3COM 3CR858-91 User Manual


Firewall 61

you set up here are available for selection when you configure access control (see “Access Control” on page 57).

To configure a schedule rule, do the following:

1 Select Firewall from the main menu, then select Client IP Filters from the sub-menu, and select the Schedule Rule tab. The Schedule Rule screen displays (Figure 40).

Figure 40 Schedule Rule Screen

2 Click Add Rule, or click Edit in the Configure column to edit an existing entry. The Schedule Rule - Add Rule screen displays (Figure 41).

You can delete an existing entry by clicking on Delete in the Configure column.

62 CHAPTER 5: ROUTER CONFIGURATION

Figure 41 Schedule Rule - Add Rule Screen

3 Enter a name and comment for the schedule rule in the Name and Comment text boxes.

4 Specify the schedule rules for the required days and times. Note that all times should be in 24-hour format.

5 Click Apply to save the settings.

MAC Address Filtering

The MAC Address Filter allows you to specify which computers are allowed on the network. Any computer attempting to access the network that is not listed in the filter is denied access. Note that a MAC address is supplied by the client and can be changed in software, so the filter restricts casual access but does not authenticate a computer; treat it as a supplement to the other firewall features, not as a replacement for them.


To set up MAC Address Filtering, do the following:

1 Select Firewall from the main menu, then select MAC Address Filtering from the sub-menu. The MAC Address Filtering screen displays (Figure 42).

Figure 42 MAC Address Filtering

2 To enable this feature, click the Enable radio button.

3 Enter the MAC address of each client on your network that you want to allow network access in the MAC Address text boxes.

Alternatively, you can copy a MAC address into the MAC Address text box, as follows:

a Select the name of the computer from the DHCP Client List.

b Select a row ID from the Copy To drop-down list.

c Click on Copy To. The MAC address is inserted into the selected row.

4 Click Apply to save the settings.
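As an added illustration, not part of the 3Com manual, the following Python models the admission check the MAC Address Filter performs and the Copy To step that fills the filter rows from the DHCP Client List. The DHCP client names and MAC addresses are constructed sample values, and the function names are this example's own. It normalises the different ways a MAC address is written and shows that the filter keys only on the address a client presents, so a host that copies an allowed MAC is admitted just like the real one.

```python
import re

# Constructed sample DHCP Client List (hostname -> MAC as a router might show it);
# these are made-up values, not taken from the manual.
DHCP_CLIENT_LIST = {
    "pc-finance": "00-0A-5E-11-22-33",
    "pc-reception": "00:0a:5e:44:55:66",
    "printer": "000A.5E77.8899",
}

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(mac):
    """Return a MAC as 12 lowercase hex digits, accepting ':', '-' and '.'
    separators. Raises ValueError unless exactly six hex bytes remain."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not _MAC_RE.match(digits):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return digits


def build_allowlist(client_list, allowed_names):
    """Emulate Copy To: pick DHCP clients by name to fill the filter rows."""
    missing = set(allowed_names) - set(client_list)
    if missing:
        raise KeyError(f"unknown DHCP client(s): {sorted(missing)}")
    return {normalise_mac(client_list[name]) for name in allowed_names}


def filter_decision(allowlist, frame_src_mac, enabled=True):
    """Admission decision for one frame. With the filter disabled everything
    passes; otherwise only the source MAC decides, nothing else."""
    if not enabled:
        return True
    return normalise_mac(frame_src_mac) in allowlist


def demo():
    """Run the filter over a few constructed frames and return the decisions."""
    allow = build_allowlist(DHCP_CLIENT_LIST, ["pc-finance", "printer"])
    return {
        "finance": filter_decision(allow, "00:0a:5e:11:22:33"),
        "reception": filter_decision(allow, "00-0A-5E-44-55-66"),
        # A host that sets its MAC to the printer's is admitted: the filter
        # cannot distinguish a spoofed source address from the real one.
        "spoofed_printer": filter_decision(allow, "00:0A:5E:77:88:99"),
        "disabled": filter_decision(allow, "de:ad:be:ef:00:01", enabled=False),
    }


if __name__ == "__main__":
    for name, admitted in demo().items():
        print(f"{name}: {'allowed' if admitted else 'denied'}")
```

The `spoofed_printer` case is the reason the filter should be combined with the Router's other controls rather than relied on alone.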

DMZ

If you have a client PC that cannot run an Internet application properly from behind the firewall, you can open the client up to unrestricted two-way Internet access. This may be necessary if the NAT feature is causing problems with an application such as a game or video conferencing application.

CAUTION: Use this feature on a temporary basis. Inbound connections to the public IP address are passed to the computer in the DMZ, so it is not protected by the Router's firewall and is exposed to attack from the Internet.


To put a computer in the DMZ, do the following:

1 Select Firewall from the main menu, then select DMZ from the sub-menu. The DMZ screen displays (Figure 43).

Figure 43 DMZ Screen

2 Select the ENABLE radio button.

3 The first row in the Public IP Address column defaults to the IP address of the WAN interface. Enter the last digits of the client PC's IP address in the Client PC IP Address text box.

4 If you have been assigned more than one IP address for the WAN interface, then you can enter up to eight different IP addresses in the Public IP Address text boxes.

5 For each Public IP Address, enter a client PC's IP address in the Client PC IP Address text box.

6 Click Apply to save the settings.

VPN

The Router has a Virtual Private Network (VPN) feature that provides a secure link between remote users and the corporate network by establishing an authenticated and encrypted tunnel for passing secure data over the Internet. The Router supports three modes of VPN operation:

IPSec (IP Security) — provides IP network-layer encryption. IPSec can support large encryption networks (such as the Internet) by using digital certificates for device authentication. The Router's own IPSec tunnels are authenticated with a pre-shared key (see “Adding an IPSec Connection”). When setting up an IPSec connection between two devices, make sure that they support the same encryption method.

Enabling IPSec VPN disables pass-through to IPSec and L2TP over IPSec Virtual Servers on the LAN. Pass-through outbound from clients on the LAN to servers on the Internet is unaffected.

PPTP (Point-to-Point Tunneling Protocol) — provides a tunnel for remote client access to a PPTP security gateway. It is less secure than IPSec but is easy to administer; its authentication and encryption have known weaknesses, so use it only where the clients cannot use IPSec or L2TP over IPSec. PPTP does not support gateway-to-gateway connections and is only suitable for connecting remote users. Check that your ISP's routers support this protocol before you use it.

Enabling the PPTP Server disables PPTP pass-through to a Virtual Server on the LAN. Pass-through outbound from clients on the LAN to servers on the Internet is unaffected.

L2TP over IPSec — this is a combination of two protocols. L2TP is used to authenticate a user, and IPSec is used to encrypt data. L2TP over IPSec does not support gateway-to-gateway connections and is only suitable for connecting remote users. Check that your ISP's routers support this protocol before you use it.

Enabling L2TP over IPSec disables pass-through to IPSec and L2TP over IPSec Virtual Servers on the LAN. Pass-through outbound from clients on the LAN to servers on the Internet is unaffected.

Using the VPN Tunnel Configuration screen, you can add new IPSec, L2TP over IPSec and PPTP connections, and edit existing connections. When adding or editing values on this screen, remember that both ends of the connection must contain the same information.


To configure a VPN connection on your Router:

1 Select VPN from the main menu. The VPN screen displays (Figure 44).

Figure 44 VPN Screen

2 In the Enable VPN section, select the Yes radio button for the connection methods you want to use.

IPSec must be enabled if you want to use L2TP over IPSec.

3 To set up the Router for L2TP and PPTP, you must allocate IP addresses from the Router's LAN for use with the protocol. The connections made by L2TP and PPTP will appear to come from these addresses. The addresses must form one contiguous range.

In the IP Address Pool for L2TP/PPTP Clients section, enter the first LAN address in the range in the Start Address text boxes, and the last address in the range in the End Address text boxes.

These addresses must be within the Router’s LAN subnet, and must not form part of the DHCP pool.

4 The VPN Connections table displays the currently configured VPN connections. Refer to one of the following sections for details on how to set up or edit a VPN connection:

“Adding an IPSec Connection” on page 67.

“Adding an L2TP over IPSec Connection” on page 68.

“Adding a PPTP Connection” on page 70.
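The address pool rules in step 3 are easy to get wrong by hand. As an added example, not from the manual, the Python below checks a proposed Start/End Address pair against them: a contiguous range inside the LAN subnet that does not overlap the DHCP pool. It also rejects the Router's own LAN address and the subnet's network and broadcast addresses, which no client could use; those last two checks are the editor's addition, not rules the manual states. The subnet, router and DHCP pool values are constructed, and the function names are this example's own.

```python
import ipaddress


def _ip(text):
    return ipaddress.IPv4Address(text)


def _overlaps(a_start, a_end, b_start, b_end):
    """True if the inclusive ranges [a_start, a_end] and [b_start, b_end] share any address."""
    return a_start <= b_end and b_start <= a_end


def check_vpn_pool(lan_cidr, router_lan_ip, dhcp_range, pool_range):
    """Check an L2TP/PPTP client pool. Returns a list of problem strings;
    an empty list means the pool satisfies every rule."""
    lan = ipaddress.IPv4Network(lan_cidr, strict=False)
    router = _ip(router_lan_ip)
    dhcp_start, dhcp_end = map(_ip, dhcp_range)
    start, end = map(_ip, pool_range)
    problems = []

    # Rule from the manual: one contiguous, ascending range
    if start > end:
        problems.append(f"Start Address {start} is after End Address {end}")
        return problems  # further checks are meaningless on an inverted range

    # Rule from the manual: both ends inside the Router's LAN subnet
    for label, addr in (("Start Address", start), ("End Address", end)):
        if addr not in lan:
            problems.append(f"{label} {addr} is outside the LAN subnet {lan}")

    # Rule from the manual: must not form part of the DHCP pool
    if _overlaps(start, end, dhcp_start, dhcp_end):
        problems.append(f"pool {start}-{end} overlaps the DHCP pool {dhcp_start}-{dhcp_end}")

    # Editor's additions: addresses no client could be given
    if start <= router <= end:
        problems.append(f"pool includes the Router's own LAN address {router}")
    if start <= lan.network_address <= end or start <= lan.broadcast_address <= end:
        problems.append("pool includes the subnet's network or broadcast address")
    return problems


def pool_size(pool_range):
    """Number of simultaneous L2TP/PPTP clients the pool can serve."""
    start, end = map(_ip, pool_range)
    return int(end) - int(start) + 1


# Constructed example values (not taken from the manual)
LAN = "192.168.1.0/24"
ROUTER = "192.168.1.1"
DHCP = ("192.168.1.2", "192.168.1.100")

if __name__ == "__main__":
    for candidate in (("192.168.1.200", "192.168.1.209"),
                      ("192.168.1.90", "192.168.1.110"),
                      ("192.168.2.10", "192.168.2.20")):
        found = check_vpn_pool(LAN, ROUTER, DHCP, candidate)
        print(candidate, "OK" if not found else found)
```

Size the pool for the number of remote users you expect to be connected at once; `pool_size` gives that figure for a candidate range.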


Adding an IPSec Connection

To add an IPSec connection, or to edit an existing IPSec connection:

1 In the VPN screen, click Add, or click Edit to edit an existing connection.

2 At the Tunnel Type drop-down list, select IPSec. The screen shown in Figure 45 displays.

Figure 45 VPN Tunnel Configuration - IPSec Screen

3 Enter a descriptive name for the tunnel at the Tunnel Name text box.

4 At the Remote VPN Server drop-down list, select either IP Address or ANY. If you select IP Address, enter the IP address or host name of the remote server in the IP Address/Host Name text box. If you select ANY, you do not need to specify an IP address or host name, as any remote server can be used.

5 At the Remote Party ID drop-down list, select either IP_IPV4_ADDR or ID_USER_FQDN. This must be entered identically in the IPSec software installed on the client's machine.

If you select IKE Main Mode from the Key Management drop-down list (see step 8), you must select IP_IPV4_ADDR here: in Main Mode the peer's identity is still encrypted when the pre-shared key has to be looked up, so the key can only be associated with the peer's IP address.

6 Type a name for the Remote Party ID in the text box next to the drop-down list. This must be unique for each connection rule that you create.

7 Enter the Remote Network Address and Remote Subnet Mask for the Remote Party ID. The remote network address is usually the network address of the LAN connected to the remote server.


8 Enter the Network Address and Subnet Mask of the local secure group. The network address of the local secure group is usually the network address of the local network. From the Key Management drop-down list, select either IKE Main Mode or IKE Aggressive Mode. Prefer IKE Main Mode whenever the remote peer has a fixed IP address: in Aggressive Mode the identities and a hash derived from the pre-shared key are exchanged before encryption starts, so anyone who captures the exchange can try to guess the key offline.

9 At the Pre-shared Key text box, enter the key for the connection. This must be unique for each connection rule that you create. Use a long, random key: it protects the whole tunnel, and a short or guessable key can be recovered by an attacker.

10 Enter the Key lifetime, in seconds. The default is 3600 seconds. The value must be at least 300 seconds.

11 Select MD5, SHA1 or None from the Authentication Algorithm drop-down list. Both ends of the connection must use the same value. None disables integrity protection of the tunnelled packets, so select SHA1, or MD5 only if the peer does not support SHA1.

12 Select DES, 3DES or None from the Encrypt Algorithm drop-down list. 3DES is more secure than DES but may take longer to encrypt. Both ends of the connection must use the same value. None sends the tunnelled data in clear, and DES uses a 56-bit key that can be recovered by brute force, so select 3DES wherever the peer supports it.

3DES is not shipped as standard with the Router due to international restrictions on encryption. If your country permits its use, it can be downloaded from the 3Com Web site at http://www.3com.com

13 Click Apply to save the settings.

The IKE Keep Alive feature is not available.
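As an added example, not code from the manual or from 3Com, the following Python encodes the constraints stated in steps 5 to 12 as a checker for an IPSec tunnel definition: IKE Main Mode requires IP_IPV4_ADDR, the key lifetime is at least 300 seconds, the Remote Party ID and pre-shared key are unique per rule, and both peers must use the same values. It also covers the rule from the VPN screen that L2TP over IPSec needs IPSec enabled. The weak-setting warnings (None, DES, MD5, Aggressive Mode, short keys) are the editor's hardening recommendations, not rules the Router enforces. The field and function names are this example's own, and the sample tunnel values are constructed.

```python
from dataclasses import dataclass

# Option values exactly as the Router's IPSec screen names them
ID_TYPES = {"IP_IPV4_ADDR", "ID_USER_FQDN"}
KEY_MODES = {"IKE Main Mode", "IKE Aggressive Mode"}
AUTH_ALGS = {"MD5", "SHA1", "None"}
ENC_ALGS = {"DES", "3DES", "None"}
MIN_LIFETIME = 300   # seconds, the floor stated in step 10
MIN_PSK_LEN = 20     # editor's recommendation, not a Router limit


@dataclass
class IPSecTunnel:
    """One row of the Router's IPSec tunnel screen (field names are this example's own)."""
    tunnel_name: str
    remote_party_id_type: str
    remote_party_id: str
    key_management: str
    pre_shared_key: str
    key_lifetime: int = 3600
    auth_algorithm: str = "SHA1"
    encrypt_algorithm: str = "3DES"


def check_tunnel(t, existing=()):
    """Validate one tunnel and return (errors, warnings). Errors are settings the
    manual rules out; warnings are accepted but weak choices."""
    errors, warnings = [], []
    if t.remote_party_id_type not in ID_TYPES:
        errors.append(f"unknown Remote Party ID type {t.remote_party_id_type!r}")
    if t.key_management not in KEY_MODES:
        errors.append(f"unknown Key Management mode {t.key_management!r}")
    if t.auth_algorithm not in AUTH_ALGS:
        errors.append(f"unknown Authentication Algorithm {t.auth_algorithm!r}")
    if t.encrypt_algorithm not in ENC_ALGS:
        errors.append(f"unknown Encrypt Algorithm {t.encrypt_algorithm!r}")
    # Step 5: Main Mode can only identify the peer by IP address
    if t.key_management == "IKE Main Mode" and t.remote_party_id_type != "IP_IPV4_ADDR":
        errors.append("IKE Main Mode requires Remote Party ID type IP_IPV4_ADDR")
    # Step 10: minimum key lifetime
    if t.key_lifetime < MIN_LIFETIME:
        errors.append(f"Key lifetime {t.key_lifetime}s is below the {MIN_LIFETIME}s minimum")
    # Steps 6 and 9: uniqueness across the rules already configured
    for other in existing:
        if other.remote_party_id == t.remote_party_id:
            errors.append(f"Remote Party ID {t.remote_party_id!r} already used by {other.tunnel_name!r}")
        if other.pre_shared_key == t.pre_shared_key:
            errors.append(f"pre-shared key already used by {other.tunnel_name!r}")
    # Hardening warnings (editor's recommendations, not enforced by the Router)
    if t.auth_algorithm == "None":
        warnings.append("Authentication Algorithm None: packets have no integrity protection")
    elif t.auth_algorithm == "MD5":
        warnings.append("MD5 is weaker than SHA1; use SHA1 if the peer supports it")
    if t.encrypt_algorithm == "None":
        warnings.append("Encrypt Algorithm None: tunnel traffic is sent in clear")
    elif t.encrypt_algorithm == "DES":
        warnings.append("DES has a 56-bit key and is breakable by brute force; use 3DES")
    if t.key_management == "IKE Aggressive Mode":
        warnings.append("Aggressive Mode exposes a hash of the pre-shared key to offline guessing; prefer Main Mode")
    if len(t.pre_shared_key) < MIN_PSK_LEN:
        warnings.append(f"pre-shared key shorter than {MIN_PSK_LEN} characters is easy to guess")
    return errors, warnings


def ends_match(local, remote):
    """Steps 11 and 12: both ends must use the same values. Returns the names
    of the fields on which the two peers' settings disagree."""
    shared = ("key_management", "pre_shared_key", "auth_algorithm", "encrypt_algorithm")
    return [f for f in shared if getattr(local, f) != getattr(remote, f)]


def check_enable(ipsec_enabled, l2tp_over_ipsec_enabled):
    """VPN screen step 2: L2TP over IPSec cannot be used unless IPSec is enabled."""
    return not (l2tp_over_ipsec_enabled and not ipsec_enabled)


# Constructed sample rules (documentation addresses, made-up keys)
BRANCH = IPSecTunnel("branch-office", "IP_IPV4_ADDR", "203.0.113.10",
                     "IKE Main Mode", "x7Qw!pL2#vR9mT4zB6kE")
ROAD_WARRIOR = IPSecTunnel("road-warrior", "ID_USER_FQDN", "alice@example.net",
                           "IKE Main Mode", "secret", key_lifetime=60,
                           auth_algorithm="MD5", encrypt_algorithm="DES")

if __name__ == "__main__":
    for rule in (BRANCH, ROAD_WARRIOR):
        errs, warns = check_tunnel(rule)
        print(rule.tunnel_name, "errors:", errs, "warnings:", warns)
```

Run the checker against both peers' settings and against the rules already in the VPN Connections table before clicking Apply; a mismatch reported by `ends_match` is the usual reason a tunnel that looks correct on one side never comes up.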

Adding an L2TP over IPSec Connection

To add an L2TP over IPSec connection, or to edit an existing L2TP over IPSec connection:

1 In the VPN screen, click Add, or click Edit to edit an existing connection.

2 At the Tunnel Type drop-down list, select L2TP over IPSec. The screen shown in Figure 46 displays.


Figure 46 VPN Tunnel Configuration - L2TP over IPSec Screen

3 Enter a name for the tunnel at the Tunnel Name text box.

4 Enter the user name that the remote VPN client will use to connect in the User name text box.

5 Enter the password that will need to be supplied to connect in the Password text box.

6 Type in an Idle Timeout. This is the amount of time, in minutes, that you want the connection to remain inactive before it times out. Enter 0 if you do not want the connection to time out.

7 Select either the L2TP Server or L2TP Client radio button. If you select L2TP Client, enter the following information:

Check the Auto reconnect check box if you want to automatically re-connect if the session ends or is dropped.

Select either Network or Host as the local type setting.

Enter the Remote Server address in the text box.

8 If you want to enter details of the remote network, check the Remote Network Setting - Enable check box, then enter the Remote Network Address and Remote Subnet Mask. This information must be entered if you want to see clients connected to the L2TP over IPSec server.

9 At the Pre-shared Key text box, enter the key for the IPSec connection. This must be unique for each connection rule that you create.

10 At the Remote Party ID drop-down list, select either IP_IPV4_ADDR or ID_USER_FQDN.


11 Type a name for the Remote Party ID in the text box next to the drop-down list. This must be unique for each connection rule that you create.

12 Click Apply to save the settings.

Adding a PPTP Connection

To add a PPTP connection, or to edit an existing PPTP connection:

1 In the VPN screen, click Add, or click Edit to edit an existing connection.

2 At the Tunnel Type drop-down list, select PPTP. The screen shown in Figure 47 displays.

Figure 47 VPN Tunnel Configuration - PPTP Screen

3 Enter a name for the tunnel at the Tunnel Name text box.

4 Enter the user name that the remote VPN client will use to connect in the User name text box.

5 Enter the password that will need to be supplied to connect in the Password text box.

6 Type in an Idle Timeout. This is the amount of time, in minutes, that you want the connection to remain inactive before it times out. Enter 0 if you do not want the connection to time out.

7 Select either the PPTP Server or PPTP Client radio button. If you select PPTP Client, enter the following information:

Check the Auto reconnect check box if you want to re-connect automatically after the PPTP session ends or is dropped.