting data, display the traffic reports, and stop collecting data.
Router# configure terminal
Router(config)# show report lan1 ip
No.  IP Address  User  Amount  Direction
===================================================================
192.168.1.4 admin 1273(bytes) Outgoing
192.168.1.4 ...
Use these commands to have the UAG e-mail you system statistics every day. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 174 Email Daily Report Commands
    Displays the e-mail daily report settings.
Table 174 Email Daily Report Commands (continued)
send-now
    Sends the daily e-mail report immediately.
reset-counter-now
    Discards all report data and starts all of the report statistics data counters over at zero.
exit
    Leaves the sub-command mode.
52.2.1 Email Daily Report Example
This example sets the following about sending a daily report e-mail:...
This displays the email daily report settings and has the UAG send the report.
Router(config)# show daily-report status
email daily report status
=========================
activate: yes
scheduled time: 13:57
reset counter: no
smtp address: example-SMTP-mail-server.com
smtp port: 25
smtp auth: yes
smtp username: 12345
smtp password: pass12345
...
Chapter 53 Session Timeout
Use these commands to modify and display the session timeout values. You must use the configure terminal command before you can use these commands.
Table 175 Session Timeout Commands
session timeout {udp-connect <1..300>
    Sets the timeout for UDP sessions to connect or deliver...
Chapter 54 Diagnostics
This chapter covers how to use the diagnostics feature.
54.1 Diagnostics
The diagnostics feature provides an easy way for you to generate a file containing the UAG's configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting.
Chapter 55 Packet Flow Explore
This chapter covers how to use the packet flow explore feature.
55.1 Packet Flow Explore
Use this to get a clear picture of how the UAG determines where to forward a packet and how it changes the source IP address of the packet according to your current settings. This function provides you with a summary of all your routing and SNAT settings and helps troubleshoot the related problems.
Chapter 55 Packet Flow Explore
55.3 Packet Flow Explore Commands Example
The following example shows all routing related functions and their order.
Router> show route order
route order: Direct Route, Policy Route, VPN 1-1 Mapping Route, 1-1 SNAT, SiteTo Site VPN, Dynamic VPN, Static-Dynamic Route, Default WAN Trunk, Main Route
The following example shows all SNAT related functions and their order.
The following example shows all activated dynamic VPN rules.
Router> show system route dynamic-vpn
Source  Destination  VPN Tunnel
===========================================================================
The following example shows all activated VPN 1-1 mapping rules.
Router> show system route vpn-1-1-map
Source  Destination  Outgoing  Gateway
...
The following example shows all activated 1-to-1 NAT rules.
Router> show system snat nat-1-1
VS Name  Source  Destination  Outgoing  SNAT
===========================================================================
The following example shows the default WAN trunk settings.
Router> show system snat default-snat
Incoming  Outgoing  SNAT
...
Chapter 56 Maintenance Tools
Use the maintenance tool commands to check the conditions of other devices through the UAG. The maintenance tools can help you to troubleshoot network problems.
Here are maintenance tool commands that you can use in privilege mode.
Table 178 Maintenance Tools Commands in Privilege Mode
...
Chapter 56 Maintenance Tools
Here are maintenance tool commands that you can use in configure mode.
Table 179 Maintenance Tools Commands in Privilege Mode
[no] packet-capture activate
    Performs a packet capture that captures network traffic going through the set interface(s).
Table 180 Maintenance Tools Commands in Configuration Mode (continued)
arp IP mac_address
    Edits or creates an ARP table entry.
no arp ip
    Removes an ARP table entry.
The following example creates an ARP table entry for IP address 192.168.1.10 and MAC address 01:02:03:04:05:06.
• The maximum size of a packet capture file: 100 megabytes
Router(config)# packet-capture configure
Router(packet-capture)# iface add wan1
Router(packet-capture)# ip-type any
Router(packet-capture)# host-ip any
Router(packet-capture)# file-suffix Example
Router(packet-capture)# files-size 10
Router(packet-capture)# duration 150
Router(packet-capture)# storage usbstorage
Router(packet-capture)# ring-buffer disable
Router(packet-capture)# split-size 100
Router(packet-capture)#...
Chapter 57 Watchdog Timer

This chapter provides information about the UAG’s watchdog timers.

57.1 Hardware Watchdog Timer

The hardware watchdog has the system restart if the hardware fails. The hardware-watchdog-timer commands are for support engineers. It is recommended that you not modify the hardware watchdog timer settings.
57.3 Application Watchdog

The application watchdog has the system restart a process that fails. These are the app-watchdog commands. Use the configure terminal command to enter configuration mode before using these commands.

