Nortel BSR252 Configuration - Basics

Nortel Business Secure Router 252 Configuration — Basics
BSR252
Business Secure Router
Document Number: NN47923-500
Document Version: 1.1
Date: March 2007

Summary of Contents for Nortel BSR252

  • Page 1 Nortel Business Secure Router 252 Configuration — Basics BSR252 Business Secure Router Document Number: NN47923-500 Document Version: 1.1 Date: March 2007...
  • Page 2 The information in this document is proprietary to Nortel. Trademarks Nortel, Nortel (Logo), the Globemark, and This is the way, This is Nortel (Design mark) are trademarks of Nortel. Microsoft, MS, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation.
  • Page 29: Preface

    Router for its various applications. Note: This guide explains how to use the WebGUI to configure your Business Secure Router. See Nortel Business Secure Router 252 Configuration — Advanced (NN47923-501) for how to use the System Management Terminal (SMT) or the command interpreter interface to configure your Business Secure Router.
  • Page 30: Related Publications

    Hard copy technical manuals You can print selected technical manuals and release notes free, directly from the Internet. Go to www.nortel.com/documentation. Find the product for which you need documentation. Then locate the specific category and model or version for your hardware or software product. Use Adobe Reader to open the manuals and release notes, search for the sections you need, and print them on most standard printers.
  • Page 31: How To Get Help

    Getting Help over the phone from a Nortel Solutions Center If you don’t find the information you require on the Nortel Technical Support Web site, and have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center.
  • Page 32: Getting Help From A Specialist By Using An Express Routing Code

    To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to: www.nortel.com/erc...
  • Page 33: Getting To Know Your Business Secure Router

    Intranet and efficiently manages data traffic on your network. Using the embedded WebGUI, you can easily set up and manage the Business Secure Router using an Internet browser.
  • Page 34: Features

    This section lists the key features of the Business Secure Router. Table 1 Feature specifications Feature Specification Number of static routes Number of NAT sessions 4096 Number of SUA (Single User Account) servers Number of address mapping rules Maximum number of VPN IP Policies Maximum number of VPN Tunnels (Client and/or Branch Office)
  • Page 35: Networking Compatibility

    You can connect up to four computers or phones to the Business Secure Router without the cost of a switch. Use a switch to add more than four computers or phones to your LAN.
  • Page 36: Autonegotiating 10/100 Mb/S Ethernet Lan

    Autonegotiating 10/100 Mb/s Ethernet LAN The LAN interfaces automatically detect if they are on a 10 or a 100 Mb/s Ethernet. Autosensing 10/100 Mb/s Ethernet LAN The LAN interfaces automatically adjust to either a crossover or straight through Ethernet cable.
  • Page 37: Nortel Contivity Client Termination

    Nortel Contivity Client Termination The Business Secure Router supports VPN connections from computers using Nortel Contivity VPN Client 3.0, 5.01, 5.11, 6.01, 6.02, or 7.01 software. Certificates The Business Secure Router can use certificates (also called digital IDs) to authenticate users.
  • Page 38: Brute Force Password Guessing Protection

    Brute force password guessing protection The Business Secure Router has a special protection mechanism to discourage brute force password guessing attacks on the Business Secure Router management interfaces. You can specify a wait time that must expire before you can enter a fourth password after entering three incorrect passwords.
  • Page 39: Dynamic Dns Support

    TCP/IP protocol suite. Your Business Secure Router supports SNMP agent functionality, which means that a manager station can manage and monitor the Business Secure Router through the network. The Business Secure Router supports SNMP versions 1 and 2 (SNMPv1 and SNMPv2).
  • Page 40: Network Address Translation (Nat)

    Network Address Translation (NAT) NAT (Network Address Translation — NAT, RFC 1631) translates multiple IP addresses used within one network to different IP addresses known within another network. Traffic Redirect Traffic Redirect forwards WAN traffic to a backup gateway when the Business Secure Router cannot connect to the Internet, thus acting as an auxiliary backup when your regular WAN connection fails.
  • Page 41: Logging And Tracing

    The Business Secure Router VPN is an ideal, cost effective way to connect branch offices and business partners over the Internet without the need (and expense) of leased lines between sites. The LAN computers can share the VPN tunnels for secure connections to remote computers.
  • Page 42: Hardware Setup

    Figure 1 Secure Internet Access and VPN Application Business Secure Router Hardware Setup Refer to Nortel Business Secure Router 252 — Fundamentals (NN47923-301) for hardware connection instructions. Note: To keep the Business Secure Router operating at optimal internal temperature, keep the bottom, sides, and rear clear of obstructions and away from the exhaust of other equipment.
  • Page 43 Note: Please use only No. 26 AWG (American Wire Gauge) or larger telecommunication line cord.
  • Page 45: Introducing The Webgui

    Make sure your Business Secure Router hardware is properly connected and prepare your computer and computer network to connect to the Business Secure Router. Refer to Nortel Business Secure Router 252 — Fundamentals (NN47923-301).
  • Page 46: Figure 2 Login Screen

    Launch your web browser. Type 192.168.1.1 as the URL. Type the username (“nnadmin” is the default) and the password (“PlsChgMe!” is the default) and click Login. Click Reset to clear any information you have entered in the Username and Password fields. Figure 2 Login screen A screen asking you to change your password (highly recommended) appears and is shown in...
  • Page 47: Figure 3 Change Password Screen

    Figure 3 Change password screen Click Apply in the Replace Certificate screen to create a certificate using your Business Secure Router MAC address that is specific to this device. Figure 4 Replace certificate screen
  • Page 48: Restoring The Factory-Default Configuration Settings

    Business Secure Router to the factory defaults. Uploading a configuration file through console port Download the default configuration file from the Nortel FTP site, unzip it and save it in a folder. Turn off the Business Secure Router, begin a terminal emulation software session and turn on the Business Secure Router again.
  • Page 49: Navigating The Business Secure Router Webgui

    Follow the instructions in the MAIN MENU screen or click the help icon (located in the top right corner of most screens) to view online help. Note: The help icon does not appear in the MAIN MENU screen.
  • Page 50: Figure 6 Main Menu Screen

    Figure 6 MAIN MENU Screen Click the Contact link to display the customer support contact information. Figure 7 is a sample of what displays.
  • Page 51: Figure 7 Contact Support

    Figure 7 Contact Support
  • Page 53: Wizard Setup

    The setup wizard in the WebGUI helps you configure your device to access the Internet. The second screen has three variations, depending on which encapsulation type you use. Refer to your ISP checklist in the Nortel Business Secure Router 252 — Fundamentals (NN47923-301) to know what to enter in each field.
  • Page 54: Ppp Over Ethernet

    ADSL Access Concentrator where the PPP session terminates. One PVC can support any number of PPP sessions from your LAN. For more information about PPPoE, see the PPPoE appendix in the Nortel Business Secure Router 252 Configuration — Advanced guide.
  • Page 55: Vc-Based Multiplexing

    32 to 65535 for the VCI (0 to 31 is reserved for local management of ATM traffic). Wizard setup configuration: first screen In the Site Map screen, click Wizard Setup to display the first wizard screen.
  • Page 56: Figure 8 Wizard Screen 1

    Figure 8 Wizard Screen 1 Table 2 describes the fields in Figure Table 2 Wizard Screen 1 Label Description Mode From the Mode drop-down list box, select Routing (default) if your ISP allows multiple computers to share an Internet account. Otherwise, select Bridge.
  • Page 57: Ip Address And Subnet Mask

    The Single User Account feature can be enabled or disabled if you have either a dynamic or static IP. However, the encapsulation method assigned influences your choices for IP address and ENET ENCAP gateway.
  • Page 58: Ip Assignment With Pppoa Or Pppoe Encapsulation

    IP assignment with PPPoA or PPPoE encapsulation If you have a dynamic IP, the IP Address and ENET ENCAP Gateway fields are not applicable (N/A). If you have a static IP, then you only need to fill in the IP Address field and not the ENET ENCAP Gateway field.
  • Page 59: Nailed-Up Connection (Only With Ppp)

    Wizard setup configuration: second screen The second wizard screen varies depending on which mode and encapsulation type you use. All screens shown use the routing mode. Configure the fields and click Next to continue.
  • Page 60: Figure 9 Internet Connection With Pppoa

    Figure 9 Internet connection with PPPoA Table 3 describes the fields in Figure Table 3 Internet connection with PPPoA Label Description User Name Enter the logon name your ISP gave you. Password Enter the password associated with the username above. IP Address This option is available if you select Routing in the Mode field.
  • Page 61: Figure 10 Internet Connection With Rfc 1483

    Figure Table 4 Internet connection with RFC 1483 Label Description IP Address This field is available if you select Routing in the Mode field. Type your ISP-assigned IP address in this field.
  • Page 62: Figure 11 Internet Connection With Enet Encap

    ISP-assigned IP address in the IP Address text box below. Subnet Mask Enter a subnet mask in dotted decimal notation. If you are implementing subnetting, see the IP subnetting appendix in the Nortel Business Secure Router 252 Configuration — Advanced guide.
  • Page 63: Figure 12 Internet Connection With Pppoe

    Chapter 8, “Network Address Translation (NAT) Screens,” on page 129. Back Click Back to go back to the first wizard screen. Next Click Next to continue to the next wizard screen. Figure 12 Internet connection with PPPoE
  • Page 64: Table 6 Internet Connection With Pppoe

    Table 6 describes the fields in Figure Table 6 Internet connection with PPPoE Label Description Service Name Type the name of your PPPoE service here. User Name Enter the username exactly as your ISP assigned. If assigned a name in the form user@domain, where domain identifies a service name, then enter both components exactly as given.
  • Page 65: Dhcp Setup

    Verify the settings in the following screen. To change the LAN information on the Business Secure Router, click Change LAN Configurations. Otherwise click Save Settings to save the configuration and skip to “Test your Internet connection” on page
  • Page 66: Figure 13 Wizard Screen 3

    Figure 13 Wizard Screen 3 To change your Business Secure Router LAN settings, click Change LAN Configuration to display the following screen. Note: If you change the Business Secure Router LAN IP address, you must use the new IP address to access the WebGUI again.
  • Page 67: Figure 14 Wizard: Lan Configuration

    LAN IP Address Enter the IP address of your Business Secure Router in dotted decimal notation, for example, 192.168.1.1 (factory default). LAN Subnet Mask Enter a subnet mask in dotted decimal notation. DHCP
  • Page 68 Table 7 Wizard: LAN configuration (continued) Label Description DHCP With DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) individual clients (workstations) can obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave this field set to Server.
  • Page 69: Wizard Setup Configuration: Connection Tests

    Figure 15 Wizard Screen 4 Test your Internet connection Launch your Web browser and navigate to www.nortel.com. Internet access is just the beginning. For more detailed information on the complete range of features for the Business Secure Router, see the rest of this guide. If you cannot access the Internet, open the WebGUI again to confirm that the Internet settings you configured in the Wizard Setup are correct.
  • Page 71: User Notes

    BCM50 is changed, the following command must be used to enable the router to assign the first address to a different BCM50: ip dhcp enif0 server m50mac clear Login Requires Reboot
  • Page 72: Firewall

    If the Administrator Timeout is set to 0, and an administration session is terminated without logging off, the router needs to be rebooted in order for the administrator to log in to the WebGUI again. Alternatively, the administrator can log in using a Telnet session, if Telnet access has been enabled in the Remote Management menu.
  • Page 73: Vpn Client Termination

    If a VPN Client user account is de-activated, deleted, or changed, and that user is currently connected, the connection is not automatically dropped. To drop the connection, the administrator needs to disconnect the user using the 'Disconnect' function in the VPN/SA Monitor GUI. This is consistent with other Nortel Contivity products. User Name Restrictions User names are limited to a maximum length of 63 characters.
  • Page 74: Security

    VPN Clients can have dynamically assigned IP addresses, or they can have statically assigned addresses. However, the router does not support both modes at once. All addresses must either be dynamically assigned, or they must all be statically assigned.
  • Page 75: Advanced Router Configuration

    Enter the IP Address assigned to the router WAN port. This should be a static address, or a dynamic DNS name, and the IP address of the remote router. d Select the encryption and authentication algorithms.
  • Page 76: Adding Ip Telephony To A Multi-Site Network

    Add an IP policy, by specifying the IP address ranges of the local and remote hosts that will use the tunnel. Repeat these steps at the other end of the branch. Note: If VPN Client Termination is used on these sites, the client termination address range will need to be included in the tunnel policies in order for the VPN clients to see the other site.
  • Page 77: Configuring The Router To Act As A Nortel Vpn Server (Client Termination)

