Nokia IP40 User Manual

Hide thumbs

Also See for IP40

User manual - 194 pages
Quick start manual - 4 pages
Quick start manual - 4 pages

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

IP40 Security Platform

User's Guide

Version 1.1

N450916002 Rev A

June 2004

Also See for Nokia IP40

Nokia E61i User Manual 209 pages

Nokia IP40 User Manual 194 pages

Nokia IP40 Quick Start Manual 4 pages

Related Manuals for Nokia IP40

Network Router Nokia IP40 Quick Start Manual
(4 pages)
Firewall Nokia IP530 - Remote Access Server Installation Manual
Install coreboot (9 pages)

Firewall Nokia IP740 - Remote Access Server Product Manual
Check point ng (24 pages)
Firewall Nokia ip500 series Installation Manual
(162 pages)

Summary of Contents for Nokia IP40

Page 1

IP40 Security Platform User’s Guide Version 1.1 N450916002 Rev A June 2004...
Page 2

IMPORTANT NOTE TO USERS This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services;...
Page 3

Singapore 119968 Nokia Customer Support Web Site: https://support.nokia.com/ Email: tac.support@nokia.com Americas Europe Voice: 1-888-361-5030 or Voice: +44 (0) 125-286-8900 1-613-271-6721 Fax: 1-613-271-8782 Fax: +44 (0) 125-286-5666 Asia-Pacific Voice: +65-67232999 Fax: +65-67232897 040113 Nokia IP40 Security Platform User’s Guide v1.1...
Page 4

Nokia IP40 Security Platform User’s Guide v1.1...
Page 5: Table Of Contents

Nokia IP40 Satellite 16, Satellite 32, Satellite Unlimited ....20 Nokia IP40 Security Platform Features ....... . . 20 Connectivity .
Page 6: Table Of Contents

Logging Off from Nokia IP40 Security Platform ......51 Understanding the Nokia IP40 Web GUI ....... . 52 Using the Nokia IP40 Security Platform Web-based User Interface .
Page 7: Table Of Contents

Using Static Routes ..........91 Setting Up the Nokia IP40 Security Platform Security Policy ....95 Setting the Firewall Security Level .
Page 8: Table Of Contents

High- Availability Solution with a Single Nokia IP40 Security Platform ..135 High Availability Solution with Dual Nokia IP40 ......136...
Page 9: Table Of Contents

Setting Up Nokia IP40 as a VPN Server ....... .
Page 10: Table Of Contents

Setting Up Nokia IP40 Satellite X ........
Page 11: Table Of Contents

Checking for Software Updates When Remotely Managed ....210 Managing with Nokia Horizon Manager ....... . . 211 Check Point SmartCenter LSM .
Page 12: Table Of Contents

FCC Notice (US) ..........236 Nokia IP40 Security Platform User’s Guide v1.1...
Page 13: In This Guide

Security Platform. This guide provides information about the new features incorporated into the Nokia IP40. This version of Nokia IP40 uses the SofaWare VPN-1 Embedded NG. For a quick reference on how to configure features in Nokia IP40, see the Nokia IP40 Security Platform Quick Start Guide and Nokia IP40 Security Platform Online Help, part of the graphical user interface (GUI) in the appliance.
Page 14: Conventions This Guide Uses

Availability feature. Chapter 11, “Configuring Nokia IP40 Through Out-of-Band Management,” explains the method to configure the Nokia IP40 through Out of Band Management. Chapter 12, “Configuring Device Functions,” discusses how to configure device functions such as setting date and time, loading factory defaults and performing firmware upgrade.
Page 15: Command-line Conventions

Notes provide information of special interest or recommendations. Command-Line Conventions This section defines the elements of commands that are available in Nokia products. You might encounter one or more of the following elements on a command-line path. Table 1 Command-Line Conventions...
Page 16: Text Conventions

• Emphasizes a point or denotes new terms at the place where Italics they are defined in the text. • Indicates an external book title reference. • Indicates a variable in a command: if_name delete interface Nokia IP40 Security Platform User’s Guide v1.1...
Page 17: Menu Items

Nokia IP40 menu items in procedures are separated by the greater than sign (>). For example, Start > Programs > Nokia > Security indicates that you first click Start, then choose the Programs menu command, then choose Nokia, and finally choose Security.
Page 18

Nokia IP40 Security Platform User’s Guide v1.1...
Page 19: Introduction

WAN connection to headquarters, and dual homing with BGP to route return traffic securely, over VPN. The Nokia IP40 Security Platform can be integrated with an overall enterprise security policy for maximum security. The IP40 facilitates centralized management and automatic deployment with the security management architecture of Check Point, and Nokia Horizon Manager.
Page 20: Nokia Ip40 Tele 8

IP40 Tele 8 can act as a VPN server, which allows a single user to securely access resources protected by the appliance from home or while travelling.
Page 21

Nokia IP40 Security Platform Table 3 Nokia IP40 Security Platform Connectivity Nokia IP40 Satellite Feature Nokia IP40 Tele 8 16/32/Unlimited Users (nodes) 16, 32, unlimited PPPoE client PPTP client DHCP client DHCP server Static IP MAC cloning Backup Internet connection, static NAT,...
Page 22: Firewall

Introduction Firewall Table 4 Firewall Connectivity provides details about the IP40 Security Platform v1.1 firewall connectivity. Table 4 Firewall Connectivity Nokia IP40 Satellite Feature Nokia IP40 Tele 8 (16/32/Unlimited) Firewall Type Check Point Firewall-1 Check Point Firewall-1 Embedded NG Embedded NG...
Page 23: Vpn Connectivity

Feature Nokia IP40 Tele 8 (16/32/Unlimited) Exposed host DMZ network VPN Connectivity Table 5 VPN Connectivity provides details about IP40 Security Platform v1.1 VPN connectivity. Table 5 VPN Connectivity Nokia IP40 Satellite Feature Nokia IP40 Tele8 16/32/Unlimited IPSEC VPN remote...
Page 24

SecuRemote server RADIUS Client DAIP with VPN certificates Back up VPN gateways SmartCenter Connector (SSC) NG AI support Bypass NAT Route all traffic Route Based VPN and failover Multiple PPP connections Active tunnels Nokia IP40 Security Platform User’s Guide v1.1...
Page 25: Management

Nokia IP40 Security Platform Management Table 6 Management provides details about the IP40 Security Platform v1.1 management: Table 6 Management Nokia IP40 Satellite Feature Nokia IP40 Tele 8 (16/32/Unlimited) Web-based management Access to IP40 through OOB, SSH and SNMP Telnet access...
Page 26: Security Services

Point Smart Update) Check Point Smart LSM Check Point Provider-1 Security Services Table 7 Security Services provides details about IP40 Security Platform v1.1 security services: Table 7 Security Services Nokia IP40 Satellite Feature Nokia IP40 Tele 8 (16/32/Unlimited) Firewall security...
Page 27: Diagnostics And Maintenance

Protocol support for TCP/IP, ICMP, GRE, ESP and UDP Diagnostics and Maintenance Table 8 Diagnostics and Maintenance provides details about IP40 v1.1 diagnostics and maintenance: Table 8 Diagnostics and Maintenance Nokia IP40 Satellite Feature Nokia IP40 Tele 8 (16/32/Unlimited)
Page 28: Nokia Ip40 Security Platform Package Contents

A country-specific power cord for universal power supply An Ethernet-crossover cable, labeled Crossover An RS-232 console (null modem) cable The IP40 CD. The IP40 CD includes the following documents needed to set up and use the device: Nokia IP40 Security Platform Quick Start Guide Nokia IP40 Security Platform User’s Guide Version 1.1 (this document)
Page 29: Appliance Overview

The following sections provide an overview of Nokia IP40 Security Platform rear and front panels. Nokia IP40 Security Platform Rear Panel All physical connections (network and power) to the IP40 are made through the rear panel. Nokia IP40 Security Platform User’s Guide v1.1...
Page 30

Connect the power adapter to this jack. The device connects to the power source. The auxiliary port or dial-in port is a 9-pin male connector. This port is used to dial in to IP40 through a modem when the IP40 is unreachable through other ports.
Page 31

Appliance Overview Table 9 explains the items on the rear panel of the Nokia IP40. Table 9 Rear Panel of IP40 Label Description Console The console port is a 9-pin male connector that can be connected to the serial (COM) port of your computer.
Page 32: Nokia Ip40 Security Platform Front Panel

