Symantec 16-00-00091 - FNC XGRD FW VPN 200 Installation And Configuration Manual

Symantec Firewall / VPN
100 / 200 / 200R Models
Installation and Configuration Guide
October, 2001

Summary of Contents for Symantec 16-00-00091 - FNC XGRD FW VPN 200

  • Page 1 Symantec Firewall / VPN 100 / 200 / 200R Models Installation and Configuration Guide October, 2001...
  • Page 2 Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.
  • Page 3 Software are as follows: You may: A. use the Software solely as part of the Appliance for no more than the number of users as have been licensed to you by Symantec under a License Module; B. use the Restore Software solely to restore the Appliance to its original factory functionality in the event the Software preloaded on the Appliance is corrupted or becomes unusable;...
  • Page 4 Symantec warrants that the media on which the Restore Software is distributed will be free from defects for a period of thirty (30) days from the date of purchase of the Appliance. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money you paid for the Restore Software.
  • Page 5 Appliance. The license entitles You to receive a copy of the source code for Linux only upon request at a nominal charge. If you are interested in obtaining a copy of such source code, please contact Symantec Customer Service at one of the above addresses...
  • Page 6: Service And Support Solutions

    Technical information may still be available through the Service & Support Web site (http://service.symantec.com). When Symantec announces that a product will no longer be marketed or sold, telephone support will be discontinued 60 days later. Support will be available for discontinued products from the Service & Support...
  • Page 7: Customer Service

    Customer Service Order Desk at (800) 568-9501. Worldwide service and support Technical support and customer service solutions vary by country. For information on Symantec and International Partner locations outside of the United States, please contact one of the service and support offices listed below, or connect to http://www.symantec.com, select the country you want information...
  • Page 8 Symantec Region Sur http://www.service.symantec.com/mx Cerrito 1054 - Piso 9 +54 (11) 5382-3802 1010 Buenos Aires Fax: +54 (11) 5382-3888 Argentina Asia/Pacific Rim Symantec Australia Pty. Ltd. http://www.symantec.com/region/reg_ap/ 408 Victoria Road +61 (2) 9850-1000 Gladesville, NSW 2111 Fax: +61 (2) 9817-4550 Australia Brazil Symantec Brasil http://www.service.symantec.com/br...
  • Page 9 U.S.A. Subscription policy If your Symantec product includes virus, firewall, or web content protection, you might be entitled to receive protection updates via LiveUpdate. The length of the subscription could vary by Symantec product. When you near the end of your subscription, you will be prompted to subscribe when you start LiveUpdate.
  • Page 11: Table Of Contents

    Symantec Firewall/VPN 200R ........
  • Page 12 Main Setup Screen ............3-3 To configure using the Symantec Firewall/VPN 200 Main Setup screen ..3-4 Required by Optional Network Settings section .
  • Page 13 Static tunnel ............7-2 Symantec Firewall/VPN Static tunnel configuration ......7-3...
  • Page 14 Dynamic tunnel ............7-7 Symantec Firewall/VPN Dynamic tunnel configuration ..... . 7-7 SEVPN Dynamic tunnel configuration .
  • Page 15: Product Overview

    The Symantec Firewall/VPN appliance family of products addresses the complete set of needs for a small office, remote office, branch office or small business to easily and securely get networked and connected to an Internet Service Provider or central office.
  • Page 16: Networking

    The VPN feature of the Symantec Firewall/VPN enables secure and inexpensive tunneling between the local site and other sites, such as the central office or ISP. All of the Symantec Firewall/VPN models act as VPN gateways (VPN end points) for gateway to gateway VPN tunnels and remote client VPN to gateway tunnels (model 200R).
  • Page 17: Logging - Onboard Logging

    Logs can be generated by these tools for a complete picture of network performance. IPSec/VPN Pass Through In addition to creating VPN tunnels using the Symantec Firewall/VPN as an end point, the Symantec Firewall/VPN automatically recognizes IPSec VPN sessions and allows them to pass through the firewall.
  • Page 18 Serial port for auto-modem backup • DIP Switches - Used for disabling the DHCP Server, Resetting the unit, activating the Serial Console Interface and to configure the Symantec Firewall/VPN for firmware upgrades • LAN Link LEDs - 100BaseT, 10BaseT and Duplex LED link indicators for LAN port(s) •...
  • Page 19: Symantec Firewall/Vpn 200