    2 <Remote_BCM50_IP_Address> 7000 1 Create a tunnel between the sites, as described above. Create an H.323 trunk between the BCM50s, as per the BCM50 User Guide. Configuring the router to act as a Nortel VPN Server (Client Termination) Under VPN / Client Termination, Enable Client Termination.
  • Page 78: Setting Up The Router For Guest Access

    One named BCM_HTTPS, with port number 443, and the IP address of the BCM50 One named BCM_EM, with the port number 5989, and the IP address of the BCM50 Note: In DHCP Server mode, the BCM50 IP address will be the lowest address in the pool.
  • Page 79: Preventing Heavy Data Traffic From Impacting Telephone Calls

    (Contivity Client, Active, Keep Alive). Fill in the IP address of the Contivity Client Server, and the name and password of the telephone set user account. Under VPN / Global Setting, enable Exclusive Mode, and fill in the MAC address of the telephone set.
  • Page 80: Inter-Operability With Third-Party Routers

    Under Bandwidth Management, set up both WAN and LAN bandwidth management to reserve 110 kbps of bandwidth for UDP traffic (protocol ID 17). Provision the IP set with the corporate call server address. On the PC, install Contivity Client Software, and configure it with the PC user account information.
  • Page 81: System Screens

    DNS server, you must identify that DNS server. You cannot use DNS servers on the LAN or from the ISP because these DNS servers cannot resolve domain names to private IP addresses on the remote private network.
  • Page 82: Configuring General Setup

    Figure 16 depicts an example where three VPN tunnels are created from Business Secure Router A; one to branch office 2, one to branch office 3, and another to headquarters (HQ). In order to access computers that use private domain names on the HQ network, the Business Secure Router at branch office 1 uses the Intranet DNS server in headquarters.
  • Page 83: Figure 17 System General Setup

    Label Description System Name Choose a descriptive name for identification purposes. Nortel recommends that you enter your computer name in this field. This name can be up to 30 alphanumeric characters long. Spaces, dashes (-) and underscores (_) are accepted.
  • Page 84 Table 8 System general setup Label Description System DNS Servers (if applicable) DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.
  • Page 85: Dynamic Dns

    Note: If you have a private WAN IP address, you cannot use Dynamic DNS. To change the DDNS settings, click SYSTEM, then the DDNS tab. The screen illustrated in Figure 18 appears.
  • Page 86: Figure 18 Ddns

    Figure 18 DDNS Table 9 describes the fields in Figure Table 9 DDNS Label Description Active Select this check box to use dynamic DNS. Service Provider Select the name of your Dynamic DNS service provider. DDNS Type Select the type of service that you are registered for from your Dynamic DNS service provider.
  • Page 87: Configuring Password

    To change the password of your Business Secure Router (recommended), click SYSTEM, then the Password tab. The screen illustrated in Figure 19 appears. In this screen, you can change the password of the Business Secure Router.
  • Page 88: Figure 19 Password

    Figure 19 Password Table 10 describes the fields in Figure Table 10 Password Label Description Administrator Setting The administrator can access and configure all of the Business Secure Router's features. Old Password Type your existing system administrator password (“PlsChgMe!” is the default password).
  • Page 89: Predefined Ntp Time Server List

    The Business Secure Router can use this predefined list of time servers regardless of the Time Protocol you select.
  • Page 90: Configuring Time And Date

    When the Business Secure Router uses the predefined list of NTP time servers, it randomly selects one server and tries to synchronize with it. If the synchronization fails, then the Business Secure Router goes through the rest of the list in order from the first one tried until either it is successful or all the predefined NTP time servers have been tried.
  • Page 91: Figure 20 Time And Date

    Figure 20 Time and Date
  • Page 92: Table 12 Time And Date

    Table 12 describes the fields in Figure Table 12 Time and Date Label Description Current Time and Date Current Time This field displays the time on your Business Secure Router. Each time you reload this page, the Business Secure Router synchronizes the time with the time server.
  • Page 93 GMT or UTC (GMT+1). Apply Click Apply to save your changes to the Business Secure Router. Reset Click Reset to begin configuring this screen afresh.
  • Page 94: Alg

    With Application Layer Gateway (ALG), an application can pass through NAT and the firewall. You must also configure NAT and firewall rules depending upon the type of access you want to allow. Note: You must enable the FTP, H.323 or SIP ALG in order to use bandwidth management on that application.
  • Page 95: Table 13 Alg

    ALG with a SIP device that is using STUN (Simple Traversal of User Datagram Protocol (UDP) through NAT). Apply Click Apply to save your changes to the Business Secure Router. Reset Click Reset to begin configuring this screen afresh.
  • Page 97: Lan Screens

    The Business Secure Router is preconfigured with a pool of IP addresses for the DHCP clients (DHCP Pool). Do not assign static IP addresses from the DHCP pool to your LAN computers.
  • Page 98: Dns Servers

    DNS servers Use the LAN IP screen to configure the DNS server information that the Business Secure Router sends to the DHCP client devices on the LAN. LAN TCP/IP The Business Secure Router has built in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.
  • Page 99: Multicast

    Secure Router periodically updates this information. IP multicasting can be enabled or disabled on the Business Secure Router LAN, WAN or both interfaces in the WebGUI (LAN; WAN). Select None to disable IP multicasting on these interfaces.
  • Page 100: Configuring Ip

    Configuring IP Click LAN to open the IP screen. Figure 22 LAN IP
  • Page 101: Table 14 Lan Ip

    DHCP Server check box, DHCP service is disabled and you must have another DHCP server on your LAN, or else the computers must have their DNS server addresses manually configured.
  • Page 102 Table 14 LAN IP Label Description First DNS Server, Second DNS Server Select From ISP if your ISP dynamically assigns DNS server information (and the Business Secure Router's WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns.
  • Page 103: Configuring Static Dhcp

    MAC Addresses. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
  • Page 104: Figure 23 Static Dhcp

    To change the static DHCP settings, click LAN, then the Static DHCP tab. The screen appears as shown in Figure Figure 23 Static DHCP Table 15 describes the fields in Figure Table 15 Static DHCP Label Description This is the index number of the Static IP table entry (row).
  • Page 105: Configuring Ip Alias

    Note: Make sure that the subnets of the logical networks do not overlap. To change the IP Alias settings of your Business Secure Router, click LAN, then the IP Alias tab. The screen appears as shown in Figure Figure 24 IP Alias
  • Page 106: Table 16 Ip Alias

    Table 16 describes the fields in Figure Table 16 IP Alias Label Description IP Alias 1,2 Select the check box to configure another LAN network for the Business Secure Router. IP Address Enter the IP address of your Business Secure Router in dotted decimal notation.
  • Page 107: Wan Screens

    If the WAN port route fails to connect to the Internet, the Business Secure Router tries the traffic redirect route next. In the same manner, the Business Secure Router uses the dial backup route if the traffic redirect route also fails.
  • Page 108: Configuring Route

    The dial backup or traffic redirect routes cannot take priority over the WAN routes. Configuring Route Click WAN to open the Route screen. Figure 25 WAN: Route
  • Page 109: Pppoe Encapsulation

    IP services for individuals. Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific configuration of the broadband modem at the customer site.
  • Page 110: Configuring Wan Isp

    By implementing PPPoE directly on the Business Secure Router (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the Business Secure Router does that part of the task. Furthermore, with NAT, all of the LAN computers will have access.
  • Page 111: Figure 26 Wan: Wan Isp

    Figure 26 WAN: WAN ISP
  • Page 112: Table 18 Wan: Wan Isp

    Table 18 describes the fields in Figure Table 18 WAN: WAN ISP Label Description Name Enter the name of your Internet Service Provider, for example, MyISP. This information is for identification purposes only. Mode Select Routing (default) from the drop-down list box if your ISP allows multiple computers to share an Internet account.
  • Page 113: Configuring Wan Ip

    If your ISP did not assign you a fixed IP address, click Get automatically from ISP (Default); otherwise click Use fixed IP Address and enter the IP address in the field My WAN IP Address.
  • Page 114: Figure 27 Wan: Ip

    Figure 27 WAN: IP
  • Page 115: Table 19 Wan: Ip

    RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast. If No, the route to this remote node is propagated to other hosts through RIP broadcasts.
  • Page 116: Chapter 21

    Table 19 WAN: IP Label Description RIP Direction With RIP (Routing Information Protocol), a router can exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only. When set to Both or Out Only, the Business Secure Router broadcasts its routing table periodically.
  • Page 117: Traffic Redirect

    WAN so that the Business Secure Router still provides firewall protection. This feature is not available on all models.
    Figure 28 Traffic Redirect WAN Setup
  • Page 118: Configuring Traffic Redirect

    The network topology illustrated in Figure 29 avoids triangle route security issues when the backup gateway is connected to the LAN. Use IP alias to configure the LAN into two or three logical networks with the Business Secure Router itself as the gateway for each LAN network.
  • Page 119: Configuring Dial Backup

    Reset: Click Reset to begin configuring this screen afresh.
    Configuring Dial Backup
    To change the dial backup settings, click WAN, then the Dial Backup tab. The screen appears as shown in Figure...
  • Page 120: Figure 31 Dial Backup Setup

    Figure 31 Dial Backup Setup
  • Page 121: Table 21 Dial Backup Setup

    WAN, Traffic Redirect, Dial Backup.
    Get IP Address Automatically from Remote Server: Select this check box if your ISP will automatically assign you an IP address (dynamic IP address).
  • Page 122 Table 21 Dial Backup Setup
    Label: Description
    Used Fixed IP Address: Select this check box if your ISP assigned you a fixed IP address and then enter the IP address in the following field.
    My WAN IP Address: Leave the field set to 0.0.0.0 (default) to have the ISP or other remote router dynamically (automatically) assign your WAN IP address, if you do not know it.
  • Page 123 (it is the same as selecting Always On).
    Call Schedule Sets: Specify call schedule sets to use on the dial backup connection. The call schedule sets must already be configured (see Chapter 21, “Call scheduling screens,” on page 387).
  • Page 124: Advanced Modem Setup

    Table 21 Dial Backup Setup
    Label: Description
    Apply: Click Apply to save your changes to the Business Secure Router.
    Reset: Click Reset to begin configuring this screen afresh.
    Advanced Modem Setup
    AT Command Strings
    For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing.
  • Page 125: Configuring Advanced Modem Setup

    Click the Edit button in the Dial Backup screen to display the Advanced Setup screen shown in Figure
    Note: Consult the manual of your WAN device connected to your dial backup port for specific AT commands.
    Figure 32 Advanced Setup
  • Page 126: Table 22 Advanced Setup

    Table 22 describes the fields in Figure
    Table 22 Advanced Setup
    Label: Description (Example)
    AT Command Strings
    Dial: Type the AT Command string to make a call. (Example: atdt)
    Drop: Type the AT Command string to drop a call. ~ represents a one-second wait. (Example: ~~+++~~ath)
  • Page 127 Table 22 Advanced Setup
    Label: Description (Example)
    Apply: Click Apply to save your changes to the Business Secure Router.
    Reset: Click Reset to begin configuring this screen afresh.
  • Page 128
  • Page 129: Network Address Translation (Nat) Screens

    For example, the local address refers to the IP address of a host when the packet is in the local network, while the global address refers to the IP address of the host when the same packet is traveling in the WAN side.
  • Page 130: What Nat Does

    Note that inside/outside refers to the location of a host, while global/local refers to the IP address of a host used in a packet. Thus, an inside local address (ILA) is the IP address of an inside host in a packet when the packet is still in the local network, while an inside global address (IGA) is the IP address of the same inside host when the packet is on the WAN side.
  • Page 131: How Nat Works

    IP address and port. A host on the Internet can only send a packet to the private IP address and port if the private IP address and port has previously sent a packet to the IP address and port of that host.
  • Page 132: Nat Application

    Figure 34, B can send packets, with source IP address e.f.g.h and port 20202 to A because A previously sent a packet to IP address e.f.g.h and port 20202. B cannot send packets, with source IP address e.f.g.h and port 10101 to A because A has not sent a packet to IP address e.f.g.h and port 10101.
  • Page 133: Nat Mapping Types

    Server: With this type you can specify inside servers of different services behind the NAT to be accessible to the outside world. Port numbers do not change for One-to-One and Many-One-to-One NAT mapping types.
  • Page 134: Using Nat

    Table 24 summarizes these types.
    Table 24 NAT mapping type
    Type: IP Mapping (SMT Abbreviations)
    One-to-One: ILA1 IGA1
    Many-to-One (SUA/PAT): ILA1 IGA1; ILA2 IGA1; …
    Many-to-Many Overload: ILA1 IGA1; ILA2 IGA2; ILA3 IGA1... (M-M Ov)
  • Page 135: Sua Server