Table 183 app-watchdog Commands
COMMAND DESCRIPTION...
57.3.1 Application Watchdog Commands Example

The following example displays the application watchdog configuration and lists the processes that the application watchdog is monitoring.

UAG CLI Reference Guide...
List of Commands (Alphabetical)

This section lists the commands and sub-commands in alphabetical order. Commands and subcommands appear at the same level.

[no] {anti-virus | personal-firewall} activate .........234
[no] {ipv4 | ipv4_cidr | ipv4_range | wildcard_domainname | tld} .......193
[no] aaa authentication default member1 [member2] [member3] [member4] ....221...
[no] app-watch-dog console-print {always|once} .........294
[no] app-watch-dog cpu-threshold min <1..100> max <1..100> ......294
[no] app-watch-dog disk-threshold min <1..100> max <1..100> ......294
[no] app-watch-dog interval <6..300> ...........294
[no] app-watch-dog mem-threshold min <1..100> max <1..100> ......294
[no] app-watch-dog retry-count <1..5> ..........294
[no] app-watch-dog sys-reboot ............294...
{ALL|address_object} zone {ALL|zone_object} action {accept|deny} ....251
ip http server table {admin|user} rule move rule_number to rule_number ....251
ip http-redirect activate description ..........124
ip http-redirect deactivate description ..........125
ip http-redirect description interface interface_name redirect-to w.x.y.z <1..65535> ...124
ip http-redirect description interface interface_name redirect-to w.x.y.z <1..65535>...
logging mail <1..2> schedule daily hour <0..23> minute <0..59> ......275
logging mail <1..2> schedule weekly day day hour <0..23> minute <0..59> ....275
logging mail <1..2> sending_now ............275
logging system-log category module_name {disable | level normal | level all} ...273
logging usb-storage category category disable ...........87...
no port <1..x> ................83
no sa spi spi ................183
no sa tunnel-name map_name .............183
no schedule-object object_name ............213
no server-type .................232
no service-object object_name ............210
no slot_name ap-profile ..............55
no smtp-address ................279
no smtp-auth username ..............279
no snmp-server rule rule_number ............257
no sslvpn policy profile_name...
policy {policy_number | append | insert policy_number} .........100
policy default-route ..............101
policy delete policy_number ............101
policy flush ................101
policy list table ..............101
policy move policy_number to policy_number ..........101
port <1..65535> ending-port <1..65535>] ..........231
port <1..65535> ending-port <1..65535>] [program-path program-path] ....231
port status Port<1..x>...
show capwap ap all statistics ............55
show capwap ap ap_mac slot_name detail ..........55
show capwap ap wait-list ..............55
show capwap manual-add ..............55
show capwap station all ..............55
show clock date ................246
show clock status ..............246
show clock time ................246
show comport status ..............44...
show interface {interface_name | ethernet | vlan | bridge | ppp | virtual ethernet | virtual vlan | virtual bridge | all} ............71
show interface ppp system-default ............86
show interface ppp user-define ............86
show interface send statistics interval ..........71
show interface summary all ..............71...
show mac ................44
show mem status .................44
show ntp server ................246
show object-group {address | address6} [group_name] ........208
show object-group service group_name ...........211
show ospf area IP virtual-link ............108
show packet-capture config .............288
show packet-capture config .............289
show packet-capture status .............288...
show reference object-group aaa radius [group_name] ........43
show reference object-group address [object_name] ........43
show reference object-group interface [object_name] ........43
show reference object-group service [object_name] ........43
show reference object-group username [username] .........43
show report [interface_name {ip | service | url}] ........277
show report status ..............277...
show usb-storage ................86
show username [username] ...............201
show users {username | all | current} ..........204
show users default-setting {all | user-type {admin | limited-admin | pre-subscriber | user | guest | ext-user | ext-group-user}} ..........203
show users idle-detection-settings .............204
show users kick-previous-settings...
zone {ALL|zone_object} action {accept|deny} ........257
snmp-server rule move rule_number to rule_number ........257
split-size <1..2048> ..............289
ssid ..................63
sslvpn network-extension local-ip ip ...........185
sslvpn no connection username user_name ..........186
sslvpn policy {profile_name | profile_name append | profile_name insert <1..16>} ..185
sslvpn policy move <1..16>...