Nortel BSR222 Configuration

Business secure router

Nortel Business Secure Router 222 Configuration —
Basics
BSR222
Business Secure Router
Document Number: NN47922-500
Document Version: 1.4
Date: May 2007

Summary of Contents for Nortel BSR222

  • Page 2 The information in this document is proprietary to Nortel. Trademarks Nortel, Nortel (Logo), the Globemark, and This is the way, This is Nortel (Design mark) are trademarks of Nortel. Microsoft, MS, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation.
  • Page 3: Table Of Contents

    Getting Help from the Nortel Web site
  • Page 4 Embedded FTP and TFTP Servers, p. 40; Applications for the Nortel Business Secure Router 222, p. 41; Secure broadband internet access and VPN
  • Page 5 Adding IP telephony to a multi-site network, p. 72; Configuring the router to act as a Nortel VPN Server (Client Termination), p. 73; Configuring the router to connect to a Nortel VPN Server (Client Emulation)
  • Page 6 Preventing heavy data traffic from impacting telephone calls, p. 75; Setting Up a Remote Office with a UNIStim IP Telephone, p. 75; Inter-Operability With Third-Party Routers
  • Page 7 Port forwarding: Services and Port Numbers, p. 138
  • Page 8 Configuring servers behind SUA (example), p. 138; Configuring SUA Server, p. 139; Configuring Address Mapping
  • Page 9 Days and Times, p. 197
  • Page 10 IPSec, p. 201; Nortel Business Secure Router 222 VPN functions, p. 201; VPN screens overview
  • Page 11 Trusted remote host certificate fingerprints, p. 286
  • Page 12 Importing a certificate of a trusted remote host, p. 288; Trusted remote host certificate details
  • Page 13 Configuring Security, p. 356
  • Page 14 Chapter 19 UPnP, p. 359; Universal Plug and Play overview
  • Page 15 Netscape Java Permissions and JavaScript, p. 419
  • Page 16 Appendix B Log Descriptions, p. 423; VPN/IPSec Logs
  • Page 17 Traffic Redirect WAN Setup, p. 119
  • Page 18 Figure 30 Traffic Redirect LAN Setup, p. 120; Figure 31 Traffic Redirect
  • Page 19 Bandwidth Manager: Summary, p. 300
  • Page 20 Figure 100 Bandwidth Manager: Class setup, p. 302; Figure 101 Bandwidth Manager: Edit class, p. 304; Figure 102 Bandwidth management statistics
  • Page 21 Figure 169 Network Temporarily Disconnected, p. 401
  • Page 22 Figure 170 Restart screen, p. 402; Figure 171 Pop-up Blocker
  • Page 23 SUA/NAT setup, p. 140
  • Page 24 Table 30 Address Mapping, p. 142; Table 31 Address Mapping edit
  • Page 25 Configuring UPnP, p. 361
  • Page 26 Table 100 UPnP Ports, p. 362; Table 101 View Log
  • Page 27 Log categories and available settings, p. 442
  • Page 29: Preface

    Router for its various applications. Note: This guide explains how to use the WebGUI to configure your Business Secure Router. See Nortel Business Secure Router 222 Configuration — Advanced (NN47922-501) for how to use the System Management Terminal (SMT) or the command interpreter interface to configure your Business Secure Router.
  • Page 30: Related Publications

    Hard copy technical manuals You can print selected technical manuals and release notes free, directly from the Internet. Go to www.nortel.com/documentation. Find the product for which you need documentation. Then locate the specific category and model or version for your hardware or software product. Use Adobe Reader to open the manuals and release notes, search for the sections you need, and print them on most standard printers.
  • Page 31: How To Get Help

    Getting Help over the phone from a Nortel Solutions Center If you don’t find the information you require on the Nortel Technical Support Web site, and have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center.
  • Page 32: Getting Help From A Specialist By Using An Express Routing Code

    To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to: www.nortel.com/erc...
  • Page 33: Getting To Know Your Nortel Business Secure Router 222

    Router. Introducing the Nortel Business Secure Router 222 The Nortel Business Secure Router 222 is an ideal secure gateway for all data passing between the Internet and the Local Area Network (LAN). By integrating Network Address Translation (NAT), firewall and Virtual Private...
  • Page 34: Physical Features

    Table 1 Feature Specifications Feature Specification Number of address mapping rules Maximum number of VPN IP Policies Maximum number of VPN Tunnels (Client and/or Branch Office) Maximum number of concurrent VPN IPSec Connections...
  • Page 35: Auxiliary Port

    Auxiliary port The Business Secure Router uses the same port for console management and for an auxiliary WAN backup. The AUX port can be used in reserve as a traditional dial-up connection if the broadband connection to the WAN port fails.
  • Page 36: Certificates

    Certificates The Business Secure Router can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication.
  • Page 37: Brute Force Password Guessing Protection

    Brute force password guessing protection The Business Secure Router has a special protection mechanism to discourage brute force password guessing attacks on the Business Secure Router’s management interfaces. You can specify a wait time that must expire before you can enter a fourth password after entering three incorrect passwords.
  • Page 38: Pptp Encapsulation

    PPTP Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using a TCP/IP-based network.
  • Page 39: Snmp

    SNMP SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Business Secure Router supports SNMP agent functionality, which means that a manager station can manage and monitor the Business Secure Router through the network.
  • Page 40: Full Network Management

    Full network management The embedded web configurator is an all platform, web based utility that you can use to easily manage and configure the Business Secure Router. Most functions of the Business Secure Router are also software configurable via the SMT (System Management Terminal) interface.
  • Page 41: Applications For The Nortel Business Secure Router 222

    Applications for the Nortel Business Secure Router 222 Secure broadband internet access and VPN You can connect a cable, DSL, or other modem to the Nortel Business Secure Router 222 via Ethernet WAN port for broadband Internet access. The Business Secure Router also provides IP address sharing and a firewall protected local network with traffic management.
  • Page 42: Hardware Setup

    Note: To keep the Business Secure Router operating at optimal internal temperature, keep the bottom, sides, and rear clear of obstructions and away from the exhaust of other equipment. After installing your Nortel Business Secure Router 222, continue with the rest of this guide for configuration instructions.
  • Page 43: Introducing The Webgui

    Make sure your Business Secure Router hardware is properly connected and prepare your computer and computer network to connect to the Business Secure Router. Refer to the Nortel Business Secure Router 222 — Fundamentals (NN47922-301).
  • Page 44: Figure 2 Login Screen

    Launch your web browser. Type 192.168.1.1 as the URL. Type the user name (nnadmin is the default) and the password (PlsChgMe! is the default) and click Login. Click Reset to clear any information you have entered in the Username and Password fields.
  • Page 45: Figure 3 Change Password Screen

    Figure 3 Change password screen Click Apply in the Replace Certificate screen to create a certificate using your Business Secure Router’s MAC address that is specific to this device. Figure 4 Replace certificate screen
  • Page 46: Restoring The Factory Default Configuration Settings

    Business Secure Router to the factory defaults. Uploading a configuration file via console port Download the default configuration file from the Nortel FTP site, unzip it and save it in a folder. Turn off the Business Secure Router, begin a terminal emulation software session and turn on the Business Secure Router again.
  • Page 47: Navigating The Business Secure Router Webgui

    Follow the instructions in the MAIN MENU screen or click the help icon (located in the top right corner of most screens) to view online help. Note: The help icon does not appear in the MAIN MENU screen.
  • Page 48: Figure 6 Main Menu Screen

    Figure 6 MAIN MENU Screen Click the Contact link to display the customer support contact information. Figure 7 is a sample of what displays.
  • Page 49: Figure 7 Contact Support

    Figure 7 Contact Support
  • Page 51: Wizard Setup

    The setup wizard in the WebGUI helps you configure your device to access the Internet. The second screen has three variations, depending on which encapsulation type you use. Refer to your ISP checklist in the Nortel Business Secure Router 222 — Fundamentals (NN47922-301) to know what to enter in each field.
  • Page 52: Domain Name

    Domain Name The Domain Name entry is what is propagated to the DHCP clients on the LAN. If you leave this blank, the domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name) on each individual computer, the domain name can be assigned from the Business Secure Router via DHCP.
  • Page 53: Ethernet

    Ethernet Choose Ethernet when the WAN port is used as a regular Ethernet. Figure 9 Wizard 2: Ethernet Encapsulation
  • Page 54: Pptp

    Table 2 describes the fields in Figure Table 2 Wizard 2: Ethernet Encapsulation Label Description Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection.
  • Page 55: Figure 10 Wizard 2: Pptp Encapsulation

    Nailed Up Connection: Select Nailed Up Connection if you do not want the connection to time out. Idle Timeout: Type the time, in seconds, that elapses before the router automatically disconnects from the PPTP server. The default is 45 seconds.
  • Page 56: Pppoe Encapsulation

    Table 3 Wizard 2: PPTP Encapsulation Label Description PPTP Configuration My IP Address Type the (static) IP address assigned to you by your ISP. My IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given). Server IP Address Type the IP address of the PPTP server.
  • Page 57: Figure 11 Wizard2: Pppoe Encapsulation

    Select PPP over Ethernet from the drop-down list. Service Name Type the name of your service provider. User Name Type the username given to you by your ISP. Password Type the password associated with the username above.
  • Page 58: Wizard Setup: Screen 3

    Table 4 Wizard2: PPPoE Encapsulation. Nailed Up Connection: Select Nailed Up Connection if you do not want the connection to time out. Idle Timeout: Type the time, in seconds, that elapses before the router automatically disconnects from the PPPoE server.
  • Page 59: Ip Address And Subnet Mask

    ISP will assign you a dynamic IP address when the connection is established. If this is the case, Nortel recommends that you select a network number from 192.168.0.0 to 192.168.255.0 and you must enable the Network Address Translation (NAT) feature of the Business Secure Router.
  • Page 60: Dns Server Address Assignment

    DNS Server address assignment Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa, for instance, the IP address of www.nortel.com is 47.249.48.20. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.
  • Page 61: Table 6 Example Of Network Properties For Lan Servers With Fixed Ip Addresses

    192.168.1.2-192.168.1.32; 192.168.1.65-192.168.1.254. Subnet mask 255.255.255.0 Gateway (or default route) 192.168.1.1 (Business Secure Router LAN IP) The third wizard screen varies according to the type of encapsulation that you select in the second wizard screen.
  • Page 62: Figure 12 Wizard 3

    Figure 12 Wizard 3 Table 7 describes the fields in Figure Table 7 Wizard 3 Label Description WAN IP Address Assignment Get automatically from Select this option if your ISP did not assign you a fixed IP address.
  • Page 63 Assignment to its corresponding IP address and vice versa. For example, the IP address of www.nortel.com is 47.249.48.20. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.
  • Page 64 Table 7 Wizard 3 Label Description First DNS Server, Second DNS Server: Select From ISP if your ISP dynamically assigns DNS server information (and the Business Secure Router’s WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns.
  • Page 65: Basic Setup Complete

    Basic Setup Complete Well done! You have successfully set up your Business Secure Router to operate on your network and access the Internet.
  • Page 67: User Notes

    BCM50 is changed, the following command must be used to enable the router to assign the first address to a different BCM50: ip dhcp enif0 server m50mac clear Login Requires Reboot
  • Page 68: Firewall

    If the Administrator Timeout is set to 0, and an administration session is terminated without logging off, the router needs to be rebooted in order for the administrator to log in to the WebGUI again. Alternatively, the administrator can log in using a TelNet session, if TelNet access has been enabled in the Remote Management menu.
  • Page 69: Vpn Client Termination

    If a VPN Client user account is de-activated, deleted, or changed, and that user is currently connected, the connection is not automatically dropped. To drop the connection, the administrator needs to disconnect the user using the 'Disconnect' function in the VPN/SA Monitor GUI. This is consistent with other Nortel Contivity products. User Name Restrictions User names are limited to a maximum length of 63 characters.
  • Page 70: Security

    VPN Clients can have dynamically assigned IP addresses, or they can have statically assigned addresses. However, the router does not support both modes at once. All addresses must either be dynamically assigned, or they must all be statically assigned.
  • Page 71: Advanced Router Configuration

    In VPN / Summary, add a new tunnel by editing an unused rule. Create an Active, Branch Office tunnel. Select 'Nailed Up' if the tunnel should not be closed while not in use.
  • Page 72: Adding Ip Telephony To A Multi-Site Network

    b Enter the authentication information, with either a pre-shared key or an imported certificate. Enter the IP Address assigned to the router WAN port. This should be a static address, or a dynamic DNS name, and the IP address of the remote router.
  • Page 73: Configuring The Router To Act As A Nortel Vpn Server (Client Termination)