    Note: If you do not assign a Default Server IP Address, the Business Secure Router discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 136: Port Forwarding: Services And Port Numbers

    Port forwarding: Services and Port Numbers
    The most often used port numbers are shown in Table 25. Refer to Assigned Numbers (RFC 1700) for further information about port numbers.
    Table 25 Services and port numbers
    Services: Port Number
    ECHO...
  • Page 137: Configuring Sua Server

    Click SUA/NAT to open the SUA Server screen. Refer to Chapter 10, “Firewalls,” on page 153 and Chapter 11, “Firewall screens,” on page 169 for port numbers commonly used for particular services.
  • Page 138: Figure 37 Sua/Nat Setup

    Figure 37 SUA/NAT setup
    Table 26 describes the fields in Figure
    Table 26 SUA/NAT setup
    Label: Description
    Default Server: In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen.
  • Page 139: Configuring Address Mapping

    4, rules 5 to 7 are pushed up by 1 rule, so old rules 5, 6, and 7 become new rules 4, 5, and 6. To change the NAT address mapping settings, click SUA/NAT, then the Address Mapping tab. The screen appears as shown in Figure...
  • Page 140: Figure 38 Address Mapping

    Figure 38 Address Mapping
    Table 27 describes the fields in Figure
    Table 27 Address Mapping
    Label: Description
    Local Start IP: This refers to the Inside Local Address (ILA), that is the starting local IP address.
  • Page 141 Click Insert to insert a new mapping rule before an existing one.
    Configuring Address Mapping
    To edit an Address Mapping rule, click the Edit button to display the screen shown in Figure...
  • Page 142: Figure 39 Address Mapping Edit

    Figure 39 Address Mapping edit
    Table 28 describes the fields in Figure
    Table 28 Address Mapping edit
    Label: Description
    Type: Choose the port mapping type from one of the following.
    1. One-to-One: One-to-one mode maps one local IP address to one global IP address.
  • Page 143: Trigger Port Forwarding

    IP address each time you want a different LAN computer to use the application.
    Trigger Port Forwarding example
    Figure 40 illustrates an example of trigger port forwarding.
  • Page 144: Two Points To Remember About Trigger Ports

    Figure 40 Trigger Port Forwarding process: example
    Jane (A) requests a file from the Real Audio server (port 7070). Port 7070 is a trigger port and causes the Business Secure Router to record Jane’s computer IP address.
  • Page 145: Configuring Trigger Port Forwarding

    To change trigger port settings of your Business Secure Router, click SUA/NAT and the Trigger Port tab. The screen appears as shown in Figure
    Note: Only one LAN computer can use a trigger port (range) at a time.
    Figure 41 Trigger Port
  • Page 146: Table 29 Trigger Port

    Table 29 describes the fields in Figure
    Table 29 Trigger Port
    Label: Description
    This is the rule index number (read-only).
    Name: Type a unique name (up to 15 characters) for identification purposes. All characters are permitted, including spaces.
  • Page 147: Static Route Screens

    N3 because it does not know that there is a route through the same remote node Router 1 (through gateway Router 2). The static routes are for you to tell the Business Secure Router about the networks beyond the remote nodes.
  • Page 148: Configuring Ip Static Route

    Figure 42 Example of Static Routing topology
    Configuring IP Static Route
    Click STATIC ROUTE to open the Route Entry screen.
    Note: The first static route entry is for the default WAN route. You cannot modify or delete this static default route.
  • Page 149: Figure 43 Static Route Screen

    LAN or WAN port. The gateway helps forward packets to their destinations.
    Edit: Click a static route index number and then click Edit to set up a static route on the Business Secure Router.
  • Page 150: Configuring Route Entry

    Configuring Route entry
    Select a static route index number and click Edit. The screen is illustrated in Figure 44. Fill in the required information for each static route.
    Figure 44 Edit IP Static Route
    Table 31 describes the fields in Figure...
  • Page 151 RIP broadcasts. Clear this check box to propagate this route to other hosts through RIP broadcasts.
    Apply: Click Apply to save your changes to the Business Secure Router.
    Reset: Click Reset to begin configuring this screen afresh.
  • Page 152
  • Page 153: Firewalls

    In addition, specific policies must be implemented within the firewall itself.
    Types of firewalls
    There are three main types of firewalls:
    • Packet Filtering firewalls
    • Application level firewalls
    • Stateful Inspection firewalls
  • Page 154: Packet Filtering Firewalls

    Packet filtering firewalls
    Packet filtering firewalls restrict access based on the source or destination computer network address of a packet and the type of application.
    Application level firewalls
    Application level firewalls restrict access by serving as proxies for external servers.
  • Page 155: Introduction To The Business Secure Router Firewall

    These computers have access to Internet services such as e-mail, FTP, and the World Wide Web. However, inbound access is not allowed unless the remote host is authorized to use a specific service.
  • Page 156: Denial Of Service

    Figure 45 Business Secure Router firewall application
    Denial of Service
    Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
  • Page 157: Types Of Dos Attacks

    400 of the original (non fragmented) IP packet.” The Teardrop program creates a series of IP fragments with overlapping offset fields. After these fragments are reassembled at the destination, some systems crash, hang, or reboot.
  • Page 158: Figure 46 Three-Way Handshake

    Weaknesses in the TCP/IP specification leave it open to SYN Flood and LAND attacks. These attacks are executed during the handshake that initiates a communication session between two applications.
    Figure 46 Three-way handshake
    Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server.
  • Page 159: Figure 47 Syn Flood

    IP address, known as the victim network. This flood of broadcast traffic consumes all available bandwidth, making communications impossible.
  • Page 160: Figure 48 Smurf Attack

    Figure 48 Smurf attack
    • ICMP vulnerability
    ICMP is an error reporting protocol that works in concert with IP. The following ICMP types trigger an alert:
    Table 33 ICMP commands that trigger alerts
    REDIRECT, TIMESTAMP_REQUEST, TIMESTAMP_REPLY, ADDRESS_MASK_REQUEST, ADDRESS_MASK_REPLY
    •...
  • Page 161: Stateful Inspection

    Internet. By default, the Business Secure Router stateful inspection allows all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet. In summary, stateful inspection:
  • Page 162: Stateful Inspection Process

    • Allows all sessions originating from the LAN (local network) to the WAN (Internet).
    • Denies all sessions originating from the WAN to the LAN.
    Figure 49 Stateful inspection
    Figure 49 shows the Business Secure Router default firewall rules in action, and demonstrates how stateful inspection works.
  • Page 163: Stateful Inspection And The Business Secure Router

    • Allow certain types of traffic from the Internet to specific hosts on the LAN.
    • Allow access to a Web server to everyone but competitors.
    • Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
  • Page 164: Tcp Security

    These custom rules work by evaluating the network traffic source IP address, destination IP address, IP protocol type, and comparing these to rules set by the administrator.
    Note: The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet.
  • Page 165: Udp/Icmp Security

    This can be done safely, since the PORT command contains address and port information, which can be used to uniquely identify the connection.
  • Page 166: Guidelines For Enhancing Security With Your Firewall

    Any protocol that operates in this way must be supported on a case-by-case basis. You can use the Custom Ports feature in the WebGUI to do this.
    Guidelines for enhancing security with your firewall
    Change the default password through SMT or WebGUI. Think about access control before you connect your device to the network in any way.
  • Page 167: When To Use Filtering

    To selectively block or allow inbound or outbound traffic between inside host or networks and outside host or networks. Remember that filters cannot...
  • Page 168 distinguish traffic originating from an inside host or an outside host by IP address. The firewall performs better than filtering if you need to check many rules. Use the firewall if you need routine e-mail reports about your system or need to be alerted when attacks occur.
  • Page 169: Firewall Screens

    Access methods
    The WebGUI is, by far, the most comprehensive firewall configuration tool your Business Secure Router has to offer. For this reason, Nortel recommends that you configure your firewall using the WebGUI. With SMT screens, you can activate the firewall. CLI commands provide limited configuration options and are only recommended for advanced users, refer to Nortel Business Secure Router 252 Configuration —...
  • Page 170 By default, the Business Secure Router stateful packet inspection blocks packets traveling in the following directions:
    • WAN to LAN
    • WAN to WAN/Business Secure Router
    This prevents computers on the WAN from using the Business Secure Router as a gateway to communicate with other computers on the WAN, or to manage the Business Secure Router, or both.
  • Page 171: Rule Logic Overview

    For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users can connect to computers with running FTP servers. Does this rule conflict with any existing rules?
  • Page 172: Key Fields For Configuring Rules

    Once these questions have been answered, adding rules is simply a matter of plugging the information into the correct fields in the WebGUI screens.
    Key fields for configuring rules
    Action: Set the action to either Block or Forward.
    Note: Block means the firewall silently discards the packet.
  • Page 173: Lan To Wan Rules

    The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you want to allow certain WAN users to have access to your LAN, you need to create custom rules to allow it.
  • Page 174: Configuring Firewall

    Figure 51 WAN to LAN traffic
    Configuring firewall
    Click FIREWALL to open the Summary screen. Enable (or activate) the firewall by selecting the Enable Firewall check box as seen in Figure
    The Business Secure Router applies the firewall rules in order, starting from the first rule for the direction of travel of a packet.
  • Page 175 A better solution is to use IP alias to put the Business Secure Router and the backup gateway on separate subnets. See the Appendix B “Triangle Route” of Nortel Business Secure Router 252 Configuration — Advanced (NN47923-501) for more about triangle route topology.
  • Page 176: Figure 52 Enabling The Firewall

    Figure 52 Enabling the firewall
    Table 36 describes the fields in Figure
    Table 36 Firewall rules summary: First screen
    Label: Description
    Enable Firewall: Select this check box to activate the firewall. The Business Secure Router performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
  • Page 177 (Match), don't match the rule (Not Match), both (Both), or no log is created (None).
    Alert: This field tells you whether this rule generates an alert (Yes) or not (No) when the rule is matched.
  • Page 178: Configuring Firewall Rules

    Table 36 Firewall rules summary: First screen
    Label: Description
    Insert: Type the index number for where you want to put a rule. For example, if you type “6”, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
  • Page 179: Figure 53 Creating And Editing A Firewall Rule

    Secure Router to use the rule after you apply it.
    Packet Direction: Use the drop-down list to select the direction of packet travel to which you want to apply this firewall rule.
  • Page 180 Table 37 Creating and editing a firewall rule
    Label: Description
    Source Address: Click SrcAdd to add a new address, SrcEdit to edit an existing one or SrcDelete to delete one. The source address can be a particular (single) IP, a range of IP addresses (for example, 192.168.1.10 to 192.169.1.50), a subnet or any IP address.
  • Page 181: Configuring Source And Destination Addresses

    Enter the subnet mask here, if applicable.
    Apply: Click Apply to save your changes to the Business Secure Router and exit this screen.
    Cancel: Click Cancel to exit this screen without saving.
  • Page 182: Configuring Custom Ports

    Configuring custom ports
    You can also configure customized ports for services not predefined by the Business Secure Router (see “Predefined services” on page 186 for a list of predefined services). For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) Web site.
  • Page 183: Example Firewall Rule

    Click Insert to display the firewall rule configuration screen.
    Figure 56 Firewall edit rule screen example
    Select WAN to LAN as the Packet Direction. Select Any in the Destination Address box and then click DestEdit.
  • Page 184: Figure 57 Firewall Rule Edit Ip Example

    Configure the Firewall Rule Edit IP screen as follows and click Apply.
    Figure 57 Firewall rule edit IP example
    In the firewall rule configuration screen, click Add under Custom Port to open the Edit Custom Port screen. Configure it as shown in Figure 58 and click Apply.
  • Page 185: Figure 59 Myservice Rule Configuration Example

    Allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN. Remember to click Apply after you finish configuring your rules to save your settings to the Business Secure Router.
  • Page 186: Predefined Services

    Figure 60 My Service example rule summary
    Predefined services
    The Available Services list box in the Edit Rule screen (see Figure 53) displays all predefined services that the Business Secure Router already supports. Next to the name of the service, two fields appear in brackets.
  • Page 187: Table 40 Predefined Services

    This is another popular Internet chat program.
    MSN Messenger(TCP:1863): Microsoft Networks’ messenger service uses this protocol.
    MULTICAST(IGMP:0): Internet Group Multicast Protocol is used when sending packets to a specific group of hosts.
  • Page 188 Table 40 Predefined services
    Service: Description
    NEW-ICQ(TCP:5190): An Internet chat program.
    NEWS(TCP:144): A protocol for news groups.
    NFS(UDP:2049): Network File System (NFS) is a client/server distributed file service that provides transparent file sharing for network environments.
    NNTP(TCP:119): Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service.
  • Page 189: Alerts