You can monitor the IP40 operations by viewing the LEDs on the front panel. Figure 2 Front Panel of Nokia IP40 Security platform. The items on the front panel of the Nokia IP40 Security Platform are explained in Table 10 page 32.
Page 33: Installing Nokia Ip40 Security Platform

Installing Nokia IP40 Security Platform Installing Nokia IP40 Security Platform This chapter describes how to set up and install the Nokia IP40 Security Platform in a networking environment. The chapter covers the following topics: Before You Install Nokia IP40 Security Platform...
Page 34

In the Network window, check if TCP/IP appears in the network components list and if it is already configured with the Ethernet card installed on your computer. If TCP/IP is already installed and configured on your computer, skip the following procedure about how to install TCP/IP. Nokia IP40 Security Platform User’s Guide v1.1...
Page 35

If you are prompted for original Windows installation files, provide the installation CD and relevant path, D:\win98, D:\win95, and so on. 5. Restart your computer if prompted. If you are connecting the IP40 to an existing LAN, consult your network manager/system administrator for the correct configuration. To make TCP/IP settings 1.
Page 36

2. Click the Gateway tab and remove any installed gateways. 3. Click the DNS Configuration tab and click Disable DNS. 4. Click the IP Address tab, and click Obtain an IP address automatically. Nokia IP40 Security Platform User’s Guide v1.1...
Page 37: Microsoft Windows Xp And 2000 Operating Systems

Before You Install Nokia IP40 Security Platform Note Nokia recommends that you use DHCP to assign IP addresses instead of assigning a static IP address to your computer. To assign a static IP address, click Specify an IP address and enter an IP address in the range of 192.168.10.129 to 254.
Page 38

2. Double-click the Network and Dial-up Connections icon (in Windows XP double-click the Network Connections icon). The Network and Dial-up Connections window appears. 3. Right-click the Local Area Connection icon and select Properties from the drop-down list. The Local Area Connection Properties window appears. Nokia IP40 Security Platform User’s Guide v1.1...
Page 39

Before You Install Nokia IP40 Security Platform 4. Check for TCP/IP in the Component list and whether it is configured with the Ethernet card installed on your computer. If TCP/IP does not appear in the Components list, install it as described in the section “To...
Page 40

TCP/IP protocol is installed on your computer. To make TCP/IP settings 1. In the Local Area Connection Properties window, double-click Internet Protocol (TCP/IP) and click Properties. The Internet Protocol (TCP/IP) Properties window opens. Nokia IP40 Security Platform User’s Guide v1.1...
Page 41: Setting Up Nokia Ip40 Security Platform With An Apple Computer

2. Click Obtain an IP address automatically. Note Nokia recommends that you use DHCP to assign IP addresses instead of assigning a static IP address to your computer. To assign a static IP address, select Specify an IP address and enter an IP address in the range of 192.168.10.129 to 254. Enter 255.255.255.0 as the subnet mask.
Page 42: Connecting Nokia Ip40 Security Platform To The Network

The following topology examples illustrate proper network cabling. Figure 3 IP40 Topologies Installing Your Network Plan your network and the location of the IP40, then install your network. To install the network 1. Connect the LAN cable: a. Connect one end of the Ethernet cable to the LAN port at the back of the appliance.
Page 43: Getting Started

213 in this document. Note The IP40 ships without a password defined. If you are logging in for the first time, you are prompted to define the password by entering it twice. If you already logged in before, enter the username and password you previously defined.
Page 44: Configuring Nokia Ip40 Security Platform For Internet Connection

Configuring Nokia IP40 Security Platform for Internet Connection This section provides information about how to make the initial settings for your Nokia IP40 Security Platform by using the Setup wizard and connecting to the Internet. Nokia IP40 Security Platform User’s Guide v1.1...
Page 45: Making Initial Nokia Ip40 Security Platform Settings

This section provides the information about how to use the Setup wizard to set the device time, and to make the initial Nokia IP40 Security Platform settings. Setting Nokia IP40 Security Platform Time Use the following procedure to set the time of Nokia IP40 Security Platform. Nokia IP40 Security Platform User’s Guide v1.1...
Page 46

Getting Started To set the IP40 Security Platform time 1. When the IP40 Set Time wizard dialog box appears, click the appropriate setting, for the time settings you want to make. If you click the computer’s clock, the IP40 is automatically updated with the time settings of your computer.
Page 47: Registering With The Nokia Support Site

3. Specify the IP addresses of the Primary and Secondary servers, to use as NTP time servers. Select your time zone from the Time Zone drop down list. 4. Click Next. The IP40 Set Time Wizard dialog box appears, indicating that time settings are changed successfully. 5. Click Finish to exit the Set Time wizard.
Page 48: Connecting To A Central Management Server

When you are registered for support, the Subscription Services window appears. This window allows you to define the central management server that the IP40 connects to. The IP40 can connect to a central management server to allow central management of the firewall and VPN policies.
Page 49: Logging On To Nokia Ip40 Security Platform

Making Initial Nokia IP40 Security Platform Settings If your IP40 is centrally managed by any of these servers, check I wish to connect to a service center and enter the IP address of the central management server in the Specified IP text box, then click Next.
Page 50: Accessing Nokia Ip40 Securely

Getting Started Note The default user name for all Nokia IP40 licenses is admin. For the IP40 Satellite X licenses, you can define additional users. These additional users have separate usernames and passwords. For the IP40 Tele 8 license, you can only log on with the username admin.
Page 51: Logging Off From Nokia Ip40 Security Platform

IP40 is not yet known to the browser, so a security alert appears. 2. Click Yes to install the security certificate of the IP40 that you are trying to access. If you are using Internet Explorer 5.0 or later, do the following: a.
Page 52: Understanding The Nokia Ip40 Web Gui

52. Understanding the Nokia IP40 Web GUI When you log on to Nokia IP40 security platform by using HTTP or HTTPS, you can configure the device by using the following methods: Quick Setup Wizard—configures the most common settings required for the IP40 to be up and running.
Page 53: Using The Nokia Ip40 Security Platform Web-based User Interface

Figure 4 Main Components of the Nokia IP40 Security Platform GUI Note The Tele 8 license of IP40 does not support all of the features mentioned in the table 12 below. For information on features supported by the Tele configuration, see “Nokia IP40...
Page 54

Getting Started Table 12 gives the name and functionality of each element in the Nokia IP40 GUI. Table 12 Names and Functions of the Nokia IP40 GUI Elements Main Tab Secondary Tabs Description Welcome Displays Welcome and configuration information. Reports...
Page 55

Understanding the Nokia IP40 Web GUI Table 12 Names and Functions of the Nokia IP40 GUI Elements Main Tab Secondary Tabs Description Tools Comprises several tools to effectively manage your IP40. Users Internal Users Allows you to view, add, edit, and delete list of IP40 users.
Page 56

Your Internet connection status. You have different fields under Internet status. They are: Connected: your IP40 device is connected to the Internet Not Connected: your IP40 device is not connected to the Internet Establishing Connection: your IP40 device is connecting to the Internet.
Page 57: Accessing Nokia Ip40 Security Platform

Typically the WAN port for your device is connected to your Internet service provider (ISP), while the LAN port is connected to your computer, or to a hub, if you are using IP40 between your computer network and the outside world. You can connect your computer to the console port of your IP40 to manage the device by using the command-line interface (CLI).
Page 58: Configuration Methods

Connecting Nokia IP40 Security Platform to a Computer by Using the Console Port Your Nokia IP40 Security Platform has a console serial port. Connect the RS-232 cable (that is shipped along with the appliance) from the serial port of your computer to the console port of IP40.
Page 59

Select the following port settings: Bits per second: 9600 Data bits: 8 Parity: None Stop bits: 1 Flow control: None 5. Click Ok to continue. 6. The login prompt is displayed by default. Nokia IP40 Security Platform User’s Guide v1.1...
Page 60: Using Telnet To Connect To Nokia Ip40 Security Platform

Accessing Nokia IP40 Security Platform The IP40 ships without a password defined. If you are logging in for the first time,you are prompted to define the password by entering it twice. If you logged in before, enter the username and password you previously defined.
Page 61: Enabling And Disabling Telnet Access To Nokia Ip40