    Figure 1-3: Symantec Firewall/VPN 200 front panel Figure 1-4: Symantec Firewall/VPN 200 back panel Symantec Firewall/VPN 200R The Symantec Firewall/VPN 200R has all the features of the 200 model and also comes with the Symantec Enterprise VPN Client software with integrated personal firewall feature.
  • Page 20: Symantec Firewall/Vpn International Symbols

    Product Overview Symantec Firewall/VPN international symbols Table 1-1: Symantec Firewall/VPN international symbols Symbol Meaning Power Indicator LED Error Indicator LED LAN/WAN Transmit/Receive LED Backup Active LED Modem (WAN) Link LED WAN Port LAN Ports Full Duplex...
  • Page 21: Management/Configuration Interface

    Serial Port Management/Configuration interface The Symantec Firewall/VPN has a web browser-based user interface that provides screens for creating configurations, viewing status, and accessing logs. The Symantec Firewall/VPN 200 user interface has duplicate Setup fields for both WAN ports on the Main Setup screen as well as other...
  • Page 22 Product Overview Figure 1-5: Example of the user interface for Symantec Firewall/VPN 100...
  • Page 23: Installation

    • The Symantec Firewall/VPN unit • A 2 m (6.5 ft) CAT5 grade Ethernet cable • CD with User Manual, utilities and Symantec Enterprise VPN Client (200R only) • 9v DC 1000 mA power adapter • Quick Start Card Network requirements You will need the following to use the Symantec Firewall/VPN: •...
  • Page 24: Cautions And Warnings

    Do not use or store the Symantec Firewall/VPN in an environment that exceeds temperature and humidity specifications. • Do not place the Symantec Firewall/VPN near a radiator or heat register, or in a built-in installation unless adequate ventilation is provided. •...
  • Page 25: Internet Account Information

    Some ISPs (usually cable) have abbreviated names for your e-mail servers and Web home page. This is the case if your Internet home page is a very short name, like "www" or "web" rather than www.symantec.com, or your e-mail server's name is something like "pop3" or "mail" instead of mail.symantec.com. You MUST obtain the actual server names (Internet names) in order to access the Web and e-mail when using the Symantec Firewall/VPN.
  • Page 26: To Connect The Cables

    Figure 2-2: Symantec Firewall/VPN 200 back panel To connect the cables Insert the 9v DC 1000 mA power adapter that was included with the Symantec Firewall/VPN and plug it into an electrical outlet. Make sure to ONLY use the adapter that came with the unit.
  • Page 27: Configuring Your Computer

    The following is for Windows NT only. Follow the procedures below for each additional computer you connect to the Symantec Firewall/VPN. Click Start > Settings > Control Panel.
  • Page 28 Installation...
  • Page 29: Configuration

    Menu of the Management / Configuration is located on the left side of the screen at all times. The Symantec Firewall/VPN 100 and 200 have slightly different interfaces because the 200 has two WAN (modem) ports and each WAN port can have different configurations. The 100 has one WAN (modem) port.
  • Page 30: Basic Configuration

    Click Direct Connection to the Internet. Basic configuration The following sections provide an overview of the basic tasks for configuring your Symantec Firewall/VPN. Each screen in the user interface has a separate section that describes its functions. Use the Main Setup screen to set your initial connection, or modify your connection parameters at any time.
  • Page 31: Main Setup Screen

    Figure 3-1: Firewall/VPN200 Symantec Main Setup screen The Main Setup screen is the first screen you see when you browse to the Symantec Firewall/VPN. It contains the basic settings fields needed to get you up and running on the Internet. This screen is...
  • Page 32: To Configure Using The Symantec Firewall/Vpn 200 Main Setup Screen

    For more information see Required by Optional Network Settings section on page 3-5. If you have a Static IP Internet account or are using the Symantec Firewall/VPN internally or on another network, leave this setting Enabled. Then enter the Static IP information using the Static IP &...
  • Page 33: Required By Optional Network Settings Section