    Rule Edit screen (see Figure
    Configure the Log Settings screen to have the Business Secure Router send an immediate e-mail message to you when an event generates an alert.
  • Page 190: Configuring Attack Alert

    Configuring attack alert
    Attack alerts are the first defense against DoS attacks. In the Attack Alert screen (Figure 61) you can choose to generate an alert whenever an attack is detected. For DoS attacks, the Business Secure Router uses thresholds to determine when to drop sessions that do not become fully established.
  • Page 191: Tcp Maximum Incomplete And Blocking Period

    The Business Secure Router continues to block all new connection requests until the Blocking Period expires.
  • Page 192: Figure 61 Attack Alert

    The Business Secure Router also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections. Click the Attack Alert tab to bring up the screen shown in Figure
    Figure 61 Attack alert...
  • Page 193 (min) Enter the length of Blocking Period in minutes.
    Apply: Click Apply to save your changes to the Business Secure Router.
    Reset: Click Reset to begin configuring this screen afresh.
  • Page 194
  • Page 195: Chapter 12 Content Filtering

    Java applets, and cookies and disable web proxies.
    Days and Times
    With the Business Secure Router, you can also define time periods and days during which the Business Secure Router performs content filtering.
  • Page 196: Configure Content Filtering

    Configure Content Filtering
    Click Content Filter on the navigation panel to open the screen shown in Figure
    Figure 62 Content filter
  • Page 197: Table 42 Content Filter

    Select check boxes for the days that you want the Business Secure Router to perform content filtering. Select the Everyday check box to have content filtering turned on all days of the week.
  • Page 198 Table 42 Content filter
    Label: Description
    Time of Day to Block: Time of Day to Block allows the administrator to define during which time periods content filtering is enabled. Time of Day to Block restrictions only apply to the keywords (see above). Restrict web server data, such as ActiveX, Java, Cookies and Web Proxy are not affected.
  • Page 199: Vpn

    IP layer.
    Business Secure Router VPN functions
    You can use the Business Secure Router as either:
    • A Contivity Client (for an encrypted connection to a single VPN router).
  • Page 200: Vpn Screens Overview

    As a VPN router that can have encrypted connections to multiple remote VPN routers. With this role, it can also serve as a termination point for encrypted connections from computers using Nortel Contivity VPN Client 3.0, 5.01, 5.11, 6.01, 6.02, or 7.01 software.
  • Page 201: Other Terminology

    Decryption is the opposite of encryption; it is a mathematical operation that transforms “ciphertext” to plaintext. Decryption also requires a key.
    Figure 63 Encryption and decryption
  • Page 202: Data Confidentiality

    Data confidentiality
    The IPSec sender can encrypt packets before transmitting them across a network.
    Data integrity
    The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data is not altered during transmission.
    Data origin authentication
    The IPSec receiver can verify the source of IPSec packets.
  • Page 203: Ipsec Algorithms

    (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard), AES (Advanced Encryption Standard), and Triple DES algorithms.
  • Page 204: Ah (Authentication Header) Protocol

    The Authentication Algorithms, HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404), provide an authentication mechanism for the AH and ESP protocols. The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN. An SA is built from the authentication provided by the AH and ESP protocols.
  • Page 205: Key Management

    Select MD5 for minimal security and SHA-1 for maximum security.
    Key management
    Your Business Secure Router uses IKE (ISAKMP) key management in order to set up a VPN.
  • Page 206: Encapsulation

    Encapsulation
    The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode.
    Figure 65 Transport and Tunnel mode IPSec encapsulation
    Transport mode
    Transport mode is used to protect upper layer protocols and only affects the data in the IP packet.
  • Page 207: Tunnel Mode

    The VPN device at the receiving end does not know about the NAT in the middle, so it assumes that the data was maliciously altered.
  • Page 208: Secure Gateway Address

    IPSec using ESP in Tunnel mode encapsulates the entire original packet (including headers) in a new IP packet. The new IP packet's source address is the outbound address of the sending Business Secure Router, and its destination address is the inbound address of the VPN device at the receiving end.
  • Page 209: Dynamic Secure Gateway Address

    (tunnels). Edit or create an IPSec rule by selecting an index number and then clicking Edit to configure the associated submenus. The firewall allows traffic to go through your VPN tunnels.
  • Page 210: Figure 67 Summary

    Figure 67 Summary
  • Page 211: Table 47 Summary

    This is the static WAN IP address or URL of the remote IPSec router. This field displays 0.0.0.0 when you configure the Secure Gateway Address field in the VPN Branch Office screen to 0.0.0.0.
  • Page 212: Keep Alive

    Table 47 Summary
    Label: Description
    Edit: Click the radio button next to a VPN index number and then click Edit to edit a specific VPN policy.
    Delete: Click the radio button next to a VPN policy number you want to delete and then click Delete.
  • Page 213: Nat Traversal

    VPN. The NAT router changes the header of the IPSec packet so it does not match the header for which IPSec router B is checking. Therefore, IPSec router B does not respond and the VPN connection cannot be built.
  • Page 214: Nat Traversal Configuration

    NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP port 500 header unchanged. IPSec router B checks the UDP port 500 header and responds. IPSec routers A and B build a VPN connection.
  • Page 215: Figure 69 Vpn Contivity Client Rule Setup

    The remote IPSec router must also have keep alive enabled in order for this feature to work.
    Description: Enter a brief description about this rule for identification purposes.
  • Page 216: Configuring Advanced Setup

    Table 48 VPN Contivity Client rule setup
    Label: Description
    Destination: This field specifies the IP address or the domain name (up to 31 case-sensitive characters) of the remote IPSec router. You can use alphanumeric characters, the underscore, dash, period and the @ symbol in a domain name.
  • Page 217: Figure 70 Vpn Contivity Client Advanced Rule Setup

    When On Demand Client Tunnel is not enabled, you need to go to the VPN Summary screen and click the Connect button to create a VPN connection to the remote IPSec router.
  • Page 218: Id Type And Content

    Table 49 VPN Contivity Client advanced rule setup. Apply: Click Apply to temporarily save the settings and return to the VPN - Contivity Client screen. The Group Authentication settings are saved to the Business Secure Router if you click Apply in the VPN - Contivity Client screen.
  • Page 219: Id Type And Content Examples

    IPSec router or what you configure in the Secure Gateway Address field below. ID type and content examples: Two IPSec routers must have matching ID type and content configuration in order to set up a VPN tunnel.
  • Page 220: My Ip Address

    The two Business Secure Routers shown in Table 52 can complete negotiation and establish a VPN tunnel. Table 52 Matching ID type and content configuration example. Business Secure Router A: Local ID type: E-mail; Local ID content: tom@yourcompany.com. Business Secure Router B: Local ID type: IP; Local ID content: 1.1.1.2...
  • Page 221: Configuring Branch Office Vpn Rule Setup

    Configuring Branch Office VPN Rule Setup Select one of the VPN rules in the VPN Summary screen and click Edit to configure the rule. The VPN Branch Office Rule Setup screen is shown in Figure...
  • Page 222: Figure 71 Vpn Branch Office Rule Setup

    Figure 71 VPN Branch Office rule setup
  • Page 223: Table 54 Vpn Branch Office Rule Setup

    Multiple SAs connecting through an IPSec router must have the same negotiation mode. Encapsulation Mode: Select Tunnel mode or Transport mode from the drop-down list. Tunnel is compatible with NAT, Transport is not.
  • Page 224 Table 54 VPN Branch Office rule setup. Available/Selected IP Policy: The Available IP Policy table displays network routes. Use the Add, Edit and Delete buttons to configure this list. Move the network routes that you want to use the VPN tunnel down into the Selected IP Policy table.
  • Page 225 Type field is configured to Range Address in the IP Policy screen. This field displays a (static) IP address and a subnet mask when the IP policy's Local Address Type field is configured to Subnet Address in the IP Policy screen.
  • Page 226 Table 54 VPN Branch Office rule setup. Remote IP Address: This field displays the IP addresses of computers on the remote network behind the remote IPSec router. This field displays a single (static) IP address when the IP policy's Remote Address Type field is configured to Single Address in the IP Policy screen.
  • Page 227 Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail address.
  • Page 228 Table 54 VPN Branch Office rule setup. Peer Content: When you select IP in the Peer ID Type field, type the IP address of the computer with which you make the VPN connection or leave the field blank to have the Business Secure Router automatically use the address in the Secure Gateway Address field.
  • Page 229 (Authentication) and phase 2 (Key Exchange) settings for the rule. Apply: Click Apply to save your changes to the Business Secure Router. Cancel: Click Cancel to return to the VPN Summary screen without saving your changes.
  • Page 230: Configuring An Ip Policy

    Configuring an IP Policy Select one of the IP policies in the VPN Branch Office screen and click Add or Edit to configure the policy. The Branch Office – IP Policy setup screen is shown in Figure...
  • Page 231: Figure 72 Vpn Branch Office - Ip Policy

    Figure 72 VPN Branch Office — IP Policy
  • Page 232: Table 55 Vpn Branch Office - Ip Policy

    Table 55 describes the fields in Figure Table 55 VPN Branch Office — IP Policy. Protocol: Enter a number to specify what type of traffic is allowed to go through the VPN tunnel that is built using this IP policy. For example, use 1 for ICMP, 6 for TCP, 17 for UDP.
  • Page 233 VPN tunnel. When the Type field is configured to Many One-to-one, enter the beginning (static) IP address of the range of IP addresses that you want to use for the VPN tunnel.
  • Page 234 Table 55 VPN Branch Office — IP Policy. Virtual Ending IP Address: When the Type field is configured to One-to-one or Many-to-One, this field is N/A. When the Type field is configured to Many One-to-one, enter the ending (static) IP address of the range of IP addresses that you want to use for the VPN tunnel.
  • Page 235 LAN behind your Business Secure Router. When the Address Type field is configured to Subnet Address, this is a (static) IP address on the LAN behind your Business Secure Router.
  • Page 236: Port Forwarding Server

    Table 55 VPN Branch Office — IP Policy. Ending IP Address / Subnet Mask: When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address, in a range of computers on the LAN behind your Business Secure Router.
  • Page 237: Figure 73 Vpn Branch Office - Ip Policy - Port Forwarding Server

    Number of an individual port forwarding server entry. Active: Select this check box to activate the port forwarding server entry. Name: Enter a descriptive name for identifying purposes.
  • Page 238: Ike Phases

    Table 56 VPN Branch Office — IP Policy - Port Forwarding Server. Start Port: Type a port number in this field. To forward only one port, type the port number again in the End Port field.
  • Page 239: Figure 74 Two Phases To Set Up The Ipsec Sa

    Choose whether to enable Perfect Forward Secrecy (PFS) using Diffie-Hellman public-key cryptography–see “Perfect Forward Secrecy (PFS)” on page 241. Select None (the default) to disable PFS. • Choose Tunnel mode or Transport mode.
  • Page 240: Negotiation Mode

    • Set the IPSec SA lifetime. In this field, you can determine how long the IPSec SA will stay up before it times out. The Business Secure Router automatically renegotiates the IPSec SA if there is traffic when the IPSec SA lifetime period expires.
  • Page 241: Diffie-Hellman (Dh) Key Groups

    The basic IKE rule setup screen displays. In the VPN Branch Office Rule Setup screen, click the Advanced button to display the VPN Branch Office Advanced Rule Setup screen.
  • Page 242: Figure 75 Vpn Branch Office Advanced Rule Setup

    Figure 75 VPN Branch Office advanced rule setup. Table 57 describes the fields in Figure Table 57 VPN Branch Office Advanced Rule Setup. Enable Replay Detection: As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks.
  • Page 243 DH5 refers to Diffie-Hellman Group 5, a 1 536-bit random number. Phase 2: A phase 2 exchange uses the IKE SA established in phase 1 to negotiate the SA for IPSec.
  • Page 244 Table 57 VPN Branch Office Advanced Rule Setup. Multiple Proposal: Select this check box to allow the Business Secure Router to use any of its phase 2 encryption and authentication algorithms when negotiating an IPSec SA. Clear this check box to have the Business Secure Router use only the phase 2 encryption and authentication algorithms when negotiating an IPSec SA.
  • Page 245: Sa Monitor

    See the section “Keep Alive” on page 212 about keep alive to have the Business Secure Router renegotiate an IPSec SA when the SA lifetime expires, even if there is no traffic.
  • Page 246: Figure 76 Vpn Sa Monitor