    2 <Remote_BCM50_IP_Address> 7000 1 Create a tunnel between the sites, as described above. Create an H.323 trunk between the BCM50s, as per the BCM50 User Guide. Configuring the router to act as a Nortel VPN Server (Client Termination) Under VPN / Client Termination, Enable Client Termination.
  • Page 74: Allowing Remote Management Of A Lan-Connected Bcm50

    Allowing remote management of a LAN-connected BCM50 Create the appropriate NAT server rules to add the BCM50. Go to SUA/NAT / SUA Server, and create two server rules for HTTPS and Element Manager access: One named BCM_HTTPS, with port number 443, and the IP address of the BCM50 One named BCM_EM, with the port number 5989, and the IP address of the BCM50...
  • Page 75: Preventing Heavy Data Traffic From Impacting Telephone Calls

    Under VPN / Summary, create an entry for the IP telephone client tunnel. (Contivity Client, Active, Keep Alive). Fill in the IP address of the Contivity Client Server, and the name and password of the telephone set user account.
  • Page 76: Inter-Operability With Third-Party Routers

    Business Secure Router and a Cisco router, the following configuration rules should be followed: Ensure that the WAN IP of the BSR222/252 router and the Cisco router are not in the same subnet. Configure the connection to use DES Encryption and MD5 Authentication.
  • Page 77: Chapter 5 System Screens

    DNS server, you must identify that DNS server. You cannot use DNS servers on the LAN or from the ISP because these DNS servers cannot resolve domain names to private IP addresses on the remote private network.
  • Page 78: Configuring General Setup

    Figure 13 depicts an example where three VPN tunnels are created from Business Secure Router A; one to branch office 2, one to branch office 3, and another to headquarters (HQ). In order to access computers that use private domain names on the HQ network, the Business Secure Router at branch office 1 uses the Intranet DNS server in headquarters.
  • Page 79: Figure 14 System General Setup

    Label Description System Name Choose a descriptive name for identification purposes. Nortel recommends that you enter your computer name in this field. This name can be up to 30 alphanumeric characters long. Spaces, dashes (-) and underscores (_) are accepted.
  • Page 80 Table 8 System general setup Label Description System DNS Servers (if applicable): DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.
  • Page 81: Dynamic Dns

    Note: If you have a private WAN IP address, you cannot use Dynamic DNS. To change your Business Secure Router’s DDNS, click SYSTEM, then the DDNS tab. The screen illustrated in Figure 15 appears.
  • Page 82: Figure 15 Ddns

    Figure 15 DDNS Table 9 describes the fields in Figure Table 9 DDNS Label Description Active Select this check box to use dynamic DNS. Service Provider Select the name of your Dynamic DNS service provider. DDNS Type Select the type of service that you are registered for from your Dynamic DNS service provider.
  • Page 83: Configuring Password

    To change the password of your Business Secure Router (recommended), click SYSTEM, then the Password tab. The screen illustrated in Figure 16 appears. In this screen, you can change the password of the Business Secure Router.
  • Page 84: Figure 16 Password

    Figure 16 Password Table 10 describes the fields in Figure Table 10 Password Label Description Administrator Setting The administrator can access and configure all of the Business Secure Router's features. Old Password Type your existing system administrator password (PlsChgMe! is the default password).
  • Page 85: Predefined Ntp Time Server List

    The Business Secure Router can use this predefined list of time servers regardless of the Time Protocol you select.
  • Page 86: Configuring Time And Date

    When the Business Secure Router uses the predefined list of NTP time servers, it randomly selects one server and tries to synchronize with it. If the synchronization fails, then the Business Secure Router goes through the rest of the list in order from the first one tried until either it is successful or all the predefined NTP time servers have been tried.
  • Page 87: Figure 17 Time And Date

    Figure 17 Time and Date
  • Page 88: Table 12 Time And Date

    Table 12 describes the fields in Figure Table 12 Time and Date Label Description Current Time and Date Current Time This field displays the time on your Business Secure Router. Each time you reload this page, the Business Secure Router synchronizes the time with the time server.
  • Page 89 GMT or UTC (GMT+1). Apply Click Apply to save your changes to the Business Secure Router. Reset Click Reset to begin configuring this screen afresh.
  • Page 90: Alg

    With Application Layer Gateway (ALG), applications can pass through NAT and the firewall. You must also configure NAT and firewall rules depending upon the type of access you want to allow. Note: You must enable the FTP, H.323 or SIP ALG in order to use bandwidth management on that application.
  • Page 91: Table 13 Alg

    ALG with a SIP device that is using STUN (Simple Traversal of User Datagram Protocol (UDP) through NAT). Apply Click Apply to save your changes to the Business Secure Router. Reset Click Reset to begin configuring this screen afresh.
  • Page 93: Lan Screens

    The Business Secure Router is preconfigured with a pool of IP addresses for the DHCP clients (DHCP Pool). Do not assign static IP addresses from the DHCP pool to your LAN computers.
  • Page 94: Dns Servers

    DNS servers Use the LAN IP screen to configure the DNS server information that the Business Secure Router sends to the DHCP client devices on the LAN. LAN TCP/IP The Business Secure Router has built in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.
  • Page 95: Multicast

    Secure Router periodically updates this information. IP multicasting can be enabled or disabled on the Business Secure Router LAN, WAN or both interfaces in the WebGUI (LAN; WAN). Select None to disable IP multicasting on these interfaces.
  • Page 96: Configuring Ip

    Configuring IP Click LAN to open the IP screen. Figure 19 LAN IP
  • Page 97: Table 14 Lan Ip

    DHCP Server check box. When you clear the DHCP Server check box, DHCP service is disabled and you must have another DHCP server on your LAN, or else the computers must have their DNS server addresses manually configured.
  • Page 98 Table 14 LAN IP Label Description First DNS Server, Second DNS Server, Third DNS Server: Select From ISP if your ISP dynamically assigns DNS server information (and the Business Secure Router's WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns.
  • Page 99 LAN field in the WAN IP screen. Enabling one automatically enables the other. Apply Click Apply to save your changes to the Business Secure Router. Reset Click Reset to begin configuring this screen afresh.
  • Page 100: Configuring Static Dhcp

    Configuring Static DHCP With Static DHCP, you can assign IP addresses on the LAN to specific individual computers based on their MAC Addresses. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
  • Page 101: Configuring Ip Alias

    Note: Make sure that the subnets of the logical networks do not overlap. To change the IP Alias settings of your Business Secure Router, click LAN, then the IP Alias tab. The screen appears as shown in Figure
  • Page 102: Figure 21 Ip Alias

    Figure 21 IP Alias Table 16 describes the fields in Figure Table 16 IP Alias Label Description IP Alias 1,2 Select the check box to configure another LAN network for the Business Secure Router. IP Address Enter the IP address of your Business Secure Router in dotted decimal notation.
  • Page 103 By default, RIP direction is set to Both and the Version set to RIP-1. Apply Click Apply to save your changes to the Business Secure Router. Reset Click Reset to begin configuring this screen afresh.
  • Page 105: Wan Screens

    If the WAN port route fails to connect to the Internet, the Business Secure Router tries the traffic redirect route next. In the same manner, the Business Secure Router uses the dial backup route if the traffic redirect route also fails.
  • Page 106: Configuring Route

    The dial backup or traffic redirect routes cannot take priority over the WAN routes. Configuring Route Click WAN to open the Route screen. Figure 22 WAN: Route Table 17 describes the fields in Figure Table 17 WAN: Route Label Description...
  • Page 107: Configuring Wan Isp

    To change your Business Secure Router’s WAN ISP settings, click WAN, then the WAN ISP tab. The screen differs by the encapsulation Ethernet Encapsulation The screen shown in Figure 23 is for Ethernet encapsulation. Figure 23 Ethernet Encapsulation
  • Page 108: Pppoe Encapsulation

    Table 18 describes the fields in Figure Table 18 Ethernet Encapsulation Label Description Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Service Type Choose from Standard, Telstra (Road Runner Telstra authentication method), RR-Manager (Road Runner Manager authentication method) or RR-Toshiba (Road Runner Toshiba authentication method).
  • Page 109: Figure 24 Pppoe Encapsulation

    Business Secure Router does that part of the task. Furthermore, with NAT, all of the computers on the LAN have access. The screen shown in Figure 24 is for PPPoE encapsulation. Figure 24 PPPoE Encapsulation
  • Page 110: Pptp Encapsulation

    Table 19 describes the fields in Figure Table 19 PPPoE Encapsulation Label Description Encapsulation The PPPoE choice is for a dial-up connection using PPPoE. The router supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (for example, DSL, cable, or wireless) connection.
  • Page 111: Figure 25 Pptp Encapsulation

    To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. User Name Type the username given to you by your ISP.
  • Page 112: Service Type

    Table 20 PPTP Encapsulation Label Description Password Type the password associated with the username. Nailed up Connection Select Nailed Up Connection if you do not want the connection to time out. Idle Timeout This value specifies the time, in seconds, that elapses before the Business Secure Router automatically disconnects from the PPTP server.
  • Page 113: Figure 26 Rr Service Type

    If it does not, you must enter the authentication server IP address. Apply Click Apply to save your changes to the Business Secure Router. Reset Click Reset to begin configuring this screen afresh.
  • Page 114: Configuring Wan Ip

    Configuring WAN IP To change the WAN IP settings of your Business Secure Router, click WAN, then the WAN IP tab. This screen varies according to the type of encapsulation you select. If your ISP did not assign you a fixed IP address, click Get automatically from ISP (Default);...
  • Page 115: Figure 27 Wan: Ip

    Figure 27 WAN: IP
  • Page 116: Table 22 Wan: Ip

    Table 22 describes the fields in this Figure Table 22 WAN: IP Label Description Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection. Use fixed IP Select this option if your ISP assigned a fixed IP address.
  • Page 117 (NetBIOS over TCP/IP): Basic Input/Output System) are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. For some dial-up services, such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.
  • Page 118: Configuring Wan Mac

    Table 22 WAN: IP
    Label | Description
    Allow between WAN and LAN | Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you must also enable the default WAN to LAN firewall rule that forwards NetBIOS traffic.
  • Page 119: Traffic Redirect

    30) and the backup gateway in another subnet (Subnet 2). Configure a LAN to LAN/Business Secure Router firewall rule that forwards packets from the protected LAN (Subnet 1) to the backup gateway (Subnet 2).
  • Page 120: Configuring Traffic Redirect

    Figure 30 Traffic Redirect LAN Setup
    Configuring Traffic Redirect
    To change your Business Secure Router’s Traffic Redirect settings, click WAN, then the Traffic Redirect tab. The screen appears as shown in Figure
  • Page 121: Figure 31 Traffic Redirect

    1 for directly connected networks. The number must be between 1 and 15. A number greater than 15 means the link is down. The smaller the number, the lower the cost.
  • Page 122: Configuring Dial Backup

    Table 23 Traffic Redirect
    Label | Description
    Check WAN IP Address | Configuration of this field is optional. If you do not enter an IP address here, the Business Secure Router uses the default gateway IP address. Configure this field to test your Business Secure Router's WAN accessibility.
  • Page 123: Figure 32 Dial Backup Setup

    Figure 32 Dial Backup Setup
  • Page 124: Table 24 Dial Backup Setup

    Table 24 describes the fields in Figure
    Table 24 Dial Backup Setup
    Label | Description
    Enable Dial Backup | Select this check box to turn on dial backup.
    Basic Settings
    Login Name | Type the logon name assigned by your ISP.
    Password | Type the password assigned by your ISP.
  • Page 125 RIP multicast address and so do not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also.
  • Page 126 Table 24 Dial Backup Setup
    Label | Description
    RIP Direction | RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, In Only or Out Only.
  • Page 127: Advanced Modem Setup

    The response strings tell the Business Secure Router the tags, or labels, immediately preceding the various call parameters sent from the WAN device. The response strings have not been standardized; consult the documentation of your WAN device to find the correct tags.
  • Page 128: Configuring Advanced Modem Setup

    Configuring Advanced Modem Setup
    Click the Edit button in the Dial Backup screen to display the Advanced Setup screen shown in Figure
    Note: Consult the manual of your WAN device connected to your dial backup port for specific AT commands.
    Figure 33 Advanced Setup
  • Page 129: Table 25 Advanced Setup

    Call Back Delay (sec) | Type a number of seconds for the Business Secure Router to wait between dropping a callback request call and dialing the corresponding callback call.
  • Page 130 Table 25 Advanced Setup
    Label | Description | Example
    Apply | Click Apply to save your changes to the Business Secure Router.
    Reset | Click Reset to begin configuring this screen afresh.
  • Page 131: Network Address Translation (Nat) Screens

    For example, the local address refers to the IP address of a host when the packet is in the local network, while the global address refers to the IP address of the host when the same packet is traveling in the WAN side.
  • Page 132: What Nat Does

    Note that inside/outside refers to the location of a host, while global/local refers to the IP address of a host used in a packet. Thus, an inside local address (ILA) is the IP address of an inside host in a packet when the packet is still in the local network, while an inside global address (IGA) is the IP address of the same inside host when the packet is on the WAN side.
  • Page 133: How Nat Works