    Some ISPs authenticate on the adapter (MAC) address of your Ethernet card to confirm who you are. The Symantec Firewall/VPN might have to mimic your computer by adapter address to connect to your ISP. You must enter the MAC address retrieved from the computer connected to the Internet service.
  • Page 34: To Configure For Dsl Or Cable Modem Using Pppoe

    Enter the MAC (see below) or Host/Domain Name in the appropriate fields. Note: The host and domain names are case sensitive. Click Save. The Symantec Firewall/VPN restarts and attempts to connect to the Internet. Wait a moment, then click Back to the Main Setup page.
  • Page 35: Static Ip And Dns

    Static IP and DNS Static IP and DNS If you have a Static IP account from your ISP or are using the Symantec Firewall/VPN behind another gateway device, enter the network information on the Static IP and DNS screen. This screen is similar to a computer's Network Properties screen.
  • Page 36: Dns Gateway Section

    255.255.255.0 (Class "C" network). In the Default Gateway field enter the default gateway. Symantec Firewall/VPN sends any packet it does not know to route to the default gateway. In the Domain Name Servers field enter up to three Domain Name Servers.
  • Page 37: Status

    If you have trouble accessing the Internet, confirm that you have a WAN IP address. If you do, there might be a DNS or other problem at your ISP. In any case, have this screen handy when calling Symantec Support. LAN IP and DHCP Caution: DO NOT change these settings unless needed by your network.
  • Page 38: Unit Lan Ip

    Configuration Figure 3-4: LAN IP and DHCP screen UNIT LAN IP The Unit LAN IP is the IP Address of the Symantec Firewall/VPN on your LAN (your hosts see it as their default Gateway). Caution: If you change this and click Save, YOU WILL NOT BE ABLE TO ACCESS THE SYMANTEC FIREWALL/VPN UNLESS YOU REBOOT (release and renew your host IP) because the unit’s IP address, network mask, and default...
  • Page 39: Dhcp

    2-5 for more information). The Symantec Firewall/VPN always assigns an IP address for the DNS server (192.168.0.1 by default) unless static DNSs are set. This is normal, as the Symantec Firewall/VPN will take care of DNS requests sent to the ISP.
  • Page 40: To Configure A Password

    Configuration Figure 3-5: Config Password screen Note: The User Name is always admin when logging into the Firewall/VPN. To configure a password Enter the password. Re-enter the password to verify. Click Save. If you forget your password, you will have to perform a manual reset (see Chapter 9 - Trouble Shooting) or reset the unit through the serial console.
  • Page 41: Advanced Configuration

    Advanced PPPoE Most users will not need to access this page since the default settings of the Symantec Firewall/VPN are optimal for most situations and will make PPPoE accounts behave transparently.
  • Page 42 Advanced Configuration Figure 4-1: Advanced PPPoE screen To configure Advanced PPPoE Note: You must be DISCONNECTED in order to use this feature.
  • Page 43 In the Idle Time Out field, enter the number of minutes of inactivity after which you want the Symantec Firewall/VPN to disconnect the PPPoE connection. Enter 0 to keep the connection always on and to prevent the Symantec Firewall/VPN from ever hanging up. If the value is more than 0, enable Connect on Demand to redial automatically when needed.
  • Page 44: Dynamic Dns Service

    Advanced Configuration The log file located in View Log screen provides useful information about your PPPoE connection if you have any trouble connecting to your ISP. Dynamic DNS Service Dynamic DNS Service is a way for people outside to connect to your computers using a domain name, even when you have a dynamic IP account from your ISP (your IP address changes from time to time).
  • Page 45 Dynamic DNS Service Figure 4-2: Dynamic DNS Service screen The Symantec Firewall/VPN contacts a Dynamic DNS service every time your IP changes and updates it automatically. The Dynamic DNS service then updates DNS servers throughout the world. Dynamic DNS services are available for pay and for free. The Dynamic DNS client in the Symantec Firewall/VPN is compatible with most standard services.
  • Page 46: Optional Dynamic Dns Settings

    When there is more than one router on a network, you must add routing settings on the Firewall/VPN to tell it what traffic goes to which router. The unit supports static routes or RIP2 (dynamic routing) protocol routing. When you specify routing, the Symantec Firewall/VPN can automatically forward the packet to the correct router.
  • Page 47 Routing Figure 4-3: Routing screen If RIP2 is not being used on the network, you must make entries in the static routing table through the Routing interface screen. Use the static routing table only when needed. If you make incorrect entries, you may lose your connection to the unit and have to perform a manual reset.
  • Page 48: Routing Table Data