4. Enter your username and password.You can now, manage your IP40 Security Platform by using simple commands. 5. Press the tab key to view a list of useful, simple commands to start managing your IP40. For more information, see Nokia IP40 Security Platform CLI Reference Guide Version 1.1.
Page 62: Using Secure Shell To Connect To Nokia Ip40 Security Platform

Accessing Nokia IP40 Security Platform Using Secure Shell to Connect to Nokia IP40 Security Platform You can use Secure Shell (SSH) to access your IP40 Security Platform, securely. SSH is an application protocol and software suite that allows secure network services over an insecure network such as the Internet.
Page 63: Deploying Nokia Ip40 Security Platform With Nokia Horizon Manager

You can use Nokia Horizon Manager to perform software inventory, configuration, and image management operations. Note You can manage the IP40 Security Platform by using Nokia Horizon Manager v1.3.1 and later. Deploying Nokia IP40 Security Platform with Check Point SmartCenter Large Scale Manager The Check Point SmartCenter Large Scale Manager (LSM) allows you to manage many Check Point Remote Office/Branch Office (ROBO) gateways from a single SmartCenter Server.
Page 64

Accessing Nokia IP40 Security Platform Nokia IP40 Security Platform User’s Guide v1.1...
Page 65: Connecting To The Internet With Nokia Ip40 Security Platform

You must configure the Internet connection on initial operation, and reset to defaults operations. Using the Setup Wizard You can use the Setup Wizard to configure the Internet connection for Nokia IP40 Security Platform through graphical user interface (GUI). The Setup Wizard guides you through the configuration process, step by step.
Page 66

Connecting to the Internet with Nokia IP40 Security Platform PPTP or PPPoE dialer Dial-up Internet access by using V90 or ISDN T/A modems To configure the Internet connection by using the Setup wizard 1. Click Network from the main menu.
Page 67

When you are connected, the wizard prompts you to register your details and set up your subscription options, which vary from product to product. For information about configuring device time, registering with Nokia Support Center and subscribing to additional services with the Setup wizard, see Chapter 3, “Getting Started”...
Page 68: Cable Modem Connection Settings

Connecting to the Internet with Nokia IP40 Security Platform 2. Follow the instructions until the wizard is done, and then click Finish. You are now connected to the Internet through a direct LAN connection. Cable Modem Connection Settings If you selected cable modem connection through the procedure “To configure the Internet...
Page 69: Cloning A Mac Address

Configuring Internet Connection The Nokia IP40 takes the place of the computer behind the cable modem and you can use MAC cloning to enter the original computer MAC address without contacting the ISP to change that information. To configure for cable modem connection 1.
Page 70: Dsl Connection Settings

Connecting to the Internet with Nokia IP40 Security Platform 3. Do one of the following: a. Click This Computer to automatically clone the MAC address of your computer to the IP40. b. If the ISP requires authentication by using the MAC address of a different computer, enter the MAC address in the MAC cloning field.
Page 71

3. Follow the instructions until the wizard is finished, and then click Finish. To connect by using the PPTP connection method Select PPTP in the . The PPTP configuration window appears. Nokia IP40 Security Platform User’s Guide v1.1...
Page 72

Connecting to the Internet with Nokia IP40 Security Platform 1. Enter the following information: Username and Password, and confirm the password. Service name. IP address of the DSL modem in the Server IP field. Internal IP address (The IP address required to access the DSL modem).
Page 73: Manually Configuring The Internet Setting

Manually Configuring the Internet Setting Manually Configuring the Internet Setting You can configure the Internet settings for your IP40 manually also. To configure the Internet connection 1. Proceed as per steps 1 and 2 in “Using the Setup Wizard” on page 65 to connect using DHCP, PPTP and PPPoE 2.
Page 74

This field is optional. If a service center requires it, the Host Name is provided by them. 3. Enter the maximum transmission unit (MTU-1500) 4. If you do not want the IP40 to obtain an IP address automatically by using DHCP, do the following: a.
Page 75

If you choose PPPoE type Internet connection in procedure as described in “Manually Configuring the Internet Setting” on page 73, the following window appears: 1. Enter the following information: Enter your Username and Password and confirm the Password. Nokia IP40 Security Platform User’s Guide v1.1...
Page 76

If your service center did not provide you with a service name, leave this text box empty. You can set the maximum transmission unit size (MTU). Nokia recommends that you leave this field empty. However, to modify the default MTU, consult with your service provider.
Page 77: Direct Dial-up Ppp

3. Click Apply. Direct Dial-Up PPP You can connect the Nokia IP40 Security Platform to the Internet by using a dial-up connection. The device can establish a PPP connection to an ISP by using an external modem connected to an auxiliary port. The modem can be an analog modem or an ISDN terminal adapter.
Page 78: Configuring Dial-up With The Gui

Connecting to the Internet with Nokia IP40 Security Platform Configuring Dial-Up with the GUI The following sections give details about how to configure dial-up and direct dial-up connections on the Nokia IP40 Security Platform: Dial-up—when enabled, the WAN connection is established only when interesting traffic enters the network.
Page 79: Configuring Dial-up With The Cli

Use the following command to configure dial-up by using the CLI wizard: wizard dialup For more information about how to use other dialup commands, see the Nokia IP40 Security Platform CLI Reference Guide, Version 1.1. Nokia IP40 Security Platform User’s Guide v1.1...
Page 80: Multiple Dial-up Profiles

The Internet connection retains its connected or not connected status until Nokia IP40 is rebooted. The IP40 then connects to the Internet if the connection is enabled. For information on how to enable the Internet connection, see the section on “Enabling or Disabling the Internet...
Page 81: Configuring A Backup Internet Connection

IP40 remains connected to the Internet. You can configure different DNS servers for the two connections. The IP40 device acts as a DNS relay and routes requests from computers within the network to the appropriate DNS server for the active Internet connection.
Page 82

Connecting to the Internet with Nokia IP40 Security Platform Table 14 Internet Connection Information Field Description Status Indicates the connection status. Duration Indicates the connection duration, if active. The duration is given in the format hh:mm:ss, where: hh = hours...
Page 83: Managing Your Local Area Network

IP40 to its factory settings. To reset the Nokia IP40 Security Platform to its factory default settings, choose Setup > Firmware > Tools > Factory Settings. You can also press the Reset button at the rear panel of the device.
Page 84: Enabling And Disabling The Dhcp Server

IP addresses in your network by using the IP40 Satellite X licenses. You might want to do this if, for example, you are adding the IP40 to a large existing network and do not want the network IP address range to change, or if you are using a DHCP server other than the IP40, that assigns addresses within a different range.
Page 85: Enabling Or Disabling Hide Nat

Network Address Translation (NAT) enables you to share a single IP address among several computers. Note NAT is enabled by default. NAT can only be disabled in IP40 Satellite X licenses. If NAT is disabled, you need to buy an IP address range. To enable NAT 1.
Page 86: Configuring A Dmz Network

3. Go to the DMZ Network Settings area. 4. If desired, enable or disable Hide NAT. 5. In the IP40 DMZ IP text box, enter the IP address of the DMZ network default gateway. Note The DMZ network must not overlap the LAN network.
Page 87: Using Static Nat

IP40 supports Proxy Address Resolution Protocol (ARP). When an external source attempts to communicate with a computer that has static NAT enabled, the IP40 automatically replies to ARP queries with its own MAC address, thereby enabling communication. As a result, the static NAT Internet IP addresses appear to external sources to be real computers connected to the WAN interface.
Page 88

The Static NAT wizard opens, with the Static NAT Mapping dialog box displayed. 3. Complete the fields using the information given in the Table 15 on page 90 4. Click Next The Static NAT Mapping Updated dialog box appears. Nokia IP40 Security Platform User’s Guide v1.1...
Page 89

Using Static NAT 5. Click Finish. If you added a new mapping, it appears in the static NAT page. To edit an existing static NAT mapping, click Edit tab. Nokia IP40 Security Platform User’s Guide v1.1...
Page 90: Viewing And Deleting Static Nat Mappings

The following procedures explain how to view and delete static NAT mappings. To view static NAT mappings 1. Click Network in the main menu. 2. Click the Static NAT tab. The Static NAT page appears with a list of existing static NAT mappings. Nokia IP40 Security Platform User’s Guide v1.1...
Page 91: Using Static Routes