    IP address and port. A host on the Internet can only send a packet to the private IP address and port if the private IP address and port has previously sent a packet to that host’s IP address and port.
  • Page 134: Nat Application

    Figure 35, B can send packets, with source IP address e.f.g.h and port 20202 to A because A previously sent a packet to IP address e.f.g.h and port 20202. B cannot send packets, with source IP address e.f.g.h and port 10101 to A because A has not sent a packet to IP address e.f.g.h and port 10101.
  • Page 135: Nat Mapping Types

    Server: With this type you can specify inside servers of different services behind the NAT to be accessible to the outside world. Port numbers do not change for One-to-One and Many-One-to-One NAT mapping types.
  • Page 136: Using Nat

    Table 27 summarizes these types.
    Table 27 NAT mapping type
    Type | IP Mapping | SMT Abbreviations
    One-to-One | ILA1 IGA1 |
    Many-to-One (SUA/PAT) | ILA1 IGA1; ILA2 IGA1; … |
    Many-to-Many Overload | ILA1 IGA1; ILA2 IGA2; ILA3 IGA1... | M-M Ov
  • Page 137: Sua Server

    Note: If you do not assign a Default Server IP Address, the Business Secure Router discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 138: Port Forwarding: Services And Port Numbers

    Port forwarding: Services and Port Numbers
    The most often used port numbers are shown in Table 28. Refer to Assigned Numbers (RFC 1700) for further information about port numbers. Refer to the Supporting CD for more examples and details on SUA/NAT.
  • Page 139: Configuring Sua Server

    Click SUA/NAT to open the SUA Server screen. Refer to Chapter 10, “Firewalls,” on page 155 and Chapter 11, “Firewall screens,” on page 171 for port numbers commonly used for particular services.
  • Page 140: Figure 38 Sua/Nat Setup

    Figure 38 SUA/NAT setup
    Table 29 describes the fields in Figure
    Table 29 SUA/NAT setup
    Label | Description
    Default Server | In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen.
  • Page 141: Configuring Address Mapping

    4, rules 5 to 7 are pushed up by 1 rule, so old rules 5, 6, and 7 become new rules 4, 5, and 6. To change your Business Secure Router’s Address Mapping settings, click SUA/NAT, then the Address Mapping tab. The screen appears as shown in Figure
  • Page 142: Figure 39 Address Mapping

    Figure 39 Address Mapping
    Table 30 describes the fields in Figure
    Table 30 Address Mapping
    Label | Description
    Local Start IP | This refers to the Inside Local Address (ILA), that is the starting local IP address.
  • Page 143 Click Insert to insert a new mapping rule before an existing one.
    Configuring Address Mapping
    To edit an Address Mapping rule, click the Edit button to display the screen shown in Figure
  • Page 144: Figure 40 Address Mapping Edit

    Figure 40 Address Mapping edit
    Table 31 describes the fields in Figure
    Table 31 Address Mapping edit
    Label | Description
    Type | Choose the port mapping type from one of the following. 1. One-to-One: One-to-one mode maps one local IP address to one global IP address.
  • Page 145: Trigger Port Forwarding

    This way, you do not need to configure a new IP address each time you want a different LAN computer to use the application.
    Trigger Port Forwarding example
    Figure 41 illustrates an example of trigger port forwarding.
  • Page 146: Two Points To Remember About Trigger Ports

    Figure 41 Trigger Port Forwarding process: example
    Jane (A) requests a file from the Real Audio server (port 7070). Port 7070 is a trigger port and causes the Business Secure Router to record Jane’s computer IP address.
  • Page 147: Configuring Trigger Port Forwarding

    To change trigger port settings of your Business Secure Router, click SUA/NAT and the Trigger Port tab. The screen appears as shown in Figure
    Note: Only one LAN computer can use a trigger port (range) at a time.
    Figure 42 Trigger Port
  • Page 148: Table 32 Trigger Port

    Table 32 describes the fields in Figure
    Table 32 Trigger Port
    Label | Description
    | This is the rule index number (read-only).
    Name | Type a unique name (up to 15 characters) for identification purposes. All characters are permitted, including spaces.
  • Page 149: Static Route Screens

    N3 because it does not know that there is a route through the same remote node Router 1 (via gateway Router 2). The static routes are for you to tell the Business Secure Router about the networks beyond the remote nodes.
  • Page 150: Configuring Ip Static Route

    Figure 43 Example of Static Routing topology
    Configuring IP Static Route
    Click STATIC ROUTE to open the Route Entry screen.
    Note: The first static route entry is for the default WAN route. You cannot modify or delete this static default route.
  • Page 151: Figure 44 Static Route Screen

    Router’s LAN or WAN port. The gateway helps forward packets to their destinations.
    Edit | Click a static route index number and then click Edit to set up a static route on the Business Secure Router.
  • Page 152: Configuring Route Entry

    Configuring Route entry
    Select a static route index number and click Edit. The screen is illustrated in Figure 45. Fill in the required information for each static route.
    Figure 45 Edit IP Static Route
    Table 34 describes the fields in Figure...
  • Page 153 RIP broadcasts. Clear this check box to propagate this route to other hosts through RIP broadcasts.
    Apply | Click Apply to save your changes to the Business Secure Router.
    Reset | Click Reset to begin configuring this screen afresh.
  • Page 155: Firewalls

    In addition, specific policies must be implemented within the firewall itself.
    Types of firewalls
    There are three main types of firewalls:
    • Packet Filtering firewalls
    • Application level firewalls
    • Stateful Inspection firewalls
  • Page 156: Packet Filtering Firewalls

    Packet Filtering firewalls
    Packet filtering firewalls restrict access based on the source or destination computer network address of a packet and the type of application.
    Application level firewalls
    Application level firewalls restrict access by serving as proxies for external servers.
  • Page 157: Introduction To The Business Secure Router Firewall

    These computers have access to Internet services such as e-mail, FTP, and the World Wide Web. However, inbound access is not allowed unless the remote host is authorized to use a specific service.
  • Page 158: Denial Of Service

    Figure 46 Business Secure Router firewall application
    Denial of Service
    Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
  • Page 159: Types Of Dos Attacks

    400 of the original (non fragmented) IP packet.” The Teardrop program creates a series of IP fragments with overlapping offset fields. After these fragments are reassembled at the destination, some systems crash, hang, or reboot.
  • Page 160: Figure 47 Three-Way Handshake

    Weaknesses in the TCP/IP specification leave it open to SYN Flood and LAND attacks. These attacks are executed during the handshake that initiates a communication session between two applications.
    Figure 47 Three-way handshake
    Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server.
  • Page 161: Figure 48 Syn Flood

    IP address, known as the victim network. This flood of broadcast traffic consumes all available bandwidth, making communications impossible.
  • Page 162: Figure 49 Smurf Attack

    Figure 49 Smurf attack
    • ICMP vulnerability
    ICMP is an error reporting protocol that works in concert with IP. The following ICMP types trigger an alert:
    Table 35 ICMP commands that trigger alerts
    REDIRECT
    TIMESTAMP_REQUEST
    TIMESTAMP_REPLY
    ADDRESS_MASK_REQUEST
    ADDRESS_MASK_REPLY
    •...
  • Page 163: Stateful Inspection

    Internet. By default, the Business Secure Router’s stateful inspection allows all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet.
  • Page 164: Stateful Inspection Process

    In summary, stateful inspection:
    • Allows all sessions originating from the LAN (local network) to the WAN (Internet).
    • Denies all sessions originating from the WAN to the LAN.
    Figure 50 Stateful inspection
    Figure 50 shows the Business Secure Router’s default firewall rules in action, and demonstrates how stateful inspection works.
  • Page 165: Stateful Inspection And The Business Secure Router

    • Block all traffic of a certain type, such as IRC (Internet Relay Chat), from the LAN to the Internet.
    • Allow certain types of traffic from the Internet to specific hosts on the LAN.
    • Allow access to a Web server to everyone but competitors.
  • Page 166: Tcp Security

    • Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
    These custom rules work by evaluating the network traffic’s Source IP address, Destination IP address, IP protocol type, and comparing these to rules set by the administrator.
  • Page 167: Udp/Icmp Security

    Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections simultaneously. In general terms, they usually have a control connection, which is used for sending commands between endpoints, and then data connections, which are used for transmitting bulk information.
  • Page 168: Guidelines For Enhancing Security With Your Firewall

    Consider the FTP protocol. A user on the LAN opens a control connection to a server on the Internet and requests a file. At this point, the remote server opens a data connection from the Internet. For FTP to work properly, this connection must be allowed to pass through even though a connection from the Internet is normally rejected.
  • Page 169: Packet Filtering Vs. Firewall

    Conversely, an incoming packet masquerading as a response to a nonexistent outbound request can be blocked.
  • Page 170: When To Use The Firewall

    • The firewall uses session filtering, or smart rules, that enhance the filtering process and control the network session rather than control individual packets in a session.
    • The firewall provides e-mail service to notify you of routine reports and when alerts occur.
  • Page 171: Chapter 11 Firewall Screens

    Access methods
    The WebGUI is, by far, the most comprehensive firewall configuration tool your Business Secure Router has to offer. For this reason, Nortel recommends that you configure your firewall using the WebGUI. With SMT screens, you can activate the firewall. CLI commands provide limited configuration options and are only recommended for advanced users; refer to Nortel Business Secure Router 222 Configuration —...
  • Page 172 By default, the Business Secure Router’s stateful packet inspection blocks packets traveling in the following directions:
    • WAN to LAN
    • WAN to WAN/Business Secure Router
    This prevents computers on the WAN from using the Business Secure Router as a gateway to communicate with other computers on the WAN, or to manage the Business Secure Router, or both.
  • Page 173: Rule Logic Overview

    For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users can connect to computers with running FTP servers.
    Does this rule conflict with any existing rules?
  • Page 174: Key Fields For Configuring Rules

    Once these questions have been answered, adding rules is simply a matter of plugging the information into the correct fields in the WebGUI screens.
    Key fields for configuring rules
    Action
    Set the action to either Block or Forward.
    Note: Block means the firewall silently discards the packet.
  • Page 175: Lan To Wan Rules

    The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you want to allow certain WAN users to have access to your LAN, you need to create custom rules to allow it.
  • Page 176: Configuring Firewall

    Figure 52 WAN to LAN traffic
    Configuring firewall
    Click FIREWALL to open the Summary screen. Enable (or activate) the firewall by selecting the Enable Firewall check box as seen in Figure
    The Business Secure Router applies the firewall rules in order, starting from the first rule for a packet’s direction of travel.
  • Page 177 A better solution is to use IP alias to put the Business Secure Router and the backup gateway on separate subnets. See the Appendix B “Triangle Route” of Nortel Business Secure Router 222 Configuration — Advanced (NN47922-501) for more about triangle route topology.
  • Page 178: Figure 53 Enabling The Firewall

    Figure 53 Enabling the firewall
    Table 38 describes the fields in Figure
    Table 38 Firewall rules summary: First screen
    Label | Description
    Enable Firewall | Select this check box to activate the firewall. The Business Secure Router performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
  • Page 179 (Match), don't match the rule (Not Match), both (Both), or no log is created (None).
    Alert | This field tells you whether this rule generates an alert (Yes) or not (No) when the rule is matched.
  • Page 180: Configuring Firewall Rules

    Table 38 Firewall rules summary: First screen
    Label | Description
    Insert | Type the index number for where you want to put a rule. For example, if you type “6”, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
  • Page 181: Figure 54 Creating And Editing A Firewall Rule

    Secure Router to use the rule after you apply it.
    Packet Direction | Use the drop-down list to select the direction of packet travel to which you want to apply this firewall rule.
  • Page 182 Table 39 Creating and editing a firewall rule
    Label | Description
    Source Address | Click SrcAdd to add a new address, SrcEdit to edit an existing one or SrcDelete to delete one. The source address can be a particular (single) IP, a range of IP addresses (for example, 192.168.1.10 to 192.169.1.50), a subnet or any IP address.
  • Page 183: Configuring Source And Destination Addresses

    Enter the subnet mask here, if applicable.
    Apply | Click Apply to save your changes to the Business Secure Router and exit this screen.
    Cancel | Click Cancel to exit this screen without saving.
  • Page 184: Configuring Custom Ports

    Configuring custom ports
    You can also configure customized ports for services not predefined by the Business Secure Router (see “Predefined services” on page 188 for a list of predefined services). For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) Web site.
  • Page 185: Example Firewall Rule

    Click Insert to display the firewall rule configuration screen.
    Figure 57 Firewall edit rule screen example
    Select WAN to LAN as the Packet Direction. Select Any in the Destination Address box and then click DestEdit.
  • Page 186: Figure 58 Firewall Rule Edit Ip Example