    Figure 76 VPN SA Monitor. Table 58 describes the fields in Figure Table 58 VPN SA Monitor. This is the security association index number. Name: This field displays the identification name for this VPN policy. Connection Type: This field displays whether this is a connection to another IPSec router or to a Contivity VPN client.
  • Page 247: Global Settings

    Exclusive Use Mode for Client Tunnel: Select this check box to permit only the computer with the MAC address that you specify to set up a VPN connection to the remote IPSec router.
  • Page 248: Vpn Client Termination

    VPN Client Termination Use these screens to configure the Business Secure Router for VPN connections from computers using Nortel Contivity VPN Client software. In the WebGUI, click VPN on the navigation panel and the Client Termination tab to open the...
  • Page 249: Figure 78 Vpn Client Termination

    Figure 78 VPN Client Termination
  • Page 250: Table 60 Vpn Client Termination

    Table 60 describes the fields in Figure Table 60 VPN Client Termination. Enable Client Termination: Turn on the client termination feature if you want the Business Secure Router to support VPN connections from computers using Contivity VPN Client software.
  • Page 251 Diffie-Hellman Group 5 uses a 1 536-bit random number. Assignment of Client Select Use Static Addresses if the Contivity VPN clients are using static IP addresses. You must specify these in the remote user profiles.
  • Page 252: Vpn Client Termination Ip Pool Summary

    Table 60 VPN Client Termination. IP Address Pool: Have the Business Secure Router assign IP addresses to the Contivity VPN clients from a pool of IP addresses that you define. Select the pool to use. Click Configure IP Address Pool to define the ranges of IP addresses that you can select from.
  • Page 253: Figure 79 Vpn Client Termination Ip Pool Summary

    Click the radio button next to an IP address pool entry and click Edit to open the screen where you can configure the entry. Delete: Click the radio button next to an IP address pool entry and click Delete to remove it.
  • Page 254: Vpn Client Termination Ip Pool Edit

    VPN Client Termination IP pool edit In the WebGUI, click VPN on the navigation panel and the Client Termination tab to open the VPN Client Termination screen. Then click the Configure IP Address Pool link to open the VPN Client Termination IP Pool Summary screen.
  • Page 255: Vpn Client Termination Advanced

    VPN Client Termination screen. Then click the Advanced button to open the following screen. Use this screen to configure detailed settings for use with all of the Contivity VPN Client tunnels.
  • Page 256: Figure 81 Vpn Client Termination Advanced

    Figure 81 VPN Client Termination advanced
  • Page 257: Table 63 Vpn Client Termination Advanced

    This is how many times the VPN Contivity client can resend the keep-alive packet to the Business Secure Router to check the connection before attempting to use the first fail-over gateway.
  • Page 258 Table 63 VPN Client Termination advanced. Accept ISAKMP Initial Contact Payload: The Business Secure Router can accept the INITIAL-CONTACT status messages to inform it that the Contivity VPN client is establishing a first SA. The Business Secure Router then deletes the existing SAs because it assumes that the sending Contivity VPN client has restarted and no longer has access to any of the existing SAs.
  • Page 259 Enter the minimum number of characters that can be used for a Length Contivity VPN client password. Apply: Click Apply to save your changes to the Business Secure Router. Reset: Click Reset to begin configuring this screen afresh.
  • Page 260
  • Page 261: Certificates

    Jenny receives the message and uses Tim’s public key to decrypt it. Additionally, Jenny uses her own private key to encrypt a message and Tim uses Jenny’s public key to decrypt the message.
  • Page 262: Advantages Of Certificates

    262 Chapter 14 Certificates The Business Secure Router uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that is sent after establishing a connection. The method used to secure the data that is sent through an established connection depends on the type of connection.
  • Page 263: Configuration Summary

    Click CERTIFICATES, My Certificates to open a summary list of certificates and certification requests stored on the Business Secure Router. Certificates display in black and certification requests display in gray, as shown in Figure...
  • Page 264: Figure 83 My Certificates

    Figure 83 My Certificates
  • Page 265: Table 64 My Certificates

    This field displays the certificate index number. The certificates are listed in alphabetical order. Name: This field displays the name used to identify this certificate. Nortel recommends that you give each certificate a unique name. Type: This field displays what kind of certificate this is.
  • Page 266: Certificate File Formats

    Table 64 My Certificates. Modify: Click the details icon to open a screen with an in-depth list of information about the certificate. Click the delete icon to remove the certificate. A window displays, asking you to confirm that you want to delete the certificate. You cannot delete a certificate that one or more features are configured to use.
  • Page 267: Importing A Certificate

    Router. Note: 2. The certificate you import replaces the corresponding request in the My Certificates screen. Note: 3. You must remove any spaces from the certificate filename before you can import it.
  • Page 268: Figure 84 My Certificate Import

    Figure 84 My Certificate Import. Table 65 describes the labels in Figure Table 65 My Certificate Import. File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
  • Page 269: Creating A Certificate

    Certificate Create screen. Use this screen to have the Business Secure Router create a self-signed certificate, enroll a certificate with a certification authority, or generate a certification request. For more information, see Figure...
  • Page 270: Figure 85 My Certificate Create

    Figure 85 My Certificate create
  • Page 271: Table 66 My Certificate Create

    You do not have to fill in every field, although the Common Name is mandatory. The certification authority can add fields (such as a serial number) to the subject information when it issues a certificate. Nortel recommends that each certificate have unique subject information. Common Name: Select a radio button to identify the owner of the certificate by IP address, domain name, or e-mail address.
  • Page 272 Table 66 My Certificate create. Create a certification request and save it locally for later manual enrollment: Select Create a certification request and save it locally for later manual enrollment to have the Business Secure Router generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the...
  • Page 273: My Certificate Details

    In the case of a self-signed certificate, you can set it to be the one that the Business Secure Router uses to sign the trusted remote host certificates that you import to the Business Secure Router.
  • Page 274: Figure 86 My Certificate Details

    Figure 86 My Certificate details
  • Page 275: Table 67 My Certificate Details

    Business Secure Router. Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) or Country (C).
  • Page 276 Table 67 My Certificate details. Issuer: This field displays identifying information about the certification authority that issued the certificate, such as Common Name, Organizational Unit, Organization or Country. With self-signed certificates, this is the same as the Subject Name field.
  • Page 277: Trusted Cas

    Business Secure Router accepts any valid certificate signed by a certification authority on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certification authorities.
  • Page 278: Figure 87 Trusted Cas

    This field displays the name used to identify this certificate. Subject: This field displays identifying information about the owner of the certificate, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) or C (Country). Nortel recommends that each certificate have unique subject information.
  • Page 279 Click Import to open a screen where you can save the certificate of a certification authority that you trust, from your computer to the Business Secure Router. Refresh: Click this button to display the current validity status of the certificates.
  • Page 280: Importing A Trusted Ca Certificate

    Importing a Trusted CA certificate Click CERTIFICATES, Trusted CAs to open the Trusted CAs screen and then click Import to open the Trusted CA Import screen, shown in Figure 88. Follow the instructions in this screen to save a trusted certification authority certificate to the Business Secure Router.
  • Page 281: Trusted Ca Certificate Details

    Business Secure Router to check a certification authority list of revoked certificates before trusting a certificate issued by the certification authority.
  • Page 282: Figure 89 Trusted Ca Details

    Figure 89 Trusted CA details
  • Page 283: Table 70 Trusted Ca Details

    This field displays identifying information about the certification authority that issued the certificate, such as Common Name, Organizational Unit, Organization or Country. With self-signed certificates, this is the same information as in the Subject Name field.
  • Page 284 Table 70 Trusted CA details. Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm).
  • Page 285: Trusted Remote Hosts

    You do not need to add any certificate that is signed by one of the certification authorities on the Trusted CAs screen because the Business Secure Router automatically accepts any valid certificate signed by a trusted certification authority as being trustworthy.
  • Page 286: Figure 90 Trusted Remote Hosts

    This field displays the name used to identify this certificate. Subject: This field displays identifying information about the owner of the certificate, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company), or C (Country). Nortel recommends that each certificate have unique subject information.
  • Page 287: Verifying A Certificate Of A Trusted Remote Host

    The following procedure describes how to use a certificate fingerprint to verify that you have the remote host’s actual certificate. Browse to where you have the remote host’s certificate saved on your computer.
  • Page 288: Figure 91 Remote Host Certificates

    Make sure that the certificate has a “.cer” or “.crt” file name extension. Figure 91 Remote host certificates Double-click the certificate icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.
  • Page 289: Importing A Certificate Of A Trusted Remote Host

    Note: The trusted remote host certificate must be a self-signed certificate; and you must remove any spaces from its file name before you can import it. Figure 93 Trusted remote host import
  • Page 290: Trusted Remote Host Certificate Details

    Table 72 describes the labels in Figure Table 72 Trusted remote host import. File Path: Type in the location of the file you want to upload in this field or click Browse to find it. Browse: Click Browse to find the certificate file you want to upload.
  • Page 291: Figure 94 Trusted Remote Host Details

    Figure 94 Trusted remote host details
  • Page 292: Table 73 Trusted Remote Host Details

    Table 73 describes the labels in Figure Table 73 Trusted remote host details. Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate.
  • Page 293 (through floppy disk for example). Export: Click this button and then Save in the File Download screen. The Save As screen displays. Browse to the location that you want to use and click Save.
  • Page 294: Directory Servers

    Table 73 Trusted remote host details. Apply: Click Apply to save your changes to the Business Secure Router. You can only change the name of the certificate. Cancel: Click Cancel to quit configuring this screen and return to the Trusted Remote Hosts screen.
  • Page 295: Add Or Edit A Directory Server

    Click CERTIFICATES, Directory Servers to open the Directory Servers screen. Click Add (or the details icon) to display the screen shown in Figure Use this screen to configure information about a directory server that the Business Secure Router can access.
  • Page 296: Figure 96 Directory Server Add

    Figure 96 Directory server add. Table 75 describes the labels in Figure Table 75 Directory server add. Directory Service Setting. Name: Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server. Access Protocol: Use the drop-down list to select the access protocol used by the directory server.
  • Page 297 Click Apply to save your changes to the Business Secure Router. Cancel: Click Cancel to quit configuring this screen and return to the Directory Servers screen. At the time of writing, LDAP is the only choice for directory server access protocol.
  • Page 298
  • Page 299: Chapter 15 Bandwidth Management

    For example, you can set the WAN interface speed to 1 024 kb/s (or less) if the broadband device connected to the WAN port has an upstream speed of 1 024 kb/s.
  • Page 300: Bandwidth Classes And Filters

    300 Chapter 15 Bandwidth management Bandwidth classes and filters Use bandwidth subclasses to allocate specific amounts of bandwidth capacity (bandwidth budgets). Configure a bandwidth filter to define a bandwidth subclass based on a specific application or subnet. Use the Class Setup tab (see “Bandwidth Manager Class Configuration”...
  • Page 301: Application And Subnet Based Bandwidth Management

    64 Kb/s Reserving bandwidth for nonbandwidth class traffic If you want to allow bandwidth for traffic that is not defined in a bandwidth filter, leave some of the bandwidth on the interface unbudgeted.
  • Page 302: Configuring Summary

    Configuring summary Click BW MGMT to open the Summary screen. Enable bandwidth management on an interface and set the maximum allowed bandwidth for that interface. Figure 98 Bandwidth Manager: Summary Table 77 describes the labels in Figure Table 77 Bandwidth Manager: Summary Label...
  • Page 303: Configuring Class Setup

    Configure subclass layers for the root class. To add or delete child classes on an interface, click BW MGMT, then the Class Setup tab. The screen appears as shown in Figure...
  • Page 304: Figure 99 Bandwidth Manager: Class Setup

    Figure 99 Bandwidth Manager: Class setup. Table 78 describes the labels in Figure Table 78 Bandwidth Manager: Class Setup. Interface: Select an interface from the drop-down list for which you wish to set up classes.
  • Page 305: Bandwidth Manager Class Configuration

    To add a subclass, click BW MGMT, and then the Class Setup tab. Click the Add Sub-Class button to open the screen shown in Figure 100.
  • Page 306: Figure 100 Bandwidth Manager: Edit Class

    Figure 100 Bandwidth Manager: Edit class. Table 79 describes the labels in Figure 100. Table 79 Bandwidth Manager: Edit class. Class Configuration. Class Name: Use the autogenerated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces.
  • Page 307 Destination IP Address. Destination Port: Enter the port number of the destination. See “Predefined services” on page 186 Chapter 11 Firewall screens for a table of services and port numbers.
  • Page 308: Bandwidth Management Statistics