To add a static route 1. Click Network in the main menu, and click the Static Routes tab. The Static Routes page appears, with a listing of existing static routes. Nokia IP40 Security Platform User’s Guide v1.1...
Page 92

4. Click Apply. The new static route is saved. Table 16 Edit Route Page Fields Field Action Destination Type the network address of the destination network. Network Subnet Mask Select the subnet mask. Nokia IP40 Security Platform User’s Guide v1.1...
Page 93

The Static Routes page appears, with a listing of existing static routes. 2. In the desired route row, click the Erase tab. A confirmation message appears. 3. Click OK. The route is deleted. Nokia IP40 Security Platform User’s Guide v1.1...
Page 94

Managing Your Local Area Network Nokia IP40 Security Platform User’s Guide v1.1...
Page 95: Setting Up The Nokia Ip40 Security Platform Security Policy

Setting Up the Nokia IP40 Security Platform Security Policy This chapter describes how to set up the Nokia IP40 security policy. It includes the following topics: Setting the Firewall Security Level Configuring Virtual Servers Creating Firewall Rules Allow and Block Rules...
Page 96: Configuring Virtual Servers

Setting Up the Nokia IP40 Security Platform Security Policy To change the firewall security level 1. Click Security on the main menu. The Firewall page appears. 2. To set the security level, drag the slider or click on the security level that you want to select.
Page 97

3. In the Allow column, check the check box of the desired service or application. If you are using IP40 Satellite X, the appropriate check box in the VPN Only column is to be enabled. 4. To allow connections made through a VPN only, select the VPN Only check box.
Page 98: Security Policy

The following sections describe how to customize your security policy. Creating Firewall Rules The Nokia IP40 Security Platform checks the protocol used, the ports range, and destination IP address when deciding whether to allow or block traffic. By default, in the medium security level, the IP40 blocks all connection attempts from the Internet (WAN) to the LAN, and allows all outgoing connection attempts from the LAN to the Internet (WAN).
Page 99

Customizing Nokia IP40 Security Platform Security Policy Depending on the button you select, the Allow and Forward rule, or the Allow Rules, or the Block Rules page appears. The following table gives more information about the firewall rules that you create.
Page 100

Internet to a specific service in your internal network. Note In IP40 Tele 8, the Allow Rules page does not contain a VPN Only column, and the Block Rules page does not contain an Also VPN column. 4. Complete the fields using the information in Table 19 on page 101.
Page 101

Customizing Nokia IP40 Security Platform Security Policy 6. Complete the fields using information from the table below The Done dialog box appears. 7. Click Finish. The new rule appears in the Firewall Rules page. Table 19 on page 101 gives more information about the firewall rule fields.
Page 102: Deleting Rules

The rule is deleted. Defining an Exposed Host The Nokia IP40 Security Platform allows you to define an exposed host, which is a computer that is not protected by the firewall. This allows unlimited incoming and outgoing connections between the Internet and the exposed host computer.
Page 103

Caution Entering an IP address can make the designated computer vulnerable to external attacks. Nokia recommends that you not define an exposed host unless you are fully aware of the security risks. To define a computer as an exposed host The exposed host receives all traffic that is not forwarded to another computer by using Allow and Forward rules.
Page 104

Setting Up the Nokia IP40 Security Platform Security Policy Nokia IP40 Security Platform User’s Guide v1.1...
Page 105: Configuring Network Access

Access Control Changing Your Password You can change the password of your Nokia IP40 Security Platform, any time. The method for changing password varies depending on the IP40 configuration you are using. The default username and password for Nokia IP40 Tele 8 Configuration is admin.You can change the password for this user.
Page 106

Use five to twenty five alphanumeric characters for the new password. 3. Click Apply. Your changes are saved. In Nokia IP40 Satellite X, you can define multiple users and perform the following tasks: Change your password Add users View and edit users...
Page 107: Adding Users

4. Click Apply. Your changes are saved. Adding Users You can add users with IP40 Satellite X only. The number of IP40 users you can add is limited according to your software. To add a user 1. Click Users on the main menu.
Page 108: Viewing And Editing Users

Configuring Network Access Viewing and Editing Users You can view and edit users with IP40 Satellite X only. To view or edit users 1. Click Users on the main menu. The Users page appears. 2. Click Edit against the user you want to edit.
Page 109: Deleting Users

You can set up VPN access for users with IP40 Satellite X only. If you are using the IP40 as a VPN server, you can allow users to access it remotely through their VPN clients (a Check Point SecureClient, Check Point SecuRemote, IP40 Tele 8, or another IP40 Satellite X).
Page 110: Using Radius Authentication

You can use RADIUS to authenticate both Nokia IP40 Security Platform users, and VPN clients trying to connect to the IP40. When a user accesses the IP40 GUI and tries to log on, the IP40 sends the entered username and password to the RADIUS server. The server then checks whether the RADIUS database contains a matching username and password pair.
Page 111: Access Control

Type the shared secret to use for secure communication with the RADIUS server. Administrator Select the level of access to the IP40 portal to assign to all users Level that the RADIUS server authenticates. The levels are: No Access: The user cannot access the IP40.
Page 112: Telnet Access

60 Secure Shell Nokia IP40 supports SSH 2.0. The SSH feature in IP40 provides secure remote access to the appliance. In addition, SCP is supported to enable secure upgrade of the device, downloading of public keys, HTTPS certificates, import and export features.
Page 113: Enabling Or Disabling Ssh Service

IP Address Range Click Internal Network to enable only computers from your internal network to access your IP40 through SSH. Similarly, click ANY to enable any host (with any IP address) to connect to IP40 through SSH, and so on.
Page 114: Ssh Authentication Methods

Using SSH Client You need an SSH client to connect to the SSH server running on IP40. Install an SSH client if you do not have one already. You can use the SSH client to connect to the IP40 by using password authentication or public key authentication.
Page 115: Configuring And Managing Ssh Key Pairs

Use the following commands to show service detail configurations: show ssh server log-level Configuring and Managing SSH Key Pairs This section provides details about how to configure and manage your SSH key pairs. Nokia IP40 Security Platform User’s Guide v1.1...
Page 116: Managing Authorized Keys

Enabling HTTPS Web Access You can enable HTTPS remote access, so that IP40 users can securely access the IP40 portal from the Internet, by accessing the URL https://X.X.X.X:981, where X.X.X.X is the IP40 Internet IP address.
Page 117: Generating A Self-signed Certificate And Private Key

The Management page appears. 3. In the HTTPS menu, click : Internal Network— to enable only users of your internal network to access your IP40 through HTTPS. Internal Network + VPN— to enable users of your internal network and users connected to your IP40 through a VPN tunnel to access your IP40 through HTTPS.
Page 118: Installing A Certificate And Private Key

<cert-file path | cert-request-file path> key-file path For more information see the Nokia IP40 Security Platform CLI Reference Guide Version 1.1. Installing a Certificate and Private Key Use the following commands to copy a certificate and its associated private key in the /var/etc/ https_ssl_cert_server.crt and /var/etc/https_ssl_server.key files.
Page 119: Configuring And Monitoring Snmp

MIB-II (for more information, see RFC 1213) Host Resource MIB (for more information, see RFC 1514) SNMP Configuration from Nokia IP40 Security Platform You can use the Nokia IP40 GUI portal and the command-line interface (CLI) to set, change, and view parameters for SNMP. Security Platform...
Page 120: Configuring The Snmp Parameters

IP Address Range Disabled If you select Internal Network, SNMP access to the IP40 is allowed from computers in your internal network or LAN only; if you select IP Address Range, you can specify a range of IP addresses from which SNMP access is allowed to your IP40.
Page 121: Configuring Snmp Parameters From The Command-line Interface

IP address of the device from where a trap is generated. Use the command set snmp trappduAgent ip_address from the IP40 CLI for setting the trapPduAgent. You cannot set the trapPduAgent from the IP40 GUI portal. For more information, see the Nokia IP40 Security Platform CLI Reference Guide Version 1.1.
Page 122: Viewing Snmp Parameters

- snmp Trapreceiver traps - SNMP Traps For additional and detailed information on how to use the set and show commands, see the Nokia IP40 Security Platform CLI Reference Guide Version 1.1. Nokia IP40 Security Platform User’s Guide v1.1...
Page 123: High Availability