    Configure the Firewall Rule Edit IP screen as follows and click Apply.
    Figure 58 Firewall rule edit IP example
    In the firewall rule configuration screen, click Add under Custom Port to open the Edit Custom Port screen. Configure it as shown in Figure 59 and click Apply.
  • Page 187: Figure 60 Myservice Rule Configuration Example

    Allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN. Remember to click Apply after you finish configuring your rules to save your settings to the Business Secure Router.
  • Page 188: Predefined Services

    Figure 61 My Service example rule summary
    Predefined services
    The Available Services list box in the Edit Rule screen (see Figure 54) displays all predefined services that the Business Secure Router already supports. Next to the name of the service, two fields appear in brackets.
  • Page 189: Table 42 Predefined Services

    This is another popular Internet chat program.
    MSN Messenger(TCP:1863) | Microsoft Networks’ messenger service uses this protocol.
    MULTICAST(IGMP:0) | Internet Group Multicast Protocol is used when sending packets to a specific group of hosts.
  • Page 190 Table 42 Predefined services
    Service | Description
    NEW-ICQ(TCP:5190) | An Internet chat program.
    NEWS(TCP:144) | A protocol for news groups.
    NFS(UDP:2049) | Network File System (NFS) is a client/server distributed file service that provides transparent file sharing for network environments.
    NNTP(TCP:119) | Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service.
  • Page 191: Alerts

    Rule Edit screen (see Figure
    Configure the Log Settings screen to have the Business Secure Router send an immediate e-mail message to you when an event generates an alert.
  • Page 192: Configuring Attack Alert

    Configuring attack alert
    Attack alerts are the first defense against DoS attacks. In the Attack Alert screen (Figure 62) you can choose to generate an alert whenever an attack is detected. For DoS attacks, the Business Secure Router uses thresholds to determine when to drop sessions that do not become fully established.
  • Page 193: Tcp Maximum Incomplete And Blocking Period

    The Business Secure Router continues to block all new connection requests until the Blocking Period expires.
  • Page 194: Figure 62 Attack Alert

    The Business Secure Router also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections. Click the Attack Alert tab to bring up the screen shown in Figure
    Figure 62 Attack alert...
  • Page 195 (min) | Enter the length of Blocking Period in minutes.
    Apply | Click Apply to save your changes to the Business Secure Router.
    Reset | Click Reset to begin configuring this screen afresh.
  • Page 197: Chapter 12 Content Filtering

    Java applets, and cookies and disable web proxies.
    Days and Times
    With the Business Secure Router, you can also define time periods and days during which the Business Secure Router performs content filtering.
  • Page 198: Configure Content Filtering

    Configure Content Filtering
    Click Content Filter on the navigation panel to open the screen shown in Figure
    Figure 63 Content filter
  • Page 199: Table 44 Content Filter

    Select check boxes for the days that you want the Business Secure Router to perform content filtering. Select the Everyday check box to have content filtering turned on all days of the week.
  • Page 200 Table 44 Content filter
    Label | Description
    Time of Day to Block | Time of Day to Block allows the administrator to define during which time periods content filtering is enabled. Time of Day to Block restrictions only apply to the keywords (see above). Restrict web server data, such as ActiveX, Java, Cookies and Web Proxy are not affected.
  • Page 201: Vpn

    IP layer.
    Nortel Business Secure Router 222 VPN functions
    You can use the Business Secure Router as either:
    • A Contivity Client (for an encrypted connection to a single VPN router).
  • Page 202: Vpn Screens Overview

    As a VPN router that can have encrypted connections to multiple remote VPN routers. With this role, it can also serve as a termination point for encrypted connections from computers using Nortel’s Contivity VPN Client 3.0, 5.01, 5.11, 6.01, 6.02, or 7.01 software.
  • Page 203: Other Terminology

    This screen lists all of your VPN rules.
    Contivity Client Rule Setup | Use these screens to configure simple VPN rules that have the Nortel Business Secure Router 222 operate as a VPN client.
    Branch Office | Use these screens to manually configure VPN rules...
  • Page 204: Data Confidentiality

    Data confidentiality
    The IPSec sender can encrypt packets before transmitting them across a network.
    Data integrity
    The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data is not altered during transmission.
    Data origin authentication
    The IPSec receiver can verify the source of IPSec packets.
  • Page 205: Ipsec Algorithms

    (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard), AES (Advanced Encryption Standard), and Triple DES algorithms.
  • Page 206: Ah (Authentication Header) Protocol

    The Authentication Algorithms, HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404), provide an authentication mechanism for the AH and ESP protocols. The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN. An SA is built from the authentication provided by the AH and ESP protocols.
  • Page 207: Key Management

    Select MD5 for minimal security and SHA-1 for maximum security.
    Key management
    Your Business Secure Router uses IKE (ISAKMP) key management in order to set up a VPN.
  • Page 208: Encapsulation

    Encapsulation
    The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode.
    Figure 66 Transport and Tunnel mode IPSec encapsulation
    Transport mode
    Transport mode is used to protect upper layer protocols and only affects the data in the IP packet.
  • Page 209: Ipsec And Nat

    (in this case, the entire original packet) are encrypted. The encrypted contents, but not the new headers, are signed with a hash value appended to the packet.
  • Page 210: Secure Gateway Address

    Tunnel mode ESP with authentication is compatible with NAT because integrity checks are performed over the combination of the original header plus original payload, which is unchanged by a NAT device. Transport mode ESP with authentication is not compatible with NAT, although NAT traversal provides a way to use Transport mode ESP when there is a NAT router between the IPSec endpoints (see “NAT Traversal”...
  • Page 211: Dynamic Secure Gateway Address

    (tunnels). Edit or create an IPSec rule by selecting an index number and then clicking Edit to configure the associated submenus. The firewall allows traffic to go through your VPN tunnels.
  • Page 212: Figure 68 Summary

    Figure 68 Summary IP Policies
  • Page 213: Table 49 Summary

    Gateway Address | This is the static WAN IP address or URL of the remote VPN switch. This field displays 0.0.0.0 when you configure the Secure Gateway Address field in the VPN Branch Office screen to 0.0.0.0.
  • Page 214: Keep Alive

    Table 49 Summary
    Label | Description
    Edit | Click the radio button next to a VPN index number and then click Edit to edit a specific VPN policy.
    Delete | Click the radio button next to a VPN policy number you want to delete and then click Delete.
  • Page 215: Nat Traversal

    NAT Traversal
    NAT traversal allows you to set up a VPN connection when there are NAT routers between the Nortel Business Secure Router 222 and the remote VPN switch.
    Figure 69 NAT router between VPN switches
    Normally, you cannot set up a VPN connection with a NAT router between the two VPN switches because the NAT router changes the header of the IPSec packet.
  • Page 216: Nat Traversal Configuration

    NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP port 500 header unchanged. VPN switch B checks the UDP port 500 header and responds. VPN switches A and B build a VPN connection.
  • Page 217: Figure 70 Vpn Contivity Client Rule Setup

    Connection Type Select Branch Office to manually configure a VPN rule. This has the Nortel Business Secure Router 222 operate as a VPN router. Select Contivity Client to use a simple VPN rule that lets you define and store connection information for accessing your corporate network through a VPN switch.
  • Page 218: Configuring Advanced Setup

    Table 50 VPN Contivity Client rule setup Label Description Destination This field specifies the IP address or the domain name (up to 31 case-sensitive characters) of the remote VPN switch. You can use alphanumeric characters, the underscore, dash, period and the @ symbol in a domain name.
  • Page 219: Table 51 Vpn Contivity Client Advanced Rule Setup

    Click Cancel to return to the VPN Contivity Client Rule Setup screen without saving your changes. Note: Click Apply in the VPN - Contivity Client screen to save the Group Authentication settings.
  • Page 220: Id Type And Content

    ID Type and content With aggressive negotiation mode (see “Negotiation Mode” on page 239 for more information), the Business Secure Router identifies incoming SAs by ID type and content since this identifying information is not encrypted, so that it can distinguish between multiple rules for SAs that connect from remote VPN switches that have dynamic WAN IP addresses.
  • Page 221: Id Type And Content Examples

    Local ID type: E-mail | Local ID type: IP; Local ID content: tom@yourcompany.com | Local ID content: 1.1.1.2; Peer ID type: IP | Peer ID type: E-mail; Peer ID content: 1.1.1.2 | Peer ID content: tom@yourcompany.com
  • Page 222: My Ip Address

    The two Business Secure Routers shown in Table 55 cannot complete their negotiation because Business Secure Router B’s Local ID type is IP, but Business Secure Router A’s Peer ID type is set to E-mail. An “ID mismatched” message displays in the IPSEC LOG.
  • Page 223: Figure 72 Vpn Branch Office Rule Setup

    Figure 72 VPN Branch Office rule setup
  • Page 224: Table 56 Vpn Branch Office Rule Setup

    Table 56 describes the fields in Figure Table 56 VPN Branch Office rule setup Label Description Connection Type Select Branch Office to manually configure a VPN rule. Select Contivity Client to use a simple VPN rule that lets you define and store connection information for accessing your corporate network through a VPN switch.
  • Page 225 This field displays the beginning and ending (static) IP addresses of a range of computers when the IP policy's Branch Tunnel NAT Address Mapping Rule Type field is configured to Many-to-One or Many One-to-one in the IP Policy screen.
  • Page 226 Table 56 VPN Branch Office rule setup Label Description Local IP Address This field displays the IP address (or range of IP addresses) of the computers on your Business Secure Router's local network, for which you have configured this IP policy. This field displays the IP policy's virtual IP address (or range of addresses) when you enable branch tunnel NAT address mapping in the IP Policy screen.
  • Page 227 Both ends of the VPN tunnel must use the same preshared key. You see a “PYLD_MALFORMED” (payload malformed) log if the same preshared key is not used on both ends. Retype to Confirm Type your preshared key again in this field.
  • Page 228 Table 56 VPN Branch Office rule setup Label Description Certificate Use the drop-down list to select the certificate to use for this VPN tunnel. You must have certificates already configured in the My Certificates screen. Click My Certificates to go to the My Certificates screen, where you can view the Business Secure Router's list of certificates.
  • Page 229 If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field and the LAN’s full IP address range as the local IP address, then you cannot configure any other active rules with the Secure Gateway Address field set to 0.0.0.0.
  • Page 230 Table 56 VPN Branch Office rule setup Label Description Select ESP if you want to use ESP (Encapsulation Security Payload). The ESP protocol (RFC 2406) provides encryption as well as the services offered by AH. If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described next).
  • Page 231: Configuring An Ip Policy

    Select one of the IP policies in the VPN Branch Office screen and click Add or Edit to configure the policy’s settings. The Branch Office – IP Policy setup screen is shown in Figure Figure 73 VPN Branch Office — IP Policy
  • Page 232: Table 57 Vpn Branch Office - Ip Policy

    Table 57 describes the fields in Figure Table 57 VPN Branch Office — IP Policy Label Description Protocol Enter a number to specify what type of traffic is allowed to go through the VPN tunnel that is built using this IP policy. Use 1 for ICMP, 6 for TCP, 17 for UDP, and so on.
  • Page 233 VPN tunnel. When the Type field is configured to Many One-to-one, enter the beginning (static) IP address of the range of IP addresses that you want to use for the VPN tunnel.
  • Page 234 Table 57 VPN Branch Office — IP Policy Label Description Virtual Ending IP Address When the Type field is configured to One-to-one or Many-to-One, this field is N/A. When the Type field is configured to Many One-to-one, enter the ending (static) IP address of the range of IP addresses that you want to use for the VPN tunnel.
  • Page 235 LAN behind your Business Secure Router. When the Address Type field is configured to Subnet Address, this is a (static) IP address on the LAN behind your Business Secure Router.
  • Page 236: Port Forwarding Server

    Table 57 VPN Branch Office — IP Policy Label Description Ending IP Address / Subnet Mask When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address, in a range of computers on the LAN behind your Business Secure Router.
  • Page 237: Figure 74 Vpn Branch Office - Ip Policy - Port Forwarding Server

    Number of an individual port forwarding server entry. Active Select this check box to activate the port forwarding server entry. Name Enter a descriptive name for identifying purposes.
  • Page 238: Ike Phases

    Table 58 VPN Branch Office — IP Policy - Port Forwarding Server Label Description Start Port Type a port number in this field. To forward only one port, type the port number again in the End Port field.
  • Page 239: Negotiation Mode

    If an IPSec SA times out, the VPN switch must renegotiate the SA the next time someone attempts to send traffic. Negotiation Mode The phase 1 Negotiation Mode you select determines how the Security Association (SA) is established for each connection through IKE negotiations.
  • Page 240: Preshared Key

    Main Mode ensures the highest level of security when the communicating parties are negotiating authentication (phase 1). It uses 6 messages in three round trips: SA negotiation, Diffie-Hellman exchange, and an exchange of nonces (a nonce is a random number).
  • Page 241: Configuring Advanced Branch Office Setup

