Nortel Business Secure Router 252 Configuration — Advanced BSR252 Business Secure Router Document Number: NN47923-501 Document Version: 1.1 Date: March 2007...
The information in this document is proprietary to Nortel. Trademarks Nortel, Nortel (Logo), the Globemark, and This is the way, This is Nortel (Design mark) are trademarks of Nortel. Microsoft, MS, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation.
Select or Choose means for you to use one of the predefined choices. The SMT menu titles and labels are written in Bold Times New Roman font. Menu choices are written in Bold Arial font.
For more information about using the Business Secure Router, refer to the following publications: • Nortel Business Secure Router 252 Configuration — Basics (NN47923-500) The basic manual covers how to use the WebGUI to configure your Business Secure Router. •...
Intranet and efficiently manages data traffic on your network. Using the embedded WebGUI, you can easily set up and manage the Business Secure Router using an Internet browser.
Features This section lists the key features of the Business Secure Router. Table 1 Feature specifications Feature Number of static routes Number of NAT sessions Number of SUA (Single User Account) servers Number of address mapping rules Maximum number of VPN IP Policies...
Four-Port switch A combination of switch and router makes your Nortel Business Secure Router 252 a cost-effective and viable network solution. You can connect up to four computers or phones to the Business Secure Router without the cost of a switch.
Chapter 1 Getting to know your Nortel Business Secure Router 252
Autonegotiating 10/100 Mb/s Ethernet LAN
The LAN interfaces automatically detect if they are on a 10 or a 100 Mb/s Ethernet.
Autosensing 10/100 Mb/s Ethernet LAN
The LAN interfaces automatically adjust to either a crossover or straight through Ethernet cable.
Nortel Contivity Client Termination
The Business Secure Router supports VPN connections from computers using Nortel Contivity VPN Client 3.0, 5.01, 5.11, 6.01, 6.02, or 7.01 software.
Certificates
The Business Secure Router can use certificates (also called digital IDs) to authenticate users.
Brute force password guessing protection
The Business Secure Router has a special protection mechanism to discourage brute force password guessing attacks on the Business Secure Router management interfaces. You can specify a wait time that must expire before you can enter a fourth password after entering three incorrect passwords.
Dynamic DNS support
With Dynamic DNS (Domain Name System) support, you can have a static host name alias for a dynamic IP address, so the host is more easily accessible from various locations on the Internet.
Network Address Translation (NAT)
NAT (Network Address Translation — NAT, RFC 1631) translates multiple IP addresses used within one network to different IP addresses known within another network.
Applications for the Nortel Business Secure Router 252 Secure broadband internet access and VPN The Nortel Business Secure Router 252 provides broadband Internet access through ADSL. The Business Secure Router also provides IP address sharing and a firewall protected local network with traffic management.
After installing your Nortel Business Secure Router 252, continue with the rest of this guide for configuration instructions. Caution: Electro-static Discharge can disrupt the router. Use appropriate handling precautions to avoid ESD.
Note: Please use only No. 26 AWG (American Wire Gauge) or larger telecommunication line cord.
No parity, 8 data bits, 1 stop bit, flow control set to none
Initial screen
When you turn on your Business Secure Router, it performs several internal tests as well as line initialization.
Business Secure Router will automatically log you off and display a blank screen. If you see a blank screen, press [ENTER] to bring up the logon screen again. Navigating the SMT interface The SMT is an interface that you use to configure your Business Secure Router. Figure...
After you enter the password, the SMT displays the Business Secure Router Main Menu, as shown in Figure
Descriptions To move forward to a submenu, type in the number of the desired submenu and press [ENTER].
Figure 4 Main menu
Business Secure Router Main Menu
Getting Started
1. General Setup
2. WAN Setup
3. LAN Setup
4. Internet Access Setup
Advanced Applications
11. Remote Node Setup
12. Static Routing Setup
14. Dial-in User Setup
15. NAT Setup...
Use this menu to exit (necessary for remote configuration).
Menu 23.1 – System Security – Change Password
Old Password= ****
New Password= ?
Retype to confirm= ?
Enter here to CONFIRM or ESC to CANCEL:
Third System DNS Server= From ISP IP Address= N/A Edit Dynamic DNS= No Route IP= Yes Bridge= No Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. Figure 7. Fill in the...
Figure Description Choose a descriptive name for identification purposes. Nortel recommends you enter your computer name in this field. This name can be up to 30 alphanumeric characters long. Spaces, dashes (-) and underscores (_) are accepted. Enter the domain name (if you know it) here. If you leave this field blank, the ISP assigns a domain name via DHCP.
DNS server IP address in the field to the right. With a private DNS server, you must also configure the first DNS server entry in SMT menu 3.1 to use DNS Relay. Example...
DNS queries to the private DNS server. One of the rule’s IP policies must include the LAN IP address of the Business Secure Router as a local IP address and the IP address of the DNS server as a remote IP address.
DDNS does not work with a private IP address. When both fields are set to No, the Business Secure Router must have a public WAN IP address in order for DDNS to work. to configure Dynamic DNS parameters. http://www.dyndns.org/ www.dyndns.org Example www.dyndns.org...
Press [SPACE BAR] to select Yes and then press [ENTER] to have the DDNS server automatically update the IP address of the host names with the public IP address that the Business Secure Router uses or is behind. You can set this field to Yes whether the IP address is public or private, static or dynamic.
This chapter explains how to configure the settings for your WAN port and how to configure the Business Secure Router for a dial backup connection. WAN setup From the main menu, enter 2 to open Menu 2.
Init= N/A Edit Advanced Setup= N/A Figure Description The Business Secure Router uses the connection with the lowest metric value first. The default WAN connection is 1 as your broadband connection through the WAN port must always be your preferred method of accessing the WAN.
2.1 — Advanced Setup. After you complete this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. Example 115200 at&fs0=0...
This field sets the priority for this route among the routes the Business Secure Router uses. The metric represents the cost of transmission. A router determines the best route for transmission by choosing a path with the lowest cost. RIP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks.
To edit the advanced setup for the Dial Backup port, move the cursor to the Edit Advanced Setup field in Menu 2 - WAN Setup, press the [SPACE BAR] to select Yes, and then press [ENTER]. Figure 12 on...
Enter the keyword that precedes the CLID (Calling Line Identification) in the AT response string. This lets the Business Secure Router capture the CLID in the AT response string that comes from the WAN device. CLID is required for CLID authentication.
Secure Router to wait between dropping a callback request call and dialing the corresponding callback call. (Figure 12) and configure the setup for your Dial Backup Default CONNECT Default 60 seconds 0 to disable the...
Figure 12 Menu 11.2 – Remote Node Profile (Backup ISP) Menu 11.2 - Remote Node Profile (Backup ISP) Rem Node Name= GUI Active= No Outgoing: My Login= My Password= ******** Retype to Confirm= ******** Authen= CHAP/PAP Pri Phone #= ? Sec Phone #= Press ENTER to Confirm or ESC to Cancel: Table 11...
10 minutes every hour, set the Allocated Budget to 10 (minutes) and the Period to 1 (hour). (see “Editing PPP for more information. for more information.
Idle Timeout Editing PPP options The Business Secure Router dial back-up feature uses PPP. To edit the remote node PPP options, move the cursor to the [Edit PPP Options] field in Menu 11.2 - Remote Node Profile, and use the space bar to select [Yes]. Press [Enter] to open Menu 11.2.1 as shown in...
CISCO PPP if your Dial Backup WAN device uses Cisco PPP encapsulation, otherwise select Standard PPP. Press [SPACE BAR] and then [ENTER] to select Yes to enable or No to disable Stac compression. EXAMPLE Standard PPP (default) (default)
IP address here if you know it (static). Leave this field set to 0.0.0.0 to have the ISP or other remote router dynamically send its subnet mask if you do not know it. Enter the remote gateway’s subnet mask here if you know it (static).
Press [SPACE BAR] and then [ENTER] to select the RIP direction from Both/ None/In Only/Out Only and None. Version Press [SPACE BAR] and then [ENTER] to select the RIP version from RIP-1/RIP-2B/RIP-2M. Example 0.0.0.0 (default) None...
For some remote gateways, text logon is required before PPP negotiation is started. The Business Secure Router provides a script facility for this purpose. The script has six programmable sets; each set is composed of an Expect string and a ‘Send’...
Page 69
They are replaced with the outgoing login name and password in the remote node when the Business Secure Router sees them in a ‘Send’ string. Note that both variables must be entered exactly as shown. No other characters can appear before or after, either, i.e., they must be used alone in response to logon...
Press [SPACE BAR] and then [ENTER] to select either Yes to enable the AT strings or No to disable them. Enter an Expect string to match. After matching the Expect string, the Business Secure Router returns the string in the Send field. matched.
Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL: Chapter 11, “Filter configuration,” on page 133 Menu 11.2.4 -...
With Menu 3, you can specify the filter sets that you wish to apply to the LAN traffic. You seldom need to filter the LAN traffic; however, the filter sets are useful to block certain packets, reduce traffic, and prevent security breaches. Enter Menu Selection Number:
Figure 18 Menu 3.1 – LAN Port Filter Setup Menu 3.1 – LAN Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: TCP/IP and DHCP ethernet setup menu From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup.
DHCP server. If set to None, the DHCP server will be disabled. This field specifies the first of the contiguous addresses in the IP address pool. Example Server 192.168.1.2...
(read-only) DNS server IP address that the ISP assigns. If you chose From ISP, but the Business Secure Router has a fixed WAN IP address, From ISP changes to None after you save your changes. If you chose From ISP for...
IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and third network. Press [ENTER] to open Menu 3.2.1 - IP Alias Setup, as shown in Table 15 to configure TCP/IP parameters for the LAN port.
Router in dotted decimal notation. Your Business Secure Router automatically calculates the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the Business Secure Router. Example 192.168.1.1 255.255.255.0...
Business Secure Router. Outgoing Protocol Enter the filter sets you wish to apply to the Filters outgoing traffic between this node and the Business Secure Router. Example None RIP-1...
You only need to know the Ethernet Encapsulation Gateway IP address if you are using ENET ENCAP encapsulation. From the main menu, type 4 to display Menu 4 — Internet Access Setup, as shown in the following figure.
You can deactivate the firewall in menu 21.2 or using the embedded WebGUI in the Business Secure Router. You can also define additional firewall rules or modify existing ones, but exercise extreme caution in doing so. For more information about the firewall, see Nortel Business Secure Router 252 Configuration — Basics (NN47923-500). Description...
If you encounter a case where the peer disconnects right after a successful authentication, please make sure that you specify the correct authentication protocol when connecting to such an implementation.
The first is that idle timeout is disabled. The second is that the Business Secure Router will try to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be very expensive for obvious reasons.
Selecting RFC-1483 encapsulation with VC-based multiplexing requires the least amount of overhead (0 octets). However, if there is a potential need for multiple protocol support in the future, it may be safer to select PPPoA encapsulation instead of RFC-1483, so you do not need to reconfigure either computer later.
Select Yes to enable and No to disable. Edit IP/Bridge Press [SPACE BAR] to select Yes and press [ENTER] to display Menu 11.3 – Remote Node Network Layer Options. Example ENET ENCAP LLC-based...
Type the number of seconds (0-9999) that can elapse when the Business Secure Router is idle (there is no traffic going to the remote node), before the Business Secure Router automatically disconnects the remote node. 0 means that the session will not timeout.
Rem IP Addr This is the IP address you entered in the previous menu. Rem Subnet Type the subnet mask assigned to the remote node. Mask Bridge Options: Ethernet Addr Timeout(min)= Example Dynamic...
Feature if you have multiple public WAN IP addresses for your Business Secure Router. Select SUA Only if you have just one public WAN IP address for your Business Secure Router. The SMT uses Address Mapping Set 255 (menu 15.1.255 - Figure 40).
For more information on defining the filters, please refer to Chapter 11, “Filter configuration.” For PPPoE or PPPoA encapsulation, you have the additional option of specifying remote node call filter sets. Menu 11.1.4-...
Menu 11.6 - Remote Node ATM Layer Options VC Options for Bridge: VPI #= 1 VCI #= 36 Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle.
Figure 29 Menu 11.6 for LLC-based Multiplexing or PPP Encapsulation In this case, only one set of VPI and VCI numbers need be specified for all protocols. The valid range for the VPI is 0 to 255 and for the VCI is 32 to 65535 (1 to 31 is reserved for local management of ATM traffic).
PPPoE client software on their computers to connect to the ISP. After you complete this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. Figure...
Router. IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown in Figure 32 to configure IP static routes in menu 12. 1.
Figure 32 Menu 12 – IP Static Route Setup Menu 12 - IP Static Route Setup 1. ________ 2. ________ 3. ________ 4. ________ 5. ________ 6. ________ 7. ________ 8. ________ 9. ________ 10. ________ 11. ________ 12. ________ Now, enter the index number of the static route that you want to configure.
Enter the IP address of the gateway. The gateway is an immediate neighbor of your Business Secure Router that forwards the packet to the destination. On the LAN, the gateway must be a router on the same segment as your Business Secure Router; over the WAN, the gateway must be the IP address of one of the remote nodes.
By storing user profiles locally, your Business Secure Router can authenticate users without interacting with a network RADIUS server. Follow the steps below to set up user profiles on your Business Secure Router. From the main menu, enter 14 to display Menu 14 - Dial-in User Setup.
Figure 35 Menu 14.1 – Edit Dial-in User Menu 14.1 - Edit Dial-in User User Name= test Active= Yes Password= ******** Press ENTER to Confirm or ESC to Cancel: Leave name field blank to delete profile Table 22 describes the fields in Table 22 Menu 14.1- Edit Dial-in User Field User Name...
NAT for Internet access in menu 4. Enter 4 from the main menu to go to Menu 4 - Internet Access Setup. see“Address Mapping Sets” on page (Figure 37 on page 108. The 107). Figure 36...
Mapping Set 255 (menu 15.1 - “Address Mapping Sets” on page 108). Choose SUA Only if you have just one public WAN IP address for your Business Secure Router. Options Full Feature None SUA Only...
NAT setup Use the address mapping sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN. You can see two NAT address mapping sets in menu 15.1. You can only configure Set 1. Set 255 is used for SUA.
SUA Address Mapping Set Enter 255 to display the screen shown in Figure 40 (see “SUA (Single User Account) Versus NAT” on page 105). The fields in this menu cannot be changed.
Figure 40 Menu 15.1.255 – SUA Address Mapping Rules Set Name= SUA Local Start IP Local End IP --------------- --------------- 0.0.0.0 255.255.255.255 Press ENTER to Confirm or ESC to Cancel: Table 24 explains the fields in Note: Menu 15.1.255 is read-only. Table 24 SUA Address Mapping Rules Field Set Name...
Name field means that this is a required field and you must enter a name for the set. Note: The entire set is deleted if you leave the Set Name field blank and press [ENTER] at the bottom of the screen. “General NAT examples” on Example 255.255.255.255 0.0.0.0...
Ordering your rules Ordering your rules is important because the Business Secure Router applies the rules in the order that you specify. When a rule matches the current packet, the Business Secure Router takes the corresponding action and the remaining rules are ignored.
42, Menu 15.1.1.1 - Address Mapping Rule in which you can edit an individual rule and configure the Type, Local and Global Start/End IPs. Note: An IP End address must be numerically greater than its corresponding IP Start address. Example NAT_SET Edit...
Figure 42 Menu 15.1.1.1: Editing or configuring an individual rule in a set Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= = N/A Global IP: Start= = N/A Press ENTER to Confirm or ESC to Cancel: Table 26 describes the fields in Table 26 Menu 15.1.1.1: Editing or configuring an individual rule in a set Field...
Global IP Start Configuring a server behind NAT Note: If you do not assign a Default Server IP address, the Business Secure Router discards all packets received for ports that are not specified here or in the remote management setup.
Figure 43 Menu 15.2 – NAT Server Sets Menu 15.2 - NAT Server Setup Default Server: 0.0.0.0 Rule Act. Start Port ------------------------------------------------------ Select Command= None Press ENTER to Confirm or ESC to Cancel: Select Edit Rule in the Select Command field; type the index number of the NAT server you want to configure in the Select Rule field and press [ENTER] to open Menu 15.2.1 - NAT Server Configuration (see the next figure).
Enter a port number in the Start Port field. To forward only one port, enter it again in the End Port field. To specify a range of ports, enter the last port to be forwarded in the End Port field. Index= 1 End port= 0...
Enter the inside IP address of the server in the IP Address field. In the following figure, you have a computer acting as an FTP, Telnet and SMTP server (ports 21, 23 and 25) at 192.168.1.33. Press [ENTER] at the “Press ENTER to confirm …” prompt to save your configuration after you define all the servers or press [ESC] at any time to cancel.
In the Internet access example shown in Figure 47, you only need one rule where all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP.
Network Address Translation field in menus 4 and 11.3 is specifically preconfigured to handle this case. Business Secure Router Menu 4 - Internet Access Setup Press ENTER to Confirm or ESC to Cancel: “General NAT examples” on page...
In this case, you do exactly as shown in Figure 49 (use the convenient pre-configured SUA Only set), and also go to menu 15.2 to specify the Inside Server behind the NAT as shown in Figure
In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server. All departments share the same router. The example reserves one IGA for each department with an FTP server and all departments use the other IGA.
Start IP as 10.132.50.1 (our first IGA) (see Figure 53). Repeat the previous step for rules 2 to 4 as outlined above. When finished, menu 15.1.1 looks as shown in
Figure 52 Example 3: Menu 11.3 Menu 11.3 - Remote Node Network Layer Options IP Options: IP Address Assignment = Dynamic Rem IP Addr = 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0 NAT= Full Feature Address Mapping Set= 1 Metric= 15 Private= No RIP Direction= None...
Figure 53 Example 3: Menu 15.1.1.1 Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= 192.168.1.10 = N/A Global IP: Start= 10.132.50.1 = N/A Press ENTER to Confirm or ESC to Cancel:
Figure 54 Example 3: Final Menu 15.1.1 Menu 15.1.1 - Address Mapping Rules Set Name= Example3 Local Start IP Local End IP --------------- --------------- 1. 192.168.1.10 192.168.1.11 3. 0.0.0.0 255.255.255.255 Now configure the IGA3 to map to our web server and mail server on the LAN. Enter 15 from the main menu.
Enter 3 in menu 15 to display Menu 15.3 — Trigger Port Setup, shown in Figure Menu 15.2 - NAT Server Setup Start Port End Port Select Rule= N/A IP Address 192.168.1.21 192.168.1.20 0.0.0.0 0.0.0.0 0.0.0.0...
Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The Business Secure Router forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service.
Enter a port number or the ending port number in a range of port numbers. Press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel. Example 7070 7070...
[SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks. Use the WebGUI to configure firewall rules. Enter Menu Selection Number: Figure Figure 58. Press...
Figure 58 Menu 21.2 – Firewall Setup Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off. Refer to the User’s Guide for details about the firewall default policies.
This chapter shows you how to create and apply filters. Introduction to filters Your Business Secure Router uses filters to decide whether to allow passage of a data packet, make a call, or both. There are two types of filter applications: data filtering and call filtering.
NetBIOS, into a single set and give it a descriptive name. With the Business Secure Router, you can configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You cannot mix device filter rules and protocol filter rules within the same set.
You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. Start Packet into...
Configuring a Filter Set The Business Secure Router includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. Enter 21 in the main menu to open menu 21. Figure 61 Menu 21 – Filter and Firewall Setup Menu 21 - Filter and Firewall Setup 1.
Filter Set # Comments ------ ----------------- _______________ _______________ _______________ _______________ _______________ _______________ Figure 63 shows the summary of the existing rules in the Table 30 contain a brief description of the abbreviations
Table 29 Abbreviations used in the Filter Rules Summary Menu Field Type Filter Rules These parameters are displayed here. Table 30 Rule abbreviations used Abbreviation The next section provides information on configuring the filter rules. Description The filter rule number: 1 to 6. Active: “Y”...
When applying the filter sets to a port, separate menu fields are provided for protocol and device filter sets. If you include a protocol filter set in a device filter field or vice versa, the Business Secure Router warns you and prevents you from saving.
Figure 63 Menu 21.1.1.1 – TCP/IP Filter Rule Menu 21.1.1.1 - TCP/IP Filter Rule Filter #: 1,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 0 Destination: IP Addr= Source: IP Addr= TCP Estab= N/A More= No Action Matched= Check Next Rule Action Not Matched= Check Next Rule Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle.
Action Matched - Only packets that match the rule parameters are logged. Action Not Matched - Only packets that do not match the rule parameters are logged. Both – All packets are logged. Options 0.0.0.0 0-65535 None...
Table 31 TCP/IP Filter Rule Menu fields Field Action Matched Action Not Matched Figure 64 illustrates the logic flow of an IP filter. Description Press [SPACE BAR] and then [ENTER] to select the action for a matching packet. Press [SPACE BAR] and then [ENTER] to select the action for a packet not matching the rule.
[Figure 64, logic flow of an IP filter. Recoverable flowchart labels: Check Src & Dest Port; More?; Action Matched (Check Next Rule, Drop, Forward); Action Not Matched (Check Next Rule, Drop, Forward); Drop Packet; Accept Packet]
For IP packets, it is generally easier to use the IP rules directly. For generic rules, the Business Secure Router treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes.
The range for this field is 0 to 8. Mask: Enter the mask (in hexadecimal notation) to apply to the data portion before comparison. Log= None Options Generic Filter Rule TCP/IP Filter...
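The Offset, Length and Mask comparison described above can be modelled in a few lines. This is an added example, not Nortel firmware code; it assumes that the 0 to 8 range applies to the Length field, that the masked bytes are compared against a hexadecimal Value field, and that the byte stream starts at the IP header (the page does not say where offset 0 falls). The sample packet is constructed.

```python
"""Added example: offset/length/mask comparison for a generic filter rule."""

MAX_LENGTH = 8   # assumption: the "0 to 8" range on the page is the Length field

# Constructed sample: IPv4 header (20 bytes) followed by the first four bytes
# of a TCP header (source port 40000, destination port 23).
SAMPLE = bytes.fromhex(
    "45000028" "00010000" "4006" "0000"   # version/IHL ... TTL, protocol=06, checksum
    "c0a80121" "c0a80101"                 # source and destination address
    "9c40" "0017"                         # TCP source port, destination port
)


def generic_match(packet: bytes, offset: int, length: int,
                  mask_hex: str, value_hex: str) -> bool:
    """Return True when packet[offset:offset+length] & mask equals value."""
    if offset < 0 or not 0 <= length <= MAX_LENGTH:
        raise ValueError("offset must be >= 0 and length within 0..8")
    mask = bytes.fromhex(mask_hex)
    value = bytes.fromhex(value_hex)      # assumed Value field, hexadecimal
    if len(mask) != length or len(value) != length:
        raise ValueError("mask and value must each be exactly `length` bytes")
    # A value bit outside the mask can never survive the AND, so the rule
    # would silently never match; reject it when the rule is written.
    if any(v & ~m & 0xFF for v, m in zip(value, mask)):
        raise ValueError("value has bits set outside the mask")
    data = packet[offset:offset + length]
    if len(data) < length:
        return False                      # packet too short to hold the field
    return all((d & m) == v for d, m, v in zip(data, mask, value))


if __name__ == "__main__":
    print("protocol is TCP:", generic_match(SAMPLE, 9, 1, "ff", "06"))
    print("IP version 4:   ", generic_match(SAMPLE, 0, 1, "f0", "40"))
    print("dest port 23:   ", generic_match(SAMPLE, 22, 2, "ffff", "0017"))
```

Fixed offsets only line up when the headers in front of the field have a fixed size, which is one reason the page recommends the IP rules for IP packets.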
This data is now displayed on Menu 21.1.1 - Filter Rules Summary. Example Filter The example shown in Figure 66 is set to block outside users from accessing the Business Secure Router via Telnet. See the included disk for more filter rule examples.
Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.3 - Filter Rules Summary. Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in Figure...
Figure 67 Example Filter: Menu 21.1.3.1 Menu 21.1.3.1 - TCP/IP Filter Rule Filter #: 3,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 23 Port # Comp= Equal Source: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 0 Port # Comp= None...
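The rule logic flow and the Telnet example can be checked against a small software model. This is an added example, not Nortel code. Its assumptions: IP Protocol= 0 matches any protocol, inactive rules are skipped, a packet that reaches the end of the set with no decision is forwarded, the example rule uses Action Matched= Drop and Action Not Matched= Forward (both are cut off in Figure 67), and the More field is not modelled.

```python
"""Added example: software model of a TCP/IP filter set (not router firmware)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

CHECK_NEXT, FORWARD, DROP = "Check Next Rule", "Forward", "Drop"


@dataclass
class Packet:
    protocol: int              # IP protocol number, e.g. 6 = TCP, 17 = UDP
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Endpoint:
    """The IP Addr / IP Mask / Port # / Port # Comp group of one rule."""
    ip_addr: str = "0.0.0.0"
    ip_mask: str = "0.0.0.0"
    port: int = 0
    port_comp: str = "None"    # only the values visible in Figure 67

    def matches(self, addr: str, port: int) -> bool:
        mask = int(IPv4Address(self.ip_mask))
        # A 0.0.0.0 mask zeroes both sides, so every address matches.
        if (int(IPv4Address(addr)) & mask) != (int(IPv4Address(self.ip_addr)) & mask):
            return False
        if self.port_comp == "None":
            return True
        if self.port_comp == "Equal":
            return port == self.port
        raise ValueError(f"unsupported Port # Comp: {self.port_comp}")


@dataclass
class TcpIpRule:
    active: bool = True
    ip_protocol: int = 0       # assumption: 0 means "any protocol"
    destination: Endpoint = field(default_factory=Endpoint)
    source: Endpoint = field(default_factory=Endpoint)
    action_matched: str = CHECK_NEXT
    action_not_matched: str = CHECK_NEXT

    def matches(self, pkt: Packet) -> bool:
        if self.ip_protocol not in (0, pkt.protocol):
            return False
        return (self.destination.matches(pkt.dst, pkt.dport)
                and self.source.matches(pkt.src, pkt.sport))


def evaluate(filter_set, pkt: Packet) -> str:
    """Walk the rules in order and return FORWARD or DROP."""
    for rule in filter_set:
        if not rule.active:
            continue           # assumption: inactive rules are skipped
        action = rule.action_matched if rule.matches(pkt) else rule.action_not_matched
        if action != CHECK_NEXT:
            return action
    return FORWARD             # assumption: nothing decided, packet passes


# Rule 3,1 from Figure 67; both action values are assumed (cut off on the page).
TELNET_BLOCK = [
    TcpIpRule(ip_protocol=6,
              destination=Endpoint(port=23, port_comp="Equal"),
              action_matched=DROP,
              action_not_matched=FORWARD)
]

if __name__ == "__main__":
    # Constructed packets (documentation address ranges).
    for pkt in (Packet(6, "203.0.113.9", 40000, "192.168.1.1", 23),
                Packet(6, "203.0.113.9", 40001, "192.168.1.1", 80),
                Packet(17, "203.0.113.9", 40002, "192.168.1.1", 23)):
        print(pkt, "->", evaluate(TELNET_BLOCK, pkt))
```

In this model a rule whose Action Not Matched is Forward ends evaluation for every packet it does not match, so any rule placed after it is never consulted; in a set with several rules, only the last one should decide on a non-match.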
TCP/IP filter rules are discussed in more detail in the next section. When NAT (Network Address Translation) is enabled, the inside IP address and port number Menu 21.1.3 - Filter Rules Summary Filter Rules Figure M m n N D F...
This section shows you where to apply the filters after you design them. The Business Secure Router already has filters to prevent NetBIOS traffic from triggering calls, and to block incoming Telnet, FTP and HTTP connections. Note: Nortel recommends that you apply filters if you do not activate the firewall. Figure Chapter 10, “Introducing the firewall,”...
Telnet, FTP and HTTP connections. For PPPoE or PPPoA encapsulation, you have the additional option of specifying remote node call filter sets. Figure 71 – note that call filter sets are only present...
To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The community for Get, Set and Trap fields is SNMP terminology for password.
Set requests from the management station. If you enter a trusted host, your Business Secure Router will only respond to SNMP messages from this address. A blank (default) field means your Business Secure Router will respond to all SNMP messages it receives, regardless of source.
SNMP Traps The Business Secure Router sends traps to the SNMP manager when any one of the following events occurs: Table 34 SNMP Traps Trap # Trap Name coldStart (defined in RFC-1215) warmStart (defined in RFC-1215) authenticationFailure (defined in RFC-1215)
System password Figure 73 Menu 23 – System security Nortel recommends you change the default password. If you forget your password, you have to restore the default configuration file. For more information, see “Restoring the factory-default configuration settings” in Nortel Business Secure Router 252 Configuration —...
Configuring external RADIUS server Enter 23 in the main menu to display Menu 23 – System security. Figure 74 Menu 23 – System Security From Menu 23- System Security, enter 2 to display Menu 23.2 – System Security – RADIUS Server, as shown in Figure 75 Menu 23.2 –...
After you complete this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen. Figure...
The IEEE 802.1x standards outline enhanced security methods for both the authentication of users and encryption key management. Follow the steps below to enable EAP authentication on your Business Secure Router. From the main menu, enter 23 to display Menu 23 – System Security. Figure 76 Menu 23 – System Security Enter 4 to display Menu 23.4 –...
This field is activated only when you select Authentication Required in the Port Control field. The default time interval is 3600 seconds (or 1 hour). Figure...
ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen. After you enable user authentication, you need to specify an external RADIUS server or create local user accounts on the Business Secure Router for authentication. Description The authentication database contains user login information.
Secure Router. These tools include updates on system status, port status and log and trace capabilities. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown in Figure...
System Status is a tool that can be used to monitor your Business Secure Router. Specifically, it gives you information on your system firmware version, number of packets sent, and number of packets received.
The number of error packets on this connection. This shows the transmission rate in bytes per second. This shows the receiving rate in bytes per second. 11:48:18 Tue. Jun. 06, 2006 Tx B/s...
Table 37 Menu 24.1 System Maintenance: Status (continued) Field Up Time My WAN IP (from ISP) Ethernet Status Tx Pkts Rx Pkts Collision Line Status Upstream Speed Downstream Speed CPU Load System information and console port speed With your system you can choose different console port speeds. To get to the System Information and Console Port Speed.
Please enter selection: System Information System Information gives you information about your system, as shown in Figure 81. More specifically, it gives you information on your routing protocol, Ethernet address and IP address.
Multiplexer) are using. Refers to the Ethernet MAC (Media Access Control) of your Business Secure Router. This is the IP address of the Business Secure Router in dotted decimal notation. This shows the subnet mask of the Business Secure Router.
Figure 82 Menu 24.2.2 – System Maintenance – Change Console Port Speed Menu 24.2.2 – System Maintenance – Change Console Port Speed Log and trace The Business Secure Router has a syslog facility for message logging, and a trace function for viewing call-triggering packets. Description This field shows the DHCP setting (None, Relay or Server) of the Business Secure Router.
Figure 83 Menu 24.3 – System Maintenance: Log and Trace Syslog logging The Business Secure Router uses the syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog and accounting can be configured in Menu 24.3.2 - System Maintenance - Syslog Logging, as shown Figure Figure 84 Menu 24.3.2 –...
Firewall log
Firewall Log Message Format
SdcmdSyslogSend(SYSLOG_FIREWALL, SYSLOG_NOTICE, buf);
buf = IP[Src=xx.xx.xx.xx : spo=xxxx Dst=xx.xx.xx.xx : dpo=xxxx | prot | rule | action]
Src: Source Address
spo: Source port (empty means no source port information)
Dst: Destination Address
dpo: Destination port (empty means no destination port information)
prot: Protocol ("TCP", "UDP", "ICMP", "IGMP", "GRE", "ESP")
rule: <a,b>...
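A syslog collector can turn the firewall message format above into structured fields. This is an added example, not Nortel code: the sample lines are constructed, and because the page cuts off the meaning of the rule and action fields, both are kept as opaque text and the action words in the samples are placeholders.

```python
"""Added example: parser for the firewall log message format shown above."""
import re
from collections import Counter
from ipaddress import IPv4Address

PROTOCOLS = {"TCP", "UDP", "ICMP", "IGMP", "GRE", "ESP"}   # list from the page

LOG_RE = re.compile(
    r"IP\[\s*Src=(?P<src>[0-9.]+)\s*:\s*spo=(?P<spo>\d*)\s+"
    r"Dst=(?P<dst>[0-9.]+)\s*:\s*dpo=(?P<dpo>\d*)\s*\|\s*"
    r"(?P<prot>[A-Za-z]+)\s*\|\s*(?P<rule><[^>]*>)\s*\|\s*(?P<action>[^\]|]*?)\s*\]"
)

# Constructed sample lines; "drop" and "forward" are placeholder action text.
SAMPLE_LINES = [
    "IP[Src=203.0.113.9 : spo=40000 Dst=192.168.1.1 : dpo=23 | TCP | <1,2> | drop]",
    "IP[Src=203.0.113.9 : spo=40001 Dst=192.168.1.1 : dpo=23 | TCP | <1,2> | drop]",
    "IP[Src=198.51.100.7 : spo= Dst=192.168.1.1 : dpo= | ICMP | <1,2> | drop]",
    "IP[Src=192.168.1.33 : spo=1025 Dst=198.51.100.7 : dpo=53 | UDP | <1,1> | forward]",
    "IP[Src=999.1.1.1 : spo=1 Dst=192.168.1.1 : dpo=23 | TCP | <1,2> | drop]",
    "unrelated syslog text",
]


def parse_port(text):
    """Empty port text means the message carried no port information."""
    if text == "":
        return None
    port = int(text)
    if port > 65535:
        raise ValueError("port out of range")
    return port


def parse_firewall_log(line):
    """Return a dict of fields, or None when the line is not a valid record."""
    m = LOG_RE.search(line)
    if m is None or m["prot"].upper() not in PROTOCOLS:
        return None
    try:
        return {
            "src": str(IPv4Address(m["src"])),
            "spo": parse_port(m["spo"]),
            "dst": str(IPv4Address(m["dst"])),
            "dpo": parse_port(m["dpo"]),
            "prot": m["prot"].upper(),
            "rule": m["rule"],        # kept opaque: meaning of <a,b> is cut off
            "action": m["action"],    # kept opaque: value list is not on the page
        }
    except ValueError:                # bad address or port: treat as malformed
        return None


def sources_by_dport(lines, dport, prot="TCP"):
    """Count log entries per source address for one destination port."""
    hits = Counter()
    for line in lines:
        entry = parse_firewall_log(line)
        if entry and entry["prot"] == prot and entry["dpo"] == dport:
            hits[entry["src"]] += 1
    return hits


if __name__ == "__main__":
    print(sources_by_dport(SAMPLE_LINES, 23))
```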
With the diagnostic facility, you can test the different aspects of your Business Secure Router to determine if it is working properly. In Menu 24.4, you can choose among various types of diagnostic tests to evaluate your system, as shown in Figure...
WAN DHCP DHCP functionality can be enabled on the LAN or WAN as shown in WAN & LAN DHCP. LAN DHCP is discussed in Nortel Business Secure Router 252 Configuration — Basics (NN47923-500). The Business Secure Router can act either as a WAN DHCP client (IP Address Assignment field in menu 4 or menu 11.3 is Dynamic and the Encapsulation field in menu 4 or menu 11 is Ethernet) or...
Enter the number of the selection you want to perform or press [ESC] to cancel. Business Secure Router for more details. Chapter 5, “Internet...
DHCP Setup and TCP/IP Setup. It comes with a rom filename extension. Once you have customized the Business Secure Router settings, they can be saved back to your computer under a filename of your choosing.
Note that the internal filename refers to the filename on the Business Secure Router and the external filename refers to the filename not on the Business Secure Router, that is, on your computer, local network or FTP site and so the name (but not the extension) can vary.
Enter open, followed by a space and the IP address of your Business Secure Router. Press [ENTER] when prompted for a username. Enter your password as requested (the default password is PlsChgMe!). (Figure 88) For details on backup using TFTP (note that you must...
Enter bin to set transfer mode to binary. Use get to transfer files from the Business Secure Router to the computer, for example, get rom-0 config.rom transfers the configuration file on the Business Secure Router to your computer and renames it config.rom. See earlier in this chapter for more information on filename conventions.
The Business Secure Router supports the uploading and downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over LAN. Nortel does not recommend using TFTP over WAN, although it can work. To use TFTP, your computer must have both Telnet and TFTP clients. To back up the configuration file, follow the procedure shown next.
Enter the IP address of the Business Secure Router. 192.168.1.1 is the Business Secure Router’s default IP address when shipped. Use Send to upload the file to the Business Secure Router and Fetch to back up the file on your computer.
Figure 91 Menu 24.5 System Maintenance: Starting Xmodem Download Screen You can enter ctrl-x to terminate operation any time. Starting XMODEM download... Run the HyperTerminal program by clicking Transfer, then Receive File as shown in Figure for information about Figure...
FTP is the preferred method for restoring your current computer configuration to your Business Secure Router since FTP is faster. Note that you must wait for the system to automatically restart after the file transfer is complete.
Find the rom file (on your computer) that you want to restore to your Business Secure Router. Use put to transfer files from the computer to the Business Secure Router, for example, “put config.rom rom-0” transfers the configuration file config.rom on your computer to the Business Secure Router.
Enter quit to exit the ftp prompt. The Business Secure Router automatically restarts after a successful restore process.
Restore using FTP session example
Figure 95 Restore using FTP session example
ftp> put config.rom rom-0
200 Port command okay
150 Opening data connection for STOR rom-0...
Maintenance – Upload System Configuration File. Warning: Do not interrupt the file transfer process as this can permanently damage your Business Secure Router. Type the configuration file’s location, or click Browse to search for it.
FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client. When you use Telnet to access the Business Secure Router, the screens for uploading firmware and the configuration file using FTP appear.
“put firmware.bin ras” transfers the firmware on your computer (firmware.bin) to the Business Secure Router and renames it “ras”. Similarly, “put config.rom rom-0” transfers the configuration file on your computer Figure 100 appears when you access menu 24.7.2 via Telnet.
TFTP and FTP over WAN. TFTP file upload The Business Secure Router also supports the uploading of firmware files using TFTP (Trivial File Transfer Protocol) over LAN. Although TFTP also works over WAN, Nortel does not recommend doing this.
“TFTP upload command example” on page documentation of your TFTP client program. For UNIX, use get to transfer from the Business Secure Router to the computer, put to transfer from the computer to the Business Secure Router, and binary to set binary transfer mode.
Secure Router. However, in the event of your network being down, uploading files is only possible with a direct connection to your Business Secure Router via the console port. Under normal conditions, Nortel does not recommend uploading files via the console port, as FTP or TFTP are faster. Any serial communications program should work fine;...
Select 2 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.2 – System Maintenance – Upload System Configuration File. Follow the instructions as shown in Type the configuration file’s location, or click Browse to search for it.
The password may change (menu 23), also. port speed will be reset to 9600 bps and the password to "PlsChgMe!". Do You Wish To Proceed:(Y/N) to restart the Business Secure Router. “Uploading Xmodem 195. The procedure for other serial...
Click Transfer, then Send File to display the screen shown in Figure 105 Example Xmodem Upload After the configuration upload process is complete, restart the Business Secure Router by entering Type the configuration file’s location, or click Browse to search for it.
24.8. Access can be by Telnet or by a serial connection to the console port, although some commands are only available with a serial connection. See the included disk or www.nortel.com for more detailed information about CI commands. Enter 8 from Menu 24 - System Maintenance.
Figure 106 Command mode in Menu 24
Menu 24 - System Maintenance
1. System Status
2. System Information and Console Port Speed
3. Log and Trace
4. Diagnostic
5. Backup Configuration
6. Restore Configuration
7. Firmware Update
8. Command Interpreter Mode
9.
Call history chronicles preceding incoming and outgoing calls. To access the call control menu, select option 9 in menu 24 to go to Menu 24.9 - System Maintenance - Call Control, as shown in Figure 107.
Figure 107 Call Control Budget management Menu 24.9.1 shows the budget management statistics for outgoing calls. Enter 1 from Menu 24.9 - System Maintenance - Call Control to bring up the Budget Management menu Menu 24.9 - System Maintenance - Call Control 1.Budget Management 2.Call History Enter Menu Selection Number:...
11.1.) The elapsed time is the time used up within this period. Enter “0” to update the screen or press [ESC] to return to the previous screen. Elapsed Time/Total Period No Budget No Budget...
Call History This is the second option in Menu 24.9 - System Maintenance - Call Control. It displays information about past incoming and outgoing calls. Enter 2 from Menu 24.9 - System Maintenance - Call Control. Figure 109 Call History Menu 24.9.2 - Call History Phone Number Enter Entry to Delete(0 to exit):...
There is a software mechanism to set the time manually or get the current time and date from an external server when you turn on your Business Secure Router. With Menu 24.10, you can update the time and date settings of your Business Secure Router.
Figure 111 Menu 24.10 System Maintenance: Time and Date Setting Menu 24.10 - System Maintenance - Time and Date Setting Time Protocol= NTP (RFC-1305) Time Server Address= a.ntp.alphazed.net Current Time: New Time (hh:mm:ss): Current Date: New Date (yyyy-mm-dd): Time Zone= GMT Daylight Saving= No Start Date (mm-nth-week-hr): End Date (mm-nth-week-hr):...
GMT or UTC (GMT+1). After you fill in this menu, press [ENTER] at the message “Press ENTER to Confirm or ESC to Cancel” to save your configuration, or press [ESC] to cancel.
The Business Secure Router resets the time in three instances:
• After you make changes to and leave menu 24.10
• After the Business Secure Router starts up, if a time server is configured in menu 24.10
• After starting the Business Secure Router, in 24-hour intervals...
To disable remote management of a service, select Disable in the corresponding Server Access field. Enter 11 from menu 24 to bring up Menu 24.11 – Remote Management Control.
[ENTER] to choose from: LAN only, WAN only, ALL or Disable. The default 0.0.0.0 allows any client to use this service to remotely manage the Business Secure Router. Enter an IP address to restrict access to a client with a matching IP address.
Telnet session is disconnected if you begin a web session; it does not begin if a Web session is already running. There is a firewall rule that blocks remote management. for details).
_______________ _______________ _______________ _______________ _______________ Enter Schedule Set Number to Configure= 0 Edit Name= N/A Press ENTER to Confirm or ESC to Cancel: Schedule Set # Name ------ ----------------- _______________ _______________ _______________...
For example, if sets 1, 2, 3, and 4 are applied in the remote node then set 1 takes precedence over sets 2, 3, and 4 as the Business Secure Router, by default, applies the lowest numbered set first. Set 2 takes precedence over sets 3 and 4, and so on.
After you complete this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. Example 2000-01-01 Once...
After you configure your schedule sets, you must apply them to the desired remote nodes. Enter 11 from the Main Menu and then enter the target remote node index. Using [SPACE BAR], select PPPoE or PPPoA in the Encapsulation field and then press [ENTER] to make the schedule sets field available, as shown in Figure 115 Applying Schedule Sets to a Remote Node (PPPoE) Rem Node Name= ChangeMe...
IP addresses that place them in the same subnet as the Business Secure Router LAN port. Windows 95/98/Me Click Start, Settings, Control Panel and double-click the Network icon to open the Network window
Figure 116 Windows 95/98/Me: network: configuration Installing components The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: In the Network window, click Add. b Select Adapter and click Add.
IP Address and Subnet Mask fields. Figure 117 Windows 95/98/Me: TCP/IP properties: IP address Click the DNS Configuration tab. — If you do not know your DNS information, select Disable DNS.
Add. Click OK to save and close the TCP/IP Properties window. Click OK to close the Network window. Insert the Windows CD if prompted. Turn on your Business Secure Router and restart your computer when prompted. Verifying Settings Click Start and then Run.
For Windows XP, click Start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. Figure 119 Windows XP: Start menu For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. Figure 120 Windows XP: Control Panel
Right-click Local Area Connection and then click Properties. Figure 121 Windows XP: Control Panel: Network Connections: Properties Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties. Figure 122 Windows XP: Local Area Connection Properties NN47923-501...
Subnet mask, and then click Add. — Repeat the above two steps for each IP address you want to add. — Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways.
— In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway. To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric. — Click Add. —...
Status and then click the Support tab. Macintosh OS 8/9 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Figure 125 Macintosh OS 8/9: Apple Menu
— Type your IP address in the IP Address box. — Type your subnet mask in the Subnet mask box. — Type the IP address of your Business Secure Router in the Router address box. Close the TCP/IP Control Panel.
— Select Automatic from the Location list. — Select Built-in Ethernet from the Show list. — Click the TCP/IP tab. For dynamically assigned settings, select Using DHCP from the Configure list. Figure 128 Macintosh OS X: Network
— Type your IP address in the IP Address box. — Type your subnet mask in the Subnet mask box. — Type the IP address of your Business Secure Router in the Router address box. Click Apply Now and close the window.
Triangle Route The Ideal Setup When the firewall is on, your Business Secure Router acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the Business Secure Router to protect your LAN against attacks.
The reply from the WAN goes directly to the computer on the LAN without going through the Business Secure Router. As a result, the Business Secure Router resets the connection, as the connection is not acknowledged. Figure 130 Triangle Route Problem...
Subnet 2. The reply from WAN goes to the Business Secure Router. The Business Secure Router sends the response to the computer in Subnet 1. Figure 131 IP Alias Business Secure Router
In Netscape Navigator, you can permanently trust the Business Secure Router server certificate by importing it into your operating system as a trusted certification authority. Select Accept This Certificate Permanently in Figure 132 to do this. Figure 132 Security Certificate
Router, simply import the self-signed certificate into your operating system as a trusted certification authority. To have Internet Explorer trust a Business Secure Router certificate issued by a certificate authority, import the certificate authority’s certificate into your operating system as a trusted certification authority.
Click Install Certificate to open the Install Certificate wizard. Figure 134 Certificate General Information before Import
Select where you want to store the certificate and click Next. Figure 136 Certificate Import Wizard 2
Click Finish to complete the Import Certificate wizard. Figure 137 Certificate Import Wizard 3 Click Yes to add the Business Secure Router certificate to the root store. Figure 138 Root Certificate Store
You must have imported at least one trusted CA to the Business Secure Router in order for the Authenticate Client Certificates to be active (see “Certificates” in Nortel Business Secure Router 252 Configuration — Basics (NN47923-500) for details). Apply for a certificate from a Certification Authority (CA) that is trusted by the Business Secure Router (see the Business Secure Router’s Trusted CA WebGUI...
Figure 140 Business Secure Router Trusted CA screen The CA sends you a package containing the CA’s trusted certificates, your personal certificates and a password to install the personal certificates.
You need a password in advance. The CA can issue the password or you can specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to Figure 141. Figure 142
The file name and path of the certificate you double-clicked automatically appears in the File name text box. Click Browse if you wish to import a different certificate. Figure 143 Personal certificate import wizard 2
Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 145 Personal certificate import wizard 4
Click Finish to complete the wizard and begin the import process. Figure 146 Personal certificate import wizard 5 Figure 147 shows the screen that appears when the certificate is correctly installed on your computer. Figure 147 Personal certificate import wizard 6
Figure 148 Access the Business Secure Router via HTTPS When Authenticate Client Certificates is selected on the Business Secure Router, you are asked to select a personal certificate to send to the Business Secure Router. This screen displays even if you only have a single certificate,...
It allows the ISP to use the existing dial-up model to authenticate and (optionally) to provide differentiated services. Traditional dial-up scenario Figure 151 depicts a typical hardware configuration in which the PCs use traditional dial-up networking.
However, the PPP negotiation is between the PC and the ISP. Business Secure Router as a PPPoE client When using the Business Secure Router as a PPPoE client, the PCs on the LAN see only the Ethernet and are not aware of the PPPoE. This relieves the administrator from having to manage the PPPoE clients on the individual PCs.
Figure 152 Business Secure Router as a PPPoE Client
(Data Terminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment). The Business Secure Router is DCE when you connect a computer to the console port. The Business Secure Router is DTE when you connect a modem to the dial backup port.
ID. • Class D addresses begin with 1 1 1 0. Class D addresses are used for multicasting. (There is also a class “E” address, which is reserved for future use.)
Table 51 Classes of IP addresses IP Address: Octet 1 Class A Network number Class B Network number Class C Network number Note: Host IDs of all zeros or all ones are not allowed. Therefore: A class C network (8 host bits) can have 2 A class B address (16 host bits) can have 2 A class A address (24 host bits) can have 2 hosts).
This is usually specified by writing a / followed by the number of bits in the mask after the address. For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with mask 255.255.255.128. Natural mask 255.0.0.0 255.255.0.0 255.255.255.0
255.255.255.192 255.255.255.224 255.255.255.240 255.255.255.248 255.255.255.252 The first mask shown is the class C natural mask. Normally, if no mask is specified, it is understood that the natural mask is being used. Example: two subnets As an example, you have a class C address 192.168.1.0 with subnet mask of 255.255.255.0.
192.168.1. 11000000.10101000.00000001. 255.255.255. 11111111.11111111.11111111. Lowest Host ID: 192.168.1.129 Highest Host ID: 192.168.1.254 – 2 or 126 hosts for each subnet. Last Octet bit value 00000000 10000000 Last octet bit value 10000000 10000000...
192.168.1.0 with mask 255.255.255.128 is the subnet itself, and 192.168.1.127 with mask 255.255.255.128 is the directed broadcast address for the first subnet. Therefore, the lowest IP address that can be assigned to an actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254.
Lowest Host ID: 192.168.1.129 Highest Host ID: 192.168.1.190 Network number 192.168.1. 11000000.10101000.00000001. 11111111.11111111.11111111. Lowest Host ID: 192.168.1.193 First Address Last Address Last Octet Bit Value 10000000 11000000 Last Octet Bit Value 11000000 11000000 Broadcast Address...
The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or www.nortel.com for more detailed information on these commands.
Sets or displays the system’s current date. Sets or displays the system time. Sets how often the Business Secure Router gets the date and time from the time server. Gets the date and time from the time server. Displays the domain name that the device sends to the LAN DHCP clients.
[0:none/ 1:log] ppp [0:none/1:log] remote [0:none/1:log] tcpreset [0:none/1:log] upnp [0:none/1:log] Description Removes extra phone numbers. Resets node and mask. Displays a list of the device’s major features. Displays the ISDN firmware type.
<0:no|1:yes> display trilog <0:no|1:yes> [0:cold boot/1: immediate reboot/2: bootModule debug mode] [minute] Description Sets the log e-mail’s subject. Enables or disables SMTP authentication. Sets the SMTP authentication username. Sets the SMTP authentication password.
Table 64 Sys commands Command display debug listPerHost sessPerHost timeout trcdisp trclog switch online display icmp igmp tcpsyn tcpfin others parse, brief, disp [on|off] [on|off] Description Shows all runtime Temporarily Open Sessions. Turns TOS debug message on or off. Displays all hosts session counts.
[on|off] [on|off] [on|off] <addr> <port> Description Sets the level (1-10) of trace logs (1 shows the least) to display. Uses hexadecimal characters to set the type of trace logs to record.
Table 64 Sys commands Command parse brief version view wdog switch romreset server pwderrtm upnp active config display firewall [[start_idx], end_idx] <filename> [on|off] [value] access <telnet|ftp|web|icmp|snmp| dns> <value> load disp port <telnet|ftp|web|snmp> <port> save secureip <telnet|ftp| web|icmp|snmp|dns> <ip> [minute] [0:no/1:yes] [0:deny/1:permit] [0:deny/1:pass]...
<0:Between LAN and WAN/ 3: IPSec Pass through/ 4: Trigger Dial> <on|off> <level> <iface name> Description Saves UPnP information. Saves UPnP information. Displays the system socket’s ID #, type, control block address (PCB), IP...
Exit Command Table 65 Exit Command Command exit Ethernet Commands Table 66 lists and describes the Ethernet commands. Each of these commands must be preceded by information on the LAN configuration. Table 66 Ether Commands Command config driver disp <name> status <ch_name>...
<ip address> Displays the IP address of a domain name. name <host name> Configures the system DNS server settings. Shows the system DNS server settings. display to display the host IP address.
Page 278
Shows the LAN DNS server settings. display Enables or disables the HTTP debug flag. debug [on|off] This command currently does not work. Displays the ICMP statistics counter. Sets the ICMP router discovery flag. <iface> [on|off] Configures a network interface. [iface] [ipaddr] [broadcast <addr> |mtu <value>|dynamic]...
Page 279
Sends ICMP packets to trace the route of a remote host. <host> [ttl] [wait] [queries]
Add iface2 to the iface1’s group. <iface1> [<iface2>]
Remove the specified interface from the ipxparent group. <iface>
Page 280
Table 67 IP commands Command enable exemptZone customize tredir failcount partner target Description Enables or disables content filtering. [0:no/1:yes] Displays content filtering exempt zone display information. Enables or disables content filtering exempt actionFlags zone action flags that determine to which IP [type(1-3)][enabl addresses content filtering applies.
Page 281
<gateway> [<metric>] Sets a static route’s subnet mask. mask <IP subnet mask> Sets a static route’s gateway IP address. gateway <IP address> Sets a static route’s metric number. metric <metric #>
Page 282
Table 67 IP commands Command dropIcmp igmp debug forwardall querier iface robustness status display siptimeout Description Turns private mode on or off. private <yes|no> Enables or disables a static route rule. active <yes|no> Sets whether or not the device allows ICMP [0|1] fragment packets.
IPSec process to check against the SPD. When this switch is turned on, packets are not put through the IPSec process, even if there are active IPSec rules. to display the third...
Page 284
(2 default) and 0 means the connection never times out.
Sets the idle timeout for IPSec connections where the Business Secure Router is waiting for a response from the peer. <minutes>
Sets the autotimer for updating IPSec rules that use a domain name as the secure gateway IP address. <0~255>
Page 285
<0:DES | 1:3DES | 2:AES>
Sets the phase 1 authentication algorithm. <0:MD5 | 1:SHA1>
Sets the phase 1 SA lifetime. <seconds>
Sets the key group for phase 1 IKE setup. <0:DH1 | 1:DH2>
Page 286
either send just the username and password to the remote Contivity IPSec router, or a group ID and password as well. <0:Username and Password | 1:Group ID & Password
Sets whether or not outgoing packets can automatically trigger a VPN connection to the remote Contivity IPSec router. <on | off>
Page 287
Sets the local address type. <0:single | 1:range | 2:subnet>
Sets the local ending IP address or subnet mask. <IP>
Sets the local starting port number. <port>
Sets the local ending port number. <port>
Page 289
Configures Group ID fields for RADIUS Server authentication method. radius groupId
Configures Group Password fields for RADIUS Server authentication method. radius groupPwd
Enables or disables Pre-Shared Key authentication type for RADIUS Server. radius psk <on | off>
Page 291
<on | off> instead of always having to manually enter them.
Enables or disables the password management facilities, including maximum password age, minimum password length, and allow alpha-numeric passwords only. manage <on | off>
Table 68 IPSec commands Command WAN Commands The following chart lists and describes the wan commands. Each of these commands must be preceded by wan when you use them. Table 69 WAN Commands Command adsl bert cellcnt chandata close defbitmap dyinggasp linedata open...
Page 293
Save Sets the waiting time before checking the timer hunting table result. Sends VC hunt pattern again. Send Displays hwsar packets incoming/outgoing information. Oam loopback function. Oamloopback [VPI] [VCI] [F5] [endToEnd] [funcType]
Sys firewall commands Table 70 lists and describes the system firewall commands. Each of these commands must be preceded by firewall active yes Table 70 Sys firewall Command disp active <yes|no> disp clear dynamicrule display tcprst rst113 display smtp display ignore ignore logBroadcast...
<wrr|prr> <efficient> bandwidth xxx <name xxx> <priority x> to display bm show lan Description Enables bandwidth management (BWM) for traffic going out the LAN interface. You can also specify the b/s of bandwidth.
Page 296
Table 71 Bandwidth management commands Command del # mod # add # del # mod # <borrow on|off> <bandwidth xxx> <name xxx> <priority x> <borrow on|off> bandwidth xxx <name xxx> <priority x> <borrow on|off> <bandwidth xxx> <name xxx> <priority x> Description The class can borrow bandwidth from its parent...
Page 297
Daddr <mask Dmask> Dport Saddr <mask Smask> Sport protocol Description The class can borrow bandwidth from its parent class when borrowing is turned on, and vice versa. Adds a filter for class # in LAN.
Table 71 Bandwidth management commands Command monitor <#> <#> moveFilter < <from> channName> config save load clear Certificates commands Table 72 describes the certificate commands. Each of these commands must be preceded by my_cert list All of these commands start with Table 72 Certificates commands Command my_cert...
Page 299
"subject-name-dn;{ip,dns,email}=value". If the name contains spaces, put it in quotes. [key size] specifies the key size. It has to be an integer from 512 to 2 048. The default is 1 024 bits. Nortel Business Secure Router 252 Configuration — Advanced...
Page 300
For my certificate importation to be successful, a certification request corresponding to the imported certificate must already exist on Business Secure Router. After the importation, the certification request is automatically deleted. If a descriptive name is not specified for the imported certificate, the certificate adopts the descriptive name of the certification request.
Page 301
Renames the specified trusted CA certificate. <old name> <new name>
<old name> specifies the name of the certificate to be renamed.
<new name> specifies the new name the certificate is saved as.
Page 302
Table 72 Certificates commands Command crl_issuer remote_trusted import export view verify delete list rename dir_server Description Specifies whether or not the specified CA issues CRL. <name> [on|off]
<name> specifies the name of the CA certificate.
[on|off] specifies whether or not the CA issues CRL. If [on|off] is not specified, the current crl_issuer status of the CA is used.
Page 303
[login:pswd] <addr[:port]> specifies the server address (required) and port (optional). The format is "server-address[:port]". The default port is 389. [login:pswd] specifies the logon name and password, if required. The format is "[login:password]".
IEEE 802.1X commands Table 73 lists and describes the IEEE 802.1x commands. Each of these commands must be preceded by the IEEE 802.1X debug messages to the first level. Table 73 IEEE 802.1X commands Command debug level <level> trace user <user> RADIUS commands Table 74 lists and describes the RADIUS commands.
• Allow or disallow the sending of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN.
• Allow or disallow the sending of NetBIOS packets through VPN connections.
• Allow or disallow NetBIOS packets to initiate calls.
Display NetBIOS filter settings
Figure 155 NetBIOS Display Filter Settings Command Example
============== NetBIOS Filter Status ===============
Between LAN and WAN: Block
IPSec Packets: Forward
Trigger Dial: Disabled
Syntax: sys filter netbios disp
This command gives a read-only list of the current NetBIOS filter modes. The filter types and their default settings are as follows:
Table 75 NetBIOS filter default settings Name...
This command forwards WAN to LAN and WAN to LAN NetBIOS packets.
Command: sys filter netbios config 3 on
This command blocks IPSec NetBIOS packets.
Command: sys filter netbios config 4 off
This command stops NetBIOS commands from initiating calls.
Page 308
308 Appendix H NetBIOS filter commands NN47923-501...
After you start up your Business Secure Router, you are given a choice to go into debug mode by pressing a key at the prompt shown in Figure 156.
ATRWx display the 16-bit value of address x
ATRLx display the 32-bit value of address x
ATGO(x) run program at addr x or boot router
ATGR boot router
ATGT run Hardware Test Program
ATRTw,x,y(,z) RAM test level w, from address x to y (z iterations)
Someone has failed to log on to the router's SMT interface. Someone has logged on to the router's WebGUI interface. Someone has failed to log on to the router's WebGUI interface. Someone has logged on to the router via Telnet.
Someone has failed to log on to the router via Telnet. Someone has logged on to the router via FTP. Someone has failed to log on to the router via FTP. The maximum number of SUA/NAT session table entries has been exceeded and the table is full.
The firewall detected an ICMP echo attack. icmp echo ICMP (type:%d, code:%d)
The firewall detected a TCP syn flood attack. syn flood TCP
The firewall detected a TCP port scan attack. ports scan TCP
Page 314
The firewall detected a TCP NetBIOS attack. The firewall detected a TCP IP spoofing attack while the Business Secure Router did not have a default route. The firewall detected a UDP IP spoofing attack while the Business Secure Router did not have a default route.
IGMP (set:%d, rule:%d) to the rule’s configuration.
Firewall rule match: ESP (set:%d, rule:%d)
ESP access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the rule’s configuration.
Page 316
Business Secure Router blocked or forwarded it according to the rule’s configuration. Access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the rule’s configuration. TCP access did not match the listed firewall rule and the Business Secure Router logged it.
Page 317
Router sent ICMP response packet (type:%d, code:%d)
The router sent an ICMP response packet. This packet automatically bypasses the firewall.
Table 83 for type and code details. 82).
ACL set 2 for packets traveling from the WAN to the LAN. ACL set 7 for packets traveling from the LAN to the LAN or the Business Secure Router. ACL set 8 for packets traveling from the WAN to the WAN or the Business Secure Router.
DESCRIPTION This message is sent by the "RAS" when this syslog is generated. The messages and notes are defined in this appendix’s other charts. Figure 158 shows a typical log from the...
Figure 158 Example VPN initiator IPSec log Index: Date/Time: ------------------------------------------------------------ 01 Jan 08:02:22 01 Jan 08:02:22 01 Jan 08:02:22 01 Jan 08:02:24 01 Jan 08:02:24 01 Jan 08:02:26 01 Jan 08:02:26 01 Jan 08:02:26 01 Jan 08:02:26 01 Jan 08:02:26 01 Jan 08:02:26 01 Jan 08:02:26 Clear IPSec Log (y/n):...
VPN tunnel are not using the same pre-shared key. Log: Recv Main Mode request from <192.168.100.100> Recv:<SA> Send:<SA> Recv:<KE><NONCE> Send:<KE><NONCE> Recv:<ID><HASH> Send:<ID><HASH> Phase 1 IKE SA process done Recv:<HASH><SA><NONCE><ID><ID> Start Phase 2: Quick Mode Send:<HASH><SA><NONCE><ID><ID> Recv:<HASH>
The Local IP Addr range for the peer is invalid. If the security gateway is 0.0.0.0, the Business Secure Router uses Local Addr for the peer as its Remote Addr. If a peer Local Addr range conflicts with other connections, the Business Secure Router does not accept VPN connection requests from this peer.
Page 323
My Remote <IP address> vs. My Local <IP address> -> <symbol> Error ID Info Description The Business Secure Router limits the number of simultaneous Phase 2 SA negotiations. The IKE key exchange process fails if this limit is exceeded.
The packet matches the rule index number (#d), but Phase 1 or Phase 2 negotiation for outbound (from the VPN initiator) traffic is not finished yet. If the Business Secure Router receives a packet with the wrong sequence number it discards it. The authentication configuration settings are incorrect.
Rcvd ARL <size>: <issuer name>
The router received an ARL (Authority Revocation List), with size and issuer name as recorded, from the LDAP server whose address and port are recorded in the Source field.
List) from the LDAP server whose address and port are recorded in the Source field. The router received directory data that was too large (the size is listed) from the LDAP server whose address and port are recorded in the Source field. The maximum size of directory data that the router allows is also recorded.
RADIUS accepts user. RADIUS rejects user. Pls check RADIUS Server. Description A user was authenticated by the local user database. A user was not authenticated by the local user database because of an incorrect user password.
The router logged off a user whose session expired. The router logged off a user who ended the session. The router logged off a user from which there was no authentication response. The router logged off a user whose idle timeout period expired.
Use the sys logs save command to store the settings in the Business Secure Router (you must do this in order to record logs).
Displaying logs
Use the sys logs display command to show all of the logs in the Business Secure Router’s log.
Use the sys logs display [log category] command to show the logs in an individual Business Secure Router log category.
Use the sys logs clear command to erase all of the Business Secure Router’s logs.
Log command example
This example shows how to set the Business Secure Router to record the access logs and alerts and then view the results.
This command sets the password protection to block all access attempts for N (a number from 1 to 60) minutes after the third time an incorrect password is entered.
Page 332
332 Appendix K Brute force password guessing protection NN47923-501...
The SIP number is the part of the SIP URI that comes before the @ symbol. A SIP number can use letters like in an e-mail address (johndoe@your-ITSP.com, for example) or numbers like a telephone number (1122334455@VoIP-provider.com, for example).
SIP Service Domain
The SIP service domain of the VoIP service provider is the domain name in a SIP URI. For example, if the SIP address is 1122334455@VoIP-provider.com, then VoIP-provider.com is the SIP service domain.
SIP Call Progression
Table 93 displays the basic steps in the setup and tear down of a SIP call.
The client device (A in the figure) sends a call invitation to the SIP proxy server (B). The SIP proxy server forwards the call invitation to C. Figure 160, either A or B can act as a SIP user agent
Figure 161 SIP Proxy Server
SIP Redirect Server
A SIP redirect server accepts SIP requests, translates the destination address to an IP address and sends the translated IP address back to the device that sent the request. Then the client device that originally sent the request can send requests to the IP address that it received back from the redirect server.
The register server checks your username and password when you register. When you make a VoIP call using SIP, RTP (Real-time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP.
• You can make and receive calls between the LAN and the WAN. You cannot make a call between the LAN and the LAN.
• The SIP ALG allows UDP packets with a destination port of 5060 to pass through.
• The Business Secure Router forwards SIP audio connections.
WAN port as a backup, it drops SIP connections when the primary WAN port connection fails. The Business Secure Router does not automatically change the SIP connection to the secondary WAN port.
Audio session using RTP
SIP server through the secondary WAN port to have the SIP connection go through the secondary WAN port. When the Business Secure Router uses both of the WAN ports at the same time, you can configure a routing policy to have the voice traffic from any IP address with UDP port 5060 and the RTP ports go over a specified WAN port.