Nokia IP40 supports VRRP that caters to device failures, connects to multiple ISP supporting Demand Dialing, Internet link selection by using BGP to cater to ISP link failures, and seamless routing of encrypted traffic across multiple WAN links.
Page 124: Configuring Vrrp With Cli Commands

(addressed to the Internet) to IP40 (R1), default router. VRRP specifies a mechanism that IP40 (R2) uses to start acting as the default router when IP40 (R1) fails, and the hosts in the LAN do not become isolated. As shown in the preceding figure, the branch office network uses a single virtual router ID (V1).
Page 125: Dual Homing

Use the following commands to delete the VRRP configuration: delete vrrp interface <lan | dmz> virtual-router vrid <value> For more information about VRRP commands, see the Nokia IP40 Security Platform CLI Reference Guide Version 1.1. Dual Homing Nokia IP40 Security Platform supports dual homing Internet connection, which provides an uninterrupted link to the ISP.
Page 126: Isp Connectivity

A simple dual home configuration is shown in the following figure. Configuring Nokia IP40 Security Platform for Dual Homing ISP Connectivity The following sections give information about how to configure the Nokia IP40 dual homing feature: Configuring primary Internet profile for DSL/ Cable/Automatic DHCP (see “Configuring...
Page 127: Configuring Isp Dial-up Profiles

Use the following command to configure ISP dial-up profiles by using the CLI wizard: wizard dialup For more information about how to use other dial-up commands, see th Nokia IP40 Security Platform CLI Reference Guide, Version 1.1. Use the following commands to modify ISP dial-up profiles: set dialup profile <id>...
Page 128: Border Gateway Protocol

BGP peers. The central office BGP peer advertises the CO networks to the IP40 and BGP. The traffic originating from the IP40 LAN destined to the central office network is tunneled and sent.
Page 129: Enabling Bgp Routing

Route Based VPN and BGP Note You can configure BGP by using the Nokia IP40 CLI only. This feature is not supported in the IP40 GUI. Use the command-line options from a command shell (such as Hyper terminal) to configure these options. A brief list of important commands are included in this guide to provide an introduction.
Page 130: Viewing Debugging Information

<on | off > Adding a BGP Peer to Nokia IP40n Security Platform Nokia IP40 Security Platform supports both internal and external BGP neighbors. Internal neighbors are in the same autonomous system; external neighbors are in different autonomous systems. Normally, external neighbors are adjacent to each other and share a subnet, while internal neighbors can be anywhere in the same autonomous system.
Page 131: Creating Access- Lists On Nokia Ip40 Security Platform

Route Based VPN and BGP Creating Access- Lists on Nokia IP40 Security Platform Access lists are filters that enable you to restrict the routing information a router advertises to a neighbor. BGP uses address-based access lists. Use the following commands to configure access lists: add bgp access-list <list-name>...
Page 132: Configuring A Remote Bgp Peer With Md5 Authentication

BGP peers or the connection between them is not established. The authentication feature uses the MD5 algorithm. Invocation of this feature enables Nokia IP40 to generate and check the MD5 digest of every segment sent on the TCP connection. If authentication is invoked and a segment fails authentication, a message appears on the console.
Page 133: Configuring A Local Loopback Interface

Internet connection (optionally with multiple profiles). In this mode, device fails over to secondary Internet connection (dial-up) if all high priority BGP peers become unreachable. It continues to monitor the status of high priority BGP peers and falls back to primary Nokia IP40 Security Platform User’s Guide v1.1...
Page 134: Configuring Criteria For Path Selection

VPN device or a router connected to frame relay network. In this mode, IP40 uses DMZ as backup to the primary Internet connection. The traffic is tunneled as long as BGP peer is reachable over VPN through primary Internet connection.
Page 135: High- Availability Solution With A Single Nokia Ip40 Security Platform

VPN. If this BGP session fails because of any service interruption, dial-up is activated. Nokia IP40 (R1) connects to RO2 and establishes a VPN connection. R1, and the BGP peer (R4) located in RO2 establish a BGP connection over VPN, and the traffic from the branch office flows through this alternative path.
Page 136: High Availability Solution With Dual Nokia Ip40

RO1 by using DSL or a cable connection (preferred path). If any service interruption occurs in the R1 LAN , Nokia IP40 (R2) takes over as the default virtual router and forwards the branch office traffic on the DMZ to RO1 securely. If the IP40 (R1) device fails, R2 becomes master and dial-up is activated.
Page 137: Out-of-band Management

Nokia IP40 Security Platform supports remote management by using Out-Of-Band management (OOB), where IP40 acts as a remote access server (RAS) and waits for the incoming call. To use OOB, connect a modem to the AUX port of your appliance with dial-up Internet connection.
Page 138: Configuring Oob From The Nokia Ip40 Security Platform Gui

Configuring OOB from the Nokia IP40 Security Platform GUI Configure the modem settings from the IP40 GUI before you use the OOB feature. To configure the modem settings from the IP40 Security Platform GUI 1. Click Network from the main menu.
Page 139: Secure Shell And Https Access Through Out-of-band Dial-in

OOB for a time period of 30 minutes, irrespective of the current firewall filters. To boot your Nokia IP40 in Remote Configuration Mode, hold the Reset button and connect the power to the device. The default username and password for OOB are admin and password respectively, if the first time password is not set.
Page 140

Configuring Nokia IP40 Through Out-of-Band Management Nokia IP40 Security Platform User’s Guide v1.1...
Page 141: Configuring Device Functions

Use the following commands to view or change your platform host name: show hostname set hostname name For more information on setting the host name, see Nokia IP40 Security Platform CLI Reference Guide Version 1.1. Date and Time Configuration For information on setting the date and time, see “Setting Nokia IP40 Security Platform Time”...
Page 142: System Logging Configuration

Configuring Device Functions System Logging Configuration You can configure the Nokia IP40 Security Platform to send event logs to a syslog server that resides in your internal network or on the Internet. The logs detail the date and the time each event occurred.
Page 143: Network Utilities

Network Utilities For more information about how to set the syslog server, see Nokia IP40 Security Platform CLI Reference Guide, Version 1.1. Network Utilities You can use the following network utilities from the IP40 Security Platform GUI: Ping Traceroute WHOIS...
Page 144: Managing Configuration

Exporting the Nokia IP40 Security Platform Configuration You can export the Nokia IP40 Security Platform configuration to a *.cfg file, and use this file to back up and restore IP40 settings, as needed.The configuration file includes all of your settings.
Page 145: Importing The Nokia Ip40 Security Platform Configuration

5. Type a name for the configuration file and click Save. The *.cfg configuration file is created and saved to the specified directory. Importing the Nokia IP40 Security Platform Configuration To restore the configuration of your appliance from a configuration file, you must import the file: Nokia IP40 Security Platform User’s Guide v1.1...
Page 146

6. Click OK. The Tools page reappears. Note You can use the HTTP, TFTP, FTP, SCP protocols through the IP40 CLI for configuration export and import. For additional information, see Nokia IP40 Security Platform CLI Reference Guide, Version 1.1. Nokia IP40 Security Platform User’s Guide v1.1...
Page 147: Upgrading Firmware

Upgrading Firmware Upgrading Firmware You can upgrade Nokia IP40 Security Platform to a new firmware version of the product. If you are subscribed to Software Updates, firmware updates are performed automatically. These updates include new product features and protection against new security threats.
Page 148

3. Click Upgrade Product. The Setup wizard opens, with the Install Product Key dialog box displayed. 4. Select Product Key. 5. In the Product Key field, enter the new product key. 6. Click Next. Nokia IP40 Security Platform User’s Guide v1.1...
Page 149: Dynamic Dns

IP address on the Internet. This is useful for Nokia Horizon Manager to locate the IP40 devices that it manages by the host names that are used at remote office and branch offices. Nokia IP40 Security Platform User’s Guide v1.1...
Page 150: Configuring Ddns

Resetting Nokia IP40 Security Platform to Factory Defaults You can reset Nokia IP40 to its default settings. When you reset your IP40, it reverts to the state it was originally in when you purchased it, and your firmware reverts to the version that shipped with the device.
Page 151: By Using The Reset Button