    The basic IKE rule setup screen displays. In the VPN Branch Office Rule Setup screen, click the Advanced button to display the VPN Branch Office Advanced Rule Setup screen. Figure 76 VPN Branch Office advanced rule setup
  • Page 242: Table 59 Vpn Branch Office Advanced Rule Setup

    Table 59 describes the fields in Figure Table 59 VPN Branch Office Advanced Rule Setup Label Description Enable Replay Detection As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks.
  • Page 243 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
  • Page 244: Sa Monitor

    Table 59 VPN Branch Office Advanced Rule Setup Label Description SA Life Time Define the length of time before an IKE SA automatically renegotiates in this field. It can range from 60 to 3 000 000 seconds (almost 35 days).
  • Page 245: Figure 77 Vpn Sa Monitor

    This field displays the IP address of the computer using the VPN IPSec feature of your Business Secure Router. Remote IP Address This field displays IP address (in a range) of computers on the remote network behind the remote VPN switch.
  • Page 246: Global Settings

    Table 60 VPN SA Monitor Label Description Encapsulation This field displays Tunnel or Transport mode. IPSec Algorithm This field displays the security protocols used for an SA. Both AH and ESP increase Business Secure Router processing requirements and communications latency (delay).
  • Page 247: Figure 78 Vpn Global Setting

    MAC address that you specify to set up a VPN connection to the remote VPN switch. MAC Address Allowed Enter the MAC address of the computer you want to allow to use the VPN tunnel.
  • Page 248: Vpn Client Termination

    VPN Client Termination Use these screens to configure the Business Secure Router for VPN connections from computers using Nortel’s Contivity VPN Client software. In the WebGUI, click VPN on the navigation panel and the Client Termination tab to open the...
  • Page 249: Figure 79 Vpn Client Termination

    Figure 79 VPN Client Termination
  • Page 250: Table 62 Vpn Client Termination

    Table 62 describes the fields in Figure Table 62 VPN Client Termination Label Description Enable Client Termination Turn on the client termination feature if you want the Business Secure Router to support VPN connections from computers using Contivity VPN Client software.
  • Page 251 Diffie-Hellman Group 5 uses a 1 536-bit random number. Assignment of Client Select Use Static Addresses if the Contivity VPN clients are using static IP addresses. You must specify these in the remote user profiles.
  • Page 252: Vpn Client Termination Ip Pool Summary

    Table 62 VPN Client Termination Label Description IP Address Pool Have the Business Secure Router assign IP addresses to the Contivity VPN clients from a pool of IP addresses that you define. Select the pool to use. Click Configure IP Address Pool to define the ranges of IP addresses that you can select from.
  • Page 253: Figure 80 Vpn Client Termination Ip Pool Summary

    Click the radio button next to an IP address pool entry and click Edit to open the screen where you can configure the entry’s settings. Delete Click the radio button next to an IP address pool entry and click Delete to remove it.
  • Page 254: Vpn Client Termination Ip Pool Edit

    VPN Client Termination IP pool edit In the WebGUI, click VPN on the navigation panel and the Client Termination tab to open the VPN Client Termination screen. Then click the Configure IP Address Pool link to open the VPN Client Termination IP Pool Summary screen.
  • Page 255: Vpn Client Termination Advanced

    VPN Client Termination screen. Then click the Advanced button to open the following screen. Use this screen to configure detailed settings for use with all of the Contivity VPN Client tunnels.
  • Page 256: Figure 82 Vpn Client Termination Advanced

    Figure 82 VPN Client Termination advanced
  • Page 257: Table 65 Vpn Client Termination Advanced

    This is how many times the VPN Contivity client can resend the keep-alive packet to the Business Secure Router to check the connection before attempting to use the first fail-over gateway.
  • Page 258 Table 65 VPN Client Termination advanced Label Description Accept ISAKMP Initial Contact Payload The Business Secure Router can accept the INITIAL-CONTACT status messages to inform it that the Contivity VPN client is establishing a first SA. The Business Secure Router then deletes the existing SAs because it assumes that the sending Contivity VPN client has restarted and no longer has access to any of the existing SAs.
  • Page 259 Length Enter the minimum number of characters that can be used for a Contivity VPN client password. Apply Click Apply to save your changes to the Business Secure Router. Reset Click Reset to begin configuring this screen afresh.
  • Page 261: Certificates

    Jenny receives the message and uses Tim’s public key to decrypt it. Additionally, Jenny uses her own private key to encrypt a message and Tim uses Jenny’s public key to decrypt the message.
  • Page 262: Advantages Of Certificates

    The Business Secure Router uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that is sent after establishing a connection. The method used to secure the data that is sent through an established connection depends on the type of connection.
  • Page 263: Configuration Summary

    My Certificates Click CERTIFICATES, My Certificates to open the Business Secure Router’s summary list of certificates and certification requests. Certificates display in black and certification requests display in gray, as shown in Figure
  • Page 264: Figure 84 My Certificates

    Figure 84 My Certificates
  • Page 265: Table 66 My Certificates

    This field displays the certificate index number. The certificates are listed in alphabetical order. Name This field displays the name used to identify this certificate. Nortel recommends that you give each certificate a unique name. Type This field displays what kind of certificate this is.
  • Page 266: Certificate File Formats

    Table 66 My Certificates Label Description Modify Click the details icon to open a screen with an in-depth list of information about the certificate. Click the delete icon to remove the certificate. A window displays, asking you to confirm that you want to delete the certificate. You cannot delete a certificate that one or more features are configured to use.
  • Page 267: Importing A Certificate

    Router. Note: 2. The certificate you import replaces the corresponding request in the My Certificates screen. Note: 3. You must remove any spaces from the certificate’s filename before you can import it.
  • Page 268: Figure 85 My Certificate Import

    Figure 85 My Certificate Import Table 67 describes the labels in Figure Table 67 My Certificate Import Label Description File Path Type in the location of the file you want to upload in this field or click Browse to find it.
  • Page 269: Creating A Certificate

    Certificate Create screen. Use this screen to have the Business Secure Router create a self-signed certificate, enroll a certificate with a certification authority, or generate a certification request. For more information, see Figure Figure 86 My Certificate create
  • Page 270: Table 68 My Certificate Create

    You do not have to fill in every field, although the Common Name is mandatory. The certification authority can add fields (such as a serial number) to the subject information when it issues a certificate. Nortel recommends that each certificate have unique subject information. Common Name Select a radio button to identify the certificate’s owner by IP address,...
  • Page 271 Number and the Key fields if your certification authority uses CMP enrollment protocol. Just fill in the Key field if your certification authority uses the SCEP enrollment protocol. Type the key that the certification authority gave you.
  • Page 272: My Certificate Details

    Table 68 My Certificate create Label Description Apply Click Apply to begin certificate or certification request generation. Cancel Click Cancel to quit and return to the My Certificates screen. After you click Apply in the My Certificate Create screen, you see a screen that tells you the Business Secure Router is generating the self-signed certificate or certification request.
  • Page 273: Figure 87 My Certificate Details

    Figure 87 My Certificate details
  • Page 274: Table 69 My Certificate Details

    Table 69 describes the labels in Figure Table 69 My Certificate details Label Description Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You can use any character (not including spaces).
  • Page 275 This is the certificate’s message digest that the Business Secure Router calculated using the MD5 algorithm. SHA1 Fingerprint This is the certificate’s message digest that the Business Secure Router calculated using the SHA1 algorithm.
  • Page 276: Trusted Cas

    Table 69 My Certificate details Label Description Certificate in PEM (Base-64) Encoded Format This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You can copy and paste a certification request into a certification authority’s Web page, an e-mail that you send to the certification authority or a text editor and save the file on a management computer...
  • Page 277: Figure 88 Trusted Cas

    This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) or C (Country). Nortel recommends that each certificate have unique subject information.
  • Page 278 Table 70 Trusted CAs Label Description Issuer This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization, or company and country. With self-signed certificates, this is the same information as in the Subject field.
  • Page 279: Importing A Trusted Ca's Certificate

    Type in the location of the file you want to upload in this field or click Browse to find it. Browse Click Browse to find the certificate file you want to upload.
  • Page 280: Trusted Ca Certificate Details

    Table 71 Trusted CA import Label Description Apply Click Apply to save the certificate on the Business Secure Router. Cancel Click Cancel to quit and return to the Trusted CAs screen. Trusted CA Certificate details Click CERTIFICATES, Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CA Details screen, shown in Figure 90.
  • Page 281: Figure 90 Trusted Ca Details

    Figure 90 Trusted CA details
  • Page 282: Table 72 Trusted Ca Details

    Table 72 describes the labels in Figure Table 72 Trusted CA details Label Description Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate.
  • Page 283 SHA1 Fingerprint This is the certificate’s message digest that the Business Secure Router calculated using the SHA1 algorithm. You can use this value to verify with the certification authority (over the phone, for example) that this is actually a valid certificate.
  • Page 284: Trusted Remote Hosts

    Table 72 Trusted CA details Label Description Certificate in PEM (Base-64) Encoded Format This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You can copy and paste the certificate into an e-mail to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later...
  • Page 285: Figure 91 Trusted Remote Hosts

    Router uses to sign the trusted remote host certificates. Certificate) This field displays the certificate index number. The certificates are listed in alphabetical order. Name This field displays the name used to identify this certificate.
  • Page 286: Verifying A Certificate Of A Trusted Remote Host

    Subject This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company), or C (Country). Nortel recommends that each certificate have unique subject information. Valid From This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
  • Page 287: Figure 92 Remote Host Certificates

    Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields. Figure 93 Certificate details Verify (over the phone, for example) that the remote host has the same information in the Thumbprint Algorithm and Thumbprint fields.
  • Page 288: Importing A Certificate Of A Trusted Remote Host

    Importing a certificate of a trusted remote host Click CERTIFICATES, Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen. Follow the instructions in this screen to save a trusted host’s certificate to the Business Secure Router, see Figure Note: The trusted remote host certificate must be a self-signed...
  • Page 289: Trusted Remote Host Certificate Details

    Hosts screen. Click the details icon to open the Trusted Remote Host Details screen. You can use this screen to view in-depth information about the trusted remote host’s certificate and change the certificate’s name.
  • Page 290: Figure 95 Trusted Remote Host Details

    Figure 95 Trusted remote host details
  • Page 291: Table 75 Trusted Remote Host Details

    Valid From This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
  • Page 292 Table 75 Trusted remote host details Label Description Valid To This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired. Key Algorithm This field displays the type of algorithm that was used to generate the certificate’s key pair (the Business Secure Router uses RSA...
  • Page 293: Directory Servers

    Distribution Points field of the incoming certificate. If the certificate does not list a server or the listed server is not available, the Business Secure Router checks the servers listed here. Figure 96 Directory servers
  • Page 294: Add Or Edit A Directory Server

    Table 76 describes the labels in Figure Table 76 Directory Servers Label Description PKI Storage Space in Use This bar displays the percentage of the Business Secure Router’s PKI storage space that is currently in use. The bar turns from green to red when the maximum is approached.
  • Page 295: Figure 97 Directory Server Add

    LDAP (Lightweight Directory Access Protocol) is a protocol over TCP that specifies how clients access directories of certificates and lists of revoked certificates. Server Address Type the IP address (in dotted decimal notation) or the domain name of the directory server.
  • Page 296 Table 77 Directory server add Label Description Server Port This field displays the default server port number of the protocol that you select in the Access Protocol field. You can change the server port number if needed, however, you must use the same server port number that the directory server uses.
  • Page 297: Chapter 15 Bandwidth Management

    For example, you can set the WAN interface speed to 1 024 kb/s (or less) if the broadband device connected to the WAN port has an upstream speed of 1 024 kb/s.
  • Page 298: Bandwidth Classes And Filters

    Bandwidth classes and filters Use bandwidth subclasses to allocate specific amounts of bandwidth capacity (bandwidth budgets). Configure a bandwidth filter to define a bandwidth subclass based on a specific application or subnet. Use the Class Setup tab (see “Bandwidth Manager Class Configuration”...
  • Page 299: Application And Subnet Based Bandwidth Management

    64 Kb/s 64 Kb/s Reserving bandwidth for nonbandwidth class traffic If you want to allow bandwidth for traffic that is not defined in a bandwidth filter, leave some of the interface’s bandwidth unbudgeted.
  • Page 300: Configuring Summary

    Configuring summary Click BW MGMT to open the Summary screen. Enable bandwidth management on an interface and set the maximum allowed bandwidth for that interface. Figure 99 Bandwidth Manager: Summary Table 79 describes the labels in Figure Table 79 Bandwidth Manager: Summary Label...
  • Page 301: Configuring Class Setup