    Table 79 Bandwidth Manager: Edit class. Source IP Address: Enter the source IP address. Source Subnet Mask: Enter the destination subnet mask. This field is N/A if you do not specify a Source IP Address. Source Port: Enter the port number of the source.
  • Page 309: Figure 101 Bandwidth Management Statistics

    Click Set Interval to apply the new update period you entered in the Update Period field above. Stop Update: Click Stop Update to stop the browser from refreshing bandwidth management statistics. Clear Counter: Click Clear Counter to clear all of the bandwidth management statistics.
  • Page 310: Monitor

    Monitor To view bandwidth usage and allotments, click BW MGMT, then the Monitor tab. The screen appears as shown in Figure 102. Figure 102 Bandwidth manager monitor Table 82 describes the labels in Figure 102. Table 82 Bandwidth manager monitor Label Description...
  • Page 311: Ieee 802.1X

    RADIUS server. Types of RADIUS messages The following types of RADIUS messages are exchanged between the Business Secure Router and the RADIUS server for user authentication:
  • Page 312: Eap Authentication Overview

    312 Chapter 16 IEEE 802.1x • Access-Request Sent by the Business Secure Router requesting authentication. • Access-Reject Sent by a RADIUS server rejecting access. • Access-Accept Sent by a RADIUS server allowing access. • Access-Challenge Sent by a RADIUS server requesting more information in order to allow access.
  • Page 313: Configuring 802.1X

    The RADIUS server checks the user information against its user profile database and determines whether or not to authenticate the user. Configuring 802.1X To change the authentication settings, click 802.1X. The screen appears, as shown in Figure 104.
  • Page 314: Figure 104 802.1X

    Figure 104 802.1X. Table 83 describes the labels in Figure 104. Table 83 802.1X. Authentication Type: Select Authentication Required, No Access or No Authentication Required from the drop-down list. Select Authentication Required to authenticate all users before they can access the network.
  • Page 315 Business Secure Router does not check the local user database and the authentication fails. Apply: Click Apply to save your changes to the Business Secure Router. Reset: Click Reset to begin configuring this screen afresh.
  • Page 316
  • Page 317: Authentication Server

    RADIUS server. However, there is a limit on the number of users you can authenticate in this way. Local User database To see the local user list, click AUTH SERVER. The Local User Database screen appears as shown in Figure 105.
  • Page 318: Figure 105 Local User Database

    318 Chapter 17 Authentication server Figure 105 Local User database. Table 84 describes the labels in Figure 105. Table 84 Local User database. User ID: This field displays the logon name for the user account. Active: This field displays Yes if the user account is enabled or No if it is disabled. User type: This field displays whether the user account can be used for an IEEE 802.1X or IPSec logon (or both).
  • Page 319: Edit Local User Database

    To change a local user database entry, click AUTH SERVER. In the Local User Database screen, select the radio button of an entry and click the Edit button to display the Local User Database Edit screen, as shown in Figure 106.
  • Page 320: Figure 106 Local User Database Edit

    Figure 106 Local User database edit
  • Page 321: Table 85 Local User Database Edit

    VPN tunnel. Configure Network: Click this link to set up the list of networks to use as split or inverse split networks.
  • Page 322: Current Split Networks

    322 Chapter 17 Authentication server Table 85 Local User database edit Label Description Split Tunnel This field applies when you select Enabled in the Split Tunneling field. Networks Select the network for which you force traffic to be encrypted and go through the VPN tunnel.
  • Page 323: Current Split Networks Edit

    Current Split Networks screen. Click Add or select a network and click Edit in order to display the Current Networks Edit screen. Use this screen shown in Figure 108 to configure a set of subnets to use with split or inverse split VPN tunnels. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 324: Figure 108 Current Split Networks Edit

    Figure 108 Current split networks edit Table 87 describes the labels in Figure 108. Table 87 Current split networks edit
    Label: Description
    Network Name: Enter a name to identify the split network.
    IP Address: Enter the IP address for the split network in dotted decimal notation.
    Netmask: Enter the netmask for the split network in dotted decimal notation.
  • Page 325: Configuring Radius

    Use RADIUS if you want to authenticate users using an external server. To set up RADIUS server settings, click AUTH SERVER, then the RADIUS tab. The screen appears, as shown in Figure 109. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 326: Figure 109 Radius

    326 Chapter 17 Authentication server Figure 109 RADIUS Table 88 describes the labels in Figure 109. Table 88 RADIUS Label Description Authentication Server Active Select the check box to enable user authentication through an external authentication server. Clear the check box to enable user authentication using the local user profile on the Business Secure Router.
  • Page 327 Enter the password again to make sure that you have entered it correctly. Apply Click Apply to save your changes to the Business Secure Router. Reset Click Reset to begin configuring this screen afresh. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 329: Remote Management Screens

    To disable remote management of a service, select Disable in the corresponding Server Access field. Remote management limitations Remote management over LAN or WAN does not work if: Nortel Business Secure Router 252 Configuration — Basics...
  • Page 330: Remote Management And Nat

    330 Chapter 18 Remote management screens A filter in SMT menu 3.1 (LAN) or in menu 11.1.4 (WAN) is applied to block a Telnet, FTP, or Web service. A service is disabled in one of the remote management screens. The IP address in the Secured Client IP field does not match the client IP address.
  • Page 331: Introduction To Https

    1 HTTPS connection requests from an SSL-aware Web browser go to port 443 (by default) on the Business Secure Router WS (Web server). 2 HTTP connection requests from a Web browser go to port 80 (by default) on the Business Secure Router WS (Web server). Nortel Business Secure Router 252 Configuration — Basics...
  • Page 332: Configuring Www

    332 Chapter 18 Remote management screens Figure 110 HTTPS implementation Note: If you disable HTTP Server Access (Disable) in the REMOTE MGMT WWW screen, the Business Secure Router blocks all HTTP connection attempts. Configuring WWW To change your Business Secure Router Web settings, click REMOTE MGMT to open the WWW screen.
  • Page 333: Figure 111 Www

    Business Secure Router a certificate. To do that, the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the Business Secure Router (see the appendix on importing certificates for details). Nortel Business Secure Router 252 Configuration — Basics...
  • Page 334: Https Example

    334 Chapter 18 Remote management screens Table 89 WWW Label Description Server Port The HTTPS proxy server listens on port 443 by default. If you change the HTTPS proxy server port to a different number on the Business Secure Router, for example, 8443, you must notify people who need to access the Business Secure Router WebGUI to use https://Business Secure Router IP Address:8443 as the URL.
  • Page 335: Internet Explorer Warning Messages

    Click Examine Certificate if you want to verify that the certificate is from the Business Secure Router. If you select Accept this certificate temporarily for this session, then click OK to continue in Netscape. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 336: Figure 113 Figure 18-4 Security Certificate 1 (Netscape)

    336 Chapter 18 Remote management screens Select Accept this certificate permanently to import the Business Secure Router certificate into the SSL client. Figure 113 Figure 18-4 Security Certificate 1 (Netscape) NN47923-500...
  • Page 337: Avoiding The Browser Warning Messages

    Business Secure Router HTTPS server certificate that your browser received. To check the common name specified in the certificate that your Business Secure Router sends to HTTPS clients: Nortel Business Secure Router 252 Configuration — Basics...
  • Page 338: Logon Screen

    338 Chapter 18 Remote management screens Click REMOTE MGMT. Write down the name of the certificate displayed in the Server Certificate field. b Click CERTIFICATES. Find the certificate that was displayed in the Server Certificate field and check its Subject column. CN stands for the common name of the certificate (see Figure 118 on page 342 for an...
  • Page 339: Figure 115 Logon Screen (Internet Explorer)

    Chapter 18 Remote management screens 339 Figure 115 Logon screen (Internet Explorer) Nortel Business Secure Router 252 Configuration — Basics...
  • Page 340: Figure 116 Login Screen (Netscape)

    340 Chapter 18 Remote management screens Figure 116 Login screen (Netscape) Click Login to proceed. The screen shown in Figure 117 appears. The factory default certificate is a common default certificate for all Business Secure Router models. NN47923-500...
  • Page 341: Figure 117 Replace Certificate

    Click Apply in the Replace Certificate screen to create a certificate using your Business Secure Router MAC address that is specific to this device. Click CERTIFICATES to open the My Certificates screen. You see information similar to that shown in Figure 118. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 342: Figure 118 Device-Specific Certificate

    342 Chapter 18 Remote management screens Figure 118 Device-specific certificate Click Ignore in the Replace Certificate screen to use the common Business Secure Router certificate. The My Certificates screen appears (Figure 119). NN47923-500...
  • Page 343: Ssh Overview

    Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 344: How Ssh Works

    344 Chapter 18 Remote management screens Figure 120 SSH Communication Example How SSH works Figure 121 summarizes how a secure connection is established between two remote hosts. Figure 121 How SSH Works Host Identification The SSH client sends a connection request to the SSH server. The server identifies itself with a host key.
  • Page 345: Ssh Implementation On The Business Secure Router

    Business Secure Router over SSH. Configuring SSH To change the Secure Shell settings, click REMOTE MGMT, and then the SSH tab. The screen shown in Figure 122 appears. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 346: Figure 122 Ssh

    346 Chapter 18 Remote management screens Figure 122 SSH Table 90 describes the labels in Figure 122. Table 90 SSH Label Description Server Host Select the certificate whose corresponding private key is to be used to identify the Business Secure Router for SSH connections. You must have certificates already configured in the My Certificates screen (Click My Certificates and see Chapter 14, “Certificates,”...
  • Page 347: Secure Telnet Using Ssh Examples

    Chapter 18 Remote management screens 347 Note: Nortel recommends that you disable Telnet and FTP when you configure SSH for secure connections. Secure Telnet using SSH examples This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the Business Secure Router. The configuration and connection steps are similar for most SSH client programs.
  • Page 348: Example 2: Linux

    348 Chapter 18 Remote management screens Example 2: Linux This section describes how to access the Business Secure Router using the OpenSSH client program that comes with most Linux distributions. Test whether the SSH service is available on the Business Secure Router. Enter “telnet 192.168.1.1 22”...
  • Page 349: Secure Ftp Using Ssh Example

    Business Secure Router. Type yes and press [ENTER]. Enter the password to log on to the Business Secure Router. Use the put command to upload a new firmware to the Business Secure Router. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 350: Telnet

    Figure 126 Secure FTP: Firmware Upload Example
    $ sftp -1 192.168.1.1
    Connecting to 192.168.1.1...
    The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
    RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
  • Page 351: Configuring Telnet

    Business Secure Router using this service. Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 352: Configuring Ftp

    352 Chapter 18 Remote management screens Configuring FTP You can upload and download the Business Secure Router firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. To change your Business Secure Router FTP settings, click REMOTE MANAGEMENT, and then the FTP tab.
  • Page 353: Configuring Snmp

    Figure 130 illustrates an SNMP management operation. The default get and set communities are public. Note: SNMP is only available if TCP/IP is configured.
  • Page 354: Figure 130 Snmp Management Model

    354 Chapter 18 Remote management screens Figure 130 SNMP Management Model An SNMP-managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the Business Secure Router). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 355: Supported Mibs

    (for example, download new files, and CI command sys reboot). For fatal error: A trap is sent with the message of the fatal code if the system reboots because of fatal errors. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 356: Remote Management: Snmp

    356 Chapter 18 Remote management screens REMOTE MANAGEMENT: SNMP To change your Business Secure Router SNMP settings, click REMOTE MANAGEMENT, and then the SNMP tab. The screen appears as shown in Figure 131. Figure 131 SNMP Table 94 describes the fields in Figure 131.
  • Page 357: Configuring Dns

    Click Reset to begin configuring this screen afresh. Configuring DNS Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa, for example, the IP address of www.nortel.com is 47.249.48.20. To change your Business Secure Router DNS settings, click REMOTE MANAGEMENT, and then the DNS tab.
  • Page 358: Configuring Security

    358 Chapter 18 Remote management screens Figure 132 DNS Table 95 describes the fields in Figure 132. Table 95 DNS Label Description Server Port The DNS service port number is 53 and cannot be changed here. Server Access Select the interfaces (if any) through which a computer can send DNS queries to the Business Secure Router.
  • Page 359: Figure 133 Security

    Disable is selected. Select LAN to reply to incoming LAN Ping requests. Select WAN to reply to incoming WAN Ping requests. Otherwise, select LAN & WAN to reply to both incoming LAN and WAN Ping requests. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 360 Table 96 Security Label Description Do not respond to requests for unauthorized services: Select this option to prevent hackers from finding the Business Secure Router by probing for unused ports. If you select this option, the Business Secure Router does not send ICMP response packets to port requests for unused ports, thus leaving the unused ports and...
  • Page 361: Upnp