    Other routers on the local LAN Other routers on the local network must use the Symantec Firewall/VPN's local router as the default route. The entries will be the same as the Symantec Firewall/VPN's local router, with the exception of the Gateway IP Address.
  • Page 49 Routing Figure 4-4: Routes example For the LAN shown above, with two routers and three LAN segments, the Symantec Firewall/VPN's Routing Table requires two entries as follows: Entry 1 (Segment 1) Destination IP Address 192.168.1.0 Subnet Mask 255.255.255.0 Gateway IP Address 192.168.0.100...
  • Page 50: Host Ip And Group

    LAN. On the Symantec Firewall/VPN Model 200s you can bind a Host to a specific WAN port. This prevents the Host from using both WAN ports when dual Broadband connection binding is in effect.
  • Page 51 Enter the Network Adapter Address. The Symantec Firewall/VPN identifies the host by the adapter address of its Network Interface Card (NIC - usually an Ethernet Card). You must enter the address of the Host's NIC into this field.
  • Page 52: Access Filters

    In the Reserved IP field, enter the IP address you want for this computer. It must be on the same class network as the Symantec Firewall/VPN. If this is for a virtual server, ensure that the IP address matches the IP address you entered using the Virtual Server screen.
  • Page 53: Security Groups

    Access Filters Figure 4-6: Access Filters Security Groups By default, all computers are part of the Everyone group and have no restrictions on Internet use. To define filters, first select the group, specify the use of packet filters, and then enter the filters for that group using this screen.
  • Page 54: Special Applications

    Advanced Configuration To configure Access Filters Note: Always click Save after each group setting. Select a Security Group from the Select Group drop down list. Associate hosts with Security Groups using the Host IP & Group Screen. Click Update Fields Below. In the Group Filter Setting section, click the Use Packet Filters Below radio button.
  • Page 55 Special Applications Figure 4-7: Special Applications screen To configure Special Applications Under Existing Special Apps, select an entry from the drop down list. Some of the predefined Special Application entries are available from this menu (since they are all disabled by default, you must select, enable, and update the entry) plus any that you have added yourself.
  • Page 56 If one port is used, enter the same number in both fields. Click Add to add a new entry. Click Delete to delete the entry shown and free up Symantec Firewall/VPN memory. Click Update if you have changed the entry shown.
  • Page 57: Virtual Servers

    Web server behind the firewall. External users connect to a domain assigned by the Dynamic DNS feature or the modem port IP address to access a virtual server. The Symantec Firewall/VPN automatically routes the traffic to the appropriate Host IP on the LAN.
  • Page 58 Advanced Configuration Figure 4-8: Virtual Servers screen To configure a Virtual Server Using the Host IP & Group screen, set up a static local IP for your server (or on the server itself). Virtual Servers need a local host with a static IP address to operate effectively...
  • Page 59: Virtual Servers Example - Ip Address Seen By Internet Users

    Virtual Servers Check the Enable box next to the server type Enter that local host LAN IP address to activate a pre-defined virtual server. You can have different virtual servers directed to the same host. Click Save. Virtual Servers example - IP Address seen by Internet users The following diagram (Figure 4-9, on page 4-20 ) shows an example network where both Internet users are connecting to the same IP Address, but are using different protocols or port numbers.
  • Page 60: Custom Virtual Server

    This function defines a custom server accessible from the outside by the Firewall/VPN’s external WAN IP address. The Symantec Firewall/VPN then redirects the request to an internal local IP address for the virtual server. You should first check the Virtual Server screen to make sure your server is not already predefined.
  • Page 61: Existing Custom Virtual Servers

    Custom Virtual Server Figure 4-10: Custom Virtual Servers screen Existing Custom Virtual Servers If you have previously made an entry to this screen and you want to update or delete it, you must first select it from the Select Entry drop down list and then click Update Fields Below to access its settings.
  • Page 62: Exposed Host (Dmz)