    Configure subclass layers for the root class. To add or delete child classes on an interface, click BW MGMT, then the Class Setup tab. The screen appears as shown in Figure 100.
  • Page 302: Figure 100 Bandwidth Manager: Class Setup

    Figure 100 Bandwidth Manager: Class setup Table 80 describes the labels in Figure 100. Table 80 Bandwidth Manager: Class Setup Label Description Interface Select an interface from the drop-down list for which you wish to set up classes.
  • Page 303: Bandwidth Manager Class Configuration

    To add a subclass, click BW MGMT, and then the Class Setup tab. Click the Add Sub-Class button to open the screen shown in Figure 101.
  • Page 304: Figure 101 Bandwidth Manager: Edit Class

    Figure 101 Bandwidth Manager: Edit class Table 81 describes the labels in Figure 101. Table 81 Bandwidth Manager: Edit class Label Description Class Configuration Class Name Use the autogenerated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces.
  • Page 305 Destination IP Address. Destination Port Enter the port number of the destination. See “Predefined services” on page 188 Chapter 11 Firewall screens for a table of services and port numbers.
  • Page 306: Bandwidth Management Statistics

    Table 81 Bandwidth Manager: Edit class Label Description Source IP Address Enter the source IP address. Source Subnet Mask Enter the destination subnet mask. This field is N/A if you do not specify a Source IP Address. Source Port Enter the port number of the source.
  • Page 307: Figure 102 Bandwidth Management Statistics

    Click Set Interval to apply the new update period you entered in the Update Period field above. Stop Update Click Stop Update to stop the browser from refreshing bandwidth management statistics. Clear Counter Click Clear Counter to clear all of the bandwidth management statistics.
  • Page 308: Monitor

    Monitor To view the device’s bandwidth usage and allotments, click BW MGMT, then the Monitor tab. The screen appears as shown in Figure 103. Figure 103 Bandwidth manager monitor Table 84 describes the labels in Figure 103.
  • Page 309: Ieee 802.1X

    RADIUS server. Types of RADIUS messages The following types of RADIUS messages are exchanged between the Business Secure Router and the RADIUS server for user authentication:
  • Page 310: Eap Authentication Overview

    • Access-Request Sent by the Business Secure Router requesting authentication. • Access-Reject Sent by a RADIUS server rejecting access. • Access-Accept Sent by a RADIUS server allowing access. • Access-Challenge Sent by a RADIUS server requesting more information in order to allow access.
  • Page 311: Configuring 802.1X

    The RADIUS server checks the user information against its user profile database and determines whether or not to authenticate the user. Configuring 802.1X To change your Business Secure Router’s Authentication settings, click 802.1X. The screen appears, as shown in Figure 105.
  • Page 312: Figure 105 802.1X

    312 Chapter 16 IEEE 802.1x Figure 105 802.1X Table 85 describes the labels in Figure 105. Table 85 802.1X Label Description Authentication Select Authentication Required, No Access or No Authentication Type Required from the drop-down list. Select Authentication Required to authenticate all users before they can access the network.
  • Page 313 Business Secure Router does not check the local user database and the authentication fails. Apply Click Apply to save your changes to the Business Secure Router. Reset Click Reset to begin configuring this screen afresh. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 315: Authentication Server

    RADIUS server. However, there is a limit on the number of users you can authenticate in this way. Local User database To see your Business Secure Router’s local user list, click AUTH SERVER. The Local User Database screen appears as shown in Figure 106. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 316: Figure 106 Local User Database

    316 Chapter 17 Authentication server Figure 106 Local User database Table 86 describes the labels in Figure 106. Table 86 Local User database Label Description User ID: This field displays the logon name for the user account. Active: This field displays Yes if the user account is enabled or No if it is disabled. User type: This field displays whether the user account can be used for an IEEE 802.1X or IPSec logon (or both).
  • Page 317: Edit Local User Database

    To change a local user database entry, click AUTH SERVER. In the Local User Database screen, select an entry’s radio button and click the Edit button to display the Local User Database Edit screen, as shown in Figure 107. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 318: Figure 107 Local User Database Edit

    318 Chapter 17 Authentication server Figure 107 Local User database edit NN47922-500...
  • Page 319: Table 87 Local User Database Edit

    VPN tunnel. Configure Network: Click this link to set up the list of networks to use as split or inverse split networks.
  • Page 320: Current Split Networks

    Table 87 Local User database edit Label Description Split Tunnel Networks: This field applies when you select Enabled in the Split Tunneling field. Select the network for which you force traffic to be encrypted and go through the VPN tunnel.
  • Page 321: Current Split Networks Edit

    Current Split Networks screen. Click Add or select a network and click Edit in order to display the Current Networks Edit screen. Use this screen shown in Figure 109 to configure a set of subnets to use with split or inverse split VPN tunnels. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 322: Figure 109 Current Split Networks Edit

    Figure 109 Current split networks edit Table 89 describes the labels in Figure 109. Table 89 Current split networks edit Label Description Network Name: Enter a name to identify the split network. IP Address: Enter the IP address for the split network in dotted decimal notation. Netmask: Enter the netmask for the split network in dotted decimal notation.
  • Page 323: Configuring Radius

    Use RADIUS if you want to authenticate users using an external server. To set up your Business Secure Router’s RADIUS Server settings, click AUTH SERVER, then the RADIUS tab. The screen appears, as shown in Figure 110. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 324: Figure 110 Radius

    324 Chapter 17 Authentication server Figure 110 RADIUS Table 90 describes the labels in Figure 110. Table 90 RADIUS Label Description Authentication Server Active Select the check box to enable user authentication through an external authentication server. Clear the check box to enable user authentication using the local user profile on the Business Secure Router.
  • Page 325 Enter the password again to make sure that you have entered it correctly. Apply Click Apply to save your changes to the Business Secure Router. Reset Click Reset to begin configuring this screen afresh. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 327: Remote Management Screens

    To disable remote management of a service, select Disable in the corresponding Server Access field. Remote management limitations Remote management over LAN or WAN does not work if: Nortel Business Secure Router 222 Configuration — Basics...
  • Page 328: Remote Management And Nat

    328 Chapter 18 Remote management screens A filter in SMT menu 3.1 (LAN) or in menu 11.1.4 (WAN) is applied to block a Telnet, FTP, or Web service. A service is disabled in one of the remote management screens. The IP address in the Secured Client IP field does not match the client IP address.
  • Page 329: Introduction To Https

    1 HTTPS connection requests from an SSL-aware Web browser go to port 443 (by default) on the Business Secure Router’s WS (Web server). 2 HTTP connection requests from a Web browser go to port 80 (by default) on the Business Secure Router’s WS (Web server). Nortel Business Secure Router 222 Configuration — Basics...
  • Page 330: Configuring Www

    330 Chapter 18 Remote management screens Figure 111 HTTPS implementation Note: If you disable HTTP Server Access (Disable) in the REMOTE MGMT WWW screen, the Business Secure Router blocks all HTTP connection attempts. Configuring WWW To change your Business Secure Router’s Web settings, click REMOTE MGMT to open the WWW screen.
  • Page 331: Figure 112 Www

    Business Secure Router a certificate. To do that, the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the Business Secure Router (see the appendix on importing certificates for details). Nortel Business Secure Router 222 Configuration — Basics...
  • Page 332: Https Example

    332 Chapter 18 Remote management screens Table 91 WWW Label Description Server Port The HTTPS proxy server listens on port 443 by default. If you change the HTTPS proxy server port to a different number on the Business Secure Router, for example, 8443, you must notify people who need to access the Business Secure Router WebGUI to use https://Business Secure Router IP Address:8443 as the URL.
  • Page 333: Internet Explorer Warning Messages

    Click Examine Certificate if you want to verify that the certificate is from the Business Secure Router. If you select Accept this certificate temporarily for this session, then click OK to continue in Netscape. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 334: Figure 114 Figure 18-4 Security Certificate 1 (Netscape)

    334 Chapter 18 Remote management screens Select Accept this certificate permanently to import the Business Secure Router’s certificate into the SSL client. Figure 114 Figure 18-4 Security Certificate 1 (Netscape) NN47922-500...
  • Page 335: Avoiding The Browser Warning Messages

    Business Secure Router’s HTTPS server certificate that your browser received. To check the common name specified in the certificate that your Business Secure Router sends to HTTPS clients: Nortel Business Secure Router 222 Configuration — Basics...
  • Page 336: Logon Screen

    a Click REMOTE MGMT. Write down the name of the certificate displayed in the Server Certificate field. b Click CERTIFICATES. Find the certificate that was displayed in the Server Certificate field and check its Subject column. CN stands for the certificate’s common name (see Figure 119 on page 340 for an example).
  • Page 337: Figure 116 Logon Screen (Internet Explorer)

    Chapter 18 Remote management screens 337 Figure 116 Logon screen (Internet Explorer) Nortel Business Secure Router 222 Configuration — Basics...
  • Page 338: Figure 117 Login Screen (Netscape)

    338 Chapter 18 Remote management screens Figure 117 Login screen (Netscape) Click Login to proceed. The screen shown in Figure 118 appears. The factory default certificate is a common default certificate for all Business Secure Router models. NN47922-500...
  • Page 339: Figure 118 Replace Certificate

    Click Apply in the Replace Certificate screen to create a certificate using your Business Secure Router’s MAC address that is specific to this device. Click CERTIFICATES to open the My Certificates screen. You see information similar to that shown in Figure 119. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 340: Figure 119 Device-Specific Certificate

    340 Chapter 18 Remote management screens Figure 119 Device-specific certificate Click Ignore in the Replace Certificate screen to use the common Business Secure Router certificate. The My Certificates screen appears (Figure 120). NN47922-500...
  • Page 341: Ssh Overview

    Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 342: How Ssh Works

    342 Chapter 18 Remote management screens Figure 121 SSH Communication Example How SSH works Figure 122 summarizes how a secure connection is established between two remote hosts. Figure 122 How SSH Works Host Identification The SSH client sends a connection request to the SSH server. The server identifies itself with a host key.
  • Page 343: Ssh Implementation On The Business Secure Router

    Business Secure Router over SSH. Configuring SSH To change your Business Secure Router’s Secure Shell settings, click REMOTE MGMT, and then the SSH tab. The screen shown in Figure 123 appears. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 344: Figure 123 Ssh

    344 Chapter 18 Remote management screens Figure 123 SSH Table 92 describes the labels in Figure 123. Table 92 SSH Label Description Server Host Select the certificate whose corresponding private key is to be used to identify the Business Secure Router for SSH connections. You must have certificates already configured in the My Certificates screen (Click My Certificates and see Chapter 14, “Certificates,”...
  • Page 345: Secure Telnet Using Ssh Examples

    Chapter 18 Remote management screens 345 Note: Nortel recommends that you disable Telnet and FTP when you configure SSH for secure connections. Secure Telnet using SSH examples This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the Business Secure Router. The configuration and connection steps are similar for most SSH client programs.
  • Page 346: Example 2: Linux

    346 Chapter 18 Remote management screens Example 2: Linux This section describes how to access the Business Secure Router using the OpenSSH client program that comes with most Linux distributions. Test whether the SSH service is available on the Business Secure Router. Enter “telnet 192.168.1.1 22”...
  • Page 347: Secure Ftp Using Ssh Example

    Business Secure Router. Type yes and press [ENTER]. Enter the password to log on to the Business Secure Router. Use the put command to upload a new firmware to the Business Secure Router. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 348: Telnet

    Figure 127 Secure FTP: Firmware Upload Example
    $ sftp -1 192.168.1.1
    Connecting to 192.168.1.1...
    The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
    RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
  • Page 349: Configuring Telnet

    Business Secure Router using this service. Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 350: Configuring Ftp

    350 Chapter 18 Remote management screens Configuring FTP You can upload and download the Business Secure Router’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. To change your Business Secure Router’s FTP settings, click REMOTE MANAGEMENT, and then the FTP tab.
  • Page 351: Configuring Snmp

    Figure 131 illustrates an SNMP management operation. The default get and set communities are public. Note: SNMP is only available if TCP/IP is configured.
  • Page 352: Figure 131 Snmp Management Model

    352 Chapter 18 Remote management screens Figure 131 SNMP Management Model An SNMP-managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the Business Secure Router). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 353: Supported Mibs

    (for example, download new files, and CI command sys reboot). For fatal error: A trap is sent with the message of the fatal code if the system reboots because of fatal errors. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 354: Remote Management: Snmp

    354 Chapter 18 Remote management screens REMOTE MANAGEMENT: SNMP To change your Business Secure Router’s SNMP settings, click REMOTE MANAGEMENT, and then the SNMP tab. The screen appears as shown in Figure 132. Figure 132 SNMP Table 96 describes the fields in Figure 132.
  • Page 355: Configuring Dns

    Click Reset to begin configuring this screen afresh. Configuring DNS Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa, for example, the IP address of www.nortel.com is 47.249.48.20. To change your Business Secure Router’s DNS settings, click REMOTE MANAGEMENT, and then the DNS tab.
  • Page 356: Configuring Security