Resetting Nokia IP40 Security Platform to Factory Defaults by Using the Reset Button The Restore Defaults button is inside a hole on the back panel of Nokia IP40. To press the button, use a large flat-tipped object, such as a thick paper clip. Pressing the Restore Defaults button for seven seconds restores all IP40 settings back to factory defaults.
Page 152

Configuring Device Functions Note You can also reset your Nokia IP40 to factory defaults by using the GUI, or the CLI, and remote config mode. Nokia IP40 Security Platform User’s Guide v1.1...
Page 153: Viewing Reports

Viewing Reports This chapter provides an overview of the reports you can view from the Nokia IP40 Security Platform GUI, and how to view them. This chapter includes the following topics: Viewing the Event Log Viewing Active Computers Viewing Active Connections...
Page 154: Viewing Active Computers

IP address of the attacking computer. Nokia IP40 queries the Internet WHOIS server, and a window displays the name of the entity to whom the IP address is registered and their contact information. This information is useful in tracking down external attacks.
Page 155

If you exceed the maximum number of computers allowed by your license, a warning message appears, and the computers that exceed the node limit are marked in red. These computers might not be able to access the Internet through IP40. Note To increase the number of computers that your license allows, you must upgrade your product.
Page 156: Viewing Active Connections

1. Click Reports on the main menu, and then choose Active Connections. The Active Connections page appears. 2. Do the following: Click Refresh to refresh the display. To view information about the destination computer, click its IP address. Nokia IP40 Security Platform User’s Guide v1.1...
Page 157: Viewing Vpn Tunnels

Viewing Reports on Nokia IP40 Security Platform The IP40 queries the Internet WHOIS server, and a window displays the name of the entity to whom the IP address is registered and their contact information. Viewing VPN Tunnels You can view a list of currently established VPN tunnels.
Page 158: Viewing The Diagnostics Summary

You can refresh the table by refreshing the browser. Viewing the Diagnostics Summary You can view the diagnostics summary for your device from the IP40 GUI. The diagnostics summary provides useful information about your device, such as node limit, network status, primary network status, secondary network status, my network status, setup state, users state, security, and subscription services.
Page 159

Viewing Reports on Nokia IP40 Security Platform 5. Use the scroll bar to view more information. Nokia IP40 Security Platform User’s Guide v1.1...
Page 160

Viewing Reports Nokia IP40 Security Platform User’s Guide v1.1...
Page 161: Working With Vpns

The Nokia IP40 Tele 8, and Satellite 16/32/U licenses provide VPN functionality. Nokia IP40 Tele 8 contains a VPN client and can act as a VPN server. Nokia IP40 Satellite 16/32/U can act as a VPN client, a VPN server, or a VPN gateway.
Page 162

Nokia IP40 Satellite (Gateway) Check Point NG AI, NG, FP3, FP2, FP1 Nokia IP40 Satellite Check Point NG AI using VPN-1 Edge/ Embedded Gateway Check Point Smart LSM using VPN-1 Edge/Embedded ROBO Gateway. Nokia IP40 Security Platform User’s Guide v1.1...
Page 163: Setting Up Nokia Ip40 As A Vpn Server

VPN mode. IP40 Tele and Satellite both provide VPN functionality. Nokia IP40 Tele license contains a VPN client and can act as a VPN server. Nokia IP40 satellite can act as a VPN client, a VPN server, or a VPN gateway.
Page 164: Configuring Remote Access Vpns

1. Click VPN in the main menu, and click the VPN Sites tab. 2. Click New Site at the bottom of the page. 3. The IP40 VPN site wizard appears. If you select Remote Access VPN, the VPN Network Configuration dialog box appears.
Page 165

To configure the site for manual login, select Manual Login. Enter a username and password to be used for logging on to the VPN site. b. To enable the IP40 to log on to the VPN site automatically, Select Automatic Login Nokia IP40 Security Platform User’s Guide v1.1...
Page 166: Configuring Site-to-site Vpn

“Completing Site Creation” on page 169. Note The automatic login option in the GUI is supported for Nokia IP40 Satellite X and only manual login is available for Nokia IP40 Tele license. Configuring Site-to-Site VPN If you selected site-to-site VPN, the VPN Gateway Address window appears.
Page 167

Check Use Shared Secret or Use Certificate, depending on the secure communication method to be used. c. If you choose Use Shared Secret, enter the Shared Secret. 6. If Specify Configuration option is selected, the following window appears: Nokia IP40 Security Platform User’s Guide v1.1...
Page 168

In the Subnet mask column, select the subnet masks for the destination network addresses. Note Obtain the destination networks and subnet masks from the VPN site system administrator. c. Click Next. The Authentication window appears. Nokia IP40 Security Platform User’s Guide v1.1...
Page 169: Completing Site Creation

You can see the downloaded topology on your IP40 device from http://my.firewall/ vpntopo.html Deleting a VPN Site You can delete a VPN site from the IP40 Tele 8 and IP40 Satellite X. To delete a VPN site 1. Click VPN on the main menu.
Page 170: Logging To A Vpn Site

If you chose manual login, log on to a VPN site every time you want to access the VPN site. You can log on to a VPN site either through the Nokia IP40 GUI or the my.vpn page. When you log on, a VPN tunnel is established.
Page 171: Logging On From The Nokia Ip40 Security Platform Gui

If your IP40 is configured to automatically download the network configuration, the IP40 downloads the network configuration. If you specified a network configuration when you add the VPN site, the IP40 attempts to create a tunnel to the VPN site.
Page 172: Logging On Through My.vpn

You do not need to know the my.firewall page administrator's password to use the my.vpn page. To log on to a VPN site through the my.vpn page 1. Go to http://my.vpn.The VPN Login window appears. Nokia IP40 Security Platform User’s Guide v1.1...
Page 173: Logging Off A Vpn Site

To log off from a VPN site, in the VPN Login Status dialog box, click Close. All open tunnels from the IP40 to the VPN site are closed, and the VPN Login Status dialog box closes. Closing the browser or dismissing the VPN Login Status box also terminates the VPN session within a short time.
Page 174

5. Type the pass-phrase that your received from the network administrator. 6. Click Ok. Your certificate is installed, and a success message appears. 7. Click Ok. Nokia IP40 Security Platform User’s Guide v1.1...
Page 175: Installing Vpn Certificates By Using Cli

SmartCenter NG AI that uses Check Point Large Scale Manager and the dynamically configured IP40 security platform that uses the DAIP. The certificate created on the Check Point NG AI can be uploaded to the IP40 Satellite. To upload VPN certificates and to create a dynamic VPN site by using Check Point Smart LSM 1.
Page 176: Security Platform

Working with VPNs 7. Click the VPN Sites tab to see the Dynamic VPN tunnel created between your Nokia IP40 and the Check Point NG AI management station. Uninstalling the Certificate from your Nokia IP40 Security Platform Follow this procedure to uninstall VPN certificate from Nokia IP40 Security Platform.
Page 177: Installing The Security Policy By Using Gui

To install the security policy by using GUI 1. Click Setup on the main menu. The Firmware window appears 2. Click Firmware Update. The Firmware Update window appears. Nokia IP40 Security Platform User’s Guide v1.1...
Page 178: Vpn Scenarios

Note The following sections provide only an introduction to the VPN scenarios supported by Nokia IP40 Security Platform. They DO NOT discuss the complete usage scenario. For more information about usage scenarios, contact the Nokia support site. Nokia IP40 as VPN Server Nokia IP40 as a VPN server supports the following scenario: Nokia IP40 Security Platform User’s Guide v1.1...
Page 179: Setting Up Nokia Ip40 Satellite X

SecuRemote to Nokia IP40 Satellite X (VPN Client to Gateway) This VPN topology enables Nokia IP40 Tele 8, Nokia IP40 Satellite X, Check Point SecuRemote and SecureClient VPN clients to connect to an IP40 Satellite X acting as a VPN server. Note In this configuration, the IP40 Satellite X VPN server must have a static IP address and domain name.
Page 180: Nokia Ip40 As Vpn Client

If you are using the IP40 in a standalone mode, add the license manually. Adding VPN Sites by Using Nokia IP40 Tele 8 Using Nokia IP40 Tele 8 licenses, you can define only remote access VPN sites. To define site- to-site VPN gateways, you must have IP40 Satellite X license.
Page 181