    Click Clear Form before adding a new entry. Exposed Host (DMZ) This screen will let you define a custom server accessible from the outside by the Symantec Firewall/VPN's external WAN IP address. The unit redirects all requests not explicitly allowed by a virtual server rule to the exposed host.
  • Page 63 Exposed Host (DMZ) Figure 4-11: Exposed Host (DMZ) To configure an Exposed Host Enter the LAN IP address of the host PC you want to Expose. Select the WAN Port from the WAN Port drop down list. Select the session from the Session drop down list. Click the Enable radio button.
  • Page 64: Expert Level

    Internet connection and a DSL connection, or Static IP and SDSL, PPPoE and DHCP. The Symantec Firewall/VPN 200 will bind the bandwidth on your two connections by sending network packets to both WAN ports. If you want, you can bind hosts to a single WAN port. Any...
  • Page 65 Expert Level Figure 4-12: Expert Level screen 4-25...
  • Page 66: Expert Level Connection Fields

    Expert Level Connection fields Load Balance On the Symantec Firewall/VPN 200 or 200R you have the option of manually setting the Load Balance to use when using the Broadband Connection Binding feature. This setting determines what percentage of packets are sent to either WAN port. For slower connections, use a lower value on that WAN port for best performance.
  • Page 67: Expert Level - Advanced Features Section Fields

    NAT Function Disabling NAT turns the Symantec Firewall/VPN into a bridge or pure router. This is useful if you already have a NAT device on your network and are using the Symantec Firewall/VPN as a PPPoE "dial-up"...
  • Page 68: Expert Level - Snmp Trap Receiver Section Fields

    IP followed by port 8088. For example: type "http://207.158.227.235:8088" into your external browser if 207.158.227.235 was the address obtained from your ISP by the Symantec Firewall/VPN. You must be accessing from the IP range specified. Also, you should set the Configuration Password for security.
  • Page 69: Configuring Virtual Private Networks (Vpn)

    This chapter describes the procedures for configuring VPN tunnels using VPN - Static Key, VPN - Dynamic Key and VPN - Client Identity features of the Symantec Firewall/VPN User Interface. It also provides a brief overview of VPNs, encryption and authentication.
  • Page 70 ESP DES SHA1 ESP SHA1 Table 5-1: IPSec Encryption types The Symantec Firewall/VPN offers two types of VPN tunnels; Static Key and Dynamic Key. • VPN - Static Key tunnel - A user manually enters an authentication key (long string of numbers and letters) as well as an encryption key (another string used for the encryption algorithm) if encryption is used.
  • Page 71: To Configure A Vpn Using Static Key

    To configure a VPN using Static Key To configure a VPN using Static Key Figure 5-1: VPN - Static Key screen From the Main Menu, select VPN - Static Key .
  • Page 72 Configuring Virtual Private Networks (VPN) In the Name field, enter a descriptive name for the Security Association. The Security Association Name must be between 1 and 15 characters long. Click the Enable radio button. From the WAN drop down list, select a WAN port . From the PPPoE Session drop down list, select the Session number.
  • Page 73: To Update A Vpn Configuration Using Static Key

    To configure a VPN using Static Key Set to Enable to support Network Neighborhood on Windows through a VPN tunnel. 13. In the Remote Subnet 1 field, enter the IP address of your Destination Network. 14. In the Mask field, enter the Subnet Mask of your Destination Network. The format for the Destination Network Mask field is a minimum of seven digits ( x.x.x.x) and a maximum of fifteen digits (xxx.xxx.xxx.xxx).
  • Page 74: Static Tunnel Example

    Configuring Virtual Private Networks (VPN) Static tunnel example The following example consists of a network diagram of a gateway-to-gateway static tunnel and a table (Table 5-2 on page 5-7) that shows all of the entries required to configure both endpoints of this static tunnel.
  • Page 75 To configure a VPN using Static Key Table 5-2: Static tunnel network example settings VPN Static Key Symantec FW/VPN 100 Symantec FW/VPN 200 screen fields settings settings IPSec Security Association: Name static_100_to_200 static_200_to_100 Enable/Disable Enable Enable Wan Port WAN1 WAN 2...
  • Page 76: To Configure A Vpn With Dynamic Key