    With NAT traversal, the device can do the following: • Dynamic port mapping • Learning public IP addresses • Assigning lease times to mappings Nortel Business Secure Router 252 Configuration — Basics...
  • Page 362: Cautions With Upnp

    362 Chapter 19 UPnP Windows Messenger is an example of an application that supports NAT traversal and UPnP. Cautions with UPnP The automated nature of NAT traversal applications in establishing their own services and opening firewall ports can present network security issues. Network information and configuration can also be obtained and modified by users in some network environments.
  • Page 363: Figure 134 Configuring Upnp

    Clear this check box to have the firewall block all UPnP application packets (for example, MSN packets). Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 364: Displaying Upnp Port Mapping

    364 Chapter 19 UPnP Displaying UPnP port mapping Click UPnP and then Ports to display the screen as shown in Figure 135. Use this screen to view the NAT port mapping rules that UPnP creates on the Business Secure Router. Figure 135 UPnP Ports Table 98 describes the labels in...
  • Page 365: Installing Upnp In Windows Example

    Follow the steps below to install UPnP in Windows Me. Click Start and Control Panel. Double-click Add/Remove Programs. Click on the Windows Setup tab and select Communication in the Components selection box. Click Details. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 366: Installing Upnp In Windows Xp

    366 Chapter 19 UPnP Figure 136 Add/Remove programs: Windows setup In the Communications window, select the Universal Plug and Play check box in the Components selection box. Click OK to return to the Add/Remove Programs Properties window and click Next. Restart the computer when prompted.
  • Page 367: Figure 138 Network Connections

    Optional Networking Components …. The Windows Optional Networking Components Wizard window appears. Figure 138 Network connections Select Networking Service in the Components selection box and click Details. Figure 139 Windows optional networking components wizard Nortel Business Secure Router 252 Configuration — Basics...
  • Page 368: Using Upnp In Windows Xp Example

    368 Chapter 19 UPnP In the Networking Services window, select the Universal Plug and Play check box. Figure 140 Windows XP networking services Click OK to return to the Windows Optional Networking Component Wizard window and click Next. Using UPnP in Windows XP example This section shows you how to use the UPnP feature in Windows XP.
  • Page 369: Figure 141 Internet Gateway Icon

    Right-click the icon and select Properties. Figure 141 Internet gateway icon In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. Figure 142 Internet connection properties Nortel Business Secure Router 252 Configuration — Basics...
  • Page 370: Figure 143 Internet Connection Properties Advanced Setup

    370 Chapter 19 UPnP You can edit or delete the port mappings or click Add to manually add port mappings. Figure 143 Internet connection properties advanced setup Figure 144 Service settings Note: When the UPnP-enabled device is disconnected from your computer, all port mappings are deleted automatically.
  • Page 371: Webgui Easy Access

    This is helpful if you do not know the IP address of your Business Secure Router. Follow the steps below to access the WebGUI. Click Start and then Control Panel. Double-click Network Connections. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 372: Figure 147 Network Connections

    372 Chapter 19 UPnP Select My Network Places under Other Places Figure 147 Network connections An icon with the description for each UPnP-enabled device displays under Local Network. Right-click the icon for your Business Secure Router and select Invoke. The WebGUI logon screen displays.
  • Page 373: Logs Screens

    Log entries in red indicate system error logs. The log wraps around and deletes the old entries after it fills. Click a column heading to sort the entries. A triangle indicates ascending or descending sort order. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 374: Figure 149 View Log

    374 Chapter 20 Logs Screens Figure 149 View Log Table 99 describes the fields in Figure 149. Table 99 View Log Label Description Display The categories that you select in the Log Settings page display in the drop-down list. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
  • Page 375: Configuring Log Settings

    Note: Alerts are e-mailed as soon as they happen. Logs can be e-mailed as soon as the log is full. Selecting many alert and log categories (especially Access Control) can result in many e-mails being sent. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 376: Figure 150 Log Settings

    376 Chapter 20 Logs Screens Figure 150 Log settings NN47923-500...
  • Page 377: Table 100 Log Settings

    When Log is Full, an alert is sent when the log fills up. If you select None, no log messages are sent. Day for Sending Log Use the drop-down list to select which day of the week to send the logs. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 378: Configuring Reports

    378 Chapter 20 Logs Screens Table 100 Log settings Label Description Time for Sending Log Enter the time of the day in 24-hour format (for example 23:00 equals 11:00 p.m.) to send the logs. Select the categories of the logs that you want to record. Logs include alerts.
  • Page 379: Figure 151 Reports

    Business Secure Router can count these as hits, thus the Web hit count is not (yet) 100% accurate. Figure 151 Reports Note: Enabling the reporting function decreases the overall throughput by about 1 Mb/s. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 380: Viewing Web Site Hits

    380 Chapter 20 Logs Screens Table 101 describes the fields in Figure 151. Table 101 Reports Label Description Collect Statistics Select the check box and click Apply to have the Business Secure Router record report data. Send Raw Traffic Select the check box and click Apply to have the Business Secure Statistics to Router send unprocessed traffic statistics to a syslog server for Syslog Server for...
  • Page 381: Figure 152 Web Site Hits Report Example

    Web site as another hit on the Web site. Hits This column lists how many times each Web site has been visited. The count starts over at 0 if a Web site passes the hit count limit. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 382: Viewing Protocol/Port

    382 Chapter 20 Logs Screens Viewing Protocol/Port In the Reports screen, select Protocol/Port from the Report Type drop-down list to have the Business Secure Router record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports.
  • Page 383: Viewing Lan Ip Address

    Note: Computers take turns using dynamically assigned LAN IP addresses. The Business Secure Router continues recording the bytes sent to or from a LAN IP address when it is assigned to a different computer. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 384: Figure 154 Lan Ip Address Report Example

    384 Chapter 20 Logs Screens Figure 154 LAN IP address report example Table 104 describes the fields in Figure 154. Table 104 LAN IP Address Report Label Description IP Address This column lists the LAN IP addresses to and from which the most traffic has been sent.
  • Page 385: Reports Specifications

    Bytes count limit: Up to 2 bytes can be counted per protocol/port or LAN IP address. The count starts over at 0 if it passes 2 bytes. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 387: Call Scheduling Screens

    You can design up to 12 schedule sets. You can apply up to four schedule sets for a remote node. Call schedule summary Click CALL SCHEDULE to open the Call Schedule Summary screen. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 388: Figure 155 Call Schedule Summary

    388 Chapter 21 Call scheduling screens Figure 155 Call schedule summary Table 106 describes the fields in Figure 155. Table 106 Call Schedule Summary Label Description This is the call schedule set number. Name This field displays the name of the call schedule set. Active This field shows whether the call schedule set is turned on (Yes) or off (No).
  • Page 389: Call Scheduling Edit

    Select a call schedule set's radio button and click Delete to remove that call schedule set. Call scheduling edit To configure a schedule set, click the Edit button to display the screen shown in Figure 156. Figure 156 Call schedule edit
  • Page 390: Table 107 Call Schedule Edit

    If a connection has been already established, your Business Secure Router will not drop it. After the connection is dropped manually or it times out, that remote node cannot be triggered again until the end of the Duration. Table 107 Call schedule edit Label Description...
  • Page 391: Applying Schedule Sets To A Remote Node

    (refer to “Configuring Dial Backup” on page 119). Click WAN, Dial Backup to display the Dial Backup screen as shown in Figure 157. Use the screen to apply up to four schedule sets. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 392: Figure 157 Applying Schedule Sets To A Remote Node

    392 Chapter 21 Call scheduling screens Figure 157 Applying Schedule Sets to a remote node NN47923-500...
  • Page 395: Maintenance

    Business Secure Router. Status screen Click MAINTENANCE to open the Status screen, where you can monitor your Business Secure Router. Note that these fields are READ-ONLY and only used for diagnostic purposes. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 396: Figure 158 System Status

    System Name: This is the System Name you chose in the first Internet Access Wizard screen. It is for identification purposes.
    Nortel Firmware Version: The release of firmware currently on the Business Secure Router and the date the release was created.
  • Page 397: System Statistics

    System statistics Read-only information here includes port status and packet specific statistics. Also provided are system up time and poll intervals. The Poll Interval(s) field is configurable. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 398: Figure 159 System Status: Show Statistics

    398 Chapter 22 Maintenance Figure 159 System Status: Show statistics Table 109 describes the fields in Figure 159. Table 109 System Status: Show Statistics Label Description System up Time This is the elapsed time the system has been up. CPU Load This field specifies the percentage of CPU utilization.
  • Page 399: Dhcp Table Screen

    Click MAINTENANCE, and then the DHCP Table tab. Read-only information here relates to your DHCP status. The DHCP table shows current DHCP Client information (including IP Address, Host Name, and MAC Address) of all network clients using the DHCP server. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 400: Diagnostic Screen

    Figure 160 DHCP Table Table 110 describes the fields in Figure 160. Table 110 DHCP Table
    Label: Description
    #: This is the index number of the host computer.
    IP Address: This field displays the IP address relative to the # field listed above.
    Host Name: This field displays the computer host name.
  • Page 401: Figure 161 Diagnostic

    Figure 161. Table 111 Diagnostic Label Description General TCP/IP Type the IP address of a computer that you want to ping in order to test a Address connection. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 402: F/W Upload Screen

    Margin F/W Upload screen Find firmware at www.nortel.com/index.html in a file that usually uses the system model name with a *.bin extension. The upload process uses FTP (File Transfer Protocol) and can take up to two minutes. After a successful upload, the system reboots.
  • Page 403: Figure 162 Firmware Upload

    Note: Do not turn off the device while firmware upload is in progress! After you see the Firmware Upload in Process (Figure 163) screen, wait two minutes before logging on to the device again. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 404: Figure 163 Firmware Upload In Process

    Figure 163 Firmware Upload In Process The device automatically restarts in this time, causing a temporary network disconnect. In some operating systems, you can see the icon shown in Figure 164 on your desktop. Figure 164 Network Temporarily Disconnected After two minutes, log on again and check your new firmware version in the System Status screen.
  • Page 405: Configuration Screen

    Back to Factory Defaults Pressing the Reset button in this section clears all user-entered configuration information and returns the Business Secure Router to its factory defaults. The warning screen will appear (see Figure 167). Nortel Business Secure Router 252 Configuration — Basics...
  • Page 406: Backup Configuration

    With backup configuration, you can back up and save the current device configuration to a 104 KB file on your computer. After your device is configured and functioning properly, Nortel recommends that you back up your configuration file before making configuration changes. The backup configuration file is useful in case you need to return to your previous settings.
  • Page 407: Restore Configuration

    Figure 168 Configuration Upload Successful The device automatically restarts in this time, causing a temporary network disconnect. In some operating systems, you see the icon shown in Figure 169 on your desktop.
  • Page 408: Restart Screen

    IP address (192.168.1.1). See your Nortel Business Secure Router 252 — Fundamentals (NN47923-301) guide for details about how to set up your computer IP address.
  • Page 409: Figure 170 Restart Screen

    Chapter 22 Maintenance 409 Figure 170 Restart screen Nortel Business Secure Router 252 Configuration — Basics...
  • Page 411: Troubleshooting

    9 600 b/s is the default speed on leaving the factory. Try other speeds in case the speed has been changed. • No parity, 8 data bits, 1 stop bit, data flow set to none. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 412: Problems With The Lan Led

    Problem: I cannot access the Business Secure Router from the LAN.
    Corrective Action: Check your Ethernet cable type and connections. For LAN connection instructions see Nortel Business Secure Router 252 - Fundamentals (NN47923-301). Make sure the Ethernet adapter is installed in the computer and functioning properly.
  • Page 413: Problems With The Wan Interface

    Problems with the WAN interface Table 117 Troubleshooting the WAN Interface
    Problem: Cannot get WAN IP address from the ISP.
    Corrective Action: For initial setup of the Business Secure Router, see Nortel Business Secure Router 252 - Fundamentals (NN47923-301). The ISP provides the WAN IP address after authentication.
  • Page 414: Problems Accessing An Internet Web Site

    414 Appendix A Troubleshooting Problems accessing an Internet Web site Table 119 Troubleshooting Web Site Internet Access Problem Corrective Action Cannot connect to a Disable content filtering and clear your browser cache. Try connecting to the Web Web site on the site again.
  • Page 415: Problems With The Webgui

    LAN connection. Refer to the “Problems with the WAN interface” on page 413 for instructions about checking your WAN connection. See also “Problems with the WebGUI” on page 415. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 416: Allowing Pop-Up Windows, Javascript And Java Permissions