    356 Chapter 18 Remote management screens Figure 133 DNS Table 97 describes the fields in Figure 133. Table 97 DNS Label Description Server Port The DNS service port number is 53 and cannot be changed here. Server Access Select the interfaces (if any) through which a computer can send DNS queries to the Business Secure Router.
  • Page 357: Figure 134 Security

    Disable is selected. Select LAN to reply to incoming LAN Ping requests. Select WAN to reply to incoming WAN Ping requests. Otherwise, select LAN & WAN to reply to both incoming LAN and WAN Ping requests. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 358: Nn47922

    Table 98 Security Label Description Do not respond to requests for unauthorized services: Select this option to prevent hackers from finding the Business Secure Router by probing for unused ports. If you select this option, the Business Secure Router does not send ICMP response packets to port requests for unused ports, thus leaving the unused ports and...
  • Page 359: Upnp

    With NAT traversal, the device can do the following: • Dynamic port mapping • Learning public IP addresses • Assigning lease times to mappings Nortel Business Secure Router 222 Configuration — Basics...
  • Page 360: Cautions With Upnp

    360 Chapter 19 UPnP Windows Messenger is an example of an application that supports NAT traversal and UPnP. Cautions with UPnP The automated nature of NAT traversal applications in establishing their own services and opening firewall ports can present network security issues. Network information and configuration can also be obtained and modified by users in some network environments.
  • Page 361: Figure 135 Configuring Upnp

    Clear this check box to have the firewall block all UPnP application packets (for example, MSN packets). Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 362: Displaying Upnp Port Mapping

    362 Chapter 19 UPnP Displaying UPnP port mapping Click UPnP and then Ports to display the screen as shown in Figure 136. Use this screen to view the NAT port mapping rules that UPnP creates on the Business Secure Router. Figure 136 UPnP Ports Table 100 describes the labels in...
  • Page 363: Installing Upnp In Windows Example

    Follow the steps below to install UPnP in Windows Me. Click Start and Control Panel. Double-click Add/Remove Programs. Click on the Windows Setup tab and select Communication in the Components selection box. Click Details. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 364: Installing Upnp In Windows Xp

    364 Chapter 19 UPnP Figure 137 Add/Remove programs: Windows setup In the Communications window, select the Universal Plug and Play check box in the Components selection box. Click OK to return to the Add/Remove Programs Properties window and click Next. Restart the computer when prompted.
  • Page 365: Figure 139 Network Connections

    Optional Networking Components …. The Windows Optional Networking Components Wizard window appears. Figure 139 Network connections Select Networking Service in the Components selection box and click Details. Figure 140 Windows optional networking components wizard Nortel Business Secure Router 222 Configuration — Basics...
  • Page 366: Using Upnp In Windows Xp Example

    366 Chapter 19 UPnP In the Networking Services window, select the Universal Plug and Play check box. Figure 141 Windows XP networking services Click OK to return to the Windows Optional Networking Component Wizard window and click Next. Using UPnP in Windows XP example This section shows you how to use the UPnP feature in Windows XP.
  • Page 367: Figure 142 Internet Gateway Icon

    Right-click the icon and select Properties. Figure 142 Internet gateway icon In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. Figure 143 Internet connection properties Nortel Business Secure Router 222 Configuration — Basics...
  • Page 368: Figure 144 Internet Connection Properties Advanced Setup

    368 Chapter 19 UPnP You can edit or delete the port mappings or click Add to manually add port mappings. Figure 144 Internet connection properties advanced setup Figure 145 Service settings Note: When the UPnP-enabled device is disconnected from your computer, all port mappings are deleted automatically.
  • Page 369: Webgui Easy Access

    This is helpful if you do not know the IP address of your Business Secure Router. Follow the steps below to access the WebGUI. Click Start and then Control Panel. Double-click Network Connections. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 370: Figure 148 Network Connections

    370 Chapter 19 UPnP Select My Network Places under Other Places Figure 148 Network connections An icon with the description for each UPnP-enabled device displays under Local Network. Right-click the icon for your Business Secure Router and select Invoke. The WebGUI logon screen displays.
  • Page 371: Logs Screens

    Log entries in red indicate system error logs. The log wraps around and deletes the old entries after it fills. Click a column heading to sort the entries. A triangle indicates ascending or descending sort order. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 372: Figure 150 View Log

    372 Chapter 20 Logs Screens Figure 150 View Log Table 101 describes the fields in Figure 150. Table 101 View Log Label Description Display The categories that you select in the Log Settings page display in the drop-down list. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
  • Page 373: Configuring Log Settings

    Note: Alerts are e-mailed as soon as they happen. Logs can be e-mailed as soon as the log is full. Selecting many alert and log categories (especially Access Control) can result in many e-mails being sent. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 374: Figure 151 Log Settings

    374 Chapter 20 Logs Screens Figure 151 Log settings NN47922-500...
  • Page 375: Table 102 Log Settings

    Use the drop-down list to select which day of the week to send the logs. Time for Sending Log Enter the time of the day in 24-hour format (for example 23:00 equals 11:00 p.m.) to send the logs. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 376: Configuring Reports

    376 Chapter 20 Logs Screens Table 102 Log settings Label Description Select the categories of the logs that you want to record. Logs include alerts. Send Immediate Alert Select the categories of alerts for which you want the Business Secure Router to instantly e-mail alerts to the e-mail address specified in the Send Alerts To field.
  • Page 377: Figure 152 Reports

    Business Secure Router can count these as hits, thus the Web hit count is not (yet) 100% accurate. Figure 152 Reports Note: Enabling the Business Secure Router’s reporting function decreases the overall throughput by about 1 Mb/s. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 378: Viewing Web Site Hits

    Table 103 describes the fields in Figure 152. Table 103 Reports Label Description Collect Statistics: Select the check box and click Apply to have the Business Secure Router record report data. Send Raw Traffic Statistics to Syslog Server for...: Select the check box and click Apply to have the Business Secure Router send unprocessed traffic statistics to a syslog server for...
  • Page 379: Figure 153 Web Site Hits Report Example

    Web site as another hit on the Web site. Hits This column lists how many times each Web site has been visited. The count starts over at 0 if a Web site passes the hit count limit. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 380: Viewing Protocol/Port

    380 Chapter 20 Logs Screens Viewing Protocol/Port In the Reports screen, select Protocol/Port from the Report Type drop-down list to have the Business Secure Router record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports.
  • Page 381: Viewing Lan Ip Address

    Note: Computers take turns using dynamically assigned LAN IP addresses. The Business Secure Router continues recording the bytes sent to or from a LAN IP address when it is assigned to a different computer. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 382: Figure 155 Lan Ip Address Report Example

    382 Chapter 20 Logs Screens Figure 155 LAN IP address report example Table 106 describes the fields in Figure 155. Table 106 LAN IP Address Report Label Description IP Address This column lists the LAN IP addresses to and from which the most traffic has been sent.
  • Page 383: Reports Specifications

    Bytes count limit: Up to 2 bytes can be counted per protocol/port or LAN IP address. The count starts over at 0 if it passes 2 bytes. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 385: Call Scheduling Screens

    You can design up to 12 schedule sets. You can apply up to four schedule sets for a remote node. Call schedule summary Click CALL SCHEDULE to open the Call Schedule Summary screen. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 386: Figure 156 Call Schedule Summary

    386 Chapter 21 Call scheduling screens Figure 156 Call schedule summary Table 108 describes the fields in Figure 156. Table 108 Call Schedule Summary Label Description This is the call schedule set number. Name This field displays the name of the call schedule set. Active This field shows whether the call schedule set is turned on (Yes) or off (No).
  • Page 387: Call Scheduling Edit

    Select a call schedule set's radio button and click Delete to remove that call schedule set. Call scheduling edit To configure a schedule set, click the Edit button to display the screen shown in Figure 157. Figure 157 Call schedule edit
  • Page 388: Table 109 Call Schedule Edit

    If a connection has already been established, your Business Secure Router will not drop it. After the connection is dropped manually or it times out, that remote node cannot be triggered again until the end of the Duration. Table 109 Call schedule edit Label Description...
  • Page 389: Applying Schedule Sets To A Remote Node

    PPPoE or PPTP encapsulation (refer to “Configuring WAN ISP” on page 107). Click WAN, WAN IP to display the WAN IP screen as shown in Figure 158. Use the screen to apply up to four schedule sets. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 390: Figure 158 Applying Schedule Sets To A Remote Node

    390 Chapter 21 Call scheduling screens Figure 158 Applying Schedule Sets to a remote node NN47922-500...
  • Page 391: Maintenance

    Business Secure Router. Status screen Click MAINTENANCE to open the Status screen, where you can monitor your Business Secure Router. Note that these fields are READ-ONLY and only used for diagnostic purposes. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 392: Figure 159 System Status

    The model name identifies your device type. The model name is also on a sticker on your device. If you are uploading firmware, be sure to upload firmware for this exact model name. Nortel Firmware Version: The release of firmware currently on the Business Secure Router and the date the release was created.
  • Page 393: System Statistics

    TxPkts This is the number of transmitted packets on this port. RxPkts This is the number of received packets on this port. Collisions This is the number of collisions on this port. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 394: Dhcp Table Screen

    394 Chapter 22 Maintenance Table 111 System Status: Show statistics Label Description Tx B/s This displays the transmission speed, in bytes per second, on this port. Rx B/s This displays the reception speed, in bytes per second, on this port. Up Time This is the total amount of time the line has been up.
  • Page 395: F/W Upload Screen

    Click Refresh to renew the screen. F/W Upload screen Find firmware at www.nortel.com/index.html in a file that usually uses the system model name with a *.bin extension. The upload process uses FTP (File Transfer Protocol) and can take up to two minutes. After a successful upload, the system reboots.
  • Page 396: Figure 162 Firmware Upload

    396 Chapter 22 Maintenance Click MAINTENANCE, and then the F/W UPLOAD tab. Follow the instructions to upload firmware to your Business Secure Router. Figure 162 Firmware upload Table 113 describes the fields in Figure 162. Table 113 Firmware Upload Label Description File Path Type in the location of the file you want to upload in this field or click...
  • Page 397: Figure 163 Firmware Upload In Process

    If the upload was not successful, the screen shown in Figure 165 appears. Uploading the wrong firmware file or a corrupted firmware file can cause this error. Click Return to return to the F/W Upload screen. Figure 165 Firmware upload error Nortel Business Secure Router 222 Configuration — Basics...
  • Page 398: Configuration Screen

    398 Chapter 22 Maintenance Configuration screen Click MAINTENANCE, and then the Configuration tab. Information related to factory defaults, backup configuration, and restoring configuration appears as shown in Figure 166. Figure 166 Configuration Back to Factory Defaults Pressing the Reset button in this section clears all user-entered configuration information and returns the Business Secure Router to its factory defaults.
  • Page 399: Backup Configuration

    With backup configuration, you can back up and save the device’s current configuration to a 104 KB file on your computer. After your device is configured and functioning properly, Nortel recommends that you back up your configuration file before making configuration changes. The backup configuration file is useful in case you need to return to your previous settings.
  • Page 400: Restore Configuration

    400 Chapter 22 Maintenance Restore configuration With restore configuration, you can upload a new or previously saved configuration file from your computer to your Business Secure Router. Table 114 Restore configuration Label Description File Path Type in the location of the file you want to upload in this field or click Browse...
  • Page 401: Restart Screen

    IP address (192.168.1.1). See your Nortel Business Secure Router 222 — Fundamentals (NN47922-301) guide for details about how to set up your computer’s IP address.
  • Page 402: Figure 170 Restart Screen

    402 Chapter 22 Maintenance Figure 170 Restart screen NN47922-500...
  • Page 403: Appendix A Troubleshooting

    9 600 b/s is the default speed on leaving the factory. Try other speeds in case the speed has been changed. • No parity, 8 data bits, 1 stop bit, data flow set to none. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 404: Problems With The Lan Led

    Table 117 Troubleshooting the LAN Interface Problem: I cannot access the Business Secure Router from the LAN. Corrective Action: Check your Ethernet cable type and connections. Refer to the Nortel Business Secure Router 222 — Fundamentals (NN47922-301) guide for LAN connection...
  • Page 405: Problems With The Wan Interface

    LAN as the Business Secure Router’s WAN MAC address. Use the WAN screens in the WebGUI. Nortel recommends that you clone your computer’s MAC address, even if your ISP presently does not require MAC address authentication.
  • Page 406: Problems Accessing An Internet Web Site

    Problems accessing an internet Web site Table 120 Troubleshooting Web Site Internet Access Problem: Cannot connect to a Web site on the... Corrective Action: Disable content filtering and clear your browser cache. Try connecting to the Web site again.
  • Page 407: Problems With The Webgui