    Configuring Virtual Private Networks (VPN) To configure a VPN with Dynamic Key Figure 5-3: VPN Dynamic Key screen part 1...
  • Page 77 To configure a VPN with Dynamic Key Figure 5-4: VPN Dynamic Key screen part 2 From the Main Menu, select VPN - Dynamic Key. In the Name field, enter a descriptive name for the Security Association. Click the Enable radio button. From the WAN drop down list, select a WAN port.
  • Page 78 Configuring Virtual Private Networks (VPN) NATted on the network. Main Mode provides the most protection from encryption based denial of service attacks. Aggressive Mode uses three message exchanges between the initiator and respondent during key negotiation. It does not depend on the IP address of the two devices, therefore it is often used for VPN tunnels where IP addresses are not known ahead of time.
  • Page 79: To Update A Vpn Configuration Using Dynamic Key

    To configure a VPN with Dynamic Key The Pre-Shared Key is a minimum of 20 characters and a maximum of 64 characters. 16. Under For Gateway-to-Gateway Tunnels, click the Enable NetBIOS Broadcast radio button to forward Netbios broadcast packets. 17. Click the Global Tunnel Enable or Disable radio button. Enabling the Global Tunnel for a VPN tunnel forces all outbound (Internet) traffic to go through the VPN tunnel.
  • Page 80: Dynamic Tunnel Example

    Configuring Virtual Private Networks (VPN) From the Security Association drop down list, select a Security Association Name to view information about that Security Association. Click Delete to delete the VPN. Dynamic tunnel example The following example consists of a network diagram of a gateway-to-gateway dynamic tunnel and a table (Table 5-3 on page 5-13) that shows all of the entries required to configure both endpoints of this dynamic tunnel.
  • Page 81 To configure a VPN with Dynamic Key Table 5-3: Dynamic tunnel network example settings VPN Dynamic Key Symantec FW/VPN 100 Symantec FW/VPN 200 screen fields settings settings IPSec Security Association: Name dynamicIKE_100_to_200 dynamicIKE_200_to_100 Enable/Disable Enable Enable Wan Port WAN1 WAN 2...
  • Page 82: Vpn Client Identity

    Configuring Virtual Private Networks (VPN) VPN Dynamic Key Symantec FW/VPN 100 Symantec FW/VPN 200 screen fields settings settings Global Tunnel disable disable Remote Subnet 1 IP 192.168.0.0 192.168.100.0 Remote Subnet 1 Mask 255.255.255.0 255.255.255.0 VPN Client Identity Figure 5-6: VPN Client Identity screen The VPN Client Identity screen identifies and enables VPN Client users.
  • Page 83 VPN Client Identity To add a new VPN Client user. From the Symantec Firewall/VPN 200R Main Menu select Client Identity. Under User Identity, click Enable. In the User Name field enter your user name. In the Pre-Shared Key field enter your pre-shared key.
  • Page 84 Configuring Virtual Private Networks (VPN) 5-16...
  • Page 85: Utilities

    This screen lets you set up the Automatic Backup or Analog/ISDN connection information. You must connect an external modem (analog or ISDN) to the Symantec Firewall/VPN's serial port in order to use this feature. In backup mode, the Symantec Firewall/VPN will automatically dial when broadband drops.
  • Page 86 Utilities Figure 6-1: Backup/Analog/ISDN screen...
  • Page 87 If your Internet connection type is Dynamic DHCP or Static IP, the Alive Indicator must be set. The Alive Indicator is used by the Symantec Firewall/VPN to determine whether that WAN connection is functioning or not even if traffic is idle on the WAN (needed for backup activation).
  • Page 88: Serial Configuration Console

    PPP (Analog/ISDN) connection. Serial configuration console The Symantec Firewall/VPN can be configured or reset through the Serial port using the included Null Modem Cable connected to the COM port of a computer. This configuration console is very useful for installing the Symantec Firewall/VPN into an existing network. This prevents the Symantec Firewall/VPN from interfering with the network when it is connected.
  • Page 89 Serial configuration console To use the Serial console Connect the Null Modem cable from your computer's COM port to the Serial port on the Firewall/VPN. Set DIP Switch 3 to ON (Down position) on the Firewall/VPN. Start up a terminal program (HyperTerminal is included with Windows). Set to connect directly to your COM port (usually COM1 or COM2).
  • Page 90: Manual Reset