    Allowing Pop-up Windows, JavaScript and Java Permissions In order to use the WebGUI, you must allow: • Web browser pop-up windows from your device • JavaScript • Java permissions Internet Explorer Pop-up Blockers Note: Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions vary. Disable pop-up blocking to log on to your device, if necessary.
  • Page 417: Enabling Pop-Up Blockers With Exceptions

    Enabling Pop-up Blockers with Exceptions Alternatively, if you only want to allow pop-up windows from your device, see the following steps. In Internet Explorer, select Tools, Internet Options and then the Privacy tab. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 418: Figure 173 Internet Options

    418 Appendix A Troubleshooting Select Settings… to open the Pop-up Blocker Settings screen. Figure 173 Internet options Type the IP address of your device (the Web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.1.1. NN47923-500...
  • Page 419: Internet Explorer Javascript

    Click Close to return to the Internet Options screen. Click Apply to save this setting. Internet Explorer JavaScript If pages of the WebGUI do not display properly in Internet Explorer, check that JavaScript and Java permissions are enabled. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 420: Figure 175 Internet Options

    420 Appendix A Troubleshooting In Internet Explorer, click Tools, Internet Options, and then the Security tab. Figure 175 Internet options Click the Custom Level... button. Scroll down to Scripting. Under Active scripting make sure that Enable is selected (the default). Under Scripting of Java applets make sure that Enable is selected (the default).
  • Page 421: Internet Explorer Java Permissions

    From Internet Explorer, click Tools, Internet Options, and then the Security tab. Click the Custom Level... button. Scroll down to Microsoft VM. Under Java permissions make sure that a safety level is selected. Nortel Business Secure Router 252 Configuration — Basics...
  • Page 422: Java (Sun)

    422 Appendix A Troubleshooting Click OK to close the window. Figure 177 Security Settings - Java JAVA (Sun) From Internet Explorer, click Tools, Internet Options, and then the Advanced tab. Make sure that Use Java 2 for <applet> under Java (Sun) is selected. Click OK to close the window.
  • Page 423: Netscape Pop-Up Blockers

    Note: Netscape 7.2 screens are used here. Screens for other Netscape versions vary.

    Either disable the blocking of unrequested pop-up windows (enabled by default in Netscape) or allow pop-ups from Web sites by creating an exception for your device IP address.
  • Page 424: Allowing Pop-Ups

    Allowing Pop-ups

    In Netscape, click Tools, Popup Manager and then select Allow Popups From This Site.

    [Figure 179: Allow Popups from this site]

    In the Netscape search toolbar, you can enable and disable pop-up blockers for Web sites.

    [Figure 180: Netscape Search Toolbar]

    You can also check if pop-up blocking is disabled in the Popup Windows screen in the Privacy &...
  • Page 425: Enable Pop-Up Blockers With Exceptions

    Alternatively, if you only want to allow pop-up windows from your device, follow these steps: In Netscape, click Edit, and then Preferences. In the Privacy & Security directory, select Popup Windows. Make sure the Block unrequested popup windows check box is selected.
  • Page 426: Figure 182 Popup Windows

    Click the Allowed Sites... button.

    [Figure 182: Popup Windows]

    Type the IP address of your device (the Web page that you do not want to have blocked) with the prefix http://. For example, http://192.168.1.1.
  • Page 427: Netscape Java Permissions And Javascript

    If pages of the WebGUI do not display properly in Netscape, check that JavaScript and Java permissions are enabled. In Netscape, click Edit and then Preferences. Click the Advanced directory. In the Advanced screen, make sure the Enable Java check box is selected.
  • Page 428: Figure 184 Advanced

    Click OK to close the window.

    [Figure 184: Advanced]

    Click the Advanced directory and then select Scripts & Plug-ins. Make sure the Navigator check box is selected in the enable JavaScript section.
  • Page 429: Figure 185 Scripts & Plug-Ins

    Click OK to close the window.

    [Figure 185: Scripts & Plug-ins]
  • Page 431: Log Descriptions

    WEB Login Successfully | Someone has logged on to the router's WebGUI interface.
    WEB Login Fail | Someone has failed to log on to the router's WebGUI interface.
    TELNET Login Successfully | Someone has logged on to the router through Telnet.
  • Page 432: Table 125 Upnp Logs

    Appendix B Log Descriptions

    Table 124 System Maintenance Logs

    Log Message | Description
    TELNET Login Fail | Someone has failed to log on to the router through Telnet.
    FTP Login Successfully | Someone has logged on to the router through FTP.
    FTP Login Fail | Someone has failed to log on to the router through FTP.
  • Page 433

    TCP
    ports scan TCP | The firewall detected a TCP port scan attack.
    teardrop TCP | The firewall detected a TCP teardrop attack.
    teardrop UDP | The firewall detected an UDP teardrop attack.
  • Page 434: Table 128 Access Logs

    Table 127 Attack Logs

    Log Message | Description
    teardrop ICMP (type:%d, code:%d) | The firewall detected an ICMP teardrop attack.
    illegal command TCP | The firewall detected a TCP illegal command attack.
    NetBIOS TCP | The firewall detected a TCP NetBIOS attack.
    ip spoofing - no... | The firewall detected a TCP IP spoofing attack while the...
  • Page 435

    Firewall rule match: OSPF (set:%d, rule:%d) | OSPF access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the configuration of the rule.
  • Page 436

    Table 128 Access Logs

    Log Message | Description
    Firewall rule match: (set:%d, rule:%d) | Access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the configuration of the rule.
    Firewall rule NOT | TCP access did not match the listed firewall rule and the Business Secure Router logged it.
  • Page 437 <set %d/rule %d> Access matched the listed filter rule (denied LAN IP). Filter match FORWARD Access was allowed and the router forwarded the packet. <set %d/rule %d>
  • Page 438

    Table 128 Access Logs

    Log Message | Description
    (set:%d) | With firewall messages, this is the number of the ACL policy set and denotes the packet's direction (see Table 129). With filter messages, this is the number of the filter set.
    (rule:%d) | With firewall messages, the firewall rule number denotes the number of a firewall rule within an ACL policy set. With...
  • Page 439: Table 129 Acl Setting Notes

    Redirect | | Redirect datagrams for the Network
    | | Redirect datagrams for the Host
    | | Redirect datagrams for the Type of service and network
  • Page 440: Vpn/Ipsec Logs

    Table 130 ICMP Notes

    Type | Code | Description
    | | Redirect datagrams for the Type of service and host
    Echo | | Echo message
    Time exceeded | | Time to live exceeded in transit
    | | Fragment reassembly time exceeded
    Parameter problem | | Pointer indicates the error
    Timestamp | | Timestamp request message
    Timestamp reply...
  • Page 441: Vpn Responder Ipsec Log

    Start Phase 2: Quick Mode
    01 Jan 08:02:26 Send:<HASH><SA><NONCE><ID><ID>
    01 Jan 08:02:26 Recv:<HASH><SA><NONCE><ID><ID>
    01 Jan 08:02:26 Send:<HASH>
    Clear IPSec Log (y/n):

    VPN Responder IPSec Log

    Figure 187 shows a typical log from the VPN connection peer.
  • Page 442: Figure 187 Example Vpn Responder Ipsec Log

    Figure 187 Example VPN Responder IPSec Log

    Index: Date/Time: Log:
    ------------------------------------------------------------
    01 Jan 08:08:07 Recv Main Mode request from <192.168.100.100>
    01 Jan 08:08:07 Recv:<SA>
    01 Jan 08:08:08 Send:<SA>
    01 Jan 08:08:08 Recv:<KE><NONCE>
    01 Jan 08:08:10 Send:<KE><NONCE>...
  • Page 443: Table 132 Sample Ike Key Exchange Logs

    with rule <#d> | “Remote Addr”. If this IP (range) conflicts with a previously configured rule, the connection is not allowed.
    !! Invalid IP <IP start>/ <IP end> | The peer “Local IP Addr” range is invalid.
  • Page 444

    Table 132 Sample IKE Key Exchange Logs

    Log Message | Description
    !! Remote IP <IP start> / <IP end> conflicts... | If the security gateway is “0.0.0.0”, the Business Secure Router uses the peer “Local Addr” as its “Remote Addr”....
  • Page 445: Table 133 Sample Ipsec Logs During Packet Transmission

    failed | Check them.
    Rule <#d> idle time out, disconnect | If an SA has no packets transmitted for a period of time (configurable through CI command), the Business Secure Router drops the connection.
  • Page 446: Table 134 Rfc 2408 Isakmp Payload Types

    Table 134 shows RFC 2408 ISAKMP payload types that the log displays. Refer to RFC 2408 for detailed information about each type.

    Table 134 RFC 2408 ISAKMP Payload Types

    Log Display | Payload Type
    | Security Association
    PROP | Proposal
    TRANS...
  • Page 447

    codes>, cert not trusted: <subject name> | The recorded reason codes are only approximate reasons for not trusting the certificate. See Table 136 for the corresponding descriptions of the codes.
  • Page 448: Table 136 Certificate Path Verification Failure Reason Codes

    Table 136 Certificate Path Verification Failure Reason Codes

    Code | Description
    | Algorithm mismatch between the certificate and the search constraints.
    | Key usage mismatch between the certificate and the search constraints.
    | Certificate was not valid in the time interval.
    | (Not used)
    | Certificate is not valid.
  • Page 449: Table 137 Ieee 802.1X Logs

    RADIUS Server.
    Use Local User Database to authenticate user. | The local user database operates as the authentication server.
    Use RADIUS to authenticate user. | The RADIUS server operates as the authentication server.
  • Page 450: Log Commands

    Table 137 IEEE 802.1X Logs

    Log Message | Description
    No Server to authenticate user. | There is no authentication server to authenticate a user.
    Local User Database does not find user`s credential. | A user was not authenticated by the local user database because the user is not listed in the
  • Page 451: Displaying Logs

    Use the sys logs display [log category] command to show the logs in an individual Business Secure Router log category. Use the sys logs clear command to erase all of the Business Secure Router logs.
  • Page 452: Log Command Example

    Log Command Example

    This example shows how to set the Business Secure Router to record the access logs and alerts and then view the results.

    ras> sys logs load
    ras> sys logs category access 3
    ras>...
  • Page 453: Index

    Budget 123 AT Response Strings 126 Bypass Triangle Route 177 ATDP 124 ATH 124 ATM loopback test 402 Call Back Delay 126 Attack Alert 190, 192 Call Control 126 Attack Types 160
  • Page 454 Call Scheduling 38, 387 DES 205 Maximum Number of Schedule Sets 387, 391 Destination Address 172, 180 Precedence 387 DHCP 65, 85, 97, 98, 399 Precedence Example 387 DHCP (Dynamic Host Configuration Protocol) 40 Called ID 126 DHCP Server 101 Calling Line Identification 126 diagnostic 400 Central Network Management 39...
  • Page 455 ICMP Commands That Trigger Alerts 160 Rule Logic 171 ICMP echo 159 Rule Security Ramifications 171 ICMP Vulnerability 160 Services 186 Idle Timeout 123 Types 153 When To Use 167 IEEE 802.1x 37
  • Page 456 IGMP 99, 116, 123 IGMP-V1 116 LAN IP Address 380, 383 IGMP-v1 123 LAN Setup 97, 107 IGMP-V2 116 LAN TCP/IP 98 IGMP-v2 123 LAN to WAN Rules 173 Illegal Commands 160 LAND 158, 159 Initial Contact Payload 258 Local 130 Inside 130 Local End IP 140, 142...
  • Page 457 IP address 57 One Minute Low 192 Proportional Bandwidth Allocation 300 One to One 133 Protocol/Port 380, 382 One-Minute High 191 publications One-to-One 142 hard copy 30 Outside 130 related 30
  • Page 458 PVC 54 Rules 169, 173 Checklist 171 Creating Custom 169 Key Fields 172 Quick Start Guide 45 LAN to WAN 173 Logic 171 Predefined Services 186 Source and Destination Addresses 181 RADIUS 311 Shared Secret Key 312 RADIUS Message Types 311 SA Monitor 245 reboot 402 Saving the State 161...
  • Page 459 Virtual Channel Identifier (VCI) 55 technical publications 30 virtual circuit (VC) 54 Telnet 350 Virtual Path Identifier (VPI) 55 Telnet Configuration 350 VPI 55, 56 text conventions 29 VPI & VCI 55
  • Page 460 VPN Client Termination 248 WAN to LAN Rules 173 Web Proxy 197 Web Site Hits 380 WebGUI 45, 49, 155, 166, 172 Windows Networking 116, 247 Wizard Setup 53 WWW 332 Xmodem Upload 49
