ZyXEL Communications UAG Series User Manual

Unified access gateway

UAG Series
Unified Access Gateway
Versions: 2.50, 4.00
Edition 2, 04/2014
Quick Start Guide
CLI Reference Guide
Default Login Details
LAN Port: https://192.168.1.1
User Name: admin
Password: 1234
www.zyxel.com
Copyright © 2011 ZyXEL Communications Corporation
Copyright © 2014 ZyXEL Communications Corporation


Summary of Contents for ZyXEL Communications UAG Series

  • Page 2  IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE. This is a Reference Guide for a series of products. Not all products support all firmware features. Screenshots, graphics and commands in this book may differ slightly from your product due to differences in your product firmware or your computer operating system.
  • Page 3: About This Cli Reference Guide

    About This CLI Reference Guide. Intended Audience: This manual is intended for people who want to configure ZLD-based UAGs via the Command Line Interface (CLI). You should have at least a basic knowledge of TCP/IP networking concepts and topology.
  • Page 4: Document Conventions

    Document Conventions. Warnings and Notes: These are how warnings and notes are shown in this guide. Warnings tell you about things that could harm you or your device. Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
  • Page 5 Document Conventions Server Firewall Telephone Switch Router UAG CLI Reference Guide...
  • Page 6: Table Of Contents

    Contents Overview: Introduction ............................21 Command Line Interface .........................23 User and Privilege Modes ........................36 Reference ............................40 Object Reference ............................42 Status ..............................44 Registration .............................47 AP Management .............................54 Wireless LAN Profiles ..........................57 Interfaces ..............................68 Trunks ..............................90 IP Drop-In ..............................96 Route ...............................99 Routing Protocol ............................106 Zones ..............................
  • Page 7 Contents Overview Content Filtering ............................189 User/Group ............................200 Addresses .............................207 Services ..............................210 Schedules .............................213 AAA Server ............................215 Authentication Objects ..........................221 Certificates ............................224 ISP Accounts ............................229 SSL Application .............................231 Endpoint Security ..........................233 Dynamic Guest Accounts ........................240 System ..............................243 System Remote Management .......................249 File Manager ............................259 Logs ..............................272 Reports and Reboot ..........................277...
  • Page 8: Table Of Contents

    Table of Contents: About This CLI Reference Guide......................3 Document Conventions ........................4 Contents Overview ..........................6 Table of Contents ..........................8 Part I: Introduction ..................21 Chapter 1 Command Line Interface........................23 1.1 Overview ............................23 1.1.1 The Configuration File ......................23 1.2 Accessing the CLI ..........................23 1.2.1 Console Port ..........................24 1.2.2 Web Configurator Console ......................24 1.2.3 Telnet ............................27...
  • Page 9 Table of Contents 1.9 Saving Configuration Changes ......................35 1.10 Logging Out .............................35 Chapter 2 User and Privilege Modes ........................36 2.1 User And Privilege Modes .........................36 2.1.1 Debug Commands ........................37 Part II: Reference ..................... 40 Chapter 3 Object Reference ..........................42 3.1 Object Reference Commands ......................42 3.1.1 Object Reference Command Example ..................43 Chapter 4 Status ..............................44...
  • Page 10 Table of Contents 7.3.1 SSID Profile Example ......................64 7.4 Security Profile Commands .......................64 7.4.1 Security Profile Example ......................66 7.5 MAC Filter Profile Commands ......................66 7.5.1 MAC Filter Profile Example .....................67 Chapter 8 Interfaces.............................68 8.1 Interface Overview ..........................68 8.1.1 Types of Interfaces ........................68 8.1.2 Relationships Between Interfaces ...................69 8.2 Interface General Commands Summary ...................70 8.2.1 Basic Interface Properties and IP Address Commands ............71...
  • Page 11 Table of Contents Chapter 10 IP Drop-In.............................96 10.1 Drop-In Mode Overview ........................96 10.1.1 Drop-In Limitations ........................97 10.2 Drop-In Commands .........................97 Chapter 11 Route..............................99 11.1 Policy Route ............................99 11.2 Policy Route Commands .........................99 11.2.1 Assured Forwarding (AF) PHB for DiffServ .................102 11.2.2 Policy Route Command Example ..................102 11.3 IP Static Route ..........................103 11.4 Static Route Commands ........................104...
  • Page 12 Table of Contents 15.2.1 Virtual Server Command Examples ..................118 15.2.2 Tutorial - How to Allow Public Access to a Server ............... 119 Chapter 16 VPN 1-1 Mapping ..........................120 16.1 VPN 1-1 Mapping Overview ......................120 16.2 VPN 1-1 Mapping Commands ......................120 16.2.1 vpn-1-1-map pool Sub-commands ..................122 16.2.2 vpn-1-1-map pool Command Examples ................122 16.2.3 vpn-1-1-map rule Sub-commands ..................122...
  • Page 13 Table of Contents 21.2 IP/MAC Binding Commands ......................135 21.3 IP/MAC Binding Commands Example ..................136 Chapter 22 Layer 2 Isolation ..........................137 22.1 Layer 2 Isolation Overview ......................137 22.2 Layer 2 Isolation Commands ......................138 22.2.1 Layer 2 Isolation White List Sub-Commands ..............138 22.3 Layer 2 Isolation Commands Example ..................139 Chapter 23 IPnP..............................140...
  • Page 14 Table of Contents 27.2.2 Firewall Command Examples ....................154 27.3 Session Limit Commands ......................155 Chapter 28 Billing..............................157 28.1 Billing Overview ..........................157 28.2 Billing Commands .........................157 28.2.1 Billing Profile Sub-commands ....................158 28.2.2 Billing Command Example ....................159 Chapter 29 Payment Service ..........................161 29.1 Payment Service Overview ......................161 29.2 Payment-service Commands ......................161 29.2.1 Payment-Service Provider Paypal Sub-commands .............163 29.2.2 Payment-Service Command Example .................163...
  • Page 15 Table of Contents Chapter 34 IPSec VPN............................175 34.1 IPSec VPN Overview ........................175 34.2 IPSec VPN Commands Summary ....................176 34.2.1 IKE SA Commands ......................177 34.2.2 IPSec SA Commands (except Manual Keys) ..............178 34.2.3 IPSec SA Commands (for Manual Keys) ................181 34.2.4 VPN Concentrator Commands ....................181 34.2.5 VPN Configuration Provisioning Commands ...............182 34.2.6 SA Monitor Commands .......................183 Chapter 35...
  • Page 16 Table of Contents Chapter 38 Addresses ............................207 38.1 Address Overview .........................207 38.2 Address Commands Summary .....................207 38.2.1 Address Object Commands ....................208 38.2.2 Address Group Commands ....................208 Chapter 39 Services .............................210 39.1 Services Overview ........................210 39.2 Services Commands Summary .....................210 39.2.1 Service Object Commands ....................210 39.2.2 Service Group Commands ....................
  • Page 17 Table of Contents 43.1 Certificates Overview ........................224 43.2 Certificate Commands ........................224 43.3 Certificates Commands Input Values ....................224 43.4 Certificates Commands Summary ....................225 43.5 Certificates Commands Examples ....................228 Chapter 44 ISP Accounts.............................229 44.1 ISP Accounts Overview .........................229 44.1.1 PPPoE and PPTP Account Commands ................229 Chapter 45 SSL Application ..........................231 45.1 SSL Application Overview ......................231...
  • Page 18 Table of Contents Chapter 49 System Remote Management......................249 49.1 Remote Management Overview ....................249 49.1.1 Remote Management Limitations ..................249 49.1.2 System Timeout ........................249 49.2 Common System Command Input Values ..................250 49.3 HTTP/HTTPS Commands ......................250 49.3.1 HTTP/HTTPS Command Examples ..................252 49.4 SSH ...............................252 49.4.1 SSH Implementation on the UAG ..................252 49.4.2 Requirements for Using SSH ....................252 49.4.3 SSH Commands ........................253...
  • Page 19 Table of Contents 50.8 Notification of a Damaged Recovery Image or Firmware .............267 50.9 Restoring the Recovery Image ......................268 50.10 Restoring the Firmware .......................270 Chapter 51 Logs ..............................272 51.1 Log Commands Summary ......................272 51.1.1 Log Entries Commands .......................272 51.1.2 System Log Commands ......................273 51.1.3 Debug Log Commands ......................274 51.1.4 E-mail Profile Commands ....................275 51.1.5 Console Port Logging Commands ..................276...
  • Page 20 Table of Contents Chapter 57 Watchdog Timer..........................293 57.1 Hardware Watchdog Timer ......................293 57.2 Software Watchdog Timer ......................293 57.3 Application Watchdog ........................294 57.3.1 Application Watchdog Commands Example ................295 List of Commands (Alphabetical)....................297 UAG CLI Reference Guide...
  • Page 21: Introduction

    Introduction...
  • Page 23: Command Line Interface

    Chapter 1 Command Line Interface. This chapter describes how to access and use the CLI (Command Line Interface). 1.1 Overview If you have problems with your UAG, customer support may request that you issue some of these commands to assist them in troubleshooting. Use of undocumented commands or misconfiguration can damage the UAG and possibly render it unusable.
  • Page 24: Console Port

    Chapter 1 Command Line Interface 1.2.1 Console Port The default settings for the console port are as follows. Table 1 Managing the UAG: Console Port SETTING VALUE Speed 115200 bps Data Bits Parity None Stop Bit Flow Control When you turn on your UAG, it performs several internal tests as well as line initialization. You can view the initialization information using the console port.
  • Page 25 Chapter 1 Command Line Interface When you access the CLI using the web console, your computer establishes a SSH (Secure SHell) connection to the UAG. Follow the steps below to access the web console. Log into the web configurator. Click the Console icon in the top-right corner of the web configurator screen.
  • Page 26 Chapter 1 Command Line Interface Note: The default login username is admin. It is case-sensitive. Figure 5 Web Console: Connecting Then, the Password screen appears. Figure 6 Web Console: Password Enter the password for the user name you specified earlier, and click OK. If you enter the password incorrectly, you get an error message, and you may have to close the console window and open it again.
  • Page 27: Telnet

    Chapter 1 Command Line Interface 1.2.3 Telnet Use the following steps to Telnet into your UAG. If your computer is connected to the UAG over the Internet, skip to the next step. Make sure your computer IP address and the UAG IP address are on the same subnet. In Windows, click Start (usually in the bottom left corner) and Run.
  • Page 28: How Commands Are Explained

    Chapter 1 Command Line Interface 1.4 How Commands Are Explained Each chapter explains the commands for one keyword. The chapters are divided into the following sections. 1.4.1 Background Information (Optional) Note: See the User’s Guide for background information about most features. This section provides background information about features that you cannot configure in the web configurator.
  • Page 29: Changing The Password

    Chapter 1 Command Line Interface • range: Enter exactly as it appears, followed by two numbers between 1 and 65535. 1.4.6 Changing the Password It is highly recommended that you change the password for accessing the UAG. See Section 37.2 on page 201 for the appropriate commands.
  • Page 30: Shortcuts And Help

    Chapter 1 Command Line Interface 1.6 Shortcuts and Help 1.6.1 List of Available Commands A list of valid commands can be found by typing [TAB] at the command prompt. To view a list of available commands within a command group, enter <command>...
  • Page 31: Entering Partial Commands

    Chapter 1 Command Line Interface 1.6.3 Entering Partial Commands The CLI does not accept partial or incomplete commands. You may enter a unique part of a command and press [TAB] to have the UAG automatically display the full command. For example, if you enter and press , the full command of automatically...
  • Page 32: Input Values

    Chapter 1 Command Line Interface 1.7 Input Values You can use the ? or [TAB] to get more information about the next input value that is required for a command. In some cases, the next input value is a string whose length and allowable characters may not be displayed in the screen.
  • Page 33 Chapter 1 Command Line Interface Table 3 Input-Value Formats for Strings in CLI Commands (continued) # VALUES LEGAL VALUES e-mail 1-64 alphanumeric or .@_- encryption key 16-64 “0x” or “0X” + 16-64 hexadecimal values 8-32 alphanumeric or ;\|`~!@#$%^&*()_+\\{}':,./<>=- file name 0-31 alphanumeric or _- filter extension...
  • Page 34 Chapter 1 Command Line Interface Table 3 Input-Value Formats for Strings in CLI Commands (continued) # VALUES LEGAL VALUES phone number 1-20 numbers or ,+ preshared key 16-64 “0x” or “0X” + 16-64 hexadecimal values alphanumeric or ;|`~!@#$%^&*()_+\{}':,./<>=- profile name 0-30 alphanumeric or _- first character: letters or _-...
  • Page 35: Ethernet Interfaces

    Chapter 1 Command Line Interface Table 3 Input-Value Formats for Strings in CLI Commands (continued). # VALUES / LEGAL VALUES:
    week-day: sequence, i.e. 1=first, 2=second
    xauth method: 1-31; alphanumeric or _-
    xauth password: 1-31; alphanumeric or ;|`~!@#$%^&*()_+\{}':,./<>=-
    mac address: 0-12 (even hexadecimal number), for example: aa, aabbcc, aabbccddeeff
    1.8 Ethernet Interfaces...
  • Page 36: User And Privilege Modes

    Chapter 2 User and Privilege Modes. This chapter describes how to use these two modes. 2.1 User And Privilege Modes This is the mode you are in when you first log into the CLI. (Do not confuse ‘user mode’ with types of user accounts the UAG uses.)
  • Page 37: Debug Commands

    Chapter 2 User and Privilege Modes Table 4 User (U) and Privilege (P) Mode Commands (continued). COMMAND / MODE / DESCRIPTION:
    exit: Goes to a previous mode or logs out.
    htm: Goes to htm (hardware test module) mode for testing hardware components. You may need to use the htm commands if your customer support engineer asks you to during troubleshooting.
  • Page 38 Chapter 2 User and Privilege Modes Table 5 Debug Commands (continued) COMMAND SYNTAX DESCRIPTION LINUX COMMAND EQUIVALENT Capwap debug commands debug capwap (*) Content Filtering debug commands debug content-filter DNS query related debug commands debug dns-query (*) Dynamic guest debug commands debug dynamic-guest (*) Endpoint security debug commands debug eps...
  • Page 39 Chapter 2 User and Privilege Modes Table 5 Debug Commands (continued) COMMAND SYNTAX DESCRIPTION LINUX COMMAND EQUIVALENT ZLD internal debug commands debug [cmdexec|corefile|ip |kernel|mac-id- rewrite|observer|switch |system|zyinetpkt|zysh-ipt-op] Update server debug command debug update server (*) VPN 1-1 mapping debug commands debug vpn-1-1-map (*) Web authentication debug commands debug web-auth (*) Controller debug commands...
  • Page 40: Reference

    Reference...
  • Page 42: Object Reference

    Chapter 3 Object Reference. This chapter describes how to use object reference commands. 3.1 Object Reference Commands The object reference commands are used to see which configuration settings reference a specific object. You can use this table when you want to delete an object because you have to remove references to the object first.
  • Page 43: Object Reference Command Example

    Chapter 3 Object Reference Table 6 show reference Commands (continued). COMMAND / DESCRIPTION:
    show reference object-group username [username]: Displays which configuration settings reference the specified user group object.
    show reference object-group address [object_name]: Displays which configuration settings reference the specified address group object.
    show reference object-group service: Displays which configuration settings reference the specified service...
  • Page 44: Status

    Chapter 4 Status. This chapter explains some commands you can use to display information about the UAG’s current operational state. Table 7 Status Show Commands. COMMAND / DESCRIPTION:
    show boot status: Displays details about the UAG’s startup state.
    show comport status: Displays whether the console and auxiliary ports are on or off.
    Displays the CPU utilization.
  • Page 45 Chapter 4 Status Here are examples of the commands that display the fan speed, MAC address, memory usage, RAM size, and serial number. Router(config)# show fan-speed FAN1(F00)(rpm): limit(hi)=8000, limit(lo)=1400, max=6115, min=6115, avg=6115 Router(config)# show mac MAC address: 00:00:AA:80:05:58-00:00:AA:80:05:5C Router(config)# show mem status memory usage: 39% Router(config)# show ram-size ram size: 512MB...
  • Page 46 Here are examples of the commands that display the system uptime and model, firmware, and build information.
    Router> show system uptime
    system uptime: 04:18:00
    Router> show version
    ZyXEL Communications Corp.
    model : UAG715
    firmware version: V2.50(AACG.0)
    BM version : 1.22...
  • Page 47: Registration

    Chapter 5 Registration. This chapter introduces myzyxel.com and shows you how to register the UAG for subscription services using commands. 5.1 myZyXEL.com Overview myZyXEL.com is ZyXEL’s online services center where you can register your UAG and manage subscription services available for the UAG. To use a subscription service, you have to register the UAG and activate the corresponding service at myZyXEL.com.
  • Page 48: Maximum Number Of Managed Aps

    Chapter 5 Registration 5.2.2 Maximum Number of Managed APs The UAG is initially configured to support up to one local AP and 8 remote managed APs (such as the NWA5123-NI). You can increase this by subscribing to additional licenses. As of this writing, each license upgrade allows an additional 8 remote managed APs while the maximum number of remote managed APs a single UAG can support is 16.
  • Page 49: Command Examples

    Chapter 5 Registration 5.3.1 Command Examples The following commands allow you to register your device with an existing account or create a new account and register the device at one time, and activate a trial service subscription.
    Router# configure terminal
    Router(config)# device-register username alexctsui password 123456
    Router(config)# service-register service-type trial service content-filter
    The following command displays the account information and whether the device is registered.
  • Page 50: Command Examples

    Chapter 5 Registration 5.4.1 Command Examples The following command displays the service registration status and type and how many days remain before the service expires.
    Router# configure terminal
    Router(config)# show service-register status all
    Service Status Type Count Expiration
    ===============================================================================
    Extension User Licensed standard
    External-AP-Control...
  • Page 51 Chapter 5 Registration Table 11 Country Codes (continued) COUNTRY COUNTRY COUNTRY NAME COUNTRY NAME CODE CODE Congo, Republic of Cook Islands Costa Rica Cote d'Ivoire Croatia/Hrvatska Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic East Timor Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia...
  • Page 52 Chapter 5 Registration Table 11 Country Codes (continued) COUNTRY COUNTRY COUNTRY NAME COUNTRY NAME CODE CODE Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia, Federal State of Moldova, Republic of Monaco Mongolia Montserrat Morocco Mozambique Namibia Nauru Nepal Netherlands Netherlands Antilles...
  • Page 53 Chapter 5 Registration Table 11 Country Codes (continued) COUNTRY COUNTRY COUNTRY NAME COUNTRY NAME CODE CODE Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu US Minor Outlying Islands Uganda Ukraine United Arab Emirates United Kingdom United States Uruguay Uzbekistan Vanuatu...
  • Page 54: Ap Management

    Chapter 6 AP Management. This chapter shows you how to configure wireless AP management options on your UAG. 6.1 AP Management Overview The UAG allows you to remotely manage all of the Access Points (APs) on your network. You can manage a number of APs without having to configure them individually as the UAG automatically handles basic configuration for you.
  • Page 55 Chapter 6 AP Management The following table describes the commands available for AP management. You must use the command to enter the configuration mode before you can use these configure terminal commands. Table 13 Command Summary: AP Management COMMAND DESCRIPTION Adds the specified AP to the UAG for management.
  • Page 56: Ap Management Commands Example

    Chapter 6 AP Management 6.2.1 AP Management Commands Example The following example shows you how to add an AP to the management list, and then edit it.
    Router# show capwap ap wait-list
    index: 1 IP: 192.168.1.35, MAC: 00:11:11:11:11:FE Model: NWA5160N, Description: AP-00:11:11:11:11:FE
    index: 2 IP: 192.168.1.36, MAC: 00:19:CB:00:BB:03 Model: NWA5160N, Description: AP-00:19:CB:00:BB:03...
  • Page 57: Wireless Lan Profiles

    Chapter 7 Wireless LAN Profiles. This chapter shows you how to configure wireless LAN profiles on your UAG. 7.1 Wireless LAN Profiles Overview The managed Access Points designed to work explicitly with your UAG do not have on-board configuration files; you must create “profiles”...
  • Page 58 Chapter 7 Wireless LAN Profiles Table 14 Input Values for General Radio and Monitor Profile Commands (continued) LABEL DESCRIPTION Sets the HT MCS rate. The available rates are: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, wlan_mcs_speed 12, 13, 14, 15.
  • Page 59: Wireless Lan Profiles

    Chapter 7 Wireless LAN Profiles Table 15 Command Summary: Radio Profile (continued). COMMAND / DESCRIPTION: [no] dot11n-disable-coexistence: Fixes the channel bandwidth as 40 MHz. The no command has the AP automatically choose 40 MHz if all the clients support it or 20 MHz if some clients only support 20 MHz.
  • Page 60 Chapter 7 Wireless LAN Profiles Table 15 Command Summary: Radio Profile (continued) COMMAND DESCRIPTION Activates MPDU frame aggregation for this profile. Use the no [no] amsdu parameter to disable it. Mac Service Data Unit (MSDU) aggregation collects Ethernet frames without any of their 802.11n headers and wraps the header-less payload in a single 802.11n MAC header.
  • Page 61: Ap Profile Commands Example

    Chapter 7 Wireless LAN Profiles Table 15 Command Summary: Radio Profile (continued). COMMAND / DESCRIPTION:
    5g-support-speed {disable | wlan_5g_support_speed}: Disables or sets the 5 GHz support rate. The default is 6.0~54.0.
    tx-mask chain_mask: Sets the outgoing chain mask rate.
    rx-mask chain_mask: Sets the incoming chain mask rate.
    Activates HT protection for this profile.
  • Page 62: Ssid Profile Commands

    Chapter 7 Wireless LAN Profiles It will also assign the SSID profile labeled ‘default’ in order to create WLAN VAP (wlan-1-1) functionality within the radio profile.
    Router(config)# wlan-radio-profile RADIO01
    Router(config-profile-radio)# activate
    Router(config-profile-radio)# band 2.4G
    Router(config-profile-radio)# 2g-channel 6
    Router(config-profile-radio)# ch-width 20m
    Router(config-profile-radio)# dtim-period 2
    Router(config-profile-radio)# beacon-interval 100
    Router(config-profile-radio)# ampdu...
  • Page 63 Chapter 7 Wireless LAN Profiles Table 16 Input Values for General SSID Profile Commands (continued) LABEL DESCRIPTION Assigns an existing MAC filter profile to the SSID profile. You may use 1-31 macfilterprofile alphanumeric characters, underscores ( ), or dashes (-), but the first character cannot be a number.
  • Page 64: Ssid Profile Example

    Chapter 7 Wireless LAN Profiles 7.3.1 SSID Profile Example The following example creates an SSID profile with the name ‘ZyXEL’. It makes the assumption that both the security profile (SECURITY01) and the MAC filter profile (MACFILTER01) already exist.
    Router(config)# wlan-ssid-profile SSID01
    Router(config-ssid-radio)# ssid ZyXEL
    Router(config-ssid-radio)# qos wmm
    Router(config-ssid-radio)# data-forward localbridge...
  • Page 65 Chapter 7 Wireless LAN Profiles Table 19 Command Summary: Security Profile (continued) COMMAND DESCRIPTION Sets the WEP encryption strength (64 or 128) and the default wep <64 | 128> default-key <1..4> key value (1 ~ 4). If you select WEP-64 enter 10 hexadecimal digits in the range of “A-F”, “a-f”...
  • Page 66: Security Profile Example

    Chapter 7 Wireless LAN Profiles 7.4.1 Security Profile Example The following example creates a security profile with the name ‘SECURITY01’.
    Router(config)# wlan-security-profile SECURITY01
    Router(config-security-profile)# mode wpa2
    Router(config-security-profile)# wpa-encrypt aes
    Router(config-security-profile)# wpa-psk 12345678
    Router(config-security-profile)# idle 3600
    Router(config-security-profile)# reauth 1800
    Router(config-security-profile)# group-key 1800
    Router(config-security-profile)# exit
    Router(config)#
    7.5 MAC Filter Profile Commands...
  • Page 67: Mac Filter Profile Example

    Chapter 7 Wireless LAN Profiles 7.5.1 MAC Filter Profile Example The following example creates a MAC filter profile with the name ‘MACFILTER01’.
    Router(config)# wlan-macfilter-profile MACFILTER01
    Router(config-macfilter-profile)# filter-action deny
    Router(config-macfilter-profile)# MAC 01:02:03:04:05:06 description MAC01
    Router(config-macfilter-profile)# MAC 01:02:03:04:05:07 description MAC02
    Router(config-macfilter-profile)# MAC 01:02:03:04:05:08 description MAC03
    Router(config-macfilter-profile)# exit
    Router(config)#...
  • Page 68: Interfaces

    Chapter 8 Interfaces. This chapter shows you how to use interface-related commands. 8.1 Interface Overview In general, an interface has the following characteristics. • An interface is a logical entity through which (layer-3) packets pass. • An interface is bound to a physical port or another interface. •...
  • Page 69: Relationships Between Interfaces

    Chapter 8 Interfaces Port groups, and trunks have a lot of characteristics that are specific to each type of interface. These characteristics are listed in the following tables and discussed in more detail farther on. Table 22 Ethernet, VLAN, Bridge, PPP, and Virtual Interface Characteristics CHARACTERISTICS ETHERNET ETHERNET...
  • Page 70: Trunks

    Chapter 8 Interfaces Table 23 Relationships Between Different Types of Interfaces (continued). INTERFACE / REQUIRED PORT OR INTERFACE:
    virtual interface: (virtual Ethernet interface) Ethernet interface*; (virtual VLAN interface) VLAN interface*; (virtual bridge interface) bridge interface
    trunk: Ethernet interface, VLAN interface, bridge interface, PPPoE/PPTP interface
    * - You cannot set up a PPPoE/PPTP interface, virtual Ethernet interface, or virtual VLAN interface if the underlying interface is a member of a bridge.
  • Page 71: Basic Interface Properties And Ip Address Commands

    Chapter 8 Interfaces 8.2.1 Basic Interface Properties and IP Address Commands This table lists basic properties and IP address commands. Table 25 interface General Commands: Basic Properties and IP Address Assignment. COMMAND / DESCRIPTION: show interface {ethernet | vlan | bridge | ppp | auxiliary} status: Displays the connection status of the specified type of interfaces. Displays information about the specified interface, specified type of...
  • Page 72: Route

    Chapter 8 Interfaces Table 25 interface General Commands: Basic Properties and IP Address Assignment (continued). COMMAND / DESCRIPTION:
    traffic-prioritize {tcp-ack|content-filter|dns|ipsec-vpn|ssl-vpn} deactivate: Turns off traffic priority settings for when the interface sends the specified type of traffic.
    [no] upstream <0..1048576>: Specifies the upstream bandwidth for the specified interface. The...
  • Page 73 Chapter 8 Interfaces This example shows how to modify the name of interface lan2 to “VIP”. First you have to check the interface system name (ge4 in this example) on the UAG. Then change the name and display the result. Router>...
  • Page 74: Dhcp Setting Commands

    Chapter 8 Interfaces This example shows how to restart an interface. You can check all interface names on the UAG. Then use either the system name or user-defined name of an interface (ge4 or Customer in this example) to restart it. Router>...
  • Page 75 Chapter 8 Interfaces Table 26 interface Commands: DHCP Settings (continued) COMMAND DESCRIPTION Specifies the static IP address the UAG should assign. Use this [no] host ip command, along with hardware-address, to create a static DHCP entry. Note: The IP address must be in the same subnet as the interface to which you plan to bind the DHCP pool.
  • Page 76 Chapter 8 Interfaces Table 26 interface Commands: DHCP Settings (continued) COMMAND DESCRIPTION Sets the IP start address and maximum pool size of the specified [no] starting-address ip pool-size DHCP pool. The final pool size is limited by the subnet mask. <1..65535>...
  • Page 77 Chapter 8 Interfaces 8.2.2.1 DHCP Setting Command Examples The following example uses these commands to configure DHCP pool DHCP_TEST. Router# configure terminal Router(config)# ip dhcp pool DHCP_TEST Router(config-ip-dhcp-pool)# network 192.168.1.0 /24 Router(config-ip-dhcp-pool)# domain-name zyxel.com Router(config-ip-dhcp-pool)# first-dns-server 10.1.5.1 Router(config-ip-dhcp-pool)# second-dns-server ge1 1st-dns Router(config-ip-dhcp-pool)# third-dns-server 10.1.5.2 Router(config-ip-dhcp-pool)#...
  • Page 78: Interface Parameter Command Examples

    Chapter 8 Interfaces 8.2.3 Interface Parameter Command Examples This table shows an example of each interface type’s sub-commands. The sub-commands vary for different interface types. Table 27 Examples for Different Interface Parameters:
    ETHERNET: Router(config)# interface wan1 / Router(config-if-wan1)#
    VIRTUAL INTERFACE: Router(config)# interface wan1:1 / Router(config-if-vir)#
    PPPOE/PPTP: Router(config)# interface wan1_ppp / ...
  • Page 79: Ospf Commands

    Chapter 8 Interfaces Table 28 interface Commands: RIP Settings (continued) COMMAND DESCRIPTION Sets the send or receive version to the specified version number. The [no] ip rip {send | receive} version command sets the send or received version to the current global <1..2>...
  • Page 80 Chapter 8 Interfaces Table 29 interface Commands: OSPF Settings (continued) COMMAND DESCRIPTION Sets the number of seconds the UAG waits for “hello” messages from [no] ip ospf dead-interval <1..65535> peer routers before it assumes the peer router is not available and deletes associated routing information.
  • Page 81: Connectivity Check (Ping-Check) Commands

    Chapter 8 Interfaces 8.2.6 Connectivity Check (Ping-check) Commands Use these commands to have an interface regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the UAG stops routing to the gateway.
  • Page 82: Ethernet Interface Specific Commands

    Chapter 8 Interfaces 8.2.6.1 Connectivity Check Command Example The following commands show you how to set the WAN1 interface to use a TCP handshake on port 8080 to check the connection to IP address 1.1.1.2. Router# configure terminal Router(config)# interface wan1 Router(config-if-wan1)# ping-check 1.1.1.2 method tcp port 8080 Router(config-if-wan1)# exit Router(config)# show ping-check...
  • Page 83: Port Grouping Commands

    Chapter 8 Interfaces Table 32 interface Commands: MAC Setting (continued) COMMAND DESCRIPTION type {internal | external | general} Sets which type of network you will connect this interface to. The UAG automatically adds default route and SNAT settings for traffic it routes from internal interfaces to external interfaces;...
  • Page 84: Virtual Interface Specific Commands

    Chapter 8 Interfaces 8.3.2.1 Port Grouping Command Examples The following commands add physical port 5 to interface lan1. Router# configure terminal Router(config)# show port-grouping No. Representative Name Port1 Port2 Port3 Port4 Port5 ========================================================= wan1 wan2 lan1 lan2 Router(config)# port-grouping lan1 Router(config-port-grouping)# port 5 Router(config-port-grouping)# exit Router(config)# show port-grouping...
  • Page 85: Pppoe/Pptp Specific Commands

    Chapter 8 Interfaces gateway 4.6.7.8, upstream bandwidth 345, downstream bandwidth 123, and description “I am vir interface”. Router# configure terminal Router(config)# interface lan1:1 Router(config-if-vir)# ip address 1.2.3.4 255.255.255.0 Router(config-if-vir)# ip gateway 4.6.7.8 Router(config-if-vir)# upstream 345 Router(config-if-vir)# downstream 123 Router(config-if-vir)# description I am vir interface Router(config-if-vir)# exit 8.5 PPPoE/PPTP Specific Commands This section covers commands that are specific to PPPoE/PPTP interfaces.
  • Page 86: Pppoe/Pptp Interface Command Examples

    Chapter 8 Interfaces Table 35 interface Commands: PPPoE/PPTP Interfaces (continued) COMMAND DESCRIPTION Specifies the maximum segment size (MSS) the interface can use. MSS is the [no] mss <536..1452> largest amount of data, specified in bytes, that the interface can handle in a single, unfragmented piece.
  • Page 87: Usb Storage General Commands Example

    Chapter 8 Interfaces Table 36 USB Storage General Commands (continued) COMMAND DESCRIPTION Mounts the connected USB storage device. usb-storage mount Unmounts the connected USB storage device. usb-storage umount Sets to have the UAG log or not log any information about the connected USB [no] logging usb-storage storage device(s) for the system log.
  • Page 88: Vlan Interface Command Examples

    Chapter 8 Interfaces The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 37 Input Values for VLAN Interface Commands LABEL DESCRIPTION interface_name VLAN interface: vlanx, x = 0 - 4094. See Table 24 on page 70 for detailed information about the interface name.
  • Page 89: Bridge Interface Command Examples

    Chapter 8 Interfaces The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 39 Input Values for Bridge Interface Commands LABEL DESCRIPTION The name of the interface. interface_name VLAN interface: vlanx, x = 0 - 4094 bridge interface: brx, x = 0 - N, where N depends on the number of bridge interfaces your UAG model supports.
  • Page 90: Chapter 9 Trunks

    CHAPTER Trunks This chapter shows you how to configure trunks on your UAG. 9.1 Trunks Overview You can group multiple interfaces together into trunks to have multiple connections share the traffic load to increase overall network throughput and enhance network reliability. If one interface’s connection goes down, the UAG sends traffic through another member of the trunk.
  • Page 91: Trunk Commands Input Values

    Chapter 9 Trunks 9.3 Trunk Commands Input Values The following table explains the values you can input with the interface-group commands. Table 41 interface-group Command Input Values LABEL DESCRIPTION group-name A descriptive name for the trunk. The name cannot start with a number. This value is case-sensitive. The name of an interface; it can be an Ethernet, PPP, VLAN or bridge interface.
  • Page 92: Trunk Command Examples

    Chapter 9 Trunks Table 42 interface-group Commands Summary (continued) COMMAND DESCRIPTION show system default-snat Displays whether the UAG enables SNAT or not. The UAG performs SNAT by default for traffic going to or from the WAN interfaces. show system default-interface-group Displays the WAN trunk the UAG first attempts to use. 9.5 Trunk Command Examples The following example creates a weighted round robin trunk for Ethernet interfaces wan1 and...
  • Page 93: Link Sticking

    Chapter 9 Trunks 9.6 Link Sticking You can have the UAG send each local computer’s traffic through a single WAN interface for a specified period of time. This is useful when a redirect server forwards a user request for a file and informs the file server that a particular WAN IP address is requesting the file.
  • Page 94: Link Sticking Command Example

    Chapter 9 Trunks mode before you can use these commands. See Table 41 on page 91 for details about the values you can input with these commands. Table 43 ip load-balancing link-sticking Commands Summary COMMAND DESCRIPTION Turns link sticking on or off. [no] ip load-balancing link-sticking activate Sets for how many seconds (30-3600) the UAG sends all of each [no] ip load-balancing link-sticking timeout...
  • Page 96: Chapter 10 Ip Drop-In

    CHAPTER IP Drop-In This chapter explains some commands you can use to set the UAG interfaces to work in drop-in mode. 10.1 Drop-In Mode Overview When the UAG is in drop-in mode, you can deploy it in your existing network without changing the network architecture and use its multiple WAN feature to connect to more than one ISP.
  • Page 97: Drop-In Limitations

    Chapter 10 IP Drop-In 10.1.1 Drop-In Limitations • The interfaces in drop-in mode cannot join the port group of the interfaces that are not in drop-in mode. But other interfaces can join a drop-in interface’s port group. • The interfaces in drop-in mode cannot be part of a bridge interface. •...
  • Page 98 Chapter 10 IP Drop-In The following example shows you how to set the drop-in WAN interface and LAN interface, set a WAN host, turn on the drop-in mode and show the settings. Router> configure terminal Router(config)# ip drop-in Router(drop-in)# wan-host 10.1.2.3 Router(drop-in)# wan-interface wan1 lan-interface lan1 Router(drop-in)# activate Router(drop-in)# exit...
  • Page 99: Chapter 11 Route

    CHAPTER Route This chapter shows you how to configure policies for IP routing and static routes on your UAG. 11.1 Policy Route Traditionally, routing is based on the destination address only and the UAG takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
  • Page 100 Chapter 11 Route The following table describes the commands available for policy route. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 47 Command Summary: Policy Route COMMAND DESCRIPTION [no] bwm activate Globally enables bandwidth management. You must globally activate bandwidth management to have individual policy routes apply bandwidth management.
  • Page 101 Chapter 11 Route Table 47 Command Summary: Policy Route (continued) COMMAND DESCRIPTION exit Leaves the sub-command mode. [no] interface interface_name Sets the interface on which the incoming packets are received. The no command resets the incoming interface to the default (all interfaces).
  • Page 102: Assured Forwarding (Af) Phb For Diffserv

    Chapter 11 Route Table 47 Command Summary: Policy Route (continued) COMMAND DESCRIPTION [no] policy controll-virtual-server-rules activate Gives policy routes priority over NAT virtual server rules (1-1 SNAT). Use the no command to give NAT virtual server rules priority over policy routes. show bwm activation Displays whether or not the global setting for bandwidth management on the UAG is enabled.
  • Page 103: Ip Static Route

    Chapter 11 Route through the interface wan1 to the next-hop router GW_1. This route uses the IP address of the outgoing interface as the matched packets’ source IP address. Router(config)# address-object TW_SUBNET 192.168.2.0 255.255.255.0 Router(config)# address-object GW_1 192.168.2.250 Router(config)# policy insert 1 Router(policy-route)# description example Router(policy-route)# destination any Router(policy-route)# interface ge1...
  • Page 104: Static Route Commands

    Chapter 11 Route a route through the same gateway R1 (via gateway R2). The static routes are for you to tell the UAG about the networks beyond the network connected to the UAG directly. Figure 15 Example of Static Routing Topology 11.4 Static Route Commands The following table describes the commands available for static route.
  • Page 105: Static Route Commands Examples

    Chapter 11 Route 11.4.1 Static Route Commands Examples The following command sets a static route with IP address 10.10.10.0 and subnet mask 255.255.255.0 and with the next-hop interface wan1. Then use the show command to display the setting. Router(config)# ip route 10.10.10.0 255.255.255.0 wan1 Router(config)# Router(config)# show ip route-settings Route...
  • Page 106: Chapter 12 Routing Protocol

    CHAPTER Routing Protocol This chapter describes how to set up RIP and OSPF routing protocols for the UAG. 12.1 Routing Protocol Overview Routing protocols give the UAG routing information about the network from other routers. The UAG then stores this routing information in the routing table, which it uses when it makes routing decisions.
  • Page 107: Rip Commands

    Chapter 12 Routing Protocol 12.2.1 RIP Commands This table lists the commands for RIP. Table 52 router Commands: RIP COMMAND DESCRIPTION router rip Enters sub-command mode. [no] network interface_name Enables RIP on the specified Ethernet interface. The no command disables RIP on the specified interface. [no] redistribute {static | ospf} Enables redistribution of routing information learned from the specified source.
  • Page 108: Ospf Area Commands

    Chapter 12 Routing Protocol 12.2.3 OSPF Area Commands This table lists the commands for OSPF areas. Table 54 router Commands: OSPF Areas COMMAND DESCRIPTION router ospf Enters sub-command mode. [no] network interface area IP Adds the specified interface to the specified area. The no command removes the specified interface from the specified area.
  • Page 109: Learned Routing Information Commands

    Chapter 12 Routing Protocol 12.2.5 Learned Routing Information Commands This table lists the commands to look at learned routing information. Table 56 ip route Commands: Learned Routing Information COMMAND DESCRIPTION Displays learned routing and other routing show ip route [kernel | connected | static | ospf | rip | information.
  • Page 110: Chapter 13 Zones

    CHAPTER Zones Set up zones to configure network security and network policies in the UAG. 13.1 Zones Overview A zone is a group of interfaces and VPN tunnels. The UAG uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote management. Zones cannot overlap.
  • Page 111: Zone Commands Summary

    Chapter 13 Zones 13.2 Zone Commands Summary The following table describes the values required for many zone commands. Other values are discussed with the corresponding commands. Table 57 Input Values for Zone Commands LABEL DESCRIPTION profile_name The name of a zone, or the name of a VPN tunnel. Use up to 31 characters (a-zA-Z0-9_-).
  • Page 112: Zone Command Examples

    Chapter 13 Zones 13.2.1 Zone Command Examples The following commands add interfaces vlan123 and vlan234 to zone A and block intra-zone traffic. Router# configure terminal Router(config)# zone A Router(zone)# interface vlan123 Router(zone)# interface vlan234 Router(zone)# block Router(zone)# exit Router(config)# show zone No.
  • Page 113: Chapter 14 Ddns

    CHAPTER DDNS This chapter describes how to configure dynamic DNS (DDNS) services for the UAG. 14.1 DDNS Overview DNS maps a domain name to a corresponding IP address and vice versa. Similarly, dynamic DNS maps a domain name to a dynamic IP address. As a result, anyone can use the domain name to contact you (in NetMeeting, CU-SeeMe, etc.) or to access your FTP server or Web site, regardless of the current IP address.
  • Page 114: Ddns Commands Summary

    Chapter 14 DDNS 14.2 DDNS Commands Summary The following table describes the values required for many DDNS commands. Other values are discussed with the corresponding commands. Table 60 Input Values for DDNS Commands LABEL DESCRIPTION profile_name The name of the DDNS profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 115 Chapter 14 DDNS Table 61 ip ddns Commands (continued) COMMAND DESCRIPTION [no] backup-iface interface_name Sets the backup WAN interface in the specified DDNS profile. The no command clears it. [no] ha-iface interface_name Sets the HA interface in the specified DDNS profile. The no command clears it.
  • Page 116: Virtual Servers

    CHAPTER Virtual Servers This chapter describes how to set up, manage, and remove virtual servers. Virtual server commands configure NAT. 15.1 Virtual Server Overview Virtual server is also known as port forwarding or port translation. Virtual servers are computers on a private network behind the UAG that you want to make available outside the private network.
  • Page 117 Chapter 15 Virtual Servers The following table lists the virtual server commands. Table 63 ip virtual-server Commands COMMAND DESCRIPTION show ip virtual-server [profile_name] Displays information about the specified virtual server or about all the virtual servers. Deletes the specified virtual server. no ip virtual-server profile_name Creates or modifies the specified virtual server and maps the specified ip virtual-server profile_name...
  • Page 118: Virtual Server Command Examples

    Chapter 15 Virtual Servers Table 63 ip virtual-server Commands (continued) COMMAND DESCRIPTION Creates or modifies the specified virtual server and maps the specified ip virtual-server profile_name (destination IP address, protocol, and service object) to the specified interface interface_name original-ip (destination IP address and service object).
  • Page 119: Tutorial - How To Allow Public Access To A Server

    Chapter 15 Virtual Servers 15.2.2 Tutorial - How to Allow Public Access to a Server This is an example of making an HTTP (web) server in the DMZ zone accessible from the Internet (the WAN zone). You will use a public IP address of 1.1.1.2 on the wan1 interface and map it to the HTTP server’s private IP address of 192.168.3.7.
  • Page 120: Vpn 1-1 Mapping

    CHAPTER VPN 1-1 Mapping This chapter shows you how to configure VPN 1-1 mapping on your UAG. 16.1 VPN 1-1 Mapping Overview VPN 1-1 mapping allows an authenticated user in your network to access the Internet or an external server using a public IP address different from the one used by the UAG’s WAN interface. With VPN 1-1 mapping, each user that logs into the UAG and matches a pre-configured mapping rule can obtain an individual public IP address.
  • Page 121 Chapter 16 VPN 1-1 Mapping The following table describes the commands available for VPN 1-1 mapping. You must use the configure terminal command to enter the configuration mode before you can use the configuration commands. Table 65 Command Summary: vpn-1-1-map COMMAND DESCRIPTION Enables VPN 1-1 mapping on the UAG.
  • Page 122: Vpn-1-1-Map Pool Sub-Commands

    Chapter 16 VPN 1-1 Mapping 16.2.1 vpn-1-1-map pool Sub-commands The following table describes the sub-commands for the vpn-1-1-map pool command. Table 66 vpn-1-1-map pool Sub-commands COMMAND DESCRIPTION address address_object Configures the name of the IP address object the profile is set to use. An address object represents the IP address(es) that the UAG can assign to the matched users.
  • Page 123: Vpn-1-1-Map Rule Command Examples

    Chapter 16 VPN 1-1 Mapping Table 67 vpn-1-1-map rule Sub-commands (continued) COMMAND DESCRIPTION [no] pool profile_name Sets the name of the pool profile used by this rule. You can associate up to four pool profiles with a VPN 1-1 mapping rule. The no command removes the specified pool profile.
  • Page 124: Chapter 17 Http Redirect

    CHAPTER HTTP Redirect This chapter shows you how to configure HTTP redirection on your UAG. 17.1 HTTP Redirect Overview HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the UAG) to a web proxy server. 17.1.1 Web Proxy Server A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services.
  • Page 125: Http Redirect Command Examples

    Chapter 17 HTTP Redirect Table 69 Command Summary: HTTP Redirect (continued) COMMAND DESCRIPTION ip http-redirect deactivate description Disables a rule with the specified rule name. no ip http-redirect description Removes a rule with the specified rule name. ip http-redirect flush Clears all HTTP redirect rules. Displays HTTP redirect settings.
  • Page 126: Chapter 18 Smtp Redirect

    CHAPTER SMTP Redirect This chapter shows you how to configure SMTP redirection on your UAG. 18.1 SMTP Redirect Overview SMTP redirect forwards the authenticated client’s SMTP message to an SMTP server that handles all outgoing e-mail messages. The UAG forwards SMTP traffic using TCP port 25. 18.1.1 SMTP Simple Mail Transfer Protocol (SMTP) is the Internet’s message transport standard.
  • Page 127: Smtp-Redirect Sub-Commands

    Chapter 18 SMTP Redirect The following table describes the commands available for SMTP redirection. You must use the configure terminal command to enter the configuration mode before you can use the configuration commands. Table 71 Command Summary: SMTP Redirect COMMAND DESCRIPTION [no] smtp-redirect <1..16> Enters the smtp-redirect sub-command mode to set an SMTP redirect...
  • Page 128: Smtp Redirect Command Examples

    Chapter 18 SMTP Redirect 18.2.2 SMTP Redirect Command Examples The following commands create an SMTP redirect rule, enable it and display the settings. Router# configure terminal Router(config)# smtp-redirect 1 Router(smtp-redirect)# activate Router(smtp-redirect)# interface lan2 Router(smtp-redirect)# server smtp.zyxel.com.tw Router(smtp-redirect)# source lan1_1 Router(smtp-redirect)# user admin Router(smtp-redirect)# exit Router(config)# show smtp-redirect...
  • Page 129: Chapter 19 Alg

    CHAPTER ALG This chapter covers how to use the UAG’s ALG feature to allow certain applications to pass through the UAG. 19.1 ALG Introduction The UAG can function as an Application Layer Gateway (ALG) to allow certain NAT un-friendly applications (such as SIP) to operate properly through the UAG’s NAT. Some applications cannot operate through NAT (are NAT un-friendly) because they embed IP addresses and port numbers in their packets’...
  • Page 130: Alg Commands

    Chapter 19 ALG 19.2 ALG Commands The following table lists the commands. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 73 alg Commands COMMAND DESCRIPTION [no] alg sip [inactivity-timeout | signal-port Turns on or configures the ALG. Use inactivity-timeout to have the UAG apply SIP media and signaling...
  • Page 131: Alg Commands Example

    Chapter 19 ALG 19.3 ALG Commands Example The following example turns on pass through for SIP and turns it off for H.323. Router# configure terminal Router(config)# alg sip Router(config)# no alg h323
  • Page 132: Chapter 20 Upnp

    CHAPTER UPnP 20.1 UPnP and NAT-PMP Overview The UAG supports both UPnP and NAT-PMP to permit networking devices to discover each other and connect seamlessly. Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
  • Page 133: Upnp & Nat-Pmp Commands Example

    Chapter 20 UPnP Table 74 ip upnp Commands (continued) COMMAND DESCRIPTION [no] nat-pmp activate Enables NAT-PMP on the UAG. The no command disables NAT-PMP on the UAG. [no] upnp-igd activate Enables UPnP on the UAG. The no command disables UPnP on the UAG. Removes all or a specific port mapping rule.
  • Page 134 Chapter 20 UPnP The following example displays the UAG’s port mapping entries and removes the entry with the specified port number and protocol type. Router# configure terminal Router(config) # show ip upnp port-mapping No: 0 Remote Host: (null) Client Type: upnp External Port: 1122 Protocol: tcp Internal Port: 1122...
  • Page 135: Chapter 21 Ip/Mac Binding

    CHAPTER IP/MAC Binding 21.1 IP/MAC Binding Overview IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The UAG uses DHCP to assign IP addresses and records the MAC address to which it assigned each IP address.
  • Page 136: Ip/Mac Binding Commands Example

    Chapter 21 IP/MAC Binding 21.3 IP/MAC Binding Commands Example The following example enables IP/MAC binding on the lan1 interface and displays the interface’s IP/ MAC binding status. Router# configure terminal Router(config)# ip ip-mac-binding lan1 activate Router(config)# show ip ip-mac-binding lan1 Name: lan1 Status: Enable Log: No...
  • Page 137: Chapter 22 Layer 2 Isolation

    CHAPTER Layer 2 Isolation 22.1 Layer 2 Isolation Overview Layer-2 isolation is used to prevent connected devices from communicating with each other in the UAG’s local network(s), on which layer-2 isolation is enabled, except the devices in the white list. Note: Layer-2 isolation does not check the wireless traffic.
  • Page 138: Layer 2 Isolation Commands

    Chapter 22 Layer 2 Isolation 22.2 Layer 2 Isolation Commands The following table lists the l2-isolation commands. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 76 l2-isolation Commands COMMAND DESCRIPTION Enters the layer 2 isolation sub-command mode to enable Layer-2 isolation l2-isolation...
  • Page 139: Layer 2 Isolation Commands Example

    Chapter 22 Layer 2 Isolation 22.3 Layer 2 Isolation Commands Example The following example enables Layer-2 isolation on the UAG and interface lan2. It also creates a rule in the white list to allow access to the device with IP address 172.17.0.66. It then displays the Layer-2 isolation settings.
  • Page 140: Chapter 23 Ipnp

    CHAPTER IPnP 23.1 IPnP Overview IP Plug and Play (IPnP) allows a computer to access the Internet without changing the network settings (such as IP address and subnet mask) of the computer, even when the IP addresses of the computer and the UAG are not in the same subnet. When you disable the IPnP feature, only computers with dynamic IP addresses or static IP addresses in the same subnet as the UAG’s LAN IP address can connect to the UAG or access the Internet through the UAG.
  • Page 141: Ipnp Commands Example

    Chapter 23 IPnP 23.3 IPnP Commands Example The following example enables IPnP on the UAG and interface lan1. It also displays the IPnP settings. Router# configure terminal Router(config)# ip ipnp activate Router(config)# ip ipnp config Router(ipnp)# interface lan1 Router(ipnp)# exit Router(config)# show ip ipnp activation IPnP Status: yes Router(config)# show ip ipnp interface...
  • Page 142: Chapter 24 Web Authentication

    CHAPTER Web Authentication 24.1 Web Authentication Overview Web authentication can intercept network traffic, according to the authentication policies, until the user authenticates his or her connection, usually through a specifically designated login web page. This means all web page requests can initially be redirected to a special web page that requires users to authenticate their sessions.
  • Page 143: Web-Auth Login Setting Sub-Commands

    Chapter 24 Web Authentication Table 79 web-auth Commands (continued) COMMAND DESCRIPTION web-auth policy append Creates a new condition for forcing user authentication at the end of the current list and enters sub-command mode. See Table 81 on page 145 for the sub-commands. web-auth policy insert <1..1024> Creates a new condition for forcing user authentication at the specified...
  • Page 144 Chapter 24 Web Authentication Table 80 web-auth login setting Sub-commands (continued) COMMAND DESCRIPTION [no] internal-welcome-url url Sets the welcome page’s URL when you select to use the default login page built into the UAG; for example, http://IIS server IP Address/welcome.html. You can use up to 255 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%) in quotes.
  • Page 145: Web-Auth Policy Sub-Commands

    Chapter 24 Web Authentication 24.2.2 web-auth policy Sub-commands The following table describes the sub-commands for several web-auth policy commands. Note that not all rule commands use all the sub-commands listed here. Table 81 web-auth policy Sub-commands COMMAND DESCRIPTION [no] activate Activates the specified condition. The no command deactivates the specified condition.
  • Page 146: Web-Auth User-Agreement Sub-Commands

    Chapter 24 Web Authentication 24.2.3 web-auth user-agreement Sub-commands The following table describes the sub-commands for several web-auth user-agreement commands. Note that not all rule commands use all the sub-commands listed here. Table 82 web-auth user-agreement Sub-commands COMMAND DESCRIPTION [no] agreement-url url Sets the user agreement page’s URL; for example, http://IIS server IP Address/logout.html.
  • Page 147 Chapter 24 Web Authentication • endpoint security object: use “EPS-WinXP” and “EPS-WinVista” for the first and second checking EPS objects Router# configure terminal Router(config)# web-auth policy insert 1 Router(config-web-auth-1)# activate Router(config-web-auth-1)# description EPS-on-LAN Router(config-web-auth-1)# source LAN1_SUBNET Router(config-web-auth-1)# destination DMZ_Servers Router(config-web-auth-1)# authentication force Router(config-web-auth-1)# no schedule Router(config-web-auth-1)# eps activate Router(config-web-auth-1)# eps 1 EPS-WinXP...
  • Page 148: Chapter 25 Walled Garden

    CHAPTER Walled Garden 25.1 Walled Garden Overview A user must log in before the UAG allows the user’s access to the Internet. However, with a walled garden, you can define one or more web site addresses that all users can access without logging in. These can be used for advertisements, for example.
  • Page 149: Walled-Garden Rule Sub-Commands

    Chapter 25 Walled Garden 25.2.1 walled-garden rule Sub-commands The following table describes the sub-commands for several walled-garden rule commands. Note that not all rule commands use all the sub-commands listed here. Table 84 walled-garden rule Sub-commands COMMAND DESCRIPTION Enables this entry. The no command disables the entry.
  • Page 150: Chapter 26 Advertisement

    CHAPTER Advertisement 26.1 Advertisement Overview You can set the UAG to display an advertisement web page as the first web page whenever the user connects to the Internet. 26.2 Advertisement Commands This table lists the advertisement commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
  • Page 151: Chapter 27 Firewall

    CHAPTER Firewall This chapter introduces the UAG’s firewall and shows you how to configure your UAG’s firewall. 27.1 Firewall Overview The UAG’s firewall is a stateful inspection firewall. The UAG restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
  • Page 152: Firewall Commands

    Chapter 27 Firewall 27.2 Firewall Commands The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 86 Input Values for General Firewall Commands LABEL DESCRIPTION address_object The name of the IP address (or address group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character...
  • Page 153 Chapter 27 Firewall Table 87 Command Summary: Firewall (continued) COMMAND DESCRIPTION firewall profile_name {zone_object|Device} delete <1..5000> Removes a direction specific through-Device rule or to-Device rule. <1..5000>: the index number in a direction specific firewall rule list. firewall profile_name {zone_object|Device} flush Removes all direction specific through-Device rules or to-Device rules.
  • Page 154: Firewall Sub-Commands

    Chapter 27 Firewall 27.2.1 Firewall Sub-Commands The following table describes the sub-commands for several firewall commands. Table 88 firewall Sub-commands COMMAND DESCRIPTION action {allow|deny|reject} Sets the action the UAG takes when packets match this rule. [no] activate Enables a firewall rule. The no command disables the firewall rule.
  • Page 155: Session Limit Commands

    Chapter 27 Firewall The following example shows you how to add an IPv4 firewall rule to allow a MyService connection from the WAN zone to the IP addresses Dest_1 in the LAN zone. • Enter configuration command mode. • Create an IP address object. •...
  • Page 156 Chapter 27 Firewall The following table describes the session-limit commands. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 90 Command Summary: Session Limit COMMAND DESCRIPTION [no] session-limit activate Turns the session-limit feature on or off. Sets the default number of concurrent NAT/firewall sessions per host.
  • Page 157: Chapter 28 Billing

    CHAPTER Billing 28.1 Billing Overview You can use the built-in billing function to set up billing profiles. A billing profile describes how to charge users. This chapter also shows you how to select an accounting method or configure a discount price plan. 28.2 Billing Commands This table lists the billing commands.
  • Page 158: Billing Profile Sub-Commands

    Chapter 28 Billing Table 91 billing Commands (continued) COMMAND DESCRIPTION [no] billing discount unit <2..10> price price Creates a new discount level by setting the duration of the billing period that should be reached before the UAG charges users at this level and defining this level’s charge per time unit.
  • Page 159: Billing Command Example

    Chapter 28 Billing
    28.2.2 Billing Command Example
    This example sets the accounting method to time-to-finish and configures the idle timeout that elapses before the UAG disconnects a user.
      Router# configure terminal
      Router(config)# billing accounting-method time-to-finish
      Router(config)# billing accumulation idle-detection timeout 30
      Router(config)#
    This example enables and creates a custom discount pricing plan.
  • Page 160 Chapter 28 Billing
    plan settings, that is, the billing profile settings for button A when it is selected as the button to assign the base charge.
      Router# configure terminal
      Router(config)# printer-manager button a billing_1hour
      Router(config)# show billing discount default rule
      Conditions  Unit  Unit price...
  • Page 161: Chapter 29 Payment Service

    Chapter 29 Payment Service
    29.1 Payment Service Overview
    The online payment service allows users to purchase access time online with a credit card. You must register with the supported credit card service before you can configure the UAG to handle credit card transactions.
    29.2 Payment-service Commands
    The following table identifies the values required for many of these commands.
  • Page 162 Chapter 29 Payment Service
    Table 94 payment-service Commands (continued)
    [no] payment-service page-customization
      Sets the UAG to use a custom online payment service page. You can customize the online payment service pages that display after an unauthorized user clicks the link in the Web Configurator login screen to purchase access time. The no command sets the UAG to use the default online payment service page built into the device.
  • Page 163: Payment-Service Provider Paypal Sub-Commands

    Chapter 29 Payment Service
    29.2.1 Payment-Service Provider Paypal Sub-commands
    The following table describes the sub-commands for the payment-service provider paypal command.
    Table 95 payment-service provider paypal Sub-commands
    [no] account e-mail
      Sets your PayPal account name. You should already have a PayPal account to receive credit card payments.
  • Page 164: Chapter 30 Printer Manager

    Chapter 30 Printer Manager
    30.1 Printer Manager Overview
    You can create dynamic guest accounts and print guest account information by pressing the button on an external statement printer, such as the SP350E. Make sure that the printer is connected to the appropriate power and to the UAG, and that there is printing paper in the printer. Refer to the printer's documentation for details.
  • Page 165: Printer-Manager Printer Sub-Commands

    Chapter 30 Printer Manager
    Table 96 printer-manager Commands (continued)
    show printer-manager printer [<1..10>]
      Displays settings of all printers, or of the specified printer, that can be managed by the UAG.
    show printer-manager printer-status
      Displays information about the printers that are connected and can be managed by the UAG.
  • Page 166: Chapter 31 Free Time

    Chapter 31 Free Time
    31.1 Free Time Overview
    With Free Time, the UAG can create dynamic guest accounts that allow users to browse the Internet free of charge for a specified period of time.
    31.2 Free-Time Commands
    The following table lists the free-time commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
  • Page 167: Free-Time Commands Example

    Chapter 31 Free Time
    31.3 Free-Time Commands Example
    The following example enables the free time feature and sets the UAG to provide user account information in the web screen and also to send account information via SMS text messages. It then displays the free time settings.
  • Page 168: Chapter 32 Sms

    Chapter 32 SMS
    32.1 SMS Overview
    The UAG supports Short Message Service (SMS) to send short text messages to mobile phone devices. At the time of writing, the UAG uses ViaNett as the SMS gateway to help forward SMS messages. You must already have a ViaNett account in order to use the SMS service.
    32.2 SMS Commands
    The following table lists the sms-service commands.
  • Page 169: Sms Commands Example

    Chapter 32 SMS
    32.3 SMS Commands Example
    The following example enables the SMS service on the UAG and configures the ViaNett account information. It then displays the SMS settings.
      Router# configure terminal
      Router(config)# sms-service activate
      Router(config)# sms-service provider vianett
      Router(sms-service-vianett)# username test@example.com
      Router(sms-service-vianett)# password 12345
      Router(sms-service-vianett)# exit...
  • Page 170: Chapter 33 Bandwidth Management

    Chapter 33 Bandwidth Management
    33.1 Bandwidth Management Overview
    Bandwidth management provides a convenient way to manage the use of various services on the network. It manages general protocols (for example, HTTP and FTP) and applies traffic prioritization to enhance the performance of delay-sensitive applications like voice and video.
    33.1.1 BWM Type
    The UAG supports two types of bandwidth management: shared and per-user.
  • Page 171: Bandwidth Sub-Commands

    Chapter 33 Bandwidth Management
    Table 100 bwm Commands (continued)
    bwm move <1..127> to <1..127>
      Moves a policy to the number that you specified.
    show bwm activation
      Displays whether bandwidth management is enabled.
    show bwm all
      Displays all bandwidth management policies.
    (command truncated in this excerpt)
      Displays the default bandwidth management policy.
  • Page 172 Chapter 33 Bandwidth Management
    Table 101 bwm Sub-commands (continued)
    [no] incoming-interface {interface interface_name | trunk group_name}
      Sets the source interface of the traffic to which this policy applies. interface_name: The name of the interface. This depends on the UAG model. See Table 24 on page 70 for detailed information about the interface name.
  • Page 173 Chapter 33 Bandwidth Management
    Table 101 bwm Sub-commands (continued)
    [no] service service-object {service_name | any}
      Specifies a service or service group to identify the type of traffic to which this policy applies. any: the policy is effective for every service. The no command resets the service to the default (any).
  • Page 174: Bandwidth Management Commands Example

    Chapter 33 Bandwidth Management
    33.3 Bandwidth Management Commands Example
    The following example adds a new bandwidth management policy for trial-users to limit incoming and outgoing bandwidth and sets the traffic priority to 3. It then displays the policy settings.
      Router# configure terminal
      Router(config)# bwm append
      Router(config-bwm append 6)# activate
      Router(config-bwm append 6)# description example...
  • Page 175: Chapter 34 Ipsec Vpn

    Chapter 34 IPSec VPN
    This chapter explains how to set up and maintain IPSec VPNs in the UAG.
    34.1 IPSec VPN Overview
    A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing.
  • Page 176: Ipsec Vpn Commands Summary

    Chapter 34 IPSec VPN
    and remote IPSec router can send data between computers on the local network and remote network. This is illustrated in the following figure.
    Figure 21 VPN: IKE SA and IPSec SA
    In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks.
  • Page 177: Ike Sa Commands

    Chapter 34 IPSec VPN
    Table 102 Input Values for IPSec VPN Commands (continued)
    distinguished_name
      A domain name. You can use up to 511 alphanumeric characters, spaces, or .@=,_- characters.
    sort_order
      Sort the list of currently connected SAs by one of the following classifications: algorithm, encapsulation...
  • Page 178: Ipsec Sa Commands (Except Manual Keys)

    Chapter 34 IPSec VPN
    Table 103 isakmp Commands: IKE SAs (continued)
    group1 | group2 | group5
      Sets the DHx group to the specified group.
    [no] natt
      Enables NAT traversal. The no command disables NAT traversal.
    local-ip {ip {ip | domain_name} | ...
      Sets the local gateway address to the specified IP address, domain name, or interface.
  • Page 179 Chapter 34 IPSec VPN
    Table 104 crypto Commands: IPSec SAs (continued)
    crypto map rename map_name map_name
      Renames the specified IPSec SA (first map_name) to the specified name (second map_name).
    crypto map map_name activate | deactivate
      Activates or deactivates the specified IPSec SA.
    (command truncated in this excerpt)
      Sets a specific number of bytes for the Maximum Segment Size...
  • Page 180 Chapter 34 IPSec VPN
    Table 104 crypto Commands: IPSec SAs (continued)
    [no] nail-up
      Automatically re-negotiates the SA as needed. The no command does not.
    [no] replay-detection
      Enables replay detection. The no command disables it.
    [no] netbios-broadcast
      Enables NetBIOS broadcasts through the IPSec SA. The no command disables NetBIOS broadcasts through the IPSec SA.
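    What replay-detection buys you on an IPSec SA, as an added Python example (not ZyXEL code; the UAG implements this inside its IPSec stack, not in Python). ESP carries a monotonically increasing sequence number under the integrity check; the receiver keeps a sliding window over the most recent sequence numbers and rejects any packet it has already seen, or one too old to fall inside the window. The scheme follows RFC 4303 Appendix A; the 64-packet window size and the sample packet stream are assumptions made for the example. With detection turned off (the no replay-detection case) a captured packet can be re-injected indefinitely.

```python
"""ESP anti-replay sliding window, the mechanism 'replay-detection' enables
for an IPSec SA.  Added example, not ZyXEL code; window size 64 is assumed."""
from typing import List


class AntiReplayWindow:
    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0                      # highest sequence number accepted so far
        self.bitmap = 0                   # bit i set == sequence (top - i) already seen
        self.mask = (1 << size) - 1

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq when it is fresh; False for a replayed
        packet or one older than the window can vouch for."""
        if seq == 0:                      # ESP sequence numbers start at 1
            return False
        if seq > self.top:                # newest packet: slide the window forward
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & self.mask if shift < self.size else 0
            self.bitmap |= 1              # bit 0 is the new top
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:           # older than the window: indistinguishable from a replay
            return False
        if self.bitmap & (1 << offset):   # already received once: replay
            return False
        self.bitmap |= 1 << offset        # reordered but fresh: accept and mark
        return True


def filter_sequence(seqs: List[int], replay_detection: bool = True) -> List[bool]:
    """Accept/reject decision per packet.  With detection off (the 'no
    replay-detection' setting) every packet, including replays, is accepted."""
    if not replay_detection:
        return [True for _ in seqs]
    window = AntiReplayWindow()
    return [window.check_and_update(s) for s in seqs]


# Constructed stream (not from the page): packets 1..10 in order, a replayed
# copy of 5, a jump to 70, a now-too-old 6, a 7 that was already seen before
# the jump, a reordered fresh 20 followed by its replay, and an invalid 0.
SAMPLE_STREAM = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 5, 70, 6, 7, 20, 20, 0]
```

    The window only works because the sequence number is covered by the SA's integrity check; an attacker who could rewrite it would simply bump the counter on a replayed packet. On the UAG both sides must agree: if one peer disables replay-detection, that direction is unprotected regardless of the other peer's setting.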
  • Page 181: Ipsec Sa Commands (For Manual Keys)

    Chapter 34 IPSec VPN
    34.2.3 IPSec SA Commands (for Manual Keys)
    This table lists the additional commands for IPSec SAs using manual keys (VPN connections using manual keys).
    Table 105 crypto map Commands: IPSec SAs (Manual Keys)
    crypto map map_name set session-key {ah <256..4095> ...
      Sets the active protocol, SPI (<256..4095>), authentication key and ...
  • Page 182: Vpn Configuration Provisioning Commands

    Chapter 34 IPSec VPN
    Table 106 vpn-concentrator Commands: VPN Concentrator (continued)
    [no] crypto map_name
      Adds the specified IPSec SA to the specified VPN concentrator. The no command removes the specified IPSec SA from the specified VPN concentrator.
    vpn-concentrator rename profile_name profile_name
      Renames the specified VPN concentrator (first profile_name) to the specified name (second profile_name).
  • Page 183: Sa Monitor Commands

    Chapter 34 IPSec VPN
    34.2.6 SA Monitor Commands
    This table lists the commands for the SA monitor.
    Table 108 sa Commands: SA Monitor
    show sa monitor [{begin ...
      Displays the current IPSec SAs and the status of each one. You can specify a range of SA entries to display.
  • Page 184: Chapter 35 Ssl Vpn

    Chapter 35 SSL VPN
    This chapter shows you how to set up secure SSL VPN access for remote user login.
    35.1 SSL Access Policy
    An SSL access policy allows the UAG to perform the following tasks:
    • limit user access to specific applications or files on the network.
    •...
  • Page 185: Ssl Vpn Commands

    Chapter 35 SSL VPN
    Table 109 Input Values for SSL VPN Commands (continued)
    user_name
      The name of a user (group). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • Page 186: Setting An Ssl Vpn Rule Tutorial

    Chapter 35 SSL VPN
    Table 110 SSL VPN Commands
    [no] eps periodical-check <1..1440>
      Sets the number of minutes after which the UAG repeats the endpoint security check, at a regular interval. The no command disables this setting.
    [no] network-extension {activate | ...
      Use this to configure a VPN tunnel between the authenticated users and the internal network.
  • Page 187 Chapter 35 SSL VPN
    First, configure 10.1.1.254/24 as the IP address of interface wan1, the external interface through which public SSL VPN clients connect. Configure 172.16.10.254/24 as the IP address of interface lan2, the internal network.
      Router(config)# interface wan1
      Router(config-if-ge)# ip address 10.1.1.254 255.255.255.0
      Router(config-if-ge)# exit...
  • Page 188 Chapter 35 SSL VPN
    Display the SSL VPN rule settings.
      Router(config)# show sslvpn policy SSL_VPN_TEST
      index: 1
      active: yes
      name: SSL_VPN_TEST
      description:
      user: tester
      ssl application: none
      network extension: yes
      ip pool: IP-POOL
      dns server 1: DNS1
      dns server 2: DNS2
      wins server 1: none
      wins server 2: none
      network: NETWORK1...
  • Page 189: Chapter 36 Content Filtering

    Chapter 36 Content Filtering
    This chapter covers how to use the content filtering feature to control web access.
    36.1 Content Filtering Overview
    Content filtering allows you to block certain web features, such as cookies, and/or block access to specific web sites. It can also block access to specific categories of web site content. You can create different content filtering policies for different addresses, schedules, users or groups and content filtering profiles.
  • Page 190: Content Filter Command Input Values

    Chapter 36 Content Filtering
    36.5 Content Filter Command Input Values
    The following table explains the values you can input with the content-filter commands.
    Table 111 Content Filter Command Input Values
    policy_number
      The number of the policy <0 - X>, where X depends on the number of content filtering policies the UAG model supports.
  • Page 191: General Content Filter Commands

    Chapter 36 Content Filtering
    Table 111 Content Filter Command Input Values (continued)
    forbid_hosts
      The IP address or domain name of a forbidden web site. Use a host name such as www.bad-site.com in this field. Do not use the complete URL of the site –...
  • Page 192 Chapter 36 Content Filtering
    mode to be able to use these commands. See Table 111 on page 190 for details about the values you can input with these commands.
    Table 112 content-filter General Commands
    (command truncated in this excerpt)
      Turns on content filtering. The no command turns it off.
  • Page 193: Content Filter Filtering Profile Commands

    Chapter 36 Content Filtering
    Table 112 content-filter General Commands (continued)
    [no] {ipv4 | ipv4_cidr | ipv4_range | wildcard_domainname | tld}
      Adds or removes a common trusted or forbidden web site entry.
      ipv4: IPv4 address <W.X.Y.Z>
      ipv4_cidr: IPv4 subnet in CIDR format, e.g. 192.168.1.0/32 <W.X.Y.Z>/<1..32>...
  • Page 194 Chapter 36 Content Filtering
    Table 113 content-filter Filtering Profile Commands Summary (continued)
    content-filter profile filtering_profile custom-list keyword
      Enters the sub-command mode for configuring the content filtering profile's list of forbidden keywords. This has the content filtering profile block access to Web sites whose URLs contain the specified keyword or IP address.
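    How the trusted/forbidden entry types in Table 112 and the keyword list in Table 113 are matched against a request, as an added Python example (not ZyXEL's code). It covers every entry form the tables name (ipv4, ipv4_cidr, ipv4_range, wildcard_domainname, tld) plus substring keywords, and it rejects a full URL as an entry for the reason Table 111 gives: the lists match the host name, not the path. The precedence (trusted first, then forbidden, then keywords), the rule that *.example.com matches sub-domains but not example.com itself, and the sample lists are assumptions for this example.

```python
"""Trusted/forbidden host matching plus keyword blocking, modelled on the
entry types in Tables 112 and 113.  Added example, not ZyXEL code.  The
precedence order and the sub-domain-only wildcard rule are assumptions."""
import ipaddress
from typing import Iterable, Tuple
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Host part of a URL, lower-cased; a bare host name is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def parse_entry(entry: str) -> Tuple[str, object]:
    """Classify one list entry.  A full URL is refused: lists match host names."""
    e = entry.strip().lower()
    if "://" in e or ("/" in e and not e.split("/")[0].replace(".", "").isdigit()):
        raise ValueError("enter a host name or IP entry, not a URL: %r" % entry)
    if e.startswith("*."):
        return ("wildcard", e[1:])                       # wildcard_domainname -> ".example.com"
    if e.startswith("."):
        return ("tld", e)                                # tld -> ".ru"
    if "/" in e:
        return ("cidr", ipaddress.ip_network(e, strict=False))   # ipv4_cidr
    if "-" in e and e.replace("-", "").replace(".", "").isdigit():
        lo, hi = e.split("-", 1)                         # ipv4_range
        return ("range", (ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    try:
        return ("ip", ipaddress.ip_address(e))           # ipv4
    except ValueError:
        return ("host", e)                               # plain host name


def entry_is_valid(entry: str) -> bool:
    try:
        parse_entry(entry)
        return True
    except ValueError:
        return False


def matches(entry: str, host: str) -> bool:
    kind, value = parse_entry(entry)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                                        # host is a name, not a literal IP
    if kind in ("wildcard", "tld"):
        return ip is None and host.endswith(value)
    if kind == "host":
        return host == value
    if ip is None:                                       # IP-type entries never match a name
        return False
    if kind == "ip":
        return ip == value
    if kind == "cidr":
        return ip in value
    lo, hi = value                                       # range
    return ip.version == lo.version and lo <= ip <= hi


def classify(url: str, trusted: Iterable[str], forbidden: Iterable[str],
             keywords: Iterable[str]) -> str:
    """'trusted', 'forbidden', 'keyword' or 'pass' for one request."""
    host = host_of(url)
    if any(matches(e, host) for e in trusted):
        return "trusted"
    if any(matches(e, host) for e in forbidden):
        return "forbidden"
    if any(k.lower() in url.lower() for k in keywords):  # keyword list scans the whole URL
        return "keyword"
    return "pass"


# Constructed sample lists (not from the page).
TRUSTED = ["*.example.com", "10.0.0.0/8"]
FORBIDDEN = ["www.bad-site.com", "203.0.113.10-203.0.113.20", ".ru"]
KEYWORDS = ["casino"]


def check(url: str) -> str:
    return classify(url, TRUSTED, FORBIDDEN, KEYWORDS)
```

    Note what a host-name list cannot do: www.bad-site.com.evil.org is a different host and passes, and a user who reaches the forbidden site by a literal IP is only caught if that address is listed too, which is why the UAG pairs these lists with the category service.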
  • Page 195: Content Filter Url Cache Commands

    Chapter 36 Content Filtering
    Table 113 content-filter Filtering Profile Commands Summary (continued)
    [no] content-filter profile filtering_profile url url-server
      Sets a content filtering profile to use the external web filtering service. The no command has the profile not use the external web filtering service.
    [no] content-filter service-timeout service_timeout
      Sets how many seconds the UAG is to wait for a response from the external content filtering server.
  • Page 196: Content Filtering Statistics

    Chapter 36 Content Filtering
    Use the configure terminal command to enter the configuration mode to be able to use these commands. See Table 111 on page 190 for details about the values you can input with these commands.
    Table 114 content-filter url-cache Commands
    (command truncated in this excerpt)
      Sets how long to keep a content filtering URL cache entry...
  • Page 197: Content Filtering Statistics Example

    Chapter 36 Content Filtering
    36.9.1 Content Filtering Statistics Example
    This example shows how to collect and display content filtering statistics.
      Router(config)# content-filter statistics collect
      Router(config)# show content-filter statistics summary
      total web pages inspected
      web pages warned by category service : 0
      web pages blocked by category service: 0
      web pages blocked by custom service
      restricted web features...
  • Page 198 Chapter 36 Content Filtering
    Activate the customization.
      Router# configure terminal
      Router(config)# address-object sales 172.16.3.0/24
      Router(config)# schedule-object all_day 00:00 23:59
      Router(config)# content-filter profile sales_CF_PROFILE
      Router(config)# content-filter profile sales_CF_PROFILE url category adult-mature-content
      Router(config)# content-filter profile sales_CF_PROFILE url category pornography
      Router(config)# content-filter profile sales_CF_PROFILE url url-server
      Router(config)# content-filter profile sales_CF_PROFILE custom java
      Router(config)# content-filter profile sales_CF_PROFILE custom activex
      Router(config)# content-filter profile sales_CF_PROFILE custom proxy...
  • Page 199 Chapter 36 Content Filtering
    Use this command to display the settings of the profile.
      Router(config)# show content-filter profile sales_CF_PROFILE
      commtouch service active : yes
      url match unsafe: block: no, warn: yes, log:
      url match other : block: yes, warn: no, log:
      url unrate : block: no, warn: yes, log:...
  • Page 200: Chapter 37 User/Group

    Chapter 37 User/Group
    This chapter describes how to set up user accounts, user groups, and user settings for the UAG. You can also set up rules that control when users have to log in to the UAG before the UAG routes traffic for them (see Chapter 24 on page 142).
  • Page 201: User/Group Commands Summary

    Chapter 37 User/Group
    37.2 User/Group Commands Summary
    The following table identifies the values required for many username/groupname commands. Other input values are discussed with the corresponding commands.
    Table 117 username/groupname Command Input Values
    username
      The name of the user (account). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 202: User Group Commands

    Chapter 37 User/Group
    Table 118 username/groupname Commands Summary: Users (continued)
    username username [no] logon-re-auth-time <0..1440>
      Sets the reauthentication time for the specified user. Set it to zero to set unlimited reauthentication time. The no command sets the reauthentication time to thirty minutes (regardless of the current default setting for new users).
  • Page 203: User Setting Commands

    Chapter 37 User/Group
    37.2.3 User Setting Commands
    This table lists the commands for user settings, except for forcing user authentication.
    Table 120 username/groupname Commands Summary: Settings
    show users default-setting {all | user-type ...
      Displays the default lease and reauthentication times for the specified type of user accounts.
  • Page 204: Additional User Commands

    Chapter 37 User/Group
    Table 120 username/groupname Commands Summary: Settings (continued)
    [no] users simultaneous-logon {administration | access | billing-account} enforce
      Enables the limit on the number of simultaneous logins by users of the specified account type. The no command disables the limit, that is, allows an unlimited number of simultaneous logins.
  • Page 205 Chapter 37 User/Group
    37.2.4.1 Additional User Command Examples
    The following commands display the users that are currently logged in to the UAG and force the logout of all logins from a specific IP address.
      Router# configure terminal
      Router(config)# show users all
      No: 0
      Name: admin
      Type: admin...
  • Page 206 Chapter 37 User/Group
    The following commands display the users that are currently locked out and then unlock the user who is displayed.
      Router# configure terminal
      Router(config)# show lockout-users
      Username  Tried From  Lockout Time Remaining
      ===========================================================================
      From  Failed Login Attempt Record  Expired Timer
      ===========================================================================
      1  172.16.1.5
      Router(config)# unlock lockout-users 172.16.1.5...
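    The bookkeeping behind show lockout-users and unlock lockout-users, as an added Python example (not ZyXEL's implementation). Each source address carries a record of recent failed logins that ages out on its own timer (the "Expired Timer" column); once the record fills, the address is locked out for a fixed period (the "Lockout Time Remaining" column) and attempts from it are refused without consulting the password at all, which is what stops an online brute force. The thresholds used here (5 failures inside 5 minutes, 30-minute lockout) and keying purely by source IP are assumptions for the example; the page shows only the record layout and the unlock command.

```python
"""Failed-login records and per-source lockout, modelled on the
show lockout-users / unlock lockout-users commands.  Added example, not
ZyXEL code.  Thresholds and per-IP keying are assumptions for illustration."""
from collections import deque
from typing import Deque, Dict, List, Tuple


class LockoutTable:
    def __init__(self, max_failures: int = 5, failure_window: int = 300,
                 lockout_period: int = 1800) -> None:
        self.max_failures = max_failures
        self.failure_window = failure_window         # seconds a failure stays on record
        self.lockout_period = lockout_period         # seconds a lockout lasts
        self.failures: Dict[str, Deque[float]] = {}  # ip -> timestamps of recent failures
        self.locked_until: Dict[str, float] = {}     # ip -> time the lockout ends

    def _expire(self, ip: str, now: float) -> None:
        """Drop failure records older than the window (the record's expiry timer)."""
        q = self.failures.get(ip)
        while q and now - q[0] >= self.failure_window:
            q.popleft()

    def remaining(self, ip: str, now: float) -> int:
        """Seconds of lockout left for ip; 0 when it is not locked out."""
        until = self.locked_until.get(ip)
        if until is None:
            return 0
        if now >= until:
            del self.locked_until[ip]                # lockout timer ran out
            return 0
        return int(until - now)

    def attempt(self, ip: str, password_ok: bool, now: float) -> str:
        """Process one login attempt: 'locked', 'ok' or 'failed'."""
        if self.remaining(ip, now) > 0:
            return "locked"                          # refused before any password check
        if password_ok:
            self.failures.pop(ip, None)              # success clears the failure record
            return "ok"
        self._expire(ip, now)
        q = self.failures.setdefault(ip, deque())
        q.append(now)
        if len(q) >= self.max_failures:              # record full: lock the source out
            self.locked_until[ip] = now + self.lockout_period
            q.clear()
            return "locked"
        return "failed"

    def unlock(self, ip: str) -> bool:
        """'unlock lockout-users <ip>': True if ip was actually locked out."""
        self.failures.pop(ip, None)
        return self.locked_until.pop(ip, None) is not None

    def show_lockout_users(self, now: float) -> List[Tuple[str, int]]:
        """(ip, seconds remaining) for every source still locked out."""
        return [(ip, self.remaining(ip, now)) for ip in list(self.locked_until)
                if self.remaining(ip, now) > 0]
```

    Keying on the source address is a trade-off: it stops a single host from hammering one account, but an attacker spreading attempts across many addresses never fills one record, and a NAT in front of many legitimate users lets one bad actor lock them all out. Per-account counters on top of the per-IP ones close the first gap; the second is why the unlock command exists.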
  • Page 207: Chapter 38 Addresses

    Chapter 38 Addresses
    This chapter describes how to set up addresses and address groups for the UAG.
    38.1 Address Overview
    Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups. You can create IP address objects based on an interface's IP address, subnet, or gateway.
  • Page 208: Address Object Commands

    Chapter 38 Addresses
    38.2.1 Address Object Commands
    This table lists the commands for address objects.
    Table 123 address-object and address6-object Commands
    show {address-object | address6-object | service-object | schedule-object} [object_name]
      Displays information about the specified object or all the objects of the specified type.
    (command truncated in this excerpt)
      Creates the specified IPv4 address object using the specified...
  • Page 209 Chapter 38 Addresses
    Table 124 object-group Commands: Address Groups (continued)
    [no] address-object object_name
      Adds the specified address to the specified address group. The no command removes the specified address from the specified group.
    [no] object-group group_name
      Adds the specified address group (second group_name) to the specified address group (first group_name).
  • Page 210: Chapter 39 Services

    Chapter 39 Services
    Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features.
    39.1 Services Overview
    See the appendices in the web configurator's User Guide for a list of commonly-used services.
    39.2 Services Commands Summary
    The following table describes the values required for many service object and service group commands.
  • Page 211: Service Group Commands

    Chapter 39 Services
    Table 126 service-object Commands: Service Objects (continued)
    service-object object_name icmp icmp_value
      Creates the specified ICMP message using the specified parameters. icmp_value: <0..255> | alternate-address | conversion-error | echo | echo-reply | information-reply | information-request | mask-reply | mask-request | mobile-redirect | parameter-problem | redirect | router-advertisement | router-solicitation | source-quench | time-exceeded | timestamp-reply |...
  • Page 212 Chapter 39 Services
    Table 127 object-group Commands: Service Groups (continued)
    [no] description description
      Sets the description to the specified value. The no command removes the description. description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
    object-group service rename group_name group_name
      Renames the specified service group from the first group_name to the second group_name.
  • Page 213: Chapter 40 Schedules

    Chapter 40 Schedules
    Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, and content filtering.
    40.1 Schedule Overview
    The UAG supports two types of schedules: one-time and recurring. One-time schedules are effective only once, while recurring schedules usually repeat.
    Note: Schedules are based on the current date and time in the UAG.
  • Page 214: Schedule Command Examples

    Chapter 40 Schedules
    Table 129 schedule Commands (continued)
    schedule-object object_name date time date time
      Creates or updates a one-time schedule. date: yyyy-mm-dd date format; yyyy-<01..12>-<01..31>
    schedule-object object_name time time [day] [day] [day] [day] [day] [day] [day]
      Creates or updates a recurring schedule. day: 3-character day of the week;...
  • Page 215: Chapter 41 Aaa Server

    Chapter 41 AAA Server
    This chapter introduces and shows you how to configure the UAG to use external authentication servers.
    41.1 AAA Server Overview
    You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The following lists the types of authentication server the UAG supports.
    •...
  • Page 216: Ldap-Server Commands

    Chapter 41 AAA Server
    Table 130 ad-server Commands (continued)
    [no] ad-server binddn binddn
      Sets the user name the UAG uses to log into the default AD server. The no command clears this setting.
    [no] ad-server cn-identifier uid
      Sets the unique common name (cn) to identify a record. The no command clears this setting.
  • Page 217: Radius-Server Commands

    Chapter 41 AAA Server
    41.2.3 radius-server Commands
    The following table lists the radius-server commands you use to set the default RADIUS server.
    Table 132 radius-server Commands
    show radius-server
      Displays the default RADIUS server settings.
    [no] radius-server host ...
      Sets the RADIUS server address and service port number. Enter the IP address (in dotted decimal notation) or the domain name of a RADIUS server.
  • Page 218: Aaa Group Server Ldap Commands

    Chapter 41 AAA Server
    Table 133 aaa group server ad Commands (continued)
    [no] server alternative-cn-...
      Sets the second type of identifier that the users can use to log in, if any. For example "name" or "e-mail address". The no command clears this setting.
  • Page 219: Aaa Group Server Radius Commands

    Chapter 41 AAA Server
    Table 134 aaa group server ldap Commands (continued)
    [no] case-sensitive
      Specify whether or not the server checks the username case. Set this to be the same as the server's behavior.
    [no] server alternative-cn-...
      Sets the second type of identifier that the users can use to log in, if any. For example "name"...
  • Page 220: Aaa Group Server Command Example

    Chapter 41 AAA Server
    Table 135 aaa group server radius Commands (continued)
    aaa group server radius group-name
      Enters the sub-command mode.
    [no] case-sensitive
      Specify whether or not the server checks the username case. Set this to be the same as the server's behavior.
    (command truncated in this excerpt)
      Sets the descriptive information for the RADIUS server group.
  • Page 221: Authentication Objects

    Chapter 42 Authentication Objects
    This chapter shows you how to select different authentication methods for user authentication using the AAA servers or the internal user database.
    42.1 Authentication Objects Overview
    After you have created the AAA server objects, you can specify the authentication objects (containing the AAA server information) that the UAG uses to authenticate users (using VPN or managing through HTTP/HTTPS).
  • Page 222: Aaa Authentication Command Example

    Chapter 42 Authentication Objects
    Table 136 aaa authentication Commands (continued)
    [no] aaa authentication profile-name member1 [member2] [member3] [member4]
      Sets the profile to use the authentication method(s) in the order specified. member = group ad, group ldap, group radius, or local.
      Note: You must specify at least one member for each profile.
  • Page 223 Chapter 42 Authentication Objects
    • Bind-dn: zyxel\engineerABC
    • Password: abcdefg
    • Login-name-attribute: sAMAccountName
    The result shows that the account exists on the AD server. Otherwise, the UAG responds with an error.
      Router> test aaa server ad host 172.16.50.1 port 389 base-dn DC=ZyXEL,DC=com bind-dn zyxel\engineerABC password abcdefg login-name-attribute sAMAccountName account userABC
      dn:: Q049MTIzNzco546L5aOr56uRKSxPVT1XaXRoTWFpbCxEQz1aeVhFTCxEQz1jb20=...
  • Page 224: Chapter 43 Certificates

    Chapter 43 Certificates
    This chapter explains how to use the Certificates.
    43.1 Certificates Overview
    The UAG can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner's identity and public key. Certificates provide a way to exchange public keys for use in authentication.
  • Page 225: Certificates Commands Summary

    Chapter 43 Certificates
    Table 138 Certificates Commands Input Values (continued)
    organization
      Identify the company or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
  • Page 226 Chapter 43 Certificates
    Table 139 ca Commands Summary (continued)
    ca validation remote_certificate
      Enters the sub-command mode for validation of certificates signed by the specified remote (trusted) certificates.
    cdp {activate|deactivate}
      Turns certificate revocation checking on or off. When it is turned on, the UAG validates a certificate by getting a Certificate Revocation List (CRL) through HTTP or LDAP (can be...
  • Page 227 Chapter 43 Certificates
    Table 139 ca Commands Summary (continued)
    show ca category {local|remote} name certificate_name certpath
      Displays the certification path of the specified local (my certificates) or remote (trusted certificates) certificate.
    show ca category {local|remote} [name certificate_name format {text|pem}]
      Displays a summary of the certificates in the specified category (local for my certificates or remote for trusted...
  • Page 228: Certificates Commands Examples

    Chapter 43 Certificates
    43.5 Certificates Commands Examples
    The following example creates a self-signed X.509 certificate with IP address 10.0.0.58 as the common name. It uses the RSA key type with a 512-bit key. (A 512-bit RSA modulus can be factored with modest resources today; use at least 2048 bits for anything beyond a lab test.) Then it displays the list of local certificates.
  • Page 229: Isp Accounts

    Chapter 44 ISP Accounts
    Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE and PPTP interfaces.
    44.1 ISP Accounts Overview
    An ISP account is a profile of settings for Internet access using PPPoE or PPTP.
    44.1.1 PPPoE and PPTP Account Commands
    The following table lists the PPPoE and PPTP ISP account commands.
  • Page 230 Chapter 44 ISP Accounts
    Table 140 PPPoE and PPTP ISP Account Commands (continued)
    [no] server ip
      Sets the PPTP server for the specified PPTP ISP account. The no command clears the server name.
    [no] encryption {nomppe | mppe-40 ...
      Sets the encryption for the specified PPTP ISP account. The no command sets the encryption to nomppe, which leaves the PPP traffic in the PPTP tunnel unencrypted.
  • Page 231: Chapter 45 Ssl Application

    Chapter 45 SSL Application
    This chapter describes how to configure SSL application objects for use in SSL VPN.
    45.1 SSL Application Overview
    Configure an SSL application object to specify a service and a corresponding IP address of the server on the local network. You can apply one or more SSL application objects in the VPN > SSL VPN screen for a user account/user group.
  • Page 232: Ssl Application Command Examples

    Chapter 45 SSL Application
    Table 141 SSL Application Object Commands
    server-type weblink url url
      Creates a link to a web site you specify that you expect the SSL VPN users to commonly use. url: Enter the fully qualified domain name (FQDN) or IP address of the application server.
  • Page 233: Chapter 46 Endpoint Security

    Chapter 46 Endpoint Security
    This chapter describes how to configure endpoint security objects for use in authentication policy and SSL VPN.
    46.1 Endpoint Security Overview
    Use Endpoint Security (EPS), also known as endpoint control, to make sure users' computers comply with defined corporate policies before they can access the network or an SSL VPN tunnel. After a successful user authentication, a user's computer must meet the endpoint security object's Operating System (OS) option and security requirements to gain access.
  • Page 234: Endpoint Security Commands Summary

    Chapter 46 Endpoint Security
    Requirements
    User computers must have Sun's Java (Java Runtime Environment or 'JRE') installed and enabled, with a minimum version of 1.4.
    46.1.1 Endpoint Security Commands Summary
    The following table describes the values required for many endpoint security object commands. Other values are discussed with the corresponding commands.
  • Page 235 Chapter 46 Endpoint Security
    Table 143 Endpoint Security Object Commands
    [no] personal-firewall personal_firewall_software
      Sets a permitted personal firewall. If you want to enter multiple personal firewalls, use this command for each of them. Use the list signature personal-firewall command to view the available personal firewall software package options.
  • Page 236 Chapter 46 Endpoint Security
    Table 143 Endpoint Security Object Commands
    windows-version {windows-2000 | windows-xp | windows-2003 | windows-2008 | windows-vista | windows-7 | windows-2008r2}
      If you set windows as the operating system (using the os-type command), use this command to set the version of Windows.
  • Page 237: Endpoint Security Object Command Example

    Chapter 46 Endpoint Security 46.1.3 Endpoint Security Object Command Example Peter wants to create and display an endpoint security object named EPS-Example. Only the computers that match the following criteria can access the company’s SSL VPN: • Operating system: Windows XP •...
  • Page 238 Chapter 46 Endpoint Security Then he also needs to check the personal firewall software name defined on the UAG. Copy and paste the name of the output item 4 for the setting later. Router(config)# show eps signature personal-firewall Name Detection =============================================================================== Kaspersky_Internet_Security_v2009 Kaspersky_Internet_Security_v2010...
  • Page 239 Chapter 46 Endpoint Security Then he leaves the sub-command mode and uses the show command to view the EPS object settings. Router(eps EPS-Example)# exit Router(config)# show eps profile name: EPS-Example description: os type: windows windows version: windows-xp matching criteria: all anti-virus activation: yes anti-virus: 1 name: Kaspersky_Anti-Virus_v2011...
  • Page 240: Dynamic Guest Accounts

    CHAPTER 47 Dynamic Guest Accounts 47.1 Dynamic Guest Accounts Overview Dynamic guest accounts are guest accounts, but are created dynamically and stored in the UAG’s local user database. A dynamic guest account has a dynamically-created user name and password. A dynamic guest account user can access the UAG’s services only within a given period of time and will become invalid after the expiration date/time.
  • Page 241: Dynamic-Guest Sub-Commands

    Chapter 47 Dynamic Guest Accounts Table 144 dynamic-guest Commands (continued) COMMAND DESCRIPTION [no] dynamic-guest user_name: Creates a dynamic guest account (billing-user) with the specified user name and enters the dynamic-guest sub-command mode to set the password and timeout settings. See Table 145 on page 241 for the sub-commands.
  • Page 242: Dynamic-Guest Command Example

    Chapter 47 Dynamic Guest Accounts 47.2.2 Dynamic-guest Command Example This example shows how to create a dynamic guest account, configure the account-related settings, and display the account information. Router# configure terminal Router(config)# dynamic-guest generate [dynamic guest] username:gn0ti7, password:ihzun7 Router(config-dynamic-guest)# charge 5 Router(config-dynamic-guest)# expire-time 2013-06-26 14:00 Router(config-dynamic-guest)# payment-info cash Router(config-dynamic-guest)# phone 0912345678...
  • Page 243: Chapter 48 System

    CHAPTER 48 System This chapter provides information on the commands that correspond to what you can configure in the system screens. 48.1 System Overview Use these commands to configure general UAG information, the system time and the console port connection speed for a terminal emulation program. They also allow you to configure DNS settings and determine which services/protocols can access which UAG zones (if any) from which computers.
  • Page 244 Chapter 48 System Figure 23 Access Page Customization Logo Title Message (color of all text) Note Message (last line of text) Window Background You can specify colors in one of the following ways: • color-rgb: Enter red, green, and blue values in parenthesis and separate by commas. For example, use “rgb(0,0,0)”...
  • Page 245: Host Name Commands

    Chapter 48 System Table 146 Command Summary: Customization (continued) COMMAND DESCRIPTION login-page window-color {color-rgb | color-name | color-number}: Sets the color of the login page’s window border. logo background-color {color-rgb | …: Sets the color of the logo banner across the top of the login screen and access page.
  • Page 246: Date/Time Commands

    Chapter 48 System 48.4.1 Date/Time Commands The following table describes the commands available for date and time setup. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 148 Command Summary: Date/Time COMMAND DESCRIPTION Sets the new date in year, month and day format...
  • Page 247: Dns Overview

    Chapter 48 System 48.6 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. 48.6.1 Domain Zone Forwarder A domain zone forwarder contains a DNS server’s IP address.
  • Page 248: Dns Command Example

    Chapter 48 System Table 151 Command Summary: DNS (continued) COMMAND DESCRIPTION [no] ip dns server zone-forwarder {<1..32>|append|insert <1..32>} …: Sets a domain zone forwarder record that specifies a fully qualified domain name. You can also use a star (*) if all domain zones are served by the specified DNS server(s).
  • Page 249: System Remote Management

    CHAPTER 49 System Remote Management This chapter shows you how to determine which services/protocols can access which UAG zones (if any) from which computers. Note: To access the UAG from a specified computer using a service, make sure no service control rules or to-Device firewall rules block that traffic. 49.1 Remote Management Overview You may manage your UAG from a remote location via: •...
  • Page 250: Common System Command Input Values

    Chapter 49 System Remote Management 49.2 Common System Command Input Values The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 152 Input Values for General System Commands LABEL DESCRIPTION The name of the IP address (group) object.
  • Page 251 Chapter 49 System Remote Management Table 153 Command Summary: HTTP/HTTPS (continued) COMMAND DESCRIPTION [no] ip http secure-server cert certificate_name: Specifies a certificate used by the HTTPS server. The no command resets the certificate used by the HTTPS server to the factory default (default). certificate_name: The name of the certificate.
  • Page 252: Http/Https Command Examples

    Chapter 49 System Remote Management 49.3.1 HTTP/HTTPS Command Examples The following example adds a service control rule that allows an administrator from the computers with IP addresses matching the Marketing address object to access the WAN zone using the HTTP service. Router# configure terminal Router(config)# ip http server table admin rule append access-group Marketing zone WAN action accept...
  • Page 253: Ssh Commands

    Chapter 49 System Remote Management 49.4.3 SSH Commands The following table describes the commands available for SSH. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 154 Command Summary: SSH COMMAND DESCRIPTION Allows SSH access to the UAG CLI.
  • Page 254: Telnet

    Chapter 49 System Remote Management 49.5 Telnet You can configure your UAG for remote Telnet access. 49.6 Telnet Commands The following table describes the commands available for Telnet. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 155 Command Summary: Telnet COMMAND...
  • Page 255: Configuring Ftp

    Chapter 49 System Remote Management 49.7 Configuring FTP You can upload and download the UAG’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. 49.7.1 FTP Commands The following table describes the commands available for FTP. You must use the configure terminal command to enter the configuration mode before you can use these commands.
  • Page 256: Snmp

    Chapter 49 System Remote Management This command displays FTP settings. Router# configure terminal Router(config)# show ip ftp server status active : yes port : 21 certificate: default : no service control: Zone Address Action ======================================================================== 49.8 SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices.
  • Page 257: Snmp Commands

    Chapter 49 System Remote Management 49.8.3 SNMP Commands The following table describes the commands available for SNMP. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 158 Command Summary: SNMP COMMAND DESCRIPTION Allows SNMP access to the UAG.
  • Page 258: Icmp Filter

    Chapter 49 System Remote Management The following command sets the password (secret) for read-write (rw) access. Router# configure terminal Router(config)# snmp-server community secret rw The following command sets the IP address of the host that receives the SNMP notifications to 172.16.15.84 and the password (sent with each trap) to qwerty.
  • Page 259: Chapter 50 File Manager

    CHAPTER 50 File Manager This chapter covers how to work with the UAG’s firmware, certificates, configuration files, packet trace results, shell scripts and temporary files. 50.1 File Directories The UAG stores files in the following directories. Table 160 FTP File Transfer Notes FILE NAME DIRECTORY FILE TYPE...
  • Page 260: Comments In Configuration Files Or Shell Scripts

    Chapter 50 File Manager These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below. Figure 24 Configuration File / Shell Script: Example # enter configuration mode configure terminal # change administrator password username admin password 4321 user-type admin # configure wan1...
  • Page 261: Errors In Configuration Files Or Shell Scripts

    Chapter 50 File Manager Line 3 in the following example exits sub command mode. interface wan1 ip address dhcp Lines 1 and 3 in the following example are comments and line 4 exits sub command mode. interface wan1 # this interface is a DHCP client Lines 1 and 2 are comments.
  • Page 262: Configuration File Flow At Restart

    Chapter 50 File Manager • When the UAG reboots, if the startup-config.conf file passes the error check, the UAG keeps a copy of the startup-config.conf file as the lastgood.conf configuration file for you as a back up file. If you upload and apply a configuration file with an error, you can apply lastgood.conf to return to a valid configuration.
  • Page 263: File Manager Commands Summary

    Chapter 50 File Manager 50.4 File Manager Commands Summary The following table lists the commands that you can use for file management. Table 163 File Manager Commands Summary COMMAND DESCRIPTION apply /conf/file_name.conf [ignore-…: Has the UAG use a specific configuration file. You must still use the write command to save your configuration changes to the flash (“non-...
  • Page 264: File Manager Command Examples

    Chapter 50 File Manager Table 163 File Manager Commands Summary (continued) COMMAND DESCRIPTION show running-config: Displays the settings of the configuration file that the system is using. setenv-startup stop-on-error off: Has the UAG ignore any errors in the startup-config.conf file and apply all of the valid commands.
  • Page 265: Command Line Ftp Configuration File Upload Example

    Chapter 50 File Manager The firmware update can take up to five minutes. Do not turn off or reset the UAG while the firmware update is in progress! If you lose power during the firmware upload, you may need to refer to Section 50.8 on page 267 to recover the firmware.
  • Page 266: Command Line Ftp Configuration File Download Example

    Chapter 50 File Manager 50.6.4 Command Line FTP Configuration File Download Example The following example gets a configuration file named today.conf from the UAG and saves it on the computer as current.conf. Figure 26 FTP Configuration File Download Example C:\>ftp 192.168.1.1 Connected to 192.168.1.1.
  • Page 267: Notification Of A Damaged Recovery Image Or Firmware

    Chapter 50 File Manager 50.8 Notification of a Damaged Recovery Image or Firmware The UAG’s recovery image and/or firmware could be damaged, for example by the power going off during a firmware upgrade. This section describes how the UAG notifies you of a damaged recovery image or firmware file.
  • Page 268: Restoring The Recovery Image

    Chapter 50 File Manager If “Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file” displays on the screen, the firmware file is damaged. Use the procedure in Section 50.10 on page 270 to restore it. If the message does not display, the firmware is OK and you do not need to use the firmware recovery procedure.
  • Page 269 Chapter 50 File Manager Note: You only need to use the atuk or atur command if the recovery image is damaged. Figure 32 atuk Command for Restoring the Recovery Image > atuk This command is for restoring the "recovery image" (xxx.ri). Use This command only when 1) the console displays "Invalid Recovery Image"...
  • Page 270: Restoring The Firmware

    Chapter 50 File Manager Enter atgo. The UAG starts up. If “Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file” displays on the screen, the firmware file is damaged and you need to use the procedure in Section 50.10 on page 270 to recover the firmware.
  • Page 271 Chapter 50 File Manager Enter “quit” to exit the ftp prompt. Figure 38 FTP Firmware Transfer Complete 200 PORT command successful 150 Opening BINARY mode data connection for 250AACG0C0.bin 226-firmware verifying... 226-firmware updating... 226-Please Wait about 5 minutes!! 226-Do not poweroff or reset, 226-system will reboot automatically after finished updating.
  • Page 272: Chapter 51 Logs

    CHAPTER 51 Logs This chapter provides information about the UAG’s logs. Note: When the system log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first. See the User’s Guide for the maximum number of system log messages in the UAG. 51.1 Log Commands Summary The following table describes the values required for many log commands.
  • Page 273: System Log Commands

    Chapter 51 Logs 51.1.2 System Log Commands This table lists the commands for the system log settings. Table 166 logging Commands: System Log Settings COMMAND DESCRIPTION show logging status system-log: Displays the current settings for the system log. logging system-log category module_name …: Specifies what kind of information, if any, is logged in the system log and debugging log for the specified category.
  • Page 274: Debug Log Commands

    Chapter 51 Logs 51.1.3 Debug Log Commands This table lists the commands for the debug log settings. Table 167 logging Commands: Debug Log Settings COMMAND DESCRIPTION Displays the current settings for the debug log. show logging debug status Displays the specified entries in the system log. show logging debug entries [priority pri] [category module_name] [srcip ip] [dstip ip] pri: alert | crit | debug | emerg | error | info | notice | warn...
  • Page 275: E-Mail Profile Commands

    Chapter 51 Logs 51.1.4 E-mail Profile Commands This table lists the commands for the e-mail profile settings. Table 169 logging Commands: E-mail Profile Settings COMMAND DESCRIPTION show logging status mail: Displays the current settings for the e-mail profiles. [no] logging mail <1..2>: Enables the specified e-mail profile. The no command disables...
  • Page 276: Console Port Logging Commands

    Chapter 51 Logs 51.1.4.1 E-mail Profile Command Examples The following commands set up e-mail log 1. Router# configure terminal Router(config)# logging mail 1 address mail.zyxel.com.tw Router(config)# logging mail 1 subject AAA Router(config)# logging mail 1 authentication username lachang.li password XXXXXX Router(config)# logging mail 1 send-log-to lachang.li@zyxel.com.tw Router(config)# logging mail 1 send-alerts-to lachang.li@zyxel.com.tw Router(config)# logging mail 1 from lachang.li@zyxel.com.tw...
  • Page 277: Chapter 52 Reports And Reboot

    CHAPTER 52 Reports and Reboot This chapter provides information about the report associated commands and how to restart the UAG using commands. It also covers the daily report e-mail feature. 52.1 Report Commands Summary The following sections list the report, session, and packet size statistics commands. 52.1.1 Report Commands This table lists the commands for reports.
  • Page 278: Report Command Examples

    Chapter 52 Reports and Reboot 52.1.2 Report Command Examples The following commands start collecting data, display the traffic reports, and stop collecting data. Router# configure terminal Router(config)# show report lan1 ip No. IP Address User Amount Direction =================================================================== 192.168.1.4 admin 1273(bytes) Outgoing 192.168.1.4...
  • Page 279 Chapter 52 Reports and Reboot Use these commands to have the UAG e-mail you system statistics every day. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 174 Email Daily Report Commands COMMAND DESCRIPTION Displays the e-mail daily report settings.
  • Page 280: Email Daily Report Example

    Chapter 52 Reports and Reboot Table 174 Email Daily Report Commands (continued) COMMAND DESCRIPTION send-now: Sends the daily e-mail report immediately. reset-counter-now: Discards all report data and starts all of the report statistics data counters over at zero. exit: Leaves the sub-command mode. 52.2.1 Email Daily Report Example This example sets the following about sending a daily report e-mail:...
  • Page 281: Reboot

    Chapter 52 Reports and Reboot This displays the email daily report settings and has the UAG send the report. Router(config)# show daily-report status email daily report status ========================= activate: yes scheduled time: 13:57 reset counter: no smtp address: example-SMTP-mail-server.com smtp port: 25 smtp auth: yes smtp username: 12345 smtp password: pass12345...
  • Page 282: Session Timeout

    CHAPTER 53 Session Timeout Use these commands to modify and display the session timeout values. You must use the configure terminal command before you can use these commands. Table 175 Session Timeout Commands COMMAND DESCRIPTION session timeout {udp-connect <1..300> …: Sets the timeout for UDP sessions to connect or deliver...
  • Page 283: Chapter 54 Diagnostics

    CHAPTER 54 Diagnostics This chapter covers how to use the diagnostics feature. 54.1 Diagnostics The diagnostics feature provides an easy way for you to generate a file containing the UAG’s configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting.
  • Page 284: Chapter 55 Packet Flow Explore

    CHAPTER 55 Packet Flow Explore This chapter covers how to use the packet flow explore feature. 55.1 Packet Flow Explore Use this to get a clear picture on how the UAG determines where to forward a packet and how to change the source IP address of the packet according to your current settings. This function provides you a summary of all your routing and SNAT settings and helps troubleshoot the related problems.
  • Page 285: Packet Flow Explore Commands Example

    Chapter 55 Packet Flow Explore 55.3 Packet Flow Explore Commands Example The following example shows all routing related functions and their order. Router> show route order route order: Direct Route, Policy Route, VPN 1-1 Mapping Route, 1-1 SNAT, SiteTo Site VPN, Dynamic VPN, Static-Dynamic Route, Default WAN Trunk, Main Route The following example shows all SNAT related functions and their order.
  • Page 286 Chapter 55 Packet Flow Explore The following example shows all activated dynamic VPN rules. Router> show system route dynamic-vpn Source Destination VPN Tunnel =========================================================================== The following example shows all activated VPN 1-1 mapping rules. Router> show system route vpn-1-1-map Source Destination Outgoing Gateway...
  • Page 287 Chapter 55 Packet Flow Explore The following example shows all activated 1-to-1 NAT rules. Router> show system snat nat-1-1 VS Name Source Destination Outgoing SNAT =========================================================================== The following example shows the default WAN trunk settings. Router> show system snat default-snat Incoming Outgoing SNAT...
  • Page 288: Chapter 56 Maintenance Tools

    CHAPTER 56 Maintenance Tools Use the maintenance tool commands to check the conditions of other devices through the UAG. The maintenance tools can help you to troubleshoot network problems. Here are maintenance tool commands that you can use in privilege mode. Table 178 Maintenance Tools Commands in Privilege Mode COMMAND DESCRIPTION...
  • Page 289 Chapter 56 Maintenance Tools Here are maintenance tool commands that you can use in configure mode. Table 179 Maintenance Tools Commands in Privilege Mode COMMAND DESCRIPTION [no] packet-capture activate: Performs a packet capture that captures network traffic going through the set interface(s).
  • Page 290: Maintenance Command Examples

    Chapter 56 Maintenance Tools 56.1 Maintenance Command Examples Some packet-trace command examples are shown below. Router# packet-trace duration 3 tcpdump: listening on eth0 19:24:43.239798 192.168.1.10 > 192.168.1.1: icmp: echo request 19:24:43.240199 192.168.1.1 > 192.168.1.10: icmp: echo reply 19:24:44.258823 192.168.1.10 > 192.168.1.1: icmp: echo request 19:24:44.259219 192.168.1.1 >...
  • Page 291: Packet Capture Command Example

    Chapter 56 Maintenance Tools Table 180 Maintenance Tools Commands in Configuration Mode (continued) COMMAND DESCRIPTION arp IP mac_address: Edits or creates an ARP table entry. no arp ip: Removes an ARP table entry. The following example creates an ARP table entry for IP address 192.168.1.10 and MAC address 01:02:03:04:05:06.
  • Page 292 Chapter 56 Maintenance Tools • The maximum size of a packet capture file: 100 megabytes Router(config)# packet-capture configure Router(packet-capture)# iface add wan1 Router(packet-capture)# ip-type any Router(packet-capture)# host-ip any Router(packet-capture)# file-suffix Example Router(packet-capture)# files-size 10 Router(packet-capture)# duration 150 Router(packet-capture)# storage usbstorage Router(packet-capture)# ring-buffer disable Router(packet-capture)# split-size 100 Router(packet-capture)#...
  • Page 293: Chapter 57 Watchdog Timer

    CHAPTER 57 Watchdog Timer This chapter provides information about the UAG’s watchdog timers. 57.1 Hardware Watchdog Timer The hardware watchdog has the system restart if the hardware fails. The hardware-watchdog-timer commands are for support engineers. It is recommended that you not modify the hardware watchdog timer settings.
  • Page 294: Application Watchdog

    Chapter 57 Watchdog Timer 57.3 Application Watchdog The application watchdog has the system restart a process that fails. These are the app-watchdog commands. Use the configure terminal command to enter the configuration mode to be able to use these commands. Table 183 app-watchdog Commands COMMAND DESCRIPTION...
  • Page 295: Application Watchdog Commands Example

    Chapter 57 Watchdog Timer 57.3.1 Application Watchdog Commands Example The following example displays the application watchdog configuration and lists the processes that the application watchdog is monitoring. UAG CLI Reference Guide...
  • Page 297: List Of Commands (Alphabetical)

    List of Commands (Alphabetical) List of Commands (Alphabetical) This section lists the commands and sub-commands in alphabetical order. Commands and subcommands appear at the same level. [no] {anti-virus | personal-firewall} activate .........234 [no] {ipv4 | ipv4_cidr | ipv4_range | wildcard_domainname | tld} .......193 [no] aaa authentication default member1 [member2] [member3] [member4] ....221...
  • Page 298 List of Commands (Alphabetical) [no] app-watch-dog console-print {always|once} .........294 [no] app-watch-dog cpu-threshold min <1..100> max <1..100> ......294 [no] app-watch-dog disk-threshold min <1..100> max <1..100> ......294 [no] app-watch-dog interval <6..300> ...........294 [no] app-watch-dog mem-threshold min <1..100> max <1..100> ......294 [no] app-watch-dog retry-count <1..5> ..........294 [no] app-watch-dog sys-reboot ............294...
  • Page 299 List of Commands (Alphabetical) [no] console baud baud_rate ............246 [no] content-filter active .............192 [no] content-filter block message message ..........192 [no] content-filter block redirect redirect_url ........192 [no] content-filter cache-timeout _timeout ..........192 [no] content-filter cache-timeout _timeout ..........196 [no] content-filter default block ............192 [no] content-filter license license ............192 [no] content-filter license license...
  • Page 300 List of Commands (Alphabetical) | af41 | af42 | af43 | cs0 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | wmm_be0 | wmm_be24 | wmm_bk16 | wmm_bk8 | wmm_vi32 | wmm_vi40 | wmm_vo48 | wmm_vo56}} ..171 [no] dscp {any | <0..63>} ..............100 [no] dscp class {default | dscp_class}...
  • Page 301 List of Commands (Alphabetical) wmm_be0 | wmm_be24 | wmm_bk16 | wmm_bk8 | wmm_vi32 | wmm_vi40 | wmm_vo48 | wmm_vo56}} [no] incoming-interface {interface interface_name | trunk group_name} ....172 [no] in-dnat activate ..............180 [no] in-snat activate ..............180 [no] interface {interface_name|any} ............127 [no] interface {num|interface-name} .............91 [no] interface interface_name ............101...
  • Page 302 List of Commands (Alphabetical) [no] ip-select-backup {iface | auto | custom} ..........114 [no] isakmp policy policy_name ............177 [no] item cf-report ..............279 [no] item cpu-usage ..............279 [no] item mem-usage ..............279 [no] item port-usage ..............279 [no] item session-usage ..............279 [no] item traffic-report ...............279 [no] join interface_name ..............89...
  • Page 303 List of Commands (Alphabetical) [no] mail-to-2 e_mail ..............279 [no] mail-to-3 e_mail ..............279 [no] mail-to-4 e_mail ..............279 [no] mail-to-5 e_mail ..............279 [no] metric <0..15> ..............71 [no] mss <536..1452> ..............86 [no] mss <536..1460> ..............71 [no] mtu <576..1500> ..............71 [no] multicast-to-unicast ...............60 [no] mx {ip | domain_name} .............114 [no] nail-up ................180...
  • Page 304 List of Commands (Alphabetical) [no] port interface_name ..............88 [no] printer-manager activate ............164 [no] printer-manager encrypt activate ..........164 [no] printer-manager printer <1..10> ...........164 [no] radius-server host radius_server auth-port auth_port ......217 [no] radius-server key secret ............217 [no] radius-server timeout time ............217 [no] reauth <30..30000> ..............65 [no] redistribute {static | ospf} ............107...
  • Page 305 List of Commands (Alphabetical) [no] service-type {dyndns | dyndns_static | dyndns_custom | dynu-basic | dynu-premium | no-ip | peanut-hull | 3322-dyn | 3322-static} ..........114 [no] session-limit activate ............156 [no] session-url url ..............144 [no] shutdown ................71 [no] sms-service activate ..............168 [no] smtp-auth activate ..............279 [no] smtp-port <1..65535>...
  • Page 306 List of Commands (Alphabetical) [no] users retry-limit ..............203 [no] users simultaneous-logon {administration | access | billing-account} enforce ..204 [no] users simultaneous-logon {administration | access | billing-account} limit login_number [no] users update-lease automation .............204 [no] version <1..2> ..............107 [no] vlan-id <1..4094> ..............88 [no] vlan-support ...............63...
  • Page 307 List of Commands (Alphabetical) activate ................165 activate ................177 activate ................179 activate ................97 address address_object ..............122 address-object object_name {ip | ip_range | ip_subnet | interface-ip | interface-subnet | in- terface-gateway} {interface} .............208 address-object rename object_name object_name ..........208 adjust-mss {auto | <200..1500>} ............179 advertisement flush ..............150...
  • Page 308 List of Commands (Alphabetical) capwap manual-add {enable | disable} ............55 capwap show statistic ..............55 capwap station kick sta_mac .............55 cdp {activate|deactivate} ..............226 certificate certificate-name ............177 charge price ................241 ch-width wlan_htcw ..............60 clear ...................36 clear aaa authentication profile-name ..........221 clear aaa group server ad [group-name] ..........217 clear aaa group server ldap [group-name] ..........218...
  • Page 309 List of Commands (Alphabetical) op] (*) ................39 debug [remoteWTP | remoteWTP-cmd] (*) ...........39 debug alg ................37 debug billing show shm (*) ..............37 debug ca (*) ................37 debug capwap (*) ................38 debug content-filter ..............38 debug dns-query (*) ..............38 debug dynamic-guest (*) ..............38 debug eps ................38...
  • Page 310 List of Commands (Alphabetical) dscp-marking <0..63> ..............100 dscp-marking class {default | dscp_class} ..........100 dtim-period <1..255> ..............59 duration <0..300> ..............289 dynamic-guest freeuser user_name ............240 dynamic-guest generate ..............240 dynamic-guest generate-freeuser ............240 eap {external | internal auth_method} ...........65 enable ..................36 encapsulation {tunnel | transport} .............179 eps insert <1..8>...
  • Page 311 List of Commands (Alphabetical)
    gateway url ... 163
    group1 ... 178
    group2 ... 178
    group5 ... 178
    group-key <30..30000> ... 65
    groupname rename groupname groupname ... 202
    guard-interval wlan_htgi ... 60
    host-ip {ip-address | profile_name | any} ... 289
    host-port <0..65535> ... 289
    ... 37
    idle <30..30000> ... 65
    iface {add | del} {interface_name | virtual_interface_name} ... 289
    in-dnat <1..10>...
  • Page 312 List of Commands (Alphabetical)
    {ALL|address_object} zone {ALL|zone_object} action {accept|deny} ... 251
    ip http server table {admin|user} rule move rule_number to rule_number ... 251
    ip http-redirect activate description ... 124
    ip http-redirect deactivate description ... 125
    ip http-redirect description interface interface_name redirect-to w.x.y.z <1..65535> ... 124
    ip http-redirect description interface interface_name redirect-to w.x.y.z <1..65535>...
  • Page 313 List of Commands (Alphabetical)
    logging mail <1..2> schedule daily hour <0..23> minute <0..59> ... 275
    logging mail <1..2> schedule weekly day day hour <0..23> minute <0..59> ... 275
    logging mail <1..2> sending_now ... 275
    logging system-log category module_name {disable | level normal | level all} ... 273
    logging usb-storage category category disable ... 87...
  • Page 314 List of Commands (Alphabetical)
    no port <1..x> ... 83
    no sa spi spi ... 183
    no sa tunnel-name map_name ... 183
    no schedule-object object_name ... 213
    no server-type ... 232
    no service-object object_name ... 210
    no slot_name ap-profile ... 55
    no smtp-address ... 279
    no smtp-auth username ... 279
    no snmp-server rule rule_number ... 257
    no sslvpn policy profile_name...
  • Page 315 List of Commands (Alphabetical)
    policy {policy_number | append | insert policy_number} ... 100
    policy default-route ... 101
    policy delete policy_number ... 101
    policy flush ... 101
    policy list table ... 101
    policy move policy_number to policy_number ... 101
    port <1..65535> ending-port <1..65535>] ... 231
    port <1..65535> ending-port <1..65535>] [program-path program-path] ... 231
    port status Port<1..x>...
  • Page 316 List of Commands (Alphabetical)
    service-object object_name icmp icmp_value ... 211
    service-object object_name protocol <1..255> ... 211
    service-object rename object_name object_name ... 211
    service-register checkexpire ... 48
    service-register service-type standard license-key key_value ... 48
    service-register service-type trial service content-filter ... 48
    session timeout {tcp-established | tcp-synrecv | tcp-close | tcp-finwait | tcp-synsent | tcp-closewait | tcp-lastack | tcp-timewait} <1..300>...
  • Page 317 List of Commands (Alphabetical)
    show capwap ap all statistics ... 55
    show capwap ap ap_mac slot_name detail ... 55
    show capwap ap wait-list ... 55
    show capwap manual-add ... 55
    show capwap station all ... 55
    show clock date ... 246
    show clock status ... 246
    show clock time ... 246
    show comport status ... 44...
  • Page 318 List of Commands (Alphabetical)
    show interface {interface_name | ethernet | vlan | bridge | ppp | virtual ethernet | virtual vlan | virtual bridge | all} ... 71
    show interface ppp system-default ... 86
    show interface ppp user-define ... 86
    show interface send statistics interval ... 71
    show interface summary all ... 71...
  • Page 319 List of Commands (Alphabetical)
    show mac ... 44
    show mem status ... 44
    show ntp server ... 246
    show object-group {address | address6} [group_name] ... 208
    show object-group service group_name ... 211
    show ospf area IP virtual-link ... 108
    show packet-capture config ... 288
    show packet-capture config ... 289
    show packet-capture status ... 288...
  • Page 320 List of Commands (Alphabetical)
    show reference object-group aaa radius [group_name] ... 43
    show reference object-group address [object_name] ... 43
    show reference object-group interface [object_name] ... 43
    show reference object-group service [object_name] ... 43
    show reference object-group username [username] ... 43
    show report [interface_name {ip | service | url}] ... 277
    show report status ... 277...
  • Page 321 List of Commands (Alphabetical)
    show usb-storage ... 86
    show username [username] ... 201
    show users {username | all | current} ... 204
    show users default-setting {all | user-type {admin | limited-admin | pre-subscriber | user | guest | ext-user | ext-group-user}} ... 203
    show users idle-detection-settings ... 204
    show users kick-previous-settings...
  • Page 322 List of Commands (Alphabetical)
    zone {ALL|zone_object} action {accept|deny} ... 257
    snmp-server rule move rule_number to rule_number ... 257
    split-size <1..2048> ... 289
    ssid ... 63
    sslvpn network-extension local-ip ip ... 185
    sslvpn no connection username user_name ... 186
    sslvpn policy {profile_name | profile_name append | profile_name insert <1..16>} ... 185
    sslvpn policy move <1..16>...
  • Page 323 List of Commands (Alphabetical)
    users default-setting [no] logon-lease-time <0..1440> ... 203
    users default-setting [no] logon-re-auth-time <0..1440> ... 203
    users default-setting [no] user-type {admin | limited-admin | pre-subscriber | user | guest | ext-user | ext-group-user} ... 203
    users default-setting [no] user-type {admin | limited-admin | pre-subscriber | user | guest | ext-user | ext-group-user} logon-due-time time ... 203
    users default-setting [no] user-type {admin | limited-admin | pre-subscriber | user | guest | ext-user | ext-group-user} logon-lease-time <0..1440>...