    Read these steps completely before starting to reset the Firewall/VPN. Note: You'll need a paper clip for this procedure. Turn off power to the Symantec Firewall/VPN by pulling the power plug from the back of the unit. Set DIP switch 1 to ON (down)
  • Page 91: Configuration Back Up

    The unit should now have its IP & network mask defaults and password cleared. Configuration back up The Symantec Firewall/VPN lets you back up the configuration settings you made through the user interface should something happen to the unit. This procedure results in a small file that can be put on a floppy and into a firesafe box or other safe place.
  • Page 92: View Log

    This screen lets you set the type of log entries recorded and to set log forwarding parameters. Logs generated on the Symantec Firewall/VPN are buffered in a limited memory space. When the log is full, new entries overwrite the oldest ones so it is best to have the log forwarded.
  • Page 93 Log Settings Figure 6-4: Log Settings screen To configure Log Settings Under Forwarding, in the Syslog Server field, enter the IP address of a host running a standard Syslog utility to receive the Log file. In the SMTP field, enter the IP address or URL of the SMTP server you want to receive the Log file in the SMTP Server under Email Settings.
  • Page 94 Utilities The Email Receiver field holds a maximum of 39 characters. If you want more than one receiver, separate them using a comma. Under Log Type, check the boxes for the types of messages you want to log. Under Time, in the Alternate NTP Server field, enter the IP address of the alternate NTP Server.
  • Page 95: Configuring The Symantec Firewall/Vpn To The Symantec Enterprise Vpn

    Firewall/VPN to the Symantec Enterprise VPN The Symantec Firewall/VPN offers the ability to create tunnels between itself and a Symantec Enterprise VPN Server (SEVPN). This tunnel can either be created statically, or dynamically using IKE. This chapter outlines the steps necessary to create both static and dynamic tunnels.
  • Page 96: Static Tunnel

    Configuring the Symantec Firewall/VPN to the Symantec Enterprise VPN Figure 7-1: Symantec Firewall/VPN connecting to Symantec Enterprise VPN Static tunnel Static tunnels are configured by specifying all of the key information for the tunnel on both ends. Each end must match identically for the tunnel to work properly. Static tunnels can use either DES...
  • Page 97: Symantec Firewall/Vpn Static Tunnel Configuration

    Symantec Firewall/VPN Static tunnel configuration Figure 7-2: VPN - Static tunnel diagram On the Symantec Firewall/VPN appliance, select the VPN - Static option from the configuration page. You should be presented with a screen similar to Figure 7-3 on page 7-4.
  • Page 98 Configuring the Symantec Firewall/VPN to the Symantec Enterprise VPN Figure 7-3: VPN Static configuration screen...
  • Page 99 Static tunnel Initially, the screen you see should be blank with a few of the defaults entered. In order to properly configure a static tunnel you will need the following information from the SEVPN: • Gateway IP address of the SEVPN. •...
  • Page 100: Sevpn Static Tunnel Configuration

    Configuring the Symantec Firewall/VPN to the Symantec Enterprise VPN 11. Check Disable for NetBIOS Broadcast. 12. Check Disable for Global Tunnel. 13. Set Remote Subnet to the destination network protected by the SEVPN. 14. Set Mask to the netmask of the destination network protected by the SEVPN.
  • Page 101: Dynamic Tunnel

    Figure 7-4: VPN Dynamic tunnel diagram Symantec Firewall/VPN Dynamic tunnel configuration On the Symantec Firewall/VPN appliance, select the VPN - Dynamic option from the configuration page. You should be presented with a screen similar to Figure 7-5 on page 7-8.
  • Page 102 Configuring the Symantec Firewall/VPN to the Symantec Enterprise VPN Figure 7-5: VPN Dynamic configuration screen...
  • Page 103 Dynamic tunnel To configure the tunnel: In the Name field, enter a new name for this tunnel. Check Enable. Select the WAN Port you want to bind the VPN tunnel to. Select the PPPoE Session you want to bind the tunnel to. Check Main Mode for Phase I Negotiation.
  • Page 104: Sevpn Dynamic Tunnel Configuration

    Configuring the Symantec Firewall/VPN to the Symantec Enterprise VPN SEVPN Dynamic tunnel configuration The following table is a brief list of the steps to configure the SEVPN. Table 7-2: SEVPN Dynamic tunnel configuration steps Symantec Enterprise Firewall and Configuration Steps...
  • Page 105: Connecting To Symantec Enterprise Vpn Client