    LAN connection. Refer to the “Problems with the WAN interface” on page 405 for instructions about checking your WAN connection. See also “Problems with the WebGUI” on page 407. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 408: Allowing Pop-Up Windows, Javascript And Java Permissions

    Allowing Pop-up Windows, JavaScript and Java Permissions In order to use the WebGUI, you must allow: • Web browser pop-up windows from your device • JavaScript • Java permissions Internet Explorer Pop-up Blockers Note: Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions vary. Disable pop-up blocking to log on to your device, if necessary.
  • Page 409: Enabling Pop-Up Blockers With Exceptions

    Enabling Pop-up Blockers with Exceptions Alternatively, if you only want to allow pop-up windows from your device, see the following steps. In Internet Explorer, select Tools, Internet Options and then the Privacy tab. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 410: Figure 173 Internet Options

    410 Appendix A Troubleshooting Select Settings… to open the Pop-up Blocker Settings screen. Figure 173 Internet options Type the IP address of your device (the Web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.1.1. NN47922-500...
  • Page 411: Internet Explorer Javascript

    Click Close to return to the Internet Options screen. Click Apply to save this setting. Internet Explorer JavaScript If pages of the WebGUI do not display properly in Internet Explorer, check that JavaScript and Java permissions are enabled. Nortel Business Secure Router 222 Configuration — Basics...
  • Page 412: Figure 175 Internet Options

    In Internet Explorer, click Tools, Internet Options, and then the Security tab.
    Figure 175 Internet options
    Click the Custom Level... button.
    Scroll down to Scripting.
    Under Active scripting make sure that Enable is selected (the default).
    Under Scripting of Java applets make sure that Enable is selected (the default).
  • Page 413: Internet Explorer Java Permissions

    From Internet Explorer, click Tools, Internet Options, and then the Security tab.
    Click the Custom Level... button.
    Scroll down to Microsoft VM.
    Under Java permissions make sure that a safety level is selected.
  • Page 414: Java (Sun)

    Click OK to close the window.
    Figure 177 Security Settings - Java
    JAVA (Sun)
    From Internet Explorer, click Tools, Internet Options, and then the Advanced tab.
    Make sure that Use Java 2 for <applet> under Java (Sun) is selected.
    Click OK to close the window.
  • Page 415: Netscape Pop-Up Blockers

    Note: Netscape 7.2 screens are used here. Screens for other Netscape versions vary.
    Either disable the blocking of unrequested pop-up windows (enabled by default in Netscape) or allow pop-ups from Web sites by creating an exception for your device’s IP address.
  • Page 416: Allowing Pop-Ups

    Allowing Pop-ups
    In Netscape, click Tools, Popup Manager and then select Allow Popups From This Site.
    Figure 179 Allow Popups from this site
    In the Netscape search toolbar, you can enable and disable pop-up blockers for Web sites.
    Figure 180 Netscape Search Toolbar
    You can also check if pop-up blocking is disabled in the Popup Windows screen in the Privacy &...
  • Page 417: Enable Pop-Up Blockers With Exceptions

    Alternatively, if you only want to allow pop-up windows from your device, follow these steps:
    In Netscape, click Edit, and then Preferences.
    In the Privacy & Security directory, select Popup Windows.
    Make sure the Block unrequested popup windows check box is selected.
  • Page 418: Figure 182 Popup Windows

    Click the Allowed Sites... button.
    Figure 182 Popup Windows
    Type the IP address of your device (the Web page that you do not want to have blocked) with the prefix http://. For example, http://192.168.1.1.
  • Page 419: Netscape Java Permissions And Javascript

    If pages of the WebGUI do not display properly in Netscape, check that JavaScript and Java permissions are enabled.
    In Netscape, click Edit and then Preferences.
    Click the Advanced directory.
    In the Advanced screen, make sure the Enable Java check box is selected.
  • Page 420: Figure 184 Advanced

    Click OK to close the window.
    Figure 184 Advanced
    Click the Advanced directory and then select Scripts & Plug-ins.
    Make sure the Navigator check box is selected in the enable JavaScript section.
  • Page 421: Figure 185 Scripts & Plug-Ins

    Click OK to close the window.
    Figure 185 Scripts & Plug-ins
  • Page 423: Appendix B Log Descriptions

    WEB Login Successfully | Someone has logged on to the router's WebGUI interface.
    WEB Login Fail | Someone has failed to log on to the router's WebGUI interface.
    TELNET Login Successfully | Someone has logged on to the router via Telnet.
  • Page 424: Table 126 Upnp Logs

    Table 125 System Maintenance Logs
    Log Message | Description
    TELNET Login Fail | Someone has failed to log on to the router via Telnet.
    FTP Login Successfully | Someone has logged on to the router via FTP.
    FTP Login Fail | Someone has failed to log on to the router via FTP.
    NAT Session Table is Full! | The maximum number of SUA/NAT session table entries has been exceeded and the table is full.
  • Page 425

    TCP
    ports scan TCP | The firewall detected a TCP port scan attack.
    teardrop TCP | The firewall detected a TCP teardrop attack.
    teardrop UDP | The firewall detected a UDP teardrop attack.
  • Page 426: Table 129 Access Logs

    Table 128 Attack Logs
    Log Message | Description
    teardrop ICMP (type:%d, code:%d) | The firewall detected an ICMP teardrop attack.
    illegal command TCP | The firewall detected a TCP illegal command attack.
    NetBIOS TCP | The firewall detected a TCP NetBIOS attack.
    ip spoofing - no... | The firewall detected a TCP IP spoofing attack while the
  • Page 427

    Firewall rule match: OSPF (set:%d, rule:%d) | OSPF access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the rule’s configuration.
  • Page 428

    Table 129 Access Logs
    Log Message | Description
    Firewall rule match: (set:%d, rule:%d) | Access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the rule’s configuration.
    Firewall rule NOT | TCP access did not match the listed firewall rule and the Business Secure Router logged it.
  • Page 429

    <set %d/rule %d> Access matched the listed filter rule (denied LAN IP).
    Filter match FORWARD <set %d/rule %d> | Access was allowed and the router forwarded the packet.
  • Page 430

    Table 129 Access Logs
    Log Message | Description
    (set:%d) | With firewall messages, this is the number of the ACL policy set and denotes the packet's direction (see Table 130). With filter messages, this is the number of the filter set.
    (rule:%d) | With firewall messages, the firewall rule number denotes the number of a firewall rule within an ACL policy set. With...
  • Page 431: Table 130 Acl Setting Notes

    Redirect
    Redirect datagrams for the Network
    Redirect datagrams for the Host
    Redirect datagrams for the Type of service and network
  • Page 432: Vpn/Ipsec Logs

    Table 131 ICMP Notes
    Type Code Description
    Redirect datagrams for the Type of service and host
    Echo: Echo message
    Time exceeded: Time to live exceeded in transit
    Time exceeded: Fragment reassembly time exceeded
    Parameter problem: Pointer indicates the error
    Timestamp: Timestamp request message
    Timestamp reply...
  • Page 433: Vpn Responder Ipsec Log

    Start Phase 2: Quick Mode
    01 Jan 08:02:26 Send:<HASH><SA><NONCE><ID><ID>
    01 Jan 08:02:26 Recv:<HASH><SA><NONCE><ID><ID>
    01 Jan 08:02:26 Send:<HASH>
    Clear IPSec Log (y/n):

    VPN Responder IPSec Log
    Figure 187 shows a typical log from the VPN connection peer.
  • Page 434: Figure 187 Example Vpn Responder Ipsec Log

    Figure 187 Example VPN Responder IPSec Log
    Index: Date/Time: Log:
    ------------------------------------------------------------
    01 Jan 08:08:07 Recv Main Mode request from <192.168.100.100>
    01 Jan 08:08:07 Recv:<SA>
    01 Jan 08:08:08 Send:<SA>
    01 Jan 08:08:08 Recv:<KE><NONCE>
    01 Jan 08:08:10 Send:<KE><NONCE>...
  • Page 435: Table 133 Sample Ike Key Exchange Logs

    with rule <#d> | “Remote Addr”. If this IP (range) conflicts with a previously configured rule, the connection is not allowed.
    !! Invalid IP <IP start>/ <IP end> | The peer’s “Local IP Addr” range is invalid.
  • Page 436

    Table 133 Sample IKE Key Exchange Logs
    Log Message | Description
    !! Remote IP <IP start> / <IP end> conflicts | If the security gateway is “0.0.0.0”, the Business Secure Router uses the peer’s “Local Addr” as its “Remote Addr”.
  • Page 437: Table 134 Sample Ipsec Logs During Packet Transmission

    failed | Check them.
    Rule <#d> idle time out, disconnect | If an SA has no packets transmitted for a period of time (configurable via CI command), the Business Secure Router drops the connection.
  • Page 438: Table 135 Rfc-2408 Isakmp Payload Types

    Table 135 shows RFC-2408 ISAKMP payload types that the log displays. Refer to the RFC for detailed information about each type.
    Table 135 RFC-2408 ISAKMP Payload Types
    Log Display | Payload Type
    Security Association
    PROP | Proposal
    TRANS | Transform
    Key Exchange...
  • Page 439

    codes>, cert not trusted: <subject name> | The recorded reason codes are only approximate reasons for not trusting the certificate. See Table 137 for the corresponding descriptions of the codes.
  • Page 440: Table 137 Certificate Path Verification Failure Reason Codes

    Table 137 Certificate Path Verification Failure Reason Codes
    Code Description
    Algorithm mismatch between the certificate and the search constraints.
    Key usage mismatch between the certificate and the search constraints.
    Certificate was not valid in the time interval.
    (Not used)
    Certificate is not valid.
  • Page 441: Table 138 IEEE 802.1X Logs

    RADIUS Server.
    Use Local User Database to authenticate user. | The local user database operates as the authentication server.
    Use RADIUS to authenticate user. | The RADIUS server operates as the authentication server.
  • Page 442: Log Commands

    Table 138 IEEE 802.1X Logs
    Log Message | Description
    No Server to authenticate user. | There is no authentication server to authenticate a user.
    Local User Database does not find user`s credential. | A user was not authenticated by the local user database because the user is not listed in the
  • Page 443: Displaying Logs

    Use the sys logs display [log category] command to show the logs in an individual Business Secure Router log category. Use the sys logs clear command to erase all of the Business Secure Router’s logs.
  • Page 444: Log Command Example

    Log Command Example
    This example shows how to set the Business Secure Router to record the access logs and alerts and then view the results.
    ras> sys logs load
    ras> sys logs category access 3
    ras>...
  • Page 445: Index

    Budget 126 AT Command Strings 127, 129 Bypass Triangle Route 179 AT Response Strings 129 ATDP 127 ATH 127 Cable Modem 157 Attack Alert 192, 194 Call Back Delay 129 Attack Types 162
  • Page 446 Call Control 129 Default Server IP Address 139 Call Scheduling 37, 385 Denial of Service 157, 158, 192, 193 Maximum Number of Schedule Sets 385 DES 207 Precedence 385 Destination Address 174, 182 Precedence Example 385 DHCP 52, 60, 81, 93, 94, 394 Called ID 129 DHCP (Dynamic Host Configuration Protocol) 39 Calling Line Identification 129...
  • Page 447 IGMP-v2 126 FTP Restrictions 327 Illegal Commands 162 FTP Server 40 Initial Contact Payload 258 Full Feature 116 Inside 132 Full Network Management 40 Inside Global Address 132 Inside Local Address 132
  • Page 448 Internet Control Message Protocol (ICMP) 161 MAIN MENU 48 Internet Group Multicast Protocol 95, 117 Management Information Base (MIB) 352 IP Address 58, 59, 137, 394 Many One-to-One 143, 144 IP Alias 38, 101 Many to Many No Overload 135 IP Multicast 38 Many to Many Overload 135 Internet Group Management Protocol...
  • Page 449 RIP 94, 95, 125 PPPoE 37, 52, 56, 57 RIP Direction 95, 117 PPPoE Encapsulation 108 RIP Version 94, 117, 125 PPTP 52, 54, 138 RIP-1 94, 117, 125 PPTP Encapsulation 38, 110 RIP-2 94
  • Page 450 RIP-2B 95, 117, 125 SMTP 138 RIP-2M 95, 117, 125 Smurf 161, 162 Roadrunner Manager 113 SNMP 39, 138, 351 Get 353 RoadRunner Support 40 Manager 352 RoadRunner Toshiba 113 MIBs 353 Root Class 301 Trap 353 Routing Information Protocol 94 SNMP (Simple Network Management RR- Service Type 112 Protocol) 39...
  • Page 451 Upgradeable Firmware 40 Uploading a Configuration File Via Console Port 46 UPnP 37 UPnP Examples 363 UPnP Port Mapping 362 Upper Layer Protocols 167 URL Keyword Blocking 199 User Profiles 315 Username 44