To add a VPN site, click New Site. b. To edit a VPN site, click Edit in the desired VPN site row.: If you click the option a, the Nokia VPN Site Wizard opens, as shown in the following window: 3.
Page 182

Note You can download the network configuration only if you are connecting to a Check Point VPN-1 or Nokia IP40 Satellite X VPN Gateway. To specify configuration 7. If you chose Specify Configuration in the preceding procedure, a dialog box appears.
Page 183

VPN sites list. To route all traffic If you chose Route All Traffic in Adding VPN sites by using the IP40 Tele 8, the VPN Network Configuration dialog box appears with the following message: Only one VPN Profile can be configured as Route All Traffic.
Page 184: Nokia Ip40 Site-to-site Vpns Support

The following sections describe about site-to-site VPNs, and the modes they support. Adding VPN Sites by Using Nokia IP40 Satellite X You can define each VPN site according to the function you want IP40 Satellite X to perform when connecting to the site: VPN Client—define the VPN site as a remote access VPN site using the following...
Page 185

IP40 Satellite IP40 Tele If the VPN client is enabled, the IP40 GUI main menu includes a VPN menu option. In addition, the Reports pages include an additional VPN Tunnels submenu that allows you to view the active VPN tunnels.
Page 186: Setting Up Nokia Ip40 Tele 8

FP1,FP2, FP3, NG, or NG AI You can use the IP40 Tele 8 as a VPN client to establish a Remote to Site VPN connectivity with a Check Point server by using version 4.1, FP1, FP2, FP3, NG, or NG AI.
Page 187

Nokia IP40 Tele 8 to Check Point NG AI Setting Up Nokia IP40 Tele 8 To configure a VPN tunnel between Nokia IP40 Tele 8 and Check Point FP3, on IP40 Tele 8, (VPN client) add a VPN site. Setting Up Check Point NG AI Configure a VPN-1 Edge/Embedded gateway object on the Check Point Smart Dashboard.
Page 188

To set up the IP40 Satellite X 1. Specify the IP address of Nokia IP40 Satellite X on the remote Nokia IP40 Satellite X. 2. Enter the shared secret (a password that is known to both the IP40 Satellite X devices).
Page 189: Unrestricted Mode

Solution A: Nokia IP40 Satellite X to VPN-1 (Site-to-Site VPN) Hosts on Network 1 establish the TCP/IP connection to the external IP address of the IP40 Satellite X site-to-site VPN gateway. The IP40 Satellite X device is configured through the IP40 GUI Security page to port forward the inbound traffic to the defined host.
Page 190: Defining A Backup Vpn Gateway

Check Point Multiple Entry Point document. Nokia IP40 Satellite X to VPN-1 (Site-to-Site VPN) Nokia IP40 Satellite X to VPN-1 or Check Point v4.1, FP1, FP2, FP3, NG, or NG AI configuration enables you to establish site-to-site VPN connections between an IP40 Satellite X site-to-site VPN gateway and a VPN-1 site-to-site VPN gateway.
Page 191

To configure Nokia IP40 Satellite X 1. Specify the IP address of Nokia IP40 Satellite X on the VPN-1 server. 2. Enter the shared secret (a password that is known to both the IP40 Satellite X and the VPN- 1 Server).
Page 192

Certificate instead of Use Shared Secret. Nokia IP40 Satellite X to Check Point SmartCenter FP3/NG AI You can use Nokia IP40 Satellite X as a VPN server to establish a VPN connectivity with SmartCenter FP3/NG AI server by using VPN-1 Edge/Embedded gateway or using VPN-1 Edge/Embedded ROBO gateway in case of Smart LSM (VPN Star Community).
Page 193: For Vpn Connection With Smartcenter Fp3

To configure the IP40 Satellite X for VPN connection with SmartCenter FP3 1. Specify the IP address of Nokia IP40 Satellite X on the VPN-1 server. 2. Enter the shared secret (a password that is known to both the IP40 Satellite X and the VPN- 1 Server).
Page 194: Site-to-site Vpn With Windows 2000

2. Enter the IP address of the Check Point NG AI Management station. The Connecting window appears. 3. Enter the Gateway ID and Registration Key that is used while creating the IP40 dynamic object on the LSM. 4. The Connecting window appears.
Page 195: Site-to-site Vpn With Nokia Cryptocluster

For more information on how to configure the Windows 2000 server, see SofaWare’s Configuring Windows 2000/ XP IPSec to Site-to-Site VPN. Site-to-Site VPN with Nokia CryptoCluster You can configure for VPN connectivity between the Nokia IP40 Satellite X, and a Nokia VPN Gateway (CryptoCluster) for site-to-site VPN. Authentication supported: preshared secret...
Page 196: Vpn Routing Between Two Nokia Ip40 Security Platforms

The Nokia IP40 Security Platform supports mesh VPN topology using Check Point where different IP40 Security Platforms are configured as site to site VPNs within a mesh topology. The limitation in this scenario is that the IP40 configured on Check Point should have a static WAN IP address.
Page 197: Using Managed Services

Using Managed Services You can integrate your IP40 Security Platforms into an overall enterprise security policy, for maximum security. The Check Point Security Management Architecture (SMART) delivers a single enterprise-wide security policy that you can centrally manage and automatically deploy an unlimited number of IP40 gateways.
Page 198

To specify a Service Center, do the following: Select Specified In the Specified text box, enter the IP address of the desired Service Center, as given to you by the service center. 5. Click Next. The Connecting screen appears. Nokia IP40 Security Platform User’s Guide v1.1...
Page 199

Enter your gateway ID and registration key in the appropriate fields, as given to you by your service provider. b. Click Next. The Connecting window appears. The Confirmation dialog box appears with a list of services to which you are subscribed. Nokia IP40 Security Platform User’s Guide v1.1...
Page 200

When the download is complete, the IP40 restarts by using the new firmware. The Welcome page appears. The services to which you are subscribed are now available on your IP40 and listed as such on the Account page. For more information, see “Viewing Service Information...
Page 201: Viewing Service Information From The Account

The refresh option restarts the connection to the service center and refreshes the service settings of your device. To refresh your service center connection 1. Click Services in the main menu, and click the Account tab. The Account page appears. Nokia IP40 Security Platform User’s Guide v1.1...
Page 202: Configuring Your Account

Using Managed Services 2. In the Service Account area, click Refresh. The IP40 reconnects to the Service Center. Your service settings are refreshed. Configuring Your Account You to access your service center Web site, which might offer additional configuration options for your account.
Page 203: Disconnecting From Your Service Center

The following things happen: You are disconnected from the Service Center. The services to which you were subscribed are no longer available on your IP40. Sofaware Security Management Portal The SofaWare Management Center (SMC) is a Web-based application for managing, and configuring the SofaWare Security Management Portal (SMP).
Page 204: Web Filtering

If you are remotely managed, contact your service center to change these settings. To enable or disable Web filtering 1. Click Services in the main menu, and click the Web Filtering tab. The Web filtering page appears. 2. Drag the On/Off lever upwards or downwards. Nokia IP40 Security Platform User’s Guide v1.1...
Page 205: Selecting Categories To Block

1. Click Services in the main menu, and click the Web Filtering tab. The Web Filtering page appears. 2. Click Snooze. Web filtering is temporarily disabled for all internal network computers. Snooze changes to Resume. Nokia IP40 Security Platform User’s Guide v1.1...
Page 206: Virus Scanning

Enabling or Disabling Email Antivirus This section gives you information about how to enable or disable the email antivirus option. Note If you are remotely managed, contact your service center to change these settings. Nokia IP40 Security Platform User’s Guide v1.1...
Page 207: Selecting Protocols For Scanning

Email retrieving (POP3). If enabled, all incoming email in the POP3 protocol is scanned. Email sending (SMTP). If enabled, all outgoing email is scanned. Protocols marked with a check mark are scanned, while those marked with cross mark (x) are not. Nokia IP40 Security Platform User’s Guide v1.1...
Page 208: Temporarily Disabling Email Antivirus

1. Click Services in the main menu, and click the Email Antivirus tab. The Email Antivirus page appears. 2. Click Snooze. Email antivirus is temporarily disabled for all internal network computers. Snooze changes to Resume. The Email Antivirus Off popup window opens. Nokia IP40 Security Platform User’s Guide v1.1...
Page 209: Automatic And Manual Updates