    Firewall/VPN which provides secure access to the private network. To create a secure tunnel you must configure both ends of the tunnel. One end is the Symantec Firewall/VPN 200R and the other end is the Symantec Enterprise VPN Client. The following sections describe how to configure both end points of the Symantec Enterprise VPN Client to Symantec Firewall/VPN 200R secure tunnel.
  • Page 106: Configuring Symantec Enterprise Vpn Client With Symantec Firewall/Vpn 200R

    Connecting to Symantec Enterprise VPN Client Figure 8-1: Symantec Enterprise VPN Client configurations To ensure the safe transmission of data in the tunnels, Symantec Enterprise VPN Client uses a suite of standardized security protocols including the Internet Security Association and Key Management Protocol (ISAKMP), the Internet Key Exchange (IKE) policy, and the IP Security (IPSec) protocol.
  • Page 107 Tunnels must be connected each time you reboot your PC. After the gateways and tunnels are connected, they remain connected until you disconnect them, an inactivity timeout occurs, a dial-up connection is lost, you exit Windows or shut down Symantec Enterprise VPN Client. Configure Symantec Firewall/VPN 200R for a dynamic tunnel to Symantec Enterprise VPN Client From the Symantec Firewall/VPN 200R Main Menu, select Client Identity.
  • Page 108 The pre-shared key must be between 20 and 64 characters. Click Add. From the Symantec Firewall/VPN 200R Main Menu, select VPN Dynamic Key. Under IPSec Security Association, in the Name field enter a descriptive name. Click the Enable radio button to enable the security association.
  • Page 109 Configuring Symantec Enterprise VPN Client with Symantec Firewall/VPN 200R 11. In the Encryption and Authentication Method list, select a method. This method must match the encryption and authentication method you use when configuring the Symantec Enterprise VPN Client end of the tunnel.
  • Page 110 Connecting to Symantec Enterprise VPN Client Figure 8-4: VPN Dynamic Key screen...
  • Page 111 Configure Symantec Enterprise VPN Client for a Dynamic tunnel to Symantec Firewall/VPN 200R The following table outlines the steps required to configure Symantec Enterprise VPN Client for a Dynamic Tunnel to the Symantec Firewall/VPN 200R. See the Symantec Enterprise VPN Client...
  • Page 112 Connecting to Symantec Enterprise VPN Client Table 8-1: Symantec Enterprise VPN Client configuration Symantec Enterprise VPN Client Configuration Steps Configuration Guide Chapter - Section - Subsection Launch Symantec Enterprise VPN Getting Started Client. Create a new Gateway. Managing Gateways - Adding a Gateway...
  • Page 113: Trouble Shooting

    Symantec Firewall/VPN is powered ON. • Ensure that your PC and the Symantec Firewall/VPN are on the same network segment. If you are installing the Symantec Firewall/VPN for the first time, ensure that your PC is using an IP Address within the range 192.168.0.2 to 192.168.0.255 thus compatible with the Firewall/VPN's default IP Address of 192.168.0.1.
  • Page 114: Problem 3: Some Applications Do Not Run Properly When Using The Firewall/Vpn

    Solution: Use the Special Applications screen to allow the use of special Internet applications. • The Symantec Firewall/VPN processes the data passing through it, so it is not transparent. The application may require the release of TCP and UDP ports that would otherwise not function correctly.
  • Page 115 Services button on the Advanced PPPoE screen will provide the same effect without the need of the suffix.
  • Page 116 Trouble Shooting...
  • Page 117: Firmware Upgrades

    Firmware Upgrades The Symantec Firewall/VPN does its job by following a set of instructions that are coded into its permanent memory. These instructions are called Firmware. The Firmware contains all of the features and functionality of the Firewall/VPN.
  • Page 118: To Upgrade Firmware

    Power off the unit by pulling the adapter plug from the back of the Firewall/VPN. Flip DIP switch 1 & 2 to the ON position (DOWN). Put the power plug back into the Symantec Firewall/VPN. Open up a DOS prompt by clicking Start then Run… Type command and click OK.

This manual is also suitable for:

100, 200, 200R