If you are subscribed to Software Updates, you can check for new security and software updates. Checking for Software Updates when Locally Managed If your Nokia IP40 security platform is locally managed, you can set it to automatically check for software updates, or you can set it so that software updates can be checked manually.
Page 210: Checking For Software Updates When Remotely Managed

When the Software Updates service is set to Automatic, you can still manually check for updates. 3. To set the IP40 so that software updates must be checked for manually, drag the Automatic/ Manual level downwards. The IP40 does not check for software updates automatically.
Page 211: Managing With Nokia Horizon Manager

To use Nokia Horizon Manager Interface to access and manage your IP40 Security Platform: 1. Click Devices in the main menu and choose Create Devices to create an IP40 device. 2. Click Nokia Small Office Series Platform - IP40 for device type.
Page 212

Topology was loaded to the device. This should be verified from http://my.firewall/vpntopo.html. 3. You can verify that the tunnel is open by sending packets from IP40 to the VPN-1 gateway. To configure NG AI and Nokia IP40 Security Platform for site-to-site by using LSM...
Page 213: Troubleshooting

The performance of the device does not get affected even if debugging is disabled. But when debugging is enabled for many features, it can affect the primary firewall and VPN task of Nokia IP40. Debugging should be enabled judiciously and for brief periods.
Page 214: Viewing Debugging Levels

I cannot access the Internet. What should I do? Check for the following: Check if the PWR LED is active. If not, check the power connection to the IP40. Check if the WAN LED is on. If not check the network cable to the modem and make sure the modem is turned on.
Page 215

Every time I start Internet Explorer, the application searches for an Internet connection. This is unnecessary, since I am connected through the IP40. What should I do? For Internet Explorer, versions 5 and 6, do the following: 1.
Page 216

I changed the network settings to incorrect values and am unable to correct my error. What should I do? Reset the network to its default settings by using the reset button on the back of the IP40 device. Nokia IP40 Security Platform User’s Guide v1.1...
Page 217

Set the router to direct all incoming connections to the external IP address of IP40. Keep in mind that if you use IP40 behind another NAT device, you might lose some of the advantages of the IP40, such as broad application support and high performance.
Page 218

Check for the correct username, Authentication Failure password given for the VPN site during login. I cannot connect to IP40 Satellite VPN site by using IP40 Satellite X. What should I do? Check for the following error messages in Report->Event Log: Error Message Verify...
Page 219: Viewing Firmware Status

I cannot download the certificate. What should I do? Ensure that the device date and management date matches. Viewing Firmware Status The firmware is the software program embedded in the IP40. You can view your current firmware version and additional details. To view the firmware status 1.
Page 220: Failsafe Mode

Nokia IP40 Security Platform enters failsafe mode when the main kernel becomes corrupted. If the main kernel becomes corrupted, the IP40 loads a failsafe kernel to the RAM. For the device to function properly, it must be upgraded with a new firmware.
Page 221: Upgrading Firmware From Failsafe Kernel

If the firmware of your device gets corrupted, and your device is not working properly, you need to reload the firmware in it. You can reload your firmware by using the Faisafe Kernel. You can use the OOB feature in the IP40 for remote HTTPS or SSH access and to perform firmware upgrades.
Page 222

Troubleshooting 3. Click Diagnostics. Technical information about the IP40 appears in a new window. 4. To refresh the contents of the window, click Refresh. The contents are refreshed. 5. To close the window, click Close. Nokia IP40 Security Platform User’s Guide v1.1...
Page 223: A Specifications

Read the installation and operation procedures provided in this User Guide. Failure to follow the instructions can result in damage to equipment, and or personal injuries. Before cleaning the IP40, unplug the power cord. Use only a soft cloth dampened with water for cleaning.
Page 224

Specifications Do not route the cables in a walkway or in a location that will crimp the cables. Nokia IP40 Security Platform User’s Guide v1.1...
Page 225: B Warranty

Software to provide managed services provided that each copy of the Software is used solely on behalf of and for the benefit of a single client on the single piece of equipment provided by Nokia. An MSP may discontinue use of the Software on behalf of one client and use the Software to provide managed services to another single client.
Page 226

Software error. Furthermore, the above warranty does not apply to any portion of the product supplied by a third party. In no event does Nokia warrant that the Software is error-free or that the Customer will be able to operate it without problems or service interruptions.
Page 227

Upon termination, Customer shall cease all use of the Software and shall destroy or return to Nokia the original(s) and all copies of the Software and documentation made or furnished hereunder. Customer may terminate the License at any time by destroying all copies of the Software and documentation.
Page 228

US. Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement. Nokia IP40 Security Platform User’s Guide v1.1...
Page 229: C End User License Agreement

You does not come with a License Key then the Licensed Configuration shall be the minimum configuration allowed by the user manual of SofaWare S-Box, and upon which the licensing fee was based. Nokia IP40 Security Platform User’s Guide v1.1...
Page 230

(or permit others to) decipher, reverse translate, decompile, disassemble or otherwise reverse engineer or attempt to reconstruct or discover any source code or underlying ideas or algorithms or file formats or programming or interoperability interfaces of Nokia IP40 Security Platform User’s Guide v1.1...
Page 231

Agreement infringes any patent, copyright, or other ownership rights of a third party. You agree to provide SofaWare with written notice of any such claim within ten (10) days of Your notice thereof and provide reasonable assistance in its defense. SofaWare has sole discretion and Nokia IP40 Security Platform User’s Guide v1.1...
Page 232

SofaWare's export regulation information page (www.sofaware.com or www.s- box.com) for specific information. You agree that You will not ship, transfer, or export the Product into any country, or make available or use the Product in any manner, prohibited by law. Nokia IP40 Security Platform User’s Guide v1.1...
Page 233

Agreement, and no license to the Product is granted to any government requiring different terms. 9.4 Questions? Should You have any questions concerning this Agreement contact the manufacturer at SofaWare Technologies Ltd., 3 Hilazon St., Ramat-Gan, Israel 52522. Nokia IP40 Security Platform User’s Guide v1.1...
Page 234

End User License Agreement Nokia IP40 Security Platform User’s Guide v1.1...
Page 235: D Compliance Information

“The product complies with the requirements of the Low Voltage Directive 73/23/EEC and the EMC Directive 89/ 336/EEC.” Alan Hutchinson Quality Engineer Mountain View, California European contact:Greg Shortell Nokia Telecommunications 2 Heathrow Blvd, 284 Bath Road Heathrow, Middlesex UB7 ODQ England Nokia IP40 Security Platform User’s Guide v1.1...
Page 236: Compliance Statement

Consult the dealer or an experienced radio/TV technician for help. Caution Any changes or modifications not expressly approved by the grantee of this device could void the user’s authority to operate the equipment. Nokia IP40 Security Platform User’s Guide v1.1...
Page 237

FCC Notice (US) Nokia IP40 Security Platform User’s Guide v1.1...
Page 238

Compliance Information Nokia IP40 Security Platform User’s Guide v1.1...
Page 239

105 deleting users 109 border gateway protocol (BGP) 128 viewing users 108 configuring NG AI and IP40 for site-to-site using LSM profiles 211 configuring Nokia IP40 for dual homing ISP changing IP addresses in your network 85 connectivity 126...
Page 240

123 downloading pre-compiles policy 176 high-availability solution DSL connection settings 70 with dual Nokia IP40 Security Platform 136 using automatic DHCP 72 with single Nokia IP40 Security Platform 135 using PPPoE 71 HTTPS access through OOB 139...
Page 241

172 FP3/NG AI 192 logging on to a VPN site from GUI 171 Nokia IP40 Satellite X to VPN-1 (Site-to-Site VPN) 190 logging on to Nokia IP40 Security Platform 49 Nokia IP40 Security Platform Features 20...
Page 242

142 uploading VPN certificates setting up Check Point FP3 191 by using Check Point Smart LSM 175 Setting up IP40 Satellite X for VPN connection with using managed services 197 SmartCenter FP3 193 using network utilities from IP40 GUI 143...
Page 243

225 Web filtering 204 enabling Web filtering 204 selecting categories to block 205 temporarily disabling Web filtering 205 to allow or block a category 205 working with VPNs 161 Nokia IP40 Security Platform User’s Guide v1.1 Index - 243...
Page 244

Index - 244 Nokia IP40 Security Platform User’s Guide v1.1...